Martin's Random Notes

Preparing a new Ubuntu VM Server

2012-01-04T15:25:00.003Z

Here is my crib sheet on setting up a new Ubuntu server, including notes on enabling Virtualisation. These notes include discussion of Kimsufi / OVH dedicated hosting, but the principles apply to all dedicated servers. I use Kimsufi because they are the only dedicated hosting provider that I can afford for non-profit purposes...
See also:-
    Ubuntu Server Guide: https://help.ubuntu.com/11.10/serverguide/C/
    Kimsufi KS series: Dedicated Hosting Prices:   http://www.kimsufi.co.uk/ks

1) Install base OS (Ubuntu 11.10 == November 2011)
This summary is based on Ubuntu Server 11.10. Normally I would use an LTS version of Ubuntu, but 10.04 LTS is missing the ability to shut down the guest VM's when the host server is rebooted.   So if you intend to host any VM's, then I would suggest using 11.10 until 12.04 LTS is released in April 2012.

In the case of Kimsufi / OVH hosting, this is simply a matter of using the web control panel or the MOMI desktop application to reinstall the OS. Choose "raw" OS distribution on the assumption that you want to control things yourself.   This will still include the RTM monitoring application, which is simply a CRON job that pushes status updates to the OVH servers every few minutes so that the web control panel shows up-to-date information about your boxes.

After the base install is finished on a Kimsufi / OVH box, you might want to change the random root password that was set during the automatic provisioning process. If you look at the shadow file before and after, it seems likely that the automatic provisioner uses an older version of crypt(3) for generating the hash. Setting a new password will replace the password hash with a "$6$" SHA one which should be harder to break by brute force. (On the other hand- the opposite viewpoint is: If an atttacker is in a position to read /etc/shadow, then your box has already been owned anyway. And given direct physical access - or access to the diagnostic netboot image via the web management GUI - they can just change the root password anyhow.)

If you have your own box, then just download the Ubuntu Server .ISO media, burn to a CD or DVD, and boot from that. Then do a basic install.

2) Enable password-less SSH logins
Typing in a password every time is insecure and tedious. So straight after installation, edit /etc/ssh/sshd_config and make sure root logins are enabled (true by default for Kimsufi/OVH installs) :-
    PermitRootLogin yes

Use scp to copy the public SSH key from your management workstations (e.g. ~/.ssh/id_rsa.pub) into /root/.ssh/authorized_keys2 on the server. Now execute "/etc/init.d/ssh restart" so that this takes effect. Then log out, and log back in to test passwordless logins.

Once passwordless logins are confirmed working, edit /etc/ssh/sshd_config to disable password authentication. This will stop lames trying to brute-force your SSH password all day long…
    PasswordAuthentication no
Run "/etc/init.d/ssh restart" again so that this takes effect.

Also in /etc/ssh/sshd_config … consider changing the listening TCP port to a non-default value:
    Port 22022
BUT, this seems to break virt-manager client (see below) so you might want to avoid that if your server will be hosting VMs.

Also in /etc/ssh/sshd_config … consider enabling a legal warning text for logins:
    Banner /etc/issue.net
where that file contains:
    WARNING: COMPUTER MISUSE ACT 1990
You will commit a criminal offence if you act outside your authority in relation to this computer.

To restart SSH after any config changes, you need to say:-
    /etc/init.d/ssh restart

If you'd like to change the messages shown at login time, change to the /etc/update-motd.d directory. On Kimsufi OVH systems, it's probably worth commenting out everything in /etc/update-motd.d20-ovh-informations (or just stick an exit near the top).   You need to reboot afterwards to test.

3) Patch the box
    apt-get -y update
    apt-get -y dist-upgrade
    reboot

4) Fix hostname, hosts file, DNS…Edit /etc/hostname and set your desired hostname in Fully Qualified Domain Name format.
Example:-
    www7.example.com

Edit /etc/hosts and add your hostname (by itself and in FQDN format) and your IP address.
Example:-
    1.2.3.4 www7 www7.example.com

Edit /etc/resolv.conf. Delete whatever crap is in it. Make it use Google's nice fast name servers:-
    nameserver 8.8.8.8
    nameserver 8.8.4.4

Edit /etc/network/interfaces and make sure IPv4 and IPv6 addresses, netmasks and gateways are correctly set.

Unless you want to act as a DNS server, remove bind:-
    apt-get remove bind9

Reboot.

5) Revert to stock Linux kernel If the hosting server uses your vendor's custom kernel (e.g. for Kimsufi/OVH servers) you need to revert to a standard kernel and standard grub settings. Otherwise you won't get regular security updates, and perhaps the VM hosting won't work so well.

Full details:
    http://neuro.me.uk/2009/09/20/revert-to-standard-ubuntu-kernel-on-ovh-or-kimsufi-servers/

Summary: (based on Ubuntu 11.10 on Kimsufi 2010 box)
    root@server:~# uname -a
    Linux server.fqdn 2.6.38.2-grsec-xxxx-grs-ipv6-64 #2 SMP Thu Aug 25 16:40:22 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

    root@server:~# rm /etc/grub.d/06_OVHkernel <-- This removes the grub template for OVH's Dirty Kernel

    root@server:~# apt-get -y install linux-server grub
    …
    Could not find /boot/grub/menu.lst file. Would you like /boot/grub/menu.lst generated for you? (y/N) y
    Searching for splash image ... none found, skipping ...
    Found GRUB 2: /boot/grub/core.img
    Found kernel: /boot/vmlinuz-3.0.0-14-server
    Found GRUB 2: /boot/grub/core.img
    Updating /boot/grub/menu.lst ... done

    root@server:~# ln -sf "/dev/sda1" /dev/root
    root@server:~# grub-install --recheck --root-directory=/ /dev/sda
    Probing devices to guess BIOS drives. This may take a long time.
    Installing GRUB to /dev/sda as (hd0)...
    Installation finished. No error reported.
    This is the contents of the device map //boot/grub/device.map.
    Check if this is correct or not. If any of the lines is incorrect,
    fix it and re-run the script `grub-install'.

    (fd0)    /dev/fd0
    (hd0)    /dev/sda

    root@server:~# grub
    Probing devices to guess BIOS drives. This may take a long time.

       [ Minimal BASH-like line editing is supported.   For
         the   first   word, TAB lists possible command
         completions. Anywhere else TAB lists the possible
         completions of a device/filename. ]
    grub> root (hd0,0)
    root (hd0,0)
    grub> find /boot/grub/stage2
    find /boot/grub/stage2
     (hd0,0)
    grub> setup (hd0)
    setup (hd0)
    Checking if "/boot/grub/stage1" exists... yes
    Checking if "/boot/grub/stage2" exists... yes
    Checking if "/boot/grub/e2fs_stage1_5" exists... yes
    Running "embed /boot/grub/e2fs_stage1_5 (hd0)"... 21 sectors are embedded.
    succeeded
    Running "install /boot/grub/stage1 (hd0) (hd0)1+21 p (hd0,0)/boot/grub/stage2 /boot/grub/menu.lst"... succeeded
    Done.
    grub> quit
    quit
    root@server:~# sync
    root@server:~# reboot
    …
    root@server:~# uname -a
    Linux server.fqdn 3.0.0-14-server #23-Ubuntu SMP Mon Nov 21 20:49:05 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

uname -a shows that the standard Ubuntu kernel is now running - good.

6) Install other Ubuntu daemons:

For accurate time keeping...

    ntpdate fr.pool.ntp.org        -> to fix the time initially
    apt-get install openntpd
    vi /etc/openntpd/ntpd.conf
    ->    set a single server (cdns.ovh.net) if using Kimsufi hosting,
        otherwise use your country's server pool e.g. fr.pool.ntp.org
    /etc/init.d/openntpd restart

NOTE: it is NOT recommended to run NTP daemons on VM guests, just on VM hosts.

For a basic web server with a database and PHP, you might want to install the LAMP daemons (linux apache mysql php).   You can do this from the SSH command line like so:
        tasksel
Just select LAMP Server. It will ask you for a MySQL root password.   That's it!   A working default config is installed.   But you probably only want to do that in VM guests, not in the VM host.

7) Install Virtualisation Support on Ubuntu Server

Documentation: https://help.ubuntu.com/11.10/serverguide/C/virtualization.html

We will install Ubuntu's default VM hosting package, KVM, on the server.

We can manage the VM's remotely via a secure SSH connection - either via the command line or via a GUI interface. For the GUI option, prepare an Ubuntu Linux client (desktop, laptop or VM) for remote VM management by installing the Ubuntu desktop operating system.    On this client machine, install the Ubuntu packages virt-manager and virt-viewer.
      sudo apt-get install virt-viewer virt-manager

OK, back to your host server.    First, check that it supports KVM :-
    kvm-ok
    The program 'kvm-ok' is currently not installed. You can install it by typing:
    apt-get install cpu-checker

    apt-get install cpu-checker
    …

    kvm-ok
    INFO: /dev/kvm does not exist
    HINT:   sudo modprobe kvm_intel
    INFO: Your CPU supports KVM extensions
    KVM acceleration can be used

    modprobe kvm_intel
    kvm-ok
    INFO: /dev/kvm exists
    KVM acceleration can be used

Good. Now install the virtualization server packages…
    apt-get install kvm libvirt-bin virtinst

At this point I would probably reboot for luck.   Then you're ready to get started.   You can use the virsh command line client to manage virtual machines on the server. But for initial setup you might want to use the GUI tool.   You'll need to have a recent Ubuntu workstation for this.

Make sure that the management workstation's public SSH key is in the authorised hosts file on the server (as detailed earlier).
Make sure you can SSH from the management workstation onto the server.
THE VM MANAGEMENT GUI WILL NOT WORK unless you can successfully SSH from your management workstation to your server on port 22.

From the management workstation, start up the virt-manager program. This is a GUI application that makes it pretty easy to build new VM guests. Start the Virtual Machine Manager GUI (if it's not in the menu, type virt-manager)….

    In virt-manager, use File / Add Connection to define a connection to your server host…
        Hypervisor type = QEMU/KVM
        Tick: Connect to remote host
        Method: SSH
        Username: root
        Hostname: your.server.fqdn

Once a connection is established, double-click on it to review the server's connection details.   Resist the urge to mess with the 192.168.x.x IP range (that's not actually used for production as far as I can tell).   But you will need to go to the Storage tab, and press the + button to add a new storage pool (because the default one is in a silly place with little free space). ..

Create a directory, owned by root, called /home/VMs.
Use the + button in the GUI to add this as the storage pool.
Use the X button in the GUI to delete the default one.
Alternatively you could do some diddling with symlinks if you prefer.
The Add Storage Pool dialog appears. Enter a pool name (default will do) and select "dir: Filesystem Directory" as the storage type unless you want to do something advanced (such as using raw disk partitions or iSCSI targets). Press Forward and the storage pool will be allocated.

At this point you SSH onto the server host, and fetch an .ISO image to install the VM guest from. For example:-
    cd /home/VMs/
   wget http://www.ubuntu.com/start-download?distro=server&bits=64&release=latest -O ubuntu11.10.x64.server.iso

The install CD will only take a minute to download from the lovely fast 100 megabit connection of a Kimsufi box. Awesome!

In the GUI window Storage tab, press the Refresh icon (next to 'Volumes') so that the .ISO media file shows up in the list.

OK, back to the main Virtual Machine Manager window…
    - Right-click on the Connection, and select "New". The 'Create a new virtual machine' dialogue appears…
    - Enter a name for the VM, click 'Local install media' (unless you want to import an existing VM image). Press Forward.
    - Select the .ISO file from the browse list.
    - Select the OS type and Version from the drop-down menu. Press Forward.
    - Confirm RAM and CPU allocations.   Press Forward.
    - Confirm the storage size (default 8 GB). Press Forward.
    - Tick "Customize configuration before install".    Also, expand the Advanced Options section.
        - Change 'Virtual default network (NAT)' to 'Specify shared device name'.
            - As 'Bridge Name', enter 'br0'
        - Tick 'Set a fixed MAC address' (if you are using Kimsufi / OVH hosting)
            - Copy the MAC address for this VM from the Kimsufi web manager Virtual MAC for VPS service dialog.
    - Press Finish.
    - There will be a delay of one or two minutes.
    - A new GUI dialog will appear, allowing you to review and customise the VM installation parameters. Similar to VMware.
    - Press Begin Installation to proceed.
    - A VNC VM server console window appears.   Click through the text-based menus to install Ubuntu Server as you normally would on your own PC.
    - IPV6 and DHCP auto configuration will fail. Select 'Do Not Configure The Network At This Time'.
    - In the disk partitioner, select 'Guided - use entire disk'.
    - Select OpenSSH Server when prompted for which packages to install.

Once installed, the VM will reboot with amazing speed. You will be able to control it through the VNC-based console window in Virtual Machine Manager. Your first action will be to log in on this console and fix the /etc/network/interfaces file (see section 8 below - especially if using Kimsufi / OVH hosting), then reboot the VM.

You can also connect to the VM guest console of an existing VM without using virt-manager.
Syntax:
    virt-viewer --connect 'qemu+ssh://root@server.example.com/system' vm1
where vm1 is the name of your VM guest.   Note that virt-viewer is quite slow - being based on VNC - but it's good enough to let you onto the VM guest console so that you can fix network settings in order to fix things so that SSH works (see next section).   But you may prefer to enable a proper text-mode virtual serialconsole - see later section in this guide ("HOWTO: Enable text-mode VM guest console").

8) Fixing the IP Routing for the VIrtual Machines (Kimsufi OVH Hosting only)
OVH uses a weird system whereby you can request extra IP addresses (failover IPs) which can then be used by your VM guests. However, those IP's don't lie within the same IP subnet as your host server.   So your host server has to run its network interface in Bridge Mode, otherwise the OVH switching/routing infrastructure won't route traffic to and from those extra IP addresses.

So on Kimsufi / OVH hosting, you need to start off by requesting those extra "failover" IP addresses - which will incur a small extra monthly fee. Use the Kimsufi Web Manager to do this. It takes a few minutes to work for each extra IP. You need to request a failover IP address and after that, you need to request a Virtual MAC.   In the web manager, use "Associate a virtual MAC to an IP address".

References:
    http://help.ovh.co.uk/BridgeClient
    http://help.ovh.com/DedieMac

For this to work, on the hosting server, we need to edit /etc/network/interfaces. Comment out what's there and replace the 'eth0' references with 'br0' references. This is necessary for your VM guests to successfully route traffic to the Internet (because of the unusual routing config at OVH).

For my VM server machine's /etc/network/interfaces, I ended up with:-

    auto lo
    iface lo inet loopback

    #auto eth0
    #iface eth0 inet static
    #    address 91.121.7.8
    #    netmask 255.255.255.0
    #    network 91.121.7.0
    #    broadcast 91.121.7.255
    #    gateway 91.121.7.254

    #iface eth0 inet6 static
    #   address 2001:41D0:0001:5A08:dead:beef:cafe:f00d
    #    netmask 56
    #   gateway 2001:41D0:0001:5AFF:00FF:00FF:00FF:00FF

    auto br0
    iface br0 inet static
        address 91.121.7.8
        netmask 255.255.255.0
        gateway 91.121.7.254
        bridge_ports eth0
        bridge_fd 9
        bridge_hello 2
        bridge_maxage 12
        bridge_stp off

    iface br0 inet6 static
        address 2001:41D0:0001:5A08:dead:beef:cafe:f00d
        netmask 56
        gateway 2001:41D0:0001:5AFF:00FF:00FF:00FF:00FF

By the way, the example above includes IPV6 support, which you might or might not need. But it's the way of the future of course.   The gateway is perhaps a bit non-standard at OVH: it generates warnings about not matching the 56-bit net mask, but this seems to be by design, and it does work OK.

So… Edit your /etc/network/interfaces file accordingly and reboot the box. If you can't log back in after 2 minutes, you've got something wrong, and you'll have to boot the box from a rescue image so that you can edit the file again and fix it. On the Kimsufi hosting boxes, you can net boot into a recovery image via the web manager - it just takes a while (it always does a full FSCK first, annoyingly).

Note that some web servers may not start when you reboot. The Mathopd web server failed to listen on 0.0.0.0 presumably because it started before br0 was fully initialised. That could probably be fixed by tweaking the daemon startup order, but a quick fix was to change the ListenAddress in Mathopd from 0.0.0.0 to 91.121.7.8.   However, for maximum security, you should probably avoid running web servers (etc) in the VM hosting server OS.   It is better to run them in the VM guests, so that any compromise of such a service only destroys the VM guest, not everything on the physical box.

When we've done an initial installation of a VM guest (see above), we will need to go onto the guest VM console and edit the guest's /etc/network/interfaces file to match. My first guest had the following config in /etc/network/interfaces…

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto eth0
    iface eth0 inet static
        hwaddress ether 02:00:00:ab:af:f5
        address   178.32.50.87
        broadcast 178.32.50.87
        netmask   255.255.255.255
        post-up   route add            91.121.7.254 dev eth0
        post-up   route add default gw 91.121.7.254
        post-down route del            91.121.7.254 dev eth0
        post-down route del default gw 91.121.7.254

    iface eth0 inet6 static
        address 2001:41D0:0001:5A08::3
        netmask 56
        gateway 2001:41D0:0001:5AFF:00FF:00FF:00FF:00FF

That is, as far as the Guest VM is concerned, his network is /32, and his default route is the same router that the host VM sees directly connected on eth0 (even though you would think that the router was not in the right subnet). Of course you will need to set the IP addresses and MAC (hwaddress) to match your own allocations from Kimsufi/OVH.

If troubleshooting is necessary to get guest networking working, use the VM Guest console, and remember to check the usual files are all correct:-
    /etc/networks
    /etc/network/interfaces
    /etc/hostname
    /etc/hosts
    /etc/resolv.conf
    /etc/udev/rules.d/70-persistent-net.rules

When the VM guest is working, SSH into it, and execute:-
    apt-get install acpid
This ensures that it responds to virtual power off events. In other words, it will close down cleanly when you reboot the host server (e.g. to apply new security updates).

You may also want to disable the non-privileged user account created during setup, after setting a root password and enabling passwordless SSH logins as for the host server. Of course you'll now need to set up the basic things on the VM guest, just as you did on the VM host.

HOWTO: Enable text-mode VM guest console

You can set up a virtual serial port as a much nicer (much faster) text-based alternative to the VNC-based console offered by virt-manager / virt-viewer.   Like the VNC console, it will still work when SSH doesn't (e.g. because you've got something wrong in a config file).

Reference:
    http://blog.codefront.net/2010/02/01/setting-up-virtualization-on-ubuntu-with-kvm/

In ubuntu 11.10, everything detailed in the Reference was already set up by default, except the definition for /etc/init/ttyS0.conf.

Getting a virtual serial console to your VM from the Host Server

    - SSH onto the VM server. Edit the VM’s settings:
        virsh edit billiejean

    - In the [devices] block, add (if not already present, as is the case on recent versions):
        serial type='pty'
              target port='0'/
        /serial

    - SSH into the VM guest and create a file /etc/init/ttyS0.conf containing:-
       start on stopped rc RUNLEVEL=[2345]
           stop on runlevel [!2345]
       respawn
           exec /sbin/getty -8 38400 ttyS0 xterm-256color

    - Restart your VM:
        virsh stop billiejean
        virsh start billiejean

     - Verify the console works by opening a console to the VM from the server:
             virsh console billiejean
    You may have to hit “Enter” before you see any console output. After editing files you may find you need to execute "clear ; reset" on the command line if the display won't scroll properly.

HOWTO: Take a rapid VM Snapshot before applying system updates or changes

I don't like to apply a load of security updates unless I can roll back the system quickly in the event of problems.   Happily this is pretty easy with Ubuntu Server VM's.   However, you will first need to convert your VM image files from the default RAW format to the compressed QCOW2 format. This is a bit slower than RAW, but it does offer Snapshots.   A Snapshot is a point in time, stored inside the image file, that you can roll back to using the virsh command.

To convert a VM image file to QCOW2 (Copy On Write) format:-
    qemu-img convert -f raw vm21.img -O qcow2 vm21.img.qcow2

This command will take some minutes to execute (depending on the size of the VM).    The QCOW2 file will be smaller than the original, as it does not store unused areas of the virtual disk.

To take a snapshot, use a syntax like this:-
    virsh snapshot-create vm3

If your VM3 VM image is in RAW format rather than QCOW2 format, the snapshot-create command will fail with:
    error: Requested operation is not valid: Disk 'vm3.img' does not support snapshotting

To change the VM definition to use QCOW2, first use qemu-img as shown above to make a QCOW2 version of the VM.   Then use 'virsh edit vm3' (for example) rather than editing the file from Linux directly. That way, the VM software will know about the change. You want to find a line below "disk .." like this:-
    driver name='qemu' type='raw'/
    source file='/home/VMs/vm21.img'/
and change this to:    driver name='qemu' type='qcow2'/
    source file='/home/VMs/vm21.img.qcow2'/

To manage the snapshots, you can use 'virsh snapshot-list', 'virsh snapshot-restore', 'virsh snapshot-delete' (etc).

Note! The Snapshots are not external files. They are stored within the QCOW2 file itself. So, they are an easy way to image a virtual box before applying system updates (etc) so that you can quickly revert back. But for an external backup, the easiest thing is probably to shut down the VM, and take a copy of the whole QCOW2 file so that you can then restart the VM, and then copy the backup file to another server.

