Avon wrote to All <=-
Just a quick request to solicit for any feedback you may wish to
share about fsxNet.
If you have any thoughts on how things are going at present,
stuff you would like to see more/less of, ideas for echos/file
areas etc to add/remove etc. Stuff that could be done differently
or things reinstated etc.
You get the idea. Any feedback good, bad or otherwise appreciated.
If you have any thoughts on how things are going at present, stuff you would like to see more/less of, ideas for echos/file areas etc to add/remove etc. Stuff that could be done differently or things reinstated etc.
Avon wrote to All <=-
If you have any thoughts on how things are going at present, stuff you would like to see more/less of, ideas for echos/file areas etc to add/remove etc. Stuff that could be done differently or things
reinstated etc.
You get the idea. Any feedback good, bad or otherwise appreciated.
If you have any thoughts on how things are going at present, stuff you would like to see more/less of, ideas for echos/file areas etc to add/remove etc. Stuff that could be done differently or things
reinstated etc.
FSX.HAMBURGERS - and beyond
2) Better message threading (in FSX_GENERAL).
No idea how to achieve this.
2) Better message threading (in FSX_GENERAL).
No idea how to achieve this.
This is the job of the message editor used by the users.
But yes, this is a problem that cuts some threads into smaller sub-threads with no connection between the messages.
Just a quick request to solicit for any feedback you may wish to share
about fsxNet.
If you have any thoughts on how things are going at present, stuff you
would like to see more/less of, ideas for echos/file areas etc to
add/remove etc. Stuff that could be done differently or things reinstated etc.
This is the job of the message editor used by the users.
That's the problem, there is no easy way to fix it. Or is there?
For me this is the biggest usability problem in fsxNet. It works fine in othernets (like Fidonet), so it's not an FTN problem in general.
Just a quick request to solicit for any feedback you may wish to share about fsxNet.
We could use more areas, just what areas I am not sure. I wouldn't want
to see a long list of areas that are not used but a healthy list of
areas where people can talk about... things. :)
I have been thinking of starting a new FDN for gaming related files. I am something of a gamer. I like games like Doom, Quake, Unreal, Duke3D and others.
If that fits fsxNet and the users are interested in that we could do
that.
The only thing I'm thinking about:
- Consolidate the several BBS software support echos into FSX_BBS
- maybe create a RetroComputing echo? :)
Why? What is the disadvantage of low-traffic echos? It's not that
echomail areas are a limited resource.
At least keep FSX_MYS seperate or 90% of the messages in FSX_BBS would
be about Mystic.
I have been thinking of starting a new FDN for gaming related files. I
am something of a gamer. I like games like Doom, Quake, Unreal, Duke3D
and others.
The only thing I'm thinking about:
- Consolidate the several BBS software support echos into FSX_BBS
Why? What is the disadvantage of low-traffic echos? It's not that echomail areas are a limited resource.
At least keep FSX_MYS seperate or 90% of the messages in FSX_BBS would be about Mystic.
a game echo and some file bases appeals.. I was think also for other
echos perhaps something that covers Marvel/DC comics/movies etc... and something about Space stuff so SpaceX,Nasa etc... anyway I'll be quiet again.
It also allows others to filter out what might otherwise be noise to
them, I'm sure there are plenty of mystic users who couldn't care less about talisman posts, and vice versa. It's not a bad thing, just not everyone wants to spend their time on everything.
i have noticed that fsxNet seems to be largely technical and lacking of a 'entertainment' sort of echo. the general echo seems to be a stand in for just about everything.
that said i haven't noticed a time where i was like "all of these movie messages.. i wish they were going somewhere else so i didn't have to sift through them"
i have noticed that fsxNet seems to be largely technical and lacking
of a 'entertainment' sort of echo. the general echo seems to be a
stand in for just about everything.
that said i haven't noticed a time where i was like "all of these
movie messages.. i wish they were going somewhere else so i didn't
have to sift through them"
Black Panther wrote to Avon <=-
more hours in the day
1) Long names for the echomail areas:
Al wrote to Avon <=-
We could use more areas, just what areas I am not sure. I wouldn't want
to see a long list of areas that are not used but a healthy list of
areas where people can talk about... things. :)
I have been thinking of starting a new FDN for gaming related files. I am something of a gamer. I like games like Doom, Quake, Unreal, Duke3D and others.
Isnt that gamenet?
