Ted Leung on the air: Open Source, Java, Python, and ...
Sun, 30 Jan 2005
Shorewall tip

If you are using shorewall as your firewall, be sure to update the contents of your rfc1918 file periodically, as networks get reassigned by IANA. I had a very out of date version, which was making my website inaccessible to people on various networks.

Fortunately shorewall includes a Python script for generating the appropriate parts of the file.
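
A staleness check for the failure described above, as an added example (this is not Shorewall's generator script and not code from the original post). It assumes the two-column SUBNET TARGET layout for the rfc1918 file; the file contents and the "now allocated" prefixes are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample in an assumed "SUBNET TARGET" layout; not a real rfc1918 file.
SAMPLE_RFC1918 = """\
#SUBNET          TARGET
255.255.255.255  RETURN
10.0.0.0/8       logdrop
172.16.0.0/12    logdrop
192.168.0.0/16   logdrop
203.0.112.0/22   logdrop
"""

# Constructed stand-in for prefixes that have been handed out since the
# file was written (in practice this comes from the current IANA registry).
SAMPLE_ALLOCATED = ["203.0.113.0/24"]


def parse_entries(text):
    """Return (network, target) pairs, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        target = fields[1] if len(fields) > 1 else ""
        entries.append((ipaddress.ip_network(fields[0], strict=False), target))
    return entries


def stale_entries(text, allocated):
    """List blocking entries that overlap a prefix now in legitimate use."""
    live = [ipaddress.ip_network(a) for a in allocated]
    hits = []
    for net, target in parse_entries(text):
        if target == "RETURN":  # entry passes traffic on, it does not block
            continue
        hits.extend((str(net), target, str(a)) for a in live if net.overlaps(a))
    return hits
```

Any entry this reports is dropping traffic from address space that real hosts now occupy, which is the symptom the post describes.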

[22:34] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Fri, 10 Dec 2004
Another reason why I'm excited about Ubuntu

Daniel Stone and Thom May sit down to smack down Ubuntu's boot time.

[22:50] | [computers/operating_systems/linux/debian] | # | TB | F | G | 2 Comments | Other blogs commenting on this post
Fri, 12 Nov 2004
An apt proxy for Bittorrent

While I'm not having problems with downloading Debian packages (I have a cron job that downloads updated packages daily), I think that additional uses for bittorrent are a good thing. apt-torrent is a proxy for apt that uses bittorrent as the transport.

[00:03] | [computers/operating_systems/linux/debian] | # | TB | F | G | 1 Comments | Other blogs commenting on this post
Sat, 18 Sep 2004
Ubuntu
Ubuntu (which means "Humanity to Others") is a new Debian based distribution which looks very promising. OSNews had an interview with Jeff Waugh (from the GNOME team, and one of the Ubuntu developers) as well as a bevy of screenshots.

I hope that the Ubuntu community is able to stick to a 6 month release schedule, and that there will be a significant and bidirectional cooperation with the Debian project.

[23:26] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Sun, 22 Aug 2004
I wish Debian was Fedora
Jon Udell's interview with Michael Tiemann helped me to understand the goals of Fedora. I like the way that Fedora is incorporating new features such as SELinux into the distribution, and it's sort of tempting to take a look at Fedora. Debian has been really good to me, and I haven't heard that any RPM based system can rival the quality of Debian. I just wish that the Debian people would stop letting ideology ruin the distribution. I use Debian because it works the best. Perhaps the Canonical team [via edd] will be able to appeal to folks like me.
[22:52] | [computers/operating_systems/linux/debian] | # | TB | F | G | 7 Comments | Other blogs commenting on this post
Wed, 04 Aug 2004
LVM
The server that we store our digital photos on ran out of space, so I had to slap another hard drive into the machine. While I was at it, I turned on Logical Volume Manager (LVM) support, so that this will be slightly less painful the next time this happens. I had already compiled LVM support into the kernel (2.6.5), so all I needed to do was install Debian's lvm2 package and follow the directions in the LVM-HOWTO. It turned out to be much less painful than I anticipated.
[00:16] | [computers/operating_systems/linux/debian] | # | TB | F | G | 4 Comments | Other blogs commenting on this post
Mon, 05 Jul 2004
postgrey
Early this weekend I installed postgrey, a greylister for Postfix based on Postfix 2.1's support for SMTP Access Policy Delegation. The theory behind greylisting is to temporarily delay mail message delivery in the hopes that spambots will not attempt to redeliver delayed messages. Based on my experiences, I'd say that hopes are high.

mailgraph is another utility written by David Schweikert, the author of postgrey. This graph shows the effects of turning on postgrey. I turned postgrey on late Friday/early Saturday, and you can see that the number of messages that were either spam or viruses decreased dramatically, while the number of rejected messages increased. The number of spams delivered to inboxes also decreased.

mailgraph_1_err.png

One thing that you need in order for postgrey to work is a script for starting up and shutting down. In Debian, such scripts go in /etc/init.d. postgrey doesn't supply a script, so I've made mine available. I'm not an init.d wizard, so if you improve the script please let me know. [ update: postgrey is now a package in Debian unstable ]

To date our anti-spam measures consist of postfix, postgrey, amavisd-new, clamav, and spamassassin on the server, and a bayesian filter in the clients. The arms race goes on.

[23:49] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Tue, 15 Jun 2004
Debian AMD64
I'm sort of in the market for some new Intel Hardware -- I've been in the market for a new primary Intel box for the last 4 years or so, but for various reasons (almost all related to my inclination to wait for cool features) I keep putting it off. For a while it was 800MHz FSB, then it was Centrino, then it was Dothan, then I got the Powerbook. In the meantime, hardware keeps getting cheaper, and I could really use a high performance Intel box -- my primary box has a pair of 750MHz P3's in it, which is hugely behind today's 3-3.4 GHz machines with their 800MHz FSB's. So the latest version of the waiting for cool features game goes like this: AMD64 vs (non-shipping) Intel64. This box is mostly going to run Debian, so the announcement that the AMD64 port for Debian is just about done got my attention.

Ironically, this hasn't been such a high priority for me since I got the Powerbook. Yes, I am popping X windows from the Linux boxes onto the PowerBook, and feeling the lack of speed that way. I'm accessing the existing Windows box via RDC, and that's also feeling the lack of speed. But mostly I'm happy on the Powerbook, except for two or three tasks. Now, if we were talking Powerbook G5, I might be in more of a hurry...

[00:06] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Sat, 05 Jun 2004
Postfix 2.1 and SMTP Access Policy Delegation
[ via BoneHunter [ via Planet Debian ] ] Postfix 2.1 is out and one of the new features is SMTP Access Policy Delegation which allows you to run some code after Postfix sees the RCPT TO command. The README for this feature includes references to a perl server that performs mail greylisting. This looks like something that I'd like to put into operation (having to deal with perl code notwithstanding). Ironically, the file greylist.pl doesn't appear in the Debian package for Postfix 2.1, so I'll have to go grab a source distribution. This is probably going to have to wait till after I get back from San Francisco, as the next day or so are going to be quite full.
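
The greylisting decision behind both this post and the postgrey post above, as an added example (not greylist.pl, not postgrey, and not code from the original posts). It assumes the policy delegation wire format of name=value lines ended by an empty line; the 300 second delay, the in-memory store, and the sample request are choices made for this example.

```python
import time

# Constructed sample of a policy delegation request (addresses are
# documentation values, not taken from the post).
SAMPLE_REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.25\n"
    "sender=alice@example.net\n"
    "recipient=bob@example.org\n"
    "\n"
)

DEFER = "action=DEFER_IF_PERMIT Greylisted, please retry later\n\n"
PASS = "action=DUNNO\n\n"  # no opinion: let later restrictions decide


def parse_request(text):
    """Parse one request: name=value lines, terminated by an empty line."""
    attrs = {}
    for line in text.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


class Greylist:
    """Defer each new (client, sender, recipient) triplet until it has
    been retried at least `delay` seconds after its first attempt."""

    def __init__(self, delay=300, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}  # triplet -> time of first attempt (never expired here)

    def decide(self, attrs):
        if attrs.get("request") != "smtpd_access_policy":
            return PASS
        triplet = (attrs.get("client_address", ""),
                   attrs.get("sender", "").lower(),
                   attrs.get("recipient", "").lower())
        now = self.clock()
        first = self.first_seen.setdefault(triplet, now)
        return DEFER if now - first < self.delay else PASS
```

A sender that queues and retries gets through on a later attempt; one that never retries is never accepted, which is the bet greylisting makes.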
[00:13] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Sun, 11 Apr 2004
ClamAV
Last week, a few of us from OSAF had a meeting with Greg Stein to talk about protocols that we might use for our item sharing feature. In addition to a very interesting discussion, I learned about ClamAV, a GPL'ed virus scanner that runs on Linux. I was already running spamassassin on our mail box but I didn't know there was a good virus scanner for Linux. So I spent this morning installing the Debian ClamAV packages, as well as amavisd-new, which I used to hook both spamassassin (I had been using per-user procmail files) and ClamAV up to postfix.
[01:02] | [computers/operating_systems/linux/debian] | # | TB | F | G | 4 Comments | Other blogs commenting on this post
Thu, 01 Apr 2004
nameif is mostly your friend.
Thanks to the folks who wrote and recommended nameif as the solution for my kernel 2.6 interface swapping woes. It turns out that nameif isn't able to swap interfaces easily. In order to make it work you need to give your eth1 a bogus name, swap that interface's MAC to eth0 and then swap the other MAC to eth1. Thanks (as usual) to Google and the debian-users list for the fix. Note that you cannot do this from an /etc/mactab, so you need to change /etc/init.d/networking (on Debian) and include the calls to nameif directly. You have to modify /etc/init.d/networking anyway because it doesn't check for an /etc/mactab and try to run nameif, and that's probably just as well.

At least I'm happily running 2.6 now.

[22:15] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Sun, 07 Mar 2004
Why Debian (also why Linux)
Keith and Rick from the BIGeeks, this one's for you...

Periodically, (that is, every time I talk to someone about linux), I end up recommending that they look at Debian. I tend to focus on the technical aspects of Debian -- the quality of the packages and the ease with which they can be upgraded. Manoj Srivastava has written an explanation of why you should choose Linux, and why that Linux should be Debian. He explains the technical stuff way better than I do, and he also shows how some of that stuff is a result of the kind of community that Debian is.

So, my new answer is: "What Manoj said".

[17:15] | [computers/operating_systems/linux/debian] | # | TB | F | G | 2 Comments | Other blogs commenting on this post
Sun, 01 Feb 2004
Mail hacking grumbles
The appearance of MyDoom this week has prompted me to install some additional security measures for our network at home.
  1. Disallow connections to port 25 from inside the firewall
     This is long overdue since lots of e-mail worms like to install their own SMTP server. The only way you're going out via SMTP is via our SMTP server.
  2. Enable SMTP AUTH via SASL
     Only authorized users should be able to use our SMTP server. This turned out to be a major headache since postfix on Debian runs chrooted, and was having trouble talking to saslauthd's socket. I ultimately gave up on using saslauthd and hacked around it using the sasldb method of checking passwords. But even that took me way too long to figure out. It would be nice if the Debian maintainers for postfix or SASL would include some documentation on how to do SASL based SMTP auth inside the postfix chroot environment (using SASL2).
  3. Enable TLS support for postfix
     I've grabbed the postfix-tls deb and installed. Next I need to generate the certificates. The problem is that I already have certifications for Apache and UW-IMAP (although I'm probably going to junk that in favor of Dovecot). I also want the SMTP TLS to require a client certificate (yes, I'm paranoid). So I pretty much need to set up my own CA to issue client and server certificates. What I'm not clear about is whether I need a server cert for each service (www, imaps, smtp) that I plan to offer -- I only have a single IP address. There's also the small matter of which of the many different HOWTO's or documents to follow to generate the certificates properly. Last time I used the makecert.sh that comes with Debian's modssl.
Bottom line: this stuff is a huge pain to do and do correctly. I can't see any reason why these features shouldn't be easy to turn on, but I've used up a bunch of energy trying to get them all to work. If anybody out there is running a setup like what I'm proposing, let me know. I'll try to publish a record of what I've done once I get it all working.
[22:35] | [computers/operating_systems/linux/debian] | # | TB | F | G | 2 Comments | Other blogs commenting on this post
Sun, 26 Oct 2003
One apt to rule them all, One apt to bind them...
Ars Technica is reporting that Ian (the ian in Debian) Murdock's Progeny has ported Red Hat's Anaconda installer to Debian. I was more interested in the news that Progeny is modifying apt to work with RPM packages.

If that weren't enough, the DebToo project is working to create tools to build Debian source packages using custom compile flags, just like Gentoo. In addition, Eric Wong has written APT-Fu, which can build packages using custom gcc flags.

Convergence is good.

[00:01] | [computers/operating_systems/linux/debian] | # | TB | F | G | 0 Comments | Other blogs commenting on this post
Wed, 22 Oct 2003
Redhat 9? Just say no.
I just read Don Park's evaluation of Red Hat 9. This jibes with what I heard at last night's SeaJUG meeting, too. Mark Ashworth, the speaker last night, was running Suse, but he mentioned that more and more of his friends are running Debian. I run Debian for the package quality, not the politics, but it is true that there's no company behind Debian that will suddenly change the nature of the distribution.

The uptime on the machine that is {www,mail}.sauria.com is 271 days. It would have been longer, but I had to replace the UPS. This machine is regularly updated to Debian unstable. If you are less adventurous, you could set your apt sources list to use testing.

[00:35] | [computers/operating_systems/linux/debian] | # | TB | F | G | 2 Comments | Other blogs commenting on this post


About

I work at the Open Source Applications Foundation (OSAF).
The opinions expressed here are entirely my own, not those of my employer.

This work is licensed under a Creative Commons License.