Note! "virsh snapshot-create vm23" took over 20 minutes on a running (but idle) guest VM. During this time, the VM guest did not respond via the network. It is very much quicker to say:
    virsh
        shutdown vm23
        (wait for 15 seconds for it to close down)
        snapshot-create vm23
        start vm23

Booting a VM is much faster than booting a real box. So there's no advantage that I can see in snapshotting a running box.

HOWTO: Clone an existing VM

Let's say you've built a nice VM guest environment and you want to be able to make a copy of it, so that you can use it as a template for other instances. There are several ways to make the clone…

First, obtain a new IP address (and MAC address if necessary).   For example on Kimsufi/OVH hosting, you need a new "failover" IP and a corresponding new virtual MAC ready (see above).

Now, SSH onto the server and issue the shell command "virt-clone" (see below).
    - I don't recommend using the GUI (virt-manager) as you end up with daft filename (vm1-clone) that then needs changing.
    - You might try the clone command in "virsh" (but close down the virt-manager GUI first, or it will get confused).
    - With virt-clone, you can copy the VM image and change its MAC address in one go:-
     virsh shutdown vm1
     virt-clone -o vm1 -n vm2 -f /home/VMs/vm2.img --mac 02:00:00:47:f4:da
     virsh start vm1
    - There are config files in /etc/libvirt/qemu and /var/lib/libvirt. These are best edited using "virsh edit vmname".
    - You may have to restart /etc/init.d/libvirt-bin daemon after any changes made by hand in external editors.

How do we then edit the /etc files to personalize the cloned VM?
i.e.
    /etc/networks
    /etc/network/interfaces
    /etc/hostname
    /etc/hosts
    /etc/udev/rules.d/70-persistent-net.rules

Well you have three choices…

    A. Boot the clone (alone to avoid IP clash), edit over SSH, then reboot;
or
    B. Boot the clone (alone to avoid IP clash), and use the remote console for editing the files.
or
    C. Mount the clone's filesystem from the VM host, and edit/fix before booting it
    example:
     modprobe nbd max_part=63
     qemu-nbd -c /dev/nbd2 /home/VMs/vm2.img
     mkdir /mnt/vm2
     mount /dev/nbd2p1 /mnt/vm2
        .. edit files in /mnt/vm2/etc/...
        umount /mnt/vm2
     qemu-nbd -d /dev/nbd2
Option C is probably best.

Multi-WAN + Multi-LAN + No-NAT routing with pfSense 2.0.1

2012-01-02T14:22:00.001Z

This notes summarise how to run multiple No-NAT LAN and WAN connections using version 2.0.1 of pfSense (an excellent open-source routing/firewalling appliance operating system). My setup didn't work out of the box initially, so I thought it was worth writing up a summary of the settings that are now working here.

If you are running NAT (boo!), or if you want to do load-balancing rather than policy-based routing, then these notes are probably not for you.    The official pfSense "Multi-WAN 2.0" documentation is at http://doc.pfsense.org/index.php/Multi-WAN_2.0

The beauty of pfSense 2.0.1 for multi-WAN setups is that you can define as many Gateway Groups as you like. You use these Gateway Groups in your outbound firewall rules to define your outbound routing & failover policies. In my case, there are several internal LANs, each with its own outbound Gateway Group. But in a simpler setup, you could have just one internal LAN, but define your outbound firewall rules to use different Gateway Groups for different computers and other devices (by source IP address) and/or different applications (by destination TCP port).

Summary of Connections

My setup uses a Soekris NET5501 low-power computer with 4 Ethernet ports as the combined firewall/router running pfSense. To conserve Ethernet ports while allowing separation of different internal networks, all the internal networks leave the firewall on a VLAN trunk. This trunk connects to a Cisco Small Business SG200-26 switch. Both the Soekris and the Cisco switch are fanless, which makes for total silence and very low power consumption.   The Soekris boots pfSense from a CompactFlash card, so hard disk failures do not occur.

No other routers are used here: my pfSense system controls all the internet uplinks itself, using two ADSL modems plus a 3G dongle.

My WAN links are as follows:

    ▪    1 x ADSL PPPoE via BT 20CN to ISP AAISP ( http://aaisp.net.uk/broadband.html )
    ▪    1 x ADSL PPPoE via BT 21CN to ISP AAISP
    ▪    1 x 3G/UMTS PPP via 3UK   to ISP AAISP ( http://aaisp.net.uk/telecoms-mobile-data.html )

AAISP customers: there is a Bonding Lines KB article at http://aaisp.net.uk/kb-broadband-bonding.html

My LAN networks are as follows:

    ▪    VOIP subnet - where my Asterisk telephone system lives - with full ingress and egress filtering
    ▪    HOSTING subnet - where my web & mail servers live - with full ingress and egress filtering
    ▪    INTERNAL subnet - where all the household computers and handheld devices live - full ingress filtering
    ▪    PENTEST subnet - for running security audits - with no filtering.

All three WAN links terminate at Andrews & Arnold (www.aaisp.net.uk) who offer true unfiltered no-NAT connections, with free blocks of public IPV4 and IPV6 addresses.    For now I'm only using IPV4, as the IPV6 support in pfSense 2.0.1 isn't ready for production use.   The sister project Monowall offers full IPV6 support but currently lacks the multi-WAN capabilities of its sibling pfSense.

My 3G/UMTS link is just an old HUAWEI USB 3G modem with an AAISP Data SIM card in it. This is used as a failover connection, in case both the ADSL lines fail at the same time.   The SIM card only costs £2 per month to rent, but the data costs 2.5p per megabyte, so it's only used during failover.

Each LAN subnet has its own static IP address block, so there is no NAT anywhere in the system. NAT is evil: it tends to break certain applications, and makes debugging unnecessarily difficult. You don't need NAT if you use a proper ISP that doesn't charge for IP addresses.   (And no, NAT is not a security feature. For security, you need a firewall that offers ingress and egress filtering, not simply address rewriting.)

Routing Principles: Multi-WAN, Multi-LAN, No-NAT...

My setup depends on all three Internet connections correctly routing the same static IP address blocks. AAISP has a control panel that lets you specify which IP blocks should be routed down each of your lines. You can specify primary, secondary, tertiary (etc) routing to say what you want to happen when any given link or links fail.   This only affects the downstream direction (from AAISP to you). The upstream direction is of course up to you: that's where pfSense's Multi-WAN policies come into play. AAISP will accept packets from any of your links for any of your IP addresses.

You can choose whether to spread all your traffic across all of your lines (depending which boxes you tick). If you do that, then AAISP will weight the traffic according to the speed of each line.   In my case, I like to reserve one ADSL link for VOIP traffic, and use the other ADSL line for everything else. That way, I normally get perfect VOIP quality, but if one ADSL line fails, then all applications will share the remaining ADSL line. The 3G link is only used if both ADSL links fail.

In addition to the static IP blocks, each WAN connection has its own static IP address which is where the PPP session terminates. You wouldn't normally do much with these individual static IPs, but you might choose to terminate VPN endpoints on them in pfSense.

The ADSL lines connect to Draytek Vigor 120 modems, which convert ADSL frames to PPPoE frames (phone line in, ethernet out). This reduces the usable MTU to 1492 bytes. pfSense does TCP MSS clamping by default, so there's no need to adjust MTUs on the computers.

In theory, using ADSL modems rather than ADSL routers means that the pfSense firewall knows all about the state of each ADSL line (as it's doing all the routing itself). In practice (at least with pfSense 2.0.1) when an ADSL line loses PPP sync, this doesn't seem to trigger the failover policy rules in pfSense, so some ICMP ping targets are necessary to make the failover policy rules fire.   I'll come onto this shortly.

Settings used in ISP control panel on www.aaisp.net.uk

NOTE: If you can't see all of the in-line screen shots, you need to make your window bigger (thanks Blogger)...

On each ADSL line (click on the telephone number) :-
    ▪    Tick "Rate: 90%" (reserves space on downlink for short UDP frames i.e. VOIP)
    ▪    Tick "MTU1492" (does MSS clamping to avoid creating pMTUd blackhole on misconfigured websites)
    ▪    Tick "FastTimeout" (speed up failover on loss of sync on one ADSL line)

On each IP address block (click the IP address block e.g. 217.x.x.x/27) :-
▪ Tick the lines under "IP Routing", "IP Routing3", and "IP Routing3" to show where to route each IP Block

Settings used in pfSense firewall/router web GUI

NOTE: If you can't see all of the in-line screen shots, you need to make your window bigger (thanks Blogger)...

GUI Section: "Interfaces/Assign"

▪ Set up Ethernet ports and VLANs ...

▪ Define the ADSL lines (PPPoE) …

▪ Define the 3G/UMTS link (PPP) ...

GUI Section: "Interfaces", "Interface Groups"

▪ Define one group called INTERNET for all internet-facing links.

▪ This group is then used for setting up firewall rules for all incoming traffic

GUI Section: "System/Routing/Gateways"

▪ Name each outbound gateway (I just used the underlying Interface name)

▪ Edit each Gateway in turn, and set Monitor IPs and advanced threshold parameters (latency, packet loss, etc) for each gateway.

▪ DO NOT select any of the gateways as the Default Gateway (see below).

▪ Note that different Monitor IPs are needed for each line. (You might not need Monitor IPs if each gateway has a different IP at the ISP end, but that's ISP-specific.)

▪ The Latency (etc) parameters will be different for 3G dongles, compared with ADSL lines.

GUI Section: "System/Routing/Gateway Groups"

▪ Define named gateway groups, for outbound routing purposes. Each named Group defines an order for trying to get outbound packets to the Internet...

    ▪    Failover only works if the right parameters are set, for example:-

GUI Section: "Firewall rules" (incl 'internet' gateway set)

    ▪    Set outbound egress firewall rules using named gateway groups in the Gateway column (see below). This ensures that outbound traffic takes correct route(s) so that different kinds of traffic go out through the interfaces you require. This also makes failover work!

    ▪    Remember to set the inbound firewall rules under the INTERNET interface group (we created that earlier). This means you don't need to bother setting inbound firewall rules for each internet-facing interface.

    ⁃    for example, my main LAN uses "Surfing_GW" (ADSL line 4, failing over to ADSL line 1, failing over to the 3G dongle) except for certain hosts such as digital TV boxes :-

▪ To give another example, here are the egress ACLs (outbound firewall rules) for my VOICE network. Notice how the rules can use alias names for particular internal and external hosts. These aliases map to fixed IP addresses in the pfSense GUI.

Overall, it all seems to work quite well. Failover isn't totally transparent though. There are a few seconds of disruption during failover. I'm not sure whether the stateful firewall rules allow replies to continue to arrive following a failover event, so things like audio streams may need to be restarted.

Failover seems to work fairly well but there are still some occasional problems with Gateway Group priorities not being restored after all the gateways come back up. So for example, if my voice traffic fails over to ADSL_L4, it won't necessarily revert to ADSL_L1 after L1 comes back up.

There is a tick box under "System / Advanced : Miscellaneous", called "Gateway Monitoring States":

"By default the monitoring process will flush states for a gateway that goes down. This option overrides that behavior by not clearing states for existing connections."

It may be best NOT to tick this box, otherwise the firewall rules may still try to force traffic down gateways that are down.

Hopefully there may be some subtle Multi-WAN improvements to come in pfSense 2.1 and later versions.

HOWTO: Disable touchpad when mouse is plugged in

2011-12-03T10:32:00.004Z

My Dell M4400 laptop runs Ubuntu Linux 10.04. When writing reports, I kept making mistakes due to hitting the trackpad during typing. To solve this problem, I'm using this script to disable the touchpad when my favourite mouse is plugged in. When the mouse is unplugged, the script restarts the touchpad. Very nice.

To use the script, first edit the script to check for the USB ID of your favourite mouse. Then run the script manually in the Terminal to check it works. If all is well, you can start it automatically at login by copying it into /usr/local/bin and adding this command under your System / Preferences / Startup Applications menu:
    /usr/local/bin/mouseSwitcher.sh >/dev/null 2>/dev/null &

For the sake of completeness, here is the script from the Ubuntu forum post linked to above. I've added a comment or two and set my own mouse ID up, and fixed a bug relating to breeding syndaemon processes that eventually stopped X running. Otherwise it's as the author wrote it.

BTW, rather annoyingly, syndaemon doesn't actually work on my Dell M4400 with Ubuntu 10.04. It's supposed to disable the trackpad for a second or two whenever you're typing. But I thought I'd leave it in anyway as it will probably work on other hardware.

#!/bin/bash
#
# Toggle touchpad on and off
# Tested on Ubuntu 10.04
# Author: Heath Thompson
# Email: Heath.Thompson (0at0) gmail.com
#
# NOTE you need to edit line 38 to match your mouse ID!!
#
# For startup wait for desktop to load first.
while true
do
    if ps -A | grep gnome-panel > /dev/null;
    then
        echo 'X loaded'
        break;
    else
        echo 'X not loaded, waiting...'
        sleep 5
    fi
done
#
# Check to see if appletouch is running
# if lsmod | grep appletouch > /dev/null;
# then
#     echo " * Appletouch enabled";
# else
#     echo " * Appletouch either not working or not installed"
#     killall mouseSwitcher.sh
# fi

killall syndaemon

while true
do
        # 'xinput list' will list all input devices x detects
        # I could reference my usb mouse by ID but I'm afraid that if I plug
        # another device in before my mouse, it might not have the same ID each
        # time. So using the device name makes it relatively fail-safe.
        if xinput list 'HID 04b3:310b'; #EDIT THIS LINE TO MATCH YOUR MOUSE ID
        then
                # Found my usb wireless mouse
                # Disable everything on the Touchpad and turn it off
                synclient TouchpadOff=1 MaxTapTime=0 ClickFinger1=0 ClickFinger2=0 ClickFinger3=0;
                # Ends all syndaemon capturing which may have been used to monitor the touchpad/keyboard activity
                killall syndaemon
        else
                # My usb wireless mouse isn't present we need the touchpad
                # Reenable Touchpad and configure pad-clicks
                # RTCornerButton is the Right Top Corner on the touchpad
                #       The value 3 maps it as the right click button
                # RBCornerButton is the Right Bottom Corner on the touchpad
                #       The value 2 maps it as the middle click button
                synclient TouchpadOff=0 MaxTapTime=150 ClickFinger1=1 ClickFinger2=2 ClickFinger3=3 RTCornerButton=3 RBCornerButton=2;
                # Forces break of touchpad functions while typing if the touchpad is enabled.
                # Adds a 3 second interval following keyboard use which helps to prevent the
                # mouse from jumping while typing & resting hands on restpad or the touchpad
                # (Fix: only start syndaemon if we haven't already done so since last change of state.)
                if ! pgrep syndaemon >/dev/null ; then syndaemon -i 3 -d; fi
        fi

        # wait 2 seconds and poll the mouse state again
        sleep 2
done

sleep 15

An alternative approach is to make use of the udev framework to detect the USB mouse being connected. This is documented here and here.

Mac OS X Lion: Saved Versions considered harmful

2011-11-28T20:55:00.003Z

Lion has a new feature designed to take safety copies of files you are editing.   But this isn't a good idea if you edit confidential documents, as it will result in copies of your sensitive documents spreading beyond the folder you put them in. There's no easy way to disable it..

The idea is that Lion will keeps a local backup in a special place on your disk. Any application compliant with this new scheme will have a little triangle next to the filename in the window title bar, allowing you to browse different saved versions (using the Time Machine 'Star Wars' GUI).   Also you will notice that "File/Save" has become "File/Save a version".

Annoyingly, this means that the hidden folder /.DocumentRevisions-V100 contains extra copies of every file you've edited with a recent Apple application. See this Reg article for more details.

So, how to disable automatic document backups?

Some commentators are wrongly suggesting that opening up a Terminal window, and using the command sudo tmutil disablelocal will stop new file copies being created in /.DocumentRevisions-V100. That is incorrect. The tmutil disablelocal command refers to local backup files that are taken between runs of Time Machine. That's not what I'm seeing on my iMac.

As a workaround, at your own risk, you might try opening up a Terminal, and executing the command:-

cd /
sudo rm -rf .DocumentRevisions-V100

That will delete any lingering unwanted backup copies of your documents. But the next time you use a Versions-aware application, the directory structure will be re-created, and the madness will start again. Well done Apple! You've just given corporations another reason not to use your products.

PS: If you worry about due diligence (whether for commercial reasons, or to keep personal data safe from computer thieves etc) then you should be using Lion's new Full Disk Encryption feature.    See System Preferences / Security & Privacy / FileVault.   Set this to encrypt the whole system volume. On the plus side, this means that once your computer is switched off, no-one can access the hard drive without a valid password (not even if they boot from a LiveCD).   On the minus side, it means you lose everything if you forget your password.   This is the most secure solution: it's much better than just encrypting your home directory.

PPS: If you use FileVault full disk encryption, you need to think about how your backups are protected.   If you use Time Machine to make backups, then you need to tick the box to encrypt them (System Preferences / Time Machine / Select Disk / Encrypt backup disk).   If the tick box is greyed out, then you are probably using an external network drive to hold your backups.   In this case, I recommend that you use Disk Utility to create a "spare encrypted image" on the external backup drive.   Make a point of mounting the encrypted image before you take a Time Machine backup, and dismounting it again afterwards.

PPPS: Need to lend someone your MacBook to surf the web? If you want to keep your files private, log out, and click the icon to reboot the box into secure mode. They won't be able to save or print anything - but if they just want to surf the web, maybe that's a good thing.

Gmail Contact Sync: Mac, iPhone, iPad... [UPDATED]

2011-10-15T09:57:00.003+01:00

How to keep your address book synchronized across an iMac, MacBook, iPhone and iPad...

Easy when you know how - but step 3. had me fluxmoxxed until I spotted it!

Set Gmail as your Sync source in the Address Book on the Macs.
On iPhone and iPad, select Exchange sync, and ensure contact sync is turned on.
On the Macs, press the task bar icon showing a circle with two arrows

Now click Sync Now.
If Sync Now isn't offered (Sync is Disabled instead), then open the iSync application and re-enable sync. You may need to disable syncing with a non-existent device: I had an old Nokia phone set to sync over bluetooth, and now that phone has gone, it was simplest to just disable sync for that handset rather than waiting for iSync to time out on it.

With iOS 5, you also have the option of using the iCloud to sync all your Apple devices together, instead of using Google.   I will try this sometime, as I have found that using Google to sync your contacts has limitations. Specifically, if you create a Contact in the Mac Address Book application, then you are limited in what labels each phone number can have (if it is to sync successfully to the hand-held Apple devices).

On iOS 5 devices, you can force an early Contacts sync by opening Contacts, then pressing the left arrow if necessary to get to the Groups view. Then press the refresh icon (curly arrow button) in the top left of the screen.

Using Google for your Contact Sync, a Contact can use fields with the following labels (set in the Mac Address Book application) :-
    - Home
    - Work
    - Mobile
    - Home fax
    - Work fax
    - Notes.

But, don't use these labels (as they don't sync to your iPhones etc) :-
    - Main
    - iPhone
    - Other
    - "Custom" ones (that you make up in the Address Book program)

Also, don't use enter more than one number with the same label (as they don't all sync to the iPhones). So where people have two mobile numbers, the second mobile needs to be entered as 'Home fax' (say).

Presumably, these limitations arise from the Mac Address Book contact data being adjusted to match Google Contacts when changes are uploaded. But if we use iCloud, then presumably by virtue of being an Apple-only solution, it shouldn't matter what labels you assign to each phone number - as there shouldn't be any cross-vendor field mapping translations going on during the Sync process.

Can anyone confirm whether iCloud is better than Google Contacts in this regard?   That is, if you use iCloud, do all possible field labels sync correctly across all Macs, iPhones, iPads and iPods Touch?

See also my other post about keeping email folders in sync:
http://martins-random-notes.blogspot.com/2011/01/gmail-push-instant-notification-of-new.html

Accessing an Ubuntu desktop from Mac OS X Lion [UPDATED]

2011-10-07T18:30:00.000+01:00

I've got this working now, but it's more complicated than it ought to be...

My home machine is an Apple iMac running OS X Lion. The screen is very big and clear, so I'd like to use the Mac screen for everything when I'm working from home.

My company machine is a laptop running Ubuntu 10.04 LTS. I'd like to access the laptop screen remotely from the Mac over my LAN, so that I don't need to use the laptop screen and keyboard when I'm working from home.

Surely with VNC, this should be easy... Just share the Ubuntu screen with VNC, and connect to it from the Mac.

On Ubuntu: start the 'built-in VNC server (System / Preferences / Remote Desktop).
On the Mac (Finder / Connect to Server / vnc://hostname)

Problem 1: The Ubuntu screen appears on the Mac, but updates are not shown.

Cause: "xdamage" doesn't work. This is a server-side optimization. Apparently it clashes with something in the NVidia driver.
Solution: A workaround is to turn Compiz screen effects off on the Linux end: (System / Preferences / Appearance / Visual Effects).

Problem 2: It's very slow.

