Search Results

Search found 90601 results on 3625 pages for 'user friendly'.

Page 324/3625

  • Run Bash Script Another Server

    - by psce
    I want to run commands one by one to change the names of the directories on the server. When I run the script, the directories are renamed on server 1, but the directories are not found on server 2. What could the error be in the script? Script:

        #!/bin/bash
        mach_directory=/home/user/example
        erase_dir1=cache
        erase_dir2=tmp
        for i in {0..10}
        do
            user=user
            server=$(ssh $user@server$i hostname)
            ssh $user@$server find $mach_directory -type d -name $erase_dir1 ! -path "*Admin/$erase_dir1*" -print0 | while IFS= read -r -d '' file ; do mv "$file" "${file}_$(date +%d%m%Y)"; done
            ssh $user@$server find $mach_directory -type d -name $erase_dir2 ! -path "*Admin/$erase_dir2*" -print0 | while IFS= read -r -d '' file ; do mv "$file" "${file}_$(date +%d%m%Y)"; done
        done

  • How can I have 2 users working on the same PC at the same time

    - by Sharon Cook
    I have a PC/machine that has its own IP address and it can be connected to by certain external PCs through our firewall. User A has an RDP connection from, say, Germany directly to the PC; his IP number is allowed through our firewall to connect to the PC. He now wants User B to connect at the same time so that User B can see what User A is doing on the screen at the same time and maybe take over the screen to put his input in. I know that you cannot have 2 RDP connections at the same time, but what would be the easiest solution to this? I want User A to keep his RDP connection, but I am unsure of what to suggest so that User B can see what is going on at the same time. The users are not happy to use RealVNC, etc.

  • How to rename database without first stopping SQL instance to flush connections

    - by John Galt
    Is there a way to force a database into single-user mode so a script can be run to rename databases? I find I have to restart the instance of SQL (to force off any connections from a web app, etc.) and then I can run this script:

        USE master
        go
        sp_dboption MDS, "single user", true
        go
        sp_dboption StagingMDS, "single user", true
        go
        sp_renamedb MDS, LastMonthMDS
        go
        sp_renamedb StagingMDS, MDS
        go
        sp_dboption LastMonthMDS, "single user", false
        go
        sp_dboption MDS, "single user", false
        go

    After this script runs, I can restart IIS for my web app and it can connect to the new production database. All the above works well and we've been doing this for years, but now we've upgraded to SQL 2008 and the SQL 2008 instance also hosts other databases that support other web apps. So, rather than using a restart of the whole SQL instance to enable subsequent single-user mode on 2 databases, is there a less intrusive way of accomplishing this? Thanks.

  • trouble shooting ntfs-loop-xen combination in wubi based grub of Ubuntu

    - by Registered User
    Here is the situation: I installed Ubuntu on a laptop using Wubi in a Windows 7 drive. *The laptop is not mine.* I have installed it and things have worked perfectly so far without any problem. We are trying to set up a Xen (virtualization) environment on this laptop. After setting everything up cleanly, when I needed to boot with the following grub entry

        menuentry "Xen Linux 2.6.32.27" {
            insmod ntfs
            set root='(hd0,2)'
            loopback loop0 /ubuntu/disks/root.disk
            set root=(loop0)
            multiboot /boot/xen.gz
            module /boot/vmlinuz-2.6.32.27 dummy=dummy root=/dev/sda2 loop=/ubuntu/disks/root.disk ro console=tty0
            module /boot/initrd.img-2.6.32.27
        }

    I got

        error file not found
        error unknown command 'multiboot'
        error unknown command 'module'
        error unknown command 'module'

    Now, to dig into this issue further, I reboot the machine, go to the grub command prompt and manually pass each of the above parameters which you see in the grub entry. When I reached

        grub> insmod multiboot

    I got the following message on screen:

        error:file not found.

