Saturday, April 08, 2006

Bandwidth Throttling using squid

What is Bandwidth throttling :

Consider we are having 512Kbps Internet connection line. And the system administrator wants to divide the whole bandwidth into two sections. Read More
One for the normal users and the other for special users who need high speed internet connection. So that all the normal users can use 256 Kbps and the special users can use the remaining 256 Kbps. So in this case you have to make a bandwidth throttling to differentiate the whole single pipe line into two sections. This can be achieved using squid proxy server.

Squid main configuration file ----- /etc/squid/squid.conf
Squid log file ----- /var/log/squid/access.log
Cache log file ----- /var/log/squid/cache.log

Bandwidth throttling in squid is done using Delay Pools. Delay pools uses bucketing system.

Throttle Calculations
512Kbps(Kilo bits per second) -----> 64Kbytes -----> 64000bytes
256Kbps -----> 32Kbytes -----> 32000bytes
128Kbps -----> 16Kbytes -----> 16000bytes
64Kbps -----> 8Kbytes -----> 8000bytes

Points to remember in Delay Pools:
There are basically three things to note, they are - delay pools, delay class, delay parameters.

Delay pool --- Defines how many pools we want to use
Delay Class ---- Defines type of the pool you are going to use.
Delay Parameter � allots the restrictions and fill rate/maximum bucket size.

As I have said previously in this documentation delay pools uses bucketing system.
Now there are three types of buckets

Class 1 pool: A single aggregate bucket, shared by all users
Class 2 pool: One aggregate bucket, 256 individual buckets
Class 3 pool: One aggregate bucket, 256 network buckets, 65,536 individual buckets

If you still have any problem in the above syntax (ie) aggregate, network and individual buckets to understand, then here is a simple syntax/example for all these

For Class 1 delay pool
delay_parameters 1 32000/32000

For Class 2 delay pool
delay_parameters 1 48000/48000 48000/48000

For Class 3 delay pool
delay_parameters 2 32000/32000 8000/8000 16384/16384

Example Setup:
One 512Kbps pipe line. We want to distribute the whole pipe line into 2. One for normal users and other for special users as follows
Normal users --- 128 Kbps
Special Users --- 384 Kbps

Configuration Setup File /etc/squid/squid.conf:
Before getting into the delay pools setup first create the acl(Access Control List). Through acl you can define rules according to your requirements. Find the Access Control section in the squid.conf file.
Here is an example:

acl superusers src 192.168.1.1 192.168.1.2 192.168.1.3
acl mynetwork src 192.168.1.0/255.255.255.0

Here in the above example only three users are special users who need 256Kbps bandwidth which are listed in the specialusers label and the whole network including he special users are labeled as mynetwork.

After creating the users you have to allow them to access the internet. Below line specifies for allowing the mentioned labeled users.

http_access allow superusers
http_access allow mynetwork

Now comes the funny part Delay Pools. Here We will deal with a basic example for delay pools.

The example is as follows: We are having 512Kbps pipe line connection. We want to divide it into segments one for the special users, web servers and the other for the normal users in the organization. The special users and the web servers are given 384Kbps speed and the remaining 128Kbps for the normal users.

Delay Pools for super users:
Check for the delay pools section in the squid.conf file.
Start the configuration for delay pools as follows
==================================
########## Delay Pools############
==================================

delay_pools 2

As described above we have to create 2 delay pools, one for each delay class.
====================================================
######### Defining Delay pool 1 in class 2 #########
====================================================

delay_class 1 2
delay_parameters 1 48000/48000 48000/48000
delay_access 1 allow superusers

The first line specifies Delay Class which defines delay pool 1 for the delay class 2.

Why we are using delay class 2 here?

The first part on the second line ie �1� defines the pool One(1)

The second part on second line defines the aggregate 48000/48000(restore/max). where restore is the number of bytes (not bits - modem and network speeds are usually quoted in bits) per second placed into the bucket, and maximum is the maximum number of bytes which can be in the bucket at any time.

The third part on second line is individual buckets again 48000/48000(restore/max). All the special users and the web servers should obtain the same speed of 384 Kbps.

The third line allows the super users to fall in that bucket.

=====================================================
######### Defining Delay pool 2 in class 3 #########
=====================================================

Delay Pools for normal users:

delay_class 2 3
delay_parameters 2 32000/32000 8000/8000 16384/16384
delay_access 2 allow !superusers

The first line specifies Delay Class which defines delay pool 2 for the delay class 3.

The first part on the second line ie �2� defines the pool Two(2) of class three(3)

The second part on second line defines the aggregate 32000/32000(restore/max) as aggregate (ie for whole).
Note : - If you use -1/-1. �-1� indicates �unlimited�.

The third part on second line is network bucket. We have defined here 8000/8000 .

The fourth part on second line is for individual.

The third line specifies to throttle all the users except the super users.

How to check:
First set proxy settings in your browser as follows:
Go to any client machine and open an IE(Internet Explorer). Select "Tools" menu then select "Internet Options" then select "Connections" tab. After that select the "LAN Settings" button, you will get a new pop-up window there you select "Use proxy server for your LAN" check box and finally give your squid proxy servers ip address and the port on which the squid proxy server is configured. Now press "OK" and again press "OK". Cloase the window and now open a new window.
Second Check by downloading any large file

Start to download any lage file not less than 10MB size. Because when ever you download any small file it used to download it quickly. When you start downloading large file at first if you note some starting bytes of the file gets downloaded quickly and later it gets slowed down.

Keep a note on the download pop-up box which shows the speed limits in "kbps". When we start downloading note on the pop-up box the speed limits in kbps shows high value and then slowly gets decreased. This means when you start downloading the bucket gets filled and slowly it decreases and becomes stable to the specified limit in Kbps according to the configuration. Remember again as i told restore value is used to set the download speed, and the max value lets you set the size at which the files are to be slowed down from.

Improve Squid Caching

1. Create separate partitions for /var/squid/0 and /var/squid/1
2. Edit /etc/squid/squid.conf and specify following settings in it:

cache_dir diskd /var/squid/0/cache0 1536 32 64
cache_dir diskd /var/squid/1/cache0 1536 32 64
cache_dir diskd /var/squid/0/cache1 1536 32 64
cache_dir diskd /var/squid/1/cache1 1536 32 64
cache_dir diskd /var/squid/0/cache2 1536 32 64
cache_dir diskd /var/squid/1/cache2 1536 32 64

3. Comment the following parameters:
cache_mem 8 MB

4. If possible make this two partitions reiserfs.

Thursday, April 06, 2006

How to Compile gcc 3.4.4 on aix

## Build environment
# make -v
GNU Make 3.80
# gcc -v
Reading specs from /usr/bin/../lib/gcc-lib/powerpc-ibm-aix5.2.0.0/2.9-aix51-020209/specs
gcc version 2.9-aix51-020209
# CONFIG_SHELL=/usr/local/bin/bash
# export CONFIG_SHELL
# /usr/local/src/gcc-3.4.2/gcc-3.4.2/config.guess
powerpc-ibm-aix5.2.0.0
# /usr/local/src/gcc-3.4.2/gcc-3.4.2/configure --enable-languages=c,c++ --enable-threads=aix --disable-nls
# date
Mon Oct 18 13:51:06 PDT 2004
# make -j 2
# date
Mon Oct 18 15:00:12 PDT 2004
## Note - this is a 2-processor system (IBM P15).
## I did the build twice, with and without -j 2 and saw no performance gain/loss.
## Results
# gcc -v
Reading specs from /usr/local/lib/gcc/powerpc-ibm-aix5.2.0.0/3.4.2/specs
Configured with: /usr/local/src/gcc-3.4.2/gcc-3.4.2/configure --enable-languages=c,c++ --enable-threads=aix --disable-nls
Thread model: aix
gcc version 3.4.2

Tuesday, April 04, 2006

How to Compile Linux 2.6 Kernel

How To Compile Linux 2.6 Kernel on redhat 9/8

STEP 1:

Download the latest version of the kernel and any patches.
This documentation is done with linux-2.6.3, but look for
later versions.
Read More

http://www.kernel.org/pub/linux/kernel/v2.6/

Also take a look at
http://www.codemonkey.org.uk/post-halloween-2.5.txt This has
some useful hints on some of the changes needed.



