My old connection with Bethere would let me download at about 6Mb and upload at well under 1Mb over ADSL2+.  After the BT engineer upgraded my connection, I almost squealed with glee to see it was almost 37Mb downstream and 8.6Mb upstream.  That’s a serious upgrade!

The engineer installed a new modem and the BT HomeHub router.  Of course I don’t want to use a generic router so I unplugged it and began figuring out how I could plug my trusty Linux Acer Revo 3600 back in.  The modem has 2 ethernet ports on the back, but one is masked off.  Plugging in to that was the easy part.  What I wasn’t sure of was what the modem really was – Was it a real modem or was it like my old BeBox which maintained the connection for me and acted as an invisible bridge?

I spent hours messing around with /etc/network/interfaces and trying various settings.  As it turns out it is a real modem and my Revo needed to treat it as a PPPoE device.  I eventually got it connected but then found that certain web sites weren’t loading or were partially loading from other machines on my network.  That’s a very big indication of an MTU problem.

If you get BT Infinity and decide you want to hook a Linux router up to the modem then do yourself a favour and use pppoeconf.  I didn’t know the program existed until I’d already been messing around for hours.  It has nice prompts which ask you for your login information, the device, and even tells you that you will likely have an MTU problem and that it can fix it for you!  Apparently this is because many PPPoE modems have a maximum MTU of 1460 and there’s another 4 overhead for machines that you’re masquerading on your network.  So your max MTU must be clamped at 1454.  pppoeconf does this by creating a ppp ip-up script which uses iptables.

iptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu

Unless you have a good reason not to use pppoeconf, save yourself some time and just run it.

That said, I’d already been configuring my system manually and only needed to add the MTU tweak so that’s what I did.  Below you’ll find the configuration that I use.  Bear in mind my little Revo is running Ubuntu.

/etc/ppp/peers/bt

# Load rp-ppoe.so for kernel mode interface naming compatibility (ie, ppp0, ppp1)
plugin rp-pppoe.so eth1

# Every BT Infinity user uses the same login information.  Don't use
# your personal one - that's just for e-mail.
user "bthomehub@btbroadband.com"

# The device to which the Infinity modem is connected
eth1

#Bind this connection to ppp99
unit 99

# Assumes that your IP address is allocated dynamically by the ISP.
noipdefault

# Try to get the name server addresses from the ISP.
# I have commented this because I run my own full DNS
# server locally.  Most people will want this enabled.
#usepeerdns

# Use this connection as the default route.
defaultroute
replacedefaultroute
hide-password

# Makes pppd "dial again" when the connection is lost.
persist

# Do not ask the remote to authenticate.
noauth

I added this to the end of /etc/ppp/chap-secrets. BT don’t actually require a password but I’ve read that sometimes PPP connections can fail if they’re not provided so I added one anyway.

"bthomehub@btbroadband.com" * "BT"

/etc/ppp/ip-up.d/0clampmss

#!/bin/sh
# Enable MSS clamping (autogenerated by pppoeconf)

iptables -t mangle -o "$PPP_IFACE" --insert FORWARD 1 -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1400:65495 -j TCPMSS --clamp-mss-to-pmtu

And I added this to my /etc/network/interfaces. The pre-up makes eth1 (the port my modem is connected to) available before PPP dials. The provider line tells it to use the details in the “/etc/ppp/peers/bt” file above. eth1 itself is configured as a manual device so that we don’t have to give it an ip address at this stage.

auto bt
iface bt inet ppp
	pre-up /sbin/ip link set dev eth1 up
	provider bt

iface eth1 inet manual

I faced one more “gotcha”. I had to reconfigure my iptables to allow certain connections through my new ppp99 device rather than eth1. I use webmin for a lot of common administration and it uses iptables-restore and iptables-save and of course when I updated my iptables, it removed the MTU clamping rule. To make sure that didn’t happen again, I configured iptables how I wanted it and then re-added the MTU clamping rule. Then I ran iptables-save.

iptables-save > /etc/iptables.up.rules

That’ll ensure the rule doesn’t get accidentally removed again the next time I’m reconfiguring iptables in webmin.