@BBSID: TRMB
Re: fsxNet Feedback
By: deon to Al on Thu May 06 2021 02:21 pm
Isnt that gamenet?
I don't actually know what is going on in gamenet these days. I still
get applications for gamenet from time to time but I have no access to
the server anymore so I ask those applicants to send their app to
Marissa.
I still poll the gamenet hub for netmail if that ever happens but I
haven't got a netmail for a long time and I'm not sure how that is all setup now.
But no, what I was speaking of is something we may do here, we'll have
to see how all this feed back and stuff shakes out.
Ttyl :-),
Al
i tried to apply at Marissa, but no response :(
messages waiting in FSX_GEN. It'd be nice to split them up into other echoes, but I don't have an idea as to how to do that, either.
There are worse problems for a network to have.
Many thanks to everyone who took the time to reply to this thread. If you have not yet, do feel free to do so.
It's Sat morning here and I have a full day coming up. What I am
planning to do next is to try and spend some time tonight to write up
all the feedback and then post a summary of it here to ensure I have captured the main themes etc. correctly.
Is there a need for separate BBS echos? Could they be merged
to one? (+1 agree).
Thanks again for this feedback. It's very helpful.
Here's the summary of what we've put forward thus far.[...]
Security / Privacy ==================
Binkp secure encryption for all hubs.
Better privacy.
SSH officially supported.
SSH for specific echos.
Security / Privacy ==================
Binkp secure encryption for all hubs.
Better privacy.
SSH officially supported.
SSH for specific echos.
There would probably need to be more discussion around this. I'm all for adding privacy/encryption to things, but it's only as strong as its weakest link. I'm not sure echomail was ever designed with privacy in mind.
BBSs were pretty secure back in the day. There was no http, ftp,
gopher or any internet involved. There was simply a BBS login.. :)
We can provide echo areas and netmail, but not privacy. Not today.
*** Quoting Avon from a message to All ***
Security / Privacy ==================
Binkp secure encryption for all hubs.
Better privacy.
SSH officially supported.
SSH for specific echos.
There would probably need to be more discussion around this. I'm all for adding privacy/encryption to things, but it's only as
strong as its weakest link. I'm not sure echomail was ever designed with privacy in mind.
Sure there could be a policy put in place that FSX_SECURE is only to be made available over SSH connections, e.g: s20OS on Mystic,
which would mean my Telegard system couldn't carry it it all, but then how can you enforce that it's only distributed over secure
bink connections?
We can provide echo areas and netmail, but not privacy.
Not today.
And lets assume for a moment we have such an echo
available, and it's configured correctly on every system.
What do we talk about there? I'm not sure what I type on
my keyboard varies that much based on if the channel is
encrypted, except perhaps if I'm entering a credit card
number.
Al wrote to Avon <=-
Re: Re: fsxNet Feedback
By: Avon to All on Sun May 09 2021 01:51 pm
Is there a need for separate BBS echos? Could they be merged
to one? (+1 agree).
-1
I don't think individual areas for different software is a bad thing
and folks can connect or not as they choose.
Here's the summary of what we've put forward thus far. I've tried to
If there's anything missing from this brain dump of feedback etc. also
let me know.
After a few more days to ensure this is correct my next steps will be to respond to it all and try to put some order around what we can work on addressing first, second etc.
Final call for anything else you want to add. I plan to circle back to this thread in the coming day or so.
A file area for themes perhaps.
It's out of my own skill set but that could be useful.
Do you mean BBS themes, menus and ANSIs etc.?
Yes, mystic has a new themes setup that folks can use to build their own themes.
Synchronet also can do that although it works in it's own way.
I was thinking of a file area where these sort of files could be shared when authors want to do that.
Final call for anything else you want to add. I plan to circle back to this thread in the coming day or so.
Security / Privacy
==================
Binkp secure encryption for all hubs.
Better privacy.
SSH officially supported.
SSH for specific echos.
# More discussion needed around these points. It's only as strong as weakest link and echomail may not have been designed with privacy in
mind. How best to enforce an echomail area only available via SSH?
# We could choose to 'secure' the network using something like ZeroTier
# We can offer echos and netmail but not privacy
There are several aspects where the current practice in fsxNet and the
BBSs connected to it are not compatible with the GDPR in the EU
(General Data Protection Regulation) (I guess there are other
countries with strict privacy laws that might apply too).
# We could choose to 'secure' the network using something like ZeroTierI used ZeroTier and it's quite easy to setup and works, but I dislike the idea to use a commercial provider for the basic infrastructure. FTN is DIY.