STEP 2:

Download the latest version of module-init-tools
"module-init-tools-3.0.tar.gz" and
"modutils-2.4.21-23.src.rpm"

http://www.kernel.org/pub/linux/kernel/people/rusty/modules/module-init-tools-3.0.tar.gz
http://www.kernel.org/pub/linux/kernel/people/rusty/modules/modutils-2.4.21-23.src.rpm



STEP 3:

Install module-init-tools. This will replace depmod
[/sbin/depmod] and other tools.

tar -zxvf module-init-tools-3.0.tar.gz
cd module-init-tools-3.0
./configure --prefix=/sbin
make
make install
./generate-modprobe.conf /etc/modprobe.conf



STEP 4:

Install modutils-2.4.21-23.src.rpm. You may get warnings
about user rusty and group rusty not existing. Also, yes,
you'll have to force the install. If you don't do these steps
for both Redhat 9 and Redhat 8, you'll have problems with the
make modules_install.

rpm -i modutils-2.4.21-23.src.rpm
rpmbuild -bb /usr/src/redhat/SPECS/modutils.spec
rpm -Fi /usr/src/redhat/RPMS/i386/modutils-2.4.21-23.i386.rpm



STEP 5:

Install and configure the kernel. Do NOT use the /usr/src/linux
area! Reference the README. I put my files in /home/src/kernel/

gunzip linux-2.6.3.tar.gz tar -xvf linux-2.6.3.tar cd
linux-2.6.3

If you have patches install these now:

bzip2 -dc ../patch-2.6.xx.bz2 | patch -p1



STEP 6:

Copy the appropriate /usr/src/linux-2.4/configs
[kernel-2.4.20-i686.config, kernel-2.4.20-i686-smp.config]
to .config in whatever directory you are installing. In my
case it's /home/src/kernel/linux-2.6.3

cp /usr/src/linux-2.4/configs/kernel-2.4.20-i686.config /home/src/kernel/linux-2.6.3/.config

If you don't have the source configs, you can download them
from here:

https://sourceforge.net/project/showfiles.php?group_id=79320&package_id=109944

I've also included a file config2.6-chirico which was a 2.6
version for some of my systems. This isn't a bad reference if
you run into trouble.



STEP 7:

Assuming you copied the appropriate kernel-2.4 config to
.config, run the following which will run through necessary
questions for the 2.6 kernel. Or, you might want to use the
config2.6-chirico...this has already been run through make
oldconfig on my system, and I've answered the necessary questions
for a general system.

make oldconfig



STEP 8:

This is very important. Make sure you're .config has the
following in it CONFIG_EXT3_FS=y You'll run into the following
error if you leave this =m instead of =y:

pivotroot: pivot_root(/sysroot,/sysroot/initrd) failed

This is because Redhat 9.0 and 8.0 use the ext3 filesystem
for /boot ...



STEP 9:

Edit the Makefile and add changes to the Extraversion is needed.
Patches will update these values as well.

VERSION = 2
PATCHLEVEL = 6
SUBLEVEL = 3
EXTRAVERSION = -skim-ch6



STEP 10:

make bzImage



STEP 11:

make modules



STEP 12:

make modules_install



STEP 13:

make install

If you come across errors here, what version of "depmod" is
being picked up in your path?

Also, if you get a module not found, say the following:
No module aic7xxx found for kernel 2.6.x
Then, in /lib/modules/2.6.x/kernel/drivers/scsi/aic7xxx/
cp aic7xxx.ko aic7xxx.o

insmod should look for aic7xxx.ko ;but , it looks for aic7xxx.o

If you still have trouble, make the following change in the
.config
CONFIG_BLK_DEV_SD=y
and go back to STEP 10.

You also may want to ref
kernel-2.6.3-i686-smp-chirico-aic7xxx.config
in
http://prdownloads.sourceforge.net/souptonuts/configs-0.3.tar.gz?download



STEP 14:

mkdir /sys



STEP 15:

/etc/rc.sysinit needs to be modified. Look for the following
line:

action $"Mounting proc filesystem: " mount -n -t proc /proc /proc

and after this line enter the following:

action $"Mounting sysfs filesystem: " mount -t sysfs none /sys

Here's my /etc/rc.sysinit for reference:

http://prdownloads.sourceforge.net/souptonuts/rc.sysinit.txt?download



Be very careful at this step. Backup the /etc/rc.sysinit file.

Thomer [http://thomer.com/linux/migrate-to-2.6.html ] also added
changes to /etc/fstab. I only had to do STEP 16 below.



STEP 16:

Add the following to /etc/fstab for usb support.

/proc/bus/usb /proc/bus/usb usbdevfs defaults 0 0



STEP 17 (CHECKING EVERYTHING):

Check the following:

a. The new image file should be installed on boot and there
should be sym link to it. My latest kernel is 2.6.3-skim-ch6,
and I got the "-skim-ch6" from the values I put in the Makefile,
so I see the following:

/boot
vmlinuz -> vmlinuz-2.6.3-skim-ch6
System.map -> System.map-2.6.3-skim-ch6

/boot/grub/grub.conf Should have been automatically
updated from make.

In /boot/grub/grub.conf change "default=0" to boot
with the new kernel. Here's an example of my
grub.conf:


# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to
# root (hd0,2)
# kernel /vmlinuz-version ro root=/dev/hda6
# initrd /initrd-version.img
#boot=/dev/hda
default=0
timeout=10
splashimage=(hd0,2)/grub/splash.xpm.gz
title Red Hat Linux (2.6.3-skim-ch6)
root (hd0,2)
kernel /vmlinuz-2.6.3-skim-ch6 ro root=LABEL=/
initrd /initrd-2.6.3-skim-ch6.img


b. The directory /sys exists

c. You added the mount command for sys in /etc/rc.sysinit

d. CONFIG_EXT3_FS=y was used in the .config

e. Run /sbin/lsmod or cat /proc/modules to make
sure a 2.4 kernel module wasn't forgotten. Also
look at "$cat /proc/iomem"



STEP 18 (DEVELOP YOUR OWN 2.6 MODULES):

You're done with the 2.6 build. So learn how to develop
2.6 kernel modules. First, checkout the following article

http://lwn.net/Articles/driver-porting/

Then, take a look at the following sample code, which shows how
to create /proc entries for communicating with the kernel and writing
out to any available tty device.

http://prdownloads.sourceforge.net/souptonuts/procreadwrite.0.0.1a.tar.gz?download




REFERENCES:

http://www.codemonkey.org.uk/post-halloween-2.5.txt
http://kerneltrap.org/node/view/799
http://thomer.com/linux/migrate-to-2.6.html
http://www.kernel.org/

http://bugzilla.kernel.org/
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&group=linux.kernel
http://linuxdevices.com/articles/AT3855888078.html

http://prdownloads.sourceforge.net/souptonuts/README_26.txt?download
http://prdownloads.sourceforge.net/souptonuts/rc.sysinit.txt?download
http://prdownloads.sourceforge.net/souptonuts/configs-0.3.tar.gz?download
https://sourceforge.net/forum/forum.php?forum_id=353715

http://www.redhat.com/software/rhel/kernel26/
http://www.tldp.org/HOWTO/KernelAnalysis-HOWTO.html
http://www-124.ibm.com/linux/projects/?topic_id=2

KERNEL DRIVER DEVELOPMENT IN 2.6:

Excellent (series of articles):
http://lwn.net/Articles/driver-porting/

Here's my sample program:
http://prdownloads.sourceforge.net/cpearls/procreadwrite.0.0.1a.tar.gz?download

Good but dated for 2.4 kernel:
http://www.oreilly.com/catalog/linuxdrive2/

http://linuxdevices.com/articles/AT4389927951.html
http://linuxdevices.com/articles/AT5793467888.html

