About Something…

Bellinda Kontominas

March 13, 2007

AdvertisementAdvertisement

A SIMPLE dietary supplement may help improve concentration, memory and problem-solving in children.

Scans on four British children who took an omega oil supplement for three months showed their brains developed dramatically – by the equivalent of three years – over that period.

The four children in the pilot study on the effects of diet on young brains were aged between eight and 13 and were classified as overweight. They took two capsules a day of a supplement called VegEPA, which contains a combination of omega-3 and omega-6 fatty acids, found in fish, flaxseed oil and sunflower oil. They were also encouraged to cut down on fatty snacks and to exercise more.

After three months the children’s reading age had advanced by more than a year, their handwriting was neater and they paid more attention in class. The scans showed an increase in nerve fibres in their brain, said the lead researcher, Basant Puri, from London’s Imperial College. “It means you have more connections and greater density of nerve cells, in the same way a tree grows more branches,” said Professor Puri, whose study is yet to undergo peer

source: www.smh.com.au

What we will do in the situation where we want to access a node located behind a firewall, or locate in LAN behind a router. Quite impossible to access it. May be we can do port forwarding it the router to forward our packets to the target node, but we have to be the system administrator of the LAN to do it (or may be ask them to do).

However, if our target node is able contact us from the LAN, we still can access the node without disturbing our lovely system administrator. A tunnel between our node and the node will do the job. In this case, the tunnel is initiated by our target node. This is known as reverse tunnel.

Using ssh, you can set up this easily. Type the command as below:

# ssh -fNR [bind_address:]port:host:hostport] [user@]hostname

As example we want to access the target node (name: localhost) from our node (name: www.example.org). The port we want to access is port 22 and it will be accessible from our node at port 2222.

# ssh -fNR 2222:localhost:22 www.example.com

After that, the you are prompted password as usual. After successful login, the command quit but it will remains in background.

To access the target node, use our node to access the forwarded port (2222). So let say, if you want to ssh into the machine (because we have forwarded ssh port), we can use this command

# ssh localhost -p 2222

Then we will able to access the node in the LAN. This is valid for other ports as well. Cheers!

Bandwidth limit can be set up using WISPr Attributes. Two attribute can be used for this purpose, which is

1. WISPr-Bandwidth-Max-Down
2. WISPr-Bandwidth-Max-Up

These attribute must be define in radreply table or radgroupreply table. Operator := is commonly used, but I figure out that == operator can be use also.
Lets say we want to limit a user bandwidth to 256kbps for download and 32kbps for upload. So we define in the radreply table:

WISPr-Bandwidth-Max-Down := 256000
WISPr-Bandwidth-Max-Up := 32000

However, bandwidth limitation is not successful yet by just applying these attributes, this is because our network users session is being routed in two way to go to Internet, using NAS internal ip (in my case br0) and NAS tunnel (tun0). Seems the br0 interface have more priority than tun0, and it packets will always being routed using this interfaces. This is not good as the attribute we set is only applied to tun0 tunnel which is created by Chillispot.

To overcome the situation we must force all packets to be routed using tun0. We can apply some firewall rules to help us achieve this. Below is the rules I used.

# iptables -P FORWARD DROP
# iptables -F FORWARD
# iptables -A FORWARD -o tun0-j ACCEPT
# iptables -A FORWARD -i tun0 -j ACCEPT

So when I list back the policy for Forward Chain in the Iptables, I’ll get this:

# iptables -nvL FORWARD
Chain FORWARD (policy DROP 17 packets, 1088 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all — * tun0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all — tun0 * 0.0.0.0/0 0.0.0.0/0

By this rule, the bandwidth will be shape according to what we set in radreply/radgroupeply table. We can test this using iperf command.

So for the upload testing this is what i got:

$ iperf.exe -c 10.20.20.1 -i 10 -t 60
——————————

——————————
Client connecting to 10.20.20.1, TCP port 5001
TCP window size: 8.00 KByte (default)
————————————————————
[1912] local 10.0.1.4 port 3834 connected with 10.20.20.1 port 5001
[ ID] Interval Transfer Bandwidth
[1912] 0.0-10.0 sec 64.0 KBytes 52.4 Kbits/sec
[1912] 10.0-20.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 20.0-30.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 30.0-40.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 40.0-50.0 sec 40.0 KBytes 32.8 Kbits/sec
[1912] 50.0-60.0 sec 32.0 KBytes 26.2 Kbits/sec
[1912] 0.0-65.4 sec 264 KBytes 33.1 Kbits/sec

And this is for download test:

