March 27, 2008

OpenBSD on alix2c0

Filed under: — cwage @ 12:04 am

I recently bought an alix2c0 board and enclosure as a cheaper alternative to my preferred (but somewhat pricier) Soekris Net4501 platform for running OpenBSD for a local firewall/router. I didn't have a modern copy of OpenBSD anymore (my current firewall is still running 3.9), so I didn't have a convenient platform to use flashdist to dump a working install onto the CF card. Such a thing was necessary back in the day when I was dealing with 64M of space, because you had to be Really Picky (pickier than the barebones install) about what you install. Now, however, I am recycling a 1G CF card for my firewall (I just bought 2 new 4G CF cards for photography, w00t), so I have a reasonable amount of space. I figured I'd try a more standard install. Here were the steps I took:

  • Enable tftp on my firewall in inetd by uncommenting:

    tftp dgram udp wait root /usr/libexec/tftpd tftpd -s /tftpboot

  • kill -HUP inetd
  • added this to /etc/dhcpd.conf:

    filename "pxeboot";

    See the OpenBSD FAQ section on PXE booting for more on this. (as well as the following steps)

  • kill -HUP dhcpd
  • Hook up the alix2c0 board via a serial null modem (38400, 8N1, no flow control) and turn it on. Hit 'S' during the memory test to enable setup. Hit 'E' to enable PXE/network boot and quit, saving the settings.
  • Grab pxeboot and bsd.rd for the version of OpenBSD you want to install
  • Put those two files in a directory called /tftpboot on your dhcpd/tftp server (as referenced in inetd.conf above), along with a /tftpboot/etc/boot.conf with the following:

    set tty com0
    stty com0 38400
    boot bsd.rd

  • Reboot your alix2c0, and it should request an IP via DHCP and then start requesting the aforementioned files via TFTP. If all goes well, it should switch the console to com0, grab bsd.rd and boot you into the OpenBSD kernel with a ramdisk that will dump you into the normal install process. Voila!
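The steps above spread the setup over inetd.conf, dhcpd.conf and boot.conf. As an added example (not part of the original post), the script below generates the dhcpd.conf and boot.conf pieces in one place and pre-checks the tftp root before the board is powered on. The subnet, server address, MAC and board address are constructed placeholders; the only lines taken from the post are `filename "pxeboot";` and the three boot.conf lines. Putting `filename` inside a host entry keyed on the board's MAC is an assumption of this example (the post does not say at what scope it was added); it means no other DHCP client on the LAN is handed a boot loader.

```python
"""Added example, not part of the original post: generates the PXE-install
pieces described above and pre-checks the tftp root. Addresses and the MAC
below are constructed placeholders."""
import os


def dhcpd_host_stanza(subnet, netmask, server, mac, board_ip):
    """Return a dhcpd.conf(5) subnet block that offers `pxeboot` only to the
    host with the given MAC; other clients in the subnet get no filename."""
    return "\n".join([
        f"subnet {subnet} netmask {netmask} {{",
        f"\toption routers {server};",
        "\thost alix2c0 {",
        f"\t\thardware ethernet {mac};",
        f"\t\tfixed-address {board_ip};",
        f"\t\tnext-server {server};",
        '\t\tfilename "pxeboot";',
        "\t}",
        "}",
        "",
    ])


def boot_conf(baud=38400):
    """Serial-console boot.conf(8), the three lines from the post."""
    return f"set tty com0\nstty com0 {baud}\nboot bsd.rd\n"


# What the board will request, relative to the tftp root. Paths are relative
# because `tftpd -s /tftpboot` chroots into that directory.
REQUIRED = ("pxeboot", "bsd.rd", "etc/boot.conf")


def preflight(files, boot_conf_text):
    """Check a tftp-root listing (relative paths) and its boot.conf text.
    Returns a list of problems; an empty list means the board can boot."""
    problems = [f"missing {p}" for p in REQUIRED if p not in files]
    lines = [l.strip() for l in boot_conf_text.splitlines() if l.strip()]
    if "boot bsd.rd" not in lines:
        problems.append("boot.conf does not boot bsd.rd")
    if not any(l.startswith("set tty com0") for l in lines):
        problems.append("boot.conf does not switch the console to com0")
    return problems


def preflight_dir(root="/tftpboot"):
    """Disk-backed wrapper around preflight() for a real tftp root."""
    files = set()
    for dirpath, _, names in os.walk(root):
        for n in names:
            files.add(os.path.relpath(os.path.join(dirpath, n), root))
    conf = os.path.join(root, "etc", "boot.conf")
    text = open(conf).read() if os.path.exists(conf) else ""
    return preflight(files, text)


if __name__ == "__main__":
    print(dhcpd_host_stanza("192.168.1.0", "255.255.255.0", "192.168.1.1",
                            "00:0d:b9:00:00:00", "192.168.1.50"))
    print(boot_conf())
    for problem in preflight_dir():
        print("preflight:", problem)
```

Run it on the tftp server after copying pxeboot and bsd.rd into place; an empty preflight result means the three files the board will ask for are present and boot.conf really does hand the console to com0 and boot the ramdisk kernel.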

July 2, 2006

ignoring the wall

Filed under: — cwage @ 12:05 am

Via Bruce Schneier, an interesting paper about a technique to bypass the filtering technique currently employed by China's Great Firewall. I am gonna get a little nerdy here -- something I generally reserve for the CentreBlog -- so bear with me here:

The way this firewall works is precisely the same as many commonly-available content-based filtering appliances available here. (I tested and evaluated a number of them for the TN K-12 school system back when I worked for ENA.) It's not the routers or firewalls themselves that monitor for keywords and allow/drop connections, but rather servers that sit on an adjacent port on a switch and sniff the traffic. When they see a verboten word, they make an attempt to kill the connection. This is done utilizing a very simple technique.

In any TCP connection on the Internet, there is a packet with a certain flag that can be sent at any time by either end to reset the connection. The flag is called RST, which stands for .. you guessed it.. "reset". So, in order to kill a connection, these servers merely spoof RST packets both to the source and the destination of the connection, effectively terminating the connection. More advanced products hijack the connection entirely -- sending RST packets to the origin webserver and delivering a "block page" instead of the requested content to the client, letting them know that the content is forbidden, or perhaps in this case, that the storm troopers are en route to their house.

This is a fairly effective technique with one major drawback: it's subject to race conditions. If the server monitoring traffic gets bogged down, it may not get around to issuing the RST packets before the connection has already proceeded and data has been transferred. At the time, this was a major reason we opted not to use this technology at ENA. The amount of hardware needed to ensure a "race" was never lost was exorbitant in the face of more cost-effective methods. Apparently this isn't an issue for China.

But anyways, back to the paper. They are pointing out another obvious downside to this technique: if both sides of the connection ignore the RST packets, the connection won't be terminated. So, theoretically, firewall administrators in China could simply configure their firewall to ignore RST packets and if the server on the other end did the same, there would be no censorship. But of course this is useless if the other end doesn't cooperate. It raises an interesting possibility: a movement on the rest of the Internet to cooperate, and implement firewall rules to ignore RST packets on port 80 from IP addresses in China? Are there any possible negative side-effects of this? Other than some very dysfunctional situations in the event that a connection actually needs to be reset.
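Ignoring RSTs, as the paper suggests, throws away genuine resets too. A less drastic option for the monitoring side is to spot the forged ones. As an added example (not from the post or the paper), the detector below uses two traces a sniffer-based blocker leaves behind: its RST carries an IP TTL different from the TTL the same endpoint's earlier packets in that flow carried (the box is a different number of hops from the capture point), and the endpoint the RST was forged from keeps sending data afterwards, which a host that really reset the connection would not do. The packet records are constructed sample data, not a real capture.

```python
"""Added example, not from the original post: flags TCP RSTs that look
forged by a third party rather than sent by the connection's endpoint.
The packet records below are constructed sample data."""

# (timestamp, src, sport, dst, dport, tcp flags, ip ttl, payload bytes)
SAMPLE = [
    (0.00, "10.0.0.5", 40000, "203.0.113.7", 80, "S", 64, 0),
    (0.05, "203.0.113.7", 80, "10.0.0.5", 40000, "SA", 52, 0),
    (0.06, "10.0.0.5", 40000, "203.0.113.7", 80, "A", 64, 0),
    (0.07, "10.0.0.5", 40000, "203.0.113.7", 80, "PA", 64, 120),   # request
    (0.09, "203.0.113.7", 80, "10.0.0.5", 40000, "R", 61, 0),      # forged as server
    (0.10, "10.0.0.5", 40000, "203.0.113.7", 80, "R", 58, 0),      # forged as client
    (0.12, "203.0.113.7", 80, "10.0.0.5", 40000, "PA", 52, 1400),  # server still answers
    (1.00, "10.0.0.5", 40001, "203.0.113.9", 80, "S", 64, 0),
    (1.05, "203.0.113.9", 80, "10.0.0.5", 40001, "R", 50, 0),      # genuine refusal
]


def flow_key(src, sport, dst, dport):
    """Direction-independent identifier for one TCP connection."""
    return tuple(sorted([(src, sport), (dst, dport)]))


def detect_injected_rsts(packets, ttl_tolerance=0):
    """Return (timestamp, claimed sender, reason) for each suspicious RST and
    for data that follows one. `ttl_tolerance` lets a deployment absorb small
    TTL jitter from multipath routing instead of flagging it."""
    first_ttl = {}   # (flow, endpoint) -> TTL of that endpoint's first packet
    rst_from = {}    # (flow, endpoint) -> time of the first RST claimed from it
    findings = []
    for ts, src, sport, dst, dport, flags, ttl, plen in packets:
        ep = (flow_key(src, sport, dst, dport), (src, sport))
        if "R" in flags:
            base = first_ttl.get(ep)
            # No baseline yet (e.g. a RST answering a SYN) -> nothing to compare
            if base is not None and abs(base - ttl) > ttl_tolerance:
                findings.append((ts, src, f"RST TTL {ttl} differs from flow TTL {base}"))
            rst_from.setdefault(ep, ts)
            continue
        if ep in rst_from and plen > 0:
            findings.append((ts, src, "payload sent after this endpoint's RST"))
        first_ttl.setdefault(ep, ttl)
    return findings


if __name__ == "__main__":
    for ts, who, why in detect_injected_rsts(SAMPLE):
        print(f"{ts:5.2f}  {who:>12}  {why}")
```

On the sample both forged RSTs and the server data that follows them are reported, while the genuine refusal in the second flow is not, because a RST that answers a SYN has no earlier packet to compare against. Treat the TTL mismatch as an indicator rather than proof: NAT devices and load balancers emit legitimate RSTs on behalf of hosts behind them, and those also arrive with a different TTL.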

F1ght the P0w3r D00dZ!!

February 15, 2006


Filed under: — cwage @ 1:40 am

I have written a new WordPress plugin called DNSBLCheck. As you might expect from the name, it's a plugin that allows you to .. check DNSBLs before allowing comments/trackbacks.

I haven't really had much of a problem with trackback spam since I installed this trackback validator plugin. However, as their plugin is written, even though it stops the spam, it still e-mails you about it, which is quite annoying (I gave up wading through the wordpress plugin architecture to figure out why it was still e-mailing).

Making things worse was that I was getting hit by trackback spam by a large botnet (over 100 IPs and counting), most of which were listed on It wasn't getting through, but I was getting 1-2 email notifications an hour, nonetheless.

So, at Chris's prodding, I went ahead and hacked up this little plugin to check DNSBLs. I am currently checking and for now. If any of you experience any problems leaving comments, let me know.
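For readers unfamiliar with how a DNSBL lookup actually works, here is an added example in Python (not the DNSBLCheck plugin's code, which is a WordPress plugin). The mechanism is the same regardless of platform: reverse the octets of the commenter's IPv4 address, append the list's zone, and resolve that name; a listed address answers with an A record in 127.0.0.0/8, an unlisted one gets NXDOMAIN. The zone names and the stub resolver below are constructed for illustration.

```python
"""Added example, not the DNSBLCheck plugin's code: the DNSBL lookup a
comment/trackback filter performs. Zone names and the stub resolver are
constructed for illustration."""
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Build the name a DNSBL expects: IPv4 octets reversed, then the zone.
    192.0.2.10 in zone example.dnsbl becomes 10.2.0.192.example.dnsbl."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 DNSBL lookups are handled here")
    return ".".join(reversed(ip.split("."))) + "." + zone


def dnsbl_listed(ip, zones, resolve=socket.gethostbyname):
    """Return the zones that list `ip`. The resolver is injectable so the
    check can be exercised without network access. Any resolver failure
    (NXDOMAIN or a DNS outage) counts as "not listed", so the check fails
    open rather than blocking every commenter when DNS is down. Only an
    answer inside 127.0.0.0/8 counts as a hit: a zone whose domain has
    expired and been parked with a wildcard A record would otherwise
    "list" the whole Internet."""
    hits = []
    for zone in zones:
        try:
            answer = resolve(dnsbl_query_name(ip, zone))
        except OSError:           # socket.gaierror is an OSError subclass
            continue
        if ipaddress.ip_address(answer) in LISTED_RANGE:
            hits.append(zone)
    return hits


# Constructed stand-in for DNS, used below and for offline testing.
def example_resolver(name):
    table = {
        "10.2.0.192.example.dnsbl": "127.0.0.2",      # listed
        "20.2.0.192.parked.dnsbl": "198.51.100.1",    # parked wildcard, not a listing
    }
    if name in table:
        return table[name]
    raise OSError("NXDOMAIN")


if __name__ == "__main__":
    zones = ["example.dnsbl", "parked.dnsbl"]
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(ip, "->", dnsbl_listed(ip, zones, example_resolver) or "clean")
```

In a real filter, replace `example_resolver` with the default `socket.gethostbyname` (or a resolver with an explicit timeout) and hold the comment for moderation when the returned list is non-empty, rather than dropping it outright, since DNSBL listings are often shared dynamic-IP ranges.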

February 4, 2006

tags and categories

Filed under:— cwage @ 10:46 am

I acknowledge and accept that the categorization of my posts on this blog is largely worthless. 90% of what I post about gets lumped into "politics" or "misc".

I am not drinking the tagging kool-aid entirely, but I do think it would be more useful for my blog than how I currently use categories (which is basically hardly at all).

I am considering installing and using Ultimate Tag Warrior, but one thing concerns me: it uses data external from wordpress itself -- potentially in such a way that it differs from other tagging plugins, or even from how WordPress eventually may implement tagging.

My blog has always been relatively agnostic as to what software it's using as far as the data specific to any one post. When it came time to migrate from movable type to wordpress, there was no third-party data I had to figure out how to cram into WordPress. It was just the basic stuff. It's not a big deal, but I find myself wondering if starting to rely on tags as gathered, stored, and displayed separately by a one-off third-party plugin will be a headache if/when I ever decide to move to some other platform.

Naturally if push came to shove I'm sure it would not be brain surgery to write a script by hand to migrate the data from one to the other, but still.

UPDATE: Okay, to hell with it. I went ahead and installed Ultimate Tag Warrior and modified my templates to use tags. It shows the top 10 tags on the right where categories used to be, and you can view a full tag-cloud as well, which for now is mostly just the old categories I used.

February 2, 2006

Look Ma, No Wires!

Filed under: — cwage @ 11:53 pm

Over at NiT Brittney links to Mike Sechrist discussing some of the upcoming changes in the land of broadcast TV and the spectrum it uses, which FCC has finally mandated is going away in 2009. He's promising more commentary on this topic, and I can't hold my tongue, so I am gonna go ahead and toss in my two cents.

Brittney asks "Okay, so they want the analog spectrum back, but why is this law? It seems a very odd thing to be legislating, especially if taxpayers are covering the hardware upgrade." It's a good question. Kevin, in the comments, offers an explanation, "It has to be legislated at the Federal level. No one can broadcast with significant wattage in the US without FCC approval, which is expensive, scarce, and complicated."

This, though, is not a sufficient explanation. To really understand what this is all about, I am going to try to succinctly explain the situation (and perhaps toss in a diatribe later).


January 18, 2006

wordverify update

Filed under:— cwage @ 7:50 pm

Posted a small fix to WordVerify today. If you are using WordVerify and have noticed that trackbacks and pingbacks suddenly stopped working, well, join the club.

Turns out the comment routine that WordVerify hooks into in WordPress is the same as used for trackbacks and pingbacks, so those were getting killed. I added an exclusion there so only actual comments require verification.

Update: Gah. And with that I promptly got 3 trackback spam.

January 17, 2006

jabber s2s

Filed under:— cwage @ 7:22 pm

So, check it out, Google Talk has opened s2s to the rest of the Internet.

This probably doesn't seem like a big deal to you, but for me it's huge. (Because I am a huge nerd.)

To understand why this is so awesome, it will help if I explain a bit. Jabber/XMPP is an open standard for an instant messaging protocol. Just like there is SMTP for E-mail, HTTP for the Web, etc., so too, say the Jabber advocates, should there be XMPP for Instant Messaging. It's an open, secure, flexible, totally awesome alternative to the proprietary IM networks like AIM, MSN, Yahoo, etc. If you're tired of having to constantly add a billion different networks in your multi-protocol client just to talk to all your friends, you should really be looking forward to Jabber. It doesn't make sense for IM to be something that requires talking over closed, proprietary networks. To wrap your brain around how silly this is, imagine that you went to and got your nifty new e-mail address. But then you found out that you could only e-mail other people on Pretty silly, right? Why do we put up with it in the world of IM? Well, Jabber/XMPP offered an alternative, but no one was listening.

I kvetched, bitched and moaned about Jabber/XMPP advocacy, and despite my constant whining, no one ever seemed too interested in Jabber. The reasons for its stagnancy were much debated, and a big part of the consensus was that it just wasn't being adopted by enough Big Organizations.

So, cut to last summer: there were rumors flying that Google (a very Big Organization), flush with IPO cash, was going to launch a new IM service. Google-zealots frothed at the mouth, but those of us that knew better just moaned and groaned: "Oh geez, not another lame proprietary IM network."

Then, in August, Google shocked us all by opening up their IM servers for Google Talk, complete with full XMPP support. This was a thrilling discovery, but it was quickly tempered by the fact that Google hadn't enabled s2s -- that is, you could use a Jabber client to talk to Google Talk, but you couldn't talk to other Jabber users on any other servers -- which, frankly, didn't make much sense.

Thankfully, Google has again surprised me, and opened up their servers for s2s. I can now let loose the nerdy celebratory cry of joy I had been cautiously withholding until now. I think this will prove to be a huge shot in the arm for Jabber/XMPP adoption, and the beginning of the end of annoying, bloated, proprietary IM networks. Hallelujah.

So what does this mean for you? Well, maybe nothing. If you've got a gmail account, you may want to grab Google Talk, or any other Jabber client and start using it. You can then use it to talk to not only anyone on Google Talk, but anyone else in the world using Jabber.

For example, me:

Kudos to Google for doing the right thing. Happy instant messaging.

January 13, 2006

blogging frequency

Filed under: — cwage @ 2:15 am

My blogging frequency:


wordpress plugins

Filed under:— cwage @ 2:09 am

Jackson just migrated to WordPress.

I figured I'd give a rundown of the plugins I find useful, for his benefit and others:

January 12, 2006

instapundit RSS

Filed under:— cwage @ 11:51 pm

I have on several occasions considered reading, but every time I do, I remember how horrible his RSS feed is. What's the deal? His blog posts are as a rule usually like 15 words or less anyway, and yet his RSS feed only provides excerpts -- and with HTML links stripped out, to boot. The feed is basically worthless.. And it seems others have noticed this as well.


Hm, I take it back. The index.xml has full content and HTML where the index.rdf doesn't. Nevermind!