How to Compile 2.6 kernel for RedHat 9/8

How to Compile 2.6 kernel for RedHat 9/8
Mike Chirico
Last Updated: Wed Mar 24 09:12:06 EST 2004

The latest version of this document can be found at:
http://prdownloads.sourceforge.net/souptonuts/README_26.txt?download

For configs ref:
http://sourceforge.net/project/showfiles.php?group_id=79320&package_id=109944

How to Configure Infrared Device on Linux

How to Configure Infrared Device on Linux

http://tldp.org/HOWTO/Infrared-HOWTO/index.html
Configuring Linux


This is a basic article on how to configure Linux so that it will run your webserver, telnet, ftp, mysql etc. It is primarily focused for Fedora/RedHat releases but applies to almost all server based flavors.
Read More


Summary of Commands
Trying to Start:

Then try doing this:
httpd cd /etc/rc.d/init.d/
then type:
./httpd start
mysql cd /etc/rc.d/init.d/
then type:
./mysqld start
telnet Edit the file /etc/xinetd.d/telnetd
changing the two lines to:
# default: on
disabled = no
then try doing this
/etc/rc.d/init.d/xinetd restart
ftp
Edit the file /etc/xinetd.d/wu-ftpd
changing the two lines to:
# default: on
disabled = no
then run the command
/etc/rc.d/init.d/xinetd restart



Details of Configuring Linux
EDITORS NOTE: Some of the newest flavors of Linux have changed the locations of the configuration files. For this reason please note that most of these commands apply best to Fedora/Redhat. However, some configuration commands like the use of xinetd or running chkconfig are useful on almost all Linux/Unix systems.

First off, I should mention that this guide is best used when in front of your Linux computer, with an open xterm session. The exact commands come from RedHat 7.1+ related server, but apply to most Linux servers.

TIP 1. When you need to find a particular file/directory then use the 'locate' command (on Fedora slocate works well too) to find things on your server. Like, typing: locate xinetd


TIP 2. If you did not know this already, all of the web server html files for Fedora are placed under: /var/www/html


Step 1. Which Processes are Running On Your Server?
If you don't know, then you need to find out asap! Use the command:
/sbin/chkconfig --list


The output would look something like:

httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
telnet: off



The above command will give you a long list of processes with info beside them like "off". Any process with the word "off" next to it can be assumed disabled by default during startup. You should look for your processes that are usually needed for running a webserver like httpd, telnet, wu-ftp, mysqld. All of these should be "on" by default.


Step 2. Get Processes Started
Starting up your webserver (httpd), mysql (mysqld), sendmail, etc. is easy so long as you follow the directions from the steps below.

For your webserver and mysql, you can enable these things right away for use during this session.

Change to the initialization (aka init) directory:
cd /etc/rc.d/init.d/

This directory (when listed) shows all processes you can start like httpd and mysqld. For now let's start our web server with the command:
./httpd start

You should then see:
Starting httpd: [ OK ]


Now enable your webserver (httpd) for ALL future STARTUPS!

1. Edit the config files as applied to the "rc" directory of your choice. Remember that all resource files activated at different run times are in different rc.d directories. For instance, when your server is loaded at runtime level 5 (usual) then all the resources under rc5.d are activated. Change directory to:
/etc/rc.d/rc5.d
Remember that the rc5.d is a resource directory (under /etc) for run level 5... etc.

You edit files in these directories to control what occurs at different run levels. Files with a prefix of K are NOT installed to run at startup. Files with S are ready to run at startup. Example names: K74ypserv or S14nfslock.

You can always use something like the command:
/sbin/chkconfig --add httpd
to add the web server to the future startups. However, I prefer doing my change manually.

2. You can manually force this by simply using a command like:
mv K15httpd S15httpd


Summary for those needing one... You now should have your webserver started and ready as default for all future starts with:
./httpd start
mv k15httpd s15httpd



Step 3. What About telnet and ftp?
Ok, you're smart enough to have noticed that following the steps above you can not get telnet or ftp started. That's because they are not part of the initd process, but rather the xinetd process. The xinetd process handles the startup of all of your network related protocols etc.

1st Start telnet first by changing directories to xinetd:
cd /etc/xinetd.d/

Next type ls to list all of the processes that can be configured. You'll notice for instance the file telnet.

2nd Edit the telnet file and change two lines:
# default: on
...
disabled = no

These lines are not adjacent, but usually the first and last lines of the configuration file (in our case telnet). You need to edit all configuration files that apply to things you're trying to start. Many processes come by default turned off and disabled = yes. You can edit files like telnet, wu-ftp, etc.


3rd Once you have edited and saved the files with the default on and disabled = no, you can force an automatic restart of the xinetd to load without rebooting:
/etc/rc.d/init.d/xinetd restart

Finally, you should see:
Stopping xinetd: [ OK ] Starting xinetd: [ OK ]



Believe it or not, following all of this you should now have running:
httpd (webserver)
telnet


Now check to see what processes you have running again by using:
/sbin/chkconfig –list
or use the long "process" ps command like: ps -e | grep http.

You can use these same steps above to get mysql and ftp running. Replace httpd with mysql, and telnet with wu-ftpd. Always remember there is a difference between configuration and startup files under initd and xinetd.

Hopes this helps you get going! Special thanks to John for his inspiration and to Tom for catching a typo that could have mislead readers!

Monday, April 03, 2006

Beginers Area Launched

Well a good News for Beginers I have launched a Beginers Area So Its Just the Place for u if u are a NewBie It will Feature everything Which Suits for Beginers Hope you will like it http://www.beginlinux.blogspot.com

Oracle 10g

======
RHEL4
======
Oracle Database 10g Release 2 is certified to run the base release of
RHEL4 (Advanced Server and Enterprise Server) without updates. (Free
evaluation copies of RHEL4 are available for download.) If you have update
CDs, you can use the boot CD from the update instead of the boot CD
from the base release to automatically apply all updates during the
installation. All updates from Red Hat are supported by Oracle.
Read More


The easiest and fastest way to apply the updates for a fresh install of
Linux is to perform the install by using the update CDs. If Linux is
already installed or you don't have the updates on CDs, they can be
applied through RHN. Because this guide is designed for a fresh Linux
install, you'll use the update CDs.

1. Boot the server using the first CD.
* You may need to change your BIOS settings to allow booting
from the CD.
2. The boot screen appears with the boot: prompt at the bottom of
the screen.
* Select Enter to continue with a graphical install on the
console. (For other installation methods and options, refer to the Red
Hat Installation Guide.)
* The installer scans your hardware, briefly displays the Red
Hat splash screen, and then begins a series of screen prompts.
3. Language Selection
* Accept the default.
4. Keyboard Configuration
* Accept the default.
5. Welcome Screen
* Click on Next.
6. Disk Partitioning Setup
* A thorough treatment of disk partitioning is beyond the
scope of this guide, which assumes that you are familiar with disk
partitioning methods.

(WARNING: Improperly partitioning a disk is one of the
surest and fastest ways to wipe out everything on your hard disk. If you
are unsure how to proceed, stop and get help, or you will risk losing
data!)

