<?xml version="1.0" encoding="iso-8859-1"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
<?xml-stylesheet type="text/css" href="http://tonkersten.com/"?>


<title type="html">Ton Kersten</title>
<subtitle type="html">Thoughts of a geek</subtitle>
<link rel="alternate" type="text/html" href="http://tonkersten.com"/>
<link rel="self" type="application/atom+xml" href="http://tonkersten.com/atom.xml"/>
<updated>2010-08-30T21:09:12+02:00</updated>
<author>
<name>Ton Kersten</name>
<uri>http://tonkersten.com</uri>
</author>
<id>http://tonkersten.com/</id>
<generator uri="http://nanoblogger.sourceforge.net" version="3.4.2">
NanoBlogger
</generator>

<entry>
<title type="html">No more git RPMs</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/30/no_more_git_rpms/index.html"/>

<id>http://tonkersten.com/archives/2010/08/30/no_more_git_rpms/index.html</id>
<published>2010-08-30T10:23:15+02:00</published>
<updated>2010-08-30T10:23:15+02:00</updated>
<category term="news" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>For some time now I have been creating RPMs for <code>git</code>. I will not
do that anymore, because Dag Wieers' RPMForge now has them, and
up-to-date ones as well.</p>

<p>I also removed the <code>git</code> archive RPMs.</p>
</div>
</content>

</entry>
<entry>
<title type="html">Stupid web user</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/30/stupid_web_user/index.html"/>

<id>http://tonkersten.com/archives/2010/08/30/stupid_web_user/index.html</id>
<published>2010-08-30T09:21:20+02:00</published>
<updated>2010-08-30T09:21:20+02:00</updated>
<category term="news" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>As blogged before, I had my first IPv6 visitor, but of course the
first IPv6 type that tried to enter my network could not be far off.
Yep, and there he/she is.</p>

<p>Its IP address is <code>2002:4e6d:8112::1</code>, and that does not resolve to anything
useful yet, because it is a 6to4 network address.</p>

<p>Converting it to an IPv4 address gives me <code>78.109.129.18</code>, and digging that
results in</p>

<pre><code>; &lt;&lt;&gt;&gt; DiG 9.6.0-APPLE-P2 &lt;&lt;&gt;&gt; -x 78.109.129.18
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 31228
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;18.129.109.78.in-addr.arpa.    IN  PTR

;; ANSWER SECTION:
18.129.109.78.in-addr.arpa. 3600 IN PTR 18.static.ppp.dianet.info.

;; AUTHORITY SECTION:
129.109.78.in-addr.arpa. 172799 IN  NS  ns3.netcorp.ru.
129.109.78.in-addr.arpa. 172799 IN  NS  ns1.netcorp.ru.

;; Query time: 694 msec
;; SERVER: 192.168.63.4#53(192.168.63.4)
;; WHEN: Mon Aug 30 21:06:50 2010
;; MSG SIZE  rcvd: 129
</code></pre>

<p>So: From Russia with love!</p>

<p>This dude or dudette tried to connect to port <code>51777</code> (uTorrent, I guess) a
meager 21514 times. I would guess you should know there's nothing to get after
a couple of attempts (say 10). I do not run torrents, and even if I did, you
wouldn't get anything.</p>
</div>
</content>

</entry>
<entry>
<title type="html">My first IPv6 website visitor</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/30/my_first_ipv6_webside_visitor/index.html"/>

<id>http://tonkersten.com/archives/2010/08/30/my_first_ipv6_webside_visitor/index.html</id>
<published>2010-08-30T09:11:20+02:00</published>
<updated>2010-08-30T09:11:20+02:00</updated>
<category term="news" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>Last night I had my first genuine visitor with IPv6.
It seems it's a webcrawler from the Erlangen University
in Germany.</p>

<p>The IPv6 address is <code>2001:638:a00:4f::83bc:4e1e</code> and this results
in</p>

<pre><code>; &lt;&lt;&gt;&gt; DiG 9.7.1-P2 &lt;&lt;&gt;&gt; -x 2001:638:a00:4f::83bc:4e1e
;; global options: +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 33203
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;e.1.e.4.c.b.3.8.0.0.0.0.0.0.0.0.f.4.0.0.0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
e.1.e.4.c.b.3.8.0.0.0.0.0.0.0.0.f.4.0.0.0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN PTR legolas.rrze.uni-erlangen.de.

;; AUTHORITY SECTION:
0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN NS   faui45.informatik.uni-erlangen.de.
0.0.a.0.8.3.6.0.1.0.0.2.ip6.arpa. 86291 IN NS   ns.rrze.uni-erlangen.de.

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Aug 30 09:07:47 2010
;; MSG SIZE  rcvd: 181
</code></pre>

<p>To the Erlangen University: Congratulations!!</p>
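<p>The ip6.arpa name that <code>dig -x</code> looks up here, and the 6to4 conversion in the post "Stupid web user" above, can both be worked out without a resolver; the following Python is an added example, not the author's code, and uses the two visitor addresses from the posts as constructed input.</p>

```python
import ipaddress

# Constructed sample input: the two visitor addresses quoted in the posts.
SIXTOFOUR_VISITOR = "2002:4e6d:8112::1"
CRAWLER = "2001:638:a00:4f::83bc:4e1e"


def reverse_name(address):
    """Return the owner name that 'dig -x' looks up for this address.

    IPv6 reverse names use one label per hex nibble, least significant
    nibble first, under ip6.arpa; IPv4 reverses the dotted octets under
    in-addr.arpa.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 6:
        nibbles = format(int(ip), "032x")   # all 32 nibbles, zero-padded
        return ".".join(reversed(nibbles)) + ".ip6.arpa"
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"


def embedded_ipv4(address):
    """For a 6to4 address (2002::/16, RFC 3056) return the IPv4 address
    carried in bits 16-47, otherwise None.

    That IPv4 address is the 6to4 router, normally the visitor's own
    IPv4 endpoint, so it is what to resolve and look up when the ip6.arpa
    PTR query comes back empty. (ipaddress.IPv6Address.sixtofour gives
    the same result; the arithmetic is spelled out here.)
    """
    ip = ipaddress.ip_address(address)
    if ip.version != 6 or ip not in ipaddress.IPv6Network("2002::/16"):
        return None
    v4_bits = int(ip) // 2**80 % 2**32      # drop the low 80 bits, keep 32
    return str(ipaddress.IPv4Address(v4_bits))


def describe(address):
    """Collect what a defender wants to know about a visiting address."""
    info = {"address": address, "reverse_name": reverse_name(address)}
    ipv4 = embedded_ipv4(address)
    if ipv4 is not None:
        info["sixtofour_ipv4"] = ipv4
        info["sixtofour_reverse_name"] = reverse_name(ipv4)
    return info


if __name__ == "__main__":
    for visitor in (SIXTOFOUR_VISITOR, CRAWLER):
        print(describe(visitor))
```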
</div>
</content>

</entry>
<entry>
<title type="html">Also known as pa1ton</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/25/also_known_as_pa1ton/index.html"/>

<id>http://tonkersten.com/archives/2010/08/25/also_known_as_pa1ton/index.html</id>
<published>2010-08-25T14:00:54+02:00</published>
<updated>2010-08-25T14:00:54+02:00</updated>
<category term="news" />
<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>I've been running this blog for some time now, and for the IPv6 certificate
I needed this site to be IPv6 capable. Therefore I had to run my own nameserver
and stuff like that, and so I decided that it would be nice if you could
reach me at <code>http://pa1ton.nl</code> as well.</p>

<p>Well, you can. Just <a href="http://pa1ton.nl">click here</a>.</p>

<p>Some URLs need some tweaking, but the first hurdles have been taken.</p>
</div>
</content>

</entry>
<entry>
<title type="html">IPv6 certification level &quot;Sage&quot; reached</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/24/ipv6_certification_level_sage_reached/index.html"/>

<id>http://tonkersten.com/archives/2010/08/24/ipv6_certification_level_sage_reached/index.html</id>
<published>2010-08-24T15:45:07+02:00</published>
<updated>2010-08-24T15:45:07+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>It took me some time and some tweaking of nameservers,
webservers and mailservers, but I finally got it.</p>

<p>I got the Hurricane Electric IPv6 Certification nailed for the "Sage" level.
This is the highest level, so there is only a simple test to go and a daily submission
of some logs for maximum points. The maximum number of points you can get is 1500,
so I'm well on my way.</p>

<p>As an extra <a href="http://he.net" target="_blank">HE</a> gives you a nice, nerdy T-Shirt, stating that
you are an IPv6 guru. I can't wait to put it on  <img src="http://tonkersten.com/moods/smilies/wink.gif" alt=";-)" /></p>

<p>This is the certificate.</p>
<center>
<a href="http://ipv6.he.net/certification/scoresheet.php?pass_name=tonk" target="_blank"><img src="http://ipv6.he.net/certification/create_badge.php?pass_name=tonk&amp;badge=3" width="229" height="137" border="0" alt="IPv6 Certification Badge for tonk" /></a>
</center>
</div>
</content>

</entry>
<entry>
<title type="html">DNSSEC for tonkersten.com and pa1ton.nl</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/23/dnssec_for_tonkersten_com_and_pa1ton_nl/index.html"/>

<id>http://tonkersten.com/archives/2010/08/23/dnssec_for_tonkersten_com_and_pa1ton_nl/index.html</id>
<published>2010-08-23T13:08:38+02:00</published>
<updated>2010-08-23T13:08:38+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>Last night (Aug. 22 2010 at 00:25:47) <a href="http://www.sidn.nl" target="_blank">SIDN</a> signed the
Dutch .nl zone and made it public. This is, of course, a reason for a party and
calls for the signing of my own zones. Unfortunately it's not yet possible to use
secure delegation (a DS record for my zones in the parent), but that's something for the future.</p>

<p>I do have two domains up and running and I signed them both.</p>


<p>This is what I did:</p>

<p>First you need a <em>Zone Signing Key</em> (ZSK) and a <em>Key Signing Key</em> (KSK)
and these can be made with</p>

<pre><code>dnssec-keygen -e -a RSASHA1 -b 2048 -n ZONE        tonkersten.com   # ZSK
dnssec-keygen    -a RSASHA1 -b 2048 -n ZONE -f KSK tonkersten.com   # KSK
</code></pre>

<p>This results in two sets of two files (after a very long time):</p>

<pre><code>Ktonkersten.com.+005+42559.key
Ktonkersten.com.+005+42559.private
Ktonkersten.com.+005+61598.key
Ktonkersten.com.+005+61598.private
</code></pre>

<p>The key-generating process can be sped up using the <code>-u /dev/urandom</code> option,
but that results in a lower entropy and thus in lower security.</p>

<p>Now include the two public keys in the zone file</p>

<pre><code>$include keys/Ktonkersten.com.+005+42559.key
$include keys/Ktonkersten.com.+005+61598.key
</code></pre>

<p>and sign the zone:</p>

<pre><code>dnssec-signzone         \
    -d keys         \
    -K keys         \
    -N increment        \
    -o tonkersten.com   \
    -S tonkersten.com
</code></pre>

<p>giving me a file called <code>db.tonkersten.fwd.signed</code>.</p>

<p>This file should now be used in <code>/etc/named.conf</code> as the zone file
for the signed zone.</p>

<p>So, when I do a query for the <code>tonkersten.com</code> domain, I get</p>

<pre><code>$ dig +dnssec +multiline DNSKEY home.tonkersten.com

; &lt;&lt;&gt;&gt; DiG 9.7.1-P2 &lt;&lt;&gt;&gt; +dnssec +multiline DNSKEY home.tonkersten.com
;; global options:  +cmd
;; Got answer:
;; -&gt;&gt;HEADER&lt;&lt;- opcode: QUERY, status: NOERROR, id: 34594
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;home.tonkersten.com.   IN DNSKEY

;; AUTHORITY SECTION:
tonkersten.com.     3600 IN SOA home.tonkersten.com. tonk.tonkersten.com. (
                2010082303 ; serial
                21600      ; refresh (6 hours)
                7200       ; retry (2 hours)
                604800     ; expire (1 week)
                3600       ; minimum (1 hour)
                )
tonkersten.com.     3600 IN RRSIG SOA 5 2 3600 20100922081850 (
                20100823081850 61598 tonkersten.com.
                W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
                ...
                FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.    3600 IN NSEC mail.tonkersten.com. A AAAA RRSIG NSEC
home.tonkersten.com.    3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
                20100823081850 61598 tonkersten.com.
                ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
                ...
                PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )

;; Query time: 52 msec
;; SERVER: 80.126.204.63#53(80.126.204.63)
;; WHEN: Mon Aug 23 12:30:43 2010
;; MSG SIZE  rcvd: 734
</code></pre>
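<p>The RRSIG records in this output carry the signature validity window, and once it has passed a validating resolver treats the whole zone as bogus; this added Python example (not the author's code) parses the records from the dig output above, reconstructed as sample input, and reports how close each signature is to expiry.</p>

```python
import operator
import re
from datetime import datetime, timedelta

# Constructed sample: the two RRSIG records from the dig +multiline output
# above, with the base64 signatures shortened as they are in the post.
DIG_OUTPUT = """\
tonkersten.com.     3600 IN RRSIG SOA 5 2 3600 20100922081850 (
                20100823081850 61598 tonkersten.com.
                W9qamKcSdTfCwOJk+m+tRZsRwdvZVzHzONGCehfX41/I
                FJ0uZPzfaujQAcKa1NnB89Ccd7m18XL0Gw== )
home.tonkersten.com.    3600 IN RRSIG NSEC 5 3 3600 20100922081850 (
                20100823081850 61598 tonkersten.com.
                ZdeRhW5RxqFZguFMOtZhnes/OGA/E2K2CgLLVW3Z00T0
                PQn52goXz8nXMovgDuB8HNWbzKwSCs07Ug== )
"""
RRSIG_TIME = "%Y%m%d%H%M%S"   # RRSIG timestamps are YYYYMMDDHHmmSS, UTC


def parse_rrsigs(text):
    """Return one dict per RRSIG in dig +multiline output; the records that
    dig wraps in parentheses are folded back onto one line first."""
    folded = re.sub(r"\(\s*(.*?)\s*\)", lambda m: " ".join(m.group(1).split()),
                    text, flags=re.S)
    records = []
    for line in folded.splitlines():
        f = line.split()
        if f[3:4] != ["RRSIG"] or not f[12:]:   # fixed fields plus a signature
            continue
        records.append({
            "owner": f[0],
            "type_covered": f[4],
            "algorithm": int(f[5]),   # 5 = RSASHA1, the -a RSASHA1 of the keygen call
            "expiration": datetime.strptime(f[8], RRSIG_TIME),
            "inception": datetime.strptime(f[9], RRSIG_TIME),
            "key_tag": int(f[10]),    # the 61598 in Ktonkersten.com.+005+61598.key
            "signer": f[11],
        })
    return records


def check_validity(sig, now, warn_days=7):
    """Classify one RRSIG at UTC time 'now' (datetime or RRSIG_TIME string).
    A validating resolver treats a zone with expired signatures as bogus,
    so 'expiring' is the state to alert on: dnssec-signzone signs for
    30 days by default and has to be re-run before that runs out."""
    if isinstance(now, str):
        now = datetime.strptime(now, RRSIG_TIME)
    remaining = sig["expiration"] - now
    if operator.lt(now, sig["inception"]):
        return "not yet valid"
    if operator.le(remaining, timedelta(0)):
        return "expired"
    if operator.lt(remaining, timedelta(days=warn_days)):
        return "expiring"
    return "ok"
```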

<p>Now it's your turn.</p>

<p>Good luck  <img src="http://tonkersten.com/moods/smilies/wink.gif" alt=";-)" /></p>
</div>
</content>

</entry>
<entry>
<title type="html">Deploying IPv6</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/16/deploying_ipv6/index.html"/>

<id>http://tonkersten.com/archives/2010/08/16/deploying_ipv6/index.html</id>
<published>2010-08-16T08:17:05+02:00</published>
<updated>2010-08-16T08:17:05+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>It took me some time, but now I have it up and running.  My home network runs
IPv6 and my server can be reached on an IPv6 address.</p>

<p>Unfortunately I don't have a native IPv6 address and my provider (UPC/Chello)
will not supply one, so I had to use a tunnel broker. After experimenting a bit
I settled on the <a href="http://www.tunnelbroker.net/" target="_blank">tunnelbroker</a> of Hurricane
Electric.</p>

<p>My <a href="http://m0n0.ch/wall" target="_blank">m0n0wall</a> firewall supports the Tunnelbroker IPv6/IPv4
tunnels and after configuring some firewall rules everything is up and running.</p>

<p>I still have to grab some screenshots, and after that I'll post how I did it.</p>
</div>
</content>

</entry>
<entry>
<title type="html">Compiling OpenSSL and OpenSSH</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/12/compiling_openssl_and_openssh/index.html"/>

<id>http://tonkersten.com/archives/2010/08/12/compiling_openssl_and_openssh/index.html</id>
<published>2010-08-12T14:54:33+02:00</published>
<updated>2010-08-12T14:54:33+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>My server at home runs CentOS 5 and this has OpenSSH version 4.3.
Running updates doesn't update this version, because RedHat keeps
the version number stable.</p>

<p>But I wanted a newer <a href="http://openssh.org" target="_blank">OpenSSH</a> because of some nice
new features. But when I compile a new version I'm still stuck with the old
<a href="http://openssl.org" target="_blank">OpenSSL</a>, and that's not what I want.</p>

<p>Well, you can guess it by now, this is what I did.</p>


<p>I first got the newest version of OpenSSL and compiled it with</p>

<pre><code>./config shared --prefix=/usr/local/openssl
make
make install
</code></pre>

<p>This way this OpenSSL is completely separate from the one on the system, so
nothing gets broken.</p>

<p>After this I wanted to compile OpenSSH, and I got the message</p>

<pre><code>configure: error: Your OpenSSL headers do not match your library
</code></pre>

<p>I took a look at Google and found a lot of answers, including one
where you had to copy all the header files all over the place.
I was completely flabbergasted when I read this solution.
A short example (there were a lot more; to protect this lunatic I removed
his userid from the lines below):</p>

<pre><code>cd /home/x/openssl/openssl-*
cd include/openssl
cp * /usr/include
cp * /usr/local/ssl/include
cp * /usr/local/ssl/include/openssl
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/local/ssl/include
cd /home/x/openssl/openssl-*
cp lib* /usr/local/ssl/lib/
cp lib* /usr/lib/
ldconfig
cd /home/x/openssl/openssl-*/include/openssl
cp * /usr/include/
cp * /usr/local/ssl/include/
cp * /usr/local/ssl/include/openssl
</code></pre>

<p>Well, let's put it this way: <strong><em>ARE YOU NUTS!!!</em></strong></p>

<p>If you want to break things, that's the way to go.</p>

<p>And after all this copying he got the message:</p>

<pre><code>Connecting to server...
    OpenSSL version mismatch. Built against 90603f, you have 90607f
    Couldn't read packet: Connection reset by peer
</code></pre>
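<p>Those two hex numbers are OPENSSL_VERSION_NUMBER values: the one compiled into the binary and the one reported by the shared library it actually loaded. The following added Python example, not from the post, decodes them into the familiar 0.9.6c / 0.9.6g form, using the message above as constructed input.</p>

```python
import re

# Constructed sample: the error message quoted in the post above.
MESSAGE = "OpenSSL version mismatch. Built against 90603f, you have 90607f"


def split_version(hexnum):
    """Split an OPENSSL_VERSION_NUMBER value (OpenSSL before 3.0) into
    its fields. The layout is 0xMNNFFPPS: major M, minor NN, fix FF,
    patch PP (0 = none, 1 = 'a', 2 = 'b', ...) and status S
    (0 = development, 1 to 0xe = beta, 0xf = release)."""
    n = int(hexnum, 16)
    return {
        "major": n // 0x10000000 % 0x10,
        "minor": n // 0x100000 % 0x100,
        "fix": n // 0x1000 % 0x100,
        "patch": n // 0x10 % 0x100,
        "status": n % 0x10,
    }


def decode_version(hexnum):
    """Render a version number the way 'openssl version' prints it."""
    v = split_version(hexnum)
    text = "%d.%d.%d" % (v["major"], v["minor"], v["fix"])
    if v["patch"]:
        text += chr(ord("a") + v["patch"] - 1)
    if v["status"] == 0:
        text += "-dev"
    elif v["status"] != 0xF:
        text += "-beta%d" % v["status"]
    return text


def explain_mismatch(message):
    """Decode both numbers in an OpenSSH 'Built against X, you have Y'
    message. 'headers' is the OpenSSL the binary was compiled against,
    'library' the one it loaded at run time; same_fix_level means only
    the patch letter differs, i.e. headers and shared library came from
    two different installs of the same release line, which is exactly
    what the header-copying above produces."""
    m = re.search(r"Built against ([0-9a-f]+), you have ([0-9a-f]+)", message, re.I)
    if not m:
        return None
    built, have = split_version(m.group(1)), split_version(m.group(2))
    return {
        "headers": decode_version(m.group(1)),
        "library": decode_version(m.group(2)),
        "same_fix_level": all(built[k] == have[k] for k in ("major", "minor", "fix")),
    }
```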

<p>And guess what, this was solved with more copying of libraries and header
files. What a mess. Thank God he lives in the States and his resume says he is
only a Linux Systems Expert working for a brain surgeon. I reckon he will
never touch my brain or my machines.</p>

<p>I experimented somewhat with the configure options, and it's quite easy:</p>

<pre><code># LDFLAGS holds linker options, so the library directory needs the -L prefix
export LDFLAGS=-L/usr/local/openssl/lib
./configure                                     \
    --with-pam                                  \
    --with-kerberos5                            \
    --with-ssl-engine                           \
    --includedir=/usr/local/openssl/include     \
    --with-ssl-dir=/usr/local/openssl
</code></pre>

<p>and now OpenSSH compiles with the special OpenSSL without polluting your
entire system.</p>

<p>Have fun and don't mess up!</p>
</div>
</content>

</entry>
<entry>
<title type="html">Back to m0n0wall</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/10/back_to_m0n0wall/index.html"/>

<id>http://tonkersten.com/archives/2010/08/10/back_to_m0n0wall/index.html</id>
<published>2010-08-10T20:15:19+02:00</published>
<updated>2010-08-10T20:15:19+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>Some time ago I switched from <a href="http://m0n0.ch/wall" target="_blank">m0n0wall</a> to
<a href="http://www.pfsense.org" target="_blank">pfSense</a>, and I liked it a lot.</p>

<p>But a problem with PPTP tunneling made me think again. Was pfSense
the way to go?</p>

<p>Well, it wasn't. When I was trying to get IPv6 up and running it turned out
that pfSense doesn't support IPv6 out of the box, and m0n0wall does.
There were some answers on the internet, but I was not willing to
hack the pfSense box if that was not needed. And the pfSense website states that
IPv6 support will come after the release of 2.0. I'm not going to hold my
breath that long. And the PPTP tunneling problem can only be solved when
you have two external IP addresses. My provider won't give me a static
one, so two statics is completely out of the question.</p>

<p>So, here is what I did. I took my old firewall and installed m0n0wall (version
1.32, the latest stable) on it.  After that I implemented all the firewall
thingies I had in the pfSense box and put all the stuff in to make it work.</p>

<p>Then I switched firewalls to test it for a couple of days and see if
everything works.  And it did. So, I installed m0n0wall on the primary
firewall and left it running for some time.</p>

<p>OK, time to implement IPv6, but that is a different story. When I have it
completely up and running, you will be the first to hear it.</p>
</div>
</content>

</entry>
<entry>
<title type="html">My new Internet connection</title>
<author>
<name>Ton Kersten</name>
</author>
<link rel="alternate" type="text/html" href="http://tonkersten.com/archives/2010/08/02/my_new_internet_connection/index.html"/>

<id>http://tonkersten.com/archives/2010/08/02/my_new_internet_connection/index.html</id>
<published>2010-08-02T09:22:04+02:00</published>
<updated>2010-08-02T09:22:04+02:00</updated>

<content type="xhtml">
<div xmlns="http://www.w3.org/1999/xhtml">
<p>About a month or two ago I was contacted by my ISP asking if I would like a much
faster internet connection at a lower price. Well, you have to be nuts to turn down
such an offer, so I decided to accept.</p>

<p>About a week later the new internet modem showed up and I connected everything
up.</p>

<p>Running speedtest made me very happy.</p>

<p><center>
<img src="/images/speedtest.png" alt="Speedtest" title="" />
</center></p>

<p>Not bad at all  <img src="http://tonkersten.com/moods/smilies/smiley.gif" alt=":-)" /> </p>
</div>
</content>

</entry>

</feed>
