by R.I. Pienaar | Sep 9, 2004 | Uncategorized
A few years ago I decided to switch to PHP as my web development language of choice (I used Perl before that); since then I have done all my web development in PHP and tend to pick projects developed in PHP over non-PHP ones.
Most notably I use Horde with some of its modules, IMP in particular. Other systems I wrote myself using RoadSend Site Manager. These rely on PEAR modules to function; I keep Horde and IMP as up to date as possible, but my own system, which I wrote about 3 years ago, has not been updated since, and neither has Site Manager.
Last week I updated some PEAR modules using portupgrade and suddenly ended up with weird behaviour in IMP, where it would not show some attachments in mail, though not all of them. Eventually I gave up and just started upgrading my whole PHP and Apache system to new versions, since mine was getting a bit old and outdated.
So I uninstalled all the old stuff after making backups and started fresh. When it was all done, moved to the new FreeBSD PHP build system and with PEAR all up to date, I thought it would all be good, but it was not. Horde started having issues, strangely only with Mozilla: it would not do the redirect to the login page correctly. My own code would fail due to some change in the DB abstraction that caused calls to fetchrow() on a DB handle to return unknown method errors, and still the attachments were broken. Essentially the stuff was not backward compatible at all.
I fixed things by getting hold of old copies of PEAR, placing them in the directories of each application and overriding the PHP include paths for those applications to point to their own older instance of PEAR. This kind of thing just winds me up, and it is totally typical of the Open Source world, where breaking backwards compatibility and forever redoing code is the order of the day.
I can understand that expecting 3 year old code to still work is pushing my luck a bit, but Horde and IMP are recent projects that I keep up to date; you wouldn't expect them to use functionality that is that outdated.
by R.I. Pienaar | Sep 5, 2004 | Photography
I went to drop someone off at Victoria Coach Station today. On the way there we walked through a little mall called Fountain Square; at first I thought it's pretty grimy and dirty, but on the way back I took another look and noticed it was actually a pretty kewl place. I took a couple of photos that can be seen here.
by R.I. Pienaar | Sep 5, 2004 | Uncategorized
Today a friend and I went for a walk on the Thames South Bank and noticed a photographic exhibition at the OXO Tower Wharf. The exhibition was by Colin O’Brien and showed a collection of his images from 1954 to 2004.
His work that was shown was all black and white and shot for the biggest part in and around London, where he lives. I picked up a nice, signed book with the images that were on show. His work is well worth a look.
by R.I. Pienaar | Sep 4, 2004 | Uncategorized
I have been going through some of pbase's favourite galleries and came across one by someone who calls himself Knox. Of his photos there are two collections that really impressed me: one of Paris / London and one about City Cats.
It is not often that someone takes good photos of cats; they all tend to be a cliché or just a snap of a kitty. This guy, though, has a collection of absolutely stunning photos of cats in NYC. The collection is part of a book, of which more can be read on its site http://alleycatphotos.com/. From this site is a short bio of Knox:
Always seeking the perfect and pure musical note, Knox can be found in both recording and photographic studios from NYC to Katmandu. Around age 5 he was amazed at “the feel” of the first 35mm camera he stole. The sound you hear in a New York City alley could very well be coming from the bottom of a dumpster – a man in black, coaxing a little kitty to “smile for the camera.” He is well maintained by Lukas, a Giant Schnauzer of disreputable character.
Knox can be reached by e-mail at <email removed>
and boasts numerous Web sites, including www.AvatarPhotoArt.com and www.ArcadiaRocks.com.
It does not look like their book is published, I would certainly buy a copy when it comes out.
by R.I. Pienaar | Sep 2, 2004 | Uncategorized
Most products have some quirks that you don't like; some require you to slightly amend the way you work, and I am usually quite happy with that. The Cisco PIX has one major annoyance that I just can't come to grips with.
When adding a VPN to the PIX you put one policy set on the interface that the traffic will leave. For each interface you define a crypto map, with numbered sub-entries (submaps) carrying the information for the individual VPNs.
access-list 101 permit ip host y.y.y.y host z.z.z.z
crypto ipsec transform-set IPSECXFORM esp-des esp-sha-hmac
crypto map IPSECMAP 20 ipsec-isakmp
crypto map IPSECMAP 20 match address 101
crypto map IPSECMAP 20 set peer x.x.x.x
crypto map IPSECMAP 20 set transform-set IPSECXFORM
crypto map IPSECMAP 20 set security-association lifetime seconds 28800
crypto map IPSECMAP interface outside
These few commands essentially set up phase 2 of the IPsec connection. Later on, when you want to add a second VPN, you just add a new numbered submap to IPSECMAP, since each interface can only ever have one map assigned to it.
When you type any of the above crypto map commands, a new submap gets initialised with defaults:
# crypto map MAP 1 set peer 1.1.1.1
# sh crypto map
Crypto Map: "MAP" interfaces: { outside }
Crypto Map "MAP" 1 ipsec-isakmp
WARNING: This crypto map is in an incomplete state!
(missing peer or access-list definitions)
Peer = 1.1.1.1
No matching address list set.
Current peer: 1.1.1.1
Security association lifetime: 4608000 kilobytes/28800 seconds
PFS (Y/N): N
Transform sets={ }
The problem here is that if the IPSECMAP crypto map is active on the outside interface at the time, this incomplete submap will prevent all traffic from flowing. Only once both the peer and the match address are specified does it have enough information not to try to encrypt all the traffic on the interface.
The PIX CLI has no way to accept a batch of commands as a unit, and there is no way to enable or disable just one sub crypto map. Cisco's documentation has the following suggestion:
While a new crypto map instance is being added to the PIX Firewall, all clear and SSH traffic to the firewall interface stops because the crypto peer/ACL pair has not yet been defined. To work around this, use PIX Device Manager (PDM) to add the new crypto map instance or, through the PIX Firewall CLI, remove the crypto map interface command from your configuration, add the new crypto map instance and fully configure the crypto peer/ACL pair, and then reapply the crypto map interface command back to the interface. In some conditions the CLI workaround is not acceptable as it temporarily stops VPN traffic also.
So you either use the GUI or you turn off ALL OTHER VPNs while adding a new one!? That is insane; there are so many ways to fix this problem elegantly. They could have a simple addition to the crypto map command set, something like crypto map IPSECMAP 20 disable, and make that the default state, so that only once you have configured the whole submap would you enable it. As it is, I am stuck using the GUI!
UPDATE: This seems to only affect PIX Firewall Version 6.2; from 6.3 onwards the problem goes away. The bit of output from sh crypto map above is from a 6.3 PIX, and it knows the map is incomplete, whereas 6.2 initialised it to 0.0.0.0, matching all traffic. Time to upgrade my lab PIX machines.
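Because the PIX accepts each crypto map line on its own, the safest defence against the half-configured-submap outage described above is to check a batch of commands for completeness before any of them reach the firewall, and to wrap the batch in the detach/reattach sequence Cisco's workaround describes. The following Python script is an added example written for this post, not code from the post or from Cisco: it parses PIX-style crypto map lines, flags any submap that lacks a peer or match address (the two things 6.3's sh crypto map reports as missing) plus a couple of extra sanity checks, and builds the ordered command list. The sample configs, addresses and the map name IPSECMAP are constructed for the example; the helper names (parse_crypto_maps, find_incomplete, safe_batch) are my own.

```python
import re
from collections import defaultdict

# Constructed sample configs (not from the original post): a fully defined
# submap 20, and in INCOMPLETE_CONFIG a submap 30 that has only a peer set,
# i.e. the half-configured state that PIX 6.3 warns about in "sh crypto map"
# and that 6.2 silently initialised to match all traffic.
COMPLETE_CONFIG = """\
access-list 101 permit ip host 10.0.0.5 host 192.168.1.5
crypto ipsec transform-set IPSECXFORM esp-des esp-sha-hmac
crypto map IPSECMAP 20 ipsec-isakmp
crypto map IPSECMAP 20 match address 101
crypto map IPSECMAP 20 set peer 203.0.113.1
crypto map IPSECMAP 20 set transform-set IPSECXFORM
crypto map IPSECMAP 20 set security-association lifetime seconds 28800
crypto map IPSECMAP interface outside
"""
INCOMPLETE_CONFIG = COMPLETE_CONFIG + """\
crypto map IPSECMAP 30 ipsec-isakmp
crypto map IPSECMAP 30 set peer 203.0.113.2
"""
# A complete second VPN, as an operator would want to add it (constructed).
NEW_SUBMAP = [
    "access-list 102 permit ip host 10.0.0.6 host 192.168.2.5",
    "crypto map IPSECMAP 30 ipsec-isakmp",
    "crypto map IPSECMAP 30 match address 102",
    "crypto map IPSECMAP 30 set peer 203.0.113.2",
    "crypto map IPSECMAP 30 set transform-set IPSECXFORM",
]

IFACE_LINE = re.compile(r"^crypto map (\S+) interface (\S+)$")
MAP_LINE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
ACL_LINE = re.compile(r"^access-list (\S+) ")
XFORM_LINE = re.compile(r"^crypto ipsec transform-set (\S+) ")


def parse_crypto_maps(config):
    """Collect submaps, map-to-interface bindings, ACL names and transform-set names."""
    submaps = defaultdict(lambda: {"peer": None, "acl": None, "transform_set": None})
    bound, acls, xforms = {}, set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := IFACE_LINE.match(line):
            bound[m.group(1)] = m.group(2)
        elif m := MAP_LINE.match(line):
            # Any line mentioning a (map, seq) pair creates the submap, just as the PIX does.
            entry = submaps[(m.group(1), int(m.group(2)))]
            words = m.group(3).split()
            if words[:2] == ["match", "address"]:
                entry["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                entry["peer"] = words[2]
            elif words[:2] == ["set", "transform-set"]:
                entry["transform_set"] = words[2]
        elif m := ACL_LINE.match(line):
            acls.add(m.group(1))
        elif m := XFORM_LINE.match(line):
            xforms.add(m.group(1))
    return submaps, bound, acls, xforms


def find_incomplete(config):
    """Return a list of problems; an empty list means every submap is fully specified."""
    submaps, bound, acls, xforms = parse_crypto_maps(config)
    problems = []
    for (name, seq), e in sorted(submaps.items()):
        tag = f"crypto map {name} {seq}"
        where = f" (bound to interface {bound[name]})" if name in bound else ""
        # Peer and ACL are what a 6.3 PIX reports as missing in "sh crypto map".
        missing = [k for k in ("peer", "acl") if e[k] is None]
        if missing:
            problems.append(f"{tag}: missing {' and '.join(missing)}{where}")
        # Extra sanity checks beyond the post's symptom: no transform set, dangling names.
        if e["transform_set"] is None:
            problems.append(f"{tag}: no transform-set, so no SA can be negotiated")
        elif e["transform_set"] not in xforms:
            problems.append(f"{tag}: transform-set {e['transform_set']} is not defined")
        if e["acl"] is not None and e["acl"] not in acls:
            problems.append(f"{tag}: match address {e['acl']} refers to an undefined access-list")
    return problems


def safe_batch(existing_config, new_lines):
    """Order the commands for a new submap as Cisco's CLI workaround describes:
    detach the map from its interface, add the fully specified entry, reattach.
    Refuses to build the batch if the merged config would leave any submap incomplete."""
    merged = existing_config.rstrip("\n") + "\n" + "\n".join(new_lines) + "\n"
    problems = find_incomplete(merged)
    if problems:
        raise ValueError("refusing to build batch: " + "; ".join(problems))
    new_maps, _, _, _ = parse_crypto_maps("\n".join(new_lines))
    names = {name for name, _ in new_maps}
    if len(names) != 1:
        raise ValueError("a batch must add entries to exactly one crypto map")
    name = names.pop()
    _, bound, _, _ = parse_crypto_maps(existing_config)
    if name not in bound:
        return list(new_lines)  # map not yet applied to an interface, nothing to detach
    iface = bound[name]
    return [f"no crypto map {name} interface {iface}", *new_lines,
            f"crypto map {name} interface {iface}"]


if __name__ == "__main__":
    for problem in find_incomplete(INCOMPLETE_CONFIG):
        print("PROBLEM:", problem)
    print("\n".join(safe_batch(COMPLETE_CONFIG, NEW_SUBMAP)))
```

Run stand-alone, the script reports the half-configured submap 30 in INCOMPLETE_CONFIG and then prints the seven-line batch for adding the complete submap: the no crypto map ... interface line, the five new commands, and the reattach. On a 6.3 PIX the detach/reattach is no longer needed, but the completeness check is still worth running before pasting anything into a crypto map that is live on an interface.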