<0> remember me to not rent one of your vservers :)
<0> because i am currently implementing some kind of anonymous instant messenger using packet spoofing
<0> it's really easy to establish a connection between 2 hosts where both hosts spoof their sender's address
<1> and how does that make you anonymous? the other end still needs to know where to send
<0> imagine you have 2 hosts: both knowing each other (you need to know real ip/dns and the person's gpg-key)
<1> uhu
<0> so host1 and host2 want to connect to each other: host1 spoofs his sender-address and includes his real address in the data-field of the packet (encrypted with gpg)
<0> so host2 decrypts the data field and knows where to answer and from there on does the same
<2> how's it anon to say the sysadmin of both the boxes
<0> if you do it right, host1 and host2 talk to a lot of "other" people never really involved but never to each other
<0> Strykar: well the concept is that host1 and host2 belong to you.
<0> i recently got the idea when i got to know that german intelligence illegally was sniffing on journalists
<0> also would be a nice-to-have application to make logging on provider side useless :)
<0> the very same concept may even be used to make external analysis on a p2p-net like freenode a lot more painful
<0> uhm freenet not freenode
<0> however i'd not recommend using gpg in that case but whatever encryption is used, doesn't matter at all
<1> callee, but how is that anonymising? If I put up a tap to 'sniff' you, i'd still know where you are sending, so i'd know the other party involved in the chat. Even though packets that are part of the conversation might appear to be coming from all over the world it will not be hard to figure this out.
<0> Henk: this method is used to make external analysis of the communication virtually impossible
<0> nothing more
<0> internal communication cannot be anonymised, for example someone could crack your box and install a sniffer on the very same machine.
<0> however imagine not 2 but 100000 using that little program: nowhere to do any social networking...
<0> because no one talks to anyone :)
<1> callee, but fundamentally spoofing the sender addresses in a bidirectional socket tcp conversation adds no anonymity at all.
<0> Henk: the most effective way is anonymizing something like freenet that way
<1> callee, may i remind you that the kind of sniffing/logging done by 'intelligence' services is done on an ethernet level?
<0> well, internet is ip only, so where is your ethernet level at all?
<1> taps are placed by your ISP
<0> Henk: well, but how do you know where to look
<1> or by US in our datacenter right next to your server's switch
<0> i mean having a net not knowing who is who and who talks to whom makes it a little difficult to find out where to tap anyone
<0> because that would require all information in the same place, being illegal in both US and EU afaik
<1> sure you are right, but spoofing the sender's IP address adds no privacy at all
<0> apart from that it's practically impossible to store that much information for the time being
<1> anyway i'd love to discuss this with you some other time but i need to get back to work.
<0> Henk: right, so do i
<3> nmap tells me port 111 (rpcbind) is 'filtered' but it should be open due to rule -s nnn.nnn.nnn.nnn -j ACCEPT . I have used other ports through this rule. any idea?
<1> alnr, maybe rpcbind is rejecting you (look at etc/hosts.allow|deny)
<3> Henk: tx, but I found out my provider is filtering port 111
<0> alnr: well, if that's the case, you can redirect to 111 from another port
<0> i did the same a couple of days ago, to tunnel openvpn through a proxy that only would connect to 443
<0> so i redirected 443 to the default openvpn-port (1194) and everything works fine now :)
<0> dammit, kernel 2.6.16 is so screwed
<4> no way, what's your problem? and shouldn't that be topic in kernel channel?
<5> haha
<5> no man it's ok, if you use iptables you sure got a linux kernel
<0> just wanted to express my wrath :)
<0> switching back to kernel 2.6.14
<2> i'm using 2.6.15.6 and it's beautiful
<6> callee: I have been pretty happy with various 2.6.15 kernels. 2.6.16 is the development branch. :)
<0> rob0: there are however no grsecurity patches for 2.6.15 only 14 and 16
<0> i will however try default testing kernel 2.6.15
<0> maybe a desktop doesn't need that kind of stuff anyway
<0> grsecurity on the server is fine
<0> rob0: even 2.6.15 fails to bring up dri, but at least it doesn't crash :)
<7> hi
<7> some help here
<7> I used firestarter but i disliked how much cpu it consumes, so i am thinking of using its iptables tweaks without launching it
<7> do u know how to do so ?
<7> hello
<8> 3/c
<9> RE
<10> need help on fwbuilder for ubuntu
<10> desert ?
<6> This channel is about iptables itself, not about frontends for iptables. I don't use such things as fwbuilder.
<8> ditto
<10> ok ok thanks a lot and go back sleep
<6> I wish I could :)
<8> okay
<11> hello everyone
<11> "how can i drop more than 1 port on one iptables line ?" example iptables -A FORWARD -s 169.100.1.2 -p tcp --dport 8900 (how to add more?) -d 169.100.30.1/24 -j DROP
<6> -m multiport (or just add more rules.)
<11> rob0 -m ?
<11> rob0 if i want filter example 50 65 5000 and 139 ? the same rule but with -m ?
<6> Type "man iptables", hit enter, then type "/multiport" and enter again.
<11> iptables -A INPUT --protocol tcp --match multiport --source-ports 22,21,20,80 -j :)
<11> thanks
<12> hello.... somebody have any experience with l7filter ?
<12> ?
<6> I wouldn't touch L7. For things like that you should use a proxy IMHO.
<13> soo... in the man page for iptables, there's a ROUTE target.... how do I get this target?
<13> or anyone know why my REDIRECT rule would stop working when I don't have an ip address on the network even though I can route packets just fine?
Return to #iptables