Chevrolet '66

High IQ? Then you can't be a policeman

2008-06-13T14:21:00.002+10:00

A man is barred from interview to the New London police for having too high IQ.

Screen to the rescue

2007-10-31T21:12:00.000+11:00

I couldn't find a BitTorrrent client which can be executed without a terminal (and therefore from within "at") in time for tonight so attaching "screen -d -m btdownloadcurses ..." solved the problem. This starts the command in a detached screen session so on one hand the command thinks it has a terminal while on the other hand I can still start it from inside "at", which doesn't have a terminal. It also has the added benefit of being able to attach back to that screen session later to see how it goes, which is the main advantage of "screen".

Encoding email addresses in HTML pages

2007-10-30T22:52:00.000+11:00

A while ago I noticed that GROX use URL encoding to put their e-mail address
in a "mailto" link. I guess they do this in order to make it more difficult for address harvesters to pick up their e-mail.

In order to do the same for my wife's web site at http://pilatesinsightstudio.com I found the following couple of tricks:

The "mailto" link is encoded using:
perl -e 'use URI::Escape; print uri_escape("the@email.address", "\0-\377"), "\n";'
The title of the link, which I wanted to contain the e-mail address in HTML, was created simply by using the HTML Encoder from CodeHouse

Installing local .deb files with dependencies

2007-10-10T20:15:00.000+10:00

This ("how to install a local .deb file and have all its dependencies automatically pulled from repositories") seems to be an issue which many people ask but nobody gives the current "right answer" which is simply gdebi.

Google Developer Day, Sydney 31 May 2007

2007-05-31T20:28:00.000+10:00

Just returned from the Google Developer Day in Sydney
Learned and refreshed my memory on cool Google staff, especially their API's for integrating extarnal web applications with their.
Some random points, in no particular order:

Contrary to popular perception - Google Earth for Linux does not consist on WINE. It's built on QT. Michael Ashbridge, one of the principal developers, tells me how they keep asking TrollTech to fix some of their quirks (e.g. can't copy a selected a text on Mac using the standard keyboard shortcuts). And before anyone tells me that I'm out of date about "Popular Perception" - another speaker from Google, who works with Google Earth every day, was also sure that it's based on WINE so I'm not the only out of touch.
Google Web Toolkit (GWT) AJAX applications can control which stage in the application will enter the browser history and thus be bookmark-able and possible to return to using the browsers "back" button. I wonder how they do this - maybe they just "manually" add the URL to the browser's history?
Anyway, that's one sour point that WebCollage used to go to lengths in order to achieve it. Knowing that the people at WebCollage are pretty damn bright I suspect this is a relativelly recent addition (my information on WebCollage is circa 2000 so maybe it's no longer relevant).
Google Gears looks cool - maybe it'll allow me to provide a version of Soarcast (the gliding weather conditions forecasting program) which can be downloaded to a mobile device, fetch the relevant data off the web and continue presenting the data and calculation results while being offline in the glider port.

Lots of other ideas come up when hearing about these tools. Theforemost one is about new ways to implement an old idea - a web site which lists the Australian Gliding clubs on a google map and provides soarcast output for each selected club.

Smoother X11 fonts

2007-05-29T10:45:00.000+10:00

Something I found a long time ago and now had to lookup again so it's time to write it down here.

In order to enable smoother (and nicer, IMO) fonts on X11 you have to have the following in your ~/.fonts.conf:


<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "fonts.dtd">
<fontconfig>
 <dir>~/.fonts</dir>
 <match target="font">
  <edit name="autohint" mode="assign">
   <bool>true</bool>
  </edit>
 </match>
</fontconfig>

On Debian things are easier - the global settings for the entire system can be enabled by running the following as root:

# ln -s ../conf.avail/10-autohint.conf /etc/fonts/conf.d

And re-startting the X server (not sure a logout/login is enough).

Setting up Gallery2+PostgresQL+PHP5 on Debian Etch

2007-02-22T16:45:00.000+11:00

The Gallery2 package for Debian Etch seems to be very well done, except one thing - it's geared towards MySQL usage (the Gallery makers recommend MySQL because they say that they use some special MySQL constructs which have to be emulated on other databases).
My view on this is:

I prefer PostgresQL - it's a more mature database.

