Constantine A. Murenin

market dominance

Mon, 13 Feb 2012 18:50:00 -0500

The best thing that you could be doing with market dominance is making a change for the better.

What did Apple do with its market dominance? It killed the CPU-hungry and battery-unfriendly Adobe Flash technology, and adopted open standards that any other manufacturer can implement, too, for increased interoperability and convenience of everyone involved (other than Adobe, of course, as well as the people who were too lazy or incompetent to use HTML5 instead of Adobe Flash for making their web-sites).

What did Google do with their market dominance? Through Google Mail and Google Voice, it brought affordable email and telephone solutions to the market, eliminated the need to pay huge fees for text messaging, as well as the ability to have mnemonic telephone numbers for mere mortals.

But what about the rest of the industry? How come most public entities entirely disregard the need to use their market dominance for the greater good?

Say, LowEndBox.com, is arguably the dominant place to get offers on highly competitive VPS hosting. Yet, IMHO, they are currently failing to use their market dominance to improve the market place. Why are there still providers around that offer hosting services without providing any test IPs (let alone download files)? Or even precise locations of their data-centres? Or virtualisation technologies (“Xen PV” is entirely different from “Xen HVM”; WTF is “Xen”?). Or whether or not they support IPv6.

The IPv6 is an interesting topic, IMHO. This year, on 2012-06-06, is the http://www.WorldIPv6Launch.org/ . Even the behemoth US telecoms like AT&T and ubiquitous CDNs like Akamai and Limelight, together with Google and Facebook, have agreed to permanently enable IPv6 for its subscribers, for good. Yet many hosting providers are still keeping quiet about their IPv6 support. (Many actually do support it, so the sole quietness on the subject is not an indication that support is surely lacking). IMHO, sites like LowEndBox.com have a moral obligation to the internet society at large, to use its powers to promote stuff like IPv6 (which is now finally so close to actually being useful within a couple of months) and other transparency. It’s entirely easy to make a simple rule of clearly stating whether IPv6 is supported or not, in every post, making it clear who is who in the business, and giving the clear incentive to the providers in supporting IPv6.

I had a funny dream last night...

Mon, 06 Feb 2012 02:10:00 -0500

I had a funny dream last night (Saturday to Sunday, 2012-02-04/05 PT). I was somewhere like in Europe, and there was something like a tsunami, and I was on a cruise boat (like those we have in Russia), and trying to take the pictures of the thing. And then hiding in the basement of some office-like building…

Surprisingly, I just discovered there was an earthquake with a predicted 1 metre tsunami a few hours ago or so. http://news.yandex.ru/yandsearch?cl4url=www.ria.ru%2Fnatural%2F20120206%2F558210761.html

at&t U-verse 6rd in Santa Clara County

Thu, 02 Feb 2012 22:36:05 -0500

http://www.dslreports.com/forum/remark,26841639 Is at&t for real?

printf "%02x%02x:%02x%02x\n" 76 220 xx xx ; printf "%02x%02x:%02x%02x\n" 99 124 xxx xxx
4cdc:20yy
637c:YYYY

From MSK.

# traceroute6 2602:304:cdc2:0yy0::1 ; traceroute6 2602:306:37cY:YYY0::1
traceroute6 to 2602:304:cdc2:0yy0::1 (2602:304:cdc2:yy0::1) from Z, 16 hops max, 12 byte packets
Skipping 2 intermediate hops
 3  xe012-438.RT.MR.MSK.RU.retn.net  1.320 ms  1.191 ms  1.248 ms
 4  RT.TLX.NYC.US.retn.net  124.866 ms  124.400 ms  125.080 ms
 5  as7018-att.10gigabitethernet2-3.core1.nyc4.he.net  137.598 ms  179.680 ms  150.144 ms
 6  * * *
 7  * * *
 8  2001:1890:ff:ffff:12:122:99:125  139.270 ms  138.714 ms  138.885 ms
 9  2602:300:c533:1510::4  138.903 ms  138.695 ms  138.780 ms
10  2602:300:c533:1510::5  189.738 ms  189.757 ms  190.096 ms
11  * * *
12  * * *
13  * * *
14  2602:300:c533:1510::5  190.810 ms  190.647 ms  190.884 ms
traceroute6 to 2602:306:37cY:YYY0::1 (2602:306:37cY:YYY0::1) from Z, 16 hops max, 12 byte packets
Skipping 2 intermediate hops
 3  xe012-438.RT.MR.MSK.RU.retn.net  1.245 ms  1.090 ms  1.112 ms
 4  RT.TLX.NYC.US.retn.net  124.698 ms  124.320 ms  124.783 ms
 5  as7018-att.10gigabitethernet2-3.core1.nyc4.he.net  137.132 ms  137.704 ms  138.025 ms
 6  * * *
 7  * * *
 8  2001:1890:ff:ffff:12:122:99:125  139.692 ms  140.326 ms  139.774 ms
 9  2602:300:c533:1510::4  138.898 ms  139.584 ms  145.563 ms
10  2602:300:c533:1510::5  189.704 ms  190.298 ms  190.905 ms
11  * * *
12  2602:300:c533:1510::5  194.267 ms  192.703 ms  191.208 ms
13  * * *
14  * * *
15  2602:300:c533:1510::5  191.379 ms *  190.522 ms
16  * * *

From FMT (at&t has a crappy route, but the routing definitely gets full trip to LA and safely back to the Bay Area).

# traceroute6 2602:304:cdc2:0yy0::1 ; traceroute6 2602:306:37cY:YYY0::1
traceroute to 2602:304:cdc2:0yy0::1 (2602:304:cdc2:yy0::1), 16 hops max, 80 byte packets
 2  10gigabitethernet2-3.core1.fmt1.he.net (2001:470:1:1db::1)  8.677 ms  8.680 ms  8.721 ms
 3  gige-g4-8.core1.fmt2.he.net (2001:470:0:2d::2)  0.376 ms  0.427 ms  0.416 ms
 4  10gigabitethernet6-4.core1.lax1.he.net (2001:470:0:18d::2)  8.487 ms  8.496 ms  8.669 ms
 5  10gigabitethernet1-3.core1.lax2.he.net (2001:470:0:72::2)  12.416 ms  12.880 ms  13.510 ms
 6  att-internet4-as7018.10gigabitethernet5-2.core1.lax2.he.net (2001:470:0:1e6::2)  9.267 ms  9.335 ms  9.417 ms
 7  * * *
 8  * * *
 9  2001:1890:ff:ffff:12:122:114:41 (2001:1890:ff:ffff:12:122:114:41)  21.074 ms  21.109 ms  21.086 ms
10  2602:300:c533:1510::5 (2602:300:c533:1510::5)  20.761 ms  20.756 ms  20.812 ms
11  2602:300:c533:1510::5 (2602:300:c533:1510::5)  22.213 ms  21.943 ms  22.371 ms
traceroute to 2602:306:37cY:YYY0::1 (2602:306:37cY:YYY0::1), 16 hops max, 80 byte packets
 2  10gigabitethernet2-3.core1.fmt1.he.net (2001:470:1:1db::1)  0.536 ms  0.499 ms  0.443 ms
 3  gige-g4-8.core1.fmt2.he.net (2001:470:0:2d::2)  4.335 ms  4.997 ms  4.995 ms
 4  10gigabitethernet6-4.core1.lax1.he.net (2001:470:0:18d::2)  8.663 ms  8.649 ms  8.635 ms
 5  10gigabitethernet1-3.core1.lax2.he.net (2001:470:0:72::2)  9.270 ms  9.617 ms  9.201 ms
 6  att-internet4-as7018.10gigabitethernet5-2.core1.lax2.he.net (2001:470:0:1e6::2)  9.574 ms  9.549 ms  9.511 ms
 7  * * *
 8  * * *
 9  2001:1890:ff:ffff:12:122:114:41 (2001:1890:ff:ffff:12:122:114:41)  21.208 ms  21.135 ms  21.165 ms
10  2602:300:c533:1510::5 (2602:300:c533:1510::5)  20.762 ms  20.773 ms  20.798 ms
11  * * *
12  * * *
13  * * *
14  * * *
15  2602:300:c533:1510::5 (2602:300:c533:1510::5)  22.326 ms  23.112 ms  22.765 ms
16  * * *

