https://smaugmuds.afkmods.com/index.php?a=rssfeed&t=4066 The largest Smaug community resource site. - en SmaugMuds 60 https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17944#p17944 Hmm, I think I said basically the same thing with significantly more brevity. :tongue: https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17944#p17944 Fri, 12 Jun 2009 01:20:18 CDT General Discussions nobody@example.com (Conner) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17943#p17943 I guess what I'm saying is that I'm not convinced that there really is a better way with IPv4 or IPv6. The main functional difference between stopping somebody at the firewall vs. the application -- no matter how you accomplish that, be it via IP blocks or authentication -- is that it's cheaper to stop connections before they're fully established, and perhaps more secure in case the application has vulnerabilities. That said, the DOS problem is a very real one and is recognized by security pe https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17943#p17943 Fri, 12 Jun 2009 00:07:17 CDT General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17942#p17942 Given how long the current tcp/ip has been established and it's present wide-spread usage, add to that the advent of IPv6, I'm not really sure that there is a reasonable way to actually fix it. This conversation was really more of a "it's too bad that we don't have a better way to handle this" than a "let's come up with a better way to handle this" sort of thread. Though if you have something in mind that could be done to eliminate the need to use broad IP range bans to block individuals which s https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17942#p17942 Thu, 11 Jun 2009 23:09:10 CDT General Discussions nobody@example.com (Conner) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17933#p17933 I see -- since we were talking about forums and spammers there, or even spammers at a given MUD, I was trying to figure out what the functional difference between blocking their connection at the service level or firewall level (there isn't any, unless you're talking about a DOS). Of course, if one wants to block them for [i]all[/i] services, the firewall is the way to go. But this whole conversation got started because of ranged IP bans being too aggressive, and AFAICT none of this talk spea https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17933#p17933 Wed, 10 Jun 2009 20:58:24 CDT General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17932#p17932 A range ban at the firewall won't let them into the system at all. SSH would require they have access to the SSH server at the very least, as you need to be able to reach the system before SSH negotiation can even take place. https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17932#p17932 Wed, 10 Jun 2009 19:14:12 CDT General Discussions nobody@example.com (Samson) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17931#p17931 Exactly, the difference would be that as it is, with a range block, we can deny them access regardless of who they are because we're resorting to the IP, but if we had some sort of ssh style authentication, we could determine who they were without letting them get into the system at all. https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17931#p17931 Wed, 10 Jun 2009 18:20:22 CDT General Discussions nobody@example.com (Conner) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17930#p17930 Well the difference between range blocking them at the form and range blocking them at the firewall is that at the firewall you'd be denying them access to the entire machine and any services currently running on it. That includes things like the Sandbox forum (dead as it may be) and several MUDs running on the box in addition to the actual forum/repository. If all we're trying to do is block someone from abusing the forum, range blocking at the forum is sufficient. If they start abusing the ser https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17930#p17930 Wed, 10 Jun 2009 18:16:20 CDT General Discussions nobody@example.com (Samson) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17929#p17929 [quote=Conner]Functionally, the difference is whether they have to connect and then log in before being dropped versus never even reaching the actual forums which has the potential to block the wrong people when the range in question covers more than just the offender. [/quote] I'm not sure how one method will block offenders whereas the other won't. If you only accept registered users, then either you accept them at the firewall level or the forum level; vice-versa for refusing them. If the ra https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17929#p17929 Wed, 10 Jun 2009 17:38:19 CDT General Discussions nobody@example.com (David Haley) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17927#p17927 Nah, we were talking about blocking IP ranges [i]at the firewall[/i], David, not just their accounts once they've logged into the forums. Functionally, the difference is whether they have to connect and then log in before being dropped versus never even reaching the actual forums which has the potential to block the wrong people when the range in question covers more than just the offender. Most forum software can't do that negotiation as part of the connection so the result is having to go t https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17927#p17927 Wed, 10 Jun 2009 17:19:50 CDT General Discussions nobody@example.com (Conner) https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17918#p17918 Hmm, I thought we were talking about just preventing people from using a site, not outright blocking connections. (I'm also not sure what the functional difference is, unless we're talking about DOS attacks.) But, well, don't forget that there's not much difference between doing the negotation as part of the connection, and immediately following it, especially given TCP's heavy implementation costs to begin with. https://smaugmuds.afkmods.com/topic/is-there-a-problem-with-mudbytes-4066/&p=17918#p17918 Tue, 9 Jun 2009 14:35:26 CDT General Discussions nobody@example.com (David Haley)