Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Dhaval Thakar

> If you could use a lower CPU intensive crypt like blowfish, it would be 
> easier.
>
> Are all these trading partners in different locations or are there semi large
> groups in the same locations?
>   
all these are end users.
they connect software from home / offices.
> Maybe a hundred or so share an office, you could set up IPSec tunnels to each
> remote office and pass all 100 through that tunnel. It takes a lot less CPU to
> pass 100 combined than 100 separate connections.
>
>
>   

___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Alain Reguera Delgado
Guy Boisvert wrote:
...
>>> Does anybody could give me a pointer on this?
>> please, take a look at:
>> http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users
...
> This link is interesting but the problem is not that i don't want to use 
> "local" users.  I have no problem with that.  That's the SSL/TLS 
> handshake error that i don't figure out.

Did you try to connect to your server with the lftp client in debug 9?
What does it say?

Cheers,
- --
Alain Reguera Delgado 
GnuPG : http://ciget.cienfuegos.cu/~al/publickey.asc


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
John R Pierce wrote:
> Guy Boisvert wrote:
>>  FTPS is supposed to be directly supported by DreamWeaver, so that's why 
>> i am asking about it.
>>   
> 
> does Dreamweaver support WebDAV over HTTPS as an update method?   this 
> would be a LOT EASIER to get working behind a firewall
> 
> if they can access your website with https/ssl, and you can get mod_dav 
> working, you're in business.
> 

Ok, i'll check that.  I still focus on FTPS for now but i'll have a look 
at WebDAV/HTTPS.


Thanks!


Guy Boisvert, ing.
IngTegration inc.


Re: [CentOS] FTPS setup problem

2008-12-19 Thread John R Pierce
Guy Boisvert wrote:
>   FTPS is supposed to be directly supported by DreamWeaver, so that's why 
> i am asking about it.
>   

does Dreamweaver support WebDAV over HTTPS as an update method?   this 
would be a LOT EASIER to get working behind a firewall

if they can access your website with https/ssl, and you can get mod_dav 
working, you're in business.




Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
John R Pierce wrote:
> 
> I don't know if you can do that with FTPS...FTP uses a separate 
> dynamic port for the data socket, and the mode this port is assigned is 
> at the whim of the *client* software, it can either be PORT or PASSIVE 
> mode, this makes NAT address translation of FTP a real mess.  AFAIK, 
> FTPS (ftp over ssl) does much the same.
> 
> 
> I quote from Wikipedia...
> 
> 
> The firewall problem
> 
> Because FTP  is a 

[...]

> cannot decrypt it). Therefore, in many firewalled networks, clear FTP 
> connections will work while FTPS connections will either completely fail 
> or require the use of passive mode (assuming all ports >= 1024 to the 
> server are unfiltered).
> 

Well John, i can't even get it working locally on the same subnet (and 
no, the server doesn't use firewalling)!  I'm not even at the firewall 
access level!


Thanks for the pointer anyway.


Regards,


Guy Boisvert, ing.
IngTegration inc.


Re: [CentOS] FTPS setup problem

2008-12-19 Thread John R Pierce
Guy Boisvert wrote:
> Bob Hoffman wrote:
>   
>>> When i try, i get this error message:
>>>
>>> SSL/TLS client handshake failed (Error = 0x80090308)
>>>
>>>
>>>
>>> Does anybody could give me a pointer on this?
>>>
>>>
>>>   
>> I really hope you post the end fulfillment of this problem as I want to do
>> ssl with my vsftp and have not gotten around to it.
>>
>> Have you tried just restarting vsftp?
>> I also find that I had to play with the user list allow/deny to get mine to
>> work right.
>>
>> Can you, if you take out the ssl stuff, access it via ftp normally?
>>
>> 
>
>
> Hi Bob,
>
>   Just to put all this in perspective, i'm not a "green" on CentOS and i 
> restarted vsftpd each time i modified my test server (it's very ok that 
> you asked!).  I don't consider myself an expert but i'm pretty 
> comfortable with CentOS.
>
>   I can reach easily the server by regular FTP, check my previously 
> posted config file and you'll see that i don't force local users to use 
> SSL.  For the remote users, i'll redirect port 990 on our firewall to 
> port 21 on the server.  I read that vsftpd can't use different ports for 
> regular FTP and FTPS so i let it be on port 21, which we use internally.
>   

I don't know if you can do that with FTPS...FTP uses a separate 
dynamic port for the data socket, and the mode this port is assigned is 
at the whim of the *client* software, it can either be PORT or PASSIVE 
mode, this makes NAT address translation of FTP a real mess.  AFAIK, 
FTPS (ftp over ssl) does much the same.


I quote from Wikipedia...


The firewall problem

Because FTP is a 
port-hopping protocol (i.e. data channels use a random port chosen 
during the communication), many firewalls are designed to 
understand FTP protocol messages to determine what secondary data 
connections they need to allow. However, if the control connection is 
encrypted using TLS/SSL (or any other method for that matter), the 
firewall is not able to get the port numbers of the data connections 
from the control connection (since it is encrypted and the firewall 
cannot decrypt it). Therefore, in many firewalled networks, clear FTP 
connections will work while FTPS connections will either completely fail 
or require the use of passive mode (assuming all ports >= 1024 to the 
server are unfiltered).


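
The behaviour described in the Wikipedia text quoted above, as an added example (Python) that is not part of the original thread: a toy model of a firewall's FTP inspection, which learns the data port from PORT commands and 227 replies on the control channel and goes blind once AUTH TLS succeeds. The session bytes, the address 192.0.2.10, port 50000 and the static range 50000-50100 are constructed for illustration.

```python
import re

HOSTPORT = rb"(\d{1,3}(?:,\d{1,3}){5})"          # h1,h2,h3,h4,p1,p2 (RFC 959)
PORT_CMD = re.compile(rb"^PORT\s+" + HOSTPORT + rb"\s*$", re.IGNORECASE)
PASV_REPLY = re.compile(rb"^227[ -].*?\(" + HOSTPORT + rb"\)")


def parse_hostport(field):
    """Decode b'h1,h2,h3,h4,p1,p2' into (ip, port); None if a number exceeds 255."""
    nums = [int(n) for n in field.split(b",")]
    if any(n > 255 for n in nums):
        return None
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def looks_like_tls(data):
    """True if data begins with a TLS record header (content type 20-23, major version 3)."""
    return len(data) >= 3 and 20 <= data[0] <= 23 and data[1] == 3


class FtpHelper:
    """Toy model of a firewall's FTP inspection for one control connection."""

    def __init__(self):
        self.auth_pending = False   # client sent AUTH, waiting for the 234 reply
        self.encrypted = False      # control channel can no longer be read
        self.opaque_bytes = 0       # bytes seen but not understood
        self.pinholes = []          # (mode, ip, port) data connections to allow

    def feed(self, direction, data):
        """Inspect one segment; direction is 'c' (from client) or 's' (from server)."""
        if self.encrypted or looks_like_tls(data):
            self.encrypted = True
            self.opaque_bytes += len(data)
            return
        for line in filter(None, data.split(b"\r\n")):
            if direction == "c":
                self._client_line(line)
            elif self._server_line(line):
                return              # 234 seen: everything after this is TLS

    def _client_line(self, line):
        if line.upper().startswith(b"AUTH "):
            self.auth_pending = True
        m = PORT_CMD.match(line)
        endpoint = parse_hostport(m.group(1)) if m else None
        if endpoint:
            self.pinholes.append(("PORT",) + endpoint)

    def _server_line(self, line):
        if self.auth_pending:
            self.auth_pending = False
            if line.startswith(b"234"):
                self.encrypted = True
                return True
        m = PASV_REPLY.match(line)
        endpoint = parse_hostport(m.group(1)) if m else None
        if endpoint:
            self.pinholes.append(("PASV",) + endpoint)
        return False


def data_connection_allowed(helper, dst_port, static_range=None):
    """Would the firewall pass a new data connection to dst_port?"""
    if any(port == dst_port for _, _, port in helper.pinholes):
        return True                 # learned dynamically from the control channel
    return static_range is not None and static_range[0] <= dst_port <= static_range[1]


def run(session):
    """Feed a list of (direction, bytes) segments through a fresh helper."""
    helper = FtpHelper()
    for direction, data in session:
        helper.feed(direction, data)
    return helper


# Constructed sessions (not captured traffic); bytes(n) stands in for ciphertext.
CLEAR_SESSION = [
    ("c", b"USER dev\r\n"),
    ("s", b"331 Please specify the password.\r\n"),
    ("c", b"PASV\r\n"),
    ("s", b"227 Entering Passive Mode (192,0,2,10,195,80)\r\n"),
]
FTPS_SESSION = [
    ("c", b"AUTH TLS\r\n"),
    ("s", b"234 Proceed with negotiation.\r\n"),
    ("c", b"\x16\x03\x01" + bytes(40)),   # handshake record
    ("c", b"\x17\x03\x01" + bytes(24)),   # PASV, encrypted
    ("s", b"\x17\x03\x01" + bytes(56)),   # 227 reply, encrypted
]

if __name__ == "__main__":
    for name, session in (("clear FTP", CLEAR_SESSION), ("explicit FTPS", FTPS_SESSION)):
        h = run(session)
        print(name, "pinholes:", h.pinholes, "opaque bytes:", h.opaque_bytes)
        print("  data connection to 50000 allowed:", data_connection_allowed(h, 50000))
    print("  FTPS with static range 50000-50100:",
          data_connection_allowed(run(FTPS_SESSION), 50000, (50000, 50100)))
```

With the control channel encrypted, the only way the data connection gets through in this model is a static rule covering a known passive port range on the server.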


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
Alain Reguera Delgado wrote:
> Guy Boisvert wrote:
>> Hi!
>>
>>  I'm trying to figure out what's going wrong with a "simple" FTPS setup 
>> and VSFTPD.
> ...
>> When i try, i get this error message:
>>
>> SSL/TLS client handshake failed (Error = 0x80090308)
> 
> How are you trying to connect ? What is the address you are referring to
> access ? Can you use lftp with debug 9 and post the output ?

As i said, i'm trying to connect in FTPS mode with FileZilla and 
SmartFTP to port 21 at the address of my server!


> 
>> Does anybody could give me a pointer on this?
> 
> please, take a look at:
> http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users
> 
> I would like to hear if this is useful to you.
> 
> Best Regards,


This link is interesting but the problem is not that i don't want to use 
"local" users.  I have no problem with that.  That's the SSL/TLS 
handshake error that i don't figure out.

Thanks!



Guy Boisvert, ing.
IngTegration inc.


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
Ray Van Dolson wrote:
> 
> To the OP (sorry, jumping into a lot of threads late); what version of
> vsftpd are you using?
> 
> A few months back FileZilla released a new version that "broke" TLS/SSL
> support with a number of FTP servers.  I ran into the problem with
> ProFTPD specifically:
> 
>   http://bugs.proftpd.org/show_bug.cgi?id=3094
> 
> But vsftpd had this issue as well and was patched in v 2.0.7.  I don't
> know if this fix was backported by RH or not
> 
> I also don't know if SmartFTP client would exhibit the same problem.
> You could try an older version of FileZilla (< 3.1.0) to see if it
> works correctly...
> 
> Ray


Hi Ray,

Here are the infos:

vsftpd-2.0.1-6.el4

Linux [server name] 2.6.9-78.0.8.EL #1 Wed Nov 19 19:43:32 EST 2008 i686 
i686 i386 GNU/Linux

CentOS release 4.7 (Final)



I'll try older FileZilla and report back as soon as i find a solution.


Thanks for your help!


Guy Boisvert, ing.
IngTegration inc.


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
Bob Hoffman wrote:
>> When i try, i get this error message:
>>
>> SSL/TLS client handshake failed (Error = 0x80090308)
>>
>>
>>
>> Does anybody could give me a pointer on this?
>>
>>
> 
> I really hope you post the end fulfillment of this problem as I want to do
> ssl with my vsftp and have not gotten around to it.
> 
> Have you tried just restarting vsftp?
> I also find that I had to play with the user list allow/deny to get mine to
> work right.
> 
> Can you, if you take out the ssl stuff, access it via ftp normally?
> 


Hi Bob,

Just to put all this in perspective, i'm not a "green" on CentOS and i 
restarted vsftpd each time i modified my test server (it's very ok that 
you asked!).  I don't consider myself an expert but i'm pretty 
comfortable with CentOS.

I can reach easily the server by regular FTP, check my previously 
posted config file and you'll see that i don't force local users to use 
SSL.  For the remote users, i'll redirect port 990 on our firewall to 
port 21 on the server.  I read that vsftpd can't use different ports for 
regular FTP and FTPS so i let it be on port 21, which we use internally.


Thanks!


Guy Boisvert, ing.
IngTegration inc.



Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
John R Pierce wrote:
> Bill Campbell wrote:
>> As a rule, we require external developers to access our servers
>> using OpenVPN which provides a simple means of getting secure
>> access without having to deal with multiple server components.
>>   
> 
> and, at work, our GNOC guys use SSL-VPN's from Juniper, which for 
> business partners are highly restricted such that they can ONLY access 
> the specific server and services they have rights to.   while I'm not in 
> the group that manages this, the guys who do are on my floor, and tell 
> me that the global management console makes managing all this a 
> breeze... we have dozens of firewalls as we're a 5 employee global 
> manufacturing company, this is all under central control.
> 
> you mentioned FTP and FTPS...   I prefer whenever possible to use 
> scp/sftp, as its much easier to forward through a NAT/Masquerade 
> firewall.   I have no idea if Dreamweaver supports this, however.
> 

Hi John,

Good pointers but i'm not sure i'm up to setup a chrooted ssh 
environment.  I tried that a couple of times (not on this network) and 
it wasn't very practical.  I'm not saying i'm an expert at that and it 
may very well be my fault if i found it cumbersome.

vsftpd is supposed to support FTPS so it would be perfect in my 
situation.


Thanks!


Guy Boisvert, ing.
IngTegration inc.




Re: [CentOS] Firefox 3.0.4 and Adobe Flash (CentOS 5 (32bit))

2008-12-19 Thread Lanny Marcus
On Wed, Dec 17, 2008 at 6:21 PM, MHR  wrote:

> TigerDirect.com has a $99 box available, and it's pretty low end, but
> it might suit your purposes.

As I wrote a couple of nights ago, if I was in the USA, I would order
one of those, without giving it a second thought.  Wonderful!   Next
Monday morning, I am going to go to a shopping center in Cali, where
there are *lots* of stores that sell computer stuff and see if I can
come up with something like that.

We have four (4) Dell Dimension boxes and their support here is
*SUPER*, but they use proprietary cases, motherboards and power
supplies. Their quote of USD$237 for a new motherboard is probably not
something I am going to follow up on. The box is running most of the
time, which is puzzling, because it is an intermittent problem.

My wife just made me an offer I may refuse: She told me to go to the
Dell web site for Colombia and look for a new, inexpensive box there.
They have one with Ubuntu Linux on it, for about US$700 with a monitor
and 3 year in house warranty. Maybe.   :-)


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
Bill Campbell wrote:
> On Fri, Dec 19, 2008, Guy Boisvert wrote:
>> Hi!
>>
>>  I'm trying to figure out what's going wrong with a "simple" FTPS setup 
>> and VSFTPD.
>>
>>  I saw references on Google and tried, and tried, and tried... without 
>> success.
>>
>>  I'll start by explaining my situation: I have a WEB development server 
>> behind a firewall.  It's currently only for the intranet.  We now have 
>> an external company that will have to do a new website for us and we 
>> want them to access securely our development server.
>>
>>  Internally, we access it with regular FTP (we use DreamWeaver 8).  In 
>> the references i saw, i'd just add the following lines and it is 
>> supposed to work:
> 
> As a rule, we require external developers to access our servers
> using OpenVPN which provides a simple means of getting secure
> access without having to deal with multiple server components.
> 
> The OpenVPN clients for Windows and OS X are simple to set up,
> well within the capabilities of the average web developer (which
> often aren't extensive :-). 
> 
> Bill


Hi Bill,

It is a very good idea but i can't force them to use it.  The WEB 
Developers are inside a University and i heard that it's complicated 
to make the IT staff add some stuff like that.

FTPS is supposed to be directly supported by DreamWeaver, so that's why 
i am asking about it.


Thanks!


Guy Boisvert, ing.
IngTegration inc.


Re: [CentOS] Web based ssl VPN

2008-12-19 Thread John R Pierce
Dnk wrote:
> That is what I am currently using. One of our vp's had a "web" based  
> one at his last job. But to connect, they go to a web page, login, and  
> they gain VPN access. Then there are No client software to install  
> either.   I know some sonic wall, barracuda, etc devices do this. 
>   

Well, there IS client software, it's just installed auto-magically via 
the web interface, using either a Java (for firefox clients) or ActiveX 
(for MSIE on Windows) client stack.  The Juniper SSLVPN we use at my 
work functions this way for end user -> WAN VPNs (but LAN -> WAN VPNs 
instead use an appliance router)


sadly, my experience with these is that the MSIE ActiveX Windows client 
stack seems to be a lot more robust than the Java client stacks, at 
least for VPN routing (aka Network Connect).   the Java stuff is OK for 
remote access (X windows, RDP clients, Citrix client, file transfer) via 
the web interface, but thats not really a VPN in my book, its just a 
remote application portal.




Re: [CentOS] Web based ssl VPN

2008-12-19 Thread Tim Nelson
Have you looked at SSL-Explorer? Erm... I mean Adito? SSL-Explorer appears to 
have been taken over by Barracuda but still forked into Adito.

Linky links: http://sourceforge.net/projects/adito

BTW: Sent from my web based mail system on my workstation at my desk in my 
office in Duluth, Minnesota, United States, North America, Earth, etc... you 
get the idea... :)

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- "Dnk"  wrote:

> Can anyone recommend one to run under CentOS?
> 
> Dnk
> 
> Sent from my iPhone


[CentOS] Web based ssl VPN

2008-12-19 Thread Dnk
Can anyone recommend one to run under CentOS?

Dnk

Sent from my iPhone


Re: [CentOS] Web based ssl VPN

2008-12-19 Thread Tim Nelson
I used it about 1-1.5 years ago when it was still SSL-Explorer. At the time, it 
"worked" but not all the time. It certainly wasn't what I would call reliable. 
Hence it was nothing more than a plaything, definitely not production worthy. I 
couldn't tell if it was the super shiny AJAX interface or something on the 
backend and didn't really investigate any deeper. I would hope that one year's 
time in addition to what appears to be a rewrite of the backend (from PHP to 
Java) would improve it. All of my testing was done on a CentOS 4.4 machine.

Tim Nelson
Systems/Network Support
Rockbochs Inc.
(218)727-4332 x105

- "Dnk"  wrote:

> On 19-Dec-08, at 1:03 PM, Tim Nelson  wrote:
> 
> > Have you looked at SSL-Explorer? Erm... I mean Adito? SSL-Explorer 
> 
> > appears to have been taken over by Barracuda but still forked into 
> 
> > Adito.
> >
> > Linky links: http://sourceforge.net/projects/adito
> >
> > BTW: Sent from my web based mail system on my workstation at my desk
>  
> > in my office in Duluth, Minnesota, United States, North America,  
> > Earth, etc... you get the idea... :)
> >
> > Tim Nelson
> > Systems/Network Support
> > Rockbochs Inc.
> > (218)727-4332 x105
> >
> > - "Dnk"  wrote:
> >
> >> Can anyone recommend one to run under CentOS?
> >>
> >> Dnk
> >>
> >> Sent from my iPhone
> 
> That is the one I was looking at, however was more curious if anyone  
> has actually used it, and more specifically, on CentOS.
> 
> D


Re: [CentOS] Web based ssl VPN

2008-12-19 Thread Dnk


On 19-Dec-08, at 1:03 PM, Tim Nelson  wrote:

> Have you looked at SSL-Explorer? Erm... I mean Adito? SSL-Explorer  
> appears to have been taken over by Barracuda but still forked into  
> Adito.
>
> Linky links: http://sourceforge.net/projects/adito
>
> BTW: Sent from my web based mail system on my workstation at my desk  
> in my office in Duluth, Minnesota, United States, North America,  
> Earth, etc... you get the idea... :)
>
> Tim Nelson
> Systems/Network Support
> Rockbochs Inc.
> (218)727-4332 x105
>
> - "Dnk"  wrote:
>
>> Can anyone recommend one to run under CentOS?
>>
>> Dnk
>>
>> Sent from my iPhone

That is the one I was looking at, however was more curious if anyone  
has actually used it, and more specifically, on CentOS.

D


Re: [CentOS] Web based ssl VPN

2008-12-19 Thread Dnk


On 19-Dec-08, at 1:09 PM, Adam Tauno Williams   
wrote:

> On Fri, 2008-12-19 at 13:02 -0800, Dnk wrote:
>> Can anyone recommend one to run under CentOS?
>
> OpenVPN?
>

That is what I am currently using. One of our vp's had a "web" based  
one at his last job. But to connect, they go to a web page, login, and  
they gain VPN access. Then there are No client software to install  
either.   I know some sonic wall, barracuda, etc devices do this. 


Re: [CentOS] Web based ssl VPN

2008-12-19 Thread John R Pierce
Dnk wrote:
> Can anyone recommend one to run under CentOS?
>   

I'd recommend OpenVPN as /the/ VPN to use with a Linux VPN server...
but, web based?   it's SSL based.  the only 'web based' stuff I'm aware 
of is when the VPN client is embedded in a client side web 'object' like 
ActiveX, the VPN itself isn't actually webbased, it just APPEARS that 
way to the user.

OpenVPN has a nice unobtrusive openvpnGUI client you can distribute to 
your Windows users, along with the appropriate PKI keys.   The specifics 
of how you want to do your PKI key management are left up to the system 
administrator as an exercise, but it uses OpenSSL keys, so anyone 
familiar with those should have no problems.




Re: [CentOS] Web based ssl VPN

2008-12-19 Thread Adam Tauno Williams
On Fri, 2008-12-19 at 13:02 -0800, Dnk wrote:
> Can anyone recommend one to run under CentOS?

OpenVPN?



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Les Mikesell wrote:
> Robert Moskowitz wrote:
>>>>>> How about lots of GRE tunnels? :-)
>>>>> I've done that with a few connections - mostly connecting to Cisco 
>>>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>>>> in terms of the interface numbers and managing routes but it should work.
>>>> What was the network environment like that the tunnels went over?
>>> Some over the internet, some private, but always with fixed src/dest 
>>> addresses and nothing going over them that couldn't have run unencrypted 
>>> over the internet.
>> RED (Random Early Discard) was specifically developed and deployed to 
>> break flows that lacked congestion control. CeeUceeME was the big 
>> culprit at the time. Multicast streams could have a lot of data loss if 
>> RED is needed to manage congestion.
>
> Where would this happen - and would it happen to the encapsulating GRE 
> packets or just bare udp multicast?

Any router could employ RED in a congestion situation. The buffer 
reaches n% full and m randomly selected packets in the buffer are 
silently dropped. The buffer is compressed and the router gets on with 
its life. This is better than the router stopping receiving incoming 
packets until its buffer empties a bit.

A protocol that has flow control, like TCP will deal with the packet 
loss. A couple packets will not disrupt an audio stream. But if the 
protocol is going gangbusters and just tossing out packets as fast as it 
can, then it could have a LOT of packets tossed out at the congested 
router, and BAM, the protocol breaks.

Back when Tony Li coded it for the backbone Cisco routers and it was 
deployed overnight with no testing (those were the Internet days), the 
CeeUceeMe programmers over at CMU refused to implement any flow control. 
It had gotten so bad, that the EU nets were ready to put a block on its 
protocol number. Then someone thought up RED, Tony coded it up, and all 
those CeeUCeeMe streams broke. The programmers at CMU finally got it

A little Internet history there.


So any UDP protocol that does not implement flow control can suffer big 
time. On a SIP call, you might see it as your voice breaking up like a 
cell call in a 'bad' area. Or with video it could be an image freeze.

GRE just sometimes would mess up a protocol's reaction to congestion 
that it was a worst response. Of course, this was 10 years ago, and lots 
of apps are much smarter. But some programmers still develop on a local 
LAN and expect to see the same dynamics on the broader Internet


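
The contrast drawn in the message above, as an added example (Python) that is not part of the original thread: it models the drop rule as the message words it (buffer at n% of capacity, m randomly chosen packets discarded), which is simpler than RED as deployed, where the drop decision is probabilistic and based on an average queue length. The link rate, buffer size, n, m and both sender models are assumptions chosen for illustration.

```python
import random


class ConstantSender:
    """No flow control: offers the same burst every tick whatever happens."""

    def __init__(self, rate):
        self.rate = rate

    def next_burst(self):
        return self.rate

    def feedback(self, lost):
        pass                                   # ignores loss entirely


class AimdSender:
    """TCP-like reaction: one more packet per tick while clean, halve on loss."""

    def __init__(self):
        self.rate = 1

    def next_burst(self):
        return self.rate

    def feedback(self, lost):
        self.rate = max(1, self.rate // 2) if lost else self.rate + 1


def simulate(sender, ticks=1000, service=10, capacity=40, n=0.5, m=3, seed=1):
    """Run one sender through a router buffer; return (sent, dropped).

    service  - packets the link forwards per tick
    capacity - buffer size in packets
    n, m     - once the buffer holds n * capacity packets, m random ones are dropped
    """
    rng = random.Random(seed)
    queue, sent, dropped, seq = [], 0, 0, 0
    for _tick in range(ticks):
        lost = 0
        for _pkt in range(sender.next_burst()):
            sent += 1
            seq += 1
            if len(queue) < capacity:
                queue.append(seq)
            else:
                lost += 1                      # buffer full: tail drop
        if len(queue) >= n * capacity:
            victims = rng.sample(range(len(queue)), min(m, len(queue)))
            for index in sorted(victims, reverse=True):
                del queue[index]
                lost += 1
        dropped += lost
        sender.feedback(lost)                  # the sender learns of loss, if it cares
        del queue[:service]                    # the link drains the head of the buffer
    return sent, dropped


def loss_fraction(sender, **kwargs):
    sent, dropped = simulate(sender, **kwargs)
    return dropped / sent


if __name__ == "__main__":
    print("AIMD sender loss:       %.3f" % loss_fraction(AimdSender()))
    print("15 pkt/tick, no backoff: %.3f" % loss_fraction(ConstantSender(15)))
    print(" 8 pkt/tick, no backoff: %.3f" % loss_fraction(ConstantSender(8)))
```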


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Les Mikesell
Robert Moskowitz wrote:
>>>>> How about lots of GRE tunnels? :-)
>>>> I've done that with a few connections - mostly connecting to Cisco 
>>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>>> in terms of the interface numbers and managing routes but it should work.
>>> What was the network environment like that the tunnels went over?
>> Some over the internet, some private, but always with fixed src/dest 
>> addresses and nothing going over them that couldn't have run unencrypted 
>> over the internet.
> RED (Random Early Discard) was specifically developed and deployed to 
> break flows that lacked congestion control. CeeUceeME was the big 
> culprit at the time. Multicast streams could have a lot of data loss if 
> RED is needed to manage congestion.

Where would this happen - and would it happen to the encapsulating GRE 
packets or just bare udp multicast?

-- 
   Les Mikesell
lesmikes...@gmail.com



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Les Mikesell
Scott Silva wrote:
>>>>> How about lots of GRE tunnels? :-)
>>>> I've done that with a few connections - mostly connecting to Cisco 
>>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>>> in terms of the interface numbers and managing routes but it should work.
>>> What was the network environment like that the tunnels went over?
>> Some over the internet, some private, but always with fixed src/dest 
>> addresses and nothing going over them that couldn't have run unencrypted 
>> over the internet.
>>
> If it doesn't need to be encrypted, then why do you need tunnels?

There are two reasons.

> Couldn't you just set a route on the remote machines and use that?
> Could be as simple as a batch file/shell script.

One reason is that I was distributing multicast with a Cisco router 
doing the fanout.  With a tunnel, you put multicast in one end and it 
comes out the other even if the intermediate path doesn't handle 
multicast.  The other is that the end points all had private addressing 
which the terminating equipment understood but not the intermediate routers.

-- 
   Les Mikesell
 lesmikes...@gmail.com



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 01:54:32PM -0500, Robert Moskowitz wrote:
> Ray Van Dolson wrote:
> > On Fri, Dec 19, 2008 at 01:14:34PM -0500, Ross Walker wrote:
> >   
> >> On Dec 19, 2008, at 12:20 PM, Ray Van Dolson  wrote:
> >>
> >> 
> >>> How about lots of GRE tunnels? :-)
> >>>   
> >> Well PPTP is PPP over GRE, so that's basically it.
> >>
> >> PPTP can run without encryption too if the OP really doesn't care  
> >> about encryption.
> >>
> >> 
> >
> > The only thing I'll say in the world of using PPTP (via PoPToP) is to
> > consider what happens when most or all of your clients reconnect at one
> > time (network glitch, etc).  This was my biggest challenge as the
> > original configuration had PPP calling all sorts of perl scripts and
> > such from its ip-up mechanism.  The server would come to a complete
> > crawl as 800+ of these ip-up scripts would fire off along with their
> > associated tasks.  This would result in clients timing out, links
> > failing, etc -- the server could never "catch up". 
> >   
> 
> I was recommending it based on the protocol. I did mention that I have 
> limited deployment experience.
> 
> OUCH. All that perl could really kill the user experience.
> 
> Almost as bad as a D-H exponentiation!
> 

It gets even worse... whoever had set up the system first didn't know
how to get the IP address correctly from a variable in the ip-up
script.  So what'd they do?  They called grep on /var/log/messages to
look for it.

You can imagine the fun this created :-)


Re: [CentOS] how to install yum by apt

2008-12-19 Thread Dag Wieers
On Thu, 18 Dec 2008, Karanbir Singh wrote:

> Dag Wieers wrote:
>> But it would be nice if the centos-release package would contain an apt
>> configuration file.
>
> easy to drop in, please post a recommended config stanza, into an issue
> at bugs.centos.org/ and it can be taken from there.

Added as:

http://bugs.centos.org/view.php?id=3307

Kind regards,
-- 
--   dag wieers,  d...@centos.org,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Les Mikesell wrote:
> Robert Moskowitz wrote:
>>>> How about lots of GRE tunnels? :-)
>>> I've done that with a few connections - mostly connecting to Cisco 
>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>> in terms of the interface numbers and managing routes but it should work.
>> What was the network environment like that the tunnels went over?
>
> Some over the internet, some private, but always with fixed src/dest 
> addresses and nothing going over them that couldn't have run unencrypted 
> over the internet.

RED (Random Early Discard) was specifically developed and deployed to 
break flows that lacked congestion control. CeeUceeME was the big 
culprit at the time. Multicast streams could have a lot of data loss if 
RED is needed to manage congestion.




Re: [CentOS] FTPS setup problem

2008-12-19 Thread Alain Reguera Delgado
Guy Boisvert wrote:
> Hi!
> 
>   I'm trying to figure out what's going wrong with a "simple" FTPS setup 
> and VSFTPD.
...
> When i try, i get this error message:
> 
> SSL/TLS client handshake failed (Error = 0x80090308)

How are you trying to connect ? What is the address you are referring to
access ? Can you use lftp with debug 9 and post the output ?

> Does anybody could give me a pointer on this?

please, take a look at:
http://wiki.centos.org/HowTos/Chroot_Vsftpd_with_non-system_users

I would like to hear if this is useful to you.

Best Regards,
- --
Alain Reguera Delgado 
GnuPG : http://ciget.cienfuegos.cu/~al/publickey.asc


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Ray Van Dolson wrote:
> On Fri, Dec 19, 2008 at 01:14:34PM -0500, Ross Walker wrote:
>   
>> On Dec 19, 2008, at 12:20 PM, Ray Van Dolson  wrote:
>>
>> 
>>> How about lots of GRE tunnels? :-)
>>>   
>> Well PPTP is PPP over GRE, so that's basically it.
>>
>> PPTP can run without encryption too if the OP really doesn't care  
>> about encryption.
>>
>> 
>
> The only thing I'll say in the world of using PPTP (via PoPToP) is to
> consider what happens when most or all of your clients reconnect at one
> time (network glitch, etc).  This was my biggest challenge as the
> original configuration had PPP calling all sorts of perl scripts and
> such from its ip-up mechanism.  The server would come to a complete
> crawl as 800+ of these ip-up scripts would fire off along with their
> associated tasks.  This would result in clients timing out, links
> failing, etc -- the server could never "catch up". 
>   

I was recommending it based on the protocol. I did mention that I have 
limited deployment experience.

OUCH. All that perl could really kill the user experience.

Almost as bad as a D-H exponentiation!


> The band-aid solution was to rate limit SYN packets that established
> the connection... the permanent solution was to write a plugin for PPPd
> in C that replaced most of the ip-up functionality with something a bit
> more efficient.
>
> As long as you're not needing to do any sort of complex post login
> tasks for each user, this may not even end up being an issue.  But
> something to keep in mind and plan for if you're talking 1500 users...
> :)
>
> Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
William Warren wrote:
> Robert Moskowitz wrote:
>> Ray Van Dolson wrote:
>>> On Fri, Dec 19, 2008 at 03:42:08PM +, Karanbir Singh wrote:
>>>> Rainer Duffner wrote:
>>>>>> 1500 clients is quite a lot, but not hard to handle from a single
>>>>>> machine if you select a cpu capable of doing ssl quickly. eg a power6
>>>>>> machine with a few cores would handle that without any problems.
>>>>> And what is the suggested RRP of such a thing?
>>>>> (If one may ask).
>>>> I am sure if you ask someone who sells them, they will tell you :D
>>>>
>>>>>> If you want to stick with commodity hardware, a couple of quad core
>>>>>> amd's should also fit right in.
>>>>> Or use an SSL-offloader.
>>>>> Then, you can handle the same load with much less CPU-power.
>>>> Can get fiddly, with specific drivers and patches required to various
>>>> bits.. But thats a solution that could work too.
>>>
>>> To OP; anecdotal evidence only -- and I certainly wouldn't recommend
>>> using PPTP for a secure VPN solution :)
>>
>> The OP did not want security, only tunneling. His desire. Definitely not
>> mine. My work for the last 14 years has been to make communication on
>> the Internet unassailable, at least along the data path (I make no
>> attempts with the OS or apps).
>>
>> I would like to see ALL communications be encrypted. D*MN the torpedos!
>>
>>> At my previous job we ran
>>> PoPToP (PPTP) on CentOS and the older HP DL140 G1 1U servers and were
>>> handling up to 1000 clients pretty comfortably per machine.  This was
>>> with 1GB of RAM per server and a single 2.4GHz Xeon processor.
>>
>> I have heard of similar numbers.
>>
>>> Left before we could migrate to OpenVPN which I think would have
>>> slightly higher processing requirements. :)
>>
>> Sure would have!
> openvpn doesn't hit a modern cpu that hard anymore (unless you dial up
> something higher than 128 bit).  I routinely do 5-10 users on sub 1ghz
> machines with openvpn.  Leave the encryption in place... it's not going to
> make a huge difference.

Like I said, it is the setup that is the killer. If the users all come 
on within a short time frame, they can fail. 5-10 users is nothing. D-H 
and RSA are killers for CPUs. ECC can be too, it depends on which curve 
and whose code (some of it patented).




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Scott Silva
on 12-19-2008 10:33 AM Les Mikesell spake the following:
> Robert Moskowitz wrote:
>>>> How about lots of GRE tunnels? :-)
>>> I've done that with a few connections - mostly connecting to Cisco 
>>> routers to pass multicast streams.  I'm not sure how it would scale up 
>>> in terms of the interface numbers and managing routes but it should work.
>> What was the network environment like that the tunnels went over?
> 
> Some over the internet, some private, but always with fixed src/dest 
> addresses and nothing going over them that couldn't have run unencrypted 
> over the internet.
> 
If it doesn't need to be encrypted, then why do you need tunnels?

Couldn't you just set a route on the remote machines and use that?
Could be as simple as a batch file/shell script.



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] FTPS setup problem

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 01:37:55PM -0500, Bob Hoffman wrote:
> 
> > 
> > When i try, i get this error message:
> > 
> > SSL/TLS client handshake failed (Error = 0x80090308)
> > 
> > 
> > 
> > Does anybody could give me a pointer on this?
> > 
> > 
> 
> I really hope you post the end fulfillment of this problem as I want to do
> ssl with my vsftp and have not gotten around to it.
> 
> Have you tried just restarting vsftp?
> I also find that I had to play with the user list allow/deny to get mine to
> work right.
> 
> Can you, if you take out the ssl stuff, access it via ftp normally?
> 

To the OP (sorry, jumping into a lot of threads late); what version of
vsftpd are you using?

A few months back FileZilla released a new version that "broke" TLS/SSL
support with a number of FTP servers.  I ran into the problem with
ProFTPD specifically:

  http://bugs.proftpd.org/show_bug.cgi?id=3094

But vsftpd had this issue as well and was patched in v 2.0.7.  I don't
know if this fix was backported by RH or not

I also don't know if SmartFTP client would exhibit the same problem.
You could try an older version of FileZilla (< 3.1.0) to see if it
works correctly...

Ray


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Bob Hoffman

> 
> When i try, i get this error message:
> 
> SSL/TLS client handshake failed (Error = 0x80090308)
> 
> 
> 
> Does anybody could give me a pointer on this?
> 
> 

I really hope you post the end fulfillment of this problem as I want to do
ssl with my vsftp and have not gotten around to it.

Have you tried just restarting vsftp?
I also find that I had to play with the user list allow/deny to get mine to
work right.

Can you, if you take out the ssl stuff, access it via ftp normally?

-Bob



Re: [CentOS] FTPS setup problem

2008-12-19 Thread John R Pierce
Bill Campbell wrote:
> As a rule, we require external developers to access our servers
> using OpenVPN which provides a simple means of getting secure
> access without having to deal with multiple server components.
>   

and, at work, our GNOC guys use SSL-VPN's from Juniper, which for 
business partners are highly restricted such that they can ONLY access 
the specific server and services they have rights to.   while I'm not in 
the group that manages this, the guys who do are on my floor, and tell 
me that the global management console makes managing all this a 
breeze... we have dozens of firewalls as we're a 5 employee global 
manufacturing company, this is all under central control.

you mentioned FTP and FTPS...   I prefer whenever possible to use 
scp/sftp, as its much easier to forward through a NAT/Masquerade 
firewall.   I have no idea if Dreamweaver supports this, however.






Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Les Mikesell
Robert Moskowitz wrote:
>>   
>>> How about lots of GRE tunnels? :-)
>>> 
>> I've done that with a few connections - mostly connecting to Cisco 
>> routers to pass multicast streams.  I'm not sure how it would scale up 
>> in terms of the interface numbers and managing routes but it should work.
> 
> What was the network environment like that the tunnels went over?

Some over the internet, some private, but always with fixed src/dest 
addresses and nothing going over them that couldn't have run unencrypted 
over the internet.

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 01:14:34PM -0500, Ross Walker wrote:
> 
> 
> On Dec 19, 2008, at 12:20 PM, Ray Van Dolson  wrote:
> 
> > How about lots of GRE tunnels? :-)
> 
> Well PPTP is PPP over GRE, so that's basically it.
> 
> PPTP can run without encryption too if the OP really doesn't care  
> about encryption.
> 

The only thing I'll say in the world of using PPTP (via PoPToP) is to
consider what happens when most or all of your clients reconnect at one
time (network glitch, etc).  This was my biggest challenge as the
original configuration had PPP calling all sorts of perl scripts and
such from its ip-up mechanism.  The server would come to a complete
crawl as 800+ of these ip-up scripts would fire off along with their
associated tasks.  This would result in clients timing out, links
failing, etc -- the server could never "catch up". 

The band-aid solution was to rate limit SYN packets that established
the connection... the permanent solution was to write a plugin for PPPd
in C that replaced most of the ip-up functionality with something a bit
more efficient.

As long as you're not needing to do any sort of complex post login
tasks for each user, this may not even end up being an issue.  But
something to keep in mind and plan for if you're talking 1500 users...
:)

Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Scott Silva
on 12-19-2008 7:49 AM Ray Van Dolson spake the following:
> On Fri, Dec 19, 2008 at 03:42:08PM +, Karanbir Singh wrote:
>> Rainer Duffner wrote:
>>>> 1500 clients is quite a lot, but not hard to handle from a single
>>>> machine if you select a cpu capable of doing ssl quickly. eg a power6
>>>> machine with a few cores would handle that without any problems.
>>> And what is the suggested RRP of such a thing?
>>> (If one may ask).
>> I am sure if you ask someone who sells them, they will tell you :D
>>
>>>> If you want to stick with commodity hardware, a couple of quad core
>>>> amd's should also fit right in.
>>> Or use an SSL-offloader.
>>> Then, you can handle the same load with much less CPU-power.
>> Can get fiddly, with specific drivers and patches required to various 
>> bits.. But thats a solution that could work too.
>>
> 
> To OP; anecdotal evidence only -- and I certainly wouldn't recommend
> using PPTP for a secure VPN solution :)  At my previous job we ran
> PoPToP (PPTP) on CentOS and the older HP DL140 G1 1U servers and were
> handling up to 1000 clients pretty comfortably per machine.  This was
> with 1GB of RAM per server and a single 2.4GHz Xeon processor.
> 
> Left before we could migrate to OpenVPN which I think would have
> slightly higher processing requirements. :)
> 
> Ray
If you could use a lower CPU intensive crypt like blowfish, it would be easier.

Are all these trading partners in different locations or are there semi large
groups in the same locations?
Maybe a hundred or so share an office, you could set up IPSec tunnels to each
remote office and pass all 100 through that tunnel. It takes a lot less CPU to
pass 100 combined then 100 separate connections.



-- 
MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't





Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ross Walker


On Dec 19, 2008, at 12:20 PM, Ray Van Dolson  wrote:

> How about lots of GRE tunnels? :-)

Well PPTP is PPP over GRE, so that's basically it.

PPTP can run without encryption too if the OP really doesn't care  
about encryption.

-Ross



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Michael Semcheski
On Fri, Dec 19, 2008 at 11:41 AM, John R Pierce  wrote:
> I still think I'd recommend Juniper SSLVPN appliance hardware however.
> one of their midsized boxes can easily handle 1000s of sessions at wire
> speeds up to 100baseT at the server side, and has really good

I was an end user of a Juniper SSLVPN appliance, and so were 1000's of
my colleagues.  I would definitely recommend doing their own
verification of how many sessions these appliances require.  I know my
organization had to add a lot more appliances to get performance up to
what they consider an acceptable speed.  What they consider acceptable
speed is not wire speed for many US broadband users.

I don't know what the exact numbers are, but I suspect they can handle
closer to 100's of sessions than 1000's of sessions.

Sorry for going off-topic.

Mike


Re: [CentOS] FTPS setup problem

2008-12-19 Thread Bill Campbell
On Fri, Dec 19, 2008, Guy Boisvert wrote:
>Hi!
>
>   I'm trying to figure out what's going wrong with a "simple" FTPS setup 
>and VSFTPD.
>
>   I saw references on Google and tried, and tried, and tried... without 
>success.
>
>   I'll start by explaining my situation: I have a WEB development server 
>behind a firewall.  It's currently only for the intranet.  We now have 
>an external company that will have to do a new website for us and we 
>want them to access securely our development server.
>
>   Internally, we access it with regular FTP (we use DreamWeaver 8).  In 
>the references i saw, i'd just add the following lines and it is 
>supposed to work:

As a rule, we require external developers to access our servers
using OpenVPN which provides a simple means of getting secure
access without having to deal with multiple server components.

The OpenVPN clients for Windows and OS X are simple to set up,
well within the capabilities of the average web developer (which
often aren't extensive :-). 

Bill
-- 
INTERNET:   b...@celestial.com  Bill Campbell; Celestial Software LLC
URL: http://www.celestial.com/  PO Box 820; 6641 E. Mercer Way
Voice:  (206) 236-1676  Mercer Island, WA 98040-0820
Fax:(206) 232-9186

Once at a social gathering, Gladstone said to Disraeli, I predict,
Sir, that you will die either by hanging or of some vile disease.
Disraeli replied, "That all depends upon whether I embrace your
principles or your mistress".


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread William Warren
Robert Moskowitz wrote:
> Ray Van Dolson wrote:
>> On Fri, Dec 19, 2008 at 03:42:08PM +, Karanbir Singh wrote:
>>> Rainer Duffner wrote:
>>>>> 1500 clients is quite a lot, but not hard to handle from a single
>>>>> machine if you select a cpu capable of doing ssl quickly. eg a power6
>>>>> machine with a few cores would handle that without any problems.
>>>> And what is the suggested RRP of such a thing?
>>>> (If one may ask).
>>> I am sure if you ask someone who sells them, they will tell you :D
>>>
>>>>> If you want to stick with commodity hardware, a couple of quad core
>>>>> amd's should also fit right in.
>>>> Or use an SSL-offloader.
>>>> Then, you can handle the same load with much less CPU-power.
>>> Can get fiddly, with specific drivers and patches required to various
>>> bits.. But thats a solution that could work too.
>>
>> To OP; anecdotal evidence only -- and I certainly wouldn't recommend
>> using PPTP for a secure VPN solution :)
>
> The OP did not want security, only tunneling. His desire. Definitely not
> mine. My work for the last 14 years has been to make communication on
> the Internet unassailable, at least along the data path (I make no
> attempts with the OS or apps).
>
> I would like to see ALL communications be encrypted. D*MN the torpedos!
>
>> At my previous job we ran
>> PoPToP (PPTP) on CentOS and the older HP DL140 G1 1U servers and were
>> handling up to 1000 clients pretty comfortably per machine.  This was
>> with 1GB of RAM per server and a single 2.4GHz Xeon processor.
>
> I have heard of similar numbers.
>
>> Left before we could migrate to OpenVPN which I think would have
>> slightly higher processing requirements. :)
>
> Sure would have!
openvpn doesn't hit a modern cpu that hard anymore (unless you dial up 
something higher than 128 bit).  I routinely do 5-10 users on sub 1ghz 
machines with openvpn.  Leave the encryption in place... it's not going to 
make a huge difference.


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 01:11:29PM -0500, Robert Moskowitz wrote:
> Ray Van Dolson wrote:
> > On Fri, Dec 19, 2008 at 12:49:08PM -0500, Robert Moskowitz wrote:
> >   
> >> Ray Van Dolson wrote:
> >> 
> >>> How about lots of GRE tunnels? :-)
> >>>   
> >> RED can kill GRE tunnels over the net. Depends on the protocol they 
> >> carry. If it is all TCP, you see a lot of slowstart. Of course if their 
> >> path is free of congestion, then no RED.
> >>
> >> Plus there is a lot of configuration for GRE, and most platforms come 
> >> with 'managed' tunneling like IPsec, SSLvpn, PPTP.
> >>
> >> 
> >
> > Yeah you'd definitely have to do some coding to make it manageable.
> > They always came in 'handy' but sounds like PPTP might be the way to go
> > for this particular question anyways.
> >
> > PoPToP is rock solid in my experience and the maintainer is very
> > responsive and helpful (James Cameron).
> 
> same Cameron that maintains webmin?
> 
> And for your Windos clients the maintainer is pretty good too. Not so 
> responsive, but they pretty much have a stable platform :)
> 

Hmm, not sure.  He's from down under and works for HP (last time I
checked).

Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Ray Van Dolson wrote:
> On Fri, Dec 19, 2008 at 12:49:08PM -0500, Robert Moskowitz wrote:
>   
>> Ray Van Dolson wrote:
>> 
>>> How about lots of GRE tunnels? :-)
>>>   
>> RED can kill GRE tunnels over the net. Depends on the protocol they 
>> carry. If it is all TCP, you see a lot of slowstart. Of course if their 
>> path is free of congestion, then no RED.
>>
>> Plus there is a lot of configuration for GRE, and most platforms come 
>> with 'managed' tunneling like IPsec, SSLvpn, PPTP.
>>
>> 
>
> Yeah you'd definitely have to do some coding to make it manageable.
> They always came in 'handy' but sounds like PPTP might be the way to go
> for this particular question anyways.
>
> PoPToP is rock solid in my experience and the maintainer is very
> responsive and helpful (James Cameron).

same Cameron that maintains webmin?

And for your Windos clients the maintainer is pretty good too. Not so 
responsive, but they pretty much have a stable platform :)




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Les Mikesell wrote:
> Ray Van Dolson wrote:
>   
>> How about lots of GRE tunnels? :-)
>> 
>
> I've done that with a few connections - mostly connecting to Cisco 
> routers to pass multicast streams.  I'm not sure how it would scale up 
> in terms of the interface numbers and managing routes but it should work.

What was the network environment like that the tunnels went over?




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 12:49:08PM -0500, Robert Moskowitz wrote:
> Ray Van Dolson wrote:
> > How about lots of GRE tunnels? :-)
> RED can kill GRE tunnels over the net. Depends on the protocol they 
> carry. If it is all TCP, you see a lot of slowstart. Of course if their 
> path is free of congestion, then no RED.
> 
> Plus there is a lot of configuration for GRE, and most platforms come 
> with 'managed' tunneling like IPsec, SSLvpn, PPTP.
> 

Yeah you'd definitely have to do some coding to make it manageable.
They always came in 'handy' but sounds like PPTP might be the way to go
for this particular question anyways.

PoPToP is rock solid in my experience and the maintainer is very
responsive and helpful (James Cameron).

Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Ray Van Dolson wrote:
> How about lots of GRE tunnels? :-)
RED can kill GRE tunnels over the net. Depends on the protocol they 
carry. If it is all TCP, you see a lot of slowstart. Of course if their 
path is free of congestion, then no RED.

Plus there is a lot of configuration for GRE, and most platforms come 
with 'managed' tunneling like IPsec, SSLvpn, PPTP.




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Les Mikesell
Ray Van Dolson wrote:
> How about lots of GRE tunnels? :-)

I've done that with a few connections - mostly connecting to Cisco 
routers to pass multicast streams.  I'm not sure how it would scale up 
in terms of the interface numbers and managing routes but it should work.

-- 
   Les Mikesell
lesmikes...@gmail.com


[CentOS] FTPS setup problem

2008-12-19 Thread Guy Boisvert
Hi!

I'm trying to figure out what's going wrong with a "simple" FTPS setup 
and VSFTPD.

I saw references on Google and tried, and tried, and tried... without 
success.

I'll start by explaining my situation: I have a WEB development server 
behind a firewall.  It's currently only for the intranet.  We now have 
an external company that will have to do a new website for us and we 
want them to access securely our development server.

Internally, we access it with regular FTP (we use DreamWeaver 8).  In 
the references i saw, i'd just add the following lines and it is 
supposed to work:

ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem



Here are the previous lines in my vsftpd config:

anonymous_enable=YES
local_enable=YES
write_enable=YES
local_umask=022
dirmessage_enable=YES
xferlog_enable=YES
connect_from_port_20=YES
xferlog_std_format=YES
chroot_local_user=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd/vsftpd.chroot_list
pam_service_name=vsftpd
userlist_enable=YES
listen=YES
tcp_wrappers=YES


I generated the PEM cert with the following command:

openssl req -x509 -nodes -days 365 -newkey rsa:1024 \
    -keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem


I tried to connect with FileZilla without luck.  I heard that FileZilla 
may have a problem with vsftpd in FTPS mode so i downloaded SmartFTP 
which i read should be able to connect.

When i try, i get this error message:

SSL/TLS client handshake failed (Error = 0x80090308)



Does anybody could give me a pointer on this?


Thanks in advance and happy holidays to everybody!


Guy Boisvert, ing
IngTegration inc.
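
A check of the settings posted in the message above, as an added example that is not part of the original post or of vsftpd itself. It parses the vsftpd.conf lines and the openssl command and reports where cleartext or legacy-protocol access stays possible; the names parse_conf, audit, POSTED_CONFIG, POSTED_KEYGEN and the 2048-bit minimum are assumptions of this example, and it does not diagnose the handshake error.

```python
import re

# Defaults for the options checked here, per the vsftpd.conf man page.
DEFAULTS = {
    "ssl_enable": False, "ssl_sslv2": False, "ssl_sslv3": False,
    "ssl_tlsv1": True, "force_local_logins_ssl": True,
    "force_local_data_ssl": True, "anonymous_enable": True,
}

# Settings and key-generation command copied from the message above
# (options that play no part in the checks are left out).
POSTED_CONFIG = """\
anonymous_enable=YES
local_enable=YES
write_enable=YES
listen=YES
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=YES
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
"""
POSTED_KEYGEN = ("openssl req -x509 -nodes -days 365 -newkey rsa:1024 "
                 "-keyout /etc/vsftpd/vsftpd.pem -out /etc/vsftpd/vsftpd.pem")

MIN_RSA_BITS = 2048  # assumption: smallest RSA modulus accepted for a new key

# (option, value that triggers the finding, severity, reason).
# These only matter once ssl_enable is on.
TLS_CHECKS = [
    ("ssl_sslv2", True, "high", "SSLv2 is offered; the protocol is broken"),
    ("ssl_sslv3", True, "high", "SSLv3 is offered; the protocol is broken"),
    ("ssl_tlsv1", False, "high", "TLS is disabled, leaving only legacy SSL"),
    ("force_local_logins_ssl", False, "high",
     "local users may log in without TLS, sending the password in cleartext"),
    ("force_local_data_ssl", False, "medium",
     "local users may transfer files over a cleartext data connection"),
]


def parse_conf(text):
    """Parse option=value lines; return (settings, malformed line numbers).

    vsftpd does not allow spaces around '=', so such lines are reported
    as malformed instead of being silently accepted.
    """
    settings, malformed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = re.fullmatch(r"([a-z0-9_]+)=(\S.*)", line)
        if m:
            settings[m.group(1)] = m.group(2).rstrip()
        else:
            malformed.append(lineno)
    return settings, malformed


def _enabled(settings, option):
    """Effective boolean for an option, falling back to its default."""
    value = settings.get(option)
    if value is None:
        return DEFAULTS[option]
    # vsftpd also reads TRUE and 1 as YES.
    return value.upper() in ("YES", "TRUE", "1")


def audit(settings, keygen_cmd=""):
    """Return a list of (severity, option, reason) findings."""
    findings = []
    if not _enabled(settings, "ssl_enable"):
        findings.append(("high", "ssl_enable",
                         "TLS is off: logins and data are cleartext"))
    else:
        for option, bad_value, severity, reason in TLS_CHECKS:
            if _enabled(settings, option) == bad_value:
                findings.append((severity, option, reason))
    if _enabled(settings, "anonymous_enable"):
        findings.append(("medium", "anonymous_enable",
                         "anonymous logins are accepted"))
    m = re.search(r"-newkey\s+rsa:(\d+)", keygen_cmd)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.append(("medium", "rsa_key_bits",
                         f"{m.group(1)}-bit RSA key is below {MIN_RSA_BITS}"))
    return findings


if __name__ == "__main__":
    conf, bad_lines = parse_conf(POSTED_CONFIG)
    for lineno in bad_lines:
        print(f"line {lineno}: not in option=value form")
    for severity, option, reason in audit(conf, POSTED_KEYGEN):
        print(f"[{severity}] {option}: {reason}")
```

With both force_ options set to YES, clients that speak only plain FTP (the intranet access described in the message) can no longer log in as local users.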



Re: [CentOS] Raid1 --> Raid5

2008-12-19 Thread John R Pierce
Mariusz wrote:
> On Fri, Dec 19, 2008 at 02:00:43PM +, Karanbir Singh wrote:
>   
>> Mariusz wrote:
>> 
>>> ok, thanks for reply, but logical disk(s) will be the same? after migration?
>>>   
>> Did you ask your vendor / manufacturer of the raid layer ? What did they 
>> say ?
>>
>> - KB
>> 
> no, i haven't asked yet, but i'm going to do it. Maybe i should use dd 
> command (create image all logical disk to another disk) and add new 3rd disk, 
> create raid 5 volume and after restore system from dd image?
>   


dd is a sector by sector image of a disk, not very useful for moving 
file systems.  if it's e3fs, I'd use dump -> spare storage, rebuild the 
raid, then restore -> new raid.   or tar or cpio or whatever your 
favorite backup method is that preserves links and stuff.




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
How about lots of GRE tunnels? :-)

Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
John R Pierce wrote:
> Robert Moskowitz wrote:
>   
>> The OP did not want security, only tunneling. 
>> 
>
> use simple PPPoE perhaps?
>   

PPPoE does not have good behaviour over the broader Internet. Works fine 
for the last mile.

> I still think I'd recommend Juniper SSLVPN appliance hardware however.  
>   

The CTO over there is an old friend of mine

> one of their midsized boxes can easily handle 1000s of sessions at wire 
> speeds up to 100baseT at the server side, and has really good 
> managability.  if these clients are in fact field offices, I'd instead 
> use one of their ipsec hardware appliances (such as whatever has 
> replaced the Netscreen 208) and put the baby version (netscreen 5xl) at 
> each site so its LAN to WAN connectivity, transparent to all clients..
>
> 1500 clients connected to this server, I do hope they are going to have 
> a high speed symmetric internet connection...   even 128kbps per user 
> and half the users active, that's still 10 megabit symmetric pretty much 
> saturated.




Re: [CentOS] Raid1 --> Raid5

2008-12-19 Thread Mariusz
On Fri, Dec 19, 2008 at 02:00:43PM +, Karanbir Singh wrote:
> Mariusz wrote:
> > ok, thanks for reply, but logical disk(s) will be the same? after migration?
> 
> Did you ask your vendor / manufacturer of the raid layer ? What did they 
> say ?
> 
> - KB
no, i haven't asked yet, but i'm going to do it. Maybe i should use dd command 
(create image all logical disk to another disk) and add new 3rd disk, create 
raid 5 volume and after restore system from dd image?


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread John R Pierce
Robert Moskowitz wrote:
>
> The OP did not want security, only tunneling. 

use simple PPPoE perhaps?

I still think I'd recommend Juniper SSLVPN appliance hardware however.  
one of their midsized boxes can easily handle 1000s of sessions at wire 
speeds up to 100baseT at the server side, and has really good 
managability.  if these clients are in fact field offices, I'd instead 
use one of their ipsec hardware appliances (such as whatever has 
replaced the Netscreen 208) and put the baby version (netscreen 5xl) at 
each site so its LAN to WAN connectivity, transparent to all clients..

1500 clients connected to this server, I do hope they are going to have 
a high speed symmetric internet connection...   even 128kbps per user 
and half the users active, that's still 10 megabit symmetric pretty much 
saturated.


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
Ray Van Dolson wrote:
> On Fri, Dec 19, 2008 at 03:42:08PM +, Karanbir Singh wrote:
>> Rainer Duffner wrote:
>>>> 1500 clients is quite a lot, but not hard to handle from a single
>>>> machine if you select a cpu capable of doing ssl quickly. eg a power6
>>>> machine with a few cores would handle that without any problems.
>>> And what is the suggested RRP of such a thing?
>>> (If one may ask).
>> I am sure if you ask someone who sells them, they will tell you :D
>>
>>>> If you want to stick with commodity hardware, a couple of quad core
>>>> amd's should also fit right in.
>>> Or use an SSL-offloader.
>>> Then, you can handle the same load with much less CPU-power.
>> Can get fiddly, with specific drivers and patches required to various
>> bits.. But thats a solution that could work too.
>
> To OP; anecdotal evidence only -- and I certainly wouldn't recommend
> using PPTP for a secure VPN solution :)

The OP did not want security, only tunneling. His desire. Definitely not 
mine. My work for the last 14 years has been to make communication on 
the Internet unassailable, at least along the data path (I make no 
attempts with the OS or apps).

I would like to see ALL communications be encrypted. D*MN the torpedos!

> At my previous job we ran
> PoPToP (PPTP) on CentOS and the older HP DL140 G1 1U servers and were
> handling up to 1000 clients pretty comfortably per machine.  This was
> with 1GB of RAM per server and a single 2.4GHz Xeon processor.
>   

I have heard of similar numbers.

> Left before we could migrate to OpenVPN which I think would have
> slightly higher processing requirements. :)

Sure would have!




Re: [CentOS] problem of apt

2008-12-19 Thread Dag Wieers

On Fri, 19 Dec 2008, cjzjm100 wrote:


Today the apt had a problem,here is the result:
[cjzjm...@localhost ~]$ sudo apt-get install nautilus-sendto
Password:
/var/lib/apt/lists/mrepo_rhel5s-i386_RPMS.os_repodata_repomd.xml:1: parser error : Start tag expected, '<' not found
  ^
apt-get: rpm/rpmindexfile.cc:645:std::string rpmRepomdIndex::IndexURI(std::string) const: “Res.size() > 0”failed.
gave up.


You may want to report this to the apt mailinglist, though with a bit more 
information (apt version, etc...)


But to me the error indicates that the repodata file either is empty or 
not properly XML. Is it possible that the location of the repository 
simply is wrong, or that you have permission problems on those files so 
that they fail to be downloaded ?


Reporting this to the apt mailinglist may make apt provide a cleaner error 
message, but if the cause is not within apt you will have to fix the cause 
anyhow.


Kind regards,
--
--   dag wieers,  d...@centos.org,  http://dag.wieers.com/   --
[Any errors in spelling, tact or fact are transmission errors]


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ray Van Dolson
On Fri, Dec 19, 2008 at 03:42:08PM +, Karanbir Singh wrote:
> Rainer Duffner wrote:
> >> 1500 clients is quite a lot, but not hard to handle from a single 
> >> machine if you select a cpu capable of doing ssl quickly. eg a power6 
> >> machine with a few cores would handle that without any problems.
> > 
> > And what is the suggested RRP of such a thing?
> > (If one may ask).
> 
> I am sure if you ask someone who sells them, they will tell you :D
> 
> >> If you want to stick with commodity hardware, a couple of quad core 
> >> amd's should also fit right in.
> > Or use an SSL-offloader.
> > Then, you can handle the same load with much less CPU-power.
> 
> Can get fiddly, with specific drivers and patches required to various 
> bits.. But that's a solution that could work too.
> 

To OP; anecdotal evidence only -- and I certainly wouldn't recommend
using PPTP for a secure VPN solution :)  At my previous job we ran
PoPToP (PPTP) on CentOS and the older HP DL140 G1 1U servers and were
handling up to 1000 clients pretty comfortably per machine.  This was
with 1GB of RAM per server and a single 2.4GHz Xeon processor.

Left before we could migrate to OpenVPN which I think would have
slightly higher processing requirements. :)

Ray


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Karanbir Singh
Rainer Duffner wrote:
>> 1500 clients is quite a lot, but not hard to handle from a single 
>> machine if you select a cpu capable of doing ssl quickly. eg a power6 
>> machine with a few cores would handle that without any problems.
> 
> And what is the suggested RRP of such a thing?
> (If one may ask).

I am sure if you ask someone who sells them, they will tell you :D

>> If you want to stick with commodity hardware, a couple of quad core 
>> amd's should also fit right in.
> Or use an SSL-offloader.
> Then, you can handle the same load with much less CPU-power.

Can get fiddly, with specific drivers and patches required to various 
bits.. But that's a solution that could work too.

- KB


[CentOS] problem of apt

2008-12-19 Thread cjzjm100
Hi all !
Today the apt had a problem, here is the result:
[cjzjm...@localhost ~]$ sudo apt-get install nautilus-sendto
Password:
/var/lib/apt/lists/mrepo_rhel5s-i386_RPMS.os_repodata_repomd.xml:1: parser error : Start tag expected, '<' not found
  ^
apt-get: rpm/rpmindexfile.cc:645:std::string rpmRepomdIndex::IndexURI(std::string) const: “Res.size() > 0”failed.
gave up.




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Robert Moskowitz
DISCLAIMER:

I work for ICSAlabs, an Independent Division of Verizon Business 
Systems. We are the UL of security product testing.

I co-chaired the IPsec work in the IETF back in the late '90s.

I am the creator of the HIP protocol.

I have lots of standards experience, lots of testing experience, and 
limited deployment experience.

The following IS NOT the position of my employer. I just benefit from a 
lot of help on this list, and rarely can give back

dhaval.tha...@networthdirect.com wrote:
> Hi list,
>
>
> I have to build vpn server for 1500 clients. No encryption necessary.
> can anyone please recommend me vpn server.
>
> I do not have experience on vpn.
>
> I have tested openvpn on my test setup, & its working fine.
>
> I want to check if there any other vpn server available.
> I have not checked but can pptp vpn be useful?
>
>
> My requirement is to connect 1500 clients on vpn server.
> Need frontend to manage vpn clients.

I am going to recommend PPTP to you, the reason is low setup cost and 
the encryption stinks (and thus does not cost much CPU).

You see even if you run IPsec with ESP NULL (RFC 2510, read it for all 
the US-centric jokes we stuffed in it), you have to pay for IKE and 
actually the session handshake can be more the killer for a VPN server 
than the actual per-packet-encryption. Why? Because to do ANY decent VPN 
protocol that has encryption available, the handshake MUST use 
asymmetric (ie public-key) encryption. At least Diffie-Hellman, perhaps 
some RSA or ECC thrown in there. Oh, 802.11i Four-Way-Handshake DOES 
avoid this when running with a pre-shared key (OUCH, I wrote the paper 
on the attack on that after I helped develop the protocol including all 
of its compromises).

So every morning when those 1500 users log in, you eat dust while all 
the public-key work goes on. Without hardware to do the work, your 
server just dies. I don't care if you run IPsec, SSLvpn, HIP, or SSH, 
you will have public key crypto running for the handshake. The actual 
cost of AES in a counter-mode operation (like CCMP that was created for 
802.11i, or GCM that was created for 802.1AE) is actually quite 
reasonable. And if you run RC4 with SSLvpns, boy are you running a low 
overhead (and easy to attack) cipher.


But PPTP

Microsoft invented it to get connected and of course no one would bother 
to attack it... So the handshake is really light weight and won't kill 
your server.

There are variants of PPTP (eg L2PPTP) that have some real crypto in 
them in an attempt to fix what was broken, but then Microsoft got the 
'religion' and went full throttle with IPsec, and did a decent job of 
it. So decent in fact that many corporations turn it OFF because they 
can't do internal traffic shaping when all the Microsoft traffic is 
running in ESP!


So to conclude.

Find a tunnelling protocol that has a CHEAP setup cost, like PPTP. This 
can be a bigger deal breaker than the actual tunnel encryption method.
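
Added example (not part of the post above, and not code from any VPN product): a stdlib-only measurement of the point made in that message, that the public-key handshake costs far more CPU than the symmetric work on one packet, scaled to 1500 simultaneous logins. The modulus P, the exponent size, the HMAC-SHA256 stand-in for a per-packet cipher and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed 2048-bit odd modulus, used only to measure cost. It is NOT a
# vetted Diffie-Hellman group; real deployments use standardized groups.
P = (1 << 2048) - 159
G = 2
EXP_BITS = 2048  # assumed private-exponent size

def dh_keypair():
    """Return (private, public) for one side of the exchange."""
    priv = secrets.randbits(EXP_BITS) | 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    """Shared secret from our private value and the peer's public value."""
    return pow(peer_pub, priv, P)

def server_handshake_seconds(rounds=20):
    """Average server CPU time per handshake (two modular exponentiations)."""
    _, client_pub = dh_keypair()
    start = time.process_time()
    for _ in range(rounds):
        priv, _pub = dh_keypair()
        dh_shared(priv, client_pub)
    return (time.process_time() - start) / rounds

def packet_seconds(rounds=20000, size=1400):
    """Average CPU time per packet; HMAC-SHA256 stands in for the cipher."""
    key, packet = secrets.token_bytes(32), secrets.token_bytes(size)
    start = time.process_time()
    for _ in range(rounds):
        hmac.new(key, packet, hashlib.sha256).digest()
    return (time.process_time() - start) / rounds

def login_storm(clients=1500):
    """Single-core CPU estimate for every client handshaking at once."""
    hs, pkt = server_handshake_seconds(), packet_seconds()
    return {"handshake_s": hs, "packet_s": pkt, "storm_cpu_s": hs * clients,
            "packets_per_handshake": hs / pkt}

if __name__ == "__main__":
    for name, value in login_storm().items():
        print(f"{name}: {value:.6g}")
```

The packets_per_handshake figure shows how many packets' worth of symmetric work one session setup costs on the machine where it is run.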




Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Rainer Duffner
Karanbir Singh wrote:
> Dhaval Thakar wrote:
>   
>> I prefer non-encryption vpn.
>> If I use openvpn, it will require more processing power than poptop.
>> I guess creating backup server might become difficult as it works on ssl 
>> cert. cert created on server1 might not work with server2. Whereas in 
>> poptop I need to copy single file (chap-secrets).
>> 
>
> 1500 clients is quite a lot, but not hard to handle from a single 
> machine if you select a cpu capable of doing ssl quickly. eg a power6 
> machine with a few cores would handle that without any problems.
>
>   

And what is the suggested RRP of such a thing?
(If one may ask).


> If you want to stick with commodity hardware, a couple of quad core 
> amd's should also fit right in.
>   

Or use an SSL-offloader.
Then, you can handle the same load with much less CPU-power.
Though, the throughput you need with 1500 users will already mandate a
pretty beefy server - at least concerning I/O.
Soekris, WRAP and Alix need not apply, I'm afraid



Rainer


Re: [CentOS] Raid1 --> Raid5

2008-12-19 Thread Karanbir Singh
Mariusz wrote:
> ok, thanks for reply, but logical disk(s) will be the same? after migration?

Did you ask your vendor / manufacturer of the raid layer ? What did they 
say ?

- KB


Re: [CentOS] Raid1 --> Raid5

2008-12-19 Thread Mariusz
On Fri, Dec 19, 2008 at 03:17:25AM -0800, John Doe wrote:
> > From: Mariusz 
> > I'm thinking of changing raid 1 to raid 5 (physical --> in bios, now i've 
> > got 2 
> > disks in raid1, i want to add 3rd disk). Will centos work correctly?
> 
> If it is physical RAID, CentOS should only see logical disk(s) and not the 
> underlying physical disks...
> I guess it all depends if your RAID controller supports RAID1 to RAID5 
> migration.
> 
> JD
ok, thanks for reply, but logical disk(s) will be the same? after migration?

Mariusz


Re: [CentOS] Raid1 --> Raid5

2008-12-19 Thread John Doe
> From: Mariusz 
> I'm thinking of changing raid 1 to raid 5 (physical --> in bios, now i've got 
> 2 
> disks in raid1, i want to add 3rd disk). Will centos work correctly?

If it is physical RAID, CentOS should only see logical disk(s) and not the 
underlying physical disks...
I guess it all depends if your RAID controller supports RAID1 to RAID5 
migration.

JD


  



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Karanbir Singh
Dhaval Thakar wrote:
> I prefer non-encryption vpn.
> If I use openvpn, it will require more processing power than poptop.
> I guess creating backup server might become difficult as it works on ssl 
> cert. cert created on server1 might not work with server2. Whereas in 
> poptop I need to copy single file (chap-secrets).

1500 clients is quite a lot, but not hard to handle from a single 
machine if you select a cpu capable of doing ssl quickly. eg a power6 
machine with a few cores would handle that without any problems.

If you want to stick with commodity hardware, a couple of quad core 
amd's should also fit right in.

- KB


[CentOS] Raid1 --> Raid5

2008-12-19 Thread Mariusz
I'm thinking of changing raid 1 to raid 5 (physical --> in bios, now i've got 2 
disks in raid1, i want to add 3rd disk). Will centos work correctly?

cheers

Mariusz



Re: [CentOS] drbd 8.3.0 is out

2008-12-19 Thread Rainer Traut
On 19.12.2008 11:29, Ian Forde wrote:
> On Fri, 2008-12-19 at 10:20 +0100, Rainer Traut wrote:
>> Hi,
>>
>> is this the right place to ask for updated -extras- packages?
>>
>> this seems to be the successor of the 8.2.x branch and contains various
>> bugfixes.
>
> Uhhh... this was *just* released... that's a little quick to be asking,
> isn't it? ;)  I'm pretty sure I won't be using this in production until
> it's at least at 8.2.3 or so...

You mean 8.3.3?
Yeah you're right, drbd is really really fundamental. But the extras 
repo is already missing 8.2.7 which was left out. And even 8.2.7 has 
some bugs fixed not until 8.3.0.

And 8.2.8's release date seems unknown if not unsure.

> Of course, that's not to say that testing packages won't be produced at
> some point.  After all, wasn't there some overlap of 8.1.x and 8.2
> packages?

If there's something to test I will do...

Rainer


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Ian Forde
On Fri, 2008-12-19 at 16:02 +0530, Dhaval Thakar wrote:

> I prefer non-encryption vpn.

Uhh... without encryption, you take the "p" out of "vpn"...

-I



Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Dhaval Thakar


Matej Cepl wrote:
> On 2008-12-17, 08:37 GMT, NiftyClusters T Mitchell wrote:
>   
>> It is possible that dedicated Cisco hardware solutions will 
>> scale better.
>> 
>
> Your mileage may vary, but I have terrible experience with Linux 
> Cisco VPN clients, so I would strongly suggest OpenVPN. Of 
> course, I don't know anything about needs for so huge 
> installation etc. -- the only thing I have is very bad experience with 
> Cisco VPN as its user.
>   
thanks for the reply.
I need vpn server to provide software connectivity to the clients.
This is trading software.

I have installed & used OpenVpn on my test setup.
It is working fine.

I prefer non-encryption vpn.
If I use openvpn, it will require more processing power than poptop.
I guess creating backup server might become difficult as it works on ssl 
cert. cert created on server1 might not work with server2. Whereas in 
poptop I need to copy single file (chap-secrets).

I am testing poptop; if there is any better vpn server available, 
kindly let me know.






Re: [CentOS] drbd 8.3.0 is out

2008-12-19 Thread Ian Forde
On Fri, 2008-12-19 at 10:20 +0100, Rainer Traut wrote:
> Hi,
> 
> is this the right place to ask for updated -extras- packages?
> 
> this seems to be the successor of the 8.2.x branch and contains various 
> bugfixes.

Uhhh... this was *just* released... that's a little quick to be asking,
isn't it? ;)  I'm pretty sure I won't be using this in production until
it's at least at 8.2.3 or so... 

Of course, that's not to say that testing packages won't be produced at
some point.  After all, wasn't there some overlap of 8.1.x and 8.2
packages?

-I



Re: [CentOS] drbd 8.3.0 is out

2008-12-19 Thread Karanbir Singh
Rainer Traut wrote:
> Hi,
> 
> is this the right place to ask for updated -extras- packages?
no. you want bugs.centos.org instead

> this seems to be the successor of the 8.2.x branch and contains various 
> bugfixes.

also, offer to work with the packagers to test the stuff as it's built.


Re: [CentOS] regarding vpn server for 1500 clients

2008-12-19 Thread Matej Cepl
On 2008-12-17, 08:37 GMT, NiftyClusters T Mitchell wrote:
> It is possible that dedicated Cisco hardware solutions will 
> scale better.

Your mileage may vary, but I have terrible experience with Linux 
Cisco VPN clients, so I would strongly suggest OpenVPN. Of 
course, I don't know anything about needs for so huge 
installation etc. -- the only thing I have is very bad experience with 
Cisco VPN as its user.

Matěj



[CentOS] drbd 8.3.0 is out

2008-12-19 Thread Rainer Traut
Hi,

is this the right place to ask for updated -extras- packages?

this seems to be the successor of the 8.2.x branch and contains various 
bugfixes.

Thx
Rainer
