Wednesday, November 25, 2009

All I Want Is A Linux Firewall!!!

You would think such a thing would exist, but no, not really. This is not a rant, just a statement of fact. I've been looking around for one and here's my review of some of the options available... This does not include the commercial ones; I'm only interested in trying out the FOSS ones. I've tried Astaro, Gibraltar, etc. and they are all quite nice.

Something I should point out, as this post comes across a bit negative: all of those below I found to be wonderful examples of what FOSS manages to achieve, and they all have a very useful set of functionality (there were others I played with that really were quite bad, so I didn't comment on those), but none were particularly viable replacements for a firewall.

One thing I've wanted for a while (especially in the age of virtualisation) is a router/firewall combo that does the basics of what these devices should do. To me, if you're going to build such an appliance it should be:

  1. Web controlled
  2. Under 200MB
  3. Able to add and remove interfaces and configure them simply
  4. Single login (well, multiple users, but one user database)
  5. Able to firewall things (from IP, to IP, drop/accept, you know)
Nice to have, but not required:
  1. Routing - protocol-based routing abilities (I mean OSPF, BGP, RIP, etc.)
  2. VPN - either point-to-point between firewalls and/or road-warrior type things.
  3. Load balancing - do I really need to explain that one?
  4. IDS - intrusion detection is nice when it works
  5. Packet accounting - tell me how much traffic is going where and when.
  6. HA - a simple heartbeat failover between two routers.
  7. Proxy/HTTP filtering
  8. QoS - I want that link going slow!
  9. VLAN support - one interface will do me, thanks!

An install for such a beast should go:
  1. Insert CD
  2. Answer 3 questions:
     - Which interface should I use for management?
     - What's its IP? (netmask, gateway, DNS)
     - What hard drive do you want to install onto?
  3. Go to the web interface and configure the rest.

In the many years I've "done" Unix, I've built several of these things and it always ends the same way:
  1. Install a "normal" distro (Ubuntu, Fedora, etc.)
  2. Install Webmin

And alas, this is still the best option so far... But here's what I've found after downloading several and having a hack around on them. All of these can be found linked off Wikipedia, here.

Coyote/Wolverine - requires an IDE HD... seriously? What century are we in again? But really quite good.
  1. Both have a nice simple install
  2. Both require you to configure a WAN and LAN interface on startup, but you can't choose which interface is which; it just uses eth0 and eth1 - very bizarre.
  3. Does a reasonable mix of things - VLANs, NAT, firewall, QoS, VPN (only Wolverine does VPN)
  4. Firewall rules are simple, but overly so; you can't get "complex".
  5. Seems to be a bit spurty in terms of dev - big gaps between activity.

IPCop - sadly, not too bad actually. Where it fell apart:
  1. Had to choose from a list of possible network interface configs during install (strange naming conventions) and couldn't add another interface later on (at least, not through the GUI)
  2. Seems more interested in working for little home-router style configs
  3. Had to choose 3 passwords during the install: one for web admin, one for console (root) and one for backup. One password is enough, thanks!
  4. Has the whole Red, Green, Orange, etc. interface notation of last century.

RedWall - terribly convoluted:
  1. The "install" was a nightmare, and I'm really not sure if I made it all the way through or not
  2. The documentation is ... not good
  3. The install is so terribly convoluted it really was far, FAR too complex

ZeroShell - probably the best
  1. The install on this one was great
  2. The thing is sadly still beta - but quite impressive nonetheless.
  3. The firewall interface for adding rules was heavily complex, way more than what is needed - what it could have been is a simple "src IP/IP range", "dest IP/IP range", "interface (if specified)", "src/dst ports" and "accept, drop, etc." with an "advanced" button for those tricky things - this is primarily what a firewall needs to do
  4. Does a firewall/router really need IMAP, POP, Kerberos, etc.?
  5. Interface config was fantastic, supporting VLANs.
  6. Some things were complex, some things were dead straightforward

Smoothwall - again with IDE? But very decent.
  1. Required an IDE hard drive - or at least, didn't understand VMware's SCSI hard disks.
  2. Based off the same IPCop install and it's very annoying
  3. Had 4 network interfaces (choose 3 during install), couldn't add interfaces after the initial install
  4. Has a really nice web interface
  5. Did a lot of the "nice to haves" listed above
  6. Firewall rules config was great.
eBox - big and bulky
  1. It's not a firewall, it's an everything.
  2. Based off Ubuntu/Debian with the same installer - it's HUGE. Leave aside an hour just for the install.
  3. Does lots of things and isn't really useful as simply a firewall/router replacement (i.e. file sharing, chat, DHCP, the works).
  4. If you want a box that does almost everything you could want on a LAN, this is it.
  5. Not bad at all for what it's aiming to be - it's well worth having a play with.
  6. Firewall configuration interface is "annoying"
IPFire - IPCop/Smoothwall, again
  1. Same annoying config as IPCop/Smoothwall/etc. - interface sets defined at install.
  2. Web interface is very complex in places.

BrazilFW - Coyote-based thingy
  1. It's not English - or it's English in places, but not enough to get what's going on.
  2. I'm sure it's great if you're Brazilian....

pfSense - BSD, nearly the best of the lot
  1. The installation is quite odd - you go through and set up the interfaces after booting the CD-ROM and you can do a lot there, or you can go to the web interface - which then forces you to do it all again. I don't understand why they don't choose one or the other. It forces you to configure a WAN and LAN interface (at a minimum), then forces you to do the same again on the website.... very bizarre.
  2. Firewall rules border on over-complex but it's still quite good.
  3. Web interface can be a little confusing in places - menus could be better organised, and items could do with more text.
  4. Supports VPNs, firewalling, multiple interfaces, VLANs, load balancing, RIP
  5. All in all, it's pretty complete.

Untangle - didn't get very far
  1. Takes FOREVER to install
  2. Forces you to create an account on Untangle (I didn't do this)
  3. Uses that external/internal/DMZ network interface config for seemingly no reason (does detect extra cards, calls them "ethX" etc., which is fine by me)
  4. I'm sure it's nice for someone, but that someone is not me, and it's not a firewall/router replacement. It's trying to be an "everything" server a SOHO might want.
ClarkConnect - Community Edition - not too bad
  1. Install was nice and straightforward, but that's where the good times kinda ended
  2. After install, trying to get to the web interface was a nightmare - had to keep logging onto the console of the box and dropping its iptables rules - why can't I get to the interface from inside???
  3. Can define what "group" an interface belongs to - i.e. "internal", "external"
  4. Sadly, had the same idea of "incoming" and "outgoing", in that you'd say "let port 80 in" rather than allowing a useful firewall config - i.e. allow connections from A to B on port X
  5. Does VPNs and IDS
  6. Is another "does all these things, so I'm really a single-box SOHO".
  7. Community Edition doesn't do 1-to-1 NAT (how bizarre, it's not like Linux doesn't do it out of the box)
  8. The interface was quite nice, but still not really what we're looking for in this blog post.
Vyatta - Community Edition - quite nice but the web interface is truly horrendous
  1. Not a great install, but not bad.. The thing boots straight to a Linux login prompt and you sit there going "ok, and now..?"... then you run install-system and sit there again going "ok, and now...?" - that could be done much nicer than that.
  2. Has both a CLI and web, which is nice; the CLI has obviously had some input from Cisco types. Cisco people won't immediately know how to use it though
  3. Has this annoying Vyatta logo on the VT which means when you do something like "ifconfig -a | more" the screen pager loses the top 2 lines - frustrating!
  4. Runs on a NORMAL web port (i.e. port 80 and 443) with SSL. For some reason, a lot of routers do not do this - don't ask me why, it's very bizarre.
  5. The web GUI isn't fantastic... All things considered, I'd say the navigation of it is incredibly tedious, but the amount of required info for doing any one action is suitable.. i.e. configuring an interface you have to dig down several layers of menu, then the main interface page is simple... you can then configure more things on the interface in deeper menus rather than having to do it all on one page.
  6. The firewall part of the interface (i.e. where you set rules) is truly horrible; you're forever digging further and further into the interface. Was the only truly tragic part of the interface really.
  7. The interface is very raw, like someone had an XML config file and decided to wrap a GUI around it as a side thought. Like, if you go to an interface and click on "vif", all you get is a dialog that says "vif: "... then if you type in an invalid IP address it says "this is not of type uint32"... right, good ol' uint32.
  8. Supports almost everything a router/firewall replacement should support - firewall, VPN (multiple types), bridging, VRRP, VIPs, load balancing, OSPF, RIP, BGP, clustering, IPv6, some services (proxy for eg).
  9. The interface does have this little yellow ball thing that tells you where you might have problems, and that was quite nice.


And that is pretty much all of them.. See now why I say standard distro + Webmin is actually an improvement on most of them? The iptables interface in Webmin is actually not bad at all. It's a pity too, because Linux and BSD both have such strong networking backbones, with a lot of support software. But if you want to replace an old router, or perhaps just add one into a testing system, it's either get Fedora 12 or Ubuntu 9.10 (or any other current distro) and hit the Webmin install button; you'll be much better off really.
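As an added illustration (my code, not from the post or any of the products reviewed above), here is the minimal rule model the post keeps asking for - source, destination, optional interface, port, accept/drop - compiled straight into the iptables commands that the "standard distro + Webmin" route ends up driving anyway. The rule table, addresses and interface names are constructed placeholders.

```python
import ipaddress

# Constructed rule table in the six-column model the post describes.
# Addresses and interface names are placeholders, not from any real box.
RULES_TEXT = """\
# src            dst             iface  proto  dport  action
10.0.1.0/24      192.168.5.10    eth1   tcp    80     accept
10.0.1.0/24      192.168.5.10    eth1   tcp    443    accept
any              10.0.1.50       eth0   tcp    22     accept
10.0.1.0/24      any             -      udp    53     accept
any              any             -      any    any    drop
"""

ACTIONS = {"accept": "ACCEPT", "drop": "DROP", "reject": "REJECT"}
PROTOS = ("tcp", "udp", "any")


def parse_rules(text):
    """Turn the table into rule dicts, rejecting anything that would not map
    cleanly onto iptables (bad CIDR, a port without tcp/udp, unknown action)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        src, dst, iface, proto, dport, action = fields
        for addr in (src, dst):
            if addr != "any":
                ipaddress.ip_network(addr, strict=False)  # raises on garbage
        if proto not in PROTOS:
            raise ValueError(f"line {lineno}: unknown protocol {proto!r}")
        if dport != "any":
            if proto == "any":
                raise ValueError(f"line {lineno}: a port needs tcp or udp")
            if not 1 <= int(dport) <= 65535:
                raise ValueError(f"line {lineno}: bad port {dport!r}")
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        rules.append({"src": src, "dst": dst, "iface": iface,
                      "proto": proto, "dport": dport, "action": action})
    return rules


def rule_to_iptables(rule, chain="FORWARD"):
    """One table row -> one iptables command; 'iface' is the ingress interface."""
    parts = ["iptables", "-A", chain]
    if rule["src"] != "any":
        parts += ["-s", rule["src"]]
    if rule["dst"] != "any":
        parts += ["-d", rule["dst"]]
    if rule["iface"] != "-":
        parts += ["-i", rule["iface"]]
    if rule["proto"] != "any":
        parts += ["-p", rule["proto"]]
    if rule["dport"] != "any":
        parts += ["--dport", rule["dport"]]
    parts += ["-j", ACTIONS[rule["action"]]]
    return " ".join(parts)


def compile_ruleset(text, chain="FORWARD"):
    """Full command list: default-deny policy, flush, allow reply traffic for
    connections already accepted, then the table rules in order."""
    commands = [
        f"iptables -P {chain} DROP",
        f"iptables -F {chain}",
        f"iptables -A {chain} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    commands += [rule_to_iptables(r, chain) for r in parse_rules(text)]
    return commands


if __name__ == "__main__":
    print("\n".join(compile_ruleset(RULES_TEXT)))
```

The script only prints the commands; piping them into a shell on a test box is the "advanced button" step, and the final catch-all drop is what makes the table read as a whitelist.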

Saturday, October 31, 2009

Linux async replication - dm-replicator?

In my last blog post, I was talking about how I wish I had the time to implement a replication scheme based on LVM/dm.

Well, a while ago I stumbled on a thing called dm-replicator which was presented at a conference around October 2008... but that was the last I'd heard of it. That was until last week when suddenly LVM/dm got some patches, and some kernel-level patches suddenly appeared as well.

I'm quite excited, but details are very thin, and reading the code kinda disappoints me.

From what I can tell, it's going to be another targeting-the-remote-computer style config, which is a shame because keeping it local-only would simplify things and probably avoid a lot of patent trouble (there are a lot of storage vendors that hold patents around remote replication).

Secondly, anything you could do locally you can do remotely (think iSCSI, vblade/AoE, network block device, etc.)... Consider the following situations where local replication is good (at the LVM level):

1) I have a USB drive that I plug into my laptop occasionally - sync logical volume root into volume group usbdrive
1.1) I have an ATA-over-Ethernet device sitting at home that I want my laptop to sync to whenever I'm on that network.
2) I have an iSCSI brick sitting in a data center a long way away, there are no servers - let's talk directly to the storage brick.
3) I'm using shared LVs with clvmd; how can I do ordered replication between multiple hosts talking to the one LV? - woot, LVM-level replication solves this problem
4) Keep it simple - a network layer to replication makes it complex - see DRBD.

I'm still sorely tempted to actually write a replication device - not within LVM - but one that is LVM-intelligent.

I really hope the LVM dm-replicator gets a simple form of async, local-only replication, because if it's remote-only it'd be a sore loss of functionality to what is (in my opinion) one of Linux's greatest pieces of storage software.

I'd love to ask some questions on the mailing list, but it's hard to know which one to ask on, because the code has mostly been synced into LVM's CVS rather than dm's, yet most of the code is actually kernel-level device-mapper code...

Thursday, October 15, 2009

Linux Replication, one of those things I wish I had the time for....

Asynchronous replication is a wonderful technology - when it works right (actually, usually it always works right; it's implementers that screw it up). But Linux has never really had a good solution for it.

There is DRBD, and that's about all there is. Now it's quite pretty and all, and does what you want to some degree, but it lacks (rather annoyingly) some functionality. DRBD is designed such that you create a block device that you pass through for replication. It then transmits the changes to a remote machine also running DRBD, which then replicates the changed blocks onto the remote block device. Essentially, that's what replication should be about, and DRBD has some configurability around that - like synchronous replication.

Let me explain that a bit better from an OS perspective. When a program writes to the disk, it opens a file name, does some writes and then closes it. Now depending on the FS, the device it's writing to and a number of other factors, this may or may not occur straight away; however the program (when it calls close()) gets a return from the kernel saying "your writes are complete" (well, not really how it happens, but essentially it means your writes are "committed" to the disk).

Now, when you set up a mirror disk (i.e. LVM or meta devices) what happens is that the write isn't complete until both disks have committed the write. This is synchronous replication, i.e. both disks have the data. Async means that only one disk commits the write and the other disk can commit the write at any time.

"Great!" I hear you say, "I'm going to have a mirror that's out of sync, what the piss is the point of that?" Well, glad you asked, because it's really quite useful. Let's start with a simple example of where it isn't used but could be. Let's say you have a computer with two really fast 15k RPM 300GB SAS drives and a pair of 7.2k RPM 1TB SATA drives. What you could do is set up a mirror of the 15k drives and then asynchronously replicate on to the SATAs. Sure, my SATAs won't have the most up-to-date data, but if my SAS drives fail they'll at least have most of it. Essentially, what you're trying to do is protect your data with cheap disk without impacting the performance of your fast disk. Now let's expand this some to places where it is used.

A very common scenario is DR (disaster recovery). Typically this will involve two sites and usually centralised storage (replication is very rare at the server level; it's usually done on a SAN type system). So what I do is I have some really fast SAN that holds all my data at my primary site, but I'm a company of a decent size and I really don't want to be screwed if I have a complete site failure. Examples of this are:
  1. SAN device completely fails
  2. Building blows up
  3. Natural disaster wipes out building
Basically, anything that has the power to turn my primary site into sludge. So what I want is a backup site where I can replicate my data, but you also want it a decent distance away from my primary site (after all, a bomb that hits my primary site could very well hit my secondary site, or think earthquakes, floods, tidal waves, all sorts of natural disasters that buildings won't stand up to).

Now you essentially buy 2 SANs and put one at each site; however, in order to mirror to my remote SAN I need some serious cash, because the kind of throughput on a SAN would usually require serious fibre links between the two sites capable of handling the entire workload (at its maximum), and that can cost you significantly more than your actual SAN (ouch). So what you do instead is cheap out. You buy a SAN at the remote site with less impressive specs (i.e. remove those 15k RPM, 300G expensive Fibre Channel drives and replace them with SATA drives at the remote site) and provision a cheap link between the sites. Then you set up asynchronous replication. Practically any SAN on the planet can do replication (in fact, aside from the dirt-cheap ones, I don't really know any SAN that would be used in a company that can't do it). The idea is simple: you watch the data changes occurring on your SAN and then ship those changes to the remote SAN as fast as you can, where it then writes them to disk.

Keep in mind, all this is async, so when my server writes my data, it can then go off and do more writes elsewhere while the remote SAN may not have even caught up with the first set of writes. Now this means during peak load, that slow link is probably getting flooded and the remote SAN is falling behind by a significant amount - however, at least you still have some data you can work with. During the low-load times my remote SAN catches back up to the latest data changes.

That in a nutshell is async replication, quite widely used and very useful in terms of protection. This is also what I've wanted to code into Linux for a long time, simply because DRBD is fairly nasty and large while not being able to do simple things. I also find DRBD isn't great across slow links, and my idea was simple: "use what's already available".

In my mind, that's LVM. LVM already exists at the right layer in the kernel to be able to do this, and all it would require is some metadata store (for storing the IDs of blocks that have changed) and a command to initiate it all (let's ignore "remote" for now). Keep in mind, I had planned for something that is useful even on desktops here.

So what I do is plug in a disk (let's say it's USB) and my desktop is running a 300GB 2.5" 7.2k RPM HD, while my USB disk is a 1TB 5.4k RPM slow-as-buggery drive. Now my desktop was installed with LVM on the main disk so I'm already halfway there (let's say my root VG is rootvg and my root LV is rootlv). I create another VG on the 1TB SATA called replicavg. I then do this: lvreplicate -r -s /dev/rootvg/rootlv -d /dev/replicavg.

What this command would do is tell LVM to replicate the logical volume "rootvg/rootlv" into the volume group "replicavg". LVM (in the background) then goes off and creates a logical volume large enough to store my replica data and begins the process of replication. Now being a USB disk, I'm probably not going to have it plugged in all the time, and that's where the metadata store would come in handy - it would just keep its log of changed blocks while it waits until it can see replicavg again. Kewl? With me so far? So now your desktop machine has a viable option for replicating your important data externally on a drive you don't have to carry around all the time.

This would be lovely, but could work for servers as well - but first let me explain what else I would implement: snapshot replication. Snapshots on LVM are wonderful. But if I can do them ordered on a replica, they're even kewler. So basically, rather than snapshotting my local storage, I can say "snapshot my local filesystem at the replica when it catches up to this point in time". Which would be very kewl.

Now, I said "forget remote" and I meant it. I also said it'd be useful on servers, and you're probably thinking "what's the point of servers without remote replication and that whole DR thing?" right? Well, it's quite simple actually; here's where you introduce things like iSCSI or AoE (vblade). Re-use the tech that's available, and KEEP IT SIMPLE, STUPID! All LVM has to know is where it's replicating to (the volume group); leave it up to the tech that already exists to deal with the rest. LVM wouldn't require too much work to do all this, and it would have a lot more functionality than DRBD (i.e. it's useful to almost anyone). DRBD forces you to make choices and can only really do remote. Take an LVM VG for example: do you replicate the underlying volumes (i.e. create the VGs passing through DRBD) or do you replicate the LVs? Tough choices to make, and they don't give you the ability to snap effectively. Ultimately LVM was the perfect place to implement a replication scenario and I've always (for years) wanted to do just that but never have the time. Now btrfs is out I'm wondering if it would be a better option for doing just that? Who knows... it's all too hard really. On top of all this you sacrifice the things LVM brings to the table (things like dynamic volume sizing) just to do replication.

It's not easy, don't get me wrong; there are a lot of complications. For eg, ordered data is tough.

For eg: let's say I have 5 blocks on a disk that change like so:

  1. 1a 2a 3a 4a 5a
  2. 1b 2a 3b 4b 5a
  3. 1b 2b 3c 4b 5a
  4. 1c 2b 3c 4c 5b

Then I plug in my drive. The source volume looks like point 4, yet my drive is going to try and replicate in order through each point. Now let's say I let it get to point 2. What it'll do is copy blocks 1, 3 and 4 because that's all that's changed at point 2 (PAINFUL!), yet at the source we have 1c, 3c and 4c. So my remote disk looks like: 1c 2a 3c 4c 5a - this doesn't correspond to any point in my ordered data stream, and if these are blocks in a MySQL data table, you're going to be pissed off to say the least, because part of a table (perhaps even part of a single column/row) is at the latest data while parts of it are at the oldest. This sucketh and ultimately has the capacity to kill the entire replicated data.

This is where it can hurt performance, because you either copy the block at each write point to preserve blocks that got tampered with or you just "live with it"... don't really know the answer to that in reality.
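The scenario above, worked through as an added simulation (my code, not the post's): a metadata store that logs only the ids of changed blocks is replayed against the source as it is now, and compared with a store that journals the block data at each write point (the "copy the block at each write point" option). The five-block history is the one from the post; the function names are mine.

```python
# Simulation of the ordered-replication hazard described in the post.
# The five-block history is constructed from the post's four write points.
HISTORY_TEXT = [
    "1a 2a 3a 4a 5a",  # point 1: what the replica already has
    "1b 2a 3b 4b 5a",  # point 2
    "1b 2b 3c 4b 5a",  # point 3
    "1c 2b 3c 4c 5b",  # point 4: what the source looks like when the drive is plugged in
]


def parse_point(text):
    """'1a 2a 3a 4a 5a' -> {1: 'a', 2: 'a', ...} (block number -> content version)."""
    return {int(tok[:-1]): tok[-1] for tok in text.split()}


def format_point(state):
    return " ".join(f"{n}{v}" for n, v in sorted(state.items()))


HISTORY = [parse_point(t) for t in HISTORY_TEXT]


def changed_blocks(before, after):
    """Block ids whose content differs between two consecutive write points."""
    return sorted(n for n in after if after[n] != before.get(n))


def build_id_log(history):
    """Metadata store that remembers only *which* blocks changed at each point."""
    return [changed_blocks(history[i - 1], history[i]) for i in range(1, len(history))]


def build_journal(history):
    """Metadata store that also keeps a copy of each changed block's data."""
    return [{n: history[i][n] for n in changed_blocks(history[i - 1], history[i])}
            for i in range(1, len(history))]


def replay_id_log(replica, id_log, source_now, upto):
    """Naive replay: for each of the first `upto` logged points, copy the listed
    blocks from the source *as it is now*.  A block that changed again later
    arrives with its newest content, so intermediate states are torn."""
    replica = dict(replica)
    for ids in id_log[:upto]:
        for n in ids:
            replica[n] = source_now[n]
    return replica


def replay_journal(replica, journal, upto):
    """Journaled replay: apply the data recorded at each write point, so the
    replica passes through exactly the states the source went through."""
    replica = dict(replica)
    for entry in journal[:upto]:
        replica.update(entry)
    return replica


def matches_some_point(state, history):
    """True if the replica equals one of the write points in the source history."""
    return any(state == point for point in history)


if __name__ == "__main__":
    start, source_now = HISTORY[0], HISTORY[-1]
    torn = replay_id_log(start, build_id_log(HISTORY), source_now, upto=1)
    clean = replay_journal(start, build_journal(HISTORY), upto=1)
    print("id-log replay to point 2: ", format_point(torn),
          "consistent" if matches_some_point(torn, HISTORY) else "TORN")
    print("journal replay to point 2:", format_point(clean),
          "consistent" if matches_some_point(clean, HISTORY) else "TORN")
```

Replaying the id-only log all the way to point 4 does converge on the source, which is why the problem only bites when the replica is interrupted (or read) part-way through the log.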

Wednesday, September 30, 2009

Nokia Maemo - WOW!

Lately, well actually since the OpenMoko, I've been very entertained by phones aimed at Linux hackers such as myself. Unfortunately the OpenMoko was slightly disappointing in a number of aspects, which included things like not-quite-open hardware and lack of connectivity.

Then along came Google with Android and suddenly the field changed a bit. Google certainly courted the Linux community with a phone OS that had some serious possibilities. I really wanted one but was turned off somewhat by the thought of coding in Java (again). I dislike Java. Still, the Android phones were quite interesting to behold and when the HTC Hero came out I found myself very much wanting one.

That was, until the Cyanogen disaster - so here's a bit of back story. I nearly had a Hero. Sometimes the worst type of frustration (at the time) can turn out to be the biggest lucky break. I was going to buy a Hero from a local distributor, but a set of annoying email exchanges (and a fair amount of frustration) gave time for the Cyanogen mess to unfold and for me to go from a Google-loving fanboy to "why would Google attack its own hacking community" and finally "I can see no good excuse for this"... Even MS don't do things like Google did, and that's really saying something.

(You could also mention the iPhone, but it's just not a great hacker's phone when it comes down to it.)

Then along came the Maemo, and a couple of friends who I'd deem Linux hackers were quite interested in it. Finally it piqued my curiosity enough for me to take a good look at what this Maemo actually was, and here's what impressed me.

For starters, whenever I go to the Nokia site I think "Symbian" and locked-down-to-carriers and heavily-locked-development phones with a very highly corporate and dumb-consumer focus. What I found astounded me. For starters the Maemo site looks very pretty, very Nokia in some ways, but not in others. Then I discovered the "hacker" side of things. Links to things like IRC channels on Freenode and the like, and that one thing really made me sit up and pay attention. It may sound a little shallow to base the whole thing on one link to a Freenode IRC channel, and that's not what nailed it for me, but it is what made me really sit up and pay attention.

That Nokia is aimed at "me". It's aimed at guys who mess around in Ubuntu and Fedora (or any other Linux distro really) because they love it, and yet it has the ability to be a really impressive phone as well. At the very least it makes me realise it's something worth waiting for.

Now a bit of phone back story for me. My best experiences have been Nokias, but Nokias have always had a feel of "I'm a mobile phone, don't screw with me because you can't", unlike some of the other phones I've had. My first step away from Nokia was when I moved from Vodafone to Three and 3G (this was many years ago when Three started up in AU - i.e. the very beginnings) and I got an NEC e606 (not a great phone in reality, but it put up with a lot of punishment). Nokia didn't have a phone worth getting back then (or at least, they were so expensive in the 3G range they just weren't worth considering). My next phone (some years later) was a Sony Ericsson - the most disappointing phone I've ever owned in most respects. It put up with a lot of punishment but was slow as a dog; it did however have a decent battery. My next phone was a Dopod D810 (my first Windows Mobile) and that wasn't a terrible phone. It was stolen about 4 months later and I ended up using my Sony phone again for a bit. Work started getting new phones and I ended up getting a TyTN II phone. That was about 18 months ago. This was a thoroughly frustrating and disappointing phone to begin with (especially after the Dopod). It was slow and bulky (stupid keyboard). But later I discovered the xda-developers hacker community for the phones and my interest stepped up a thousand notches. Ultimately it made the phone "fun" and so I kept at it for a while (consider: I'm a Linux guy who is very anti-MS and anti-Apple).

Later, people started porting the Linux kernel to the phone and even various Android (including the Hero) interfaces. Those were the things that made me interested in Android again (the playing I'd had with Android 1.0 was mostly disappointing, but it was fun playing in their dev environment). Of course, porting the Linux kernel to the TyTN II had some interesting consequences, such as being able to run other mobile-focused environments on the phone (Opie, GPE, OpenMoko, etc.). So the TyTN II has certainly made my life fun in ways I didn't expect straight out, and I still do enjoy it.

I wonder who can really be thanked for the sudden uptake of "open" in the phone business? OpenMoko maybe? Who knows...

Monday, September 28, 2009

Cyanogen and Android: How could Google possibly be hurt by this?

Android Developers Blog: A Note on Google Apps for Android

If you follow Android like I do, you will have heard about the Cyanogen mess. And perhaps Google's response.

What I don't understand about it all (after reading about it for days and days and trying to get what is going on) is what Google could possibly be thinking. What would Google possibly have to lose from people distributing their closed-source apps on custom ROMs?

I seriously am asking that question - there's piracy and then there's "what brain did I leave at home today". I wish someone could answer that question.

See, the thing is I've got an HTC TyTN II phone and it kinda sucks as phones go. But when Linux got ported to it (and later Android) it made it worth using (or at least playing with)... even more importantly though, once the Magic and Hero came out, I wanted one. In some ways it was a shame that I'd finally decided I'd get a Magic and then I found out about the Hero, and now I'm kinda stuck between a rock and another rock because of the Hero not really being available in AU, etc. etc. etc.... Anyway, I'd finally decided I'd go with the Hero (despite the fact that I could get screwed by compatibility problems if the company I work for switches carriers) because it just looked pretty damn awesome.

I played with the Hero port on my TyTN II and it's good (not 100% usable, but quite impressive). Impressive enough that I really wanted one.

Enter the Cyanogen mess.

I was literally 10 minutes from buying the Hero when I saw the Slashdot article in my RSS reader.

Now let's take a bit of a detour. On my TyTN II I've gone to the xda-developers website (a lot) and downloaded the 6.5 ROMs that are available, all without much thought to the fact that technically that's piracy, right? (Or is it?) My phone comes with a license for 6.1, not 6.5. Yet MS have never raised a finger (that I know of) about these modders. The ROMs include lots of MS software too.

So someone, anyone, please explain to me how Google lose out from someone distributing the Google Marketplace application?

I mean, my TyTN II has obviously never had a license for Google Marketplace, yet how do Google lose from me having it? If I buy software online do Google not get a cut or something?

I'm truly lost as to what drove Google to this decision, and even more importantly I've lost faith in them, at least for now. It's been a long time since I've felt that kind of disappointment; it's the kind of "loss-of-innocence" thing you go through when you grow up - something you don't expect when you hit 30+.

Additional:
Just so people understand where I'm coming from, I could understand it if the person Google went after was some rogue manufacturer of handsets who took the closed-source apps and started producing an Android phone. This was not; this was an enthusiastic developer with a large following of other enthusiastic developers. Traditionally this has been what has driven a lot of what Google do, so now Google wants to bite the hand that feeds it? So be it.

Even if Google were FORCED to do this by their partners in the Open Handset Alliance, it could have been done much better without attacking people. If Google had printed an "open letter" to Android hackers saying "please don't distribute our apps", the community would have responded well.

In reality, Google probably owe Cyanogen money, because I know at least a few people who bought Android phones after seeing the Cyanogen hack.

Saturday, September 26, 2009

Contextual ToDo - an interesting idea...

Now and then I think up something I don't believe yet exists (though it possibly does), and here's one.

I like cutting code but I often find that I don't have heaps of time to do it. For example, right now I would love to have a todo list that doesn't suck, and there are a few, but none of them inspire me to do anything. Currently I use Tasque on GNOME and it's not bad, but it falls out of use often. I realise that a lot of the reason for that is that it's often not visible to me, so I forget what it is I have to do.

Now, back when I used to use KDE for my desktop (back when it was usable at 3 and not an ugly space-wasting mess) it had a wonderful RSS app that produced a scrolling list of RSS items in the panel (FANTASTIC!). I've always wanted that app so badly under GNOME; I miss it greatly. However, I always thought that replacing the notification area with something like this would be much more useful than the current notification area.

Basically, whenever anything wanted to publish to the area it would add it as a text scrolly and it would stay there until it was acknowledged (or something else occurred to remove it).

But, back to my task list app. What I had in mind was first an area like the above, where your current (applicable) tasks scroll across so you've always got the reminder there. If you scroll over the edge of the bar, a full list shows up (top to bottom). But I've also always wanted context with some simple rules and various task lists. For example if I'm on an IP address of a.b.c.* then I'm at work and I want my work task list; if I'm on x.y.z.* I'm at home and want that one....

Personally, I'd love to see something like that, and if I had the time I'd make a project out of it.. but alas, it won't happen anytime soon!

Wednesday, September 09, 2009

Avahi - another great example of a missed opportunity (so far)?

So I (don't ask me how, I don't remember) stumbled across a little piece of software called "avahi" while looking for something Linuxy... It's been there for a long time and I've never really bothered to learn much about it.

Until now. I can't remember what it was I was searching for, but I ended up at a Wikipedia entry and was mostly stunned at what Avahi actually is.

Consider I've been using Linux since '92.

Avahi is a (so far) missed opportunity for Linux (IMHO) now that I understand what it is. It is essentially an mDNS service discovery tool for publishing available services from a machine to the local LAN (it can be broadcast across segments, but that's not so important).

At first I thought "Ahh, it's so GNOME can grab local machine resources easily" - not so, and when I realised what it did I soon discovered the service discovery applet for GNOME. Wow, that is very interesting. So you kick the applet in the guts and it sees all this stuff that's running on your network. In my case it turned up every server running SSH, a Samba share and a few other non-essential things.

At least, that's what it did when I told the service discovery applet to look for everything.

Now imagine this in an enterprise - Avahi can publish to real DNS so that your servers could easily publish their available services to clients.

Now, there is the argument that "so anyone plugged into your LAN can see the services available".. If this is what you're worried about, you don't know security.
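As an added example (my code, not part of the post or of Avahi itself), here is the DNS-SD record set (RFC 6763) that this kind of discovery is built on, assembled for a couple of services and then browsed the way the applet does it: first the "what types exist?" meta-query, then each instance resolved to host and port. The zone name, hosts and instance names are constructed placeholders.

```python
# DNS-SD as used by Avahi: a service type owns PTR records pointing at its
# instances; each instance has an SRV (host, port) and a TXT (metadata).
# Zone, hosts and instance names below are constructed placeholders.
ZONE = "lan.example"                        # mDNS itself would use "local"
META = f"_services._dns-sd._udp.{ZONE}"     # the "list all service types" name


def publish_service(records, instance, service, host, port, txt=None):
    """Advertise one instance.  `records` is a dict keyed by (rrtype, owner)."""
    type_name = f"{service}.{ZONE}"
    inst_name = f"{instance}.{type_name}"
    types = records.setdefault(("PTR", META), [])
    if type_name not in types:               # one PTR per type in the meta list
        types.append(type_name)
    records.setdefault(("PTR", type_name), []).append(inst_name)
    records[("SRV", inst_name)] = (0, 0, port, host)   # priority, weight, port, target
    records[("TXT", inst_name)] = dict(txt or {})
    return records


def browse(records, service=None):
    """What any client on the segment learns without credentials.
    No service type: the advertised types (the applet's "look for everything").
    With a type: every instance resolved to (instance, host, port, txt)."""
    if service is None:
        return sorted(records.get(("PTR", META), []))
    found = []
    suffix = f".{service}.{ZONE}"
    for inst_name in records.get(("PTR", f"{service}.{ZONE}"), []):
        _prio, _weight, port, host = records[("SRV", inst_name)]
        instance = inst_name[: -len(suffix)]
        found.append((instance, host, port, records.get(("TXT", inst_name), {})))
    return sorted(found)


def build_sample_network():
    """Constructed network like the one in the post: two SSH hosts and a Samba share."""
    records = {}
    publish_service(records, "fileserver", "_ssh._tcp", f"fileserver.{ZONE}", 22)
    publish_service(records, "buildbox", "_ssh._tcp", f"buildbox.{ZONE}", 22)
    publish_service(records, "fileserver", "_smb._tcp", f"fileserver.{ZONE}", 445,
                    {"path": "/share"})
    return records


if __name__ == "__main__":
    net = build_sample_network()
    print("types:", browse(net))
    for inst in browse(net, "_ssh._tcp"):
        print("ssh:", inst)
```

The same record shapes, with the zone swapped for a unicast DNS domain, are what "publishing to real DNS" means in practice.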

Still, what annoys me most is that it's been around for a while and I never really heard anything about it. On top of that, the implementation is very limited at the client, while the server side is probably the best server-side implementation going.

Very annoying.