    It looks like this Wubi + grub setup has just enough modules to use a loopback file on NTFS, but the ACTUAL /boot directory is on the loopback, NOT on ntfs (hd0,2). Therefore any attempt to read any files from (hd0,2) simply won't work, because there's no file there. I need to use insmod multiboot and the commands multiboot and module, which are available in grub on a normal install without Wubi. But since the laptop is not mine, I am not allowed to partition it and have to make it work in this situation only, while a normal kernel is still booting. How can I get the module multiboot in this Wubi based install?

  • How can I launch RemoteApp on Windows Server from server itself at startup

    - by Rusted
    I have Windows Server 2008 R2 with RDS and a custom desktop (GUI) application installed on the server. The app is started as a RemoteApp on the server by a user from his desktop computer (or, sometimes, he can work from a notebook over VPN). Some details about the environment:

    - the server automatically shuts down every evening and automatically powers on every morning (this is a requirement)
    - the desktop application does some precalculations/precaching on startup and it can take a lot of time
    - the mentioned application has some memory leaks, so I can't use hibernate instead of shutdown

    When the user launches this app from his computer, he can't start work with it until this app finishes pre-initialization. Is there any way to start a RemoteApp session at server startup (without an actual user logon), so that the user could connect to this session from his computer later? I don't want to involve the user's computer to make it work. I have tried to do it with a Windows startup script, but had no luck: starting an RDP session requires an actual user session.

  • Multiple Domains on an Exchange Server

    - by William
    When I create a new user in Exchange, it asks me to provide the User Logon Name. There is a dropdown box that supposedly allows you to select a domain for the user's login. What is this referring to? How can I make it so that I can create users with different domains in their user logon name? P.S. I am very aware of 'Accepted Domains' in Exchange allowing one user to have several email addresses in different domains. I am just curious how I can modify the user's logon name specifically.

  • Searching For a Desktop Security Software to harden Windows machines, anybody?

    - by MosheH
    I'm a network administrator of a small/medium network. I'm looking for software (free or not) which can harden Windows computers (XP and Win7) for the purpose of hardening standalone desktop computers (not in a domain network). Note: the computers are completely isolated (standalone), so I can't use Active Directory group policy. Moreover, there are too many restrictions that I need to apply, so it is not practical to set them up manually (one by one). Basically what I'm looking for is software that can restrict and disable access for specific user accounts on the system. For example:

    - User John can only open one application and nothing else. He doesn't see any icon on the desktop or start menu, except for one or two applications which I want to allow. He can't right-click on the desktop, the taskbar icons are not shown, there are no folder options, etc.
    - User Mary can open a specific application and copy data to one folder on the D drive.
    - User Dan has access to all drives but cannot install software, and so on...

    So far, I've found only the following solutions, but they all seem to miss one or more features:

    Desktop restriction software
    1. Faronics WINSelect: the application seems to answer most of our needs except one feature which is very important to us but seems to be missing from WINSelect, which is "restriction per profile". WINSelect only allows setting up restrictions which are applied system-wide. If I have multiple user accounts on the system and want to apply different restrictions for each user, I can't.
    2. Deskman (no restriction per user): same thing, no restriction per profile.
    3. Desktop Security Rx: not relevant, no Win7 support.

    The only software that I've found which offers a restriction per profile is "1st Security Agent", but its GUI is very complicated and not very intuitive. It's worth mentioning that I'm not looking for "Internet Kiosk software", although they share some features with the one I need.
    All I need is software (like http://www.faronics.com/standard/winselect/) that offers a way to restrict the Windows user interface. So if anybody knows of hardening software which allows setting up user restrictions on Windows systems, it will be a big, big, big help for me! Thanks to you all

  • Windows XP autostart process as administrator

    - by Zulakis
    I am looking for a way with which I can autostart a certain program with administrator rights on logon of a user with user rights. I already tried using Task Scheduler but it didn't work out because you have to enter a username in the format machine\user, and our PXE image deployment system automatically patches the machine names, so the entered domain\user stopped working. UPDATE: the runas.exe command does not seem appropriate for this task, either. If using /user:machinename\Administrator /savecred it is invalid after imaging. What one user suggested was using .\Administrator or localhost\Administrator, but neither worked on my XP SP3 machines.

