gmane.linux.gentoo.user

Re: VPN vs LAN address hostname resolution

Michael Orlitzky — 2013-05-22T19:44:17

Can't this be changed? If you're running a script to update 20 hosts
files regularly, you're reinventing what DNS already does.



Both would solve the problem.

If the routers are the VPN gateways as well, you could decide e.g. that
a certain chunk of the VPN space belongs to location 1, and then have
the router at location 1 do the appropriate thing (all packets travel
through it, after all). This can be done directly with some VPN
software, or you can translate the addresses on the fly with iptables.

With a DNS server at each physical location, you just have the DNS
server at location 1 return the local (location 1) address instead of
the VPN address for any hostnames physically located at location 1.

Re: VPN vs LAN address hostname resolution

Samuraiii — 2013-05-22T19:35:30

On 2013-05-22 20:52, Michael Orlitzky wrote:
 The only result I got was a script which every 5 minutes checked all
possible addresses of given machine (my "network" is not big at all -
only eight machines and one network printer). So checking around 20
addreses is not big deal - but this approach feels clumsy and not
scalable to bigger networks (as have other users from list to deal with).

Script was just checking (by sftp with public ssh keys for unprivileged
account) if LAN (eth or wifi) address is up and if not it just assigned
address to hostname from vpn range (it did not accounted if machine is
up or down). And the just write new /etc/hosts.
Central dns is possible only in one part of network - only one machine
runs 24/7.
For me personally is not problem to remember where am I - but other
users need names instead of adresses.

Routers on both sides are just simple boxes which support only built-in
dhcp.
Central DNS and/or routed VPN does not solve problem of compute not in
any of "known" networks.

S

Re: Lightweight & Simple Proxy that supports upstream authentication

Heiko — 2013-05-22T19:08:09

authentication.
Internet access for its setup, but for some reason* my employer does not want 
to give the contractors a login for the corporate proxy.
corporate proxy using one of my credentials, and have the contractor use this 
simple proxy instead of the corporate one.
need caching, inter-proxy coordination, or other exotic stuff. Just a way to 
allow other people to authenticate against the corporate proxy using my 
credentials, but without giving my credentials away. 
one under my full control and nobody else's)

cntlm is what you looking for
http://cntlm.sourceforge.net/

It's available for linux and windows. Depending on your needs.

I'm using it for years and it's doing really well. It needs a little time to 
create a config file. But it's really powerful. It's even possible to provide 
your contractors a config file within your credentials. hint: see the -M 
option or just use it with interactive prompt (-I option).

heiko

Re: VPN vs LAN address hostname resolution

Michael Orlitzky — 2013-05-22T18:52:20

Which machines are joined to the VPN? For a location-to-location VPN,
the simplest thing to do would be to have your gateway routers
participate in the VPN and handle the routing appropriately. That way if
you're on the LAN at location 1 and you send a packet to another machine
on the same LAN (using its VPN address), the gateway router knows to
send the packet right back onto the LAN. No configuration necessary on
the hosts. You can use the same VPN addresses at both locations.

If that's not possible, set up a DNS resolver at each location and
return the appropriate (local or VPN) address.

Re: VPN vs LAN address hostname resolution

Michael Mol — 2013-05-22T18:40:13

What you're trying to accomplish is painfully difficult with IPv4. (If
you were using IPv6, I'd just point you at gai.conf, but AFAIK there is
no analog for IPv4.)

You may be far better served using a different VPN topology. (i.e.
n2n+IPsec, or having a VPN routing point at your network gateway)

(That said, if anyone knows a better way to do this, I'll be taking
notes, too...)

Re: VPN vs LAN address hostname resolution

Samuraiii — 2013-05-22T18:30:44

On 2013-05-22 19:52, Michael Mol wrote:
I'm sorry for mistake the subnet mask for both spaces IS 255.255.255.0.
so it is not overlapping at all.
I apologise for my mistake in notation.
still this is not (mainly) problem with routing but problem with
assigning name to address.
If I had superfast internet connection I would not mind and just use vpn
address space.
So basically i need to assign lan address to computer (laptop) which is
in same location (LAN) as other machines. And vpn address on all other
computers.

