[SunRescue] Re: Help!

Chris Byrne rescue at sunhelp.org
Fri Apr 20 03:25:21 CDT 2001


When you say "Two of them run AOL" what do you mean? If you mean using AIM
then you should have no problem, but if you are using AOL's BYOS (bring your
own service) option you might.

The BYOS servers are non stateful proxies from the internet to AOLNet, and
they are geographically distributed and load balanced across AOL's major
nodes. If a user with BYOS logs in, that user's session is then associated
with the IP address of the login session.

In earlier versions of AOL the 'real' ip address of the system is
transmitted as part of the login, and if it doesn't match the source IP
address you may not be allowed to login. In more recent versions I don't
think they do this. It was VERY irritating when I was doing tech support for
an ISP however.

As of early last year (the last time I had to deal with this issue thank
god) if two persons appearing under the same IP address attempted to login,
one of them would either not be allowed to login, or the currently logged in
user would have their session silently drop. After quite a bit of testing we
couldn't figure out what specific conditions might cause which response. It
was clear however that if the users logins were directed to different
servers that there was no problem. We tested this from several widely
separated geographic locations, and did some simple sniffer work.

We also observed that two sessions on different systems could not be
established with the same user credentials if they were directed to the same
server. As in the previous example, either the second user would be unable
to log in, or the first user would have their session silently terminate.
Again if the login servers were different it was possible to authenticate
and establish communications from two different locations using the same
authentication information, however after a few minutes (or even seconds)
one of the sessions would be dropped. Also in this instance we could not
determine what factors affected the behavior of the drop (i.e. who was
dropped and when).

Overall I'd say using full AOL with PAT (port address translation, how most
firewalls do address translation) is a bad idea, but test it and see if it
works for you.

Chris Byrne
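The behaviour Chris describes above (sessions bound to the source IP of the login, independent login servers, the old clients' embedded-IP check, and the two observed collision outcomes) modelled as a small simulation. This is an added example, not code from the post and not AOL's real protocol; the server rules, the REJECT/EVICT policies and all addresses are assumptions chosen to reproduce what the post reports.

```python
"""Toy model of AOL BYOS logins arriving from behind a PAT (many-to-one NAT) box.

Added example, not the post's code and not AOL's protocol. Assumed rules:
  * a login server keys live sessions by source IP and by screen name, and
    servers do not share that table (independent, non-stateful proxies);
  * an old client embeds its own interface address in the login request and
    the server refuses the login if it differs from the packet's source IP;
  * a collision on source IP or screen name is resolved by an assumed policy:
    REJECT (new login refused) or EVICT (existing session silently dropped).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

REJECT, EVICT = "reject", "evict"


@dataclass
class LoginResult:
    ok: bool
    reason: str = ""
    dropped: List[str] = field(default_factory=list)  # sessions evicted by this login


@dataclass
class LoginServer:
    name: str
    policy: str = REJECT
    by_ip: Dict[str, str] = field(default_factory=dict)    # source IP -> screen name
    by_name: Dict[str, str] = field(default_factory=dict)  # screen name -> source IP

    def live(self) -> Set[str]:
        return set(self.by_name)

    def _drop(self, screen_name: str) -> None:
        self.by_ip.pop(self.by_name.pop(screen_name), None)

    def login(self, screen_name: str, src_ip: str,
              claimed_ip: Optional[str] = None) -> LoginResult:
        # Old-client check: the address inside the login packet must match the
        # address the server sees on the wire, which PAT has rewritten.
        if claimed_ip is not None and claimed_ip != src_ip:
            return LoginResult(False, "claimed %s but seen from %s" % (claimed_ip, src_ip))
        # Every existing session this login collides with (same IP or same name).
        clash: Set[str] = set()
        if src_ip in self.by_ip:
            clash.add(self.by_ip[src_ip])
        if screen_name in self.by_name:
            clash.add(screen_name)
        if clash and self.policy == REJECT:
            return LoginResult(False, "collides with " + ", ".join(sorted(clash)))
        for victim in sorted(clash):      # EVICT: the silent drop the other user sees
            self._drop(victim)
        self.by_ip[src_ip] = screen_name
        self.by_name[screen_name] = src_ip
        return LoginResult(True, dropped=sorted(clash))


class PATGateway:
    """Many-to-one NAT: every inside host leaves with the same public address."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip

    def translate(self, inside_ip: str) -> str:
        return self.public_ip


# Assumed addresses: RFC 1918 inside, RFC 5737 documentation ranges outside.
PAT = PATGateway("198.51.100.7")
ALICE_PC, BOB_PC = "192.168.1.10", "192.168.1.11"


def two_users_one_server(policy: str):
    """Two BYOS users behind one PAT box, both directed to the same server."""
    srv = LoginServer("east", policy)
    r1 = srv.login("alice", PAT.translate(ALICE_PC))
    r2 = srv.login("bob", PAT.translate(BOB_PC))
    return r1, r2, srv.live()


def two_users_two_servers(policy: str):
    """Same two users, but load balancing sends them to different servers."""
    east, west = LoginServer("east", policy), LoginServer("west", policy)
    r1 = east.login("alice", PAT.translate(ALICE_PC))
    r2 = west.login("bob", PAT.translate(BOB_PC))
    return r1, r2, east.live() | west.live()


def old_client_behind_pat() -> LoginResult:
    """Old client puts its private address in the login; the server sees PAT's."""
    return LoginServer("east").login("alice", PAT.translate(ALICE_PC), claimed_ip=ALICE_PC)


def shared_credentials(policy: str):
    """One screen name from two sites: same server vs. two independent servers."""
    same = LoginServer("east", policy)
    a, b = same.login("alice", "203.0.113.5"), same.login("alice", "203.0.113.99")
    east, west = LoginServer("east", policy), LoginServer("west", policy)
    c, d = east.login("alice", "203.0.113.5"), west.login("alice", "203.0.113.99")
    return (a, b), (c, d)


if __name__ == "__main__":
    for policy in (REJECT, EVICT):
        print(policy, "one server:", two_users_one_server(policy))
        print(policy, "two servers:", two_users_two_servers(policy))
    print("old client:", old_client_behind_pat())
```

The model only reproduces the first few seconds of what the post reports: with independent servers the duplicate-credential case succeeds on both, and the later drop the post mentions would need a reconciliation step between servers that the post gives no details of, so it is deliberately left out.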




-----Original Message-----
From: rescue-admin at sunhelp.org [mailto:rescue-admin at sunhelp.org]On
Behalf Of Joshua D. Boyd
Sent: 20 April 2001 00:37
To: rescue at sunhelp.org
Subject: Re: [SunRescue] Re: Help!


On Fri, 20 Apr 2001, Greg A. Woods wrote:
> Of course the embsd.org guys have the right idea and are working with
> FlashRAM cards and such.....  That also gives them an order of magnitude
> more space than can be found on a floppy to, and almost infinitely more
> real-world reliability than any floppy drive.

Yeah, I was looking at their site.  Pretty spiffy.  I might have a spare
40 meg drive around (from an old notebook) to throw in the 486 to give
them a try.

> I had some chipset problems on the 486 I tried too -- it had some PCI
> slots that were not quite up to snuff and I think there was some
> hardware conflict causing wait states on the ISA bus.

Every PCI 486 I've seen has had some really nasty problems.  My 486 is
just straight ISA (well local bus IDE and video, but those are on the
motherboard).

> I really really really hate PCs (even though I have three in production
> and another two in test and two old laptops also in test!).  If I could
> have found a cheap/free Sbus ethernet card I'd have tried my SS1+ (or
> maybe an SS2) as a gateway, but I can't seem to find such things at any
> decent price (usually they're about three times as much as a whole new
> machine can be had for!).

I strongly dislike PCs also (as do most people on the list from what I've
seen).  However, the price performance ratio really makes it hard to argue
against how crude the machines are.  I know it is that type of thinking
that propagates the POS machines, but as a college student, it is hard to
afford more than a few good machines, and the rest end up being what's
cheap or free.

> I also have a GIF tunnel for routing my real non-NAT'ed network through
> the cable network, though that's mostly unused now that I have the DSL
> line and my real network's routed directly over it.

GIF tunnel?

> If that's just a 1mbit aDSL line then you shouldn't have any worries
> even with a 386.  My cable modem is/was at least 2mbits and I've now got
> a 3.0mbit aDSL line too.

Oh, my DSL line is only 640k.  My understanding is that ISA is 3mbit, so a
640k feed to/from two ethernet cards shouldn't be too troublesome.

> >  I can't imagine that NAT would saturate this
> > machine.
>
> A NAT needs memory and CPU power, things old 486's can sometimes be
> lacking.
>
> The deciding factor is how many machines you'll have behind the NAT and
> what they'll be doing.

Most of the machines behind the NAT only do email and web.  Two of them run
AOL, but not for very long stretches of time.  There are about 15 machines
behind that NAT, but usually only 4 are in use at once.  And the 486 in
question currently has 28megs of ram (it had more, but I was able to reuse
it on my p75 file server).

I would use my file server, but as I'm not highly confident in my ability
to secure a linux machine while running general services on it, I want to
separate the firewall to a different machine.  Further, I've already maxed
out all the expansion slots on this machine.




--
Joshua Boyd