This guide uses the following partitioning scheme, with
ext3 for each filesystem:

The 9GB disk on the first controller (/dev/sda) will hold
all Linux and Oracle software and contains the following partitions:
- 100MB /boot partition
-1,500MB swap partition—Set this to at least twice the
amount of RAM in the system but to no more than 2GB. (Thirty-two-bit
systems do not support swap files larger than 2GB.) If you need more than 2GB
of swap space, create multiple swap partitions.
-7,150MB root partition—This partition will be used for
everything, including /usr, /tmp, /var, /opt, /home, and more. This
approach is purely to simplify installation for the purposes of this guide. A
more robust partitioning scheme would separate these directories onto
separate filesystems.
7. Boot Loader Configuration
* Accept the default.
8. Network Configuration
* It is usually best to configure database servers with a
static IP address. To do so, click on Edit .
* A pop-up window appears. Uncheck the Configure using DHCP
box, and enter the IP Address and Netmask for the server. Be sure that
Activate on boot is checked, and click on OK .
* In the Hostname box, select manually and enter the
hostname.
* In the Miscellaneous Settings box, enter the remaining
network settings.
9. Firewall Configuration
* For the purposes of this walk-through, no firewall is
configured. Select No firewall
* Select Disabled on the "Enable SELinux" drop down list.
* Click on Proceed when the "Warning - No Firewall" window
appears.
10. Additional Language Support
* Accept the default.
11. Time Zone Selection
* Choose the time settings that are appropriate for your
area. Setting the system clock to UTC is usually a good practice for
servers. To do so, click on System clock uses UTC.
12. Set Root Password
* Enter a password for root, and enter it again to confirm.
13. Package Installation Defaults
* Select Customize software packages to be installed.
14. Package Group Selection
* Select only the package sets shown here and leave all
others unselected.
* Desktop
o X Window System
o Gnome
* Applications
o Graphical Internet (optional)
* Servers
o Do not select anything in this group.
* Development
o Development Tools
* System
o Administration Tools
o System Tools
+ Add the package 'sysstat' by clicking on the
Details link and selecting "sysstat - The sar an iostat system monitoring
commands." from the Optional Packages list.
* Miscellaneous
o Do not select anything in this group.
* Click on Next to proceed.
15. Installing Packages
* Software will be copied to the hard disk and installed.
Change disks as prompted.
16. Congratulations
* Remove the installation media from the system, and click on
Reboot .
17. The system automatically reboots and presents a new welcome
screen.
* Click on Next.
18. License Agreement
* Read the license agreement. If you agree to the terms,
select Yes, I agree to the License Agreement and click on Next.
19. Date and Time
* Set the Date and Time.
* If you want to use an NTP server (recommended), select
Enable Network Time Protocol and enter the name of the NTP server.
20. Display
* Accept the defaults or change as required.
21. Red Hat Login
* Enter your Red Hat Network login and password or create a
new one.
22. System User
* Create an account for yourself.
* Do not create an account for oracle at this time. Creating
the oracle account is covered later in this section.
23. Additional CDs
* Click on Next.
24. Finish Setup
* Click on Next.
25. A graphical login screen appears.
26. Congratulations! Your RHEL4 software is now installed.

Verifying Your Installation

Required kernel version: 2.6.9-5.0.5.EL This kernel, or any of the
kernels supplied in updates, works with Oracle Database 10g Release 2 .

Check your kernel version by running the following command:

uname -r

Ex:
# uname -r
2.6.9-22.ELsmp

Once you've completed the steps above, all of the packages required for
Oracle Database 10g Release 2 will have been installed. Verify this
using the example below.
Required package versions (or later):

* binutils-2.15.92.0.2-10.EL4
* compat-db-4.1.25-9
* control-center-2.8.0-12
* gcc-3.4.3-9.EL4
* gcc-c++-3.4.3-9.EL4
* glibc-2.3.4-2
* glibc-common-2.3.4-2
* gnome-libs-1.4.1.2.90-44.1
* libstdc++-3.4.3-9.EL4
* libstdc++-devel-3.4.3-9.EL4
* make-3.80-5
* pdksh-5.2.14-30
* sysstat-5.0.5-1
* xscreensaver-4.18-5.rhel4.2
* libaio-0.3.96
* openmotif21-2.1.30-11.RHEL4.2 (Required only to install Oracle
demos. Installation of Oracle demos is not covered by this guide.)

To see which versions of these packages are installed on your system,
run the following command:

rpm -q binutils compat-db control-center gcc gcc-c++ glibc glibc-common
gnome-libs libstdc++ libstdc++-devel make pdksh sysstat xscreensaver
libaio openmotif21

Ex:
# rpm -q binutils compat-db control-center gcc gcc-c++ glibc
glibc-common > gnome-libs libstdc++ libstdc++-devel make pdksh sysstat xscreensaver
libaio openmotif21
binutils-2.15.92.0.2-15
compat-db-4.1.25-9
control-center-2.8.0-12.rhel4.2
gcc-3.4.4-2
gcc-c++-3.4.4-2
glibc-2.3.4-2.13
glibc-common-2.3.4-2.13
gnome-libs-1.4.1.2.90-44.1
libstdc++-3.4.4-2
libstdc++-devel-3.4.4-2
make-3.80-5
pdksh-5.2.14-30.3
sysstat-5.0.5-1
xscreensaver-4.18-5.rhel4.9
libaio-0.3.103-3
openmotif21-2.1.30-11.RHEL4.4

=====================================================================================
Part II: Configuring Linux for Oracle
=====================================================================================

Now that the Linux software is installed, you need to configure it for
Oracle. This section walks through the steps required to configure
Linux for Oracle Database 10g Release 2.

Verifying System Requirements

To verify that your system meets the minimum requirements for an Oracle
Database 10g Release 2 database, log in as root and run the commands
below.
To check the amount of RAM and swap space available, run this:

grep MemTotal /proc/meminfo
grep SwapTotal /proc/meminfo

Ex:
# grep MemTotal /proc/meminfo
MemTotal: 1034680 kB
# grep SwapTotal /proc/meminfo
SwapTotal: 1534196 kB

The minimum RAM required is 1024MB, and the minimum required swap space
is 1GB. Swap space should be twice the amount of RAM for systems with
2GB of RAM or less and between one and two times the amount of RAM for
systems with more than 2GB.

You also need 2.5GB of available disk space for the Oracle Database 10g
Release 2 software and another 1.2GB for the database. The /tmp
directory needs at least 400MB of free space. To check the available disk
space on your system, run the following command:

df -h

Ex:
# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda3 6.8G 1.3G 5.2G 20% /
/dev/sda1 99M 17M 77M 18% /boot

The example shows that the /tmp directory does not have its own
filesystem. (It's part of the root filesystem for this guide.) With 5.2 GB
available, the root filesystem has just enough space for the installation
(2.5 + 1.2 + 0.4 = 4.1GB) with a little room left over.

Create the Oracle Groups and User Account

Next, create the Linux groups and user account that will be used to
install and maintain the Oracle Database 10g Release 2 software. The user
account will be called oracle, and the groups will be oinstall and dba.
Execute the following commands as root:

/usr/sbin/groupadd oinstall
/usr/sbin/groupadd dba
/usr/sbin/useradd -m -g oinstall -G dba oracle
id oracle

Ex:
# /usr/sbin/groupadd oinstall
# /usr/sbin/groupadd dba
# /usr/sbin/useradd -m -g oinstall -G dba oracle
# id oracle
uid=501(oracle) gid=502(oinstall) groups=502(oinstall),503(dba)

Set the password on the oracle account:

passwd oracle

Ex:
# passwd oracle
Changing password for user oracle.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Create Directories

Now create directories to store the Oracle Database 10g Release 2
software and the database files. This guide adheres to the Optimal Flexible
Architecture (OFA) for the naming conventions used in creating the
directory structure. For more information on OFA standards, see Appendix C
of the Oracle Database Installation Guide 10g Release 2 (10.2) for
Linux x86.

The following assumes that the directories are being created in the
root filesystem. This is done for the sake of simplicity and is not
recommended as a general practice. These directories would normally be
created as separate filesystems.

