<sect1 id="configurations-ppp-intro">

    <title>Introduction</title>

    <para>
        This chapter describes the configuration of two computers, one
        acting as server and the other as client. The server computer is
        configured to provide services (e.g., e-mail) and the client
        computer to use the services the server provides. The
        communication medium both computers use is the telephone line
        (i.e., the same line you use to make phone calls). In this
        configuration, both client and server use devices called
        <quote>modems</quote> to transmit data as sound across the
        telephone line. The configuration described in this chapter is a
        good choice when the only communication medium you have access to
        is the telephone system.
    </para>

    <para>
        Even though this configuration reduces the lack of communication,
        it has limitations that cannot be removed yet. They are the
        following:
    </para>
    <itemizedlist>
        <listitem>
            <para>
                Only one connection is possible at a time, and each
                connection is limited to 15 minutes.
            </para>
        </listitem>
        <listitem>
            <para>
                More than 3 consecutive connections from the same phone
                number within 60 minutes is treated as an attempt to keep
                the single line busy, i.e., a <quote>Denial of
                Service</quote> (DoS) attack against the ISP. In that case
                the phone number originating the calls is refused further
                connections to the ISP for the next 15 minutes. If, after
                those 15 minutes, 3 new consecutive connections are
                detected from the same phone number, the lockout grows
                with each repetition (e.g., 15*1 minutes the first time,
                15*2 the second time, 15*3 the third time, and so on).
            </para>

            <note>
                <para>
                    To control consecutive connections from the same phone
                    number with any efficiency, the server must record
                    both the caller's phone number and the connection
                    time. pppd's log records when a link came up and went
                    down, but not who called: the caller's number can only
                    come from the modem's caller-ID report (when the line
                    provides it) and must be logged together with the
                    connection time. Without that information it is very
                    difficult to prevent DoS attacks originating from
                    incoming calls.
                </para>
            </note>
        </listitem>
        <listitem>
            <para>
                The ISP is isolated from the Internet, so it cannot
                provide Internet access. For example, you will not be able
                to send international e-mail to Gmail or Yahoo, nor visit
                web sites like Google or Wikipedia. I would really like to
                provide such access, but without a link to the Internet
                there is nowhere to send your requests.
            </para>
        </listitem>
        <listitem>
            <para>
                Information generated inside the ISP stays inside it. It
                is available only to people registered in the ISP (e.g.,
                through the web interface).
            </para>
        </listitem>
        <listitem>
            <para>
                Services that require persistent connections (e.g.,
                <application>chat</application>) are not a practical
                offer. Only asynchronous services (e.g.,
                <application>e-mail</application>) are supported. This
                restriction keeps effective connection times short. For
                example, you connect to the ISP only to send and receive
                e-mail and then disconnect quickly to release the line
                for others. You do not need to be connected at the moment
                someone sends you a message in order to receive it: the
                message waits in your mailbox until the next time you
                establish a point-to-point connection to the ISP and use
                your mail client to send and receive new messages.
                Likewise, you do not need to be connected to the ISP to
                write your messages. Write them off-line, then connect to
                send them once they are ready.
            </para>
        </listitem>
        <listitem>
            <para>
                Your user profile is removed automatically from the ISP
                when more than 7 days pass without an effective
                point-to-point connection from you, counted from the last
                effective connection you established. Once your profile
                has been removed, you must register again (i.e., create a
                new user profile) through the web interface provided by
                the ISP.
            </para>
        </listitem>
        <listitem>
            <para>
                When a user receives messages, the user's e-mail client
                must be configured to move the messages from the server to
                the client. The ISP computer enforces this by denying
                users access to the IMAP service; only the POP service is
                available. This restriction is required to save disk space
                on the ISP computer.
            </para>
        </listitem>
    </itemizedlist>
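    <para>
        The call-rate rule above, replayed over a connection log, as an
        added example that is not part of the original chapter. Everything
        it assumes is stated in the comments: the log line format is a
        constructed one (pppd does not know the caller's number, so a
        wrapper around the modem or getty would have to write such lines),
        the rule trips on the fourth answered call inside the 60-minute
        window and restarts its count after a strike, and the lockout grows
        linearly (15*1, 15*2, 15*3) as in the chapter's own numbers.
    </para>

```python
# Added example (not from the original chapter): enforcing the
# "more than 3 calls in 60 minutes" rule with escalating lockouts.
#
# Assumptions, none of which the chapter states:
#   * Every answered call is logged as one constructed line of the form
#       "<ISO-8601 timestamp> CONNECT <caller-id>"
#     (hypothetical format; pppd itself never sees the caller's number).
#   * The 4th answered call inside the window trips the rule, and the
#     per-caller count restarts after a strike ("3 new consecutive
#     connections").
#   * Lockout length is 15*n minutes after the n-th strike.
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)
MAX_CALLS_IN_WINDOW = 3
BASE_LOCKOUT = timedelta(minutes=15)


def lockout_for(strike: int) -> timedelta:
    """Lockout length after the n-th strike: 15*n minutes."""
    return BASE_LOCKOUT * strike


def parse_line(line: str):
    """Parse one constructed log line into (timestamp, caller-id)."""
    stamp, kind, caller = line.split()
    if kind != "CONNECT":
        raise ValueError(f"unexpected record type: {kind}")
    return datetime.fromisoformat(stamp), caller


class CallRateLimiter:
    """Per-caller sliding window plus an escalating lockout per caller."""

    def __init__(self):
        self.recent = defaultdict(deque)   # caller -> answered-call times in window
        self.strikes = defaultdict(int)    # caller -> how many times the rule tripped
        self.locked_until = {}             # caller -> datetime the lockout ends

    def admit(self, caller: str, now: datetime):
        """Decide on one call; returns (accepted, reason)."""
        until = self.locked_until.get(caller)
        if until is not None and until > now:
            return False, f"locked out until {until:%H:%M}"
        calls = self.recent[caller]
        while calls and now - calls[0] > WINDOW:   # forget calls outside the window
            calls.popleft()
        calls.append(now)
        if len(calls) > MAX_CALLS_IN_WINDOW:
            self.strikes[caller] += 1
            lock = lockout_for(self.strikes[caller])
            self.locked_until[caller] = now + lock
            calls.clear()                            # the count restarts after a strike
            return False, f"strike {self.strikes[caller]}: locked out for {lock}"
        return True, "accepted"


def evaluate(log_lines):
    """Replay a log in order; returns [(caller, accepted, reason), ...]."""
    limiter = CallRateLimiter()
    decisions = []
    for line in log_lines:
        if not line.strip():
            continue
        when, caller = parse_line(line)
        accepted, reason = limiter.admit(caller, when)
        decisions.append((caller, accepted, reason))
    return decisions


# Constructed sample log: 5551234 hammers the line, 5559876 calls once.
SAMPLE_LOG = """\
2024-03-01T10:00:00 CONNECT 5551234
2024-03-01T10:10:00 CONNECT 5551234
2024-03-01T10:12:00 CONNECT 5559876
2024-03-01T10:20:00 CONNECT 5551234
2024-03-01T10:30:00 CONNECT 5551234
2024-03-01T10:40:00 CONNECT 5551234
2024-03-01T10:50:00 CONNECT 5551234
2024-03-01T10:55:00 CONNECT 5551234
2024-03-01T11:00:00 CONNECT 5551234
2024-03-01T11:05:00 CONNECT 5551234
2024-03-01T11:30:00 CONNECT 5551234
2024-03-01T11:36:00 CONNECT 5551234
""".splitlines()

if __name__ == "__main__":
    for caller, ok, why in evaluate(SAMPLE_LOG):
        print(f"{caller} {'ACCEPT' if ok else 'REJECT'} {why}")
```

    <para>
        In the sample, the fourth call from 5551234 at 10:30 is refused and
        locks the number out until 10:45; the call at 10:40 is refused for
        that reason, and the next burst (10:50 to 11:05) earns a second,
        30-minute lockout. The single call from 5559876 is unaffected. The
        15-minute cap on one session is a separate control on the pppd
        side (its <option>maxconnect</option> option terminates a link after
        a given number of seconds) and is not part of this script.
    </para>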

    <para>
        I am sorry about these limitations, but this is the best I can
        offer with one PC, one modem and a single telephone line. If you
        think this configuration can be improved somehow, please send an
        e-mail to <email>al@projects.centos.org</email>. Note that, to be
        able to send e-mail to this address, you must do it through the
        Mail Transfer Agent provided by the server computer. I do not
        answer phone calls personally; the phone is busy answering
        point-to-point connections ;).
    </para>

    <warning>
        <para>
            The <systemitem class="domainname">projects.centos.org</systemitem>
            mentioned in this chapter must not be confused with the real
            infrastructure provided by &TC; on the Internet. The domain
            name mentioned in this chapter is not reachable on the
            Internet; it was created to illustrate the real
            infrastructure inside an isolated environment.
        </para>
    </warning>

    <para>
        To share information with others, both you and the person you
        want to share it with must have an e-mail address registered in
        the ISP. Registration is done through a web interface served over
        an encrypted connection. The web interface must let everyone
        update or delete their own profile. Every action performed
        through this web interface must be simple enough to complete in
        less than 15 minutes (the time you have before the ISP closes the
        point-to-point connection).
    </para>

    <para>
        Inside the ISP, user information is stored in an LDAP server. The
        web application manipulates the LDAP records and all related
        operating-system files that allow a user to establish a
        point-to-point connection to the ISP, as well as to register,
        update or delete their profile inside the ISP. Care must be taken
        to prevent one user from modifying or deleting another user's
        profile: profile administration is individual to each user and is
        keyed on the user's identity, which is determined by a username
        (e.g., the e-mail address) and a password, so every change must be
        checked on the server against the authenticated identity rather
        than only hidden from the interface. The LDAP server is available
        for everyone to consult from their mail clients. The web
        application must also validate its input so that duplicated
        values, invalid characters and the like are rejected before
        anything reaches the directory.
    </para>
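    <para>
        The input checks the registration web application needs, as an
        added example that is not part of the original chapter. It assumes
        that the username is the local part of the e-mail address and is
        stored in the LDAP attribute <literal>uid</literal> (a hypothetical
        schema choice), and that the duplicate check is an LDAP equality
        search on that attribute. Since no directory is reachable here, a
        tiny stand-in evaluates the search filter the way a server would,
        which is enough to show why a username must be escaped before it
        is placed inside a filter: an unescaped <literal>*</literal> turns
        the duplicate check into a wildcard search.
    </para>

```python
# Added example (not from the original chapter): validating usernames and
# escaping them before they are used in an LDAP search filter.
#
# Assumptions, none of which the chapter states:
#   * The username is the local part of the e-mail address, kept in the
#     LDAP attribute "uid" (hypothetical schema choice).
#   * The duplicate check is an equality search on that attribute.
#   * search() below is a stand-in for the directory, so the example runs
#     offline; it evaluates one (attr=value) filter like a server would,
#     with '*' as a substring wildcard.
import re

# Allowed local part: lowercase letter first, then letters, digits, '.', '_'
# and '-', 3..32 characters in total.  Anything else is an invalid character.
USERNAME_RE = re.compile(r"[a-z][a-z0-9._-]{2,31}")

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def validate_username(raw: str) -> str:
    """Return the normalised username, or raise ValueError if it is not allowed."""
    name = raw.strip().lower()   # uid matches case-insensitively in the standard schema
    if not USERNAME_RE.fullmatch(name) or ".." in name or name[-1] in "._-":
        raise ValueError(f"invalid username: {raw!r}")
    return name


def is_valid_username(raw: str) -> bool:
    """Boolean form of validate_username()."""
    try:
        validate_username(raw)
    except ValueError:
        return False
    return True


def escape_filter_value(value: str) -> str:
    """Escape a value so the server matches it literally, never as filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(name: str) -> str:
    """Equality filter used for the duplicate check."""
    return f"(uid={escape_filter_value(name)})"


def _unescape(piece: str) -> str:
    """Undo \\xx escapes, as the server does when reading a filter."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def _matches(s: str, pieces) -> bool:
    """Substring match: pieces are the literal parts between '*' wildcards."""
    if len(pieces) == 1:
        return s == pieces[0]
    if not s.startswith(pieces[0]) or not s.endswith(pieces[-1]):
        return False
    pos = len(pieces[0])
    for p in pieces[1:-1]:
        i = s.find(p, pos)
        if i == -1:
            return False
        pos = i + len(p)
    return len(s) - len(pieces[-1]) >= pos


def search(entries, filt: str):
    """Stand-in directory: evaluate a single (attr=value) filter over entries."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = m.group(1), m.group(2)
    # An escaped '*' arrives as \2a and is never split on; a raw '*' is a wildcard.
    pieces = [_unescape(p) for p in value.split("*")]
    return [e for e in entries if _matches(e.get(attr, ""), pieces)]


def register(entries, raw: str) -> str:
    """Validate, refuse duplicates, then store; only the validated name goes further."""
    name = validate_username(raw)
    if search(entries, uid_filter(name)):
        raise ValueError(f"duplicated username: {name}")
    entries.append({"uid": name})
    return name


# Constructed directory contents for the demonstration.
DIRECTORY = [{"uid": "al"}, {"uid": "maria.perez"}, {"uid": "jlopez"}]

if __name__ == "__main__":
    print("raw '*'      ->", search(DIRECTORY, "(uid=*)"))        # every entry
    print("escaped '*'  ->", search(DIRECTORY, uid_filter("*")))  # nothing
    print("registered   ->", register(list(DIRECTORY), "New_User"))
```

    <para>
        The validator rejects anything outside the allowed character set,
        and the filter escaping is the second layer for the values that do
        pass, so a later relaxation of the character set cannot silently
        reintroduce filter injection. The validated name is also the only
        value that should ever be handed to a privileged helper on the
        server. Ownership of the LDAP entry itself is best enforced in the
        directory's own access control (for OpenLDAP, an
        <literal>access to</literal> rule granting <literal>by self
        write</literal> and <literal>by users read</literal>), not only in
        the web application.
    </para>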

    <para>
        Inside the ISP, all related subsystems (e.g., Postfix, Cyrus IMAP
        and saslauthd) must retrieve user information from the LDAP
        server. Likewise, mailbox administration must be automated from
        the users present in the LDAP server. The web application must be
        aware of all related files in the infrastructure so that
        administration tasks can be automated and presented in a friendly
        way to end users (this will require the web application to run a
        program that needs root privileges =:-|). That program should be a
        small, separate helper that does one job and accepts only already
        validated input, because it is reachable from the web interface;
        the web application itself should keep running without
        privileges. The whole process is as follows:
    </para>
    <orderedlist>
        <listitem>
            <para>
                Establish a point-to-point connection to the ISP, as
                described in
                <xref linkend="configurations-ppp-modem-client" />.
            </para>
        </listitem>
        <listitem>
            <para>
                Register a new user profile through the web application
                provided by the ISP.
            </para>
        </listitem>
        <listitem>
            <para>
                Configure your workstation with the information returned
                by a successful registration, in order to start using the
                services provided by the ISP you have just registered in.
            </para>
        </listitem>
    </orderedlist>

</sect1>