  • MySQL mistake with grant option

    - by John Tate
    I am unsure, reading the MySQL documentation, if creating a user with the GRANT option will give them the power to create users and grant privileges, or change the privileges of other users' databases. I have been creating databases for users like this:

        CREATE DATABASE user;
        USE user;
        GRANT ALL PRIVILEGES ON *.* TO 'user'@'localhost' IDENTIFIED BY 'password' WITH GRANT OPTION;

    Is this the best way of doing it or have I just given my users too much control? They are people I am hosting sites for. Thankfully at this point they are trustworthy. I use quotas. Edit: I have realized I have been granting users access to all databases. This is obviously stupid; I should be using this:

        GRANT ALL PRIVILEGES ON database.* TO 'user'@'localhost' IDENTIFIED BY 'password';

    What is the simplest way to revoke privileges for every user except root so I can quickly end this catastrophic rookie mistake?

  • Cannot Send Item error in Outlook - permissions to registry?

    - by Tim Alexander
    The issue I am trying to solve is to do with users getting a Cannot Send Item error in Outlook 2007 connecting to Exchange 2007. Basically, if there is an image in the email (either one they have pasted in or one from another email in the chain) they get a "Cannot Send Item" error. Initially I thought it was a Citrix issue, but users get it when they RDP to a server as well. Changing the message to Rich Text works 80% of the time, but I do not think this is a solution but more of a temporary workaround. After some troubleshooting we found that the error can be fixed by adding the user as a member of the local Power Users group. Of course this is not really a fix. My thoughts were that the ability of a power user to add/remove software may give them more access to the registry, which might allow them to get round a restriction that is in place for a normal user. I have tried going through a procmon but the wealth of information is confusing. It initially looked like it may be an Outlook 2007 email security setting, but this does not change between power user and normal user (set to 1 in the registry, "Use the security setting from Outlook Security Settings Public Folders"). I am struggling to fine-tune my troubleshooting to work out exactly what is blocking it. Has anyone had an experience with an error similar to this? Or are there any tips for trying to track down issues via procmon, as I must admit my approach seems somewhat lacking :)

    EDIT: So I have trawled through the two logs we have from Process Monitor (one as a power user and one as a normal user). Annoyingly, I can find no obvious difference where something is denied access. There are more access denied events in the normal user log, but these are quickly followed by successful entries to the same path fractions of a second later. The only thing that does stand out is an access denied to HKCR\.html. This does not even appear in the power user version of the log. From what I understand this helps determine the default browser, which ties in nicely with the fact that 9 out of 10 times you can send the message as Rich Text.

    EDIT: Looks like KB2509470 was causing the issue. Not really sure why, but when I can work out what it does and why it causes the problem I will post here, unless anyone beats me to it!

  • how to set auto redirection in tomcat

    - by Registered User
    I have a site http://social.openitup.in; right now what you are seeing is a default Tomcat6 page. I am using mod_ajp as a front end and the Apache vhost configuration for it is

        <VirtualHost *:80 >
            ServerName social.openitup.in
            ServerAdmin webmaster@localhost
            ProxyRequests off
            <Proxy *>
                Order deny,allow
                Allow from all
            </Proxy>
            ProxyPreserveHost On
            ProxyPass / ajp://192.168.1.19:8009/
            ProxyPassReverse / ajp://192.168.1.19:8009/
        </VirtualHost>

    However, I have an application running on it at http://social.openitup.in/olat. What I want to do is: when someone opens http://social.openitup.in then, rather than seeing the Tomcat6 home page from /var/lib/tomcat6/webapps/ROOT/index.html, the person is redirected to the olat application which is in /var/lib/tomcat6/webapps/olat. How can this be achieved? The above vhost configuration is on a machine separate from where OLAT is running.

