All of this has, so far, made use only of one network interface (in my case eth0) to set things up. However looking ahead to the next step I am aware that I will want devices inside my network (i.e. my workstations, etc.) to have IPv6 connectivity through this device I am setting up. In other words, this device must, as it does today for IPv4, act as a router.

With IPv4 this is, at a basic level (so forgetting about firewalling and so on) very easy: enable IPv4 forwarding and away you go.

For IPv6? A little more complicated…

sysctl.conf

My first step was to jump in to /etc/sysctl.conf and, just as I have IPv4 forwarding enabled here, do the same for IPv6. There’s even a (likely commented out) entry already there to help you. So I change it to show:

net.ipv6.conf.all.forwarding = 1

Reboot (or if you prefer manually involve the same change via sysctl or simply dropping the value in via /proc/sys/) and it takes effect.

Why has it all stopped working?

After doing this, the first thing I noticed was that suddenly I could no longer ping6 to my test destination. I find that the default route has disappeared from the route table (ip -6 route show)

It turns out that once the device is defined to be a router (i.e. that IPv6 forwarding is enabled) it stops acting on received Router Advertisements from the ISP, arriving on my WAN link eth0.

I was pretty miffed at first, but of course on reflection this is entirely sensible behaviour – I do not actually know who is sending me a given router advertisement. I have no knowledge of how the ISP has built its IPv6 infrastructure, and while I would hope that only the ISP can send an IPv6 Router Advertisement towards me, maybe not? What if someone else manages to do it too?

That’s why an IPv6 router, even in this context, as a home gateway, needs to treat a Router Advertisement with care!

What to do?

With IPv6 forwarding enabled it is possible to allow the RA to be accepted. In sysctl.conf set:

net.ipv6.conf.all.accept_ra = 1

However this then permits the interface(s) to autoconfig so far as addressing is concerned, but still does not pick up a default route. There is also a sysctl of net.ipv6.conf.all.accept_ra_defrtr which could be useful (if you trust your RA in the first place, that is) but anyway I could not make it work as I’d expect.

So really it comes down to making sure that, once IPv6 forwarding is enabled, that a default route is manually defined. Something along the lines of:

ip -6 route add default via fe80::207:cbff:aaaa:bbbb dev eth0

seems to do the trick
Of course the difficulty here is how you obtain the address of the required gateway. My ISP had not told me what it was. I obtained it by looking at what the default route had been prior to enabling IPv6 forwarding. Of course I could also have simply run tcpdump -i eth0 ip6 and waited for a to show up.To make this permanent, a suitable line can be added to /etc/network.interfaces, so mine now looks similar to:

iface eth0 inet6 static
address 2a01:e35:8b25:aaaa::1
netmask 64
gateway fe80::207:cbff:aaaa:bbbb

So with IPv6 forwarding enabled and a default route successfully restored, we can now proceed.

With IPv6 slowly becoming more visible, it was time to get to grips with it. While absolutely not essential (yet!) it seemed like a fun idea: my ADSL provider offers native IPv6 in parallel with IPv4, and my hosting provider is running an IPv6 beta. So I can do native IPv6 end to end between my home and a remote host. “Home” in this case consists of a Linux firewall running iptables, fronted by shorewall. Two ethernet ports: one to the ADSL modem (my “external” interface) and one to the house infrastructure (“internal”)

The Ubuntu server distribution in use is, like most Linux distros, fully IPv6 ready. For example, do an ifconfig and we see

Now I may not know much about IPv6 on Linux yet, but I can see that I’ve got a line beginning “inet addr” which looks kinda IPv6-ish. Good start. Let’s go…

IPv4 – today

As it stands, my home firewall performs the following functions:

• It acts as a DHCP client on its external interface, in order to pick up from the ISP the IPv4 address, plus the DNS server(s) being offered. In fact my IPv4 address is fixed, so strictly speaking I don’t need to act as a DHCP client on this interface, but it’s no real effort to do so and it means I get the DNS servers automatically.
• It acts as a DHCP server on its internal interface, in order to supply IP addresses to the many and various client devices within the house, along with DNS information. (I actually use dnsmasq for this purpose – tremendous piece of software)
• It performs NAT between the internal devices and the Internet, courtesy of iptables.
• It acts as a firewall between the internal devices and the Internet, again courtesy of iptables.

Since no one in their right mind writes “raw” iptables configs of any complexity, I use shorewall to administer the NAT and firewall functions – mostly using the shorewall cli, sometimes using the shorewall GUI within Webmin.

To top things off, I also have a VPN tunnel running between the firewall and a host machine, using OpenVPN.

So what do I need to know even before I think of starting with IPv6?

So as far as I know all the raw elements are available to me: ISP support, host support and all the bit ‘n bobs that Linux offers. So how do I string them together? In fact, hang on a sec before that: Just what is my goal?? The engineer in me frankly just wants to have a damn good play with IPv6, but it’s still good to have an initial goal to provide some sort of framework and direction.