I instructed 1and1 to transfer my codexsoftware.co.uk domain to Daily so that I could have cheaper renewals, and because that’s where I have most of my other domains. Unfortunately rather than just change the IPS tag and leave everything else as it was, 1and1 decided to also delete my web site and all my mail too… Well, ok then.

Rather than have to deal with another ‘user friendly’ web site to manage my net services, I decided to get a virtual private server and manage it myself. All good in theory, but I made the mistake of choosing virtualservers.com, without first realising they were actually an Easyspace company. It soon became apparent that they weren’t offering proper hypervisors and I tried to cancel my order literally within about 10 minutes of placing it.

Not only would they not cancel it, but apparently in some small print amongst the reams of legal wording in their terms and conditions, and despite the only price shown being the monthly price, I had actually signed up for a 3 month contract. They wouldn’t cancel it. I told them I wanted to cancel it under the UK Distance Selling Regulations, but apparently that wasn’t going to fly either as I’d clicked the ‘business’ box instead of the ‘retail customer’ box and therefore wasn’t eligible. And so there was the good ol’ Easyspace customer service.

Wankers.

With no confidence in their promise to cancel my account after 3 months, I decided to get the server banned instead to ensure that it happened.

#include <stdio.h>

void main()
{
	printf("I really wish you'd cancelled my order instead of being bitches...\n");
	while (1);
}

Apparently consuming 100% of the processing time I was paying for was abusing their system, which I guessed would be the case. Luckily for them I didn’t also decide to make full usage of their advertised ‘unlimited bandwidth’ with a nice spider saving all of its downloads to /dev/null (unlimited disk space wasn’t part of the deal).

After that I decided to try out Amazon Web Services and got a proper virtual server in the EC2 “cloud”, and made sure to make decent backups this time as well. The server has been very reliable and I’m very pleased with it. No hassle at all.

An Example of Good Customer Service

Early in December, my 2 year old  iMac’s 24″ screen started intermittently turning black for random periods of time.  The problem got worse and worse.  Luckily for me I had taken out an AppleCare agreement for it and was covered.  I dropped the iMac in at the store and they told me it would take about 5 days to replace the screen.  I really didn’t like the thought of being without it at all, but I have a Macbook Pro and a fast PC as well, so it wasn’t really a huge problem to do without it for a while.

After 10 days I was beginning to lose patience, so I chased them up to find out what was going on.  They informed me that they’d been waiting for parts but that they’d now arrived and I should expect a call soon.

The next day I woke up to my phone ringing and I answered it.  It was the Apple store.

“Hello Mr Stiles.  It’s Simon from the Apple store here at the Trafford Centre.  We’ve finished replacing the screen on your iMac,” said the voice on the telephone.

“Oh, right.  Good,” I replied, while rubbing my eyes and trying to get both of my mental pistons firing.

“Yes, but I’m afraid it still isn’t working,” he continued.  I groaned.  That was just my luck.  ”So, we’ve decided to give you a brand new one.”

“What?” I asked.  I thought I must still be dreaming.  I was still in bed afterall.  ”Really?” I asked in disbelief.

“Yes, a new one free of charge.  Your old one had a 24 inch screen and this new one has a 27 inch.  Your old processor was a dual core 3.06GHz and this new one is an Intel i3 3.2GHz dual core.  Your old one had 2GB of RAM**, this new one has 4GB and is upgradable to 16GB.  You also had 500GB of disk space and this one has 1TB.  Does that sound, ok?” he asked, sounding slightly resigned.

“Umm, yes…”

“Right.  I’ll process that now then.  Can you get over here this afternoon?”

“Damn right, I can.”

I got myself ready and rushed over there as quickly as I could, to find the nice, brand new iMac waiting for me in its unopened box.  Not only did they give me a whole new machine, but they completely refreshed my AppleCare for a further 3 years.  At this rate I’ll never been to buy a new one again!

Now that’s customer service! <3 Apple

* I can’t remember who called me but I’m going to call him Simon.  In fact these weren’t even fictional Simon’s actual words but you get the idea.
** Actually it had 4GB because I’d upgraded it, but I wasn’t going to argue with the nice man.

I recently decided to replace my nice Draytek 2820 with a Linux box for purely geeky reasons. Since then I’ve come across a couple of little ‘gotchas’.

