ipfw tables
FreeBSD has recently added a method for storing large numbers of CIDR address blocks in a lookup table that can then be matched by a single rule.
I use these on my country blocking to optimize things a bit.
Previously I put a large block of ipfw denies very early in my rule set and simply blocked everything from those addresses. This was not optimal since for some IPs I'd like to keep certain ports open, like port 80. I did not want per-host block lists since that would mean hosts x 3000 rules. Lookup tables are the answer.
My current setup goes more or less like this:
- General counter rules per jail
- Denies on frequently scanned ports like 1433 - without logging
- Blocks of rules per host - allow TCP, allow UDP, deny TCP, deny UDP, deny ICMP
I am now amending the per-host block by adding a single rule above the deny rules that kills off all the traffic from the dodgy countries, without logging it; after that come the denies with logging. This keeps my logs reasonably free of IPFW DENY log entries so I can monitor them easily.
I first create the table. Each table is numbered; I just chose 1 for mine.
ipfw -q table 1 add 220.228.0.0/15
ipfw -q table 1 add 220.232.64.0/18
ipfw -q table 1 add 220.232.128.0/17
I then simply have to add a single rule for each host, which is in effect the equivalent of duplicating all 3000 rules I previously had on a per-host basis. Now I can have my port 80s etc. open and still kill off the dodgy traffic without polluting my logs. Perfect.
A sample table rule:
ipfw add 21999 set 15 deny ip from "table(1)" to 1.2.3.4
The quotes around table(1) are very important since the shell you run the command under may otherwise interpret the parentheses. You could alternatively escape them, for example: table\(1\)
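The procedure above (populate a numbered table, then reference it from one rule per host) as a small added shell script; this is an example written for this page, not the post's own commands. It reuses the post's table number 1, rule 21999, set 15 and host 1.2.3.4, and assumes a block list file of one CIDR per line. Entries are validated before they reach ipfw so a stray typo or a glob character in the list is skipped instead of being passed to the firewall, and setting IPFW=echo previews the commands without touching the running rule set.

```shell
#!/bin/sh
# Added example, not from the original post: load a list of CIDR prefixes
# into an ipfw lookup table and hang one deny rule per host off it.
# Table 1, rule 21999, set 15 and host 1.2.3.4 come from the post's sample
# rule; the block list file format (one prefix per line) is an assumption.
# Run with IPFW=echo to preview the commands instead of changing the firewall.
IPFW=${IPFW:-ipfw}

# Accept only dotted-quad prefixes of the form a.b.c.d/n with n in 0..32.
# Anything outside digits, dots and a slash is rejected up front, which also
# keeps glob characters away from the unquoted "set --" below.
is_cidr() {
  case "$1" in *[!0-9./]*|'') return 1 ;; esac
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Load table $1 from file $2: blank lines and '#' comments are ignored and
# malformed entries are reported and skipped rather than aborting the load.
# Sets LOADED to the number of prefixes handed to ipfw.
load_table() {
  table=$1; file=$2; LOADED=0
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                               # strip trailing comment
    line=$(printf '%s' "$line" | tr -d ' \t')      # and any whitespace
    [ -n "$line" ] || continue
    if is_cidr "$line"; then
      $IPFW -q table "$table" add "$line"
      LOADED=$((LOADED + 1))
    else
      printf 'skipping malformed entry: %s\n' "$line" >&2
    fi
  done < "$file"
}

# The per-host rule. Passing "table($table)" as one quoted word is what
# keeps the shell from treating the parentheses as a subshell.
deny_from_table() {
  rule=$1; set_no=$2; table=$3; host=$4
  $IPFW add "$rule" set "$set_no" deny ip from "table($table)" to "$host"
}

# Usage: sh ipfw-table.sh blocklist.txt   (prefix with IPFW=echo to preview)
if [ -n "${1:-}" ]; then
  load_table 1 "$1"
  printf 'loaded %s prefixes into table 1\n' "$LOADED" >&2
  deny_from_table 21999 15 1 1.2.3.4
fi
```

The rule is added with `set 15` exactly as in the post's sample, so the whole per-host block can still be enabled or disabled together with `ipfw set`.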
Sunbird and Pocket PC
I have not been using my Pocket PC for a long time now, since I started using Sunbird, because no way exists to sync the two.
Over the weekend I thought I'd have another troll through the net and came across two good things.
The first is a repository of free Pocket PC software, well worth a look.
The second is a promising one-way syncing system for ics files -> Pocket Outlook. It is called KCal; it takes an ics file and replaces all your existing calendar entries with what is in that file.
So this is good if you do all your event entry in Sunbird and just need a mobile copy of it, with no syncing back to Sunbird. This is a good start and probably pretty much exactly what I need.
I did some testing: it works OK for non-recurring events but has a problem with recurring events. I sent the author some feedback on this and he already responded that he will fix it in the next release. I also asked whether it would be possible to load more than one ics file at sync time.
ipfw rule counters via snmpd
I have a number of FreeBSD machines with jails on them that require me to keep stats and graphs of their bandwidth usage.
The solution I came up with is to add counter rules to the kernel IPFW firewall rule set and then plug a simple Perl script into Net-SNMP which exposes each ipfw counter rule's current byte count on a unique OID that you can query and graph using something like Cacti.
This same technique can be used to graph things like only HTTP, SMTP, etc. traffic, or in fact anything that you can express as an IPFW counter rule.
Read the full entry for details on how I implemented this.
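An added illustration of the counter-to-SNMP idea, written in shell for this page rather than being the post's Perl script. It assumes the `ipfw -a list` listing format of rule number, packet count, byte count and then the rule body, and that the counter is published through an snmpd `extend` entry; the sample listing, the rule numbers and the `ipfw-jail5` extend name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own Perl script: pull the byte counter of
# an ipfw "count" rule out of `ipfw -a list` so snmpd can expose it via an
# "extend" hook. Assumes the -a listing format "<rule> <pkts> <bytes> <body>";
# the sample listing, rule numbers and extend name below are constructed.
IPFW_LIST=${IPFW_LIST:-"ipfw -a list"}

# Print "<rule> <bytes>" for every count rule in an -a listing read on stdin.
# Rule numbers are zero-padded in the listing, so normalise them with +0.
all_counters() {
  awk '$4 == "count" { printf "%d %s\n", $1 + 0, $3 }'
}

# Print the byte count of count rule $1 from a listing read on stdin; prints
# 0 when the rule is absent so the value handed to SNMP stays numeric.
# $3 is printed as a string so 64-bit counters are not rounded by awk.
rule_bytes() {
  awk -v want="$1" '
    $4 == "count" && $1 + 0 == want + 0 { print $3; found = 1 }
    END { if (!found) print 0 }'
}

# Live query. One way to hook it into snmpd.conf (assumed path and name):
#   extend ipfw-jail5 /usr/local/bin/ipfw-bytes.sh 100
# The value then shows up under nsExtendOutput1Line."ipfw-jail5", which a
# grapher such as Cacti can poll like any other OID.
live_rule_bytes() {
  $IPFW_LIST | rule_bytes "$1"
}

# Constructed sample of `ipfw -a list` output for the offline demo below
SAMPLE='00100   1500    120000 count ip from any to 10.0.0.5
00101   2200    310000 count ip from 10.0.0.5 to any
00200      0         0 count tcp from any to 10.0.0.6 dst-port 80
65535   9999   9999999 deny ip from any to any'

sample_rule_bytes() {
  printf '%s\n' "$SAMPLE" | rule_bytes "$1"
}

# Usage: ipfw-bytes.sh <rule-number>   (queries the live firewall)
if [ -n "${1:-}" ]; then
  live_rule_bytes "$1"
fi
```

Because only rules whose action is `count` are matched, a deny or allow rule that happens to share a number with a counter in another set cannot leak into the graph, and a missing rule reports 0 rather than an empty string that would break the poller.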
Jive Messenger
I have been contemplating rolling out a Jabber server for my employer for a while, but I have always been persuaded not to do it by the lack of graphical (web or otherwise) configuration tools for the server.
Ease of user management is key since I do not want to burden my systems administrators with even more silly account management stuff which can easily be done by other people.
After a recent outage on MSN I decided to take another look and came across Jive Messenger. It is a Java 1.5 based Jabber server implementing the XMPP protocol. It has a good web-based user and server management tool; I would suggest anyone looking for a corporate IM server take a look at it.
One caveat though is that its SSL implementation does not comply with the current XMPP specification, so you may well have issues getting encryption going between client and server. The upside is that the developer community is quite active on their forums and holds regular online conferences with users and other developers to decide where to address new features and bug fixes.
More allofmp3.com legal questions
It seems that the music industry is finally going after allofmp3.com.
I wonder what this means for people who bought music from them; will they perhaps send emails to all those customers demanding they destroy the 'illegal' downloads?
cacert.org
While reading my favorite guide to creating a private CA I noticed it mentions cacert.org.
It is basically a CA like any of the commercial ones, with a web interface for creating and managing your keys and so forth; the only catch is that the root key isn't in the browsers. It is nice though to do all your keys through them and only have to bother importing a single CA.
Initially your keys will expire after only 6 months, but there is a web of trust and a points system that will earn you the right to create longer-lasting keys.
Managing Jails on FreeBSD 5
While configuring my new FreeBSD 5.3 server I noticed that the rc system now supports starting your jails using settings in /etc/rc.conf. I am not sure when this came about, as I have not used FreeBSD 5.x much, but I have to say it is a lot nicer than my own hacked-up RC scripts.
Read on for more details about this and some other tools that are useful for jail management.
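As an added illustration of the rc.conf-driven jail startup mentioned above (not taken from the post), here is the shape of the /etc/rc.conf fragment that /etc/rc.d/jail reads. The variable names are the ones I know from that script, so check them against the copy on your own system; the jail name "www", its root directory, hostname and address are constructed placeholders.

```shell
# Added example, not from the post: /etc/rc.conf settings read by
# /etc/rc.d/jail. Jail name, path, hostname and address are placeholders.
jail_enable="YES"                       # start the listed jails at boot
jail_list="www"                         # space-separated jail names
jail_www_rootdir="/usr/jails/www"       # directory the jail is rooted in
jail_www_hostname="www.example.org"     # hostname seen inside the jail
jail_www_ip="192.0.2.10"                # address the jail is bound to
jail_www_devfs_enable="YES"             # mount a restricted devfs in the jail
jail_www_exec="/bin/sh /etc/rc"         # command run to bring the jail up
```

With this in place the jail is started and stopped like any other rc service (`/etc/rc.d/jail start www`, `/etc/rc.d/jail stop www`), and `jls` lists what is running, which is the part that replaces the hand-rolled scripts.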
RAW mode Digital Photography
I have been shooting in RAW mode exclusively for about 6 months now and for me there is no going back. If your camera gives adequate performance in RAW mode and you are serious about photography, there is no reason why you shouldn't be using it.
Past cameras I had that supported RAW mode were very slow or the images were HUGE. This has been fixed in my D70 at least, with its lossless RAW compression and speedy processing that does the compression in about 1/4 second; the camera also has a big enough buffer that you can fire off a couple of RAW shots quickly without having to wait. The D70 also has a very fast bus and card-writing system, so it makes good use of the faster memory cards. All of this combines into a no-hassle RAW mode camera.
Some articles were published this week that go into the whys of shooting in RAW; links to them are below. All of these were first found on the excellent Photography Blog.
Image Sushi: Sometimes RAW is better
The RAW truth
And for Nikon users, a new version of Nikon Capture has been released; Capture is the premium RAW converter from Nikon.
Sunbird 0.2 released
Via Slashdot I notice that Mozilla has released Sunbird version 0.2 for Linux, Windows and Mac OS X.
From their page:
Tuesday, February 4th, 2005:
The Sunbird team is proud to announce its first official release: Sunbird 0.2 for Windows, Linux and Mac OS X. You can find builds for the different platforms on our download page.
It is worth checking out if you haven't yet, never mind the fact that they don't know what day the 4th of February was.