I prefer Apache2

I prefer PHP5 - I hate this language and think it has tendency to push poor programmers to shoot themselves (and their users) in their feet but if I have to install it on my machine then I'd rather use the latest and greatest.

I prefer mod-php5 as opposed to the other ways to integrate Apache2 with PHP.

In addition, the Debian packages state their dependencies in a way that seems to encourage Aptitude to choose Apache (1), MySQL and PHP4.

So first thing first: After picking gallery2 for installation in Aptitude, go through all the packages it depends on and remove the ones you don't want and which have other alternatives. Get rid of the PHP4 and MySQL dependencies - Aptitude makes it pretty easy by simply making sure that you choose other packages to satisfy the dependencies and remove the rest. Just follow the suggestions made by Aptitude when you ask to remove a package with dependencies on it, and make sure that Aptitude doesn't signal "Broken Packages" before going ahead to execute the changes.

Setup a separate user for gallery:
$ sudo adduser --system --group gallery

Does the trick - add a system user (with a shell of /bin/false), create a home directory for it and a group especially for it.

The following should be pretty self-explanatory but the summary is: Create a new role ("user"), create a database, set a password, allow role to be logged in:
$ sudo -u postgres psql
postgres=# create role gallery;
postgres=# create database gallery owner gallery;
postgres=# alter role gallery encrypted password 'password';
postgres=# alter role gallery login;
postgres=# \q
Allow logging in to role "gallery" from another user without having to run psql as the UNIX user "gallery" by adding the following lines to the end of /etc/postgresql/8.1/main/pg_hba.conf:

local gallery gallery md5

And I also had to enable access to Gallery2's index.php by adding "Indexes" to the Options line in /etc/apache2/conf.d/gallery2 (link to /etc/gallery2/apache.conf

After that I could access my web server's "/photos/" and start the automatic configuration.

How to block Skype traffic with one iptables rule

2007-02-15T11:22:00.000+11:00

There is an interesting lecture (PDF) by Philippe Biondi and Fabrice Desclaux about how and what they learned about the Skype client code and protocol. On page 75 they give the following secret incantation for blocking Skype traffic:
iptables -I FORWARD −p udp −m length −−length 39 −m u32 −−u32 ’27&0x8f=7’ −−u32 ’31=0x527c4833’ −j DROP

xdns - archeological diggings

2007-02-09T12:57:00.000+11:00

Finally I re-found my own DNS Library source still almost at the same place where I left it almost 15 years ago.

Granted - the "xdns" program around it is pretty useless today, and the dns packet creation and parsing library is a classic candidate for C++ -style Object-based interface, but the basics are still there and might be useful for others who still have to deal with raw DNS packets...

SSH breaks when the loopback device isn't configured

2007-02-01T11:24:00.000+11:00

Helping others troubleshooting is great fun and very rewarding - you get to learn some new things yourself.

In this case, this chap had a trouble getting X11 forwarded over an SSH tunnel. Everything looked fine, the same setup on another machine worked just as it should, all the flags (X11Forwarding) were set correctly but still the $DISPLAY envariable wasn't set on the remote side.

The bottom line - the loopback device ("lo") wasn't configured. This can be checked with a simple "ifconfig".

The break-through in the investigation came when he executed sshd in debug mode and received the following errors:

debug2: bind port 6999: Cannot assign requested address
...
Failed to allocate internet-domain X11 display socket.

Some googling revealed the following post, which actually gave the answer (so at least some of the credit should go to Jim Prewett, who bothered to document his findings four years ago): http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=104336969724537

WARNING: You have to run sshd in debug mode on an alternate port because sshd debug mode will only serve one connection then exit, so you have to keep your existing non-debug sshd running or else you'll lock yourself out.

Parallel xargs and faster ssh connection initiation

2006-10-11T15:50:00.000+10:00

You learn something new every day, even with old friends such as ssh and xargs.

SSH: It turns out that it's possible to create a live "Master" connection to a specific remote host which then can be used by other ssh command executions to quickly open sub-channels to that host without going through the authentication process every time and without compromising on security.

