亚洲精品第一国产综合精品99,亚洲色婷婷一区二区三区,亚洲精品国产福利在线观看

�l�于把postfix跟imap搞好了，庆贺下！

pony — Wed, 14 Apr 2010 09:41:00 GMT

�q�段旉��看postfix的架构文档，�ȝ��寚w��件系�l�有了个皮毛的认识�?br /> 在想不知能否在��Y件开发中借鉴下postfix的架构经验�?br /> 现在已经能通过postfix发送邮�Ӟ��q�能通过courier-imap的pop3接收邮�g了，
�ȝ��l�验��是要多�ȝ��日志�Q�跟邮�g相关的日志可以去�?var/log/maillog�Q�另外配�|�文件一点点的改�Q�不要一�ơ更改过多的内容�?br /> 接下来把认证相关的改成mysql�Q�把webmail配置上�?br />

pony 2010-04-14 17:41 发表评论

Postfix架构

pony — Thu, 08 Apr 2010 01:45:00 GMT

Postfix接收邮�g的架构示意图�Q?br />

trivial-
rewrite(8)

Network

->

smtpd(8)

^
| | v

\

Network -> qmqpd(8) -> cleanup(8) -> incoming

/

pickup(8) <- maildrop

^
|

Local -> sendmail(1) -> postdrop(1)

Postfix发送邮件的架构�C�意图：

trivial-
rewrite(8) smtp(8) -> Network

/

^
| | v

-

lmtp(8)

->

Network

/

incoming -> active -> qmgr(8) --- local(8) -> File, command

^
| | v

\

- virtual(8) -> File

deferred \

pipe(8) -> Command

pony 2010-04-08 09:45 发表评论

[zz]L7-filter Kernel Version HOWTO

pony — Tue, 16 Mar 2010 05:09:00 GMT

【�{载自http://l7-filter.sourceforge.net/HOWTO�?small>
Last update 23 Aug 2008

If you have not already, please read the README.

What You Need To Get
Kernel Patch
Iptables Patch
Protocol Definitions
Actually Doing Stuff
More Information

Important links on this page:

Download page
Packet flow diagram
Pattern Writing HOWTO
Shaping script for bridges
Shaping script for non-bridges
Protocolinfo.org

What You Need To Get

The 2.4 or 2.6 Linux kernel source (2.6 strongly preferred) from kernel.org
The iptables source from netfilter.org
Our "l7-filter kernel version" package (netfilter-layer7-vX.Y.tar.gz)
Our "Protocol definitions" package (l7-protocols-YYYY-MM-DD.tar.gz)

Kernel Patch

Short version for experts: Apply our kernel patch. Enable the new match option in Netfilter.

Check our kernel compatibility list to see if the Linux version you want to use has been tested.

Use the appropriate kernel patch from the "Layer 7 patches" package to patch^[1] the kernel (read the README in the package to determine which patch to use). Set up your kernel as you would otherwise. Now enable the following options (these are correct for Linux 2.6.21.1, but they tend to move around a lot, so you may have to go hunting if you have a different kernel version):

"Prompt for development and/or incomplete code/drivers" (under "Code maturity level options")
"Network packet filtering framework" (Networking → Networking support → Networking Options)
"Netfilter Xtables support" (on the same screen)
"Netfilter connection tracking support" (... → Network packet filtering framework → Core Netfilter Configuration), select "Layer 3 Independent Connection tracking"
"Connection tracking flow accounting" (on the same screen)
And finally, "Layer 7 match support"
Optional but highly recommended: Lots of other Netfilter options, notably "FTP support" and other matches. If you don't know what you're doing, go ahead and enable all of them.

Warning: Some users have reported kernel crashes when they using SMP with l7-filter. (Some have also reported that their SMP systems run fine.) If you have a multi-CPU machine, test carefully before putting it into production with l7-filter.

Compile and install the kernel as usual. (Our code may generate warnings about "initialization from incompatible pointer type", ignore them.) Reboot.

¹How to patch a source tree

Suppose you have a patch called happy.patch. To apply it, go into the root directory of the source tree you want to patch and run "patch -p1 < happy.patch"

Iptables Setup

First read the README in the package "Layer 7 patches". Depending on your version of iptables, the instructions are different.

iptables 1.4.0 and older

Use the appropriate iptables patch to to patch^[1] iptables. Compile iptables, pointing it at your patched kernel source:

Run "chmod +x extensions/.layer7-test" (information about file permissions can't be contained in the patch)
Then "make KERNEL_DIR=/path/to/patched/kernel_source" (you must have configured your kernel source before this step)
And install (as root): "make install KERNEL_DIR=/path/to/patched/kernel_source"

iptables 1.4.1

Don't use this version. There's no reason to and it's difficult to compile.

iptables 1.4.1.1 and newer

Copy libxt_layer7.c and libxt_layer7.man (from the subdirectory of the "Layer 7 patches" package that the README points you to) to the extensions/ directory of your iptables source. Then:

"./configure --with-ksource=/path/to/patched/kernel_source" (use the full path)
"make"
(as root) "make install"

Protocol Definitions (Pattern Files)

These files tell iptables and the kernel how protocol names correspond to regular expressions, e.g. "ftp" means "^220[\x09-\x0d -~]*ftp".

Uncompress the "Protocol Definitions" package and make the resulting directory /etc/l7-protocols.^[2]

You should now be ready to actually do stuff.

²Notes for non-conformists

You can also install the patterns in a custom location. If you do this, you need to specify --l7dir before --l7proto when you use l7-filter:

iptables [...] -m layer7 --l7dir /home/bob/patterns --l7proto http [...]

Actually doing stuff

There are three things you may be interested in doing: (1) blocking certain protocols (2) controlling bandwidth use (3) accounting. We cover each of these cases below.

First, a reminder: Just because you're using l7-filter, you don't need to do all of your packet classification using it. It's likely that what you want to accomplish can be at least partially done with less demanding classifiers, such as port matching. For instance, you can probably assume that traffic on TCP port 80 that isn't matched by any P2P patterns is HTTP; you don't need to actually use the HTTP pattern.

l7-filter uses the standard iptables extension syntax. (If you are not familiar with this, it's time to read the documentation at netfilter.org or at least "man iptables".)

iptables [specify table & chain] -m layer7 --l7proto [protocol name] -j [action]

(Or, if you're just interested in accounting, omit "-j [action]".)

For a list of valid protocol names, see the protocols page. You can also add your own protocols.

The only trick is that, in order to do its classification, l7-filter must be able to see all of the relevant traffic. It only sees packets if they go through an l7-filter rule. One way of ensuring this is to use the POSTROUTING chain of the mangle table:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto [etc.]

See this packet flow diagram for details. In some cases, l7-filter can sucessfully match even if it can only see one side of the connection, but in general, this won't work.

If you are using a version of l7-filter earlier than 2.7, you must manually load the ip_conntrack module kernel for l7-filter to work. Newer versions do this automatically.

