Internet

Web site timeouts with PFSense firewall and Qwest DSL modem

by on Oct.25, 2011, under FreeBSD, Internet, Networking, Security

Qwest / Centurylink DSL Web site timeouts, hangups, or failures while running a firewall or router with static IP addresses.

Recently I set up the Qwest DSL service in my home. It worked great, but after a couple of days I started to get hangups and timeouts while browsing the web. Speed tests still showed the correct speeds and rebooting all my hardware didn’t solve the issue.

I run PFSense as my internet firewall. (Check it out: http://pfsense.org) I love PFSense; it gives me very fine-grained control over just about everything, even simple traffic speed limiters for certain parts of my LAN. (Like my kids’ systems, I don’t want them eating my bandwidth with Youtube!) In the past, I’ve had some issues with my client networks and firewalls while using Qwest DSL and PFSense. I found almost ZERO help on Google searches, which I find surprising, because I can’t be the only one with this setup. But, to get to the point, you need to set up the Qwest modem advanced options to use Dynamic Routing. I use version 2.

If I plug in and connect directly, I do not get the connectivity issues, so I knew something with the PFSense was, to put it mildly, not being cooperative. Setting to Dynamic Routing fixed this issue on 3 client networks AND on my recent install at home.

Note, too, that all these networks have static IPs or static blocks. I tried setting it to use transparent bridging, which didn’t help. But one time I set up PPPoE directly on PFSense, and that did help. In the end, the only way I could reliably run PFSense on Qwest DSL was to disable NAT on the modem, set up Dynamic Routing, and purchase static IP address(es). Keep in mind, you need to use the “Static IP” setup from Qwest and NOT run transparent bridging, like I assumed. Read their docs; there’s a special setup for this in the Quick Setup section of their modem firmware.

Also, I had this issue on most of the later model modems and firmware, but NOT on the oldest Actiontec modems running old firmware (like the 701s). But on the newer Qwest firmware (with the blue background and preschool-style coloring :) I had to enable Dynamic Routing. Also, I have the newer Zyxel Q1000Z modem now, same issue.

I have no understanding of why this happens. It doesn’t make any sense to me. Although, just to throw an idea out there, maybe it has to do with the way the modems manage hops from the external destinations. From what I read, dynamic routing has something to do with maintaining the hops between routers online. Maybe, since using the modem with static IPs basically sets it into bridging mode, it incorrectly maintains that hop information, or at the very least it doesn’t identify itself correctly. So what may happen is some routers out there get flaky and don’t respond well with your bridged modem by the time they communicate with your firewall. Some do fine though, which would explain why some sites fail and some don’t. I don’t believe PFSense is doing any dynamic routing protocol work, at all. It’s just firewalling my LAN, right? So all I can assume is, since the Qwest modem is in between me and the rest of the internet, IT has something to do with that communication breakdown using the dynamic routing. Of course, I really don’t know what I am talking about and am making complete assumptions! But hey, it’s just an idea. Maybe someone who knows more than I do can shed some light on it. :)


Remove MyWebSearch from my default search in Firefox

by on Mar.31, 2011, under Antivirus, Internet, Windows 7

Somehow my wife got MyWebSearch loaded on my Windows 7 computer, which cleaned off fine, except for Firefox web searching! Every time I used the Awesome Bar to search, MyWebSearch showed the results.

Easy fix…  go to “about:config” in Firefox by typing it in the URL bar.  In the Filter box, type “myweb”.  In my system, it showed 4 items with “mywebsearch” in the name.  All I did was right-click each one and select “Reset” to clear them.  Restart Firefox and BAM!  Solved!  No more MyWebSearch and now I get the normal Google results!


Unable to download Gmail from multiple POP3 clients using Outlook 2010

by on Mar.31, 2011, under Internet, Microsoft Office

I ran into an issue with Outlook 2010 and Gmail POP3 access today. One of my clients had two computers he wanted his Gmail on; they both use POP3 to get the email. The problem he had was that only one computer would download the email, even with the setting to “leave messages on the server”. Normally, this would work fine, but for some reason, it isn’t with Gmail.

I Googled and found this site, SOLVED!
http://misternifty.com/internet/email-internet/gmail-pop-from-multiple-clients/

Awesome!! That’s all I had to say! And thanks!

The solution was simply to prepend “recent:” to your username in Outlook. So if your Gmail username was this: someuser@gmail.com
You would put this in the account/username box:
recent:someuser@gmail.com

Nice trick! Worked like a charm!

A word of warning though. Once we set this on both computers, Outlook proceeded to re-download ALL the inbox messages again. A little annoying, but the client didn’t care since he could now receive email in two places!


Nmap network discovery port scan

by on Mar.10, 2011, under Internet, Linux, Security

If you are like me, you don’t have time to run nmap scans and do other network maintenance. nmap is one of those really fun and useful tools that are easy to use, but since I rarely use it, I never remember the options. Today was one of those situations where I needed to hunt down a host on my client’s network remotely running certain software. It wasn’t responding to any remote services (like RDP) or pings, so I didn’t even know if it was on the correct IP address. I thought it would be easy enough to do a quick network scan with nmap to discover the hosts running.

At a simple level, and on a small, class C network, I just ran this:

sudo nmap -PR 192.168.0.*

This allowed me to quickly see all the hosts that were up on the local subnet, and here’s an example showing the end of the output on the last host found:

Interesting ports on 192.168.0.210:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
427/tcp  open  svrloc
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1B:xx:xx:xx:xx (NEC AccessTechnica)
Nmap done: 256 IP addresses (20 hosts up) scanned in 42.07 seconds

That was super helpful.  The host I needed showed right up, at the correct IP address, with most of the ports I expected. (not the one shown above) Now I just need to remote into the system (if I can) and adjust things.  Nmap made it real easy on our Linux server.

There are some more useful commands, and as I need them, I’ll blog them. For today, this was all I needed.
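As an added example (not from the original post), here is a small Python parser for nmap’s default text output, fed with the scan result quoted above plus one constructed extra host, so the question the post was really asking (“which host on this subnet runs service X?”) can be answered from a saved scan instead of by reading the output by eye. It accepts both the older “Interesting ports on” and newer “Nmap scan report for” header lines; the host 192.168.0.15 and its ports are made up for the sample.

```python
import re

# Constructed sample of nmap's default text output: the printer host quoted in
# the post plus one extra (made-up) host so the filters have something to do.
SAMPLE_OUTPUT = """\
Interesting ports on 192.168.0.15:
Not shown: 997 closed ports
PORT     STATE SERVICE
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
3389/tcp open  ms-term-serv
MAC Address: 00:1C:xx:xx:xx:xx (Dell)

Interesting ports on 192.168.0.210:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
427/tcp  open  svrloc
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1B:xx:xx:xx:xx (NEC AccessTechnica)

Nmap done: 256 IP addresses (20 hosts up) scanned in 42.07 seconds
"""

# Header line: older nmap prints "Interesting ports on X:", newer prints
# "Nmap scan report for X" (no colon); both are accepted here.
HOST_RE = re.compile(r"^(?:Interesting ports on|Nmap scan report for) (.+?):?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: (\S+)(?: \((.*)\))?")
DONE_RE = re.compile(r"^Nmap done: (\d+) IP addresses? \((\d+) hosts? up\)")


def parse_nmap_output(text):
    """Return (hosts, summary). Each host is a dict with ip, mac, vendor, ports."""
    hosts, summary, current = [], {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"ip": m.group(1), "mac": None, "vendor": None, "ports": []}
            hosts.append(current)
            continue
        m = DONE_RE.match(line)
        if m:
            summary = {"scanned": int(m.group(1)), "up": int(m.group(2))}
            current = None
            continue
        if current is None:
            continue  # preamble or blank lines before the first host
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2),
                "state": m.group(3), "service": m.group(4),
            })
            continue
        m = MAC_RE.match(line)
        if m:
            current["mac"], current["vendor"] = m.group(1), m.group(2)
    return hosts, summary


def hosts_with_service(hosts, service, state="open"):
    """IPs of hosts where nmap labelled some port with the given service name."""
    return [h["ip"] for h in hosts
            if any(p["service"] == service and p["state"] == state
                   for p in h["ports"])]


def hosts_with_port(hosts, port, proto="tcp", state="open"):
    """IPs of hosts with the given port open (e.g. 139 for NetBIOS listeners)."""
    return [h["ip"] for h in hosts
            if any(p["port"] == port and p["proto"] == proto and p["state"] == state
                   for p in h["ports"])]


if __name__ == "__main__":
    found, info = parse_nmap_output(SAMPLE_OUTPUT)
    print(f"{info['up']} hosts up, {len(found)} with port details")
    print("jetdirect printers:", hosts_with_service(found, "jetdirect"))
    print("NetBIOS listeners:", hosts_with_port(found, 139))
```

For scripting, nmap’s own machine-readable formats (-oG grepable, -oX XML) are the more robust input; this parser only covers the plain text shown in the post.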


Netbook with Jolicloud vs Windows 7 vs Ubuntu Maverick vs Ubuntu Lucid

by on Mar.02, 2011, under Geek, Internet, Linux, Ubuntu, Windows 7

I tested Windows 7, Jolicloud, Ubuntu 10.10 Maverick, and Ubuntu 10.04 Lucid on my new Dell Inspiron Mini 10 (1012) Netbook. First let me say, Windows 7 on this netbook is barely usable. If you wait for the OS to finish booting, which takes at least 5 minutes before all the background processes finish loading, then it operates *Ok*. But to be honest, I didn’t want to run this thing with Windows from the start. Biggest reason… from initial power on, it takes 3 minutes and 13 seconds to boot, connect to Wifi, and have your home page open. WHAT! Are you kidding me? That’s just way too long for something that you want for some periodic web use. And remember, that’s Windows 7 without any Antivirus software loaded up (at least any that I saw from a fresh Dell install from factory). Once you load up some basic programs, Antivirus, Dropbox, backup software (I prefer Crashplan, but you could consider Dropbox just for essentials.), Office, just basic stuff for any Windows system, it’s going to slow down even further. I don’t expect much from this little, underpowered Atom-based, mini laptop, but it should be something reasonable to use. I think another post is coming for “My advice on buying a Netbook, for non-Geeks.”

So… I didn’t like the idea of Windows on my netbook. I am a Linux/Unix guy anyway, and I know there’s been some big improvements in the Linux Desktop area. I use Ubuntu 10.04 Lucid as my primary desktop and laptop OS anyway, and I love it. (I still have a secondary Windows 7 system though.) I wanted to give Ubuntu Netbook Remix 10.10 Maverick a try. I installed it, and immediately noticed something: I had no wireless. Man, still! For the last 1 to 2 years I’ve tried netbooks with Linux based OS’s and they always have issues with the wireless! And to make it worse, getting the wireless to work looked easy, but it didn’t work. The “restricted drivers” in Ubuntu didn’t want to load. I did get everything working, but Maverick has some major issues that drove me nuts.

The Maverick netbook version uses that nice looking and clever user interface called Unity. But I had a very hard time with it. For one, I couldn’t add my own launchers. Right-click menus didn’t work, and customizing it, if you even can, was very difficult. For two, it crashed constantly! For three, once I added the current Apt updates, the whole thing slowed so much I could barely operate it! Maverick was such a pain to use, I just formatted and loaded Lucid after wasting over a day of tweaks and adjustments.

I will say this, Ubuntu Maverick did boot quickly. Times below are from initial power button, which includes BIOS POST.
- In about 50 seconds I had a desktop.
- 1:13 I saw the Wifi connection established
- 1:27 the web was launched and home page loaded.
Not too bad, in my opinion.

However, continuing with Maverick was a NO-GO.  Next, I installed Ubuntu 10.04 Lucid. Install was easy, just like Maverick, but I didn’t see the crashing, it got all the updates and didn’t slow to a crawl, and most importantly, the Restricted Drivers for the Broadcom Wireless adapter loaded without an issue and connected right away.  NICE! Even better, the boot times were almost identical to Maverick! Including waiting 20 seconds for the Dell to POST, it was about a minute and a half and I was online surfing.

Of course, I’ve also heard recently that there’s this OS called Jolicloud. So I had to test that out too. I guess it’s Ubuntu 10.04 based, so it should be easy and familiar for me. And it was! Install didn’t work using their USB creator. I had to get a separate tool and do a manual USB disk creation of their ISO, but I am not complaining about that because you have to deal with this for all the Linux-USB-netbook installations. It just didn’t use their own USB creator as described on their website and required more steps, but still easy.

Jolicloud installed effortlessly on the netbook! I had pre-allocated about 30G of free space on the hard drive just for this. When install ran, it asked if it could install into the free space, I said Yes, and it was easy from there. You do have the option to resize and change the partitions if you want; I had done this previously with Ubuntu in my case. Install took the same amount of time as Ubuntu, and I think was about 20-30 minutes.

Initial boot asked for user credentials and to create an account with Jolicloud. You can even use Facebook login with it, but the base Linux still requires a user account. I think the developers don’t really intend it to be used by more than one person, just for ease of use. But I wanted my family accounts on there, so I created one for each, which is a little odd and buggy process. (it didn’t work right away, gave me an error, looked like it was crashing, but then did actually work with a disabled account.)

Best thing about Jolicloud was, THE WIRELESS JUST WORKED!  I love it!  Install was easy, system booted, and I clicked the icon to use my Wifi connection.  Nice!  Even better, I was online and adding their apps easily and everything just worked in that area.  For most people, this is all you need.  It installed and things get you online and functional with ease.  Next best thing… it boots with the same times as Ubuntu!  In about 1 minute 30 seconds, I am online and browsing, from the moment I pushed power.

Two things I don’t like about Jolicloud. 1. Suspend doesn’t seem to work, but that may not be the fault of Jolicloud, and rather a driver issue or Dell issue. Hibernate works great, so I set up the system to use that on lid close. (which takes about 17 seconds to power down). 2. They seem to want you to use their apps. I can understand that, but this is Linux, and I like to geek-out! I couldn’t find a way to make a launcher, anywhere, for specialized apps. In my particular case, I was using Netbeans, which installed fine, but there was no way to launch it, except to A) use command line, or B) browse to the folder and double-click the launch script. I have other apps that may be an issue with this. I don’t like it, and I don’t like being confined to their launcher interface. Although, their user interface is very nice and for most all other operations it works very well and I like it!

Also, I don’t think they recommend it, but I used “apt-get” easily with no configuration. Everything I wanted to load with apt worked without issue, so far. I installed Mercurial, Apache2 and PHP5 to run a testing web server. Yes, I know, why would you do that on a Netbook? Well, because my son and I are playing with Javascript and PHP, and the netbook is really handy for him to play with while I use my laptop next to him. It’s fun! Plus, with Jolicloud, using their built-in app install UI, they have about a Gazillion games and there’s lots to do on there for a kid.

So far, for me anyway, I am really liking Jolicloud. For most people, they’ll like it too, and it’s faster than Windows and you don’t need to deal with AV software. Not that you can’t get spyware or viruses, just that it’s not Windows, where you WILL get one without AV.

As for the Dell Mini 1012 netbook, I like it! It’s got a nice, high-res display at 1366×768, unlike most netbooks that have only 1024×600. Its battery is great too, and so far is lasting close to 5 hours. (probably average about 4 hours) And with hibernation and only periodic use, it goes a couple days till I need to charge. Charging is slow though! The keyboard is a little small for me, but usable.

This is not a post about comparison with an iPad, but I just have to say, even though I like this netbook and Jolicloud, it will only have limited use. Now that my family has had an iPad for about 9 months or so, they don’t really want to use the netbook. Main reason being… even with fairly quick boot time and ease of use, the iPad is WAY FASTER and easier to get online! There’s also a “cool” factor, but even my anti-technology wife insists on using the iPad. They all like it for that reason more than anything, that it powers on and you are online in literally a few seconds. Also, the battery needs charging about once a week for us on the iPad. I should also say, there’s no logins, weird moments where you need to “wait for that thing to show you are online”, or confusion about what to click and where to go. For the non-tech people, the iPad is hands down the best casual web device. My kids use it for super quick Facebook checks and updates, my wife handles her recipes and does quick web lookups, and all of it without any of my help, and all of it very fast and easy. A netbook, even with Windows, just doesn’t even compare.

If any of you readers have further questions regarding Jolicloud or Ubuntu Lucid or the Dell Mini, just comment and ask. I have the 250G drive loaded with all 3 in a triple boot setup, so I can probably check for specific issues if you like.

UPDATE 3/14/11 :

I added a new post on resource usage of each OS, if you are interested, with Screen shots.

Go here to check it out: http://www.1stbyte.com/2011/03/14/resource-usage-on-dell-inspiron-mini-1012-with-window-7-ubuntu-10-04-lucid-and-jolicloud/


My idea for an open alternative to Facebook

by on May.05, 2010, under Internet

I am always getting ideas, and this might be a cool one. I want a new Facebook. I want to make my own version of it. Only, not centrally controlled, and not a direct single-place-to-go site to be social.

Why? Because I foresee a downfall. And because Facebook, if it’s not already there, is becoming an evil giant that not only controls your personal data, it legally owns it. Leo Laporte actually removed his account from there because of their policies. (although, he may have recreated one.) And it’s also becoming a source of malware, or rather a “vector of attack” for malware. The general public will never care about the privacy issues, even though they say they do, but that’s the problem, I think. We need something better.

We need an open-source version of it. It needs to be distributed, and federated, like email, and not centrally owned/managed on one person’s servers. It also needs security by default. Also, everything needs to be opt-in by default. It needs to be simple.

I want to build this! Guess what, Google Wave has the beginnings of this. Problem is, Wave isn’t going anywhere, and it doesn’t have the federated services yet. If it did, Wave could potentially form into what I would want. (to some extent) Another thing, guess who else created some of the needed technology? P2P networks! All the file/mp3 networks out there already created, in part, the idea I’ve got. Only they did it for file sharing. I think some of those concepts, including the way email works, could be utilized for a “Facebook-like-net-web-app” that’s cross platform.

It would take these parts: (off the top of my head)
- A peering web service, that anyone can run on their own servers.
- A web service, that connects using the peering services, anyone can run and connect to the fbnet. (FB = First Byte, by the way!)
- A web app, where one can manage their profile. (that can be hosted by anyone on existing web servers)
- A client app, like for Winblows, Mac, Linux, Iphone, Droid, etc.

Technically it works distributed like email servers do, crossed with the way P2P servers work. Only, from a user’s perspective, it’s like email meets twitter and blogs, and personal web pages, complete with public profiles, walls, status messages, and comments like Facebook has.

Kewl idea, I think. But, just like all my other ones, it’s gonna take a lot of money!


Google Chrome slow and laggy

by on Feb.11, 2010, under Internet

Well, if you’re like me, you probably love Google Chrome browser.  And although the latest version of Firefox (3.6) is much improved in speed, it launches fast and browses quick, I still like Chrome better now that I am used to it.  Especially now that it’s got my two favorite extensions, Lastpass and mouse gestures.

Anyway, to the point. Using Chrome 4.x. (It did say Beta still? weird?) Chrome has been acting kind of laggy lately on my desktop system.  It opens quick, but then is slow to show any pages and on mouse clicks they pause for a second before any action.  First I thought, disable any extensions.  Ok, did that. Relaunched Chrome, same thing.  Alright, this time I’ll remove all the extensions.  Relaunch and same thing.

At this point I thought, is there some sort of weird proxy or dns thing going on here?  No, not DNS.  If it was, my laptop would be slow too, right?  We all use the same DNS.  And I even benchmarked it with DNS Benchmark at GRC.com. (search for that at that site to download, cool little tool!) 

Firefox and IE don’t exhibit the same issues. Hmm…  not sure about this one.  Ok, fairly quick test.  Uninstall Chrome, completely, including any saved/cached data.  Make sure I don’t have any profile data in c:\users\username\appdata\google\chrome folder.  If there is, delete that folder.  (keep in mind, you will be deleting EVERYTHING saved in chrome, FYI)  No big deal though, I have all my bookmarks synced on my Gmail account and I use Lastpass to store passwords and sites. 

Reboot the computer, find and download Chrome again, run the installer.  Get my two favorite extensions and I am in business!  Now Chrome is launching fast, like it normally does!  And mouse clicks are responsive again.

Just a note, it says my version is now: 4.0.249.89 (38071)
And it doesn’t say “beta” anymore.

Maybe that’s what the issue was, there was something not upgraded automagically by Google and there was still older beta code used somehow.  Whatever it was, problem solved.

By the way, this is one of my favorite reasons to use Firefox or Chrome over Internet Explorer. There are many others, but this is a big one, IMHO.  You can actually remove the browser and all the settings and cached data from your system.  You can’t with IE.  Even with the options to delete any saved data in IE, the program is still on your system, doing who-knows-what in there.  The only way I know of to really clear out any issues with IE is to create a new user profile on the system, login as that user and test if IE still has an issue. If it does not, your problem is in IE in your old user account.  That’s really a huge pain!  Much easier to remove the program and any associated data and reload it to clear out any bugs.


Rootkit from fes.sk/files

by on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP

I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”.  (Don’t open that, or you might end up with a virus!  I just wanted people to find this in case it might help clean this bug off!)

Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer because in this case it would have been faster to just copy the docs off and reload Windows XP.

I thought, let’s search that URL?  This was key, because it brought up some forum posts and someone mentioned HitMan PRO.  www.surfright.nl/en/hitmanpro

Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”

My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.

Hitman Pro was free for 30 days, but you had to activate it. I believe it has a subscription price of just under $30/year for 3 PCs. (as of 02/09/2010) That’s not too bad I think. Keep in mind though, this looks like a “remover”, not a real-time antivirus protection program. You’ll still want Norton, NOD32, MSSE, whatever you like, for that.

Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.


Ubuntu rndc.key dynamic DNS updates failing

by on May.12, 2009, under Internet, Linux, Networking

Just wanted to add a quick note about this as I couldn’t find a reason why dynamic DNS updates on my Ubuntu 9.04 system were failing. I had all the right perms, ownership, etc. I even opened up the files to full world writable and still, I got errors that the journal files could not be written to.

Log snippets:

error: journal open failed: unexpected error

jnl: create: permission denied

Learning as I go… there’s a thing in Ubuntu called Apparmor. Never even heard of this. This is what was keeping the files from being written to by the bind daemon. I guess Apparmor has been in this for a while now, but for several years now, I have not run into a situation where I had to mess with it.

Here’s what you change.  And keep in mind, this is NOT the correct way to handle this on a production or public DNS server.  You’ll need to read up more on the correct config for this one.  But on my tiny LAN or at home, here’s what I did.  In the /etc/apparmor.d directory, edit the usr.sbin.named file.  Find the line:

/etc/bind/** r,

Change it to:

/etc/bind/** rw,

Then restart AppArmor. If your DDNS config in Bind and DHCP is correct, you should start seeing successful updates now.

Here’s a couple of links that were helpful on the DDNS setup:

http://brunogirin.blogspot.com/2007/11/dhcp-and-dynamic-dns-on-ubuntu-server.html
http://ubuntuforums.org/showthread.php?t=274665
http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html

Also, I wanted to make a note to myself. Creating a new key for DDNS:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dhcp-update-key

That creates keyfiles in which you’ll get your key string, this is added in your dhcpd.conf and named.conf.* files as “secret”.   RTFM dnssec-keygen. and read up on the links above. :)
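As an added example, not from the original post, here is the matching pair of statements the generated secret goes into; the zone name, file paths and the secret itself are placeholders. The zone files (and the .jnl journals named writes next to them) are placed under /var/lib/bind, which the stock Ubuntu AppArmor profile for named already lets it write, so a zone kept there does not need the /etc/bind rw change above.

```conf
# --- /etc/bind/named.conf.local (example) ------------------------------------
# The secret is the base64 string from the Kdhcp-update-key.+157+NNNNN.private
# file that the dnssec-keygen command above produced (placeholder shown here).
key "dhcp-update-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "home.example" {
    type master;
    # Keep dynamic zones out of /etc/bind: named creates db.home.example.jnl
    # beside this file, and /var/lib/bind is writable under the stock profile.
    file "/var/lib/bind/db.home.example";
    allow-update { key dhcp-update-key; };
};

zone "0.168.192.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.192.168.0";
    allow-update { key dhcp-update-key; };
};

# --- dhcpd.conf (example; /etc/dhcp3/dhcpd.conf on Ubuntu 9.04) --------------
ddns-update-style interim;
ddns-domainname "home.example.";
ddns-rev-domainname "in-addr.arpa.";

key dhcp-update-key {
    algorithm hmac-md5;
    secret PLACEHOLDER-BASE64-SECRET==;   # same value as in named.conf.local
}

zone home.example. {
    primary 127.0.0.1;
    key dhcp-update-key;
}

zone 0.168.192.in-addr.arpa. {
    primary 127.0.0.1;
    key dhcp-update-key;
}
```

Because the secret authorises anyone holding it to rewrite the zone, keep both files readable only by root and the bind/dhcpd service accounts rather than world-readable.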


Exchange 2007 needs command line to set FQDN of external host name on Send Connector

by on Aug.22, 2008, under Internet, Networking, Windows Server

In Exchange 2007, you have a nice little GUI to set your FQDN on your Send Connector. (Mine is called Outbound, as shown below.)

You can see my FQDN, set under the Hub Transport/Send Connectors of the Exchange Management Console.

However, if you send mail out to an external address, you’ll notice in the headers that your internal server name is still listed! What!? What’s the point of the GUI?

You have to open Exchange Management Shell, and type in a command to solve this. It’s easy.

As shown above, you just type in the command:

set-sendconnector "Outbound" -fqdn mail.1stbyte.com

Replace “outbound” with the name of your send connector, and of course, change to your own FQDN, not mine.

It will come back in error, or success. If success, you can check your headers on an external account right away.

Have fun!


Configure Word 2007 for Blogging to WordPress 2.6

by on Aug.22, 2008, under Internet

Had to spend a few minutes reminding myself how to configure this. Easy as pie! Even works with images now!!! Yay!

While in a “New Blog” in Word 2007, click the Manage Accounts button. (A wizard will probably start the process the first time you do this, but here’s the manual way.) This assumes you already have a WordPress blog set up, of course. I tested this with my own WordPress installation, on my own web host, so I am not sure if this works the same with “WordPress.com”, but I would assume so.

In the Blog Accounts, you can click New or Change.

In the next screen, enter your domain URL and make sure it ends with /xmlrpc.php.

Add your username and password, and for me, I like to Remember, but that’s up to you.

Then click Picture Options.

Make sure you have selected “My Blog Provider”, and click OK.

Then you’ll be back at the New WordPress Account windows, just click OK.

You should see a message that “Account created successfully” or something like that. If not, the errors are not very helpful, but when I did get one, it was just that I didn’t enter the right password. And remember, this will be the username and password IN YOUR WORDPRESS system, NOT your hosting system. (stupid mistake I made, I knew better!)

One thing I don’t see how to do, is select the account I want to publish to within Word, besides the obvious “default” setting. Maybe I need to do that in each doc. I will post when I test it.

EDIT: Duh! Right in Word, at the top of the doc is an Account selection. Just select the account for the blog, if you have more than one.


New account does not appear in Global Address List but does in All Users

by on Mar.27, 2008, under Internet, Networking, Windows Server

I’ve run into this a few times, thought I’d record the solution for once so I remember it.

After adding a new user account, the user does not show up in Outlook’s Global Address List, but does show in All Users. (If you click “To” in a new message, for example, and in the Select Names window under the “Show names from the:” drop down, you select All Users.) Even if I go into Active Directory Sites and Services and manually force replication it does not work. (under the NTDS Settings for each server) Normally, I would even go into Recipient Update Services and manually update, but this does not work either.

I found out that if you have Outlook in Cached Exchange Mode, the Global Address List does not update for up to 24 hours. I don’t know the details on that, but I can force it to update. This is on a per-machine basis, so doing this across the whole network won’t work. (Although, there may be a way to do this, I just don’t know how.)

Go into Outlook, go to Tools, Send/Receive, then click Download Address Book. Make sure you have Global Address List under the Choose Address Book drop down, and click OK. Problem solved.

By the way, I am using Exchange 2003 and Outlook 2003.


IE7 fails to automatically authenticate with enable integrated windows authentication checked

by on Mar.15, 2008, under Internet, Networking, Web Design

In Internet Explorer 7, Tools, Internet Options, Advanced tab. The checkbox for “enable integrated windows authentication” is very confusing. You would think this means “just log me in with my windows credentials”, but no, there’s more to it than that. And what I found was, it simply enables “Negotiate”. It sets this registry key to 1:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate

After some research, this actually means that IE will negotiate between NTLM or Kerberos authentication. In some situations, Kerberos will fail. I don’t understand well enough to explain this one. But that’s ok, because the point of all this is… I want IE to authenticate automatically on my Intranet! Anyway, if you uncheck this setting in IE, it will set Negotiate to disabled. (0) If Negotiate is disabled, IE will use NTLM by default. BAM! I can login automatically.

Wouldn’t it be much more helpful if Microsoft had labeled that for what it was? Like: Negotiate Kerberos or NTLM Authentication.

Word of caution… some Intranet apps might depend on Kerberos, so this might cause more problems down the road if you disable this on all your client systems.

Another note… IE6, as I understand it, does not behave this way. It has a similar setting to enable windows authentication and I believe it uses NTLM by default. I HAVE NOT TESTED THIS, and I don’t know for sure if this is true, but according to my Googling, this is the case.

I found this site with info regarding EnableNegotiate:

http://ie7triage.spaces.live.com/blog/cns!3B6634EF5458F389!422.entry

Here’s another blog you might find useful:

http://blog.super-networking.net/systems/internet-explorer-enable-integrated-windows-authentication/


Automatic Windows Authentication with Firefox network.automatic-ntlm-auth.trusted-uris

by on Mar.15, 2008, under Internet

One of the main reasons I don’t use Firefox in an Intranet environment, is due to the logon prompt from IIS Windows Authentication. I keep having problems with IE7 on Vista losing the auto-NTLM auth, where it asks for my password, when it’s supposed to just log me in based on my domain logon! ARgh! So I started Google-ing and found out that Firefox can do this too!!! I never knew that, in all these years of Firefox use!

You have to set which sites are allowed to do this though. But that’s fine, not like I login with NTLM all over the place, just a couple sites from the Intranet. Go to about:config in Firefox, lookup all the “network:auth” items and you’ll see this one:

network.automatic-ntlm-auth.trusted-uris

Open that, and enter the website address. (even port if needed) BAM! That’s it!

For example:

webapp.servername.local:8080

This will use automatic NTLM logons based on your windows logon. But note: I do not know if this works if your machine is not a member of a domain.

Quick update on 3/31/2011:

It was pointed out to me that there is a newer about:config key:
network.negotiate-auth.trusted-uris

I don’t think this is a newer key though, and it appears to have a different meaning. My understanding is that network.negotiate-auth.trusted-uris lists sites that are permitted to use SPNEGO authentication, which is not the same as “permitting trusted sites to use NTLM authentication”, which is what network.automatic-ntlm-auth.trusted-uris is for. I haven’t tested these settings recently, so I can’t say if they work for sure. But I can say that I found a site last updated in 2005 that mentioned this second key, so it’s been around for a while. I’d just set only the NTLM key and see if it works. If not, try this second key and see.
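As an added example (not from this post or from Firefox itself), here is a small Python model that reads both trusted-uris keys out of a prefs.js/user.js file and reports which automatic scheme, NTLM or SPNEGO, a given intranet URL would be allowed to use, including the port case from the example above. The matching rules (scheme and port must agree when the entry gives them; the host matches by exact name or as a domain suffix) are a simplified assumption about Firefox’s behaviour, not taken from its source, and the prefs lines are constructed.

```python
import re

# Constructed prefs.js/user.js lines (not from the post) setting both keys
SAMPLE_PREFS = '''
user_pref("network.automatic-ntlm-auth.trusted-uris", "webapp.servername.local:8080, intranet.corp.local");
user_pref("network.negotiate-auth.trusted-uris", "https://sso.corp.local");
user_pref("browser.startup.homepage", "about:blank");
'''

NTLM_KEY = "network.automatic-ntlm-auth.trusted-uris"
SPNEGO_KEY = "network.negotiate-auth.trusted-uris"
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')


def parse_trusted_uris(prefs_text):
    """Return {key: [entries]} for the two trusted-uris keys found in prefs_text."""
    found = {}
    for name, value in PREF_RE.findall(prefs_text):
        if name in (NTLM_KEY, SPNEGO_KEY):
            found[name] = [e.strip() for e in value.split(",") if e.strip()]
    return found


def entry_matches(entry, scheme, host, port):
    """Simplified model (assumption): optional scheme and port must agree when
    present; host matches by exact name or as a domain suffix."""
    e_scheme = None
    if "://" in entry:
        e_scheme, entry = entry.split("://", 1)
    e_port = None
    if ":" in entry:
        entry, e_port = entry.rsplit(":", 1)
        e_port = int(e_port)
    if e_scheme and e_scheme != scheme:
        return False
    if e_port is not None and e_port != port:
        return False
    base = entry.lstrip(".")
    return host == base or host.endswith("." + base)


def auth_allowed(prefs_text, url):
    """Automatic schemes the prefs permit for url: subset of {'ntlm', 'negotiate'}."""
    m = re.match(r"(https?)://([^/:]+)(?::(\d+))?", url)
    scheme, host, port = m.group(1), m.group(2), m.group(3)
    port = int(port) if port else (443 if scheme == "https" else 80)
    trusted = parse_trusted_uris(prefs_text)
    allowed = set()
    for key, tag in ((NTLM_KEY, "ntlm"), (SPNEGO_KEY, "negotiate")):
        if any(entry_matches(e, scheme, host, port) for e in trusted.get(key, [])):
            allowed.add(tag)
    return allowed
```

Note that an entry carrying a port, like the one above, does not cover the same host on the default port, so a site served on both ports needs both forms listed.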


Is a hardware firewall really a software firewall anyway?

by on Mar.05, 2008, under Internet, Linux, Networking, Security

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DoS attacks. Is this really true? Even if so, in the last 10 years I’ve run some sort of Linux based firewall, whether home-brewed or special firewall distribution, and I’ve not once had a break in. I’ve not once had a DoS attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DoS attack directly on an Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons makes for a fantastic filtering firewall, provided we pick good hardware to run it, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things.

EDIT 03/08/2010 ::

Since I wrote this article, I’ve switched to PFSense as my firewall of choice. It does way more and better than I could do with IPCop. (still like IPCop though!) PFSense is a FreeBSD based solution. It can handle multiple WAN connections, can add several interfaces all with IP aliases, and has all the “lock down” rules in place from the start. Not to mention, there are plugins that make tracking down traffic issues much easier. I LOVE IT!

The only gripe I might have is in the complexity of the traffic shaper, although, I could actually use it as opposed to trying to figure out the Linux way. (which I never did figure out.)

Having said all that, my original point of the post still stands. Who cares if you have a Sonicwall or Pix? Are they truly more secure? Are they not also just software running on hardware, making them really just “embedded apps” of a sort? I think PFSense can run embedded, right? (Which really just translates to, “I can run this on a flash media drive and on a tiny little computer.”) So yes, I still need to research this on my own, but I really don’t get what is better about those expensive solutions. I’d rather have PFSense, or similar, on generic hardware that can be swapped and troubleshot more easily. Just my opinion.


1st Byte Solutions