Firstly I found that I couldn’t open any PPTP connections from computers on my network, despite GRE being allowed to pass through my firewall. The solution was to simply load some extra kernel modules.

/sbin/modprobe nf_conntrack_proto_gre
/sbin/modprobe nf_nat_proto_gre
/sbin/modprobe nf_conntrack_pptp
/sbin/modprobe nf_nat_pptp

To do this at boot time, just append the module names to your /etc/modules file. i.e. mine now looks like this:

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.

loop
lp
nf_conntrack_proto_gre
nf_nat_proto_gre
nf_conntrack_pptp
nf_nat_pptp

The other thing I noticed was that when playing on my Xbox 360, I’d get a warning about some of the features not being available on Xbox Live. At first I thought it was a temporary problem with their service but I got a bit suspicious after a few days and decided to investigate further.

I ran a connection test from the Xbox and it suggested that I should enable a UPnP server on my router if possible. I installed linux-igd with the usual command.

sudo apt-get install linux-igd

Then I edited the /etc/default/linux-igd file to let it know about my interfaces.

# External interface name.  If undefined then upnpd will not be started.
EXTIFACE=eth1

# Internal interface name.  If undefined then upnpd will not be started.
INTIFACE=eth0

Then I restarted the linux-igd service

sudo service linux-igd restart

The Xbox is now happy. Easy peasy.

I hate the idea of all those icons displayed over the desktop too.  I realize it only does that when you use the Launchpad but desktops should be tidy!  It even does that ugly thing that iPhones do with folders.  Blech!

Perhaps this is mostly because they want to cash in and put the App Store on the Mac

http://www.apple.com/macosx/lion/

Well here’s a way to write a message across the centre of the image, if the image has been loaded from any site but your own. To do this we need to create 2 files. One is an .htaccess file for use in Apache and the other is a PHP script. Apache must have the mod_rewrite module enabled and PHP must have been compiled with the GD library for this to work.

The following .htaccess file should be dropped in to the root docs folder of your web site. It contains rules that tells Apache to check the referring domain on any file that contains a jpg, gif or png extension. If the referrer is codexsoftware.co.uk, friendlysite.com, google.com or Google’s cache then it’ll serve the image as normal. If it isn’t then it’ll redirect the request to imagehotlink.php in the document root. You should edit these domains for your own site. Remember to put the backslash before all dots in your domain names.

RewriteEngine On
RewriteCond %{REQUEST_FILENAME} .*jpg$|.*gif$|.*png$ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !codexsoftware\.co\.uk [NC]
RewriteCond %{HTTP_REFERER} !friendlysite\.com [NC]
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
RewriteRule (.*) /imagehotlink.php?pic=$1

Then all we need to do is drop the following imagehotlink.php file in to your document root. It will load the requested image and write the contents of the $text variable across the centre of the image in as large a font as it can – adjust the text to your amusement

<?php
$pic = strip_tags( $_GET['pic'] );
if (!$pic)
	trigger_error("No picture specified.", E_USER_ERROR);
$path_info = pathinfo($pic);
switch ($path_info['extension']) {
    case 'gif':
        $image = imagecreatefromgif($pic);
        break;
    case 'png':
        $image = imagecreatefrompng($pic);
        break;
    case 'jpg':
    case 'jpeg':
        $image = imagecreatefromjpeg($pic);
        break;
}
if (!$image) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache");
header("Content-type: image/png");
$color_text = imagecolorallocate($image, 255, 255, 0);
$color_shadow = imagecolorallocate($image, 0, 0, 0);
$color_bg = imagecolorallocate($image, 0, 0, 50);
$text = "http://www.codexsoftware.co.uk/ pwns this site";
$ypos = imagesy($image) /2;
$font_size = 5;
$text_width = imagefontwidth($font_size)*strlen($text);
while (($text_width > imagesx($image)) && ($font_size > 2)) {
    $font_size--;
    $text_width = imagefontwidth($font_size)*strlen($text);
}
$xpos = ceil(imagesx($image)/2) - ceil($text_width/2);
imagefilledrectangle($image, 0, $ypos,iagesx($image), $ypos + imagefontheight($font_size), $color_bg);
imagestring($image, $font_size, $xpos+1, $ypos+1, $text, $color_shadow);
imagestring($image, $font_size, $xpos, $ypos, $text, $color_text);
imagepng($image);
imagecolordeallocate($image, $color_text);
imagecolordeallocate($image, $color_shadow);
imagecolordeallocate($image, $color_bg);
imagedestroy($image);
?>

This code was inspired by this excellent article http://www.alistapart.com/articles/hotlinking/ It has a good explanation of the .htaccess rules and how referrers work, but I liked the idea of returning a modified image rather than an HTML block as it allows me to write amusing messages across bandits’ web pages.

