tl;dr: Add PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin" to /etc/default/firehol when using backported version 3 of firehol on Ubuntu.

firehol – an easy to use but powerful iptables stateful firewall

man firehol

With this out of the way: When installing firehol on aging Xenial (Ubuntu 16.04) you want the backported packages by Andrey Galkin to get version 3 of firehol instead of the version 2 shipped in universe, especially when working with IPv6: https://launchpad.net/~andvgal

Once your rules are set up you may find after a reboot that the systemd unit claims to have started firehol, yet your iptables are empty, even with START_FIREHOL=YES set in /etc/default/firehol:

● firehol.service - LSB: firehol firewall configuration
   Loaded: loaded (/etc/init.d/firehol; bad; vendor preset: enabled)
   Active: active (exited) since Fr 2020-11-27 15:43:51 CET; 2h 8min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31555 ExecStop=/etc/init.d/firehol stop (code=exited, status=0/SUCCESS)
  Process: 31574 ExecStart=/etc/init.d/firehol start (code=exited, status=0/SUCCESS)

This is especially confusing because running the same /sbin/firehol start command by hand succeeds just fine.

I had to dig deep to find out where the script actually falls flat. This was mostly because the old init script /etc/init.d/firehol redirects the output of the start command to /dev/null, so the errors never show up anywhere:

do_start () {
        # return
        #  0 000 if firewall has been handled
        #  1 001 if firewall could not be activated
        #  4 100 if FireHOL is disabled via /etc/default/firehol
        [ "$START_FIREHOL" = "NO"  ] && return 4
        /sbin/firehol start "$@" > /dev/null 2>&1 || return 1
}

Without that redirect, and with INIT_VERBOSE=yes set, we finally get some useful output:

Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: dirname: command not found
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: cd: HOME not set
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: basename: command not found
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 36: dirname: command not found
Nov 27 17:59:38 firehol[27095]: Cannot access /install.config
Nov 27 17:59:38 firehol[27095]:    ...fail!

This is the script telling us that the PATH it sees does not contain the directory holding dirname and basename, so it cannot execute the commands it needs. The failed dirname apparently leaves cd with nothing to change to, so cd falls back to $HOME, which systemd does not set, and with an empty directory prefix the script then looks for /install.config in the root directory. Sadly none of this is caught or logged: without INIT_VERBOSE the output goes to /dev/null, and the unit still reports exit status 0 and "active (exited)".

At first I was going to blame systemd for isolating the script from environment variables, but that was too fast: setting PATH explicitly for the unit changed nothing, because the init script /etc/init.d/firehol overwrites PATH right at the top with a value that lacks /usr/bin, where dirname, basename and others are found.

PATH=/bin:/sbin
NAME=firehol
DESC="firewall"
SCRIPTNAME=/etc/init.d/$NAME

test -x /sbin/firehol || exit 0

[ -r /etc/default/firehol ] && set -a && . /etc/default/firehol

I compared the /sbin/firehol script of version 2 with version 3 and there is a subtle difference at the start: version 2 extends and exports PATH itself, version 3 no longer does:

# EXTERNAL/SYSTEM COMMANDS MANAGEMENT
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------

export PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"

I’d argue that version 3 dropping this is more correct, because setting up PATH is really the job of whatever runs the script, so SysVinit or systemd. Sadly that doesn’t help us here, and editing a maintainer-provided file is a no-go because the next update (if any) will overwrite it. Luckily the init script /etc/init.d/firehol also sources /etc/default/firehol, and it does so after set -a, so every variable assigned there is exported to /sbin/firehol. This means we can set any additional environment variable here. Appending the system directories rather than prepending keeps /bin:/sbin first in the lookup order, and since this PATH is used by a script running as root it must only ever contain root-owned directories that nobody else can write to:

# FireHOL application default file
# sourced by the initscript `/etc/init.d/firehol'.

PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"

# To enable firehol at startup set START_FIREHOL=YES (init script variable)
START_FIREHOL=YES

After editing this file the unit finally logs firehol's own progress and our iptables fill up with rules again.

● firehol.service - LSB: firehol firewall configuration
   Loaded: loaded (/etc/init.d/firehol; bad; vendor preset: enabled)
  Drop-In: /etc/systemd/system/firehol.service.d
   Active: active (exited) since Fr 2020-11-27 18:17:41 CET; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14337 ExecStop=/etc/init.d/firehol stop (code=exited, status=0/SUCCESS)
  Process: 14511 ExecStart=/etc/init.d/firehol start (code=exited, status=0/SUCCESS)

Nov 27 18:17:39 systemd[1]: Starting LSB: firehol firewall configuration...
Nov 27 18:17:39 firehol[14511]: Params
Nov 27 18:17:39 firehol[14511]: FireHOL: Saving active firewall to a temporary file...  OK
Nov 27 18:17:40 firehol[14511]: FireHOL: Processing file '//etc/firehol/firehol.conf'...  OK  (470 iptables rules)
Nov 27 18:17:41 firehol[14511]: FireHOL: Activating ipsets...  OK
Nov 27 18:17:41 firehol[14511]: FireHOL: Fast activating new firewall...  OK
Nov 27 18:17:41 firehol[14511]: FireHOL: Saving activated firewall to '//var/spool/firehol'...  OK
Nov 27 18:17:41 systemd[1]: Started LSB: firehol firewall configuration.
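As an added example that is not part of firehol or of the original post, the following POSIX shell script reproduces the failure above in a constructed miniature of a pre-usrmerge Ubuntu 16.04 tree (iptables under sbin, but dirname and basename only under usr/bin) and shows the two checks I would want before trusting a PATH in a root-run init script: can every required command be resolved, and is every directory on it root-controlled rather than world-writable? The helper names (find_in_path, missing_commands, unsafe_path_dirs, make_xenial_layout, init_script_path) are my own; init_script_path mimics only the PATH assignment and the set -a sourcing from the top of /etc/init.d/firehol, and the constructed defaults file mirrors the PATH line from /etc/default/firehol above.

```shell
#!/bin/sh
# Added example, not part of firehol: reproduce the init-script PATH failure in a
# constructed directory tree and check a PATH value before a root-run script uses it.

# find_in_path PATH cmd: print the first executable "dir/cmd" found along PATH,
# exit status 1 if none. Runs in a subshell so the IFS and set -f changes do not leak.
find_in_path() (
    set -f; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.                  # an empty PATH entry means "."
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            return 0
        fi
    done
    return 1
)

# missing_commands PATH cmd...: print every command PATH cannot resolve, one per
# line; exit status 1 if any is missing. This is the check /sbin/firehol lacks.
missing_commands() {
    _path=$1; shift
    _rc=0
    for _cmd in "$@"; do
        find_in_path "$_path" "$_cmd" >/dev/null || { printf '%s\n' "$_cmd"; _rc=1; }
    done
    return $_rc
}

# unsafe_path_dirs PATH: print every entry that is missing or world-writable.
# The firewall script runs as root, so a writable directory on its PATH would let
# any local user plant a fake "dirname" that then runs as root. Exit status 1 if any.
unsafe_path_dirs() (
    set -f; IFS=:
    rc=0
    for dir in $1; do
        [ -n "$dir" ] || dir=.
        if [ ! -d "$dir" ] || [ "$(ls -ld "$dir" | cut -c9)" = w ]; then
            printf '%s\n' "$dir"
            rc=1
        fi
    done
    return $rc
)

# make_xenial_layout ROOT: constructed miniature of a pre-usrmerge Ubuntu 16.04
# tree: iptables under sbin, but dirname and basename only under usr/bin.
make_xenial_layout() {
    for _d in bin sbin usr/bin usr/sbin; do
        mkdir -p "$1/$_d" && chmod 755 "$1/$_d"
    done
    for _c in bin/sh bin/grep sbin/iptables sbin/ip6tables usr/bin/dirname usr/bin/basename; do
        printf '#!/bin/sh\nexit 0\n' > "$1/$_c" && chmod 755 "$1/$_c"
    done
}

# init_script_path ROOT [DEFAULTS]: mimic the top of /etc/init.d/firehol: hard-code
# PATH (relative to ROOT here), then source the defaults file after "set -a" so that
# every variable it assigns, PATH included, is exported to the started command.
# Prints the PATH that /sbin/firehol would see.
init_script_path() (
    PATH="$1/bin:$1/sbin"
    [ -r "$2" ] && set -a && . "$2"
    printf '%s\n' "$PATH"
)

# Demo: the init script's own PATH versus the PATH after sourcing the defaults file.
root=$(mktemp -d) || exit 1
make_xenial_layout "$root"
defaults="$root/etc-default-firehol"
printf 'PATH="${PATH}:%s/bin:%s/usr/bin:%s/sbin:%s/usr/sbin"\nSTART_FIREHOL=YES\n' \
    "$root" "$root" "$root" "$root" > "$defaults"
for candidate in "$(init_script_path "$root")" "$(init_script_path "$root" "$defaults")"; do
    echo "PATH=$candidate"
    missing_commands "$candidate" dirname basename iptables ip6tables | sed 's/^/  missing: /'
    unsafe_path_dirs "$candidate" | sed 's/^/  unsafe: /'
done
rm -rf "$root"
```

Run against the real system, missing_commands "$PATH" dirname basename iptables ip6tables ipset is a cheap preflight to put in front of a start command, and unsafe_path_dirs is the check to run on any PATH you append to from a defaults file: on the first candidate above it reports dirname and basename as missing, on the second everything resolves and no directory is flagged.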

Personally I can’t wait for all init scripts to sink into oblivion, because debugging these sorts of errors is hard and a waste of time, and usually revolves around problems that have already been solved in many different ways before, each falling flat in some corner case.

I seldom dabble in the corporate hell of Windows devices but sometimes I have to “use” a laptop to access some VPN to do my magic job and I have no idea how anyone can work like this.

I’m talking about the full set here starting with BitLocker, Cisco AnyConnect (yuk), virus protection and gods know what else.

Every time I start this I get to wait for 2-4 hours until all the updates are done, while I’m getting swamped with pop-ups from all kinds of pre-installed software, each in its individual fashion and style asking me to click, tap, accept, proceed or acknowledge something I’ve no idea about.

Speaking of which, I usually even have a hard time reading anything on this excuse of a display. For unknown reasons someone thought it’s a good idea to design a default theme with probably fifty shades of grey (I know about high contrast mode but that makes it worse).

I am only a user on such a device without any admin permissions. Why am I even bothered with all this? And while I wiggle my way through all the pop-ups overlapping each other stealing input focus again and again trying to get anything done… Reboot required. Now. Reboot and… repeat! There are more updates we didn’t know of before!

In between an occasional error pops up about something not being able to install something because of some error. The amount of provided information is killing me.

And it’s slow. So gorram slow. What is this thing doing with an i5 processor all the time? And why do I have to babysit it for updates at all?

Eventually I may be able to use the device only to be prompted to change my password due to reasons. And bite me, every time I have to figure out what new password may be fine because the prompt won’t suggest the password rules or anything.

At the end of the day I’m happy that I can use a system again that, as odd as it may seem, provides a much better user experience [to me]: A Fedora Workstation. It just works.

Today I scratched an itch I had with and . Every time I run it on my PC I have to drag the window around until it fills my three-display setup. It’s tricky because it’s a grown installation and the displays have different resolutions.

Gnome has smart borders auto-sizing windows when you come close to a border. Usually that’s awesome but in this case it’s not. wmctrl to my rescue!

Find out about current window position when satisfied: wmctrl -G -l -x

Use that information for a one liner script: wmctrl -x -r code.Code -e 0,0,109,5276,1136

This will do until I get a 4k display or learn how to auto-run this snippet on the launch of vscode (like I do this with RisingWorld to force semi borderless fullscreen) 🤣
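Added example, not from the original post: a small POSIX shell helper that reads the output of wmctrl -G -l -x and builds the -e argument for a given window class, so the numbers do not have to be copied by hand. The window list below is constructed (not captured from the post's machine) around the geometry the post arrived at for code.Code; the column order assumed for wmctrl -G -l -x is window id, desktop, x, y, width, height, WM_CLASS, client machine, title, and the function names are my own.

```shell
#!/bin/sh
# Added example: derive a "wmctrl -e" geometry from "wmctrl -G -l -x" output.

# geometry_for_class CLASS < window-list
# Prints "gravity,x,y,width,height" (gravity 0 keeps the current gravity) for the
# first window whose WM_CLASS column equals CLASS; exit status 1 if none matches.
geometry_for_class() {
    awk -v cls="$1" '
        $7 == cls { print "0," $3 "," $4 "," $5 "," $6; found = 1; exit }
        END       { exit found ? 0 : 1 }'
}

# restore_window_command CLASS < window-list
# Prints the wmctrl invocation that puts the window back where it is now.
restore_window_command() {
    _g=$(geometry_for_class "$1") || return 1
    printf 'wmctrl -x -r %s -e %s\n' "$1" "$_g"
}

# Constructed sample of "wmctrl -G -l -x" output (not a real capture):
SAMPLE_WINDOW_LIST='0x03a00007  0 0    0    1920 1200 gnome-shell.Gnome-shell  host Desktop
0x04000003  0 0    109  5276 1136 code.Code                host main.sh - Visual Studio Code
0x04600004  1 2400 300  1280 720  discord.discord          host Discord'

# Demo: prints "wmctrl -x -r code.Code -e 0,0,109,5276,1136".
printf '%s\n' "$SAMPLE_WINDOW_LIST" | restore_window_command code.Code
```

On a live session replace the sample with wmctrl -G -l -x | restore_window_command code.Code once the window sits where you want it, and keep the printed line as the one-liner script.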

There’s a weird issue with (snap) on that starts when using voice chat, causing really bad lag and short freezes (input, rendering, everything) that become worse over time. My journal filled up with looping messages from appindicator, the cause of this.

appindicatorsupport(at)rgcjonas.gmail.com[2514]: discord1, Impossible to lookup icon for 'discord1_12-panel'

Followed by a JS exception and trace:

JS ERROR: Exception in callback for signal: icon: Error: Argument 'filename' (type filename) may not be null

When I finally found the cause of this I went on looking for a solution and it seems like the unsung hero @3v1n0 fixed this long-standing bug about 8 days ago: https://github.com/ubuntu/gnome-shell-extension-appindicator/commit/745c66a73e0a15a870e92e5aa461e2e9e646b899

Here is a more coherent report on this: https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-appindicator/+bug/1849142

Fun thing is: I only have that indicator because Discord would eventually crash without trying to access this.

Now it’s patched and gone – back to 😁

Man, this is a 180° turn for me. When I started out with Linux, GPUs were usually troublemakers and I kinda got used to throwing moar power at them to solve the problem. Spent nights fiddling with Elsa Winner or 3dfx Voodoo or some ATI cards (ATI eventually became AMD). When laptops of mine could no longer be used because AMD simply dropped support for perfectly fine hardware, I swore never to buy from them again.

The background for finally ripping out the heart of my Linux PC is basically this issue: https://beko.famkos.net/2020/01/17/computer-fallen

NVRM: GPU 0000:01:00.0: GPU has fallen off the bus.

This is followed by a frozen X server rendering all HID interfaces dead until reboot. It happened once or twice a week. NVIDIA support had no idea, and while the card is still fine and up for any task I finally decided to get a more recent GPU, hoping that the problem goes away (and is not a mainboard issue).

So here I am in 2020 ripping out the heart of my Linux PC.

The decision to try AMD again after a decade was basically made because I read so much positive news on their open source drivers and general good support by Mesa nowadays. Since nothing about the old fglrx days is valid any more this is sort of a jump into cold water for me 🙂

I decided on the slightly older RX 5600 XT 14Gbps 6GB (THICC III Pro) edition by XFX that seems to be good for 1080p gaming, which is close to my main display resolution of 1920×1200. While I had never heard of XFX before I was hooked by NO RGB and that tiny vBIOS switch it has offering a backup BIOS. That’s a feature I like in my mainboards as well.

Speaking of which, I heard a lot of confusion about said vBIOSes on this series so I dug deeper into this topic. Thankfully a lot of the legwork was already done for me by André Almeida, who describes the process for a Linux PC on https://andrealmeid.com/post/2020-05-01-vbios2/ after a lot of research in part 1.

With the help of the mentioned tool amdvbflash I was able to drag the following vBios information out of the GPU:

AMDVBFLASH version 4.71, Copyright (c) 2020 Advanced Micro Devices, Inc.

    Product Name is :    NAVI10 A1/A2 D1990301 XLE 6GB 300e/875m 
    Device ID is    :    731F
    Bios Version    :    017.001.000.068.000000
    Bios P/N is     :    113-170WCNAVIXLE6
    Bios SSID       :    5710
    Bios SVID       :    1682
    Bios Date is    :    03/27/20 21:25 

The extracted rom of the active vBios (switch was set on position closer to power connector) has the sha1sum 9ce7ecc9625d7ff39b3b08c45916b6c2e3bf4a8c and is according to the flashing tool valid and signed. I understood it’s a bad idea to flash with an unsigned rom because the GPU will probably refuse to boot. I’d upload it to techpowerup that seems to collect such roms and allows hassle free downloading but their extract and upload tool seems to be for Windows PC only.

XFX has vBIOS ROMs for the 12Gbps variant on its website but currently none for this one, so it seems it is up to date already.

Installing it was a breeze. I upgraded to Fedora Workstation 32 before changing the GPU to make sure I get more recent drivers and that was it. System booted up just fine and the card worked out of the box. Unlike NVIDIA I didn’t need to download a specific driver first or add some further repository. There’s this nice tool CoreCtrl that shows me a power consumption of only 14W while the card is in idle with zero spinning fans. That’s right – no noise! When not in use this card consumes next to no resources which begs the question how I’m going to heat my man cave from now on 😀

CoreCtrl in action

This surprised me as well. All the cool bits are laid out for me to play with at /sys/class/drm/card1/device/. I mean I’m not much into over-clocking but it’s all there. This brings me to benchmarking the new GPU. I’m not some YTer so you’ll only get the Unigine Superposition benchmark with basically irrelevant OpenGL (I know of no nifty Vulkan benchmark like this yet) for Linux PC gaming.

The tool picked up the wrong model (it really is an RX 5600 XT)

That’s rad! My old Titan X has its stronger side in other features but managed only a total result of 3055 without over-clocking on this benchmark.

I’ve not much gaming experience with it yet. I just made sure that Valheim (beta) and X4 Foundations works fine with it. There seems to be some sound issue with Discord + Fullscreen that I found so far but I solved this by switching to windowed mode on the games seeing no difference in FPS.

The one notable issue I have compared with NVIDIA is that I have to set the environment variable DRI_PRIME=1 or games will pick up the integrated GPU of the i5-8600K. This is probably because I’ve a display connected to it as well so it’s active. Going to play with this a little until I get the idea. Will need some adapters first tho 😅

Update: Just as guessed. Once I had all my adapters in place the integrated GPU was not needed any more and does no longer show up. No need to use DRI_PRIME=1 for each 3D application any more.

“Releases for PC”. Oh we Linux gamers know this phrase well. So it seems that is taking another approach now instead of the usual “PC is not Windows”. Liam changed the wording on the news slightly:

Beyond a Steel Sky to release for Linux PC during July

https://www.gamingonlinux.com/2020/06/beyond-a-steel-sky-to-release-for-linux-pc-during-july

I like that approach and I shall also use “Linux PC” in the future. And not just for my .


While checking some very old backups of mine I stumbled over some really old HTML files. Turns out they are old websites of mine – including my very own that apparently went live on the 23rd June in 2000 on the free hoster FortuneCity.

Screenshot of the FortuneCity hosted first website of mine – sadly I didn’t bother to backup the images. Disk space was sacred.

For a quick recap: In 2000 WordPress didn’t exist yet, webspace and bandwidth were costly and a database was an extra you had to pay for. People wrote their websites in very unique styles and ways, and many were just starting out. SelfHTML was my browser “home” for months.

Back then I went with the nick DukeBernd, or Duke for short. It still shows in various domains and mail addresses of mine but was soon replaced by beko, that was not only shorter but also way less popular and also holds parts of my real name (and that was actually never a secret by the way).

While learning more and more about HTML I also started with Warhammer 40k tabletop and LARP. As a student I obviously had all the time in the world. The website changed a lot in appearance during the early days and yes, I had it all: animated gifs, blinking text, under construction signs and… browser requirements. Here are some more screenshots for [y]our amusement from 2000 to 2002:

Hosting also changed all the time. There was a brief episode with Crosswinds but the round trip was awful and the website was slow to the point that images stopped loading, so I was quite happy when my school started to offer some tiny amount of webspace that I used to offload most of my images, mostly drawings, as some sort of handicraft content distribution system. I also had various domains pointing to intro and landing pages. It was a huge mess, most are dead by now and I only kept the current .net domain.

This was also about the time when I came in contact with Linux, as you can guess from the next screenshot showing a design I was quite happy with and went with for years to come.

Website redesign in bash / terminal look (blinking cursor gif included)

While most of this is offline nowadays some of the LARP articles survived but I had no desire to migrate ~400 hand written HTML files (no frames) about Warhammer into a CMS some years later. My drawings are also best forgotten 😉

In 2004 I migrated to 1&1 hosting with a database. That was a goal for years and I could finally afford to pay for this. Soon I discovered this brand new content management system called WordPress and started learning PHP.

This changed everything, since the idea of dynamically assembled website code was totally new and alien to me. I dived into what is nowadays known as Full Stack Development and as usual my own website and various projects became the playground.

A lot has happened since the early beginnings. I finished formal education, ditched Windows, became that Linux Jack, started working on T3 vans, emigrated to Sweden [and back 🙁 ], visited places with my van, worked as driver, distributor and postman until I eventually went back into tech, settled down, married and forked/got two children. Who would have guessed.

I never stopped programming, gaming, tinkering, trying and gathering know-how.

And it’s all here, mostly. There are some holes thanks to social networks and forums that rose and vanished again, taking heaps of bits written with them.

I got takeouts of most of such silos before they vanished but sorting this and migrating it back into my own blog is quite a burden. Still I do so on occasion and on days like this I’m happy for the extra work. It’s the satisfaction of looking back on my own life, having it all in one place. Like a diary. It’s just not as private as a diary but it brings back the memories just the same.

This blog survived twenty years unlike e.g. Google+ and there is still the occasional visitor sent here by an old forum article or by search engine looking for some info or image. And I happily serve. Fixing dead links or wrong wording and re-uploading articles and images in better resolutions as I find them.

Blogging ain’t dead.

Things were going smoothly for a while. The pirates didn’t stop harassing my ships so I decided on drastic action. We sacked their station in the system.

The Scale Plate Pact station is no more

That sure put a damper on their actions in the sectors nearby. Surviving ships were hunted down, boarded and taken over. It was glorious. The fleet was unstoppable for a while and with each carefully picked battle it grew.

Gate duty helped to train the fleet further and a lot of sweet loot to improve and modify ships further could be collected.

The highlight was two Xenon K jumping into the sector to be annihilated by my fleet of two destroyers, plenty of small fighters and an auxiliary ship used as bullet sponge.

Battling Xenon K at the gates

This was when I decided to contact the Split while extending my mining business all over the galaxy big time. I started with a bad reputation towards Split – that’s kinda default for most races in the X4 universe – so I had a hard time to make them like me… somewhat. This was mostly achieved by destroying enemy ships near to their stations.

Meanwhile I bought several Magnetar mining ships to keep the needed raw materials flowing to my prospering stations. Everything was going nicely and I decided to claim the sector Heretics End.

While I was busy building my stations to do so, my new not-exactly-enemies decided to go to battle in freakin Argon Prime. Four Rattlesnake destroyers went basically unchallenged into the Argon heart and took out the Wharf. I didn’t want to interfere since I had just become not-exactly-enemies with the Split. From here it went downhill fast. Almost all of Argon Prime was wiped out, and I had bought most of my ships there. This! Hurt! Business!

I didn’t have much time to mourn though. While I was busy with my new stations in Heretics End I was ended by a very surprising Xenon attack myself. First two more K ships showed up that I barely managed to destroy, especially since most of my fleet was busy rescuing some Teladi trading station from another K.

While I was busy counting my losses _it_ showed up. The worst nightmare X4 has to offer: The Xenon Branch 9 Destroyer I entered the sector and all I had to offer were two half built stations, some Interceptors and my badly damaged Argon Behemoth destroyer.

Xenon Branch 9 Destroyer I

I tried to keep my distance while waiting for my fleet to arrive. This worked for a while but it was eventually going to destroy my station, so I tried to get into its blind spot. That was my last stand. Out of mines and turrets, low on interceptors and badly damaged, my destroyer went down with me on the bridge.

I accept this glorious defeat – for now 😀