darkness

Mixmaster is alive and well, and working. Checking out Freenet too. BTW, in the freenet.conf file, fproxy.bindAddress is now mainport.bindAddress IIRC. Not noted in their documentation as far as I could see, but I found it by searching around with Google.

Switched over most of the IPs in our office. To facilitate zone transfers between my internal and external views I had to assign an extra address to each name server, then use the transfer-source option in one of the views on each server. Then you modify the view without transfer-source to not match the IP you specified to transfer-source. Like this:

view "internal"
{
	match-client { ! 10.0.0.4; 10.0.0.0/8; 127.0.0.1; };

	...
};

view "external"
{
	transfer-source 10.0.0.3;
};

In the above example 10.0.0.3 was the additional IP added to the name server that was using the above configuration, and 10.0.0.4 was the IP added to the other name server.

When you’ve got more than two subnets on the same segment and you want ISC dhcpd to know about them/hand out IPs in them, you need to use the shared-network directive. Helpful hint.

I got my Cisco Aironet LMC-350 today. Oddly, I’m getting packet loss to my Orinoco RG-1000 which was sitting about five feet from the laptop. Not good? It worked fine with an LMC-340 I tested it with. I hope it’s just the lack of antenna… but the 340 didn’t have an antenna on it either. I’ll have to do some experiments. Maybe ad-hoc to another card will be OK. Maybe it’s the firmware, and some new security provisions that are fucking up with the Orinoco AP?

Spent a lot of it in traffic. Didn’t get to go out to a client’s site – a single client’s site, among seven in this area that need visiting – until 1500 or so. I got stuck in plenty of traffic, yes indeed.

I killed a Cisco Aironet 340 LMC PCMCIA 802.11b adapter (phew) today. Hint: I think trying to use the (apparently undocumented) airoflash utility from the airo-linux project is a bad idea. I don’t blame them, really. What the hell was I doing trying to flash my card with an undocumented program, anyway? Now I think I just get the triple amber LED blink. According to Cisco’s site that means something like “bad firmware checksum.” It tells me to re-flash the firmware. Problem: I can get neither Linux nor Windows 2000 to recognize the card, so I can’t flash it. (Linux wants a device name, which never gets assigned since the driver (presumably) can’t communicate with the card properly. Windows has a similar problem: the Cisco utilities won’t load because Windows never really thinks there is a network card in the system.) I was going to call TAC, but I have fears of my bullshitting ability. I don’t think I will be able to say to them, “yeah, I was flashing it using approved methods, of course *wink, wink*” without sounding like a total liar. “So, what exactly did you click in the Windows application?” “Uh, well, I, uh, clicked, um… I don’t… remember?” “*click*” So I ordered a LMC 350 from techonweb.com who were highly rated at Reseller Ratings and Price Grabber. Oh, they also had a good price on the card; within $15 of the lowest on a $100-ish card. Then, of course, I blew $35 on overnight shipping. I’m so impatient when it comes to gadgets. Oh well, it’ll come out of my record budget.

I made seared Tuna steak covered in mustard, some fried brown rice (I forgot fucking Soy sauce!), and my own concoction of Broccoli in wine with some spices thrown on. I now have a mid-grade headache, and immediately after eating I thought I was going to puke briefly. That’s not so abnormal, but it was stronger than with other meals, so it stood out to me. This stuff makes me sick. I don’t know if it’s the spiciness, the oil, the mustard, or what. Maybe it’s all the salt I put on the food. I’ll down some Mylanta before bed and hope for the best.

Oh, I almost forgot! We have CABLE! Yes! We have Road Runner and 500 channels of shit again. Joy! No more dial-up. My co-worker’s power just got turned on today too, which is good. I wonder if Duke Power met their goal of having 90% of power in CLT on by today (well, yesterday; Wednesday) at midnight?

I set up my slight voodoo Bind configuration tonight and Bind 9.2.1 ate it. I can’t test yet since I have no machines configured on the internal IP block that the internal view’s match-client statement looks for. I was going to switch a system over tonight… but I stopped, since I thought I had determined that I would need to switch all systems at once (or within a block of time that customers will not be likely to access our resources). I thought this because I thought the name servers would only be available on one IP or the other. However, I’ve now remembered that Linux can have *gasp* more than one IP per interface. So I’ll have to configure my name servers up like that tomorrow and try switching a machine, then. It should be fun.

I think I forgot something in the above paragraph, but I’m too tired so I’m just going to be off to bed now.

