Diary of a geek

January 2005
Mon Tue Wed Thu Fri Sat Sun

Andrew Pollock


Other people's blogs


RSS feed

Contact me

JavaScript required

Monday, 31 January 2005


This one just went around work:

A byte walks into a bar and orders a pint. Bartender asks him "What's wrong?" Byte says "Parity error." Bartender nods and says "Yeah, I thought you looked a bit off."

[19:05] [humour] [permalink]

Sunday, 30 January 2005

Migrating enforcement modules is easier

This morning I migrated a Firewall-1 enforcement module in my test enviroment. This was a hell of a lot easier than the previous migration of the management server.

This probably stems from the fact that an enforcement module is really just a container for a security policy, as pushed from a management server. All I had to do was manually transfer the licence, and reset the Secure Internal Communication (SIC).

So my first real live migration is being presented at today's change control meeting, and I think that gets sent to a higher level change control meeting on Wednesday, so if it is approved at both of these, I should be right to go the week after next. I just have to keep myself occupied in the meantime. I'm going to Melbourne for the day next Tuesday to attend an AUUG junket.

[15:58] [work] [permalink]

Sunday, 23 January 2005

LVM on root with d-i

Junichi was wondering about the root device being a logical volume. Jeff said he wasn't sure about d-i doing it. I can personally say that I've performed an install with root on a logical volume using d-i. Been there, done that, got the t-shirt. Whilst it is nice to have everything inside LVM, the downside is, you have to use LILO as your bootloader, and I find GRUB far more flexible. I did such an install a while ago, so it is possible the situation in RC2 or the daily builds is different.

[04:00] [debian] [permalink]

Thursday, 20 January 2005

Migration success (I think)

I think I've had a win (it's always nice to end the week on a high note). I cracked the shits and plugged my laptop in place of the Windows Terminal Server (my laptop also has the Firewall-1 GUI software installed) and with the firewall policy unloaded (via the console) I was able to make a connection to the management server. I then edited the object for the firewall, told it to reget the topology (taking into account the change of interface names) saved it, pushed the policy and lo and behold, I could SSH to the management server.

That said, I now cannot make an RDP connection to the terminal server, so I'm not sure if Windows freaked out over a duplicate IP address and took itself off the network, or if I plugged the cable back into the wrong interface. I'll look at that on Monday.

[22:24] [work] [permalink]

Second attempt at migrating

So given yesterday's attempt failed dismally, I tried the procedure outlined in a different document. This procedure seemed a bit more holus bolus in its approach to what needed to be copied (i.e. you pretty much copy all the files from the server you're migrating, delete a few and hope for the best).

Similiarly poor results. I don't even get anything in the logs this time, which makes it all the more vexing. Using tcpdump and fw monitor shows SYN packets entering the firewall and nothing coming out.

I'm starting to run out of ideas. There's only so much you can do with Firewall-1 from the command line. Hopefully the client's support contract renewal will have been processed by Check Point by Monday...

[20:43] [work] [permalink]

Voicemail galore

Heh, this is funny. One of the other guys noticed that my voicemail light was on on my phone. I haven't been told how to drive my voicemail, or that I indeed had voicemail. He dialled it up to retrieve the messages, and in the meantime I had to help relocate my manager's desk, so I just left the handset on my desk while it played through all the messages. About 45 minutes later, I picked up it to see where it's at. It's at message 63 from June 30 (presumably last year).

I suspect my predecessor didn't know he had voicemail either...

[16:16] [work] [permalink]

ANU's parking policy is stoopid

As I'm only intending to study part-time this year, I'm not eligible for a carpark. This is a PITA because as a part-time student, working full-time, the one thing I don't want to be spending more time than necessary is finding a carpark. I just want to get in, park, attend my classes and get out again.

I was going to try and get creative and enrol as a full-time student and then drop half the subjects before the census date, but it's just not worth the hassle. I'm still dubious about how I'm going to go doing this full-time work/part-time study thing anyway.