Hence I set myself the somewhat arbitrary goals as follows:

• Between my firewall and my remote host enable simple IPv6 connectivity. ping, ssh, etc.
• Between my firewall and my remote host enable VPN connectivity (i.e. shift the existing IPv4 tunnel to IPv6)
• While leaving the rest of the household blissfully ignorant (and hence unaffected) by IPv6, enable two specific workstations (one Windows, one Linux) to have dual IPv4/IPv6 stacks such that they default to using IPv4 except for traffic destined to the remote host or some other IPv6 end-point, which will go IPv6 end-to-end (i.e. workstation <–> firewall <–> host)

Note that there are a lot of things that I am not yet trying to do. Specifically I am not setting up any gateways to allow IPv4 <–> IPv6 inter-working. For now I will have all my existing IPv4 functionality, with an entirely optional layer of IPv6 for those clients who (a) can talk native IPv6 and (b) have an IPv6 end-point to which they wish to connect. The inter-working side of things is a level of complication that in the first instance I want to avoid. Start simple and build up.

IPv6 Basics

Before anything else there are some IPv6 “basics” that need a little explanation and clarification. As with any technology, the problem is not with finding information. The problem is with finding out which information is useful and which is entirely irrelevant.

IPv6 Addresses

The one thing everyone knows about IPv6 is that it’s got funny looking, and rather large, addresses. Where once we had stuff like good old 192.168.0.1, now I might have fe80::240:63ff:fef5:f93c/64. And that’s one of the shorter ones…!

So what do I really need to know about IPv6 addresses, leaving aside the stuff that’s not required? Here goes.

IPv6 addresses consist of 128 bits. Why? Simple: to provide enough addresses that we’re not likely to run out, as we are perilously close to doing with IPv4. Just how big is “128 bits”? In decimal terms, such numbers have up to 39 digits. Here’s one:

340282366920938463463374607431768211455

In order to make things more manageable, IPv6 addresses are not written as long, decimal numbers. Instead they are written in hexadecimal, broken up in to 16-bit fields by colons. Here’s an IPv6 address lifted from the official IPv6 HowTo:

2001:0db8:0100:f101:0210:a4ff:fee3:9566

To further simplify things, leading zeros can be omitted. Also, contiguous blocks of zeros can also be omitted. For example:

2001:0db8:0100:f101:0000:0000:0000:0001

can be reduced down to

2001:db8:100:f101::1

The most extreme example of this is when the localhost address is considered (analogous to IPv4’s 127.0.0.1) and can be condensed down from

0000:0000:0000:0000:0000:0000:0000:0001

to

::1

Note, however, that the use of ‘::’ and leading-zero suppression is purely a shorthand. All IPv6 addresses are 128-bits in length – these are just cosmetic tricks to make the writing and typing of them a little more friendly.

Just as IPv4 addresses have netmasks, so with IPv6 addresses. More of that when we look specifically at routing later on.

Also, normally we find that the upper 64 bits are considered to be “network” bits and the lower 64 bits are “host” bits.

Network bits

The leading 16 bits of the network portion of an IPv6 address are “special” in so far as some values are reserved as having special meaning. I am not here going to define all the possible values in use. I am confining myself to what matters within the context of the exercise at hand. And for those purposes the two values might be seen.

Local link addresses prefix

fecx (where x is any hex digit, but is normally 0) – Such addresses are local link addresses. Under Linux, when an IPv6-capable interface is enabled, such an address “automatically” appears. It is used solely to talk with other devices on the same link: hi, anything there? anyone looking for a router? Note that such addresses are not used for “normal” data – they are purely for local link management. And now we know where that IPv6-looking address came from in my original ifconfig command:

inet6 addr: fe80::240:63ff:fef5:f93c/64 Scope:Link

(and notice that friendly Linux even puts the “Link” there to remind you that it’s a link address)

Host bits

The bottom 64 bits of an IPv6 address are, essentially, whatever you want them to be. They can be manually defined or, more often, are computed by using the interfaces MAC address (if it has one).

So here’s a simple enough address:

2001:0db8:100:f101::1

Given the 2001:prefix, so we know it’s a global unicast address from an ISP. And the bottom 64 bits consists of just ‘1′ (all the zeros are magic’ed away by the ‘::’)

But what of this “computed from the MAC address”? Recalling the ifconfig I showed back at the start:

Note the hardware MAC address: 00:40:63:f5:f9:3c (and remember that those digits and colons are nothing at all to do with IPv6 notation – they are bog-standard, traditional L2 MAC address format)

What have we got? The interesting parts break down as follows:

1. The interface has a L2 MAC address of 00:16:3e:2e:50:36
2. The IPv4 addressing is as it always has been – No change there.
3. We have a Link address of fe80::216:3eff:fe2e:5036 which should now look familiar: the fe80: prefix and the appearance of the L2 MAC address.
4. And we now have a Global address of 2001:4b98:41::d946:bf36:54 which is familiar at least in so much as it has a prefix of 2001: The rest of the address’s derivation is not of direct concern here. (In fact, after the ISP-specific part, other elements of it are derived from VLAN addresses and other such stuff. No matter.)

