Tuesday, January 29, 2008

PF traffic shaping

I've been doing some research on enabling traffic shaping; even though I have only one box powered on 24x7 behind the OpenBSD firewall/router, I want to learn more about it.
Here are a couple of links I have gathered while Googling the matter:

- Prioritizing empty TCP ACKs with pf and ALTQ
- A brief introduction to altq
- Why do clients running BitTorrent make my router's latency go through the roof?


Sunday, January 27, 2008

Adiós unwanted languages



The crud...
You can use something like Monolingual (with some caution: avoid doing something totally stupid) to delete the languages you don't use from your Os X installation, but every time you use Software Update to download a new version or updates, the languages you deleted will crawl back into place on your Os X system.

Of course, you can use Monolingual once again... But that was exactly how I did something totally, totally stupid on my PowerBook, which I thought would cost me a total re-install...
The other option, of course, is to de-select the languages you don't want to install when you perform the Os X installation on your box; this, however, will not stop Software Update from downloading the extra languages when a given program is installed.




Confirmation for the deletion!
So, a nice option to regain hard disk space is to carefully delete those extra languages by hand; doing so, for instance, I have reduced the size of Safari.app from 69 MB to 7 MB (I only left English, I don't care about the rest).

Go to the /Applications directory, right-click on the application you would like to put on a diet, and select "Get Info" from the pop-up menu.
Scroll down to the bottom of the window, then select the languages you don't want and delete them one by one.
Leave the English one, no matter what, or bad things will happen.


For whom the bell tolls (4)

System preferences for TZ location
The people at Quadion here in Argentina have released (through their blog) a (free!) TZ data update to correct the problem with the change of hour from December 30th 2007 (Link 1, Link 2).
I haven't used it yet, but it seems to do the job; they also have a Leopard version (link).

What I did on Thor, because I wanted to have my clock synced via NTPD once again with Goliath, was to change the TZ to Uruguay and then re-enable the automatic sync via System Preferences' "Set date & time automatically".

The only drawback was that in the Terminal the date included the TZ location as well, so I edited my ~/.profile file like this:

alias date='date "+%a %b %e %H:%M:%S %Y"'


- MAC OS X - HORARIO DE VERANO EN ARGENTINA - AHORA TAMBIÉN PARA TIGER! (Mac OS X: daylight saving time in Argentina, now also for Tiger!)
- Mac OS X - Horario de verano en Argentina (Mac OS X: daylight saving time in Argentina)


Saturday, January 26, 2008

From the other side

My late iBook G3 12 inches

A little picture from my now dead iBook.
Back in those days I was running Panther and (OMG) the MSN version for Apple; what a piece of crap that was.
I really loved that small & fragile little white box...


Friday, January 25, 2008

Play count (2)

My iTunes with the most played
I've been listening to a lot of music lately... I have tried, as best I could, to rediscover the music I haven't listened to in a while.
The play count did not change that much since the last Play count post, mostly because, using Smart Playlists, I have played the files I had only listened to twice; it took me nearly a month to go through all of those. As of today, every single file in my Music Library, the main playlist, has been played at least 3 times.


Thursday, January 24, 2008

It just funciona??? (well, sort of...)

There is a funny thing, or not so funny if you stop to think about it, on the Apple website for Latin America.
On the "Get a Mac" site (Spanish, English), every model is outdated compared to the ones on the main website...
Also, not only is the hardware on average a release behind schedule, but all the screenshots showing a running Os X show Tiger instead of Leopard!

Ok, I might not be in a position to argue, after all I'm using a Power Macintosh G4 (Quicksilver) from August 2001, but, WTF Apple :D
Are you trying to push the dead stock down here or what?? :p


It just works... Yes, it does, only it is newer & faster in the North...

Simplemente funciona ("It just works")... Indeed, brother...


Wednesday, January 23, 2008

Firewalling Tiger (IV)

A new update on the firewall script: I added rules to allow NTPD sync with the servers defined in the 'NTPD_SERVERS' variable. It works with NTPD servers that have a "static" FQDN, or if you use an IP address, but, for instance, unless you reload this script periodically, it will fail to sync with the server '0.south-america.pool.ntp.org', since the rule keeps the IP address that name resolved to when the script was run, and the IP address behind that name changes.
That's a special server used specifically to provide NTPD sync to as many clients as it can.


#!/bin/sh

# Variables to simplify maintenance
ipf="/sbin/ipfw"

LAN="192.168.2.0/24"

# You can add more servers, comma delimited with no spaces (the list is
# passed to ipfw as a single argument; spaces would split it into several)
DNS_SERVERS="192.168.2.2"
NTPD_SERVERS="192.168.2.2,clock.via.net,0.south-america.pool.ntp.org"

## ------------------------------------

# Enable firewall logging
#/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Disable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=0

# Flush existing rules
${ipf} -f flush

# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state

# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0

# Allow established connections
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------

# Allow ICMP traffic
${ipf} add allow icmp from ${LAN} to me icmptype 0,8

# Allow SSH connections
${ipf} add allow tcp from ${LAN} to me 22 keep-state

# Allow DHCP
${ipf} add allow udp from ${LAN} 67-68 to me 67-68

## ------------------------------------
## Outgoing connections
## ------------------------------------

# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state

# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state

# Allow ntpd traffic
${ipf} add allow tcp from me to ${NTPD_SERVERS} 123 keep-state
${ipf} add allow udp from me to ${NTPD_SERVERS} 123 keep-state

# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state

# Allow IMAPS
${ipf} add allow tcp from me to any 993 keep-state

# Allow Messenger
${ipf} add allow tcp from me to any 1863 keep-state

# Allow Webmin
${ipf} add allow tcp from me to any 10000 keep-state

# Allow me to get to my DNS servers
${ipf} add allow udp from me to ${DNS_SERVERS} 53 keep-state

# Allow ICMP traffic out
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down

${ipf} add deny log ip from any to any

# EoF #
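As an added example (not the post's own script), here is how the pool-name problem described above can be handled without reloading the whole firewall: re-resolve the NTPD_SERVERS list and replace only the NTP rules, for instance from an hourly cron job. The rule number 1100, the `ftp`-style helper names and the address lookup table are assumptions made for this example; `resolve_a` falls back to dig(1) for names that are not in the table, and the addresses in the table are TEST-NET values, not real DNS data.

```sh
#!/bin/sh
# Added example (not the blog's script): rebuild the NTP rules from the
# NTPD_SERVERS list so that a pool name whose address rotates is resolved
# again on every run instead of reloading the whole firewall script.

NTPD_SERVERS="192.168.2.2, clock.via.net, 0.south-america.pool.ntp.org"
NTP_RULE_NO=1100    # assumed free rule number reserved for the NTP rules

# "a, b, c" -> "a,b,c": ipfw wants the address list as a single argument;
# an unquoted list with spaces would be split into several arguments.
normalize_list() {
    printf '%s' "$1" | tr -d ' '
}

# Print the IPv4 address(es) behind NAME, one per line. IPv4 literals are
# returned as they are. The constructed table (TEST-NET addresses, not real
# DNS data) keeps the example runnable offline; anything else is looked up
# with dig(1) when it is installed.
resolve_a() {
    case "$1" in
        *[!0-9.]*) ;;                       # contains letters: a hostname
        *) printf '%s\n' "$1"; return 0 ;;  # plain IPv4 literal
    esac
    case "$1" in
        clock.via.net)
            printf '%s\n' 198.51.100.10 ;;
        0.south-america.pool.ntp.org)
            printf '%s\n' 203.0.113.5 203.0.113.6 ;;
        *)
            command -v dig >/dev/null 2>&1 &&
                dig +short A "$1" | grep -E '^[0-9.]+$' ;;
    esac
}

# Emit one ipfw rule per resolved address, all under the same rule number
# so the whole set can be dropped with a single "ipfw delete".
# Usage: ntp_rules "$NTPD_SERVERS" "$NTP_RULE_NO"
ntp_rules() {
    list=$(normalize_list "$1")
    old_ifs=$IFS
    IFS=,
    for host in $list; do
        IFS=$old_ifs    # back to whitespace splitting for the inner loop
        for ip in $(resolve_a "$host"); do
            printf 'add %s allow udp from me to %s 123 keep-state\n' \
                "$2" "$ip"
        done
    done
    IFS=$old_ifs
}

# Apply: drop the old set, then add the freshly resolved rules.
# Run as root; ipfw is only invoked here, never during rule generation.
refresh_ntp_rules() {
    /sbin/ipfw delete "$NTP_RULE_NO" 2>/dev/null
    ntp_rules "$NTPD_SERVERS" "$NTP_RULE_NO" | while read -r rule; do
        # shellcheck disable=SC2086 -- the rule is a fixed list of words
        /sbin/ipfw $rule
    done
}

# Uncomment to refresh the rules when run from cron:
# refresh_ntp_rules
```

Because every NTP rule shares the number 1100, `ipfw delete 1100` removes the stale set atomically enough for a cron job, and the rest of the ruleset (the final deny included) is never touched.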


Tuesday, January 22, 2008

For whom the bell tolls (3)

I don't get this: how can Apple take so long to release a simple tzdata update?
The hour change took place on December 30th, 2007, and still nothing from the folks at Cupertino. I'm really fed up with not being able to sync my clock via NTPD, and I don't want to use a different TZ to be able to use an NTPD server.
I mean, come on, even the Linux distributions out there have released the update; yes, after the hour had changed, but nevertheless the update is there.
Even Microsoft has a page (in Spanish!) regarding this subject: Sepa cómo realizar el cambio de huso horario (Learn how to make the time zone change). It is especially nice to see the section devoted to the IT slaves out there; as usual, Windows makes your life easier & easier: Recomendaciones para Administradores y Usuarios Empresariales (Recommendations for Administrators and Enterprise Users).


Monday, January 21, 2008

2010: A Cisco odyssey

An article on the shortage of experienced networking people. I always take this kind of article with more than a grain of salt... Take a look at the readers' comments (at the bottom of the page) to see what I mean.

En 2010 faltarán en el país más de 6000 especialistas en redes (By 2010 the country will be short of more than 6000 network specialists)


Sunday, January 20, 2008

Lazy Sunday afternoon

Sunday afternoon screenshot
Nothing much really, a nice, not so hot Sunday around here.


Friday, January 18, 2008

Emacs on a shoestring


I have been an Emacs lover/user nearly since I began using Linux. I have always loved it, but there was something that sometimes worried me about it, since I have used Linux and derivatives on some really sh*ty boxes, and that is its size and the amount of resources it consumes.

A typical Emacs (no-x) package these days goes for something like 1.5 to 3 MB in size, depending on the Linux distribution; the plain vanilla 'emacs' package also installs some other libraries needed to run Emacs in an X Window environment, and it is even bigger, and the beast also requires CPU to start.
That's why I have spent some time searching for smaller alternatives that offer the familiar key bindings in a smaller package, with a far smaller memory footprint.

Zile, IMHO, is the winner by far. It has all the things you can expect from the "real thing", but the final executable (at least on PPC Os X) is less than 500 KB in size.
It has all the features you might find in Emacs, even customization via a dot file called 'zile'; even the region selection has color support, something that plain vanilla Emacs didn't have up until the 20th release (for the CLI at least).
There are even Zile ports for Os X: zile version 2.2.29 for Mac OS X 10.5 Leopard and Zile 2.2.32.

The other options I have tested, Ersatz Emacs & MicroEmacs Clone, are very good too, but I prefer Zile, which offers exactly what I want in a really small envelope.
Besides, I have compiled Zile without any issue on Thor.


Thursday, January 17, 2008

SquirrelMail: Protect your nuts with a Captcha

Squirrelmail, the friendly Squirrel
Setting up a captcha-enabled login on any recent SquirrelMail is as easy as 1, 2, 3. In this case, I'll set up the reCAPTCHA implementation, which is totally web based and also serves a very good cause.
First, get the CAPTCHA plugin and download it to your 'plugins' directory.
Untar it:

tar zxf captcha-x.x-x.x.x.tar.gz


cd into the new directory, and copy/rename the sample configuration file:

cp config.sample.php config.php

Open the config.php file with your favorite text editor, scroll all the way to the end of the file, and add the captcha backend you want to use:

$captcha_backend = 'recaptcha';


Then do a similar thing for the recaptcha configuration file: cd to the 'plugins/captcha/backends/recaptcha/' directory, and copy/rename the configuration file:

cp recaptcha_config.sample.php recaptcha_config.php


If you already have a reCAPTCHA account, edit the recaptcha_config.php file with the public & private key; if you don't have one, go to the Sign up page, it's free, and in less than 2 minutes you'll have your key pair ready to go.

Once the keys are in place and the file is edited and saved, cd to the 'config' directory of your SquirrelMail setup and run './conf.pl'; type 8 to go to the Plugins section, add the Captcha one, save, and you are done: you'll have a captcha-enabled login page on SquirrelMail.

One last thing you might want to experiment with is the 'theme' of the recaptcha; edit the 'recaptcha_config.php' file in the 'plugins/captcha/backends/recaptcha/' directory. In my case, I like the one called "white".


Wednesday, January 16, 2008

Show me the Cisco!


Cisco's I-Prize got a 30-day extension; from the site's FAQ: Why was Phase I extended by 30 days?
This is your chance of getting those U$S 250 K! :p

On the contest blog there are 4 topics, or, as they say, "interesting sources for potential innovation".

Those are:

1. Energy (Green-save)
2. Healthcare (aging of the workforce)
3. Wireless Connectivity (unwire the world)
4. Automotive (connect my car)


Tuesday, January 15, 2008

The chicken with the google eggs

Google, doh!
There was an interview in yesterday's newspaper with one of the local head honchos, er... top brass bosses, Gonzalo Alonso of the Google Argentina office (yes, they have one in Buenos Aires).
He swears that Google opens its local offices not because of the current economic conditions, which are really, really good for anyone coming from abroad (especially if you come from abroad with a fist full of U$S).

Una compañía poco tradicional, en un lugar lejano del Sur (A not-so-traditional company, in a far-away place in the South)


Green rooftops & Blade Runner

Green rooftops on NYC
Ever since I saw on TV, by pure chance, the CNN bit on green rooftops (linked below, the first one), I couldn't stop relating those images to Do Androids Dream of Electric Sheep?, the novel that inspired the film Blade Runner.
In the original novel the main character, Rick Deckard, used to live in a building that had a green rooftop, and it even had mechanical goats (pretending to be real) wandering around the rooftop.

Green rooftop technology saves energy, cools air
Green roof for healthy cities
The Big Green Apple
How green is my rooftop
Google Images - Green rooftops


For whom the bell tolls (2)

You cant un-ring a bell
There is an excellent chronology of how the different Linux distributions managed to cope with the change of hour in late December 2007.
The post also deals with how the so-called 'Enterprise' distributions failed miserably to fulfill expectations.
Once again, I believe it is not all their fault; my government should at least pretend that it gives a damn about planning, and perhaps it would have been convenient to wait at least a week between the announcement and the actual change of hour.

You can read it here:

Red Hat, clones and tzdata-2007k


Monday, January 14, 2008

Simple backups with (nc)FTP & ncftpput

Adding a little more to the previous ncFTP post, here is a little script that will copy all the contents of the directory defined in the 'BACKUP_DIR' variable to the FTP server defined by 'SERVER'; on the server, the files are stored in the 'STORE_DIR' directory.
Since you are storing the password in a plain text file, set permissions on the script so that only root can read it:

chmod 0700 /usr/local/etc/scripts/backups/backup.ftp.sh


Here is the script:

#!/bin/sh

## /usr/local/etc/scripts/backups/backup.ftp.sh
## This script uses ncftp (& ncftpput) to copy files
## to the FTP server

BACKUP_DIR="/usr/local/share/backups/localhost/"
STORE_DIR="directory_name_on_the_server/"
FTP_COMMAND="/usr/local/bin/ncftpput"
USER="username.here"
PASSWD="password.here"
SERVER="ftp.server.URL.or.IP.address"

# -m creates STORE_DIR on the server if it is missing, -R uploads the
# directory recursively; the variables are quoted so that names with
# spaces reach ncftpput as single arguments
"${FTP_COMMAND}" -m -R -u "${USER}" -p "${PASSWD}" "${SERVER}" "${STORE_DIR}" "${BACKUP_DIR}"

# EoF #
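As an added example (not the post's script), here is the same backup with the login kept out of the script: ncftpput can read host, user and password from a file given with `-f` (the remote host argument is then taken from that file), so only that file needs the 0600 permissions, and the script refuses to run if the file is readable by anyone else. The credential file path `ftp.login` and the `mode_of`/`is_private` helper names are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not the blog's script): keep the FTP login out of the
# backup script and check the credential file's mode before using it.
# Paths are the post's; the credential file name is an assumption.

CRED_FILE="/usr/local/etc/scripts/backups/ftp.login"
BACKUP_DIR="/usr/local/share/backups/localhost/"
STORE_DIR="directory_name_on_the_server/"
FTP_COMMAND="/usr/local/bin/ncftpput"

# Content of the credential file (ncftp's login-file format, one
# keyword per line; create it with umask 077 or chmod 0600 it):
#   host ftp.server.URL.or.IP.address
#   user username.here
#   pass password.here

# mode_of FILE: the permission string from ls -l, e.g. "-rw-------"
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_private FILE: true only if the file exists and group and others
# have no permission bits at all (owner bits may be anything)
is_private() {
    [ -f "$1" ] || return 1
    case "$(mode_of "$1")" in
        ????------) return 0 ;;   # e.g. -rw------- or -rwx------
        *) return 1 ;;
    esac
}

# run_backup: refuse to run if the credential file is readable by others,
# otherwise mirror BACKUP_DIR into STORE_DIR as the original script does,
# with the login supplied by -f instead of -u/-p on the command line.
run_backup() {
    if ! is_private "$CRED_FILE"; then
        echo "refusing to run: $CRED_FILE must be mode 0600 (chmod 0600 '$CRED_FILE')" >&2
        return 1
    fi
    "$FTP_COMMAND" -m -R -f "$CRED_FILE" "$STORE_DIR" "$BACKUP_DIR"
}

# Uncomment to run the backup (e.g. from root's crontab):
# run_backup
```

With the password out of the script, the script itself can stay world-readable for review, and the `w`/`ps` exposure of `-p` on the command line does not arise at all.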


Sunday, January 13, 2008

Povera MacBook

Olibook laptop
Well, since my employer can't give me the crappy laptop, I have been looking around for a nice laptop.
It has to be a laptop because of space constraints at home, it has to be able to run Linux & it has to be as cool looking as possible (yes, that's right, I'm that superficial).
Of course, it also shouldn't cost an arm & a leg... Like this one: Black MacBook in Argentina, that's U$S 2420, or close to it.

One model that caught my attention ever since I heard about it was the Olivetti Olibook: it is somewhat cheap, comes with 1 GB of RAM and an 80 GB HDD, it is totally black, has a decent native resolution & it is small (14").
The only problem I can see is the video RAM; I hope it is enough to run Beryl without problems...

Some links related to the laptop:


Garbarino - Olibook 820-WVHB
Musimundo - Olibook T2050 1GB/80 WVISHE
Press release from when the laptop was launched in Argentina
Another review
A review, written from the Linux perspective
Some (old) tips on installing Ubuntu
Comparison with other similar laptops
Olivetti's distributor in Argentina


The few, the proud

An excellent article/post on how to recognize a good programmer.

How to recognise a good programmer

It is written for, or aimed at, the non-tech guy who is hiring, but nevertheless it is a very good read.
Don't forget to take a look at the linked article The 18 mistakes that kill startups; anything & everything I have read by Paul Graham is really interesting.


Saturday, January 12, 2008

In praise of the good'ol (nc)FTP

Even though it is 2008, we, the IT slaves :D, are still asked to either build an FTP server or sometimes connect to one.

On every Linux box where I have to do anything that involves connecting to an FTP server, I install NcFTP (client), which is the best FTP client I have ever used.
It has a few options no other FTP CLI client has, but the most useful is Tab completion (link 1, link 2), both local and remote, and of course, the cream of the crop, scripting capabilities: ncftpget & ncftpput, which allow you to automate uploading or downloading files.

Yesterday I was doing some tests on a remote server from a Linux box, and I discovered yet another very cool (and secure) thing about ncFTP.
You can start the program giving the optional username & password for the FTP server you wish to connect to, all on the CLI, like this:

[user1@server ~]$ ncftp -u username.here -p password.here some.remote.FTP.server


What I found out was that if you list what all the users of that system are doing, ncFTP masks the username & password in its command line, so they can't be seen, like this:

[user1@server ~]$ w
14:15:00 up 19:23, 3 users, load average: 0.08, 0.08, 0.08
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user1 pts/0 xxxxxxx 13:04 25.00s 0.21s 0.19s ncftp -u ***** -p **** some.remote.site
user2 pts/1 xxxxxxx 13:53 19:20 0.02s 0.01s sshd: user2 [priv]
user1 pts/2 xxxxxxx 13:54 0.00s 0.01s 0.00s w


Of course, in the end it doesn't matter much, since plain vanilla FTP transmits everything in plain text... But it is a very nice touch.


Friday, January 11, 2008

Nagios & Terra Incognita

Nageographer
I have become quite an addict of network monitoring programs/systems ever since I discovered them; I started with Netsaint, then Nagios, and now Zabbix.

To me, one of the most important elements of those programs is the ability they offer (at different levels for each one) to map your network and show you a real-time health map of it; in Nagios it is called the Status map, while the status maps in Zabbix are, like the program itself, far more complex.

A thing that has always bothered me regarding the creation of maps in Nagios is that you have to supply the coordinates for placing the different hosts by hand, if you choose not to use any of the prebuilt templates.

So, I looked around for a free program for Os X to write the map using a GUI... And there is one: Nageographer

Nageographer SourceForge page
Nageographer Freshmeat page


Thursday, January 10, 2008

When the deal goes down

The Compaq Presario that would never be
Well, the laptop that my employer uses for nothing but storing it on a shelf is not gonna come my way...

I found out about it the other day, and this made me really angry: what the hell would they want that ultra, mega, hyper crappy laptop for? I mean, they even tried to run Windows 98 on it, and it crapped out on them... What on Earth can they do with it? Run Floppix?

This will somehow put a delay on some of my plans, especially, I think, on running OpenBSD as a main OS for a while.
OTOH, I might get my hands on another Goliath, this time not from my employer, though, but from a friend of the family, who described the box as "being from 1998"... :)


Wednesday, January 09, 2008

Oh, (dot)Emacs, My (dot)Emacs!

After another 38 degree hot & humid Bs As day, it is time to have some fun and post my Emacs dot file, the core of the editor's customization; like I said before, I'm a big Emacs fan & user.

This one should work on any modern (<21) Emacs around.
I simply hate how the default Emacs setup populates my file systems with all those "backup.txt~" files... That's why I have set up the .emacs file to store all the backups in a given directory, and then use a cron job to delete those older than X days automatically; for this to work, you have to have a '$HOME/emacs/backups' directory.
Also, there is a snippet regarding timestamps; I use it all the time for writing changelogs.
The 'pc-selection' bit highlights the selection when you use the keyboard, via Ctrl + Space bar.

The easiest way of making these changes for all users, and just once, is to populate the skel directory of your distribution, usually under the /etc directory, with whatever you want to be common to all users.


;; ---------------------------------------------------
;; ~/.emacs default file
;; ---------------------------------------------------

;; -----------------------------------------------
;; Safe defaults

(setq inhibit-startup-message t)
(setq default-major-mode 'text-mode)
(menu-bar-mode -1)              ; a negative argument turns the menu bar off
                                ; unconditionally (nil would only toggle it)
(setq bell-volume 100)          ; XEmacs only; harmless on GNU Emacs
(setq visible-bell t)

;; -----------------------------------------------
;; Modeline customization

(display-time)
(setq line-number-mode t)
(setq column-number-mode t)

;; -----------------------------------------------
;; Keyboard shortcuts

(define-key global-map "\C-h" 'backward-delete-char)
(define-key global-map "\M-h" 'backward-kill-word)
(define-key global-map "\C-x\C-u" 'undo)

(global-set-key [f5] 'bury-buffer)

;; Highlight the region selected with the keyboard (C-SPC + movement)
(pc-selection-mode)

;; Esc + the arrow keys as a way to delete words
(define-key esc-map [right] 'kill-word)          ;; esc -> kill-word
(define-key esc-map [left] 'backward-kill-word)  ;; esc <- backward-kill-word

;; -----------------------------------------------
;; Backups
;; Store every backup under ~/emacs/backups (the "/" of the original path
;; become "|", so the backup name still tells where the file came from)
;; instead of littering the file system with file~ copies; fall back to
;; the default "file~" when that directory does not exist.

(defun make-backup-file-name (file-name)
  "Create the non-numeric backup file name for `file-name'."
  (require 'dired)
  (if (file-exists-p "~/emacs/backups")
      (concat (expand-file-name "~/emacs/backups/")
              (dired-replace-in-string "/" "|" file-name))
    (concat file-name "~")))

;; -----------------------------------------------

;; Turn on color syntax
(global-font-lock-mode t)

;; -----------------------------------------------
;; Insert timestamp
(defvar insert-time-format "%T"
  "*Format for \\[iTime] (c.f. `format-time-string' for how to format).")

(defvar insert-date-format "%d %m %Y"
  "*Format for \\[iDate] (c.f. `format-time-string' for how to format).")

(defun iTime ()
  "Insert the current time at point."
  (interactive "*")
  (insert (format-time-string insert-time-format (current-time))))

(defun iDate ()
  "Insert the current date at point."
  (interactive "*")
  (insert (format-time-string insert-date-format (current-time))))

(defun iDateTotal ()
  "Insert the current date, a space and the current time at point."
  (interactive "*")
  (iDate)
  (insert " ")
  (iTime))

;; -----------------------------------------------

;; EoF ;;


Happy, happy, joy, joy.


Tuesday, January 08, 2008

Firewalling Tiger (III)

I found some missing (and needed to be open!) ports while using Safari today to access some special websites at work, which are redirected through alternative ports and reverse proxies... I got an error in Safari with this message:

“POSIX error: Permission denied” (NSPOSIXErrorDomain:13)

Of course, as usual, the first thing that comes to your head is that the 'other' part is working incorrectly... After double-checking IP addresses, ports, running Apache processes, firewall settings on the remote server and on the remote router, and banging my head a few times, I decided to Google it! After a couple of minutes I found out that it was/is a common problem (the first link), and then a probable cause (the second one).

POSIX error
NSPOSIXErrorDomain:13 error in Safari

What I had to do to get past the Safari error was to add the ports I need to connect to to the firewall script, of course in the 'Outgoing connections' section, with the same syntax but using the ports I need to connect to, and then re-run the script.

Happy, happy, joy, joy.


Monday, January 07, 2008

Christmas is over

And yet, I still have a wish list... :D These are the books I currently have on it:

Computer related:

- Mac OS X Tiger Pocket Guide *
- Mastering FreeBSD and OpenBSD Security

* Yes, I heard about Leopard, but I'll continue to use Tiger on G4 boxes for a while now.

Other things related:

- The Polysyllabic Spree
- The World Without Us **

** In this case the spannungsbogen will serve me well, because I'll be able to get it in paperback


Sunday, January 06, 2008

Firewalling Tiger (II)

Here is the script I'm running right now. It assumes that your DNS server is at IP 192.168.2.2, and that you are not running any service on your Os X box except for an sshd server (Remote Login) and Samba, if you want to share files with a Windows box (the '# Allow SMB/CIFS' line); if you aren't, you might delete those.
Anyway, the services are only opened to the network (private, hopefully) that you define in the 'LAN' variable; the other open bits are DHCP, to get an IP address from the server, as well as ping, so you can make basic connectivity tests to the Os X box.

On the outgoing rules, you might want to add either POP3 or IMAP (or the secure version of POP3) if that is what you are using for email.
I used the firewall script here: Locking down the Os X firewall, as the template to write this one; it is an excellent resource, but it doesn't allow anything coming in to the Os X box.

To use the script, copy it, save it, say as 'rc.firewall', on your Desktop, and then:


sudo cp ~/Desktop/rc.firewall /etc/rc.firewall
sudo chmod +x /etc/rc.firewall


To begin using it:

sudo sh /etc/rc.firewall


If you want to stop and clear the rules, allowing everything once again:

sudo ipfw -f flush


If you want to see the rules in use, type:

sudo ipfw list



#!/bin/sh

# Variables to simplify maintenance
ipf="/sbin/ipfw"

# LAN MyLAN
LAN="192.168.2.0/24"

# You can add more servers, these are comma delimited
DNS_SERVERS="192.168.2.2"

## ------------------------------------

# Enable firewall logging
/usr/sbin/sysctl -w net.inet.ip.fw.verbose=1

# Flush existing rules
${ipf} -f flush

# If the rule was added to the dynamic rule table, let it in
${ipf} add check-state

# Allow traffic to flow on the loopback interface
${ipf} add allow all from any to any via lo0

# Allow established connections
${ipf} add allow tcp from any to any established

## ------------------------------------
## Incoming connections
## ------------------------------------

# Allow ICMP traffic
${ipf} add allow icmp from ${LAN} to me icmptype 0,8

# Allow SSH connections
${ipf} add allow tcp from ${LAN} to me 22 keep-state

# Allow DHCP
${ipf} add allow udp from ${LAN} 67-68 to me 67-68

# Allow SMB/CIFS
${ipf} add allow tcp from ${LAN} to me 139 keep-state

## ------------------------------------
## Outgoing connections
## ------------------------------------

# Allow SSH connections
${ipf} add allow tcp from me to any 22 keep-state

# Allow SMTP connections
${ipf} add allow tcp from me to any 25 keep-state

# Allow non-secure web traffic
${ipf} add allow tcp from me to any 80 keep-state

# Allow secure web traffic
${ipf} add allow tcp from me to any 443 keep-state

# Allow IMAPS traffic
${ipf} add allow tcp from me to any 993 keep-state

# Allow Messenger traffic
${ipf} add allow tcp from me to any 1863 keep-state

# Allow query to DNS servers
${ipf} add allow udp from me to ${DNS_SERVERS} 53 keep-state

# Allow ICMP traffic out (Ping anything on the internet)
${ipf} add allow icmp from me to any out keep-state

## ------------------------------------
## Close down

${ipf} add deny log ip from any to any


# EoF #
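An added example, not part of the post: a small audit of the loaded ruleset that reads `sudo ipfw list` output. It checks that the explicit final deny is in place (Tiger's implicit rule 65535 is `allow ip from any to any`, so without the deny the box is open) and flags any rule that lets inbound traffic in from `any` rather than from the LAN, which is the one thing a careless edit to the 'Incoming connections' section would change. The SAMPLE_RULES listing is constructed, not captured from a real box, and the `audit_ipfw`/`audit_sample` names are assumptions.

```sh
#!/bin/sh
# Added example (not the blog's script): sanity-check an ipfw listing
# against the two properties the firewall script above relies on.

# Constructed sample of `sudo ipfw list` output after loading the script
# (rule numbers are auto-assigned by ipfw; this listing is made up).
SAMPLE_RULES='00100 check-state
00200 allow ip from any to any via lo0
00300 allow tcp from any to any established
00400 allow icmp from 192.168.2.0/24 to me icmptypes 0,8
00500 allow tcp from 192.168.2.0/24 to me dst-port 22 keep-state
00600 allow udp from 192.168.2.0/24 67-68 to me dst-port 67-68
00700 allow tcp from 192.168.2.0/24 to me dst-port 139 keep-state
00800 allow tcp from me to any dst-port 22 keep-state
00900 allow tcp from me to any dst-port 443 keep-state
01000 allow udp from me to 192.168.2.2 dst-port 53 keep-state
01100 allow icmp from me to any out keep-state
01200 deny log ip from any to any
65535 allow ip from any to any'

# audit_ipfw: reads a listing on stdin, prints one WARN line per finding
# and returns the number of findings (0 means both checks passed).
# Usage: sudo ipfw list | audit_ipfw
audit_ipfw() {
    findings=0
    saw_deny=0
    while read -r num action rest; do
        [ -n "$num" ] || continue
        [ "$num" = "65535" ] && continue   # implicit default rule, ignore
        case "$action" in
            deny)
                case "$rest" in
                    *"ip from any to any"*) saw_deny=1 ;;
                esac ;;
            allow)
                case "$rest" in
                    *" from any to me"*|*" from any to any"*)
                        # replies to our own connections and loopback
                        # traffic are expected; anything else reachable
                        # from "any" deserves a look
                        case "$rest" in
                            *established*|*"via lo0"*) ;;
                            *)
                                echo "WARN $num: inbound allowed from any: $rest"
                                findings=$((findings + 1)) ;;
                        esac ;;
                esac ;;
        esac
    done
    if [ "$saw_deny" -ne 1 ]; then
        echo "WARN: no explicit 'deny ip from any to any' before rule 65535"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# audit_sample: run the audit over the constructed listing above
audit_sample() {
    printf '%s\n' "$SAMPLE_RULES" | audit_ipfw
}
```

Run it right after `sudo sh /etc/rc.firewall`; a non-zero exit with a WARN line means the ruleset does not match what the script intends, which is exactly the moment to fix it rather than after a flush left the box wide open.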


Saturday, January 05, 2008

Firewalling Tiger (I)

I have spent a few hours testing an increased-security version of the built-in firewall. Tiger's firewall is the famous ipfw, a free and very, very secure and stable firewall built into the operating system kernel.
I'm very pleased with the results of the firewall script; it is a very tight one, limiting not only what is allowed to connect to the Os X box, but also what is actually allowed to go out.
I'll keep testing it a little more, and then post it here.

I was a bit afraid, since I was doing exactly the same thing, editing the internal firewall, when my old & beloved iBook died on me.


Friday, January 04, 2008

Another shot of my Quickie

My beautiful QuickSilver once again
Not much to say...


Thursday, January 03, 2008

Safari niceness

Safari resize text input box
I have found a very nice thing in Safari, a little thing really, but really handy. You can resize the text input boxes, making them bigger, if you run at a higher resolution than the one the site was designed for. Since I can run my monitor at 1440x900, this comes in very, very handy indeed.
There is no similar option in Firefox, neither on Os X nor on Windows (I have not tested the Safari version for Windows).


Wednesday, January 02, 2008

PF: Going a little farther & tighter

OpenBSD logo, Puffy
As I said before, I have installed an OpenBSD box on my LAN to work as a firewall; for the setup and rules I used one of the built-in example scripts supplied with the distro, the one called 'faq-example1'. There are many other examples on the same OpenBSD box, under the '/usr/share/pf/' directory, or you can take a look at them on this page: Firewall for Home or Small Office.
What this sample script does exactly is this:

In this example, PF is running on an OpenBSD machine acting as a firewall and NAT gateway for a small network in a home or office. The overall objective is to provide Internet access to the network and to allow limited access to the firewall machine from the Internet, and expose an internal web server to the external Internet.


The thing is, I don't want to serve any site from my LAN, and I also don't want the SSH port open to the public internet... So I have modified the script to close those things up.
Here is how the edited file looks:

# macros
ext_if="ne3"
int_if="dc0"
icmp_types="echoreq"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021

# filter rules
block in

pass out

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in inet proto icmp all icmp-type $icmp_types

pass quick on $int_if no state


After editing and saving it, execute this to make it active:

sudo pfctl -f /etc/pf.conf


This will block anything & everything coming from the outside except for ping, which will get a reply from the external (public) IP address of the OpenBSD server; you can certainly close that as well, but I like being able to know from any location whether my ISP is working or not.


Tuesday, January 01, 2008

In praise of the Emacs key bindings

Space cadet keyboard
I'm a big Emacs fan and user, and of Bash also; maybe because of laziness, or simply because "it works" for all my needs, since it came by default on the Linux boxes I started with. Installing Emacs is one of the first things I do when I have to configure a Linux box at work, not to mention one of my own.

One thing I have always loved about Emacs, from day one, is the Emacs key bindings; I feel them to be quite natural and really useful. I don't know how to put it, but I believe I type better while in Emacs.

While doing some research on getting the Emacs key bindings globally in Gnome, I found a couple of links that are really interesting, particularly on the history and implementation of those key bindings.


- Emacs key bindings through the ages

- Why Emacs's Keyboard Shortcuts Are Painful

- The Modernization of Emacs

- Space-cadet keyboard

- Space Cadet keyboard (take a look at the pictures on this site!)


Promises, promises (Or so many OSes, so little time)

A couple of things I would like to test this year (with luck, before June, or even sooner):

- Vyatta

- OpenBSD, not only as my headless router/BitTorrent box, but I want to use it as my main box, in this case on the laptop that my employer uses for nothing but storing it on a shelf ;)

- Install a test box with CentOS 5, especially getting things to work with the CD server, since it seems like the stuff got a little harder.

- Get an Ubuntu server CD and try to make it the new standard Linux distro at work, especially for smaller, non-Oracle boxes (especially if the CentOS Server CD turns out to be a PITA to install from only one CD).

It is funny, but for Os X I don't have any plan... Either everything works the way it should, or it is becoming a very expensive platform to play with :D
The only thing I would like is to get an Intel one, to play with virtualization, but unless one of my boxes dies this year, I doubt it.