  • Running an rsync sweep before initializing lsyncd for synchronizing instances on EC2

    - by chrisallenlane
    My company uses several EC2 servers that will scale up and down according to the load we're receiving on our sites at any given moment. For the sake of our discussion here, we're running four instances:

    - master.ourdomain.com: the file syncing "hub" of the webservers
    - www1/www2/www3.ourdomain.com: three webservers which turn on or off as dictated by load

    I'm using lsyncd to keep all of the webservers in sync, and for the most part, it's working quite well. We're using a two-way syncing scheme, such that each webserver syncs against master, and master syncs against each webserver. Thus, the webservers are kept in sync, even though they aren't syncing against each other directly. I'm having one problem that I'm having a hard time solving, though. It occurs under these circumstances:

    - when changes are made on master (perhaps after we've pushed new code), while some of the redundant webservers are sleeping
    - and then a sleeping webserver wakes up to absorb load

    Under that circumstance, I would like the following to happen: first, the newly-awoken webserver should sync its file structure, one way, against master, to bring its web application code up-to-date. Then, and only then, should it begin pushing changes in its file structure back to master. Unfortunately, currently, when a sleeping server is started and lsyncd starts up, it pushes changes back to master before updating its own codebase, thus overwriting new code with old. Thus, before lsyncd starts, I'd like to be able to synchronize the webserver's code against master's, perhaps by running a simple one-way rsync between the two machines. We're running lsyncd v2, and I've tried to make this happen by using the "bash" configuration options documented in the lsyncd manual.
    My configuration file looks like this:

        settings = {
            logfile = "/home/user/log/lsyncd/log.txt",
            statusFile = "/home/user/log/lsyncd/status.txt",
            maxProcesses = 2,
            nodaemon = false,
        }
        bash = {
            onStartup = "rsync [email protected]:/home/user/www /home/user/www"
        }
        sync{
            default.rsyncssh,
            source="/home/user/www/",
            host="[email protected]",
            targetdir="/home/user/www/",
            rsyncOpts="-ltus",
            excludeFrom="/home/user/conf/lsyncd/exclude"
        }

    (I've obviously redacted that file somewhat to protect the identities of the guilty.) Simply put, though, this just isn't working. How else might I approach this problem? I was looking at the --delete-after option in man rsync, but I don't think that does what I'm looking for. Are there any suggestions about how I should approach this problem? Thanks for lending your time and expertise. Chris

  • Error 1069 the service did not start due to a logon failure

    - by Si
    Our CruiseControl.NET service on Win2003 Server (VMware virtual) was recently changed from a service account to a user account to allow a new part of our build process to work. The new user has "Log on as a service" rights, verified by checking Local Security Settings - Local Policies - User Rights Assignment, and the user password is set to never expire. The problem I'm facing is that every time the service is restarted, I get the 1069 error as described in this question's subject. I have to go into the properties of the service (Log On tab) and re-enter the password, even though it hasn't changed and the user already has the appropriate rights. Once I enter the password and apply the changes, a prompt appears telling me that the user has been granted "Log on as a service" rights. The service will then start with no problems. Not a show stopper, but a pain nonetheless. Why isn't the password persisting with the service?

  • Untangle VPN setup, how to see internal addresses?

    - by NFS user
    So Untangle is set up as the default gateway at 192.168.100.1/24; it is the authoritative DHCP server issuing addresses from 192.168.100.100 to 192.168.100.200 and is successfully connected to the Internet. Untangle uses OpenVPN for remote access. Accessing the VPN gives me the address 192.168.40.5. However, I cannot ping any machines on the internal 192.168.100.x network remotely. Clearly, there is something basic that I am missing. What is it and how is it solved? Update: The VPN was not set up with the internal network. Since Untangle only allows editing the VPN setup once, the VPN had to be removed and reinstalled with the internal network exported. Now it works. The lesson is that the internal network must be set up before configuring the VPN.

