1994-12-05 - Re: Info about Linux

Header Data

From: crawford@scruznet.com (Michael D. Crawford)
To: cypherpunks@toad.com
Message Hash: 49252f2d37408d018a61cb77388d2c598bea33b1cb10a06eb8199b4e4b287b46
Message ID: <199412050740.XAA09108@scruz.net>
Reply To: N/A
UTC Datetime: 1994-12-05 07:41:17 UTC
Raw Date: Sun, 4 Dec 94 23:41:17 PST

Raw message

From: crawford@scruznet.com (Michael D. Crawford)
Date: Sun, 4 Dec 94 23:41:17 PST
To: cypherpunks@toad.com
Subject: Re: Info about Linux
Message-ID: <199412050740.XAA09108@scruz.net>
MIME-Version: 1.0
Content-Type: text/plain


Matt Bartley <mbartley@localhost.acs.uci.edu> writes

> Michael D. Crawford <crawford@scruznet.com> writes
>> ...a serial card with a 16
>> character buffer that works just fine is available quite cheaply.
>
>Which card is this?  My hacked-together clone currently has a 16550A
>card.  I have had lots of RS232 problems.  For example, my mouse on
>com1: doesn't seem to work in Linux's (gpm/selection).

I don't want to recommend a particular card until I've tried one myself.
I'm using the old fashioned one-character-buffer card.  I will ask a friend
who has had some success.

Selection doesn't work at all unless you have the 1.1.something kernel or
later.  The 1.0 kernel that ships with Yggdrasil doesn't support selection.
The "even" numbered kernels are regarded as stable release for regular
people to use.  The "odd" releases, 1.1.x, are development versions that
are not expected to be stable, which is why it's not what you get on
Yggdrasil.  Release 1.2 is coming Real Soon Now.  You can get the
development kernels, and I think the Y. CD has a tar file with a fairly
recent 1.1.x kernel.

I also recommend using a bus mouse.  I'm using the Logitech bus mouse; I
previously had used a Microsoft serial mouse.  I get a lot better
performance from the bus mouse - my cursor moves when I move the mouse,
with much greater reliability than the serial mouse did.

(I mentioned using Linux for a firewall router)

>Could this be done via dialup?  I can get into a dialup SLIP server
>which dynamically assigns addresses, and I just in the past week got
>my Linux box to connect to it.

It might be possible to make a router work on a LAN with dynamic addresses,
but I doubt it.  Much better would be to either apply to InterNIC for a
class C network number, or ask your service provider to assign you a whole
subnet of addresses for yourself (if they only do dynamic addressing, they
probably won't want to do this.  They may be reluctant in yielding up any
of their address space in any case.)

>Also, what is the difference between a router, a gateway, and a
>firewall?

A router connects two different cables, which may be of the same or
different physical media, so that IP packets can hop from one cable to
another.  The router also knows how to direct packets that are meant for
distant destinations: it passes them on to the next router.  One might
connect two ethernets with a router, or an ethernet and a SLIP/PPP modem
connection.

Routers are also often referred to as gateways, but I prefer the more
precise meaning, in which a gateway is a machine that connects two
incompatible networking protocols, by translating the higher level
services.  For example, there are Internet SMTP to UUCP mail gateways in
every Unix box, as well as the Internet/CompuServe and Internet/AOL
gateways.  There are other kinds, such as the network file service gateways
to allow Macintoshes to do AppleShare mounts from an NFS server - the
FastPath and Gator boxes do an NFS mount from the fileserver, then act as
appleshare servers.  When a Mac reads a file using AppleShare, the gateway
reads the file using NFS and passes along the results.

A firewall is a single point of connection between a "protected" and a
"public" network.  It is usually combined with a router.  It uses such
things as filtering packets based on protocol, port number, source and
destination addresses to try to keep hackers out of a network.  Services
which are desired to run through the firewall, but which are risky, are
handled by proxy servers on the firewall, so in this sense it is a gateway.


There is a very good book out on this topic, from the folks who maintain
AT&T's firewall, entitled Firewalls and Internet Security, by William R.
Cheswick and Steven M. Bellovin, ISBN 0-201-63357-4.  I recommend it to
anyone who runs a machine on the Internet - and to anyone who wishes to
penetrate one: it has a pretty detailed guide on how to hack machines.
(The authors recommend subscribing to 2600 magazine!)

You don't need to have a firewall to tighten up the security on your
machine.  Read this book if you're going to put a Unix box of any sort on
the Internet, or you might wake up some day to find someone's erased your
hard disk from the other side of the globe.

To be complete, I should also mention bridges.  A bridge is a sort of
primitive router, that connects two or more LAN sections.  The sections
have the same physical media.  This is done for fault isolation, to extend
the maximum cable length, to allow star topology on bus nets like ethernet,
and to reduce traffic on the whole net somewhat (the bridges don't pass
packets that are destined for the same cable segment that they originated
on, but they do pass broadcast packets).  Bridges used in organizations
that require multiple protocols on the same net (eg., AppleTalk and IP).
Twisted Pair Ethernet Hubs are a sort of bridge.

There is a serious problem with bridges, in that they make the entire
network appear to be on the same segment of cable to higher-level
protocols, so an IP broadcast will stimulate every machine on the campus
net.  When I was at CERN, working on the NA47 experiment, I would do
"ruptime | grep na47" to find what workstations were lightly loaded in my
building.  This resulted in the central network police bearing down on my
experiments sysadmin, as my broadcasts were asking every machine in the lab
- thousands! - what their load was, and they were all responding
simultaneously.  (In such a case it is a much better idea to use
multiprotocol routers - I can't fathom why CERN doesn't do this.)

>> There is a security enhancement I mean to try once I've set up my own
>> full-time router...

>Be sure to post to comp.os.linux.announce when this is available!

I will, of course.

Another idea is to foil dictionary attack on my passwd file by varying the
encryption algorithm somewhat.  It won't necessarily be a more secure
algorithm, but to hack my password file you'd have to run a dictionary
attack just for my machine.

I'm not so convinced that the Cypherpunks list wants to hear all this, but
it's probably of interest to you that Linux is the cheapest way to get
complete Unix/X11 development tools on a machine that you can be root on.
Most of you can't edit the password file, tinker on the kernel, or reboot
your campus Unix machines, but if you have at least a 386 you can do all
this.  If you wanted to make, say, a hardware encryption card for Unix,
you'd be best off using Linux so you'll have the full kernel sources to
ease writing your device driver.

Regards,


Michael D. Crawford
crawford@scruznet.com     <- Please note change of address.
crawford@maxwell.ucsc.edu <- Finger me here for PGP Public Key.







Thread