[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-06 Thread Matthew Toseland
On Wed, Nov 06, 2002 at 05:55:48AM -0500, harik at chaos.ao.net wrote:
> On Thu, 31 Oct 2002, Matthew Toseland wrote:
> 
> > On Fri, Nov 01, 2002 at 12:17:42AM +0100, Anonymous wrote:
> 
> > Good point. So far this has only been implemented in startup (stop
> > people running perm nodes with invalid IP addresses), I am not (yet)
> > rejecting bad addresses from the routing table.
> 
> It would be reasonable to make an Access Control List
Um, it would be total overkill. You want it, implement it and we'll
consider putting it in though.
> 
> (Class/object/something) and re-use it for things like bad-references,
> who to bandwidth limit and who's allowed to access what port (or servlet
> inside fproxy)
> 
> If you give it the ability to handle domain names (localhost, *.nsa.gov)
> and CIDR netblocks (127.0.0.1, 192.168.0.0/16, 10.0.0.0/8) it'd handle
> everything we're trying to do right now.
> 
> Setting
> 
> BadRefrences=127/8,localhost,192.168/16,10/8,*.fr
> FCPAllow=127.0.0.1 
> FProxyAllow=127.0.0.1
> 
> as the default should handle what we want, while still allowing people
> to override it for test-networks.
> 
> --Dan
> 



-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/11/02.
http://freenetproject.org/



[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-06 Thread ha...@chaos.ao.net
On Thu, 31 Oct 2002, Matthew Toseland wrote:

> On Fri, Nov 01, 2002 at 12:17:42AM +0100, Anonymous wrote:

> Good point. So far this has only been implemented in startup (stop
> people running perm nodes with invalid IP addresses), I am not (yet)
> rejecting bad addresses from the routing table.

It would be reasonable to make an Access Control List

(Class/object/something) and re-use it for things like bad-references,
who to bandwidth limit and who's allowed to access what port (or servlet
inside fproxy)

If you give it the ability to handle domain names (localhost, *.nsa.gov)
and CIDR netblocks (127.0.0.1, 192.168.0.0/16, 10.0.0.0/8) it'd handle
everything we're trying to do right now.

Setting

BadRefrences=127/8,localhost,192.168/16,10/8,*.fr
FCPAllow=127.0.0.1 
FProxyAllow=127.0.0.1

as the default should handle what we want, while still allowing people
to override it for test-networks.

--Dan
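
Added example, not part of the original post and not Freenet code: one way the access control list proposed above could parse the BadRefrences / FCPAllow value format (short-form CIDR blocks plus hostname globs) and apply it to host:port references. The function names and the sample references are assumptions constructed for illustration.

```python
import fnmatch
import ipaddress

def parse_acl(spec):
    """Parse e.g. '127/8,localhost,192.168/16,10/8,*.fr' into (networks, name_globs)."""
    networks, globs = [], []
    for entry in (e.strip() for e in spec.split(",")):
        if not entry:
            continue
        addr, _, prefix = entry.partition("/")
        octets = addr.split(".")
        if len(octets) <= 4 and all(o.isdigit() for o in octets):
            if not prefix and len(octets) < 4:
                raise ValueError("short address needs a prefix length: " + entry)
            # Pad the short forms used in the post: '127/8' -> '127.0.0.0/8'.
            padded = ".".join(octets + ["0"] * (4 - len(octets)))
            networks.append(ipaddress.ip_network(padded + "/" + (prefix or "32")))
        else:
            globs.append(entry.lower().rstrip("."))
    return networks, globs

def matches(acl, host):
    """True if host (IP literal or DNS name) is covered by the parsed ACL."""
    networks, globs = acl
    host = host.strip().lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Numeric-looking but not a dotted quad: let the caller decide.
        if not host or set(host) <= set("0123456789."):
            raise ValueError("malformed numeric host: %r" % host)
        return any(fnmatch.fnmatchcase(host, g) for g in globs)
    return any(ip in net for net in networks)

def filter_references(refs, bad_acl):
    """Split 'host:port' references into (kept, rejected)."""
    kept, rejected = [], []
    for ref in refs:
        host = ref.rpartition(":")[0] or ref
        try:
            bad = matches(bad_acl, host)
        except ValueError:
            bad = True  # unparseable host: never keep it in the routing table
        (rejected if bad else kept).append(ref)
    return kept, rejected

# Constructed sample routing-table entries (hypothetical, not from a real node).
SAMPLE_REFS = [
    "127.0.0.1:19114", "localhost:19114", "127.44.3.2:8481",
    "192.168.1.20:8481", "10.9.8.7:8481", "node.example.fr:8481",
    "127.1:8481", "127.example.org:8481", "198.51.100.7:8481",
]
BAD = parse_acl("127/8,localhost,192.168/16,10/8,*.fr")
KEPT, REJECTED = filter_references(SAMPLE_REFS, BAD)
```

Passing an empty list, parse_acl(""), is the test-network override and keeps every well-formed reference. A name entry only sees the string in the reference, so a DNS name that resolves into 127/8 or 10/8 passes this filter and the resolved address needs the same check at connect time.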






[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-02 Thread Matthew Toseland
On Sat, Nov 02, 2002 at 05:29:58PM +0100, Robert Bihlmeyer wrote:
> First, I'd like to throw in that I've been running different nodes in
> a 192.168.x/24 net, and even on the same node (feeding one of them the
> 127.0.0.1:portnum reference of the other). So I don't think special
> casing addresses will work for all cases. I'm sure my setup is in the
> minority though...
> 
> Oskar Sandberg  writes:
> 
> > Personally, I would prefer if we had a general strategy of fighting bad 
> > references that worked well enough that we didn't need to worry about 
> > special casing those addresses that are "obviously wrong" given TCP and 
> > DNS on the general Internet.
> 
> That's obviously preferable.
> 
> > However, I guess the real question is, how many times do we attempt to 
> > contact these bad references before throwing them out? If it is large, 
> > then a lot of time and effort is being wasted.
> 
> Maybe we're doing it wrong then? A thread waiting for a timeout and a
> number of SYN packets should be all that is being wasted. Not
> something I'd lose much sleep over. I'm more concerned about somebody
> maliciously feeding lots of bad references into the system. Is there
> some DDoS potential here (announcing your-victim:80)?
No, adding a new invalid reference will usually displace an old working
one.
> 
> -- 
> Robbe



-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/11/02.
http://freenetproject.org/



[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-02 Thread Robert Bihlmeyer
First, I'd like to throw in that I've been running different nodes in
a 192.168.x/24 net, and even on the same node (feeding one of them the
127.0.0.1:portnum reference of the other). So I don't think special
casing addresses will work for all cases. I'm sure my setup is in the
minority though...

Oskar Sandberg  writes:

> Personally, I would prefer if we had a general strategy of fighting bad 
> references that worked well enough that we didn't need to worry about 
> special casing those addresses that are "obviously wrong" given TCP and 
> DNS on the general Internet.

That's obviously preferable.

> However, I guess the real question is, how many times do we attempt to 
> contact these bad references before throwing them out? If it is large, 
> then a lot of time and effort is being wasted.

Maybe we're doing it wrong then? A thread waiting for a timeout and a
number of SYN packets should be all that is being wasted. Not
something I'd lose much sleep over. I'm more concerned about somebody
maliciously feeding lots of bad references into the system. Is there
some DDoS potential here (announcing your-victim:80)?

-- 
Robbe





[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-01 Thread Oskar Sandberg
On Fri, Nov 01, 2002 at 08:13:18AM +, Roger Hayter wrote:
<> 
> Does it matter if there are stupid references?  Once they can't be 
> contacted, they get dropped anyway.  I know, my node is currently 
> dropping all references after an hour or two, because it can't reliably 
> contact any of them. (I know that's another question.)

Personally, I would prefer if we had a general strategy of fighting bad 
references that worked well enough that we didn't need to worry about 
special casing those addresses that are "obviously wrong" given TCP and 
DNS on the general Internet.

However, I guess the real question is, how many times do we attempt to 
contact these bad references before throwing them out? If it is large, 
then a lot of time and effort is being wasted.

It also might be helpful if the announcement is failed because of this, 
and the node's user is warned that it did somehow.

-- 

Oskar Sandberg
oskar at freenetproject.org

___
devl mailing list
devl at freenetproject.org
http://hawk.freenetproject.org/cgi-bin/mailman/listinfo/devl



[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-01 Thread Marco A. Calamari
At 19.00 31/10/02 -0500, you wrote:
>Matthew Toseland (toad at amphibian.dyndns.org) wrote:
>> On Fri, Nov 01, 2002 at 12:17:42AM +0100, Anonymous wrote:
>> > I think we need an auto-string-matching-filter with 'localhost' and
>> > startwith '127.' addresses which ignore that references.
>> What about 192.168. etc? We can block the same IPs that we already check
>> to bypass the bandwidth limiter.
>
>I can envision someone trying to set up a private Freenet for testing.
>If you block non-routable or loopback addresses by default (which
>I agree is a good idea), then there should be a config file setting
>for people to *not* block, so they can set up their private Freenets.

IMHO, this too is a good point (I did a private Freenet long ago ...)
What about blocking silly addresses always & putting in freenet.conf
a parameter to allow/disallow private addresses (guess the default
value)?

Ciao.   Marco


-- 
+ il  Progetto Freenet - segui il coniglio bianco+
* the Freenet  Project - follow the  white rabbit*
*   Marco A. Calamari    marcoc at dada.it    www.marcoc.it   *
* PGP RSA: ED84 3839 6C4D 3FFE 389F 209E 3128 5698   *
+ DSS/DH:  8F3E 5BAE 906F B416 9242 1C10 8661 24A9 BFCE 822B +






[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-01 Thread Roger Hayter
In message <000901c28133$b6b5acf0$4d0aff01 at srv1>, Anonymous 
 writes
>Hello,
>I think "it contains at least one '.'" strategy suggested by M. Toss-land is
>not enough.
>
>I've in my RTable some 'localhost' nodes but _also_ some '127.x.y.z:port'
>stupid reference.
>
>I think we need an auto-string-matching-filter with 'localhost' and
>startwith '127.' addresses which ignore that references.
>
>every ip starting with 127. is local computer!
>so it's stupid to reference it!
>
>regards, Anonymous.
>

Does it matter if there are stupid references?  Once they can't be 
contacted, they get dropped anyway.  I know, my node is currently 
dropping all references after an hour or two, because it can't reliably 
contact any of them. (I know that's another question.)
-- 
Roger Hayter




[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-11-01 Thread Anonymous
Hello,
I think "it contains at least one '.'" strategy suggested by M. Toss-land is
not enough.

I've in my RTable some 'localhost' nodes but _also_ some '127.x.y.z:port'
stupid reference.

I think we need an auto-string-matching-filter with 'localhost' and
startwith '127.' addresses which ignore that references.

every ip starting with 127. is local computer!
so it's stupid to reference it!

regards, Anonymous.








[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-10-31 Thread Matthew Toseland
On Fri, Nov 01, 2002 at 12:17:42AM +0100, Anonymous wrote:
> Hello,
> I think "it contains at least one '.'" strategy suggested by M. Toss-land is
Hmm.
> not enough.
Hmmm.
> 
> I've in my RTable some 'localhost' nodes but _also_ some '127.x.y.z:port'
> stupid reference.
Good point. So far this has only been implemented in startup (stop
people running perm nodes with invalid IP addresses), I am not (yet)
rejecting bad addresses from the routing table.
> 
> I think we need an auto-string-matching-filter with 'localhost' and
> startwith '127.' addresses which ignore that references.
What about 192.168. etc? We can block the same IPs that we already check
to bypass the bandwidth limiter.
> 
> every ip starting with 127. is local computer!
> so it's stupid to reference it!
> 
> regards, Anonymoose.
> 

-- 
Matthew Toseland
toad at amphibian.dyndns.org
amphibian at users.sourceforge.net
Freenet/Coldstore open source hacker.
Employed full time by Freenet Project Inc. from 11/9/02 to 11/11/02.
http://freenetproject.org/



[freenet-dev] 127.0.0.1 stupid node referenced! :(

2002-10-31 Thread Greg Wooledge
Matthew Toseland (toad at amphibian.dyndns.org) wrote:
> On Fri, Nov 01, 2002 at 12:17:42AM +0100, Anonymous wrote:
> > I think we need an auto-string-matching-filter with 'localhost' and
> > startwith '127.' addresses which ignore that references.
> What about 192.168. etc? We can block the same IPs that we already check
> to bypass the bandwidth limiter.

I can envision someone trying to set up a private Freenet for testing.
If you block non-routable or loopback addresses by default (which
I agree is a good idea), then there should be a config file setting
for people to *not* block, so they can set up their private Freenets.

-- 
Greg Wooledge  |   "Truth belongs to everybody."
greg at wooledge.org  |- The Red Hot Chili Peppers
http://wooledge.org/~greg/ |