GRAFFITI -- January 02, 2006 thru January 08, 2006

Welcome to Orb Graffiti, a place for me to write daily about life and computers. Contrary to popular belief, the two are not interchangeable. About eMail - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so clearly at the beginning of your message.
MONDAY
January 2, 2006
0816 - Good morning. Around here, it's weeks, not years, that rule the roost. So there's no December 32 on these pages (although Bob Thompson's solution is perfectly valid for some other reality). Grin. So here, I start pages in a New Year with the first Monday that falls in that New Year. Here we are. I'm going to post this and make sure all the happy-crappy redirection stuff happens to get you from one directory to another when the Next Week and Last Week links are clicked. Then I'll have some coffee, and see if there's anything else worth talking about today. See you back here in a bit.
1046 - While I thought about our troops, and the fallen, yesterday, I was in a bit of a bind, because I purposely downed the Comcrap Internet connection so that I can reconfigure around the "New" service plan they're going to move me to... more about that in a bit. In 2005, in the cause of exporting democracy to Iraq and Afghanistan, our willing and able soldiers, sailors, marines, flyers, reservists, and DoD civilians together lost nearly 900 souls, most of those in combat, many to "Improvised Explosive Devices". We're working on that, according to DoD. In the meantime, I want to wish every one of our serving men and women a Happy New Year, and let you know that you're appreciated, supported, and that we're proud of you and the work that you're doing. Rock on! Now to the fallen...
Changes in connectivity. I'd written previously about my fun with Comcast, yes? We currently have a level of service known as Comcast Pro. At the moment, that means (according to a couple of different speed tests) slightly over 6 mbps download, and over 700 kbps upload. I have the ability to use five long-lease dynamic IP addresses. I don't know about their mail and DNS services because I run my own, at Zidane and locally, respectively. In February, we're being migrated to Comcast Workplace Standard. That will give me an advertised 6 mbps down, 768 kbps up, and one dynamic IP address. Hmmm, yeah, that reads like a downgrade to me, too. I've had my bitch session with the account rep already, and fundamentally there's nothing I can do about it. Oh, one more thing ... For the privilege of having our service downgraded, we get to sign up to a one-year service agreement with unspecified (yeah, the paperwork really doesn't say) penalties for early termination. Oh, or I can stay month-to-month, at a $50 increase in fees. What a fucking scam! I'll be finding out what the termination fees are before I sign and fax in the paperwork. DSL really isn't an option. Although it's much cheaper than Comcrap, it's half the speed down, and less than half up. I move too much data around here to downgrade service. I sure wish Verizon were starting to tear up the neighborhood to install FIOS, but they aren't yet.
Figure 1 -- Network before Comcast "Upgrade"
The downgrade in addresses means changes in our network. Previously, I was using those extra IPs for assorted DMZ-like purposes. Greg and I ran tServe, a White Box Enterprise Linux machine, as a testbed for new services, upgrades in software, and backups from Zidane to here. Of those, the backups were the most important service, allowing us to easily repopulate the EV1-based dedicated server after catastrophic failure, moves or changes. I've written a new pull-based backup routine to get the data from Zidane to inside, here. It's better because it is based on root-level access, which lets all the permissions and files get read and stored properly. That's safe because I can set up PermitRootLogin to be "without-password" in /etc/ssh/sshd_config. That doesn't mean open access. That means public key access only. Works like a champ. And in the process of writing the new backup routine, I found that we'd had a couple of glitches in the prior setup. All the data was still there, but recovery would have been ... more work. Now it's easier, and I'm likely to set up a rotation that lets me keep a week's worth of daily backups, a safer situation for restoration in case of hackage.
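Here's what a pull-based routine with a week of daily snapshots can look like. This is an added example, not the actual script that runs between Zidane and the house: it runs as root on the inside machine, connects to the remote box with a key dedicated to the job, and rotates seven daily snapshots with unchanged files hardlinked from the previous day, so the week costs little more disk than one full copy. The host name, key path, remote path and backup directory are placeholders. It assumes the remote sshd has `PermitRootLogin without-password` (OpenSSH 7.0 and later spell the same setting `prohibit-password`), and it is worth also prefixing the key's line in the remote root's authorized_keys with `from="<your address>"` so that the key only works from the pulling host.

```sh
#!/bin/sh
# Pull-based daily backup with a seven-day rotation.
# Added example, not the author's routine. Assumptions: the remote host allows
# root logins by public key only (PermitRootLogin without-password, called
# prohibit-password in OpenSSH 7.0+), the key below is dedicated to this job,
# and rsync is installed on both ends. Host, key and paths are placeholders.
set -eu

REMOTE_HOST="${REMOTE_HOST:-remote.example.invalid}"  # placeholder host name
REMOTE_PATH="${REMOTE_PATH:-/home}"                   # placeholder tree to pull
KEY_FILE="${KEY_FILE:-/root/.ssh/backup_pull_key}"    # key used only for backups
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/remote}"     # local snapshot directory
KEEP_DAYS=7                                           # daily.0 (newest) .. daily.6 (oldest)

# rotate_snapshots DIR: shift daily.N to daily.N+1 for N = KEEP_DAYS-2 .. 0,
# discarding the oldest snapshot, so that daily.0 is free for today's pull.
# Missing slots (after a skipped day) are tolerated.
rotate_snapshots() {
    dir=$1
    oldest=$((KEEP_DAYS - 1))
    if [ -d "$dir/daily.$oldest" ]; then
        rm -rf "$dir/daily.$oldest"
    fi
    i=$oldest
    while [ "$i" -gt 0 ]; do
        prev=$((i - 1))
        if [ -d "$dir/daily.$prev" ]; then
            mv "$dir/daily.$prev" "$dir/daily.$i"
        fi
        i=$prev
    done
}

# count_snapshots DIR: number of daily.* directories present (for reporting).
count_snapshots() {
    n=0
    for d in "$1"/daily.*; do
        if [ -d "$d" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# pull_snapshot DIR: rotate, then copy the remote tree into daily.0. Files that
# are unchanged since daily.1 are hardlinked from it instead of transferred
# again, so a week of snapshots costs little more disk than one full copy.
pull_snapshot() {
    dir=$1
    mkdir -p "$dir"
    rotate_snapshots "$dir"
    link_dir=""
    if [ -d "$dir/daily.1" ]; then link_dir="$dir/daily.1"; fi
    # -a keeps ownership, modes and times (hence root on both ends), -H keeps
    # hard links, --numeric-ids avoids remapping uids through local names, and
    # --delete makes daily.0 an exact mirror rather than an accumulation.
    rsync -aH --numeric-ids --delete ${link_dir:+"--link-dest=$link_dir"} \
        -e "ssh -i $KEY_FILE -o BatchMode=yes -o StrictHostKeyChecking=yes" \
        "root@$REMOTE_HOST:$REMOTE_PATH" "$dir/daily.0/"
    echo "snapshot complete; $(count_snapshots "$dir") snapshots kept"
}

# Run the pull only when asked to, so the functions can be sourced or tested.
case "${1:-}" in
    pull) pull_snapshot "$BACKUP_ROOT" ;;
esac
```

Run it nightly from root's crontab as `backup_pull.sh pull`. Because the rotation happens before the transfer, a pull that fails halfway leaves daily.1 through daily.6 untouched and only daily.0 incomplete, which is the snapshot you would re-run anyway.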
I also had a wireless AP running in one of the "DMZ" IPs. That could go down the tubes, too, but I've changed how we're doing business...
Figure 2 -- Network after refurbishing
I started a couple of nights ago. First I took our internal home server (for SMB, NFS, DNS, IMAP) and migrated it from old hardware to new hardware, upgrading some of the services in the process. I added in the remote backup routine from Zidane to here. Once I got all that working, I backed up the homes directory from tServe and took that out of service. That freed up two P3-933 boxen for re-purposing. One becomes the new OpenBSD firewall, another becomes spare parts for that system. Yesterday I set up OpenBSD on the new (old) machine, and started configuring bits. Once I had the pf.conf file to the point where I thought I could start migrating the inside network, I did that. Then I enabled things one at a time, and tested from inside to outside, making sure that access worked where allowed, and didn't when it wasn't. LAN_0 is on 192.168.1.0/24, DMZ_0 is another Class C, 192.168.2.0/24. DMZ_1 is unconfigured at the moment. I allow some connectivity from LAN_0 to DMZ_0 for administrative purposes. DMZ_0 only has access to the outside. So I can safely have the wireless access point available for guests, without allowing guests (or wardrivers) access to my internal network.
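The "test from inside to outside, allowed where it should be and not where it shouldn't" step is worth scripting, so that a later pf.conf edit can't quietly reopen a path from the guest segment. What follows is an added example, not the author's own tooling: run from a host on one segment, it reads a table of destination/port/expected-result lines, probes each with nc, and prints every line whose outcome disagrees with the policy. The addresses follow the 192.168.1.0/24 (LAN_0) and 192.168.2.0/24 (DMZ_0) layout described above; the particular hosts, ports and the outside address (203.0.113.10, a documentation range) are constructed.

```sh
#!/bin/sh
# Firewall policy regression check. Added example, not the author's own tooling.
# Run it from a host on one network segment with a policy table describing what
# that segment should and should not reach. Requires nc (OpenBSD netcat or
# compatible) for the TCP probes.
set -eu

# probe HOST PORT: exit 0 if a TCP connection to HOST:PORT succeeds within 2s.
# Redefine this function to exercise the policy logic without a live network.
probe() {
    nc -z -w 2 "$1" "$2" >/dev/null 2>&1
}

# check_policy: read "host port expected" lines (expected is allow or deny)
# from stdin, probe each, and print one MISMATCH line per disagreement.
# Blank lines and lines starting with # are ignored. Returns the mismatch
# count, so 0 means the firewall behaves exactly as the table says.
check_policy() {
    mismatches=0
    while read -r host port expected _; do
        case "$host" in ''|'#'*) continue ;; esac
        if probe "$host" "$port"; then got=allow; else got=deny; fi
        if [ "$got" = "$expected" ]; then
            echo "ok       $host:$port $expected"
        else
            echo "MISMATCH $host:$port expected=$expected got=$got"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Constructed policy for a probe host sitting on DMZ_0 (the guest wireless
# segment): it may reach the outside, must not reach anything on LAN_0, and
# must not reach the firewall's own ssh port. Hosts and ports are placeholders.
dmz0_policy='
# host           port expected
192.168.2.1      22   deny
192.168.1.10     22   deny
192.168.1.10     139  deny
192.168.1.10     2049 deny
203.0.113.10     80   allow
'

# Only probe when asked to, so the functions can be sourced or tested.
case "${1:-}" in
    check) printf '%s\n' "$dmz0_policy" | check_policy ;;
esac
```

Keep one table per segment (a LAN_0 table would expect the administrative ports into DMZ_0 to be allowed) and run the script after every ruleset change; a non-zero exit is the signal that pf.conf no longer matches what you meant.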
I have a couple more tests to do, and I need to set up rules to allow inbound SSH connections from specific IP ranges for remote access to home. Then it's time to clean up. In the process of reorganizing, I've taken a 5 port switch, an old Netgear MR314 Gateway/Router, and one computer out of service. I need to delve behind the desk and re-rationalize cabling, power and such, then sort the electronics into [Label and Save], [Prep for Donation], and [Trash] categories. That should easily fill the rest of the day. Oh, and I have to start thinking about Marcia's new desktop system. Her laptop isn't cutting it for day-to-day use.
Happy Monday. Hey, have you noticed how much my personal life resembles my professional life? Yeah, me too.... Grin!
TUESDAY
January 3, 2006
0800 - Good morning, such as it is. It's raining out (boo), I've got only a three day work-week to face (yay), but there's the Exploit-WMF vulnerability to ruin everyone's day. I mailed this to some friends and assorted IT folk I know, last night (now with updated links):
Subject: Exploit-WMF

The SANS infocon is at yellow-pants. After talking with our in-house ISC handler, we've decided to apply the following patch:

http://handlers.sans.org/tliston/wmffix_hexblog14.exe

This is the executable version that's been audited and checked explicitly by the ISC team. http://isc.sans.org/diary.php?storyid=994 should always have the latest details; check there to see if there's a version later than 1.4.

I'm also considering unregistering the vulnerable DLL, as ISC also recommends that action.

Start -> Run: regsvr32 -u %windir%\system32\shimgvw.dll

That's less of a solution, as other apps can happily re-reg the DLL. But in combination, I guess I feel as okay as I'm going to about this until well after MS puts out a patch.

best,
.brian
--
Brian Bilbrey : http://www.orbdesigns.com/
"Kirk to Enterprise -- beam down yeoman Rand and a six-pack."
WEDNESDAY
January 4, 2006
No Post...
THURSDAY
January 5, 2006
1444 - Good afternoon. I've been fighting battles with printers, print servers, Linux compatibility, and all that fun goo. That and lots of running about at work preparing for me to be gone for a few days (while we're out in California). Busy, busy, busy. Linda Rose will be staying at the house, guarding the dogs with her 12 gauge. The dogs, well, they'll guard the dogfood. I've got more stuff to do, and less time to do it in. See you soon...
FRIDAY
January 6, 2006
No post..... Travel day.
SATURDAY
January 7, 2006
1529 - Hi. Safe, sound, and having fun with a belated gift exchange out in California. The dogs are taking good care of LindaRose, we hear. But mostly it is wonderful to see all of the family. Time to get back to the festivities. Ciao!
SUNDAY
January 8, 2006
No Post.......
Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.
All Content Copyright © 1999-2011 Brian P. Bilbrey. Except where otherwise noted, this site is licensed under the Creative Commons Attribution-Noncommercial-Share Alike 3.0 United States License.