I don't really understand how european laws are enforcable in
non-european nations? If the BBS was in europe, sure, they must comply to european laws, but if a BBS is in another country.. do we have
international agreements to honour GDPR laws? Am I going to get
extradited from Australia if a European user logs into my BBS?
There are several aspects where the current practice in fsxNet and the
BBSs connected to it are not compatible with the GDPR in the EU
(General Data Protection Regulation) (I guess there are other
countries with strict privacy laws that might apply too).
I don't really understand how european laws are enforcable in
non-european nations? If the BBS was in europe, sure, they must comply to european laws, but if a BBS is in another country.. do we have international agreements to honour GDPR laws? Am I going to get
extradited from Australia if a European user logs into my BBS?
I don't see any need to block europeans from fsxnet / BBSing, it's up to them to comply with their own laws. What's to stop a european from
logging into a BBS via a proxy even if we did block them all out?
Ok, now say we care about the GDPR, how do we comply? is it simply a
matter of having a privacy policy?
Personally, I don't care. I'm not in europe, I'm never going to europe,
and I'm kind of offended that europeans think they can enforce their moronic laws on the entire world?
So you don't know the GDPR, but you know it is a moronic law? I wonder
how a non-moronic law would look like and work.
- don't store and process personal data that are not technical
essential
- get informed consent for the storage and processing of personal data
in advance
- don't make optional (non-essential) personal data a condition (as in non-optional) for using the service
- don't leak / transmit personal data to third parties (without
informed consent)
# We could choose to 'secure' the network using something like
ZeroTier
I used ZeroTier and it's quite easy to setup and works, but I
dislike the idea to use a commercial provider for the basic
infrastructure. FTN is DIY.
You dont have to use "a provider" with ZeroTier.
I run a ZeroTier network that is independant of "zerotier" (the provider) itself.
While you may argue that you "find" me through their root server (which
is the default) - it doesnt "have" to operate that way. I can populate a "moon" that you "orbit" around (their terms, not mine) so that zerotier
can be turned off and our connection still works.
I know ZeroTier were working on personal "roots" so that this moon thing has a less of a value (and they are no longer a sudo dependancy). (I
havent kept up with it recently though.)
The other good thing, with ZeroTier, you dont necessarily provide anybody on the network (who needs to be authorised if it is configured to do so), to see everything on all ports. You can firewall it to a certain extent
(at the network layer), such that only specific ports are permitted on
the network. (I did setup the FSX zerotier network this way.) (You could also have your own running firewall as well if you wanted.)
Is it completely independent?
Wikipedia tells me: "Virtual networks are created and managed using a ZeroTier controller. Management is done using an API,
proprietary web-based UI (ZeroTier Central), open-source web-based or CLI alternative. Using root servers other than those hosted by
ZeroTier Inc. is *impeded* by the software's license.
Can I configure the ports or has the admin the power to change the rules at will?
Is it possible to use ZeroTier in a really decentralized way?
Is it completely independent?
Yes - https://www.zerotier.com/manual/#4_4
Wikipedia tells me: "Virtual networks are created and managed using
a ZeroTier controller. Management is done using an API, proprietary
web-based UI (ZeroTier Central), open-source web-based or CLI
alternative. Using root servers other than those hosted by ZeroTier
Inc. is *impeded* by the software's license.
It seems illogical to impede the use of their roots via the software license, when their documentation tells you how to do it (via moons).
Can I configure the ports or has the admin the power to change the
rules at will?
The owner of the network controls the ports for the network. But you with
a (virtual) interface to the network can apply your OS level firewalling
- in the same way you may want to firewall one host from another on the same ethernet network.
Is it possible to use ZeroTier in a really decentralized way?
Yes, I believe so - even though I've not actually tried it with any
system not connected to the internet.
[...]
If zerotier
shuts down their root servers, you will still continue to function if you have my moon configured.
Oli wrote to deon <=-
I agree. It also would not qualify as Open Source software / license.
Another incredibly powerful feature of ZeroTier is the ability to tap the entire network regardless of how widely distributed its
nodes are. Using the tee ability within a flow rule essentially copies every frame sent/received by nodes on the network and sends it
to a node of your choice such as an IDS or full packet capture solution such as Moloch.
from: https://blog.reconinfosec.com/locking-down-zerotier/
see also: https://www.zerotier.com/2016/08/31/capability-based-security-for-virtual-networks/
headline "Global Rules and Security Monitoring"
Is there a way to prevent this?