Wow… … What’s next? Finally the 40/10 HSI for BPON subscribers? :-) Or 200/100 HSI with a GPON upgrade? (-:

firstvds: ipfw continues to be broken; now they censor my complaint

Fri, 27 Jan 2012 16:52:00 -0500

written for http://forum.firstvds.ru/viewtopic.php?f=3&t=8233

Перезагрузился, и теперь опять абсолютно даже на IPv4 firewall не работает, как в начале января. Теперь опять показывает все нули по `ipfw show` (вообще ни одно правило не ловит даже IPv4 пакеты), динамические правила по `ipfw -d show` до сих пор отсутствуют — я вообще до сих пор ни разу не видел динамических правил на вашей ISPFreeBSD8. (На ISPFreeBSD6 — без проблем.)

Когда будет исправлено? Почему до сих пор нет ответа? Это затрагивает только пользователей, у которых IPv6, или у всех на ISPFreeBSD8 не работает от перезагрузки к перезагрузке? Почему до сих пор нет никакого официального заявляния, что ваша поддержка IPv6 нифига не работает и делает ipfw непригодным даже для IPv4?

З.Ы. swg, к правилам нечего придираться — попробуйте сами правила писать, когда ни одно из них никакого эффекта не оказывает. Я их писал именно в начале января, когда они вообще никакого эффекта не оказывали. Они кое-как глючно работали исключительно после второй перезагрузки вторым специалистом седьмого числа.

P.P.S. Только что заметил, что вообще моё сообщение о неработоспособности ipfw с IPv6 удалили из новостей! Вот это прогресс! Хотелось бы объяснений!

====

К новости об IPv6 неработоспособность ipfw при IPv6, между прочим, имеет самое что ни на есть прямое отношение. Моё удалённое сообщение в той теме было кратко и по делу, и конкретно про IPv6. Кто не верит, можете сами убедиться: я перепостил, но тема теперь закрыта, причём ещё с возражениями о том, что за “сообщения не по теме” вообще банят.

А мне нечего добавить в поддержку через my.firstvds.ru. Вся проблема (и про v4, и про v6) была описана мной в начале января, осмотрена и протестирована двумя вашими специалистами, которые совершили две перезагрузки моего VDS. Было сообщено, что исправление будет, но вопрос был закрыт.

Это не моя задача открывать закрытые вопросы, когда вам уже должно быть совершенно ясно, что ipfw у вас полностью сломан. Если бы вы являлись порядочной конторой, то уже давным давно следовало бы сообщить, что ваша поддержка IPv6 делает невозможным использование ipfw даже для IPv4. Но это же трудно, после анонса IPv6, признать, что работает всё очень криво. Вот вы и прибегаете к удалению сообщений, вместо признания существующих проблем, которые затрагивают каждого пользователя ISPFreeBSD8 IPv6.

Это проблема не уникальна к моему VDS, поэтому нет смысла решать её исключительно в закрытом порядке. Другим пользователям, небось, тоже интересно.

====

Мне кажется, что вы всё-же продаёте полный набор услуг, а не просто сами адреса и трафик, так что неработоспособность одной из главных функций вашей виртуализации ISPFreeBSD8 является довольно серьёзной проблемой.

Я не знаю, какие правила создаёт ipsmgr, но мне всё-таки так кажется, что если даже ни одно из правил ipfw не может поймать ни одного пакета (все нули по `ipfw show`, даже “65535 0 0 allow ip from any to any”), то ваши ipsmgr правила тоже вряд-ли будут работать. (Разумеется, net.inet.ip.fw.enable включён, =1.)

И в конце концов, как ни крути, но ISPserver это всё-таки тоже ваша контора. В крайнем случае — вы их самый прямой клиент.

Здесь не ошибка в программном обеспечении. Здесь явное отсутствие поддержки ipfw при IPv6, и молчание поддержки, по поводу отсутствия данной поддержки. Если ipfw не поддерживается, то следует об этом просто явно указать, и не будет никаких вопросов. Но мне непонятно, почему после покупки услуги, мне необходимо тестировать и выяснять, по каким причинам ipfw у вас не работает. Я отправил запрос. Это ваше дело разобраться в проблеме, и своевременно сообщить мне о сроках решения. Ни о каких сроках сообщено не было. Вопрос разрешён не был. Ни объяснения причин, ни предложений о замене IPv6 на работающий ipfw IPv4, не поступало.

firstvds сломали свой ispmgr апаче! (mod_rpaf.so)

Thu, 26 Jan 2012 22:25:00 -0500

written for forum.firstvds.ru: http://forum.firstvds.ru/viewtopic.php?f=14&t=8247&p=41815#p41815

Ваши изменения шаблонов привели к неработоспособности apache при стандартных apache22 + nginx из ispmgr (nginx установлен через ispmgr в начале января).

Я apache2 не пользуюсь, но как советуете теперь обращаться к ispmgr?

(Хочу перезагрузить весь сервер, а `shutdown -r +1` не работает. Что следует использовать, кроме ispmgr?)

