00:06.33 | *** join/#gllug Leeds (~richardc@n219078058021.netvigator.com) |
02:41.32 | *** join/#gllug Leeds (~richardc@www.scorefive.com) |
02:46.14 | *** join/#gllug boudiccas (~boudiccas@unaffiliated/boudiccas) |
07:51.05 | *** join/#gllug zplinux (~zplinux@213.8.57.217) |
08:35.41 | zplinux | hmm, hi all |
08:35.45 | zplinux | is it possible to have many clients connect to one server and not have them talk to each other? |
08:36.01 | zplinux | I am referring to openvpn |
08:36.04 | zplinux | and I don't mean the client-to-client option |
08:36.40 | jpds | Don't think so; you'd probably have to put them on their own VLANs. |
08:38.13 | zplinux | how many vlans can I have on my pc? |
08:39.26 | zplinux | thanks jpds |
08:40.11 | jpds | zplinux: They usually go on switches. |
08:43.41 | Leeds | zplinux: isn't that the point of the client-to-client option? |
08:44.21 | zplinux | hi LEEDS! |
08:44.33 | zplinux | em |
08:44.46 | zplinux | not sure |
08:44.59 | Leeds | or, well, obviously its absence |
08:45.31 | zplinux | I mean the idea is to allow clients to download updates when a firewall blocks incoming connection |
08:45.47 | Leeds | what does that have to do with clients seeing each other? |
08:46.03 | zplinux | yet from the security perspective, we don't want one hacked client to enter the whole system |
08:46.17 | zplinux | Leeds: not sure |
08:46.45 | zplinux | I mean I don't want to allow a hacked client to have access to any other system |
08:47.11 | zplinux | kind of ptp from each client to our server |
08:47.26 | zplinux | in fact I only need one line in the route |
08:47.35 | zplinux | hmm |
08:48.34 | zplinux | I think I just need to try it out |
08:48.48 | zplinux | seems I can do this with the available tools |
08:48.54 | antiphase | You'd need to use a VLAN per switch port or a switch with port protection. You can't do it with software if you allow users any sort of system access |
08:49.35 | zplinux | can't I use ebtables? |
08:49.40 | antiphase | And that still potentially allows UDP from one client to another unless you also put ACLs between your VLANs or put everyone on a firewall and have some horrendous config |
08:50.11 | antiphase | It's the sort of question that you have to ask why you're asking, because it suggests some sort of elementary architectural problem |
08:50.37 | antiphase | s/UDP/unidirectional traffic/ |
08:50.43 | antiphase | guzzles moar coffee |
08:51.22 | antiphase | ebtables is for controlling traffic between network segments |
08:51.51 | antiphase | You're talking about clients who are potentially on the same network, which is why you end up having to have a network per client so you can control the inter-network traffic |
08:52.36 | antiphase | reads the question again |
08:52.46 | antiphase | Do you just mean openvpn? |
08:52.56 | zplinux | yes I do |
08:53.46 | antiphase | If you haven't got IP forwarding enabled, then the server shouldn't route packets |
08:54.17 | antiphase | Of course if you're using it as a gateway then having IP forwarding enabled is sort of useful :P |
08:54.33 | antiphase | iptables is a possibility though |
08:55.04 | antiphase | I understand why you asked about ebtables now, but it's unnecessary unless you're using TAP interfaces, which are horrid anyway |
08:56.22 | zplinux | antiphase: ok, how would you solve this common problem |
08:56.31 | antiphase | Is it common? |
08:56.54 | zplinux | you hold a server in your company that has updates to your costemers |
08:57.11 | zplinux | costumers |
08:57.17 | antiphase | customers :P |
08:57.42 | antiphase | I'd firstly ask why openvpn would be your choice for just moving some data about |
08:57.51 | antiphase | rather than HTTPS |
08:58.07 | antiphase | (over the public internet) |
08:58.14 | zplinux | they are connected to the internet using NAT and you can't open a forward port there |
08:58.31 | antiphase | They can still connect to your server then |
09:00.08 | zplinux | I want the connection to be secure |
09:00.13 | zplinux | https is a nice idea |
09:00.43 | zplinux | only need a script to download updates and run them |
09:01.11 | zplinux | but I also want to offer interactive support |
09:01.19 | zplinux | so I do need a way in |
09:01.24 | antiphase | What does that involve? |
09:01.30 | zplinux | sshing in |
09:03.17 | antiphase | So you're back to a VPN again |
09:04.24 | zplinux | yes |
09:04.34 | zplinux | let me try it here |
09:04.58 | zplinux | I will be back when I know what to ask |
09:39.55 | *** join/#gllug mikejw (~android@212.183.140.0) |
10:04.08 | hali | morning |
10:04.16 | hali | f*cking notting hill carnival outside my window |
10:05.10 | hali | at least they bring good food |
12:11.59 | *** join/#gllug eje211 (~quassel@82-71-45-200.dsl.in-addr.zen.co.uk) |
12:12.32 | eje211 | Hey! I'm looking to buy a Netbook with Linux or without Windows in London. Does such a thing still exist, and if so, where? |
12:13.46 | *** join/#gllug eje211 (~quassel@82-71-45-200.dsl.in-addr.zen.co.uk) |
12:30.00 | *** join/#gllug andrewblack (~andrew@vm.black1.org.uk) |
12:38.31 | eje211 | Hey! I'm looking to buy a Netbook with Linux or at least without Windows in London. Does such a thing still exist, and if so, where? |
13:32.44 | *** join/#gllug sabinef72 (~sabinef72@barcelone.ipv6.popipo.fr) |
14:41.23 | *** join/#gllug Leeds (~richardc@n219078058021.netvigator.com) |
15:31.28 | *** join/#gllug andrewblack (~andrew@vm.black1.org.uk) |
16:04.44 | *** join/#gllug Barry-Nichols (~Barry@cpc3-bsfd4-0-0-cust332.5-3.cable.virginmedia.com) |
17:12.26 | *** join/#gllug DiscordianUK (~ch@fedora/DiscordianUK) |
17:43.26 | *** join/#gllug andrewblack (~andrew@vm.black1.org.uk) |
17:46.04 | *** join/#gllug MessedUpHare (~stewart@cpc8-acto3-2-0-cust6.4-2.cable.virginmedia.com) |
18:32.51 | *** join/#gllug DiscordianUK (~ch@fedora/DiscordianUK) |
22:46.16 | *** join/#gllug shai (~Shai@l192-117-110-233.cable.actcom.net.il) |