25/01/2007
Vivodi Full LLU and Packet Filtering?
Yesterday I was trying to help someone on IRC install gentoo (no comments needed 😛 ). He had read the gentoo handbook and reached the point where you have to download the stage3 tarball (section 5a of the handbook). He happily starts downloading the stage3 tarball from the ntua mirror (http://ftp.ntua.gr/pub/linux/gentoo/releases/x86/current/stages/stage3-i686-2006.1.tar.bz2) and suddenly it gets stuck at 72%. He starts it again…same thing. He tries ftp instead of http….same thing. I show him wget -c so that he can resume…nothing…it would not resume. I tell him that at home I download it just fine (Vivodi over an OTE line)…and give him the uoi mirror. He starts the download from the beginning, and at 72% it cuts out again. He tries downloading the file from windows so that he can move it to gentoo on a usb flash drive afterwards, stuck at 72% again. He tries a mirror in Germany, same thing…while I download it perfectly well over 2-3 different dsl lines. I tell him this can't be…you must have some network problem. I ask him to open ssh for me on the PC where the install was going to happen, and I try to download it myself…nothing…neither with links nor with wget, always stuck at 72%. The network card was working fine…collisions, errors, all zero.
I say…this can't be, your modem must have a problem, some time-out is happening…I can't figure it out. I ask him whether he has a second adsl modem, he says yes and swaps it straight away. The download starts again, and at 72% the same thing again. By now the situation was enough to make you cry.
I ask him what connection he has and he answers Vivodi Full LLU in Patras. I then ask him whether he has any other friend/acquaintance with full LLU in Patras and he says yes. He gets that acquaintance to download the same file…and yes…it gets stuck at 72%!!!! At the same time this acquaintance tells him that Vivodi is rumoured to have set up filtering at some points in its network…
The last hope was to tweak the uoi mirror so that it also answered over https, so that the packets would be encrypted and no filter of any kind could catch them. He tries to download it over https…and it actually worked! It went past 72% and completed without any problem…
The conclusion is that Vivodi's dslam in Patras is definitely problematic. It is very likely that Vivodi applies some packet filtering, and that this particular file triggers one of vivodi's filters at "72%" and gets corrupted from then on. I can't explain it any other way. If anyone can and has a different explanation…we would gladly hear it…Also, if anyone with full LLU from Vivodi has a little spare time, try downloading the file:
http://ftp.uoi.gr/mirror/OS/gentoo/releases/x86/current/stages/stage3-i686-2006.1.tar.bz2
and tell us whether it gets stuck at 72%. If it does, also say which city/area you live in…maybe we'll get to the bottom of it…
Needless to say, when this person phoned Vivodi today to ask how and why…they had nothing to tell him. But who is going to compensate him for the 4-5 hours or more that he lost, which nearly drove him to hysteria?
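A practical check for this kind of situation, added here as an example and not part of the original post: Gentoo mirrors publish a DIGESTS file next to each stage tarball, so a transfer that was cut short or altered in transit can be caught by comparing sizes and hashes instead of guessing from the progress bar. The script below assumes a DIGESTS layout of a `# SHA1 HASH` header followed by `<hash>  <filename>` lines (that layout, the file names and the exit codes are assumptions), uses sha1sum from coreutils, and reports how far a truncated transfer got.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded stage
# tarball against its DIGESTS file and report truncation.
# Assumed DIGESTS layout (constructed for this example):
#   # SHA1 HASH
#   <sha1 hex>  stage3-i686-2006.1.tar.bz2
# Usage: verify_download FILE DIGESTS [EXPECTED_SIZE]
# Exit codes: 0 ok, 1 hash mismatch, 2 missing file/entry, 3 truncated

# Print the SHA1 recorded for FILE's basename in the DIGESTS file, if any.
expected_sha1() {
    name=$(basename "$1")
    awk -v f="$name" '
        /^# SHA1 HASH/  { want = 1; next }   # entries until the next header are SHA1
        /^#/            { want = 0; next }
        want && $2 == f { print $1; exit }
    ' "$2"
}

verify_download() {
    file=$1; digests=$2; expected_size=${3:-}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }

    # A transfer that stopped early shows up as a short file; say how far it got.
    if [ -n "$expected_size" ]; then
        actual_size=$(wc -c < "$file")
        if [ "$actual_size" -lt "$expected_size" ]; then
            pct=$((actual_size * 100 / expected_size))
            echo "TRUNCATED: $file has $actual_size of $expected_size bytes (${pct}%)" >&2
            return 3
        fi
    fi

    want=$(expected_sha1 "$file" "$digests")
    [ -n "$want" ] || { echo "no SHA1 entry for $(basename "$file") in $digests" >&2; return 2; }
    have=$(sha1sum "$file" | awk '{ print $1 }')
    if [ "$have" = "$want" ]; then
        echo "OK: $file matches $want"
        return 0
    fi
    # Corrupted in transit (or the wrong file): never unpack it.
    echo "MISMATCH: $file has $have, expected $want" >&2
    return 1
}
```

Even a download that runs to completion is only known to be good after the hash comparison; the size check is just the fast way to spot the "stuck at 72%" case before hashing a file that is obviously incomplete.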
Filed by kargig at 03:30 under Encryption,Gentoo,Greek,Internet,Linux,Networking,Privacy
1 Comment | 8,563 views
24/01/2007
Thoughts on the evolution of Operating Systems
Linux is a multiuser operating system “designed to be secure by design”. Each user has its own home directory and can only execute the applications that the Administrator (root) of the system has allowed him to. That means that users who want to run privileged applications must either have root’s permission to do so or are asked for a password to escalate their privileges. So every Linux user not only knows the difference between a simple user and the “root of all evil”, but is well aware of where/when to use passwords, what file permissions are, and so on and so on. A Linux user has (or had, until recently) given up pretty graphics in favor of a more stable, more secure and more “free” operating system.
Windows is a (multiuser?) operating system with the emphasis on usability. Since the first Windows versions, Windows users got used to being able to do almost everything without ever being asked for a password other than the one at the login screen. Sometimes there wasn’t even a login screen. A Windows user is used to doing administrative tasks with his everyday account. Most Windows users don’t even know about file permissions and how to use them on their system. That makes life both easier and riskier.
Until broadband came into our lives at the very end of the 20th century, when Windows 98 and ME ruled the IT universe, Windows users had very little to fear. While they only exchanged files with their friends on floppies and cdroms, and their computers were not online 24/7, remote exploits, internet worms and trojans were unknown words to them. A decent antivirus was the only thing required. Windows 98/ME did not even have “services” running on them by default (apart from shared folders). During that time Microsoft only had to worry about making their users’ OS easier and more beautiful. And they were pretty successful at that.
Their server (NT) version, though, had tons of problems. It was incompatible with a lot of software and was easily attacked by internet worms. The number of service packs for NT reached a ridiculous number, and still Microsoft couldn’t handle all the problems. Their enhanced server edition, Windows 2000, was a lot better than NT, but the security weaknesses remained. What made Windows NT and Windows 2000 so insecure was that they were supposed to be online 24/7. The bad guys attacked WinNT and Win2K because they could then use them for their own purposes. A hacked Win98 box behind a dialup was useless compared to an always-online Windows server. While more and more Windows 2000 servers were getting online and worms hammered them, more and more people started bitching at Microsoft about it. Microsoft tried to fix those problems with numerous service packs, but that wasn’t enough.
Then came Windows XP, the first Microsoft OS for end users that had various services enabled by default. At the same time more and more people started having broadband at their homes. Now the bad guys had something new and more powerful to fiddle with, and it wasn’t long until the first remotely exploitable problems appeared. The bad guys created worms and trojans that attacked WinXP, the OS of millions of users. User machines outnumber server machines by millions, and they were all probable targets/victims for those worms. If a remotely exploitable vulnerability had somehow been found for Win98, the impact would have been a lot smaller because the number of online PCs was a lot smaller back then. Every remotely exploitable hole found for XP drove users crazy. XP was not designed to be secure, it was designed to be a _lot_ more beautiful than 98/ME. It was designed with multimedia, games, office work, etc. in mind. People started asking for more than an antivirus for their PCs and a new word came into every Windows user’s life: “Firewall”. Then came service pack 1, then service pack 2…and problems still existed and will exist even if a service pack 3 is launched sometime in the future. One of the basic problems with Windows XP is that it doesn’t help users understand how and when to use the Administrator account. Most users create a user with Administrator privileges during XP’s installation process and then run their machines with that admin account. This is _plain_ wrong. Every Windows XP user feels that he can do everything he wants with his PC without ever being asked for a single password. So when something infects their PC and runs with their user’s privileges, it actually runs as the administrator of the machine. This leads to total destruction.
Vista is said to have a different approach to security, though. It has supposedly been built from scratch with security in mind. Users are now ‘just users’ and their default account does not have administrative privileges. So every time they want to do an administrative task, dozens of warnings appear before them. That supposedly ensures that nothing can run with administrative privilege unless the user explicitly wants it that way. Someone I know who used Vista told me that Vista makes you think it’s for more advanced users than XP was. All these notifications that pop up asking you for permission to do this and that make you feel a bit uncomfortable. New computer users who first stumble upon Vista will feel much more uncomfortable with that OS than they would if their first OS had been XP. And that’s bad for a “Windows OS”: every version until Vista was easier to use than the previous one, apart from Vista…which is harder.
Microsoft with Vista acts like a parent who has spoiled their children for a veeeery long time, giving them free chocolates and candies even though they knew that by doing this they were hurting their children’s health, and is now trying to put them on a diet. And this just can’t be done. Windows has spoiled users for more than 10-15 years and it’s too late to start telling people, “Hey, mind your security!”. “Your account is now on a diet, no more candies for you”.
When Vista starts spreading among users (maybe a year from now?), users themselves will gradually understand more and more about security concepts. They will start to understand why it is so important that the administrative account is something completely different from theirs and why they should only “touch” it occasionally. Vista might be a lot more beautiful as an OS but it will be a lot more difficult for users to “manage”. Nag screens will be all over the place. Passwords might frequently be asked for in order to change something fundamental in the system.
Where does this lead? Users will get more and more acquainted with the whole idea of administrator rights and Linux will not look so much like an alien OS to them. The transition from Windows to Linux will get easier and easier as Linux becomes (slowly and painfully) better looking and Windows becomes (slowly and painfully) more secure.
Every OS has a different beginning and a different approach to evolution, but they tend to meet somewhere in the future. They have just taken different roads to reach their goal. Windows prefers user-friendliness over security and stability and Linux prefers it the other way around.
Filed by kargig at 03:28 under General,Internet,Linux,Privacy
1 Comment | 6,345 views
14/01/2007
Traffic shaping TorrentFlux
*Update on peers supporting encryption at the end of the post*
TorrentFlux is a great program/interface to download your torrents remotely on a linux machine. It is based on php and it uses a modified bittornado client to download the torrents.
The problem: the bittornado client is able to put specific limits on a per-torrent basis. That means that you can put a 100kb/sec download and a 50kb/sec upload limit per torrent through torrentflux’s web interface. If you have 20 torrents though, this easily becomes a 20*50=1Mb/sec upload “limit”. There are cases where you don’t want this to happen and you want both a per-torrent limit (e.g. 50kb/sec) and a global limit (e.g. 300kb/sec).
The solution: my solution is based on iptables, the layer7 filter and tc (iproute2). I use the layer7 filter to pick out the bittorrent packets, iptables to mark those packets with specific values and tc to shape the marked packets into classes. Beware that the method I am using works mostly on the “uploading” part (outgoing traffic). It is not that hard to make it work for incoming traffic as well, but it is my personal view that downloading at a few Mb/sec is not as harmful as uploading at a few Mb/sec. I usually have my downloads seeded over many weeks…so it’s good for my ratio to have the torrent downloaded as fast as possible and then seed it endlessly. I usually like to seed until I get a ratio over 1000% per torrent (that means 10 times as much uploaded traffic as downloaded). The following example configs were created for use on a 100mbit line, keeping in mind that outgoing torrent traffic should not exceed 2-2.5Mbits (~250-300kb/sec).
The procedure:
0) Before you begin make sure you have the kernel sources on /usr/src/linux.
1) Then you need to patch your kernel for layer7 filtering and enable marking. On gentoo linux you only need to:
#emerge -avt net-misc/l7-filter net-misc/l7-protocols
and then configure your kernel for marking.
Here’s what my netfilter configuration looks like:
CONFIG_NETFILTER=y
# CONFIG_NETFILTER_DEBUG is not set
# CONFIG_BRIDGE_NETFILTER is not set

#
# Core Netfilter Configuration
#
# CONFIG_NETFILTER_NETLINK is not set
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_TARGET_CLASSIFY=m
# CONFIG_NETFILTER_XT_TARGET_CONNMARK is not set
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFQUEUE=m
CONFIG_NETFILTER_XT_MATCH_COMMENT=m
CONFIG_NETFILTER_XT_MATCH_CONNBYTES=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_DCCP=m
CONFIG_NETFILTER_XT_MATCH_ESP=m
CONFIG_NETFILTER_XT_MATCH_HELPER=m
CONFIG_NETFILTER_XT_MATCH_LENGTH=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=m
CONFIG_NETFILTER_XT_MATCH_MAC=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
# CONFIG_NETFILTER_XT_MATCH_POLICY is not set
CONFIG_NETFILTER_XT_MATCH_MULTIPORT=m
CONFIG_NETFILTER_XT_MATCH_PKTTYPE=m
# CONFIG_NETFILTER_XT_MATCH_QUOTA is not set
CONFIG_NETFILTER_XT_MATCH_REALM=m
CONFIG_NETFILTER_XT_MATCH_SCTP=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
# CONFIG_NETFILTER_XT_MATCH_STATISTIC is not set
CONFIG_NETFILTER_XT_MATCH_STRING=m
CONFIG_NETFILTER_XT_MATCH_TCPMSS=m

#
# IP: Netfilter Configuration
#
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_CONNTRACK_MARK=y
# CONFIG_IP_NF_CONNTRACK_EVENTS is not set
CONFIG_IP_NF_CT_PROTO_SCTP=m
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NETBIOS_NS=m
CONFIG_IP_NF_TFTP=m
CONFIG_IP_NF_AMANDA=m
CONFIG_IP_NF_PPTP=m
CONFIG_IP_NF_H323=m
CONFIG_IP_NF_SIP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_IPRANGE=y
CONFIG_IP_NF_MATCH_LAYER7=m
# CONFIG_IP_NF_MATCH_LAYER7_DEBUG is not set
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_RECENT=m
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_OWNER=m
CONFIG_IP_NF_MATCH_ADDRTYPE=m
CONFIG_IP_NF_MATCH_HASHLIMIT=m
CONFIG_IP_NF_FILTER=y
CONFIG_IP_NF_TARGET_REJECT=y
CONFIG_IP_NF_TARGET_LOG=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_IP_NF_TARGET_REDIRECT=m
CONFIG_IP_NF_TARGET_NETMAP=m
CONFIG_IP_NF_TARGET_SAME=m
CONFIG_IP_NF_NAT_SNMP_BASIC=m
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_NAT_TFTP=m
CONFIG_IP_NF_NAT_AMANDA=m
CONFIG_IP_NF_NAT_PPTP=m
CONFIG_IP_NF_NAT_H323=m
CONFIG_IP_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_TARGET_TOS=m
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=m
CONFIG_IP_NF_TARGET_TTL=m
CONFIG_IP_NF_TARGET_CLUSTERIP=m
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_ARPTABLES=m
CONFIG_IP_NF_ARPFILTER=m
CONFIG_IP_NF_ARP_MANGLE=m
You can clearly see layer7 being enabled as a module: CONFIG_IP_NF_MATCH_LAYER7=m
Rebuild your kernel and install the proper modules. If you need to reboot your machine to apply the new kernel do it now.
2) Now it’s time to install iptables and iproute2 if you don’t have them already. On gentoo linux:
#echo "net-firewall/iptables extensions l7filter" >> /etc/portage/package.use
#emerge -avt net-firewall/iptables sys-apps/iproute2
3) Now it’s iptables marking time. I am going to show you (some of) the output of my iptables-save command. Change it to fit your needs:
# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*mangle
:PREROUTING ACCEPT [1102387:193393325]
:INPUT ACCEPT [1102372:193390208]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2100485:2922693566]
:POSTROUTING ACCEPT [2100483:2922690566]
-A PREROUTING -s IP.OF.MACHINE -p tcp -m multiport --sports 22,80 -j MARK --set-mark 1001
-A PREROUTING -d IP.OF.MACHINE -p tcp -m multiport --dports 22,80 -j MARK --set-mark 1001
-A PREROUTING -m layer7 --l7proto ssh -j MARK --set-mark 1001
#-A PREROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
-A PREROUTING -m mark --mark 1001 -j RETURN
-A POSTROUTING -s IP.OF.MACHINE -p tcp -m multiport --sports 22,80 -j MARK --set-mark 1001
-A POSTROUTING -d IP.OF.MACHINE -p tcp -m multiport --dports 22,80 -j MARK --set-mark 1001
-A POSTROUTING -m mark --mark 1001 -j RETURN
-A POSTROUTING -m connmark --mark 0x0 -j MARK --set-mark 11030
-A POSTROUTING -m layer7 --l7proto dns -j MARK --set-mark 11010
-A POSTROUTING -m layer7 --l7proto ssh -j MARK --set-mark 11010
-A POSTROUTING -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j MARK --set-mark 11010
-A POSTROUTING -p icmp -j MARK --set-mark 11010
-A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
COMMIT
# Completed on Fri Jan 12 20:50:52 2007
# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*nat
:PREROUTING ACCEPT [407:30699]
:POSTROUTING ACCEPT [111:6662]
:OUTPUT ACCEPT [111:6662]
COMMIT
# Completed on Fri Jan 12 20:50:52 2007
# Generated by iptables-save v1.3.5 on Fri Jan 12 20:50:52 2007
*filter
:INPUT ACCEPT [266369:32040284]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [479227:676859047]
COMMIT
# Completed on Fri Jan 12 20:50:52 2007
You need to change IP.OF.MACHINE with the IP of your linux box.
4) And now the traffic shaping part:
#!/bin/sh
# Interface to shape. The script as posted never sets $DEV; eth0 here is an assumption,
# change it to your outgoing interface.
DEV=eth0
# Main Link
LINK=100000
SHAPEDLINK=50000
# High Priority
HIGHPRIO=10000
HIGHPRIO_MAX=$SHAPEDLINK
# Normal
NORMAL=512
NORMAL_MAX=$SHAPEDLINK
# Torrent uploads (seeding)
TOR=512
TOR_MAX=2048
# del old
tc qdisc del dev $DEV root 2> /dev/null > /dev/null
# add root: the outer htb sends everything to class 100:1 (default 1); the inner htb 1:
# attached to that class is where the shaping happens
tc qdisc add dev $DEV root handle 100: htb default 1
tc class add dev $DEV parent 100: classid 100:1 htb rate ${LINK}kbit
tc qdisc add dev $DEV parent 100:1 handle 1: htb
tc class add dev $DEV parent 1: classid 1:1 htb rate ${SHAPEDLINK}kbit
# some more rules
# (these two repeat class 100:1 and try to attach a second qdisc to it; tc refuses both
# because the class and the qdisc 1: already exist, so they are left commented out)
#tc class add dev $DEV parent 100: classid 100:1 htb rate ${LINK}kbit
#tc qdisc add dev $DEV parent 100:1 sfq perturb 10
# mark 1001 ("do not shape") goes to 100:1; no filter in htb 1: claims it, so it leaves
# through htb's direct queue unshaped
tc filter add dev $DEV parent 100:0 protocol ip prio 1 handle 1001 fw flowid 100:1
# the shaped partition; the three leaves below share ${SHAPEDLINK}kbit
tc class add dev $DEV parent 1:1 classid 1:10 htb rate ${SHAPEDLINK}kbit ceil ${SHAPEDLINK}kbit prio 5
tc qdisc add dev $DEV parent 1:10 sfq perturb 10
# High priority (mark 11010: dns, ssh, SYNs, icmp)
tc class add dev $DEV parent 1:10 classid 1:1010 htb rate ${HIGHPRIO}kbit ceil ${HIGHPRIO_MAX}kbit prio 0
tc qdisc add dev $DEV parent 1:1010 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 0 handle 11010 fw flowid 1:1010
# normal (mark 11030: everything else)
tc class add dev $DEV parent 1:10 classid 1:1030 htb rate ${NORMAL}kbit ceil ${NORMAL_MAX}kbit prio 5
tc qdisc add dev $DEV parent 1:1030 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 5 handle 11030 fw flowid 1:1030
# bittorrent (mark 11090)
tc class add dev $DEV parent 1:10 classid 1:1090 htb rate ${TOR}kbit ceil ${TOR_MAX}kbit prio 10
tc qdisc add dev $DEV parent 1:1090 sfq perturb 10
tc filter add dev $DEV parent 1:0 protocol ip prio 10 handle 11090 fw flowid 1:1090
The rules are pretty straightforward…so I am not going to explain them fully. The basic concept is that you create a “shaped” partition of your bandwidth and you add classes (high priority, normal, bittorrent) there. The trick is that you can skip anything you don’t want shaped by marking it with the iptables mark 1001.
In my iptables example above, I mark outgoing ssh and http traffic as 1001. This way I can shape the seeding of my torrents using TorrentFlux, but I can download the torrents to my PC at home via http without any traffic shaping. I can also ssh to the machine without any latency caused by the shaping because the sshd port (22) is marked with 1001.
The only problem I faced with those scripts was that sometimes the layer7 filter for bittorrent lets some torrent traffic slip by. My solution to that was to change NORMAL_MAX=$SHAPEDLINK to NORMAL_MAX=2048, for example. Then even “normal traffic” was shaped. Remember that anything I didn’t want shaped was marked as 1001 in the iptables script…so the machine was still very responsive even after shaping the “normal traffic”.
To check how your scripts are doing in terms of shaping you can download this excellent perl script: tc-viewer. Click here for a screenshot: tc-viewer htb screenshot
The above example configs are very very generic. If you have a server that serves many other duties apart from ssh, http and bittorrent, then this script might not work out of the box for you.
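Added example, not from the post and not tc-viewer: a small reader for `tc -s class show dev <dev>` output that prints, per HTB class, the configured rate/ceil, the current rate from tc's estimator and the drop count, and flags classes sending above their ceil or dropping packets. A class that keeps dropping is one whose ceil is too tight for what lands in it; a "normal" class carrying far more than expected while torrents seed is the encrypted-peer case from the update. The sample output in the test is constructed to follow the layout tc prints for the classes above (1:10, 1:1010, 1:1030, 1:1090); the function and its output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the post, not tc-viewer): summarise HTB class
# statistics from "tc -s class show dev <dev>", live or from a saved file,
# and flag classes that are over their ceil or dropping packets.
# Usage: tc_class_summary FILE      or: tc -s class show dev eth0 | tc_class_summary -

tc_class_summary() {
    awk '
    # tc prints rates as Nbit, NKbit, NMbit or NGbit; normalise to kbit
    function kbit(s) {
        if (s ~ /Gbit$/) return (s + 0) * 1000000
        if (s ~ /Mbit$/) return (s + 0) * 1000
        if (s ~ /Kbit$/) return s + 0
        return (s + 0) / 1000
    }
    # emit one line for the class collected so far
    function flush(    flag) {
        if (id == "") return
        flag = ""
        if (cur > ceil)  flag = flag " OVER_CEIL"   # estimator above the hard limit
        if (dropped > 0) flag = flag " DROPS"       # queue overflowed, peers see loss
        printf "%s rate=%dkbit ceil=%dkbit now=%dkbit sent=%s dropped=%d%s\n", id, rate, ceil, cur, sent, dropped, flag
        id = ""
    }
    # header: class htb 1:1090 parent 1:10 leaf 8003: prio 10 rate 512Kbit ceil 2048Kbit ...
    $1 == "class" && $2 == "htb" {
        flush()
        id = $3; rate = 0; ceil = 0; cur = 0; sent = 0; dropped = 0
        for (i = 4; i < NF; i++) {
            if ($i == "rate") rate = kbit($(i + 1))
            if ($i == "ceil") ceil = kbit($(i + 1))
        }
        next
    }
    # " Sent 49302154 bytes 38115 pkt (dropped 312, overlimits 0 requeues 0)"
    $1 == "Sent" && id != "" { sent = $2; d = $7; sub(/,/, "", d); dropped = d + 0; next }
    # " rate 1943Kbit 187pps backlog 0b 0p requeues 0"  (current throughput estimate)
    $1 == "rate" && id != "" { cur = kbit($2); next }
    END { flush() }
    ' "$1"
}
```

Run it a few times while seeding: the torrent class (1:1090) should sit at or under its ceil, and the "do not shape" traffic never shows up here at all, because mark 1001 bypasses the inner htb.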
*Update*
It looks like the problem I had with the layer7 bittorrent filter missing packets was not actually a layer7 “problem”, but rather a new feature of the latest version of bittornado. I was using bittornado version 0.3.18 (experimental), which is the first bittornado version that comes with Message_Stream_Encryption. What this means: whenever bittornado finds another peer with encryption capabilities, it encrypts all traffic between you and that peer, so the layer7 filter can no longer recognise those flows as torrent traffic and categorises them as “normal” traffic. That’s why I needed to “shape” normal traffic as well.
There are three ways to cope with encrypted bittorrent traffic. The first one is the one I described above without even knowing it (shaping normal traffic). The second way is to go back to a version without encryption (0.3.17), which I think is a _really_ bad idea. Encryption came to help us hide our traffic from ISP filters, and is a step we can all take to protect ourselves. The third way is to mark the port range that torrentflux uses (check the admin panel of torrentflux for it) as torrent traffic in our iptables script. If the port range is high enough it is almost certain that no other service will use those ports, so no priority traffic will be mismatched as “torrent traffic”. If, for example, you have defined your port range to be from port 61000 to port 63000, then inject a command like:
-A POSTROUTING -p tcp --sport 61000:63000 -j MARK --set-mark 11090
just below the
-A POSTROUTING -m layer7 --l7proto bittorrent -j MARK --set-mark 11090
command of the iptables script above.
Enjoy shaped encrypted bittorrent uploads! Keep seeding…
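Added example, not the post's own script: it rebuilds the same mark-to-class layout as steps 3 and 4 (1001 unshaped, 11010 high priority, 11030 normal, 11090 torrent) from a handful of variables, refuses rate combinations that HTB cannot honour, adds the port-range mark from the update, and prints every command with DRY_RUN=1 (the default) so it can be reviewed before being applied as root with DRY_RUN=0. DEV=eth0, the 61000:63000 port range and the NORMAL_MAX=2048 default are assumptions taken from the post's own examples; TorrentFlux shows its real port range in the admin panel. The sfq on the inner class 1:10 is left out, since an HTB class with children is not a leaf and drops its own qdisc.

```shell
#!/bin/sh
# Added example, not the post's script: generate (DRY_RUN=1) or apply
# (DRY_RUN=0, as root) the shaping layout and the port-range mark.
# Assumed: DEV=eth0, TOR_PORTS=61000:63000 (TorrentFlux's real range is
# in its admin panel), rates in kbit as in the post.
DEV=${DEV:-eth0}
LINK=${LINK:-100000}             # kbit, the physical link
SHAPEDLINK=${SHAPEDLINK:-50000}  # kbit, the shaped partition
HIGHPRIO=${HIGHPRIO:-10000}      # guaranteed kbit for dns/ssh/SYN/icmp (mark 11010)
NORMAL=${NORMAL:-512}            # guaranteed kbit for everything else (mark 11030)
NORMAL_MAX=${NORMAL_MAX:-2048}   # cap for "normal": encrypted peers land here
TOR=${TOR:-512}                  # guaranteed kbit for seeding (mark 11090)
TOR_MAX=${TOR_MAX:-2048}         # hard cap for seeding
TOR_PORTS=${TOR_PORTS:-61000:63000}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# HTB can only keep guarantees that fit inside the parent, and a ceil above
# the parent's rate is never reached; refuse layouts that would misbehave.
check_rates() {
    [ "$SHAPEDLINK" -le "$LINK" ] || { echo "SHAPEDLINK exceeds LINK" >&2; return 1; }
    [ $((HIGHPRIO + NORMAL + TOR)) -le "$SHAPEDLINK" ] || { echo "guaranteed rates exceed SHAPEDLINK" >&2; return 1; }
    [ "$NORMAL" -le "$NORMAL_MAX" ] && [ "$NORMAL_MAX" -le "$SHAPEDLINK" ] || { echo "bad NORMAL/NORMAL_MAX" >&2; return 1; }
    [ "$TOR" -le "$TOR_MAX" ] && [ "$TOR_MAX" -le "$SHAPEDLINK" ] || { echo "bad TOR/TOR_MAX" >&2; return 1; }
}

# The range must be a sane low:high pair, and high enough that no other
# service is likely to use it (the post's condition for the port-range mark).
check_ports() {
    case $TOR_PORTS in *:*) ;; *) echo "TOR_PORTS must be low:high" >&2; return 1;; esac
    lo=${TOR_PORTS%%:*}; hi=${TOR_PORTS#*:}
    case $lo in ''|*[!0-9]*) echo "TOR_PORTS must be numeric" >&2; return 1;; esac
    case $hi in ''|*[!0-9]*) echo "TOR_PORTS must be numeric" >&2; return 1;; esac
    [ "$lo" -ge 1024 ] && [ "$lo" -le "$hi" ] && [ "$hi" -le 65535 ] || { echo "bad port range $TOR_PORTS" >&2; return 1; }
}

# One leaf class, an sfq so flows inside it share fairly, and the fw filter
# that steers packets carrying MARK into it.
leaf() { # classid mark rate ceil prio
    run tc class add dev "$DEV" parent 1:10 classid "1:$1" htb rate "${3}kbit" ceil "${4}kbit" prio "$5"
    run tc qdisc add dev "$DEV" parent "1:$1" sfq perturb 10
    run tc filter add dev "$DEV" parent 1:0 protocol ip prio "$5" handle "$2" fw flowid "1:$1"
}

shape() {
    check_rates || return 1
    run tc qdisc del dev "$DEV" root
    # outer htb: everything goes to class 100:1 (default 1); mark 1001 is sent there explicitly
    run tc qdisc add dev "$DEV" root handle 100: htb default 1
    run tc class add dev "$DEV" parent 100: classid 100:1 htb rate "${LINK}kbit"
    run tc filter add dev "$DEV" parent 100:0 protocol ip prio 1 handle 1001 fw flowid 100:1
    # inner htb 1: does the shaping; packets no filter here claims (mark 1001 or
    # unmarked) leave through htb's direct queue unshaped
    run tc qdisc add dev "$DEV" parent 100:1 handle 1: htb
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "${SHAPEDLINK}kbit"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate "${SHAPEDLINK}kbit" ceil "${SHAPEDLINK}kbit" prio 5
    leaf 1010 11010 "$HIGHPRIO" "$SHAPEDLINK" 0
    leaf 1030 11030 "$NORMAL" "$NORMAL_MAX" 5
    leaf 1090 11090 "$TOR" "$TOR_MAX" 10
}

# Encrypted peers escape the layer7 match, so also mark TorrentFlux's own
# source ports as torrent traffic (the post's third option).
mark_torrent_ports() {
    check_ports || return 1
    run iptables -t mangle -A POSTROUTING -p tcp --sport "$TOR_PORTS" -j MARK --set-mark 11090
}

# "sh shape.sh apply" prints the commands; "DRY_RUN=0 sh shape.sh apply" runs them.
if [ "${1:-}" = apply ]; then shape && mark_torrent_ports; fi
```

The iptables line is appended, so it must come after the `-m mark --mark 1001 -j RETURN` rule from step 3 to keep the unshaped marks intact; with `iptables-save` layouts like the one above, that is the case.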
Filed by kargig at 16:08 under Gentoo,Internet,Linux,Networking
6 Comments | 12,155 views
12/01/2007
Random stuff
I’ve made a few changes to the sidebar of my blog: I’ve added a last.fm Recent Tracks listing and a Meebome widget. The meebome widget is a very nice flash application that lets you chat with visitors of your site while you are online on meebo. I was introduced to meebo some time ago by thatha. It is an “Instant Messaging Portal”: you create an account and then you can log in to your msn, icq, yahoo, aim, jabber and gtalk accounts. I use it whenever I am away from my PC, since I find it a lot more “comfortable” to log in to the networks I am interested in through meebo than through the Portable Gaim that I keep on my USB flash drive.
btw…Gaim is so broken these days…Looks like no one is interested in fixing the aging problems it has. No NAT-to-NAT transfers, random crashes even on normal file transfers. Even the developer(s) suggest that you use the beta version to log in to msn. How dumb is this? What are they waiting for? Since even the developer promotes the beta over the “stable”..shouldn’t the beta be named “stable” now? No one is still using Gaim 1.5.0…all the latest gnome-based distros use 2.0-betaX…
I’ve steadily become more and more unsupportive of OLPC. There are many reasons for this. First of all I think that it is made by western people believing that they know what is better for Africans or Asians. That’s plain wrong. In my view the OLPC is something that western rich kids will enjoy far more than poor Africans or Asians. It’s a “western toy” for “western rich kids”. Then comes the “open-ness” of the whole project. In the beginning everything looked very promising, then came the closed source drivers and firmware. I don’t care for whatever reasons Marvell doesn’t open source the wifi driver, but if someone touts a “complete open source project”, then e v e r y t h i n g must be open source. Not just whatever we like. Oh, and then came the added SD card slot so that the OLPC could run a version of Windows. That’s open source too, right? More bashing of the OLPC on beranger.
Filed by kargig at 03:47 under General,Internet
2 Comments | 5,111 views
21/12/2006
European Research Networks
As part of the latest ΕΔΕΤ event, the Grnet Tech Event, Mr. Maglaris, chairman of the NREN-PC, gave a talk on the European research networks, of which ΕΔΕΤ is a member. He explains quite well the history of networks in Europe as well as what the current trends are (10-40-100Gbit, dark fiber, virtual open source routers, etc.).
Watch the video to understand the new “digital war” and the “digital divide” in “democratic Europe”.
Filed by kargig at 05:23 under Greek,Internet,Networking
No Comments | 11,709 views
14/12/2006
Netroute firmware 577
After asking some people, I have finally decided to post netroute’s firmware version 577 on my blog.
I hope I won’t be forced to remove it any time soon…so here it is: netroute-firmware-577.tar.gz
I won’t publish any update instructions. You are on your own…I don’t want to be held responsible if you bork your router…
Filed by kargig at 04:22 under Internet,Linux,Networking
3 Comments | 4,925 views
09/11/2006
Guli LiveCD
It’s been a while now, since May 2006, that some others from the local Ioannina LUG and I have been trying to create a new livecd, the Guli LiveCD. This livecd is geared mostly towards students, scientists and developers. It’s geared towards us…it’s something that will make our lives easier while travelling or while visiting a friend or … or … or …
It is Gentoo based, severely influenced by DSL (Damn Small Linux) as well as other minimalistic livecds, but its size has grown to a full CD due to the hundreds of applications we wanted to add. There is of course X Window support, with fluxbox as the window manager, but it is not started by default, yet.
There are a few main categories of applications:
There are a lot of networking tools inside this livecd that will help you identify and correct problems inside your network. These include scanners, packet sniffers, tunneling software, and so on…
Scientific applications were included in order for some of us to be able to travel and still have a way to implement a new idea that strikes us. The main interest so far is Chemistry, Mathematics and Physics. Full tex/latex support is included.
Since many of the ILUG members are students of the Computer Science department it was inevitable that many development tools would be included. There is support for many languages (C, fortran, Java, Haskell, prolog, php, python, perl, ruby,etc), with their compilers and debuggers. The full man pages are also kept so that they serve as a reference for those who want them.
Last but not least we have included a lot of tools that could salvage your system in case of an emergency. These are file recovery tools, password reset tools (even for windows) and lots of others.
There are of course applications like firefox, sylpheed, abiword, gnucalc, gaim, skype, etc included on Guli for everyday tasks.
The total number of executables on this LiveCD is quite large; pressing tab twice on the console will give you something like this:
Display all 3355 possibilities? (y or n)
And there are more to come…
The current version was released yesterday and it is an anniversary edition for ILUG’s 1 year of existence. You can find more information, full list of packages and the download link about this live cd at ILUG’s forums (currently only in Greek, until Guli gets a proper website).
This liveCD is not geared towards new users who want to see a fancy livecd with XGL and stuff like that. People who have never used linux before might find it a bit difficult to navigate through the livecd.
We would appreciate any comments/bugs either on the forum or on the bug tracker.
Filed by kargig at 15:50 under General,Gentoo,Internet,Linux,maths,Networking
2 Comments | 4,397 views
26/10/2006
Bananaland.bn
Reading http://www.knowhow.gr/ecPage.asp?id=34859&nt=105 one would assume that Greece is among the countries that protect the free circulation of ideas on the Internet..
Today, however, we have the following unbelievable news: blogme.gr got sued!!
In brief:
Recently, a public figure sued Blogme.gr for defamation and obscene satirical content.
That person was being satirised on the pages of some other blog, which was listed in Blogme’s directory and in its RSS feed services. As a result of the above, the following ensued: in flagrante delicto proceedings, seizure of the hard disk, detention in a holding cell and appearance before the prosecutor.
More at http://e-roosters.blogspot.com/2006/10/blogme.html and at http://www.blogme.gr/blog/post/index/21/BLOGME
From what people are saying, the public figure in question is Mr. Λ…
And now I remember that the “World Summit on the Information Society” held last year, at which it was decided that Greece would organise the “1st Global Forum on Internet Governance”, was chosen to take place in Tunis because there were censorship problems there…so that free voices/opinions would be strengthened. And now we, who file lawsuits against unrelated people, are going to tell the world about Internet governance. We are just as bad…the same and worse, because we also think that everything here is going fine…That is even more dangerous than knowing that things are not going well…
edit: slashdotted!! http://yro.slashdot.org/yro/06/10/29/2040220.shtml
way to go!
Also, yesterday the tele-evangelist Evangelatos started terrorising people on his show by saying that anyone can put various things on your mobile phone and monitor anybody with the least possible effort. Let’s sow fear among people by telling them half-truths…bravo… more, and in more detail, at http://www.myphone.gr/forum/showthread.php?t=154376
And to return to the first topic…wouldn’t it be a good idea for bloggers to gather at this Forum, which starts on 30/10, and tell the rest of the world that will be watching what happened the other day?
I also propose that we ask Brunei for its TLD…the .bn, and give them ours..the .gr
Bananaland.bn … it suits us better…
Filed by kargig at 15:10 under General,Greek,Internet,Privacy
No Comments | 5,782 views
27/07/2006
Wireless Community Networks at their best
I am back in my hometown, Thessaloniki, for about a week and I carried with me the old laptop on which I had tried installing the rule project…
I had nothing to do tonight..so I plugged in my wireless card, booted the Damn Small Linux CD and went out to the balcony. Why not check whether there are any wireless networks around? In fact there was one:
root@ttyp2[root]# iwlist ath0 scan
ath0 Scan completed :
Cell 01 - Address: 00:30:4F:4B:66:6C
Mode:Master
Encryption key:off
Quality:17/94 Signal level:-78 dBm Noise level:-95 dBm
Mode:Master
ESSID:"nkoumle"
Frequency:2.412GHz
Bit Rate:1Mb/s
Bit Rate:2Mb/s
Bit Rate:5Mb/s
Bit Rate:11Mb/s
I connected there..and ran the dhcp client…
root@ttyp2[root]# iwconfig ath0 essid nkoumle
root@ttyp2[root]# pump -i ath0
Drums rolling….ta ta!!
root@ttyp2[root]# ifconfig ath0
ath0 Link encap:Ethernet HWaddr 00:20:A6:4C:BD:7F
inet addr:10.103.5.61 Bcast:10.103.5.63 Mask:255.255.255.192
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
The IP seemed quite weird for a home…and looked like it was from the range that the Thessaloniki Wireless Metropolitan Network (TWMN) was given a few years ago, when each major Greek city was given an IP range for its wireless network inside 10.0.0.0/8. Pinging the router/AP gave me results of 10-100ms. I tried finding a spot on the balcony where I could get more stable ping times but I couldn’t find one. It didn’t really matter though…I was so excited that a few msecs wouldn’t stop me!
Even though I could resolve internet hostnames and addresses, I couldn’t ping or browse any internet hosts. Then I tried surfing around TWMN. I opened http://www.twmn and looked around. I tried to register on their forums but I couldn’t because they require a confirmation email. Since I can’t access any of my email accounts without internet access, I can’t register on their wireless forum either. The bad thing is that it’s not even readable as a wireless guest.
I knew that TWMN and Athens Wireless Metropolitan Network (AWMN) are linked together, so I tried surfing http://www.awmn. Success!! Everything worked quite smoothly there. I even sent a pm to a TWMN user that I know, orion, from AWMN’s forum.
Then it was time for IRC. Damn Small Linux features a tiny irc client named “naim”. I tried to connect to irc.twmn…but there was no luck. Then I tried irc.awmn and I got instantly connected.
I had also heard about AWMN’s proxy mesh network. It’s an effort by many awmn users who share their dsl bandwidth by creating a squid proxy mesh network with lots of siblings, so there is some kind of load balancing. I started reading the last pages of the thread but I couldn’t find any working proxies. Then I remembered that it was koki who started it all… and looked for her website inside awmn. I came upon http://koko.awmn and there she had information about how to connect to her proxy.
So I entered 10.20.220.2 port 3128 at my firefox preferences…and that was it!!! SUCCESS! I had full access to websites through koki’s proxy server. I am in Thessaloniki and my “internet provider” is 500km away…in Athens!
Here’s the traceroute to her proxy server:
root@ttyp0[root]# traceroute 10.20.220.2
traceroute to 10.20.220.2 (10.20.220.2), 30 hops max, 40 byte packets
1 ap.nkoumle.twmn (10.103.5.1) 526.158 ms 151.747 ms *
2 doom2nkoumle.bb.twmn (10.122.255.177) 143.23 ms 368.749 ms 130.249 ms
3 taz2doom.bb.twmn (10.107.255.81) 13.83 ms 60.137 ms 317.052 ms
4 uom2taz.bb.twmn (10.107.255.57) 32.055 ms 14.761 ms 64.038 ms
5 volto2uom.bb.twmn (10.107.255.33) 82.341 ms 78.228 ms 49.779 ms
6 sourdos2volto.bb.twmn (10.107.255.49) 83.058 ms 61.406 ms 72.943 ms
7 dfragos2sourdos.bb.twmn (10.107.255.2) 81.377 ms 41.603 ms 101.131 ms
8 thmmy2dfragos.bb.twmn (10.106.255.254) 200.073 ms 105.749 ms *
9 thmmy.swn (10.106.3.1) 65.299 ms 132.49 ms 361.869 ms
10 10.17.122.158 (10.17.122.158) 529.931 ms 368.65 ms 313.583 ms
11 10.17.122.131 (10.17.122.131) 417.191 ms 74.76 ms 48.881 ms
12 10.17.122.129 (10.17.122.129) 64.119 ms 84.001 ms 79.828 ms
13 10.17.122.169 (10.17.122.169) 82.863 ms 41.323 ms 93.686 ms
14 10.80.190.121 (10.80.190.121) 87.61 ms 68.538 ms 90.206 ms
15 10.26.35.181 (10.26.35.181) 132.605 ms 343.975 ms 120.142 ms
16 10.26.35.54 (10.26.35.54) 134.826 ms 105.009 ms 128.925 ms
17 10.20.220.74 (10.20.220.74) 79.456 ms 89.032 ms 196.706 ms
18 10.20.220.2 (10.20.220.2) 144.206 ms 150.446 ms 103.555 ms
I am actually posting this entry for this insane connection!
This is really inspiring. Community networks at their best. Thanks a lot to everyone who contributed in order for this to happen. Thanks a lot to nkoumle (whom I don’t know) and to koki (whom I only know through IRC and forums)…
Filed by kargig at 02:14 under General,Internet,Linux,Networking
28/05/2006
Change gtk theme in Gentoo even if not using Gnome
Do your friends make fun of you because their “gtk apps look better”? How many times have you heard about that damn “clearlooks theme”? Time for revenge then!
Just emerge gtk-theme-switch and run switch2 on the command line. Select your favorite theme… restart your gtk apps… and enjoy! Now you can have that damn “clearlooks theme” too. 🙂
After you’ve finished you can remove the tool again with emerge -C gtk-theme-switch
Btw, if you are looking for some nice fluxbox themes have a look at boxwhore
Filed by kargig at 14:45 under Internet
11/02/2006
Google to offer e-mail hosting services ?
Well it looks like google is going to offer massive storage for e-mail accounts on any domain… just check this page: https://www.google.com/hosted/Home
Very interesting, and simple…you probably just need to change the MX record of your domain to a server IP that they will send you.
If only the interface was a bit better…if it had encryption support…if … if…if they could be trusted not to make your e-mails searchable in public one day in the future…
Filed by kargig at 03:36 under General,Internet,Privacy
24/01/2006
SSH Escape Characters
I am sure a LOT of people reading this blog use ssh in their everyday work/life/etc. I am not sure though how many of you have heard of ssh’s EscapeChar unless you’ve read the ssh_config file (and even if you have done so, did you pay any attention to it?). So what can you do with EscapeChar? Not a lot, but certainly very useful stuff.
My most frequent problem with ssh is sessions that sometimes don’t end as they are supposed to. You log out from the remote system and you never get a prompt on yours because something has gotten stuck somewhere, sometime. Wouldn’t you wish there was an escape sequence to end this suffering, like telnet’s ctrl+]? Well there is! Just edit your client’s ssh config file (/etc/ssh/ssh_config for gentoo) and add to the end:
EscapeChar ~
Now ssh to a host and, once you are in, type ~? followed by Enter. You will see a list of helpful options. The solution to the previously described problem of stale connections is ~.
Dummy-safe: so to get it to escape, press [alt gr] + [~] two times and then [.]
If that doesn’t work, try pressing Enter before the “~” (the escape character is only recognized at the beginning of a line).
What’s also very helpful is the ability to start/end port forwarding during an active ssh session! Say you have opened an ssh connection to a host and you now have to forward a port; what do you do? A new ssh connection with -L/-R options? Nope! You just press ~C and do what you want from the ssh “command shell”.
enjoy!
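An added client configuration example, not from the original post, that complements the escape sequences described above: it sets the escape character explicitly, makes a dead session exit on its own through keepalives, and lists the ~C command-line syntax. The host name, user and ports are placeholders.

```sshconfig
# Added example (not from the original post). Goes in ~/.ssh/config
# or /etc/ssh/ssh_config; host, user and ports below are placeholders.
Host *
    # "~" is already the default EscapeChar; setting it makes it explicit.
    # Use "EscapeChar none" for scripted sessions where a literal "~" after
    # a newline must never be interpreted by the client.
    EscapeChar ~
    # OpenSSH 9.2 and later disable the ~C command line unless this is set.
    EnableEscapeCommandline yes
    # Detect a dead peer instead of hanging forever: one keepalive every 30 s,
    # give up after 3 unanswered ones, so a stale session exits without "~.".
    ServerAliveInterval 30
    ServerAliveCountMax 3

Host jumphost
    HostName jumphost.example.com
    User alice
    # Fail the connection instead of silently continuing when a requested
    # forward cannot be set up (e.g. the port is already in use).
    ExitOnForwardFailure yes

# Escape sequences, typed right after a newline inside the session:
#   ~?     list all escape sequences
#   ~.     terminate the connection (the fix for stuck sessions)
#   ~C     open the "ssh> " command line; there you can type:
#            -L 8080:127.0.0.1:80   add a local forward without reconnecting
#            -R 2222:127.0.0.1:22   add a remote forward
#            -KL 8080               cancel the local forward again
#   ~#     list currently forwarded connections
#   ~&     background ssh while it waits for forwarded connections to end
#   ~~     send a literal "~" to the remote side
```

Forwards added with ~C are still subject to the server's AllowTcpForwarding and GatewayPorts settings, so an administrator can restrict them centrally.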
Filed by kargig at 13:16 under Encryption,Internet,Linux,Networking
Tags: connection, escape, escape chars, Linux, ssh, tilde
17/01/2006
howto use utorrent rss feeds with bitme and bitmetv
Latest utorrent has the ability to fetch rss feeds from torrent sites so you can download automatically (or automagically if you prefer :P) your favorite content without user interaction.
It’s kinda tricky though to enable it for bitme and bitmetv. As an example I will use the Desperate Housewives rss feed. If you go to bitmetv’s Links page and select RSS feed (Choose Category Feed) you will see a full listing of various categories. Pick Desperate Housewives and then “Download Link” from Feed Type and “Standard” from Login Type. It should give you a url like this:
http://www.bitmetv.org/rss.php?feed=dl&cat=75&passkey=YOUR-PASSKEY
In order to enter that feed inside utorrent’s rss parser you need to find out your UID and PASS from bitme or bitmetv cookies. You can learn how to do that for each browser here: utorrent faq on “Torrent_support_RSS_feeds”
Let’s say you got that UID and PASS. Now press ctrl+r inside utorrent and paste the following url REPLACING your own YOUR-PASSKEY, YOUR-UID, and YOUR-PASS variables!
DH|http://www.bitmetv.org/rss.php?feed=dl&cat=75&passkey=YOUR-PASSKEY:COOKIE:uid=YOUR-UID;pass=YOUR-PASS
If you were able to do that now go to Releases tab. Pick the one you would like to download from now on…let’s say “Desperate Housewives HR”, right click and “Add to Favorites”. Now you should be at Favorites tab. Leave the “Filter” as utorrent created it for you and just pick a download location (in “Save in”) for the new torrents. I have chosen the same location where my other torrents go.
If you only want specific episodes to download, just click on the proper checkbox in the “Favorites” tab and enter something like “2×12”. If you want all episodes from a specific season just do it like this: “2×1-25”.
You can now go to bed and let the torrents come to your hard disk automatically. Happy downloading.
P.S. I have nothing to do with any of the sites mentioned. Whatever you do is at your own risk. You might get to jail for downloading copyrighted material…so you better use utorrent to download your favorite and latest linux ISOs 🙂
Filed by kargig at 22:00 under Internet
19/12/2005
A list of interesting things to find on Google :)
How many network cameras are unprotected ?
Cameras ?
No, No, Mooore Cameras
I was sure there were some more!
And what about a list with even more cameras with a screenshot of each one ?
Enough with cameras…I know I can find mp3s on Google, but is there anything more worth searching for ?
just enjoy the power of Googling 🙂
Filed by kargig at 20:35 under General,Internet,Privacy