Blog  


 

    NX - screen for X

    June 26th, 2009

    I was playing around with NoMachine’s NX a bit the other day. My thoughts are “I’m impressed, but…” The display protocol/X11 optimizations do seem to work as advertised. It’s just the interface is somewhat awkward and cumbersome.

    My goal was to have NX running so I could easily and quickly connect to my existing X session when working remotely (think screen, but for X). The only other options I’ve found are VNC, which is horribly slow on a WAN, and things that start a new X session (like ssh forwarding), which is not what I want.

    So, for the most part, NX works fairly well. My desktop was incredibly responsive while connected remotely. There were, however, a few pain points that were enough for me to not want to use NX again until they are fixed.

    Awkward point number one: to be able to connect to an existing session, that session must exist as an NX session. In other words, to use my machine locally, I need to establish a loopback NX connection. This isn’t a huge deal really, as it only really affects the login procedure and I completely understand why it is needed. If this was the only problem, I could easily deal with it.

    Awkward point number two: after establishing a loopback connection, my keyboard mapping was all messed up. This blog post explains how to fix up some key bindings, but the solution described didn’t seem to fix all of the key binding problems. For instance, ctrl-pgdn didn’t work, but oddly enough, ctrl-pgup did.

    Awkward point number three: resolution only seems to downscale. To be fair, I didn’t spend much time investigating this part. What happened is when I connected from home using my laptop, NX quite smoothly scaled my desktop from 1600×1200 to 1440×900. The problem is when I got back to work and made my loopback connection, it didn’t scale it from 1440×900 back up to 1600×1200. I was just left with a 1440×900 desktop in the center of my otherwise empty screen.

    All in all, I like the concept of NX (I love screen after all) but until the interface and ease-of-use matches that of plain, old, ssh, I’m not going to be a full-time NX user. If I can type

    nxclient user@myhost

    and have it do whatever setup it needs to do in order to give me a full desktop, I’ll switch. Until then, I’m stuck on the console with screen.

     

     

    So I like git

    June 6th, 2008

    Okay, so I started using git for my new personal projects. I almost hate to admit that I really like it.

    Just so I can find it again, I’m going to link to a page with some recommendations on commit messages that help make the most out of git. By following these rules, many git features can work even better. Not to mention they make tracking down a particular change easier.

     

     

    Configuring Postfix to reduce SPAM

    April 13th, 2008

    So, SPAM is annoying. We all know that, but what can be done? Well, Postfix (a Unix MTA) has a number of features that help cut down on the crap.

    You can access my entire /etc/postfix/main.cf file verbatim, or take a look below at some anti-SPAM highlights.

    mydestination =
    	abstractlogic.net,
    	sqrt2.abstractlogic.net,
    	localhost.abstractlogic.net,
    	localhost
    relayhost =
    

    These are probably the most important parameters to prevent your host from becoming a spammer’s dream. mydestination tells postfix which domains are handled by this host. relayhost specifies which hosts you will relay for. This should always be empty for small simple mail sites.

    smtpd_delay_reject = yes
    

    This is just an annoyance for spammers. If postfix is going to reject a connection/destination/whatever, it will not do it immediately. This has the effect of slowing down spammers who are trying to hit you, reducing the connection attempts per unit time.

    smtpd_helo_required = yes
    smtpd_helo_restrictions =
    	permit_mynetworks,
    	reject_non_fqdn_hostname,
    	reject_invalid_hostname,
    	permit
    

    Here, the HELO or EHLO message must be the first thing a client says. Also, the host they claim to be must be either (a) on your network, or (b) from a fully-qualified domain name. It is amazing how many spammers use invalid HELO messages.

    smtpd_sender_restrictions =
    	permit_sasl_authenticated,
    	permit_mynetworks,
    	reject_non_fqdn_sender,
    	reject_unknown_sender_domain,
    	permit
    

    This is just a restriction on who can send a message. This is before the message itself is even inspected, so this rule is fairly permissive. Basically, you must have a proper DNS entry or be SASL authenticated to send messages to/through my server.

    smtpd_recipient_restrictions =
    	reject_unauth_pipelining,
    	reject_non_fqdn_recipient,
    	reject_unknown_recipient_domain,
    	permit_mynetworks,
    	permit_sasl_authenticated,
    	reject_unauth_destination,
    	#reject_rbl_client relays.ordb.org,
    	#reject_rbl_client list.dsbl.org,
    	#reject_rbl_client sbl-xbl.spamhaus.org,
    	#check_policy_service unix:private/spfpolicy,
    	#check_policy_service inet:127.0.0.1:10023,
    	check_policy_service inet:127.0.0.1:60000,
    	permit
    

    When the MTA is receiving a message, the message is filtered through this block. It will accept mail coming into one of our networks, or accept mail for anyone if the sending user is authenticated. The commented lines are optional checks against blacklists and various other distributed spam checkers. Policy servers are separate servers running to process mail. I have one enabled on port 60000. This server is a greylist server. It delays SPAM by sending a “try again later” message. Finally, after all other checks have passed, the message is accepted and queued for delivery to whomever it is addressed to.
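A greylist server like the one on port 60000 talks to Postfix over the policy delegation protocol: Postfix sends name=value attributes ended by an empty line and reads back a single action= line. The sketch below is an added example, not the author's policy server or code from the original post; the 300-second delay, the in-memory store and the sample addresses are assumptions.

```python
import time

GREYLIST_DELAY = 300  # seconds a new triplet must wait (assumed value)

def parse_request(raw):
    """Parse one policy request: name=value lines ended by an empty line."""
    attrs = {}
    for line in raw.splitlines():
        if not line:
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs

class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, clock=time.time):
        self.delay = delay
        self.clock = clock
        self.first_seen = {}  # (client, sender, recipient) -> first attempt time

    def decide(self, attrs):
        """Return the action line for one RCPT-stage request."""
        if attrs.get("request") != "smtpd_access_policy":
            return "action=DUNNO"
        triplet = (
            attrs.get("client_address", ""),
            attrs.get("sender", "").lower(),
            attrs.get("recipient", "").lower(),
        )
        now = self.clock()
        seen = self.first_seen.setdefault(triplet, now)
        if now - seen < self.delay:
            # Temporary failure: a real MTA retries later, most spam bots do not.
            return "action=DEFER_IF_PERMIT Greylisted, try again later"
        return "action=DUNNO"  # no opinion; the next restriction decides

    def handle(self, raw):
        """Full reply as sent on the wire: action line plus empty line."""
        return self.decide(parse_request(raw)) + "\n\n"

# Constructed sample request, in the form Postfix sends at RCPT TO.
SAMPLE = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "sender=alice@example.org\n"
    "recipient=bob@example.net\n"
    "\n"
)
```

Because check_policy_service sits after reject_unauth_destination in the list above, the policy server is only consulted for mail the host would otherwise accept.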

    If anyone else has interesting tips/ideas to cut down on SPAM, I’d love to hear about them.

     

     

    getting netatalk to talk

    February 23rd, 2008

    So, my general purpose system is a MacBook Pro. To get it to talk to my (Linux) file server, I am working on installing netatalk. Sure, I could use Samba, but that isn’t a very Apple-like solution :p

    The problem comes when you realize that, under Ubuntu, netatalk doesn’t support DHCAST128 authentication. This is the only authentication method that doesn’t require clear-text passwords to be stored on the filesystem or sent over the wire. To get around this problem, building from source is the only option.

    Last time I ended up downloading the tarball for netatalk and doing a custom build/install to /usr/local. This time around, I thankfully found a nice page that does essentially the same thing, but with the Ubuntu source package. The nice thing about the latter is that dpkg still knows about netatalk.

    The page How to install on Ubuntu with DHX is part of the netatalk wiki and quite helpful.

     

     

    First post of 2008!

    January 1st, 2008

    Okay, it’s a little sad, but my first post of the year is going to be some random complaining. Today, I will complain about Vim 7.0.164 and Linux in general. I was using a lot of

    command | vim -

    on the console, and then I started getting sigpipe (my most dreaded of all signals) every time I ran the command. Turns out, vim was to blame in this case. Any time I tried to open a new instance of vim, it would segfault. I logged out and back in, and vim still segfaulted. I killed all but the essential processes, and vim still segfaulted. I tried as a different user, and vim still segfaulted. Now, at this point I was quite concerned. This shouldn’t happen in general, and it really shouldn’t happen under Linux. The next step was to do the unthinkable–reboot my machine. I’m actually worried that such a Windows-like solution fixed the problem. Or rather, fixed the symptom of a potentially larger problem. Ugh, it’s going to be one of those years.

     

     

    Cleaning Up a Mac

    September 14th, 2007

    I just finished cleaning up my mac. By that, I mean I removed BootCamp so that Windows is no longer polluting my machine. The process was trivially easy. Launch the BootCamp Assistant, say you want to remove the BootCamp partition, reboot. Done.

    The only downside is that next LAN party I will have to install Windows from scratch. Although since I’ve been doing that for every other LAN party, I don’t think it’ll matter that much.

     

     

    Building a Sun

    September 13th, 2007

    Yesterday, my housemate and I sat down and built a Sun server. We basically combined parts from all the old Sun machines we’d been collecting and put the best of the best into one machine. In the end, the specs are:

    • Sun Enterprise 220R chassis
    • 2x UltraSPARC 2 450 MHz processors
    • 1664 MB ECC RAM
    • 6 GB SCSI hard drive
    • 2 GB SCSI hard drive
    • SCSI DVD-ROM drive
    • redundant power supplies
    • 10/100 ethernet

    Our major stumbling point was getting a console on the thing. We couldn’t find a Sun PCI video card to get a console with. So, since Sun servers are amazing, we figured we’d use a serial console. Small problem: the wiring is insane. I had a 9-pin null-modem cable, but the server took 25-pin. I put a 9-to-25-pin adapter on, but then realized the sex was wrong. Finally, the cable was created as follows: Sun -> 25-pin to cat5 -> cat5 -> cat5 to 25-pin -> 25-pin to 9-pin -> null-modem cable -> serial port on other machine. This would have worked fine at first, except I originally used an ethernet cat5. Bad call. For serial, it wanted a 1-1 pin mapping. So, after searching for my crimper, I put some new ends on the wire. This was the last thing that was needed! The terminal emulator we had running on the other machine started getting data and we saw the machine’s open firmware prompt.

    Now today is being spent loading Solaris 10 onto the machine and figuring out what we actually want to use it for.

     

     

    The New Face of Storage

    September 9th, 2007

    So, after 6 years, I’ve decided to replace my fileserver. Originally built in 2001, my first fileserver was a 4U machine with six 80 GB hard drives in RAID 5. Now, with 750 GB in a single drive, it seems much less impressive and is also much less practical. I’ve started loading my DVDs onto the server in preparation for my new media system–this is taking a lot of space. So, as a result of aging hardware and a requirement for more storage, I’ve decided to build fileserver v2.0!


    So far, the only component I’ve purchased is a chassis. This time around, I’m going with a Chenbro RM21508 2U case. I’ve used some Chenbro cases in the past and they are amazing. This one has 8 hot-swap bays on the front which will hold the data; it also has an internal drive bay to house the OS.

    The next step is going to be deciding which motherboard and processor to use. I’m torn on if I want to go “true server” and use a Xeon processor or if I should just go the cheaper route and throw in a Core 2 Duo. Most likely, I will go with the desktop variety of processor, which in turn, will mean a cheaper motherboard and cheaper RAM.

    A good RAID card is key. I’m quite fond of the 3Ware 9650 series cards so I’ll probably end up using their 8 port version. It’s a little cheaper than the Areca card and it’s better quality than the Promise card.

     

     

    A Hard Habit to Break

    September 9th, 2007

    Today I was doing some work for an old client of mine, and, since he uses Windows in his office, I was forced to remember a lot of old keyboard shortcuts. While using the edit program (in a dos window), I was using alt-f,s a lot. I think it must have damaged my brain or something since I just tried to save a file on my MacBook by using alt-f,s! What was I thinking? Next thing you know I’m going to be trying to copy/paste with ctrl/shift insert!

    Also while working today, I was reminded of the *ahem* joys of IRQ conflicts. Trying to get a legacy ISA voice card to work in a modern system is a pain and a half. Trust me on this one. To make matters worse, the card is discontinued, the company that made it no longer exists, and the internet has almost no information on it at all. This makes things…. interesting. Oddly enough, I found out what its hardcoded I/O port was fairly quickly; it just took me two hours to find out that its hardcoded IRQ was conflicting with a plug-and-play device. It sure would have been nice to get a warning instead of just silently not working. Regardless, after finding out this problem and making a few changes to the BIOS settings things were running smoothly.

     

     

    New blog system

    August 2nd, 2007

    Okay, I’ve installed a new system for managing this blog: WordPress. I didn’t really have anything against dotclear except that it lacked some of the fancier features that are implemented as WordPress plugins. Most of this is probably just due to WP having a much larger user base. Anywho, let’s see how this newfangled thing ends up working out.