Issue the following commands as root:

mkdir -p /u01/app/oracle
chown -R oracle:oinstall /u01/app/oracle
chmod -R 775 /u01/app/oracle

Ex:
# mkdir -p /u01/app/oracle
# chown -R oracle:oinstall /u01/app/oracle
# chmod -R 775 /u01/app/oracle

Configuring the Linux Kernel Parameters

The Linux kernel is a wonderful thing. Unlike most other *NIX systems,
Linux allows modification of most kernel parameters while the system is
up and running. There's no need to reboot the system after making
kernel parameter changes. Oracle Database 10g Release 2 requires the kernel
parameter settings shown below. The values given are minimums, so if
your system uses a larger value, don't change it.

kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default=262144
net.core.wmem_default=262144
net.core.rmem_max=262144
net.core.wmem_max=262144

If you're following along and have just installed Linux, the kernel
parameters will all be at their default values and you can just cut and
paste the following commands while logged in as root.

cat >> /etc/sysctl.conf <kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default=262144
net.core.wmem_default=262144
net.core.rmem_max=262144
net.core.wmem_max=262144
EOF
/sbin/sysctl -p

Ex:
# cat >> /etc/sysctl.conf <> kernel.shmall = 2097152
> kernel.shmmax = 536870912
> kernel.shmmni = 4096
> kernel.sem = 250 32000 100 128
> fs.file-max = 65536
> net.ipv4.ip_local_port_range = 1024 65000
> EOF
# /sbin/sysctl -p
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shmmni = 4096
kernel.sem = 250 32000 100 128
fs.file-max = 65536
net.ipv4.ip_local_port_range = 1024 65000
net.core.rmem_default = 262144
net.core.wmem_default = 262144
net.core.rmem_max = 262144
net.core.wmem_max = 262144

Run the following commands as root to verify your settings:

/sbin/sysctl -a | grep shm
/sbin/sysctl -a | grep sem
/sbin/sysctl -a | grep file-max
/sbin/sysctl -a | grep ip_local_port_range
/sbin/sysctl -a | grep rmem_default
/sbin/sysctl -a | grep rmem_max
/sbin/sysctl -a | grep wmem_default
/sbin/sysctl -a | grep wmem_max

Ex:
# /sbin/sysctl -a | grep shm
kernel.shmmni = 4096
kernel.shmall = 2097152
kernel.shmmax = 536870912
kernel.shm-use-bigpages = 0
# /sbin/sysctl -a | grep sem
kernel.sem = 250 32000 100 128
# /sbin/sysctl -a | grep file-max
fs.file-max = 65536
# /sbin/sysctl -a | grep ip_local_port_range
net.ipv4.ip_local_port_range = 1024 65000
# /sbin/sysctl -a | grep rmem_default
net.core.rmem_default = 262144
# /sbin/sysctl -a | grep rmem_max
net.core.rmem_max = 262144
# /sbin/sysctl -a | grep wmem_default
net.core.wmem_default = 262144
# /sbin/sysctl -a | grep wmem_max
net.core.wmem_max = 262144

For Novell SUSE Linux releases, use the following to ensure that the
system reads the /etc/sysctl.conf file at boot time:

/sbin/chkconfig boot.sysctl on

Setting Shell Limits for the oracle User

Oracle recommends setting limits on the number of processes and open
files each Linux account may use. To make these changes, cut and paste
the following commands as root:

cat >> /etc/security/limits.conf <oracle soft nproc 2047
oracle hard nproc 16384
oracle soft nofile 1024
oracle hard nofile 65536
EOF

cat >> /etc/pam.d/login <session required /lib/security/pam_limits.so
EOF

For RHEL4, use the following:

cat >> /etc/profile <if [ \$USER = "oracle" ]; then
if [ \$SHELL = "/bin/ksh" ]; then
ulimit -p 16384
ulimit -n 65536
else
ulimit -u 16384 -n 65536
fi
umask 022
fi
EOF

cat >> /etc/csh.login <if ( \$USER == "oracle" ) then
limit maxproc 16384
limit descriptors 65536
umask 022
endif
EOF

For SLES 9, use the following:

cat >> /etc/profile.local <if [ \$USER = "oracle" ]; then
if [ \$SHELL = "/bin/ksh" ]; then
ulimit -p 16384
ulimit -n 65536
else
ulimit -u 16384 -n 65536
fi
umask 022
fi
EOF

cat >> /etc/csh.login.local <if ( \$USER == "oracle" ) then
limit maxproc 16384
limit descriptors 65536
umask 022
endif
EOF

=====================================================================================
Part III: Installing Oracle
=====================================================================================

Oracle Database 10g Release 2 can be downloaded from OTN. Oracle offers
a development and testing license free of charge. However, no support
is provided and the license does not permit production use. A full
description of the license agreement is available on OTN.

The easiest way to make the Oracle Database 10g Release 2 distribution
media available on your server is to download them directly to the
server.

Use the graphical login to log in as oracle.

Create a directory to contain the Oracle Database 10g Release 2
distribution:

mkdir 10gR2_db

To download Oracle Database 10g Release 2 from OTN, point your browser
(Firefox works well) to
http://www.oracle.com/technology/software/products/database/oracle10g/htdocs/10201linuxsoft.html.
Fill out the Eligibility Export Restrictions page, and read the OTN
License agreement. If you agree with the restrictions and the license
agreement, click on I Accept.

Click on the 10201_database_linux32.zip link, and save the file in the
directory you created for this purpose (10gR2_db)—if you have not
already logged in to OTN, you may be prompted to do so at this point.

Unzip and extract the file:

cd 10gR2_db
unzip 10201_database_linux32.zip

Install the Software and Create a Database

Log in using the oracle account.
Change directory to the location where you extracted the Oracle
Database 10g Release 2 software.

Ex:
$ cd $HOME/10gR2_db

Change directory to Disk1.

Ex:
$ cd database

Start the Oracle Universal Installer.

$ ./runInstaller

1. Select Installation Method
* Select Basic Installation
* Oracle Home Location: /u01/app/oracle/product/10.2.0/db_1
* Installation Type: Enterprise Edition (1.3GB)
* UNIX DBA Group: oinstall
* Make sure Create Starter Database is checked
* Global Database Name: demo1
* Enter the Database Password and Confirm Password
* Click on Next
2. Specify Inventory Directory and Credentials
* Inventory Directory: /u01/app/oracle/oraInventory
* Operating System group name: oinstall
* Click on Next
3. Product-specific Prerequisite Checks
* If you've been following the steps in this guide, all the
checks should pass without difficulty. If one or more checks fail,
correct the problem before proceeding.
* Click on Next
4. Summary
* A summary of the products being installed is presented.
* Click on Install.
5. Configuration Assistants
* The Oracle Net, Oracle Database, and iSQL*Plus
configuration assistants will run automatically
6. Execute Configuration Scripts
* At the end of the installation, a pop up window will appear
indicating scripts that need to be run as root. Login as root and run
the indicated scripts.
* Click on OK when finished.
7. End of Installation
* Make note of the URLs presented in the summary, and click
on Exit when ready.
8. Congratulations! Your new Oracle Database 10g Release 2 database
is up and ready for use.

How to get the LANn card's speed on linux

For logging on to the net or for attaching as a node on a LAN, your computer needs a network card. The network card forms the interface between your computer and the network.Read More
There are different kinds of network cards available in the market depending on its speed and other features. Here is a tip to find out the characteristics of your network card.

If you want to find what type of network card is used, its speed, on which IRQ it is listed, and the chip type used, you use the following command :

# dmesg |grep eth0

Here eth0 is the first network card. If you have additional cards, it will be named eth1, eth2 and so on. And here is the output of the above command :

divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:80:48:34:c2:84, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
divert: freeing divert_blk for eth0
divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:90:44:34:a5:33, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
eth0: no IPv6 routers present
...

The important things to note here are those highlighted in colour. As you can see from the above listing, my ethernet card is a RealTek RTL8139 chipset based card on IRQ 9 (Interrupt Request). Its speed is 100 Mbps and is a full-duplex card. And the link is up.

As is the philosophy of Linux, there is more than one way of finding the same information. Linux also comes with a cute sounding tool called mii-tool which can also be used to get the same information about your network card.

# mii-tool -v eth0

eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
...

Here -v is verbose mode. From the above listed output, one can see that the ethernet card is working as a 100baseTX, FD (Full Duplex) card which can work in the following modes :

* 100 Mbps Speed (Full duplex or half duplex ) or
* 10 Mbps speed (Full duplex or half duplex).

And it uses autonegotiation to bring up the link. You can call the above device as a 10/100 NIC.
Another tool which also does the same thing is ethtool. Try the following command on your machine to see the output.