I've tried various VNC servers and clients to no effect. It always seems unacceptably slow (and that's on a quiet wireless LAN between two fast machines).
One solution is to use FreeNX server on the Ubuntu box, and the NX4 Beta Mac client from nomachine.com. That works nice and quickly, but it doesn't re-publish your existing X desktop. Instead, it creates a new desktop instance and serves that. It all seems over-complicated, so I'm going to give up for the time being.
I'm told that Nested-X is probably the way to go - but I'm guessing that would be a pain to configure.

Booting Acronis True Image from a USB stick

2011-07-11T16:32:00.003+01:00

Today I needed to restore a netbook PC from a backup image taken with Acronis True Image Home 9.0 (which is excellent). The backup image was stored on an external USB hard drive. The problem was how to boot the Acronis recovery image, as the netbook has no CD drive.
UPDATE: If you're using Acronis True Image Home 2011 or later, then it's really easy. You just install Acronis True Image Home on a Windows machine, then use the "rescue media builder" application to write a bootable image directly to the USB stick.

When I wrote this article, I only had the older product, True Image Home 9.0. For this older version, you can make a bootable USB stick via the following procedure..

1. Take a USB stick (a.k.a. memory key or flashdrive). Delete everything on it. Format as FAT32 in Windows XP.

2. Download the HP USB Disk Storage Format Tool. Run it on Windows XP to reformat the USB stick in the correct way. Otherwise, step 3 will fail with the error "grubinst: Should be a disk image" (at least under VMWare).

3. Download Grub4DOS from the links given on Using Grub4DOS to Create a Bootable Drive. Follow steps 1 and 2, not forgetting to copy the grldr file to the USB stick's root folder.

4. Do a full installation of Acronis True Image Home 9.0 (full version not trial version) into the Windows XP VM. Run their Media Builder program and have it write direct to the USB stick. (Don't make an ISO as it won't work.)

5. Cut and paste the menu.lst file from here, creating menu.lst (LST not 1st) on the USB stick so that Grub will boot properly.

6. You're done! Boot the netbook from the USB stick and the Acronis recovery menu should appear.

AWSTATS on Apache with Ubuntu Server 10.04 LTS

2011-06-21T08:21:00.003+01:00

Got this working today. Nice guide here covers most of it. Another good guide is here.

To enable Perl on Apache:
apt-get install libapache2-mod-perl2
vi /etc/apache2/sites-enabled/www.example.com
Add:-

<Files ~ "\.(pl|cgi)$">
   SetHandler perl-script
   PerlResponseHandler ModPerl::Registry
   Options +ExecCGI
   PerlSendHeader On
   AuthName "AWStats Authentication"
   AuthType Basic
   AuthUserFile /example/path/to/.htpasswd_www.example.com
   Require valid-user
</Files>

If you're paranoid about security, it may be better to configure AWSTATS to run in static mode only.

It may also be sensible to update awstats manually to the latest stable version. I just did this by searching for files on the server and replacing them with the new versions, though this is a bit tedious due to the way that Ubuntu's package installer spreads the distribution files around the filesystem. Finally it's necessary to restart Apache so that mod_perl doesn't run the old code.

UK SIM cards with static IP addresses

2011-06-16T17:25:00.012+01:00

Should you have a need for 3G Data SIMs with "real" fixed public IP addresses (rather than the usual dynamic NATted private IPs), I have found three options...

1) Orange Fixed IP SIMs - As far as I can tell, these are only available via ScanCom - www.scancom.co.uk - as the Orange call centre doesn't seem to know about them. Cheapest deal is £5 per month inc VAT. Prepaid for 18 months. 500 MB per month. 1.7p per MB for excess usage out of bundle. The SIMs will work on the Orange 2G & 3G networks. They should also roam freely on T-Mobile, though currently only for 2G.

2) Andrews & Arnold Data SIMs - These come with a fixed public IP address as standard.

£ 10 + VAT to buy…
£ 2 + VAT per month when activated (you can suspend them)…
2.5p +VAT per MB. (No free megabytes - you just pay for what you use).

The A&A SIMs work on the Three network, but don't offer any 2G fallback when outside the Three service area.

Special feature 1: At no extra cost, the A&A SIM cards can be configured instantly to have not just one fixed public IP address, but also a fixed public IP address block (e.g. for your LAN). I have tested this successfully using a Linux machine as a router.

Special Feature 2: The A&A data SIMs can also be configured to use your own IP private addressing scheme using L2TP tunneling to your own Internet endpoint, but to do this you'd need to configure your own LNS router (e.g. using a Linux box with xl2tpd or OpenL2TP).

3) Comms365 Limited can apparently offer static IP SIMs too. "We have interconnects with Vodafone and Three and will be adding in Everything Everywhere shortly. We can provide both Fixed Public and Fixed Private IP Addresses on our SIMs and routed blocks of IPs. A range of tariffs from 2MB to 10GB is available."

Are there any decent 3G routers?

3G Routers tend to be a bit of a pain. Many of them lack embedded 3G radios, so they have to rely on tatty USB dongles, which usually lack external antenna connectors. Also, they tend not to support NAT-Free mode (i.e. they assume you want 192.168.1.x addresses for your LAN).

After some searching, I discovered an Alix-based router that looks promising for a work project of mine. The Alix 6F2 board can be fitted with a Mini-PCI-Express 3G radio card rather than using an external USB device. Suppliers in Europe are http://shop.varia-store.com/product_info.php?info=p1204_UMTS---3G-Zeroshell-ready-system-with-ALIX-6F2-and-accessories.html (approx cost 319 Euros). Alternative supplier is http://www.msdist.co.uk (cheaper but requires assembly, and your own Mini-PCI-Express UMTS card). Varia's case looks nicer, as the SIM card and CF card are both externally accessible.

UPDATE: The Alix 6F2 boards work very nicely in no-NAT mode with pfSense 2.0 RC3 with my Andrews & Arnold data SIM cards. Annoyingly, the SIM card only works in the SIM card slot on the 3G radio card (inside the Vario case) rather than in the motherboard SIM card slot! Presumably there's a magic AT init string command that would tell the 3G radio to read the other SIM card slot, but I don't know what it is.

UPDATE 2: I've belatedly realised that the Novatel EU850D Mini-PCI-Express 3G card, shipped as part of the Varia Store's Alix 6F2 bundle, supports HSDPA but does not support HSUPA. This means you get nice fast downloads, but your upload speed is limited to 384 kbps at best. That's a shame since the Three network in the UK offers much faster uploads (up to 2 megabits I think).

Please post a comment if you know of:

any other 3G routers than can work in NAT-Free mode?
any Mini-PCI-Express 3G cards that have internal SIM card slots + external antenna connectors + HSUPA support.

If you don't need NAT-Free operation, but you need a 3G router with a high-gain antenna, you might want to look at the Deltenna WIBE which Amazon UK is now offering at about £200. For routine mobile use using WiFi, I would recommend the Huawei Mifi device, e.g. as sold in the UK by Three. Or use an iPhone 4S on a suitable tariff for tethering (e.g. Three's One Plan).

How to disable GMail's spam filter

2011-06-10T16:17:00.004+01:00

GMail's spam filtering is usually excellent, but sometimes it can get over-zealous. The first thing to know is that mail from people in your GMail Contacts list is never flagged as spam. So regular correspondents should be added to to your GMail Contacts.

If you want to turn off GMail spam filtering altogether, here's how...

The following steps will set up a filter to ensure that all e-mail goes to your Inbox and never to your Spam folder...

Log into GMail.com in your web browser
Click 'Options' (the cog icon on the top right of the screen)
Click 'Mail Settings'
Click 'Filters'
Click 'Create a new filter' (at bottom of list)
In the 'Doesn't have' field, enter "opsjk fokjaw9ptu4398ru39u9u93flkoifjew" (or any other long, random character string you choose)
Click 'Next Step'
Tick the box "Never send it to Spam"
Click "Create Filter".

I have several secondary GMail accounts that currently forward all mail to my master GMail account. By disabling spam filtering on all except the master GMail account, there is only one Spam folder to check periodically for false positives (mis-labelled "ham").

You can also set GMail to forward messages only when filter conditions are met. To do this, first remove any existing forwarding rule. Then create a filter rule (after any Never send to Spam rule) for the messages to be forwarded. For example, to forward all email sent to your domain EXCEPT mail to sales@ and info@, you can create a filter that has the To: field set like this:

-{sales@example.com OR info@example.com}

Then after clicking 'Next Step', you just tick the option to forward matching messages to a specific address. You can also add a similar list of banned words (or word combinations) in the Subject field. Finally, be sure to use the 'Test Search' button to verify which messages from your current Inbox would have been forwarded by that rule.

More thoughts on Sandboxing for security

2011-06-03T16:11:00.002+01:00

From a security perspective, perhaps today's desktop operating systems are missing the point. With the increase in carefully-targeted spear-phishing attacks, we need to change our approach if we are to stop our computers being compromised. Firewalls, content-checkers, anti-virus programs, whole-disk encryption: these are all necessary, but they are not enough.

We must assume the worst and plan accordingly. From time to time, you or a colleague will receive malware-infected files that will get past the virus scanner. How can we remain secure?

Given the security threats from the Internet today, I believe that all web pages, images and documents need to be be opened inside a sandbox container by default.

Whenever a file (web page, document, image...) is loaded onto your computer, the operating system must set a trust level for that file.
Unless you raise the trust level of a file, the program that opens it must not be allowed to access your hard drive or your network connection even if the file came from someone you trust.

Issues and observations...

This all has the potential to get a bit klunky when you have multiple instances of the same application accessing different files at different trust levels. But given some simple API conventions, it ought to be simple enough to make it all work smoothly if the operating system GUI is made sandbox-aware.
Speed-wise, things shouldn't be too bad either, since modern OSes have "copy on write" memory management facilities that enable RAM to be shared when you're running several instances of the same program.
Technically it should be easy enough to store trust level of each file as "extended attributes" in the filesystem, since lots of operating systems support that. If the OS kernel ensures that only privileged programs can change that trust level, then appropriate sandboxing settings can be enforced automatically whenever an application opens a file.
Email programs are problematic. What if a malicious email gains control of your email program? The malware could then read your email and send email as you - so an attacker might exploit that to reset the passwords of your e-commerce accounts. I'm not sure how we can prevent that.

My prediction for 2011 and 2012 is that sandboxing will become more common. I've already written about some Windows and Mac sandboxing approaches. It seems that Ubuntu Linux 11.04 and later versions now include an "easy" application sandboxing tool called Arkrose, which is built on top of the LX Linux Containers framework - "chroot on steroids". Here are some links...

Accessing a VM image from a QEMU host

2011-06-01T14:52:00.003+01:00

Just a quick note of the commands needed to mount a VM disk image from the QEMU host server...
The following commands may be useful if you need to copy some files (SSH keys perhaps) to or from a VM disk image. This assumes the QEMU VM environment, which is the one that's built in to Ubuntu Server 10.04 Linux. You need to be root, of course.

It will only work safely for VM's that aren't running at the time!

-- Shut down our VM guest...
# virsh shutdown vm2
Domain vm2 is being shutdown

-- Load the required kernel module...
# lsmod | grep nbd
# modprobe nbd max-part=63
# lsmod | grep nbd
nbd 9903 0

-- Export the VM image file on /dev/nbd0, then mount that to a temp folder
# qemu-nbd -c /dev/nbd0 vm2.img
# ls -l /dev/nbd0*
brw-rw---- 1 root disk 43, 0 2011-06-01 15:42 /dev/nbd0
brw-rw---- 1 root disk 43, 1 2011-06-01 15:42 /dev/nbd0p1
brw-rw---- 1 root disk 43, 2 2011-06-01 15:42 /dev/nbd0p2
brw-rw---- 1 root disk 43, 5 2011-06-01 15:42 /dev/nbd0p5
# mount /dev/nbd0p1 /mnt/vm2

-- You can now access the VM disk folders under /mnt/vm2...
... do your stuff ...

-- To clean up...
# umount /mnt/vm2
# qemu-nbd -d /dev/nbd0
/dev/nbd0 disconnected
# rmmod nbd
# virsh start vm2
Domain vm2 started

I believe there's a command to take a snapshot of a running VM, but I haven't tested that myself. "virsh snapshot-create VMname" apparently needs libvirt >= 0.8.1, but Ubuntu Server 10.04 LTS currently only runs libvirt 0.7.5. I guess the LTS releases of Ubuntu Server must be a bit conservative, as they have five years of support, all free of charge.

VMware on Linux: Promiscuous Mode

2011-05-31T18:22:00.001+01:00

When VMware Workstation is hosted under Linux, by default it doesn't allow guest VMs to access the network in Promiscuous mode. There's an easy fix for this...

If you run something like Wireshark from a VM guest, you'll see VMware display an error message. The problem is that when VMware is started without root privileges, it doesn't have the permissions necessary to access the /dev/vmnet0 device.

A quick temporary bodge is to use chgrp and chmod to tweak the permissions on /dev/vmnet* until the next reboot (where yourgroup is a group that your user account is in):
chgrp yourgroup /dev/vmnet*
chmod g+rw /dev/vmnet*

A more permanent fix is to edit /etc/init.d/vmware and tweak the ownership and permissions when the device is created, by adding the lines in red:
# Start the virtual ethernet kernel service
vmwareStartVmnet() {
vmwareLoadModule $vnet
"$BINDIR"/vmware-networks --start >> $VNETLIB_LOG 2>&1
chgrp yourgroup /dev/vmnet*
chmod g+rw /dev/vmnet*

After you reboot (or stop and restart the VMware daemon) you'll be able to use Wireshark or whatever in your VM guest OS. Just Remember! Your VM guest's Network Adapter must be set to BRIDGED (connected directly to the physical network), not NAT (used to share the host's IP address).

Aside: I did think it ought be possible to achieve the same effect a little more cleanly, by creating a file in /etc/udev/rules.d to set the desired ownership and permission modes for /dev/vmnet*. But nothing I've tried has worked. Anyone?

Fixed: Ubuntu Server shows outdated update info

2011-05-31T08:33:00.002+01:00

Just updated some Ubuntu 10.04.2 servers using 'apt-get update; apt-get dist-upgrade', then rebooted to find stale information displayed in the login banner, still showing lots of updates pending. There's a simple fix for this...

  rm /etc/motd.tail

/usr/lib/update-notifier/update-motd-updates-available --force
The system would catch up eventually anyway. These commands just speed it up.

Easy sandboxing for Windows apps

2011-05-26T19:34:00.004+01:00

Sandboxie looks very interesting.... Yet to try it, but have heard good things about it. Without the cost of firing up different VMs, it is able to launch programs inside wrappers, to isolate different programs from each other (or to isolate different web pages from each other) - and to protect your Windows machine from the sandboxed program.

Remembering that web browsers and email attachments are the top ways to get your computer infected, it's better if those programs don't have access to most of your Windows machine in the first place. And if you have a few Sandboxie instances, you can not only limit the exposure of the windows filesystem to any website, but you can also make cross-site attacks less likely.

If a sandbox were correctly set up :-

a malicious email that exploits a mail client weakness could only tamper with messages and settings on the email client;
an infected web page could only tamper with saved details and settings in the web browser.

Ideally you would run Outlook in one sandbox, and Internet Explorer in several others...e.g. Home Banking and frequently-used, high-reputation home shopping sites could have one or several sandboxes, and general web surfing could have another. Facebook probably deserves its own sandbox too, in case some people's pages contain malicious HTML.

You would definitely want PDF viewers and Flash viewers to run inside one of the less trusted sandboxes. So you'd have a temp folder like C:\mail_attachments to save incoming PDF's to. Then you'd manually launch a sandboxed PDF viewer in that folder.

What about sandboxing on the Mac?

We could really do with something similar on the Mac. A quick web search suggests that a command-line sandbox facility was introduced in Leopard 10.5. So the underlying OS hooks are all there. But so far we seem to be lacking a nice GUI-based program to make it easy for end-users to create and control sandbox instances and policy rulesets - something which definitely sounds non-trivial.

If you know of a Sandboxie equivalent for the Mac, please leave a comment. (Yes I know you could use VMware, but that would be slow and tedious.)

If you are a security professional, you can stop reading now.

If you are a zealous Apple fan, please read on before posting irate comments!

Sadly, some Apple fans like to think that the Mac platform wears some kind of halo that makes security problems impossible. But before you post comments saying that Mac apps don't need sandboxing, please just think for one second. Yes, Mac apps don't run as root by default, but so what? Unless you run each program (or surf to each website) under a different Mac username, then a compromise in any one program means that all your user data is exposed. Possibly the whole keychain too (I seem to recall that once it's unlocked, it's unlocked - but I try not to use it anyway, as it's always struck me as a potential single point of security failure and a high-value target).

Now, I strongly prefer the Mac to all other current OS platforms, but as a security professional by trade, I'm not naive enough to believe that the Mac is in any way resistant (let alone immune) to security issues. A client exploit is just a client exploit: it doesn't matter what OS it's running on, as once you're app has been owned, it's generally game over for the home directory and everything in it. A privilege escalation up to root isn't necessary for you to lose all the personal data you care about, and/or to have a subtle back door inserted. The only issue is whether the attacker's code runs as root, or runs as you. Attack code running as you is quite bad enough, because it's your personal data that the bad guys are after.

We're way beyond the early days of crude computer viruses that spread like wildfire in a highly obvious way. The IT security threats to worry about today are the back doors that just sit there quietly in the background hoovering up your banking credentials or whatever.

At the risk of stating the bleeding obvious, the main reason that Harry Homeowner gets infected more often when using Windows is that, until recently, there were too few Mac users to represent a decent return on investment for attackers. With Macs becoming more popular, that honeymoon period won't last forever. Sure, Mac OS X has fewer open TCP ports by default than Windows does. But the main threat is from buggy web browsers, buggy email clients and buggy attachment viewers, so open TCP ports aren't relevant in many cases.

Disabling/enabling services in Ubuntu (UPDATED)

2011-05-26T12:51:00.010+01:00

Recent versions of Ubuntu have changed the way that system services start up. Presumably this reflects a policy change in Linux systems.
There are now THREE different ways for Linux services to start automatically at boot...

New way: /etc/init/example.conf
- If you find such a file, open it up in an editor and examine its startup conditions (beginning with "start on").
- To prevent the service from starting, edit the startup conditions to begin with "start on (NEVER and ..."
Legacy way: /etc/init.d/example and /etc/rc5.d/S20example.
To start a service using this traditional technique...
- Place a shell script in /etc/init.d/example.
- Create a symbolic link to /etc/init.d/example for each run level you want the service to auto-start in. For example: ln -s /etc/init.d/example /etc/rc5.d/S20example would start the example service in Run Level 5.
- Symbolic links named something like /etc/rcN.d/K20example provide a way to stop a service cleanly when the machine changes run level (e.g. shuts down).
- You may recall that run level 2 is single-user text-mode; 3 is multi-user text mode; 5 is multi-user GUI mode.
- The numbers after 'S' or 'K' provide a crude way of tweaking service start-up order, so that for example you can make sure that a database service starts up before an SQL-based application server.
- To stop a service starting in this way, you can just delete the symlinks i.e. rm /etc/rc*.d/S*example.
Bastardized legacy way: /etc/init.d/example by itself.

Some services still use /etc/init.d/example but rather than relying on symlinks such as /etc/rc*.d/S*example, they use a new syntax for startup conditions, placed in comments near the top of
/etc/init.d/example.
For example, the Mathopd web server is controlled solely from
/etc/init.d/mathopd, which contains the text:

### BEGIN INIT INFO
# Provides:          mathopd
# Required-Start:    $local_fs $remote_fs $network $syslog
# Required-Stop:     $local_fs $remote_fs $network $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Mathopd web server
### END INIT INFO

BEGIN INIT INFO

END INIT INFO

exit

After rebooting, run "netstat -tan | grep LISTEN" to make sure you know what's bound to your external network interfaces (i.e. anything other than 127.0.0.1 for IPv4, or ::1 for IPv6).

If you see an IPv6 service listed like this:

     tcp6   0   0 :::51413     :::*        LISTEN 

it simply means that the service is listening on all IPv6 interfaces, on port 51413. It's the IPv6 equivalent of showing 0.0.0.0:51413.

Further reading at http://overtag.dk/wordpress/2011/02/headaches-over-disablingenabling-services-init-d-scripts-in-ubuntu-10-10/ . See also http://ubuntuforums.org/showthread.php?t=1519273 .

New Cycling website launch

2011-04-03T08:43:00.003+01:00

http://www.ComeCyclingLedbury.com - finally got it finished. :-)

Security Websites

2011-02-17T11:12:00.004Z

Herewith, just some bookmarks to websites covering network security topics.
Standard caveats apply...

These resources are intended for use by pentesters (IT security consultants) as part of an authorized security test. Pentesters get called in when a company wants an independent check on the security of its internet & intranet infrastructure, web applications, or whatever.

Never probe or attack any machine without the consent of the owner and any interested third parties.

Never run an exploit you found on the Internet unless you have read the code, understood it, and (where appropriate) changed the payload to something you trust.

Home users: Please don't panic if your IP address is probed from the Internet. The scanning box was probably compromised without its owner's knowledge, so responding in kind is pointless as well as illegal. Sustained or intense attacks should be reported to the Abuse contact for the domain, or for the IP, or for the IP block (but not all three). The system owner probably doesn't realise his box has been owned. But don't bother reporting brief probes: it happens all the time. 90% of abuse reports are bogus anyway, so don't bother the Abuse contacts with trivia.