Goodbye ifconfig, hello ip

Since time immemorial Linux users have been familiar with the command ifconfig. Thus far in this document I’ve used it too, for the sake of familiarity. But dear ifconfig has actually been deprecated now for many years. It lives on, and we all still use it, but with the advent of IPv6 it does now seem an appropriate moment to bid it goodbye. It’s time to use the ip command, in its many forms. While it’s true that ifconfig can still achieve most of what is required, it sometimes falls short. Also, using ip let’s us more clearly and easily distinguish between IPv4 and IPv6, which is maybe not a bad thing!

Compare the ifconfig output from above with a couple of examples of the ip command:

This is analogous to the simple ifconfig: we’ve got L2 MAC, IPv4, and a couple of IPv6 addresses showing.

Look how much neater that is, even just for IPv4: no L2 MAC, no IPv6, just the IPv4-related information.

And similarly here: we just get IPv6-related information, and nothing else.

alias ip6=’ip -6′

and then you can just enter:

which is quite neat.

Key subsystems

The last part of this IPv6 Basics section is to introduce the functional building blocks within Linux which seem to get mentioned in connection with IPv6.

We now know about IPv6 addresses types that matter to us, we have met the command(s) we will use to inspect and manipulate things such as interfaces, routes and so on. We have also assumed that there is something similar to IPv4 iptables (and we’ll come back to that in some detail later as to how we actually use iptables under IPv6). However what subsystems such as DHCP exist and are of interest to us? When reading up on IPv6 Linux implementation one comes across the following mentioned frequently, and you may quickly form the impression that they are three important elements in an IPv6 firewall/router. They are:

• dhcp6c
• dhcp6s
• radvd

dhcp6c

dhcp6c is a Linux DHCP IPv6 client. It is directly comparable to the IPv4 dhclient or dhclient3. It will, for a nominated interface, call out and ask for an IPv6 address which it can allocate to that interface. It may also, optionally, pick up other information, typically DNS-related.

dhcp6s

dhcp6s is a Linux DHCP IPv6 server. It is comparable to the IPv4 dhcpd or, in my network, dnsmasq. Just as in the IPv4 environment, it hands out addresses to other devices and, optionally, other information such as DNS data.

radvd

radvd is a Router Advertisement Daemon. This is less easy to directly compare to the IPv4 environment. It can hand out, to requesting devices, an IPv6 prefix (not a full address…) and a default route to be used. From this the receiving device can then automatically decide upon a host portion to add to the prefix to give it a full IPv6 address. So at first sight, it seems to be a rather inadequate imitation of a DHCP server!

One might very easily conclude that all three are required. After all, we may well use a DHCP client on the Internet side, and a DHCP server for the private network sounds pretty much essential. And a router advertisement daemon? Not entirely sure what it is, but gets a lot of mentions so I probably need that too! In actual fact the only one of these you are likely to need is readvd. You might need any combination of them, depending upon your precise circumstances. But probably not.

DHCP client I get, but what’s with DHCP server versus radvd?

This is an area of considerable confusion! When bouncing around Google trying to find information on setting up IPv6 one minute we appear to be required to use DHCP server, the next minute we appear to need radvd. Which is which and when do I use them? Do I need both?

Well, the answer to the last question, “Do I need both of them?”, it “Probably not, but you might…”

Coming from familiarity with the world of IPv4 one instinctively tends to feel comfortable with the concept of dhcp6s – and while it can be used, radvd may well be simpler and easier in practice. Or, maybe, both… The attraction of rad is that the server does not need to concern itself with any state: no records of addresses allocated – since it dos not allocate any. It just says “Hey, this is the prefix, work the rest out for yourelf.” which is attractively simple! The DHCP server alternative has to remember which address is where and when. The case where you might want both would be where you want to have rad handle the job of initiating address allocation, and then have DHCP pick up to add some icing on the cake: DNS information being the common case.

And us here? We’re going to go with the simpler case, and have radvd handle the job of responding to IPv6-capable devices within our internal network and tell them just enough to allocate addresses themselves and use a default route.

So it actually seems to come down to a pair of subsystems being required:

• dhcp6c talks out to the ISP to handle “outside” IPv6 addressing.
• radvd talks internally to all devices to handle “inside” IPv6 addressing.

Well, maybe… But in these early days of IPv6 there is far from a standard view of how these things are to work. And, as I discovered, your ISP may not actually themselves offer an IPv6 DHCP server at all! In my case that was the situation, although I have little doubt that as time progresses and IPv6 implementations mature such services will become more standard.

