nested pf.conf macros

Many of my FreeBSD servers are not behind a firewall.  They sit naked on the Internet, and I protect their services with PF.  I have several “trusted” networks, and want to use them in macros.  Keeping track of several networks in a macro is error-prone, however.  Previously, I used macros like this one:

#lucas_house=10.20.20.0/28
#main_office=192.168.1.0/25
#monitor=17.16.1.1
#boss_house=10.20.30.0/24
mgmt_networks = "{ 10.20.20.0/28, 192.168.1.0/25, 172.16.1.1, 10.20.30.0/24 }"

This meant entering each IP address twice.  Complicated numbers hurt my feeble brain, and the result is errors.  Entering each address multiple times is begging for an error.  I found that you can nest macros, however, with careful placement of single and double quotes.

lucas_house='"10.20.20.0/28"'
main_office='"192.168.1.0/25"'
monitor='"17.16.1.1"'
boss_house='"10.20.30.0/24"'
mgmt_networks = "{" $lucas_house $main_office $monitor $boss_house "}"

Note that each address is in double quotes ("), enclosed by single quotes (').  The single quotes keep the double quotes as part of the macro's value, so when the inner macro is expanded pfctl reads the address back as one quoted token instead of splitting it at the slash.  In the mgmt_networks macro, put double quotes around the enclosing braces. This is in the man page example, but you have to look very closely at it.

I can then allow SSH, SNMP, SIP, etc, from my management networks to the server, and my addresses will be consistent.
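A small pf.conf that applies the pattern end to end, with the management rules described above. This is an added example, not the original post's ruleset; the interface name, the address used for monitor, and the SIP port are assumptions.

```pf
# Added example, not the original post's ruleset: a FreeBSD host with no
# upstream firewall, protecting its own services with nested macros.
# Interface name, the address of "monitor" and the SIP port are assumptions.
ext_if = "em0"

# Inner macros: double quotes inside single quotes.  The single quotes keep
# the double quotes in the stored value, so each expanded address is read
# back as one quoted token when mgmt_networks is defined.
lucas_house = '"10.20.20.0/28"'
main_office = '"192.168.1.0/25"'
monitor     = '"172.16.1.1"'
boss_house  = '"10.20.30.0/24"'

# Outer macro: the braces are quoted, the inner macro references are not.
mgmt_networks = "{" $lucas_house $main_office $monitor $boss_house "}"

set skip on lo0
set block-policy drop

# Default deny inbound; outbound traffic from the host itself is trusted.
block in log on $ext_if
pass out on $ext_if keep state

# Management services reachable only from the trusted networks.
pass in on $ext_if proto tcp from $mgmt_networks to ($ext_if) port ssh keep state
pass in on $ext_if proto udp from $mgmt_networks to ($ext_if) port { snmp, 5060 } keep state

# Public services stay open to everyone.
pass in on $ext_if proto tcp from any to ($ext_if) port { http, https } keep state
```

Check the file with `pfctl -nvf /etc/pf.conf` before loading it: `-n` parses without loading and `-v` prints each rule as parsed, with the address lists expanded, so a typo in one inner macro is visible in the printed rules rather than discovered at load time.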

price points in the kindle/paper war

(Disclosure:  I have a Kindle, and I think it’s fabulous.  My newer books are available on Kindle. I expect that everything I write from now on will also be on Kindle.)

As an author, I think ebooks should be cheaper than paper books.  Ebooks are an inferior product.  Yes, you can get them more quickly, but you don’t actually get a book: you get a license to have a copy of a book attached to your account.  You can’t resell ebooks.  You can’t loan them out. You can’t express your disgust by using them as toilet paper.   Anyone in the IT industry knows the difference between owning a piece of software and licensing it.

When ebooks are more expensive than a hardback, people who have “invested” in an ebook reader become angry.  Amazon has many 1-star reviews of ebooks because the price is above that of a hardcover.  This leads to angry emotional arguments from both sides.  You can see lots of reader arguments on Amazon, and then there are publishers’ arguments like this one from the SFWA.  But buried in the recent SFWA post are a couple of interesting facts that aren’t getting enough attention:

  • ebook prices are set by the publisher
  • physical book prices are set by Amazon

Amazon specifically dislikes the agency model under which books are sold.  They tried to use a more traditional model, but were forced out of that.  All indications are that Amazon is very unhappy about the agency model.

Amazon discounts their books under a formula known only to Amazon.  One side effect of this is that ebook devotees are angered by the price differences — and they’re getting angry at the publisher, not at Amazon.  And Amazon has previously used paper books as loss leaders.

I cannot say that Amazon is deliberately feeding this anger by choosing to price hardbacks slightly below the publisher’s ebook price.  But they make a point of labeling ebook prices as “set by the publisher,” where they don’t say that hardback prices are “set by Amazon.”  I think it’s fair to say that Amazon is aiming the anger.

And for those folks who say that publishers need to die, preferably soon:  I wholeheartedly disagree.  My books would not be nearly so good without my publisher.

Finally, on a completely different topic, but still about writing:  There’s a popular article kicking around now about reasons to date a writer.  I wanted to do a corrected, realistic version, but thankfully it’s already been done.

More NFA reviews…

I don’t want to do a separate blog post for every review of Network Flow Analysis that comes out.  But it seems that I haven’t posted any for two months now.  If I’m going to batch these, I need to figure out a happy medium, say, every month or so.  Of course, now that the book has been out for a few months, the number of reviews is going to decline rapidly.

But to catch up: there have been reviews at javaranch, from Henrik Kramshøj, from the Linux Users of Australia,  a few comments in Japanese, from Utah, and the Security and Risk blog.  There’s also a review in the illustrious Dr. Dobb’s.  Back in the day, Dr. Dobb’s was The Source for geek stuff.  A positive review there makes me feel like I have Arrived, that I am Someone of Substance.  Woo for me!

I’d like to thank all the folks who took the time to review NFA.

A writer’s view on the OOo/LibreOffice split

I started writing books on computers in the 1980s.  I used a Commodore plus/4, a Macintosh Classic, a mid-90s Mac laptop, and assorted UNIX boxes.  This assortment of platforms has taught me something important:  as an author, I don’t want my writing tied to any single software vendor.  My documents should be in a format that I can easily access on any operating system or platform.  This excludes proprietary solutions, such as the Commodore plus/4’s text editor, MacWrite, or Microsoft Word.

OpenOffice interested me right away.  I could write and mark up documents, and they would be stored in XML.  Even if OOo died tomorrow, I could find a Perl script to extract my text.  Oracle buying Sun, and getting OOo with it, is enough to make the paranoid angels who live in the back of my head start their chorus.  Oracle cannot take away the software that’s freely available today, but Oracle has absolutely mastered the proprietary software business model.  Oracle is excellent at extracting every possible dollar from every available asset.  And Oracle is smarter than I am.

That’s why the new Document Foundation LibreOffice interests me.  It’s a proactive move to block Oracle from dominating the free office suite space.  (I’d like to commend the Document Foundation on not waiting for Oracle to toss them overboard.)  And the Document Foundation is sponsored by several companies who have publicly committed to, and are even built upon, an open-source ecosystem.  I downloaded and installed LibreOffice on my laptop.

LibreOffice is supposedly the latest OpenOffice, plus fixes for many long-standing bugs that outside developers couldn’t get into the main OpenOffice code.  They’ve replaced the Oracle logos in the latest OOo update, and the window decorations are slightly different.  The LibreOffice beta looks and feels just like OOo.  OOo crashed on me every few weeks, and I haven’t run LibreOffice long enough to reproduce such a crash, but on the whole it seems perfectly fine.

My one complaint is that LibreOffice didn’t import my OOo dictionary.  I write many documents with specialized vocabulary, and I spent a great deal of time getting everything into my OOo spellcheck dictionary.  LibreOffice means that I have to start over.  In the grand scheme, however, this is a minor annoyance compared to the threat that Oracle poses to my writing.

The Document Foundation has stressed that they are not offering an OOo fork.  Oracle is welcome to join with them, or otherwise demonstrate their good intentions.  I feel confident in predicting that in 2012, however, LibreOffice will be a better choice than OOo.

opennebula with one iscsi target per VM

OpenNebula users know that NFS is just too slow for virtual machine disk images.  Fiber Channel works, but is too expensive for me.  Rather than deal with disk image speed issues, I’m using NFS on ZFS for file storage and booting my systems diskless.  Diskless servers have a lot of advantages, but speed isn’t one of them.  This is fine for most applications, but a few things (databases come to mind) perform better on a speedy disk.  I want the ability to use diskless machines where appropriate, but use cheap networked disk when necessary.  Ideally, I want iSCSI on top of ZFS.  Short of ideal, I’ll take iSCSI any way I can get it.  I want the virtualization server to attach to the iSCSI target, and then offer that target to the VM as if it were a local disk.

There’s an alpha one-iSCSI-target-per-VM transfer manager driver.  It’s intended for a Linux iSCSI server, which I don’t have and don’t intend to run.  Instead, I have a stack of cheap NAS appliances.  Here’s how I got one target per VM running in my OpenNebula instance.

forthcoming video interview

I’ve been asked to do an interview on AT&T’s Tech Channel.  I’m no Steven Bellovin, but what the heck.  It’ll be recorded in NYC on 11 November 2010, the day before NYCBSDCon starts.  No idea when it’ll actually be available.

The TechChannel shows are available online.  It seems that they’re also used as content snippets in real TV shows.  One day, if I’m lucky, my head will appear on a TV near you, with a text label beneath it and my words taken completely out of context.  Probably in a faux-reality TV show about ghost hunting or something.  Ah, fame at last…

Network collisions running hosts under KVM

I use KVM and OpenNebula on Ubuntu for virtualization. Getting such a cluster up and running is easy, but making it perform well takes much more work.  Many times, the statement “my virtualization cluster works well” is equivalent to “I’m not paying attention.”  My FreeBSD hosts help point out problems, though.  All of my FreeBSD servers send me a daily email to tell me they’re still alive and to point out potential issues.  That’s how I found out I was getting network collisions on my virtualized hosts, and here’s how I investigated them.

Short story by yours truly published

My short story Wednesday’s Seagulls was just posted on short-story.me.

For those who wonder why I don’t publish more fiction:  I have this weird idea that I should get paid for my work.  The amount doesn’t matter a great deal — this story made enough for a couple of hot fudge sundaes.  The Internet has made “getting published” almost meaningless, but:  if a piece of writing isn’t good enough that someone will buy it, I don’t want it out there with my name on it.

I’d much rather have less work available of higher quality than publish reams of sewage.