1. Blocking

Don't. Here's why:

l7-filter matching isn't foolproof: there may be both false positives (one protocol can look like another) and false negatives (applications can do obscure things that we didn't count on). Patterns that are known to regularly generate false positives are marked "overmatching" on the protocols page, but others may also do so occasionally.
Almost every type of Internet traffic has legitimate uses. For instance, P2P protocols, while widely used to violate copyright, are also an efficient way to distribute open source software and legally free music.
Programs can respond to being blocked by port-hopping, switching between TCP and UDP, opening a new connection for every trivial operation, using encryption, or employing other evasion tactics. Trying to block such protocols has consequences on two levels:
1. In the case of port/protocol-hopping, you make it harder for yourself to identify protocols that already act this way.
2. You encourage programmers to include these "features" in new programs, making it harder for everyone in the future. For example: In early 2006, Bittorrent started moving towards end-to-end encryption because many networks were either blocking it or severely restricting its bandwidth.
l7-filter patterns are not generally designed with blocking in mind. We consider a protocol to be well identified if the identification is useful for controlling its bandwidth. This means, for instance, that for P2P applications, we do not focus on catching connections that are not downloads.
Blocking with l7-filter provides no security, since any reasonably determined person can easily circumvent it.

Instead of dropping packets you don't like, we recommend using Linux QoS to restrict their bandwidth usage. If you insist on using l7-filter to drop packets, make sure you have investigated other options first, such as the features of your HTTP proxy (useful for worms).

2. Bandwidth Restriction

To control the bandwidth that a protocol uses, you can use Netfilter to "mark" the packets and QoS to filter on that mark. To mark:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto imap -j MARK --set-mark 3

The number "3" is arbitrary. It can be any integer. Then use tc to filter on that mark (tc is "traffic control", the userspace tool for Linux QoS, part of the iproute2 package):

tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw flowid 1:3

Did you understand that last command? You can try reading The Linux Advanced Routing and Traffic Control HOWTO for enlightenment. You should do this so that you have some idea what you're doing, but unfortunately, tc is incredibly obtuse and you're likely to wish you just had a canned script. Well, we can help:

Shaping script for bridges
Shaping script for non-bridges

These may need to be modified if your setup is significantly different than mine, but it should provide a much better starting point than most other things you are likely to find.

Be prudent when choosing the amount of bandwidth you allow each protocol. Restricting a protocol to an unusably low bandwidth can have similar consequences to blocking it.

3. Accouting

If you just want to keep track of what's in use on your network, simply use the above command without any -j option. For example:

iptables -t mangle -A POSTROUTING -m layer7 --l7proto imap

You can then get statistics by using iptables -L. (See "man iptables" for details.)

More Information

Dealing with FTP, IRC, etc.

Some protocols open child connections to transfer data. FTP is the most familiar example. If you have loaded the ip_conntrack_ftp or nf_conntrack_ftp kernel module, l7-filter will classify FTP and all its child connections as FTP. The same goes for IRC/IRC-DCC, etc.

If you wish to classify the children differently, use the standard iptables "helper" match. You can use "-m --helper ftp" to match ftp child connections. Of course, once you've done this, it's silly to involve l7-filter, at least for the children.

The "unset" and "unknown" matches

l7-filter marks unmatched connections that it is still trying to match as "unset". The first few packets of all TCP connections as well as those of some UDP connections will match this. Similarly, l7-filter marks connections that it has given up trying to match as "unknown". These are matched just like normal protocols:

iptables -A FORWARD -m layer7 --l7proto unset iptables -A FORWARD -m layer7 --l7proto unknown

The "unset" match is only supported by l7-filter 2.9 and up.

Upgrading the protocol definitions

The protocol definitions are simple text files with a format described in the Pattern-HOWTO. They can be updated as a package or individually.

If you update the protocol definitions, you need to clear the relevant iptables rules and re-enter them. This is because the pattern files are only read by iptables, not directly by the kernel.

Other things to know

By default, l7-filter looks at the first 10 packets or 2kB, whichever is smaller. These limits are somewhat conservative. It is well known that some HTTP connections (those that involve large cookies), for instance, need more packets to be matched.
- You can alter the number of packets at any time through /proc/net/layer7_numpackets. (i.e. "echo 16 > /proc/net/layer7_numpackets".)
- In l7-filter versions 2.0 and forward, you can alter the number of bytes at module load time: "modprobe xt_layer7 maxdatalen=N" (ipt_layer7 in old versions), where N is in bytes. This should be used cautiously, since performance may decrease drastically with larger data sizes. To prevent you from accidentally bringing down your network, there is an artificial limit of 65536 imposed. If you're sure you know what you're doing, you can remove this limit by editing ipt_layer7.c or xt_layer7.c in the kernel source.
It's possible (although rare) for a connection to be matchable by more than one pattern. The patterns are tested in the order you specified with iptables. After a match is made, l7-filter does not continue testing that connection, so changing the order of your rules may change what happens.
Sometimes important messages go only to the system log, not the terminal you are working at. Such messages include notifications that regular expressions failed to compile and various things that tc generates. A useful command is "tail -f /var/log/messages".

Please see the FAQ for more information.

pony 2010-03-16 13:09 发表评论

proftpd服务启动的问�?Starting proftpd: execvp: No such file or directory

pony — Thu, 22 Jan 2009 01:41:00 GMT

把profpd源代码目录下的proftpd-1.3.1/contrib/dist/rpm/proftpd.init.d拯��?etc/rc.d/init.d/proftpd
�?etc/rc.d/rc3.d中徏立proftpd的启动停止链接：
ln -s ../init.d/proftpd S86proftpd
ln -s ../init.d/proftpd K18proftpd
然后�Q?sbin/service proftpd start
报错误：Starting proftpd: execvp: No such file or directory
�l�检查，是proftpd.init.d脚本中的路径有问�?
PATH="$PATH:/usr/local/sbin"
而我的proftpd安装�?usr/local/proftpd目录�?br /> 修改上面的�\径�ؓPATH="$PATH:/usr/local/proftpd/sbin",重新启动�Q�问题解�?br />

pony 2009-01-22 09:41 发表评论

UNIX�~�程艺术的一�D�话

pony — Wed, 04 Jun 2008 13:32:00 GMT

看这本书我最�l�常回顾的一�D�话是：
“软�g设计和实现应该是一门充满快乐的艺术�Q�一�U�高水��^的游戏。如果这�U�态度对你来说听�v来有些荒谬，或者��o你隐�U�感到有些困�H�，那么情停下来�Q�想一惻I��问问自己是不是已�l�把什么给遗忘了。如果只是�ؓ了赚钱或是打发时��_��你�ؓ什么要搞��Y件设计而不是别的什么呢�Q�你肯定曄��也认��Y件设计值得你付出激�?....."

pony 2008-06-04 21:32 发表评论

linux下so文�g的创建及调用�Ҏ��

pony — Wed, 21 May 2008 02:56:00 GMT

1.创徏so文�g

�q�一步很��?只需要在用cc�~�译的时�?加上-shared选项卛_��,�q�样成成的执行程序即为动态链接库,例如:

cc -shared -o hello.so hello.c

2.调用so文�g中的函数的步�?/div>

a. 包含so中函数的头文�?包含dlfcn.h头文�?�q�个头文件中定义了打开so文�g,调用so的函�?关闭so的函�?/span>

b.��x��so中函数的�c�d��变量

c.用dlopen函数打开so文�g,�q�回句柄

d.用dlsym函数以上c步骤中得到的句柄,得到so文�g中要调用的函数的动态地址,�q�把�q�个地址赋值给在b步骤中申明的函数�c�d��变量

e.通过b中申明的函数�c�d��变量调用so中的函数

f.用dlclose函数关闭c中得到的句柄所指向的so动态连接库

挺简单吧!

