Python

Minor revision to breadcrumbs.py

I made a slight change to the I wrote as a plugin for . I changed the way the links are displayed, so that the directory separators (/) are not included in the actual link, and added a rel="tag" to the links to allow style aggregators to understand them better.

As always, you are free to download it from this site and I am open to any hints, suggestions, fixes, updates, or constructive criticism of any sort.

Alaska

Fickle weather

Over the past couple of days the temperature has shifted from hovering around 5°F (-15°C) for the high and -15°F (-26°C) for the low, to suddenly being in the high 30’s (2 to 3°C) with a very light drizzle. What that does to all the snowpack on the roadways is in no way pretty. (Think of how a Zamboni prepares the ice for a skating rink.)

Anyhow, all the local schools are closed due to the icy road conditions. I wasn’t aware that the University would be closed, however, until after I got here, and got settled into my desk and ready to crack at another week. But, since I have just gotten the call from higher up I guess I can call it a day. Whew! I never thought I’d have to work a whole day in 12 minutes! And to think – I left early because I knew the roads were bad and spent almost 40 minutes getting here!

I think I may just stay for an hour or three and get some things done. At least the phone won’t be ringing off the hook today!

Apache

Apache 2.2 is out

I realize I am a little late in posting this, but Apache have announced the release of Apache 2.2. From a quick look at the release notes it looks like they have gotten the cache handlers working and stable, including a cache cleaning portion.

Now the question is, do I stick with 2.0.5x or do I jump on the 2.2 train?

Writings

I miss the oldies . . ..

I find that when it comes to multiplayer online games that I miss the oldies. Remember the heady days of the BBS when you dialed in to a local server and played games like TradeWars?

Sure, there are a lot of MUDs and MMORPGs out there, but I find that they just aren’t the same. It makes me think that maybe I should work on a TradeWar-ish game – maybe do it in turbogears. It would be good practice.

Something I always felt was lacking in TradeWars, however, was the limited “classes” (to use the RPG terminology) available. You were either a trading ship captain or a Pirate captain or a little of each. What about letting players take other roles: Police, Military, Mercenary and so on. I’m sure I could come up with more. And what about instead of just controlling one ship (and getting larger and larger ships and eventually bases and then worlds) you could go from one ship to controlling a battalion, a fleet, an armada, your own space navy? Hmm, maybe I need to throw a little Risk into the mix as well to allow large-scale actions.

Now I just need to determine the structure, and the rules, and then I can start on the development requirements. Coming soon in 2010! (Or something like that.)

Alaska

I think I’ll take the cold. . .

With Augustine currently in a state of near constant ash eruption I think I am willing to live with the cold from the high pressure system pushing out of Siberia. It is keeping the high wind pattern moving to the South-East, which means that, for now, we are spared any ashfall here in Anchorage.

Of course, just like any other weather pattern here, this is subject to change without notice. I just hope that if the low trying to move in from the South-West actually manages to push its way into South-Central that it brings enough moisture that the ashfall is contained in snow.

Black snow may be ugly, and heavy, but it doesn’t drift through all the cracks in the windows and doors and settle in your machinery.

Alaska

Ready for breakup too soon

It’s not even February and I am already looking forward to breakup. I know I still have another 6 weeks or so but I’m ready for it now. The cold is starting to frost my mood. At least we are on the increase for daylight, currently gaining about 2 minutes a day.

If you don’t know what breakup is then you aren’t from Alaska. Essentially breakup is our version of Spring. As the temperature rises above freezing the snow starts to melt, the ice on the rivers begins to thin and eventually the running water under the river ice breaks through and the rivers open up. That’s where the term comes from.

There’s more to it than that here in Anchorage, though. We get to look forward to some other special little extras. The trash that has been buried under the snow all winter. The mud that forms as the ground thaws and the ground water rises. And most special of all, the doggie piles that have been buried under the snow thaw out, while at the same time shading the snow underneath, leading to little tiny pedestals holding those little prizes aloft.

Open Source

Simpler iptables firewalls with firehol

As everyone knows, security depends on defense-in-depth. (And if you didn’t before, you do now!) The idea being that defense should take place in layers, from the edge of the network to the heart of the system. That’s why we have firewalls, anti-virus, intrusion detection, anti-spam and kernel and compiler hardening mechanisms. But just because you have a firewall at the edge of the network doesn’t mean you can skip the host-based firewall.

The most common Linux host-based firewall is probably iptables. Unfortunately, iptables can be incredibly complex to configure correctly. There are lots of tools to help with this. My favorite has to be firehol. Both from an ease of use standpoint, and from a “don’t kill me while I’m testing” sort of operation. If you are not careful while editing iptables rules it is actually fairly easy to lock yourself out.

Say you are remote in your server via ssh. You edit your iptables firewall rules and disable ssh port 22 by placing a comment marker in the wrong line. You HUP the firewall and BANG you’re locked out. The way firehol gets around this is to generate a rule to accept all ESTABLISHED and RELATED connections. So you’re connected via ssh, change the firehol configs, restart the service and you are still connected. Now you start another shell and try to log in, and when you find that you can’t, you can return to the open connection, fix the error and restart, and so on.

In the interest of showing how firehol works, here is a sample firehol.conf and the generated iptables firewall rules that it created.

interface eth0 internal src "192.168.1.0/24" dst 192.168.1.10/32
    policy drop
    server ICMP accept
    server dns accept
    server ftp accept
    server ident accept
    server microsoft_ds accept
    server mysql accept
    server samba accept
    server time accept
    server ssh accept
    server http accept
    server https accept
    server ntp accept
    server vnc accept
    server webmin accept
    server smtp accept
    server pop3 accept
    client all accept
interface eth0 outside src not "${UNROUTABLE_IPS} 192.168.1.0/24" dst 192.168.1.10/32
    policy drop
    server ICMP accept
    server dns accept
    server ftp accept
    server http accept
    server https accept
    server ntp accept
    server smtp accept
    server pop3 accept
    client all accept
interface lo loopback src "127.0.0.0/8" dst "127.0.0.0/8 192.168.1.10/32"
    policy accept

Generated rules:

# Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *mangle
 :PREROUTING ACCEPT [7340:1260938]
 :INPUT ACCEPT [7296:1245746]
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [7454:4772446]
 :POSTROUTING ACCEPT [7468:4775764]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *nat
 :PREROUTING ACCEPT [340:49114]
 :POSTROUTING ACCEPT [19:2454]
 :OUTPUT ACCEPT [19:2454]
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
 # Generated by iptables-save v1.2.11 on Wed Dec  7 14:49:09 2005
 *filter
 :INPUT DROP [0:0]
 :FORWARD DROP [0:0]
 :OUTPUT DROP [0:0]
 :in_internal - [0:0]
 :in_internal_ICMP_s1 - [0:0]
 :in_internal_all_c14 - [0:0]
 :in_internal_dns_s2 - [0:0]
 :in_internal_ftp_c16 - [0:0]
 :in_internal_ftp_s3 - [0:0]
 :in_internal_http_s10 - [0:0]
 :in_internal_https_s11 - [0:0]
 :in_internal_ident_s4 - [0:0]
 :in_internal_irc_c15 - [0:0]
 :in_internal_microsoft_ds_s5 - [0:0]
 :in_internal_mysql_s6 - [0:0]
 :in_internal_ntp_s12 - [0:0]
 :in_internal_samba_s7 - [0:0]
 :in_internal_ssh_s9 - [0:0]
 :in_internal_time_s8 - [0:0]
 :in_internal_webmin_s13 - [0:0]
 :in_loopback - [0:0]
 :in_outside - [0:0]
 :in_outside_ICMP_s1 - [0:0]
 :in_outside_all_c9 - [0:0]
 :in_outside_dns_s2 - [0:0]
 :in_outside_ftp_c11 - [0:0]
 :in_outside_ftp_s3 - [0:0]
 :in_outside_http_s4 - [0:0]
 :in_outside_https_s5 - [0:0]
 :in_outside_irc_c10 - [0:0]
 :in_outside_ntp_s6 - [0:0]
 :in_outside_ssh_s7 - [0:0]
 :in_outside_webmin_s8 - [0:0]
 :out_internal - [0:0]
 :out_internal_ICMP_s1 - [0:0]
 :out_internal_all_c14 - [0:0]
 :out_internal_dns_s2 - [0:0]
 :out_internal_ftp_c16 - [0:0]
 :out_internal_ftp_s3 - [0:0]
 :out_internal_http_s10 - [0:0]
 :out_internal_https_s11 - [0:0]
 :out_internal_ident_s4 - [0:0]
 :out_internal_irc_c15 - [0:0]
 :out_internal_microsoft_ds_s5 - [0:0]
 :out_internal_mysql_s6 - [0:0]
 :out_internal_ntp_s12 - [0:0]
 :out_internal_samba_s7 - [0:0]
 :out_internal_ssh_s9 - [0:0]
 :out_internal_time_s8 - [0:0]
 :out_internal_webmin_s13 - [0:0]
 :out_loopback - [0:0]
 :out_outside - [0:0]
 :out_outside_ICMP_s1 - [0:0]
 :out_outside_all_c9 - [0:0]
 :out_outside_dns_s2 - [0:0]
 :out_outside_ftp_c11 - [0:0]
 :out_outside_ftp_s3 - [0:0]
 :out_outside_http_s4 - [0:0]
 :out_outside_https_s5 - [0:0]
 :out_outside_irc_c10 - [0:0]
 :out_outside_ntp_s6 - [0:0]
 :out_outside_ssh_s7 - [0:0]
 :out_outside_webmin_s8 - [0:0]
 -A INPUT -i lo -j ACCEPT
 -A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
 -A INPUT -d 192.168.1.10 -i eth0 -j in_outside
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -i lo -j in_loopback
 -A INPUT -s 127.0.0.0/255.0.0.0 -d 192.168.1.10 -i lo -j in_loopback
 -A INPUT -m state --state RELATED -j ACCEPT
 -A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
 -A INPUT -j DROP
 -A FORWARD -m state --state RELATED -j ACCEPT
 -A FORWARD -m limit --limit 1/sec -j LOG --log-prefix "PASS-unknown:"
 -A FORWARD -j DROP
 -A OUTPUT -o lo -j ACCEPT
 -A OUTPUT -s 192.168.1.10 -d 192.168.1.0/255.255.255.0 -o eth0 -j out_internal
 -A OUTPUT -s 192.168.1.10 -o eth0 -j out_outside
 -A OUTPUT -s 127.0.0.0/255.0.0.0 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -s 192.168.1.10 -d 127.0.0.0/255.0.0.0 -o lo -j out_loopback
 -A OUTPUT -m state --state RELATED -j ACCEPT
 -A OUTPUT -m limit --limit 1/sec -j LOG --log-prefix "OUT-unknown:"
 -A OUTPUT -j DROP
 -A in_internal -j in_internal_ICMP_s1
 -A in_internal -j in_internal_dns_s2
 -A in_internal -j in_internal_ftp_s3
 -A in_internal -j in_internal_ident_s4
 -A in_internal -j in_internal_microsoft_ds_s5
 -A in_internal -j in_internal_mysql_s6
 -A in_internal -j in_internal_samba_s7
 -A in_internal -j in_internal_time_s8
 -A in_internal -j in_internal_ssh_s9
 -A in_internal -j in_internal_http_s10
 -A in_internal -j in_internal_https_s11
 -A in_internal -j in_internal_ntp_s12
 -A in_internal -j in_internal_webmin_s13
 -A in_internal -j in_internal_all_c14
 -A in_internal -j in_internal_irc_c15
 -A in_internal -j in_internal_ftp_c16
 -A in_internal -m state --state RELATED -j ACCEPT
 -A in_internal -m limit --limit 1/sec -j LOG --log-prefix "IN-internal:"
 -A in_internal -j DROP
 -A in_internal_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_c16 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_internal_http_s10 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_https_s11 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ident_s4 -p tcp -m tcp --sport 1024:65535 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_irc_c15 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_internal_microsoft_ds_s5 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_mysql_s6 -p tcp -m tcp --sport 1024:65535 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ntp_s12 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p udp -m udp --sport 1024:65535 --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_samba_s7 -p tcp -m tcp --sport 1024:65535 --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p tcp -m tcp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_time_s8 -p udp -m udp --sport 1024:65535 --dport 37 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_internal_webmin_s13 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_loopback -m state --state RELATED -j ACCEPT
 -A in_loopback -j ACCEPT
 -A in_outside -s 0.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 2.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 5.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 7.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 23.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 27.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 31.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 36.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 39.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 41.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 42.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 73.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 74.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 76.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 89.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 90.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 92.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 96.0.0.0/224.0.0.0 -j RETURN
 -A in_outside -s 173.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 174.0.0.0/254.0.0.0 -j RETURN
 -A in_outside -s 176.0.0.0/248.0.0.0 -j RETURN
 -A in_outside -s 184.0.0.0/252.0.0.0 -j RETURN
 -A in_outside -s 189.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 190.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 197.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 223.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 240.0.0.0/240.0.0.0 -j RETURN
 -A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
 -A in_outside -s 169.254.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 172.16.0.0/255.240.0.0 -j RETURN
 -A in_outside -s 192.0.2.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.88.99.0/255.255.255.0 -j RETURN
 -A in_outside -s 192.168.0.0/255.255.0.0 -j RETURN
 -A in_outside -s 192.168.1.0/255.255.255.0 -j RETURN
 -A in_outside -j in_outside_ICMP_s1
 -A in_outside -j in_outside_dns_s2
 -A in_outside -j in_outside_ftp_s3
 -A in_outside -j in_outside_http_s4
 -A in_outside -j in_outside_https_s5
 -A in_outside -j in_outside_ntp_s6
 -A in_outside -j in_outside_ssh_s7
 -A in_outside -j in_outside_webmin_s8
 -A in_outside -j in_outside_all_c9
 -A in_outside -j in_outside_irc_c10
 -A in_outside -j in_outside_ftp_c11
 -A in_outside -m state --state RELATED -j ACCEPT
 -A in_outside -m limit --limit 1/sec -j LOG --log-prefix "IN-outside:"
 -A in_outside -j DROP
 -A in_outside_ICMP_s1 -p icmp -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_all_c9 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p udp -m udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_dns_s2 -p tcp -m tcp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 21 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 20 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_c11 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ftp_s3 -p tcp -m tcp --sport 1024:65535 --dport 1024:4999 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A in_outside_http_s4 -p tcp -m tcp --sport 1024:65535 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_https_s5 -p tcp -m tcp --sport 1024:65535 --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_irc_c10 -p tcp -m tcp --sport 6667 --dport 1024:4999 -m state --state ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p udp -m udp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ntp_s6 -p tcp -m tcp --sport 1024:65535 --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_ssh_s7 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A in_outside_webmin_s8 -p tcp -m tcp --sport 1024:65535 --dport 10000 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal -j out_internal_ICMP_s1
 -A out_internal -j out_internal_dns_s2
 -A out_internal -j out_internal_ftp_s3
 -A out_internal -j out_internal_ident_s4
 -A out_internal -j out_internal_microsoft_ds_s5
 -A out_internal -j out_internal_mysql_s6
 -A out_internal -j out_internal_samba_s7
 -A out_internal -j out_internal_time_s8
 -A out_internal -j out_internal_ssh_s9
 -A out_internal -j out_internal_http_s10
 -A out_internal -j out_internal_https_s11
 -A out_internal -j out_internal_ntp_s12
 -A out_internal -j out_internal_webmin_s13
 -A out_internal -j out_internal_all_c14
 -A out_internal -j out_internal_irc_c15
 -A out_internal -j out_internal_ftp_c16
 -A out_internal -m state --state RELATED -j ACCEPT
 -A out_internal -m limit --limit 1/sec -j LOG --log-prefix "OUT-internal:"
 -A out_internal -j DROP
 -A out_internal_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_all_c14 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_c16 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_internal_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_http_s10 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_https_s11 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ident_s4 -p tcp -m tcp --sport 113 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_irc_c15 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_microsoft_ds_s5 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_mysql_s6 -p tcp -m tcp --sport 3306 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ntp_s12 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 137 --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 138 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p udp -m udp --sport 138 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 139 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_samba_s7 -p tcp -m tcp --sport 445 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_ssh_s9 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p tcp -m tcp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_time_s8 -p udp -m udp --sport 37 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_internal_webmin_s13 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_loopback -m state --state RELATED -j ACCEPT
 -A out_loopback -j ACCEPT
 -A out_outside -d 0.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 2.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 5.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 7.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 23.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 27.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 31.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 36.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 39.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 41.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 42.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 73.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 74.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 76.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 89.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 90.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 92.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 96.0.0.0/224.0.0.0 -j RETURN
 -A out_outside -d 173.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 174.0.0.0/254.0.0.0 -j RETURN
 -A out_outside -d 176.0.0.0/248.0.0.0 -j RETURN
 -A out_outside -d 184.0.0.0/252.0.0.0 -j RETURN
 -A out_outside -d 189.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 190.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 197.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 223.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 240.0.0.0/240.0.0.0 -j RETURN
 -A out_outside -d 10.0.0.0/255.0.0.0 -j RETURN
 -A out_outside -d 169.254.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 172.16.0.0/255.240.0.0 -j RETURN
 -A out_outside -d 192.0.2.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.88.99.0/255.255.255.0 -j RETURN
 -A out_outside -d 192.168.0.0/255.255.0.0 -j RETURN
 -A out_outside -d 192.168.1.0/255.255.255.0 -j RETURN
 -A out_outside -j out_outside_ICMP_s1
 -A out_outside -j out_outside_dns_s2
 -A out_outside -j out_outside_ftp_s3
 -A out_outside -j out_outside_http_s4
 -A out_outside -j out_outside_https_s5
 -A out_outside -j out_outside_ntp_s6
 -A out_outside -j out_outside_ssh_s7
 -A out_outside -j out_outside_webmin_s8
 -A out_outside -j out_outside_all_c9
 -A out_outside -j out_outside_irc_c10
 -A out_outside -j out_outside_ftp_c11
 -A out_outside -m state --state RELATED -j ACCEPT
 -A out_outside -m limit --limit 1/sec -j LOG --log-prefix "OUT-outside:"
 -A out_outside -j DROP
 -A out_outside_ICMP_s1 -p icmp -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_all_c9 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p udp -m udp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_dns_s2 -p tcp -m tcp --sport 53 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 20 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_c11 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 21 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 20 --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A out_outside_ftp_s3 -p tcp -m tcp --sport 1024:4999 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_http_s4 -p tcp -m tcp --sport 80 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_https_s5 -p tcp -m tcp --sport 443 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_irc_c10 -p tcp -m tcp --sport 1024:4999 --dport 6667 -m state --state NEW,ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p udp -m udp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ntp_s6 -p tcp -m tcp --sport 123 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_ssh_s7 -p tcp -m tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 -A out_outside_webmin_s8 -p tcp -m tcp --sport 10000 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
 COMMIT
 # Completed on Wed Dec  7 14:49:09 2005
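As an added example (not firehol's code or anything from the original post), the following Python dry-runs the generated ruleset for one described packet, walking INPUT and the user chains the way the kernel does, so you can check before restarting the firewall whether a fresh ssh connection, and the session you are already on, would still be accepted. The rule excerpt, the packet fields and the RULESET_NO_SSH variant (the mis-edit described above) are constructed for the example.

```python
# Added example (not firehol's code or the post's): dry-run an iptables-save
# ruleset for one described packet, walking INPUT and firehol's user chains the
# way the kernel does, to answer "would this config lock me out of ssh?".
# Negation ("!") and non-filter tables are not handled; this ruleset has neither.
import shlex
from ipaddress import ip_address, ip_network

# Constructed excerpt of the generated rules above: INPUT plus the chains that
# decide ssh on eth0; in_outside is kept to show how its RETURN rules behave.
RULESET = """\
*filter
:INPUT DROP [0:0]
:in_internal - [0:0]
:in_internal_ssh_s9 - [0:0]
:in_internal_all_c14 - [0:0]
:in_outside - [0:0]
:in_outside_all_c9 - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/255.255.255.0 -d 192.168.1.10 -i eth0 -j in_internal
-A INPUT -d 192.168.1.10 -i eth0 -j in_outside
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -m limit --limit 1/sec -j LOG --log-prefix "IN-unknown:"
-A INPUT -j DROP
-A in_internal -j in_internal_ssh_s9
-A in_internal -j in_internal_all_c14
-A in_internal -j DROP
-A in_internal_ssh_s9 -p tcp -m tcp --sport 1024:65535 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A in_internal_all_c14 -m state --state ESTABLISHED -j ACCEPT
-A in_outside -s 10.0.0.0/255.0.0.0 -j RETURN
-A in_outside -j in_outside_all_c9
-A in_outside -j DROP
-A in_outside_all_c9 -m state --state ESTABLISHED -j ACCEPT
COMMIT
"""
# The mis-edit the post describes, as if "server ssh accept" were commented out
# of the internal interface: in_internal no longer jumps to the ssh chain.
RULESET_NO_SSH = RULESET.replace("-A in_internal -j in_internal_ssh_s9\n", "")

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def parse_iptables_save(text):
    """Return (chains, policies): chain -> [option dict per rule], chain -> policy or None."""
    chains, policies, table = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter" or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name], policies[name] = [], (None if policy == "-" else policy)
        elif line.startswith("-A "):
            toks, opts = shlex.split(line), {}
            for i in range(2, len(toks) - 1):   # collect every "-x value" pair
                if toks[i].startswith("-") and not toks[i + 1].startswith("-"):
                    opts[toks[i]] = toks[i + 1]
            chains.setdefault(toks[1], []).append(opts)
    return chains, policies

def port_in(spec, port):
    lo, _, hi = spec.partition(":")             # "22" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(opts, pkt):
    """True if every selector the rule carries matches the packet dict."""
    for key, field in (("-i", "iface"), ("-p", "proto")):
        if key in opts and opts[key] != pkt[field]:
            return False
    for key, field in (("-s", "src"), ("-d", "dst")):
        if key in opts and ip_address(pkt[field]) not in ip_network(opts[key], strict=False):
            return False
    for key, field in (("--sport", "sport"), ("--dport", "dport")):
        if key in opts and not port_in(opts[key], pkt[field]):
            return False
    if "--state" in opts and pkt["state"] not in opts["--state"].split(","):
        return False
    return True    # -m limit and LOG options never narrow the match

def verdict(chains, policies, chain, pkt):
    # Walk one chain: ACCEPT/DROP/REJECT, or None when it RETURNs to the caller.
    for opts in chains.get(chain, []):
        if not rule_matches(opts, pkt):
            continue
        target = opts.get("-j")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in chains:                      # user chain: descend, honour RETURN
            result = verdict(chains, policies, target, pkt)
            if result is not None:
                return result
        # LOG and other non-terminating targets fall through to the next rule
    return policies.get(chain)                    # built-in policy; None for user chains

def lockout_check(text, iface, src, dst):
    """Fate of a fresh ssh connection versus the session you are already in."""
    chains, policies = parse_iptables_save(text)
    base = {"iface": iface, "src": src, "dst": dst, "proto": "tcp", "sport": 40000, "dport": 22}
    return {"new_ssh": verdict(chains, policies, "INPUT", dict(base, state="NEW")),
            "established": verdict(chains, policies, "INPUT", dict(base, state="ESTABLISHED"))}
```

With the ssh line removed, a new login from the LAN is dropped while the existing session stays ESTABLISHED and accepted, which is exactly the safety net the post describes; a packet from 10.0.0.0/8 on the outside interface RETURNs from in_outside to INPUT and meets the final DROP there.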


JavaScript

Web-based editing with TinyMCE

While it’s not specific to PHP, I have found what is perhaps the best web-based WYSIWYG editor going: TinyMCE. The only reason I am mentioning it here is because of the framework I built behind it.

The goal was to build an admin page for “blosxom-ish” blogs (like Blosxom, pyBlosxom, phpBlosxom, etc) that use text files for entries. The initial idea was to do it in Python/PSP using mod_python. I quickly abandoned this for the following reasons:

  1. No matter what I tried, I could not get the PSP include directive to work.
  2. The mod_python PSP documentation is sparse and generally not helpful.
  3. I wanted to bang it out and get it done, and I am already familiar with PHP enough to be comfortable with it.

I do have plans to re-implement in a Python cgi-style format, and will offer it to the community at large at that time, but until then this version seems to be working ok for me (at least at the moment).

If you would like a copy of the source for this (WARNING! It is not commented and seriously shows the signs of being hacked out in one evening!) drop me a line and let me know.

By the way: I almost forgot the important part. What is it that makes me think TinyMCE is the best web-based WYSIWYG editor? The fact that it generates <p> tags for paragraphs (rather than stuffing in a couple <br>s), uses <strong> and <em> rather than <b> and <i>, has a working link and image insertion tool, a preview button, and it applies itself to all the textareas in a form page without jumping through a bunch of hoops with id and style attributes. Generally it produces valid HTML 4.0 Transitional. (I think it could be tweaked to produce valid XHTML 1.x Strict, though.)

So what could be tweaked?

  • The “tidy” tool doesn’t strip out the M$ Word class=”MsoNormal” attributes when pasting from Word.
    • Possible fix for now: strip those out in the back-end processing
    • Long-term fix: Find the javascript code that does the tidying and add the logic to delete the Mso* attributes.
  • It uses <font> tags rather than <style> tags to apply color and font-face changes.
    • Possible fix for now: replace the <font color=”#??????”> tags with <span style=”color:#??????;”> in the backend.
    • Avoid using font face changes and allow the css of the site that is going to be displaying the page handle it.
    • Long-term fix: Find the javascript code that produces the font tags and replace it with span.

Overall, it does what it says, and that makes it another of those things that I like: stuff that works!

Python

Checking out TurboGears

On the recommendation of Ted Leung (a former boss of mine and a font of programming wisdom) I decided to look into TurboGears. WOW!

I have seen all kinds of claims along the lines of “this framework is so special because . . .” – and well, most of them just don’t live up to it.

TurboGears does exactly what it says. It provides a means for rapid web application development. And as proof they provide a video that shows the creation of a wiki in right around 23 minutes, start to finish. It doesn’t get much better than that, now does it?

Tools

The best tools for the job – part 3

Programming:

I work in a couple languages and develop everything from full-blown applications to web applications to scripts for server maintenance. These are my top picks for whatever language I am working in at the moment.

Java:
I have been using (for several years) and am partial to NetBeans [Linux – BSD – Windows – OSX]. This Java IDE has progressed into a full-featured environment including the following integrated pieces:

  • Tomcat server
  • local Pointbase database
  • Javadoc Index search
  • Internationalization
  • refactoring engine
  • JUnit testing

I haven’t really tested Eclipse [Linux – BSD – OSX – Windows] more than to install it and run it for a short while. Truthfully, I just didn’t feel like overcoming the learning curve, since I already know how to do what I want to do in NetBeans.

Bash Scripting:
Of course it is always best to do Bash scripting in a bash shell, preferably in XEmacs [Linux – BSD – OSX – Windows] or Nano [Linux – BSD – OSX – Windows (DOS)]. When I can, that is exactly what I do. Often, however, I am forced at work to develop Bash scripts for servers from my desktop (Windows) PC. For this I have found evolvEd [Windows] to be the tool of choice. It provides syntax highlighting and code completion hints which help a great deal when you are unable to paste a line of code into a terminal window and see how it runs. Of course, I can test those scripts (at least partially) in Cygwin [Windows], which I make sure to install on every Windows box I am expected to work with, but those tests are limited in that calls to other programs don’t work if those programs aren’t installed in Cygwin.

Python:
Python is fairly new to me still, for anything beyond server scripts, and large text file parsing, which is what got me started in Python. (Python can do a line-by-line parse of a 280MB text file, determining the interesting non-empty lines by the characters in the 12th – 20th position and writing them out to a series of 1200 line files in a matter of a couple minutes – as opposed to the constant hung process I was getting with a Bash script to do the same thing.) Being new to Python I have really only worked with IDLE [Linux – BSD – Windows – OSX] which is included with the current distribution of Python. There may be better things out there – perhaps jEdit [Linux – BSD – Windows – OSX] or something else, but I am still too new in the game to make that decision, even for myself.