Category: Networks

  • Flash sometimes doesn't like SSL

    I found a strange problem recently. Using Gallery I could always upload new pictures, but someone else using Vista could not upload any pictures at all. It didn’t matter if she used IE or Firefox; every single upload made Gallery come up with error #2038 (IO). I could say that anyone that uses Vista deserves everything they get, but that would be a little churlish (if true).

    A few searches showed that this is basically Gallery saying “something bad happened with your upload”. No, really? You mean it’s not supposed to be a big red box and no uploaded file? It’s not the world’s most useful error message.

    What got me onto the right path was a message on the Gallery forums, though there it was the other way around. Gallery uses a Flash uploader, and it is the same Flash whether you use Firefox or IE. It seems it doesn’t like “strange” SSL certificates, such as the chained certificates that site uses (and my site too). No doubt there is some work-around or setting to fix it, but being Vista it’s probably buried 20 menu items deep under some obscure reference.

    Setting up the gallery under a non-SSL site fixed it, or, more correctly, worked around it.

  • Does your program use gethostbyname() ?

    There has been some discussion on the Debian IPv6 list about how the function gethostbyname() has changed. The manual page says this function is obsolete, and with good reason.

    A feature of the function is that if a hostname has both IPv4 and IPv6 entries then the order of the returned addresses is not defined. In practice it used to be that you’d get the IPv4 addresses first, then the IPv6 ones. That has now changed, and with more recent glibc you will get an IPv6 address first. Quite often old code doesn’t even check the address family or the size of the address structure but just copies the relevant 4 bytes. You then get the first part of a 16-byte IPv6 address wedged into a 4-byte IPv4 address structure, which basically means you get a mess.

    The fix is pretty simple: change the call from gethostbyname() to getaddrinfo(). If you only want the IPv4 addresses, perhaps because other parts of the code have not been checked or changed, then set the hints argument so that only IPv4 addresses are returned.

    If one of your packages is starting to play up, unable to connect to certain remote places and instead trying to get to some “random” address, have a quick check for gethostbyname(). A quick grep across the source code may save a lot of debugging time.
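    As an added example (not code from the post, the list discussion or glibc), here is the unchecked 4-byte copy the post describes, reproduced with getaddrinfo() so the damage is visible, beside the two fixes: an IPv4-only lookup that sets the hints to AF_INET, and a family-aware lookup that formats whatever comes first. It uses AI_NUMERICHOST so it runs without DNS, which is an assumption for this example; the addresses are constructed.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Shared lookup. AI_NUMERICHOST is an assumption made so that this example
 * runs without DNS; drop it for real hostnames. */
static int lookup(const char *host, int family, struct addrinfo **res)
{
    struct addrinfo hints;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = family;          /* AF_INET, AF_INET6 or AF_UNSPEC */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;
    return getaddrinfo(host, NULL, &hints, res);
}

/* Pointer to the raw address bytes of a result, whatever its family. */
static const void *raw_addr(const struct addrinfo *ai)
{
    if (ai->ai_family == AF_INET6)
        return &((const struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
    return &((const struct sockaddr_in *)ai->ai_addr)->sin_addr;
}

/* The old mistake: take the first result, never look at its family, and copy
 * 4 bytes into an IPv4 structure (what memcpy(&sin.sin_addr, h->h_addr, 4)
 * did after gethostbyname()). For an IPv6 result the dotted quad written to
 * buf is the first 4 bytes of the IPv6 address, i.e. the “random” address
 * the post talks about. Returns 0 on success. */
int blind_copy_first4(const char *host, char *buf, size_t buflen)
{
    struct addrinfo *res;
    if (lookup(host, AF_UNSPEC, &res) != 0)
        return -1;
    struct in_addr a;
    memcpy(&a, raw_addr(res), sizeof a);   /* the unchecked 4-byte copy */
    freeaddrinfo(res);
    return inet_ntop(AF_INET, &a, buf, buflen) ? 0 : -1;
}

/* The fix for code that still only speaks IPv4: restrict the hints to AF_INET
 * so an IPv6 address can never be handed back, and still check the family and
 * length before copying. Returns 0 on success, otherwise a getaddrinfo()
 * error code (gai_strerror() turns it into text). */
int resolve_ipv4(const char *host, struct in_addr *out)
{
    struct addrinfo *res;
    int rc = lookup(host, AF_INET, &res);
    if (rc != 0)
        return rc;
    if (res->ai_family != AF_INET || res->ai_addrlen < sizeof(struct sockaddr_in)) {
        freeaddrinfo(res);
        return EAI_FAMILY;
    }
    *out = ((struct sockaddr_in *)res->ai_addr)->sin_addr;
    freeaddrinfo(res);
    return 0;
}

/* The fix for code that can handle both: accept whatever comes first and
 * format it according to its own family. Returns AF_INET or AF_INET6 on
 * success, -1 otherwise. */
int resolve_any(const char *host, char *buf, size_t buflen)
{
    struct addrinfo *res;
    if (lookup(host, AF_UNSPEC, &res) != 0)
        return -1;
    int family = res->ai_family;
    const char *ok = NULL;
    if (family == AF_INET || family == AF_INET6)
        ok = inet_ntop(family, raw_addr(res), buf, buflen);
    freeaddrinfo(res);
    return ok ? family : -1;
}

int main(void)
{
    char buf[INET6_ADDRSTRLEN];
    struct in_addr a;
    blind_copy_first4("2001:44b8::1", buf, sizeof buf);
    printf("unchecked 4-byte copy of 2001:44b8::1 -> %s\n", buf);
    printf("resolve_ipv4(\"::1\") fails: %s\n",
           resolve_ipv4("::1", &a) != 0 ? "yes" : "no");
    if (resolve_any("::1", buf, sizeof buf) == AF_INET6)
        printf("resolve_any(\"::1\") -> %s (AF_INET6)\n", buf);
    return 0;
}
```

    The usual migration path mixes the two: resolve_ipv4() for the parts of a program that still hold a struct sockaddr_in, resolve_any() once those parts have been converted.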

     

  • Connecting to Internode IPv6 on Debian

    If you are running Debian and are connected to the internet by the Australian ISP Internode, you can connect to their IPv6 tunnel broker. This page describes how to do it in a few simple steps.

    For more information about what Internode is doing with IPv6, have a quick look at the Internode IPv6 page. That page will give you a basic overall view of how the system is set up. Don’t use the instructions they give you; while they do work, it’s a lot more complicated their way.

    ##Information to collect

    Before you start, you will need to know the following information:

    * Your Internode username and password; these are the same details that you put in your ADSL modem to connect to the ISP.
    * Decide whether you just want the Debian computer using IPv6 in “host mode” or you want everyone on your LAN to route through this computer in “router mode”.

    ##Installation
    You will first need the gateway client program, which is found in the Debian package [gogoc](http://packages.debian.org/gogoc). If you are running in “router mode” you will also need to install [radvd](http://packages.debian.org/radvd). Both of these packages are in the Debian main distribution, so you can download them the normal way you get your Debian packages.

    Edit the gogoc configuration file */etc/gogoc/gogoc.conf* to suit your situation; the important lines are:

    userid=MY_USERNAME
    passwd=MY_PASSWORD
    server=sixgw.internode.on.net
    auth_method=any
    host_type=MY_HOST_TYPE
    

    For MY_HOST_TYPE, use “host” or “router” depending on whether you want just this computer or everyone on your LAN to have IPv6, respectively.

    ##Starting gogoc for the first time
    When you first start gogoc it will try to make a secured connection to the tunnel broker. The problem is that it needs to check that the server key you get is OK. This means that the first time you run gogoc you need to do it on the command line, like this:

    server# invoke-rc.d gw6c stop
    Stopping Gateway6 Client: gw6c.
    server# gw6c
    sixgw.internode.on.net is an unknown host, do you want to add its key?? (Y/N)
    server# killall gw6c
    server# invoke-rc.d gw6c start
    Starting Gateway6 Client : gw6c.
    

    The server key is now stored in */var/lib/gogoc/gogockeys.pub* and the program will start automatically with no further key problems.

    ##Checking it’s working
    There are a few ways of checking your configuration is working:

    * **pgrep gw6c** returns the pid of the program
    * The ifconfig program, run on interface tun0 (or eth0 if you are in router mode), should show inet6 addresses starting with the 2001:44b8:: prefix, which belongs to Internode.
    * Browse to and watch the bouncing Google words.
    * The ifconfig output should look something like the following:

    server$ /sbin/ifconfig  | egrep '(Link|inet6)'
    eth0    Link encap:Ethernet  HWaddr 12:34:56:78:9a:bc
         inet6 addr: 2001:44b8:42:22::1/64 Scope:Global
         inet6 addr: fe80::234:56ff:fe78:9abc/64 Scope:Link
    lo    Link encap:Local Loopback
         inet6 addr: ::1/128 Scope:Host
    tun   Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet6 addr: 2001:44b8:41::43/128 Scope:Global
    
  • Bridging firewalls for ADSL Connections

    For a long time I’ve had 56k (hah – if I’m lucky) dialup. Between the modem and my local network was a nice Linux firewall, and all was good. Then I changed my connection to ADSL from [Internode][], and that was good too. I soon found out that I couldn’t put my firewall in as-is, and that was bad.

    ##Why Bridging?
    The problem is that, like a lot of other DSL networks out there, [Internode][] treats your LAN and their network device at the telephone exchange like one big Ethernet LAN. Normal firewalls expect two different blocks of IP addresses (subnets) on their “outside” and “inside” interfaces, e.g. network 10 on the inside and 42 on the outside. With the given setup, network 42 is both on the outside and the inside, a real problem for a standard firewall.

    A bridging firewall expects all its interfaces to be on the same network. It looks a lot like an Ethernet switch or hub, and in fact with no firewall rules it behaves exactly like one. The tricky thing is that it has to act like a switch when passing packets but act like a router when it’s deciding whether it should be passing that packet at all.

    It should be mentioned that you only need a bridging firewall when you want the computers on your local network to all have real, live addresses (so no NAT) and your ISP is not expecting you to have a router there.

    ##Kernel Patches and changes
    The standard Linux kernel has firewalling in it, and it also has bridging code, so we’re set, right? That depends on what kernel version you have. For 2.4.x kernels you need a patch, but the newer 2.6.x kernels have ebtables (the project that swallowed up the iptables+bridge code), so no patching is needed.

    In a 2.4.x kernel, the bridge code needs a modification so it goes and “asks” the firewall code if it is OK to forward a packet. Without that patch, your bridge code will happily forward any packet that comes along.

    ##Compiling 2.4.x kernels

    It used to be quite easy, as there was only one source of the firewall-bridge linking code. However, the code used to sit with the bridge project at SourceForge but has now moved in with the ebtables project, also at SourceForge. The following table may make it easier to understand which patch you need.

    | Kernel version | Patch |
    |---|---|
    | 2.4.18 | bridge-nf-0.0.7-against-2.4.18.diff |
    | 2.4.21 | ebtables-brnf-3_vs_2.4.21.diff.gz |
    | 2.4.22 | ebtables-brnf-2_vs_2.4.22.diff.gz |

    The 2.4.21 kernel patch didn’t apply cleanly and I needed to manually fix a few files to get it to patch and compile. The good news is that the 2.4.22 kernel patch did apply cleanly to a stock 2.4.22 kernel.

    * net/Makefile: add “bridge/netfilter” to the mod-subdirs line.
    * net/ipv4/ip_output.c: add the 4 lines from the .rej file. Note that in this file the pointer “skb2” is now called “to” and “skb” is called “from”, so make sure you make those adjustments when you do your hand-patching.
    * net/bridge/br_netfilter.c: uses old route table functions and a structure that doesn’t have pmtu any more. Use the patch at .

    You probably should also read the documentation for the different patches. The earlier patches have their own Bridge documentation page, while the newer patches are a poorer cousin to ebtables itself on the newer site, but you might dredge up something on the ebtables documentation page.

    For compiling, I enabled bridging, netfilter, iptables and the bridge netfilter support. The kernel compiled fine and I then installed it on the firewall.

    ##Compiling 2.6.x kernels
    At the time of writing, I was unable to use the physdev feature of iptables: iptables gave “invalid argument” every time I used -m physdev, which meant the bridging firewall could not use rules where the physical interface needed to be specified, so I rolled back to kernel 2.4.22.

    As previously mentioned, the 2.6.x kernels have ebtables built in, so there is no need for patching. ebtables used to be just for filtering based on layer-2 information, such as Ethernet MAC addresses, but it now allows the Linux bridge to look at the same things iptables can see. Some 2.6 kernel and iptables setups cannot handle the physdev module, so you might need ebtables anyway.

    There are two ways of filtering IP packets in 2.6 kernels. You can use iptables, which can see bridged packets, or you can use ebtables, which has some limited support for IP. Unless there is a good reason, go with iptables; it has a lot more features for IP packets.

    For compiling, I enabled bridging, netfilter, iptables and iptables physdev. If you want ebtables support too, enable ebtables, ebt: filter table, ebt: log support and ebt: IP filter support. These are found in the networking options submenu of the kernel configuration.

    ##Helper Programs
    You will need two helper programs for your firewall. Neither needs patching, which is wonderful! The first is iptables, for manipulating the firewall rules, and the second is bridge-utils, which makes the bridges. If you want to use ebtables too, get it as well.

    I run the Debian distribution, so downloading the two required packages was a matter of an apt-get command and I was done. If you don’t run Debian I’m sure you’ll find the programs for your distribution somewhere.

    ##Configuration
    It’s remarkably simple to make a bridging firewall: you make the bridge, then you add firewall rules. I was pleasantly surprised by this; the hardest thing for me was to get a second Ethernet card working in my stupid hardware, which has flaky ISA buses and a PCI slot that makes anything in it misbehave. Luckily I had 3 other sensible PCI slots.

    To make a bridge, I use the following commands:

    myfirewall# brctl addbr br0
    myfirewall# brctl addif br0 eth0
    myfirewall# brctl addif br0 eth1
    

    That was it, one working bridge! This meant that any packets that needed to cross the bridge were allowed through. Next I had to add some firewall rules. What to put into a firewall is explained much better elsewhere; look at the iptables reference given above.

    The way the interfaces are handled changes between the kernels. For 2.4 kernels, you use the standard iptables input and output (-i and -o) flags to specify what your incoming and outgoing interfaces should be. For 2.6 kernels you need to use the physical device module. So wherever you see a rule that has -i or -o flags, replace them with -m physdev --physdev-in or -m physdev --physdev-out to specify which interface you want (this is what breaks on my system). If you use -i and -o they will mis-match, because iptables thinks the input and output interfaces are whatever you call the bridge (br0 if you use my example).

    Pretty simple stuff. I hope it was helpful for you. If there is a part that doesn’t make any sense or you’d like me to explain it better drop me a line at the address below.
    ##Very simple iptables rules example

    Here is a very simple example of an iptables ruleset. It won’t do very much except allow everyone from the inside network to connect out and let the reply packets come back. It’s based on Rusty’s quick example. It assumes your external interface is eth0. First is the 2.4 kernel example:

    iptables -F FORWARD
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW -i ! eth0 -j ACCEPT
    iptables -A FORWARD -j DROP
    

    Next is the 2.6 kernel example. The only change is the line specifying what interface we accept new connections from.

    iptables -F FORWARD
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW -m physdev --physdev-in ! eth0 -j ACCEPT
    iptables -A FORWARD -j DROP
    

    ##NATing on a Bridging Firewall
    It may seem strange that you would use NAT on a bridging firewall, and in fact unclear how you can use it at all. The answer is that you may have several IP addresses but more computers. Put the servers into the DMZ with real addresses and NAT the PCs.

    The setup I have has the hosts with real and private addresses on the same physical network. This is generally a bad idea and is called multi-netting. If you can, put the private hosts on a third Ethernet card.

    With multi-netting you get the bizarre situation where everything revolves around a single interface and the firewall is part bridge, part router, depending on what IP address it sees.

    The first thing to do is give the bridge interface (br0 in the example) two IP addresses. It needs to be in both the public and private networks to do the routing and NATing. If you are using the three-interface method, the third interface gets the private address and the bridge interface gets the public one.

    Next, you need to add some firewall rules to do the NAT itself. This is reasonably standard. You will need to qualify the rule with the private LAN address range so you don’t NAT the public IP addresses too. The example assumes the external IP address is 1.2.3.4.

    iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to 1.2.3.4
    

    Finally, protect your firewall: it now, unfortunately, has a public IP address so that it can do NAT. You may want to make sure that your daemons, such as SSH, only listen on your private IP addresses. Firewall rules such as the following can also help. Other than traffic already established, the firewall only accepts traffic to itself if it is from the private LAN IP range, came in on the internal interface and is destined to the firewall itself. It also accepts traffic on the loopback interface but drops the rest.

    iptables -F INPUT
    iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
    iptables -A INPUT -j ACCEPT -s 192.168.1.0/24 -i eth1 -d 192.168.1.1
    iptables -A INPUT -j ACCEPT -i lo
    iptables -A INPUT -j DROP
    

    [Internode]: http://www.internode.on.net/

  • SNMP Information from your DLink DSL-300 ADSL Modem

    Not many people know it, but the DLink DSL-300 ADSL modem has SNMP management capabilities. And for such a small and cheap network device, it’s not too bad an implementation of it. Or perhaps I’ve just seen a lot of dead-awful ones to compare it against. Of course, displaying the private community in the MIB, which the DSL-300 does, is a pretty dumb idea.

    I should point out right here that these instructions work for me. They might work for you, or you might just find some easter egg in the modem’s firmware that turns it into a smoke machine. So do any of this stuff at your own risk.

    You will have to connect to the modem using a serial port first to find out its IP address, and change either your computer’s or the modem’s IP address so they are in the same network. Note that this address is not the same as the one your provider gives you. And the communities are the very-hard-to-guess “public” and “private” for read-only and read-write respectively.

    The modem has some of the standard SNMP MIBs that anyone who’s played with SNMP will quickly recognise, such as:

    * system information
    * interface information including the ifTable
    * IP MIB – packets in/out, discards, etc.
    * IP routes
    * TCP MIB
    * SNMP MIB, which is statistics about the agent itself
    * SNMPv2-SMI::mib-2.17.4

    All pretty standard stuff you see in pretty much any device. All the good information is always found in the private enterprises part of the MIB, and the DSL-300 is no exception. The problem is that if you ask DLink about it, they will tell you nothing. The nice thing about DLink is they’re pretty consistent about annoying the hell out of their customers by denying them technical information.

    With that rant out of the way, it’s time to work out for myself what these values are for. I’ve got some worked out, but it will take some more time to get it all clear, and possibly some will never be worked out. Thanks, DLink!

    All OIDs start with private.enterprises.171.11. There are quite a few gaps, so if you know what the missing values mean, drop me a line.

    | OID | Type | Description |
    |---|---|---|
    | 1.1.1.0 | STRING | Software version, e.g. “R1.14AU” |
    | 1.1.2.0 | STRING | PROM firmware version, e.g. “Ver. 1.00” |
    | 1.1.3.0 | STRING | Hardware version, e.g. “Rev. 1.00” |
    | 1.1.4.0 | INTEGER | Management protocols supported: 2=snmp-ip |
    | 1.1.5.1 | Table | Table showing what MIBs are supported |
    | 1.1.5.1.1.X | INTEGER | Index of table |
    | 1.1.5.1.2.X | STRING | Name of MIB supported, e.g. “DSL504-MIB”, “RFC1213-MIB” |
    | 1.1.5.1.3.X | INTEGER | Version of MIB supported |
    | 1.1.5.1.4.X | INTEGER | Type of MIB |
    | 30.1.1.0 | INTEGER | Bridge/Router: 1=PPPoA-Router, 2=PPPoA-Bridge, 3=RFC1483-Router, 4=RFC1483-Bridge |
    | 30.1.2.0 | INTEGER | Config Save 1 |
    | 30.1.3.0 | INTEGER | System Restart 1 |
    | 30.1.4.0 | INTEGER | ?? 1 |
    | 30.2.1.0 | INTEGER | ADSL Driver Mode: 0=link down, 1=T1-413, 2=G-lite, 3=G-DMT |
    | 30.2.2.0 | INTEGER | Upstream rate in kbps |
    | 30.2.3.0 | INTEGER | Downstream rate in kbps |
    | 30.2.4.0 | STRING | Device driver version |
    | 30.2.5.0 | INTEGER | ADSL Link Status: 0=Idle, 1=Connecting, 2=Connected |
    | 30.2.6.0 | INTEGER | Driver Path: 0=Fast, 1=Interleave |
    | 30.2.7.0 | INTEGER | Near End FEC line error count |
    | 30.2.8.0 | INTEGER | Far End FEC line error count |
    | 30.2.9.0 | INTEGER | Near End CRC line error count |
    | 30.2.10.0 | INTEGER | Far End CRC line error count |
    | 30.2.11.0 | INTEGER | Near End HEC line error count |
    | 30.2.12.0 | INTEGER | Far End HEC line error count |
    | 30.2.13.0 | INTEGER | Near End LOS (Loss Of Signal) count |
    | 30.2.14.0 | INTEGER | Far End LOS (Loss Of Signal) count |
    | 30.2.15.0 | INTEGER | Near End LOF (Loss Of Frame) count |
    | 30.2.16.0 | INTEGER | Far End LOF (Loss Of Frame) count |
    | 30.2.17.0 | INTEGER | Near End line error count |
    | 30.2.18.0 | INTEGER | Far End line error count |
    | 30.2.19.0 | INTEGER | Near End Alarm Indication Signal: 0=no alarm, 1=alarm |
    | 30.2.20.0 | INTEGER | Far End Alarm Indication Signal: 0=no alarm, 1=alarm |
    | 30.2.21.0 | INTEGER | Near End Remote Defect Identification: 0=no defect, 1=defect |
    | 30.2.22.0 | INTEGER | Far End Remote Defect Identification: 0=no defect, 1=defect |
    | 30.2.23.0 | INTEGER | Upstream Capacity (in percent) |
    | 30.2.24.0 | INTEGER | Downstream Capacity (in percent) |
    | 30.2.25.0 | INTEGER | Upstream line attenuation |
    | 30.2.26.0 | INTEGER | Downstream line attenuation |
    | 30.2.27.0 | INTEGER | Upstream Noise Margin |
    | 30.2.28.0 | INTEGER | Downstream Noise Margin |
    | 30.2.29.0 | INTEGER | Upstream Output Power |
    | 30.2.30.0 | INTEGER | Downstream Output Power |
    | 30.2.31.0 | INTEGER | Link retrain count |
    | 30.2.32.0 | Array | Carrier Load Array |
    | 30.2.33.0 | INTEGER | Unable to initialize count |
    | 30.2.34.1.1.1-96 | INTEGER | A 96-row table, index column. The value equals the instance. |
    | 30.2.34.1.2.1-96 | INTEGER | Near End Error Second |
    | 30.2.34.1.3.1-96 | INTEGER | Far End Error Second |
    | 30.2.35.0 | INTEGER | Near End Error Second count for the day |
    | 30.2.36.0 | INTEGER | Far End Error Second count for the day |
    | 30.2.37.1.1.1-7 | INTEGER | Error Second for the day table – index column. Value = instance |
    | 30.2.37.1.2.1-7 | INTEGER | Near End Error Second count for the day |
    | 30.2.37.1.3.1-7 | INTEGER | Far End Error Second count for the day |
    | 30.3.1.0 | INTEGER | Spanning Tree State: 0=other, 1=disabled, 2=enabled |
    | 30.3.2.0 | INTEGER | VPI of bridged PVC |
    | 30.3.3.0 | INTEGER | VCI of bridged PVC |
    | 30.4.1.1.1.1 | INTEGER | Index of table |
    | 30.4.1.1.2.1 | IpAddress | IP address of modem |
    | 30.4.1.1.3.1 | IpAddress | Network mask of modem |
    | 30.4.1.1.4.1 | INTEGER | Send RIP: 1=RIPv1, 2=RIPv2, 3=Both RIP, 4=None |
    | 30.4.1.1.5.1 | INTEGER | Accept RIP: 1=RIPv1, 2=RIPv2, 3=Both RIP, 4=None |
    | 30.4.1.1.6.1 | INTEGER | IP Forwarding: 2=None, 3=All |
    | 30.4.1.1.7.1 | INTEGER | DHCP Client: 1=other, 2=disabled, 3=enabled |
    | 30.4.1.1.8.1 | INTEGER | NAT State: 1=other, 2=disabled, 3=enabled |
    | 30.4.2.1.0 | INTEGER | Static Route Count 0 |
    | 30.4.3.1.1.1.6.112.117.98.108.105.99 | Hex-STRING | SNMP read-only community, 28 bytes long with 0 padding, e.g. fred = 66 72 65 64 00… |
    | 30.4.3.1.1.1.7.112.114.105.118.97.116.101 | Hex-STRING | SNMP read/write community, same encoding as read-only |
    | 30.4.3.1.1.2.6.112.117.98.108.105.99 | INTEGER | ?? 1 |
    | 30.4.3.1.1.2.7.112.114.105.118.97.116.101 | INTEGER | ?? 2 |
    | 30.9.1.0 | IpAddress | IP address of TFTP server |
    | 30.9.2.0 | STRING | Remote filename on TFTP server |
    | 30.9.3.0 | STRING | Local filename |
    | 30.9.4.0 | INTEGER | Set to 1 to make modem connect to server |
    | 30.9.5.0 | INTEGER | Set to 1 to get remote file |
    | 30.9.6.0 | INTEGER | TFTP status: 0=idle, 1=Wait ACK, 2=Wait Data, 3=Sent Write Request, 4=Sent Read Request, 5=Done |
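    The community rows above are indexed by the community name itself, spelt out as a length followed by one sub-identifier per byte (6.112.117.98.108.105.99 is “public”), which is the normal SNMP way of using a string as a table index, and their values are zero-padded 28-byte Hex-STRINGs. The following added example (not from the post or from DLink) decodes and builds both encodings, which is handy when auditing what one of these modems exposes; the inputs are constructed from the table.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode a length-prefixed OID index suffix such as "6.112.117.98.108.105.99"
 * into the text it encodes ("public"). The first sub-identifier is the byte
 * count, followed by one sub-identifier per byte. Returns the number of bytes
 * decoded, or -1 if the suffix is malformed or does not fit in out (outlen
 * includes the terminating NUL). */
int decode_oid_index(const char *suffix, char *out, size_t outlen)
{
    char *end;
    long len = strtol(suffix, &end, 10);
    if (end == suffix || len < 0 || (size_t)len + 1 > outlen)
        return -1;
    const char *p = end;
    for (long i = 0; i < len; i++) {
        if (*p != '.')
            return -1;
        long v = strtol(p + 1, &end, 10);
        if (end == p + 1 || v < 0 || v > 255)
            return -1;
        out[i] = (char)v;
        p = end;
    }
    if (*p != '\0')            /* trailing sub-ids mean the length lied */
        return -1;
    out[len] = '\0';
    return (int)len;
}

/* Inverse: build the OID index suffix for a community name, so the row for
 * that community can be addressed. Returns out, or NULL if it does not fit. */
char *encode_oid_index(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    int w = snprintf(out, outlen, "%zu", n);
    if (w < 0 || (size_t)w >= outlen)
        return NULL;
    size_t used = (size_t)w;
    for (size_t i = 0; i < n; i++) {
        w = snprintf(out + used, outlen - used, ".%u", (unsigned char)name[i]);
        if (w < 0 || (size_t)w >= outlen - used)
            return NULL;
        used += (size_t)w;
    }
    return out;
}

/* Decode the Hex-STRING value of a community object: "66 72 65 64 00 00 ..."
 * is a zero-padded 28-byte field holding "fred". Stops at the first 00 byte
 * or at the 28-byte field length. Returns the decoded length, or -1 on bad
 * input or if out is too small. */
int decode_community_hex(const char *hex, char *out, size_t outlen)
{
    size_t n = 0;
    const char *p = hex;
    while (n < 28) {
        while (isspace((unsigned char)*p))
            p++;
        if (*p == '\0')
            break;
        if (!isxdigit((unsigned char)p[0]) || !isxdigit((unsigned char)p[1]))
            return -1;
        char byte[3] = { p[0], p[1], '\0' };
        unsigned v = (unsigned)strtoul(byte, NULL, 16);
        if (v == 0)                /* padding reached */
            break;
        if (n + 1 >= outlen)
            return -1;
        out[n++] = (char)v;
        p += 2;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs taken from the table rows above. */
    if (decode_oid_index("7.112.114.105.118.97.116.101", buf, sizeof buf) > 0)
        printf("index 7.112.114.105.118.97.116.101 -> %s\n", buf);
    if (encode_oid_index("public", buf, sizeof buf))
        printf("community \"public\" -> 30.4.3.1.1.1.%s\n", buf);
    if (decode_community_hex("66 72 65 64 00 00 00 00", buf, sizeof buf) > 0)
        printf("hex value -> %s\n", buf);
    return 0;
}
```

    Because the index carries the community name, a walk of 30.4.3.1.1.1 reveals every configured community to anyone who already holds a read-only community, which is the “pretty dumb idea” the post refers to; the decoder makes that exposure easy to confirm during an audit.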

    Some definitions you might find useful:

    * Error Second (ES) – any second in which at least one bit error was received.