IPSEC wireless router ?

Anonymous
September 24, 2005 7:33:55 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

I am looking for something secure:
hardware wireless router:

- one ethernet port dedicated to provider (DHCP and PPPOE capable)
- one LAN port which would be linked to some switch
- wireless repeater

BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet, but
rather require any client to use IPSEC tunneling.

That's for home use; I am too lame to set up a Linux box, because I don't feel like
setting up an IPSEC server, and had too much bad XP with IDE disks on home made
routers (usually crash after 2 or 3 years 24/24).

I hope such a device should be available between 150 and 300 e

Maybe there are some tutorials to convert some Linksys WRT this way?
or some Dlink with such native support?

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/


Anonymous
September 24, 2005 7:33:56 PM

On Sat, 24 Sep 2005 15:33:55 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:

>I am looking for something secure:
>hardware wireless router:
>
>- one ethernet port dedicated to provider (DHCP and PPPOE capable)
>- one LAN port which would be linked to some switch
>- wireless repeater
>
>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet,

Not possible. 802.11 wireless is bridging by definition. No routing,
IP addresses, or services (such as IPSec) involved. There's no other
way to connect between wireless and wired devices other than bridging.

Now, you could isolate the wired and wireless part with a router, VPN,
or filters, but that requires layer 3 services in addition to
bridging.

>but
>rather require any client to use IPSEC tunneling.

Overkill. You have WPA encryption for the wireless. On top of that,
you want to add VPN encryption. You don't really need both. WPA is
enough.

>That's for home use; I am too lame to set up a Linux box, because I don't feel like
>setting up an IPSEC server, and had too much bad XP with IDE disks on home made
>routers (usually crash after 2 or 3 years 24/24).

The bigger they are, the harder they crash. How about this
alternative? Use an access point, not a wireless router, for the
wireless part of the puzzle. Use WPA encryption. Use a separate
IPSec VPN router to terminate the tunnel. Netgear seems to have a
good selection:
| http://www.netgear.com/products/business/prod_vpnrouter...
There are lots of other wired VPN routers to choose from at around
$100US. If you want your VPN termination, it's in the box. This will
also allow you to be rather creative in locating the wireless access
point and allow easy upgrades to the latest 802.11 acronyms.

There are products that sorta do what you want:
| http://www.netgear.com/products/details/FWAG114.php
| http://www.sonicwall.com/products/tz170SP_wireless.html
I don't think you'll like the prices.

>I hope such a device should be available between 150 and 300 e
>
>Maybe there is some tutorials to convert this way some Linksys WRT ?
>or some Dlink with such native support ?

Yes. The WRT54G can handle alternative firmware with VPN termination
features. Sveasoft Alchemy includes PPTP VPN services which is handy
for Windoze clients as it comes with the operating system. IPSec is
available in various custom builds. I'm too lazy to find these. Bug
me if you need URL's.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Anonymous
September 24, 2005 7:59:15 PM

> I am looking for something secure:
> hardware wireless router:

I know where you're going with that but why? You can use WPA on a
WRT54G as long as your clients support it and given a strong password,
that's going to suit pretty much all home users.

IPSec has limitations too; how were you planning on authenticating?
Which EAP type were you going to use? EAP-MD5, for example, is easily
dictionary crackable.

David.
Anonymous
September 24, 2005 8:12:50 PM

DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
news:43353ab0$0$24372$626a14ce@news.free.fr:

> I am looking for something secure:
> hardware wireless router:
>
> - one ethernet port dedicated to provider (DHCP and PPPOE capable)
> - one LAN port which would be linked to some switch
> - wireless repeater
>
> BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN
> ethernet, but rather require any client to use IPSEC tunneling.
>
> That's for home use; I am too lame to set up a Linux box, because I don't
> feel like setting up an IPSEC server, and had too much bad XP with
> IDE disks on home made routers (usually crash after 2 or 3 years
> 24/24).
>
> I hope such a device should be available between 150 and 300 e
>
> Maybe there are some tutorials to convert some Linksys WRT this way?
> or some Dlink with such native support?
>

I don't think you can do what you want. You can use an IPSEC tunnel
between computers through the O/S such as Win 2K, XP and etc and that's a
VPN solution software to software, you can have a software VPN client on
a client machine with server software VPN implemented on a device such as
a firewall appliance or a er such as a Watchguard or others that fall
into that category such a Sonicwall, Cisco and others, software client to
server host VPN solutions such as AT&T Extranet or you can have hardware
to hardware VPN solution router to router.

http://www.homenethelp.com/vpn/

But some kind of a VPN solution between the wireless gateway device such
as a NAT router and your wireless machines on the LAN is questionable.
Maybe, a VPN solution with a wireless Watchguard FW appliance or others
and its client VPN software solution on the machines may work to protect
a wireless LAN situation between the gateway device and the clients I
don't know.

You can checkout the WG X5 series I think that's around $300 but the VPN
on the client machines cost extra and you can checkout others too

Duane :) 
Anonymous
September 24, 2005 10:54:12 PM

I just want you to know that I am sitting out here in an Extended Stay inn
using a dial-up direct connection to the Internet. Before implementing
AnalogX's IPsec Secpol rules for configuring IPsec to act in a firewall-like
manner, BlackIce was sounding off and blocking unsolicited inbound
traffic. I have not been on a dial-up connection with a machine in several
years and was surprised at the number of probes, scans and attacks being run
against the machine such as MS SQL Server, RPC, *NetBIOS*, etc., which BI was
blocking and logging and alerting on things such as O/S fingerprinting. And
I have some vulnerable applications running such as IIS and SQL Server.

However, since implementing IPsec on the XP Pro machine and activating the
AnalogX SecPol rules, with making adjustments in the rules like allowing
SMTP on TCP port 587, because EarthLink uses port 587 and not 25, and
configuring AnalogX's rules to block all the Windows Networking ports and
other ports IPsec protects by default such as TCP 135, only allowing traffic
in a LAN situation, BlackIce has not logged anything in the logs, barked,
whined, or alerted with IPsec supplementing BI.

I was using BI and IPsec to supplement the no FW Linksys NAT router I was
using. But until now, I was not aware of how powerful of a solution IPsec is
and its ability to be used in a FW like manner to stop inbound or outbound
traffic by port, protocol or IP and nothing is coming past it *NOTHING*
which would make BlackIce react.

I am very impressed with IPsec and its ability to supplement in a FW like
manner. <g>

http://www.petri.co.il/block_ping_traffic_with_ipsec.ht...
http://www.analogx.com/contents/articles/ipsec.htm
http://support.microsoft.com/kb/813878

But just keep in mind I am not a guru like you are, and therefore, you can
kiss my *ASS* about IPsec and anything else for that matter with your
*tongue* hanging out. <vbg>
Anonymous
September 24, 2005 11:20:38 PM

> using. But until now, I was not aware of how powerful of a solution IPsec is
> and its ability to be used in a FW like manner to stop inbound or outbound
> traffic by port, protocol or IP and nothing is coming past it *NOTHING*
> which would make BlackIce react.

It's not new Duane. All you're doing is blocking traffic by port. I'm
surprised that it's new to you.

The main advantage of IPSec is the Sec part, i.e. security. Simply
creating filters and a filter action like you are doing is the very very
simplest start. What the original poster wanted was security which to
do properly requires a PKI implementation. Then you get mutual
authentication and encryption, none of which you have right now.

> I am very impressed with IPsec and its ability to supplement in a FW like
> manner. <g>

Been doing that for ages; it's not new but it does have value. It's
just not the friendliest interface for noddies to configure and it
doesn't provide any stateful inspection or application inspection, but
yes, if all you want to do is set up block/allow filters, it's fine.

> But just keep in mind I am not a guru like you are, and therefore, you can
> kiss my *ASS* about IPsec and anything else for that matter with your
> *tounge* hanging out. <vbg>

No need but keep reading, you'll learn as you go along. It fascinates
me why you post what you do sometimes.

Just remember, IPSec is an IP only solution, if you have NWLink or
NetBEUI installed and bound, you might just as well hand your PC over to
Mr Hacker.

David.
Anonymous
September 25, 2005 9:39:17 AM

David Taylor wrote:
>>I am looking for something secure:
>>hardware wireless router:
>
>
> I know where you're going with that but why? You can use WPA on a
> WRT54G as long as your clients support it and given a strong password,
> that's going to suit pretty much all home users.

Even if I buy WPA APs, few clients have it yet.

WPA is not backward compatible with 802.11b ... IPSEC is, with any wireless card and any
OS ... and will remain secure as long as SSL is not broken, while optimistic people
think that WPA will be broken within 12 months.

I am not going to buy into WPA, which will soon be weak.

> IPSec has limitations too, how were you planning on authenticating?
> Which EAP type were you going to use? EAP-MD5 for example is easily
> dictionary crackable for example.

exchange of the primary key can be done by email the day before my customer joins me, or
the first day using a transparent proxy that allows access only to HTTPS webmails ...

or just hand in hand (aka oral confirmation that the signature of the key is really
mine).

IPSEC can't be weaker than WPA, simply because, like WEP, WPA is limited by hardware,
and a broken proto means you can throw out your devices, whereas IPSEC can be upgraded
even on old machines, and keeps the network compliant with any other devices.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 9:42:47 AM

> I am very impressed with IPsec and its ability to supplement in a FW like
> manner. <g>

IPSEC just rules where most other protos just suck.

ATM I never set it up myself, but from the tutorials I have read, it's way non-trivial to
set up (server side), but really claimed by everyone to be highly secure, and may
be the only known REALLY secure layer to encapsulate VPNs.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 9:42:48 AM

DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
news:43361cb9$0$22382$626a14ce@news.free.fr:

>> I am very impressed with IPsec and its ability to supplement in a FW
>> like manner. <g>
>
> IPSEC just rules where most other protos just suck.
>
> ATM I never set it up myself, but from the tutorials I have read, it's way
> non-trivial to set up (server side), but really claimed by everyone
> to be highly secure, and may be the only known REALLY secure layer to
> encapsulate VPNs.
>

It's simple with the AnalogX rules that can be implemented on the Win 2K,
XP and the Win 2K3 O/S(s). All one does is enable or disable the IPsec
rules, say for instance for the HTTP server/client, SMTP server/client,
NNTP server/client, etc., etc., and edit those rules and see what's being
done and learn from them. Again, it's a piece of cake; even I can do it.
;-)

Duane :) 
Anonymous
September 25, 2005 9:47:40 AM

could you stop trolling and talk about available wireless IPSEC DEVICES ?

btw: clients will be Linux and BSD laptops ...
so that even a Pentium (1) 150MHz with PCMCIA1 802.11b adapters can still benefit from
my secure wireless network, without need of those PCMCIA2 cards (which are not
supported by old lappies), nor need of an OS that requires 256MB or even 2GB just to
install ...

IPSEC support can be added to 8-year-old BSD laptops !!!

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 9:47:41 AM

DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
news:43361ddf$0$8933$626a14ce@news.free.fr:

> could you stop trolling and talk about available wireless IPSEC DEVICES
> ?
>
> btw: clients will be Linux and BSD laptops ...
> so that even a Pentium (1) 150MHz with PCMCIA1 802.11b adapters can
> still benefit from my secure wireless network, without need of those
> PCMCIA2 cards (which are not supported by old lappies), nor need of an OS
> that requires 256MB or even 2GB just to install ...
>
> IPSEC support can be added to 8-year-old BSD laptops !!!
>

Well, SuSE Linux that I use is using about that much RAM and disk space
just to install. And I am not into mix, blend and roll your own.

Well, you have to have two valid end points; I don't care what O/S you're
using. The VPN end points must be client to server software solutions. Or
you can install the VPN client software solution on a machine and install
the server solution as part of the firmware of a low-end wireless
firewall appliance. But I don't think the VPN will apply for a LAN
situation, period, wired or wireless, and is only for remote connections
over the Internet with a client machine. However, you'll need to check on
it. The other VPN solution is hardware to hardware -- router to router.

The only thing you might be able to do is an AD-HOC wireless solution on
a gateway computer with wireless client machines using IPsec on the
gateway server machine between the client machines.

I don't think you're going to find a hardware VPN solution for the
wireless machines on the LAN.

Duane :) 
Anonymous
September 25, 2005 9:49:27 AM

some of my friends even use IPSEC on wired LAN ... just in case someone spies on their
LAN after hacking the gateway ...

atm, I /just/ want to secure wireless part of my home.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 9:49:28 AM

DEMAINE Benoit-Pierre <nntp_pipex@demaine.info> wrote in
news:43361e4a$0$8933$626a14ce@news.free.fr:

> some of my friends even use IPSEC on wired LAN ... just in case
> someone spies on their LAN after hacking the gateway ...
>
> atm, I /just/ want to secure wireless part of my home.
>

Well, there is nothing to say that one cannot hack the wireless and get to
the wire LAN machines or hack the wire ones and get to the wireless ones on
the LAN. That's if you come right down to it.:) 

Duane :) 
Anonymous
September 25, 2005 10:06:14 AM

>>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet,
>
>
> Not possible. 802.11 wireless is bridging by definition. No routing,
> IP addresses, or services (such as IPSec) involved. There's no other
> way to connect between wireless and wired devices other than bridging.

are you sure ? then, what is my hand-set-up gateway doing ???

- 3 NICs
- 1 Wireless adapter ...

4 IPs
and clients on any network can not even ping any other IP than the NIC of my gateway
it is connected to ... not even the IP of the wireless card if it is on a wired NIC ...

what happens is that for simplicity, and dummy compliance, all manufacturers do
bridge wireless to wired ... BUT in all firewalling tutorials, you will find that this
kind of bridging DOES require to be activated ... aka is NOT available before you
explicitly ask for it.

I already DID set up routing, and/or bridging on x86 boxes ...

my actual question is: does any hardware router do that including IPSEC ?

> Now, you could isolate the wired and wireless part with a router, VPN,
> or filters, but that requires layer 3 services in addition to
> bridging.

that would mean set up a dedicated gateway between wired and wireless, which would
decrypt IPSEC connections; that is precisely what I am too lame to do myself.

> Overkill. You have WPA encryption for the wireless. On top of that,
> you want to add VPN encryption. You don't really need both. WPA is
> enough.

WPA is hardware encryption: next year it will be broken = next year I can buy a new
router, and ask all my clients to buy new cards ...

All we know about WPA is that it was secure yesterday ... and that when someone
breaks it, you learn about it on forums only 6 months after all teenagers have already
cracked company networks ...

In France, such security breaches can lead people to jail, even put in jail the one
who has been attacked.

> The bigger they are, the harder they crash. How about this
> alternative? Use an access point, not a wireless router for the
> wireless part of the puzzle. Use WPA encryption. Use a seperate
> IPSec VPN router to terminate the tunnel. Netgear seems to have a
> good selection:

- depends on (weak) WPA
- depends on an additional box

=> twice more storage device + spinning disk + 2 systems + 2 supplies = 4 times more
reasons to crash.

and my problem is that I WANT TO AVOID SETTING UP MANUALLY THE IPSEC SERVER.

> There's no other
> way to connect between wireless and wired devices other than bridging.

looks like you missed a point: I never said I want my networks to be in the same IP
ranges ... would any admin want to keep in the same range all computers of the
building ? who would be mad enough to try to keep transparent bridging between all
computers ? who would try to interconnect more than 1000 computers on the same segment ?

Even at home, it is out of order to have wireless in the same IP range as the wired LAN.

Honey pots will fill holes

DHCP+DNS will make things transparent for users.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 10:06:15 AM

On Sun, 25 Sep 2005 06:06:14 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:

>>>BUT but BUT: I want the wireless interface NOT TO BE BRIDGED to LAN ethernet,
>>
>>
>> Not possible. 802.11 wireless is bridging by definition. No routing,
>> IP addresses, or services (such as IPSec) involved. There's no other
>> way to connect between wireless and wired devices other than bridging.
>
>are you sure ?

Yes, I'm sure it's bridging.

> then, what is my hand-set-up gateway doing ???

That's the router section. Think of a "wireless router" as a
"wireless access point" glued to an "ethernet router". If done in
separate boxes, the ethernet output from the access point would go to
one of the LAN inputs of the "ethernet router". When you set the IP
addresses and all that, you're setting the router section. The only
exception is that a stand-alone access point requires an IP address to
do configurations and system settings. That IP address is only used
for configuration and has nothing to do with the traffic.

>
>- 3 NICs
>- 1 Wireless adapter ...
>
>4 IPs
>and clients on any network can not even ping any other IP than the NIC of my gateway
>it is connected to ... not even the IP of the wireless card if it is on a wired NIC ...

Wanna bet? If you ignore the router part of the puzzle and just play
with an access point, the IP address of the access point can be
literally anything. In fact, that's exactly what I do on wireless
systems that I don't want the users to tinker with the access points.
I set the management IP address of the access point to something
that's out of the usual 192.168.1.0/24 block.

>what happens is that for simplicity, and dummy compliance, all manufacturers do
>bridge wireless to wired ... BUT in all firewalling tutorials, you will find that this
>kind of bridging DOES require to be activated ... aka is NOT available before you
>explicitly ask for it.

Sorry. I don't understand what you're asking or saying.

>I already DID set up routing, and/or bridging on x86 boxes ...
>
>my actual question is: does any hardware router do that including IPSEC ?
>
>> Now, you could isolate the wired and wireless part with a router, VPN,
>> or filters, but that requires layer 3 services in addition to
>> bridging.
>
>that would mean set up a dedicated gateway between wired and wireless, which would
>decrypt IPSEC connections; that is precisely what I am too lame to do myself.
>
>> Overkill. You have WPA encryption for the wireless. On top of that,
>> you want to add VPN encryption. You don't really need both. WPA is
>> enough.
>
>WPA is hardware encryption: next year it will be broken = next year I can buy a new
>router, and ask all my clients to buy new cards ...

That's why I suggested you separate the router function (with VPN) and
the wireless function. When the next great exploits or new acronyms
come out, you don't have to toss everything and start over.

>All we know about WPA is that it was secure yesterday ... and that when someone
>breaks it, you learn about it on forums only 6 months after all teenagers have already
>cracked company networks ...

Yawn. You're welcome to your own level of paranoia. However, if you
run on that assumption, there isn't an operating system, application,
or protocol that won't shortly be cracked by teenagers or university
grad students.

>In France, such security breaches can lead people to jail, even put in jail the one
>who has been attacked.
>
>> The bigger they are, the harder they crash. How about this
>> alternative? Use an access point, not a wireless router for the
>> wireless part of the puzzle. Use WPA encryption. Use a separate
>> IPSec VPN router to terminate the tunnel. Netgear seems to have a
>> good selection:
>
>- depends on (weak) WPA
>- depends on an additional box
>
>=> twice more storage device + spinning disk + 2 systems + 2 supplies = 4 times more
>reasons to crash.
>
>and my problem is that I WANT TO AVOID SETTING UP MANUALLY THE IPSEC SERVER.

Good luck. IPsec is no fun to set up. Lots of settings. Lots of
potential incompatibilities between servers and clients. Lots of
things to go wrong. To the best of my knowledge, nobody has a
non-manual IPSec VPN setup.

>> There's no other
>> way to connect between wireless and wired devices other than bridging.
>
>looks like you missed a point: I never said I want my networks to be in the same IP
>ranges ... would any admin want to keep in the same range all computers of the
>building ? who would be mad enough to try to keep transparent bridging between all
>computers ? who would try to interconnect more than 1000 computers on the same segment ?

I think you missed my point. 802.11 wireless is bridging. I still
recall wireless access points that didn't have an IP address for
configuration and had to be set via a serial port. There's no layer 3
stuff involved in bridging. That doesn't mean you have to set up your
entire network without any routers and using just bridging. However,
that's exactly the way a typical hot spot or home network is set up.
The users bridge (encapsulate 802.3 ethernet inside 802.11 wireless
packets) between client radios and the access point. The IP stack is
in the client, not the wireless client. At the access point, it goes
to a router, which deals with the IP addresses, routing, and such.

>Even at home, it is out of order to have wireless in the same IP range as the wired LAN.

Most systems I've seen use a common /24 IP block for everything. If
there's a VPN server in the system, the VPN server delivers an IP
address through the tunnel to the client, which is used instead of the
DHCP assigned IP address. I think that's what you're talking about.

>Honey pots will fill holes
>
>DHCP+DNS will make things transparent for users.

Sigh. Good luck...


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
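To make Jeff's point concrete (the access point rewrites 802.11 headers into 802.3 headers and never looks at an IP address), here is an added illustration of that translation in Python. It is my own example, not code from anyone in this thread or from any product mentioned; the MAC addresses and the payload are constructed, and it handles only the plain three-address data frame with RFC 1042 LLC/SNAP encapsulation, which is the common case between a client radio and an AP.

```python
import struct

# Constructed example addresses (not from the thread): a wireless laptop, the
# access point's BSSID, and a wired host reached through the AP's Ethernet port.
STA_MAC = bytes.fromhex("02a1b2c3d4e5")
AP_BSSID = bytes.fromhex("0211223344aa")
WIRED_MAC = bytes.fromhex("02deadbeef01")

# RFC 1042 LLC/SNAP header that 802.11 puts in front of an Ethernet-style payload:
# DSAP=0xAA, SSAP=0xAA, control=0x03, OUI=00:00:00, then the 2-byte EtherType.
LLC_SNAP_RFC1042 = bytes.fromhex("aaaa03000000")

FC_TYPE_DATA = 0x0008   # frame control (little-endian): type bits = data
FC_TO_DS = 0x0100       # flag byte, bit 0
FC_FROM_DS = 0x0200     # flag byte, bit 1


def build_80211_data(sa, da, bssid, ethertype, payload, direction="to_ds"):
    """Build a minimal 802.11 data frame (3-address form, no QoS field, no FCS).

    to_ds   (station -> AP): Addr1 = BSSID, Addr2 = SA,    Addr3 = DA
    from_ds (AP -> station): Addr1 = DA,    Addr2 = BSSID, Addr3 = SA
    """
    if direction == "to_ds":
        flags, a1, a2, a3 = FC_TO_DS, bssid, sa, da
    elif direction == "from_ds":
        flags, a1, a2, a3 = FC_FROM_DS, da, bssid, sa
    else:
        raise ValueError("direction must be 'to_ds' or 'from_ds'")
    frame_control = struct.pack("<H", FC_TYPE_DATA | flags)
    duration = b"\x00\x00"
    seq_ctrl = b"\x00\x00"
    header = frame_control + duration + a1 + a2 + a3 + seq_ctrl   # 24 bytes
    return header + LLC_SNAP_RFC1042 + struct.pack("!H", ethertype) + payload


def bridge_to_ethernet(frame):
    """Do what the AP's bridge does: rewrite the 802.11 header into an 802.3 header.

    Only MAC addresses and the EtherType are touched. Whatever sits inside (IP,
    ARP, IPX ...) is copied through untouched; no IP address is ever examined.
    """
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        da, sa = addr3, addr2
    elif from_ds and not to_ds:
        da, sa = addr1, addr3
    elif not to_ds and not from_ds:      # ad hoc (IBSS)
        da, sa = addr1, addr2
    else:
        raise ValueError("4-address WDS frames are not handled here")
    body = frame[24:]
    if body[:6] != LLC_SNAP_RFC1042:
        raise ValueError("payload is not RFC 1042 encapsulated")
    return da + sa + body[6:8] + body[8:]


def ethernet_fields(eth):
    """Split an 802.3 frame into (dst, src, ethertype, payload) for inspection."""
    return eth[:6], eth[6:12], struct.unpack("!H", eth[12:14])[0], eth[14:]


if __name__ == "__main__":
    # A laptop sends an IPv4 packet (constructed 20-byte header stand-in) to a wired host.
    ip_payload = bytes([0x45]) + bytes(19)
    over_air = build_80211_data(STA_MAC, WIRED_MAC, AP_BSSID, 0x0800, ip_payload)
    on_wire = bridge_to_ethernet(over_air)
    dst, src, etype, payload = ethernet_fields(on_wire)
    print(f"wired side sees dst={dst.hex(':')} src={src.hex(':')} type=0x{etype:04x}")
    print("IP payload unchanged:", payload == ip_payload)
```

The translation is the whole job of the bridge: the AP's management IP address appears nowhere in it, and the wired and wireless sides end up in one broadcast domain. Isolating them, or demanding IPsec before a wireless client can talk to the wire, has to happen in the router section behind the bridge, which is the layer 3 service Jeff describes.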
Anonymous
September 25, 2005 10:06:15 AM

On Sun, 25 Sep 2005 06:06:14 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:

>my actual question is: does any hardware router do that including IPSEC ?

Wireless router or ethernet router with VPN?

Wireless:
| http://www.netgear.com/products/details/FWAG114.php
| http://www.sonicwall.com/products/tz170SP_wireless.html
| http://www.linksys.com/servlet/Satellite?childpagename=...


There are plenty of ethernet routers with IPSec VPN terminations.
Search Google or the major manufacturers for "VPN Router".


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
Anonymous
September 25, 2005 12:11:56 PM

> set up (server side), but really claimed by every one to be highly secure, and may
> be the only known REALLY secure layer to encapsulate VPNs.

Wait a week then visit www.newburynetworks.com and view their webcast on
why VPN's (IPSec or otherwise) are in their opinion NOT the way to
secure a WLAN.

IPSec isn't the only solution and as has been stated, doesn't secure
anything other than IP, is a layer 3 protocol, doesn't encrypt
broadcasts and requires that the network be subnetted.

David.
Anonymous
September 25, 2005 12:20:14 PM

> I think you missed my point. 802.11 wireless is bridging. I still
> recall wireless access points that didn't have an IP address for
> configuration and had to be set via a serial port. There's no layer 3
> stuff involved in bridging. That doesn't mean you have to set up your

I can see where he's coming from, he wants an IPSec driver on the
wireless side of his router above the MAC bridge part of the wireless.
Anonymous
September 25, 2005 12:26:55 PM

> Who cares about what the OP is talking about?

That's generally the point of a thread, to discuss the original
question! :) 

> I been using it for a couple of years and that's after someone made me aware
> of it so how can it be new to me? I have made posts about using IPsec as a

Duane said "But until now, I was not aware of how powerful of a solution
IPsec is
and its ability to be used in a FW like manner"

> O/S(s) are not aware that it's even there. And many users *bitch* about the
> XP O/S FW not being able to stop outbound traffic .However, with the use of

Yes and many users complain that Windows is unstable after they've
loaded a whole truck load of poorly written 3rd party device drivers.

> and on the post where you started going to left field.on NWLink and NetBIOS.

Go back and read Duane, you mentioned IPSec protecting Netbios over
NWLink. I can pick the post and requote it if you like?

> *university/college/boy -- ass-wipe*. <g> and <EOR>

Do you feel inferior Duane is that it?, how was it in "the hood"?

David.
Anonymous
September 25, 2005 1:27:37 PM

"David Taylor" <djtaylor@bigfoot.com> wrote in message
news:MPG.1da0706313bab0c2989e5e@news.cable.ntlworld.com...
>> Who cares about what the OP is talking about?
>
> That's generally the point of a thread, to discuss the original
> question! :) 
>
>> I been using it for a couple of years and that's after someone made me
>> aware
>> of it so how can it be new to me? I have made posts about using IPsec as
>> a
>
> Duane said "But until now, I was not aware of how powerful of a solution
> IPsec is
> and its ability to be used in a FW like manner"

So what? My use of IPsec was behind a NAT router and BlackIce to
*supplement* them both, as neither one of them had the ability to stop
outbound traffic from a machine. Now, I am out on the road on a dial-up
connection, a direct connection to the Internet, and can fully understand the
power of IPsec as a packet filtering solution.


>
>> O/S(s) are not aware that it's even there. And many users *bitch* about
>> the
>> XP O/S FW not being able to stop outbound traffic .However, with the use
>> of
>
> Yes and many users complain that Windows is unstable after they've
> loaded a whole truck load of poorly written 3rd party device drivers.
>
>> and on the post where you started going to left field.on NWLink and
>> NetBIOS.
>
> Go back and read Duane, you mentioned IPSec protecting Netbios over
> NWLink. I can pick the post and requote it if you like?

There you go with another one of your *bitch* moves. You said NetBIOS over
TCP IP not me. What I should have said was the NetBIOS port that even BI
protects. But just keep in mind you're the greatest guru of ALL TIMES not
me.

>
>> *university/college/boy -- ass-wipe*. <g> and <EOR>
>
> Do you feel inferior Duane is that it?, how was it in "the hood"?

And I have been to college too but I don't flaunt it like I have seen you
do it the onetime I read a post that you made to some one you flaunted it. .
What you can do for me is kiss my BLACK ass that's what you can do. You put
your pants on one leg at a time and a POS like you will never be better than
me. You are nothing but a somewhat educated POS.

And you're a dime a dozen out here on the Internet.
Anonymous
September 25, 2005 2:59:02 PM

> That's generally the point of a thread, to discuss the original
> question! :) 
>

Wait just a damn minute here, you lurking *clown*. You made some posts to me
and I cannot do the same with you, as you went out of your way to do it? GTF
out of here with this. You POS, it is not your show in this NG or the
Internet. You may think that it is your show, your NG, and your Internet, and
apparently your world. But you can rest assured that it's not. :)
Anonymous
September 25, 2005 3:00:03 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

> And I have been to college too, but I don't flaunt it like I have seen you
> do it; the one time I read a post that you made to someone, you flaunted it.

You're so funny Duane, ONE guy asked and I answered his question. You
call that flaunting it to reply to his question "where did you learn
stuff"? You have issues.

> What you can do for me is kiss my BLACK ass that's what you can do. You put
> your pants on one leg at a time and a POS like you will never be better than
> me. You are nothing but a somewhat educated POS.

Yep, you really do have a complex. Get therapy or grow up.
Anonymous
September 25, 2005 3:15:04 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

David Taylor wrote:
>>Who cares about what the OP is talking about?
>
>
> That's generally the point of a thread, to discuss the original
> question! :) 

I agree that 'trolling' was not a good word; I ought to say:

personal argument with insults and pointless challenges ... fighting over
uninteresting personal qualifications/abilities.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 3:15:05 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

> personal argument with insults and pointless challenges ... fighting over
> uninteresting personal qualifications/abilities.

He started it! :p 
Anonymous
September 25, 2005 3:30:25 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

>>are you sure ?
>
>
> Yes, I'm sure it's bridging.
>
>
>>then, what is my manually set up gateway doing???
>
>
> That's the router section. Think of a "wireless router" as a
> "wireless access point" glued to an "ethernet router". If done in
> separate boxes, the ethernet output from the access point would go to
> one of the LAN inputs of the "ethernet router". When you set the IP
> addresses and all that, you're setting the router section. The only
> exception is that a stand-alone access point requires an IP address to
> do configurations and system settings. That IP address is only used
> for configuration and has nothing to do with the traffic.

learn a bit about the French product called 'freebox':
it natively supports wireless routing, and it is REALLY A ROUTER:
the software config can activate (or not) routing to wireless; by default it is off and
you can only access the wired part.

The problem with this device is that the manufacturer does not sell it. It is a part
supplied to customers who pay for internet access ...

I mean that in this device, the wireless card is not bridged.

>>4 IPs
>>and clients on any network cannot even ping any other IP than the NIC of my gateway
>>it is connected to ... not even the IP of the wireless card if it is on the wired NIC ...
>
>
> Wanna bet? If you ignore the router part of the puzzle and just play
> with an access point, the IP address of the access point can be
> literally anything. In fact, that's exactly what I do on wireless
> systems where I don't want the users to tinker with the access points.
> I set the management IP address of the access point to something
> that's out of the usual 192.168.1.0/24 block.

what is your point in this part?

>>what happens is that for simplicity, and dummy compliance, all manufacturers do
>>bridge wireless to wired ... BUT in all firewalling tutos, you will find that this
>>kind of bridging DOES require to be activated ... aka is NOT available before you
>>explicitly ask for it.
>
> Sorry. I don't understand what you're asking or saying.

hmmm, did you ever try to activate WDS?
did you read the routing table of a WRT54G?

if yes, read me again ...

>>WPA is hardware encryption: next year it will be broken = next year I can buy a new
>>router, and ask all my clients to buy new cards ...
>
> That's why I suggested you separate the router function (with VPN) and
> the wireless function. When the next great exploits or new acronyms
> come out, you don't have to toss everything and start over.

I can perfectly well do it on my old Pentium 120 ...

question is: can a hardware router do it for me?

> Good luck. IPsec is no fun to setup. Lots of settings. Lots of
> potential incompatibilities between servers and clients. Lots of
> things to go wrong. To the best of my knowledge, nobody has a
> non-manual IPSec VPN setup.

that's why I am asking for a hardware device

(but still, I expect this kind of hardware to be upgradable ...
when WPA is encoded (let's say) into silicon, IPSEC ought to be encoded into a FLASH device)

> Most systems I've seen use a common /24 IP block for everything. If
> there's a VPN server in the system, the VPN server delivers an IP
> address through the tunnel to the client, which is used instead of the
> DHCP assigned IP address. I think that's what you're talking about.

some companies have over 10000 boxes in a single building: if you use only hubs and
switches, you need a star network, where the root switch may saturate even at 100gb
... because if two end-branch clients want to exchange, they are likely to have to
come back to the root switch ... whereas a routed network can be designed as islands, and
the islands can then be interconnected in a smart way.

I have been a customer on a network like the one you describe: it was deadly slow and unstable:
breaking the root switch shut down the whole network ... for example when you unplug
the switch that leads to the DHCP server room ...

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 25, 2005 3:30:26 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

On Sun, 25 Sep 2005 11:30:25 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:

>learn a bit about the French product called 'freebox':
>it natively supports wireless routing, and it is REALLY A ROUTER:
>the software config can activate (or not) routing to wireless; by default it is off and
>you can only access the wired part.

You still aren't getting my point. 802.11 wireless is bridging.
Where you attach a router and what it does is not part of 802.11.
There's not one word that even mentions routeing or IP addresses in
the IEEE 802.11 specifications.
http://standards.ieee.org/getieee802/802.11.html
Download any of 802.11a/b/g specs and find me where it says "router".

>I mean that in this device, the wireless card is not bridged.

All 802.11 wireless cards are bridged. You can attach a router at
both ends and hide the bridging from the client, but the basic
protocol is bridging.

>> Wanna bet? If you ignore the router part of the puzzle and just play
>> with an access point, the IP address of the access point can be
>> literally anything. In fact, that's exactly what I do on wireless
>> systems that I don't want the users to tinker with the access points.
>> I set the management IP address of the access point to something
>> that's out of the usual 192.168.1.0/24 block.
>
>what is your point in this part?

That with bridging, it's not important that the IP address of the
wireless device be in the same subnet as the wireless LAN.

>>>what happens is that for simplicity, and dummy compliance, all manufacturers do
>>>bridge wireless to wired ... BUT in all firewalling tutos, you will find that this
>>>kind of bridging DOES require to be activated ... aka is NOT available before you
>>>explicitly ask for it.
>>
>> Sorry. I don't understand what you're asking or saying.
>
>hmmm, did you ever try to activate WDS?


I don't understand your terms "dummy compliance", "tutos", and what
needs to be "activated". What does WPA have to do with anything in
bridging and routeing? WPA encryption is totally transparent to both.

>did you read the routing table of a WRT54G?

> ~ # netstat -r
> Kernel IP routing table
> Destination Gateway Genmask Flags MSS Window irtt Iface
> 192.168.111.0 * 255.255.255.0 U 40 0 0 br0
> 63.198.98.0 * 255.255.255.0 U 40 0 0 vlan1
> 127.0.0.0 * 255.0.0.0 U 40 0 0 lo
> default adsl-63-198-98- 0.0.0.0 UG 40 0 0 vlan1

What should I read in there? That's the router part of the WRT54G.

>if yes, read me again ...

Done. I still don't understand what you're asking or suggesting.

>question is: can a hardware router do it for me?

Do you want everything in one box? If so, I've listed 3 possible
wireless VPN routers. If you can live with everything in separate
boxes, then it can be done with a much wider and cheaper variety of
boxes.

>> Good luck. IPsec is no fun to setup. Lots of settings. Lots of
>> potential incompatibilities between servers and clients. Lots of
>> things to go wrong. To the best of my knowledge, nobody has a
>> non-manual IPSec VPN setup.
>
>that's why I am asking for a hardware device

Hardware IPSec is about the same complexity as software (FreeSWAN)
especially when dealing with poorly defined features such as replay
protection. I've seen compatibility issues that were not fun to
troubleshoot.

>I have been a customer on a network like the one you describe: it was deadly slow and unstable:
>breaking the root switch shut down the whole network ... for example when you unplug
>the switch that leads to the DHCP server room ...

I'm not suggesting you build a complex network for your home wireless.
I'm simply suggesting that you separate the modem, VPN router, and
wireless access point into three separate boxes. I can list the
benefits when you're ready to listen.


--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Anonymous
September 25, 2005 3:38:14 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

The TZ 170 SP Wireless allows network administrators to create user accounts for
occasional guest users such as consultants and contractors that permit wireless
connections to the Internet without providing access to the corporate network.

sounds nice ... I need to read again tonight ...

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
September 25, 2005 4:33:53 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

David Taylor wrote:
> It's not new Duane. All you're doing is blocking traffic by port. I'm
> surprised that it's new to you.
>
> The main advantage of IPSec is the Sec part, i.e. security. Simply
> creating filters and a filter action like you are doing is the very
> simplest start. What the original poster wanted was security which to
> do properly requires a PKI implementation. Then you get mutual
> authentication and encryption, none of which you have right now.

at a 94 IETF meeting in the gateway working group ... a friend
introduced something that has since come to be called VPN. my view was
that it somewhat upset the ipsec people ... since they were working on
end-to-end. the issue with ipsec has been that it required updates to
all the deployed (mostly kernel) tcp/ip protocol stacks. VPN could be
deployed w/o impacting current installed systems. eventually things
were somewhat patched over with the ipsec people labeling VPNs as
light-weight ipsec ... and lots of other people referring to ipsec as
heavy-weight ipsec. there was at least one vendor who announced a
purely vaporware vpn product that dec. ... in response to the uptake of
the concept after the ietf meeting.

to a large degree, the appearance of SSL was because of the same factor
... the difficulty with doing end-to-end ipsec because of its
impacting, existing deployed systems.

towards the end of 94, my wife and i got called in to consult with the
small client/server company that had come up with ssl ... who wanted to
do payments on their server
http://www.garlic.com/~lynn/aadsm5.htm#asrn2
http://www.garlic.com/~lynn/aadsm5.htm#asrn3

at the time, they had this stuff that was going to use something called
digital certificates issued by these organizations called certification
authorities (as part of something called PKI). as part of doing
payments ... we had to go around and do some end-to-end business audits
on these organizations calling themselves certification authorities ...
some collected postings on the subject off SSL certificates
http://www.garlic.com/~lynn/subpubkey.html#sslcert

SSL implementation at the time was one-way authentication between the
server and the browser. using SSL for the webserver to payment gateway
traffic ... we required an SSL implementation that supported mutual
authentication.

however, as part of that effort, we coined the term "certificate
manufacturing" ... since the majority of the operations weren't
actually doing full-fledged PKIs ... no actual management and
administration of the certified information (contained in the digital
certificates) ... just the straight-forward manufacturing of the
certificates. In fact, numerous certificate-based infrastructures from
the period would rely on existing business operations for
administration of the current validity of the certified information (as
opposed to actually deploying a full-fledged PKI). The issue then was
that for such operations ... it was quite a trivial proof to show that
the digital certificates were redundant and superfluous (if you were
relying on existing business operations for real-time validity ... then
it was a very short step to having existing business operations also
providing public keys in real time).

there is now even cross-over between the original 94 vpn and the 94 ssl
... with the appearance of ssl-based VPNs.

the basic technology is asymmetric key cryptography; what one key (of a
key-pair) encodes, the other key decodes (to differentiate from
symmetric key which uses the same key for both encoding and decoding).

there are business process applications of asymmetric key cryptography
called "public key" (where one key is identified as public and made
available, and the other key is identified as private and kept
confidential and never divulged) and "digital signature" (which
involves encoding a hash of a message/document with a private key).

However, there are numerous examples of infrastructures that use public
keys, digital signatures, encrypted channels that don't involve PKI,
certification authorities, and/or digital signatures.

one of the most prevalent authentication infrastructures is RADIUS ...
starting out having been a userid/password implementation. There have
been extensions to RADIUS where public keys are registered in lieu of
passwords and digital signatures used for authentication ... totally
certificateless operation
http://www.garlic.com/~lynn/subpubkey.html#radius

another wide-spread authentication environment is KERBEROS, found as
integral part of a large number of platforms. the original pk-init
specification had public keys being registered in lieu of passwords and
supporting digital signature authentication ... again a certificateless
operation
http://www.garlic.com/~lynn/subpubkey.html#kerberos

pk-init specification was later upgraded to also include PKI and
certificate-based operation ... supporting the ability for total
strangers to log on to your system ... recent lengthy description
http://www.garlic.com/~lynn/2005q.html#23 Logon with Digital Signature

another public key, non-PKI authentication and confidential
infrastructure with relatively wide deployment is SSH
http://www.openssh.com
http://www.ssh.com

in any case, IPSEC PKI infrastructure can carry with it a much heavier
infrastructure operation than is actually needed for public key
authentication and encryption (and even can be redundant and
superfluous compared to simple upgrades to existing management and
administrative operation).
http://www.garlic.com/~lynn/subpubkey.html#certless
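Lynn's certificateless public-key login, a registered public key in lieu of a password and a digital signature as the proof, as an added Go example; it is not code from this post or from RADIUS, Kerberos pk-init or SSH, and the user table, the challenge format and the choice of Ed25519 are assumptions made here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Registry is the "existing business operation" of the post: a userid table
// that stores a registered public key where a password hash used to be.
// Nothing here is a certificate and nothing is signed by a CA (assumption:
// registration itself happens over an already-trusted channel).
type Registry map[string]ed25519.PublicKey

// Challenge is the server's one-time nonce, bound to the userid it was issued for.
type Challenge struct {
	UserID string
	Nonce  [32]byte
}

// NewChallenge issues a fresh random challenge for a registered userid.
func (r Registry) NewChallenge(userID string) (Challenge, error) {
	if _, ok := r[userID]; !ok {
		return Challenge{}, errors.New("unknown userid")
	}
	c := Challenge{UserID: userID}
	if _, err := rand.Read(c.Nonce[:]); err != nil {
		return Challenge{}, err
	}
	return c, nil
}

// challengeBytes is the exact byte string both sides sign and verify. Binding
// the userid into it stops a signature made for one account being presented
// for another.
func challengeBytes(c Challenge) []byte {
	return append([]byte("pk-auth:"+c.UserID+":"), c.Nonce[:]...)
}

// Respond is the client side: sign the challenge with a private key that never
// leaves the client (Ed25519 hashes the message internally, so this is the
// "encode a hash with the private key" of the post).
func Respond(priv ed25519.PrivateKey, c Challenge) []byte {
	return ed25519.Sign(priv, challengeBytes(c))
}

// Verify is the server side: look up the registered key and check the
// signature over the challenge the server itself issued.
func (r Registry) Verify(c Challenge, sig []byte) bool {
	pub, ok := r[c.UserID]
	if !ok {
		return false
	}
	return ed25519.Verify(pub, challengeBytes(c), sig)
}

// Scenario walks through one honest login, one attempt with the wrong key, and
// one replay of an old signature against a new challenge. Returns the three
// verdicts in that order; expected (true, false, false).
func Scenario() (honest, wrongKey, replay bool, err error) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, malloryPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	reg := Registry{"alice": alicePub} // constructed sample registration

	c1, err := reg.NewChallenge("alice")
	if err != nil {
		return
	}
	sig1 := Respond(alicePriv, c1)
	honest = reg.Verify(c1, sig1)

	// Someone who knows the userid but holds a different key fails.
	wrongKey = reg.Verify(c1, Respond(malloryPriv, c1))

	// A captured signature is useless against the next challenge.
	c2, err := reg.NewChallenge("alice")
	if err != nil {
		return
	}
	replay = reg.Verify(c2, sig1)
	return
}

func main() {
	h, w, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest=%v wrongKey=%v replay=%v\n", h, w, r)
}
```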
Anonymous
September 25, 2005 6:01:09 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

> The TZ 170 SP Wireless allows network administrators to create user accounts for
> occasional guest users such as consultants and contractors that permit wireless
> connections to the Internet without providing access to the corporate network.
>
> sounds nice ... I need to read again tonight ...

But you can do that with any AP that provides multiple SSIDs (or a
couple of APs) that map to separate VLANs, one for employees and one
VLAN going straight out to the internet.

David.
Anonymous
September 25, 2005 6:03:57 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

Can you stop posting to me like a *bitch*. That's all you amount to me is
that and nothing else. And that's what you would be viewed as in the *hood*
or on the *streets* a man acting like a *bitch*.
Anonymous
September 25, 2005 6:11:45 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

> Can you stop posting to me like a *bitch*.

I just want to make a correction here. I don't want you *bitching* about it.
<g>

Can you stop posting to me like a *bitch*?
Anonymous
September 26, 2005 1:14:59 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

On 25 Sep 2005 12:33:53 -0700, lynn@garlic.com wrote:

I'll risk a bit of topic drift here...

>to a large degree, the apperance of SSL was because of the same factor
>... the difficulty with doing end-to-end ipsec because of its
>impacting, existing deployed systems.

Difficulty is an understatement. The AH encapsulation would
effectively prevent re-writing the header on NAT firewalls, making that
useless. At least ESP (payload only) works through NAT. Replay attack
prevention seems to cause some compatibility issues with different
implementations. I lost count of how many different encryption and
authentication protocols were available. Compatibility still seems to
be a problem:
http://nscsysop.hypermart.net/vpnnat.html
I've also lost count of how many bug reports I've submitted to
manufacturers over VPN compatibility issues. My guess(tm) is that SSL
is becoming popular because it offers considerable simplicity and
compatibility.

>however, as part of that effort, we coined the term "certificate
>manufacturing" ... since the majority of the operations weren't
>actually doing full-fledged PKIs

Well, part of the incentive was that Verisign was charging ridiculous
amounts for a server certificate. That might be justifiable with a
big ecommerce site, but not with a small hosted web site that just
wants something better than a password. If Verisign had recognized
the market and priced their PKI services accordingly, there would not
have been any need for the "certificate manufactories".
| http://www.cacert.org
| http://www.instantssl.com
| http://www.thawte.com


>it was quite a trivial proof to show that
>the digital certificates were redundant and superfluous (if you were
>relying on existing business operations for real-time validity ... then
>it was a very short step to having existing business operations also
>providing public keys in real time).

Well, when the browser now says "Just click here to accept this
certificate as valid" without the slightest authentication, one might
as well pretend that everything is valid. As I recall that was in
response to MS expiring all their certificates issued with Windoze
runtimes in 2000(?) combined with the social engineering of some MS
certificates from Verisign, where MS discovered they had no way to
revoke a certificate.

>there is now even cross-over between the original 94 vpn and the 94 ssl
>... with the appearance of ssl-based VPNs.

Yes, for good reason. The browsers all have SSL capability and an SSL
based VPN can therefore be deployed with a minimum of butchery on the
client side.
| http://www.whalecommunications.com/site/Whale/Corporate...
| http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns1...

>However, there are numerous examples of infrastructures that use public
>keys, digital signatures, encrypted channels that don't involve PKI,
>certification authorities, and/or digital signatures.

Ummm.... Pre shared keys? (Never mind).

>in any case, IPSEC PKI infrastructure can carry with it a much heavier
>infrastructure operation than is actually needed for public key
>authentication and encryption (and even can be redundant and
>superfluous compared to simple upgrades to existing management and
>administrative operation).

We're talking about a home user with probably a handful of potential
users. The alleged benefit of PKI is that it authenticates the
terminating web pages as being whom they claim to be. I've set up
bogus servers to see how typical clients react. I've found that some
method of authentication is required, as almost all users are
clueless when a counterfeit web page appears. I even got caught in my
own trap when I forgot to turn it off one day. Same with a faked SSID
hot spot running HostAP. One doesn't really "need" PKI and a CA to do
the authentication, but methinks it is generally a good idea.



--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
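Why AH fails behind a NAT while ESP gets through, and the anti-replay window whose details vary between implementations, as an added Go example that is not from the post; the packet layout, key and addresses are constructed stand-ins rather than the real AH/ESP wire formats.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Packet is a constructed, simplified model, not the real AH/ESP wire format.
type Packet struct {
	Src, Dst [4]byte // outer IP addresses, the fields a NAT rewrites
	TTL      uint8   // mutable in transit; neither ICV covers it
	SPI, Seq uint32  // security association id and anti-replay counter
	Payload  []byte
	ICV      []byte // integrity check value (HMAC-SHA256 here)
}

// ahInput: AH also covers the addresses, so a NAT rewrite of Src/Dst breaks the ICV.
func ahInput(p Packet) []byte {
	var b bytes.Buffer
	b.Write(p.Src[:])
	b.Write(p.Dst[:])
	binary.Write(&b, binary.BigEndian, p.SPI)
	binary.Write(&b, binary.BigEndian, p.Seq)
	b.Write(p.Payload)
	return b.Bytes()
}

// espInput: ESP covers only its own header and payload, never the outer IP header.
func espInput(p Packet) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, p.SPI)
	binary.Write(&b, binary.BigEndian, p.Seq)
	b.Write(p.Payload)
	return b.Bytes()
}

func icv(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

func SealAH(key []byte, p Packet) Packet  { p.ICV = icv(key, ahInput(p)); return p }
func SealESP(key []byte, p Packet) Packet { p.ICV = icv(key, espInput(p)); return p }
func VerifyAH(key []byte, p Packet) bool  { return hmac.Equal(p.ICV, icv(key, ahInput(p))) }
func VerifyESP(key []byte, p Packet) bool { return hmac.Equal(p.ICV, icv(key, espInput(p))) }

// NAT does what a home router does on the way out: new source address, TTL-1.
func NAT(p Packet, public [4]byte) Packet {
	p.Src = public
	p.TTL--
	return p
}

// ReplayWindow is a 64-packet sliding window in the spirit of RFC 4303: a sequence
// number is accepted once, and only if it is not too far behind the highest seen.
type ReplayWindow struct {
	last uint32 // highest accepted sequence number
	bits uint64 // bit i set means sequence number (last - i) was already seen
}

func (w *ReplayWindow) Accept(seq uint32) bool {
	switch {
	case seq == 0:
		return false // sequence number 0 is never sent
	case seq > w.last:
		if shift := seq - w.last; shift >= 64 {
			w.bits = 0
		} else {
			w.bits <<= shift
		}
		w.bits |= 1
		w.last = seq
		return true
	case w.last-seq >= 64:
		return false // older than the window: drop
	default:
		mask := uint64(1) << (w.last - seq)
		if w.bits&mask != 0 {
			return false // already seen inside the window: replay
		}
		w.bits |= mask
		return true
	}
}

// Scenario seals one packet both ways, pushes both copies through NAT, and
// reports which ICV still verifies. Expected: AH false, ESP true.
func Scenario() (ahOK, espOK bool) {
	key := []byte("constructed demo key, not a real SA key")
	p := Packet{Src: [4]byte{192, 168, 1, 10}, Dst: [4]byte{203, 0, 113, 5}, TTL: 64,
		SPI: 0x1000, Seq: 1, Payload: []byte("hello over ipsec")}
	nat := [4]byte{198, 51, 100, 7}
	return VerifyAH(key, NAT(SealAH(key, p), nat)), VerifyESP(key, NAT(SealESP(key, p), nat))
}

func main() { fmt.Println(Scenario()) }
```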
Anonymous
September 27, 2005 2:46:52 AM

Archived from groups: comp.sys.ibm.pc.hardware.chips

Jeff Liebermann wrote:
> On 25 Sep 2005 12:33:53 -0700, lynn@garlic.com wrote:
>
> I'll risk a bit of topic drift here...

you can't be more off-topic than those 2 insulting guys ...

> We're talking about a home user with probably a handful of potential
> users. The alleged benefit of PKI is that it authenticates the
> terminating web pages as being whom they claim to be.

if you consider really secure systems, those where the user is really a user, and not
root or admin ...

how could a simple user-land browser install a certificate the kernel could use to
establish a new network layer?

that would require a rights separation that is planned in GNU/Hurd, and not that stable
in UML, or fuse ...

=> point is: there is no use in talking about the SSL support of the browser:
root ought to
wget gateway/certificate
then restart a daemon ...

> I've setup
> bogus servers to see how typical clients react. I've found that some
> method of authentication is a required as almost all users are
> clueless when a counterfeit web page appears. I even got caught in my
> own trap when I forgot to turn it off one day. Same with a faked SSID
> hot spot running HostAP. One doesn't really "need" PKI and a CA to do
> the authentication, but methinks it is generally a good idea.

one point for you (regarding most admins' thinking ...)

about me:
I am the only admin on all the boxes I install, especially on my family's computers ...

and that is not enough yet to prevent them doing stupid things ...

the worst things are now impossible for them:
- Hey, I found that free demo CD in the supermarket, but it says I have no right to
install it
- I made you not have this right because I knew you would try to install it!

what happened for real:
- I was given this CD that offers cheap internet access
- you already have cheap internet access for the same price as the one on your new
CD, except that your attempt to install your stupid CD broke IE

by that time, my dad was admin on the box, and the CD broke all the GUI of IE,
including home page, connection params, bookmarks and so on ... after which my
brother (7y more experience in IT than me) found about 18 trojans on their (live)
box ... I found 8 more using an offline scan ...

(hell, a brother who claims to be an IT professional, and does an AV scan on a live box
... I can't believe it)

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 27, 2005 2:54:37 AM

Archived from groups: comp.sys.ibm.pc.hardware.chips

>>did you read routing table of a WRT54g ?
>
>
>>~ # netstat -r
>>Kernel IP routing table
>>Destination Gateway Genmask Flags MSS Window irtt Iface
>>192.168.111.0 * 255.255.255.0 U 40 0 0 br0
>>63.198.98.0 * 255.255.255.0 U 40 0 0 vlan1
>>127.0.0.0 * 255.0.0.0 U 40 0 0 lo
>>default adsl-63-198-98- 0.0.0.0 UG 40 0 0 vlan1
>
>
> What should I read in there? That's the router part of the WRT54G.
>
>
>>if yes, read me again ...
>
>
> Done. I still don't understand what you're asking or suggesting.

YOUR STUPIDITY HIDES FROM YOU THAT BR0 HAD TO BE SET UP MANUALLY!!!

I never had access to any WRT in my life (just touched the plastic box in a shop), BUT
YOU SHOW ME YOURSELF THAT I AM RIGHT IN MY ASSUMPTIONS!!!

go and try to set up a WDS gateway, and you will learn from life that there is no such
thing as what you think life is.

some clues to help your mind:
what is br0? how to set it up?
have you ever seen a hardware NIC that the driver makes available as br0?
if it's really a Linux running in there, why aren't there eth0 and eth1 in the routing
tables???

have you ever seen on the market a hardware NIC that does at the same time wired and
non-wired?
I never did => where are eth0 and wlan0???

===>>> stop writing clueless, and stop insulting and arguing with David, Duane, or
whoever they are.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 27, 2005 2:54:38 AM

Archived from groups: comp.sys.ibm.pc.hardware.chips

On Mon, 26 Sep 2005 22:54:37 +0200, DEMAINE Benoit-Pierre
<nntp_pipex@demaine.info> wrote:

>YOUR STUPIDITY HIDES FROM YOU THAT BR0 HAD TO BE SET UP MANUALLY!!!

The setup is stock Sveasoft Alchemy.
~ # cat /etc/motd
------------------------------------------
Welcome to the Sveasoft WRT54G/GS Firmware
Alchemy-V1.0 build
version v3.37.6.8sv
USE OF THIS FIRMWARE IS AT YOUR OWN RISK
http://www.sveasoft.com

>I never had access to any WRT in my life (just touched the plastic box in a shop), BUT
>YOU SHOW ME YOURSELF THAT I AM RIGHT IN MY ASSUMPTIONS!!!
>
>go and try to set up a WDS gateway, and you will learn from life that there is no such
>thing as what you think life is.

WDS is fairly simple to set up.
http://www.linksysinfo.org/modules.php?name=Content&pa=...

>some clues to help your mind:
>what is br0? how to set it up?
>have you ever seen a hardware NIC that the driver makes available as br0?
>if it's really a Linux running in there, why aren't there eth0 and eth1 in the routing
>tables???

It's Linux:
~ # uname -a
Linux router 2.4.20 #2 Thu Apr 21 19:40:17 CEST 2005 mips unknown

br0 is the bridge port and can be linked to any of the other bridged
ethernet ports on the switch. I'll guess (not sure) that the routeing
table uses br0 instead of eth0 because br0 is the filtered port name
while eth0 is the unfiltered port name.

Incidentally eth0 and eth1 are there.

~ # ifconfig
br0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
inet addr:192.168.111.33 Bcast:192.168.111.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:87104 errors:0 dropped:0 overruns:0 frame:0
TX packets:111983 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10605896 (10.1 MiB) TX bytes:47923183 (45.7 MiB)

eth0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:268597 errors:0 dropped:0 overruns:0 frame:0
TX packets:274490 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:70588908 (67.3 MiB) TX bytes:64626923 (61.6 MiB)
Interrupt:3 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 B) TX bytes:6331 (6.1 KiB)
Interrupt:4 Base address:0x8000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:96923 (94.6 KiB) TX bytes:96923 (94.6 KiB)

vlan0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:87085 errors:0 dropped:0 overruns:0 frame:0
TX packets:188737 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11164196 (10.6 MiB) TX bytes:53280155 (50.8 MiB)

vlan1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
inet addr:63.198.98.51 Bcast:63.198.98.255
Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:181414 errors:0 dropped:0 overruns:0 frame:0
TX packets:85673 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:54582227 (52.0 MiB) TX bytes:11338413 (10.8 MiB)


>have you ever seen on the market a hardware NIC that does at the same time wired and
>non-wired?
>I never did => where are eth0 and wlan0???

wlan0 is wl0

~ # cat /proc/net/wl0
wl0: Aug 2 2004 14:32:51 version 3.60.13.0
resets 23681
perm_etheraddr 00:0c:41:9c:3d:12 cur_etheraddr 00:0c:41:9c:3d:12
board 0x1603, board rev 4.5
wsec 1 auth 0 wsec_index 0 wep_algo 1
rate_override 0
antdiv_override 3 txant 3
current_bss.BSSID 00:0c:41:9c:3d:12
current_bss.SSID "LearnByDestroying"
associated 1


>===>>> stop writing clueless, and stop insulting and arguing with David, Duane, or
>whoever they are.

Clueless? Run a Google Groups search for posting with my name. Read
a few. Then come back and call me clueless.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
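An added Go example, not from the post, that reads an ifconfig dump like the one above and separates the layer-3 interfaces, the only names that can show up in netstat -r, from the layer-2 interfaces that share a MAC with them; the embedded dump is a shortened copy of the output quoted above.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// SampleDump is a shortened copy of the ifconfig output quoted in the post
// (statistics lines dropped; names, MACs and addresses are the ones shown there).
const SampleDump = `br0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
inet addr:192.168.111.33 Bcast:192.168.111.255
Mask:255.255.255.0

eth0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10

eth1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0

vlan0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10

vlan1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
inet addr:63.198.98.51 Bcast:63.198.98.255
Mask:255.255.255.0`

// Iface is one ifconfig block reduced to what the argument above turns on.
type Iface struct {
	Name   string
	HWAddr string // empty for lo, which has no hardware address
	IP     string // empty when the interface carries no IPv4 address
}

var (
	headRe = regexp.MustCompile(`^(\S+)\s+Link encap:\S+(?:\s+HWaddr\s+(\S+))?`)
	inetRe = regexp.MustCompile(`inet addr:(\S+)`)
)

// ParseIfconfig splits the dump on blank lines and reads name, MAC and IPv4
// address out of each block.
func ParseIfconfig(dump string) []Iface {
	var out []Iface
	for _, block := range strings.Split(strings.TrimSpace(dump), "\n\n") {
		first := strings.SplitN(block, "\n", 2)[0]
		m := headRe.FindStringSubmatch(first)
		if m == nil {
			continue
		}
		ifc := Iface{Name: m[1], HWAddr: strings.ToLower(m[2])}
		if ip := inetRe.FindStringSubmatch(block); ip != nil {
			ifc.IP = ip[1]
		}
		out = append(out, ifc)
	}
	return out
}

// Layer3Names returns the interfaces that have an IP address: the only ones
// that can appear in the routing table (br0, lo, vlan1 for the dump above).
func Layer3Names(ifs []Iface) []string {
	var names []string
	for _, i := range ifs {
		if i.IP != "" {
			names = append(names, i.Name)
		}
	}
	sort.Strings(names)
	return names
}

// SharedMACs groups interface names by hardware address. A bridge and its
// member ports, or a VLAN sub-interface and its parent, report the same MAC,
// which is how br0/eth0/vlan0 and eth1/vlan1 pair up in the dump.
func SharedMACs(ifs []Iface) map[string][]string {
	groups := map[string][]string{}
	for _, i := range ifs {
		if i.HWAddr != "" {
			groups[i.HWAddr] = append(groups[i.HWAddr], i.Name)
		}
	}
	for _, names := range groups {
		sort.Strings(names)
	}
	return groups
}

func main() {
	ifs := ParseIfconfig(SampleDump)
	fmt.Println("layer-3 interfaces:", Layer3Names(ifs))
	for mac, names := range SharedMACs(ifs) {
		fmt.Println(mac, "->", names)
	}
}
```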
Anonymous
September 27, 2005 2:56:37 AM

Archived from groups: comp.sys.ibm.pc.hardware.chips

David Taylor wrote:
>>The TZ 170 SP Wireless allows network administrators to create user accounts for
>>occasional guest users such as consultants and contractors that permit wireless
>>connections to the Internet without providing access to the corporate network.
>>
>>sounds nice ... I need to read again tonight ...
>
>
> But you can do that with any AP that provides multiple SSIDs (or a
> couple of APs) that map to separate VLANs, one for employees and one
> VLAN going straight out to the internet.
>
> David.

I am not going to buy 100 APs for my parents' house ... nor spend 1y writing IPSEC conf,
nor buy some 3000e hardware router ...

if nothing is cheap (200 USD), or fast to implement (4 human days), I just give up.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
Anonymous
September 27, 2005 2:56:38 AM

Archived from groups: comp.sys.ibm.pc.hardware.chips

> I am not going to buy 100 APs for my parents' house ... nor spend 1y writing IPSEC conf,
> nor buy some 3000e hardware router ...

Where did you get 100 from? I said ONE AP that supports multiple SSIDs;
otherwise use 2 APs, one for each SSID, and use VLANs to separate the
networks.
Anonymous
September 27, 2005 2:43:31 PM

Archived from groups: comp.sys.ibm.pc.hardware.chips

>>some clues to help your mind:
>>what is br0? how to set it up?
>>have you ever seen a hardware NIC that the driver makes available as br0?
>>if it's really a Linux running in there, why aren't there eth0 and eth1 in the routing
>>tables???
>
>
> It's Linux:
> ~ # uname -a
> Linux router 2.4.20 #2 Thu Apr 21 19:40:17 CEST 2005 mips unknown
>
> br0 is the bridge port and can be linked to any of the other bridged
> ethernet ports on the switch. I'll guess (not sure) that the routing
> table uses br0 instead of eth0 because br0 is the filtered port name
> while eth0 is the unfiltered port name.

That's wrong, and your next post confirms it ...

br0 is NOT a bridge port,

and you can NOT choose the port of the switch you link to.

You OBVIOUSLY don't know how this device is soldered.

And finally, your guess IS WRONG.

br0 IS NOT an alias nor a filter.

I told you to read about WDS because the tutorials explain this difference. Maybe you
read the words, but your brain did not understand them.

> Incidentally eth0 and eth1 are there.
>
> ~ # ifconfig
> br0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
> inet addr:192.168.111.33 Bcast:192.168.111.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:87104 errors:0 dropped:0 overruns:0 frame:0
> TX packets:111983 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:10605896 (10.1 MiB) TX bytes:47923183 (45.7 MiB)
>
> eth0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:268597 errors:0 dropped:0 overruns:0 frame:0
> TX packets:274490 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:70588908 (67.3 MiB) TX bytes:64626923 (61.6 MiB)
> Interrupt:3 Base address:0x2000
>
> eth1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> TX packets:66 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:100
> RX bytes:0 (0.0 B) TX bytes:6331 (6.1 KiB)
> Interrupt:4 Base address:0x8000
>
> lo Link encap:Local Loopback
> inet addr:127.0.0.1 Mask:255.0.0.0
> UP LOOPBACK RUNNING MULTICAST MTU:16436 Metric:1
> RX packets:1170 errors:0 dropped:0 overruns:0 frame:0
> TX packets:1170 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:96923 (94.6 KiB) TX bytes:96923 (94.6 KiB)
>
> vlan0 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:10
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:87085 errors:0 dropped:0 overruns:0 frame:0
> TX packets:188737 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:11164196 (10.6 MiB) TX bytes:53280155 (50.8 MiB)
>
> vlan1 Link encap:Ethernet HWaddr 00:0C:41:9C:3D:11
> inet addr:63.198.98.51 Bcast:63.198.98.255
> Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:181414 errors:0 dropped:0 overruns:0 frame:0
> TX packets:85673 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:0
> RX bytes:54582227 (52.0 MiB) TX bytes:11338413 (10.8 MiB)

Without br0, eth0 and wlan0 are just ... independent!

There is NO hardware bridge, and there is no default hard link.

Bridging eth to wlan IS SOFTWARE!!!

wlan0 is NOT an ethernet NIC with an antenna, but a NIC dedicated to wireless.

> Clueless? Run a Google Groups search for posting with my name. Read
> a few. Then come back and call me clueless.

The fact that you wrote 1000000 messages in groups does not mean you know what you write
about.

> All 802.11 wireless cards are bridged. You can attach a router at
> both ends and hide the bridging from the client, but the basic
> protocol is bridging.

NO wireless card is bridged. NONE.

Bridging IS NOT A PROTOCOL, but a software setup.

> 802.11 wireless is bridging by definition.

Did you ever set up a wireless card MANUALLY?
What is wlan0?
How is br0 set up on the WRT?

There is no such protocol as bridging!
And 802.11 is only supported by dedicated cards.

> There's no other
> way to connect between wireless and wired devices other than bridging.

There IS, and I do it every morning:
iptables.

*********

The more I read your old posts, the more I see you speak cluelessly.

--
DEMAINE Benoit-Pierre (aka DoubleHP ) http://www.demaine.info/
\_o< If computing were an exact science, IT engineers would not have work >o_/
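The setup the post above argues for, as an added example that is not part of the thread: the wired ports are bridged in software with brctl, wlan0 is kept out of br0 so it is routed rather than bridged, and iptables admits only IPsec (IKE, NAT-T, ESP) from wireless clients. Interface names, subnets and the DRY_RUN switch are assumptions, and the `-m policy` match assumes the xfrm IPsec stack of Linux 2.6+, not the 2.4.20 kernel shown in the ifconfig output.

```shell
#!/bin/sh
# Added example (not the WRT firmware's own scripts). Names below are assumed.
WAN=vlan1        # provider side
LAN=br0          # wired side: eth0 + vlan0 bridged in software, as on the stock WRT
WLAN=wlan0       # wireless side: deliberately NOT added to br0
DRY_RUN=${DRY_RUN:-1}   # 1 = print the commands, 0 = execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Software bridge for the wired ports only; this is what "bridging is software"
# means: br0 exists because brctl created it, not because of the hardware.
wired_bridge() {
    run brctl addbr "$LAN"
    run brctl addif "$LAN" eth0
    run brctl addif "$LAN" vlan0
    # no "brctl addif br0 wlan0": wireless stays a separate, routed segment
}

# Filtering instead of bridging: wireless clients may only talk IPsec to the
# router; anything they send in cleartext is dropped at INPUT and never forwarded.
wireless_filter() {
    run iptables -P FORWARD DROP
    run iptables -A INPUT -i "$WLAN" -p udp --dport 500 -j ACCEPT    # IKE
    run iptables -A INPUT -i "$WLAN" -p udp --dport 4500 -j ACCEPT   # IKE/ESP NAT-T
    run iptables -A INPUT -i "$WLAN" -p esp -j ACCEPT                # ESP
    run iptables -A INPUT -i "$WLAN" -j DROP
    # Only packets that arrived inside an IPsec SA (policy match, xfrm stack)
    # are allowed to reach the LAN or the WAN from the wireless side.
    run iptables -A FORWARD -i "$WLAN" -m policy --dir in --pol ipsec -j ACCEPT
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

wired_bridge
wireless_filter
```

Run with DRY_RUN=1 (the default) to review the generated plan before applying it on the router.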