> how exactly do you intend to enforce a ban on such software?
>
> people forget that the internet allows easy access to servers located
> outside the reach of authorities that might wish to restrict access to
> software or information...


OK, I do concede you are right in this part of your argument, as any sensible
person must realize that the Internet is an international phenomenon. An
unknown malicious hacker can get his malware anywhere on the Web, or even
get it from some weird underground mailing catalogs if need be, I can
imagine. But that does not mean that Congress (US) cannot pass a law barring
KNOWN malicious hackers from both purchasing malware and signing up with
AOL.COM to try their port scanner and Trojan NetBus out on some poor saps.



> so if you can't stop the "hackers" getting the software, what does
> restricting access to it achieve?
>
> well, for one a sysadmin would not be allowed to have the software to run
> against his own systems.
>

Consider: Obviously someone who wants to work as a Brinks Armored car
security guard and who has no criminal record can legally obtain a permit
and then purchase a gun for his job on the armored truck. Yet you would not
argue that a known convicted violent criminal offender should be allowed to
go into a gun shop to buy a handgun because a ban on all handguns would also
stop that Brinks guard from buying one, would you? I am neither pro nor con
"Gun Control", but anyone has to agree that actor Charlton Heston is right:
"Guns don't kill people, people do."

Now extend that analogy to the issue of computer intrusion by malicious
hackers. Now the gun = .44-caliber malware. I do not argue that legitimate
people working in computer security or systems administrators should not
have access to sniffers, pinging software, rootkits, or whatever, to test
their systems. IT IS THE MALICIOUS KNOWN HACKER who should be barred from
access to all manner of malware and from access to ISPs across the country.
If malicious hacking is going to be limited one must start somewhere. Yes,
obviously, the malware itself isn't ruining systems and home PCs, "people"
are, but in this case the malicious hackers are. Surely you must see the
sense in that position.

In mathematics there is a hypothetical computer known as a Turing Machine,
also known as a 'finite state machine'. The concept of this hypothetical
machine was invented by British mathematician Alan Turing (the mathematician
who cracked the infamous German Nazi Enigma code, that's code, not cipher).
Actually this hypothetical computer is self-aware and is intelligent. Until
the day computer scientists invent "self-aware" programs and "self-aware"
computers which can use their own internal programs to detect Trojans and
viruses and eliminate them, something else should be employed besides the
products of the firewall distributors to cut down on what somebody posting
here called "script kiddies".

If a computer program can self-replicate (a virus) then surely one can write
code that is "self-aware", or at least mimics the property.

Robert Betts

Cogito/Ergo/Sum
(The French Philosopher Rene Descartes)






>    1. RE: Using Cisco IOS firewall feature set (piranha x)
>    2. Re:Question (Stuart Eddleston)
>    3. iptables/linux - filtered ports? (Jay Christopherson)
>    4. Re: From the Morris worm to Nimda (Martin)
>    5. Re: Which Wall is better (John P. Herlocher)
>    6. compile error on udp relay (patrick)
>    7. RE: SOCKS Question (Ellana Livermore)
>    8. Re: Question (MCR)
>    9. RE: Comparison between checkpoint and Cisco IOS firewall
>       (Prathabacimman.M)
>   10. RE: iptables/linux - filtered ports? (Hiemstra, Brenno)
>   11. Certificates and Auth ([EMAIL PROTECTED])
>   12. Re: Two ISP's (David Burton)
>
> --__--__--
>
> Message: 1
> Reply-To: [EMAIL PROTECTED]
> From: "piranha x" <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: RE: Using Cisco IOS firewall feature set
> Date: Thu, 17 Jan 2002 21:13:35 -0800
>
>
> dont skip over thingz!!!
>
> make sure folks understand that they cant do this using CATos and that
> they gotta pay more for the x-bar setup and that they really need the 256
> MB CARD
>
> what lunacy ....
>
> the layer 3 router on the 65xx ...SWITCH...
> has enough to DO just routing - sandwich the firewall with 6509'S with the
> xbar and dual nic the firewall and you'll be fine...
>
> piranha...
>
> >From: "Glenn Shiffer" <[EMAIL PROTECTED]>
> >To: <[EMAIL PROTECTED]>
> >Subject: RE: Using Cisco IOS firewall feature set
> >Date: Thu, 17 Jan 2002 21:10:31 -0500
> >
> >The 65xx series Cat is well capable of handling IOS Firewall, even on a
> >single Sup configuration, which obviously, is your config, as you are
> >using MLS which requires the MSFC in the slot where a second Sup could
> >otherwise go.
> >
> >CBAC will cut down on performance, not significantly at CPU levels below
> >60 o/o, but can cause sluggishness above that.
> >
> >One thing more, keep the management functions of your network out of
> >band, both for security and accessibility reasons.
> >
> >Glenn
> >
> >
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]] On Behalf Of Eric Appelboom
> >Sent: Wednesday, January 16, 2002 2:15 PM
> >To: [EMAIL PROTECTED]
> >Cc: [EMAIL PROTECTED]
> >Subject: Using Cisco IOS firewall feature set
> >
> >I am looking at complementing our FW-1's with switches installed with
> >the Cisco IOS firewall feature set.
> >
> >I would like to implement this on 6500 switches also using layer 3
> >switching so inspection can be done on switches and not on fw nic.
> >We primarily would like to reduce unnecessary internal to internal
> >traffic.
> >
> >We will use the Cisco Policy Manager version 3 which appears to be
> >similar to the FW-1 GUI and not commandline.
> >
> >There doesn't appear to be many people using the IOS firewall feature
> >set and it appears quite apt and manageable.
> >I am aware of the TCP\UDP only inspection limitation of CBAC.
> >
> >Has anyone used the IOS firewall in production and can give advice?
> >Are there any performance comparisons?
> >
> >Regards
> >Eric
> >
> >
> >
> >*** Disclaimer: The information in this email is confidential and is
> >intended solely for the addressee(s). Access to this email by anyone
> >else is unauthorised. If you are not an intended recipient, you must not
> >read, forward, print, use or disseminate the information contained in
> >the email. Any representations (contractual or otherwise), views or
> >opinions presented are solely those of the author and do not necessarily
> >represent those of the employer or any of its affiliates.
> >
> >
> >_______________________________________________
> >Firewalls mailing list
> >[EMAIL PROTECTED]
> >http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> _________________________________________________________________
> Join the world's largest e-mail service with MSN Hotmail.
> http://www.hotmail.com
>
>
> --__--__--
>
> Message: 2
> Date: Wed, 16 Jan 2002 16:20:35 -0600
> From: "Stuart Eddleston" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject:  Re:Question
>
> It's not that I distrust Microsoft you understand.....but over my Users'
> dead and dismembered bodies.....
>
> -----------------------------------------------------------------
>
> Come on now, we have our networks covered by a PII with XP as the
> firewall. Works great!
>
> -----Original Message-----
> From: Mike Fetherston [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 16, 2002 1:43 PM
> To: Network Operations; [EMAIL PROTECTED]
> Subject: Re: Question
>
>
> yeah, i just about choked when i read that.
>
> ----- Original Message -----
> From: "Network Operations" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Wednesday, January 16, 2002 2:05 PM
> Subject: RE: Question
>
>
> ROFL,
>
> Thats almost as funny as that "Your son is a computer hacker piece"....
>
> cheers..
>
> >>> Dan McGinn-Combs <[EMAIL PROTECTED]> 01/16 10:45 AM >>>
> stop! don't move! don't spend!
> XP has a built in firewall!!!
> check it out!
> Dan
>
> -----Original Message-----
> From: Jamie [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 16, 2002 10:10 AM
> To: [EMAIL PROTECTED]
> Subject: Question
>
>
> I'm looking for a firewall for a personal computer using XP, any
> suggestions.
>
> Please advise
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
>
>
> --__--__--
>
> Message: 3
> Date: Wed, 16 Jan 2002 19:10:37 -0800
> To: [EMAIL PROTECTED]
> Subject: iptables/linux - filtered ports?
> From: [EMAIL PROTECTED] (Jay Christopherson)
>
> Hey all-
>
> My apologies if I am rehashing a previous topic, but I didn't find it in
> the archives.
>
> I recently setup a linux firewall using iptables and then ran an nmap
> against the host.  Nmap reported a few ports, all of them "filtered"
> instead of open.  As I understand it, this means that nmap is not sure
> if the port is open or not, because it is not getting any return
> packets.
>
> Is there a way to use iptables to "stealth" the port?  In other words,
> can iptables be configured in such a way as to make port scanners think
> that a port (or a host!) does not even exist at the specified ip?
>
> Would adding a filter against icmp be enough (since nmap pings for hosts
> first... unless told not to)?
>
> - J
>
> --__--__--
>
> Message: 4
> From: Martin <[EMAIL PROTECTED]>
> Date: Fri, 18 Jan 2002 17:35:51 +1100
> To: [EMAIL PROTECTED]
> Subject: Re: From the Morris worm to Nimda
>
> $author = "[EMAIL PROTECTED]" ;
> >
> > Sorry, but Government facts and science research journals would dispute
> > what you say. Most hackers are not experienced in the intricacies of
> > software engineering nor do they have backgrounds in computer science.
> > Most of them buy their tools: sniffers, port scanners, war dialers, root
> > kits, from underground websites I would not dare visit for fear of who
> > might be lurking there. They do not write their own code for these tasks
> > and they do not have to, and THAT is the problem, so I am afraid I am
> > indeed "with it."
>
> how exactly do you intend to enforce a ban on such software?
>
> people forget that the internet allows easy access to servers located
> outside the reach of authorities that might wish to restrict access to
> software or information...
>
> so if you can't stop the "hackers" getting the software, what does
> restricting access to it achieve?
>
> well, for one a sysadmin would not be allowed to have the software to run
> against his own systems.
>
>
> > No one would seriously contemplate making it illegal for firemen training
> > novice firemen to set fires at some Fire Academy to see if the apprentice
> > firemen can effectively put it out. Neither do I suggest that security
> > specialists, if you indeed are one, and Network Administrators should be
> > barred from using hacking tools to check the security of some network. The
> > malicious hackers are the people who should not have this software.
>
> unfortunately they still sell matches and lighters at the corner store, so
> the means to prevent arson can not be totally removed and hence we still
> have firemen responding to cases of arson...
>
>
> > So what does this paragraph above mean? Neither the hacker nor the vendor
> > has the PC user's interests at heart. One's motive is to violate a computer
> > user's privacy, the other's motive is profit. And do you think it is only
> > the Department of Defense or the FBI that can be victims of hackers? A
> > cancer patient in a hospital ward whose vital signs must be checked every
> > hour via computer can be a victim of a hacker, many of whom are not such
> > "benign white hatters" as you were in your scenario above.
>
> if a hospital has patient management computers hooked up to a network that
> can be reached from any untrusted network (and i am talking no connection,
> not just firewalls or other access restrictions) then i would not let them
> treat me if my life depended on it...
>
>
> > Any invasion of privacy is an obscenity, whether it is Big Brother, or a
> > malicious hacker probing someone's network or PC for personal information.
> > It is the height of arrogance and an abuse of power; actually it is
> > "cyberrape", and should not be tolerated.
>
> keep the argument to facts and avoid hyperbole like "cyberrape" and you
> will sound more convincing...
>
> you are so concerned about privacy, and yet you advocate restricting the
> possession and distribution of software which could only be implemented
> through severe violations of the very privacy you hold so dear...
>
> i think you need to reconsider your position...
>
> marty
>
> --
> "To err is human, to forgive is not my policy. --root"
>
> - sig file on slashdot
>
>
> --__--__--
>
> Message: 5
> Date: Thu, 17 Jan 2002 08:27:21 -0500
> From: "John P. Herlocher" <[EMAIL PROTECTED]>
> To: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
> Cc: 'Vishal Mukherjee' <[EMAIL PROTECTED]>,
> Firewall <[EMAIL PROTECTED]>
> Subject: Re: Which Wall is better
>
> I concur.
>
> There is little comparison between the two tools.
>
> Winroute, unless changed recently, is a home/home office solution.
>
> Checkpoint on the other hand is a full featured Enterprise firewall
> product with an enterprise price.
>
> John
>
> On Thu, Jan 17, 2002 at 01:41:53PM +0100, Hiemstra, Brenno wrote:
> > In my opinion you can't compare these two with each other
> > because they aren't the same
> >
> > winroute pro is a kind of software which you can use at
> > home or in a small office network.
> >
> > Firewall 1 is an Enterprise firewall package which can
> > be used by small but is definitely used at big multinational
> > companies all over the world...
> >
> > And there is a BIG price difference
> >
> > Regards,
> >
> >
> > Brenno
> >
> > > -----Original Message-----
> > > From: Vishal Mukherjee [SMTP:[EMAIL PROTECTED]]
> > > Sent: donderdag 17 januari 2002 13:11
> > > To: Firewall
> > > Subject: Which Wall is better
> > > Importance: High
> > >
> > >
> > > Hi all
> > > which one is better
> > > 1. WinRoute Pro
> > > 2. firewall - 1
> > >
> > >
> > > Thanks & Regards
> > > ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> > > Vishal Mukherjee
> > > "Gravitation can not be held responsible for people falling in love"
> > >                                       - Albert Einstein
> > > ~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~
> > >
> > >
> > >
> > > Visit Our Cement Site at http://cement.indorama.com
> > >       Our Software Site at http://www.irssl.com
> > >
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
>
> --__--__--
>
> Message: 6
> Date: Fri, 18 Jan 2002 09:41:09 +0300
> From: patrick <[EMAIL PROTECTED]>
> To: Firewall <[EMAIL PROTECTED]>
> Subject: compile error on udp relay
>
> sirs
>     anyone with a working version of udp relay.   I get the following
> error while trying to compile the source code.  some patches anything..
> compile error:
>
> cd ./work; \
>     make clearerr udpx0
> make[1]: Entering directory `/var/temp/udpl-0.1.1/work'
> make[1]:*** No rule to make target '/lib/aksl_h.dep', needed by
> 'mtypes.o'. Stop.
> make[1]: Leaving directory `/var/temp/udpl-0.1.1/work'
> make: ***[work/udpx0] Error 2
>
>
> pls help
> regards
> patrick
>
>
> --__--__--
>
> Message: 7
> Date: Thu, 17 Jan 2002 10:18:03 -0600
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> From: Ellana Livermore <[EMAIL PROTECTED]>
> Subject: RE: SOCKS Question
>
> PORTUS-ES supports SOCKS V4 & V5
>
>
> __________________________________________________________________
>
>
> Ellana Livermore
> Livermore Software Laboratories
> div of Freemont Avenue Software, Inc.
> 1830 S. Kirkwood, Suite 205
> Houston, TX  77077
> vox:  281-759-3274 or 800-240-5754
> fax:  281-759-8558
> www.lsli.com
>
>
>
> --__--__--
>
> Message: 8
> Date: Thu, 17 Jan 2002 15:24:46 -0800
> From: MCR <[EMAIL PROTECTED]>
> To: Steve Smith <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: Question
>
> I'm sure it works great.  XP let's data pass from the LAN to WAN, and vice
> versa.  So......how will you ever know if your network (that XP is
> protecting) has been compromised due to some exploit until it's too late?
>
>
> Steve Smith wrote:
>
> > Come on now, we have our networks covered by a PII with XP as the
> > firewall. Works great!
> >
> > -----Original Message-----
> > From: Mike Fetherston [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 16, 2002 1:43 PM
> > To: Network Operations; [EMAIL PROTECTED]
> > Subject: Re: Question
> >
> >
> > yeah, i just about choked when i read that.
> >
> > ----- Original Message -----
> > From: "Network Operations" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, January 16, 2002 2:05 PM
> > Subject: RE: Question
> >
> >
> > ROFL,
> >
> > Thats almost as funny as that "Your son is a computer hacker piece"....
> >
> > cheers..
> >
> >
> >>>>Dan McGinn-Combs <[EMAIL PROTECTED]> 01/16 10:45 AM >>>
> >>>>
> > stop! don't move! don't spend!
> > XP has a built in firewall!!!
> > check it out!
> > Dan
> >
> > -----Original Message-----
> > From: Jamie [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 16, 2002 10:10 AM
> > To: [EMAIL PROTECTED]
> > Subject: Question
> >
> >
> > I'm looking for a firewall for a personal computer using XP, any
> > suggestions.
> >
> > Please advise
> >
> >
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
> >
> >
>
>
>
> --__--__--
>
> Message: 9
> From: "Prathabacimman.M" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: Comparison between checkpoint and Cisco IOS firewall
> Date: Fri, 18 Jan 2002 13:45:45 +0530
>
>
> IOS
> Less price  Less work
> Checkpoint
> More price More work
> IOS has a very basic functionality but checkpoint has some advanced
> features. It depends on your requirement.
>
> Prathabacimman.M
> -----Original Message-----
> From: vishwas asemend [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, January 17, 2002 5:56 AM
> To: [EMAIL PROTECTED]
> Subject: Comparison between checkpoint and Cisco IOS firewall
>
>
> Hi all,
> I want to choose a firewall.
> and finally i came to two firewall , checkpoint and cisco-ios
>
> can anybody tell me the advantages and disadvantages of cisco_ios
> and checpoint NG or 4.1
>
> Regards
> Vish
>
>
>
> ------------------------------------------------------------
> Get your free email from http://www.netjaal.com
> _______________________________________________
>
>
> --__--__--
>
> Message: 10
> From: "Hiemstra, Brenno" <[EMAIL PROTECTED]>
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>,
> [EMAIL PROTECTED]
> Subject: RE: iptables/linux - filtered ports?
> Date: Fri, 18 Jan 2002 10:31:26 +0100
>
> Well...
>
> Basically what your firewall is doing now is "drop" the IP packet.
>
> What you are wanting is to "reject" the connection. This will mean
> that your firewall will send an ICMP packet back to let the source
> know that there isnt such IP address or a listening port there...
>
> The problem with this setup is that this will reveal your firewall to
> the "portscanner" because it receives an ICMP packet from the
> firewalls' IP address and NOT the scanned IP address. (assuming
> that you are scanning an IP address that is behind the firewall...
> not the firewall itself).
>
> Hope this answers your question...
>
> Regards,
>
>
> Brenno
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> > Sent: donderdag 17 januari 2002 4:11
> > To: [EMAIL PROTECTED]
> > Subject: iptables/linux - filtered ports?
> >
> > Hey all-
> >
> > My apologies if I am rehashing a previous topic, but I didn't find it in
> > the archives.
> >
> > I recently setup a linux firewall using iptables and then ran an nmap
> > against the host.  Nmap reported a few ports, all of them "filtered"
> > instead of open.  As I understand it, this means that nmap is not sure
> > if the port is open or not, because it is not getting any return
> > packets.
> >
> > Is there a way to use iptables to "stealth" the port?  In other words,
> > can iptables be configured in such a way as to make port scanners think
> > that a port (or a host!) does not even exist at the specified ip?
> >
> > Would adding a filter against icmp be enough (since nmap pings for hosts
> > first... unless told not to)?
> >
> > - J
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
>
> --__--__--
>
> Message: 11
> Date: Fri, 18 Jan 2002 10:42:42 +0100 (MET)
> From: [EMAIL PROTECTED]
> To: <[EMAIL PROTECTED]>
> Subject: Certificates and Auth
>
> Hi List!
>
> Recently there has been a discussion about authentication using preshared
> keys and DH.
>
> I've been wondering if any of you is using certificate based
> authentication between servers or VPN-clients/Gateways yet?
>
> Anyone, anywhere any info regarding this? Especially useful is any info
> about CP FW-1 because with NG (my Sales Rep told me ;-) ) it would accept
> ANY certificate created by a major CA (certificate authority)
>
> Next; HOW DOES THIS BLOODY THING WORK?! I wasn't able to get THAT info
> from sales (no wonder )
>
> Thanks for your time!
>
> Sebastian
>
> --
> GMX - Die Kommunikationsplattform im Internet.
> http://www.gmx.net
>
>
> --__--__--
>
> Message: 12
> From: [EMAIL PROTECTED] (David Burton)
> To: [EMAIL PROTECTED]
> Date: Fri, 18 Jan 2002 05:49:32 -0500 (EST)
> Subject: Re: Two ISP's
>
> [EMAIL PROTECTED] (Kotakoski Harri EXT-Novosys/Copenhagen) wrote:
>
> > Hello,
> >
> > > From: ext garentsen [mailto:[EMAIL PROTECTED]]
> > > I've got two ISP's providing me with 10 Mbit and 3 Mbit internet
> > > access at home. I would like to set up my Linux (or any other OS)
> > > firewall to distribute my load evenly between theese two.
> >
> > As Paul said this is mainly routing issue.
> >
> > There are two possible solutions:
> >
> > First one (which is the 'correct' one) is to use BGP peering with ISP's.
> > You probably don't have possibility to do this because ISP's are pretty
> > picky with organizations they are peering with. And you should also have
> > Autonomous System ID and be prepared to pay for this arrangement.
>  . . .
> > Other possibility is to use NAT for outbound connections (NATting to
> > different address spaces) and dynamic DNS for inbound (actually it does
> > not have to be dynamic). If someone likes to know how this really works
> > I'm prepared to write something about it.
> >
> > This requires system capable of handling this and only implementation I
> > am aware of is Stonegate firewall. I think that Rainfinity and Radware
> > also have some stuff related to issue.
> >
> > rgds,
> > Harri
>
> Here at Burton Systems Software, we do something like your "other
> possibility."  It was harder to set it up than I expected, and it
> still is not perfect, so I'd be interested in reading your advice
> for Emil, Harri.
>
> Our Linux NAT/firewall/server is multi-homed, using a DSL line with
> a static IP, plus a cablemodem line with a "slightly dynamic" IP that
> last changed about 5 months ago.
>
> I wanted two connections mainly for redundancy, not for load sharing.
> These "consumer quality" wideband connections are fast and cheap,
> but they are also unreliable.
>
> Our DSL is Directv (formerly Telocity).  The cablemodem is Time-Warner
> Roadrunner.  I like Directv because they give us a static IP, and
> their customer service is usually better, and they are a little bit
> cheaper, too.  But most of the time the cablemodem connection is
> slightly faster than the DSL connection.
>
> Both lines stay up for long periods of time, but occasionally they go
> down for long periods of time, too.  My Roadrunner service was once
> down for 6.5 days!  It would have been down even longer if I'd not
> screamed bloody murder at every Time-Warner person I could track down.
> My DSL service has never been down anywhere near that long, but a
> friend's once went down for more than a week!
>
> Also, every month or two the crummy DSL modem/gateway box "loses
> synch" (their tech support's term) and has to be power-cycled to
> recover.  I keep threatening to plug it into an X-10 module, so that
> I can get it to recover automatically.  The cablemodem doesn't
> have that problem, but when the power goes out, the DSL line stays
> up and the cablemodem line immediately goes down (T-W apparently
> doesn't use any battery backup at all).
>
> We can't tolerate week-long outages!  So I figured that the way
> to have reliable Internet connectivity is to have two completely
> independent connections.  The cablemodem comes into the front of
> the building on coax, and the DSL comes in the back on a phone
> line.  The Linux NAT/router has three NICs: one for the DSL
> gateway, one for the cablemodem, and one for the LAN.
>
> Handling the outgoing connections is pretty straightforward.  I
> have a little script that tests the lines every couple of minutes,
> and tries to "ping out" over each of the two lines.  If the current
> default route is down, but the other one is up, it changes the
> routing table to make the other line be the default.  (I haven't
> bothered to try to load share for better performance.)
>
> Also, the script watches for changes in IP on the dynamic DNS
> line, and if that happens it updates the Dynamic DNS entry for
> www2.burtonsys.com at our DNS service, www.zoneedit.com, by
> doing a magic "wget" incantation.  (BTW, I highly recommend
> zoneedit.com.)
>
> Also, whenever a line goes up or down, or when the dynamic IP
> changes for the cablemodem, the script logs the event.
>
> Right now I'm using only the DSL line for incoming mailserver
> traffic, but I'm going to change it to use the cablemodem line
> as a secondary mail server.  Since DNS permits listing multiple
> mail servers, that should work just fine.
>
> The toughest thing is handling incoming Web (or FTP) access.
>
> Unfortunately (and inexplicably, to me) there's no provision
> in DNS records for a "backup" IP to be associated with a domain
> name, and browsers don't know how to look up two or more IPs
> for a name and then try each until one is found that works.
> I have no idea why this capability exists for mail exchangers
> but not for web servers and ftp servers.  :-(
>
> So... what to do?
>
> I first looked at using BGP and telling the world about the two
> routes to my box.  Ha, silly me!  The chances of talking either
> outfit into letting me mess with BGP routing are precisely zero.
> They wouldn't know how, even if I could find someone there who
> understood the question, and they wouldn't do it if they knew how.
>
> T-W/RR support is particularly hideous.  At Time-Warner, they make
> it VERY clear that they don't care AT ALL about you and your problems.
>
> On one occasion when my Roadrunner connection was down, and had
> been down for many hours, I finally waited through the Time-Warner/
> Roadrunner hold queue and got a support person on the phone.
> He said he didn't have any other reported problems in my area,
> and he advised me to wait and try it again tomorrow, and call
> them back again if it was still down.  I asked him to please
> investigate the problem and have someone call *ME* back when they
> got it fixed or knew more.  He replied, "we don't do call-backs."
>
> At least he wasn't overtly rude, unlike some of his coworkers.
>
> The Directv/Telocity folks are only slightly better.  They aren't
> rude, but their financial woes seem to have cut into their support
> staff.
>
> So I gave up on BGP and went to "plan B."  You can see the result
> at our web address:  http://www.burtonsys.com/
>
> Www.burtonsys.com is hosted at a cheap ($5/month for 1 MB) but
> very reliable ISP called netmar.com.  At Netmar, we have just a
> skeleton web site, with a "redirection page" that lets visitors
> choose between www1.burtonsys.com and www2.burtonsys.com, which
> correspond to our DSL and cablemodem lines, respectively.
>
> Plus, if you wait a bit or click the "status" link, a cgi script
> at Netmar runs and pings our two lines from the Netmar server, to
> determine for website visitors which server is "up."  (Wait a bit
> longer, and it'll redirect you to a working server.)
>
> Another approach, which might be better, would be to use the
> "failover" service at www.zoneedit.com.  According to their web
> site, if your main web connection goes down, they will detect
> it and adjust your DNS record accordingly, within a few minutes.
> Visitors to your site would see only a short outage -- probably
> under 10 minutes -- and they would not have to go through the
> strange "redirection page" that we use.  I've not tried this
> approach, but it sounds good, and it is certainly simpler, and
> I've been very pleased with everything else at zoneedit.com.
>
> Do you have a better idea, Harri?
>
> -Dave Burton   <[EMAIL PROTECTED]>
> Burton Systems Software: http://www.burtonsys.com/
> PO Box 4157, Cary, NC 27519-4157 USA
> Makers of TLIB Version Control 5.53 for Win-NT/2K/XP/9x/ME/3.1x, DOS & OS/2.
>  (and command-line version also runs under Linux's WINE Windows Emulator)
> Tel: 1-919-481-0149   Alternate tel: 1-919-481-6658
> Fax: 1-919-481-3787   Alternate fax: 1-919-481-4886
>
>
> --__--__--
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> End of Firewalls Digest

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
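The DROP-versus-REJECT distinction in Brenno's answer to Jay's "filtered ports" question (Messages 3 and 10 of the quoted digest), written out as an added example; this is not code posted by either of them. It is a minimal iptables ruleset with the two behaviours side by side. The interface name eth0, the 192.168.1.0/24 LAN, the /sbin/iptables path and the IPT dry-run variable are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not code from the list: a minimal iptables ruleset showing
# the DROP vs REJECT choice from the "filtered ports" thread.
# Assumptions: eth0 faces the untrusted side, 192.168.1.0/24 is the protected
# LAN, iptables lives in /sbin. Set IPT=echo to print the rules instead of
# loading them (dry run), which is also how the logic is exercised below.
IPT="${IPT:-/sbin/iptables}"
WAN_IF="${WAN_IF:-eth0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Services the firewall itself answers on from the outside (ssh here).
allow_inbound() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp --dport 22 -j ACCEPT
}

# Silently discard everything else. The scanner gets nothing back, so nmap
# reports the port as "filtered": it cannot tell open from closed, but it
# also knows something is eating its packets.
drop_rules() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p udp -j DROP
    $IPT -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -j DROP
}

# Answer the way an unfirewalled host with nothing listening would: TCP RST
# for TCP, ICMP port-unreachable for UDP. nmap then reports "closed". The
# RST carries the probed address as its source, so this does not by itself
# give the filter away; the price is that the host is obviously alive.
reject_rules() {
    $IPT -A INPUT -i "$WAN_IF" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WAN_IF" -p udp -j REJECT --reject-with icmp-port-unreachable
}

# Traffic to hosts behind the firewall. A REJECT here is the case Brenno
# describes: the ICMP error is generated by the firewall and carries the
# firewall's own address, not the scanned host's, which exposes the filter.
# DROP avoids that at the price of a "filtered" result.
forward_rules() {
    $IPT -A FORWARD -s "$LAN_NET" -o "$WAN_IF" -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$WAN_IF" -d "$LAN_NET" -j DROP
}

# mode is "drop" (default) or "reject"; anything else is an error.
load_ruleset() {
    mode="${1:-drop}"
    case "$mode" in
        drop|reject) ;;
        *) echo "unknown mode: $mode" >&2; return 1 ;;
    esac
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    allow_inbound
    forward_rules
    if [ "$mode" = drop ]; then drop_rules; else reject_rules; fi
}

# Load only when a mode is given on the command line; sourcing the file, or
# running it without arguments, just defines the functions.
if [ -n "${1:-}" ]; then
    load_ruleset "$1"
fi
```

`IPT=echo sh firewall.sh drop` prints what would be loaded; drop the `IPT=echo` to load it for real as root. To see the difference from outside, run `nmap -sS -Pn -p 1-1024 <host>` against each variant: with the DROP rules the ports come back "filtered", with `--reject-with tcp-reset` they come back "closed", which is what an unfirewalled host with no listener looks like. The `-Pn` matters for Jay's ICMP idea: dropping echo-request only defeats nmap's default ping sweep, and a scanner told to skip host discovery probes the address anyway. An address that is routed to the host cannot be made to look unused either: an unused address on a routed subnet usually draws an ICMP host-unreachable from the last-hop router, while a dropping host produces silence, and the two are distinguishable.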

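The check-and-failover routine David Burton describes in Message 12 (ping out over each line every couple of minutes, move the default route when the current line is dead, push the cable line's new address to the dynamic DNS provider, log each event), written out as an added example; this is not Burton's script. The interface names, gateway addresses, probe host, DDNS update URL, state and log file paths, the PING_CMD override and the RUN_FAILOVER guard are all assumptions for illustration.

```sh
#!/bin/sh
# Added example, not Burton's script: a one-shot link check and failover
# routine in the shape Message 12 describes, meant to be run from cron every
# couple of minutes. Every name below is an assumption for illustration:
# the interfaces, gateways, probe host, DDNS URL, state/log paths.
DSL_IF="${DSL_IF:-eth0}";     DSL_GW="${DSL_GW:-10.0.0.1}"      # static-IP DSL line
CABLE_IF="${CABLE_IF:-eth1}"; CABLE_GW="${CABLE_GW:-10.0.1.1}"  # dynamic-IP cable line
PROBE="${PROBE:-198.51.100.1}"            # far-side host to ping (documentation address)
STATE="${STATE:-/var/run/failover.state}" # last cable address seen
LOG="${LOG:-/var/log/failover.log}"
DDNS_URL="${DDNS_URL:-https://ddns.example.net/update?host=www2.example.com}"  # placeholder
PING_CMD="${PING_CMD:-ping}"              # overridable so the logic can run without a network

log() { printf '%s %s\n' "$(date '+%F %T')" "$*" >>"$LOG"; }

# Probe one line by pinging out through that interface only.
link_up() {
    $PING_CMD -c 2 -W 2 -I "$1" "$PROBE" >/dev/null 2>&1
}

# Decide which line should carry the default route. Policy: stay where we
# are while that line works; move only when the current line is down and the
# other is up; if both are down report "none" and leave the table alone.
pick_default() {   # args: dsl_up cable_up current(dsl|cable) -> prints dsl|cable|none
    d=$1; c=$2; k=$3
    case "$k" in
        dsl)   [ "$d" = 1 ] && { echo dsl; return 0; } ;;
        cable) [ "$c" = 1 ] && { echo cable; return 0; } ;;
    esac
    if [ "$d" = 1 ]; then echo dsl
    elif [ "$c" = 1 ]; then echo cable
    else echo none
    fi
}

# "ip route replace" swaps the default atomically; "del" then "add" leaves a
# window with no default route at all.
set_default() {
    case "$1" in
        dsl)   ip route replace default via "$DSL_GW" dev "$DSL_IF" ;;
        cable) ip route replace default via "$CABLE_GW" dev "$CABLE_IF" ;;
    esac
}

current_default() {
    if ip route show default 2>/dev/null | grep -q "dev $CABLE_IF"; then
        echo cable
    else
        echo dsl
    fi
}

# First IPv4 address on the cable interface (the "slightly dynamic" one).
cable_addr() {
    ip -4 addr show dev "$CABLE_IF" 2>/dev/null | sed -n 's/.*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# True (exit 0) when a non-empty new address differs from the recorded one.
# An empty address means the interface is down; that is not a change to push.
addr_changed() {   # args: new old
    [ -n "$1" ] && [ "$1" != "$2" ]
}

check_links() {
    dsl_up=0; cable_up=0
    link_up "$DSL_IF" && dsl_up=1
    link_up "$CABLE_IF" && cable_up=1
    cur=$(current_default)
    want=$(pick_default "$dsl_up" "$cable_up" "$cur")
    if [ "$want" != "$cur" ] && [ "$want" != none ]; then
        set_default "$want" && log "default route moved $cur -> $want (dsl=$dsl_up cable=$cable_up)"
    fi
    old=$(cat "$STATE" 2>/dev/null || true); new=$(cable_addr)
    if addr_changed "$new" "$old"; then
        # Bind the update to the cable address so the provider records that one,
        # whichever line currently holds the default route.
        if wget -q -O /dev/null --bind-address="$new" "$DDNS_URL"; then
            log "cable address changed $old -> $new, DDNS updated"
            echo "$new" >"$STATE"
        else
            log "cable address changed $old -> $new, DDNS update FAILED"
        fi
    fi
}

# Guarded so that sourcing the file for its functions does nothing.
if [ "${RUN_FAILOVER:-0}" = 1 ]; then
    check_links
fi
```

A cron entry such as `*/2 * * * * RUN_FAILOVER=1 /usr/local/sbin/failover.sh` gives the "every couple of minutes" cadence. Two choices worth noting: the route is moved only when the line currently in use is dead, so a flapping secondary does not keep yanking the default back and forth; and the state file records the last address actually accepted by the provider, so a failed update is retried on the next run rather than silently forgotten.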