I was reading today that DD-WRT (the free firmware that originally ran on Linksys's WRT54G router) is now available for x86 machines so I thought that I would give it a try. For more information on DD-WRT please see: DD-WRT on a standard X86 pc, and DD-WRT.com.
Installing DD-WRT
To install DD-WRT from Windows please see: DD-WRT on a standard X86 pc.
To install DD-WRT from a UNIX-like system you will need: An x86 compatible pc (i386) or greater with at least 16MB of RAM, 2 network cards, and a hard drive. Also you need to download this image: dd-wrt_public_vga.
To install DD-WRT you need a way of writing the image onto the hard drive you are going to use. I decided to use a LiveCD and dd(1) the image off the usb key. So after downloading the image I placed it on a usb key.
I booted my chosen LiveCD: TrueBSD. Then I inserted my usb key, made a directory in /mnt and mounted the usb key:
# mkdir /mnt/usb
# mount -t msdos /dev/da0s1 /mnt/usb
I changed directory into /mnt/usb, and wrote the dd-wrt image to the hard drive:
# cd /mnt/usb
# dd if=dd-wrt_public_vga.image of=/dev/ad0
22528+0 records in
22528+0 records out
11534336 bytes transferred in 40.308342 secs (286153 bytes/sec)
Then I unmounted the usb key and rebooted, taking out the livecd.
# cd /
# umount /mnt/usb
# shutdown -r now
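A raw dd(1) to the wrong device wipes it with no prompt, so here is a small guard script I would put around the step above. This is an added example, not part of the original post or of the DD-WRT project: it refuses to write to a target that has anything mounted from it, and it works out how many 512-byte records dd should report so the "records out" line (22528 in the run above) can be checked against the image. The mount output and the image file in the demo are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): guard the dd(1) step so the
# image only goes to the disk you meant.  The target must have no mounted
# filesystems, and the script prints the number of 512-byte records dd is
# expected to report in its "records out" line.

# target_mounted DEV MOUNT_OUTPUT -> 0 if DEV (or a slice/partition of it)
# appears in MOUNT_OUTPUT, the text printed by `mount`
target_mounted() {
    printf '%s\n' "$2" | grep -q "^$1[a-z0-9]* on "
}

# image_blocks FILE -> number of 512-byte records dd will write;
# returns 1 if the size is not a multiple of 512 (partial last record)
image_blocks() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ $((size % 512)) -eq 0 ] || return 1
    echo $((size / 512))
}

# write_image IMAGE DEV -> runs dd only after both checks pass
write_image() {
    img=$1; dev=$2
    if target_mounted "$dev" "$(mount)"; then
        echo "refusing: $dev has mounted filesystems" >&2; return 1
    fi
    blocks=$(image_blocks "$img") || {
        echo "refusing: $img is not a whole number of 512-byte records" >&2; return 1; }
    echo "writing $blocks records to $dev; compare with dd's 'records out'"
    dd if="$img" of="$dev" bs=512
}

# Demo with constructed `mount` output and a constructed 4096-byte image;
# write_image itself is not called here because it writes to a real disk.
mount_sample='/dev/ad0s1a on / (ufs, local, soft-updates)
/dev/da0s1 on /mnt/usb (msdosfs, local)'
for dev in /dev/ad0 /dev/ad1; do
    if target_mounted "$dev" "$mount_sample"; then
        echo "$dev: mounted, would refuse"
    else
        echo "$dev: no mounted filesystems"
    fi
done
img=$(mktemp)
dd if=/dev/zero of="$img" bs=512 count=8 2>/dev/null
echo "records expected for sample image: $(image_blocks "$img")"
rm -f "$img"
```

Run it as `write_image dd-wrt_public_vga.image /dev/ad0` from the LiveCD; the expected record count it prints should match the first number in dd's "records out" line, which is an easy way to spot a short write.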
My Impressions
Well this was a disaster for me, I don't know how you will go, but after a couple of hours of total frustration I wiped the hard drive. The errors produced were amazing, varied, and did not stop. No matter how many different things I tried I could not get to the stage of accessing the web front end. For a while I couldn't even get a login prompt. After searching for answers and solutions I felt totally disheartened. I don't very often give up on things, yet this was beyond me. I just could not get this to run. Maybe it was just my hardware?
I hope that others have more luck than I had! Yet I don't think I'll bother with DD-WRT. Too much work for no reward.
Saturday, December 30, 2006
My Experiences with DD-WRT
Wednesday, December 27, 2006
GeekyBits: A Fresh Look
I have been playing around with the new Template features of Blogger today. I have had heaps of fun playing with colors and labels and so forth. I hope you like Geeky Bits' new look. I think I am happy with it. If anyone has any suggestions please let me know.
Also today I have been searching for a new domain, gee there are so many domain squatters out there, it is ridiculous. I can't afford to eat more than once a day how am I supposed to afford to purchase a domain name? Oh well I guess I'll have to keep searching for something.
If you are looking for domains check out: PCNames Domain Search, it is "a free site dedicated to developing the most advanced tools for finding domains." It is very good.
Sunday, December 24, 2006
SPAM
I just finished reading this post from Slashdot: Spam Volume Jumps 35% In November. This is ridiculous, it's clogging up the bowels. So if there are around 1 billion people online (with e-mail accounts) and we are hitting averages of 85 billion spam messages a day, that would mean that each person is averaging 85 e-mails a day. Imagine getting that many telemarketing phone calls, or catalogs in the mailbox. Wow!
After this thought I had to revisit the Monty Python sketch "Spam" and I thought that I would share it with you all.
Testing Web Browsers
In my adventures in networking I was testing a couple of things, and discovered that firefox 2 has a bad memory leak on my system. On the 19th Dec there was a new release which had many security fixes: release notes. I have decided instead of updating to 2.0.0.1 that I would try out a couple of other browsers.
Opera 9.10
First I decided to try Opera, recently there was a new release and I have heard many great things about it. Eager to try it for myself I went to the Opera Download site and selected the Ubuntu 6.10 Edgy Eft Package and downloaded it. Once it was downloaded I clicked on the .deb file and gdebi package installer opened, I clicked 'install package' and the next thing you know I had Opera 9.10 on my system.
It took a bit of fiddling around to configure it, there are many more settings and things to play with in this browser. I have to admit that I thought that some of the settings were a little over the top, and were unneeded. I loved the fact that I could change the style view so much. This is something that I have always loved about Opera. It is often handy to view a page without images and other distractions, especially when reading information.
New features in Opera 9 are:
- Add your favourite search engines
- Bit-Torrent
- Content blocker
- Fraud protection
- Improved rich text editing
- Site preferences
- Thumbnail preview
- Widgets
My Impressions: Overall although I like many of the features in Opera I still am not happy with the performance or user experience of Opera. Granted it is very different from Firefox and Mozilla, and therefore will take a bit of getting used to. Yet I still do not feel that I could use it all of the time. The text is often hard to read, and jagged. Loading times are slow, and it feels heavy (I know this sounds strange yet I am sure that most of you know what I mean.) To be honest; at the end of the day I would prefer to use an Open Source browser.
Epiphany, the GNOME Web Browser
Next I tried Epiphany, I really like this little browser. It is very simple and easy to use, its speed amazes me. There are not many settings, and nowhere near the extensions and other tools as in other browsers. Yet this browser is no more than what it says it is. It is a browser, and it does this really well. Epiphany is powered by the Gecko engine, which also powers Firefox. Epiphany is very uncomplicated and really gives you the web experience without all the mess. I am sure that I will continue to use this browser, even if it is only for fast searching, and a pure http experience.
So far these are the only two browsers I have tried. I am unsure what browsers to try next, if anyone has any suggestions please let me know.
Monday, December 18, 2006
Quintura Search, a new way to find what you are looking for.
I have been on the hunt for a new search engine, for the past couple of months. I am not happy with the results of my searches, and I am finding myself resorting to Deep Web searches and other means to find information.
Introducing Quintura
Today I believe that I may have found an answer to my problem: Quintura search. This is a visual search engine, using a cloud visualisation you can navigate and refine your search. So far I am really impressed. Results load in the background while you search, and you can see the results of refining your search without actually doing so.
The results are not only relational, they also are very helpful, I have found some excellent information. I believe that this type of search could help people to search more effectively, finding answers to their questions, and therefore making more information available to more people.
If you are interested there is a tour here: Quintura tour
Or just try a search for yourself: Quintura search
*Note check the hints page, to make Quintura work better for you.
Have fun and happy surfing.
Saturday, December 16, 2006
OpenBSD LiveCD Firewall
Over the past couple of weeks all of my research and experimentation has been leading towards a project. I have been learning how to create my own livecd firewall. Currently I am preparing an environment to create this livecd in.
First I installed a basic version of OpenBSD 4.0. Then I downloaded the source code using cvsup:
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.0/packages/i386/
# pkg_add -v cvsup-16.1h-no_x11.tgz
# vi /root/.configs/cvsup-file
added:
# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=cvsup.jp.OpenBSD.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_0
# If your network link is a T1 or faster, comment out the following line.
*default compress
#OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
# cvsup -g -L 2 cvsup-file
Once I had done that I made a partition in which to create the livecd in. First I edited the disklabel, then formatted the new partition:
# disklabel -e wd0
# newfs /dev/wd0h
Now create the directory to mount on the new partition:
# mkdir /bootcd
then edit /etc/fstab so that the partition would be mounted at boot time:
# vi /etc/fstab
added:
/dev/wd0h /bootcd ffs rw 1 2
then rebooted.
Once the system had rebooted and everything was OK I changed into /bootcd, downloaded base40.tgz and etc40.tgz and unpacked them into /bootcd:
# cd /bootcd
# tar -xZf base40.tgz
# tar -xZf etc40.tgz
At the moment I am waiting for my new kernel to compile with my needed options:
# cd /usr/src/sys/arch/i386/conf/
# cp RAMDISK_CD BOOTCD
# vi BOOTCD
commented out this line:
#config bsd root on rd0a swap on rd0b and wd0b and sd0b
added this line:
config bsd root on cd0a
# config BOOTCD
# cd ../compile/BOOTCD/
# make clean && make depend && make
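The BOOTCD edit above is the kind of thing you end up redoing every time you start from a fresh RAMDISK_CD, so here is a small function that makes it repeatable. This is an added example, not from the original post or from OpenBSD itself: it comments out whatever active `config bsd root on ...` line the config has and appends the cd0a root line, and running it twice leaves the file unchanged. The stand-in config file in the demo is constructed (the real RAMDISK_CD has many more lines).

```shell
#!/bin/sh
# Added example (not from the original post): make the kernel-config edit
# repeatable.  The function comments out the RAMDISK_CD root line and adds
# the cd0a root line once; rerunning it leaves the file unchanged.

# set_cd_root FILE -> edits FILE in place; prints "changed" or "unchanged"
set_cd_root() {
    file=$1
    new='config bsd root on cd0a'
    if grep -qxF "$new" "$file"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp)
    # comment out every active 'config bsd root on ...' line, then append ours
    sed -e '/^config bsd root on /s/^/#/' "$file" > "$tmp"
    printf '%s\n' "$new" >> "$tmp"
    mv "$tmp" "$file"
    echo changed
}

# active_root FILE -> prints the uncommented root line(s), so you can confirm
# there is exactly one before running config(8)
active_root() {
    grep '^config bsd root on ' "$1"
}

# Demo on a constructed stand-in for a copied RAMDISK_CD.
conf=$(mktemp)
cat > "$conf" <<'EOF'
# constructed stand-in for arch/i386/conf/BOOTCD
config bsd root on rd0a swap on rd0b and wd0b and sd0b
EOF
set_cd_root "$conf"      # changed
set_cd_root "$conf"      # unchanged
active_root "$conf"
rm -f "$conf"
```

In the real build the call would be `set_cd_root /usr/src/sys/arch/i386/conf/BOOTCD` before `config BOOTCD`, and `active_root` on the same file is a quick check that only the cd0a line is live.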
I can't wait to see how it works. This is so exciting. I am such a geek...
Saturday, December 09, 2006
Know Your Docs
Over the past couple of days I have written and tested a couple of different pf(4) rulesets and I am really happy with the results. I was surprised how easy I found writing these rulesets.
When I learned FreeBSD's ipfw(8) I struggled a lot with the finer points of configuration. I believe that the difference I have made in learning pf(4) is becoming so familiar with the documentation before moving on to the implementation step. With ipfw(8) I tried to "learn by doing". Even though I think that learning by doing is an effective method, I believe for myself I need to read and know the documentation first, then put what I have learned into practice.
I am really having fun with pf, it is a wonderful and very complete piece of software, and I will be using it much more from now on.
Today's mantra:
- Locate the Documentation
- Read the Documentation
- Follow the Documentation
- BECOME the Documentation
Thursday, December 07, 2006
Reading and Writing
I finally answered all my e-mail today, I haven't had a chance to go through it for a couple of days. I got an e-mail from my little brother; he is arriving back in Australia today, he and his girlfriend have been traveling around Laos and Cambodia. It will be really good to see him. Although I will have to wait a couple of weeks, as he lives a few hours away from me.
Also I have been reading a few articles from: OpenBSD Support, Kernel-Panic.it and INETDAEMON.com
Tonight I started to write my first pf.conf file for my firewall. I think that it should go well. I will have to finish it tomorrow though because I'm exhausted. Goodnight all...
Tuesday, December 05, 2006
Packet Filter
Today I have been going over all of the documents on Packet Filter (pf). The following are the notes which I made while reading (The notes are not complete, just my reference):
Activation from boot:
Edit /etc/rc.conf.local adding:
pf=YES
Activation using pfctl(8):
The pfctl program allows us to activate pf using:
# pfctl -e
And deactivate pf using:
# pfctl -d
*Note that this just enables or disables PF, it doesn't actually load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.
Configuration
At boot time pf reads /etc/pf.conf for its configuration. The file has several parts:
- Macros: User-defined variables that can hold IP addresses, interface names, etc.
- Tables: A structure used to hold lists of IP addresses.
- Options: Various options to control how PF works.
- Scrub: Reprocessing packets to normalize and defragment them.
- Queuing: Provides bandwidth control and packet prioritization.
- Translation: Controls Network Address Translation and packet redirection.
- Filter Rules: Allows the selective filtering or blocking of packets as they pass through any of the interfaces.
Lists
Lists allow one rule to contain multiple items, e.g. multiple IP addresses, port numbers etc. Lists are defined by specifying items within { } brackets. e.g:
block out on rl0 from { 192.168.0.1, 10.0.0.1 } to any
When loading a ruleset and a list is encountered by the pfctl(8) program multiple rules are created. e.g. If pfctl found the above rule it would expand that to:
block out on rl0 from 192.168.0.1 to any
block out on rl0 from 10.0.0.1 to any
*Note that the commas between list items are optional.
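To make the expansion concrete, here is an added example (mine, not pfctl's code and not from the original post) that does in sh and awk what pfctl(8) does when it loads a rule containing lists. It also shows what the notes above do not spell out: when a rule has more than one list, pfctl produces every combination, so two lists of ten items become a hundred rules. The rules fed to it are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the original post): emulate the way pfctl(8)
# expands a rule containing { } lists into one rule per list item.  With
# several lists every combination is produced, which is why a long list in
# a rule quietly turns into a large ruleset.  Commas between items are
# optional, as the note above says.

# expand_rule RULE -> prints one rule per line with all lists expanded
expand_rule() {
    printf '%s\n' "$1" | awk '
    # expand(line): find the first { ... } list, emit one copy of the line
    # per item, and recurse until no list is left.
    function expand(line,    pre, post, body, n, items, i) {
        if (match(line, /[{][^}]*[}]/) == 0) { print line; return }
        pre  = substr(line, 1, RSTART - 1)
        body = substr(line, RSTART + 1, RLENGTH - 2)
        post = substr(line, RSTART + RLENGTH)
        gsub(/,/, " ", body)               # commas are optional separators
        n = split(body, items, /[ \t]+/)
        for (i = 1; i <= n; i++)
            if (items[i] != "") expand(pre items[i] post)
    }
    { expand($0) }'
}

# count_expanded RULE -> how many rules the expansion produces
count_expanded() {
    expand_rule "$1" | wc -l | tr -d ' '
}

# Demo with the rule from the notes (constructed sample input).
expand_rule 'block out on rl0 from { 192.168.0.1, 10.0.0.1 } to any'
# Two lists: 2 addresses x 2 ports = 4 rules.
expand_rule 'pass in on rl0 proto tcp from { 192.168.0.1 10.0.0.1 } to any port { 22, 80 }'
```

`count_expanded` is handy for a sanity check before loading: if a rule with a couple of lists expands to far more rules than you expected, a table is usually the better tool.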
Macros
Macros are user-defined variables. They can hold port numbers, IP addresses etc.
Macro names must start with a letter and may contain letters, digits, and underscores. e.g.:
int_if = "sis0"
pass in on $int_if from any to any
Macros can also contain lists.
Tables
Tables hold groups of IP addresses. Tables are different from lists in that the lookups use less memory and processor and therefore are very fast.
Tables can be used in the following ways:
- source and/or destination address in filter, scrub, NAT, and redirection rules.
- translation address in NAT rules.
- redirection address in redirection rules.
- destination address in route-to, reply-to, and dup-to filter rule options.
To create a table in pf.conf the table directive is used. There are two attributes that can be specified for each table:
- const: Once the table has been created the contents can not be changed. If this attribute is not specified, addresses can be added or removed using pfctl.
- persist: Keep the table in memory even if no rules are referring to it.
table <MyNet> { 172.16.2.0/16, !172.16.2.100 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spammers> persist file "/etc/spammers"
block in on vr0 from { <rfc1918>, <spammers> } to any
pass in on vr0 from <MyNet> to any
The file /etc/spammers would contain a list of IP addresses and/or CIDR network blocks, one per line. Any line beginning with # is treated as a comment and ignored.
Tables can also be manipulated with pfctl, see: pfctl(8).
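A table file like /etc/spammers is easy to break with a stray hostname or a fat-fingered octet, and a bad line means the whole load fails. Here is an added example (not from the original post or from pf) of a check I would run over such a file before pointing a `persist file` directive or a `pfctl -t spammers -T replace -f` at it: it accepts IPv4 addresses and CIDR blocks, optionally negated with `!`, skips `#` comments and blank lines, and reports anything else. The sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pf table file
# such as /etc/spammers before loading it.  Each non-comment line must be an
# IPv4 address or CIDR block, optionally prefixed with ! to negate it.

# valid_entry ENTRY -> 0 if ENTRY is an IPv4 address or CIDR block
valid_entry() {
    entry=${1#!}                 # a leading ! negates the entry; ignore it here
    addr=${entry%%/*}
    case $entry in
        */*) prefix=${entry#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    # exactly four dotted decimal octets, each 0-255
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# check_table_file FILE -> prints bad entries, returns 1 if any were found
check_table_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                            # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t')   # and whitespace
        [ -z "$line" ] && continue
        if ! valid_entry "$line"; then
            printf 'bad entry: %s\n' "$line"
            bad=1
        fi
    done < "$1"
    return $bad
}

# Constructed sample standing in for /etc/spammers; the last two lines are
# the kind of mistake the check is there to catch.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# hosts and blocks to refuse
192.0.2.10
198.51.100.0/24
!198.51.100.7
spam.example.invalid
203.0.113.999
EOF
check_table_file "$sample" || echo "fix the entries above before loading"
rm -f "$sample"
```

On the firewall the call would be `check_table_file /etc/spammers && pfctl -t spammers -T replace -f /etc/spammers`, so a bad line stops the reload instead of leaving the old table in place unnoticed.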
Packet Filter
A highly simplified syntax for filter rules is:
action [direction] [log] [quick] [on interface] [af] [proto protocol] \
[from src_addr [port src_port]] [to dst_addr [port dst_port]] \
[flags tcp_flags] [state]
Default Deny
In a default deny filter policy, the first filter rules are:
block in all
block out all
Now traffic has to be explicitly passed by the firewall, otherwise it will be dropped.
quick
If a packet matches a rule which is using the quick keyword, then no other processing is needed, and the specified action is taken.
Keeping State
Keeping state or stateful inspection allows pf to keep track of network connections. Information is stored about each connection in a state table, and pf then determines if a passing packet belongs to an established connection; if it does the packet is passed.
When a rule has the keep state option, the first packet matching the rule creates a "state" between the sender and receiver. Now, not only do packets going from the sender to receiver match the state entry and bypass ruleset evaluation, but so do the reply packets from receiver to sender. For example:
pass out on fxp0 proto tcp from any to any keep state
Stateful filtering has a number of options:
- max number: The maximum number of state entries the rule can create.
- source-track: Track the number of states created per source IP.
- max-src-nodes number: Limit the number of source IP addresses that can simultaneously create state.
- max-src-states number: When the source-track option is used, max-src-states will limit the number of simultaneous state entries that can be created per source IP address.
- max-src-conn number: The maximum number of simultaneous TCP connections which a single host can make.
- max-src-conn-rate number / interval: Limit the rate of new connections to a certain amount per time interval.
- overload <table>: Put an offending host's IP address into the named table.
- flush [global]: Kill any other states that match this rule and that were created by this source IP. When global is specified, kill all states matching this source IP, regardless of which rule created the state.
TCP Flags
- F : FIN - Finish; end of session
- S : SYN - Synchronize; indicates request to start session
- R : RST - Reset; drop a connection
- P : PUSH - Push; packet is sent immediately
- A : ACK - Acknowledgement
- U : URG - Urgent
- E : ECE - Explicit Congestion Notification Echo
- W : CWR - Congestion Window Reduced
flags check/mask
The mask tells pf to only inspect the specified flags. The check specifies which flags must be "on" in the header for a match.
TCP SYN Proxy
Proxy the handshake; pf will complete a client handshake, initiate a server handshake, then pass the packets between the two. e.g.:
pass in on $ext_if proto tcp from any to $web_server port www flags S/SA synproxy state
synproxy state also includes the same functionality as keep state and modulate state.
Blocking Spoofed Packets
pf uses the antispoof keyword to protect against spoofing:
antispoof [log] [quick] for interface [af]
Unicast Reverse Path Forwarding
A uRPF check compares the source IP of a packet with the routing table, to see if the interface the routing table would use to reach that source is the same interface the packet arrived on.
This check is performed using the urpf-failed keyword in filter rules:
block in quick from urpf-failed label uRPF
OS Fingerprinting
Using the os keyword in a rule, pf can match on the operating system of a remote host.
IP Options
To allow packets with IP options set, which are blocked by default, you need to use the allow-opts keyword.
NAT - Network Address Translation
A highly simplified syntax for a NAT rule is:
nat [pass [log]] on interface [af] from src_addr [port src_port] to dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]
Example: (tl0 is external, dc0 internal):
nat on tl0 from dc0:network to any -> (tl0)
This rule says to perform NAT on the tl0 interface for any packets coming from the dc0 interface's network and to replace the source IP with the current address of the tl0 interface.
Bidirectional Mapping (1:1 mapping)
A bidirectional mapping can be established by using the binat rule. A binat rule establishes a one to one mapping between an internal IP address and an external address.
Rule Exceptions
Exceptions can be made to translation rules by using the no keyword. e.g.:
no nat on tl0 from 192.168.1.208 to any
nat on tl0 from 192.168.1.0/24 to any -> 24.2.74.79
The entire 192.168.1.0/24 network would have its packets translated to the external address 24.2.74.79 except for 192.168.1.208.
The no keyword can be used with nat, binat and rdr rules.
NAT Status
To view the active NAT translations pfctl(8) is used with the -s state option.
Redirection (Port Forwarding)
Redirection allows incoming traffic to be sent to a machine behind the NAT gateway. e.g.:
rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20
This line redirects TCP port 80 (web server) traffic to a machine inside the network at 192.168.1.20. So, even though 192.168.1.20 is behind your gateway and inside your network, the outside world can access it.
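To pull the notes together, here is an added example (mine, not from the original post, the OpenBSD FAQ or pf itself) with two parts: a constructed pf.conf that uses macros, tables, translation before filtering, default deny, antispoof, synproxy and the overload option from the stateful-filtering notes, and a small lint function that checks the points the notes make before a ruleset is loaded: both default-deny rules present and ahead of any pass rule, every pass rule keeping state (on OpenBSD 4.0, the version in these notes, a pass rule without keep state is stateless), an antispoof rule present, and nat/rdr rules placed before the filter rules as pf.conf requires. The interface names, addresses and ports in the sample are made up.

```shell
#!/bin/sh
# Added example (not from the original post): a small pf.conf lint for the
# points in the notes, plus a constructed sample ruleset that exercises
# them.  Rule order matters in pf: the LAST matching rule wins unless a
# rule says 'quick', so default deny has to come before the pass rules.

# strip_conf FILE -> the file without comments and blank lines
strip_conf() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# check_ruleset FILE -> 0 if every check passes; otherwise prints the
# failed checks and returns 1
check_ruleset() {
    rules=$(strip_conf "$1")
    status=0
    # 1. default deny in both directions, before the first pass rule
    first_pass=$(printf '%s\n' "$rules" | grep -n '^pass' | head -n 1 | cut -d: -f1)
    block_in=$(printf '%s\n' "$rules" | grep -n '^block in all$' | head -n 1 | cut -d: -f1)
    block_out=$(printf '%s\n' "$rules" | grep -n '^block out all$' | head -n 1 | cut -d: -f1)
    if [ -z "$block_in" ] || [ -z "$block_out" ]; then
        echo "FAIL: no 'block in all' / 'block out all' default deny"; status=1
    elif [ -n "$first_pass" ] && { [ "$block_in" -gt "$first_pass" ] || [ "$block_out" -gt "$first_pass" ]; }; then
        echo "FAIL: default deny rules come after the first pass rule"; status=1
    fi
    # 2. every pass rule keeps state in some form
    stateless=$(printf '%s\n' "$rules" | grep '^pass' | grep -v -e 'keep state' -e 'modulate state' -e 'synproxy state')
    if [ -n "$stateless" ]; then
        echo "FAIL: pass rule without state:"; printf '  %s\n' "$stateless"; status=1
    fi
    # 3. spoofed-source protection is configured
    printf '%s\n' "$rules" | grep -q '^antispoof' || { echo "FAIL: no antispoof rule"; status=1; }
    # 4. translation rules (nat/binat/rdr) must precede filter rules
    last_nat=$(printf '%s\n' "$rules" | grep -n -e '^nat ' -e '^rdr ' -e '^binat ' | tail -n 1 | cut -d: -f1)
    first_filter=$(printf '%s\n' "$rules" | grep -n -e '^block' -e '^pass' -e '^antispoof' | head -n 1 | cut -d: -f1)
    if [ -n "$last_nat" ] && [ -n "$first_filter" ] && [ "$last_nat" -gt "$first_filter" ]; then
        echo "FAIL: nat/rdr rules must come before the filter rules"; status=1
    fi
    return $status
}

# write_sample_conf FILE -> writes the constructed sample ruleset to FILE
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample: tl0 is external, dc0 internal (made-up names/addresses)
ext_if = "tl0"
int_if = "dc0"
web_server = "192.168.1.20"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <bruteforce> persist
scrub in all
# translation comes before filtering
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if proto tcp from any to any port 80 -> $web_server
# default deny, then the exceptions
block in all
block out all
block in quick on $ext_if from <rfc1918> to any
block in quick from <bruteforce>
antispoof quick for { lo0 $int_if }
pass in on $ext_if proto tcp from any to $web_server port 80 flags S/SA synproxy state
pass in on $ext_if proto tcp from any to ($ext_if) port 22 flags S/SA keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if proto tcp from any to $web_server port 80 keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any keep state
EOF
}

# Demo: lint the sample ruleset.
sample=$(mktemp)
write_sample_conf "$sample"
check_ruleset "$sample" && echo "sample ruleset passes the checks"
rm -f "$sample"
```

The lint is deliberately a check on the points the notes raise, not a parser; on the firewall `pfctl -nf /etc/pf.conf` still does the real syntax check, and `check_ruleset /etc/pf.conf && pfctl -f /etc/pf.conf` keeps a ruleset that silently opened up from being loaded.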
Saturday, December 02, 2006
No Power
I have been busy the past couple of days cleaning the house and paying bills. So much fun I know. I hope to get back to reading and building my firewall tomorrow. I feel lost not being on my computer.
I lost the power for a couple of hours the other night. It was the first night of the Sci Fi channel being on Austar. My partner and I sat down to watch the first show on at 12am. It was a repeat in true Austar style, so I went back to the computer room. I was in the middle of writing a post when the power went. I don't have an UPS (cause I can't afford one) so everything died. We sat and waited for the power to come back.
After about five minutes I was bored I started messing with the mobile, taking photos by candle light and I changed the wallpaper. Then my partner and I started playing a two player mobile game. I am not big on mobile games but desperate times. Anyway we were playing for about 2 hours when the mobile started giving the battery low beep, it only beeped twice then died in my partners hands. It was so funny I forgot to tell him that I had changed the wallpaper so the screen went from -> his move in the game -> then flashed the wallpaper -> then went black.
Anyway just as we were about to bring out the pocket calculators; the power was restored and all was well.
I have been enjoying the Sci Fi channel. There have been some good things on so far. I have been waiting to see some of them. I will have to get my laptop fixed soon though cause it is annoying not having Internet access anywhere in the house. Currently my laptop looks like this:
So as you can see I am not doing a lot with it. Oh well, have to fix it.
Tuesday, November 28, 2006
9 Words representing the Most Important things that I have learned this year
It was my 27th Birthday yesterday, 27 on the 27th. I had an awesome day. My darling made me yummy meals and beautiful apple pie (pictured left). I had a really wonderful day. I went to bed with a smile on my face.
Through out the day I was sitting and thinking, and I contemplated all of the things I have learned this year. There have been so many of them. It made me wonder if I could boil it all down to a few really important things that I have learned.
The Most Important things that I have learned this year.
This turned out to be a more difficult question than I realized. I started thinking through my achievements,
e.g. Giving up smoking and completing 2 diplomas.
I realized I was thinking way too low, and narrow. (That is a low thought process, and a narrow field of perception.)
Well what did these achievements teach me?
e.g. About my health, and about cigarette damage. Or perhaps about project management, and dealing with teachers.
What were my failings and what did they teach me?
e.g. What plans didn't succeed? What ideas weren't implemented?
I still wasn't delving deep enough, there was more there. What lessons were learned? What inspired me?
All these are good questions, producing many answers, yet still there is way more. Then I stopped for a moment. As per usual I had forgotten the golden rule of 'keepen' it simple'.
I realized that I could think of 9 or 10 words to cover everything. Each word would represent something I have learned throughout the year.
9 Words representing the Most Important things that I have learned this year.
After doing this exercise I was truly amazed with the results. I slowly sat and looked over the words that I had chosen and realized that all of the lessons that I had learned this year fitted into them in one way or another. Also each word had at least one flip meaning, a warning, or balance.
As it is coming up to the end of the year, try this exercise for yourself and find out how much you have truly grown this year. I was amazed with what I found.
Friday, November 24, 2006
Back to Ubuntu
I am back to Ubuntu for a while. I have some work to do, and I need to focus. I had trouble finding gnome tools for OpenBSD, and I am thinking of going back to FreeBSD as my desktop.
I used to have FreeBSD a while back, it was a wonderful desktop, then I started having troubles after updating to 6.1 so I decided to try something different for a while. I think I will enjoy going back to it though. I would just be better off making my own system from a FreeBSD base, that way I'll have everything I want when I want it. It should be fun.
But first I need to finish my firewall. I wrote my notes, diagrams and configurations for my network today. Now I just need to write my firewall & NAT rules, and then install everything, including the proxies; overall it shouldn't take too long, if I get off my butt and do it. I have been a little preoccupied lately. I need to get my head back into it.
At the moment I am sitting and reading the pf users guide, which is a really excellent reference.
If anyone knows of any good links they are willing to share please let me know :) Thank you. Have a good one.
Wednesday, November 22, 2006
OpenBSD Desktop
After backing up my data, and rebooting yesterday I decided to go for an OpenBSD Desktop.
It should be fun, and it will help me to learn heaps more about the system.
So I am sitting here at the moment in lynx. Which works quite well in blogger beta.
I am really enjoying OpenBSD so far, I feel comfortable, even though I have a lot to learn. I am finding answers to my problems very quickly.
I know that there are probably much faster and more efficient ways of operating OpenBSD, but these are all things that I need to learn.
I miss the mouse in the commandline. Sounds strange I know, yet I got really used to it in FreeBSD
I am currently Installing gnome and playing around with other settings.
My aim is to try to get a nice easy to use desktop environment, I may need to add a few little gui tools, I will see how I go. For now I am having fun learning.
Have a good day :)
Monday, November 20, 2006
Device hell
After installing my new DVD player, and a new network card I seem to be in device hell on my Ubuntu (edgy) desktop. The DVD player has a different name every time I boot. Yet more annoying than this is my new network card, which can't make up its mind whether it is eth1 or eth2. I can't get it to be stable, it changes every time I boot, and messes up my iptables script, and many of my other tools.
I am going to do a re-install. I can't see any other way to get the kernel to pick up the devices properly. I am thinking that I maybe better off with a different OS.
Setting up the Sound card in FreeBSD
System:
- This howto is for FreeBSD and FreeBSD based systems.
- root access to the system
- A text editor (I will use vi for this tutorial)
As FreeBSD is a server operating system things like sound are not configured to work out of the box. Yet getting sound working is a very simple task once you know how.
Step one:
Firstly you need to find out what driver you need to use with your sound card, (If you already know this you can move onto Step two). This step is not as scary as it sounds.
First try to load the snd_driver module, which loads all of the most common sound device drivers at once:
# kldload snd_driver
You can now easily see which driver to use, by using the following command:
# cat /dev/sndstat
FreeBSD Audio Driver (newpcm)
Installed devices:
pcm0: at io 0xd800, 0xdc80 irq 5 bufsz 16384
kld snd_ich (1p/2r/0v channels duplex default)
The output will vary depending on your system. Yet from the above output we can see that snd_ich is the driver needed.
*Note if you did not get a response you can do a couple of other things:
- You could look at the FreeBSD 6.1 Hardware Notes, or the FreeBSD 5.5 Hardware notes to find out if your card is supported.
- Investigate the use of another sound system e.g. OSS (Open Sound System).
If anyone has any other suggestions please let me know.
Step two:
Now that we know which sound driver to use you can load that exact sound driver every time you boot by adding it to your /boot/loader.conf file. You do this by adding a line like this:
snd_YourDriverName_load="YES"
an example using the above driver would be:
# vi /boot/loader.conf
add:
snd_ich_load="YES"
For more information please see: FreeBSD Handbook - Setting up sound and snd(4) man page.
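The two steps above are easy to script, and scripting them avoids the one mistake people make by hand: adding a second `snd_xxx_load="YES"` line on top of an old one. This is an added example, not from the original post or from FreeBSD: the first function picks the `kld snd_...` driver name out of /dev/sndstat output (it looks for the `kld` word anywhere on a line, so it works whether the device and kld show up on one line or two), and the second appends the loader.conf line only when it is not already there. The sndstat text in the demo is the output quoted in the post, and the demo writes to a scratch file rather than the real /boot/loader.conf.

```shell
#!/bin/sh
# Added example (not from the original post): automate the two steps in the
# howto.  driver_from_sndstat pulls the kld name out of /dev/sndstat output;
# ensure_loader_line adds snd_xxx_load="YES" to a loader.conf only once.

# driver_from_sndstat < SNDSTAT_TEXT -> prints the kld name (e.g. snd_ich),
# nothing if no snd_ kld is listed
driver_from_sndstat() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "kld" && $(i + 1) ~ /^snd_/) { print $(i + 1); exit } }'
}

# ensure_loader_line FILE DRIVER -> appends DRIVER_load="YES" if absent;
# prints "added" or "present" so the caller can see what happened
ensure_loader_line() {
    file=$1
    line="${2}_load=\"YES\""
    if grep -qxF "$line" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# Sample input: the /dev/sndstat output quoted in the post.
sndstat='FreeBSD Audio Driver (newpcm)
Installed devices:
pcm0: at io 0xd800, 0xdc80 irq 5 bufsz 16384
kld snd_ich (1p/2r/0v channels duplex default)'

driver=$(printf '%s\n' "$sndstat" | driver_from_sndstat)
echo "driver: $driver"

# Demo on a scratch file standing in for /boot/loader.conf.
conf=$(mktemp)
ensure_loader_line "$conf" "$driver"      # added
ensure_loader_line "$conf" "$driver"      # present
cat "$conf"
rm -f "$conf"
```

On a real box the sequence is `kldload snd_driver`, then `driver=$(driver_from_sndstat < /dev/sndstat)` and `ensure_loader_line /boot/loader.conf "$driver"` as root; if `driver` comes back empty, sndstat listed no device and the hardware-notes step in the howto applies.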
Thursday, November 16, 2006
New DVD Burner
I got a present today, it is so cool. I have now moved into the new age of optical storage. I only had a CD burner before this. Now I have a Dual layer DVD burner. It is a LiteOn I have always liked LiteOn, so I am very happy with it.
After installing the burner into its new place in my tower it booted straight away and all of my software picked it up fine. I installed a few DVD codecs and away I went with my all time favourite DVD.
I am so happy with it. Thank you Babe!!!
Wednesday, November 15, 2006
Dia
I have been busy the past couple of days getting my life on track, and also playing with my new firewall. I have been going walking 2 times a day, which is scary. Yesterday I had a bit of a play with NetBSD Live. It is based on NetBSD 4.0_BETA/i386. It runs a KDE desktop environment, and there are a few configuration steps to go through to run it. For more info please see the following links: NetBSD Recent changes, READMES in English and German.
Inside of NetBSD live there was a really cool little program called Dia, which is a diagram creation program. Dia is a gtk+ based diagram creation program released under the GPL license. I love this program, you can draw diagrams of SO many things.
It currently has special objects to help draw entity relationship diagrams, UML diagrams, flowcharts, network diagrams, and many other diagrams. It is also possible to add support for new shapes by writing simple XML files, using a subset of SVG to draw the shape.
So if you are drawing heaps of diagrams all the time, or even if you only draw them occasionally this program is very much worth a look. It can make your design time much shorter.
This screen shot is of me working on a dia drawn network diagram.
Have fun.
Sunday, November 12, 2006
Learning Networking, OpenBSD style
I have only been learning OpenBSD for the past couple of weeks, so I am still eagerly learning how the Networking side of things works.
Until today I have never looked much into pf. I have used IPFW2 and IPF many times, and iptables a bit, but never pf. I started out with the information in the OpenBSD FAQ. I always find that this is a good place to start. Then the man pages available on the subject.
Reading: I started out with the OpenBSD FAQ Networking section:
http://openbsd.org/faq/faq6.html
As well as investigating the following pages:
lo(4);
The loop interface is a software loopback mechanism which may be used for performance analysis, software testing, and/or local communication.
pflog(4);
The pflog interface is a pseudo-device which makes visible all packets logged by the packet filter, pf(4). Logged packets can easily be monitored in real time by invoking tcpdump(8) on the pflog interface, or stored to disk using pflogd(8).
sl(4);
The sl interface allows serial lines to be used as network interfaces using the slip protocol
ppp(4);
The ppp interface allows serial lines to be used as network interfaces using the Point-to-Point Protocol (PPP).
tun(4);
The tun driver provides a network interface pseudo-device. Packets sent to this interface can be read by a userland process and processed as desired.
enc(4);
The enc interface is a software loopback mechanism that allows hosts or firewalls to filter ipsec(4) traffic using pf(4).
bridge(4);
The bridge device creates a logical link between two or more Ethernet interfaces or encapsulation interfaces
vlan(4);
The vlan Ethernet interface allows construction of virtual LANs when used in conjunction with IEEE 802.1Q-compliant Ethernet devices.
gre(4);
The gre network interface allows tunnel construction using the Cisco GRE or the Mobile-IP (RFC 2004) encapsulation protocols.
gif(4);
The gif interface is a generic tunnelling pseudo-device for IPv4 and IPv6.
carp(4);
The carp interface is a pseudo-device which implements and controls the CARP protocol. carp allows multiple hosts on the same local network to share a set of IP addresses.
tcpdump(8);
tcpdump prints out the headers of packets on a network interface that match the boolean expression.
pflogd(8);
pflogd is a background daemon which reads packets logged by pf(4) to a pflog(4) interface, normally pflog0, and writes the packets to a logfile (normally /var/log/pflog) in tcpdump(8) binary format.
pf(4);
Packet filtering takes place in the kernel. A pseudo-device, /dev/pf, allows userland processes to control the behaviour of the packet filter through an ioctl(2) interface.
ioctl(2);
The ioctl() function manipulates the underlying device parameters of special files. In particular, many operating characteristics of character special files (e.g., terminals) may be controlled with ioctl() requests.
pf.conf(5);
The pf(4) packet filter modifies, drops or passes packets according to rules or definitions specified in pf.conf.
altq(9);
altq - kernel interfaces for manipulating output queues on network interfaces
Posted by Kris at 3:57 am 1 comments
Labels: Firewall, Manual Pages, Networking, OpenBSD, Packet Filter
Saturday, November 11, 2006
OpenBSD Firewall links
I have been working hard today on getting the information and requirements I need to redesign and build my home network. Mostly I have been investigating the firewall, and I have come across some handy links:
Friday, November 10, 2006
Exaile (Media Player) on Ubuntu
I have been looking around for a while for a good open source media player. The only one I found that even came close to what I wanted was AmaroK, yet this is written for KDE, and I run Gnome. Anyway, after looking around for a while I stumbled across Exaile at Gnome files.
This is a really nice media player; it is very similar to AmaroK, yet it feels lighter to run, and it's for GTK+.
"It incorporates many of the cool things from AmaroK (and other media players) like automatic fetching of album art, handling of large libraries, lyrics fetching, artist/album information via the wikipedia, last.fm support, optional iPod support" (Exaile)
To install Exaile in Ubuntu (Edgy) is really easy:
Download the Edgy version from here: exaile_0.2.5b_i386.deb
*Note: If you have an OS other than Ubuntu Edgy, then see the download page: Download
Now open the directory in which you downloaded the .deb file.
Then click on the .deb file; it will open the GDebi package installer. Click Install.
This program will get the needed dependencies as well as install Exaile, very handy.
Python Day 1
Yesterday I started my adventures in learning python, and these are my notes:
First looking at how to run python,
- Download and install python: http://www.python.org/download
- Then running commands in the interactive python shell
- Saving files with a .py extension then running them by using the command:
- #python name_of_program.py
- Saving files with a header, therefore running them from a command line.
*Using quotation marks e.g. "" and '', to print out literal/string statements
*Also adding commas to continue the print expression
Operations:
*Python has six basic operations for numbers:
Exponentiation (**): 5 ** 3 == 125
Multiplication (*): 2 * 3 == 6
Division (/): 14 / 3 == 4
Remainder (%): 14 % 3 == 2
Addition (+): 1 + 2 == 3
Subtraction (-): 4 - 3 == 1
Getting input from a user:
- raw_input returns a string, while
- input returns a number.
- type which tells what a variable is, e.g. int, float, string.
- Numbers are of type int or float (which are short for 'integer' and 'floating point' respectively).
- strings
Here is a list of some string operations:
Repetition (*): "i" * 5 == "iiiii"
Concatenation (+): "Hello, " + "World!" == "Hello, World!"
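As an added example (not part of the original notes), here is a Python 3 take on the "raw_input returns a string" idea: the typed string is parsed and checked against the six listed operators rather than being handed to Python 2's input(), which evaluates whatever the user types. It uses floor division so that 14 / 3 gives the 4 recorded above; the sample lines are constructed.

```python
"""Safe string-to-number arithmetic limited to the six operators in the notes."""
import re
from typing import Union

Number = Union[int, float]

# The six operations from the notes; '/' is floor division here so that
# "14 / 3 == 4" matches the Python 2 result the notes record.
OPERATIONS = {
    "**": lambda a, b: a ** b,
    "*": lambda a, b: a * b,
    "/": lambda a, b: a // b,
    "%": lambda a, b: a % b,
    "+": lambda a, b: a + b,
    "-": lambda a, b: a - b,
}

# Exactly "<number> <op> <number>"; anything else is rejected, never evaluated.
_EXPR = re.compile(r"^\s*(-?\d+(?:\.\d+)?)\s*(\*\*|[*/%+-])\s*(-?\d+(?:\.\d+)?)\s*$")


def to_number(text: str) -> Number:
    """Convert a string (what raw_input returns) to int or float without eval()."""
    text = text.strip()
    if re.fullmatch(r"-?\d+", text):
        return int(text)
    if re.fullmatch(r"-?\d+\.\d+", text):
        return float(text)
    raise ValueError("not a number: %r" % text)


def calculate(line: str) -> Number:
    """Evaluate 'number op number' using only the six listed operators.

    Unlike Python 2's input(), which eval()s the whole line, this accepts
    nothing but two numeric literals and one known operator.
    """
    m = _EXPR.match(line)
    if not m:
        raise ValueError("expected '<number> <op> <number>', got %r" % line)
    a, op, b = to_number(m.group(1)), m.group(2), to_number(m.group(3))
    if op in ("/", "%") and b == 0:
        raise ZeroDivisionError("division by zero in %r" % line)
    return OPERATIONS[op](a, b)


if __name__ == "__main__":
    # Constructed sample lines standing in for what raw_input() would return.
    for sample in ["5 ** 3", "2 * 3", "14 / 3", "14 % 3", "1 + 2", "4 - 3", "1.5 + 2"]:
        result = calculate(sample)
        print("%s == %r (%s)" % (sample, result, type(result).__name__))
```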
Wednesday, November 08, 2006
My New DLink router
I received a graduation and an early birthday present today! I love it so much, it is a DLink DSL-504T router. I have the Greatest best friend in the world!
I thought at first it was going to be a world of pain and disasters, but everything turned out ok in the end. Here is the story;
I excitingly unpacked the present from the box and plugged everything in, booted into my desktop, loaded up the router's web interface in my browser and started playing with the configs.
At first there wasn't a problem, I did a default pre-configuration and tested connectivity, everything looked sweet so I continued tweaking settings here and there. Once I had everything the way I wanted it; I rebooted the router and my desktop.
Everything was going along really well, for around an hour or so. (I was impressed with the speed and all my boxes were happily enjoying the ride. I knew that my old router was getting pretty bad, I just didn't realise how bad.)
When all of a sudden the router stopped routing...
Everything stopped, no connectivity anywhere, in any way. I did some testing and found nothing. None of my settings had changed, nothing seemed wrong, all of the logs were fine, all of the configs were fine, all of the lights were blinking just right. I was stumped, not a single idea entered my head, not one.
So I went back to the store with my best friend and replaced the dodgy one with another one. I was worried about the new one straight away, there was no plastic around the box. It had already been opened and the box was slightly damaged. Yet it was the only one they had left in stock. So I wandered home and plugged in the new router, I went to configure it when I noticed that the settings were not default, no, the last guy who returned it had left his settings and password in the router. I decided that this was probably a really bad sign.
I reset the router and added my settings, but it was a failure, there was no nothing, the connection was not working at all. It was dead in the water from before it landed in my home.
I stormed down to the store, a little 'pissed off', and spoke to the people there; they returned my money, they were really nice about it. My friend and I then wandered along to another computer store to discover that the only router in there was the exact same type as the one we had just taken back.
After slightly scaring a young man in there over being able to bring it back if it was like the last two, we paid $18 more and purchased the router. I checked the batch and serial numbers it was not even close to the same. I hoped that was a good sign...
I plugged it in (by this stage I knew exactly where everything was and where it needed to go, so it was very quick), I added all my settings, and guess what...
it didn't go... I sat and pondered my navel for a while.
Then it came to me... in one last effort to get the router before this one going I had modified the DNS settings on my desktop... oops, so I changed these settings back to my ISP's DNS servers and away it went.
This router is awesome, I love it. I am glad that I didn't go for another brand, I thought about it but now I am so happy to have this one.
I have the coolest best friend. None of these weird graduation gifts, no flowers (which would just die), or pendants (which I will never look at again), no, none of that, the most perfect gift you could give a Network Engineer and Sys admin: a DLink Router.
I am so lucky...
Thank you.
Tuesday, November 07, 2006
Unix Images
I haven't been up to much today. It has been a public holiday here, so I decided to have a slow day. I did however do a few things with the gimp (GNU Image Manipulation Program) that I thought I might share, I hope you enjoy:
Saturday, November 04, 2006
Today's Happenings
Today has not been the most productive of days online, today has been a day of sorting things out in the real world. I know, shocking isn't it. I had to go and fill out paperwork and lots of other fun things :s. Yet I did manage to get some computer things done.
- First I had a look at TrueBSD, and wrote a short review on it.
- Also I found some really good Firefox2 tweaks at LifeHacker.org which are well worth a look if you haven't already: top-firefox-2-config-tweaks.
- I read through the following RFC, a couple of times:
RFC0002 : Host software B. Duvall [ April 1969 ] ( TXT = 17145 bytes)
TrueBSD review
I heard yesterday of a new FreeBSD based Operating system called TrueBSD, after having a look around the website I decided to download the iso and have a look.
I was really impressed with this little system, especially as it was the first stable release. TrueBSD is a LiveCD OS, based on FreeBSD. There are many handy applications on it, and a very nicely configured xfce4 window manager (although there are others available). The system felt light and easy to use. There was no effort involved in having a play around. Especially after reading the TrueBSD Handbook.
When you first boot the system you will see the familiar FreeBSD styled boot menu, and boot messages. After logging in with the username root and a blank password you end up with a lovely green prompt, and instructions on where to find the handbook, and a configure command.
From reading the Handbook before downloading the system I knew that by using the following commands I could quickly configure and run the X-server, which is where I wanted to have a look around:
# /sysutils/xconf
# startx
I was introduced to a lovely xfce4 system, with a really professional look. I was really impressed with the fact that the screen resolution preferences were open, ready for me to use. I loved being able to adjust this setting without having to spend 10 minutes searching for its location, all the while squinting my eyes at the screen.
After having a look at a few of the applications available I wanted to use an Internet based tool, only to discover that I didn't have Internet access. I decided to give the `trueconf' tool a spin. So I opened a terminal and typed in:
# /sysutils/trueconf
An easy to understand and use menu opened and I chose my selection from it, and it configured my network perfectly.
I was shocked at some of the applications, as they seemed too big to run from a CD, yet I had no problems at all. In fact everything that I opened ran very smoothly and quickly, especially considering that this is a LiveCD.
You can also run TrueBSD from a hard disk; there is the option to install the system. I like this, it means that if I wanted a FreeBSD based system running on my machine with heaps of preconfigured software then it would not be a hassle.
I was a little disappointed that there was more than one of some types of programs, I very much live by the philosophy; 'one piece of software for one job'. Yet I understand that often this can keep many more people happy.
Overall though this is a friendly and easy to use system, I liked it and will most certainly be keeping my eye on this project. If you would like to have a look around TrueBSD I would suggest having a quick read of the TrueBSD Handbook (it is only short) and then downloading and trying TrueBSD for yourself.
Have Fun!
Thursday, November 02, 2006
The things that I have learnt today
As the day is drawing to a close, I like to look over the things that I have read about and learned through out the day. This helps to clarify these things in my mind and also to have a reference for further study.
RFC exploration, I read through the following RFC, a couple of times to gain a good understanding of it:
RFC0001 : Host Software, S. Crocker [ April 1969 ] (TXT = 21088 bytes)
Man Pages, I had a bit of a re-read of the following man pages:
netstat(1), ifconfig(8), carp(4)
Wikipedia, I read the following wikipedia pages:
IMP, IP address, IPX, AppleTalk, RPC
I also started to read: Understanding IP Addressing
Overall I am trying to gain a better understanding of my area of interest. I have recently completed my Network Engineering and Systems Administration diplomas and I don't feel that I know my subjects as well as possible. I think in the school environment you get way too caught up in the format of the work (i.e. layout of assignments, and documents), in project management and other matters, which are not necessarily important in gaining knowledge in the area. Therefore I believe that I now need to make sure that my knowledge is sufficient. I will admit that I possibly have way higher expectations of myself than is sometimes necessary. :)
OpenBSD4.0
OpenBSD 4.0 was released yesterday, I was quick to get my hands on it to try it out. I installed it into my testing environment.
There are many new features in OpenBSD 4.0, Including:
Improved hardware support, especially for wireless devices. Increased functionality in many tools, including:
ftp(1) which now supports https,
IPsec, which has been improved in many ways,
carp(4) now has improved failover handling,
cdio(1) can now blank a re-writable disk and perform track-at-once burning,
pf(4) supports uRPF checks for simplified ingress filtering.
As well as improvements in many other tools.
For a complete list of what is new please see: http://openbsd.org/40.html#new. And for a detailed log of changes between the 3.9 and 4.0 releases see: http://openbsd.org/plus40.html
The official OpenBSD 4.0 CD set is available from OpenBSD's online store.
I downloaded the Network install of OpenBSD 4.0 from: http://www.openbsd.org/ftp.html. The i386/cd40.iso is available here: ftp://ftp5.usa.openbsd.org/pub/OpenBSD/4.0/i386/cd40.iso (4.88MB, MD5)
The Install
The install procedure has not changed since 3.9, anyone who has ever installed OpenBSD will find it very easy to follow. Install instructions can be found at: OpenBSD 4.0 Installation Guide. I completed a standard install. I was not interested in the X windows system or anything like that at this stage, as I am building a firewall.
Once I had completed the install I ended up with a root login, from there I added another user, and locked down the root account.
Then I started playing around with all of the new features, and seeing how they work and the options and switches that make them do so. So far all of the things that I have tried have worked perfectly, and it has not been difficult to set them up or to work out their command structure.
I have personally never read more helpful man pages than those produced by the OpenBSD team, they are clear, concise and easy to follow. So before you get stuck try them out, I hope you find them as informative as I do.
Overall I have found OpenBSD 4.0 to be a very fine system, congratulations to the OpenBSD team, once again you have produced an outstanding Operating System which you should be Very proud of. I know that I will be honoured to run this system.
Wednesday, November 01, 2006
GeekyBits³
Hello and welcome to my Blog.
GeekyBits³ is a place to share my tech notes, thoughts, ideas, tutorials, geeky moments and other computer related information, with the rest of the world.
If you have a suggestion for a topic, or would like help with a computer related problem; please send me an email or leave a comment. I will do my best to help, and to bring you the information you are looking for...
I would love to hear from you.