Monday Oct 06, 2008

Power outage scared the bejesus out of me, but not my Sun Ray

I just had a mini-power outage where all of my screens and printer went off. So did my Sun Ray. My heart is still beating fast from the shock.

I was right in the middle of an important editing session and was just then doing a save. All I could think of was did I get it in time or not?

It didn't matter - my Sun Ray server is on UPS. My Sun Ray had powered back up and I unlocked the screen in under 30 seconds. I could even see that I had just saved the file.

In case you can't tell, I love my Sun Ray setup. My office is quiet, my "machine room" is loud.


Originally posted on Kool Aid Served Daily
Copyright (C) 2008, Kool Aid Served Daily

Tuesday Dec 11, 2007

Updating my Sun Ray Server and DTU firmware

The ice storm in Tulsa is playing havoc with my power - causing brown-outs. My servers are all on UPS, but not my Sun Ray 1G (which is also a DTU in Sun Ray terminology). The upshot is that it recycles and that causes it to get a new DHCP lease. And that causes my punchin session to block the Sun Ray. My configuration is that my w2100z is my Sun Ray server and my punchin client. I connect my Sun Ray to the w2100z, tell the ipsec configuration to bypass traffic to it, and then start up punchin (think VPN client).

Once the IP changes, I have to go in through a console to the w2100z to turn off punchin and then reconfigure the security. I could open up the entire subnet, but that really isn't very polite/secure.

Oh, and my DHCP server is a linksys, so it doesn't support handing out fixed IP. I could move the DHCP server to my web server, but I like having it on the linksys.

So I went looking for answers. I found planet sunray-users, which had a link to Fat Bloke — SGD 4.4 - The Administration Console which looked really cool and in the end, I don't think it does what I want. I installed it anyway, to play with later.

It also had a link to ThinkThin — SRSS 4.0 patch -01 released. I normally do not install patches, because I BFU Nevada systems, but I tried it anyway. (This system is special in that I don't BFU it willy-nilly because of the Sun Ray Server.) The patch failed, it said my packages were wrong.

The next link I found was to Latest News Sun Ray User Group Wiki and an announcement to Sun Ray Software 4 09/07 being released. It has a pop-up GUI by which you can configure the IP. That is what I need! By now, I suspect that I don't have Sun Ray Software 4 at all, despite loading those packages. I followed the install instructions over at Sun Ray Server Software 4.0 Installation and Configuration Guide for the Solaris Operating System and sure enough, it uninstalls Sun Ray Server 3.1.

It saved my 3.1 configuration and I didn't have to step through that again (well, other than to install the Tomcat admin stuff). At one point, I updated the firmware - I think. I also applied the patch set afterwards.

Sun has further documentation which is of help - Sun Ray Server Software 4.0 Administrator's Guide for the Solaris Operating System. It had a section on getting the pop-up GUI to work on the DTU. And since neither Stop-S nor Stop-N worked, but other pop-ups did work, I had to assume I needed to install the GUI firmware. Which is not installed by default.

The only problem was that the firmware process would not reload an existing firmware image:

# /opt/SUNWut/sbin/utfwadm -A -a -N all -f /opt/SUNWut/lib/firmware_gui
        All the units served by "warlock" on the 192.168.2.0
        network interface, running firmware other than version
        "GUI4.0_127553-01_2007.11.09.17.41" will be upgraded at their next power-on.

# /opt/SUNWut/sbin/utfwsync -v

Stopping Authentication Managers on warlock ...

Stopping host 'warlock'
Warning: no private interconnect interfaces configured - no action taken
        All the units served by "warlock" on the 192.168.2.0
        network interface, running firmware other than version
        "4.0_127553-01_2007.11.09.17.41" will be upgraded at their next power-on.

### stopped DHCP daemon
### started DHCP daemon
### reinitialized DHCP daemon

Will restart Authentication Managers in 5 seconds

Restarting Authentication Managers ...

Restarting host 'warlock'
stopping authentication manager
starting authentication manager

The DTU did restart, but the pop-up GUI did not. Looking at the man page, I added '-F':

# /opt/SUNWut/sbin/utfwadm -A -a -N all -F -f /opt/SUNWut/lib/firmware_gui
        All the units served by "warlock" on the 192.168.2.0
        network interface, running firmware other than version
        "GUI4.0_127553-01_2007.11.09.17.41" will be upgraded at their next power-on.

### stopped DHCP daemon
### started DHCP daemon
### reinitialized DHCP daemon

I was upset at first, it was hard to see that 'GUI' in the version string. I redid the 'utfwsync' and I paid attention - I didn't see the DTU tell me it was updating the firmware. And a Stop-V showed it to still be on the old firmware. I did a Ctrl-Alt-Moon and still no luck. The same with pulling the power cord. Grr!

Hey, the 'utfwsync' told me what went on:

# /opt/SUNWut/sbin/utfwsync -v

Stopping Authentication Managers on warlock ...

Stopping host 'warlock'
Warning: no private interconnect interfaces configured - no action taken
        All the units served by "warlock" on the 192.168.2.0
        network interface, running firmware other than version
        "4.0_127553-01_2007.11.09.17.41" will be upgraded at their next power-on.

I need to tell it as well to get the right firmware version. Hmm, I need to change this link:

# ls -la /tftpboot/Sun*
lrwxrwxrwx   1 root     root          39 Dec 11 14:17 /tftpboot/SunRayP8 -> SunRayP8-4.0_127553-01_2007.11.09.17.41
-rwxr-xr-x   1 root     sys       474976 Nov  9 19:48 /tftpboot/SunRayP8-4.0_127553-01_2007.11.09.17.41
-rwxr-xr-x   1 root     sys       475004 Nov  9 19:48 /tftpboot/SunRayP8-GUI4.0_127553-01_2007.11.09.17.41
-rw-r--r--   1 root     root          62 Dec 11 14:17 /tftpboot/SunRayP8.parms
# cd /tftpboot
# rm SunRayP8
# ln -s SunRayP8-GUI4.0_127553-01_2007.11.09.17.41 SunRayP8

And try again ... only to have my hopes dashed again!

Some interesting info:

# cd /opt/SUNWut/sbin
# ./utfwload
  2.0 th199096 192.168.2.2     P7.0003baa8c261    4.0_127553-01_2007.11.09.17.41
# ./utfwadm -P
System Version(P1)      4.0_127553-01_2007.11.09.17.41

Domain          Intf    Upgrade to
------------    ------  --------------------------
192.168.2.0     subnet  4.0_127553-01_2007.11.09.17.41
# cd /tftpboot
# more SunRayP8.parms
version=4.0_127553-01_2007.11.09.17.41
revision=3
barrier=321

So I can change that manually, but I think that the 'utfwadm' command should have done that with the '-f'. Okay, I took the easy road and edited it. And that still didn't work! Where is 'utfwsync' getting that info? Hmm, the link is back:

lrwxrwxrwx   1 root     root          39 Dec 11 14:40 SunRayP8 -> SunRayP8-4.0_127553-01_2007.11.09.17.41

Hmm, I think I am making this too hard. Let's look at the output of 'utfwadm':

        All the units served by "warlock" on the 192.168.2.0
        network interface, running firmware other than version
        "GUI4.0_127553-01_2007.11.09.17.41" will be upgraded at their next power-on.

I bet I shouldn't be running 'utfwsync' after it. And that does the trick. Do the 'utfwadm' and then CTRL-ALT-MOON the DTU. I'd still like to know how to change the default firmware image.
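The sequence above turns on one thing worth checking before each power cycle of the DTU: which image /tftpboot is actually set to serve at that moment. The script below is an added example, not part of the original post and not a Sun Ray tool. It only reads the files that utfwadm and utfwsync manage: it resolves the SunRayP8 symlink, reads the version= line of SunRayP8.parms, and reports whether the two agree and whether the image about to be served is the GUI build. The naming convention (SunRayP8 -> SunRayP8-<version>, plus SunRayP8.parms) is assumed from the ls and more output above; the throwaway tftpboot directory it builds is constructed sample data so the check can be run anywhere.

```python
"""Report which firmware a Sun Ray tftpboot directory is set to serve.

Added example, not from the original post and not a Sun Ray tool. It only reads
the files utfwadm/utfwsync manage; the naming convention SunRayP8 ->
SunRayP8-<version> plus SunRayP8.parms is assumed from the listing on the page.
"""
import os
import re
import tempfile


def read_parms(path):
    """Parse key=value lines (version=..., revision=3, barrier=321) into a dict."""
    parms = {}
    with open(path, encoding="ascii") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, _, value = line.partition("=")
            parms[key.strip()] = value.strip()
    return parms


def firmware_state(tftpboot, link_name="SunRayP8"):
    """Describe what a DTU will be told to load at its next power-on.

    Compares the version suffix of the symlink target with the version= entry
    in the .parms file. They disagree in exactly the situation the post ran
    into: utfwsync putting the link back to the non-GUI image after utfwadm -f.
    """
    link = os.path.join(tftpboot, link_name)
    target = os.readlink(link)  # e.g. SunRayP8-GUI4.0_127553-01_2007.11.09.17.41
    match = re.fullmatch(re.escape(link_name) + r"-(.+)", target)
    if not match:
        raise ValueError(f"unexpected link target {target!r}")
    link_version = match.group(1)
    parms_version = read_parms(os.path.join(tftpboot, link_name + ".parms")).get("version", "")
    image_present = os.path.isfile(os.path.join(tftpboot, target))
    return {
        "link_version": link_version,
        "parms_version": parms_version,
        "image_present": image_present,
        "consistent": image_present and link_version == parms_version,
        "gui": link_version.startswith("GUI"),
    }


def make_sample_tftpboot(want_gui=True, parms_match_link=True):
    """Build a throwaway tftpboot mirroring the listing on the page (constructed data)."""
    d = tempfile.mkdtemp(prefix="tftpboot-")
    base = "4.0_127553-01_2007.11.09.17.41"
    for version in (base, "GUI" + base):
        with open(os.path.join(d, "SunRayP8-" + version), "wb") as fh:
            fh.write(b"\0" * 64)  # stand-in for a firmware image
    link_version = "GUI" + base if want_gui else base
    os.symlink("SunRayP8-" + link_version, os.path.join(d, "SunRayP8"))
    parms_version = link_version if parms_match_link else base
    with open(os.path.join(d, "SunRayP8.parms"), "w", encoding="ascii") as fh:
        fh.write(f"version={parms_version}\nrevision=3\nbarrier=321\n")
    return d


if __name__ == "__main__":
    # Three layouts: what utfwadm -f leaves behind, the link/parms mismatch the
    # post hit, and the stock non-GUI image.
    for gui, match in ((True, True), (True, False), (False, True)):
        print(firmware_state(make_sample_tftpboot(gui, match)))
```

Run it against the real /tftpboot right after utfwadm and again after anything that restarts the Sun Ray services; if consistent is False, or gui is False when the GUI image was wanted, re-run utfwadm instead of power cycling the DTU.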

I now have a fixed IP (must note to watch the MTU setting, I picked the default of 1500, which is also what the linksys was handing out). I can make sure that my ipsec configuration is set. And I've gotten a great feel for using the interfaces to the Sun Ray firmware.

The links I have provided were great, especially the planet sunray-users and Latest News Sun Ray User Group Wiki! And looking at the URLs, they are the same site. :-> The docs and the man pages helped - next time I'll try and not make it so hard.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Monday Dec 10, 2007

Firefox is free, as in you don't need to provide any information

My computer crashed and the first two real pieces of software I want to install are Thunderbird and Firefox. I do not want Internet Explorer - ever again.

Thunderbird must not be as popular - the search for it took me straight there, I downloaded it and there it was.

Firefox was a different matter - the top searches from Live and google.com both took me to sites which wanted me to register for Firefox. If you see this, exit the page immediately - it is phishing in its worst form.

You can always go to http://www.mozilla.com/firefox/. They don't pester you for your personal details, you just download.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Friday Dec 07, 2007

NewEgg.com and customer service

I'm on a customer service low of late. Valve/Steam and my ex-credit card company rank down there. (My ex-credit card company decided my card was stolen while I was on a business trip. They would not let me charge the tank of gas or my rental car. When I canceled my card, they said I was a great customer and what would it take to change my mind. I said where was that attitude when I needed you?)

So it is always a joy to order something from NewEgg.com. I had googled a 4 USB port KVM and found it for $99. I added it to my cart and then went to NewEgg.com. They had it for $74 and I didn't have to mail off a rebate form. But what really sold it is their policy of putting up pictures of everything in the box. So I could see it really did have cables with it. I could see what they looked like and I could realize any plan of using my old VGA connectors from a previous KVM were ill advised.

I ordered from NewEgg.com, not because of the price break, but because I knew I could count on their customer service.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Monday Jul 30, 2007

Just got my Sun Ray 2 to replace my Cisco 831

We got an incredible offer to trade our Cisco 831s in for Sun Ray 2s at no cost to our departments. I did this and I've got to say that connecting these boxes up through our VPN is just simple. The combination of Sun Ray 1(G) to Cisco 831 to Linksys to internet was kludgey. Whenever you had a tech call in, the troubleshooting was basically, power everything off and back on in a certain order. It didn't matter what your problem was, that was the answer.

Well, the new Sun Ray 2 just connects to my Linksys (I bet in a pinch it could go out directly to the internet) and then I have to authenticate who I am. During the log on process, there is a lot of visual feedback - at times it might go too fast, but you get the feeling that things are proceeding. You aren't stuck with a spinning hour glass and wondering if the only thing running is the hour glass animation code.

The box has a nice form factor, it makes me wonder if I can use it like a Linksys NSLU2. Hmm, I wonder if I could boot it from a USB stick? :-> Anyway, it looks quiet and gives off a vibe that it doesn't consume that much power - very green.

I also have to wonder if it is hardcoded in the firmware to go to the Sun Microsystem's VPN boxes or if I could get it to go to a local Sun Ray server? I know I can certainly buy a Sun Ray 2 in that configuration.

All points to ponder....


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Thursday Jan 25, 2007

My Belkin 54G died yesterday

I lost connection to the SWAN (Sun Wide Area Network) yesterday. It turns out that both the punchin (Solaris IPSEC/VPN tool) servers at Sun and my home router decided to misbehave. The first really illustrated how difficult it is for a company to broadcast that services are down when they use that medium to spread knowledge. And the second was frustrating on several fronts.

I pulled a network cable slightly at one point in the early triaging, so I couldn't ping from one side of the office to the next. When I fixed that issue, I still couldn't ping outside the house. So I called up Cox's customer service. I was really amazed by their phone system trying to triage my issue. It walked me through isolating the issue on the cable modem, then my router, and finally my computer. Like the normal technicians, it had no clue about OSes other than WinXP or Mac OSX. It would ping and probe my cable modem and the router. It made me feel good that it couldn't get past the router.

After 25 productive minutes with the automated system (I'm serious - at the end of the session with it, I knew the problem was with my router.), I got passed to a live tech. He started to repeat the stuff the automated system had me do, but I got him past that quickly. He did isolate that my cable modem was in standby - the automated system should have done that.

He had me connect my desktop up to the cable modem directly and I was getting out. So there was the nail.

Now I've done everything but reset the factory settings on this router. Evidently the WAN ethernet port is hosed. I also had at least two power outages in the morning. My computers are protected, the router is not.

Anyway, I dropped a Linksys WRT55AG in there and I remembered quickly why I hadn't done that in the past. Most broadband routers support simple firewalls and port blocking. Both the Belkin and the Netscreen 10 box allowed you to punch open a port and also allowed you to redirect it. So, port 8085 on my Belkin became port 80 on my internal web server. The Linksys does allow you to open ports, but it does not allow you to redirect them. I tried my Linksys WRT54GL, hoping since it was more modern it would be easier to configure. Nope, it still didn't have the features that I wanted. (I've got WRT54GL because I wanted to install a Linux distro on it and look at putting a slimmer OpenSolaris on it.) I ended up keeping the WRT54GL as my router - when I went back to the WRT54GL, it wasn't working like I wanted.

The big fear for me wasn't configuring apache to serve two addresses. No, it was in getting sendmail to listen to two ports. See, cox.net blocks port 25. They say they only block it coming out, but they also block it going in. It turns out my version of sendmail had support to handle this:

[tdh@adept mail]> diff sendmail.mc sendmail.mc.stock
113c113
< DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
---
> dnl DAEMON_OPTIONS(`Port=smtp, Name=MTA')dnl
120c120
< DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl
---
> dnl DAEMON_OPTIONS(`Port=XXXX, Name=MSA, M=E')dnl

If you just do the MSA change, you lose the ability to get mail on port 25, so you need to also uncomment the line for MTA. Also, I had to remove the 'a' option since mail was being rejected due to not being authorized:

Diagnostic-Code: smtp; 530 5.7.0 Authentication required

So now I could get out and things could get in. This was when I found out that I still could not punchin. I thought perhaps that the router was blocking IPSEC/VPN requests, but the version of punchin I was using let me know that a IPSEC-ized ping was getting through to the punchin servers. I tried different boxes (both clients and servers), still no result. I used my laptop to get into the VPN servers. And I got a new version of punchin.

Finally, someone let me know the servers were hosed.

I've confirmed all of my services are working correctly (last time I had to change my internal server before a trip, I couldn't ssh back in). Guess I'll have to get another WRT54GL to play with.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Sunday Jan 14, 2007

Ice storm and the view from my office

This is the view from my office, which since I am a telecommuter, happens to also be from my home:

Not shown

Click on it to see the full glory. It is hard to capture that the branches and twigs are coated with ice.


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily

Monday Jul 10, 2006

Follow-up on getting the Sun Ray 1G working with my Dell 2007FPW

In The Monster got a computer, I wrote about how I got a Dell 2007FPW monitor and that my Sun Ray 1G could not drive the full resolution. Things just look stretched. Anyway, I quickly had a comment posted on how to make a change on the server to allow my machine to drive the 2007FPW:

$ /opt/SUNWut/sbin/utresdef -a -c "Dell 2007FPW" 1680x1050@60d 1680x1050 <<EOF
htotal=2256
hfp=104
hsyncwidth=184
vtotal=1087
vfp=1
vsyncwidth=3
vcomposite=8
pixclock=14714
xres=1680
yres=1050
hz=60
EOF

Then use 'utresadm' to associate that timing with a particular DTU,
and make sure that the access token being presented by that DTU
does not already have a stale cached timing setting:

$ /opt/SUNWut/sbin/utresadm -d -c <DTU> -t <token>
$ /opt/SUNWut/sbin/utresadm -a -c <DTU> -t <token> 1680x1050@60d
$ /opt/SUNWut/lib/utresexec -k -c <DTU> -t <token>

I tried to do this and discovered I did not have root on the server - which, come to think of it, is a very good idea. No problem, I eventually submitted a help desk request. The first round of support helped me change my frequency, which was not what I was asking for... Anyway, the upshot of it all was that Sun IT does not support any settings other than the default. It was suggested that I have my manager purchase me a monitor from some approved list.

I did find out to access the current settings, use shift-Props. Another thing I just found out was that to power-cycle the thing, use ctrl-quarter moon. This is the white key in the upper-right. Sometimes when my Sun Ray does not connect to the server, I have to power down my router, Cisco 831, and the Sun Ray. Until now, that meant pulling the plug.


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Friday Jun 09, 2006

My status report reveals the joy of telecommuting

I have to send off a biweekly status report. Sometimes I get down trying to justify what I did for the last two weeks. They can go by in a blur and it can be hard to write down my contributions.

Other times, I get to have a lot of fun barbing the group. I normally get feedback on this stuff.

Anyway, I just wrote a section and realized it was very much in tune with the category of Telecommuting:

[Misc]
o World Cup watch party starts
  o Wireless phone reaches couch
  o Wireless laptop reaches couch
  o Wired son breaches my sanity

The mixture of the Monster and summer break always tests my resolve. I want to watch things during the day like the World Cup, the Tour de France (he hates Lance now), etc. He either wants to watch Sponge Bob, Timmy Turner, etc, or play on the Play Station. He considers himself an athlete - but that doesn't mean he wants to watch others.

Anyway, Germany v Costa Rica starts in 25 minutes. Now, if it were only on some channel other than ESPN. I'd like that if I were traveling, I could get ESPN. But I'd really prefer a more soccer friendly channel. They normally air the UEFA and Champions Cups. I haven't even tried to get a MLS game on recently. I'll have to check their schedule for it after the World Cup is over.

Gotta go, I think the Monster is awake and I want that TV. Err, I mean I want to test my wireless connectivity!


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Wednesday Jun 07, 2006

Using www.no-ip.com Mail Reflector

I couldn't stand it. I like cox.net when I don't have to talk to them and wanted my email. So I extended my www.no-ip.com services to get an external mail reflector. The first step was to configure my Belkin router to map a couple of non-standard port numbers to port 25. By the way, I use the Belkin because it supports my Cisco 831 router for the Sun Ray 1G and it also allows me the ability to remap port services. I then checked that this worked.

I could have modified sendmail to listen on a different port, but then I need to remember that fact.

I then signed up for the reflector service (which will also store mail for 5 days if there is an outage) and enabled it. I tried to test and got a bounce:

[-- Attachment #1 --]
[-- Type: text/plain, Encoding: 7bit, Size: 0.5K --]

The original message was received at Wed, 7 Jun 2006 13:11:51 -0700
from localhost.localdomain [127.0.0.1]

   ----- The following addresses had permanent fatal errors -----

    (reason: 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1))

   ----- Transcript of session follows -----
... while talking to mail1.no-ip.com.:
>>> DATA
<<< 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)
550 5.1.1 <XXX@YYY.com>... User unknown
<<< 503 RCPT first (#5.5.1)

[-- Attachment #2 --]
[-- Type: message/delivery-status, Encoding: 7bit, Size: 0.4K --]

Reporting-MTA: dns; virt18c.secure-wi.com
Received-From-MTA: DNS; localhost.localdomain
Arrival-Date: Wed, 7 Jun 2006 13:11:51 -0700

Final-Recipient: RFC822; XXX@YYY.com
Action: failed
Status: 5.1.3
Remote-MTA: DNS; mail1.no-ip.com
Diagnostic-Code: SMTP; 553 sorry, that domain isn't in my list of allowed rcpthosts (#5.7.1)

I didn't sweat this too much, I figured I had a bit more to do and found this Blocked Port 25? .. Mail on a Non-Standard Port on the No-IP web site. I needed to set up some MX records. By the way, I really like how No-IP produces guides for their services.

In looking back at the previous fragment of email, it is now clear that it was no-ip.com bouncing it and not my domain. Anyway, I followed the directions and was soon getting all of my important email - mostly test messages from various accounts I have outside the domain. Remember, it is always the principle!

I'm forced by geography to use cox.net. I use both no-ip.net and webintellects.com because I like their services. I could move my internal domain to webintellects.com, but I actually do test configurations for work and write things up based on having what looks like a full domain.


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Why cox.net is tweaking me

I think what is really getting me mad is that the cox.net tech support people are all claiming that my port 25 is not being blocked inbound, yet their Virtual Customer Service Representative has this to say:

You: block port 25
Instant Answers: Blocked Ports

Port: 25
  Transport: TCP
  Protocol: SMTP
  Direction: Both*
  Reason for Filtering: SMTP relays

Port: 80
  Transport: TCP
  Protocol: HTTP
  Direction: Inbound
  Reason for Filtering: Web servers, worms

* SMTP is only permitted outbound to Cox-provided SMTP servers

Type more to continue.
You: more
Instant Answers: Port: 135
  Transport: UDP
  Protocol: NetBios
  Direction: Both
  Reason for Filtering: Net Send Spam/pop-ups, worms

Port: 136-139
  Transport: UDP, TCP
  Protocol: NetBios
  Direction: Both
  Reason for Filtering: Worms, Network Neighborhood

Type more to continue.
You: more
Instant Answers: Port: 445
  Transport: TCP
  Protocol: MS-DS/NetBios
  Direction: Both
  Reason for Filtering: Worms, Network Neighborhood

Port: 1433
  Transport: TCP
  Protocol: MS-SQL
  Direction: Inbound
  Reason for Filtering: Worms, Trojans

Type more to continue.
You: more
Instant Answers: Port: 1434
  Transport: UDP
  Protocol: MS-SQL
  Direction: Inbound
  Reason for Filtering: Worms, SQLslammer

Port: 1900
  Transport: UDP
  Protocol: MS-DS/NetBios
  Direction: Both
  Reason for Filtering: Worms, Network Neighborhood

Type more to continue.
You: more
Instant Answers: Port: 27374
  Transport: TCP
  Protocol: Subseven
  Direction: Both
  Reason for Filtering: SubSeven Trojan

Would you like to see more about Internet security?

They need to get their story straight. I don't care if their answer is as valid as any other IT urban myth.

The only thing keeping me from spewing forth how many years of IT and system development experience I have is the fact that I once again live in Oklahoma. I.e., I can drive to Tuttle in no time and see Jerry Taylor in person. Read the City manager misunderstanding prompts international response for spin and denial.

Frak...


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Rudely dropped by 2nd level cox.net support

I decided to show that the problem on my inbound port 25 traffic couldn't be on my end. To that end, I decided to connect my WinXP laptop directly up to my cable modem. This bypassed my router/firewall. I also disabled the firewall software on the laptop.

Of course I couldn't get access. I needed some servers to be listening on some ports. I did a quick google and decided to follow the instructions on exim on cygwin to install both cygwin and exim. I'd recommend also installing vim at this point. I had a mail server up and running in no time. I could get to it via a command window, but that wasn't a real test. I ssh'ed into a remote site and I was blocked on coming back on port 25.

Now I had to show that the exim software was really working. I installed apache2 on the laptop. I was able to configure the httpd.conf pretty easily myself, but to get the software running, I had to do some more searching. Note I don't have my normal cut-and-paste examples, these are DOS windows we are talking about. Anyway, I found this Re: [Pre-ITP] httpd-2.0.53-0.3. I was able to use it to get started:

Oops.

I forgot to document:

Apache2 requires cygserver.
Make sure cygserver is running, and that your CYGWIN envvar contains "server".

You need to edit your environment variable for CYGWIN to look like ntsec server. The above link on exim on cygwin tells you how to get to the environment variable. Note that you need the ' '. Neither ',' nor ';' worked for me.

You need to get a new cygwin session going (or manually edit the CYGWIN environment variable for an existing one) and then start cygserver:

net start cygserver

At that point, you can start apache2 via:

$ cd /usr/sbin
$ ./apachectl2 -k start

By the way, I made apache listen on both ports 80 and 8085. I did this since I know cox.net blocks port 80!

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
#Listen 12.34.56.78:80
Listen 80
Listen 8085

Okay, I tested the web server and sure enough port 80 was blocked but I could get the default home page on port 8085:

It works!

Okay, armed with this knowledge, I called up Cox.net support. After about 30 minutes, I got a live human. His name was Chris and he was convinced it was my software. He also stated that they were not allowed to try and check port connectivity. I asked him to try telnet IP 25 and he made it quite clear that was not allowed at all. I asked to be passed to a support person who could help me.

I got handed to the queue and spent another 15-20 minutes waiting. I then got to talk to Andrew. He spent a couple of minutes talking to me when the cable modem reset itself. I know this because my ssh session died and the phone cut itself off. He provided no warning and never called me back up to check on what happened. I've talked to their support before where they warned me about a restart and then called me back up. No, no common courtesy this time.

I don't normally yell, scream, and shout obscenities when my son is close by. My wife came up to check on me...

The really sad parts are that I lost the IP I've had for the past year or so and also that unlike large urban centers on the coasts, there is no real market pressure for broadband providers. I'm 1/2 mile away from being able to get a decent DSL provider, i.e., I live east of Memorial and I refuse to go back to Valor (they stopped using the really expensive DSL provider and rolled out their own).

So I'm trying the online support process now. I've dusted off the cox.net account and I figure that at some point I'll find a reflector to get past this stupid policy of cox.net. Bob Marley isn't even cheering me up at this point. Time to find some Cadbury.

Frak...


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Tuesday Jun 06, 2006

cox.net is filtering incoming port 25

I called Tech Support and they stated that they are not filtering inbound port 25 traffic. Yet their web pages state that they are:

Port Transport Protocol Direction Reason for Filtering 
25   TCP       SMTP     Both*     SMTP Relays
80   TCP       HTTP     Inbound   Web servers, worms 

I found a site which states that cox.net just started filtering inbound on them: Notice to Cox High Speed Internet Users. An interesting excerpt is:

Cox has been contacted regarding the filtering of individual email
on their outgoing SMTP servers, but they have refused to admit
doing it. However after extensive tests of their service, it has
been demonstrated repeatedly that legitimate personal email messages
are being stopped.

I'm pretty sure that they are doing it to me. I've sent email to abuse@cox.net asking them if they are indeed blocking port 25.

My firewall is configured to allow ssh traffic (redirecting the port), http traffic to both port 80 and a redirected port, and smtp traffic to port 25. Both ssh and http traffic to the redirected ports is allowed in my firewall. I've never seen port 80 traffic make it in and now I'm seeing the same symptoms on port 25.

This really irks me as I pay attention to my security, I make sure to also batten down my mail server. My mail traffic is very light, I probably bog down less with my email than a porn surfing neighbor. And I certainly drive more traffic transferring cores and ISO images. I had to go through 5 minutes of security verification to get my cox.net account. I had to log into it to check that mail for the support tech. I had 160 pieces of spam and nothing of interest. They probably wasted more resources storing that spam than I used in getting NFS related email delivered to my door.

They also treated me like an idiot - "reboot windows", "restart Outlook Express", etc. Every time he started on a new script, I had to remind him I was not running an OS he was familiar with. I told him multiple times I was not getting email from pop.central.cox.net.

It really got me at the end. He could look past the cable modem and tell me he saw a Belkin router/firewall. (I never said "Belkin", just firewall.) But he couldn't tell me if port 25 traffic was being stopped at the cable modem. I asked him to telnet to port 25 of it and he refused. He either didn't have the knowledge or the technology. (You can set PuTTY to the telnet protocol and port 25 to check a remote mail server.)
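The test the support tech would not run (telnet to port 25 of the cable modem) and the port 80 versus 8085 comparison done with apache in the post above both come down to one question: did the connection reach a host with nothing listening, or did it get silently dropped on the way? The script below is an added example, not part of the original post and not something the author ran. It connects to a port with a timeout and classifies the result: a refused connection means the packets reached the host, a timeout is what an upstream filter that drops the SYN looks like from outside, and for SMTP it also reads the 220 greeting so an open port is shown to be the service expected. The listener it starts on 127.0.0.1 is a constructed stand-in for the author's exim or sendmail, there only so the probe can be exercised offline; the host name in its banner is taken from the page.

```python
"""Probe TCP ports and tell "reached, nothing listening" apart from "silently dropped".

Added example, not from the original post. The fake SMTP listener is a
constructed stand-in for a real mail server so the probe can run offline.
"""
import socket
import threading
from dataclasses import dataclass

OPEN, REFUSED, FILTERED, ERROR = "open", "refused", "filtered", "error"


@dataclass
class ProbeResult:
    host: str
    port: int
    state: str
    banner: str = ""


def probe_port(host, port, timeout=5.0, expect_banner=False):
    """Connect to host:port and classify the outcome.

    ConnectionRefusedError (a RST came back) means a host was reached and has
    no listener on that port. A timeout means nothing answered at all, which is
    what an ISP filter that drops the SYN looks like from the outside. Services
    that greet first (SMTP's 220 line) can be asked for their banner.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            banner = ""
            if expect_banner:
                sock.settimeout(timeout)
                try:
                    banner = sock.recv(512).decode("ascii", errors="replace").strip()
                except socket.timeout:
                    banner = ""  # port is open, but no greeting arrived in time
            return ProbeResult(host, port, OPEN, banner)
    except ConnectionRefusedError:
        return ProbeResult(host, port, REFUSED)
    except socket.timeout:
        return ProbeResult(host, port, FILTERED)
    except OSError as exc:
        return ProbeResult(host, port, ERROR, str(exc))


def probe_ports(host, ports, timeout=5.0, banner_ports=(25, 587)):
    """Probe several ports; SMTP-style ports are also asked for their greeting."""
    return {p: probe_port(host, p, timeout, expect_banner=p in banner_ports) for p in ports}


def start_fake_smtp(banner=b"220 adept.internal.excfb.com ESMTP constructed-test-listener\r\n"):
    """Start a one-shot listener on 127.0.0.1 that only sends an SMTP-style greeting.

    Constructed for this example; it is not a mail server. Returns the port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        try:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)
        except OSError:
            pass
        finally:
            srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_local_port():
    """Bind and release a port so the probe has a reachable-but-closed target."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listening = start_fake_smtp()
    results = probe_ports("127.0.0.1", [listening, closed_local_port()], banner_ports=(listening,))
    for res in results.values():
        print(f"{res.host}:{res.port} {res.state} {res.banner}")
```

Run from a machine outside the ISP's network against the public address, with the server confirmed listening from the LAN first; "refused" or "open" proves the path is clear, while "filtered" on 25 next to "open" on 8085 is the pattern the posts above describe.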

Great, abuse@cox.net has replied stating that my complaint was not properly formatted and did not fall into one of their handy categories. I.e., they don't have a form to report them as the abusers.

Ahh, I could rant about them forever. Their Acceptable Use Policy is a model of customer abuse - We reserve the right to change this AUP without notice and have it be legally binding.

I'm sure I drew attention when my mail server was down and my port 25 traffic was being ignored. If I'd kept the server up, I'd have been safe for a couple of more days.


Originally posted on Kool Aid Served Daily
Copyright (C) 2006, Kool Aid Served Daily

Sendmail not working for my domain after storm

So, my mail services were working last night, but not today. A huge thunderstorm went through the city this morning. The Monster came screaming into the bedroom, the wife yelled, "The computers!", and I ran upstairs just in time for the UPSes to kick in. I powered everything down and went back to bed. I haven't gotten mail at my domain since then. Notice that my cable modem was up, so someone upstream could have gotten mad at me and cut me off. I am able to send mail out via the cox.net relay. Oh yeah, cox filters ports, but they claim they only filter port 25 outgoing. You have to connect to one of their machines.

Alright, let's start debugging this puppy. The first steps are to send email to both an account at the domain and somewhere else, say at work or gmail. If you get the remote one, you at least know email is flowing. I can check that off. As I said, I can also send email out - so I know something is working. The next thing I tried was local email:

[spud@adept ~]$ /usr/sbin/sendmail -v tdh@excfb.com
fkfkkjfsljklf11111111111111
.
tdh@excfb.com... Connecting to [127.0.0.1] via relay...
220 adept.internal.excfb.com ESMTP Sendmail 8.13.6/8.13.4; Tue, 6 Jun 2006 21:23:28 -0500
>>> EHLO adept.internal.excfb.com
250-adept.internal.excfb.com Hello localhost.localdomain [127.0.0.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-DELIVERBY
250 HELP
>>> MAIL From: SIZE=28 AUTH=spud@adept.internal.excfb.com
250 2.1.0 ... Sender ok
>>> RCPT To:
>>> DATA
250 2.1.5 ... Recipient ok
354 Enter mail, end with "." on a line by itself
>>> .
250 2.0.0 k572NSmc004845 Message accepted for delivery
tdh@excfb.com... Sent (k572NSmc004845 Message accepted for delivery)
Closing connection to [127.0.0.1]
>>> QUIT
221 2.0.0 adept.internal.excfb.com closing connection

And all that tells me is that I can connect via the loopback - not very interesting at all, is it? How about a quick test from another machine on the subnet?

# telnet adept 25
Trying 192.168.2.108...
Connected to adept.internal.excfb.com.
Escape character is '^]'.
220 adept.internal.excfb.com ESMTP Sendmail 8.13.6/8.13.4; Tue, 6 Jun 2006 21:25:53 -0500
help
214-2.0.0 This is sendmail version 8.13.6
214-2.0.0 Topics:
214-2.0.0       HELO    EHLO    MAIL    RCPT    DATA
214-2.0.0       RSET    NOOP    QUIT    HELP    VRFY
214-2.0.0       EXPN    VERB    ETRN    DSN     AUTH
214-2.0.0       STARTTLS
214-2.0.0 For more info use "HELP ".
214-2.0.0 To report bugs in the implementation send email to
214-2.0.0       sendmail-bugs@sendmail.org.
214-2.0.0 For local information send email to Postmaster at your site.
214 2.0.0 End of HELP info

To recap, I've shown that sendmail is working on my mail server and is accepting protocol on port 25. Let's show that it fails miserably from a remote system:

Last login: Tue Jun  6 16:19:47 2006 from ip68-0-87-35.tu.ok.cox.net
-bash-2.05b$ uname -a
Linux virt18c.secure-wi.com 2.4.22-1.2199.5.legacy.nptlsmp #1 SMP Sat Apr 30 21:00:06 EDT 2005 i686 i686 i386 GNU/Linux
-bash-2.05b$ telnet mail.excfb.com 25
Trying 68.0.87.35...

telnet: connect to address 68.0.87.35: Connection timed out
-bash-2.05b$ telnet mail.excfb.com XXXX
Trying 68.0.87.35...
Connected to mail.excfb.com.
Escape character is '^]'.

Get /

501 Method Not Implemented

Method Not Implemented

Get to /index.html not supported.

Apache/2.0.54 (Fedora) Server at www.excfb.com Port 80
Connection closed by foreign host.
-bash-2.05b$ man traceroute
-bash-2.05b$ man traceroute
-bash-2.05b$ traceroute -p 25 mail.excfb.com
traceroute to mail.excfb.com (68.0.87.35), 30 hops max, 38 byte packets
 1  207.158.22.1 (207.158.22.1)  0.455 ms  0.752 ms  0.448 ms
 2  sdtc.br02.g4-0-0.americanis.net (206.251.233.237)  0.229 ms  0.262 ms  *
 3  unknown.Level3.net (209.245.56.201)  1.235 ms  1.192 ms  49.856 ms
 4  ge-7-0-0.mp2.SanDiego1.Level3.net (4.68.113.69)  1.216 ms  1.238 ms  1.077 ms
 5  ae-0-0.bbr2.Dallas1.Level3.net (64.159.1.110)  29.348 ms  as-3-0.bbr1.Dallas1.Level3.net (64.159.3.214)  29.469 ms  29.750 ms
 6  ge-7-0-0-56.gar1.Dallas1.Level3.net (4.68.122.162)  29.972 ms  ge-6-0-0-51.gar1.Dallas1.Level3.net (4.68.122.2)  29.941 ms  ge-7-0-0-52.gar1.Dallas1.Level3.net (4.68.122.34)  30.055 ms
 7  COX-ENTERPRI.gar1.Level3.net (4.78.232.2)  38.508 ms  38.185 ms  38.366 ms
 8  68.12.14.34 (68.12.14.34)  38.207 ms  68.12.14.22 (68.12.14.22)  38.482 ms  68.12.14.34 (68.12.14.34)  38.232 ms
 9  68.12.14.65 (68.12.14.65)  44.302 ms  68.12.14.61 (68.12.14.61)  42.770 ms  68.12.14.65 (68.12.14.65)  44.176 ms
10  10.5.0.1 (10.5.0.1)  43.758 ms  43.521 ms  44.908 ms
11  ip68-0-87-35.tu.ok.cox.net (68.0.87.35)  53.471 ms  57.920 ms  53.876 ms
12  ip68-0-87-35.tu.ok.cox.net (68.0.87.35)  53.540 ms  53.614 ms  51.476 ms
-bash-2.05b$
-bash-2.05b$

Note that I'm not convinced that the ping -p 25 means anything valid. It does tell me that there is a path, but not much more. I happen to not have root on any remote boxes which can directly connect to my mail server, so the direct sendmail -v will not work. What will? How about this mail relay checker: whatsdown.net

This May Take a Minute or Two.. Please Wait...

Connecting to excfb.com (68.0.87.35)...
*Could not connect to excfb.com (68.0.87.35): Operation timed out
*
Test Failed

To recap, my mail is being serviced quite fine internally, but it looks like my port 25 is being blocked. This blockage could be my firewall, my cable modem, or my ISP (cox.net). I rebooted my router/firewall - it has a small syslog buffer and I can't see anything other than DOS type attacks. The next trick, since it is out of hours for customer support from my ISP, is to reboot the cable modem and then my router. I've had to wait until Gilmore Girls got Tivo'ed, otherwise I would be in a different world of trouble.
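The three hand-run tests above (sendmail -v over the loopback, telnet from a LAN host, telnet from a remote box) and the PuTTY-on-port-25 trick from the Cox post all boil down to the same question: does a TCP connection to port 25 get answered, and if so, does the thing answering speak ESMTP? Here is that check as one small probe, written as an added example for this page rather than code from the original post. The fake listeners it talks to run on 127.0.0.1 and are constructed for the demo; the banner text mimics the one seen in the LAN telnet test, and the EHLO host name is a placeholder. The point is the classification: a timeout (filtered somewhere on the path, the remote-host symptom), a refusal (host up, nothing listening), a connection that opens but never greets (the masked-port web server case), or a real 220 greeting followed by a successful EHLO.

```python
"""Port-25 reachability probe: names the outcome instead of leaving you to read telnet."""
import socket
import socketserver
import threading


def _read_reply(rfile):
    """Read one SMTP reply, following 'NNN-' continuation lines; return (code, lines)."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:                       # peer hung up
            return None, lines
        line = raw.decode("ascii", errors="replace").rstrip("\r\n")
        lines.append(line)
        if len(line) < 4 or line[3] != "-":
            return line[:3], lines


def smtp_banner_check(host, port=25, timeout=3.0):
    """Probe host:port the way 'telnet host 25' does, but return a named state.

    state: timeout (SYN never answered, i.e. filtered on the path), refused (host up,
    nothing listening), unreachable (routing error), no_banner (TCP opened but the peer
    waits for us to talk first, so it is not an MTA), not_smtp (greeting is not a 220),
    smtp (220 greeting and EHLO answered).
    """
    result = {"state": None, "banner": "", "extensions": []}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        result["state"] = "timeout"
        return result
    except ConnectionRefusedError:
        result["state"] = "refused"
        return result
    except OSError as exc:
        result["state"], result["banner"] = "unreachable", str(exc)
        return result
    with sock, sock.makefile("rb") as rfile:
        sock.settimeout(timeout)
        try:
            code, lines = _read_reply(rfile)
        except socket.timeout:
            result["state"] = "no_banner"
            return result
        result["banner"] = "\n".join(lines)
        if code != "220":
            result["state"] = "not_smtp"
            return result
        sock.sendall(b"EHLO probe.example.invalid\r\n")   # placeholder client name
        code, lines = _read_reply(rfile)
        if code == "250":
            # First 250 line is the greeting; the rest carry one extension keyword each.
            result["extensions"] = [l[4:].split()[0] for l in lines[1:] if l[4:].split()]
        sock.sendall(b"QUIT\r\n")
        _read_reply(rfile)                # drain the 221 so the peer closes cleanly
        result["state"] = "smtp"
    return result


class FakeSendmail(socketserver.StreamRequestHandler):
    """Constructed stand-in for the LAN listener; banner text mimics the post's telnet test."""
    BANNER = b"220 adept.internal.excfb.com ESMTP Sendmail 8.13.6/8.13.4; Tue, 6 Jun 2006 21:25:53 -0500\r\n"
    EHLO = (b"250-adept.internal.excfb.com Hello probe, pleased to meet you\r\n"
            b"250-PIPELINING\r\n250-8BITMIME\r\n250-STARTTLS\r\n250 HELP\r\n")

    def handle(self):
        self.wfile.write(self.BANNER)
        while True:
            words = self.rfile.readline().split()
            if not words:                 # EOF or empty line
                return
            if words[0].upper() == b"EHLO":
                self.wfile.write(self.EHLO)
            elif words[0].upper() == b"QUIT":
                self.wfile.write(b"221 2.0.0 closing connection\r\n")
                return
            else:
                self.wfile.write(b"500 5.5.1 Command unrecognized\r\n")


class SilentPeer(socketserver.StreamRequestHandler):
    """Accepts TCP but waits for a request first, like the web server on the masked port."""
    def handle(self):
        self.rfile.readline()


def serve(handler):
    """Start a throwaway listener on 127.0.0.1 with a kernel-chosen port; return (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo(timeout=1.0):
    """Probe three constructed situations (MTA, non-MTA, closed port); return the results."""
    results = {}
    for name, handler in (("lan_mta", FakeSendmail), ("web_server", SilentPeer)):
        srv, port = serve(handler)
        try:
            results[name] = smtp_banner_check("127.0.0.1", port, timeout)
        finally:
            srv.shutdown()
            srv.server_close()
    srv, port = serve(SilentPeer)         # grab a port, release it, then probe it: RST comes back
    srv.shutdown()
    srv.server_close()
    results["closed_port"] = smtp_banner_check("127.0.0.1", port, timeout)
    return results


if __name__ == "__main__":
    for name, res in demo().items():
        print(f"{name:12s} {res['state']:10s} {res['banner'].splitlines()[:1]} {res['extensions']}")
```

Run it from inside the LAN against the mail host and again from an outside shell: "smtp" inside and "timeout" outside is exactly the pattern the post found, and it points at a filter between the two vantage points (router, cable modem or ISP) rather than at sendmail. The state "refused" would instead mean the packets reach the host and nothing is listening. As for the traceroute above, the classic traceroute sends UDP probes, and -p only sets the destination UDP port, so it confirms a route to the host but says nothing about whether TCP port 25 is being dropped.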

No, that did not improve anything. I'm going to go out on a limb and blame my ISP. If my router/firewall were hosed, I shouldn't be able to get in at all. I really hate cox.net for tech support. The original cable contract was in my wife's name and I have to know all of her security information in order to get help. You can't post URLs for their web pages, they use javascript to foil that. And I see contradictory information on whether or not they block port 25 inbound.

Frak...



Friday Mar 24, 2006

Yet another UPS delivery

This time I missed getting the package by 30s - I had to run downstairs.

Not shown

This was an extra 512M of RAM for my Ultra 10 Sparc. The contents were securely packaged. Another good buy on Ebay.

Sweet!

ok Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 333MHz), No Keyboard
OpenBoot 3.19, 1024 MB (50 ns) memory installed, Serial #12676883.
Ethernet address 8:0:20:c1:6f:13, Host ID: 80c16f13.
