On Wed, Oct 27, 2004 at 08:19:03AM +0200, BlueStar88 wrote:
> To *any port* at *any ip* and to *listen port*, that's fine with me.
> But I've noticed the use of *all local available ip addresses* for
> *outgoing* connections.
> Thought you've got that. You've said to avoid any unwanted
> connections I should use firewall rules using the ownership to label
> the packets. Dropping the packets at the output table would be a
> solution, but I think it's against the nature of the node to throw
> all the unwanted packets away.. there would be many useless threads..

No, don't drop them, just label them, on the source node. Then, on the
router, make sure the labelled packets only go to the desired interface.
Likewise make sure that the listenPort is only accessible from that
interface.

>
> The problem is the use of *all local IP addresses* bound to the
> network interface used for *outgoing* internet connections.

If you are running the firewall on a separate machine then the node will
only have one address on eth0..

>
> eth0   123.123.123.123
> eth0:1 123.123.123.124
> eth0:2 123.123.123.125
>
> In the example above it would use all of the three ips, to initiate
> outgoing connections. I don't know why.

Because that is how TCP/IP works, unless you explicitly bind an address.
Freenet has no way to know which address is preferred and in fact most
people will want it to use all 3 addresses.

> But that would make it look
> like three different hosts acting with one node-identity.

True, we don't properly support multi-homing yet.

> If I block
> the 2nd and 3rd address by firewall I'll lose 66% of the threads on
> trial initiated outgoing connections. The node does not know about
> the packets being dropped...
>
> It would confuse the freenet routing at the worst case!?
>
> I don't know exactly, but if I could bind to a specific ip instead
> of 0.0.0.0 there could be a chance to limit the use of only the same
> ip as source ip too..
>
> Is there a way to make the node use only one address!? Or is there
> generally no way to avoid the use of multiple virtual addresses on
> outgoing connections?

You ought to be able to make it work with the firewall rules. If you
can't, then you can hack the source. If you want me to do it that's fine
but you need to donate $100 to the project and give me a shell where I
can test it.

>
> >>In my opinion it makes a difference, if I present just a
> >>number/account-id/nick/any-provider-data, or my real name and street
> >>address via the easy use of the arin database....
> >
> >What database? I whois my IP address and get an address in Bradford..
> >(I'm in Bristol)... I was under the impression the way to go from IP
> >address to home address was to send some threatening legalese to the
> >ISP.
>
> I've talked about www.arin.net. But you're right. I was wrong about
> that. In almost all cases it reverses only another named address
> without any closer personal data.
> Only if somebody gets the line between the registered Domain and the
> used ip address I have the problem. Got somehow in panic.. ;-)

Of course, if they already know that somebody on www.arin.net runs a
freenet node, they can find what the IP is of that node :)
-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.
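
Added example, not part of the original message and not Freenet code: a short Python demonstration of the "unless you explicitly bind an address" point, where a throwaway listener reports the source address it sees for an unbound and for a bound outgoing socket. It assumes Linux, where every 127.0.0.0/8 address is local, so 127.0.0.2 stands in for an alias such as eth0:1; the function name is hypothetical.

```python
import socket


def observed_source(server_ip, bind_ip=None):
    """Open one TCP connection to a local listener and return the
    source IP address the listener sees for it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5)
    client.settimeout(5)
    try:
        listener.bind((server_ip, 0))      # port 0: kernel picks a free port
        listener.listen(1)
        port = listener.getsockname()[1]

        if bind_ip is not None:
            # Explicit bind: pins the source address of this connection.
            # Port 0 still lets the kernel choose the ephemeral port.
            client.bind((bind_ip, 0))
        # Without the bind above, the kernel selects the source address
        # from the route to the destination at connect() time.
        client.connect((server_ip, port))

        conn, peer = listener.accept()
        conn.close()
        return peer[0]
    finally:
        client.close()
        listener.close()


if __name__ == "__main__":
    # Constructed sample addresses (loopback only, Linux assumed).
    print("unbound :", observed_source("127.0.0.1"))
    print("bound   :", observed_source("127.0.0.1", "127.0.0.2"))
```

Binding fixes the source address only; which interface the packet leaves on is still decided by the routing table, so the firewall and router rules discussed above remain the place to enforce that.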
