Utopia Park

I shot these pictures in Utopia Park. It is a small park in Beit Hefer, quite close to Tulkarem. It is best known for its orchids, although the peacock definitely tried to steal the show :D .

New Gallery – Alexander River


I took these pictures at the Alexander River. This is one of the rare places where you can see (almost) wild nature from only a few meters away. In the river there are otters, some hungry sheatfish and, above all, soft-shell turtles. All absolutely adoring bread.

I would like to use this opportunity to ask people to stop feeding the animals, because this is actually bad for them. They're supposed to find food on their own. Instead they eat bread. Obviously it is nutritious, but we have to understand that reptile metabolism is totally different from our own – I mean there are insects that eat paper, but it doesn't mean we can chew pieces of cardboard all day long and be happy about it. Bread is actually bad for these animals. Not to mention they're getting much more food than they would otherwise. So please don't feed them.

Anyway, the pictures are beautiful and I hope you’ll enjoy them :D . The gallery is here of course.

Alexander River

These are from the Alexander River. This is one of the rare places where you can see (almost) wild nature from only a few meters away. In the river there are soft-shell turtles, otters and a couple of hungry sheatfish. All absolutely adoring bread – actually it is a bad thing that people feed these animals, because they're supposed to find food on their own.

New article – Reverse SSH tunnel or connecting to computer behind NAT router

In this article I explain how to connect to a computer protected by a NAT router using a reverse SSH tunnel. I explain the problems involved in the process and how to solve them. Enjoy the article here.

Reverse SSH tunnel or connecting to computer behind NAT router

Introduction

A few days ago I encountered a problem. How do you connect to a computer behind a NAT router? Any NAT router is also a firewall: it only passes traffic for connections that were opened from the inside, so nobody on the Internet can open a connection to the computer behind it. Sometimes you do have access to the router's configuration and can set up port forwarding. Yet often that is complicated or even impossible. A common situation is when you want to connect to a computer in the office from home. Companies usually hide office computers behind NAT routers and firewalls, hence you cannot connect to an office computer as is.

This is exactly the problem I had to overcome. After googling for a couple of minutes I found a solution called a reverse SSH tunnel. Yet I could not find a guide that explains how to make it work from A to Z. So I decided to write one.

Understanding the setup

In our basic setup we have a Home Computer. It runs Linux and can freely access the Internet. Office Computer is the Linux machine behind the NAT router. We want to connect to Office Computer but can't because of the NAT router. Server is an additional Linux machine with a public address. It has to be reachable via SSH from both Home Computer and Office Computer; Office Computer can reach it because outgoing connections pass through the NAT router, and that outgoing connection is what we will turn around.

Preparations

First, make sure that the SSH server on Server has the GatewayPorts option turned on. You most likely run OpenSSH; if so, open /etc/ssh/sshd_config and make sure it contains the following line.

GatewayPorts yes

If it is missing, add it and restart the SSH service. Be aware of what this does: by default a port opened with ssh -R listens only on Server's loopback interface, and GatewayPorts yes makes it listen on all of Server's interfaces, so anyone who can reach Server over the Internet can also reach the forwarded port on Office Computer (and, for example, try SSH logins against it). If that is a concern, leave GatewayPorts at no and connect to localhost:6333 from a shell on Server instead (or in one step with ssh -J, see below).

Now this is important. Using the method described here you can connect to any port on Office Computer. If the port you want is SSH, Office Computer must be running an SSH server that accepts connections on localhost port 22. The tunnel endpoint connects to localhost:X from Office Computer itself, so nothing needs to change in Office Computer's sshd_config; in particular GatewayPorts is not needed there.

Also, you need access to Office Computer to set the tunnel up: either ask someone to run the command on Office Computer for you, or run it yourself in advance.

Connecting

This is the easy part.

Assuming you want to connect to port X on Office Computer, do the following.

On Office Computer run:

ssh -R 6333:localhost:X user_on_server@server

Server will ask for your regular SSH credentials (key or password) and open a regular SSH session. This is the tunnel session: keep it open for as long as you want to stay connected to Office Computer. If you don't need a shell on Server, add -N so the session only carries the forwarding, and add -o ExitOnForwardFailure=yes so that ssh exits instead of silently holding a useless session when port 6333 is already taken on Server.

On Home Computer connect to port 6333 on Server as if it were port X on Office Computer. If you want to reach the SSH port on Office Computer, set X to 22 in the command above and run:

ssh user_on_office_computer@server -p 6333

Again, you may be asked to identify yourself. Authenticate as if you were connecting to Office Computer directly: the host key and the credentials you are asked for are Office Computer's, not Server's. If you left GatewayPorts off, the equivalent from Home Computer is ssh -J user_on_server@server -p 6333 user_on_office_computer@localhost, which hops through Server and connects to the loopback port there.

Avoiding session expiration

As mentioned in the Preparations section, you can run the tunnel command in advance, before going home, or ask someone to run it for you. If you run it yourself, you will want to make sure the tunnel session does not expire while you are away.

Three options in /etc/ssh/sshd_config on Server control how the SSH server decides that a session is dead. Once in a while the server can send keep-alive messages to connected clients; a temporary connectivity problem between Office Computer and Server can then cause it to drop the tunnel session even though the problem would have cleared in a moment. Depending on your server's configuration you may want to disable these messages, or, better, increase the interval between them and the number of unanswered messages the server tolerates before concluding that the client is gone. Some keep-alive traffic is actually useful here: many NAT routers forget the state of a connection that stays idle for long, which kills the tunnel just as effectively.

TCPKeepAlive enables or disables TCP-level keep-alives, which the operating system sends and which are not part of the SSH protocol. The default is yes (i.e. send keep-alives) and it is good practice to keep it that way.

ClientAliveInterval is the number of seconds between two SSH-level keep-alive messages sent to the client through the encrypted channel (the default is 0, which disables them). Depending on the quality of the connection between Office Computer and Server we may want to set it to, say, 10.

ClientAliveCountMax is the number of unanswered keep-alive messages after which the SSH server pulls the plug (the default is 3). We want it relatively large, but not too large. With ClientAliveInterval equal to 10, it is reasonable to give up after keep-alives have failed for, say, 5 minutes, i.e. 300 seconds. This means ClientAliveCountMax should be 30. The client side has the same pair of options, ServerAliveInterval and ServerAliveCountMax, which you can pass to the ssh command on Office Computer so that the tunnel session itself notices a dead link and exits; something then has to restart it, since a dropped tunnel does not come back on its own.
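The following script ties the Preparations, Connecting and session-expiration sections together. It is an added example, not part of the original article: it checks the effective value of a keyword in sshd_config the way sshd resolves it (first uncommented occurrence wins, keywords are case-insensitive, anything after a Match line is conditional), builds the hardened tunnel command line for Office Computer, and restarts the tunnel whenever it drops. The sshd_config path, the ports 6333 and 22, and the name alice@server are illustrative assumptions, and the sample config it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article. The config path, ports and
# alice@server below are illustrative assumptions, not real hosts.

# Effective value of one sshd_config keyword, resolved the way sshd does it:
# keywords are case-insensitive, lines starting with '#' are comments, the
# first uncommented occurrence wins, and options after a "Match" line are
# conditional, so the check stops there. Prints "default" if unset.
sshd_option() {
    # $1 = path to sshd_config, $2 = keyword (e.g. GatewayPorts)
    awk -v key="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(key)  { print $2; found = 1; exit }
        END { if (!found) print "default" }
    ' "$1"
}

# Constructed sample sshd_config for trying the check offline: the commented
# default, a lower-case override, and a Match block that must be ignored.
write_sample_config() {
    # $1 = file to write
    cat > "$1" <<'EOF'
# constructed sample, not a real server's config
#GatewayPorts no
gatewayports yes
ClientAliveInterval 10
Match User alice
    GatewayPorts no
EOF
}

# Argument list for the tunnel session run on Office Computer, one per line.
#   -N                    no remote shell, only the forwarding
#   ExitOnForwardFailure  exit (so keep_tunnel retries) if Server cannot bind
#                         the port, instead of silently holding a useless session
#   ServerAliveInterval/ServerAliveCountMax
#                         client-side counterpart of sshd's ClientAlive*
#                         options: a dead link is noticed after 10*6 = 60 s,
#                         and the periodic traffic keeps the NAT router's
#                         connection state from idling out
tunnel_args() {
    # $1 = port to open on Server, $2 = port on Office Computer, $3 = user@server
    printf '%s\n' -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=10 \
        -o ServerAliveCountMax=6 -R "$1:localhost:$2" "$3"
}

# Keep the tunnel up: ssh returns when the session drops, then we reconnect.
# Run this on Office Computer inside screen/tmux or under nohup, e.g.
#   keep_tunnel 6333 22 alice@server
keep_tunnel() {
    while :; do
        # shellcheck disable=SC2046  (the arguments contain no whitespace)
        ssh $(tunnel_args "$1" "$2" "$3")
        sleep 10
    done
}

# Before starting the tunnel, confirm Server's sshd will expose the port:
#   [ "$(sshd_option /etc/ssh/sshd_config GatewayPorts)" = yes ] || echo "GatewayPorts is off"
```

From Home Computer the connection is then ssh -p 6333 user_on_office_computer@server, or, with GatewayPorts left off on Server, ssh -J alice@server -p 6333 user_on_office_computer@localhost. The reconnect loop is deliberately simple; autossh does the same job with more care about backoff, and a systemd unit with Restart=always is the usual way to make it survive a reboot of Office Computer.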

What is CIDR notation

I have mentioned this several times in my articles and included a link to Wikipedia's definition of CIDR notation. However, only now did I see how complex the Wikipedia definition is. On the other hand, I guess any formal definition of the subject would be complex and hard to understand. So I took the liberty of describing what CIDR notation is in a few words.

VPS tale continued

After being so decisive about staying with vpsland I went ahead and tried to upgrade my VPS to Ubuntu 8.04 (from 7.10). Well… Of course it didn't work. Obviously, with all respect to Aptitude, you cannot tell it to upgrade to a Xen-enabled kernel. I asked vpsland whether they plan to do anything about Ubuntu 8.04 any time soon, but as expected received no meaningful answer.

As a result, I am now a happy customer of slicehost. Although I had a few networking issues with slicehost's VPSs, with them the most important stuff works flawlessly. And I now have a new version of Ubuntu :D

While shopping for a new VPS, I heard about a hosting company named linode. And although it was already too late for me when I was told about them, they look very impressive and I may still become their customer one day.

Anyway, the transition to the new VPS is over. I just found that mod_rewrite wasn't working. As a result people couldn't reach my articles for a few days. It is fixed and it seems that the site is fully operational.

VPS choice

I am constantly checking options to improve my web-site. One of the directions is improving the underlying hardware. This web-site runs on a VPS I purchased at vpsland.com. Today, for the first time, I ran into a problem with RAM. It seems that 128MB just isn't enough for so many services – I recently added a DNS server.

Since this was quite expected, about a week ago I started shopping for a new, upgraded VPS plan. The bottom line is that I think I am going to stay with vpsland.com.

From what I've seen, vpsland gives below-average service while beating other firms in terms of prices. There is only one other firm whose prices were adequate. It's slicehost, of course. Yet surprisingly, I found that networking conditions on slicehost's slice were worse than those of my old VPS.

Eventually, I decided to stick with vpsland.com.

While evaluating different options, I ran into a web-site named VPS choice. This web-site evaluates lots of VPS hosting plans from different companies. I could not believe it, but it seems that this web-site is actually independent :D

WordPress 2.5.1 trials – success!

After trying the new WordPress 2.5.1 for a week I decided to stick with it. It is one solid piece of software, despite a few problems here and there.

Trying WordPress 2.5.1

A new version of WordPress is here and I am trying it out. I tried WordPress 2.5 and it was quite a disappointment because of the editor. I opened a support ticket on WordPress's Trac. They say they fixed the problem. So I will give it a try during the next few days. Hope it will go smoothly.