to illustrate:

hostname: foo
Location:1
address eth0: 10.1.1.3
address tap0: 10.2.2.3

hotname: bar
Location: 1
addresses are irrelevant
hosts entry for foo is 10.1.1.3 *(this is what I want to update if foo
moves to location 2 to 10.2.2.3)*

hosname baz
Location: 2
addresses are irrelevant
Hosts entry for foo is 10.2.2.3 *(this is what I want to update if foo
moves to location 2 to 10.1.1.3)*

Thank you or patience
S

Re: VPN vs LAN address hostname resolution

Michael Mol — 2013-05-22T17:52:09

To be clear, replacing /8 with /24 would do this:

10.1.1.0/8, as a "network", is really just 10.0.0.0/8. This is also true
of 10.2.2.0/8. The bits after the first 8 are irrelevant, since a /8 is
being used. Use /24 instead, in this case.

It would be good for Samuraiii to read up:

http://www.tcpipguide.com/free/t_IPAddressing.htm

Openssl 1.0.1c/d have serious issues?

Tanstaafl — 2013-05-22T17:49:47

Hello all,

1. dev-libs/openssl-1.0.1c is current stable version

2. Reliable sources on the postfix list claim c (and d) versions have 
'serious' issues:

On 2013-05-22 12:19 PM, Viktor Dukhovni wrote:
 > 1.0.1c has some known issues, you should use 1.0.1e.

and

On 2013-05-22 12:38 PM, Quanah Gibson-Mount <quanah< at >zimbra.com> wrote:
 > Both 1.0.1c and 1.0.1d had *serious* problems.  Unless you can
 > absolutely confirm that Gentoo has applied all of the patches from
 > both of those releases to their build, I would strongly advise you to
 > roll your own 1.0.1e release.
 >
 > --Quanah

So... can anyone comment on this? Does the stable version 1.0.1c apply 
patches to address these issues?

Re: howto on setting up rootfs on ZFS?

Robert David — 2013-05-22T17:46:29

Hi, 

I use grml livecd for various recovery/livecd purposes. I just
add an script to my boot partition to compile current zfs. Since it is
debian based it contains installation through aptitude. 

Robert.

/boot/zfs # ls
install_zfs*  spl-0.6.1.tar.gz  zfs_create  zfs-0.6.1.tar.gz

/boot/zfs # cat install_zfs
#!/bin/sh

aptitude update
aptitude install build-essential zlib1g-dev uuid-dev
aptitude install linux-headers-3.7-1-grml-amd64 

tar -xvzpf spl-0.6.1.tar.gz
tar -xvzpf zfs-0.6.1.tar.gz

cd spl-0.6.1
./configure --prefix=/
make
make install

cd ..
cd zfs-0.6.1
./configure --prefix=/
make 
make install

cd ..

rm -rf zfs-0.6.1
rm -rf spl-0.6.1


On Mon, 20 May 2013 13:52:33 -0400
Douglas J Hunley <doug.hunley< at >gmail.com> wrote:

Re: VPN vs LAN address hostname resolution

Michael Orlitzky — 2013-05-22T17:36:29

This isn't two networks, it's one network and you've got the VPN space
overlapping the LAN space. To oversimplify a little, Don't Do That.

Use a separate subnet for the VPN. Then traffic to the VPN will be
routed over the VPN interface as intended, but traffic to the LAN will
be routed over the LAN interface. This is what you want, but right now
the VPN and the LAN are the same network, so "routing to the LAN" is the
same as "routing to the VPN", and your network stack doesn't know what
to do with it.

VPN vs LAN address hostname resolution

Samuraiii — 2013-05-22T16:36:43

Hello,

I am trying to get hostname address resolution on my LAN and VPN with
one serious problem:
I have two "networks" eg. 10.1.1.0 and 10.2.2.0 which are representing
local address space for LAN (10.1.1.0/8) and VPN address space (10.2.2.0/8).
Every host has its own address "suffix" (eg. host foo has LAN address
10.1.1.3 and vpn address 10.2.2.3).
I would like to setup some sort resolution which would account for
availability of host on LAN:
If host foo is in same LAN and host bar the connection would be carried
through LAN interface with LAN address and NOT (as avahi is trying to
do) using VPN connection which is connecting through remote server and
is therefore *a lot* slower than LAN connection.
The LAN address is not available always but VPN is.


So my question is there something which would do this almost same as
avahi but would be capable of prioritizing interface/address?
 
Thank you for advice in advance
S

Re: Seamonkey and path to internet

Dale — 2013-05-22T14:55:42


Well, so far so good.  It sat here all night and most of yesterday and
it still works.  So, this setting fixed something. 

