User Journal

Journal: PPTP through IPFW

I had to configure outbound PPTP access this week, and my base IPFW ruleset didn't allow it. I found one page with mostly good information, but it wasn't 100% and didn't explain it clearly enough for me to extrapolate what I needed.

To get an outbound PPTP VPN working, you need to allow the PPTP TCP control connection (port 1723) and GRE inbound and outbound between the client and server IPs, plus allow GRE outbound from the external IP of the firewall (the ${oip} rule below). So here you go:

#
# fwcmd     - "ipfw" with options
# oip       - external IP of the firewall
# oif       - external interface of the firewall
# vpnserv   - IP of the VPN server
# vpnclient - IP of the VPN client
#
${fwcmd} add allow tcp from any to any established
# PPTP control connection on TCP 1723 (new connections in each direction;
# the replies are covered by the "established" rule above)
${fwcmd} add allow tcp from ${vpnclient} to ${vpnserv} 1723 out via ${oif} setup
${fwcmd} add allow tcp from ${vpnserv} to ${vpnclient} 1723 in via ${oif} setup
# GRE carries the tunnelled PPP traffic; the ${oip} rule covers GRE that
# leaves with the firewall's own address as source (e.g. after NAT)
${fwcmd} add allow gre from ${oip} to ${vpnserv} out via ${oif}
${fwcmd} add allow gre from ${vpnclient} to ${vpnserv} out via ${oif}
${fwcmd} add allow gre from ${vpnserv} to ${vpnclient} in via ${oif}

User Journal

Journal: The last few days.

Mozilla Firefox has a Bookmark Synchronization extension. Strange that it's taken this long, as I thought this would be a killer feature more than six years ago.

Working on adding IPv6 functionality to my home network. I configured it for local network traffic, but my upstream provider doesn't offer it and I haven't signed up for any tunneling service. Unfortunately, adding IPv6 support requires moving to some newer software versions; blech, extra work.
RFC Covering IPv6
IPv6 on FreeBSD
IPv6 on Solaris

Adding IPv6 DNS records to Bind was fairly easy, though my version of Bind doesn't support listening on IPv6 interfaces.
IPv6 records in Bind HOWTO
IPv6 records in Bind examples

I've sworn off conference rooms on Yahoo servers. I've used IRC for years, but while they're great for support, their size makes them too large for "chatting". I signed up for a Yahoo account (because I could) and was checking out some of their channels. The *nix channel had some interesting characters, but they lend themselves more towards hobbyists and newbs than professionals. I realize now that I was talking above their heads, but after being labelled a troll multiple times I decided that I had no hope of real discourse. Anything that didn't mesh with "Linux RULZ!" was trampled down; ironic, when I would state something in favor of Linux but they were too dumb to recognize it. Bah. If only I could find jabber rooms that were more populated.

This iBook sucks. It is incredibly slow, compared to similarly spec'd x86 laptops running Linux. Firefox has font issues; there isn't a good IM program (jabber, aim, yahoo, conferences); it can't play SVCD without being choppy; and I miss all my nifty Xwindows features like Alt+Right-click to resize, Alt+Left-click to drag. Bah.

User Journal

Journal: Old projects long abandoned

Minutes turn to hours, hours to days, days to weeks and months and years and generations. Somewhere in there I'd like to finish a project I start.

Many moons ago, back when I was using dial-up, I had created a FreeBSD box to handle all the stuff you normally get from an appliance from Linksys or D-Link. As small as my free time may be, my free cash is smaller. So I built this thing to handle PPP, routing, NAT, DHCP, firewalling, etc. It was pretty sweet, considering I hadn't messed with any of it before, including FreeBSD.

So it was mostly good--I kept it patched, but not updated, and it lacked some nice extras. I eventually took the time to set up a local NTP service, but I still wanted to upgrade to a newer base OS and set up a DNS server for both caching and local hosts. A few weekends ago, however, I took the time.

Because the box was my router, a lengthy downtime was a no-no. CD upgrade was out. I wanted to cvsup the box, but I kept having trouble getting the sources. I had written the supfile properly, but I think the problem was I hadn't properly "gotten" the source via sysconfig. I started over, nuking my /usr/src directory (saved my kernel configs first) and re-running sysconfig. I let it use all the defaults, as I think one of my tweaks is what kept it from ever updating properly. Once sysconfig was finished, I ran cvsup and my source tree was solid. I thought the make buildworld was lengthy, but I had no idea. I ran make buildkernel and make installkernel (just a default kernel, to test), but it complained because I didn't have an smmsp user. I had to run make mergemaster to modify the /etc config files; what a pain in the ass.

I feel the need to note that make mergemaster sucks balls. In Debian, apt knows if the file is the one that was installed as part of the old package; FreeBSD can't tell you if you've modified it or not so it PROMPTS YOU EVERY TIME to compare the files. SLOW.

So after the quick make mergemaster, make installkernel went through properly; reboot. System comes up, all good. Reboot into single-user mode, run the full make mergemaster and wait, then make installworld. mergemaster is slow because you have to run through every config file under the sun, but I can't imagine what the excuse was here. It took a good hour. Once this was done, I booted into multi-user mode and things were good. All in all, it didn't take much time outside of when I was running installworld in single-user mode.

So now I have a nifty FreeBSD 4.10 box (because upgrading to 5.3 wasn't in my game plan). Next step was DNS. There is a port of BIND (two actually, one v8 and one v9), but there is also one installed by default. I pretty much followed the FreeBSD manual word for word, set up caching to start and then wrote forward and reverse DNS records for my local domain. The only problem I had was that named wouldn't start, but I wasn't getting any real errors. Apparently, named fails if it can't log; no errors, nada. I had to strace and take some educated guesses. It didn't like my syslog config so it puked. I wrote an entry into my config file to log to its application directory and all was kosher.

Writing this up took an incredible amount of time on its own. But I feel very accomplished that I could cross these two items off my "Get to it eventually" list.

Unix

Journal: Unix file ctime

I had written some log pruning scripts, but they weren't working 100%; the first script found everything older than 7 days and gzip'd them, the second script found everything older than 31 days and rm'd them. The intent was to find anything that hadn't been modified (logged to) in that period, but because I was testing ctime it was using the date that I gzip'd them and not being aggressive enough.

My old copy of O'Reilly's Unix in a Nutshell describes ctime (under the find command) as "more inclusive than mtime or atime", but that's both vague and inaccurate.

ctime is really the last time the inode was modified, whereas mtime covers when the data/content was modified and atime when it was last accessed (read). gzip modifies the inode but doesn't really change the data, so my script was all dorked up.

I got passed a post from an apache spam list which gave a much better run-down; I also managed to find a quick comparison tonight. I can't see many real uses for ctime, since usually you're looking for changes to the data, covered by mtime.
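An added example (not from the journal) that reproduces the trap above in POSIX sh: gzip writes a new file whose mtime is copied from the original but whose ctime is the moment of compression, so a second pass keyed on -ctime never catches a freshly gzipped old log, while one keyed on -mtime does. It assumes gzip, find and touch -t are available and constructs the log file and its backdated timestamp itself; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: the ctime trap in a two-pass log pruner.
# Pass 1 gzips logs not written to for 7+ days; pass 2 removes archives
# older than 31 days. gzip copies the original mtime onto the new .gz,
# but the .gz inode is brand new, so its ctime is "now".

# Constructed fixture: one log whose last write we backdate to Jan 2000.
make_old_log() {
  dir=$(mktemp -d) || return 1
  printf 'old log line\n' > "$dir/app.log"
  touch -t 200001010000 "$dir/app.log"   # backdate mtime (and atime)
  echo "$dir"
}

# Runs pass 1, then both variants of pass 2, and reports how many
# archives each variant would delete as "ctime:<n> mtime:<n>".
# Nothing is actually removed.
prune_compare() {
  dir=$(make_old_log) || return 1
  # Pass 1, keyed on mtime: compress logs not written to in 7+ days.
  find "$dir" -name '*.log' -mtime +7 -exec gzip {} \;
  # Pass 2 as originally written (ctime): the .gz inode is seconds old,
  # so an archive of a years-old log is never selected.
  by_ctime=$(find "$dir" -name '*.log.gz' -ctime +31 | wc -l)
  # Pass 2 fixed (mtime): gzip preserved the old mtime, so it is found.
  by_mtime=$(find "$dir" -name '*.log.gz' -mtime +31 | wc -l)
  rm -rf "$dir"
  echo "ctime:$((by_ctime)) mtime:$((by_mtime))"
}

prune_compare   # prints: ctime:0 mtime:1
```

The same substitution (-ctime to -mtime) belongs in the first pass as well, since the intent in both passes is "not written to in that period", which only mtime records.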

Microsoft

Journal: Visio 2003 XML Schema

Microsoft has announced that they are opening the XML schema for Visio 2003. The Cover Pages has a bit more in-depth picture of what this means. It would be great if we could finally have an F/OSS application that can handle Visio diagrams; currently, I have to get someone with a Windows copy to export it as a PNG.
