Thank you.

Although I can be pretty daft on occasion, I am trying to ``do the
right thing.''  It is not always easy knowing what that may be in a
variety of contexts.

For me, from my humble experience, when I do not know something, it
works best to try to summarize what it is that I know, especially when I
am asking for help.

Either this is an erroneous process on this list or I did a very poor
job of communicating, or both . . .

Whether or not I am believed, I always try to present the minimum amount
of data/information necessary to get to the next step.  For example, in
my original post, I hoped to either find somebody experienced with this
problem (highest hope) or, in lieu of that, suggestions on where to go
and what to do next.

Finally, today, I am receiving responses that address the latter.

Thank you.

Ray Olszewski wrote:
> 
> Michael -- It is unlikely that there is a lot of AOL expertise here on this
> list (others, please correct me if I am wrong), so the most valuable
> information to provide here would be a better description of what "users
> logging into AOL over our high speed internet connections" means ...
> particularly the "logging in" part.

OK -- good point.

[ snip ]

> In any case, I don't know if this is what the users at the offending
> workstations are doing, and really *you* are the only one in a position to
> find this out. So ...
> 
>         Are they running some proprietary AOL software that
>                 does secret things? (If so, what does sniffing
>                 the traffic tell you?)
> 
>         Are they just connecting to an http(s) site and
>                 authenticating themselves somehow? (Might this be
>                 launching spyware apps or the like?)
> 
>         Are they doing something else? (What?)

OK.

> I do note that you wrote ...
> 
> >We have been told that, apparently, logging into aol over a lan
> >connection results in some kind of connection to a special aol network.
> >I have never used aol and I do not understand this -- hence the first
> >two questions.
> 
> ... so please don't reply with one of your "read what I wrote more
> carefully" responses. Even if you don't know yet, only you are in a position
> to find out what the users at your client site are actually doing. We're
> troubleshooters here, not the Psychic Friends Network.
> 
> As a general matter, if what you are looking for is ONLY someone who has
> already seen the exact problem you are seeing and knows the exact answer,
> then what you've sent up to now is fine (and I'm wasting both your and my
> time by replying), since it is probably enough to find such a person. But in
> that case, you might do better on an AOL support list than here. And I am
> certainly not the person whose help you want.

To me, it is obvious that that is what I wanted; but, also obviously, it
was not so obvious to those who responded.  I am sorry for my poor
communications.

> If you want help analyzing something that is a new problem to all of us ...
> then my suggestion above is a good place to start. So are Jeff's suggestions
> (about reporting the routing table and such on an "offending" workstation
> when it is "logged in" to AOL).

Just as you say, ``We're ... not the Psychic Friends Network.''  Nor am
I!  What does it hurt to test the waters for somebody already
experienced in addressing these issues?  If there is one, I cannot know
it without asking; nor can I know that there is not one without asking. 
However, if there is, then a considerable amount of bandwidth is saved
by asking brief questions.

Also, I, for one, learn a lot regarding where to go and what to do next
by probing List Services (>20!), not the least of which is this one.  I
do not and cannot know everything, so I ask questions, starting simple
and progressing in complexity as need arises.  Is this a bad process?

> This would probably be a good topic to explore further, either here or on
> the -devel list, and that is why I am bothering to reply at all. It is (or
> may be) a concrete, and potentially widespread, instance of a general
> problem with firewalling ... what is the difference between a tunnel and a
> hole? If users can run software that punches hard-to-find holes in firewalls
> (and we know they can, as a general matter), what's a sysadmin to do?

YES!  This is exactly why I posted, yesterday.

Prior to yesterday, I had only noticed the aol connections; and, being
busy managing other fires across thousands of users, hundreds of servers
and dozens of networks, I put off in-depth root-cause analysis of these
issues and assumed that the martian-blocking nature of the firewalls was
adequate protection.

Then, I noticed the United Airlines log entry!

Yesterday, I questioned that assumption, took note of what I did know,
searched the archives and posted three (3) simple questions.

> But for that sort of discussion to work, you need to be interested enough in
> exploring the problem with us, not just finding a known answer quickly, to
> share the sorts of information I mention above and that others have already
> suggested. Your call.

Excusable or not, ``people who should know better fail'' set me off!

What followed in that post (NOTE: I am not picking on you, Jeff; but,
yours was the first response) was reference to dialup, which I thought
that I had precluded, and a summary:

        ``Insufficient data.''

This was inadequate to my task and offensive to me, since I did not know
where to go and what to do next.  That is why I asked the question --
why I am trying, in followups, to very carefully communicate to you and
others what I cannot know that you want to see.  Where in the
troubleshooting documents does it address this sort of situation?  I am
*NOT* saying that it is not in the docs; simply, that I do not know
where it is -- kindly, show me.

> Let me close with one specific response. You wrote:
> 
> >From the ``ll header'' entries
> >that accompany each martian, we have identified the mac address of
> >culprit workstations and determined that they are not dialing out on
> >modems; but, even if they were, I do not see any change to my
> >questioning.  What is the difference?
> 
> The difference is that holes caused by dialout workstations are old news,
> and there is really no way to address this problem at the firewall (except
> by blocking traffic routed through it with the martians rules, as you are
> already doing). So it's not really a LEAF issue.

Perhaps, this is ``old news'' to you; but, not to me -- hence, my
question.  Again, I do not find this in the troubleshooting docs, nor
did I find such in the archives.  Please, point me to the documentation
and I will rtfm . . .

[ snip ]

> >It may be interesting to know that aol installs a special ``adapter''
> >that is purported to behave similarly to a hardware nic.  In fact, on
> >win9x, at least, it is next to the nic in network neighborhood
> >properties and is near identically configured.
> 
> This certainly suggests to me that AOL is somehow tunneling through your
> firewall, causing the behaviors you note, and creating the sort of hole that
> is at least potentially exploitable. When you have access to an offending
> workstation, perhaps you will be able to tell us if this characteristic
> applies to the sorts of logins your users are doing or just to AOL's dial-up
> service.

Thank you, for this useful suggestion.  Do you know how to quantify
this?

Also, since I do not know everything there is to know about networks and
quantifying everything quantifiable about same, regarding your sniffer
questions, can you describe a simple, open source process to accomplish
these tasks?

Thank you, for a constructive post -- I learned a lot . . .

-- 

Best Regards,

mds
mds resource
888.250.3987

Dare to fix things before they break . . .

Our capacity for understanding is inversely proportional to how much we
think we know.  The more I know, the more I know I don't know . . .

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