But for now, my implementation will be reduced down to simply running radvd on the firewall, with the IPv6 configuration on Internet side being handled semi-statically.

Just one subsystem to be used: radvd. No DHCP client. No DHCP server. Who said IPv6 was complicated?!?

Setting up the firewall box

So at last we get to the actual practicalities of getting IPv6 up and running on the home firewall. The system in question is a Ubuntu-based device. The differences for another Linux system should be fairly negligible (package names maybe, some config file locations, etc.)

Packages to install

All we need to install is radvd if its not already present. Under Ubuntu something like:

sudo apt-get install radvd

should do the job.

Careful now….

And already we come to potentially our first issue!!! Once radvd is up and running on the firewall it will, potentially, start chatting to devices on the home network which are, by default, on the look out for IPv6 routers. Whether it does this by default depends upon the installed configuration file used, and which interface points where, but it’s a real possibility. And that may not be entirely a good thing. Be on the look out for workstations suddenly getting really really slow when, for example, browsing the web. I would suggest disabling IPv6 on any devices which may be susceptible to it. There are numerous ways to do that. On Windows in all its flavours? I have not the faintest idea. Under Linux? Here are some suggestions. Depending upon what is on your home network this may not be required, but if you do run in to the “slow web” issue, be alert to it.

Technical note: for the curious, if you do hit the IPv6 crawl of death issue, it’s actually due to certain services on clients stations being IPv6 aware and thus trying to resolve DNS requests via IPv6. They try, take an age to fail, and eventually fall back to IPv4. But it’s ugly. I wish I could say that I foresaw the issue and planned accordingly. More truthful would be to say that during my diddling around with radvd I got loud complaints from another user on the home network…

Setting up the connection towards the Internet… no hang on, actually not yet…

The first task is to get the public (in my case eth0) interface up and running IPv6. Before actually doing that we need to pause for a moment and consider the implications of what might happen if we indeed succeed in bringing up the IPv6 ISP-connected interface! We are then wide-open to the world, and just asking to be attacked. The only sensible thing to do is to first set up an IPv6 firewall to provide some level of protection before we throw ourselves open.

Sorry. But that’s life. Of course if your public-side connection is already protected via some firewall, then you can skip this. But it probably isn’t, so pay attention. With IPv4 most home networks make use of, by necessity, NAT. While not done for reasons of security it does nonetheless provide as a side-effect a modest level of security in so far as it tends to block unsolicited incoming connections. So even with a poorly configured firewall under IPv4, the use of NAT hides a multitude of nasties from us. But in the brave new world of IPv6 one hugely important difference from IPv4, but one that everyone seems to gloss over, is that NAT is not required. And indeed since not required, it does not exist. All IPv6 devices on the “inside” network will have, in effect, public addresses. No port-forwarding, no NAT, none of that. And while that’s actually a very refreshing thing in general (NAT and large firewalls are a real pain) it does means we can no longer rely on the default level of safety that NAT provides. A tightly configured firewall is absolutely essential.

To drive IPv6 iptables I use shorewall6. I highly recommend it. Here I am going to run through, without too much explanation, the steps to set up a very basic “block almost everything except a bit of stuff for testing” IPv6 firewall on the system. Here goes.

Install the package:

apt-get install shorewall6

The basic level of configuration then has to take place. Navigate to the configuration files:

cd /etc/shorewall6/

Set up the following files in a similar manner as shown here:

rules
# Allow only ping – for testing

Within shorewall6.conf ensure these lines as as follows:
.
.
.
STARTUP_ENABLED=Yes
.
.
.
IP_FORWARDING=Keep

What we have there is a minimal firewall configuration, which blocks absolutely everything except pings to and from the firewall box itself.

Start up the firewall with e.g.:

/etc/init.d/shorewall6 start

And then

shorewall6 show config

should give you a pretty lengthy IPv6 iptables config.

So, with precautions now in place, we may proceed.

[EDIT: shorewall6 and logging may or may not be an issue... See my article here: http://www.ipsidixit.net/2010/02/25/231/]

OK, finally setting up the connection towards the Internet…

Here is the starting point, with an automatically assigned, MAC-derived, link address:

Configuring the addressing

My ISP is free.fr (a French ISP) From them I have a fixed IPv4 address and a fixed IPv6 address. My IPv6 address prefix is 2a01:e35:8b25:7ea0::/64 which looks pretty random but of course is not.

The part 2a01:e3 is, from previous knowledge, a global unicast prefix (the 2xxx: indicates that) and the full form 2a01:e3 is the RIPE-allocated prefix used by Free. The next part, 58 b2 57 ea? Well, I write is deliberately in that format to show that it breaks down to (decimal): 88 178 87 234. This, by no coincidence at all, is my current IPv4 address! Of course Free mapping subscribers’ IPv4 addresses into their IPv6 prefix is entirely arbitrary on their part. It indeed seems like a good idea, but is absolutely not required. In the future, for example, IPv4 addresses will not be used in the first place, so no such mapping would be possible.

