• Bridged is often unacceptable for experimentation due to it’s unrestricted nature. It also does not pass through the standard netfilter interfaces in the kernel to be filtered.
• NAT is often unacceptable because I cannot control it’s filtering policies. It runs a separate daemon to handle the address translation. This blocks many of my filtering options in iptables.
• Host-only is almost never acceptable since I rarely do any experimentation that doesn’t require a network interface to my network outside my machine.

My favorite solution is to use the host-only networking option, and configure my host machine to NAT and route the traffic. This gives me extreme control over the network policies, addresses, etc. All with a familiar iptables interface.

To accomplish this there are a few steps that need to happen.

• Configure your Virtual Machine to use Host-only networking
• Enable IP forwarding on your host.

  echo 1 > /proc/sys/net/ipv4/ip_forward

• Add the address you want your virtual machine to use on your network as an alias to your real interface.

  ifconfig eth0:0 10.49.220.40 netmask 255.255.252.0

• Add a NAT rule with iptables to translate packets to this new address.

  iptables -t nat -A POSTROUTING -i vmnet1 -o eth0 -j SNAT --to-source 10.49.220.40

• Add any rules you wish to impose to the FORWARD chain in the default filter table. Example here defaults to DROP all packets, but allow DNS to a DNS server, and all traffic to a host for the experiment.

  iptables -P FORWARD DROP
  iptables -A FORWARD -d 10.49.1.25 -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -d 10.49.1.26 -j ACCEPT

Now your experiment will come from your chosen IP as you would have wanted with bridged mode, but you get the awesome power and flexibility of filtering it via iptables. Great for playing with Windows and it’s included vulnerabilities.

I couldn’t find a CLI tool, so I wrote one. The Python API is very handy and easy to understand, but hardly documented at all. Thanks to these people for giving me a jump start.

I tried to make the parameters similar to that of growlnotify… Mostly out of laziness.

Anyway… Here it is. pynotify

First things first. With a recent ATI card you must use Xgl. It will not work with AIGLX. The Free radeon driver doesn’t support these newer cards. This leaves you with resorting to the proprietary ATI driver (fglrx). This driver doesn’t support the Xorg composite extension which is required for AIGLX to work. It’s ok, Xgl isn’t that much harder to setup.

* Install the proprietary ATI driver
apt-get install xserver-xorg-video-ati
* Activate the driver in /etc/X11/xorg.conf (Composite must be disabled for direct rendering to work)

    Section "Device"
        Identifier  "ATI Technologies, Inc. ATI Default Card"
        Driver      "fglrx"
        Option      "DesktopSetup" "horizontal"
        BusID       "PCI:1:0:0"
    EndSection
    Section "Extensions"
        Option  "Composite" "0"
    EndSection

* Verify direct rendering works
glxinfo | grep direct
Should be yes
* Install Xgl
apt-get install xserver-xgl
* Activate Xgl
The Ubuntu Site has other options, but my method of using the Xsession is a lot cleaner.
Add the following line to: /etc/X11/Xsession.options
use-xgl
Save the following script as: /etc/X11/Xsession.d/91Xgl

# This file is sourced by Xsession(5), not executed.

STARTXGL=
XGL="/usr/bin/Xgl"
XGL_OPTIONS=":1 -fullscreen -ac -accel xv:pbuffer -accel glx:pbuffer"

if grep -qs ^use-xgl "$OPTIONFILE"; then
  if [ -x "$XGL" ]; then
    STARTXGL=yes
  fi
  if [ -r /tmp/.X1-lock ]; then
    xglpid=`cat /tmp/.X1-lock`
    if [ -d /proc/$xglpid ]; then
      echo "Xgl already running"
      STARTXGL=
    fi
  fi
fi

if [ -n "$STARTXGL" ]; then
  $XGL $XGL_OPTIONS &
  DISPLAY=:1
fi

# vim:set ai et sts=2 sw=2 tw=80:

* Here you can use the default compiz installation just by activating it in the Desktop Effects panel in System -> Preferences. To get the much better Beryl working we can install it by adding just a few more steps.
* Install Beryl and friends
apt-get install beryl beryl-manager emerald-themes
* Disable compiz if you enabled it (just in case)
* Run Beryl Manager in Applications -> System Tools.

That’s it. You now have the Manager in the tray that lets to change many aspects including the window decorator (Emerald themes are pretty cool), etc. The Beryl Settings manager give to the power to tweak the aspects of the Effects.

A future article to come covering the effects that are actually useful and productive.

