Dec 17
There should be more to good spicy food than just burning the crap out of you
Filed Under 42 (Life the Universe & Everything)
I had a Chinese takeaway from the Royal City in Maynooth for the first time in AGES and decided to get Fillet of Beef in Black Pepper sauce, my favorite dish in C3. In C3 it is rather spicy and tastes of black pepper but also has more flavor and leaves your mouth intact enough to actually taste the food; the Royal City version tasted as if they had taken an entire packet of black pepper, poured it into some rubbish beef and added some water and thickener. It was so hot that I could only take one mouthful and it tasted of NOTHING but intense and sickeningly overpowering black pepper. I threw it in the bin and will not be giving them my business again.
Dec 15
The OWL Appears to be Dead
Filed Under Science & Astronomy
It’s with great sadness that I report that my sources tell me that Europe’s rather coolly named "OverWhelmingly Large Telescope" or OWL is not to be. Apparently the project got scrapped today. The idea was to build the absolute largest optical telescope on the planet (100m) and since they called their previous best the Very Large Telescope (VLT) despite it ‘only’ being 16m (and the largest in the world) they thought it would be funny to take the piss out of themselves and call this proposed telescope OverWhelmingly Large!
All in all a sad day for funny TLAs and of course European Astronomy.
Dec 15
JellyfiSSH for OS X – SSH Heaven
Filed Under Computers & Tech
OS X comes with SSH built in but it is command line only and gives you no easy way to store all your bookmarks or customise your SSH windows. For your average user this is probably not a problem but when you have to SSH to as many servers as I do it becomes a real shortcoming. However, after much googling I found the answer – JellyfiSSH for OS X.
First things first, you can get JellyfiSSH from here: www.arenasoftware.com/grepsoft
Needless to say it does the basics like allowing you to save hostnames, usernames and tunnels, but it also allows you to group your bookmarks and, best of all, to have different window settings for each bookmark. The OS X terminal is very powerful and very configurable, so rather than re-inventing the wheel what JellyfiSSH does is spawn a terminal window with your settings for you and then send the SSH command for your bookmark to that terminal.
Because the OS X terminal lets you set a background image this means you can set your backgrounds to different things for each server. I did up a template with the GIMP so my SSH shells now all have the name of the server in huge writing on the background and in the case of the servers here at work I’ve colour-coded them to have a red background if they are production servers and a blue background if they are fail-over/test/development servers. Basically, if I see red I take extra care because one slip-up could bring the entire campus network crashing down around us all! The other nice thing about this is that our servers in work are not called after their function because stuff gets moved from server to server all the time but by their hostnames which are all trees/fruits. Since I only started work here a few weeks ago I still get very confused as to what is what so I’ve added the function to the background image too so at a glance I can see that Larch is the production mail server etc.
Once you get everything set up just the way you like it you’ll never understand how you lived without it! Anyhow, below are some screen-shots from my system to show JellyFiSSH in action.
[Screenshot: The Basic JellyfiSSH GUI]
[Screenshot: The Extended JellyfiSSH GUI]
[Screenshot: JellyfiSSH in Action]
Dec 8
If you use iCal on multiple machines you would of course like to see your calendars from them all; well, if your Mac has a permanent Internet connection, here’s the FREE and easy way to do it. BTW the non-free but also very easy way to do it is to publish your calendars to your .mac account.
All you need for this to work is a Mac that is visible on the Internet with an out-of-the-box install of Apache (it comes with OS X whether you like it or not!). Then just follow these simple instructions to configure the Mac with web access to use WebDAV, and then you can publish straight from iCal as shown by the screen shots below.
[Screenshots: Step 1 (with an alternative), Step 2, Step 3]
Dec 8
Breezy Badger release of KUbuntu continues to disappoint
Filed Under Computers & Tech, System Administration
Following on from my last article about Breezy I’m afraid things have not gotten any better. KUbuntu is just broke! At first I thought the mac style control panel was really cool until I discovered that I can’t get into administrator mode on any of the dialogs. I click the button, enter the password, the border goes red, the panel goes blank, stays blank for some timeout period and then brings me back to the non-admin display. I can click that button all I want but I can never edit any settings that you need to be root for. Yet again not acceptable from a Linux that is supposed to be for "human beings".
Dec 7
SSH via a Socks proxy on OS X with connect.c
Filed Under System Administration, Computers & Tech
NOTE: tested on OS X 10.7 Lion, works fine!
These instructions are for setting up a Mac to use connect.c to get SSH through a SOCKS proxy. If you are not using OS X this may still be of some use to you because connect.c will compile on Windows and *nix as well. If you’re in the NUIM on-campus accommodation and are having problems SSHing, this could be the answer to your problems!
The first step is to get a copy of connect.c and compile it. The website contains instructions for doing this on other platforms but for the Mac use:
gcc connect.c -o connect -lresolv
This will spool out a ream of warnings but don’t worry about that.
Then you have to copy this to a folder in the path and set up the correct permissions:
sudo cp connect /usr/bin
sudo chmod 555 /usr/bin/connect
sudo chown root:wheel /usr/bin/connect
At this stage connect.c is installed; you now need to tell SSH to use this proxy for any servers you want to connect to that are outside the campus.
To do this you need to add lines of this form to ~/.ssh/config:
Host xxx.yyy.com
    ProxyCommand connect -a none -S socks.yyy.com %h %p
The example above is for connecting to xxx.yyy.com; you’ll need a pair like this for each host you want to connect to. You should separate the pairs with a blank line.
That’s it, you can now ssh as normal and ssh will use the SOCKS proxy.
ssh [email protected]
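What the ProxyCommand does on ssh’s behalf before any SSH bytes flow, as an added example that is neither the post’s nor connect.c’s code: a SOCKS5 CONNECT handshake in Python, run against an in-process stand-in for socks.yyy.com that enforces a destination policy. The stand-in proxy, the ssh_via_socks driver and the SSH banner it returns are constructed; that connect -a none corresponds to SOCKS version 5 with the no-authentication method is an assumption.

```python
import socket
import struct
import threading

# SOCKS5 constants (RFC 1928). "connect -a none" asks for method 0x00, no authentication.
SOCKS_VERSION, NO_AUTH, NO_ACCEPTABLE = 5, 0x00, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x01, 0x03, 0x04
REP_SUCCESS, REP_NOT_ALLOWED = 0x00, 0x02

def recv_exact(sock, n):
    """Read exactly n bytes or raise; a short read here means a broken proxy."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf

def socks5_connect(sock, host, port):
    """Client side: offer no-auth, then ask the proxy to CONNECT to host:port.
    Returns the proxy's reply code; 0 means sock now carries the raw SSH stream."""
    sock.sendall(bytes([SOCKS_VERSION, 1, NO_AUTH]))      # version, 1 method offered
    ver, method = recv_exact(sock, 2)
    if ver != SOCKS_VERSION or method != NO_AUTH:
        raise ConnectionError("proxy will not accept an unauthenticated client")
    name = host.encode("idna")                              # ATYP 0x03: the proxy resolves the name
    sock.sendall(struct.pack("!BBBBB", SOCKS_VERSION, CMD_CONNECT, 0, ATYP_DOMAIN, len(name))
                 + name + struct.pack("!H", port))
    ver, rep, _rsv, atyp = recv_exact(sock, 4)
    if atyp == ATYP_IPV4:                                   # consume BND.ADDR so the
        recv_exact(sock, 4)                                 # stream is positioned at
    elif atyp == ATYP_DOMAIN:                               # the tunnelled payload
        recv_exact(sock, recv_exact(sock, 1)[0])
    elif atyp == ATYP_IPV6:
        recv_exact(sock, 16)
    recv_exact(sock, 2)                                     # BND.PORT
    return rep

def fake_socks_proxy(conn, seen, allowed):
    """Constructed stand-in for socks.yyy.com: serves one client, no-auth only,
    and refuses destinations outside `allowed` (an egress policy, not real code)."""
    with conn:
        _ver, nmethods = recv_exact(conn, 2)
        methods = recv_exact(conn, nmethods)
        conn.sendall(bytes([SOCKS_VERSION, NO_AUTH if NO_AUTH in methods else NO_ACCEPTABLE]))
        if NO_AUTH not in methods:
            return
        _ver, cmd, _rsv, atyp = recv_exact(conn, 4)
        host = recv_exact(conn, recv_exact(conn, 1)[0]).decode()   # assumes ATYP_DOMAIN
        (port,) = struct.unpack("!H", recv_exact(conn, 2))
        seen.append((host, port))
        rep = REP_SUCCESS if cmd == CMD_CONNECT and (host, port) in allowed else REP_NOT_ALLOWED
        conn.sendall(struct.pack("!BBBB", SOCKS_VERSION, rep, 0, ATYP_IPV4) + bytes(6))
        if rep == REP_SUCCESS:                              # from here on a real proxy just relays;
            conn.sendall(b"SSH-2.0-constructed-sshd\r\n")   # this line stands in for the far end

def ssh_via_socks(host, port, allowed):
    """Drive one client against the in-process fake proxy over a socketpair.
    Returns (reply code, first line the tunnel carried, destinations the proxy saw)."""
    client, proxy_side = socket.socketpair()
    seen = []
    worker = threading.Thread(target=fake_socks_proxy, args=(proxy_side, seen, allowed))
    worker.start()
    with client:
        rep = socks5_connect(client, host, port)
        banner = client.makefile("rb").readline() if rep == REP_SUCCESS else b""
    worker.join()
    return rep, banner, seen
```

With a real proxy the bytes after the reply are the SSH banner from the far end, which is exactly what ssh expects to read from the ProxyCommand’s stdout.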
Dec 7
IPFW Firewall Script (Suitable for OS X)
Filed Under Computers & Tech, Security, System Administration
I posted an article the other day about how to configure OS X to use a custom firewall script but explicitly didn’t discuss the actual rules, in this article I’m going to focus only on the firewall rules and assume that you are using an IPFW configuration that is working correctly on some OS that uses IPFW. Please note that I have tested these rules on OS X only but I can’t see why they wouldn’t work on any other IPFW enabled system.
So, without further ado, here is my /etc/rc.firewall (with all specific IP addresses blanked out of course!):
#!/bin/sh
#
# Declare variables
#
IPFW='/sbin/ipfw'
LOOPBACK_INTERFACE=lo0
PRI_DNS=XXX.XXX.XXX.XXX
SEC_DNS=XXX.XXX.XXX.XXX
#
# Flush the rules so we start with an empty palette
#
$IPFW -f -q flush
#
# Do some house keeping
#
# allow through all genuinely local packets
$IPFW add 00001 allow ip from any to any via $LOOPBACK_INTERFACE
# deny all spoofed local packets
$IPFW add 00010 deny ip from 127.0.0.0/8 to any in
$IPFW add 00011 deny ip from any to 127.0.0.0/8 in
$IPFW add 00012 deny ip from 224.0.0.0/3 to any in
$IPFW add 00013 deny tcp from any to 224.0.0.0/3 in
# allow through established connections
$IPFW add 00020 allow ip from any to any established
# filter ICMP packets to only allow through some types
$IPFW add 00030 allow icmp from any to any icmptypes 0,3,4,8,11,12
$IPFW add 00031 deny icmp from any to any
# allow through DNS
$IPFW add 00040 allow udp from me to $PRI_DNS 53 keep-state
$IPFW add 00041 allow udp from me to $SEC_DNS 53 keep-state
# allow myself to make outgoing connections
$IPFW add 00050 allow tcp from me to any keep-state
$IPFW add 00051 allow udp from me to any keep-state
# allow through all DHCP packets
$IPFW add 00060 allow udp from any to any 67
$IPFW add 00061 allow udp from any to any 68
# deny UDP
$IPFW add 00070 deny udp from any to any
#
# Allow services
#
# ssh just from within my departments range
$IPFW add 00100 allow tcp from XXX.XXX.XXX.0:255.255.255.0 to me 22
#
# Allow in exceptions for me
#
# allows the FTP server to connect back to me for active FTP
$IPFW add 00200 allow tcp from XXX.XXX.XXX.XXX 20 to me
#
# end with deny all
#
$IPFW add 65534 deny ip from any to any
OK, so now I’m going to go through this bit by bit to explain why I’m doing things the way I am. There is logic behind each line and I’ve spent a lot of time and effort this week getting this right. I’ll also mention some pitfalls to look out for along the way.
I should also point out what I was trying to achieve with these rules. Firstly, these rules allow me to go out on any port to anywhere I want; they are not designed to stop me doing stuff. Secondly, they are designed to expose as few services as possible on this machine, and any service that is exposed should be exposed to as few hosts as possible. Finally, they are also designed to filter out a lot of the UDP rubbish floating round on the network I work on because of all the Windows boxes on it.
So, into the rules. The way I have it set up, the only parts you should need to edit are the top bit that defines the variables and the bottom bit that defines the services you want to open up; the bits in between should not need to be edited as there are no specific IP addresses anywhere in them.
The first line is obviously a shebang line, if you don’t know what that is please stop reading now because you are not ready to set up a custom firewall script! So, the next bit is the definition of some variables:
IPFW='/sbin/ipfw'
LOOPBACK_INTERFACE=lo0
PRI_DNS=XXX.XXX.XXX.XXX
SEC_DNS=XXX.XXX.XXX.XXX
The first one is obviously defining the location of the IPFW binary and the second line is the definition of the loopback interface. Be careful here: some scripts you see use lo* here and that is very dangerous; using it made my machine unusable till I changed it back to lo0. The next two lines define the IP addresses of the DNS servers that the firewall should allow the machine to use.
The next thing you have to do is to flush all the rules that may be in the firewall already out so you know exactly what will be in there when your script ends, to do this we use the flush command but we must also use the -f flag to force it to do the flush without asking us if we are sure.
$IPFW -f -q flush
The next stage is to ensure that all loopback traffic can flow but that no one can spoof the localhost address on another interface, anyone doing so is definitely up to no good!
# allow through all genuinely local packets
$IPFW add 00001 allow ip from any to any via $LOOPBACK_INTERFACE
# deny all spoofed local packets
$IPFW add 00010 deny ip from 127.0.0.0/8 to any in
$IPFW add 00011 deny ip from any to 127.0.0.0/8 in
The next two lines are standard in all firewalls OS X’s firewall interface generates so I have added them to my rules too. They block certain types of multi-cast traffic.
$IPFW add 00012 deny ip from 224.0.0.0/3 to any in
$IPFW add 00013 deny tcp from any to 224.0.0.0/3 in
The next thing to do is to allow packets belonging to connections that have already been established to pass through the firewall without needing to be checked against all the rules again. This is a great optimisation but is only any good if you have it close to the start of your rules.
$IPFW add 00020 allow ip from any to any established
At this point the next thing we are going to deal with is ICMP packets. Many people block all of these packets but I am not a fan of that. ICMP is there for a good reason and blocking it will probably make your system administrator grumpy! The way I filter ICMP I can ping people, people can ping me, I can traceroute to people and people can traceroute to me. I am however still blocking loads of other potential ICMP traffic that is just not needed (note that to get traceroute working you also need UDP to be allowed out).
$IPFW add 00030 allow icmp from any to any icmptypes 0,3,4,8,11,12
$IPFW add 00031 deny icmp from any to any
Next I allow through DNS to my specific DNS servers. These rules are technically not needed if you decide to allow yourself to send out traffic on all UDP ports using a stateful rule (see rule 00051) but I like to put these in explicitly because I sometimes like to just kill all UDP connections later in the rules.
$IPFW add 00040 allow udp from me to $PRI_DNS 53 keep-state
$IPFW add 00041 allow udp from me to $SEC_DNS 53 keep-state
The next thing I do is allow myself to make outgoing connections to any host on any TCP port and to send UDP to any port on any host. If you want to be able to use traceroute you have to allow UDP traffic out. Again, if you allow all UDP out using a stateful rule like the one below you don’t need to explicitly allow DNS, so you can leave out the two lines above if you wish.
$IPFW add 00050 allow tcp from me to any keep-state
$IPFW add 00051 allow udp from me to any keep-state
One more thing to bear in mind is that if you do not include rule 00051 above to allow out and back all UDP ports then you would need to explicitly allow NTP if you wanted to use it.
The next thing to do is to make sure that you let all DHCP packets through. If you don’t use DHCP you can leave these two lines out.
$IPFW add 00060 allow udp from any to any 67
$IPFW add 00061 allow udp from any to any 68
At this point I like to deny all UDP traffic because there is just so much of it on our network but you can leave this line out if you wish, the last line will catch these packets too. The reason I put this rule here is for efficiency.
$IPFW add 00070 deny udp from any to any
Then we get to the second last part of the script where we define the services on our machine that we will allow to be visible to (part of) the outside world. I like to tie things down very tightly so that I expose as few services as possible to as few people as possible; hence, I only have two entries in this part of the script (and one is not technically a service). The first thing I do is allow SSH access to my machine but ONLY from within the subnet used by people within my department, not to anyone else on campus or beyond.
$IPFW add 00100 allow tcp from 149.157.4.0:255.255.255.0 to me 22
The second entry I have in here is needed to allow me to use active FTP to communicate with a web server I have to publish stuff to.
$IPFW add 00200 allow tcp from ccintranet.nuim.ie 20 to me
Finally, AND MOST IMPORTANTLY, you must end with a rule to deny all packets not yet accepted. If you don’t, your rule set will be utterly pointless and your machine will be pretty much completely open.
$IPFW add 65534 deny ip from any to any
And there you have it, my full set of Firewall rules for OS X. Now, please note that although I’ve been working with IPFW rules for many years both on OS X and FreeBSD I would still not consider myself an expert, hence, these rules come with absolutely no guarantees. I’m confident they are an excellent set of rules that combine the best bits of the other scripts I found on the web for OS X but you will need to make your own judgement call before using them.
My final bit of advice is to NEVER put a line onto your rules that you do not understand 100%, if you’re not sure what a rule does it should not be in your script! When you are done with your rules you should then check them by getting someone to nmap your machine or by using a free online service like ShieldsUp! from Gibson Research Corporation. Happy firewalling!
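To see the first-match logic the walkthrough above relies on (established before everything else, the UDP catch-all before the services, the final deny), here is an added example, not the post’s code, that parses the rule lines and evaluates sample packets against them in rule-number order. The documentation addresses standing in for the XXX placeholders, the ME set and the packet model are constructed; dynamic keep-state rules are not modelled, and the allow used when nothing matches stands for OS X’s built-in rule 65535 that the post warns about.

```python
import ipaddress
import re
# Constructed subset of the post's /etc/rc.firewall; the XXX placeholders are
# filled with documentation addresses (an assumption, not the author's values).
RC_FIREWALL = """
$IPFW add 00001 allow ip from any to any via lo0
$IPFW add 00010 deny ip from 127.0.0.0/8 to any in
$IPFW add 00011 deny ip from any to 127.0.0.0/8 in
$IPFW add 00020 allow ip from any to any established
$IPFW add 00030 allow icmp from any to any icmptypes 0,3,4,8,11,12
$IPFW add 00031 deny icmp from any to any
$IPFW add 00040 allow udp from me to 192.0.2.53 53 keep-state
$IPFW add 00050 allow tcp from me to any keep-state
$IPFW add 00051 allow udp from me to any keep-state
$IPFW add 00060 allow udp from any to any 67
$IPFW add 00070 deny udp from any to any
$IPFW add 00100 allow tcp from 198.51.100.0:255.255.255.0 to me 22
$IPFW add 65534 deny ip from any to any
"""
ME = {ipaddress.ip_address("198.51.100.77")}   # this host's own address (constructed)
RULE_RE = re.compile(r"add\s+(\d+)\s+(allow|deny)\s+(\w+)\s+from\s+(\S+)\s+to\s+(\S+)"
                     r"(?:\s+(\d+))?(.*)$")

def parse_rules(text):
    """Turn the $IPFW add lines into dicts, sorted by rule number (ipfw's order)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        num, action, proto, src, dst, dport, rest = m.groups()
        opts = rest.split()
        rule = {"num": int(num), "action": action, "proto": proto, "src": src,
                "dst": dst, "dport": int(dport) if dport else None,
                "in": "in" in opts, "established": "established" in opts,
                "via": opts[opts.index("via") + 1] if "via" in opts else None,
                "icmptypes": None}
        if "icmptypes" in opts:
            rule["icmptypes"] = {int(t) for t in opts[opts.index("icmptypes") + 1].split(",")}
        rules.append(rule)
    return sorted(rules, key=lambda r: r["num"])

def addr_match(spec, addr):
    """'any', 'me', a single host, a CIDR prefix or ipfw's addr:mask notation."""
    if spec == "any":
        return True
    if spec == "me":
        return addr in ME
    return addr in ipaddress.ip_network(spec.replace(":", "/"), strict=False)

def rule_matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt["proto"]:
        return False
    if rule["in"] and pkt["dir"] != "in":
        return False
    if rule["via"] and rule["via"] != pkt["iface"]:
        return False
    if rule["established"] and not (pkt["proto"] == "tcp" and pkt["established"]):
        return False
    if rule["icmptypes"] is not None and pkt["icmptype"] not in rule["icmptypes"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt["dport"]:
        return False
    return addr_match(rule["src"], pkt["src"]) and addr_match(rule["dst"], pkt["dst"])

def evaluate(rules, pkt, default="allow"):
    """First match wins. A packet matching nothing falls through to ipfw's built-in
    rule 65535 (an allow on OS X), which is why the post insists on rule 65534."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["action"], rule["num"]
    return default, 65535

def packet(proto, src, dst, dport=None, direction="in", iface="en0",
           established=False, icmptype=None):
    return {"proto": proto, "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "dport": dport, "dir": direction,
            "iface": iface, "established": established, "icmptype": icmptype}
```

Dropping rule 65534 from the parsed list and re-evaluating an inbound SSH probe from outside the department shows it falling through to the default allow, the "completely open" case the post describes.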
Dec 5
The RIGHT way to set up a Custom Firewall on OS X
Filed Under Computers & Tech, Security, System Administration
For the vast majority of home users the GUI in the OS X System Preferences application for managing your Firewall is all you’ll ever need. However, once you start wanting to have different rules for different hosts you have no choice but to either fork out cash for something like Brickhouse or to get your hands dirty and write your own firewall rules with IPFW, the firewall that is part of OS X.
In this article I’m going to walk you through the right way to set up your Mac to use custom IPFW rules. I am NOT going to give a tutorial on IPFW; I will be assuming that you are familiar with it and with basic firewalling concepts. If you don’t know what you are doing with IPFW then DO NOT SET UP YOUR OWN CUSTOM RULES. You are playing with fire here, people: if you mess them up you can actually stop your computer from working or leave it open to attack, and neither is good!
The first step in setting up a custom firewall is to create a Startup item to manage it as a service. There are many different scripts out there to do this but most do this in a very poor way that does not use the standard files and is not controllable in the standard BSD way. The script I give here DOES do things the Right-Way(tm).
As root you will need to make a folder /Library/StartupItems/Firewall, in this folder you will have to create two files. The first is the script to control your firewall, the second is the list of parameters the OS needs about your firewall service.
Firstly, the script to control your firewall, this file MUST be named identically to the startup item so in this case Firewall. The script should contain the following:
#!/bin/sh
##
# Firewall
##
. /etc/rc.common
StartService ()
{
    if [ "${FIREWALL:=-NO-}" = "-YES-" ]
    then
        ConsoleMessage "Starting Firewall"
        sh /etc/rc.firewall > /dev/null
    fi
}
StopService ()
{
    ConsoleMessage "Stopping Firewall"
    /sbin/ipfw -f -q flush
}
RestartService ()
{
    StopService
    StartService
}
RunService "$1"
This script has the advantage that it allows your firewall to be started, stopped and restarted like any OS service and it also allows the firewall to be enabled and disabled from /etc/hostconfig (without this you would have to delete the startup item to disable it). As you can see this file does not actually contain our firewall rules, those should be defined in /etc/rc.firewall.
The second file MUST be called StartupParameters.plist and should contain:
{
    Description = "Firewall";
    Provides = ("Firewall");
    Requires = ("NetworkExtensions","Resolver");
    OrderPreference = "Late";
    Messages =
    {
        start = "Starting firewall";
        stop = "Stopping firewall";
    };
}
The next step is to create your custom firewall rules and store them in /etc/rc.firewall. As I said I am not going to go into a discussion on creating firewall rules in this article, I am assuming that you know what you are doing when it comes to creating firewalls with IPFW! Hence I am going to skip straight on to enabling the service in /etc/hostconfig. This is exceptionally simple, all you have to do is add the line:
FIREWALL=-YES-
to the end of the file.
That’s it, you now have a custom IPFW firewall running correctly on OS X. If at any stage you want to temporarily stop using your custom firewall all you have to do is stop the service with /Library/StartupItems/Firewall/Firewall stop and then set the entry for your firewall in /etc/hostconfig to FIREWALL=-NO- to disable it.
I may well do a follow-up article to this one discussing firewall rules for OS X and/or logging but I’ll make no promises!
Dec 4
The Witch-hunt Begins
Filed Under Polemics & Politics
The Catholic Church’s major policy document on homosexuality in the church was flawed and bad enough, but to add insult to injury news of a private letter sent to all Bishops to accompany the new policy has been made public and it shows that there is now an actual witch-hunt underway. The Vatican are sending "inspectors" to all seminaries to look for "evidence of homosexuality". This kind of witch-hunt makes a mockery of the church’s supposed love of gay people and plea that they not be discriminated against. This is the most un-Christian thing I have seen the Vatican do in my lifetime.
Firstly, I want to talk about the policy document, I will go through each of the flaws in it in turn. This policy bans homosexuals from joining the priesthood. Not only does it ban homosexuals but also people who "support the gay culture". The policy also makes a distinction between "Transitory Homosexuality" and "Deep-seated Homosexuality" and re-iterates the church’s view that homosexuality is a disorder and that it can be "cured".
Ignores Scientific Realities
Both the distinction between the two kinds of Homosexuality (which the Vatican made up) and the definition of homosexuality are at direct odds with the scientific study of homosexuality and show that rather than dealing with the realities of homosexuality the church would prefer to stick its head in the sand like a great big ostrich. I heard the Catholic stance on sexuality described as being like a house of cards this week. This may explain why the love between two men can cause so much trouble. Accepting the obvious realities about homosexuality, that it is natural, not a choice and not a disease, would bring all the church’s out-dated and illogical policies on human sexuality crumbling down around their ears. Simply put, in order to conserve the status quo gays must be pushed back into the closet. The views on homosexuality that the church issues as fact are straight from the middle of the last century and ignore half a century of scientific research and study.
Children Left in Danger
The reasoning behind the policy is also fundamentally flawed, scientific studies have shown that homosexuality is not linked to pedophilia yet this policy is being billed as the Vatican’s solution to the child sex abuse problem. Thing is, the evidence shows that this policy is based on flawed logic and that the real cause of the child sex abuse is probably poor handling of celibacy by some priests and that it was definitely facilitated by the Bishops who hushed it up and protected offending priests. Hence the most important reform would be to deal with the Bishops who facilitated the sexual abuse of children and to deal openly with the problems enforced celibacy can cause. However, doing this would make things difficult for the leaders of the church, which includes many of the Bishops who facilitated the abuse in the first place! Hence, the Vatican are using gays as scapegoats to save themselves from some uncomfortable home truths.
This is despicable enough because it is very un-Christian to abuse a whole swathe of the population like this but it is made infinitely worse because it does not actually resolve the serious problem of children having their innocence stripped away by being horribly abused by people who should be protecting them. The church officials are hanging gays out to dry and sacrificing children to save their own skins. This is utterly revolting.
Fuels Homophobia
Every gay person should be alarmed by the reasoning behind this ban and the language in the policy. We have all been branded as pedophiles and as being mentally ill. These kind of broad generalisations are always dangerous but are extra dangerous when they are made by an organisation claiming to be the voice of God and because they are using something as emotive as child sex abuse to justify their discrimination.
Makes no Sense and is Un-needed
Priests must be celibate, a major part of becoming a priest is to learn to repress the natural human sex drive. Homosexuality only defines your sexual preferences, nothing more, hence not having gay sex is no different to not having straight sex and giving up gay sex poses exactly the same challenges as giving up straight sex. To be a good priest you effectively have to become non-sexual, what difference does it make what sex you are not having!
This policy is utterly pointless because once you take away sex, gay people are no different to straight people and since priests are celibate and have mastered their sex drive it could be argued there is no such thing as a gay or a straight priest!
Bad for the Catholic Church
The catholic church is facing a crisis in the western world, they have far far too few priests and far far too few people filling the pews on Sundays. Why is this? Well, the Church’s out-dated views on Women priests and sexuality certainly don’t help and in places like Ireland the evil of the Church’s protection and facilitation of pedophiles also plays a huge part. Hateful policies like this only serve to drive more people from the church. Yet another negative message from an increasingly negative church that seems to be running to the past at an ever faster pace.
Letter to the Bishops
The letter to the bishops informing them of the witch-hunt that is about to begin removes all doubt about how this policy was intended. This cannot be seen as anything but a witch-hunt against all gays in the Catholic church. Congratulations Joe, you’ve taken your organisation of love back 5 centuries into an organisation of hate, more interested in persecuting gay people than dealing with Child sex abuse or the other real problems facing this world. I don’t think Christ would be happy to see his church persecuting people like this, I don’t remember any parables about excluding people or about discriminating against people but I do remember lots of bible stories about how much Jesus loved children.
Nov 30
So, I got my very shiny new PowerMac (dual 2.0GHz G5 with 2GB RAM) today and I’m just blown away by just about everything about it (it’s FAST, the Apple Cinema Display ROCKS) but one thing has proved a real disappointment: the Mighty Mouse that came free with it.
I have been playing with the settings for ages and I can’t get the right "button" to do ctrl+click (right click to non-Mac users) like any PC mouse will do when plugged into a Mac. I can get it to do "Button 2", which is ctrl+click sometimes, but only sometimes! The side buttons are useless and the only thing I can see them doing is giving people RSI! "Just squeeze" is what Apple say; gimme a bloody vice and I might have a chance! I don’t have particularly big hands and I can tell you now I’d do myself an injury if I had to use that "button" a lot.
Thank heavens there is a Logitech Comfort Cordless Desktop winging its way towards me as I type!