Thanks much.  Looks like I can stop closing and restarting now.  I was
beginning to think Linux was turning into windoze.  lol 

Dale

:-)  :-)

Re: Seamonkey and path to internet

Raffaele BELARDI — 2013-05-22T08:12:43

Looks like there's two variables with similar names:
network.dnsCacheExpiration (60)
Network.dnsCacheExpirationGracePeriod (2592000)

I only have the latter and the default seems fine according to:
http://forums.mozillazine.org/viewtopic.php?f=7&t=2680535
(5th post and down, on second page)

raf

Re: Seamonkey and path to internet

Alan McKinnon — 2013-05-22T07:51:15

Hmmm. Mine is set the same - 30 days.

I wonder how that could have happened when Mozilla's wiki recommends 60
seconds as default

Re: IPTables - Going Stateless

James — 2013-05-22T02:16:16




There are lots of tools and approaches to security. Here is something
you might want to investigate further: Stateless Firewall Filters:
great for fending off DDOS and such.......

Instead of the maginot wall (firewall router) several different
security devices can be layered in a serial path to perfrom
various and diffent security functions.

Here is a starting point by a fairly reputable routing vendor:

http://www.juniper.net/techpubs/en_US/junos12.2/topics/concept/firewall-filter-overview.html

http://www.juniper.net/techpubs/software/junos-security/junos-security10.3/junos-security-swconfig-interfaces-and-routing/topic-47671.html

http://www.juniper.net/techpubs/en_US/junos/topics/concept/firewall-filter-types.html


James

Re: problems merging python packages

Stroller — 2013-05-22T00:18:44

On 20 May 2013, at 13:54, Tamer Higazi wrote:


I was reluctant to reply at first, but since you haven't had any other responses in the last 24 hours, may I suggest that you:

1) re-read the "stupid response" and look up any words you don't understand.

2) address the concerns raised by the "stupid question".

3) refrain from top-posting on this list.


I might be misinterpreting your reply, and I apologise if I'm wrong, but it appears hostile or dismissive.

It appears to me like you have not fully understood the question, and your response looks like you're berating staticsafe for asking it. 

The question is not actually stupid (although it may or may not isolate your problem in the end) - staticsafe merely asked in a modest manner. 

If others share my interpretation of your response (hostile, dismissive &c) then it might explain why no-one else has stepped forward to assist you.

Obviously no-one can be blamed for making an error in a foreign language. If this is the cause of our collective misundersta

Re: Seamonkey and path to internet

James Cloos — 2013-05-22T00:15:38

D> I thought about renaming my config to *.old and trying that.  Thing is,
D> I have YEARS worth of emails on here that I don't want to lose or anything.

Start it with:

    seamonkey -no-remote -ProfileManager

create a new profile and then start that profile.

Does it still stop working?

You might need to run:

    seamonkey -P default

once after the experiment to ensure that starting seamonkey without args
defaults to the original profile again.

-JimC

Re: Re: IPTables - Going Stateless

Adam Carter — 2013-05-22T00:16:19

Anyone advocating stateless firewalls in 2013 deserves scrutiny. I would be
asking for some evidence there is a performance issue, and that the best
solution to the problem is to turn off stateful inspection.

Re: Re: IPTables - Going Stateless

Mike Gilbert — 2013-05-21T22:41:08

Most daemons send/receive on the same port on the server. The port
used by the /client/ is generally random.

An exception would be an FTP daemon, which uses port 20 for active
mode data connections, but a random port for passive data connections.
FTP is weird like that.

Re: Seamonkey and path to internet

Dale — 2013-05-21T21:36:22

Dang, that thing was set to like forever.  Default according to your
link was supposed to be like 60 or something.  Mine was set to over
250,000.  O_O 

Maybe that will fix this thing.  I seem to recall it would have "looking
up ****" at the bottom.  The **** is whatever website I was trying to
get to. 

I'm not sure this is it but thanks much!!  Should know pretty soon. 

Dale

:-)  :-)

Re: Seamonkey and path to internet

Michael Orlitzky — 2013-05-21T21:26:53

Try visiting an IP address instead of a hostname. There's an internal
DNS cache; if that's what's stopped working you can turn it off with
http://kb.mozillazine.org/Network.dnsCacheExpiration in about:config.
And hopefully that avoids the lookup entirely.