m0n0wall hardware and bootstrap

In this article I will discuss the hardware used in my home-brewed firewall and what I did to bootstrap the firewall with the m0n0wall software image. My m0n0wall firewall is based on an older Dell Dimension V400. To get an idea of the machine's age, this photo shows the original stickers promoting the Pentium II, Windows NT and Windows 98. This machine has a 400 MHz processor and 128 MB of RAM. I removed the hard disk and disconnected the floppy drive. The older CD-ROM drive was replaced with a spare Sony CD-RW; the tray on the original CD-ROM had started to make grinding noises and stopped opening when the button was pressed. The machine started with one network adapter and I added two more Linksys LNE-100 PCI adapters. You can see all three 100 Mb PCI network adapters in the following photo.

The most educational part of the project for me was the installation of the compact flash IDE adapter and memory card. This device plugs directly into the IDE cable connector on the motherboard and can be used in place of a hard disk. A compact flash device won't suffer a head crash or any other type of physical damage associated with a moving, mechanical hard disk. I wanted to eliminate the primary causes of a firewall crash, so it was this approach or a pair of mirrored hard disks. The memory card solution was much less expensive and provided me with some experience if I wanted to move to a Soekris or LogicSupply solid-state PC later. I used a compact flash IDE adapter from StarTech, model IDE2CFINT. You can find them for less than $20. I bought mine from Amazon with a 2 GB memory card. StarTech's site has several good close-up images of the adapter. In the following photo, you can see the compact flash IDE adapter plugged into the PC's motherboard IDE cable connector. Along the right side of the compact flash IDE adapter is the memory card, which is plugged into a pin header. Above the memory card is a floppy drive power cable.

The power for the adapter can come from the motherboard or from a floppy drive power cable. There is a jumper on the adapter to specify the source of power. I set it up initially this way, and it worked, so I left it. This machine has two IDE channels: the first is used by the compact flash IDE adapter, and the second is used by the CD-RW drive. You can see in the blurry background of the above photo the CD-RW cable connected to the motherboard's second IDE channel below the compact flash IDE adapter. The cable comes up to the left of the compact flash IDE adapter and continues up to the CD-RW. The next step was to power up the machine and see what the Dell's BIOS thought of these hardware changes. After I powered the machine and entered the setup screen, the BIOS automatically detected the compact flash IDE adapter and memory card as a 2 GB hard disk. It also recognized the Sony CD-RW. That's it! Save settings and exit.

The next interesting task was to write the m0n0wall software image to the memory card in the PC. I have the one compact flash IDE adapter, so my approach to loading the software was somewhat improvisational, based on the machine I was using and the resources I had available to me the evening I decided to take this on. For me to be able to load the m0n0wall software, I had to boot the machine with an operating system from the CD-RW and then transfer the m0n0wall image directly from some media to the compact flash IDE adapter. I decided the easy approach would be to boot a FreeBSD or Linux installation disk, enter a rescue mode and get to a command prompt where I would have the basic tools available. For example, the CentOS 5.1 rescue mode on disk 1 has the dd and gunzip utilities I need to write the m0n0wall software image to the memory card. What media would I get the m0n0wall software image from? At this point it was sitting on my PowerBook's file system after downloading it from the m0n0wall web site.

The Dell PC I am using for the firewall has two USB connectors on the back. Since I didn't want to create a custom boot CD, I decided to try to boot from the CentOS 5.1 disk in the CD-RW and use a USB memory stick with a FAT file system to contain the m0n0wall software image file. I formatted a USB memory stick with a FAT file system and simply copied the m0n0wall generic PC image to it. I plugged the USB memory stick into the back of the Dell and booted the CentOS 5.1 disk 1 from the CD-RW. I selected the rescue mode and made my way to a Bash command prompt after a couple of questions. Once at a command line, I used the dmesg command to see if the kernel had recognized the USB memory stick during boot and if it had been assigned a device name. The kernel did find it and created it as a pseudo-SCSI device. The next step was to mount the FAT file system of the USB stick into the rescue file system. The root of the CentOS rescue file system is a RAM disk, so this was no problem. I created a directory called /tmp/usb and mounted the USB device there. I could see the m0n0wall image file now. Section 3.2.2 of the m0n0wall handbook provides the basic template for the dd command in Linux to write the image to the memory card. I needed to take note of the different device names and the location of the file containing the m0n0wall image.

gunzip -c /tmp/usb/generic-pc-1.2XX.img | dd of=/dev/hdX bs=16k

This took just a few seconds to complete. During the transfer of data, I could see the activity light on the StarTech IDE2CFINT flickering, so I knew something was really happening. I got a prompt back and a summary from dd of how much data was written. I pulled the CentOS disk from the CD-RW, removed the USB stick from the back of the PC, and rebooted. I watched the Dell POST complete and soon after I saw the familiar spinning cursor of the FreeBSD boot loader, followed by kernel messages, and finally the m0n0wall console menu. The Dell PC booted from a compact flash memory card and m0n0wall was ready to be configured. ...
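The post trusts dd's byte count as proof the image landed on the card. The following is an added example, not code from the original post or from the m0n0wall project: it runs the handbook's gunzip | dd template and then reads the written bytes back and compares checksums. It assumes a constructed random image and a plain file standing in for /dev/hdX (the conv=notrunc flag only keeps that stand-in file at its "device" size); on the real machine you would point the target at the device the rescue kernel detected, as root.

```shell
#!/bin/sh
# Added example, not part of the original post: write a gzipped image with the
# handbook's `gunzip -c ... | dd of=... bs=16k` template, then verify the write
# by checksum. The target is an ordinary file standing in for /dev/hdX and the
# image is a constructed random blob, not a real m0n0wall image.
set -eu

# Print the SHA-256 of the uncompressed image.
image_sum() {
    gunzip -c "$1" | sha256sum | cut -d' ' -f1
}

# Compare the first N bytes of the target (N = uncompressed image length) with
# the image itself. A real device is larger than the image, so only the bytes
# that were written are checked. Returns 0 on match, 1 on mismatch.
verify_image() {
    img_gz=$1
    target=$2
    size=$(gunzip -c "$img_gz" | wc -c | tr -d ' ')
    written=$(head -c "$size" "$target" | sha256sum | cut -d' ' -f1)
    [ "$written" = "$(image_sum "$img_gz")" ]
}

# Write the image with the handbook template, then verify it.
# conv=notrunc keeps the stand-in file at its full size, like a real device.
write_image() {
    img_gz=$1
    target=$2
    gunzip -c "$img_gz" | dd of="$target" bs=16k conv=notrunc 2>/dev/null
    verify_image "$img_gz" "$target"
}

# Build the constructed sample in directory $1: a 1 MiB pseudo-image, its
# gzipped form (what you would download), and a 2 MiB zero-filled "device".
make_sample() {
    dir=$1
    head -c 1048576 /dev/urandom > "$dir/generic-pc-sample.img"
    gzip -c "$dir/generic-pc-sample.img" > "$dir/generic-pc-sample.img.gz"
    dd if=/dev/zero of="$dir/fake-hdX" bs=16k count=128 2>/dev/null
}

# Stand-alone demo: write the sample and report the result.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
if write_image "$demo_dir/generic-pc-sample.img.gz" "$demo_dir/fake-hdX"; then
    echo "image written and verified: $demo_dir/fake-hdX"
fi
rm -rf "$demo_dir"
```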

March 2, 2008 · 6 min · 1102 words · Jim Thario

The Differentiator

Are you a software engineer? Today is a good day. Have you read the news? Read here for a quick review about the SM-3 missile versus the USA-193 satellite smack-down that took place over the Pacific Ocean. This event was not exciting to me because it was a demonstration of American military capability - I mean, it was that, but my interests in the event have a different motivation. It was exciting to me because this was a hammering success for the software engineers that modified the Navy's systems to pop that satellite over a hundred miles above the planet without a warhead. It wasn't like the Navy had to get close enough to detonate the missile. They had to be dead on because this was a kinetic kill at closing speeds over 20,000 MPH. This event was a strong example of software as a differentiator. Missiles and rockets are becoming commodity items. Russia has them, China has them, and the Middle East has them or is testing them. In fact, most countries with a vowel in their name have missile capabilities. A missile is not a big deal - a tube with propellant. Light it off, it might go up, sideways, spin wildly or just fall over and explode. The SM-3 has been around for a few years, but the military has never admitted to trying to use it to shoot down a satellite in orbit. The SM-3 was originally designed to go nose-to-nose with incoming short and medium range missiles. The exciting story-behind-the-story for me is that software brought that satellite down and the SM-3 missile provided a reliable and high-performance lift for the software to find its target.

Today software is the key differentiator in a world of commodity technology. Think about it. A majority of us have cell phones. They are shrinking in size and expanding in capability. Where does that capability ultimately come from? Why would you buy one phone over another? I select a phone and carrier based on features. Where do the features come from? Is it in the case, the antenna, the battery, the screen, or the memory card? All cell phones have these in one form or another. What differentiates them from one another is the software. The phone's software realizes the capability to share a chat in your social network, send a ring tone to a friend, find an archived text message from your sibling, and to learn about the latest discounts at the stores in your area reported by the GPS.

Have you seen Ford's new commercials recently? They are touting the Sync system. In fact, they are spending a lot of money showcasing that and not MPG, crash tests, 60-0 stopping ability, etc. Whether or not that is a good idea is yet to be seen. The hardware that goes into Sync goes into a lot of in-car entertainment and phone systems: speakers, radio, CD, MP3 player, microphone, antenna, LCD screen and little buttons on the steering wheel. Big deal. Commodity items. What differentiates Sync is the voice recognition system and the integration of pieces inside and outside the system. So, what is Sync? It is the software that realizes the features and value proposal of the Sync concept.

Today software is what differentiates individual pieces and parts from something innovative that creates new value. My final example is the Toyota Prius. It has something called Hybrid Synergy Drive. It is not enough to say it is a gas and electric hybrid. That wouldn't do it justice. It is a drive-by-wire system, and at its heart: software making the decisions when to go electric, gas, recharge, and much more. A human tasked with driving and making these continuous decisions on how to generate power most efficiently from all the available choices would not be practical or possible.

Today is one more good day for software engineers - the people behind the Wizard's curtain. Well done. I'll see you at the bar for a toast. Without you, it's just a box of pieces and parts. ...

February 21, 2008 · 4 min · 671 words · Jim Thario

VOIP and Traffic Priority

Some time ago my employer asked if I would like to participate in a pilot of AT&T CallVantage from my office. This service is a competitive offering to Vonage's VOIP service. With CallVantage, you get to pick a phone number in an area code of your preference, they send you a telephone adapter in the mail and off you go. The telephone adapter connects over the Internet to the phone company, bypassing the local carrier's wires. Within the week I had the telephone adapter. Getting the CallVantage service up and running was no trouble at all. There is a web portal to customize the service, like recording voice mail greetings and setting up a do-not-disturb schedule. You can review call history through the portal and place numbers into a phone book. You can also initiate calls from the web site. The service will ring your phone, wait for you to answer and then ring the other party's phone.

The telephone adapter I received in the mail was manufactured by D-Link. It is actually a combination telephone adapter and firewall, if you choose to use it that way. The network here was already equipped with a firewall, so I decided to use up one of my static IP addresses and place the adapter outside the firewall. The first time the adapter connected over the Internet with AT&T, it spent a few minutes downloading new code and rebooted a couple of times, and when it was ready for service the phone connected to it rang once. The status lights on the adapter showed all green.

I had been using CallVantage for a few days and everything was working great until … one day I was on a VOIP call and hosting a screen sharing session with some of my co-workers around the country. I was doing a code review, paging through an editor, showing some diagrams and talking about the design. From the network point of view there was a large amount of constant outbound traffic, some consisting of the screen data and some consisting of my VOIP data. Every couple of minutes someone would ask me to repeat something I said, because my voice had broken up for a brief moment. They described it as sounding similar to a cell phone breaking up, and other times they said I just went to dead air for a few seconds. I knew exactly what was happening - there was competition between VOIP and non-VOIP traffic and there was no control over which would leave my network first at any given time. It was time to seriously consider a solution to prioritize network traffic.

The D-Link adapter has the ability to prioritize traffic if you use it as a pass-through device. You can configure the D-Link as a NAT router or a bridge, placing it between your ISP's router and your private network or existing firewall. The D-Link adapter will give priority to packets for VOIP and slow down or drop packets from your network devices to accomplish a poor man's QoS. I call it a poor man's approach because I don't actually think D-Link put a lot of thought and effort into it. I was always suspicious that the telephone adapter had a 10 Mbit network port on the WAN side. They put 100 Mbit ports on the LAN side. The WAN port speed was just a little too close to the upper bandwidth of the Internet connection here. There are days we get well over 10 Mbit on the inbound side of our connection, so this just seemed like a bad idea. In fact, it was a bad idea after I tried it. There was no improvement in the number of voice drop-outs. The next strategy was to move the D-Link adapter behind the firewall, reconfigure it for DHCP and use a more robust approach for traffic shaping and prioritization. The D-Link adapter would only be the source and destination for VOIP traffic. No other traffic would move through it. The solution I eventually adopted is open source. I will talk more on the actual implementation in a future post.

The first thing to understand about VOIP audio quality is that you can only prioritize and shape outbound traffic. This is traffic leaving your network heading for your VOIP provider. I mean, you can prioritize inbound traffic on the receiving side, but by the time this happens, the traffic has already traversed your connection and has used up some portion of bandwidth. Prioritizing inbound traffic on the receiving side will rarely improve the audio quality you hear. There are reasons beyond VOIP to prioritize and shape inbound traffic on the receiving side, like slowing down the person downloading ISO files all day on Friday. A good example from the real world is highway traffic control. Traffic signals are placed at the on-ramps to the highway, not the off-ramps. Your Internet connection is like a point-to-point highway between your ISP and your site. If you want to prioritize inbound traffic for the purposes of VOIP audio quality, talk to your ISP (the on-ramp for the traffic coming to you) so they prioritize packets before sending them to your place. What about packets traveling between the VOIP provider and your ISP? Anything can happen there and it's out of your control. Usually these interconnections are so fast, it's not a significant factor in quality.

The next bit of knowledge about prioritizing network traffic is to have only one device at your end making the determination about which packets go out first. This means you don't want to flood your DSL or cable router with packets, because its queuing strategy might undo the order of packets you send to it. The only way to be sure the packet order is maintained is to reduce your outbound bandwidth slightly to make sure only one device on your end is queuing packets in the order you specify. You want to send packets just a little slower than your connection's upper limit, to keep all the other device queues empty. If your ISP router gets a packet and its queue is empty, it can send that packet right out.

We will use my office setup as an example. The outbound connection speed at my office is about 1.5 Mbit. We specify to our traffic shaping device to limit outbound speeds to about 1.4 Mbit. If you don't do some amount of reduction and just blast packets to your ISP router at full speed, it may reorder them based on its internal rules, or it may just start dropping packets because the manufacturer designed it with a shallow queue. Because these are usually closed, proprietary devices, you just have to accept that you don't know what it will do as packets queue up. For our case we have the traffic shaping device reduce our outbound speed by about 6.5%. You might need more or less of a reduction, and experimentation and tuning is a required step. Re-tuning should be done once or twice a year.

Next, you need a way to identify traffic from specific devices on your network and determine what the classes of priority should be. In our network we have three classes of priority for outbound traffic. The highest priority traffic comes from the VOIP devices. Medium priority traffic comes from workstations. Lowest priority traffic comes from servers. Remember these priorities are only for traffic leaving the network for the Internet. Our internal network is 100 Mbit wired or 54 Mbit wireless, so workstations connecting to the local SMTP server don't feel any of this prioritization. The reason servers are at the lowest priority is because there are a few non-essential web sites hosted here and an SMTP server that relays outbound mail. We really don't care if it takes 5 seconds or 20 seconds to relay an outbound email, because it is all done as background work. The VOIP devices and servers are given internal, static addresses by the DHCP server, so we can determine a packet's priority by source IP address.

The device or software you choose to prioritize your traffic may have constraints on how traffic can be identified. For example, it may only be able to identify traffic based on source and destination IP port numbers, or protocol. A simple hardware device may prioritize traffic based on physical network port connections. I have a small consumer firewall that has five 100 Mbit LAN ports, and each port can be assigned a low, medium, or high priority. Do your research and work out your strategy before committing to a solution.

I decided on an open source solution called m0n0wall and a basic Dell PC with multiple network adapters. I stripped out the hard disk and floppy disk, kept the CD-ROM, added an IDE compact flash reader and a couple of extra fans just in case. I will go into details about my m0n0wall firewall and shaper settings in the next post. ...

February 17, 2008 · 7 min · 1486 words · Jim Thario

Internet Service Provider

My ISP is Comcast and I couldn't be happier. "What!?" you say. I know, I know. Realize that most people deal with Comcast as a residential customer and the horror stories I hear are typically related to that class of service. There is another Comcast - the business services group. I am not sure at what point in the corporate hierarchy the two groups separate.

Comcast provides an a la carte business service called Comcast Workplace. I have this service at my office. I pay monthly for two things: a connection that averages 10 Mbit inbound and 1.5 Mbit outbound, and a block of static IP addresses. Actually, the service agreement is for about 9 Mbit, but some days we get upwards of 12 Mbit. That's it, no bundles, no block of useless email addresses, no free web storage, no browser toolbars, nothing. I am paying for exactly what is needed - bandwidth and addresses - no more. This is a business connection, and I run web and email servers here for a few low traffic domains. Inbound and outbound VPN is almost always running. The catch? In terms of paying for exactly what you need and obtaining a phone number directly to network engineers, expect to pay 2-3 times what you pay for residential cable Internet service. "What!?" you say again.

A positive example of the service I get was when I needed to change the reverse lookup on the IP addresses. The customer support person at Comcast knew exactly what needed to happen and replied, "Please hold while I transfer you to network engineering." The process took about 10 minutes on the phone and about 6 hours later the changes were live. After having the service in place since January 2006, the connection has been down once for a total of about 2-3 hours. That outage was due to a deep freeze here in Denver that impacted equipment at Comcast's location. They were attentive enough to send someone to my office within 45 minutes of reporting the outage to work the problem back to their site.

For now, the office is happy and Comcast stays. ...

February 17, 2008 · 2 min · 355 words · Jim Thario

How I use m0n0wall

It really has been about 1.5 years since my last post. I have been busy and now have plenty to write about. A few months ago I deployed a dedicated system running m0n0wall at the edge of my network. I needed to find a firewall and router that could do the usual firewally things. I needed support for inbound and outbound NAT, DHCP and DNS for LAN clients, and inbound VPN when I am away. I did not want the firewall to rely on any other system in the network aside from the ISP's router. Last year a new requirement surfaced in that the office needed shaping and prioritizing of traffic to and from the Internet. There is a VOIP adapter here for AT&T CallVantage. Skype is also used periodically. Real time traffic needs priority over everything else. Traffic related to the web and email servers needs to run at the lowest priority. Services like SMTP don't need the full bandwidth of my connection here in either direction. I often find bursts of incoming SMTP can cause drop-outs on the VOIP calls. The several workstations on the network here need reasonable connectivity - higher priority than the servers but less than the VOIP traffic. Finally, if a class of service is not competing with any other, that service should get the bulk of available bandwidth regardless of priority. Here is a high-level diagram of my network. With the next few postings, I will go into detail of how I successfully deployed m0n0wall on this network to satisfy these requirements. ...

February 10, 2008 · 2 min · 261 words · Jim Thario

PGP/GPG Keys

I recently updated my PGP/GPG keys. I uploaded the public key to the MIT key server and a Google Sites page. MIT Server Google Drive

June 2, 2006 · 1 min · 25 words · Jim Thario

Privacy and Search Terms

AOL, Google, and Yahoo have been in the news about their responses to a Justice Department request for search terms used by the worldwide Internet community. AOL and Yahoo have agreed, while Google has refused to hand over the information. A court battle is on the way.

I really hadn't given this subject much thought until the other night when I was looking for references to my family name using Google. I searched on my name, family members' names, addresses and even phone numbers. Then it occurred to me - search terms do contain private data. How many times have I put someone's name into a search engine to find out about them? By now, hundreds of times. The government has said repeatedly they are not interested in who is performing the search, but I also believe there is enough private data in search terms to restrict that data as well. Considering the amount of time Google and Yahoo have probably been archiving usage data for profiling and optimizing their services, there have to be mountains of search terms that would make an NSA analyst wet themself.

How many people have put their social security number into a search engine to see if it has been compromised? How many people have put a credit card number into a search engine for the same reason? How many times have you searched on something related only to you? Perhaps something private about you?

The more I thought about it, the more I believe that every bit of data related to Internet search should be maintained as private and should only be obtained through proper court authority. ...

April 8, 2006 · 2 min · 271 words · Jim Thario

Thoughts on the relationship between Rational Method Composer and EPF Composer

This seems to be a topic of increasing discussion both inside IBM and within the Eclipse Process Framework community. Questions such as "Which offering will get feature XYZ first?" "Are they functionally equivalent?" "Should the customer buy Rational Method Composer or will EPF Composer do the same thing?" are asked weekly. To refresh everyone, Rational Method Composer is a commercial tool by IBM Rational Software for the authoring of method content and for publishing configurations of method content as processes. EPF Composer is a subset of RMC code and was donated by IBM to the Eclipse Foundation as open source. The idea over time is that EPF Composer will be a core component of RMC, while RMC will add value through proprietary features and support that might not be possible in a purely open source offering.

I would like to see the relationship between EPF Composer and Rational Method Composer develop in the same way the relationship of Red Hat Enterprise Linux and Fedora Core Linux has evolved. Red Hat Enterprise Linux and Fedora Core Linux are the result of Red Hat's experience in developing, maintaining, and selling Linux distributions over more than a decade. Red Hat Enterprise Linux is a commercial distribution of Linux that is sold by Red Hat. You cannot download RHEL executable code for free. Each major release of Red Hat Enterprise Linux is stable and evolves conservatively, and this all works very well if you are an IT administrator who does not want to deal with constant architectural churn of your server operating system. Fedora Core Linux, on the other hand, is entirely open source and is available in source or binary form for download by anyone. Fedora Core Linux pushes the technology barrier to the bleeding edge. One could consider Fedora Core Linux unstable in terms of constant change, yet revolutionary in terms of the capabilities it incorporates with this regular cycle of change. An example would be the inclusion of Xen virtualization technology recently added to Fedora Core 5. Xen is developed out of the University of Cambridge. Imagine having virtual machine technology, like what mainframes have had for decades, as a standard feature of your PC operating system. How would having the ability to partition the operating system into multiple, independent virtual systems change the landscape of data center design? It will. Once it is there, administrators will begin to count on it. Xen is not quite stable, yet adding it to Fedora Core 5 will push Xen toward stability by making it accessible in a highly popular Linux distribution. As cutting edge features are added to Fedora Core Linux and stabilized, they are eventually consumed by Red Hat Enterprise Linux and supported over the long term [years] by the RHEL teams. We will see Xen show up in a future release of Red Hat Enterprise Linux when it has stabilized enough for commercial adoption. Additionally, proprietary features such as hardware device drivers and other closed-source capabilities can be found in RHEL, but will never make it to Fedora Core Linux.

Let's project this idea onto Rational Method Composer and EPF Composer. Imagine EPF Composer is where new experimental ideas are realized into the tool for authoring and publishing software processes. Risks would be taken here, changes happen quickly, and the essence of the tool represents the cutting edge of ideas in the IT process authoring space from experts in business and academia. As new concepts are stabilized in EPF Composer and deemed fit for commercial inclusion, they are consumed by Rational Method Composer and supported by the world's largest Information Technology company and the service professionals behind it. This would not mean that Rational Method Composer would be behind the times in terms of features. It means those features taken from EPF Composer and added into Rational Method Composer would be supported over the long term [years] and allow for a predictable maintenance path for CIOs, on-site technical support and formal training professionals. Additionally, Rational Method Composer might get capabilities that are not applicable to an entirely open source tool. A partnership with another vendor might allow Rational Method Composer to import and export data with another commercial closed source tool. Such an agreement would not be possible in open source.

I think it is important to define the nature of the relationship between these two offerings and how they will benefit from each other's existence. This is one possible approach for how that relationship might evolve. ...

March 22, 2006 · 4 min · 741 words · Jim Thario

Tater

After losing two dogs to completely different illnesses within one year, we recently adopted a new family member named Tater from New Hope Cattle Dogs of Colorado. He is about five months old now, and he appears to be mixed Cattle Dog and Pointer. We joke that he has an internal conflict of wanting to flush small animals out of bushes and then herd them back together. ...

March 17, 2006 · 1 min · 68 words · Jim Thario

OPEN Process Framework Repository

The following message was received today on the epf-dev mailing list for the Eclipse Process Framework. This is an exciting announcement from Donald Firesmith because it is another example of the process engineering community, both commercial and academic, bringing the content it has been developing for years to EPF to take advantage of the standardization of metamodel and tooling to author and publish the material.

On behalf of the OPEN Process Framework Repository Organization (www.opfro.org) and the OPEN Consortium (http://www.open.org.au/), I would like to officially announce that we will be donating our complete OPFRO repository of over 1,100 reusable, open-source method components to the eclipse epf project as an additional third repository. Currently, our repository is based on the OPEN Metamodel, but we will shortly begin translating it to fit the epf SPEM metamodel and associated xml xsd. We will also be working over the next few weeks to determine what level of effort support we can donate to epf.

Donald Firesmith, Chair, OPFRO ...

March 17, 2006 · 1 min · 160 words · Jim Thario