
Re: A couple of questions

> > I can confirm fully what Andy has said, plus the fact that they will not
> > only filter packets and have a firewall that stops any incoming web
> > requests, but they will enforce a NO SERVERS policy for all their users,
> > so you can't even serve for actvnet customers. I don't know what the
> > status of multi-player net-aware games is.
> 
> I do not play 'net games myself, but I am sure the games use ports above
> 1024. Actvnet cannot close these ports simply because Unix clients grab
> these ports at random when they request a connection.

Not quite. FTP on browsers is set to passive. It is possible that the router
thingie that you connect to (the one that gives you the ether connection
to actvnet) also runs some sort of firewall and takes care of that. In
particular, I'd expect it to remap the ports such that they do not collide,
as it itself has only 1 address, not 5 or 10. So it's gatewaying /
masquerading / tunneling anyway.

It is relatively easy to set up such a system such that all the routing
goes through a central switching unit and never peer to peer.

With such speeds it has to be a powerful system and it CERTAINLY can
handle packet filtering if it also uses the distributed routers / terminal
servers / whatever they call the box they put in your house.

> When I talked to them the max was 5 users per 64k. However, this is not
> an issue. Users will feel each other's presence _only_ if all of them do
> something like ftp transfer simultaneously. This does not happen in real
> life.

God help you if you live near a Linux box owner and he runs a web site
(unless the server thing does not work on actvnet, period).

> > I suppose that if routing is set up to funnel any request from any actvnet
> > member for port 80 outwards to an external gateway, you can't do anything
> > about it.
> 
> Like I said above, ports above 1024 cannot be safely closed, so one can
> run an HTTP server on port 8000, and this should work fine. Of course,
> you cannot run an SMTP server this way... But even then, you cannot do
> any real work if your IP changes. Even if you run your computer 24/7,
> NAT can force disconnection after a certain time of inactivity. On the
> other hand, one can ping Actvnet server every 10 min from cron, thus
> simulating life ;-)

With normal web service for lemmings [tm], NO ports need to be open for TCP
anywhere at all, for incoming connections. HTTP pulls by itself, FTP is in
passive mode, NNTP pulls by itself, and IRC is not on TCP. All larger
providers with 'limited services' work this way, including many North
American cable providers as far as I have gathered. 

This means that the firewall can be configured to block any TCP
connection from coming in. It can also block certain datagrams that are
clearly not IRC or games, such as ping, dns, and the (in)famous bonk etc.

> > From other cable provider deals abroad, it seems that they enforce their
> > policies *very* promptly and will not just terminate anyone caught
> > (including innocent users whose email addresses were used for spam
> > propagation - at least one case in the US last year), but will keep you
> > off *permanently* and apparently set up some sort of blacklist system
> > against caught people, which means that getting in with another cable
> > provider may be impossible. (source: usenet archives).
> 
> One more detail I recall. Actvnet does not allow the use of more than one
> computer, to say nothing of connecting several PCs via a Linux box. They
> said they would check it constantly. However, how they can
> _conclusively_ detect extra computers behind a properly firewalled Linux
> is beyond me. There are ways to do it inconclusively though.

They can't, but if they catch you once, you're dead.

Neither actvnet nor anyone else can tell you what you can do with your
machine. Legally, nobody can tell you that you can't have a second ether
card in the same machine, or what to do with it. What they can and do tell
you is that on the wire they give you, you put ONE computer, and you do
NOT use it as a server. Period. And it's fair enough. 

Peter
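The masquerading router and inbound filter discussed in this thread, as an added example that is not part of the original message: a minimal model of a single-address router that remaps outbound source ports and admits inbound packets only for flows an inside host opened first. The addresses, ports and the `MasqRouter` class are all constructed for illustration; nothing here is actvnet's actual equipment or configuration.

```python
# Added example, not from the thread: a toy masquerading router with one public
# address. Outbound flows get a fresh public source port; inbound packets pass
# only if they match an existing mapping and are not a new-connection request.
# All addresses and ports are constructed (RFC 5737 documentation ranges).
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.7"   # the router's single public address (constructed)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # True for a bare SYN, i.e. a new-connection request


class MasqRouter:
    def __init__(self, first_port=40000):
        self.next_port = first_port
        self.out = {}   # (inside_ip, inside_port, dst_ip, dst_port) -> public port
        self.back = {}  # public port -> (inside_ip, inside_port, dst_ip, dst_port)

    def outbound(self, pkt):
        """Inside host -> Internet: allocate (or reuse) a public port and rewrite
        the source so two inside hosts using the same local port never collide."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.out:
            self.out[key] = self.next_port
            self.back[self.next_port] = key
            self.next_port += 1
        return Packet(PUBLIC_IP, self.out[key], pkt.dst_ip, pkt.dst_port, pkt.syn)

    def inbound(self, pkt):
        """Internet -> inside: only a reply to a flow the inside host started is
        translated back. A bare SYN, or a port with no mapping, is dropped, so a
        web server listening on 8000 inside is unreachable even though nothing
        ever 'closed' the ports above 1024. Returns the rewritten packet or None."""
        key = self.back.get(pkt.dst_port)
        if key is None or pkt.syn:
            return None                      # unsolicited: no state for it
        in_ip, in_port, remote_ip, remote_port = key
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                      # right port, wrong peer
        return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.syn)
```

Adding idle-timeout expiry to the mappings would model the forced disconnection after inactivity mentioned in the thread.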