firewall recommendations?
I'm looking for a firewall that has a very high packet throughput rate, can handle minimal stun tasks, do server load balancing for http etc., handle many-to-one as well as bi-directional NAT and just plain works with high reliability/redundancy. Suggestions off list would be wonderful. Thanks.
needing switch options
I need to find a few options for switches.. My requirements are based on heavy voip traffic so the switch needs to support a very high pps rate while not as much in the Gbps realms - we're using small codecs. We are looking at supporting > 1M subscribers. Initially, we will be handling media but down the road most of the media will not need to be passed on/across our network. I'd like to get some recommendations from the list as to vendor/models that have been deployed and excellent performance / cost has been achieved. I've looked at the 3com 8807 and the 7757 kits already - I'm not sure they would fit the bill (low pps, fabric speed iffy, fabric fail-over time questionable - that's my impression from reading on their site). Replies off list would probably be best and thanks in advance.
XO opinions
I'd like to get opinions from people using XO's voip services as well as opinions on any customer service they received for whatever service they had from XO.. offlist replies would probably be best for all.
image stream routers
I'd like to get some feedback as to what people's experiences are (if any) with image stream routers.. specifically the industrial ones. http://www.imagestream.com/
Re: Qwest PSTN problems / status page?
Jay R. Ashworth wrote: On Mon, Aug 22, 2005 at 03:16:01PM -0600, Mike Lewinski wrote: We have been told they are currently experiencing a major outage and "All calls are failing out-going" (which isn't true as I've made some calls, but am seeing intermittent congestion returned on our PRIs) I have also heard that it... "Seems to be on the public switching network. Seattle can call out, Minneapolis & Ohio can't." Qwest reportedly *just* signed a new union contract today; perhaps some people didn't get the memo? Considering the way some ds1 repeaters have just vanished from qwest central offices today - I'd have to agree with that thought. http://news.google.com/news?q=qwest+-field Cheers, -- jra
Re: Qwest PSTN problems / status page?
Their VoIP LD service is also affected.. from my initial understanding it affects a variety of inter-lata calls. Some inter-lata calls are down hard.. others are intermittent. This holds true for calls between latas where qwest is the ILEC. Ex: denver to somewhere in omaha (another qwest number). Mike Lewinski wrote: Is anyone aware of a network status page for Qwest PSTN. We have been told they are currently experiencing a major outage and "All calls are failing out-going" (which isn't true as I've made some calls, but am seeing intermittent congestion returned on our PRIs) I have also heard that it... "Seems to be on the public switching network. Seattle can call out, Minneapolis & Ohio can't." (We first noticed it WRT LD calls, and my first test was to OH and that succeeded, so whatever it is clearly is intermittent). Mike
Re: Active and available abuse desks [OT]
Was told this was off-topic.. oops! Off-list replies please, thanks. Matt Hess wrote: I'm curious as to what people feel is pro-active for the internet community as far as an available and active abuse desk goes.. As of late I run into more and more automated groups who I personally think are very wrong for forcing reports to come in via e-mail or web submission only. The argument I have been presented is that those ISP's should not have to offer an actual human being on an abuse desk for non-customers as they make no money on it. My take is that this is an inherent expense to having customers.. that expense is part of being involved with the internet and should be expected of a provider who wishes to be taken seriously in the internet community. *dons flame retardant.. well, everything* Matt Hess
Active and available abuse desks
I'm curious as to what people feel is pro-active for the internet community as far as an available and active abuse desk goes.. As of late I run into more and more automated groups who I personally think are very wrong for forcing reports to come in via e-mail or web submission only. The argument I have been presented is that those ISP's should not have to offer an actual human being on an abuse desk for non-customers as they make no money on it. My take is that this is an inherent expense to having customers.. that expense is part of being involved with the internet and should be expected of a provider who wishes to be taken seriously in the internet community. *dons flame retardant.. well, everything* Matt Hess
Re: latest FCC rulings
James Edwards wrote: Wire centers serving more than 38,000 business lines or at least 4 fiber based CLEC's (this means their own fiber, I think) do not have to offer DS1 CO to CO loops to a CLEC. For DS3/Dark Fiber it is 24,000 business lines or 3 fiber based CLEC's. This is interoffice transport, the CLEC's transport between its colos, which they lease from the LEC per their interconnect contract. It can be quite inexpensive. Why bother coloing if you can't get good transport between the colos ? Yes this is what I've gotten out of it.. facility feeder loops are still available but interoffice transport lines have been all but killed.. It would appear that the FCC's intention was to force the clecs to compete among themselves and leave the ilec out of the fray in large population centers.. which really makes no sense unless the fcc is attempting to stifle the business of clecs and limit them to less populated/rural areas.. hence, providing a quasi monopoly.. Much the same for customer loops from your colo. Unbundling, IIRC, is what the xLEC's got from the Telcom act. The loops and fiber. These unbundled elements can only be accessed by colocation with the LEC, for most cases. For wire centers that meet the limits, key here is it has to be both sides meeting the limits for interoffice transport (CO to CO), a colocated CLEC cannot get ds1, ds3, and dark fiber to build their network. With these rulings I think they have all but killed the UNE platform. We are in several Qwest CO's in New Mexico, this is one of the few times it has been good to live in NM, in the context of telecommunications. Fiber based xLEC's, not many, and we only have one city that can be considered big. The questions we had at work were about the business lines. Does it include CLEC lines ? If it does not, business lines are where the LEC's have seen a big decrease and any counts are suspect as they may be old.
So is the xLEC supposed to buy interoffice transport from the fiber based folks in the colo ? Can they get loops, too ? We asked the Colorado PUC and they have interpreted it to mean total business lines.. clecs and lecs totaled together.. funny thing is.. we checked out the line count at denver main and it was under the 38k line limit.. struck me as rather funny. It would appear that the FCC intention is for clecs to buy from other fiber clecs.. but at least out here in colorado it would appear very expensive to do that.. much more so than back haul loops would be. I am not sure about how this affects DS0's. Voice and HSDSL. DSL line share is gone so you have to do voice to offer DSL, in the wholesale context. What are they up to ? They limit competition in locations where there are several major providers or a lot of business customers. Well, in a nutshell my interpretation is that the ilecs have gone to the fcc and through many rounds of lobbying and somewhat shady filings.. (like qwest's recent filing to become completely deregulated) they have told the fcc that since this administration wants to see broadband grow and push out to more areas the fcc needs to get the clecs off their back and then the ilecs will build it for them. The fcc has done so by really hurting the interoffice transport (back haul loops, dark fiber restrictions, death of UNE etc.). They really neutered the Telecommunications Act of 1996.. for some sick reason they think the clecs have an equal chance against the ilecs. Heck, 2 of the commissioners were against the rulings.. but who cares.. a simple majority needs to be held to pass the rules and screw the industry.. sounds like a bargain deal for the ilecs.. buy 3 commissioners, get 2 free. I find commissioner Jonathan Adelstein's opinion on this a great help to laying it out as to what's about to happen..
(http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-255344A5.pdf)
latest FCC rulings
I'm curious.. with the new fcc rulings out how are other clecs planning on coping with them? I'd love to hear reactions or thoughts on the latest the fcc is throwing at the lecs. (http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-255344A1.pdf) Offlist is fine in case this is considered off-topic. Matt Hess
e.root-servers.net we have a problem..
If there is someone on here that is responsible for e.root-servers.net and if that person could ping me off list I'd appreciate it, thanks.
Interland.net noc contact
Anyone have a contact for Interland.net's noc? I don't see them on the noc list.. (http://puck.nether.net/netops/) and the interland customer care (HA!) reps have no concept of what the word "proactive" means. Drop me a line off list please.. thanks.
Re: pppoa and a tnt
Yes, it does, thanks. Looks like we are going with 1483.. Christopher J. Wolff wrote: Matt, I don't remember seeing PPPoA in the 11.0 firmware. Hope this helps. Christopher -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hess Sent: Sunday, September 19, 2004 10:18 PM To: [EMAIL PROTECTED] Subject: pppoa and a tnt Does anybody know if a max tnt supports ppp over atm?
pppoa and a tnt
Does anybody know if a max tnt supports ppp over atm?
Re: Distributed Dictionary email slam
I completely agree, indeed it does not.. which is why we have now dropped doing secondary mx for this domain. Anyway.. thanks to all who responded on and off list.. gave me a few good ideas to tinker with.. Probably the most notable thing from this is the technical level with which spammers are now employing such a distributed network of spamming zombie type systems in a very directed manner.. and I always pictured them as drooling slobs that stare at blinking lights.. ;) Randy Bush wrote: Impossible as the customer does not wish to give us a list. You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too. anyway, as they say, that does not scale randy --- Q: Because it reverses the logical flow of conversation. A: Why is top posting frowned upon?
Re: Distributed Dictionary email slam
Impossible as the customer does not wish to give us a list. However, I have thought of that and created some perl foo to go through.. identify the queued junk and remove it completely from our queue .. thus no bounce and no delivery. Christopher X. Candreva wrote: On Sun, 5 Sep 2004, Matt Hess wrote: source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is You want to keep a list of valid accounts on the secondary so you can refuse mail for non-existing accounts on the secondary too. If you don't care about yourself -- realize that if, say, all of these mails have a return address forged from the same domain, you will be DOSing THAT site with the bounce messages. This is enough for some people to block mail from you. == Chris Candreva -- [EMAIL PROTECTED] -- (914) 967-7816 WestNet Internet Services of Westchester http://www.westnet.com/
Distributed Dictionary email slam
We are secondary mx for a specific domain that has been hammered since friday night. We've accumulated literally thousands of email messages in our queue while the primary mx at the customer site is out of service yet again. In looking at the queue it appears that it's one heck of a dictionary based slam. Interesting thing about this is that it is distributed.. entire dictionary destination addresses such as [EMAIL PROTECTED] come from one host (apparently with a trojan on it or otherwise) while [EMAIL PROTECTED] come from yet a different host.. and so on down the alphabet all the while constantly changing source hosts.. Now being as we are a secondary mx I'm dropping their record out of our email system as I write this, however, I am curious if others have gone through or are currently going through something of this magnitude (12K spam/dictionary msgs per hour destined to one domain and that's just what is getting past the blacklist checks). Normally I see my spam block daemon at around 10 - 15 concurrent requests.. right now it's tearing along at around 160 - 180 concurrent bad connections. And of course a few suggestions to mitigate this would be appreciated.. I currently employ multiple blacklists such as spamcop.net, abuseat.org, spews level 1 and 2, and spamhaus, plus my own blocklists for china and korea to check on incoming email source addresses.
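The pattern described in this thread (each zombie sweeping one alphabetical slice of a dictionary against a single domain) and the recipient-validity check suggested in the replies, as an added example that is not code from any of the posts; the log format, addresses and the valid-account table are constructed for illustration.

```python
"""Spot a distributed dictionary run against one domain in MTA logs, and
apply the 'known recipients only' check a secondary MX can enforce at
RCPT TO. Added example; log format and account list are constructed."""
from collections import defaultdict
import re

# Constructed log lines in a simplified "timestamp src=IP rcpt=address" form.
SAMPLE_LOG = """\
2004-09-05T01:00:01 src=10.1.1.10 rcpt=aaron@example.net
2004-09-05T01:00:02 src=10.1.1.10 rcpt=abby@example.net
2004-09-05T01:00:02 src=10.1.1.10 rcpt=abel@example.net
2004-09-05T01:00:03 src=10.2.2.20 rcpt=bart@example.net
2004-09-05T01:00:04 src=10.2.2.20 rcpt=beth@example.net
2004-09-05T01:00:05 src=10.3.3.30 rcpt=carl@example.net
2004-09-05T01:00:05 src=10.3.3.30 rcpt=cary@example.net
2004-09-05T01:00:06 src=10.4.4.40 rcpt=dave@example.net
2004-09-05T01:00:07 src=10.9.9.90 rcpt=sales@other.example
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+rcpt=(?P<rcpt>[^@\s]+)@(?P<dom>\S+)")

def parse_log(text):
    """Yield (source_ip, local_part, domain) for every parseable line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("rcpt").lower(), m.group("dom").lower()

def dictionary_profile(text, domain):
    """Map each source IP to (sorted local parts it tried, sorted set of
    first letters of those local parts) for the given target domain."""
    per_src = defaultdict(set)
    for src, local, dom in parse_log(text):
        if dom == domain:
            per_src[src].add(local)
    return {src: (sorted(locals_), sorted({l[0] for l in locals_}))
            for src, locals_ in per_src.items()}

def looks_distributed_dictionary(text, domain, min_sources=3):
    """Heuristic for the pattern in the thread: several distinct sources,
    each confined to one alphabetical slice, together covering several
    slices. A single host walking the whole alphabet does not match."""
    profile = dictionary_profile(text, domain)
    if len(profile) < min_sources:
        return False
    # Each zombie works one slice of the dictionary...
    if any(len(letters) != 1 for _, letters in profile.values()):
        return False
    # ...and the sources together sweep several different slices.
    slices = {letters[0] for _, letters in profile.values()}
    return len(slices) >= min_sources

# Constructed table of accounts the primary MX actually hosts.
VALID_ACCOUNTS = {"example.net": {"postmaster", "abuse", "dave"}}

def secondary_mx_verdict(rcpt, valid=VALID_ACCOUNTS):
    """SMTP reply a secondary MX should give at RCPT TO: refuse unknown
    users up front instead of queueing them and bouncing later (which
    turns the forged envelope sender into a backscatter victim)."""
    local, _, dom = rcpt.lower().partition("@")
    if dom not in valid:
        return "554 relay denied"
    if local not in valid[dom]:
        return "550 no such user"
    return "250 ok"
```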
Re: Research - Valid Data Gathering vs. Annoying Other
Robert Bonomi wrote: *HOW* is one supposed to tell a 'benign' probe from a 'hostile' one, when it is addressed to a machine that doesn't exist, or to a 'service' that doesn't exist on an existent machine? With all the 'overtly hostile' traffic out there, why on earth would anyone consider that, with regard to 'unexpected'/'abnormal' traffic, there should be _any_ 'expectation of innocence'? Easy, they need to set the evil bit to 0 ;)
OT? experience with time warner telecom?
Apologies if this is off topic but we are looking at time warner telecom for an upstream connection and I would like to get some info as to people's experience with this group.. good or bad. Off-list is fine.. especially if this is indeed OT.
Re: Blocking Win95 hosts [WAS: Lazy network operators - NOT]
I think something like this would be best (safest?) used on collection mx hosts.. hosts that clients would not connect with to send mail.. just other servers delivering mail inward.. I personally can't imagine why someone would want to use a win95/98/Me system as a mta.. so this probably would be a rather interesting idea worth testing out. If nothing else the collateral in the above scenario would probably be very low. And of course the fingerprint list they have has quite a few systems from aix to zaurus.

Patrick W.Gilmore wrote:
On Apr 18, 2004, at 11:40 PM, Matt Hess wrote:
I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
    to any port smtp

The OS fingerprint list they have is rather extensive..

Ya know, I do not think that is such a bad idea. Does anyone have any stats on the number of "real" MTAs that use Win9x? Or of the "real" MTAs that show up as Win9x on this fingerprint?
Re: Lazy network operators - NOT
I was amused at this and decided to look real quick.. OpenBSD's pf can block on OS fingerprints.. effectively doing exactly what you are kidding about (at least I'd hope so.. well, maybe) even in the man page example they put:

# Do not allow Windows 9x SMTP connections since they are typically
# a viral worm. Alternately we could limit these OSes to 1 connection each.
block in on $ext_if proto tcp from any os {"Windows 95", "Windows 98"} \
    to any port smtp

The OS fingerprint list they have is rather extensive.. :)

Mike Jezierski - BOFH wrote: {snipped} the damned operating system Micro$haft. If there was a blackhole list to block all Windows lUsers it would be more effective - granted that would also reduce email down to about 10% of the computing population. No zombies on my Macintosh regards.
Re: Lazy network operators - NOT
I haven't seen it mentioned yet but I believe that some may be looking for something like the lists at: http://www.blackholes.us/ and if it has been mentioned already I apologize for the duplicate.

Doug White wrote:
:
:
:
: Lou Katz wrote:
: >
: > On Sun, Apr 18, 2004 at 02:01:45PM -0400, Jerry Eyers wrote:
: > >
: > > >Spamming is pervasive mainly due to the inattention or failure to enforce
: > > >acceptable use policies by the service provider.
: > >
: > > I must point out that this statement is just flat wrong.
: > >
: > > Spamming exists because spamming works. Why do spammers send
: > > out millions of emails? Because thousands of people click, look at, and
: > > subscribe to services and products being spewed by the spammers.
: > >
: > > If spamming didn't sell products, spamming would die off. We must
: > > educate the users to not do anything with spam but delete it. As from
: > > the success of infomercials on television shows, that won't happen
: > > anytime soon.
: > >
: >
: > I think you are 'right on'. I offer this observation, first
: > triggered by a third-hand report from some sociologists:
:
: Perhaps you'd both care to provide a methodology whereby the same fools
: who respond to anatomical enlargement/improvement potions could be
: successfully educated as to the foibles of responding to spam? All 150
: million plus of them?
:
: And then perhaps compare that required effort and potential success to
: that of applying consistent global pressure on the 100 or so networks
: that host the compromised machines that are the unwitting gateways for
: almost all of today's spam. Unfortunately, in many cases, the networks
: do put enormous effort into disconnecting compromised boxes, but the
: numbers are overwhelming (240,000 on one network alone in the last 2
: weeks). That does not appear to be good enough any more.
:
: I'm with Paul.
:
: As Steve Bellovin has so frequently bleated: "Push the responsibility to
: the edges, where it belongs".
:
: --

Well, Paul did advance a methodology - blackhole them all
I prefer to send a 550 IP blocked for USE - for resolution contact your service provider. Educating the masses who feel anatomically lacking, would be an impossible task for a server admin. Blocking the provider will hit them in the pocketbook, and usually gets attention at the highest executive level, when enough of their customers quit them. Remember it took AOL the loss of nearly 10 million subscribers to make them move against spam at all. Of course, we don't all agree with their methodology, but they are making the attempt. If just a few admins block Comcast (At&T) they will likely be ignored. If thousands of them block Comcast - they will become more pro-active, I submit. SBC-Yahoo has silently implemented spam filters that add X headers which the recipient can filter against. For instance I filter against X-overseas source blah blah As for doing something from a provider standpoint against those who will not install an a/v solution because it slows down their machine - or interferes with their MP3 files, or graphics editors, is another mountain to climb, but climb it they must. The individual mail server admin is a very small part of the big picture, but is responsible for his users, and must do as needed to re-capture the users' inbox for their legitimate use. The job becomes even more difficult when not everyone can agree on what is spam and what is legitimate. Maybe more rejects like : 550 postage due for commercial message delivery. :-)
Comcast Contact
Can somebody at comcast.net with a clue about possible ip routing problems please contact me off-list.
Re: Oh where, oh where has Comcast gone
Well, I do know, as a customer, they are going through a large att -> comcast.net transition period right now.. they even left a poorly thought out automated message on my answering machine to let me know that on june 30th they plan on royally screwing up everything.. now naturally they didn't say that but that message sure didn't leave much room for any hope of contacting support that week if need be..

John R Levine wrote:
I saw a bunch of mail to comcast.net bouncing, so I figured I'd check to see if maybe their mail servers were misconfigured or something. Holy petunias, they've imploded into private network space. It appears that the glue records in the GTLD servers are OK, but ns02 is returning the 172.30 address which, since it's authoritative for itself, overwrites the good data. Tsk, tsk. I suppose that's one way to cut down the amount of spam they get.

$ dnsqr ns comcast.net
2 comcast.net:
76 bytes, 1+2+0+0 records, response, noerror
query: 2 comcast.net
answer: comcast.net 4929 NS ns01.jdc01.pa.comcast.net
answer: comcast.net 4929 NS ns02.jdc01.pa.comcast.net
$ dnsqr a ns01.jdc01.pa.comcast.net
1 ns01.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns01.jdc01.pa.comcast.net
answer: ns01.jdc01.pa.comcast.net 4923 A 172.30.0.16
$ dnsqr a ns02.jdc01.pa.comcast.net
1 ns02.jdc01.pa.comcast.net:
59 bytes, 1+1+0+0 records, response, noerror
query: 1 ns02.jdc01.pa.comcast.net
answer: ns02.jdc01.pa.comcast.net 4919 A 172.30.0.17

Regards, John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies", Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner "More Wiener schnitzel, please", said Tom, revealingly.
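The failure John describes (a zone whose in-bailiwick nameservers answer with RFC 1918 addresses, so the good parent glue gets overwritten and the zone becomes unreachable) as an added audit check; this is not code from the post, and the record snapshot below is constructed from the dnsqr output quoted in it.

```python
"""Audit a zone's nameserver addresses for unroutable (private, loopback,
link-local) space. Added example; NS_RECORDS/A_RECORDS are a constructed
snapshot of the dnsqr answers quoted in the post, not live lookups."""
import ipaddress

# Constructed snapshot of the quoted dnsqr answers.
NS_RECORDS = {
    "comcast.net": ["ns01.jdc01.pa.comcast.net", "ns02.jdc01.pa.comcast.net"],
}
A_RECORDS = {
    "ns01.jdc01.pa.comcast.net": ["172.30.0.16"],
    "ns02.jdc01.pa.comcast.net": ["172.30.0.17"],
}

def in_bailiwick(ns, zone):
    """True when the nameserver's name lies inside the zone it serves.
    Such a server needs parent glue, and its own answer for its name
    replaces that glue in resolver caches (the problem in the post)."""
    ns, zone = ns.rstrip(".").lower(), zone.rstrip(".").lower()
    return ns == zone or ns.endswith("." + zone)

def audit_zone_glue(zone, ns_records, a_records):
    """Return (nameserver, address, problem) tuples for every listed
    nameserver that has no address or a non-globally-routable one."""
    problems = []
    for ns in ns_records.get(zone, []):
        addrs = a_records.get(ns, [])
        if not addrs:
            problems.append((ns, None, "no address record"))
            continue
        for a in addrs:
            ip = ipaddress.ip_address(a)
            if not ip.is_global:  # covers RFC 1918, loopback, link-local, etc.
                kind = "in-zone" if in_bailiwick(ns, zone) else "out-of-zone"
                problems.append((ns, a, "unroutable address (%s nameserver)" % kind))
    return problems

def zone_is_reachable(zone, ns_records, a_records):
    """A zone stays resolvable from the outside only while at least one
    of its listed nameservers has a globally routable address."""
    bad = {ns for ns, _, _ in audit_zone_glue(zone, ns_records, a_records)}
    return any(ns not in bad for ns in ns_records.get(zone, []))

if __name__ == "__main__":
    for ns, addr, why in audit_zone_glue("comcast.net", NS_RECORDS, A_RECORDS):
        print(ns, addr, why)
    print("reachable:", zone_is_reachable("comcast.net", NS_RECORDS, A_RECORDS))
```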
Re: Mobile code security (was Re: rr style scanning of non-customers)
why can't multibillion dollar companies figure that out? it does mystify me :) The only lame excuses I can come up with are possibly: laziness, stupidity, ignorance, complacency, fear of non-compliance (but I think that's a stretch) and perhaps the raccoon mentality of 'it's new and shiny - I MUST have it'. Beyond that I have no idea why groups continue to use a Microsoft Virus Run-Time Environment or even see the excuses above as legitimate justification.