Taxes

A blogger of my acquaintance writes, regarding Sen. Daschle:

I don’t think it’s too righteous of me to expect senators to pay their taxes like all the rest of us. Is it?

Am I a cynic to say that I want my public servants to be effective more than I want them to be pure? Purity is a fine standard for the other 98 senators; let my 2 be the ones who can actually get things done.

Same thing for the executive branch. The purest president of my memory must be Jimmy Carter. He failed us with OPEC, failed us in Iran, and introduced religion into national politics where it could be ridden by Reagan and G. W. Bush. He was right on alternate energy, but failed to convince us. I’m not sure we can afford that much purity this time around.

Oh, and by the way – I pay my taxes, and I’m sure you pay yours – but there must be some reason why the IRS auditors exist. I suspect senators pay their taxes just like the rest of us, which is to say sometimes they don’t.

Posted in Politics

Restart

I loaded up this software 2.5 years ago, wrote a few posts, and dropped it. But I’ve recently upgraded the software – the old posts are still there – so let’s restart and see how things go.

Posted in Uncategorized

Multi-homing Linux

I’m running multi-homed while I exercise FiOS and make sure everything works. It took a few tricks to get it all working. My Linux box actually has three Ethernet NICs:

  • eth0, the onboard 100M NIC, for FiOS
  • eth1, a 10M NIC, for RCN
  • eth2, a 1G NIC, for the internal LAN

The first thing to do is adjust your firewall. I run iptables, with very few dependencies on the external IP address. I did have to add some rules to the FORWARD and INPUT chains for the FiOS NIC – but only for network 192.168.0.0/16, because of the d-link firewalling. Things will get more interesting if/when the d-link comes out of the network, because I’ve seen VZ allocate IP addresses from both net 70 and net 71. I’ll probably change things around so the network-specific rules get changed dynamically, as the IP address changes.

The next thing you have to do is set up per-interface route tables. If you don’t, only one external IP will actually work, because a packet may arrive on NIC A but have its reply routed out NIC B. This especially doesn’t work in a NATted environment! A good reference to get you started is an article in Linux Journal.
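Per-interface routing tables, worked through as an added example (this is not the post’s own setup, nor the Linux Journal article’s): a small POSIX shell script that emits the ip(8) commands for one uplink’s table and the policy rule that steers traffic into it. Interface names follow the post’s layout (eth0 FiOS, eth1 RCN, eth2 LAN); the addresses, gateways and table numbers are constructed placeholders from the documentation ranges, and the `ip` commands are only printed unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not the post's own setup: per-uplink routing tables so a
# reply always leaves on the NIC the request arrived on. Interface names follow
# the post; addresses and table numbers are constructed (203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges). Commands are printed, and only
# executed when APPLY=1 (which needs root).

# emit CMD...: print the command verbatim, run it too when APPLY=1.
emit() {
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = 1 ]; then "$@"; fi
}

# uplink_table IFACE ADDR NET GATEWAY TABLE
#   IFACE   the NIC carrying this uplink             (eth0)
#   ADDR    our address on it                        (203.0.113.10)
#   NET     the directly connected network           (203.0.113.0/24)
#   GATEWAY the ISP router on that network           (203.0.113.1)
#   TABLE   a routing table number unique per uplink (1-252 are free)
uplink_table() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    # Flush first so re-running the script does not stack duplicate routes.
    emit ip route flush table "$table"
    # The link route and a default route, both confined to this uplink's table.
    emit ip route add "$net" dev "$iface" src "$addr" table "$table"
    emit ip route add default via "$gw" dev "$iface" table "$table"
    # The policy rule: packets sourced from ADDR are routed by TABLE, so a
    # reply to anything that arrived on IFACE goes back out through IFACE.
    # (ip rule has no "replace"; delete the old rule before re-running.)
    emit ip rule add from "$addr" table "$table" priority $((1000 + table))
}

# lan_route NET IFACE TABLE: an uplink table that holds only its default route
# would send replies destined for the LAN to the ISP, so each uplink table
# needs the internal network as well.
lan_route() {
    emit ip route add "$1" dev "$2" table "$3"
}

# main_default GATEWAY IFACE: the main table still decides where traffic that
# matches no rule goes; pick the uplink you prefer for it.
main_default() {
    emit ip route replace default via "$1" dev "$2"
}

# Layout from the post with constructed addresses; replace them with what
# each ISP actually assigned.
uplink_table eth0 203.0.113.10  203.0.113.0/24  203.0.113.1  100   # FiOS
lan_route    192.168.1.0/24 eth2 100
uplink_table eth1 198.51.100.20 198.51.100.0/24 198.51.100.1 101   # RCN
lan_route    192.168.1.0/24 eth2 101
main_default 203.0.113.1 eth0
```

Two caveats the script’s comments hint at. First, once a `from ADDR` rule sends a lookup into an uplink table, a hit on that table’s default route is final, so anything the host should still reach directly (the LAN, a second internal network) must be repeated in every uplink table. Second, the source-address rule only covers traffic the Linux box itself originates or terminates: for connections forwarded through NAT, the routing decision is made before the source is rewritten, so the reply is still routed by the main table. Fixing that needs the connection marked (iptables CONNMARK) and an `ip rule add fwmark … table …` entry per uplink, which is beyond what this example shows. Named tables can be declared in `/etc/iproute2/rt_tables` if you prefer names over numbers.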

The third thing is to make sure that your various services don’t rely on specific IP addresses. DNS (BIND) and Apache configuration are good places for this dependency to sneak in. I’ve been around this block before, so I didn’t have those problems. I did get bitten by my CUPS configuration, because it “knew” that eth1 was the LAN interface – when the LAN moved to eth2, CUPSd was broadcasting its notifications on the wrong network.

Email is another challenge. I’m running my outbound email server (postfix) bound to the RCN IP address for the time being. (The dynamic Verizon IP addresses are running into spam filters around the network.) I have worked out how to feed email from my domain into Verizon’s servers. You need to a) turn on SMTP AUTH, and b) pass your Verizon username & password in the SMTP AUTH transaction. In postfix this looks like:

  1. /etc/postfix/main.cf

    smtp_sasl_auth_enable = yes
    smtp_sasl_security_options =
    smtp_sasl_password_maps = hash:/etc/postfix/saslpass

  2. /etc/postfix/saslpass

    # remote user:password
    outgoing.verizon.net user@verizon.net:password

  3. create /etc/postfix/saslpass.db with:

    % sudo postmap /etc/postfix/saslpass

  4. Last thing: I noted above that my outgoing email is all coming off the RCN IP address. This broke the connection to amavis, the virus/spam scanner. Previously amavis was set up to accept connections only from the loopback (127.0.0.1) address; now it needs to accept the RCN IP address as well:

    in /etc/amavisd.conf

    @inet_acl = qw(207.172.210.134 127.0.0.1 [::1]);
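A check for the password map, as an added example that is not from the post: the saslpass file holds the Verizon mailbox password in clear text, and postmap copies it into saslpass.db, so both must stay readable by root only, and an edit to the text file is invisible to postfix until postmap is re-run. The function below verifies mode, line format and staleness. It is POSIX shell apart from `stat -c`, which is GNU coreutils (assumed; Linux), and the paths are whatever you pass it.

```shell
#!/bin/sh
# Added example, not the post's own code: sanity-check a postfix
# smtp_sasl_password_maps source file before compiling it with postmap.
# The file holds a plaintext mailbox password, so the checks are: readable by
# root only, one "host user:password" entry per line, and the compiled .db not
# older than the text it was built from. Nothing here assumes a live postfix.

# check_saslpass FILE: return 0 when FILE is safe and well-formed, 1 otherwise,
# printing one line per problem found.
check_saslpass() {
    f=$1 rc=0
    [ -f "$f" ] || { echo "$f: missing"; return 1; }

    # Permission check: any group/other bit exposes the password to local
    # users. stat -c is GNU coreutils (assumed).
    mode=$(stat -c '%a' "$f")
    case $mode in
        600|400) ;;
        *) echo "$f: mode $mode, expected 0600 (chmod 600 $f)"; rc=1 ;;
    esac

    # Format check, skipping blank lines and comments as postmap does.
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in
            ''|'#'*) continue ;;
        esac
        # Split on whitespace with globbing off, so a '*' in a password is
        # not expanded against the current directory.
        set -f; set -- $line; set +f
        if [ $# -ne 2 ]; then
            echo "$f:$lineno: expected 'host user:password', got $# fields"; rc=1
            continue
        fi
        case $2 in
            *:?*) ;;   # user:password with a non-empty password
            *) echo "$f:$lineno: second field must be user:password"; rc=1 ;;
        esac
    done < "$f"

    # Staleness check: postmap writes FILE.db; edits made after that are not
    # what postfix is using.
    if [ -f "$f.db" ] && [ "$f" -nt "$f.db" ]; then
        echo "$f: newer than $f.db, run: postmap $f"; rc=1
    fi
    return $rc
}

# compile_saslpass FILE: run postmap only once the checks pass, and keep the
# compiled map as tightly permissioned as its source.
compile_saslpass() {
    check_saslpass "$1" && postmap "$1" && chmod 600 "$1.db"
}
```

Run `check_saslpass /etc/postfix/saslpass` after each edit, or use `compile_saslpass` in place of the bare `postmap` step. One further point about the configuration above: an empty `smtp_sasl_security_options =` permits the PLAIN and LOGIN mechanisms, which many consumer relays require, so the password crosses the wire unprotected unless the session itself is encrypted; if the relay supports STARTTLS, `smtp_tls_security_level = encrypt` (or `smtp_enforce_tls = yes` on older postfix releases) keeps the credentials off the wire.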

Posted in Tech topics

FiOS, d-link, and firewalling

I already mentioned that I want access to my Linux server from the network. Verizon’s d-link – still in my network, but not forever – is set up to prevent this. Verizon assumes you have a standard PC, so they preconfigure the d-link to firewall any incoming connections.

That’s not my situation: I have a Linux server with extensive firewalling and more than a few services running on it. I want all the network traffic coming to MY firewall, please, not Verizon’s.

The solution – partial as usual – is the “DMZ” setting. In the d-link configuration you can set a “DMZ” host, which gets most of the traffic the d-link sees forwarded to it. Specifically, it seems to forward TCP and UDP traffic, which is a big step. But it’s still intercepting ICMP – so any ping or traceroute traffic goes to the d-link, not Linux. Yet another reason to disable the d-link.

Posted in FiOS

FiOS and d-link, part II

The embedded web server on the VZ FiOS d-link box sucks. That’s all there is to it. I’m polling it every 10 minutes to check the IP address, and it consistently locks up in less than an hour. Every. Single. Time.

The only way to reset the Web server, that I’ve found, is to power-cycle the box. This has a nice symmetry, because power-cycling the d-link gets you a new PPPoE tunnel which gets you a new IP address. But it’s unacceptable that VZ can change my public IP address when the d-link web server is locked up, and I won’t know it.

At least it’s only the web server that locks up; the d-link keeps forwarding packets.

So what are the choices?
1. Restart the d-link every hour – impractical :-)
2. Rewrite the script to use http://dynamic.zoneedit.com/checkip.html – works, but not very elegant
3. Turn off the d-link and bring the PPPoE tunnel all the way to my Linux box
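Option 2 worked through as an added example (this is not the author’s script): a shell poller that fetches the check page, extracts and validates an IPv4 address, and records it so a change can be acted on, for instance by regenerating the interface-specific iptables rules the multi-homing post talks about. The URL is the one from the list; its response is assumed to contain the address as a dotted quad somewhere in the body, the state file path is a constructed placeholder, and curl is assumed to be installed. Validating the address before using it matters because the poller trusts a remote page’s output, and that output ends up in firewall and DNS configuration.

```shell
#!/bin/sh
# Added example, not the author's script: poll an external "what is my IP"
# page instead of the d-link's web server, validate what comes back, and
# report when the public address changes. The URL is the one from the post;
# its response format is assumed (an IPv4 address somewhere in the body).
# The state file path is a constructed placeholder.

# extract_ip BODY: pull the first dotted quad out of whatever the page returned.
extract_ip() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# valid_ipv4 ADDR: return 0 only if ADDR is four octets each in 0-255. This is
# the guard against acting on garbage if the page changes format or is
# tampered with on the way to us.
valid_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# ip_changed STATEFILE NEWIP: compare with the last recorded address and store
# the new one. Returns 0 if it changed (first sighting counts), 1 if it is the
# same, 2 if NEWIP is not a valid address (state is left untouched).
ip_changed() {
    statefile=$1 newip=$2
    valid_ipv4 "$newip" || return 2
    oldip=$(cat "$statefile" 2>/dev/null)
    [ "$oldip" = "$newip" ] && return 1
    printf '%s\n' "$newip" > "$statefile"
    return 0
}

# poll_once URL STATEFILE: one poll, suitable for a cron entry every 10 minutes.
# On a change this is where the address-specific firewall rules or dynamic DNS
# update would be refreshed.
poll_once() {
    body=$(curl -fsS --max-time 20 "$1") || { echo "fetch of $1 failed" >&2; return 3; }
    ip=$(extract_ip "$body")
    ip_changed "$2" "$ip"
    case $? in
        0) echo "public IP is now $ip" ;;
        1) ;;
        2) echo "could not parse an IPv4 address from $1" >&2; return 2 ;;
    esac
}

# Run the poll only when asked, so sourcing this file for its functions is safe.
case "${1:-}" in
    --poll) poll_once "${2:-http://dynamic.zoneedit.com/checkip.html}" \
                      "${3:-/var/run/public-ip}" ;;
esac
```

Invoke it as `sh checkip.sh --poll` from cron; the state file keeps the last address between runs, so the script only speaks up when something changed, and an unparsable response is reported on stderr rather than silently overwriting the recorded address.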

Stay tuned.

Posted in FiOS