tl;dr: Add PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin" to /etc/default/firehol when using backported version 3 of firehol on Ubuntu.

firehol – an easy to use but powerful iptables stateful firewall

man firehol

With this out of the way: When installing firehol on aging Xenial (Ubuntu 16.04) you want the backported packages by Andrey Galkin to get version 3 of firehol over version 2 in universe – especially when working with IPv6: https://launchpad.net/~andvgal

When you are done setting up your rules you may find after a reboot that the systemd job claims to have started firehol, yet your iptables are empty despite systemd reporting success and START_FIREHOL=YES being set in /etc/default/firehol:

● firehol.service - LSB: firehol firewall configuration
   Loaded: loaded (/etc/init.d/firehol; bad; vendor preset: enabled)
   Active: active (exited) since Fr 2020-11-27 15:43:51 CET; 2h 8min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 31555 ExecStop=/etc/init.d/firehol stop (code=exited, status=0/SUCCESS)
  Process: 31574 ExecStart=/etc/init.d/firehol start (code=exited, status=0/SUCCESS)

This is especially weird when you run the startup /sbin/firehol start command manually and it succeeds just fine.

I had to dig deep to find out where the script is in fact falling flat. This was mostly because the old init script /etc/init.d/firehol redirects the output of the start command to /dev/null, so the errors never show up anywhere:

do_start () {
        # return
        #  0 000 if firewall has been handled
        #  1 001 if firewall could not be activated
        #  4 100 if FireHOL is disabled via /etc/default/firehol
        [ "$START_FIREHOL" = "NO"  ] && return 4
        /sbin/firehol start "$@" > /dev/null 2>&1 || return 1

With that redirect out of the way and INIT_VERBOSE=yes set we do indeed get some useful output:

Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: dirname: command not found
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: cd: HOME not set
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 33: basename: command not found
Nov 27 17:59:38 firehol[27095]: /sbin/firehol: line 36: dirname: command not found
Nov 27 17:59:38 firehol[27095]: Cannot access /install.config
Nov 27 17:59:38 firehol[27095]:    ...fail!

This is basically yelling at us that PATH does not cover the directories holding the required commands: dirname and basename cannot be found, and since the dirname call then yields an empty string the script ends up looking for install.config at the root of the filesystem. Sadly this failure is neither caught nor logged without verbose output, and the /dev/null redirect hides it entirely.

At first glance I was going to blame systemd for isolating the script from environment variables, but that was too hasty: setting the variable explicitly changed nothing. To blame is the old set-up logic right at the top of the init script /etc/init.d/firehol, which pins PATH to /bin:/sbin and so leaves out /usr/bin, where dirname, basename and others are found:

PATH=/bin:/sbin
NAME=firehol
DESC="firewall"
SCRIPTNAME=/etc/init.d/$NAME

test -x /sbin/firehol || exit 0

[ -r /etc/default/firehol ] && set -a && . /etc/default/firehol

I compared the /sbin/firehol script of version 2 with version 3 and there is a subtle difference at the start in version 2 that is missing in version 3:

# EXTERNAL/SYSTEM COMMANDS MANAGEMENT
#
# ------------------------------------------------------------------------------
# XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# ------------------------------------------------------------------------------

export PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"

I’d argue that version 3 leaving this out is more correct, because setting up PATH is really the job of whatever runs the script, so SysVinit or systemd. Sadly that doesn’t help us here, and fiddling with a maintainer-provided file is a no-go because it will be overwritten on the next package update (if any). Luckily the init script /etc/init.d/firehol also sources /etc/default/firehol, and it does so after set -a, so every variable assigned there is exported to /sbin/firehol. This means we can set additional environment variables there. Since the init script runs as root, stick to the standard system directories as below and never append the current directory or anything user-writable to PATH in this file:

# FireHOL application default file
# sourced by the initscript `/etc/init.d/firehol'.

PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"

# To enable firehol at startup set START_FIREHOL=YES (init script variable)
START_FIREHOL=YES

After editing this file we finally get some more information, and our iptables fill up with rules again.

● firehol.service - LSB: firehol firewall configuration
   Loaded: loaded (/etc/init.d/firehol; bad; vendor preset: enabled)
  Drop-In: /etc/systemd/system/firehol.service.d
   Active: active (exited) since Fr 2020-11-27 18:17:41 CET; 1s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14337 ExecStop=/etc/init.d/firehol stop (code=exited, status=0/SUCCESS)
  Process: 14511 ExecStart=/etc/init.d/firehol start (code=exited, status=0/SUCCESS)

Nov 27 18:17:39 systemd[1]: Starting LSB: firehol firewall configuration...
Nov 27 18:17:39 firehol[14511]: Params
Nov 27 18:17:39 firehol[14511]: FireHOL: Saving active firewall to a temporary file...  OK
Nov 27 18:17:40 firehol[14511]: FireHOL: Processing file '//etc/firehol/firehol.conf'...  OK  (470 iptables rules)
Nov 27 18:17:41 firehol[14511]: FireHOL: Activating ipsets...  OK
Nov 27 18:17:41 firehol[14511]: FireHOL: Fast activating new firewall...  OK
Nov 27 18:17:41 firehol[14511]: FireHOL: Saving activated firewall to '//var/spool/firehol'...  OK
Nov 27 18:17:41 systemd[1]: Started LSB: firehol firewall configuration.
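To make the failure mode and the fix reproducible without a Xenial box, here is an added example that is neither part of firehol nor of the Ubuntu package. It looks up the two commands the journal reported as missing under a restricted PATH, then mimics the top of the init script (hard-coded PATH, then set -a plus sourcing the defaults file) with a constructed defaults file and shows which PATH a child process like /sbin/firehol actually inherits. iptables and ipset are left out of the check on purpose so it runs on any machine.

```sh
#!/bin/sh
# Added example, not part of firehol or the Ubuntu package: reproduce the
# PATH problem described above and check that the /etc/default/firehol fix
# really exports the extended PATH to the programs the init script starts.

# Commands the journal showed as "command not found". iptables and ipset are
# deliberately left out so the check also runs on a machine without them.
REQUIRED_CMDS="dirname basename"

# missing_cmds PATHVALUE
# Looks up every required command in an otherwise empty environment with only
# PATHVALUE set, which is how /sbin/firehol ends up running once the init
# script has replaced PATH. Prints the names that cannot be found, one per line.
missing_cmds() {
    for cmd in $REQUIRED_CMDS; do
        env -i PATH="$1" /bin/sh -c "command -v $cmd >/dev/null 2>&1" || echo "$cmd"
    done
}

# path_from_defaults DEFAULTS_FILE INITIAL_PATH
# Mimics the top of /etc/init.d/firehol: start from its hard-coded PATH, then
# `set -a && . DEFAULTS_FILE`, and print the PATH a child process inherits.
# Without set -a the assignment in the defaults file would stay a plain shell
# variable and /sbin/firehol would never see it.
path_from_defaults() {
    (
        PATH="$2"
        set -a && . "$1"
        /bin/sh -c 'printf "%s" "$PATH"'
    )
}

# Demonstration with a constructed defaults file that contains the fix.
demo() {
    defaults=$(mktemp)
    printf '%s\n' 'PATH="${PATH}:/bin:/usr/bin:/sbin:/usr/sbin"' 'START_FIREHOL=YES' > "$defaults"

    echo "missing with the init script's own PATH=/bin:/sbin:"
    missing_cmds /bin:/sbin   # dirname and basename on Xenial; nothing on merged-/usr systems

    fixed=$(path_from_defaults "$defaults" /bin:/sbin)
    echo "PATH after sourcing the defaults file: $fixed"
    echo "missing with that PATH:"
    missing_cmds "$fixed"     # nothing
    rm -f "$defaults"
}

demo
```

On a system where /bin is a symlink to /usr/bin the first check finds everything even with the restricted PATH, which is exactly why the bug only bites on older layouts like Xenial; the second check must come back empty everywhere.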

Personally I can’t wait for all init scripts to sink into oblivion, because debugging this sort of error is hard, a waste of time, and usually revolves around problems that were solved many times before, each solution falling flat in some corner case.

I seldom dabble in the corporate hell of Windows devices, but sometimes I have to “use” a laptop to access some VPN to do my magic, and I have no idea how anyone can work like this.

I’m talking about the full set here, starting with BitLocker, Cisco AnyConnect (yuk), virus protection and gods know what else.

Every time I start this I get to wait for 2-4 hours until all the updates are done, while I’m getting swamped with pop-ups from all kinds of pre-installed software, each in its individual fashion and style asking me to click, tap, accept, proceed or acknowledge something I’ve no idea about.

Speaking of which, I usually even have a hard time reading anything on this excuse of a display. For unknown reasons someone thought it a good idea to design a default theme with probably fifty shades of grey (I know about high contrast mode, but that makes it worse).

I am only a user on such a device, without any admin permissions. Why am I even bothered with all this? And while I wiggle my way through the pop-ups overlapping each other and stealing input focus again and again, trying to get anything done… Reboot required. Now. Reboot and… repeat! There are more updates we didn’t know about before!

In between, an occasional error pops up about something not being able to install something because of some error. The amount of information provided is killing me.

And it’s slow. So gorram slow. What is this thing doing with an i5 processor all the time? And why do I have to babysit it for updates at all?

Eventually I may be able to use the device, only to be prompted to change my password due to reasons. And bite me, every time I have to figure out what new password may be acceptable, because the prompt won’t show the password rules or anything.

At the end of the day I’m happy that I can use a system again that, as odd as it may seem, provides a much better user experience [to me]: A Fedora Workstation. It just works.

Today I scratched an itch I had with VS Code on Gnome. Every time I run it on my PC I have to drag the window around until it fills my three-display setup. It’s tricky because it’s a grown installation and the displays have different resolutions.

Gnome has smart borders that auto-size windows when you come close to a border. Usually that’s awesome, but in this case it’s not. wmctrl to the rescue!

Find out about current window position when satisfied: wmctrl -G -l -x

Use that information for a one liner script: wmctrl -x -r code.Code -e 0,0,109,5276,1136

This will do until I get a 4k display or learn how to auto-run this snippet on the launch of VS Code (like I do with Rising World to force semi-borderless fullscreen) 🤣
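The two commands above are a record-and-replay pair: the first prints the current geometry, the second applies it. The following added example, which is not part of the original post or of wmctrl, automates the copying step: it parses the column layout of wmctrl -G -l -x (id, desktop, x, y, width, height, WM_CLASS, host, title) and emits the matching -e argument, so the geometry never has to be typed by hand. The listing embedded in it is constructed for the example, including the hostname "workstation".

```sh
#!/bin/sh
# Added example, not part of the original post or of wmctrl: turn the output
# of `wmctrl -G -l -x` into the `-e` argument for a later `wmctrl -x -r`.
# The listing below is constructed for this example in the column layout
# wmctrl -G -l -x prints: id, desktop, x, y, width, height, WM_CLASS, host, title.
SAMPLE_LIST='0x03a00007  0 0    109  5276 1136 code.Code  workstation Visual Studio Code
0x02000003  0 1920 0    1920 1080 firefox.Firefox workstation Mozilla Firefox'

# geometry_for CLASS [LISTING]
# Prints "0,x,y,w,h" (gravity 0 plus the window's current geometry) for the
# first window whose WM_CLASS equals CLASS, or nothing if there is none.
# Without a LISTING argument it asks the running window manager via wmctrl.
geometry_for() {
    class="$1"
    listing="${2:-$(wmctrl -G -l -x)}"
    printf '%s\n' "$listing" |
        awk -v c="$class" '$7 == c { printf "0,%s,%s,%s,%s\n", $3, $4, $5, $6; exit }'
}

# restore_cmd CLASS GEOMETRY
# Prints the wmctrl invocation that puts the window back to GEOMETRY.
restore_cmd() {
    printf 'wmctrl -x -r %s -e %s\n' "$1" "$2"
}

# Usage: record the geometry once the window is where you want it, then
# replay the printed command (or run it with eval) after the next launch.
geom=$(geometry_for code.Code "$SAMPLE_LIST")
restore_cmd code.Code "$geom"
```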

This isn’t strictly based on sources. The goal was a church for a walled city centre of ~14th-century England. There’s a lot of free interpretation here, since I don’t know all the details and I’m somewhat limited by the engine, of course. I mean creating arches and getting the geometry right in Rising World is a pain in the neck. I’m still very happy with the outcome, especially considering that this is on a survival server.

This build will now go to another person to add the final details and textures.

Visited the theme park at Cleebronn 74389 / Germany. Since we made almost no trips this year we finally gave in for a day of entertainment and roller coasters before the season ended for the winter break.

It’s a very old theme park and I remember many of its attractions from my own childhood. It’s really weird (in a good way) how memories came up at almost every ride. Nowadays I also appreciate the timber-framed constructions – even the ones that are obviously fake but made to look like the real thing – or are in parts 😀 Some of the roots of this place go really far back.

Our preparations were warm clothes, a handcart full of replacement clothes, towels, food, water and candy. That worked well. The children had a lot of fun, could eat whenever they felt hungry and naturally fell asleep in the car on our journey back home. I was surprised that they really tried everything they were allowed to try (by age and size) including all the roller coasters. I felt sick after various rides but the children wouldn’t stop begging for more.

We had pre-purchased a slot for the family (the park has limited entry due to the corona virus), kept our distance from other people as well as others let us (*sigh) and kept our masks on most of the time – even outdoors. The only exceptions were quiet places when nobody else was around. A good effect of the policies was next to zero waiting times for the rides – but I bet the park managers would argue otherwise on this topic 😅

The uneasy feeling, especially with infections on the rise again, never left me though and came back in full force when the park closed in the evening and all people flocked to the exit gate. This was when we went in the opposite direction to visit a far less frequented public toilet one last time, before eventually leaving the park as some of the very last visitors.

…and I got a new sticker for the back of our Renault Zoe 😉

https://tripsdrill.de/en/

There’s a weird issue with Discord (snap) that starts when using voice chat, causing really bad lag and short freezes (input, rendering, everything) that became worse over time. My journal filled up with looping messages from appindicator that caused this.

appindicatorsupport@rgcjonas.gmail.com[2514]: discord1, Impossible to lookup icon for 'discord1_12-panel'

Followed by a JS exception and trace:

JS ERROR: Exception in callback for signal: icon: Error: Argument 'filename' (type filename) may not be null

When I finally found the cause of this I went on looking for a solution, and it seems like the unsung hero @3v1n0 fixed this long-standing bug like 8 days ago: https://github.com/ubuntu/gnome-shell-extension-appindicator/commit/745c66a73e0a15a870e92e5aa461e2e9e646b899

Here is a more coherent report on this: https://bugs.launchpad.net/ubuntu/+source/gnome-shell-extension-appindicator/+bug/1849142

Fun thing is: I only have that indicator because Discord would eventually crash without being able to access it.

Now it’s patched and gone – back to 😁

Man, this is a 180° turn for me. When I started out with Linux the GPUs were usually troublemakers, and I kinda got used to throwing moar power at it to solve the problem. Spent nights fiddling with Elsa Winner or 3Dfx Voodoo or some ATI cards (ATI eventually became part of AMD). When laptops of mine could no longer be used because AMD simply dropped support for perfectly fine hardware, I swore never to buy from them again.

The background for finally ripping out the heart of my Linux PC is basically this issue: https://beko.famkos.net/2020/01/17/computer-fallen

NVRM: GPU 0000:01:00.0: GPU has fallen off the bus.

This is followed by a frozen X server, rendering all HID interfaces dead until reboot. It happened once or twice a week. NVIDIA support has no idea, and while the card is still fine and up for any task, I finally decided to get a more recent GPU, hoping that the problem will be gone (and is not an issue with the mainboard).

So here I am in 2020 ripping out the heart of my Linux PC.

The decision to try AMD again after a decade was basically made because I read so much positive news about their open source drivers and the generally good support in Mesa nowadays. Since nothing about the old fglrx days is valid any more, this is sort of a jump into cold water for me 🙂

I decided on the slightly older RX 5600 XT 14Gbps 6GB (THICC III Pro) edition by XFX, which seems to be good for 1080p gaming; that is close to my main display resolution of 1920×1200. While I had never heard of XFX before, I was hooked by NO RGB and that tiny vBIOS switch it has, offering a backup BIOS. That’s a feature I like in my mainboards as well.

Speaking of which, I heard a lot of confusion about said vBIOSes on this series, so I dug deeper into the topic. Thankfully a lot of the legwork was already done for me by André Almeida, who describes the process for a Linux PC at https://andrealmeid.com/post/2020-05-01-vbios2/ after a lot of research in part 1.

With the help of the mentioned tool amdvbflash I was able to drag the following vBios information out of the GPU:

AMDVBFLASH version 4.71, Copyright (c) 2020 Advanced Micro Devices, Inc.

    Product Name is :    NAVI10 A1/A2 D1990301 XLE 6GB 300e/875m 
    Device ID is    :    731F
    Bios Version    :    017.001.000.068.000000
    Bios P/N is     :    113-170WCNAVIXLE6
    Bios SSID       :    5710
    Bios SVID       :    1682
    Bios Date is    :    03/27/20 21:25 

The extracted ROM of the active vBIOS (switch set to the position closer to the power connector) has the sha1sum 9ce7ecc9625d7ff39b3b08c45916b6c2e3bf4a8c and is, according to the flashing tool, valid and signed. I understood it’s a bad idea to flash an unsigned ROM because the GPU will probably refuse to boot. I’d upload it to TechPowerUp, which seems to collect such ROMs and allows hassle-free downloading, but their extract-and-upload tool seems to be for Windows PCs only.

XFX has vBIOS ROMs for the 12Gbps variant on its website but currently none for this one, so it seems it is up to date already.

Installing it was a breeze. I upgraded to Fedora Workstation 32 before changing the GPU to make sure I get more recent drivers and that was it. System booted up just fine and the card worked out of the box. Unlike NVIDIA I didn’t need to download a specific driver first or add some further repository. There’s this nice tool CoreCtrl that shows me a power consumption of only 14W while the card is in idle with zero spinning fans. That’s right – no noise! When not in use this card consumes next to no resources which begs the question how I’m going to heat my man cave from now on 😀

CoreCtrl in action

This surprised me as well. All the cool bits are laid out for me to play with under /sys/class/drm/card1/device/. I mean I’m not much into over-clocking, but it’s all there. This brings me to benchmarking the new GPU. I’m not some YouTuber, so you’ll only get the Unigine Superposition benchmark with basically irrelevant OpenGL (I know of no nifty Vulkan benchmark like this yet) for Linux PC gaming.

The tool picked up the wrong model (it really is an RX 5600 XT)

That’s rad! My old Titan X has its stronger side in other features, but managed only a total result of 3055 without over-clocking on this benchmark.

I’ve not much gaming experience with it yet. I just made sure that Valheim (beta) and X4 Foundations work fine with it. So far the only issue I found is some sound problem with Discord + fullscreen, but I solved this by switching the games to windowed mode, seeing no difference in FPS.

The one notable issue I have compared with NVIDIA is that I have to set the environment variable DRI_PRIME=1, or games will pick up the integrated GPU of the i5-8600K. This is probably because I have a display connected to it as well, so it’s active. Going to play with this a little until I get the idea. Will need some adapters first though 😅

Update: Just as guessed. Once I had all my adapters in place the integrated GPU was no longer needed and no longer shows up. No need to use DRI_PRIME=1 for each 3D application any more.

Sunday and way too hot. On top of that my children kept bugging me: “Boring, I want to do something!”. So what’s better than hiding in the cool basement and building something?

We had this construction kit for an insect hotel lying around for quite some time now, and this was the perfect day to assemble it.

The kit was short on pipe pieces, so in the end we drilled some ourselves to fill the hotel up properly. Such things are usually packed by weight, so this can happen.

I’m surprised how well that went. The kids didn’t get into a fight and even stuck around until the end. They even painted it together. That’s quite something for our little circus here.

Now we have to find a good spot in the garden for it.

It was way too warm today, so I hid in the basement for most of the day getting some stuff done. Mostly cleaning up. The place was a mess.

While doing so I cleaned all my swords, which were cluttered all over the place 🤓 Other gear was also in dire need of attention. My fencing vest was probably occupied by a cat for a long time and used as a nest. Tried it on after months and all the training pays off. It fits again – breathing included 🤺

Fitting in my fencing vest again – feels good

While clearing my workbench I found a cable drum waiting for a new plug. Later I found replacement plugs so I got that finally fixed too 😀

Good as new plug for the cable drum

I also found this little treasure of 19 FFP2 masks filled in 2009. Lucky me, eh? Feeling very rich now 😀

Box of old but good FFP2 masks

The kids were also around most of the time and had a lot of fun with various training tools. Don’t get it wrong, we’re not particularly athletic here. Stuff just piles up.

Busy day.

“Releases for PC”. Oh, we Linux gamers know this phrase well. So it seems that GamingOnLinux is taking another approach now, instead of the usual “PC is not Windows”. Liam changed the wording of the news slightly:

Beyond a Steel Sky to release for Linux PC during July

https://www.gamingonlinux.com/2020/06/beyond-a-steel-sky-to-release-for-linux-pc-during-july

I like that approach and I shall also use “Linux PC” in the future. And not just for my .