I received my FritzBox 7170 today, as a present from XS4ALL for renewing my ADSL subscription for another year (cheap deal — I would have done that anyway). And it totally blows away my Thompson Speedtouch!

As regular readers of this blog may remember, the Speedtouch doesn’t properly support the “exposed host” feature, whereby all incoming traffic on any port is redirected to a single machine on the internal network, in combination with Voice Over IP. I eventually came up with a really crappy workaround for that, but it never really worked nicely. Also, I never quite managed to explain to the Speedtouch that when a machine on the internal network tried to access 82.95.250.5, it should be sent to the internal address of my server, rather than get stuck in a loop trying to forward traffic to itself.

Well, the FritzBox didn’t have either of these problems. Port forwarding was just a few mouse-clicks away, and configuring VOIP in combination with that was trivially easy. Despite the fact that the router seems to have much more options than my Speedtouch (in ‘Expert mode’, at least), it is much easier to configure thanks to the well-organized menu structure.

So now I have it setup exactly the way I want it: all external traffic gets forwarder to my Linux server at 10.0.0.1, VOIP is handled by the FritzBox (I can even connect my ISDN modem to it!) and when a machine on the WLAN wants to access mwolf.net, it gets sent to 10.0.0.1 as it should. I couldn’t be happier.

Except.. There is one setting in the menu which worries me a bit. On the “Provider Services” tab of the “Network” menu, there is an option called “Permit automatic updates” which apparently allows my service provider to change the device’s settings without having to ask my permission. This setting is enabled and the checkbox is greyed-out so that I cannot disable it:

Suspicious checkbox

Needless to say, I don’t really like the idea of anybody being able to mess around with the gateway to my local network without my consent. Now, I do generally trust XS4ALL, which has a reputation to uphold when it comes to respecting its users’ digital autonomy and privacy, so I assume that there’s an innocent reason for the fact that this checkbox cannot be easily unchecked by the user. I have already mailed AVM, the makers of the FritzBox, about this, and I plan to contact XS4ALL tomorrow. Let’s see what they say about it.

UPDATE: false alarm, fortunately! Turns out it’s just a bit of a misleading user interface. The “permit automatic updates” option is dependent on the “allow automatic configuration” option above it. So when the latter is disabled, the former becomes greyed-out because it is no longer applicable. However, the software remembers what it was set to, resulting in a checkbox which incorrectly suggests that it is still enabled. If it makes you feel better, you can temporarily re-enable the “allow automatic configuration” option, then uncheck the “permit automatic updates” box and then disable automatic configuration again.

In a little over a month, I will be

years old.

What’s that, you didn’t get it? Here, I’ll repeat it for you in terms you may understand more easily:

At work, it has become a bit of a tradition that when people announce their birthday, they do so in an at least somewhat obfuscated format. Hexadecimal, binary and more obscure number formats are always popular, of course, as are silly descriptions of the form “my age is the ninth distinct biprime“. But last year I decided to take it to the next level, and write a little generator in Ruby for expressions such as the ones you see above. As you can probably guess, the expressions are generated using TeX.

You can play with it for yourself, if you want to, and also download the latest version of the code. But please be gentle with my server, as you can probably guess it’s a rather heavy application and I’m running this site on a little home PC..

Now, if it had been the other way around, the explanation would have been obvious: a missing ‘search intra.local‘ entry in /etc/resolv.conf. But being able to resolve short names but not long ones, that was a new problem for me. I used nslookup to verify that the local name server was responding correctly to both forms, and it was. But any other application, from ping to Mozilla Firefox, failed to resolve the long form.

A colleague put me on the path to the solution, however. In the zeroconf protocol, which is implemented in Linux as Avahi and on the Mac as Bonjour, the .local domain is magic and is considered a reserved name. Hence, when Avahi is running, any address resolution queries for a machine name ending in .local, are intercepted and the DNS server never gets to see them (nslookup bypasses the usual resolver API, however).

This is apparently a known issue, but it was new and quite surprising to me. I didn’t bother to investigate who is at fault here: did the zeroconf people blatantly highjack a perfectly valid namespace, or has .local always been reserved and everybody but me knew about it? Anyway, it’s fair to assume that zeroconf is here to stay now, so network administrators take note: better call your local domain something else.

Once you know what it is, the solution is easy. In my case I wasn’t interested in the functionality offered by Avahi, so I just uninstalled it (sudo apt-get remove avahi-daemon). Alternatively, here is a receipt for disabling the special treatment of .local, but keeping the rest of the daemon running.

As you can see, the ADSL router and anything connected to it through the WiFi is considered untrusted: the real access point to my internal network is the Linux machine.

Among other things, the Speedtouch has the ability to support Voice-Over-IP by attaching an analog phone. Unfortunately, this functionality does not work in combination with the “assign public IP to a machine on the local network” setting. Which is a pity, because behind the router is my Linux server, running a web- and mailserver among other things, and I really want that server to have my public IP address. Partly because having the server NATted could cause problems with mail, in particular, in the sense that when I send out mail to another server, some suspicious spamblocker software may take offense if the address reported in the headers of my outgoing mail does not match my actual IP. But mostly because having a web/mail/FTP/whatever server hidden behind a NAT, just feels wrong.