Urgent need to change from one ISP to the other. Don’t really want to speak of the reasons for this here. Anyway, since last night I’ve been working on this every waking hour that I could spare. Even put off commitments to a big customer to get this done with. Bad news: it’s still not done. I need to make this entry quick, but I don’t want to miss too much of what I’ve been doing.

My iptables rules are a leap forward for me compared to what I’ve been doing. I think I might try and dumb down my iptables rules script that I’m going to try using after I’ve (A) ironed out any bugs, and (B) removed sensitive information, dumbed it down into an example, etc. Things I’m doing that I’ve (stupidly) never done before: for services, branch to a chain that lists all the hosts providing that service when you match the service’s port; reorganizing rules based on which has the most packets (iptables -nvL); when mucking with iptables rules remotely, make a “safe host” entry at the top of the the INPUT and FORWARD chains that contains an unqualified ACCEPT for that IP address.

I also recompiled my kernel/iptables/wanpipe with the CONNMARK patch. Here’s the reason: I’ve got two Internet connections with different IP ranges on them. I’ve got one internal network with reserved addresses. To make an example, say an incoming SMTP connection comes in on Internet connection B. Packet gets NAT’ed, sent through to SMTP server. Now SMTP server makes a response to the client. When this datagram hits the server, you have no way of determining whether the packet should be sent out Internet connection A or Internet connection B (where it belongs), except giving the SMTP server two IPs and filtering on that perhaps. CONNMARK adds a field to the structures already maintained by the conntrack code which is basically like fwmark. You can match on this “connection mark” (connmark), copy fwmark to the connmark, or copy the connmark to the fwmark. In my case, when the SYN for the SMTP connection came in I’d set the connmark on that connection. Then when any packet that has a connmark is about to be routed (in the mangle table, PREROUTING chain) I copy the connmark to the fwmark for any packets that have connmark set. Once you’ve got fwmark set, you can route with ip rule based on the fwmark. Nice.

Note on building this setup, though. I wanted an athlon kernel. AFAIK, the only way to get source is to just rpmbuild -ba the spec file with no explicit target. So I have to build twice: once with rpmbuild -ba --target athlon kernel-2.4.spec, and once with rpmbuild -ba kernel-2.4.spec. (I could do this all in one step with --target i386,athlon I think — but I also noticed that apparently rpmbuild -ba is building for i586, though the arch tag on the resulting binary RPM is i386? Am I going insane here? This is RH 8.0, too; isn’t that only supposed to support i686? If it had built an i686 kernel and called it i386, maybe I’d buy it, but… i586?)

Also, the CONNMARK patch wasn’t as simple as the MARK_operations patch I had applied earlier: it had a bunch of files, some of which weren’t exactly in patch(1) format AFAIK. So I pointed KERNEL_DIR at a copy of /usr/src/linux, had it patch that copy, then diff -urN /usr/src/linux /my/usr/src/linux/copy > linux-2.4.18-CONNMARK.patch. Fun. Put patch in spec file, rebuild kernel RPMs. This patch didn’t modify iptables, either, which I found weird since I needed it to build the CONNMARK target and connmark matcher. I later found out that (at least when building from the RH 8.0 iptables 1.2.6a patch), iptables will check /usr/src/linux for certain files corresponding to the presence of the CONNMARK patch in the kernel; it will build this target and matcher if it finds them. So: patch kernel source, install kernel source, then build iptables.

Then, I broke the Internet when I rebooted. I realized that wanpipe wouldn’t work when it was built for i386 and the kernel was built for athlon. This didn’t see quite right to me, but the modules would give me unresolved symbols. In the end, I ended up doing the same thing as I did for the CONNMARK patch above: I let the wanpipe stuff patch a copy of the kernel, diff‘ed the two, applied that patch, rebuilt kernel RPM. Voila, now the modules that ship with the kernel are just fine. I should split the modules out of my wanpipe RPM.

That was yesterday. Today I came up with a checklist of things that I have to do to hosts to bring them over to the new reserved IPs I’m switching to on the Internal network. I also added new iptables rules in preparation for the switch.

I ran into problems with DNS, though. I’ve got two weird DNS situations:

1. Hosts in our domain need to resolve to internal IPs when queried from the inside, and external IPs when queried from the outside.

2. At home I need some of the hosts from my primary domain name to resolve to internal IPs, and some to resolve the same as they would everywhere else. The rest of the hosts should resolve to one address regardless of where I’m querying them from.