pony 2008-05-21 10:56 发表评论

(转蝲)iptables的man中文文档

pony — Mon, 12 May 2008 01:08:00 GMT

总览
用iptables -ADC 来指定链的规则，-A��d�� -D删除 -C 修改

iptables - [RI] chain rule num rule-specification[option]
用iptables - RI 通过规则的顺序指�?br />
iptables -D chain rule num[option]
删除指定规则
iptables -[LFZ] [chain][option]
用iptables -LFZ 铑֐� [选项]

iptables -[NX] chain
�?nbsp;-NX 指定�?br />
iptables -P chain target[options]
指定铄��默认目标

iptables -E old-chain-name new-chain-name
-E 旧的铑֐� 新的铑֐�
用新的链名取代旧的链�?br /> 说明
Iptalbes 是用来设�|�、维护和��查Linux内核的IP包过滤规则的�?nbsp;
可以定义不同的表�Q�每个表都包含几个内部的链，也能包含用户定义的链。每个链都是一个规则列表，对对应的包进行匹配：每条规则指定应当如何处理与之相匹配的包。这被称�?target'�Q�目标）�Q�也可以跛_��同一个表内的用户定义的链�?br />
TARGETS
防火墙的规则指定所��查包的特征，和目标。如果包不匹配，��送往该链中下一条规则检查；如果匚w��,那么下一条规则由目标值确�?该目标值可以是用户定义的链�?或是某个专用�?如ACCEPT[通过], DROP[删除], QUEUE[排队], 或�?nbsp;RETURN[�q�回]�?br /> ACCEPT 表示让这个包通过。DROP表示��这个包丢弃。QUEUE表示把这个包传递到用户�I�间。RETURN表示停止�q�条铄��匚w��Q�到前一个链的规则重新开始。如果到达了一个内建的�?的末�?�Q�或者遇到内建链的规则是RETURN�Q�包的命�q�将由链准则指定的目标决定�?br />
TABLES
当前有三个表�Q�哪个表是当前表取决于内栔R��|�选项和当前模�?�?br /> -t table
�q�个选项指定命��o要操作的匚w��包的表。如果内核被配置��动加载模块，�q�时若模块没有加载，(�pȝ��)��尝�?��?加蝲适合的模块。这些表如下�Q�filter,�q�是默认的表�Q�包含了内徏的链INPUT�Q�处理进入的包）、FORWORD�Q�处理通过的包�Q�和OUTPUT�Q�处理本地生成的包）。nat,�q�个表被查询时表�C�遇��C��产生新的�q�接的包,�׃��个内建的链构成：PREROUTING (修改到来的包)、OUTPUT�Q�修改�\�׃��前本地的包）、POSTROUTING�Q�修改准备出�ȝ��包）。mangle �q�个表用来对指定的包�q�行修改。它有两个内��则：PREROUTING�Q�修改�\�׃��前进入的包）和OUTPUT�Q�修改�\�׃��前本地的包）�?br /> OPTIONS
�q�些可被iptables识别的选项可以区分不同的种�c�R�?br />
COMMANDS
�q�些选项指定执行明确的动作：若指令行下没有其他规�?该行只能指定一个选项.对于长格式的命��o和选项�?所用字母长度只要保证iptables能从其他选项中区分出该指令就行了�?br /> -A -append
在所选择的链末添加一条或更多规则。当源（地址�Q�或�?�?nbsp;目的�Q�地址�Q��{换�ؓ多个地址�Ӟ��q�条规则会加到所有可能的地址(�l�合)后面�?br />
-D -delete
从所选链中删除一条或更多规则。这条命令可以有两种�Ҏ��Q�可以把被删除规则指定�ؓ链中的序�?�W�一条序号�ؓ1),或者指定�ؓ要匹配的规则�?br />
-R -replace
从选中的链中取代一条规则。如果源�Q�地址�Q�或�?�?nbsp;目的�Q�地址�Q�被转换为多地址�Q�该命��o会失败。规则序号从1开始�?br />
-I -insert
�Ҏ��l�出的规则序号向所选链中插入一条或更多规则。所以，如果规则序号�?�Q�规则会被插入链的头部。这也是不指定规则序��h��的默认方式�?br />
-L -list
昄��所选链的所有规则。如果没有选择链，所有链��被昄��。也可以和z选项一起��用，�q�时链会被自动列出和归零。精��输出受其它所�l�参数媄响�?br />
-F -flush
清空所选链。这�{�于把所有规则一个个的删除�?br />
--Z -zero
把所有链的包及字节的计数器清�I�。它可以�?nbsp;-L配合使用�Q�在清空前察看计数器�Q�请参见前文�?br />
-N -new-chain
�Ҏ��l�出的名�U�徏立一个新的用户定义链。这必须保证没有同名的链存在�?br />
-X -delete-chain
删除指定的用戯��定义链。这个链必须没有被引用，如果被引用，在删除之前你必须删除或者替换与之有关的规则。如果没有给出参敎ͼ��q�条命��o��试着删除每个非内建的链�?br />

