1. LFS - Linux Firewall Script Released

    December 28, 2010

    I started a small new Google project for a new script I wrote called LFS. It stands for Linux Firewall Script.

    I run a small Linux box as an internet router that doubles as a firewall. The firewall is configured using iptables. In my opinion, iptables is not the easiest tool to use and may have a steep learning curve for people new to it.

    The goal of LFS is to provide an easier interface to iptables. It also adds some features that are either unavailable or difficult to set up using only iptables. The most important additional feature is the use of objects and groups. Object groups can be used to make a single rule affect multiple hosts, networks or services.

    LFS uses a single configuration file which contains the firewall rules. Rules look like this:

    nat 192.168.1.0/24 88.32.44.144 eth0
    port_forward 88.32.44.144 192.158.1.10 80/tcp 8080/tcp
    

    Or by using variables:

    nat "$INTERNAL_NETWORK" "$EXTERNAL_IP" "$NAT_INTERFACE"
    port_forward "$EXTERNAL_IP"  "$INTERNAL_HTTP_SERVER" "80/tcp" "8080/tcp"
    

    Please visit the project page for some examples.
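
    To show how rules of this shape map onto iptables, here is a small wrapper written for this page; it is an added example, not LFS's own code. Which iptables commands a real LFS rule expands to is an assumption made here, as is the argument order of port_forward (first port exposed on the external address, second port on the internal host). The addresses are constructed, and IPTABLES defaults to "echo iptables" so the script prints the commands instead of loading them.

```shell
#!/bin/sh
# Added example, not LFS's own code: a minimal wrapper in the spirit of the
# rules quoted in the post, mapping "nat" and "port_forward" onto iptables.
# The iptables commands each rule expands to are an assumption made here.
# IPTABLES defaults to "echo iptables", so the script prints what it would
# run; set IPTABLES=iptables and run as root to actually load the rules.

IPTABLES=${IPTABLES:-echo iptables}

# nat NETWORKS EXTERNAL_IP INTERFACE
# NETWORKS may be a single network or a space-separated group of networks;
# the group expands into one SNAT rule per member (the "object group" idea).
nat() {
    for net in $1; do
        $IPTABLES -t nat -A POSTROUTING -s "$net" -o "$3" -j SNAT --to-source "$2"
    done
}

# port_forward EXTERNAL_IP INTERNAL_HOST EXT_PORT/PROTO INT_PORT/PROTO
# Assumed argument order: the first port is exposed on EXTERNAL_IP, the second
# is the port the internal host listens on. The DNAT rule alone is not enough:
# with a default-DROP FORWARD chain the translated packets are silently dropped,
# so an explicit FORWARD accept limited to that host, protocol and port is added.
port_forward() {
    ext_port=${3%/*}; proto=${3#*/}; int_port=${4%/*}
    $IPTABLES -t nat -A PREROUTING -d "$1" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$2:$int_port"
    $IPTABLES -A FORWARD -d "$2" -p "$proto" --dport "$int_port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

# Constructed configuration values in the variable style shown in the post.
INTERNAL_NETWORK=192.168.1.0/24
EXTERNAL_IP=88.32.44.144
NAT_INTERFACE=eth0
INTERNAL_HTTP_SERVER=192.168.1.10

nat "$INTERNAL_NETWORK" "$EXTERNAL_IP" "$NAT_INTERFACE"
port_forward "$EXTERNAL_IP" "$INTERNAL_HTTP_SERVER" 80/tcp 8080/tcp
```

    The FORWARD accept only admits new connections to the forwarded port; it assumes the usual stateful rule that accepts ESTABLISHED,RELATED traffic is already in place, and it deliberately does not open the whole host.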

  2. Belkin Gigabit USB 2.0 Adapter Works Perfectly With Linux

    December 08, 2010

    My ISP upgraded my internet connection speed to a whopping 120 Mbit. I am using a mac mini as my internet router. As you may be aware, the mini has only one network interface, so I added a second interface using a USB to ethernet adapter. This adapter was limited to 100 Mbit, so to make full use of the 120 Mbit connection, I had to upgrade this adapter.

    I took the gamble and bought the Belkin Gigabit USB 2.0 adapter. I could not figure out if it would work with Linux, but on the box it officially supports Mac OS X, which is always a good sign.

    This adapter is recognized by Debian Linux without a hitch:

    Mini:~# ethtool -i eth0
    driver: asix
    version: 14-Jun-2006
    firmware-version: ASIX AX88178 USB 2.0 Ethernet
    bus-info: usb-0000:00:1d.7-5
    

    lsusb output:

    Bus 005 Device 004: ID 050d:5055 Belkin Components F5D5055 Gigabit Network Adapter [AX88xxx]
    

    I did not test the actual performance of this adapter, but it at least goes beyond 100 Mbit (it does 120 Mbit at least). I expect it to be limited to, say, 300 Mbit at most, being constrained by the maximum speed of USB 2.0.

  3. Linux: Using Disk Labels to Counter Storage Device Name Changes

    November 22, 2010

    My router decided to change the device name for some USB storage devices. So /dev/sdc was swapped for /dev/sdd and vice versa. The result was some file system corruption on /dev/sdc, because it was used on a remote system through iSCSI, using a different file system from /dev/sdd.

    With regular internal disks, attached with PATA, SATA or SAS, the chances are very small that such an event will occur, but it is possible, especially if you start adding or removing disks. With USB devices the risk is substantially bigger.

    To prevent your system from mixing up drives because their device names change, use file system labels. All information that follows has been stolen from this location. Since this blog is also my personal notepad, the relevant bits are reproduced here.

    There are three steps involved, the third being optional:

    1. add a label to the file system
    2. add the label to /etc/fstab
    3. update grub boot manager (optional)

    Add a label to the file system

    Setting a label when the file system is created:

    mkfs.ext3 -L ROOT /dev/sda1
    mkfs.xfs -L BIGRAID /dev/sde
    

    Set a label on an existing file system

    EXT3 (the second command, without a label argument, prints the current label):

    e2label /dev/sda1 PRIMARY_ROOT
    e2label /dev/sda1
    

    XFS (the second command prints the current label):

    xfs_admin -L DATA1 /dev/sdf
    xfs_admin -l /dev/sdf
    

    Set label for swap partition

    mkswap -L SWAP0 /dev/sdb5
    

    Add the label to fstab

    Example fstab contents:

    LABEL=ROOT          /         ext3    defaults        1 1
    LABEL=BOOT          /boot     ext3    defaults        1 2
    LABEL=SWAP          swap      swap    defaults        0 0
    LABEL=HOME          /home     ext3    nosuid,auto     1 2
    

    Update the grub boot manager

    title server
    root (hd0,0)
      kernel (hd0,0)/vmlinuz ro root=LABEL=SERVER_ROOT0 rhgb quiet
      initrd (hd0,0)/initrd.img
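
    Labels only help if each one resolves to exactly one device: a label that matches no device leaves the mount missing at boot, and two disks carrying the same label reproduce the very sdc/sdd mix-up described above. The following check is an added example written for this page, not part of the original post; it parses an fstab and the output of `blkid -s LABEL` (both constructed samples here, in the real command's format) and reports labels that are missing or duplicated.

```shell
#!/bin/sh
# Added example (not from the post): verify that every LABEL= entry in an
# fstab resolves to exactly one block device.
#
# Constructed sample inputs; on a live system run:
#   check_labels "$(cat /etc/fstab)" "$(blkid -s LABEL)"
SAMPLE_FSTAB='# constructed fstab
LABEL=ROOT          /         ext3    defaults        1 1
LABEL=BOOT          /boot     ext3    defaults        1 2
LABEL=SWAP          swap      swap    defaults        0 0
LABEL=HOME          /home     ext3    nosuid,auto     1 2
LABEL=DATA          /data     xfs     defaults        0 2'

# Same line format as `blkid -s LABEL`: device: LABEL="value".
# HOME appears twice on purpose (two USB disks labelled the same way) and
# DATA is absent on purpose (a disk that is not plugged in).
SAMPLE_BLKID='/dev/sda1: LABEL="ROOT"
/dev/sda2: LABEL="BOOT"
/dev/sdb5: LABEL="SWAP"
/dev/sdc1: LABEL="HOME"
/dev/sdd1: LABEL="HOME"'

# fstab_labels: read fstab text on stdin, print the label of each LABEL= entry
# (comment lines and UUID=/device entries are skipped).
fstab_labels() {
    awk '$1 ~ /^LABEL=/ { sub(/^LABEL=/, "", $1); print $1 }'
}

# devices_with_label LABEL: read blkid output on stdin, print matching devices.
devices_with_label() {
    awk -v l="$1" -F'"' '$2 == l { sub(/:.*/, "", $1); print $1 }'
}

# check_labels FSTAB_TEXT BLKID_TEXT
# Prints one line per problem (DUPLICATE or MISSING), returns 1 if any found.
check_labels() {
    status=0
    for label in $(printf '%s\n' "$1" | fstab_labels); do
        devs=$(printf '%s\n' "$2" | devices_with_label "$label")
        count=$(printf '%s\n' "$devs" | awk 'NF { n++ } END { print n + 0 }')
        case $count in
            0) echo "MISSING $label: no device carries this label"; status=1 ;;
            1) ;;
            *) echo "DUPLICATE $label: $(echo $devs)"; status=1 ;;
        esac
    done
    return $status
}

if check_labels "$SAMPLE_FSTAB" "$SAMPLE_BLKID"; then
    echo "every fstab label resolves to exactly one device"
fi
```

    Run against the constructed samples it reports `DUPLICATE HOME: /dev/sdc1 /dev/sdd1` and `MISSING DATA: no device carries this label` and exits non-zero, which makes it usable from a boot-time or cron check; on a clean system it prints nothing and returns 0.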
    
  4. Do Not Buy a Hardware RAID Controller for Home Use

    November 17, 2010

    Hardware RAID controllers are considered 'the best' solution for high performance and high availability. However, this is not entirely true. Using a hardware RAID controller might even endanger your precious data.

    For enterprise environments, where performance is critical, it is more important that the array keeps on delivering data at a high speed. Professional RAID controllers use TLER with TLER-enabled disks to limit the time spent on recovering bad sectors. If a disk encounters a bad sector, there is no time to pause and try to fix it. The disk is just dropped out of the RAID array after just a couple of seconds. At that moment, the array still performs relatively well, but there is no redundancy. If another disk fails (another bad sector?) the array is lost, with all its data.

    More and more people are building NAS boxes for centralized storage of data for private home use. Since disks are cheap, it is possible to create lots of storage capacity for little money. Creating backups of terabytes of data is, however, not cheap: you would have to build two NAS boxes, which is very expensive and not worth the effort.

    People seem to spend lots of money on expensive enterprise-level hardware RAID cards, not understanding that the whole TLER mechanism causes an increased risk for their data. In enterprise environments, budgets are relatively big, and data is always backed up. Because of these backups they can afford to take the risk of losing a RAID array. But consumers often don't have the money to spend on creating backups of terabytes of data. They just go for RAID 5 or RAID 6 and hope for the best.

    For consumers, if the RAID array goes, all data is lost.

    So consumers should choose a RAID solution that will do its best to recover from hardware failure. Performance is not so much an issue. Reliability is. So consumers do want disks to spend 'ages' on recovering bad sectors if this means that the RAID array will survive.

    Linux software RAID and ZFS do not use TLER and therefore are a safer choice for your data than regular hardware RAID controllers. You may still use such controllers (but please test them properly), but only to provide SATA ports for individual disks; the RAID part should be handled by Linux.

    So in my opinion, hardware RAID controllers are more expensive, require more expensive (enterprise) disks and are less safe for your data.

  5. Apple Is Killing Off the Optical Drive Just Like the Floppy Disk

    October 23, 2010

    With the release of the new MacBook Air we are one step closer to killing off the CD-ROM and the DVD. As with the previous MacBook Air, this device has no optical drive. And that is a good thing. People do not need an optical drive. You have the network and you have USB disks. They are faster, more reliable and have more capacity.

    I expect that in the coming years this trend may continue with the other laptops. Just as Apple killed the floppy disk, it is killing the optical drive, one step at a time. I'd rather have a smaller and lighter laptop, or more disk or battery capacity, than an optical drive. So I hope this is a trend that will continue and that all other manufacturers will follow.