At kernel configure.
Install genkernel and lvm tools “emerge genkernel lvm2″
sensible default config
zcat /proc/config.gz > /usr/share/genkernel/x86/kernel-config-2.6
genkernel --lvm2 --menuconfig all
Continue normally

At Configuring the boot loader.
The grub menu entry may look like this:

title Gentoo LVM
root (hd0,0)
kernel /kernel-genkernel-x86-2.6.19-gentoo-r5 udev dolvm2 root=/dev/ram0 real_root=/dev/vg/root init=/linuxrc
initrd /initramfs-genkernel-x86-2.6.19-gentoo-r5

Continue normally

My procmailrc sorts most of my mail into folders for me. When I was writing the script to parse I decided to categorize my folders to make the statistics more meaningful. This leaves me with 4 types of mail: work (automated reports, logs, and such), [tag]spam[/tag] (SpamAssasin, and discarded mail), lists (mailing lists), and Inbox (everything else).

These stats turned out to be quite interesting, at least to me. Since I am the sysadmin for an ISP, I get tons of email. I get the output for any and all cron jobs, interesting snippets of logs, and all mail addressed to common aliases (postmaster, root, webmaster, abuse, daemon, security, etc). This will cause my work category to be quite large. You can see that my work mail accounts for more than half of all deliveries. If you leave out the work category, my spam accounts for about 80% of all of my email, and that doesn’t count all the crap that SpamAssassin or my own filters don’t catch. Holy cow. Spam is a huge problem.

The big dip this week is caused by my experimentation with new anti-spam techniques. I tried out OpenBSD’s spamd. It is amazing. It reduces spam quite a bit, as you can see here. It would show even better results, but I only used it on one of several balanced incoming mail servers. It is a great implementation of [tag]greylisting[/tag]. However, this technique causes some legitimate mail to be delayed by 5min – a few hours. We had a few complaints from customers about delayed mail, so I had to turn it off. I highly recommend this technique for anyone who is battling spam, doesn’t have extremely picky users, and don’t mind slightly delayed mail from time to time.

I was initially turned off RPM based distributions long ago by the pain of dealing with dependencies, tracking down RPMs, and bloated default installs. I had given them up long since RedHat 8.0. Since then I have given half-assed efforts to look at them a couple of times. Once with FC3, and again with OpenSuse 10.1. Both times was immediately turned off by bloated installs and/or having to hack in apt and external repositories.

This time is going to be different. I am going to keep an open mind. Here are my thoughts as I progressed.

• I just downloaded the DVD image of Fedora Core 6 since my test machine has a DVD drive. I really like single CD installation sources, but maybe I won’t mind a single DVD.
• Why have the installation verify the medium by default. It is extremely rare to get even this far if your medium is somehow damaged. Lame defaults, not lame functionality.
• The installation program (anaconda) is extremely solid and professional looking. RedHat has always had good install programs. IMHO, the installation program isn’t that important, so whoop-de-do.
• The installation has a wonderful partition editor, it allows you to set up complex raids, and/or LVM. Wow! Best one I have ever seen.
• Install seems much quicker than I remeber. I always thought RPM based distros took forever. Perhaps it is because this system is so much faster than my previous test machines.
• Couldn’t boot Fedora. The installer didn’t give me the option to install the boot loader in the MBR of sdb so I picked sdb1. The FreeBSD boot manager couldn’t start it. Oh well, I just ran the rescue from the install disc, and installed grub manually into the MBR of sdb. All better boots fine. Not a problem with Fedora really, just a complicated setup on my end.
• Booted, finished the first boot install step. Holy cow. It properly detected my monitor’s native resolution. Sweet! I have a widescreen LCD with a native resolution of 1680×1050.
  
• Launched Firefox, clicked on the Fedora FAQ link. I learned that Fedora doesn’t install any non-free software. That is wonderful. Even Ubuntu installs a tainted kernel by default. I am so proud.
• I had a look at the xorg.conf and saw the smallest xorg configuration evar. There was no font, monitor, resolution, or mouse configuration info. xorg detected and made everything work perfectly. Is this a feature of xorg 7.1.1, or is this Fedora specific?
  
