Archive for January, 2006

I think I’ll take the cold. . .

January 30th, 2006 by Sjan Evardsson

With Augustine currently in a state of near constant ash eruption I think I am willing to live the cold from the high pressure system pushing out of Siberia. It is keeping the high wind pattern moving to the South-East, which means that, for now, we are spared any ashfall here in Anchorage.

Of course, just like any other weather pattern here, this is subject to change without notice. I just hope that if the low trying to move in from the South-West actually manages to push its way into South-Central that it brings enough moisture that the ashfall is contained in snow.

Black snow may be ugly, and heavy, but it doesn’t drift through all the cracks in the windows and doors and settle in your machinery.

Ready for breakup too soon

January 29th, 2006 by Sjan Evardsson

It’s not even February and I am already looking forward to breakup. I know I still have another 6 weeks or so but I’m ready for it now. The cold is starting to frost my mood. At least we are on the increase for daylight, currently gaining about 2 minutes a day.

If you don’t know what breakup is then you aren’t from Alaska. Essentially breakup is our version of Spring. As the temperature rises above freezing the snow starts to melt, the ice on the rivers begins to thin and eventually the running water under the river ice breaks through and the rivers open up. That’s where the term comes from.

There’s more to it than that here in Anchorage, though. We get to look forward to some other special little extras. The trash that has been buried under the snow all winter. The mud that forms as the ground thaws and the ground water rises. And most special of all, the doggie piles that have been buried under the snow thaw out, while at the same time shading the snow underneath, leading to little tiny pedastals holding those little prizes aloft.

Simpler iptables firewalls with firehol

January 26th, 2006 by Sjan Evardsson

As everyone knows, security depends on defense-in-depth. (And if you didn’t before, you do now!) The idea being that defense should take place in layers, from the edge of the network to the heart of the system. That’s why we have firewalls, anti-virus, intrusion detection, anti-spam and kernel and compiler hardening mechanisms. But just because you have a firewall at the edge of the network doesn’t mean you can skip the host-based firewall.

The most common Linux host-based firewall is probably iptables. Unfortunately, iptables can be incredibly complex to configure correctly. There are lots of tools to help with this. My favorite has to be firehol. Both from an ease of use standpoint, and from a “don’t kill me while I’m testing” sort of operation. If you are not careful while editing iptables rules it is actually fairly easy to lock yourself out.

Say you are remote in your server via ssh. You edit your iptables firewall rules and disable shh port 22 by placing a comment marker in the wrong line. You HUP the firewall and BANG you’re locked out. The way firehol gets around this is to generate a rule to accept all ESTABLISHED and RELATED connections. So you’re connected via ssh, change the firehol configs, restart the service and you are still connected. Now you start another shell and try to log in and when you find that you can’t you can return to the open connection, fix the error and restart, and so on.

In the interest of showing how firehol works, here is a sample firehol.conf and the generated iptables firewall rules that it created.

interface eth0 internal src "192.168.1.0/24" dst 192.168.1.10/32
  	policy drop
  	server ICMP accept
  	server dns accept
  	server ftp accept
  	server ident accept
  	server microsoft_ds accept
  	server mysql accept
  	server samba accept
  	server time accept
  	server ssh accept
  	server http accept
  	server https accept
  	server ntp accept
  	server vnc accept
  	server webmin accept
  	server smtp accept
  	server pop3 accept
  	client all accept
  interface eth0 outside src not "${UNROUTABLE_IPS} 192.168.1.0/24" dst 192.168.1.10/32
  	policy drop
  	server ICMP accept
  	server dns accept
  	server ftp accept
  	server http accept
  	server https accept
  	server ntp accept
  	server smtp accept
  	server pop3 accept
  	client all accept
  interface lo loopback src "127.0.0.0/8" dst "127.0.0.0/8 192.168.1.10/32"
  	policy accept

Generated rules:

# Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *mangle
 :PREROUTING ACCEPT [7340:1260938]
 :INPUT ACCEPT [7296:1245746]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [7454:4772446]
 :POSTROUTING ACCEPT [7468:4775764]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *nat
 :PREROUTING ACCEPT [340:49114]
 :POSTROUTING ACCEPT [19:2454]
 :OUTPUT ACCEPT [19:2454]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
 :in_internal - [0:0]
 :in_internal_ICMP_s1 - [0:0]
 :in_internal_all_c14 - [0:0]
 :in_internal_dns_s2 - [0:0]
 :in_internal_ftp_c16 - [0:0]
 :in_internal_ftp_s3 - [0:0]
 :in_internal_http_s10 - [0:0]
 :in_internal_https_s11 - [0:0]
 :in_internal_ident_s4 - [0:0]
 :in_internal_irc_c15 - [0:0]
 :in_internal_microsoft_ds_s5 - [0:0]
 :in_internal_mysql_s6 - [0:0]
 :in_internal_ntp_s12 - [0:0]
 :in_internal_samba_s7 - [0:0]
 :in_internal_ssh_s9 - [0:0]
 :in_internal_time_s8 - [0:0]
 :in_internal_webmin_s13 - [0:0]
 :in_loopback - [0:0]
 :in_outside - [0:0]
 :in_outside_ICMP_s1 - [0:0]
 :in_outside_all_c9 - [0:0]
 :in_outside_dns_s2 - [0:0]
 :in_outside_ftp_c11 - [0:0]
 :in_outside_ftp_s3 - [0:0]
 :in_outside_http_s4 - [0:0]
 :in_outside_https_s5 - [0:0]
 :in_outside_irc_c10 - [0:0]
 :in_outside_ntp_s6 - [0:0]
 :in_outside_ssh_s7 - [0:0]
 :in_outside_webmin_s8 - [0:0]
 :out_internal - [0:0]
 :out_internal_ICMP_s1 - [0:0]
 :out_internal_all_c14 - [0:0]
 :out_internal_dns_s2 - [0:0]
 :out_internal_ftp_c16 - [0:0]
 :out_internal_ftp_s3 - [0:0]
 :out_internal_http_s10 - [0:0]
 :out_internal_https_s11 - [0:0]
 :out_internal_ident_s4 - [0:0]
 :out_internal_irc_c15 - [0:0]
 :out_internal_microsoft_ds_s5 - [0:0]
 :out_internal_mysql_s6 - [0:0]
 :out_internal_ntp_s12 - [0:0]
 :out_internal_samba_s7 - [0:0]
 :out_internal_ssh_s9 - [0:0]
 :out_internal_time_s8 - [0:0]
 :out_internal_webmin_s13 - [0:0]
 :out_loopback - [0:0]
 :out_outside - [0:0]
 :out_outside_ICMP_s1 - [0:0]
 :out_outside_all_c9 - [0:0]
 :out_outside_dns_s2 - [0:0]
 :out_outside_ftp_c11 - [0:0]
 :out_outside_ftp_s3 - [0:0]
 :out_outside_http_s4 - [0:0]
 :out_outside_https_s5 - [0:0]
 :out_outside_irc_c10 - [0:0]
 :out_outside_ntp_s6 - [0:0]
 :out_outside_ssh_s7 - [0:0]
 :out_outside_webmin_s8 - [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
 -A INPUT -d 192.168.1.10 -i eth0 -j in_outside
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j in_loopback
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 192.168.1.10 -i lo -j in_loopback
 -A INPUT -m state --state RELATED -j ACCEPT
 -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
 -A INPUT -j DROP
 -A FORWARD -m state --state RELATED -j ACCEPT
 -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
 -A FORWARD -j DROP
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -s 192.168.1.10 -d 192.168.1.0/255.255.255.0 -o eth0 -j out_internal
 -A OUTPUT -s 192.168.1.10 -o eth0 -j out_outside
 -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -s 192.168.1.10 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -m state --state RELATED -j ACCEPT
 -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
 -A OUTPUT -j DROP
 -A in_internal -j in_internal_ICMP_s1
 -A in_internal -j in_internal_dns_s2
 -A in_internal -j in_internal_ftp_s3
 -A in_internal -j in_internal_ident_s4
 -A in_internal -j in_internal_microsoft_ds_s5
 -A in_internal -j in_internal_mysql_s6
 -A in_internal -j in_internal_samba_s7
 -A in_internal -j in_internal_time_s8
 -A in_internal -j in_internal_ssh_s9
 -A in_internal -j in_internal_http_s10
 -A in_internal -j in_internal_https_s11
 -A in_internal -j in_internal_ntp_s12
 -A in_internal -j in_internal_webmin_s13
 -A in_internal -j in_internal_all_c14
 -A in_internal -j in_internal_irc_c15
 -A in_internal -j in_internal_ftp_c16
 -A in_internal -m state --state RELATED -j ACCEPT
 -A in_internal -m limit --limit 1/sec -j LOG --log-prefix "IN-internal:"
 -A in_internal -j DROP
 -A in_internal_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_http_s10 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_https_s11 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ident_s4 -p tcp -m tcp --sport 1024:65535 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_irc_c15 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_microsoft_ds_s5 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_mysql_s6 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p tcp -m tcp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p udp -m udp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_webmin_s13 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_loopback -m state --state RELATED -j ACCEPT
 -A in_loopback -j ACCEPT
 -A in_outside -s 0.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 2.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 5.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 7.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 23.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 27.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 31.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 36.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 39.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 41.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 42.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 73.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 74.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 76.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 89.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 90.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 92.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 96.0.0.0/224.0.0.0 -j RETURN
 -A in_outside -s 173.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 174.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 176.0.0.0/248.0.0.0 -j RETURN
 -A in_outside -s 184.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 189.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 190.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 197.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 223.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 240.0.0.0/240.0.0.0 -j RETURN
