> ls /lib/iptables/*icmp*
/lib/iptables/libip6t_icmp6.so /lib/iptables/libipt_icmp.so
> rpm -qf /lib/iptables/libipt_icmp.so
iptables-1.8.9-2.3.mga9
> rpm --verify iptables | grep icmp
S.5...... /lib/iptables.d/linux-2.6-main/libip6t_icmp6.so
S.5...... /lib/iptables.d/linux-2.6-main/libipt_icmp.so
> wc -c /lib/iptables.d/linux-2.6-main/libipt_icmp.so
0 /lib/iptables.d/linux-2.6-main/libipt_icmp.so
> ls -l /lib/iptables.d/linux-2.6-main/libipt_icmp.so
-rwxr-xr-x 1 root root 0 Dez 13 2023 /lib/iptables.d/linux-2.6-main/libipt_icmp.so
> su
... change to super-user, has uid=0 (id -a, on Linux-Live CDs also: sudo su - without password there)
> urpmi --reinstall iptables
$MIRRORLIST: media/core/updates/iptables-1.8.9-2.3.mga9.i586.rpm
iptables-1.8.9-2.3.mga9.i586.rpm von /var/cache/urpmi/rpms wird installiert
Vorbereiten … ##########################################################################################
1/1: iptables ##########################################################################################
1/1: iptables-1.8.9-2.3.mga9.i586 wird entfernt ##########################################################################################
Speicherzugriffsfehler (Speicherabzug geschrieben)
> exit ...
quit bash, leaves super-user mode here (or: the bash started in super-user mode on top of the bash in normal user mode)
> find /var/cache/urpmi/ -type f -daystart -ctime 0
/var/cache/urpmi/partial/MD5SUM
/var/cache/urpmi/.metalink
/var/cache/urpmi/mirrors.cache
> find /var/cache/urpmi/ -daystart -name '*.rpm'
/var/cache/urpmi/glibc-debuginfo-2.36-43.mga9.i586.rpm
/var/cache/urpmi/rpms/cpupower-6.3.2-2.mga9.i586.rpm
/var/cache/urpmi/rpms/libbpf1-6.3.2-2.mga9.i586.rpm
/var/cache/urpmi/rpms/texlive-doc-20220321-12.mga9.noarch.rpm
/var/cache/urpmi/rpms/kernel-userspace-headers-6.3.2-2.mga9.i586.rpm
/var/cache/urpmi/rpms/kernel-desktop-latest-6.3.2-2.mga9.i586.rpm
/var/cache/urpmi/rpms/libfontconfig1-2.14.2-1.1.mga9.i586.rpm
/var/cache/urpmi/rpms/fontconfig-2.14.2-1.1.mga9.i586.rpm
/var/cache/urpmi/rpms/libfontconfig-devel-2.14.2-1.1.mga9.i586.rpm
/var/cache/urpmi/rpms/thunderbird-102.11.0-1.mga9.i586.rpm
/var/cache/urpmi/rpms/kernel-desktop-6.3.2-2.mga9.i586.rpm
> file /var/cache/urpmi/mirrors.cache
/var/cache/urpmi/mirrors.cache: Unicode text, UTF-8 text
> less /var/cache/urpmi/mirrors.cache ...
here you can view the contents of the file, search for text with "/here-I-enter-search-text"
> curl https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586
or:
> w3m -dump -T text/html https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586/
[ICO] Name Last modified Size Description
[PARENTDIR] Parent Directory -
[DIR] doc/ 2012-03-14 15:02 -
[DIR] dosutils/ 2021-02-16 15:04 -
[DIR] install/ 2011-02-15 01:01 -
[DIR] isolinux/ 2023-08-19 20:56 -
[DIR] media/ 2019-08-26 11:26 -
[DIR] misc/ 2023-08-19 23:21 -
[ ] VERSION 2025-08-13 14:15 47
[ ] autorun.inf 2011-05-27 17:12 80
[TXT] index.html 2016-07-01 00:07 3.9K
[ ] product.id 2023-08-11 21:01 111
[ ] product.id.Default 2023-08-11 21:01 111
[TXT] release-notes.html 2023-08-19 20:25 90K
[TXT] release-notes.txt 2023-08-19 20:25 50K
> w3m -dump -T text/html https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586/media/core/updates/ >updates.dirlis
> w3m -dump -T text/html https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586/media/core/core/ >core.dirlis
!! warning/attention: with >filename the file, if it already existed, is emptied before any content is written into it;
you can append to an existing file with >>filename instead; this works for any shell command!
> grep iptables updates.dirlis
[ ] iptables-1.8.9-2.2.mga9.i586.rpm 2023-11-09 579K
[ ] iptables-1.8.9-2.3.mga9.i586.rpm 2023-12-13 579K
[ ] iptables-nft-1.8.9-2.2.mga9.i586.rpm 2023-11-09 9.7K
[ ] iptables-nft-1.8.9-2.3.mga9.i586.rpm 2023-12-13 9.8K
[ ] libiptables-devel-1.8.9-2.2.mga9.i586.rpm 2023-11-09 16K
[ ] libiptables-devel-1.8.9-2.3.mga9.i586.rpm 2023-12-13 16K
[ ] libiptables12-1.8.9-2.2.mga9.i586.rpm 2023-11-09 38K
[ ] libiptables12-1.8.9-2.3.mga9.i586.rpm 2023-12-13 38K
> rpm -q iptables
iptables-1.8.9-2.3.mga9
> wget https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586/media/core/updates/iptables-1.8.9-2.3.mga9.i586.rpm
> wget https://ftp.fi.muni.cz/pub/linux/mageia/distrib/9/i586/media/core/updates/iptables-nft-1.8.9-2.3.mga9.i586.rpm
> su
> rpm --reinstall iptables-nft-1.8.9-2.3.mga9.i586.rpm iptables-1.8.9-2.3.mga9.i586.rpm
> rpm --verify iptables | grep icmp
... This time no output: no file is reported with a corrupted/changed file size (the S flag) or md5sum (the 5 flag)
> ls -l /lib/iptables.d/linux-2.6-main/libipt_icmp.so
-rwxr-xr-x 1 root root 14828 Dez 13 2023 /lib/iptables.d/linux-2.6-main/libipt_icmp.so
... file size ~ 14KB
> iptables -A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
...
The Mageia distribution uses a firewall program called “Shorewall” that sets up the iptables configuration for you; it is configured in /etc/shorewall. If you configure a local service like a web server, a mail server or the like, you need to open the respective TCP (or UDP) port in your firewall. Check with ›iptables -L‹ that no -j DROP or -j REJECT rule comes before the ACCEPT rule you install here; otherwise the rule you appended at the end of the list will remain unseen and unused by the IP tables of the Linux ¡operating system kernel!, where the data provided and edited with the iptables user program is used to handle network packets.
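The ordering check described above can be done mechanically on `iptables -S OUTPUT` output. The following is an added example, not part of the original session: the function names find_shadow and suggest_insert and the sample ruleset are constructed for illustration, and only blanket DROP/REJECT rules in the same chain are detected.

```sh
#!/bin/sh
# Added example: does a blanket DROP/REJECT sit in front of an appended rule?
# Rules are read from stdin in `iptables -S <chain>` format.
# Limitation: jumps into user-defined chains are not followed.

# Constructed sample ruleset, not captured from a real host.
SAMPLE_RULES='-P OUTPUT ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# find_shadow RULE
# RULE is the full "-A CHAIN ..." line to check. Prints "N: <rule>" for the
# first earlier rule in the same chain that drops or rejects every packet of
# the protocol named in RULE (no match options at all, or only "-p PROTO").
find_shadow() {
    awk -v rule="$1" '
        BEGIN {
            nf = split(rule, f, " "); chain = f[2]
            for (i = 3; i < nf; i++) if (f[i] == "-p") proto = f[i + 1]
        }
        $1 == "-A" && $2 == chain {
            n++                      # same numbering as iptables -L --line-numbers
            if ($0 == rule) exit     # reached our rule: nothing blocks it earlier
            target = ""; blanket = 1
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") { target = $(i + 1); break }
                if ($i == "-p" && $(i + 1) == proto) { i++; continue }
                blanket = 0          # any other match option narrows the rule
            }
            if (blanket && (target == "DROP" || target == "REJECT")) {
                print n ": " $0
                exit
            }
        }'
}

# suggest_insert RULE
# Prints an iptables -I command that places RULE ahead of the blocking rule,
# or nothing when RULE is already reachable.
suggest_insert() {
    hit=$(find_shadow "$1")
    [ -n "$hit" ] || return 0
    spec=${1#-A }                    # "CHAIN match... -j TARGET"
    echo "iptables -I ${spec%% *} ${hit%%:*} ${spec#* }"
}
```

On a live system the input would come from `iptables -S OUTPUT` run as root; on a Shorewall-managed host the lasting change belongs in /etc/shorewall rather than in a hand-inserted rule.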
Almost all network packets on your computer nowadays use IP, the Internet Protocol, mostly version 4, but some use IPv6, version 6 of the Internet Protocol. On top of IP comes a second layer where you nowadays find either TCP, UDP or ICMP (special purpose, used for instance by ping anyhost). On top of TCP run, for instance, the https:// and http:// as well as the smtp[s]:// and imap[s]:// protocols.
libipt_icmp.so ~ -m icmp ... module for the Internet Control Message Protocol; ping my-machine - response via ICMP
httpd/apache: port 8080 is often used as mirror or second choice port, http standard port is 80
> ifconfig enp1s0
enp1s0: flags=4163 mtu 1500
        inet 192.168.0.22 netmask 255.255.255.0 broadcast 192.168.0.255
> grep 192.168.0 /etc/httpd/conf/httpd.conf
Listen 192.168.0.22:8080
... remove that line on reboot; Apache2 (=httpd) will not start if DHCP assigns a different IP address, like at a cafe or somewhere else; the entry is ¡temporary only!
> systemctl restart httpd
> systemctl status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-08-20 21:00:42 CEST; 44min ago
   Main PID: 9734 (/usr/sbin/httpd)
> systemctl | grep httpd
httpd.service loaded active running The Apache HTTP Server
> rpm -qa | grep apache
apache-2.4.62-1.mga9
apache-doc-2.4.62-1.mga9
apache-mod_ssl-2.4.62-1.mga9
... lists the packages you have installed that match the name apache (grep -i ... »ignore-case«)
> ls -l /etc/httpd/conf/httpd.conf
-rw-r--r-- 1 root root 12586 Aug 20 20:31 /etc/httpd/conf/httpd.conf
> ls -ld /etc/httpd/conf/sites*
drwxr-xr-x 2 root root 4096 Aug 20 22:00 /etc/httpd/conf/sites.d
drwxr-xr-x 2 root root 4096 Aug 20 20:39 /etc/httpd/conf/sites-disabled.d
> ls -l /etc/httpd/conf/sites.d
insgesamt 16
-rwxr-xr-x 1 root root 417 Aug 20 22:00 xchg.conf
...
> rpm -qi apache
Name : apache
Version : 2.4.62
Description :
This package contains the main binary of apache, a powerful, full-featured, efficient and freely-available Web server. Apache is also the most popular Web server on the Internet.
...
> rpm -ql apache
... simply too many files in this package, you could do a | grep -i mysearchtxt or a | less
> rpm -qc apache
... more useful here: lists only the config files, which are normally all put into /etc
    this switch is not always used; an alternative is: rpm -ql apache | grep "^/etc/"
    ›^‹ ... search string must start at the beginning of the line, -i ... ignore upper/lower case, ›A‹ and ›a‹ are treated as equal
> netstat -tupnl
-t ... tcp
-p ... show program name/pid: httpd/dhclient, run as root (after invoking su/sudo)
-u ... udp
-n ... numeric: show IP addresses like 192.168.0.22 and port numbers like 8080 instead of localhost:webcache
-l ... show listening ports only, where a service, a daemon or another server is running on your own computer, which has opened a respective port.
An IP address like 192.168.0.22 is not accessible from another computer as long as you have not opened the respective port at your firewall, i.e. port 8080 for the ~/xchg/ folder.
Aktive Internetverbindungen (Nur Server)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.0.22:8080       0.0.0.0:*               LISTEN      5981/httpd
tcp        0      0 127.0.0.3:443           0.0.0.0:*               LISTEN      5981/httpd
tcp        0      0 127.0.0.4:443           0.0.0.0:*               LISTEN      5981/httpd
tcp6       0      0 ::3:443                 :::*                    LISTEN      5981/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      5981/httpd
tcp6       0      0 ::4:443                 :::*                    LISTEN      5981/httpd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           8664/dhclient
> netstat -atupn
... show all network connections, both those outgoing from your web browser and the listening sockets of server processes. A server is considered to be listening even if no client is currently connected.
> netstat -atup
tcp 0 0 localhost.localdo:36286 93.243.107.34.bc.:https VERBUNDEN -
> dig +short -x 93.243.107.34 any
p5df36b22.dip0.t-ipconnect.de.
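The listening-socket table printed by netstat -tupnl above mixes loopback, single-address and wildcard binds; only the last two ever need a firewall decision. The following is an added example, not part of the original session: the function names listener_scope and exposed_listeners are made up for illustration, and the sample rows follow the listing above except for one constructed ::1 row.

```sh
#!/bin/sh
# Added example: classify listeners from `netstat -tupnl` by bind address.

# Sample rows in the format of the listing above; the ::1 row is constructed.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.0.22:8080 0.0.0.0:* LISTEN 5981/httpd
tcp 0 0 127.0.0.3:443 0.0.0.0:* LISTEN 5981/httpd
tcp6 0 0 :::80 :::* LISTEN 5981/httpd
tcp6 0 0 ::1:631 :::* LISTEN 1200/cupsd
udp 0 0 0.0.0.0:68 0.0.0.0:* 8664/dhclient'

# listener_scope: reads netstat output on stdin, prints
#   SCOPE PROTO ADDRESS PORT PROGRAM
# SCOPE is loopback (local clients only), all-interfaces (wildcard bind) or
# single-address (one configured address, e.g. the DHCP-assigned LAN address).
listener_scope() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            tcp = ($1 ~ /^tcp/)
            if (tcp && $6 != "LISTEN") next
            prog = tcp ? $7 : $6         # UDP rows have no State column
            sub(/^[0-9]+\//, "", prog)   # strip the PID
            match($4, /:[0-9*]+$/)       # the port follows the last colon
            addr = substr($4, 1, RSTART - 1)
            port = substr($4, RSTART + 1)
            # A tcp6 "::" listener normally accepts IPv4 clients as well.
            if (addr == "0.0.0.0" || addr == "::") scope = "all-interfaces"
            else if (addr ~ /^127\./ || addr == "::1") scope = "loopback"
            else scope = "single-address"
            print scope, $1, addr, port, prog
        }'
}

# exposed_listeners: only the sockets another host could reach once the
# firewall admits the port; these are the ones that need a firewall decision.
exposed_listeners() {
    listener_scope | awk '$1 != "loopback"'
}
```

On a live system: `netstat -tupnl | exposed_listeners`, run as root so that the program column is filled in.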
> geoiplookup 93.243.107.34
GeoIP Country Edition: DE, Germany
GeoIP ASNum Edition: AS3320 Deutsche Telekom AG
> dig 93.243.107.34
;; AUTHORITY SECTION:
. 3600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025082002 1800 900 604800 86400
> dig 7.3.2.8
... use dig with an arbitrary non-existent IP:
. 600 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2025082002 1800 900 604800 86400
Very strange¡! - This is a computer located in Germany with absolutely no Domain Name Record „Resource Record“ – »RR« configured for it. Yet the reverse name lookup "dig -x" finds a registered name, dip0.t-ipconnect. It says the computer has its own domain name available via reverse DNS lookup but runs absolutely no service to be contacted. A public service from a server needs at minimum an A (IPv4) or an AAAA (IPv6) address configured, available via forward DNS queries (look at the sources of the ātea program, sources at upload.elmstel.info, documentation page at the former location of elstel.org/atea).
> tar -xvf atea-v0.8.4.tar atea-0.8.4/dane-direct.c
atea-0.8.4/dane-direct.c
> grep --color "res_n[a-z]*" atea-0.8.4/dane-direct.c
//retval = res_nquerydomain( rctx, "_443._tcp.", domain, C_IN, T_TLSA, answer.content, ANSLEN );
//retval = res_nsearch( rctx, "_443._tcp.elstel.org.", C_IN, T_TLSA, answer.content, ANSLEN );
lenret = res_nquery( &rctx, domainIdent, ns_c_in, ns_t_tlsa, answer.content, sizeof(answer.content) );
lenret = res_nquery( &rctx, domainIdent, ns_c_in, ns_t_tlsa, answer.content, sizeof(answer.content) );
res_nclose(&rctx);
> man 3 res_nquerydomain
LIBRARY
       Resolver library (libresolv, -lresolv)
SYNOPSIS
       #include #include #include
... the operating system library for DNS resolution, used in here; I didn't finish programming that, it should resolve DANE queries by hand using only the bare-metal operating system library functionality.
> ls -l $(realpath /etc/ssl/certs/ca-bundle.*);
-r--r--r-- 1 root root 275972 Mär 26 2024 /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
-r--r--r-- 1 root root 225535 Mär 26 2024 /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
> ip route
... how you are connected to the internet
    the address ranges 192.168.__.* and 10.0.0.* always belong to your LAN - local area network
    There are millions of LANs in the world, and the router is most often called 192.168.0.1 or 192.168.12.1
    192.168.0.0/24 ... 24 is a netmask, 3*8=24, the first three bytes of the IPv4 address are fixed, i.e. 192.168.0.*
default via 192.168.0.1 dev enp1s0
169.254.0.0/16 dev enp1s0 scope link metric 1002
192.168.0.0/24 dev enp1s0 proto kernel scope link src 192.168.0.22
> cat /etc/resolv.conf
... local configuration file, the DNS resolver is configured here
domain home
search home
nameserver 10.0.0.138
nameserver 208.67.222.222
> sed -i 's#10\.0\.0\.138#192.168.0.1#' /etc/resolv.conf
> cat /etc/resolv.conf
domain home
search home
nameserver 192.168.0.1
nameserver 208.67.222.222
> dig @208.67.220.220 +short www.google.com
142.251.36.196
> dig @192.168.0.1 +short www.google.com
142.251.36.196
> geoiplookup 208.67.220.220
GeoIP Country Edition: US, United States
GeoIP ASNum Edition: AS36692 OpenDNS, LLC
_ 208.67.220.220 ... is a public DNS resolver located in the USA
_ 192.168.0.1 ... is the router box in your house, as provided by your ISP
Log into your home router »w3m/firefox http://192.168.0.1« and look at the configuration/connection state; your home router will connect to a local name server that caches results from a global name server like @208.67.222.222. Global companies provide servers near your home country, and they are usually more directly and faster reachable from where you are, so the name server of your ISP (internet service provider) is preferred over a global one.
Any device like a tablet, small computer or mobile phone has manually configurable IP settings, and often you can configure a DNS server/resolver manually by IP; if you don't do that, a program like dhclient will ask for and usually retrieve the IP of a local name server via the DHCP protocol (Dynamic Host Configuration Protocol).
there is:
The web server: www.startpage.com, www.google.com - serving the http(s) protocol
The DNS resolver: @208.67.222.222, converting domain names like “www.orf.at“ into IP addresses, e.g. 194.232.104.4, which are then contacted by the ‘socket layer’ of your operating system, e.g. here: Linux
> dig +short www.orf.at A
194.232.104.149
194.232.104.4
... a domain name like ›www.orf.at‹ may have more than one server that provides the very same web content of this web page, each here with its own IPv4 address
> dig +short elstel.org MX elstel.org TXT
10 mx.dotplex.com.
"v=spf1 include:_spf.dotplex.com -all"
"google-site-verification=cy-8EZc9vGTGEaOlx6XidcDxRGwHfdWLnOQDUX2hUOo"
... SPF - sender policy framework, used against spam mails
> dig +short elstel.org A elstel.org AAAA
185.231.124.34
2a0c:5f00:1:122::
> dig +short -x 2a0c:5f00:1:122::
web4.dotplex.com.
> dig +short -x 185.231.124.34
web4.dotplex.com.
> host web4.dotplex.com.
web4.dotplex.com has address 185.231.124.34
web4.dotplex.com has IPv6 address 2a0c:5f00:1:122::
web4.dotplex.com mail is handled by 10 mx.dotplex.com.
> host elstel.org
elstel.org has address 185.231.124.34
elstel.org has IPv6 address 2a0c:5f00:1:122::
elstel.org mail is handled by 10 mx.dotplex.com.
... if you should ever configure a web server like Apache, you will likely have virtual hosts; that is, as in this example, the same server provides web content for entirely different sites from different customers, and each site has its own, different domain name. The reverse DNS lookup ›dig -x‹ gives here just the ¿canonical? domain name, the principal one used to connect to with an ftps or ssh (secure shell) client.
Ssh was written and is still maintained by the OpenBSD project; they have their own fork of the openssl library, called libressl. The ssl library is used to encrypt web content; the protocol identifier then becomes https:// instead of http://, or ftps:// instead of ftp:// (file transfer protocol, used to upload web content or formerly also for public download sites). Note that sftp is an entirely different protocol from ftps. ›ftps‹ is nothing more than ftp+ssl, while the sftp command opens a secure shell connection, »ssh«, but then does not use the connection to prompt you for bash/csh/xxx-shell commands that would be executed on the remote machine; it uses the connection for transferring files like index.html or background.jpeg instead.

Good Evening, Good Luck ‼ — Yours,
Elmar Stellnberger Dipl.-Ing., Eucilea Dos Santos da Selva [not writing/typing at this text at the moment]