Of course their network prefix is, as per standard IPv6, 64 bits in length. So the second 64 bits (the host portion) is entirely mine to use as I see fit. That is a seriously large amount of address space, all globally routable, and all entirely mine to use as I wish.

Since my ISP themselves run radvd (or some equivalent) on their routers, when everything is IPv6 enabled on my firewall system, the Internet-facing interface, eth0, should automatically pick up the required prefix and use it. However in addition to the ISP-prefix + MAC-derived host portion I also want a simplified address on the interface. It’s absolutely not required, but I want it to make my life slightly easier.

So prior to the reboot I edit

/etc/network/interfaces

and add a section as follows:

With this I am specifying that in addition to any automatic address the interface picks up, I also want to statically assign a PREFIX+::1 address to the interface.

After the boot I inspect the results and see:

Excellent! We see the link address that was there previously. And now we have two global addresses. The one marked dynamic which is clearly the MAC-derived address (notice how the prefix is as expected – this was picked up not from any of our config but from a remotely received router advertisement from the ISP) and the one marked tentative which is as manually configured by me.

Testing

When we set up the shorewall6 firewall, everything was marked as blocked except for ipv6-icmp. Ostensibly this was to permit what we are about to do now, a ping test, which makes use of ICMP. However it was also in the knowledge that the Router Advertisements which we picked up from the ISP, and which gave us the prefix to be used for the dynamic address, are also, coincidentally, ICMP6. Two birds with one stone: we allow pings to go in and out, and also allow IPv6 Router Advertisements to pass unhindered.

So, to test our interface, let’s try something:

It works!!

Which is great, but where’s the routing and so forth that is being used here? Let’s look at that too:

That’s kind of like our IPv4 ARP table: where is, in Layer 2 terms, the next hop? And we see it at the given link address, with a corresponding MAC address, and a marker of REACHABLE. That REACHABLE can change as entries get set up and then age out, and values such as DELAY or STALE might also be seen.

Note that the default route is, automatically, via the adjacent router we learned about from the router advertisement.

.
.
.

So at this point we now know that we have basic IPv6 connectivity in and out of the firewall.

Summary

What we’ve done here, after a quick recap of IPv6 addressing techniques, is to:

In the next part I will look at extending IPv6 inside the private network, and examining options for moving the VPN to a native IPv6 implementation.

The judge said “You are a religious man and you know this is not acceptable behaviour.”

The fact that the judge in question is Cherie Blair, wife of former-prime minister Tony Blair, just confirms that this couple appear able to justify almost anything in their own minds based upon their beliefs and superstitions.

Apparently the UK’s National Secular Society has complained about it, but in true British don’t-kick-up-a-fuss tradition not much more will happen.

So remember: before violently assaulting someone in Britain, say a prayer. No, not to ask for any sort of forgiveness for what you will do, just pray that you get this lunatic women as your judge afterwards.

Aware that this is unpopular (the laws have widespread support) he has chosen a rather devious and obfuscated line of attack.

He singles out for criticism the UK’s Equality Bill, currently passing through Parliament. He tells us the effect of some of the legislation designed to achieve this goal has been to impose unjust limitations on the freedom of religious communities to act in accordance with their beliefs. Unjust. That’s the key word there. And then goes on:

“In some respects it actually violates the natural law upon which the equality of all human beings is grounded and by which it is guaranteed.”

Of course the concept of Natural Law is wonderfully vague. One assumes he is referring to some or other Aquinas-style philosophy of everything is OK, so long as it is OK with God too. However that aside, what is he really objecting to? Well, that is made fairly clear by further Church-comment on the matter. Firstly we are told that:

Religious leaders have voiced concern that the Equality Bill may force churches to employ sexually active gay people and transsexuals when hiring staff other than priests or ministers.

I love the language. “Forcing them to employ gay people.” For them, gay = evil. Well, more accurately sex = evil. Gay  = double evil. Which is all the more amusing considering the proportion of Catholic priests who themselves are gay.

Here’s a suggestion Mr Pope: if you’re so worried about sexual deviance, why don’t you stop fretting about homosexuals and instead cease employing and empowering paedophiles (gay and straight)? Clear out the layers of child abusers and their protectors who still litter your organisation and then I will at least take as non-hypocritical your objection to what you view as “sexual deviance” (although let me be unequivocally clear: I do not view homosexuality as any sort of “deviance” – what consenting adults choose to do in private is none of my business, except in so far as I robustly defend their right to do it)

Adoption

The other subtle line of gay-bashing from the Catholic Church yesterday concerns the desire for Catholic adoption agencies to function outside of the law. The proposed act would not allow child adoption agencies to discriminate against gay couples when considering their suitability as adoptive parents. Let’s get out of the way the issue of whether or not gay couples should adopt children: personally I have no issue with it at all. For me, the suitability of a couple (or indeed a single person) to care for a child has nothing to do with what they do in the bedroom. It has everything to do with other factors far removed from their sexuality. However I do not have a great objection, as such, to those who think that the ideal for children is father-figure + mother-figure, even if I do not agree with it. And, given that, it may seem that I would thus not object to a Catholic adoption agency holding similar views and wishing to implement them, despite not actively supporting them myself.