[code]
# /usr/local/etc/rc.d/apache22 start
Performing sanity check on apache22 configuration:
httpd: Syntax error on line 474 of /usr/local/etc/apache22/httpd.conf: Syntax error on line 1 of /usr/local/etc/apache22/Includes/rpaf.conf: Cannot load /usr/local/libexec/apache22/mod_rpaf.so into server: Cannot open “/usr/local/libexec/apache22/mod_rpaf.so”
Starting apache22.
httpd: Syntax error on line 474 of /usr/local/etc/apache22/httpd.conf: Syntax error on line 1 of /usr/local/etc/apache22/Includes/rpaf.conf: Cannot load /usr/local/libexec/apache22/mod_rpaf.so into server: Cannot open “/usr/local/libexec/apache22/mod_rpaf.so”
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22
# ll /usr/local/etc/apache22/
total 132
drwxr-xr-x 2 root wheel 512 Jan 7 02:52 Includes
drwxr-xr-x 2 root wheel 512 Jan 7 01:16 envvars.d
drwxr-xr-x 2 root wheel 512 Jan 7 01:16 extra
-rw-r——- 1 root wheel 17239 Jan 3 17:54 httpd.conf
-rw-r——- 1 root wheel 17239 Jan 3 17:06 httpd.conf.2012-01-03T173341-0800.orig
-rw-r——- 1 root wheel 17240 Jan 3 17:54 httpd.conf~
-rw-r—r— 2 root wheel 12958 Sep 22 02:43 magic
-rw-r—r— 2 root wheel 49815 Sep 22 02:43 mime.types
-rw-r—r— 1 root wheel 1164 Dec 30 17:12 server.crt
-rw-r—r— 1 root wheel 887 Dec 30 17:12 server.key
drwxr-xr-x 2 root wheel 512 Jan 7 01:16 ssl.crt
drwx——— 2 root wheel 512 Jan 7 01:16 ssl.key
# ll /usr/local/etc/apache22/Includes/
total 10
-rw-r—r— 2 root wheel 318 Dec 24 2009 awstats.conf
-r—r—r— 2 root wheel 89 Sep 22 02:43 no-accf.conf
-rw-r—r— 2 root wheel 510 Dec 24 2009 phpmyadmin.conf
-rw-r—r— 1 root wheel 106 Jan 3 17:05 rpaf.conf
-rw-r—r— 2 root wheel 352 Oct 7 2010 secure.conf
# ll /usr/local/libexec/apache22/mod_r*
-rwxr-xr-x 2 root wheel 39646 Sep 22 02:43 /usr/local/libexec/apache22/mod_reqtimeout.so
-rwxr-xr-x 2 root wheel 164275 Sep 22 02:43 /usr/local/libexec/apache22/mod_rewrite.so
-rwxr-xr-x 2 root wheel 28584 Jan 25 21:40 /usr/local/libexec/apache22/mod_rpaf2.so
#
[/code]

Собственно, в добавку: почему вообще у вас вот так напросто отсутствует контроль качества?

Очевидно, проблема в том, что ispmgr создаёт rpaf.conf вне шаблона, хотя бывший mod_rpaf.so линковался из шаблона. Так это же значит, что вы все apache22 сломали, у кого nginx был установлен стандартными средствами из ispmgr!

after starting to use Linux (Debian), my list of bugs

Wed, 25 Jan 2012 15:44:00 -0500

After many years in the BSD land, late December 2011 I’ve started using the 2011 release of Debian Linux on Linode512 upgraded to Linode768 (plan to “upgrade” back to 512 after a while on 768).

My list of bugs/annoyances is as follows (I might update this entry later on, too):

* installing ntpd package corrects your date without any trace whatsoever what the correction was; I guesstimate that it’s a package bug, where they run ntpdate or something, but maybe ntpd itself is to blame

* logs are not rotated at midnight. stupid linux runs logrotate as part of the /etc/cron.daily/ at 6:25 on my box (seriously, how entirely dumb is that?) The best fix would probably be `echo “0 0 * * * root /etc/cron.daily/logrotate” »/etc/cron.d/logrotate`, but I’m entirely amazed that anyone finds it acceptable to do daily/weekly/monthly rotation of logs at random times of the day, other than 00:00:00 (renaming a few files doesn’t take that many resources; if you really care about overconsumption at 00:00:00, why not ensure that logs are never compressed during the 00:00:00 run?)

* there is no `jot`. seriously, no jot? `apt-get install athena-jot`

* iptables has no way of storing any rules permanently. Have to install `iptables-persistent` with apt. However, iptables-persistent only works with IPv4, for IPv6 you have to do some hacking. The whole thing where IPv6 is controlled by `ip6tables`, and never by `iptables`, arguably adds to show just how little Linux cares about IPv6 adoption.

Bitbucket and all: do you trust them your private bits?

Mon, 23 Jan 2012 15:13:09 -0500

I started using Bitbucket for my private repositories a very short while ago, since they now support git.

Unlike github.com and gitorious.org, Bitbucket provides unlimited private repository support for both git and hg, and they also have Australian roots, for a bit of redundancy in who to trust your repositories to. :-)

The best thing about git is that due to the strong sha1 hashes and the distributed nature of each individual repository, you don’t have to worry about anyone else messing up with your repository without you ever noticing during the course of normal operations, since that’s merely impossible or at the very least very-very-very improbable for the near future. So, pretty much, any git hosting will do for a public repo, and if they misbehave, it’ll be entirely obvious very quickly and you can drop them with little to no ill effects whatsoever. This is why Linus Torvalds said in his Google tech talk, let me paraphrase / rephrase / extrapolate, that he’d trust an anonymous hoster from Nigeria with a git repo, but wouldn’t ever trust Google Code with an svn one.

However, in case of private repositories, you obviously do care for the private nature of your bits. Which poses a good question: can you actually trust any shared external source service to have even read access for your private repositories? How much care have they taken to safeguard your private repositories, and make sure no unauthorised people ever get access to it?

One thing for sure, is that I would never trust an outside party to have access to my /etc/master.passwd or /etc/shadow (somehow etckeeper on the 2011 Debian does keep track of your shadow file!). For other things, it’s still debatable who to trust, but I can only hope that Bitbucket has taken all the measures at ensuring my private stuff stays private…

I don’t have stuff worth a million dollars in my private repositories (or, at least, I’m not yet aware of such specific and immediate potential), but I still may have stuff there that one might easily classify as trade secrets (and rightly so), hence an unintentional release would make me very uncomfortable to say the least.

Using OpenBSD on non-native hardware is definitely a challange

Sun, 22 Jan 2012 04:32:00 -0500

With OpenBSD 5.0 under KVM on ARPNetworks, all you have to do is “disable mpbios”, and it all seems to work. However, not without subtle problems.

First, I’ve noticed that if you have lots of disk activity, plus lots of output through ssh, then you get periodic networking stalls very easily, with “em0: watchdog timeout — resetting” appearing repeatedly (although, to be fair, the stall only lasts a couple of seconds, and your sessions resume without any noticeable ill effects).

For example, you can find the following in /var/log/messages after checking out all the 3 BSD systems from local CVS trees, locally:

Jan 21 19:51:39 grok /bsd: em0: watchdog timeout -- resetting
Jan 21 19:52:16 grok last message repeated 2 times
Jan 21 19:53:09 grok /bsd: em0: watchdog timeout -- resetting
Jan 21 19:58:32 grok /bsd: em0: watchdog timeout -- resetting

Then, now I’m running Java with {OpenGrok, indexing 3 source trees, and the run queue seems to be merely about 4, as you can see from the load average below. The regular non-mp /bsd. So, guess what, something is broken yet again, and `top` shows all zeros for all the CPU states, and `systat vmstat 1` doesn’t work, either, returning “> The alternate system clock has died!” after a couple of seconds, without updating any info at all whatsoever.