  • When an Excel file is locked on a network share, how does it know who locked the file?

    - by ScottStonehouse
    We are using Excel 2010 and sometimes users are working from a network share. When a user on the network opens the file in Excel, the file is locked for editing; this is the expected behavior. When another user tries to open the file, Excel gives the message

        [filename] is locked for editing by 'John Doe'

    The problem is, the user is always this one particular user's name, no matter who actually has the file open. Where does Excel get this info, and how do I fix it? Update: I should have mentioned that in Excel, under Options (General), the correct user names have been set up. That is not where this user name is coming from.

  • Apache returns 403 Forbidden for alternative port vhost

    - by Wesley
    I'm having an issue getting vhosts to work on Apache 2.2, Debian 6. I have two VirtualHosts, one on port 80 and one on port 8888. The port 80 one has been created automatically by DirectAdmin; the 8888 one is custom. Its configuration is as follows.

        <VirtualHost *:8888 >
            DocumentRoot /home/user/public_html/development
            ServerName www.myserver.nl
            ServerAlias myserver.nl
            <Directory "/home/user/public_html/development">
                Options +Indexes +FollowSymLinks +MultiViews
                AllowOverride All
                Order Allow,deny
                Allow from all
            </Directory>
        </VirtualHost>

    Of course I also have a NameVirtualHost *:8888. The port 80 DocumentRoot is /home/user/public_html/production, which is perfectly accessible and works like a charm. The port 8888 docroot of /home/user/public_html/development is 403 Forbidden though. I have compared the permissions for both folders. They seem fine to me.

        drwxr-xr-x 2 root root 4096 Aug 17 16:14 development
        drwxr-xr-x 4 root root 4096 Aug 18 04:29 production

    Also, the index.php file which is supposed to display when accessing through port 8888, located in /development/:

        -rwxr-xr-x 1 root root 41 Aug 17 16:14 index.html

    I have looked at my error_log and found many of the following entries, only being added to the log file when accessing through port 8888.

        [Sat Aug 18 04:35:09 2012] [error] [client 27.32.156.232] Symbolic link not allowed or link target not accessible: /home/user/public_html

    /home/user/public_html is a symbolic link that refers to /home/user/domains/mydomain/public_html. The symbolic link has the following permissions:

        lrwxrwxrwx 1 admin admin 29 Aug 17 15:56 public_html -> ./domains/mydomain/public_html

    I'm at a loss. It seems that everything is readable or executable. I've set the Directory to FollowSymLinks in the httpd.conf file, but that doesn't seem to make a difference. If I change that directory tag to <Directory "/home/admin/public_html"> (so it has FollowSymLinks on that as well) it still does not work. Any help is greatly appreciated.
    If I need to post more information, let me know. I'm pretty much a beginner at this stuff.

    UPDATE: I ended up changing the configuration to go directly to the actual path of the files, avoiding the public_html symlink altogether. That worked. Thanks for the suggestions folks.

        DocumentRoot /home/user/domains/mydomain/public_html/development

    instead of

        DocumentRoot /home/user/public_html/development

  • Sendmail Undeliverable Redirection?

    - by Dizzle
    Good afternoon; I don't know much about sendmail, so this may be fairly easy for those of you more experienced with it. We have an account, "[email protected]", sending reports to various groups. From time to time an undeliverable message will be sent back to "[email protected]". We'd like for those undeliverable messages to be rerouted, or bounced, from "[email protected]" to a group of our choosing. To carve out a scenario for clarity:

    - [email protected] sends a report to [email protected] and [email protected]
    - [email protected] has someone whose mail account no longer exists, triggering an undeliverable message being sent back to [email protected]
    - Rather than having the undeliverable message sit in [email protected]'s Inbox, we'd like for it to be automatically rerouted/bounced to an admin group, [email protected]

    So I guess a "rule" of sorts. I've come across this solution: Sendmail : ignore local delivery. But I don't know enough about sendmail to know if this is what will fit this situation. Any help is greatly appreciated.

