ICMP redirects no longer working

by Michael Urspringer - 04.02.2017

I have a test LAN with its own IP range and I want to reach that test LAN from my production LAN.

For that, I have a software router based on pfSense, which has one virtual network interface in my production LAN and one in the test LAN. On my main router I added a static route for that.

About two weeks ago, that setup suddenly stopped working. At least from all Linux and Mac OS based machines I was unable to reach IP addresses in the test LAN. From Windows machines it still worked.

To be able to explain it a bit better, let us assume the following IP addresses:

The message I got, if I tried to ping an address in the test LAN (e.g. from a machine with IP, was something like

So it is quite normal that the main router sends the client an ICMP redirect, because there is a more direct route to the network via the pfSense virtual router on So no need to go first to

The Windows machines still responded correctly to these ICMP redirects; the Linux and Mac OS machines did not.

I have no idea what might have changed, either in my network configuration or in Linux/Mac OS, so that this no longer worked. Maybe some patch recently delivered to Linux and Mac OS disabled that.

However, because ICMP redirects can be a potential security hole, I decided that all machines in the production LAN should get a direct static route to the test network. As all my devices use DHCP to configure their network parameters automatically (also the ones which should have a fixed IP address!), I was able to just push the static route via the DHCP “classless static routing” option. So there is no need to configure it on every single device. This should work with most current devices.

The DHCP option for classless static routing is “121” and you need to use a special syntax for that:

So for the example above (class C network, network, address of the router it is:

Here are the steps for DNSMASQ (the DHCP server I am using on my OpenWRT based router):

  • Edit “/etc/config/dhcp”
  • Add the following dhcp_option line to your DHCP LAN definition:

  • Restart DNSMASQ:
    /etc/init.d/dnsmasq restart

Now as soon as a device renews its DHCP configuration, it should also get a static route to the network via
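As an added example (not code from the original post), here is how the wire format of DHCP option 121 works, so a route pushed this way can be checked before it goes into the DHCP server and after a client has received it. The addresses are constructed placeholders, not the post's real networks, and the dnsmasq notation shown is the generic `dhcp-option=121,dest/prefix,router` form.

```python
# Added example (not the post's code): encode/decode the RFC 3442 "classless
# static route" option 121 and render it in dnsmasq's dhcp-option notation.
import ipaddress

def encode_option_121(routes):
    """routes: list of (destination_network, router) strings.
    RFC 3442 encodes each route as: prefix length (1 octet), only the
    significant octets of the destination (ceil(prefix/8)), router (4 octets)."""
    out = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest, strict=True)   # rejects host bits set
        sig = (net.prefixlen + 7) // 8                   # significant octets
        out.append(net.prefixlen)
        out += net.network_address.packed[:sig]
        out += ipaddress.IPv4Address(router).packed
    return bytes(out)

def decode_option_121(data):
    """Inverse of encode_option_121, e.g. to inspect what a client received;
    raises ValueError on a malformed or truncated option."""
    data = bytes(data)
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        i += 1
        if plen > 32:
            raise ValueError("prefix length out of range")
        sig = (plen + 7) // 8
        if i + sig + 4 > len(data):
            raise ValueError("truncated option 121 data")
        dest = data[i:i + sig] + b"\x00" * (4 - sig)     # pad back to 4 octets
        router = data[i + sig:i + sig + 4]
        i += sig + 4
        net = ipaddress.IPv4Network((dest, plen))
        routes.append((str(net), str(ipaddress.IPv4Address(router))))
    return routes

def dnsmasq_option_121(routes):
    """Same routes in the 'destination/prefix,router' notation that dnsmasq's
    dhcp-option=121,... directive takes (one pair per route)."""
    return "121," + ",".join(f"{d},{r}" for d, r in routes)

# Constructed placeholder addresses: test LAN 192.0.2.0/24 via router 198.51.100.2
ROUTES = [("192.0.2.0/24", "198.51.100.2")]

if __name__ == "__main__":
    raw = encode_option_121(ROUTES)
    print(raw.hex())                   # 18c00002c6336402
    print(decode_option_121(raw))      # [('192.0.2.0/24', '198.51.100.2')]
    print(dnsmasq_option_121(ROUTES))  # 121,192.0.2.0/24,198.51.100.2
```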


Docking station for iPhone and Apple Watch

by Michael Urspringer - 21.01.2017

More and more devices want to find a place on the nightstand. So that this does not turn into an untidy tangle of cables, I now have this docking station for iPhone and Apple Watch on the nightstand:

The docking station comes with a 48W power supply and additionally has 2 USB ports to charge up to two more devices. In my case, for example, the Kindle is charged there as well (even if that is only necessary every few weeks …).

You can also lay the Watch sideways on the holder. However, the angle is not steep enough, so the watch does not go into alarm clock mode. You should know that if you need this feature. I do not use the feature myself.

Unfortunately, the docking station does not come with its own cable for the Apple Watch, so you have to order one separately. And here Apple's pricing policy annoys me once again. Charging 35 EUR for a charging cable is simply a joke. Unfortunately there do not seem to be any cheaper third-party replicas so far.



Additional power supply for the MacBook Pro

by Michael Urspringer - 17.01.2017

My power supply for the MacBook Pro is somewhat built in at my desk at home, and it is quite tedious to unplug and replug it every time I take the MacBook somewhere. So an additional power supply was needed. Since I had no desire to spend over 80 EUR on an original Apple power supply, I looked for cheaper alternatives.

My choice fell on the Salcar 60W Magsafe 2 T Form. The thing weighs only 145 g and additionally has 2 USB charging ports with 2 A.

With it I can charge my iPhone or my Bluetooth headset and power the UMTS router in addition to the MacBook when I am on the road. And I do not have to waste any of the USB ports on the computer for that. They stay free for a USB stick and an external disk.

Together with a combo USB cable like this, you can charge pretty much everything you carry with you.

Even though there is no long-term experience yet, so far it is a clear buy recommendation.


I had some new issues while migrating a customer environment from IBM Connections 5.0 to 5.5 (Oracle) and I would like to document them here:

ORA-01722: invalid number during Homepage upgrade


While running the script “homepage/oracle/upgrade-50CR4-55.sql” we got the following errors in the log file:

The reason for that was that the order of the columns in the table “HOMPAGE.NR_DISCOVERY_VIEW” was different from the order of the columns when you create that table from scratch. I guess it was because this table has already been upgraded many times (since IBM Connections 3.0). We had another (test) environment where the order of the columns was correct (but the database of that environment had been created from scratch somewhere around Connections 4.5).

The SQL script reads the content of a database row into an array and then uses this array to insert the data into another table. When inserting the data via an array, the target table needs to have exactly the same column order so that the values end up in the right columns.

To solve the issue I changed the following statement from


which then solved the issue.

No migrated entries in “Discover” view of the Homepage


After the migration, the “Discover” view on the Homepage was empty. Only new entries appeared, but all entries from before the migration were not displayed. I solved that by changing the same SELECT statement mentioned above from


The old statement wrote the value “23” to that column in the target table, regardless of the original value. In our case the original value of all entries was “17”. So we just removed the “23” in front of the column name so that the correct values were written to the target table. Afterwards the “Discover” view was populated correctly with the values from before the migration.

Additional Homepage java migration necessary for 5.0 to 5.5


We also realized that a Java migration for Homepage is not only necessary when migrating from 4.5 to 5.0 but also when migrating from 5.0 to 5.5. This is currently not mentioned in the documentation. There is one hint here, but the description in that chapter is currently not correct and should not be used that way. The correct way to do the Java migration from 5.0 to 5.5 for Homepage, including the missing JAR file, can be found in that technote.

Be aware that the parameters for JDBC URL, DB user and DB password do not have a prefix like “-dburl / -dbuser / -dbpassword” but are just written without one. This is different from the Java migration for version 4.5 to 5.0. Also make sure you have the newest version of the JAR file from the technote. It was updated on January 11th, 2017 with a new version (bug fixes for Oracle).

Wrong documentation which scripts should be run for Homepage migration


The documentation currently gives a wrong description of which SQL scripts you should run for upgrading Homepage if your DB schema version is “479”. The documentation currently says:

but it should read:

I requested that the documentation be updated with all the issues found, so hopefully the documentation will be correct again in the future.


I am a long-time user of “Remember The Milk” (RTM) to manage all my tasks. Although they still do not have a native app on the iPhone, you can use Siri on the Apple Watch to automatically create a task in RTM without touching your iPhone.

This is really something I use very often throughout the day, especially as Audi has killed Siri in my A3 if the iPhone is connected to the car system via Bluetooth. Siri on the watch still works like a charm.

Here it is described how to enable Siri with RTM on the iPhone.


DBEAVER – Universal Database Manager

by Michael Urspringer - 04.01.2017

I normally used “Squirrel” as a free universal database client to connect to databases like DB2, Oracle etc.

I just found a new tool called “DBeaver”, which is also free. It looks very nice and it will replace Squirrel for me now.


Publishing PGP Keys in DNS

by Michael Urspringer - 06.11.2016

As I have now secured my DNS server with DNSSEC, I was able to publish my public PGP key via DNS as well. There are two different possibilities to do that:

PKA (public key association)

This puts a pointer to where a key can be obtained into a TXT record. At the same time that can be used to verify that a key belongs to a mail address. You can find more about that here (only in German).

My DNS TXT record looks like that:

The part before “._pka.” is the local part of my mail address (“michael”) and the part after “._pka.” is the domain name “urspringer.de”. The “v=pka;” specifies the version of PKA (currently V1). The value “fpr=7F3F203B94F85C3B7969BF58C5F5860FF6160414” is the fingerprint of my PGP key. The value “uri=http://www.urspringer.de/media/Michael_Urspringer.asc” specifies the URL where my PGP public key can be downloaded.

You can test if it is working e.g. with gpg like that:



With an OPENPGPKEY resource record the complete key is stored in DNS. You need a BIND9 version of 9.9.7 or 9.10.2 or newer.

The name under which the record is located is built up as described below:

  • the local part of the email address associated with the key, hashed with the SHA2-256 hash function and truncated to the first 28 octets;
  • the _openpgpkey label;
  • the domain part of the email address.
  • The record data is the PGP public key.

It looks something like that:

To create that record you can use the tool on this website. Just put in your PGP public key, select “Standard (OPENPGPKEY)” as output format and click on “Generate”.

You can test if it is working with OPENPGPKEY.info.
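As an added example (not code from the original post or from the generator website mentioned above), this derives the OPENPGPKEY owner name from the rules listed above and renders and checks the record. The key bytes are a constructed placeholder, not real key material; the email address is the one from the post.

```python
# Added example (not the post's code): derive the owner name and build a
# zone-file line for the OPENPGPKEY record described above (RFC 7929).
import base64
import hashlib

def openpgpkey_owner(email):
    """Owner name for the key of `email`: the first 28 octets of
    SHA2-256(local part) as 56 hex digits, the _openpgpkey label, then the
    domain part. The local part is hashed as-is (case matters)."""
    local, domain = email.rsplit("@", 1)
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain}."

def openpgpkey_record(email, key_bytes, ttl=3600):
    """Zone-file line in the standard presentation format: the RDATA is the
    binary (not ASCII-armored) public key, base64 encoded."""
    rdata = base64.b64encode(key_bytes).decode("ascii")
    return f"{openpgpkey_owner(email)} {ttl} IN OPENPGPKEY {rdata}"

def check_record(line, email):
    """Check that a record line is the OPENPGPKEY record for `email` and
    return the decoded key bytes, or None if owner name or type mismatch."""
    owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
    if rtype != "OPENPGPKEY" or owner != openpgpkey_owner(email):
        return None
    return base64.b64decode(rdata)

# Constructed placeholder instead of real key material: a real record carries
# the exported binary public key (e.g. the output of `gpg --export <keyid>`).
FAKE_KEY = b"\x98\x8d\x04" + bytes(range(29))
EMAIL = "michael@urspringer.de"   # the address from the post

if __name__ == "__main__":
    line = openpgpkey_record(EMAIL, FAKE_KEY)
    print(line)
    print(check_record(line, EMAIL) == FAKE_KEY)   # True
```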



Debian Jessie: Upgrade BIND9 to newer version

by Michael Urspringer - 06.11.2016

I wanted to update BIND9 on my Debian Jessie Linux system to a newer version than the currently packaged version 9.9. Here are the steps to upgrade it to version 9.11:

This will install the new version of BIND9 to “/usr/local/sbin”. So the new version of BIND9 is installed in parallel to the packaged version of Debian Jessie (which resides in “/usr/sbin”), and in case of problems you can always go back to the original BIND9 version.

You now need to modify the start script of BIND9 so that the new version will be used. You can do that with the following steps:

  1. Stop BIND9 with “service bind9 stop”
  2. Make a backup of the original start script: “cp /etc/init.d/bind9 /etc/init.d/bind9.ORG”
  3. Open “/etc/init.d/bind9” in an editor
  4. Add the path “/usr/local/sbin” at the end of the path statement so that it looks like “PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin”
  5. Replace all “/usr/sbin/named” with “/usr/local/sbin/named” and all “/usr/sbin/rndc” with “/usr/local/sbin/rndc”.
  6. Make a backup of the original service definition: “cp /lib/systemd/system/bind9.service /lib/systemd/system/bind9.service.ORG”
  7. Open “/lib/systemd/system/bind9.service” in an editor
  8. Replace all “/usr/sbin” with “/usr/local/sbin”
  9. Run the following commands:
    ln -s /etc/bind/named.conf /etc/named.conf
    ln -s /etc/bind/rndc.key /etc/rndc.key
  10. Start BIND9 again with “service bind9 start”

Now BIND9 should run with the new version.




Technical Changes Behind the Scene …

by Michael Urspringer - 05.11.2016

It has been a long time since I posted something here. The reason is that I made some massive technical changes in the background.

First, all my stuff is now running on a plain Linux virtual server (based on Debian Jessie) instead of a Linux server managed via Plesk. It was simply too much overhead and very hard to figure out where to make changes which would not be overwritten by Plesk later again. So adding new stuff or configuring existing things is much easier now.

I also improved my internal mail system. In the past I already used my own mail server but forwarded all mails to Google Mail, as I really like the Gmail front end and especially the archive and search functionality. Antispam had also been outsourced to Spamfence. Both worked very well for me, but all my mails were sent to and stored at third-party providers. So I changed that and now everything is done on my own server. I reconfigured Postfix so that most of the spamming attempts are now already blocked on the SMTP level and never reach my system. The very few spammers who succeed in delivering mails are filtered out by SpamAssassin, which now works very well. The same is true for dangerous mails like viruses, executables etc. I also added support for SPF and DKIM, both for incoming and outgoing mails.

I installed Dovecot as IMAP server together with Sieve for mail filtering, and as front end I am now using Roundcube. I like its user interface and it already has built-in support for PGP encryption. I imported all my mails since 2013 from Google into Dovecot so that I can at least do some basic searching.

If I really need more sophisticated search features, I have all mails archived on my local computer via MailStore Home. I tried to set up Solr to search within my IMAP account, but that was not yet successful as it always crashes while searching virtual folders. So there is still something to improve in the future 🙂

I am now also hosting my own DNS server, which in the past was something my provider did for me. The main reason is that I wanted to implement DNSSEC (secure DNS) together with DANE for verifying my SSL certificates, and my provider did not yet support DNSSEC. So I switched all my domains to INWX and installed my own DNS server, which now works as the primary while the INWX servers work as secondaries.

In addition, I needed to switch all my SSL certificates from StartSSL to something else because of a security issue. As I needed something where I can get several certificates at no or very low cost, I have chosen LetsEncrypt as my new SSL provider.

This works pretty well (I am using this script as a basis) and has only one disadvantage: all certificates need to be refreshed every 90 days. Although this is normally not really a problem, it could become one because all my certificates are now protected by DANE and the certificate’s fingerprint needs to be updated in my DNS as soon as the certificate changes. So this will still be a challenge in the next weeks.

Last but not least, I decided to have a backup server for SMTP and DNS, so I needed to build and configure that as well. My main hosting provider is still Host Europe (I have had very good experience with them in the last years), but for a backup server (which is not really needed ;-)) it was too expensive. So my backup server is a small virtual machine hosted by IP Interactive, a small provider near my home.

To be able to monitor all that stuff, I added all servers and services to my Icinga monitoring system on my Raspberry Pi which now monitors over 22 hosts and almost 80 services.

All servers capable of sending SYSLOG messages were consolidated to a central SYSLOG server, also hosted on my Raspberry Pi, with Loganalyzer as front end.

Doing all that was quite some work, but I have again learned a lot about Linux, SMTP, DNS and other stuff. So it was worth the effort. I guess that now explains why I did not have much time to write blog entries, but hopefully this will change again now … 🙂

Some links which helped me in configuring some of these things:





© 2000-2015 Michael Urspringer