It's still kind of centralized (your moon).
While still a "VPN" - it is still semi public, so you still have obligations. Their are people you dont know on the network - but not
*anybody* - the network "admin" can choose to "authorise" (or not) those requesting to join it.
So in the case of a
Why not investigate OpenVPN? A dedicated hub feed to a european hub
deon wrote to N1uro <=-
OpenVPN is not point to point, but rather point to Hub. And sure an OpenVPN network could be created so that each hub was an OpenVPN hub,
but then me communicating to you (eg: crashing something to you) is dependant on our hubs being up.
ZeroTier is peer to peer - so if you are a node, and I am a node, we
can find each other. While we find each other via the root nodes
(called planets) provided by zerotier itself - we could also find each other via "our" roots (called moons) - and each hub could be a moon as well as anybody else who wanted to be one.
You only need to find one active moon to find me.
Any VPN has to have some sort of a hub. Even ZeroTier. At least with OpenVPN it's open source, and we could customize it to how we
see fit and we need
not announce which port or which protocol type we decide to use.
The root nodes in this case would be hubs. There needs to be a central point within each network to host and serve the proper
security certs. Even with OpenVPN, a point/node would still be able to see another point/node within the private IP network. That
The root nodes in this case would be hubs. There needs to be a central point within each network to host and serve the proper
security certs. Even with OpenVPN, a point/node would still be able to see another point/node within the private IP network.
That
So no.
Like web serving - the DNS server has nothing to do with the SSL exchange that occurs when you "A" and the server "C" when you are
browsing a secure website.
deon wrote to N1uro <=-
So I dont agree with you.
So I dont agree with you.That's perfectly fine and I'm happy to accept this. I will however
say that what you describe is not how I've had OpenVPN working in a
major corporate environment nor is it how IP works when you factor in the netmask of a subnet.
I'm on a subnet of 44/9 which is somewhat of a vpn minus the encryption. 44.0.0.1 is the host and where BGP is announced. My IP is
44.88.0.9 however
my path to a point in New Jersey does NOT go to 44.0.0.1, it is direct:
traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms
deon wrote to N1uro <=-
Its direct via the "hub" though right?
44/9 includes both 44.88.0.9 and 44.0.0.1 (and 44.64.10.33)
Network: 44.0.0.0/9 00101100.0 0000000.00000000.00000000 HostMin: 44.0.0.1 00101100.0 0000000.00000000.00000001 HostMax: 44.127.255.254 00101100.0 1111111.11111111.11111110 Broadcast: 44.127.255.255 00101100.0 1111111.11111111.11111111
If you did a tcpdump -ni tun0 on 44.0.0.1 you would see the packets
coming in (from your real IP) and going out again (to the other IP). Traceroute doest show it because you are not technically traversing a router (because it is a /9 network).
traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms
So, if you turn off 44.0.0.1, can you still ping 44.64.10.33 from 44.88.0.9?
Further the performance of your network traffic to 44.64.10.33 is
limited by the your link, 44.0.0.1's link and 44.64.10.33. If any of
those links gets "busy", especially 44.0.0.1 your peformance is
impacted.
it like OpenVPN would do. So in the policy route table I have for 44/9 this is one of hundreds of routes:
44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840
traceroute to wb2snn.ampr.org (44.64.10.33), 30 hops max, 60 byte packets
1 gw.n1uro.ampr.org (44.88.0.1) 5.670 ms 6.102 ms 6.095 ms
2 wb2ona.ampr.org (44.64.255.225) 41.601 ms 45.571 ms 46.421 ms
After a few more days to ensure this is correct my next steps will be respond to it all and try to put some order around what we can work o addressing first, second etc.
Final call for anything else you want to add. I plan to circle back to this thread in the coming day or so.
deon wrote to N1uro <=-
So things werent adding up for me with your explaination of what you
were doing. I think we were coming from 2 different contexts.
I was lead to believe that "the network" as 44/9 and that the OpenVPN server surved that subnet to clients. So as a client on the network,
your address would have been a /9. (I should have picked that up when
you gave your ping output.)
But in your message, you shared this:this
it like OpenVPN would do. So in the policy route table I have for 44/9
is one of hundreds of routes:
44.64.10.32/27 via 24.0.91.254 dev tunl0 proto 44 onlink window 840
So its not really a single /9 vpn network, its multiple networks, and
you have a /27 vpn network and you route 44/9 over it.
