
Talk:Network Configuration (Advanced)

From FreeBSDwiki

Latest revision as of 14:40, 16 September 2007

The use of static routing is one of the cleverest networking configuration tricks I have learned, despite it being difficult to find information on how to do it on the internet. Therefore I thought I would write it up with a rather detailed example with which to explain how to utilise it. I invite anyone to help on re-working it if they feel the topic could be explained better!


IP 80.73.220.216

Not sure why but my userid User:DrModiford has been replaced by my internet IP. So it's me in case you're wondering!

some thoughts on this

IP/name: it's because you're not logged in.

dismissing subnetting with "and so on" is a disservice cos it's more complex than that, but I don't really see an easy way to explain it and not glaze people's eyes over. other than that small quibble (which I really don't know what to suggest to change, I'm just pointing it out), I would say excellent article, might want to mention VPNs in there somewhere (as static routes are used a lot in site-to-site VPN'ing (especially IPSec, although Jimbo prefers SSL/openSSL tunnels, they're the de facto standard...))

--Dave 18:14, 15 September 2007 (EDT)

yup, you just need to log in

anonymous edits are allowed, so you still get to contribute if you forget to log in but your name won't go on it. which kinda sucks for me 'cause I see 14+ edits from an IP address and think I'm gonna have to dig into the anti-spam again. =) Great article though, and I ESPECIALLY like the way you thought to work in the "defaultrouter" option explanation in rc.conf - that was one thing I remember knowing damn well what it was and what I wanted to set it to but having trouble figuring out HOW when I was first starting out. =) --Jimbo 18:23, 15 September 2007 (EDT)

another suggestion

consider adding a section on using route to check your current routes and change them (e.g., route add, route del etc etc). I would do it but uh, I'm lazy. you've done such great work already that I don't want to step on your toes.

--Dave 20:11, 15 September 2007 (EDT)

Thanks for the feedback

Thanks guys, much appreciated feedback! I had logged in but I guess the cookie or whatever had lapsed and I became a number (much like in real life I guess!).

The 'route' command is a good suggestion. Give me a chance to try the command on my FreeBSD box in the office (a Wikipedia server itself) and I'll write up some notes on it.

The VPN option is a valid point. We use CheckPoint Secure Firewall for that purpose (and it's to Hong Kong not Cayman Islands as per my example, but the rest of it is valid). I only have personal experience of this system and personally using SmoothWall. That's not to say I wouldn't be willing to write it up with some pointers but I have minimal foundation of tunneling using SSH/SSL. To me SSH is wrapped in PuTTY and is how I console to my boxes!

Jimbo, you say that anonymous edits are permitted. Is this intended to allow anyone to contribute? I think most people who are serious about contributing wouldn't take issue with having to sign-up and sign-in to do so - perhaps that's me personally. What do other contributors think?

the thing about requiring logins...

... is that it doesn't actually slow down the spammers: in fact what it does is encourage them to register several hundred accounts as rapidly as possible, at which point you are acquiring several hundred trash accounts per day as well as a couple hundred spam edits a day. (My countermeasures have blocked about 3000 spam edits so far this month.) And while reverting spam edits (that get through the defenses) is relatively easy, deleting trash accounts is a screaming PAIN. You actually have to do it from the MySQL console itself; MediaWiki has zero provision built in for deleting user accounts (and "banning" user accounts just means in a matter of months you have a couple hundred real user accounts buried in THOUSANDS of banned "accounts" and plenty more random-generated trash names coming in every day).

Also, you'd be surprised how often an anonymous will revert a spam, if you let them. Or just make a tiny little one or two word fix. Not only are those edits worthwhile in and of themselves, I think they encourage that same person to feel like they've done something valuable, and then come back and register and contribute more regularly. I know that's how Wikipedia itself got me. --Jimbo 12:34, 16 September 2007 (EDT)

and incidentally, check out the OpenVPN article =)

You might find it pretty interesting. With OpenVPN and a very little work, you can duplicate or even improve upon the setup you're describing in your article with a single server in each office and a single internet link in each office. Which may or may not be something your company needs or wants, but it's a pretty sweet capability to have for next to nothing anyway - internet links are DRASTICALLY less expensive than WAN links! =) --Jimbo 12:37, 16 September 2007 (EDT)

vpn'ing and routes

Generally you'll find one of two setups: a firewall/VPN system that does it all OR a firewall and a separate VPN system (usually in a DMZ outside the FW) that allows folks in. In the first scenario, you don't need routing -- the FW is your gateway of last resort anyway, and all your traffic goes there no matter what, so who cares? -- but in the 2nd scenario, you only want your VPN traffic going to the VPN server and if it winds up at your FW, it's just gonna sit there doing nothing useful except annoying users and you. Hence, routes on your FW for VPNs.

--Dave 13:43, 16 September 2007 (EDT)

the thing about requiring logins...

...that told me then!

[slowly steps away from the conversation...]

my typical VPN scenario

... fwiw, is a dedicated hardware router (something along the lines of a Netgear ProSafe firewall) serving as default gateway, with a static route programmed into it that diverts VPN traffic back inside the LAN to an OpenVPN server, which routes the traffic wherever it should ultimately go. That way you can leave the machines on the LAN configured normally and not have to worry about the VPN anywhere except the firewall and the OpenVPN server. --Jimbo 15:40, 16 September 2007 (EDT)
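The two points made in the posts above (Jimbo's static route that diverts remote-site traffic to an OpenVPN server inside the LAN, and Dave's warning that VPN traffic which lands on the firewall instead "sits there doing nothing useful") as an added shell example; it is not part of this talk page or of FreeBSDwiki. It shows the FreeBSD rc.conf form of such a route (the `static_routes` / `route_<name>` variables are FreeBSD's standard rc.conf(5) mechanism, the same file that holds `defaultrouter`) and a small check that parses `netstat -rn` output to confirm the remote network really goes to the VPN box and not to the default gateway. The addresses, the route name `remote`, the sample routing table and the helper functions are all constructed for this illustration.

```shell
#!/bin/sh
# Added example, not from the wiki page or its authors.
# Assumed (constructed) addresses:
#   LAN             192.168.1.0/24, default gateway = hardware firewall 192.168.1.1
#   OpenVPN server  192.168.1.10, on the LAN
#   remote office   10.20.0.0/16, reachable only through the OpenVPN server
#
# The rc.conf lines this produces are equivalent to running, as root:
#   route add -net 10.20.0.0/16 192.168.1.10
# A missing or wrong route here is the failure Dave describes: packets for
# 10.20.0.0/16 follow the default route to the firewall and are dropped there.

# Print the rc.conf static route for a remote network via a gateway.
# $1 = route name, $2 = remote network (CIDR), $3 = gateway to use
rc_static_route() {
  printf 'static_routes="%s"\nroute_%s="-net %s %s"\n' "$1" "$1" "$2" "$3"
}

# Read `netstat -rn` style output on stdin and print the gateway used for
# the destination given in $1, or "MISSING" if there is no such entry.
route_gateway_for() {
  awk -v dst="$1" '$1 == dst { print $2; found = 1 }
                   END { if (!found) print "MISSING" }'
}

# Constructed sample of `netstat -rn` output from a FreeBSD host on the LAN
# once the static route is in place (it is not real captured output).
SAMPLE_ROUTES='Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.1.1        UGS         em0
10.20.0.0/16       192.168.1.10       UGS         em0
127.0.0.1          link#2             UH          lo0
192.168.1.0/24     link#1             U           em0
192.168.1.20       link#1             UHS         lo0'

# Check that traffic for the remote network ($1) is sent to the expected
# gateway ($2). Returns 0 on success, 1 if it would go elsewhere (for
# example to the default gateway) or no route exists at all.
check_vpn_route() {
  gw=$(printf '%s\n' "$SAMPLE_ROUTES" | route_gateway_for "$1")
  if [ "$gw" = "$2" ]; then
    echo "ok: $1 -> $2"
    return 0
  fi
  echo "WRONG: $1 routes via $gw (expected $2)"
  return 1
}

# Generate the rc.conf fragment, then verify the resulting table.
rc_static_route remote 10.20.0.0/16 192.168.1.10
check_vpn_route 10.20.0.0/16 192.168.1.10
```

On a real host, replace `SAMPLE_ROUTES` with the output of `netstat -rn` and run the check from each LAN machine (or from the firewall, in Dave's second scenario) after changing rc.conf; a result of `MISSING` or a gateway equal to the default router means the remote site is unreachable even though the tunnel itself is up.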