• Further exploration of the gui reveals all the standard Gnome-y goodness I come to love and expect from my distro.
• The "Add/Remove Programs" is slightly different from Ubuntu, but works just about as well.
• There is a lot of stuff installed by default, but not to the extreme like it used to.
• sudo is not setup by default. I really liked the way Ubuntu locks root, and uses sudo for everything. I had to assign myself to group wheel and enable sudo for the group manually.
• I wanted to install a few other basics I expect to have available. Some are already installed (rsync, mutt, sudo). Some are easily installed using yum (nmap). Some are nowhere to be found (tcpflow, tcptraceroute, etc). This is horrible. After some more reading and poking around I find that there are third parties that publish these packages. WTF! tcpflow and tcptraceroute should be in the Core repository, or at least in Extras. This is a total F$#! up. Why can’t the Fedora community come together and merge the Dag/Dries repository with the Extras repository. They can leave out the non-free stuff, but at least get the obvious stuff.
• On a side note, I think it is very funny that http://ftp.freshrpms.net/ is "Powered by" Debian. ROFL.

In summary, Fedora is no longer a distro to be detested. It’s dedication to Free Software; addition and focus on yum; use of new technology like xorg 7.1; and more conservative default install has made it usable, and almost recommendable. However, it’s repository is extremely lacking, and it needs more thought into default options for some things.

Very early in the article I was upset by a huge lie.

But while Torvalds has been enshrined as the Linux movement’s creator, a lesser-known programmer–infamously more obstinate and far more eccentric than Torvalds–wields a startling amount of control as this revolution’s resident enforcer. Richard M. Stallman is a 53-year-old anticorporate crusader who has argued for 20 years that most software should be free of charge. He and a band of anarchist acolytes long have waged war on the commercial software industry, dubbing tech giants "evil" and "enemies of freedom" because they rake in sales and enforce patents and copyrights–when he argues they should be giving it all away.

This is a complete lie. The FSF has nothing against selling software. The term "Free" they refer to is not about price, but about Freedom. Any journalist with an ounce of responsibility would easily find references to the talk about _Free as in Freedom, not Free as in Beer_. There is even a complete article written by RMS all about selling software.

This immediate lie angered me already. I could handle reading a biased, commercial, anti-Linux article without getting angry. However, once they outright lied about something so obvious, I became very quick to anger. The rest of the article is so obviously biased, I won’t even bother detailing them. I instead will focus on the inaccuracies, or the twisting of hard facts.

Stallman hopes to use that licensing power to slap the new restraints on the big tech vendors he so reviles. At worst it could split the Linux movement in two–one set of suppliers and customers deploying an older Linux version under the easier rules and a second world using a newer version governed by the new restrictions. That would threaten billions of dollars in Linux investment by customers and vendors alike.

The licensing power referred to here is deserved as he and his group actually wrote most of what makes up the "Linux" system. Linux is actually just the kernel of the OS. Lots of other people make the mistake of calling the OS Linux, when it should be GNU/Linux, so I’ll give them a little slack here.

This licensing power is also the same power wielded by "big tech vendors" to do much more heinous things. Examples include: preventing you from playing your **purchased** songs on any player you wish; Restricting your ability to use, modify, and share software that you own; Preventing you from expanding technology.

The only vendors the GPLv3 might threaten are those that are using Free Software to actively do very non-Free things, like Patent lawsuits, DRM, etc. These vendors are not the majority in the industry. It doesn’t threaten customers (end-users) at all.

A cantankerous and finger-wagging freewheeler, Stallman won’t comment on any of this because he was upset by a previous story written by this writer. But his brazen gambit already is roiling the hacker world. His putsch "has the potential to inflict massive collateral damage upon our entire ecosystem and jeopardize the very utility and survival of open source," says a paper published in September by key Linux developers, who "implore" Stallman to back down. "This is not an exaggeration," says James Bottomley, the paper’s chief author. "There is significant danger to going down this path." (Stallman’s camp claims Bottomley’s paper contains "inaccurate information.")

No comment … upset at this writer … I wonder why. Could it be that you tell lies, skew the truth, and bias every word? The only damage it will do is to possibly make vendors, like Tivo, to maintain old versions of GPLv2 software themselves. Is this a big deal? What has Tivo done for our community anyway? This paper sounds just like something Microsoft wrote about Open Source not too long ago. Our ecosystem may change a bit, but if it is good, it will persevere.

Even the Linux program’s progenitor and namesake, Linus Torvalds, rejects Stallman’s new push to force tech companies to design their software his way and to abandon patent rights. Torvalds vows to stick with the old license terms, thereby threatening the split that tech vendors so fear. The new license terms Stallman proposes "are trying to move back into a more ‘radical’ and ‘activist’ direction," Torvalds says via e-mail. "I think it’s great when people have ideals–but ideals (like religion) are a hell of a lot better when they are private. I’m more pragmatic."

Yes, Linus disagrees with RMS. However there is no split to fear. Any developer can choose which version of the GPL to use.

