Michael W. Lucas's Blog, page 83

I secure my BSD servers with PF. In FreeBSD 9, PF has been updated to the same version as in OpenBSD 4.5.

I use lists in my PF configuration, as shown in this /etc/pf.conf snippet:

mgmt_hosts="{ 10.0.1.0/24, 172.19.8.0/24}"




When I have new management hosts, I add their IP address or subnets to the mgmt_hosts list. When PF reads this configuration file, every place that a rule references the list, an additional rule is created for each member of the l...

(Anyone who is a big enough fan of my work to actually track down this blog is almost certainly not the target of this rant. But today, it happened one too many times.)

I had a little bit of writing time this morning before work. How did I spend it? Sending DMCA takedown notices. You can get my books for free. Even the brand new ones. They are frequently scanned and uploaded to file sharing sites, sometimes even before I get my author's copies. I send out DMCA notices when I find them, if the ...

I'm installing a jail on a freshly upgraded DragonFly BSD 2.13-DEVELOPMENT box. There's instructions in the DragonFly manual, and on the Web site. They're fine as far as they go, but to make the jail truly useful you need to do a little more.

Before starting, decide some important facts about your jail.

My jail hostname will be mwltest4, on the IP 192.0.2.9, in the directory /jail/mwltest4.

A jail requires...

I have two DragonFly BSD boxes that I want to upgrade to the latest rev. At the moment, they're running:

$ uname -a

DragonFly screw.lodden.com 2.10-RELEASE DragonFly v2.10.1.1.gf7ba0-RELEASE #1: Mon Apr 25 19:48:10 UTC 2011 root@pkgbox32.dragonflybsd.org:/usr/obj/usr/src/sys/GENERIC i386

Unlike most other BSDs, DragonFly uses git for source code management. DragonFly provides make wrappers to git updates, however. If you don't have the source code already installed, get it with:

$ cd /usr
...

I know people are waiting for the next books. So, how are they going?

The last month or so has basically been a loss for writing. We bought a new house. I've painted most of the rooms, removed rancid carpet, stripped, sanded, stained, and sealed the underlying battered-but-intact hardwood floors, and generally made the house inhabitable.

I now have a standing desk, made out of stuff found in abandoned Detroit buildings. Here's the best photo I could take with my free-with-service BlackBerry.

I recommend using sudo for privileged access to systems. I also recommend requiring keys for SSH authentication, with agent forwarding to trusted systems. The default settings in these two programs collide head-on when you become superuser via sudo and want to copy files from one server to another with scp or sftp.

If you're using an SSH agent, your environment contains the location of your authentication socket.

# env | grep SSH
SSH_CLIENT=192.0.2.2 51502 22
SSH_CONNECTION=192.0.2.2 51502...

As a long-time IT guy, I've grown accustomed to randomly discovering that the boss has purchased some new toy and wants me to put it into production. Usually, both the application and the underlying platform are completely incompatible with everything else we have. This demonstrates that one can grow accustomed to anything. This job is a little different, though. I came into the office to find that Fearless Leader installed a pair of new Dragonfly BSD machines and left me a shopping list of s...

I now have three horror stories available on all ebook reader platforms and stores. For September 2011, you can get all of them for free via Smashwords. All have been previously published elsewhere. If you like one of them, please leave a review at your favorite ebook site. (Yes, this is a blatant, transparent attempt to gather reviews.) Follow the link, use the coupon code, and download the stories in your preferred format.

Be warned: "Opening the Eye" contains blood and gore. The others are ...

I needed to mass-configure MikroTik Routerboards. Each needed a very similar but not identical configuration: they would have a unique management IP, and a unique username and password for their VPN connection back to my employer's headquarters. I don't have time or desire to do this routine configuration myself, so I needed a method that would let a less technical person do the work.

You can back up and restore RouterOS configurations, but then I'd need to have the user do all sorts of...

I completed a first draft of the OpenSSH book last night around 10:30PM EDT. It's out for tech edit now. At this point, I'm going systematically through the tech edits and making sure I've corrected the earlier chapters. After that, the manuscript goes to copyediting. Once copyedit is complete, I'll release the ebook and start contracting out the POD version.

I normally write both nonfiction and fiction simultaneously. When I get frustrated with one project, I switch to the other. The context ...