Technology-Leadership FAQ
May 18, 2010 new updates regularly

The TLC FAQ is now updated more regularly. It NEVER USES BOTS TO COLLECT DATA: all info is original and/or implementations of specs.

tlc has professional services – inquire to asimon@technology-leadership.com

April 21, 2010

Easy Linux server iptables configuration

To enable your local, internal firewall on your Linux server, you need to run a couple of commands as root:

# chkconfig iptables on

# service iptables start

Add a policy to the interface. Let’s say it is a bonded interface called bond0. This policy will reject all inbound and forwarded traffic on bond0, except ping (ICMP) and connections on port 22, the SSH port. Note that every rule in the custom chain matches only -i bond0, so traffic arriving on any other interface (including lo) falls through to the INPUT chain’s ACCEPT policy; add rules for those interfaces if the server has more than one. Create a file called iptables, place it in /etc/sysconfig/, and add the following content:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# custom chain holding the bond0 policy
:RH-Firewall-bond0-INPUT - [0:0]
# send all inbound and forwarded traffic through the custom chain
-A INPUT -j RH-Firewall-bond0-INPUT
-A FORWARD -j RH-Firewall-bond0-INPUT
# allow ping and replies to connections this host initiated
-A RH-Firewall-bond0-INPUT -i bond0 -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow new ssh connections
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-bond0-INPUT -i bond0 -m state --state NEW -m udp -p udp --dport 22 -j ACCEPT
# reject everything else arriving on bond0
-A RH-Firewall-bond0-INPUT -i bond0 -j REJECT --reject-with icmp-host-prohibited
COMMIT

Restart iptables service:

# service iptables restart

View your new policy:

# iptables -L

That’s it. Enjoy!
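As an added example (not part of the original post), here is a small POSIX shell script that generalizes the ruleset above to any interface and list of TCP ports, and then audits a saved ruleset file to list which ports it opens and to confirm the per-interface chain ends in a REJECT. The function names and the audit logic are my own; the script only reads and writes files and never touches the live firewall.

```shell
#!/bin/sh
# gen_ruleset IFACE PORT... : print an iptables-save ruleset for IFACE that
# accepts ICMP, replies to established connections and NEW TCP connections
# to the listed ports, and rejects everything else arriving on IFACE.
gen_ruleset() {
    iface=$1; shift
    chain="RH-Firewall-${iface}-INPUT"
    printf '%s\n' '*filter' ':INPUT ACCEPT [0:0]' ':FORWARD ACCEPT [0:0]' \
        ':OUTPUT ACCEPT [0:0]' ":$chain - [0:0]"
    printf '%s\n' "-A INPUT -j $chain" "-A FORWARD -j $chain"
    printf '%s\n' "-A $chain -i $iface -p icmp --icmp-type any -j ACCEPT"
    printf '%s\n' "-A $chain -i $iface -m state --state ESTABLISHED,RELATED -j ACCEPT"
    for port in "$@"; do
        printf '%s\n' "-A $chain -i $iface -m state --state NEW -m tcp -p tcp --dport $port -j ACCEPT"
    done
    printf '%s\n' "-A $chain -i $iface -j REJECT --reject-with icmp-host-prohibited"
    printf '%s\n' 'COMMIT'
}

# open_tcp_ports FILE : list, space separated, the TCP ports on which FILE
# accepts NEW connections, i.e. the services reachable from the interface.
open_tcp_ports() {
    grep -e '--state NEW' "$1" | grep -e '-p tcp' \
        | sed -n 's/.*--dport \([0-9][0-9]*\).*/\1/p' | tr '\n' ' ' | sed 's/ $//'
}

# chain_is_default_deny FILE : succeed only if the last rule appended to the
# per-interface chain is a REJECT or DROP, so unlisted ports stay closed.
chain_is_default_deny() {
    last=$(grep -e '^-A RH-Firewall-' "$1" | tail -n 1)
    case $last in
        *'-j REJECT'*|*'-j DROP'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Typical use on the server (as root), followed by: service iptables restart
#   gen_ruleset bond0 22 > /etc/sysconfig/iptables
#   chain_is_default_deny /etc/sysconfig/iptables && open_tcp_ports /etc/sysconfig/iptables
```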
 

August 27, 2009 Are there any safe investments today?

US Treasury Bonds

Treasuries, as they are called, are a very safe investment – but safe only at protecting the original principal. In the long run, with any significant inflation, most recent Treasury issues, with their paltry rates of return, will be big money losers.

In the short term, with extreme volatility in the markets, US Treasuries make an excellent hedge against both equities (long or short) and real estate (discussed below). Treasuries will maintain their value and are backed by the US government, which is critical in this uncertain time.

As the short term problems in financial markets subside, the rewards from Treasuries are far too small to protect against the risk of significant inflation.

In the next section, we will look at real estate.

April 23, 2009 Centralized Configuration Management: At What Cost

One of the hot-button technology topics is the desire to automate system administration tasks for organizations with medium to large scale server installations. Obviously, this is not an issue for the small concern with a server or two, but as the number of servers increases, so do the effort and costs required to install, manage and maintain them.

Organizations looking to control manpower and licensing costs, therefore, are not comfortable with the ‘variable cost’ aspect of system administration and the per server licensing of commercially available tools.  To reduce growing labor and licensing costs, variable costs associated with manpower and licensing need to be converted to fixed costs.  Theoretically, by doing so, a growing number of servers will not immediately translate into a correspondingly growing number of system support employees and configuration management (support) licenses.

Some recognized Open Source (i.e. free) configuration management tools include: CFEngine, Puppet, DACS (Distribution and Configuration System), SmartFrog, LCFG (Large Scale System Configuration), BCFG, Arusha, and many, many others. The most intriguing aspect of most of these configuration tools (except for SmartFrog) is that they require centralized management. This is because it is erroneously assumed that, to be effective, the management tool must have (and therefore rely on) centralized coordination.

In discussing configuration management theory, I will use the terms ‘parameter’ and ‘aspect’, as defined by Burgess and Couch in their paper “Modeling Next Generation Configuration Management Tools”.  Parameters are ‘units of configuration information’, such as the static IP address of a server.   Aspects are the combination of the configuration parameter and its corresponding constraints, dependencies and preconditions required for the parameter to be functional, such as the fully qualified domain name of the server.

In the above example, the IP address of a server is a simple configuration parameter because it has almost no dependencies beyond the topology (e.g. network segment) in which it is networked. Once the interface is configured and the default route added, the device will be successfully ‘networked’. The fully qualified domain name, however, has additional requirements for the correct resolv.conf and/or nsswitch.conf domain definitions, and also requires external DNS records (likely on a separate DNS server) to match.

The strength of a tool like CFEngine or Puppet is information hiding: users need not cope with the complexity of aspects. Thus, a good Puppet ‘recipe’ might use parameters such as host name and IP address to figure out what network it is on, and therefore what the fully qualified domain name should be. The main problem with these tools is that they require a lot of human labor to set up, and require the centralized host to generate configurations based on intimate knowledge of each and every server it manages. Though feasible, this does not scale well if the variety of local parameters and corresponding aspects increases with each new server.

Similarly, the centralized planning functions of these tools cannot react automatically to distributed changes.  Thus, these tools require manual changes to fairly complex configuration scripts, fairly often.

Given today’s generation of configuration management tools, I conclude that a centralized management tool like CFEngine or Puppet can be a cost effective alternative to similar commercial products, but only if your environment has the following qualities: 1) a relatively short list of hardware and OS types to support; 2) a relatively stable and predictable network environment; 3) control over all aspects of service provisioning; and 4) a large installation of servers providing ‘similar or identical’ services (i.e. little or no variation) to grow and maintain.

However, if every server is different due to the application and/or service it provides, or due to its OS and hardware configuration, and/or you lack control over significant aspects of external service provisioning, these tools may well cost you more in set-up and maintenance time, and in dollars for centralized server hardware, than you gain in savings from automation and/or fewer commercial client licenses.

For instance, if you are provisioning services on the Internet, you will lack control over certain service provisioning, like DNS servers. If you cannot control DNS records or the available DNS servers, then ‘scripts’ or ‘recipes’ to generate the nsswitch.conf file may be prone to failure due to changes you cannot predict or control.

In another example, if you are provisioning local printers to individual users, you may have to maintain a centralized database of ‘nearest printers’, which is an additional database management task required to keep your centralized configuration management tool working.

Conversely, if you moved towards a Service Oriented Architecture (SOA), you are not bound by the constraints of the ‘centralized’ server to be all knowing about your environment and local clients.

In the case of configuring DNS on a local client, we could create a local agent not part of the configuration server; but, instead installed on different servers or clients already in that domain, or pre-installed in our new client, to generate the correct nsswitch.conf and resolv.conf files at the time of installation.  As the domain names, servers and related DNS environment changes, dedicated agents in that domain can use available tools (e.g. dig or nslookup) to determine the correct entries in a configuration file for new clients. The CFEngine or Puppet ‘Master’ does NOT need to store this detailed information, nor even generate (cook) the final configuration file.

Similarly, for printer configurations, we could implement a printer configuration ‘agent’ in each local network. That agent could reside on a local server, an already configured local client, or the local print server itself. This agent can communicate with other ‘local clients’ physically close to itself, as determined by network subnet, IP range, MAC address range, or other criteria, and provision a ‘local printer’ to the local client.

In this latter example, we did not need a centralized server, or a centralized database of ‘closest printers’, in order to provide the local client with a local printer. Instead, we relied on a distributed SOA model to provide the service of ‘local printer configuration’ to devices connecting to the network at that geographic location.

The strength of this type of SOA configuration provisioning is that, as the printer models, names and IP addresses change on that local network segment, the local agent can be responsible for provisioning those changes dynamically and automatically.  We do NOT need a centralized service for this, nor do we need to “inform” a centralized database authority of a printer change, at all.  In fact, as we spend efforts building comparable SOA methods of configuration provisioning, the need for a centralized provisioning ‘master’ diminishes rapidly.
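As an added example (not the author’s code), here is the decision the printer agent described above would make: a POSIX shell function that matches a client’s IP against a table of printers and the subnets they serve, entirely on the local segment with no central ‘nearest printers’ database. The printer names and subnets are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample data: printer name and the subnet (CIDR) it serves.
# A real agent would maintain this list for its own network segment only.
PRINTERS='hq-floor1 10.1.1.0/24
hq-floor2 10.1.2.0/24
branch-a 192.168.50.0/23'

# ip_to_int A.B.C.D : dotted quad to an unsigned 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP CIDR : succeed if IP lies inside CIDR (prefix length 1-32).
in_subnet() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# nearest_printer CLIENT_IP : name of the first printer whose subnet contains
# the client, or "none". The choice is made locally from PRINTERS alone.
nearest_printer() {
    found=none
    while read -r name cidr; do
        if [ "$found" = none ] && in_subnet "$1" "$cidr"; then
            found=$name
        fi
    done <<EOF
$PRINTERS
EOF
    echo "$found"
}

# Example: nearest_printer 10.1.2.77 prints hq-floor2
```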

Jeff Hamilton, Technology-Leadership

Technology-Leadership is a leading consultancy company in financial and business management consulting strategies, focusing on issues involving corporate strategy, technology, financing, planning and implementation.

April 9, 2009 Is Now The Time to Act???

If any of you read my posts from June and July of 2008, you will see that I exited investments in securities and moved the bulk of those investments to bonds and cash, only weeks before the August through November stock market crash.  I kept 6 percent in stocks, which continued to decline to eventually hit 3.7 percent in March 2009.  It’s back to 4 percent, marking a 10 percent comeback.

There is a lot of pain and carnage in terms of lost stock prices, decreasing home values, consumer and commercial debt defaults, and rising unemployment still to come. Making matters worse, we still have to see a significant drop in valuations for credit default swaps and other derivatives, such as derivatives based on commercial bonds and commercial paper debt.

But, timing the very bottom of a recession is tricky. I seriously doubt the bounce in the stock market indexes this week signals the end of protracted up and down movements for the next 18 months. There may be quite a bit of upward movement – the DOW may approach 10,000 – or even exceed it. But, by Aug through Nov 2009, we should see a repeat of last year’s drop, and it could even drop BELOW where we were in March 2009.

But, as uncertain as the stock market has become, the alternative investments in commodities, bonds, and cash are becoming increasingly risky, themselves.   Especially with a very liberal, global money supply, the value of cash will continue to diminish as inflation becomes significant (and it will).  So, to answer the question in the subject, we can use a little math to help get the right answer.

Stocks were down as much as 40% or more from their peak, but have recovered about 10%, meaning we are still down about 33% from their peak. However, in terms of YEARS, not PERCENTAGES, the market average today stands where it was in 1997 – about 12 years ago! In other words, other than dividends, stocks have AVERAGED ZERO growth for a dozen years.

This is an interesting statistical fluke, since extrapolated out to the past 25 years, and even out past 50 years, stocks have averaged better than a 5% per year increase.  This means that, on average, there is about 12 years of 5%  per year gains hiding in the value of these stocks today!

Thus, today I shifted approximately 10% of my bond holdings and 4% of my cash to stocks. Why not all of it? Because I know I am buying on a bounce. If stocks continue to climb for a number of weeks, I may even buy more. Ultimately, I am waiting for the market to tank again, wiping out all of the near-term profits I plan to make as the market run-up continues, plus any additional as it falls through today’s prices. This is also when I will make even more significant investments in stocks: more than the 10% of my bond holdings and more than the 4% of my cash I moved today.

The long-term trend for the NEXT 12 years should statistically show a similar percentage increase of 5% a year (perhaps lower, maybe 4%). And, from the very lows of March 2009, the average yearly increase should be comparatively high (likely higher than 5%) through 2021. But, because of 12 years of flat growth from 1997 to 2009, regardless of the actual rate (be it 3, 4, 5, or 6%), a 24 year average starting at 1997 will be roughly half the percentage calculated from a 12 year average starting from 2009.

To conclude, you have a very high likelihood of approximately doubling your return by buying at 1997 prices today, than you have by waiting until the market recovers most of its pre-drop value. The time between now and 2021 will have ups and downs, so don’t try to time it, especially not to the month. Buy some stocks now! Buy a little more later! As the stock prices run up, you can continue to dump cash and bonds. Eventually, you will know you are in a bubble because prices are at, or above, PEAK levels of DOW 14,000. Once buying in the DOW 7000 to 9000 range, look to capitalize on DOW 12,000 to 14,000. If you have a stomach for risk – see if the DOW goes to 16,000 or 20,000. At some point, we can expect a massive contraction which will take us down another 40%, and the whole cycle can start all over again – in 12 years!

Jeff Hamilton, Technology-Leadership
