Rob, I'm currently using a FreeS/WAN ipsec vpn. I've set it up for a client in Portland to be able to work from home on his win2k system and NT network (freeswan+netfilter firewall). And on my network. Freeswan/netfilter firewall. Home system on cable (some vpns have problems with cable), and on my laptop.

Freeswan was a pain to set up. I could duplicate it quickly now that I've worked through it. It is a reliable and stable product; however, the documentation, while extensive, is certainly lacking in some areas, specifically in the area of what to do when it doesn't work. Setup and administration of it requires reading a lot of documentation. I've only used freeswan over a 256k DSL. Soon I will be using it regularly over a T1. Any speed degradation is negligible. Plus I believe freeswan does some compression, so it is possible to break even or get more bandwidth! Certainly the functionality provided far exceeds the cost of 2-3% bandwidth!

Cory

On Sat, Oct 06, 2001 at 12:01:13AM -0700, Multiple recipients of list wrote:
>
> EUG-LUG Digest 247
>
> Topics covered in this issue include:
>
> 1) Re: iPaq
> by Bob Miller <[EMAIL PROTECTED]>
> 2) Re: iPaq
> by Linux Rocks ! <[EMAIL PROTECTED]>
> 3) Firewall Featuritis
> by Bob Miller <[EMAIL PROTECTED]>
> 4) Re: Firewall Featuritis
> by Ben Barrett <[EMAIL PROTECTED]>
> 5) Hardware salvage?
> by "Dan Robinson" <[EMAIL PROTECTED]>
> 6) RE: Hardware salvage?
> by "Garl Grigsby" <[EMAIL PROTECTED]>
> 7) Re: Hardware salvage?
> by Ralph Zeller <[EMAIL PROTECTED]>
> 8) Re: Firewall Featuritis
> by Seth Cohn <[EMAIL PROTECTED]>
> 9) Re: Firewall Featuritis
> by Jacob Meuser <[EMAIL PROTECTED]>
> 10) Re: Firewall Featuritis
> by Rob Hudson <[EMAIL PROTECTED]>
> 11) cheap books
> by Rob Hudson <[EMAIL PROTECTED]>
> 12) Re: Firewall Featuritis
> by Jacob Meuser <[EMAIL PROTECTED]>
> 13) Re: Firewall Featuritis
> by Bob Miller <[EMAIL PROTECTED]>
> 14) Re: Firewall Featuritis
> by Jacob Meuser <[EMAIL PROTECTED]>
>
> From: Bob Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3082] Re: iPaq
>
> Seth Cohn wrote:
>
> > It's not running Linux, but I'm not convinced that running Linux on a handheld is so hot right now... speed and ram are huge issues, and so far, I'm not impressed with the results.
>
> Jim Gettys is:
>
> an architect of the Linux on iPAQ project,
>
> one of the two inventors (with Bob Scheifler) of the X Window System,
>
> an old friend of mine from college.
>
> I ran into him at LinuxWorld '00. After the usual round of "where are they now", he showed me his Bitsy (iPAQ precursor). He said something like, "Sure it has enough RAM. It has 32 megs. We wrote X on VAX 750s with 4 megs. 32 meg is <ironic>more memory than you can ever use</ironic>." The StrongARM CPU is significantly faster, too.
>
> Fer you younguns, a VAX 750 was about the size of a washer/dryer. It travelled by forklift, and did not come with a leather pouch.
>
> --
> Bob Miller K<bob>
> kbobsoft software consulting
> http://kbobsoft.com [EMAIL PROTECTED]
> From: Linux Rocks ! <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3083] Re: iPaq
>
> no pouch? you got ripped dude!
>
> On Thursday 04 October 2001 08:27 am, you wrote:
> > Seth Cohn wrote:
> > > It's not running Linux, but I'm not convinced that running Linux on a handheld is so hot right now... speed and ram are huge issues, and so far, I'm not impressed with the results.
> >
> > Jim Gettys is:
> >
> > an architect of the Linux on iPAQ project,
> >
> > one of the two inventors (with Bob Scheifler) of the X Window System,
> >
> > an old friend of mine from college.
> >
> > I ran into him at LinuxWorld '00. After the usual round of "where are they now", he showed me his Bitsy (iPAQ precursor). He said something like, "Sure it has enough RAM. It has 32 megs. We wrote X on VAX 750s with 4 megs. 32 meg is <ironic>more memory than you can ever use</ironic>." The StrongARM CPU is significantly faster, too.
> >
> > Fer you younguns, a VAX 750 was about the size of a washer/dryer. It travelled by forklift, and did not come with a leather pouch.
> From: Bob Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3084] Firewall Featuritis
>
> As I understand it, it's conventional wisdom in the security world that one technique for improving security is partitioning. Keep different services on different boxes, so that if a box is compromised, the attackers are less likely to compromise further services.
>
> But all the prepackaged free firewall distributions I see(*) load up the firewall box with stuff like DHCP, DNS, Squid, and even groupware applications.
>
> Are all these distribution builders suffering from wrongheaded marketing-driven feature creep, or is partitioning overkill for a SOHO firewall?
>
> * E-Smith, Astaro Linux, Smoothwall, to name a few.
>
> --
> Bob Miller K<bob>
> kbobsoft software consulting
> http://kbobsoft.com [EMAIL PROTECTED]
> From: Ben Barrett <[EMAIL PROTECTED]>
> To: Bob Miller <[EMAIL PROTECTED]>
> cc: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3085] Re: Firewall Featuritis
>
> I think people want to be doing packet filtering everywhere possible just to satisfy the seeming need to feed paranoia, but time keeps proving that risks pop up in the strangest of places!
>
> See risks.org to find examples =^>
>
> cheerio
>
> Ben
>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> "slide" to www.euglug.org and benb.org ~ shanti ~ in lake'ch, my kin...
> Finally, I (this text) would be delighted to be included, in whole or in part, in your next discussion of self-reference. With that in mind, please allow me to apologize in advance for infecting you.
> From: "Dan Robinson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Subject: [EUG-LUG:3086] Hardware salvage?
>
> Hi, I'm a Linux novice and usually a lurker here, and over the last few weeks, way behind even in that. (I'm trying to stay a Windose novice also. I still prefer menu and KB mode, which I don't see emphasized much any more.) I don't have a Linux box I use yet, so I understand very little of the tech stuff here. I had hoped to get a second-hand laptop to put Linux on, partly because it would be a lot easier to bring to clinics, since I don't have a car.
>
> I heard that I could get a 386 laptop for $20 (and that such would run some versions of Linux w/o GUI). I didn't find any 386s available, but instead maybe a 486 for $50. It turned out the only one available was a TI Travel Mate 4000M for $100, from PC Parlor out on Hy 99 North. It also turned out that the "button" (stick?) mouse didn't work because of a broken cable (and a battery would cost about another $100). They said they would salvage a cable when they opened up another one, and meanwhile I could use an external mouse. I bought it, perhaps foolishly, and when I opened it up to take a look, found that the button and cable were one part. Several cursor keys also didn't work, perhaps because of broken clips on connectors of the main keyboard cables. I bought it about a month ago.
>
> I don't like using a mouse in the first place, and I can hardly say this is a laptop if it needs an external mouse, since there's no room for it on my lap. I find it not worth using as is, certainly not worth buying a battery for. They still haven't gotten the part, or other parts needed, or sent the instructions they said they downloaded, and they don't seem concerned about that. They said they made no guarantees, and of course all sales are final. PC Parlor is not a place I'd recommend doing business.
>
> Anyway, I'm looking for a "button" mouse assembly for the above (or is it somewhat generic?). Another possibility is someone who can splice a small mylar ribbon cable. Other parts might also be welcome, or a source for a similar inexpensive laptop. I guess it's partly that I hate throwing things away that can be salvaged.
>
> Dan Robinson [EMAIL PROTECTED]
> Eugene OR 97401 http://www.efn.org/~danrob/
> Subject: [EUG-LUG:3087] RE: Hardware salvage?
> From: "Garl Grigsby" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
>
> Well Dan, you are a lucky man. I was just on my way to the dumpster with (wait for it, wait for it) Ti laptop. Now it is not a 4000 series, but it is a TM5000 P75. I have no idea what is on it because the powersupply has grown legs. If you want it, you are more than welcome to it. At the very least you should be able to scavenge parts from it. Now it is not in what I would call good shape, but it does function. Let me know if you are interested.
>
> Garl
>
> -----Original Message-----
> From: Dan Robinson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 04, 2001 4:40 PM
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3086] Hardware salvage?
>
>
> Hi, I'm a Linux novice and usually a lurker here, and over the last few weeks, way behind even in that. (I'm trying to stay a Windose novice also. I still prefer menu and KB mode, which I don't see emphasized much any more.) I don't have a Linux box I use yet, so I understand very little of the tech stuff here. I had hoped to get a second-hand laptop to put Linux on, partly because it would be a lot easier to bring to clinics, since I don't have a car.
>
> I heard that I could get a 386 laptop for $20 (and that such would run some versions of Linux w/o GUI). I didn't find any 386s available, but instead maybe a 486 for $50. It turned out the only one available was a TI Travel Mate 4000M for $100, from PC Parlor out on Hy 99 North. It also turned out that the "button" (stick?) mouse didn't work because of a broken cable (and a battery would cost about another $100). They said they would salvage a cable when they opened up another one, and meanwhile I could use an external mouse. I bought it, perhaps foolishly, and when I opened it up to take a look, found that the button and cable were one part. Several cursor keys also didn't work, perhaps because of broken clips on connectors of the main keyboard cables. I bought it about a month ago.
>
> I don't like using a mouse in the first place, and I can hardly say this is a laptop if it needs an external mouse, since there's no room for it on my lap. I find it not worth using as is, certainly not worth buying a battery for. They still haven't gotten the part, or other parts needed, or sent the instructions they said they downloaded, and they don't seem concerned about that. They said they made no guarantees, and of course all sales are final. PC Parlor is not a place I'd recommend doing business.
>
> Anyway, I'm looking for a "button" mouse assembly for the above (or is it somewhat generic?). Another possibility is someone who can splice a small mylar ribbon cable. Other parts might also be welcome, or a source for a similar inexpensive laptop. I guess it's partly that I hate throwing things away that can be salvaged.
>
> Dan Robinson [EMAIL PROTECTED]
> Eugene OR 97401 http://www.efn.org/~danrob/
> To: [EMAIL PROTECTED]
> From: Ralph Zeller <[EMAIL PROTECTED]>
> Subject: [EUG-LUG:3088] Re: Hardware salvage?
>
> If you can get by with a 386 or 486 and without a gui, you might be just as well off without a mouse?
>
> At 04:39 PM 10/4/2001 -0700, "Dan Robinson" <[EMAIL PROTECTED]> wrote:
> >I heard that I could get a 386 laptop for $20 (and that such would run some versions of Linux w/o GUI). I didn't find any 386s available, but instead maybe a 486 for $50.
>
> >Anyway, I'm looking for a "button" mouse assembly for the above (or
> From: Seth Cohn <[EMAIL PROTECTED]>
> Subject: [EUG-LUG:3089] Re: Firewall Featuritis
> To: [EMAIL PROTECTED]
>
> Yeah, Bob, I'm looking at some of this and wondering where the line needs to be drawn...
>
> on one level, a little SMC or Linksys is the answer. But as Michelle said to me recently, they won't do stateful... and on the other end of the spectrum is the invisible firewalls she and Tim have done...
>
> But then a 'single box' is an attractive answer, but it's also a single point of failure.
>
> I'm thinking about this stuff a lot lately, because of the stuff I want to setup...
>
>
>
> --- Bob Miller <[EMAIL PROTECTED]> wrote:
> > As I understand it, it's conventional wisdom in the security world that one technique for improving security is partitioning. Keep different services on different boxes, so that if a box is compromised, the attackers are less likely to compromise further services.
> >
> > But all the prepackaged free firewall distributions I see(*) load up the firewall box with stuff like DHCP, DNS, Squid, and even groupware applications.
> >
> > Are all these distribution builders suffering from wrongheaded marketing-driven feature creep, or is partitioning overkill for a SOHO firewall?
> >
> > * E-Smith, Astaro Linux, Smoothwall, to name a few.
> >
> > --
> > Bob Miller K<bob>
> > kbobsoft software consulting
> > http://kbobsoft.com
> > [EMAIL PROTECTED]
>
>
> __________________________________________________
> Do You Yahoo!?
> NEW from Yahoo! GeoCities - quick and easy web site hosting, just $8.95/month.
> http://geocities.yahoo.com/ps/info1
> From: Jacob Meuser <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3090] Re: Firewall Featuritis
>
> On Thu, Oct 04, 2001 at 10:40:21PM -0700, Seth Cohn wrote:
> > Yeah, Bob, I'm looking at some of this and wondering where the line needs to be drawn...
> >
> > on one level, a little SMC or Linksys is the answer. But as Michelle said to me recently, they won't do stateful... and on the other end of the spectrum is the invisible firewalls she and Tim have done...
> >
> > But then a 'single box' is an attractive answer, but it's also a single point of failure.
> >
> > I'm thinking about this stuff a lot lately, because of the stuff I want to setup...
> >
>
> I'm pretty happy with my 486 running OpenBSD. Comes with a stateful packet filter (that's pretty easy to set up) and can be used in "invisible" bridge mode. And if I want to get fancy, it has everything I would need to make an IPsec vpn.
>
> Yes it does have things like apache and sendmail also, but chmod 0000 makes them pretty useless.
>
> Did I mention all that's needed for install is a single floppy and a network connection (to get two files - a kernel and a tarball)?
>
> Oh yeah, the next release, due out Dec. 1, will have integrated ALTQ.
> http://www.openbsd.org/cgi-bin/man.cgi?query=altq
>
> --
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> From: Rob Hudson <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3091] Re: Firewall Featuritis
>
>
> On 20011005.1353, Jacob Meuser said ...
> >
> > I'm pretty happy with my 486 running OpenBSD. Comes with a stateful packet filter (that's pretty easy to set up) and can be used in "invisible" bridge mode. And if I want to get fancy, it has everything I would need to make an IPsec vpn.
>
> I found this at freeswan.org:
>
> IPSEC is Internet Protocol SECurity. It uses strong cryptography to provide both authentication and encryption services. Authentication ensures that packets are from the right sender and have not been altered in transit. Encryption prevents unauthorised reading of packet contents.
>
> These services allow you to build secure tunnels through untrusted networks. Everything passing through the untrusted net is encrypted by the IPSEC gateway machine and decrypted by the gateway at the other end. The result is Virtual Private Network or VPN. This is a network which is effectively private even though it includes machines at several different sites connected by the insecure Internet.
>
>
> Would a common use for this be something like... 1 business having 3 branch offices, and them wanting a VPN between the 3, with secure encrypted transmissions along the untrusted internet? Something like that?
>
> It sounds pretty cool.
>
> What kind of performance loss is there with encrypting at the gateway? Does IPSEC just encrypt the data segment in the TCP/IP headers or something more? Where's a FAQ? I wanna know how it works. :)
>
> Thanks,
> Rob
>
> --
> Rob <rob_at_euglug_dot_net>
> my @euglugCode = qw(v+++ e--- eug+ bsd+++ gnu+ S+++);
> From: Rob Hudson <[EMAIL PROTECTED]>
> To: EUGLUG <[EMAIL PROTECTED]>
> Subject: [EUG-LUG:3092] cheap books
>
> EUGLUGers,
>
> I've ordered from this company before:
> http://www.edwardrhamilton.com/
>
> Recently I saw an O'Reilly book in their catalog so I decided to search the webpage for more. I found the following:
>
> MySQL and mSQL $5.95
> http://www.edwardrhamilton.com/titles/1/3/4/1349430.html
>
> USER FRIENDLY: The Comic Strip $4.95
> http://www.edwardrhamilton.com/titles/1/3/4/1349600.html
>
> You pay $3.50 shipping for any and all books you order. It's a good deal.
>
> Sorry for the blatant plug, but I know there are a lot of O'Reilly readers here, so I thought I'd share the find.
>
> -Rob
>
>
> --
> Rob <rob_at_euglug_dot_net>
> my @euglugCode = qw(v+++ e--- eug+ bsd+++ gnu+ S+++);
> From: Jacob Meuser <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3093] Re: Firewall Featuritis
>
> On Fri, Oct 05, 2001 at 02:21:26PM -0700, Rob Hudson wrote:
> >
> > What kind of performance loss is there with encrypting at the gateway? Does IPSEC just encrypt the data segment in the TCP/IP headers or something more? Where's a FAQ? I wanna know how it works. :)
> >
>
> Well, OpenBSD doesn't use Free S/WAN (or however it's written). OBSD's IPsec implementation is, um, "homegrown", from what I understand.
>
> Not a FAQ but a manpage:
> http://www.openbsd.org/cgi-bin/man.cgi?query=vpn
>
> Or on an OpenBSD box: man vpn
>
> You can probably find some tasty tidbits on the subject in the ml archives also. http://marc.theaimsgroup.com/?l=openbsd-misc
>
> --
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> From: Bob Miller <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3094] Re: Firewall Featuritis
>
> Rob Hudson wrote:
>
> > Would a common use for this be something like... 1 business having 3 branch offices, and them wanting a VPN between the 3, with secure encrypted transmissions along the untrusted internet? Something like that?
>
> Yes, that's one common scenario. The other is, imagine plugging your laptop in anywhere and having a secure channel back to the home office(s).
>
> > What kind of performance loss is there with encrypting at the gateway? Does IPSEC just encrypt the data segment in the TCP/IP headers or something more? Where's a FAQ? I wanna know how it works. :)
>
> Adds probably 20-30 bytes to each packet. For a 1K packet, that's 2-3% overhead. For anything slower than a T3, the computation time to do the encryption/decryption should be negligible compared to that 2-3% traffic increase.
>
> There's a fairly good description of the IPSEC protocols at the FreeS/WAN site.
>
> http://www.freeswan.org/freeswan_trees/freeswan-1.91/doc/ipsec.html
>
> --
> Bob Miller K<bob>
> kbobsoft software consulting
> http://kbobsoft.com [EMAIL PROTECTED]
> From: Jacob Meuser <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [EUG-LUG:3095] Re: Firewall Featuritis
>
> On Fri, Oct 05, 2001 at 01:53:55PM -0700, Jacob Meuser wrote:
> >
> > Did I mention all that's needed for install is a single floppy and a network connection (to get two files - a kernel and a tarball)?
> >
> Doh! make that three files - basexx.tgz, etc.tgz, a kernel. I always forget about etcxx.tgz, the etc-root-var setup files.
>
> --
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
> <[EMAIL PROTECTED]>
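Bob's per-packet overhead estimate and Rob's question about what IPsec actually encrypts come down to the ESP packet layout, which is easy to model. The calculator below is an added illustration, not code from this thread, from FreeS/WAN or from OpenBSD; it assumes ESP over IPv4 with a 64-bit block cipher and 8-byte IV (as with 3DES-CBC) and a 96-bit truncated HMAC (12-byte ICV), and all function names (`esp_overhead`, `overhead_percent`, `max_inner_packet`) are mine. Transport mode protects only the IP payload; tunnel mode wraps the whole original packet in a new outer IP header, which is what a gateway-to-gateway VPN does. It also answers a practical question the thread does not: the largest packet that still fits a 1500-byte link MTU once ESP is added, which is where "the VPN is up but big transfers stall" reports usually come from.

```python
"""Per-packet IPsec ESP overhead for a given IPv4 packet size.

Added example, not code from the EUG-LUG thread, FreeS/WAN or OpenBSD.
Assumed parameters: 64-bit cipher block and 8-byte IV (e.g. 3DES-CBC),
12-byte ICV (HMAC-MD5-96 / HMAC-SHA1-96), IPv4 without options.
"""

ESP_HEADER = 8      # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2     # pad length (1 byte) + next header (1 byte)
IPV4_HEADER = 20    # outer IP header added only in tunnel mode


def esp_overhead(pkt_len, tunnel=True, block=8, iv_len=8, icv_len=12):
    """Bytes ESP adds to an IPv4 packet of pkt_len bytes.

    tunnel=True  : whole original packet is encrypted, new outer header.
    tunnel=False : transport mode, only the IP payload is encrypted.
    """
    if pkt_len < IPV4_HEADER:
        raise ValueError("packet shorter than an IPv4 header")
    plaintext = pkt_len if tunnel else pkt_len - IPV4_HEADER
    # CBC requires plaintext + trailer to be a whole number of blocks.
    pad = (-(plaintext + ESP_TRAILER)) % block
    outer = IPV4_HEADER if tunnel else 0
    return outer + ESP_HEADER + iv_len + pad + ESP_TRAILER + icv_len


def overhead_percent(pkt_len, **kw):
    """ESP overhead as a percentage of the original packet size."""
    return 100.0 * esp_overhead(pkt_len, **kw) / pkt_len


def max_inner_packet(mtu, **kw):
    """Largest original packet that still fits the link MTU after ESP.

    Larger packets are fragmented (or dropped when DF is set), so this
    is the number to compare against the inner interfaces' MTU.
    """
    for size in range(mtu, IPV4_HEADER - 1, -1):
        if size + esp_overhead(size, **kw) <= mtu:
            return size
    raise ValueError("MTU too small to carry any ESP packet")


if __name__ == "__main__":
    for size in (64, 576, 1000, 1500):
        print(f"{size:5d} B  transport +{esp_overhead(size, tunnel=False):3d} B "
              f"({overhead_percent(size, tunnel=False):4.1f}%)  "
              f"tunnel +{esp_overhead(size):3d} B "
              f"({overhead_percent(size):4.1f}%)")
    print("largest packet that fits a 1500-byte MTU in tunnel mode:",
          max_inner_packet(1500))
```

With these assumed parameters a 1000-byte packet picks up 32 bytes in transport mode and 56 in tunnel mode (the outer header, IV and ICV are the fixed cost; padding varies with the payload length), and a 1500-byte MTU can carry at most a 1446-byte inner packet. Swapping in a 16-byte block cipher or a longer ICV only changes the arguments; the layout arithmetic stays the same.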
