On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <4731f293$0$3218$8404b019@news.wineasy.se>, David Brown wrote:

>Moe Trin wrote:

>> I don't use dnsmasq, but I suspect you want to look at the -A option.
>
>It's the -H option (or --addn-hosts, which I use in the conf file). I
>don't see any -A option.

-A, --address=//[domain/]
Specify an IP address to return for any host in the given
domains. Queries in the domains are never forwarded and always
replied to with the specified IP address which may be IPv4 or
IPv6. To give both IPv4 and IPv6 addresses for a domain, use
repeated -A flags. Note that /etc/hosts and DHCP leases override
this for individual names. A common use of this is to redirect
the entire doubleclick.net domain to some friendly local web
server to avoid banner ads. The domain specification works in the
same was as for --server, with the additional facility that /#/
matches any domain. Thus --address=/#/1.2.3.4 will always return
1.2.3.4 for any query not answered from /etc/hosts or DHCP and
not sent to an upstream nameserver by a more specific --server
directive.

At least that's what it says on the man page I have ;-)

>> You may need to be careful if you are grabbing updates for windoze
>> systems, as they frequently use a network bandwidth provider such as
>> akamai to do the actual delivery. There are other applications in
>> addition to those used by windoze that MAY use a bandwidth provider.
>
>Yes, it's important to be careful to avoid blocking useful domains that
>also host adverts. On the other hand, windows updates often cause more
>harm than good, so blocking them might be a good plan!

I've had reports from my users who have run into this problem with their
home installations. It's usually overly aggressive filtering/blocking on
their part. I dunno about windoze - I stopped using that in 1992.

>I didn't see the -A option you mention, but the -H option loads a whole
>file, and it's possible to use it many times (thus the downloaded file
>would be in addition to the dns / dhcp server's own /etc/hosts and
>another list I have for local machines).

Above - The man page I have is about 900 lines long, and the -A option
is about line 250.

>While I've use lynx a few times, I really don't think there are many
>others in my company who would be happy with it! I've bullied them all
>into using Firefox or Opera, and threatened them with wire cutters (for
>their network cables, of course) if they ever use IE, but there's a
>limit to my authority :-(

Well, you could always set up a local proxy server (and block outbound
access to port 80 from all but that server) and configure it to abuse the
users who try to connect using IE... but you may not win many friends by
doing so ;-)

Old guy

Moe Trin wrote:
> On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <4731f293$0$3218$8404b019@news.wineasy.se>, David Brown wrote:
>
>> Moe Trin wrote:
>
>>> I don't use dnsmasq, but I suspect you want to look at the -A option.
>> It's the -H option (or --addn-hosts, which I use in the conf file). I
>> don't see any -A option.
>
> -A, --address=//[domain/]
> Specify an IP address to return for any host in the given
> domains. Queries in the domains are never forwarded and always
> replied to with the specified IP address which may be IPv4 or
> IPv6. To give both IPv4 and IPv6 addresses for a domain, use
> repeated -A flags. Note that /etc/hosts and DHCP leases override
> this for individual names. A common use of this is to redirect
> the entire doubleclick.net domain to some friendly local web
> server to avoid banner ads. The domain specification works in the
> same was as for --server, with the additional facility that /#/
> matches any domain. Thus --address=/#/1.2.3.4 will always return
> 1.2.3.4 for any query not answered from /etc/hosts or DHCP and
> not sent to an upstream nameserver by a more specific --server
> directive.
>
> At least that's what it says on the man page I have ;-)
>

I don't know how I missed that before, but the option is in my man page now!

As far as I can see, the -H option works like a file full of -A lines,
and is thus more convenient for me.

>>> You may need to be careful if you are grabbing updates for windoze
>>> systems, as they frequently use a network bandwidth provider such as
>>> akamai to do the actual delivery. There are other applications in
>>> addition to those used by windoze that MAY use a bandwidth provider.
>> Yes, it's important to be careful to avoid blocking useful domains that
>> also host adverts. On the other hand, windows updates often cause more
>> harm than good, so blocking them might be a good plan!
>
> I've had reports from my users who have run into this problem with their
> home installations. It's usually overly aggressive filtering/blocking on
> their part. I dunno about windoze - I stopped using that in 1992.
>
>> I didn't see the -A option you mention, but the -H option loads a whole
>> file, and it's possible to use it many times (thus the downloaded file
>> would be in addition to the dns / dhcp server's own /etc/hosts and
>> another list I have for local machines).
>
> Above - The man page I have is about 900 lines long, and the -A option
> is about line 250.
>
>> While I've use lynx a few times, I really don't think there are many
>> others in my company who would be happy with it! I've bullied them all
>> into using Firefox or Opera, and threatened them with wire cutters (for
>> their network cables, of course) if they ever use IE, but there's a
>> limit to my authority :-(
>
> Well, you could always set up a local proxy server (and block outbound
> access to port 80 from all but that server) and configure it to abuse the
> users who try to connect using IE... but you may not win many friends by
> doing so ;-)
>

