The Boston Diaries

The ongoing saga of a programmer who doesn't live in Boston, nor does he even like Boston, but yet named his weblog/journal “The Boston Diaries.”

Go figure.

Tuesday, June 24, 2008

Dodging black ICE to do a job …

Yet another data point for the NAT is eeeeeeeevil meme

Smirk called up and asked if I could set up Cacti for one of our customers. They were having an issue with their local network (broadcast storms) and with Cacti monitoring the network, it would be easy to see the problem box. We already manage their firewall, which is a Linux system using iptables, so it can be easily installed there.

Only in the process of setting up Cacti (not difficult, just tedious, as there are several pieces of software that have to be compiled and installed manually) I realized that the firewall wasn't handling the NAT for the customer's network—that was another device behind the firewall. And that means Cacti, running on the firewall, had no way of contacting an individual system on the private network.

Sure, there's port forwarding, but that's one port per box that needs to be configured on the NAT device, and while possible, there's usually a limit to the number of port forwards allowed by such a device.

“Sorry, no can do,” I told Smirk.

About an hour later, he calls back. “They have a Linux server on their network. You can install Cacti there,” he said. “They're port forwarding ssh to their Linux system.”

Okay, so to get to the internal Linux system of our customer, I first have to ssh to my virtual workstation at The Data Center (since The Office no longer exists—we all telecommute), then ssh to their firewall (since the firewall only allows connections from known hosts), then ssh to the NAT system, which forwards the traffic to their Linux system.

Okay.

So I'm in the process of installing Cacti on this system when I realize that to finish up the install, I have to access a webpage on said Linux server.

Which I can't do, because port 80 isn't being forwarded to said Linux server.

Sigh.

I bring this up to The Weekly Meeting, and the solution is to use ssh to build a rather crazy SOCKS tunnel between my workstation and the Linux server on the customer site, using several intermediary systems to bounce the packets around.

Seriously.

I'm trying to configure a software package, not hack into NORAD or steal confidential corporate material. But, because of NATing, I have to employ some pretty heavy networking to do what should be a simple job.
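As an added example (not tooling from the original post), here is the hop chain above expressed as an ssh_config fragment so that the SOCKS tunnel becomes a single command; every host name, user and address is a made-up placeholder, and ProxyJump assumes OpenSSH 7.3 or later.

```shell
#!/bin/sh
# Added example, not the post's own setup. Hosts, users and addresses are
# placeholders for the hops the post describes:
#   workstation -> customer firewall -> NAT box (forwards 22 to the Linux server)

# Each hop names the previous one as its ProxyJump, so "ssh cust-linux"
# walks the whole chain. Older clients (before OpenSSH 7.3) use
#   ProxyCommand ssh -W %h:%p <previous-hop>
write_ssh_chain_config() {
    cat > "$1" <<'EOF'
Host workstation
    HostName workstation.datacenter.example
    User me

# The firewall only accepts connections from known hosts, so go via workstation.
Host cust-firewall
    HostName fw.customer.example
    User admin
    ProxyJump workstation

# The NAT device forwards port 22 to the Linux server, so connecting to the
# NAT's address from the firewall lands on the Linux box itself.
Host cust-linux
    HostName 192.0.2.1
    User admin
    ProxyJump cust-firewall
EOF
}

# SOCKS proxy on the workstation's loopback; connections exit from the Linux
# server, so a browser using socks5://127.0.0.1:1080 can load http://127.0.0.1/
# (the server's own web UI) through the chain. Binding to 127.0.0.1 rather than
# 0.0.0.0 keeps other machines on the local LAN from riding the tunnel into
# the customer's network.
tunnel_command() {
    printf '%s' "ssh -N -D 127.0.0.1:1080 cust-linux"
}

# When only one port is needed, a local forward is narrower than a SOCKS proxy:
# http://127.0.0.1:8080/ on the workstation reaches port 80 on the Linux server.
single_port_command() {
    printf '%s' "ssh -N -L 127.0.0.1:8080:127.0.0.1:80 cust-linux"
}

# Write the config to its own file and start the tunnel (-F is passed down
# to the ProxyJump hops by ssh itself).
start_tunnel() {
    write_ssh_chain_config "$HOME/.ssh/cacti-chain"
    ssh -F "$HOME/.ssh/cacti-chain" -N -D 127.0.0.1:1080 cust-linux
}
```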


Interview with a Fed

In April, Kip Hawley, the head of the Transportation Security Administration (TSA), invited me to Washington for a meeting. Despite some serious trepidation, I accepted. And it was a good meeting. Most of it was off the record, but he asked me how the TSA could overcome its negative image. I told him to be more transparent, and stop ducking the hard questions. He said that he wanted to do that. He did enjoy writing a guest blog post for Aviation Daily, but having a blog himself didn't work within the bureaucracy. What else could he do?

This interview, conducted in May and June via e-mail, was one of my suggestions.

Interview with Kip Hawley

Being a former Fed herself, Bunny often takes me to task for some of my more outrageous “anti-government” stances, and the difficulty faced by Federal law enforcement in protecting our country.

But … it's the TSA: security theater at its finest! A target even easier than shooting fish in a barrel.

And to his credit, Kip Hawley even mentions as much in this interview, which I think is well worth reading.

(I had thought of titling this entry “Interview with a Vampire” but thought that might be a bit too much. I would have done “Interview with a Vampire Fed” but adding HTML to the title would render my RSS feed invalid. I only mention this because I really liked the idea.)


Obligatory AI Disclaimer

No AI was used in the making of this site, unless otherwise noted.


Copyright © 1999-2024 by Sean Conner. All Rights Reserved.