I’ll start with (1); (2)’s not too related to work, really. I was going to use views to do (1), but then I remembered that you had to define every zone for each view; i.e., you can’t have some zones in a view and some outside (like “all zones in your specific view are checked first, then any zones not in a specific view are checked”). I also only have one DNS server (really two, but primary and secondary) so typical split horizon DNS as described in Bv9ARM isn’t real do-able. (I don’t want to run multiple copies of bind.) I didn’t want to maintain each zone directive in each view.

So rather than hit an obvious solution (coming later) I went off on tangents. I looked at a patch I had made to allow records like * NS ns1.foo.com which actually works, but is applicable to (2) and not really (1). Then I started reading on DNS and eventually hit some random guy’s “Frequently Given Answers” which had some information on DJBDNS. I started looking in to it and decided I should perhaps try DJBDNS. I actually started to like the idea of synchronizing between master and slave(s) with ssh/rsync. I came to accept the idea that I would run tinydns on one IP and dnscache on another IP. OK. Then I realized it didn’t support RFC 2136 dynamic updates like Bind 9. Then I read some more and really thought hard about DJBDNS’ sort of lack of standards support. The only other thing I can really think of that it doesn’t support is DNSSIG (or was it DNSSEC? You know what I mean), which isn’t really done nor too useful – especially if you listen to DJB and his advocates. (BTW, I recommend reading a DJB vs. Bind thread or something similar on any number of mailing lists like IETF’s namedroppers list for example. His page on DJBDNS also has a bit about how he’s being oppressed by the moderator for namedroppers, I believe it was.) I could probably live without DNSSIG, at least for now, but dynamic updates? I really like those. I also read about the extreme overhead some people had for doing a make (rebuilding the CDB files, AFAIK) with large numbers of records. They had much, much, much greater demands than I, but I still thought about it. Now that I think about it, I doubt Bind could keep up with some of their needs too.

Anyway, I ended up dropping DJBDNS. I considered running three views in Bind 9: one for internal zones, one for external zones, and one for “common” zones that needed to be queried from either of the first two views with the same resolutions (RR’s, IP’s returned, whatever) for both. I was going to have the server listen on port 54 in addition to the usual ports. Then I would setup the internal and external views to match based on the source, and set them up as forward only views. They would answer queries for the few (two, I much later realized) internal zones they had information for, but forward to localhost port 54 for any other queries. localhost:54 would be caught by the common view. Voila, a union of sorts. One problem I thought of, though, was CNAMEs: request comes in for www.customer.com, internal zone gets query, doesn’t have authoritative information for it in this view and so forwards to localhost:54, common view gets it, finds www.customer.com. CNAME web1.ourdomain.com., goes to look up web1.ourdomain.com. (Note: at this point I’m not sure I’m correct. The name server might not try to look this up, but instead return the CNAME with no other information back to the internal view. In this case, the rest of this example is moot.) Now it tries to look up ourdomain.com, which is a zone that has different addresses depending on whether it’s queried internally or externally. However, if localhost:54 tries to send a query to localhost:53, and the internal/external zones match on source address of the query, which view do they answer from for the address of www.customer.com? Kaplooey, brokenness.

Then I somehow started thinking about DNS tools, and I kind of hit me: hey, isn’t there an include statement. Sure enough, and it says it basically just acts like the contents of the named file were inserted into the configuration at that point. Bingo: create internal-zones.conf, external-zones.conf, and common-zones.conf. Two views that discriminate based on query source, they both have all the zones that we’re authoritative for, and I don’t have to manage two separate lists of zone statements in two separate view statements. I haven’t tested this yet, but I suspect it will work. The only odd thing about this might be my one dynamic zone; I’m not sure if it’s going to reflect the changes to the zone in both views if I simply point the zone statements at the same files. I’m kind of worried about the journal I believe it makes. I’ll get back to you later if this actually all works out.

I don’t actually feel like writing much about (2) right now. My wildcard NS patch (which I’ll make available upon request; mail me if you want it) fixes things up. My home server is configured with this patch, and the real primary/secondary for the domains are listed with * NS on my home server. In this manner, my home server tries to match the record from more specific records in the zone it has, but if it can’t find any will just return the referral to my real primary/secondary servers.

In other news, I’m still without high-speed Internet access at home. ardent, euphorik and I have discussed using 802.11b to set up a secure link between our two apartments, and then euphorik and I will get DSL while ardent keeps his cable. In this way we’d hopefully never both be out of Internet access (unless we lost power or something) and can use the other person’s connection as a backup. Details to be finalized, and we’re not even sure if we can get the wireless link through the building — which is how it’s going to have to be, I think. I don’t think the apartment complex would much appreciate me extending an arm off my third story porch 10′-15′ to point an antenna at ardent’s porch.

