Friday, December 02, 2011

I wouldn't be at all surprised to find out I'm the only person in the world running a Counter-Strike Source server on systemd, although I'd be happy to find out that's not the case. Since it was quite painful for me to find useful info on the subject, I figured I'd write up a bit here.

Installing on Linux
First off, Valve's installer won't work if you don't have uncompress on your system. On Fedora, you can make sure with:
yum -y install ncompress

Next, you need to get and run Valve's installer. If you want to keep this stuff in a particular directory, go there, then run:
wget http://storefront.steampowered.com/download/hldsupdatetool.bin
chmod +x hldsupdatetool.bin
./hldsupdatetool.bin
./steam

You will have to type "yes" to the agreement to do the install. Running ./steam should update the platform to the latest version. Next, run this, which could take a while, to actually install the game server:
./steam -command update -game "Counter-Strike Source" -dir .

After tinkering around, I found that the following command worked well to start the server:
./css/srcds_run -game cstrike -ip 0.0.0.0 -port 27016 -maxplayers 32 -autoupdate +map de_dust

srcds_run is a wrapper that will try to run the right architecture-optimized binary for your system. -ip 0.0.0.0 makes the game listen on all available network interfaces - you probably only really care that it's running on whatever address your system uses to go out to the internet, but the server had trouble figuring out which one to use, and this probably won't hurt you. -port 27016 is really optional, but it seems kind of the norm for CS:S servers, at least if you also have a 1.6 server running on 27015, the default. -maxplayers is obvious. -autoupdate will automatically move to any newer versions of the server. +map is different from the other options because it is actually a command that gets run immediately on the server console, not a normal cli option, but you might as well set it here for the sake of automation. FYI, if you have netfilter/iptables running, you could add the following line to /etc/sysconfig/iptables to open up the firewall:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 27016 -j ACCEPT
then run:
service iptables restart

I also had an issue with selinux stopping srcds from binding to the socket (listening on the network). While I'm sure the "right" thing to do would be to specifically exempt srcds or even write a policy module for it, I took the easy way out and dropped selinux into Permissive mode. You can do this at runtime by running setenforce 0, and in a persistent way by setting the following in /etc/sysconfig/selinux:
SELINUX=permissive

Now, try running the application, and it should work fine. Yay!

Using systemd
Okay, so first off, I had previously done this with a System V init script, and although it was easier to find examples online regarding how to do that, in the end I'm much happier with my systemd implementation. After searching fruitlessly for help (there's lots of help on running systemctl commands, but not on building unit files), I ended up just using a couple of examples, along with man pages. I started looking at httpd's (apache) unit file, and it turns out it's a little overly-complicated, since httpd understands running as a daemon, so its unit file has Start, Reload and Stop logic. For a simple, non-daemonized application like srcds, I wanted a wrapper that would start it, run it in the background, and just kill it when I send it a stop command. Still, httpd wasn't a bad place to start, and as far as man pages go, systemctl(1)'s SEE ALSO section pointed me to systemd.unit(5), which led me to systemd.service(5) and systemd.exec(5), which were all very helpful as far as understanding directives in the unit file. In the end, here's what I came up with, placed in /lib/systemd/system/cstrike-source.service:

[Unit]
Description=Counter-Strike Source Server
After=syslog.target network.target mysqld.target

[Service]
PIDFile=/var/run/cstrike-source.pid
User=steam
Group=steam
ExecStart=/home/steam/css/srcds_run -game cstrike -ip 0.0.0.0 -port 27016 -maxplayers 32 -autoupdate +map de_dust
KillMode=control-group

[Install]
WantedBy=multi-user.target

The description is arbitrary text, while the "after" section ensures these other services will get started before srcds is run. mysqld was important to me because I use the psychostats (http://www.psychostats.com/) plugin for srcds/sourcemod, with live stats population and in-game stats lookup, which uses mysql as a backend. The PIDFile will be used to track application state. Running as the unprivileged steam user rather than root limits what a compromised game server process can touch. The ExecStart directive gives the actual command to run. Using httpd's unit as an example, I think one could use an EnvironmentFile to configure the command line to run, but I'm keeping everything in this file. KillMode is important, since setting it to "process" would only kill the command systemd ran directly, while the server process under it could just stay running. WantedBy tells systemd what "target" (in SysV land, this is roughly similar to runlevel) to attach this service to. Once this file is created, you can run the following:
chmod +x /lib/systemd/system/cstrike-source.service
systemctl --system daemon-reload
systemctl enable cstrike-source.service
systemctl start cstrike-source.service
systemctl status cstrike-source.service

daemon-reload ensures systemd reads the latest saved version of the unit file. enable turns this service on for starting at boot time. start runs it right now. status tells you it started. At this point, stuff that would've normally printed to your terminal had you run the command yourself will be going to /var/log/messages (assuming a default syslog or syslog-ng configuration). But how will you actually issue commands? One solution is to set an rcon_password in cstrike/cfg/server.cfg, then just run commands over rcon from the game. You could also set up an administration system like mani (http://www.mani-admin-plugin.com/joomla/index.php) or sourcemod (http://www.sourcemod.net/) - in fact, I recommend doing so. However, you can also get rcon access without having a game client running.

Python RCON
A search revealed several libraries and cli tools out there for RCON access, but I ended up going with SourceLib (https://github.com/frostschutz/SourceLib), mostly because I like Python. So far, it works great, and I've made a little command line wrapper around it. Someday I might add command line history, or even autocompletion, but this works for now. :)

#!/usr/bin/env python
import argparse
from SourceLib.SourceRcon import SourceRcon


def main():
    parser = argparse.ArgumentParser(
        description='Simple RCON client implemented in Python, based on SourceLib')
    parser.add_argument('--password', '-p', required=True,
                        help='password for server')
    parser.add_argument('--host', '-H', required=True,
                        help='hostname/ip address of server')
    parser.add_argument('--port', '-P', default=27015, type=int,
                        help='listening port of server - Default=%(default)s')
    parser.add_argument('--timeout', '-t', default=1.0, type=float, metavar='SECONDS',
                        help='timeout to connect to RCON server - default=%(default)s')
    args = parser.parse_args()
    conn = SourceRcon(host=args.host, port=args.port, password=args.password,
                      timeout=args.timeout)

    # Read commands until 'exit'; 'quit' is forwarded to the server (and stops
    # srcds itself), so confirm it first.
    while True:
        content = raw_input('>> ')
        if content == 'exit':
            exit(0)
        elif content in ['quit']:
            choice = raw_input('"quit" will stop the server. "exit" will stop this program. Really quit? (y/N)')
            if choice not in ['y', 'Y']:
                continue
        response = conn.rcon(content)
        print response


if __name__ == "__main__":
    main()

Save it, chmod +x it, and run it with --help to get an idea how to use it. Once it's running, you can issue RCON commands, set CVARs, etcetera, to your server. Yay!
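For anyone curious what SourceLib is doing on the wire, here is the Source RCON packet format and the login/command exchange run end to end. This is an added example, not SourceLib's code or anything from the original post; FakeServer, its "hunter2" password and its replies are constructed stand-ins for srcds, and both sides run in-process with no socket.

```python
#!/usr/bin/env python3
"""Source RCON wire format, end to end (added example, not SourceLib's code).
Each packet is: int32 LE size, int32 LE request id, int32 LE type, ASCII body,
then two NUL bytes (body terminator plus an empty trailing string).
FakeServer is a constructed stand-in for srcds, not real server behaviour."""
import struct

SERVERDATA_AUTH = 3            # client -> server: password
SERVERDATA_EXECCOMMAND = 2     # client -> server: console command
SERVERDATA_AUTH_RESPONSE = 2   # server -> client: id echoed back, or -1 if rejected
SERVERDATA_RESPONSE_VALUE = 0  # server -> client: command output


def encode(req_id, ptype, body):
    """Serialize one RCON packet; the size field excludes itself."""
    payload = struct.pack("<ii", req_id, ptype) + body.encode("ascii") + b"\x00\x00"
    return struct.pack("<i", len(payload)) + payload


def decode(buf):
    """Parse the packet at the front of buf; return (req_id, ptype, body, rest)."""
    if len(buf) < 4:
        raise ValueError("truncated size field")
    (size,) = struct.unpack_from("<i", buf, 0)
    if size < 10 or len(buf) < 4 + size:          # id + type + two NULs is the minimum
        raise ValueError("bad or truncated packet")
    req_id, ptype = struct.unpack_from("<ii", buf, 4)
    end = 4 + size
    if buf[end - 2:end] != b"\x00\x00":
        raise ValueError("missing terminators")
    return req_id, ptype, buf[12:end - 2].decode("ascii", "replace"), buf[end:]


class FakeServer:
    """Constructed stand-in for the srcds RCON listener (not real srcds code)."""

    def __init__(self, password):
        self.password = password
        self.authed = False

    def handle(self, packet):
        req_id, ptype, body, _ = decode(packet)
        if ptype == SERVERDATA_AUTH:
            self.authed = body == self.password
            # A real server sends an empty RESPONSE_VALUE, then an AUTH_RESPONSE
            # whose id matches the request on success and is -1 on failure.
            return (encode(req_id, SERVERDATA_RESPONSE_VALUE, "") +
                    encode(req_id if self.authed else -1, SERVERDATA_AUTH_RESPONSE, ""))
        if not self.authed:
            return encode(req_id, SERVERDATA_RESPONSE_VALUE, "not authenticated")  # constructed
        if body.startswith("echo "):
            return encode(req_id, SERVERDATA_RESPONSE_VALUE, body[5:])
        return encode(req_id, SERVERDATA_RESPONSE_VALUE, "Unknown command: " + body)


class Client:
    """Client side: increments the request id and checks that replies echo it."""

    def __init__(self, server):
        self.server = server
        self.next_id = 0

    def _request(self, ptype, body):
        self.next_id += 1
        return self.next_id, self.server.handle(encode(self.next_id, ptype, body))

    def login(self, password):
        req_id, buf = self._request(SERVERDATA_AUTH, password)
        while buf:
            rid, ptype, _, buf = decode(buf)
            if ptype == SERVERDATA_AUTH_RESPONSE:
                return rid == req_id     # -1 (or any mismatch) means rejected
        raise ValueError("no auth response")

    def command(self, cmd):
        req_id, buf = self._request(SERVERDATA_EXECCOMMAND, cmd)
        rid, ptype, body, _ = decode(buf)
        if rid != req_id or ptype != SERVERDATA_RESPONSE_VALUE:
            raise ValueError("unexpected reply")
        return body


if __name__ == "__main__":
    client = Client(FakeServer("hunter2"))   # constructed password
    print("login ok:", client.login("hunter2"))
    print(client.command("echo hello"))
```

The request id check in Client.command is the only thing tying a reply to its command, which is why real clients keep a counter rather than reusing one id.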

Monday, September 20, 2010

For Goodness' Sake...
somebody make it stop! This morning I had a conversation with some good friends about predictions related to the biblical End Times. I'm extremely skeptical about any person or group claiming anything definite about the details of the End Times. Now, don't get me wrong; I 100% believe that the prophecies in Revelation about the end of the world will be completely fulfilled, but when people start claiming they know who the AntiChrist is, or that they know a specific date for Jesus' second coming, or that the EU is the ten-nation coalition (http://www.heisnear.com/newsEUrevivedRomanEmpire.html) prophesied in Revelation 17 (the EU is up to 27 members now [http://europa.eu/about-eu/member-countries/index_en.htm], for those of you keeping track), I call shenanigans. Sure, somebody will probably predict who the AntiChrist is before he comes fully into power, but they'll be right by coincidence, and they'll probably have gotten it wrong a few times before. Apparently neither Hitler (http://revelation13.net/Hitler.html) nor Saddam Hussein (http://www.bible-codes.org/letters-Saddam-antichrist-type-figure-only.htm) was the AntiChrist, and they both seemed so promising! I know those links only say that these guys were forerunners of the capital-letter AntiChrist, but before their deaths many people claimed that these men, in turn, were the AntiChrist.

Coincidentally, on the heels of this conversation, this afternoon I got a Facebook message from a friend in regards to one of my favorite End Times topics: the mark of the beast. Here's the video, which was linked from http://www.facebook.com/l.php?u=http%253A%252F%252Fwww.nowtheendbegins.com%252Fpages%252Fmark_of_the_beast%252FmarkOF_theBEAST.htm&h=c1355&ref=nf:

Guys like this really frustrate me, so here I will attempt to lay out for you all the reasons I think the guy in the video is either a heretical false prophet, a moron, or both.

1. Terrible presentation. We Christians need better propagandists, so we can make awesome, persuasive videos like this one:
But seriously, if you have skills to make a persuasive media presentation, go work on something important, like stopping abortion, or feeding orphans and widows. Make videos that remind people there's a life beyond this one, and that we need Jesus' salvation to ensure our eternal happiness. Don't help this guy make his videos prettier, please.

2. It's linked from a website that pushes the King James version of the Bible. (http://www.nowtheendbegins.com/pages/KJV/king-james-1611-bible.htm). Now, I have friends who prefer the KJV to other versions, and I can understand that, although I believe it is not only not the best translation, I believe it has many flaws that alternatives like the NASB or ESV don't. But as soon as somebody starts positing that the KJV is the only trustworthy translation, I stop taking them seriously. Someday I'll have to write a whole post about this.

3. Enough with the ad hominem, and on to some real arguments. I don't believe this kind of bologna because it's just the next iteration in a long series of guesses. Everything from Social Security numbers (http://www.greaterthings.com/Conspiracy/SSN_SocialSecurityNumber_666/) to credit cards to barcodes (http://www.greaterthings.com/Books/Vision/Appendices/Ap-J_MarkofBeast.htm) to going to church on Sunday (Seventh-Day Adventism, although you won't easily find it on their website) has been accused of being the Mark of the Beast that seals you as God's enemy. Could RFID be the mechanism that is used to implement the prophesied Mark? Certainly. Could it actually be some other technology? Yes. Could it actually have nothing to do with technology, and instead be a literal physical mark? Yes. Could it be purely symbolic, and refer to the World System, perhaps something like owning stocks or having a car loan, just as easily as it could refer to RFID? Yes. Is any of this more than mere speculation? No.

4. Jesus' second coming is neither more nor less imminent today than it was 2,000 years ago. Yes, we have wars and rumors of wars. Yes, we sometimes mistakenly believe we may see peace in the Middle East during our lifetime, and 1948 was a major historic milestone. Yes, technology is making things that once seemed like wild, magical predictions seem tangible. But the Christians in the first century, who had a much better chance than we of understanding exactly what John was talking about, expected Jesus to return during their lifetime. Now, I'm not like the scoffer in 2 Peter 3. I believe Jesus will come a second time, and it could happen before I can click the Publish button, or it could happen years, even hundreds or thousands of years, from now.

5. People won't be tricked into getting the Mark. It's a blatant rejection of God in favor of the world system as run by the Beast. You'll know when they try to give it to you.

6. RFID is a bad candidate anyway. Ease of fraud is, in my opinion, the best reason not to ever attach it to any service with money on the other end. Lack of range is a great reason why it would be a terrible way to track people. I believe that, if you understand the technology, you have to understand why it can't be the Mark. Obviously everybody can't be an expert at everything, but this guy definitely shouldn't be telling people what to believe about RFID.

In summary, RFID is not the Mark of the Beast, and while we should be vigilant, trying to nail down prophetic specifics beyond what the Bible says is probably not the most effective way to apply Scripture to our lives.

For those of you who are interested in some of the really cool possible implementations of the exciting technology that is RFID, check out these news stories:

Monday, September 14, 2009

Obama's Wrong About the Financial Crisis

Of course anybody who listens to news radio or follows any real news source's RSS feed has probably already heard Obama's warning to Wall Street. As I heard it on the radio and read through it on the BBC's site, a few things he said really concerned me. Now, obviously something has to change, but I believe the right change would be to get rid of or start to move away from the Fed. Since the New Deal turned out to be a raw deal, I think we should give capitalism another spin.

'He called on Wall Street to support "the most ambitious overhaul of the financial system since the Great Depression".' This is scary to those of us who believe that the New Deal prolonged rather than alleviated the Great Depression.

"Instead of learning the lessons of Lehman and the crisis from which we are still recovering, they are choosing to ignore them. They do so not just at their own peril, but at our nation's." First of all, I do think it is a bad idea to talk about "they" without naming names. It sucks credibility out of your statements. Secondly, I think it's dangerous to say that bankers are putting our nation in peril. This sounds like a prelude to martial law. It also sounds awfully socialist to blame rich people for ruining our nation. The Nazis did it, the Communists did it, and now Obama's doing it. This is especially interesting to me since it's coming on the heels of Brazil's president, whose country is about to borrow billions of dollars from the US to fund offshore drilling development (link), blaming everything on the rich (link).

'He told Wall Street that it could not resume taking risks without regard for consequences and said they should not expect US taxpayers to bail them out again.' This is wrong on so many levels! To start with, the whole investment system is built from risks and rewards. Wall Street should continue to take risks. Wall Street should eat the consequences when they fail. I whined and complained about the Bush bailout, as did many conservatives, because I believed it would foster an environment of irresponsibility. I opposed the Obama bailout for the same reason. This is like a parent telling their child they really mean it this time. What an enabler! How dare he criticize the irresponsibility he's helped create.

The article also talks about the new powers Obama wants to give to the federal reserve bank, to be able to seize private banks whose collapse might hurt the economy. Wow. Wow. Just Wow.

'Mr Obama said that his recovery was bearing fruit and had "prevented layoffs of tens of thousands of teachers, police officers and other essential public servants".' I guess the government sticks by government employees. Seriously. There's a lot to be said for the old spendulus package joke.

All in all, I just feel like the president, and in fact most politicians, even most media pundits, are on a very different page than I am, perhaps even in a different book. I feel that even most Republican politicians have a fundamentally different value set than I do. It seems to me as though both the D's and the R's are just trying to use big government to advance their agenda, whereas my agenda is to limit government. Third party, are we there yet?

Thursday, September 03, 2009

Not in Kansas Anymore...Wait!

So, tonight after teaching I was planning on checking out this great little seafood place I'd heard about, but since downtown Kansas City has absolutely no free parking, and no meters either - you got it, just those $1/20 minutes places - I decided to go to Chili's instead. First I took in District 9, so I was already a bit giddy when I walked into the restaurant, but nothing compares with the shell shock I received as the couple down the counter lit up. Yes, they were smoking in the restaurant.

Now, I know we Californians are snobs, but I have to say, smoke really does affect the way your food tastes. And even though I'm a libertarian capitalist, I have to admit that, were the law banning smoking in restaurants and bars in California repealed, I'd have to continue enforcing it with my wallet. In any case, I survived, I'm okay, but next time I might move to the other side of the glass. Ridiculous.

In more exciting news, my baby girl finally has a tooth, or so I'm told! I can't wait to see it tomorrow night.

That is all,
Andrew

These Death Panels

As I listen to the national debate on healthcare, I'm completely amazed by some of the lies propagated, not only by the administration, but also by the media. For an example from the president himself, read this: http://www.politifact.com/truth-o-meter/statements/2009/aug/12/barack-obama/obama-has-praised-single-payer-plans-past/. And, of course, the mainstream media didn't fact-check, somebody else had to find the video for them. But it gets even worse!

In the break room at a teaching site in Phoenix, Arizona, I watched the anchors on MSNBC completely flame the right, asking if people would put up with these scare tactics, talking about "death panels" and the like. The response from both the administration AND the media has been, "What death panels?" "What are you talking about?" But I knew the truth: I have been talking with friends and family about this issue since before "death panel" became a popular term. Why? Because I read about it, in mid-July, on the New York Times website. Read it: http://www.nytimes.com/2009/07/19/magazine/19healthcare-t.html?_r=1&pagewanted=5.

Now, this guy, Peter Singer, is Australian, but he is also professor of bioethics at Princeton, and he's writing here in the Times. It becomes fairly obvious from a brief scan of his wikipedia page that he's very liberal, and we all know the Times is, too. In any case, my answer to the liberal administration and media's question, "What death panels?" is, "These death panels - the ones you say are going to be necessary, and such a good idea."

So, the lesson for today: when liberals say they've never supported something, and would never even consider it, double-check your facts. There's more than a snowball's chance they didn't feel that way a couple years, even a couple months ago, before they realized how much the general public hates their best ideas. And it's always so much more fun to nail them with their own websites.

That is all,
Andrew

Wednesday, August 19, 2009

Dansguardian, Tinyproxy (or squid) and IPTables transparent proxy with multiple users on Fedora Linux.

Update: Fedora now has dansguardian in the updates repository, so there's no longer any need for special download instructions.

I've been working on this system for quite a while now, and drastically improved it as my own understanding of the parts involved has come along. I intend to update this post as I improve the system even more, and I'm certainly open to suggestions from others. The basic sequence of events by the time we're done will be this:
  • Use firewall (iptables) to grab outbound tcp port 80 (http) traffic, except that belonging to tinyproxy, and redirect it (DNAT) to dansguardian.
  • Use firewall (iptables) to grab the packets again, and rewrite the source address (SNAT) based on the user from whom the packets originated.
  • Dansguardian applies content filtering based on who is looking, and logs everybody.
  • Tinyproxy performs the proxying, going out and fetching the actual pages.
I will try to make this as easy as possible for people not already familiar with 'nix, but at the same time some of this information, or at least the way this is put together, will be new to veterans as well. I have been running this system on Fedora, so my instructions are Fedora-specific, but you can probably do most of it on Ubuntu if you just replace my "yum install" commands with "apt-get install", and other Linux systems should be similar as well. If you are a total newbie, probably the biggest hurdles will be editing text files and switching to root access. To gain root access on your system, open a terminal and run "su -", then provide the root password, which you should have specified at install time. If I remember correctly, in Ubuntu you can just run commands preceded by "sudo" to achieve the same result. Of course sudo is available in any system, but in Fedora it requires configuration. To edit a text file, you really should install vi (yum install vim in Fedora) and run vimtutor to get familiar with vi-improved, but in the meantime you can run gedit /path/to/file, which will open the file in the gnu graphical text editor, very similar to notepad or textedit.

I run this system for some friends who have a couple of kids and a young adult living with them. There is just one computer, a desktop, in the house, and it's running Fedora because I can fix that a lot more easily than Windows. Their router/dsl modem hybrid can't run dd-wrt (http://www.dd-wrt.com/dd-wrtv3/index.php), so I'm stuck configuring all of this on the end-user box. I implemented tinyproxy because squid was thrashing the 1.1 GHz processor and 512M of RAM on the system, but they still needed to allow the adult living with them broader access to the web, so I had to figure out a solution. Here it is.

Install Dansguardian
First let's get the basic system up and running. Install Dansguardian: yum -y install dansguardian. The main configuration file for dg is /etc/dansguardian/dansguardian.conf, but we shouldn't need to change anything there yet. By default it's just listening on localhost (which is fine for a transparent proxy), on port 8080. I do recommend editing bannedextensionlist and bannedmimetypelist under /etc/dansguardian/lists/, as the default configuration won't allow much. Any sites you want to explicitly allow for everyone can be added on separate lines in /etc/dansguardian/lists/exceptionsitelist, while bannedsitelist acts as an explicit deny list for everyone. An entry of "facebook.com" would allow anything under facebook.com, including "apps.facebook.com". chkconfig dansguardian on sets it to automatically start during boot, and /etc/init.d/dansguardian start gets it up and running right now.

Install Tinyproxy (or squid)
Well, first I suppose I should explain why I'm mainly focusing on tinyproxy, but I actually use squid on my own laptop. Dansguardian does require a proxy, and either one will do the trick. Squid actually has a lot more features than tinyproxy (wow, wasn't that hard to figure out), like caching (whoo-hoo performance boost) and at least three types of user authentication not (yet) supported by tinyproxy. Check out http://www.squid-cache.org/ and https://www.banu.com/tinyproxy/ for more info. So, why bother with tinyproxy at all? Well, it's a lot more lightweight, so if you aren't going to experience heavy usage, and don't care so much about caching, it can be a lot nicer to your hardware.

Squid actually wouldn't really require any configuration for basic usage other than simply yum -y install squid, service squid start and chkconfig squid on, although it is VERY configurable in /etc/squid/squid.conf. Since this file contains a heck of a lot of comments and empty lines, I like to run:
sed -e '/^#/d' -e '/^$/d' /etc/squid/squid.conf

to view just the actual non-default configuration. In a default install on RHEL 5.1, this cuts the line count from 4,325 to 35. By default, squid listens only on the loopback interface, using port 3128. This is the default port on which dansguardian will look for it, so this works out nicely.

Tinyproxy can be installed with yum -y install tinyproxy, and turned on with service tinyproxy start and chkconfig tinyproxy on. Since tinyproxy listens on port 8888 by default rather than 3128, you either need to change the port specification in /etc/tinyproxy/tinyproxy.conf to 3128 or the proxy port in /etc/dansguardian/dansguardian.conf to 8888. I changed tinyproxy to 3128. Tinyproxy just listens on the loopback by default, which is fine for now. service tinyproxy restart will apply any changes to the config file, or service dansguardian restart if that's what you changed.

At this point, we should be able to put redirects in place, and dansguardian should work with just one set of configuration (i.e. treating everyone the same).

Redirect Traffic
iptables is just a user interface to load firewall rules into kernel-space memory for use by the netfilter kernel module. Check out http://netfilter.org/ for more information about these tools. For our purposes, we need to catch and redirect all outbound tcp port 80 (http) traffic to our dansguardian server, except for packets belonging to our proxy server, which we want to let through. Although it'd be weird for this not to already be in place, we'll want to ensure that all loopback traffic is allowed, but we may want to also block all traffic on port 3128, except packets belonging to dansguardian, and all traffic on port 8080 that's not destined for dansguardian, to prevent script kiddies from bypassing the filter. If you're a business, you are probably already blocking most ports anyway.

To make sure our loopback stuff will be accepted, run:
iptables -t filter -I INPUT -i lo -j ACCEPT
To redirect our outbound tcp port 80, run:
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080

To exempt squid from this redirect, run:
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner squid -j ACCEPT
To exempt tinyproxy, run:
iptables -t nat -I OUTPUT -p tcp -m tcp --dport 80 -m owner --uid-owner nobody -j ACCEPT
To block outbound port 3128, run:
iptables -t filter -I OUTPUT -p tcp -m tcp --dport 3128 -j REJECT
To allow dansguardian past this, run:
iptables -t filter -I OUTPUT -p tcp -m tcp --dport 3128 -m owner --uid-owner nobody -j ACCEPT
To block our outbound port 8080, run:
iptables -t filter -I OUTPUT -p tcp -m tcp --dport 8080 -j REJECT
But to allow dansguardian-destined traffic, run:
iptables -t filter -I OUTPUT -p tcp -m tcp --dport 8080 -d 127.0.0.1 -j ACCEPT
Finally, to save our firewall rules, run:
service iptables save

If you want to act as a gateway, and apply filtering to other systems that route through this one, first add the following line to /etc/sysctl.conf:
net.ipv4.ip_forward = 1
then, run:
sysctl -p
iptables -t nat -I PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 127.0.0.1:8080
iptables -t filter -I FORWARD -j ACCEPT
iptables -t filter -I FORWARD -p tcp -m tcp --dport 8080 -j REJECT
iptables -t filter -I FORWARD -p tcp -m tcp --dport 3128 -j REJECT
service iptables save

All your traffic should now be running through dansguardian! To test this, I recommend using the text-based browser links, which can be installed with yum install links. Try this:
links http://www.google.com
replacing the url appropriately to test. service iptables save writes the file /etc/sysconfig/iptables, which you can edit manually to add/remove/change rules and their order. After editing the file, run service iptables restart to apply the changes. If you want to see a log of packets that match a particular rule, add a duplicate line above the rule, and change everything after "-j" (the target) to "LOG", apply the changes, and run tail -f /var/log/messages.

Enable IP-based Auth
This one was a real kicker for me...If you are using squid, you have plenty of options for determining who's who, and filtering content based on that. However, since tinyproxy doesn't (yet) support authentication, I had to figure out a different method. The documentation I could find suggested either IDENT, with which I was and am unfamiliar, or IP-based Authentication. Obviously IP-based authentication is easy if all you're trying to do is detect from which computer a request came, but I needed it to distinguish between users on a system. I fooled around with IDENT for a while unsuccessfully before trying to think of a way to use IP-based Authentication.

I tried writing firewall rules to redirect traffic to 127.0.0.2, .3, etc. instead of 127.0.0.1...and dansguardian listened to it, but didn't distinguish...I was about to create a bunch of aliases for eth0 when I remembered dg isn't looking for the IP address of entry into the system, it's looking for the source IP address...enter SNAT! I'd used MASQUERADE before, but never SNAT, so this was a good learning experience for me. Essentially, I added several of the following rules, one for each user, replacing "username" with the user's actual account name, and "X" with a different number for each user. You could support up to 253 separate users this way, I think, although if you used addresses outside of 127.0.0.0/24, which you could, you could support close to 4 billion users:

iptables -t nat -I POSTROUTING -p tcp -m tcp --dport 8080 -m owner --uid-owner username -j SNAT --to 127.0.0.X

Of course once you're done adding your rules, you'll want to service iptables save. Now, nothing has really changed yet from dg's perspective, but we needed this framework in place before we can identify separate users with dg and tp.

Now, we'll set it up in dansguardian. Edit /etc/dansguardian/dansguardian.conf, and uncomment (remove the preceding # from) the line that says "authplugin = '/etc/dansguardian/authplugins/ip.conf'", as well as the one that says "filtergroupslist = '/etc/dansguardian/lists/filtergroupslist'", and change the value of "filtergroups =" to the number of different filtering groups you intend to support. Now edit /etc/dansguardian/lists/filtergroupslist. Follow the instructions of the comments in the file, and pair an IP address to a filtergroup. I ended up using lines like this, with comments to remind me which user is associated with that address, for when I change it sometime:
127.0.0.2 = filter2 #bob

Now, you need to copy the file /etc/dansguardian/dansguardianf1.conf for each of the filter groups you want to use. So, if you set "filtergroups = 5", you could run:
for i in 2 3 4 5; do cp /etc/dansguardian/dansguardianf1.conf /etc/dansguardian/dansguardianf$i.conf; done
Now you can configure each group separately. Some guides that I've read recommend setting group one's "groupmode = 0", which will completely disable access for the group. Since this is the catchall group, anyone not explicitly recognized and placed in another group would be banned. For all groups, you should set "groupname =" to something appropriate and informative. This is especially useful if you want to enable access logging by group, rather than just by user. Well, before I say anything else...now that we have the framework in place, I'll let you look at a site that's much more thorough on the topic of group filtering than I could be: http://contentfilter.futuragts.com/wiki/doku.php?id=filter_groups_configurations

Of course, once all your changes are in place, you'll want to run service dansguardian restart. The nice thing about SNAT is that, until you actually implement IP-based auth in dg, it won't really change anything functionally.
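The SNAT rules and the filtergroupslist entries have to agree with each other, or a user silently lands in the wrong group. Here is an added example script (mine, not from the original post) that generates both from a single user-to-address mapping and refuses a mapping in which two users share an address, an address is off the loopback net, or 127.0.0.1 is handed to a user. The usernames, addresses and group names in it are constructed; it assumes port 8080 is the proxy port the rule above uses, and spells the post's --to as --to-source.

```shell
#!/bin/sh
# Added example (not from the original post): build the per-user SNAT rules
# and the matching dansguardian filtergroupslist lines from one mapping, and
# refuse a mapping that would make two users look alike to dansguardian.
# Assumptions: the proxy that dansguardian's ip.conf auth plugin sees is on
# port 8080 (the port in the post's rule); the users, addresses and groups
# below are constructed, not real.

PROXY_PORT=8080

# Constructed mapping, one "username address filtergroup" triple per line.
USER_MAP='alice 127.0.0.2 filter2
bob 127.0.0.3 filter3
carol 127.0.0.4 filter4'

# The post's rule for one user, with --to spelled out as --to-source and
# -A instead of -I so the rules land in the order of the mapping.
snat_rule() {
    printf 'iptables -t nat -A POSTROUTING -p tcp -m tcp --dport %s -m owner --uid-owner %s -j SNAT --to-source %s\n' \
        "$PROXY_PORT" "$1" "$2"
}

# One filtergroupslist line in the post's format: "address = group #user".
group_line() {
    printf '%s = %s #%s\n' "$2" "$3" "$1"
}

# Sanity-check a mapping. The ip auth plugin identifies a user purely by the
# source address it sees, so every address must be unique, must be on the
# loopback net (the SNAT rule rewrites local traffic only), and must not be
# 127.0.0.1, which is what every un-mapped local process will appear as.
validate_map() {
    _addrs=$(printf '%s\n' "$1" | awk 'NF == 3 { print $2 }')
    for _a in $_addrs; do
        case "$_a" in
            127.0.0.1)
                echo "error: 127.0.0.1 is the address of unmapped users; pick another" >&2
                return 1 ;;
            127.*.*.*) ;;
            *)
                echo "error: $_a is not on the loopback net 127.0.0.0/8" >&2
                return 1 ;;
        esac
    done
    _dup=$(printf '%s\n' "$_addrs" | sort | uniq -d)
    if [ -n "$_dup" ]; then
        echo "error: address reused, users would be indistinguishable: $_dup" >&2
        return 1
    fi
    return 0
}

# Print the iptables rules, then the filtergroupslist lines, for a mapping.
emit_config() {
    validate_map "$1" || return 1
    echo "# iptables rules (run these, then: service iptables save)"
    printf '%s\n' "$1" | while read -r _user _addr _group; do
        snat_rule "$_user" "$_addr"
    done
    echo
    echo "# lines for /etc/dansguardian/lists/filtergroupslist"
    printf '%s\n' "$1" | while read -r _user _addr _group; do
        group_line "$_user" "$_addr" "$_group"
    done
}

emit_config "$USER_MAP"
```

The point of the checks is that, with the ip auth plugin, the owner match in the SNAT rule is the real authentication step: dg believes whatever source address it sees. Any local process whose uid has no rule still reaches dg from 127.0.0.1 and falls into group one, which is why the catchall group's groupmode deserves some thought. The whole of 127.0.0.0/8 is bound to lo on Linux, so no interface aliases are needed for the extra addresses.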

Squid Log Analysis
Coming Soon...

Tinyproxy Log Analysis
Coming Soon...

Dansguardian Log Analysis
Coming Soon...

Installing Webmin and dg-webmin

Coming Soon...

Tuesday, August 18, 2009

AR-15's at Arizona Healthcare Rally
Update: http://www.abc15.com/content/news/phoenixmetro/central/story/Man-protests-President-Obamas-Phoenix-speech-with/q4OeoN6qZU-efcy1Zoq7xQ.cspx Here is a link to the story on the local station, where it becomes clear the colored man was, indeed, protesting against healthcare and, despite what I can only assume is a typographical error in the story, FOR his right to keep and bear arms.

Embedded video from CNN Video
Wow. Obviously this one's gonna be a touchy issue. And of course anyone can see the dangers in allowing guns to be brought to presidential speeches, and anyone concerned about civil liberty and the loss thereof can see the dangers in disallowing it. I know I'm just a tinfoil hat-wearing conservative, but here are my thoughts that I think most people won't pick up on.

1. Notice how there is very little discussion regarding what's actually happening, and in fact the reporter is confounded when asked anything but superficial questions. In fact, most of the discussion here is just commentary and speculation, not news.

2. I love how the anchorman was flabbergasted that this could be happening to the Obama! It sounds like he's thinking, "well, with Bush I could understand...but people are supposed to like Obama!"

3. Notice how he's quick to speculate that maybe the colored person in the video is carrying his AR-15 in support of Obama. What are the odds of that? God forbid that anyone but those racist white Christian males should criticize the great Obama.

I was amazed last week when I noticed the training facility at which I was teaching had FOX News playing in the lobby, but MSNBC playing in the break room...I guess they were trying to please all sides. I knew both of those sources were hideously biased one way or the other, but I was still trying to convince myself that CNN at least tries not to take sides. Guess it's nothing but the Guardian, the BBC, slashdot and the Onion for me from here on out.

Monday, August 17, 2009

Evolution!!!!

So, on August 10th I shared a link on Facebook, and commented about it...here: http://www.facebook.com/posted.php?id=1534917542&share_id=111962853649&comments=1&ref=ss

Anyhow, if you read the comments, you'll see where my brother-in-law started a conversation with me about it. I decided to actually view some of the stuff he posted, as he is a pretty sharp guy (sorry, but I would probably have just ignored anything most people put there). Because I actually respect him, and because I really was due to stick my nose in this stuff again, I decided to try to write up a response. But it'll actually take a few responses, since he provided such a wealth of material to start with. Pascal, if you ever read this, I want you to know that what I'm writing here is not directed at you, but at the material you shared. Furthermore, I should add the disclaimer that I get a little intense sometimes when I debate, and it's not out of any ill will toward anyone. I respect you very much, or else I wouldn't be writing this.

So, here's our list of stuff to process over the next however many days:

Six videos in this playlist: http://www.youtube.com/watch?v=KLNoRlxjvJI&feature=PlayList&p=7C90EE51FA96E8CE&index=0

This list of 45 articles (of course we probably won't do all of them): http://home.nctv.com/jackjan/item13.htm

The video series is intended to display, based on six well-accepted criteria, that evolution is scientific. Well, here goes with the first of those six videos "Observational data":

Unfortunately I couldn’t find any links to sources in the video or on the dvd site, so I’m limited to what I could find in a short time.

Right at the outset, the creator of the video (henceforth, for the sake of irony, "the creator"), shows off a website from "Creation Ministries International" (or CMI), which he claims is the new front of Answers In Genesis (AIG, but not to be confused with the guys the US government just handed our grandkids' paychecks). The actual website in question is http://creation.com. Wait a second! Upon investigation, CMI has absolutely NOTHING to do with AIG. Compare with http://www.answersingenesis.org. Sure, they seem to have the same goals, but their staff is different, CMI has NO references to AIG, and AIG’s website is completely different. Granted, this has absolutely nothing to do with the actual content of our discussion, and anyone who knows their stuff will quickly call me on the carpet for use of ad hominem, but I sure hope the creator did better research regarding science than he did regarding the ownership of the site. Furthermore, he pronounced “extant” incorrectly – but then again most presidents (including BHO) mispronounce words liberally. Oh, and you will notice that many of my links are to AIG’s site, not CMI’s, as AIG is one of, if not the, most trusted resource(s) in the young earth community.

Now, the creator attempts to discredit the article's claim (http://creation.com/is-evolution-scientific) regarding Richard Dawkins' statement, "Evolution has been observed. It's just that it hasn't been observed while it's happening." Well, regardless of what you may or may not have intimated from his book, that is what the man said. Read it in context here: http://www.pbs.org/now/transcript/transcript349_full.html#dawkins.

Next, the creator accuses CMI of setting up a straw man in the article by saying, "Ask the average person what evolution means and you’ll get the same idea. Often they will describe it like ‘We came from monkeys’..." However, the creator is the one really setting up the straw man here. If you read the article, that paragraph is preceded by this: "According to a text evolution published by Pergamon, evolution is: ‘ … the theory that all the living forms in the world have arisen from a single source which itself came from an inorganic form.’" The creator is trying to imply that the article doesn't really understand what evolution is, whereas, in fact, the quote he uses is used in the article only to accentuate the quotation from a text book. And, in fact, throughout the video his definition of evolution seems to revolve around speciation from one original organism to the diversity of life we see today. Again, this has nothing to do with the validity of evolution, but it really gives me pause about the creator.

Another straw man shows up during the discussion of "micro" versus "macro" evolution. Creationists do see the evolutionary model as a tree, not a ladder. This is nothing but petty squabbling over semantics. Our contention is that what we call “macroevolution”, the divergence of one species into two, is not observable in nature. When has a species diverged to the point that a completely new, sustainable branch exists? The ONLY reason the divergence of two species is said to take so much time is BECAUSE it's never been observed.

The creator of the video engages in a serious misrepresentation of the young earth creationist’s position. Even a casual perusal of AIG material should reveal that young earth creationists believe in a somewhat different system of classification than the current model, which has its basis in evolutionary theory. I suppose that, if you think about it, both sides are begging the question by using a classification system that depends on their own theory. The creationists are at least honest about it, however.

Of course the “kind” system of classification has its roots in the Bible, as does the idea that the cosmos is constantly expanding. In fact, I'd say that the whole modern scientific situation is described very well in 1 Timothy 3: "always learning yet never coming to the knowledge of the truth".

Fruit Flies…Mutations are not beneficial, and do not result in any new speciation – something we might hope to see in an animal with such a short lifecycle. Here are a few articles from AIG that talk about fruit flies. Fruit flies have been part of the debate for a LONG time, so it shouldn't take much googling (sorry for using that as a verb) to find mucho plenny articles on all sides of the issue.

Here: http://www.answersingenesis.org/articles/cm/v20/n2/genetics

Here: http://www.answersingenesis.org/tj/v14/i2/junk_dna.asp

Here: http://www.answersingenesis.org/articles/tj/v17/n2/admissions

New species of iguana: Did we observe it make the jump from one species to a new one? If not, are we simply filtering the data through preconceptions, adding it into its supposed location on the tree?

Here: http://www.cbc.ca/technology/story/2009/01/05/pink-iguana.html?ref=rss

Here: http://www.answersingenesis.org/articles/2009/01/10/news-to-note-01102009

Here: http://news.bbc.co.uk/2/hi/science/nature/7811875.stm

I don’t see how this is any more significant to evolution than the existence of Chihuahuas and great danes. That said, the bit about the lizard supposedly diverging prior to the existence of the Galapagos islands is pretty funny to me, although they do have a possible explanation. In my mind this is an example of scientists making needless assumptions about other areas of science (geological history) to accommodate evolution. Sure, Creationists do it too, but at least we admit it.

Greenback lizard

Here: http://www.answersingenesis.org/articles/aid/v3/n1/life-designed-to-adapt

Here: http://www.sciencedaily.com/releases/2008/04/080417112433.htm

Here: http://www.bio.umass.edu/biology/irschick/Irs_papers/Herrel%20et%20al%202008%20PNAS.pdf

I wish I had access to the original document, but it sounds as though even the authors who suspect genetic change admit that there may be other explanations, such as “phenotypic plasticity and maternal effects”, which do sound like a highly plausible option. Now, I know these guys are probably smarter than me, but it is highly suspect in my view that they suspect a genetic basis for the change, even while using the fact that the lizards are genetically indistinguishable to prove that the lizards are both Podarcis sicula. As the AIG article points out, however, “only mitochondrial DNA was sequenced”. Unless there’s new research I wasn’t able to find, this is another example of the creator of the video not finishing his homework.

Change in color of fish is micro, not macro. Cichlids in Lake Victoria.

Here: http://www.answersingenesis.org/articles/2008/10/11/news-to-note-10112008

Here: http://www.physorg.com/news142615133.html

It really does seem like this is just variation within a species…especially since the enviroNazis are worried that pollution will cause the fish to start interbreeding again, and since the cessation of interbreeding was only due to the segregation. Also, I would love to know for sure whether the divergent fish had more or less genetic density than their predecessors…I would guess less, but that sort of guessing is why I’d make a bad scientist.

In conclusion for this one, I want to point out a couple of things about my position:

1. I am a young earth creationist. This means that I believe God created everything, and that He created it all pretty much at the same time. Specifically, I do NOT believe that He used Darwinian, Neo-Darwinian or even Post-Neo-Darwinian evolutionary diversification of species as part of His creative process.

2. I understand that there are Christians who believe the Bible is true, but believe the creation narrative is not to be taken literally, thus allowing for a belief in evolution. This just shows a lack of literary prowess. Read it...it's meant to be literal, although, in all honesty, if you could prove to me, beyond all doubt, that young earth creationism is wrong, I'd have to admit I was wrong about this one.

3. I don't think people are stupid for believing in evolution. I think they're wrong, but I can definitely see how they could believe it. I also don't think atheists are stupid, just wrong. I do, however, think that people (like Richard Dawkins) who make those of us who do believe in God out to be stupid are being very intellectually dishonest. And seriously, if you've ever listened to Dawkins for longer than a couple of minutes...let's just say I'd rather listen to Obama.