# ethtool eth0

Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 32
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: p
Current message level: 0x00000007 (7)
Link detected: yes

Here full duplex, half duplex and auto-negotiation have the following meanings.
Full Duplex - Logic that enables concurrent sending and receiving. This is usually desirable and enabled when your computer is connected to a switch.

Half Duplex - This logic requires a card to only send or receive at a single point of time. When your machine is connected to a Hub, it auto-negotiates itself and uses half duplex to avoid collisions.

Auto-negotiation - This is the process of deciding whether to work in full duplex mode or half duplex mode. An ethernet card supporting autonegotiation will decide for itself which mode is the optimal one depending on the network it is attached to.
For logging on to the net or for attaching as a node on a LAN, your computer needs a network card. The network card forms the interface between your computer and the network.Read More
There are different kinds of network cards available in the market depending on its speed and other features. Here is a tip to find out the characteristics of your network card.

If you want to find what type of network card is used, its speed, on which IRQ it is listed, and the chip type used, you use the following command :

# dmesg |grep eth0

Here eth0 is the first network card. If you have additional cards, it will be named eth1, eth2 and so on. And here is the output of the above command :

divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:80:48:34:c2:84, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
divert: freeing divert_blk for eth0
divert: allocating divert_blk for eth0
eth0: RealTek RTL8139 at 0xd800, 00:90:44:34:a5:33, IRQ 9
eth0: Identified 8139 chip type 'RTL-8100B/8139D'
eth0: link up, 100Mbps, full-duplex, lpa 0x41E1
eth0: no IPv6 routers present
...

The important things to note here are those highlighted in colour. As you can see from the above listing, my ethernet card is a RealTek RTL8139 chipset based card on IRQ 9 (Interrupt Request). Its speed is 100 Mbps and is a full-duplex card. And the link is up.

As is the philosophy of Linux, there is more than one way of finding the same information. Linux also comes with a cute sounding tool called mii-tool which can also be used to get the same information about your network card.

# mii-tool -v eth0

eth0: negotiated 100baseTx-FD, link ok
product info: vendor 00:00:00, model 0 rev 0
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD
10baseT-HD
...

Here -v is verbose mode. From the above listed output, one can see that the ethernet card is working as a 100baseTX, FD (Full Duplex) card which can work in the following modes :

* 100 Mbps Speed (Full duplex or half duplex ) or
* 10 Mbps speed (Full duplex or half duplex).

And it uses autonegotiation to bring up the link. You can call the above device as a 10/100 NIC.
Another tool which also does the same thing is ethtool. Try the following command on your machine to see the output.

# ethtool eth0

Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: Yes
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 32
Transceiver: internal
Auto-negotiation: on
Supports Wake-on: pumbg
Wake-on: p
Current message level: 0x00000007 (7)
Link detected: yes

Here full duplex, half duplex and auto-negotiation have the following meanings.
Full Duplex - Logic that enables concurrent sending and receiving. This is usually desirable and enabled when your computer is connected to a switch.

Half Duplex - This logic requires a card to only send or receive at a single point of time. When your machine is connected to a Hub, it auto-negotiates itself and uses half duplex to avoid collisions.

Auto-negotiation - This is the process of deciding whether to work in full duplex mode or half duplex mode. An ethernet card supporting autonegotiation will decide for itself which mode is the optimal one depending on the network it is attached to.

Sunday, April 02, 2006

Dansguardian Complet Firwall for Linux

Complete Firewall for Linux – Dansguardian
(To block porn sites, jobs sites, any contents which are harmful to your network and your organization)Read More

