I’ve just put up a new tutorial (strangely enough about the title)! You can read it here.

I’ve been a little lax in properly reading my RSS feeds of late. But this article on Australia being 11th in broadband penetration caught my eye before I used the magic mark all as read.

While I am entirely hesitant to truly believe what is said in this article: 1) because it seems deliberately vague; and 2) There are no references nor can I find another correlating story. If it is true then my initial response must be: being 11th doesn’t mean it’s good enough. But then one should look a little deeper at the top 10 results: South Korea, Singapore, and Taiwan are very different, demographically and geographically, from Australia you’re really comparing apples and oranges which, we all know, just doesn’t work.

Compare two metro areas: Sydney and Seoul. I know that Sydney will have worse services at higher prices. Which obliterates the “is good enough” argument. I feel that access should be equivelent – it’s not like the technology doesn’t exist. And then to bring it home: Sydney vs Cobar; no points for guessing the outcome there.

All this got me thinking though: I just managed to crack the 3 digit friends size on Facebook (shameless linking). If all we’re generally using our broadband for is socialising: do we need 100Mbps or FTTH? No I don’t think so. And believe me I like my internet(s) to be fast.

That’s apathy though.

To Senator Minchin: it’s not a competition, it’s about having good service for reasonable price, and those stats to be globally equivelent. Let’s pick the technology we should have in place nation wide and implement it.

I really like pfsense it makes a really good firewall, router, vpn connector – alone or together. The web interface is intuitive and the first-run wizard “just works”. I am using it to run an OpenVPN VPN.

OpenVPN comes with a feature called “TLS Auth”: which basically uses TLS to encrypt the SSL handshake between client and server. Ok that wasn’t basic: makes saying hello safe. However the pfsense GUI for configuring an OpenVPN server does not, yet, support tls-auth. As documented in the previous link you can add custom configuration options and manually create the file until v1.3 is released.

Here’s the point: The pfsense + openvpn boot scripts will write the OpenVPN configuration files and security certificates to: /var/etc/openvpn_serverX.* (X being the instance number). So for consistency you might be inclined to create your tls-auth file as /var/etc/openvpn_serverX.tls.

DON’T!

The /var/etc folder gets cleared on reboot. Which is a feature of pfsense’s PHP init scripts + in hind sight sensible.

So today’s lesson is: When manually specifying tls-auth support for OpenVPN on pfsense-1.2.X put the tls-auth file in /etc/openvpn_serverX.tls so that it is persistent.

The government announced NBN2 and the globe kept spinning; nothing new to see here. However we (as in Australia) got a regulatory review and that was probably a good outcome. As I’ve been half following the NBN in the news I’m finding some of the review findings/submissions interesting. However there are some things that just make me want to go into cryogenic stasis – I might see something change that way.

To think that this is even a source of contention is rediculous. The practical requirement, in my opinion, of getting HIGH speed internet(s) is Fiber to the x, FTTN being the most likely for a first build out, which means optical fiber needs to be run to every pit of every exchange. (NB. I refuse to use the word broadband as it is really a description of relative technologies; not a service).

The risks of having hanging cables are many. Downtime from damage is a biggie. But that is entirely irrelevent. Pits can flood shorting out the copper circuits; someone can dig before dialing; etc… and security wise: it’s not like the current copper network is at all protected from someone who knows how to patch a copper pair – having said that optical fiber splicing is arguably harder so that’s a plus for “back to the exchange”.

None of those risks qualify my statement of rediculous though.

We have perfectly functional cabling conduit and other accesses for rolling out FTTN. The position should be they will be used. To all the people involved: Get over the bureaucracy and get something done for once. Conroy/DBCDE: buy back the wholesale stuff from Telstra – that’s the governments penalty for not seperating during the privatisation; Telstra shareholders: set a price for the buy out – consider it a forced buy out or unfriendly takeover if you will but take a spoon of toughen up: other countries privatisation arrangements seperated wholesale and retail from the outset; Telstra was a bubble that is now going to either burst or be popped; and that writing was on the wall from day one.

In summary: there shouldn’t be an option. It’s rediculous.

The Australian government should buy back Telstra’s wholesale and infrastructure. At a cost amicable to the shareholders but, as is the case with stock risk, for no more than what the current market would expect.

That’s it. That’s my idea.

If you want a reason go lookup the NBN project; Telstra’s opposition to it; ACC investigations into monopolising and then some; current Telstra share price; comparative international service cost differences; etc… in other words there are many reasons.