Example:


$ ssh -fMN -o ControlPath=~/.ssh-control-sock remote-host
$ ssh -o ControlPath=~/.ssh-control-sock remote-host date

more about this in ssh(1) and ssh_config(5)

XARGS: In response to some Digg pointer to xjobs, which seems to be similar to xargs only it can run multiple jobs in parallel, someone pointed out to xargs' own -P (--max-procs) argument which does exactly the same. Just have to remember to limit the number of file names passed to each job using -n (--max-args), otherwise all the file names will be passed to a single job.

The final IPTables setup and some initial results

2006-09-22T20:08:00.000+10:00

Hi and welcome back. I've just realized that I haven't published the final solution for data gathering. So in this post I'll:

Describe the IPTables setup
Show the initial script I wrote to read the results
Show some preliminary raw data

IPTables Setup
I've changed the setup described in the first post about the subject to also add the "foreign" side of each identified Skype connection to the "recent" list (using the "recent" module). That way when an ICMP packet arrives from a host in that list I assume that it's related to Skype (I guess there are very slim chances to have Skype traffic with a server such as web hosts).

Here is the updated setup:


# match all outgoing packets from gid skype, mark their connection
# and add their destination to the "recent list" so we can count ICMP packets to/from them
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0   --protocol tcp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 1
iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0   --protocol udp -m recent --rdest --set --name Skype -j CONNMARK --set-mark 2

# count ICMP packets going to hosts which appear in our "recent" list
iptables -A OUTPUT --out-interface eth0 --protocol icmp -m recent --rdest   --name Skype --update -j ACCEPT -m comment --comment skype-out-icmp

# all packets which match the connection should go through the skype rule
iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp

# match all packets on Skype's public TCP port and mark their connection
iptables -A INPUT -p tcp -m tcp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 1
iptables -A INPUT -p udp -m udp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 2
# count ICMP packets coming from hosts which appear in our "recent" list
iptables -A INPUT -p icmp --in-interface eth0 -m recent --name Skype   --update -j ACCEPT -m comment --comment skype-in-icmp

# all packets which match the connection
iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp

The counter reading script was modified to add "icmp" to the list of protocols it looks for and to total bytes/packets over the various planes: direction (total in vs. total out) and protocol (tcp vs. udp vs. icmp)

Here is what the counters look like after about 25 days of data gathering:


$ sudo ./getcounts.pl
tcp_out_bytes   35838386
icmp_out_bytes  155016
tcp_in_pkts     441671
icmp_out_pkts   1023
icmp_in_pkts    4526
udp_out_bytes   242046393
tcp_out_pkts    540629
icmp_in_bytes   505522
udp_out_pkts    1799468
udp_in_pkts     1607313
udp_in_bytes    204286584
tcp_in_bytes    42500198
====== totals =====
tcp_pkts        982300
tcp_bytes       78338584
icmp_pkts       5549
out_pkts        2341120
icmp_bytes      660538
udp_bytes       446332977
in_bytes        247292304
udp_pkts        3406781
out_bytes       278039795
in_pkts         2053510

I'm still looking for time to add writing of these numbers into an RRD file so it'll be possible to graph them across different periods, but for now my simple conslusion is about the "in_bytes" numbers (and to a lesser degree, the "out_bytes"): they are 235.8 incoming mega bytes and 265.1 outgoing mega bytes.

Over a period of 25 days this puts it at around 9.4 incoming mega bytes per day and 10.6 outgoing megabytes per day. Over a month (let's say it's 30 days) it's 283.0 mega bytes per month of incoming traffic and 318.2 mega bytes of outgoing traffic. This includes my own Skype conversations (admittedly, not much this month).

Whether this proves Cringley's point or not? I'm not sure. I didn't believe that there is that much traffic involved until I startted this experiment, but I'm still not completly convinced it's "too much to handle".

In my personal context it's still less than 2% (1.38%, to be precise) of my download quota of 20Gb per month.

So for now I'm not going to give up on the advantages of a smoother connection (which is the reason I configured my desktop as a "Super-node" in the first place).

I'd be glad to learn from you what you think about the experiment (have I missed some packets?) and the result - do you agree with my conclusion so far or not?

Work journal - u32 isn't going to make it(?)

