IPv6 with gateway in a different subnet

I’ve run across this peculiar problem. I was trying to set up IPv6 on a CentOS 6 machine. I thought that it would be a simple task – a couple of minutes at most – as I had done that on other CentOS 6 machines before. But I was wrong.

My initial configuration steps were:

Take note of the two (obfuscated) IP addresses: the machine’s IP address 2a01:xxxx:xxxx:xxxx::1 is in a different subnet than the IP address 2a01:xxxx:xxxx:yyyy::1 of the default gateway given to me by the ISP.

On other machines I had configured in the past, IPV6_DEFAULTGW was 2a01:xxxx:xxxx::1. In other words, my own machine’s IP address 2a01:xxxx:xxxx:xxxx::1 was in a subnet that was a part of the bigger 2a01:xxxx:xxxx:: subnet in which the ISP’s gateway machine was located. In those cases, IPv6 worked without any problems when I used the above-mentioned simple configuration. But here, it didn’t work; I was getting the following warning and wasn’t able to connect/ping anywhere:

I tried specifying the interface, like this:

but that didn’t help either.

Eventually, I got advice from a friend who’s far more IPv6 savvy than I am. I had thought that it was not possible to have a default gateway in a completely different subnet and that this was the reason why I was running into this problem. I was told, however, that IPv6, unlike IPv4, did actually allow for a gateway to be in a different subnet, but that in those cases an additional network script has to be configured like this:

Having set the gateway this way, I had to remove it from the interface configuration file, of course:

After restarting network, this machine was finally IPv6 ready.
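The on-link test behind this advice, as an added example that is not part of the original post: it reads an ifcfg-style file, checks whether IPV6_DEFAULTGW falls inside the interface's own prefix, and, if not, returns the two routes a route6-<device> file would need. The 2001:db8:: addresses, the /64 prefix, eth0 and the route6 file form are assumptions, since the post's own listings are not shown.

```python
import ipaddress

# Constructed ifcfg-eth0 content; 2001:db8::/32 is the documentation prefix.
SAMPLE_IFCFG = """\
DEVICE=eth0
IPV6INIT=yes
IPV6ADDR=2001:db8:0:1::1/64
IPV6_DEFAULTGW=2001:db8:0:2::1%eth0
"""

def parse_ifcfg(text):
    """Parse KEY=value lines of an ifcfg file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def gateway_address(cfg):
    """Gateway without the optional %interface suffix."""
    return ipaddress.IPv6Address(cfg["IPV6_DEFAULTGW"].split("%")[0])

def gateway_on_link(cfg):
    """True if the default gateway lies inside the interface's own prefix."""
    iface = ipaddress.IPv6Interface(cfg["IPV6ADDR"])
    gw = gateway_address(cfg)
    # A link-local gateway is reachable on the link by definition.
    return gw.is_link_local or gw in iface.network

def route6_lines(cfg):
    """Routes for route6-<DEVICE> when the gateway is off-link (assumed form)."""
    if gateway_on_link(cfg):
        return []  # IPV6_DEFAULTGW in the ifcfg file is sufficient
    gw, dev = gateway_address(cfg), cfg["DEVICE"]
    # First a host route to the gateway, then the default route through it.
    return [f"{gw} dev {dev}", f"default via {gw} dev {dev}"]

if __name__ == "__main__":
    print("\n".join(route6_lines(parse_ifcfg(SAMPLE_IFCFG))))
```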


Raspberry Pi – analog output noise

I got a Raspberry Pi 2 as a present from my brother. It’s a nice toy. I was trying out OpenELEC; it makes for a really nice home theater in combination with a NAS on the local network. The only drawback was that the analog sound output produced a rather unpleasant noise. I tried to follow a lot of advice found around on forums, changed the operating system and drivers, but nothing helped. It seemed that the noise was a design problem of the analog sound (the digital sound output was all right).

In the end, I installed Raspbian and started using this Pi as a “thin client” to connect to other computers using X2Go remote sessions. It was a nice use case, but I didn’t need it so often as to actually miss sound. Eventually, I was advised to use an external sound card. A small, $10 USB card did the trick. The noise was gone and now, when using Raspberry as a thin client, I’m able to listen to music on it, too.


Scroll emulation with Trackman Marble in Debian 9

Spending a lot of time with mouse and keyboard, I decided I would give a trackball a try. A friend lent me a Logitech Trackman Marble for a week to see if I could get used to it. The one drawback in Linux is that there’s no support for scroll emulation by default. It was relatively easy to set this up on my laptop with the help of xinput, but at home, where I’m using Debian 9 (currently the ‘testing’ branch) with Mate, this didn’t work. So this had to go into a good old X.Org configuration file:

By the way, after two days of using it, I think I’m getting used to it, so I’ll probably buy one for myself.


header_checks and SpamAssassin headers in Postfix 2.6

I’ve had this mail server of mine for some time. I was an early adopter of Gmail back then, but as years went on and it became obvious that messages were data-mined by Gmail, I eventually started running my own Postfix server. Not just for me, but for family and eventually other people. Now, the thing is that some folks insist on having their emails forwarded to another service, like Gmail, Yahoo, etc. I can understand that. The problem is that if such a mailbox receives a lot of spam messages, those messages get forwarded to Gmail and Yahoo as well, and as a result, my mail server can get a bad reputation because of that – I can’t just explain to the other side that those spams are only forwarded.

I’m using SpamAssassin to mark spam, but all it can do is mark the messages for users’ MUAs; it can’t do anything else, like drop or reject unsolicited bulk email so that it doesn’t get forwarded. I’ve used Amavis somewhere in the past and it could have solved the problem here, too, but here it felt like too large a gun for the task. All I wanted was to prevent the most obvious spam with high score points from being forwarded. So I created a file with a regular expression to catch all messages marked by SpamAssassin with the help of the X-Spam-Level header.

and uncommented this line in:

The above-mentioned HOLD action will put the messages into the hold queue for further inspection. The other option is to REJECT the messages (more here).

To my dismay, it just didn’t work when I gave it a try with the help of GTUBE. What I didn’t realize was that header_checks happen while the message is being received. SpamAssassin, however, works as a milter that adds extra headers later, so it couldn’t work. There is a Postfix feature designed to solve this problem – milter_header_checks – which does the same thing, except it takes headers added by milters into account, too. The only tiny drawback was that this feature was added to Postfix 2.7 and my CentOS 6 had Postfix 2.6 running. There was a patch on the Postfix page which backported milter_header_checks into version 2.6, but I just didn’t have enough courage to go for it. Instead I used the workaround discussed here (many thanks). The trick is to create another service in master.cf and use it as a content filter for the main smtp service. That way, the SpamAssassin headers get applied and on the second run, they get noticed by header_checks.

I also had to add permit_mynetworks in recipient restrictions, but that was probably relevant just to my particular setup.

After the postfix reload, the spam messages with score higher than defined in /etc/postfix/header_checks finally got caught and stopped.
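Why the first attempt saw nothing and the second pass works, as an added example that is not the post's own configuration: a small evaluator for a header_checks-style regexp table, run over the headers as they exist at receipt and again after the milter has added X-Spam-Level. The 8-star threshold, the table text and the sample headers are constructed for illustration.

```python
import re

# Constructed table in header_checks regexp format: /pattern/ ACTION text
# The threshold of 8 stars is an assumption; the post does not state its value.
TABLE = r"""
# hold anything SpamAssassin scored 8 or higher
/^X-Spam-Level: \*{8,}/ HOLD high spam score
"""

# Constructed headers: what header_checks sees while the message is received...
AS_RECEIVED = ["From: sender@example.com", "Subject: test message"]
# ...and the same message once the milter has added its headers.
AFTER_MILTER = AS_RECEIVED + ["X-Spam-Level: ************"]
LOW_SCORE = AS_RECEIVED + ["X-Spam-Level: **"]

def load_table(text):
    """Parse '/regex/ ACTION ...' lines, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"/(.*)/\s+(\S+)", line)
        if m:
            # Postfix regexp tables match case-insensitively by default.
            rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules

def first_action(rules, headers):
    """Check each header against the table in order; the first match decides."""
    for header in headers:
        for pattern, action in rules:
            if pattern.search(header):
                return action
    return None

if __name__ == "__main__":
    rules = load_table(TABLE)
    for name, msg in [("as received", AS_RECEIVED),
                      ("after milter", AFTER_MILTER),
                      ("low score", LOW_SCORE)]:
        print(name, "->", first_action(rules, msg))
```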

Update 21. 2. 2017:

There was one unintended side effect with the above-mentioned solution – all forwarded emails were duplicated and arrived in the final mailbox twice. When there was forwarding set in the aliases file, the rule got applied on both smtpd services, the external one as well as the internal one, where the header_checks happened. So this behaviour had to be suppressed using the receive_override_options=no_address_mappings option to prevent this unintended duplication:


Apache and umask 002

I ran into a problem with Apache on CentOS 6. For some time, I was the only person who had access to this particular machine so permissions were not a problem. However, now that somebody else is taking care of the website hosted there, they had trouble editing files that were uploaded via the website and owned by apache. So I added the user to the apache group and put this line:

into file:

That way, any file created by the apache user was by default writable by the apache group so the given user would be able to work with those files. When I tried it out, however, it didn’t work; the user was not able to modify those files, to my frustration. Now, I was left with two options, either pull my hair out, or modify the httpd init script, neither of them much to my liking. Eventually, I found out that the solution was pretty easy – the PHP upload script was explicitly setting the permissions to 644 so members of the apache group were not able to modify the file. When I modified the application and its chmod command, everything worked like a charm.
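The interaction described above, as an added example that is not code from the original post: a file created under umask 002 comes out group-writable, an explicit chmod to 644 afterwards removes that again, and a small audit walk finds the files the group still cannot modify. The file names and the temporary directory are constructed; the chmod call stands in for the upload script's own.

```python
import os
import stat
import tempfile

def create_upload(directory, name, explicit_mode=None):
    """Create a file as a web process running with umask 002 would."""
    previous = os.umask(0o002)
    try:
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
        os.close(fd)
        if explicit_mode is not None:
            # Stand-in for the upload script's own chmod call;
            # chmod sets the mode outright and ignores the umask.
            os.chmod(path, explicit_mode)
        return path
    finally:
        os.umask(previous)

def mode_of(path):
    """Permission bits of a file, without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)

def not_group_writable(root):
    """List regular files under root that the owning group cannot modify."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if not mode_of(path) & stat.S_IWGRP:
                found.append(os.path.relpath(path, root))
    return found

def demo():
    """Return (mode from umask alone, mode after chmod 644, flagged files)."""
    with tempfile.TemporaryDirectory() as root:
        a = create_upload(root, "by_umask.dat")
        b = create_upload(root, "chmod_644.dat", explicit_mode=0o644)
        return mode_of(a), mode_of(b), not_group_writable(root)

if __name__ == "__main__":
    by_umask, chmodded, flagged = demo()
    print(oct(by_umask), oct(chmodded), flagged)
```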

Update 17. 4. 2017

I came to face the same situation with nginx on CentOS 7. The issue was basically the same, only the file where the umask directive had to be placed was different:

and umask had to be placed into the [Service] section:


“Lazy” Synolocker

A funny thing happened to me the other day. Someone brought me a 4-bay Synology NAS which had been hit by ransomware called Synolocker. The usual scenario – the NAS was exposed to the internet, maybe not updated as regularly as it should have been, and eventually targeted by ransomware. The bright side was that the owner kept an offline copy of the data that was stored on the NAS, so no big harm done. I was only asked to restore the NAS to the original settings to get rid of the nasty piece of software and make the NAS usable again.


The funny fact was that once I restored the operating system (thus removing the infected system) and was about to go and blank the encrypted volumes, I was surprised to find out that the data was still there, perfectly intact. This particular piece of ransomware was so “lazy” that it didn’t even bother to actually encrypt the data. It simply demanded ransom and waited for anyone who would panic enough to go and pay up.


Blackthorne

Yet another game from the 90’s that I wanted to tick off as done. Here are a few screenshots:


CentOS 7 – bridge for KVM

I got a machine on which I wanted to try CentOS 7 and KVM virtualization. As usual, I had to search for how to do a network bridge as it’s been quite long since I did it last time (on CentOS 6). So these are the basic steps. First, don’t forget to install bridge-utils while installing the KVM-related packages:

Now, this was the default config file for the network interface:

I had to change it to point to a bridge interface called bridge0.

And this is where the new network configuration goes. It’s probably worth mentioning that it’s been changed from DHCP to a static IP address:

and also that the GATEWAY has been moved to /etc/sysconfig/network.

After

you should be able to connect KVM VMs directly to the LAN.


Systemd problem

At home, I’ve been using rolling release of Debian for my desktop for quite some time. The good thing about it is that years go by and you need not worry about the end of life of this or that particular release. Sometimes, things can go awry, of course, but that happens quite rarely and running apt-get dist-upgrade usually takes care of the problem. Yesterday, however, I ran into a funny error message:

I have to admit that as far as the current flamewars regarding systemd are concerned, I don’t feel my insight is deep enough to allow me to contribute to those discussions one way or the other, but in the light of the current spiteful debate, it was a really funny error message 🙂


Hardware repairs

kids helped a lot


I’ve been tinkering with my computers ever since the days of ZX Spectrum, more or less. In the last eight years or so, however, people would come to me with their broken laptops and computers every now and then. It didn’t happen too often to become a nuisance; instead, it was a welcome distraction from my regular daily tasks (with the exception, maybe, of the time when I had seven laptops at my office at once 🙂 ).