Link for more details: www.dansguardian.org
One feature many firewall appliances have been pushing recently is content filtering proxies, whether transparent or authenticated. These content filtering proxies are a boon to individuals with young children in the house, but many of them are extremely basic. Without pointing any fingers, I had purchased a content filtering firewall appliance that promised content filtering and was sorely disappointed. The content filtering was extremely basic and was solely word-based. Unfortunately, this word list was something the end user had to enter in by hand. So if you're looking to keep your children from stumbling across some pornographic web pages, you have to get pretty creative to populate your word list. The other drawback to this particular appliance was that port forwarding didn't work. Eventually it was this drawback that convinced me to sell it; my daughter is only a year and a half and won't be surfing solo anytime soon.
As a result, I took an unused desktop computer and installed MandrakeSoft's Multi-Network Firewall 8.2 on it, to replace the now removed firewall appliance. While the end result may have been more expensive, you can't put a price on flexibility. And by using a Linux-based firewall operating system, I get all the flexibility I want.
One way you can configure MNF is to use Squid as a transparent proxy, which is ideal. No reconfiguration of the LAN to point everything to a proxy. Cached web pages. And the ability to use DansGuardian as a content filter. MNF also comes with squidGuard which is nice, but doesn't seem to be as flexible as DansGuardian when it comes to content filtering.
DansGuardian has a few requirements. It requires Squid for the web proxy, and it requires a web server like Apache. It does not require MNF, and while this was written to use DansGuardian on MNF, it will run on a variety of operating systems including any Linux, FreeBSD, OpenBSD, and even OS X (although at the time of this writing, the OS X support is alpha quality).
Configuring DansGuardian
Building DansGuardian is very straightforward. For the purpose of this tutorial, we will assume DansGuardian is installed in the system so the binary is in /usr/sbin and the configuration files are in /etc/dansguardian. DansGuardian comes with a logrotation script that is installed into /etc/dansguardian, called logrotation. This should be executed weekly, so you should add the following to your crontab (as root):
59 23 * * sat /etc/dansguardian/logrotation
You can modify your system crontab by executing crontab -e. Another alternative, for systems that use logrotate is to create a file called dansguardian in your /etc/logrotate.d directory that looks like this:
/var/log/dansguardian/access.log {
weekly
rotate 5
copytruncate
compress
notifempty
missingok
}
If you do choose to use the script that comes with DansGuardian make sure you chmod 0700 the script to make it executable.
To start DansGuardian you can use the SysV-style initscript (ie. Mandrakelinux packages come with /etc/rc.d/init.d/dansguardian which can be started by using service dansguardian start), or you can just execute dansguardian on the commandline. If you start DansGuardian in this way, you can use the typical "kill" method of stopping it, or use dansguardian -q.
The main configuration file for DansGuardian is /etc/dansguardian/dansguardian.conf. There are a number of other files included, these are the banned lists and exception lists. These files all reside in the /etc/dansguardian directory as well. Every time you make a change to any of these files, you will need to restart DansGuardian, and this can be accomplished by executing dansguardian -r as root.
The following files make up the overall configuration of DansGuardian:
exceptioniplist
This file contains a list of client IP addresses that you wish to allow unrestricted access (no filtering).
exceptionphraselist
This file contains a list of phrases that, if they appear in a web page, will bypass filtering. You may want to use the weightedphraselist instead, as this can result in a lot of pages not being blocked.
exceptionsitelist
This file contains a list of domain endings that if found in the requested URL, will not be filtered.
exceptionurllist
This file contains a list of URL parts for sites where filtering should be turned off.
exceptionuserlist
This file contains a list of usernames that will not be filtered (you must use basic authentication or ident must be enabled for this to work).
bannedextensionlist
This file contains a list of file extensions that will be banned. This can be used to restrict users from downloading screen savers, executable files, viruses, and so forth.
bannediplist
This file contains a list of client IP addresses that will not get web access at all.
bannedmimetypelist
This file contains a list of MIME-types that will be banned. If a URL request returns a MIME-type in this list, DansGuardian will block it. This can be used to block movies, but shouldn't be used to graphic image files or text/html, etc.
bannedphraselist
This file contains a list of phrases that will result in banning a page. Each phrase must be enclosed between <> characters, and they may contain spaces. You can also use a combination of phrases that, if all are found in a page, will result in it being blocked.
bannedregexpurllist
This file contains a list of regular _expression URLs that will be banned. that will be banned. This can be used to restrict users from downloading screen savers, executable files, viruses, and so forth.
bannedsitelist
This file contains a list of sites that are to be banned. You can use IP addreses here as well as domain names, and can even include stock SquidGuard blacklists as well.
bannedurllist
This file contains a list of URL parts to block, which allows you to block parts of a site rather than the entire site. You can also use SquidGuard lists here as well.
banneduserlist
This file contains a list of usernames to whom, if basic proxy authentication is enabled, access will be denied automatically.
weightedphraselist
This file contains a list of phrases with a corresponding positive or negative value. As phrases are encountered in a page, the total "value" of the page will be calculated based on these values; good phrases will have negative values and bad phrases will have positive values. One the Naughtyness Limit has been reached (defined in dansguardian.conf, the page will be blocked.
pics
This file contains a number of PICS sections that allow you to fine-tune your PICS filtering. The defaults for DansGuardian are for young children (mild profanity, artistic nudity, etc.).
Each of these configuration files are very straightforward and are basically one item per line (ie. a URL or IP address, etc.).
The dansguardian.conf file is the primary configuration file for DansGuardian. It is here that you will configure things like logging, where to redirect users when attempting to access a denied page, and so forth. The file is heavily commented and fairly straightforward.
An example dansguardian.conf file without comments follows:
reportinglevel = 2
htmltemplate = '/etc/dansguardian/template.html'
accessdeniedaddress = http://10.0.5.1:8444/cgi-bin/dansguardian.pl
loglevel = 3
filterip =
filterport = 3328
proxyport = 3128
proxyip = 10.0.5.1
bannedphraselist = '/etc/dansguardian/bannedphraselist'
exceptionphraselist = '/etc/dansguardian/exceptionphraselist'
weightedphraselist = '/etc/dansguardian/weightedphraselist'
bannedsitelist = '/etc/dansguardian/bannedsitelist'
exceptionsitelist = '/etc/dansguardian/exceptionsitelist'
exceptionurllist = '/etc/dansguardian/exceptionurllist'
bannedurllist = '/etc/dansguardian/bannedurllist'
bannedregexpurllist = '/etc/dansguardian/bannedregexpurllist'
bannedextensionlist = '/etc/dansguardian/bannedextensionlist'
bannedmimetypelist = '/etc/dansguardian/bannedmimetypelist'
bannediplist = '/etc/dansguardian/bannediplist'
exceptioniplist = '/etc/dansguardian/exceptioniplist'
banneduserlist = '/etc/dansguardian/banneduserlist'
exceptionuserlist = '/etc/dansguardian/exceptionuserlist'
picsfile = '/etc/dansguardian/pics'
weightedphrasemode = 1
naughtynesslimit = 50
showweightedfound = on
reverseaddresslookups = off
createlistcachefiles = on
maxuploadsize = -1
username_id_method_proxyauth = off
username_id_method_ntlm = off # **NOT IMPLEMENTED**
username_id_method_ident = on
forwarded_for = off
maxchildren = 120
log_connection_handling_errors = on
This is a fairly standard configuration one might have; you can even use it verbatim provided you change IP addreses and port settings to match your own system.
The reportinglevel setting tells DansGuardian to fully report why access was denied (ie. give the denied phrase). You may choose to use a level of 1 instead, or 3 to use the HTML template file. If you use the HTML template file, then the htmltemplate file needs to be set to the full path and filename of the template file you wish to use. If you use a setting of 0 through 2 you will need to set the accessdeniedaddress keyword. In this case, it's pointing to the internal IP address of our firewall (10.0.5.1), and the port it listens to (in this case port 8444). It also contains the full path to the dansguardian.pl CGI script.
The loglevel keyword is to determine what gets logged to the /var/log/dansguardian/access.log logfile.
The filterip determines what IP address that DansGuardian will listen on. If left blank, all IPs will be listened on. The filterport keyword is the port that DansGuardian will bind to. The proxyip is the IP address of the proxy; usually the localhost. The proxyport is the port to use to connect to the proxy (in this case, 3128, which is the port that Squid is listening on).
The keywords following are all related to the various configuration files discussed earlier, and simply include them to be a part of the configuration.
The weightedphrasemode determines how weighted phrases are used. A setting of 1 is for normal operation. The naughtynesslimit keyword sets the limit over which a page will be blocked. This is based on the values of the weightedphraselist file and each "hit" on a page will modify the naughtyness of the page. The higher the rating, the "naughtier" the page. As a general rule of thumb, with the default settings, a limit of 50 is suitable for young children, 100 for older children, and 160 for young adults.
The showweightedfound keyword determines whether the phrases found that made up the total that exceeds the naughtyness limit will be logged, and if reportinglevel is set to 2, reported.
The reverseaddresslookups keyword determines whether or not DansGuardian will look up the forward DNS for an IP URL address and search for both the banned site and URL lists. This is useful for preventing a user from simply entering the IP address for a banned site. It can also have an impact on the searching speed, however.
The createlistcachefiles keyword determines whether or not the bannedsitelist and bannedurl files will be cached. Fast computers do not need this, but on slower computers this could result in a significant process start speed increase.
The maxuploadsize keyword is used for POST protection on web upload forms. A setting of -1 disables, a setting of 0 blocks completely, and any other value sets the file upload size in kilobytes (after MIME encoding and headers).
The forward_for keyword, if enabled, will add an X-Forwarded-For to the HTTP request header. This may be required for some sites that need to know the source IP.
The maxchildren keyword sets the maximum number of processes to spawn to handle incoming connections. This can be used to prevent DoS attacks from killing the server by maxing out spawned processes.
The log_connection_handling_errors keyword is used to determine if DansGuardian will log debug info to syslog.
Configuring Squid
No real special configuration needs to be done with Squid, although the use of Squid is required. DansGuardian will appear to Squid to be a normal web browser. However, the system must be configured in such a way that users cannot bypass DansGuardian, just as they should not be able to bypass Squid. You can do this either with an authenticated proxy (ie. users must log into the proxy to be able to access the network andprovide valid credentials), or you can use a transparent proxy, one where outbound web traffic is routed through the proxy without the end user even knowing it's there; it's all done at the firewall level.
For instance, on a system with just Squid doing web proxying, you might have the firewall redirect all request to outbound port 80 (HTTP) to localhost port 3328 (the proxy). With this method, the end user does not need to reconfigure their browser, and isn't even aware of the proxy at all... until it is unable to connect to a website on their behalf or blocks a site due to DansGuardian.
Taking this further, there is a certain process that needs to be followed. What you want to accomplish is the following:
lan -> fw -> fw -> wan
Or, looking at it a different way:
client -> DansGuardian -> Squid -> server
On the Multi Network Firewall system I use, Squid is configured to list on port 3328; the port that DansGuardian listens to by default. Changing /etc/squid/squid.conf so that Squid listens now on port 3128, DansGuardian can be activated. DansGuardian will always connect to Squid on this port, so you must have Squid listening there. It's a simple matter of modifying one file and restarting Squid, then starting DansGuardian. The firewall rules for the transparent proxy don't even need to be changed as the firewall will have previously forwarded HTTP requests to port 3328 on the localhost.
A Word On Apache
The Apache configuration is extremely straightforward and not really worth mentioning, however for the sake of completeness, here it is. Apache must be running on the firewall, and your firewall rules should ensure that the outside world cannot access it. You could also configure Apache to listen to some non-standard port, perhaps port 8000 or some other un-used port. The installation of DansGuardian should have placed the file dansguardian.pl into your web server's cgi-bin directory. This is all that Apache really needs to serve, so you can lock down Apache to only serve this one particular CGI.
When DansGuardian blocks a page, it will redirect the client to the specified server to view the reasons why the page was blocked, or simply that access was denied (depending upon how you configured it). The Apache server should listen only on the internal interface (LAN-side). You can do this by setting the BindAddress keyword in your Apache configuration files.
PICS Filtering
The pics file contains information for PICS filtering. The first keyword in the file is enablePICS and this determines whether PICS filtering will be used. If it is disabled, all other PICS-related settings are ignored.
PICS stands for Platform for Internet Content Selection. This specification allows for metadata to be associated with internet content. It was designed to help control what children access on the internet, and is used in this capacity in DansGuardian.
Building on PICS is the ICRA, or Internet Content Rating Association. This also provides a rating system for websites (one may often see "We rated with RSAC" slogans on adult websites). The ICRA used to be RSAC (Recreational Software Advisory Council). A number of keywords in the pics file deal with ICRA ratings, to allow you to tailor DansGuardian to your needs. For instance, the keyword ICRAnuditygraphic would allow (1) or disallow (0) graphic nudity. You may want to disallow that, yet allow ICRAnudityeducational. It's entirely up to you. There are RSAC keywords, because many sites still use RSAC instead of using the newer ICRA rating system. The RSAC keywords have a range of 0 (none) to 4 (wanton and gratuitous). A setting of 2 is default.
Yet another rating system is the evaluWEB rating system, which is similar to the British Film classifcation system. The evaluWEBrating keyword can take the following ratings:
U - universal; suitable for children unattended
1 - PG; Parental Guidance recommended
2 - 18+; only suitable for adults
CyberNOT is another rating system, and there are two keywords that deal with it; each keyword can be a value of 0 (none) to 8 (lots). The default is 3.
SafeSurf is similar to RSAC, but contains a larger range of categories that can be set from 0 (none) to 9 (wanton and gratuitos). You can set the age of the viewer by using the SafeSurferagerange keyword to 1 (all ages), 3 (early teens, the default), to 9, explicitly for adults.
Weburbia is a similar rating system to evaluWEB.
Finally, Vancouver Webpages is another PICS-based rating system. There are a number of keywords dealing with it, each one is commented as they take different values. The general rule of thumb is that a low number is good, a high number is bad.
To really fine-tune DansGuardian you should spend a little time in the pics file adjusting it for your needs. The PICS, and similar, rating systems can help with a number of sites, but they are all voluntary. In other words, the webmaster of an adult site must voluntarily place the appropriate metadata for rating on their pages; not all webmasters do this. For some it's a matter of being lazy, for others they simply don't care. The (more or less) ethical adult sites will use one or more of these rating systems to protect children from viewing content not suitable for them.
In other words, PICS is a helpful addition to your arsenal, but you will likely see better results using weighted phrases. For instance, to include the stock weighed phrase list on pornography, you would use:
Weighted Phrases
The weightedphraselist file contains instructions on how to use weighted phrases, and includes a number of files dealing with various topics.
.Include
Feel free to add your own weighted phrases to this file or create your own and have it included in a similar manner.
This is used by the naughtyness limit that is configured in dansguardian.conf. Adding a positive weight increases the naughtyness rating, while adding a negative weight decreases it. For instance:
<10>
<><10>
,<50>
,<-30>
<-25>
The first adds 10 to the count on any occurance of the string "slut" in a page (ie. sluts, slut!, abslutxyz).
The second adds 10 the count on any occurance of the word "slut" (ie. Sally is a slut that visits...).
The third adds 50 to the count when the strings "slut" and "horny" are found on the same page.
The forth subtracts 30 from the count when the strings "breast" and "medical" are found on the same page.
Finally, if the string education is found on the page, 25 is subtracted from the count.

