Saturday, 19 March 2011

Thecus n5200 / Pro with 5 x 2TB hard drives, 4k sector size

I have an n5200 and an n5200 Pro NAS box.

According to Thecus only a limited set of HDDs is supported, at most 1.5TB - this could possibly be due to the 4k sector size....

Sadly, some HDDs use 4k physical sectors - and these are usually the newer 2TB drives. Older drives are aligned to 512-byte sectors. If a 512-byte write lands across two physical 4KB blocks, the drive has to read both affected 4KB blocks, apply the modification, and write them back (a read-modify-write cycle).

Windows Vista and Windows 7 are sector-aware, meaning they automatically align 512-byte logical sectors with the drive's physical sectors by starting the first partition at LBA 2048. XP doesn't do this and starts the first partition at LBA 63, so every following sector is misaligned, causing a noticeable performance impact.

There is a more detailed article here: Linux on 4KB-sector disks

So basically, under Linux, issue this:
fdisk -H 224 -S 56 /dev/sda

What a pain this issue is.... but if you don't align the sectors, you could be getting 10-15MB/s instead of 35-45MB/s.
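As an added example (not from the original post), the arithmetic behind that fdisk invocation as a small POSIX shell script: it checks partition start LBAs for 4KB alignment and shows why 224 heads x 56 sectors/track puts every partition fdisk creates on a 4KB boundary while the default 255 x 63 geometry does not. The fdisk -l style input lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: alignment arithmetic for
# 512-byte-logical / 4KB-physical drives. Old fdisk starts the first
# partition one track in and every later partition on a cylinder boundary,
# so alignment depends on the sectors-per-track and heads*sectors values.
LOGICAL_PER_PHYSICAL=8   # 4096 / 512: a 4KB boundary falls on every 8th LBA

# Exit 0 if start LBA $1 is on a 4KB physical-sector boundary, 1 otherwise.
is_aligned() {
  [ $(( $1 % LOGICAL_PER_PHYSICAL )) -eq 0 ]
}

# First LBA of cylinder $3 for a geometry of $1 heads and $2 sectors/track.
cylinder_start() {
  echo $(( $1 * $2 * $3 ))
}

# Read "<device> <start_lba>" lines (the Device and Start columns of
# fdisk -l) and print one line per misaligned partition.
report_misaligned() {
  while read -r dev start; do
    is_aligned "$start" || echo "$dev starts at LBA $start: misaligned"
  done
}

# Constructed sample: an XP-style partition (LBA 63) and a Vista/7-style
# partition (LBA 2048) on the same system.
printf '/dev/sda1 63\n/dev/sdb1 2048\n' | report_misaligned

# Default DOS geometry: 255*63 = 16065 is odd, so no cylinder boundary
# after the first can ever be 4KB aligned.
cylinder_start 255 63 1
# Geometry from the post: 224*56 = 12544 = 8*1568, and the first partition
# starts at LBA 56, so every partition fdisk creates lands on a 4KB boundary.
cylinder_start 224 56 1
```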

Ubuntu boot freezes at fsck from util-linux-ng 2.16 2.17-2

Well, if this happens to you - the machine freezes on bootup after (maybe) one or two successful fscks on a drive, then continues to boot up in the background (so networking works) while the screen stays unresponsive - then the reason could be that the device mappings have changed for the drives you mapped in fstab!

Yup, that sucks....
In my case /dev/sdc1 changed to /dev/sdb1.

This happened when I migrated a VM from one ESX host to another, and then back again.

Setting up a linux firewall with Ubuntu

The most important lines are:
# iptables-restore needs each table introduced by a *name line and closed by COMMIT
*filter
:INPUT DROP     [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT  [0:0]
COMMIT

# SECTION THAT DEALS WITH NAT/MASQ
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth2 -j MASQUERADE
COMMIT

It's that simple!
Of course, this is a pretty open config, and you'll need to beef up the security.
This assumes eth0 is your internal (LAN) interface and eth2 your external (WAN) interface.

The INPUT DROP line makes DROP the default policy for all traffic to the firewall. This is an important distinction between INPUT and FORWARD:
INPUT is traffic whose ultimate destination is the firewall itself (this includes traffic destined for another device, e.g. an Apache server behind the firewall). FORWARD is for traffic that passes through the firewall on its way to another host.
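As an added example (not from the original post), here is a parameterised version of that ruleset that closes the obvious holes while keeping the post's layout: FORWARD no longer accepts traffic from the WAN side unsolicited, and INPUT DROP is paired with loopback and ESTABLISHED,RELATED rules so the firewall's own connections still work. The interface names eth0/eth2 and the LAN subnet 192.168.1.0/24 are assumed values, and a small check confirms each table is closed with COMMIT before you load it.

```shell
#!/bin/sh
# Added example, not from the original post: a tightened version of the
# iptables-restore file above. It keeps the post's defaults (INPUT DROP,
# MASQUERADE out of the WAN interface) but fixes what a practitioner would
# fix first: FORWARD ACCEPT lets the WAN side reach the LAN, and INPUT DROP
# on its own also drops loopback and the replies to the firewall's own
# connections. Interface names and the LAN subnet are parameters; eth0,
# eth2 and 192.168.1.0/24 below are assumed values.
gen_ruleset() {
  lan_if=$1; wan_if=$2; lan_net=$3
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the firewall itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# management (SSH) from the LAN side only
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# LAN hosts may go out; from the WAN only replies come back in
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Structural check before loading with iptables-restore: every *table must
# be closed by a COMMIT and the INPUT policy must still be DROP. Exit 0 if so.
check_ruleset() {
  rules=$(cat)
  tables=$(printf '%s\n' "$rules" | grep -c '^\*' || true)
  commits=$(printf '%s\n' "$rules" | grep -c '^COMMIT$' || true)
  [ "$tables" -eq "$commits" ] && printf '%s\n' "$rules" | grep -q '^:INPUT DROP'
}

# Typical use: gen_ruleset eth0 eth2 192.168.1.0/24 > /etc/iptables.rules
gen_ruleset eth0 eth2 192.168.1.0/24 | check_ruleset && echo "ruleset OK"
```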

Also, if you do a lot of torrenting, you'll need to increase the maximum number of tracked connections in sysctl.conf:
net.ipv4.netfilter.ip_conntrack_max = 262144

Otherwise 10 or so torrents will totally max out your firewall's connection table, and you won't be able to make outgoing connections anymore!

I won't go further into it, but there are more articles out there on getting the best out of your firewall.

Port knocking

Port knocking is a very handy way of opening ports in your firewall, e.g. you want to run SSH on the standard port 22, but you don't want it open all the time.

So...
your basic iptables INPUT policy is DROP.
Sample iptables.rules file for use with iptables-restore < iptables.rules:
*filter
:INPUT DROP     [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT  [0:0]
COMMIT
To open the port, you send a specially sequenced set of TCP SYNs to certain ports; once the sequence has been seen, the SSH port is opened.

e.g. SYN to ports 1000, 2000, 3000 and 4000 in that order and your system will open port 22. The knockd configuration for this is:

[options]
        logfile = /var/log/knockd.log

[openSSH]
        # the four SYNs must arrive in this order, within seq_timeout seconds
        sequence    = 1000,2000,3000,4000
        seq_timeout = 5
        command     = iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        tcpflags    = syn


Similarly, you can use another sequence to close port 22.
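To show what knockd is actually matching, here is an added example (not from the original post) that re-implements its rule in POSIX shell and awk and runs it over constructed firewall log lines: a source only counts as a valid knock if it hits the ports in order, with nothing in between, within seq_timeout seconds of the first knock. The log line format "<epoch> <src_ip> <dst_port>" is an assumption made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal re-implementation of
# knockd's sequence matching, applied to constructed log lines, so you can
# see what a valid knock looks like from the defender's side. Assumed log
# format (constructed for this example): "<epoch> <src_ip> <dst_port>".
KNOCK_SEQ="1000,2000,3000,4000"   # same sequence as the [openSSH] stanza
SEQ_TIMEOUT=5                     # seconds, same as seq_timeout above

# Constructed sample: 10.0.0.5 knocks correctly, 10.0.0.9 knocks too slowly,
# 10.0.0.7 hits the ports out of order (a port scan would look like this).
sample_log() {
cat <<'EOF'
1300000000 10.0.0.5 1000
1300000001 10.0.0.9 1000
1300000001 10.0.0.5 2000
1300000002 10.0.0.7 2000
1300000002 10.0.0.5 3000
1300000003 10.0.0.7 1000
1300000003 10.0.0.5 4000
1300000009 10.0.0.9 2000
1300000010 10.0.0.9 3000
1300000011 10.0.0.9 4000
EOF
}

# Print the source IPs that complete the sequence, in order, within the
# timeout. Any wrong port resets that source's progress, as knockd does.
detect_knocks() {
  awk -v seq="$KNOCK_SEQ" -v timeout="$SEQ_TIMEOUT" '
    BEGIN { n = split(seq, want, ",") }
    {
      ts = $1; src = $2; port = $3
      # too slow since the first knock: start over
      if (stage[src] > 0 && ts - first[src] > timeout) stage[src] = 0
      if (port == want[stage[src] + 1]) {
        if (stage[src] == 0) first[src] = ts
        stage[src]++
        if (stage[src] == n) { print src; stage[src] = 0 }
      } else {
        stage[src] = 0
      }
    }'
}

sample_log | detect_knocks   # prints 10.0.0.5
```

Note that the command in the stanza above accepts port 22 from any source once triggered; knockd substitutes the knocking host's address for %IP% in command, so adding -s %IP% to the iptables rule limits the opened port to that host.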

Squid proxying for BBC iplayer and such...

Well, this started because my friends were moving back to their respective home countries.... they wanted to be able to stream BBC iPlayer. This also enabled them to view BBC streams from Japan during the ongoing disaster...
First install squid (Linux/Windows). On Linux get the RPM or apt-get it; on Windows get the native port from http://squid.acmeconsulting.it/index.html

Ok... well, on to the config!

The version used here is squid 2.7; compile it from source or install the package.

Despite what all the documentation on the net says - some of it is just plain god-damn wrong!

The important parts of the squid config are:
auth_param basic program /usr/lib/squid/ncsa_auth /etc/squid/squid_users
auth_param basic children 5
auth_param basic realm Phil's streaming proxy
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off

acl auth_users proxy_auth REQUIRED
acl all src all
acl all_others dst 0.0.0.0/0.0.0.0
acl safe_sites dstdomain "/etc/squid/allowed_sites"
# Only allow cachemgr access from localhost
acl filetypes urlpath_regex -i "/etc/squid/denied_files"
http_access allow purge localhost
http_access allow safe_sites
http_access deny purge

http_access deny to_localhost
http_access deny all_others
cache_dir null /tmp
cache_deny all


with /etc/squid/allowed_sites containing (a leading dot matches the domain and all of its subdomains):
.bbc.co.uk
.bbcimg.co.uk
.edgefcs.net
.llnwd.net
.markiza.sk
.itv.co.uk
.itv.com
.national-lottery.co.uk
.securesuite.co.uk

and the squid_users file full of htpasswd entries, e.g.:
phil:xxxxxxx
bob:xxxxxx


with /etc/squid/denied_files in regex format:
\.(mp4)$