  • How to configure what certificates can be issued using Web Enrollment in Windows Server 2008 R2 Enterprise?

    - by antik
    I have a CA installed on one of my Windows Servers in a small farm of systems. I've installed the Certification Authority Web Enrollment and Certificate Enrollment Web Service roles on the CA. I want to issue a Computer certificate to a computer not joined to my domain. The user attempting web enrollment has domain credentials. The user was able to navigate to https://myServerHostname/certsrv and request a User certificate successfully. However, the user needs a Computer cert as well. From the certsrv site, the user tried the following: Advanced Certificate Request -> Create and Submit a Request to this CA. However, the Computer certificate template is not available under the Certificate Template heading. He is only seeing "User" and "Basic EFS". How do I configure the CA to allow him to request a Computer cert for his system?

  • How to run django on localhost with nginx and uwsgi?

    - by user2426362
    How to run Django on localhost with nginx and uwsgi? This is my config but it does not work. nginx:

        server {
            listen 80;
            server_name localhost;
            access_log /var/log/nginx/localhost_access.log;
            error_log /var/log/nginx/localhost_error.log;
            location / {
                uwsgi_pass unix:///tmp/localhost.sock;
                include uwsgi_params;
            }
            location /media/ {
                alias /home/user/projects/zt/myproject/myproject/media/;
            }
            location /static/ {
                alias /home/user/projects/zt/myproject/myproject/static/;
            }
        }

    uwsgi:

        [uwsgi]
        vhost = true
        plugins = python
        socket = /tmp/localhost.sock
        master = true
        enable-threads = true
        processes = 2
        wsgi-file = /home/user/projects/zt/myproject/myproject/wsgi.py
        virtualenv = /home/user/projects/zt
        chdir = /home/user/projects/zt/myproject
        touch-reload = /home/user/projects/zt/myproject/reload

    This config works on my Ubuntu server with a normal domain (not localhost), but on localhost it is not working. If I open localhost in a web browser I get "Welcome to nginx!"

  • How can I find the original un-changed configuration file to compare with the *.rpmnew file?

    - by User
    While upgrading from CentOS 5.7 to 5.8 I received the following warnings:

        warning: /etc/sysconfig/iptables-config created as /etc/sysconfig/iptables-config.rpmnew
        warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
        warning: /etc/odbcinst.ini created as /etc/odbcinst.ini.rpmnew

    (To know the reason for such files, and what one can do with them, read: Why do I have .rpmnew file after an update?) I want to know what exactly has been changed in the default config file by comparing the old default file (the original unchanged configuration file) with the new default file (*.rpmnew). Then, I can apply the changes to my modified file (aka diff merge). The problem is I don't know where I can find the original unchanged configuration file...

  • how to reduce time of git pulling each time when you do a make world on Xen source

    - by Registered User
    I am compiling Xen from source and each time I do a make world it basically gives some error or other. My problem is not those errors (I am trying to debug them), but the problem is that each time I do a make world, Xen basically pulls things from the git repository:

        + rm -rf linux-2.6-pvops.git linux-2.6-pvops.git.tmp
        + mkdir linux-2.6-pvops.git.tmp
        + rmdir linux-2.6-pvops.git.tmp
        + git clone -o xen -n git://git.kernel.org/pub/scm/linux/kernel/git/jeremy/xen.git linux-2.6-pvops.git.tmp
        Initialized empty Git repository in /usr/src/xen-4.0.1/linux-2.6-pvops.git.tmp/.git/
        remote: Counting objects: 1941611, done.
        remote: Compressing objects: 100% (319127/319127), done.
        remote: Total 1941611 (delta 1614302), reused 1930655 (delta 1604595)
        **Receiving objects: 20% (1941611/1941611), 98.17 MiB | 87 KiB/s, done.**

    and if you notice the last line, it is still consuming my bandwidth pulling things from the internet. How can I stop this step each time and use the existing git repository?