Even the Linux program’s progenitor and namesake, Linus Torvalds, rejects Stallman’s new push to force tech companies to design their software his way and to abandon patent rights. Torvalds vows to stick with the old license terms, thereby threatening the split that tech vendors so fear. The new license terms Stallman proposes "are trying to move back into a more ‘radical’ and ‘activist’ direction," Torvalds says via e-mail. "I think it’s great when people have ideals–but ideals (like religion) are a hell of a lot better when they are private. I’m more pragmatic."

But then, Richard Stallman rarely is pragmatic–and in some ways he is downright bizarre. He is corpulent and slovenly, with long, scraggly hair, strands of which he has been known to pluck out and toss into a bowl of soup he is eating. His own Web site (www.stallman.org) says Stallman engages in what he calls "rhinophytophilia"–"nasal sex" (also his term) with flowers; he brags of offending a bunch of techies from Texas Instruments by plunging his schnoz into a bouquet at dinner and inviting them to do the same.

Come on. This has nothing to do with the article. If his strangeness would have any effect on the community, it would have happened many years ago. This is total crap.

And though he styles himself as a crusader for tech "freedom," Stallman labors mightily to control how others think, speak and act, arguing, in Orwellian doublespeak, that his rules are necessary for people to be "free." He won’t speak to reporters unless they agree to call the operating system "GNU/Linux," not Linux. He urges his adherents to avoid such terms as "intellectual property" and touts "four freedoms" he has sworn to defend, numbering them 0, 1, 2 and 3. In June Stallman attempted to barge into the residence of the French prime minister to protest a copyright bill, then unrolled a petition in a Paris street while his adoring fans snapped photos.

Another lie. RMS never said his rules (GPL) are necessary for people to be free. His GPL is just another Free Software license developers can use if they want. His organization publishes a list of other Free Software license alternatives.

As programmers wrote hundreds of building blocks to add to Linux, Stallman’s Free Software Foundation persuaded them to hand over their copyrights to the group and let it handle licensing of their code. Stallman wrote the central license for Linux: the GNU General Public License or GPL. For his part, Linux creator Torvalds never signed his creation over to the group–but he did adopt the GNU license, granting Stallman further sway.

What programmers? If the author is referring to the programmers of GNU, they did most of their work long before Linux. Therefore Linux was added to GNU, not vice-versa. If the author was referring to any Open Source programmer, he never asked nor required any of them to hand over their copyrights. Stallman has no control over programmers who choose the GPL. However he will help defend them, when they need it.

In recent years Stallman and the FSF have been cracking down on big Linux users, enforcing terms of the existing license (GPLv2, for version 2) and demanding that the big tech outfits crack open their proprietary code whenever they inserted lines from Linux. Cisco and TiVo have been targets; Cisco caved in to Stallman’s demands rather than endure months of abuse from his noisy worldwide cult of online jihadists. Nvidia, which makes graphics cards for Linux computers but won’t release enough of the code behind them to satisfy Stallmanites, also came under attack. "It’s an enemy of the free software community, so we call them ‘inVideous,’" says Peter Brown, executive director of the Free Software Foundation.

This is true, but the description of jihadists should be placed on Cisco and TiVo. It was Cisco that was trying to steal the GPL code and use it for their own purposes. This is breaking the terms of the license, hence breaking the law. Cisco caved in because they were caught breaking the law and didn’t want to piss off the Free Software community, especially since we make up a huge portion of their customers.

One big potential victim of the Stallman stunt is Red Hat, the leading Linux distributor, with 61% market share. Red Hat bundles together hundreds of programs contributed by thousands of outside coders. If Linus Torvalds sticks with his old kernel under the older and less restrictive version-2 license, and Stallmanites ship version-3 code, what is Red Hat to do? The two licenses appear to be incompatible. There’s also the problem of forfeiting patent enforcement rights if Red Hat ships v3 code. Red Hat could stay with an entirely "v2" Linux system, taking on the burden of developing its own versions of whatever programs move to v3. But it’s not clear that Red Hat has the staffing to do that.

More crap. First, RedHat has not commented on anything regarding GPLv3. Second, GPLv2 and GPLv3 are compatible. In fact, GPLv3 is more compatible with other licenses than GPLv2 was. RedHat would only be forfeiting patent enforcement rights on code RedHat wrote and released unter GPLv3. RedHat is more than capable of releasing their own code under the GPLv2 and ship it with other programs licensed under GPLv3. Shipping programs together does not mean they must be licensed the same.

