MavEtJu's Distorted View of the World - 2008-04


Free Network Access at Magenta Shores

Posted on 2008-04-27 22:00:09, modified on 2008-04-27 22:00:00
Tags: Networking, Free Internet

I had the luxury of a short break at the Magenta Shores near Tuggerah Lake, and being away for four days without internet access is a real challenge. But nothing to worry about, the hotel has internet access for an outrageous price. So, how does their network work?

IP address allocation is easy: Use DHCP and you get an IP address out of the 10.0.0.0/21 range. Your default gateway is a FreeBSD box which blocks all traffic except ICMP and DNS and listens on port 3128 (with a Squid proxy), port 80 (Apache + mod_php), port 53 (DNS), port 22 (SSH), port 25 (SMTP) and port 21 (a non-anonymous FTP server).

The first /24 of the /21 has a couple of other IP addresses in it which respond to pings, but they were all switches. With passwords.

So, what fun can we have?

First, the SMTP server is forwarding all messages to the internet: You can send email but you can't receive it.

The proxy server is properly locked, I couldn't find a way around it. All traffic towards it was redirected to the webserver on the default gateway asking for your password. In the root of the webserver was a menu for hotel management and system management, but it was all password protected.

The DNS service on the default gateway is working too, and... port 53/UDP is unblocked! I bought half an hour of internet time from them, used the SSH over the HTTP/CONNECT trick and seven minutes later I had an OpenVPN link up and running through that hole. I had been thinking about using the DNS tunneling application, but I would never manage to get that up and running in the half hour I paid for.

Just running tcpdump itself shows that there is a lot of multicast traffic being broadcast by the default gateway. Unfortunately mplayer couldn't make sense of it. The traffic was most likely for the boxes connected to the TV (and the network of course): Resetting one gave a DHCP request and an IGMP join packet. The boxes themselves were without brand, name, type or anything else useful to identify them: I didn't open them because they were attached with tie-straps which I couldn't replace.

And the last thing I did was running traceroute in firewall evasion mode. After the default gateway came a 192.168.1.1 address and then an iiNet broadband connection. Funny that they didn't manage to change the 192.168. address to a 10. address.
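
From the operator's side, the hole described above (port 53 being forwarded for guests who have not paid) can be spotted in flow logs. The following is an added example, not part of the original post: the gateway address 10.0.0.1, the byte budget and the flow records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

CLIENT_NET = ipaddress.ip_network("10.0.0.0/21")  # DHCP range from the post
GATEWAY = ipaddress.ip_address("10.0.0.1")        # assumed gateway/resolver address
MAX_DNS_BYTES = 200_000                           # assumed per-client budget per window

# Constructed flow records:
# (client, destination, protocol, destination port, bytes, authenticated)
FLOWS = [
    ("10.0.1.23", "10.0.0.1",     "udp", 53, 4_200,      False),
    ("10.0.1.23", "10.0.0.1",     "tcp", 80, 18_000,     False),
    ("10.0.2.77", "203.0.113.10", "udp", 53, 48_000_000, False),
    ("10.0.3.5",  "10.0.0.1",     "udp", 53, 2_500_000,  False),
    ("10.0.4.9",  "198.51.100.7", "udp", 53, 900,        True),
]

def audit(flows):
    """Flag port-53 traffic from unauthenticated clients that is not plain resolver use."""
    findings = []
    dns_bytes = defaultdict(int)
    for src, dst, proto, dport, nbytes, authed in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        # Only pre-authentication port-53 traffic from guest addresses is of interest.
        if src_ip not in CLIENT_NET or authed or dport != 53:
            continue
        if dst_ip != GATEWAY:
            # The gateway forwarded port 53 to an outside host instead of answering itself.
            findings.append((src, "port 53 forwarded past the gateway", dst))
        else:
            dns_bytes[src] += nbytes
    # Large volumes through the local resolver point at tunnelling inside DNS queries.
    for src, total in sorted(dns_bytes.items()):
        if total > MAX_DNS_BYTES:
            findings.append((src, "DNS volume over budget", str(total)))
    return findings

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
```

The first finding type disappears once the gateway only answers DNS itself and stops forwarding port 53 for unauthenticated clients; the second still needs a volume or rate check.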



Cycling: Around Tuggerah Lake

Posted on 2008-04-27 21:00:00
Tags: Cycling, Cycling in Australia, Lake Tuggerah

The Tuggerah Lake is a trip which takes you past Norah Head, Toukley, Gorokan, Wyongah, Wyong, Tuggerah, Chittaway Bay and then all the way around the lake to the Entrance. Good for some 50 kilometers of travel, which is mostly flat.

I started at Magenta, at the eastern part of the lake. From there to Norah Head is an asphalted road through the nature area. Through Carlton Beach past the lake and then over the bridge to Gorokan. If you are brave and curious enough you can visit the One Stop Rock and Voodoo Shop which is on this strip. After Gorokan you will see in the distance a traffic light with a huge hill, turn left (south) before the hill, there is enough road left for getting tired later. You can't cycle directly next to the lake here, you are always one block of houses away from it.

Once past Rocky Point you end up on a beautiful stretch next to the river. And when the road goes away from the river you go to a nice forest area again. If it has rained a lot, which it did for about 12 days before I did this trip, then the river is very high and all the moats in front of the houses are filled up; Not a picture you see often in Australia.

Under the railroad tunnel and the Pacific Highway and you end up back in the reality of a stretch of commercialism: The sudden overflow of cognitive impulses which fight for your attention is enormous. Luckily that part of the road is very short, and you can relax on the road to Chittaway Bay and then back to the lake.

The next part up to the bridge at The Entrance is a piece of cake if it isn't too late in the morning or when it hasn't rained for 12 days in advance: Too late in the morning and it will be all filled with little children cycling there and lots of people walking, and if it has rained for 12 days it will be flooded at certain parts. The flooding part isn't that bad, just make some speed, lift your feet and you get through it without too many problems: It doesn't get deeper than 10 centimeters. Except for two places: Just before the Rotary Park there was a whole street flooded and the last three meters suddenly brought the water up to the chains; and a silly low bridge near the Picnic Point Reserve which on both sides had very deep water on the path.

Once I left the Picnic Point Reserve (with or without dry feet) I went up the bridge and north back to the Magenta Shores. The trip took 200 minutes and included two breaks of say 15 minutes each.



Bacula client-side user exclusion flag

Posted on 2008-04-13 15:00:09, modified on 2008-04-13 15:00:00
Tags: Bacula, Networking

Today I finished my "Bacula client-side user exclusion flag" patch. Let me explain what it is:

  • Bacula is a backup program.
  • Client side means the computers which are going to be backed up.
  • User means that it is not a client-side configuration issue but that the end-user can specify it.
  • Exclusion flag means a way to tell that it doesn't need to be done.

So, in proper English: A way for end-users to exclude certain directories from being backed up. Without the need to hassle the system administrator, or to be able to edit system-specific files.

How it works: In your FileSet add the option IgnoreDir:

FileSet {
    Name = "Remote Specified"
    Include {
	Options {
	    signature = MD5
	}
	File = "\\</etc/bacula-include"
	IgnoreDir = .nobackup
    }
    Exclude {
	File = "\\</etc/bacula-exclude"
    }
}

And if my /etc/bacula-include contains:

/usr/local/etc
/etc
/home

I can drop files called .nobackup in directories I don't want to backup:

[~] edwin@>find . -name .nobackup
cvs/ports/.nobackup
temp/.nobackup
tmp/.nobackup
www/cache/.nobackup
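
Because any user can now opt directories out of the backup, an administrator will want to see what is being left out. The following is an added example, not code from the patch or from Bacula: it walks a tree and reports which directories carry the marker and which files remain, assuming that a marker excludes the directory together with everything below it. The sample tree is constructed around the marker locations listed above.

```python
import os
import tempfile

MARKER = ".nobackup"  # value of IgnoreDir in the FileSet above

def plan(root, marker=MARKER):
    """Return (files that would be backed up, directories skipped), relative to root."""
    kept, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if marker in filenames:
            skipped.append(rel)
            dirnames[:] = []  # assumption: the whole subtree below the marker is skipped
            continue
        dirnames.sort()       # deterministic traversal order
        kept.extend(os.path.normpath(os.path.join(rel, f)) for f in sorted(filenames))
    return kept, sorted(skipped)

def build_sample(root):
    """Constructed home directory using the marker locations from the post."""
    files = ["cvs/ports/.nobackup", "cvs/ports/Makefile", "cvs/src/main.c",
             "temp/.nobackup", "temp/scratch.dat", "tmp/.nobackup",
             "www/cache/.nobackup", "www/cache/deep/blob.bin", "www/index.html",
             "notes.txt"]
    for name in files:
        path = os.path.join(root, name)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return plan(root)

if __name__ == "__main__":
    kept, skipped = demo()
    print("skipped:", skipped)
    print("kept:   ", kept)
```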



MavEtJu goes IPv6

Posted on 2008-04-12 09:00:09, modified on 2008-04-12 09:00:00
Tags: IPv6, Networking

On a whim last month I decided to apply for a chunk of IPv6 IP space at APNIC. Why? No idea, but it was influenced by the advertisements of APNIC about IPv6 training in Sydney and a request of PIPE Networks about searching for people who want to do IPv6 on their regional internet exchanges in Australia. It took some time before I got my hands on it, mostly due to incorrectly configured webservers whose emails get blocked because their SMTP envelope from addresses are not verifiable. But that's being taken care of by APNIC :-)

Last Thursday I got an email that I have been allocated a chunk of IPv6 IP space:

[~] edwin@k7>whois -A barnetwork-ap-20080410
% [whois.apnic.net node-2]
% Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html

inet6num:     2001:DF0:9::/48
netname:      barnetwork-ap-20080410
descr:        BarNetwork Pty Limited, Internet Service Provider, Sydney, Australia
country:      AU
admin-c:      EG46-AP
tech-c:       EG46-AP
mnt-by:       APNIC-HM
status:       ASSIGNED PORTABLE
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks:      This object can only be updated by APNIC hostmasters.
remarks:      To update this object, please contact APNIC
remarks:      hostmasters and include your organisation's account
remarks:      name in the subject line.
remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed:      hm-changed@apnic.net 20080410
source:       APNIC

Woohoo! This /48 is mine.

A /48 is big. If you take into consideration that an IPv6 address is 128 bits, then it's very big. But luckily IPv6 subnets are the upper /64 of an address, so we only have (in the old IPv4 terms) an IPv4 /16. An IPv4 /16 is big too, it's 65536 subnets we can allocate now. 65535 subnets of the size of a /64 is bigger: it's something like 1.2 * 10^24.

Anyway, how good are we at this IPv6 stuff? Our FreeBSD and Linux servers will have no problem with it. Windows boxes also will be fine, the ones that run Windows 2003 that is. Our Extreme Networks backbone network equipment is fine with it. Our Juniper IPSec routers do support it. Our Cisco Call Manager based telephone system does not support it. Oh well, enough to play with.

The first thing I need to do is to get APNIC to create DNS NS records for 9.0.0.0.0.f.d.0.1.0.0.2.ip6.arpa to our nameservers. I'll keep you posted on the progress!
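
The subnet arithmetic and the reverse zone name above can be derived from the prefix itself. The following is an added example, not part of the original post; it also goes beyond the /48 case by handling prefixes that do not end on a 4-bit boundary, which need more than one ip6.arpa zone delegated. The /46 used to show that is a constructed documentation prefix.

```python
import ipaddress

def summarize(prefix):
    """Number of /64 subnets and of addresses inside an IPv6 prefix."""
    net = ipaddress.ip_network(prefix)
    return {"subnets_64": 2 ** (64 - net.prefixlen), "addresses": net.num_addresses}

def reverse_zones(prefix):
    """ip6.arpa zone(s) to delegate for prefix; several when it is not nibble aligned."""
    net = ipaddress.ip_network(prefix)
    aligned = -(-net.prefixlen // 4) * 4  # round up to the next 4-bit boundary
    zones = []
    for sub in net.subnets(new_prefix=aligned):
        # One label per hex digit of the network part, least significant digit first.
        nibbles = sub.network_address.exploded.replace(":", "")[: aligned // 4]
        zones.append(".".join(reversed(nibbles)) + ".ip6.arpa")
    return zones

if __name__ == "__main__":
    print(summarize("2001:DF0:9::/48"))
    print(reverse_zones("2001:DF0:9::/48"))
    print(reverse_zones("2001:db8:4::/46"))  # constructed, not nibble aligned
```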

