[swinog] Decentralisation vs. centralisation [was: new project: DHCP Protect]

2019-10-25 Thread Nico Schottelius


Good evening,

Gregor Riepl writes:

> [...] you should even put the project on a public collaboration platform to
> allow for easy pull/merge requests. ;)

Gregor, if I understand you correctly, you are implicitly saying "please
put your stuff on one of the big sites like github/gitlab/bitbucket".

I personally think that this is the wrong direction to move, as it
makes the Internet more dependent on a few entities. That makes it less
robust, as we have seen in the censorship case at github related to nationality.

Instead I recommend to decentralise and actually provide your code
from your own system.

I understand your point that it should be easy to contribute, but maybe
it is a more sustainable way to fire up your own git service and have
your code pulled in from your machine, preferably via IPv6?

Just my 5 Rappen,

Nico

--
Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch


___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog


Re: [swinog] new project: DHCP Protect

2019-10-25 Thread Gregor Riepl
> This is why I wrote DHCP Protect. DHCP Protect works with the userspace API
> of Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet
> and decide if it should be forwarded or not.
> 
> Don’t worry, iptables can be configured in a way that if the program is not
> working, it will ACCEPT the packets by default.

In case anyone is not familiar with userspace filters, here is a good overview
of how nftables works:
https://www.slideshare.net/azilian/nftables-the-evolution-of-linux-firewall
(I found something even better a few years ago, but I lost the link...)

> There are no packages available, but don’t be scared, it’s really simple to
> install and it will do all the systemd stuff for you! After make install it
> will already be running (you can also make uninstall which will delete
> everything and remove it from systemd).
> 
> git clone https://git.home.spale.com/dhcp_protect.git

Your Gitea instance doesn't seem to like this link when accessed from a web
browser. This works better: https://git.home.spale.com/public/dhcp_protect
Perhaps you should even put the project on a public collaboration platform to
allow for easy pull/merge requests. ;)

Anyway, thanks for sharing!




Re: [swinog] new project: DHCP Protect

2019-10-25 Thread Pascal Gloor
I just realised there’s an error in the git path:

it should be https://git.home.spale.com/public/dhcp_protect.git

Sorry about that.
Pascal





[swinog] new project: DHCP Protect

2019-10-25 Thread Pascal Gloor
Hi Community,

I don’t know about you, but as an ISP we’ve always faced the problem of crazy
DHCP clients (v4 and v6) flooding our servers. While at Quickline we have a
DHCP server with anti-flood mechanisms, it might not be the case for everyone.

This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of 
Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet and 
decide if it should be forwarded or not.

Don’t worry, iptables can be configured in a way that if the program is not 
working, it will ACCEPT the packets by default.


There are no packages available, but don’t be scared, it’s really simple to 
install and it will do all the systemd stuff for you! After make install it 
will already be running (you can also make uninstall which will delete 
everything and remove it from systemd).

git clone https://git.home.spale.com/dhcp_protect.git
cd dhcp_protect
sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev
make all
sudo make install

That’s it.

And then you need the iptables/ip6tables rule:

iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass
ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass

(SAME queue number! the program can treat v4/v6 at the same time)

The program will log to syslog when it blacklists.

I’ve tested this with 10kpps and the CPU load of the program was about 4-6% on 
one core (AMD Ryzen 7 2700X).

There’s also a flooding perl client in the repository to test the performance.
It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t use the
perftest.pl against a real DHCP server.


More information in the README -> https://git.home.spale.com/public/dhcp_protect

I’d be glad for feedback! Is it useful? What additional features would you like
to see?

Thanks for reading
See you at SwiNOG#36

Pascal
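
The per-packet decision described in the message above, as an added example that is not part of the original post and is not DHCP Protect's own code. It covers DHCPv4 only, keys each client on the BOOTP chaddr field, and uses assumed limits; the function names are hypothetical, and the sample packet is constructed.

```c
#include <stdint.h>
#include <string.h>

/* All limits are assumed values for illustration, not DHCP Protect's defaults. */
enum { MAX_CLIENTS = 1024, WINDOW_SECS = 10, MAX_PER_WINDOW = 5, BLOCK_SECS = 60 };
enum { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

struct client {
    uint8_t key[16];                 /* BOOTP chaddr, zero padded */
    int used;
    unsigned count;                  /* packets seen in the current window */
    long window_start, blocked_until;
};
static struct client table[MAX_CLIENTS];

/* Build a constructed, minimal BOOTREQUEST (236-byte fixed header) as sample input. */
size_t make_request(uint8_t buf[236], uint8_t mac_last_byte)
{
    const uint8_t mac[6] = { 0x02, 0x00, 0x00, 0x00, 0x00, mac_last_byte };
    memset(buf, 0, 236);
    buf[0] = 1; buf[1] = 1; buf[2] = 6;  /* op=BOOTREQUEST, htype=Ethernet, hlen=6 */
    memcpy(buf + 28, mac, 6);            /* chaddr starts at offset 28 */
    return 236;
}

/* Verdict for one UDP port 67 payload seen at time `now` (seconds). */
int dhcp4_verdict(const uint8_t *p, size_t len, long now)
{
    struct client *c = NULL, *spare = NULL;
    uint8_t key[16] = { 0 };

    if (len < 236 || p[2] == 0 || p[2] > 16) return VERDICT_DROP; /* not valid BOOTP */
    memcpy(key, p + 28, p[2]);
    for (int i = 0; i < MAX_CLIENTS && !c; i++) {
        if (table[i].used && memcmp(table[i].key, key, 16) == 0) c = &table[i];
        else if (!table[i].used && !spare) spare = &table[i];
    }
    if (!c) {
        if (!spare) return VERDICT_ACCEPT;   /* table full: fail open (assumption) */
        c = spare;
        memcpy(c->key, key, 16);
        c->used = 1; c->window_start = now;
    }
    if (now < c->blocked_until) return VERDICT_DROP;          /* still blacklisted */
    if (now - c->window_start >= WINDOW_SECS) { c->window_start = now; c->count = 0; }
    if (++c->count <= MAX_PER_WINDOW) return VERDICT_ACCEPT;
    c->blocked_until = now + BLOCK_SECS;     /* a real filter would log the blacklisting */
    return VERDICT_DROP;
}
```

In a deployment the returned verdict would be handed back to the kernel for the queue named in the NFQUEUE rules; with --queue-bypass, packets are accepted when no program is attached to that queue.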





[swinog] Swisscom routing question / problem

2019-10-25 Thread DUCHET Rémy
Hello,

 

Can someone from Swisscom contact me about a BGP routing issue?

Many thanks in advance.

 

Rémy





[swinog] A1/aon.at contact

2019-10-25 Thread Jan-Philipp Benecke
Hey together,

hoping there is someone from aon.at/A1 on list.
We tried to reach out to you but your postmaster@ mailbox exceeded the
quota ;)

Can someone contact me off-list?

Thanks a lot.

Have a nice day,
Jan-Philipp

-- 
Jan-Philipp Benecke
Deliverability Team

Phone: +49 4402 97390-00
E-Mail: j...@cleverreach.com

CleverReach GmbH & Co. KG
HRA 4020 Oldenburg (Oldb.)
cleverreach.de

Represented by: CleverReach Verwaltungs GmbH, HRB 210079 Oldenburg (Oldb.)
//CRASH Building | Schafjückenweg 2 | 26180 Rastede | Germany
Management: Jens Klibingat & Sebastian Schwarz
Supervisory board: Rolf Hilchner & Heinz-Wilhelm Bogena
