  • Netfilter Conntrack Memory Usage

    June 17th, 2009

    On a busy Linux Netfilter-based firewall, you usually need to raise the maximum number of tracked connections, or new connections will be denied and you’ll see kernel log messages like this: nf_conntrack: table full, dropping packet.

    More connections will use more RAM, but how much?  We don’t want to overcommit, as the connection tracker uses unswappable memory and things will blow up. If we set aside 512MB for connection tracking, how many concurrent connections can we track?

    There is some Netfilter documentation on wallfire.org, but it’s quite old. How can we be sure it’s still correct without completely understanding the Netfilter code? Does it account for real life constraints such as page size, or is it just derived from looking at the code? A running Linux kernel gives us all the info we need through its slabinfo proc file.

    Read the rest of this entry »
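    As an added example (not code from the original post), here is a Python script that turns a slabinfo line into that answer: it parses the nf_conntrack cache entry, counts how many objects actually fit in each slab's pages instead of trusting the raw object size, and divides the 512MB budget accordingly. The slabinfo figures and the 4 KiB page size are constructed assumptions, not measurements from a real firewall.

```python
"""Estimate how many conntrack entries fit in a RAM budget, using /proc/slabinfo.

Data lines of slabinfo (format 2.x) begin: name active_objs num_objs objsize objperslab pagesperslab.
The raw objsize understates the real cost: a slab is pagesperslab whole pages yet holds
only objperslab objects, so each slab's unused tail is paid for too.
"""
import os

PAGE_SIZE = 4096  # assumption: 4 KiB pages (x86); use os.sysconf("SC_PAGE_SIZE") on a live box

# Constructed sample in slabinfo layout; the figures are illustrative, not measured.
SAMPLE_SLABINFO = """\
slabinfo - version: 2.1
# name <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables <limit> <batchcount> <sharedfactor> : slabdata <active_slabs> <num_slabs> <sharedavail>
nf_conntrack_expect      0      0    240   17    1 : tunables    0    0    0 : slabdata      0      0      0
nf_conntrack          2831   3108    304   13    1 : tunables    0    0    0 : slabdata    239    239      0
kmalloc-64            8960   8960     64   64    1 : tunables    0    0    0 : slabdata    140    140      0
"""

def parse_slabinfo(text):
    """Map cache name -> (objsize, objperslab, pagesperslab), skipping the two header lines."""
    caches = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith(("slabinfo", "#")):
            f = line.split()
            caches[f[0]] = (int(f[3]), int(f[4]), int(f[5]))
    return caches

def naive_entries(budget_bytes, slabinfo_text=SAMPLE_SLABINFO, cache="nf_conntrack"):
    """Back-of-envelope figure: budget divided by the raw object size (overstates capacity)."""
    objsize, _, _ = parse_slabinfo(slabinfo_text)[cache]
    return budget_bytes // objsize

def max_conntrack_entries(budget_bytes, slabinfo_text=SAMPLE_SLABINFO,
                          cache="nf_conntrack", page_size=PAGE_SIZE):
    """Slab-aware figure: whole slabs that fit in the budget, times objects per slab.
    Older kernels name the cache ip_conntrack; pass cache="ip_conntrack" there."""
    _, objperslab, pagesperslab = parse_slabinfo(slabinfo_text)[cache]
    return (budget_bytes // (pagesperslab * page_size)) * objperslab

if __name__ == "__main__":
    text = SAMPLE_SLABINFO
    if os.access("/proc/slabinfo", os.R_OK):  # readable only by root on most distributions
        with open("/proc/slabinfo") as fh:
            live = fh.read()
        if "nf_conntrack" in parse_slabinfo(live):  # fall back to the sample if the module is not loaded
            text = live
    budget = 512 * 1024 * 1024
    print("naive estimate:     ", naive_entries(budget, text))
    print("slab-aware estimate:", max_conntrack_entries(budget, text))
```

    The script only sizes the conntrack entries themselves; the conntrack hash table is allocated separately and is not counted here.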

    Tags: conntrack, firewall, iptables, kernel, limit, linux, max, netfilter, performance, ram, slab

    Posted in Tech | 1 Comment »

  • Virtualized Storage Talk at WYLUG

    November 10th, 2008

    I’m doing a talk tonight about virtualizing your storage with LVM on Linux at the West Yorkshire Linux User Group. Sorry about the short notice here (it was announced earlier in the week elsewhere though).

    My mate Paul Brook is talking about RAID on Linux too.

    Come along for the talk, or the beer, or the socialising – or all three.

    Tags: linux, lvm, raid, storage, talks, virtualization, wylug

    Posted in Tech | No Comments »

  • Sun’s ZFS on Linux via FUSE

    February 8th, 2007

    Ricardo Correia has been porting Sun’s recently GPLed ZFS to Linux using FUSE. I’ve been playing with it and I’m quite impressed. The FUSE port is alpha quality, so isn’t to be trusted with important data yet – but it’s fun to play with.

    ZFS merges the concept of a volume manager and a filesystem. It’s a bit like LVM, with zpools being volume groups and zfs being formatted logical volumes. Zfs “partitions” can change size at any time in any way. It’s also hierarchical, so zfs partitions can have child partitions inheriting their attributes. It also does away with fstab – all mount points are specified as zfs attributes and are automatically mounted when a zpool is brought online.

    Read the rest of this entry »

    Tags: filesystem, fuse, linux, solaris, sun, zfs

    Posted in Tech | No Comments »

  • IPSEC VPN problems upgrading to Ubuntu Edgy

    November 2nd, 2006

    I upgraded my home gateway firewall to Edgy today in the hope of fixing some SATA problems I’ve been experiencing. The new Edgy kernel might help – we’ll see.

    Anyway, it went pretty well. Two runs (?) of apt-get dist-upgrade -u, a reboot and there I was.

    Unfortunately I had two problems with my Openswan IPSEC VPNs. I’m not so sure if these count as bugs. I’ll be investigating further and reporting if so. Anyway, techie details follow…
    Read the rest of this entry »

    Tags: dapper, edgy, icmp, ipsec, iptables, kernel, linux, NAT, netfilter, openswan, pmtu, Ubuntu

    Posted in GNU/Linux, Networks and Firewalls, Tech, Ubuntu | 1 Comment »

  • Half a LUGRadio meet

    December 13th, 2005

    I met Stuart Langridge and Jono Bacon from LUG Radio last night as they came to Leeds where Jono talked at my local LUG. Wookey also gave a talk about the latest stuff going on in the Emdebian world.

    And of course I also met up with some of the WYLUG regulars (Robert Speed, Jim Jackson, James Holden, et al) and some perhaps not so regular (which would include me btw).

    We enjoyed the talks, went to a local Italian place for dinner then to a local pub. Was a great night.

    Tags: emdebian, leeds, linux, LUG, lugradio, user group, wylug

    Posted in Personal, Tech | 1 Comment »

  • netfilter ip_conntrack_ftp and tls

    December 7th, 2005

    Here I am attempting to connect to a server using lftp wondering why the firewall is blocking the incoming data connections, even though ip_conntrack_ftp has been working for years.

    lftp supports tls, and so does the server I’m connecting to. This means the control connection is encrypted, so the netfilter ftp connection tracker can’t peek inside the packets to find out which ports to open up to allow the data connections. DUH. Ftp sucks.

    Anyway, the only way I found to disable tls support in lftp is to add the following line to ~/.lftp/rc:

    set ftp:ssl-allow false

    Tags: conntrack, firewall, ftp, lftp, linux, netfilter, tcp, tls

    Posted in Networks and Firewalls, Tech | 2 Comments »

  • Xorg xserver $HOME/xorg.conf

    September 16th, 2005

    It turns out that xorg will use $HOME/xorg.conf if it finds it, rather than the default in /etc/X11/xorg.conf.

    I didn’t know this, and didn’t notice that it was telling me this in the logs. I’ve now wasted a bunch of time troubleshooting a font problem on Ubuntu where xorg couldn’t find my fonts and I was working from the WRONG CONFIG FILE. AGH!

    Anyway, in other Ubuntu xorg related news, something changed in the latest Breezy upgrades that causes /dev/input/mice not to be created. Xorg then bombs on boot as that’s my core pointer. If you restart udev the device nodes get created fine. Not sure what this is yet.

    Tags: fonts, gdm, kernel, linux, Ubuntu, udev, xorg, xserver

    Posted in Tech, Ubuntu | 1 Comment »

  • grsecurity and selinux

    September 28th, 2004

    I’m playing with the grsecurity patches for Linux. Unfortunately 2.6.8 changed in a way that causes major headache for the grsec team, so no planned release date for a new patch. Having some problems with strange enforcements of rlimits, potentially linked to the rlimit auditing code. I’ll hopefully get time to tinker with SELinux too.

    Tags: grsec, linux, Security, selinux

    Posted in GNU/Linux, Security, Tech | No Comments »

  • 2.6.7-8 default window scaling settings

    September 4th, 2004

    My new Fedora installation was playing up with certain web sites resulting in *very* slow download (I could see the words drawing on my screen one by one). An Ethereal dump showed a nice big window size, but max 120 byte packets and an ack for each one!

    Well it turns out since about kernel 2.6.7, the default tcp_window_scale setting has been 7. The problem is, as was with ECN, there are lots of broken routers out there which break window scaling (they strip the TCP options, which is totally against RFC, and common sense). So the other end doesn’t know you’re scaling, so it’ll think you set (or you think it set) a tiny ikle window size.

    Anyway I fixed it for now with a ‘net.ipv4.tcp_default_win_scale = 0’ in my /etc/sysctl.conf, but there is a new kernel patch floating around which seems to be a bit cleverer and will be due in the next kernel.

    Tags: ethereal, fedora, linux, tcp

    Posted in Tech | No Comments »

  • RedHat, Firestorm, 802.11b and rpm2html

    March 22nd, 2004

    I’ve been working on my qmail rpms for RedHat ES/AS/Fedora. I’ve even started some documentation. It’s all on my RedHat page.

    I’ve also been working on Firestorm, improving the arp decoder and developing my macwatch arpwatch clone. Hopefully this will appear in the latest Firestorm tree soon.

    I recently ditched my aging Linux wireless bridge/router/firewall in favour of a little Linksys device that cost no more than 60 pounds, uses considerably less electricity and makes almost no noise. The price is impressive and even the device seems to work ok. One thing it can’t deal with properly at all is the TCP ECN flag. The web admin port just sends a RST. Can you believe a Cisco company would make this mistake? Yes. I can.

    Also, I’ve created an rpm2html index of all the RPMs in my downloads tree. Some are old crap I’ve not bothered deleting yet, but there is some stuff in there that will be useful to someone (not just google).

    Gianni will be home from Luxembourg soon.

    Tags: cisco, ecn, fedora, firestormnids, linksys, linux, nids, qmail, redhat

    Posted in GNU/Linux, Tech | No Comments »

  • RedHat

    November 11th, 2003

    RedHat have reannounced the dropping of support for some old versions (ends April 2004, still lots of warning). I say reannounced due to the fact they originally announced this December 2002. And have had it on their website ever since (very clearly). If you want a supported RedHat distro now (by supported I mean the fixing of security and functional bugs) you either need to pay for and use one of the RedHat Enterprise Linuxes, or use the Fedora Project distro. The RHEL versions are released every 18 months and supported for 5 years. Fedora looks to be an ongoing thing, but community supported. Lots of freeloaders are moaning and complaining. They don’t seem to understand that if you don’t have the skills to pay the bills (and patch, fix and recompile software yourself) you pay somebody else to do it for you. This support system is how people are expected to make money from GPL/open source software (and yes, people ARE allowed to make money). It sounds like it’s mostly coming from morons who list “cost” as the main benefit of using GNU/Linux as a server operating system. Get a clue.

    Tags: fedora, linux, redhat

    Posted in GNU/Linux, Tech | No Comments »

  • Linux Access Point

    July 4th, 2003

    Most 802.11g cards allow only Managed or Ad-Hoc modes. With the hostap Linux driver for Prism based wireless cards, the Master mode becomes available, allowing you to run your own access point. I now have my central box (babaracus) as an access-point and the client laptops in Managed mode. This has severely increased throughput as I could usually only manage less than 1Mb but now can utilise the full 11. Using the userspace hostapd you can do clever things like Radius authentication and dynamic WEP keys, but I’ve not played with that yet. I’ve had a few problems (lock ups on an SMP and loss of clients after restarting the AP) but it’s early days yet.

    Tags: linux, wep, wireless

    Posted in Tech | No Comments »

  • John Leach

    • John Leach is a human being living in Leeds, UK.
Creative Commons License The text of this blog is licensed under the Creative Commons BY-ND license