Undrblog - Linux

SLES 10, your kernel is not safe!

nospam@example.com (War) — Wed, 07 Oct 2009 15:34:00 -0400

So, i recently came across a startling discovery. On a SLES 10 server, when you install a kernel update, the update process kindly DELETES your old kernel. It's not clear to me yet if it does this after its next succesful reboot, or if it does it during the update. In other words, the people at SuSE/Novell are SO confident that you'll never have a problem with a brand spankin new kernel, that they perform without a net. I'm a very conservative sysadmin. I don't like to do anything without a backup plan. When it comes to kernel updates, that backup plan is option 1 in my grub.conf (option 1 being the second option in my boot list, generally, my old kernel). From what I'm reading, there's also no way to tell the update process NOT to delete the old kernel. So you're sort of stuck with this behaviour. This actually bit us a few days ago, when due to some rather odd circumstances, we ended up with a SLES that was trying to boot a kernel that was 1 revision old. Because SLES thought it had cleaned up this kernel, the /lib/modules// directory for this kernel was empty. This obviously caused some confusion on the kernel's part, and it refused to boot. If the update process had left the older boot/module files alone, and left it up to a responsible sysadmin to clean up old kernels when they saw fit, this wouldn't have happened. Granted, in this case, the server had other issues, but that's a different story.

So I've set out to fix this. Giving yourself some peace of mind is as simple as taking your kernel, and its modules, and locking copies of them away in a safe deposit box (or at least a backup directory) during the update process. And then putting them somewhere accessible afterwards, then re-add ing the old kernel to grub. This is all well and good, if you had one, maybe two servers to worry about, go ahead and do it manually. If you have a couple dozen, this is a considerable amount of work to do manually, and it takes up your time!

So, i wrote a script to do it for you! It's a perl script, and it should run on a base install of SLES (or, so it has in my testing).
You can download it here.

Just download it to your SLES server, and run it, it'll do the work for you. Run it before your update, and select option 1, which backs up the kernel. Then run it again after the update, and select option 2, which restores the kernel.

Enjoy!

-War

iostat demystified

nospam@example.com (War) — Thu, 24 Sep 2009 12:27:12 -0400

Recently, we've been looking into our options for a new SAN at work. That I'll save for a whole other post. In our search, it became apparent that we didnt truly understand how much we were utilizing our current system. Our current product requires that we purchase a license in order to check these statistics on the SAN, so we turned to the servers for some more insight.

The majority (if not ALL) of our servers are running some flavour of linux, most of which are RHEL 4.x and 5.x. RHEL (and most other distro's) offer a package called sysstat, which includes an I/O reporting tool called iostat.

The output of iostat looks something like:



[war@somehost ~]$ iostat -x

Linux 2.6.30.5-43.fc11.i686.PAE (somehost) 	09/24/2009



avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           1.87    0.01    1.52    0.22    0.00   96.38



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda               0.08    24.70    4.79    4.36   258.97   232.48    53.74     0.21   23.45   2.27   2.07

sda1              0.00     0.00    0.00    0.00     0.00     0.00    16.26     0.00    7.58   6.91   0.00

sda2              0.08    24.70    4.79    4.36   258.97   232.48    53.74     0.21   23.45   2.27   2.07

dm-0              0.00     0.00    4.83   28.95   258.63   231.64    14.51     0.04    1.21   0.61   2.07

dm-1              0.00     0.00    0.04    0.10     0.34     0.84     8.00     0.02  120.62   1.57   0.02

This is a bit daunting. Lots of info, and no real descriptions. sda{1,2} are your partitions/mounts, dm-{0,1} are virtual devices used by LVM (if you're using LVM). The rest is somewhat cryptic. The man page for iostat clears things up slightly, but you may not have a full understanding after just reading these descriptions.

(from the iostat man page)
rrqm/s: The number of read requests merged per second that were queued to the device.
wrqm/s: The number of write requests merged per second that were queued to the device.
r/s: The number of read requests that were issued to the device per second.
w/s: The number of write requests that were issued to the device per second.
rsec/s: The number of sectors read from the device per second.
wsec/s: The number of sectors written to the device per second.
rkB/s: The number of kilobytes read from the device per second.
wkB/s: The number of kilobytes written to the device per second.
avgrq-sz: The average size (in sectors) of the requests that were issued to the device.
avgqu-sz: The average queue length of the requests that were issued to the device.
await: The average time (in milliseconds) for I/O requests issued to the device to be served.
svctm: The average service time (in milliseconds) for I/O requests that were issued to the device.
%util: Percentage of CPU time during which I/O requests were issued to the device (bandwidth utilization for the device). Device saturation occurs when this value is close to 100%.

