blog.crox.net

now with IPv6

nospam@example.com (crox) — Mon, 30 Jan 2012 20:23:26 +0100

In anticipation of World IPv6 Day, this website is now fully reachable over IPv6.

VaudTax 2007 sous Gentoo 64 bit (VaudTax linux amd64)

nospam@example.com (crox) — Wed, 03 Sep 2008 00:22:00 +0200

- Lu à plusieurs reprises (mais pas vérifié moi-même) : il est difficile, mais pas impossible, de faire fonctionner VaudTax avec une VM Java 64 bits. (Il faut remplacer le swt.jar fourni par une série de liens symboliques.) Par contre, le format des fichiers sauvegardés n'est semble-t-il pas compatible d'une version 32 bits à une version 64 bits et vice-versa... J'ai donc opté pour la version téléchargeable qui inclut une JVM (32 bits).

- L'installation s'est déroulée sans peine, mais ensuite en exécutant VaudTax j'ai obtenu le message suivant :

Vous devez installer le navigateur Internet Mozilla Firefox afin de pouvoir visualiser l'aide de VaudTax 2007, se référer ici : http://www.eclipse.org/swt/faq.php#browserlinuxrcp

Ne souhaitant pas renoncer à l'aide en ligne, j'ai fini par trouver après de nombreux essais infructueux une procédure qui devrait fonctionner dans la plupart des cas :

- Télécharger xulrunner depuis http://releases.mozilla.org/pub/mozilla.org/xulrunner/releases/1.8.0.1/linux-i686/en-US/ (avec la version 1.9 ça ne fonctionne pas chez moi)

- Décompacter xulrunner-1.8.0.1.en-US.linux-i686.tar.gz dans le répertoire dans lequel VaudTax est installé (chez moi et par défaut : $HOME/VaudTax2007)

- Modifier le script qui démarre VaudTax (chez moi et par défaut : $HOME/VaudTax2007/VaudTax2007) en ajoutant les lignes suivantes juste après #!/bin/sh :

export MOZILLA_FIVE_HOME=$HOME/VaudTax2007/xulrunner
export LD_LIBRARY_PATH=$MOZILLA_FIVE_HOME:$LD_LIBRARY_PATH

Liens utiles :

http://ymartin59.free.fr/wordpress/index.php/2008/02/17/suisse-vaudtax-2007-sur-linux-64-bits/
http://www.eclipse.org/swt/faq.php#browserlinux

Numéro pour vérifier la présélection téléphonique (opérateurs en Suisse)

nospam@example.com (crox) — Wed, 16 Jun 2010 00:53:20 +0200

Composer le 0868 868 868.

VaudTax 2010 avec Ubuntu linux 64-bit

nospam@example.com (crox) — Mon, 18 Apr 2011 17:07:21 +0200

Les instructions pour Linux fournies sur le site officiel ne fonctionnent pas pour moi (Maverick / Ubuntu 10.10 desktop amd64).

Il semble qu'il ne soit toujours pas possible d'importer des fichiers sauvegardés dans une version 32 bit de VaudTax avec la version 64 bits, et vice-versa (crash de VaudTax avec une erreur cryptique [1]). Deux options, soit recommencer sa déclaration sans importer les données de l'année précédente, soit faire tourner VaudTax avec une JVM 32-bits ([2]). Pour l'instant j'ai toujours opté pour la deuxième variante. Jusqu'à l'année passée (VaudTax2009), on pouvait télécharger une version incluant une JVM (32-bits), cette option n'est plus disponible mais il est toujours possible d'arriver au même résultat :

1ère étape, avant de commencer le processus d'installation :

$ sudo update-alternatives --config java
There are 3 choices for the alternative java (providing /usr/bin/java).

  Selection    Path                                       Priority   Status
------------------------------------------------------------
* 0            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061      auto mode
  1            /usr/lib/jvm/ia32-java-6-sun/jre/bin/java   63        manual mode
  2            /usr/lib/jvm/java-6-openjdk/jre/bin/java    1061      manual mode
  3            /usr/lib/jvm/java-6-sun/jre/bin/java        63        manual mode

Press enter to keep the current choice[*], or type selection number: 1
update-alternatives: using /usr/lib/jvm/ia32-java-6-sun/jre/bin/java to provide /usr/bin/java (java) in manual mode.

