From: Jon Radel <jon@radel.com>
To: freebsd-questions@freebsd.org
Subject: Re: OT: Selective routing and proxying
Date: Thu, 14 May 2020 15:49:43 -0400
Message-ID: <6050bc86-4b92-24ca-82bf-e0a1b4b4f3f2@radel.com>
List-Id: User questions <freebsd-questions.freebsd.org>

On 5/14/20 14:13, Aryeh Friedman wrote:
> My significant other's employer (a public university) has paid for
> subscriptions on many newspapers and other periodicals that normally are
> pay-walled and allows anyone on the campus network (or VPN to it) to use said
> subscriptions if you use the library's proxy server. There are other
> on-campus-only services that they want to also access, like virtual desktops
> and network drives. For privacy reasons we want to make it so only access to
> the said subscriptions and/or on-campus IT services is routed via the VPN
> connection/library proxy and all others go out our normal ISP. Note we
> also have another VPN connection to one of my clients that due to privacy
> regulations (HIPAA) must be used for all our work with them.
>
> What is the best way to handle all this? (Currently have 2 physical
> FreeBSD machines in the house and 2 more running as VMs and one Windows VM
> and one Windows physical machine... the VMs use bhyve)
>

It all depends:

* Are the VPNs you use relatively "open" ones, where if you know the IPsec parameters, PSK (pre-shared key), and your authentication information, it'll come right up? Or are we talking something with proprietary sauce carefully tied to an employer/client-owned laptop that won't work unless the security token is plugged in?

* Is the address space on the other side of all VPNs non-overlapping?

* How dependent are you on DNS working for names on the far side of the VPNs?
In the case of a fortunate answer to the first question, I'd personally use a FreeBSD VM, or a copy of pfSense either as a virtual appliance or one of their little physical boxes, to act as a router and firewall. Terminate the VPNs on the new router. Terminate your ISP connection on the new router. Then it pretty much becomes a very straightforward exercise in routing, with however much firewalling you want to add to force things to break if the "wrong" workstation tries to use the HIPAA connection, etc.

Unless the answer to question number two is unfortunate, in which case you'll have to do some NATing. I'd strongly consider 1:1 mapping to an otherwise unused chunk of RFC 1918 space, which should be easy to do on the edge router, except that....

....if you're dependent on DNS for services reached across either VPN, DNS will get a bit trickier. A lot of end-user VPN configurations are configured to force use of resolvers on the organizational network. It's the cleanest way to give the client machine access to names that map to private addresses on the other side. But that doesn't work so well when there are VPNs to multiple organizations that have no reason to coordinate access to DNS data. There I'd say it comes down to how complicated your needs are. If there are only a couple of names that need to work, it's probably easiest to just dump them into /etc/hosts on the various clients that need access. If it's more complicated, I'd be tempted to use dnsdist, which I've successfully used quite recently to "glue together" a unified view of DNS for client machines: RFC 1918 reverse lookups from here, .local from over there, the Internet at large via the filtering at OpenDNS/Cisco Umbrella, unless it's the mail servers, which would lose their little minds if you did that. Likewise, it would be a fairly easy configuration to forward .edu lookups across one VPN, .com across another, and send the rest to your ISP or Google or whatever you currently do. Writing a bit of Lua code to translate responses in a way that matches the 1:1 NAT would be somewhat more advanced, but I believe that's quite feasible (I've had to do some other weird rewrites in dnsdist, but not that).

But again, it all depends. You haven't even told us whether you use a managed switch that supports VLANs and/or have spare ethernet ports, never mind what your budget is.

And as always, any issues regarding the terms of the contract with the periodical subscription folks, or whether any of this would freak out some security officer somewhere who realizes that you've now exposed his stuff to all the users of your wifi AP, are between you and Not Me.

-- 
--Jon Radel
jon@radel.com
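A constructed pf.conf for the router layout sketched in the reply above: both tunnels and the ISP uplink terminate on one FreeBSD box, plain static routes pick the tunnel by destination, and pf fences the HIPAA tunnel off from every LAN host but one, with a 1:1 mapping ready for the overlapping-address case. This is an added example, not code from the thread; the interface names, address blocks and the workstation address are assumed placeholders.

```pf
# Constructed example: interfaces, address blocks and $work_ws are placeholders.
ext_if       = "em0"            # ISP uplink
lan_if       = "em1"            # home LAN
campus_vpn   = "tun0"           # tunnel to the university (library proxy, VDI, drives)
hipaa_vpn    = "tun1"           # tunnel to the client covered by HIPAA rules

lan_net      = "192.168.1.0/24"
work_ws      = "192.168.1.20"   # the only host allowed to use the HIPAA tunnel
campus_net   = "10.10.0.0/16"   # placeholder for the campus address space
client_net   = "10.20.0.0/16"   # placeholder for the client's address space
client_alias = "172.16.0.0/16"  # unused RFC 1918 block the LAN uses to reach the client

set skip on lo0
scrub in all

# Source NAT only for traffic leaving via the ISP. Which tunnel a packet takes
# is decided by static routes for $campus_net and $client_net (rc.conf
# static_routes); pf only polices who may use them.
nat on $ext_if from $lan_net to any -> ($ext_if)

# 1:1 mapping for the overlap case (question two): the LAN addresses the
# client's network as $client_alias and pf rewrites the network part of the
# destination. "bitmask" keeps the host part, so both blocks must be the same size.
rdr on $lan_if from $work_ws to $client_alias -> $client_net bitmask

# Default deny; later pass rules win because the last matching rule applies
# unless a rule says "quick".
block log all
pass out on $ext_if keep state
pass out on $campus_vpn from $lan_net to $campus_net keep state
pass out on $hipaa_vpn from $work_ws to $client_net keep state

# Force things to break for the "wrong" workstation: any LAN host other than
# $work_ws that addresses the client's space (real or aliased) is dropped and
# logged before any pass rule is considered.
block in log quick on $lan_if from ! $work_ws to { $client_net, $client_alias }
pass in on $lan_if from $work_ws to $client_net keep state

# Everything else from the LAN is admitted; routing sends campus traffic down
# $campus_vpn and the rest out the ISP.
pass in on $lan_if from $lan_net to any keep state
```

Check the block rule with `pfctl -vnf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to confirm that a second workstation's attempt to reach $client_net is logged rather than forwarded.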