Personally, I'm working on learning this output, so I'm going to use this blog entry as my notes on what these stats mean, and how they react to disk activity. I'll review all of the stats which i've been able to figure out.

rrqm/s and wrqm/s, r/s and w/s

These are all about read and write requests that had to be queued because the drive was busy when the request came in. You can drive these up with some simple tests.

Use DD to write a lot of data to a local disk, and you'll see the wrqm/s, and w/s counters raise.

I started iostat, and then started dd, writing a 2GB file to my home directory.
dd:



[war@somehost ~]$ dd if=/dev/zero of=foo bs=8k count=262144

262144+0 records in

262144+0 records out

2147483648 bytes (2.1 GB) copied, 31.0321 s, 69.2 MB/s

[war@somehost ~]$

Now, here's the iostat command, the -x displays extended statistics, and the 1 tells it to refresh every second.



[war@somehost ~]$ iostat -x 1

Linux 2.6.30.5-43.fc11.i686.PAE (somehost) 	09/24/2009



avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           3.71    0.00    2.99    0.00    0.00   93.30



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda               0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

sda1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

sda2              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

dm-0              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

dm-1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00



avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           1.44    0.00    5.78   12.15    0.00   80.63



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda               0.00  7811.00    3.00  395.00    40.00 29024.00    73.03    48.30   76.60   1.11  44.10

sda1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

sda2              0.00  7811.00    3.00  395.00    40.00 29024.00    73.03    48.30   76.60   1.11  44.10

dm-0              0.00     0.00    3.00 8354.00    40.00 66832.00     8.00   949.32   51.63   0.05  44.10

dm-1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00



avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           4.29    0.00    4.29   35.00    0.00   56.43



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda               0.00 13542.00    0.00  372.00     0.00 108336.00   291.23   141.91  350.92   2.69 100.00

sda1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

sda2              0.00 13542.00    0.00  372.00     0.00 108336.00   291.23   141.91  350.92   2.69 100.00

dm-0              0.00     0.00    0.00 13897.00     0.00 111176.00     8.00  5494.24  349.96   0.07 100.00

dm-1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00



avg-cpu:  %user   %nice %system %iowait  %steal   %idle

           1.44    0.00    4.56   32.73    0.00   61.27



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda               0.00 18120.00    0.00  468.00     0.00 147456.00   315.08   138.46  316.45   2.14 100.00

sda1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

sda2              0.00 18120.00    0.00  468.00     0.00 147456.00   315.08   138.46  316.45   2.14 100.00

dm-0              0.00     0.00    0.00 18592.00     0.00 148736.00     8.00  5450.12  313.56   0.05 100.00

dm-1              0.00     0.00    0.00    0.00     0.00     0.00     0.00     0.00    0.00   0.00   0.00

/dev/sda2 is a Logical Volume that contains / on my system.
/dev/dm-0 must be the virtual device for that logvol (honestly, i'm guessing here, look at iostat, you'll see what i mean, look at the w/s on dm-0!)

Now, let's see if we can get the read counters to raise.

First i tried scping a file from my workstation, to my laptop. That didnt really get me the dramatic raise in activity that dd did. Understandably, its a much slower process. Let's see what else i can abuse.

I connected my blackberry via usb 2.0. It's got 8gb of memory. This is the closest thing to a usb mass storage device i had handy.

This was slightly better, but still not extremely fast. I suppose the best way to stress this would be a local drive to local drive copy. At any rate, i did see the r/s and rrqm/s counters rise while the copy was being performed.

Ah Ha! /dev/null is the answer. Copy your 2gb file (created by DD earlier) to /dev/null. You'll see r/s jump. I got about 800 out of my test.

rsec/s and wsec/s

These counters are very similar to r/s and w/s, except that they deal with sectors. Whether these are useful to you are not, depends on what sort of data collection you're looking for.

In our example from earlier, you can see the wsec/s rose as w/s and wrqm/s did.