Where to Start

http://sectools.org/ - the top security tools by category
http://seclists.org/ - security mailing lists archive
http://metasploit.com - awesome exploitation framework
http://fastandeasyhacking.com - Armitage (GUI front end for Metasploit)
http://securitytube.net - YouTube for pentesters
http://foofus.net - all about password hashes

Vulnerability Announcements & Discussions

Exploit Archives

Installing Windows on Dell Inspiron 1545

2011-01-26T15:06:00.002Z

If you're trying to install a clean copy of Windows XP or Windows 7 on a Dell Inspiron 1545 laptop, these notes might help...

You must update to Dell's latest BIOS before you start, otherwise the XP installer will fail with a blue screen.

Dell's BIOS updater only runs under Windows, so use the preinstalled Windows to update the BIOS before you do anything else.

If installing Windows XP, you need to build a "slipstreamed" installation CD that incorporates Service Pack 3. (Google for the instructions on this.) Otherwise, again, the XP installer will fail with a blue screen.

You can also install a full retail RTM Windows 7 Home Premium (64-bit) DVD. Of course that will need a unique license key (just like XP). There may be a cheap way of buying legal license keys if you already own a genuine Windows 7 installation disk: see http://www.windows7key.co.uk - but I can't vouch for that website, and it sounds a bit too good to be true.

Out of curiousity, I also tried installing from a Dell OEM disk of Windows 7, but this was unsuccessful: halfway through, it complained that it couldn't see the DVD drive. I wish I'd taken advantage of Dell's free Vista-to-Windows-7 upgrade offer before it expired!

Gmail Push: instant notification of new email

2011-01-18T08:45:00.004Z

Just a quick note about setting up 'push' email delivery on Gmail accounts. This feature gives you instant notification of incoming emails, without the need to poll frequently via POP or IMAP. There are two different ways to set it up, depending on the mail client you use...

I can confirm Gmail Push mail notification as working on Mozilla Thunderbird (Mac and Linux), Apple Mail (Mac), Apple Mail (iPad), and Apple Mail (iPhone). The Mozilla Thunderbird approach should also work on Windows. I don't know about Microsoft's own mail clients, as I've learnt to avoid them over many years.

The first thing to say is that it's time to stop using POP3 to retrieve email on any of your computers. The problem with POP3 is that it doesn't work well when you have more than one computer accessing the same mail account: once you've retrieved a piece of mail, it's deleted from the server (unless you tweak the settings - but that makes for slow downloads). The mail retrieval protocol of choice for most people is IMAP. If you switch from POP3 to IMAP, then your mail stays on the server, and each time you connect with your mail program, it just downloads any stuff it hasn't already got. A good IMAP client will also copy send mail into an IMAP Sent Items folder, so that whichever computer you use, you get a consistent view of mail sent and received. The free Google Mail service implements IMAP particularly well; offers plenty of storage space (7 GB per user if I recall correctly); has excellent spam filtering; and is highly recommended. So - to begin with - if you're going down the Push Email route, I'd recommend switching to Gmail with IMAP to begin with, if you haven't already done so. Of course, once you have a Gmail account, you can use it with any ISP.

So - how can Push email be configured to give you instant email notifications with Gmail? The following variations are working here (January 2011):-

Mozilla Thunderbird v3.1.7 for Mac (also working on Ubuntu Linux): for Thunderbird I think it's best to access Gmail using IMAP. The key setting for instant email notification is "Tools", "Account Settings", (mailbox name), "Server Settings", "Advanced", "Use IDLE command if the server supports it".
Apple Mail (v4.4 on MacOS 10.6.5): again, this works well with IMAP. Unde "Mail", "Preferences", (account name), just enable POP, and tick the box "Use IDLE command if the server supports it".
Apple iPhone / iPad Mail iOS v4.2.1: this platform can access Gmail really efficiently using the Microsoft Exchange protocol (it seems efficient in use of bandwidth, and it allows easy syncing on Contacts and Calendars too). It's configured by going into Settings, "Mail, Contacts, Calendars", "Add Account", then picking "Microsoft Exchange". Follow the help on Gmail's help pages for the correct settings.

NOTE 1: whilst in general, most Google Mail users can use "gmail.com" instead of "googlemail.com", for some reason my girlfriend's account could only be configured successfully on the iPad when the username@googlemail.com format was used for the username of the Microsoft Exchange account.
NOTE 2: on the iPhone and iPad, whilst you're setting up email sync via Microsoft Exchange, you can also enable sync of Contacts and Calendars to Google. This is very handy, as it provides much of the "everything everywhere" type functionality of Apple's MobileMe service without having to pay a subscription fee. If you also use Apple's Calendar and Contacts programs on the Mac, you just need to take care to set them to use Google's servers, instead of just storing your data locally.
NOTE 3: in iTunes, make sure your local email store (laptop or desktop) isn't set to sync with your iPhone or iPad. You don't need local email sync in iTunes if you're syncing your email directly with Google's servers. The same goes for Contacts and Calendars: you don't need to sync those in iTunes if you're syncing directly to Google's servers.

Google's help pages offer lots of detailed instructions on setting things up. Not everything is obvious. For example, it's worth understanding the difference between archiving an email [recommended] and deleting it [not recommended].

It's quite impressive if I send myself a test email. Within seconds, my iMac, MacBook, iPad and iPhone will all "ding" to indicate that a new email has arrived. This is especially impressive on the iPad and iPhone, as these work even when they are sleeping, and are using cellular data connections rather than WiFi.

By the way, I reckon Mozilla Thunderbird and Apple Mail work equally well on the Mac. If you need to use PGP to email commercial documents around, then Thunderbird has the edge, as it supports PGP directly via the free GPG Enigmail plug-in. For PGP support in Apple Mail, you'd need to buy PGP Desktop for Mac - but as I've mentioned elsewhere in this blog, PGP Desktop for Mac doesn't integrate tightly with the Apple Mail client (it uses a localhost proxy server instead) so it's not as straightforward or reliable as the Thunderbird/Enigmail combination.

PS: For iPhone, see http://www.google.com/mobile/sync/ for more info.

Hope this is useful!

VOIP QoS on Dual-WAN ADSL Cisco 1841

2010-12-19T16:06:00.005Z

Just now I'm messing about with a Cisco 1841 router with two ADSL cards in it (as outlined in an earlier post to this blog). I'll write in more detail about the IOS settings later, but meanwhile I'd appreciate some pointers if anyone has a suitable IOS config to share...

My ISP's control panel makes it easy for me adjust routing and QoS on the downlink, so I'd like to optimize the uplink using IOS commands, so that the VOIP egress traffic goes out through one pipe, and all other egress traffic uses the other, but with failover so that all traffic can egress through a single pipe if either ADSL line should drop. So far everything works except the failover bit. So my VOIP uplink quality isn't compromised when rapid bursts of upload traffic occur, and since it all goes up one pipe, there are no issues with out-of-order packet delivery due to asymmetrical routing.

The key part of the setup is currently as follows:

access-list 110 permit ip   host x.x.x.x any
access-list 110 permit icmp host x.x.x.x any

route-map voip permit 10
    match ip address 110
    set interface dialer0

route-map voip permit 20
    set interface dialer1

interface fa0/0
    ip policy route-map voip

HINT: this initially had the side-effect of blocking some or all inbound TCP connections, even if the ingress ACL was removed.
SOLUTION: Try rebooting the router. Or turn CEF and fast switching off and on again on all the interfaces:

no IP cef
interface fa0/0
    no ip route-cache
interface dialer0
    no ip route-cache
interface dialer1
    no ip route-cache

^Z
write

ip cef
interface fa0/0
    no ip route-cache
interface dialer0
    no ip route-cache
interface dialer1
    no ip route-cache

Cutting back to the chase. The failover part can't simply be done with weighted "ip route" static routes, as the only thing that's predictable about the VOIP system is my source IP address: the destination IP ranges are unpredictable.

Current suggestion I've had is to use the IP SLA facility in IOS, probably combined with two VRFs. I do like the sound of that: the idea of IP SLA is that you can ping a machine at the ISP (say, pong.aaisp.net.uk) via both dialer routes. Then if one route fails (due to dropped ADSL line or problems in the BT network) you can switch all traffic to the other line within a few seconds. This would probably involve sticking the VOIP server on the second Ethernet interface, which is spare at the moment anyway. That would also place the VOIP server in front of the firewall, which is no problem if I get the ACLs right, and would remove one more potential cause of jitter etc.

UPDATE: Cisco IOS doesn't appear to support per-source-interface or per-source-VLAN default routes, so it isn't possible to simply assign two weighted static routes per source interface. So IP SLAs may be the way to go.

Dual-WAN ADSL with Cisco 1841

2010-12-06T16:03:00.001Z

I've got a second ADSL line now, so I've just started playing with bonding my two AAISP.net.uk lines together using a Cisco 1841 router with two ADSL cards. It works pretty nicely out of the box, but as ever, some small lurking matters have emerged...

The relevant bits of the Cisco IOS configuration are shown in the listing below. This basic setup allows the router to aggregate both lines as best it can. It doesn't use Multilink PPP because (apparently) multilink PPP requires the underlying networks to ensure in-sequence packet delivery - which might happen on Ethernet or Fibre, but won't happen on ADSL.

VOIP sounds funny unless the links have similar delay characteristics. AAISP sorted that for me by getting BT to enable Interleaving on both lines, not just one.

So, the relevant chunks of the IOS config are:-

!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/1/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
load-interval 30
no atm ilmi-keepalive
!
interface ATM0/1/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 2
!
!
interface Dialer0
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
tx-ring-limit 3
tx-queue-limit 3
dialer pool 1
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ipv6 traffic-filter v6-outside-in in
ppp authentication chap pap callin
ppp chap hostname xxxx@a.1
ppp chap password xxx
ppp pap sent-username xxxx@a.1 password xxxx

!
interface Dialer1
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation ppp
tx-ring-limit 3
tx-queue-limit 3
dialer pool 2
dialer-group 1
ipv6 address autoconfig
ipv6 enable
ipv6 traffic-filter v6-outside-in in
ppp authentication chap pap callin
ppp chap hostname xxxx@a.2
ppp chap password xxx
ppp pap sent-username xxxx@a.2 password xxxx

ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 0.0.0.0 0.0.0.0 Dialer1

ipv6 route ::/0 Dialer0
ipv6 route ::/0 Dialer1

This works reasonably well in concert with Andrews & Arnold's ADSL service. Speed testing using www.speedtest.net showed that download speeds were improved by adding the second line, and the service continued largely unaffected if you unplugged one of the lines to simulate a fault. Curiously, unplugging line 2 never disrupted a VOIP call, but unplugging line 1 killed audio in the uplink direction for ten or fifteen seconds.

I made some VOIP quality tests via a cellphone left next to a radio. The downlink audio quality of VOIP calls never faltered regardless of traffic levels. That's probably down to Andrews & Arnold's optional policy setting, whereby 5% of the link is reserved for small UDP frames (a nice basic QoS mechanism). However, the uplink portion of the Speedtest.net test was able to provoke some disruption to voice quality if VOIP a call was in progress at the time. There are two obvious approaches to fixing this...

1. Implement QoS prioritization so that the VOIP traffic always goes first on the uplink.

2. Dedicate the entire uplink capacity of one of the ADSL lines to the VOIP service.

I'll try a few options and blog about the results later.

Updating FreeBSD 7.3 to 8.1 on Soekris NET5501

2010-11-17T23:53:00.009Z

Just a quick heads-up if you're updating a FreeBSD server with a serial console.

I've been running super-low-energy Soekris NET5501 boards as rackmount servers for a little while now, so I thought it was time to update one of them from FreeBSD 7.x to 8.1. Apart from anything else, the USB serial port multiplexer on one of my 7.3 boxes has a tendency to make the box reboot when odd things happen on the serial ports, so I'm hoping for better luck with the new USB subsystem code in 8.x.

The Soekris machines are proper servers: no video card, no keyboard - just a serial port. The serial port is your console device, so if your server isn't accessible on the network, it's vital that the serial console lets you log in and fix the problem.

So it was annoying to find that the serial console no longer worked after upgrading to FreeBSD 8.1. However, it turns out that this is simply because FreeBSD's designers have, in their wisdom, decided to rename all the serial ports, thereby breaking my system. This didn't seem to be in the release notes - very annoying!

/dev/ttyd0 is now /dev/ttyu0
/dev/cuad0 is now /dev/cuau0

So after using csup to update to RELENG_8_1, and issuing the usual update command "make buildworld && make buildkernel && make installkernel", you will need to edit /etc/ttys before you reboot.

In /etc/ttys, change:
    ttyd0 "/usr/libexec/getty std.115200" xterm on secure
to
    ttyu0 "/usr/libexec/getty std.115200" xterm on secure

That will make the serial console work when you boot into 8.1.

You might also need to edit /etc/remote if you connect out to other systems.

UPDATE: I tried to get it right first time today, updating another box from 7.1 to 8.1. It even with both ttyd0 and ttyu0 in the /etc/ttys file, the serial console doesn't start after the initial boot prompt, the first time you boot into 8.1. Presumably the system gets confused by the 8.1 kernel combined with the 7.1 userland. Anyhow, a workaround is to let the system boot multi-user, then do the "mergemaster -p ; make installworld; mergemaster -F" from there.   The serial console should work again once the 8.1 userland is installed. NB the mergemaster -F option is recommended to avoid those tedious prompts about config files where only the VCSID has changed.

Losing access to the serial console (even if only temporarily) is potentially risky. All things considered, perhaps it wasn't a good idea for FreeBSD's engineers to rename all the serial ports on what is primarily a server OS.

UPDATE 2: It isn't necessary to rebuild your ports immediately (7.x binaries run happily on an 8.x system). However, once you do start updating ports or installing new ones, it seems to be best to use "portupgrade -rRfa" to forcibly rebuild all your ports, as some of them have OSTYPE baked into them at build time, which can cause problems later on (e.g. causing "portupgrade portupgrade" to break).

Ubuntu 10.10 First Impressions

2010-10-21T08:27:00.001+01:00

Tried out clean installs of Ubuntu 10.10 (Maverick Meerkat) on two Dell Latitude D620 systems yesterday.

The 10.10 Desktop Edition installed without a hitch (downloading updates at install time, which is handy) and looks very nice.   The new Ubuntu font is elegant and easy to read. There have been subtle updates to the style of the desktop icons, which make the overall visual effect rather nicer. Early days, but it all looks good so far. The installer found all my hardware as usual (wifi, ethernet, GSM, sound, video, Dell sound buttons, etc).

The 10.10 Netbook Edition had a little whinge about video driver support, then worked identically to the Desktop version. So those nice simple menus seen in 10.04 Netbook Edition did not appear - just the default full-blown Linux desktop. Sadly it seems that the Netbook user interface no longer runs on hardware without accelerated 3D video support.   This seems like a big step backwards, as the simple newbie-friendly Netbook user interface offered a chance for non-techies to switch from Windows to Ubuntu, now that Windows XP is getting long in the tooth (takes too long to patch from a clean install), given that Windows Vista and Windows 7 are just too horrible and slow for any sane person to contemplate.

For a simple user-friendly desktop on older laptops, you can install Ubuntu 10.04 Netbook Edition. But would be nice if the 10.10 Netbook Edition ran in a simple 2D style on machines without 3D accelerated graphics hardware.   It sounds as though Ubuntu has missed a trick there.

Apple iPad first impressions

2010-10-16T12:09:00.004+01:00

I finally got an iPad a few days ago. Generally, it's a very impressive device - as it should be for the price. Just some initial observations:

iPad could be all you need if you are a non-techie, and you just want access to web and email. But if you need printing, photo library management, music library management etc, then you still need a computer as well. The iPod functions can't be used without access to a computer running iTunes for syncing purposes, unless you buy all your music from the iTunes store (as opposed to importing your own CDs).

It's strange that a brand-new iPad won't "activate" after purchase without being plugged into iTunes. It is sold without network operator subsidy, without network operator branding. So why does it need "activation" at all? That's an unwelcome hangover from the days of operator-locked iPhones. To be fair, you could probably get a retail store to activate your new iPad for you (it just seems to want to talk to iTunes for a second: it doesn't need any credentials and you don't have to set up any settings at that point).

iPad lacks any cameras, so you can't do Facetime videoconferencing, and you can't take snaps. Rumours are that the next version (probably 12 months on from initial release) will have at a front-facing camera for Facetime.

The screen is very good. iPad lacks the ultimate "retina" resolution of the iPhone 4, but in practice that's not a problem, nor is it even noticeable. Again, it's rumoured that there will be an annual refresh that will update the iPad, but adopting the retina level of resolution seems unlikely on cost grounds: and seems pointless, since the point of the retina resolution was to deliver a large number of pixels on a small device, which doesn't apply to the iPad.

The Apple iPad case is essential really. Without it, you'd be quite limited in the orientations you could use the iPad in, and the screen would be too vulnerable given the cost of the device.

The 3G cellular version works well. I'm using it with an aaisp.net.uk SIM card, which only costs £2 per month plus 2.5 pence per MB, and has the advantage of not going through a dirty NAT proxy like most cellular service providers. It's a shame that the cellular versions of the iPad are so expensive, as the device is far less useful if it's not always-on.

I can't get the IPSEC VPN client to talk to m0n0wall's IPSEC VPN gateway (anyone?). It might well work over PPTP, but that's probably less secure, so it's probably not worth setting up unless really necessary.

Port scans reveal that iPad listens on TCP port 62078 (iphone-sync), and UDP port 5353 (multicast DNS), even on the cellular interface. Moreover, the device responds actively to port scans (i.e. it sends ICMP Port Unreachable when closed UDP ports are probed, and TCP RST when closed TCP ports are probed). This is pretty poor security practice for an always-on internet-exposed device these days. However, I doubt that 62078/tcp or 5353/udp are exploitable. If I netcat into 62078/tcp, I get disconnected straight away.

iPad currently runs iOS 3.2.2, as opposed to iPhone's 4.1, so some 4.1 features aren't there. Apple expects to ship iOS 4.2 in November 2010. The iPad has half the RAM of the iPhone 4, which is a little bit worrying in terms of instant obsolescence.

My Apple bluetooth keyboard works with the iPad, but it's a bit annoying, as it disables the on-screen keyboard. So you can't just move to the bluetooth keyboard when typing long emails, say. But the on-screen keyboard is surprisingly good.

My Nokia bluetooth headphones paired with the iPad, and played from the iPod application initially, but then couldn't be persuaded to resume after a break. Perhaps iOS 4.2 will make bluetooth work a bit better generally.

Skype works well - the microphone and speakers are good. But of course there's no camera.

A few iPhone apps won't run, but most will. A number of iPhone apps only use an iPhone-sized bit of the screen, but hopefully those will mostly get upgraded soon.

The SSH client iSSH works reasonably well, although the usable screen is small when the on-screen keyboard is used. This can be compensated for by setting a smaller font size. Sadly the bluetooth keyboard doesn't seem to work very well with it... For example the arrow keys don't work if I SSH into a FreeBSD server and edit a file using vi. But to be honest, if you're going to drag a bluetooth keyboard around, why not take a small laptop instead.

Battery life is excellent on standby, but that big screen drains the battery if you leave it on all the time.

The iPad lacks a USB port, so you can't use it to download a file from the Internet for transfer to a computer at work. In fact, as far as I know, you can't use the flash memory as a general-purpose filestore. But perhaps that makes the iPad more acceptable in corporate environments from a security perspective. If an employee uses their personal iPad over a 3G cellular network, then whatever they do on the iPad stays on the iPad, making it less likely they'll want to abuse corporate computers for utter shite such as Facebook, Myspace or Bebo.

Under the present release of the iPad's iOS system, you can't enable 3G "tethering" (sharing the 3G connection to other machines). Perhaps this will come with the iOS 4.2 update in November. However, if previous iPhone releases are anything to go by, the tethering support will be via bluetooth rather than via WiFi, so it's probably still going to be easier to buy a MiFi device. That just means paying for another SIM card if you want the iPad to work independently of the MiFi, but at least 3G data SIMs are affordable in the UK now.

AFAICT the iPad doesn't support IPV6. If the iPhone 4 is any guide, then IPV6 support may arrive with iOS 4.2.

Ubuntu Server virtualisation on Kimsufi hosting

2010-10-09T11:00:00.000+01:00

After yesterday's false start with Citrix XenServer, today I'm switching to Ubuntu Server as my VM hosting platform.

Ubuntu's LTS Server operating system comes with 5 years of free security updates, and has a free built-in VM hosting platform called KVM, which appears to do exactly what I need. So that seems like a nice easy low-hassle way to go.

Inside the virtual environment, I'll create a VM guest instance of Ubuntu LTS Server as my web server platform, so that backups and disaster recovery are really easy.

So far so good. Using the automated OS deployment web tool provided by the server hosting company, it only took a few clicks of the mouse to install Ubuntu 10.04 on my Kimsufi KS Q-1T dedicated server. Total time: about 12 minutes.

There's a small problem with Kimsufi's default Ubuntu server installation: it uses a customised Kimsufi kernel build. This is annoying in general (customised kernels don't benefit from Ubuntu's automatic security updates) but it's a showstopper for VM hosting environments due to the use of kernel modules. But this is easily fixed by using Ubuntu's apt-get command to revert to the default Ubuntu Linux kernel, and setting grub to default settings. See the link below for details.

