by R.I. Pienaar | Feb 28, 2005 | Usefull Things
FreeBSD has recently added a method for storing large numbers of CIDR prefixes in a lookup table that can then be matched by a single rule.
I use these on my country blocking to optimize things a bit.
Previously I put a large block of ipfw denies very early in my rule set and just blocked it all for everything. This was not optimal since for some IPs I’d like to keep certain ports open – like port 80. I did not want to have per-host block lists since that would mean hosts x 3000 rules. Lookup tables are the answer.
My current setup goes more or less like this:
- General counter rules per jail
- Denies on frequently scanned ports like 1433 – without logging
- Blocks of rules per host – allow TCP, allow UDP, deny TCP, deny UDP, deny ICMP
I am now amending the per-host block by adding a single rule above the deny rules that kills off all the traffic from the dodgy countries – without logging it – and then I have the denies with logging. This keeps my logs reasonably free of IPFW DENY log entries so I can monitor them easily.
I first create the table; tables are numbered, and I just chose 1 for mine.
ipfw -q table 1 add 220.228.0.0/15
ipfw -q table 1 add 220.232.64.0/18
ipfw -q table 1 add 220.232.128.0/17
I then simply have to add a single rule for each host, which in effect is the equivalent of duplicating all 3000 rules I previously had on a per-host basis. Now I can have my port 80s etc. open and still kill off the dodgy traffic without polluting my logs. Perfect.
A sample table rule:
ipfw add 21999 set 15 deny ip from "table(1)" to 1.2.3.4
The quotes around table(1) are very important since the shell you run the command under may otherwise mangle the ()’s. You could alternatively escape the ()’s, for example: table\(1\)
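As an added example (not code from the original post), a small Python helper that validates and collapses the CIDR list, emits the table and per-host rule commands with the parentheses quoted for the shell, and lets you check offline which addresses the table will match before loading it. The three prefixes, the rule number 21999, set 15 and the host 1.2.3.4 are taken from the post; the duplicate entry is constructed, and `ipfw table N flush` is the standard ipfw subcommand for emptying a table.

```python
"""Build and sanity-check an ipfw lookup table before loading it."""
import ipaddress
import shlex

# Constructed input: the three networks from the post plus one duplicate
# to show that collapsing removes it.
BLOCKED_CIDRS = [
    "220.228.0.0/15",
    "220.232.64.0/18",
    "220.232.128.0/17",
    "220.228.0.0/15",  # duplicate on purpose
]


def normalise(cidrs):
    """Parse, validate and collapse CIDRs into the minimal set of networks.

    strict=True rejects prefixes with host bits set, which catches typos
    when ranges are hand-copied into a block list.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    return list(ipaddress.collapse_addresses(nets))


def table_commands(table, cidrs):
    """ipfw commands that rebuild the table idempotently: flush, then add."""
    cmds = [f"ipfw -q table {table} flush"]
    cmds += [f"ipfw -q table {table} add {net}" for net in normalise(cidrs)]
    return cmds


def host_rule(rule_no, set_no, table, host):
    """One deny rule per protected host; shlex.quote keeps the () away from the shell."""
    match = shlex.quote(f"table({table})")
    return f"ipfw add {rule_no} set {set_no} deny ip from {match} to {host}"


def would_block(ip, cidrs):
    """Offline check of what the kernel table lookup will decide for an address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in normalise(cidrs))


if __name__ == "__main__":
    for line in table_commands(1, BLOCKED_CIDRS):
        print(line)
    print(host_rule(21999, 15, 1, "1.2.3.4"))
    for probe in ("220.229.1.1", "220.232.0.1", "220.232.200.9"):
        print(probe, "blocked" if would_block(probe, BLOCKED_CIDRS) else "allowed")
```

The adjacent 220.232.64.0/18 and 220.232.128.0/17 are deliberately left as two entries because they do not form an aligned supernet; collapsing never widens the block beyond what you listed.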
by R.I. Pienaar | Feb 27, 2005 | Uncategorized
I have not been using my Pocket PC for a long time now, since I started using Sunbird, because no way exists to sync the two.
Over the weekend I thought I’d have another troll through the net and came across two good things.
The first is a repository of free Pocket PC software, well worth a look.
The second is a promising one-way syncing system for ics files -> Pocket Outlook. It is called KCal and can take ics files and replace all your existing calendar entries with what is in the ics file.
So this is good if you do all your entering of events in Sunbird and just need a mobile copy of it, no syncing back to Sunbird. This is a good start and probably pretty much exactly what I need.
I did some testing; it works OK for non-recurring events but it has a problem with recurring events. I sent the author some feedback on this and he already responded that he will fix this in the next release. I also asked if it were possible to support loading more than one ics file at sync time.
by R.I. Pienaar | Feb 23, 2005 | Code
I have a number of FreeBSD machines with jails on them that require me to keep stats and graphs of their bandwidth usage.
The solution I came up with is to add counter rules to the kernel IPFW firewall and then plug a simple Perl script into Net-SNMP which exposes each ipfw counter rule’s current byte count on a unique OID that you can query and graph using something like Cacti.
This same technique can be used to graph things like only HTTP, SMTP, etc. traffic, or in fact anything that you can express as an IPFW counter rule.
Read the full entry for details on how I implemented this.
by R.I. Pienaar | Feb 22, 2005 | Usefull Things
I have been contemplating rolling out a Jabber server for my employer for a while; I have always been persuaded not to do it by the lack of graphical (web or otherwise) configuration tools for the server.
Ease of user management is key since I do not want to burden my systems administrators with even more silly account management stuff which can easily be done by other people.
After a recent outage on MSN I decided to take another look and came across Jive Messenger. It is a Java 1.5 based Jabber server implementing the XMPP protocol. It has a good web based user and server management tool, I would suggest anyone looking for a corporate IM server take a look at this.
One caveat though is that its SSL implementation does not comply with the current XMPP specification, so you may well have issues getting encryption going between client and server. The upside is that the developer community is quite active on their forums and holds regular online conferences with users and other developers to find out where they should address new features and bug fixes, etc.
by R.I. Pienaar | Feb 22, 2005 | Front Page
It seems that the music industry is finally going after allofmp3.com.
I wonder what this means for people who bought music from them, if they will perhaps send emails to all those customers demanding they destroy the ‘illegal’ download etc?