Problem is that NAT changes the address and port as packets are sent out. What you're talking about, TCP's "simultaneous open" behavior (when SYN packets cross on the wire), only applies if the addresses and ports on both sides are identical. But this can't happen with NAT.
Example: Two peers use a rendezvous server of some kind to agree on ports and addresses. Peer 1 uses address A1 and port P1; Peer 2 uses address A2 and port P2.
(A1,P1) -> (A2,P2)
(hits NAT box for Peer 1; port P1 translated to P3)
(A1,P3) -> (A2,P2)
(A2,P2) -> (A1,P1)
(hits NAT box for Peer 2; port P2 translated to P4)
(A2,P4) -> (A1,P1)
By the time these packets actually get on the Internet, they aren't using the same ports anymore, so it's not a simultaneous open.
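A small model of the translation this comment walks through, added here as an example (not code from the original post); the NAT also rewrites the source address to its own public one, as a real NAT does, and every address and port is a constructed placeholder:

```python
# Added example: a port-translating NAT and a check for whether two SYNs
# that cross on the wire still form a TCP simultaneous open.
from itertools import count

class Nat:
    """Each new outbound (src, dst) flow gets a fresh external port;
    inbound packets pass only if they match an existing mapping."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.ports = count(first_port)
        self.out = {}    # (inner src, dst) -> external port
        self.back = {}   # (external port, remote endpoint) -> inner src

    def outbound(self, src, dst):
        key = (src, dst)
        if key not in self.out:
            p = next(self.ports)
            self.out[key] = p
            self.back[(p, dst)] = src
        return ((self.public_ip, self.out[key]), dst)

    def inbound(self, src, dst):
        """dst is (public_ip, external port); None means the NAT drops it."""
        inner = self.back.get((dst[1], src))
        return None if inner is None else (src, inner)

def is_simultaneous_open(pkt_from_1, pkt_from_2):
    """True only if each SYN's (src, dst) is the mirror of the other's."""
    s1, d1 = pkt_from_1
    s2, d2 = pkt_from_2
    return s1 == d2 and s2 == d1

def demo():
    # constructed: inside addresses/ports (A1,P1) and (A2,P2)
    peer1, peer2 = ("10.0.0.5", 1111), ("10.0.1.7", 2222)
    nat1, nat2 = Nat("203.0.113.1"), Nat("203.0.113.2")
    # what the rendezvous server told each peer: the other NAT's public
    # address plus the port the other peer uses on the inside
    target2 = (nat2.public_ip, peer2[1])
    target1 = (nat1.public_ip, peer1[1])
    syn1 = nat1.outbound(peer1, target2)   # P1 becomes P3 (40000)
    syn2 = nat2.outbound(peer2, target1)   # P2 becomes P4 (40000)
    crossed = is_simultaneous_open(syn1, syn2)     # False: tuples differ
    delivered = nat1.inbound(syn2[0], syn2[1])     # None: no mapping
    return crossed, delivered
```

Without the NATs the two inside tuples mirror each other and the check succeeds, which is the case the comment says cannot occur once translation happens.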
I have Sprint PCS service on a Motorola StarTAC phone, and love it.
Its coverage is kinda spotty, but where it does work, I can plug it into the serial port on the back of my laptop with a cable from Motorola, and I can use it to connect to the Internet from anywhere. It's slow, but it's fine for reading email, or for downloading a document or program to work on during a delayed flight. Anybody know if other phones/services are able to do this nowadays?
I also wrote a program that lets me manipulate its addressbook from my Linux machine, which keeps me from having to type letters on its terrible little keypad. (see StarTalk)
Yuck. Do they let individual schools/businesses choose whether they want these types of sites blocked?
For this application, though, it sounds like he would want that type of thing blocked; users downloading software and installing it on your kiosk would be pretty irritating.
before we ended up dropping the project. They offer a service where you filter Internet access to only connect to their proxy, then you set up your Web browser to use it. They worry about finding inappropriate sites, which is a full-time job for several people. They have contacts in case you catch them allowing something they shouldn't be, or blocking something they shouldn't be.
Apart from not having to maintain a list of blocked sites, the nice thing about using a service is that the user can't just uninstall Net-Nanny from the PC to get around the restrictions; the restrictions are implemented on a router they do not have access to.
I also haven't heard any stories of N2H2 blocking sites critical of them, or blocking sites that contain anything other than obscene material, although I haven't actively looked.
When I played with them, I was able to find sites that weren't on their list, but it was hard, and they may have gotten better since then.
This is how the RBL was originally implemented. You take the RBL as a BGP feed to your router (or to gated), and it routes traffic destined to those addresses to the bit-bucket.
But they're still running IP on top of ATM; if they aren't, they aren't connected to the Internet. And they can set up filters where IP is converted to ATM, and where ATM is converted back to IP. We do this on all of our ATM circuits.
Do your terminal servers support a RADIUS attribute that specifies a filter? And does your RADIUS server let you build such a filter dynamically?
If so, this is pretty easy to do; I implemented it in an experimental copy of the Cistron RADIUS server that we played with for a while. Basically, I could send with each RADIUS acceptance packet a string attribute that would look something like this:
"drop if source != <address assigned>"
We use Bay Networks terminal servers, and they support an attribute like this. I don't know what kind of terminal servers you are using, but it would surprise me somewhat if they didn't also offer support for this.
It would really surprise me if this caused any significant load on your terminal servers; this check probably requires an additional 2-5% of CPU time over normal PPP overhead.
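Both halves of the filter described in this comment, added here as an example (not the Cistron RADIUS or Bay Networks code the comment refers to): the RADIUS side builds the "drop if source != <address assigned>" attribute, and a terminal-server side parses it into a per-session predicate; the rule grammar, function names and sample addresses are constructed for the example.

```python
# Added example: per-session anti-spoofing filter carried as a RADIUS
# string attribute, then enforced on packets arriving over that session.
import ipaddress
import re

# constructed grammar for the attribute shown in the comment
RULE = re.compile(r"^drop if source (!=|==) (\S+)$")

def build_attribute(assigned_ip):
    """RADIUS side: attribute sent with the Access-Accept for one session."""
    return f"drop if source != {ipaddress.ip_address(assigned_ip)}"

def parse_filter(attr):
    """Terminal-server side: turn the attribute into a predicate
    src_ip -> True when the packet must be dropped."""
    m = RULE.match(attr.strip())
    if not m:
        raise ValueError(f"unrecognised filter attribute: {attr!r}")
    op, addr = m.group(1), ipaddress.ip_address(m.group(2))
    if op == "!=":
        return lambda src: ipaddress.ip_address(src) != addr
    return lambda src: ipaddress.ip_address(src) == addr

def filter_session(attr, packet_sources):
    """Apply one session's filter; return (passed, dropped) source lists."""
    drop = parse_filter(attr)
    passed, dropped = [], []
    for src in packet_sources:
        (dropped if drop(src) else passed).append(src)
    return passed, dropped

def run_sample():
    attr = build_attribute("192.0.2.45")   # constructed assignment
    # constructed packets seen on this PPP session; the last two carry
    # source addresses the session was never assigned
    packets = ["192.0.2.45", "192.0.2.45", "192.0.2.46", "198.51.100.9"]
    return filter_session(attr, packets)
```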
This is generally considered an acceptable risk. This topic is discussed on the NANOG mailing list on a weekly basis; see the mailing list archives for more information.
The summary of what you'll see is a consensus that people who configure routers with different MTUs on different interfaces using RFC1918 address space, well, shouldn't do that. As long as they don't, you won't see any of the breakage that you describe above.
Generally, the solution to that is to do the checking on a border router, which handles a T1 or so and can easily spare the CPU cycles to check packets. That lets the routers in the core of your network, which may be bottlenecked by their CPU, not have to worry about it.
Some RADIUS servers and terminal servers can do filtering right above the PPP layer, which is ideal. Terminal servers generally have some spare cycles, and that prevents all routers from having to do this check.
Tunneling is generally the best way to do this, using something like L2TP. If you want your packets to appear to come from your satellite provider, you send them via normal, unforged IP to a server of theirs, which rewrites the address and resends it from their IP space. Somewhat less efficient, but much more controllable.
I can't believe that satellite services require forging of IP headers; that would not work with a large number of ISPs, including ours, and we have at least a handful of DirecPC customers.
If an ISP lets their customers forge IP packets, then there is no way to track down spammers, network attackers, or anything else. No reasonable ISP deliberately lets you forge IP packets. The only reason some do is because they don't have the time or the know-how to fix it.
You don't really get any useful type of anonymity from this anyways, since you can send forged packets but will never receive responses (because the packets are forged, the responses won't go to the right place). This prevents you from using TCP altogether, which makes it useless for email, Web browsing, pretty much anything except various types of attacks.
Further, the IP header has been used as a verification mechanism of the source for a long, long time. The UCB rlogin/rsh tools use this as their only security, and have been out since 4.2BSD was released in 1982.
By definition, you can't restrict redistribution of Open Source software, so with every Open Source program I'm aware of, zero-cost legal copies are available.
Zero cost certainly isn't the most important part of an Open Source program, but it isn't the least important part, either. There's nothing wrong with using Open Source software just because it's free and good.
To make this work under Windows, rather than to a proxy server, and configure everything on the Windows machine to go through the proxy via the forwarded port. Bring up Dial-Up Networking, start up ssh, and everything should Just Work.
That would force *everything* through the VPN, though, which might not be what you want.
If you used a copy of VMWare running Linux on the Windows laptop, that could act as the gateway. Set up host-only networking, give Linux control of the modem... Kinda crude, but it could (possibly) work.
If you only need SSH1, there is a free Windows plugin for TeraTerm that will do SSH. We use this in our office, with port-forwarding, to provide a secure TCP connection to our SQL database, and it works exceedingly well.
The plugin is called ttssh, and it's a tiny bit tricky to set up, but if you follow the instructions it will work.
Haven't looked at the license, but it is free for all uses, and comes with source code, as is TeraTerm.
For the server side, OpenSSH should work, although we use the F-Secure server.
The NAT would probably prevent you from sending the bastardized TCP request, and even if it didn't, the reply would go to the wrong place.
Try:
$ fwhois slashdot.org@whois.internic.net
I've done this for my StarTAC phone:
http://www.tir.com/~sgifford/startalk/
It includes programs to write to/from the addressbook, and a detailed analysis of the protocol used to communicate with the phone.
I'd love to take a look at your script, and see how the Samsung phones are different from Motorola. Where can I find a copy?
See bug #53080
Actually, we do know the exact terms of the publishing contract: http://mathworld.wolfram.com/docs/WeissteinBookContract.html
Looks like the problem is that he signed over copyright of the whole thing to CRC (see section 5).
GPG prevents anything from being paged out to disk using mlock(2) (if your OS allows it).
http://www.bess.net/
I've never done it, but it's certainly possible.
Is there any way to make this work under Windows?
I believe he was talking about the references to "pheasants" in your original post.
Try the patent office Web page:
http://www.uspto.gov/patft/