This is what `top -U opengrok -s1` shows, notice the 0.00% for all CPU times, as well as for the process 30390 itself. It shows “98.4% idle” on first iteration, but then goes back to 0.0% as below. (However, wallclock works just fine, without any abnormalities, and the system otherwise appears to run just fine, too.)

load averages:  3.80,  3.78,  3.92
36 processes:  1 running, 33 idle, 1 stopped, 1 on processor
CPU states:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  0.0% idle
Memory: Real: 346M/581M act/tot Free: 402M Cache: 187M Swap: 32M/1012M

  PID USERNAME PRI NICE  SIZE   RES STATE     WAIT      TIME    CPU COMMAND
30390 opengrok  59    0  543M  297M run       -       207:20  0.00% java
24752 opengrok  -6    0  924K 1668K sleep     piperd    0:15  0.00% ectags
32716 opengrok  -6    0  656K 1528K idle      piperd    0:10  0.00% ectags
11857 opengrok  -6    0  840K 1580K sleep     piperd    0:10  0.00% ectags
 2934 opengrok  18    0 1340K 2092K idle      pause     0:01  0.00% tcsh

So, doesn’t really look like this would be providing a reliable and dependable server solution without some extra hacking…

How to list open files on a UNIX system.

Sat, 21 Jan 2012 21:54:00 -0500

This is a nice question which I recall being asked in one of my interviews a few years back.

I recall I answered it with a `sockstat` (FreeBSD), but the interviewer expected more on the lines of `lsof` (Linux and other *NIX). The pages below provide an excellent overview of just how flexible (yet divergent) UNIX systems are, and how a little shell scripting can get you a long way.

http://troysunix.blogspot.com/2011/03/finding-open-files-in-freebsd.html
http://troysunix.blogspot.com/2011/03/finding-open-files-in-linux.html
http://troysunix.blogspot.com/2011/03/finding-open-files-in-solaris.html

In addition, a short cheat-sheet summary would be:

* fstat(1) on 4.3BSD-derived systems (FreeBSD, OpenBSD, NetBSD, but not OS X);

* fuser(1) with some shell scripting on some POSIX systems (Linux, OpenBSD, OS X, FreeBSD since 9.0);

* lsof(1) on Linux, FreeBSD ports, OS X;

* sockstat(1) on FreeBSD, especially if you want just the listening sockets;

* proc(5) on Linux.

The fuser(1), being POSIX, seems especially entertaining: it outputs the PIDs onto stdout, yet the hints of which kinds of files are open onto stderr, which makes it possible to redirect the stderr output to /dev/null, whereas use the stdout output in further processing as command-line arguments to ps(1) and such, without any need for any more advanced inline editing. Really cool stuff. :-)

In turn, if you just need the listening and open sockets:

`lsof | fgrep -e TCP -e UDP` (is there a better way?) on Linux or OS X;

`sockstat` on FreeBSD;

`fstat | fgrep internet` on OpenBSD.

Статус ISPFreeBSD8 ipfw: глючит IPv4, отсутствует IPv6

Fri, 20 Jan 2012 15:53:00 -0500

written for forum.firstvds.ru: http://forum.firstvds.ru/viewtopic.php?f=3&t=8233

В интересах продолжения темы IPv6 до сих пор не работает из форума Новости, хотелось бы разъяснений, почему ipfw всё же даже на IPv4 не работает. Далее приведу наглядный пример с сервера без каких-либо изменений с перезагрузки. Прошу заметить, что правило 02200, которое замечательно работает на вашей ISP FreeBSD6 и ловит все пакеты на порту ssh, на данной ISP FreeBSD8 до сих пор не поймало ни одного пакета вообще. По неизвестным причинам, весь мой ssh трафик с домашней сети ловится правилом 44300, которое ну исключительно только под порт 443 предназначено.

Хочется заметить, что даже если бы я использовал порт 443 вместо 22 для ssh, то всё равно не может данное 02200 правило быть незадействованным в течение целой недели. Но на порте 443 у меня крутится обычный Apache, а не OpenSSH. Пока что использую IPv4 для ssh, настройки по умолчанию.

Пожалуйста, разъясните — я совершенно перепутал синтаксис ipfw, или он у вас действительно очень и очень серьёзно глючит до неузнаваемости? Почему вы до сих пор не сделали каких-либо Security Advisory про неработоспособность? Пользователи должны быть сами в курсе, что ipfw у вас не работает? Уже более двух недель прошло с момента моего оригинального запроса по поводу неработоспособности ipfw, никаких ETA до сих пор не получал.

# ipfw show ; uptime ; uname -mrsv ; date
00100  74098 23241496 allow ip from any to any via lo0
00200      0        0 deny ip from any to 127.0.0.0/8
00300      0        0 deny ip from 127.0.0.0/8 to any
00400      0        0 deny ip from any to ::1
00500      0        0 deny ip from ::1 to any
00600      0        0 allow ipv6-icmp from :: to ff02::/16
00700      0        0 allow ipv6-icmp from fe80::/10 to fe80::/10
00800      0        0 allow ipv6-icmp from fe80::/10 to ff02::/16
00900      0        0 allow ipv6-icmp from any to any ip6 icmp6types 1
01000      0        0 allow ipv6-icmp from any to any ip6 icmp6types 2,135,136
02200      0        0 allow tcp from any to me dst-port 22 in setup limit src-addr 12
05300    644    43646 allow tcp from any to me dst-port 53 in setup limit src-addr 7
08080     26     1384 deny tcp from any to me dst-port 808
08099   2716  1448701 allow tcp from any to me dst-port 80 in setup limit src-addr 16
44300 419807 59061309 allow tcp from { 76.220.XX.XX or 99.124.XXX.XXX/27 } to me dst-port 443 in setup limit src-addr 16
44310      8      412 deny tcp from any to me dst-port 443 in setup limit src-addr 4
65535 153984 73335150 allow ip from any to any
11:57AM  up 6 days,  7:53, 5 users, load averages: 0.01, 0.05, 0.04
FreeBSD 8.2-STABLE FreeBSD 8.2-STABLE #0 r112:113: Mon Dec 19 08:17:00 IRKT 2011     root@freebsd8-amd64.ispsystem.net:/root/src/sys/amd64/compile/ISPSYSTEM  amd64
Fri Jan 20 11:57:06 PST 2012

`apt-get install ntp` in Debian 6

Wed, 18 Jan 2012 20:16:38 -0500

Apparently, installing ntp in Debian results in your clock being corrected, with no proof whatsoever that the correction took place, and the amount of any such correction. An obvious security flaw, if you ask me. On the other hand, in the Linux land, that’s probably just another day.

firstvds.ru ipv6

Tue, 17 Jan 2012 17:57:00 -0500

Заказал тридцатого декабря местного времени FreeBSD8 сервер с IPv6 под новогоднюю скидку. С самого начала, IPv6 адрес вообще не работал — очевидно, у сервера забыли настроить gateway. Починили в течение суток после обращения в поддержку.

Потом оказалось, что firewall (ipfw) вообще тоже не работает. На IPv4 просто-напросто не влияет на пакеты, а на IPv6 — даже не выключается и не включается (нет прав на изменение `sysctl net.inet6.ip6.fw.enable`). Перезагрузка сервера (2012-01-03/04) не помогла, после перезагрузки всё так же сплошные нули по `ipfw show`, и выдаётся ошибка при добавлении правила 65535. В течение недели после запроса каким-то образом молча вроде стал работать IPv4 числа эдак седьмого (причём работает очень подозрительно: элементарное правило, которое ловило ssh пакеты во FreeBSD6, на новом FreeBSD8 пакеты не ловит, пропуская пакеты к более высоким правилам), а про IPv6 до сих пор вообще ничего. При этом сам запрос числится закрытым (нет иконки про то, что над ним кто-то всё ещё работает), последнее сообщение датировано седьмым числом, «В течение ближайшего времени проблема будет устранена. Приносим извинения за неудобства.», проблема до сих пор присутствует десять дней после последнего сообщения, ETA отсутствует.

