Dear Governor Kitzhaber,

Please take a stand against the ongoing deterioration of our constitutionally guaranteed Liberties. We need to defeat the Patriot Act, additional Executive War Powers and the Federal moves to undermine our rights. These rights are not negotiable. The greatest minds of history were heard from in the construction of our founding documents. They are great works of rational humanity. The voices of people honoring secular and sacred traditions were instrumental in the thought that preceded the documents themselves.

We need your voice to add significance in defense of our future. The TSA is growing out of control and has become an epidemic in our society. The ongoing mistreatment of innocent civilians at the airport coupled with expansive powers which erode our 10th, 6th, 5th, 1st and 4th amendments.

History predicts the precipice which we now stand upon. Men of great courage now will be remembered in the future, even if their popularity wanes at present. Please take a stand for the future of our country, for generations which are unseen at present. Please act with intelligence, passion and strength. Don't leave the care of our Constitutional rights to those bent on destruction, paranoia or tyranny.

Sincerely, Joshua Schmidlkofer

Dear ,

Please stand against the Patriot Act, let it expire. Please stand against granting new/additional or ongoing war powers to the Executive Branch of Government. Some of the foundations for our Bill of Rights are already being breached by the TSA. We are losing our liberty for nothing.

This is the future of our entire civilization. Please have the courage to stand against tyranny. Stop the Patriot Act. Stop the TSA. This is an embarrassment to all that we are. Please don't steal from the future of America by fearing the Liberty which so many have bled to ensure and protect.

Take sane and rational action. Please band together with other legislators in their efforts to uphold The Constitution of our Republic and hold the Office of President accountable for the sworn oath of office to uphold our core beliefs.

Sincerely, Joshua Schmidlkofer

Practical Troubleshooting

I love pfSense. So far it's superior to every Linux-based routing appliance. No product is perfect, but the 2.0 release is very promising. I have been troubleshooting tunnels which inexplicably do not work. I have been recieving the following error during phase1 connection:

racoon: ERROR: couldn't find configuration

This usually means a significant mismatch exists in phase1 negotiations. Despite my meticulous efforts the tunnels would not start. I watched the IPsec logs hopelessly, trying many different things. What finally worked was connecting to the console, killing racoon and starting it manually as follows:

racoon -d -v -F -f /var/etc/racoon.conf

By monitoring the output, I discovered during debugging that the packets were coming from the wrong source IP address. One of my sites has multiple WAN links, and racoon was using the wrong source address for IPsec negotiation. The phase1 arrival was clearly logged and rejected - because it didn't match any existing configuration.

Once complete, I was quickly able to determine what to do. However, if you don't have access to a host behind the pfSense firewall then you may have problems creating IPsec tunnels. I used this to force a packet:

My firewall's LAN address, which is part of the IPsec local subnet scope, is 192.168.0.1. The remote network is 10.1.1.0/24. I need to create a single packet from 192.168.0.1 to something in 10.1.1.x.

ping -S 192.168.0.1 -c 1 10.1.1.3

What could be better.

Feedback for improvement would begin with one admonition: Don't trust the log output of Racoon. I should have used TCP-dump on both ends, watching for packets setting up sessions.

[2.0-RC1][root@gateway.site-a.com]/root(1): tcpdump -ni re0 port 500
16:39:07.697695 IP 192.168.81.126.500 > 10.1.101.217.500: isakmp: phase 2/others I inf[E]
16:40:26.980944 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:36.982740 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:46.983927 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:40:56.985122 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg
16:41:06.986307 IP 10.1.101.217.500 > 192.168.81.126.500: isakmp: phase 1 I agg

Had I done this at both ends, I would have clearly seen that the wrong interface was emitting packets. Both ends. That was my mistake. I trusted logs at Site-A, and I never verified my problem at Site-B. Hours of painstaking troubleshooting for no good reason.

Work Around

My current imperfect workaround is to add the following line to each of my remote sites crontab:

cat crontab|grep newsys






root    /sbin/ping -S 192.168.0.1 -c 10.1.1.1

Obviously I turfed this above, I just thought I would share it with everyone. This has the net effect of a 60 second tunnel keep alive. May not be appropriate for some environments. Good luck.

The legal doctrine of Corporate Personhood is a dangerous one. If I "threaten" the "Corporate Person" of Microsoft, am I a criminal? Is this constitutionally protected free speech? I certainly hope so.

Microsoft, how I hate thee.
You make my life a misery.
I pine and toil with your crap.
Your products make a sorry pack
Of lies and shite, a shithouse shack.

You waste my life, I hate you.

Today I had to help a a poor unfortunate victim of Microsoft's success in pimping Windows. The task is so simple.

• Connect Remotely*
• Install Logmein*
• Reconnect w/ Logmein
• Complete the tedious process of migrating a domain profile to a local profile.*
• Test Profile
• Win

Seeds of Hate

I use the great 'RDP'. The Mac client has several problems which make issues.

First, the client doesn't seem to work via the normal SBS Remote Windows Workplace gateway. That shit requires Internet Explorer. USELESS CRAP.

Second, once I login, if I use Command-Tab to flip to another app, when I return to Remote Desktop, I will have an odd variety of key-states which means that any key I hit is likely to be "Windows+key". So, upon returning I have to tap my various meta-keys to be sure they're ok. e.g. "Alt, Tab, Shift, Control, Command/Windows". USELESS CRAP.

After all this, I am using an administrative connection to a server in order to use the "mstsc" client to connect to a system - because, of course, I am using a Mac. So, now everything is SLOWER and manifestly more complex. The new problem is that this increases the rate at which the meta keys eff up. USELESS CRAP.

