I've got a project coming up that requires me to protect hosts from each other within a network. Specifically, we've a class C subnet, and some addresses are assigned to customers (only a handful) we resell bandwidth to. At present they are just plugged into our frontend network - not as bad as it sounds as we manage the customer routers involved. However, I want to improve that, so that "misconfiguration" of any customer device cannot take out our network - not that I'd ever fail to notice an old router where the gateway address box is first in list (ie gateway is where device IP normally is, and vice-versa) and so configure it with a duplicate IP address for our gateway (oops).

So my plan is to knock up a small box, with a VLAN capable switch, so that each customer has their own network segment. What's the best way to configure this? As I see it, there are two approaches:

1) Bridge.
Configure all the customer VLANs and our frontend network on a bridge, and filter the traffic to only allow the specific IP (or IPs) to work in each VLAN.

2) Proxy ARP
http://shorewall.net/ProxyARP.htm
which seems like it'll do the job.

Just for good measure, ideally I'd like to get DHCP working so each customer can "just plug in" and we don't need to manually configure their router for them. I'm well flummoxed on how to make that work! But that's a different mailing list. Might need a DHCP instance per port.

So expanding on the example in the Proxy ARP page, I want it so that the device at 130.252.100.18 can only use that address. If it gets configured with 130.252.100.19 or worse, 130.252.100.17, it won't "take out" the network but will just "not work". Does the proxy ARP setup provide that level of protection? I don't need any other filtering - they are outside of our main firewall etc (so the policy will be allow any->any).
------------------------------------------------------------------------------ Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS, MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft MVPs and experts. ON SALE this month only -- learn more at: http://p.sf.net/sfu/learnmore_123012
> I've got a project coming up that requires me to protect hosts from each other within a network. Specifically, we've a class C subnet, and some addresses are assigned to customers (only a handful) we resell bandwidth to. At present they are just plugged into our frontend network - not as bad as it sounds as we manage the customer routers involved. However, I want to improve that, so that "misconfiguration" of any customer device cannot take out our network - not that I'd ever fail to notice an old router where the gateway address box is first in list (ie gateway is where device IP normally is, and vice-versa) and so configure it with a duplicate IP address for our gateway (oops).
>
> So my plan is to knock up a small box, with a VLAN capable switch, so that each customer has their own network segment. What's the best way to configure this? As I see it, there are two approaches:
>
> 1) Bridge.
> Configure all the customer VLANs and our frontend network on a bridge, and filter the traffic to only allow the specific IP (or IPs) to work in each VLAN.
>
> 2) Proxy ARP
> http://shorewall.net/ProxyARP.htm
> which seems like it'll do the job.
>
> Just for good measure, ideally I'd like to get DHCP working so each customer can "just plug in" and we don't need to manually configure their router for them. I'm well flummoxed on how to make that work! But that's a different mailing list. Might need a DHCP instance per port.

I'm not sure I understood exactly, but is it so that you'll have one VLAN interface per client on the box? If so then I think ISC DHCP will work as long as you make it listen on all those interfaces. It will complain about it with "Multiple interfaces match the same blabla" but works fine.

> So expanding on the example in the Proxy ARP page, I want it so that the device at 130.252.100.18 can only use that address. If it gets configured with 130.252.100.19 or worse, 130.252.100.17, it won't "take out" the network but will just "not work". Does the proxy ARP setup provide that level of protection? I don't need any other filtering - they are outside of our main firewall etc (so the policy will be allow any->any).

Again, if it works as I expected above then I guess it will work. But that's different than the example because 130.252.100.18 and 130.252.100.19 all share eth1 and not different interfaces.

Regards,
Simon
"Simon Matter" wrote:
> I'm not sure I understood exactly, but is it so that you'll have one VLAN interface per client on the box? If so then I think ISC DHCP will work as long as you make it listen on all those interfaces. It will complain about it with "Multiple interfaces match the same blabla" but works fine.

Yep, that's it. I'm thinking I might need to run one instance of dhcpd per VLAN, otherwise it will be difficult determining what gets what lease. With one instance/vlan I can just do a subnet declaration for a.b.c.0/24, and define a range with one address in it. Should work, though not the simplest setup to manage!

> Again, if it works as I expected above then I guess it will work. But that's different than the example because 130.252.100.18 and 130.252.100.19 all share eth1 and not different interfaces.

Indeed, I'll be using VLANs on the switch to separate them.

Back at work Monday, so I can start experimenting.
On 12/31/2012 05:44 AM, Simon Hobson wrote:
> "Simon Matter" wrote:
>> I'm not sure I understood exactly, but is it so that you'll have one VLAN interface per client on the box? If so then I think ISC DHCP will work as long as you make it listen on all those interfaces. It will complain about it with "Multiple interfaces match the same blabla" but works fine.
>
> Yep, that's it. I'm thinking I might need to run one instance of dhcpd per VLAN, otherwise it will be difficult determining what gets what lease. With one instance/vlan I can just do a subnet declaration for a.b.c.0/24, and define a range with one address in it. Should work, though not the simplest setup to manage!
>
>> Again, if it works as I expected above then I guess it will work. But that's different than the example because 130.252.100.18 and 130.252.100.19 all share eth1 and not different interfaces.
>
> Indeed, I'll be using VLANs on the switch to separate them.
>
> Back at work Monday, so I can start experimenting.

In this setup, I would simply set the 'proxyarp' option on all interfaces and not worry about entries in /etc/shorewall/proxyarp. And I would not use a bridge -- I would subnet the /24 and route between the VLANs.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep wrote:
> In this setup, I would simply set the 'proxyarp' option on all interfaces and not worry about entries in /etc/shorewall/proxyarp.

I have one question here. I use routing entries to direct traffic for specific IP addresses to the right VLAN, and proxy-arp takes care of the rest. If a device is misconfigured, it'll then send out ARP requests giving its own incorrect IP address as its source. As I understand it, the proxy ARP code will simply repeat that ARP request over the appropriate interface - which means we could "hijack" an IP address that's in use. So I definitely need to do <something> to prevent this - I know the misconfigured device won't actually get any replies, but it could still poison ARP caches on the network. Or have I missed something?

> And I would not use a bridge -- I would subnet the /24 and route between the VLANs.

Yes, that would be the ideal way, but for a variety of reasons it isn't going to happen. Not least, it would probably take weeks (or even months!) to shuffle stuff around - I could shift my stuff fairly quickly, but there's stuff I don't manage, and it can be "difficult" getting changes made. Amongst the changes needed would be to move the default gateway - which of course means reconfiguring everything on the network - while not updating the netmask on a few things might not be the end of the world. Very much a case of "I wouldn't start from here" if I had the choice.

Also, once I've got it working, there may be other sites we'd want to use it on where we wouldn't have the luxury of spare addresses. We've just lost one site where we had just a /28 (14 usable addresses) and over a dozen customers connected.
On 12/31/2012 09:17 AM, Simon Hobson wrote:
> Tom Eastep wrote:
>> In this setup, I would simply set the 'proxyarp' option on all interfaces and not worry about entries in /etc/shorewall/proxyarp.
>
> I have one question here. I use routing entries to direct traffic for specific IP addresses to the right VLAN, and proxy-arp takes care of the rest. If a device is misconfigured, it'll then send out ARP requests giving its own incorrect IP address as its source. As I understand it, the proxy ARP code will simply repeat that ARP request over the appropriate interface - which means we could "hijack" an IP address that's in use. So I definitely need to do <something> to prevent this - I know the misconfigured device won't actually get any replies, but it could still poison ARP caches on the network. Or have I missed something?

The ARP request will be dropped as a martian if you set route_filter on the VLAN interfaces.

>> And I would not use a bridge -- I would subnet the /24 and route between the VLANs.
>
> Yes, that would be the ideal way, but for a variety of reasons it isn't going to happen. Not least, it would probably take weeks (or even months!) to shuffle stuff around - I could shift my stuff fairly quickly, but there's stuff I don't manage, and it can be "difficult" getting changes made. Amongst the changes needed would be to move the default gateway - which of course means reconfiguring everything on the network - while not updating the netmask on a few things might not be the end of the world. Very much a case of "I wouldn't start from here" if I had the choice.

Shorewall can't help you in the case of a bridge -- neither can routefilter. You would have to use arptables to prevent a misconfigured host from hijacking your network.

> Also, once I've got it working, there may be other sites we'd want to use it on where we wouldn't have the luxury of spare addresses. We've just lost one site where we had just a /28 (14 usable addresses) and over a dozen customers connected.

-Tom
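The two replies above (set proxyarp on every interface and route each customer address to its VLAN; let routefilter drop a misconfigured sender as a martian, or use arptables where the box is a bridge) can be turned into a small generator. The script below is an added example, not Shorewall's code and not anything posted in the thread. It assumes a frontend interface eth0, a per-customer table of "VLAN interface, allowed IP, optional MAC" (the sample rows are constructed, using the addresses from the ProxyARP page), and that the kernel knobs behind Shorewall's 'proxyarp' and 'routefilter' interface options are proxy_arp and rp_filter. The arptables input chain is INPUT on upstream arptables; set ARPT_INPUT=IN for Fedora's arptables_jf, which names its chains differently (as noted later in this thread). Without arguments it only prints what it would run; with --apply it runs it.

```shell
#!/bin/sh
# Added example: per-customer plumbing for the proxy-ARP variant discussed
# in the thread. Not from the thread and not part of Shorewall.
# Hypothetical values: UPSTREAM=eth0, the CUSTOMERS table below, chain names.

UPSTREAM=${UPSTREAM:-eth0}
ARPT_INPUT=${ARPT_INPUT:-INPUT}          # "IN" on Fedora's arptables_jf
ARPT_CHAIN=${ARPT_CHAIN:-CUSTOMER_ARP}   # user chain we own, so re-runs are idempotent

# Constructed sample table: "<vlan-interface> <allowed-ip> [<allowed-mac>]"
CUSTOMERS='
vlan101 130.252.100.18 00:11:22:33:44:55
vlan102 130.252.100.19
'

rows() { printf '%s\n' "$CUSTOMERS" | grep -v '^[[:space:]]*$'; }

# Routing side: a /32 host route sends each customer address down its VLAN,
# proxy_arp on every interface makes the box answer ARP for addresses it
# routes elsewhere (Tom's "proxyarp on all interfaces"), and rp_filter=1
# (Shorewall 'routefilter') makes the kernel reverse-path check the sender of
# an ARP request: a router on vlan101 claiming 130.252.100.17 would reverse-
# route to eth0, so the request is logged as a martian and dropped.
# This relies on the box's own /24 (and default route) living on $UPSTREAM.
gen_routes() {
    rows | while read -r ifc ip mac; do
        echo "ip link set dev $ifc up"
        echo "ip route replace $ip/32 dev $ifc"
        echo "sysctl -q -w net.ipv4.conf.$ifc.proxy_arp=1"
        echo "sysctl -q -w net.ipv4.conf.$ifc.rp_filter=1"
    done
    echo "sysctl -q -w net.ipv4.conf.$UPSTREAM.proxy_arp=1"
}

# ARP side: pin each VLAN to its address at layer 2 as well. ARP arriving on
# vlan101 whose sender IP is not 130.252.100.18 is dropped before the kernel
# can learn it; where a MAC is listed, the right IP from the wrong MAC is
# dropped too. $1 is the chain to hang the rules off: INPUT (or IN) for this
# routed setup. For the bridge variant pass FORWARD instead and make sure
# net.bridge.bridge-nf-call-arptables=1, otherwise bridged ARP never gets there.
gen_arptables() {
    base=${1:-$ARPT_INPUT}
    echo "arptables -N $ARPT_CHAIN 2>/dev/null || true"
    echo "arptables -F $ARPT_CHAIN"
    echo "arptables -D $base -j $ARPT_CHAIN 2>/dev/null || true"
    echo "arptables -A $base -j $ARPT_CHAIN"
    rows | while read -r ifc ip mac; do
        echo "arptables -A $ARPT_CHAIN -i $ifc ! -s $ip -j DROP"
        if [ -n "$mac" ]; then
            echo "arptables -A $ARPT_CHAIN -i $ifc ! --source-mac $mac -j DROP"
        fi
    done
    echo "arptables -A $ARPT_CHAIN -j RETURN"   # anything else: back to $base's policy
}

apply() {   # needs root, iproute2 and arptables on the box
    gen_routes | sh -e
    gen_arptables | sh -e
}

case "${1:-}" in
    --apply) apply ;;
    *) gen_routes; gen_arptables ;;   # dry run: show what would be executed
esac
```

Run it from /etc/shorewall/started (the hook Mr Dash Four mentions below) with --apply so the arptables rules come back after every shorewall restart; Shorewall itself only manages iptables. Note that the arptables rules also drop the sender-0.0.0.0 probes a DHCP client sends before taking an address; that is harmless, since a dropped probe simply gets no reply.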
On 12/31/2012 11:44 PM, Simon Hobson wrote:
> "Simon Matter" wrote:
>> I'm not sure I understood exactly, but is it so that you'll have one VLAN interface per client on the box? If so then I think ISC DHCP will work as long as you make it listen on all those interfaces. It will complain about it with "Multiple interfaces match the same blabla" but works fine.
>
> Yep, that's it. I'm thinking I might need to run one instance of dhcpd per VLAN, otherwise it will be difficult determining what gets what lease. With one instance/vlan I can just do a subnet declaration for a.b.c.0/24, and define a range with one address in it. Should work, though not the simplest setup to manage!

There's no need to run multiple instances of dhcpd for multiple VLANs. Just define them as separate subnets, give your DHCP server an interface in each subnet, and it will automatically allocate clients from the right range. (Or you could use your switches as DHCP relays and have them include option 82; dhcpd will still pick the right subnet range under that circumstance as well.)

I can show you working examples of the correct dhcpd and switch configs (for HP Comware and ProCurve switches) if you need them.

Paul
> Shorewall can't help you in the case of a bridge -- neither can routefilter. You would have to use arptables to prevent a misconfigured host from hijacking your network.

Which is exactly why I use arptables to "manually" craft my INPUT, OUTPUT and FORWARD arptables chains (in shorewall's "started") - these chain definitions are very similar to their corresponding counterparts in iptables, and there is even arptables-restore, using the same format as iptables-restore, to restore arptables chains.

There is a proposal I made a while ago for such functionality to be included as part of shorewall (a bit like "rules" for arptables, if you like) as I think it would be beneficial to everyone.
On 01/02/2013 07:02 AM, Mr Dash Four wrote:
>> Shorewall can't help you in the case of a bridge -- neither can routefilter. You would have to use arptables to prevent a misconfigured host from hijacking your network.
>
> Which is exactly why I use arptables to "manually" craft my INPUT, OUTPUT and FORWARD arptables chains (in shorewall's "started") - these chain definitions are very similar to their corresponding counterparts in iptables, and there is even arptables-restore, using the same format as iptables-restore, to restore arptables chains.
>
> There is a proposal I made a while ago for such functionality to be included as part of shorewall (a bit like "rules" for arptables, if you like) as I think it would be beneficial to everyone.

Something like this?

http://www1.shorewall.net/manpages/shorewall-arprules.html

Comments welcome,
-Tom
Paul Gear wrote:
> There's no need to run multiple instances of dhcpd for multiple VLANs. Just define them as separate subnets, give your DHCP server an interface in each subnet, and it will automatically allocate clients from the right range.

Not when each VLAN is on the same subnet it won't. The whole point is that I'm not in a position to partition our address block, so the "firewall" I'm building has to be transparent - hence bridge or proxy ARP.

> (Or you could use your switches as DHCP relays and have them include option 82; dhcpd will still pick the right subnet range under that circumstance as well.)
>
> I can show you working examples of the correct dhcpd and switch configs (for HP Comware and ProCurve switches) if you need them.

Don't know what switch I'll be using yet - the budget doesn't run to a new switch, so I'm eyeing up what's on the shelf. Today I was fiddling with a Linksys switch that at first sight seemed to fit all the requirements - but the b***ard GUI uses so much javascript I get "Out of Memory" errors popping when going into the key VLAN config page (and it's IE only, doesn't seem to work with current versions at all, etc, etc). The CLI is really really basic and only provides the basics to get the switch online so you can use the GUI. I'll have to use an HP switch for testing, but I won't be able to justify keeping it - not enough ports, and all PoE (= expensive).
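Because every VLAN sits in the same /24, the separate-subnets approach Paul suggests does not apply, and Simon's plan is one dhcpd per VLAN, each declaring the whole a.b.c.0/24 with a one-address range. The script below is an added example of that arrangement, not from the thread and not ISC's own code. Its values are hypothetical: network 130.252.100.0/24 with its real gateway at 130.252.100.1, the box's own address 130.252.100.17 added as a /32 on each VLAN interface (dhcpd refuses to serve on an interface that has no address inside a declared subnet, and it matches the address against the declaration's netmask, so a /32 is enough), and config, lease and pid files named after the interface so the instances never share state. Because each instance listens on exactly one interface, the "Multiple interfaces match the same subnet" complaint Simon Matter mentions does not arise.

```shell
#!/bin/sh
# Added example: one ISC dhcpd per customer VLAN, all declaring the same /24
# but each with a single-address range. Not from the thread or from ISC.
# Hypothetical values: SUBNET/NETMASK/GATEWAY/DNS/SELF and the CUSTOMERS table.

SUBNET=${SUBNET:-130.252.100.0}
NETMASK=${NETMASK:-255.255.255.0}
GATEWAY=${GATEWAY:-130.252.100.1}     # the network's real gateway, not this box
DNS=${DNS:-130.252.100.1}
SELF=${SELF:-130.252.100.17}          # the box's own address, repeated per VLAN

# Constructed sample table: "<vlan-interface> <the one address it may lease>"
CUSTOMERS='
vlan101 130.252.100.18
vlan102 130.252.100.19
'

rows() { printf '%s\n' "$CUSTOMERS" | grep -v '^[[:space:]]*$'; }

# dhcpd.conf for one VLAN. The subnet declaration covers the whole /24 so it
# matches the interface address; the range is the single allowed lease, so a
# router that "just plugs in" to vlan101 can only be offered 130.252.100.18.
render_conf() {   # $1 interface, $2 its single address -> config on stdout
    cat <<EOF
# dhcpd instance bound to $1 only (generated, do not hand-edit)
authoritative;
ddns-update-style none;
default-lease-time 600;
max-lease-time 3600;

subnet $SUBNET netmask $NETMASK {
  range $2 $2;
  option routers $GATEWAY;
  option subnet-mask $NETMASK;
  option domain-name-servers $DNS;
}
EOF
}

# The commands that bring up one instance: give the interface an address in
# the subnet, make sure the lease file exists (dhcpd will not create it), and
# start dhcpd with its own config (-cf), lease file (-lf) and pid file (-pf),
# listening on that one interface only.
instance_cmds() {   # $1 interface -> commands on stdout
    ifc=$1
    echo "ip address add $SELF/32 dev $ifc 2>/dev/null || true"
    echo "touch /var/lib/dhcp/dhcpd-$ifc.leases"
    echo "dhcpd -q -cf /etc/dhcp/dhcpd-$ifc.conf -lf /var/lib/dhcp/dhcpd-$ifc.leases -pf /run/dhcpd-$ifc.pid $ifc"
}

# Write one config per customer into $1 and print the paths written.
write_confs() {
    dir=$1
    mkdir -p "$dir"
    rows | while read -r ifc ip; do
        render_conf "$ifc" "$ip" > "$dir/dhcpd-$ifc.conf"
        echo "$dir/dhcpd-$ifc.conf"
    done
}

case "${1:-}" in
    --write) write_confs "${2:-/etc/dhcp}" ;;
    *) rows | while read -r ifc ip; do          # dry run: show configs and commands
           render_conf "$ifc" "$ip"; instance_cmds "$ifc"; echo
       done ;;
esac
```

Adding a customer is one new row in the table plus a re-run with --write and a restart of that VLAN's instance; the other instances are untouched because nothing is shared between them.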
On 01/02/2013 10:37 AM, Tom Eastep wrote:
> On 01/02/2013 07:02 AM, Mr Dash Four wrote:
>> There is a proposal I made a while ago for such functionality to be included as part of shorewall (a bit like "rules" for arptables, if you like) as I think it would be beneficial to everyone.
>
> Something like this?
>
> http://www1.shorewall.net/manpages/shorewall-arprules.html
>
> Comments welcome,

One additional note: I would require that either SOURCE or DEST be specified.

-Tom
> Something like this?
>
> http://www1.shorewall.net/manpages/shorewall-arprules.html

Indeed. I take it this isn't "mainstream" yet (judging by the first line of that man page), as this is the first time I am seeing it.

Assuming that is so, I am also not sure that all ACTIONs included in that man page are supported - at least for my distro (Fedora) - this would need thorough checking. There was a specific command, the name of which escapes me at the moment, which could be used to show the available built-in arptables targets for a particular distro (like DROP, ACCEPT etc). That is worth using to build a potential list of capabilities for the various distros out there.

You also need to be aware that you have 2 source and 2 destination pairs: SOURCE (as in IP address/mask), as well as HW SOURCE (as in MAC address), DESTINATION, as well as HW DESTINATION (or, as is referred in arptables, TARGET/HW TARGET). There are also other options, which can be specified in the arptables statement as well (for *very* specific fine-grade tuning), though I don't use these:

  --arhln  -a [!] length[/mask]     Hardware address length
  --arpop  -p [!] operation[/mask]  ARP operation
  --arhrd  -h [!] hrd[/mask]        ARP hardware address
  --arpro  -w [!] plen[/mask]       ARP protocol address format

Another possible pitfall you need to be aware of is the chain names - Fedora, in their infinite wisdom, decided to "do a Micro$oft" and changed the names of the core chains to be IN, OUT and FORWARD, instead of keeping with all other distros out there (Debian, Ubuntu etc), so if you plan to introduce this feature in shorewall, you need to be aware of those differences.

On a separate note, something of a heads-up for you Tom: I've just found quite a few "nasties" in shorewall (tested on shorewall .10+, though I am not finished yet), some of them not very pleasant to say the least, but will have more time to finish my testing to be sure - will be in a position to post them no earlier than this weekend (too busy at the moment).
> One additional note: I would require that either SOURCE or DEST be specified.

There is one limitation which I ran across with regards to this: SOURCE IP/mask, HW SOURCE (i.e. MAC address) as well as DESTINATION IP (i.e. TARGET IP) can, at the most, be specified in a single arptables statement; otherwise, if all 4 are specified, the whole thing never matches for some reason. I have never tried the other arptables options (listed in my previous post) either, so this is worth investigating.
> There was a specific command, the name of which escapes me at the moment, which could be used to show the available built-in arptables targets for a particular distro (like DROP, ACCEPT etc). That is worth using to build a potential list of capabilities for the various distros out there.

"cat /proc/net/arp_tables_matches" seems to give the names of all available targets, which are in *addition* to the built-in ones (REJECT, ACCEPT, DROP). "cat /proc/net/arp_tables_names" seems to give the names of all available arp tables ("filter" is more or less present in 100% of all cases).
On 1/2/13 4:43 PM, Mr Dash Four wrote:
>> Something like this?
>>
>> http://www1.shorewall.net/manpages/shorewall-arprules.html
>
> Indeed. I take it this isn't "mainstream" yet (judging by the first line of that man page), as this is the first time I am seeing it.

Yes -- this is all vaporware.

> Assuming that is so, I am also not sure that all ACTIONs included in that man page are supported - at least for my distro (Fedora) - this would need thorough checking. There was a specific command, the name of which escapes me at the moment, which could be used to show the available built-in arptables targets for a particular distro (like DROP, ACCEPT etc). That is worth using to build a potential list of capabilities for the various distros out there.
>
> You also need to be aware that you have 2 source and 2 destination pairs: SOURCE (as in IP address/mask), as well as HW SOURCE (as in MAC address), DESTINATION, as well as HW DESTINATION (or, as is referred in arptables, TARGET/HW TARGET). There are also other options, which can be specified in the arptables statement as well (for *very* specific fine-grade tuning), though I don't use these:
>
>   --arhln  -a [!] length[/mask]     Hardware address length
>   --arpop  -p [!] operation[/mask]  ARP operation
>   --arhrd  -h [!] hrd[/mask]        ARP hardware address
>   --arpro  -w [!] plen[/mask]       ARP protocol address format
>
> Another possible pitfall you need to be aware of is the chain names - Fedora, in their infinite wisdom, decided to "do a Micro$oft" and changed the names of the core chains to be IN, OUT and FORWARD, instead of keeping with all other distros out there (Debian, Ubuntu etc), so if you plan to introduce this feature in shorewall, you need to be aware of those differences.

I checked out arptables on Fedora. The package is arptables_jf; the synopsis says that:

    Arptables_jf is a fork of arptables from ebtables.sourceforge.net written by Jay Fenlason.

So apparently, Jay decided that the ebtables team has been neglecting his baby and has decided to take it back. In view of this development, I'm not going to do anything right now. AFAICT, Jay's arptables is still a subset of ebtables and I think that the best long-term strategy for Shorewall is to support ebtables. That isn't a small project and will require several months to bring to fruition.

> On a separate note, something of a heads-up for you Tom: I've just found quite a few "nasties" in shorewall (tested on shorewall .10+, though I am not finished yet), some of them not very pleasant to say the least, but will have more time to finish my testing to be sure - will be in a position to post them no earlier than this weekend (too busy at the moment).

I'll await your report.

-Tom
>> There was a specific command, the name of which escapes me at the moment, which could be used to show the available built-in arptables targets for a particular distro (like DROP, ACCEPT etc). That is worth using to build a potential list of capabilities for the various distros out there.
> "cat /proc/net/arp_tables_matches" seems to give the names of all available targets, which are in *addition* to the built-in ones (REJECT, ACCEPT, DROP).

...though, as is usually the case with Fedora, this doesn't work in 100% of all cases: I am getting errors like "Couldn't load target `XXXX':/lib64/arptables/libarpt_XXXX.so: cannot open shared object file: No such file or directory" where XXXX is the name of the "target" listed with the above command.
On 1/2/13 5:37 PM, Mr Dash Four wrote:
>
>>> There was a specific command, the name of which escapes me at the
>>> moment, which could be used to show the available built-in arptables
>>> targets for a particular distro (like DROP, ACCEPT etc). That is
>>> worth using to build a potential list of capabilities for the various
>>> distros out there.
>> "cat /proc/net/arp_tables_matches" seems to give the names of all
>> available targets, which are in *addition* to the built-in ones
>> (REJECT, ACCEPT, DROP).
> ...though, as is usually the case with Fedora, this doesn't work 100% of
> all cases: I am getting errors like "Couldn't load target
> `XXXX':/lib64/arptables/libarpt_XXXX.so: cannot open shared object file:
> No such file or directory" where XXXX is the name of the "target" listed
> with the above command.

On my Debian squeeze box, I see:

root@gateway:~# cat /proc/net/arp_tables_matches
time
connlimit
realm
pkttype
physdev
mac
connmark
helper
limit
statistic
mark
comment
owner
conntrack
conntrack
root@gateway:~#

And almost none of those are mentioned in 'man arptables'

-Tom
> I checked out arptables on Fedora. The package is arptables_jf; the
> synopsis says that:
>
>     Arptables_jf is a fork of arptables from
>     ebtables.sourceforge.net written by Jay Fenlason.
>
> So apparently, Jay decided that the ebtables team has been neglecting his
> baby and has decided to take it back.

Don't know who he is (as if I would care, though - there are a lot of self-inflated egos in that circle who think they are the next Ein-bloody-stein), but if he decided to fork it on his own, that's always a bad sign, so stay well-clear indeed. I also just noticed the version of arptables_jf (as distributed by Fedora) - 0.0.8 - that doesn't fill me with much confidence. No wonder I couldn't get a lot of the stuff to work "as advertised" - as my last few posts on the subject will testify.

> In view of this development, I'm
> not going to do anything right now. AFAICT, Jay's arptables is still a
> subset of ebtables and I think that the best long-term strategy for
> Shorewall is to support ebtables. That isn't a small project and will
> require several months to bring to fruition.
>

Seems like a wise move.

> I'll await your report.
>

I'll post it as soon as I can.
> On my Debian squeeze box, I see:
>
> root@gateway:~# cat /proc/net/arp_tables_matches
> time
> connlimit
> realm
> pkttype
> physdev
> mac
> connmark
> helper
> limit
> statistic
> mark
> comment
> owner
> conntrack
> conntrack
> root@gateway:~#
>
> And almost none of those are mentioned in 'man arptables'
>

In addition to the above, I also have:

CHECKSUM
CT
NFQUEUE
SECMARK
NFLOG
CONNSECMARK
CLASSIFY
AUDIT
CONNMARK
MARK
ERROR

A simple "find" to look for "libarpt_*.so" does not return anything at all (I looked in /lib64 as well as /usr/lib64), which tells me all I need to know whether any of the above targets are "available" to arptables. I am, frankly, amazed I didn't run across this before, but I guess I didn't need to use any of those targets when crafting my arptables-restore statements.
On 01/02/2013 05:47 PM, Mr Dash Four wrote:
>
>> I checked out arptables on Fedora. The package is arptables_jf; the
>> synopsis says that:
>>
>>     Arptables_jf is a fork of arptables from
>>     ebtables.sourceforge.net written by Jay Fenlason.
>>
>> So apparently, Jay decided that the ebtables team has been neglecting his
>> baby and has decided to take it back.
> Don't know who he is (as if I would care, though - there are a lot of
> self-inflated egos in that circle who think they are the next
> Ein-bloody-stein), but if he decided to fork it on his own, that's
> always a bad sign, so stay well-clear indeed. I also just noticed the
> version of arptables_jf (as distributed by Fedora) - 0.0.8 - that
> doesn't fill me with much confidence. No wonder I couldn't get a lot of
> the stuff to work "as advertised" - as my last few posts on the subject
> will testify.
>
>> In view of this development, I'm
>> not going to do anything right now. AFAICT, Jay's arptables is still a
>> subset of ebtables and I think that the best long-term strategy for
>> Shorewall is to support ebtables. That isn't a small project and will
>> require several months to bring to fruition.
>>
> Seems like a wise move.
>

I took another look at ebtables this morning and it doesn't seem to support changing the source or destination IP address. I have a requirement for that on my own firewall where I have the following in my /etc/shorewall/init file:

    if ! arptables -L -n -v | fgrep -q '10.1.10.11'; then
        arptables -A OUTPUT -o eth1 -d 10.1.10.0/24 -j mangle \
            --mangle-ip-s 10.1.10.11
    fi

So I guess that I will go ahead and add support for both flavors of arptables.

-Tom
On 01/03/2013 07:55 AM, Tom Eastep wrote:
> On 01/02/2013 05:47 PM, Mr Dash Four wrote:
>>
>>> I checked out arptables on Fedora. The package is arptables_jf; the
>>> synopsis says that:
>>>
>>>     Arptables_jf is a fork of arptables from
>>>     ebtables.sourceforge.net written by Jay Fenlason.
>>>
>>> So apparently, Jay decided that the ebtables team has been neglecting his
>>> baby and has decided to take it back.
>> Don't know who he is (as if I would care, though - there are a lot of
>> self-inflated egos in that circle who think they are the next
>> Ein-bloody-stein), but if he decided to fork it on his own, that's
>> always a bad sign, so stay well-clear indeed. I also just noticed the
>> version of arptables_jf (as distributed by Fedora) - 0.0.8 - that
>> doesn't fill me with much confidence. No wonder I couldn't get a lot of
>> the stuff to work "as advertised" - as my last few posts on the subject
>> will testify.

I notice that he has an @redhat email address so I assume that he works there.

> So I guess that I will go ahead and add support for both flavors of
> arptables.

arptables-restore in arptables_jf is broken to the point of uselessness with respect to --arpop (output folded to fit in email).

Input file:

[root@sami shorewall]# cat /var/lib/shorewall/.arptables-input
*filter
:IN ACCEPT
:OUT ACCEPT
:FORWARD ACCEPT
-A OUT -o p3p1 -d 10.1.10.0/24 --arpop Request -j mangle --mangle-ip-s 10.1.10.11
COMMIT
[root@sami shorewall]#

Output:

[root@sami shorewall]# arptables-save
# Generated by arptables-save v0.0.8 on Thu Jan 3 12:38:54 2013
*filter
:IN ACCEPT [1:28]
:OUT ACCEPT [1:28]
:FORWARD ACCEPT [0:0]
-A OUT -d 10.1.10.0/255.255.255.0 -p 0100/ffff -o p3p1 -j mangle \
    --mangle-ip-s 10.1.10.11
COMMIT
# Completed on Thu Jan 3 12:38:54 2013
[root@sami shorewall]#

Then:

[root@sami shorewall]# arptables-save | arptables-restore
[root@sami shorewall]# arptables-save
# Generated by arptables-save v0.0.8 on Thu Jan 3 12:40:08 2013
*filter
:IN ACCEPT [0:0]
:OUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A OUT -d 10.1.10.0/255.255.255.0 -p 0001/ffff -o p3p1 -j mangle \
    --mangle-ip-s 10.1.10.11
COMMIT
# Completed on Thu Jan 3 12:40:08 2013
[root@sami shorewall]#

Looks to me like an endian problem. I've added a vile hack to work around it until it's fixed.

-Tom
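A small checker for the save/restore problem shown in the dumps above, added here as an example rather than code from the thread or from Shorewall: it parses the rule lines of arptables-save output, reports an ARP-opcode selector (-p value/mask) that is only a known opcode once its bytes are swapped, and compares a dump with the dump taken after feeding it through arptables-restore. The two embedded dumps are constructed from the output quoted above; the opcode names follow arptables(8).

```python
"""Added example: audit arptables-save output for byte-swapped --arpop
values and for a save | restore round trip that changes the rules."""
import re

# ARP opcodes as a correct arptables-save prints them (host-order value of
# the 16-bit ar$op field), named as in arptables(8).
ARP_OPCODES = {1: "Request", 2: "Reply", 3: "Request_Reverse", 4: "Reply_Reverse"}

# The "-p value/mask" selector that arptables-save emits for --arpop.
OPCODE_RE = re.compile(r"-p\s+([0-9a-fA-F]{4})/([0-9a-fA-F]{4})")


def byteswap16(value):
    """Swap the two bytes of a 16-bit value (0x0100 <-> 0x0001)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def rule_lines(dump):
    """Rule lines (-A ...) of a dump with backslash folds joined and
    whitespace normalised; chain counters and timestamps are ignored."""
    joined = dump.replace("\\\n", " ")
    return [re.sub(r"\s+", " ", line.strip())
            for line in joined.splitlines() if line.startswith("-A")]


def classify_rule(rule):
    """Return (opcode name, byte_swapped) for the rule's -p selector, or
    None when the rule has no opcode selector.  A value that is a known
    opcode only after swapping its bytes is flagged byte_swapped=True."""
    m = OPCODE_RE.search(rule)
    if not m:
        return None
    value, mask = int(m.group(1), 16), int(m.group(2), 16)
    if mask != 0xFFFF:
        return ("masked", False)
    if value in ARP_OPCODES:
        return (ARP_OPCODES[value], False)
    swapped = byteswap16(value)
    if swapped in ARP_OPCODES:
        return (ARP_OPCODES[swapped], True)
    return ("unknown", False)


def roundtrip_diffs(before, after):
    """Rules that differ between a dump and the dump taken after
    'arptables-save | arptables-restore'.  A correct pair yields []."""
    return [(b, a) for b, a in zip(rule_lines(before), rule_lines(after)) if b != a]


# Constructed from the two dumps quoted in the message above.
SAVE_BEFORE = """\
*filter
:IN ACCEPT [1:28]
:OUT ACCEPT [1:28]
:FORWARD ACCEPT [0:0]
-A OUT -d 10.1.10.0/255.255.255.0 -p 0100/ffff -o p3p1 -j mangle \\
    --mangle-ip-s 10.1.10.11
COMMIT
"""
SAVE_AFTER = SAVE_BEFORE.replace("-p 0100/ffff", "-p 0001/ffff")

if __name__ == "__main__":
    for rule in rule_lines(SAVE_BEFORE):
        print(rule, "->", classify_rule(rule))  # ('Request', True)
    print("rules changed by round trip:", roundtrip_diffs(SAVE_BEFORE, SAVE_AFTER))
```

Either signal, a byte-swapped opcode in a dump or a save/restore/save sequence that is not idempotent, is reason to verify with `arptables -L -n -v` that the loaded rule still matches the intended ARP operation.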
On 01/03/2013 01:04 PM, Tom Eastep wrote:
> On 01/03/2013 07:55 AM, Tom Eastep wrote:
> arptables-restore in arptables_jf is broken to the point of uselessness
> with respect to --arpop (output folded to fit in email).

https://bugzilla.redhat.com/show_bug.cgi?id=891769

-Tom
> https://bugzilla.redhat.com/show_bug.cgi?id=891769
>

Don't hold your breath though!
> So I guess that I will go ahead and add support for both flavors of
> arptables.
>

You are a brave man! The current arptables_jf code is leaking more than a 75 year old granny - that's how bad it is. I had to, quite literally, test every single statement in my own arptables-restore file to make sure that it works as expected without any nasties and found the whole experience extremely frustrating. This code isn't even alpha quality and should not be in the wild at all. More on this in the "Beta 3" thread.
On 01/03/2013 05:35 AM, Simon Hobson wrote:
> Paul Gear wrote:
>
>> There's no need to run multiple instances of dhcpd for multiple
>> VLANs. Just define them as separate subnets, give your DHCP server
>> an interface in each subnet, and it will automatically allocate
>> clients from the right range.
>
> Not when each VLAN is on the same subnet it won't. The whole point is
> that I'm not in a position to partition our address block, so the
> "firewall" I'm building has to be transparent - hence bridge or proxy
> ARP.

Sorry - I must have misread the beginning part of your post. That's not a firewall I would like to be building. :-\

The DHCP part of it could be just as tricky as the firewall part.
Paul Gear wrote:
>>> There's no need to run multiple instances of dhcpd for multiple
>>> VLANs. Just define them as separate subnets, give your DHCP server
>>> an interface in each subnet, and it will automatically allocate
>>> clients from the right range.
>>
>> Not when each VLAN is on the same subnet it won't. The whole point is
>> that I'm not in a position to partition our address block, so the
>> "firewall" I'm building has to be transparent - hence bridge or proxy
>> ARP.
>
> Sorry - I must have misread the beginning part of your post. That's not
> a firewall I would like to be building. :-\

Yeah, it's not the firewall I'd be building if I could design the network from scratch. However, even if I could redesign the network, that wouldn't help in the general case where there's only a very small IP allocation. One site we had, we could only get a /28 from the ISP, so 13 addresses usable for customers - and at one point we did have 13 users on the site. I don't see availability of IPv4 address blocks getting better in the future - "they're not making any more of it you know".

> The DHCP part of it could be just as tricky as the firewall part.

Indeed. But first I'm experimenting to see how the different topologies work in practice. Using proxy-ARP, on Friday I managed to get a device in one VLAN to successfully use a wrong (not allowed for it and allocated to a different VLAN) IP. I need to do a less "ad hoc" session and verify the sequence of events required.

Just for good measure, the first switch off the shelf (Linksys SRW248G4), which I could have kept and used permanently, has a sh*te GUI that only works with Internet Exploder, and the VLAN pages don't work as they trigger out of memory errors :( Someone, somewhere in the world, would have felt a burning sensation in their ears on Friday!
On 01/06/2013 07:08 AM, Mr Dash Four wrote:
>
>> https://bugzilla.redhat.com/show_bug.cgi?id=891769
>>
> Don't hold your breath though!

Just got notice that arptables_jf-0.0.8-25.fc17 has been submitted as an update to Fedora 17; similar version to Fedora 18.

-Tom
> Just got notice that arptables_jf-0.0.8-25.fc17 has been submitted as an
> update to Fedora 17; similar version to Fedora 18.

I hope they incorporated the "-n" bug in that release as well...
On 01/08/2013 07:32 PM, Mr Dash Four wrote:
>> Just got notice that arptables_jf-0.0.8-25.fc17 has been submitted as an
>> update to Fedora 17; similar version to Fedora 18.
> I hope they incorporated the "-n" bug in that release as well...

The ebtables group have done that in their next release -- don't know about arptables_jf. Have you submitted a report about that?

-Tom
>> I hope they incorporated the "-n" bug in that release as well...
>>
>
> The ebtables group have done that in their next release -- don't know
> about arptables_jf. Have you submitted a report about that.
>

No, but Steven did that on the netfilter ML the other day (it was to do with arptables-save) and I assume it would be included since "that change is in the git tree" (tm) Pablo.
On 01/09/2013 02:08 AM, Mr Dash Four wrote:
>
>>> I hope they incorporated the "-n" bug in that release as well...
>>>
>>
>> The ebtables group have done that in their next release -- don't know
>> about arptables_jf. Have you submitted a report about that.
>>
> No, but Steven did that on the netfilter ML the other day (it was to do
> with arptables-save) and I assume it would be included since "that
> change is in the git tree" (tm) Pablo.

I believe that Steven's report was against the ebtables version of arptables, not arptables_jf. According to the update that I just received, the only bug fixed in arptables_jf-0.0.8-25.fc17/fc18 was the byte-swap issue that I had reported.

-Tom