[04:30] [uni] [permalink]

Wednesday, 19 January 2005

First attempt at migrating

This morning I attempted to swap the cables that connected the old Firewall-1 Management Server to the rest of the network, and to the test LAN's management segment. It should have Just WorkedTM but it didn't.

11:23:09 drop >bge0 product: VPN-1 & FireWall-1; src:; s_port: 2730; dst:; service: 22; proto: tcp;
th_flags: 19; message_info: TCP packet out of state;

is what the logs said. Jono said that should only happen if there's a routing error, which there isn't. I'm wondering if it's got something to do with the change in interface names. Unfortunately, the way this test network is setup, the Windows Terminal Server from where I can run the management GUI is through this Management Server (it's also an Enforcement Node), so until I can convince it to pass traffic as per its policy, I can't manage it terribly well. It's really annoying, because the Lightwave that is attached to its console is also through the firewall, so I have to go into the computer room with my laptop and physically plug into the console port, which means I can't be sitting outside testing network connectivity with my laptop plugged into the normal management LAN.

[16:59] [work] [permalink]

Tuesday, 18 January 2005


**************** Interface Configuration ****************

Scanning for unknown interfaces...
Firewall-1 found that you are using interface bge, which is not supported.
Please refer to Check Point's SecureKnowledge article ID 55.0.4089734.2604361
for a list of supported interfaces and known issues.
This interface will not be protected by Firewall-1.

Press Enter to continue.

Update: Apparently you can hack $FWDIR/boot/ifdev to convince it to support such interfaces. I love Firewall-1. Really.

[20:30] [work] [permalink]

Quality Microsoft software

This has been doing the email rounds today:

Check this one out for taking the scenic route.


1. In Start and End, pull down "Address in" and choose Norway. 2. In
Start, enter "Haugesund" into City. 3. In End, enter "Trondheim" into
City. 4. Press "Get Directions"

[19:21] [humour] [permalink]

Weird login problem

So I'm trying to migrate a Firewall-1 Management Server from one box to a freshly installed box. I have an image that takes care of the baseline installation of Solaris and an unconfigured Firewall-1 NG installation. I just tried blatting /etc/{passwd,shadow,group} as well as configuring the hostname and all the interfaces. I gave it a reboot to see how it all went, and wasn't able to login. I'd just get

cannot chdir to /root, errno = 2

After providing a username and get returned to a login prompt. What I believed to be the root password wasn't accepted in single-user mode. I'm not sure if it's a permissions thing. I was relatively careless and just went

cat > /etc/passwd
<pasted contents of /etc/passwd on existing server here>

(and so on for /etc/shadow and /etc/group). This potentially left an /etc/shadow with suboptimal permissions, but you wouldn't expect it to lock you out altogether. I did fail to create home directories, but again, I wouldn't expect that to lock me out either. So now I've booted into single-user mode from a Solaris CD... Brown paper bag job by the looks of it. I think I pasted /etc/group into /etc/shadow. That'll do it.

Now this is humorous:

# grep sarah /mnt/etc/passwd
sarahr:x:2001:500:Sarah Kay Roper:/home/sarahr:/bin/false

She contracted out here a long time ago. I guess this is a test machine, so the password database isn't maintained (or was based on an old snapshot of the production password database). Still, it's funny.

Yet I have digressed, and I have spoken too soon. That doesn't seem to have resolved my lockout problems. I tire of this two-man reset and break to PROM crap.

{1} ok setenv auto-boot? false
auto-boot? =          false

Subsequent power cycling will result in a PROM prompt without any further ado.

Ah, the problem is quite simple (I think I was grepping the wrong /etc/passwd when I booted from CD and mounted the hard drive on /mnt). Some brainiac has changed root's home directory to be /root (I actually prefer this, but it's not the norm for Solaris) and this directory didn't exist. That's quite incredible how if root's home directory doesn't exist, no one can log in...

[18:32] [work] [permalink]

I didn't think this was possible

While on the topic of breaking into Sun boxes...