Device:         rrqm/s   wrqm/s     r/s     w/s   rsec/s   wsec/s avgrq-sz avgqu-sz   await  svctm  %util

sda2              0.00  7811.00    3.00  395.00    40.00 29024.00    73.03    48.30   76.60   1.11  44.10

await

This is a rather important stat. This tells us how long requests sent to the drive are being forced to wait, in milliseconds. The higher this nubmer gets, the more of a bottleneck we can see in our storage.

I'm continuing to work with this utility, I'll post more progress as it comes along. I'm hoping to truly get a feel for the rest of the stats.

-War

PeerGuardian lists, imported to iptables.

nospam@example.com (War) — Fri, 11 Sep 2009 23:28:53 -0400

At home, I have a Smoothwall which connects my network to the internet. It's a very robust replacement for these soho routers that everyone seems to use. It's not quite as plug and play, but it works very well, and I have a lot more control over it.

I also run PeerGuardian, from Phoenix Labs, on my workstations to help block certain access to my machines. Peer Guardian is a great program, and most of the time it works very well. The problem is, sometimes it has issues, and to be honest, I always thought it'd be cleaner to put the firewalling, on my.... Firewall! So i set out to find a way to add peerguardian's lists to my Smoothie.

There's a Project called moblock, which is supposed to do this. Well, i've never seen it work. Thats not to say it doesnt work, i just couldnt get it working on my Smoothie. So for a very long time, i went on using peer guardian locally. Well recently I happened to be watching peer guardian run its update, and realized that it;s pulling its lists from an http address. Makes sense that i might be able to do the same, right? So i pointed my web browser there, and sure enough, i'm presented with a list of rules! Rules that dont match iptables, but look very easy to parse! So, I did just that. I started writing my own parser, and before long, i had a very long list of iptables compatible rules. By very long, I mean long! Over 226000 lines!

I decided that the best way to make this list easy to update was to create a new chain, called PGBLOCK, and put my rules in there. I also created a chain called PGALLOW which supersedes the block list. So i can add exceptions if i'd like.

So, on my Fedora 11 Test machine in added the following to /etc/sysconfig/iptables.

After the chain definitions (the :CHAINNAME [number:number] lines) i added 4 lines.
-N PGALLOW
-N PGBLOCK
-A INPUT -j PGALLOW
-A INPUT -j PGBLOCK

This adds the chains, and adds them to the iptables INPUT chain. This tells iptables to pass all inbound packets through my chains before they even touch any other rules.

At first, i tried entering all of my rules into the PGBLOCK chain. This worked, but delayed every inbound packet to the point that my network connection was almost useless.

So I made a slight change. I made a new chain for each class a. 253 in all (i skipped 10. and 127.), and then i setup more specific rules inside of the PGBLOCK chain. PGBLOCK now contains lines similar to:

-A INPUT -s 1.0.0.0/8 -j PGBLOCK1
-A INPUT -s 2.0.0.0/8 -j PGBLOCK2
..
-A INPUT -s 254.0.0.0/8 -j PGBLOCK254
-A INPUT -s 255.0.0.0/8 -j PGBLOCK255

Now each packet gets subjected to a couple hundred (or thousand) rules instead of 226000 of them.

Wondering if you can get ahold of my script?
Here it is: http://www.undrground.org/scripts/getpg.tar.gz

Making this work is pretty easy.
There are a few variables at the top of the scipt that point to where you'd like some things to be saved. It needs a scratch directory for the lists it downloads. You need write access as the user youre running as, to the directory you're running it from, and the lists directory, of course. But just set all that up, and run the script. It'll generate a file called pg.firewall. Use that along with iptables-restore to build the firewall.

iptables-restore --noflush < pg.firewall

Now, updating the firewall is a little more tricky, you need to flush the tables manually before re-importing. I did this with a perl script that looks something like:

#!/usr/bin/perl
foreach (1..255) {
if ($ eq 10 || $ eq 127) {
next;
}
system("/usr/sbin/iptables -F PGBLOCK$_");
}
system("/usr/sbin/iptables-restore --noflush < /root/pg.firewall");

This flushes the tables, and then imports the new list.

I hope this helps someone else out along the way. Enjoy!

-War

Install SLES 10, via Autoyast through KickStart.

nospam@example.com (War) — Fri, 15 May 2009 16:23:35 -0400

I work in a predominantly RedHat Enterprise Linux shop. We have a number of servers, all running RHEL. Doing a number of different things. Things like mail, and dns, and other such services that you'd expect to see running at a college.