I intend to set up a proxy server sometime (I'm going to test out squid
with clamd virus scanning, at least for web-based email sites which
bypass the normal email scanner). I'll log access by IE rather than
block it (as the IT man, I have few enough friends...)

mvh.,

David


> Old guy

Rikishi 42 wrote:
> On 2007-11-05, Send wrote:
>> Rikishi 42 wrote:
>>> On 2007-11-03, Send wrote:
>>>> Rikishi 42 wrote:
>>>>> This is the situation: a friend and I both use a broadband router with a few
>>>>> machines behind them, at our respective homes. We each picked a name for our
>>>>> 'domain'. His is fictional. Mine also exists on the net, but with only the
>>>>> www and ftp of rikishi42.net defined in the DNS, not my home machines.
>>>>>
>>>> stealing - Using some one elses domain name is unethical. Bottom line
>>>> "IT'S NOT YOURS"
>>> Yes it is. Read the headers...
>> Are You trolling Read Youyr own post You said & I Quote
>> "Mine also exists on the net"
>
> Exactly. So where is the stealing? It's *mine*.


Saying "His is fictional. Mine also exists on the net" implies you
borrowed it "also exists on the net" does not infer that you purchased
and registered the domain.


>
>>>> 192.168.xxx.xxx addresses are private network addresses and usually not
>>>> forwarded upstream by a router. Can you imagine what would happen if
>>>> everyone using the same addresses allowed all their network traffic to
>>>> reach the www. They would be mass collisions Not to mention that your
>>>> private network is no longer "private".
>>>>
>>>> Be forewarned of the security implications
>>> Are you on medication? Or did you just miss the original post?
>> What You have trouble reading ... The original is Quoted DUA
>
> We are not putting the 192.168.x.x addresses in any DNS, nor using trough
> the Internet.
> I use it, between my machines.
> He uses it between his machines.

You Said "He's added 2 of my PC's in the /etc/hosts of his laptop, for
use when he visits and connects it to my LAN."


Again "visits and connects it to my LAN" is not saying he is Physically
in your home connecting wires to your router. he could just as easily
be visiting and connecting to your LAN via the internet


> He's added 2 of my machines into his laptop's /etc/hosts, so he can use it
> when he's visiting me, and connects to my LAN. From my home, in my home.
>
> Never is that non-routable range used on the Net, for $DEITY's sake.
>
>>>>> My guess is that, upon finding that rikishi42.net exists, there is an
>>>>> attempt to get the address from the DNS, skipping hosts all together.
>>>>>
>>>>> But do I presume correctly, or is there more to it?
>>>>>
>>>> Why bother with all this ? Do it right. Just use the name & IP address
>>>> that has been assigned to you by your ISP. If you are assigned a
>>>> dynamic (IP address changes from time to time) which they normally are
>>>> then use a FREE service like DynDns and have your own "REAL" domain ...
>
> And just how many IP's do you get from your ISP? I get 2, and that just not
> enough. Hence the used of a broadband router.
>
>>>> they have several domain you can pick from other than dyndns.org. There
>>>> are programs you can run that will update the Dyndns listing
>>>> automatically when your ISP changes your IP address.
> Since they aren't used on the Net, there is no point in DynDNS.
>
>>>> Dns lookup Work ... Other friends anyware can reach your machine and you
>>>> will NOT be blocked by upstream routers.
>>> You *are* stoned out of your mind, aren't you. :-)
>>>
>>>
>>> Please, please read the original post, and grep it.
>> You asked for the help
> Yep, and I appreciate all help I've gotten. I'll be examining my friends
> nsswitch config, first.
>
> You had misunderstood the question so much, it amased not only me, but
> other's as well. If you want to understand, please read the original post,
> and _all_ the answers people posted. But I allready suggested that, and you
> didn't bother, did you? :-)

I suggest you spend less time Sleeping in "ENGLISH Class"
State it more Prescisely! so it's not unclear


>
>> .. Go play with your dolls somewhere OFF Usenet
>> INTERNET
> Usenet INTERNET ? Weird.
>
>

On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <473236ae$0$3209$8404b019@news.wineasy.se>, David Brown wrote:

>Moe Trin wrote:

>> At least that's what it says on the man page I have ;-)
>
>I don't know how I missed that before, but the option is in my man
>page now!