Oh I’d love to be there when someone introduced this as a bill to parliament.

If you’re running Zimbra, or planning to, then chances are you will want to use SSL to secure your client connections. The Zimbra wiki has quite a few articles on doing this but they all seem a little over written if all you need to do is create a CSR and sign it (with your own CA or using a paid for service).

So here is my no frills howto make, sign, and deploy:

Always use absolute path names – otherwise you’ll get strange warnings – everything seems to work – but you’ll get strange warnings.

1. Generate a CSR (as root):
   /opt/zimbra/bin/zmcertmgr createcsr comm -new -subject "/C=Country/ST=State/L=City/O=Company/OU=Department/CN=zimbra.domain.name" -subjectAltNames "webmail.domain.name,pop3.domain.name"
   You can leave out subjectAltNames altogether if you don’t need it.
2. This will create /opt/zimbra/ssl/zimbra/commercial/commericial.csr (and .key) copy the CSR to where your CA needs it.
3. Sign the CSR. If you’re using your own CA:
   openssl ca -config openssl.cnf -policy policy_anything -out certs/commercial.crt -infiles commercial.csr
4. Copy signed CRT + CA CRT to:
   • /opt/zimbra/ssl/zimbra/commercial/commercial.crt
   • /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt
5. Install the certificate (as root):
   /opt/zimbra/bin/zmcertmgr deploycrt comm /opt/zimbra/ssl/zimbra/commercial/commercial.crt /opt/zimbra/ssl/zimbra/commercial/commericial_ca.crt

Now use zmcontrol to stop and restart your Zimbra processes and off you go.

If you receive errors about TLS and ctx when trying to start LDAP then it’s likely your CA didn’t install properly. Follow the instructions in this post and then zmcontrol start. Once up and running try step 5 again.

I spent a few hours this afternoon upgrading some of the work firewalls, which run pfSesne, from v1.2 to v1.2.1. Which was released a few days ago. Here are my notes and warnings after following the Install and Upgrade documentation.

In theory, the upgrade is meant to be fairly straight forward. You can try to do an online upgrade. However there are documented issues with that. The other option is to reinstall, which in this case means: reflash the CF cards. So long as you have a config backup then you can simply restore your settings and off you go. All in all:

1. Download the new image file
2. Stick the CF card in your CF card adapter
3. zcat pfsense.img.gz | dd of=/dev/XYZ bs=16k
4. Stick the CF card back in the firewall
5. Boot and restore the config

Gotcha #1: The new image does not have any network setup by default. In theory, once again, you should have a serial cable (DSUB 9) that you use to access the serial console of your firewall. Configure a LAN interface address, then use the web interface to restore the config file. Unfortunately I did not have a serial cable; we’ll leave why out of it. I dealt with this by building a config file within the embedded image before writing to the CF card. You’ll need QEMU to do this. Note these steps derived from the Mac_OS_X_together_with_qemu section of the Install documentation.

# Unzip the embedded image and start it with QEMU;
# - Two NICs LAN / WAN
# - The qemu command is all one line
gunzip pfsense.img.gz
qemu -hda pfsense.img -net nic,vlan=0 -net nic,vlan=1 -serial telnet::7890,server,nowait
# Now open a terminal and fake a serial console with telnet
telnet localhost 7890
# You'll need to configure your network devices during boot.
# I used generic settings so I could flash the image to multiple cards
# When you reach the main menu push 8 for a shell
mount -u /cf
cd /conf
vi config.xml
# Check the interfaces are configured properly then
exit
# Choose option 6 to halt the emulated machine.
# Write the updated image to your CF card
dd if=pfsense.img of=/dev/XYZ bs=16k

QEMU is available for most major incarnations of most operating systems. The above are fairly Linux specific but should be easy enough to translate; dd is a physical disk dump program.

Gotcha #2: Bogon Networks! Are updated by a cron script on the 1st of each month at 3:01AM. Unfortunately the default list includes IP’s assigned by Optus Wireless Broadband – which means if I’m using one of Works USB modems I can’t access the servers. That’s bad!. Really the bogon list should be updated during the setup wizard if you turn bogon filtering on. See this pfSense forum topic for how to manually update your bogon filter.

Gotcha #3: Your backup config file DOES NOT contain certain settings. OpenVPN configurations for example. Make sure you have a copy of any custom settings not contained in the backup config file; otherwise be prepared to reconfigure.

