June 14, 2010

Country based packet filtering in RHEL 5.x

Filed under: Messaging, Redhat/Fedora, Zimbra, linux — morgan @ 23:51

This is adapted from the Debian instructions found here:
http://www.debian-administration.org/articles/518

install redhat source repository and yum-utils
http://www.cyberciti.biz/faq/yum-download-source-packages-from-rhn

# vi /etc/yum.repos.d/srpm.repo
[rhel-src]
name=Red Hat Enterprise Linux $releasever - $basearch - Source
baseurl=ftp://ftp.redhat.com/pub/redhat/linux/enterprise/$releasever/en/os/SRPMS/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
# yum install yum-utils
# mkdir /usr/src/redhat

get kernel source.

# yumdownloader --source kernel-2.6.18
# tar xfj /usr/src/redhat/SOURCES/linux-2.6.18.tar.bz2 -C /usr/src

get iptables source

# yumdownloader --source iptables
# tar xfj /usr/src/redhat/SOURCES/iptables-1.3.5.tar.bz2 -C /usr/src

get patch-o-matic—we will use it to patch iptables and the kernel.

# wget http://ftp.netfilter.org/pub/patch-o-matic-ng/snapshot/patch-o-matic-ng-20070414.tar.bz2
# tar xjf patch-o-matic-ng-20070414.tar.bz2

get the geoip patchlet:

# wget http://people.netfilter.org/peejix/patchlets/geoip.tar.gz
# tar xfz geoip.tar.gz -C patch-o-matic-ng-20070414/patchlets

Apply the geoip patchlet

# cd patch-o-matic-ng-20070414
# KERNEL_DIR=/usr/src/linux-2.6.18/ IPTABLES_DIR=/usr/src/iptables-1.3.5/ ./runme geoip

Loading patchlet definitions.................. done

Welcome to Patch-o-matic ($Revision: 6736 $)!

Kernel:   2.6.18, /usr/src/linux-2.6.18/

Iptables: 1.3.5, /usr/src/iptables-1.3.5
Each patch is a new feature: many have minimal impact, some do not.
Almost every one has bugs, so don't apply what you don't need!
-------------------------------------------------------
Already applied:
Testing geoip... not applied
The geoip patch:
   Author: Samuel Jean ; Nicolas Bouliane 
   Status: Stable

This patch makes possible to match a packet
by its source or destination country.

GeoIP options:
        [!]   --src-cc, --source-country country[,country,country,...]

                        Match packet coming from (one of)
                        the specified country(ies)

        [!]   --dst-cc, --destination-country country[,country,country,...]

                        Match packet going to (one of)
                        the specified country(ies)

           NOTE: The country is inputed by its ISO3166 code.

The only extra files you need is a binary db (geoipdb.bin) & its index file (geoipdb.idx).
Take a look at http://people.netfilter.org/peejix/geoip/howto/geoip-HOWTO.html
for a quick HOWTO.
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] ?
Answer one of the following:
  T to test that the patch will apply cleanly
  Y to apply patch
  N to skip this patch
  F to apply patch even if test fails
  A to restart patch-o-matic in apply mode
  R to restart patch-o-matic in REVERSE mode
  B to walk back one patch in the list
  W to walk forward one patch in the list
  Q to quit immediately
  ? for help
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] T
Patch geoip applies cleanly
-----------------------------------------------------------------
Do you want to apply this patch [N/y/t/f/a/r/b/w/q/?] y

Excellent! Source trees are ready for compilation.

Recompile the kernel image (if there are non-modular netfilter modules).
Recompile the netfilter kernel modules.
Recompile the iptables binaries.
#

Build the kernel module

# cd /usr/src/linux-2.6.18
# make oldconfig
…
    geoip match support (IP_NF_MATCH_GEOIP) [N/m/?] (NEW) m
…
# make modules_prepare


Compile just the netfilter modules

# make -C $(pwd) M=net/ipv4/netfilter/ modules
# cp -i net/ipv4/netfilter/ipt_geoip.ko /lib/modules/2.6.18-128.1.10.el5/kernel/net/ipv4/netfilter/

Build the iptables libipt_geoip.so library

# cd /usr/src/iptables-1.3.5
# make KERNEL_DIR=/usr/src/linux-2.6.18/ extensions/libipt_geoip.so
Making dependencies: please wait...
cc -O2 -Wall -Wunused -I/usr/src/linux-2.6.18//include -Iinclude/ -DIPTABLES_VERSION=\"1.3.5\"  -fPIC -o extensions/libipt_geoip_sh.o -c extensions/libipt_geoip.c
ld -shared  -o extensions/libipt_geoip.so extensions/libipt_geoip_sh.o
# cp extensions/libipt_geoip.so /lib64/iptables

Insert the module into the kernel

# depmod
# modprobe ipt_geoip


Todo: load the module on boot?

Create the IP-country mapping

# wget http://www.maxmind.com/download/geoip/database/GeoIPCountryCSV.zip
# unzip  GeoIPCountryCSV.zip
# wget http://people.netfilter.org/peejix/geoip/tools/csv2bin-20041103.tar.gz
# tar xzf csv2bin-20041103.tar.gz
# cd csv2bin
# make
# ./csv2bin ../GeoIPCountryWhois.csv
# mkdir /var/geoip
# mv geoipdb* /var/geoip

Test
World Cup mania means we happened to have a colleague in South Africa so we blocked the whole country on a test server and had him attempt to connect to https:

# /sbin/iptables -A INPUT -p tcp --dport 443 -m geoip --src-cc ZA -j REJECT
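As an added example (my code, not from the original post), here is a small shell helper that generates rules for the ipt_geoip match built above, validates the country list, and logs before rejecting so blocked connections leave a trace in syslog. It assumes the module and libipt_geoip.so are installed as described and that the database is in /var/geoip as in the post; the rules are printed rather than applied so they can be reviewed first.

```sh
#!/bin/sh
# Added example, not part of the original post: generate and sanity-check
# country-based rules for the ipt_geoip match. Assumes ipt_geoip.ko and
# libipt_geoip.so are installed as in the post and geoipdb.bin is in
# /var/geoip. Rules are printed, not applied; pipe them to sh to load them.
IPTABLES=${IPTABLES:-/sbin/iptables}
GEOIP_DB=${GEOIP_DB:-/var/geoip/geoipdb.bin}

# The match takes ISO 3166 alpha-2 codes, comma separated, no spaces.
valid_cc_list() {
    printf '%s' "$1" | grep -Eq '^[A-Z]{2}(,[A-Z]{2})*$'
}

# Emit a rate-limited LOG rule followed by the REJECT, so blocked attempts
# show up in /var/log/messages instead of silently disappearing.
# $1 = country list, $2 = destination port.
geoip_block_rules() {
    ccs=$1; port=$2
    valid_cc_list "$ccs" || { echo "bad country list: $ccs" >&2; return 1; }
    printf '%s -A INPUT -p tcp --dport %s -m geoip --src-cc %s -m limit --limit 5/min -j LOG --log-prefix "geoip-reject: "\n' \
        "$IPTABLES" "$port" "$ccs"
    printf '%s -A INPUT -p tcp --dport %s -m geoip --src-cc %s -j REJECT\n' \
        "$IPTABLES" "$port" "$ccs"
}

# Checks to run on the firewall host before loading the rules: the database
# csv2bin produced must exist and the module must already be in the kernel.
geoip_preflight() {
    [ -r "$GEOIP_DB" ] || { echo "missing $GEOIP_DB (run csv2bin)" >&2; return 1; }
    grep -q '^ipt_geoip ' /proc/modules \
        || { echo "ipt_geoip not loaded (modprobe ipt_geoip)" >&2; return 1; }
}
```

Typical use is `geoip_preflight && geoip_block_rules ZA 443 | sh`. On the to-do about loading the module at boot: on RHEL 5 the iptables init script loads every module named in `IPTABLES_MODULES` in /etc/sysconfig/iptables-config, so listing ipt_geoip there is the usual answer.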

May 27, 2010

“no such account…” during zimbra restores

Filed under: Messaging, Zimbra — morgan @ 10:59

I’m working on a migration where we’re moving users one by one from a production environment to a dev environment. To oversimplify, the process is:
- backup in production,
- zmbackupquery -lb

So:

$ zmbackup -f -z -a user@domain.com

then


$ zmrestore -c -lb full-20100527.153703.317 -a user@domain.com
Error occurred during restore. Check logs for more details.
The following accounts have not been restored:
  user@domain.com

A look at mailbox.log reveals:


com.zimbra.cs.account.AccountServiceException: no such account: ef423485-424b-4fec-a064-f797ffc4ae29
ExceptionId:btpool0-116://localhost:7071/service/admin/soap/RestoreRequest:1274974984703:209afa27e2965ffa
Code:account.NO_SUCH_ACCOUNT
	at com.zimbra.cs.account.AccountServiceException.NO_SUCH_ACCOUNT(AccountServiceException.java:177)
	at com.zimbra.cs.mailbox.Mailbox.getAccount(Mailbox.java:515)
...

“ef423485-424b-4fec-a064-f797ffc4ae29” is presumably a zimbraId. I can’t for the life of me figure out where it originates: I can’t find it anywhere in either environment.

The workaround is surprisingly straightforward. Instead of the zmrestore above, restore to a restored_ account and rename the account:


$ zmrestore -c -ca -pre restored_ -lb full-20100527.153703.317 -a user@domain.com
$ zmprov ra restored_user@domain.com user@domain.com

May 14, 2010

Turn on recipient verify in Zimbra

Filed under: Uncategorized — morgan @ 16:05

I’d love to know why Zimbra does not ship with recipient verify turned on. Here’s the use case: a user sends a message from the web interface with an invalid recipient. He/she does not get an error when the message is sent but instead receives an immediate bounce. Sure, the info is in the bounce, but it’s easy to miss in a cluttered inbox and a hassle to parse.

The solution is very simple. On each host running postfix:

As zimbra:

$ vi /opt/zimbra/postfix/conf/main.cf
relay_recipient_maps = ldap:/opt/zimbra/conf/ldap-vam.cf

$ vi /opt/zimbra/conf/zmmta.cf
POSTCONF smtpd_reject_unlisted_recipient yes

$ zmmtactl restart

This works in ZCS 5.0.x and 6.0.6. It will likely work in other versions as well.
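Added example (my code, not from the post or from Zimbra) for confirming the change actually took effect on an MTA: one function asks Postfix for the two settings, one probes the SMTP port with a known-bad recipient, and one extracts the RCPT TO reply code from the transcript. It assumes postconf is at /opt/zimbra/postfix/sbin/postconf (override with POSTCONF) and that port 25 on the MTA is reachable; the live probe needs bash for /dev/tcp.

```bash
#!/bin/bash
# Added example, not part of the original post: check that recipient
# verification is active on a Zimbra MTA. Assumes postconf under
# /opt/zimbra/postfix/sbin (an assumption; override with POSTCONF) and a
# reachable port 25 for the live probe.

# Ask Postfix what it actually loaded; both values must match the post.
check_postconf() {
    pc=${POSTCONF:-/opt/zimbra/postfix/sbin/postconf}
    [ "$("$pc" -h smtpd_reject_unlisted_recipient)" = "yes" ] || return 1
    "$pc" -h relay_recipient_maps | grep -q 'ldap:' || return 1
}

# Given an SMTP transcript on stdin (one server reply per line), print the
# 3-digit code of the reply to RCPT TO. With HELO (single-line replies) the
# replies arrive in order: greeting, HELO, MAIL FROM, RCPT TO, QUIT.
rcpt_reply_code() {
    grep -E '^[0-9]{3}[ -]' | sed -n '4p' | cut -c1-3
}

# Live probe using bash's /dev/tcp: HELO, null sender, one RCPT, QUIT.
# A 550 for an address that does not exist means verification is working;
# a 250 means the MTA will accept the message and bounce it later.
smtp_probe() {
    host=$1 rcpt=$2
    exec 3<>"/dev/tcp/$host/25" || return 1
    for cmd in "HELO probe.example.invalid" "MAIL FROM:<>" "RCPT TO:<$rcpt>" "QUIT"; do
        printf '%s\r\n' "$cmd" >&3
        sleep 1
    done
    while IFS= read -r line <&3; do
        printf '%s\n' "$line" | tr -d '\r'
        case $line in 221*) break ;; esac
    done
    exec 3>&-
}

# Constructed transcript (not captured from a real server) in the shape
# Postfix produces when the recipient is unknown in the relay map.
sample_transcript() {
    cat <<'EOF'
220 mta.domain.com ESMTP Postfix
250 mta.domain.com
250 2.1.0 Ok
550 5.1.1 <nobody@domain.com>: Recipient address rejected: User unknown in relay recipient table
221 2.0.0 Bye
EOF
}
```

On a live system: `check_postconf && smtp_probe mta.domain.com nobody@domain.com | rcpt_reply_code` should print 550 once the setting is in place; before the change it prints 250 and the bounce arrives later.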

April 15, 2010

Belated thoughts on Hawaii

Filed under: motorcycles, travelogue — morgan @ 16:55

(Photos are here.)

In February B attended a burn “conference” held on Maui, Hawaii. I am not much of a beach person but it seemed silly to turn down a week of free lodging in Hawaii as I’d never been.

She was busy from 8-12 each day at the conference so I rented a motorcycle and had a look around the island. I rented a Harley Fat Bob the first day which I’m a little embarrassed to admit is a pretty nice motorcycle. Cost and image aside I could consider owning one. The position is leaned way back with your feet and arms stretched far forward.. The forward controls are surprisingly comfortable, the only real disadvantage is that your heels drag in even moderate turns. The passenger accommodations are horrendous.. I suspect some quality time with Sargents would fix the problem but B still complains about how uncomfortable the seat was.

The Harley motor is not unlike the Guzzi motor in that it’s a laid back, torquey twin. It makes its max torque very low, making it comfortable for just, well, cruising around. It’s plenty fast by real-world standards.

I switched to a Heritage Softail which I would give about a 7 out of 10 for rider position, comfort and style. B really liked the passenger accommodations and it had bags so ultimately it was a better choice for us. The riding position was neither laid back nor leaned forward, really just a little further back than a “standard” motorcycle and equally awkward.. The style is just too “classic” for my tastes.. between the huge white fenders and the studs I just felt like a fool riding it around.

The island is surprisingly small, there couldn’t be more than a few hundred miles of paved road and a lot of them are highways that just connect one place to another. A lot of the island is a state park which means there are no shortcuts: if you go down many a road any distance you have to follow it all the way around the island, which can be a multi-hour ride and, as in the case of the road to Hana, a washed-out dirt road.

We skipped the road to Hana in favor of seeing the rest of the island.. A combination of lack of time and anxiety about piloting a huge Harley through roads that the rental company is apparently not insured for.. So we rode around West Maui and much of central Maui. The stretch from Kahului to Kahakuloa is beautiful on the scale of the Pacific Coast Highway along the Northern California coast. The surface is pretty bad in spots but it’s very passable.

Another day we took the road to Haleakala which is supremely frustrating with its seemingly endless switchbacks and generally cold and dreary demeanor for the first half. The ride pays off however as you break the cloud cover somewhere around 15 miles into the ride and it is clear and sunny with a view of the top of the clouds you just passed through. I remember the revelation of breaking through the clouds and upon arriving at the checkpoint to pay the entry fee I enthusiastically asked if breaking out of the clouds so dramatically was common.. The ranger gave me a bored look and simply said, “oh, yes..”

The top of Haleakala is almost exclusively volcanic rock, most of it red. It truly looks like the surface of Mars. It is populated by Nene, which appear to be a strange mix of a goose and a pigeon. They make chirping noises and are relatively tame, likely because people feed them.

We stayed at The Makena Golf and Beach Resort, formerly the Maui Prince, an aging independent resort that was in the hands of a slightly neglectful investment group.. It was either for sale or in the process of being sold. The downside was the overpriced restaurants, which closed early and had pretty mediocre menus.. just enough to be considered a restaurant really. The upside was the staff didn’t seem terribly concerned about late night hot tub use.. B and I spent quality time tempting fate with a few beers in the hot tub. We did go up to the Four Seasons one night for dinner but by and large you had to make the 20 minute drive to Kihei for dinner.

Makena is a perfect example of a place at the end of a road with no alternate routes: it’s 20 minutes from access to anything else on the island. Not far below the resort was a public beach (Big Beach) which was clearly populated by locals and had an attached, seemingly unofficial but far from secret, nude beach (Little Beach).. Little Beach also had much better waves.

I can’t stress enough how beautiful Maui’s beaches really are.. the water is a clear blue-green, you can stand neck deep in water and see your feet. The water has got to be 80 degrees in February. It’s really amazing. I don’t like the beach and I found it pleasant.

January 30, 2010

Sprint EVDO multiple connections fix

Filed under: Uncategorized, Why you should own a mac — morgan @ 12:47

After too many hours fighting with poor quality free wireless I am trying out mobile broadband. A friend loaned me his Sierra Wireless 597 3g. After installing the Snow Leopard drivers from Sprint it works fine.

However if I attempt to connect a pptp or ipsec vpn the connection drops with the error: “Disconnected. Multiple connections are not allowed. Your CDMA connection was terminated.” It behaves the same way if you attempt to connect to a wireless network.

The fix turns out to be simple. In SmartView:
Tools->Settings
click Hardware
select ‘Allow Simultaneous Connections.’

Here’s the link that got me on the right track:
http://forums.juniper.net/t5/SSL-VPN/Sprint-SmartView-disconnects-when-NC-launches/td-p/9579;jsessionid=C56E06204F45FFF85712812235447301

January 11, 2010

Clever Art/Tech Project

Filed under: Uncategorized — morgan @ 15:43

http://vimeo.com/8201309

I generally don’t post web links but it’s been slow here on the blog and this is a clever project.

They built a series of simple, nicely designed chairs, left them on the streets of NYC, monitored them via video and GPS to see who took them.

November 19, 2009

Transparently handle first argument to Perl Package subroutines

Filed under: Perl, Programming — morgan @ 16:11

It’s always baffled me that Perl subroutines behave differently when called from inside the Package vs. outside.

The use case may be obvious but I’ll say it: you write a small utility routine that you want to call as $pack->func(1); from outside and as func(1); from within the Package.

The problem of course is that when called as $pack->func(1); the first arg will be the object itself, and when called as func(1); from within the package the first arg will be “1.”

There’s a very simple solution:
shift if ((ref $_[0]) eq __PACKAGE__);

Here’s a simple example:


#!/usr/bin/perl -w
use strict;

package Pack;

sub new {
    my $c = shift;

    my $self = {};
    bless $self, $c;
    return $self;
}

sub func {
    # Drop the invocant when called as a method ($p->func(1)); leave the
    # argument list alone when called as a plain sub (func(1)).
    # Caveat: ref() returns the blessed class name, so an object of a
    # subclass of Pack is not shifted; Scalar::Util::blessed($_[0]) &&
    # $_[0]->isa(__PACKAGE__) would cover that case as well.
    shift if ((ref $_[0]) eq __PACKAGE__);
    my $arg = shift;    # not $a, which is sort()'s package variable

    print "passed in: $arg\n";
}

sub call_func {
    print "calling func from inside ", __PACKAGE__, ":\n";
    func(2);
}

# Back to the main package for the test driver.
package main;

my $p = Pack->new;

print "calling func from main:\n";
$p->func(1);

$p->call_func();

Try commenting the “shift” line in sub func() and see how it behaves differently.

October 28, 2009

How to locate perl modules in the same directory as the script

Filed under: Perl, Programming — morgan @ 10:48

Perl of course allows you to identify the location of your perl modules by modifying @INC but is surprisingly rigid when it comes to placing module(s) in the same directory with the script.

This is fine for permanent installations or for scripts that depend on an installer, but if you want to distribute a script plus module(s) for general use, or just want the flexibility to copy it from system to system without modifying the code, the solution is relatively simple:

Setup: you write a perl module MyModule.pm that you’d like to include in the same directory as your script myScript.pl and allow the script to be called from anywhere.

in myScript.pl you would:


use MyModule;

To contain your script and its supporting files in an arbitrarily located myScript directory you’d have to change into the myScript directory before executing myScript.pl:


$ mv myScript.pl MyModule.pm /path/to/myScript
$ cd /path/to/myScript && ./myScript.pl

suppose you just want to execute it as


$ /path/to/myScript/myScript.pl

You’d get:


Can't locate MyModule.pm in @INC (@INC contains: /usr/lib..

Well, the solution is fairly straightforward: parse the content of $0 to identify the directory of myScript.pl (and therefore of MyModule.pm) and put it at the beginning of @INC:


BEGIN {
    # Strip the script name from $0, leaving the directory it lives in.
    # $0 is relative to the cwd when invoked as ./myScript.pl, which is fine
    # as long as nothing chdir()s before the modules are loaded.
    my $script_dir = $0;
    if ($script_dir =~ s{/[^/]+/*\s*$}{}) {
        $script_dir = '/' if $script_dir eq '';   # script sits in the root directory
        unshift @INC, $script_dir;
    }
    # The core FindBin module does the same job ($FindBin::Bin, or
    # $FindBin::RealBin to follow symlinks), usable as: use lib "$FindBin::Bin";
}

October 23, 2009

SSL Certificates in Zimbra 5.0.x

Filed under: Messaging, Zimbra, linux — morgan @ 11:28

Using these links as a starting place,

http://www.jransomed.com/mywiki/Zimbra/InstallingSSLCertificate

http://wiki.zimbra.com/index.php?title=5.x_Commercial_Certificates_Guide

Here’s a run-down of installing SSL certificates in Zimbra Collaboration Suite (ZCS) 5.0.x. It’s relatively straightforward once you wrap your head around the steps. You’ll want to do these steps as root.

The customer on which this example is based had existing Comodo wildcard certificates for their *.domain.edu.

Browse to http://instantssl.com
log in
Arrow over to Comodo PremiumSSL Wildcard Certificate for *.domain.edu
click on ‘Download as .zip’

You should have three files that start with ‘STAR.’ rename them:
STAR_domain_edu.crt to commercial.crt
STAR_domain_edu.crt to commercial_ca.crt
STAR_domain_edu.key to commercial.key

Copy the commercial* files to each of the Zimbra hosts.


# mv commercial.key /opt/zimbra/ssl/zimbra/commercial
# mv commercial.crt commercial_ca.crt /var/tmp

Deploy the cert:


# cd /var/tmp
# zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt

This may not apply to you but we were unable to get openssl and by extension Zimbra to verify the Comodo cert chain. If zmcertmgr deploycrt is failing for you and you’re relatively confident your certs are okay here’s how I fixed it. It’s unconventional but it works. I am open to correction if someone has a more conventional fix for this..
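Before bypassing the check, it is worth seeing what openssl is actually complaining about, since zmcertmgr is running the same `openssl verify -purpose sslserver -CAfile` command shown in the edited script. The helpers below are an added example (my code, not the post’s or Zimbra’s); they assume openssl is in PATH and use the file names from the post. They split the CA bundle so each certificate’s subject and issuer can be read off, and run the same verify command by hand; a chain is valid when each issuer is the subject of the next certificate, and the usual cause of “unable to get local issuer certificate” is a bundle missing that next certificate rather than a bad server cert.

```sh
#!/bin/sh
# Added example, not from the original post or from Zimbra: read and verify
# a certificate chain before editing zmcertmgr. Assumes openssl in PATH and
# the file names used in the post (commercial.crt, commercial_ca.crt).

# Count the PEM certificates in a file; a CA bundle normally holds at least
# one intermediate, often two, and sometimes the root.
pem_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into $2/1.pem, $2/2.pem, ... one certificate per file.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n > 0 { print > (dir "/" n ".pem") }
    ' "$1"
}

# Print subject and issuer of every certificate in a bundle. In a valid chain
# each issuer is the subject of the next certificate, ending at a CA that
# openssl already trusts or that is itself in the bundle.
chain_listing() {
    dir=$(mktemp -d) || return 1
    split_bundle "$1" "$dir"
    for f in "$dir"/*.pem; do
        echo "== $f"
        openssl x509 -in "$f" -noout -subject -issuer
    done
    rm -rf "$dir"
}

# The same check zmcertmgr performs ($1 = server cert, $2 = CA bundle).
# "unable to get local issuer certificate" means the bundle lacks the cert
# that signed $1 (or the intermediate's own issuer): fix the bundle, not the check.
verify_chain() {
    openssl verify -purpose sslserver -CAfile "$2" "$1"
}

# Constructed stand-in bundle: PEM markers with placeholder bodies, enough to
# exercise the counting and splitting helpers without openssl or real certs.
sample_bundle() {
    f=$(mktemp) || return 1
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' \
        '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ROOT' '-----END CERTIFICATE-----' > "$f"
    echo "$f"
}
```

Run `chain_listing commercial_ca.crt` and `verify_chain commercial.crt commercial_ca.crt` in /var/tmp; if the listing shows an issuer that appears nowhere as a subject, that is the certificate to add to commercial_ca.crt, after which the unmodified zmcertmgr should pass.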

cd to /opt/zimbra/bin, copy zmshutil and zmcertmgr to /var/tmp and edit zmcertmgr in /var/tmp. Comment out the lines as below and add two lines also as below:


# cd /opt/zimbra/bin
# cp zmshutil /var/tmp/zmshutil
# cp zmcertmgr /var/tmp/zmcertmgr
# vi /var/tmp/zmcertmgr
    #  result=`${openssl} verify -purpose sslserver -CAfile $ca_crt $crt`
    #  if [ x"${result}" = x"${crt}: OK" ]; then
    #   echo "Valid Certificate: $result"
    echo "(artificially) Valid Certificate: $result"
    #  else
    #    echo "${ERROR_PREFIX} Invalid Certificate: $result"
    #    exit 1
    #  fi

    #  result=`${openssl} verify -purpose sslserver -CAfile $cafile $crt`

    #  if [ x"${result}" = x"${crt}: OK" ]; then
    #      echo "Valid Certificate Chain: $result"
    echo "(artificially) Valid Certificate Chain: $result"
    #  else
    #    echo "${ERROR_PREFIX} Invalid Certificate Chain: $result"
    #    exit 1
    #  fi

Once you’ve saved the modified version of zmcertmgr, run it from /var/tmp to deploy the certificates:


# cd /var/tmp
# ./zmcertmgr deploycrt comm ./commercial.crt commercial_ca.crt
** Verifying ./commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (./commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
(artificially) Valid Certificate:
** Copying ./commercial.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain commercial_ca.crt to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Saving server config key zimbraSSLCertificate...done.
** Saving server config key zimbraSSLPrivateKey...done.
** Installing mta certificate and key...done.
** Installing slapd certificate and key...done.
** Installing proxy certificate and key...done.
** Installing CA to /opt/zimbra/conf/ca...done.

Now your certificates are installed. You need to restart Zimbra for them to take effect:


# su - zimbra -c "zmcontrol stop && zmcontrol start"

You’ll need to repeat the above for each of your servers if you have a multi-server environment: stores, mtas, ldap, etc.

If you have a relatively recent version of openssl you can test that your certificate is working by testing tls on your mta(s):


$ openssl s_client -starttls smtp -connect mta.domain.edu:25

August 22, 2009

RSI update March-August

Filed under: repetitive strain injury (RSI) — morgan @ 2:10

Let me start with a time line to set up the history:

I was nearly pain free until the end of March.
3/25: Went to a 3 day conference and typed for 3-4 hours with my laptop in my lap. I was not in pain at the time.

4/1-30: I was in pretty constant (4-5/10) pain for most of April. I had only been doing nerve glides 1-2 a day so I increased frequency to 4-5 times a day. By May 1 I was nearly pain free again.

5/1-10: B and I went on vacation, near the end of which we spent a few days riding a motorcycle all day. Pain stayed minimal.

5/17: I rode my dirt bike for the first time in quite a while. The pain returned at 4-5/10 at the end of May.

My six month follow-up visit with the hand surgeon was approaching and I was starting to worry so I made an appointment with the physical therapist. She and I put together the time line above, she pointed out that nerve pain is often delayed: something you do Sunday may not cause pain until Wednesday. She also felt strongly that motorcycling was contributing to my increase in pain even though there was not a direct relationship. I left that day discouraged. I continued nerve glides 4-5 times a day.

Pain decreased little by little over a period of weeks. I did not ride motorcycles less, I did continue to type with correct posture but still typed full time.

I finally had my follow-up EMG at the end of July. The results show very close to normal in my left elbow and within normal level in my right. The surgeon released me!

Though the pain is reduced I am still in pain about half the time. The pain varies from 1-3/10 with a periodic 4/10 but it’s minimal. I asked the surgeon about the pain and she described it as the nerve is still irritated but no longer damaged.

The bottom line is that nerve glides and behavior modification work. I can’t thank my therapist at the Hand Center here in Philadelphia enough for correcting my bad habits and ultimately showing me how to correct this without surgery.

I ride motorcycles as much as or more than ever. I type on a computer 10-15 hours a day 5-6 days a week. I am by all measures healing and able to do my work and my hobby.

It may help others at an earlier stage of recovery from Cubital Tunnel Syndrome to know what I believe was the cause(s) and how I corrected each. I am not a doctor or therapist so this is my experience only.

Sleeping with my arms bent: I have always slept with my arms bent either under my head or under my torso. I have consciously taught myself to sleep with my arms straight. It took a few months until I could consistently sleep without waking up with my arm bent. Here’s what works best for me now: pile two pillows, rest your head in one direction and put the arm behind your head under the pillows straight up. Put the other arm in front of your face over the pillow straight up. You need to slide down so your feet are hanging off the end of the bed. It may sound odd but it works very well and is the one position I can sleep in comfortably every time.

Poor posture at the keyboard: your knees, hips and elbows should all be 90 degrees. Your elbows should be at your side. Put the keyboard at a height that you can type on it without hunching your shoulders: this means either a keyboard tray or just a low table. Arch your lower back and get your head over your torso. Your chair should provide some back support and be the correct height such that your feet rest on the floor with your knees bent 90 degrees.

Raise the monitor/laptop. I use a Rain designs stand on my Mac. I have an iFold for travel. Both are a little low but get the screen up so I’m not looking way down when in the right posture. This reduces your tendency to want to hunch to get your eyes lined up to the screen.

Split keyboard: this makes a surprising difference. It should be essentially two pieces and allow adjustment. Hold your arms in the position described above and put your hands over the keyboards but keep your wrists straight. Your keyboards should line up such that you don’t have to angle your wrists. I have 2 Kinesis Freestyles and just bought a Goldtouch Go! I can type all day on either the Goldtouch or the Kinesis. Just a few minutes typing on a standard keyboard is painful..

Do your nerve glides! No one does physical therapy generally.. but seriously nerves respond to these exercises. I noticed a huge difference when I first started doing them and when I forget my arms hurt.. I’m still doing them 4-5 times a day. If you use a Mac install this: http://www.dejal.com/timeout. It reminds me to stop every hour.

Get a rest for your mouse. I use a Goldtouch gel pad with a 1/4″ piece of high density foam stuck underneath it. This allows me to rest the base of my hand while I mouse and thus not bend my wrist. It’s little but it makes a huge difference. I use a regular mouse otherwise: usually a cheap corded mouse or an inexpensive wireless mouse.