I just grabbed the page off the 'net, as it's not installed on any of
the systems here. The source appears to be
http://www.thekelleys.org.uk/dnsmasq...smasq-man.html.

>As far as I can see, the -H option works like a file full of -A lines,
>nd is thus more convenient for me.

That's one way to do it. Our DNS servers are updated via a dumb script
that uses a file very much like the hosts file as a source, but it also
creates the separate forward and reverse zones, and then kicks the
primary name server to update things. We don't have external IPs in
the zone files as we aren't authoritative for them.

>> Well, you could always set up a local proxy server (and block
>> outbound access to port 80 from all but that server) and configure
>> it to abuse the users who try to connect using IE... but you may not
>> win many friends by doing so ;-)
>
>I intend to set up a proxy server sometime (I'm going to test out
>squid with clamd virus scanning, at least for web-based email sites
>which bypass the normal email scanner).

Why do you need web-based email sites? Doesn't your company run it's
own mail system? Here, both Security and HR would be going ballistic
if our users even tried accessing those sites, never mind attempting
to do business through them. Company policy prohibits personal use of
computers or network, which is why we've got "Employee Association"
owned computers in the break areas and they're on a separate network
completely isolated from the company.

>I'll log access by IE rather than block it (as the IT man, I have few
>enough friends...)

You have friends... Wow. ;-) Seriously, I'm lucky here as
we don't use windoze at this facility - it's limited mainly to the
corporate and the regional sales offices which are on different subnets
thankfully. We also don't allow visiting computers. That eliminates a
lot of network problems.

Old guy

Moe Trin wrote:
> On Wed, 07 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <473236ae$0$3209$8404b019@news.wineasy.se>, David Brown wrote:
>
>> Moe Trin wrote:
>
>>> At least that's what it says on the man page I have ;-)
>> I don't know how I missed that before, but the option is in my man
>> page now!
>
> I just grabbed the page off the 'net, as it's not installed on any of
> the systems here. The source appears to be
> http://www.thekelleys.org.uk/dnsmasq...smasq-man.html.
>
>> As far as I can see, the -H option works like a file full of -A lines,
>> nd is thus more convenient for me.
>
> That's one way to do it. Our DNS servers are updated via a dumb script
> that uses a file very much like the hosts file as a source, but it also
> creates the separate forward and reverse zones, and then kicks the
> primary name server to update things. We don't have external IPs in
> the zone files as we aren't authoritative for them.
>
>>> Well, you could always set up a local proxy server (and block
>>> outbound access to port 80 from all but that server) and configure
>>> it to abuse the users who try to connect using IE... but you may not
>>> win many friends by doing so ;-)
>> I intend to set up a proxy server sometime (I'm going to test out
>> squid with clamd virus scanning, at least for web-based email sites
>> which bypass the normal email scanner).
>
> Why do you need web-based email sites? Doesn't your company run it's
> own mail system? Here, both Security and HR would be going ballistic
> if our users even tried accessing those sites, never mind attempting
> to do business through them. Company policy prohibits personal use of
> computers or network, which is why we've got "Employee Association"
> owned computers in the break areas and they're on a separate network
> completely isolated from the company.
>

You are in a much bigger company than ours, and with much stricter
rules. There's always a certain amount of tradeoff between security and
functionality and flexibility (the most secure computers have no network
access of any kind, for example) - the trick is getting the maximum
realistic security while still providing the functionality and
flexibility you want for the users. Given the size of our company, and
the openness and freedom we like to have, together with the technical
abilities of the users (they are at least fairly competent, and have no
problem following rules and guidelines), we have a rather different
view. People are free to use browsers as they want, as long as they are
responsible. Using non-IE browsers means they have to work harder to
get malware onto their machines - having a virus scanner in the path
would make it even harder.

>> I'll log access by IE rather than block it (as the IT man, I have few
>> enough friends...)
>
> You have friends... Wow. ;-) Seriously, I'm lucky here as
> we don't use windoze at this facility - it's limited mainly to the
> corporate and the regional sales offices which are on different subnets
> thankfully. We also don't allow visiting computers. That eliminates a
> lot of network problems.
>

We have a wireless network for visiting computers, or other "unsafe"
machines (such as laptops that may be used off-site).

