Port forwarding with Linux

It’s Tuesday. I can’t wait for the weekend. Hey, at least this week we get a little break on Wednesday, at least in the States.
I posted some mail last night. Among those was a request that I reveal some of my Linux server-at-home secrets. I think I’ve sufficiently covered the creation of mail and Web servers, but I’ll go back and look some other time, when my brain’s less fried. I spent the day trying to make bootable Linux CDs. I’m thankful for CD-RWs, because I would have toasted about 10 CD-Rs in that process. I’ve found a Web site at work that talks all about it; I’ll refrain from calling it great until I figure out whether all of its steps actually work. I have made one successful bootable CD using the process, but it wouldn’t do everything I wanted. When I subbed in my own kernel that could do everything I wanted and left things like amateur radio support behind (just what I always wanted… a HAM-enabled Linux boot CD. Be still, my heart!) I got various different error messages. So not only am I wrong, I’m inconsistently wrong.

Anyway, let’s talk about firewalling. I don’t write firewalling scripts by hand; I let an expert do it. Then I go in and make slight modifications. My favorite method by far is to use PMFirewall, which asks you a bunch of nice questions and then writes a script. At present it only works with 2.2-based distros (a version for 2.4 is in alpha). If you want to do some forwarding, all you have to do is edit rc.firewall and add a couple of lines (this example assumes you’re running a Web server on 172.16.0.10, port 80):


echo "1" > /proc/sys/net/ipv4/ip_forward #enable IP forwarding
/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 80 -R 172.16.0.10 80 #forward Web services to port 80 on 172.16.0.10

If you’re also running IMAP services on the same box, you can theoretically open it up with this line (I haven’t tried anything like this yet):


/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 143 -R 172.16.0.10 143 #forward IMAP to port 143 on 172.16.0.10

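The two ipmasqadm lines above are the whole exposure of the masquerading box, so it is worth being able to list them before rc.firewall runs. The following is an added example, not part of the original post: a small POSIX sh audit that reads an rc.firewall-style file, skips commented-out rules, and prints each active "ipmasqadm portfw -a" rule as an exposed port and its internal target (the rule syntax assumed is the one used above; the sample fragment is constructed).

```sh
#!/bin/sh
# Added example, not part of the original post: list what a 2.2-era rc.firewall
# exposes through "ipmasqadm portfw -a" rules, so the forwarded ports can be
# reviewed before the script is loaded. Rule syntax assumed (as in the post):
#   ipmasqadm portfw -a -P <proto> -L <ext_addr> <ext_port> -R <int_addr> <int_port>
# Commented-out rules are ignored; nothing here touches the live firewall.

# Constructed rc.firewall fragment modelled on the post's lines, plus one rule
# that is commented out and must not be reported.
sample_rc_firewall() {
    cat <<'EOF'
echo "1" > /proc/sys/net/ipv4/ip_forward #enable IP forwarding
/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 80 -R 172.16.0.10 80 #forward Web
/usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 143 -R 172.16.0.10 143 #forward IMAP
# /usr/sbin/ipmasqadm portfw -a -P tcp -L $IPADDR 23 -R 172.16.0.10 23 #disabled
EOF
}

# portfw_exposed FILE: print one line per active portfw rule as
# "<proto> <ext_port> -> <int_addr>:<int_port>".
portfw_exposed() {
    grep -v '^[[:space:]]*#' "$1" | grep 'ipmasqadm portfw -a' |
    awk '{
        proto = "?"; eport = "?"; iaddr = "?"; iport = "?"
        for (i = 1; i <= NF; i++) {
            if ($i == "-P") proto = $(i + 1)
            if ($i == "-L") eport = $(i + 2)      # -L <ext_addr> <ext_port>
            if ($i == "-R") { iaddr = $(i + 1); iport = $(i + 2) }
        }
        print proto, eport, "->", iaddr ":" iport
    }'
}

# portfw_count FILE: number of active forwarding rules (the exposed-port count).
portfw_count() {
    portfw_exposed "$1" | wc -l | tr -d ' '
}

# portfw_forwards FILE PROTO PORT: succeed only if an active rule exposes PROTO/PORT.
portfw_forwards() {
    portfw_exposed "$1" | grep -q "^$2 $3 ->"
}

# Stand-alone demo over the constructed fragment.
tmp=$(mktemp) && sample_rc_firewall > "$tmp"
echo "Ports forwarded through the masquerading host ($(portfw_count "$tmp") rules):"
portfw_exposed "$tmp"
rm -f "$tmp"
```

Run it against the real rc.firewall instead of the sample to get the list of ports the outside world can reach through the box.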
Forwarding with Freesco is supposed to be easy but I’ve never actually done it yet. I’ll have to play around with it, on someone else’s cable or DSL connection of course (we wouldn’t want to keep anyone from reading these pages, after all). I believe Freesco is still 2.0-based, and firewalling and forwarding have changed with each major kernel revision since 2.0. It may have changed some before that too, for all I know, but back in those days I was fighting Slackware on 486s and deciding I hated Linux. It wasn’t until 1997 when a coworker gave me a copy of Red Hat 5.2 that I changed my mind and realized I didn’t hate Linux, I hated Slackware.

We can’t give hackers anything else to work with

Thanks to David Huff for pointing this link out to me (the good Dr. Keyboard also passed it along). Steve Gibson was hacked last month, and he wasn’t very happy about it. So he set out to learn everything he could about l337 h4x0rs (elite hacker wannabes–script kiddies). What he found out bothers me a lot.
Kids these days. Let me tell you…

In my day, 13-year-old truants (those who had computers and modems) used their modems to dial 800 numbers over and over again long into the night, looking for internal-use-only numbers. Armed with a list, they then dialed every possible keycode combination looking for PINs. Then they’d use that information to call long-distance on the telco’s dime. They’d call BBSs, where they’d swap the previous night’s findings for more codez, cardz (credit card numbers), warez (pirated software), or porn.

I never did those things but I knew a lot of people who did. They’d drop off the face of the earth on a moment’s notice, and rumors would go around about FBI busts, computer equipment being confiscated, kids being hauled off to juvenile detention center… And some of them never came back. Some of them cleaned up. Others, who knows? I heard a rumor about one of them running away to Las Vegas after he got out. And some just got hold of their old contacts and went right back to business. One of my friends cleaned up–the huge phone bill he got was enough of a reality check that he stopped. Whether it was a moral reason or just fear of getting caught again, I don’t know. I knew another who got busted repeatedly, and he’d call me up and brag about how his line was tapped, throwing in the occasional snide remark to whoever else might have been listening. I remember our last conversation. He sent me some code (all of the guys I knew were at least semi-competent 6502 assembly language programmers) and we talked music. I’d been fascinated by that subculture, though I never did anything myself–I just talked to these guys (partly out of fear of getting caught, partly because I did want to have some semblance of a life, partly because I didn’t want to kiss up to a bunch of losers until I’d managed to prove I was elite enough), but at that point I was 16, I’d published once, and I realized as the conversation ended that my fascination with it was ending also. It was 1991. The scene was dying. No, it was dead and pathetic. These “elites” had become the butt of jokes–they were risking arrest so they could call Finland for free and pirate Grover’s Magic Numbers, for Pete’s sake! I guess I was growing up. And I never talked to him again. (I don’t even remember this guy’s real first name anymore–only his handle.)

I guess if I’m going to be totally honest, the only thing that’s really changed are the stakes. I want to say my generation wasn’t that bad… But I don’t know.

Essentially, some guy going by “Wicked” had zombies running on 474 Windows PCs. Some of “Wicked’s” buddies took issue with Gibson talking about script kiddies–they thought he was talking about them–so they told “Wicked” to take him down. And he did. And he bragged about it.


"we will just keep comin at you, u cant stop us 'script kiddies' because we are
better than you, plain and simple."

Now, when someone annoys me, I find out what I can about the guy. At 26, I do it to try to get some understanding. At 13 I didn’t necessarily have that motivation, but I did at least have some basic respect. And anyone claiming to be better than Steve Gibson… Gimme a break! That’s like walking up to Michael Jordan and saying you’re better on the basketball court, or walking up to Mark McGwire and saying you can hit a baseball further, or walking up to Colin Powell and telling him you can beat him in a war. And anyone who’s ever written a line of assembly language code and read any of Steve Gibson’s stuff knows it. And it’s not like the guy’s exactly living in obscurity.

Well, Gibson was diplomatic with this punk. And his reasoning and his respect softened him. He called the attacks off. Then they suddenly started again, and Gibson got this message:


is there another way i can reach you that is secure, (i just ddosed you, i aint stupid, im betting first chance ud tracert me and call fbi) you seem like an interesting person to talk to

Say what? You want to talk to someone, so you blow away every other line of communication and ask if you can talk? Now I can just picture this punk once he gets up the nerve to go talk to a girl. He knocks on the door, and the first words out of his mouth are, “I just tesla coiled your phone line so you couldn’t call the cops, but…” Then he’d toss some Kmart pickup line every girl’s heard a million times her way, and hopefully she’d smack him and run to the neighbors’ and call the cops.

For some reason people get hacked off when you do something malicious to them.

Well, Gibson reverse-engineered some Windows zombies and followed them into a l33t IRC channel where he had another interesting conversation. I won’t spoil the rest of it.

Now, I admit when I was 13, I was a mess. I was insecure, and I had trouble adjusting. My voice was cracking, my skin was oily, and I was clumsy and gawky. And I didn’t like anyone I knew when I was 13, because I was the class punching bag. Part of it was probably because I was an outsider. This was a small town, and I wasn’t born there, which was a strike against me. If you got all your schooling there you were still OK. I came in the third grade, so strike two. And I didn’t want to be a hick, so strike three. I liked computers, and in 1987 that was anything but cool, especially in a small town. And everyone thought I was gay, because I didn’t hit on girls and I didn’t have a huge porn collection–and there aren’t many worse things to be in southern Missouri, because it’s still a really bigoted place (and since girls made me stammer, it’s not like I could have proven I was straight anyway). And I had goals in life besides getting the two or three prettiest girls in the class in bed. (Yes, this was 7th grade.) So I guess I was oh-for-two with two big strikeouts. And since I was five feet tall and about 90 pounds, if that (I’m 5’9″, 140 now, and I was scrawnier then than I am now) I couldn’t exactly defend myself either. So I was an easy target with nothing to like about me.

I guess “Wicked” sees Steve Gibson as a five-foot, 90-pound outsider with a really big mouth, so he’s gonna go pick on him. Then he’s gonna go hit on the 13-year-old girl who looks 18, and he thinks taking down grc.com is going to make her swoon and tell him to take her to bed and lose her forever. But since she has a life, she doesn’t give a rat’s ass about whether grc.com is up or down, so hopefully she’ll smack him but I doubt it.

Yeah, I want to say the solution is to make things like they were in 1987 but bullies are bullies, whether it’s 2001 or 1987 or 1967. AD or BC, for that matter.

I want to say that accountability to a higher being will solve everything and make kids behave, but I know it won’t. That grade-school experience I just described to you, with 13-year-olds making South Park look tame and trying to get in girls’ pants? You know where that happened? A Lutheran grade school. Introducing the kids to God won’t fix it. Establishing a theocracy won’t fix it. In college I wrote a half-serious editorial, after a pair of 6-year-olds in Chicago murdered a four-year-old by dropping him out of a 20th-story window after he refused to steal candy for them, where I advocated the death penalty for all ages–maybe then parents would keep an eye on their kids, I reasoned. But I know that won’t fix anything either.

Steve Gibson doesn’t offer any answers. He’s not a social engineer. He’s a programmer–probably the best and most socially responsible programmer alive right now. And what Gibson wants is for Microsoft to cripple the TCP/IP code in Windows XP, so the zombies these script kiddies use don’t gain the ability to spoof come October.

Frankly, I wish such a castrated TCP/IP stack, with raw sockets capability removed, were available for Linux. My Linux boxes are a minimal threat, being behind a firewall and only having a single port exposed, but I’d cripple them just to limit their usefulness to a script kiddie just in case.

Why? Screw standards compliance. The standard for mail servers used to be to allow them to be wide open so anyone could use one, just in case their mail server was down. It was all about being a good neighbor. Then spammers trampled that good faith, so open relays are now the exception, not the rule.

Maybe there’s some legitimate use for raw sockets. I don’t know. But I know nothing I use needs them. So why can’t I run a stripped-down TCP/IP on all my boxes, so that in the event that I do get compromised, my PCs’ usefulness is limited?

If software companies want to provide a full, standards-compliant, exploitable TCP/IP stack for esoteric purposes that need them, fine. Do it. But don’t install it by default. Make it a conscious decision on the part of the systems administrator.

Let’s just get one myth out of the way. The Internet isn’t going to change the world. So when the world does stupid things, the Internet’s just going to have to change instead.

How to get mod_gzip working on your Linux/Apache server

My research yesterday found that Mandrake, in an effort to get an edge on performance, used a bunch of controversial Apache patches that originated at SGI. The enhancements didn’t work on very many Unixes (presumably they were tested on Linux and Irix) and were rejected by the Apache group. SGI has since axed the project, and it appears that only performance-oriented Mandrake is using them.
I don’t have any problem with that, of course, except that Mod_Gzip seems to be incompatible with these patches. And Mod_Gzip has a lot of appeal to people like me–what it does is intercept Apache requests, check for HTTP 1.1 compliance, then compress content for sending to browsers that can handle compressed data (which includes just about every browser made since 1999). Gzip generally compresses HTML data by about 80 percent, so suddenly a DSL line has a whole lot more bandwidth–three times as much.

Well, trying to make all of this work by recompiling Apache had no appeal to me (I didn’t install any compilers on my server), so I went looking through my pile-o’-CDs for something less exotic. But I couldn’t find a recent non-Mandrake distro, other than TurboLinux 6.0.2. So I dropped it in, and now I remember why I like Turbo. It’s a no-frills server-oriented distro. Want to make an old machine with a smallish drive into a firewall? The firewall installation goes in 98 megs. (Yes, there are single-floppy firewalls but TurboLinux will be more versatile if you’re up to its requirements.)

So I installed Apache and all the other webserver components, along with mtools and Samba for convenience (I’m behind a firewall so only Apache is exposed to the world). Total footprint: 300 megs. So I’ve got tons of room to grow on my $50 20-gig HD.

Even better, I tested Apache with the command lynx http://127.0.0.1 and I saw the Apache demo page, so I knew it was working. Very nice. Installation time: 10 minutes. Then I tarred up my site, transferred it over via HTTP, untarred it, made a couple of changes to the Apache configuration file, and was up and going, sort of.

I still like Mandrake for workstations, but I think Turbo is going to get the nod the next few times I need to make Linux servers. I can much more quickly and easily tailor Turbo to my precise requirements.

Now, speaking of Mod_Gzip… My biggest complaint about Linux is the “you figure it out” attitude of a lot of the documentation out there, and Mod_Gzip may be the worst I’ve ever seen. The program includes no documentation. If you dig on the Web site, you find this.

Sounds easy, right? Well, except that’s not all you have to do. Dig around some more, and you find the directives to turn on Mod_Gzip:

# [ mod_gzip sample configuration ]

mod_gzip_on Yes

mod_gzip_item_include file .htm$
mod_gzip_item_include file .html$
mod_gzip_item_include mime text/.*
mod_gzip_item_include mime httpd/unix-directory

mod_gzip_dechunk yes

mod_gzip_temp_dir /tmp

mod_gzip_keep_workfiles No

# [End of mod_gzip sample config]

Then, according to the documentation, you restart Apache. When you do, Apache bombs out with a nice, pleasant error message–“What’s this mod_gzip_on business? I don’t know what that means!” Now your server’s down for the count.

After a few hours of messing around, I figured out you’ve gotta add another line, at the end of the AddModule section of httpd.conf:

AddModule mod_gzip.c

After adding that line, I restarted Apache, and it didn’t complain. But I still didn’t know if Mod_Gzip was actually doing anything because the status URLs didn’t work. Finally I added the directive mod_gzip_keep_workfiles yes to httpd.conf and watched the contents of /tmp while I accessed the page. Well, now something was dumping files there. The timestamps matched entries in /var/log/httpd/access_log, so I at least had circumstantial evidence that Mod_Gzip was running.
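Since the missing AddModule line takes the whole server down on restart, it pays to screen httpd.conf before restarting. The following is an added example, not from the original post or from the mod_gzip project: a POSIX sh check that flags mod_gzip_* directives with no "AddModule mod_gzip.c" line, flags mod_gzip_keep_workfiles still set to Yes after the /tmp debugging trick, and writes a corrected copy with the AddModule line placed right after the last existing AddModule entry (it assumes an Apache 1.3-style httpd.conf with an AddModule section; the sample config is constructed).

```sh
#!/bin/sh
# Added example, not from the original post or the mod_gzip project: a pre-restart
# check for the httpd.conf edits described above. It catches the two things the
# post ran into: mod_gzip_* directives present without "AddModule mod_gzip.c"
# (Apache 1.3 rejects the unknown directive and stays down), and
# mod_gzip_keep_workfiles left at Yes after debugging (work files keep piling up
# in mod_gzip_temp_dir). Assumes an Apache 1.3-style httpd.conf that already has
# an AddModule section; the sample config below is constructed.

# Constructed httpd.conf fragment reproducing the post's broken state.
sample_httpd_conf() {
    cat <<'EOF'
AddModule mod_env.c
AddModule mod_log_config.c
# [ mod_gzip sample configuration ]
mod_gzip_on Yes
mod_gzip_item_include file .htm$
mod_gzip_item_include file .html$
mod_gzip_item_include mime text/.*
mod_gzip_item_include mime httpd/unix-directory
mod_gzip_dechunk yes
mod_gzip_temp_dir /tmp
mod_gzip_keep_workfiles Yes
# [End of mod_gzip sample config]
EOF
}

# active FILE: the config without comment lines, so commented-out directives
# are not counted.
active() { grep -v '^[[:space:]]*#' "$1"; }

# check_mod_gzip FILE: print findings; return 0 only if the config is consistent.
check_mod_gzip() {
    conf="$1"; status=0
    uses=$(active "$conf" | grep -c '^[[:space:]]*mod_gzip_' || true)
    loaded=$(active "$conf" | grep -c '^[[:space:]]*AddModule[[:space:]]*mod_gzip\.c' || true)
    if [ "$uses" -gt 0 ] && [ "$loaded" -eq 0 ]; then
        echo "FAIL: mod_gzip_* directives present but no 'AddModule mod_gzip.c'; Apache will refuse to start"
        status=1
    fi
    if active "$conf" | grep -iq '^[[:space:]]*mod_gzip_keep_workfiles[[:space:]]*yes'; then
        echo "WARN: mod_gzip_keep_workfiles is Yes; work files will accumulate in mod_gzip_temp_dir"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: mod_gzip configuration is consistent"
    return "$status"
}

# fix_mod_gzip SRC DST: write a corrected copy to DST. "AddModule mod_gzip.c" goes
# right after the last existing AddModule line (the spot the post found), and
# mod_gzip_keep_workfiles is set back to No.
fix_mod_gzip() {
    src="$1"; dst="$2"
    last=$(grep -n '^[[:space:]]*AddModule' "$src" | tail -1 | cut -d: -f1)
    if grep -q '^[[:space:]]*AddModule[[:space:]]*mod_gzip\.c' "$src"; then
        cp "$src" "$dst"
    elif [ -n "$last" ]; then
        awk -v last="$last" '{ print } NR == last { print "AddModule mod_gzip.c" }' "$src" > "$dst"
    else
        { cat "$src"; echo "AddModule mod_gzip.c"; } > "$dst"
    fi
    sed 's/^\([[:space:]]*mod_gzip_keep_workfiles[[:space:]]*\)[Yy][Ee][Ss][[:space:]]*$/\1No/' "$dst" > "$dst.tmp" \
        && mv "$dst.tmp" "$dst"
}

# Stand-alone demo: check the broken sample, fix it, check again.
tmp=$(mktemp) && sample_httpd_conf > "$tmp"
check_mod_gzip "$tmp" || true
fix_mod_gzip "$tmp" "$tmp.fixed"
check_mod_gzip "$tmp.fixed"
rm -f "$tmp" "$tmp.fixed"
```

On the live server, apachectl configtest (shipped with Apache 1.3) is the authoritative version of the first check; this script only pre-screens the file so you never find out about the unknown directive from a dead server.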


01/31/2001

Mailbag:

Music, HD, Linux modem

Sick. Something you’ll (hopefully) never see: DefragCam. I can blame one of my twisted coworkers for that idea.

A sad referrer showed up in my logs yesterday. It was a search request, from Hotbot, on the string, “I’ve never had a girlfriend.” I’m pretty sure that phrase appears as part of a sentence in Are we talking about more than just sunsets? but as part of a phrase. I seem to remember writing, “I’ve never had a girlfriend outside the winter months,” or something like that. I have no way of knowing where that request came from. Probably a bored, lonely teenager. More people have never had a girlfriend than anyone’s willing to admit. Including a majority of teenagers.

It’s only a problem if you let it be one. Unfortunately a lot of people do, and that makes them vulnerable to all sorts of scum, like advertisers and fringe religious fanatics and seedy individuals, all promising things they can’t or won’t deliver.

Not that I’m much of an advice-giver (unless you’ve got a slow computer, then I’m pretty good), but the best suggestion I’ve got is to find something you’re good at. Lose yourself in that. If you’re not good at anything, find something you enjoy and lose yourself in it. You’ll get good at it. That alleviates the boredom, and it builds confidence, which makes you good at other things. Does it make girls notice you? Only indirectly. But it’s better to be a winner who only occasionally has girlfriends (and remember, ideally you should only be in a successful relationship once anyway) than to be a loser who always has a girl.

I hate to sound callous, but given the choice between having a book published to my name, or having any of my ex-girlfriends back, I’d choose the book. I wouldn’t even hesitate. When I find a girl who’s cooler than writing magazine articles, and she thinks I’m pretty cool too, then I’ll know it’s time to settle down.

I guess that’s the other good thing about losing yourself in other interests. If a girl starts hanging around who’s more interesting than those things, great. If she’s not, that’s your subconscious mind’s way of telling you to keep looking.

A new way to benchmark. Finally, there’s a multitasking-oriented benchmark, available from www.csaresearch.com . Keep an eye on these guys. I didn’t use any benchmarks in Optimizing Windows, because they don’t reflect real-world performance and they generally test your hardware, not the operating system as it stands on your machine. This benchmark uses new methods that try to take multitasking into account, so it will do a better job of reflecting how a system feels. It was like I was telling my sister yesterday. If I put two computers in front of her, she doesn’t care which one puts up better numbers. She knows which one’s faster. But with a lot of the benchmarks today, the faster machine doesn’t put up the best numbers. Or a PC might put up numbers that appear to kill another, but when you sit down to use the two, you can’t tell a difference.

Time for a review. I’ve been so critical of reviews lately I decided to try my hand at writing one myself, to see if I’ve still got what it takes.

Linksys Etherfast Cable/DSL Router

Broadband Internet connections are increasingly common, and it’s hard for a single PC to use up all the available bandwidth. Plus, more and more homes have multiple PCs, and it’s a shame to spend $50 a month for Internet access and limit its use to a single PC. A number of third-party programs for sharing an Internet connection exist, and recently standalone cable/DSL routers have appeared as an alternative. These devices are about the size of a hub, plug into your cable/DSL modem, have a built-in firewall, and include one or more ports. You can plug your PCs into these ports and/or plug in a hub or switch so you can support a larger number of PCs. Another advantage of a standalone router is additional security against hackers. A Unix box can be very secure, but if a hacker does get into it, he can do a lot of unpleasant things, to you or to someone else (but make it look like you’re the one doing it). A hacker can’t do much to a router besides mess up its configuration. You can reset it and reconfigure it in five minutes. So the security of one of these devices is very tough to beat.

One of the most popular standalone cable/DSL routers is the Linksys BEFSR41, also known simply as the EtherFast Cable/DSL Router. It’s widely available for around $150. The best price I could find on it was $131. I tested the 4-port version. A 1-port and an 8-port version are also available. The 1-port version is less expensive but requires a separate hub or switch. If you already have one of those, you can save some money, but the 4- or 8-port version is ideal since it includes a built-in switch. I have an 8-port dual 10/100 hub; the Linksys router therefore gives me three additional higher-speed network ports, since switches are faster than hubs. Most people will probably want the 4- or 8-port version, because it’s easy to get spoiled really quickly by a 100-megabit switched Ethernet LAN.

Configuration is wickedly easy. Plug it into your cable/DSL modem, plug a computer into it, turn all of it on, configure the PC for DHCP if it isn’t already, then open a Web browser and go to http://192.168.1.1 . Feed it the factory password (which is undoubtedly documented all over the Web, but I won’t document it here as well), then make the changes you need. Most people won’t have to do any configuration other than changing the configuration password. If you want to put it on a different subnet, do it, then run winipcfg, push the release all button, then the renew all button, reconnect to the router, and make other changes if need be.

Administration is easy too. Just connect to the router via its Web interface, and click on the Status tab. You instantly get your network status. If your ISP drops your connection, hit the Release, then the Renew button. From the DHCP tab, you can tell the router how many clients to support. You can go to the advanced tab to configure port forwarding or a DMZ if you want such a thing–most of us won’t.

The only thing I had difficulty doing was upgrading the firmware from the browser interface. The router must not have liked the version of IE I was using. However, nothing stops you from downloading and running the firmware upgrade directly–as long as you’ve got a Windows box handy. Mac and Linux users may have problems there. Firmware updates seem to come every couple of months.

The firewall built into the router is unable to pass Steve Gibson’s LeakTest, but all hardware routers have this weakness–it’s virtually impossible for a hardware router to tell the difference between innocent traffic and malicious traffic caused by a Trojan Horse. However, the router passes ShieldsUp! ( www.grc.com ) with flying colors.

The speed of the connection is certainly acceptable; since I was running a caching nameserver on the Linux box it replaced, that machine should be able to outperform any standalone router any time. Of course this is purely subjective; the speed of the Internet changes constantly. Nothing stops me from running a caching nameserver behind this router, which will help performance significantly. Local network performance on the built-in 10/100 switch is outstanding.

Appearance-wise, it’s a solid product, made of two-tone blue and black plastic but it’s not cheap plastic. Styling is modern but tasteful–no wild colors or translucent parts. It has indicator lights up front, a reset switch up front, and ports in the back. It also has built-in legs, so presumably it’s stackable with other Linksys hardware (I don’t have any Linksys switches or hubs, so I can’t check that).

The only flaw I can really find with this router is that the MAC address can’t be changed. Some ISPs authenticate against the card’s MAC address, which allows them to control how you connect to them. It also prevents you from using this type of device. Some competing routers allow you to change their MAC address, so they can spoof that card and get around the limitation.

I read of problems using it with services that use PPPoE (PPP over Ethernet). My service doesn’t, so I can’t test this. Buyer beware.

I was disappointed that the 45-page manual didn’t have an index, but it had a lot of nice information in it, such as pinouts for Ethernet cables. It’s written in clear, plain and straightforward English. Manuals of this length and quality are rare these days.

I think it’s a decent product, but for my purposes I want something else. I don’t want something so easy to reset to factory defaults and configure. Why? It’s getting corporate use, and I want it to be complex enough to scare people away. I want the user interface of an HP LaserJet printer control panel. It’s a pain to configure, so therefore end-users don’t mess with it. I’m not sure if I’ll find such a beast, but you bet I’ll look for it.


Impressions of Netscape 6

I’ll be back in a bit. With preliminary impressions of Netscape 6. My notes on it are at work, but I’ll give you the overall. I’m thinking C+. It worked OK for me and it was fast. There were things about it that annoyed me though. I very badly want to use a non-Microsoft product, because I detest Microsoft, but IE has a couple of features that save me a lot of keystrokes and I have to think of that.

Assuming it manages to install, chances are there’ll be things about it you like. The things that bother me most are features that Netscape used to have but now don’t. But for basic browsing it’s much better than its predecessors.

I’ll get the rest of the details up here within a few hours.

My notes on Netscape 6. This is pretty rough, but I don’t have time to pretty it up.

Speed: Good. Very comparable to IE in most regards and sometimes faster, though still not as fast when rendering nested tables. On a P2/350 it’s hard to tell a difference. Program loads very slowly however (20+ seconds on that P2/350).

Stability: So-so if you can manage to get it installed. Installation problems galore; seemed stable under NT4 once I got it running. Under heavy use it didn’t crash on me once. However, numerous attempts to get Java plug-in working failed. I never did get it to install on a Mac G3 running OS 8.6.

Features: Stop animations feature is gone and sorely missed. Makes me mouse more than IE does. IE-like backspace is there; ctrl-enter is not and autocomplete is Netscape 4-like rather than IE like, forcing more keystrokes. I wish they’d focus more on usability, speed and stability and less on eye candy. Text enlargement doesn’t trigger window scrollbar or margin resizing when needed, so if you enlarge the text, you’ll lose the edge of the screen.

The ctrl-l-accessible Open Location box doesn’t use any autocomplete at all.

What’s Related moves from the navigation bar to the sidebar, where it’s tempting to turn off to save screen space.

Built-in search tool turns the sidebar back on if you turned it off. Annoying–don’t throw out your bookmarks to Google and Altavista yet.

No longer any fast, easy way to toggle images on/off.

No longer forces you to install everything under the sun, which is very nice. Good to be able to get just a browser if you want.

Memory usage: disappointing. Used anywhere from 18-28 megs during initial testing. It’d be so nice to nuke the #$%& eye candy and get that memory usage down.

The verdict: I’m pretty happy with how the Gecko rendering engine turned out. But as soon as K-Meleon comes of age, chances are I’ll switch to that because it’s so much leaner and meaner. (Mozilla’s plagued by the same eye candy garbage, and until we all have 2-GHz processors and a gig of RAM and 15K RPM hard drives on our desktops, I’m mostly interested in having something that works fast. That means giving up some inessential whiz-bang stuff.)

And if you missed it… I posted an update late yesterday. It was too important to wait until this morning.

~~~~~~~~~~

From: “bill cavanaugh” <billcav@nospam.yahoo.com>
I just followed the Daynotes link to your site. I couldn’t help but notice:

“Farquhar’s Law. I should have some t-shirts made with this on it. Repeat after me. Cable connections are the last thing most people check. Make them the first thing you check.”

This has been one of (actually, I think the first) Pournelle’s Laws for a couple of decades.

Bill

~~~~~
Aw man, I thought I stole that fair and square from PC/Computing way back when it was still a magazine kind of worth reading.

Well, hopefully there’s some other stuff on the site useful to you that isn’t stolen from someone who stole it from Jerry Pournelle.

~~~~~~~~~~

From: “Curtis Horn” <curtishorn@nospam.home.com>
Subject: Fwd: FIC VA-503+ and K6-III+

I read what Peter said, and you are right, I got the K6-III because my other option is a k6-2, and we all know that on chip cache is better than on board, even at 100Mhz.  And it wasn’t that much more expensive than getting a k6-2.

I haven’t had the chance to upgrade the bios, but I did find it.  The other issue is that the bios chip is soldered on so I have to do it right and back up the old bios.  I’ll have some time this weekend, when I’m going to put the hard drive in.

This may sound weird but ever since I got a job that has me work on computers sometimes I feel less enthusiastic about doing it at home.  Right now I have 3 computers that I have to put NT Images on, and one has to have a second network card (for a bnc connector).  Thanks a lot for the help.

Curtis

~~~~~
By all means take all proper precautions. It’s always a shame to ruin a motherboard because of something as simple as a BIOS upgrade. (I’ve got a dead Abit IT5H under my desk. Great board. I have no idea what I did that killed it, and that’s a shame because I could drop a Cyrix MII in it along with all the 72-pin SIMMs I could scrounge up and a 7200 rpm hard drive and it’d still be a fantastic workaday machine.)

What you say about not wanting to work on PCs after you get home actually makes a lot of sense. I resemble that remark! My main station’s Antec 300W power supply blew over the summer. The PC sat there in pieces for a couple of months because I just didn’t feel like working on it after doing that kind of stuff all day at work. I finally got around to swapping in another power supply a couple of weeks ago. I messed up my Linux firewall around the same time that power supply blew. I didn’t get around to fixing it until this weekend. Writing is relaxing to me because I don’t do it all day. Back when I was paying for college by selling my soul working as a salesman in a consumer electronics store, I found working on PCs relaxing.

I’m glad I could help.


Windows keyboard tricks

Those promised keyboard tricks. To get a Windows key, download the Kernel Toys. The keyboard applet, which works under 95 and 98, allows you to remap the caps lock, control, or alt keys to a Windows key. You can also remap the caps lock key to control or alt if you want. 

To assign My Computer to a hotkey, create a new shortcut with the following command line:
explorer.exe /n,/e,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

Next, click on the shortcut key and hit a key (I suggest “m” or “c”) and that’ll give you instant two-pane access to My Computer any time you hit ctrl-alt and that key.

If you want single-pane access (I don’t think it’s as useful, but hey), use this command line instead:
explorer.exe /n,::{20D04FE0-3AEA-1069-A2D8-08002B30309D}

I finally fixed my firewall. I souped up the firewall a while back, then it never worked again. (I guess that’s the ultimate in security, eh? No one can hack in if you’re offline.) I forgot which ethernet card was outgoing and which was pointing inward, to my LAN. Finally, I tried stopping and restarting PMFirewall, which printed my network configuration. When both NICs were assigned to the address 192.168.0.1, I knew I was in trouble. With that tip-off, fixing it took just a matter of minutes.

Speaking of Linux, a speed tip. If you’re running Red Hat Linux as a NAT/IP masquerade gateway to share an Internet connection, do yourself a favor and install the BIND and caching-nameserver RPMs, then set your first DNS entry on your other PCs to your gateway’s IP address. This will make your proxy server look up DNS addresses for you and store them, reducing network traffic slightly but noticeably. The overhead is minimal; I’ve got Steve DeLassus running IP masquerade and caching nameserver on a 486SX/20 and it’s more than up to the task. For a small home network, a 386SX/16 has enough horsepower as long as it meets your distribution’s minimum memory requirements. I’d be more comfortable with a 50 MHz or faster 486 for a small office, but that’s as much due to expected age and reliability as it is to CPU requirements.

If you’re running a close derivative of Red Hat (Mandrake is certainly close enough, and I believe even Caldera and TurboLinux are as well), go ahead and download Red Hat’s caching-nameserver RPM. It’s just a couple of short text files, but it’s easier to download and install an RPM than it is to key them in.
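Here’s what a caching-only named.conf for such a gateway looks like. This is a constructed example, not the file shipped in Red Hat’s RPM; the 192.168.0.x addresses are assumptions, and the listen-on and allow-query lines are the one thing I’d add to the stock file so the gateway answers the LAN only and doesn’t double as an open resolver on the DSL side:

```conf
// Constructed example of /etc/named.conf for a caching-only nameserver on a
// Linux IP-masquerade gateway. Assumed addresses: the gateway's inside NIC is
// 192.168.0.1 on the 192.168.0.0/24 home LAN.
options {
    directory "/var/named";
    // Answer only on loopback and the LAN interface, never on the external NIC.
    listen-on { 127.0.0.1; 192.168.0.1; };
    // Recursive lookups for the home LAN only. A caching resolver that answers
    // anyone on the Internet side is an open resolver other people can abuse.
    allow-query { 127.0.0.1; 192.168.0.0/24; };
    recursion yes;
};

// Root hints: where named starts when an answer is not already in its cache.
zone "." IN {
    type hint;
    file "named.ca";
};

// Reverse mapping for loopback, so local tools don't send that query upstream.
zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "named.local";
};
```

Point the other PCs at it with `nameserver 192.168.0.1` as the first entry in /etc/resolv.conf (or the first DNS server in Windows’ TCP/IP properties); a second `nslookup` of the same name against the gateway should come back noticeably faster than the first, which is the cache doing its job.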

Scanner troubleshooting secrets

~Mail Follows Today’s Post~

Scanner wisdom. One of the things I did last week was set up a Umax scanner on a new iMac DV. The scanner worked perfectly on a Windows 98 PC, but when I connected it to the Mac it developed all sorts of strange diseases–not warming up properly, only scanning 1/3 of the page before timing out, making really loud noises, crashing the system…

I couldn’t resolve it, so I contacted Umax technical support. The tech I spoke with reminded me of a number of scanner tips I’d heard before but had forgotten, and besides that, I rarely if ever see them in the scanner manuals.

  • Plug scanners directly into the wall, not into a power strip. I’ve never heard a good explanation of why scanners are more sensitive to this than any other peripheral, but I’ve seen it work.
  • Plug USB scanners into a powered hub, or better yet, directly into the computer. USB scanners shouldn’t need power from the USB port, since they have their own power source, but this seems to make a difference.
  • Download the newest drivers, especially if you have a young operating system like MacOS 9, Mac OS X, Windows ME, or Windows 2000. It can take a little while for the scanner drivers to completely stabilize. Don’t install off the CD that came with the scanner, because it might be out of date. Get the newest stuff from the manufacturer’s Web site.
  • Uninstall old drivers before installing the new ones. This was the problem that bit me. The new driver didn’t totally overwrite the old one, creating a conflict that made the scanner go goofy.
  • Buy your scanner from a company that has a track record of providing updated drivers. Yes, that probably means you shouldn’t buy the $15 scanner with the $25 mail-in rebate. Yes, that means don’t buy HP. Up until a couple of years ago, getting NT drivers out of HP was like pulling teeth; now HP is charging for Windows 2000 drivers. HP also likes to abandon and then pick back up Mac support on a whim. Terrible track record.

Umax’s track record is pretty darn good. I’ve downloaded NT drivers for some really ancient Umax scanners after replacing old Macs with NT boxes. I once ran into a weird incompatibility with a seven-year-old Umax scanner–it was a B&W G3 with a wide SCSI controller (why, I don’t know) running Mac OS 8.6. Now that I think about it, I think the incompatibility was with the controller card. The scanner was discontinued years ago (before Mac OS 8 came out), so expecting them to provide a fix was way out of line. That’s the only problem I’ve ever had with a Umax that they didn’t resolve, so when I spec out a scanner at work, Umax is always on my short list.

And here’s something I just found interesting. Maybe I’m the only one. But in reading the mail on Jerry Pournelle’s site, I found this. John Klos, administrator of sixgirls.org, takes Jerry to task for saying a Celeron can’t be a server. He cites his 66 MHz 68060-based Amiga 4000, which apparently acts as a mail and Web server, as proof. Though it’s the most powerful m68k-based machine ever made, its processing power pales next to any Celeron (save the original cacheless Celeron 266 and 300).

I think the point he was trying to make was that Unix plays by different rules. Indeed, when your server OS isn’t joined at the hip to a GUI and a Web browser and whatever else Gates tosses in on a whim, you can do a lot more work with less. His Amiga would make a lousy terminal server, but for serving up static Web pages and e-mail, there’s absolutely nothing wrong with it. Hosting a bunch of Web sites on an Amiga 4000 just because I could sounds very much like something I’d try myself if I had the hardware available or was willing to pay for the hardware necessary.

But I see Jerry Pournelle’s point as well.

It’s probably not the soundest business practice to advertise that you’re running off a several-year-old sub-100 MHz server, because that makes people nervous. Microsoft’s done a pretty admirable job of pounding everything slower than 350 MHz into obsolescence and the public knows this. And Intel and AMD have done a good job of marketing their high-end CPUs, resulting in people tending to lay blame at the CPU’s feet if it’s anything but a recent Pentium III. And, well, if you’re running off a shiny new IBM Netfinity, it’s very easy to get it fixed, or if need be, to replace it with another identical one. I know where to get true-blue Amiga parts and I even know which ones are interchangeable with PCs, but you might well be surprised to hear you can still get parts and that some are interchangeable.

But I’m sure there are far, far more sub-100 MHz machines out there in mission-critical situations functioning just fine than anyone wants to admit. I know we had many at my previous employer, and we have several at my current job, and it doesn’t make me nervous. The biggest difference is that most of them have nameplates like Sun and DEC and Compaq and IBM on them, rather than Commodore. But then again, Commodore’s reputation aside, it’s been years since I’ve seen a computer as well built as my Amiga 2000. (The last was the IBM PS/2 Model 80, which cost five times as much.) If I could get Amiga network cards for a decent price, you’d better believe I’d be running that computer as a firewall/proxy and other duties as assigned. I could probably get five years’ uninterrupted service from old Amy. Then I’d just replace her memory and get another ten.

The thing that makes me most nervous about John Klos’ situation is the business model’s dependence on him. I have faith in his A4000. I have faith in his ability to fix it if things do go wrong (anyone running NetBSD on an Amiga knows his machine better than the onsite techs who fix NetFinity servers know theirs). But there’s such a thing as too much importance. I don’t let Apple certified techs come onsite to fix our Macs anymore at work, because I got tired of them breaking other things while they did warranty work and having to fix three things after they left. I know their machines better than they do. That makes me irreplaceable. A little job security is good. Too much job security is bad, very bad. I’ll be doing the same thing next year and the year after that. It’s good to be able to say, “Call somebody else.” But that’s his problem, not his company’s or his customers’.

~~~~~~~~~~

From: rock4uandme
To: dfarq@swbell.net
Sent: Wednesday, October 25, 2000 1:22 PM
Subject: I’m having trouble with my Canon BJC-210 printer…

I’m having trouble with my Canon BJC-210 printer. It’s printing everything all red. Can you help???
 
 
thank you!!    john c
 
~~~~~~~~~

Printers aren’t my specialty and I don’t think I’ve ever seen a Canon BJC210, but if your printer has replaceable printheads (some printers make the printhead part of the ink cartridge while others make them a separate component), try replacing them. That was the problem with the only Canon printer I’ve ever fixed.
 
You might try another color ink cartridge too; sometimes those go bad even if they still have ink in them.
 
If that fails, Canon does have a tech support page for that printer. I gave it a quick look and it’s a bit sketchy, but maybe it’ll help. If nothing else, there’s an e-mail address for questions. The page is at http://209.85.7.18/techsupport.php3?p=bjc210 (to save you from navigating the entire www.ccsi.canon.com page).
 

I hope that helps.

Dave
 
~~~~~~~~~~
 

From: Bruce Edwards
Subject: Crazy Win98 Networking Computer Problem

Dear Dave:

I am having a crazy computer problem which I am hoping you or your readers may be able to give me a clue to. I do have this posted on my daily journal, but since I get very little traffic, I thought your readership or yourself may be able to help. Here’s the problem:

My wife’s computer suddenly and inexplicably became very slow when accessing web sites and usually when accessing her e-mail. We access the internet normally through the LAN I installed at home. This goes to a Wingate machine which is connected to the aDSL line allowing shared access to the internet.

My computer still sends and receives e-mail and accesses the web at full speed. Alice’s computer now appears to access the web text at about the speed of a 9600 baud modem with graphics coming down even more slowly if at all. Also, her e-mail (Outlook Express) usually times out when going through the LAN to the Wingate machine and then out over the internet. The LAN is working since she is making a connection out that way.

File transfer via the LAN between my PC and hers goes at full speed. Something is causing her internet access to slow to a crawl while mine is unaffected. Also, it appears to be only part of her internet access. I can telnet out from her computer and connect to external servers very fast, as fast as always. I know telnet is just simple text, but the connection to the server is very rapid too while connecting to a server via an http browser is much much slower and then, once connected, the data flows so slow it’s crazy.

Also, dial-up and connect to the internet via AOL and then use her mail client and (external to AOL) browser works fine and is as speedy as you would expect for a 56K modem. What gives?

I tried reinstalling windows over the existing set-up (did not do anything) and finally started over from “bare metal” as some like to say. Reformat the C drive. Reinstall Windows 98, reinstall all the drivers, apps, tweak the configuration, get it all working correctly. Guess what? Same slow speed via the aDSL LAN connection even though my computer zips out via the same connection. Any suggestions?

Sincerely,

Bruce W. Edwards
e-mail:  bruce@BruceEdwards.com
Check www.BruceEdwards.com/journal  for my daily journal.

Bruce  🙂
Bruce W. Edwards
Sr. I.S. Auditor  
~~~~~~~~~~

From: Dave Farquhar [mailto:dfarq@swbell.net]
Sent: Monday, October 23, 2000 6:16 PM
To: Edwards, Bruce
Cc: Diana Farquhar
Subject: Re: Crazy Win98 Networking Computer Problem

Hi Bruce,
 
The best thing I can think of is your MTU setting–have you run any of those MTU optimization programs? Those can have precisely the effect you describe at times. Try setting your MTU back to 1500 and see what that does. While I wholeheartedly recommend them for dialup connections, MTU tweaking and any sort of LAN definitely don’t mix–to the point that I almost regret even mentioning the things in Optimizing Windows.
 
Short of that, I’d suggest ripping out all of your networking protocols and adapters from the Network control panel and add back in TCP/IP and only the other things you absolutely need. This’ll keep Windows from getting confused and trying to use the wrong transport, and eliminate the corrupted TCP/IP possibility. These are remote, but possible. Though your reinstall should have eliminated that possibility…
 
If it’s neither of those things, I’d start to suspect hardware. Make sure you don’t have an interrupt conflict (rare these days, but I just saw one a couple weeks ago so I don’t rule them out). Also try swapping in a different cable or NIC in your wife’s machine. Cables of course go bad more frequently than NICs, though I’ve had horrible luck with cheap NICs. At this point I won’t buy any ethernet NIC other than a Bay Netgear, 3Com or Intel.
 
I hope that helps. Let me know how it goes for you.

Dave 
~~~~~~~~~~
From: Bruce Edwards

Hi Dave:
 
Thank you for posting on your web site. I thought you would like an update.
 
I verified the MTU setting was still at 1500 (it was).  I have not used one of the optimizing programs on this PC.
 
I removed all the adapters from the PC via the control panel.  Rebooted and only added back TCP/IP on the Ethernet card. 
 
I double checked the interrupts in the control panel, there do not appear to be any conflicts and all devices report proper function.
 
I still need to 100% verify the wiring/hubs.  I think they are O.K. since that PC, using the same adapter, is able to file share with other PCs on the network.  That also implies that the adapter is O.K.
 
I will plug my PC into the same hub and port as my wife’s using the same cable to verify that the network infrastructure is O.K.
 
Then, I’ll remove the adapter and try a different one.
 
Hopefully one of these things will work.
 
Cheers,
 
Bruce
~~~~~~~~~~

This is a longshot, but… I’m wondering if maybe your DNS settings are off, or if your browser might be set to use a proxy server that doesn’t exist. That’s the only other thing I can think of that can cause sporadic slow access, unless the problem is your Web browser itself. Whichever browser you’re using, have you by any chance tried installing and testing the other one to see if it has the same problems?
 
In my experience, IE 5.5 isn’t exactly the greatest of performers, or when it does perform well, it seems to be by monopolizing CPU time. I’ve gotten much better results with IE 5.0. As for Netscape, I do wish they’d get it right again someday…
 
Thanks for the update. Hopefully we can find an answer.

Dave 
~~~~~~~~~~ 

Fixing stuff, computer and recording-related

A productive weekend. I’m writing this well in advance because I fully expect to have no time available the next couple of days. So I’ll talk about my weekend.
Rebuilding a 486SX/20. The power supply in Steve DeLassus’ old Leading Technology 486 that’s been serving as his Linux firewall/gateway/DNS cache for the better part of a year died last week. Unfortunately, he had one of the last of the true-blue AT clones–you oldtimers know what I’m talking about. You know, the power supplies with the lever switch on the side, rather than that cheap modern pushbutton? Well, good luck finding one of those power supplies these days. Pushbutton AT boxes are easier to find than dirt, but getting one of those to work in that case would have been a serious gerry-rig. So we picked up a new AT case/ps combo to transfer the contents into. All told, it took me a couple of hours to get the guts transferred to the new case and to get the system back up and running (it takes 5-7 minutes, literally, to boot–once it’s running it’s fine, but we’re talking a seriously underpowered computer here).

Fixing an Alesis ADAT. Say what? An ADAT is an 8-track digital tape recorder that records on SVHS tape. I’ve had one for a couple of years for odd recording projects, but when I took it to church Thursday and set it up, it made as much noise as John’s synthesizer (and it wasn’t nearly as pleasant a sound). It flashed a few error codes and ate the tape. Swell. ADATs are notoriously temperamental and unreliable. Unfortunately for me, it’s next to impossible to find anyplace to service them–the places I could find needed a week and a half to three weeks before they could even look at it. But I needed it Monday. Last time something like that happened, a computer was involved, and that was when I learned how to fix my own computers. So guess what I did? I learned how to fix ADATs.

An ADAT looks like a big VCR, and there’s lots of open space, so when I showed it to a former VCR tech I work with, he pointed out every potential trouble spot very easily after we popped the cover. So I went off to Gateway Electronics for some rubber restorer, tape head cleaner, and foam swabs. On the way back I drove past a music store with an Alesis sign in the front window. So I stopped in, because it’s best to calibrate an ADAT against an ST-126 cassette, and all I have are ST-120s. So I paid way too much for an ST-126, but they were kind enough to format it for me. So I spent a couple of hours Saturday afternoon ripping open the ADAT and cleaning it. I let it dry for a few hours, came home, popped in the fresh ST-126, and the ADAT didn’t complain. Good. I went ahead and cleared its internal memory and calibrated it against the new tape just to be on the safe side, and successfully recorded with it.

Fortunately for me, the ‘net is full of ADAT care and maintenance tips. It turned out my buddies and I did just about every possible wrong thing you could to the poor thing (letting it sit idle for months; leaving tapes in with the power off, running it without a UPS or power conditioner, using cheap tapes rather than high-grade ones, and in the case of one of us — not me — smoking around it). It’s now in my sole possession, so I expect it’ll do a whole lot better now. Normally they first need service after about 250 hours of use. This one has 45 on it and has needed service twice. I don’t intend to let it happen again.

Speaking of the electronics store… As I was digging around for solvents and swabs and chuckling over some of the other obscure gear in the place (there’s stuff there that was there when I first visited the store 10 years ago–scout’s honor), I couldn’t help but notice another customer. For one, she was young and female. Standard clientele at this place is mid-40s male. I’m out of place there. For two, she was gorgeous. For three, she kept walking up to the front counter with a handful of resistors, verifying their specs with the guy there. I can count on one hand the number of people I know who’ve ever built anything from discrete components, myself included. So I was mulling over what to say to her (of course) when her boyfriend walked up. Drat.

My songwriting debut. I couldn’t find my keys or my wallet this morning, so I didn’t make early church. It was just as well because I had this song running around in my head that needed to escape to paper. I’ve written exactly one listenable song that isn’t about something that’s either depressing or enraging (and that was a song about someone who has no self-esteem but should). For the video we’re producing, we need to have some backing music (which was why I was messing with the ADAT). And something tells me pastor would be less than happy if we used Love Songs Bite.

So we’ve got a talented musician who knows how to write music but not lyrics. And we’ve got a wannabe goth/punk songwriter who’s never written a happy song in his life tasked with writing the lyrics. The day before we needed them, they hit me. I don’t think they’re all that great, but they fit our need and John liked them, and the thought did occur to me that they do say more than a lot of the songs we sing do, and if John can work a good pop hook or two in there and we can get the rhythm section to drive it, it just might fly.

I probably should bring a Cars CD tomorrow for John to listen to, since of all the bands I know they probably most closely resemble our setup. Their sound was defined by guitarist Elliot Easton and keyboardist Greg Hawkes — and our two best musicians happen to be on those two instruments as well. Their other hallmark was the harmonies Easton, Hawkes, and Ben Orr did in the background. We’ve got people who can do that too. Or we can just get the choir up there. And I’m at least as disturbed as singer/songwriter Ric Ocasek was, but I’ll keep my neurotic lyrics to myself. And I’ll let someone else sing. We’ll skip that part of the formula.

Whew. That’s a lot of stuff. After all that, I should take the rest of the week off — but I know I won’t.

Trustworthy consulting

Friday, 6/16/00
NT security consulting. I think there’s a special place in hell for recruiters, slimebags that they are, but I’m starting to wonder if that place isn’t next door to the special place for consultants. I took a consulting gig that basically amounts to setting up an NT domain correctly–how many times does one have to say don’t put a server on DHCP, just give it an IP address? It’ll probably also involve building a Linux box to serve as a firewall, since this is a school that suspects its students have been tapping into the office network from the lab and nuking (or possibly changing) files. Kids today, I’ll tell ya…

Putting the two networks on separate NT domains and TCP/IP subnets should make that difficult, but with a Linux box that doesn’t speak SMB sitting between the two networks, it should be impossible. It’s also tempting to just unbind TCP/IP from the MS client and use NetBEUI as the networking protocol in the office for added security. That way, even if someone did manage to get into the Linux box, they still wouldn’t be able to do anything useful.

Come to think of it, with TCP/IP unbound from the MS client, do they even need a firewall? Maybe those extraneous protocols that shipped with Windows are useful for something after all… NetBEUI’s awfully chatty, too chatty for large networks, but this is a small network.
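Here’s what “a Linux box that doesn’t speak SMB sitting between the two networks” amounts to in rules. This is an added example of my own, not from the school’s setup or from PMFirewall; it uses ipchains, the 2.2-kernel firewall tool, and the two subnet addresses are assumptions. By default it only prints the rules it would load, so you can eyeball them before running it for real on the gateway.

```shell
#!/bin/sh
# Constructed example: ipchains rules for a 2.2-kernel Linux gateway that routes
# between a student lab subnet and an office subnet but refuses to forward the
# NetBIOS/SMB ports between them. Subnet addresses below are assumptions.
LAB_NET="192.168.2.0/24"     # assumed lab subnet
OFFICE_NET="192.168.1.0/24"  # assumed office subnet

# FW defaults to a dry run that prints each rule instead of loading it.
# Run as root on the gateway with FW=/sbin/ipchains to apply them for real.
FW="${FW:-echo ipchains}"

# Refuse to forward NetBIOS name/datagram/session traffic (137-139) and
# direct-hosted SMB (TCP 445, Windows 2000) from $1 to $2. The -l flag logs
# each denied packet to syslog, so lab-to-office probing leaves a trail in
# /var/log/messages instead of just silently failing.
block_smb_between() {
    src="$1"; dst="$2"
    $FW -A forward -p tcp -s "$src" -d "$dst" 137:139 -j DENY -l
    $FW -A forward -p udp -s "$src" -d "$dst" 137:139 -j DENY -l
    $FW -A forward -p tcp -s "$src" -d "$dst" 445 -j DENY -l
}

# Block both directions. ipchains walks the forward chain in order, so these
# DENY rules must be loaded before any ACCEPT or MASQ rule on that chain;
# in an rc.firewall they belong near the top, not tacked on at the end.
block_smb_between "$LAB_NET" "$OFFICE_NET"
block_smb_between "$OFFICE_NET" "$LAB_NET"
```

Run it once with no FW set to see the six rules printed; `ipchains -L forward -n` afterward (as root, with FW=/sbin/ipchains) should show them at the top of the chain, above whatever PMFirewall loaded.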

I speak harshly of consultants because my predecessor documented absolutely nothing that he did. I mean, I understand the temptation to make a client dependent on you, but if you do a good job and then hand over total documentation of their network, why on earth would any sane client go to another consultant afterward? Methinks they’d trust you to the death.

Then again, maybe I still have a naive, idealistic view of human nature…

Look out, George Brett… Can’t resist. The company picnic was today, and I played softball. Led off and played catcher (yes, I was the odd catcher batting leadoff, and the odd leadoff batter who can’t run). I went 1-for-2. Thought I stroked a single to right my first at-bat, but it curved foul, and I fanned on the next pitch. Next at-bat, with a runner on and two out, I stroked a single to right. The runner advanced to third on the play; I was thrown out trying to take second on a close play.

I thought swinging the bat would be a good test on my wrists, and it was. They held up. Hitting everything to right field indicates low bat speed, but that’s to be expected I think. I was a bit surprised I could swing the bat at all, let alone do anything productive with it. Now if I’d only stayed at first, because the batter after me led off the next inning with a long homer to center, which would have been a three-run shot if I’d been more conservative.

An easy firewall for Linux

Saturday, 4/29/00
PMFirewall. I recommended this firewall-builder for Linux a couple of weeks ago (from www.pointman.org). InfoWorld’s resident Linux guru, Nick Petreley, gives it his seal of approval this week here.

As for making it a standard part of distributions, I e-mailed Jacques Le Marois, president of Mandrakesoft, inquiring just about that possibility. (As an aside, wanna know one reason why I like Linux? Le Marois answers my mail! And sometimes he mails me! Meanwhile, I know neither Gates nor Ballmer give a rat’s behind about anything I think or say.) Le Marois had a team look into it, but informed me that it could be tough to integrate. I’m wondering if maybe it shouldn’t be integrated into the control panel, rather than as part of the setup process (it’s specialized, after all). Hmm. Maybe it’s time to mail him again…

[E-mail him I did. And I have no idea if my lobbying had anything to do with this or not, but Control Panel-based firewalling soon became a standard feature in Mandrake and other Linux distributions. –DF, 5/23/02]