Big trouble

Getting in trouble. At work, we use a content-filtering application called Websense to keep people from visiting sports sites and porn sites and checking their stocks at work. Prior to its installation, one of the most commonly visited sites in our firewall logs was ESPN.com. Well, I set off Websense this afternoon:

Status: The Websense category "Sports" is filtered.

URL: http://www.symantec.com/sabu/ghost/compatible_drives.html

As you can pretty clearly see from the URL, I was wanting to see if the CD-R drive we have is compatible with Ghost 7.5. Websense didn’t see it that way.

I printed that message out and hung it on my cubicle wall. That’s what we do with bizarre and amusing Websense messages.

So I just had to do a little research. It would appear that Sabu is the name of a professional wrestler. I learn something new every day. But that raises the debate of whether professional wrestling is a sport. Websense and I disagree once again.

Hey, I never said I learn something useful every day…

And that leads me straight into this:

How I once almost accidentally stole a piano from some Mormons. It was my junior year of college, and I was living next door to the Lutheran church just off campus. I was walking out to my car, which was parked on the church parking lot, when a guy walked up to me.

“Can you get me into that church?” he asked, pointing over his shoulder with his thumb.

“Why do you need in the church?” I asked.

“I’m here to deliver a piano,” he said.

I had no idea what the church would want with a new piano, but seeing as I hadn’t set foot in the place all year, what did I know? I had a key for emergencies, and this seemed like one. “Hang on,” I said. “I’ll run in and get a key.”

So I came back out with a key, unlocked the door, and the guy wheeled the piano off his truck. “Any idea where they want this?” he asked as he wheeled it through the door.

Seeing as I didn’t even know they were getting a piano, I definitely didn’t know where they wanted it.

“We’ll just leave it here in the Narthex,” I said. “That way Pastor will see it first thing when he walks in, and he can move it where he wants it.” (That’d teach him for not being there when a piano was due to be delivered.)

“This is 305 S. College Avenue, isn’t it?”

I paused. I didn’t know the church’s address off the top of my head, but seeing as I lived next door at 206 S. College Ave., I knew the church’s address wasn’t an odd number. So I told him that.

“Where else is there a church on College Avenue?” he asked me.

There was none. I racked my brain for a minute. “Let me step outside and see what the building number is.” This was Columbia, after all. Maybe they did put even- and odd-numbered buildings on the same side of the street, for all I knew. They do everything else screwy in that town. Then a thought hit me out of the blue. “I wonder what the address of that Mormon thing across the street is?”

So I peered across the street at our squarish, utilitarian-styled neighbor. “Institute of Religion. Church of Jesus Christ of Latter-Day Saints,” the sign read. Then I looked for a building number. Indeed, it was the address the piano delivery guy was looking for.

He thanked me and wheeled the piano out the door and back into his truck.

I locked the door back up, then went back inside to put the key away. “Have I ever got a story for you,” I said to the first guy I spotted.

Optimizing a Linux box in-place

Here’s the Linux bit I promised yesterday. I wrote it much earlier, so I might as well throw it out there.
Our test firewall at work is an old Pentium-200 running Red Hat Linux and a commercial firewall app. (No, I won’t disclose which one. Security, you know.) It’s a bit slow. A P200 is severe overkill for the firewall built into the Linux kernel (Steve DeLassus and I made a firewall out of the first PC he ever bought, a 486SX/20 of 1992 vintage, which, save the loss of the original power supply in an electrical storm, has never required any service), but this commercial package does a lot more than the simple firewalls built into Unixish kernels do.

It had 72 megs of RAM in it and swapped mercilessly. Its speed seemed to be OK once it was booted, but seeing as this is a testbed, it tends to get rebooted an awful lot. I needed to do something for it.

So I trekked into the PC graveyard to see what I could dig up. I found a Compaq 386DX/20. I left that alone. That’ll be useful if I ever need to pillage a pair of Compaq drive rails, which has happened before. Unfortunately those rails are worth more than the rest of the computer. I also spotted a Mac SE. That’ll be handy if I ever need a doorstop. Then I found a Pentium-75 and another Pentium of unknown speed. I opened them up. The 75 had a pair of 16-meg sticks. I opened up the unknown Pentium and looked inside. Ugh. Socket 4. That meant it was a Pentium-60, or, at best, a Pentium-66. It had a pair of 8-meg sticks.

I pulled the memory sticks out of the 75. The 60 didn’t have anything usable in it, save a pair of hard drives, both 540 megs, one a Quantum and the other a Seagate. I took the Seagate because it was easier to unbolt. I don’t have any way of knowing at this late date which of those drives was the better performer, and it probably doesn’t make much difference anymore.

The idea was to add some memory, and put in a second hard drive dedicated to virtual memory. Since the likelihood of the machine needing to read data from a drive and simultaneously hit virtual memory was fairly high, I wanted the virtual memory on its own drive. Furthermore, Linux’s partition-read mechanism isn’t terribly efficient. This doesn’t matter for SCSI drives, which re-order I/O events, but for IDE drives it matters a lot. So getting the swap partition onto a dedicated drive was likely to improve performance a fair bit. (If this were a production system, it would probably have a SCSI drive in it.)

So I swapped in the 16s for the 4s and found an empty bay to hold the 540, which I put on the second IDE channel as master (another performance trick), and booted Linux. The next trick is to use your favorite disk partitioning tool (I like cfdisk, but I can navigate plain old fdisk) to blow away whatever partition is on the new drive (this one was /dev/hdc) and create a single partition. I just made it the size of the drive, since 2.4 can deal with large swap partitions and Linux is smart enough to use whatever virtual memory it needs, not just automatically use all it has available. Then I set it to type 82. Linux can do swapfiles, but a filesystemless dedicated swap partition gives better performance.

Next, I edited /etc/fstab. I found an entry for the swap partition pointing at /dev/hda2. I changed that to /dev/hdc1. That means I now have a small swap partition just sitting on the first drive unused, but that’s not a big deal to me. The system’s not using the disk space it has. While I was there, I noticed the CD-ROM drive was pointing at /dev/cdrom. I asked Charlie, our Unix/Linux guru, if Red Hat had some intelligence I didn’t know about. He said /dev/cdrom was just a symlink. I changed the entry to read /dev/hdd, which is where the CD-ROM drive ended up after my shuffle. Better to just code things directly than try to track symlinks, in my estimation.

Next, I issued the command mkswap /dev/hdc1 to initialize the swap partition. Then I rebooted and listened.

Indeed, during boot, the second drive was getting activity. I logged in and ran top, then hit shift-M to have a look at memory usage. The firewalling software was eating up a lot. But swap usage was down.

I decided to try cutting memory usage down a little more. I loaded /etc/inittab into vi. Red Hat by default gives you six virtual consoles. This machine has little need for more than two. Pulling the extras saves you a couple of megs. Near the end of the file you’ll see several lines that look something like this:

1:2345:respawn:/sbin/mingetty 38400 tty1

I commented out the last four of those. Hit the i key to put vi in insert mode, scroll down to those lines, add a # to the beginning of them, then hit ESC, then hit ZZ (shift-Z twice) to rapidly save the file, no questions asked. (I know, vi ain’t friendly, but it’s there.)

Then I had a look at /etc/rc3.d to see what daemons were running. I found apmd, sendmail, and gpm running. That was a waste of a couple megs, not to mention a possible security risk. I vaguely remember all three of them having had security issues in the past, and sendmail is one of those programs that should never be running unless you need it. Yes, this machine’s just practice, but Hall of Fame catcher Johnny Bench found that if he got sloppy and just let wild pitches go while he was warming up pitchers, he wasn’t as sharp at blocking potential wild pitches during the game when it counted. So he worked just as hard during practice as he did during the game. Now he’s considered the greatest catcher of all time.

So I applied the Johnny Bench principle and disabled them with the following command sequence:

mv /etc/rc3.d/S26apmd /etc/rc3.d/K26apmd
mv /etc/rc3.d/S80sendmail /etc/rc3.d/K80sendmail
mv /etc/rc3.d/S85gpm /etc/rc3.d/K85gpm

I rebooted to find memory usage down by about 4 megs and the system booted a little faster. It was also more secure.
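The getty trimming and the S-to-K renaming above, as a shell script you can rehearse on copies before touching /etc (an added example, not from the original post). The inittab path, the rc directory, the number of consoles to keep and the service names are all passed in as arguments, so nothing here is hardwired to the post's machine.

```shell
#!/bin/sh
# Added example (not from the original post): scripted versions of two
# hardening steps described above on a SysV-style Red Hat box.
#   disable_rc_service RCDIR NAME  -> renames S??NAME to K??NAME in RCDIR
#   trim_gettys INITTAB KEEP       -> comments out mingetty lines beyond ttyKEEP
# Paths are arguments (assumption, so the steps can be tried on a copy first).

# Rename every S<nn><name> link in RCDIR to K<nn><name>, keeping the number
# so the stop order is preserved. Fails if no such service link exists.
disable_rc_service() {
    rcdir=$1; name=$2
    found=0
    for link in "$rcdir"/S[0-9][0-9]"$name"; do
        [ -e "$link" ] || continue          # the glob matched nothing
        found=1
        base=$(basename "$link")
        mv "$link" "$rcdir/K${base#S}"      # S80sendmail -> K80sendmail
    done
    [ "$found" -eq 1 ]
}

# Comment out "N:...:respawn:/sbin/mingetty ... ttyN" entries with N > KEEP,
# leaving everything else in the inittab untouched.
trim_gettys() {
    inittab=$1; keep=$2
    awk -v keep="$keep" '
        /^[0-9]+:[0-9]*:respawn:\/sbin\/mingetty/ {
            split($0, f, ":")
            if (f[1]+0 > keep) { print "#" $0; next }
        }
        { print }
    ' "$inittab" > "$inittab.tmp" && mv "$inittab.tmp" "$inittab"
}

# How many virtual consoles are still active after trimming.
count_active_gettys() {
    grep -c '^[0-9]*:[0-9]*:respawn:/sbin/mingetty' "$1"
}
```

On Red Hat the same S/K link management is also what chkconfig does; the renames above are the manual equivalent the post used.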

Total downtime: About 45 minutes.

That was time well spent. I may end up having to just bite the bullet and get some memory, but the system will perform better with these changes no matter how much memory is in it. And, more importantly, performing this exercise made me notice something I hadn’t noticed before. It let me tighten up security.

Had I blindly just ordered some memory to put in the system, or a new PC, like some people unfortunately advocate, I wouldn’t have necessarily noticed that as quickly.


Speaking of Linux, I did finally get Apache, PHP, and MySQL all talking together on my church’s 486. I used phpWeblog, which is an awfully nice package. Pages load in an acceptable two seconds. I notice the machine is paging, so a little more memory will probably help that. It’s amazing that people are throwing away Pentium-class machines when even a 486 has enough power to be a decent intranet server.

Not everyone’s so fortunate as you and me. Give ’em to someone who can use them if you don’t want them.

All in no particular order…

U2. I couldn’t help but notice during U2’s halftime performance yesterday how much Bono has aged. Now, granted, he’s 42 or 43 now, so he’s not going to look 22 anymore, but last night he didn’t look 42 to me. His voice didn’t seem terribly strong either, but that’s something he’s battled for more than 20 years. During their famous Sarajevo gig in 1997, Edge had to sing a few numbers (including Sunday Bloody Sunday) because Bono had lost his voice.
Above all else, it was a show. The band showed up on stage, sans Bono. He was walking through the crowd. They played one obvious song (Beautiful Day), then in a flash of showmanship, projected the names of 9/11 victims as they played an obscure song off The Unforgettable Fire, the haunting MLK (one of two tributes to Martin Luther King Jr. on that album) before segueing into Where the Streets Have No Name, with a few improvised lyrics (including a chorus from All You Need is Love, a nod to Paul McCartney).

Very typical U2. U2 fans undoubtedly loved it or at least enjoyed it; not-so-big fans probably weren’t so impressed (they sounded worse than, for instance, Mariah Carey, but a musician I work with is convinced she was lip-syncing) and U2 haters probably found something else to hate. I was impressed that they didn’t sell out by playing three songs off their current album. They played a hit from a year ago, then they played an obscure song, then they played a minor hit from 15 years ago, but it wasn’t one of the two huge hits off that album.

Heartbreak. That was what the game itself was. The Rams didn’t show up to play for the first three quarters. I have to wonder how badly Warner was hurting, because he definitely didn’t look 100% (and if I can notice a difference, there definitely is one). I have to wonder what if he hadn’t taken those hits late in the game three weeks ago against Green Bay…?

Security. I see from this story that Linux is less secure than Windows, based on counting reports at SecurityFocus.

SecurityFocus reported a total of 96 Linux vulnerabilities, versus 42 Windows NT/2000 vulnerabilities (24 for Windows 2000 and 18 for NT4.0). Buried deeper in the article, you see that Mandrake Linux 7.2 notched up 33 vulnerabilities, Red Hat 7.0 suffered 28, Mandrake 7.1 had 27 and Debian 2.2 had 26.

So, first things first, James Middleton seems to think 2=4.

Now, math aside, those 26 Debian vulnerabilities were in all likelihood present in all the other distributions. So there’s a lot of triple- or even quadruple-counting here.

I remember a good number of those Linux vulnerabilities. Some of them were buffer overflows in utilities that would be difficult or impossible to exploit without shell access to the machine. Some of them were in daemons (services) that may or may not be running at any given time. Very few were in the kernel itself. Bottom line is, a typical Linux-based Web server sitting behind a firewall with only port 80 exposed probably didn’t have anything to worry about. The same goes for a typical Linux-based Samba server.

This isn’t like Windows, where you get the components Microsoft deems necessary, whether you want them or not, and you fear removing or disabling them because you don’t know what else will break and have no way of knowing. With Mandrake, you’ll get some services you don’t want, but you can disable them without breaking stuff. Red Hat has reformed and installs surprisingly little in its minimum installation these days. Debian installs even less.

So, the dirty little secret this article didn’t tell you: Not all the security problems affected any given Linux server. Chances are most of the security flaws affected any given Windows server.

I hate it when technology journalists blindly spit out numbers without having a clue what they mean.

I may publish again. I was mad enough to fire off a proposal to one of my former editors to see if he’d be interested in a few magazine articles. It’s time there was some stuff out there written by someone who has a clue what he’s talking about.

Useful link. For once I saw a banner ad that halfway interested me today. At LowerMyBills.com you can compare different utilities services available to you. Long-distance rates include both the interstate and intrastate rate (important if you’re like me and rarely call out-of-state). Alas, they don’t list local phone service providers, and their high-speed Internet listings aren’t complete, but it’s better than nothing. They also do listings for loans and debt relief, neither of which I need right now.

If the site’s useful to you, you’ll know.

Ho-hum.

Another day, another Outlook worm. Tell me again why I continue to use Outlook? Not that I ever open unexpected attachments. For that matter, I rarely open expected ones–I think it’s rude. Ever heard of cut and paste? It’s bad enough that I have to keep one resource hog open to read e-mail, so why are you going to make me load another resource hog, like Word or Excel, to read a message where the formatting doesn’t matter?
The last couple of times I received Word attachments that were important, I converted them to PDFs for grins. Would you believe the PDFs were considerably smaller? I was shocked too. Chances are there was a whole lot of revisioning data left in those documents–and it probably included speculative stuff that underlings like me shouldn’t see. Hmm. I guess that’s another selling point for that PDF-printer we whipped up as a proof of concept a couple of weeks ago, isn’t it? I’d better see if I can get that working again. I never did get it printing from the Mac, but seeing as all the decision-makers who’d be using it for security purposes use PCs, that’s no problem.

I spent the day learning a commercial firewall program. (Nope, sorry, won’t tell you which one.) My testbed for this thing will be an old Gateway 2000 box whose factory motherboard was replaced by an Asus SP97 at some point in the past. It’s got 72 megs of RAM. I put in an Intel Etherexpress Pro NIC today. I have another Etherexpress Pro card here that I’m bringing in, so I’ll have dual EEPros in the machine. The firewall has to run under Red Hat, so I started downloading Red Hat 7.2. I learned a neat trick.

First, an old trick. Never download with a web browser. Use the command-line app wget instead. It’s faster. The syntax is really simple: wget url. Example: wget http://www.linuxiso.org/download/rh7.2-i386-disc1.iso

Second trick: Download your ISOs off linuxiso.org. It uses some kind of round-robin approach to try to give you the least busy of several mirrors. It doesn’t always work so well on the first try. The mirror it sent me to first was giving me throughput rates that topped out at 200KB/sec., but frequently dropped as low as 3KB/sec. Usually they stayed in the 15MB/sec range. I cancelled the transfer (ctrl-c) and tried again. I got a mirror that didn’t fluctuate as wildly, but it rarely went above the 20MB/sec. range. I cancelled the transfer again and got a mirror that rarely dropped below 50MB/sec and occasionally spiked as high as 120MB/sec. Much better.

Third trick (the one I learned today): Use wget’s -c option. That allows wget to resume transfers. Yep, you can get the most important functionality of a download manager in a 147K binary. It doesn’t spy on you either. That allowed me to switch mirrors several times without wasting the little bit I’d managed to pull off the slow sites.

Fourth trick: Verify your ISOs after you download them. LinuxISO provides MD5 sums for its wares. Just run md5sum enigma-i386-disc1.iso to get a long 32-character checksum for what you just downloaded. If it doesn’t match the checksum on the site, don’t bother burning it. It might work, but you don’t want some key archive file (like, say, the kernel) to come up corrupt. Even though CD-Rs are dirt cheap these days and high-speed burners make quick work of them, there’s still no point in unnecessarily wasting 99 cents and five minutes on the disc and half an hour on a questionable install.
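The fourth trick as a script that refuses to pass a download it cannot vouch for (an added example, not from the post or from LinuxISO): it looks the ISO up in a checksum list and returns a distinct status for a mismatch and for a missing entry. Note that a sum fetched from the same site as the ISO proves only that the download arrived intact, not that the site's copy is genuine. It assumes the list is in md5sum's own "HASH  filename" format; the file names in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded ISO against
# a published MD5 list before burning it.
# Assumes the list is in md5sum's "HASH  filename" (or "HASH *filename") format.
# Exit codes from verify_iso: 0 match, 1 mismatch, 2 no entry for the file.

# Print the MD5 of a file as lower-case hex and nothing else.
file_md5() {
    md5sum "$1" | awk '{print tolower($1)}'
}

# Print the listed hash for FILE's basename from LIST (prints nothing if absent).
expected_md5() {
    list=$1; name=$(basename "$2")
    awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f)          # strip the binary-mode marker
          if (f == n) { print tolower($1); exit } }
    ' "$list"
}

# Compare the file on disk with its listed hash; say clearly what went wrong.
verify_iso() {
    list=$1; iso=$2
    want=$(expected_md5 "$list" "$iso")
    if [ -z "$want" ]; then
        echo "no checksum listed for $(basename "$iso"); refusing to trust it" >&2
        return 2
    fi
    got=$(file_md5 "$iso")
    if [ "$got" != "$want" ]; then
        echo "MISMATCH: $iso got $got, list says $want; do not burn it" >&2
        return 1
    fi
    echo "OK: $(basename "$iso") matches $want"
    return 0
}
```

`md5sum -c LIST` does the same comparison in one command; the explicit version above makes the two failure cases visible.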

As for downloading the file in separate pieces like Go!Zilla does, there’s a command-line Linux program called mget that does it, but it doesn’t follow redirection and it doesn’t do FTP except through a proxy server, so I have a hard time recommending it as a general-purpose tool. When it works, it seems to work just fine. You might try mget, but chances are decent you’ll end up falling back on wget.

Why I run Debian, and some Debian tricks

After Dan Bowman pointed out another blogger’s recent difficulties installing Evolution on Mandrake 8.1, I had little comment other than, “That wouldn’t be an issue if you’re running Debian.” Well, I think I said a few other things because I tend to be wordy, but that was the only important thing I had to say. Debian is one of the more difficult Linux distributions to install (you have to know what hardware is in your machine–it doesn’t nicely autodetect everything like Mandrake), but it’s far and away the easiest distribution to maintain. We’ll get back to that in a minute.

Released versions of Debian tend to be ultra-conservative. The current version, Debian 2.2r5, still uses the 2.2.19 kernel, for one thing (and that’s a fairly recent change). The current 2.2 kernel is either 2.2.39 or 2.2.40. All packages (at least all the ones anyone uses anymore) are constantly checked and maintained and patched. In theory, the current stable Debian release ought to be the most bullet-proof Linux available.

Besides Debian Stable, there’s also Debian Testing and Debian Unstable. Debian Unstable is pretty cutting-edge, but I’ve had no problems running it. I just keep up with the current patches and the system runs fine. I know people who run production servers on Testing and Unstable and get away with it.

If you want the latest and greatest stuff, after you install Debian, edit the file /etc/apt/sources.list and uncomment the ftp and http lines. Next, copy and paste those lines, then edit the “stable” to read “unstable.” (Or if you’re more conservative, edit it to read “testing.”) Be aware that occasionally you’ll run into problems running packages from unstable under stable. I ran Evolution, Galeon, Dillo, Sylpheed, and a multitude of other packages from unstable just fine, but when I installed AbiWord (a really nice, lean, mean, superfast word processor, by the way) it failed to run right. I upgraded to unstable, and then it worked perfectly.

OK, let’s talk some tricks.

Want to upgrade your distribution after a new version comes out, or upgrade from stable to testing or unstable? Easy. Type this:

apt-get update ; apt-get dist-upgrade

Then Debian will go download the pieces it needs to upgrade itself.

Want to keep your system up to date with any little changes (security patches, whatever) that may have happened recently? Type this:

apt-get update ; apt-get upgrade

So Debian lets you keep a current and presumably secure installation very easily. If you run that line regularly, you can rest assured that if your system is insecure, it’s not Debian’s fault but rather a misconfiguration on your part.

Want to try out some new piece of software? Forget having to hunt down RPMs or keep track of your distribution CD. Check availability with this command sequence:

apt-get update ; apt-cache pkgnames [name of program]

Found it? Excellent. Install it with this command:

apt-get install [name of program]

And if it wasn’t as great as you heard, you can uninstall it with this command:

apt-get remove [name of program]

System acting goofy? This’ll cure much that ails you:

apt-get clean ; apt-get update ; apt-get check

So from a system administration standpoint, Debian is great. Debian developers often try to justify the difficulty of installation by saying you only have to run it once, and to a degree, they’re right.

Compiling a kernel under Debian

I found a nice document detailing customizing your kernel under Debian. The standard method works under Debian, of course, but it’s cleaner to do it within the confines of your package manager–then it doesn’t go stomping on files you modified. Plus it’s actually a little easier to let Debian handle some of the details.

Here are the notes I took while using the document.

With additions:
Use kernel-source-2.4.17

export CFLAGS="-O3 -mcpu=i686 -march=i386 -fforce-addr -fomit-frame-pointer -funroll-loops -frerun-cse-after-loop -frerun-loop-opt -malign-functions=4"
export CXXFLAGS="-O3 -mcpu=i686 -march=i386 -fforce-addr -fomit-frame-pointer -funroll-loops -frerun-cse-after-loop -frerun-loop-opt -malign-functions=4"

Using -march=i686 is known to cause instability and not improve performance by any noticeable amount. The kernel mostly ignores these settings but I set them anyway. You can alternatively set them in the file /etc/profile. If you ever find yourself compiling apps from source, you want these options set so they’ll perform optimally.

A correction:
Debian tar doesn’t seem to support the -I switch for bzip2. So I extracted the archive with the following:
bunzip2 -k -c kernel-source-2.4.17.tar.bz2 | tar -xf -

The -k switch tells bzip2 to keep the original file intact, while -c tells it to decompress to stdout. The | pipes that stdout into the specified program, in this case, tar. -xf - tells tar to extract from the file named -, which means standard input.

I got an error on make xconfig:

make: wish: command not found.

So I headed off to www.debian.org/distrib/packages. At the bottom of the page, there’s a form where you can type a filename and it’ll tell you what package it comes from. Type in “wish,” hit enter, and I get a long list, including /usr/bin/wish8.3 in a package named libs/tk8.3. Sounds promising. So I do an apt-get install tk8.3 and I’m in business. Type make xconfig again, and we’re set. This page is also a really good way to hunt down packages if you don’t know exactly how Debian named it.

Options I chose for kernel compilation:

Code maturity level options: prompt for development and/or incomplete code/drivers. I answered Yes, so I’d get modern filesystem support.
Loadable module support: I answered yes to all. I’ve read that disabling modules and compiling everything directly into the kernel can improve performance but I’m wary of that. If the kernel’s too big, the system won’t boot. And the idea of modules is to keep only what you need in memory. So I suppose there are instances where a no-modules kernel could increase performance, but there are certainly instances where it would hurt. I chose to be conservative.
Processor type and features: I changed a couple of the defaults. Double-check the processor family option; in my experience it’s usually but not always correct. Enable MTRR support unless you’re using a 486, Pentium, or AMD K5 CPU. All other reasonably modern CPUs, including AMD, Cyrix, Intel, and WinChip, support MTRRs for increased GUI performance. Since the PC I’m using only has one CPU, I disable SMP support. Then I enable local APIC and IO-APIC support on uniprocessors.
General setup: I accepted the defaults, because aggressive use of APM makes me really nervous. Under Windows, APM always does me more harm than good.
MTD: Since I don’t use any flash memory devices, I accepted the defaults of No.
Parallel port support: Curiously, this was disabled by default. This PC has a parallel port but I only use network printers, so I left it disabled to save a little memory.
Plug and play configuration: I said no to ISA plug and play support, since this machine is a laptop and won’t have any ISA PnP cards. On modern PCs that have no ISA slots, say N.
Block devices: The defaults are usually sufficient, but some configurations need RAM disk support and initrd support turned on. If you’re going to mess around with ISO images, you’ll probably want to turn on loopback device support.
Multi-device support: I’ve never seen a laptop with RAID, so the default of disabling it all works great for me.
Networking options: The defaults are fine for most uses. If you’re going to make a router or firewall out of your PC, enable Netfilter.
Telephony support: I disabled it.
ATA/IDE/MFM/RLL support: Disable it if you have an all-SCSI system. I don’t. Turn on SCSI emulation support if you use a CD-R or CD-RW. Under IDE chipset support/bugfixes, disable the chipsets your PC doesn’t have. This laptop has an Intel chipset, so all I had enabled were Generic PCI IDE chipset support, Sharing PCI IDE Interrupts support, Generic PCI bus-master support, Use PCI DMA by default when available, Intel PIIXn chipset support, PIIXn tuning support.
SCSI support: I have an all-IDE system (unfortunately), so I disabled it. Note that SCSI emulation for a CD-R counts as a SCSI device, as does a parallel port Zip drive. Since I have neither, I’m safe disabling it to save some memory and speed up boot time slightly.
IEEE 1394 (Firewire support): I disabled it since I have no Firewire ports.
I2O device support: I disabled it.
Network device support: This can be tricky. I turned off SLIP and PPP since I don’t use them. You may need PPP. I turned off ARCnet support, which you’ll probably do as well since ARCnet is very rare. I have a 100-megabit 3Com 3c556 NIC in this laptop, so I went into Ethernet 10 or 100 Mbit, drilled down to 3COM cards, and said yes to 3c590/3c900 series, since that’s the driver the 3c556 uses. I turned off the others. I like to compile support for the machine’s NIC straight into the kernel when I can, since it speeds up network configuration at boot time. On servers, I’ve been known to compile support for every type of NIC I own into the kernel, so that if I ever have to change NICs, it’ll come back up automatically without any configuration from me. I turned off wireless, token-ring, PCMCIA, ATM, amateur radio, infrared, and ISDN support.
Old CD-ROM drivers: You can probably turn this off, unless you know you have an old proprietary 1X or 2X CD-ROM drive. These were the drives that generally plugged straight into an ISA sound card, and they were very common on 486s. I sold tons of these things in 1994; I’m pretty sure that by the time I was selling PCs again in the summer of 1995, everything I was selling had an IDE drive in it.
Input core support: I don’t use USB input devices, so I turned it off.
Character devices: Near the bottom, after Ftape support, there are options for specific chipsets. You can find out what chipset you have by typing the command lspci in a shell. (You have to be root to do this–use the su command if you’re logged in as yourself, as you should be.) This laptop has an Intel 440BX chipset, so I turned off the VIA, AMD, SiS and ALI support.
Multimedia devices: Disable video for Linux unless you have a capture card. Most will disable Radio adapters as well.
File systems: I enable Ext3 and ReiserFS, along with DOS FAT and VFAT (as modules), ISO 9660 and Joliet, NTFS read-only (as module). Under network file systems, I enable SMB since I (unfortunately) work in Windows environments. I disable NFS since we have no NFS servers.
Console drivers: The defaults work for me.
Sound: Since I have onboard sound, I enable sound support and pick my chipset, in this case, ESS Maestro3. I disable all others.
USB support: I have USB ports but don’t use them. I left it enabled just in case, but I’m not sure why.
Bluetooth: I don’t use it, so I disabled it.
Kernel Hacking: I disabled Kernel debugging, the default.
Whew! Hit Save and Exit. Exit X to save some system resources while compiling and installing.

The end result was an up-to-date kernel (2.4.17) that was about 200K smaller than the stock 2.2.19 kernel and boots to a login prompt in 18 seconds flat, as opposed to 45 seconds before. Much of the improvement is due to the 3c590 driver loading faster as part of the kernel rather than as a module, and the kernel no longer searching for phantom SCSI devices. But Charlie Sebold told me it’s his experience that recent 2.4.x kernels boot a lot faster than earlier kernels.

It’s not perfect–I don’t have sound completely working yet–but I found some clues. I’m not overly concerned about sound support though. The system beeps at me when I have mail, and for work purposes, that’s all the sound I need. I don’t see any point in turning my PC into a multimedia tribute to Billy Joel or Star Wars or Quake III.

Wintendo must go…

Some l337 h4x0r is watching this as I type. Yeah, I got the new virus. Fortunately it doesn’t look like it’s smart enough to look at an IMAP store, so it didn’t replicate. That’ll be the last time I use Outlook at home, and maybe at work. Yes, Linux has security vulnerabilities, but they’re benign compared to this crap. Especially if you’re behind a firewall with Telnet and even SSH access turned off. A root exploit on a machine disconnected from the world doesn’t do any good.
So kiss off, Gates. You embarrassed me. Yeah, I wrote a book about your worthless OS. I know a lot more about your worthless OS than about any alternative. That’s fine. I learned Wintendo, I can learn something else.

And to the loser who’s now recording my keystrokes: I’ll rebuild the system. Enjoy what little you get. Meanwhile, get a life, OK? Get interested in girls or something.

More of the same.

As I watched my Royals’ parent club, the Oakland Athletics, play the Yankees, I burned a CD under Linux for the first time. I honestly don’t remember when I last used my old Sony CD-R (it’s so old it’s a 2X burner!) but that was under Windows.
But burning an ISO image is insanely easy, at least if you’ve got a SCSI drive. Here’s the voodoo I needed:

cdrecord -v speed=2 dev=0,0 binary-i386-1.iso

By the time I could have pulled up the ISO image in Easy CD Creator, I’d typed the command line and cdrecord had already burned a meg.

How do you know the numbers? cat /proc/scsi/scsi.

And I know now why my people at work who are in the know on Linux love Debian. How big is a default installation of the current release? 141 megs. Including XFree86 3.36. It’s definitely not a distro for those who like the bleeding edge or even the leading edge, but if you’re wanting to build a Firewall, Debian looks like the distro of choice, and it’ll fit on a discarded 170-meg drive with room to spare.

I reformatted my experimental mail server, then I installed Debian. Then I made it a mailserver. Exim, a sendmail replacement, was already installed. So was procmail. So here’s what I did to make a mail server:

apt-get install courier-imap
apt-get install fetchmail

I created a .fetchmailrc file in my home directory:

poll postoffice.swbell.net with protocol pop3
user dfarq password noway is dfarq

Then I made the file secure:
chmod 0710 .fetchmailrc

I configured courier-imap. I had to scroll down to the bottom of /etc/courier-imap.config and uncomment the last line to activate it. Then I configured exim. I searched for the phrase “maildir” and uncommented the line that enables maildir format (courier doesn’t work with the default mbox format, and maildirs are more efficient anyway).

Then I ran fetchmail: fetchmail -d.

That should have worked. It didn’t. Exim continued to use mbox format. So I can connect to my IMAP server, which is populated by fetchmail, which is in turn served by exim, but since exim doesn’t put the mail in a format the server understands, I’ve got nothing to read.
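Two checks worth running on a box set up this way, added here as an example rather than taken from the post: fetchmail's permission rule for .fetchmailrc, and a look at whether a delivery target is a Maildir or an mbox, which is what would have pinned down the exim problem. The sample files and the message are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: two pre-flight checks for
# the fetchmail -> exim -> courier-imap chain. Sample files below are
# constructed in a scratch directory.

# fetchmail refuses a .fetchmailrc that anyone but its owner can read,
# since it holds the POP3 password in clear: the mode must be 0710 or
# tighter (group may keep only x, others nothing). The check reads the
# ls(1) mode string, so it does not depend on GNU stat.
fetchmailrc_mode_ok() {
    [ -f "$1" ] || return 1
    perm=$(ls -ld "$1" | cut -c5-10)   # group rwx followed by other rwx
    case "$perm" in
        --?---) return 0 ;;            # group r and w clear, others clear
        *)      return 1 ;;
    esac
}

# Report how mail is stored at a path: a Maildir is a directory holding
# cur/ new/ tmp/; an mbox is a file whose first line is a "From " line.
# Run on exim's delivery target, this shows mbox still being written
# while courier-imap only serves Maildir.
mail_format() {
    if [ -d "$1/cur" ] && [ -d "$1/new" ] && [ -d "$1/tmp" ]; then
        echo maildir
    elif [ -f "$1" ] && head -n 1 "$1" | grep -q '^From '; then
        echo mbox
    else
        echo unknown
    fi
}

# Demo on constructed files.
demo=$(mktemp -d)
mkdir -p "$demo/Maildir/cur" "$demo/Maildir/new" "$demo/Maildir/tmp"
printf 'From dfarq Sat Oct 13 23:30:00 2001\nSubject: test\n\nhi\n' > "$demo/dfarq"
printf 'poll postoffice.swbell.net with protocol pop3\n' > "$demo/.fetchmailrc"
for mode in 0644 0710; do
    chmod "$mode" "$demo/.fetchmailrc"
    if fetchmailrc_mode_ok "$demo/.fetchmailrc"; then
        echo ".fetchmailrc mode $mode: accepted by fetchmail"
    else
        echo ".fetchmailrc mode $mode: too open, fetchmail will refuse it"
    fi
done
echo "Maildir target: $(mail_format "$demo/Maildir")"
echo "mbox spool:     $(mail_format "$demo/dfarq")"
rm -rf "$demo"
```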

So I guess I’m going to think about ditching exim for qmail. I have no great loyalty to exim except that Debian put it there by default.

And the Cardinals are eliminated (I’m furious with the way LaRussa handled Matt Morris; he won’t win 22 games next season, that’s a given now) and the A’s are going to have to play Game 5 without Jermaine Dye. I see the Royals have problems with the Yankees even when they’re wearing another uniform. Hopefully they can pull it off today. I’d have liked to have seen Johnny Damon, Jermaine Dye, Jeremy Giambi and Mike Magnante go to the Series in Royals’ uniforms, but if they get there in someone else’s, I’ll take it.

Just had a conversation with Dan Bowman to confirm my feeble grip on sanity (but I was afraid I may have let go, so that is good news), and now it’s way late. It’s actually about 11:30; this server runs on Farquhar time. I’m gonna go make friends with my pillow. Apologies if this is poorly edited.

Sorcerer, meet Squid. Squid, meet Sorcerer.

I didn’t feel all that well last night. Not sure if I’m coming down with something, or if it’s something else. I’ve actually felt a little weird for the last couple of days, so I’ve been sucking down zinc lozenges, and I remembered Steve DeLassus’ advice the last time I got sick: swallow a raw garlic clove. I felt fine the next day. So guess what I had for breakfast this morning? That’ll solve the problem of anyone wanting to come near me all day…
I napped a good part of the evening, but I got a little work done. I finally got the guts to raise my hand in the Sorcerer mailing list and ask if anyone else was having problems compiling XFree86. Turns out there was a bug. So now I don’t feel so stupid. It took a couple of hours to compile, and at first I configured it wrong, but now I’ve got a usable GUI.

I also installed Squid on the Sorcerer box. There isn’t a spell for Squid yet, and I’m not positive I can write it (it requires adding users and doinking with configuration files, and editing configuration files automatically goes a little beyond my Unix lack-of-expertise), but I may give it a try. One thing that annoys me about Squid: It uses really lame compiler options, and it ignores the system default options. I need to learn the syntax of make files so I can try to override that. The main reason to run Squid is for performance, so who wouldn’t want a Squid compiled to wring every ounce of performance it can out of the CPU?

But at any rate, I installed it, and did minimal–and I mean minimal–configuration: adding a user “squid” and setting it to run as that user, changing ownership of its directory hierarchy, opening it up to the world (I’m behind a firewall), running squid -NCd1, and putting a really lame script in /etc/rc3.d. Here’s the script:

#!/bin/sh
echo "Starting Squid..."
/usr/local/squid/bin/squid

See? Told you it was lame.

Performance? It smokes. There are a few sites that Squid seems to slow down no matter what, but www.kcstar.com absolutely rips now, so I can get my Royals updates faster.

It makes sense. My Squid boxes have previously been TurboLinux boxes, which are nice, minimalist systems, but they’re designed for portability. In other words, they’re still 386-optimized. Plus, they’re running the 2.2 kernel and ext2. This one’s running 2.4.9, disk formatted reiserfs, with everything optimized for i686.

Building a Squid server

I’ve talked about Squid before. Squid is a caching Web proxy, designed to improve network speed and conserve bandwidth by caching Web content locally. How much it helps you depends on how you use the Web in that particular environment, but it’s usually worthwhile, seeing as the software is either free or costs next to nothing (it comes with most Linux distributions) and it doesn’t take much hardware to run it. Don’t use your Pentium-75, but you can deploy a standard desktop PC as a Squid server and it’ll work fabulously, unless you’ve got thousands of PCs hitting it. For a thousand bucks, you can seriously reduce your traffic and chances are it’ll pay for itself fairly quickly.
And ironically, Squid integrates beautifully with Internet Explorer 5.0 and newer.

Here’s what you do. Build up a minimal Linux server. For this, I prefer TurboLinux 6.01–it’s more lightweight than the current version, and you can still get patches for it that keep it from being h4x0r h34v3n. Pick the minimum base install, then add Squid and Apache. Yes, you need Apache. We’ll talk about that in a minute. I don’t like to have anything else on a Squid box, because Squid tends to be a big memory, CPU, and disk hog. Keep your computing resources as free as possible to accommodate Squid. (For that reason it would probably be better under a 2.4 kernel using ReiserFS-formatted partitions but I didn’t have time to test that.)

Once Squid is installed, modify /etc/squid/squid.conf. You’ll find a pair of lines that read “allow localhost” and “deny all.” That allows Squid to work only for the local machine, which isn’t what we want. Assuming you’re behind a firewall (you should be, and if you’re not, I’ll help you make a really big banner that says, “Welcome, l337 h4x0r5!”), change the “deny all” line to read “allow all.”

Next, make sure Apache and Squid are running. Go to /etc/rc.d/rc3.d and make sure there are scripts present that start Apache (httpd) and Squid. If there aren’t, go to /etc/rc.d/init.d and make copies of the Apache and Squid scripts. Give them a name that starts with S and a number, e.g. S50httpd.

Next, let Squid build and configure the directories and logs it needs with the command squid -NCd1. No, I don’t know what the -NCd1 means. I found it in a forum somewhere.

Now, go to your DNS and add an entry called wpad.yourdomainname. How you do this depends on the DNS you use. Someone else handles those duties at my job, so I just had him do it. Point that to your squid server.

Now, in /home/httpd/html (assuming TurboLinux–use the default Apache directory if you’re using a different distro), create two files, called proxy.pac and wpad.dat. They should both contain the following JavaScript code:

function FindProxyForURL(url, host)
{
    // Every request goes through the Squid server on its default port, 3128.
    return "PROXY 192.168.10.50:3128";
}

Substitute your Squid server’s IP address for 192.168.10.50.

What’s this do? Well, when IE is set to autodetect your Proxy settings, it goes looking for http://wpad.yourdomainname/wpad.dat, which tells it where to find the Proxy server. You could use any Web server you wanted; I just use the Squid server on the theory that if the Squid server is for whatever reason unavailable, a Web server running on the same machine is the most likely to also be unavailable, so IE won’t find it and won’t use a proxy, giving you a degree of failover.

The cool thing is, this combination of Apache and Squid works well, and can be quickly implemented with almost no work since Internet Explorer by default goes looking for a proxy and most people don’t uncheck that checkbox in the control panel.

We did this to reduce traffic on a T1 line for a short period of time (it saves us from needing to get multiple T1s) and so far we’re very impressed with the results. I recommend you try it.
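The "deny all" to "allow all" edit earlier in this recipe turns Squid into a proxy for anyone who can reach port 3128, which is fine only as long as the firewall really does stand in front of it. The script below, added here as an example and not part of the original post, reads a squid.conf and reports whether it is open to the world or restricted, and shows the LAN-only form that gives the office the same result; both configs are constructed, and 192.168.10.0/24 is an assumed subnet matching the proxy address used above.

```shell
#!/bin/sh
# Added example, not from the original post: tell whether a squid.conf
# proxies for the whole world, as after the "allow all" edit above, and
# show the LAN-only form. Both configs are constructed; 192.168.10.0/24
# is an assumed office subnet matching the proxy address on this page.

# Read a squid.conf on stdin, strip comments, and report what the first
# catch-all http_access rule does: "open" (allow all), "restricted"
# (deny all) or "undecided" if there is none. Squid walks http_access
# lines top down and stops at the first match, so an "allow all" that
# comes before "deny all" wins.
squid_access_verdict() {
    sed -e 's/#.*//' | awk '
        $1 == "http_access" && $2 == "allow" && $3 == "all" { print "open"; done = 1; exit }
        $1 == "http_access" && $2 == "deny"  && $3 == "all" { print "restricted"; done = 1; exit }
        END { if (!done) print "undecided" }'
}

# The post's edit: "deny all" became "allow all". Anyone who can reach
# TCP 3128 on this box can relay HTTP through it.
weak_conf() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
http_access allow localhost
http_access allow all
EOF
}

# Same result for the office without the open relay: name the LAN,
# allow it, and keep "deny all" as the final rule.
lan_conf() {
    cat <<'EOF'
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/255.255.255.255
acl localnet src 192.168.10.0/255.255.255.0
http_access allow localhost
http_access allow localnet
http_access deny all
EOF
}

for conf in weak_conf lan_conf; do
    printf '%-10s -> %s\n' "$conf" "$($conf | squid_access_verdict)"
done
```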

Airshows, photography and Linux routing

Gatermann and I went out shooting again yesterday. More exploration of the warehouse district, and we found out that the warehouse district is a halfway decent place to watch an airshow. A couple of cargo planes buzzed us, tipping us off to what was going on, so I went chasing. I’m not the airplane junkie my dad was (few people are), but I’m still a sucker for exotic military planes. I borrowed Gatermann’s telephoto lens and took shots as planes went by. A pair of vintage P-51 Mustangs zoomed by, so I got a few shots of those. A couple of modern fighters made a brief appearance, but I couldn’t get them into the lens quickly enough to identify them. Chances are they were F-16s; not as common a sight as they once were, but you still see them.
I was hoping for a chance to see the Stealth Bomber; about four years ago I was in St. Louis on the 4th and as Gatermann and I were stepping outside to go get something to eat, we heard a low rumble overhead, looked up, and got a spectacular view of the rarely seen and highly classified B-2. Of course there wasn’t a camera in sight so we didn’t get a shot.

This year, a B-52 came from out of nowhere. It was huge–I mean HUGE–and very obviously not an airliner. I’d never seen one in person before so I didn’t identify it immediately. I got it in the camera, zoomed in on it, and figured out what it was. I got several shots. The B-52 is an oldie but a goodie; we used it heavily in Vietnam and in the late 1970s we intended to replace it with the B-1. Carter cancelled the B-1; later Reagan re-initiated it, but it was a disappointment. The B-1 never fully replaced the B-52 and now there’s talk of decommissioning the B-1 completely.

The B-52 was followed by a series of stunt pilots. I guess that’s good for oohs and ahhs, but I wanted to see weird airplanes.

The grand finale was the B-1. It totally snuck up on me; I think Gatermann spotted the thing first. I recognized it but the camera couldn’t catch it–the autofocus wasn’t fast enough. I switched to manual focus and waited. And waited. I spotted it looping around on the east side of the river; most non-classified stuff makes two passes. But you can’t get a good shot from that distance with this lens. I never saw it come back. It didn’t really look like it was landing (Scott Air Force base is across the Mississippi River, in Illinois), but I couldn’t find the thing. I gave up, turned around, and started walking back when Tom yelled and pointed. I quickly turned around, and the B-1 was just barely in range. I pointed and shot as it disappeared behind a warehouse. I think I got it.

I shot more than a full roll of just airplanes.

After airplanes and lunch, we headed out to CompUSA. Gatermann wanted a KVM switch; I wanted Baseball Mogul 2002. A Belkin 4-port switch was $200. A Linksys was $150. Gatermann grabbed the Linksys. I came up empty on Baseball Mogul. We went back to his place, hooked up the Linksys, and it was a real disappointment. It doesn’t pass the third mouse button. Numlock doesn’t work. And it has a slight ghosting effect on the picture. I didn’t notice it but Gatermann did. Stepping the resolution down and lowering the refresh rate didn’t help a whole lot. He’ll be taking the Linksys back. (To Linksys’ credit, the box is made in Taiwan, though its wall wart is made in Red China. I’m not a fan of financing World War III, nor am I a fan of slave labor, so I try to avoid products made in Red China whenever possible. Gatermann does too. I’m not sure what his reasons are but Red China’s treatment of the seven prisoners of war after their pilot kamikazeed our spyplane probably has something to do with it.)

Bottom line: Belkin’s KVM switches are better. I like the Linksys’ metal case better than the plastic case on my Belkin, but the Belkin performs a lot better and its buttons feel more solid. I also like the ability to change displays from the keyboard, rather than having to reach over to the switch like the Linksys requires.

I’m generally not impressed with Linksys’ products. Their DSL router, though it looks really slick, doesn’t forward ports very well. If you just want to split off a cable or DSL connection, it’s great. If you want to learn how the Internet works and run some servers behind your firewall, it’s going to frustrate you. It’s just not as stable as Gatermann’s Pentium-75 running Freesco, which we cobbled together from a bunch of spare parts. Get a used Pentium-75 motherboard with 8 megs of RAM, put it in a $20 AT case along with a $15 floppy drive and a pair of $15 PCI NICs and download Freesco, and you have something much more versatile and reliable for half the price. And a lot of us have most of that stuff laying around already.

And Linksys network cards are absolute junk. Their workmanship isn’t good, their drivers aren’t stable, and the cards have a tendency to just die. Or they age really poorly, spitting out tons and tons of bad packets as they carry out their wretched lives. Netgears are much better, and not much more expensive.

I also gave Gatermann’s Linux configurations a look. Freesco didn’t appear to be forwarding port 80, even though we configured it to, and Apache was installed and I’d verified it was working by opening a browser and going to 127.0.0.1. I tried a variety of things–including forwarding the ports manually from a command line, using the ipportfw command if I remember right–but it never worked. Finally, I tried hitting the Web server from a Windows PC inside Gatermann’s private network. It was denied too. Workstation-oriented Linux distros tend to come locked down really tight by default these days, which is probably a good thing in general, but it makes it really hard to just turn on Web services to the world. I know it can be done but I wouldn’t know where to begin. So I had him download TurboLinux Server 6.5, which will probably solve all his web serving problems.