Re: [swinog] TCP timestamps
Hi,

> Furthermore ICMP is _mandatory_ for MTU path discovery to work. So be ready
> for all kinds of non-functioning stuff if you transfer larger packets than the
> MTU somewhere in the middle (such as trying to squeeze a 1500 byte ethernet
> packet into an IPSec tunnel with a MTU around 1426). TCP/IP is built in the
> way that it reacts to these ICMP MTU mismatch messages when packets get
> dropped on the way due to too big size. TCP can adapt but if ICMP is filtered
> away, then TCP will not notice and an endless retransmission dance begins. The
> odd thing there is that it "kinda works". Sometimes it's just slow and
> sometimes nothing works. We use IPSec in our network heavily and we have seen
> that happening with large corporations such as Networksolutions.com (which is
> one of the oldest companies in the internet, they should know this stuff!).
> This can be a big issue. So if I ever find a consultant telling me I should
> filter away ICMP just because, I will kick him out of the door immediately.
> The only reason where this could be valid is if you still have Windows95
> machines in your network due to the "ping-of-death" bug. But if you have
> that, then you're hopelessly lost anyway.

This is basically only true for IPv6. In IPv4, network devices can fragment.
This does not mean that I would consider filtering ICMP a reasonable idea.

>
> Let's face it. Firewalls and NAT have been built to break the internet in the
> way it has been intended with all kinds of strange side effects. Thinking
> they are the only defence to protect you is so wrong. Social engineering
> brings hackers behind firewalls and they attack from within. A well
> secured localhost is way more important. I'm using machines on public IPs
> without firewall or NAT in between for over 20 years and the issues I've seen
> have all been controllable (but I'm not an interesting target to hack like a
> Bank). On the other hand NAT & Firewalls (and their admins) have turned out
> to be a way bigger problem.

NAT and firewalls are not the biggest problem, but there are just too many
people around configuring these devices with a limited understanding of how
the internet works.

regards
Robert

--
Robert Meyer
r.me...@net-wizard.org
___
swinog mailing list
swinog@lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
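
The black-hole behaviour described in the quoted text above, as an added example that is not part of the original messages: a simplified model of IPv4 path MTU discovery with the DF bit set, run with and without ICMP filtering. The link MTUs, the retry limit and the function names are assumptions made for the illustration, and each transfer is modelled as a single packet.

```python
# Added illustration: toy model of IPv4 path MTU discovery with the DF bit set.
# Link MTUs and the retry limit are constructed values, not measurements.

def send(size, link_mtus, icmp_filtered):
    """Forward one DF packet hop by hop.
    Returns ("delivered", None), ("icmp", next_hop_mtu) or ("lost", None)."""
    for mtu in link_mtus:
        if size > mtu:
            # The router drops the packet (DF set) and emits ICMP type 3 code 4
            # carrying its MTU; a filter on the way back discards that message.
            return ("lost", None) if icmp_filtered else ("icmp", mtu)
    return ("delivered", None)

def transfer(packet_size, link_mtus, icmp_filtered, max_tries=5):
    """Sender loop: start at the first-hop MTU, shrink only when ICMP arrives."""
    pmtu = link_mtus[0]
    log = []
    for attempt in range(1, max_tries + 1):
        size = min(packet_size, pmtu)
        status, hint = send(size, link_mtus, icmp_filtered)
        log.append((attempt, size, status))
        if status == "delivered":
            return {"ok": True, "pmtu": pmtu, "log": log}
        if status == "icmp":
            pmtu = hint  # sender learns the smaller MTU and retries
        # status == "lost": no feedback, so the same size is retransmitted
    return {"ok": False, "pmtu": pmtu, "log": log}

PATH = [1500, 1426, 1500]  # Ethernet -> IPsec tunnel -> Ethernet (constructed)

if __name__ == "__main__":
    for filtered in (False, True):
        for size in (400, 1500):
            r = transfer(size, PATH, filtered)
            print(f"icmp_filtered={filtered} size={size} -> ok={r['ok']} "
                  f"tries={len(r['log'])} pmtu={r['pmtu']}")
```

With ICMP filtered, the 400-byte packet still gets through while the 1500-byte one is retransmitted at full size until the sender gives up, which is the "kinda works" symptom.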
Re: [swinog] Looking for a new mailsystem
Hi,

I have had good experiences with FutureLab as a solution provider for
Internet Service Platforms (http://www.futurelab.ch/de).

regards
Robert

On Mon, Dec 17, 2012 at 04:03:34PM +, Michael Richter wrote:
> Hi there
>
> We are looking for a new mailsystem
> can anyone recommend a Swiss company who can deliver us an open source mail
> system also with support? It should be open source based.
> We have over 13'000 mailboxes, for me these are a lot, for others it's tiny
> :-)
>
> We don't have enough manpower to build such a system ourselves.
>
> I'm glad for every response
>
> thanks michael
>
> Freundliche Grüsse
>
> sasag Kabelkommunikation AG
> Michael Richter
> dipl. Techniker HF
> Mühlenstrasse 21
> 8201 Schaffhausen
> mrich...@sasag.ch
> 052 633 01 71
> www.sasag.ch

--
Robert Meyer
r.me...@net-wizard.org
Re: [swinog] datacenter failover?
Hi,

> we have some servers in datacenter#1: ns1, ns2, web1(mail/sql).
> we also have ns3 and web2 outside this web.
>
> how can we make this work?
>
> ok, we can copy the data by cron, no problem.

Not a problem for static content, but in case of webmail and a database, it's
not that easy anymore. Assuming I read my email during failover to the other
datacenter, the cronjob has to know that the master of the storage resides in
the backup datacenter.

>
> but can I give ns3 another IP for an A record?

I would personally define ns1 as master and ns2/ns3 as slaves. ns2/ns3 are the
A records for the various domains, but you only edit your zonefiles on ns1.

kind regards
Robert

--
Robert Meyer
r.me...@net-wizard.org