Re: [leaf-user] O.T. - Basic Openvpn question
Hi Erich,

> You will see by yourself, this goes to the list too

I guess it did - but it seems the signature itself was still stripped off. But at least the message made it through :-)

> I suspect this will address Erich's problem. However, it leaves the list open to nasty spam that's base64 encoded. I took a quick look at the python re module, and we may be able to utilize a negative lookahead assertion to filter non s/mime base64 messages.

> I guess closing the list to non_members would cut down a lot more spam than any filter could ever do

The leaf-lists have had member-only posting for as long as I can remember (which is why we don't see any Spam on the lists - or do you?). The Spam I was referring to is the stuff that gets forwarded to me because I'm the list admin (posts by non-members, bounces, posts that were held due to failing the content-check and so on).

The filters are to catch the more unusual stuff - Spam, that is posted to some Mailinglist to Webpage/Newsgroup portal, or the even more unusual case of Spam with a From that happens to be a subscribed user (this is more likely to happen with Viruses/Worms, since they tend to use From-addresses found in the address books of their victims).

So, the content filter is just an additional check, not the only one.

Martin

Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier. Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] O.T. - Basic Openvpn question
Hi Martin

Martin Hejl wrote:
> Hi Erich,
>
>> You will see by yourself, this goes to the list too
>
> I guess it did - but it seems the signature itself was still stripped off. But at least the message made it through :-)

Yes, it went through, funny that pgp signatures would make it, but then they are not mime encoded. Did anyone ever try pgp-mime?

cheers

Erich
Re: [leaf-user] O.T. - Basic Openvpn question
On Fri, 2007-02-09 at 03:42, Martin Hejl wrote:
>> You will see by yourself, this goes to the list too
>
> I guess it did - but it seems the signature itself was still stripped off. But at least the message made it through :-)

Martin,

I suspect the content filters are still stripping the signature. I'll look into the problem further, when time permits.

--
Mike Noyes mhnoyes at users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs
Re: [leaf-user] O.T. - Basic Openvpn question
Mike

Mike Noyes wrote:
> On Thu, 2007-02-08 at 12:37, Mike Noyes wrote:
>> Content-Type: application/x-pkcs7-signature; name=smime.p7s
>> Content-Transfer-Encoding: base64
>> Content-Disposition: attachment; filename=smime.p7s
>> Content-Description: S/MIME Cryptographic Signature
>>
>> I allowed all the content-types in his message yesterday. I now believe he is running into the base64 encoding filter. Note: prior to this message, I never saw a legitimate use for base64 encoding on a mailing list. I'll need to evaluate this issue further.
>
> Erich,
> I removed Content-Transfer-Encoding: base64 from Privacy options... [Spam filters]. Please try posting, and let me know if things work.

You will see by yourself, this goes to the list too

> Martin,
> I suspect this will address Erich's problem. However, it leaves the list open to nasty spam that's base64 encoded. I took a quick look at the python re module, and we may be able to utilize a negative lookahead assertion to filter non s/mime base64 messages.

I guess closing the list to non_members would cut down a lot more spam than any filter could ever do

My 0.02

Erich

> http://www.amk.ca/python/howto/regex/regex.html#SECTION00054
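
A per-part version of the negative-lookahead filter discussed in this thread, as an added example (not code from the list, its admins or Mailman): it flags base64-encoded MIME parts unless that same part is an S/MIME signature. The function name, the sample messages and the unprefixed `application/pkcs7-signature` type are assumptions made here.

```python
import re
from email import message_from_string

# Negative lookahead over ONE part's header block: match a base64
# Content-Transfer-Encoding unless that same part is a pkcs7 signature.
# (Accepting the unprefixed "pkcs7-signature" type is an assumption.)
NON_SMIME_BASE64 = re.compile(
    r"(?ims)\A(?!.*^content-type:\s*application/(?:x-)?pkcs7-signature\b)"
    r".*^content-transfer-encoding:\s*base64\s*$"
)


def base64_parts_to_hold(raw):
    """Return the content types of base64 parts that are not S/MIME signatures."""
    held = []
    for part in message_from_string(raw).walk():
        # Rebuild this part's own headers so the lookahead cannot be
        # satisfied by a signature header elsewhere in the message.
        block = "\n".join(f"{name}: {value}" for name, value in part.items())
        if NON_SMIME_BASE64.search(block):
            held.append(part.get_content_type())
    return held


# Constructed sample messages (not taken from the list archive).
SIGNATURE_PART = (
    "Content-Type: application/x-pkcs7-signature; name=smime.p7s\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment; filename=smime.p7s\n"
    "\n"
    "Q09OU1RSVUNURUQ=\n"
)
SIGNED = (
    "From: member@example.org\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "Content-Transfer-Encoding: 7bit\n"
    "\n"
    "Hello list\n"
    "--b1\n" + SIGNATURE_PART + "--b1--\n"
)
# Same signature part, but the body part is now base64-encoded HTML.
MIXED = SIGNED.replace(
    "Content-Type: text/plain\nContent-Transfer-Encoding: 7bit\n\nHello list\n",
    "Content-Type: text/html\nContent-Transfer-Encoding: base64\n\n"
    "PGI+Y29uc3RydWN0ZWQ8L2I+\n",
)

if __name__ == "__main__":
    print(base64_parts_to_hold(SIGNED))
    print(base64_parts_to_hold(MIXED))
```

Matching per part matters because `Content-Type` and `Content-Transfer-Encoding` are separate headers: a lookahead run over the whole message would let any base64 part through as soon as one signature part is attached.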
[leaf-user] O.T. - Basic Openvpn question
It would be convenient for me to be able to access my Linux machine on the network at the school where I work, from my XP machine at home through my Bering Leaf box. Without flogging through the many Openvpn docs or joining the mailing list, I thought I'd ask the question here, as several Leaf users seem to be doing a similar thing.

As I'll be going through the school server to enter the internal network, I'll probably need the network admins to make some allowance for this in their server configuration. What would they need to do before I can get started on either end of a VPN? If they can't or won't do what is required, then VPN would obviously be a non-starter!

Jim Ford
Re: [leaf-user] O.T. - Basic Openvpn question
(again without signature as the list appears not to accept S/MIME)

Jim

Jim Ford wrote:
> It would be convenient for me to be able to access my Linux machine on the network at the school where I work, from my XP machine at home through my Bering Leaf box. Without flogging through the many Openvpn docs or joining the mailing list, I thought I'd ask the question here, as several Leaf users seem to be doing a similar thing.
>
> As I'll be going through the school server to enter the internal network, I'll probably need the network admins to make some allowance for this in their server configuration. What would they need to do before I can get started on either end of a VPN?

They could either provide you with an openvpn server at the perimeter or port forward the openvpn traffic (default UDP 1194) to your openvpn server. If I was your network administrator I would probably do the first as once you have tunneled traffic through your linux server your internal network cannot be protected against you at the perimeter.

> If they can't or won't do what is required, then VPN would obviously be a non-starter!

You could set up an openvpn client on your linux machine at the school which would try to connect to your openvpn server at home. Typically outbound traffic is not as restricted on most sites. If outbound traffic on 1194 is restricted you could just as well use port 80 or even go through a http proxy.

Thus you can most probably circumvent _unfriendly_ (aka professional) administrators. ( I did not tell you you should ;-) )

cheers

Erich
Re: [leaf-user] O.T. - Basic Openvpn question
Jim Ford wrote:
> It would be convenient for me to be able to access my Linux machine on the network at the school where I work, from my XP machine at home through my Bering Leaf box. Without flogging through the many Openvpn docs or joining the mailing list, I thought I'd ask the question here, as several Leaf users seem to be doing a similar thing.
>
> As I'll be going through the school server to enter the internal network, I'll probably need the network admins to make some allowance for this in their server configuration. What would they need to do before I can get started on either end of a VPN? If they can't or won't do what is required, then VPN would obviously be a non-starter!

Please don't get me wrong - I can surely understand wanting to just get things done, without having to wade through tons of docs. But there are two things you should be aware of:

- I don't know what kind of school you're talking about, at many schools as well as businesses that I know, circumventing the in-place security to make a connection to another net is a reason to get fired. So, I'd be rather surprised if the admins simply agree to setting this up - unless they have a home office policy in place already, that happens to use OpenVPN. That is, unless you're the headmaster or another important part of the administration ;-)
- It actually helps to know what one is doing, instead of just following the advice from a mailing-list. Chances are, you'll run into problems (no matter how much people try to give you precise instructions). If you don't know what exactly you're doing, troubleshooting will be a mess.

Regarding what you'll need to tell the admins - it depends on what kind of setup you have at your school. If it's a proxy only environment, they might not have to do anything, since OpenVPN can operate through HTTP proxies just fine (at least it did, the last time I checked). It'll be slower, but it should work. But please, only do that after you've talked to the admin in charge of the proxy server, since that kind of thing _will_ show up in the log files, and any competent admin will figure out that something strange is going on rather quickly.

If you have a direct connection to the net that is protected by a firewall blocking inbound and outbound traffic, ask them to allow UDP traffic on port 1194 (or 5000, if you're using an old version of OpenVPN) - or any other UDP port1024 - you can set which port to use in the config file. If they don't block outgoing traffic at all, they might not have to do anything - as I said, what exactly needs to be done depends on the actual setup at your school.

I hope that helps (at least a little)

Martin
Re: [leaf-user] O.T. - Basic Openvpn question
Hi Erich,

> Thus you can most probably circumvent _unfriendly_ (aka professional) administrators. ( I did not tell you you should ;-) )

I am one of those unfriendly administrators - and anybody who tried to pull that kind of thing without talking to me or somebody else who's in charge first (and got caught - I cannot rule out that somebody smarter than me would be able to slip through) would have all network access revoked immediately, followed by some serious trouble from the administration.

Most work-places have policies ruling what's allowed regarding access to the computers/network, and usually, those don't include circumventing security measures.

I'm _not_ saying that Jim is wrong trying to do what he's trying to do (it may be in the best interest of his employer to do so) - but he should talk to the people in charge, rather than trying to get past them, IMHO.

Martin
Re: [leaf-user] O.T. - Basic Openvpn question
Hi Martin

Martin Hejl wrote:
> Hi Erich,
>
>> Thus you can most probably circumvent _unfriendly_ (aka professional) administrators. ( I did not tell you you should ;-) )
>
> I am one of those unfriendly administrators - and anybody who tried to pull that kind of thing without talking to me or somebody else who's in charge first (and got caught - I cannot rule out that somebody smarter than me would be able to slip through) would have all network access revoked immediately, followed by some serious trouble from the administration.
>
> Most work-places have policies ruling what's allowed regarding access to the computers/network, and usually, those don't include circumventing security measures.

Absolutely, I am one of those myself, but keeping information undisclosed does not enhance security. I would, in any case, suggest to have (if needed) a remote access policy which is supported by management.

Typically what happens to very restrictive shops is that one wise guy comes up and finds a way to fool us. So it is always better to open up under strict rules.

BTW, Do you know why the list drops S/MIME signed messages?

cheers

Erich
Re: [leaf-user] O.T. - Basic Openvpn question
Hi Erich,

> Absolutely, I am one of those myself, but keeping information undisclosed does not enhance security. I would, in any case, suggest to have (if needed) a remote access policy which is supported by management.

I agree. My main point really really was: don't try to work against the rules that usually are part of your work-contract, but work with them (unless you're on some sort of a mission to get fired).

Not allowing remote access isn't necessarily a measure of keeping information undisclosed - it's merely a measure to keep systems out of the local network that one has no control over. I have better things to do than to work through the aftermath caused by somebody connecting a worm/trojan/virus-infected computer/net to the net I'm responsible for...

Most large companies I know either require approved computers (usually supplied by the company) or some serious "we'll cut your throat if you cause any problems" contracts, before one can access their net remotely. And I don't blame them, even if those rules make daily work more difficult than needed at times.

> BTW, Do you know why the list drops S/MIME signed messages?

Same as a couple of months ago - seems to be a side-effect of the de-MIME function used on the list, to get rid of HTML and possible malware. I'm not aware of any way to get past that (last time we discussed that, I tried everything I could think of, and S/MIME messages would just not go through).

Maybe, part of it is that mailman re-writes the message (for the digest and to add the list-specific footer to the messages), which could break a signed message anyway. Maybe somebody more familiar with mailman and the supporting tools SF uses will be able to offer some ideas.

For now, all I know is that it's best to not send S/MIME message to our lists. Sorry about that.

Martin
Re: [leaf-user] O.T. - Basic Openvpn question
On Wed, 2007-02-07 at 15:18, Martin Hejl wrote:
>> BTW, Do you know why the list drops S/MIME signed messages?
>
> Same as a couple of months ago - seems to be a side-effect of the de-MIME function used on the list, to get rid of HTML and possible malware. I'm not aware of any way to get past that (last time we discussed that, I tried everything I could think of, and S/MIME messages would just not go through).
>
> Maybe, part of it is that mailman re-writes the message (for the digest and to add the list-specific footer to the messages), which could break a signed message anyway. Maybe somebody more familiar with mailman and the supporting tools SF uses will be able to offer some ideas.
>
> For now, all I know is that it's best to not send S/MIME message to our lists. Sorry about that.

Martin,

Would you like me to take a look?

--
Mike Noyes mhnoyes at users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs
Re: [leaf-user] O.T. - Basic Openvpn question
On Wed, 2007-02-07 at 14:51, Erich Titl wrote:
> BTW, Do you know why the list drops S/MIME signed messages?

Erich,

I just added application/pgp-signature to mailman content filtering pass_mime_types. Please let me know if it addresses your issue. If so, I'll need to modify our devel list also.

Thanks for bringing this issue to our attention.

--
Mike Noyes mhnoyes at users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
SF.net Projects: leaf, sitedocs