2007-10-23

I've had a bad run with security issues. Reading the Linux NAT code I discover that it's not really meant to be a firewall. For example, unparsable packets are usually handled with NF_ACCEPT, which leaves a lot of room for nastiness. This choice makes sense from a NAT point of view -- many packets don't need NATing and so if you can't parse the packet, then just change the network-layer headers, punt it through and see how it goes. But from a firewalling NAT point of view, it's not so hot.

There's also a severe problem with port allocation. Linux NAT tries to use the same ports on the Outside of the NAT as on the Inside of the NAT. Handy for fault tracing. But consider a malicious Inside user who uses port 80. Assuming there is no one currently holding port 80, then the NAT will use port 80.

So we have a race condition on system start. Who will get port 80 first: our malicious Insider with the phishing web site, or our server? Well, the networking starts before Apache, so the odds are stacked in favour of our insider.

Cisco need not look smug at this point. A little testing shows a problem in that camp too.

Thinking about it more, systems are plagued with race conditions on start. The sensible thing to do would be to configure a "client mode" firewall, bring up the system, then re-configure the firewall into a "server mode" stance. This carries the implication that host firewalls do have substantial benefits, something not appreciated by "corporate firewall appliance" vendors.
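A two-phase host firewall along these lines, as an added example that is not code from the post: a "client mode" ruleset loaded early in boot that accepts no new inbound connections, a "server mode" ruleset loaded only once the web server is listening, and a NAT ruleset that forces outside source ports into an explicit range so an inside host binding port 80 cannot appear as port 80 on the public address. Both filter rulesets also drop packets conntrack cannot classify (state INVALID) instead of letting them through. Assumed names: WAN on eth0, LAN on eth1 (192.168.1.0/24), public address 203.0.113.1 (a documentation address), and an iptables build with the conntrack match and the SNAT `--random` flag.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names: WAN on eth0,
# LAN on eth1 (192.168.1.0/24), public address 203.0.113.1 (a documentation
# address), and an iptables build that has the conntrack match and accepts
# "SNAT --to-source addr:port-port --random".

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PUBLIC_IP="${PUBLIC_IP:-203.0.113.1}"

# Filter rules shared by both phases: default-deny inbound and forwarded
# traffic, accept loopback and replies, and DROP whatever conntrack could not
# classify rather than letting unparsable packets through.
filter_common() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
EOF
}

# Phase 1, "client mode": loaded before any service starts during boot.
# No new inbound connection is accepted, so whatever grabs a port early
# cannot be reached from the outside.
client_mode_rules() {
    filter_common
    echo "COMMIT"
}

# Phase 2, "server mode": loaded only after the intended server (here a web
# server on port 80) is up and listening. Loading it replaces the filter
# table, so the client-mode rules are swapped out atomically.
server_mode_rules() {
    filter_common
    echo "-A INPUT -i $WAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    echo "COMMIT"
}

# NAT rules for inside hosts. The explicit port range plus --random stop the
# NAT from preserving the inside source port, so an inside host that binds
# port 80 cannot show up as port 80 on the public address.
nat_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $PUBLIC_IP:1024-65535 --random
COMMIT
EOF
}

# Load one ruleset atomically (needs root and iptables-restore, which
# replaces only the table named in its input and leaves the others alone):
#   apply_rules client_mode_rules && apply_rules nat_rules   # early in boot
#   apply_rules server_mode_rules                            # after httpd is up
apply_rules() {
    "$@" | iptables-restore
}
```

The functions only emit iptables-restore text, so the script can be inspected and tested without root; `apply_rules` is the one place that touches the kernel. The INVALID drop only covers what conntrack itself fails to classify, so it narrows the "unparsable packet" window rather than closing it entirely.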

I don't understand much beyond networking, but I also wonder what joys are being unleashed by the current trend of operating systems allowing users to log in before the system initialisation completes. That race condition used to be avoided by setting /etc/nologin at system start and removing it once the system was running successfully.

I also don't understand the conntrack code. Each conntrack module seems to allocate a 64KB packet parsing buffer. That's going to lead to more packet copying than is healthy. But also, consider the "network appliance" case. Those vendors are going to install every conntrack module they can -- so that users' applications just work through their ADSL gateways. But most users won't use all of the protocols, so some of those allocations will never be touched. Even if the parsing buffer is retained, lazy allocation of the buffer is called for.

My employer is onto its nth slide template. Since they are created by professional graphics firms, they have huge bitmaps in the background. That sucks from a lot of points of view, but worst of all it isn't resolution-independent, and I usually hand out printouts of the slides since I normally give very technical presentations. That means that everything has to be in vector formats, otherwise the detail on the handouts is as poor as the detail on the screen.

There's a lot of work making the OpenOffice template look like the PowerPoint template, but suck less. Replace white bitmap backgrounds with a real background, replace bitmap text with text, replace bitmap lines with lines. Export and crop photos using the Gimp. And so on.

[Aside: if you are asking a graphics agency to design your logo make sure you get the logo in the source vector format, a license to the fonts used, and the Pantone colours used. Without those you are bound to that graphics agency forever.]

Converting the EPS logo to SVG then loading that into OpenOffice actually worked. This took a small amount of manual editing of the SVG, since Inkscape insisted on inserting a background. There's probably some Inkscape secret handshake you can use rather than editing the SVG with Emacs.

The new slides have a funky background, which looks very much like an old 3270 terminal with the Contrast turned to maximum. So it has to be a bitmap background. I use Gimp to reduce the entire slide's background to something which can be tiled, and then look to put it into OpenOffice.

In a complete user interface disaster, this is how you set a bitmap background in Impress:

  1. Format | Area (you weren't expecting that, aye)

  2. Bitmaps | Add

  3. View | Master | Slide master

  4. Format | Page | Background. Select Bitmap from the drop-down box and select the bitmap you added previously.

On the plus side, now I've got the new template done, Impress was very good at importing the 250+ slides of networking equipment, maps, etc., and applying the new template.

OpenOffice still sucks for network diagrams; the user interface isn't good for a "place and route" approach. I use Dia, export to SVG, and then import the SVG into OpenOffice (there's a nice extension at www.ipd.uka.de/~hauma/svg-import).

Glen Turner