(si l'option JVM 32-bits n'apparaît pas, il faut d'abord installer le paquet ia32-sun-java6-bin)

Une fois VaudTax installé, il faut télécharger et décompacter xulrunner :

$ cd $HOME/VaudTax2010
$ wget http://releases.mozilla.org/pub/mozilla.org/xulrunner/releases/1.9.2.16/runtimes/xulrunner-1.9.2.16.en-US.linux-i686.tar.bz2
$ tar -xpf xulrunner-*

Finalement, il faut encore modifier le fichier VaudTax2010 en ajoutant ces deux lignes juste après `VM_SEARCH_PATH="$PATH"' :

export MOZILLA_FIVE_HOME=$HOME/VaudTax2010/xulrunner
export LD_LIBRARY_PATH=${LD_LIBRARY_PATH}:${MOZILLA_FIVE_HOME}

Note : une fois VaudTax2010 installé, on peut exécuter à nouveau "sudo update-alternatives --config java" pour rétablir la configuration initiale - les paramètres sont en effet enregistrés dans le fichier VaudTax2010.lax

[1]

The program 'SWT' received an X Window System error.
This probably reflects a bug in the program.
The error was 'RenderBadPicture (invalid Picture parameter)'.
  (Details: serial 5455 error_code 161 request_code 149 minor_code 7)
  (Note to programmers: normally, X errors are reported asynchronously;
   that is, you will receive the error a while after causing it.
   To debug your program, run it with the --sync command line
   option to change this behavior. You can then get a meaningful
   backtrace from your debugger if you break on the gdk_x_error() function.)

[2] la troisième variante serait d'étudier le format de fichier produit par chacune des versions pour créer un outil de conversion

IPv6 test websites

nospam@example.com (crox) — Mon, 23 Jan 2012 00:33:00 +0100

http://ipv6-test.com/ (also has a speed test, shows your MAC address when available)

http://test-ipv6.com/ (provides detailed technical info and "readiness score")

http://whatismyv6.com/ (IPv4 only, IPv6 only)

http://www.whatismyipv6.net/ (provides traceroute and ping, also suports IPv4)

Enabling IPv6 Privacy Extensions on all interfaces (Ubuntu Linux, may work for other distros too)

nospam@example.com (crox) — Mon, 23 Jan 2012 00:22:01 +0100

According to the Wikipedia IPv6 article, Privacy extensions are, except for the Windows platform and Mac OS X since 10.7 as well as iOS since version 4.3, not enabled by default.

In theory, one can enable the IPv6 Privacy Extensions on all interfaces at once using sysctl like this:

sudo sysctl net.ipv6.conf.all.use_tempaddr=2

However, this currently doesn't work as expected, so I'm using this one-liner in /etc/rc.local:

for IF in `/bin/ls /proc/sys/net/ipv6/conf/*/use_tempaddr` ; do echo 2 > $IF ; done

This also sets "use_tempaddr" for "default", which means it should also apply to interfaces added to the system afterwards.

A simple check to verify that the new configuration is working: ipv6-test.com will print your MAC address when available...

See also: Linux Kernel Bug 11655

bash: how to send output to the console and through a pipe at the same time with tee

nospam@example.com (crox) — Fri, 01 Apr 2011 16:51:51 +0200

Let's say you want some output to be echoed to the console but also to be passed to a pipe. Specifically, in my case I wanted a message to be displayed to the user and also to be sent to syslog. You could of course just print it twice, but in some cases it's not possible, or it makes it more complicated than it should be.

There is a simple solution with tee:

echo "a test" | tee >(logger)

gulp - tcpdump alternative for lossless capture on Linux

nospam@example.com (crox) — Mon, 28 Feb 2011 00:37:54 +0100

tcpdump and wireshark are the tools that usually come to mind when you have to capture network traffic. But in some situations where you have to record a large amount of data and you want to avoid losing packets, tcpdump has some limitations. When I was hit myself by the tcpdump packet loss problem, I quickly found out that I was not alone and that a number of people had already researched the topic and/or provided alternatives.*

In particular, I found two different tools to perform the task: Corey Satten's gulp (http://corey.elsewhere.org/gulp/) and lindump from HP Labs (http://tesla.hpl.hp.com/opensource/)

I also found two interesting papers about capturing high volumes of traffic: http://www.usenix.org/events/fast09/tech/full_papers/anderson/anderson_html/ and http://docs.di.fc.ul.pt/jspui/bitstream/10455/3299/1/thesis-nhenriqu.pdf (the second quotes the first one among others, and also contains useful info to optimally spread the load among different cores)

After some tests I quickly became a happy gulp user, and thanks to the software being open source I was able to add features to it that I missed from the latest tcpdump versions:

-n - allows to change the default filename template
-t - allows to add a timestamp to the filename
-G - rotate pcap file every n seconds
-F - allows to skip the check for an ethernet interface

I've sent a patch to Corey Satten, who intends to setup a repository to hold the various contributions he gets for gulp. In the meanwhile, you can find my changes in the attached file (02-gulp-ntGF.patch.gz). For your convenience and for completeness, I also provide here the patch from Guy Harris that fixes issues on 64 bit systems (see http://seclists.org/wireshark/2009/Oct/105, apply that one first).