> Old guy

On Thu, 08 Nov 2007 09:27:28 +0100, David Brown rearranged some electrons
to say:

>
> You are in a much bigger company than ours, and with much stricter
> rules. There's always a certain amount of tradeoff between security and
> functionality and flexibility (the most secure computers have no network
> access of any kind, for example) - the trick is getting the maximum
> realistic security while still providing the functionality and
> flexibility you want for the users. Given the size of our company, and
> the openness and freedom we like to have, together with the technical
> abilities of the users (they are at least fairly competent, and have no
> problem following rules and guidelines), we have a rather different
> view. People are free to use browsers as they want, as long as they are
> responsible. Using non-IE browsers means they have to work harder to
> get malware onto their machines - having a virus scanner in the path
> would make it even harder.
>

Big or small, every company needs to worry about liability. So, what if
one of your 'responsible' employees downloads some 'objectionable'
material? If someone happens to see it, you're opening your company up
for a harassment lawsuit. Sad to say, but it happens....

On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <4732c5f2$0$27838$8404b019@news.wineasy.se>, David Brown wrote:

>Moe Trin wrote:

>> Why do you need web-based email sites? Doesn't your company run it's
>> own mail system? Here, both Security and HR would be going ballistic
>> if our users even tried accessing those sites, never mind attempting
>> to do business through them. Company policy prohibits personal use of
>> computers or network, which is why we've got "Employee Association"
>> owned computers in the break areas and they're on a separate network
>> completely isolated from the company.
>
>You are in a much bigger company than ours, and with much stricter
>rules. There's always a certain amount of tradeoff between security
>and functionality and flexibility (the most secure computers have no
>network access of any kind, for example) - the trick is getting the
>maximum realistic security while still providing the functionality and
>flexibility you want for the users.

I was thinking you were using a web-based email sites for business.
That doesn't give the right impression to customers.

For _personal_ use, that is a decision the company management has to
make. Yes, there is the obvious abuse situation (I visited a
supplier recently, and noted one system in a technician's office that
was displaying current stock exchange tickers - hardly an appropriate
use).

>Given the size of our company, and the openness and freedom we like
>to have, together with the technical abilities of the users (they are
>at least fairly competent, and have no problem following rules and
>guidelines), we have a rather different view. People are free to use
>browsers as they want, as long as they are responsible.

There is also a difference in the legal climate. In the USA, the mere
hint of anything sexual _can_ bring on lawsuits - with the federal and
state governments being interested parties. Most company legal staffs
recommend a zero-tolerance on the part of management, just to avoid
those legal problems.

>Using non-IE browsers means they have to work harder to get malware
>onto their machines - having a virus scanner in the path would make
>it even harder.

The employee association systems in break areas are all running the
same basic Linux install as used locally. The employees are familiar
with it and have no problems. The systems are set so that users can
not save anything (the user's home directory is read-only) and there
is no removable media. You can _read_ your personal mail, but you
can't save it locally. This eliminates a LOT of problems.

>We have a wireless network for visiting computers, or other "unsafe"
>machines (such as laptops that may be used off-site).

We're an R&D facility, so visiting computers are simply not allowed.
Company systems that may come or go get a clean install each time.
Sales people who visit either lock up the computers in lockers in
the lobby, or use them only in the lobby. We don't even get usable
cell-phone or radio/TV broadcast coverage in the buildings - which is
a mixed joy.

Paranoid? Who, us???

Old guy

Moe Trin wrote:
> On Thu, 08 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
> article <4732c5f2$0$27838$8404b019@news.wineasy.se>, David Brown wrote:
>
>> Moe Trin wrote:
>
>>> Why do you need web-based email sites? Doesn't your company run it's
>>> own mail system? Here, both Security and HR would be going ballistic
>>> if our users even tried accessing those sites, never mind attempting
>>> to do business through them. Company policy prohibits personal use of
>>> computers or network, which is why we've got "Employee Association"
>>> owned computers in the break areas and they're on a separate network
>>> completely isolated from the company.
>> You are in a much bigger company than ours, and with much stricter
>> rules. There's always a certain amount of tradeoff between security
>> and functionality and flexibility (the most secure computers have no
>> network access of any kind, for example) - the trick is getting the
>> maximum realistic security while still providing the functionality and
>> flexibility you want for the users.
>
> I was thinking you were using a web-based email sites for business.
> That doesn't give the right impression to customers.
>

I absolutely agree - it's hard to take professionals seriously if they
have gmail or hotmail email accounts (at least, for professionals in a
technical area).