We also have a number of Novell servers, which are doing, primarily, file services for employee's and students. We are in the process of migrating from Novell's proprietary netware platform, to SLES (Suse Linux Enterprise Server). There are linux equivelant services which run on SLES for each of the NetWare services that we offer. This means we have the need to build a number of SLES servers. We already have a KickStart server setup in order to install RHEL in a rapid fashion, including all of our standard packages, ssh keys, and whatnot. We thought it might not be a bad idea to look into whatever SUSE offers that might be similar to Kickstart. I looked into it, and found out about AutoYast. Yast is the setup tool that SUSE uses to install with (just like RHEL's anaconda), and just like RHEL, when you install a SUSE box, it generates a config file, for use with its installer, which summarises the options which you configured.

I started reading about how to setup a SLES boot server, similar to our KickStart server, and found a number of similarities, in fact, they're almost identical. They both use tftp as a means of getting boot images out to the clients, they both use their own internal DHCP servers to assign addresses to PXE clients, and they both use PXE. So it got me thinking. Can i just add SLES to my KickStart boot menu? Hell, it s worth a shot!

This is not a complete howto. It's intended to show you how to add an autoyast setup to an existing kickstart server. My setup may differ from yours, but if you're familiar with KickStart, you should be able to take the information and apply it to your setup.

There are a few things you'll need.
A setup, and fucntional kickstart server
a SLES install disc (or iso image thereof)
an autoinst.xml file from a SLES install.

First, take your SLES install files, and copy the boot files off of it, into a directory inside of your tftp root. For me, this was:
From install media: /boot/x86_64/loader/initrd and /boot/x86_64/loader/linux
Copy to: /tftpboot/linux-install/sles/initrd.img and /tftpboot/linux-install/sles/vmlinuz

Now, you'll need to make the install media accessible to the pxe booted installer.
I did this via http. I happened to be working with an ISO image of the cd. So i mounted the iso to /var/www/html/sles with something like:
mount -o loop /path/to/iso/file.iso /var/www/html/sles
This makes the install media available via http://kickstart.server.com/sles

Now you need to put your autoinst.xml file into a web accessible area, i put it in /var/www/html. so it would be available at http://kickstart.server.com/autoinst.xml

These are all obviously sensitive files, if i were you i'd secure them somehow.

We have our kickstart server running on a private network, and we power it down when we're not actively installing anything.

Now, there are some config changes to make. We have things setup such:
/tftproot/linux-install/pxelinux.cfg/default is where we keep the boot loader config, and
/tftproot/linux-install/msgs/boot.msg is where we keep the menu display file.
Add something like this to your equivalent of my "default" boot loader config:
label 5
kernel sles/vmlinuz
append initrd=sles/initrd.img ramdisk_size=65536 autoyast=http://kickstart.server.com/autoinst.xml install=http://kickstart.server.com/sles/

Then add something denoting "5" as the item for sles, on your boot.msg file.

This is just about it, you'll want to have a good look at the autoinst.xml file, you can read about what's in there, and how to modify it here: http://www.suse.de/~ug/autoyast_doc/Profile.html

I am still in the process of tweaking my config, but that should get you up and runing, and to the same point that i'm at. Which is, the kick start portion is out of the way, and it's just getting the auto install xml file perfect.

Happy kickstarting!

-War

Linux, and XM.

nospam@example.com (War) — Mon, 13 Apr 2009 11:41:31 -0400

Over the past week or so, I've been trying to figure out a way to get XM Radio Online to work in Linux.
I just wanted to share my experience, findings, and eventually, success!

XM's online web player does not work in linux. Or, I havent been able to get it to work anyway. I'm running Fedora Core 10, when I tried to load a stream throug the XMRO web interface, firefox loaded a player (i think it was totem, but its difficult to tell...) and basically hung. Not firefox,the player. It loads embedded in the page, and you cannot interact with it. I assume trying to load the stream hung the player.

So i started googling. I ran across a few references to a few players that would play mms:// streams (the format that xmro uses), but you need to get the stream's address. I wasn't really sure how to get that address. So these options were less attractive. Then I ran across uniXM. http://sourceforge.net/projects/unixm

It uses qt, so you'll need qt installed, maybe even KDE. I already had KDE installed, so I did not need to install qt. I did need to install qt-devel through yum in order to get qmake. You basically download the package, make sure you have the dpendancies, and then qmake, make.

