aMule Forum


Author Topic: aMule-mod Xtreme  (Read 26705 times)

Lame_azz

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 15
Re: aMule-mod Xtreme
« Reply #15 on: April 17, 2007, 09:20:55 PM »

Quote
I do discuss things with the eMule devs.
Great to hear.

Quote
Kad is still sacred.
Code is not a cow :P. And .. er .. excuse me for shooting to the legs, but the CVS version has broken Kad, which connects, etc. but ... fails to find sources   :'(

Quote
As for the scenario you propose up, why is your FTP client not doing the bandwidth control?
Yep, true up to some degree. But as for me, I do prefer aMule to slow down while I'm uploading to FTP. So, the FTP client does not have to throttle. And what about IM clients? And other software capable of sending data? Should it implement hardcore bandwidth management? Why? An IM client, for example, transfers files only occasionally. It is not its main speciality. On the other hand, aMule always transfers files, so it is reasonable to expect it will operate like a pro when doing so, right? As for me, filesharing occurs in the background and should not interfere with day-to-day tasks if possible. Now, it sometimes does.

Using tc ... well, my ADSL router has it built in ("hacked" advanced firmware), it is a pain in the ass to configure, and it solves the problem only partially, because tc isn't damn effective when managing an outbound 256Kbit channel with 1492-byte packets (there are just too few packets to give tc enough freedom to maneuver). Also a hint: if someone shares an internet channel on a router and the router does not run a traffic scheduler (the most common case), tc on the local machine is quite useless: it cannot account for the fact that other machines are transferring data via the same channel, so tc will fail on such a "semi-dynamic bandwidth" channel because the local tc is not aware of how much bandwidth is left unused on the router. Of course tc on the router solves this, but you should not expect this hack (er, you call this a "solution") to be widely used  :P

In fact, there are two machines, each of which can run aMule. As well as both. As well as any other software. They share the same ADSL channel. Now, it is a bit relaxed with tc on the ADSL router (quite an uncommon case, 99.99% of users will fail to repeat this trick since it requires "hacked" firmware!). However, 2 eMules with bandwidth management based on pinging work way better than this complex and half-working "solution" in the given network setup. Even if 2 eMules are running, they just throttle upload speed when needed and never saturate the channel so that it gets high latency. As well as balancing channel load on their own, etc. So, ping-based bandwidth management is NOT so moronic, even if it looks so to someone.
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: aMule-mod Xtreme
« Reply #16 on: April 17, 2007, 10:14:27 PM »

... dude.

I said that millions of times.

aMule can't ping.

You can only ping as root.
Logged

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1549
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: aMule-mod Xtreme
« Reply #17 on: April 17, 2007, 10:45:20 PM »

And, just to have it complete, ping is ICMP, and I, and I think many many others, too, don't even think about natting icmp-ping just to use aMule.
Logged
Homefucking is killing prostitution

Lame_azz

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 15
Re: aMule-mod Xtreme
« Reply #18 on: April 17, 2007, 11:44:50 PM »

Quote
... dude.

I said that millions of times.

aMule can't ping.

You can only ping as root.
Umm, I just pinged some host as... er, a usual user using the "ping" command. Am I doing something wrong here? It just works while I'm not root.
Possibly you're talking about UDP ping? And even if you need to allocate some port below 1024, it is possible to start as root and then drop root rights once the socket is allocated, just set gid and uid to a normal restricted user (that's how some daemons create privileged sockets without running as root later).

Quote
And, just to have it complete, ping is ICMP, and I, and I think many many others, too, don't even think about natting icmp-ping just to use aMule.
The vast majority of NATs and firewalls usually allow outgoing ICMP pings and replies to these pings and handle them properly. Just 'cause without ping any network troubleshooting is sort of a nightmare. Usually this even requires no extra setup (for example, all SOHO routers I have seen allow outgoing pings and replies and handle this properly). And no, I did not suggest that this should be the one and only option to control speed. Those rare people with their (pretty unusual) NATs\firewalls incapable of dealing with ICMP can fall back to a static speed setup (though I cannot understand how these guys are troubleshooting their network, just in case). What's wrong? And well, there is also UDP ping as an option. You're already NATing UDP to run aMule, yep? Finally, there is another sort of similar system - it measures round-trip times without sending any extra packets. As for me, this worked worse than ping, it requires lots of peers to get proper statistics, and it is inaccurate because remote peers can have latency of their own. But even this still works somehow better than dumb flooding at full speed and complete ignorance of channel saturation.
« Last Edit: April 18, 2007, 12:14:22 AM by Lame_azz »
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: aMule-mod Xtreme
« Reply #19 on: April 18, 2007, 12:33:58 AM »

Quote
... dude.

I said that millions of times.

aMule can't ping.

You can only ping as root.
Umm, I just pinged some host as... er, a usual user using the "ping" command. Am I doing something wrong here? It just works while I'm not root.
Possibly you're talking about UDP ping? And even if you need to allocate some port below 1024, it is possible to start as root and then drop root rights once the socket is allocated, just set gid and uid to a normal restricted user (that's how some daemons create privileged sockets without running as root later).

Don't talk about things you don't know about, please, it's embarrassing. You can't use raw sockets as user. The ping binary is setuid root. And no, I will not encourage people to run aMule as a privileged service, even if it would be later dropped. The security risk is too high.
Logged

Lame_azz

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 15
Re: aMule-mod Xtreme
« Reply #20 on: April 18, 2007, 07:50:37 AM »

Quote
Don't talk about things you don't know about, please, it's embarrassing. You can't use raw sockets as user. The ping binary is setuid root. And no, I will not encourage people to run aMule as a privileged service, even if it would be later dropped. The security risk is too high.
Er, I was somewhat lame, sorry. But btw, let's remember there is UDP ping (I guess it is ok to use local high UDP ports, right?) and round-trip times can be measured as well (this requires nothing at all, but is not as good as real pinging and requires some number of peers to have realistic statistics).

P.S. When choosing between security and usability I'm choosing a ... balance. I do not want to feel like I'm locked in jail just to be a bit more secure. As long as the program drops rights on startup after the sockets were allocated, I see no way it can harm me more than today when it runs as non-root. Maybe I'm wrong (I'm unfortunately not an expert in Linux\*nix yet), but lots of security-sensitive daemons do the trick with setgid\setuid and it seems to work, providing a good balance between security and functionality - the program does what it should and is able to allocate ports, etc., but it does not run as root most of the time.

P.P.S. The dropping of rights is to occur quickly on startup and before any actual networking takes place, etc. So, it looks like it's only you who can harm the system while aMule initializes with root rights. You can harm aMule users already, if you ever wish to, because I have to run "make install" as root anyway, and it is doubtful that lots of users carefully check what will actually happen when you issue this command.
Logged
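
Added example, not part of the thread and not aMule code: the sequence debated in replies #18 to #20 (get the ICMP socket while privileged, then give up root for good), sketched in C for Linux. The function names and the target uid/gid 65534 are assumptions; the unprivileged ping-socket attempt is a Linux 3.0+ feature that the thread does not discuss.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

/* Try to obtain an ICMP socket. Returns the fd, or -1 with errno set.
 * First an unprivileged "ping socket" (Linux 3.0+, allowed only for groups
 * listed in net.ipv4.ping_group_range), then a raw socket, which needs
 * root or CAP_NET_RAW and fails with EPERM for an ordinary user. */
static int open_icmp_socket(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd >= 0)
        return fd;
    return socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
}

/* Permanently switch to (uid, gid). Returns 0 only if the process ends up
 * running as the target ids and can no longer become root; on -1 the
 * caller must exit instead of carrying on. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {          /* "dropping" to root is a bug */
        errno = EINVAL;
        return -1;
    }
    if (geteuid() == 0) {
        /* Order matters: supplementary groups and gid first, uid last,
         * because giving up uid 0 removes the right to change the rest.
         * Called as root, setgid/setuid set real, effective and saved ids. */
        if (setgroups(1, &gid) != 0)
            return -1;
        if (setgid(gid) != 0)
            return -1;
        if (setuid(uid) != 0)
            return -1;
    }
    /* Verify the result instead of trusting the return codes alone,
     * including an attempt to get root back, which has to fail. */
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid ||
        setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Assumption: 65534 is an unprivileged account ("nobody") on this host. */
    const uid_t target_uid = 65534;
    const gid_t target_gid = 65534;

    /* Nothing else runs before the drop: no config parsing, no network input. */
    int fd = open_icmp_socket();
    if (fd < 0)
        perror("ICMP socket unavailable");

    if (geteuid() == 0 && drop_privileges(target_uid, target_gid) != 0) {
        perror("drop_privileges");
        return 1;                        /* never continue as root */
    }
    /* The descriptor opened while privileged stays usable after the drop. */
    printf("uid=%d euid=%d icmp_fd=%d\n", (int)getuid(), (int)geteuid(), fd);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Everything executed before `drop_privileges()` returns still runs as root, so the window is only as small as the code placed in front of it.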

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1549
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: aMule-mod Xtreme
« Reply #21 on: April 18, 2007, 01:22:55 PM »

Quote
The vast majority of NATs and firewalls usually allow outgoing ICMP pings and replies to these pings and handle them properly. Just 'cause without ping any network troubleshooting is sort of a nightmare. Usually this even requires no extra setup (for example, all SOHO routers I have seen allow outgoing pings and replies and handle this properly).

Almost all guys that maintain firewalls, and almost all howtos for iptables and other things that claim to be more than a personal firewall for Windows, and that isn't enough, because I do it that way, have one thing in common. They think that the best policy for a firewall, packet filter or whatever you like to call it, is: disallow everything, and then allow what you need. You are again talking about things you don't understand, and the fact that most SoHo routers are shipped misconfigured or unconfigured and you aren't able to change this doesn't tell anyone that this is the right way.

Quote
I cannot understand how these guys are troubleshooting their network, just in case

I don't want to repeat Kry or myself, but just don't talk about things you don't understand. When there are network troubles and ping is needed, it will be allowed; if not, it is disallowed. And whether you use ICMP or UDP makes no difference, because every port that is opened/natted or whatever different from closed is a possible security hole that can be avoided.

You want to surf, you can slow down or shut down aMule by hand.
Logged
Homefucking is killing prostitution

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: aMule-mod Xtreme
« Reply #22 on: April 18, 2007, 03:45:04 PM »

Also, ping... ping what? what should we decide to DDoS from aMule?
Logged

Lame_azz

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 15
Re: aMule-mod Xtreme
« Reply #23 on: April 18, 2007, 05:56:40 PM »

Quote
Almost all guys that maintain firewalls, and almost all howtos for iptables and other things that claim to be more than a personal firewall for Windows, and that isn't enough, because I do it that way, have one thing in common. They think that the best policy for a firewall, packet filter or whatever you like to call it, is: disallow everything, and then allow what you need.
Absolutely! So, those who firewall all things (including things they need to use) have to unfirewall the things they need. Nothing wrong here. If you need ping, do not firewall it, or unfirewall it if you already firewalled it. F__kingly simple conclusion, don't you think so?

Quote
You are again talking about things you don't understand, and the fact that most SoHo routers are shipped misconfigured or unconfigured and you aren't able to change this doesn't tell anyone that this is the right way.
Hmm, sounds like the typical "all people are idiots and I'm the only smart guy on this planet, blah-blah-blah". Who except you actually cares how YOU treat these settings? These settings are here, they will be here for a while and defaults will prevail anyway, no matter what you think about it. Even corporate firewalls often allow outgoing pings and replies to these pings. And SOHO routers do this as well. They only kill incoming ping requests. Seems to be a reasonable balance. Firewalls are basically intended to protect from a hostile outside environment, and not to cause lots of headaches to their legitimate user(s) by turning from a bastion intended to protect into a fortified jail intended to restrict.

Yes, if you're feeling paranoid you're ok to spend your whole life locked in an underground bunker. But don't be surprised that other people will find it ... er... a bit strange or inconvenient to spend their whole life locked in the bunker, even if this provides some extra security.

Quote
I don't want to repeat Kry or myself, but just don't talk about things you don't understand.
Excuse me, but paranoids and fascist admins do not seem to be good judges. Especially taking into account the simple fact that a fascist network setup with outbound ICMP disabled is very rare in the world. And well, usually in fascist environments admins firewall P2P way before this happens with ICMP. So you're basically talking about nothing. Or about your specific network setup. Not a very interesting thing anyway.

Quote
When there are network troubles and ping is needed, it will be allowed; if not, it is disallowed.
If you're so paranoid, you'd better approve each sent P2P packet manually as well ;D. You can even craft a rule for a packet and later ...er... delete it. The only prob is that you should do all this really quickly  ;). But again, you should not expect others to do the same.

In real life you probably will have a quite open ruleset for outbound packets when running aMule anyway. Probably you have to allow any DST and DST PORT in some places, yes? Or are you crafting rules for each remote peer individually, adding a few million rules to your firewall? What if Alice is on address X, port A, Bob on address Y, port B, John on address Z, port C, etc.? ... The only solution I see is to allow aMule outgoing packets to any DST IP and any DST port, at the very most restricting SRC IP and SRC port. So I see no gain in security whether outgoing ICMP is disabled or enabled for the aMule process.

So, what is your problem? If you don't need this solution, I do not insist that you allow ping on your firewall and use it. I'm pretty sure this option should be configurable and there should be a way to disable it, since there is no universal shit in this world and the feature can make someone unhappy (for example, on high-latency channels or channels where ping does not increase too much on channel saturation).

Quote
And whether you use ICMP or UDP makes no difference, because every port that is opened/natted or whatever different from closed is a possible security hole that can be avoided.
You want to surf, you can slow down or shut down aMule by hand.
Do it yourself please. As well as approve each and every P2P packet by manually crafting a rule to pass the packet and then, when it has passed, delete your rule. Actually you don't even need a firewall, since you can take over this role and approve all packets yourself.

And well, what should I do if there is more than one user on the router? Asking mother\sister\brother\boyfriend\girlfriend\wife\husband\dog\cat\mouse to throttle their aMule just because I want to surf is a pretty annoying option, don't you think so? (if not, go on and inspect each packet yourself :-\). Mods of eMule with pinging are pretty self-balancing. But that's not the case with aMule though  :'(

Quote
Also, ping... ping what? what should we decide to DDoS from aMule?
If you ask me what to ddos, I will offer some anti-P2P companies for example, RIAA seems to be a good target  ;). As well as these nasty P2P poisoners\flooders ;D. But well, enough kidding. Instead of attacking me, maybe you'd better take a look at any mod implementing this pinging and learn how it is implemented? As far as I can guess it usually pings the closest available ISP's router (this is surely enough to track channel saturation and provides proper results while avoiding ddos). Such a router usually has to pass all my data anyway; some small and rare pings are nothing compared to all my dataflow.
« Last Edit: April 18, 2007, 06:06:50 PM by Lame_azz »
Logged

wuischke

  • Developer
  • Hero Member
  • *****
  • Karma: 183
  • Offline Offline
  • Posts: 4292
Re: aMule-mod Xtreme
« Reply #24 on: April 18, 2007, 06:54:01 PM »

Quote
paranoids and fascist admins
Please be polite and do NOT insult anyone.

Reminder: You are here to request features you want to see in aMule. NO ONE is going to do anything if you take the code, write these features and follow the GPL when publishing (unless you harm the network).
But in order to persuade our fascist admins (read: main developers) it's of no use to insult them and other forum members (no matter how much of an asshole they are), but instead to answer their questions.

Quote
Also, ping... ping what?
The ISP.
Logged

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: aMule-mod Xtreme
« Reply #25 on: April 18, 2007, 06:56:05 PM »

Let's start with

http://en.wikipedia.org/wiki/Fascism

and then move back to the point where you can't ping unless you're root.
Logged

Vollstrecker

  • Administrator
  • Hero Member
  • *****
  • Karma: 67
  • Offline Offline
  • Posts: 1549
  • Unofficial Debian Packager
    • http://vollstreckernet.de
Re: aMule-mod Xtreme
« Reply #26 on: April 19, 2007, 12:22:28 AM »

Quote
Absolutely! So, those who firewall all things (including things they need to use)

You got it, it is NOT needed.

Quote
"all people are idiots and I'm the only smart guy on this planet, blah-blah-blah"

No, that's Kry, I just try to follow him.

Quote
Even corporate firewalls often allow outgoing pings and replies to these pings. And SOHO routers do this as well. They only kill incoming ping requests. Seems to be a reasonable balance.

Cool, so you can ping anyone you want. But don't forget, for them your pings are incoming ones and they'll never know about it. So you want to send requests but don't expect answers to measure something. That's no problem, but the result can be hardcoded. It will be 0.

Quote
In real life you probably will have a quite open ruleset for outbound packets when running aMule anyway.

Exactly 6 rules are enough.

Quote
Probably you have to allow any DST and DST PORT in some places, yes? Or are you crafting rules for each remote peer individually, adding a few million rules to your firewall? What if Alice is on address X, port A, Bob on address Y, port B, John on address Z, port C, etc.? ... The only solution I see is to allow aMule outgoing packets to any DST IP and any DST port, at the very most restricting SRC IP and SRC port. So I see no gain in security whether outgoing ICMP is disabled or enabled for the aMule process.

First I thought you know what a firewall is. You filter for src/dst - port/ip with protocol and some other criteria. Nothing more, nothing less. If you want to allow connections for processes, you need a Desktop "Firewall" (something like Zonealarm). But these things shouldn't be called so. Just code a NOP-Sled in an endless loop and you have the same effect (at least if you are not missing the fancy icon in your systray).

Quote
And well, what should I do if there is more than one user on the router? Asking mother\sister\brother\boyfriend\girlfriend\wife\husband\dog\cat\mouse to throttle their aMule just because I want to surf is a pretty annoying option,

What you should do is more than simple. Learn what a firewall is, how it works, and how to configure it, and use traffic shaping.
Logged
Homefucking is killing prostitution

Lame_azz

  • Approved Newbie
  • *
  • Karma: 0
  • Offline Offline
  • Posts: 15
Re: aMule-mod Xtreme
« Reply #27 on: April 19, 2007, 04:45:57 AM »

Quote
paranoids and fascist admins
Please be polite and do NOT insult anyone.
I'm using the same conversation style as my opponent. If he is willing to "label" me with a "sticker" ("you're stupid, you don't know, blah-blah"), I can do the same. If someone does not like his own conversation style, he has to reconsider it. I will do the same then.

Quote
Reminder: You are here to request features you want to see in aMule. NO ONE is going to do anything if you take the code, write these features and follow the GPL when publishing (unless you harm the network).
Yes, exactly. However, it is still a feature request forum so at least I can try, isn't it?

Quote
But in order to persuade our fascist admins (read: main developers) it's of no use to insult them and other forum members (no matter how much of an asshole they are), but instead to answer their questions.
Actually, it was not intended as an insult. This phrase was just used to show that security is only good up to some degree and you always have to find a balance between security and usability. The most secure way is to ban 0.0.0.0 - 255.255.255.255 and unplug the network cable for better reliability. However, this is hardly a usable solution. And well, if someone feels like a fascist (or why does he apply this phrase to himself, then?), thinks it's bad (or why is this treated as an insult?), maybe he has to change something in his life? :o

Quote
Let's start with
Nope, fascists are not my feature request, sorry. And well, I already told about pinging. Try to read again, you don't have to be root in all cases. If you do not want to implement the feature for any other reasons (for example you do not need it since all works ok for you without it, etc.) it is ok. However, I'm pretty sad to hear comments about aMule like "why does it saturate the channel and everything gets so slow? eMule was better!". I actually want to see Linux winning the battle. Not just to hear once more from users that "linux software is worse than windoze-based one, blah-blah". I do not want to hear users' comments like "windows was better" and "all good software is for windows, there is no good software for Linux!".

Quote
You got it, it is NOT needed.
It is not needed for you and in your network setup. Great. You can relax, have some beer, etc. So, why are you here at all, then? In my network setup pinging works better than a static setup. For those who can't get the clue, try to read direct text: THIS HAS BEEN TESTED WITH EMULE MODS IMPLEMENTING SUCH PINGING. And I liked how this works. That's why I'm requesting the feature. Can you understand this, after all? Of course nobody "strictly must" implement this. But I surely can admit I like how this feature works in eMule in my network setup.

Quote
Cool, so you can ping anyone you want. But don't forget, for them your pings are incoming ones and they'll never know about it. So you want to send requests but don't expect answers to measure something. That's no problem, but the result can be hardcoded. It will be 0.
Duh, only pretty dumb people can ping firewalled machines for a long time, I guess. And well, if you stop attacking me, take a look at mods implementing this feature, try to ping like they do, etc... well, practice shows that in most cases mods are able to find a reasonably close host to ping. And no, there are not 0 replies. Why? Try to read RFCs related to IP networking, this helps. Some "fascist" network setups may not be the case. But actually, ICMP is not "just one more thing to ban", it is used for a variety of legitimate reasons and is part of the standard. If someone wants to ban it, ok, he can. But he has to recognize the consequences. Maybe someone has forgotten, but ICMP was not invented for hackers. It has a dozen legitimate uses it was invented for. Try to read some RFCs related to IP networking, not just rule your firewall and blame me here ;)

Quote
First I thought you know what a firewall is.
First, I thought you had read some RFCs related to IP networking, but it looks like you have not. So what? If you read the RFCs, you will figure out that I can expect ICMP to work in the usual case, for example. I do not care about fascist setups. There are standards. That's all that really matters. If someone is willing to ignore them, that's their option, but they should not complain about some things not working in their setup then.

Quote
You filter for src/dst - port/ip with protocol and some other criteria. Nothing more, nothing less. If you want to allow connections for processes, you need a Desktop "Firewall" (something like Zonealarm).
Hey? IPtables can allow access taking into account PID (GID, UID, ... - read man iptables for example). I do not know if I can call it a "Desktop "Firewall"", but the option is still here. Of course this works only with IPtables on the local machine where the process resides, since you can't transfer information like PID over IP. So, remote firewalls have only packet headers to chew on and yes, there is no info about processes. Umm, well, you tried to say "all people are idiots..." once more here? Looks like it failed, sorry ;D

Quote
But these things shouldn't be called so. Just code a NOP-Sled in an endless loop and you have the same effect (at least if you are not missing the fancy icon in your systray).
Iptables has no icon in the system tray of its own. But will you blame it as well? Since it can take things like PID into account, therefore making per-process rulesets possible (as long as it runs on the same machine where the process resides, of course).

Quote
What you should do is more than simple. Learn what a firewall is, how it works, and how to configure it, and use traffic shaping.
Well, for those who have problems with reading I will repeat:
1) Local traffic shaping on my machine will not help, since there is more than one machine attached to the router and the local shaper is simply not aware of how other machines are using the channel at a given moment. Simple, yes? For example, if my machine runs aMule and someone on another machine browses, the shaper on my machine will have no idea that someone is browsing. Shaping will not happen.
2) My ADSL router runs altered (Linux) firmware with the "tc" traffic shaper built in. It relaxes things a bit, but this is a half-working and quite complex solution. I will repeat again: tc isn't damn great on a 256kbit upload channel filled with 1492-byte packets. And well, in my opinion this is not a solution but a dirty half-working hack which compensates for the lack of settings in aMule. And I can't recommend that everyone hack their routers to have tc running on the router itself so that it is able to account for ALL traffic from ALL machines. This requires firmware flashing and is unsafe for the "average Joe".

P.S. Uff, I'm tired of flaming. Maybe we should discuss features, not our networking knowledge?
« Last Edit: April 19, 2007, 05:05:03 AM by Lame_azz »
Logged

FreeToGo

  • Jr. Member
  • **
  • Karma: 3
  • Offline Offline
  • Posts: 65
Re: aMule-mod Xtreme
« Reply #28 on: April 19, 2007, 05:26:23 AM »

There has been a good technical discussion on "ping". Let's talk about whether the majority of Linux users could possibly use this function safely.

I knew that some Linux systems required privileged access to run "ping" and that a firewall could sometimes prevent ping from functioning properly.

But what I don't know is what the situation of the majority of Linux users of aMule is. Based on DistroWatch, the most popular distros nowadays are Ubuntu, openSUSE and Fedora. In Ubuntu, ping doesn't require root privileges. For openSUSE and Fedora, inputs from others are needed.

I see ping-based bandwidth control as a good option for aMule users. As long as it is an option, it should let users decide for themselves whether they want to enable it or not. Firewalls and root privileges could prevent some users from using the proposed new feature. But I still think that it is good to have this option if the majority could benefit from it. And most importantly, I want aMule to be the best Linux ed2k client.

 
Logged
You can mock me. I can take it.

Kry

  • Ex-developer
  • Retired admin
  • Hero Member
  • *****
  • Karma: -665
  • Offline Offline
  • Posts: 5795
Re: aMule-mod Xtreme
« Reply #29 on: April 19, 2007, 08:18:28 AM »

...

YOU CAN'T PING WITHOUT BEING ROOT, FOR FUCKS SAKE

YOU CAN'T.

CAN'T.

NOT ON UBUNTU, NOT ANYWHERE. YOU CAN'T.

THE PING BINARY IS SETUID ROOT.

PINGING IS NOT AN OPTION

READ MY SENTENCES.
Logged