-P -policy
讄��铄��目标规则�?br />
-E -rename-chain
�Ҏ��用户�l�出的名字对指定链进行重命名�Q�这仅仅是修饎ͼ��Ҏ��个表的结构没有媄响。TARGETS参数�l�出一个合法的目标。只有非用户自定义链可以使用规则�Q�而且内徏铑֒�用户自定义链都不能是规则的目标�?br />
-h Help.
帮助。给出当前命令语法非常简短的说明�?br />
PARAMETERS
参数
以下参数构成规则详述�Q�如用于add、delete、replace、append �?nbsp;check命��o�?br />
-p -protocal [!]protocol
规则或者包��?待检查包)的协议。指定协议可以是tcp、udp、icmp中的一个或者全部，也可以是数��|��代表�q�些协议中的某一个。当然也可以使用�?etc/protocols中定义的协议名。在协议名前加上"!"表示相反的规则。数�?相当于所有all。Protocol all会匹配所有协议，而且�q�是�~�省时的选项。在和check命��o�l�合�Ӟ��all可以不被使用�?br /> -s -source [!] address[/mask]
指定源地址�Q�可以是��L��名�?a class="UBBWordLink" target="_blank">�|�络名和清楚的IP地址。mask说明可以�?a class="UBBWordLink" target="_blank">�|�络掩码或清楚的数字�Q�在�|�络掩码的左�Ҏ��?a class="UBBWordLink" target="_blank">�|�络掩码左边"1"的个敎ͼ�因此�Q�mask��gؓ24�{�于255.255.255.0。在指定地址前加�?!"说明指定了相反的地址�D�c��标�?nbsp;--src 是这个选项的简写�?br />
-d --destination [!] address[/mask]
指定目标地址�Q�要获取详细说明请参�?nbsp;-s标志的说明。标�?nbsp;--dst 是这个选项的简写�?br />
-j --jump target
-j 目标跌��{
指定规则的目标；也就是说�Q�如果包匚w��应当做什么。目标可以是用户自定义链�Q�不是这条规则所在的�Q�，某个会立卛_��定包的命�q�的专用内徏目标�Q�或者一个扩展（参见下面的EXTENSIONS�Q�。如果规则的�q�个选项被忽略，那么匚w��的过�E�不会对包��生媄响，不过规则的计数器会增加�?br />
-i -in-interface [!] [name]
i -�q�入的（�|�络�Q�接�?nbsp;[!][名称]
�q�是包经��p��接口接收的可选的入口名称�Q�包通过该接口接�Ӟ��在链INPUT、FORWORD和PREROUTING中进入的包）。当在接口名前��?!"说明后，指的是相反的名称。如果接口名后面加上"+"�Q�则所有以此接口名开头的接口都会被匹配。如果这个选项被忽略，会假设�ؓ"+"�Q�那么将匚w��L��接口�?br />
-o --out-interface [!][name]
-o --输出接口[名称]
�q�是包经��p��接口送出的可选的出口名称�Q�包通过该口输出�Q�在链FORWARD、OUTPUT和POSTROUTING中送出的包�Q�。当在接口名前��?!"说明后，指的是相反的名称。如果接口名后面加上"+"�Q�则所有以此接口名开头的接口都会被匹配。如果这个选项被忽略，会假设�ؓ"+"�Q�那么将匚w��所有�Q意接口�?br />
[!] -f, --fragment
[!] -f --分片
�q�意味着在分片的包中�Q�规则只询问�W�二及以后的片。自那以后由于无法判断这�U�把包的源端口或目标端口�Q�或者是ICMP�c�d��的）�Q�这�c�d��不能匹配�Q何指定对他们�q�行匚w��的规则。如�?!"说明用在�?-f"标志之前�Q�表�C�相反的意思�?br />
OTHER OPTIONS
其他选项
�q�可以指定下列附加选项�Q?br />
-v --verbose
-v --详细
详细输出。这个选项让list命��o昄��接口地址、规则选项�Q�如果有�Q�和TOS�Q�Type of Service�Q�掩码。包和字节计数器也将被显�C�，分别用K、M、G(前缀)表示1000�?,000,000�?,000,000,000倍（不过请参�?x标志改变它）�Q�对于添�?插入,删除和替换命令，�q�会使一个或多个规则的相兌��l�信息被打印�?br />
-n --numeric
-n --数字
数字输出。IP地址和端口会以数字的形式打印。默认情况下�Q?a class="UBBWordLink" target="_blank">�E�序试显�C�Z��机名�?a class="UBBWordLink" target="_blank">�|�络名或者服务（只要可用�Q��?br />
-x -exact
-x -�_��
扩展数字。显�C�包和字节计数器的精��|��代替用K,M,G表示的约数。这个选项仅能用于 -L 命��o�?br />
--line-numbers
当列表显�C��则时�Q�在每个规则的前面加上行��P��与该规则在链中的位置相对应�?br />
MATCH EXTENSIONS
对应的扩�?br /> iptables能够使用一些与模块匚w��的扩展包。以下就是含于基本包内的扩展包，而且他们大多数都可以通过在前面加�?来表�C�相反的意思�?br />
tcp
�?nbsp;--protocol tcp 被指�?且其他匹配的扩展未被指定�?�q�些扩展被装载。它提供以下选项�Q?br />
--source-port [!] [port[:port]]
源端口或端口范围指定。这可以是服务名或端口号。��用格式端口：端口也可以指定包含的�Q�端口）范围。如果首端口可��忽略�Q�默认是"0"�Q�如果末端口可��忽略�Q�默认是"65535"�Q�如果第二个端口号大于第一个，那么它们会被交换。这个选项可以使用 --sport的别名�?br />
--destionation-port [!] [port:[port]]
目标端口或端口范围指定。这个选项可以使用 --dport别名来代�ѝ�?br />
--tcp-flags [!] mask comp
匚w��指定的TCP标记。第一个参数是我们要检查的标记�Q�一个用逗号分开的列表，�W�二个参数是用逗号分开的标记表,是必��被讄��的。标记如下：SYN ACK FIN RST URG PSH ALL NONE。因此这条命令：iptables -A FORWARD -p tcp --tcp-flags SYN, ACK, FIN, RST SYN只匹配那些SYN标记被设�|�而ACK、FIN和RST标记没有讄��的包�?br />
[!] --syn
只匹配那些设�|�了SYN位而清除了ACK和FIN位的TCP包。这些包用于TCP�q�接初始化时发出��h��Q�例如，大量的这�U�包�q�入一个接口发生堵塞时会阻止进入的TCP�q�接�Q�而出�ȝ��TCP�q�接不会受到影响。这�{�于 --tcp-flags SYN, RST, ACK SYN。如�?--syn"前面�?!"标记�Q�表�C�相反的意思�?br />
--tcp-option [!] number
匚w��讄��了TCP选项的�?br />
udp
当protocol udp 被指�?且其他匹配的扩展未被指定�?�q�些扩展被装�?它提供以下选项�Q?br />
--source-port [!] [port:[port]]
源端口或端口范围指定。详�?nbsp;TCP扩展�?-source-port选项说明�?br />
--destination-port [!] [port:[port]]
目标端口或端口范围指定。详�?nbsp;TCP扩展�?-destination-port选项说明�?br />
icmp
当protocol icmp被指�?且其他匹配的扩展未被指定�?该扩展被装蝲。它提供以下选项�Q?br /> --icmp-type [!] typename
�q�个选项允许指定ICMP�c�d��Q�可以是一个数值型的ICMP�c�d��Q�或者是某个由命令iptables -p icmp -h所昄��的ICMP�c�d��名�?br />
mac
--mac-source [!] address
匚w��物理地址。必��L��XX:XX:XX:XX:XX�q�样的格式。注意它只对来自以太讑֤��q�进入PREROUTING、FORWORD和INPUT铄��包有效�?br />
limit
�q�个模块匚w��标志用一个标记桶�q��o器一一定速度�q�行匚w��,它和LOG目标�l�合使用来给出有限的登陆�?当达到这个极限值时,使用�q�个扩展包的规则��进行匹�?(除非使用�?!"标记)

--limit rate
最大��^均匹配速率�Q�可赋的值有'/second', '/minute', '/hour', or '/day'�q�样的单位，默认�?/hour�?br />
--limit-burst number
待匹配包初始个数的最大�?若前面指定的极限�q�没辑ֈ��q�个数�?则概数字�?.默认��gؓ5

multiport
�q�个模块匚w��一�l�源端口或目标端�?最多可以指�?5个端口。只能和-p tcp 或�?nbsp;-p udp �q�着使用�?br />
--source-port [port[, port]]
如果源端口是其中一个给定端口则匚w��

--destination-port [port[, port]]
如果目标端口是其中一个给定端口则匚w��

--port [port[, port]]
若源端口和目的端口相�{��ƈ与某个给定端口相�{?则匹配�?br /> mark
�q�个模块和与netfilter�q��o器标记字�D�匹配（��可以在下面讄��Z��用MARK标记�Q��?br />
--mark value [/mask]
匚w��那些无符��h��记值的包（如果指定mask�Q�在比较之前会给掩码加上逻辑的标讎ͼ��?br />
owner
此模块试为本地生成包匚w��包创��的不同特征。只能用于OUTPUT链，而且即�ɘq�样一些包�Q�如ICMP ping应答�Q�还可能没有所有者，因此永远不会匚w��?br />
--uid-owner userid
如果�l�出有效的user id�Q�那么匹配它的进�E��生的包�?br />
--gid-owner groupid
如果�l�出有效的group id�Q�那么匹配它的进�E��生的包�?br />
--sid-owner seessionid
�Ҏ��l�出的会话组匚w��该进�E��生的包�?br />
state
此模块，当与�q�接跟踪�l�合使用�Ӟ��允许讉K��包的�q�接跟踪状态�?br />
--state state
�q�里state是一个逗号分割的匹配连接状态列表。可能的状态是:INVALID表示包是未知�q�接�Q�ESTABLISHED表示是双向传送的�q�接�Q�NEW表示包�ؓ新的�q�接�Q�否则是非双向传送的�Q�而RELATED表示包由新连接开始，但是和一个已存在的连接在一��P��如FTP数据传送，或者一个ICMP错误�?br />
unclean
此模块没有可选项�Q�不�q�它试着匚w��那些奇怪的、不常见的包。处在实验中�?br />
tos
此模块匹配IP包首部的8位tos�Q�服务类型）字段�Q�也��是��_��包含在优先位中）�?br />
--tos tos
�q�个参数可以是一个标准名�U�ͼ��Q�用iptables -m tos -h 察看该列表）�Q�或者数倹{�?br />
TARGET EXTENSIONS
iptables可以使用扩展目标模块�Q�以下都包含在标准版中�?br />
LOG
为匹配的包开启内核记录。当在规则中讄��了这一选项后，linux内核会通过printk()打印一些关于全部匹配包的信息（诸如IP包头字段�{�）�?br /> --log-level level
记录�U�别�Q�数字或参看 syslog.conf(5)�Q��?br /> --log-prefix prefix
在纪录信息前加上特定的前�~��Q�最�?4个字母长�Q�用来和记录中其他信息区别�?br />
--log-tcp-sequence
记录TCP序列受��如果记录能被用戯��取那么这��存在安全隐患�?br />
--log-tcp-options
记录来自TCP包头部的选项�?br /> --log-ip-options
记录来自IP包头部的选项�?br />
MARK
用来讄��包的netfilter标记倹{��只适用于mangle表�?br />
--set-mark mark