I ran into some issues, detailed in this thread on linuxquestions.org, http://www.linuxquestions.org/questions ... ec-717227/.

Detailed in that thread, you'll see links to downloads for the codecs needed, and the packages you'll need to grab from yum to get xine setup with the right libraries.

Thus far, I like the player. It loads my presets, and channel data from xmro. It displays the song title and artist, and it doesnt have the 2 hour cut off that the web player has.

Good app, alittle difficult to setup, but with the info in that thread you should be good.

-War

CentOS5!

nospam@example.com (War) — Fri, 15 Feb 2008 14:34:14 -0500

I've upgraded my linux server to CentOS5! The move was actually pretty easy. Other than some PHP 4 vs PHP 5 issues, everything just sort of ported right over. It's amazing how easy it is to migrate a Linux server to a new install. Working with windows servers all day has me dreading moves like this. It was refreshing to get back to a stable, flexible operating system for a change.

New features? Well, there arent many. Just PHP5, and newer, faster hardware. I;m still not running on state of the art equipment, but i dont expect i ever will be. This server just isnt important enough for that.

-War

Linux on your TV - MythTV

nospam@example.com (War) — Wed, 07 Nov 2007 15:42:06 -0500

I;ve got a PC connected to my living room tv at home. (Does that surprise you?) We use the PC as a media center. It;s currently running XP Pro. Not a bad setup, but recently i've been having problems with XP.. It'll jump while playing DVD's, and it's just not performing like it did when i first installed it. As happes to most XP installs, it's probably time to wipe it, and reinstall. Man.. I hate windows.

Anyway, I took this opportunity to start looking into alternatives. I know i can get a DVD player for Linux, and for me it'd be great, but i need something that;s user friendly enough that my wife can sit down and watch a movie while i'm at work, or whatever. I've been unable to find a dvd player for linux that lives up to my expectations. Sure, i can watch a DVD, but the UI is usually a little less than friendly. While that's no problem for me, it makes it difficult for anyone else to just use it as a player. In XP i just have an icon on the desktop for WinDVD and the program's UI is easy enough for just about anyone to figure out. I've tried Ogle on Fedora Core 7, and while it worked, the UI wasnt nice, and it didnt expand to full screen nicely. Xine does a better job of playing, but the UI isnt friendly.

Enter MythTV. I've read about it before, in fact i read a very long write-up on setting up MythTV as an all in one PVR with network storage. Excellent! I dont have the resources at the moment to setup a whole network just for my entertainment, but i DO have one PC, connected to a TV, that needs a nice friendly DVD player. MythTV does it all! There's plugins for all sorts of things, news feeds, game system front ends, and, of course, DVD playback. Myth was originally designed as a PVR. With a TV Turner card, you can use Myth to build your own cable box, with a channel guide, timed recordings, the works! So i've set out on the quest of getting Myth configured for DVD playback, and once i have the spare cash, i'm going to get a tuner card for it. I'll post more once i've actually done this.

I tried to install Myth on my FC7 install, but it just wasnt cooperating. It runs, but i'm getting some backend erros, and for some reason displayed fonts dont work? So i found this modified FC6 distribution called MythDora It takes Fc6, and pre-builds Myth into the install. I just went through an install of it on my Laptop, just to test it out, and it looks damn nice. We'll see how it pans out when i get home and install it on my entertainment pc.

-War

The Mentor's Last Words

nospam@example.com (War) — Wed, 05 Sep 2007 22:40:13 -0400

A blast from the past... I was cleaning up my computer room and I ran across my "stash" from when I was a teenage hacker kid. Which consisteded of 10 floppy disks, containing things like, The Nowhere Utilities, CyberPhreak, VCL, a bunch of old outdated warez serials, and a ton of text files! I never did anything other than tinker with CyberPhreak, the Nowhere utilities were just a cool pack of utilities, VCL.. hell, i dont have it in me to create a virus, and actually distribute it to anyone other than the kid down the street that cheated me in Doom, but the texts.... man, i used to spend hours reading all the text info I could find. Thats probably why I am who I am today, and probably why I chose the IT field as my profession. One of the most profound things I can recall reading back in those days was "The Mentor's Last Words", by, of course, The Mentor. It was (somewhat) featured in the movie "Hackers" though it was chopped up a bit. I'd read it long before Hollywood stumbled across it and put it in their movie.