> For _personal_ use, that is a decision the company management has to
> make. Yes, there is the obvious abuse situation (I visited a
> supplier recently, and noted one system in a technician's office that
> was displaying current stock exchange tickers - hardly an appropriate
> use).
>

Yes, that's a matter for administration. I don't make the law, I only
enforce it.


>> Given the size of our company, and the openness and freedom we like
>> to have, together with the technical abilities of the users (they are
>> at least fairly competent, and have no problem following rules and
>> guidelines), we have a rather different view. People are free to use
>> browsers as they want, as long as they are responsible.
>
> There is also a difference in the legal climate. In the USA, the mere
> hint of anything sexual _can_ bring on lawsuits - with the federal and
> state governments being interested parties. Most company legal staffs
> recommend a zero-tolerance on the part of management, just to avoid
> those legal problems.
>

Here in Norway, there is not nearly the same sort of issues, and
therefore there is no need for IT to worry about it.

>> Using non-IE browsers means they have to work harder to get malware
>> onto their machines - having a virus scanner in the path would make
>> it even harder.
>
> The employee association systems in break areas are all running the
> same basic Linux install as used locally. The employees are familiar
> with it and have no problems. The systems are set so that users can
> not save anything (the user's home directory is read-only) and there
> is no removable media. You can _read_ your personal mail, but you
> can't save it locally. This eliminates a LOT of problems.
>

When you need a more controlled system (effectively treating the users
as the general public), that makes a lot of sense. I know everyone in
our company, so it's a very different scale.

>> We have a wireless network for visiting computers, or other "unsafe"
>> machines (such as laptops that may be used off-site).
>
> We're an R&D facility, so visiting computers are simply not allowed.
> Company systems that may come or go get a clean install each time.
> Sales people who visit either lock up the computers in lockers in
> the lobby, or use them only in the lobby. We don't even get usable
> cell-phone or radio/TV broadcast coverage in the buildings - which is
> a mixed joy.
>
> Paranoid? Who, us???
>

Just because you're paranoid, does not mean they're not out to get you.

mvh.,

David


> Old guy

On Sun, 11 Nov 2007 23:06:02 +0100, David Brown rearranged some electrons
to say:

> You make it sound as though there are gangs
> of crackers working round the clock on ways to break into my networks,
> using a combination of essentially unrelated client and server attacks.

And you think there aren't?

On Sun, 11 Nov 2007, in the Usenet newsgroup comp.os.linux.networking, in
article <47377e7c$0$3208$8404b019@news.wineasy.se>, David Brown wrote:

>Moe Trin wrote:

>> For _personal_ use, that is a decision the company management has to
>> make. Yes, there is the obvious abuse situation (I visited a
>> supplier recently, and noted one system in a technician's office that
>> was displaying current stock exchange tickers - hardly an appropriate
>> use).
>
>Yes, that's a matter for administration. I don't make the law, I only
>enforce it.

While to a minor extent, it's a "bandwidth" and "what are we paying
you for" issue, there may be security issues as well. Our users do
not have the permission to install software, so that issue is slightly
reduced. Still, one has to be careful. I note that Bugtraq is reporting
a Macintosh (OSX - but not sure which release) trojan - some pr0n site
that gets the user to install a plugin to see the pictures better or
something.

>> In the USA, the mere hint of anything sexual _can_ bring on lawsuits
>> - with the federal and state governments being interested parties.

>Here in Norway, there is not nearly the same sort of issues, and
>therefore there is no need for IT to worry about it.

Lawsuits are an all-to-common problem here. Even if the company wins
in court, the plaintiff is rarely able to reimburse the wasted legal
costs (lawyers are not cheap). It's a threat we live with.

[employee association systems for "personal" use]

>> This eliminates a LOT of problems.
>
>When you need a more controlled system (effectively treating the users
>as the general public), that makes a lot of sense. I know everyone in
>our company, so it's a very different scale.

It keeps the company out of the individual's personal business. It's
also self-policing, as the employees themselves make sure the systems
aren't abused.

>> Paranoid? Who, us???
>
>Just because you're paranoid, does not mean they're not out to get you.

"When they _are_ out to get you, always check your paperwork."

Old guy