So, I have two conflicting desires here: I want to use VOIP over a phone connected to the Speedtouch, and I want my server to believe that it is listening directly on my public IP. A little googling confirms that a lot of other people have this same problem, but if anybody has found a solution already, I didn’t see it.

There does exist a way to expose the server to the outside world without breaking VOIP: use the “game and application sharing” feature to forward all TCP and UDP ports except port 5060 (which is the SIP port used by the VOIP service) to the server. But then we are using NAT again, which is not what we want. What I want is: port 5060 is handled by the Speedtouch, all other packets are sent straight to my Linux server, which should receive them on the public IP address of my Internet account. Unfortunately, it seems that there isn’t any way to configure the Speedtouch like that.

How I eventually solved this problem is by adding an iptables rule on my server, which uses DNAT to translate the source address of each packet back into my public IP before the server sees it.

Like this:

• A packet comes in from the outside world on my public IP address (82.95.250.5).
• The router sees it, and if the packet is not aimed at the VOIP port (5060), sends it on to my server, which has a local IP of 10.0.0.1 (assigned to it by the router through DHCP).
• An iptables rule on my server intercepts the packet and changes the source address back to 82.95.250.5. This way, all services running on my server can pretend that they are connected directly to the Net, without any special configuration needed.
• As my server sends a response to the packet, the destination address is changed back to the router’s address (10.0.0.138).
• The router performs a second layer of NAT, translating the destination address of the response packet back into 82.95.250.5 again, before sending it along to its final destination.

So every packet exchanged between my server and the rest of the world, is NATted twice: once by the router, once by the server. Not a particularly elegant solution, but it will have to do until somebody comes along with a better way to bend the Speedtouch to his will (or until I buy a better ADSL router).

Here’s the magic iptables statement:

iptables -A PREROUTING -t nat -i $EXTERNAL -d $FAKEPUBLICIP -j DNAT –to-destination $PUBLICIP

In my case, $EXTERNAL would be eth1 and $FAKEPUBLICIP is 10.0.0.1.

As I said, it’s not a particularly elegant solution. One annoying consequence is the fact that if you try to browse to mwolf.net from the WiFi network, you’ll get an error because the router will get confused about where to send packets for 82.95.250.5. This could be solved with a bit of DNS magic.

But maybe somebody has already found a nice, clean way to configure the Thomson router to do what I want, and I just missed it. Any ideas would be appreciated.

(Bias alert: my friend Dirk-Jan works for Nokia in Finland as a project manager on the N810, so that made me a little more interested in this gadget than I would otherwise have been.)

With a 4.1″ screen, the N810 is a little bigger than your average PDA or smartphone. From the negative side, that means it’s just too large to comfortably fit in my pants pockets (especially since it still requires a separate phone to make UMTS calls — the device does not have built-in UMTS capability) while not being large or powerful enough to be a laptop replacement. From the positive side, it’s a lot more pleasant to do webbrowsing or e-mail on than a regular PDA (after all, not so long ago many people would have considered an 800-pixels-wide screen perfectly adequate for a laptop or even a desktop) while still fitting easily in a pocket of my jacket. My Sony Vaio SZ is pretty lightweight for a laptop with a full-sized keyboard, but I expect to leave it home more and more often now that I have the N810.

Apart from the size, it’s a really cool-looking toy: sleek, with good “fit and finish” and no more bumps and frillies on the outside than necessary. And of course there’s the slide-out keyboard, the lack of which was what made me decide to pass on the N800. In several reviews, I had read some complaints that it takes a while to get used to the keyboard, because there’s no space between the keys so it’s easy to unintentionally hit multiple keys at once. However, I didn’t have much trouble with that. The trick, in true Zen style, is not to worry about hitting multiple keys: just hit the one you’re aiming for right-on, without consciously avoiding the eight keys around it, and the keyboard will usually register only the one in the middle. On the other hand, if you try to awkwardly avoid hitting multiple keys by touching them with the edge of a finger or with a fingernail, typing will be slow and frustrating.

But of course, the real reason why I went for this device instead of the hundreds of other PDAs on the market, is that it runs Linux — Maemo to be precise. By default, you get a shell, a bunch of standard Unix tools (from Busybox), Perl, and a minimalist version of vi, in addition to the stuff you would normally expect on a device like this, such as a webbrowser, e-mail client and media player. Needless to say, there is already a sizeable community around Maemo, which has ported all kinds of Linux software such as the SSH client and server, Vim, Python, Ruby, MPlayer, lots of games including LXDoom, rdesktop and many others. Except for a couple of toy scripts in Perl and Python, I haven’t tried building any software myself yet; from what I understand, Maemo has its own GUI framework so porting an X11 app may require some code changes, but porting a simple command-line tool should be a matter of just doing a cross-compile to the ARM platform, in many cases.