2006-09-07T21:31:00.000+10:00

I was planning to use the IPTables U32 module to look at the "original packet" which is included in the ICMP packets destined to Skype-related connection attempts but this might not cut it because there are other ICMP messages involved, not just the "port unreachable" I saw at first.

Instead, now I plan to use the "recent" module.

(Note: try running "iptables -m recent -h" to list options not mentioned in the manual. Apparently it's a good thing to do with any IPTables module)

The "recent" module is designed with "keep the bad guys out" situation in mind (by adding attacker's source address to a tempoary list) but with the "secret" --rdest option, which allows me to add destination addresses of outgoing packets, it might be possible to add the IP of any host with which Skype have just attempted to converse to a temporary cache which will allow this host to send back errors and which will automatically expire in a preset time.

Counting Skype traffic - Part 1 - Gathering the data

2006-09-07T14:13:00.000+10:00

In his weekly column "I, Cringly", Robext X. Cringly made the statement that Skype's Supernodes (nodes which offer to mediate traffic for other nodes which can't talk directly with each other because both of them are behind NAT) suffer from a very high load of traffic which isn't actually used for the Supernode's owner benefit but for other users.

In a later entry in his column, in response to comments he received from readers, he goes on to insist that his statement is true and gives Standford University banishment of Skype for that reason as a proof.

This is an interesting topic for me since I set up my home box as a Supernode because this cuts down dramatically the number of hops skype uses to connect me with people abroad (from 4 hops to 0). Since I buy quota for my ADSL line from my ISP I was concerned how much Skype uses out of this but so far, over a year since I started doing this, I haven't noticed that I use any significant part of my quota, but I couldn't tell exactly which part of my traffic is Skype-related.

That is, until Cringley's column made that itch to scratch too much and I got off my butt to find out.

After a quick check around with colleagues and a quick question on Linux-Il I learned that Linux's IPTables have an "owner" module which does basically just that - filter packets based on the attributes of the process which generates them, be it by command name, uid, gid or similar stuff.

There are some warnings in the IPTables documents that uid and command-name checks work only on non-SMP kernels. The warnings don't mention problems with GID checks. That shouldn't be a big problem in my particular case since I have an old Athlon AMD x32 CPU but for sake of completeness I created a group "skype", made the Skype binary belong to that group and turned on its set-group-id bit, so any process executing this binary actually has GID of "skype".

It also turns out that Skype apparently sends lots of packets to itself over the loopback interface, so I had to make sure I don't count these since they shouldn't affect my Internet traffic.

But that would work only for outgoing traffic - what about incoming traffic on these connections?

Simple! When Skype sends an outgoing packet the entire connection can be marked as "belonging to Skype" so even incoming packets on the same connection will be counted. So I got this part covered.

For sake of curiosity, I mark TCP and UDP connections with different marks so I can distinguish them in the statistics.

Here are the iptable rules related to this:


# iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol tcp -j CONNMARK --set-mark 1
# iptables -A OUTPUT -m owner --gid-owner skype --out-interface eth0 --protocol udp -j CONNMARK --set-mark 2

The first line means: "Append a rule to the OUTPUT chain which will mark TCP connections containing packets from GID 'skype' with connection mark '1'". The second line does the same for UDP only it marks the connections with connection mark '2'.

This should solve the problem for connections initiated by my Skype client.

Now there is another kind of connections - those initiated by other clients.

Now what does it actually mean that my Skype client is configured as a Supernode? It means that it listens on certain UDP and TCP ports for incoming connections (something that non-Supernodes don't have to do since all their traffic is done over connections which they initiate). Any host on the Internet can access these ports through the firewall directly to my Skype client. (In my case I actually had to also configure my ADSL modem/router/NAT to allow incoming connections to this port but that's a separate issue which shouldn't affect the subject of this post).

The practical meaning of this is that incoming packets which initiate a new connection to Skype don't get counted as belonging to it because the IPTable "owner" module only recognizes outgoing packets. The connections will still eventually get counted because Skype will (hopefully) reply to these connections - but the first incoming packet of that connection won't be counted because it will be gone by the time IPTables realizes that this is a "Skype" traffic. The way to identify incoming new connections is simply to mark all new connections to the published TCP and UDP ports as belonging to Skype too:

# iptables -A INPUT -p tcp -m tcp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 1
# iptables -A INPUT -p udp -m udp --dport 21212 --in-interface eth0 -j CONNMARK --set-mark 2

The first line says "Append a line to the INPUT chain which marks all incoming TCP connections to Skype's designated TCP port (21212) which come from the Ethernet card with connection mark '1'". The second line does the same for UDP packets and using connection mark of "2".

