Tuesday, April 22, 2008

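FreeBSD multi-routing: dual-line access to the education network (CERNET) and China Telecom

Use ipfw's lookup tables to select routes automatically between the education network and China Telecom.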


On Tue, Aug 24, 2004 at 10:55:13PM +0200, Simon L. Nielsen wrote:
> On 2004.08.24 11:17:39 -0500, Chris wrote:
> > I'm working with a friend of mine w/ipfw. Below are IP's that are trying
> > to hack in via ssh. I suggested to use something in the form of:
> >
> > # Allow in SFTP, SSH, and SCP from public Internet
> > ${fwcmd} add 090 pass log tcp from xxx.xxx.xxx.xxx/29 to ${ip} 22 setup limit src-addr 4
> >
> > But he mentions that he needs access to his box from potential client
> > sites where the IP is unknown.
> >
> > There has to be a better way to block the below - suggestions?
>
> If you use FreeBSD -CURRENT or -STABLE (newer than 4.10 and 5.2) you
> could use the new table feature. Otherwise if you use ipfw2 you could
> use "or-blocks" e.g.
>
> ipfw add deny ip from { 1.2.4.5 or 1.2.4.7 or 1.2.5.7 } to any

Good call, but unfortunately, this is not very good in performance either..

If you use latest kernel, your ipfw2 should have the lookup tables patch which
uses radix lookup. { blah or bleh or x or y or z } list is a linear lookup,
causing the system to lookup twice in linear fashion to come to a match. It is
not exactly any better in terms of performance efficiency than adding hundreds
of straight ipfw rules each with a ip address specification.

Try this if you have tables feature:

ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32
ipfw table 1 add x.x.x.x/32

ipfw add 300 deny ip from table(1) to any

No matter how many elements you got in table 1, due to radix/patricia trie
lookup as with kernel routing table, the time spent in looking thru firewall
elements is O(32) constant.

To demonstrate the efficiency:

Test #1: Start with 1 ipfw rule (the last rule 65535 being allow all) that
denies one ip address on the DUT. Flood the remote tester device that is not
denied by the ipfw rule. Start the test, and increment the ipfw rules from 1
to 10. Result:

1 rule: 140kpps
2 rule: 140kpps
3 rule: 138kpps
4 rule: 137kpps
5 rule: 135kpps
6 rule: 135kpps
7 rule: 132kpps
8 rule: 133kpps
9 rule: 131kpps
10 rule: 129kpps

Test #2: Perform the exact same test above, however use a lookup table to store
the elements from 1 to 10:

1 element in table: 140kpps
2 element in table: 140kpps
3 element in table: 140kpps
4 element in table: 141kpps
5 element in table: 140kpps
6 element in table: 139kpps
7 element in table: 140kpps
8 element in table: 142kpps
9 element in table: 140kpps
10 element in table: 140kpps
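
As an added example (not part of the original thread or of this blog's own configuration), the script below turns repeated sshd login failures into entries for the lookup table described above and prints the commands for review instead of applying them. The OpenSSH "Failed password" log format, the threshold of 3 and the function names are assumptions; table 1 and rule 300 are the numbers used in the post.

```sh
#!/bin/sh
# Added example, not from the original thread. Assumed: OpenSSH "Failed
# password ... from IP port N ssh2" log lines, THRESHOLD, and the function
# names. Table 1 and rule 300 are the numbers used in the post above.
THRESHOLD=3

# Constructed sample log (RFC 5737 documentation addresses, one invalid).
sample_log() {
cat <<'EOF'
Aug 24 10:01:02 host sshd[411]: Failed password for root from 192.0.2.10 port 4021 ssh2
Aug 24 10:01:05 host sshd[411]: Failed password for root from 192.0.2.10 port 4022 ssh2
Aug 24 10:01:09 host sshd[412]: Failed password for invalid user from from 192.0.2.10 port 4023 ssh2
Aug 24 10:02:11 host sshd[420]: Failed password for bob from 198.51.100.7 port 5100 ssh2
Aug 24 10:03:00 host sshd[421]: Accepted password for bob from 198.51.100.7 port 5101 ssh2
Aug 24 10:04:40 host sshd[430]: Failed password for test from 203.0.113.99 port 6001 ssh2
Aug 24 10:04:41 host sshd[430]: Failed password for test from 203.0.113.99 port 6002 ssh2
Aug 24 10:04:42 host sshd[430]: Failed password for test from 203.0.113.99 port 6003 ssh2
Aug 24 10:04:43 host sshd[431]: Failed password for x from 999.1.1.1 port 1 ssh2
Aug 24 10:04:44 host sshd[431]: Failed password for x from 999.1.1.1 port 2 ssh2
Aug 24 10:04:45 host sshd[431]: Failed password for x from 999.1.1.1 port 3 ssh2
EOF
}

# Read sshd log lines on stdin; print one "ipfw table 1 add" command per
# source that reached THRESHOLD failures, then the single deny rule.
gen_table_cmds() {
  awk -v min="$THRESHOLD" '
    function valid(ip,   p, n, i) {          # reject malformed IPv4 text
      n = split(ip, p, ".")
      if (n != 4) return 0
      for (i = 1; i <= 4; i++)
        if (p[i] !~ /^[0-9]+$/ || p[i] + 0 > 255) return 0
      return 1
    }
    # Anchor on the line tail so a user name such as "from" cannot shift fields.
    NF > 5 && /sshd\[[0-9]+\]: Failed password/ && $(NF-4) == "from" && $(NF-2) == "port" {
      if (valid($(NF-3))) fails[$(NF-3)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip }
  ' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n |
  while read -r ip; do
    echo "ipfw table 1 add $ip/32"
  done
  echo "ipfw add 300 deny ip from table(1) to any"
}

# Print the commands for review; nothing is applied to the firewall here.
sample_log | gen_table_cmds
```

Review the output before loading it, and keep addresses you administer the host from out of the table, since rule 300 denies all IP traffic from every listed source.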




Monday, April 21, 2008

D-Link BAS authentication campus network client for Linux

aecium
Amtium eFlow Client for GNU/Linux.

http://gitorious.org/projects/aecium

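Thanks to wkz0712's work, the many Linux users on campus networks can now connect to the campus network directly, without relying on a virtual machine!
bkuyang has verified that it works; it can be used on the Henan University campus network.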

Amtium eFlow Client for GNU/Linux




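This is a version rewritten after disassembling what appears to be the official version (available online). You are welcome to use it. Usage:
$ 12net -h
If you find any errors, please point them out in a reply.
You can rename the program; on first use, all parameters must be given in full.

$ sudo cp 12net /usr/bin/program_name
$ program_name -h 210.45.193.3 -u username -p password -d eth0 -f

Or write the following in $HOME/.program_name:
host=210.45.193.3
server=int
interface=eth0

To leave:
$ program_name -l

Download link: aecium.zip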

Saturday, April 19, 2008

This one is from Drivel.
Just don't know why they can't make the Desktop Client WSWG.

Are you using CERNET?
Yes
No

Why do you choose it?
I like it because ...
I have no other choice!



Friday, April 18, 2008

Desktop posting client test

Testing post from BloGTK!
Mesh
Enjoying my happy on with CERNET~

Will all these things work perfect?