db.osoal.org.nz


Declared stable

Friday, 11th March 2005

Instead of saying how long it's been since I posted something here, I'm just going to pretend it was less than two years. In a feeble attempt to encourage audience participation in blogs, you have to pretend along too.

My real reason for posting something is that I have just put a link to this on my website ( http://db.osoal.org.nz/ ), so I thought I would make it a link to something that had been updated recently.

Reading through the old .plan entries here is odd; it seems I have neglected to mention that I have been working (in a technical capacity) on building up an ISP called LinuxNet or ACSData for the last 6 years. We've got like proper gear and everything now =)

Hey well, gnu has been up for a while, and that's always good .plan fodder:

[ db@gnu.osoal.org.nz | Fri Mar 11 11:11:41 | /dev/pts/5 ]
[ ~ ]$ uptime
11:11pm up 488 days, 22:47, 5 users, load average: 0.00, 0.00, 0.00

That's its second time round the uptime counter, so that's like er 985 days or 2.6 years. I guess after 3 years you can call it stable or something, then it should be time to buy a new one.

My car loan will be paid off in May. I've got lots of great ideas of what to do with another few hundred dollars a fortnight, new socks here we come!

They have started running ads on TV on how bad binge drinking is; it's almost got me inspired to get totally smashed. Gee, it seems like a lot of effort, maybe tomorrow.

Freeswan makes hosts unreachable

Saturday, 3rd May 2003

Why freeswan pisses me off.

I use freeswan about the place for implementing various VPNs and even
just for encrypting extruded subnets in transit. It is not that hard to
implement, is very quick to reconnect when a site has become
unreachable, and is generally quite reliable.

When you establish a tunnel with ipsec, you can specify a subnet on
either or both ends of the connection; let's say it looks like this:

<Lame ASCII Drawing>

Subnet A
202.49.249.8/29
^
|
v
Router A
203.109.146.10
^
|
Internet
|
v
Router B
202.49.249.41
^
|
v
Subnet B
202.49.249.224/29

</Lame ASCII Drawing>

You are asking freeswan to make an ipsec tunnel for encrypting
communications between hosts on 202.49.249.8/29 and hosts on
202.49.249.224/29. As part of putting up this tunnel, freeswan on each
of the routers adds some routing entries: Router A gets a routing entry
that says packets destined for 202.49.249.224/29 should go out the local
ipsec interface. Likewise, Router B in this scenario gets a routing entry
that says packets destined for 202.49.249.8/29 should go out the ipsec
interface. At first glance this does not seem entirely unreasonable.

The issue is caused by the behaviour of the "sec" part of ipsec: a tunnel is
always established with a fixed set of selectors (filters) on it. In the example
above, any packet that strays into the ipsec interface on Router B must
be originating from an IP within 202.49.249.224/28 and also be destined
for an IP address in 202.49.249.8/29. Anything else will be filtered by
Router B, and even if Router B did conspire to forward the packets
anyway, Router A would drop them as soon as they arrived at the other
end of the tunnel.

The routing entries that freeswan has added simply don't reflect this
behaviour at all. If Router A tries to ping 202.49.249.225 it will
default to using a source address of 203.109.230.65, and so a packet
with a source of 203.109.230.65 and a destination address of
202.49.249.225 will never reach its destination. What has gone wrong?
We don't have a tunnel definition for 203.109.230.65 to talk to
202.49.249.225 via the tunnel. Packets with a source address of
203.109.230.65 (or any other source address outside 202.49.249.208/29)
should never have arrived at the ipsec interface in the first place.
Instead, the routing entries that freeswan initially added should read
as follows:

Router A should send packets with a source address of 202.49.249.8/20
and a destination address of 202.49.249.224/29 to the ipsec tunnel.

Router B should send packets with a source address of 202.49.249.224/29
and a destination address of 202.49.249.8/29 into the ipsec tunnel.

This is called policy routing. A regular garden-variety router or PC
makes routing decisions based on a routing table that contains
information on the next hop to reach a given destination subnet. A
policy router can also make routing decisions based on the source
address that is trying to reach a given destination.

Luckily Linux has supported policy routing for quite some time, so why
doesn't freeswan install policy routes for each tunnel definition?
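As an added illustration (not code from this post or from freeswan itself), the Python model below contrasts the destination-only route the post says freeswan installs with the source-aware policy route it asks for, using the subnets from the drawing above and the stray source address 203.109.230.65 from the text. The device name `ipsec0`, the routing table name `ipsec` and the iproute2 command shapes are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Subnets from the ASCII drawing in the post.
SUBNET_A = ipaddress.ip_network("202.49.249.8/29")
SUBNET_B = ipaddress.ip_network("202.49.249.224/29")


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    src: Optional[ipaddress.IPv4Network]  # None = destination-only route
    dev: str                              # assumed device name, e.g. "ipsec0"


def select(routes: List[Route], src: str, dst: str) -> str:
    """Return the device of the first route matching the packet, else 'default'.
    A route with src=None matches on destination alone, like a plain routing table
    entry; a route with a src prefix is a policy route and must match both."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in routes:
        if d in r.dst and (r.src is None or s in r.src):
            return r.dev
    return "default"


def tunnel_accepts(local, remote, src: str, dst: str) -> bool:
    """The tunnel's fixed selectors: only local -> remote traffic is encrypted."""
    return ipaddress.ip_address(src) in local and ipaddress.ip_address(dst) in remote


def fate(routes: List[Route], local, remote, src: str, dst: str) -> str:
    """What happens to a packet on the router: sent in the clear, encrypted, or dropped."""
    dev = select(routes, src, dst)
    if dev != "ipsec0":
        return "forwarded in the clear via " + dev
    return "encrypted" if tunnel_accepts(local, remote, src, dst) else "dropped by tunnel selectors"


# What the post says freeswan installs on Router A vs. the policy route it asks for.
FREESWAN_ROUTER_A = [Route(SUBNET_B, None, "ipsec0")]
POLICY_ROUTER_A = [Route(SUBNET_B, SUBNET_A, "ipsec0")]


def ip_rule_commands(local, remote, table: str = "ipsec") -> List[str]:
    """iproute2 commands (assumed table name) expressing the source-aware route."""
    return [
        f"ip route add {remote} dev ipsec0 table {table}",
        f"ip rule add from {local} to {remote} lookup {table}",
    ]


if __name__ == "__main__":
    for routes in (FREESWAN_ROUTER_A, POLICY_ROUTER_A):
        print(fate(routes, SUBNET_A, SUBNET_B, "203.109.230.65", "202.49.249.225"))
```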

Priorities

Sunday, 2nd January 2000


New years resolution:

Make reasonable effort to not get maimed.

Reckless disregard

Monday, 29th October 2001


Since my last .plan update gnu has been moved from one server room to another
and just recently had its UPS replaced; it has, however, not been rebooted.

Really.

Greatest hits

Saturday, 28th July 2001


Some OSOAL search engine http referrers:

+animal +lolita +sheep
+free +nude +sleep +drunk +girl
+"Sailor Moon" or "SailorMoon" and "mush" or "mux" or "mud" or "muse" or "muck"
+armageddon +ftp +divx
+attack +llama +pictures
+free +eyore +icons

Much kudos to the guy who put "Worlds stupidest person" in and got my .plan

The IP addresses for any of the above go to the highest bidder.

Government tech

Friday, 27th April 2001

http://www.e-government.govt.nz/

ssh: SSH-1.99-2.0.11 (non-commercial)
released 17 November 1998

ftp: wu-2.4.2-academ[BETA-18]
released July 6 1998

http: PHP/3.0.8 PHP/3.0.8
released May 22 1999

Hmm, stuck in the previous millennium.

I would appreciate it if the government would stay the hell off the internet
until they can ensure bored 12 year olds are unable to own their web servers
at a whim.

Hidden meaning

Tuesday, 20th February 2001


All your base are belong to us!

GooberQuest

Tuesday, 7th November 2000

**** NT Quest V0.0003a ****
*
* Please enter your handle

> DeadBeef
* Welcome to NT Quest 'DeadBeef'
* You are a level 0 MCSE with 4 experience and 90 days to rule the realm.

> taste gun
* Hey not so quickly, try doing an install first..

> Install NT
* You can't

> taste gun
* Oh come on, you need an available partition to install NT on.

> Install NT on /dev/hda8
* You can't

> quit
* Thanks for playing NT Quest 'DeadBeef'
* You are a level 0 MCSE with 7 Experience, and 89 days to rule the realm.
* Bye!


© 2009 Lincoln Reid <lincoln@osoal.org.nz>