Re: Best Authentikation and security against WarDriver
Michelle Konzack wrote:
> Hello Colleagues,
>
> Now I have 17 Lucent ORINOCO COR/ROR and one Proxim MP.11a (54 MBit)
>
> Now my question: How can I block the network for all and do only allow to my Clients?
>
> I know Win98 has already 'pptp' but Win95 and Macintosh?
>
> In general, the Clients are using PCI/PCMCIA-Adaptors with ORINOCO GoldCards, because others are lacking in Performance for this.
>
> There was someone which has suggested to install the pptpd... How secure is it?

Setting up pptp or ipsec would definitely be the most elegant solution, but alas it'd also be the most nightmarish to set up with so many different operating systems.

The other solution I can think of is authenticating users with a login/password in a caged firewalled environment, and after positive auth (via a web page), open up their connection to the network.

There's an article discussing this in the Linux Journal September 2003 issue, but it seems it's not available to the public:

http://www.linuxjournal.com/modules.php?op=modload&name=NS-lj-issues/issue113&file=index

However, it deals with setting up software that does this trick, specifically NoCatAuth, which can be downloaded from: www.nocat.com

José

PS. Please reply to the list.
Re: Fun with routes
On Wednesday 17 March 2004 07:24, aCaB wrote:
> I was trying to figure out a cheap solution to increase upload speed for
> one of my customers (currently using ADSL).
>
> I soon realized that dedicated lines such as CDN, HDSL etc are too
> expensive in respect to common ADSL and came up with a brain-dead idea
> of bonding various ADSL lines together...
>
> Let's say I have ISP-A and ISP-B providing me 2 lines with static
> addresses IP-A and IP-B; both ISPs allow source address spoofing.
> For simplicity let's also say I will only accept incoming connections on
> IP-A, but, to increase upload speed, I want reply packets to come out
> both from ISP-A (with no modifications) AND ISP-B (with source address
> spoofing).
>
> I'm quite sure this can be done, but I'm not sure if iproute2 would do
> this.

I've set up lots of multiple connection gateways but outbound load balancing wasn't a concern (only inbound). Still, I'm pretty sure that iproute2 is the correct tool and that this is pretty trivial to set up.

Forget IP spoofing, just set things up so that traffic alternates which connection it goes out. Look at load balancing in the LARTC (http://lartc.org/howto/lartc.rpdb.multiple-links.html).

If you truly want double the bandwidth you won't get it but if you just want to share the load across multiple connections then this is the answer.

--
Fraser Campbell <[EMAIL PROTECTED]> http://www.wehave.net/
Georgetown, Ontario, Canada
Debian GNU/Linux
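The kind of two-uplink policy routing the LARTC page linked above covers, as an added example (not code from this thread or from LARTC): it prints the iproute2 commands instead of running them. Interface names, table numbers and all addresses are constructed placeholders from the documentation ranges. Replies sourced from IP-A are pinned to ISP-A, so neither provider ever receives a packet carrying the other's address.

```shell
#!/bin/sh
# Added example: prints (does not run) the iproute2 commands for a
# two-uplink gateway. Interface names, table numbers and addresses are
# constructed placeholders (RFC 5737 documentation ranges).

IF_A=${IF_A:-eth1}; IP_A=${IP_A:-192.0.2.10}
NET_A=${NET_A:-192.0.2.0/24}; GW_A=${GW_A:-192.0.2.1}; TBL_A=${TBL_A:-101}
IF_B=${IF_B:-eth2}; IP_B=${IP_B:-198.51.100.10}
NET_B=${NET_B:-198.51.100.0/24}; GW_B=${GW_B:-198.51.100.1}; TBL_B=${TBL_B:-102}
PROBE=${PROBE:-203.0.113.1}   # any outside address, used only for checks

# Per-uplink table: a packet whose source is this uplink's address
# always leaves through this uplink, so each ISP only ever sees its own
# customer address and source-address filtering is never triggered.
uplink_cmds() {   # args: interface address network gateway table
    echo "ip route add $3 dev $1 src $2 table $5"
    echo "ip route add default via $4 dev $1 table $5"
    echo "ip rule add from $2 table $5"
}

# Main table: outbound traffic with no fixed source is shared between
# the two gateways. The choice is made per route/flow, not per packet,
# which is why the result is load sharing rather than doubled bandwidth.
balance_cmds() {
    echo "ip route add default scope global" \
         "nexthop via $GW_A dev $IF_A weight 1" \
         "nexthop via $GW_B dev $IF_B weight 1"
}

multilink_cmds() {
    uplink_cmds "$IF_A" "$IP_A" "$NET_A" "$GW_A" "$TBL_A"
    uplink_cmds "$IF_B" "$IP_B" "$NET_B" "$GW_B" "$TBL_B"
    balance_cmds
}

# Checks to run after applying: each should report the matching device.
verify_cmds() {
    echo "ip route get $PROBE from $IP_A   # expect: dev $IF_A"
    echo "ip route get $PROBE from $IP_B   # expect: dev $IF_B"
}

multilink_cmds
verify_cmds
```

Review the printed commands before running them as root; the multipath line assumes the main table has no default route yet.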
Re: Fun with routes
aCaB wrote:
> > First off, ISP-B should be dropping your spoofed packets on the floor once they hit their network.
>
> I'm a strange guy, I know, but I totally disagree. IMHO An ISP should provide a customer with the internet. That's it.

Right, "that's it". The ISP should provide the Internet with the customer, not someone else's customer.

> An ISP should not (unless asked to) mangle/NAT packets, stop pings, block backdoor scans, scan mails for viruses or do any activity limiting somehow their users' freedom over the net. They can and should of course identify and fight troublemakers through the customers.

By blocking spoofed packets, they are identifying and fighting troublemakers. Spoofed packets could be a denial of service attack, an intrusion in progress, or a long list of other nasty things.

> We could discuss a lot about what an ISP should and should not, but I don't feel this is the proper time for such a discussion.

Except that your proposed solution won't work if outbound spoofing is prohibited.

Now, the best thing to do would be to approach both ISPs and ask if they'll allow your wish (and their upstreams will permit it). You do risk having some destinations be unreachable if you send packets through the "wrong" pipe.

pt
Re: Fun with routes
Thank you all for your quick replies.

The situation in the place I live is gonna look quite weird to you folk. Here are NO small ISPs and only a few major telcos are offering ADSL. Moreover none of them can be bothered setting up specially crafted connections or routing disciplines; they do plug in their pre-configured c*sco's and sell their fixed ADSL packages. Period. If you want something more you have to choose CDN or fibre.

That said, I repeat: I'm not willing to set up a real life environment featuring ADSL bonding via IP spoofing, I was just willing to satisfy my curiosity: is that possible? And if so can it be achieved? Does this sound strange?

> First off, ISP-B should be dropping your spoofed packets on the floor once they hit their network.

I'm a strange guy, I know, but I totally disagree. IMHO An ISP should provide a customer with the internet. That's it. An ISP should not (unless asked to) mangle/NAT packets, stop pings, block backdoor scans, scan mails for viruses or do any activity limiting somehow their users' freedom over the net. They can and should of course identify and fight troublemakers through the customers.

We could discuss a lot about what an ISP should and should not, but I don't feel this is the proper time for such a discussion.

> Load balancing the two will become a problem... how does your computer decide which path to send on? Aside from a few specific cases (like equal-cost load balancing) your routing protocol/procedure/program should make the same decision every time for where a packet should be routed.

Ok you got the point. This is exactly what I was asking. From my point of view even a quite rudimentary approach such as routing each packet through a different interface/ISP would be enough. Even a random mechanism would be ok.

> A much easier way to do this, using existing proven technology would be MLPPP to one provider (assuming that your provider supports MLPPP and that you can get client hardware to do so as well).
> Some careful routing with two separate DSL connections to the same provider will work as well.

Apart from the fact that no one here is offering MLPPP or _even_ two adsl (don't ask me why, but I guess this is done to sell dedicated lines instead), that is no fun, which is somewhat in contrast with the subject of my mail.

Thanks again for your time!
Re: Fun with routes
I have read this and I think it will solve your problem.

http://www.samag.com/documents/s=1824/sam0201h/0201h.htm

Regards,
Andrés

aCaB wrote:
> Thank you all for your quick replies.
>
> The situation in the place I live is gonna look quite weird to you folk. Here are NO small ISPs and only a few major telcos are offering ADSL. Moreover none of them can be bothered setting up specially crafted connections or routing disciplines; they do plug in their pre-configured c*sco's and sell their fixed ADSL packages. Period. If you want something more you have to choose CDN or fibre.
>
> That said, I repeat: I'm not willing to set up a real life environment featuring ADSL bonding via IP spoofing, I was just willing to satisfy my curiosity: is that possible? And if so can it be achieved? Does this sound strange?
>
> > First off, ISP-B should be dropping your spoofed packets on the floor once they hit their network.
>
> I'm a strange guy, I know, but I totally disagree. IMHO An ISP should provide a customer with the internet. That's it. An ISP should not (unless asked to) mangle/NAT packets, stop pings, block backdoor scans, scan mails for viruses or do any activity limiting somehow their users' freedom over the net. They can and should of course identify and fight troublemakers through the customers.
>
> We could discuss a lot about what an ISP should and should not, but I don't feel this is the proper time for such a discussion.
>
> > Load balancing the two will become a problem... how does your computer decide which path to send on? Aside from a few specific cases (like equal-cost load balancing) your routing protocol/procedure/program should make the same decision every time for where a packet should be routed.
>
> Ok you got the point. This is exactly what I was asking. From my point of view even a quite rudimentary approach such as routing each packet through a different interface/ISP would be enough. Even a random mechanism would be ok.
>
> > A much easier way to do this, using existing proven technology would be MLPPP to one provider (assuming that your provider supports MLPPP and that you can get client hardware to do so as well).
> > Some careful routing with two separate DSL connections to the same provider will work as well.
>
> Apart from the fact that no one here is offering MLPPP or _even_ two adsl (don't ask me why, but I guess this is done to sell dedicated lines instead), that is no fun, which is somewhat in contrast with the subject of my mail.
>
> Thanks again for your time!

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Fun with routes
aCaB wrote:
> I was trying to figure out a cheap solution to increase upload speed for one of my customers (currently using ADSL).
>
> I soon realized that dedicated lines such as CDN, HDSL etc are too expensive in respect to common ADSL and came up with a brain-dead idea of bonding various ADSL lines together...
>
> Let's say I have ISP-A and ISP-B providing me 2 lines with static addresses IP-A and IP-B; both ISPs allow source address spoofing. For simplicity let's also say I will only accept incoming connections on IP-A, but, to increase upload speed, I want reply packets to come out both from ISP-A (with no modifications) AND ISP-B (with source address spoofing).
>
> I'm quite sure this can be done, but I'm not sure if iproute2 would do this. Any ideas?
>
> I'm aware of legal concerns regarding IP spoofing, so that this idea is quite unlikely to become a real life example, but I'd still like to know about it for my own curiosity's sake.
>
> Thanks a lot.

First off, ISP-B should be dropping your spoofed packets on the floor once they hit their network. Your example does specify that this is not the case, though.

Load balancing the two will become a problem... how does your computer decide which path to send on? Aside from a few specific cases (like equal-cost load balancing) your routing protocol/procedure/program should make the same decision every time for where a packet should be routed.

A much easier way to do this, using existing proven technology would be MLPPP to one provider (assuming that your provider supports MLPPP and that you can get client hardware to do so as well). Some careful routing with two separate DSL connections to the same provider will work as well.

--Rich
Fun with routes
I was trying to figure out a cheap solution to increase upload speed for one of my customers (currently using ADSL).

I soon realized that dedicated lines such as CDN, HDSL etc are too expensive in respect to common ADSL and came up with a brain-dead idea of bonding various ADSL lines together...

Let's say I have ISP-A and ISP-B providing me 2 lines with static addresses IP-A and IP-B; both ISPs allow source address spoofing. For simplicity let's also say I will only accept incoming connections on IP-A, but, to increase upload speed, I want reply packets to come out both from ISP-A (with no modifications) AND ISP-B (with source address spoofing).

I'm quite sure this can be done, but I'm not sure if iproute2 would do this. Any ideas?

I'm aware of legal concerns regarding IP spoofing, so that this idea is quite unlikely to become a real life example, but I'd still like to know about it for my own curiosity's sake.

Thanks a lot.