Useful links:

Ubuntu Server Edition (download)
Ubuntu Server Guide (documentation)
Ubuntu Virtualization Guide (documentation)
Revert to Standard Ubuntu Kernel on OVH or Kimsufi Servers (documentation)
Kimsufi dedicated servers (I'm a happy customer)

Virtualizing my Internet server

2010-10-09T01:39:00.010+01:00

I'm about to start work on a new non-profit website using a content management system so that other people can help to edit the content. I'm hoping that a VMware-type approach will make this easier...

The basic problem is that an Internet-visible server always suffers from maintenance hassles :-

If you don't apply frequent security updates, then eventually either the CMS or the OS will be compromised, and the site will be defaced.

If you do apply frequent security updates, then sooner or later, something breaks.

If you do security lockdown, you may screw up and lock yourself out.

In any case, eventual compromise & defacement is always a risk using any CMS, especially if semi-trusted users have access to the system (or if trusted users log in from compromised home PCs). For my application, the use of a CMS can't be avoided.

If the hardware fails, you're faced with reinstalling everything, not just restoring data from a backup.

What's needed is a quick way to recover the whole server to a known good state, so that you can easily roll back the system in the event of a failed upgrade, a hardware failure, or a security compromise of the OS or the CMS. So it seems to me that some sort of VM system is the way to go.

Desirable features of a VM system :-

Must allow the live VM to be checkpointed, then backed up to a remote server (may be in a cron job).

Must be cheap for my non-profit site.

Should allow the live VM to be cloned and used for development (although avoiding an IP address clash with the live VM might be a problem, unless we have enough access to boot the cloned VM into single-user mode and edit one or two config files).

Must not expose management services to the network (except perhaps in a limited way, for example SSH with key authentication on a random TCP port) because my server is in a remote datacentre, directly exposed to the Internet.

The host & guest OSes need to be easily updated with security patches when necessary.

VMware ESXi looks nice in theory, but it lacks a firewall, and I seem to recall the free version doesn't offer many tools for managing the VM guests. Another option is VMware Server + Ubuntu LTS server, but VMware Server isn't officially supported on Ubuntu Server 10.04 LTS, only on 8.04. It seems that VMware Server hasn't been updated for a while now.

Other options include Citrix XenServer; Oracle Virtualbox; KVM; Proxmox and Parallels Virtuzzo. The first three of these are free products; the last two cost money. I decided to investigate Citrix XenServer.

XenServer seems similar to VMware ESXi - it's a virtualisation appliance - but unlike ESXi, XenServer allows you to use the Iptables firewall to protect the management services. Initial setup of XenServer was quick and painless using the hosting company's automated server deployment tool (see www.kimsufi.co.uk for affordable dedicated servers). Then :-

Log in as root over SSH, using the password allocated by the Kimsufi installer.
Run "netstat -an | grep LISTEN" to check for ports open to the Internet.
Point a web browser at the HTTP interface & download/install the management GUI client (Windows only).
Check you can log into the management GUI with the root password.
Edit the firewall ruleset ("vi /etc/sysconfig/iptables") and block all inbound access except from your authorised management client IP ranges.
Reload the firewall ruleset: "/etc/init.d/iptables restart".
Run NMAP port-scans against the box from authorised and unauthorised IP addresses to make sure that the firewall rules are working.

So far the box doesn't have an IPV6 address, otherwise /etc/init.d/iptables6 would also need editing.

It would be nicer to route management traffic through a VPN, but restricting access by IP address is probably good enough to be going on with. But I will just run Wireshark tomorrow to check that the Windows management GUI client doesn't pass traffic in the clear.

OK, so now the VM host management services are hidden from the public internet. Tomorrow I'll try using the GUI to build a VM guest.

Update: it turns out that the free XenServer license expires after 12 months, after which time it needs to be renewed, otherwise my VM's won't come back up if the host server reboots for any reason. So in effect, XenServer's free edition has an automatic 12-monthly denial-of-service feature. Furthermore, if Citrix ever decided to discontinue license renewals, then my VM's would be dead in the water. Commercial licenses for XenServer costs $1,000 for the first year alone, so that's not an option for our non-profit site. So, no point wasting any more time with Citrix products: I'll look elsewhere.

IPV6 on Ubuntu 8.04 server

2010-10-08T01:59:00.001+01:00

In case anyone else is wondering why /etc/network/interfaces fails to configure a static IPV6 address on Ubuntu 8.04, here's the solution...

It turns out that there's a bug in the code that initializes the network stack in 8.04 (Hardy Heron). No doubt that bug is fixed in 10.04, but right now I need 8.04 in order to run VMware Server 2.0.2 without messy patches.

Under Ubuntu 8.04, don't bother trying to configure IPV6 from /etc/network/interfaces. Just leave your IPV4 settings in that file. Place your IPV6 settings into /etc/rc.local, like this:-

    ip addr add 2001:41D0:0001:5A08::1/56 dev eth0
    ip route add default via 2001:41D0:0001:5AFF:00FF:00FF:00FF:00FF dev eth0 

The problem wasn't helped by being remote from the server in question, since any failure to parse /etc/network/interfaces would stop IPV4 from initializing, locking me out of the box. Happily though, the colo hosting company Kimsufi (OVH) offers an excellent control panel which lets you netboot a rescue image supporting SSH with a temporary root password. From the rescue image, it was straightforward to mount the root partition of the hard disk onto /mnt, then fix the /etc/network/interfaces file.

The dedicated server prices at Kimufi are very affordable. Kimsufi offers a wide range of operating systems: you can have them auto-installed "raw", or preconfigured for hosting tasks. The automatic OS installation facilities are easy to use, deploying your chosen OS very rapidly. All in all, very impressive, and very good value for money. And they support native IPV6.

IPV6 + Cisco 1841 ADSL + Monowall

2010-09-19T23:18:00.006+01:00

Got this combination working today after a bit of a struggle...

My new router is an old Cisco 1841 from EBay, which arrived complete with two WIC-1ADSL cards. I decided to use an external router rather than the firewall's internal ADSL modem so that I could have a small network segment between the router and the firewall, where I can use an old 10 megabit hub for network monitoring.   I can also plug into that hub if I need a completely unfiltered Internet connection for debugging or penetration testing.

The Cisco WIC-1ADSL cards are dirt cheap on EBay but they seem to cope OK with ADSL 2 ("up to 8 megabits", BT 20CN). They won't get full speed from ADSL 2+ ("up to 24 megabits", BT 21CN) if that ever arrives here: for that you'd need a HWIC-1 ADSL-M card, which is almost £400 by itself.   But for now I'm getting about 3 megabits sync speed with the WIC-1ADSL card, which is good for my dodgy phone line.

IPV6 worked straight away on the Cisco once a few relevant commands were added to the IOS configuration.   Sadly the same could not be said for Monowall, which only routed IPV6 intermittently, and only then with much packet loss.   After banging my head against the wall for some hours, I disabled the Traffic Shaper on Monowall, and lo and behold, IPV6 routing started working perfectly.

The Cisco 1841 offers some flexible QoS options as you'd expect. The following configuration lines appear to be sufficient to prioritize outbound VOIP traffic at busy times:-

class-map match-any voice
    match access-group 105

access-list 105 remark VoIP traffic of all sorts
access-list 105 permit udp any any

policy-map dsl-qos
    class voice
        priority 250
        remark Let VOIP take max. 250 kbit/sec upstream
    class class-default
        fair-queue

interface Dialer0
    bandwidth 550
    remark 550 kbits/sec = upstream bandwidth
    tx-ring-limit 3
    tx-queue-limit 3
    service-policy output dsl-qos

This may get more complicated if I rent a second phone line to use the second ADSL card.

If you're looking for a Cisco ADSL router to experiment with IPV6, you don't need to use an 1841 rack-mount router: you could use an 877 desktop router. You might also consider a 2811 if you're feeling rich and you want to run several ADSL lines very quickly. You should budget for increasing the RAM and Flash memory (EBay bits will do for a home network) and for taking out a SmartNet contract so that you can download the latest IOS. For SmartNet contracts, a good place seems to be http://www.ithsc.co.uk. Annoyingly it can take a few days for a SmartNet contract to start working.

Very few UK ISPs currently support native IPV6 over ADSL, so if you don't want to tunnel IPV6 over IPV4, you might need to switch ISPs. I strongly recommend Andrews & Arnold for ADSL services that are fully compatible with IPV6.

Wake-on-LAN workaround for Mac Snow Leopard

2010-09-18T11:26:00.023+01:00

This article discusses Wake-on-Demand versus "classic" Wake-on-LAN on Mac Snow Leopard.

Apple's Snow Leopard operating system introduced Wake On Demand (WoD). This is an open standard, intended to be a more user-friendly version of Wake On LAN (WoL) which has been around for years.

Wake On Demand allows computers to save energy by sleeping when idle, whilst waking up automatically if another machine on your network requests service. So for example, your iMac can save energy by sleeping, but it will wake up quickly if you need to copy a file over to your MacBook; access an iTunes library; or log in remotely via Remote Desktop or SSH. The Wake On Demand feature is enabled by ticking the box marked Wake for network access under System Preferences / Energy Saver. Sensibly, laptops don't wake up with lid closed or without mains power.

Whilst the Wake On Demand feature is well-intentioned, it has an unwelcome side-effect: the sleeping computers wake up every two hours (day and night) to check the local network configuration and refresh the Bonjour proxy cache. I don't like this: it's a waste of energy (the computer won't sleep again until the usual timer expires); it unnecessarily stresses the machine; and it's annoying if someone's sleeping in the same room as the computer.

The Wake On Demand feature depends on a device on your network running a Bonjour Proxy Cache server. Recent firmware for the Apple Time Capsule and Apple Airport Express wireless access points implement a Bonjour Proxy service. I've already blogged about one side-effect of this here: Apple Time Capsule steals IP addresses, but that's OK really. An always-on Mac can also run the Bonjour Proxy service (e.g. if Internet connection sharing is enabled).

Wake on LAN is an open standard that predates Wake-on-Demand. To wake up a computer using WoL, you just need to send a "magic WoL packet" to the computer's Ethernet MAC address.

Annoyingly, the Snow Leopard OS doesn't offer any way to enable WoL without enabling WoD. However, there is a workaround documented in an article at the link below:-

10.6: Turn off automatic wake-from-sleep network check [hints.macworld.com]

From the article:-

"A comment in mDNSResponder's open source code offers some explanation:
we still want to wake up in at most 120 minutes, to see if the network environment has changed. E.g. we might wake up and find no wireless network because the base station got rebooted just at that moment, and if that happens we don't want to just give up and go back to sleep and never try again.
...So how do I turn off this auto-wake feature then?
The code in mDNSResponder makes only two checks on when not to schedule the maintenance wakes:
If 'Wake for network access' is turned off
if there are no Bonjour-advertised services on your system
This check is always made at the point the machine is about to go to sleep. After much experimentation, I finally have a reliable way of defeating this check without really doing either of the above.

Using sleepwatcher, add the following commands to your script to run when your computer is going to sleep:
    /bin/sleep 1
    /usr/sbin/systemsetup -setwakeonnetworkaccess on >/dev/null
And add this to your 'wakeup' script:
    /usr/sbin/systemsetup -setwakeonnetworkaccess off >/dev/null
Finally, also execute that last command right now, or just manually turn 'Wake for network access' off in the Energy Saver preferences.
What this does is turn wake for network access on only at the very last moment when your machine is going to sleep. This way, mDNSResponder will be fooled into thinking you don't have network wakes enabled, so it won't schedule the unwanted maintenance wake. In reality, though, your sleep script will enable it anyway, but in such a way that mDNSResponder doesn't see it."

As an alternative to Sleepwatcher, you might try disabling Bonjour advertisements [Apple.com] if you don't mind not being able to resolve the hostnames of any machines on your local network that don't have DNS entries. (Non-geeks: don't try this at home unless you have your own DNS nameserver, or you only have one computer on your network at any time.)

If you use the Ports (formerly Fink) framework, you can install Sleepwatcher using one command:-
sudo port install sleepwatcher
Then just follow the instructions. I placed the commands from the Macworld article into the files /opt/local/etc/rc.sleep and /opt/local/etc/rc.wakeup. But by default those scripts allow for per-user sleep and wakeup commands.

You might also find these links useful:-

bb's Homepage [Sleepwatcher]
pmset command [Wikipedia.org]
pmset(1) Mac OS X Manual Page [developer.apple.com]
Sleep Proxy Service [Wikipedia.org]
Mac OS X v10.6: About Wake on Demand [support.apple.com]

The last of these links states: "Macs that have Wake on Demand enabled will occasionally wake for a brief time, without lighting the screen, in order to maintain registrations with the Bonjour Sleep Proxy. On some Macs, sounds from the optical drive, hard drive, or fans may be heard during these brief maintenance wakes." (I don't believe these maintenance wakes are brief: they appear to use the normal timeouts to determine when the next sleep occurs.)

Sending the magic Wake-On-LAN packet

If you're not relying on a Bonjour proxy server, how can you send the magic WoL packet to wake up your computer? Well, you could write a trivial piece of code to spit out the single Ethernet frame that's needed, or you could download such a program from the Internet. But if you use Monowall or pfSense as your VPN firewall, then you'll find the firewall's GUI already offers a web page (Services / Wake on LAN) that lets you store a list of MAC addresses for your network, so that you just click on an entry to wake up that computer - see screenshot below:-

You can probably wake up every box on a LAN segment by sending the magic WoL packet to the broadcast MAC address (all FF's) but I've never tried that.

Stopping random cut-and-paste errors

2010-08-21T17:24:00.005+01:00

Recently I've kept finding random bits of text pasted in at random places in the documents I've been editing under Ubuntu Linux. Today I realised that my new laptop has a middle mouse button, which pastes the contents of the cut-and-paste buffer. Time to disable that middle mouse button...

It turns out that the laptop has three middle mouse buttons: one below the trackpad, one above the trackpad, and one on the external Bluetooth mouse: invoked by pressing the scroll wheel.

So, how to disable all three middle mouse buttons? Well there's no preference setting for that in the GUI, but a quick Google search reveals that there's a command-line tweak that's fairly painless. Chapter and verse can be found in this Ubuntu Wiki Article, but for my Dell M4400 laptop, the quick answer for Ubuntu 10.04 is to stick three lines down at the bottom of the file ~/.profile (the script that gets run each time you log in) :-

xinput set-button-map 'Microsoft Bluetooth Notebook Mouse 5000' 1 0 3

xinput set-button-map 'AlpsPS/2 ALPS DualPoint TouchPad' 1 0 3

xinput set-button-map 'DualPoint Stick' 1 0 3

I'm not yet certain whether the ~/.profile file is the right place to put these lines. I'm not certain whether it gets executed unless you fire up an terminal window (as opposed to firing up a text editor or email client as soon as you log in). I'll update this note if I discover that it needs to go elsewhere.

Herefordshire in the sunshine

2010-08-18T19:41:00.001+01:00

Took some photos at the weekend, on a short walk around Marcle Ridge in Herefordshire. I don't know why this part of the country is so empty, as it's lovely countryside to walk in. Photos below... Click for full-size images...

Ubuntu Netbook Edition: Consumer-Friendly Linux

2010-08-18T08:40:00.008+01:00

Just a quick note in praise of Ubuntu Linux 10.04 "Lucid Lynx" - more specifically their excellent Netbook edition - with a HOWTO for installing it on the problematic Dell C400 laptop.

Ubuntu Netbook Edition is a nice consumer-friendly desktop operating system for everyone, but it's particularly appealing for your friends and relatives who just want something quick and easy for accessing web and email (although once they've got used to Ubuntu, the other tools it comes with such as word processors, music players and graphics editors may also prove useful). The Netbook edition has a simple menu system that's really easy to use.   Also, the window manager works well on smaller screens. And the boot-up time is rapid even on older hardware (under a minute on anything Pentium-4 powered). Installing it is easy too: it auto-detected all my devices: Ethernet, Wi-Fi, 3G UMTS, Audio, Video, Bluetooth, the lot.   Also, the network manager applet in the toolbar makes it easy to configure 3G data connections, and to hop around between different Ethernet and Wi-Fi networks.

I've installed Ubuntu 10.04 succesfully on a Dell Precision M4400 laptop; a Dell Latitude D620 laptop; an HP XE4500 laptop; and two Dell Latitude C400 laptops.   The Dell C400 laptops caused problems (an error abort message in the installer, and flashing video in the test drive mode), apparently due to a buggy ACPI system on that hardware.   But that's easily fixed - see HOWTO below.   The fix is to disable ACPI mode.   I've also disabled Intel video card kernel mode setting as a precaution - although I think that may be the default now anyway. Read on for a step-by-step solution - this may be useful on other buggy laptops/desktops too.

Once set up, Ubuntu runs nicely on the Dell C400, which isn't half bad when you consider that it's only a 1 GHz Pentium 3 machine.   My C400's both have 1 GB RAM, but it would probably work at an acceptable speed with less memory too.

HOWTO: Install Ubuntu 10.04 "Lucid Lynx" on the Dell C400 laptop

- Boot netbook 10.04 CD
- Press F6 when keyboard icon appears
- Arrow down to "Install Ubuntu Netbook"
- Press F6 (Other Options) and :-
- Press Escape
- Press right-arrow to edit Boot Options line
- Press left-arrow four times to move cursor to just after "splash"
- Type " acpi=off i915.modeset=0 nomodeset" (This mode choice applies one-time only.)
- Press Return to start the install

(UPDATE: This does not work on Ubuntu 10.10. Once again, new software breaks on old hardware. Perhaps on 10.10, you could try the Alternate Install CD [text-mode during installation], then try updating the kernel and manually enabling the intel driver in xorg.conf.)

Yay! Now the 10.04 installer boots, and after answering 7 quick questions, it begins installing 10.04 Netbook to the hard drive. Easy.

The install completes OK, but after booting into your freshly-installed system, you'll still have problems. By default, the desktop will die (X crash) after painting the menu etc because those special boot settings weren't saved.

Solution:
- press Power switch once to shut down cleanly
- switch on again to reboot
- hold down Shift as soon as box starts to boot
- This brings up a pre-boot menu so that you can set temporary boot parameters.
- Press 'e' to edit the grub settings:
    change 'quiet splash' to 'quiet splash acpi=off i915.modeset=0 nomodeset'
- Type Ctrl/X to boot with these temporary settings.

The system should now start normally.

Now edit edit /etc/default/grub to make the change permanent. Change the line:
     GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
to
     GRUB_CMDLINE_LINUX_DEFAULT="quiet splash acpi=off i915.modeset=0 nomodeset"

Now run "sudo update-grub".

At this stage, if you have Ethernet or Wireless working, you should probably
run the Update Manager to update everything (over 200 packages including new kernel and X) then reboot. Then check it all still works.

So far, the only issue I'm seeing is that shutting down Linux doesn't power off the laptop. That's predictable because ACPI support is needed for that. No matter, just press the power switch after it shuts down.

What about software? Well, web and email work out of the box, but there's no Flash support (so BBC News clips don't work), no Java and no MP3 support. But all that is easily fixed, as follows…   No geeking required!

- 1. From the menu, select System and click Software Sources.   Tick the box "Other Software / Lucid Partner".

- 2. From the menu, select Favourites / Ubuntu Software Centre.   Install "Adobe Flash Plugin" (otherwise BBC News clips won't work). Better still, install "Ubuntu Restricted Extras" to include support for MP3, TrueType fonts, Java and various Codecs too.

- 3. Personally I prefer Sun Java not OpenJDK Java. So I then use the Software Centre to remove all Open JDK related items, and then I install "Sun Java 6.0 Plug-in" instead for some software to work. Note that during installation of the Sun Java software, you need to Alt-Tab to bring a license acceptance dialog to the front in order to allow the install to proceed.

- 4. You might also want libdvdcss2 so that you can play DVD movies (probably not possible anyway on the Dell C400). Haven't tried it as I don't watch movies on my laptop anyway.

- 5. I also install the Chromium Web Browser and the GIMP graphics editor - again just pick them from the Software Centre tool and they install very easily.

Hopefully, Ubuntu Netbook Edition can breathe a bit of extra useful life into older hardware.

iPhone 4 Frustrations on T-Mobile UK

2010-07-09T08:18:00.009+01:00

Finally got my iPhone 4 (unlocked from Apple). Having sold my iPhone 3G to my sister (who is now using it on T-Mobile), I'd been reduced to using an appalling old Motorola, so I was keen to get going with the new phone, mainly because texting on the Motorola is pretty tedious. Only problem being lack of a Micro SIM....

T-Mobile support say they don't have any Micro SIMs yet. Very frustrating! The iPad and iPhone were announced months ago, so this seems poor.

T-Mobile doesn't officially support iPhones yet, but of course everything just works (on the SIM Only £15 tariff) except for Visual Voicemail, which is easily replaced with the free Hushmail service. You have to wonder whether T-Mobile is holding back releasing Micro SIMs until they've got Visual Voicemail working.

I resorted to cutting down my SIM card very carefully - the cut goes alarmingly close to the gold pads. This worked, but it's hard to cut accurately by hand, and the phone sometimes says "No SIM Card". I've resorted to adding a sticky label to the SIM carrier to try to hold it in the right place.