  • sharing a USB printer in SOHO environment [migrated]

    - by Registered User
    Here is a situation I am facing: there is a USB printer which works only on a Windows XP machine; there are other devices in the LAN; it is a Small Office Home Office environment. How can this USB printer attached to the Windows XP machine be shared so that other laptops or users in the network who have Windows 7 or Linux on their laptops can use this printer? The printer model number is Canon Laser Shot LBP-1210 (http://www.canon-europe.com/For_Home/Product_Finder/Printers/Laser/LaserShot_LBP1210/index.asp). A print server is not available to me; I need to make it work in this situation only. What can I do? The clients are unable to connect to this. It is not a network or TCP/IP printer. If from a Windows 7 machine someone wants to use this printer so that he can take a print, he gets an error while adding the printer to his machine, which is a Windows 7 machine (whereas the printer is a USB printer on the Windows XP machine): Start ---> Devices and Printers ---> Add Printer ---> Find Printer by name or IP address ---> Selected a shared printer by name --> \\PC-Name-printer3 and select browse; it gives the message

        Windows can not find a driver for Canon LASER SHOT LBP-1210 on the network

    What does this mean? Do I need to install some kind of software at the client machine or on the machine where the printer is present?

  • How to open a server port outside of an OpenVPN tunnel with a pf firewall on OSX (BSD)

    - by Timbo
    I have a Mac mini that I use as a media server running XBMC; it serves media from my NAS to my stereo and TV (which has been color calibrated with a Spyder3Express, happy). The Mac runs OSX 10.8.2 and the internet connection is tunneled for general privacy over OpenVPN through Tunnelblick. I believe my anonymous VPN provider pushes "redirect_gateway" to OpenVPN/Tunnelblick because when on it effectively tunnels all non-LAN traffic in- and outbound. As an unwanted side effect that also opens the box's server ports unprotected to the outside world and bypasses my firewall-router (Netgear SRX5308). I have run nmap from outside the LAN on the VPN IP and the server ports on the mini are clearly visible and connectable. The mini has the following ports open: ssh/22, ARD/5900 and 8080+9090 for the XBMC iOS client Constellation. I also have a Synology NAS which, apart from LAN file serving over AFP and WebDAV, only serves up an OpenVPN/1194 and a PPTP/1732 server. When outside of the LAN I connect to this from my laptop over OpenVPN and over PPTP from my iPhone. I only want to connect through AFP/548 from the mini to the NAS. The border firewall (SRX5308) just works excellently, stably and with a very high throughput when streaming from various VOD services. My connection is a 100/10 with a close to theoretical max throughput.
    The ruleset is as follows.

    Inbound:
    - PPTP/1723 Allow always to 10.0.0.40 (NAS/VPN server) from a restricted IP range corresponding to possible cell provider range
    - OpenVPN/1194 Allow always to 10.0.0.40 (NAS/VPN server) from any

    Outbound:
    - Default outbound policy: Allow Always
    - OpenVPN/1194 TCP Allow always from 10.0.0.40 (NAS) to a.b.8.1-a.b.8.254 (VPN provider)
    - OpenVPN/1194 UDP Allow always to 10.0.0.40 (NAS) to a.b.8.1-a.b.8.254 (VPN provider)
    - Block always from NAS to any

    On the Mini I have disabled the OSX Application Level Firewall because it throws popups which don't remember my choices from one time to another, and that's annoying on a media server. Instead I run Little Snitch, which controls outgoing connections nicely on an application level. I have configured the excellent OSX builtin firewall pf (from BSD) as follows. pf.conf (Apple App firewall tie-ins removed) (# replaced with % to avoid formatting errors):

