Monday, March 27, 2006

Linux Firewall HOWTO

I stumbled upon a Brief Introduction to Firewalls that aims to help newbies take their first steps in linuxland by building a firewall. Well, all right. I do recommend this to all of you who want to set up a linux box and (also) use it as a firewall. With a note. The author obviously thinks all services in existence use both TCP and UDP. Not so: HTTP (ports 80 and 443) only runs over TCP, SSH (port 22) only runs over TCP, and the same goes for SMTP, POP, FTP, ... In contrast, NTP (port 123) runs only over UDP. DNS (port 53) is one of the few services that genuinely needs both: UDP for ordinary queries, TCP for large answers and zone transfers. And for DHCP you also need to permit raw ethernet frames, not just UDP packets on ports 67 and 68: the client has no IP address yet and talks through a raw packet socket, which ordinary iptables rules don't filter.
Of course, in theory anything running over TCP can be made to run over UDP and the other way around, but it's not always practical, and so in practice it isn't done.
But that doesn't stop IANA from assigning the ports for both TCP and UDP to services. So, basically, the author is correct in providing such examples. But I would never, for example, permit port 80 UDP access, as there is no web browser or server anywhere that does UDP connections, as far as I know.
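As an added example (not the HOWTO's or this post's own code), the Python script below audits an iptables-save listing for exactly the mistake described above: ACCEPT rules that open a port on a transport the service never uses. The port table, the sample rules and the function names are constructed for illustration; the transports are those of 2006 (today HTTP/3 also runs over UDP 443, so the table would need updating).

```python
"""Audit iptables rules against the transport each service actually uses.
Added example, not code from the HOWTO; port table and sample rules are constructed."""
import shlex

# Constructed table: the transport(s) a service on this port really speaks (2006 view).
SERVICE_TRANSPORTS = {
    21:  {"tcp"},         # FTP control channel
    22:  {"tcp"},         # SSH
    25:  {"tcp"},         # SMTP
    53:  {"tcp", "udp"},  # DNS: UDP for queries, TCP for large answers / zone transfers
    67:  {"udp"},         # DHCP server (clients also send raw frames iptables never sees)
    68:  {"udp"},         # DHCP client
    80:  {"tcp"},         # HTTP
    110: {"tcp"},         # POP3
    123: {"udp"},         # NTP
    443: {"tcp"},         # HTTPS (no QUIC/HTTP-3 in 2006)
}


def _ports(spec):
    """Expand an iptables port spec such as '80,443' or '6000:6010' into ints."""
    ports = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.extend(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_rule(line):
    """Parse one iptables-save style '-A' line into (chain, proto, ports, target).
    Returns None for table names, chain policies, COMMIT and other non-rule lines."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    chain, proto, ports, target = toks[1], None, [], None
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok in ("-p", "--protocol"):
            proto = toks[i + 1].lower()
            i += 2
        elif tok in ("--dport", "--dports"):
            ports = _ports(toks[i + 1])
            i += 2
        elif tok in ("-j", "--jump"):
            target = toks[i + 1]
            i += 2
        else:
            i += 1  # interface, state, multiport match name, ...: irrelevant here
    return chain, proto, ports, target


def audit(rules):
    """Return (line, port, proto, expected_protos) for every ACCEPT rule that
    opens a known port on a transport the service does not use."""
    findings = []
    for line in rules:
        parsed = parse_rule(line)
        if parsed is None:
            continue
        _chain, proto, ports, target = parsed
        if target != "ACCEPT" or proto not in ("tcp", "udp"):
            continue
        for port in ports:
            expected = SERVICE_TRANSPORTS.get(port)
            if expected is not None and proto not in expected:
                findings.append((line, port, proto, sorted(expected)))
    return findings


def rules_for(ports, chain="INPUT"):
    """Emit the minimal ACCEPT rules for the given ports: one rule per transport
    the service really uses, instead of a reflexive TCP+UDP pair."""
    return [
        f"-A {chain} -p {proto} --dport {port} -j ACCEPT"
        for port in ports
        for proto in sorted(SERVICE_TRANSPORTS[port])
    ]


# Constructed sample: a "both protocols for everything" ruleset as iptables-save prints it.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p tcp --dport 123 -j ACCEPT
-A INPUT -p udp --dport 123 -j ACCEPT
COMMIT
""".splitlines()

if __name__ == "__main__":
    for line, port, proto, expected in audit(SAMPLE_RULES):
        print(f"{line!r}: port {port} is {'/'.join(expected)} only, drop the {proto} rule")
    print("\nminimal ruleset for 22, 53, 80, 123, 443:")
    print("\n".join(rules_for([22, 53, 80, 123, 443])))
```

On the constructed sample the audit flags the UDP rules for 22, 80 and 443 and the TCP rule for 123, while the two DNS rules pass; `rules_for` then prints the ruleset with only the transports each service needs. The audit only covers what iptables sees, so the DHCP client's raw frames mentioned above remain outside it.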

Friday, March 24, 2006

Linux Kernel 2.6.16 and ISDN FRITZ!Card PCI

In case anyone out there owns an ISDN FRITZ!Card PCI and wants to install Linux kernel 2.6.16: you're in for a bit of trouble. The official CAPI driver will not compile. I had a look at it and came up with a simple patch that solves it:

--- fritz/src/tools.h 2005-07-07 00:00:00.000000000 +0200
+++ fritz-kernel-2.6/src/tools.h 2006-03-21 16:13:32.000000000 +0100
@@ -71,12 +71,14 @@

/*---------------------------------------------------------------------------* \*---------------------------------------------------------------------------*/
+#ifndef atomic_xchg
static inline unsigned long atomic_xchg (
volatile atomic_t * v,
unsigned value
) {
return __xchg (value, &v->counter, sizeof (unsigned));
} /* atomic_xchg */
+#endif

/*---------------------------------------------------------------------------* \*---------------------------------------------------------------------------*/
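Review bot: the `#ifndef atomic_xchg` guard around the driver's own `static inline unsigned long atomic_xchg` only does its job if the kernel's `atomic_xchg` is a preprocessor macro that is already visible at this point in tools.h; the hunk shows no include of the kernel's atomic header before the guard, so if that header is not pulled in earlier the driver keeps compiling its private copy and the redefinition error the post describes is back. Either add `#include <asm/atomic.h>` above the guard, or guard on the kernel version instead, `#if LINUX_VERSION_CODE < KERNEL_VERSION(2,6,16)` with `<linux/version.h>`, which also documents why the fallback exists.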

Still here, still here!

Yes yes yes, I should be seriously barked at for leaving this blog to rot for a while. And for virtually disappearing from everyone's life. The excuse is, as always, work. But now it has eased up a bit, so I have the time to write something here.
The player project is finished; only one elusive bug remains that I just can't put my finger on, but it seems more and more that it's LinuxThreads' fault. The damn servers run the ancient Debian Woody distro. Perhaps I'll convert it to pseudo-threading, but it's not a critical bug, so it's more likely the time will come when the servers are upgraded to at least Debian Sarge (which runs the player nicely in all of my tests, with the NPTL (Native POSIX Thread Library) that came with the linux kernel branch 2.6) before I delve into the beauties of pseudo-threading.
I also implemented a reporting facility for Windows. It's a Delphi module that uses Word via OLE automation. You write a reporting template (which is just normal text with field names (not to be confused with native Word fields) and commands placed between two # characters), define database queries and manual input edit boxes, and the module does all the rest. It's designed this way because the customer wanted it this way, but I think it would have been wiser to use OpenOffice, which is free and also supports OLE automation.
I also developed a love-hate relationship with the Debian GNU/Linux distribution. It's a wonderfully designed distro, as wonderful for casual Windows-like users as for power-hungry sysadmins, with a plethora of distribution-specific utilities for everything, from simple installation and maintenance to complex package (re)building and development, and the stable branch is really, well, stable. And it tends to become old. As was the case with Woody. What, three years without a major software update? Only last year's Sarge release brought the loooong awaited updates of essentials, like support for kernel branch 2.6, NPTL support, glibc 2.3.2, gcc 3.3, and so on. And when you get a server with Woody installed and are asked to install, say, a more recent php 4.3 (which isn't even the latest) and enable Oracle 10.1 support, then you really start to hate the damn distro. I just pulled the source from the Sarge branch and thought I'd rebuild it for Woody. Forget it. The build dependencies resolve to about a zillion packages to be rebuilt. It even came down to gcc and the X window system having to be rebuilt. Of course, php doesn't need X libraries to run, or the latest gcc to be built and installed, but the packages with tools it needs to compile with or libraries it needs to link with eventually resolve down to them. I'd be finished way, way, way sooner if I upgraded the server to Sarge, but the contracting company doesn't allow it, because it all runs nicely as it is and they don't want to touch it. That's, uhm... troubling, at least from a security standpoint, as there won't be any official security updates anymore after May of this year (May or April, something like that).
And I've designated the state as my enemy. I didn't trouble myself much in the past with what exactly to think of the state and the government and how to relate to it, but the debacles and idiocies of the current right-wing government just make me want to shoot them all and be done with it. I, a reasonably non-offending and hard-to-offend person, who tends not to care if you're a masterpiece of an idiotic nincompoop, am seriously becoming furiously allergic to the current government. They've developed the art of perverted self-righteous aristocratic governing to such a marvelous level that I tend to get sick about twice a week, when I read about it in the newspapers. It curiously starts to resemble the way the Church operates.