In the hope of a more permanent solution, I've ordered a Micro SIM cutting machine plus several free T-Mobile PAYG SIMs. Hopefully T-Mobile support will be able to swap my pay-monthly account to a PAYG IMSI once I've cut it to size.

UPDATE: In fact, you can't move a pay-monthly T-Mobile account onto a PAYG SIM card. But the problem was easily fixed by visiting a T-Mobile shop and paying them £10 for a new SIM card. The new SIM card was instantly set up with my existing phone number, and the Micro SIM cutter made quick work of chopping it down to the right size. Problem solved.

Ubuntu 10.04 LTS - First Impressions

2010-06-03T17:50:00.004+01:00

I've been testing this release ("Lucid Lynx") on a Dell Precision M4400 laptop. Initial impressions very favourable. It boots quickly, even with full-disk encryption (via the Alternate Install CD): around 30 seconds to the login screen. Much quicker than MS Windows on the same hardware.
Initial setup tasks like setting up MP3 playback, using the WLAN, using the GSM radio, and setting up a Bluetooth mouse (Microsoft Notebook Mouse 5000) were all very simple, and very quick. No messing around with obscure config files.

The desktop looks more polished than previous versions. It's easy on the eye, with a good choice of default colours and fonts really making good use of the hardware.

Only slight oddity is that changing the Ethernet MAC address (e.g. for MAC spoofing attacks) isn't possible using 'ifconfig'. But it's easy with "macchanger-gtk", which is in the Ubuntu repository.

The box itself initially ran a bit warm, and the fan came on a bit. Evidently this is a known issue with the M4400 laptop, due to its ridiculously fast processor. Most of the time I really don't need all that speed, and by adding the CPU Frequency Scaling Monitor to the panel at the top of the screen (right-click, Add to Panel) it's easy to set the CPU frequency to "OnDemand", to keep it running slower and cooler when there's not much going on. By clicking on the icon, you can change the mode as required, so you can nail it down to 800 MHz if that's what you want to do.

UPDATE: Ubuntu 10.04 works happily with VMWare 7.1. I've imported the VMs from my old machine, so this will become my main work machine now. The screen on the Dell M4400 is much easier to read than my old Dell D620: brighter and sharper.

Traverse Viking PCI ADSL card + MONOWALL

2010-05-15T23:20:00.019+01:00

I now have one of these cards in a Soekris net5501, in a nice case supplied by Wim at kd85.com ...
(click on image to enlarge):-

The PCI ADSL card presents a virtual Ethernet port, and you can use it as a router or an RFC1483 Bridge.

The Soekris board runs the Monowall firewall appliance distribution from Compact Flash. So the whole thing uses very little power, has no moving parts, and avoids the need for a separate ADSL modem and power supply.

The first thing to know about using the Viking ADSL card with Monowall is that you need to use the GENERIC build of Monowall, not the EMBEDDED build.   This is because the EMBEDDED build is missing the device driver re(4) for the virtual NIC (RealTek 8139C+) which the Viking card presents to you. This is OK, as the GENERIC build works happily on a CompactFlash card in the Soekris, and it still supports the Soekris serial console.

Configuring the Viking card was a bit of a challenge. It has a serial console port on some jumpers, but I don't yet have all the bits to make up the right cable. It offers TELNET and HTTP config options, but in Monowall under PPPoE you don't get IP access to the card (only PPPoE).

You can access the TELNET and HTTP management services from Monowall's LAN interface if you take the ADSL link offline. Change the WAN port from PPPoE to a static IP (192.168.1.2 say). This won't work unless you have either enabled NAT in Monowall (temporarily untick the box marked 'Advanced Outbound NAT'), or you have previously configured a default gateway on the ADSL card (e.g. 192.168.1.2). Otherwise, the ADSL card won't know how to route management traffic back to you.

For initial config of the ADSL card, the easiest thing is to make sure your Monowall has NAT enabled ( 'Advanced Outbound NAT' unticked), and then set up a the 'vr0' port as 192.168.1.2/24. Then we can access the device via TELNET or HTTP, even though the device doesn't have a default gateway for us.

For use as a PPPoE device in Monowall, the following commands enable the device to work on a standard BT 20CN ADSL line in the UK, setting the device up as a bridge instead of a router. (These commands assume that you're starting from the default factory configuration, which can be restored by using a jumper as described in the documentation.)

telnet 192.168.1.1

Escape character is '^]'.

                ,vvvdP9P???^   ,,,
              vvd###P^`^         vvvvv v
         vv#####?^                  ????####vv,
      vv####??     ,vvvdP???^ ,,,        ??##^
     v#####?    ,vvd##P?^        #?#v#vvv
   v#####?    v###P^    ,vvv,        '?#?,
######?   ####?^ ,vd#P?^     `???##
#####?   v#### ,d##P^           ''
######   v#### ]###L                   _   _          _                  ___
#####?   v#### ]##L                   /   / \ |\ | |_ \/   /\   |\ |   |
######    #### ]###L                  \_ \_/ | \| |_ /\ /--\ | \|   |
?#####v   ####v ]##h,            ,,
?#####    ?###h, `9#hv,     ,vv###
    ######    #####L    ]###L        ,v#v'
    ?#####vv    ?9##hv,        ,,vvvv###'
       ?#####vv     `??9P\vv,   ^         vv##,
          ######                       #######L
            ??###hvv,          ,vvv#?##?????
                `????9hdhvv,

Login: admin
Password: *****

Login successful

--> ip delete interface ipwan 

--> bridge add interface br0 

--> bridge attach br0 ethernet 

--> rfc1483 add transport tr1 a1 0 38 llc bridged 

--> bridge add interface br1 

--> bridge attach br1 tr1 

--> system config save

In Monowall, under "Interfaces", we just set the WAN interface to be 're0' (a RealTek RTL8139C), and set the Interface Type to be PPPoE. Then just enter your ADSL login name and password into Monowall under "Interfaces: WAN", "PPPoE configuration".

Hope this helps someone ;-)

Askozia PBX 2.0: Fix for IAX trunk not working

2010-05-13T11:49:00.004+01:00

I'm running a free Asterisk appliance image on a Soekris NET5501 low-power embedded computer. So far so good: it's simplicity itself to set up (just copy the image to a Compact Flash card and boot).

I have an IAX trunk up to my service provider, plus a Linksys SPA3000 SIP ATA and an IAX softphone (Loudhush) on the Macbook. Call quality over ADSL is far better than analog voice or cellphones.

Just one gotcha when upgrading from the previous release: the IAX trunk appeared to connect but didn't pass calls through. This turns out to be due to a new security feature in recent Asterisk releases. To fix this, login to the HTTP GUI and enter some manual attributes:-

Advanced
    IAX
      Manual Attributes

        calltokenoptional=0.0.0.0/0.0.0.0
        requirecalltoken=no

If your firewall doesn't block access to 4569/udp from untrusted networks, you probably want to read up on how to secure these settings properly.

HOWTO: Install Ubuntu Linux via PXE Boot

2010-05-12T19:12:00.006+01:00

Here's how to do a network-based installation of Ubuntu Linux, for machines without CDROM drives. It is very simple.

You will need a PXE install server (see below) to serve the installation media, and a target machine to install Ubuntu onto.

On the PXE install server:-

Unpack the .ISO contents to /usr/local/www/ubuntu
Start a webserver on port 80, to serve up /usr/local/www
Start a TFTP server, to serve up /usr/local/www/ubuntu/install/netboot
Start a DHCP server, to hand out IP addresses, with a boot filename of "pxelinux.0"

On the target machine:-

Boot the target machine using PXE. The Ubuntu setup menu should appear.
Let the Ubuntu installer run as normal. Begin installing Ubuntu.
When "Choose a mirror of the Ubuntu archive" appears, scroll to the top of the list "Ubuntu archive mirror country", and select "enter information manually".
For "Ubuntu archive mirror hostname", enter "10.42.42.42" (or the IP address of your PXE install server).
For "Ubuntu archive mirror directory", enter "/ubuntu" (NOTE: the default of "/ubuntu/" does not work.)

That's all there is to it. It should just work!

HOWTO: Build a PXE Install Server using FreeBSD

You can make a PXE install server very quickly by installing a default configuration of FreeeBSD. I installed FreeBSD 7.1 as a VMware machine.

Start by installing a minimal version of FreeBSD. Be sure to install the Ports tree when prompted.

Once FreeBSD is installed, we will need three ports: a DHCP server; a web server; and an rsync client.

cd /usr/ports/net/isc-dhcp30-server
make install

cd /usr/ports/www/mathopd
make install

cd /usr/ports/net/rsync
make install

We will configure these later. But first, let's unpack the Ubuntu CDROM ISO image (that's what the rsync client was for)…

mdconfig -a -t vnode -u 3 -f /tmp/ubuntu-9.10-i386.iso
mount_cd9660 /dev/md3 /mnt
mkdir /usr/local/www/ubuntu
rsync -avH /mnt/ /usr/local/www/ubuntu

OK, so now you have the entire CDROM tree on your server, at /usr/local/www/ubuntu.

Time to configure some stuff:

/etc/rc.conf

ifconfig_em0="10.42.42.42 netmask 255.255.255.0"
!! Change 'ifconfig_em0' to match your LAN card !!
sshd_enable="YES"
inetd_enable="YES"
mathopd_enable="YES"
dhcpd_enable="YES"

/etc/inetd.conf

tftp dgram udp wait root /usr/libexec/tftpd tftpd -l -s /usr/local/www/ubuntu/install/netboot

/usr/local/etc/mathopd.conf

User daemon
PIDFile /var/mathopd/pid
Control {
    Types {
        text/html { html }
        text/plain { txt }
        image/gif { gif }
        image/jpeg { jpg }
        text/css { css }
        application/octet-stream { * }
    }
    IndexNames { index.html }
}
Server {
    Virtual {
        AnyHost
        Control {
            Alias /
            Location /usr/local/www/ubuntu/
} } }

/usr/local/etc/dhcpd.conf

ddns-update-style none;
subnet 10.42.42.0 netmask 255.255.255.0 {
range 10.42.42.100 10.42.42.200;
option broadcast-address 10.42.42.255;
option host-name "temporary" ;
filename "pxelinux.0";
}

Reboot the PXE install server, and the various daemons should start. This will conflict with any existing DHCP services on your network, so you probably want to keep it all standalone: just connect the PXE install server to the target machine with an Ethernet crossover cable.

Hope this helps…

Update. Warren Block has written up a nice tutorial on how to set up a FreeBSD PXE server, offering a choice of useful images to boot. See his page at http://www.wonkity.com/~wblock/docs/html/pxe.html

HOWTO: Install a Soekris server with PXE Boot

2010-05-11T08:53:00.013+01:00

The Soekris NETxxxx boards can't boot from CDROM or USB, so installing an operating system requires PXE booting from the network, unless you want to prepare the hard disk or CF card in another machine first. Another challenge is that the Soekris boards only have a serial console, so you can't use an operating system that assumes a video display and keyboard. This article outlines your options.

You can use PXE Boot for a wide variety of purposes. My motivation on this occasion was to write a new image the CF card that my Soekris NET5501 AskoziaPBX Asterisk server boots from, without having to unbolt the server from the rack.

To install a full FreeBSD system, see :-

    http://jdc.parodius.com/freebsd/pxeboot_serial_install.html
    http://wiki.soekris.info/Installing_FreeBSD
    http://wiki.soekris.info/Installing_FreeBSD#Patch_for_PATA_hard_disk_errors_on_FreeBSD_7.x

To install other operating systems, see:-
     http://wiki.soekris.info/Main_Page#Operating_Systems .

To load an embedded "appliance" distribution (Monowall, pfSense, AskoziaPBX, FreeNAS?) the procedure is much simpler, and should only take a couple of minutes. During installation, we'll use a special-purpose LiveCD to avoid having to configure anything by hand, with a standalone Ethernet cable to avoid conflicts with existing network configurations.

Prerequisites:

Working serial console access to the Soekris computer (9600-N-8-1 with no handshaking).
A temporary PC or a VMware server, to boot a LiveCD as your PXE server.
An Ethernet cable from the LiveCD PXE server to the first Ethernet port on the Soekris.
A USB memory stick containing the image you want to install to the Soekris.

NOTE: The USB stick isn't essential. If you don't have physical access to the Soekris, you can save your image to the Voyage VM beforehand if you assign it an IP address compatible with your network. You can usually reset or power-cycle the Soekris 5501 via a serial console connection using its ILO feature: type '+++', wait 1 sec, 'reset(return)' to reset; '+++', wait 1 sec, 'power(return)' to power-cycle.

Procedure:

Download the Voyage Linux Live CD ISO from http://linux.voyage.hk. (I used 0.6.5.)
Boot the Live CD on a spare PC, or under VMware. Use a standalone network (e.g. just one Ethernet cable) because Voyage Linux will start its own DHCP and TFTP servers.
Login to the Live CD system: user "root", password "voyage". Execute the commands:

        remountrw
                   [Optional: To change the IP address range: vi /etc/dnsmasq.pxe.conf /etc/exports /etc/init.d/voyage-pxe /tftpboot/pxelinux.cfg/default and change 192.168.1. Do not reboot! The changes are volatile! ]
        /etc/init.d/dnsmasq restart
        /etc/init.d/voyage-pxe start

Start the Soekris machine. When prompted, type Control-P to enter the ComBIOS monitor. Now type: 'boot f0' (that's f, then zero) to begin the PXE Boot process.

Keep an eye on the Soekris serial console. After the Linux kernel has booted, if you're lucky you'll get a login prompt. Log in as user "root", password "voyage".
If instead of a login prompt, you get repeated "mount call failed: 13" errors, just wait for a minute. You will be dropped into a BusyBox shell with the prompt "(initramfs)", which is good enough for most purposes.
Now plug the USB memory stick into the Soekris PC.
Use this command sequence to load the image onto the Soekris (your mileage may vary slightly) :-

            mkdir /tmp/usb
            mount -t vfat /dev/sda1 /tmp/usb
            dd if=/tmp/usb/fred.img of=/dev/hda bs=16k

This assumes that your .img file has already been decompressed using gzip. If not, you should be able to get away with "gzip -dc /tmp/usb/fred.img >/dev/hda" although this will be a bit slow.

You may need to tweak the /dev entries to match your hardware, depending on the type of disks you have. It may be helpful to use the 'ls' command to check for /dev/hd* and /dev/sd* before you plug in the USB memory stick, so that you can be sure which device is which. For example the hard disk may be /dev/hdb on some systems.

No-NAT Firewalling with Monowall

2010-05-03T20:45:00.002+01:00

Just a heads up for anyone tearing their hair out over this one.

PROBLEM: After setting up monowall with no NAT, you can surf the web, but the websites hosted in your DMZ are inaccessible from the internet.

SOLUTION: For a No-NAT setup, see "Firewall: NAT: Outbound" and tick the box "Enable advanced outbound NAT". Ticking this box disables NAT (yes, really!) provided that you don't enter any NAT mappings.

OK, with that problem sorted, the next step is to try out IPV6. Recent versions of Monowall support IPV6 out of the box, and my ISP supports IPV6 over ADSL, so it's got to be worth a go.

Full Disk Encryption & PGP email for the Mac

2010-04-07T09:15:00.020+01:00

As a security specialist, my own systems need to be secure, so it's my policy that most of my systems should employ full-disk encryption (FDE). The only exceptions are servers - since these won't restart after a power failure in they use FDE. I also want to be able to send PGP-encrypted emails, for example for business correspondence, or for bike club membership administration.

FDE provides protection in two ways. Firstly, if someone steals your computer, they don't get all your files (unless it was up and running with no screen lock password when they stole it). Secondly, if someone temporarily gains physical access to your computer, it's harder - although by no means impossible - for them to install a trojan to steal passwords or give them a remote shell.

Review: PGP Full Disk Encryption for Mac

For Windows machines, for domestic use I recommend installing TrueCrypt FDE. Quick, easy, free of charge. Alternatively, the more expensive flavours of Vista and Windows 7 offer BitLocker FDE out of the box, which probably makes for an easier life if you have the correct license already.

On Linux machines, I recommend installing from the "alternate installation" downloads of Ubuntu, as these provide FDE options out of the box at installation time.

On the Mac, the only easily-obtainable FDE solution is PGP. There are a few others, but last time I looked, they weren't sold directly to end-users, but only via third-party "solutions providers" whose websites looked pretty impenetrable. So going with PGP seemed like the simplest path to FDE on the Mac.

UPDATE: (March 2011). Apple's website now gives preview information about a built-in FDE option in the forthcoming Mac OS X Lion update (10.7). So you might want to hold off buying PGP WDE for Mac now.

ASIDE. Apple's FileVault facility only does home directory encryption, leaving the rest of the filesystem open to attack, e.g. by tampering with config files or trojanising binaries in the PATH. Yes: Apple signs its binaries, but No: that doesn't buy you much security, since the Mac is quite happy to run unsigned binaries - how else could you use it for software development? The Mac isn't locked down like an iPod, iPad or iPhone, since it's a general-purpose computing device, not a consumer electronics appliance. And without FDE, you can just boot into single-user mode or use a LiveCD if you want to steal or tamper with the files on the disk.

PGP's store - http://store.pgp.com - offered two Mac packages: PGP Whole Disk Encryption (£119), and PGP Desktop Professional (£199). The latter product includes email encryption as well as FDE. Neither product covers updates between major releases as far as I can tell, and you only get one year's "bronze" support after purchase. In reality of course, any support issues are likely to be handled through the online forum so the lack of ongoing support probably doesn't matter. You can evaluate the software for 30 days before purchase.

I purchased PGP Desktop Professional 10.0.1 for the MacBook. Encrypting the hard disk on the MacBook was fine: it was simple and straightforward, and the minor Mac OS X update from 10.6.2 to 10.6.3 caused no problems. There's no noticeable speed decrease: the little 13" MacBook Pro still flies, though with 8 GB RAM and a solid-state disk, it's got the odds stacked in its favour.

So I can recommend PGP Full Disk Encryption for the Mac. I only found one thing to watch out for: hibernation. Once you use FDE, you can't use hibernation (the energy-saving mode where your RAM is saved to disk) for fairly obvious reasons. The PGP FDE installer disables hibernation for you automatically, but if you adjust the Mac's energy-saving settings later, it will probably get turned back on again. meaning that once the Mac hibernates, it won't wake up again (you'll need to hold down the power switch to forcibly turn it off and on again). To fix this, use the following commands in Terminal.app :-

sudo pmset -a hibernatemode 0
sudo nvram "use-nvramrc?"=false

Even with this setting, the MacBook will sleep happily enough in the normal way, for example when you close the lid. But of course the decryption keys are already loaded when you do this, so you need to set a strong password and make your preferences are set to demand the password when waking up from sleep.

Review: PGP Email Encryption for Mac

PGP Desktop Professional on the Mac does not function as a mail-client plugin, as you might have expected. To be fair, it seems that Apple's Mail.app mail client doesn't provide a public API to allow such plugins to be written easily. So PGP provides a proxy-based solution, which is always going to be a little clunky. PGP intercepts your mail client's outbound SMTP, POP and IMAP connections and tries to use "opportunisitic encryption", i.e. for each connection it tries to identify the associated email account, creating a corresponding "PGP messaging service" instance. You have to switch off SSL in your Mail.app account settings so that PGP's proxy can fiddle with your traffic, but that's OK because PGP enables SSL by default on the onward connections to your service provider's mail servers. All this fudging has the unwelcome side-effect of making NMAP scans return fake open TCP ports on all SMTP, POP and IMAP related port numbers.

Using PGP 10.0.1 for Mac with Google Mail, the first problem was that the messaging services kept breeding with lots of different server names (several Google-related domain names plus raw IPs). It seemed that PGP was doing reverse DNS lookups in order to identify the account to use when an outbound mail socket was established, then getting confused since RDNS lookups can often fail or return round-robin DNS load balancing hostnames rather than the public FQDN hostname.

We can simulate this as follows...

$ dig smtp.gmail.com
smtp.gmail.com. 300 IN CNAME gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com. 300 IN A 209.85.229.109

$ nslookup 209.85.229.109
109.229.85.209.in-addr.arpa name = ww-in-f109.1e100.net.

"ww-in-f109.1e100.net." is exactly the sort of name that gets listed in the breeding PGP messaging services.

Surely it would be better for PGP to do forward DNS lookups for all the configured email services when an outbound mail socket is established. That way, it would pick up the cached forward DNS mapping that was just used to set up the outbound socket, allowing PGP to match the hostname quickly and easily against the list of configured messaging services rather than causing that list to breed as it does now.

After several weeks of using PGP 10.0.1 for Mac, my outbound SMTP eventually failed completely: messages would just sit in Apple Mail's outbox, and eventually they'd time out and a failure dialog would appear. At first I suspected a GMail outage, but it turned out that I could successfully send mail by switching off the PGP email services (see Preferences/Messaging dialog and untick "Secure Email"). So the problem must have been something PGP-related, possibly related to recent Mac OS X updates - even though the 10.6.3 update didn't initially appear to have caused any problems.

The PGP website suggested deleting the PGP messaging services and allowing PGP to re-create them automatically. That didn't help. So I posted a question to PGP's support forum, but after a few days, I'd only had one "I share your pain" type of reply, without a solution. I guess I could have filed an official support ticket, but thinking things over, it occurred to me that a proxy-based solution to email encryption was fundamentally dirty and unreliable anyway. It would be far better for the mail client to support encryption directly: then you could just tick a box when you wanted to encrypt a message, rather than hoping that the proxy would encrypt it for you - although to be fair, if you place "[PGP]" in the Subject line of an email, the PGP proxy should not send the mail unless it can find the necessary keys to encrypt it.