What’s a bit disappointing is the lack of tooling to synchronize e-mail and calendar entries with Outlook/Exchange. I guess when you specifically go out of your way to get a Linux-based device rather than the much more common Windows Mobile based ones, you don’t really have much standing to complain about that. Nevertheless, since this is one of the most obvious uses of such a device, and most businesses use Exchange, it would have been nice if something were included by default. But of course, there are various open-source options being worked on by third parties. Haven’t tried them yet, though.

Another thing I’m still looking for is the perfect media player for this device. The built-in player would be perfectly adequate for my needs, except for one snag. By default, it does not support Ogg Vorbis audio files. Fortunately, that’s easy enough to add. However, when you do that, suddenly hundreds if not thousands of .ogg files from the Navicore directory (which contains a demo version of the Wayfinder route planning software) are added to the library. There does not seem to be any way to tell the media player to ignore that directory. The alternative UKMP skips the Navicore directory by default, but it doesn’t seem very stable — it has already crashed on me several times. Then there’s Kagu, which is mostly written in Python so it’s very easy to modify the list of directories to be searched. However, while it looks nice, the user interface does not work well for me at all — you apparently need to add all your songs to the playlist individually before you can play anything. The ‘add all’ button only appears when you’re already at the list of songs for a particular album. Hmm, it’s written in Python — how hard could it be to modify that? In the meantime, I’m open to suggestions on either a different media player to use, or on how to solve the problems I’m having with the three ones mentioned.

So yesterday, as happens every couple of months, a spammer somewhere in Pakistan decided to randomly pick the mwolf.net domain as the fake ‘from’ address for his various unsavoury commercial offerings. Which means, of course, that I get a few hundred bounces from well-meaning but naive mailservers, configured by well-meaning but naive admins.

Hello everybody: spammers lie! Their pills don’t work, their stock tips are scams, they won’t deposit several million dollars into your bank account if you just let them use your account number for a couple of days, and their return addresses aren’t valid. If you have determined that a given e-mail is probably spam, then sending anything to the ‘from’ or ‘reply-to’ address is just about the least useful thing you could do. It makes you a part of the problem, not the solution. By sending an automated response to that address, you are allowing the spammer to use your server to effectively spam me. I get plenty of spam myself, but SpamAssassin deals with that pretty well; the bounce messages are a bigger problem.

In a world where e-mail to a non-existent username is a lot more likely to be spam or a virus than an innocent typo, sending reply messages to such mail should be condemned as bad netiquette. Either accept all mail for your domain and swallow the spam silently, or set up your system so that it generates an error message as part of the SMTP exchange. And never, ever send any kind of response to a message which your filter software has already identified as being probable spam.

And then, of course, there are the ‘callback’ systems, which send an automated response to every mail they receive, asking the server to click on a link or in some other way prove that they are a real person. Of course, this also means that they send out one harassing message to an innocent third party for every spam message they receive, thus effectively becoming a spammer themselves.

In other spam news, and related to my previous post: it turns out that some of my own legitimate mail is not being received because it is being identified as spam by over-eager filters. Why? Because my ADSL account, with a server running 24*7 on a fixed IP address, is listed as a dial-up in some blacklists. Now, I can kind of see the logic behind that — after all, blocking dial-up users is probably fairly successful in getting rid of a lot of spam from botnets. But there’s a baby in the bathwater: a lot of technically savvy people like to run their own mailserver, ironically often with spam filtering as an important motive. As I once tried to explain to my previous employer: are these really the people whose job applications you want to block? There are much better ways of spam filtering, which don’t yield so many false positives. Please don’t do it.

You can download his firewall script here. You can contact the author at the address meetscott at the domain netscape.net.

I started out, of course, with the procedure described here. That worked to the point that I was succesfully authenticated and connected to the network, but then PPPD immediately complained that the modem hung up.

So, what turned out to be the problem? Just one little thing. The script on that page contains the following connect string:

AT+cgdcont=1,”IP”,”internet”,,0,0

Here, internet is the name of the UMTS/GPRS APN. However, that’s incorrect. It should be umts.xs4all.nl, or even just an empty string, but not internet. Once I fixed that, the procedure as described there worked fine.

However, I actually prefer to use wvdial, which is slightly easier to configure. Here’s the contents of my /etc/wvdial.conf:

[Dialer Defaults]
Modem = /dev/ttyUSB0
Baud = 460800
SetVolume = 0
Dial Command = ATD
FlowControl = NOFLOW
Init1 = ATZ
Init2 = ATM0

[Dialer umts]
Username = wolfm
Password = [CENSORED]
Phone = *99***1#
Stupid Mode = 1
Init3 = AT+CGDCONT=1,”IP”,”umts.xs4all.nl”,,0,0
Dial Attempts = 3

Now I can simply start the UMTS connection with wvdial umts. That’s all! Well, except that you may need to manually set the UMTS gateway as your default gateway: route add default gw 10.64.64.64.

Oh, and a little trick from here: you can disable the PIN code by sending the command AT+CLCK=”SC”,0,”0000″ to the modem (e.g. using Minicom), assuming that 0000 is your current PIN.