
Today I got a chance to head out to Davi's new range up in north Raleigh. We'd gone up there a few weeks ago and I purchased a Remington 870, but the range wasn't open then and I've had no chance to shoot it until now.

The shotgun feels great when you shoot it, but it's not exactly a precision weapon and it tears through targets fast. After a few shots I got a chance to try out Tim's gun, and this was also the first time I'd shot a handgun. After starting off well, my body seemed to start pre-reacting to the explosion before I pulled the trigger - I got a little jittery and my aim went crazy. I eventually settled back down and did, in my opinion, not badly at all for a first outing.

I almost surely will buy a hand gun at some point in the future, but right now I've got another major purchase to worry about first...

Oddly enough, my blog is being spammed with seemingly random comments from the following individual:

Author : texas holdem poker (IP: 207.58.154.5 , agua.ww2bw.org)
E-mail : sunny@moonlightshadow.us

The posts are attempted every 30 minutes or so, and the IP is different (from different countries even) every time. This is perhaps a new viral spambot tactic, but I don't really know what effect it's supposed to have other than perhaps plastering sites with links in an effort to increase Google's PageRank.

I've been forced to enable moderation, so if you wish to post a comment there will now be a delay until I can review it.

The kernel that ships with Debian includes most options that anybody is likely to need out of the box. Lacking, though, are some of the nice additions to the kernel's IP filtering (and also the userland iptables tool) provided by the netfilter project's patch-o-matic. pptp-conntrack-nat is what I was looking for to use on the NAT firewall at work (it allows netfilter to track pptp connections and disconnect cleanly, needed for users vpn'ing into one of our client's networks).

The patch-o-matic stuff is not yet considered stable enough for the Linux kernel proper, and as such it won't ship with Debian. Luckily, even though these patches are considered "use at your own risk," for the most part they work fine - in fact, I've been using ipcop for a while, which includes several of these patches.

I couldn't get the conntrack module to work with the 2.6 kernel sources, so I had to use 2.4. That's not really a big issue, as 2.4 is just fine and dandy for a NAT firewall.

So, onto the good stuff. Let's patch and build (the Debian way) kernel and iptables packages, which we'll install using dpkg.

1) Install packages

You'll need the kernel source and the iptables source, which is very easy to get with Debian. I use the "Debianized" kernel source, which includes all of the Debian patches already - it's quite possible some patch-o-matic modules may conflict with something, and if you run into that just use the vanilla sources.

You'll need apt-src, so grab it if you don't have it already:

aptitude install apt-src

You'll also want kernel-package, which gives us the tools to make a debianized kernel package:

aptitude install kernel-package

Now, get the kernel and iptables sources:

cd /usr/src
aptitude install kernel-source-2.4.x
apt-src install iptables

2) Extract the sources

apt gives us some .tar.bz2 files, so we need to extract them. We're already in our /usr/src directory, so let's just do it:

tar -xjf kernel-source-2.4.x.tar.bz2
tar -xjf iptables-1.2.x.tar.bz2

Now we symlink our source directory to "/usr/src/linux". If you already have a "linux" symlink, you should remove it first, then:

ln -s kernel-source-2.4.x linux

3) patch the kernel

To use patch-o-matic, we must patch both the kernel and iptables sources. The patches we want for both are currently included in the iptables source package:

cd /usr/src/iptables-1.2.x/upstream

Extract both the "pristine" iptables source and the patch-o-matic source:

tar -xjf iptables-1.2.x.tar.bz2
tar -xjf patch-o-matic-xxxxxxxx.tar.bz2

Set some environment variables, so p-o-m can find our sources:

export KERNEL_DIR=/usr/src/linux
export IPTABLES_DIR=/usr/src/iptables-1.2.x/upstream/iptables-1.2.x

Run the patch you want:

cd patch-o-matic-xxxxxxxx
./runme pptp-conntrack-nat

Note that 'pptp-conntrack-nat' is the name of the module I'm adding. Several others may provide additional functionality you want, check the netfilter web site to decide what you want to include. Don't go overboard - remember, all these patches are still "unstable," so if you don't need it, don't include it! Answer "y" to the question and move on.

4) Configure the new kernel

Now you must make a choice - do you wish to create your own kernel config from scratch, or do you want to start with the Debian base kernel config? Unless you have a specific need to reduce your kernel size, or if you know exactly what you're doing and have free time, I recommend starting with an existing Debian configuration. There are advantages to having a lean kernel, primarily in compile time, but you must wade through the kernel config and make sure you select the appropriate options.

I opted to start with the existing 2.4.x kernel config file, which can be found in /boot and will be named 'config-2.4.x-arch'.

Copy the file to your source directory:

cd /usr/src/linux
cp /boot/config-2.4.x-arch ./.config

Now you have a starting place - configure your kernel:

make menuconfig

(Note you need ncurses, if make complains you don't have it just 'aptitude install libncurses5')

The only changes you should need to make will be under "Networking Options" -> "IP: Netfilter Configuration." In my case, I enabled GRE and pptp as modules under "connection tracking."

5) Compile the kernel

We're doing this the Debian way, so forget the standard way to compile and install a kernel. Luckily for us, it's even easier in Debian:

make-kpkg clean
make-kpkg --initrd --append-to-version=-pom kernel_image

I use the "append-to-version=-pom" flag to help me identify the kernel as being "patch-o-matic"ed. This will be used in both the name of the kernel itself and in the name of its .deb package. Note that this will take a while! Depending on the speed of your system this could take hours, so it is recommended that you do it within a screen session or with nohup if you're logging in remotely. While this is running, you can start on the next step.

6) Configure and compile a custom iptables package

While your system is busy compiling the kernel, you can get started on creating an iptables package to match it. You must patch iptables with the same p-o-m patches as the kernel, or they might not be compatible!

You might be thinking we've already done this, and you'd be right. However, we want to do things the Debian way to create a nice iptables deb package, so we'll have to do a little extra work.

cd /usr/src/iptables-1.2.x
vi scripts/prep.sh

Now, change the "pomng_extensions" variable in this file to include the names of your additional p-o-m modules. You may also edit the kernel version in this file, but it doesn't seem to have any impact (?). Save your changes, then run:

dpkg-buildpackage

Yes, you're also building the kernel at the same time, but iptables isn't that large and it won't take too long even so. When done, in the /usr/src directory you'll have a shiny new iptables_1.2.x_arch.deb file waiting for you.

7) Install the new packages

Once the kernel finishes compiling, you'll want to install both it and your new iptables package. Be sure to remove the old iptables package if you already have it installed.

cd /usr/src
dpkg -i kernel-image-2.4.x-pom_10.00.Custom_arch.deb
dpkg -i iptables_1.2.x_arch.deb

8) Make the new kernel the default, reboot

vi /boot/grub/menu.lst

Change "default" to represent the number of your new kernel (note the first kernel is 0, second is 1, etc). Now you'll want to reboot, but a word of warning - if something didn't go according to plan, your system may not reboot at all! If you have any doubts, make sure you have physical access to the machine before rebooting so you can fall back to an old kernel from your grub menu.
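Counting "title" stanzas by hand is exactly where an off-by-one turns into the unbootable box warned about above. The helper below is an added example, not part of the original post: it prints each grub entry with the zero-based index that "default" expects, and looks up the index of the non-recovery entry whose kernel line names a given image version. The menu.lst content embedded in it is constructed for illustration; point it at your real /boot/grub/menu.lst to use it.

```shell
#!/bin/sh
# Added example (not from the original post): work out the grub "default"
# index for a freshly installed kernel instead of counting stanzas by eye.
# SAMPLE_MENU_LST below is a constructed menu.lst, kept small on purpose.

SAMPLE_MENU_LST='default         0
timeout         5

title           Debian GNU/Linux, kernel 2.4.27-2-386
root            (hd0,0)
kernel          /boot/vmlinuz-2.4.27-2-386 root=/dev/hda1 ro
initrd          /boot/initrd.img-2.4.27-2-386

title           Debian GNU/Linux, kernel 2.4.27-pom
root            (hd0,0)
kernel          /boot/vmlinuz-2.4.27-pom root=/dev/hda1 ro
initrd          /boot/initrd.img-2.4.27-pom

title           Debian GNU/Linux, kernel 2.4.27-pom (recovery mode)
root            (hd0,0)
kernel          /boot/vmlinuz-2.4.27-pom root=/dev/hda1 ro single
initrd          /boot/initrd.img-2.4.27-pom'

# list_kernels: print "index<TAB>title" for every boot entry, zero-based,
# which is the numbering grub's "default" line uses.
list_kernels() {
    # $1 = path to menu.lst
    awk '/^[[:space:]]*title[[:space:]]/ {
            sub(/^[[:space:]]*title[[:space:]]+/, "")
            printf "%d\t%s\n", n++, $0
         }' "$1"
}

# default_index_for: print the index of the first entry whose "kernel" line
# boots /vmlinuz-<version> and whose title is not a recovery entry.
# Exit status 1 if no such entry exists, so a typo in the version is loud.
default_index_for() {
    # $1 = path to menu.lst, $2 = version suffix, e.g. 2.4.27-pom
    awk -v ver="$2" '
        /^[[:space:]]*title[[:space:]]/ { idx = n++; title = $0 }
        /^[[:space:]]*kernel[[:space:]]/ {
            if (!found && index($0, "/vmlinuz-" ver " ") && title !~ /recovery/) {
                print idx
                found = 1
            }
        }
        END { if (!found) exit 1 }' "$1"
}

# Stand-alone run: write the constructed sample to a temp file and query it.
# Replace SAMPLE_FILE with /boot/grub/menu.lst on a real system.
SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_MENU_LST" > "$SAMPLE_FILE"
list_kernels "$SAMPLE_FILE"
default_index_for "$SAMPLE_FILE" 2.4.27-pom || echo "no entry for 2.4.27-pom" >&2
```

Run against the sample it prints the three entries and then `1`, the value to put on the "default" line for the -pom kernel; the recovery stanza is skipped so you do not boot single-user by accident.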

9) Load modules

Once the kernel reboots, try to load your new modules:

insmod ip_conntrack_proto_gre
insmod ip_nat_proto_gre
insmod ip_conntrack_pptp
insmod ip_nat_pptp
lsmod

(Load the connection tracking modules before the NAT modules: the NAT helpers use symbols from the conntrack ones, and insmod won't pull in dependencies for you.)

They should all show up in the list! Test iptables to make sure it's working as well (if you don't have a save file, just add some rules manually):

iptables-restore < your.iptables.save.file
iptables -L

And that should just about do it. You'll probably want to load those modules with the same script from which you're currently loading your firewall rules.
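To fold the module loading into the firewall script in a way that fails loudly, here is an added example, not from the original post: it loads the four helpers in dependency order (conntrack before NAT) and stopping at the first failure, and it checks an lsmod listing for any of them that is still missing. The module names are the ones installed above; the lsmod output embedded in the block is constructed so the check can be exercised without the patched kernel.

```shell
#!/bin/sh
# Added example (not part of the original post): load the pptp/GRE helper
# modules in dependency order and verify them against lsmod output.
# Module names come from the post; SAMPLE_LSMOD is constructed for testing.

# Connection tracking modules must be resident before the NAT modules that
# reference their symbols, so this order matters when insmod is used.
POM_MODULES="ip_conntrack_proto_gre ip_nat_proto_gre ip_conntrack_pptp ip_nat_pptp"

# loaded_modules: read lsmod text on stdin and print just the module names,
# skipping the header line.
loaded_modules() {
    awk 'NR > 1 { print $1 }'
}

# missing_modules: read lsmod text on stdin; print each wanted module that is
# not loaded, one per line. Exit 0 if everything is present, 1 otherwise.
missing_modules() {
    # $1 = space-separated list of wanted module names
    loaded=$(loaded_modules)
    rc=0
    for m in $1; do
        if ! printf '%s\n' "$loaded" | grep -qx "$m"; then
            echo "$m"
            rc=1
        fi
    done
    return $rc
}

# load_pom_modules: load each module in order and stop at the first failure,
# so a missing dependency is reported where it happens. Prefers modprobe
# (resolves dependencies itself) and falls back to insmod as the post does.
load_pom_modules() {
    for m in $POM_MODULES; do
        if command -v modprobe >/dev/null 2>&1; then
            modprobe "$m" || { echo "failed to load $m" >&2; return 1; }
        else
            insmod "$m" || { echo "failed to load $m" >&2; return 1; }
        fi
    done
}

# Constructed sample: lsmod after only the GRE helpers have been loaded.
SAMPLE_LSMOD='Module                  Size  Used by    Not tainted
ip_nat_proto_gre        2160   0 (unused)
ip_conntrack_proto_gre  3424   1 [ip_nat_proto_gre]
iptable_nat            20564   1 [ip_nat_proto_gre]
ip_conntrack           26908   2 [ip_conntrack_proto_gre iptable_nat]
ip_tables              14720   3 [iptable_nat]'

# Stand-alone run: report what the constructed sample is still missing.
# On the firewall itself use:  lsmod | missing_modules "$POM_MODULES"
printf '%s\n' "$SAMPLE_LSMOD" | missing_modules "$POM_MODULES" || true
```

In the firewall init script, call `load_pom_modules || exit 1` before `iptables-restore`, then `lsmod | missing_modules "$POM_MODULES"` as the final sanity check; against the constructed sample the check names ip_conntrack_pptp and ip_nat_pptp as the two helpers not yet loaded.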

Some friends at the office were moderately surprised when I mentioned to them that anybody can search the NC voter registration database, which will tell you not only whether a person is registered, but also where they vote, what party they are affiliated with, and which elections they've voted in previously.

I'm now at last unaffiliated. You can also see that, after going 3 for 3 since 1996 (when I turned 18 on a Presidential election day no less), I failed to vote in the last midterm election.

Don't worry, it won't happen again.

Could it happen that an ultra-conservative right wing ideologue's lesbian daughter could be used to make him look better to other ultra-conservative right wing ideologues?

Let's remember, being gay is (to most of the extreme X-tian right, which is arguably this administration's strongest base) not only a choice, but also a sin. You might think that having a gay child would appear to them as a sign of failed parenthood.

Kerry, in a prime example of douchebaggery, played the "your VP has a lesbian daughter" card in the last debate. Kerry obviously hoped to paint the Bush administration as a bunch of gay-loving queer-raising hypocrites, who, while they may talk tough about protecting God-fearing breeder families from the gay scourge, were all the while creating homosexual offspring themselves. The horror!

But this was a retarded thing for Kerry to do, for several reasons:

1) Edwards already played the card, why reiterate?
2) As a "Massachusetts liberal," he's not supposed to hate gay people and use others' hatred of gay people as a political weapon. He's at least equally alienating his own base with this bullshit.
3) The ultra-Christian-right will never, ever vote for Kerry, no matter how gay Cheney's daughter is, due to some basic clashes of ideology (right to choose primarily)
4) Now Kerry's ready to be painted as evil for bringing Cheney's daughter into the mess of politics

Of course, the Bush administration is now turning this into a scandal, rallying their base against those "vicious" attacks by John Kerry, but I remain unconvinced that these particular crocodile tears will have the desired impact.

Kerry never actually said anything bad about Cheney or his daughter, he only mentioned her existence in an effort to let the public connect the dots. It's pretty obvious how he wanted those dots to be connected, but there's nothing he said that can be quoted to make him look like he was criticizing Cheney - which is going to make Bush's attempted spin difficult. In the world of uninformed voters making decisions based on 45-second snippets on the local news and 30-second attack ads, if you can't produce a soundbite to prove it, it never happened.

I'm no Kerry apologist, and it was certainly a stupid and annoying thing for him to say, but let's look at the bigger picture: mentioning that your opponent's running mate has a lesbian daughter, or rushing to war over false pretenses? Sorry W, you're still not convincing me.

Of course, neither is John Kerry.

...the bike or the sunset.

And yes, that's in Cary, about half a mile from the interstate.

So I've taken to using a Mac for my primary system lately. Despite the fact that the scam wasn't resolved at the time, I took a leap of faith and purchased on credit a brand new, 15", 1.5 GHz PowerBook. This post has been delayed a couple of months (perhaps irrationally?), since I didn't want Qamar knowing anything about the replacement. In retrospect that seems silly, but I'm sure it made sense at the time.

I absolutely love the machine. I've heard many complaints about Apple's overpriced systems, but after actually owning a PowerBook I can say with certainty that the device is well worth the money. There's just no x86 laptop that can compare. Slot loading DVD burner, backlit keyboard, integrated Bluetooth, 802.11g, gigabit ethernet, 128 MB Radeon 9700 Mobility, 5400 RPM hard drive, DVI and SVideo out, super-crisp 1280x854 high pixel density display... the thing is a monster with just about every feature you could ask for, in a package that's sleek and sexy as hell weighing in around 5 lbs.

I also generally enjoy working with OS X. The GUI is wonderful, both speedy and beautiful. Expose is great, the lack of malware is a major plus, and the system's FreeBSD underpinnings are just the ticket for a geek like me. Most things just work in intuitive ways, and at times I almost completely forget the Unixy core of the system - in a lot of ways, OS X is the best operating system I've ever used.

The FreeBSD roots of OS X have attracted a lot of open source developers, which is fortunate indeed for users such as myself. OS X ships with a lot of great open source software (ssh, samba, apache?!, etc), but it's supplemented nicely by the fink project, which aims to provide pretty much any useful GPL'd utility to OS X via apt repositories. Thanks, guys! Of course, you can also compile most software designed for Linux or BSD yourself without too much hassle, if it hasn't already been done for you.

Of course, nothing is perfect, and the more I've used the machine the more minor annoyances I've encountered. While this isn't the first OS X-era Mac I've owned, daily use as my primary system has revealed several annoyances that I overlooked on my little iBook.

Let's start with Airport. It'll automatically connect to a network if you leave it on, which is fine, but it won't automatically disconnect when you plug into a 100 megabit connection. Now, that's not normally a big issue, but I've found a surefire way to get the rainbow beachball of doom in the Finder - mount an SMB share on a wireless connection, plug into a wall outlet on the same subnet, and then turn off wireless. BAM! The Finder will suck it down, big time. I strongly believe that there should be an option to disable wireless automatically if a physical connection is enabled, as that would help extend battery life.

1 button mice are annoying, and Apple's mouse control panel applet leaves much to be desired. Why can't I control acceleration independently of speed? Of course there's also the well-known Apple lovefest for one-button mice, which normally just means I ignore Apple mice - but damn, they make the best/most reasonably priced Bluetooth mouse for OS X, and the damn thing has ONLY ONE BUTTON! Come on guys, what's the point of this crap? Do you just make this thing to taunt me?

Blech.

The one-button touchpad has been enhanced with a little utility called "sidetrack," which allows for taps in corners to map to alternate buttons. Very handy, and very workable - of course, it's a 3rd party utility, so don't expect it to come with your Mac.

The Finder sucks. If you change a view in a Finder window and navigate somewhere, the next time you open a new Finder window you may be stuck in a different view. It seems that the starting view you end up with when you launch the Finder in a directory is based on the view you used when you last CLOSED a Finder window IN that directory (if this sounds confusing, that's because it is). I initially thought this view inconsistency was just random, but understanding now how it works doesn't make me any more forgiving of the behavior.

While we're talking about the Finder, its SMB network browsing interface is crap. There's no way to view computer description fields that I can find. Double clicking on network servers can sometimes cause a beachball of doom, even though you can connect just fine using smbclient or smbmount manually. Aliases to SMB shares don't always work properly, either.

Safari is lacking in various ways, which is only a problem because Firefox is broken in OS X (middle mouse click doesn't open new tabs). Safari has no type-ahead-find, no /text style searching, no adblock extension... all of the little things that make Firefox so great. Safari isn't terrible - it renders pages just fine and pretty quickly - but it lacks some of the power Firefox provides.

The built-in terminal.app is pretty weak, but it's quickly replaced with the open source iTerm. Hint to the guys in Cali - throw a beefed-up version of iTerm in Tiger and make me happier.

Mail.app and Safari both really hate SSL certs that aren't signed by an official CA. I have my own self-generated CA for both work and home, and I've found no way to disable the warning dialogue box in these apps. I actually find Thunderbird superior to Mail.app anyway, but I'm not sure why there's no GUI option to import a 3rd party CA, or to suppress the error message when it encounters certificates signed by one.

It should probably be an indicator as to how pleased I am with the system that these gripes are the worst I can throw at it, but this thing is not only beautiful but also a joy to use. If you've been avoiding Macs due to System 7 "bomb" icons or fruity colored cases, you really need to give them another look now.

Just to clarify, the fact that I got a refund from American Express doesn't mean I consider the matter closed. Paypal has Shehryar's bogus Powerbook and I have a full refund, but I don't know what's coming to Shehryar Qamar - he never made anything good with me, and as far as I know Paypal just sucked up the loss and paid off Amex. That leaves Shehryar out way ahead, still holding onto the cash - I don't like that and I don't want him to get away with this, even if I no longer have a personal financial stake in the matter.

I still consider him a criminal at large.

... but instead, it got me a bike.

I'm now the proud owner of a $1080 bike, though I don't have it yet. I purchased a Cannondale T800 (pictured above, pretty ain't it?) from a shop in Durham. After upgrading the seat and shifters and picking up other miscellaneous crap, I walked out of the bike shop with $1450 less than when I entered it.

Zing.

All the research in the world had gotten me pretty much nowhere, but I'm ultimately pretty comfortable with this purchase. That makes for two obscenely-high-dollar toys I've bought this year (my Powerbook being the other), but I have no regrets - the Powerbook has already proven itself, and I'm sure the bike will do likewise.

If I end up doing nothing more than commuting, I think it'll still be worth it.

I'm currently involved in one of the most frustrating shopping experiences I've ever had.

After riding my Trek 930 mountain bike to work for a while, I've decided that I should just plop down the cash on a nice touring bike. I hope (some day) to be able to trek across the country on bike - it's a very cool idea and one I want to pursue.

Touring bikes are an interesting breed. They're designed to be rugged and smooth over long distances, with the ability to carry a bunch of weight comfortably. For just pure commuting they're overkill, but they're about the best possible choice if you're willing to pay.

The problem? Nobody carries touring bikes, because apparently almost nobody does touring. I think a big reason for touring's lack of popularity is that it's not perceived as being "extreme" enough. You aren't fighting the terrain as on a mountain bike, and you aren't pushing your limits for speed as on a road racer. Touring isn't a "sport" in either the X-Games or traditional sense of the word - it's recreation.

I've got a mountain bike for the trails, and that's fun and all, but I've always loved just... driving. I used to take my car everywhere I could, heading down back roads and exploring the countryside. I think the bike is a logical extension of that - I want to experience the trip in a way that just can't be replicated in a car. When you're zipping along at 55+ mph, you really just don't stop and smell the roses very often.

But finding the bike... my God, what a pain. You go into some places and ask for a touring bike, and the sales kid just looks at you like you're crazy. Other places try to sell you a hybrid or a cyclocross bike. Some places have some recommendations they can order, but of course they don't actually carry them - so it's not like you can actually test ride them or anything.

And then, there are a very few places that actually have touring bikes.

The first one I found was a Trek 520 at Franklin Street Cycles, in Chapel Hill. I headed over there one afternoon and checked the bike out. It had a steel frame, which most seem to regard as a plus for a touring bike. Bar-end shifters, not my favorite but also favored by many tourers. On the downside, the stock rack seemed flimsy and the gearing is probably too high. The sales guy tried to sell me the one they had on the floor (21"), but I remain unconvinced that it's the right size (my mountain bike is 21", but I've heard road bikes should be larger). I haven't ruled the Trek 520 out yet, but I'm weighing options.

Next, I checked all the local Cary bike shops. One tried to sell me a Sirrus, which seemed to me more like a hybrid than a touring bike. It did have the braze-ons for racks, but without drop bars I wasn't very interested. Another shop pointed me to the Lemond Poprad (cyclocross), which actually rode pretty well. The frame was nice and light, still steel though. Too bad for the Poprad was that it only had 2 chainrings on the front, which led to gearing that was just too high for me.

The next day I tracked down a shop with a Giant OCR Touring, which I liked well enough. It was a medium to my large, but it was within the realm of adjustment and I took it for a spin. Aluminum frame, STI shifters (frowned upon by hardcore tourers, but I do like them)... it was certainly an OK bike. The Giant moved to the top of my list.

Yesterday I found a Cannondale T800 - in my size, no less - and I loved it. It was geared lower than the others which is more suitable for long treks up mountains and hills, though it would tend to reduce my top speed. Aluminum frame and STI shifters may be negatives, but the fork was Cromo which would smooth out the ride some. I slammed it into a couple of small potholes and didn't feel much worse for the wear.

There are a few bikes left that I'd really like to try, but am having a bitch of a time tracking down:

Fuji Touring/World. I've never heard anything but good about Fuji bikes, but I can't find any.

Bianchi Volpe. Also supposedly a nice bike, one shop can order this for me but I'd hate to buy sight unseen.

Cannondale T2000 - the big brother of the T800 with better components.

So, the journey continues. Right now, the Cannondale T800 is at the top of my list, but I haven't given up looking just yet...