And given that 44.0.0.1 goes "offline" without loss of connectivity to
you to 44.88.0.9 that means that the other end of your OpenVPN link
also has an alternative link to 44.88.0.9 (directly or indirectly).
Anyway, OpenVPN is a viable "vpn" alternative - I agree, but I think it requires too many management points, sets of servers running OpenVPN
and configuration to multiple parts of the network to provide
redundancy. (Too much for a simple BBS network.)
In contrast (which is how this thread started), ZeroTier is peer to
peer and just requires you to run a client and me. Since I'm managing
"my" network, I'm using a personal "controller" (not zerotiers) - and
you find me by requesting the controllers network address. Once I authorise you on the network, you dont route your traffic through my controller, you connect direct to me point to point.
Where the concern also was, is that ZeroTier's root servers are
required for you to find me - implying if they turned them off you couldnt. That's not true however, since I can define a personal root server (called a moon and more for redundancy), which you configure to find me without ZeroTiers invovlement.
I recall reading at some point that ZeroTier were going to enable you
to advertise your own "root servers" (since the root server's address
is harded coded in the client - in much the same way that DNS servers
(the DNS analogy) have a standard root server configuration). If and
when they do that, then ZeroTier could turn off their root servers and
you would still be able to find me (and no moons required).
I agree. It also would not qualify as Open Source software /
license.
Just to try and help offer another possible solution to this issue as a network engineer:
Why not investigate OpenVPN?
A dedicated hub feed to a european hub
can set up DNS locally to feed a hub in europe over OpenVPN using either TCP or UDP and choose ports, and maintain custom certs that may have a
long expiration date on them... and then it'd be up to that european hub
to feed the rest of europe - insuring that their laws are followed.
So in the case of a "network" setup for "fsx" - the network admin would authorise nodes to access the "fsx" network (I would suggest based on
their application to join the network) - and de-authorise them when they leave the network.
We are still strangers here, but we are a list of known strangers and we can identify who is doing something in appropriate on the network and
take action if that is deemeed the right response.
But at the same time,
our conversations and traffic is encrypted from the outside world.
Anybody outside of the network cant get to our systems and do stuff
(which is the script kiddies reference I made when I started this thread).
Another incredibly powerful feature of ZeroTier is the ability to
tap the entire network regardless of how widely distributed its
nodes are.
Is there a way to prevent this?
I dont see this as an issue, it would be no differnet to tcpdump -ni eth0:
Anybody outside of the network cant get to our systems and do stuff
(which is the script kiddies reference I made when I started this thread).
So you propose everything should happen within the VPN? No open BBS / binkp ports to the real Internet?
So in the case of a "network" setup for "fsx" - the network admin would authorise nodes to access the "fsx" network (I would suggest based on
their application to join the network) - and de-authorise them when they leave the network.
-1
We are still strangers here, but we are a list of known strangers and we can identify who is doing something in appropriate on the network and
take action if that is deemeed the right response.
-1
there are other ways for encryption, which fit the FTN model better.
Another incredibly powerful feature of ZeroTier is the ability to
tap the entire network regardless of how widely distributed its
nodes are.
Is there a way to prevent this?
I dont see this as an issue, it would be no differnet to tcpdump -ni eth0:
I was not aware that you can monitor all of my fsxnet traffic with a tcpdump on your side.
For a corporate network this is obviously a feature, but in our use case I would call it a security flaw.
Oli wrote to N1uro <=-
N1uro wrote (2021-05-14):
p2p connections work by default in ZeroTier. Does OpenVPN do any NAT
hole punching? A known and simpler alternative would be tinc. OpenVPN
has also become kind of old-tech. Is there anything wireguard wouldn't
do simpler and better (for our use case)?
Personally I'm not interested in a top-down approach with admin(s) maintaining certs and granting and revoking access. I would call it unnecessary centralization (bullshit power & small bus factor). FTN are
on the lower layer decentralized and designed as "cooperative anarchy".
It's not that I don't appreciate your initiative to setup OpenVPN for
the network, I just doubt that standard VPNs are a good fit for FTN.
(not sure what the European hub and laws part is about)
Sysop: | altere |
---|---|
Location: | Houston, TX |
Users: | 66 |
Nodes: | 4 (0 / 4) |
Uptime: | 11:39:19 |
Calls: | 728 |
Calls today: | 1 |
Files: | 7,667 |
Messages: | 295,547 |