REJECT
作�ؓ对匹配的包的响应�Q�返回一个错误的包：其他情况下和DROP相同�?br />
此目标只适用于INPUT、FORWARD和OUTPUT链，和调用这些链的用戯��定义链。这几个选项控制�q�回的错误包的特性：

--reject-with type
Type可以是icmp-net-unreachable、icmp-host-unreachable、icmp-port-nreachable、icmp-proto-unreachable�?nbsp;icmp-net-prohibited 或�?nbsp;icmp-host-prohibited�Q�该�c�d��会返回相应的ICMP错误信息�Q�默认是port-unreachable�Q�。选项 echo-reply也是允许的；它只能用于指定ICMP ping包的规则中，生成ping的回应。最后，选项tcp-reset可以用于在INPUT链中,或自INPUT链调用的规则�Q�只匚w��TCP协议�Q�将回应一个TCP RST包�?br /> TOS
用来讄��IP包的首部八位tos。只能用于mangle表�?br />
--set-tos tos
你可以��用一个数值型的TOS ��|��或者用iptables -j TOS -h 来查看有效TOS名列表�?br /> MIRROR
�q�是一个试验示范目标，可用于�{换IP首部字段中的源地址和目标地址�Q�再传送该�?�q�只适用于INPUT、FORWARD和OUTPUT链，以及只调用它们的用户自定义链�?br />
SNAT
�q�个目标只适用于nat表的POSTROUTING链。它规定修改包的源地址�Q�此�q�接以后所有的包都会被影响�Q�，停止对规则的��查，它包含选项�Q?br />
--to-source [-][:port-port]
可以指定一个单一的新的IP地址�Q�一个IP地址范围�Q�也可以附加一个端口范��_��只能在指�?p tcp 或�?p udp的规则里�Q�。如果未指定端口范围�Q�源端口�?12以下的（端口�Q�会被安�|��ؓ其他�?12以下的端口；512�?024之间的端口会被安�|��ؓ1024以下的，其他端口会被安置�?024或以上。如果可能，端口不会被修攏V�?br />
--to-destiontion [-][:port-port]
可以指定一个单一的新的IP地址�Q�一个IP地址范围�Q�也可以附加一个端口范��_��只能在指�?p tcp 或�?p udp的规则里�Q�。如果未指定端口范围�Q�目标端口不会被修改�?br />
MASQUERADE
只用于nat表的POSTROUTING链。只能用于动态获取IP�Q�拨��P��q�接�Q�如果你拥有静态IP地址�Q�你要用SNAT。伪装相当于�l�包发出时所�l�过接口的IP地址讄��一个映像，当接口关闭连接会�l�止。这是因为当下一�ơ拨��h��未必是相同的接口地址�Q�以后所有徏立的�q�接都将关闭�Q�。它有一个选项�Q?br />
--to-ports [-port>]
指定使用的源端口范围�Q�覆盖默认的SNAT源地址选择�Q�见上面�Q�。这个选项只适用于指定了-p tcp或�?p udp的规则�?br />
REDIRECT
只适用于nat表的PREROUTING和OUTPUT链，和只调用它们的用戯��定义链。它修改包的目标IP地址来发送包到机器自�w�（本地生成的包被安�|��ؓ地址127.0.0.1�Q�。它包含一个选项�Q?br />
--to-ports []
指定使用的目的端口或端口范围�Q�不指定的话�Q�目标端口不会被修改。只能用于指定了-p tcp �?nbsp;-p udp的规则�?br />
DIAGNOSTICS
诊断
不同的错误信息会打印成标准错误：退�?a class="UBBWordLink" target="_blank">代码0表示正确。类��g��不对的或者滥用的命��o行参数错误会�q�回错误代码2�Q�其他错误返�?a class="UBBWordLink" target="_blank">代码�?�?br />
BUGS
臭虫
Check is not implemented (yet).
��查还未完成�?br />
COMPATIBILITY WITH IPCHAINS
与ipchains的兼�Ҏ�?br /> iptables和Rusty Russell的ipchains非常�怼�。主要区别是INPUT 铑֏�用于�q�入本地��L��的包,而OUTPUT只用于自本地��L��生成的包。因此每个包只经�q�三个链的一个；以前转发的包会经�q�所有三个链。其他主要区别是 -i 引用�q�入接口�Q?o引用输出接口�Q�两者都适用于进入FORWARD铄��包。当和可选扩展模块一起��用默认过滤器表时�Q�iptables是一个纯�_�的包过滤器。这能大大减��以前对IP伪装和包�q��o�l�合使用的�؜淆，所以以下选项作了不同的处理：
-j MASQ
-M -S
-M -L
在iptables中有几个不同的链�?br />
SEE ALSO
参见
iptables-HOWTO有详�l�的iptables用法,对netfilter-hacking-HOWTO也有详细的本质说明�?br />
AUTHORS
作�?br />
Rusty Russell wrote iptables, in early consultation with Michael Neuling.
Marc Boucher made Rusty abandon ipnatctl by lobbying for a generic packet selection framework in iptables, then wrote the mangle table, the owner match, the mark stuff, and ranaround doing cool stuff everywhere.
James Morris wrote the TOS target, and tos match.
Jozsef Kadlecsik wrote the REJECT target.
The Netfilter Core Team is: Marc Boucher, Rusty Russell.