 -A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 169.254.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 172.16.0.0/255.240.0.0 -j RETURN
 -A in_outside -s 192.0.2.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.88.99.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.168.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 192.168.1.0/255.255.255.0 -j RETURN
 -A in_outside -j in_outside_ICMP_s1
 -A in_outside -j in_outside_dns_s2
 -A in_outside -j in_outside_ftp_s3
 -A in_outside -j in_outside_http_s4
 -A in_outside -j in_outside_https_s5
 -A in_outside -j in_outside_ntp_s6
 -A in_outside -j in_outside_ssh_s7
 -A in_outside -j in_outside_webmin_s8
 -A in_outside -j in_outside_all_c9
 -A in_outside -j in_outside_irc_c10
 -A in_outside -j in_outside_ftp_c11
 -A in_outside -m state --state RELATED -j ACCEPT
 -A in_outside -m limit --limit 1/sec -j LOG --log-prefix "IN-outside:"
 -A in_outside -j DROP
 -A in_outside_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_all_c9 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_http_s4 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_https_s5 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_irc_c10 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ssh_s7 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_webmin_s8 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal -j out_internal_ICMP_s1
 -A out_internal -j out_internal_dns_s2
 -A out_internal -j out_internal_ftp_s3
 -A out_internal -j out_internal_ident_s4
 -A out_internal -j out_internal_microsoft_ds_s5
 -A out_internal -j out_internal_mysql_s6
 -A out_internal -j out_internal_samba_s7
 -A out_internal -j out_internal_time_s8
 -A out_internal -j out_internal_ssh_s9
 -A out_internal -j out_internal_http_s10
 -A out_internal -j out_internal_https_s11
 -A out_internal -j out_internal_ntp_s12
 -A out_internal -j out_internal_webmin_s13
 -A out_internal -j out_internal_all_c14
 -A out_internal -j out_internal_irc_c15
 -A out_internal -j out_internal_ftp_c16
 -A out_internal -m state --state RELATED -j ACCEPT
 -A out_internal -m limit --limit 1/sec -j LOG --log-prefix "OUT-internal:"
 -A out_internal -j DROP
 -A out_internal_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_all_c14 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_http_s10 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_https_s11 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ident_s4 -p tcp -m tcp --sport 113 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_irc_c15 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_microsoft_ds_s5 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_mysql_s6 -p tcp -m tcp --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 139 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ssh_s9 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p tcp -m tcp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p udp -m udp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_webmin_s13 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_loopback -m state --state RELATED -j ACCEPT
 -A out_loopback -j ACCEPT
 -A out_outside -d 0.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 2.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 5.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 7.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 23.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 27.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 31.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 36.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 39.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 41.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 42.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 73.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 74.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 76.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 89.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 90.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 92.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 96.0.0.0/224.0.0.0 -j RETURN
 -A out_outside -d 173.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 174.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 176.0.0.0/248.0.0.0 -j RETURN
 -A out_outside -d 184.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 189.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 190.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 197.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 223.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 240.0.0.0/240.0.0.0 -j RETURN
 -A out_outside -d 10.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 169.254.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 172.16.0.0/255.240.0.0 -j RETURN
 -A out_outside -d 192.0.2.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.88.99.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.168.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 192.168.1.0/255.255.255.0 -j RETURN
 -A out_outside -j out_outside_ICMP_s1
 -A out_outside -j out_outside_dns_s2
 -A out_outside -j out_outside_ftp_s3
 -A out_outside -j out_outside_http_s4
 -A out_outside -j out_outside_https_s5
 -A out_outside -j out_outside_ntp_s6
 -A out_outside -j out_outside_ssh_s7
 -A out_outside -j out_outside_webmin_s8
 -A out_outside -j out_outside_all_c9
 -A out_outside -j out_outside_irc_c10
 -A out_outside -j out_outside_ftp_c11
 -A out_outside -m state --state RELATED -j ACCEPT
 -A out_outside -m limit --limit 1/sec -j LOG --log-prefix "OUT-outside:"
 -A out_outside -j DROP
 -A out_outside_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_all_c9 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_http_s4 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_https_s5 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_irc_c10 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ssh_s7 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_webmin_s8 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005