SC Alert: Host System has Reset

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Initializing  1008MB of memory at addr        1000000000
SC Alert: SC Request to send Break to host.

{1} ok boot -s
FATAL: OpenBoot initialization sequence prematurely terminated.

FATAL: system is not bootable, boot command is disabled
{1} ok reset-all

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Boot device: disk0  File and args:
SC Alert: SC Request to send Break to host.

Type  'go' to resume
{1} ok boot -s

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Rebooting with command: boot -s

So apparently you can break out the PROM initialisation and leave the box in an unbootable state. Nice...

[18:07] [work] [permalink]

Give me Cyclades Console Access Servers any day

We use these horribly Lightwave Console Server 3200 things, and they really suck. The CLI is ordinary, but the really annoying feature is that frequently when I powercycle a Sun box, it'll drop the TCP connection, but keep the telnet session open internally, so it keeps me attached to the port, and won't let anyone else have it. Sometimes it times out the connection after a while (but who wants to wait?) and so you have to login in on the administrative port, and forcibly close the connection.

So when you get off your fat arse to walk the (non-trivial) distance to the server room, unlock your rack, kick your Sun box in the guts, lock your rack, and bolt back to try and send a break before the box boots past the point of sending a break, and you discover your console session has died in the arse, it really sucks. You then have to clear out your stuck session, and repeat the whole process again...

I'm not looking forward to when we move downstairs. It'll be completely impractical to bolt anywhere then, and breaking into a Sun box will require one person to perform the power cycle whilst another person sits watching the console (or I take a laptop with me and do it in situ).

At least Lightwave seem to have superceded the 3200 with something that hopefully sucks less (and is more dense). In my experience Cyclades have never sucked, and running embeded Linux makes them inherently more cool.

[18:00] [work] [permalink]

Please, don't bring back Beazley

Disclaimer: I'm not terribly pro-Labor, I'm more Liberal, however I'm pissed at Howard over the war in Iraq.

Can the Opposition please get it's act together and give us a credible leader and alternative Prime Minister? Kim Beazley is just not it. The media have already elected him as leader of the Labor Party, however I personally hope it doesn't happen.

So we've just had an Opposition Leader who's had to resign because of health problems. Let's not replace him with an overweight has-been, who hasn't been free of his own health problems in recent times. He kept saying he was healthy today in his press conference, but I have my doubts. I suppose he's going to have to swear off the KFC again and restart running up Mount Ainslie at 5am? He can't be looking forward to that.

Kim Beazley just isn't Prime Minister material, in my opinion. Neither was Simon Crean. I think Mark Latham was the closest thing Labor's come up with since they were last in government. I think there is a serious lack of credible candidates. I think the party's full of people who'd like to think they'd make Prime Minister one day, but until the party can publically get its act together and stop infighting, every 18 months when they have a leadership stoush just puts another nail in the collective political coffin, and leaves them languishing in the political wilderness even longer.

So in the interests of having a viable Opposition, and keeping the Howard Government accountable, will the Labor Party please get its freaking act together?

[03:12] [politics] [permalink]

Monday, 17 January 2005


So I think I'll start blogging about the technical aspects of my work, as a record of the technical achievements I make, and the problems I solve. I'll just have to try not to whinge too much about the political aspects...

[18:46] [work] [permalink]

Sunday, 16 January 2005

Not as nerdy as I thought...

I am
nerdier than 46% of all people. Are you nerdier? Click here to find out!

Well, I am more of a geek than a nerd...

[22:34] [life] [permalink]

Saturday, 15 January 2005

On microwave oven power

Last week, our microwave oven stopped heating things. It'd go through the motions, but after it finished, your dinner was still stone, motherless cold. I dropped it into the repair place, and a week later (after much nagging) they told me the magnetron tube had died. It was going to be comparable to getting a new microwave in repair costs, so I decided to get a new one rather than getting it repaired, as the display was dodgey.

