Security is vital!
***** charles
2007-03-26 21:55:00 UTC
Hi all,

I have heard a lot about how secure OpenBSD is. I
was wondering which distribution of Linux is the most
secure? I have a special problem that I need to solve.
I need to connect two buildings with a lan wirelessly.
I will be doing it with two computers running an os
using a wireless device in each one running encryption
between the two. This is to prevent a person from
"breaking into" the connection. So back to my
dilemma, which os/distribution should I choose?

thanks,
charles.....
Moe Trin
2007-03-28 00:17:21 UTC
On Mon, 26 Mar 2007, in the Usenet newsgroup comp.os.linux.questions, in article
Post by ***** charles
I have heard a lot about how secure OpenBSD is.
But have you looked at the question "why"? Two things - Theo and
friends write very strict code, though it's not perfect (Al Viro had
a field day pointing out a few rather obvious gaffes), and second -
everything is disabled by default. If you want a service, at the
least you need to configure and enable it - you may have to install
it first. The latter is the reason MS-DOS 3.3 never had a network
exploit out of box. Does that make it secure?
Post by ***** charles
I was wondering which distribution of Linux is the most secure?
NORMALLY the answer to that one would be "the one you are most familiar
with" - but you have to take that one with a large quantity of salt in
these days when the "popular" distributions come with eleven zillion
applications, many installed by default, which is precisely what you DO
NOT want here. When did you last look at the output of 'netstat -apntu'
and see what's running on your box now?
Post by ***** charles
I have a special problem that I need to solve. I need to connect two
buildings with a lan wirelessly. I will be doing it with two computers
running an os using a wireless device in each one running encryption
between the two. This is to prevent a person from "breaking into" the
connection.
Well, you just kissed off the popular distributions for the simple
reason that this is a relatively dumb process. Obviously if this is a
router, there is no reason to allow users near the keyboard if it even
_has_ one (the same is true of _any_ server). Normally it's easier to
start with nothing and add what you need, than to start with a full
house and attempt to hack out the unneeded/unwanted crap. So I'd run
any tiny distribution that includes the needed wireless driver, and
tell all of the computers in each building that the LAN side NIC is
their gateway to the other building - stick the wireless on its own
network and tell each wireless box that the "other" network is
reachable using the peer as the gateway. Set up an SSH server on each
that only accepts connections from a few specific administration boxes.
Nothing else needs to be running - perhaps the sysklogd, and maybe the
random number generator - can't see anything else as being needed. That
means no one else can connect to your routers, all the routers do is
pass traffic from one building to the other, and if you're smart you are
using WPA-PSK on the wireless link, so the traffic is secure. Again,
look at your own system - this workstation has 21 "users" (all me), and
'ps aux | grep -vc USER' reports 80 processes _total_!

Hmmm, wireless - I'd also use high gain dishes so the link is only
talking to the peer and few (if any) others can even _see_ the link.
We used an Infrared link with ten power telescopes (field of view about
3 degrees) on each end in California to cross a city street without
eavesdroppers noticing for about a year.
Post by ***** charles
So back to my dilemma, which os/distribution should I choose?
Any tiny distribution - after all there's going to be next to nothing
that needs to be running. For perspective, the old Linux Router Project
consisted of one floppy - you'd need more due to the wireless and SSH,
but that might bring you up to the equivalent of three floppies. If it
ain't installed, it can't be exploited. Simple concept, no?

Old guy
***** charles
2007-03-28 18:31:55 UTC
So I am still liking OpenBSD, the 4M ISO download. It basically
installs nothing and you have to add whatever you want through an
Internet ftp server. The wireless distance is rather far, 1.5 miles but
it is a clear line of sight, no obstructions. There are two 60 foot
towers to be used. The current configuration uses two Linksys
WET11's with no security. One of the buildings is right across
the street from a high school. At the moment any kid with a properly
configured laptop can hop onto the Internet through the current
system. So the main goal is to secure the wireless link. I could set
it up so that access is only through the connected keyboard without
a lot of grief.

So the following is the only thing I need running:?

OS
Wireless driver
SSH (only if I want access from another computer)

What apps would I need to run to manage the connection, if any?

I am hoping when I get the first one set up correctly, I can just
clone the software to the second identical machine.

Since the lans already have an Internet connection, the wireless
connection will have to be in "bridge mode".

thanks,
charles......
Moe Trin
2007-03-29 20:02:51 UTC
On Wed, 28 Mar 2007, in the Usenet newsgroup comp.os.linux.questions, in article
Post by ***** charles
So I am still liking OpenBSD, the 4M ISO download. It basically
installs nothing and you have to add whatever you want through an
Internet ftp server.
That's as good as any. The key is "does OpenBSD have the wireless driver"?
Post by ***** charles
The wireless distance is rather far, 1.5 miles but it is a clear line
of sight, no obstructions. There are two 60 foot towers to be used.
At 2.4 GHz, the clearance needed is about 8.5 meters - 28 feet, and
curvature of the earth adds about a foot, so assuming nothing is within
30 feet of line of sight (vertically or horizontally), that should be
fine.
Post by ***** charles
The current configuration uses two Linksys WET11's with no security.
One of the buildings is right across the street from a high school.
At the moment any kid with a properly configured laptop can hop onto
the Internet through the current system. So the main goal is to secure
the wireless link. I could set it up so that access is only through
the connected keyboard without a lot of grief.
First thing I'd do after setting the link encryption would be to set it
up as a point to point link. For example, building one on 192.168.0.0/24
with the router on this link as 192.168.0.254 (use the numbers you would
want - this is for hand-waving). The other building is on 192.168.1.0/24
with the router on this link as 192.168.1.254. The link being on
specific IPs of 192.168.3.33 and 192.168.4.44 with a _host_ route only
between the two. Ignoring the default route to the world and loopback
the _hosts_ in building one have the routing table

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0      430 eth0

with the hosts in the other building having

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.0.0     192.168.1.254   255.255.255.0   UG    0      0      430 eth0

The router in building 1 has only the following:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.4.44    0.0.0.0         255.255.255.255 UH    0      0       16 eth1
192.168.1.0     192.168.4.44    255.255.255.0   UG    0      0      430 eth1

with the router in the other building having

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.3.33    0.0.0.0         255.255.255.255 UH    0      0       16 eth1
192.168.0.0     192.168.3.33    255.255.255.0   UG    0      0      430 eth1

Your school kids no longer have _access_ as the routers have the only two
valid addresses on the link. Without encryption, the link can be sniffed,
which is why you encrypt it. Problem solved.
Post by ***** charles
OS
Wireless driver
SSH (only if I want access from another computer)
I _ALWAYS_ recommend having a second way to admin the box (the primary
means is usually the console or serial port). I'd set up SSH so that it
ONLY accepts connections from "a few" specific hosts on the LAN.
Post by ***** charles
What apps would I need to run to manage the connection, if any?
[compton ~]$ whatis ifconfig route
ifconfig (8) - configure a network interface
route (8) - show / manipulate the IP routing table
[compton ~]$

Actually, you may need 'iwconfig' to manage the wireless, but that's it.
Post by ***** charles
I am hoping when I get the first one set up correctly, I can just
clone the software to the second identical machine.
The routers are a pair - set them up at the same time, but this can be
done in the lab or what-ever. Actually, these boxes are so dumb and
under-worked, I'd use anything cheap and dirty to do the job - a pair
of 386SX laptops would likely be enough, but that obviously depends on
the number of hosts in the two buildings and how much they talk to each
other.
Post by ***** charles
Since the lans already have an Internet connection, the wireless
connection will have to be in "bridge mode".
I wouldn't - but I've been doing IP networking since the 1980s. The
main reason I would NOT use a bridge is to keep the traffic on the
link to a minimum, and prevent outsiders from connecting. Do _each_
of the LANs have their own (local) gateway to the world (independent of
the wireless link)? If so, all the more reason to configure the routers
this way, as the only traffic going over the air is that between the
buildings. Stuff going to the world won't be on this link and with
the routing tables I show, there is no way any outsider can hitchhike
because the routers can't send packets to the world - they have no
route to there.

Old guy
***** charles
2007-03-30 17:04:47 UTC
Excellent post. I have always thought that keeping the two physical lans
on one segment was the easiest but maybe not. Only one of the lans has
an Internet connection. Let's call them shop and home. The shop has
the Internet connection and the home does not. The only way home gets
on the Internet is through the shop's link. The situation you describe
makes the two wireless boxes not only connections but routers too. A lan
can have only one external link or gateway address, not like dns which
can be set up as primary and secondary.

The link to the Internet is a 3MBs dsl line. So far the 802.11b link between
the lans has seemed to work ok, it's not the bottleneck. I had thought of
doing something with the new 802.11n spec but that would just be overkill.
The current setup goes dead when the temp goes below freezing so I would
like to put a wireless card in each computer and run an antenna to the top
of the poles so weather won't affect the solution. The next problem is to
find hardware like that which will work with OBSD, the drivers. An 802.11g
card would be fine if I could get the antenna setup correctly.

later,
charles.....
Moe Trin
2007-03-31 03:21:52 UTC
On Fri, 30 Mar 2007, in the Usenet newsgroup comp.os.linux.questions, in article
Post by ***** charles
Excellent post. I have always thought that keeping the two physical
lans on one segment was the easiest but maybe not.
Two LANs located in two different buildings. Obviously it also depends
on how many boxes are on each segment. We keep them separated because of
security and administrative reasons, but we're using /22 subnets too.
This facility has multiple subnets in each building, and we've got five
buildings right here, with plans/space for two more.
Post by ***** charles
Only one of the lans has an Internet connection. Let's call them shop
and home. The shop has the Internet connection and the home does not.
The only way home gets on the Internet is through the shops' link.
OK
Post by ***** charles
The situation you describe makes the two wireless boxes not only
connections but routers too. A lan can have only one external link or
gateway address not like dns which can be set up as primary and
secondary.
News to me - we've been running at least three routers on every sub-net
for at least 23 years. What you are thinking is that you can't have two
or more gateways leading to the same place with the same metric - unless
you are using a routing daemon like gated or routed, or you are using a
policy based routing setup using '/sbin/ip' in place of '/sbin/route'.
(Yes, I have been a network admin for over 20 years, and using IP even
longer.) For a simple setup here, I'd use this on the hosts in the shop:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.1.0     192.168.0.254   255.255.255.0   UG    0      0      430 eth0
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0     1788 eth0

which says "192.168.0.0/24 is local, 192.168.1.0/24 is reachable through
192.168.0.254, and everything else (the default) is through 192.168.0.1."
Notice, there is no ambiguity here - no multiple links to the same place.
On the house side, you _could_ do the same thing with suitable substitutes,
but seeing as how there's only one way out of the house to _anywhere_ you
could reduce it to

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
0.0.0.0         192.168.1.254   0.0.0.0         UG    0      0     1788 eth0

which says 192.168.1.0/24 is local, and everything else (which includes
work) is reachable through the default router 192.168.1.254. Because the
'work' wireless box has to have a default route, it would now look like

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.4.44    0.0.0.0         255.255.255.255 UH    0      0       16 eth1
192.168.1.0     192.168.4.44    255.255.255.0   UG    0      0      430 eth1
0.0.0.0         192.168.0.1     0.0.0.0         UG    0      0     1788 eth0

which is the same as a work host with the addition of the host link,
whereas the home wireless box would just be

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0    95017 eth0
192.168.3.33    0.0.0.0         255.255.255.255 UH    0      0       16 eth1
0.0.0.0         192.168.3.33    0.0.0.0         UG    0      0     1788 eth1

A bit less secure than the independent defaults out from each end, but
that's why you encrypt the wireless link.
Post by ***** charles
The link to the Internet is a 3MBs dsl line. So far the 802.11b link between
the lans has seemed to work ok, it's not the bottleneck. I had thought of
doing something with the new 802.11n spec but that would just be overkill.
Only reason I'd go to newer gear is if the current gear has no, or very
little (WEP) security.
Post by ***** charles
The current setup goes dead when the temp goes below freezing so I would
like to put a wireless card in each computer and run an antenna to the top
of the poles so weather won't affect the solution.
See Jeff Liebermann over in alt.internet.wireless. Sixty foot of really
good cable is going to cost you mucho bucks, is lossy (meaning you need
a bigger antenna to make up for the extra loss) and can be a severe pain
in the a$$ to maintain if any moisture is involved. This is not the
solution you are looking for.

Hmmm, SWBell is cryptic with their netblock names, but where in Texas
does it get below freezing and _doesn't_ have a high temperature problem
the rest of the year? If it's only a cold problem, I'd stick the link in
a NEMA 4X box with an inch or two of polystyrene to act as a thermal
insulation. The link device should generate enough heat to keep its
footies nice and toasty. But I'd actually expect a hot problem rather than
cold.
Post by ***** charles
The next problem is to find hardware like that which will work with
OBSD, the drivers. An 802.11g card would be fine if I could get the
antenna setup correctly.
Jeff is primarily windoze, but he also does Linux - I don't know that he
does *BSD and for a built-in card, that's going to be a big problem. That
is the reason everyone sticks the RF stuff remotely, and runs Ethernet
between the RF and computing. Much less hassle about drivers, cable
loss and the like, at the tradeoff of having the electronics up on the
tower somewhere with the resulting temperature/weather problems. Nonetheless,
less, he does this crap for a living (in Santa Cruz, CA) and knows what
evil is hidden under the rocks.

Old guy
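The two routing designs Moe Trin lays out (the point-to-point tables in his earlier post, and the default-route variant above) walked through in Python as an added example; this is not code from the thread. The table rows are the ones quoted in the posts; the host addresses 192.168.0.10 and 192.168.1.20, the node names, and a DSL gateway at 192.168.0.1 standing in for "the world" are assumptions. The trace shows the point the posts make: with no default route, the routers have nowhere to send a packet for the Internet, and with the defaults added, home traffic to the world rides the link to the shop's DSL gateway.

```python
"""Longest-prefix-match walk over the thread's routing tables (added example,
not code from the thread).  Table rows are copied from the posts; host IPs
192.168.0.10 / 192.168.1.20, the node names and a DSL gateway at 192.168.0.1
standing in for "the world" are assumptions."""
import ipaddress


def parse_table(text):
    """Parse 'route -n' style rows into (network, gateway-or-None, iface)."""
    routes = []
    for line in text.strip().splitlines():
        f = line.split()
        if f[0] == "Destination":          # skip the header row
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[-1]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        gateway = None if gw == "0.0.0.0" else ipaddress.ip_address(gw)
        routes.append((net, gateway, iface))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; returns (network, gateway, iface) or None (no route)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best


# Which modelled box owns which address (host IPs assumed; router IPs from the posts).
OWNERS = {ipaddress.ip_address(a): n for a, n in {
    "192.168.0.10": "shop-host", "192.168.0.254": "shop-router",
    "192.168.3.33": "shop-router", "192.168.4.44": "home-router",
    "192.168.1.254": "home-router", "192.168.1.20": "home-host",
    "192.168.0.1": "dsl-gateway",      # the DSL router: not modelled, a path ends there
}.items()}

HDR = "Destination Gateway Genmask Flags Metric Ref Use Iface\n"
SHOP_LAN = "192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0\n"
HOME_LAN = "192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 95017 eth0\n"
TO_HOME_VIA_254 = "192.168.1.0 192.168.0.254 255.255.255.0 UG 0 0 430 eth0\n"
TO_SHOP_VIA_254 = "192.168.0.0 192.168.1.254 255.255.255.0 UG 0 0 430 eth0\n"
LINK_TO_44 = "192.168.4.44 0.0.0.0 255.255.255.255 UH 0 0 16 eth1\n"
LINK_TO_33 = "192.168.3.33 0.0.0.0 255.255.255.255 UH 0 0 16 eth1\n"
TO_HOME_VIA_LINK = "192.168.1.0 192.168.4.44 255.255.255.0 UG 0 0 430 eth1\n"
TO_SHOP_VIA_LINK = "192.168.0.0 192.168.3.33 255.255.255.0 UG 0 0 430 eth1\n"
DEFAULT_DSL = "0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 1788 eth0\n"
DEFAULT_HOME_RTR = "0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 1788 eth0\n"
DEFAULT_OVER_LINK = "0.0.0.0 192.168.3.33 0.0.0.0 UG 0 0 1788 eth1\n"

# Design A: point-to-point link, no default route on the routers (earlier post).
DESIGN_A = {
    "shop-host": parse_table(HDR + SHOP_LAN + TO_HOME_VIA_254),
    "home-host": parse_table(HDR + HOME_LAN + TO_SHOP_VIA_254),
    "shop-router": parse_table(HDR + SHOP_LAN + LINK_TO_44 + TO_HOME_VIA_LINK),
    "home-router": parse_table(HDR + HOME_LAN + LINK_TO_33 + TO_SHOP_VIA_LINK),
}
# Design B: only the shop has the DSL line, home reaches everything over the link.
DESIGN_B = {
    "shop-host": parse_table(HDR + SHOP_LAN + TO_HOME_VIA_254 + DEFAULT_DSL),
    "home-host": parse_table(HDR + HOME_LAN + DEFAULT_HOME_RTR),
    "shop-router": parse_table(HDR + SHOP_LAN + LINK_TO_44 + TO_HOME_VIA_LINK + DEFAULT_DSL),
    "home-router": parse_table(HDR + HOME_LAN + LINK_TO_33 + DEFAULT_OVER_LINK),
}


def trace(tables, src_node, dst, max_hops=8):
    """Forward a packet box by box. Returns (status, path of node names)."""
    dst = ipaddress.ip_address(dst)
    node, path = src_node, [src_node]
    for _ in range(max_hops):
        if node not in tables:             # left the modelled network (the DSL gateway)
            return "delivered", path
        hit = lookup(tables[node], dst)
        if hit is None:                    # the kernel would say "Network is unreachable"
            return "no route", path
        _net, gw, _iface = hit
        next_ip = dst if gw is None else gw  # connected route: hand it to the host itself
        if next_ip not in OWNERS:          # nobody answers ARP for that address
            return "no such host", path
        node = OWNERS[next_ip]
        path.append(node)
        if next_ip == dst:
            return "delivered", path
    return "loop", path


if __name__ == "__main__":
    for label, tables, src, dst in [
        ("A: shop host -> home host", DESIGN_A, "shop-host", "192.168.1.20"),
        ("A: shop router -> the world", DESIGN_A, "shop-router", "8.8.8.8"),
        ("B: home host -> the world", DESIGN_B, "home-host", "8.8.8.8"),
    ]:
        print(f"{label}: {trace(tables, src, dst)}")
```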
***** charles
2007-03-31 09:14:31 UTC
Looks like we're back to putting the electronics back on the pole, a couple
of WRT54GL's set up in bridge mode to replace the two WET11's that operate
that way now. Fort Worth gets below 32 degrees about 3 to 4 weeks a year
at night. Sometimes the WET's work and sometimes they don't. Building a
box around the routers with one side of glass may keep them warm enough
and functioning all the time. There are about 4 or 5 machines at any one
time at both the shop and the home. DHCP is not used, all the addresses are
hard coded. There is not that much traffic between the two places or even
to the outside world. Sometimes a bunch of guys come over to add their
computers to the lan, they go through changing IP hell. I would like to add
a dhcp server to the mix so keeping the wireless connection "transparent"
is a must.

later.....
Moe Trin
2007-04-01 00:01:02 UTC
On Sat, 31 Mar 2007, in the Usenet newsgroup comp.os.linux.questions, in article
Post by ***** charles
Looks like we're back to putting the electronics back on the pole, a
couple of WRT54GL's set up in bridge mode to replace the two WET11's
that operate that way now.
You _could_ put the electronics on the ground. You'd then have to run a
low loss RF cable ($BUX) up the pole. Assuming the cable loss is a mere
3.0 dB, you'd have to install a higher gain antenna to make up for it.
Gain is a function of area, so to double the gain, you'd need an antenna
that is nominally double in area ($BUX). The larger size _may_ exert
greater wind loads on the tower, necessitating strengthening ($BUX) and
depending on the cable/antenna you may need a dehydrator (or nitrogen
bottle) to pressurize them ($BUX). See where that is going?

On the other hand, you may want to do the cost tradeoff of getting a
broadband connection at home, and using VPN to tunnel between the two.
Post by ***** charles
Fort Worth gets below 32 degrees about 3 to 4 weeks a year at night.
Sometimes the WET's work and sometimes they don't.
Most of the consumer gear I've seen is spec'ed from 0 to 50C. However
someone recently noted a wireless access point is generating about 2
Watts of heat. Using an inch or two of styrofoam insulation (R value is
about 4 per inch - polyurethane or polyisocyanurate would be better at
roughly R6 per inch) would retain that heat over the short freezing
intervals.
Post by ***** charles
Building a box around the routers with one side of glass may keep them
warm enough and functioning all the time.
That's definitely not the way I'd go. NEMA weatherproof box, an inch or
two of foam inside to handle the cold, and bright shiny surfaces to
reflect the sun loading. 50C = 122F is pretty easy to hit in even a
flat finish painted surface in the sun. I've rarely seen gear with a
wider temperature range (-10C - +60C = +14 - 140F), but even that dies
when left in the sun on a summer day. That's why I hate uncovered parking
at the stores (I'm near Phoenix).
Post by ***** charles
There are about 4 or 5 machines at any one time at both the shop and
the home. DHCP is not used, all the address are hard coded. There is
not that much traffic between the two places or even to the outside
world.
OK - clued setup.
Post by ***** charles
Sometimes a bunch of guys come over to add their computers to the lan,
they go through changing IP hell.
Which LAN - house or shop? We've got a couple thousand systems at this
facility, and have them statically configured. Part of this is paranoia
(we're an R&D facility), but mostly it's just common sense. We only have
a few O/S installation variations (basically workstations, servers, and
"others") and things are pretty standardized. Moving boxes (and changing
IPs as needed) is generally handled by student interns we use as low cost
slaves^W^W^W^Wto give them experience in computer administration. It's
pretty much a "no-brainer".
Post by ***** charles
I would like to add a dhcp server to the mix so keeping the wireless
connection "transparent" is a must.
They don't see the wireless link - they'd only see the local router
interface. As mentioned, the house needs only a LAN setup and a default
router, while systems at the shop would need that AND a single static
route. This does depend on the distributions, but typically is only
a single line in a file. We've stayed away from BOOTP and DHCP as an
extra complication with more security concerns that creates more problems
than it solves.

Old guy