Web-based editing with TinyMCE

January 23rd, 2006 by Sjan Evardsson

While it’s not specific to PHP, I have found what is perhaps the best web-based WYSISYG editor going: TinyMCE. The only reason I am mentioning it here is because of the framework I built behind it.

The goal was to build an admin page for “blosxom-ish” blogs (like Blosxom, pyBlosxom, phpBlosxom, etc) that use text files for entries. The inital idea was to do it in Python/PSP using mod_python. I quickly abandoned this for the following reasons:

  1. No matter what I tried, I could not get the PSP include directive to work.
  2. The mod_python PSP documentation is sparse and generally not helpful.
  3. I wanted to bang it out and get it done, and I am already familiar with PHP enough to be comfortable with it.

I do have plans to re-implement in a Python cgi-style format, and will offer it to the community at large at that time, but until then this version seems to be working ok for me (at least at the moment).

If you would like a copy of the source for this (WARNING! It is not commented and seriously shows the signs of being hacked out in one evening!) drop me a line and let me know.

By the way: I almost forgot the important part. What is it that makes me think TinyMCE is the best web-based WYSIWYG editor? The fact that it generates <p> tags for paragraphs (rather than stuffing in a couple <br>s), uses <strong> and <em> rather than <b> and <i>, has a working link and image insertion tool, a preview button, and it applies itself to all the textareas in a form page without jumping through a bunch of hoops with id and style attributes. Generally it produces valid HTML 4.0 Transitional. (I think it could be tweaked to produce valid XHTML 1.x Strict, though.)

So what could be tweaked?

  • The “tidy” tool doesn’t strip out the M$ Word class=”MsoNormal” attributes when pasting from Word.
    • Possible fix for now: strip those out in the back-end processing
    • Long-term fix: Find the javascript code that does the tidying and add the logic to delete the Mso* attributes.
  • It uses <font> tags rather that <style> tages to apply color and font-face changes.
    • Possible fix for now: replace the <font color=”#??????”> tags with <span style=”color:#??????;”> in the backend.
    • Avoid using font face changes and allow the css of the site that is going to be displaying the page handle it.
    • Long-term fix: Find the javascript code that produces the font tags and replace it with span.

Overall, it does what it says, and that makes it another of those things that I like: stuff that works!

