Re: [9fans] banishment of nuisance IP addresses

Re: [9fans] banishment of nuisance IP addresses

[cinap_lenrek]

seems tricky with listeners that run as none, no?

so your banish files would need to be world writable in this
case, no? that means everyone can just lock you out of your
box by writing a line there...

--
cinap

Re: [9fans] banishment of nuisance IP addresses

[Steve Simon]

re: anyone can banish ano IP address

You are quite right, not a problem for me, but not a general solution.

Ok, chmod og-w /lib/ndb/banished first.

I could then write a file server, envoked in cpurc as bootes and thus
has rights to update the files in /lib/ndb/banished/*.

The file server would have to ensure its /srv/xxx file is not accessable
by others.

This could be mounted by the network listners before they becomenone() so
they retain access. They would also need to ensure they unmount
the writable access to the banishment directory before starting their
child process (if the incomming connection is successful).

ugh. Even _if_ that would work its a real pain.

oh well, nice idea, but no bananna.

-Steve

Re: [9fans] banishment of nuisance IP addresses

[Sergey Zhilkin]

[-- Attachment #1: Type: text/plain, Size: 1373 bytes --]

I wonder .... if it will be system with IPv6 enabled and connected directly
to internet.
There is no fw in plan 9 ....
May be time to think about it ?

вт, 29 окт. 2019 г. в 14:27, Steve Simon <steve@quintile.net>:

> re: anyone can banish ano IP address
>
> You are quite right, not a problem for me, but not a general solution.
>
> Ok, chmod og-w /lib/ndb/banished first.
>
> I could then write a file server, envoked in cpurc as bootes and thus
> has rights to update the files in /lib/ndb/banished/*.
>
> The file server would have to ensure its /srv/xxx file is not accessable
> by others.
>
> This could be mounted by the network listners before they becomenone() so
> they retain access. They would also need to ensure they unmount
> the writable access to the banishment directory before starting their
> child process (if the incomming connection is successful).
>
> ugh. Even _if_ that would work its a real pain.
>
> oh well, nice idea, but no bananna.
>
> -Steve
>
> ------------------------------------------
> 9fans: 9fans
> Permalink:
> https://9fans.topicbox.com/groups/9fans/Te00ed62cf5d85d9e-M4d3ca138d4a82de48a303955
> Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
>


-- 
С наилучшими пожеланиями
Жилкин Сергей
With best regards
Zhilkin Sergey

[-- Attachment #2: Type: text/html, Size: 2034 bytes --]

Re: [9fans] banishment of nuisance IP addresses

[Steve Simon]

[-- Attachment #1: Type: text/plain, Size: 1830 bytes --]

no “fw” not sure what that is.

as it happens i turned off ipv6 last night. it was causing problems with smtp which i fail to understand, maybe tls certificate, i am not sure.

the banishment code works fine for ipv6

-Steve


> On 5 Nov 2019, at 10:02 am, Sergey Zhilkin <szhilkin@gmail.com> wrote:
> 
> 
> I wonder .... if it will be system with IPv6 enabled and connected directly to internet. 
> There is no fw in plan 9 .... 
> May be time to think about it ?
> 
> вт, 29 окт. 2019 г. в 14:27, Steve Simon <steve@quintile.net>:
>> re: anyone can banish ano IP address
>> 
>> You are quite right, not a problem for me, but not a general solution.
>> 
>> Ok, chmod og-w /lib/ndb/banished first.
>> 
>> I could then write a file server, envoked in cpurc as bootes and thus
>> has rights to update the files in /lib/ndb/banished/*.
>> 
>> The file server would have to ensure its /srv/xxx file is not accessable
>> by others.
>> 
>> This could be mounted by the network listners before they becomenone() so
>> they retain access. They would also need to ensure they unmount
>> the writable access to the banishment directory before starting their
>> child process (if the incomming connection is successful).
>> 
>> ugh. Even _if_ that would work its a real pain.
>> 
>> oh well, nice idea, but no bananna.
>> 
>> -Steve
>> 
>> ------------------------------------------
>> 9fans: 9fans
>> Permalink: https://9fans.topicbox.com/groups/9fans/Te00ed62cf5d85d9e-M4d3ca138d4a82de48a303955
>> Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
> 
> 
> -- 
> С наилучшими пожеланиями
> Жилкин Сергей
> With best regards
> Zhilkin Sergey
> 9fans / 9fans / see discussions + participants + delivery options Permalink

[-- Attachment #2: Type: text/html, Size: 3385 bytes --]

Re: [9fans] banishment of nuisance IP addresses

[Sergey Zhilkin]

[-- Attachment #1: Type: text/plain, Size: 2378 bytes --]

>no “fw” not sure what that is.
firewall :)

вт, 5 нояб. 2019 г. в 13:06, Steve Simon <steve@quintile.net>:

> no “fw” not sure what that is.
>
> as it happens i turned off ipv6 last night. it was causing problems with
> smtp which i fail to understand, maybe tls certificate, i am not sure.
>
> the banishment code works fine for ipv6
>
> -Steve
>
>
> On 5 Nov 2019, at 10:02 am, Sergey Zhilkin <szhilkin@gmail.com> wrote:
>
> 
> I wonder .... if it will be system with IPv6 enabled and connected
> directly to internet.
> There is no fw in plan 9 ....
> May be time to think about it ?
>
> вт, 29 окт. 2019 г. в 14:27, Steve Simon <steve@quintile.net>:
>
>> re: anyone can banish ano IP address
>>
>> You are quite right, not a problem for me, but not a general solution.
>>
>> Ok, chmod og-w /lib/ndb/banished first.
>>
>> I could then write a file server, envoked in cpurc as bootes and thus
>> has rights to update the files in /lib/ndb/banished/*.
>>
>> The file server would have to ensure its /srv/xxx file is not accessable
>> by others.
>>
>> This could be mounted by the network listners before they becomenone() so
>> they retain access. They would also need to ensure they unmount
>> the writable access to the banishment directory before starting their
>> child process (if the incomming connection is successful).
>>
>> ugh. Even _if_ that would work its a real pain.
>>
>> oh well, nice idea, but no bananna.
>>
>> -Steve
>>
>> ------------------------------------------
>> 9fans: 9fans
>> Permalink:
>> https://9fans.topicbox.com/groups/9fans/Te00ed62cf5d85d9e-M4d3ca138d4a82de48a303955
>> Delivery options: https://9fans.topicbox.com/groups/9fans/subscription
>>
>
>
> --
> С наилучшими пожеланиями
> Жилкин Сергей
> With best regards
> Zhilkin Sergey
>
> *9fans <https://9fans.topicbox.com/latest>* / 9fans / see discussions
> <https://9fans.topicbox.com/groups/9fans> + participants
> <https://9fans.topicbox.com/groups/9fans/members> + delivery options
> <https://9fans.topicbox.com/groups/9fans/subscription> Permalink
> <https://9fans.topicbox.com/groups/9fans/Te00ed62cf5d85d9e-Mf70fb7e29d4e9df88f57dd6e>
>


-- 
С наилучшими пожеланиями
Жилкин Сергей
With best regards
Zhilkin Sergey

[-- Attachment #2: Type: text/html, Size: 4149 bytes --]

Re: [9fans] banishment of nuisance IP addresses

[hiro]

from just your description i like how you rely on the filesystem to
store the state, which seems to make it trivial to split multiple
tasks into multiple programs :)