How to get your Linux-based AFP server to show up correctly in Leopard’s new Finder

My Linux server is running Ubuntu 10.10 and the steps I needed to get it working were slightly different, but generally easier since Netatalk seems to have come a long way since that blog post.

sudo -i
apt-get install netatalk
apt-get install avahi-daemon
cd /etc/avahi/services
wget http://www.disgruntled-dutch.com/media/afpd.service
service netatalk restart
service avahi-daemon restart

Worked for me

Apparently you can even use the new Netatalk as a server for Time Machine!

If you’re on an older version of Ubuntu then you might get an error after installing netatalk like this

Starting Netatalk services (this will take a while): nbp_rgstr: Connection timed out
Can't register cctv:Workstation@*

Unfortunately at this stage the system considers the netatalk installation to have failed. I found that in order to make aptitude happy, I had to do this:

apt-get remove netatalk
apt-get install netatalk

The remove instruction still leaves your edited /etc/netatalk/atalkd.conf in place which netatalk uses upon installation. Everything should work fine and aptitude should now stop moaning every time you use it.

Additionally you may want to disable AppleTalk, which (I think) only older Mac OS versions use.

ATALKD_RUN=no
PAPD_RUN=no

Then restart netatalk.

OpenVPN wasn’t an option since the Draytek doesn’t support it so I decided to go with Openswan.  It took me a while to figure out but I now seem to have a rock solid link to my co-workers.  I thought I’d paste my /etc/ipsec.conf file below in case it’s of use to anyone else looking to do something similar.

The Draytek at the other end has its call direction set to “Dial-in” so it’s my router’s responsibility to open the connection.  They use an IKE Pre-Shared-Key to authenticate.  I’ve changed IP addresses below to fictional ones.

version	2.0	# conforms to second version of ipsec.conf specification

# basic configuration
config setup
	interfaces=%defaultroute
	myid=200.200.200.100
	nat_traversal=yes
	oe=no
	protostack=netkey
	syslog=syslog.debug
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12%,v4:!192.168.1.0/24

conn net-to-net
	type=tunnel
	connaddrfamily=ipv4
	authby=secret
	auto=start
	compress=no
	ike=3des-sha1,des-md5
	phase2alg=3des-sha1,des-md5
	phase2=esp
	ikelifetime=3600s
	keyexchange=ike
	keylife=28800s
	keyingtries=%forever
	left=%defaultroute
	leftsourceip=192.168.2.1
	leftid=200.200.200.100
	leftsubnet=192.168.2.0/24
	pfs=yes
	dpdaction=restart
	right=200.200.200.200
	rightid=200.200.200.200
	rightsourceip=192.168.1.1
	rightsubnet=192.168.1.0/24

My StarCraft II beta code came through a few months ago so I decided to log in to my Battle.net account to add the code.  As I tried to log in, the site unexpectedly asked me for an authenticator code.  Blizzard authenticators are devices that are associated with a Battle.net account that produce a code that you have to type in to the web site in order to log in – you may use a similar device for logging in to your online bank account.  As I hadn’t associated an authenticator I was very confused.

I rang Blizzard Europe and discovered that my account had been hacked and that the hackers had associated their own authenticator with my account, preventing me from accessing it.  After they were happy with my identity, they removed the authenticator from my account and advised I associate my own.  They then also advised me that one of my US accounts had been banned and that I had to ring Blizzard US to explain the situation.

To protect my account from further security problems, I decided to download the official Blizzard Mobile Authenticator to my iPhone and used that.  Problem solved, right?

