Archive for June, 2008

Another IPSec solution for Mac OS X Leopard

I finally got around to replacing my Apple Airport Extreme as my home router. Airports have a few nice features, such as nice seamless extension of a wireless network, and sharing of HFS-formatted hard drives. But as routers, they pretty much blow. You can’t add static routes, and they don’t have integrated VPN capabilities.

I selected a NetGear FVS318 v3 as a router, mostly because I had read some posts that many people had made it work with the IPSec VPN utility IPSecuritas. It pretty much worked out of the box: I set up the router normally (I have a fixed IP address at home), then followed the instructions built into IPSecuritas for the 318 router.

I was careful to select an internal network scheme that is unlikely to collide with the common schemes found at internet cafes and most companies. That is, my home network is *not* in 192.168.0.0/16 or 172.16.0.0/12, nor is it 10.0.0.0/24 (the first /24 of 10.0.0.0/8, which is the one most people pick). This matters because if the network you are visiting hands you an address in the same range as the home LAN, the two routes overlap and the tunnel is useless for that range. There seems to be a way to configure IPSec to “reverse NAT” so that inbound remote connections masquerade as an address on the local network. I need to figure that one out.

Testing an IPSec VPN at home is a little tricky. Most people don’t have an extra external IP address at home they can use as a test, so one would have to set things up and then test connecting to home from the office or a neighbor’s house. But I have a Sprint EVDO USB modem, so I was able to connect with that.

The FVS318 also allowed me to add a static route so that my OpenVPN (which is running on my old Linux machine) will work as well, so I have two VPNs, in case there is an address conflict with the IPSec network.

Lightsaberification

oh yes.

http://videogum.com/archives/the-ultimate-argument-settler/lightsaber_010339.html

Lucky number 2 uptime

I’m not superstitious or anything.

11:44:05 up 222 days, 22:22, 1 user, load average: 0.75, 0.71, 0.90

Bookmark: all the good detailed documentation for Mac OS X Server

You’d think this would just be on the install DVD, but I couldn’t find it.

http://www.apple.com/server/macosx/resources/

How to point your local Macs to a Leopard Server for Software Update

I’m playing around with Leopard server for my wife’s work. While it pains me to pay $500 for an operating system, Leopard server does make a number of things very easy that should save me way more than that much in time and frustration.

One of the things you can set up on a Leopard server is the Software Update service. This is akin to running a local yum repository for Red Hat, or an apt mirror for Debian. It’s pretty easy/obvious to set up the server side: you just turn on the service, and it shows ALL the software updates from Apple from forever (or so it seems). Then it starts downloading them to the server.

What is not obvious is how to point your local Macs to this update server instead of the one at Apple. At my wife’s work, they will have 10-15 Macs, so it can save a lot of bandwidth/time if every single machine can download patches locally.

I find this kind of situation quite often in Leopard server (and previous versions of OS X server as well). Apple creates a feature that clearly does what you want, but does not document the client half of things very well. One is left to search the web, and eventually stumble upon the answer in a forum or on a blog.

So what’s the answer? On your client machine, do this:

% defaults write /Library/Preferences/com.apple.SoftwareUpdate CatalogURL "http://10.0.67.13:8088/"

This assumes that your SERVER is at IP address 10.0.67.13. Yours probably isn’t. You can also use a DNS name, or a name from your local /etc/hosts file. Because the preference lives in /Library/Preferences it is system-wide, so run the command as an admin user (or with sudo), and it applies to every account on that Mac.

I found this in an apple discussion article.

Some further digging revealed the answer deep in this document, on page 88.

Update: to undo, and go back to apple as software update source:

defaults delete /Library/Preferences/com.apple.SoftwareUpdate CatalogURL
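The set/check/undo steps above, wrapped into one script as an added example (not from the original post or from Apple). The server address 10.0.67.13 and port 8088 are the ones the post uses; the validation rule (accept only an http URL whose host part ends in :8088, the port the Leopard Server Software Update service listens on) is an assumption you can loosen. Worth keeping in mind: the catalog is fetched over plain HTTP, so whoever can answer for that address decides which updates your Macs see; keep the server on the trusted LAN and point clients at it by an address or name you control.

```shell
#!/bin/sh
# Added example: manage the Software Update CatalogURL on a Leopard client.
# Assumes the server listens on port 8088 as in the post; edit if yours differs.
PLIST=/Library/Preferences/com.apple.SoftwareUpdate

# Guard against typos: require "http://" and a host part ending in ":8088".
valid_catalog_url() {
    case "$1" in
        http://*) ;;
        *) return 1 ;;
    esac
    rest=${1#http://}
    hostport=${rest%%/*}
    case "$hostport" in
        *:8088) return 0 ;;
        *) return 1 ;;
    esac
}

# Show the current catalog, or say that the Apple default is in effect.
show_catalog() {
    defaults read "$PLIST" CatalogURL 2>/dev/null || echo "(unset: Apple's own servers)"
}

# Point this Mac at the local server.  Writes to /Library, so run as an
# admin user or with sudo.
set_catalog() {
    valid_catalog_url "$1" || { echo "refusing catalog URL: $1" >&2; return 1; }
    defaults write "$PLIST" CatalogURL "$1" || return 1
    show_catalog
}

# Undo: go back to Apple as the update source.
reset_catalog() {
    defaults delete "$PLIST" CatalogURL
}

case "${1:-}" in
    set)   set_catalog "${2:-}" ;;
    show)  show_catalog ;;
    reset) reset_catalog ;;
    "")    ;;
    *)     echo "usage: $0 set URL | show | reset" >&2; exit 2 ;;
esac
```

After `set`, run `softwareupdate -l` on the client: the list it returns should now be what the local server has downloaded, not Apple's full catalog.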

How to set up IPSec VPN access on Mac OS X

Most firewalls now support IPSec tunnels for VPN access. My experience has been that you need to buy a client that matches the firewall, and of course that client has to support the OS you are running, which means Mac support is hard to come by on the vast majority of firewalls. Cisco supports Mac with their client, but there are two problems with that: Cisco is darn expensive, and their software is ugly.

A little bit of research turned up some interesting stuff. First, OS X has IPSec support built in (via KAME’s racoon IKE daemon). Unfortunately, there’s no GUI or wizard, so configuration means hand-writing racoon’s config and the security policies, knowledge that is pretty unattainable for non-network-programming geeks, and an inconvenient learning curve for the geeks. Second, there are at least two solutions available to configure IPSec on Mac, with various documentation for different firewalls.

One is VPN Tracker, a commercial product that costs between $150 and $250. It appears to have a very good UI, a great web site, lots of documentation and a responsive support staff. The documentation and support are important because there are hundreds of firewalls out there, and each has its own specific way of setting up IPSec tunnels. VPN Tracker seems to have pretty good coverage: every VPN-capable firewall I’ve seen is on the list. I was not able to get the trial version working with either our FortiGate-60 or our NetScreen-50 here at work, but I might be able to; their support staff has contacted me with some questions. I’m pretty confident I could get it to work.

The other solution I found is IPSecuritas. It’s totally free, which is kind of mind-blowing since the software and website are maybe 95% as nice/slick as VPN Tracker. There seems to be a lot less documentation on various firewalls, but there’s a community-driven mechanism where people can post their solutions. I was able to get IPSecuritas working through our NetScreen-50 with the help of this web page. (And I think I’d be able to go back and get VPN Tracker working as well. The VPN Tracker documentation didn’t include policy changes on the firewall side, which I thought was odd at the time. Turns out it was odd: besides the tunnel itself, you need to add firewall policies allowing traffic from the internet side of the tunnel into your LAN.)

One disappointment is that IPSecuritas promises “split DNS.” The idea is that for hostnames internal to your LAN it sends requests to the LAN’s DNS server, and for everything else it uses the DNS server of wherever you are. It doesn’t work for me. This seems to be part of a larger problem I have with DNS on Leopard: it is exceedingly difficult to override a DNS server that comes with a DHCP address. I’m trying to figure out the story behind that.
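One mechanism Leopard does have for the split-DNS case, shown here as an added example rather than anything from IPSecuritas or the original post: the system resolver reads per-domain settings from files under /etc/resolver/ (see resolver(5)). A file named for a domain lists the nameservers to use for that domain only, while everything else keeps using the DHCP-supplied servers, so it does not try to replace those. The domain `corp.example` and the server addresses are assumptions; `RESOLVER_DIR` is overridable so the script can be exercised in a scratch directory.

```shell
#!/bin/sh
# Added example: per-domain DNS on Leopard via /etc/resolver/<domain>.
# Assumed values: domain corp.example, nameservers 10.0.67.2 and 10.0.67.3.
RESOLVER_DIR=${RESOLVER_DIR:-/etc/resolver}

# A domain becomes a file name, so reject anything with a slash, a leading
# dot, an empty label, or nothing at all.
valid_domain() {
    case "$1" in
        ""|*/*|.*|*..*) return 1 ;;
        *) return 0 ;;
    esac
}

# Dotted quad with four numeric octets, each 0..255 (subshell keeps IFS intact).
valid_ipv4() {
    (
        IFS=.
        set -- $1
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# Write RESOLVER_DIR/DOMAIN with one "nameserver" line per server.
# Needs root when RESOLVER_DIR is the real /etc/resolver.
add_split_domain() {
    domain=$1; shift
    valid_domain "$domain" || { echo "bad domain: $domain" >&2; return 1; }
    [ $# -ge 1 ] || { echo "need at least one nameserver" >&2; return 1; }
    for s in "$@"; do
        valid_ipv4 "$s" || { echo "bad nameserver: $s" >&2; return 1; }
    done
    mkdir -p "$RESOLVER_DIR" || return 1
    for s in "$@"; do
        echo "nameserver $s"
    done > "$RESOLVER_DIR/$domain"
}

# Undo: remove the per-domain file so the domain falls back to DHCP's servers.
remove_split_domain() {
    valid_domain "$1" || return 1
    rm -f "$RESOLVER_DIR/$1"
}

case "${1:-}" in
    add)    shift; add_split_domain "$@" ;;
    remove) remove_split_domain "${2:-}" ;;
    "")     ;;
    *)      echo "usage: $0 add DOMAIN SERVER... | remove DOMAIN" >&2; exit 2 ;;
esac
```

Check the result with `scutil --dns`, which lists a separate resolver entry with `domain : corp.example` and your nameservers, and with `dscacheutil -q host -a name somehost.corp.example`. Note that `dig`, `host` and `nslookup` talk to the servers in /etc/resolv.conf directly and never consult /etc/resolver, so they are the wrong tools for testing this.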

The Sopranos Final Episode

If you’re a fan of The Sopranos, and you’re still puzzling about the series finale, read this article. It’s fascinating. Spoilers galore, of course.

PostgreSQL on Leopard

These instructions worked well. The one problem I had was that my OpenSSL is out of sync with what the latest 8.3 version expects, so I just configured without SSL. (That means clients cannot make SSL connections to this server, which is fine as long as it only listens on localhost.)

./configure --prefix=/usr/local/pgsql \
--enable-thread-safety \
--without-docdir \
--with-perl \
--with-gssapi \
--with-pam \
--with-bonjour \
--without-openssl

Note to self: one of the funniest things on the web LOLtrek

I had forgotten about this until Kristin reminded me of it.

LOLTrek

Things You’d Like to Say to Sales Reps

Sometimes the things sales people say just make you want to go crazy and get all rude and sarcastic. But you really shouldn’t. It’s not their fault they’ve been given some stupid-assed company line to toe, or have had insufficient training. So you have to smile and say “Thank you.” But it’s fun to imagine what you would say if you were a big, giant meany.

I’m shopping around for online billing software/services for my wife’s medical practice. The first question I ask is “What are the browser requirements/do you support Firefox on Mac?”

The first amusing answer I got was on the phone.

Sales Guy: “Well, uh, it’s a proprietary system, so they want to really control what’s on there, and they don’t really allow just anything to run. So it’s only IE on Windows.”
Me (confused): “Um, you mean [your company name] wants to control what browser people use with your system?”
Sales Guy: “No, Apple doesn’t allow it.”
What I actually said: “Well, that’s not really, you know, true, but whatever. Thanks.”
What I wanted to say: “Dude, how fucking stupid do you think I am? Buh-bye.”

OK, the next one was just today. One of those chat window sales things popped up on the site.

Me: “Does [your product name] support Firefox on Mac?”
Sales Chatter Dude: “We only support IE on Windows for Security Reasons.”
Me (actual): “OK, Thanks.”
Me (desired): “So, by security reasons, you mean you want to create the largest number of scenarios where my medical office computer is infected with worms, spyware, and viruses, so I can then use it to access your Windows .NET-based server system. Which, I take it, has also been chosen for the security reason that you want to create the worst possible security situation. Is that right? Jesus H Roosevelt Christ, get a friggin clue!”