Until now, I was hosting my blog on Google's Blogger. I switched to using Blogofile. I wanted to have more control over my content and the layout.

I had many issues with the Blogger blog post editor, resulting in ugly posts with too much white space, strange fonts and font sizes. Also, showing programming code examples with syntax highlighting is not possible with Blogger. As a nerd, I'm a control freak and I did not have enough control over my blog on Blogger.

So I first started thinking about hosting my own WordPress site, but soon I concluded that this is not what I want. WordPress has similar limitations to Blogger and I no longer want to be dependent on some special blog software without direct access to my content. So after a tip from a friend of mine I started to look at Blogofile. Blogofile generates a static HTML website, which is a real benefit if you are hosting your own site. The most important benefits are:

  • Security
  • Performance
  • Ownership

Security

Most websites get hacked because they are basically live applications accessible from the Internet. Applications can contain bugs. If they contain security-related bugs, you are toast. Software like WordPress has an awful track record regarding security. Basically, if you are running a WordPress site, you must be in a state of constant fear. You also constantly have to upgrade to the latest version within a short time frame or you will be hacked. I think that WordPress is a security hazard.

Blogofile generates plain text static HTML web pages. There is no dynamic content and thus no program running, except for the web server itself. There is no serious security risk.

Performance

Plain text web sites are fast. It is just data. When a visitor requests some web pages, there is no application running and putting pressure on the CPU, just plain data transfers. I bet you could host this blog without many performance problems on a recent smartphone like an Android or iOS device.

Ownership

All content is stored in a text-only format that can always easily be transformed into some other format. I use Markdown syntax to write new blog posts, but plain HTML can also be used. Comments can be posted through Disqus. It seems, however, that I will lose all existing comments of my original blog. New comments are showing up without a hitch, but existing imported comments do not show up. I do want to preserve them, but how? I'm not sure yet. I'm thinking about incorporating them in my posts as an appendix.

The whole process of migrating to blogofile

All steps taken so far to migrate away from Blogger:

  1. Create a WordPress installation.
  2. Export the Blogger blog.
  3. Import the Blogger blog into the WordPress installation.
  4. 'Import' the converted WordPress blog to Blogofile 'format' using wordpress2blogofile.py.
  5. Hack, script and fight to change all URLs so they are correct for the new site.
  6. Hack, script and kill to get the old comments to show up, to no avail.
  7. Learn Markdown.
  8. Learn Blogofile.
  9. Create + steal a new website design and have to learn CSS and HTML all over again.
  10. Convert all posts from HTML to Markdown.
  11. Fix all converted posts where necessary.
  12. Put all externally hosted content into a local folder and fix all links.

I started a small new Google project for a new script I wrote called LFS. It stands for Linux Firewall Script.

I run a small Linux box as an internet router that doubles as a firewall. The firewall is configured using iptables. In my opinion, iptables is not the easiest tool to use and may have a steep learning curve for people new to it.

The goal of LFS is to provide an easier interface to iptables. It also adds some features that are not available by default or are difficult to set up using only iptables. The most important additional feature is the use of objects and groups. Object groups can be used to make a single rule affect multiple hosts, networks or services.

LFS uses a single configuration file which contains the firewall rules. Rules look like this:

nat 192.168.1.0/24 88.32.44.144 eth0
port_forward 88.32.44.144 192.158.1.10 80/tcp 8080/tcp

Or by using variables:

nat "$INTERNAL_NETWORK" "$EXTERNAL_IP" "$NAT_INTERFACE"
port_forward "$EXTERNAL_IP"  "$INTERNAL_HTTP_SERVER" "80/tcp" "8080/tcp"

Please visit the project page for some examples.

When configuring my new firewall using iptables, I noticed something very peculiar. Even if all input, forward and output traffic was dropped, DHCP traffic to and from my DHCP server was not blocked, even though there were no rules permitting this traffic.

I even flushed all rules, put a drop all rule on all chains and only allowed SSH to the box. It did not matter. The DHCP server received the DHCP requests and happily answered back.

How on earth is this possible? In my opinion, a firewall should block all traffic no matter what.

But at least I found out the cause of this peculiar behaviour. The ISC DHCP daemon does not use the TCP/UDP/IP stack of the kernel. It uses RAW sockets. Raw sockets bypass the whole netfilter mechanism and thus the firewall.

So remember: applications using RAW sockets cannot be firewalled by default. Applications need root privileges to use RAW sockets, so RAW sockets thankfully cannot be used by arbitrary unprivileged users on a system. Nevertheless, be aware of this issue.

Please understand that if a serious security vulnerability is found in the ISC DHCP daemon, you cannot protect your daemon with a local firewall on your system. Patching or disabling would then be the only solution.

My ISP upgraded my internet connection speed to a whopping 120 Mbit. I am using a Mac mini as my internet router. As you may be aware, the mini has only one network interface, so I added a second interface using a USB-to-Ethernet adapter. This adapter was limited to 100 Mbit, so to make full use of the 120 Mbit connection, I had to upgrade this adapter.

I took the gamble and bought the Belkin Gigabit USB 2.0 adapter. I could not figure out if it would work with Linux, but on the box it officially supports Mac OS X, which is always a good sign.

This adapter is recognized by Debian Linux without a hitch:

Mini:~# ethtool -i eth0
driver: asix
version: 14-Jun-2006
firmware-version: ASIX AX88178 USB 2.0 Ethernet
bus-info: usb-0000:00:1d.7-5

lsusb output:

Bus 005 Device 004: ID 050d:5055 Belkin Components F5D5055 Gigabit Network Adapter [AX88xxx]

I did not test the actual performance of this adapter, but it at least goes beyond 100 Mbit (it does 120 Mbit at least). I expect it to be limited to, say, a maximum of 300 Mbit, being constrained by the maximum speed of USB 2.0.
