One of the things that I really like about pf, the OpenBSD firewall, is how it lets you define dynamic packet filtering rules — rules that filter based on your network interfaces’ current addresses at the time of filtering. For instance, if I want to allow SSH connections to my laptop only from my local network:

pass in on xl0 inet proto tcp from (xl0:network) to any \
port ssh flags S/SFRA

(xl0:network) is not resolved to a specific address block at configuration load time; if you switch networks — say, if you go from home to work — the rule’s behavior will change accordingly.

Unless I have overlooked some recent change in Linux, this cannot be achieved in a direct fashion with iptables. You can insert a rule to reject non-LAN source addresses, but such a rule is static. When you change network addresses, the rule must be explicitly updated.

In lieu of rewriting all of netfilter to accommodate this use case (*cough*), I just wrote a shell script to help mitigate the pain of manually updating my laptop’s firewall rules — merely a shortcut to cut down on the amount of typing I do on any given …

Read more…

A couple of months ago, I upgraded an old PowerPC machine from OpenBSD 4.2 to 4.3, and I discovered that the new version of pfctl in 4.3 would segfault when reading my old pf.conf file. Some brief poking around with GDB revealed the root of the problem, an uninitialized variable in the new configuration file parser.

If you’ve been bitten by this as well, here’s a patch with the minor change that solved the problem for me:

--- sbin/pfctl/parse.y  Sat Feb 23 15:31:08 2008
+++ sbin/pfctl/parse.y  Thu May 15 08:55:38 2008
@@ -3487,9 +3487,11 @@
qname          : QUEUE STRING                          {
$$.qname = $2;
+                       $$.pqname = NULL;
}
| QUEUE '(' STRING ')'                  {
$$.qname = $3;
+                       $$.pqname = NULL;
}
| QUEUE '(' STRING comma STRING ')'     {
$$.qname = $3;

To apply this patch, perform the following (assuming that you have the OpenBSD 4.3 source code tree at /usr/src on your system):

# cd /usr/src
# patch -p0 </path/to/above/patch
# cd sbin/pfctl
# make && make install

My ISP blocks outbound SMTP traffic, unfortunately, and I didn’t feel like setting up Sendmail relaying just so I could submit a sendbug report, so I couldn’t open a ticket for …

Read more…

I’ve tired of manually pointing my browser at http://www.phys.ufl.edu/weather/ each time I want to check the conditions on campus, so I made a small widget to bring the campus weather report to my NetVibes home page:

Fellow Gators can use this widget too – just click here to add it to your NetVibes home page, or here to add it to iGoogle. Or copy the widget’s URL to manually add it to any other UWA-aware application:

http://markshroyer.com/code/uwa/uf-weather/widget.xhtml

After setting up my apartment’s OpenBSD based network, I decided it would be handy to have a simple report generator to describe active DHCPD leases. I also wanted to brush up on Perl a bit. This Perl script is the natural result of such circumstances.

Run dhcpd-report.pl to generate a plaintext or HTML report of current leases in the DHCPD lease database and reservations in dhcpd.conf. In my usage, I have the script set to run once every five minutes in a cron job, sending output to an HTML file in a web server document root. (On OpenBSD, httpd runs in a chroot jail; if I were to run this script as CGI it wouldn’t have direct access to the DHCPD configuration files.) Thus the script can be used to give you a reasonably up to date web page displaying your network’s DHCP clients.

By default, the program looks for dhcpd.leases and dhcpd.conf in /var/db/ and /etc/, respectively, which are these files’ locations in OpenBSD 4.1. If needed, you can change where the script looks for these files by modifying a pair of constants near the top of the main program …

Read more…

I always thought I was a bit of an oddball for choosing the ancient scheduler Remind as my favorite OS X calendar software. But as it turns out, I’m not quite as alone as I had assumed. I guess OS X is a bigger draw to Unix geeks than I realized.

So I’ve decided to publish a tool that I wrote a few months back, a simple little Objective-C command line application that reads the birthdays of all your OS X AddressBook contacts and outputs them in .reminders format.

The source code bundle is here. After installation, see the manpage remind_birthdays(1) for documentation.

You can also view the source code repository on Github.