$ iperf -c 10.0.1.4 -i 10 -t 60
——————————

——————————
Client connecting to 10.0.1.4, TCP port 5001
TCP window size: 16.0 KByte (default)
————————————————————
[ 3] local 10.20.20.1 port 60918 connected with 10.0.1.4 port 5001
[ 3] 0.0-10.0 sec 568 KBytes 465 Kbits/sec
[ 3] 10.0-20.0 sec 312 KBytes 256 Kbits/sec
[ 3] 20.0-30.0 sec 296 KBytes 242 Kbits/sec
[ 3] 30.0-40.0 sec 312 KBytes 256 Kbits/sec
[ 3] 40.0-50.0 sec 288 KBytes 236 Kbits/sec
[ 3] 50.0-60.0 sec 264 KBytes 216 Kbits/sec
[ 3] 0.0-60.3 sec 2.00 MBytes 278 Kbits/sec

Finally, we managed to set up bandwidth limit for our network users. However, there is a problem in the way, traffic burst happens when everytime an object is retrieved from the Internet. Imagine a web page that contains 20 objects, there will be 20 traffic burst to happen. The traffic will make the traffic looks inaccurate when being test using bandwidth tester. Except, if we could excluded the beginning of the data transfer from the test, the bandwidth test will looks more accurate.

Sometimes a user session must be terminated. A lot of reason to do it and I leave it to you to choose what the reason is but I know someday you want to kill his session not for nothing. If you use icradius there is tools name as  radkill to do it. You also can use snmp protocol to kill him but there is an easier way for Freeradius user through radclient command.

root@salji:# radclient -h
Usage: radclient [options] server[:port] <command> [<secret>]
<command> One of auth, acct, status, coa, or disconnect.
-c count Send each packet ‘count’ times.
-d raddb Set dictionary directory.
-f file Read packets from file, not stdin.
-i id Set request id to ‘id’. Values may be 0..255
-n num Send N requests/s
-p num Send ‘num’ packets from a file in parallel.
-q Do not print anything out.
-r retries If timeout, retry sending the packet ‘retries’ times.
-s Print out summary information of auth results.
-S file read secret from file, not command line.
-t timeout Wait ‘timeout’ seconds before retrying (may be a floating point number).
-v Show program version information.
-x Debugging mode.

If the chillispot server is on the same machine as freeradius, we can run this command:

# echo “User-Name = raihan” | radclient -x 127.0.0.1:3779 status theradiussecret

If the command is accepted by server, you can get this output.

# echo “User-Name = raihan” | radclient -x 127.0.0.1:3779 status theradiussecret
Sending Disconnect-Request of id 63 to 127.0.0.1 port 3779
User-Name = “raihan”
rad_recv: Disconnect-ACK packet from host 127.0.0.1:3779, id=63, length=20

But firstly, You must starts chillispot server with this option, –coaport=3779 (or any port you desire) to make chillispot server accept your command.

# chilli –fg –coaport 3779

If the chillispot is separated from freeradius, the NAS wont have radclient command to do the job. But we can allow the chillispot to accept kill request from other nodes using –coanoipcheck option. Meaning, you can run the command from any machine, but with some security issue emerge. Well, some iptables rules  can fix it.

chilli –fg –coaport 3779 –coanoipcheck

This module is sligthly different than last module; The significant difference is in the query attribute where the sql query will calculate the time used by a user from the first access time of a user.
It will compare to Access-Period we define, and terminate a user session when the times expire.

Using this, we can limit a user access period for 1 day or 1 week from his first time he login using the a prepaid card.
The counter module we create is as below,

— snipped —
sqlcounter accessperiod {

counter-name = Max-Access-Period-Time
check-name = Access-Period
sqlmod-inst = sql
key = User-Name
reset = never
query = “SELECT UNIX_TIMESTAMP() – UNIX_TIMESTAMP(AcctStartTime) FROM radacct WHERE UserName = ‘%{%k}’ ORDER BY AcctStartTime LIMIT 1″
}

— snipped —

In the authorize section, we should include the module:

— snipped —
authorize {

preprocess
chap
mschap
suffix
eap
files
sql
pap
accessperiod

}
— snipped —

And as usual, we need to restart/reload the server to make the new configuration take effect.

Then for the radcheck table, we insert the appropriate attribute:

+—-+———–+——————-+—-+————-+
| id | UserName | Attribute | op | Value |
+—-+———–+——————-+—-+————-+
| 3 | user | Access-Period | := | 3600 |
+—-+———–+——————-+—-+————-+