Domain: tux.org
Stories and comments across the archive that link to tux.org.
Comments · 1,193
-
mirrors
Australia
ftp://ftp.planetmirror.com/pub/Mandrake/8.2/i586/ (Brisbane)
Austria
ftp://ftp.univie.ac.at/systems/linux/Mandrake/8.2/i586/ (Vienna)
ftp://gd.tuwien.ac.at/pub/linux/Mandrake/8.2/i586/ (Vienna)
Belgium
ftp://ftp.belnet.be/packages/mandrake/8.2/i586/
Costa Rica
ftp://ftp.ucr.ac.cr/pub/Unix/linux/mandrake/Mandrake/8.2/i586/
Czech Republic
ftp://ftp.cesnet.cz/OS/Linux/Mandrake/mandrake/8.2/i586/ (Brno)
ftp://ftp.fi.muni.cz/pub/linux/mandrake/8.2/i586/ (Brno)
ftp://klobouk.fsv.cvut.cz/pub/linux-mandrake/Mandrake/8.2/i586/ (Prague)
ftp://mandrake.redbox.cz/Mandrake/8.2/i586/
ftp://sunsite.mff.cuni.cz/OS/Linux/Dist/Mandrake/mandrake/8.2/i586/ (Prague)
http://ftp.fi.muni.cz/pub/linux/mandrake/8.2/i586/ (Brno)
Denmark
ftp://ftp.dkuug.dk/pub/mandrake/8.2/i586/ (Koebenhavn)
ftp://ftp.sunsite.dk/mirrors/mandrake/8.2/i586/ (Aalborg)
Estonia
ftp://ftp.aso.ee/pub/os/Linux/distributions/mandrake/8.2/i586/
Finland
ftp://ftp.song.fi/pub/linux/Mandrake/8.2/i586/ (Espoo)
France
ftp://ftp.ciril.fr/pub/linux/mandrake/8.2/i586/ (Nancy)
ftp://ftp.club-internet.fr/pub/unix/linux/distributions/Mandrake/8.2/i586/ (Paris)
ftp://ftp.info.univ-angers.fr/pub/linux/distributions/mandrake/8.2/i586/ (Angers)
ftp://ftp.lip6.fr/pub/linux/distributions/mandrake/8.2/i586/ (Paris)
ftp://ftp.proxad.net/pub/Distributions_Linux/Mandrake/8.2/i586/ (Paris)
ftp://ftp.u-strasbg.fr/pub/linux/distributions/mandrake/8.2/i586/ (Strasbourg)
ftp://linux.ups-tlse.fr/Mandrake/8.2/i586/ (Toulouse)
Germany
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/Mandrake/8.2/i586/ (Esslingen)
ftp://ftp.de.uu.net/pub/linux/mandrake/8.2/i586/
ftp://ftp.fh-giessen.de/pub/linux/mandrake/8.2/i586/ (Giessen)
ftp://ftp.fh-wolfenbuettel.de/pub/os/linux/mandrake/dist/8.2/i586/ (Wolfenbuettel)
ftp://ftp.gwdg.de/pub/linux/mandrake/8.2/i586/ (Goettingen)
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/mandrake/8.2/i586/ (Muenster)
ftp://ftp.leo.org/pub/comp/os/unix/linux/Mandrake/Mandrake/8.2/i586/ (Munchen)
ftp://ftp.tu-chemnitz.de/pub/linux/mandrake/8.2/i586/ (Chemnitz)
ftp://ftp.tu-clausthal.de/pub/linux/mandrake/8.2/i586/ (Clausthal)
ftp://ftp.uasw.edu/pub/os/linux/mandrake/dist/8.2/i586/ (Wolfenbuettel)
ftp://ftp.uni-bayreuth.de/pub/linux/Mandrake/8.2/i586/ (Bayreuth)
ftp://ftp.uni-kassel.de/pub/linux/mandrake/8.2/i586/ (Kassel)
ftp://ftp.uni-mannheim.de/systems/linux/mandrake/8.2/i586/ (Mannheim)
ftp://ftp.vat.tu-dresden.de/pub/Mandrake/8.2/i586/ (Dresden)
ftp://ramses.wh2.tu-dresden.de/pub/mirrors/mandrake/8.2/i586/ (Dresden)
ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/mandrake/8.2/i586/ (Aachen)
Greece
ftp://ftp.duth.gr/pub/Mandrake/8.2/i586/ (Thrace)
ftp://ftp.ntua.gr/pub/linux/mandrake/8.2/i586/ (Athens)
Hong Kong
ftp://ftp.wisr.eie.polyu.edu.hk/linux/mandrake/8.2/i586/
Hungary
ftp://ftp.linuxforum.hu/mirror/Mandrake/8.2/i586/
Ireland
ftp://ftp.esat.net/pub/linux/mandrake/8.2/i586/
Italy
ftp://bo.mirror.garr.it/mirrors/Mandrake/8.2/i586/ (Bologna)
ftp://ftp.edisontel.it/pub/Mandrake_Mirror/Mandrake/8.2/i586/
Latvia
ftp://ftp.latnet.lv/linux/mandrake/8.2/i586/
Netherlands
ftp://ftp.nl.uu.net/pub/linux/mandrake/8.2/i586/
ftp://ftp.nluug.nl/pub/os/Linux/distr/Mandrake/Mandrake/8.2/i586/
ftp://ftp.surfnet.nl/pub/os/Linux/distr/Mandrake/Mandrake/8.2/i586/
ftp://ftp.wau.nl/pub/Mandrake/8.2/i586/ (Wageningen)
Poland
ftp://ftp.ps.pl/mirrors/mandrake/8.2/i586/ (Szczecin)
ftp://ftp.task.gda.pl/pub/linux/Mandrake/8.2/i586/ (Gdansk)
Portugal
ftp://ftp.dei.uc.pt/pub/linux/Mandrake/Mandrake/8.2/i586/ (Coimbra)
ftp://tux.cprm.net/pub/Mandrake/8.2/i586/
Russia
ftp://ftp.chg.ru/pub/Linux/mandrake/8.2/i586/ (Chernogolovka)
Singapore
ftp://ftp.singnet.com.sg/opensource/linux/Mandrake/8.2/i586/
Slovakia
ftp://spirit.profinet.sk/mirrors/Mandrake/8.2/i586/ (Bratislava)
Spain
ftp://ftp.cesga.es/pub/linux/Mandrake/8.2/i586/ (Galicia)
ftp://ftp.cica.es/pub/Linux/Mandrake/8.2/i586/ (Sevilla)
ftp://ftp.rediris.es/pub/linux/distributions/mandrake/8.2/i586/
Sweden
ftp://ftp.chello.se/pub/Linux/Mandrake/8.2/i586/
ftp://ftp.chl.chalmers.se/pub/Linux/distributions/Mandrake/8.2/i586/ (Gothenburg)
ftp://ftp.du.se/pub/os/mandrake/8.2/i586/ (Dalarna)
Switzerland
ftp://ftp.pcds.ch/pub/Mandrake/8.2/i586/ (Neuhausen)
ftp://sunsite.cnlab-switch.ch/mirror/mandrake/8.2/i586/ (Zurich)
Taiwan
ftp://linux.cdpa.nsysu.edu.tw/pub/Mandrake/mandrake/8.2/i586/
ftp://linux.csie.nctu.edu.tw/distributions/mandrake/Mandrake/8.2/i586/
ftp://mdk.linux.org.tw/pub/mandrake/8.2/i586/
Turkey
ftp://ftp.ankara.edu.tr/pub/linux/dagitimlar/Mandrake/8.2/i586/ (Ankara)
United Kingdom
ftp://ftp.mirror.ac.uk/sites/sunsite.uio.no/pub/unix/Linux/Mandrake/Mandrake/8.2/i586/ (Canterbury)
United States
ftp://ftp-linux.cc.gatech.edu/pub/linux/distributions/mandrake/8.2/i586/ (Georgia)
ftp://ftp.cise.ufl.edu/pub/mirrors/mandrake/Mandrake/8.2/i586/ (Florida)
ftp://ftp.cse.buffalo.edu/pub/Linux/Mandrake/mandrake/8.2/i586/ (NY)
ftp://ftp.nmt.edu/pub/linux/mandrake/8.2/i586/ (New Mexico)
ftp://ftp.orst.edu/pub/mandrake/8.2/i586/ (Oregon)
ftp://ftp.tux.org/pub/distributions/mandrake/8.2/i586/ (Virginia)
ftp://ftp.umr.edu/pub/linux/mandrake/Mandrake/8.2/i586/ (Missouri)
ftp://ftp.uwsg.indiana.edu/linux/mandrake/8.2/i586/ (Indiana)
ftp://linux-cs.tccw.wku.edu/pub/linux/distributions/Mandrake/8.2/i586/ (WKU-Linux, Western Kentucky University)
ftp://mirror.aca.oakland.edu/linux/mandrake/8.2/i586/ (Michigan)
ftp://mirror.cs.wisc.edu/pub/mirrors/linux/Mandrake/8.2/i586/ (Wisconsin)
ftp://mirror.mcs.anl.gov/pub/Mandrake/8.2/i586/ (Illinois)
ftp://mirrors.ptd.net/mandrake/8.2/i586/ (Pennsylvania)
ftp://mirrors.secsup.org/pub/linux/mandrake/Mandrake/8.2/i586/
ftp://uml-pub.ists.dartmouth.edu/mirrors/ftp.mandrakesoft.com/pub/Mandrake/mandrake/8.2/i586/ (New Hampshire)
ftp://videl.ics.hawaii.edu/mirrors/mandrake/Mandrake/8.2/i586/ (Hawaii)
http://mandrake.dsi.internet2.edu/Mandrake/8.2/i586/ (For Internet2 academic institutions only)
-
Mirrors by country... let's be nice to the main site!
.at
- ftp://gd.tuwien.ac.at/infosys/browsers/mozilla/sources/
- http://gd.tuwien.ac.at/infosys/browsers/mozilla/sources/
.au
- ftp://mozilla.mirror.pacific.net.au/mozilla/
- http://mozilla.mirror.pacific.net.au/
- ftp://ftp.planetmirror.com.au/pub/mozilla/
- http://planetmirror.com.au/pub/mozilla/
.be .bg .ca .ch
.com/.net/.org/.edu
- ftp://ftp.ibiblio.org/pub/packages/infosystems/WWW/clients/mozilla/
- http://www.ibiblio.org/pub/packages/infosystems/WWW/clients/mozilla/
- ftp://ftp.tux.org/pub/net/mozilla/
- http://www.cise.ufl.edu/ftp/mirrors/mozilla/
- ftp://ftp.yggdrasil.com/mirrors/site/ftp.mozilla.org/pub/
- ftp://sunsite.utk.edu/pub/netscape-source/
- ftp://archive.progeny.com/mozilla/
- http://archive.progeny.com/mozilla/
- rsync://archive.progeny.com/mozilla/
- http://mirrors.xmission.com/mozilla/
- ftp://mozilla.teleglobe.net/ftp.mozilla.org/pub/
.cz
.de
- ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/ftp.mozilla.org/pub/mozilla/
- ftp://ftp.fh-wolfenbuettel.de/pub/www/mozilla/
- ftp://ftp.uni-bayreuth.de/pub/packages/netscape/mozilla/
- ftp://sunsite.informatik.rwth-aachen.de/pub/mirror/ftp.mozilla.org/pub/
- ftp://ftp.leo.org/pub/comp/general/infosys/www/browsers/mozilla/
- ftp://ftp.rhein-zeitung.de/mirrors/mozilla.org/
- ftp://ftp.uni-erlangen.de/pub/mirrors/mozilla/
- http://ftp.uni-erlangen.de/pub/mirrors/mozilla/
.dk
- http://mirrors.sunsite.dk/mozilla/
- ftp://mirrors.sunsite.dk/mozilla/
- rsync://mirrors.sunsite.dk/mozilla/
.ee
.es
- ftp://ftp.rediris.es/mirror/mozilla/
- http://ftp.rediris.es/mirror/mozilla/
- ftp://ftp.etsimo.uniovi.es/pub/mozilla/
- http://www.etsimo.uniovi.es/pub/mozilla/
.fi
.fr
- ftp://ftp.univ-lille1.fr/pub/mozilla/
- ftp://ftp.oleane.net/pub/mozilla/
- http://ftp.oleane.net/pub/mozilla/
- ftp://ftp.free.fr/pub/Networking/www/Mozilla
- ftp://fr2.rpmfind.net/linux/mozilla/
- http://fr2.rpmfind.net/linux/mozilla/
.gr .hk .hu .ie .il
.jp
- ftp://ftp.cin.nihon-u.ac.jp/pub/net/www/mozilla
- ftp://his.ktarn.or.jp/pub/mirrors/mozilla/
- ftp://ring.aist.go.jp/pub/net/www/mozilla/
- ftp://ring.crl.go.jp/pub/net/www/mozilla/
- ftp://ring.etl.go.jp/pub/net/www/mozilla/
- ftp://ring.exp.fujixerox.co.jp/pub/net/www/mozilla/
- ftp://ring.nacsis.ac.jp/pub/net/www/mozilla/
- ftp://ring.so-net.ne.jp/pub/net/www/mozilla/
- ftp://ftp.jaist.ac.jp/pub/Mozilla/
- ftp://ftp.lab.kdd.co.jp/Mozilla/
- ftp://ftp.kddlabs.co.jp/Mozilla/
- http://mirror.nucba.ac.jp/mirror/mozilla/
- ftp://mirror.nucba.ac.jp/mirror/mozilla
.kr .no
.pl
- ftp://sunsite.icm.edu.pl/pub/mozilla/
- http://sunsite.icm.edu.pl/pub/mozilla/
- ftp://ftp.task.gda.pl/pub/mozilla/
.pt .ru .se .sg .sk
.tw
- ftp://ftp2.sinica.edu.tw/pub3/www/mozilla/
- ftp://ftp.nctu.edu.tw/WWW/mozilla/
- rsync://ftp.nctu.edu.tw/ftp/WWW/mozilla
.uk
- ftp://gd.tuwien.ac.at/infosys/browsers/mozilla/so
-
Re:Recommendations? Linux BBS FAQ
Well, if you're pretty good with Linux, you could try dosemu under Linux and run any old DOS-based BBS software under there. I searched around and found this post on tux.org. Some further searching took me to the Linux BBS FAQ. Enjoy!
-
Donated PC's not necessarily the best value
Using donated computers in the schools is a good-spirited idea, but it turns out it's not usually the most cost-effective way to get computing to the kids. My friends who have worked on the Yorktown High School LTSP project say that the cost of maintaining old PCs ends up being much greater than just getting thin clients for LTSP. (Those thin clients are really where LTSP saves money: Windoze requires overweight clients.) They say that by getting a set of homogeneous thin clients they can maintain the hardware with a minimum of effort. The thin clients run longer because they have fewer parts, and they cost less to replace if they do break down. Finally, the expertise to maintain them is easier to obtain: once you know the quirks of one of the thin clients, you know them all.
-
Rawk
"In the last 5 years, Linux became useable."
And he's funny, too!
Seriously though. Linux is finally nearing the desktop usability of Windows 95. Granted, this isn't saying much, but it's something.
At least the desktop doesn't core dump every ten minutes anymore... remember Gnome 1.0?
Next stop: why not head towards the clean looks and good driver handling of Windows 98?
-
First Widener!!!
.I .like .wide .pages .I .wish .all .pages .could .be .as .wide .as .this .dont .you .wide .pages .are .much .cooler .than .those .narrow .pages .you .are .used .to .reading .because .you .dont .have .to .worry .about .the .lameness .filter .telling .you .that .you .don't .have .enough .charaters .per .line .that .really .sucks .when .that .happens .and .you .have .to .put .some .lame .lameness .filter .defeater .text .in .there .i .wonder .how .many .people .will .read .this .whole .comment .I .certainly .hope .it .doesnt .annoy .too .many .people .This .is .just .the .beginning .because .PAGE .WIDENING .IS .BACK
-
Marco
-
10th post
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:35AM (#3077644)
I claim this early post for JinWicked!
-
Is it as good as New Riders' MySQL book?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:36AM (#3077649)
New Riders' MySQL book is mighty fine; if this is half as good it'll be worth reading.
-
Re:Is it as good as New Riders' MySQL book?
(Score:0)
by SweetAndSourJesus ( 555410 ) writes:
on Wednesday February 27, 2002 @03:44AM (#3077697)
Agreed, that was a surprisingly good book. Their PHP book (can't recall the title) sucked, though. They spent too much time on programming style and whatnot; things that really weren't PHP-specific. That's all fine and dandy, I guess, but when I buy a book about PHP, I'd like it to be about PHP.
--
the strongest word is still the word "free"
-
Re:Is it as good as New Riders' MySQL book?
(Score:0, Redundant)
by PoiBoy ( 525770 ) writes:
on Wednesday February 27, 2002 @04:04AM (#3077810)
I haven't read the New Riders' book on VPNs yet, but I have found this publisher's other books (including the one on MySQL) to be extremely well written, accessible and usable by both newbies and experienced users.
-
Re:Is it as good as New Riders' MySQL book?
(Score:2)
by einhverfr ( 238914 ) writes:
on Wednesday February 27, 2002 @04:29AM (#3077971)
Not to mention their GTK/Gnome Development book.
I have as much respect for New Riders as I do for O'Reilly.
--
LedgerSMB: Open source Accounting/ERP
-
ep
(Score:-1)
by bitchslapboy ( 193543 ) writes:
on Wednesday February 27, 2002 @03:37AM (#3077652)
This early post for Ida!
--
Slashdot - contra bonos mores
-
first dead penis bird
(Score:-1)
by neal n bob ( 531011 ) writes:
on Wednesday February 27, 2002 @03:38AM (#3077655)
man this site really, really sucks. Hardly makes it worth mentioning that you can kiss my grits.
-
Re:first dead penis bird
(Score:-1)
by Dead Penis Bird ( 524912 ) writes:
on Wednesday February 27, 2002 @03:43AM (#3077687)
You said it! Even the FPs have gotten boring. Methinks we need to spice it up a bit.
--
If I weren't nailed to the penis, I'd be pushing up the daisies!
-
What's complicated about FreeSWAN?
(Score:4, Interesting)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:39AM (#3077660)
They have excellent documentation and they keep the documentation trees for older versions online. Installation is as complicated as running a script and installing the recompiled kernel, if even that. I guess it never hurts to have more documentation, but saying that IPSec is "a difficult beast to ride" produces more awe than necessary.
-
Re:What's complicated about FreeSWAN?
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:45AM (#3077703)
Overrated, maybe. But redundant?
-
Re:What's complicated about FreeSWAN?
(Score:5, Insightful)
by Starship Trooper ( 523907 ) writes: Alter Relationship
on Wednesday February 27, 2002 @03:49AM (#3077724)
Homepage
Journal
What's complicated about FreeSWAN?
Well, a LOT. Not if you're deeply involved technically in the project, but if you back out and take the perspective of someone who's never used a VPN, plenty.
A lot of people don't even think about the fact that there's a separate protocol field in IP, or that people run any IP protocol but UDP or TCP. Getting 50/51 through your existing firmware firewall can be a real trick. FreeSWAN requires you to be able have the GNU Multi-Precision library installed for the crypto calculations before you compile it. Unless your distro can with FreeSWAN, you have to recompile your kernel with modifications.
And, like many tools, there's no single graphical GUI; unlike SAMBA's excellent SWAT, there's nothing to lead you to ipsec.conf or ipsec.secrets. There's a LOT of reading to be done.
Ok, so, for you or me, it's easy. Maybe a day of reading tops. But compare that to the commercial world where an application must install and be configured from a GUI in a few hours, and FreeSWAN is... nearly a toy. It's unusable in a business environment. As soon as you say "compile", a CTO is going to turn down your volume.
It's cool, but don't call it uncomplicated. That's part of its coolness (-;
--
Loneliness is a power that we possess to give or take away forever
-
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by smcavoy ( 114157 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:30AM (#3077979)
I use Freeswan in a production environment. I have Embedded Linux routers using freeswan connecting to Linux boxes. The VPNs are relatively simple, 2 outgoing connections to central systems. I did find there was a large learning curve at the beginning, but now it takes 5 min to set up a new VPN tunnel. The systems have been extremely reliable. I've never had a problem (other than net congestion) with keeping the tunnels up. A lot of the tunnels have 80+ days of uptime. As for compiling, most modern distros include IPSec (Trustix, Mandrake, etc.) or there are options like Astaro. Having a CTO "turn down your volume" based on the fact that you have to compile software doesn't say anything about the quality or reliability of the software; that's a personal decision by the CTO not to use OSS. I do agree it's not point and click, and that would be nice, but to say it's unusable in a business environment is just untrue. It's not pretty but it works, and works well.
-
Re:What's complicated about FreeSWAN?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:54AM (#3078169)
How right you are. As a system admin that has always used Windows or DOS, I am trying to change. I want to start using some Linux servers here, but one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI? Heck yes. Do I still want access to the .conf file? Heck yes. These problems are around a lot in the Linux community. The people that have always used Linux do see it as hard and some don't want us new people to whine because it is not "dumbed down", but on the other hand they want all of us to switch to it. I don't want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I don't want to have to spend 1-2 days reading ALL the docs just to know where to start. Just my 2 cents.
Let the flames begin!!!!
-
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:03AM (#3078246)
Homepage
one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI? Heck yes.
With security software in general, and VPN software in particular, that's a very, very dangerous attitude: a GUI may fool you into thinking that you understand what's going on when in reality you haven't a clue. With most software, that's not an issue, but with security software, that can compromise the very goal you're trying to achieve.
I don't want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I don't want to have to spend 1-2 days reading ALL the docs just to know where to start.
How many days do you want to spend cleaning up after a security incident that occurred because the GUI let you get away without spending two days reading documentation? How much time will you save in the long run if every time you save two days reading documentation you spend three days cleaning up?
(We lose money on every item --- but we make it up in volume!)
-
Re:What's complicated about FreeSWAN?
(Score:1)
by BeNude ( 28969 ) writes: Alter Relationship
on Wednesday February 27, 2002 @11:15AM (#3081147)
Homepage
I would disagree with you about the usefulness of a GUI to implement VPNs or firewalls.
First of all, a GUI interface, if it is well-designed, can provide every bit as much control over the underlying security behavior of a firewall as any command-line interface. Furthermore, a GUI allows an administrator to spend less time trying to deal with syntax, etc., and more time on building a ruleset that is secure.
Someone who has done the reading and understands how firewalls and VPNs work will appreciate a GUI because of this.
For those who don't fully understand how firewalls and VPNs work, a GUI at least provides a reasonable learning environment and early attempts at a ruleset will probably be more secure anyhow. :)
-
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes: Alter Relationship
on Wednesday February 27, 2002 @12:30PM (#3081528)
Homepage
I would disagree with you about the usefulness of a GUI to implement VPNs or firewalls.
I never said a GUI wasn't useful to implement VPNs. Just that it was dangerous to implement them without reading the documentation, a problem that a GUI makes worse only because it tricks people into thinking they can get away without it.
-
IANACLB
(Score:4, Interesting)
by hey! ( 33014 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:21AM (#3078804)
Homepage
Journal
IANACLB (I Am Not a Command Line Bigot), but doing better than a CLI interface in an area like this is a tall order. It's not something you can just slap onto the product in a few days (as most VPN box configuration GUIs I've seen appear to be).
The problem with the GUI interfaces I have seen is that they really don't give you any effective conceptual support. You have to figure out the topology and requirements of your network, then you do this bit of intellectual gymnastics that turns these global requirements and properties into settings for each individual box, THEN you sit down at your GUI. At that stage, the GUI can have very little benefit, since you are talking about a half dozen relatively simple commands you need to type in. In fact, typing them in means you can keep them in a little word processor file and send them to the box over and over again with little changes -- good for setting up multiple boxes or for playing around with a single box you are repeatedly pin-resetting.
To really help a person like you who doesn't have time to bone up on every box you are working with, what you really need is something that is kind of a cross between a network management system and a CAD system. You would sketch out your network, and drop little dollops of distinctively colored "paint" on each network or host that needs to participate in some virtual network. The system would then output configurations to download to each of the participating firewalls or hosts.
A GUI that just configures an individual box does practically nothing for you.
--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
-
Where to get Freeswan packages for Red Hat
(Score:2)
by Nailer ( 69468 ) writes: Alter Relationship
on Wednesday February 27, 2002 @10:47AM (#3080965)
Unless your distro comes with FreeSWAN, you have to recompile your kernel with modifications.
Non-US distributions like SuSE and Debian can include Freeswan in their list of apps. US based ones like Red Hat can't. But some lovely fellows at Steambaloon (a Linux security consulting firm - no, I work for someone else) produce source and binary packages of the original and updated Red Hat kernels (with the AC patches, extensive testing, and old 2.4 VM) with KLIPS, the kernel level part of ipsec, compiled in.
-
How stupid is the CTO?
(Score:1)
by SharpNose ( 132636 ) writes: Alter Relationship
on Wednesday February 27, 2002 @11:21AM (#3081178)
Journal
Let's see: provided I know FreeSWAN, I can grab a machine and start setting it up immediately. If I want to get something commercial and very expensive, I have to fill out how many forms, get approval from how many people, wait for it to get ordered how long? Exactly where are you starting your clock when you say "configured from GUI in a few hours?"
-
Re:What's complicated about FreeSWAN?
(Score:3, Interesting)
by LWolenczak ( 10527 ) writes: Alter Relationship
<julia@evilcow.org>
on Wednesday February 27, 2002 @04:25AM (#3077934)
Homepage
Journal
The FreeS/WAN people don't document everything that you can do with frees/wan. It's very neat when you get down to the point where you're playing with dozens of tunnels configured every which way.
One of the things that they don't tell you how to do, I guess so they don't get asked questions, is how to put GRE traffic inside of an ipsec tunnel and make it work right. Also, it seems to have slipped by that you CAN make two Linux 2.4 secure gateways talk to each other over the ipsec tunnel.
I have a couple samples of some of the neat things I have done at http://lwolenczak.net/ipsec.html
-
Re:What's complicated about FreeSWAN?
(Score:3, Interesting)
by Etyenne ( 4915 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:40AM (#3078498)
Complicated things with FreeSWAN:
- Client behind NAT
- Left/Right side nomenclature really confuses me; they could have used "peers" or client/server, I don't know
- Recompiling kernel; easy if you have a single box, quite hard when you manage 30+. Plus it requires you to commit the sin of rebooting the machine.
At work, we have chosen CIPE for Linux-Linux VPN. It is totally userland, comes stock on recent Red Hat versions and is available as RPM; all that makes it easy to install and upgrade on a lot of machines. Plus the config file is really dumb-proof. We are stuck using PPTP for Windows-Linux VPN because that's all the Windows monkeys know about. --
:wq
-
Re:What's complicated about FreeSWAN?
(Score:1)
by pivo ( 11957 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:17AM (#3078772)
From my understanding of FreeSWAN, it's not intended to connect many machines to a central point, for example a VPN for home machines connected to a central office. It's intended to link offices together. So you should only have to install it on the specific machines that link those offices. If your company's so big or dispersed that you have thirty offices, then I guess you would have to recompile each kernel, though you'd be smarter to have identical machines and build the kernel once then distribute it to each machine.
We use PPP over SSH for our home/office VPN for Linux and Solaris. It works very well and since it was originally a skunkworks project, we didn't even have to get IT to open any new ports since SSH was already supported.
-
Re:What's complicated about FreeSWAN?
(Score:2)
by LinuxGeek8 ( 184023 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:57AM (#3079084)
Homepage
I am struggling for some time now to get it going, but I still do not understand how it works.
On my end I have a linux firewall with iptables.
And what I could not figure out is what to do with the packet filtering, do I need to accept traffic over 50/ip on the ipsec0 interface or the eth0 interface. Same question for the 500 udp/ip traffic.
And the other part of the network is connected to a freebsd server with racoon running. That is a completely different ipsec implementation. At least for configuring it is different.
I believe running a packet filter is quite hard if you want to do it right. You have to understand networking and just play with it for a few weeks just to understand it.
If anyone would tell me he has a secure packet filter running, but cannot explain how it works, I just cannot believe it. You just have to know what you are doing.
Same with ipsec.
Ipsec is not only networking, but also crypto.
So there is more you need to know about it, and it adds extra complexity to firewalling. --
Well, don't worry about that. We can get you back before you leave. (Dr. Who)
-
Re:What's complicated about FreeSWAN?
(Score:1)
by pfunkmallone ( 89539 ) writes: Alter Relationship
on Thursday February 28, 2002 @09:44AM (#3086925)
On your eth0 interface of the firewall, you need to allow 500 udp, and 50 tcp (if you're using ESP which is default). This allows the IPSEC peers to set up the tunnel. http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/firewall.html
According to the FreeSwan folks, no firewalling NEEDS to be done on the ipsec0 interfaces, as all packets coming through this tunnel are already being disassembled and "cleaned-up" by freeswan itself.
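As an added illustration (not FreeS/WAN's code and not the poster's), a small checker that reads constructed iptables INPUT rules and reports whether the outside interface admits what a peer needs to bring a tunnel up: IKE on UDP port 500 plus ESP and/or AH. Those last two are IP protocols 50 and 51 (the "50/ip" of the parent post), not TCP ports, so the checker also flags a rule that opens 50 as a TCP port. The sample rule sets, the interface name eth0 and the limited set of options parsed are assumptions of this example.

```python
"""Check whether iptables INPUT rules let an IPsec peer bring a tunnel up.

Added example; not code from FreeS/WAN or from the thread. The rules below
are constructed. Only -i, -p, --dport and -j are interpreted; other options
are ignored. A peer needs, on the outside interface:
  * IKE: UDP destination port 500, and
  * ESP (IP protocol 50) and/or AH (IP protocol 51).
50 and 51 are IP protocol numbers, not TCP or UDP ports, so a rule such as
'-p tcp --dport 50' opens nothing the peer can use.
"""
import shlex

# Protocol names iptables accepts (from /etc/protocols) -> IP protocol numbers
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "esp": 50, "ah": 51}


def parse_rule(rule):
    """Extract interface, protocol number, destination port and target."""
    tokens = shlex.split(rule)
    fields = {"iface": None, "proto": None, "dport": None, "target": None}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        arg = tokens[i + 1] if i + 1 < len(tokens) else None
        if tok in ("-i", "-p", "--dport", "-j") and arg is None:
            break  # option without an argument: nothing more to read
        if tok == "-i":
            fields["iface"] = arg
        elif tok == "-p":
            name = arg.lower()
            fields["proto"] = PROTO_NUMBERS.get(name, int(name) if name.isdigit() else None)
        elif tok == "--dport":
            fields["dport"] = int(arg)
        elif tok == "-j":
            fields["target"] = arg
        else:
            i += 1          # unrelated token (e.g. "-A INPUT"): skip it
            continue
        i += 2              # option plus its argument consumed
    return fields


def check_ipsec_rules(rules, iface="eth0"):
    """Report which IPsec prerequisites the ACCEPT rules for iface satisfy."""
    found = {"ike": False, "esp": False, "ah": False, "port_mistakes": []}
    for rule in rules:
        f = parse_rule(rule)
        # Only ACCEPT rules bound to the outside interface (or to none) count
        if f["target"] != "ACCEPT" or f["iface"] not in (None, iface):
            continue
        if f["proto"] == 17 and f["dport"] == 500:
            found["ike"] = True
        elif f["proto"] == 50:
            found["esp"] = True
        elif f["proto"] == 51:
            found["ah"] = True
        elif f["proto"] in (6, 17) and f["dport"] in (50, 51):
            found["port_mistakes"].append(rule)  # protocol number used as a port
    found["ok"] = found["ike"] and (found["esp"] or found["ah"])
    return found


# Constructed rule sets: the first repeats the common "50 tcp" slip, the
# second admits IKE, ESP and AH on the outside interface.
WRONG_RULES = [
    "-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT",
    "-A INPUT -i eth0 -p tcp --dport 50 -j ACCEPT",
]
RIGHT_RULES = [
    "-A INPUT -i eth0 -p udp --dport 500 -j ACCEPT",
    "-A INPUT -i eth0 -p esp -j ACCEPT",
    "-A INPUT -i eth0 -p 51 -j ACCEPT",
]

if __name__ == "__main__":
    for name, rules in (("wrong", WRONG_RULES), ("right", RIGHT_RULES)):
        print(name, check_ipsec_rules(rules))
```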
- Women of the world, Stop sucking dick! (Score:-1, Troll) by Anonymous Coward writes: on Wednesday February 27, 2002 @03:46AM (#3077705) Women of the world, it is time to stop sucking dick!
Sucking dick is the ultimate act of subservience;
a woman sucking dick not only gets no orgasm for
her work, but gets a mouthfull of what can only
be described as warm rancid milk for her efforts.
This sexual slavery must be stopped!
Women, reclaim your mouths, and
STOP
SUCKING
DICK!
-
Re:Women of the world, Stop sucking dick!
(Score:-1)
by SweetAndSourJesus ( 555410 ) writes: Alter Relationship
<JesusAndTheRobot.yahoo@com>
on Wednesday February 27, 2002 @04:07AM (#3077832)
blasphemer.
I'm a guy. Can I still suck dick? I really enjoy sucking cock, as do many of my female friends.
--
--
the strongest word is still the word "free"
-
Re:Women of the world, Stop sucking dick! (Score:-1, Offtopic) by Anonymous Coward writes: on Wednesday February 27, 2002 @04:07AM (#3077834) So, this means you prefer getting your dick sucked by men, right?
- Alan Thicke. DEAD. (Score:-1) by Alan_Thicke ( 553655 ) writes: Alter Relationship on Wednesday February 27, 2002 @03:47AM (#3077709) Journal I just heard the sad news on CBC radio. Comedy actor/writer Alan Thicke was found dead in his home this morning. Even if you never liked his work, you can appreciate what he did for 80's television. Truly a Canadian icon.
He will be missed :(
Show me That Smile (The Growing Pains Theme Song):Show me that smile again.
--
Ooh show me that smile.
Don't waste another minute on your crying.
We're nowhere near the end.
We're nowhere near.
The best is ready to begin.
As long as we got each other
We got the world
Sitting right in our hands.
Baby rain or shine;
All the time.
We got each other
Sharing the laughter and love.
Alan Thicke's Journal
My Slashdot ads say "
-
why? (Score:0) by tplayford ( 308405 ) writes: Alter Relationship <tom@sai[ ]taly.com ['l-i' in gap]> on Wednesday February 27, 2002 @03:51AM (#3077734) I'm sure this book is very useful etc. But I've set up several international Linux based VPNs now and it really isn't that difficult.
I suppose this is the same for almost all computer books, easy if you know how...
-
Re:why?
(Score:2, Insightful)
by MonkeyBot ( 545313 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:09AM (#3077844)
Sometimes, there are special constraints on the networks you are working with. For instance, I need to use stuff that uses IP, but since PPP over SSH is strictly TCP, I can't use that option. Moreover, my boss is a paranoid guy that doesn't trust some 24-year-old punk (me) to run his firewalls, so both offices have managed firewalls through different ISPs, ruling out the possibility of a single ISP routing traffic over its network to the other office so that I don't have to do anything. This adds additional constraints because since I can't control the firewall without going through pains with both ISPs for several days, I can't even open a port for something like PPTP (which I really wouldn't want to do anyway). Granted, I can probably find out what I need to know from a Google search, but it would be nice to have all the common VPN solutions covered--even just introduced--in a book format. I'm buying it.
-
Re:why?
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @08:10AM (#3079648)
Of course, ppp over ssh implies a full IP tunnel using ppp with ssh underneath, IP in TCP encapsulation, essentially. You get full IP functionality this way, though the architecture is horribly flawed (TCP connections run with TCP somewhere underneath, very bad when packets get lost and two layers start doing recovery).
Now ssh without ppp on top supports only TCP tunnels, I'll assume that is what you are talking about. A statement that says you need to use IP, but you only get TCP sounds really goofy, since TCP rides on top of IP; phrasing it with the protocols you need (i.e. udp, icmp, etc) would have made the post more sensible (that and omitting ppp...). If I heard someone make the statement you just made I wouldn't trust them with firewall configuration either...
--
XML is like violence. If it doesn't solve the problem, use more.
-
Re:why?
(Score:2)
by Pii ( 1955 ) writes: Alter Relationship
<jedi.lightsaber@org>
on Wednesday February 27, 2002 @08:31AM (#3079810)
Journal
What do you mean, "PPP over SSH is strictly TCP?"
Are you saying that ICMP, or UDP, traffic is unable to utilize this tunnel?
That is certainly not correct. Just as PPP carries all of your IP traffic (any protocol) between your home and your ISP, a PPP over SSH tunnel will also carry whatever you need it to.
--
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
-
Re:why?
(Score:2)
by Bender Unit 22 ( 216955 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:13AM (#3079206)
Journal
It's not when it works you need the books. It's when it doesn't work you'd wish you had the book.
I have configured a VPN with the help of a HOW-TO page and it worked. But when you want to do larger setups in the "real" world, all kinds of questions and demands come to mind, and it's nice to be on top of things and be able to say from the first meeting what is possible and what is not.
- Garsh (Score:-1) by Guns n' Roses Troll ( 207208 ) writes: Alter Relationship on Wednesday February 27, 2002 @03:51AM (#3077735) Homepage I never knew that a high-steppin' yella could do that.
- VPN hardware (Score:1, Troll) by pokka ( 557695 ) writes: Alter Relationship on Wednesday February 27, 2002 @04:02AM (#3077793) Building VPNs is a pain in the ass, regardless of whether you're using Windows NT/2k or Linux. Microsoft's documentation is sketchy (and in some cases completely wrong), and there are very few sources for building a VPN in Linux.
This book may make it easier to build a VPN, but it's kind of obsolete, now that the Linksys VPN router has been released, making it a matter of plugging in and turning on. Of course, if you have plenty of free time, but very little money, you might go for the book instead.
- Re:VPN hardware (Score:-1, Offtopic) by Anonymous Coward writes: on Wednesday February 27, 2002 @04:17AM (#3077888) Heck of a troll. Good Job!
- Re:VPN hardware (Score:2, Interesting) by Cyno ( 85911 ) writes: Alter Relationship on Wednesday February 27, 2002 @04:38AM (#3078046) Journal ...or if you're worried about security. I never trust commercial companies to deliver secure code. Especially if they keep it closed source. Unless you want to flash the ROM on this thing every few weeks I'd just read up on a Linux PPP over SSH solution and write some scripts to keep that software updated.
- Re:VPN hardware (Score:1) by starpool ( 562363 ) writes: Alter Relationship on Wednesday February 27, 2002 @02:12PM (#3081956) We started out making slow progress with FreeS/WAN trying to connect to a Raptor Firewall, and thought we'd try to take the easy way out and use two Linksys VPN Routers. Bottom line: the LVRs will only allow one Class C subnet access to the tunnel. Since we have multiple subnets at 4 different locations, the LVR is disqualified, at least for now. (Maybe Linksys will add this capability to future firmware.) So we're back to FreeS/WAN and Raptor...now if I can just get that book at my local BN.
- What's wrong with PPTP? (Score:4, Interesting) by Jacco de Leeuw ( 4646 ) writes: Alter Relationship on Wednesday February 27, 2002 @04:06AM (#3077826) Homepage PPTP is often used for 'road warrior' setups, i.e. people working from home or on the road. It's cheap because there are free (as in speech) PPTP servers for Linux and the Windows PPTP clients are free too (as in beer). In contrast, Windows IPSEC clients are often expensive.
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student has written software which can crack the password in a couple of hours on a Pentium II.
c't (Heise) reported about this.
--
-------
Warning: Slashdot may contain traces of nuts.
-
Re:What's wrong with PPTP? (Score:2, Informative) by Anonymous Coward writes: on Wednesday February 27, 2002 @04:19AM (#3077901) It's Point-to-Point Tunneling Protocol and thus more limited than IPSec which can be used in routed mode and can connect arbitrary networks.
-
Re:What's wrong with PPTP?
(Score:3, Interesting)
by FallLine ( 12211 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:25AM (#3077939)
Well firstly, Microsoft's implementation of PPTP is insecure, buggy on the client side (and the server side, where their server is used), and has a hard time supporting multiple clients in a NAT environment.
Secondly, a lot of older hardware has little to no support for the GRE protocol that PPTP depends on. Thus many people simply can't use it.
Thirdly, it's virtually impossible to get two people connecting to the same VPN behind the same NAT network on any hardware. The nature of GRE makes it very difficult since it has no concept of port to differentiate between packets, only source and destination IP. Unfortunately, NAT is very common these days so this really does matter.
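To make the NAT point concrete, an added simulation (not code from the thread or from any real NAT implementation) of a port-based NAT with two inside hosts that both talk to the same server: the UDP flows get distinct translated source ports and their replies are delivered correctly, while GRE (IP protocol 47, PPTP's data channel) carries no ports, so the second host's mapping overwrites the first and the server's replies all land on one host. The addresses, the translation-table layout and the port pool are constructed for this example.

```python
"""Why two PPTP clients behind one port-based NAT collide but two UDP clients do not.

Added illustration; not code from the thread or from a real NAT product.
All addresses and the NAT table layout are constructed for the example.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

UDP, GRE = 17, 47                  # IP protocol numbers
NAT_IP = "203.0.113.1"             # constructed public address of the NAT box
SERVER = "198.51.100.7"            # constructed VPN server outside the NAT
INSIDE = ("10.0.0.11", "10.0.0.12")  # the two inside hosts


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None    # only meaningful for UDP/TCP
    dport: Optional[int] = None


class PortNat:
    """Simplified NAPT: keys translations on transport ports where they exist."""

    def __init__(self):
        self.table = {}            # outside-facing key -> inside source address
        self.next_port = 40000     # constructed pool of translated source ports

    def outbound(self, p: Packet) -> Packet:
        """Rewrite an inside->outside packet and record how to reverse it."""
        if p.proto == UDP:
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[(UDP, p.dst, port)] = p.src
            return replace(p, src=NAT_IP, sport=port)
        # GRE has no ports: the only key available is (protocol, peer), so a
        # second inside host talking to the same peer overwrites the first.
        self.table[(GRE, p.dst)] = p.src
        return replace(p, src=NAT_IP)

    def inbound(self, p: Packet) -> Optional[str]:
        """Return the inside host a reply from outside is delivered to."""
        if p.proto == UDP:
            return self.table.get((UDP, p.src, p.dport))
        return self.table.get((GRE, p.src))


def simulate(nat: PortNat, proto: int, sport=None, dport=None) -> Tuple[Optional[str], ...]:
    """Both inside hosts open a flow to SERVER; return which host each reply reaches."""
    out = [nat.outbound(Packet(proto, h, SERVER, sport, dport)) for h in INSIDE]
    # The server answers what it saw: addresses and ports swapped.
    replies = [Packet(proto, SERVER, NAT_IP, o.dport, o.sport) for o in out]
    return tuple(nat.inbound(r) for r in replies)


if __name__ == "__main__":
    # IKE-style UDP/500 flows: each host gets its own reply.
    print("UDP/500:", simulate(PortNat(), UDP, 500, 500))
    # GRE flows: both replies reach the host that connected last.
    print("GRE:", simulate(PortNat(), GRE))
```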
Re:What's wrong with PPTP?
(Score:0, Troll)
by icedivr ( 168266 ) writes: Alter Relationship
on Wednesday February 27, 2002 @09:44AM (#3080500)
If it's so insecure, why aren't people getting cracked all the time?
Secondly, since when does hardware support a networking protocol in the absence of software? Any machine that can run 95 or 98 can run PPTP. They have pretty modest hardware requirements by today's standards.
Thirdly, I have created multiple outbound pptp tunnels behind an ICS connection. It can be done.
-
Re:What's wrong with PPTP?
(Score:3, Informative)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:40AM (#3078066)
Just FYI, but Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such. Other systems, well, they are intended for home use that doesn't need that functionality..
--
XML is like violence. If it doesn't solve the problem, use more.
-
Wrong: Win2K IPSEC uses L2TP for tunneling
(Score:1)
by Xenophon Fenderson, ( 1469 ) writes: Alter Relationship
<xenophon+slashdot@irtnog.org>
on Wednesday February 27, 2002 @06:24AM (#3078826)
Homepage
Windows 2000/XP's support for IPSEC is limited to transport mode. Tunnelling is handled by Cisco's Layer 2 Tunnelling Protocol (L2TP). Unless FreeS/WAN and KAME now support L2TP, IPSEC VPNs using Windows-native clients are limited to routable IP addresses all the way around.
Now NAT is evil---ask my friends, I rant about it all the time---but in the real world, one must be able to tunnel VPN traffic at least in one direction (into the company). Without support for L2TP in FreeS/WAN or commercial IPSEC clients in Windows, one cannot currently do this.
Please, I beg you, prove me wrong. I've been struggling to get Windows IPSEC working with KAME for some time now. And my copy of Cisco's Unity VPN client doesn't work on XP.
--
I'm proud of my Northern Tibetan Heritage
-
Re:Wrong: Win2K IPSEC uses L2TP for tunneling
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:40AM (#3079371)
L2TPd for linux exists, separate from FreeS/WAN. Though commonly coupled with IPSEC, L2TP is separate. I have heard reports that FreeS/WAN+l2tpd can be used to provide the functionality you describe to have a pretty solid VPN with FreeS/WAN and Windows ends.
http://www.marko.net/l2tp/
A bit dated, but reportedly still functional...
Now as far as getting connectivity to Cisco with Windows with tunneling, I have no idea, never tried... --
XML is like violence. If it doesn't solve the problem, use more.
-
Re:What's wrong with PPTP?
(Score:2)
by Nailer ( 69468 ) writes: Alter Relationship
on Wednesday February 27, 2002 @01:37PM (#3081785)
Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such
Excellent - do you have any documentation on how to do this?
-
Re:What's wrong with PPTP?
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:41PM (#3082448)
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html
contains some links, right now the tripod exceeded bandwidth, and that is the one with Windows interop. instructions, but I have seen it and it looks pretty solid. --
XML is like violence. If it doesn't solve the problem, use more.
-
Re:What's wrong with PPTP?
(Score:2, Informative)
by jeremiahstanley ( 473105 ) writes: Alter Relationship
<miah AT miah DOT org>
on Wednesday February 27, 2002 @04:45AM (#3078100)
Homepage
With Win2k you can get this little patch and then you have a free as in beer IPSec implementation provided by Microsoft under Win2k. It even supports x509 certs. IPSec clients are not that expensive. Look at SSH Sentinel for another option. It even supports the newer AES ciphers (which I don't expect out of Microsoft for a long time) as added security.
For all of this you have to patch the code to use the newer ciphers. You can get that here and if you need to use x509 certs you can get that stuff here. This is all pretty easy if you have your druthers about compiling new kernels and working with OpenSSL.
Why this isn't in the kernel to begin with is anybody's guess. I would guess that it has something to do with all those pesky crypto export laws. Just like everything else in the ol US of A we have to sacrifice our freedoms so that we can be safe from the KGB and that one guy from Hackers. --
Hire me...
-
Its damn slow
(Score:1)
by moankey ( 142715 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:08AM (#3078275)
From testimonies of traveling whatevers the people always complain that PPTP is very sloooow. They preferred using RAS in place, albeit a very expensive phone bill.
Most were of course higher level execs so their complaining actually mattered.
-
Re:What's wrong with PPTP?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @05:19AM (#3078347)
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student [uni-freiburg.de] has written software which can crack the password in a couple of hours on a Pentium II.
Thank god I'm not in Germany!!!!
-
Re:What's wrong with PPTP?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @05:26AM (#3078396)
You can buy PGPnet (IPsec client) in most Office Depots, Office Max, or Circuit City for $39. It has the same functionality as the NAI version.
PGPnet
(Score:3, Informative)
by Jacco de Leeuw ( 4646 ) writes:
on Wednesday February 27, 2002 @05:37AM (#3078474)
That's because NAI doesn't know what to do with it. Could they be dumping the product for $39? They want to sell off some parts currently included with PGPnet. There's some uncertainty if you buy the product. Will they update it? Will they fix bugs?
--
-------
Warning: Slashdot may contain traces of nuts.
wireless PPTP == readable password file
(Score:1)
by nealmcb ( 125634 ) writes:
on Friday March 01, 2002 @04:59AM (#3091216)
The Heise article is in German, but refers to the original paper, which is in English:
Normally, the file /etc/shadow (or /etc/password on old systems) is regarded as one of the most vulnerable points of a Unix system [Uni99]. If an attacker can obtain the information in this file, the system is nearly hacked. Using Microsoft's PPTP protocol, information about your passwords is not only publicly available, you also provide additional hints about the passwords, which allow speeding up the attack by a factor of up to 2^16. With this said, it is clear why we believe Microsoft's PPTP implementation isn't suitable for securing wireless networks.
--Neal
Go IETF!
Problem is getting Management to go along
(Score:2, Interesting)
by Cy Guy ( 56083 ) writes:
on Wednesday February 27, 2002 @04:27AM (#3077946)
I think the priority should be getting management to understand the importance of using standard protocols instead of proprietary ones.
Having a book like this one is great if you want to familiarize yourself with the standards and how to implement them on Linux, but the much harder task is getting Management, particularly at larger companies, to see the benefit of implementing a standards-based VPN where the users can use any standards-based client over any TCP/IP network.
Instead what I see is managers that want to buy a single product that comes with both the server and client applications, but then doesn't work or is hard to implement when the clients are trying to access the VPN from a cable modem, DSL, or 802.11 connected machine, and don't (God forbid) want to use MSIE and Citrix on Windows to get onto the office network.
--
Work for Change & GET PAID!
Re:Problem is getting Management to go along
(Score:0)
by MojoReisen ( 218327 ) writes:
on Wednesday February 27, 2002 @05:00PM (#3082501)
You've got that right.
We're tasked with supporting Citrix IE-ALE Windows VPN clients with FlowPoint modems or Instant Internet boxes over DSL. Of course it is completely unreliable.
The task is truly Herculean. They (vendors) all point their fingers at each other, and I'm waist-deep in IPSec, MTUs, etc. and all that other black magic.
--
"Nothing is impossible for the man who refuses to listen to reason"
Can't beat SSH
(Score:2, Insightful)
by schlach ( 228441 ) writes:
on Wednesday February 27, 2002 @04:27AM (#3077953)
for simple encrypted forwarding
LocalForward 8080 theproxy:8080
LocalForward 25 thesmtp:25
LocalForward 143 theimap:143
Don't forget your '-g' =)
SSH != VPN. That's a good thing.
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:32AM (#3078902)
We have a section about when a VPN is not what you need, and these are the exact kind of examples when a VPN is unnecessary overkill.
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway. Otherwise anyone in the world can use your encrypted tunnel.
Re:SSH != VPN. That's a good thing.
(Score:2)
by brassrat77 ( 9533 ) writes:
on Wednesday February 27, 2002 @09:33AM (#3080403)
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway.
This is an EXCELLENT POINT that CANNOT BE OVEREMPHASIZED.
I recently had to set up tunnels to allow a set of NAT'd workstations (laptops running a mix of Linux and W2K) access to a system on the inside of a remote firewall where SSH was the only available securable protocol. We needed to use the "-g" switch, and the need for filtering access was immediately apparent.
We ended up using a set of scripts to build the tunnel, including the necessary iptables rules.
As an aside, I'd check if hosts.allow|deny rules are sufficient - I think the ssh tunnel would make all connections appear to be coming from the host running the tunnel. (Can't check for myself right now)
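An added illustration of the point Brian Hatch and brassrat77 make above (editor-supplied example code, not from the book or from either poster): given a constructed ~/.ssh/config carrying the LocalForward lines from schlach's post plus GatewayPorts yes (the config-file form of -g), it generates an iptables ruleset that lets only a constructed list of authorized source networks open connections to the forwarded ports and drops every other source. The host names, ports and networks are assumptions.

```python
import re
from ipaddress import ip_network

# Constructed ~/.ssh/config fragment modelled on the LocalForward lines in the
# post above; "GatewayPorts yes" is the config-file equivalent of ssh -g.
SSH_CONFIG = """\
Host office
    HostName gw.example.org
    GatewayPorts yes
    LocalForward 8080 theproxy:8080
    LocalForward 25 thesmtp:25
    LocalForward 143 theimap:143
"""

# Constructed list of the only networks allowed to reach the gateway listeners.
AUTHORIZED_SOURCES = ["192.0.2.10/32", "198.51.100.0/24"]

FORWARD_RE = re.compile(r"^\s*LocalForward\s+(?:(\S+):)?(\d+)\s+(\S+):(\d+)\s*$", re.I)


def parse_local_forwards(config):
    """Return (bind_address, local_port, remote_host, remote_port) per LocalForward line."""
    forwards = []
    for line in config.splitlines():
        m = FORWARD_RE.match(line)
        if m:
            bind, lport, host, rport = m.groups()
            forwards.append((bind or "*", int(lport), host, int(rport)))
    return forwards


def gateway_ports_enabled(config):
    """True when the listeners bind every interface (GatewayPorts yes), i.e. the -g case."""
    return any(re.match(r"^\s*GatewayPorts\s+yes\s*$", l, re.I) for l in config.splitlines())


def iptables_rules(forwards, authorized, chain="INPUT"):
    """Default-deny ruleset for each forwarded port: loopback and the authorized
    sources may open new connections to it, everything else is dropped."""
    for net in authorized:
        ip_network(net)  # a typo raises ValueError here instead of producing a bad rule
    rules = [f"iptables -A {chain} -i lo -j ACCEPT"]
    for _bind, lport, _host, _rport in forwards:
        for net in authorized:
            rules.append(f"iptables -A {chain} -p tcp --dport {lport} -s {net} "
                         f"-m conntrack --ctstate NEW -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {lport} -j DROP")
    return rules


def rules_for_config(config, authorized):
    """Only a -g style gateway needs the filter; a loopback-only listener is already private."""
    if not gateway_ports_enabled(config):
        return []
    return iptables_rules(parse_local_forwards(config), authorized)


if __name__ == "__main__":
    print("\n".join(rules_for_config(SSH_CONFIG, AUTHORIZED_SOURCES)))
```

On brassrat77's hosts.allow question: tcp_wrappers only governs daemons that consult it (sshd built with libwrap, services run under tcpd). The ssh client's own forwarded listener does not, and on the far end every forwarded connection arrives from the ssh server host itself, so hosts.allow there cannot tell the original clients apart. Source filtering therefore has to happen at packet level on the host running the listener, which is what the rules above do.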
The main problem with IPSEC...
(Score:5, Insightful)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @04:48AM (#3078126)
IPSEC is wonderful, but many businesses don't think things through and use it for telecommuting. Why is this bad? Well, the way this works is that someone connects to the VPN system and gets a full tunnel that allows the authorized client to behave on the internal network as if it was actually there, bypassing the firewall. The problem here is pretty obvious. The client machine is not protected by a firewall, and so if the client is compromised, an attacker has a clear path straight past the firewall. So the effectiveness of the firewall is greatly reduced.
Now if you don't have a firewall protecting the network, this won't hurt, but if you do, then a solution like ssh is somewhat more secure, as you only set up the tunnels you absolutely need to very specific hosts. While there is still a risk, it is greatly reduced and strikes a good balance between usability and security.
What IPSEC *is* good for is seamlessly and securely connecting sites together without really expensive dedicated lines. While it makes no guarantee as to bandwidth or availability, it does provide almost the same level of security. If a company can't afford lines to sites but still wants to expand, IPSEC is ideal. I use it to connect my home private network to a friend's home private network. The key here is that not only do you have to trust the clients whose keys you permit to connect, but you must also trust that the administrator of that client machine or network is sufficiently competent to keep his network secure, as the security of the two networks is tied a lot more closely together...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:1, Informative)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:58AM (#3078205)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
-m
Re:The main problem with IPSEC...
(Score:2)
by j7953 ( 457666 ) writes:
on Wednesday February 27, 2002 @07:19AM (#3079240)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
Well, but that doesn't prevent the telecommuter's computer from becoming compromised with some background logging software that'll collect information when connected to the company network, and send it to the attacker when connected to the internet.
Of course, using an SSH tunnel also doesn't solve that problem.
The only real option is to assign IPs from a different subnet to the telecommuters' home computers, and to have a firewall between that subnet and the rest of the company network that'll not allow access to certain resources that are especially critical. And, of course, the telecommuters must be educated about the security issues.
--
Sig (appended to the end of comments I post, 54 chars)
Re:The main problem with IPSEC...
(Score:2, Informative)
by icedivr ( 168266 ) writes:
on Wednesday February 27, 2002 @05:10AM (#3078285)
Your beef can be easily solved by ensuring that the remote machine's default route is down the tunnel.
As far as I'm concerned, a bigger threat is the road warrior laptop not having adequate virus protection. (VP of Sales does insist on Windows, doesn't he?) Desktops behind the firewall presumably have multiple layers of protection in front of them; the road warrior, maybe not.
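The posts above agree that the telecommuter's default route should go down the tunnel. As an added, editor-supplied check (not from the book or from the posters), the function below reads constructed "ip route show" output and reports whether the machine is split-tunnelling: any route leaving through a non-tunnel interface, other than the link-scope LAN route and the host route to the VPN gateway itself, is reported as a leak. The interface-name prefixes, the gateway address and both sample tables are assumptions; it does nothing about j7953's store-and-forward malware scenario, which no routing policy can.

```python
# Constructed "ip route show" output for the two cases discussed above.
ROUTES_SPLIT = """\
default via 192.168.1.1 dev eth0
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

ROUTES_FULL = """\
default via 10.8.0.1 dev tun0
203.0.113.7 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

VPN_GATEWAY = "203.0.113.7"  # constructed public address of the VPN gateway
# Assumed interface naming: tun/tap, ppp over ssh, FreeS/WAN ipsecN, CIPE cipcbN.
TUNNEL_PREFIXES = ("tun", "tap", "ppp", "ipsec", "cipcb")


def parse_routes(text):
    """Turn 'ip route show' lines into dicts with dst, via, dev and scope."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        r = {"dst": tok[0], "via": None, "dev": None, "scope": None}
        for key in ("via", "dev", "scope"):
            if key in tok:
                r[key] = tok[tok.index(key) + 1]
        routes.append(r)
    return routes


def is_tunnel(dev):
    return dev is not None and dev.startswith(TUNNEL_PREFIXES)


def split_tunnel_report(route_text, vpn_gateway):
    """Classify the table as 'full' (everything down the tunnel) or 'split'.

    Routes allowed to bypass the tunnel: the host route to the VPN gateway
    (the tunnel endpoint must stay reachable) and link-scope routes for the
    directly attached LAN (needed to reach the next hop). Anything else that
    leaves through a non-tunnel interface is a leak.
    """
    routes = parse_routes(route_text)
    default = next((r for r in routes if r["dst"] == "default"), None)
    leaks = []
    for r in routes:
        if is_tunnel(r["dev"]) or r["dst"] == vpn_gateway or r["scope"] == "link":
            continue
        leaks.append(r["dst"])
    full = default is not None and is_tunnel(default["dev"]) and not leaks
    return {"mode": "full" if full else "split", "leaks": leaks}


if __name__ == "__main__":
    for name, table in (("split", ROUTES_SPLIT), ("full", ROUTES_FULL)):
        print(name, split_tunnel_report(table, VPN_GATEWAY))
```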
Re:The main problem with IPSEC...
(Score:2)
by Jacco de Leeuw ( 4646 ) writes:
on Wednesday February 27, 2002 @05:31AM (#3078432)
... a bigger threat is the road warrior laptop not having adequate virus protection.
Agreed. Especially trojans. So, how does one secure the terminal? Boot from read-only media? Use a thin client?
--
-------
Warning: Slashdot may contain traces of nuts.
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes:
on Wednesday February 27, 2002 @05:29AM (#3078417)
So, you're saying the main problem with IPSEC is that it's not a magic bullet? Nothing is... get over it. I've heard people say the same about firewalls, saying how firewalls make people think that they're totally secure, so they no longer patch systems or pay attention. That may be true sometimes, but it's still not a valid argument that firewalls are flawed. Security isn't one box or one piece of software, and saying that one has a problem because it doesn't blanket everything is like criticizing deadbolts because thieves can still break a window to get into your home.
--
For your security, this post has been encrypted with ROT-13, twice.
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @06:53AM (#3079060)
Right, but I was saying that IPSEC is not only not a magic bullet (that is to be expected) but companies outright misuse the technology without any serious thought. They invest tons in making sure they have tight firewalls and policies that prohibit people from hooking up modems to the outside world (internet without firewall), and yet repeat the mistake in a different form time and time again. It would be nice to establish trusted connections to telecommuters, but it just simply can never be secure enough (well, maybe if the telecommuter is the same person who designed the corporate security and takes home security equally seriously, but not worth finding out).
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes:
on Thursday February 28, 2002 @03:15AM (#3084102)
I see your point, but at that stage of the game, it's not the technology that is to blame. Any solid technology will be a problem if it is not part of a sound, well-thought-out implementation. There are ways around the problem as well, however; for example, Checkpoint VPNs can push a security policy out to the client upon connection, enforcing a firewall policy at the end point and prohibiting network communications between that point and any node besides the VPN gateway. But that's a whole other ball of wax, and returns to the issue of making wise choices when rolling out technology.
The bottom line is, VPNs make it possible to do things in business that aren't cost-effective any other way, and businesses are there to make money, not to be secure. It's a trade-off, and if the return outweighs the risk, it's worth the risk.
--
For your security, this post has been encrypted with ROT-13, twice.
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes:
on Wednesday February 27, 2002 @05:59AM (#3078631)
So the effectiveness of the firewall is greatly reduced
Don't you have the same exact problem with desktop machines on the LAN, inside the firewall? Seems to me that VPN-through-a-firewall doesn't introduce any vulnerabilities that you don't already have.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @06:38AM (#3078946)
But LAN machines have never been exposed to the internet. I am sure somebody can put some "fun" daemons up on a machine just waiting for a VPN connection.
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes:
on Wednesday February 27, 2002 @07:18AM (#3079239)
But LAN machines have never been exposed to the internet.
Ha hah hah ha! That's a good one.
Seriously, it must be nice to work at a place where they haven't heard of "Active Content" and no one uses products like Microsoft Word or Microsoft Outlook.
-- :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @07:48AM (#3079450)
When dealing with internal systems, you can enforce all kinds of policies about virus software, etc. You can keep it relatively boxed. With telecommuting, the clients not only have relaxed restrictions, but also are vulnerable while connected to the internet to the sort of attacks firewalls are meant to keep out. Normally, this wouldn't be too bad, but with a full tunnel, that machine will probably contain sensitive information itself and, for the duration of the connection, gives full access to a corporate network if compromised.
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @09:07AM (#3080140)
If you want to get legalistic about it:
A Local Area Network by definition is not a Wide Area Network, now is it? If you have a LAN you cannot be exposed to the internet, or it is a WAN. If you run active content then you are running code on the LAN. Don't run unknown code on a LAN. If you are downloading something from the internet you are using a WAN interface, are you not?
The point is you have a machine that has been directly exposed to the internet and now it is on your network, and that is NOT the same thing. If I have to go to the head at a bus station I will finish my drink, because I won't really know what it is when I get back.
Re:The main problem with IPSEC...
(Score:1)
by -audiowhore- ( 153163 ) writes:
on Wednesday February 27, 2002 @11:08AM (#3081115)
Bollocks! There are quite a few commercial VPN clients out there that either have a 'stateful' firewall engine (Check Point's SecureClient), and some others that support personal firewall software (the Cisco client has support for BlackICE and ZoneAlarm). The Cisco client can be configured to not install or initialise *unless* the personal firewall is installed/running.
--audiowhore
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @04:22PM (#3082392)
But then, how do you ensure the client is using approved software if you are using a standard like IPSEC? I know, corporate policy, but if people are at home, they might try more exotic things... In any event, clients configured like this are a good way to make IPSEC *better* for telecommuting, but the safest bet is to not have full network transparency, but instead only have selected services that telecommuters need and allow only those in your preferred method of access.
--
XML is like violence. If it doesn't solve the problem, use more.
CIPE - a better solution.
(Score:3, Informative)
by ion++ ( 134665 ) writes:
on Wednesday February 27, 2002 @05:18AM (#3078339)
I'm using CIPE for Linux at work. It can be found at http://sites.inka.de/sites/bigred/devel/cipe.html or for Windows at http://cipe-win32.sourceforge.net/.
It's a better solution because it doesn't run TCP over TCP, which can give a problem when retransmission occurs. With the right amount of bad luck, you can have double retransmission where both layers of TCP retransmit. CIPE runs completely over UDP to avoid this problem.
JonB
Re:CIPE - a better solution.
(Score:2, Insightful)
by ion++ ( 134665 ) writes:
on Wednesday February 27, 2002 @05:22AM (#3078367)
Oh yeah, I forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Furthermore it works with non-static IP addresses. Obviously one end needs to know the IP of the other end, but that's all which is needed.
JonB
Re:CIPE - a better solution.
(Score:1)
by The Darkness ( 33231 ) writes:
on Wednesday February 27, 2002 @06:29AM (#3078878)
Oh yeah, I forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Junta already posted a valid response to this statement.
Furthermore it works with non-static IP addresses. Obviously one end needs to know the IP of the other end, but that's all which is needed.
FreeS/WAN works great with non-static IP addresses. For example, in /etc/ipsec.conf:
conn netnet
    left=theirhost.dyn.dhs.org
    leftid=@theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    leftrsasigkey=....
    rightrsasigkey=....
    authby=rsasig
    auto=start
And in ipsec.secrets:
@myhost.dyn.dhs.org : RSA { ...
}
I have been using a similar configuration since the release of FreeS/WAN v1.5.
--
There are two kinds of people: 1) those that need closure
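As an added example (editor-supplied, not from The Darkness's post, the book, or FreeS/WAN itself), here is a small parser for the ipsec.conf layout shown above together with checks for the settings that matter in the dynamic-address case: rsasig authentication with an inline 0s... key on both ends, only one side on %defaultroute, and an explicit @fqdn id whenever a side is given as a hostname, since FreeS/WAN otherwise uses the IP address as the identity and that changes with every lease. The key values are placeholders and the weak variant is constructed.

```python
# Constructed ipsec.conf modelled on the netnet example in the post; the
# 0s... values stand in for real RSA public keys (placeholders, not keys).
IPSEC_CONF_OK = """\
config setup
    interfaces=%defaultroute

conn netnet
    left=theirhost.dyn.dhs.org
    leftid=@theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    leftrsasigkey=0sAQPLACEHOLDERLEFTKEY
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    rightrsasigkey=0sAQPLACEHOLDERRIGHTKEY
    authby=rsasig
    auto=start
"""

# Constructed weaker variant: no leftid for a dynamic hostname, the left key
# missing entirely, and the right key still left as the "...." placeholder.
IPSEC_CONF_WEAK = """\
conn netnet
    left=theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    rightrsasigkey=....
    authby=rsasig
    auto=start
"""

VALID_AUTO = {"add", "start", "route", "ignore", "manual"}


def parse_ipsec_conf(text):
    """Parse FreeS/WAN ipsec.conf: unindented 'conn NAME' / 'config setup'
    headers, indented key=value lines, '#' comments.
    Returns {(kind, name): {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            kind, _, name = line.strip().partition(" ")
            current = sections.setdefault((kind, name.strip()), {})
        elif current is not None:
            key, _, val = line.strip().partition("=")
            current[key.strip()] = val.strip()
    return sections


def check_conn(name, conn):
    """Return a list of findings for one conn section (empty list = nothing to report)."""
    findings = []
    authby = conn.get("authby", "secret")  # FreeS/WAN defaults to shared secrets
    if authby == "secret":
        findings.append(f"{name}: authby=secret (shared secret); the post's setup uses rsasig")
    elif authby == "rsasig":
        for side in ("left", "right"):
            key = conn.get(f"{side}rsasigkey", "")
            if not key.startswith("0s"):
                findings.append(f"{name}: {side}rsasigkey missing or not an inline 0s... key")
    if conn.get("left") == "%defaultroute" and conn.get("right") == "%defaultroute":
        findings.append(f"{name}: both left and right are %defaultroute; only one end may be")
    for side in ("left", "right"):
        addr = conn.get(side, "")
        if addr and not addr.startswith("%") and not addr[0].isdigit() and f"{side}id" not in conn:
            findings.append(f"{name}: {side} is a hostname but {side}id is unset; "
                            f"set {side}id=@{addr} so the identity survives an address change")
    if conn.get("auto", "ignore") not in VALID_AUTO:
        findings.append(f"{name}: unknown auto={conn['auto']}")
    return findings


def audit(text):
    """Run check_conn over every conn section of an ipsec.conf text."""
    findings = []
    for (kind, name), body in parse_ipsec_conf(text).items():
        if kind == "conn":
            findings.extend(check_conn(name, body))
    return findings


if __name__ == "__main__":
    print("ok config:", audit(IPSEC_CONF_OK))
    print("weak config:", *audit(IPSEC_CONF_WEAK), sep="\n  ")
```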
Re:CIPE - a better solution.
(Score:2, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @05:39AM (#3078494)
Better solution than, say, ppp over ssh (a really dumb hack), but not better than IPSEC for most all applications.
IPSEC also does not run TCP over TCP; it uses UDP for ISAKMP, and data is transmitted through custom protocols (numbers 50 and/or 51), *not* through TCP.
Another thing about IPSEC that works better than CIPE is that IPSEC more strongly authenticates the machine at the other end. This is why NAT breaks, because unlike CIPE, IPSEC works to ensure the packet has passed unmodified since leaving a known trusted host, and the very nature of NAT prevents this. The solution is simple: move the IPSEC gateway to either the NAT system or beyond. Though it is being pushed in many circles as a good solution for telecommuting, it really was never designed for that and that usage really spits in the face of firewalls.
Finally, CIPE lacks compatibility. Sure you can configure Windows and Linux boxes and maybe other platforms, but just try to connect to, say, a CISCO router....
CIPE is a hack that creates more problems than it solves in the long run. PPP over ssh is worse, but a dumb idea; set up tunnels for specific TCP services that you need: more overhead, but security is better (not perfect, but better). For connecting networks together, a good architect can piece together an IPSEC solution that guarantees identity at the other end of the pipe... CIPE offers the gaping hole that IPSEC can while not offering enough identification. So ssh or IPSEC remains the best solution, depending on the problem.
--
XML is like violence. If it doesn't solve the problem, use more.
Duh, we cover cIPe in the book.
(Score:2, Informative)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:40AM (#3078953)
Ummm, we cover cIPe in the book. Would be a pretty crappy job if we hadn't.
Answer?
(Score:3, Funny)
by sharkey ( 16670 ) writes:
on Wednesday February 27, 2002 @05:29AM (#3078412)
Why does every book need to include the magic 'L' word in the title nowadays?
Because they have a better chance of getting posted to the Slashdot homepage?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Re:Answer?
(Score:1)
by Crusty Oldman ( 249835 ) writes:
on Wednesday February 27, 2002 @05:37AM (#3078476)
... Or they could just say "Perl" for a slam dunk.
Crossplatform aspect?
(Score:2, Interesting)
by egghat ( 73643 ) writes:
on Wednesday February 27, 2002 @05:51AM (#3078571)
How is the cross-platform aspect covered? There are hundreds of possible solutions for VPNs out there, but if you want something that works on *nix, Windows and Mac (Classic and X) and is free and open, the range of products to choose from gets small...
For example, I couldn't find a free IPSEC client for Windows.
Any new hints from this book?
Thanks in advance.
egghat.
--
"As a human being I claim the right to be widely inconsistent", John Peel
Re:Crossplatform aspect?
(Score:3, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @05:53AM (#3078587)
IPSEC "clients" for Windows:
PGPnet - commercial and free versions. The free version doesn't do complicated routing stuff.
Windows 2000 and newer have built-in IPSEC capabilities.
Both these methods can interact with CISCO, OpenBSD, and FreeS/WAN.
IPSEC is the best shot you have at a cross-platform standard.
--
XML is like violence. If it doesn't solve the problem, use more.
Re:Crossplatform aspect?
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:28AM (#3078871)
Most of the VPN topics we cover translate easily and directly to other Unix systems. Some small differences are OS specific. You don't enable IP forwarding with /proc on Solaris, for example, but the software configuration, routing examples, etc., are the same.
We discuss PPTP s.t. you can communicate with PPTP-only Windows clients. You can run IPSec software on more recent versions of Windows; however, describing how to do so would probably increase the size of the book by several hundred pages, not counting the fact that we'd have lost some serious sanity in the process.
So when cross platform == unix-like systems, this book does it for you. When cross platform == non unix, you're on your own.
Semi-OT: any ISPs that route a VPN connection?
(Score:1)
by Sloppy ( 14984 ) writes:
on Wednesday February 27, 2002 @06:06AM (#3078670)
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.) Doesn't have to be free beer.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:Semi-OT: any ISPs that route a VPN connection?
(Score:2)
by disappear ( 21915 ) writes:
on Wednesday February 27, 2002 @09:42AM (#3080488)
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.)
Why would you want to do that? Not only will it slow down your network connection, but I suspect that it should be fairly easy to do traffic analysis to determine which traffic was yours in the first place, even at a busy ISP...
Has anybody used isakmpd on Linux
(Score:2)
by Chang ( 2714 ) writes:
on Wednesday February 27, 2002 @06:06AM (#3078673)
Anybody out there have any success compiling and using OpenBSD's isakmpd on Linux?
I really need to use aggressive mode but the patches for freeswan are ancient/unmaintained.
A pointer would be greatly appreciated.
ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @06:11AM (#3078722)
Here's this script I use to set up a quick and dirty VPN between my workstation at work and my home PC. It has to originate from work to get through the firewall, but once set up, of course, packets can flow both ways. I call the script ssh-vpn.
You have to set up ssh correctly with rsa keys before it will work. You also have to download pty-redir. See the VPN mini how-to for more details.
#!/bin/bash
# ssh-vpn: bring up a ppp link over an ssh session (quick-and-dirty VPN)
REMOTE_HOST=$1
REMOTE_IP=$2
LOCAL_IP=$3
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
echo "usage: ssh-vpn REMOTE_HOST REMOTE_IP LOCAL_IP"
exit 1
fi
# this file holds the slave pty name that the local pppd needs
# (mktemp instead of a predictable /tmp/tmp$$ name, so nobody else can pre-create it)
tmpfile=$(mktemp /tmp/ssh-vpn.XXXXXX) || exit 1
# start remote pppd; pty-redir runs ssh on a pty and writes the slave pty name to stderr
/usr/local/bin/pty-redir /usr/bin/ssh -1 -o 'BatchMode yes' -t -l root "$REMOTE_HOST" /usr/sbin/pppd local "${REMOTE_IP}:${LOCAL_IP}" 2> "$tmpfile"
# give the remote pppd process a little time to send its first connect request
sleep 5
# start local pppd on the pty that pty-redir reported (unquoted on purpose: word-split the reported name)
/usr/sbin/pppd $(cat "$tmpfile") passive
# remove the file that held the slave pty file name
sleep 5
rm -f "$tmpfile"
The pty-redir hack is dead.
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:20AM (#3078799)
No offense, but anyone still relying on pty-redir should really use a more recent version of pppd which has the '-p' option to create a pty on its own.
The ppp over (ssh/ssl) stuff in the book is much more complete, allowing you to make more than one connection, doesn't rely on best-guess 'sleep X' timeouts, and walks you through setting up ssh securely s.t. it can only be used to create the VPN, and doesn't require logging in as root from either endpoint.
Re:The pty-redir hack is dead.
(Score:1)
by hopeless case ( 49791 ) writes: Alter Relationship
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:08AM (#3079628)
Thanks for the info on "-p". I didn't know about that.
You are correct, of course, about the flaws of my scheme, but you'd be amazed how well it works for my purposes. I work from home and need to get access to my work machines through the firewall.
Using my 128k DSL connection to the net, I can do a lot this way, including using VNC acceptably.
I wouldn't recommend it for any production environment, but for simple things it more than fits the bill.
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @06:26AM (#3078840)
Here's a link to a tgz file of the pty-redir source and compiled utility:
http://www.hopelesscase.com/pty-redir.tgz
I had to modify it to get it to work so in the interests of saving time, I'm posting it here.
Re:ssh + ppp = vpn
(Score:4, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @07:14AM (#3079217)
Of course, ppp over ssh is a bad thing, ugly and bad. For most traffic, you have this topography:
TCP over IP over ppp over ssh over TCP over IP, etc...
Note the fact that we have TCP over TCP, which is bad, very very bad. If a packet gets lost, we have two layers doing the same thing to restore a connection and things can get stalled out quickly....
ssh's built-in tcp tunneling suffices for most remote access applications. For a true VPN, IPSEC is the only good way to go. Other things like CIPE certainly work better than ppp over ssh, but still lack certain features that IPSEC has. Then again, if you have to build a VPN where you need to modify packets in transit (i.e. NAT), CIPE is a viable alternative if you don't mind that packets could be mangled by more than just the NAT gateways and CIPE wouldn't care, but I personally want to ensure the highest security with IPSEC... --
XML is like violence. If it doesn't solve the problem, use more.
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:10AM (#3079657)
Yes, it leads to poor performance and an unstable link. Still, for my purposes (connecting from home to my work machines through a firewall over a DSL line at 128kbps), you'd be surprised how useful it is.
IPSec would be better but I would have a lot to learn and experiment with before I could use it. The ssh+ppp solution is much easier.
Right in time.
(Score:2)
by Bender Unit 22 ( 216955 ) writes:
on Wednesday February 27, 2002 @07:06AM (#3079151)
I have just been playing with IPSec for the last couple of days and wanted to buy a book on the subject. While I managed to successfully make a VPN connection between 2 machines, I still need to read a great deal about what's under the hood.
So I looked at amazon also thinking that I could not go wrong with a book from O'Reilly, but after looking at the few stars it got I had been looking at this book and the one from RSA. Well, that does it. I'm getting this one. :)
Re:Right in time.
(Score:2)
by gmhowell ( 26755 ) writes:
<gmhowell@gmail.com>
on Wednesday February 27, 2002 @09:44AM (#3080503)
Ditto. Need to work from home. What I should do is wireless (only 2 miles between home and work) but the county has something against cutting down all of those trees...
--
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Marco- 10th post
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:35AM (#3077644)
I claim this early post for JinWicked!
Is it as good as New Riders' MySQL book?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:36AM (#3077649)
New Riders' MySQL book is mighty fine; if this is half as good it'll be worth reading
Re:Is it as good as New Riders' MySQL book?
(Score:0)
by SweetAndSourJesus ( 555410 ) writes:
<JesusAndTheRobot.yahoo@com>
on Wednesday February 27, 2002 @03:44AM (#3077697)
Agreed, that was a surprisingly good book. Their php book (can't recall the title) sucked, though. They spent too much time on programming style and whatnot; things that really weren't php-specific. That's all fine and dandy, I guess, but when I buy a book about php, I'd like it to be about php.
--
the strongest word is still the word "free"
Re:Is it as good as New Riders' MySQL book?
(Score:0, Redundant)
by PoiBoy ( 525770 ) writes:
<brian@poiholdi n g s . com>
on Wednesday February 27, 2002 @04:04AM (#3077810)
I haven't read the New Riders' book on VPN's yet, but I have found this publisher's other books (including the one on MySQL) to be extremely well written and accessible and useable by both newbies and experienced users.
Re:Is it as good as New Riders' MySQL book?
(Score:2)
by einhverfr ( 238914 ) writes:
<.moc.liamg. .ta. .srevart.sirhc.>
on Wednesday February 27, 2002 @04:29AM (#3077971)
Not to mention their GTK/Gnome Development book.
I have as much respect for New Riders as I do for O'Reilly. --
LedgerSMB: Open source Accounting/ERP
ep
(Score:-1)
by bitchslapboy ( 193543 ) writes:
on Wednesday February 27, 2002 @03:37AM (#3077652)
This early post for Ida!
--
Slashdot - contra bonos mores
first dead penis bird
(Score:-1)
by neal n bob ( 531011 ) writes:
on Wednesday February 27, 2002 @03:38AM (#3077655)
man this site really, really sucks. Hardly makes it worth mentioning that you can kiss my grits.
Re:first dead penis bird
(Score:-1)
by Dead Penis Bird ( 524912 ) writes:
on Wednesday February 27, 2002 @03:43AM (#3077687)
You said it! Even the FP's have gotten boring. Methinks we need to spice it up a bit.
--
If I weren't nailed to the penis, I'd be pushing up the daisies!
What's complicated about FreeSWAN?
(Score:4, Interesting)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:39AM (#3077660)
They have excellent documentation and they keep the documentation trees for older versions online. Installation is as complicated as running a script and installing the recompiled kernel, if even that. I guess it never hurts to have more documentation, but saying that IPSec is "a difficult beast to ride" produces more awe than necessary.
Re:What's complicated about FreeSWAN?
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:45AM (#3077703)
Overrated, maybe. But redundant?
Re:What's complicated about FreeSWAN?
(Score:5, Insightful)
by Starship Trooper ( 523907 ) writes:
on Wednesday February 27, 2002 @03:49AM (#3077724)
What's complicated about FreeSWAN?
Well, a LOT. Not if you're deeply involved technically in the project, but if you back out and take the perspective of someone who's never used a VPN, plenty.
A lot of people don't even think about the fact that there's a separate protocol field in IP, or that people run any IP protocol but UDP or TCP. Getting 50/51 through your existing firmware firewall can be a real trick. FreeSWAN requires you to have the GNU Multi-Precision library installed for the crypto calculations before you compile it. Unless your distro came with FreeSWAN, you have to recompile your kernel with modifications.
And, like many tools, there's no single graphical GUI; unlike SAMBA's excellent SWAT, there's nothing to lead you to ipsec.conf or ipsec.secrets. There's a LOT of reading to be done.
Ok, so, for you or me, it's easy. Maybe a day of reading tops. But compare that to the commercial world where an application must install and be configured from a GUI in a few hours, and FreeSWAN is... nearly a toy. It's unusable in a business environment. As soon as you say "compile", a CTO is going to turn down your volume.
It's cool, but don't call it uncomplicated. That's part of its coolness (-;
--
Loneliness is a power that we possess to give or take away forever
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by smcavoy ( 114157 ) writes:
on Wednesday February 27, 2002 @04:30AM (#3077979)
I use Freeswan in a production environment. I have Embedded Linux routers using freeswan connecting to Linux boxes. The VPNs are relatively simple, 2 outgoing connections to central systems. I did find there was a large learning curve at the beginning, but now it takes 5 min to set up a new vpn tunnel. The systems have been extremely reliable. I've never had a problem (other than net congestion) with keeping the tunnels up. A lot of the tunnels have 80+ days of uptime. As for compiling, most modern distros include IPSec (trustix, mandrake, etc.) or there are options like Astaro. Having a CTO "turn down your volume" based on the fact that you have to compile software doesn't say anything about the quality or reliability of the software; that's a personal decision by the CTO not to use OSS. I do agree it's not point and click, and that would be nice, but to say it's unusable in a business environment is just untrue. It's not pretty but it works, and works well.
Re:What's complicated about FreeSWAN?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:54AM (#3078169)
How right you are. As a system admin who has always used Windows or DOS, I am trying to change. I want to start using some Linux servers here, but one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI? Heck yes. Do I still want access to the .conf file? Heck yes. These problems are around a lot in the Linux community. The people that have always used Linux do see it as hard and some don't want us new people to whine because it is not "dumbed down", but on the other hand they want all of us to switch to it. I don't want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I don't want to have to spend 1-2 days reading ALL the docs just to know where to start. Just my 2 cents.
Let the flames begin!!!!
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes:
on Wednesday February 27, 2002 @05:03AM (#3078246)
one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI? Heck yes.
With security software in general, and VPN software in particular, that's a very, very dangerous attitude: a GUI may fool you into thinking that you understand what's going on when in reality you haven't a clue. With most software, that's not an issue, but with security software, that can compromise the very goal you're trying to achieve.
I don't want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I don't want to have to spend 1-2 days reading ALL the docs just to know where to start.
How many days do you want to spend cleaning up after a security incident that occurred because the GUI let you get away without spending two days reading documentation? How much time will you save in the long run if every time you save two days reading documentation you spend three days cleaning up?
(We lose money on every item --- but we make it up in volume!)
Re:What's complicated about FreeSWAN?
(Score:1)
by BeNude ( 28969 ) writes:
on Wednesday February 27, 2002 @11:15AM (#3081147)
I would disagree with you about the usefulness of a GUI to implement VPN's or firewalls.
First of all, a GUI interface, if it is well-designed, can provide every bit as much control over the underlying security behavior of a firewall as any command-line interface. Furthermore, a GUI allows an administrator to spend less time trying to deal with syntax, etc., and more time on building a ruleset that is secure.
Someone who has done the reading and understands how firewalls and VPN's work will appreciate a GUI because of this.
For those who don't fully understand how firewalls and VPN's work, a GUI at least provides a reasonable learning environment and early attempts at a ruleset will probably be more secure anyhow. :)
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes: Alter Relationship
on Wednesday February 27, 2002 @12:30PM (#3081528)
Homepage
I would disagree with you about the usefulness of a GUI to implement VPN's or firewalls.
I never said a GUI wasn't useful to implement VPNs. Just that it was dangerous to implement them without reading the documentation, a problem that a GUI makes worse only because it tricks people into thinking they can get away without it.
IANACLB
(Score:4, Interesting)
by hey! ( 33014 ) writes:
on Wednesday February 27, 2002 @06:21AM (#3078804)
IANACLB (I Am Not a Command Line Bigot), but doing better than a CLI interface in an area like this is a tall order. It's not something you can just slap onto the product in a few days (as most VPN box configuration GUIs I've seen appear to be).
The problem with the GUI interfaces I have seen is that they really don't give you any effective conceptual support. You have to figure out the topology and requirements of your network, then you do this bit of intellectual gymnastics that turns these global requirements and properties into settings for each individual box, THEN you sit down at your GUI. At that stage, the GUI can have very little benefit, since you are talking about a half dozen relatively simple commands you need to type in. In fact, typing them in means you can keep them in a little word processor file and send them to the box over and over again with little changes -- good for setting up multiple boxes or for playing around with a single box you are repeatedly pin-resetting.
To really help a person like you who doesn't have time to bone up on every box you are working with, what you really need is something that is kind of a cross between a network management system and a CAD system. You would sketch out your network, and drop little dollops of distinctively colored "paint" on each network or host that needs to participate in some virtual network. The system would then output configurations to download to each of the participating firewalls or hosts.
A GUI that just configures an individual box does practically nothing for you.
--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Where to get Freeswan packages for Red Hat
(Score:2)
by Nailer ( 69468 ) writes:
on Wednesday February 27, 2002 @10:47AM (#3080965)
Unless your distro comes with FreeSWAN, you have to recompile your kernel with modifications.
Non-US distributions like SuSE and Debian can include Freeswan in their list of apps. US based ones like Red Hat can't. But some lovely fellows at Steambaloon (a Linux security consulting firm - no, I work for someone else) produce source and binary packages of the original and updated Red Hat kernels (with the AC patches, extensive testing, and old 2.4 VM) with Klips, the kernel level part of ipsec, compiled in.
How stupid is the CTO?
(Score:1)
by SharpNose ( 132636 ) writes:
on Wednesday February 27, 2002 @11:21AM (#3081178)
Let's see: provided I know FreeSWAN, I can grab a machine and start setting it up immediately. If I want to get something commercial and very expensive, I have to fill out how many forms, get approval from how many people, wait for it to get ordered how long? Exactly where are you starting your clock when you say "configured from GUI in a few hours?"
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by smcavoy ( 114157 ) writes:
on Wednesday February 27, 2002 @04:30AM (#3077979)
I use Freeswan in a production environment. I have Embedded Linux routers using freeswan connecting to Linux boxes. The VPNs are relatively simple, 2 outgoing connections to central
Re:What's complicated about FreeSWAN?
(Score:3, Interesting)
by LWolenczak ( 10527 ) writes:
<julia@evilcow.org>
on Wednesday February 27, 2002 @04:25AM (#3077934)
The FreeS/WAN people don't document everything that you can do with frees/wan. It's very neat when you get down to the point where you're playing with dozens of tunnels configured every which way.
One of the things that they don't tell you how to do, I guess so they don't get asked questions, is how to put gre traffic inside of an ipsec tunnel and make it work right. Also, it seems to have slipped by that you CAN make two linux 2.4 secure gateways talk to each other over the ipsec tunnel.
I have a couple samples of some of the neat things I have done at http://lwolenczak.net/ipsec.html
Re:What's complicated about FreeSWAN?
(Score:3, Interesting)
by Etyenne ( 4915 ) writes:
on Wednesday February 27, 2002 @05:40AM (#3078498)
Complicated things with FreeSWAN:
- Client behind NAT
- Left/Right side nomenclature really confuses me; they could have used "peers" or client/server, I don't know
- Recompiling kernel; easy if you have a single box, quite hard when you manage 30+. Plus it requires you to commit the sin of rebooting the machine.
At work, we have chosen CIPE for Linux-Linux VPN. It is totally userland, comes stock on recent RedHat versions and is available as RPM; all that makes it easy to install and upgrade on a lot of machines. Plus the config file is really dumb-proof. We are stuck using PPTP for Windows-Linux VPN because that's all the Windows monkeys know about.
--
:wq
Re:What's complicated about FreeSWAN?
(Score:1)
by pivo ( 11957 ) writes:
on Wednesday February 27, 2002 @06:17AM (#3078772)
From my understanding of FreeSWAN, it's not intended to connect many machines to a central point, for example a VPN for home machines connected to a central office. It's intended to link offices together. So you should only have to install it on the specific machines that link those offices. If your company's so big or dispersed that you have thirty offices, then I guess you would have to recompile each kernel, though you'd be smarter to have identical machines and build the kernel once then distribute it to each machine.
We use PPP over SSH for our home/office VPN for Linux and Solaris. It works very well and since it was originally a skunkworks project, we didn't even have to get IT to open any new ports since SSH was already supported.
Re:What's complicated about FreeSWAN?
(Score:2)
by LinuxGeek8 ( 184023 ) writes:
on Wednesday February 27, 2002 @06:57AM (#3079084)
I am struggling for some time now to get it going, but I still do not understand how it works.
On my end I have a linux firewall with iptables.
And what I could not figure out is what to do with the packet filtering, do I need to accept traffic over 50/ip on the ipsec0 interface or the eth0 interface. Same question for the 500 udp/ip traffic.
And the other part of the network is connected to a freebsd server with racoon running. That is a completely different ipsec implementation. At least for configuring it is different.
I believe running a packet filter is quite hard if you want to do it right. You have to understand networking and just play with it for a few weeks just to understand it.
If anyone would tell me he has a secure packet filter running, but cannot explain how it works, I just cannot believe it. You just have to know what you are doing.
Same with ipsec.
Ipsec is not only networking, but also crypto.
So there is more you need to know about it, and it adds extra complexity to firewalling.
--
Well, don't worry about that. We can get you back before you leave. (Dr. Who)
Re:What's complicated about FreeSWAN?
(Score:1)
by pfunkmallone ( 89539 ) writes:
on Thursday February 28, 2002 @09:44AM (#3086925)
On your eth0 interface of the firewall, you need to allow 500 udp, and 50 tcp (if you're using ESP which is default). This allows the IPSEC peers to setup the tunnel. http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/firewall.html
According to the FreeSwan folks, no firewalling NEEDS to be done on the ipsec0 interfaces, as all packets coming through this tunnel are already being disassembled and "cleaned-up" by freeswan itself.
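The outside-interface rules described in this reply, written out as an iptables script (an added example, not code from the thread or from FreeS/WAN): IKE on UDP port 500 and ESP, which iptables matches as -p esp (IP protocol number 50), both pinned to the peer gateway, plus optional rules on ipsec0 that go beyond what the FreeS/WAN document requires. All interface names, gateway addresses and subnets are constructed; set IPTABLES=echo to print the rules instead of installing them.

```shell
#!/bin/sh
# Added example: packet-filter rules for a FreeS/WAN security gateway.
# All interface names, addresses and subnets below are constructed.
# IKE runs on UDP port 500; ESP is IP protocol 50 (iptables: -p esp).
# Set IPTABLES=echo to print the rules instead of installing them.

IPTABLES="${IPTABLES:-iptables}"

# ipsec_peer_rules IFACE LOCAL_GW REMOTE_GW
# Outside interface: let the two gateways negotiate (IKE) and exchange
# encrypted traffic (ESP), and nobody else.
ipsec_peer_rules() {
    iface=$1; local_gw=$2; remote_gw=$3
    # IKE: UDP 500 both ways, pinned to the peer's address
    "$IPTABLES" -A INPUT  -i "$iface" -p udp -s "$remote_gw" -d "$local_gw" \
        --sport 500 --dport 500 -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$iface" -p udp -s "$local_gw" -d "$remote_gw" \
        --sport 500 --dport 500 -j ACCEPT
    # ESP: IP protocol 50 (not a TCP or UDP port), again pinned to the peer
    "$IPTABLES" -A INPUT  -i "$iface" -p esp -s "$remote_gw" -d "$local_gw" -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$iface" -p esp -s "$local_gw" -d "$remote_gw" -j ACCEPT
}

# ipsec_tunnel_rules LOCAL_NET REMOTE_NET
# ipsec0 carries the decrypted packets. FreeS/WAN's firewall document says no
# filtering is required here; these rules tighten that so only the two subnets
# the tunnel is for can use it, which bounds what a compromised peer can reach.
ipsec_tunnel_rules() {
    local_net=$1; remote_net=$2
    "$IPTABLES" -A FORWARD -i ipsec0 -s "$remote_net" -d "$local_net" -j ACCEPT
    "$IPTABLES" -A FORWARD -o ipsec0 -s "$local_net" -d "$remote_net" -j ACCEPT
    "$IPTABLES" -A FORWARD -i ipsec0 -j DROP
}

# ipsec_antispoof_rules IFACE REMOTE_NET
# A cleartext packet claiming a remote-subnet source but arriving on the
# outside interface did not come through the tunnel; drop it.
ipsec_antispoof_rules() {
    iface=$1; remote_net=$2
    "$IPTABLES" -A FORWARD -i "$iface" -s "$remote_net" -j DROP
    "$IPTABLES" -A INPUT   -i "$iface" -s "$remote_net" -j DROP
}

# Dry run with constructed addresses: IPSEC_DEMO=1 sh freeswan-rules.sh
if [ "${IPSEC_DEMO:-0}" = 1 ]; then
    IPTABLES=echo
    ipsec_antispoof_rules eth0 10.2.0.0/16
    ipsec_peer_rules eth0 203.0.113.10 198.51.100.20
    ipsec_tunnel_rules 10.1.0.0/16 10.2.0.0/16
fi
```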
Women of the world, Stop sucking dick!
(Score:-1, Troll)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @03:46AM (#3077705)
Women of the world, it is time to stop sucking dick!
Sucking dick is the ultimate act of subservience;
a woman sucking dick not only gets no orgasm for
her work, but gets a mouthfull of what can only
be described as warm rancid milk for her efforts.
This sexual slavery must be stopped!
Women, reclaim your mouths, and
STOP
SUCKING
DICK!
Re:Women of the world, Stop sucking dick!
(Score:-1)
by SweetAndSourJesus ( 555410 ) writes:
<JesusAndTheRobot.yahoo@com>
on Wednesday February 27, 2002 @04:07AM (#3077832)
blasphemer.
I'm a guy. Can I still suck dick? I really enjoy sucking cock, as do many of my female friends.
--
the strongest word is still the word "free"
Re:Women of the world, Stop sucking dick!
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:07AM (#3077834)
So, this means you prefer getting your dick sucked by men, right?
Alan Thicke. DEAD.
(Score:-1)
by Alan_Thicke ( 553655 ) writes:
on Wednesday February 27, 2002 @03:47AM (#3077709)
I just heard the sad news on CBC radio. Comedy actor/writer Alan Thicke was found dead in his home this morning. Even if you never liked his work, you can appreciate what he did for 80's television. Truly a Canadian icon.
He will be missed :(
--
Show me That Smile (The Growing Pains Theme Song):
Show me that smile again.
Ooh show me that smile.
Don't waste another minute on your crying.
We're nowhere near the end.
We're nowhere near.
The best is ready to begin.
As long as we got each other
We got the world
Sitting right in our hands.
Baby rain or shine;
All the time.
We got each other
Sharing the laughter and love.
My Slashdot ads say "
why?
(Score:0)
by tplayford ( 308405 ) writes:
<tom@sai[ ]taly.com ['l-i' in gap]>
on Wednesday February 27, 2002 @03:51AM (#3077734)
I'm sure this book is very useful etc. But I've set up several international linux based VPN's now and it really isn't that difficult.
I suppose this is the same for almost all computer books, easy if you know how...
Re:why?
(Score:2, Insightful)
by MonkeyBot ( 545313 ) writes:
on Wednesday February 27, 2002 @04:09AM (#3077844)
Sometimes, there are special constraints on the networks you are working with. For instance, I need to use stuff that uses IP, but since PPP over SSH is strictly TCP, I can't use that option. Moreover, my boss is a paranoid guy that doesn't trust some 24-year-old punk (me) to run his firewalls, so both offices have managed firewalls through different ISPs, ruling out the possibility of a single ISP routing traffic over its network to the other office so that I don't have to do anything. This adds additional constraints because since I can't control the firewall without going through pains with both ISPs for several days, I can't even open a port for something like PPTP (which I really wouldn't want to do anyway). Granted, I can probably find out what I need to know from a Google search, but it would be nice to have all the common VPN solutions covered--even just introduced--in a book format. I'm buying it.
Re:why?
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @08:10AM (#3079648)
Of course, ppp over ssh implies a full IP tunnel using ppp with ssh underneath, IP in TCP encapsulation, essentially. You get full IP functionality this way, though the architecture is horribly flawed (TCP connections run with TCP somewhere underneath, very bad when packets get lost and two layers start doing recovery).
Now ssh without ppp on top supports only TCP tunnels, I'll assume that is what you are talking about. A statement that says you need to use IP, but you only get TCP sounds really goofy, since TCP rides on top of IP, phrasing it with the protocols you need (i.e. udp, icmp, etc) would have made the post more sensible (that and omitting ppp...). If I heard someone make the statement you just made I wouldn't trust them with firewall configuration either...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:why?
(Score:2)
by Pii ( 1955 ) writes:
<jedi.lightsaber@org>
on Wednesday February 27, 2002 @08:31AM (#3079810)
What do you mean, "PPP over SSH is strictly TCP?"
Are you saying that ICMP, or UDP, traffic is unable to utilize this tunnel?
That is certainly not correct. Just as PPP carries all of your IP traffic (any protocol) between your home and your ISP, a PPP over SSH tunnel will also carry whatever you need it to.
--
For those that would die defending it, Freedom
has a sweet taste that the protected will never know.
Re:why?
(Score:2)
by Bender Unit 22 ( 216955 ) writes:
on Wednesday February 27, 2002 @07:13AM (#3079206)
It's not when it works you need the books. It's when it doesn't work you'd wish you had the book.
I have configured a VPN with the help of a HOW-TO page and it worked. But when you want to do larger setups in the "real" world, all kinds of questions and demands come to mind, and it's nice to be on top of things and be able to say from the first meeting what is possible and what is not.
Garsh
(Score:-1)
by Guns n' Roses Troll ( 207208 ) writes:
on Wednesday February 27, 2002 @03:51AM (#3077735)
I never knew that a high-steppin' yella could do that.
VPN hardware
(Score:1, Troll)
by pokka ( 557695 ) writes:
on Wednesday February 27, 2002 @04:02AM (#3077793)
Building VPNs is a pain in the ass, regardless of whether you're using windows NT/2k or linux. Microsoft's documentation is sketchy (and in some cases completely wrong), and there are very few sources for building a VPN in Linux.
This book may make it easier to build a VPN, but it's kind of obsolete, now that the Linksys VPN router has been released, making it a matter of plugging in and turning on. Of course, if you have plenty of free time, but very little money, you might go for the book instead.
Re:VPN hardware
(Score:-1, Offtopic)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:17AM (#3077888)
Heck of a troll. Good Job!
Re:VPN hardware
(Score:2, Interesting)
by Cyno ( 85911 ) writes:
on Wednesday February 27, 2002 @04:38AM (#3078046)
...or if you're worried about security. I never trust commercial companies to deliver secure code. Specially if they keep it closed source. Unless you want to flash the rom on this thing every few weeks I'd just read up on a linux ppp over ssh solution and write some scripts to keep that software updated.
Re:VPN hardware
(Score:1)
by starpool ( 562363 ) writes:
on Wednesday February 27, 2002 @02:12PM (#3081956)
We started out making slow progress with FreeS/WAN trying to connect to a Raptor Firewall, and thought we'd try to take the easy way out and use two Linksys VPN Routers. Bottom line: the LVRs will only allow one Class C subnet access to the tunnel. Since we have multiple subnets at 4 different locations, the LVR is disqualified, at least for now. (Maybe Linksys will add this capability to future firmware.) So we're back to FreeS/WAN and Raptor...now if I can just get that book at my local BN.
What's wrong with PPTP?
(Score:4, Interesting)
by Jacco de Leeuw ( 4646 ) writes:
on Wednesday February 27, 2002 @04:06AM (#3077826)
PPTP is often used for 'road warrior' setups, i.e. people working from home or on the road. It's cheap because there are free (as in speech) PPTP servers for Linux and the Windows PPTP clients are free too (as in beer). In contrast, Windows IPSEC clients are often expensive.
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student has written software which can crack the password in a couple of hours on a Pentium II.
c't (Heise) reported about this.
--
-------
Warning: Slashdot may contain traces of nuts.
Re:What's wrong with PPTP?
(Score:2, Informative)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:19AM (#3077901)
It's Point-to-Point Tunneling Protocol and thus more limited than IPSec which can be used in routed mode and can connect arbitrary networks.
Re:What's wrong with PPTP?
(Score:3, Interesting)
by FallLine ( 12211 ) writes:
on Wednesday February 27, 2002 @04:25AM (#3077939)
Well firstly, Microsoft's implementation of PPTP is insecure, buggy on the client side (and the server side, where their server is used), and has a hard time supporting multiple clients in a NAT environment.
Secondly, a lot of older hardware has little to no support for the GRE protocol that PPTP depends on. Thus many people simply can't use it.
Thirdly, it's virtually impossible to get two people connecting to the same VPN behind the same NAT network on any hardware. The nature of GRE makes it very difficult since it has no concept of port to differentiate between packets, only source and destination IP. Unfortunately, NAT is very common these days so this really does matter.
Re:What's wrong with PPTP?
(Score:0, Troll)
by icedivr ( 168266 ) writes:
on Wednesday February 27, 2002 @09:44AM (#3080500)
If it's so insecure, why aren't people getting cracked all the time?
Secondly, since when does hardware support a networking protocol in the absence of software? Any machine that can run 95 or 98 can run PPTP. They have pretty modest hardware requirements by today's standards.
Thirdly, I have created multiple outbound pptp tunnels behind an ICS connection. It can be done.
Re:What's wrong with PPTP?
(Score:3, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @04:40AM (#3078066)
Just FYI, but Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such. Other systems, well, they are intended for home use that doesn't need that functionality.
--
XML is like violence. If it doesn't solve the problem, use more.
Wrong: Win2K IPSEC uses L2TP for tunneling
(Score:1)
by Xenophon Fenderson, ( 1469 ) writes:
<xenophon+slashdot@irtnog.org>
on Wednesday February 27, 2002 @06:24AM (#3078826)
Windows 2000/XP's support for IPSEC is limited to transport mode. Tunnelling is handled by Cisco's Layer 2 Tunnelling Protocol (L2TP). Unless FreeS/WAN and KAME now support L2TP, IPSEC VPNs using Windows-native clients are limited to routable IP addresses all the way around.
Now NAT is evil---ask my friends, I rant about it all the time---but in the real world, one must be able to tunnel VPN traffic at least in one direction (into the company). Without support for L2TP in FreeS/WAN or commercial IPSEC clients in Windows, one cannot currently do this.
Please, I beg you, prove me wrong. I've been struggling to get Windows IPSEC working with KAME for some time now. And my copy of Cisco's Unity VPN client doesn't work on XP.
--
I'm proud of my Northern Tibetan Heritage
Re:Wrong: Win2K IPSEC uses L2TP for tunneling
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @07:40AM (#3079371)
L2TPd for linux exists, separate from FreeS/WAN. Though commonly coupled with IPSEC, L2TP is separate. I have heard reports that FreeS/WAN+l2tpd can be used to provide the functionality you describe to have a pretty solid VPN with FreeS/WAN and Windows ends.
http://www.marko.net/l2tp/
A bit dated, but reportedly still functional...
Now as far as getting connectivity to Cisco with Windows with tunneling, I have no idea, never tried...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:What's wrong with PPTP?
(Score:2)
by Nailer ( 69468 ) writes:
on Wednesday February 27, 2002 @01:37PM (#3081785)
Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such
Excellent - do you have any documentation on how to do this?
Re:What's wrong with PPTP?
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @04:41PM (#3082448)
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html
contains some links, right now the tripod exceeded bandwidth, and that is the one with Windows interop. instructions, but I have seen it and it looks pretty solid.
--
XML is like violence. If it doesn't solve the problem, use more.
Re:What's wrong with PPTP?
(Score:2, Informative)
by jeremiahstanley ( 473105 ) writes:
<miah AT miah DOT org>
on Wednesday February 27, 2002 @04:45AM (#3078100)
With Win2k you can get this little patch and then you have a free as in beer IPSec implementation provided by Microsoft under Win2k. It even supports x509 certs. IPSec clients are not that expensive. Look at SSH Sentinel for another option. It even supports the newer AES ciphers (which I don't expect out of Microsoft for a long time) as added security.
For all of this you have to patch the code to use the newer ciphers. You can get that here and if you need to use x509 certs you can get that stuff here. This is all pretty easy if you have your druthers about compiling new kernels and working with OpenSSL.
Why this isn't in the kernel to begin with is anybody's guess. I would guess that it has something to do with all those pesky crypto export laws. Just like everything else in the ol US of A we have to sacrifice our freedoms so that we can be safe from the KGB and that one guy from Hackers.
--
Hire me...
Its damn slow
(Score:1)
by moankey ( 142715 ) writes:
on Wednesday February 27, 2002 @05:08AM (#3078275)
From testimonies of traveling whatevers the people always complain that PPTP is very sloooow. They preferred using RAS in place, albeit a very expensive phone bill.
Most were of course higher level execs so their complaining actually mattered.
Re:What's wrong with PPTP?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @05:19AM (#3078347)
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student [uni-freiburg.de] has written software which can crack the password in a couple of hours on a Pentium II.
Thank god I'm not in Germany!!!!
Re:What's wrong with PPTP?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @05:26AM (#3078396)
You can buy PGPnet (IPsec client) in most office depots , office max, or Circuit City for $39. It has the same functionality as the NAI version.
PGPnet
(Score:3, Informative)
by Jacco de Leeuw ( 4646 ) writes:
on Wednesday February 27, 2002 @05:37AM (#3078474)
That's because NAI doesn't know what to do with it. Could they be dumping the product for $39? They want to sell off some parts currently included with PGPnet. There's some uncertainty if you buy the product. Will they update it? Will they fix bugs?
--
-------
Warning: Slashdot may contain traces of nuts.
wireless PPTP == readable password file
(Score:1)
by nealmcb ( 125634 ) writes:
on Friday March 01, 2002 @04:59AM (#3091216)
The Heise article is in German, but refers to the original paper which is in English.
Normally, the file /etc/shadow (or /etc/password on old systems) is regarded one of the most vulnerable points of an unix system [Uni99]. If an attacker can obtain the information in this file, the system is nearly hacked. Using Microsoft's PPTP protocol, information about your passwords is not only publicly available, you also provide additional hints about the passwords, which allow to speed-up the attack by a factor of up to 2^16. With this said, it is clear why we believe Microsoft's PPTP implementation isn't suitable for securing wireless networks.
--Neal
Go IETF!
Problem is getting Management to go along
(Score:2, Interesting)
by Cy Guy ( 56083 ) writes:
on Wednesday February 27, 2002 @04:27AM (#3077946)
I think the priority should be getting management to understand the importance of using standard protocols instead of proprietary ones.
Having a book like this one is great if you want to familiarize yourself with the standards and how to implement them on Linux, but the much harder task is getting Management, particularly at larger companies, to see the benefit of implementing a standards based VPN where the users can use any standards based client over any TCP/IP network.
Instead what I see is managers that want to buy a single product that comes with both the server and client applications, but then doesn't work or is hard to implement when the clients are trying to access the VPN from a cablemodem, DSL, or 802.11 connected machine, and don't (God forbid) want to use MSIE and Citrix on Windows to get onto the office network.
--
Work for Change & GET PAID!
Re:Problem is getting Management to go along
(Score:0)
by MojoReisen ( 218327 ) writes:
on Wednesday February 27, 2002 @05:00PM (#3082501)
You've got that right.
We're tasked with supporting Citrix IE-ALE Windows VPN clients with FlowPoint modems or Instant Internet boxes over DSL. Of course it is completely unreliable.
The task is truly Herculean. They (vendors) all point their fingers at each other, and I'm waist-deep in IPSec, MTUs, etc. and all that other black magic.
--
"Nothing is impossible for the man who refuses to listen to reason"
Can't beat SSH
(Score:2, Insightful)
by schlach ( 228441 ) writes:
on Wednesday February 27, 2002 @04:27AM (#3077953)
for simple encrypted forwarding
LocalForward 8080 theproxy:8080
LocalForward 25 thesmtp:25
LocalForward 143 theimap:143
Don't forget your '-g' =)
SSH != VPN. That's a good thing.
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:32AM (#3078902)
We have a section about when a VPN is not what you need, and these are the exact kind of examples when a VPN is unnecessary overkill.
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway. Otherwise anyone in the world can use your encrypted tunnel.
Re:SSH != VPN. That's a good thing.
(Score:2)
by brassrat77 ( 9533 ) writes:
on Wednesday February 27, 2002 @09:33AM (#3080403)
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway.
This is an EXCELLENT POINT that CANNOT BE OVEREMPHASIZED.
I recently had to set up tunnels to allow a set of NAT'd workstations (laptops running a mix of Linux and W2K) to access a system on the inside of a remote firewall where SSH was the only available securable protocol. We needed to use the "-g" switch, and the need for filtering access was immediately apparent.
We ended up using a set of scripts to build the tunnel, including the necessary iptables rules.
As an aside, I'd check if hosts.allow|deny rules are sufficient - I think the ssh tunnel would make all connections appear to be coming from the host running the tunnel. (Can't check for myself right now)
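A concrete form of the filtering both Brian Hatch and brassrat77 describe, added here as an example (it is not code from the thread or from the book): a POSIX shell script that emits iptables rules restricting each "ssh -g" gateway port to an explicit list of client networks and then starts the tunnel. The tunnel host, the forwards (taken from schlach's LocalForward lines) and the allowed networks are placeholders. On the hosts.allow question: a connection leaving the tunnel arrives at theproxy, thesmtp or theimap with the source address of the SSH server, so tcp_wrappers on the destination cannot tell the clients apart; the source filter has to sit on the gateway host, which is what this script does.

```shell
#!/bin/sh
# Added example (not from the thread): restrict "ssh -g" gateway ports to an
# explicit list of client networks with iptables. TUNNEL_HOST, the forward
# specs and ALLOWED_NETS are placeholders for your own values.

# Emit the iptables commands for one gateway port: accept the listed source
# networks, then drop everyone else. Printing instead of applying lets the
# rules be reviewed first (pipe to sh to apply).
gateway_rules() {
    port=$1
    shift
    for net in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$net"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Extract the local listening port from a "localport:host:remoteport" forward.
forward_port() {
    printf '%s\n' "${1%%:*}"
}

# Build the ssh command line: -g listens on all interfaces (the gateway
# behaviour the thread warns about), -N runs no remote command, and one -L
# per forward spec.
tunnel_command() {
    host=$1
    shift
    cmd="ssh -g -N"
    for spec in "$@"; do
        cmd="$cmd -L $spec"
    done
    printf '%s %s\n' "$cmd" "$host"
}

# Apply the rules for every forward, then start the tunnel in the foreground.
# Only runs when invoked as "sh gateway.sh start", so the functions can be
# sourced or tested on their own.
start_gateway() {
    host=$1
    shift
    for spec in "$@"; do
        # ALLOWED_NETS is intentionally left unquoted so it splits into networks
        gateway_rules "$(forward_port "$spec")" $ALLOWED_NETS | sh
    done
    exec $(tunnel_command "$host" "$@")
}

ALLOWED_NETS=${ALLOWED_NETS:-"192.0.2.0/24 198.51.100.7"}   # placeholder networks
TUNNEL_HOST=${TUNNEL_HOST:-tunnelhost.example}              # placeholder host

if [ "${1:-}" = "start" ]; then
    start_gateway "$TUNNEL_HOST" 8080:theproxy:8080 25:thesmtp:25 143:theimap:143
fi
```

Two things to watch when applying this: `-A` appends, so if the INPUT chain already ends in an accept-everything rule, use `-I` or place these rules ahead of it; and if the gateway host itself should reach the forwarded ports, add 127.0.0.0/8 to ALLOWED_NETS, since the DROP rule otherwise catches loopback connections too.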
- The main problem with IPSEC... (Score:5, Insightful) by Junta ( 36770 ) writes: on Wednesday February 27, 2002 @04:48AM (#3078126)
IPSEC is wonderful, but many businesses don't think things through and use it for telecommuting. Why is this bad? Well, the way this works is that someone connects to the VPN system and gets a full tunnel that allows the authorized client to behave on the internal network as if it was actually there, bypassing the firewall. The problem here is pretty obvious. The client machine is not protected by a firewall, and so if the client is compromised, an attacker has a clear path straight past the firewall. So the effectiveness of the firewall is greatly reduced.
Now if you don't have a firewall protecting the network, this won't hurt, but if you do, then a solution like ssh is somewhat more secure, as you only set up the tunnels you absolutely need to very specific hosts. While there is still a risk, it is greatly reduced and strikes a good balance between usability and security.
What IPSEC *is* good for is seamlessly connecting sites together without really expensive dedicated lines securely. While it makes no guarantee as to bandwidth or availability, it does provide almost the same level of security. If a company can't afford lines to sites but still wants to expand, IPSEC is ideal. I use it to connect my home private network to a friend's home private network. The key here is that not only do you have to trust the clients whose keys you permit to connect, but you must also trust that the administrator of that client machine or network is sufficiently competent to keep his network secure, as the security of the two networks is tied a lot more closely together...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:1, Informative)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:58AM (#3078205)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
-m
Re:The main problem with IPSEC...
(Score:2)
by j7953 ( 457666 ) writes:
on Wednesday February 27, 2002 @07:19AM (#3079240)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
Well, but that doesn't prevent the telecommuter's computer from becoming compromised with some background logging software that'll collect information when connected to the company network, and send it to the attacker when connected to the internet.
Of course, using an SSH tunnel also doesn't solve that problem.
The only real option is to assign IPs from a different subnet to the telecommuters' home computers, and having a firewall between that subnet and the rest of the company network that'll not allow access to certain resources that are especially critical. And, of course, the telecommuters must be educated about the security issues.
--
Sig (appended to the end of comments I post, 54 chars)
-
Re:The main problem with IPSEC...
(Score:2, Informative)
by icedivr ( 168266 ) writes:
on Wednesday February 27, 2002 @05:10AM (#3078285)
Your beef can be easily solved by ensuring that the remote machine's default route is down the tunnel.
As far as I'm concerned, a bigger threat is the road warrior laptop not having adequate virus protection. (VP of Sales does insist on Windows, doesn't he?) Desktops behind the firewall presumably have multiple layers of protection in front of them, the road warrior, maybe not.
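One way to verify icedivr's condition on the client itself, added as an example and not code from the thread: a POSIX shell function that reads the output of `ip route` and reports whether the default route leaves through the tunnel interface (a full tunnel) or through the LAN interface (split tunnelling, the case the Anonymous Coward above says should be disabled). The routing tables below are constructed, and `tun0` stands for whatever interface your VPN client creates.

```shell
#!/bin/sh
# Added example (not from the thread): detect split tunnelling on a VPN client
# by checking which interface carries the default route. Interface names and
# the sample tables are placeholders/constructed.

# Print the device of the default route from "ip route" output read on stdin.
# Prints nothing if there is no default route.
default_route_dev() {
    awk '$1 == "default" {
             for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
         }'
}

# Classify a routing table for the given tunnel interface:
#   full-tunnel   default route leaves via the tunnel (what the post asks for)
#   split-tunnel  default route leaves via another interface
#   no-default    no default route at all
# The table text is passed as the second argument so a captured snapshot can
# be checked offline.
classify_routes() {
    tun_if=$1
    table=$2
    dev=$(printf '%s\n' "$table" | default_route_dev)
    if [ -z "$dev" ]; then
        echo no-default
    elif [ "$dev" = "$tun_if" ]; then
        echo full-tunnel
    else
        echo "split-tunnel ($dev)"
    fi
}

# Constructed sample: a laptop whose VPN only added a route for the office
# subnet, so Internet traffic bypasses the tunnel.
SPLIT_TABLE='default via 192.0.2.1 dev eth0 proto dhcp metric 100
10.1.1.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.23'

# Constructed sample: the same laptop after the VPN took over the default
# route; only the VPN gateway itself is still reached directly over eth0.
FULL_TABLE='default via 10.8.0.1 dev tun0
10.1.1.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.23
203.0.113.10 via 192.0.2.1 dev eth0'

# Check the live system when run directly: sh split-check.sh tun0
if [ -n "${1:-}" ]; then
    classify_routes "$1" "$(ip route)"
fi
```

Note the limit j7953 points out further down: a full tunnel only controls where traffic goes while the VPN is up. A host that was compromised while disconnected still walks in over the tunnel, so this check belongs alongside host-side controls, not in place of them.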
Re:The main problem with IPSEC...
(Score:2)
by Jacco de Leeuw ( 4646 ) writes:
on Wednesday February 27, 2002 @05:31AM (#3078432)
... a bigger threat is the road warrior laptop not having adequate virus protection.
Agreed. Especially trojans. So, how does one secure the terminal? Boot from Read Only media? Use a thin client?
--
-------
Warning: Slashdot may contain traces of nuts.
-
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes:
on Wednesday February 27, 2002 @05:29AM (#3078417)
So, you're saying the main problem with IPSEC is that it's not a magic bullet? Nothing is...get over it. I've heard people say the same about firewalls, saying how firewalls make people think that they're totally secure, so they no longer patch systems or pay attention. That may be true sometimes, but it's still not a valid argument that firewalls are flawed. Security isn't one box or one piece of software, and saying that one has a problem because it doesn't blanket everything is like criticizing deadbolts because thieves can still break a window to get into your home.
--
For your security, this post has been encrypted with ROT-13, twice.
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @06:53AM (#3079060)
Right, but I was saying that IPSEC is not only not a magic bullet (that is to be expected) but companies outright misuse the technology without any serious thought. They invest tons in making sure they have tight firewalls and policies that prohibit people from hooking up modems to the outside world (internet without firewall), and yet repeat the mistake in a different form time and time again. It would be nice to establish trusted connections to telecommuters, but it just simply can never be secure enough (well, maybe if the telecommuter is the same person who designed the corporate security and takes home security equally seriously, but not worth finding out).
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes:
on Thursday February 28, 2002 @03:15AM (#3084102)
I see your point, but at that stage of the game, it's not the technology that is to blame. Any solid technology will be a problem if it is not part of a sound, well-thought out implementation. There are ways around the problem as well, however; for example, Checkpoint VPNs can push a security policy out to the client upon connection, enforcing a firewall policy at the end point and prohibiting network communications between that point and any node besides the VPN gateway. But that's a whole other ball of wax, and returns to the issue of making wise choices when rolling out technology.
The bottom line is, VPNs make it possible to do things in business that aren't cost-effective any other way, and businesses are there to make money, not to be secure. It's a trade-off, and if the return outweighs the risk, it's worth the risk.
--
For your security, this post has been encrypted with ROT-13, twice.
-
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes:
on Wednesday February 27, 2002 @05:59AM (#3078631)
So the effectiveness of the firewall is greatly reduced
Don't you have the same exact problem with desktop machines on the LAN, inside the firewall? Seems to me that VPN-through-a-firewall doesn't introduce any vulnerabilities that you don't already have.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @06:38AM (#3078946)
But LAN machines have never been exposed to the internet. I am sure somebody can put some "fun" daemons up on a machine just waiting for a VPN connection.
-
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes:
on Wednesday February 27, 2002 @07:18AM (#3079239)
But LAN machines have never been exposed to the internet.
Ha hah hah ha! That's a good one.
Seriously, it must be nice to work at a place where they haven't heard of "Active Content" and no one uses products like Microsoft Word or Microsoft Outlook.
-- :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @07:48AM (#3079450)
When dealing with internal systems, you can enforce all kinds of policies about virus software, etc. You can keep it relatively boxed. With telecommuting, the clients not only have relaxed restrictions, but also are vulnerable while connected to the internet to the sort of attacks firewalls are meant to keep out. Normally, this wouldn't be too bad, but with a full tunnel, that machine will probably contain sensitive information itself and, for the duration of the connection, gives full access to a corporate network if compromised.
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @09:07AM (#3080140)
If you want to get legalistic about it:
Local Area Network by definition is not a Wide Area Network now is it? If you have a LAN you cannot be exposed to the internet or it is a WAN. If you run active content then you are running code on the LAN. Don't run unknown code on a LAN. If you are downloading something from the internet you are using a WAN interface are you not?
The point is you have a machine that has been directly exposed to the internet and now it is on your network and that is NOT the same thing. If I have to go to the head at a bus station I will finish my drink because I won't really know what it is when I get back.
-
Re:The main problem with IPSEC...
(Score:1)
by -audiowhore- ( 153163 ) writes:
on Wednesday February 27, 2002 @11:08AM (#3081115)
Bollocks! There are quite a few commercial VPN clients out there that either have a 'stateful' firewall engine (Check Point's Secure Client), and some others that support personal firewall software (the Cisco client has support for BlackICE and ZoneAlarm). The Cisco client can be configured to not install or initialise *unless* the personal firewall is installed/running.
--audiowhore
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @04:22PM (#3082392)
But then, how do you ensure the client is using approved software if you are using a standard like IPSEC? I know, corporate policy, but if people are at home, they might try more exotic things... In any event, clients configured like this are a good way to make IPSEC *better* for telecommuting, but the safest bet is to not have full network transparency, but instead only have selected services that telecommuters need and allow only those in your preferred method of access.
--
XML is like violence. If it doesn't solve the problem, use more.
- CIPE - a better solution. (Score:3, Informative) by ion++ ( 134665 ) writes: on Wednesday February 27, 2002 @05:18AM (#3078339)
I'm using CIPE for linux at work. It can be found at http://sites.inka.de/sites/bigred/devel/cipe.html or for windows at http://cipe-win32.sourceforge.net/.
It's a better solution because it doesn't run TCP over TCP, which can give a problem when retransmission occurs. With the right amount of bad luck, you can have double retransmission where both layers of TCP retransmit. CIPE runs completely over UDP to avoid this problem.
JonB
Re:CIPE - a better solution.
(Score:2, Insightful)
by ion++ ( 134665 ) writes:
on Wednesday February 27, 2002 @05:22AM (#3078367)
Oh yeah, I forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Furthermore it works with non-static ip address. Obviously one end needs to know the ip of the other end, but that's all which is needed.
JonB
Re:CIPE - a better solution.
(Score:1)
by The Darkness ( 33231 ) writes:
on Wednesday February 27, 2002 @06:29AM (#3078878)
Oh yeah, i forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Junta already posted a valid response to this statement.
Furthermore it works with non-static ip address. Obviously one end needs to know the ip of the other end, but that's all which is needed.
FreeS/WAN works great with non-static IP addresses. For example:
/etc/ipsec.conf:
conn netnet
    left=theirhost.dyn.dhs.org
    leftid=@theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    leftrsasigkey=....
    rightrsasigkey=....
    authby=rsasig
    auto=start
And in ipsec.secrets:
@myhost.dyn.dhs.org : RSA { ...
}
I have been using a similar configuration since the release of FreeS/WAN v1.5.
--
There are two kinds of people: 1) those that need closure
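A sanity check for the conn shape The Darkness shows, added as an example (it is not code from the thread or from FreeS/WAN): a POSIX shell script that pulls one conn section out of ipsec.conf and lists the parameters an rsasig-authenticated, dynamic-address conn still lacks. The point it enforces is the one the post relies on: when one side is %defaultroute or a dynamic DNS name, the peer authenticates the @fqdn id and the RSA key, not the address, so both ids and both rsasigkeys have to be present. The configs below are constructed, and the key strings are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeS/WAN): sanity-check a conn
# section of ipsec.conf before relying on it for a dynamic-address peer.
# The sample configs are constructed; key material is a placeholder.

# Print the "key=value" parameters of one conn section from ipsec.conf read on
# stdin. Section headers start in column 0, parameters are indented; comment
# lines are skipped.
conn_params() {
    awk -v want="$1" '
        /^[^ \t]/            { insect = ($1 == "conn" && $2 == want); next }
        insect && /^[ \t]*#/ { next }
        insect && /=/        { sub(/^[ \t]+/, ""); print }
    '
}

# List the parameters an rsasig-authenticated conn must carry but this one
# lacks. Both ids are required: with right=%defaultroute or a dynamic DNS
# name on either side, the @fqdn id is what the peer authenticates, not the
# address. Prints nothing when the conn is complete.
missing_rsasig_params() {
    conf=$1
    name=$2
    params=$(printf '%s\n' "$conf" | conn_params "$name")
    for key in left right leftid rightid leftsubnet rightsubnet \
               leftrsasigkey rightrsasigkey; do
        printf '%s\n' "$params" | grep -q "^$key=" || echo "$key"
    done
    if ! printf '%s\n' "$params" | grep -q '^authby='; then
        echo authby
    elif ! printf '%s\n' "$params" | grep -q '^authby=rsasig'; then
        echo 'authby (not rsasig)'
    fi
}

# Constructed: the shape of the conn from the post, with placeholder keys.
GOOD_CONF='config setup
        interfaces=%defaultroute

conn netnet
        left=theirhost.dyn.dhs.org
        leftid=@theirhost.dyn.dhs.org
        leftsubnet=10.1.1.0/24
        leftrsasigkey=0sAQPLACEHOLDERLEFT
        right=%defaultroute
        rightid=@myhost.dyn.dhs.org
        rightsubnet=10.1.2.0/24
        rightrsasigkey=0sAQPLACEHOLDERRIGHT
        authby=rsasig
        auto=start'

# Constructed: the same conn with the dynamic side left unidentified and a
# shared secret selected instead of RSA signatures.
BAD_CONF='conn netnet
        left=theirhost.dyn.dhs.org
        leftid=@theirhost.dyn.dhs.org
        leftsubnet=10.1.1.0/24
        leftrsasigkey=0sAQPLACEHOLDERLEFT
        right=%defaultroute
        rightsubnet=10.1.2.0/24
        rightrsasigkey=0sAQPLACEHOLDERRIGHT
        authby=secret
        auto=start'

# Check a real file when run directly: sh conn-check.sh /etc/ipsec.conf netnet
if [ -n "${2:-}" ]; then
    missing_rsasig_params "$(cat "$1")" "$2"
fi
```

The check is deliberately static: it tells you the conn is shaped correctly, not that the keys in it match what the peer has in ipsec.secrets, which only a real negotiation will show.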
-
Re:CIPE - a better solution.
(Score:2, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @05:39AM (#3078494)
Better solution than, say, ppp over ssh (a really dumb hack), but not better than IPSEC for most all applications.
IPSEC also does not run TCP over TCP, it uses udp for isakmp, and data is transmitted through custom protocols (numbers 50 and/or 51), *not* through TCP.
Another thing about IPSEC that works better than CIPE is that IPSEC more strongly authenticates the machine at the other end. This is why NAT breaks, because unlike CIPE, IPSEC works to ensure the packet has passed unmodified since leaving a known trusted host, and the very nature of NAT prevents this. Solution is simple, move the IPSEC gateway to either the NAT system or beyond. Though it is being pushed in many circles as a good solution for telecommuting, it really was never designed for that and that usage really spits in the face of firewalls.
Finally, CIPE lacks compatibility. Sure you can configure windows and linux boxes and maybe other platforms, but just try to connect to, say a CISCO router....
CIPE is a hack that creates more problems than it solves in the long run. PPP over ssh is worse, but a dumb idea, set up tunnels for specific tcp services that you need, more overhead, but security is better (not perfect, but better). For connecting networks together, a good architect can piece together an IPSEC solution that guarantees identity at other end of the pipe... CIPE offers the gaping hole that IPSEC can while not offering enough identification. So ssh or IPSEC remains the best solution, depending on the problem.
--
XML is like violence. If it doesn't solve the problem, use more.
- Duh, we cover cIPe in the book. (Score:2, Informative) by Brian Hatch ( 523490 ) writes: <<bri> <at> <ifokr.org>> on Wednesday February 27, 2002 @06:40AM (#3078953)
Ummm, we cover cIPe in the book. Would be a pretty crappy job if we hadn't.
- Answer? (Score:3, Funny) by sharkey ( 16670 ) writes: on Wednesday February 27, 2002 @05:29AM (#3078412)
Why does every book need to include the magic 'L' word in the title nowadays?
Because they have a better chance of getting posted to the Slashdot homepage?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Re:Answer?
(Score:1)
by Crusty Oldman ( 249835 ) writes:
on Wednesday February 27, 2002 @05:37AM (#3078476)
... Or they could just say "Perl" for a slamdunk.
- Crossplatform aspect? (Score:2, Interesting) by egghat ( 73643 ) writes: on Wednesday February 27, 2002 @05:51AM (#3078571)
How is the crossplatform aspect covered? There are hundreds of possible solutions for VPNs out there, but if you want something that works on *nix, Windows and Mac (Classic and X) and is free and open, the range of products to choose from gets small
...
For example, I couldn't find a free IPSEC client for Windows.
Any new hints from this book?
Thanks in advance.
egghat.
--
"As a human being I claim the right to be widely inconsistent", John Peel
Re:Crossplatform aspect?
(Score:3, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @05:53AM (#3078587)
IPSEC "clients" for Windows:
PGPnet- commercial and free versions. Free version doesn't do complicated routing stuff
Windows 2000 and newer have built in IPSEC capabilities.
Both these methods can interact with CISCO, OpenBSD, and FreeS/WAN.
IPSEC is the best shot you have at a cross-platform standard. --
XML is like violence. If it doesn't solve the problem, use more.
Re:Crossplatform aspect?
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:28AM (#3078871)
Most of the VPN topics we cover translate easily and directly to other Unix systems. Some small differences are OS specific. You don't enable ip forwarding with
/proc on solaris, for example, but the software configuration, routing examples, etc, are the same.
We discuss PPTP s.t. you can communicate with PPTP-only Windows clients. You can run IPSec software on more recent versions of Windows, however describing how to do so would probably increase the size of the book by several hundred pages, not counting the fact that we'd have lost some serious sanity in the process.
So when cross platform == unix-like systems, this book does it for you. When cross platform == non unix, you're on your own.
- Semi-OT: any ISPs that route a VPN connection? (Score:1) by Sloppy ( 14984 ) writes: on Wednesday February 27, 2002 @06:06AM (#3078670)
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.) Doesn't have to be free beer.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:Semi-OT: any ISPs that route a VPN connection?
(Score:2)
by disappear ( 21915 ) writes:
on Wednesday February 27, 2002 @09:42AM (#3080488)
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.)
Why would you want to do that? Not only will it slow down your network connection, but I suspect that it should be fairly easy to do traffic analysis to determine which traffic was yours in the first place, even at a busy ISP...
- Has anybody used isakmpd on Linux (Score:2) by Chang ( 2714 ) writes: on Wednesday February 27, 2002 @06:06AM (#3078673)
Anybody out there have any success compiling and using OpenBSD's isakmpd on Linux?
I really need to use aggressive mode but the patches for freeswan are ancient/unmaintained.
A pointer would be greatly appreciated.
- ssh + ppp = vpn (Score:1) by hopeless case ( 49791 ) writes: <{christopherlmarshall} {at} {gmail.com}> on Wednesday February 27, 2002 @06:11AM (#3078722)
Here's this script I use to setup a quick and dirty VPN between my workstation at work and my home PC. It has to originate from work to get through the firewall but once setup, of course, packets can flow both ways. I call the script ssh-vpn.
You have to setup ssh correctly with rsa keys before it will work. You also have to download pty-redir. See the VPN mini how-to for more details.
#!/bin/bash
# ssh-vpn: quick-and-dirty ppp-over-ssh link. Arguments: the remote ssh host,
# the IP to give the remote end of the link, the IP to give the local end.
REMOTE_HOST=$1
REMOTE_IP=$2
LOCAL_IP=$3
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
echo "usage: $0 REMOTE_HOST REMOTE_IP LOCAL_IP" >&2
exit 1
fi
# this file holds the slave pty that the local pppd needs;
# mktemp avoids a predictable /tmp name that another local user could pre-create
tmpfile=$(mktemp) || exit 1
trap 'rm -f "$tmpfile"' EXIT
# start remote pppd (-1 selects SSH protocol 1, as in the original setup; it is long deprecated)
/usr/local/bin/pty-redir /usr/bin/ssh -1 -o 'Batchmode yes' -t -l root "$REMOTE_HOST" \
/usr/sbin/pppd local "${REMOTE_IP}:${LOCAL_IP}" 2> "$tmpfile"
# give the remote pppd process a little time to send its first connect request
sleep 5
# start local pppd on the slave pty that pty-redir reported
/usr/sbin/pppd $(cat "$tmpfile") passive
# the trap above removes the file that held the slave pty file name on exit
sleep 5
The pty-redir hack is dead.
(Score:1)
by Brian Hatch ( 523490 ) writes:
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:20AM (#3078799)
No offense, but anyone still relying on pty-redir should really use a more recent version of pppd which has the '-p' option to create a pty on its own.
The ppp over (ssh/ssl) stuff in the book is much more complete, allowing you to make more than one connection, doesn't rely on best-guess 'sleep X' timeouts, and walks you through setting up ssh securely s.t. it can only be used to create the VPN, and doesn't require logging in as root from either endpoint.
Re:The pty-redir hack is dead.
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:08AM (#3079628)
Thanks for the info on "-p". I didn't know about that.
You are correct, of course, about the flaws of my scheme, but you'd be amazed how well it works for my purposes. I work from home and need to get access to my work machines through the firewall.
Using my 128k DSL connection to the net, I can do a lot this way, including using VNC acceptably.
I wouldn't recommend it for any production environment, but for simple things it more than fits the bill.
-
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @06:26AM (#3078840)
Here's a link to a tgz file of the pty-redir source and compiled utility:
http://www.hopelesscase.com/pty-redir.tgz
I had to modify it to get it to work so in the interests of saving time, I'm posting it here.
Re:ssh + ppp = vpn
(Score:4, Informative)
by Junta ( 36770 ) writes:
on Wednesday February 27, 2002 @07:14AM (#3079217)
Of course, ppp over ssh is a bad thing, ugly and bad. For most traffic, you have this topography:
TCP over IP over ppp over ssh over TCP over IP, etc...
Note the fact that we have TCP over TCP, which is bad, very very bad. If a packet gets lost, we have two layers doing the same thing to restore a connection and things can get stalled out quickly....
ssh's built in tcp tunneling suffices for most remote access applications. For a true VPN, IPSEC is the only good way to go. Other things like CIPE certainly work better than ppp over ssh, but still lack in certain features things that IPSEC does. Then again, if you have to build a VPN where you need to modify packets in transit (i.e. NAT), CIPE is a viable alternative if you don't mind that packets could be mangled by more than just the NAT gateways and CIPE wouldn't care, but I personally want to ensure the highest security with IPSEC...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes:
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:10AM (#3079657)
Yes, it leads to poor performance and an unstable link. Still, for my purposes (connecting from home to my work machines through a firewall over a DSL line at 128kbps), you'd be surprised how useful it is.
IPSec would be better but I would have a lot to learn and experiment with before I could use it. The ssh+ppp solution is much easier.
- Right in time. (Score:2) by Bender Unit 22 ( 216955 ) writes: on Wednesday February 27, 2002 @07:06AM (#3079151)
I have just been playing with IPSec for the last couple of days and wanted to buy a book on the subject. While I managed to successfully make a VPN connection between 2 machines, I still need to read a great deal about what's under the hood.
So I looked at amazon also thinking that I could not go wrong with a book from O'Reilly, but after looking at the few stars it got I had been looking at this book and the one from RSA. Well, that does it. I'm getting this one. :)
Re:Right in time.
(Score:2)
by gmhowell ( 26755 ) writes:
<gmhowell@gmail.com>
on Wednesday February 27, 2002 @09:44AM (#3080503)
Ditto. Need to work from home. What I should do is wireless (only 2 miles between home and work) but the county has something against cutting down all of those trees...
--
Jesus was all right but his disciples were thick and ordinary. -John Lennon Parent Share twitter facebook linkedin
First Widener!!!
.I .like .wide .pages .I .wish .all .pages .could .be .as .wide .as .this .dont .you .wide .pages .are .much .cooler .than .those .narrow .pages .you .are .used .to .reading .because .you .dont .have .to .worry .about .the .lameness .filter .telling .you .that .you .don't .have .enough .charaters .per .line .that .really .sucks .when .that .happens .and .you .have .to .put .some .lame .lameness .filter .defeater .text .in .there .i .wonder .how .many .people .will .read .this .whole .comment .I .certainly .hope .it .doesnt .annoy .too .many .people .This .is .just .the .beginning .because .PAGE .WIDENING .IS .BACK
- Marco- 10th post (Score:-1, Offtopic) by Anonymous Coward writes: on Wednesday February 27, 2002 @03:35AM (#3077644) I claim this early post for JinWicked!
- Is it as good as New Riders' MySQL book? (Score:0) by Anonymous Coward writes: on Wednesday February 27, 2002 @03:36AM (#3077649) New Riders' MySQL book is mighty fine; if this is half as good it'll be worth reading
-
Re:Is it as good as New Riders' MySQL book?
(Score:0)
by SweetAndSourJesus ( 555410 ) writes:
<JesusAndTheRobot.yahoo@com>
on Wednesday February 27, 2002 @03:44AM (#3077697)
Agreed, that was a surprisingly good book. Their php book (can't recall the title) sucked, though. They spent too much time on programming style and whatnot; things that really weren't php-specific. That's all fine and dandy, I guess, but when I buy a book about php, I'd like it to be about php.
--
the strongest word is still the word "free"
-
Re:Is it as good as New Riders' MySQL book?
(Score:0, Redundant)
by PoiBoy ( 525770 ) writes:
<brian@poiholdi n g s . com>
on Wednesday February 27, 2002 @04:04AM (#3077810)
I haven't read the New Riders' book on VPN's yet, but I have found this publisher's other books (including the one on MySQL) to be extremely well written and accessible and usable by both newbies and experienced users.
-
Re:Is it as good as New Riders' MySQL book?
(Score:2)
by einhverfr ( 238914 ) writes:
<.moc.liamg. .ta. .srevart.sirhc.>
on Wednesday February 27, 2002 @04:29AM (#3077971)
Not to mention their GTK/Gnome Development book.
I have as much respect for New Riders as I do for O'Reilly.
--
LedgerSMB: Open source Accounting/ERP
- ep (Score:-1) by bitchslapboy ( 193543 ) writes: on Wednesday February 27, 2002 @03:37AM (#3077652) This early post for Ida! --
Slashdot - contra bonos mores
- first dead penis bird (Score:-1) by neal n bob ( 531011 ) writes: on Wednesday February 27, 2002 @03:38AM (#3077655) man this site really, really sucks. Hardly makes it worth mentioning that you can kiss my grits.
-
Re:first dead penis bird
(Score:-1)
by Dead Penis Bird ( 524912 ) writes:
on Wednesday February 27, 2002 @03:43AM (#3077687)
You said it! Even the FP's have gotten boring. Methinks we need to spice it up a bit.
--
If I weren't nailed to the penis, I'd be pushing up the daisies!
- What's complicated about FreeSWAN? (Score:4, Interesting) by Anonymous Coward writes: on Wednesday February 27, 2002 @03:39AM (#3077660) They have excellent documentation and they keep the documentation trees for older versions online. Installation is as complicated as running a script and installing the recompiled kernel, if even that. I guess it never hurts to have more documentation, but saying that IPSec is "a difficult beast to ride" produces more awe than necessary.
- Re:What's complicated about FreeSWAN? (Score:-1, Offtopic) by Anonymous Coward writes: on Wednesday February 27, 2002 @03:45AM (#3077703) Overrated, maybe. But redundant?
-
Re:What's complicated about FreeSWAN?
(Score:5, Insightful)
by Starship Trooper ( 523907 ) writes:
on Wednesday February 27, 2002 @03:49AM (#3077724)
What's complicated about FreeSWAN?
Well, a LOT. Not if you're deeply involved technically in the project, but if you back out and take the perspective of someone who's never used a VPN, plenty.
A lot of people don't even think about the fact that there's a separate protocol field in IP, or that people run any IP protocol but UDP or TCP. Getting 50/51 through your existing firmware firewall can be a real trick. FreeSWAN requires you to have the GNU Multi-Precision library installed for the crypto calculations before you compile it. Unless your distro comes with FreeSWAN, you have to recompile your kernel with modifications.
And, like many tools, there's no single graphical GUI; unlike SAMBA's excellent SWAT, there's nothing to lead you to ipsec.conf or ipsec.secrets. There's a LOT of reading to be done.
Ok, so, for you or me, it's easy. Maybe a day of reading tops. But compare that to the commercial world where an application must install and be configured from a GUI in a few hours, and FreeSWAN is... nearly a toy. It's unusable in a business environment. As soon as you say "compile", a CTO is going to turn down your volume.
It's cool, but don't call it uncomplicated. That's part of its coolness (-;
--
Loneliness is a power that we possess to give or take away forever
-
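The point above about the IP protocol field is the one that trips up most first-time IPsec deployments: ESP and AH are IP protocols 50 and 51, not TCP or UDP ports, so a port-only firewall lets the IKE negotiation on UDP/500 through and then silently drops every tunnel packet. The following is an added example (not from the thread and not FreeS/WAN code): a minimal IPv4 classifier run over constructed packets, showing what a filter in front of a gateway has to recognise. The addresses and payloads are constructed test data; the protocol numbers and the IKE port are the IANA-assigned values.

```python
"""Classify IPv4 packets by the protocol number an IPsec passthrough firewall must allow."""
import socket
import struct

# IANA-assigned protocol numbers and the IKE port.
IPPROTO_ESP = 50   # Encapsulating Security Payload: the encrypted tunnel traffic
IPPROTO_AH = 51    # Authentication Header
IPPROTO_UDP = 17
IPPROTO_TCP = 6
IKE_PORT = 500     # ISAKMP/IKE key exchange runs over UDP


def build_ipv4(proto, src, dst, payload=b""):
    """Build a minimal IPv4 header (no options) in front of payload. Constructed test data only."""
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 words (20 bytes)
        0,                     # DSCP/ECN
        total_len,
        0,                     # identification
        0,                     # flags + fragment offset
        64,                    # TTL
        proto,                 # the protocol field the comment above refers to
        0,                     # checksum left zero: not validated here
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def build_udp(sport, dport, data=b""):
    """Minimal UDP header (checksum 0) in front of data. Constructed test data only."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def classify(packet):
    """Return 'esp', 'ah', 'ike', 'udp', 'tcp' or 'proto-N' for one IPv4 packet.

    Raises ValueError for packets too short to carry the headers they claim,
    which a filter should drop rather than guess about.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl = packet[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    proto = packet[9]
    if proto == IPPROTO_ESP:
        return "esp"
    if proto == IPPROTO_AH:
        return "ah"
    if proto == IPPROTO_UDP:
        if len(packet) < ihl + 8:
            raise ValueError("truncated UDP header")
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        return "ike" if IKE_PORT in (sport, dport) else "udp"
    if proto == IPPROTO_TCP:
        return "tcp"
    return "proto-%d" % proto


def passthrough_needs(packets):
    """Summarise which firewall allowances a set of packets needs.

    A filter that only understands TCP and UDP ports drops ESP/AH outright; the
    usual symptom is a tunnel that negotiates fine (IKE on UDP/500 gets through)
    and then carries no traffic.
    """
    kinds = sorted({classify(p) for p in packets})
    return {
        "kinds": kinds,
        "needs_protocol_rules": any(k in ("esp", "ah") for k in kinds),
        "needs_udp_500": "ike" in kinds,
    }


if __name__ == "__main__":
    # Constructed sample: one IKE datagram and one ESP packet between two gateways.
    sample = [
        build_ipv4(IPPROTO_UDP, "192.0.2.10", "198.51.100.20", build_udp(500, 500, b"\x00" * 28)),
        build_ipv4(IPPROTO_ESP, "192.0.2.10", "198.51.100.20", b"\x00" * 16),
    ]
    print(passthrough_needs(sample))
```

The classifier deliberately refuses truncated headers instead of defaulting to "allow"; on a real gateway that decision belongs to the packet filter, but the rule is the same: match on the protocol number first, and only then on ports.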
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by smcavoy ( 114157 ) writes:
on Wednesday February 27, 2002 @04:30AM (#3077979)
I use Freeswan in a production environment. I have Embedded Linux routers using freeswan connecting to Linux boxes. The VPNs are relatively simple, 2 outgoing connections to central systems. I did find there was a large learning curve at the beginning, but now it takes 5 min to set up a new vpn tunnel. The systems have been extremely reliable. I've never had a problem (other than net congestion) with keeping the tunnels up. A lot of the tunnels have 80+ days of uptime. As for compiling, most modern distros include IPSec (trustix, mandrake, etc.) or there are options like Astaro. Having a CTO "turn down your volume" based on the fact that you have to compile software doesn't say anything about the quality or reliability of the software; that's a personal decision by the CTO not to use OSS. I do agree it's not point and click, and that would be nice, but to say it's unusable in a business environment is just untrue. It's not pretty but it works, and works well.
-
Re:What's complicated about FreeSWAN?
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @04:54AM (#3078169)
How right you are. As a system admin that has always used windows or dos, I am trying to change. I want to start using some Linux servers here, but one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI? Heck yes. Do I still want access to the .conf file? Heck yes. These problems are around a lot in the Linux community. The people that have always used linux do see it as hard and some don't want us new people to whine because it is not "dumbed down", but on the other hand they want all of us to switch to it. I don't want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I don't want to have to spend 1-2 days reading ALL the docs just to know where to start. Just my 2 cents.
Let the flames begin!!!!
-
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes:
on Wednesday February 27, 2002 @05:03AM (#3078246)
one of the things that I want to use is free/swan. It does seem great, but as a 1 person IT department I have not found the time that I need to read and understand the documentation on swan. Do I want a GUI Heck yes.
With security software in general, and VPN software in particular, that's a very, very dangerous attitude: a GUI may fool you into thinking that you understand what's going on when in reality you haven't a clue. With most software, that's not an issue, but with security software, that can compromise the very goal you're trying to achieve.
I dont want to do away with the command line at all. I love it for a lot of what I do, but when I want to make changes or try out some new tools I dont want to have to spend 1-2 days reading ALL the docs just to know where to start.
How many days do you want to spend cleaning up after a security incident that occurred because the GUI let you get away without spending two days reading documentation? How much time will you save in the long run if every time you save two days reading documentation you spend three days cleaning up?
(We lose money on every item --- but we make it up in volume!)
-
Re:What's complicated about FreeSWAN?
(Score:1)
by BeNude ( 28969 ) writes:
on Wednesday February 27, 2002 @11:15AM (#3081147)
I would disagree with you about the usefulness of a GUI to implement VPN's or firewalls.
First of all, a GUI interface, if it is well-designed, can provide every bit as much control over the underlying security behavior of a firewall as any command-line interface. Furthermore, a GUI allows an administrator to spend less time trying to deal with syntax, etc., and more time on building a ruleset that is secure.
Someone who has done the reading and understands how firewalls and VPN's work will appreciate a GUI because of this.
For those who don't fully understand how firewalls and VPN's work, a GUI at least provides a reasonable learning environment and early attempts at a ruleset will probably be more secure anyhow. :)
-
Re:What's complicated about FreeSWAN?
(Score:3, Insightful)
by disappear ( 21915 ) writes:
on Wednesday February 27, 2002 @12:30PM (#3081528)
I would disagree with you about the usefulness of a GUI to implement VPN's or firewalls.
I never said a GUI wasn't useful to implement VPNs. Just that it was dangerous to implement them without reading the documentation, a problem that a GUI makes worse only because it tricks people into thinking they can get away without it.
-
IANACLB
(Score:4, Interesting)
by hey! ( 33014 ) writes:
on Wednesday February 27, 2002 @06:21AM (#3078804)
IANACLB (I Am Not a Command Line Bigot), but doing better than a CLI interface in an area like this is a tall order. It's not something you can just slap onto the product in a few days (as most VPN box configuration GUIs I've seen appear to be).
The problem with the GUI interfaces I have seen is that they really don't give you any effective conceptual support. You have to figure out the topology and requirements of your network, then you do this bit of intellectual gymnastics that turns these global requirements and properties into settings for each individual box, THEN you sit down at your GUI. At that stage, the GUI can have very little benefit, since you are talking about a half dozen relatively simple commands you need to type in. In fact, typing them in means you can keep them in a little word processor file and send them to the box over and over again with little changes -- good for setting up multiple boxes or for playing around with a single box you are repeatedly pin-resetting.
To really help a person like you who doesn't have time to bone up on every box you are working with, what you really need is something that is kind of a cross between a network management system and a CAD system. You would sketch out your network, and drop little dollops of distinctively colored "paint" on each network or host that needs to participate in some virtual network. The system would then output configurations to download to each of the participating firewalls or hosts.
A GUI that just configures an individual box does practically nothing for you.
--
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
-
Where to get Freeswan packages for Red Hat
(Score:2)
by Nailer ( 69468 ) writes:
on Wednesday February 27, 2002 @10:47AM (#3080965)
Unless your distro comes with FreeSWAN, you have to recompile your kernel with modifications.
Non-US distributions like SuSE and Debian can include Freeswan in their list of apps. US based ones like Red Hat can't. But some lovely fellows at Steambaloon (a Linux security consulting firm - no, I work for someone else) produce source and binary packages of the original and updated Red Hat kernels (with the AC patches, extensive testing, and old 2.4 VM) with Klips, the kernel level part of ipsec, compiled in.
-
How stupid is the CTO?
(Score:1)
by SharpNose ( 132636 ) writes:
on Wednesday February 27, 2002 @11:21AM (#3081178)
Let's see: provided I know FreeSWAN, I can grab a machine and start setting it up immediately. If I want to get something commercial and very expensive, I have to fill out how many forms, get approval from how many people, wait for it to get ordered how long? Exactly where are you starting your clock when you say "configured from GUI in a few hours?"
-
Re:What's complicated about FreeSWAN?
(Score:3, Interesting)
by LWolenczak ( 10527 ) writes:
<julia@evilcow.org>
on Wednesday February 27, 2002 @04:25AM (#3077934)
The FreeS/WAN people don't document everything that you can do with frees/wan. It's very neat when you get down to the point where you're playing with dozens of tunnels configured every which way.
One of the things that they don't tell you how to do, I guess so they don't get asked questions, is how to put gre traffic inside of an ipsec tunnel and make it work right. Also, it seems to have slipped by that you CAN make two linux 2.4 secure gateways talk to each other over the ipsec tunnel.
I have a couple samples of some of the neat things I have done at http://lwolenczak.net/ipsec.html
-
Re:What's complicated about FreeSWAN? (Score:3, Interesting)
by Etyenne (4915) on Wednesday February 27, 2002 @05:40AM (#3078498)
Complicated things with FreeSWAN:
- Client behind NAT
- Left/Right side nomenclature really confuses me; they could have used "peers" or client/server, I don't know
- Recompiling the kernel; easy if you have a single box, quite hard when you manage 30+. Plus it requires you to commit the sin of rebooting the machine.
At work, we have chosen CIPE for Linux-Linux VPN. It is totally userland, comes stock on recent Red Hat versions and is available as an RPM; all that makes it easy to install and upgrade on a lot of machines. Plus the config file is really dumb-proof. We are stuck using PPTP for Windows-Linux VPN because that's all the Windows monkeys know about.
--
:wq
Re:What's complicated about FreeSWAN? (Score:1)
by pivo (11957) on Wednesday February 27, 2002 @06:17AM (#3078772)
From my understanding of FreeSWAN, it's not intended to connect many machines to a central point, for example a VPN for home machines connected to a central office. It's intended to link offices together. So you should only have to install it on the specific machines that link those offices. If your company's so big or dispersed that you have thirty offices, then I guess you would have to recompile each kernel, though you'd be smarter to have identical machines and build the kernel once, then distribute it to each machine.
We use PPP over SSH for our home/office VPN for Linux and Solaris. It works very well, and since it was originally a skunkworks project, we didn't even have to get IT to open any new ports since SSH was already supported.
Re:What's complicated about FreeSWAN? (Score:2)
by LinuxGeek8 (184023) on Wednesday February 27, 2002 @06:57AM (#3079084)
I have been struggling for some time now to get it going, but I still do not understand how it works.
On my end I have a Linux firewall with iptables.
And what I could not figure out is what to do with the packet filtering: do I need to accept traffic over 50/ip on the ipsec0 interface or the eth0 interface? Same question for the 500 udp/ip traffic.
And the other part of the network is connected to a FreeBSD server with racoon running. That is a completely different IPsec implementation. At least for configuring it is different.
I believe running a packet filter is quite hard if you want to do it right. You have to understand networking and just play with it for a few weeks just to understand it.
If anyone would tell me he has a secure packet filter running, but cannot explain how it works, I just cannot believe it. You just have to know what you are doing.
Same with IPsec.
IPsec is not only networking, but also crypto.
So there is more you need to know about it, and it adds extra complexity to firewalling.
--
Well, don't worry about that. We can get you back before you leave. (Dr. Who)
Re:What's complicated about FreeSWAN? (Score:1)
by pfunkmallone (89539) on Thursday February 28, 2002 @09:44AM (#3086925)
On your eth0 interface of the firewall, you need to allow 500 udp, and 50 tcp (if you're using ESP, which is the default). This allows the IPSEC peers to set up the tunnel. http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/firewall.html
According to the FreeSwan folks, no firewalling NEEDS to be done on the ipsec0 interfaces, as all packets coming through this tunnel are already being disassembled and "cleaned-up" by freeswan itself.
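As an added illustration of the outside-interface filter discussed above (example code, not from the thread or from the FreeS/WAN documentation), the script below generates the iptables rules for a FreeS/WAN gateway. One caveat a practitioner should know: IKE is UDP port 500, but ESP and AH are IP protocols 50 and 51, not TCP ports, so they are matched with -p 50 and -p 51. The interface name, peer address and subnets are constructed placeholders, and the script also restricts what the remote subnet may reach through ipsec0, which the post says is not strictly required but which limits the damage from a compromised remote site.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeS/WAN: print the iptables
# rules a FreeS/WAN security gateway needs. Interface names, the peer
# address and the subnets are constructed placeholders.
#
# On the outside interface the gateway must accept IKE (UDP port 500,
# source and destination), ESP (IP protocol 50) and AH (IP protocol 51)
# from the remote security gateway only. ESP and AH are IP protocols,
# not TCP ports, hence "-p 50" / "-p 51".
# On the tunnel interface (ipsec0, FreeS/WAN's KLIPS device) we still
# restrict which subnets may talk, and drop decrypted packets that claim
# to come from our own subnet (spoofed inner source).

ipsec_gateway_rules() {
    wan_if="$1"     # outside interface, e.g. eth0
    peer="$2"       # remote security gateway address
    remote_net="$3" # subnet behind the remote gateway
    local_net="$4"  # subnet behind this gateway
    cat <<EOF
iptables -A INPUT -i $wan_if -p udp -s $peer --sport 500 --dport 500 -j ACCEPT
iptables -A OUTPUT -o $wan_if -p udp -d $peer --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -i $wan_if -p 50 -s $peer -j ACCEPT
iptables -A OUTPUT -o $wan_if -p 50 -d $peer -j ACCEPT
iptables -A INPUT -i $wan_if -p 51 -s $peer -j ACCEPT
iptables -A OUTPUT -o $wan_if -p 51 -d $peer -j ACCEPT
iptables -A FORWARD -i ipsec0 -s $local_net -j DROP
iptables -A FORWARD -i ipsec0 -s $remote_net -d $local_net -j ACCEPT
iptables -A FORWARD -o ipsec0 -s $local_net -d $remote_net -j ACCEPT
iptables -A FORWARD -i ipsec0 -j DROP
iptables -A FORWARD -o ipsec0 -j DROP
EOF
}

# Stand-alone usage (constructed values):
#   ./ipsec-rules.sh eth0 192.0.2.1 10.2.0.0/24 10.1.0.0/24        # print
#   ./ipsec-rules.sh eth0 192.0.2.1 10.2.0.0/24 10.1.0.0/24 | sh   # apply
if [ $# -eq 4 ]; then
    ipsec_gateway_rules "$1" "$2" "$3" "$4"
fi
```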
Women of the world, Stop sucking dick! (Score:-1, Troll)
by Anonymous Coward on Wednesday February 27, 2002 @03:46AM (#3077705)
Women of the world, it is time to stop sucking dick! Sucking dick is the ultimate act of subservience; a woman sucking dick not only gets no orgasm for her work, but gets a mouthful of what can only be described as warm rancid milk for her efforts. This sexual slavery must be stopped! Women, reclaim your mouths, and STOP SUCKING DICK!
Re:Women of the world, Stop sucking dick! (Score:-1)
by SweetAndSourJesus (555410) <JesusAndTheRobot.yahoo@com> on Wednesday February 27, 2002 @04:07AM (#3077832)
blasphemer.
I'm a guy. Can I still suck dick? I really enjoy sucking cock, as do many of my female friends.
--
the strongest word is still the word "free"
Re:Women of the world, Stop sucking dick! (Score:-1, Offtopic)
by Anonymous Coward on Wednesday February 27, 2002 @04:07AM (#3077834)
So, this means you prefer getting your dick sucked by men, right?
Alan Thicke. DEAD. (Score:-1)
by Alan_Thicke (553655) on Wednesday February 27, 2002 @03:47AM (#3077709)
I just heard the sad news on CBC radio. Comedy actor/writer Alan Thicke was found dead in his home this morning. Even if you never liked his work, you can appreciate what he did for 80's television. Truly a Canadian icon.
He will be missed :(
--
Show me That Smile (The Growing Pains Theme Song): Show me that smile again. Ooh show me that smile. Don't waste another minute on your crying. We're nowhere near the end. We're nowhere near. The best is ready to begin. As long as we got each other, we got the world sitting right in our hands. Baby rain or shine; all the time. We got each other, sharing the laughter and love.
why? (Score:0)
by tplayford (308405) <tom@sai[ ]taly.com ['l-i' in gap]> on Wednesday February 27, 2002 @03:51AM (#3077734)
I'm sure this book is very useful etc. But I've set up several international Linux-based VPNs now and it really isn't that difficult.
I suppose this is the same for almost all computer books, easy if you know how...
Re:why? (Score:2, Insightful)
by MonkeyBot (545313) on Wednesday February 27, 2002 @04:09AM (#3077844)
Sometimes, there are special constraints on the networks you are working with. For instance, I need to use stuff that uses IP, but since PPP over SSH is strictly TCP, I can't use that option. Moreover, my boss is a paranoid guy that doesn't trust some 24-year-old punk (me) to run his firewalls, so both offices have managed firewalls through different ISPs, ruling out the possibility of a single ISP routing traffic over its network to the other office so that I don't have to do anything. This adds additional constraints because since I can't control the firewall without going through pains with both ISPs for several days, I can't even open a port for something like PPTP (which I really wouldn't want to do anyway). Granted, I can probably find out what I need to know from a Google search, but it would be nice to have all the common VPN solutions covered--even just introduced--in a book format. I'm buying it.
Re:why? (Score:2)
by Junta (36770) on Wednesday February 27, 2002 @08:10AM (#3079648)
Of course, ppp over ssh implies a full IP tunnel using ppp with ssh underneath, IP in TCP encapsulation, essentially. You get full IP functionality this way, though the architecture is horribly flawed (TCP connections run with TCP somewhere underneath, very bad when packets get lost and two layers start doing recovery).
Now ssh without ppp on top supports only TCP tunnels; I'll assume that is what you are talking about. A statement that says you need to use IP, but you only get TCP sounds really goofy, since TCP rides on top of IP; phrasing it with the protocols you need (i.e. udp, icmp, etc) would have made the post more sensible (that and omitting ppp...). If I heard someone make the statement you just made I wouldn't trust them with firewall configuration either...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:why? (Score:2)
by Pii (1955) <jedi.lightsaber@org> on Wednesday February 27, 2002 @08:31AM (#3079810)
What do you mean, "PPP over SSH is strictly TCP?"
Are you saying that ICMP, or UDP, traffic is unable to utilize this tunnel?
That is certainly not correct. Just as PPP carries all of your IP traffic (any protocol) between your home and your ISP, a PPP over SSH tunnel will also carry whatever you need it to.
--
For those that would die defending it, Freedom has a sweet taste that the protected will never know.
Re:why? (Score:2)
by Bender Unit 22 (216955) on Wednesday February 27, 2002 @07:13AM (#3079206)
It's not when it works that you need the books. It's when it doesn't work that you'd wish you had the book.
I have configured a VPN with the help of a HOW-TO page and it worked. But when you want to do larger setups in the "real" world, all kinds of questions and demands come to mind, and it's nice to be on top of things and be able to say from the first meeting what is possible and what is not.
Garsh (Score:-1)
by Guns n' Roses Troll (207208) on Wednesday February 27, 2002 @03:51AM (#3077735)
I never knew that a high-steppin' yella could do that.
VPN hardware (Score:1, Troll)
by pokka (557695) on Wednesday February 27, 2002 @04:02AM (#3077793)
Building VPNs is a pain in the ass, regardless of whether you're using Windows NT/2k or Linux. Microsoft's documentation is sketchy (and in some cases completely wrong), and there are very few sources for building a VPN in Linux.
This book may make it easier to build a VPN, but it's kind of obsolete, now that the Linksys VPN router has been released, making it a matter of plugging in and turning on. Of course, if you have plenty of free time, but very little money, you might go for the book instead.
Re:VPN hardware (Score:-1, Offtopic)
by Anonymous Coward on Wednesday February 27, 2002 @04:17AM (#3077888)
Heck of a troll. Good Job!
Re:VPN hardware (Score:2, Interesting)
by Cyno (85911) on Wednesday February 27, 2002 @04:38AM (#3078046)
...or if you're worried about security. I never trust commercial companies to deliver secure code. Especially if they keep it closed source. Unless you want to flash the ROM on this thing every few weeks, I'd just read up on a Linux ppp over ssh solution and write some scripts to keep that software updated.
Re:VPN hardware (Score:1)
by starpool (562363) on Wednesday February 27, 2002 @02:12PM (#3081956)
We started out making slow progress with FreeS/WAN trying to connect to a Raptor Firewall, and thought we'd try to take the easy way out and use two Linksys VPN Routers. Bottom line: the LVRs will only allow one Class C subnet access to the tunnel. Since we have multiple subnets at 4 different locations, the LVR is disqualified, at least for now. (Maybe Linksys will add this capability to future firmware.) So we're back to FreeS/WAN and Raptor...now if I can just get that book at my local BN.
What's wrong with PPTP? (Score:4, Interesting)
by Jacco de Leeuw (4646) on Wednesday February 27, 2002 @04:06AM (#3077826)
PPTP is often used for 'road warrior' setups, i.e. people working from home or on the road. It's cheap because there are free (as in speech) PPTP servers for Linux and the Windows PPTP clients are free too (as in beer). In contrast, Windows IPSEC clients are often expensive.
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student has written software which can crack the password in a couple of hours on a Pentium II.
c't (Heise) reported about this.
--
Warning: Slashdot may contain traces of nuts.
Re:What's wrong with PPTP? (Score:2, Informative)
by Anonymous Coward on Wednesday February 27, 2002 @04:19AM (#3077901)
It's Point-to-Point Tunneling Protocol and thus more limited than IPSec, which can be used in routed mode and can connect arbitrary networks.
Re:What's wrong with PPTP? (Score:3, Interesting)
by FallLine (12211) on Wednesday February 27, 2002 @04:25AM (#3077939)
Well firstly, Microsoft's implementation of PPTP is insecure, buggy on the client side (and the server side, where their server is used), and has a hard time supporting multiple clients in a NAT environment.
Secondly, a lot of older hardware has little to no support for the GRE protocol that PPTP depends on. Thus many people simply can't use it.
Thirdly, it's virtually impossible to get two people connecting to the same VPN behind the same NAT network on any hardware. The nature of GRE makes it very difficult since it has no concept of port to differentiate between packets, only source and destination IP. Unfortunately, NAT is very common these days so this really does matter.
Re:What's wrong with PPTP? (Score:0, Troll)
by icedivr (168266) on Wednesday February 27, 2002 @09:44AM (#3080500)
If it's so insecure, why aren't people getting cracked all the time?
Secondly, since when does hardware support a networking protocol in the absence of software? Any machine that can run 95 or 98 can run PPTP. They have pretty modest hardware requirements by today's standards.
Thirdly, I have created multiple outbound pptp tunnels behind an ICS connection. It can be done.
Re:What's wrong with PPTP? (Score:3, Informative)
by Junta (36770) on Wednesday February 27, 2002 @04:40AM (#3078066)
Just FYI, but Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such. Other systems, well, they are intended for home use that doesn't need that functionality..
--
XML is like violence. If it doesn't solve the problem, use more.
Wrong: Win2K IPSEC uses L2TP for tunneling (Score:1)
by Xenophon Fenderson, (1469) <xenophon+slashdot@irtnog.org> on Wednesday February 27, 2002 @06:24AM (#3078826)
Windows 2000/XP's support for IPSEC is limited to transport mode. Tunnelling is handled by Cisco's Layer 2 Tunnelling Protocol (L2TP). Unless FreeS/WAN and KAME now support L2TP, IPSEC VPNs using Windows-native clients are limited to routable IP addresses all the way around.
Now NAT is evil---ask my friends, I rant about it all the time---but in the real world, one must be able to tunnel VPN traffic at least in one direction (into the company). Without support for L2TP in FreeS/WAN or commercial IPSEC clients in Windows, one cannot currently do this.
Please, I beg you, prove me wrong. I've been struggling to get Windows IPSEC working with KAME for some time now. And my copy of Cisco's Unity VPN client doesn't work on XP.
--
I'm proud of my Northern Tibetan Heritage
Re:Wrong: Win2K IPSEC uses L2TP for tunneling (Score:2)
by Junta (36770) on Wednesday February 27, 2002 @07:40AM (#3079371)
L2TPd for linux exists, separate from FreeS/WAN. Though commonly coupled with IPSEC, L2TP is separate. I have heard reports that FreeS/WAN+l2tpd can be used to provide the functionality you describe to have a pretty solid VPN with FreeS/WAN and Windows ends.
http://www.marko.net/l2tp/
A bit dated, but reportedly still functional...
Now as far as getting connectivity to Cisco with Windows with tunneling, I have no idea, never tried...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:What's wrong with PPTP? (Score:2)
by Nailer (69468) on Wednesday February 27, 2002 @01:37PM (#3081785)
Win2k and newer (at least) include native IPSEC support that can interoperate with FreeS/WAN and such
Excellent - do you have any documentation on how to do this?
Re:What's wrong with PPTP? (Score:2)
by Junta (36770) on Wednesday February 27, 2002 @04:41PM (#3082448)
http://www.freeswan.org/freeswan_trees/freeswan-1.95/doc/interop.html
contains some links; right now the tripod exceeded bandwidth, and that is the one with Windows interop. instructions, but I have seen it and it looks pretty solid.
--
XML is like violence. If it doesn't solve the problem, use more.
Re:What's wrong with PPTP? (Score:2, Informative)
by jeremiahstanley (473105) <miah AT miah DOT org> on Wednesday February 27, 2002 @04:45AM (#3078100)
With Win2k you can get this little patch and then you have a free as in beer IPSec implementation provided by Microsoft under Win2k. It even supports x509 certs. IPSec clients are not that expensive. Look at SSH Sentinel for another option. It even supports the newer AES ciphers (which I don't expect out of Microsoft for a long time) as added security.
For all of this you have to patch the code to use the newer ciphers. You can get that here and if you need to use x509 certs you can get that stuff here. This is all pretty easy if you have your druthers about compiling new kernels and working with OpenSSL.
Why this isn't in the kernel to begin with is anybody's guess. I would guess that it has something to do with all those pesky crypto export laws. Just like everything else in the ol' US of A we have to sacrifice our freedoms so that we can be safe from the KGB and that one guy from Hackers.
--
Hire me...
It's damn slow (Score:1)
by moankey (142715) on Wednesday February 27, 2002 @05:08AM (#3078275)
From testimonies of traveling whatevers, the people always complain that PPTP is very sloooow. They preferred using RAS in place, albeit with a very expensive phone bill.
Most were of course higher level execs so their complaining actually mattered.
Re:What's wrong with PPTP? (Score:0)
by Anonymous Coward on Wednesday February 27, 2002 @05:19AM (#3078347)
So, what's wrong with it then? Well, the security of PPTP apparently depends on the password. A German student [uni-freiburg.de] has written software which can crack the password in a couple of hours on a Pentium II.
Thank god I'm not in Germany!!!!
Re:What's wrong with PPTP? (Score:0)
by Anonymous Coward on Wednesday February 27, 2002 @05:26AM (#3078396)
You can buy PGPnet (IPsec client) in most Office Depot, OfficeMax, or Circuit City stores for $39. It has the same functionality as the NAI version.
PGPnet (Score:3, Informative)
by Jacco de Leeuw (4646) on Wednesday February 27, 2002 @05:37AM (#3078474)
That's because NAI doesn't know what to do with it. Could they be dumping the product for $39? They want to sell off some parts currently included with PGPnet. There's some uncertainty if you buy the product. Will they update it? Will they fix bugs?
--
Warning: Slashdot may contain traces of nuts.
wireless PPTP == readable password file (Score:1)
by nealmcb (125634) on Friday March 01, 2002 @04:59AM (#3091216)
The Heise article is in German, but refers to the original paper, which is in English:
Normally, the file /etc/shadow (or /etc/password on old systems) is regarded as one of the most vulnerable points of a unix system [Uni99]. If an attacker can obtain the information in this file, the system is nearly hacked. Using Microsoft's PPTP protocol, information about your passwords is not only publicly available, you also provide additional hints about the passwords, which allow the attack to be sped up by a factor of up to 2^16. With this said, it is clear why we believe Microsoft's PPTP implementation isn't suitable for securing wireless networks.
--Neal
Go IETF!
Problem is getting Management to go along (Score:2, Interesting)
by Cy Guy (56083) on Wednesday February 27, 2002 @04:27AM (#3077946)
I think the priority should be getting management to understand the importance of using standard protocols instead of proprietary ones.
Having a book like this one is great if you want to familiarize yourself with the standards and how to implement them on Linux, but the much harder task is getting Management, particularly at larger companies, to see the benefit of implementing a standards based VPN where the users can use any standards based client over any TCP/IP network.
Instead what I see is managers that want to buy a single product that comes with both the server and client applications, but then doesn't work or is hard to implement when the clients are trying to access the VPN from a cablemodem, DSL, or 802.11 connected machine, and don't (God forbid) want to use MSIE and Citrix on Windows to get onto the office network.
--
Work for Change & GET PAID!
Re:Problem is getting Management to go along (Score:0)
by MojoReisen (218327) on Wednesday February 27, 2002 @05:00PM (#3082501)
You've got that right.
We're tasked with supporting Citrix IE-ALE Windows VPN clients with FlowPoint modems or Instant Internet boxes over DSL. Of course it is completely unreliable.
The task is truly Herculean. They (vendors) all point their fingers at each other, and I'm waist-deep in IPSec, MTUs, etc. and all that other black magic.
--
"Nothing is impossible for the man who refuses to listen to reason"
Can't beat SSH (Score:2, Insightful)
by schlach (228441) on Wednesday February 27, 2002 @04:27AM (#3077953)
for simple encrypted forwarding
LocalForward 8080 theproxy:8080
LocalForward 25 thesmtp:25
LocalForward 143 theimap:143
Don't forget your '-g' =)
SSH != VPN. That's a good thing. (Score:1)
by Brian Hatch (523490) <<bri> <at> <ifokr.org>> on Wednesday February 27, 2002 @06:32AM (#3078902)
We have a section about when a VPN is not what you need, and these are the exact kind of examples when a VPN is unnecessary overkill.
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway. Otherwise anyone in the world can use your encrypted tunnel.
Re:SSH != VPN. That's a good thing. (Score:2)
by brassrat77 (9533) on Wednesday February 27, 2002 @09:33AM (#3080403)
As a side note, if you use '-g', make sure you have iptables/ipchains/hosts.{allow|deny} rulesets enabled to make sure that only authorized machines can use the gateway.
This is an EXCELLENT POINT that CANNOT BE OVEREMPHASIZED.
I recently had to set up tunnels to allow a set of NAT'd workstations (laptops running a mix of Linux and W2K) to access a system on the inside of a remote firewall where SSH was the only available securable protocol. We needed to use the "-g" switch, and the need for filtering access was immediately apparent.
We ended up using a set of scripts to build the tunnel, including the necessary iptables rules.
As an aside, I'd check if hosts.allow|deny rules are sufficient - I think the ssh tunnel would make all connections appear to be coming from the host running the tunnel. (Can't check for myself right now)
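To make the '-g' caveat from the two posts above concrete, here is an added example (not from the thread, the book or OpenSSH) that builds the ssh command for the three forwards listed earlier and the iptables rules that let only one trusted subnet reach the listening ports on the machine running ssh. The hostnames, gateway and subnet are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread, the book or OpenSSH. Builds the ssh
# command for the forwards listed in the post and the iptables rules that
# let only one trusted subnet reach the listeners that -g exposes.
# Hostnames, the ssh server and the subnet are constructed placeholders.
#
# Why filter on the machine running ssh -g rather than at the far end: the
# target services (theproxy, thesmtp, theimap) see every forwarded connection
# as coming from the ssh server itself, so their hosts.allow/hosts.deny
# cannot tell an authorized workstation from anyone else who found the port.

# "localport:targethost:targetport", one entry per line (from the post).
FORWARDS='8080:theproxy:8080
25:thesmtp:25
143:theimap:143'

# Print the ssh command line: -g binds each local listener on all interfaces
# (that is what makes the filtering necessary), -N runs no remote command.
gateway_ssh_command() {
    remote="$1"   # user@host of the ssh server
    cmd="ssh -g -N"
    for f in $FORWARDS; do
        cmd="$cmd -L $f"
    done
    echo "$cmd $remote"
}

# Print iptables rules for the machine running ssh -g: loopback is always
# allowed, each forwarded port is accepted from the trusted subnet and
# dropped from everywhere else. ACCEPT precedes DROP so rule order cannot
# lock the trusted subnet out.
gateway_filter_rules() {
    allowed_net="$1"   # e.g. 192.168.1.0/24
    echo "iptables -A INPUT -i lo -j ACCEPT"
    for f in $FORWARDS; do
        lport=${f%%:*}   # text before the first colon = local listening port
        echo "iptables -A INPUT -p tcp --dport $lport -s $allowed_net -j ACCEPT"
        echo "iptables -A INPUT -p tcp --dport $lport -j DROP"
    done
}

# Stand-alone usage (constructed values): ./sshgw.sh 192.168.1.0/24 user@gw
# Pipe the first function's output to sh to apply the rules before starting ssh.
if [ $# -eq 2 ]; then
    gateway_filter_rules "$1"
    gateway_ssh_command "$2"
fi
```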
The main problem with IPSEC... (Score:5, Insightful)
by Junta (36770) on Wednesday February 27, 2002 @04:48AM (#3078126)
IPSEC is wonderful, but many businesses don't think things through and use it for telecommuting. Why is this bad? Well, the way this works is that someone connects to the VPN system and gets a full tunnel that allows the authorized client to behave on the internal network as if it was actually there, bypassing the firewall. The problem here is pretty obvious. The client machine is not protected by a firewall, and so if the client is compromised, an attacker has a clear path straight past the firewall. So the effectiveness of the firewall is greatly reduced.
Now if you don't have a firewall protecting the network, this won't hurt, but if you do, then a solution like ssh is somewhat more secure, as you only set up the tunnels you absolutely need to very specific hosts. While there is still a risk, it is greatly reduced and strikes a good balance between usability and security.
What IPSEC *is* good for is seamlessly connecting sites together without really expensive dedicated lines securely. While it makes no guarantee as to bandwidth or availability, it does provide almost the same level of security. If a company can't afford lines to sites but still wants to expand, IPSEC is ideal. I use it to connect my home private network to a friend's home private network. The key here is that not only do you have to trust the clients whose keys you permit to connect, but you must also trust that the administrator of that client machine or network is sufficiently competent to keep his network secure, as the security of the two networks is tied a lot more closely together...
--
XML is like violence. If it doesn't solve the problem, use more.
Re:The main problem with IPSEC... (Score:1, Informative)
by Anonymous Coward on Wednesday February 27, 2002 @04:58AM (#3078205)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
-m
Re:The main problem with IPSEC... (Score:2)
by j7953 (457666) on Wednesday February 27, 2002 @07:19AM (#3079240)
Actually, this is bypassed by disabling split tunneling (allowing the client machine to access the internet "directly" and accessing the VPN tunnel).
Well, but that doesn't prevent the telecommuter's computer from becoming compromised with some background logging software that'll collect information when connected to the company network, and send it to the attacker when connected to the internet.
Of course, using an SSH tunnel also doesn't solve that problem.
The only real option is to assign IPs from a different subnet to the telecommuters' home computers, and to have a firewall between that subnet and the rest of the company network that'll not allow access to certain resources that are especially critical. And, of course, the telecommuters must be educated about the security issues.
--
Sig (appended to the end of comments I post, 54 chars)
-
Re:The main problem with IPSEC...
(Score:2)
by j7953 ( 457666 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:19AM (#3079240)
-
Re:The main problem with IPSEC... (Score:2, Informative)
by icedivr (168266) on Wednesday February 27, 2002 @05:10AM (#3078285)
Your beef can be easily solved by ensuring that the remote machine's default route is down the tunnel.
As far as I'm concerned, a bigger threat is the road warrior laptop not having adequate virus protection. (VP of Sales does insist on Windows, doesn't he?) Desktops behind the firewall presumably have multiple layers of protection in front of them; the road warrior, maybe not.
Re:The main problem with IPSEC...
(Score:2)
by Jacco de Leeuw ( 4646 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:31AM (#3078432)
Homepage
... a bigger threat is the road warrior laptop not having adequate virus protection.
Agreed. Especially trojans. So, how does one secure the terminal? Boot from Read Only media? Use a thin client?
--
-------
Warning: Slashdot may contain traces of nuts.
-
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:29AM (#3078417)
So, you're saying the main problem with IPSEC is that it's not a magic bullet? Nothing is...get over it. I've heard people say the same about firewalls, saying how firewalls make people think that they're totally secure, so they no longer patch systems or pay attention. That may be true sometimes, but it's still not a valid argument that firewalls are flawed. Security isn't one box or one piece of software, and saying that one has a problem because it doesn't blanket everything is like criticizing deadbolts because thieves can still break a window to get into your home.
--
For your security, this post has been encrypted with ROT-13, twice.
-
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:53AM (#3079060)
Right, but I was saying that IPSEC is not only not a magic bullet (that is to be expected) but companies outright misuse the technology without any serious thought. They invest tons in making sure they have tight firewalls and policies that prohibit people from hooking up modems to the outside world (internet without firewall), and yet repeat the mistake in a different form time and time again. It would be nice to establish trusted connections to telecommuters, but it just simply can never be secure enough (well, maybe if the telecommuter is the same person who designed the corporate security and takes home security equally seriously, but not worth finding out).
--
XML is like violence. If it doesn't solve the problem, use more.
-
Re:The main problem with IPSEC...
(Score:2)
by Shoten ( 260439 ) writes: Alter Relationship
on Thursday February 28, 2002 @03:15AM (#3084102)
I see your point, but at that stage of the game, it's not the technology that is to blame. Any solid technology will be a problem if it is not part of a sound, well-thought out implementation. There are ways around the problem as well, however; for example, Checkpoint VPNs can push a security policy out to the client upon connection, enforcing a firewall policy at the end point and prohibiting network communications between that point and any node besides the VPN gateway. But that's a whole other ball of wax, and returns to the issue of making wise choices when rolling out technology.
The bottom line is, VPNs make it possible to do things in business that aren't cost-effective any other way, and businesses are there to make money, not to be secure. It's a trade-off, and if the return outweighs the risk, it's worth the risk.
--
For your security, this post has been encrypted with ROT-13, twice.
-
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:59AM (#3078631)
Homepage
Journal
So the effectiveness of the firewall is greatly reduced
Don't you have the same exact problem with desktop machines on the LAN, inside the firewall? Seems to me that VPN-though-a-firewall doesn't introduce any vulnerabilities that you don't already have.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
-
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @06:38AM (#3078946)
But LAN machines have never been exposed to the internet. I am sure somebody can put some "fun" daemons up on a machine just waiting for a VPN connection.
-
Re:The main problem with IPSEC...
(Score:1)
by Sloppy ( 14984 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:18AM (#3079239)
Homepage
Journal
But LAN machines have never been exposed to the internet.
Ha hah hah ha! That's a good one.
Seriously, it must be nice to work at a place where they haven't heard of "Active Content" and no one uses products like Microsoft Word or Microsoft Outlook.
-- :-)
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
-
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:48AM (#3079450)
When dealing with internal systems, you can enforce all kinds of policies about virus software, etc. You can keep it relatively boxed. With telecommuting, the clients not only have relaxed restrictions, but also are vulnerable while connected to the internet to the sort of attacks firewalls are meant to keep out. Normally, this wouldn't be too bad, but with a full tunnel, that machine will probably contain sensitive information itself and, for the duration of the connection, gives full access to a corporate network if compromised.
--
XML is like violence. If it doesn't solve the problem, use more.
-
Re:The main problem with IPSEC...
(Score:0)
by Anonymous Coward writes:
on Wednesday February 27, 2002 @09:07AM (#3080140)
If you want to get legalistic about it:
Local Area Network by definition is not a Wide Area Network now is it? If you have a LAN you cannot be exposed to the internet or it is a WAN. If you run active content then you are running code on the LAN. Don't run unknown code on a LAN. If you are downloading something from the internet you are using a WAN interface are you not?
The point is you have a machine that has been directly exposed to the internet and now it is on your network and that is NOT the same thing. If I have to go to the head at a bus station I will finish my drink because I won't really know what it is when I get back.
-
Re:The main problem with IPSEC...
(Score:1)
by -audiowhore- ( 153163 ) writes: Alter Relationship
on Wednesday February 27, 2002 @11:08AM (#3081115)
Bollocks! There are quite a few commercial VPN clients out there that either have a 'stateful' firewall engine (Check Point's Secure Client), or support personal firewall software (the Cisco client has support for Black Ice and Zone Alarms). The Cisco client can be configured to not install or initialise *unless* the personal firewall is installed/running.
--audiowhore
-
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:22PM (#3082392)
But then, how do you ensure the client is using approved software if you are using a standard like IPSEC? I know, corporate policy, but if people are at home, they might try more exotic things... In any event, clients configured like this are a good way to make IPSEC *better* for telecommuting, but the safest bet is to not have full network transparency, but instead only have selected services that telecommuters need and allow only those in your preferred method of access.
--
XML is like violence. If it doesn't solve the problem, use more.
-
-
Re:The main problem with IPSEC...
(Score:2)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @04:22PM (#3082392)
But then, how do you ensure the client is using approved software if you are using a standard like IPSEC? I know, corporate policy, but if people are at home, they might try more exotic things... In any event, clients configured like this are a good way to make IPSEC *better* for telecommuting, but the safest bet is to not have full network transparency, but instead only have selected services that telecommuters need and allow only those in your preferred method of access..
--
- CIPE - a better solution. (Score:3, Informative) by ion++ ( 134665 ) writes: Alter Relationship on Wednesday February 27, 2002 @05:18AM (#3078339) I'm using CIPE for linux at work. It can be found at http://sites.inka.de/sites/bigred/devel/cipe.html or for windows at http://cipe-win32.sourceforge.net/.
It's a better solution because it doesn't run TCP over TCP, which can give a problem when retransmission occurs. With the right amount of bad luck, you can have double retransmission where both layers of TCP retransmit. CIPE runs completely over UDP to avoid this problem.
JonB
-
Re:CIPE - a better solution.
(Score:2, Insightful)
by ion++ ( 134665 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:22AM (#3078367)
Oh yeah, I forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Furthermore it works with non-static IP addresses. Obviously one end needs to know the IP of the other end, but that's all that is needed.
JonB
-
Re:CIPE - a better solution.
(Score:1)
by The Darkness ( 33231 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:29AM (#3078878)
Homepage
Oh yeah, I forgot to mention that it works behind a NAT, which IPSEC has trouble with.
Junta already posted a valid response to this statement.
Furthermore it works with non-static IP addresses. Obviously one end needs to know the IP of the other end, but that's all that is needed.
FreeS/WAN works great with non-static IP addresses. For example:
/etc/ipsec.conf:
conn netnet
    left=theirhost.dyn.dhs.org
    leftid=@theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    leftrsasigkey=....
    rightrsasigkey=....
    authby=rsasig
    auto=start
And in ipsec.secrets:
@myhost.dyn.dhs.org : RSA { ...
}
I have been using a similar configuration since the release of FreeS/WAN v1.5.
--
There are two kinds of people: 1) those that need closure
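The netnet conn above is the kind of thing worth checking before auto=start brings it up. As an added example, not code from the thread or from FreeS/WAN, this Python parses a constructed ipsec.conf in the same format (column-0 section headers, indented key=value lines, "conn %default" supplying defaults) and flags weak or inconsistent settings: a non-rsasig authby, a missing rsasigkey, an unpinned ID for a DNS-named end, and overlapping subnets. The sample key values are placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample modelled on the netnet conn above; the key values are
# placeholders, not RSA keys from any real host.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute

conn %default
    keyingtries=0

conn netnet
    left=theirhost.dyn.dhs.org
    leftid=@theirhost.dyn.dhs.org
    leftsubnet=10.1.1.0/24
    right=%defaultroute
    rightid=@myhost.dyn.dhs.org
    rightsubnet=10.1.2.0/24
    leftrsasigkey=0sPLACEHOLDER_LEFT_KEY
    rightrsasigkey=0sPLACEHOLDER_RIGHT_KEY
    authby=rsasig
    auto=start
"""

Section = Dict[str, str]


def parse_ipsec_conf(text: str) -> Dict[Tuple[str, str], Section]:
    """Map (kind, name) -> {param: value}; headers at column 0, params indented."""
    sections: Dict[Tuple[str, str], Section] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        if not line[0].isspace():              # "conn netnet" / "config setup"
            kind, _, name = line.partition(" ")
            current = {}
            sections[(kind, name.strip())] = current
            continue
        if current is None:
            raise ValueError("parameter before any section header: %r" % raw)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("malformed parameter line: %r" % raw)
        current[key.strip()] = value.strip()
    return sections


def resolve_conn(sections: Dict[Tuple[str, str], Section], name: str) -> Section:
    """Start from 'conn %default' and overlay the named conn's own parameters."""
    params = dict(sections.get(("conn", "%default"), {}))
    params.update(sections[("conn", name)])
    return params


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_conn(params: Section) -> List[str]:
    """Return the problems found; an empty list means the conn passes."""
    problems = []
    authby = params.get("authby", "secret")     # FreeS/WAN defaults to shared secrets
    if authby != "rsasig":
        problems.append("authby=%s: use rsasig so each end proves its own RSA key" % authby)
    subnets = {}
    for side in ("left", "right"):
        if authby == "rsasig" and not params.get(side + "rsasigkey"):
            problems.append(side + "rsasigkey missing")
        host = params.get(side, "")
        # %defaultroute/%any ends and literal IPs get an ID derived from the
        # address; a dynamic-DNS name should carry an explicit @id so the key
        # stays bound to the same identity when the address changes.
        if (host and not host.startswith("%") and not _is_ip(host)
                and not params.get(side + "id")):
            problems.append("%sid missing for DNS name %s" % (side, host))
        if side + "subnet" in params:
            try:
                subnets[side] = ipaddress.ip_network(params[side + "subnet"], strict=True)
            except ValueError as exc:
                problems.append("%ssubnet invalid: %s" % (side, exc))
    if len(subnets) == 2 and subnets["left"].overlaps(subnets["right"]):
        problems.append("leftsubnet and rightsubnet overlap")
    if params.get("auto", "ignore") not in ("add", "route", "start", "ignore"):
        problems.append("auto=%s is not a recognised value" % params["auto"])
    return problems


if __name__ == "__main__":
    netnet = resolve_conn(parse_ipsec_conf(SAMPLE_CONF), "netnet")
    print("netnet:", check_conn(netnet) or "ok")
```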
-
Re:CIPE - a better solution.
(Score:2, Informative)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:39AM (#3078494)
Better solution than, say, ppp over ssh (a really dumb hack), but not better than IPSEC for most all applications.
IPSEC also does not run TCP over TCP, it uses udp for isakmp, and data is transmitted through custom protocols (numbers 50 and/or 51), *not* through TCP.
Another thing about IPSEC that works better than CIPE is that IPSEC more strongly authenticates the machine at the other end. This is why NAT breaks, because unlike CIPE, IPSEC works to ensure the packet has passed unmodified since leaving a known trusted host, and the very nature of NAT prevents this. Solution is simple, move the IPSEC gateway to either the NAT system or beyond. Though it is being pushed in many circles as a good solution for telecommuting, it really was never designed for that and that usage really spits in the face of firewalls.
Finally, CIPE lacks compatibility. Sure you can configure windows and linux boxes and maybe other platforms, but just try to connect to, say a CISCO router....
CIPE is a hack that creates more problems than it solves in the long run. PPP over ssh is worse, but a dumb idea, set up tunnels for specific tcp services that you need, more overhead, but security is better (not perfect, but better). For connecting networks together, a good architect can piece together an IPSEC solution that guarantees identity at the other end of the pipe... CIPE offers the gaping hole that IPSEC can while not offering enough identification. So ssh or IPSEC remains the best solution, depending on the problem.
--
XML is like violence. If it doesn't solve the problem, use more.
-
Duh, we cover cIPe in the book.
(Score:2, Informative)
by Brian Hatch ( 523490 ) writes: Alter Relationship
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:40AM (#3078953)
Homepage
Journal
Ummm, we cover cIPe in the book. Would be a pretty crappy job if we hadn't.
-
Answer?
(Score:3, Funny)
by sharkey ( 16670 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:29AM (#3078412)
Why does every book need to include the magic 'L' word in the title nowadays?
Because they have a better chance of getting posted to the Slashdot homepage?
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
-
Re:Answer?
(Score:1)
by Crusty Oldman ( 249835 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:37AM (#3078476)
... Or they could just say "Perl" for a slamdunk.
-
Crossplatform aspect?
(Score:2, Interesting)
by egghat ( 73643 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:51AM (#3078571)
Homepage
How is the crossplatform aspect covered? There are hundreds of possible solutions for VPNs out there, but if you want something that works on *nix, Windows and Mac (Classic and X) and is free and open, the range of products to choose from gets small...
For example, I couldn't find a free IPSEC client for Windows.
Any new hints from this book?
Thanks in advance.
egghat.
--
"As a human being I claim the right to be widely inconsistent", John Peel
-
Re:Crossplatform aspect?
(Score:3, Informative)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @05:53AM (#3078587)
IPSEC "clients" for Windows:
PGPnet- commercial and free versions. Free version doesn't do complicated routing stuff
Windows 2000 and newer have built in IPSEC capabilities.
Both these methods can interact with CISCO, OpenBSD, and FreeS/WAN.
IPSEC is the best shot you have at a cross-platform standard.
--
XML is like violence. If it doesn't solve the problem, use more.
-
Re:Crossplatform aspect?
(Score:1)
by Brian Hatch ( 523490 ) writes: Alter Relationship
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:28AM (#3078871)
Homepage
Journal
Most of the VPN topics we cover translate easily and directly to other Unix systems. Some small differences are OS-specific. You don't enable IP forwarding with /proc on Solaris, for example, but the software configuration, routing examples, etc., are the same.
We discuss PPTP s.t. you can communicate with PPTP-only Windows clients. You can run IPSec software on more recent versions of Windows, however describing how to do so would probably increase the size of the book by several hundred pages, not counting the fact that we'd have lost some serious sanity in the process.
So when cross platform == unix-like systems, this book does it for you. When cross platform == non unix, you're on your own.
-
Semi-OT: any ISPs that route a VPN connection?
(Score:1)
by Sloppy ( 14984 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:06AM (#3078670)
Homepage
Journal
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.) Doesn't have to be free beer.
--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
-
Re:Semi-OT: any ISPs that route a VPN connection?
(Score:2)
by disappear ( 21915 ) writes: Alter Relationship
on Wednesday February 27, 2002 @09:42AM (#3080488)
Homepage
Anyone know of any ISPs (preferably outside USA) that will route stuff coming from a VPN (or any other type of encrypted tunnel) to The Internet? (i.e. from The Internet's point of view, it would be like I was a local user of that ISP, even though I'm physically somewhere else.)
Why would you want to do that? Not only will it slow down your network connection, but I suspect that it should be fairly easy to do traffic analysis to determine which traffic was yours in the first place, even at a busy ISP...
-
Has anybody used isakmpd on Linux
(Score:2)
by Chang ( 2714 ) writes: Alter Relationship
on Wednesday February 27, 2002 @06:06AM (#3078673)
Anybody out there have any success compiling and using OpenBSD's isakmpd on Linux?
I really need to use aggressive mode but the patches for freeswan are ancient/unmaintained.
A pointer would be greatly appreciated.
-
ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes: Alter Relationship
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @06:11AM (#3078722)
Here's this script I use to set up a quick and dirty VPN between my workstation at work and my home PC. It has to originate from work to get through the firewall but once set up, of course, packets can flow both ways. I call the script ssh-vpn.
You have to set up ssh correctly with rsa keys before it will work. You also have to download pty-redir. See the VPN mini how-to for more details.
#!/bin/bash
# ssh-vpn: start pppd on the remote host over an ssh session (protocol 1,
# root login), then a local pppd on the pty that pty-redir hands back.
REMOTE_HOST=$1
REMOTE_IP=$2
LOCAL_IP=$3
if [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] ; then
echo "usage: ssh-vpn REMOTE_HOST REMOTE_IP LOCAL_IP"
exit 1
fi
# this file holds the slave pty that the local pppd needs; mktemp avoids a
# predictable /tmp name that another local user could pre-create or symlink
tmpfile=$(mktemp) || exit 1
# start remote pppd; pty-redir reports the slave pty name, captured here via stderr
/usr/local/bin/pty-redir /usr/bin/ssh -1 -o 'Batchmode yes' -t -l root "$REMOTE_HOST" /usr/sbin/pppd local "${REMOTE_IP}:${LOCAL_IP}" 2> "$tmpfile"
# give the remote pppd process a little time to send its first connect request
sleep 5
# start local pppd on the pty named in the file
/usr/sbin/pppd "$(cat "$tmpfile")" passive
# remove file that held the slave pty file name
sleep 5
rm -f "$tmpfile"
-
The pty-redir hack is dead.
(Score:1)
by Brian Hatch ( 523490 ) writes: Alter Relationship
<<bri> <at> <ifokr.org>>
on Wednesday February 27, 2002 @06:20AM (#3078799)
Homepage
Journal
No offense, but anyone still relying on pty-redir should really use a more recent version of pppd which has the '-p' option to create a pty on its own.
The ppp over (ssh/ssl) stuff in the book is much more complete, allowing you to make more than one connection, doesn't rely on best-guess 'sleep X' timeouts, and walks you through setting up ssh securely s.t. it can only be used to create the VPN, and doesn't require logging in as root from either endpoint.
-
Re:The pty-redir hack is dead.
(Score:1)
by hopeless case ( 49791 ) writes: Alter Relationship
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:08AM (#3079628)
Thanks for the info on "-p". I didn't know about that.
You are correct, of course, about the flaws of my scheme, but you'd be amazed how well it works for my purposes. I work from home and need to get access to my work machines through the firewall.
Using my 128k DSL connection to the net, I can do a lot this way, including using VNC acceptably.
I wouldn't recommend it for any production environment, but for simple things it more than fits the bill.
-
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes: Alter Relationship
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @06:26AM (#3078840)
Here's a link to a tgz file of the pty-redir source and compiled utility:
http://www.hopelesscase.com/pty-redir.tgz
I had to modify it to get it to work so in the interests of saving time, I'm posting it here.
-
Re:ssh + ppp = vpn
(Score:4, Informative)
by Junta ( 36770 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:14AM (#3079217)
Of course, ppp over ssh is a bad thing, ugly and bad. For most traffic, you have this topography:
TCP over IP over ppp over ssh over TCP over IP, etc...
Note the fact that we have TCP over TCP, which is bad, very very bad. If a packet gets lost, we have two layers doing the same thing to restore a connection and things can get stalled out quickly....
ssh's built in tcp tunneling suffices for most remote access applications. For a true VPN, IPSEC is the only good way to go. Other things like CIPE certainly work better than ppp over ssh, but still lack certain features that IPSEC has. Then again, if you have to build a VPN where you need to modify packets in transit (i.e. NAT), CIPE is a viable alternative if you don't mind that packets could be mangled by more than just the NAT gateways and CIPE wouldn't care, but I personally want to ensure the highest security with IPSEC...
--
XML is like violence. If it doesn't solve the problem, use more.
-
Re:ssh + ppp = vpn
(Score:1)
by hopeless case ( 49791 ) writes: Alter Relationship
<{christopherlmarshall} {at} {gmail.com}>
on Wednesday February 27, 2002 @08:10AM (#3079657)
Yes, it leads to poor performance and an unstable link. Still, for my purposes (connecting from home to my work machines through a firewall over a DSL line at 128kbps), you'd be surprised how useful it is.
IPSec would be better but I would have a lot to learn and experiment with before I could use it. The ssh+ppp solution is much easier.
-
Right in time.
(Score:2)
by Bender Unit 22 ( 216955 ) writes: Alter Relationship
on Wednesday February 27, 2002 @07:06AM (#3079151)
Journal
I have just been playing with IPSec for the last couple of days and wanted to buy a book on the subject. While I managed to successfully make a VPN connection between 2 machines, I still need to read a great deal about what's under the hood.
So I looked at amazon also thinking that I could not go wrong with a book from O'Reilly, but after looking at the few stars it got I had been looking at this book and the one from RSA. Well, that does it. I'm getting this one. :)
-
Re:Right in time.
(Score:2)
by gmhowell ( 26755 ) writes: Alter Relationship
<gmhowell@gmail.com>
on Wednesday February 27, 2002 @09:44AM (#3080503)
Homepage
Journal
Ditto. Need to work from home. What I should do is wireless (only 2 miles between home and work) but the county has something against cutting down all of those trees...
--
Jesus was all right but his disciples were thick and ordinary. -John Lennon
-
Re:What I really want to see...
All this stuff is documented somewhere, you just have to know where to find it :) But I don't know exactly what you're expecting here -- all this is obviously not going to be found in one book. I mean, this story is talking about a book review for a book that's 1,000 pages, and one of the complaints is that it's "too sketchy". How long would a book be that covers all the stuff you're talking about, from basic user-level stuff (reading a PostScript file) to basic software engineering theory (CASE, revision control systems) to advanced programming stuff (making branches in CVS)? 10,000 pages? 100,000 pages? For general programmer-level stuff, a good place to start would be Eric Raymond's Software Release Practice HOWTO. The GNU coding standards and maintainer information provide guidance for practices on the GNU project; although other open source projects will not follow all of these practices, they give you a good idea of how things are generally organized. Sourceforge itself has pretty good documentation. There are various guides to sending patches (the diff manual is also good reading for this). There is a book on autoconf. There are several documents on CVS; an interesting one is the CVS best practices HOWTO. It's fairly new (November 20, 2001) and still pretty sketchy, but perhaps it will evolve into a more complete best practices guide (the author is soliciting input, so this is a chance to contribute).
And, of course, nearly every Open Source software package comes with some sort of manual. (This contrasts with proprietary Windows applications, which seem to expect you to buy some sort of proprietary book on the side, in addition to the proprietary application you have already bought.) E.g., the GCC manual, the GNU Make manual, the Perl manual, the Python tutorial, and so on. Although these are not always ideal for the beginner they will certainly be a useful reference to keep handy.
-
Re:Cool
Those of you anxious to contribute by testing I suggest you get acquainted with the following sites:
Linux Kernel Mailing List FAQ (a must read before submitting bugs or oopses)
Good site about kernel hacking (not just for newbies either)
-
Think Unix
It's a cool book. If you want to know more about it, check out Lasser's web site, or read my own book review.
Danny.
-
Re:GCC extensions??
It's a very pragmatic decision.
Different compilers do produce different code and have different extensions.
To enable compiling the kernel with different compilers, you have to program for the different extensions and you have to test the kernel with the different compilers. This, plus the different architectures supported, gives you an (n*m) variety of possibilities and the same amount of problems.
For the very same reason, the kernel is not only for GCC, it's also only for one or two different versions of GCC.
Maybe take a look at the LKML-FAQ, where Rafael R. Reilova gives an answer on why not to use different compilers.
-
Below is the article copied from Byte... Byte.com is pretty non-responsive from my part of the world. It's a good read if you have time...
Linux Kernel Pillow Talk
By Moshe Bar
October 29, 2001
And you thought the netherworlds of dry kernel engineering were free of politics, egos, and prima-donnas? Guess again. The events of the last four to six weeks and the e-mails flying to and from the Linux kernel mailing list show how Byzantine and complex the dynamics of decision finding, features design, and implementations can be. Go to http://www.tux.org/lkml/ to subscribe to the kernel mailing list, but be careful: This is a very high-traffic list. Subscribe only if you really want to follow every single detail of the Linux kernel, or instead read the weekly digest at Linux Kernel Cousin at http://kt.zork.net/kernel-traffic.
Sure, the lively debates have always existed. In the past there have been disputes about the Linux firewalling code, networking code, scheduler, installer, driver model, and many more. One recurrent theme has always been the Virtual Memory (VM) manager. Nothing determines the peculiar behavior, the feel -- even the ultimate success or failure of an operating system -- like its virtual memory design. Sometime during the development cycle leading up to the Linux 2.4.0 kernel, in other words in 2.3.xx times, Rik Van Riel (http://www.surriel.com), a Dutch kernel hacker working for Brazil-based Conectiva (one of the smaller Linux distributions), introduced a radically new VM code. It was based on what seemed to be new and advanced algorithms for efficient finding, allocation, and disposal of virtual memory pages requested by programs. Rik later introduced an interesting new kernel feature called the "OOM killer." OOM stands for Out Of Memory. The OOM killer attempts to locate a killable process when memory runs out in the system. Without such a feature the whole machine can go nuts or enter a vicious cycle of swapping out a few pages, realizing immediately after that those pages are needed, and searching again for swappable page candidates, keeping the kernel busy doing only this instead of letting user processes run.
Rik is a gifted hacker, and among other things he has been trying to improve the efficiency and speed of maintenance of those lists in the kernel responsible for managing all the virtual memory pages in the system. One of the main questions to address in every operating system VM code is: "How do you choose which page to steal next when there is a RAM shortage?"
In the 2.4.0 release, the Linux kernel scans the process page tables and decides which page to remove. The problem with this approach is that sometimes a lot of process tables have to be scanned to free just one page, or very few pages. Also, this approach does not guarantee that the pages stolen are only those that will not be needed again very soon. Some UNIXes introduced the notion of the working set; that is, the minimum amount of memory required by a process to function efficiently. This solution is, however, limited to per-process pages only and does not consider other kinds of pages, such as filesystem caching. Stealing from these pages might in some cases even prove counter-productive. Very often in VM theory, a solution to one problem can worsen another; that's why kernel programming is difficult.
Rik van Riel and I have variously discussed another approach, called "reverse mapping," which implements a reverse-lookup between the page and process table. Once you have reverse-mapped pages, the VM can simply scan the pages for the ones to be freed. Naturally, some extra fields need to be added to the appropriate control tables to allow this reverse mapping. My own implementation has an overhead of 14 bytes and is therefore certainly a lesser solution than Rik's -- his overhead is just 8 bytes.
Other extremely talented kernel hackers such as Marcelo Tosatti and Ben LaHaise have made other important contributions to the Linux VM.
However, even though all these intelligent people tried hard to make the Linux VM fast, efficient, and powerful, user reports since the 2.4.0 release indicated poor Linux kernel performance and erratic and unstable behaviors. Up to kernel 2.4.7, for instance, on machines with small memory footprints (less than 40-MB RAM), sudden swap storms could erupt which would virtually freeze the system while it inexplicably started swapping pages in and out like crazy. In some cases, the aforementioned OOM Killer would choose the wrong process to kill; I have seen the all-important init process killed erroneously. Many fringe kernel projects, like my own Mosix project or others such as Win4Lin, suffered because users accused these projects of unstable operation, assuming that a released kernel like 2.4.0 must be free of such nasty bugs. Even though the kernel had gradually evolved from 2.4.0 to 2.4.9, it was evident that the VM design was more of a liability than an advantage.
Linus himself said in a recent posting to the kernel mailing list that he wasn't happy yet with the VM. These problems were enough for many Linux shops to resist the migration to the 2.4 kernels and instead continue using the 2.2.19 kind of kernels. Obviously, compared to 2.4, the 2.2 series has many shortcomings -- like no zero-copy networking, the division of page cache and buffer cache in filesystem operations, big spinlocks (serializations of kernel execution paths for computers with more than one CPU) for many parts of the kernel, and so on.
A simple C program like the one below shows how kernels up to 2.4.9 had problems dealing with stress workloads on the VM system. If, after running this program, you turned the swap partition off with swapoff, your server or workstation would become totally unresponsive for up to 15 minutes.
/* based on code originally proposed by Andrew Tanenbaum, later by Derek Glidden and many others since */
#include <stdlib.h>
#include <unistd.h>

int main(void)
{
    /* In the next line we allocate 200MB, but since a virtual memory page is not
       actually allocated by the kernel until we use it, we also have to create an
       access to it. The amount of allocated pages should reflect the total RAM on
       your computer. This test runs well with machines of, say, 256MB */
    size_t n = 50000000;
    int *p = calloc(n, sizeof(int));
    if (p == NULL)
        return 1;
    /* touch one word per 4-KB page so the kernel really has to back the allocation */
    for (size_t i = 0; i < n; i += 4096 / sizeof(int))
        p[i] = 1;
    /* In the next line we let the system calm down a bit after allocating pages */
    sleep(12);
    /* and now we release it all again */
    free(p);
    return 0;
}
Back in February 2001, I ran an informal and unscientific benchmark comparing FreeBSD 4.1.1 to kernel 2.4.0 (visit http://www.byte.com/documents/s=558/byt20010130s0010/) on exactly the same hardware and with exactly the same subsystem versions (MySQL, Sendmail, Apache, and others). The results clearly showed that, indeed, there were major problems with the efficiency and speed of the early 2.4 kernels.
A New VM
Then, on September 24, with the kernel standing at version 2.4.9, everything suddenly changed. Andrea Arcangeli, an Italian kernel hacker (read my interview with him two years ago at http://www.byte.com/documents/s=287/byt20000229s0008/) and a very prolific contributor, decided that enough was enough. He sat down and in one of those marathon hacking bouts completely rebuilt the VM from scratch. In short succession he sent to Linus Torvalds over 150 patches to the 2.4.9 kernel, to implement a new VM engine. This is an extremely remarkable feat. A VM is a major piece of software and by nature very complex. One needs to satisfy many opposed objectives: Simultaneously efficient handling for server-type loads and interactive-type loads; ease of implementation and at the same time, optimized use of every last and small feature of the CPU. The VM must also be able to run well on Intel CPUs spanning 4 or 5 generations, as well as on AMD chips, Alphas, MIPSes, Sparcs, ARMs, and what have you. Andrea, by the way, does all his development on a Compaq AlphaServer with 2 500-MHz CPUs and 3-GB RAM.
Out of the blue, Linus accepted the new VM and incorporated it into the official Linux kernel tree.
Recently, I spent two days with Andrea giving speeches. During the two days, over many bottles of beer, we had plenty of time to discuss his new VM. I was mainly interested in how the new VM affects Mosix. Because Mosix must migrate virtual memory pages belonging to the program's address spaces between cluster nodes, it is important to correctly understand the VM and interface efficiently to it.
Specifically, Andrea took exception to the following problems in the 2.4 VM:
- kswapd looping forever on DMA or NORMAL class-zones.
- swap+ram will be almost all available address space (modulo when the swap cache serves to avoid swapin of shared anonymous memory after a fork).
- swapout storms.
- benchmarks, when run repeatedly, gradually slow down.
The new VM is much simpler and faster. Let me explain how it works.
The old 2.4 VM had a major design problem that manifested itself mainly when freeing physically dirty pages (remember dirty pages are the frames of 4-KB memory in the RAM whose contents have been modified by one of the virtual memory pages residing in it). The last owner of the page (usually the VM, except in swapoff) has to clear the dirty flag before freeing the page. When being swapped off in swapoff it may be a little more complicated -- we may need to grab the pagecache_lock to ensure nobody starts using the page while we clear it.
So, Andrea went and did the following: All physical pages are now divided into active and inactive pages. These two are further divided into dirty and clean for both active and inactive. When the active dirty pages become about 66 percent of the total number of pages, the VM starts to scan them for the oldest ones to be put into inactive dirty and then, later still, from there to the swap when memory becomes tight. This part is very central to the new VM and its simplicity is...well, simply stunning.
This elegant mechanism totally changes the behavior of the 2.4.10 kernel under heavy load and also makes for much better predictability of the system. Another very important change is that the swap is now additional to the RAM, just like in 2.2 times. All earlier 2.4 kernels (since 2.3.12) needed at least the same amount of RAM in swap and then more to give you additional virtual memory. This meant that on an 8-GB server, you needed to put aside almost a full 9-GB disk just to be able to swap, similar to some versions of Solaris or other UNIXes.
Finally, the page scanner doesn't page scan if there are theoretically no freeable pages, whereas before it did. Oh, and the OOM killer never really worked, so Andrea disabled it, as I did for all my kernels. In 2.4.12 it is enabled again; this time, however, it works much better. Try it with the above program to see it in action.
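To make the four-list scheme concrete, here is a small simulation written for this archive page; it is not Andrea's kernel code and not part of the original column. The active/inactive and dirty/clean split and the two-thirds threshold come from the text; the array-based lists, tick-based ageing, and the swap-out counter are simplifications assumed for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAXPAGES 64

/* One physical frame in the toy model. */
struct page {
    int in_use;              /* 0 = frame is on the free list */
    int active;              /* 1 = active list, 0 = inactive list */
    int dirty;               /* 1 = modified since the last write-back */
    unsigned long last_used; /* tick of the last access: smaller = older */
};

struct vm {
    struct page pages[MAXPAGES];
    int npages;
    unsigned long tick;
    int writebacks;          /* simulated swap-outs of dirty inactive pages */
};

/* Reset the model to n frames (n <= MAXPAGES), all in use, inactive, clean. */
void vm_init(struct vm *vm, int n)
{
    memset(vm, 0, sizeof *vm);
    vm->npages = n > MAXPAGES ? MAXPAGES : n;
    for (int i = 0; i < vm->npages; i++)
        vm->pages[i].in_use = 1;
}

/* A process accesses frame id; a write makes it dirty. Any access puts the
 * page on the active list and refreshes its age. */
void vm_touch(struct vm *vm, int id, int write)
{
    struct page *p = &vm->pages[id];
    p->in_use = 1;
    p->active = 1;
    if (write)
        p->dirty = 1;
    p->last_used = ++vm->tick;
}

/* Number of in-use frames on the (active, dirty) list. */
int vm_count(const struct vm *vm, int active, int dirty)
{
    int n = 0;
    for (int i = 0; i < vm->npages; i++)
        if (vm->pages[i].in_use && vm->pages[i].active == active &&
            vm->pages[i].dirty == dirty)
            n++;
    return n;
}

/* Ageing: while the active set holds more than two thirds of all frames,
 * move the oldest active page to the inactive list. Returns how many moved. */
int vm_balance(struct vm *vm)
{
    int limit = vm->npages * 2 / 3, moved = 0;
    while (vm_count(vm, 1, 0) + vm_count(vm, 1, 1) > limit) {
        int oldest = -1;
        for (int i = 0; i < vm->npages; i++) {
            const struct page *p = &vm->pages[i];
            if (p->in_use && p->active &&
                (oldest < 0 || p->last_used < vm->pages[oldest].last_used))
                oldest = i;
        }
        vm->pages[oldest].active = 0;
        moved++;
    }
    return moved;
}

/* Reclaim up to want frames from the inactive list only: clean pages are
 * freed first (pass 0); dirty ones are written to swap, counted, then freed
 * (pass 1). Active pages are never stolen. Returns the number freed. */
int vm_reclaim(struct vm *vm, int want)
{
    int freed = 0;
    for (int pass = 0; pass < 2 && freed < want; pass++)
        for (int i = 0; i < vm->npages && freed < want; i++) {
            struct page *p = &vm->pages[i];
            if (!p->in_use || p->active || (pass == 0 && p->dirty))
                continue;
            if (p->dirty) {
                vm->writebacks++;
                p->dirty = 0;
            }
            p->in_use = 0;
            freed++;
        }
    return freed;
}

int main(void)
{
    struct vm vm;
    vm_init(&vm, 12);
    for (int i = 0; i < 12; i++)
        vm_touch(&vm, i, 1);  /* constructed workload: every frame written */
    int moved = vm_balance(&vm);     /* 12 active > 8: the 4 oldest go inactive */
    int freed = vm_reclaim(&vm, 2);  /* no clean inactive pages: 2 swap-outs */
    printf("deactivated %d, reclaimed %d, swap-outs %d\n",
           moved, freed, vm.writebacks);
    return 0;
}
```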
Arcangeli's VM is stable, acts predictably -- something that the old VM never really achieved -- and it makes the swap space look like it did in 2.2 days. Additionally, the design is much simpler and easier to understand. People will catch up fast with it.
However, many kernel hackers disagree. Upon the release of kernel 2.4.10, a virulent and sometimes aggressive debate flamed up, with many people trying to show why one of the two was a good VM and the other not. Some comments got a bit out of control, and only in the last two weeks or so has some calm been restored.
However, one nasty side effect stays. Alan Cox, the number two man after Linus Torvalds, does not yet like the new VM and in his own kernel tree (called the "ac tree") he still continues to use and patch the old VM. As a consequence, users and system administrators now find themselves facing two very different kernel trees to choose from: the official Linux tree and the Alan Cox tree. Quite often, latest patches to drivers and new features are only in Alan Cox's tree. Those who want to go with the official Linux source code may find themselves unable to apply the patches due to the different VM code all over. It is acceptable for the two trees to be different for a few days on such important subsystems like VM, but it is not acceptable to have them different for months and across many kernel versions.
Nobody has yet dared to speak of a Linux source fork, but this is dangerously close to one.
It became obvious that the VM up to 2.4.10 was a design liability. You can try to fix something that was designed badly, but it will never become a beauty. I think Linus' decision to scrap the old VM and go with the Arcangeli VM was courageous and right. Having a functioning and stable Linux box should not be deferred to 2.5 when we can do it already with 2.4.
Kernel Preemption
But apart from the VM issues, there are other lively debates in the kernel community. There was an interesting interview at http://kerneltrap.com/article.php?sid=328&mode=thread&order=0 with Robert Love, who is leading one of two projects trying to make the Linux kernel fully preemptible. Making the kernel preemptible means making it possible to interrupt whatever the kernel is doing (say, executing a system call) to process some other outstanding task and then return to its original task. Linux, as a multiprocessing OS, obviously always did that for user-land processes. However, many, just like Robert Love, feel that the fact that Linux up to now would not let itself be interrupted contributed to poor latency. Latency describes how quickly you can expect a response from your kernel when you actually need something from it. Note that Linux is not designed as a real-time OS (though there is at least one Linux real-time implementation somewhere), and therefore does not explicitly guarantee latency. User-land programs must be aware of this as, especially with kernel preemption, latencies can be very unpredictable.
Theoretically, an OS will answer faster if it can be interrupted. What does suffer from kernel preemption is the global throughput. If you have a task that needs n seconds within the kernel to complete (let's say executing a given system call takes 0.005 seconds), then all the interruptions add some overhead to switch from one kernel task to another. So, finishing the execution of that system call (in our example) will finally require n + o·p, where p is the frequency of switching and o the fixed overhead of one switch operation. Notice that kernel context switching does not invalidate the CPU cache, and is therefore not as expensive as process switching. However, kernel preemption will surely lead to a higher rate of switching from kernel space to user space, because upon preemption the scheduler might decide to give higher priority to a user process.
In other words, kernel preemption does decrease latency but slows down overall throughput. It's the math: nothing to be done against it.
Furthermore, in his interview, Robert Love heavily criticized Linus Torvalds for adopting Andrea Arcangeli's new VM in 2.4.10 and dropping the old van Riel VM.
Well, I did try the patch with kernel 2.4.12 and with pre13. While accurate measurement (which Robert Love provides with the preemption kernel patches) does indeed report an improvement in latency, for the life of me I have not noticed it on an empirical basis.
I really do appreciate Love's work, but I do not fully agree with some of his comments in the interview. First, as Linus himself said, if latency sucks in the kernel then we should check why it sucks, with or without preemptive scheduling. If the latency is bad in the stock kernel, then it should be fixed anyway.
The preemptive kernel 2.4.12 worked fine on my laptops and on my SGI 550 workstation where I do interactive work. The MP3 player very rarely skipped beats when doing heavy background work such as kernel compiling or opening large files in the editor. But for my servers and clusters, the decrease in performance and the unpredictability of latency is a problem. Also, some important patches will not apply to a Love-patched kernel. Mosix, the clustering kernel extension, does not patch correctly, and neither do some versions of the LIDS intrusion detection system.
It is up to each individual user to decide whether or not to use the patch, but it is important to understand the implications of using it.
Linux and FreeBSD Revisited
Upon returning home the other week after meeting with Andrea, I went to my lab and searched for the disk images of the server comparison I ran back in January of this year (of FreeBSD 4.1.1 versus Linux 2.4.0). I took the Compaq ML500 server I have been reviewing (2x 1-GHz CPUs, 2-GB RAM) and upgraded both the FreeBSD disk image to 4.4-Stable and the Linux version to 2.4.12. Then, I changed the memory down to 192-MB RAM so as to stress the VM system more. I also upgraded to the latest stable versions of Sendmail (8.12.1) and MySQL (version 3.23.42). Finally, I compiled everything with the latest version of gcc, 3.0.2, and tuned the two instances to the best of my knowledge (softupdates and increased maxusers for FreeBSD, and untouched default values for Linux).
The results were very interesting indeed. Since this benchmark is too much to be handled in this article, Byte.com will post it here soon for you to read.
The story of this article is that the 2.4 kernel has finally grown up with the 2.4.10 release. Not many users outside the relatively small kernel community realize that. Now you know about it, too. Spread the good news and immediately install 2.4.12 on your busy server. The server will thank you for it.
Moshe Bar is a systems administrator and OS researcher who started learning UNIX on a PDP-11 with AT&T UNIX Release 6, back in 1981. Moshe has a M.Sc and a Ph.D. in computer science and writes UNIX-related books.
For more of Moshe's columns, visit the Serving With Linux index page.
-
Re:Windows XP dumb terminal
Same with EsounD. When I'm in the mood, I run a really elegant setup where I run software across my 3 different (currently running; I've got a few more dormant ones
:P) machines (running different OSen... do that with XP) all simultaneously piping their audio through my server box to connect to my speakers. Right now I'm just plugged straight from my laptop into the speakers, mainly because the only apps I've been running on my other machines of late have been CLI stuff with no audio. But where was I? Oh yeah. EsounD is cool. -
Linux-Kernel Mailing List Info
Then tell them that on the linux-kernel mailing list:
linux-kernel@vger.kernel.org
You don't need to be subscribed to the list to successfully send stuff to it, so post away!
If you actually do want to subscribe to the list send a message to majordomo@vger.kernel.org with the following in the body:
subscribe linux-kernel malda@slashdot.org
where malda@slashdot.org will be replaced by your email address.
An archive of the list can be found at http://boudicca.tux.org/hypermail/linux-kernel/
Hope this helps! -
Linux-Kernel Mailing List Info
And just so people know where to throw their flames to:
linux-kernel@vger.kernel.org
You don't need to be subscribed to the list to successfully send stuff to it, so post away!
If you actually do want to subscribe to the list send a message to majordomo@vger.kernel.org with the following in the body:
subscribe linux-kernel malda@slashdot.org
where malda@slashdot.org will be replaced by your email address.
An archive of the list can be found at http://boudicca.tux.org/hypermail/linux-kernel/
Hope this helps! -
Re:Chantilly ..
Hick town eh?
Oh yeah, way out there in Fairfax County.
Funny, we have the NRO, one of the largest airports in the US, an 802.11b wireless network, SGI, a linux users group, and an Intel datacenter, not to mention also having a boatload of linux careers. Oh yeah, and don't forget that MAE-East often gets cut by cows chewing on the fiber out here in hickville. Oh, I forgot some little things like ThinkGeek, NSI, and ARIN.
Oh yeah, and that hick high school is getting me my CCNA.
I'm not even going to mention AOL, Erols, or the CIA.
But you get the picture.
- Cary -
Re:something else that should be said
Of course it should also be said that if you have a machine which you can test the new kernel on, expose it to as much different hardware, to as many different systems as possible, and check for bugs that would be useful. Making sure any bugs you do find are emailed to the kernel mailing list. The more people using the new kernels on systems which they don't mind the odd crash on the better. More eyes find more bugs.
-
I've always been pulling for XFS.
I guess I've always been partial to XFS and I hope that it becomes the new default filesystem for Linux.
This guy Dave (I forget his last name now), from sgi gave a presentation to the DC-LUG back in 1999 and talked about XFS and how sgi wanted to release it as GPL to become a core component of Linux. He also talked about the history of XFS and how they had to invent a new size prefix to describe how large a filesystem XFS could accommodate ("exo-byte" = 1024 Gb). XFS has been used by sgi for their MIPS and Cray machines ever since 1984, and now that sgi has donated it to the Linux community, I think we'd be remiss if we didn't welcome it with open arms.
But that's just MHO.
;) -
Re:Mandrake reviews
http://www.tux.org/pub/distributions/mandrake/iso seems useful.
I got my install ISO image there yesterday, and am getting the ext cd image today as we speak. Decent data rate.
Of course, now that I've mentioned it, I expect it to be
/.ed in no time. . . -
Re:Weird ...
If a firewall doesn't understand a packet, and wants to protect a server behind it, it should drop the packet.
Or the firewall manufacturer could be forward-thinking, realise that someday someone might have a useful reason to set that bit, and reject the packet, probably by sending a RSET with ECN unset. That way the experimental host can be notified of the problem, and can try again without ECN if it chooses.
I have no disagreement with firewalls being paranoid. I do disagree with firewalls dropping these packets silently. Especially seeing as upgrades fixing the problem have been available since mid-2000, according to here.
-Spiv.
-
Hilarious! RTFM, kind sir
Seriously, man. You are making reasoned arguments, I'll grant you that, but your basis is a bit dodgy.
Here's a link for ya. LKML FAQ on ECN. Nifty.
As an aside, I thought it was entirely funny watching that stairstep. Did you notice that you got totally outgunned on slashdot IDs? Every single person trying to reason with you had been around for longer than you, and your id indicates you're no slouch.
Anyway, it appears from the FAQ, the RFCs, and the circumstantial evidence of major vendors providing bug-fix patches for this thing that it's not a "deny by default" thing like blocking HTML tags, it's a real-deal out-of-spec problem, and networking vendors need to get their act together.
I didn't enable that option though, so I don't particularly care either way...
-
Please refer to the linux-kernel mailing list FAQ
Please refer to the bold, red warning prefacing the linux-kernel mailing list FAQ:
Hot off the Presses:
On 22-FEB-2001, vger.kernel.org will enable ECN. You may need to switch ISP in order to receive linux-kernel email. See the section on ECN for more details.
On 25-JAN-2001, David Miller announced that vger.kernel.org will enable ECN in 4 weeks time. This means if your email account is with an ISP which has a buggy router, you will no longer be able to receive linux-kernel mail (as well as other mailing lists hosted on vger). You should check if your ISP is ECN tolerant, and get them to fix their routers or switch to another ISP.
Of course, these are the same people that use the MAPS DUL to block dial-up modem users from posting to the linux-kernel mailing list. Rik van Riel threw a temper tantrum, saying the DUL was class prejudice based on internet connection and that "DUL is an unethical list to use because it assumes guilty by default. Anyway, since linux-kernel has chosen to not receive email from me I won't bother answering VM bugreports or anything here." Alan Cox quickly replied, "That's ok. Andrea will I am sure be happy to take over as maintainer [of the VM subsystem]."
-
Re:Thinkpads...
Actually, I installed (albeit with various bits of hackery) RH6.2 onto an X20 with the builtin modem and NIC not too long ago. You can download drivers for the modem from www.tux.org/pub/dclug/marvin/ltmodem-5.78e.tar.gz; there're details at walbran.org/sean/linux/stodolsk/. Admittedly, they're basically linux kernel modules that act as wrappers for a binary, but they do work.
I gotta say, the X20 is a nice piece of hardware. I was very reluctant to hand it over to the professor who bought it (I do IT stuff for UMass's CS department.)
The only machines I've seen that compare weight- and power-wise are Vaios, and they absolutely suck as far as hardware reliability goes. (On the other pseudopod, this same professor took a ThinkPad 600 into the Israeli desert for six months; it must be practically unkillable.) -
Holy mother of God!
Here are some gems. For the rest, check it out! I was literally in tears from laughing so hard...
*BSD users (and developers) are all complete jackasses, so you'll fit right in.
I know, I have a bit of a gut, but compared to Maddog, Nick Petreley or ESR, I'm a modern Adonis.
Virtually all users of Linux (and all other forms of Un*x) are unkempt, longhaired, beast-bearded dirty GNU hippies, and I am sick and tired of having to deal with them.
The person I have the greatest problem with is that (in)famous communist RMS. Now, RMS may have been responsible for GNU, the GPL, GCC and many other contributions to the computing community, but his stance, as well as stench, displayed in his essays and actions, nauseates me. I mean, with that filth-ridden beard of his, where does he have room to demand that people refer to Linux as GNU / Linux? When he is as clean-shaven as I, he may claim that right, but until then, he should go back to playing his little flute and dropping acid like there's no tomorrow. Honestly, if he doesn't shut his mouth and go back to reading Marx, I'm going to shut it for him. I am sorry to sound so harsh, but a little hygiene every once in a while is a Good Thing(TM). Makes me wish I'd gone with a closed source license back in the day.
Next in line of dirty scuzz-balls I have to deal with, and probably the worst thorn in my side, is Alan Cox, the primary coder of my kernel's TCP/IP stack (ha, what a joke!) and all around dirty GNU hippy. Alan views toothpaste the same way a vampire views garlic. The man's wife (who I spent a few years with at the University of Helsinki) often calls me crying in the middle of the night to complain of the rank, unbearable stench the man exudes after sex. On several occasions at trade shows, exhibitions and beer bashes, I have nearly fainted from the torrent of rotten odor that pours from every inch of his toxic person.
-- -
Re:of course they have
um actually...... http://boudicca.tux.org/hypermail/linux-kernel/this-week/0005.html
Look closely at the date on that post.
Now, open your mouth a little wider and put the other foot in. -
Slashdot's High Standards
If you can put this up, then you certainly need to put up Linus's message. He said he submitted it to slashdot.
-
Something a bit more recent...
...that I found via Google. The guy mentions that it would probably be over 2MB if it happened, but that wouldn't be a problem for someone with an 8MB Palm, or even a 4MB. I know I'd take out some of the games on my almost full Palm IIIx to make room for Perl if it was ported.
-
Re:And people wonder why RMS hasn't gotten anywher
What RMS doesn't understand is that this battle won't be won all at once.
Obviously he understands exactly that. He's been fighting the battle more years than anyone else.
The free software community needs to coexist with the proprietary world, and wean users gradually off proprietary software by offering superior alternatives. If RMS insists on stubbornly making it an all-or-nothing deal, he's most likely going to end up with nothing.
RMS doesn't agree. He sees no place for "the proprietary world", and his fanaticism has paid off. It is exactly because the GPL doesn't make concessions with our rights that, for example, Linux has been more widely adopted than other "free" OSes like BSD etc.
By the way, the correct name of the operating system is "Linux," not "GNU/Linux." It was named "Linux" by Linus Torvalds.
No, the correct term for the kernel is Linux. That's what Linus named. He has never named or distributed an operating system. See the LKML FAQ. Whether a Linux based operating system should be called GNU/Linux or just Linux is open to interpretation. Given that the user has very little interaction with the kernel there is certainly a strong argument for RMS' point of view. -
Re:Best way of reporting problems
First, try 2.4.1. Knowing if 2.4.1 works for you is vital in finding the bug.
Then, when you know what version broke the driver, you may or may not investigate further on your own. You might want to try some 2.4.2-preX kernel to further pin down the breakage.
Eventually, just file a bug report to the Linux kernel mailing list. Be sure to be as accurate as possible: describe your hardware and the symptoms as exact as possible. -
Writing one for the Linux kernel
I have proposed writing one more or less from scratch at the Linux Quality Database Project.
It's just a proposal so far, I want to find a few developers to collaborate with before I start, but I'm also writing and posting articles there on the general topic of making Free Software of better quality and also testing the kernel in particular.
While this doesn't provide an answer to your question, some of what I plan would be useful to think about in selecting a bugbase.
The number one feature that I wished to have in bugbases at companies I've worked at in the past was for the user to have an ability to describe a configuration of a machine and then give it a name in the database.
Each user would have some number, one or many, preset machine configurations, particularly the hardware configurations in my case, and the components of these configurations would be drawn from a database describing every piece of hardware that could conceivably be placed in a Linux box.
Then when you go to report a bug, you log in (so your contact info and presets are available), select the config that has the bug, and describe it.
For the Linux kernel, you'd paste in or upload your .config file (this is created by the kernel configuration process). Then kernel developers could do boolean searches, say "find me all the crashes involving TCP that had a WhizzyNet card installed but in which PPP is not configured in the kernel".
The other part of this is that it is meant to be easy to use for both those who test new kernels (to report bugs) and kernel developers (to research bug reports).
I got the idea to develop the database after subscribing to the linux-kernel mailing list to resolve a bug on my laptop during the 2.4.0-test series kernels.
I was able to work with the list to resolve the bug and see that the patch stuck in the kernel sources, but I felt that many people who might otherwise like to contribute to testing new kernels might be put off by the process of dealing with the list - it's not sufficient simply to report a bug, sometimes patches don't "stick" and you've got to hang around until you're sure your bug stays fixed, but linux-kernel has one of the highest amounts of traffic of any internet mailing list.
Michael D. Crawford
GoingWare Inc -
IMPORTANT: New Address for Bug Reports
As you will see in the Linux-Kernel Mailing List FAQ, the old server for the list (and most bug reports) at vger.rutgers.edu has died.
I just saw a very confused user posting to linux-kernel wondering where to send a report (he'd figured it out, but wasn't sure).
The correct, new address for bug report submissions is linux-kernel@vger.kernel.org
Same hostname, different domain.
If you're going to work with the new kernel, I highly recommend you browse the mailing list. But linux-kernel has one of the highest volumes of any internet mailing list so you probably don't want to actually subscribe (you don't have to subscribe to post, unlike many mailing lists).
Instead, read the list off an archive server. There are many of them. This search at Google will find you an archive
Michael D. Crawford
GoingWare Inc -
Let the Patches Begin: 2.4.0ac1
Why settle for 2.4.0 when you can get the very latest?: Linux 2.4.0ac1.
I got in before the Slashdot effect myself - I'm running 2.4.0-prerelease-ac5.
They have this time at Apple in the development of new hardware called freezing the ROMs. You have to do it so you can get them into production to include in the new machines. But development of ROM software doesn't stop, it just takes the form of RAM-based patches...
Michael D. Crawford
GoingWare Inc -
Conclusive evidence that AD is right
This is one of the funnest threads I've followed in /. for a long time. Doing a Google search on AtariDatacenter's real email string comes up with enough postings on geek topics that it seems highly credible that the owner of that email could have written the review. The best data point is this resume.
Doing the same thing for "Chris Chabot", the supposed author of the Review Board article does turn up a couple of semi-sophisticated computer related hits (needs help compiling a kernel), but in these cases Chris has a Review Board email address! ---> chabotc@reviewboard.com
I very much doubt that the review board is running a Sun E10K.
It seems pretty damn certain that the Review Board plagiarized these articles. Since "redir" was also the original submitter and a strident attacker of AD, I would give fat odds that he is "Chris Chabot" or at least a buddy of his.
But you got to hand it to the guy. Redir is a great handle for someone who redirects content from one site to another. -
Understand your architecture better
Why are you trying to write a C++ app using threads on linux? I can think of several reasons why you've picked the wrong three things to try to use together.
First of all, if you're going to do threads on linux, you're going to wind up debugging the race conditions in the standard library calls if you use C++. The GNU libstdc++ is not yet fully MT-safe. So, if your requirement is C++ and threads, you pretty much need to pick another platform other than linux.
Second, there's threads on linux. Linus spent a lot of effort to make sure that fork()+exec() work well under linux. There's three reasons to use multithreaded code: faster creation, faster context switches, and easier/faster message passing through shared memory in threads vs. e.g. SysV IPC. Under linux you don't get any gains for the context switches. Context switches for processes are only about 10% slower than context switches for threads under linux. You also don't win a whole lot in process creation which is faster under linux than thread creation is under solaris (plus pthread_create() is broken and slow under linux). You should consider looking at your programming model and seeing if good old fork() will work for you. If you don't believe me, check out this and the entire thread here. Also read this whole thread.
Then there's the fact that you've run into problems with the tools that you've got on linux not being adequate to handle threads. Not only is gdb broken, but strace isn't going to help you with threads either. And in disagreement to those who claim that printf() is good enough for everyone (e.g. Linus), I think that it's good to have many different debugging tools in your toolbox. Strace and reading corefiles in gdb usually are my first line of getting a handle on what the problem is, then I usually read the code and use printf()s. So this is another strike against threads under linux.
I can't speak on the virtues of C++ vs. Java. I'm merely a lowly sysadmin / system programmer who predominantly uses C. I do know though that lots of very good programmers make mistakes because they know how to program but don't understand the architecture of the systems that they're writing code for. They believe things like "threads are fast" without either hitting the linux-kernel mailing list or the linux sources to find out how threads and processes are actually implemented under linux.
So, if you're going to stick with threads then stay the hell away from Linux and use some other OS like Solaris. If you can avoid using threads, though, Linux may be a perfectly sufficient platform for you to use. Once you've made that choice, then you need to decide if you're going to use Java or C++ and I'm out of my league there.
And when you're considering if you should throw out threads, remember:
"We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil." - Donald Knuth
That suggests to me you shouldn't use pthreads unless you need to.
-
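The process-vs-thread context-switch comparison made in the post above can be measured rather than taken on faith. What follows is an added example, not code from the post or from any tux.org project: a one-byte pipe ping-pong driven first against a fork()ed child and then against a pthread, so that the two elapsed times can be compared on whatever kernel you run it on. The function names, the round count and the pipe-based protocol are my own choices.

```c
// Added example, not code from the post: pipe ping-pong between two processes
// and between two threads; round count and names are my own choices.
#define _GNU_SOURCE
#include <pthread.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

struct pingpong { int to_peer[2]; int from_peer[2]; int rounds; };
static double now_seconds(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec + ts.tv_nsec / 1e9;
}

static int make_pipes(struct pingpong *pp) {
    return (pipe(pp->to_peer) == 0 && pipe(pp->from_peer) == 0) ? 0 : -1;
}

static void close_pipes(struct pingpong *pp) {
    close(pp->to_peer[0]); close(pp->to_peer[1]);
    close(pp->from_peer[0]); close(pp->from_peer[1]);
}

/* Peer side: echo each byte back. Every round forces two context switches. */
static void *peer(void *arg) {
    struct pingpong *pp = arg;
    char c;
    for (int i = 0; i < pp->rounds; i++) {
        if (read(pp->to_peer[0], &c, 1) != 1) return (void *)1;
        if (write(pp->from_peer[1], &c, 1) != 1) return (void *)1;
    }
    return NULL;
}

/* Driver side: send one byte and block until its echo arrives. */
static int drive(struct pingpong *pp) {
    char c = 'x';
    for (int i = 0; i < pp->rounds; i++) {
        if (write(pp->to_peer[1], &c, 1) != 1) return -1;
        if (read(pp->from_peer[0], &c, 1) != 1) return -1;
    }
    return 0;
}

/* Ping-pong with a fork()ed child. Returns elapsed seconds, or -1.0 on error. */
double pingpong_processes(int rounds) {
    struct pingpong pp = { .rounds = rounds };
    if (make_pipes(&pp) != 0) return -1.0;
    double start = now_seconds();
    pid_t pid = fork();
    if (pid < 0) { close_pipes(&pp); return -1.0; }
    if (pid == 0) _exit(peer(&pp) == NULL ? 0 : 1);  /* child: echo, then exit */
    int rc = drive(&pp), status = 0;
    waitpid(pid, &status, 0);
    double elapsed = now_seconds() - start;
    close_pipes(&pp);
    if (rc != 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) return -1.0;
    return elapsed;
}

/* Same exchange with a pthread sharing the address space. */
double pingpong_threads(int rounds) {
    struct pingpong pp = { .rounds = rounds };
    if (make_pipes(&pp) != 0) return -1.0;
    double start = now_seconds();
    pthread_t t;
    if (pthread_create(&t, NULL, peer, &pp) != 0) { close_pipes(&pp); return -1.0; }
    int rc = drive(&pp);
    void *ret = NULL;
    pthread_join(t, &ret);
    double elapsed = now_seconds() - start;
    close_pipes(&pp);
    return (rc == 0 && ret == NULL) ? elapsed : -1.0;
}

int main(void) {
    int rounds = 20000;  /* enough round trips to average out scheduler noise */
    double p = pingpong_processes(rounds), t = pingpong_threads(rounds);
    printf("%d round trips, fork():   %.2f ms\n", rounds, p * 1000);
    printf("%d round trips, pthread:  %.2f ms\n", rounds, t * 1000);
    return (p < 0 || t < 0) ? 1 : 0;
}
```

Both variants block in the kernel on every read, so the numbers reflect scheduler and switch cost rather than the work done; run it pinned to one CPU (for example with taskset) if you want the switches to happen on a single core.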
Re:This is actually pretty cool.
While this may not be exactly what you're looking for, you might try DS3 for modem sharing. Or, something that I suspect is more what you're after is MSREDIR, a serial port redirector that is designed to let multiple people share multiple modems (an implementation of RFC 2217).
As for sound card sharing, while I haven't looked into this very much, it is probably not difficult to do it using the EsounD daemon. I think I may have tried this before using xmms to play across the network to a remote host. Quite cool if you ask me. -
Why Not Just Read Kernel Traffic?
Nailer asks:
With kernel 2.4 in the final stages of bug hunting, and on track for a December release, I thought it might be pertinent to discuss the future of Linux. What now?
If you are truly interested in Linux kernel development and the future of the OS, why not just subscribe to the Linux Kernel mailing list, browse the archive or read the digests on Kernel Traffic?
Slashdot is comprised primarily of Linux users not Linux developers. Questions like this are better sent to mailing lists frequented by the people who make these decisions than to a bunch of armchair critics. This article is similar to asking a bunch of random Windows users where Windows™ development should go and expecting a coherent answer.
Second Law of Blissful Ignorance -
Jon: your education in the humanities
Hi, Jon. On your homepage you indicate you majored in English and philosophy, rather than CS, mathematics, or the hard sciences. Has your background in the humanities allowed you to bring a unique approach to problem solving in the areas you're now exploring?
For example, much of "hardening" consists of finding poorly written code with buffer overruns and the like. But much of it also consists of cultural engineering/deengineering: how would a script kiddy approach this distribution? What sort of exploits generate the most prestige among fellow crackers/kiddies? That sort of thing. Did your humanities training (which is clearly still an active part of your life, what with all the poetry you write) give you a unique perspective that others lack?
(And on a personal note, did you ever forgive your girlfriend for her choice in that waiting-room?) -
Phase tree patch
ReiserFS is the way to go for large drives or for any data really. I hate to fsck.
Using ReiserFS just to avoid fscking up your filesystem when the power goes out? Once the new Tux2 phase tree patch to ext2 makes it into the kernel, ext2fs will be "atomic" to the point where the need to fsck with your partitions is dramatically reduced.
-
Emperor Has No Clothes
I'd like to know why people aren't interested in 2.4. Is it that it's been delayed so long it's like vaporware?
I'd say that the reason that people aren't interested in the 2.4 kernel is that they have lost faith in the development process.
Over the last two years, people have repeatedly posted on the LKML in one way or another that the emperor has no clothes. They've been nice, they've been rude, they've even posted good ideas and patches to provide some clothes. But, universally, the response from the LKML acolytes has been a variant of "the emperor isn't naked; he is in fact wearing a 3-piece suit, and if you don't like it, you can get your own emperor, you idiot."
It's very sad. Criticism is what keeps any public enterprise honest and productive, and the denizens of the LKML don't have any tolerance for it.
The linux development process has little direction, no planning, little to no leadership, meaningless feature freezes, and little to no documentation and guidelines. The kernel itself *is* spaghetti code inside, no matter what people say. They try to maintain control over what people use by not exporting some functions from the kernel .o files, but that's a bandaid, and a way to control who gets to work with the kernel more than what can be done with it. That the kernel is spaghetti code is one of the major reasons that 2.4 is so late, and so buggy. Just try to do some kernel programming, and you'll see, if you don't believe me. Take a look at the big, ugly union in the VFS. Figure out all the places that bdflush gets invoked, and the number of different ways to have a pinned buffer flushed by other parts of the kernel anyway. Look at the brokenness in the spinlocks and semaphores. Look at all the VM rewrites and the warring but both broken USB stacks. Check out the tendency of the VM OOM "feature" to kill random programs like X and kswapd. And don't forget all the race conditions.
It is very difficult to alter some part of Linux because of all the unintended consequences. It's difficult to get needed features and clean-ups into the kernel because of cronyism and a narrow-minded religious devotion to Posix. Go back and read up on the NTFS-streams thread for a good example of that (Alan and Viro actually invited everyone talking about streams to an off-list discussion, and then notified them that they had been added to their killfiles).
Clean code? Just look at the 2.4.0-test-pre-pooch-screw series of debacles, where the VM is rewritten every few weeks, and new features are tossed in while there's still massive bugs to fix in the code that's already there, and in spite of repeated "feature freezes". That would all be fine in a 2.3.x series kernel, but judging from the version number, "2.4.0-test" is supposed to be pretty stable except for bug fixes -- not have major features added and subsystems being rewritten.
Linux has terminal featureitis. No one wants to work on the hard things; they just want to add features. Quickly.
And Linus, to make things worse, claims that a kernel debugger is counter-productive; that debugging with printk puts hair on your chest. Never mind that you can't debug race conditions well, if at all, by adding printk statements everywhere, because they change the timing of the code when it runs. Never mind that essentially every other 'modern' OS includes a kernel debugger, and that many of those OSes are better designed, better implemented, and perform better and run more reliably than Linux (FreeBSD, HPUX, Solaris, and even NT come to mind).
Linus must be right. In fact, he's declared himself to be infallible -- he will not allow a kernel debugger to be added, and has publicly stated that he thinks people who use debuggers are dummies and that he won't work with them. But never mind that; he's the leader of the movementarians, Linux is our official OS, and we'll just get back to work on his lima bean farm and wait for him to wave out the window of his car at us, or splash us with mud as he drives by. And that would actually be fine, if he was actually a leader; that is, if he made decisions and stuck with them. But he doesn't do that. Refer to his "I'm a wimp" email. He'll occasionally toss in a new filesystem ("accidentally," Alan Cox recently suggested merely covering them up with his skip-a-number, backport and turn yourself around hokey-pokey versioning scheme. The real solution would be the one that software developers everywhere have always used, which is to:
- set realistic goals for a release
- defer any further feature creep until the next release
- concentrate on fixing bugs in the pre-release cycle
- aim for modularity, stable interfaces and good documentation to make upgrades and new feature addition easier and the learning curve less steep
- provide robust methods for troubleshooting the system to make development and debugging easier.
The most common response to criticism is a variant of "love it or leave it." Keep suggesting that we go write our own damn OS if we don't like it; your love it or leave it response will be accepted one day, and we will leave Linux. I actually think it would be a good idea for the major external linux players to fork the kernel, clean it up, and maintain their own version. I don't doubt that it would shortly become the defacto standard kernel, because it will be cleaner, more stable, more scalable, more extendible, and will probably be released on time and respect feature freezes. SGI, IBM, Reiser and a lot of other people and companies have a lot of good code and ideas to contribute, not to mention full-time developers, years of experience making scalable and robust systems, and a willingness to release all that work under the GPL. And if they fork the kernel, they can do it without having to be named "Ted", "Ingo", "Alan", "Linus" or "Rik".
One day the question will be, are *you* relevant? Why should we accept *your* code? Is it clean? Is it modular? Is it safe (see LWN article about C code with undefined behavior being included in the kernel). Of course, a fork can always be re-merged with the holy penguin pee version. In the meantime, all the people who want to run Linux on enterprise systems rather than PDAs and webpads can have a stable, working kernel with adequate features.
It would be useful if people would make substantive replies to this message, rather than engage in the usual comments about rioting, sending spam reports, saying "love it or leave it," moderating it as a troll, port-scanning my mail server, attempted hacks and other juvenile/illegal acts, sending spam reports, threatening violence, etc. Of course, substantive debate is really hard to come by on either the LKML or Slashdot, so I don't expect it. So, go ahead, get started telling me to sod off. I'll get back to switching over to FreeBSD, although I would prefer if someone would take up a rational refutation of this message instead. Show me the Emperor's Clothes.
________________________________________ -
Re:In the "what's new" box...
Actually, yeah, that's exactly it:
-Go to Blackdown's site.
-Click on "OK" when the window pops up asking if you want to get the plugin (it's the standard plugin download dialog box).
-It will (should?) take you to a page where you can download the Java plugin.
If you want to do things the slightly harder way (like I did a week ago; I jumped the gun:), you can go to Blackdown, click on Download, pick a mirror, go into JDK-1.3.0/i386/rc1 and grab j2re-1.3.0-RC1-linux-i386.tar.bz2. Then you can install the Java runtime yourself; it includes the plugin.
Of course, if you just want to get to the tarball with no searching, you can just click here.
Have fun! I am!
------------- -
Re:uh....
I don't think so. Check this message on LKML:
There was a historical reference, in the beginning, that implies that I was accusing Microsoft of using Linux code. The reality was that I offered to help them with the solution I was working on because of the huge mess that the great taskfile debate brought out. People were pointing out that because I was exposing how to abuse it in the kernel and that a policy of preventing harmful combinations was not acceptable. Since this information could/would/did spill over to the script kiddies, I thought it was the better part of valor (sp) to inform an acquaintance at Microsoft of the potential problem that they could see. -
And read the linux-kernel mailing list FAQ.
The linux-kernel mailing list FAQ contains a wealth of information relating to lkml.
As has been mentioned elsewhere, contacting the maintainer is the first, best step. For the particular would-be patch which inspired this story, the maintainer's name and email address is now listed at the top of the source for /usr/src/linux/arch/i386/traps.c in the 2.4.0-test7 kernel tree. This information was missing in the 2.2.x series tree. -
Don't get discouraged!
I had this experience myself a few months ago - I was having a problem compiling 2.3.48 and .49 with Athlon-specific kernel features turned on. I wound up fixing the problem - it was trivial - and posted this patch to the mailing list.
No one got back to me directly, and indeed it took two revisions of the kernel (but at that point they were coming out about twice a week) to get the fix "officially" in.
But, on the other hand: a lot of people were happy that I posted the patch, and the fix did eventually get included -- or at least, the problem got noticed and someone fixed it, albeit a different way.
The moral of the story: the developers don't have time to answer every email personally, but posting problems - and patches - to the list will help others and it will cause the problems to eventually get noticed and fixed. -
Visit Yorktown High School Linux User's Group
Yorktown High School Linux User's Group in Arlington, Virginia is a good place to get some ideas. Those kids are getting more experience than I do in my programming job! I want to go back to High School!
-
LoopSlack
Another way of partitionlessly installing Linux that a few distros (Mandrake and Suse, maybe others) are offering now is to use a loopback filesystem. I've had ZipSlack on my HD for a little bit and have become entirely too fed up with UMSDOS. So, with a little tweaking of the setup scripts, I installed LoopSlack to a 1.2G file. Kent Robotti has put together a prepackaged LoopLinux that is essentially the same thing.
Loopback-Root-FS-mini-HOWTO
LoopLinux
The easiest distribution to futz around with for stuff like this.
And if anyone cares to know what I did (which is a bit of a different approach than Kent took) feel free to ask. And yes, this is also essentially what BeOS Personal does.