However what this issue really raises is actually glossed over most of the time: just what is a “Catholic adoption agency”? Why on earth does the UK have religiously-affiliated adoption agencies? Adoption is a childcare issue. Adoption is a social issue. Adoption is absolutely not a religious issue.  The very fact that adoption agencies are religiously affiliated infuriates and worries me, since there is only one reason I can think of why they are so: it is to perpetuate their religious beliefs, using desperately vulnerable children as the weapon of choice.

The Catholic church’s argument is intellectually offensive: Catholics run adoption agencies. Catholics think gay parents are wrong. Therefore Catholics don’t want to allow them to adopt children. And, to boot, if you try and stop us behaving in that manner we’ll cry “Religious oppression!”

So not only does the church wish to use orphans and the parent-less as its foot-soldiers, it wants to be above the law too. This is not about religious freedom at all. No one requires that an adoption agency be religiously affiliated. Would it be acceptable for the Catholic church to run some other business and practice their discrimination? How about a Catholic garage, but if you are gay you can’t have your car mended there? People would say “Oh, but don’t be silly.” But that is exactly what is happening here. A business or charity setting itself up to provide a service BUT only if it is allowed to be outside both the law and the commonly-held standards of morality within the country. And it’s all OK because it’s a religious belief. It staggers me that people allow it.

Go away

The only glimmer of good news is that reports indicate that already about half of all Catholic adoption agencies in the UK have shut down due to their inability to comply with the current and future legislation. And I say hooray to that. Parent-less children do not need religious bigotry and hatred guiding their future. To the Pope I say: Take your absurd beliefs and your sick, twisted morality and keep it to yourself. Preach all you like to a consenting adult audience. Our society defends your right to do that. But by definition that means keep away from those of us who do not consent to hear you or have our lives affected by you, and leave our children alone, as they cannot even give consent.

If you care so much about children, stop your priests from abusing them

This has nothing to do with true religious freedom, which is about who or what to worship, if anything, and in a manner of your choosing. It is rather all about intolerance, hatred and superstition. This man is free to visit the UK, but he should be loudly condemned by any right-thinking person.

In the space of ten minutes or so today I moved from fruit juice to triclavianism, via the Cathars.

Started with a quick visit to Wikipedia to get some information on the chemical composition of passion-fruit juice. But then you just can’t resist haring off down those links that you find and end up in the most byzantine (tee hee) backwaters of medieval theology… Or at least I can’t.

So my dull juice enquiry ends up with me discovering that triclavianism was declared a sin by Pope Innocent III, much to the annoyance of the Albigenses and the Waldensians, who heretically insisted that only three nails were used to hang Jesus from the cross, and he got a spear in the left side. The Pope’s infallible word was that four nails were used and he got speared on the right side.

Which is wonderful enough. Until you cross-reference to The Catholic Encyclopedia (“Copyright © 2009 by Kevin Knight. Dedicated to the Immaculate Heart of Mary.”), subsection “Holy Nails”, where we discover that there are apparently still in existence up to 30 of the original nails used.

Who’d have thought it?

BMW France – you just lost my business. A few weeks ago my wife bought a new car. A BMW. Fine car. Superbly designed and tremendous quality. As a car, we are delighted with it.

Next year I’ll be replacing my car. I had my eye on a sparkling new BMW estate. But so long as I have to buy it from BMW France, it’s not going to happen. Shame, as I really do like the cars. I just can’t stand the company. In the short time we’ve had the new car I’ve had two major issues. Neither concern the quality of the car itself.

BMW France have a typical finance package for new cars: rental for 3 years, then option to purchase. And, like many of their competitors, sometimes they offer that with the extra attraction of a “No money down…” package. Fantastic. We’ll have that please. It’s then that the dealer starts to play games…

Gissus ya focking money

Now I admit that BMW France do not directly benefit (as far as I can tell) from the scam they operate. But I also have no doubt at all that it’s conducted with the full knowledge and connivance of HQ. They need a “deposit” to secure the order. Never mind the clearly printed terms & conditions from BMW. They want 10% of the full purchase price to proceed with the order.

Frankly I was about to walk away then, but since my wife was really keen on the car I kept quiet and paid the money, with the dealer solemnly promising me it gets returned on the very same day the car is delivered. Needless to say that’s a load of bullshit. They lie. They have no intention of returning the money than. It took two weeks of waiting and getting increasingly pissed with the dealer before the money comes back, and then with not a word of apology or explanation for the delay. Still, you can see the attraction for the BMW dealer: not only does he sell a car but he gets the customer to lend him a large lump of money, interest free, for a period of some weeks or months. Good scam.