Checking out TurboGears

January 22nd, 2006 by Sjan Evardsson

On the recommendation of Ted Leung (a former boss of mine and a font of programming wisdom) I decided to look into TurboGears. WOW!

I have seen all kinds of claims along the lines of “this framework is so special because . . .” – and well, most of them just don’t live up to it.

TurboGears does exactly what it says. It provides a means for rapid web application development. And as proof they provide a video that shows the creation of a wiki in right around 23 minutes, start to finish. It doesn’t get much better than that, now does it?

The best tools for the job – part 3

January 19th, 2006 by Sjan Evardsson

Programming:

I work in a couple languages and develop everything from full-blown applications to web applications to scripts for server maintenance. These are my top picks for whatever language I am working in at the moment.

Java:
I have been using (for several years) and am partial to NetBeans [Linux - BSD - Windows - OSX]. This Java IDE has progressed into a full-featured environment including the following integrated pieces:

  • Tomcat server
  • local Pointbase database
  • Javadoc Index search
  • Internationalization
  • refactoring engine
  • JUnit testing

I haven’t really tested Eclipse [Linux - BSD - OSX - Windows] more than to install it and run it for a short while. Truthfully, I just didn’t feel like overcoming the learning curve, since I already know how to do what I want to do in NetBeans.

Bash Scripting:
Of course it is always best to do Bash scripting in a bash shell, preferably in XEmacs [Linux - BSD - OSX - Windows] or Nano [Linux - BSD - OSX - Windows (DOS)].When I can, that is exactly what I do. Often, however, I am forced at work to develop Bash scripts for servers from my desktop (Windows) PC. For this I have found evolvEd [Windows] to be the tool of choice. It provides syntax highlighting and code completion hints which help a great deal when you are unable to paste a line of code into a terminal window and see how it runs. Of course, I can test those scripts (at least partially) in Cygwin [Windows] which I make sure to install on every Windows box I am expected to work with, but those tests are limited in that calls to other programs don’t work if those programs aren’t installed in Cygwin.

Python:
Python is fairly new to me still, for anything beyond server scripts, and large text file parsing, which is what got me started in Python. (Python can do a line-by-line parse of a 280MB text file, determining the interesting non-empty lines by the characters in the 12th – 20th position and writing them out to a series of 1200 line files in a matter of a couple minutes – as opposed to the constant hung process I was getting with a Bash script to do the same thing.) Being new to Python I have really only worked with IDLE [Linux - BSD - Windows - OSX] which is included with the current distribution of Python. There may be better things out there – perhaps jEdit [Linux - BSD - Windows - OSX] or something else, but I am still too new in the game to make that decision, even for myself.

The best tools for the job – part 2

January 18th, 2006 by Sjan Evardsson

Music Creation and Editing

When it comes to music creation/editing software and tools there are rabid fans of just about anything you can find. These tools are by no means the only thing available, and there might even be some that don’t do the job as well as others. These (as all the picks in this series) are just the ones I happen to like.

Sequencing:
For sequencing (MIDI) work I like Anvil Studio [Windows]. I have been using it for several years now, (since around ’99 or ’00 or so) and it works great for composing music. I generally create a complete melodic piece, and then split it into ‘chunks’ which I can use in my loop composition package. I then work out the harmonic tracks based on the whole, figure out the thematic elements and work that into a set of harmony ‘chunks’ which are (mostly) interchangeable throughout the melody line.

Using MIDI pieces directly in a loop composition package is generally not such a good idea. You’re generally stuck with whatever MIDI interpreter is built into the package. Which is why I then take my ‘chunks’ and convert them to wav files using TiMidity++ [Windows - Linux - BSD - OSX]. Since TiMidity++ uses Gravis Ultrasound compatible patch files and/or SoundFonts (essentially sample libraries) to convert to wave, you get the benefits of a sampling board, and you can turn your MIDI files into well-voiced wavs.