Так что, резюмируя, даже сами IPv6 адреса не работают — никто интернетом без firewall’а в наши времена не пользуется. :-( Дополнительно, даже ipfw на IPv4 глючит. В прибавку, за все эти проблемы ещё нужно целый рубль каждый месяц выкладывать! Грабёж среди бела дня! ;-)

Подробнее: http://forum.firstvds.ru/viewtopic.php?f=15&t=8060&start=30#p41737

How you should not run a web-site.

Sun, 15 Jan 2012 22:09:00 -0500

What can I say? HGST provides an excellent example of how you should NOT be running your web-site.

% http_ping -count 4 -interval 1 "http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d"; date
29131 bytes from http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d: 3544.97 ms (7.376c/3485.42r/52.173d)
29131 bytes from http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d: 3694.24 ms (8.122c/3612.4r/73.713d)
29131 bytes from http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d: 3228.26 ms (7.236c/3160.14r/60.882d)
29131 bytes from http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d: 3626.39 ms (19.465c/3558r/48.926d)

--- http://www.hitachigst.com/internal-drives/deskstar/deskstar-7k1000d http_ping statistics ---
4 fetches started, 4 completed (100%), 0 failures (0%), 0 timeouts (0%)
total    min/avg/max = 3228.26/3523.46/3694.24 ms
connect  min/avg/max = 7.236/10.5497/19.465 ms
response min/avg/max = 3160.14/3453.99/3612.4 ms
data     min/avg/max = 48.926/58.9235/73.713 ms
Sun 15 Jan 2012 19:05:01 PST

3.5s to generate a static 29k web-page? Repeatedly, three and a half seconds? Are they nuts or what? You can certainly notice the slowness as you try to navigate the actual site, so this is not some kind of test artefact.

No, seriously, how can you slow do a static web-site like that? Someone, please explain? The site doesn’t even have any kind of shop or anything. Entirely static!

AT&T U-verse on BroadbandMap.Gov.

Thu, 12 Jan 2012 19:39:00 -0500

We’ve all heard that the fcc.gov et al has spent 350 million USD on the National Broadband Map. Has anyone actually bothered to visit it recently?

http://www.broadbandmap.gov/about-provider/at&t-inc./nationwide/ T
http://www.broadbandmap.gov/about-provider/verizon-communications-inc./nationwide/ VZ
http://www.broadbandmap.gov/about-provider/surewest-communications/nationwide/ SureWest in Sacramento, CA
http://www.broadbandmap.gov/about-provider/cincinnati-bell-inc./nationwide/ Cincinnati Bell in Ohio

I’ve looked at it repeatedly just now, and I have no idea what those numbers are, or how they could be useful to anyone who is interested in broadband. Keep in mind, I’m an engineer, fascinated with math and numbers. I have no idea what a regular person would be doing with any of those numbers. Numbers by each provider simply make no sense. SureWest has all zero-dot-something percentages, so does Cincinnati Bell. I found no option on the site to get the numbers to make any kind of sense. Was BroadbandMap.Gov simply designed to be the map of AT&T and Verizon coverage?

Yet, apparently, according to the map, even AT&T doesn’t offer FTTP to anyone! If you’ve heard people discussing their FTTP, they must simply be confused by the marketing, AT&T doesn’t actually offer, as BroadbandMap.gov unambiguously puts it, “Optical Carrier - Fiber to the End User”. Also, Sonic.net and Paxio.net are myths, they don’t exist, and don’t offer anything to anyone, let alone any Gigabit speeds for mere pennies on the Mbps! So is Webpass.net, they don’t offer 200/200 speeds for 45$/month in San Francisco Bay Area, either.

Also, apparently, AT&T doesn’t even use VDSL2. Note that VDSL2 is not “Asymmetric xDSL” technology; VDSL2 is symmetric and capable of 100/100 speeds at 0.5km loop lengths. Surprise, surprise!

Another note is that AT&T does offer 6Mbps upload speeds… Hmm… Note that there’s a single page for wired and wireless divisions… Yeap, you’ve guessed it — 6Mbps uploads is the artefact of the wireless networks. :-) No 6Mbps upload luck for any U-verse users!

Written for, and discussion at, http://www.dslreports.com/forum/r26762551-AT-T-U-verse-on-BroadbandMap.Gov.

routers and open firmwares

Thu, 12 Jan 2012 04:09:00 -0500

A couple of months earlier, I’ve got a ZyXEL NBG4615 and a NETGEAR WNR3500L GigE 802.11n routers in the attempt to replace my buggy 2Wire. Anyhow, it seems like neither one wants to work with my static ip setup, trying to NAT my static subnet instead of simply passing it through.

The WNR3500L is marketed by NETGEAR as their “open-source router”. So, what does this actually entail?

First off, NETGEAR has been selling the v2 version of 3500L since the summer of 2011, in other words, since about 5 months ago, and there is still not a single open-source firmware released for the “open-source router” WNR3500Lv2, which has been on the market, as just mentioned a sec ago, for almost half a year now!

Second, what is actually behind all those firmwares, that are advertised to work with 3500L? The myopenrouter.com has a whole list!

DD-WRT.com. Turns out, it has become commercial a few years back, and either way, the last update for the 3500L firmware, and the whole release in general, is dated quite a while back; seems like the whole project is no longer really active or engaged in much development. I cannot believe they haven’t had any bugs in about 2 to 4 years since the last v24 release in 2008/2009. Supposedly, IPv6 wouldn’t work by default, either. In addition, it seems like DD-WRT has a history of GPL violations itself, and in general seems kinda fishy. Some good story about DD-WRT and stuff at http://bitsum.com/about-ddwrt.htm, not sure how much is true, but I think stuff adds up very much so.

OpenWrt.org? Seems interesting, and seems like it’s probably the one I might be interested in using, since they have a CLI philosophy (by default comes with no GUI?), and seem to be really a true OSS project, instead of being a commercial product disguised to be an OSS one like DD-WRT. But, apparently, the official web-site states that WNR3500L is not supported, or, only “may be supported”. WTF?

Tomato. Apparently, a few variations exist, and the project indeed sounds interesting. The last official incarnation is called TomatoUSB.org, but it has been stagnant for a little over a year, too. Might be worth checking out, however, IPv6 GUI is only available in git, without any official builds yet, supposedly.

Now, let’s go back to myopenrouter.com. The site is a joke. NETGEAR pays a company called CaptiveNetworks.com to run the site for them, and CaptiveNetworks employs some annoying lamer to act as an administrator of the site. The site is a questionable and made up fake “community”, full of confused users, unsorted info and mods of questionable origins. Apparently, some mods they publish are authored by anonymous users which don’t even have any kind of web-site whatsoever! Imagine, running software on your gateway that’s been written by a guy named Toastman, who hosts this said software on some file host web-site, with no contact information, or changelogs, or anything. Nice, eh? Nothing against Toastman personally, seems like a nice guy with a friendly userpic, and I’m sure his builds are good, too.

