View man pages using Preview.app
December 31st, 2005
In this article I learned how to use the command line to browse formatted man pages with Preview.app: man -t renders the page as PostScript instead of plain text, and open -f hands its standard input to the application named with -a:
man -t whatever | open -f -a /Applications/Preview.app
QoS with OpenWRT
December 30th, 2005
I use the following script on my Linksys WRT54GS wireless router running OpenWRT White Russian RC4 to set up a QoS discipline that uses Hierarchical Token Bucket (HTB) and Stochastic Fair Queueing (SFQ) to classify outbound traffic into three categories:
- Interactive, high priority traffic: DNS and SSH.
- Interactive, normal priority traffic: HTTP and HTTPS.
- Low priority traffic: everything that does not fit any of the previous classes.
Each class also gets an SFQ leaf qdisc, so that the bandwidth of a class is shared evenly between the flows inside it.
To make the script run every time the router boots, save it as /etc/init.d/S41qos and make it executable (chmod +x). Two things to keep in mind: the three guaranteed rates (768k + 256k + 128k = 1152kbit) add up to more than the 1mbit of the parent class 1:1, so they cannot all be honoured at the same time when every class is busy, and the qdisc sits on the WAN interface (vlan1), so it shapes outbound traffic only; the filters match destination ports of outgoing requests, and downloads are not shaped by this script.
#!/bin/ash

# Executables
GREP=/bin/grep
INSMOD=/sbin/insmod
TC=/usr/sbin/tc

# WAN interface on the WRT54GS
DEV=vlan1

# Load kernel modules (2.4 kernel, hence the .o modules)
$GREP -q ^sch_htb /proc/modules || $INSMOD /lib/modules/`uname -r`/sch_htb.o
$GREP -q ^sch_sfq /proc/modules || $INSMOD /lib/modules/`uname -r`/sch_sfq.o
$GREP -q ^cls_u32 /proc/modules || $INSMOD /lib/modules/`uname -r`/cls_u32.o

# Remove any existing root qdisc so the script can be re-run safely
$TC qdisc del dev $DEV root 2>/dev/null

# Hierarchical Token Bucket (HTB); unclassified traffic goes to 1:30
$TC qdisc add dev $DEV root handle 1: htb default 30
$TC class add dev $DEV parent 1: classid 1:1 htb rate 1mbit burst 20k cburst 20k

# HTB classes: 1:10 interactive/high, 1:20 interactive/normal, 1:30 bulk
$TC class add dev $DEV parent 1:1 classid 1:10 htb \
    rate 768kbit ceil 1mbit burst 15k cburst 15k
$TC class add dev $DEV parent 1:1 classid 1:20 htb \
    rate 256kbit ceil 1mbit burst 20k cburst 20k
$TC class add dev $DEV parent 1:1 classid 1:30 htb \
    rate 128kbit ceil 512kbit burst 5k cburst 5k

# SFQ leaf qdiscs: fair sharing between flows within each class
$TC qdisc add dev $DEV parent 1:10 handle 10: sfq perturb 10
$TC qdisc add dev $DEV parent 1:20 handle 20: sfq perturb 10
$TC qdisc add dev $DEV parent 1:30 handle 30: sfq perturb 10

# Filters: DNS and SSH to 1:10, HTTP and HTTPS to 1:20
$TC filter add dev $DEV protocol ip parent 1:0 prio 1 \
    u32 match ip dport 53 0xffff flowid 1:10
$TC filter add dev $DEV protocol ip parent 1:0 prio 2 \
    u32 match ip dport 22 0xffff flowid 1:10
$TC filter add dev $DEV protocol ip parent 1:0 prio 10 \
    u32 match ip dport 80 0xffff flowid 1:20
$TC filter add dev $DEV protocol ip parent 1:0 prio 10 \
    u32 match ip dport 443 0xffff flowid 1:20
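As an added example that is not part of the original post, here is a health check for the tree the script builds. It parses the output of tc -s class show dev vlan1, prints the bytes sent and packets dropped for each class, and flags drops in the interactive class 1:10, which would mean DNS and SSH are being squeezed rather than the bulk default class 1:30. The sample dump it carries is constructed, not captured from a router, and the -n/-c switches and function names are mine.

```sh
#!/bin/sh
# Added example, not from the original post: health check for the HTB tree
# built by S41qos. Reads "tc -s class show dev vlan1" output and prints, per
# class, the bytes sent and packets dropped. Drops in 1:30 (bulk) are expected
# under load; drops in 1:10 (DNS/SSH) mean the interactive class is starved.

DEV=vlan1

# Print "classid sent_bytes dropped_pkts" for each HTB class in a
# "tc -s class show" dump read from stdin. The "(dropped N," wording is the
# same in old and new iproute2 releases, so it is matched token by token.
qos_class_stats() {
    awk '
        /^class htb/ { cls = $3 }
        /^ *Sent /   {
            sent[cls] = $2
            for (i = 1; i <= NF; i++)
                if ($i ~ /dropped$/) { d = $(i + 1); sub(/,/, "", d); drop[cls] = d }
        }
        END { for (c in sent) printf "%s %s %s\n", c, sent[c], drop[c] }
    ' | sort
}

# Succeed (exit 0) only when the interactive class 1:10 reports no drops.
qos_interactive_ok() {
    [ "$(qos_class_stats | awk '$1 == "1:10" { print $3 }')" = "0" ]
}

# Constructed sample of a "tc -s class show dev vlan1" dump (not captured
# from a real router), used by the -n dry run and for checking the parser.
SAMPLE='class htb 1:1 root rate 1000Kbit ceil 1000Kbit burst 20Kb cburst 20Kb
 Sent 912345 bytes 6789 pkts (dropped 0, overlimits 120)
class htb 1:10 parent 1:1 leaf 10: prio 0 rate 768Kbit ceil 1000Kbit burst 15Kb cburst 15Kb
 Sent 45678 bytes 512 pkts (dropped 0, overlimits 0)
class htb 1:20 parent 1:1 leaf 20: prio 0 rate 256Kbit ceil 1000Kbit burst 20Kb cburst 20Kb
 Sent 345678 bytes 2900 pkts (dropped 3, overlimits 80)
class htb 1:30 parent 1:1 leaf 30: prio 0 rate 128Kbit ceil 512Kbit burst 5Kb cburst 5Kb
 Sent 520989 bytes 3377 pkts (dropped 41, overlimits 40)'

case "${1:-}" in
    -n) printf '%s\n' "$SAMPLE" | qos_class_stats ;;
    -c) /usr/sbin/tc -s class show dev "$DEV" | qos_class_stats
        if /usr/sbin/tc -s class show dev "$DEV" | qos_interactive_ok; then
            echo "1:10 OK"
        else
            echo "1:10 is dropping packets: raise its rate or lower the others"
        fi ;;
esac
```

Run it with -n to see the parser on the built-in sample, or with -c on the router to read the live tree. A non-zero drop count in 1:10 while 1:30 is idle is the clearest sign that the guaranteed rates above are mis-sized for the uplink.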
No to censorship
December 29th, 2005
No to censorship.
No, at least, in a democratic country like Spain. No, at least, in a country where there already are ways of preventing the abuse of freedom of expression, laid down in the form of laws, because since time immemorial, and even during the Republic, the power to legislate on freedom of information and on the correctness of information has rested with the judges, not with a committee of "experts" hand-picked by whoever happens to be governing.
Create a Bluetooth Mac-to-Mac network
December 28th, 2005
Interesting article on how to link two Mac computers using Bluetooth.
Configuring syslog-ng to store logs into a MySQL database
December 21st, 2005
This short article describes how to configure syslog-ng to store logs in a MySQL backend. Having the logs in a database adds flexibility when analysing, searching and correlating them.
Installing MySQL
MySQL can be compiled from source and installed using the FreeBSD ports collection:
# cd /usr/ports/databases/mysql41-server/
# make install distclean
Configuring MySQL
Use the following commands to create the MySQL database directory and install a configuration file:
# mkdir /var/db/mysql
# cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf
Optionally, edit /var/db/mysql/my.cnf to adjust some parameters, such as:
- Disabling networking support, by uncommenting the skip-networking option. This prevents MySQL from listening on 3306/tcp; since MySQL is only used locally, the UNIX socket is enough, and one less listening port is exposed.
- Reducing memory usage, by adjusting innodb_buffer_pool_size and innodb_additional_mem_pool_size to values suited to the amount of RAM available to FreeBSD.
Next, add the following lines to /etc/rc.conf so that MySQL is launched during system startup:
# MySQL
mysql_enable="YES"
mysql_limits="YES"
mysql_dbdir="/var/db/mysql"
mysql_args=""
Starting MySQL
Use the following command to start MySQL:
# /usr/local/etc/rc.d/mysql-server.sh start
Creating the MySQL database
The logs will be stored in a table named logs in a database named syslog. Note the column widths: program is varchar(15) and host varchar(32), so longer values are truncated; widen them if your hosts or daemons have longer names.
To create the database and table, create a file named syslog.sql with the following SQL commands (seq is already indexed by the PRIMARY KEY, so no separate index on it is needed):
CREATE DATABASE syslog;
USE syslog;
CREATE TABLE logs (
  host      varchar(32) default NULL,
  facility  varchar(10) default NULL,
  priority  varchar(10) default NULL,
  level     varchar(10) default NULL,
  tag       varchar(10) default NULL,
  timestamp datetime    default NULL,
  program   varchar(15) default NULL,
  msg       text,
  seq       int(10) unsigned NOT NULL auto_increment,
  PRIMARY KEY (seq),
  KEY host (host),
  KEY program (program),
  KEY timestamp (timestamp),
  KEY priority (priority),
  KEY facility (facility)
);
Then, process those SQL commands with the MySQL client:
# mysql -u root -p < syslog.sql
Setting up the communication channel
For every log message it receives and processes, syslog-ng writes an INSERT statement into a UNIX named pipe (FIFO). A small reader process takes those statements from the pipe and feeds them to the MySQL client.
The pipe is therefore the communication channel between syslog-ng and MySQL. Whoever can write to it can run SQL as the reader's MySQL user, so it must stay writable by root only (the default mode from root's umask does this; mkfifo -m 600 makes it explicit). To create the pipe:
# mkfifo /tmp/mysql.pipe
We also create a startup script that keeps feeding the SQL statements arriving on the pipe to MySQL, saved as /usr/local/etc/rc.d/040.mysql-syslog.sh:
#!/bin/sh
# Feed the SQL statements that syslog-ng writes to the pipe into MySQL.
# The mysql client exits when it reads end-of-file (for instance when
# syslog-ng is restarted), so it is re-run for as long as the pipe exists.
# The stock install leaves root with an empty password, as used here; set
# one and use a dedicated user with only INSERT on syslog.logs instead.
(
    while [ -e /tmp/mysql.pipe ]
    do
        /usr/local/bin/mysql -u root --password= syslog < /tmp/mysql.pipe
    done
) &
This script is invoked at startup and keeps feeding the statements generated by the mysql syslog-ng destination into the MySQL database. However, it must be invoked after MySQL has been started. In FreeBSD the simplest way is to rename the MySQL startup script so that it sorts before it:
# mv /usr/local/etc/rc.d/mysql-server.sh \
     /usr/local/etc/rc.d/030.mysql-server.sh
Setting up syslog-ng
Modify /usr/local/etc/syslog-ng/syslog-ng.conf to add a new source called net, used to receive logs over the network:
source net { udp(); };
udp() with no arguments listens on 514/udp on every interface; bind it to the intended address with ip() and filter the port at the firewall, since anything that can reach it can write rows into the database.
Next, add a new destination for MySQL:
destination mysql {
    pipe("/tmp/mysql.pipe"
        template("INSERT INTO logs (host, facility, priority, level, tag, timestamp, program, msg) VALUES ( '$HOST', '$FACILITY', '$PRIORITY', '$LEVEL', '$TAG', '$YEAR-$MONTH-$DAY $HOUR:$MIN:$SEC', '$PROGRAM', '$MSG' );\n")
        template-escape(yes)
    );
};
template-escape(yes) is not optional here: it makes syslog-ng put a backslash before the characters ' " and \ in every expanded macro, so a message that contains a quote cannot terminate the '$MSG' literal and append SQL of its own to the statement.
Finally, configure syslog-ng so that all logging is sent to the MySQL destination. Since syslog-ng allows several destinations for the same source, locally generated log events can still be kept in text files alongside the MySQL database (src is the local source defined in the stock configuration file):
log { source(net); destination(mysql); };
log { source(src); destination(mysql); };
Then send the SIGHUP signal to syslog-ng to make it re-read its configuration file and reconfigure accordingly:
# pkill -HUP syslog-ng
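As an added example, not part of the original post nor of syslog-ng itself, the following reproduces with sed the escaping that template-escape(yes) applies (a backslash before ', " and \) and builds the same INSERT as the mysql destination above, with and without it, so the effect on a constructed hostile message can be seen. The function names, the fixed facility/priority/tag/timestamp values and the sample message are mine.

```sh
#!/bin/sh
# Added example, not from the original post or from syslog-ng: shows what
# template-escape(yes) does for the mysql destination. syslog-ng puts a
# backslash before ' " and \ in every expanded macro, so a message that
# contains a quote cannot close the '$MSG' literal and run SQL of its own.

# Escape ' " and \ with a backslash, as template-escape(yes) does.
# Backslashes go first so the ones added for the quotes are not doubled.
tmpl_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g" -e 's/"/\\"/g'
}

# Build the INSERT the mysql destination emits for one record.
# Arguments: host program msg. Facility, priority, level, tag and the
# timestamp are fixed constructed values to keep the example short.
build_insert() {
    host=$(tmpl_escape "$1")
    prog=$(tmpl_escape "$2")
    msg=$(tmpl_escape "$3")
    printf "INSERT INTO logs (host, facility, priority, level, tag, timestamp, program, msg) VALUES ( '%s', 'auth', 'notice', 'notice', '45', '2005-12-21 10:00:00', '%s', '%s' );\n" \
        "$host" "$prog" "$msg"
}

# The same statement without escaping: this is what reaches the pipe, and
# the mysql client reading it, if template-escape is left off.
build_insert_unescaped() {
    printf "INSERT INTO logs (host, facility, priority, level, tag, timestamp, program, msg) VALUES ( '%s', 'auth', 'notice', 'notice', '45', '2005-12-21 10:00:00', '%s', '%s' );\n" \
        "$1" "$2" "$3"
}

# Constructed hostile message: unescaped, the quote and parenthesis end the
# VALUES list early and the mysql client executes the rest as a second
# statement, with the privileges of the user the reader connects as.
HOSTILE="Failed password for invalid user x'); DROP TABLE logs; -- from 10.0.0.5"

if [ "${1:-}" = "-n" ]; then
    echo "without template-escape:"; build_insert_unescaped gw sshd "$HOSTILE"
    echo "with template-escape:";    build_insert gw sshd "$HOSTILE"
fi
```

Run it with -n to print both statements side by side. The escaped form keeps the whole message inside the '$MSG' literal; the unescaped one is exactly the kind of input that makes connecting the pipe reader as MySQL root a bad idea.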
Honesty
December 21st, 2005
"There is only one way to find out whether a man is honest: ask him. And if he answers 'yes', you know he is a crook."
Groucho Marx
Politics
December 21st, 2005
"Politics is the art of looking for trouble, finding it, making a false diagnosis and then applying the wrong remedies."
Groucho Marx
Television
December 21st, 2005
"Television has done wonders for my culture. As soon as somebody turns on the television, I go to the library and read a good book."
Groucho Marx
Defense seldom wins a war
December 19th, 2005
Richard Bejtlich writes in his blog:
When the attacker is allowed freedom of maneuver, the defender will lose. The side with initiative has the superior position, unless the defenses are so insurmountable that attack is more costly than defense. Let's return to the Famous Romans lecture for a moment. Prior to the rule of the emperor Hadrian, the Roman Empire had pursued an expansionist foreign policy. Rome had lost many battles to its neighbors, but those neighbors essentially remained on the defensive. They feared Rome would invade, conquer, and eliminate them (at worst).
When Hadrian became emperor in 117 AD, he changed Rome's foreign policy. He decided to consolidate the empire's borders. His most famous action was the building of Hadrian's Wall, separating England from Scotland. The wall was the ultimate statement of defense, as it sought to keep barbarians separated from Roman cities like London.
In some respects, this ultimate defensive maneuver was a success; London flourished. However, the building of the wall signalled weakness to Rome's enemies. Instead of being seen as a statement of strength, barbarians interpreted it as a sign the Romans would not seek to conquer them. Rome looked weak, not strong. Within a century Rome would come under increasing barbarian attack, and the remaining shell of the western "empire" was formally overthrown in 476 AD.
I think the value of this historical note is significant, and I agree with Richard that defense is rarely the strategy to follow in a battle. The enemy out there has the means and resources needed to make the war last almost forever, since there is no physical attrition, and the largest expenditure of technical, economic or financial resources usually falls in the initial phases of the attack: acquiring the technical means and drawing up a plan of attack.
Finally, he remarks:
In the final analysis, what makes you feel safer: a lack of criminals on your street, or iron bars on your windows?
I think there is nothing more to add.
Controlling the WRT54G/GS LEDs
December 11th, 2005
The Cisco/Linksys WRT54G/GS router has two LEDs just beneath the Cisco Systems logo: one white, the other amber. They can be turned on or off through GPIO pins on the mainboard. Note that the pins are active-low: clearing (disabling) a pin lights the LED, setting (enabling) it turns the LED off.
- GPIO #3 controls the amber LED beneath the Cisco Systems logo: disabling GPIO #3 turns the amber LED on; enabling it turns the LED off.
- GPIO #2 controls the white LED beneath the Cisco Systems logo: disabling GPIO #2 turns the white LED on; enabling it turns the LED off.
- GPIO #7 controls the DMZ LED: disabling GPIO #7 turns the DMZ LED on; enabling it turns the LED off.
These assignments are the ones on my unit; other hardware revisions may wire the LEDs to different pins, so check before relying on them. To control the GPIO pins with the OpenWRT firmware, download gpio.tar.gz and install the gpio binary into /usr/bin (the download is plain HTTP with no signature, so compare it against a copy you trust before putting it on the router):
# cd /tmp
# wget http://openwrt.org/downloads/gpio.tar.gz
# tar -zxf gpio.tar.gz
# mv gpio /usr/bin
# rm /tmp/gpio.*
Use "/usr/bin/gpio disable n" to clear GPIO #n, or "/usr/bin/gpio enable n" to set GPIO #n.
Additionally, I customized the /etc/init.d/S99done script so that the white LED under the Cisco Systems logo is turned on once the system has booted. The original script stays in the read-only image under /rom, so the replacement runs it first and then clears GPIO #2:
# rm /etc/init.d/S99done
# cat > /etc/init.d/S99done << EOF
> #!/bin/sh
> /rom/etc/init.d/S99done
> /usr/bin/gpio disable 2
> EOF
# chmod +x /etc/init.d/S99done