Mar 20, 2000

中文�l�护�Q�杨�?#183;NetSnake

pony 2008-05-12 09:08 发表评论

pony — Wed, 07 May 2008 06:00:00 GMT

以前用CAS一直是用java的客��L��,今天��x��自己的phpMyAdmin集成��C��心认证系�l�中,�q�样��׃��需要到apache的目录中用access文�g��L��制了.
在集成phpCAS的时�?�pȝ��报出一些错�?
Warning: include_once(DB.php) [function.include-once]: failed to open stream: No such file or directory in /opt/httproot/phpMyAdmin/cas/PGTStorage/pgt-db.php on line 11

Warning: include_once() [function.include]: Failed opening 'DB.php' for inclusion (include_path='.:/usr/local/php-5.2.5/lib/php') in /opt/httproot/phpMyAdmin/cas/PGTStorage/pgt-db.php on line 11

Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at /opt/httproot/phpMyAdmin/cas/PGTStorage/pgt-db.php:11) in /opt/httproot/phpMyAdmin/cas/client.php on line 489

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at /opt/httproot/phpMyAdmin/cas/PGTStorage/pgt-db.php:11) in /opt/httproot/phpMyAdmin/cas/client.php on line 489

Warning: Cannot modify header information - headers already sent by (output started at /opt/httproot/phpMyAdmin/cas/PGTStorage/pgt-db.php:11) in /opt/httproot/phpMyAdmin/cas/client.php on line 880
查了些资�?重新安装了php后问题解�?
1.在编译php的时�?要加�?-with-curl, --with-openssl, --with-dom, --with-zlib�q�些选项
如果�pȝ��中还没有安装curl�?
wget http://curl.haxx.se/download/curl-7.18.1.tar.gz
tar -zxvf curl-7.18.1.tar.gz
./configure --prefix=/usr/local/curl
make
sudo make install
�~�译安装php�Q?br /> ./configure --prefix=/usr/local/php --with-apxs2=/usr/local/apache/bin/apxs --with-mysql=/usr/local/mysql/ --with-libxml-dir=/usr/local/libxml-2.6.30/ --with-gd=/usr/local/gd-2.0.35/ --with-curl=/usr/local/curl/ --with-openssl --with-zlib --with-pear=/usr/local/php_pear
make
make test
sudo make install
注意�Q�有可能pear安装不成功，要看你下载的php包，安装完后到php源代码目录下的pear下看看是有有错，否则�Q�要��C��载一个pear的安装包�Q?br /> wget http://pear.php.net/install-pear.phar
再执行make�Q�make install

2.安装PEAR:DB
cd /usr/local/php/bin
pear install DB

3.��试phpCAS
把phpCAS包里的example_simple.php以及source目录里的所有文件拷贝到一个可以从apapche执行php文�g的目录中
然后讉K��http://host/dir/example_simeple.php
�l�果��面转向到https://sso-cas.univ-rennes1.fr的中心认证地址�Q�说明phpCAS安装成功�?br />

pony 2008-05-07 14:00 发表评论

(转蝲)apachectl startssl启动apache自动�q�行输入密码

pony — Mon, 28 Apr 2008 01:24:00 GMT

apachectl startssl启动apache自动�q�行输入密码

作者：不详来源: http://www.chinaunix.net(无显�C�即不详)

核心提示�Q�安装了一台服务器�Q�只开放了https�Q�没有开放http 把启动命�?usr/local/bin/apachectl startssl写到/etc/rc.local里，重启服务器�? 发现apache�q�没有自动运行�?手动�q�行 [root@localhost]# /usr/local/bin/apachectl restart httpd not running, trying to start Apach.....

安装了一台服务器�Q�只开放了https�Q�没有开放http
把启动命�?usr/local/bin/apachectl startssl写到/etc/rc.local里，重启服务器�?br /> 发现apache�q�没有自动运行�?br /> 手动�q�行
[root@localhost]# /usr/local/bin/apachectl restart
httpd not running, trying to start
Apache/2.2.0 mod_ssl/2.2.0 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.

Server www.example.com:443 (RSA)
Enter pass phrase:

OK: Pass Phrase Dialog successful.
发现原来是要输入pass phrase的原�?br />
解决�Ҏ��?�U?br /> 1�Q�去�?usr/local/bin/apachectl startssl启动�?strong style="color: black; background-color: #99ff99;">pass phrase�Q�用�I?strong style="color: black; background-color: #99ff99;">pass phrase启动apache
(while preserving the original file):
$ cp server.key server.key.org
$ openssl rsa -in server.key.org -out server.key

��认server.key 文�g为root可读
$ chmod 400 server.key
参�?a target="_blank">http://www.chinaunix.net/jh/13/599604.html

2�Q�编�?br /> vi /usr/local/apache2/conf/extra/httpd-ssl.conf
注释SSLPassPhraseDialog builtin
在后��d��
SSLPassPhraseDialog exec:/usr/local/apache2/conf/apache_pass.sh

vi /usr/local/apache2/conf/apache_pass.sh
#!/bin/sh
echo "密码"

chmod +x /usr/local/apache2/conf/apache_pass.sh

然后重启apache
[root@localhost conf]# /home/apache2/bin/apachectl start
[root@localhost conf]#

然后从�v服务器，��可以运行了

参�?a target="_blank">http://httpd.apache.org/docs/2.0 ... sslpassphrasedialog

pony 2008-04-28 09:24 发表评论

pony — Sat, 26 Apr 2008 05:44:00 GMT

今天早上启动ubuntu�Q�登录进入xwindow�Q�突然弹��Z��个错误提�C�框�Q?br /> 1.dbus服务不能启动
2.failed to initialize HAL
�pȝ��提示先启动dbus服务,然后重新启动
于是执行:sudo /etc/init.d/dbus start
重新启动�?�l�果仍然出现�q�个错误.
怀疑是在启动dbus服务之前有什么其它的服务发生错误��D��dbus不能启动,所以首先想��C��更改服务的启动顺�?br /> �?etc/rc2.d/S2Odbus改了启动��序:
sudo mv /etc/rc2.d/S20dbus /etc/rc2.d/S12dbus
重新启动后发现没有错误了�Q�以为问题就�q�样解决�?很开�?�l�果��L��看进�E?发现我好几个默认的服务都没启�?看来原因�q�不只是dbus不能启动
仔细想了��x��天在�pȝ��中的改动,记得��Z��l�apache重新配置了ssl�?没有新装什么服务啊,�H�然惛_��现在我的apache启动的时候是需要输入证书密码的,是不是因为系�l�自动启动的时候没有输入密码导致apache服务的启动没有执行完�l�果在后面启动的服务都不能执行呢?
赶紧查了下apache服务的启动顺�?
ls /etc/rc2.d/*apache*
昄��S12apache
于是把dbus服务的启动顺序改回来,仍然�?0,但把apache的启动删除掉,重新启动!再查看进�E?发现��Z��apache的服务外,其它的都启动好了!看来果然是这个原因！

pony 2008-04-26 13:44 发表评论

pony — Fri, 25 Apr 2008 07:14:00 GMT

今天上午正在配置ssl,�H�然发现�?0几个ssh-scan的进�E?心里一�?安��的机器ip地址怎么也有人来扫描�?�q�来试探俺的ssh用户,跟踪了一�?看他�q�在孜孜不倦的试探,于是在iptables里加一条规�?先把他的数据包阻止掉:
sudo iptables -t filter -A INPUT -s xxx.xxx.xxx.xxx(他的ip地址) -s DROP
再跟�t�了一�?没有ssh-scan的进�E�了.
但这也不是长�q�的办法�?�q�是先把ssh的证书登录搞好吧,然后又在�|�上搜了�?看能不能在iptables里直接防止ssh-scan,搜到�q�篇文章:
http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/
明天再搞�?��C��.如果有朋友能告诉我更好的办法的话,先谢谢了!

pony 2008-04-25 15:14 发表评论

apache2.2中配�|�ssl

pony — Fri, 25 Apr 2008 06:39:00 GMT

一.首先要安装好openssl
    下蝲openssl:
     wget http://www.openssl.org/source/openssl-0.9.8a.tar.gz
     ./configure --prefix=/usr/local/openssl
     make
     sudo make install
     也可以直接用apt安装:
      sudo apt-get install openssl libssl-dev
      注意一定要安装openssl的开发库,否则�~�译apache的时候会报错�?不能�~�译ssl�?
�?�~�译安装apache
     �q�里不多说了,主要是configure的时候加上ssl的选项

