setting up lax security on one ethernet interface while leaving the other strict - Networking


  1. setting up lax security on one ethernet interface while leaving the other strict

    I have an ubuntu (7.04) box with two ethernet interfaces.

    I would like to leave one of them secure, but make the other one very
    insecure --- maybe even allow telnet over it. (The insecure one is
    to be networked to one old computer for which i can't get a recent
    version of ssh.)

    Can this be done through the gui?

    Or is there some single configuration file i can change to make it
    happen?

    Thanks in advance for any info.

    dan

  2. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Thu, 25 Sep 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article ,
    dan wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >I have an ubuntu (7.04) box with two ethernet interfaces.
    >
    >I would like to leave one of them secure, but make the other one very
    >insecure --- maybe even allow telnet over it. (The insecure one is
    >to be networked to one old computer for which i can't get a recent
    >version of ssh.)


    Rather limited details - but if you assume that the old system is the
    only one on the "insecure" network (or you can tolerate someone
    sniffing everything on that network), AND that the network cards
    are such that the kernel will never make a mistake identifying which
    one should be eth0 and which eth1, then there are several ways to
    handle the problem. Perhaps the simplest technique would be two
    firewall rules - one that allows connections to port 23 on IP address
    $FOO, and the other that blocks access to all other addresses (which
    should probably be the default rule). If you are running in.telnetd
    out of xinetd, see if it will accept the "bind" option to tell xinetd
    to only allow this on one receiving IP address.

    Another option would be to not use networking at all, but run a
    terminal on the serial port of the "server" and use some serial
    application like minicom on the "client". See the
    Remote-Serial-Console-HOWTO for details.

    Old guy
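
The two firewall rules and the xinetd `bind` setting suggested in the reply above, as an added example that is not part of the original thread. The interface name `eth1`, the addresses 192.168.50.1 (server side, the post's `$FOO`) and 192.168.50.2 (the old machine), the extra `-i`/`-s` matches, `only_from`, and the `user`/`server` values are assumptions; the script only prints the rules for review and applies nothing.

```shell
#!/bin/sh
# Added example (not from the thread). Prints rules for review; applies nothing.
# Interface name and addresses used as defaults are constructed sample values.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$n
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# telnet_rules IFACE LOCAL_IP PEER_IP
# Rule 1 allows port 23 only to LOCAL_IP ($FOO in the post), narrowed here to
# the lax interface and the one old host. Rule 2 drops telnet everywhere else.
# iptables stops at the first match, so the ACCEPT has to come before the DROP.
telnet_rules() {
    iface=$1; local_ip=$2; peer_ip=$3
    case $iface in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface name: $iface" >&2; return 1 ;;
    esac
    is_ipv4 "$local_ip" && is_ipv4 "$peer_ip" || {
        echo "bad IPv4 address" >&2; return 1
    }
    cat <<EOF
iptables -A INPUT -i $iface -p tcp -s $peer_ip -d $local_ip --dport 23 -j ACCEPT
iptables -A INPUT -p tcp --dport 23 -j DROP
EOF
}

# xinetd_stanza LOCAL_IP PEER_IP
# 'bind' makes xinetd listen for telnet on LOCAL_IP only, so the strict
# interface never has port 23 open even if the firewall is flushed.
# 'only_from' is xinetd's own source-address check. The user and server
# values are assumptions; match them to the installed telnetd package.
xinetd_stanza() {
    is_ipv4 "$1" && is_ipv4 "$2" || { echo "bad IPv4 address" >&2; return 1; }
    cat <<EOF
service telnet
{
    disable     = no
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    bind        = $1
    only_from   = $2
}
EOF
}

# Dry run: arguments override the constructed sample values.
telnet_rules "${1:-eth1}" "${2:-192.168.50.1}" "${3:-192.168.50.2}"
xinetd_stanza "${2:-192.168.50.1}" "${3:-192.168.50.2}"
```

After the rules are loaded, `iptables -L INPUT -n -v --line-numbers` shows whether the ACCEPT sits above the DROP, and `netstat -tln` shows whether port 23 is listening on the one address only.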

  3. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sep 26, 1:05 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    > NOTE: Posting from groups.google.com (or some web-forums) dramatically
    > reduces the chance of your post being seen. Find a real news server.


    So as far as I can tell, the risk is raised to precisely zero. I have
    used groups.google.com for years and have never had a post that was
    not seen.

    As for "Find a real news server", this is a confusion that you
    maintain deliberately, despite having been corrected numerous times.
    News is a service, not a protocol. Web servers that serve news are
    "real news server"s.

    DS

  4. Re: setting up lax security on one ethernet interface while leaving the other strict

    David Schwartz wrote:
    > On Sep 26, 1:05 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
    >
    >> NOTE: Posting from groups.google.com (or some web-forums) dramatically
    >> reduces the chance of your post being seen. Find a real news server.

    >
    > So as far as I can tell, the risk is raised to precisely zero. I have
    > used groups.google.com for years and have never had a post that was
    > not seen.
    >
    > As for "Find a real news server", this is a confusion that you
    > maintain deliberately, despite having been corrected numerous times.
    > News is a service, not a protocol. Web servers that serve news are
    > "real news server"s.


    It seems that you did not get the point:

    Due to the amount of crap in the Google service, many readers
    intentionally ignore everything from groups.google.com;
    it has nothing to do with the protocol or service itself.

    --

    Tauno Voipio


  5. Re: setting up lax security on one ethernet interface while leaving the other strict

    The real question is how many people just IGNORE google crap

    David Schwartz wrote:
    >
    > On Sep 26, 1:05 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
    >
    >> NOTE: Posting from groups.google.com (or some web-forums) dramatically
    >> reduces the chance of your post being seen. Find a real news server.

    >
    > So as far as I can tell, the risk is raised to precisely zero. I have
    > used groups.google.com for years and have never had a post that was
    > not seen.
    >
    > As for "Find a real news server", this is a confusion that you
    > maintain deliberately, despite having been corrected numerous times.
    > News is a service, not a protocol. Web servers that serve news are
    > "real news server"s.
    >
    > DS


  6. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sep 27, 3:01 am, Send wrote:

    > The real question is how many people just IGNORE google crap


    A question for which we don't know the answer.

    DS

  7. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sep 27, 7:43 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    > >> So as far as I can tell, the risk is raised to precisely zero. I have
    > >> used groups.google.com for years and have never had a post that was
    > >> not seen.


    > Where have you been looking? On google? Wow, google doesn't filter
    > posts from google - there's a surprise. I'd bet if you looked harder,
    > you would find specific *public* news servers that block posts from
    > groups.google.com, never mind non-public servers (like those run
    > by my or my wife's employers).


    Ah, so in your world, a post that doesn't go to every news server is
    "not seen". In that case, every post is "not seen" and *nothing*
    increases the chances that a post will be "not seen" since there is no
    way to raise the probability beyond a certainty.

    > >> News is a service, not a protocol.



    > >> Web servers that serve news are "real news server"s.

    >
    > Are they serving news on port 119 or 563?


    Ah, so the *port* a news server serves news on is what makes a news
    server "real". You know that's nonsense.

    > Do they follow RFC0977,
    > RFC1036, or RFC3977? Or do they alter news posts - as google does.


    As I said, news is a service not a protocol. Are you going to ignore
    that argument or address it?

    > >The real question is how many people just IGNORE google crap


    > Given the fact that many news readers can filter on the Message-ID:
    > header, and everyone and their goat has published simple instructions
    > on how to do so, it's rather difficult to guess how many ignore google
    > _crap_ versus how many ignore all posts from google (whether in one
    > or all newsgroups they may read).


    So, in other words, you have no idea.

    DS

  8. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sep 26, 11:59 pm, Tauno Voipio wrote:

    > > As for "Find a real news server", this is a confusion that you
    > > maintain deliberately, despite having been corrected numerous times.
    > > News is a service, not a protocol. Web servers that serve news are
    > > "real news server"s.


    > It seems that you did not get the point:


    > Due to the amount of crap in the Google service, many readers
    > intentionally ignore everything from groups.google.com;


    Right, and those readers will not see your post. But those who don't
    will see them. So the post will be seen, just not by some people.
    There is no risk that your post will "not be seen". No post will be
    seen by those who choose to filter it out.

    > it has nothing to do with the protocol or service itself.


    I know that and you know that. But Moe Trin does not, despite the fact
    that it's been explained to him many times now. He seems to think that
    a "real news server" is one that serves news using a particular
    protocol on a particular port. He honestly believes that news is a
    protocol, not a service.

    DS

  9. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sun, 28 Sep 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article <785221b8-0e46-4b7b-896a-1d71a1dc97b3@k36g2000pri.googlegroups.com>,
    David Schwartz wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >> Where have you been looking? On google? Wow, google doesn't filter
    >> posts from google - there's a surprise. I'd bet if you looked harder,
    >> you would find specific *public* news servers that block posts from
    >> groups.google.com, never mind non-public servers (like those run
    >> by my or my wife's employers).

    >
    >Ah, so in your world, a post that doesn't go to every news server is
    >"not seen".


    Twisting the meaning rather hard, aren't you? The note I include says
    that it REDUCES THE CHANCE of a post being seen. Do you feel that if
    a news server doesn't carry any posts from group.google.com, or the
    fairly well documented (posted in newsgroups - such as
    news.software.readers) evidence that some people really do block,
    delete, or filter posts simply can't be true? And therefore filters
    must not exist. How do you know this is or is not the case?

    >In that case, every post is "not seen" and *nothing* increases the
    >chances that a post will be "not seen" since there is no way to raise
    >the probability beyond a certainty.


    Ah, nothing anyone can say can change your mind. And anything that is
    posted that you disagree with...

    >>>> News is a service, not a protocol.


    like the RFCs you decided are not relevant... why, they simply must not
    exist. I'll bet the posts to news.admin.net-abuse.usenet and/or
    news.admin.net-abuse.policy discussing the banning of Google (which
    strangely, groups.google.com doesn't seem to have available on their
    search engine) don't exist in your view either.

    >>>> Web servers that serve news are "real news server"s.

    >>
    >> Are they serving news on port 119 or 563?

    >
    >Ah, so the *port* a news server serves news on is what makes a news
    >server "real". You know that's nonsense.
    >
    >>Do they follow RFC0977,
    >> RFC1036, or RFC3977? Or do they alter news posts - as google does.

    >
    >As I said, news is a service not a protocol. Are you going to ignore
    >that argument or address it?


    Are you going to ignore RFC0977? RFC3977? Are you going to ignore
    any post that disagrees with you?

    >>> The real question is how many people just IGNORE google crap

    >
    >> Given the fact that many news readers can filter on the Message-ID:
    >> header, and everyone and their goat has published simple instructions
    >> on how to do so, it's rather difficult to guess how many ignore google
    >> _crap_ versus how many ignore all posts from google (whether in one
    >> or all newsgroups they may read).

    >
    >So, in other words, you have no idea.


    And you know it's not significant, or doesn't happen at all?

    No - it's simply that nothing anyone can say or write will change your
    mind. You feel that groups.google.com is a news server and EVERYONE must
    see every post that originates there. Others disagree, but that's not
    significant to you. I suppose you think that because you see ads from
    google, everyone else should and can't imagine why people might take
    steps to avoid seeing them. That those steps might reduce the chance
    of a post from groups.google.com - whether spam or not - from being
    seen by everyone who views these groups obviously can't be important.

    Old guy

  10. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Sep 29, 1:02 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:

    > >Ah, so in your world, a post that doesn't go to every news server is
    > >"not seen".


    > Twisting the meaning rather hard, aren't you? The note I include says
    > that it REDUCES THE CHANCE of a post being seen.


    And yet, every such post is in fact seen.

    > Do you feel that if
    > a news server doesn't carry any posts from group.google.com, or the
    > fairly well documented (posted in newsgroups - such as
    > news.software.readers) evidence that some people really do block,
    > delete, or filter posts simply can't be true? And therefore filters
    > must not exist. How do you know this is or is not the case?


    Actually, from anecdotal evidence, I think it's not true. I see people
    who claim they filter out all posts from google responding to posts
    from google. I'm sure there actually are some servers and some readers
    who filter such posts, but I have no idea what the number is. Do you
    have any idea?

    The only evidence I have suggests that it's very, very small. If you
    have contrary evidence, please share.

    But again, the anecdotal evidence I have is that people who claim to
    filter such posts always see them.

    > >In that case, every post is "not seen" and *nothing* increases the
    > >chances that a post will be "not seen" since there is no way to raise
    > >the probability beyond a certainty.


    > Ah, nothing anyone can say can change your mind. And anything that is
    > posted that you disagree with...


    You are the one making the claim. You have a burden of proof.

    > >>>> News is a service, not a protocol.


    > like the RFCs you decided are not relevant... why, they simply must not
    > exist. I'll bet the posts to news.admin.net-abuse.usenet and/or
    > news.admin.net-abuse.policy discussing the banning of Google (which
    > strangely, groups.google.com doesn't seem to have available on their
    > search engine) don't exist in your view either.


    Please either address this argument or don't. Are you maintaining that
    only NNTP is news? Are you saying that if it doesn't arrive on port
    119/563 it's not news or not real news?

    > >>>> Web servers that serve news are "real news server"s.


    > >> Are they serving news on port 119 or 563?


    > >Ah, so the *port* a news server serves news on is what makes a news
    > >server "real". You know that's nonsense.


    > >>Do they follow RFC0977,
    > >> RFC1036, or RFC3977? Or do they alter news posts - as google does.


    > >As I said, news is a service not a protocol. Are you going to ignore
    > >that argument or address it?


    > Are you going to ignore RFC0977? RFC3977? Are you going to ignore
    > any post that disagrees with you?


    Okay, you're going to ignore my argument. That's fine. I'll just point
    out, again, for everyone watching that you continue to repeat these
    arguments even though you know they are incorrect.

    On the off chance you actually think these RFCs somehow say that news
    is a protocol (which is almost unimaginable, but just in case):

    This document specifies the Network News Transfer Protocol (NNTP),
    which is used for the distribution, inquiry, retrieval, and posting
    of Netnews articles using a reliable stream-based mechanism.

    So NNTP is a protocol that transfers news. How can this be so if news
    itself is a protocol?

    For example, HTTP is not a web page. HTTP is a protocol for getting a
    web page from one place to another. The web page is the service.

    You might as well argue that satellite customers don't have "real web
    access" since the protocol by which they get web pages is not HTTP.

    > >>> The real question is how many people just IGNORE google crap

    >
    > >> Given the fact that many news readers can filter on the Message-ID:
    > >> header, and everyone and their goat has published simple instructions
    > >> on how to do so, it's rather difficult to guess how many ignore google
    > >> _crap_ versus how many ignore all posts from google (whether in one
    > >> or all newsgroups they may read).

    >
    > >So, in other words, you have no idea.

    >
    > And you know it's not significant, or doesn't happen at all?


    I suspect it's not significant. But, again, I'm not making a claim.
    You are.

    > No - it's simply that nothing anyone can say or write will change your
    > mind. You feel that groups.google.com is a news server and EVERYONE must
    > see every post that originates there.


    It is a news server. Your argument that it's not a "real news server"
    is genuine idiocy.

    As for whether everyone sees every post that originates there, I'm
    pretty certain 100% is not possible. But if you think it's, say, less
    than 90%, you've provided no evidence to support that view. And
    certainly no evidence to support the bizarre claim that that
    "significantly reduces" the chances a post "will be seen".

    > Others disagree, but that's not
    > significant to you. I suppose you think that because you see ads from
    > google, everyone else should and can't imagine why people might take
    > steps to avoid seeing them. That those steps might reduce the chance
    > of a post from groups.google.com - whether spam or not - from being
    > seen by everyone who views these groups obviously can't be important.


    You: Black and white are the same color.

    Me: That's crazy.

    You: What kind of idiot doesn't know that railroad crossings are both
    black and white?

    Me: ?!

    So do you retract your original claim that posting from google
    "dramatically reduces the chance of your post being seen" and now
    replace it with an argument about chances that your post may not be
    "seen by everyone who views these groups"? Of course no news provider
    can assure that every post is seen by every viewer.

    DS

  11. Re: setting up lax security on one ethernet interface while leaving the other strict

    David Schwartz writes:

    > Actually, from anecdotal evidence, I think it's not true. I see people
    > who claim they filter out all posts from google responding to posts
    > from google. I'm sure there actually are some servers and some readers
    > who filter such posts, but I have no idea what the number is. Do you
    > have any idea?


    I filter posts from google. I normally only see the replies.

  12. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Mon, 29 Sep 2008 13:38:34 -0700 (PDT), David Schwartz wrote:

    >On Sep 29, 1:02 pm, ibupro...@painkiller.example.tld (Moe Trin) wrote:
    >
    >> >Ah, so in your world, a post that doesn't go to every news server is
    >> >"not seen".

    >
    >> Twisting the meaning rather hard, aren't you? The note I include says
    >> that it REDUCES THE CHANCE of a post being seen.

    >
    >And yet, every such post is in fact seen.
    >
    >> Do you feel that if
    >> a news server doesn't carry any posts from group.google.com, or the
    >> fairly well documented (posted in newsgroups - such as
    >> news.software.readers) evidence that some people really do block,
    >> delete, or filter posts simply can't be true? And therefore filters
    >> must not exist. How do you know this is or is not the case?

    >
    >Actually, from anecdotal evidence, I think it's not true. I see people
    >who claim they filter out all posts from google responding to posts
    >from google. I'm sure there actually are some servers and some readers
    >who filter such posts, but I have no idea what the number is. Do you
    >have any idea?
    >
    >The only evidence I have suggests that it's very, very small. If you
    >have contrary evidence, please share.
    >
    >But again, the anecdotal evidence I have is that people who claim to
    >filter such posts always see them.


    Nah, what we who filter do see is the first non-google reply to such
    a message, and none of that leakage has convinced me I'm missing any
    traffic worth reading

    Grant.
    --
    http://bugsplatter.id.au:8080/ dodo, for internet that dies

  13. Re: setting up lax security on one ethernet interface while leaving the other strict

    On Mon, 29 Sep 2008, in the Usenet newsgroup comp.os.linux.networking, in
    article <8760283d-63ce-45cf-a18d-50d7dd15969f@b1g2000hsg.googlegroups.com>,
    David Schwartz wrote:

    NOTE: Posting from groups.google.com (or some web-forums) dramatically
    reduces the chance of your post being seen. Find a real news server.

    >ibupro...@painkiller.example.tld (Moe Trin) wrote:


    >> Twisting the meaning rather hard, aren't you? The note I include says
    >> that it REDUCES THE CHANCE of a post being seen.

    >
    >And yet, every such post is in fact seen.


    By everyone? Or even most people? Do you have any evidence of that?

    >> Do you feel that if a news server doesn't carry any posts from
    >> group.google.com, or the fairly well documented (posted in
    >> newsgroups - such as news.software.readers) evidence that some
    >> people really do block, delete, or filter posts simply can't be
    >> true? And therefore filters must not exist. How do you know
    >> this is or is not the case?


    >Actually, from anecdotal evidence, I think it's not true. I see people
    >who claim they filter out all posts from google responding to posts
    >from google.


    At the moment, I'm still responding to your post, yet I filter posts
    from googlegroups.com in other groups (8 of the 81 I try to scan every
    day). Don't believe me?

    [compton ~]$ grep ^09/2.*linux.misc.*killed newslog | cut -d' ' -f1,3-6
    09/20/2008 comp.os.linux.misc: 39/39 (14 killed),
    09/21/2008 comp.os.linux.misc: 33/33 (15 killed),
    09/22/2008 comp.os.linux.misc: 35/35 (24 killed),
    09/23/2008 comp.os.linux.misc: 24/24 (16 killed),
    09/24/2008 comp.os.linux.misc: 44/44 (15 killed),
    09/25/2008 comp.os.linux.misc: 40/40 (24 killed),
    09/26/2008 comp.os.linux.misc: 20/20 (4 killed),
    09/27/2008 comp.os.linux.misc: 41/41 (18 killed),
    09/28/2008 comp.os.linux.misc: 55/55 (18 killed),
    09/29/2008 comp.os.linux.misc: 38/38 (14 killed),
    [compton ~]$

    Why don't you wander over to comp.os.linux.misc, and look at all posts
    since about 14:00 UTC on the 19th. It should be quite obvious why
    those posts got killed. What's even more curious is that no one is
    replying to those spam posts from google. Occasionally, you'll see
    posts from a newbie commenting how much spam is present, and several
    regulars replying with "kill all posts with Message-ID ending with
    googlegroups.com". Do you think they ignore their own advice?

    >I'm sure there actually are some servers and some readers who filter
    >such posts, but I have no idea what the number is. Do you have any
    >idea?


    Absolute numbers? Of course not - I only see feeds from four servers.
    But you might _read_ news.software.readers or comp.os.linux.misc and
    see if anyone responds to your posts there.

    >But again, the anecdotal evidence I have is that people who claim to
    >filter such posts always see them.


    Some see replies - and can quote over those, as I did in message
    . However there are some
    people that filter _replies_ to posts from groups.google.com - it's
    trivial to do with a news reader ('Xref: googlegroups.com>$' and even
    that noise is gone). You _do_ realize that killfiles don't absolutely
    have to apply to all groups, don't you?

    >Okay, you're going to ignore my argument. That's fine. I'll just point
    >out, again, for everyone watching that you continue to repeat these
    >arguments even though you know they are incorrect.
    >
    >On the off chance you actually think these RFCs somehow say that news
    >is a protocol (which is almost unimaginable, but just in case):
    >
    > This document specifies the Network News Transfer Protocol (NNTP),
    > which is used for the distribution, inquiry, retrieval, and posting
    > of Netnews articles using a reliable stream-based mechanism.
    >
    >So NNTP is a protocol that transfers news. How can this be so if news
    >itself is a protocol?


    So you feel that there are no standards? Usefor seems to call news
    articles themselves a part of the protocol.

    When I speak of posting from groups.google.com (or some web-forums
    which you're ignoring), and suggest they find a real news server, you
    really don't think I'm referring to CNN or the Reuters, do you?

    >> No - it's simply that nothing anyone can say or write will change
    >> your mind. You feel that groups.google.com is a news server and
    >> EVERYONE must see every post that originates there.

    >
    >It is a news server. Your argument that it's not a "real news server"
    >is genuine idiocy.


    And so, following RFC1738 section 3.7 _EXACTLY_ you can read or post
    news from/to the groups.google.com server? No, of course not.

    It's a web server. It doesn't accept connections to 119 or 563. It
    doesn't speak NNTP (which if you read those RFCs you'd discover has
    a language of its own, just as a web server speaks its own protocol).
    It's the same idea as a 'Mail-to-News' gateway. Like google, such
    servers are usually spam sewers because the administrator refuses to
    address spam/abuse issues, and get filtered for the same reason. You
    may also notice that google is ALTERING the bodies of posts - something
    not done on a real server. It's not even a reliable archiving server,
    because of that "feature".

    >So do you retract your original claim that posting from google
    >"dramatically reduces the chance of your post being seen" and now
    >replace it with an argument about chances that your post may not be
    >"seen by everyone who views these groups"? Of course no news provider
    >can assure that every post is seen by every viewer.


    I see no reason to change that note - it reflects several years of
    observations.

    Old guy
