Monday, January 21, 2008

Conquering the Network

Yesterday, I managed to do the most significant accomplishment in this month (year). I got my network working correctly. Previously, my wireless network consisted of the modem connected through a LAN port on my router, which essentially caused it to behave like a hub:
                       _______
          ____         |      |
Internet  |    |=======|LAN   | (((|)))
==========|____|       |      |    |
          Modem        |______|----|
                        Router
This worked for internet access, but not for the more advanced features of networking. For example, port forwarding is not possible, nor is firewalling. The reason is that the modem is essentially doing all of the networking. If we have the router do its job as well, we get a problem called "double NATting", which essentially screws up the internet. Now, for about a month, I was attempting to correct this, but for some reason it didn't work. My ISP uses PPPoE for providing internet, and as much as I tried, I could not find out how to get the router to connect to the ISP. Then I ran into this guide (from my router manufacturer, duh). Of course, this isn't the first time I tried following it, but it is the first time I followed it entirely and successfully. It turns out that getting your router to connect to your ISP correctly is an elaborate ritual of making sure things turn on and off at the right times. I'll show you what I mean.

Now, most importantly, you have to get the modem into bridge mode. This is easy in the original network, because typing the address of the gateway takes me to the modem. I go to the PPPoE page and select bridge mode. One thing that I forgot to do was to hard reset the router (to factory defaults). I thought it was just a hard reset, but I needed to get back to factory defaults. That was important. Next thing: my router had an extra field in it that wasn't addressed in the guide, called "MAC address". This was a fairly ambiguous field. Does it mean the MAC address of the router? It should already know that. Is it the MAC address of the modem? It doesn't work when I do that. Well, when I reset it to factory defaults, the question was answered: it was the MAC address of the router. After all that is set up begins the dance of toggling the modem and router on and off. First you unplug the router, then turn off the modem, then turn ON the modem, then repower the router. Once I did that intricate dance, the router would connect via PPPoE. Once I got that done, here's what my network looks like:

                       _______
          ____         |      |
Internet  |    |=====  |      | (((|)))
==========|____|     \=|WAN   |    |
          Modem        |______|----|
                        Router

Now that the modem is connected to the WAN port, the way it SHOULD be, I can take advantage of all of the services the router provides, such as firewalling and port forwarding. However, I'd still have to use the router's interface to do that stuff, and after my history with it, I want to mess with the router as little as possible. It turns out that with one service on the router, I can take care of both of those.

Most routers have an option called the Demilitarized Zone (DMZ). This is the host to which the router sends all of the inbound packets that no firewall or port-forwarding rule claims. Usually there is nothing in there, so those packets get dropped. Now, in my network, I'm the only one who takes advantage of all of those services. The other family members, not so much. So I figured: rather than deal with the router's firewall, I move my machine to the place the firewall doesn't protect, i.e. the DMZ.

Now, going to the DMZ without any protection is .... well, kinda stupid. You're leaving the haven of the router firewall for the malicious world of the unadulterated internet. So you need your own protection. Luckily, most Linux distributions ship with a VERY good firewall called iptables. Since we're in kinda paranoia mode, we want to set iptables to drop by default. You do this by typing:
sudo iptables -P INPUT DROP
Next, we don't want to be TOTALLY isolated. If a session has already been established, we want to let its packets through. You do this with
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
That reproduces what the router's firewall was doing. Now, if I want to forward ports, I put individual rules in it. For example, to let ssh in, you put
sudo iptables -A INPUT -p tcp --dport ssh -j ACCEPT
This lets the port for ssh right through. Instead of ssh, you can also put the port number (22); it'll still work. The Ubuntu wiki has a more thorough discussion of iptables.

One last thing. These rules will disappear when you restart. The wiki article has more details on how to make the rules permanent, but here's my favorite way. Put these lines under the iface stanza for your interface in /etc/network/interfaces:
pre-up iptables-restore < /etc/iptables.rules
post-down iptables-save > /etc/iptables.rules
This makes sure that ALL of your changes are saved. Since I plan to have iptables change a lot, this is how I like it.
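So that the ruleset doesn't have to be retyped by hand, here is an added example (not from the original post) that writes the rules above in the format iptables-restore reads, ready to be saved as /etc/iptables.rules for the pre-up hook. It also adds a loopback ACCEPT rule, which the rules above lack and which a DROP policy otherwise breaks; the port list and the build_rules/count_open_ports names are this example's own.

```shell
#!/bin/sh
# Added example: emit the DMZ-host ruleset described in the post in
# iptables-save format. Argument: space-separated list of TCP ports to open.
build_rules() {
    ports="$1"
    echo '*filter'
    # Paranoia mode: drop everything inbound unless a rule below accepts it.
    # Outbound traffic from this host stays allowed.
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD ACCEPT [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    # Loopback must be accepted explicitly, or local services (a local DNS
    # cache, X, anything talking to 127.0.0.1) stop working under DROP.
    echo '-A INPUT -i lo -j ACCEPT'
    # Let replies to sessions this host started back in.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    # One ACCEPT per service exposed from the DMZ host (e.g. 22 for ssh).
    for p in $ports; do
        echo "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    echo 'COMMIT'
}

# Count how many TCP ports a generated ruleset opens (a quick sanity check
# before loading it: only the services you meant to expose should appear).
count_open_ports() {
    build_rules "$1" | grep -c -- '--dport'
}

# Usage (as root): build_rules "22" > /etc/iptables.rules
#                  iptables-restore < /etc/iptables.rules
```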

Saturday, January 19, 2008

ATI and AIGLX? Can it be?

Like most ATI users, I needed to use XGL in order to get the pretty eye candy like compiz. And XGL has a reputation of being bloated and really clunky and memory-intensive. However, I was content with that because there was no other choice. ATI didn't give any sorts of drivers to allow AIGLX (Accelerated Indirect GLX) until recently. I chanced upon an announcement in Linux Pro Magazine that ATI released new drivers which enable "preliminary" AIGLX support. If you have an ATI Radeon X1000, X800, X700, X550/X300, or any of the 9800, 9700, 9600, and 9500 series, this driver will be able to help you. I have a Radeon 9550, so I fit in (barely). The article was talking about the release of the Catalyst 7.10 drivers, but ATI has already moved to 8.1, so that's what we'll be dealing with. And this guide will probably keep working as the version numbers go up and up.

Now, the first thing to do is to get the updated driver from AMD's web site. Select Linux and your video card, and you should be directed to the driver. Download it and, if you'd like, make a separate folder for it and move it in there after it's done, because we're gonna get kinda messy:
mkdir ~/ati
mv ~/Desktop/ati-driver-installer-8-01-x86.x86_64.run ~/ati
cd ~/ati
Now we follow the steps on the Ubuntu Wiki to install the driver:
chmod +x ati-driver-installer-8-01-x86.x86_64.run
./ati-driver-installer-8-01-x86.x86_64.run --buildpkg Ubuntu/gutsy
This creates a series of .deb packages which we can now install using dpkg. So, we do that right now:
sudo dpkg -i fglrx-kernel-source_8.452.1-1_i386.deb
sudo dpkg -i xorg-driver-fglrx_8.452.1-1_i386.deb
Now run
sudo aticonfig --initial
to rebuild your /etc/X11/xorg.conf file. If it says it didn't do anything, that's fine.

Reboot, and then you should get something like this:
$ fglrxinfo
display: :0.0 screen: 0
OpenGL vendor string: ATI Technologies Inc.
OpenGL renderer string: ATI Radeon 9550 / X1050 Series
OpenGL version string: 2.1.7276 Release
This completes the ATI binary installation. Now we move on to AIGLX with compiz. This part I borrowed heavily from CombatWombat, but a lot of his steps were kinda unclear to me, so I hope to clear them up. First, follow this tutorial on the Ubuntu forums (it's around the bottom, by michael37. It has big headline-y letters. You can't miss it), but DO NOT install xserver-xgl. In fact, you should probably uninstall it if you have it. You won't be needing it.

Now, you need to edit the file /usr/bin/compiz using a text editor. There, you need to add fglrx to the whitelist. You do that by finding the line (around line 54) that says WHITELIST= and has a group of keywords. Add fglrx to that group, separated from the others by whitespace. So it should read (or mine reads):
WHITELIST="nvidia intel ati radeon i810 fglrx"
The next thing is to remove your video card from the blacklist which should be right under the whitelist. If you don't know which line is your card, you can figure it out by typing
compiz --replace
in a terminal if you don't have XGL. It should fail and tell you which one is on the blacklist. When you figure that out, comment out the line by placing a "#" without quotes in front of it. Any time you upgrade compiz, you'll have to do this again. But it's not too bad.
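Since the whitelist and blacklist edits have to be redone after every compiz upgrade, here is an added example (not from the original post or the compiz project) that automates them. It assumes the wrapper script has a WHITELIST="..." line with a one-card-per-line blacklist below it, as described above; the sample file, the card ID 1002:abcd and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: re-apply the two /usr/bin/compiz edits after an upgrade.

# Write a constructed stand-in for the relevant part of /usr/bin/compiz.
make_sample() {
    cat > "$1" <<'EOF'
WHITELIST="nvidia intel ati radeon i810"
# Blacklisted cards (constructed sample, one per line)
1002:abcd
8086:1234
EOF
}

# Append fglrx to the WHITELIST= line unless it is already listed.
whitelist_fglrx() {
    f="$1"
    if grep '^WHITELIST=' "$f" | grep -qw fglrx; then
        return 0
    fi
    sed 's/^WHITELIST="\([^"]*\)"/WHITELIST="\1 fglrx"/' "$f" > "$f.tmp" &&
        mv "$f.tmp" "$f"
}

# Comment out the blacklist line for the given card ID (the one that
# "compiz --replace" complains about). The WHITELIST line and lines that
# are already comments are left alone.
unblacklist_card() {
    f="$1"; card="$2"
    sed -e '/^WHITELIST=/b' -e '/^#/b' -e "/$card/s/^/#/" "$f" > "$f.tmp" &&
        mv "$f.tmp" "$f"
}

# Succeed only when fglrx is whitelisted and the card has no active
# (uncommented) blacklist entry; handy to check after an upgrade.
is_ready() {
    f="$1"; card="$2"
    grep '^WHITELIST=' "$f" | grep -qw fglrx || return 1
    ! grep -v '^WHITELIST=' "$f" | grep -v '^#' | grep -q "$card"
}

# Usage on the real script (as root):
#   whitelist_fglrx /usr/bin/compiz
#   unblacklist_card /usr/bin/compiz <ID reported by compiz --replace>
```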

So now we've got the compiz script running; now it's time to edit the /etc/X11/xorg.conf file. There are two ways of doing this: the way CombatWombat did it (I'm not too sure if it works), and the way the Ubuntu Wiki did it. Since the Wiki is pretty self-explanatory, and I'd like to know if CombatWombat's way works, I'll show you how to make his edits. Underneath the Section "Module" ... EndSection block, put
Section "ServerFlags"
Option "AIGLX" "on"
EndSection
Where it says "Section "Device"", add to the end:
Option "VideoOverlay" "on"
Option "OpenGLOverlay" "off"
Option "DRI" "true" #
Option "ColorTiling" "on"
Option "EnablePageFlip" "true"
Option "AccelMethod" "EXA"
Option "XAANoOffscreenPixmaps" #
Option "RenderAccel" "true"
Option "AGPMode" "4"
Option "AGPFastWrite" "on"
Option "KernelModuleParm" "agplock=0"
Option "UseInternalAGPGART" "no"
Option "EnablePrivateBackZ" "no"
Option "DisableGLXRootClipping" "true"
Option "AddARGBGLXVisuals" "true"
Option "AllowGLXWithComposite" "true"
Option "mtrr" "on"
The ones with hashes are the ones you REALLY need. The rest are other options I guess. And at the end of the file, where the Section is "Extensions", change the line to
Option "Composite" "Enable"
And at the very end, put this section:
Section "DRI"
Mode 0666
EndSection
And now just restart X and you should be able to enable compiz without XGL. This guide may not be exactly right, because I messed with A LOT of things while troubleshooting, and I tried to trim it down to what is REALLY needed. If you get problems, feel free to leave a comment. If your X dies, type
sudo dpkg-reconfigure -phigh xserver-xorg
from the command line to rebuild the X server configuration so that it works again, and tell me what went wrong, so I can make corrections. If X doesn't die but compiz doesn't work, run
compiz --replace
and post the output. Thank you!

Saturday, January 12, 2008

Ron Paul

Terras kinda sums up my views of Ron Paul quite well. However, I'll elaborate on some of the things that particularly tick me off.

For one thing, disabling the EPA IS NOT a good idea. Even though the EPA has been giving my state a bit of trouble, it has a vast responsibility and, to be truthful, I don't trust private enterprises or the people to take that responsibility. The whole point of regulation is to prevent disease before it happens (ideally this would happen if we allowed the EPA to do its job instead of strangling it). In none of the times when public health was compromised did the people manage to quickly solve it without the loss of life. Take the EPA's List of Lists: it was painstakingly compiled from decades of science which showed those chemicals to be hazardous. And the thing about most of those chemicals is that their effects are not immediate. It's not like a factory that dumps poison in the water, which causes everyone to get sick at the same time. People could be consuming some of those carcinogens for decades without feeling effects. Only when people start getting cancer or other diseases will they be aware that they are being contaminated. By then, it's far too late to file a lawsuit! The whole town has already been exposed for years to the carcinogen and will have to live with it for the rest of their lives. Had the EPA been monitoring the air and water, the chemical would have been found before it caused damage to people. Of course, this probably follows the inner selfishness of libertarianism, where as long as it's not you that's at risk, it's OK.

Now, Ron Paul also has the same attitude toward the FDA. Orac has this covered VERY well. However, there are MANY more examples of why we need the FDA to regulate and why mere lawsuits will NOT work. During the Bush administration, the FDA has taken a hit to its budget and power similar to the EPA's, which led to less effectiveness. For example, take the whole thing with poisoned dog food. The FDA is currently under a huge shortage of inspectors (due to budget cuts and a transfer of regulation to private enterprise which is NOT working), so there are currently many food hazards coming into this country. I'm just using the dog food as an example. The only reason it was eventually recalled was that numerous pets died after eating it. I don't know about you, but I would rather regulate my food instead of risking it killing me. And that's just the food portion of the FDA; to see what he'll do to medicine, I'd recommend reading Orac's post.

The next craziest thing Ron Paul has come up with is wanting to dismantle the Federal Reserve, which is one of the worst ideas in American history. This is one thing that I can definitively say has been tried and was a HORRIBLE idea. Back in the 1830s, President Andrew Jackson succeeded in destroying the Second Bank of the United States, which was essentially the Federal Bank at the time. Afterwards:
The destruction of the Bank loosed American enterprise from its only central restraint. Gorged with federal deposits and with no one to control their note issues, state banks went on a lending spree that built up a speculative bubble and ended, just as Jackson left office in 1837, in a sickening crash.
The destruction started almost two hundred years of extreme boom/bust cycles in the economy. It wouldn't be until Lincoln temporarily resurrected the bank to finance the Civil War and Roosevelt finally established the Federal Reserve in 1913 that the American economy was finally stabilized. Now, in this period of even MORE globalization, I can imagine that the destruction of the Federal Reserve will have even GREATER consequences, and that again is one risk I DO NOT want to take.

Friday, January 04, 2008

The Awesome Clock of Awesomeness

From those people who brought you ......... nine! Comes the clock which is made out of nines!
[Oooohhhh Aaaaahhhhh]

This would be an excellent present to give to a math teacher who you appreciate! Only $12.50! Unfortunately, the very fact that it costs money brings the probability of me buying it close to zero. But it's still a VERY cool item!

Telescope tip to Phil!