On balance I can't recommend PGP's email encryption product on the Mac platform, so I've looked at the open-source equivalent GPG instead. GPG and PGP are fully compatible, so users can send and receive encrypted messages over the Internet using either product.

Update: PGP Support said that because my purchase was less than 30 days ago, I could use the PGP Store's Order History page to request a refund for PGP Desktop Professional, so that I could purchase PGP Whole Disk Encryption instead. This has saved me some money, so I'll go ahead and buy a second PGP WDE license for my other Mac.

Installing free GPG email encryption on the Mac

On the Mac, it's easy to install GnuPG (GPG) to provide a free OpenPGP-compatible encryption library, but it's proved difficult for the open-source community to maintain a suitable encryption plugin for Apple's Mail.app mail client because each update to Mac OS X breaks the undocumented hooks that such plugins have to rely on: so at the time of writing, the GPGMail plugin still doesn't support Snow Leopard. It's a shame that Apple doesn't support OpenPGP natively in its mail client.

So the simplest email solution seemed to be to deactivate PGP's email proxy, ditch Apple's unencryptable Mail.app mail client, and switch over to Mozilla's Thunderbird email client plus its EnigMail PGP plug-in (which I've already grown to trust on the Ubuntu Linux platform). Thunderbird 3.0's release notes mentioned the ability to import folders from Apple's Mail.app client, as well as integrating with Apple's Address Book & Spotlight, and supporting Gmail's IMAP folder naming conventions - so it seemed worth a try…

Download Mozilla Thunderbird : http://www.mozillamessaging.com. British users, be sure to select the British language build, not EN-US. Install in the normal way.

Install the Mac Ports framework if not already done. See http://www.macports.org/

From Mac Ports, install gnupg (the underlying encryption software layer). I avoided the later "version 2" branch (gnupg2) because it needs gpg-agent, which Enigmail doesn't support as far as I can tell.

        sudo port selfupdate
        sudo port upgrade outdated
        sudo port install gnupg

Download and install the EnigMail plugin for Thunderbird (the GUI for the encryption software): https://addons.mozilla.org/en-US/thunderbird/addon/71 http://enigmail.mozdev.org/home/index.php

Thunderbird had an option to import messages from Apple Mail, but since my Gmail account uses IMAP, I thought it would be cleaner to simply let Thunderbird import the folders directly from Gmail, after setting up the mail client settings according to the hints on Google's site: http://mail.google.com/support/bin/answer.py?answer=78892. I have thousands and thousands of messages built up on Gmail, so this import process did take an hour or two.

To import keys from the old PGP installation:-

/opt/local/bin/gpg --allow-secret-key-import --import PGP\ Private\ Keyring.skr
/opt/local/bin/gpg --import PGP\ Public\ Keyring.pkr

Tweak settings in Thunderbird:-

               - Under OpenPGP / Preferences / Files and Directories
                        "Override with" : /opt/local/bin/gpg

              - OpenPGP / Key Management
                        Tweak Trust on imported public keys

A warning was displayed about my public key, concerning its embedded crypto preferences not matching the available keys, so it may be necessary to re-distribute my public key so that people don't send me emails that I can't decrypt.

Having completed all these steps, Thunderbird seems to be running very well as my Mac email client. It seemed a shame to dump Apple Mail, but in fact Thunderbird 3 looks very polished, and since it implements the more important Mac integration features (Address Book, Spotlight) it should serve me well. It's also handy to be using the same mail clients on both Mac and Linux.

So to conclude this article, PGP Whole Disk Encryption seems to work well on the Mac, but I recommend using free software (Thunderbird + Enigmail + GPG) if you need to send encrypted emails. Yes it's open-source software, but it's very polished and easy to use.

Apple Time Capsule steals IP addresses, but that's OK really

2009-11-17T11:24:00.009Z

Found one minor oddity with my new Apple Time Capsule. If you have an ARP monitoring program running (such as arpwatch, or any FreeBSD server) you may notice that the Time Capsule's MAC address periodically appears to steal the IP address of one or more Mac Snow Leopard clients. Odd as it may seem, this is by design.

The Time Capsule runs a Sleep Proxy service, part of the multicast DNS (mDNS) service involved in Apple's Bonjour protocol, which helps Macs to find each other. When one of your Macs goes to sleep, the Sleep Proxy occupies its IP address, like keeping someone's chair warm for them. It doesn't appear to cause any problems here, and presumably it all helps to allow sleeping Mac machines to continue to offer file sharing services, if you've allowed that in your Energy Saver preferences.

It's possibly worth sticking the Time Capsule on AppleCare warranty cover if you can, as there have been reports of PSU capacitor failures after 18 months, and it's hard to know whether that issue has been fixed yet. AppleCare doesn't cover Time Capsule by itself, but you can add it free of charge to the AppleCare policy of a covered Mac.

Generally, the Apple Time Capsule seems like an impressive device, thoughtfully designed as usual. It's small, fast, quiet, and frugal with power (the hard drive spins down when idle). And of course it's very shiny, though as a backup device, you probably want to hide it somewhere so that if someone steals your computers, they don't also steal your backup device.

Offering a 4-port Gigabit Ethernet switch, a dual-band WiFi access point (including an optional guest network), and offering optional PPPoE and firewalling, it's very flexible. You can use it for straight NAS file sharing and/or as a Time Machine (managed backups) server for a network of Apple Mac machines running Leopard or later. Time Machine really works well, and you can go into the backups from another Mac if you know the password. All in all, a nice bit of design.

Update (Jan 2010). The SMB/CIFS server in the Time Capsule seems a bit buggy. You can mount shares from Ubuntu 9.10 Linux using "mount -t smbfs //server/share /media/fred" but no files show up. Apparently this has been reported, so maybe a future update will fix it.

Update (April 2010). Following a firmware update (easily installed via the Mac management app), the SMB service now seems to work from Ubuntu Linux 9.10 and FreeBSD Unix 7.2. I haven't used it for serious production yet but it looks OK, with the caveat that your first mount request sometimes times out and fails if the Time Capsule drive had been idle for long enough to spin down. I guess energy saving is all about compromises, and the system will run cooler and last longer if it spins down.

Update (July 2010). The Samba server in the current firmware (7.5.1) still seems very buggy. Tried a mixture of clients (Windows XP, Windows 7, FreeBSD Samba, MAC Samba) will consistently poor results. So whilst I can recommend the Time Capsule for Apple clients, I can't recommend it for Windows clients.

Update (December 2010). I've just installed firmware 7.5.2 on the Time Capsule, and also on my Airport Express. I expect this will finally cure the Samba problems, as I successfully tested a pre-release of 7.5.2. Other enhancements appear to include improved IPV6 support (also for in the Airport Express).

HOWTO: Fix dig & nslookup on Mac OS X

2009-11-17T11:00:00.002Z

If ping works but dig & nslookup are broken, there's a simple fix.

Normally the Mac has a symlink from /etc/resolv.conf to /var/run/resolv.conf :-

$ ls -l /etc/resolv.conf
lrwxr-xr-x 1 root wheel 20 14 Aug 21:49 /etc/resolv.conf -> /var/run/resolv.conf

If you've dicked around and broken the symlink, then some utilities will work while others won't. To fix, just re-instate the missing symlink:-

$ sudo ln -s /var/run/resolv.conf /etc/resolv.conf

HOWTO: Make smaller PDF files on the Mac

2009-11-13T00:55:00.017Z

On the Mac, printing a document to a PDF sometimes results in a very big file, for example when the original document has lots and lots of pictures in it. To make a smaller PDF :-

1. Save to PDF in the normal way.
2. Open the big PDF file using Preview (the default Apple PDF viewing application).
3. Pick: File / Save As
4. Set: Format = PDF
5. Set: Quartz Filter = Reduce File Size

I've just reduced a 12-page file from 15 MB to 1 MB by this method.

Using PPP over UK ADSL using pfSense

2009-09-27T16:34:00.068+01:00

Most home broadband connections use an ADSL router with a built-in NAT firewall. For more complex networks, the next step is to place a dedicated firewall behind your ADSL router. But there's a third way: put your ADSL device into Bridge mode. Then it's just a dumb modem, so your firewall can run the PPP session to your ISP....

First some background: just why would you want to ditch your ADSL router and run PPP straight from the firewall?

Advantages:

There's one less thing to go wrong, because there's one less router between you and your ISP.
You don't waste a static IP address, because your first Internet-visible IP terminates on the firewall, not the router.
If you want to adjust the services you publish to the Internet, you only have one device to reconfigure.
You can use a cheaper ADSL modem instead of a pricey ADSL router. This can be quite a saving if you need something more sophisticated than basic NAT.
For multi-WAN configurations, if the firewall runs both ADSL PPP sessions, then it may be easier to arrange automatic fail-over when one ADSL line fails, or goes down for two minutes to re-sync.
If you want to support IPV4 + IPV6, there's probably more chance of getting everything working properly if there's just one key device to configure, not two.

Disadvantages:

In the UK, most ADSL providers offer PPPoA (point-to-point protocol over ATM) which, through an ADSL router, delivers a full-size MTU of 1500 bytes. But if you switch to an ADSL modem/bridge delivering your traffic via Ethernet, then 8 bytes of each frame is lost due to PPP headers, so you end up with an MTU of 1492 bytes. This should not be a problem, except for some broken websites which suffer from the "pMTUd blackhole" problem. These misconfigured websites set the Don't Fragment bit on their outgoing IP frames, whilst simultaneously discarding any ICMP "Frag Needed but Don't Frag was Set" responses from routers which are unable to deliver large unfragmented frames across low-MTU links. As a workaround, pfSense automatically implements MSS Clamping on PPPoE interfaces, meaning that it fiddles with the TCP options field in SYN / SYN-ACK frames to ensure that the MSS isn't set higher than PPPoE can cope with. This is slightly dirty (the firewall is changing the packets passing through it) but it seems to work well enough.
Some security people take the view that an Internet-facing security perimeter should have several devices, placed in series, each with an ACL (access control list) set up to filter incoming traffic. The converse view is that firewalling should be done at the firewall, and routers should be left alone to get on with routing.

At home, for some years I've been running a Cisco 877W ADSL router on the outside, with a dedicated pfSense firewall on the inside. pfSense is a free and easy-to-use open-source firewall software package, based on the rock-solid FreeBSD Unix operating system but with a user-friendly web-based management screen. pfSense will run on just about any Intel-based hardware, but I've chosen a diskless Soekris NET5501 low-energy rackmount server, purchased from the excellent KD85.com. Whilst Soekris computers are quite expensive, they use almost no electricity, so they probably pay for themselves if you run them 24*7 for a few years.

The Cisco router isn't really designed as a consumer-friendly device. Even for a network geek, it can be a bit of a pain to configure, and to maintain with security updates, even with a Cisco SmartNet contract. By contrast, the pfSense firewall is much simpler to update. You just save the configuration using your web browser, load the new firmware onto a fresh Compact Flash card, boot it up and restore the saved config from your web browser. In the event of problems, you just pop the old Compact Flash card back in.

So for now I've unplugged the Cisco router, and connected a cheap ADSL modem in Bridge mode. There are at least half a dozen UK ADSL modems that offer Bridge Mode, whereby your ADSL link still runs PPPoA, but this is presented to you as PPPoE. I've tested three of them. They are all nice and cheap compared to some of the fancier ADSL routers out there....

D-Link DSL-320B. Summary: Best avoided unless the firmware improves. This is a small device offering one Ethernet port and one ADSL port. It runs from 9 volts AC. Annoyingly, even after flashing it to the latest UK firmware, I never did get it working in standard PPPoA mode (as an ADSL NAT router) though it did work with an Apple Mac in Bridged mode (as an ADSL modem). For bridged mode on UK BT 20CN ADSL2 lines, you must select "1483 Bridged IP LLC" mode, as shown in the picture below (click to enlarge). The whole experience didn't really inspire confidence, so I didn't bother testing it with pfSense. Rather disappointing, as I had expected better from D-Link.

Draytek Vigor 120. Summary: works like a charm. This gadget is sold as a PPPoE ADSL modem, not as an router than can also be used as a modem. The vendor claims you can just plug it into your router/firewall and use it without any configuration at all. I took the time to assign a static IP address for management purposes: this isn't strictly necessary, but does facilitate statistics display:-

The management IP address does not need to be related in any way to the IP subnets used by the firewall. It's only there so that you can plug in a laptop and see what's going on with the ADSL link itself. The device is still acting only as a modem, not a router.

The only minor gripe I found with the Draytek is that the web management interface was needlessly confusing. The default status page shows "DISCONNECTED", which probably relates to routing being switched off. The status page marked "Online Status" (shown above) is what you want, but you can't always access that page because the web menu screen is buggy (and has a clashing colours making it hard to read). But refreshing the page usually makes the menu render properly, or you can just open the status page directly at /doc/online.sht.

In case it helps anyone... My system is in the UK, on a standard but rather faint BT 20CN ADSL line. My Draytek Vigor 120 arrived with the current v3.2.4.1 firmware but the modem code seemed to be out-of-date, so I updated it from the maker's website using the file v120_a4_v324 (modem code 332201) as this seemed to be the recommended modem code for the UK. It's been running flawlessly for 10 days now without re-syncing once, despite the high attenuation on my line, maintaining a good stable 11 dB SNR (with the BT end set for extra stable mode).

So far then, the Vigor 120 seems perfectly compatible with pfSense 1.2.3, and highly stable even on marginal BT ADSL limes. It also claims compatibility with all the new ADSL standards, so with a bit of luck it should still work when BT upgrade my local exchange to 21CN ADSL 2+, making it good value for the price.

Billion BiPAC 5200. Summary: works pretty well, but tends to re-sync every few days on my noisy ADSL line. This again is a very small device. It offers one ADSL port and four Ethernet ports, and runs from 12 volts DC (which is handy because that's what all my Soekris servers and Netgear switches use - so in theory I could use a true battery backup circuit instead of a wasteful mains UPS).

The Billion device worked straight away as a plain old ADSL NAT router, but upon switching to Bridge mode, it just didn't seem to want to work with the PPP client in pfSense until I tried switching it to an unlikely sounding connection mode: "1483 Bridge IP LLC". This sounded wrong, because the normal connection mode in the UK is VC rather than LLC, but it works. The correct setup is as shown above (click picture to enlarge). Note that VPI/VCI needs to be set to 0/38 for normal UK ADSL lines (BT 20CN ADSL2), whilst the other settings can be left at defaults...

The Billion device comes in two models: the 5200 and the 5200S. I went for the 5200, which has 4 Ethernet ports, whilst the slightly cheaper 5200S only has a single Ethernet port. Used in Bridged Mode, only one Ethernet port can carry Internet traffic (because everything's wrapped up inside PPP frames). However, the web management service remains active when Bridge Mode is used, so it may be useful to have more than one Ethernet port in case you want to monitor things like ADSL line conditions without disconnecting the PPP link.

So much for the different ADSL modems. What about configuring pfSense? For test purposes, I downloaded the CDROM installer ISO image for pfSense 1.2.3, burnt it to CD, booted it up and installed it on a 10 year old Dell desktop PC fitted with two network cards. Predictably, pfSense found and auto-configured all the hardware: it even recognised the power switch, so that it does a clean shutdown when you switch off. One network interface became "LAN" (local area network), the other "WAN" (wide area network). So far just standard stuff, the default install equivalent to a simple NAT firewall to begin with.

For PPP over ADSL, we just need to go into Interfaces / WAN in the pfSense web GUI, and set it up as shown below (click image to enlarge):-

At the top, you set "Type" to be "PPPoE". This means the interface doesn't have an IP address or Gateway, as everything should get set up automatically over Ethernet using PPP. You just need to fill in your ADSL ISP username and password lower down under "PPPoE Configuration". Then just hit the Save button at the bottom, wait a minute for pfSense to apply the changes, and the link should come up (assuming that you got the username and password correct).

If you have problems, the first thing to do is look at the pfSense log. However, this isn't very detailed, so it may help to configure pfSense to send your system log to another machine using the SYSLOG protocol on the LAN interface. See my blog post from earlier today, for details of how to configure a FreeBSD server to receive SYSLOG messages from a remote host.

Another debugging technique is to plug the pfSense firewall into the ADSL Ethernet modem via an Ethernet hub (not a switch!). Then plug a laptop into the Ethernet hub and run Wireshark to watch the packets going past.

Whilst we're just messing about testing stuff, if you have a recent Apple Mac to hand, you can plug that in instead of the pfSense box to control the PPP link. On the Mac, go to "System Preferences" - "Network", then press the "+" button at bottom left. In the pop-up box, for "Interface" choose "PPPoE" and for "Service Name" enter something like "IPV6 PPPoE Test". In the box that appears, leave the PPPoE service name blank, then enter your ADSL ISP account name and password. Under "Advanced", just make sure "Configure IPV4" is set to "Using PPP" whilst "Configure IPv6" is set to "Automatically". Save your settings and press the Connect button. Once the PPP link comes up, for IPV6 access you'll need to correct the IPV6 address and gateway, as outlined in my earlier post today (PPP over ADSL and PPP over dialup are pretty similar from the Mac's point of view). If the link doesn't seem to be working, once again you can run Wireshark to watch the PPP protocol start up over the Ethernet port.

My next step will probably be to switch from pfSense to Monowall, with a view to adding native IPV6 support to my networks. Another option would be to stick with IPv4 and pfSense, but add a second ADSL line for higher speed and redundancy. Apparently pfSense 2.0 alpha supports true WAN link aggregration, as does my ISP, aaisp.net.

UPDATE: Currently running Monowall 1.32 using PPP over ADSL with a Traverse Viking PCI ADSL card. This has given me native IPV6 over ADSL for the first time, thanks to my ISP, www.aaisp.net .

HOWTO: Native IPV6 dialup on the Mac

2009-09-27T12:38:00.020+01:00

The world is running out of IPV4 addresses, so the transition from IPV4 to IPV6 is getting closer. Here's how to kick the tyres, if you want to try web surfing with IPV6. Dialup is just for testing of course, ADSL is next ...

1. Take an Apple MacBook running Snow Leopard (Mac OSX 10.6).

2. Disconnect Ethernet and Wifi.

3. Plug in the Apple USB Modem.

4. In the Mac's "System Preferences: Network" control panel (which will probably pop up automatically when the modem is plugged in), create a dial-up connection for an IPV6-compatible ISP, for example http://aaisp.net .

As far as I'm aware, AAISP (Andrews & Arnold) is the only ISP here in the UK that offers IPV6 natively over both ADSL and dial-up. You need to ask them to enable IPV6 for you - it's free - and you may also want to ask for a second login account - again, it's free - so that you can mess about testing stuff without clashing with the static addresses assigned your main ADSL line.

5. Enter the ISP's IPV6 name servers manually under the dial-up connection settings (as it doesn't get them automatically)

If you dial up now, you'll notice IPV4 and IPV6 addresses get assigned to network interface ppp0. These can be checked in a Terminal window using the command ifconfig ppp0. You can check routes with netstat -anr

But you'll find IPV6 web access still doesn't work, because the IPV6 address that gets set up on the ppp0 interface is a link-local one. I've yet to read up about IPV6 in detail, but for test purposes I got IPV6 working by deleting the default IPV6 address, replacing it with one of the millions of IPV6 addresses assigned to me by my ISP. To do this, I had to execute these commands (sanitised where 'x:x' appears) being careful not to confuse 6 (six) and b (letter B)...

sudo -s [to become root]

ifconfig ppp0 inet6 delete fe80::216:x:x:x%ppp0

route delete -inet6 default

ifconfig ppp0 inet6 2001:8b0:x:x::42

route add -inet6 default 2001:8b0:x:x::42%ppp0

echo 'nameserver 2001:8b0::2020' >>/etc/resolv.conf

echo 'nameserver 2001:8b0::2021' >>/etc/resolv.conf

Worth noting at this point that a fully-formed IPV6 address is of the form dead:beef:cafe:f00d:dead:beef:cafe:f00d but most often many of those bits are set to zero. The abbreviation "::" means just stick a load of zeroes in there to make it up to the correct length. So 2001:8b0::2020 is really 2001:08b0:000:0000:0000:0000:2020.

OK, so you should now have IPV6 connectivity, but how to test it?

Use 'dig -t aaaa www.example.com' to discover the IPV6 address of your favourite website.
Use ping6 and traceroute6 to test connectivity to known IPV6 addresses.
Browse directly to an IPV6 website by putting the IPV6 address in square brackets, i.e. http://[dead:beef:cafe:f00d:dead:beef:cafe:f00d]:port/index.html (assuming that the site supports browsing by address rather than virtual hostname).

You may also have access to http://ipv6.google.com (the IPV6-only version of Google) although due to bizarre practices at Google, that only works if your ISP has satisfied Google that it supports IPV6 properly. But there are some handy links to other IPV6-only sites at http://www.sixxs.net/misc/coolstuff/#ipv6gate .

