Sep 05

pfSense: The Definitive Guide

I haven’t been posting much lately, as per usual, and also as per usual I keep thinking I’ll get around to posting more. Well, this little tidbit does deserve a new post:

These past few months I’ve been working with the great folks behind pfSense, an awesome FreeBSD-based firewall system that has really impressed me at every turn. We’ve been using it quite a bit at work over the past year, so I’ve been contributing back in the form of documentation, code, testing, and other help wherever I can.

Along the way I started working with one of the project’s co-founders, Chris Buechler, on a book for the project.  It’s now available from several retailers, and more will be coming soon.

So if you are interested in pfSense, FreeBSD, firewalls, or other related concepts, you’re bound to find something useful in our book:

pfSense: The Definitive Guide to the pfSense Open Source Firewall and Router Distribution
by Christopher M. Buechler and Jim Pingle

It’s being published by Reed Media Services, and is now available from Amazon and Barnes & Noble.

Feb 26

More PHP Woes: PHP 5.2.8 and libxml 2.7.x

EDIT: PHP 5.2.9 is out for FreeBSD, so this may be fixed.

There seems to be a bug in the way PHP’s xml library handles data when compiled against libxml 2.7.x. Supposedly, this will be fixed in the next release of PHP, but for now you have to back down to libxml 2.6.x, or compile against expat instead of libxml.

I first noticed this with a Joomla installation; a component was erroring out, saying “Fatal error: Call to a member function getTagName() on a non-object” (Z Weather, for those interested in knowing). Investigating this led me to this bug entry for PHP. I then found another server of mine with problems; this one was using XMLRPC and was getting back responses stripped of the < and > characters, rendering the returned HTML code quite broken.

For those of you on FreeBSD who have no idea how to downgrade to the earlier version, it’s actually pretty simple, it can be done like so:

# cd /usr/ports/ports-mgmt/portdowngrade/
# make DEFAULT_CVS_SERVER="" install clean
# portdowngrade libxml2

When presented with the choice, choose textproc/libxml2 (Probably option #2).
It will then start listing all prior versions of the libxml2 port. When you see version 2.6.32, press enter. Use the most recent copy of 2.6.32; for me it was timestamped 2008/11/19 19:23:07.
Press the number (probably 3) at the start of the line for the version you want, and let portdowngrade do its thing. As suggested by the output of portdowngrade, finish up like so:

# portsdb -Uu
# portupgrade -f libxml2
# /usr/local/etc/rc.d/apache22 restart

Be aware that the portsdb -Uu run can take a while on older systems. Also, you may substitute that last line with whatever command you typically use to restart apache (shutdown and start again, not a graceful restart).

Danger Will Robinson!: Note that if you update your ports tree it will bring libxml2 back to the most recent version, be careful not to upgrade it again until after the next release of PHP!

Feb 24

Fix for Belt-Driven CD-ROM/DVD Drives that won’t open

Lately I’ve had a rash of optical drives (DVD-RW/CD-ROM/CD-RW) that refuse to open without a little nudge from a paper clip via the manual eject mechanism. I’d press the button and hear a soft “thunk” but the drive tray barely budged. All of the drives that have this issue have been belt-driven. The old gear-driven trays were louder, but they worked much more reliably.

After cleaning the drive, trying to replace the belt without success, and even trying to replace a drive motor, I stumbled upon an answer so simple I didn’t believe it would work: Wash the belt in soap and water! For good measure, I also used a Q-Tip with rubbing alcohol on it to clean the pulleys. This has saved several drives from the trash heap, and likely many more in the future.

If you have the right tools, you can even unloop the belt, wash it off, and replace it without removing the drive case. Just be careful, and make sure the power is off before you attempt to work inside the drive.

I hope this saves others a bit of sanity.

Oct 28

Pride of Paoli Pictures

By their request, my wife Destany and I have been taking pictures of her former high school marching band, The Pride of Paoli (From Paoli Jr-Sr High School in Paoli, Indiana) this year. We’ve posted the pictures at

So far we have pictures up from the Salem Invitational, Regional at Jeffersonville, and Semi-State at Franklin.

For more information, or to view the pictures, visit the site above.

Oct 26

Long time…

I’m well aware that it’s been more than a year since my last post. There has been plenty to write about, but nothing I’ve really taken the time to post for public consumption.

Hopefully some more stuff will show up in the not-too-distant future.

Sep 22

PHP Crashes Caused By Extension Ordering: A Workaround

As I posted about nearly a year ago, I was (and still am) seeing Apache crashes caused by PHP extension ordering issues. So far, there has been no official or even unofficial workaround for the problem. I wrote a small shell script (/bin/sh for better portability) that will reorder the extensions in php.ini into the order that seems to cause the least problems for me.

Suggestions and improvements are more than welcome. I submitted this script to the PHP port maintainer for FreeBSD but have not yet heard back, which could be due to the hackishness of my script…

Anyhow, I’m pleased to announce that It Works For Me(TM) and you’re welcome to try it:

You may have to edit the file to correct pathnames and such, but if you build PHP from FreeBSD’s ports system, it should work. It’s especially nice when used with portupgrade like so:

portupgrade -A /root/bin/ php5-\*

That will cause portupgrade to execute that script after each module is rebuilt. This will help if you have any cron or CLI PHP scripts that would reload modules while the upgrade is happening. I tried this method on several servers and it worked well. The only problem was a server running Cacti that polls every 5 minutes. I had two crashes while the upgrade was going on, but that is far better than the dozens it was getting when doing this by hand.

Update 11/21/07: I updated the script to also put at the end of the file. It needs to be loaded after or PHP may crash Apache when a process terminates — either with a full shutdown or when an extra forked process is killed.

Update 6/25/08: Script updated to ensure comes before, which caused problems with PHP when used at the command line (CLI). Reported by Octaviao Ionescu.

Update 2/22/09: I updated the script again. I found that now must come after, or it complains about missing symbols. I also moved xml to the end hoping to fix another issue, but it did not help. It didn’t hurt, either, so I left the change in. Let me know if there are problems.

Update 1/21/10: Another script update. Had more crashes until I moved pdo/pdo_sqlite/pdo_mysql around a bit.
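The reordering idea behind the script, as an added illustration that is not the original script: a /bin/sh function that rewrites the extension= lines of an extensions.ini so that a given load order is enforced. The order lists (spl before pspell, pdo before its drivers, xml last) and the sample file are constructed for the example, not taken from the script described above.

```sh
#!/bin/sh
# Constructed example: enforce a load order on the extension= lines of a PHP
# extensions.ini. The order below is an assumption for illustration (spl before
# pspell, pdo before its drivers, xml last), not the original script's order.
HEAD_ORDER="spl pdo pdo_sqlite pdo_mysql pspell"   # loaded first, in this order
TAIL_ORDER="xml"                                    # loaded last

# reorder_extensions FILE HEAD TAIL: print FILE with non-extension lines first
# (unchanged, original order), then extension= lines sorted by rank. Listed
# modules take their list position; unlisted ones keep their relative order
# between the head and tail groups.
reorder_extensions() {
    awk -v head="$2" -v tail="$3" '
    BEGIN {
        nh = split(head, h, " "); for (i = 1; i <= nh; i++) rank[h[i]] = i
        nt = split(tail, t, " "); for (i = 1; i <= nt; i++) rank[t[i]] = 1000 + i
    }
    /^[ \t]*extension[ \t]*=/ {
        name = $0
        sub(/^[ \t]*extension[ \t]*=[ \t]*/, "", name)  # drop "extension="
        sub(/[ \t]*$/, "", name)                          # trailing blanks
        sub(/^.*\//, "", name)                            # leading path
        sub(/\.so$/, "", name)                            # ".so" suffix
        r = (name in rank) ? rank[name] : 500
        # zero-padded sort key: rank, then line number for a stable order
        ext[++n] = sprintf("%04d %06d %s", r, NR, $0)
        next
    }
    { print }
    END {
        for (i = 2; i <= n; i++) {                 # insertion sort (n is small)
            v = ext[i]; j = i - 1
            while (j > 0 && ext[j] > v) { ext[j+1] = ext[j]; j-- }
            ext[j+1] = v
        }
        for (i = 1; i <= n; i++) { l = ext[i]; sub(/^[0-9]+ [0-9]+ /, "", l); print l }
    }' "$1"
}

# demo: run the reorder over a constructed, deliberately scrambled extensions.ini
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '; constructed sample extensions.ini' 'extension=pspell.so' \
        'extension=xml.so' 'extension=pdo_mysql.so' 'extension=spl.so' \
        'extension=pdo.so' 'extension=gd.so' 'extension=mbstring.so' > "$tmp"
    reorder_extensions "$tmp" "$HEAD_ORDER" "$TAIL_ORDER"
    rm -f "$tmp"
}

demo
```

To apply it to a real file, redirect the function's output to a new file and move it over extensions.ini only after checking it, since a bad rewrite takes every PHP process down with it.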

Jul 28

Comment/Trackback Spam

Lately this site has been overrun with comment and trackback spam, not that it shows because I moderate everything. Still, my inbox has been full of junk because of it. I enabled a CAPTCHA image on comment posts. I hope this isn’t much of an inconvenience, but it was either this or disable comments completely. I also disabled trackbacks site-wide. I never used trackbacks anyhow, so it’s no big loss.

I don’t receive many comments, but when I do they are usually meaningful or informative in some way, so I did not want to drop them.

Now, if I can just find the time to post more often…

May 13

PHP Crashes Caused By Extensions II

As I wrote about previously, I have had problems with Apache and PHP crashing due to various PHP Extensions. I have come upon another combination that triggers a problem, but after investigating it a little I see that it’s been reported before, and nobody wants to fix it. PHP blames PHP accelerator systems, and Zend claims it’s a shared memory configuration problem (it isn’t — at least on my system).

The error happens whenever attempting a graceful restart of Apache via “apachectl graceful”:

  • [notice] seg fault or similar nasty error detected in the parent process

The environment:

  • Apache 2.2.4
  • PHP 5.2.1
  • Zend Optimizer 3.2.8

The culprit:

  • Some interaction between the Zend Optimizer being loaded along with the PHP pspell module.

If I disable one or the other, the crash goes away. Since this particular installation does not require the pspell module, I disabled it and things have been stable ever since.

I did follow Zend’s recommendations for increasing certain shared memory tunables on FreeBSD, as well as trying to recompile everything involved. For more information on shared memory tuning check the FreeBSD man page tuning(7) as well as this Zend Knowledge Base article. Note that certain sysctl settings may only be modified at boot time via /boot/loader.conf and/or /etc/sysctl.conf.

More information to come if I can find anything else…

Update 11/21/2007 – I found that in more recent versions of PHP (around 5.2.4-5.2.5) having loaded before in extensions.ini will result in crashes when an httpd process is stopped/killed. Moving pspell anywhere after spl will clear this up (so far…).

Mar 01

IPSec VPN Between PIX and SonicWall

This post is mainly so there is a record of these error messages and what they might indicate. It’s also to help out others so they don’t shoot themselves in the foot as I did. I found no matching pages on Google when I tried to search for the errors I was seeing; now there should be at least one.

I was following along with this nice Cisco document that does a good job of explaining how to get a PIX and a SonicWall to talk IPSec back and forth. I’ll leave out the details of how I configured both sides as that document gets into more detail than most people need, and I’d rather not repeat things unnecessarily. Even though the SonicWall I was using was considerably older, the settings were similar. I did stray from the document in one way: I used 3DES/SHA. Due to the age of the SonicWall it did not support the newer/stronger methods.

When it was all said and done, the VPN appeared to work for a bit but then stopped, and I was getting errors on both sides. On the PIX side I saw (from “debug crypto isakmp”):

ISAKMP (0): retransmitting phase 2 (0/0)… mess_id 0x1eefa9e
ISAKMP: error, msg not encrypted

In the SonicWall log, I saw:

IKE Responder: IPSec proposal not acceptable

It turns out that I had made a typo in the subnet mask for the LAN side of the SonicWall when I entered it into an ACL on the PIX side. Gun, meet foot. Foot, meet gun. I noticed that on the PIX there were two SAs being created (“show crypto ipsec sa”), one for the proper subnet mask, as given by the SonicWall side, and one for the improper subnet mask as desired by the PIX. After I fixed the ACL and re-entered each of the lines that contained a reference to it, everything was copasetic.