How To Configure SAMBA Server

What's Samba?
Samba allows linux computers to share files and printers across a network connection. By using its SMB protocol, your linux box can appear in Windows Network Neighborhood or My Network Places just like any other windows machine. Read More
You can share files this way, as well as printers. By using samba on my home network, for example, my Windows machines have access to a printer directly hooked up to my Linux box, and my Linux box has access to a printer directly hooked up to one of my Windows machines. In addition, everyone can access everyone else's shared files. You can see how samba can be very useful if you have a network of both Windows as well as Linux machines. Samba configurations are slightly different depending on the distribution you're using. Therefore, this tutorial explains how it's done on a RedHat Linux machine, as this is my distro of choice, and the only one I've ever installed samba on. The following method has been used by me on RedHat 7.2, 7.3, and 8.

Installing Samba
The first step to configuring samba is, obviously, to make sure that it's installed. In most cases, this will already be the case. It is often a good idea to install the samba daemon package with the RedHat installation. You can test to see if samba is installed by typing rpm -q samba in a terminal. This performs a query on the samba package. If installed, it will indicate the version. If not, it will indicate "package not installed". If samba is not currently installed, there are a multitude of places to get it. The RPM package is available on the RedHat CDs, on the RedHat network, or straight from www.samba.org or one of the samba mirror sites. In addition, you might wish to find it at www.rpmfind.net, a nice resource for RPM packages. Once you have the samba RPM package downloaded somewhere on your harddrive, it's time to install it. Browse to where the file is located and perform one of the following two operations:

if samba is not currently installed, rpm -i samba.rpm (replace samba.rpm with the full version name of the file) if you wish to upgrade your samba version, rpm -U samba.rpm
Now that samba is installed, we can work on configuring this program

smb.conf file
All of samba is configured in one single file, the smb.conf file. This file, located at /etc/samba/smb.conf, allows you to specify which resources on the linux machine you wish to share and who they can be accessed by. A fresh installation of samba will include a sample smb.conf file. This file is completely commented, pointing out all of your available options, and how you can change them. However, samba is an extremely powerful tool, and most casual users have no need for 3/4 of the contents of this sample file. Therefore, I'm providing my own smb.conf file below. If you wish to just share a few folders across a small home LAN, you might be better off basing your own smb.conf file off of mine, as opposed to the long-winded sample file.
[global]
workgroup = PUTIEVILLE
server string = My Lil Linux Box
hosts allow = 192.168. 127. log file = /var/log/samba/%m.
log security = user
encrypt passwords = yes s
mb passwd file = /etc/samba/smbpasswd socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[Downloads]
comment = Downloads
path = /home/windisk/Downloads
browseable = yes
writable = yes
public = yes read onfiltered= no

[homes]
comment = My Home Directory
browseable = yes
writable = yes
public = yes
read onfiltered= no

[printers]
path = /var/spool/samba
public = yes
guest ok = yes
printable = yes
browseable = yes
writable = yes
read onfiltered= no

Samba Users
Since we're using user level security (the best option when connecting to a WinNT based machine, such as Windows 2000 or Windows XP), we need to set up samba users. First, lets create the smbpasswd file that we defined in the smb.conf file. The best way to go about this is to create it based on your existing /etc/passwd file. In other words, samba users are created based on existing linux users:
cat /etc/passwd mksmbpasswd.sh > /etc/samba/smbpasswd
Chmod 600 this file (/etc/samba/smbpasswd) so that only root has read and write permissions. However, this file only copies over Linux users to samba users. It doesn't copy over their passwords, as well. Therefore, use the following command to set each samba user's password:
smbpasswd username
Obviously, replace username with each of your user's usernames. You will then be prompted to enter a password for this user account. I like to set my samba user's passwords the same as their linux user counterparts. However, this isn't necessary.

Samba Service
Now that everything has been configured, the final step is to start the samba service. Samba runs in the background as a linux daemon. Therefore, it can be controlled by typing:
service smb start
service smb stop
service smb restart
Note that once the computer is restarted or shutdown, the samba service won't start up again the next time. I use the GUI (xwindows) program serviceconf to set up all my services to execute automatically.

Connecting To A Samba Resource
Now that everything should be working, let's test it out. We use the samba client to connect to a samba resource. For testing purposes, we can connect to localhost.
smbclient //localhost/Downloads
You must specify the name of the computer as well as the resource you wish to connect to. In this case, I can connect to the Downloads resource because I specified this resource in my smb.conf file (note it points to /home/windisk/Downloads). Since you are using the samba client while already logged in as a linux user, you will only be prompted for a password. The username will be assumed to be the samba counterpart of the linux username you're currently logged in as. If you wish, you can go to a Windows machine such as Windows XP. If you open My Network Places, and browse to your workgroup, your linux machine should be listed. When trying to access it, you should be prompted with a username and password. This can be any of the samba users you previously created. Once logged in, you should see a listing of all available resources available. Congratulations! Samba should now successfully be set up and working on your network