Finally, what am I greeted with? A System upon which I have never remotely connected with my workstation administrator login. Connect, authenticate, new profile, the requisite wait, etc. Once logged in, I start I.E. Now a stunning list of retarded-ass questions. I.DON'T.EFFING.CARE!!! Chome makes this easy. Start Chrome, Pick a Search Engine, DONE. Internet Exploiter has to get all up in your shit. I take the 'Ask me later' box, but it turns out that my poor unfortunate user has installed Bing. That's not a problem, but in order to avoid more pointless questions , I tell it "no" or "cancel" or I can't remember what. Now the stupid shit which is the BingBar begins a 5 minutes uninstallation. Five minutes, (it seems like). Just to use the gorram browser. FIVE MINUTES. What is wrong with you a**holes who make Microsoft Products? I hate this, I can't stand it. USELESS CRAP.

I finally arrive at a state in which I am pissed enough that I must vent somewhere. I open Chome (Mac), login to my blog and begin to type. Just as I am getting to this line, the stupid screen goes black and I need to re-authenticate to unlock my screen. This is a gigantic circle-jerk, because NOW, the Caps-lock state has flipped. What's CAPS on my Mac is NOT CAPS on Windows, and vice-versa. We're stuck in this twilight frontier where everything has changed, and it doesn't seem to warn me. USELESS CRAP.

Everything has become progressively slower now. Maybe it's the net. Maybe that "bingbar", who knows? All I do know is that every Microsoft Logo, or a Microsoft term I see, makes me want to spit.

Up to this point, I have simply been trying to login. Once I succeed I need to migrate a profile. While I think that the corporate person is equally liable for the third-world sewage field that is the profile-management on Windows, I can't fault them for this. This is the pain I have been experiencing my entire career.

Alas, though, the problem of no simple tools for migrating a domain profile to local-machine profile in Windows 7. Why do I even bother?

Conclusion

This all comes to a head when I run into an unfortunate person who tells me; "Well, it keeps you employed, right?". It's exactly this point that creates the hardship for me. That statement is functionally equivalent with the idea that littering creates jobs. In fact, it's just about as sound of reasoning as an argument that "child abusers help create jobs for Child Protective Services", or that we're benefitted by the criminally insane or the severely mentally handicapped because of the jobs they create. (Note: This could seem insensitive. I don't want to besmirch the mentally handicapped persons. They have a dignity and right to life which every person has. I simply wanted to point out, that when a drug company makes a drug which turns normal babies into them, we shouldn't celebrate. I consider this to be on-topic because I am speaking of MIcrosoft.)

I am not such a useless waste of space that I need people to make a mess of things on purpose just so I can come and fail to put them in perfect order. I personally don't think anyone is worthy of the demeaning role which that requires. There may be people who put so little effort into their life that this is simply the best they ever learn to expect, but I think that is part of the horror of this cycle.

In the past five years of this blog, I have stopped using it as a vitriolic dumping groud. Some days, some sinus infections and some weeks of pressure leave me unable to let go of my anger without trying to communicate it.

If you're a business person, and you must use computers, please use Linux. Apple hates your freedom, and Microsoft hates your intelligence. Sony just hates you personally, because when you're an asshole as big as they are, everywhere you look you only see yourself.

Plea

If you're a compelling song writer, please contact me. I would desperately love to develop my peudo-limerick into a song. Let's sing it, go viral, and spread the hate, in a very persuasive and personal fashion. Let's make a top-40 hit, even though I shudder at Pop. I want this song on every lip from here to Zimbabwe.

I have gig networking, lots of disks, etc, etc. I need speed Oh, and this improved my internet speeds as well.

# Controls the use of TCP syncookies
net.ipv4.tcp_syncookies = 1

# don't cache ssthresh from previous connection
net.ipv4.tcp_no_metrics_save = 1
# recommended to increase this for 10G NICS
net.core.netdev_max_backlog = 30000

# increase TCP max buffer size setable using setsockopt()
# 16 MB with a few parallel streams is recommended for most 10G paths
# 32 MB might be needed for some very long end-to-end 10G or 40G paths
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216

# increase Linux autotuning TCP buffer limits
# min, default, and max number of bytes to use
net.ipv4.tcp_mem = 129940 129940 33554432
net.ipv4.tcp_rmem = 28800 129940 16777216
net.ipv4.tcp_wmem = 28800 129940 16777216

net.ipv4.tcp_congestion_control=cubic
net.ipv4.tcp_mtu_probing=1
net.ipv4.tcp_base_mss=1460

No one knows if this is good or not, but I think it's rad.

/usr/bin/TuneTCP -- run this as root.

#!/bin/bash

sysctl -w net.local.stream.sendspace=163840
sysctl -w net.local.stream.recvspace=163840
sysctl -w net.inet.tcp.sendspace=131072
sysctl -w net.inet.tcp.recvspace=358400
sysctl -w net.local.dgram.recvspace=4096

sysctl -w net.inet.tcp.slowstart_flightsize=89
sysctl -w net.inet.tcp.local_slowstart_flightsize=10
sysctl -w net.inet.tcp.mssdflt=1460
sysctl -w net.inet.tcp.delayed_ack=3

#sysctl -w  net.inet.tcp.delayed_ack=0
sysctl -w net.inet.tcp.delayed_ack=3

In which Joshua attempts the heavy burden of selecting a NAS platform for use with legacy hardware in support of our VMware ESXi Clusters, Extreme Switches, and Plethora of VLANs.