Archive for 'legacy'

GallChluiche

Posted on June 11, 2003, under legacy.

Ballsbridge can be a very nice place to work, but occasionally they have one of these new-fangled soccer matches. It might as well be a military blockade and martial law. Being 30 seconds' walk from Lansdowne Road definitely sucks right now!

SAGE-IE monthly talk was last night, Dave Malone gave a great talk on forensics, filled the room again! Donal is looking at alternative locations.

The E-voting list is coming along very well, Meaigs is really putting up the pressure. Good to see!

Phil@rb mailed me today to tell me he got some FreeBSD nut to put c-hey into FreeBSD Ports. I really must start trojaning some of the stuff I maintain that’s in ports ;0

972/1000

Posted on June 9, 2003, under legacy.

Being single again has its advantages, I just found out that since I live in Leinster, there is a higher proportion of females to males than in any other province. It’s 972 Males to 1000 Females, which of course means every Leinster man should demand his 1.0288 woman.

Take that Munster (998 Men to 1,000 women) and even worse, Connacht (1,006/1,000) and Ulster (1,024/1000) which have more men than Women! haha!

Bouncy Bouncy

Posted on June 8, 2003, under legacy.

A few months ago, I mailed Bugtraq, not just once, but twice in the same night. Not a brilliant move, for the next 3 days I got a couple of hundred vacation replies and bounce messages from idiot fetchmail users and other silly people who don’t seem to know what the MAIL FROM: field is for, and instead bounce to the RFC822 From header, gah!

In a silly exercise of proving I haven’t learnt a damn thing, I posted to lkml (it’s been 3 years since that happened!), and again the same thing has happened, bouncy bouncy bounce. Ah well, at least I got a good few useful replies and requests. ArmLinux Chief Russell King also managed to clear up some information on Vital Systems, the company which made my TrueMobile Router.

After seeing some photos of the boards from Vital Systems, I decided to open my router, to see what it looked like. I have photos, which I’ll upload soon, it’s interesting inside, no nice DB9 serial port unfortunately, but quite a few connectors that may be for attaching a serial device, so it looks promising.

I’ve been looking at Movable Type recently, it looks good and Kevin from webgroup is thinking of using it to power BrickNews. I was considering using it for my Blog until I read this:

“Note: Starting with version 2.2, there are two storage options for Movable Type: Berkeley DB or MySQL

If your webhost does provide MySQL support, we recommend using this storage mechanism for added stability.”

[http://www.movabletype.org/requirements.shtml]

WHAT? MySQL more stable than BDB ? These guys are smoking something. No thanks.

Distant Shore

Posted on June 8, 2003, under legacy.

After an evening of Cinema, seeing The Hunted, a night of banter in Claire (starfish) and Dave (sares)’s place, and a morning walk from town to Fairview, I arrived home at 4:30am to the pleasant surprise of a free copy of Karan Casey’s Distant Shore, signed by Karan, Niall and Robbie.

Niall’s concertina playing really stands out as excellent, it’s been a while since I’ve seen either him, or his brother Cillian, both excellent musicians, but no doubt they’ll be at the Fleadh in August. Another surprise is that one of the tracks includes the vocals of Karen Matheson, excellent stuff.

Summer!

Posted on June 7, 2003, under legacy.

I’ve been bold. It’s been a week and a half since I updated my Blog, but there are reasons. On Saturday last, RedBrick’s NFS setup decided to crap itself, leaving us with no servers until Tuesday Lunchtime, gah!!! But at least there was good weather.

To make matters slightly more interesting, I decided to go ahead and swap our MTA (the venerable Postfix) for Exim on Thursday, it was on our plans anyway, but I just suddenly felt like doing it. It went surprisingly well, considering the nature of such a change. All that’s left now for the big move is the migration to IMAP, which is coming in on-schedule, yay!

Today I found myself teaching music in Bray of all places, filling in for a friend who’s away. Considering I went out there with no instrument, and no idea what I’d be teaching, it went well. There was a piano out there, so I used that, even though I had two Guitar classes, one bouzouki, one Mandolin and one Banjo. One of the Guitar Pupils was a Belgian lady who joined Comhaltas to pick up Irish Guitar (she can already play Guitar very well), turns out she’s also learning Irish with Gael Linn (her two kids are in a Gaelscoil), so we did the class in Irish, which was fun (Irish with a Belgian Accent can take some getting used to though!).

Today I’m reading “Taking Chances” by John Haigh, who knows, I might even finish this book!

Sloowwwwwwww

Posted on May 28, 2003, under legacy.

So, amid a new security issue, Apache 2.0.46 is Released and I set about upgrading all of the servers I’m responsible for. I start with prodigy, because skyhawk, our webmaster, isn’t on, and I leave it running. By the time I’ve upgraded 3 Dells running Linux, and a FreeBSD server I have, Prodigy still hasn’t even finished ./configure.

Another 4 servers later, I’m still waiting on Prodigy. Jesus, there’s a reason it’s called Slowaris.

Wowsa

Posted on May 26, 2003, under legacy.

heanet@canyonero:~$ ps -ef | grep -c httpd
1317

and that’s just http, there’s another 317 ftp downloads at the same time. That’s an awful lot of downloads.

Leathermen are great, today we actually used a Leatherman to cut 5 cm thick wooden floortiles, and it did it better than the hacksaw we tried to use first. Then, in a stunning overture the Leatherman made light work of rackmounting a Cisco 12400. What that photo won’t tell you is that they are about 1.5 metres high and weigh about half a tonne.

Also, I got annoyed enough to post to IIU, something I haven’t done in a while (though it is hard when you work in the industry).

One quarter of Sourceforge

Posted on May 24, 2003, under legacy.

From the looks of things, Sourceforge seem to have slashed their list of official mirrors. As far as I can tell, HEAnet is now the only non-US mirror of Sourceforge and there are now a total of 4 SourceForge download sites.

We don’t mind, we certainly have the capacity to cope, but it is a little odd … maybe SourceForge are upgrading/replacing the other mirrors.

Firewalls Suck!

Posted on May 23, 2003, under legacy.

As you may know, I’m a network engineer for HEAnet, and one of my jobs is system administrator for ftp.heanet.ie, one of the busiest download servers in Europe. Running a big ftp server means there’s more than a few mails a week, usually about the odd corrupted download, a stale mirror … this and that. But yesterday we got a rather unusual problem mailed to us. Just one of our mirrors (in this case OpenBSD) wasn’t working for the user. All of our other mirrors worked fine, and even OpenBSD worked fine over http, just not ftp.

Being the stupid type, I decided to actually try and figure out what was wrong. The reporter was extremely clueful, and had no fear of tcpdump, which is a good thing because I had to ask him to run it a lot. I’ll try and condense our experiences into something that is still readable, but remains horrific.

The user has a nice network, he has an OpenBSD machine that is being used as a Firewall (using packet filter) and NAT device for some Windows 2000 machines, as well as a FreeBSD machine or two in public IP space. He tested using Internet Explorer on the windows boxes, and command-line ftp on the FreeBSD and OpenBSD ones, we tried all combinations of filtering on/off and ftp passive mode on and off and so on to no avail. I checked using command-line ftp on a FreeBSD machine myself and Colin have in San Francisco, and it worked fine for me.

No matter what, he failed to be able to use ftp://ftp.heanet.ie/pub/OpenBSD/ for some reason. Taking a gander around the various mirrors, I noticed that OpenBSD is unusual in that it has a larger than average .message file; this is the file that gives the nice OpenBSD Logo banner. So I deleted it, and voila the mirror worked for the user. All of the symptoms went away, weird, to say the least. So, some experimentation: We created an empty .message file, still worked. So we started shoving some dummy text into it, and it just kept on working, right up until we get to 1,288 bytes.

Anyone who knows IP well is probably shouting MTU, MTU, MTU! right now, but for those of you who don’t realise the significance – in IP the Maximum Transmission Unit size is usually 1,500 bytes. When you take away IP and TCP headers, this comes to a payload size of 1,288 bytes, a figure that is familiar (or should I say infamous) to network engineering types. And sure enough, if we lowered the MTU on either side, the size the banner could be before breakage also dropped. WEIRD-ASS. It very much looked like something was preventing FTP, a TCP-based protocol which should have no problem with packet fragmentation, from utilising more than one packet to transmit the ftp banner. Again, I say – WEIRD ASS.

So, we knew that something between our FTP server and our user’s machine was acting a little strangely. We ruled out routers, on the basis that it would take a really odd router bug to have this kind of an effect (not that most of NANOG wouldn’t put that past Cisco ;). I called our user’s service provider, who happened to be a customer of ours, to let them know about the odd problem, and see about finding a root cause.

Their network engineer confirmed that they could experience the problem as well, which instantly gave rise to a desire to fix it, they know all too well that these small niggles can become major headaches far too easily! Again, their engineer was extremely clueful and again completely unafraid of the ways of tcpdump. So, straight into the firewall logs, as they were running checkpoint-ng, though they had a nice liberal firewall policy as regards outbound traffic.

And sure enough, right there in the logs were messages saying:

message_info: Port command ended without a new line

which corresponded pretty nicely with the kernel errors on our side:

conntrack_ftp: partial PORT 359824284+26

this, despite the fact that we were using passive ftp, which doesn’t use the PORT command, and that ftp banners are exchanged on the control channel anyway .. but hey! So, after logging a call with his checkpoint support people, and a quick google on how to disable the check, all is now working. FTP is working fine for the user, passive and active, with the full banner. Here’s the reason the check exists in the first place, and when you read it it kind of makes sense. The fact that the checkpoint people don’t seem to have checked it too well, or handle MTU boundaries satisfactorily, doesn’t give me much confidence in their abilities or testing procedures though.
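The failure described above, as an added example that is not part of the original post or of any firewall vendor's code: a per-segment FTP control-channel inspector that reports a split line as 'partial' whenever the banner spans more than one TCP segment, beside a stream-reassembling inspector that parses the same banner correctly. The segment payload size is an assumption taken from the figure in the text, and the banner is constructed for the example.

```python
# Added example, not from the original post: a model of an FTP control-channel
# inspector (like the firewall ALG in the story) that judges one TCP segment at
# a time, beside one that reassembles the byte stream before parsing lines.
from typing import List, Tuple

# Assumed per-segment payload size. The post cites 1,288 bytes; here it is just
# a parameter, the failure appears for any banner longer than one segment.
DEFAULT_MSS = 1288


def segment(stream: bytes, mss: int = DEFAULT_MSS) -> List[bytes]:
    """Chop the control-channel byte stream into TCP-sized segments."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]


def naive_inspect(segments: List[bytes]) -> List[str]:
    """Per-segment check: assumes each segment carries whole CRLF-terminated
    lines, so a line split across two segments is reported as 'partial'."""
    problems = []
    for seg in segments:
        if not seg.endswith(b"\r\n"):
            problems.append(f"partial line, segment ends with {seg[-16:]!r}")
    return problems


def reassembling_inspect(segments: List[bytes]) -> Tuple[List[str], bytes]:
    """Stream-aware check: buffer bytes across segments and only parse
    complete lines. Returns (lines, unfinished tail); the tail is empty
    once the whole banner has arrived, however it was segmented."""
    buf, lines = b"", []
    for seg in segments:
        buf += seg
        while b"\r\n" in buf:
            line, _, buf = buf.partition(b"\r\n")
            lines.append(line.decode("ascii", "replace"))
    return lines, buf


def ftp_banner(size: int) -> bytes:
    """Constructed RFC 959 multi-line 220 greeting of at least `size` bytes,
    with a '220-' continuation prefix on every line like a logo banner."""
    lines = [b"220-Welcome to the constructed example FTP server"]
    filler = b"220-" + b"x" * 60
    while sum(len(l) + 2 for l in lines) < size:
        lines.append(filler)
    lines.append(b"220 Ready")
    return b"\r\n".join(lines) + b"\r\n"
```

A banner that fits in one segment passes both inspectors; one of a few kilobytes trips the per-segment check at every segment boundary that does not happen to fall on a CRLF, while the reassembling inspector yields the complete set of lines and an empty tail.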

But this definitely reinforces my opinion that firewalls suck, they reduce the auditability of your network, and they interfere with things that aren’t meant to be interfered with. If you want to limit access to servers, or limit outgoing connections … use an Access Control List, on your router. Don’t use one of these fancy mumbo jumbo firewall thingies, gah!

Actually I have much worse stories about firewalls (including one which reduced the security of a network by a few orders of magnitude) … but they’re for another day. In the meantime, hopefully I will have mentioned the words banner, checkpoint, ftp and mtu enough times in this article for google to catch it for the next poor unfortunate network engineer :)

FluxFlox

Posted on May 20, 2003, under legacy.

Today I took the plunge, after *counts* 7 years of using WindowMaker I’ve decided to try something new, fluxbox. Don’t get me wrong I love WindowMaker but a small few things annoy me about it, the clip and dock just take up space as far as I’m concerned, and the complete dearth of decorative options for Title Bars was very annoying. So now I’m using FluxBox. It took a while to get the keybindings into a usable state for me, but now that I’m there I have to say I’m pleasantly surprised. This might just work out.

Last night I read through a review copy of Dave Malone’s and Niall Murphy’s IPv6 book, looks extremely good. I managed to mail a few comments before the night was out, but I’ll sit down and give the book a proper read later this week.

Bringing a smile to my face, I managed to track down the Department of Health Press Release about the incoming smoking ban, it’s 4 months old, but still, it makes me very happy. I can’t wait for smoking to be banned.

Though with the state of law enforcement in this country, it might be a while yet before the benefits are felt in any real way.