Searching on internet helped me to suspect packet size. If the remote site was sending packets which are too big, they would get dropped, with an icmp reply saying “make things smaller, man” (in computer terms).

However, for some reason it may not work, if icmp packets are dropped, or if anything like this happens.

The symptom in my case was simple. I could access everything from the router itself, but from client computers, connection was hanging forever without data coming… Some tcpdump showed me that the mss (requested max packet size) value in the initial SYN connection packet sent by my router was 1414 while the one sent when the connection came from a client computer was 1460. That’s a 46 bytes difference. Knowing that networking in Japan is not the same as what I’m used to (for example, the VHDSL modem I use to connect to Internet also provides IPv6 directly, while IPv4 is obtained through PPPoE ; I suspect pppoe in fact transits through ipv6), I decided to change the value of mss in the connection packets.

Easier said than done, setting the MTU on ppp0 or changing mss in route didn’t have any impact on the data sent.

When nothing works, it’s time to use iptables for some dirty work:

iptables -I FORWARD 1 -o ppp0 -p tcp -j TCPMSS --tcp-flags syn,fin,ack syn --set-mss 1414

For all forwarded tcp SYN packets to interface ppp0, I set the mss to 1414… and guess what? It works. I can finally access websites that didn’t work. Strange workaround, and something I didn’t think I would ever have to do… well… life is weird.

First, port knocking is not meant to be used alone…

Even if you use your daemon’s default port (let’s say port 22 for sshd), port knocking can protect you more than you can even imagine. Let’s take the following setup:

• SSHd running on port 65122
• Connections to port 65122 are replied with “connection refused” (via an icmp target rule)
• In order to “open” port 65122, connection attempts must be made to ports 22448, 44228 and 22884 in this order. Any other order will blacklist the IP attempting to connect for 1 hour
• More than 5 attempts to connect to port 65122 within 20 minutes will result in 1 hour blacklist

Now, if you’re that smart, just try to find your way in without the “passphrase” (which is 22448-44228-22884-65122). If you do too many attempts, you’ll end blacklisted. Let’s say you found out that port 65122 gets you banned when you connect, and have determined that you can make up to 5 attempts in 20 minutes. Let’s also say you know you have to knock exactly 3 ports to be able to connect.
You then have to test 65536^3 = 281474976710656 combinations, and can only test 5 in 20 minutes, that would require 70368744177660 minutes (133882694 years or so).

I can assume no decent system will be up for 133882694 years without any shift into security settings. You can parallelize that with different source IPs, but it will still last too long against people shifting every 3~6 months.

“We won the desktop. We won the server. We will win the Web. We will move fast, we will get there. We will win the Web.”

Our old pal Steve Ballmer said that a couple of years ago. And yeah, we can see that Microsoft tried to go in this direction. Initially planning to leave the Web « as-is » by not updating Microsoft Internet Explorer, they had to resume development as soon as Firefox 1.0 was out, on november 9th, 2004. Development was resumed, and MSIE 7.0 announced…

Still, MSIE 7.0 is far from what you would expect from a modern browser. Yes, Microsoft fixed old stuff like the transparent PNG issue, but it still remains really old. Just try to read JavaScript documentation from 1999, and you’ll see that most interesting stuff is not implemented. And that’s not just “some functions”. For example in JavaScript you have a method called “toSource()”. This method can convert an array to a string representing it in JavaScript, let’s call that a JavaScript Object Notation. Yeah, you see what I mean, for example PHP is able to read JSON strings, and convert them to native PHP constructions (arrays, null, string, …).

So, Microsoft announced MSIE 8.0 with a bunch of more or less useless improvements. MSIE 8.0 is supposed to pass ACID2 test, implement more recent JavaScript, etc…

Anyway it’s not yet relevant as MSIE 8.0 isn’t released.

So, Mister Ballmer said, two years ago, that Microsoft will “move fast” and “win the Web”. The web is not something anyone can just “win”, as Molly said, still even if it were, Microsoft’s efforts are far from what would make anyone win something. Yes, Microsoft bought “live.com” and made stuff on this and has a whole herd of 13 year old using MSN and writing blogs there, but if this is what you would call “win the web”, then Skyblog is just the same.

So, let’s just see if there’s still something in Microsoft’s bag, or if that’s just the usual barking we hear for years (and yeah, on microsoft.com you still have this old Linux-Windows servers comparison. This is 100% neutral, I swear. And yeah, linux is less reliable than windows, less secure, and costs way more than Windows. Of course your child will know how to manage your windows server, so no need to hire anyone.