Anyhow, the whole open router thing is a big disappointment. Should probably find an x86 box, and install pfSense or even straight my own version of OpenBSD. Shuttle XG41 with dual GigE, DDR3 and LGA775 for 154 USD seems like an attractive offer, LGA775 Dual-Core 45nm Wolfdale processors start at just under 50 bucks (Celeron and Pentium). The http://pcengines.ch/alix2d13.htm and «Netgate m1n1wall 2D13 Red» (http://store.netgate.com/-P218.aspx) seems very interesting, too, although with shipping and stuff, it’s essentially in the same price range as a GigE solution for a mere 100Mbps system. However, pcengines.ch is definitely much more competitive than the overpriced Soekris (checkout their official stores: PC Engines Alix.2d13 (LX800 / 256MB / 3 LAN) costs only 115 USD! Enclosures are 10 bucks! Compare to Soekris, where similar net5501-60 runs for 253 USD, over twice as much!), so I do have a feeling that when their GigE solutions will come out, it’ll make a very reasonable x86 router.

Any consumer routers that can do routing? Or, the router that isn't.

Wed, 11 Jan 2012 05:18:00 -0500

I’m looking for a robust consumer router that can do the simplest routing function of all — simply forward packets between the WAN and LAN interfaces. The option of NAT’ing the RFC 1918 addresses would be awesome, too.

Spoiler alert: after several very long conversations with ZyXEL NA tech support (including the managers; by the way, ZyXEL’s tech support is outsourced to Anaheim, CA), I was told that noone makes such devices for the consumer market at all. Is that really true?

I have a 99.124.xxx.xxx/27 Static IP address allocation from AT&T U-verse FTTP; however, the way it worked with 2Wire is that you still get a single regular “dynamic” IP address via DHCP from their common and shared 76.220.xx.xx/22 pool, through which all your traffic to your static IP addresses (in a totally different subnet, as you may have noticed) is then routed. The 2Wire 3800HGV-B then has a setting called “Public Networks” → “User Defined Supplemental Networks”, where the user has to manually specify the allocation they have received; subsequently, for each individual device on the LAN (as well as in the default options for the LAN DHCP server itself) you can either assign a public address from the public pool, or a private address from the private pool (with the option of specifying which public address the private address will be NAT’ed to). However, I’m getting rid of 2Wire PoS due to the unlimited number of bugs, stability issues, as well as unacceptable power consumption (2× to 3× higher than the devices below, without even supporting GigE or 802.11n).

Prior to buying the routers as below, I’ve tried connecting my OpenBSD netbook to the Ethernet port on the SBC ONT directly, to see if I can indeed ditch 2Wire 3800HGV-B PoS, and after some playing with `ifconfig` and `route`, indeed was I getting all the packets for the static block from the internet without any problems!

I’ve got a ZyXEL NBG4615 to replace 2Wire, then subsequently NETGEAR WNR3500L to replace ZyXEL. Both were (and still are) marketed as routers. When setting up each, I’ve changed the MAC-address to the one used by 2Wire, and set up my /27 subnet to be used for their LAN interfaces. Apparently, both ZyXEL and NETGEAR happily do NAT of publicly routable IP addresses instead of passing it straight, and neither one can do packet forwarding (also known as “routing”, surprise!) between the WAN and LAN interfaces without the NAT.

The ZyXEL does have an option of disabling NAT, so, according to their interface, it’s all supposed to work just dandy. However, apparently, in practice it doesn’t do any routing between the two interfaces once the NAT is disabled (I presume they erroneously also do something like `sysctl net.inet.ip.forwarding=0` or `sysctl net.ipv4.ip_forward=0` when you disable NAT), so my internet simply stops working immediately and as soon as I disable NAT within their interface. I’ve contacted the ZyXEL tech support, and they seem to misunderstand what routing is all about, they also claim that no consumer-oriented router can do routing without [also] doing NAT. Is that really true?

In any case, I tell them they have a clear bug with their user interface not functioning the way anyone would expect it to, yet they repeatedly conclude that they’ll only address the problem if other comparable products on the market also have the feature (“have implemented their own feature set correctly”, they mean?). Pardon me, but how are the obvious bugs in one’s interface are related to any other products by any other manufacturer? Especially if all that’s concerned is literally a one-byte change (0 to 1, that’s merely a bit even!); strike that, most likely is merely a matter of actually removing one or more lines of code that disables ip forwarding through sysctl when NAT is disabled through the interface. After all, this GigE router is based on Linux 2.6, from what I gather and based on nmap.

The NETGEAR doesn’t have any options to disable NAT in their default firmware. Although, to be fair, I would argue that having a default of doing NAT of non-RFC1918 addresses is a major bug in and of itself, and any NAT-disable options in any interface are only really meant to apply to the RFC1918 addresses in the first place.

So, just out of curiosity, any consumer routers that can actually do the simple routing, please?

Is AT&T’s setup of two different subnets (as explained above) really so uncommon in the ISP world to not get any attention of third-party consumer router manufacturers?

Am I actually doing something wrong, and is this whole thing supposed to be configured some other way? Or is this really too advanced and is not supposed to work with consumer off-the-shelf routers at all?

Any firmwares to recommend for WNR3500L that were actually thought out to be a great fit for packet forwarding and multiple routable IP addresses, over two subnets as above? I just want my subnet to work, nothing too fancy, really. That said, it would be disappointing to actually have fewer features than what was available back with 2Wire, e.g. it would be nice to continue having the ability to have two IP-address pools for my LAN, one public and one private. A SIP registration server, HE’s IPv6 TunnelBroker.net support and authoritative DNS would be a plus, too, though. SNMP won’t hurt, either. (-: Looking for something stable that I could install with uptime of months, and which would not break when I need to make simple changes of adding new LAN devices etc.

P.S. BTW, apparently, the ZyXEL tech support guys in Anaheim quite misunderstand what routing between two interfaces is all about. They claim that I want some kind of “advanced router”, whereas their product only offers NAT routing (what is “NAT routing” anyways? do they mean “routing + NAT”?), disregarding the fact that they explicitly have the option of disabling NAT in their interface, where the router is still advertised to be in the Router mode (they have a separate option to select the Mode between Router Mode, Access Point Mode etc). I assume that their NAT-disable option not only disables NAT, but also sets `sysctl net.ipv4.ip_forward` to 0. ZyXEL tech support suggested all sorts of things, from using the router in bridge mode, and configuring my host computers to be on my /27, yet somehow have me specify the AT&T gateway from the shared /22 (I’m, like, really?).

Written for, and discussion at, http://www.dslreports.com/forum/r26754312-Any-consumer-routers-that-can-do-routing-

переделегирование с ns1.domenus.ru

Sat, 31 Dec 2011 18:13:00 -0500

У domenus.ru хорошие цены и быстрая круглосуточная поддержка по телефону, однако интерфейс доволно скудный. Дополнительно, если вы вдруг использовали их ns1.domenus.ru. и ns2.domenus.ru., то при переделегировании доменов, ваши домены мгновенно перестанут работать до того момента, пока зона .su/.ru не обновится, т.к. их интерфейс, очевидно, мгновенно удаляет записи с их собственных DNS серверов ещё до того, как корневые зоны обновятся.

