Mon, 28 Feb 2005
Transforming an old PC into a commercial-grade firewall/router/VPN appliance.
Yup, it's possible and I'm hashing out the details. Currently the commercial barrier is the lack of some really simple GUI elements for existing utilities like Packet Filter, dhcpd and the IPsec utilities.
While most home firewall/router builders use a web browser interface, the first specific problem with making that work is pfctl must be run as root to get or set any pf data. This means the web server must also be run as root, or better yet, its CGIs must be run as root, or even better the user that calls the CGI should be in the sudoers file and only allowed to execute those commands.
Whew, well where does this leave us? It means that if someone were to find a way to get a shell by exploiting the web server, dropping into it as the user the server is running as, they could modify the firewall if that user is allowed to execute the -f or -T flags of pfctl. Otherwise, they would only have read access, which is not as bad but still kind of shitty.
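To make the sudoers idea concrete, here is an added example (not code from the original post): a small wrapper that gives the web server's user read-only pf queries through sudo without ever granting pfctl itself, so -f and -T stay out of reach even if that account is compromised. The user name `www`, the paths `/sbin/pfctl` and `/usr/local/sbin/pf-query`, and the sudoers lines in the comments are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper that lets the
# web server's user run read-only pf queries via sudo without being granted
# pfctl itself, so the -f (load rules) and -T (table edits) flags are never
# reachable from that account.
#
# Weak sudoers entry (hypothetical; grants every pfctl flag, -f and -T included):
#   www  ALL=(root) NOPASSWD: /sbin/pfctl
#
# Still risky (hypothetical): a sudoers wildcard matches the rest of the whole
# command line, so an argument string that also carries -f or -T still matches:
#   www  ALL=(root) NOPASSWD: /sbin/pfctl -s *
#
# Safer (hypothetical): grant only this script, which fixes the argument list:
#   www  ALL=(root) NOPASSWD: /usr/local/sbin/pf-query

# PFCTL may be overridden (e.g. with a stub) on a machine without pf.
PFCTL="${PFCTL:-/sbin/pfctl}"

# pf_query VIEW
# Accepts exactly one argument from a fixed allow-list of read-only pfctl
# views and passes exactly "-s VIEW" to pfctl; anything else, including a
# string that smuggles in extra flags, is refused with status 2.
pf_query() {
    [ $# -eq 1 ] || { echo "pf-query: exactly one argument expected" >&2; return 2; }
    case "$1" in
        rules|nat|states|info|labels|all)
            "$PFCTL" -s "$1"
            ;;
        *)
            echo "pf-query: refused view '$1'" >&2
            return 2
            ;;
    esac
}

# Act as a command-line tool only when installed under that name; when the
# file is sourced for testing, only the function is defined.
if [ "${0##*/}" = "pf-query" ]; then
    pf_query "$@"
fi
```

The CGI then calls `sudo /usr/local/sbin/pf-query rules` and never touches pfctl directly. The allow-list in the `case` statement is the whole point: sudo only ever sees a fixed path with no wildcard, and the script, not the caller, decides which flags reach pfctl.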
A free utility called Metacortex uses Apache and PHP 4 to show us data from the system. This goes deeper than just PF data and into the entire process list and memory usage. This is accomplished by a series of shell scripts which are run as root via cron. The web browser just pulls the information in from the generated text file. I don't see this as a feature, as it's less accurate and accomplishes the same thing as using sudo. To set PF rules, it merely has an interface that lets you generate a rule set based on some GUI elements, which it then prints out to the screen if it's valid. You have to ssh or local console into the box to actually make the new rules take effect.
While the SonicWall series of products pretty suck on features, they make up for it with support and user interface. I'm looking for something which can take the place of the sonicwall interface, run on commodity hardware or via an appliance, and have an unlimited usage license.
posted at: 01:34 | path: /hacking
Fri, 25 Feb 2005
The state of real use of the Sharp Zaurus running Opie and a desktop computer with KDE 3.3 from Debian Testing.
It pretty sucks. Really, it's so hard each time I sit down and think "alright, this is the time I'm going to get the Zaurus to work" I just end up with a small headache from tracking so many back and forth email list conversations on the same subject. So for the record:
There is no simple and fast way to synchronize calendar and address book data between Opie 1.0 and KDE 3.3. Here is the closest thing I could find. Even that requires breaking the package manager and installing a .deb with some aggressive switches.
On the upside, I'm really liking the KDE PIM stuff. Their little summary view is rad and similar to Evolution's and Outlook's. The Zaurus is also very cool standing on its own. I updated to OpenZaurus 3.5.1. Getting network connectivity between the USB cradle and Debian wasn't hard at all.
posted at: 18:17 | path: /pda
Sat, 19 Feb 2005
Revolutionary Movements -- Part Two
I am not an island
February 1987: The MRTA occupies seven radio stations in Lima and reads a communique against the increasing militarization of the society.
Same website as the one above. Disturbingly so.
As I write this, I think this transcript of the Internet and its most popular search engine, Google, shows a pretty odd picture of what the phrase "revolutionary movement" means. But let's go down the list of Google's hits:
The third hit is an article by David Graeber, someone I was accompanied by as we were cordoned off by police and told to leave for nothing but walking in the streets during a protest in Washington DC, only 19 days after September 11th 2001. At my suggestion, he ordered pizza.
posted at: 03:02 | path: /war
Wed, 16 Feb 2005
I want to become part of the revolutionary movement!
But hell, I've spent the last four years looking to become part of the revolutionary movement. And y'know what? I did! I even got employed by the revolutionary movement, including a job offer from the Communist Party of the USA, but I didn't take that one, I took a different one, hah! But those revolutionaries were plagued by infighting and petty bickering. I want a revolutionary movement with flavor. One with loud music and theater and food and drink and good old-fashioned kicking things! Oh wait...that is a revolutionary movement...but it's the underground one. The one that's not taken seriously by the real revolutionary movement. Y'know, the ones whose gatekeepers are in their 50s and 60s? The ones who tell us they were the real participants and we are just the spectators of their legacy? Yeah, well let me tell you a secret. That movement is lame. It's stuck in its own quagmire. The few who were part of it are either fighting to keep their original audience or buried in law and ivory towers. If we don't continue to build our own, we'll just fester in the culture of yesterday.
posted at: 02:00 | path: /power
Wed, 09 Feb 2005
Converting xmms playlists to iRiver iHP series format
The iRiver is great but the playlist functions pretty suck.
Here is a Perl script that converts the playlists you save from XMMS to a format the iHP can read. It takes two arguments: the first is the playlist file and the second is the mount point where you mount the iHP on your desktop filesystem. It requires the program called todos, which is available in Debian under the name sysutils. This program is short, poorly documented and probably won't work unless you tweak it for your system. YMMV.
posted at: 00:11 | path: /music
Thu, 03 Feb 2005
Authenticating Samba as a trusted host to Active Directory
Holy crap that title is long. M$ jargon makes me want to die...but hey, I figured it out! Here's the smb.conf and a small shell script to add the necessary UNIX user info and announce your host to the directory.
posted at: 15:49 | path: /hacking
Tue, 01 Feb 2005
The most intense thing
I think the most intense thing ever is acting out the entire production of Dogville whilst listening to Motherfucker (Redeemer) - Part 1 by Godspeed You Black Emperor.
posted at: 12:18 | path: /theory