Category Archives: Sys Admin

How to configure IPFW on Snow Leopard

Snow Leopard’s default, GUI-based firewall (the Application Firewall) is convenient but not very configurable: you can block or allow individual applications, but you can’t filter by port or host, can’t NAT, and so on.

Fortunately, OS X 10.6 and earlier also ship IPFW (IPFIREWALL), the packet filter FreeBSD used for many years. It is managed through a text file and the command line. If you want a GUI for ipfw management, try WaterRoof (get it?). Here is how to make ipfw load your rules at boot on Snow Leopard or earlier with just the tools Steve gave you.

Create the file /etc/ipfw.conf. This is where your filtering rules go, one rule per line, written exactly as you would type it after the word ipfw on the command line (so each line starts with add followed by a rule number). By default ipfw has a single rule, number 65535, which allows all traffic; ipfw list shows it as 65535 allow ip from any to any. If you are configuring ipfw, you obviously want something stricter than that. The rule syntax is documented in the ipfw(8) man page and the firewalls chapter of the FreeBSD Handbook.

Once you have created and saved your configuration, you need to tell the OS to load it at boot. On a Mac this is done with a launch daemon: a property list (plist) in XML that launchd reads at startup.

Create the file /Library/LaunchDaemons/com.ipfw.plist and put the following in it:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>ipfw</string>
    <key>Program</key>
    <string>/sbin/ipfw</string>
    <key>ProgramArguments</key>
    <array>
        <string>/sbin/ipfw</string>
        <string>/etc/ipfw.conf</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>

This tells launchd to run /sbin/ipfw once at boot (RunAtLoad) with /etc/ipfw.conf as its argument, which loads every rule in the file. The Program key is redundant when ProgramArguments is present, but harmless.

launchd refuses to load a daemon plist that is not owned by root or that is writable by its group or by others, so fix the ownership (Apple’s own daemons use root:wheel; root:admin also passes the check) and make sure the mode is 644:

sudo chown root:wheel /Library/LaunchDaemons/com.ipfw.plist

Without this the OS will not run the daemon, and the only hint is a “bad ownership/permissions” line in the system log.

And finally, load your rules right now instead of waiting for the next reboot:

sudo /sbin/ipfw /etc/ipfw.conf

You can list the active rules at any time with sudo ipfw list, and remove all of them (leaving only the default allow rule) with sudo ipfw flush. Be aware that running the file a second time without flushing first adds a second copy of every rule, because ipfw allows several rules to share a number.
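A complete rule file and the reload step, as an added example that is not code from the original post: the ruleset is a stateful default-deny policy that permits loopback, replies to the machine’s own connections, SSH from an admin network and the ICMP types path-MTU discovery and traceroute need. The admin network 192.168.1.0/24 and the rule numbers are placeholders, and the helper names (write_ipfw_conf, check_ipfw_conf, reload_ipfw) are mine. It is POSIX sh; point IPFW_CONF at a scratch file to try the writer and checker on a machine without ipfw.

```shell
#!/bin/sh
# Added example, not from the original post: write a stateful, default-deny
# /etc/ipfw.conf for Snow Leopard, sanity-check it, and (re)load it without
# duplicating rules. Assumptions (not from the post): the admin network
# 192.168.1.0/24 and the rule numbers are placeholders.

IPFW_CONF="${IPFW_CONF:-/etc/ipfw.conf}"   # override to test on a scratch file

# Each line of a rule file is an ipfw command without the leading "ipfw",
# so rules start with "add". "65535 allow ip from any to any" is how
# `ipfw list` prints the built-in default, not the syntax you write.
write_ipfw_conf() {
    admin_net="${1:-192.168.1.0/24}"
    cat > "$IPFW_CONF" <<EOF
# loopback traffic is fine; 127/8 seen on a real interface is spoofed
add 00100 allow ip from any to any via lo0
add 00110 deny ip from any to 127.0.0.0/8
add 00120 deny ip from 127.0.0.0/8 to any
# stateful: match dynamic rules first, create them for our own outbound traffic
add 00200 check-state
add 00210 allow ip from me to any out keep-state
# inbound services: SSH, but only from the admin network
add 00300 allow tcp from ${admin_net} to me dst-port 22 in setup keep-state
# ICMP types needed for ping, traceroute and path-MTU discovery
add 00400 allow icmp from any to any icmptypes 0,3,8,11
# everything else inbound is logged (needs sysctl net.inet.ip.fw.verbose=1) and dropped
add 65000 deny log ip from any to any in
EOF
}

# Number of rules in the file (handy for a quick "did it all load" compare).
rule_count() { grep -cE '^add ' "$IPFW_CONF"; }

# ipfw loads a file line by line and stops at the first syntax error, so a
# typo silently leaves every rule after it unloaded. Only "add <number> ..."
# lines, comments and blank lines are accepted here.
check_ipfw_conf() {
    bad=$(grep -vnE '^(#|[[:space:]]*$|add [0-9]+ )' "$IPFW_CONF" || true)
    [ -z "$bad" ] && return 0
    printf 'bad rule line(s) in %s:\n%s\n' "$IPFW_CONF" "$bad" >&2
    return 1
}

# Reloading without a flush appends a second copy of every rule, since ipfw
# allows several rules with the same number; -f skips the flush confirmation.
reload_ipfw() {
    command -v ipfw >/dev/null 2>&1 || { echo "no ipfw on this host" >&2; return 2; }
    check_ipfw_conf || return 1
    sudo ipfw -q -f flush && sudo ipfw -q "$IPFW_CONF" && sudo ipfw list
}
```

Usage on the Mac itself: write_ipfw_conf, then reload_ipfw, or sudo launchctl load /Library/LaunchDaemons/com.ipfw.plist to load the file the same way boot does. If the deny rule should actually log, enable sudo sysctl -w net.inet.ip.fw.verbose=1 first.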


Set up DNS on macOS from the command line

If you manage Mac users remotely over ssh, the networksetup command is a great tool.

The full manual is here: https://developer.apple.com/library/mac/#documentation/Darwin/Reference/ManPages/man8/networksetup.8.html

Here’s how to set a DNS server. Note that networksetup addresses interfaces by their network service name (Ethernet, AirPort), not by the BSD device name (en0, en1) that ifconfig shows.
1. Find the network service name:

networksetup -listnetworkserviceorder

2. Your output will look similar to this:

(1) Bluetooth DUN
(Hardware Port: Bluetooth DUN, Device: Bluetooth-Modem)

(2) Ethernet
(Hardware Port: Ethernet, Device: en0)

(3) AirPort
(Hardware Port: AirPort, Device: en1)

3. Choose the service you want to apply the DNS settings to and run this command (in this example we’re applying it to the AirPort service). Replace the Google DNS addresses with your preferred ones:

networksetup -setdnsservers AirPort 8.8.8.8 8.8.4.4

4. Verify your changes using:

scutil --dns
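The lookup step and the setting step combined, as an added example that is not part of the original post: a helper maps the device name you see in ifconfig or scutil output (en1) to the service name networksetup wants (AirPort) by parsing -listnetworkserviceorder, and a second helper sets the servers and reads them back. The sample listing is constructed from the output shown above so the parser can be exercised off a Mac; service_for_device and set_dns are my names.

```shell
#!/bin/sh
# Added example, not from the original post: resolve a BSD device name
# (en0, en1) to the network service name networksetup actually wants, then
# set and read back the DNS servers for it.

# networksetup -setdnsservers takes the *service* name ("AirPort"), not the
# device ("en1"). This maps one to the other from the output of
# `networksetup -listnetworkserviceorder` read on stdin. Disabled services
# are listed as "(*) Name" and are matched too.
service_for_device() {
    awk -v dev="$1" '
        /^\([0-9*]+\) / { name = $0; sub(/^\([0-9*]+\) /, "", name); next }
        /^\(Hardware Port: / && index($0, "Device: " dev ")") { print name; exit }
    '
}

# set_dns DEVICE SERVER... : set DNS servers for the service behind DEVICE
# and read them back. The word "empty" in place of addresses clears the
# manual list so DHCP-supplied servers apply again. Needs admin rights.
set_dns() {
    dev="$1"; shift
    [ "$#" -gt 0 ] || { echo "usage: set_dns DEVICE SERVER... | empty" >&2; return 2; }
    svc=$(networksetup -listnetworkserviceorder | service_for_device "$dev")
    [ -n "$svc" ] || { echo "no network service uses device $dev" >&2; return 1; }
    networksetup -setdnsservers "$svc" "$@" && networksetup -getdnsservers "$svc"
}

# Constructed sample of -listnetworkserviceorder output (copied from the
# post's example above) so the parser can be tried anywhere.
SAMPLE_ORDER='(1) Bluetooth DUN
(Hardware Port: Bluetooth DUN, Device: Bluetooth-Modem)

(2) Ethernet
(Hardware Port: Ethernet, Device: en0)

(3) AirPort
(Hardware Port: AirPort, Device: en1)'

# On a real Mac:  set_dns en1 8.8.8.8 8.8.4.4
printf '%s\n' "$SAMPLE_ORDER" | service_for_device en1   # prints: AirPort
```

Over ssh run the setting step as sudo set_dns en1 8.8.8.8 8.8.4.4 (the -set* subcommands of networksetup require an administrator), and sudo set_dns en1 empty to go back to the DHCP-supplied servers. networksetup -getdnsservers AirPort checks just that service, where scutil --dns shows the resolver configuration the system actually ended up with.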

Join multiple lines together using tr

tr '\n' ','

This replaces every newline with a comma, so the output ends with a trailing comma where the final newline was.

APG (automated password generator) runs slow on CentOS

I use apg to generate random passwords all the time. On a new VPN server I had just built, apg was taking a long time to generate a password; I traced it back to “not enough entropy”. apg seeds itself from /dev/random, which blocks while the kernel’s entropy estimate is low, and a freshly built server with no hardware RNG and little disk or keyboard activity has very little to draw on.

You can see how much entropy you have with this command:

cat /proc/sys/kernel/random/entropy_avail

It should be at least in the hundreds (the pool tops out at 4096 bits). If it isn’t, rng-tools can keep it topped up. Note that rngd daemonizes by default; the -f (foreground) flag from the original one-liner would block rc.local, so it is dropped here:

sudo yum install rng-tools
sudo sh -c 'echo "rngd -r /dev/urandom -o /dev/random -t 3" >> /etc/rc.local'
sudo rngd -r /dev/urandom -o /dev/random -t 3

That should generate enough entropy and you can go back to doing some real work :)

One caveat before you copy that line: with -r /dev/urandom, rngd feeds the kernel’s own non-blocking output back into /dev/random and credits it as fresh entropy. apg stops blocking, but no new randomness has entered the system; the estimate is now fiction. If the machine has a hardware RNG, or is a VM with virtio-rng attached, point rngd at /dev/hwrng instead (that is its default source, so no -r is needed at all). On kernels from 5.6 onward /dev/random no longer blocks once the pool is seeded, so this only bites older distributions such as CentOS 6 and 7.
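An added example, not from the original post, that turns the entropy check above into a script and chooses rngd’s input the safe way: it reports whether the pool is above a threshold, and only builds an rngd command line when a real hardware source exists. The 200-bit threshold, the function names and the ENTROPY_FILE override (so the check can be exercised with a constructed value) are mine.

```shell
#!/bin/sh
# Added example, not from the original post: check the kernel entropy
# estimate, and pick a genuine entropy source for rngd instead of feeding
# /dev/urandom back into /dev/random. The 200-bit threshold is a rule of
# thumb, not a kernel constant.

ENTROPY_FILE="${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}"
ENTROPY_MIN="${ENTROPY_MIN:-200}"

# Kernel estimate of pool entropy in bits (up to 4096 on pre-5.18 kernels).
entropy_avail() { cat "$ENTROPY_FILE"; }

# 0 when the pool is comfortably above the blocking threshold. apg seeds
# from /dev/random, which blocks whenever this estimate runs low;
# /dev/urandom never blocks.
entropy_ok() { [ "$(entropy_avail)" -ge "$ENTROPY_MIN" ]; }

# rng_source [DEVICE]: print the device if it is a character device
# (/dev/hwrng is where a hardware RNG or a VM's virtio-rng shows up),
# otherwise print "none" and fail. Only such a source adds entropy the
# kernel does not already have; "-r /dev/urandom" merely recycles its own
# output and inflates the estimate.
rng_source() {
    src="${1:-/dev/hwrng}"
    if [ -c "$src" ]; then
        echo "$src"
    else
        echo "none"
        return 1
    fi
}

# rngd_command [DEVICE]: the rngd invocation to put in rc.local. -b runs it
# as a daemon; -f (foreground) would block the boot script.
rngd_command() {
    src=$(rng_source "$1") || {
        echo "no hardware RNG: on a VM attach virtio-rng, otherwise consider haveged" >&2
        return 1
    }
    echo "rngd -b -r $src -o /dev/random"
}

# On a real host:
if entropy_ok; then echo "entropy ok: $(entropy_avail) bits"; else echo "entropy low: $(entropy_avail) bits"; fi
rngd_command 2>/dev/null || true
```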

OCSinventory install on FreeBSD – Apache-DBI error

Some ports depend on Apache 1.3 and die with this error:

Error from bsd.apache.mk. apache20 is installed (or APACHE_PORT is defined) and port requires 1.3.

Solution: tell the port to build against mod_perl 2 instead:

make install WITH_MODPERL2=yes

To make this stick across future rebuilds and upgrades, put WITH_MODPERL2=yes in /etc/make.conf.