Friday, January 15. 2010
The patch run has started
Posted by Neil S. Briscoe in Friday Frankness at 16:33
As I promised in this article, I am updating you on when patches have been released for Debian Lenny. Today, when I did a quick aptitude run, I discovered that the libssl0.9.8 and openssl packages have been updated. Thus far, the gnutls library does not appear to have been upgraded.

Surprisingly, after installing the new packages, I was not offered the opportunity to restart affected daemons, and so I elected to reboot my system to ensure all services picked up the new library. You may wish to restart Apache and other affected services rather than go for the Microsoft approach.

Friday, September 25. 2009
Moving to pastures new
Posted by Neil S. Briscoe in Friday Frankness at 18:15
After six years of supporting the CensorNet filtering proxy and nursing it through from an Open Source project to a paid-for service with far superior capabilities, I have decided it is time to move along.

So I'm on the job hunt. Over the time I've worked for CensorNet I have learned about Active Directory systems, arranged to support generic LDAP servers for those people that don't use AD, and configured and maintained VoIP systems, and that's to name just a few. I will leave them with a mail service that is as bulletproof as one can make one and still accept emails at all.

So where am I looking to move? Well, I'm not wholly certain. I like the Bristol area where I live at the moment, but as we have the best and most comfortable trains in the country, I'm considering leaving the swivel chair at home and travelling around a bit. I've just applied for a job that may lead to lots of travel, most of that expensed, but I was amused by many of the questions they have to ask. I can't tell you who that is, naturally. Indeed, I find this posting is the first mention of my current employer I can find in this blog, and I couldn't but offer that protection to any new one that may choose to employ me.

For the time being, I'm still available for emergencies, but you should use the standard support number in the first instance.

Friday, July 31. 2009
Taking control of the calls
Posted by Neil S. Briscoe in Friday Frankness at 14:18
As I suspected in this posting, Barclays deemed my purchases of new software for the phone as fraudulent activity and promptly blocked my card. Having phoned them only yesterday about a different issue they did at least phone me this time, whilst I was on the phone to Voda attempting to pay my bill. It was when that failed last month that I learned of the block, and so it was again.
As a result I probably won't be setting "number unknown" or "number blocked" calls to receive an engaged signal, although that is possible, but instead I will be forcing them to suffer voice mail.

If you remember ISDN (Integrated Services Digital Network) you may remember that users of the service were quite capable of controlling which calls they accepted, which they rejected, etc. Something that most users of standard land line phones can only dream of. With a modern mobile phone, you have all the abilities that ISDN users used to have. It's not provided out of the box, but if you purchase some software for your phone then you can take more control of what happens.

I looked at both Handy Blacklist and Advanced Call Manager. In the end I went for the latter software because most of the reviews said how good it was and the one review that damned it was clearly written by someone who couldn't be bothered to read the manual. Yes, it is complex software, as good software often is. If you install it in trial mode, it will filter 30 calls for you (rather than lasting for 14 days like most trial software) before it expires. Well, I use my mobile for business and I couldn't take the risk of missing calls, and Handango had a 25% discount day which rather forced my hand into purchasing it now rather than later.

On installation, it nicely defaults to "Accept all calls (inactive)" which should mean you don't miss any calls whilst you are setting it up. For the first test I left it like that but did choose to reject calls from "Hidden Callers" - those who withhold their numbers, or whose number is unavailable. That causes the software to use the Default action, which again nicely defaults to diverting the call to your voice mail. I tested it by phoning my mobile from my landline whilst withholding the number, and it was immediately diverted. Phoning again and giving out the number meant that the call was available to be taken.

So far so good; it was time to actually configure the system to do what I want. As I mentioned earlier, I use the phone a lot for business calls, and because I don't withhold my number some customers obtain it from their own caller displays. Other customers are given my number when it's preferable that they bypass the company switch in order to be sure of getting me. Of those customers, some then take advantage and take it upon themselves to phone outside my normal working hours, or when it's otherwise not when I wish to take calls.

So next I set up a list called "Customers" and added every customer from my phone book to that list. Second, I set up two profiles. One called "Daytime" which performs the default actions mentioned earlier, to wit accepting all calls except unknown numbers, which it diverts to voice mail. A second called "Evening" which rejects calls from the "Customers" list, also rejects calls from hidden callers, and diverts these rejected calls to voice mail. Finally, I set up a "Daytime" and "Evening" schedule which invoke the corresponding profiles at the appropriate time. FYI that's 10:00 for the daytime profile and 18:00 for the evening profile.

People not in the customer list can get through at any time for the time being, but now that I'm happy all of this is working, I'm inclined to set up something to bar unknown callers - that is, those who give out their number but are not in the phone book.

My thanks to Brian, who kindly phoned me out of hours to ensure callers were dumped to voice mail, and who called me again today during business hours and got straight through. He'll be going into a different list now (when I can think of a suitable name for it).

Friday, May 22. 2009
One should never let your Rabbit out of the hutch
Posted by Neil S. Briscoe in Friday Frankness at 20:00
Unfortunately, we made this mistake this week and sent him off to the NEC in Birmingham.
He'd told us he was going to sell carrots to other people, and then came back with sackfuls of neeps and taters. As if our mail system was not complex enough, now he wanted me to run two trials of alternate anti-spam systems whilst arranging to not break what was in place for everything else. Fortunately we have plenty of underused and almost obsolete domains which still receive plenty of spam which, thankfully, the current anti-spam system had been blocking.

So why change? Well, it's the beans yer see. We resell this stuff and the farmer is just not giving us enough.

So anyway, back to the technical. It was relatively easy. You will recall from the above linked article that as it is, I have to allow mail connections from anywhere and then use ACLs to block mail to certain domains that are protected. All that was necessary was to clone this setup for the supplier of neeps and taters. The taters have already come back with the details that are necessary and we're feeding on them now. Just a tweak of regulo MX and the domain is coming in via the new route (yes, that's route, not root).

Unfortunately, the supplier of neeps hasn't woken up to the request yet. Something I'm not too disappointed with, as they seem to want to know all of our users and all of our aliases - at their end. Seems like too much of a faff to me. Still, if they ever do answer the mail I'm all set to treat with the right kind of compost.

Friday, March 20. 2009
Thank goodness for 3G
Posted by Neil S. Briscoe in Friday Frankness at 16:59

I have, in the past, written scathing reviews when using the above logo. Normally, this is the usual thing to do with (lack of) customer service. However, you will recall that during February I suffered 3 weeks without ADSL at home, and so I used the 3G connectivity on both my phone and my netbook more than I had ever done before. Whilst ensuring I didn't do silly things like watching movies, I wasn't certain what this month's bill would bring.

Well, the only time I started incurring additional charges was on phone calls, on February 27th. Fortunately, that was the day BT got their act together and finally connected my ADSL, and so soon I was no longer commuting and didn't need to make so many phone or data calls. In all, I'm only paying the minimum charges that my phone and netbook data contracts require, so next time, I won't be so worried should I suffer another extended DSL outage. However, the taxi fares were onerous and I'd rather not have to repeat those.

Friday, December 19. 2008
The joy of proxy auto-discovery and multiple networks
Posted by Neil S. Briscoe in Friday Frankness at 10:00
When you're working on a fixed machine on your LAN it is unlikely you're going to take it elsewhere and use it on a network without a proxy. However, many companies allow their users to use a portable of some description. When these users are on the corporate network they require them to use the company proxy. When working from home, this isn't required. Furthermore, they don't want these users to have to mess about changing settings when they switch location.
The technology to do this has been around for a while. Some people call them proxy.pac files, others wpad.dat files (see Note 1), but they do the same thing. They save you from having to determine whether you're going to go via the proxy or go direct. Normally, for any web server on your own LAN you want to go direct; for any other site you go via the proxy. Here is the simple script I use:

```javascript
function FindProxyForURL(url, host) {
    // Target is on our network
    if (isInNet(host, "192.168.13.0", "255.255.255.0"))
        return "DIRECT";
    // Localhost needs to use direct as well
    if (shExpMatch(host, "localhost*") || shExpMatch(host, "127.0.0.1*"))
        return "DIRECT";
    // Not localhost and not on our network so use proxy
    return "PROXY 192.168.13.2:8080";
}
```

This should be fairly obvious, but what it does is check to see if I'm going anywhere on my own LAN; if so, go direct. The next part checks to see if I'm going to localhost. Now this may seem odd until you realise that I often ssh to places which then allow me to tunnel to their web interfaces. I point my browser at localhost in these situations and end up talking to their web server. I want to avoid the proxy for those too. For anything else, point my browser at the proxy.

All good so far; now just get a willing web server on your network to offer the script, and then arrange to have it offered automatically. The first part simply requires a quick configuration of a web server; having the script offered automatically involves offering it via either DHCP and/or DNS. Since I have no Windows servers on my network, I chose to offer it via DNS. I have been running a caching-only DNS server on my network for some time, but had recently set it up to offer internal DNS for yaffles-corner.co.uk simply so that I could use the netbook with DHCP and have whatever IP it was provided with resolved both forward and in reverse - the proxy likes it for identification.
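The decisions made by the PAC script in this post can be checked outside a browser. This is an added example, not the author's code: `isInNet` and `shExpMatch` are simplified Node stand-ins for the browser's PAC helpers (no DNS lookups), `pageScript` is the script from this post, `strictScript` is a hypothetical variant that matches the loopback names exactly, and the host list is constructed. It shows that the `localhost*` and `127.0.0.1*` wildcards also send names that merely begin with those strings DIRECT, so they skip the proxy.

```javascript
// Added example (not the author's code): Node stand-ins for the browser's
// PAC helpers, so the script's decisions can be checked offline.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// Simplified isInNet(): IP literals only. A browser would also resolve
// host names through DNS before comparing.
function isInNet(host, net, mask) {
  const h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  return (h & m) === (n & m);
}

// Simplified shExpMatch(): shell-style glob where * and ? are wildcards.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}

// The script from this post.
function pageScript(url, host) {
  if (isInNet(host, "192.168.13.0", "255.255.255.0")) return "DIRECT";
  if (shExpMatch(host, "localhost*") || shExpMatch(host, "127.0.0.1*")) return "DIRECT";
  return "PROXY 192.168.13.2:8080";
}

// Hypothetical stricter variant: loopback names must match exactly.
function strictScript(url, host) {
  if (isInNet(host, "192.168.13.0", "255.255.255.0")) return "DIRECT";
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  return "PROXY 192.168.13.2:8080";
}

// Constructed sample hosts, including names that only begin with a loopback string.
const SAMPLE_HOSTS = ["192.168.13.7", "192.168.14.7", "localhost", "127.0.0.1",
  "localhost.example.com", "127.0.0.1.example.com", "www.example.org"];

// Run both scripts over each host and return the decisions side by side.
function compare(hosts) {
  return hosts.map((host) => ({
    host,
    page: pageScript("http://" + host + "/", host),
    strict: strictScript("http://" + host + "/", host),
  }));
}

for (const r of compare(SAMPLE_HOSTS)) {
  console.log(r.host.padEnd(24), r.page.padEnd(26), r.strict);
}
```

Rows where the two columns differ are the hosts for which the wildcard form bypasses the proxy.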
Having done this already, it was a simple matter to add a forward record for wpad.yaffles-corner.co.uk resolving to the web server offering up the wpad.dat file. Finally, I had to configure the DHCP server on my ADSL router to offer my internal DNS server to any client using its services. By default, it offers the name servers it picks up from the ADSL connection, and those don't know about wpad.yaffles-corner.co.uk.

Now to test things; first, the hard wired machine on static settings, no DHCP involved. The first order of business was to modify the network configuration so that it would always place yaffles-corner.co.uk at the end of any partial name. Having configured this, typing ping wpad into the run box elicited replies from wpad.yaffles-corner.co.uk. Next, I configured Firefox, Internet Explorer and Thunderbird to use automatic detection and then shut them off. When I restarted each piece of software, both Firefox and Thunderbird cheerfully issued a login prompt as required by the proxy. I had a little issue with IE before I had it do the same. The fix was to tell it not to try dialling up if it could not spot a connection. The fact it did this should have warned me as to what was to follow.

Anyway, I was happy with the configuration of the fixed machine and now it was time to try things out on the Netbook, which does use DHCP. Having turned it on, the first thing I did was fire up the command prompt and type ipconfig /all | more which lists all the network connections. I was pleased to see that the Wireless connection did indeed show my internal DNS server as the one available. I also noticed that the Vodafone interface had an IP address. I checked the Vodafone applet, which told me that it was not connected. So, I configured the Wireless interface to append yaffles-corner.co.uk on the end of any partial names, just as earlier, and configured all three pieces of software to use automatic configuration. Once again, Firefox and Thunderbird worked as expected.
IE totally refused to offer a login prompt from the proxy, yet it did reach the external site which is its home page. I attempted to log in to one of our machines using SSH and it refused to connect. I tried a few of our customers' systems; some connected, and some didn't. Hmm...was it a routing issue at my ISP? I fired up a command prompt and started using tracert to various sites, to discover that the traces were going not via the WiFi connection, but by the Vodafone connection. Checked the Applet again and it still maintained that it was not connected, yet I recalled seeing the interface with an IP address.

I have seen Windows do this before. I once worked on a customer's machine which had two NICs, both plugged into the same network, and they weren't paired for bandwidth usage; they had separate IP addresses. With that machine, there seemed no rhyme or reason as to which interface a packet went down. This seemed to be the case here too.

Fortunately, the Vodafone Applet offers the ability to disable the interface completely. I did this and re-started IE. What do you know. Now, it offered the login prompt from the proxy server. So I had successfully proven that automatic configuration really did work, dependent upon which network was in use. I also learned not to trust the Vodafone applet when it claims the card is not connected. As to why any particular piece of software chooses the interface it does, well...who knows. The normal rules of routing and metrics did not appear to have any bearing on the matter.

Regular readers will know that disabling the Voda interface will not cause me any hardship. I can just turn it on when I really need to use it, which is how I thought I had it configured in the first place. So take care you don't incur any Voda charges you weren't expecting, if you should configure your system in a similar fashion.

Note 1: WPAD stands for Web Proxy Automatic Detection

Friday, December 5. 2008
A Milestone is reached
Posted by Neil S. Briscoe in Friday Frankness at 12:29

Tomorrow, Saturday December 6th, will mark one calendar year since BT plumbed in my line. I gave details of the installation a while ago in this article. In the 366 (there's been a leap year) days since then, I still have not seen a single jot of paperwork from our incumbent telco despite numerous efforts to obtain paperwork and their acceptance of the fact that I have asked. Most people wouldn't be at all worried by this, but I dislike taking services and not paying for them, no, not even when it's BT.

Every time I dial the BT News Line (which used to be an interesting weekly take on new technologies) it is mostly discussing financials these days. So come on BT, get your act together. Neither of us can keep this up for much longer.

Friday, October 17. 2008
Finally it's done!
Posted by Neil S. Briscoe in Friday Frankness at 16:00
About 15 minutes after I wrote the previous article I sloped off for lunch, having just successfully migrated the Singapore server to a shiny new box. Fifteen minutes after that, one of our other systems started bleating that it could not reach the new Singapore server. Another 15 minutes and I returned to the keyboard only to discover the messages and immediately raised support tickets.
Through no fault of our provider, this failure lasted for a full 15 hours - the new data centre really did not come up trumps. What had happened, it seems, is that the supplier's rack, far from being put in the Gold Zone (with redundant routing), had been put in the Silver Zone. If routing fails there, it's good night nurse. A major power disruption had taken out the switch connecting the new server with the network on which its default router lies. We were just one of 3000 servers affected. The exact details of the power outage are unknown to me. Certainly, our server didn't suffer a power outage, as I was eventually able to ascertain from the MRTG web page I'd configured earlier.

Eventually, after we'd all been messed around, Netnibble offered us a new VPS in the Gold Zone, but it was a little late at night to start messing with computers - so I went and had a somewhat disturbed sleep. In the morning, the server had returned to the fold and so I wrote a mail asking whether we were sticking with it or going with the VPS. We stuck with the new full server, which was good because I'd managed, during all the other panic, to get the glue (see previous article) pointing at that box.

I asked for 24 hours to ascertain the new box was happy. What I needed was a full day's CSRV records to be received and then made available to our APAC customers. This morning, I was in the happy position of viewing a very populated MRTG graph and I issued the mail advising Netnibble they could take down both the old and new temporary VPS systems.

In one of my earlier postings I had said "Thank goodness for the weekend.". That goes double this week.