All these rule do is to attach connection marks to packets. In order to actually count the packets I setup four separate rules with comments, and later grab the data off these rules:


# iptables -A OUTPUT -m connmark --mark 1 -m comment --comment skype-out-tcp
# iptables -A OUTPUT -m connmark --mark 2 -m comment --comment skype-out-udp
# iptables -A INPUT -m connmark --mark 1 -m comment --comment skype-in-tcp
# iptables -A INPUT -m connmark --mark 2 -m comment --comment skype-in-udp

All these rule do is to match the relevant packets - they don't have to do anything about the packet - IPTables already keeps counts of all matching packets and number of bytes for each rule, and the attached comments make it easy to identify the relevant rules:


#!/usr/bin/perl
use IPTables::IPv4;
sub get_counts {
  my %counts = ();
  my $table = IPTables::IPv4::init('filter');
  unless ($table) {
    warn "failed to initialize: $!\n"; return undef;
  }

  my @rules = ($table->list_rules("INPUT"), $table->list_rules("OUTPUT"));
  foreach my $rule (@rules) {
    exists $rule->{'comment-match-raw'} or next;
    $rule->{'comment-match-raw'} =~ /^skype-(in|out)-(tcp|udp)\0+$/ or next;
    $counts{"$2_$1_bytes"} = $rule->{bcnt};
    $counts{"$2_$1_pkts"} = $rule->{pcnt};
  }
  return %counts;
}

my %counts = get_counts;
while (my ($key, $value) = each %counts) {
  print "$key => $value\n";
}

The "$2_$1_bytes" and "$2_$1_pkts" strings are preparations for DataSource (DS) names to be used in RRD files.

Still to come:

Counting ICMP ECHO requests ("ping") coming from other Skype users (and letting them through but still keeping requests from non-Skype users out) using IPTAbles U32 matching module and possibly "recent" module.

Saving the results in RRD files.

Graphing the results from the RRD files.

Drawing conclusions?

Listing the body of a Bash function

2006-08-29T12:05:00.000+10:00

Everybody who knows something knows that typing "set" in bash(1) will list the values of all shell variables, aliases and functions.

But I wanted to find the definition of a function without having to "set | less" and manually looking for it in the output.

Turns out that typing "type " will give me what I wanted. Only "drawback" is that it also gives a line at the top saying " is a function", which is sort of good because it should allow some automatic way to know what to expect next.

Accessing private web servers through SSH

2006-07-05T05:13:00.000+10:00

I've always knew that it's possible to channel any TCP traffic through ssh but never got around to actually use it (beyond running the SSH client with "-X" to forward X11 traffic) but today I got around to actually test this.

The problem: access devices like my Dlink DSL504G ADSL modem web interface or Sipura SPA-3000 ATA's web interface from my desktop at work.

The solution: actually there are a few of them, I'll list them by the order I tried them:

1. "ssh -L 30000:192.168.1.3:80 my-home-machine" - This tells my SSH client at work that if I connect to port 3000 on my desktop at work it should connect host "192.168.1.3" port "80" from my home machine. This is the private-network address of my ADSL modem. Now I just typed "localhost:30000" in Firefox on my work desktop and got the web interface of my ADSL modem at home. I could add another port (let's say port 30001) to forward connections to my ATA device.

2. Just "ssh my-home-machine" then type "~C" this brings up a command line interface which allows me to then type "-L 30000:192.168.1.3:80" - the effect is just the same as specifying this command line argument on the ssh command line but the advantage is that I don't have to open a new session if I already have one.

3. Last but not least (but I ended up not using it): add a line to the configuration in ~/.ssh/config saying "LocalForward 30000 10.1.1.5:80".

Right now I plan to use option 2 - that way my private home devices are not open to anyone on my workplace network whenever I ssh home but on the other hand I don't have to open a new session whenever I want to access my home network devices.