This is a blog of mcr at sandelman.ca
Wed, 25 Nov 2009

Port forwarding from something not your firewall

I have a number of web servers which want to expose their port 443 to the world. These machines also have IPv6, and that is what I hope many clients will use. Since HTTPS servers cannot do name-based virtual hosting (not without SNI, which many clients did not yet support), and port 443 on CREDIL's firewall is already taken, what can I do? We have other public IPs, with other (virtual) machines that have internal and external connections. I could use their port 443s. I previously did this for port 119 (NNTP). I had set things up like this (PREROUTING and POSTROUTING are chains of the nat table, so -t nat is required):
# On the firewall: rewrite the destination of inbound NNTP to the internal server.
iptables -t nat -A PREROUTING -d ${myexternalip}/32 -p tcp -m tcp --dport 119 -j DNAT --to-destination ${serverinternalip}:119
# Rewrite the source as well, so the server's replies come back through this box.
iptables -t nat -A POSTROUTING -d ${serverinternalip}/32 -p tcp -m tcp --dport 119 -j MASQUERADE
The first statement is relatively ordinary: it changes the destination address. The second statement is annoying. It is critical on a firewall that is not the server's default route: it changes the source IP of connections to ${serverinternalip} to be the internal address of the firewall, so that the server's replies come back through the firewall instead of following the server's own default route. It is actually necessary even when the firewall is the default route: without it, internal connections to port 119 do not work. The internal server sees a connection from the internal client's IP to its own internal IP and replies to the client directly, but the client's TCP stack expects the reply to come from the firewall's external IP (the address it connected to), so the direct reply is rejected. The above method works fine, except that the server sees every connection as coming from the internal IP of the firewall. That really sucks from a logging point of view! How to solve it? The requirement is that the server's replies, the packets with source port 443, go back out via the gateway machine that did the DNAT, even though that machine is not the server's default route. This is what I did. On the gateway machine:
# DNAT only, no MASQUERADE: the server will see the real client address.
iptables -t nat -A PREROUTING -d ${myexternalip}/32 -p tcp -m tcp --dport 443 -j DNAT --to-destination ${serverinternalip}:443
On the target machine:
# Mark locally generated packets that are not destined for the internal network...
iptables -t mangle -A OUTPUT '!' -d ${myinternalnetwork}/24 -j MARK --set-mark 443
# ...and send marked packets via the gateway's internal address instead of the default route.
ip rule add fwmark 443 table 443
ip route add 0.0.0.0/0 via ${myinternalip} table 443
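The two-host setup described above, as an added example script that is not from the original post. The addresses, variable names and the gateway/server selector are assumptions for illustration (documentation ranges and a private LAN); it goes slightly beyond the rules above by restricting the mark to source port 443 and by adding an ip route get check. By default it only prints the commands it would run; APPLY=1 executes them, which needs root on each host.

```shell
#!/bin/sh
# Added example, not from the original post: DNAT on the gateway plus fwmark
# policy routing on the web server, parameterised. All addresses are placeholders
# (assumed); edit them for your network. Prints commands unless APPLY=1.

EXT_IP=192.0.2.10        # gateway's public address (assumed)
GW_INT_IP=10.0.0.1       # gateway's address on the internal LAN (assumed)
SRV_IP=10.0.0.50         # web server's internal address (assumed)
INT_NET=10.0.0.0/24      # internal LAN (assumed)
PORT=443
MARK=443                 # fwmark value; also reused as the routing table number

run() {
    if [ "${APPLY:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Gateway: DNAT only, no MASQUERADE, so the server sees the real client IP.
# PREROUTING is a chain of the nat table; iptables rejects the rule without -t nat.
gateway_rules() {
    run iptables -t nat -A PREROUTING -d "$EXT_IP/32" -p tcp -m tcp --dport "$PORT" \
        -j DNAT --to-destination "$SRV_IP:$PORT"
}

# Web server: mark its HTTPS replies (source port 443) that leave the LAN and
# send them through the gateway that did the DNAT instead of the default route.
# The mark must be set in the mangle table: that chain sees every locally
# generated packet and the kernel re-routes a packet whose mark changed there,
# whereas the nat table only sees the first packet of a connection and the
# filter OUTPUT chain runs after the routing decision.
server_rules() {
    run iptables -t mangle -A OUTPUT -p tcp --sport "$PORT" '!' -d "$INT_NET" \
        -j MARK --set-mark "$MARK"
    run ip rule add fwmark "$MARK" table "$MARK"
    run ip route add default via "$GW_INT_IP" table "$MARK"
}

# Check on the web server: which route does a marked packet to the outside take?
# The answer should name $GW_INT_IP as the gateway, not the default router.
server_check() {
    run ip route get 198.51.100.7 mark "$MARK"
}

case "${1:-}" in
    gateway) gateway_rules ;;
    server)  server_rules; server_check ;;
    *)       echo "usage: $0 gateway|server   (set APPLY=1 to execute)" ;;
esac
```

Run it once on each host (./script.sh gateway on the DNAT box, ./script.sh server on the web server) and read the printed commands before re-running with APPLY=1; the ip route get line at the end is the quick way to confirm the policy rule is actually consulted for marked packets.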
It is very important that you set the mark in the mangle table. It will not work in the nat table or in the regular (filter) OUTPUT chain: the MARK target belongs to mangle, the mangle OUTPUT chain sees every locally generated packet and the kernel re-routes a packet whose mark changed there, whereas the nat table only sees the first packet of each connection (and these replies belong to a connection that arrived via PREROUTING) and the filter OUTPUT chain comes after the routing decision. Note that, as written, the mark matches everything the server sends that is not destined for the internal network, so all of its outbound traffic leaves via the alternate gateway; add -p tcp --sport 443 to the mangle rule if only the HTTPS replies should go that way. The result is that packets with source port 443 go out via this alternate gateway, and the web server itself sees the correct originating IP.

posted at: 13:21 | path: /howto | permanent link to this entry

Mon, 23 Nov 2009

Apparently, at Canadian Tire, and online, if I want multicolour Xmas lights (ideally LEDs), I have to have a green cord. Only white cords come with white LEDs. I considered buying one of each and moving the "bulbs", but many of the systems are not socketed. I want Xmas lights I can put up on the house, staple in, and LEAVE there.

posted at: 18:16 | path: /howto | permanent link to this entry

Wed, 18 Nov 2009

I blame Mike Charlton. I'm pretty sure it was some email of his that suggested that I read The Goal. This was back in Winter 2008, I think. Wait, can Amazon tell me... Yup. Ordered the book on February 1, 2008. The Goal is a novel; in it we learn about the fate of a branch manager, who learns that his branch, in his original home town, is going to be shut down unless he can figure something out in just three months. Our hero learns the Theory of Constraints (http://en.wikipedia.org/wiki/Theory_of_Constraints) and saves the day... except that now the Peter Principle gets applied to him, and in the next book he has to save the division. A great read, and I learnt lots that I didn't think I'd ever use. When I got the second book, It's Not Luck, Amazon suggested I get Critical Chain, and I did. It turns out Critical Chain is about project management of all sorts, including software. It was written ten years later (mid-1990s), and some of it is a bit naive about things, but the essential theory is great, and furthermore, it's very much compatible with Agile Methods. I wanted more. I wondered how to get more. In early 2009, I started to wonder if business school might teach me more.
I had not quite understood that part of the underlying story in Critical Chain was probably autobiographical, and that the frustrations of the business professor in the novel expressed Goldratt's experience that it was very hard to get TOC accepted into business schools. I also began to understand that a difficulty I've had in many companies is that I'm a techie, and I often explain things from that point of view. Unlike other techies, I tend to be pretty good, given some face-to-face time with a non-technical executive, at explaining things in terms that he can use, but I am missing many of the shortcuts that would come from having more language in common. It's not enough to talk about ROI; sometimes I think it might have helped to be able to start from the CFO's terminology and relate it back to mine (i.e. to lead them from where they are to where I am, instead of having to entice them to start where I am and discover the path back to where they are). I investigated executive MBAs. Ottawa U failed to impress me at all. A meeting with the director was offered, but the whole thing just didn't feel right. I went to a Queen's executive MBA session, and they got me the information that I wanted... yes, it is expensive; yes, the content is mostly there; but doing it in Ottawa is probably a mistake. I won't meet the people that I really want to understand. The Theory of Constraints does not figure prominently in either program. At least Queen's mentioned it. I started from the other end: who teaches this? Google told me that it's popular at one university in Mumbai, at the Goldratt Institute, and that the Harvard MBA also teaches it now. I talked to my mother's cousin about all of this, and he pointed me at Henry Mintzberg: http://www.henrymintzberg.com/ I highly recommend reading http://www.henrymintzberg.com/pdf/productivity2008.pdf He hasn't got nice things to say about the MBA. I certainly agree.
MBAs should only be done as executive MBAs; you need ten years out there before any of it can make any sense. Harvard only offers the residential two-year MBA. Many of my colleagues and mentors quietly discouraged me from an MBA. One of them pointed me at http://www.personalmba.com/ --- essentially a reading list. In August, I decided this would do, and the price was right.

So far I've read:
  10 Days to Faster Reading
  Crucial Conversations: Tools for Talking When Stakes Are High
  Indispensable: How To Become The Company That Your Customers Can't Live Without
  Necessary But Not Sufficient: A Theory of Constraints Business Novel

I'm in the middle of reading:
  Results Without Authority: Controlling a Project When the Team Doesn't Report to You, A Project Manager's Guide
  The Unwritten Laws of Business
  Throughput Accounting
  Managing

Necessary But Not Sufficient is another novel. Set in 1998/1999, and apparently written just after the dot-bust, it explains the dot-bust very well, but also talks a lot about software companies, manufacturing companies, and ERP systems. It's supportive of Agile Methods (even though I don't think Goldratt knows that term; it certainly wasn't coined until after the book was in print). More importantly, it basically concludes that software is best sold as a service, not a product, and that there is actually no value in the software itself, only in how it reduces or eliminates limitations, permitting a person or company to do more. I take this to suggest that open source licensing of a lot of software is the right way to go, particularly for anything which is targeted at business.

posted at: 07:12 | path: /personalmba | permanent link to this entry

Fri, 06 Nov 2009

Dear Fido: Please cease telling me about my Fido dollars. (I've received two emails in the last 24 hours.) Your Fido dollars have no value. Not only are they not going to keep me as a customer --- I prefer to have an unlocked phone, and I'll pay for it.
In fact, your recent change to prevent me from spending my credits on whatever I want means that I will look for alternate GSM providers as soon as they appear. I'd gladly trade my 284 Fido dollars for a Bluetooth headset (now required in Ontario), and I tried to do so a year ago. You changed your rules without any real notice last March. But it's hard to pick the right headset when you cannot see it. And I cannot redeem through your stores, and your web site was totally useless. No, I do not think Fido Cares about me. I think Fido is busy humping Ted Rogers' leg.

posted at: 20:34 | path: /netneutrality | permanent link to this entry

Dumping the list of active services

From the shell of your rooted Android phone run:
# dumpsys activity.services
Currently running services:
activity.services
-------------------------------------------------------------------------------
DUMP OF SERVICE activity.services:
Services in Current Activity Manager State:
Active services:
* ServiceRecord{43a3dca0 com.android.inputmethod.latin/.LatinIME}
intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
packageName=com.android.inputmethod.latin
processName=com.android.inputmethod.latin
permission=android.permission.BIND_INPUT_METHOD
baseDir=/system/app/LatinIME.apk/system/app/LatinIME.apk dataDir=/data/data/com.android.inputmethod.latin
app=ProcessRecord{43a3e670 660:com.android.inputmethod.latin/10002}
isForeground=false lastActivity=-296633
startRequested=false startId=0 executeNesting=0 executingStart=-296565 crashCount=0
totalRestartCount=0 restartCount=0 restartDelay=0 restartTime=-296633 nextRestartTime=-329523
* IntentBindRecord{43a3e110}:
intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
binder=android.os.BinderProxy@4392a698
requested=true received=true hasBound=true doRebind=false
* Client AppBindRecord{43a3e288 ProcessRecord{439c0190 572:system/1000}}
Per-process Connections:
ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
All Connections:
ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
Connection bindings to services:
* ConnectionRecord{43a3e400 com.android.inputmethod.latin/.LatinIME:@43a3da60}
binding=AppBindRecord{43a3e288 com.android.inputmethod.latin/.LatinIME:system}
conn=android.app.ActivityThread$PackageInfo$ServiceDispatcher$InnerConnection@43a3da60 flags=0x1
If you run it without any arguments, you get a very large dump of all sorts of interesting things. I do not yet know how to get it to give me a list of just the services that have registered themselves, or are actively running. On later Android releases the equivalent command is dumpsys activity services.

posted at: 13:46 | path: /android | permanent link to this entry
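One way to get the short list the post is after, as an added example that is not part of the original entry: an awk filter that reduces the dump to one line per service record. It assumes the record layout shown above (a "* ServiceRecord{...}" line followed by processName=, app=ProcessRecord{...} and isForeground= lines, as on Android 1.x/2.x); the sample it runs over is constructed from the LatinIME record on this page plus a made-up second service (com.example.agent/.SyncService, hypothetical) so that both foreground states appear.

```shell
#!/bin/sh
# Added example, not from the original post: summarise a "dumpsys activity.services"
# dump as "<service> <process> <pid> <isForeground>", one line per record.
# Field layout assumed from the dump in the post (Android 1.x/2.x): each record
# starts with "* ServiceRecord{<hash> <pkg>/<class>}" and is followed by
# processName=, app=ProcessRecord{<hash> <pid>:<proc>/<uid>} and isForeground=.
list_services() {
    awk '
        /^[[:space:]]*\* ServiceRecord[{]/ {
            svc = $3; sub(/[}]$/, "", svc)      # "<pkg>/<class>}" -> strip brace
            proc = "?"; pid = "?"               # reset in case a record lacks them
        }
        /^[[:space:]]*processName=/ {
            proc = $1; sub(/^processName=/, "", proc)
        }
        /^[[:space:]]*app=ProcessRecord[{]/ {
            pid = $2; sub(/:.*/, "", pid)       # "<pid>:<proc>/<uid>}" -> pid
        }
        /^[[:space:]]*isForeground=/ {
            fg = $1; sub(/^isForeground=/, "", fg)
            print svc, proc, pid, fg
        }
    '
}

# Constructed sample: the LatinIME record from the dump above plus a second,
# hypothetical foreground service so the output shows both states.
SAMPLE=$(cat <<'EOF'
Active services:
* ServiceRecord{43a3dca0 com.android.inputmethod.latin/.LatinIME}
intent={act=android.view.InputMethod cmp=com.android.inputmethod.latin/.LatinIME}
packageName=com.android.inputmethod.latin
processName=com.android.inputmethod.latin
permission=android.permission.BIND_INPUT_METHOD
app=ProcessRecord{43a3e670 660:com.android.inputmethod.latin/10002}
isForeground=false lastActivity=-296633
* ServiceRecord{4a1b2c3d com.example.agent/.SyncService}
packageName=com.example.agent
processName=com.example.agent
app=ProcessRecord{4a1b2c4e 912:com.example.agent/10042}
isForeground=true lastActivity=-1200
EOF
)

# Run the filter over the constructed sample and return the summary lines.
demo() {
    printf '%s\n' "$SAMPLE" | list_services
}

demo
# Live use from a workstation: adb shell dumpsys activity.services | list_services
```

Piping the live dump through list_services gives a quick inventory of which packages have a running service and in which process and pid it lives, which is the first thing to look at when deciding whether something on a phone is supposed to be there.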