Я это заметил на практике, т.к. один из доменов перестал работать в процессе переделегирования, но можно и просто посмотреть на то, как отвечают их серверы — оба являются рекурсивными. Крайне не рекомендую использовать ns1.domenus.ru.

installing java on freebsd

Sat, 31 Dec 2011 06:43:29 -0500

First off, the FreeBSD documentation regarding Java is just terrible outdated.

However, it’s pretty easy once you get the gist. `pkg_add -r openjdk6` is all that was needed to get `java` and `javac` onto the FreeBSD 8.2 VDS 8-stable system. However, `pkg_add -r tomcat7` didn’t work as expected, since, apparently, it depends on java/jdk16, so it tries installing jdk-1.6.0.3p4_27, and fails, not installing tomcat7, either. Also, it seems like tomcat7 tries installing a bunch of other packages of questionable benefit, probably due to the java dependancy?

In any case, I guess just about all java software on FreeBSD (and is it only java software?) has to be installed with the —no-deps option. Indeed, `pkg_add -r —no-deps tomcat7` worked just perfectly fine, without any perl or python dependences that it seemed to try installing earlier just for tomcat7, and `/usr/local/etc/rc.d/tomcat7 onestart` was successful in bringing dependentless tomcat7 up and running, as casual on port 8080.

Anyhow, it shows a few things: documentation in FreeBSD is indeed very outdated; ports tree dependencies are still quite horrible and reasonably broken; yet Java actually seems to work on FreeBSD with little initial effort. :-)

firstvds.ru — the highest level of incompetence

Sat, 31 Dec 2011 03:23:00 -0500

This is seriously the highest level of incompetence for a hosting company that claims to be the number one in the Russian market for virtual dedicated servers. The company is actually owned (or otherwise has roots) to ISPsystem, the people who make the FreeBSD VDS thing, together with a number of (rather horrible, must I say) control panels (the FreeBSD virtualisation itself that they offer seems nice, although given the other parts, I’d not be surprised if it’s equally horrible deep within, too).

Below is a session from a brand new VDS server from firstvds.ru, created 2011-12-31. Notice that they’ve been offering IPv6 addresses since a few months ago, since 2011-10-14.

cvs# time traceroute www.netbsd.org
traceroute to www.netbsd.org (204.152.190.12), 64 hops max, 52 byte packets
 1  gw.webdc.ru (188.120.247.254)  3.283 ms  0.479 ms  0.446 ms
 2  92.63.108.89 (92.63.108.89)  0.329 ms  0.797 ms  0.581 ms
 3  xe012-438.RT.MR.MSK.RU.retn.net (87.245.254.61)  1.375 ms  3.878 ms  1.553 ms
 4  xe000-8.RT.TLX.NYC.US.retn.net (87.245.233.114)  124.487 ms  124.173 ms  123.801 ms
 5  nyiix.r1.lga1.isc.org (198.32.160.95)  124.964 ms  125.565 ms  126.134 ms
 6  int-0-5-0-0.r1.pao1.isc.org (149.20.65.137)  199.516 ms  199.786 ms  199.262 ms
 7  int-0-0-1-0.r1.sql1.isc.org (149.20.65.10)  202.798 ms  202.221 ms  203.148 ms
 8  www.netbsd.org (204.152.190.12)  196.944 ms  199.323 ms  196.995 ms
0.006u 0.009s 1:01.06 0.0%	0+0k 0+0io 0pf+0w
cvs# time traceroute6 www.netbsd.org
connect: No route to host
0.000u 0.020s 0:05.29 0.3%	24+136k 0+0io 1pf+0w
cvs# time host www.netbsd.org
;; reply from unexpected source: 188.120.242.64#53, expected 127.0.0.1#53
www.netbsd.org has address 204.152.190.12
;; reply from unexpected source: 188.120.242.64#53, expected 127.0.0.1#53
www.netbsd.org has IPv6 address 2001:4f8:3:7:2e0:81ff:fe52:9a6b
;; reply from unexpected source: 188.120.242.64#53, expected 127.0.0.1#53
www.netbsd.org mail is handled by 10 mail.netbsd.org.
0.007u 0.061s 0:03.52 1.7%	1935+475k 0+0io 14pf+0w
cvs# cat /etc/resolv.conf 
nameserver      127.0.0.1
nameserver      188.120.247.2
nameserver      188.120.247.8
nameserver      82.146.59.250
cvs# dig cvs.su
;; reply from unexpected source: 188.120.242.64#53, expected 127.0.0.1#53

; <<>> DiG 9.6.-ESV-R5 <<>> cvs.su
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27038
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cvs.su.				IN	A

;; ANSWER SECTION:
cvs.su.			2560	IN	A	188.120.242.64

;; Query time: 10 msec
;; SERVER: 188.120.247.2#53(188.120.247.2)
;; WHEN: Sat Dec 31 08:03:37 2011
;; MSG SIZE  rcvd: 40

cvs# time dig cvs.su
;; reply from unexpected source: 188.120.242.64#53, expected 127.0.0.1#53

; <<>> DiG 9.6.-ESV-R5 <<>> cvs.su
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40280
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;cvs.su.				IN	A

;; ANSWER SECTION:
cvs.su.			2560	IN	A	188.120.242.64

;; Query time: 4 msec
;; SERVER: 188.120.247.2#53(188.120.247.2)
;; WHEN: Sat Dec 31 08:03:51 2011
;; MSG SIZE  rcvd: 40

0.000u 0.006s 0:01.00 0.0%	0+0k 0+0io 0pf+0w
cvs# ifconfig 
igb0: flags=8843 metric 0 mtu 1500
	options=1bb
	ether 00:1e:67:05:9b:5e
	inet 188.120.242.64 netmask 0xffffffff broadcast 188.120.242.64
	inet6 2a01:230:2::10d prefixlen 64 
	nd6 options=3
	media: Ethernet autoselect (100baseTX )
	status: active
igb1: flags=8802 metric 0 mtu 1500
	options=1bb
	ether 00:1e:67:05:9b:5f
	media: Ethernet autoselect
	status: no carrier
ipfw0: flags=8801 metric 0 mtu 65536
lo0: flags=8049 metric 0 mtu 16384
	options=3
cvs# uname -a
FreeBSD cvs.su 8.2-STABLE FreeBSD 8.2-STABLE #0 r112:113: Mon Dec 19 08:17:00 IRKT 2011     root@freebsd8-amd64.ispsystem.net:/root/src/sys/amd64/compile/ISPSYSTEM  amd64
cvs# netstat -rn
netstat: kvm not available: /dev/mem: No such file or directory
Routing tables
rt_tables: symbol not in namelist
cvs#

Note that it’s supposed to come with IPv6, for which they do actually charge you 1 RUR monthly fees, but the extra IPv6 (was part of the order) doesn’t actually work at all.