The microwave I had was 1000W, and the microwave I bought to replace it is 1200W. I remember when they used to be 650W. It's all good that they're constantly getting stronger, as they cook faster, but it really stuffs around microwave recipes and cooking instructions. The microwave dinners that we frequently eat are geared towards a 1000W microwave, so we've got to experiment with the time to avoid overcooking them.

The power levels apparently do something like Medium High = 70% (so 840W) and Medium = 50%, and so on. I'd rather see them have the ability to dial up the wattage directly instead, so if something had cooking instructions that said "8 minutes on high, assuming a 1000W microwave oven", you could set the power to 1000W, and cook for 8 minutes, instead of having to come up with something less than 8 minutes that cooks the food properly without overdoing it.

Maybe I should have just shopped around more...

[01:34] [life] [permalink]

Friday, 14 January 2005

SSH daemon weirdness

This Saturday and last Saturday, Nagios has told me that it couldn't ssh to daedalus, my server in Brisbane. I figured out last weekend that what seems to be happening is the SSH daemon is getting filled up by connections to its MaxStartups limit (which is 10 by default in the Debian ssh package). The Debian default value for LoginGraceTime (which is how long to hold an unauthenticated connection open for) is 10 minutes.

So you can make a good DoS attack on a default Debian SSH daemon by just doing something like:

while :
	nc $VICTIM 22 &

So I decided to file #289573. Lowering LoginGraceTime won't really resolve the problem, but it'll shorten the length of the DoS (hopefully).

My initial suspicion is that it's related to those brute force SSH login attempts that have been running around for months, however, I had a brief look into today's DoS, and whilst there were the 10 or so unauthenticated sshd's lingering around tying things up, there weren't any actual TCP connections associated with them, so I'm now wondering if there's a bug in OpenSSH that is being tickled by all this...

The fact that it only seems to be an issue on Saturdays makes me suspect script kiddies...

[19:07] [tech] [permalink]

Tuesday, 11 January 2005

changelogs.debian.net moved

As I'm soon to be moving, and my ADSL will be out of action for $DEITY knows how long, I've moved changelogs.debian.net from running on caesar at home to daedalus in Brisbane. Hopefully the transition has been transparent. I'll leave it running on caesar for a while until the DNS updates.

[14:24] [debian] [permalink]

Open house

Because we're moving out, and our landlord Dave is going to have total strangers renting his house instead of a former co-worker, his partner and a random, he's decided that as he's in Singapore, he'll use a real estate agent to let the place.

I got a phone call from said real estate agent yesterday, saying that a prospective new tenant that had looked at the place previously wanted to have another look with his prospective co-tenant mates. I told her that 6:30pm on Tuesday would be okay.

So what seems to have happened is she's subsequently told all other interested punters to go around and have a look at the place at 6:30pm on Tuesday. Here we all are expecting to show the house to three people, and instead, more cars than you can poke a stick at are lined up on the kerb at 6:25pm. We had about 30 people traipse through the house. It was quite an unsettling experience having that many people wandering around the house looking at everything. Hopefully they'll get enough applications from that lot so we won't have to endure another such exhibition. The rental market must be pretty hot at the moment.

Still, I can't see why anyone would rent this place when for exactly the same money you can have this place instead...

[04:40] [life] [permalink]

Tuesday, 04 January 2005

On quality property management (or the myth thereof)

As a rental property owner, one of my pet peeves is crap property management. You fork out the bucks for a property, you entrust the management of it to a company, and they take a not inconsequential slice of the rent each week, and you just don't get any quality. And you're the paying customer. I shudder to think how they look after the tenant.

So as a tenant, when I get what I consider to be a shoddy customer experience, I get equally irate. Like today.

Today we went in to sign the lease for the townhouse we're going to rent. We don't get it until the 14th, but we signed the lease and handed over the bond today. We went to the office of the real estate agent who is doing the property management in our lunch break and met the property manager. He was alright. He asked us how much time we had, and I indicated I'd only paid for 20 minutes parking, and so he whizzed through the lease reasonably quickly. It was a standard ACT Residential Tenancy Agreement, so that wasn't an issue.