When I was in Business School, for PC Networking, I had a public speaking class, and I used this piece as the subject of one of my speaches. I'd like to think that the class took something away from the whole presentation. Anyway, because things like this seem to be fading to the background in todays age of script kiddies, botnets, bullshit malicious viruses, and people who care more about the allmighty dollar than even a shred of knowledge... (ranting.. i know), I've decided to post this bit of computer history here, for everyone to (re)read...

Enjoy!

Mentor's Last Words

"Mentor's Last Words"

Another one got caught today, it's all over the papers. "Teenager
Arrested in Computer Crime Scandal", "Hacker Arrested after Bank
Tampering"... Damn kids. They're all alike. But did you, in your three-
piece psychology and 1950's technobrain, ever take a look behind the
eyes of the hacker? Did you ever wonder what made him tick, what forces
shaped him, what may have molded him? I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the
other kids, this crap they teach us bores me... Damn underachiever.
They're all alike. I'm in junior high or high school. I've listened to
teachers explain for the fifteenth time how to reduce a fraction.
I understand it. "No, Ms. Smith, I didn't show my work. I did it in
my head..." Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is
cool. It does what I want it to. If it makes a mistake, it's because I
screwed it up. Not because it doesn't like me... Or feels threatened by
me.. Or thinks I'm a smart ass.. Or doesn't like teaching and shouldn't be
here... Damn kid. All he does is play games. They're all alike. And then
it happened... a door opened to a world... rushing through the phone line
like heroin through an addict's veins, an electronic pulse is sent out,
a refuge from the day-to-day incompetencies is sought... a board is found.
"This is it... this is where I belong..." I know everyone here... even
if I've never met them, never talked to them, may never hear from them
again... I know you all... Damn kid. Tying up the phone line again.
They're all alike... You bet your ass we're all alike... we've been
spoon-fed baby food at school when we hungered for steak... the bits of
meat that you did let slip through were pre-chewed and tasteless.
We've been dominated by sadists, or ignored by the apathetic. The few
that had something to teach found us willing pupils, but those few are
like drops of water in the desert.
This is our world now... the world of the electron and the switch, the
beauty of the baud. We make use of a service already existing without
paying for what could be dirt-cheap if it wasn't run by profiteering
gluttons, and you call us criminals. We explore... and you call us
criminals. We seek after knowledge... and you call us criminals. We
exist without skin color, without nationality, without religious bias...
and you call us criminals. You build atomic bombs, you wage wars, you
murder, cheat, and lie to us and try to make us believe it's for our
own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is
that of judging people by what they say and think, not what they look like.
My crime is that of outsmarting you, something that you will never
forgive me for. I am a hacker, and this is my manifesto. You may stop
this individual,but you can't stop us all... after all, we're all alike.
+++The Mentor+++

Hope you've enjoyed the read...

-War

Smooooth

nospam@example.com (War) — Tue, 21 Aug 2007 19:40:11 -0400

Have you ever built a firewall from scratch?

Did you build it, thinking that you'd thought of everything, just to find out later than you missed something? I have... So when I decided to replace my old, tired, un-reliable Linksys SoHo router with a full blown firewall, I dug for pre-built linux-like firewall distributions.

A co-worker turned me on to Smoothwall Express. It runs a linux kernel, iptables, and a host of custom written seciruty apps. On top of that, there's a whole team of coders/security guys working to develop it. AND you can download the whole source tree, and build it on your own!

I downloaded the Smoothwall Express 3.0 Beta SP2 ISO. Installed it, and loved the features! A day or so later, I decided that I wanted to limit the number of simultaneous connections allowed to my BBS, so i tried to add an ip connlimit rule to iptables.... NO! Ip-connlimit is busted. So i took the smoothwall down in an effort to find a better solution. Well, no better solution exists. So I spent A MONTH working on building a custom, from source, smoothwall, with a patched, and working ip-connlimit module. The end result? A rock solid firewall, with a ton of nifty geeky tools, AND connection limiting. One of the developers even hinted that he might be taking my work, and putting it into the release! Pretty nice if you ask me.

-War