This is in addition to them not actually providing any IPv6 name servers, neither local nor authoritative (the .su and .ru do actually already support IPv6).

In addition, notice the fuck up with the nameservers that they specify: they specify 127.0.0.1, whereas either due to their virtualisation or whatever else, the named doesn’t actually reply from 127.0.0.1, so, nothing that makes any use of any names actually works smoothly, due to obvious security concerns within the resolver software. In turn, this amounts to a delay of at least one second for every name query. The sshd logins, the traceroute, anything, extra multiple-second delays. The whole thing is honestly far below any possible incompetence.

The final remark I have to say in my mother tongue.

Честное слово, ну не дебилы?

HE.net / AT&T connectivity woes continue

Wed, 28 Dec 2011 21:29:00 -0500

As reported earlier, HE.net / AT&T connectivity woes continue.

# mtr --report{,-wide} 76-220-32-XX.lightspeed.sntcca.sbcglobal.net ; date
HOST: liXXX-XXX                                    Loss%   Snt   Last   Avg  Best  Wrst StDev
  1. 184.105.143.85                                0.0%    10    0.6   0.6   0.4   1.2   0.2
  2. 10gigabitethernet2-3.core1.fmt1.he.net        0.0%    10    0.6   5.2   0.5  11.9   4.8
  3. 10gigabitethernet1-1.core1.pao1.he.net        0.0%    10   11.4   4.3   0.8  11.4   3.4
  4. sjo-bb1-link.telia.net                        0.0%    10    1.3   3.1   1.1  19.8   5.9
  5. las-bb1-link.telia.net                        0.0%    10   14.1  15.0  14.1  22.7   2.7
  6. att-ic-149001-las-bb1.c.telia.net            30.0%    10   23.6  32.0  23.6  38.5   5.0
  7. cr2.la2ca.ip.att.net                         50.0%    10   35.0  34.8  30.0  39.7   4.1
  8. cr2.sffca.ip.att.net                         30.0%    10   32.5  36.0  30.2  41.3   4.0
  9. 12.122.149.141                               50.0%    10   27.3  35.9  27.3  40.4   5.3
 10. ???                                          100.0    10    0.0   0.0   0.0   0.0   0.0
 11. ???                                          100.0    10    0.0   0.0   0.0   0.0   0.0
 12. ???                                          100.0    10    0.0   0.0   0.0   0.0   0.0
 13. 76-220-32-XX.lightspeed.sntcca.sbcglobal.net 80.0%    10   31.1  34.4  31.1  37.8   4.8
Wed Dec 28 21:17:53 EST 2011

  2.|-- 76-220-32-3.lightspeed.sntcca.sbcglobal.net             10.0%    10    2.2   2.6   2.2   3.6   0.4
  3.|-- ???                                                     100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- ???                                                     100.0    10    0.0   0.0   0.0   0.0   0.0
  5.|-- 12.83.39.137                                             0.0%    10    1.8   1.9   1.7   2.3   0.2
  6.|-- 12.122.200.9                                             0.0%    10   45.4  17.5   2.9 105.5  33.7
  7.|-- 208.51.134.1                                             0.0%    10    4.9  10.5   4.9  58.4  16.8
    |  `|-- 192.205.32.46
    |   |-- 192.205.32.50
    |   |-- 208.178.58.185
  8.|-- po1-20G.ar3.SJC2.gblx.net                                0.0%    10    5.3   5.1   5.0   5.3   0.1
  9.|-- Hurrican-Electric-LLC.Port-channel100.ar3.SJC2.gblx.net 10.0%    10   40.7  42.3  36.2  49.4   4.4
 10.|-- 10gigabitethernet1-1.core1.fmt1.he.net                  50.0%    10   40.3  47.4  40.3  51.9   4.3
 11.|-- linode-llc.10gigabitethernet2-3.core1.fmt1.he.net       60.0%    10   40.8  38.9  36.7  40.8   1.7
 12.|-- li163-159.members.linode.com                            20.0%    10   39.4  39.4  38.2  41.2   1.1
Wed 28 Dec 2011 18:18:22 PST

  2.|-- 76-220-32-3.lightspeed.sntcca.sbcglobal.net 10.0%    10    2.2   3.4   2.2  12.3   3.3
  3.|-- ???                                         100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- 71.145.0.80                                 90.0%    10    4.6   4.6   4.6   4.6   0.0
  5.|-- 12.83.39.137                                 0.0%    10    1.7   3.4   1.7  17.6   5.0
  6.|-- 12.122.137.125                               0.0%    10    2.8  19.8   2.8  47.5  16.0
  7.|-- att-gw.sanjoseequinix.savvis.net             0.0%    10    4.6  10.5   4.5  61.3  17.9
  8.|-- er1-te-3-1.SanJoseEquinix.savvis.net         0.0%    10    4.6  24.4   4.5 169.3  52.0
  9.|-- cr1-tenge-0-3-5-0.sanfrancisco.savvis.net    0.0%    10    7.0   6.6   6.3   7.0   0.2
 10.|-- cr1-tengig-0-0-2-0.losangeles.savvis.net     0.0%    10   16.4  16.4  15.7  17.1   0.4
 11.|-- ber1-tenge-2-1.losangeles.savvis.net         0.0%    10   15.7  16.6  15.6  23.4   2.4
 12.|-- 209.144.203.214                              0.0%    10   16.3  16.2  15.1  17.1   0.6
 13.|-- arpnetworks-lax2-gw.cust.trit.net            0.0%    10   33.8  18.9  16.7  33.8   5.3
 14.|-- arpnetworks.com                              0.0%    10   16.8  16.8  16.4  17.1   0.2
Wed 28 Dec 2011 18:20:24 PST

  2.|-- ???                                                     100.0    10    0.0   0.0   0.0   0.0   0.0
  3.|-- ???                                                     100.0    10    0.0   0.0   0.0   0.0   0.0
  4.|-- ???                                                     100.0    10    0.0   0.0   0.0   0.0   0.0
  5.|-- 12.83.39.137                                             0.0%    10    1.7   1.9   1.6   2.3   0.2
  6.|-- 12.122.200.9                                             0.0%    10    2.9   8.1   2.9  41.8  12.5
  7.|-- 208.51.134.1                                             0.0%    10    5.0  62.9   5.0 199.6  69.7
    |  `|-- 192.205.32.46
    |   |-- 192.205.32.50
    |   |-- 208.178.58.185
  8.|-- po1-20G.ar3.SJC2.gblx.net                                0.0%    10    5.5  57.7   4.9 228.9  87.6
  9.|-- Hurrican-Electric-LLC.Port-channel100.ar3.SJC2.gblx.net 30.0%    10   38.0  39.1  33.9  47.7   4.5
 10.|-- 10gigabitethernet1-1.core1.fmt1.he.net                  30.0%    10   43.5  45.6  33.1  92.9  21.2
 11.|-- linode-llc.10gigabitethernet2-3.core1.fmt1.he.net       60.0%    10   34.2  37.7  34.2  40.3   2.6
 12.|-- li163-159.members.linode.com                            20.0%    10   38.1  36.7  32.7  40.1   2.6
Wed 28 Dec 2011 18:21:00 PST

Somehow no noticeable ssh packet loss whatsoever, though.