Playing with ipset on Oneiric Ocelot

August 17th, 2011

I finally decided to play with ipset, given that it’s now included in the mainline Linux kernel and enabled in the default Ubuntu kernel. The use of tables/sets (like in OpenBSD’s pf) can make firewalls a lot shorter. Unfortunately Debian/Ubuntu don’t ship current versions of the userland packages. But manhandling the debian-packaging onto newer sources proved easy enough. The resulting amd64 package is available for the daring. A trivial ssh firewall using ipset looks like this:


# One hash:net set per address family; -exist makes create/add idempotent,
# so the script can be re-run after editing the allowlist files.
for family in inet inet6; do
ipset -exist create ssh-allow-$family hash:net family $family
done

# Load the members: one address or prefix per line, '#' lines are comments.
for net in $(grep -v ^# /etc/ipset/ssh_allow_inet); do
ipset -exist add ssh-allow-inet $net
done

for net in $(grep -v ^# /etc/ipset/ssh_allow_inet6); do
ipset -exist add ssh-allow-inet6 $net
done

# Accept ssh from the set, drop all other ssh. The sets must exist before
# these rules are loaded, and because of the DROP rule an empty or flushed
# set means no ssh at all.
iptables -A INPUT -p tcp -m set --match-set ssh-allow-inet src -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
ip6tables -A INPUT -p tcp -m set --match-set ssh-allow-inet6 src -m tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j DROP

The contents of /etc/ipset/ssh_allow_inet look like this:

<sten@host:~> cat /etc/ipset/ssh_allow_inet
# me
127.0.0.1
# Work network
192.0.2.0/24
# home
198.51.100.0/24
# friend
203.0.113.1

And the created set looks like this:

<sten@host:~> sudo ipset -l ssh-allow-inet
Name: ssh-allow-inet
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16944
References: 1
Members:
127.0.0.1
192.0.2.0/24
198.51.100.0/24
203.0.113.1
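The loader above re-runs grep and ipset add over the file in place. Since the second rule drops every other ssh packet, a reload that flushes the set before refilling it, or that aborts on a malformed line, leaves a window in which all ssh is dropped. The script below is an added example and not code from the post: it validates each line of the /etc/ipset/ssh_allow_* files against the address family of the set, fills a scratch set, and then uses ipset swap, which replaces the contents of the live set in a single atomic step, refusing to swap in an empty set. The IPSET_CMD variable is an assumption of this example; set it to "echo ipset" to dry-run without root.

```sh
#!/bin/sh
# Added example (not from the original post): validate and atomically
# reload the ipset allowlists used by the ssh rules above.
# IPSET_CMD is an assumption of this example; IPSET_CMD="echo ipset"
# prints the commands instead of running them.

# parse_allowlist FILE FAMILY  ->  one validated address/prefix per line.
# Comments (# to end of line), blank lines and surrounding whitespace are
# dropped; an entry that does not look like an address or prefix for FAMILY
# (inet = IPv4, inet6 = IPv6) is reported on stderr and skipped rather than
# aborting the whole load halfway through.
parse_allowlist() {
    file=$1; family=$2
    octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    case $family in
    inet)  pat="^$octet(\\.$octet){3}(/([0-9]|[12][0-9]|3[0-2]))?\$" ;;
    inet6) pat='^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4})+(/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8]))?$' ;;
    *)     echo "unknown family: $family" >&2; return 2 ;;
    esac
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
    | grep -v '^$' \
    | while IFS= read -r entry; do
        if printf '%s\n' "$entry" | grep -Eq "$pat"; then
            printf '%s\n' "$entry"
        else
            echo "skipping invalid $family entry: $entry" >&2
        fi
    done
}

# load_set NAME FAMILY FILE
# Fills NAME-tmp and then swaps it with NAME. ipset swap exchanges the two
# sets atomically, so rules referencing NAME never see a half-filled set,
# unlike flush-then-add, which with the DROP rule above would briefly drop
# every ssh connection attempt.
load_set() {
    name=$1; family=$2; file=$3
    ipset=${IPSET_CMD:-ipset}
    nets=$(parse_allowlist "$file" "$family") || return $?
    if [ -z "$nets" ]; then
        echo "refusing to swap an empty set into $name (would drop all ssh)" >&2
        return 1
    fi
    $ipset -exist create "$name" hash:net family "$family"
    $ipset -exist create "$name-tmp" hash:net family "$family"
    $ipset flush "$name-tmp"
    printf '%s\n' "$nets" | while IFS= read -r net; do
        $ipset -exist add "$name-tmp" "$net"
    done
    $ipset swap "$name-tmp" "$name" && $ipset destroy "$name-tmp"
}

# Reload both families from the files used in the post. Run as root after
# the iptables/ip6tables rules are in place, e.g. from a cron job or hook.
reload_ssh_sets() {
    for family in inet inet6; do
        load_set "ssh-allow-$family" "$family" "/etc/ipset/ssh_allow_$family"
    done
}
```

Both sets in a swap must have the same type and family, which is why the scratch set is created with the same hash:net and family arguments as the live one.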

The easiest dessert ever

August 5th, 2011

This is a simple red fruit tiramisu which I recently came up with. It really couldn’t be more trivial, which is great because nice fruit shouldn’t be messed with. For 3 to 4 persons:

  • 500 gram Biogarde Stand (other plain and wet yoghurts should work as well)
  • 250 gram Mascarpone
  • 250 gram Strawberries
  • 250 gram Redcurrants
  • 250 gram Raspberries
  • 15 Ladyfinger biscuits

Whisk the yoghurt and the mascarpone together in a large bowl; the combination should be both fresh and creamy. The wetness of the biogarde also helps quite a bit. It is possible to add some sugar when the strawberries are not that sweet. Grab 3 or 4 dessert bowls, first layer in the biscuits, then cover them with the strawberries and the redcurrants. Add the yoghurt/mascarpone mixture to the bowls and lastly cover it with the raspberries. Wait for a few minutes to give the ladyfingers some time to soften and dig in.

Ladvd 0.9.2

September 21st, 2010

This was supposed to be a fixes-only release, but then people started requesting features, oh well :) Ladvd is now hosted at googlecode in mercurial. The switch to mercurial allows more people to contribute and makes it much easier to grab the latest development release. Besides that an impressive number of small fixes and features have helped to make 0.9.2 a great release.

  • Vlan Name TLV support
  • LLDP mau support for Linux
  • LLDP autoneg_pmd support for Linux and BSD
  • use the NIC hardware name when no ifdescr is configured (Linux sysfs, FreeBSD sysctl)
  • use lsb-release to report Linux distro information
  • improved locally-generated packet filtering
  • Improved detection of Tun/Tap interfaces, including a switch to use them
  • Skip FreeBSD’s ipfw interfaces
  • FreeBSD dmi/smbios support via kenv()
  • added HACKING documentation
  • fixes for small packets
  • various other small fixes

Buildservices

January 28th, 2010

In preparation for the next ladvd release I decided to investigate automated software builds, to make sure that it will work on as many platforms / distributions as possible. I’d like to avoid having to release a .1 version just to fix a silly configure issue on RHEL X.Y. Building the virtual machines to do this myself seemed like a lot of work, so I decided to investigate online software compile farms.
The first one I looked at was Launchpad. I started out by adding ladvd as a project to Launchpad; the whole gpg signing and upload dance is very neat. This however doesn’t allow you to actually build software, for that you need to start a PPA, which luckily also is pretty easy. However Launchpad doesn’t provide a lot of control over the compile process, and only Ubuntu is supported.
So I started playing around with the second option, the OpenSUSE Build Service. The initial signup was similar to Launchpad, except no gpg this time. Which is a shame because it makes signing the packages impossible. But the number of distributions supported (RHEL, SuSE, Debian, Ubuntu, Fedora) is great, and I especially like the build logs which show you exactly what is going on. Getting the packages built for Debian and Ubuntu was trivial, and even the specfile for RPM distributions was done in a few hours. After that I realized that it would be even better to run unit-tests during the package build. Then I ran into a bug which sadly makes this impossible (Check’s pkg-config file is missing). But there was a bugzilla link where I’ve reported the issue, so hopefully it will be solved soon.

Ladvd 0.8.5

September 16th, 2009

Last week I’ve released ladvd 0.8.5, a bugfix / cleanup release which solves all known issues. The next release will include a cli and possibly SNMP support.

* use wireless interfaces when the -w option is set
* disable auto-enabled protocols when peers expire
* add port-name to -z ifdescr support
* improved ifdescr support (only if needed, multiple peers, etc)
* used strnvis to sanitize strings for ifdescr
* fixed FreeBSD lagg ioctl
* RHEL4 compatibility fixes
* chroot the child, not the master
* use setresuid/setresgid for dropping privileges
* move the child code to child.c and refactor the eventloop
* refactored socket handling in master.c
* sockets are now fully dynamic and always have filters
* bsd vlan detection
* remove multicast registrations on shutdown
* even better unit-tests

This release has been (unit-)tested on Linux (amd64, arm), FreeBSD (i386, amd64) and OpenBSD (sparc64). I’d like to thank Paul de Weerd, Jacek Masiulaniec, Stephan A. Rickauer, David Gwynne and Mattieu Baptiste who have helped to uncover bugs and even submitted patches.

Tarballs and Debian sources are available.

Ladvd 0.8

June 21st, 2009

I’ve just released ladvd 0.8, which supports receive mode and a host of other features resulting from that.

  • privilege separation
  • SIOCSIFDESCR support (the -z option)
  • Automatic protocol enabling based on received packets (-a)
  • syslog notifications for new/removed peers (-r)
  • EDP support
  • FDP support
  • NDP / SoNMP support
  • abstracted protocol support
  • rewritten netif and message lists
  • some strict alignment fixes
  • unit-tests including extensive protocol tests

This release has been (unit-)tested on Linux (amd64, arm), FreeBSD (i386, amd64) and OpenBSD (amd64, sparc64, vax).
Tarballs and Debian sources are available.

Qnap TS-219 Serial

June 11th, 2009

I’ve recently bought a QNAP NAS and wanted to make a serial cable for it. The Debian QNAP guru Martin Michlmayr informed me that the connector used is a JST PHR-4. So I ordered some connectors and pins. The second part needed was a TTL-serial converter. The cheapest solution is a regular old GSM data-cable; I bought 4 Siemens C/S/M 25-45 cables. The pinout required some research, but I settled on:

  • GND – Black
  • RX – Yellow
  • VCC – Red
  • TX – Green

And lo and behold it worked first time round:


Port /dev/ttyS1
[Marvell / U-Boot ASCII-art banner]  ** LOADER **
** MARVELL BOARD: DB-88F6281A-BP LE

U-Boot 1.1.4 (Feb 9 2009 - 11:13:32) Marvell version: 3.4.4

U-Boot code: 00600000 -> 0067FFF0 BSS: -> 00690DCC

Soc: 88F6281 A0 (DDR2)
CPU running @ 1200Mhz L2 running @ 400Mhz
SysClock = 400Mhz , TClock = 200Mhz

DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6
DRAM CS[0] base 0x00000000 size 256MB
DRAM CS[1] base 0x10000000 size 256MB
DRAM Total size 512MB 16bit width
[16384kB@f8000000] Flash: 16 MB
Addresses 8M - 0M are saved for the U-Boot usage.
Mem malloc Initialization (8M - 7M): Done

CPU : Marvell Feroceon (Rev 1)

Streaming disabled

fifo.sh -> fifo.nl

April 5th, 2009

Last December I obtained the fifo.nl domain, as a going-away present from my former boss. This made the fifo.sh domain obsolete, which was only ever used because the .nl was taken. The fact that .sh domains cost about 13 times more than .nl domains made the decision somewhat easier. However quite a few people were used to the fifo.sh name, and would have to be instructed to change their ways. Just removing the domain wouldn’t work, it just leads to things like this:

<Punica> is fifonet down btw?
<Punica> can’t resolve it

As a first step a public notice was posted. Naturally nobody notices public notices, that would be like reading manpages. So I added http-redirects pointing to the new domain, which worked, but nobody really noticed the change. Then it became time to post a similar notice via the fifo.sh rss-feeds, which some people noticed. A few days after that I added redirects to funny places, which alerted people that something had changed:

<Wiebel> why am I getting crap on the fifo.nl feed?
<Habbie> because you have the fifo.sh rss feed
<Wiebel> failblog, crap

And:

<rqsall> and www.fifo.sh didn’t help either :)
<rqsall> kittyhell.com wtf

Finally I needed to find a way to communicate the same message for irc.fifo.sh. After some experimenting it turned out that sending ascii-art movies works quite well for most irc-clients. So I took the starwars asciimation, added some custom frames, and presto:

<Fluor> snore, wtf man, with your fifo.sh :)
<Martin> that irc.fifo.sh is funny

BDFL – Snore

Ladvd for Cyclades ACS

March 15th, 2009

I recently bought a Cyclades ACS32 console server, and figured that because it runs Linux it should be able to run ladvd. This isn’t as easy as it seems because of the embedded PPC cpu used. I started by building a crosscompiler using crosstool, which succeeded after a few patches. Unfortunately the resulting binary didn’t work. It started ok, but couldn’t find any interfaces. After some headscratching it turned out that the glibc (2.3.2) used by Cyclades has an incomplete getifaddrs implementation (IPv4 only). The quick way to fix this is to use a C library which does; uClibc seemed like a good choice. So I created another toolchain, GCC and uClibc, using buildroot. The resulting binary again didn’t work… This time it was because ethtool support is either missing or broken on the Cyclades ACS, which results in ladvd not accepting the “eth0” interface. After a small fix all is well and ladvd 0.6.1 runs on my ACS32:

Chassis id: 0060.2e01.cdf1
Port id: eth0
Port Description - not advertised
System Name: zem
System Description:
Linux 2.6.22 #1 Tue Sep 30 11:12:38 PDT 2008 ppc

ladvd 0.6.1 released

September 22nd, 2008

I’ve just released ladvd 0.6.1, which was destined to fix bugs found in 0.6.0, but a fair number of new features and improvements have crept in as well.

  • Fix for interfaces without link-layer addresses (ppp0/pptp0)
  • Reset (router/wlan/bridge) capabilities after each run
  • Improved the linux virtual interface detection (the previous method only worked on 2.6.23+ kernels)
  • Add support for OpenBSD’s interface descriptions
  • Add support for TIA inventory management TLV set using dmi information available on OpenBSD and Linux
  • Use an ISC-licensed strlcpy for certain string operations
  • Add -m/-M switches to specify management addresses via the commandline
  • Add ioctl code to linux bonding/bridge detection which works on hosts without sysfs
  • Add minimal LLDP civic location support using the LOC type and the -C (country) switch
  • Add pcap headers to debug output to make it suitable for piping to tcpdump.

This release owes a lot to Paul de Weerd and Alexander Ottl, their tests and patches have helped to make this release as stable as possible.

Tarballs and Debian sources are available.