Dear customer. Screw you.

OK. So the purchase was over. At least she can enjoy the car now? Disaster struck: after less than a month the car suffers a puncture. Bad luck. Hard to tell what did it, but we think it was some large-ish stones that had fallen on to the road. Now, a short detour: like many BMWs, this one has no spare tyre. Also, oddly, it does not have run-flat tyres either. It has a “temporary reinflation” kit to repair the type and get you home or to the nearest garage. Not wildly keen on that, but that’s life. Trouble was in this case that at least part of the tire damage was to the sidewall, kinda where it meets the bottom of the tire. That was clearly visible as damaged. Maybe more – who can tell? Anyway, you don’t try a temporary repair on a tyre with a suspect sidewall.

What to do? Well, we had no worries actually: when we bought the car we had asked about the lack of a spare wheel. “No problem” the dodgy dealer tells us, and he then showed us chapter and verse in the handbook that comes with the car. The BMW handbook assures you that if you suffer a puncture (or indeed any other sort of failure – but it singles out punctures for explicit mention) you are in good hands: just call the number given and all will be well. You’ll be rescued, helped, sorted out and generally taken care of.

Fantastic! So despite being still shaken up by the puncture, my wife (Woman. On her own. Unable to move her car.) calls the BMW care-line for help. Bottom line from BMW: “Go fuck yourself. Not our problem.” I paraphrase slightly – I don’t think they swore. The operator asked for details of the puncture. My wife is a helpful sort and describes it accurately, how the tyre is completely flat and how she can see damage to the sidewall as well. “Oh well, that’s not a puncture. That’s an *accident*. Speak to your insurance company about it. Goodbye.”

It would be funny if it wasn’t true. “That’s not a puncture. That’s an accident.” I am still unable to tell anyone what sort of puncture is NOT an accident. Presumably one you do on purpose?

Hello Audi, Hello Mercedes. Hello anyone but BMW.

So there we have it. My wife has a tremendous car, which she enjoys very much. Maybe you might buy one too? If you’re in France, good luck to you. You are expected to make an interest-free loan of an indefinite period to the dealer before you even get your car. And once you’ve got it the after-care you were promised is just non-existent. They’ve got your money and don’t give a flying shit about you anymore.

When I go car shopping for my new car in a few months time I’ll be anywhere but at the local BMW dealer. Maybe the others are just as bad? Well, we’ll see. They sure couldn’t be a lot worse. You conned me once BMW France. You won’t get a second chance.

As detailed in previous posts, I have a server at home which I use to download and seed torrents (and, before you ask, yes most of the torrent are indeed legal!!) The torrent-side of this server needs to be remotely accessible and manageable to me from a number of places, so some sort of web-interface is required.

There are surprisingly few good web-based applications out there to do this. For a long time I’ve been using torrentflux-b4rt to provide a web-interface to BitTornado. It’s a great piece of software, but I’m now stopping using it. It’s always been a bit bloated and heavy, but once set up the way you want it, this has not mattered too much. The main reason I am moving away from it is that there are a few smaller issues which will, alas, never get fixed. From monitoring the project for some time it is clear that there is negligible development work taking place on it. For me the final issues were:

• one process per torrent – this get incredibly “expensive” in terms of CPU and, particularly, memory when one runs many torrents concurrently.
• inability to manage bandwidth overall: I can set a per torrent bandwith cap, but not an “all torrent combined cap”. I’ve mitigated the effects of this in the past by using QoS under iptables, but it’s a headache I could do without.
• minor bugs here and there. Since the development seems permanently stalled, maybe I could fix them myself? To that end I spent some time looking at the code-base. In line with the project’s history and breadth, I find a lump of code that might take weeks of effort to understand enough to fix some minor bugs. I do not have that time.

So what to use?

I spent some hours dabbling with rutorrent, which sits on top of the rtorrent client.It’s a nice GUI, but has a fatal flaw: it sits on top of rtorrent……! Now rtorrent itself seems fine in isolation – a curses-based cli client (so kinda halfway between a pure cli and a GUI) but it just does not seem right. rtorrent cannot natively daemonize itself – it has to be started up under “screens” and then detached and left to run in a headless mode, while rutorrent find it and talk to it. This is really not nice or reliable.

So I’ve ended up, for now, using Deluge. This looks interesting! For a start it’s architected sanely: core daemon, with various GUI/cli options on top, of which the web interface interests me most. The web-server is self-contained (not a choice I prefer, but I understand why they do it) It has the key features such as “overall limits” for all torrents taken together. It’s also very “light”: one daemon process for all torrents. The web interface is far from perfect, but it shows signs of very active development in this direction. The AJAX-ified interface is not quite complete, but is very usable and shows great promise.

I’ve not looked at the code yet, so cannot comment on how accessible it is. However there seems to be a working plugin-API which could allow some interesting dabbling without getting to grips with the entire project’s code.

