Wednesday, August 25, 2010

irssi behind proxy (via ssh port forwarding)

A Problem
To get natty technical questions answered, sometimes you hafta go to the source and drop a line to the mavens on IRC (Internet Relay Chat). But IRC uses a specific port (6667) denied by the average corporate firewall. Unfortunately, I could not get irssi functioning through my http proxy at work. What to do? Well..secure SSH tunneling and port forwarding to the rescue!
ssh -p 443 -L 1234:irc.freenode.net:6667 user@homemachine

But what the heck is all that stuff? I will explain.

The Solution
Like most companies, my company allows port 443 traffic through their firewall. I decided to use this open access to create a secure tunnel from my workstation in the office to a machine in my home network that has a running SSH server. I then use a very nice feature of SSH to forward traffic through the tunnel to my machine at home and onto a specific server out in the internet. This *should* be as easy as 1 - 2 - 3 (shown below), though to me, it's a bit mindbending. Read on..

1 - Configure the Home Router/Firewall
In order to get the above solution working, I needed to configure my home firewall to forward requests for port 443 to the SSH server (port 22) at home. Most home routers/firewalls have the ability to set up this hardware-based port forwarding.

2 - SSH Tunnel and Forward
After making sure that the port forwarding described in Step 1 is set up, I then use SSH on my machine at work to:
1) create a secure tunnel to my home machine over port 443 (ssh -p 443 user@homemachine)
2) create a listener on my local machine on port 1234 (-L 1234:)
3) forward requests to a specific IRC server on a specific port via that secure tunnel. In this case, port 6667 on irc.freenode.net , like so (:irc.freenode.net:6667)

The whole shebang is efficiently handled with that one ssh command string:
ssh -p 443 -L 1234:irc.freenode.net:6667 user@homemachine

On the host at work
After making sure Step 1 was completed, I received a "Password:" prompt after hitting "enter" on the above SSH command line:
$ ssh -p 443 -L 1234:irc.freenode.net:6667 user@homemachine
Password:
Last login: Wed Aug 25 11:20:09 2010 from 26.176.213.71


Now that I'm properly authenticated, I checked to see that the local machine is listening on port 1234. I did this by opening a second command prompt on the machine at work and looking at the output of "netstat -na":
$ netstat -na | grep LISTEN
..
TCP 127.0.0.1:1234 0.0.0.0:0 LISTENING
TCP 127.0.0.1:5152 0.0.0.0:0 LISTENING
TCP 127.0.0.1:8198 0.0.0.0:0 LISTENING

SSH has opened that local port and will forward traffic bound for it to the remote SSH server. But I'm not done yet. IRSSI needs to point to that local port in order to use my home machine to connect to the IRC server. Much like a frog uses one lily pad to hop to another.
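
A stricter version of that netstat check, as an added example that is not part of the original post: ssh binds a -L listener to loopback by default, but when started with -g (or with GatewayPorts enabled) it listens on every interface, and any host on the office LAN can then use the tunnel. The helper name classify_listener and the sample netstat lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). The hardened form of the page's
# command pins the listener to loopback and fails fast if the forward breaks:
#   ssh -p 443 -N -o ExitOnForwardFailure=yes \
#       -L 127.0.0.1:1234:irc.freenode.net:6667 user@homemachine

# classify_listener PORT   (hypothetical helper name)
# Reads `netstat -na` text on stdin and prints one of:
#   loopback  - PORT listens on 127.0.0.1 / ::1 only
#   exposed   - PORT listens on a wildcard or routable address
#   absent    - nothing is listening on PORT
classify_listener() {
    awk -v port="$1" '
        toupper($0) ~ /LISTEN/ {
            # The local address is the first field ending in ":port" or
            # ".port" (Windows, Linux and BSD/macOS netstat layouts).
            la = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /[:.][0-9]+$/) { la = $i; break }
            if (la == "") next
            p = la; sub(/^.*[:.]/, "", p)      # text after the last separator
            h = substr(la, 1, length(la) - length(p) - 1)
            if (p != port) next
            if (h == "127.0.0.1" || h == "::1" || h == "[::1]") lo = 1
            else ex = 1
        }
        END {
            if (ex) print "exposed"
            else if (lo) print "loopback"
            else print "absent"
        }'
}

# Constructed sample input: the first line is the listener shown on the page,
# the second is what the same forward looks like when started with -g.
printf '%s\n' 'TCP 127.0.0.1:1234 0.0.0.0:0 LISTENING' | classify_listener 1234
printf '%s\n' 'tcp 0 0 0.0.0.0:1234 0.0.0.0:* LISTEN'  | classify_listener 1234
```

In the second command prompt this would be run as `netstat -na | classify_listener 1234`; anything other than "loopback" means the forward is not confined to the local machine.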

3 - IRSSI config change
To point IRSSI to utilize that SSH tunnel, I made two minor tweaks to IRSSI's configuration: proxy_address and proxy_port via the /SET command:
[(status)] /set proxy_address 127.0.0.1
[(status)] /set proxy_port 1234
[(status)] /set use_proxy ON

[(status)] /set 
15:33 [proxy]
15:33 proxy_address = 127.0.0.1
15:33 [proxy]
15:33 proxy_port = 1234
15:33 [proxy]
15:33 use_proxy = ON

Note the localhost IP address in "proxy_address" and, of course, the appropriate port that I've opened.

With these tweaks in place and the secure tunnel created, I can then start up IRSSI and successfully connect to the IRC node via the local port, 1234:
11:35 -!- Irssi: Looking up irc.freenode.net
11:35 -!- Irssi: Connecting to irc.freenode.net [127.0.0.1] port 6667
11:35 -!- Irssi: Connection to irc.freenode.net established
11:35 !gibson.freenode.net *** Looking up your hostname...
11:35 !gibson.freenode.net *** Checking Ident
11:35 !gibson.freenode.net *** Found your hostname
11:35 !gibson.freenode.net *** No Ident response
11:35 -!- You have not registered
11:35 -!- Welcome to the freenode Internet Relay Chat Network user
11:35 -!- Your host is gibson.freenode.net[213.179.58.83/6667], running version ircd-seven-1.0.0
11:35 -!- This server was created Sat Jan 30 2010 at 01:13:47 CET
11:35 -!- Highest connection count: 6923 (6922 clients) (3140303 connections received)
11:35 -!- - gibson.freenode.net Message of the Day -
11:35 -!- - Welcome to gibson.freenode.net in Norway, EU! Thanks to
11:35 -!- - SSC Networks (www.ssc.no) for sponsoring this server!

Yahoo!

Conclusion
In the fashion of port forwarding, SSH works its magic to create a listener on the local machine, forward the packets destined for it through an SSH tunnel to my home server and onto somewhere else. In my case, I use my machine at home to forward my IRC requests onto irc.freenode.net. Very cool! Don't forget this same port forwarding feature of SSH can be applied to other TCP applications, such as VNC running on that same remote machine:
ssh -p 443 -L 1234:localhost:5900 user@homemachine

Have a good one,
TAG


Monday, August 02, 2010

drobo fs install, review

If all computer technology was like the Drobo, there would be fewer people complaining that their tech is difficult to use or doesn't work. I've had my Drobo FS for three days, but man, I love the thing. It is such a pleasure to not have to worry about RAID arcana just to have your systems safely backed up.

Got It!
I bought the Drobo FS from Amazon (about $694 with free shipping) and set it up between yesterday and today. I installed the Drobo Dashboard, the utility program for the Drobo, on my MacBook Pro, rebooted the Mac, popped a combination of five 250GB and 500GB drives in, hooked up the power and the ethernet cables and fired it up. Drobo Dashboard saw the unit as it sat attached to my router.

The Basics
Dashboard asked me if I wanted to upgrade the firmware..so I did. There was a small hiccup with Dashboard not seeing the Drobo after doing the firmware, so I had to hard power it down. But second time around, the firmware update worked. Dashboard then asked me if I wanted to upgrade the Dashboard software, which I did. I restarted the Mac. I then went into Advanced Settings -> Tools and configured email alerts to send me an email if Drobo becomes too full or has problems.

Create Shares
Back in Dashboard, I created a couple of shares, one as backup for my main Linux video editing workstation and the other for my MacBook and TimeMachine. I set up my MacBook to use 500GB of storage as a TimeMachine backup. The TimeMachine hook up worked like a charm and started backing up.

Stress Test Drobo!
I decided to test it hard out of the box and ran that TimeMachine backup from the mac (connected wirelessly) coincident with a big copy from my Linux video editing box. On my Linux box, I mounted the Drobo via SMB/CIFS and copied over my 460GB archive. The backup of the Linux archive took about 3.5 hours at about 25MiB/s over wired ethernet. Not bad for over gigE and with contention from the Time Machine backup.

The next morning, I got tired of waiting for the wireless TM backup of 130GB to finish, so I stopped the TM backup and then hooked up the Mac to a hard wired ethernet connection. Still took about five hours to copy over the remaining 80GB.

Update
I recently created a 760GB archive of my video workstation using fsarchiver. Copying the one file from my workstation to the Drobo took about 10 hours (8pm to 6am). That was with contention from a 40GB Time Machine backup that was running at the same time.
***end update***

Drobo Apps
Today I installed a few Drobo Apps (apache/droboutils/dropbear). DroboUtils is an easier way to manage Drobo Apps and as a prerequisite, it requires Apache to be installed. I used Apache for another function, setup of my personal website. I haven't cut over to using the apache web server as my main webserver yet because I need to tweak the apache config to hide some of the directory structures.

There is no telnet client for DroboApps, but DropBear is the SSH server for the Drobo. After installing, it was pretty cool to be able to logon to the device.

syslog entries
Sep 13 17:40:23 MAC sudo[57338]: root : TTY=unknown ; PWD=/ ; USER=newuser ; COMMAND=/sbin/mount_afp afp://user:pass@192.168.1.87/DroboApps /Volumes/DroboFS/0db102670141/1/DroboApps
Sep 13 17:40:24 MAC kernel[0]: AFP_VFS afpfs_mount: /Volumes/DroboFS/0db112312341/1/DroboApps, pid 57338
Sep 13 17:44:09 MAC /System/Library/CoreServices/backupd[57359]: Backup requested by user
Sep 13 17:44:09 MAC /System/Library/CoreServices/backupd[57359]: Starting standard backup
Sep 13 17:44:24 MAC kernel[0]: AFP_VFS afpfs_mount: /Volumes/MacTimeMachine, pid 57360
Sep 13 17:44:24 MAC /System/Library/CoreServices/backupd[57359]: Mounted network destination using URL: afp://user@Drobo.local/MacTimeMachine
Sep 13 17:44:24 MAC /System/Library/CoreServices/backupd[57359]: Backup destination mounted at path: /Volumes/MacTimeMachine
Sep 13 17:44:30 MAC /System/Library/CoreServices/backupd[57359]: Disk image /Volumes/MacTimeMachine/MAC_0017f2ca5f8b.sparsebundle mounted at: /Volumes/Backup of MAC
Sep 13 17:44:30 MAC /System/Library/CoreServices/backupd[57359]: Backing up to: /Volumes/Backup of MAC/Backups.backupdb

Summary
All-in-all, the process was super smooth and the device is everything I hoped for. With the ability to expand drive space at will, I shouldn't outgrow the FS very soon. I'm also looking forward to using more Drobo Apps and letting that be my server, instead of my XP VM on my Mac!

Long live Drobo!

Some Pics of the Process
drobo formatting my stack of drives


updating the firmware on the drobo


drobo temporarily loses its mind during firmware update


don't touch drobo while firmware is being updated!


drobo starting up after successful firmware update


drobo successfully updates its firmware


drobo dashboard download for update


time machine backup using drobo!


25MiBps (Mebibytes per second) network copy speed (with two backups to Drobo running..Time Machine and a backup of a 438GB archive)


Update 2010/08/14
Drobo shell commands

Found some good links on cross-compiling packages for the Drobo:

Ethtool specific links

Drobo Forums
Feel free to drop me a line or ask me a question.