Category Archives: Nerd stuff

PF cheatsheet

Cheatsheet for the PF firewall (*BSD, macOS/iOS, Solaris, QNX/BlackBerry).

Show rules:

# pfctl -sr

The same, but more verbose:

# pfctl -vsr

Show anchors:

# pfctl -sA

Show anchors recursively:

# pfctl -vsA

Show rules recursively (including anchors):

# pfctl -a '*' -sr

Show anchors within the f2b anchor:

# pfctl -a 'f2b' -sA

Show rules for f2b/sshd anchor:

# pfctl -a 'f2b/sshd' -sr

Show rules recursively within the f2b anchor:

# pfctl -a 'f2b/*' -sr

Show tables:

# pfctl -sT

The same, but more verbose:

# pfctl -vsT

Show tables for the f2b/sshd anchor (the full anchor path is needed; pfctl -a 'sshd' would look for a top-level anchor called sshd):

# pfctl -a 'f2b/sshd' -sT

Recursively listing tables is not possible.

Show the contents of table <trusted>:

# pfctl -t 'trusted' -Ts

Show the contents of table <f2b-sshd> in the anchor f2b/sshd:

# pfctl -a 'f2b/sshd' -t 'f2b-sshd' -Ts

The same, but more verbose:

# pfctl -a 'f2b/sshd' -t 'f2b-sshd' -vTs

Add an IP address or IP range to table <trusted>:

# pfctl -t 'trusted' -Ta 203.0.113.12
# pfctl -t 'trusted' -Ta 203.0.113.0/24

Delete an IP address or IP range from table <trusted>:

# pfctl -t 'trusted' -Td 203.0.113.12
# pfctl -t 'trusted' -Td 203.0.113.0/24

Empty (flush) table <blocked>:

# pfctl -t 'blocked' -Tf

Logging must be enabled explicitly in pf.conf on a per-rule basis, with the log keyword on the rules whose matches you want to see; see the PF User's Guide for more info.

Display log in real time:

# tcpdump -tttt -n -e -i pflog0

End output with ^C.

List all log entries for outbound traffic to port 80:

# tcpdump -tttt -n -e -r /var/log/pflog outbound and port 80

The same, but more verbose:

# tcpdump -v -tttt -n -e -r /var/log/pflog outbound and port 80

Get even more verbosity with -vv or -vvv.

Search the log file for a certain IP address:

# tcpdump -tttt -n -e -r /var/log/pflog host 203.0.113.12

The same, but with a compressed log file:

# bunzip2 -c /var/log/pflog.0.bz2 | tcpdump -tttt -n -e -r - host 203.0.113.12

List inbound traffic, except traffic to the Tor relay's OR port (9001) and directory port (9030):

# tcpdump -tttt -n -e -r /var/log/pflog inbound and not port 9001 and not port 9030

Since the output of tcpdump is plaintext, it can be further processed by tools like grep, sed, awk, etc.

Find all outgoing traffic that was not initiated by the users with UIDs 53, 123 and 256:

# tcpdump -tttt -n -e -r /var/log/pflog outbound | grep -Ev '\[uid (53|123|256)\]'

Logging of UIDs must be enabled explicitly in pf.conf, e.g.:

pass out log (user) all keep state
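The same kind of post-processing in Python, as an added example that is not part of the original cheatsheet: the lines are parsed into fields once, after which the two questions above (who is hammering which port, and which outbound packets were not initiated by a trusted UID) become simple filters instead of regexes over free text. The sample log lines are constructed here in the layout the grep above expects (tcpdump -tttt -n -e, with the [uid N] tag that log (user) adds); the regex is kept tolerant because the OpenBSD and libpcap tcpdump differ slightly in how they print the rule number. Function names and the documentation-range addresses are mine.

```python
import re
from collections import Counter

# Constructed sample, not real traffic: the shape of `tcpdump -tttt -n -e -r /var/log/pflog`
# output on a host that logs outbound traffic with `log (user)`.
SAMPLE_LOG = """\
2021-03-04 12:34:56.789012 rule 7/(match) block in on em0: 203.0.113.12.34567 > 198.51.100.1.22: Flags [S], seq 1, win 65535, length 0
2021-03-04 12:35:01.000001 rule 7/(match) block in on em0: 203.0.113.12.34568 > 198.51.100.1.22: Flags [S], seq 1, win 65535, length 0
2021-03-04 12:35:03.500000 rule 7/(match) block in on em0: 203.0.113.77.40001 > 198.51.100.1.443: Flags [S], seq 1, win 65535, length 0
2021-03-04 12:36:00.000000 rule 3/(match) pass out on em0: [uid 53] 198.51.100.1.50000 > 192.0.2.10.53: UDP, length 40
2021-03-04 12:36:05.000000 rule 3/(match) pass out on em0: [uid 1001] 198.51.100.1.50001 > 192.0.2.20.443: Flags [S], seq 1, win 65535, length 0
2021-03-04 12:36:07.000000 rule 3/(match) pass out on em0: 198.51.100.1.50002 > 192.0.2.30.25: Flags [S], seq 1, win 65535, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) rule (?P<rule>\d+)\S* "            # timestamp, rule number ("7/(match)" or "7/0(match):")
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?:\[uid (?P<uid>\d+)(?:, pid \d+)?\] )?"            # only present on rules logged with `log (user)`
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return a dict of fields for one IPv4 pflog line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["uid"] = int(rec["uid"]) if rec["uid"] is not None else None
    return rec


def parse_pflog(text):
    return [r for r in (parse_pflog_line(l) for l in text.splitlines()) if r]


def blocked_inbound(records):
    """Blocked inbound attempts per (source address, destination port): the scanners."""
    return Counter((r["src"], r["dport"]) for r in records
                   if r["action"] == "block" and r["dir"] == "in")


def outbound_not_owned_by(records, uids):
    """Outbound packets not initiated by any of the given UIDs (what `grep -Ev '\\[uid ...\\]'` does above).
    Packets without a uid tag are kept: they cannot be attributed to a trusted user."""
    allowed = set(uids)
    return [r for r in records if r["dir"] == "out" and r["uid"] not in allowed]


if __name__ == "__main__":
    records = parse_pflog(SAMPLE_LOG)
    for (src, dport), n in blocked_inbound(records).most_common():
        print("%-16s port %-5d %d blocked" % (src, dport, n))
    for r in outbound_not_owned_by(records, [53, 123, 256]):
        print("%s uid=%s -> %s:%d" % (r["ts"], r["uid"], r["dst"], r["dport"]))
```

Feed it real data with tcpdump -tttt -n -e -r /var/log/pflog | python3 script.py (reading sys.stdin instead of SAMPLE_LOG); IPv6 lines are skipped by this regex, so extend it before trusting the totals on a dual-stack host.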

Note:

When using fail2ban, the f2b anchors should NOT be specified like this in pf.conf:

anchor "f2b/*"

Instead, all anchors should be specified explicitly, otherwise recursive listing won’t work:

anchor f2b {
    anchor apache-auth
    anchor dovecot
    anchor postfix
    anchor sshd
}

Reprocess mbox file

Say you’ve found an mbox file somewhere, and you’d like Postfix to reprocess the messages it contains, to have them imported into your regular mailbox.

Then you may want to copy this script:

#!/usr/bin/env python3

# Script to reprocess an mbox file.

################################################################################
#
# Copyright (c) 2021 Rob LA LAU <https://www.ohreally.nl/>
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#
# 1. Redistributions of source code must retain the above copyright notice,
# this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright notice,
# this list of conditions and the following disclaimer in the documentation
# and/or other materials provided with the distribution.
#
# 3. Neither the name of the copyright holder nor the names of its contributors
# may be used to endorse or promote products derived from this software
# without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
# OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
################################################################################

import mailbox, os, subprocess, sys

if len(sys.argv) < 3:
	print('Usage:')
	print('  %s recipient@example.com /path/to/mbox/file' % sys.argv[0])
	sys.exit(1)

recipient = sys.argv[1]
mbox = sys.argv[2]
if recipient.startswith('-'):
	# Would otherwise be parsed by sendmail as an option instead of an address.
	print('invalid recipient address')
	sys.exit(1)
if not os.access(mbox, os.R_OK):
	print('mbox file is not accessible')
	sys.exit(1)

failed = 0
for number, message in enumerate(mailbox.mbox(mbox), 1):
	# -i keeps sendmail from treating a line with a single dot as end of input.
	# Hand over the raw bytes: as_bytes() copes with 8-bit headers and bodies
	# that would make as_string() raise on some messages.
	proc = subprocess.Popen(['sendmail', '-i', recipient], stdin = subprocess.PIPE)
	proc.communicate(message.as_bytes())
	if proc.returncode != 0:
		failed += 1
		print('message %d: sendmail exited with status %d' % (number, proc.returncode), file = sys.stderr)

sys.exit(1 if failed else 0)

Save that script as ~/bin/resend_mbox.py, make it executable, and execute it as follows:

# ~/bin/resend_mbox.py george@example.com /var/mail/root

Obviously, you replace george@example.com with your own email address (don’t spam poor George, please), and /var/mail/root with the path to your mbox file.

JWPlayer errors

Error Code 224002: This video file cannot be played
Error Code 224003: This video file cannot be played
Error Code 232011: This video file cannot be played

A few of the more common web video player errors, but they tell you nothing.

If you search the internet for these errors, all you find are generic bullshit ‘solutions’: clear cache, disable all extensions, disable hardware acceleration, etc. So, here’s the actual list of JWPlayer error codes: Player errors reference. Get you some real answers.

By the way, the meaning of the above errors:

  • Failed to decode the associated resource (224002),
  • Failed to play the associated resource because it is not supported by this browser (224003), and
  • A manifest request was made without proper crossdomain credentials (232011)

(The manifest is a file that contains the URLs for the various segments that make up the entire video.)

Counting annotations in a PDF

Suppose that you wrote a book, and your publisher sent you a PDF of the final proof to review and correct, before the book is printed. Then you may want to know how many notes you’ve added to the document when you’re done.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot /Rect \[[0-9\. ]+\] /Subtype /Text' | wc -l

It's that simple… as long as the annotation dictionaries are stored uncompressed, each at the start of a line and with the keys in exactly this order, which is what these one-liners assume. PDF does not prescribe the order of keys in a dictionary, and since PDF 1.5 objects may be packed into compressed object streams, so a file written by another tool can give you a count of zero. Check the count against one note you know is there before trusting it; if it comes out as zero, qpdf --qdf --object-streams=disable in.pdf out.pdf rewrites the file in a form grep can read.

And if you’d like to know how many terms you highlighted, all you have to do is replace /Text with /Highlight.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot /Rect \[[0-9\. ]+\] /Subtype /Highlight' | wc -l

Inline notes are of subtype /FreeText.

And to count all your annotations, regardless of type, just delete the subtype altogether.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | grep -E '^<</Type /Annot' | wc -l

Open your PDF in less to see what other interesting things you could do with grep; pipe the file through tr to get rid of the control characters.

$ env LC_CTYPE=C tr -d '\000-\011\013\014\016-\037' < FILENAME.pdf | less
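A count that does not depend on key order or compression, in Python, as an added example that is not part of the original post: it cuts the stream bodies out of the file, inflates every FlateDecode stream it finds (so objects hidden in compressed object streams become visible), splits the result into outermost << … >> dictionaries and tallies those with /Type /Annot by their /Subtype. The sample PDF is constructed inline as a stand-in for a proof (it is not a complete, viewer-openable file); the function names are mine.

```python
import re
import zlib
from collections import Counter

# `\b` keeps "stream\n" from matching inside "endstream\n".
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)endstream", re.DOTALL)
DICT_TOKEN_RE = re.compile(rb"<<|>>")
ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/([A-Za-z0-9]+)")


def inflate(data):
    """Inflate a FlateDecode stream body; decompressobj tolerates the EOL bytes before 'endstream'."""
    try:
        return zlib.decompressobj().decompress(data)
    except zlib.error:
        return b""  # not Flate (an image, say) or corrupt: nothing to search in


def searchable_text(pdf):
    """The PDF with stream bodies cut out, followed by every stream that inflates.
    Objects packed into /Type /ObjStm streams become visible this way."""
    parts = [STREAM_RE.sub(b"stream endstream", pdf)]
    parts.extend(inflate(m.group(1)) for m in STREAM_RE.finditer(pdf))
    return b"\n".join(parts)


def top_level_dicts(text):
    """Split out every outermost << ... >> dictionary by tracking nesting depth.
    (Ignores '<<' inside literal strings; good enough for counting annotations.)"""
    dicts, depth, start = [], 0, 0
    for m in DICT_TOKEN_RE.finditer(text):
        if m.group() == b"<<":
            if depth == 0:
                start = m.start()
            depth += 1
        elif depth > 0:
            depth -= 1
            if depth == 0:
                dicts.append(text[start:m.end()])
    return dicts


def count_annotations(pdf):
    """Counter of annotation /Subtype values found anywhere in the file, whatever the key order."""
    counts = Counter()
    for d in top_level_dicts(searchable_text(pdf)):
        if ANNOT_RE.search(d):
            st = SUBTYPE_RE.search(d)
            counts[st.group(1).decode() if st else "?"] += 1
    return counts


def build_sample_pdf():
    """Constructed sample: one uncompressed /Text note, plus a /Highlight and a /FreeText
    packed into a FlateDecode object stream, where grep on the raw file cannot see them.
    Object offsets are not accurate; this is not a viewer-openable PDF."""
    objstm = zlib.compress(
        b"2 0 3 64 "
        b"<< /Subtype /Highlight /Rect [0 0 1 1] /Type /Annot /QuadPoints [0 0 1 0 0 1 1 1] >> "
        b"<< /Type /Annot /Subtype /FreeText /Rect [5 5 9 9] /DA (/Helv 10 Tf) >>"
    )
    content = zlib.compress(b"/Span << /MCID 0 >> BDC BT /F1 12 Tf (hello) Tj ET EMC")
    header = b"%PDF-1.5\n"
    annot = (b"1 0 obj\n<< /Type /Annot /Rect [72.5 700 200 720] /Subtype /Text "
             b"/Contents (fix typo) /AP << /N 6 0 R >> >>\nendobj\n")
    objstm_obj = (b"4 0 obj\n<< /Type /ObjStm /N 2 /First 9 /Length " + str(len(objstm)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + objstm + b"\nendstream\nendobj\n")
    page = b"5 0 obj\n<< /Type /Page /Annots [1 0 R 2 0 R 3 0 R] /Contents 7 0 R >>\nendobj\n"
    content_obj = (b"7 0 obj\n<< /Length " + str(len(content)).encode()
                   + b" /Filter /FlateDecode >>\nstream\n" + content + b"\nendstream\nendobj\n")
    return header + annot + objstm_obj + page + content_obj + b"%%EOF\n"


if __name__ == "__main__":
    import sys
    pdf = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    counts = count_annotations(pdf)
    for subtype, n in sorted(counts.items()):
        print("%-10s %d" % (subtype, n))
    print("%-10s %d" % ("total", sum(counts.values())))
```

On the constructed sample the raw-file one-liners above see at most the single /Text note; the script finds all three. Run it on a real proof as python3 count_annots.py FILENAME.pdf; annotations inside encrypted PDFs are still out of reach, since their strings and streams are ciphertext.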

FreeBSD jails: a complete example

FreeBSD jails are a great way to separate and compartmentalize processes, which enhances the security of your system. A jail is an enhanced chroot: it prevents an attacker who manages to compromise a service from gaining access to the rest of the system.

This post documents the setup of 2 jails that serve data to the outside world, and communicate between each other (through a Unix Domain Socket, not a TCP socket).


FreeBSD: which ports/packages did I update today?

A FreeBSD oneliner this time.
This won’t work on Linux!

Tools like portmaster and portupgrade allow you to update all installed ports/packages in a single run, which is great.
But these tools do not list the ports and packages that have been upgraded, leaving you to guess which daemons and services must be restarted…

Luckily, all installed packages are registered in an SQLite database, together with a timestamp for their last upgrade (or installation). Add the following alias to your ~/.bashrc:

alias puptd='sqlite3 /var/db/pkg/local.sqlite "select origin from packages where time > $(date -v-2d +%s) order by origin" | less'

Clearly, if you don’t use the Bash shell, you should figure out how to add aliases in your shell. The alias will be active after you re-login; invoke it like any other command.

$ puptd

This alias will list all ports/packages that were updated (or installed) in the last 2 days (an update of all ports can run for quite some time). Obviously you should feel free to change the -v-2d to any other period (-v-3h for the last 3 hours, -v-1w for the last week, …). You can then check the list to see if any services must be restarted, configurations must be verified, etc.

If you're going to play around with that database to see what other info you can extract from it, you should probably work on a copy, or at least open it with sqlite3 -readonly, to make sure you don't accidentally write to the original; you don't want to mess up your package database.

P.s.: the name for the alias comes from ‘Ports UPdated ToDay’; change it to anything you like.

Multigrep

I am an author. And even though the actual books are well-organized, the writing process isn’t always. For a single book I have many mega-bytes of PDFs, ODTs and text files full of notes, drafts, documentation, etc.
So I needed a simple tool to find that one note I once wrote, in that huge pile of data.
Now, if those files were all text-based, I could use grep. But they aren’t. So I wrote a wrapper around grep, that allows me to also search PDFs and OpenDocument files.


Installation et configuration d’un serveur internet

And here is my new book!

This book guides the reader through the installation and configuration of an internet server.

It is aimed at system administrators, beginners and more experienced alike, who want to start from a server with only the operating system installed and end up with a working company internet server, ready to go into production.

To get the most out of it, a minimum of knowledge of Unix/Linux, of how the command-line interface works and of configuration through text files is recommended. Familiarity with basic commands such as cd, ls, cat, less, tar and gzip is also a plus.

After a chapter on the basics of a Unix/Linux system, the author quickly takes the reader to the heart of the system administrator's job with the configuration of a server, illustrated on several operating systems such as FreeBSD, Debian and CentOS.

With configuration examples and commands, the author explains step by step the installation and configuration of a firewall, a DNS server, a web server (Apache or Nginx) and a mail server.

He also covers SSL/TLS encryption of connections (web and e-mail), as well as managing users who do not need shell access in an LDAP directory. The book also offers pointers for troubleshooting, for daily maintenance and backups, and for letting the system administrator grow the server further.

Supplementary material can be downloaded from the publisher's website and from the author's website.

→ More information at www.librobert.net, or order it directly from the online shop of my publisher, Éditions ENI.

This book is also available in Dutch.
The English version will be released in early 2021.