�?创徏ssl所需要的证书
(�q�里所有的文�g都是创徏�?etc/httpd目录�?
1.创徏key文�g:
sudo openssl genrsa -des3 -out server.key 1024
执行完后应该在当前目录中有一个server.key文�g

2.查看创徏的key文�g:(不是必须)
openssl rsa -noout -text -in server.key
3.创徏pem文�g:(不是必须)
sudo openssl rsa -in server.key -out server.key.unsecure
4.创徏scr文�g:
sudo openssl req -new -key server.key -out server.csr
执行完后应该在当前目录中有一个server.csr文�g
5.创徏crt文�g:
sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
执行完后应该在当前目录中有一个server.crt文�g

�?修改apache的ssl配置文�g
1.修改httpd.conf
在文件中扑ֈ�下面一�?把注释去�?br /> #Include conf/extra/httpd-ssl.conf
2.修改httpd-ssl.conf
在extra目录�?修改ssl的配�|�文�?br /> 扑ֈ�SSLCertificateFile和SSLCertificateKeyFile的配�|?修改文�g路径��C��面创建的目录

�?启动apache
sudo /usr/local/apache/bin/apachectl start
�q�时应该要求你回�{�证书密�?回答后即可启�?br /> 打开��览器测试下�?�q�时候应该能以https讉K��你的站点�?

但这�?是所有的用户都可以访问你的https站点�?如果你希望只有认证的用户才能讉K��的话,��L��l�下面的配置!

�?创徏认证客户所需要的证书
1.创徏用户的key文�g:
sudo openssl genrsa -des3 -out client.key 1024
2.创徏用户的crt证书文�g:
sudo openssl req -new -x509 -days 3650 -key client.key -out client.crt
修改SSLCACertificateFile的文件�\�?br /> 3.创徏讉K��用户的csr文�g:
sudo openssl req -new -out pony.csr
4.创徏讉K��用户的crt证书文�g:
sudo openssl x509 -req -in pony.csr -out pony.crt -signkey client.key -CA client.crt -CAkey client.key -CAcreateserial -days 3650
5.导出为pfx证书:(ie中只能导入pfx证书)
sudo openssl pkcs12 -export -in pony.crt -inkey client.key -out pony.pfx
在你的测试机的ie中导入这个pfx证书
6.修改ssl配置文�g:
在httpd-ssl.conf文�g中找到SSLCACertificateFile的配�|?然后修改文�g路径为client.crt
把以下两行注释去�?
SSLVerifyClient require
SSLVerifyDepth 10

重新启动apache,再次讉K��apache的时�?ie��׃��弹出�H�口选择证书�?
that's all

(本文参考了CU的文�?http://www.chinaunix.net/jh/13/469276.html,非常感谢作�?)

pony 2008-04-25 14:39 发表评论

pony — Fri, 25 Apr 2008 03:57:00 GMT

sudo vi /etc/profile
#seconds
export TMOUT=3600

pony 2008-04-25 11:57 发表评论

pony — Tue, 22 Apr 2008 11:14:00 GMT

:范围修饰�W�s/被替换的字符�?替换后的字符�?可选标�?

例如:

:%s/demo/hello world./g 把全�?demo"替换�?hello world.

范围修饰�W�包�?

1.%,表示所有行

2.., 表示当前�?/div>

3.$, 表示最后移�?/div>

4.4,9,表示�W?行到�W?�?/div>

s表示vi命��o的替换操�?/div>

g表示�Ҏ��一行中的所有匹配进行操�?/div>

pony 2008-04-22 19:14 发表评论

ubuntu下安装mysql的注意事��?-innodb

pony — Tue, 22 Apr 2008 07:35:00 GMT

如果从源代码�~�译安装mysql,�~�省安装�?是没有innodb引擎�?所�?在configure的时�?要加�?-with-plugins=all(或者max),�q�样才会支持innodb.在mysql里可以执行show engines命��o来查看当前的mysql服务器所支持的存储引�?

pony 2008-04-22 15:35 发表评论

dhcp client问题

pony — Mon, 21 Apr 2008 02:27:00 GMT

最�q�家里的电脑除了个怪问�?安��用的是东�Ҏ��U�的�|�络,�pȝ��是ubuntu 6 server,�pȝ��开机后一�D�|��?�|�络��p��动断�?ifconfig查看�|�卡信息,ip地址是对�?但ping不通外面的�|�络.然后再过一�D�|��?�|�络又重新回�?查看syslog,message�{�日�?只发现这��L��日志:

Apr 20 22:26:10 localhost dhclient: DHCPDISCOVER on eth0 to 255.255.255.255 port 67 interval 7

Apr 20 22:26:10 localhost dhclient: DHCPOFFER from 10.119.16.1

Apr 20 22:26:10 localhost dhclient: DHCPREQUEST on eth0 to 255.255.255.255 port 67

Apr 20 22:26:10 localhost dhclient: DHCPACK from 10.119.16.1

Apr 20 22:26:10 localhost dhclient: bound to xxx.xxx.xxx.xxxx(我的ip地址) -- renewal in 1595 seconds.

初步分析应该是ubuntu的dhclient有问�?暂时解决不了.

先写个脚本解决下问题�?(bash不怎么熟悉,只好用perl�?

fixnetwork.pl:

#/usr/bin/perl

use Net::Ping;

my $ip = "xxx.xxx.xxx.xxx";#随便写个公网上能ping通的ip地址

my $p = Net::Ping->new("tcp", 4);

while (1) {

if ($p->ping($ip)) {

print "$ip answered\n";

} else {

print "$ip did not answer\n";

system("ifdown eth0");

system("ifup eth0");

}

sleep(1);

}

然后执行:sudo fixnetwork.pl > fixnetwork.log &

现在暂时�|�络是能用了,但不知道�q�个dhclient的问题什么时候能解决:(

pony 2008-04-21 10:27 发表评论

ubuntu下安装php及phpMyAdmin

pony — Sat, 19 Apr 2008 07:24:00 GMT

apache的安装就不说了^_^
1.下蝲php
wget http://cn2.php.net/get/php-5.2.5.tar.gz/from/cn.php.net/mirror
2.下蝲libxml
wget ftp://ftp.gnome.org/pub/GNOME/sources/libxml2/2.6/libxml2-2.6.30.tar.gz
3.下蝲gd
wget http://www.libgd.org/releases/gd-2.0.35.tar.gz
4.下蝲phpMyAdmin
wget http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.11.5.1-all-languages.tar.gz?download
5.安装libxml
    tar -zxvf libxml2-2.6.30.tar.gz
    cd libxml2-2.6.30/
    ./configure --prefix=/usr/local/libxml-2.6.30
    make
    sudo make install
6.安装gd
    tar -zxvf gd-2.0.35.tar.gz
    cd gd-2.0.35/
    ./configure --prefix=/usr/local/gd-2.0.35
    make
    sudo make install
7.安装php
    tar -zxvf php-5.2.5.tar.gz
    cd php-5.2.5/
    ./configure --prefix=/usr/local/php-5.2.5 --with-apxs2=/usr/local/apache-2.2.8/bin/apxs --with-mysql=/usr/local/mysql --with-libxml-dir=/usr/local/libxml-2.6.30/ --with-gd=/usr/local/gd-2.0.35/
    make
    make test
    sudo make install
8.配置apache及php
    cp php.ini-dist /usr/local/lib/php.ini
    在httpd.conf�?
    #安装完php后一般安装程序会自动修改httpd.conf文�g加入以下配置:
    LoadModule php5_module modules/libphp5.so
    AddType application/x-httpd-php .php .phtml
   AddType application/x-httpd-php-source .phps
9.安装phpMyAdmin
    tar -zxvf phpMyAdmin-2.11.5.1-all-languages.tar.gz
    sudo mv phpMyAdmin-2.11.5.1-all-languages /usr/local/apache-2.2.8/htdocs/phpMyAdmin
讉K��一下看看可以没:
    http://host/phpMyAdmin/index.php
配置��面应该出来�?恭喜,安装成功!

