Setting up VPN's

2003-05-15 Thread Craig
Hi Guys

We have to setup a VPN for a client and was wondering what software packages
we could use for this, what works well and is reliable ? And what I need to
do to get it working on their firewall ...

Thanks
Craig




gre tunnel MTU adjustment

2003-05-15 Thread Jeff S Wheeler
Dear List,

I have a GRE tunnel setup between a debian linux/zebra router at my
co-lo and my home office.  This allows me to have a /27 without coughing
up $7/IP to the local cable monopoly.  There are no other broadband IP
options available.

My problem is I can't raise the MTU on the intermediate links over which
the tunneled packets must travel, thus the MTU of my GRE tunnel is less
than 1500.  Many popular Internet sites, including paypal, hotmail,
portions of Yahoo, and my beloved friendster, have utterly broken Path
MTU Detection.  The problem is wide-spread, and I don't think these
sites are going to correct their problem or disable PMTUd on their
servers, load balancers, and whatnot.

Cisco routers have the ability to fragment and reassemble IP packets
traversing GRE tunnels in order to effectively increase the tunnel MTU. 
The command syntax is e.g. `ip mtu 1500` in interface configuration.

Is similar functionality available on linux?  If not, can someone with
iptables clue give me an example of how to disable the IP Don't-Fragment
bit on ip packets that are being routed to my tunnel, allowing them to
be fragmented even though the transmitting TCP stack has set DF?

Kind thanks,

-- 
Jeff S Wheeler <[EMAIL PROTECTED]>




Re: Setting up VPN's

2003-05-15 Thread aCaB
Your cross posted question has already been discussed in debian-isp ml 
on 19-20-21 March 2003. Please have a look at the archives: 
http://lists.debian.org/debian-isp/2003/debian-isp-200303/threads.html

> Hi Guys
> We have to setup a VPN for a client and was wondering what software packages
> we could use for this, what works well and is reliable ? And what I need to
> do to get it working on their firewall ...
> Thanks
> Craig





RE: Setting up VPN's

2003-05-15 Thread Daniel Hooper
Pptp-linux is about all there is unfortunately, you'll also need to get a
patched version of ppp and do some kernel modifications to support mppe.

-Daniel

-Original Message-
From: Craig [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 15 May 2003 3:06 PM
To: Debian-Security; Debian-ISP
Subject: Setting up VPN's


Hi Guys

We have to setup a VPN for a client and was wondering what software packages
we could use for this, what works well and is reliable ? And what I need to
do to get it working on their firewall ...

Thanks
Craig


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]






Re: gre tunnel MTU adjustment

2003-05-15 Thread Teun Vink
On Thu, 2003-05-15 at 09:40, Jeff S Wheeler wrote:
> Dear List,
> 
> I have a GRE tunnel setup between a debian linux/zebra router at my
> co-lo and my home office.  This allows me to have a /27 without coughing
> up $7/IP to the local cable monopoly.  There are no other broadband IP
> options available.
> 
> My problem is I can't raise the MTU on the intermediate links over which
> the tunneled packets must travel, thus the MTU of my GRE tunnel is less
> than 1500.  Many popular Internet sites, including paypal, hotmail,
> portions of Yahoo, and my beloved friendster, have utterly broken Path
> MTU Detection.  The problem is wide-spread, and I don't think these
> sites are going to correct their problem or disable PMTUd on their
> servers, load balancers, and whatnot.
> 
> Cisco routers have the ability to fragment and reassemble IP packets
> traversing GRE tunnels in order to effectively increase the tunnel MTU. 
> The command syntax is e.g. `ip mtu 1500` in interface configuration.
> 
> Is similar functionality available on linux?  If not, can someone with
> iptables clue give me an example of how to disable the IP Don't-Fragment
> bit on ip packets that are being routed to my tunnel, allowing them to
> be fragmented even though the transmitting TCP stack has set DF?
> 
> Kind thanks,

Hi,

I use a GRE tunnel between my DSL connection at home and the network of
the ISP I work for. I use this iptables line in my setup, which fixes
the MTU for all outgoing packets:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp

Works just fine...


grtz,

Teun Vink
--
BOFH excuse #382: Someone was smoking in the computer room and set off
the halon systems.




Re: Setting up VPN's

2003-05-15 Thread thing
Craig wrote:
> Hi Guys
> We have to setup a VPN for a client and was wondering what software packages
> we could use for this, what works well and is reliable ? And what I need to
> do to get it working on their firewall ...
> Thanks
> Craig
 

I use freeswan ipsec, I believe win2k and firewall1 are compatible with 
it, but I just do freeswan to freeswan.

Thing



RE: gre tunnel MTU adjustment

2003-05-15 Thread Christian Storch
Perhaps you want to say:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

?
Another simple possibility for small networks is to adjust
the default MSS of every client to something about 1400.
(that value fits for nearly every kind of tunnel)

Christian

PS: Something like a crazy workaround is to establish two tunnels and
bundle them with MPP. Finally you could get 'virtual' 1500 MSS.
Normally used for real time traffic solutions.

-Original Message-
From: Teun Vink [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 15, 2003 10:33 AM
To: Jeff S Wheeler
Cc: debian-isp@lists.debian.org
Subject: Re: gre tunnel MTU adjustment

...

Hi,

I use a GRE tunnel between my DSL connection at home and the network of
the ISP I work for. I use this iptables line in my setup, which fixes
the MTU for all outgoing packets:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp

Works just fine...

...




RE: gre tunnel MTU adjustment

2003-05-15 Thread Teun Vink
On Thu, 2003-05-15 at 11:51, Christian Storch wrote:
> Perhaps you want to say:
> 
> iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
> 

You're right, that's the correct argument (--clamp-mss-to-pmtu)
Incidentally, --clamp works as well, iptables obviously does some sort of
"argument completion".



Teun
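
An added example, not part of the original thread: a simplified Python model of the rewrite that `TCPMSS --clamp-mss-to-pmtu` applies to forwarded SYN segments, worked through for a GRE tunnel. It assumes IPv4, 1500-byte underlying links and a basic 4-byte GRE header; the function names and the sample packet are constructed for illustration and this is not the kernel's code.

```python
import struct
IP_HDR, TCP_HDR, GRE_HDR = 20, 20, 4   # bytes: IPv4/TCP without options, basic GRE header

def gre_tunnel_mtu(link_mtu):
    """MTU inside a GRE tunnel: the outer IPv4 and GRE headers are overhead."""
    return link_mtu - IP_HDR - GRE_HDR

def ones_sum(data):
    """16-bit one's-complement sum over an even-length byte string."""
    s = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def tcp_checksum(src, dst, seg):
    """Checksum over IPv4 pseudo-header + segment; 0 means the stored checksum is valid."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(seg))
    return ones_sum(pseudo + seg + b"\0" * (len(seg) % 2)) ^ 0xFFFF

def clamp_mss(seg, path_mtu):
    """Lower a SYN's MSS option to path_mtu - 40; checksum patched as in RFC 1624."""
    seg, limit = bytearray(seg), path_mtu - IP_HDR - TCP_HDR
    if len(seg) < TCP_HDR or seg[13] & 0x06 != 0x02:   # --tcp-flags SYN,RST SYN
        return bytes(seg)
    i, end = TCP_HDR, min((seg[12] >> 4) * 4, len(seg))
    while i < end and seg[i] != 0:                     # kind 0 ends the option list
        if seg[i] == 1:                                # kind 1 is a one-byte NOP
            i += 1
            continue
        if i + 1 >= end or seg[i + 1] < 2 or i + seg[i + 1] > end:
            break                                      # malformed: leave untouched
        if seg[i] == 2 and seg[i + 1] == 4:            # kind 2, length 4: MSS
            old = struct.unpack_from("!H", seg, i + 2)[0]
            if old > limit:                            # only ever lower the value
                a, b = (i + 2) & ~1, (i + 5) & ~1      # 16-bit words holding it
                inv = bytes(x ^ 0xFF for x in seg[a:b])
                struct.pack_into("!H", seg, i + 2, limit)
                # HC' = ~(~HC + ~m + m'): old checksum, old words, new words
                s = ones_sum(bytes(x ^ 0xFF for x in seg[16:18]) + inv + bytes(seg[a:b]))
                struct.pack_into("!H", seg, 16, s ^ 0xFFFF)
            break
        i += seg[i + 1]
    return bytes(seg)

# Constructed sample: SYN advertising MSS 1460 between documentation addresses.
SRC, DST = bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20])
def sample_syn(mss=1460):
    hdr = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 7 << 4, 0x02, 65535, 0, 0)
    seg = bytearray(hdr + struct.pack("!BBH", 2, 4, mss) + bytes([1, 1, 4, 2]))
    struct.pack_into("!H", seg, 16, tcp_checksum(SRC, DST, bytes(seg)))
    return bytes(seg)
```

Under these assumptions the tunnel MTU is 1476, so `clamp_mss(sample_syn(), gre_tunnel_mtu(1500))` rewrites the advertised MSS from 1460 to 1436, which is why a fixed client MSS of about 1400 also fits.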





Re: reinstall slapd

2003-05-15 Thread Joey Hess
[EMAIL PROTECTED] wrote:
> I've discovered a unique bug, I think. I ran dpkg-reconfigure debconf,
> and selected readline, instead of dialog, and now it's prompting for
> the admin password. Sheesh. All that time wasted...

Sorry -- the sad fact is that the version of whiptail in debian unstable
dropped support for prompting for passwords with no warning. Also, the
brain-dead return codes of whiptail do not let debconf tell the
difference between "return code 1 because user hit the cancel key" and
"return code 1 because this --passwordbox option has slipped my mind"
and "return code 1 because I don't know how to use your terminal".
There are plenty of bug reports filed on this already.

Anyway, the readline interface, with libterm-readline-gnu-perl
installed, happens to be the best interface to debconf for anyone who's
been using unix for more than 6 months. Enjoy it!

-- 
see shy jo




Re: Which (simple) Wiki?

2003-05-15 Thread Stuart Krivis

--On Wednesday, May 14, 2003 2:55 PM +0200 Dominik Schulz 
<[EMAIL PROTECTED]> wrote:

> Hi,
> I'm looking for a very simple Wiki. It should be easy to install and
> have a very clear design. It's meant for a very limited amount of users
> (less than 10) so I don't need any kind of authentication.
> Every Wiki I've found is much too overloaded for my needs.
> Any suggestions would be very appreciated.





Content filtering proxie

2003-05-15 Thread Kay-Michael Voit
Hi,
I wonder if there is a content filter proxy solution, filtering porn and
violence.
I don't like this stuff either, but I'm forced to install it...

Regards,
Kay-Michael Voit




Content filtering proxy 2

2003-05-15 Thread Kay-Michael Voit
I've no idea why my last message was empty... Sorry... So again...

I'm looking for a content filter proxy solution for filtering porn and
violence from websites.
I don't like filtering, but I'm forced to install it...




Re: Content filtering proxie

2003-05-15 Thread Mark Lijftogt



It worked.. all the content is filtered out.. every last bit.
Well done!

Cheers,
Mark



On Thu, May 15, 2003 at 11:33:03PM +0200, Kay-Michael Voit wrote:
> Hi,
> I wonder if there is a content filter proxy solution, filtering porn and
> violence.
> I don't like this stuff either, but I'm forced to install it...
> 
> Regards,
> Kay-Michael Voit

-- Mark Lijftogt




Re[2]: Content filtering proxy 2

2003-05-15 Thread Kay-Michael Voit

thanks, i think this is exactly what i was searching for. though i
don't hold with chastity, our lawgiver obviously does :)

regards,
kay


ALB> squid+squidguard+chastity lists+webmin+usermin  VERY HIGH LEVEL
ALB> solution. It rules and it's in debian well, that just figures doesn't
ALB> it?


ALB> On Thu, 15 May 2003 at 16:57, Kay-Michael Voit wrote:
>> I've no idea why my last message was empty... Sorry... So again...
>> 
>> I'm looking for a content filter proxy solution for filtering porn and
>> violence from websites.
>> I don't like filtering, but I'm forced to install it...




RE: Re[2]: Content filtering proxy 2

2003-05-15 Thread Jeromy Lukenbaugh
 
You should check out censornet. Debian based and it works great.

www.censornet.com

-Original Message-
From: Kay-Michael Voit [mailto:[EMAIL PROTECTED] 
Sent: Thursday, May 15, 2003 7:01 PM
To: debian-isp@lists.debian.org


thanks, i think this is exactly what i was searching for. though i don't
hold with chastity, our lawgiver obviously does :)

regards,
kay


ALB> squid+squidguard+chastity lists+webmin+usermin  VERY HIGH LEVEL
ALB> solution. It rules and it's in debian well, that just figures 
ALB> doesn't it?


ALB> On Thu, 15 May 2003 at 16:57, Kay-Michael Voit wrote:
>> I've no idea why my last message was empty... Sorry... So again...
>> 
>> I'm looking for a content filter proxy solution for filtering porn 
>> and violence from websites.
>> I don't like filtering, but I'm forced to install it...