        ### macro name for external interface.
        eth_if = "en0"
        vpn_if = "tap0"
        ### wifi_if = "en1"
        ### %usb_if = "en3"
        ext_if = $eth_if
        LAN="{10.0.0.0/24}"
        ### General housekeeping rules ###
        ### Drop all blocked packets silently
        set block-policy drop
        ### all incoming traffic on external interface is normalized and fragmented
        ### packets are reassembled.
        scrub in on $ext_if all fragment reassemble
        scrub in on $vpn_if all fragment reassemble
        scrub out all
        ### exercise antispoofing on the external interface, but add the local
        ### loopback interface as an exception, to prevent services utilizing the
        ### local loop from being blocked accidentally. ###
        set skip on lo0
        antispoof for $ext_if inet
        antispoof for $vpn_if inet
        ### spoofing protection for all interfaces
        block in quick from urpf-failed
        #############################
        block all
        ### Access to the mini server over ssh/22 and remote desktop/5900 from LAN/en0 only
        pass in on $eth_if proto tcp from $LAN to any port {22, 5900, 8080, 9090}
        ### Allow all udp and icmp also, necessary for Constellation. Could be tightened.
        pass on $eth_if proto {udp, icmp} from $LAN to any
        ### Allow AFP to 10.0.0.40 (NAS)
        pass out on $eth_if proto tcp from any to 10.0.0.40 port 548
        ### Allow OpenVPN tunnel setup over unprotected link (en0) only to VPN provider IPs
        ### and port ranges
        pass on $eth_if proto tcp from any to a.b.8.0/24 port 1194:1201
        ### OpenVPN Tunnel rules. All traffic allowed out, only in to ports 4100-4110
        ### Outgoing pings ok
        pass in on $vpn_if proto {tcp, udp} from any to any port 4100:4110
        pass out on $vpn_if proto {tcp, udp, icmp} from any to any

    So what are my goals and what does the above setup achieve? (until you tell me otherwise :)
    1) Full LAN access to the above ports on the mini/media server (including through my own VPN server)
    2) All internet traffic from the mini/media server is anonymized and tunneled over VPN
    3) If OpenVPN/Tunnelblick on the mini drops the connection, nothing is leaked, both because of pf and the router outgoing ruleset. It can't even do a DNS lookup through the router.

    So what do I have to hide with all this? Nothing much really, I just got carried away trying to stop port scans through the VPN tunnel :) In any case this setup works perfectly and it is very stable.

    The Problem at last! I want to run a Minecraft server and I installed that on a separate user account on the mini server (user=mc) to keep things partitioned. I don't want this server accessible through the anonymized VPN tunnel because there are lots more port scans and hacking attempts through that than over my regular IP, and I don't trust Java in general.
    So I added the following pf rules on the mini:

        ### Allow Minecraft public through user mc
        pass in on $eth_if proto {tcp,udp} from any to any port 24983 user mc
        pass out on $eth_if proto {tcp, udp} from any to any user mc

    And these additions on the border firewall:

    Inbound:
    - Allow always TCP/UDP from any to 10.0.0.40 (NAS)

    Outbound:
    - Allow always TCP port 80 from 10.0.0.40 to any (needed for online account checkups)

    This works fine, but only when the OpenVPN/Tunnelblick tunnel is down. When it is up, no connection is possible to the Minecraft server from outside of the LAN. Inside the LAN it is always OK. Everything else functions as intended. I believe the redirect_gateway push is close to the root of the problem, but I want to keep that specific VPN provider because of the fantastic throughput, price and service.

    The Solution? How can I open up the Minecraft server port outside of the tunnel so it's only available over en0, not the VPN tunnel? Should I add a static route? But I don't know which IPs will be connecting... stumbles. How secure would you estimate this setup to be, and do you have other improvements to share? I've searched extensively in the last few days to no avail... If you've read this far I bet you know the answer :)

  • ssh -x : howto get clipboard?

    - by Gupu User
    Hello! I'm connected to a server via ssh -x and my only way to get text out of the system is the X clipboard (unless I want to take thousands of screenshots and run OCR over them). I cannot execute any programs on the other machine, because I don't have access. How can I achieve this?