Thus far you're running with a dual IPV4 and IPV6 stack. You can force IPV6 only by removing the IPV4 address and default route, but you'll then quickly realise how few websites support IPV6. There is a chicken and egg problem here... Even those sites that do support IPV6 are generally dual-stack, and often your DNS lookup will return IPV4 addresses by default, so you'll end up using IPV4 even when you have IPV6 enabled. I believe you can run IPV6 only on your machine by setting up a magic route for IPV4 addresses, as the IPV4 space appears as a subset of the IPV6 address range. But looking at the devices on my network with regard to IPV6 compatibility... There's a VOIP ATA, two laser printers, an iPhone, and an old Airport Express. None of these support IPV6, so I'll have to run dual-stack once I get my ADSL firewall to support IPV6.

UPDATE: As described elsewhere on this blog, I can confirm that native IPV6 over ADSL is working for me with Monowall 1.32. Modem is a Traverse Viking ADSL PCI card in Bridge mode.

HOWTO: Send SYSLOG messages to FreeBSD

2009-09-26T14:26:00.011+01:00

When you try to send SYSLOG messages for storage on a FreeBSD 7 server, the odds are that your messages won't appear in your log file on the first attempt. You need to get several things right...

1. Syslogd needs to be started with the '-n' flag to suppress reverse DNS lookups every time a message comes in. Apart from being a stupid waste of time, these checks fail unless the RDNS lookup succeeds, and exactly matches a hostname in syslog.conf.

2. Syslogd needs to be started with '-a 192.168.1.42/32' (to accept messages from a single sender) or '-a 192.168.1.0/24' (to accept from a whole subnet). Or you can give the -a flag several times. The easiest way to set up the flags is to give them in /etc/rc.conf , for example:

syslogd_flags="-n -a 192.168.99.7/32:* -a 1.2.3.4/28:*" # Log from Firewall and DMZ

3. Your /etc/syslog.conf file needs to include this magic syntax, right up the top before all your normal rules:-

+192.168.99.7

*.* /var/log/firewall.log

4. The log file needs to exist before syslogd is restarted, and it needs to have the right permissions. So you'll need something like:-

touch /var/log/firewall.log

chown root /var/log/firewall.log

chmod 0600 /var/log/firewall.log

Hope this helps someone...

GMail's SSL Certificate Updated: Fixing STUNNEL

2009-08-20T23:03:00.018+01:00

Today it appeared that Google Mail had updated the SSL certificate they use to secure access to the SMTPS service on smtp.gmail.com:587. The change stopped me from sending personal email through a corporate HTTP proxy today, and I couldn't immediately remember how to load fresh certificates in my Stunnel server again...

Corporate proxies often block direct access to Gmail on port 587, but allow connections to arbitrary SSL services elsewhere. So I run two copies of the STUNNEL SSL proxy back-to-back on my home server. First, a STUNNEL SSL listener accepts incoming SSL client connections. After authenticating the client by checking for a valid client-side SSL certificate, the SSL listener decrypts my traffic and connects onward to a STUNNEL SSL client listening on the loopback address, 127.0.0.1. The STUNNEL SSL client then connects out to smtp.gmail.com:587, verifies GMail's SSL certificate, and encrypts my outbound mail before sending it on its way.

The outbound STUNNEL client was failing to connect to GMail, because their SSL certificate could not be verified. The STUNNEL syslog entries confirmed this (and restarting it didn't help). Things had probably been like that for a while, because it's only one of my work laptops that uses the STUNNEL proxies to send and receive mail (SMTPS and IMAPS): my other machines connect directly to GMail.

To try to see why it was failing, I checked the STUNNEL config file that controls my SMTP client connections to Google. The config file started with:

CAfile = Equifax_Secure_Certificate_Authority.pem
verify = 2

So I thought if I retrieved the current SSL certificate from smtp.gmail.com:587, I could just check the CA they'd used, then pull in the .PEM file for that CA.

I'm very rusty on all this. A handy reference is: http://www.madboa.com/geek/openssl/ .

OK, let's use the openSSL utility to connect to the Gmail SMTP service and see what's going on...

# openssl s_client -connect smtp.gmail.com:587 -starttls smtp
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKYg1RaQADAAAJ6TANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0wOTA3MTcxNzE3MzVaFw0xMDA3MTcxNzI3MzVa
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5zbXRw
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyfUHCINEHBj0
nyzNX/elLmKptij/pO5jri0vjGFKdQ/iMmcaxVNMoHcXYHKAwXZ91FN7MSu5iqOc
moDnQVc2iHRQRdVNK4bT0Rtfp4CvaSQPtdZE6ECpc369d2K4jlblcMW84akKUjtP
A+Nlt5BEasFv44+IlMsWa7dKOvFSZN0CAwEAAaOCASwwggEoMB0GA1UdDgQWBBTw
isHdXiADnrSmIxV8tmr7cj5wLzAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
KoZIhvcNAQEFBQADgYEACr0GdO989vBLvdZVHEPN6eNMTjTpDifg3m0wJGLH3nWH
jhiN8akr7q6MyzJxU8RBrcsKrqI631zmKd8tp2e8wRdtnqxkG7EJ1UxIcez6ZQx0
5IN48+ygwLaOSll0qK1Z6qThTqwCTgq5LlHyd0kihfos5m537daAOp6o9zGNc9Y=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1915 bytes and written 353 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 5DEDE00746F38BF291827E3755F2C26022F0F0DDE976BC1F74E4635AC9866E28
Session-ID-ctx:
Master-Key: 9C80B5DEE18ACCE28FEB3197B885B8C8FEC3B577462DFFF31DBD5472F23F16E2F5CD41392DD78851A5D0A3C9031F5B00
Key-Arg : None
Start Time: 1250808647
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 PIPELINING
^C

If we save this output to a file called 'stuff' and read that using another openssl command, we can get more information about dates, issuers, etc:-

# openssl s_client -connect smtp.gmail.com:587 -starttls smtp >stuff 2>&1
# openssl x509 -text -in stuff
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
62:0d:51:69:00:03:00:00:09:e9
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority
Validity
Not Before: Jul 17 17:17:35 2009 GMT
Not After : Jul 17 17:27:35 2010 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=smtp.gmail.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:c9:f5:07:08:83:44:1c:18:f4:9f:2c:cd:5f:f7:
a5:2e:62:a9:b6:28:ff:a4:ee:63:ae:2d:2f:8c:61:
4a:75:0f:e2:32:67:1a:c5:53:4c:a0:77:17:60:72:
80:c1:76:7d:d4:53:7b:31:2b:b9:8a:a3:9c:9a:80:
e7:41:57:36:88:74:50:45:d5:4d:2b:86:d3:d1:1b:
5f:a7:80:af:69:24:0f:b5:d6:44:e8:40:a9:73:7e:
bd:77:62:b8:8e:56:e5:70:c5:bc:e1:a9:0a:52:3b:
4f:03:e3:65:b7:90:44:6a:c1:6f:e3:8f:88:94:cb:
16:6b:b7:4a:3a:f1:52:64:dd
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
F0:8A:C1:DD:5E:20:03:9E:B4:A6:23:15:7C:B6:6A:FB:72:3E:70:2F
X509v3 Authority Key Identifier:
keyid:BF:C0:30:EB:F5:43:11:3E:67:BA:9E:91:FB:FC:6A:DA:E3:6B:12:24

X509v3 CRL Distribution Points:
URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl

Authority Information Access:
CA Issuers - URI:http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt

1.3.6.1.4.1.311.20.2:
...W.e.b.S.e.r.v.e.r
Signature Algorithm: sha1WithRSAEncryption
0a:bd:06:74:ef:7c:f6:f0:4b:bd:d6:55:1c:43:cd:e9:e3:4c:
4e:34:e9:0e:27:e0:de:6d:30:24:62:c7:de:75:87:8e:18:8d:
f1:a9:2b:ee:ae:8c:cb:32:71:53:c4:41:ad:cb:0a:ae:a2:3a:
df:5c:e6:29:df:2d:a7:67:bc:c1:17:6d:9e:ac:64:1b:b1:09:
d5:4c:48:71:ec:fa:65:0c:74:e4:83:78:f3:ec:a0:c0:b6:8e:
4a:59:74:a8:ad:59:ea:a4:e1:4e:ac:02:4e:0a:b9:2e:51:f2:
77:49:22:85:fa:2c:e6:6e:77:ed:d6:80:3a:9e:a8:f7:31:8d:
73:d6
-----BEGIN CERTIFICATE-----
MIIDWzCCAsSgAwIBAgIKYg1RaQADAAAJ6TANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0wOTA3MTcxNzE3MzVaFw0xMDA3MTcxNzI3MzVa
MGgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMRcwFQYDVQQDEw5zbXRw
LmdtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyfUHCINEHBj0
nyzNX/elLmKptij/pO5jri0vjGFKdQ/iMmcaxVNMoHcXYHKAwXZ91FN7MSu5iqOc
moDnQVc2iHRQRdVNK4bT0Rtfp4CvaSQPtdZE6ECpc369d2K4jlblcMW84akKUjtP
A+Nlt5BEasFv44+IlMsWa7dKOvFSZN0CAwEAAaOCASwwggEoMB0GA1UdDgQWBBTw
isHdXiADnrSmIxV8tmr7cj5wLzAfBgNVHSMEGDAWgBS/wDDr9UMRPme6npH7/Gra
42sSJDBbBgNVHR8EVDBSMFCgTqBMhkpodHRwOi8vd3d3LmdzdGF0aWMuY29tL0dv
b2dsZUludGVybmV0QXV0aG9yaXR5L0dvb2dsZUludGVybmV0QXV0aG9yaXR5LmNy
bDBmBggrBgEFBQcBAQRaMFgwVgYIKwYBBQUHMAKGSmh0dHA6Ly93d3cuZ3N0YXRp
Yy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRBdXRo
b3JpdHkuY3J0MCEGCSsGAQQBgjcUAgQUHhIAVwBlAGIAUwBlAHIAdgBlAHIwDQYJ
KoZIhvcNAQEFBQADgYEACr0GdO989vBLvdZVHEPN6eNMTjTpDifg3m0wJGLH3nWH
jhiN8akr7q6MyzJxU8RBrcsKrqI631zmKd8tp2e8wRdtnqxkG7EJ1UxIcez6ZQx0
5IN48+ygwLaOSll0qK1Z6qThTqwCTgq5LlHyd0kihfos5m537daAOp6o9zGNc9Y=
-----END CERTIFICATE-----

OK so the SSL certificate itself is only valid for a year, but if I could persuade Stunnel to trust Equifax and Google, hopefully it should all be OK. Equifax's root cert can be found on the web, and there's a link to Google's root cert in the X509 data shown in the output of the previous command. Putting it all together:-

# wget http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crt
# wget https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
# cat GoogleInternetAuthority.crt Equifax_Secure_Certificate_Authority.cer > Certs.cer

So the file Certs.cer can be referenced from the STUNNEL config file like so:-

CAfile = Certs.cer
verify = 2

This initially appeared to have fixed the problem - but then I realised that the equivalent IMAPS proxy was still working, without a similar change being made. I then became suspicious, and so backed out the change to my SMTPS proxy (restoring CAfile = Equifax_Secure_Certificate_Authority.pem in the Stunnel config file) and the service continued to work.

So I start to think the most likely explanation is that GMail re-generated their certificate while I was dicking around at my end, but I'm not entirely convinced. I was working through midnight, so maybe that had something to do with it. If anyone can shed any more light on this, I'd like to know!

In the longer term, it might be better if FreeBSD just knew about the normal root CA's, but I can't see how to set that up.

Garmin GPSmap 60CSx -update

2009-08-15T19:40:00.008+01:00

I've now had the opportunity to leave the GPS logging on a long car journey. Very impressive...

Despite being on the floor of the car, the logging was highly accurate (as shown by copying off the .GPX file and loading it into Google Earth). It even shows which side of the road I was driving on.

I've also installed an 8 GB microSDHC card, despite claims on Garmin's website that high capacity cards don't work. This allows the entire Garmin TOPO Great Britain v2 DVD mapping to be loaded onto the device at once (1.7 GB) whilst still leaving an enormous amount of free space for track logs or foreign maps.

For reference, the microSDHC card I used was the Kingston Class 4 microSDHC 8GB card, part number SDC4/8GB. I also tested the equivalent 4GB card, Kingston SDC4/4GB. 4 GB is perfectly adequate for the UK mapping, but the cards are so cheap that you might as well go for 8 GB just in case.

A nice feature of the GPS 60csx is that you can tell it to save a continuous tracklog to the microSD card. You can tell it how often to record a track point (by time, by distance moved, or Auto). This creates a GPX file named with today's date (example: "2009_08_15.GPX") which can be copied to a Mac or a PC via the USB cable. Google Earth can read this file format directly, or you can squirt it into GPSVisualizer.com if you prefer to see it in Google Maps. Quick and easy.

Garmin GPSmap 60CSx - first impressions

2009-08-08T19:59:00.007+01:00

Just got one of these handheld GPS units for hiking and cycling. First impressions excellent...

Whereas my old Garmin eTrex Vista unit was slow to acquire satellites, and really struggled anywhere but a flat open field, the new 60CSx acquires in a second or two even indoors. The receiver in the 60CSx certainly seems very sensitive, helped nodoubt by having a proper antenna on the top of the unit.

Right now it's showing 7 metre accuracy sitting on my desk in the house with no direct line of sight to the window. Possibly helped slightly by the receiving off-air WAAS/EGNOS correction data - you have to turn this on in the System menu, then you get 'D' in the satellite strength bars when correction data is being received. This feature was also offered on the eTrex but it never worked for me.

The eTrex unit was too inaccurate for surveying MTBO checkpoints in woodland, but hopefully the 60CSx will be more capable. The bicycle mount kit looks reasonable.

The 60CSx has proper buttons for menu navigation, instead of the appallingly slow cursor-based GUI system used on the eTrex. So the 60CSx looks better all round so far.

The software support looks better than average. The icing on the cake is that most of the software is Mac compatible, so (particularly if you've bought the Topo maps, which include the Garmin BaseCamp software) there's no need to use Windows. You can upload and download waypoints etc, and you can export your GPS logs as GPX or KMZ (Google Earth). The most flexible format is probably GPX. From a GPX file, you can use http://www.GpsVisualizer.com to convert to various formats including Google Maps. You can also feed GPX files into GpsBabel+ if you want to do your conversions on your own machine. Google Earth can read GPX directly too.

The 60CSx unit has a coarse base map, but you can also buy a detailed Topographical map on DVD - either for UK regions or for the whole UK. You then have to load it onto the GPS using the software provided. The GPS comes with a 256 MByte MicroSD flash card, but it looks as though it will take a 4 GB card for less than ten quid, which should be able to accommodate all the UK map tiles at once (as well as still having enough memory for a long continuous tracklog).

I remain undecided as to whether a map is really much use on a handheld, as the screen is quite small, and you don't use handhelds in the same way as in-car satnav devices. But I guess it would be useful if you'd gone to the trouble of setting up lots of waypoints before your trip, and moreover the Topo map can also be used on the PC or Mac for route planning.

Having installed the UK Topo DVD onto the Mac, the supplied software (Garmin BaseCamp) lets you view the map tiles in 2D and 3D modes. Sadly 2D mode has almost no detail (A roads only) while 3D mode doesn't occupy much of a 24" iMac screen - probably due to usage restrictions on the OS map data. This would be quite a crippling feature if you wanted to use the software for route planning: quite annoying to have to export to Google Maps or Google Earth just to see the whole route with adequate detail. I really wish the OS map data came with fewer restrictions: I feel like I've paid for it many times over now - in taxes, map purchases, Tracklogs and now the Garmin TOPO disc.

EZMLM Log File Viewer

2009-08-04T07:15:00.018+01:00

DJB's EZMLM mailing list software keeps a log showing subscriber additions and deletions, but the date and time are in a non-human-readable format. Here's a script to view those logs...

A while back, I found a Perl script somewhere to display the log properly. Now I've tweaked it slightly so that the output includes any extra info passed to "ezmlm-sub -n" when the subscriber was added. I can't find the original source now, but here's my changed version.

cat /usr/local/sbin/ezmlm-logview.pl
#!/usr/bin/perl -w
use strict;
if ($#ARGV != 0) {
 print "usage: ezmlm-logview /home/owner/listdir \n";
 exit;
}
my $log = "$ARGV[0]/Log";
open LOG, "<$log" or die "$log: open: $!\n";
my @F;
while () {
 @F = split;
 print scalar(localtime $F[0]);

 for (my $count=1; $count <= scalar(@F)-1; $count++)
 {
  my $field = $F[$count];
  print "$field ";
 }
 print "\n";
}

Leopard 10.5.7: MacBook WiFi connects, then drops

2009-07-07T20:36:00.006+01:00

My old MacBook's built-in Wi-Fi was rock-solid until recently, but just lately it had problems. Disabling RealPlayer Downloader Agent seemed to fix this....

The old late-Tiger, early-Leopard problem of not reconnecting after sleep was fixed in an Apple software update around six months ago.

But just now, after booting from cold, the Wi-Fi kept briefly connecting to my access point (a Cisco 877W ADSL router), then dropping off again - and showing all my neighbours (non-clashing) access points but not mine.

Looking at /var/log/system.log I noticed that each time the Airport en1 interface came up, RealPlayer Downloader Agent started doing things:-

Jul  7 20:17:37 guest43 RealPlayer Downloader Agent[161]: System Configuration Callback!
Jul  7 20:17:37 guest43 RealPlayer Downloader Agent[161]: changed keys (\n    "State:/Network/Interface/en1/IPv4"\n)
Jul  7 20:17:37 guest43 RealPlayer Downloader Agent[161]: changed dict {\n}

So I killed the RealPlayer processes:-

bash-3.2# ps -ax | grep Real
161 ??         0:01.86 /Users/martinjohnson/Library/Application Support/RealNetworks/RealPlayer Downloader Agent.app/Contents/MacOS/RealPlayer Downloader Agent -psn_0_77843
219 ??         0:00.62 /Users/martinjohnson/Library/Application Support/RealNetworks/RPDLAgentHelperD all
249 ttys000    0:00.00 grep Real
bash-3.2# kill -9 219 161
bash-3.2# ps -ax | grep Real
251 ttys000    0:00.00 grep Real
bash-3.2#

And now the Wi-Fi link comes up and stays up. Maybe it's just coincidence, but to try to make this change permanent, I've been into System Preferences / Accounts / Login Items and removed Real Player. It was always annoying anyway! To be fair to Real Networks, it should not be possible for an application issue to make the Wi-Fi drop out: this has the feel of a race condition in the kernel - maybe caused by the Real application firing off a pointless burst of traffic each time the link comes up - but what do I know.

iPhone: Fix for "Can't Connect To YouTube"

2009-07-07T20:28:00.004+01:00

I saw this error on an unlocked & jailbroken iPhone 2G running the iPhone 3.0 software. Setting the date and time correctly fixed it. Seems like poor design though: why should the YouTube app need to know what time it is?

Linux on Dell C400 laptop: Ubuntu Jaunty Jackalope

2009-05-20T11:00:00.007+01:00

Ubuntu Linux just gets better and better, and the new Jaunty release is no exception. Very easy to use, and to add and remove software packages, keep up with the security updates, etc. It doesn't need shiny new hardware: it will run quite happily on old slow laptops....

I have a couple of old Dell Latitude C400 laptops - very small, not quick (from the Pentium 3 era) but perfectly usable given enough RAM. These runs Jaunty very nicely, however there is an issue with the X Windows display fonts becoming corrupted, because the Jaunty installer doesn't quite guess the settings correctly for the C400. To fix this, you can copy the following file into /etc/X11/xorg.conf:-

Section "Device"
Identifier      "Configured Video Device"
Driver "intel"
Option "AccelMethod" "exa"
Option "MigrationHeuristic" "greedy"
Option "ExaNoComposite" "false"
Option "DRI" "false"
EndSection

Section "Extensions"
Option "Composite" "disabled"
EndSection

Section "Monitor"
Identifier      "Configured Monitor"
EndSection

Section "Screen"
Identifier      "Default Screen"
Monitor         "Configured Monitor"
Device          "Configured Video Device"
EndSection

[26th May: Tweaked this a bit (added DRI and Composite lines). Fonts were fine, but occasionally the machine would lock up. Repeated on 3 different C400 machines.]

Another thing worth noting, is that Ubuntu Linux offers full-disk encryption right out of the box. But to get it, you need to download the Alternate Installer CD image rather than the default one. Then just select "Encrypted LVM" when the installer gets to the disk partitioning stage.

Hopefully the next Ubuntu will offer full-disk-crypto on the default installation CD, to encourage users to encrypt their disks. That way, if someone steals my laptop, it's only money I've lost; and if someone borrows my laptop without permission, it's pretty hard for them to drop a keylogger on it without modifying the hardware.

View from the hotel room

2009-02-01T20:29:00.018Z

I'm on the road a lot for work, so I get to stay in hotels that can be a bit lacking in charm...

Hangar Lane Gyratory System, May 2008:

Heathrow, December 2008:

Portsmouth, January 2009:

Changing the subject... Seen in Uxbridge, an NHS policy change is revealed:

First Post

2009-02-01T19:54:00.001Z

I'm new to blogging, so I'm not sure how much I'll use this. But I felt I ought to write stuff down somewhere. The kind of stuff that doesn't feel worth the effort of creating a web page, but might be useful to aid my memory later, or to help others find technical notes on things.