Things you need, and the versions I used (in order of building):

• libpcap 0.7.1

• Ethereal 0.9.7

• GpsDrive 1.30

• Kismet 2.6.2

In addition, my YDL machine needed ImageMagick >= 5.4.7 and ucd-snmp-devel (and ucd-snmp probably, maybe ucd-snmp-utils if you feel like it). I also used the latest version of the airo_cs driver. Install these packages before building the above.

I grabbed the ucd-snmp SRPM from Red Hat 7.3 and rebuilt it in YDL 2.3. Ethereal (IIRC) uses the ucd-snmp-devel package; while it’s not required, I tried to build as much stuff in as I could. You will need to edit your /usr/include/ucd-snmp/snmp.h file, though, for Ethereal’s configure script to successfully enable its SNMP support. After:

#ifdef __cplusplus
extern "C" {
#endif

Which is near the top, add:

#include <ucd-snmp/asn1.h>

Also, the ImageMagick SRPM from RH 8.0 seems to be broken WRT include files. Here’s my ImageMagick spec file that worked for YDL 2.3.

ucd-snmp and ImageMagick I built RPMs for and installed. The other stuff I kept in my (non-root) user’s home directory. I made a root directory there. Use this root directory with the --prefix option for all the packages’ configure scripts. Building with PPC I also put RPM’s value for RPM_OPT_FLAGS in the CFLAGS environment variable before I ran the configure scripts. For example, I built Kismet with:

CFLAGS='-O2 -fsigned-char' ./configure --prefix=$HOME/wireless/root           
                                --with-ethereal=$HOME/wireless/ethereal-0.9.7 
                                --disable-setuid

(BTW, IIRC you can see rpm’s value for RPM_OPT_FLAGS with rpm --eval '%{optflags}n'.) After doing this don’t forget to edit the path to any files in kismet.conf and kismet_ui.conf. Also, beware that there may be a bug in either the newest airo_cs driver or in YDL’s 2.4.19-4a kernel. If you have problems finding files in /proc/driver/aironet reboot the system.

I edited the kismet script as well, to make it run without assuming it’s suid root (and without assuming . is in the path). Here’s my kismet script.

Battery life on darkbook seems good enough. Probably something like three hours. I thought I could use pmud to put the system into “low power usage” or something like that, but if so I can’t figure out how to do that now. Actually, while I was typing this the system suddenly went from 0:22 minutes showing in the battery meter on my Gnome panel, to warnings on my screen saying “one minute remaining”, to going into snooze. At least it figured out that (perhaps?) the battery remaining time was wrong and put the system to sleep.

You don’t realize how much you like your creature comforts until your power goes out.

Some of you may have heard the bit about “bad storms in North Carolina.” (Indeed most people reading this quite likely are in North Carolina.) Apparently it was true. Usually I pooh-pooh any winter weather warnings in this state. After all, I’m a Yankee. We saw snow in Chicago a bit more than you do here. In this case, though, all hell really broke loose. Traffic lights are out all over the city and people are driving like idiots. On Wednesday night, in the middle of me fixing up our firewall to pass traffic to our new name server IPs, the power went out. It stayed our until about 1030 on Thursday.

It’s scary being without power. I don’t hear the sound of my boxes running at night. I miss the slight light that all the LEDs and such give off in my room. I don’t have the white noise of the bathroom fan running when I go to pee. (We didn’t really miss the heat. We still have the A/C on.) I realized how little there is to do without computers. I could have fired up my laptop, but I didn’t have any Internet access and I wanted to conserve the battery in case I really needed it for something. I woke up once in the middle of the night and swore I saw a blue flash in my window. I was either abducted by aliens or it was another Transformer blowing. Our cable service, and therefore our cable modem, is out. We’re sharing my VNet 56K dial-up connection right now. Oh the horrors.

I take back the nice things I said about NSI previously. When I called them on Wednesday to figure out why they refused to change the IPs for my name servers, they first told me my original rejection was basically a data entry error on their part. (The guy actually said, “someone must have hit the wrong button.”) Then it came back and said something like “we’re unable to make these changes because this DNS server already exists.” Yes, thank you, I know it exists. I want to modify it. So I call back again, and now, on the third or fourth call (I forget which) the guy says, “hey, we can’t change these name servers: they’re in a domain that’s not registered with us.” Unfortunately this is what I told the first fucking guy I called. Went to Dotster and finally found the place to change the IPs there. Worked like a charm.