Saturday 28 February 2015

Reduce the cost of your energy bills

"Reduce the cost of your energy bills" said the spam.

But actually, you can. It was quite a while ago that I did this. I opted to get my bills via the internet, rather than on paper. Obviously, this is cheaper for the company doing the billing, and by doing this, I avoided a charge of £2 per quarter. Or to put it another way, the cost of my energy bills went from £8 to zero!

I don't think that's what the spam meant, but it's a nice way to make a small reduction in your expenditures.

New torch

I'm a sucker for torches - I always have been, I had my first nice torch at age 10. It used a lantern battery, and it had a red flashing top, and it was so big as to be rather impractical. So when I noticed on Ebay a 5000 lumen head torch that uses three Cree T6s, for only £11.29, I had to have it.

I mean, look at it! That will turn night into day, and blind any cow I encounter. It runs off two 18650 batteries (I already have some of these, so I didn't buy their quality-unknown batteries).

Of course, I don't take the "5000 lumen" claim seriously, any more than I'd believe the claims made by most battery vendors for battery capacity. But if it really has three Cree T6s, then that's a serious torch.

On the back, it has a glowing red LED. I use a flashing red LED on the back of the bike, but another rear light has to be a good idea.

The reason for getting this (or at least, the excuse I gave myself) is that when I fell over on the road a few days ago, I damaged the head torch I was wearing; the place where the strap attaches to the plastic of the head torch broke, so although the torch worked fine, it couldn't be worn.

After I'd bought the new torch (of course), I thought about mending the old one. I drilled a couple of holes in the plastic with my new Dremel drill (a Christmas present), and used a paper clip to make a base for the strap. So that's as good as new now - almost.

But I don't regret ordering this new head torch.

Reubens again

We went down to London yesterday, and ladysolly took me to Reubens. I had chicken soup with lockshen and kneidlach, chopped liver, roast chicken and chips and a latke. Ladysolly had salt beef, and luckily she could only eat half of it. So I had the other half. Then on to Selfridges, where ladysolly had her eye on a zebra-coloured cardigan at an outrageous price.

Then we went on to visit daughter.1 (and daughter.2 was there also), for a long lazy afternoon followed by Pinocchio and a Chinese meal. I ate far too much.

Wednesday 25 February 2015

The astrological cure

After laughing at people who believe in the Tooth Fairy and other assorted kidstuff, and after laughing at Americans who think the world was created 6000 years ago, I find that in my own backyard, David Tredinnick says that astrology and complementary medicine could help healthcare and opponents are ‘racially prejudiced’.

I'm an opponent, but it isn't on the grounds of race, it's on the grounds of "you're an idiot".

Let's suppose, for a moment, that astrology is a real thing. Then it ought to be possible to do evidence-based double-blind testing, the same sort of testing that we use for other healthcare systems. But that isn't going to happen, and we all know why.

Likewise homeopathy, which our gullible crown prince has lent his name to. The idea that plain water can cure you of various diseases is not only foolish, it's dangerous, because there's no evidence that it's true, and lots that it isn't.

Some people "don't believe in science". You don't have to. All you need to believe is that for any "cure" there has to be evidence that the "cure" is useful. Lacking that, it doesn't get into the medical bag of any sensible medic.

I can sympathise with anyone who has a condition that modern medicine has no way to cure, and I can understand them buying a bottle of snake oil, because at least they're buying a modicum of hope. But for people in charge of allocating the national health budget, it's important that we get value for the money we spend, which means not buying snake oil that some huckster claims will cure us. It's important to spend money only on those remedies where there is evidence that they are useful.

Astrology isn't one of them.

Tuesday 24 February 2015

Forty thousand

I did two more segments of the Essex Way, and got my total finds to over 40,000. That should have happened last week, but after spending an hour extracting myself from that bog, I didn't have the strength (or clothes) to continue.

66 caches done today, and just before I started my final bike back to the car, I managed to fall over while walking along a tarmac road. No damage done, I'm glad to say, except I think I've strained my already-weakened elbow a bit.

Here's a rather good bridleway I had to go down.

Yes. It's actually a river, pretending to be a bridleway. And the fallen tree in the foreground is the tree that I had to lift out of the way so that I could continue swimming down this bridleway.

Monday 23 February 2015

Advice to a salesman

When someone phones you up with the possibility of a big order of hard drives, and asks you to give your best price, you should do exactly that.

If you want to play silly games, you might give a price for half that order, and a somewhat higher price for the other half of that order, explaining that it'll be necessary to get them in at a higher price.

"And that's your best price?" I asked. It was, said Mr Salesman. "Sorry, then," I said, "no deal" and I decided to go to another vendor, who had quoted me a price lower than either of Mr Salesman's.

"What's your target price?" asked Mr Salesman. So I told him; it was a few percent lower than his lowest price - it was the price I got from the other vendor. Margins in this area are wafer thin, so a few percent is a lot. "Let me see what I can do," he said. "No, please don't," I replied, "there's no point, I already had your best price." And we parted.

So then I called the other vendor, and placed the order.

And then I got a phone call from Mr Salesman, offering me a slightly lower price than the price I'd just bought at. And I had to explain to him, "No deal, I already placed the order."

If he hadn't pretended that his previous price was his best price, and that I was lucky to get half of them at that price because the other half would cost even more ... if he hadn't played this game ... then he'd have got the order.

So here's my advice to sales people. Be honest. If you say that a price is your best price, then you should mean it, and if you don't mean it, don't say it. Because I don't want to be messing about with several phone calls to multiple vendors conducting a kind of backwards auction. But more importantly, I have a psychological problem (and there's probably a name for it) whereby I believe what people tell me. So when you told me "This is my best price", I took it as being true, and based my decisions on that.

Tuesday 17 February 2015

Bogged down

I went out today for another bite at the Essex Way. Things went well until the last cache I planned to do before lunch.

I was about 50 yards from the road, and the going was soft. A tree was down, so options for getting to the road were limited. And then I sank in up to my ankle, which means I might get a wet foot. Then I sank in on the other ankle - two wet feet. But on the next step forward, I was in up to my knee, and then, mid thigh.

My bike was fine, it lay lightly on top of the bog, but I was embedded, and thoroughly stuck. I managed to pull one foot out, and make six inches progress, but then both feet were firmly stuck in the bog, about 60 cm under. I pulled and tugged, exhausting myself in the process. And, of course, pulling one foot upwards increased the load on the other foot, which sank deeper. I can see how people get irretrievably stuck in bogs. Eventually, I decided that the only way I was going to get my foot free, was to leave my left boot behind, so that's what I did.

I took my coat off, and folded it up to give me a platform; I also managed to drag a branch over to where I was. And by using that branch, my coat, and my bicycle (now lying flat on the ground) I was able to pull my foot out of the ooze. But I had to leave the boot behind.

I tried to dig the boot out, but I couldn't even get down to it, it was in too deep. So there's a perfectly good boot there, if anyone wants it, and is willing to excavate to get it. 50,000 years from now, an archaeologist will dig up the boot and speculate about a species of one-legged cache hoppers.

So there I was, one boot on and one boot missing, in the middle of a bog. At that point, in retrospect, I should have considered the possibility of retreat. It says much for my ability to think that this possibility didn't even occur to me. Worse - I didn't actually stop to think. Forward was the only possibility in my mind, so forward it was. It's only in retrospect that I realise that maybe I should have gone backwards. But how would I get through the bog? That bog lay between me and the road, it had to be traversed.

So, forward! Naturally, things got worse. I abandoned the bike, and on the assumption that four wheel drive would be better, I crawled forwards on hands and knees, until I was able to get to the fallen tree. I used that to reduce the weight borne by the bog, and was able to get to firmer ground.

My coat wasn't just muddy. It was 90% mud. My trousers, likewise. I had one boot, my other foot had just a sock. And my bike was in the middle of the bog.

So I removed the sock. It wasn't really doing much for me. And I thought about how to get my bike; that's an electric bike, and to build another one like it would probably cost me at least £300. Not to mention the naughtiness of leaving bike-litter.

I carry a rope in my coat, but I couldn't see how that would help. So I went back to the bike, approaching it from a different angle, and making use of a fallen branch to stop my feet from sinking in too much. I was able to get to within three yards of the bike; then I pulled my booted foot out of the mud for another step, lost my balance, and sat down in the bog. I cursed, but actually it didn't really make much difference, I was already so wet and muddy that I couldn't get much wetter. I got up, took another couple of steps towards the bike, lost balance again, toppled over, and discovered that yes, I could actually get wetter and muddier. But in this toppled state, I was close enough to the bike to get hold of one handlebar, and I dragged it towards me.

I inched backwards, then dragged the bike, then inched backwards, then dragged the bike, and repeated this until I was on firmer ground - that is, ground where I only sank in to my ankles. Then I wheeled the bike to the stile, sat on the stile, and reflected on the universe and its propensity to not care about me. I took my sock and wrung it out as much as I could, then put it on, reasoning that for the trip back to the car, a sock would be better than nothing. There was no possibility of continuing the Essex Way; besides, this was the point that I'd already decided was going to be where I'd turn back and cycle along the roads back to the car.

I heaved the bike over the gate by the stile and got ready for the journey back. It was about four miles, but along tarmac road, and I had plenty of battery, so I didn't need to pedal, which is just as well because pedalling a bike with a bare foot (or even one protected by a wet sock) isn't easy.

I got back to the car quite quickly; bikes do very well on tarmac. And then I pulled out the complete change of clothing that I keep in the car for just such an eventuality. I sat on a stile and took off my wet, muddy trousers, and then my soaked underpants, and I frankly didn't care if anyone came along the road and saw the spectacle (no-one did). Dry underpants, shorts and socks cheered me up a bit, hot coffee helped even more, and lunch made me feel a lot better. But I still didn't feel like continuing to the planned second part of the day, so I went home, and put all the wet muddy things in the utility room sink to be dealt with later.

They say that geocaching takes you to places you wouldn't otherwise visit.

Sunday 15 February 2015

Salt beef and latkes

Lunch at The Kitchen was chicken soup with knedlach and lockshen, chopped liver, followed by salt beef, sauerkraut, chips and latkes. Silverspoon, you don't know what you're missing.

Devil abolished

The Church of England has abolished the Devil. Good idea, I say, and about time. Let's hope that Lucifer goes along with this arrangement, although you have to have some sympathy for the sad lad, being abolished must be painful.

But seriously, it's a good idea. I don't think many people believed in Beelzebub, so when the Church asks you "Do you reject the Devil" you don't have to pretend any more, and say "No such thing", which isn't quite the same as rejecting him.

But I think they should go further. There's a whole bunch of imaginary and invisible friends that they could abolish. If they can replace "reject The Devil" with "reject evil" (which we atheists can certainly go along with), then surely they could also replace all references to "god" with "goodness"?

But what about Hell? Who's in charge there now?

Friday 13 February 2015

University fees

It costs £27,000 to go to university in tuition fees alone. When you add the cost of living for three years, you're looking at over £40,000.

When I went to university, tuition was paid for by the state, and in addition the state gave me £370 per year for living on, and that was a lot, 50 years ago. Enough for a student, with no expenses besides lodging, food, books and beer, not necessarily in that order.

I can hardly believe that it was a Labour government that changed this free education into paid-for. That is such a daft idea. The education of our children is the best investment we could make, and by education, I mean education, not the awarding of degrees in subjects I can barely believe.

Would I have gone to university in 1966 if the cost had been that steep? Possibly. Probably. Our family culture was very pro-education. But I didn't have to think about it, off I went to waste three years playing bridge. And just scraping a degree in Maths, which got me a decent job playing with computers, and the rest followed from that.

I recently said that if any political party were to offer to reverse this decision, I might vote for them, which for me, is a big step. And then, shortly after I said that, I discovered that UKIP says:

– Subject to academic performance UKIP will remove tuition fees for students taking approved degrees in science, medicine, technology, engineering, maths on the condition that they live, work and pay tax in the UK for five years after the completion of their degrees. 

Well - that's so close to what I want, I'm tempted, quite tempted, so I lean towards voting UKIP. But they still want to leave the EEC, and I'm strongly against leaving. I voted to join back in 1975, and I still think it's a jolly good idea. So, UKIP, drop the "leave the EU" policy, and you might get my vote.


rdate is very nice. It keeps my computers on time.

Computers have a clock, but it isn't accurate. Far from it. People often wonder why computer clocks are so inaccurate - the answer is, they aren't clocks, they're computers. It would cost nearly $0.01 to make computers have accurate clocks, so it isn't going to happen.

But when you have a network, it's good to have all your computers have the same time. This is because some things need to happen after other things, and if they're on different computers, you need the clocks to be together.

Enter rdate. Once per day, I run "rdate -s" on my computer named xanth, and once per day, I run "rdate -s xanth" on all the other computers. rdate gets the time from port 37, on a service called "time-stream", which is built in to xinetd, the super-server, which I install by default on all my servers.

This works well. But it might not work in future. rdate has become "deprecated", and is on the way to being obsolete. That's a shame, because it means that one day I might have to change everything.

There's ntpdate that replaces it, which is a client to ntp (network time protocol). That's altogether more sophisticated and much more clever, and can synchronise much better than the "within a second or so" that rdate does. But the rdate sync is good enough for me. I hope I can continue to use it in future, because changing everything over to use ntp will be a bit of a pain.
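To make the port 37 exchange concrete, here is an added example (my code, not the post's and not rdate's): a Python sketch of what the time-stream service sends and what "rdate -s" decodes from it. The host name xanth is the post's; the function names and everything else are assumptions.

```python
import socket
import struct
import time

# RFC 868 (the "time" service xinetd offers as time-stream on port 37) replies
# with one 32-bit big-endian count of seconds since 1900-01-01 UTC. Unix time
# counts from 1970-01-01, so the two differ by a fixed offset.
RFC868_OFFSET = 2208988800      # seconds between 1900-01-01 and 1970-01-01
TIME_PORT = 37


def time_stream_reply(unix_seconds):
    """Bytes a port-37 server sends for a given Unix time (the server side)."""
    return struct.pack("!I", (int(unix_seconds) + RFC868_OFFSET) & 0xFFFFFFFF)


def parse_time_stream_reply(data):
    """Decode a 4-byte RFC 868 reply into Unix seconds, as rdate does.

    The 32-bit counter wraps in February 2036; after that the unsigned value
    is small again, so anything decoding to before 1970 is taken as wrapped.
    """
    if len(data) != 4:
        raise ValueError("RFC 868 reply must be exactly 4 bytes, got %d" % len(data))
    (since_1900,) = struct.unpack("!I", data)
    unix_seconds = since_1900 - RFC868_OFFSET
    if unix_seconds < 0:
        unix_seconds += 2 ** 32
    return unix_seconds


def clock_step(local_seconds, remote_seconds, max_skew=1.0):
    """Correction 'rdate -s' would apply, or 0 when already within max_skew."""
    delta = remote_seconds - local_seconds
    return delta if abs(delta) > max_skew else 0


def fetch_time(host, port=TIME_PORT, timeout=5.0):
    """Network client: read the 4-byte reply from a time-stream server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while len(data) < 4:
            chunk = sock.recv(4 - len(data))
            if not chunk:
                break
            data += chunk
    return parse_time_stream_reply(data)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "xanth"   # the post's time server
    remote = fetch_time(host)
    print("remote", remote, "local", int(time.time()),
          "step", clock_step(time.time(), remote))
```

Two things worth knowing before trusting this in anger: the reply is four bytes with no authentication, so whatever answers on port 37 sets the clock of every machine that asks (on a closed LAN that is the same trust you already place in xanth, and it is the gap authenticated NTP closes), and the 32-bit counter wraps in February 2036, which the decoder allows for.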

Wednesday 11 February 2015


A week ago, I had a tooth problem. I was eating prawn crackers, one of them wasn't crispy like it should have been, it had a rock hard bit inside. And I damaged a tooth.

Today my usual dentist had a look at it. "No big deal", he said, "you can get the same problem with popcorn". I'll remember that. He cheerfully started on it with his drill. They don't use the old rotating cord-driven drill these days, and if you've ever experienced one, you'll know why. It's a very fast water driven thing now, and not quite so awful. He had to get the old filling out before he could reconstruct, and that involved drilling it out.

Drilling it out must have been very easy, because while he was doing it, he was dealing with various elements of paperwork for other patients, via his team of dental assistants. Then he filled it with something like isopon, stuck an ultra-violet source inside my mouth to cure the filling, make it hard, and that was that. He's really very good. Then he gave me the bad news. Although I've been doing very good cleaning on my teeth, for the last week or so, I haven't been touching the region that had the damaged tooth, for fear of making it worse. So I needed to visit the dental hygienist. And it so happened that she had a cancelled appointment today, so I booked myself in for the afternoon.

The hygienist is actually the dentist's daughter, and she's also very good. As she scraped away, first with a water-jet, then with a stainless steel implement that I didn't want to examine too closely, we chatted. I asked her who does her teeth. For fillings, she goes to dad, but for cleaning she does it herself. Wow, I thought, that can't be easy.

I asked her about flossing; she said that what I was doing (using an interdental brush) is a lot better. So I'll go on doing that.

Then she gave my teeth a final polish, and I was out of there, brightening up the world with my smile.

The whole thing was pretty straightforward, and because of the NHS, cost me £65. In America, that would be ten times as much.

One weird old trick to fend off spam

I don't know about you, but for me spam is a real issue. If you're using gmail, or hotmail, or something like that, then they're probably despamming for you and you don't even know about it. But despammers are never perfect; they make two kinds of mistake.

1) Labelling something as spam that isn't
2) Not labelling something as spam that is.

The second sort of mistake is mildly annoying, but the first kind of mistake means you could miss an important email.

So I run my own mail server, and do my own despamming.

I do this in several stages. Stage one is to do with the mail servers that I announce to the world. I run six mail servers. The first one I call, imaginatively, mail1. That is where your mailer should deliver any mail for me. The second exists in case the first one crashes and I don't notice, and I call that, guess what, mail2.

I don't read my mail on those servers; I have another server, my mail processor, that collects any mail from mail1 and mail2 using IMAP. It also visits various other email addresses that I have, mostly set up donkeys years ago (a donkey year is about 20 years). Mail1 has priority 10, and mail2 has priority 20. So your mailer knows that it should preferentially deliver to mail1, because when it gets the list of my mail servers, it can parse the information that comes back, and see the priorities.

I also have four more mail servers, and you can probably guess the names. These have priority 200, 300, 400 and 500. So really, they shouldn't get any mail unless both mail1 and mail2 are out of action, and if that's happened, then it'll be caused by a total comms outage, so mail3 to mail6 won't be accessible either.

But they do get mail. Lots and lots of mail. And every single email they get, is spam. What's happening, I think, is this. People who spew out spam don't really care about doing things right. When you do "dig mx" on a domain name (that's asking for the list of mail servers) the list comes back in a random order; you're supposed to read it to decide which is the highest priority server (in my case, mail1). But spammers just send their spam to the first on the list; this is slightly quicker for them. And that's why everything I get on mail3 to mail6 is spam. And mail3 to mail6 is actually just one server with different names, so I don't even have to run extra servers.

I'd guess that this simple trick fends off about 2/3 of the spam sent to me (and you could add a hundred more servers to fend off a lot more spam, all actually just the one server).

On the server that collects all my email together from various sources, I run the despammer what I wrote. That also does a few simple things before doing the complicated thing.

It has a look at the subject and the header. If this isn't using the Roman character set (maybe it's Chinese, or Russian) then I'm not going to be able to understand it anyway. So it's spam, and it's put into a "non-roman" mailbox. If it wasn't actually spam, tough, I can't read Chinese.

It has a look at who the email is addressed to. If that isn't one of a limited list (or if there's no-one that it's addressed to) then it's spam, put into a "not-me" mailbox.

How many people was it addressed to? If someone sends an email to six people, of which I'm one, then I doubt if I want to read it - spam, into the "spam" mailbox.

If it passes all those tests, then it's put through my despammer program, which looks for things like "make money fast" and "prescription".

And if it passes all that, then I have one final weird old trick - I sort the mail into alphabetical order. Most people view their mail sorted into date order, and that makes a lot of sense. But for despamming, you want alphabetical order. When you see fifteen emails with the subject "Breakthrough Baldness Cure" you can swiftly delete them all. More importantly, when you see seven emails all entitled "Outstanding Invoice" then you know they're spam.

So when I read my email, nearly all the spam has been fended off, and what wasn't fended, is more clearly spam because of the alphabetical order. Then, when I've dealt with the mail, I check the "non-roman" and the other mailboxes, just in case there's something in one of them that I ought to read ... but there very rarely is.
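As an added example (my code, not the post's despammer), here is a Python version of the stages described above: picking the MX from a "dig mx" answer the way a correct sender does, treating anything accepted by the decoy hosts as spam, then the non-Roman, not-me, too-many-recipients and phrase checks, and finally sorting what survives by subject so duplicates cluster. The addresses, host names, phrases and recipient limit are assumptions, and the sample messages are constructed.

```python
import re
import unicodedata
from email import message_from_string
from email.policy import default

# Assumed values for this example (not from the post): my own addresses,
# the names of the decoy MX hosts, and the phrases the despammer looks for.
MY_ADDRESSES = {"me@example.com"}
DECOY_HOSTS = {"mail3.example.com", "mail4.example.com",
               "mail5.example.com", "mail6.example.com"}
SPAM_PHRASES = ("make money fast", "prescription")
MAX_RECIPIENTS = 5   # the post's example: mail addressed to six people is not for me


def best_mx(records):
    """Host a correct sender picks from a 'dig mx' answer: lowest preference wins.
    `records` are 'preference host' strings in whatever order dig returned them."""
    parsed = [(int(pref), host.rstrip(".")) for pref, host in
              (line.split() for line in records)]
    return min(parsed)[1]


def first_listed_mx(records):
    """What the post says sloppy senders do: take the first line as it came."""
    return records[0].split()[1].rstrip(".")


def is_roman(text):
    """True when every letter in the text belongs to the Latin script."""
    return all(unicodedata.name(ch, "").startswith("LATIN")
               for ch in text if ch.isalpha())


def recipients(msg):
    """Every address in To: and Cc:, lower-cased."""
    addrs = []
    for field in ("To", "Cc"):
        if msg[field] is not None:
            addrs.extend(a.addr_spec.lower() for a in msg[field].addresses)
    return addrs


def accepted_by_decoy(msg):
    """Did one of the high-preference decoy MX hosts accept this message?"""
    for received in msg.get_all("Received", []):
        m = re.search(r"\bby\s+([\w.-]+)", str(received))
        if m and m.group(1).lower() in DECOY_HOSTS:
            return True
    return False


def classify(raw):
    """Mailbox the message lands in, applying the post's stages in order."""
    msg = message_from_string(raw, policy=default)
    subject = str(msg["Subject"] or "")
    if accepted_by_decoy(msg):
        return "decoy"
    if not is_roman(subject):
        return "non-roman"
    rcpts = recipients(msg)
    if not any(r in MY_ADDRESSES for r in rcpts):
        return "not-me"
    if len(rcpts) > MAX_RECIPIENTS:
        return "spam"
    text = subject.lower()
    if not msg.is_multipart():
        text += " " + msg.get_content().lower()
    if any(phrase in text for phrase in SPAM_PHRASES):
        return "spam"
    return "inbox"


def inbox_by_subject(raws):
    """Subjects of what survives, alphabetical so identical subjects sit together."""
    subjects = [str(message_from_string(r, policy=default)["Subject"] or "")
                for r in raws if classify(r) == "inbox"]
    return sorted(subjects, key=str.lower)


SAMPLES = [   # constructed messages for this example, not real mail
    "Received: from smtp.example.net by mail5.example.com with ESMTP\n"
    "From: seller@example.net\nTo: me@example.com\n"
    "Subject: Breakthrough Baldness Cure\n\nBuy now.\n",
    "Received: from smtp.example.net by mail1.example.com with ESMTP\n"
    "From: someone@example.net\nTo: me@example.com\n"
    "Subject: =?UTF-8?B?5L2g5aW9?=\n\nhello\n",
    "Received: from smtp.example.net by mail1.example.com with ESMTP\n"
    "From: list@example.net\nTo: other@example.org\n"
    "Subject: Outstanding Invoice\n\nSee attached.\n",
    "Received: from smtp.example.net by mail1.example.com with ESMTP\n"
    "From: bulk@example.net\nTo: me@example.com, a@example.org, b@example.org,\n"
    " c@example.org, d@example.org, e@example.org\nSubject: Newsletter\n\nNews.\n",
    "Received: from smtp.example.net by mail1.example.com with ESMTP\n"
    "From: pills@example.net\nTo: me@example.com\n"
    "Subject: Your prescription is ready\n\nClick.\n",
    "Received: from smtp.example.net by mail1.example.com with ESMTP\n"
    "From: friend@example.org\nTo: me@example.com\n"
    "Subject: Lunch on Sunday\n\nSalt beef?\n",
    "Received: from smtp.example.net by mail2.example.com with ESMTP\n"
    "From: cacher@example.org\nTo: me@example.com\n"
    "Subject: About the Essex Way\n\nMind the bog.\n",
]
```

The decoy stage is the one to watch: a sender that does follow the MX preferences will fall through to mail3 only when mail1 and mail2 are both unreachable, which is exactly the case the post argues can't happen without a total outage, so the occasional glance at the "decoy" box is the right safety net.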

Tuesday 10 February 2015

More Essex Way

Once more unto the Essex Way. I parked, got the bike out, and discovered that the front tire was totally flat. So I got out my electric air pump (it's also my emergency car-starting battery) and discovered that the battery was flat. Oh no! So I got out the pump that I always carry on the bike, pumped it up with that, and it stayed pumped. All this faffing about, of course, took time.

Today was a day of lots of mud, which slowed me down, and a few stupid blunders which had the same effect, but I found 37 caches, including several that weren't Essex Way, so not too bad.

And this:

Monday 9 February 2015

DNS on the DMZ

Servers on the inside of my network have IPs like 10.x.y.z, but servers in my DMZ have IPs like 192.168.y.z. So when I want to talk to a server "fred", then the IP address I need to use, depends on whether I'm calling fred from inside, or from the dmz.

The pix has a clever way of dealing with this. I think. It's so clever, I don't have a hope in hell of understanding it. It does "DNS doctoring", and it looks ... difficult. But I already know how to set up a DNS server, so I decided to do it that way.

Now, I have two DNS servers; the one that people on the outside use, that translates my accessible server names into accessible IP addresses. And I have another DNS server on the inside, that translates my internal names into IP addresses. So I don't have to remember that fred is at

Another way to do this, is with a hosts file. But the trouble with that, is that you need a copy of the hosts file on every computer that's going to talk to other computers, and keeping that up to date is a nightmare - I know this, because that's what I did before I got the hang of DNS.

But in future, I'll need three DNS servers. One for people on the outside, so that names like "" are translated into IP addresses that you can access. The second is the same inside one I already have; the third will be another one for use by servers sitting on the DMZ, because they'll use a different address for servers on the inside, from the addresses that insiders use.

I hope that's clear. It wasn't very clear to me. And I made a lot of blunders while setting it up.

First, I found that pinging from the DMZ to the outside worked ... but very slowly. Ping times were good, but I was only seeing one ping every 20 seconds, instead of the one per second you should see. Eventually, I realised that if I used ping -n instead of ping, the pings came one per second. -n tells it not to translate IP addresses back into names, and the reason why that was so much faster than without the -n was that I'd forgotten to do reverse DNS. I hadn't actually forgotten, I was planning to do it later, because unless you have accurate reverse DNS, AOL (and some other companies) won't accept your email. But I hadn't planned on doing it just yet. Well, it's easy to do, so I did it.

By the way, if you think that you might be having reverse DNS problems, you can test whether yours is working, go here. Or here.

So after I got reverse DNS working, pings went quickly. But then I did a bit more editing of the DNS files that resulted in DNS not working, and it took me ages to realise that the "SERVFAIL" message I kept getting from dig, was because, although the DNS server was working, it wasn't working for the domain name that I was testing.

The cause was a hole I have tripped over so many times. If you want to put a comment in your zone file (or comment out one of the lines) you start the line with a semicolon. For most of the things I use, that would be an octothorpe (#). If you put an octothorpe as the first character in a line of a zone file, then the DNS server (bind9) barfs on that file, and although bind9 will still run, it won't be doing anything for the domain with the octothorpe. I've made that mistake so many times, you'd think I'd have learned by now.

So I fixed that, and then I ran my regression test, that I set up a few days ago. That checks that all the things that should be allowed, are allowed, and all the things that should be denied, are denied. And that worked well. So I think I've got my three DNS servers working; inside, dmz and outside. Except, of course, that I can't make any of this stuff active until my line arrives, which might be in April. But definitely before Christmas. Definitely.
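An added illustration of the three-view arrangement, not the author's configuration: a small Python model of split-horizon resolution (which answer a client gets depends on the network it asks from), the owner name a reverse zone needs for an address (what ping without -n goes looking for), and a check for the semicolon-versus-octothorpe mistake described above. The names, addresses and the sample zone are constructed; 203.0.113.0/24 is a documentation range standing in for a routable one.

```python
import ipaddress

# Which table a client sees depends on where it asks from: 10.x is inside,
# 192.168.x is the DMZ, anything else is the outside world.
VIEW_NETWORKS = [
    ("inside", ipaddress.ip_network("10.0.0.0/8")),
    ("dmz", ipaddress.ip_network("192.168.0.0/16")),
]
ZONES = {
    # inside: names resolve to the real inside addresses
    "inside": {"fred.example.com": "10.1.2.3", "www.example.com": "192.168.5.10"},
    # dmz: the same inside host is reached at the firewall's address for it
    "dmz": {"fred.example.com": "192.168.5.3", "www.example.com": "192.168.5.10"},
    # outside: only the public names, at routable addresses
    "outside": {"www.example.com": "203.0.113.10"},
}


def select_view(client_ip):
    """Name of the view a query from client_ip is answered from."""
    addr = ipaddress.ip_address(client_ip)
    for name, net in VIEW_NETWORKS:
        if addr in net:
            return name
    return "outside"


def resolve(name, client_ip):
    """Answer a query the way a split-horizon server would; None means NXDOMAIN."""
    return ZONES[select_view(client_ip)].get(name.lower().rstrip("."))


def reverse_name(ip):
    """PTR owner name the reverse zone needs for this address."""
    return ipaddress.ip_address(ip).reverse_pointer


def bad_zone_comments(zone_text):
    """Line numbers of lines starting with '#'. Zone-file comments use ';';
    a '#' line makes named reject the zone and answer SERVFAIL for the domain."""
    return [lineno for lineno, line in enumerate(zone_text.splitlines(), start=1)
            if line.lstrip().startswith("#")]


SAMPLE_ZONE = """$TTL 3600
; this is how a comment is written in a zone file
@    IN SOA ns1.example.com. hostmaster.example.com. (1 3600 900 604800 86400)
# this line is the mistake: named will reject the zone
fred IN A   10.1.2.3
"""
```

In BIND itself the three tables are three view clauses in named.conf, each with a match-clients list, and running named-checkzone on a zone file before reloading reports the offending line instead of leaving you to puzzle over SERVFAIL from dig.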

Sunday 8 February 2015

To Welwyn

Ladysolly and I went out today to do a bit of caching. We nearly didn't go, because ladysolly had pigged out two days ago at her birthday dinner at the nearby Italian, and all the olive oil had given her a tummy pain. But she bravely decided to carry on regardless.

We walked about 5 kilometers, according to Memory Map; 11 kilometers according to her pedometer. We found all the caches except one. The weather was great, and we were glad that we didn't fester indoors today.

While we were out, we met three teams of cachers; we've never met so many in one day before.

Saturday 7 February 2015

Are you happy or cross?

I wanted to run the 515 and the 525 side by side. It took me a while to find a serial cable to the pix that worked, but what really got me excited was ... the pix has a USB port! So why don't I connect to that instead of messing around trying to find a serial cable with the right characteristic?

Cables are either cross or happy. Most cables are happy, but sometimes you need a cross cable - for example, if you connect two computers back to back. With a happy cable between them, they sulk and won't talk, but if you use a cross cable, the computers are happy.

As with serial cables, so with ethernet, except that it's complicated by the fact that some clever switches work out for themselves whether the cable you're using is cross or happy, and adjust accordingly. And some don't. I, of course, have a mixture of these.

I try to keep track by saying "all red or yellow cables are cross, all others are happy". I just did some testing, and although I've mostly kept that rule, I do have five yellow happy cables, and one beige cross one. I've labelled the contrary ones so I don't get confused in future.

One nice thing about USB, is that any cable will do; you don't have to worry whether they're cross or happy. Of course, USB makes up for this by having umpteen sizes of connector; USB A, USB B, mini, micro and probably others I've forgotten about, and all in flavours of male and female. Serial only has two sizes; 25 pin and 9 pin. And, of course, two sexes. Unless you're a pix, in which case you have an RJ45 connector.

So you can see why, when I noticed the USB port on the pix, I was happy. But when I discovered, after a bit of googling, that the apparent USB port isn't connected to anything inside ... I was cross.

A mysterious DSL problem

One of my servers, foggy, is routed to the outside world via a DSL line instead of my 2mb leased line. This is so that I can do backups of my servers in Cheltenham, to here, without saturating my leased line. And, of course, the DSL is three times faster.

So I woke up today to a voice saying "One hundred and sixty eight alerts". I looked, and they were nearly all foggy, complaining of being unable to contact the world outside. So I looked at it. Foggy couldn't ping the DSL router. So, first thing, I told the router to reboot. That didn't fix it. So I used my remote power thingy (an APC PDU) to power-cycle the router. That didn't help. Foggy couldn't ping the router, but I could ping it from another server. So, I thought, that probably means a problem with foggy, rather than a problem with the router.

So I restarted foggy's network with "/etc/init.d/network restart" then re-established the gateway to the DSL router with:

/sbin/route add -net 0/0 gw em1
/sbin/route del -net 0/0 gw em1

and everything worked. I have no idea what happened here - foggy just seemed to have forgotten where the DSL router was?

One step back, four steps forward

I finished setting up the pix525 today - I've been having problems getting nfs file sharing to work. It turns out that whereas for years and years I've been putting 

/home/drsolly/shared 10.*.*.*(rw,async)

in my exports file, and I thought it was working, what was actually working was the other line

/home/drsolly/shared *,async)

And the correct syntax for the first line is


It's been working fine before, because I had my DNS working. But on my lan lab setup, I haven't got DNS yet. So it tried to use the IP address line, and that didn't work. Once I corrected that mistake, there was much rejoicing in the lan lab.
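An added example (my code, not the author's exports file) of the distinction the post is making. In exports(5), a client spec containing * or ? is a hostname pattern, matched against the name the connecting address reverse-resolves to, whereas a network is written as address/prefix or address/netmask; so a wildcard written into an IP address only ever matches while reverse DNS is working, and never in a lab without it. The Python below parses a constructed exports file, classifies each client spec, flags wildcard IPs, and models the matching with and without a reverse name. The function names and the sample file are assumptions.

```python
import ipaddress
import re
from fnmatch import fnmatch

# Constructed /etc/exports text in the shape the post describes: one line with
# a wildcard in an IP address, one with a hostname pattern, one done properly.
SAMPLE_EXPORTS = """/home/drsolly/shared 10.*.*.*(rw,async)
/home/drsolly/shared *.example.com(rw,async)
/home/drsolly/pub 10.0.0.0/8(ro) @trusted(rw) 192.168.1.5(rw,no_root_squash)
"""


def parse_exports(text):
    """(lineno, path, [(client, options)]) for each non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.split("#", 1)[0].strip()   # in exports(5) '#' really is a comment
        if not line:
            continue
        path, *tokens = line.split()
        clients = []
        for token in tokens:
            client, _, opts = token.partition("(")
            clients.append((client, opts.rstrip(")")))
        entries.append((lineno, path, clients))
    return entries


def classify_client(client):
    """Which exports(5) client form this is, and so how exportfs will match it."""
    if client == "*":
        return "everyone"
    if client.startswith("@"):
        return "netgroup"
    if "/" in client:
        ipaddress.ip_network(client, strict=False)   # raises on a malformed network
        return "ip-network"
    if "*" in client or "?" in client or "[" in client:
        # wildcards make it a hostname pattern, even when it looks like an address
        return "ip-wildcard" if re.fullmatch(r"[\d.*?\[\]]+", client) else "hostname-pattern"
    try:
        ipaddress.ip_address(client)
        return "ip-host"
    except ValueError:
        return "hostname"


def client_matches(client, addr, reverse_name=None):
    """Simplified model of exportfs matching: networks and plain addresses are
    compared numerically; anything with wildcards is compared only against the
    client's reverse-DNS name. Plain hostnames and netgroups need a resolver or
    NIS and are not modelled (returns None)."""
    kind = classify_client(client)
    if kind == "everyone":
        return True
    if kind == "ip-network":
        return ipaddress.ip_address(addr) in ipaddress.ip_network(client, strict=False)
    if kind == "ip-host":
        return ipaddress.ip_address(addr) == ipaddress.ip_address(client)
    if kind in ("hostname-pattern", "ip-wildcard"):
        return reverse_name is not None and fnmatch(reverse_name.lower(), client.lower())
    return None


def lint_exports(text):
    """(lineno, client) for every wildcard-in-an-IP client spec, the post's mistake."""
    return [(lineno, client)
            for lineno, _path, clients in parse_exports(text)
            for client, _opts in clients
            if classify_client(client) == "ip-wildcard"]
```

The lint is the useful bit: run it over the real file and a 10.*.*.* line shows up immediately, instead of silently depending on a second, hostname-based line and on reverse DNS being available.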

Next, I created my regression tests. It's so that after I make some changes, I can very quickly verify that everything that should be allowed, is allowed, and everything that should be denied, is denied. So I tested my regression tests, and they tested OK, so now the next step.
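The allow/deny regression tests mentioned here and in the DNS post above are a good habit, so as an added example (not the author's script) here is a small Python harness for one: a policy table of host, port and whether a TCP connection should succeed, a probe that tries each, and a report of every case whose observed result differs from the expected one. The policy table and addresses are constructed (RFC 1918 and documentation ranges), and the function names are assumptions.

```python
import socket

# Constructed policy for this example: (description, host, port, should_connect).
POLICY = [
    ("inside may reach the DMZ web server", "192.168.5.10", 80, True),
    ("inside may reach the DMZ mail server", "192.168.5.20", 25, True),
    ("nobody may reach the DMZ database from outside", "203.0.113.20", 3306, False),
    ("inside may not ssh straight to the outside host", "203.0.113.9", 22, False),
]


def tcp_probe(host, port, timeout=3.0):
    """Real probe: True if a TCP connection to host:port completes in time.
    A refusal and a timeout both count as 'denied' for the matrix."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_matrix(policy, probe=tcp_probe):
    """Run every case; return failures as (description, expected, observed)."""
    failures = []
    for description, host, port, expected in policy:
        observed = probe(host, port)
        if observed != expected:
            failures.append((description, expected, observed))
    return failures


def report(failures):
    """Human-readable summary of run_matrix()'s result."""
    if not failures:
        return ("regression tests passed: everything allowed is allowed, "
                "everything denied is denied")
    lines = ["%d regression failure(s):" % len(failures)]
    for description, expected, observed in failures:
        lines.append("  %s: expected %s, got %s" % (
            description,
            "allowed" if expected else "denied",
            "allowed" if observed else "denied"))
    return "\n".join(lines)


def fake_firewall(open_ports):
    """Probe substitute for offline use: 'connects' only to the listed (host, port) pairs."""
    return lambda host, port, timeout=3.0: (host, port) in open_ports


if __name__ == "__main__":
    print(report(run_matrix(POLICY)))
```

Run it from each vantage point in turn (an inside host, a DMZ host, something outside), since the same host:port pair should be allowed from one side and denied from another, and keep a separate policy table per side. Treating a timeout and a refusal alike is deliberate: for a "should be blocked" case either outcome is what you want, and for a "should be allowed" case either is a failure worth looking at.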

I downed the pix525, and carefully extracted one of the four-port network cards. Then I powered it up again and checked that it still worked.

Then I opened up the pix515e failover unit that I have, and put the network card in. This is because as it stands, it only has two ports, inside and outside, and I'm using three. But ... it rejected it! Even though it looks exactly like the one in the pix515E that does have a card, it doesn't work in the pix515efo.

I was sold these as a working pair; main unit and failover. But they couldn't be used that way. Oh well. It means that I'll just use the pix515e as my main firewall, and if that should ever fail, I'll just plug in the pix525 until I can either fix the 515e, or get a replacement. I'm not bothered; I've been using three pixes for several years, and in all that time, I haven't had a single failure.

So next, I tried to install the lovely lovely user interface in the pix515e. I tried a couple of versions of asdm, and a couple of versions of pdm, all to no avail. Well, I wasn't really expecting this to fly, and it's not too awful. In working with the 525 and the user interface, I've learned a lot about how the command line works, so I can make small changes to the 515 that way. Although in my experience, that isn't needed very often. And if I need to do big changes, I can do them on the 525, test them, then copy them to the 515e.

While the 525 was up, I copied the configuration to my tftp server. With the 515e running, I copied that configuration to the 515e, and it worked! So I ran my regression tests, and everything was tickety-boo.

Something I've learned here - I've been using pixes for 15 years or so, and in all that time, I never really understood them. I found things that worked, and used those, and found things that didn't, and avoided those. But it was all hit-and-miss; I'd try things until something worked. Now I feel that I understand them a lot better, and I know why I need things (most of the time). It isn't just a magic incantation any more.

I've also discovered why my Samba shares weren't always working (the extra <cr> in the credentials file), how to write nfs exports files, why you can use ftp through a pix and a few other things unrelated to firewalls.

Friday 6 February 2015

From the network lab ...

Yes, I now have a network lab. It consists of pixes:

A 525 with 10 interfaces and a failover licence, which means it reboots every 24 hours, but it has the lovely lovely ASDM interface.
A 515E with 6 interfaces and a full licence.
A 515E with two interfaces and a failover licence

And computers:

A computer on the IP which represents the outside world
A computer on the IP which is on the DMZ
A computer on the IP which is on the inside interface
A computer on the IP which is also on the inside

The four computers above stand in for my full network, and share three monitors.

A computer on the IP which is also on the inside. That's running the linux gui, and is used to control the pix via the asdm interface, and go look up things using google.

There's also the usual mess of cables, switches, keyboards and bits of paper. I'm now setting up my regression testing. This means that for every possible combination of inside/dmz/outside (six possibilities) and for all the important services (ssh, http, https, smtp, dns, samba and nfs) I test each one (so far, 30-odd tests) to check that the packet flow is correctly allowed or correctly denied. So far, I've got everything working except nfs and dns, and that's because I've run out of time today.
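A harness for the regression matrix described above, added here as an example; it is not the author's code. It assumes one lab computer per zone (inside, dmz, outside) reachable by password-less ssh, with nc available on each, and the IPs below are constructed placeholders; the probe is pluggable so the matrix logic can be exercised without the lab.

```python
import subprocess

# Services under test and the TCP port each one listens on
SERVICES = {"ssh": 22, "http": 80, "https": 443, "smtp": 25,
            "dns": 53, "samba": 445, "nfs": 2049}
ZONES = ("inside", "dmz", "outside")


def ssh_probe(src_host, dst_host, port):
    """Probe dst_host:port *from* the computer standing in the source zone.
    Assumes password-less ssh to src_host and nc on it (assumption)."""
    cmd = ["ssh", src_host, "nc", "-z", "-w", "2", dst_host, str(port)]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def expected_matrix(allowed):
    """Expand a set of allowed (src_zone, dst_zone, service) triples into a
    full matrix over all six zone pairs and all services. Anything not
    listed is expected to be denied, so a new hole shows up as a failure."""
    matrix = {}
    for src in ZONES:
        for dst in ZONES:
            if src == dst:
                continue
            for svc in SERVICES:
                key = (src, dst, svc)
                matrix[key] = "allow" if key in allowed else "deny"
    return matrix


def run_regression(hosts, matrix, probe=ssh_probe):
    """hosts maps zone -> IP of the lab computer in that zone.
    Returns a list of (src, dst, service, expected, observed) mismatches;
    an empty list means the firewall behaves exactly as the matrix says."""
    failures = []
    for (src, dst, svc), expected in sorted(matrix.items()):
        reached = probe(hosts[src], hosts[dst], SERVICES[svc])
        observed = "allow" if reached else "deny"
        if observed != expected:
            failures.append((src, dst, svc, expected, observed))
    return failures


# Constructed sample policy (not the author's real rules): outside may reach
# ssh and http on the inside, and inside may reach everything on the dmz.
SAMPLE_ALLOWED = {("outside", "inside", "ssh"), ("outside", "inside", "http")}
SAMPLE_ALLOWED |= {("inside", "dmz", svc) for svc in SERVICES}
# Constructed placeholder addresses for the three lab computers
SAMPLE_HOSTS = {"inside": "10.0.0.10", "dmz": "10.0.1.10", "outside": "9.9.9.9"}

if __name__ == "__main__":
    for failure in run_regression(SAMPLE_HOSTS, expected_matrix(SAMPLE_ALLOWED)):
        print("FAIL: %s -> %s %s expected %s, got %s" % failure)
```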

Tomorrow, I'll finish the regression test setup. Then I'll unhook the 525 and try it all out on the 515. I haven't decided yet which one will be the main pix, but probably the 515 (since it doesn't reboot every 24 hours, leaving one minute of non-service which could be a bit of a pain). And I'll use the 525 as a backup firewall, so if the 515 should stop working, I can just swap in the 525 until I get the 515 fixed (or buy a new one). I'll also look at the 515 failover unit, except that I can't use it for that as it stands, it only has two interfaces. But maybe I can take one of the four-port cards out of the 525 and put it in the 515 failover.

Something important I've learned - if you're a network engineer, and you know your stuff, you've got a job for life.

Wednesday 4 February 2015

Suddenly ...

And suddenly, there's the Raspberry Pi 2. It has twice the memory (1GB; the Pi 1 has 512MB), a clock speed of 900MHz (the Pi 1 is 700 if you don't overclock it) and it's quad core, meaning that it has four CPUs, and linux will nicely take advantage of those. It has four USB ports (the old Pi had two). The old Pi 1 was $35; the new Pi 2 is $35, so that's a 0% increase.

I want one.

RS components are, of course, out of stock. Oh well, I don't want one urgently. The Pi 1's that I'm using (a dozen or so) are working very well, and most importantly, they are very stable. They've been running for more than a year, and they just don't crash at all!

Vitamins for your hair

I see advertisements on TV for products that "nourish your skin", products that "detox your body" and now I've seen "vitamins for healthy hair".

What rubbish this all is. Holland and Barrett, for example, sell "Viviscal hair growth programme tablets", at £200 for one treatment (takes six months). The claim they make is "helps maintain normal healthy hair growth from within".  At the end of six months, you'll find that your hair has grown normally? ... wow! I get the same effect without doing anything. I even have to pay someone to cut some of it off.

Likewise "detox". My kidneys and liver do that for me. H&B offer 38 products in their "detox" category. But the whole "detox" industry is based on a lie.

The marketers have taken the concept of "vitamins" and harnessed it for their own benefit. A vitamin is a chemical that your body can't synthesise (or can't synthesise enough of) and so you have to eat some. But once you have enough of it, more of the vitamin does nothing for you.

More broadly, the marketers have hijacked everyone's understandable desire for good health, and they try to persuade you that their product is essential for your wellbeing. 

If you don't get enough vitamin C, you get scurvy. It's actually quite difficult to not get enough vitamin C, you have to be at sea for months on end and not eat any citrus fruit. Vitamin deficiency diseases are, in populations rich enough to waste money on unnecessary pills, very rare.

I'm not going to give you health advice. Except that, unless your GP has told you to, don't waste your money on "health products".

And don't get me started on homeopathy, alternative and complementary medicine. That's what killed Steve Jobs.

Tuesday 3 February 2015


I struck gold. I can now have a computer on the "outside" of my network, with the IP address of (which belongs to someone, I don't know who, but I'm only using this within my lab) to a server with the ip address, which is on the "inside" interface of the pix.

The key realisation came, once again, when I looked at things from the point of view of the packet. So, I'm trying to log on from "jane" (which is my pretended outside computer) to "silverspoon" which is a computer on the inside interface, using ssh. First, I told the pix to allow this. Then I set up the NAT, equating the actual address of jane ( to an address that I've been allocated, which will be used by outside people. Then I told jane to route packets that weren't for her local subnet (jane's local subnet is all IP addresses starting with 9.9.9, so that's a /24, or in other words a netmask of to the pix, with the two commands:

route add a.b.c.d/32 dev eth0 
(where a.b.c.d is the outside interface of the pix)
route add -net 0/0 gw a.b.c.d eth0

So now packets could reach the pix, the pix would process them, decide they were kosher, and send them to its "inside" interface. The packets would emerge from the pix, and look for, on the local subnet, find it, and trundle happily to silverspoon. But what about packets going the other way? I had to tell silverspoon that if a packet wasn't for the local network, send them to the pix's inside interface.

route add -net 0/0 gw eth0

So using all this, I was able to log in from jane to silverspoon. One small problem - something was slowing things down very badly, and the pix was saying that jane was trying to do DNS lookups (and failing, because I haven't provided a DNS server for jane). I thought about that a bit, and went to sshd_config and ssh_config and disabled GSSAPIAuthentication. And then login was instant. I've seen this before.

To make this permanent (i.e., to survive a reboot) I think I have to add this to the file   


So. Now I can access the inside of my network from the outside, and vice versa. I can access the DMZ from the inside and vice versa. And I'd guess that dmz-to-outside is going to be a doddle, because it's going to be similar to the previous cases. So, overall, I feel that I'm now on top of the pix. All I need now, is for my line to arrive, and that's held up by the need for BT to check the pipe under the road, which needs permission from the Traffic Authority. Which might happen some time this year. The latest estimate is the end of April.


I had planned to go caching today, but the snow put paid to that idea. It's not that an inch of snow is a big problem ... unless you're caching on a bike. A) you can't see the ground you're riding over, which could be perilous and B) the caches can be invisible under a layer of snow.

So instead, I did some work in the Data Center. First, I've set up a new workstation there. My brother-in-law donated his old computer - I didn't even look at it for a few weeks, assuming it would be an old clunker, but when I did, I was very surprised. It's a Dell Inspiron, a 4-core 2.4 GHz AMD processor with a brand name I don't remember; fantasticon or something. 8GB of memory, 1TB of hard disk, and a DVI video interface. Fortunately, I have a DVI-to-VGA converter that I'm using until I can get a DVI cable. There's no PS/2 keyboard or mouse port, so I'm using a USB mouse, and one of my old IBM AT keyboards with a PS/2 to USB converter. I installed Fedora core 20, and it runs like the wind! I tried it on 1920 by 1200 pixels, and it worked, but the display was very twitchy. At first, I put it down to the age of the monitor, but then I had a thought, and tried it on 1920 by 1080, and that works very well.

I'm still working on the pix, and what I'm trying to do now, is connect up a computer that will be on the outside interface, to check that access to the dmz and inside works. So I set up a computer with the ip address, connected that to the outside interface of the pix, and ... nothing. The problem was that the "outside" computer couldn't route packets to the pix, because the outside interface of the pix is on a different subnet. I tried to tell it the route to the pix, with

route add -net 0/0 gw a.b.c.d eth0 (where a.b.c.d is the outside interface of the pix)

but it wouldn't accept that. After some googling, I tried:

route add a.b.c.d/32 dev eth0
route add -net 0/0 gw a.b.c.d eth0

And that worked! So now, packets from the "outside" computer intended for my inside network, were at least getting to the pix ... which was dropping them. I'll sort that out, though.

Another thing I discovered. If you're using the ASDM from one computer and try to use it from another, it doesn't work and you get a very misleading error message. After a while, I realised that it was probably too optimistic to expect this to work, closed one of them down, and now it works from my new Data Center workstation.  So now I can:

- reconfigure the "outside" computer (which I can only do sitting in front of it, because it's on this phony IP address)
- reconfigure the pix using the lovely web-based ASDM on the Inspiron
- see the pix error messages via the pix's serial port, connected to another computer that I log into and run a comms program (minicom) from the Inspiron.

Error messages are sometimes very misleading. If you think about this from the point of view of the programmer, he can detect that something isn't working, but once things aren't working right, it can be difficult, or even impossible, to say what's wrong. So you should treat all error messages as meaning "Something is wrong, I don't know what" and regard anything more specific as potentially useful, but also potentially misleading.

Monday 2 February 2015

New batteries!

One of my big UPSes has been showing a red "Battery dead" light for a while. And every now and then it has a fit of beeping. So I finally decided to do something about it.

First, I needed a UPS to put in while I worked on it. I have several old UPSes from BPC, that haven't worked for a long time. So I decided to put new batteries in those. I got eight batteries so that I could revive two of them; each set of four was £74, which is pretty cheap compared to a new UPS - on Ebay, 3000 VA UPSes with new batteries go for about £300. The batteries for the APC 3000 cost £95 for a set of eight; I've done this a few times.

The first one rebatteried easily, although it was a struggle to get the old batteries out. When batteries get really old, they swell slightly. But my faithful crowbar helped, and I got them out. Replacing was easy, except when I connected up the last battery connection, there was a big fat spark. Quite alarming if you aren't expecting it. That's the capacitors charging up.

Then I re-batteried the second one. But when I powered it up, it didn't work. So I took the battery tray out and put it in a third one, which worked fine.

The big UPSes I use are 3000 VA, which is about 2200 watts - enough for a dozen or so computers. But I only put half that many on each one; it means that in the event of a power failure, I get twice the run time. They have 8 batteries, each 12 volts, 7 Ah, so that's 672 watt-hours. The smaller BPCs are also 3000 VA, but they use four batteries at 12 Ah, giving 576 watt-hours. So they'll handle the same load, but will last 15% less time. This isn't a problem. And the BPCs feel somewhat lighter; I can actually walk while lifting one, which I can't with the APCs.

For comparison - when I go out on my electric bike, I take three sets of batteries; each set is three 4S batteries at 5 Ah. So each set is 288 watt-hours, and my saddlebag total is 864. And I can lift it with one hand, whereas the big APC UPSes I can barely lift with both; it's 60 kilograms. My three sets of bike batteries are about 5 kg. That's partly the difference between LiPo and lead-acid, and partly the great weight of the transformer inside the UPS.

So I disconnected all the computers from the UPS I was worried about, and connected them up to one of the newly-batteried ones. The batteries on the old APC are vintage 2011 (when I put batteries in a UPS, I stick a label on with the date). So it's not too surprising that four year old batteries aren't good. But then I powered the UPS off, and back on again, and whatever error condition was worrying it, seems to have cleared. No red light!

So maybe I should have done that first.

Sunday 1 February 2015

Bandwidth display completed

It turned out there were a couple of complications. The worst was with ifconfig. When the number of bytes transmitted or received reaches 4gb, it "goes around the clock" to zero. It took me a while to sort that out, but the answer turned out to be simple. If there seems to be a negative number when you subtract the older figure from the newer one, add 4gb.

So then I had to fumble around a bit, getting the bugs out of my code, until I got nice pretty graphs, in png format. So now I could work on putting them up on a refreshing display.

First, I chose the four most interesting graphs; that's for the total bandwidth used here and at my colocation (I get those from the pixes). Then two servers, one there and one here, the ones most likely to be heavily used. And then ImageMagick. Montage to combine the four PNGs into a single one, Convert to resize them to 800 by 480 for these smaller screens, and then ffmpeg to convert them to framebuffer format.

So now I have no excuse for avoiding work in the pix.

Bandwidth display

I thought, wouldn't it be nice to have a continuously-updating display of how much bandwidth each server is using? And I wondered how to get the pix to tell me how much was going through, broken down by server. I can get the total going through the pix (I do that already, to keep an eye on saturation of my line), but per server? I couldn't see how.

And then I thought of ifconfig. When you run that on a server, it gives you lots of information about the interfaces, including a cumulative total of bytes received and transmitted.

So, I wrote a dozen-line program which loops round a list of servers, uses ssh to remotely run ifconfig, and parses the results to a line that is:

servername, epoch time, bytes rx, bytes tx

and it writes that to a file. I found, in doing that, that different versions of ifconfig have a slightly different output format, but that was easy to overcome.

Cron runs the program once per minute. Of course, that won't be *exactly* a minute, but that won't matter.

Then I have another program that reads the file, and works out the time interval between two takes (which will be roughly a minute, but not exactly), and hence the bytes per second.
Then the program chews through what it's read, and spits out a png file for each server, over a period of one day, one week and one month. So for six servers, that's 18 graphs. The program is only 90 lines, I was quite surprised.
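The collector and rate calculation described here, together with the 4GB counter wrap from the "Bandwidth display completed" post above, as an added example that is not the author's program. The two ifconfig outputs and the epoch times are constructed samples, and the interface name em1 is borrowed from the foggy post; the old and new net-tools formats shown are the ones the parser recognises.

```python
import re

# Two ifconfig output styles, constructed here as sample input (not captures)
OLD_STYLE = """em1       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          RX packets:4000 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3000 errors:0 dropped:0 overruns:0 carrier:0
          RX bytes:4294907296 (4.0 GiB)  TX bytes:123456789 (117.7 MiB)
"""
NEW_STYLE = """em1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        RX packets 4000  bytes 60000 (58.5 KiB)
        TX packets 3000  bytes 123462789 (117.7 MiB)
"""

COUNTER_WRAP = 2 ** 32  # a 32-bit byte counter "goes round the clock" at 4GB


def parse_ifconfig(text):
    """Return (rx_bytes, tx_bytes) from either ifconfig output format."""
    old = re.search(r"RX bytes:(\d+).*?TX bytes:(\d+)", text, re.S)
    if old:
        return int(old.group(1)), int(old.group(2))
    rx = re.search(r"RX packets \d+\s+bytes (\d+)", text)
    tx = re.search(r"TX packets \d+\s+bytes (\d+)", text)
    if rx and tx:
        return int(rx.group(1)), int(tx.group(1))
    raise ValueError("unrecognised ifconfig output")


def record_line(server, epoch, ifconfig_text):
    """One line of the collector's file: servername, epoch time, rx, tx."""
    rx, tx = parse_ifconfig(ifconfig_text)
    return "%s, %d, %d, %d" % (server, epoch, rx, tx)


def parse_record(line):
    server, epoch, rx, tx = (field.strip() for field in line.split(","))
    return server, int(epoch), int(rx), int(tx)


def counter_delta(older, newer):
    """Bytes transferred between two readings, allowing for one wrap:
    a negative difference means the counter passed 4GB, so add 4GB back."""
    delta = newer - older
    if delta < 0:
        delta += COUNTER_WRAP
    return delta


def bytes_per_second(older_line, newer_line):
    """Rate between two records of the same server, using the real interval
    between the samples rather than assuming cron ran exactly a minute apart."""
    s1, t1, rx1, tx1 = parse_record(older_line)
    s2, t2, rx2, tx2 = parse_record(newer_line)
    if s1 != s2 or t2 <= t1:
        raise ValueError("records must be from one server, in time order")
    interval = t2 - t1
    return counter_delta(rx1, rx2) / interval, counter_delta(tx1, tx2) / interval
```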

Still to do ... testing the above. Converting the png to suitable framebuffers, so that I can just blurt it to the screen in a rolling display, server by server. I've ordered another LCD monitor, to go in the server farm (costing £18, Ebay), and the display will be on that, as well as on the monitors that I currently use to display outside temperature, time and the number of server alerts outstanding.

Of course, what I'm *really* doing here, is finding a way to avoid working on the pix.