Of course, well-voiced wavs still aren’t completely ready to pull into a loop composition. They need to be edited, manipulated, sometimes warmed and riched, sometimes fuzzed and occasionally pitch-shifted or time-stretched (when the piece starts to deviate radically from what I started with – which happens more often than you may think). Plus there are those direct recorded samples (usually done with something like the built-in Windows sound-recorder) of things like hand drums, didgeridoo, or some weird sound that I thought would be cool. All of these need to be edited before importing and for that I currently use WavePad [Windows]. I used to use Syntrillium CoolEdit (which has now become Adobe Audition) but I couldn’t keep up with the ever rising license costs. So far, WavePad has been able to do everything I need it to do, so I’m not feeling too bad about it. I have also tried Audacity which I love under Linux, but feel the interface of WavePad suits better.

Once I have all my chunks and loops, it’s time to assemble them. For this I use eJay Music Director Gold [Windows]. I have tried other packages (like Acid and FruityLoops) but so far have been pleased with what I can do in Music Director. I may try other packages again some time in the future – but for now I am sticking with what works!

The best tools for the job

January 17th, 2006 by Sjan Evardsson

I am often asked by my Linux-using friends why I am using Windows, while my my Windows-centric friends wonder why I am using Linux or BSD and my Mac-user friends ask why I’m not using Mac at all. The answer to the last is easiest – I don’t have a Mac.

As to the other questions, it depends on what I am doing at the moment. I don’t think that Windows is inherently better or worse than Linux or BSD, nor do I think that all software that costs money is evil. I think it all comes down to asking the question: “What is the best tool for the job I am doing?”

With that in mind, here is the first installment in the list of my picks:

Web Development (HTML/PHP/JavaScript): Adobe HomeSite (previously Macromedia HomeSite, previously Allaire HomeSite). [Windows]

I have been using HomeSite for several years now, and despite the changes in company ownership, it continues to be the best tool available for general web development.

In the realm of rapid development, HomeSite has a built-in ftp client, and you can also set it to use a server running locally to see PHP pages and Perl CGI in action. For that I prefer Xampp from ApacheFriends, because of its ease of installation on Windows and the fact that it makes creating a local Apache/PHP/MySQL setup a snap.

The down side to HomeSite is that it doesn’t understand Python/PSP, and changing the tab settings to use spaces instead of tabs seems to be broken in the latest version. I thought it used to do that, but I may be mistaken.

The only tool that comes close is Bluefish [Linux] which seems to be improving in great strides. When I need to whack out a quick web document while in Linux that is the tool for which I reach.

Although Bluefish understands Python it still doesn’t quite work the way I would like it to when highlighting and parsing PSPs. Maybe, when I have the time I can write a plug-in for HomeSite to do just that.

Tomorrow: Music Editing/Creation Tools

I’m still here

January 16th, 2006 by Sjan Evardsson

Just to let the myriad of my readers know (all both of them!) that I am still here. I just decided to take a weekend.

I figured that since I had a three-day weekend I would avoid working on anything other than the house for a couple days. That was actually very nice.

Now, however, I find out that not checking my email accounts several times a day, in fact letting them go for more than two whole days, I am facing an incredible amount of catch-up I have to do. The old saw that “Hard work pays off later, procrastination pays off right now” comes with an unspoken caveat: while procrastination might pay off right now, the check still needs to be handled later!

(Yet Another) Augustine Update

January 13th, 2006 by Sjan Evardsson

Word just came over the radio that all flights into and out of Anchorage International Airport and the Kenai Peninsula have been
postponed until 3PM tomorrow due to the danger of ash above the 30,000 foot range.

CORRECTION: Listening to the rebroadcast (which was much more in-depth than the first announcement) it turns out that Era Aviation and
Alaska Airlines have suspended all flights between:
Anchorage and Fairbanks
Anchorage and Homer
Anchorage and Ninilchick
Anchorage and Seattle
and all flights in and out of Homer and Ninilchick, while all flights in and out of Kenai are expected to stopped at dark (because of the inability to see any ash clouds.)

Needless to say, we are currently on “alert” here at the university, getting ready to shut down and bag everything if the higher-level winds shift.

One of our coworkers who is currently involved in a cross-country ski competition in the lower 48 says there is no news of
the volcano down there.