pony 2008-04-19 15:24 发表评论

pony — Fri, 18 Apr 2008 03:57:00 GMT

mysql安装步骤:

1.下蝲mysql-6.0.4-alpha.tar.gz

2.tar -zxvf mysql-6.0.4-alpha.tar.gz

3.cd mysql-6.0.4-alpha

4../configure --prefix=/usr/local/mysql

5.make

6.sudo make install

7.sudo cp supported-files/my-medium.cnf /etc/my.cnf

8.sudo cp supported-files/mysql.server /etc/init.d

9.sudo chmod a+x /etc/ini.d/mysql.server

10.cd /usr/local/mysql

11.bin/mysql_install_db --user=mysql

到这�?mysql基本安装完毕,然后��p��启动mysql�?

先试试mysqld_safe可以�?

1.bin/mysqld_safe &

2.ps -ef | grep mysql

可以查到mysql的进�E?ok,kill掉mysql的进�E?/div>

现在试试以服务的方式启动mysql:

1./etc/init.d/mysql.server

报错�?Starting MySQL../etc/init.d/mysql: line 159: kill: (6638) - No such process

于是sudo vi /etc/init.d/mysql.server,查找到启动mysql的脚�?在大�U?07行左�?把变量打印出�?

然后手工执行启动mysql的命�?bin/mysqld_safe --datadir=/usr/local/mysql/var/ --pid-file=/usr/local/mysql/var/mysql.pid

发现启动mysql错误,报permission deny.于是怀疑是用户权限问题��D��/usr/mysql/var/mysql.pid文�g无法创徏.

再重新执行上面的命��o:sudo bin/mysqld_safe --datadir=/usr/local/mysql/var/ --pid-file=/usr/local/mysql/var/mysql.pid

��x��真相大白!在手工执�?etc/init.d/mysql.server�?也要记得"sudo".

pony 2008-04-18 11:57 发表评论

pony — Sun, 13 Apr 2008 09:18:00 GMT

今天在试用apache的最新版�?.2.8,配置apache-tomcat connector的时候发现在http.conf中不再支持AddModule指��o了，只需要LoadModule卛_��?br /> 另外�Q�最新的Connector也增加了很多功能。可以到http://tomcat.apache.org/connectors-doc/reference/apache.html查看详细的指令说明�?br />

pony 2008-04-13 17:18 发表评论

ubuntu server版本上安装xwindow

pony — Mon, 07 Apr 2008 07:05:00 GMT

# apt-get install xserver-xorg
# apt-get install x-window-system-core
# dpkg-reconfigure xserver-xorg
# apt-get install gnome-core
# apt-get install gdm xscreensaver
# apt-get install ttf-arphic*
# startx

pony 2008-04-07 15:05 发表评论

pony — Mon, 25 Feb 2008 07:18:00 GMT

摘要: linux下的mosix��集阅读全文

pony 2008-02-25 15:18 发表评论

安装apache的错误问题解�? error,APR with the bundled APR-utilq错误解决

pony — Mon, 25 Feb 2008 01:42:00 GMT

configure: error,APR with the bundled APR-utilq错误解决

一般在�W�一�ơ安装进一般不会遇到这�U�问题，在重新编译时会遇到该问题
以下是我�Ҏ��错误提示�q�行�U�正安装�?br goog_docs_charindex="379" />

cd httpd-2.2.2

安装APR
cd srclib/apr

#./configure --prefix=/usr/local/apr
#make
#make install

安装APR-util
cd srclib/apr-util

#./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
#make
#make install

再安装apache
# ./configure --prefix=/usr/local/apache
--enable-so --enable-mods-shared=all
--enable-cgi
--with-apr=/usr/local/apr
--with-apr-util=/usr/local/apr-util/bin

# make
#make install

�q�样安装正常�Q?/div>

pony 2008-02-25 09:42 发表评论

clickstream��目体会

pony — Thu, 21 Feb 2008 07:36:00 GMT

clickstream是opensymphony上的一个开源项�?其目的是用于跟踪用户在web服务器上的浏览历�?通过�q�个模块得到的历史数�?可以分析出用戯��问网站的路径,瓉��,热点�q�接�{?�q�根据这些数据对�pȝ��功能做出适当调整.

其设计的出发�Ҏ��利用servlet的filter,在每�ơ对servlet的访问时��日�?日志的实��C��要是通过在当前用��L��session中设�|�一个clickstream的跟�t�对�?�q�利用HttpSessionListener来跟�t�session的创�?销毁事�?从而达到跟�t�一个用��L��览历史功能.

鸡蛋里挑炚w��头吧!
1.clickstream只有在用戯��问servlet时才能实现跟�t�的目的.如果�|�站有很多的静态页�?那么��无法通过它来跟踪�?�q�是apache的日志好�?
2.clickstream在每个对servlet的访问都创徏了一个session,�q�对很多不需要session的servlet来说,是不必要�?对于高�ƈ发访问的�pȝ��,�q�会增加�pȝ��的负�?��其是如果站�Ҏ��采用集群的话,更会带来大量的session复制的性能问题.我徏议才�pȝ��刚上�U�的时候或者有功能的重要更新的时候可以利用它来跟�t�用�?以分析用戯��?改进�pȝ��.

pony 2008-02-21 15:36 发表评论

亚洲精品第一国产综合精品99,亚洲色婷婷一区二区三区,亚洲精品国产福利在线观看

�l�于把postfix跟imap搞好了，庆贺下！

Postfix架构

[zz]L7-filter Kernel Version HOWTO

Table of Contents

What You Need To Get

Kernel Patch

1How to patch a source tree

Iptables Setup

iptables 1.4.0 and older

iptables 1.4.1

iptables 1.4.1.1 and newer

Protocol Definitions (Pattern Files)

2Notes for non-conformists

Actually doing stuff

1. Blocking

2. Bandwidth Restriction

3. Accouting

More Information

Dealing with FTP, IRC, etc.

The "unset" and "unknown" matches

Upgrading the protocol definitions

Other things to know

proftpd服务启动的问�?Starting proftpd: execvp: No such file or directory

UNIX�~�程艺术的一�D�话

linux下so文�g的创建及调用�Ҏ��

(转蝲)iptables的man中文文档

(转蝲)apachectl startssl启动apache自动�q�行输入密码

apachectl startssl启动apache自动�q�行输入密码

apache2.2中配�|�ssl

ubuntu下安装mysql的注意事��?-innodb

dhcp client问题

ubuntu下安装php及phpMyAdmin

ubuntu server版本上安装xwindow

安装apache的错误问题解�? error,APR with the bundled APR-utilq错误解决

configure: error,APR with the bundled APR-utilq错误解决

clickstream��目体会

¹How to patch a source tree

²Notes for non-conformists