Talk:XS Configuration Management: Difference between revisions

From OLPC
No edit summary
(host security)
 
(3 intermediate revisions by 2 users not shown)
Hi, just wondering about a firewall function in the XS server, i.e., with dual NICs using one 'real' IP on ETH0 and then all school PCs are assigned a 10.x.x.x address via DHCP on ETH1. IPTables would take care of the routing between interfaces.


:There can be a firewall there, but there isn't. Unlike the Windows world, we expect our laptops to protect themselves. There is often going to be a NAT functionality (in IPv4), but we are working to provide IPv6 tunneling to allow school laptops to be full-fledged residents of the Internet.
:There can be a firewall there, but there isn't. There is often going to be a NAT functionality (in IPv4), but we are working to provide IPv6 tunneling to allow school laptops to be full-fledged residents of the Internet. Unlike the Windows world, we expect our laptops to protect themselves.

::I'm for host security, how is the division of labor handled?
:::http://www.faqs.org/rfcs/rfc1173.html (RFC 1173) suggests one way, but that was before there were a billion computers on the internet. Should the user be provided with a way of knowing their computer is being attacked/abused and give them the option of going off the network for a while? Or can this be done with some automated tools?


:That said, there will be ''some'' application proxies at the servers (hooked in using iptables). HTTP cache for sure, and possibly others. These are only contemplated if they greatly improve the performance of the network at little cost to a particular and well-known application. --[[User:Wad|Wad]] 22:48, 16 January 2008 (EST)


Remote School server access --
=== Remote School server access ===


I don't see it discussed anywhere, but can an XO access the server remotely, rather than through mesh? For example, can an XO talk to a local WAP and communicate with a server over the internet? [[User:Rmyers|Rmyers]] 16:49, 7 March 2008 (EST)

:Absolutely. Laptops can access the presence service from anywhere on the Internet to collaborate with their school mates. Unfortunately, the realities of most school networks preclude this, placing the school server behind one or more layers of NAT from the Internet. --[[User:Wad|Wad]] 04:07, 27 August 2008 (UTC)


=== Access to multiple school servers ===
This may be more of a presence question - can an XO use multiple presence services?
If my school server is behind a firewall when I'm not on campus, can I use an alternate
server (one I set up for my friends?) in addition to my 'home' school server?

Latest revision as of 10:57, 19 October 2008

Hi, just wondering about a firewall function in the XS server, i.e., with dual NICs using one 'real' IP on ETH0 and then all school PCs are assigned a 10.x.x.x address via DHCP on ETH1. IPTables would take care of the routing between interfaces.

There can be a firewall there, but there isn't. There is often going to be a NAT functionality (in IPv4), but we are working to provide IPv6 tunneling to allow school laptops to be full-fledged residents of the Internet. Unlike the Windows world, we expect our laptops to protect themselves.
I'm for host security, how is the division of labor handled?
http://www.faqs.org/rfcs/rfc1173.html (RFC 1173) suggests one way, but that was before there were a billion computers on the internet. Should the user be provided with a way of knowing their computer is being attacked/abused and give them the option of going off the network for a while? Or can this be done with some automated tools?
That said, there will be some application proxies at the servers (hooked in using iptables). HTTP cache for sure, and possibly others. These are only contemplated if they greatly improve the performance of the network at little cost to a particular and well-known application. --Wad 22:48, 16 January 2008 (EST)

Remote School server access

I don't see it discussed anywhere, but can an XO access the server remotely, rather than through mesh? For example, can an XO talk to a local WAP and communicate with a server over the internet? Rmyers 16:49, 7 March 2008 (EST)

Absolutely. Laptops can access the presence service from anywhere on the Internet to collaborate with their school mates. Unfortunately, the realities of most school networks preclude this, placing the school server behind one or more layers of NAT from the Internet. --Wad 04:07, 27 August 2008 (UTC)


Access to multiple school servers

This may be more of a presence question - can an XO use multiple presence services? If my school server is behind a firewall when I'm not on campus, can I use an alternate server (one I set up for my friends?) in addition to my 'home' school server?