And that’s all.

I am a little bored; and very hot. In search of something to do: Something, productive, to do. I decided to come back to the blog. This will be my grand 7th post for the year. Wow going strong. Which has made me start to consider the foot print I have made, or has been made for me, in the vast interwebs. A few years back, circa 2001, a Google ego search was pretty pointless, but now it can be an interesting thing to do.

For example my name is used for page rank boosting. For those who care I realise that search algorithms are much more complex. My point is simple: the foot print is more like graffiti – all over the place – some good and, well… you get the point. And finally: impossible to eradicate. There is also a prominent GCC mailing list post that is totally misleading bordering on stupidly wrong. More generally, people have covered the web with information. And as my grand total of 7 posts would seem to indicate. Often interest in maintaining that information dies. Thus the information is left to it’s posterity. Whatever that may be.

What follows is just random things I remember. If you want the references look them up yourself.

2008 has been the year we’ve seem explosive growth in the micro-blog (i.e. Facebook / Twitter); the call for “death of blogs” / “long live the blog”; chrome; increased censorship debate; ongoing and expanding delivery of the OLPC; daily mashups helped along by hosted libraries and apis; the smart phone; and so on… We have sufficient disk space to store it all. Search will continue to develop as our gateway to the info. Eventually we may even get a semantic web.

However, what is the ongoing point of dead (i.e. unmaintained) information? What is it’s posterity? Some would argue, as evidenced by the NASA lost ability to read tapes farce, that the posterity is in the accessibility. Others perhaps would lean towards Catch-22: Why not?

Both are valid. But both ignore that it’s not 1300 anymore. You can’t know everything. So I wonder: Are we going to end up with billions of “Fermat’s Last Theorem”-esque pieces of information? Probably. Does it really matter? Probably not.

And so, finally, back to this blog: What is it’s posterity? Hopefully being relevant enough to keep useless information out of the way. But, just as in life, you live for the day, the information here was, is and future posts will continue to be, relevant for their publication date. If you’re reading this in December of 2108: Sorry but I probably can’t help you. Not unless I live to 124. And hey that’d be another piece of information. Because, at least officially, the oldest living person to date is 122. How ironic

I’ve just uploaded a new tutorial to the Tutorials page on MultiWAN Routing with a Linux server (direct link).

At work recently, to meet our growing on-the-go connection demands, we got hold of some of the Optus Wireless USB modems. The rebadged Huawei E220. In the spirit of my previous posts on Telstra NextG under Linux, I want to use these with Linux. They are natively supported in recent kernels which is great news. There were a few gotchas with Ubuntu 8.04 though.

Gotcha 1
It seems in there is a bug in the airprime module in the kernel I am running. There is a bug report for the error and fortunately an easy enough fix.
$ uname -ar
Linux pegasus 2.6.24-19-generic #1 SMP Wed Jun 18 14:15:37 UTC 2008 x86_64 GNU/Linux

To fix you need to blacklist the airprime module so it does not load. This of course is only until a proper code fix / new kernel is released. You can read about how to black list here. You will need to unplug / replug the device after removing the module and blacklisting.

Gotcha 2
I use pppconfig and the associated pon / poff / plog commands to dial up. There are graphical programs available but the CLI ones are so much quicker for me: plug in modem, open terminal, run pon optus, use connection.

In the case of the Next G device pppconfig managed to create a working set of ppp scripts. Unfortunately that wasn’t the case for the OWB device. Here are the ppp and chat scripts I am using the connect:

cat /etc/ppp/peers/optus
hide-password
noauth
connect "/usr/sbin/chat -v -f /etc/chatscripts/optus"
/dev/ttyUSB0
115200

user ppp
password ppp

noipdefault
replacedefaultroute
defaultroute
persist
noauth
usepeerdns

user ppp
password ppp

debug
local
novj
nodeflate
nobsdcomp
passive

holdoff 5
lcp-echo-interval 0
crtscts

AND

cat /etc/chatscripts/optus
TIMEOUT 3
ABORT BUSY
ABORT 'NO CARRIER'
ABORT VOICE
ABORT 'NO DIALTONE'
ABORT 'NO DIAL TONE'
ABORT 'NO ANSWER'
ABORT DELAYED
"" ATZ

OK AT&FE0Q0V1
OK 'AT+CGDCONT=1,"IP","Connect"'

OK ATDT*99***1#
TIMEOUT 30
CONNECT ""

Happy interneting!