* other people have reported a performance drop with libpcap version 1.0 compared to previous builds, see http://thread.gmane.org/gmane.network.tcpdump.devel/4629 or http://seclists.org/tcpdump/2010/q3/index.html#11

Linux: enable encrypted swap (Ubuntu / Debian)

nospam@example.com (crox) — Mon, 15 Nov 2010 22:40:37 +0100

1. create and enable a "regular" swap partition (fdisk / mkswap / swapon)

2. install ecryptfs-utils and run ecryptfs-setup-swap

sudo apt-get install ecryptfs-utils
sudo ecryptfs-setup-swap

Thunderbird - change default message forward mode from "inline" to "attached"

nospam@example.com (crox) — Sun, 10 Oct 2010 20:48:42 +0200

For years the default behaviour in Thunderbird had been to forward e-mails as attachments, but at some point it was changed to "inline". You can still manually choose how you'd like to transfer a message by going to "Message" -> "Forward as", but I couldn't find a way to set the default in the preferences.

There is, however, a way to change it without messing with manual edit of config files. Go to "Preferences" -> "Advanced" -> "Config Editor...", and look for "mail.forward_message_mode". 0 is for "attached", 2 is for "inline".

hping - [send_icmp] Unsupported icmp type

nospam@example.com (crox) — Fri, 17 Sep 2010 22:47:01 +0200

When performing tests you may sometimes want to send specially crafted icmp packets. hping is a handy tool for that.

However, the default behavior is to refuse to send "unsupported" Type/Code combinations. eg

hping3 -c 1 --icmp -C 33 -K 0 192.168.70.1
HPING 192.168.70.1 (wlan0 192.168.70.10): icmp mode set, 28 headers + 0 data bytes
[send_icmp] Unsupported icmp type!

Fortunately, there is an (undocumented) --force-icmp option that you can add to bypass the check:

hping3 -c 1 --icmp --force-icmp -C 33 -K 0 192.168.70.1
HPING 192.168.70.1 (wlan0 192.168.70.10): icmp mode set, 28 headers + 0 data bytes

--- 192.168.70.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Linksys WAG200G-EU stops routing UDP after a while (scripted reboot how-to)

nospam@example.com (crox) — Fri, 07 Mar 2008 11:04:25 +0100

It seems that after having been up for a couple of days, the WAG200G starts having issues routing UDP packets properly. This particularly affects VoIP traffic (here IAX2 on port 4569). The symptoms are that "regular surfing" works flawlessly, but the registration with the asterisk server fails. tcpdump shows no traffic on the server side. Restarting the WAG200G immediately solves the problem.

Here is how I restarted the router from the command line:

wget --http-user=admin --http-password=pa55w0rd \
     --post-data='reboot=1&save=Enregistrer+les+param%E8tres&todo=reboot&h_reboot=1&this_file=Reboot.htm&next_file=index.htm&message=' \
     http://192.168.0.1/setup.cgi

(replace password and IP address as appropriate)

pfSense dropping packets from specific hosts (outdated bogons lists)

nospam@example.com (crox) — Thu, 16 Sep 2010 23:14:52 +0200

After a fresh pfSense install, I found out that traffic from specific hosts was being dropped when it should have been allowed based on the firewall rules I defined.

It turned out that the option "block bogon networks" was activated on the WAN interface, and that fresh pfSense images come with a slightly outdated bogon list.

If you are facing this problem, you have three options:

1. disable the "Block bogon networks" option at the bottom of the WAN interface page

2. after at most one week, the list will be updated automatically as long as the box is online (there is a cron entry, grep your config file for bogon)

3. if you don't want 1. and can't wait for 2, you can trigger the update process manually by running:

/etc/rc.update_bogons.sh 0

Check the output from the Status -> System Logs -> System page (I ran it from a serial console, but it should work fine by ssh or from the exec.php page too)