"Red Hat gets a lot of code from people who don’t work for Red Hat. They would have to replace all that and do the work in-house," says Larry W. McVoy, chief executive of software developer Bitmover and a longtime Torvalds collaborator. Even then, however, Stallman and his loyalists may carry on developing their own v3 versions. This "forking" of multiple incompatible versions could lead to "Balkanization" and derail Linux, the Torvalds camp warns.

Red Hat and other Linux promoters also may find themselves in an awkward spot with customers. "IT managers want to buy stuff that puts them at as little risk as possible. If there was a risk that Stallman could become such a loose cannon, that’s something most IT managers would have wanted to know before they bet their companies on Linux," McVoy says.

The only reason why RedHat may want to "fork" GPLv3 licensed programs, is if they want to modify these programs in such a way that would be disallowed by the GPLv3, or sell to a client that wants to do this. It is important to ignore this author’s assumption that the whole operating system must be licensed the same way. Just because Bash might be licensed GPLv3, doesn’t mean that Apache is licensed that way. You would only need to fork Bash if you want to modify Bash to add in DRM, or to enforce patents you have in your modifications to Bash. Obviously this is highly unnecessary.

It is quite interesting that the author would talk to McVoy about this. McVoy has even less credibility on this issue than just about anyone else. His company BitMover sells a proprietary product called BitKeeper. Yes, McVoy collaborated with Torvalds. In fact, Torvalds was using BitKeeper for his Linux development. Torvalds later found out that using proprietary software could bite him in the butt when he had to switch to something else.

Both McVoy and Torvalds should know more than anyone that the risk in using proprietary software is much greater than that of using Free Software. The absolute worse case scenario you can have with Free Software is having to maintain updates to it yourself. Worst case in proprietary software could mean finding another software package, but possible loss of data. No intelligent IT manager would consider the issue of the GPLv3 to be more of a risk than that of proprietary software.

Bottom Line is that neither Richard Stallman’s crusading, nor the GPLv3 will tear the GNU/Linux community apart. It may cause a few minor problems for patent enforcers, and DRM developers that are leeching off the GNU/Linux community. These vendors won’t hurt that much either, they can just maintain their own old versions, or switch to any of the BSD-licensed alternatives.

Last week I used quite a bit of bandwidth on my colocated server. Part of it was due to leaving a bittorrent of a few episodes of “Weeds” running for a few days. Those sure are popular, but I have the max upload rate limited to 800KBps. Not enough to cause problems, but enough to share my generous amount of bandwidth.

While Bittorrent can eat up quite a bit of bandwidth, it wasn’t the culprit. The problem was Tor! I misread the documentation for BandwidthRate and BandwidthBurst. I thought it was in bps (bits), but, in fact, it was in Bps (bytes). Whoops! When I was going through the normal everyday sysadmin duties I noticed that our primary backbone link was a lot closer to being full than it normally should be. A little poking around and I found that my own server was eating up about 14Mbps. I shut it off immediately, and headed for the documentation. To my surprise FAQ 5.17 is very clear about the units for the BandwidthRate. I am a total idiot. Config fixed, tor restarted.

I am not one of those privacy nuts that won’t do anything that isn’t anonymized or encrypted. In fact I tried using tor myself for about 2 minutes. It was painfully slow. I don’t really care who sees most of my traffic, and the traffic I do care about is already either SSL’d or ssh tunneled. However, I understand the occasional need for tor, and it’s obvious benefits. Since I have so much bandwidth available that no one will be using, I thought I would share. Ain’t it nice to be sysadmin of your own ISP.

Interesting note: So far in the first 10 days of this month I have used 981GB on my server. Holy bejeezus

My dad’s cell phone died. He was still using my old Motorola v60i phone on the
old legacy AT&T network. I am going to add him to my Sprint plan, and here
comes the good part. It is a great chance to buy a new phone for myself, and
give him my old one! Yay, new phone. I really wanted the new Chocolate by LG,
or the RAZR. Both really hot phones. But Sprint doesn’t have either.
So I picked the next best phone they have… the Samsung
A900.
It is almost as hawt as the RAZR, and doesn’t cost an arm and a leg. Now, I
just have to wait for it to ship.

I am totally digging Joanna
Newsom. She has a totally strange
voice that grows on you. I heard Bridges and
Balloons on
Yeast Radio quite a few times, and fell in love.
Since then, I have bought the whole album. Check it out.

* Freedom 0: The freedom to run the program, for any purpose.
* Freedom 1: The freedom to study how the program works, and adapt it to your needs. Access to the source code is a precondition for this.
* Freedom 2: The freedom to redistribute copies so you can help your neighbor.
* Freedom 3: The freedom to improve the program, and release your improvements to the public, so that the whole community benefits. Access to the source code is a precondition for this.