Saturday 8 November 2014

Bulk Filename Rewriting

In zsh you'll find zmv (load it with autoload zmv), which makes bulk renaming easy. For example, I had some downloaded files named something.mp3?id=8795294528 and so on, and wanted to cut off the cruft at the end.

zmv '(*.mp3)*' '$1'

Saturday 18 October 2014

Strip comments from an XML file

Ever had an XML file bloated with comments? Here's a great one-liner for stripping them.

tidy -quiet -asxml -xml -indent -wrap 1024 --hide-comments 1 file.xml

Thanks to http://stackoverflow.com/questions/1464697/stripout-comments-from-xml

Thursday 21 August 2014

Convert pem certificate to pkcs12 / p12

openssl pkcs12 -export -in widgets.crt -inkey widgets.key -out widgets.p12

Friday 11 July 2014

Multiple desktops with xrandr on fluxbox

I use fluxbox. Sometimes I work with multiple screens, sometimes I don't, and sometimes those screens have various resolutions.

To see what screens I have available I run

xrandr -q

from there I can see what screens and resolutions I have available. Then I can configure my setup appropriately,

e.g
xrandr --output VGA1 --mode 1680x1050 --left-of LVDS1

Thanks to http://awesome.naquadah.org/wiki/Using_Multiple_Screens for this one.

Thursday 24 April 2014

Simple single user VPN with OpenVPN as NAT Gateway

Here's a quick brain-dump on setting up a single user VPN as a NAT gateway for use when I'm out and about.

I used the openvpn package from EPEL.

Note that in these examples:
tunnel endpoint = tun0
server tunnel address = 10.99.66.2
client tunnel address = 10.99.66.1
public interface = eth0

Create a user and group "openvpn" (the EPEL rpm does this for you), e.g.
groupadd -r openvpn
useradd -r -g openvpn -s /sbin/nologin -c OpenVPN -d /etc/openvpn openvpn

Create a static key file, which we use on the server and on the client, and set some secure perms (should be done already):
openvpn --genkey --secret /etc/openvpn/secret.key
sudo chown root:root /etc/openvpn/secret.key
sudo chmod 600 /etc/openvpn/secret.key

Create /etc/openvpn/server.conf (I've annotated the options):
# Run in single user tunnel mode
mode p2p

# Run only on the right address / interface
local (host or ip)

# Always setup and use tun0
dev tun0

# set addresses for local and remote tunnel endpoints

# ifconfig local remote
ifconfig 10.99.66.2 10.99.66.1

# Use UDP on port x
proto udp
port 1194

# Drop to openvpn:openvpn after starting
user openvpn
group openvpn

# Use a static key
# (gen with openvpn --genkey --secret /etc/openvpn/secret.key)
secret secret.key

# Use separate keys for each traffic direction
# see https://openvpn.net/index.php/download/60-open-source/faq.html
key-direction 0

# Don't re-read key on ping restart as we won't have enough perms
persist-key

# Don't restart tun0 on ping restart as we won't have enough perms
persist-tun

# Keep alive (openvpn ping every 10s, ping restart if no traffic for 120s)
keepalive 10 120

# Use compression
comp-lzo

# Logging and log level
log-append  /var/log/openvpn.log
verb 3

Client config file, e.g. client.ovpn. Notice here how we include the secret key all in one file - this works really well for easy deployment on the Android VPN client and Tunnelblick:
remote (ip or host of VPN server)
dev tun
ifconfig 10.99.66.1 10.99.66.2
proto udp
port 1194
comp-lzo
ping 10
key-direction 1

<secret>
-----BEGIN OpenVPN Static key V1-----
a4a4d5d7d9d8d7d7d424242......
-----END OpenVPN Static key V1-----
</secret>

You should now be able to ping across the tunnel. You may need to add a rule to iptables if you are blocking all inbound traffic, i.e.
-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

Finally, enable routing at the kernel level, routing through iptables, and NAT:
sysctl -w net.ipv4.ip_forward=1

iptables -A FORWARD -s 10.99.66.1/32 -i tun0 -o eth0 -j ACCEPT
iptables -A FORWARD -d 10.99.66.1/32 -i eth0 -o tun0 -j ACCEPT

iptables -t nat -A POSTROUTING -s 10.99.66.1 -o eth0 -j MASQUERADE

For reference, here is my /etc/sysconfig/iptables:
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]

# NAT traffic coming from the remote VPN endpoint to the internet
-A POSTROUTING -s 10.99.66.1/32 -o eth0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Allow all inbound traffic on lo
-A INPUT -i lo -j ACCEPT

# Allow vpn and ssh on public interface
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 1194 -j ACCEPT

# Allow outbound related traffic back in
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow ping inbound on the vpn - useful for testing
-A INPUT -i tun0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

# Allow NATed traffic which has to be routed across the interfaces
-A FORWARD -s 10.99.66.1/32 -i tun0 -o eth0 -j ACCEPT
-A FORWARD -d 10.99.66.1/32 -i eth0 -o tun0 -j ACCEPT
COMMIT
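To produce the single-file client config described above from the server's own server.conf and secret.key, here is an added shell example (mine, not from the original post): it mirrors the ifconfig addresses, flips key-direction from 0 to 1, embeds the key between <secret> tags, and refuses to embed a key file whose mode is not 600 or 400. The VPN server hostname and the two file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post: build the single-file client.ovpn
# from server.conf and secret.key. Tunnel addresses are mirrored, key-direction
# is flipped, and the key is refused unless its mode is 600 or 400.

# gen_client_ovpn SERVER_CONF SECRET_KEY REMOTE_HOST  -> client config on stdout
gen_client_ovpn() {
    conf=$1; key=$2; remote=$3
    [ -r "$conf" ] && [ -r "$key" ] || return 1
    # GNU stat first, BSD/macOS stat as fallback.
    perms=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key" 2>/dev/null)
    case "$perms" in
        600|400) ;;
        *) echo "refusing to embed $key: mode '$perms' is too open" >&2; return 1 ;;
    esac
    # Fields that must agree on both ends of the p2p tunnel.
    set -- $(awk '$1 == "ifconfig" { print $2, $3 }' "$conf")
    srv_local=$1; srv_remote=$2
    [ -n "$srv_local" ] && [ -n "$srv_remote" ] || return 1
    proto=$(awk '$1 == "proto" { print $2 }' "$conf")
    port=$(awk '$1 == "port" { print $2 }' "$conf")
    srv_dir=$(awk '$1 == "key-direction" { print $2 }' "$conf")
    # Static-key directions must be complementary: server 0 <-> client 1.
    case "$srv_dir" in 0) cli_dir=1 ;; 1) cli_dir=0 ;; *) return 1 ;; esac
    printf 'remote %s\ndev tun\n' "$remote"
    printf 'ifconfig %s %s\n' "$srv_remote" "$srv_local"          # mirrored
    printf 'proto %s\nport %s\n' "${proto:-udp}" "${port:-1194}"  # OpenVPN defaults if unset
    printf 'comp-lzo\nping 10\nkey-direction %s\n\n' "$cli_dir"
    printf '<secret>\n'; cat "$key"; printf '</secret>\n'
}
```

Run it as gen_client_ovpn /etc/openvpn/server.conf /etc/openvpn/secret.key vpn.example.com > client.ovpn and copy only the resulting file to the client.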

Tuesday 15 April 2014

Juniper SSG debug

I had a strange issue with VIPs over multiple zones on my SSG5 today.  I was going to dump the debug commands but someone else has already done so quite well. The block / log policy I had for the trust zone VIP was also blocking on another zone, strange - but easy to pick up with the SSG debugging.

http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Troubleshooting-Tips-Debug-commands/td-p/6203

Sunday 26 January 2014

openSUSE 13.1 and Mac OS X NFS with static ports

Since my new lab setup, everything on my main openSUSE Linux machine is now in a different Juniper zone to my Mac laptop and thus firewalled.

This NFS setup was one of the few times where it was easier to do the same thing in RHEL5. I was also unable to find any documentation for this from SUSE.

This brief post shows the firewall ports and software configuration I used to set up nfs-server on openSUSE and the NFS client on Mountain Lion. The Mac client configuration was not required for my OpenELEC box.

This NFS setup is for read-only. There may be additional requirements for rw which I have not covered.

It also assumes that ports 111 and 2049 (UDP and TCP) have already been accounted for. The ports I used for MountD, StatD and LockD are arbitrary.

Setting Static Ports for MountD, StatD and LockD

MountD
In /etc/sysconfig/nfs set
MOUNTD_PORT="21000"

StatD
In /etc/sysconfig/nfs set
STATD_OPTIONS="-p 22000"

LockD / nlm
This one took me a while to work out: I was trying to trace the executable that owned the open port with lsof, and when that drew a blank I realised it must be set at kernel level.

These need to be set with sysctl. I put my values in /etc/sysctl.conf and reloaded with sysctl -p:
fs.nfs.nlm_tcpport = 23000
fs.nfs.nlm_udpport = 23000

Disable NFSv4
Theo de Raadt wrote: "NFSv4 is not on our roadmap. It is a ridiculous bloated protocol which they keep adding crap to."

I came across this on the Wikipedia page for NFS when checking to see which versions I really wanted. Since I'm not doing authentication and Theo says it won't make it into OpenBSD, I'm keen to disable it.

In /etc/sysconfig/nfs set
NFS4_SUPPORT="no"

Restart Server
Once you restart NFS and run rpcinfo -p, you should find all the ports you need can now be accounted for.
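As an added check (mine, not from the original post), the following shell function compares rpcinfo -p output against the static ports chosen above, so the firewall policy can be written for exactly those ports and any service that has drifted back to a random port, or that is registered without a firewall entry, is reported. The service=port pairs are passed as arguments; the rpcinfo output in the test is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original post: compare "rpcinfo -p" output with
# the static ports the firewall policy was written for.
#   usage: rpcinfo -p | check_rpc_ports mountd=21000 status=22000 nlockmgr=23000 ...
# Prints one line per service/proto/port; exit status 1 if anything deviates.
check_rpc_ports() {
    awk -v expect="$*" '
    BEGIN {
        n = split(expect, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, "=")
            want[kv[1]] = kv[2]
        }
        bad = 0
    }
    # Data lines look like: program vers proto port service (header is skipped).
    NF == 5 && $1 ~ /^[0-9]+$/ {
        svc = $5; proto = $3; port = $4
        key = svc "/" proto "/" port
        if (seen[key]++) next                  # several versions share one port
        if (!(svc in want)) {
            printf "UNEXPECTED %s %s/%s (no firewall entry)\n", svc, proto, port; bad = 1
        } else if (port != want[svc]) {
            printf "MISMATCH %s %s/%s (expected %s)\n", svc, proto, port, want[svc]; bad = 1
        } else {
            printf "OK %s %s/%s\n", svc, proto, port
        }
    }
    END { exit bad }'
}
```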

Mac client configuration
Although I use a Mac most days, I'm not that well versed in how to administer it. Anyway, with the above setup I was finding that from the command line I could read the export fine, but Finder was really not playing ball. No directory listing makes it effectively useless unless using the CLI. I also strongly dislike most of the user-contributed documentation for Mac on the internet (which tends to consist of "Steve Jobs didn't want you to do it like that" or "I bought this (closed source) app which works for me").

Anyway, as it turns out Mountain Lion is pretty slick to set up NFS on and the man pages are pretty good. Using rpcinfo -p and setting a block and log policy on my Juniper I was able to work out that you just need to set the LockD and StatD ports in /etc/nfs.conf:

nfs.lockd.port = 23000
nfs.statd.port = 22000

Export and mount settings
For reference, these are the export and mount settings I am using.

In /etc/exports:
/[path] [client_ip](fsid=0,crossmnt,ro,root_squash,sync,no_subtree_check)

Mount on the Mac:
sudo mount -t nfs -o resvport,nfc [server_ip]:[export_path] [mount_path]

Monday 20 January 2014

Creating disk images in Mac OS X with dd and diskutil

I keep forgetting the diskutil commands so I've dumped them in this post. To use dd on a Mac you have to remember to unmount the volume first (as everything gets auto-mounted).

mount - find the path for the mounted volume, i.e. /dev/disk3s1 (diskutil list is also useful)
sudo diskutil unmount /dev/disk3s1 - unmount it
sudo dd bs=512k if=imagefile.img of=/dev/disk3 - write the image to the whole disk

Saturday 18 January 2014

openSUSE repository for transmission 2.42

ftp://ftp5.gwdg.de/pub/opensuse/repositories/openSUSE:/Maintenance:/1433/openSUSE_12.1_Update/


Friday 3 January 2014

Creating a new service definition for Suse firewall

I use ushare a bit at home and I wanted it to work nicely with SuSEfirewall2.

All I had to do was create a new service description in /etc/sysconfig/SuSEfirewall2.d/services/ (I called mine ushare) and fill in the file accordingly.

I copied it from /etc/sysconfig/SuSEfirewall2.d/services/TEMPLATE.

After a bit of reading it seems you can use a service name corresponding to an entry in /etc/services or just the port number. I used the latter. I also had to set this port appropriately in /etc/ushare.conf.

## Name: ushare Server
## Description: Opens ports for ushare

# space separated list of allowed TCP ports
TCP="49200"

Now I can just select the service from the drop-down in the firewall GUI. For me this fits the workflow I would use from Juniper SSG (custom services).

openSUSE KVM getting started notes

Some sparse notes on installing KVM on openSUSE locally

Configure libvirtd
Firstly, let's not have to be root every time I want to use virt-manager, and without using PolicyKit. In /etc/libvirt/libvirtd.conf uncomment and set:
unix_sock_group = "libvirt"
unix_sock_ro_perms = "0770"
unix_sock_rw_perms = "0770"
auth_unix_ro = "none"
auth_unix_rw = "none"
(https://doc.opensuse.org/documentation/htmlsingle/openSUSE_122/opensuse-kvm.html#sec.libvirt.connect.auth.libvirt.traditional)

Set default url
I'm just using KVM locally and I don't want to have to type virsh -c qemu:///system every time to admin on the command line, so I create
~/.config/libvirt/libvirt.conf
and add
uri_default = "qemu:///system"
Now I can just type
virsh list --all
(http://libvirt.org/uri.html)

virsh commands: host
virsh nodeinfo - dump CPU and RAM info for the hypervisor

virsh commands: domain management
virsh list --all - list info on all VMs (domains)
virsh (start|shutdown|reboot|reset) domain
virsh (suspend|resume) domain
virt-viewer domain - open the graphical console for the domain

virsh commands: domain info gathering
virsh dominfo domain - show overview of domain (name, cpu, state etc)
virsh domstate domain - show the state of the domain (shut off, running etc)
virsh dumpxml domain - dump the xml configuration for the domain to stdout
virsh edit domain - open the xml configuration for the domain in $EDITOR
virsh define (file) - import a domain from an xml config