Early days, but I tentatively recommend Deluge as worth a try.

I was even, ironically, signed up as one of their Premium Customers, which ensured they got even MORE business out of me!

I liked their prices – not always cheapest, but close enough.

I liked their web-site.

I liked their customer service – when something “went wrong” they would sort it out. It has to be said, though, that my experience of Amazon’s customer service is more based upon dealing with Amazon UK in times past, not so much with Amazon France.

So I was a keen customer and advocate, and spent oodles of money with Amazon. So how come today I cancel my Premium account and, once my final orders have limped in some time next week, will cancel my whole account and never, ever, darken their web site again?

Things go wrong… I know

I work in customer service, albeit of a rather different type. Things go wrong. People make mistakes. Stuff fails. That’s why customer service exists – to sort it out and make things good again.

Amazon France, though, seem to take a rather different view. It appears that their view of customer service is to tell me why I am wrong, to ignore the bits where it’s clear that they are wrong and to generally drop dead before saying “Hey sorry! We screwed up – this is what we’re doing to fix it!”

This post is not the place to bore anyone with the minutiae. But this week I had reason to contact Amazon France’s customer service regarding three separate orders (see what I mean about a good customer!! Three orders on the go at once!)

Most of the issues were within their direct control.

What do I expect? I expect to be listened to. To be understood. To, if appropriate, receive an apology. To be told what action is being taken to rectify things. Simple stuff. Customer Service 101.

What do I get? Evasion. Defensiveness. Lack of rectifying action. No apology.

Based upon my recent experience, Amazon France treat their customers like fools. They will push back on things they think they can push back on, and simply ignore any things which are indefensible.

Amazon France has lied to me (and I don’t use the word “lie” lightly). It has treated me like an idiot. It doesn’t care about me.

We won’t meet again

Time to explore the alternatives. Books? I’ll see what FNAC are like these days. Photographic equipment? I used Miss Numerique once or twice. Time to go back. Toys? King Jouet here I come! And so on. I’m actually rather looking forward to it.

It was nice having it all consolidated under Amazon before. But all things must come to an end. Treat your customer like dirt and what can you expect?

Nasty little vulnerability, found in all known TCP implementations. Given the right circumstances (read up on it) it allows a very neat DoS attack to be mounted on a large destination with minimal attacking resource. And the really elegant part is that it exploits a fundamental weakness in the very architecture of TCP as implemented on all major platforms.

This short post is not going to go in to details of sockstress, nor even the various fixes that vendors have made available – for those read the widely-available advisories and get patched! All I want to document here is how to implement the Linux iptable mitigation solution published by Red Hat on a host using Shorewall as its iptables front-end. An interesting aside is that Linux vendors, as Red Hat here being an example, are not directly issuing patches for this. Given the nature of the vulnerability they appear to be adopting an approach of leaving the base implementation of TCP unchanged but using existing tool sets to protect the system. Whether this is a good or bad approach depends on your technological ideology more than anything. Personally I like it, but I can see that for a desktop, non-technical user environment it may be less than ideal. Still, I’m protecting servers here, so the point is moot.

So, how to mitigate on a machine using Shorewall? Actually very simple, but for some reason I couldn’t even find a clear pointer to this on the Shorewall site, let alone anywhere else. All you need to do is drop the set of iptables mitigation rules in to file /etc/shorewall/start and then restart Shorewall. Easy as that.

You might typically expect to find a dummy of such a file (and its partner /etc/shorewall/stop - not used here) in situ. However, on my systems anyway (Ubuntu Server Edition) neither was present.

But create them as required, add these (or other arbitrary) iptables commands, check the persmisions are -rw-r–r–, owner:group are root:root, and restart Shorewall. If you want to check the rules have “taken” you can do an iptables -S and/or iptables -L to observe them.

Note that the exact values used in the rules are, as the Red Hat advisory points out, going to be site specific. However the values given are a pretty good starting (and for many of us, finishing) point.

For completeness, here are the iptables rules as per the Red Hat advisory, 16 Sep 2009. If in doubt, check the original!

# The following rule accepts a packet that is associated with an established connection,
# or that is starting a new connection that is associated with an existing connection:
iptables -A INPUT -p tcp -m conntrack –ctstate RELATED,ESTABLISHED -j ACCEPT
# The following rule removes the source address (from the recent list) of a packet
# that has the FIN flag set and that is also in the recent list:
iptables -A INPUT -p tcp –tcp-flags FIN FIN -m recent –remove
# The following rule adds the source address of the packet to the recent list.
# If an entry for the packet already exists in the recent list, the entry is updated:
iptables -A INPUT -p tcp -m recent –set
# The following rule drops the packet if it is seen at least 10 times in the last
# five minutes:
iptables -A INPUT -p tcp -m recent –update –seconds 300 –hitcount 10 -j DROP