Nope… There has since been a software update for this little iPhone application that has caused it to wipe it’s settings.  This has basically once again left me locked out of my account.  I’ve tried contacting Blizzard Europe by e-mail but I’ve had no response yet.  I’ve tried by telephone and they’re so busy that they’re not even accepting new calls in to their queuing system!

The most annoying thing of all is that the login name for Battle.net accounts are e-mail addresses.  So if you tend to use the same password for various things, such as forums, and someone gets hold of that data then they can look at your e-mail address and the password you used and just use that info to log in to your Battle.net account.

If I can’t rely on the authenticator to work properly then the best idea is going to be to change the password to something I don’t use for anything else at all, and also make it relatively complex since the username doesn’t need to be guessed at all!

After my wife, Becki, had finished hanging out the washing to dry, she came in with Xander.  Marvel followed them around to the side of the house but then decided to hop over the fence and stroll across the park towards the road.  He loved being outside in nice weather and would disappear for days at a time in summer.

Fifteen minutes later a friend from around the corner knocked on our door to tell us that a cat had been run down on the road at the top of my street and that she thought he was ours.  She identified him because of his very large size and distinctive colouring.  I came with her and there lying at the side of the very quiet road is Marvel, surrounded by kids.  Thankfully he was dead, as his injuries were horrific and not something I want to detail here in case my family read my blog.  I can only hope he died instantly.

I didn’t let anyone else in my family see his body because I want them to remember him for who he was and not what became of him.  We have many happy memories of him as we’d raised him since he was a kitten. Xander still calls for him.  He calls “Muh-uh?” while pointing around at the top of the kitchen units to where he’d usually spot him.  I explain to him that Marvel’s gone.  He understands “Marvel” and “gone” but doesn’t understand how Marvel can be gone so keeps calling for him.  It’s heart-breaking.  I’m sure he’ll forget soon as he’s so young but the rest of us won’t.

We live on a very quiet modern housing estate and there are no busy roads around us.  In fact the road that Marvel died on isn’t even properly surfaced yet as the builders are still putting up houses.  The motorist that ran him down didn’t have the humanity to stop.  Instead they left it up to children to find Marvel and take it upon themselves to find his owner.  Eventually the kids knocked on our friend’s door who then identified him.

The law in the UK states that that motorists have to stop if they run over a dog, but cats are not entitled to the same privilege.  I find that ridiculous.  Marvel was a marble Bengal pedigree cat and was bigger than some dogs.  If the law is based on size then they should stop.  If it’s based on the expense of the animal then they should stop.  It makes no sense at all.

We’re all hurting because we don’t know how he died.  It seems unlikely that he just walked in front of a car as he was 4 and a half years old and healthily fearful of cars.  We don’t know if he suffered.  We don’t know because the asshole in the car didn’t stop.  We all miss him and so does his brother, Mynx.

Accidents happen but if you run over a cat or any domestic animal then please stop, because they belong to a family and that family deserves to know what happened.

Update: Just 5 weeks later, our other cat Mynx was hit by a car and killed on the same section of road.  The girl that found him and came to tell us is actually the daughter of our friend that found Marvel.  Mynx and Marvel were brothers of the same age.  I can’t really understand how or why this has happened to them both on such a quiet road within such a short time frame, after having both lived here for 4 and a half years.  I wouldn’t like to calculate the odds on that.

I even considered the possibility that someone had done it on purpose but Marvel was killed in the late afternoon and Mynx was killed in the early morning, and it would be almost impossible to predict when to find a cat in the road.

After Marvel was killed, Mynx didn’t seem to know what to do with himself.  We gave him as much attention as we could to comfort him and every evening he’d cuddle up to our daughter, Brianne, on the sofa.

Usually I’d put the cats in the kitchen before going to bed, but I started letting him sleep on the sofa since he was comfortable.  Mostly because I felt sorry for him.

Once again, Xander doesn’t know what’s happened.  He knows he’s “gone”.  If I say the word “Mynx”, he’ll say “gone all gone”.  Now he looks out of the window for neighbours’ cats in our garden and shouts excitedly when he sees them.

We’ll miss you Mynx and Marvel.  I’m sorry we couldn’t prevent what happened.  It was cruel and unnecessary.  I doubt the motorist on each occasion even saved themselves 30 seconds by speeding along that road.