They preferred to have the rent paid by direct debit, and this is where I started to get disappointed by their setup. They couldn't cope with us electronically transferring the rent to their bank account, it had to be them sucking it from our bank account. They couldn't cope with sucking from two bank accounts, it had to be just one. They only suck the money out on the Tuesday after the rent is due, not on the day it's due, and if the Tuesday in question happens to not be a business day, they suck the following Tuesday. If the direct debit is dishonoured for whatever reason, they try again the following Tuesday, then they cancel it and get in touch. (We're paying fortnightly). So that's the main gripe, their payment options suck big time (no pun intended). The only other option is cash over the counter. After having paid electronically for probably the last 2 years, I have no desire to darken the door of the real estate office ever again. I might be inclined to give them a piece of my mind or something. Give me BPay or at least the ability to do a direct deposit puhleaze.

The property manager went to get the receptionist to process the bond receipt while we were still signing paperwork and filling out forms, so that the receipt would be ready on the way out. So when we're ready to leave, we get back to the reception desk, and the receptionist has been too busy gasbagging to someone else about her Christmas to have actually started processing the bond. She then proceeds to stuff up the receipt multiple times, processing it as a rent payment, getting the amount wrong, having to reverse transactions etc before a correct receipt is printed.

It's pretty obvious that all the awards that they like to brag about receiving are for sales and not for property management.

This is where I have one of my pipedream business ideas - a property management company that deals specifically in quality property management, and looks after the tenants. I envisage something like allhomes, but where tenants can apply online, landlords can view applications and comment on them, landlords can see property reports. I was thinking of something where the company could negotiate good rates with painters, plumbers, tradespeople in general, and get quality repair work done when required. Perhaps call centre driven. I had a creative thought tonight about using VoIP and having a distributed call centre of property managers working from home. Like all of my pipedream business ideas, I lack the guts and motivation to put my money where my mouth is and take it anywhere though...

[03:46] [rant] [permalink]

Dude, where's my Synaptic toolbar?

So I fired up synaptic today for my daily dist-upgrade, and immediately noticed that something was missing... Seems I have been bitten by #288445. I hope someone figures out what the problem is...

[00:48] [debian] [permalink]

Monday, 03 January 2005

Additional DAM

I just read that Joerg Jaspert has been appointed as an additional Debian Account Manager. This is great news, as it will hopefully improve the processing of the New Maintainer queue, and take some load (and hopefully flack) off James.

Joerg was my Application Manager when I went through the NM process, and I was impressed by the depth and thoroughness of his questions. I think he is an excellent choice.

[02:35] [debian] [permalink]

Sunday, 02 January 2005

New, non-RC dstat uploaded

Martin Godisch kindly helped resolve bug #283019 by uploading a version of sleuthkit with /usr/bin/dstat renamed to /usr/bin/diskstat, and I have uploaded a version of dstat that conflicts with all previous versions of sleuthkit, and mentions where to find Sleuthkit's dstat in its manpage.

[04:52] [debian] [permalink]

Home again

Just got home. We left Brisbane yesterday morning, and drove to Port Macquarie (we went via the Pacific Highway this time for a change of scenery). We camped in a caravan park (it was very hard to find one with any vacancies) and discovered that the tent pegs seem to have become separated from the rest of the tent since the last time it was used.

Fortunately, using a rock, the picnic table at the caravan park, some miscellaneous Christmas presents and the car, we were able to secure the fly on the tent making what I called "Camp Bodgey". Luckily the weather held out and it wasn't too windy, or we might have had a bad night...

We briefly stopped off in Newcastle for lunch with Elise (Michael was asleep because he had worked the night before). Traffic was significantly heavier than on the New England highway on the way up. The overtaking lanes north of Newcastle were all closed for some unfathomable reason, really slowing down the traffic. It took us 16 hours and 1208 kilometres, including the time spent for lunch in Newcastle, and the kilometres running around Port Macquarie.

The car's clutch survived, fortunately. My brother, who is a mechanic, reckons it doesn't have much left in it.

[02:27] [life] [permalink]