Belated realization
This blog turned four on Monday. So… happy birthday, dear blog, and to the next four years.
I recently spent half an afternoon translating the firewall rules of a server from a hand-knitted maintenance script into a better structured ferm script. “What is this ferm?” you might ask, and indeed I have never mentioned this tiny little tool so far, although it has helped me write firewall rulesets ever since I discovered it some months ago thanks to bzed. I think it's about time to change that.
So first of all, a definition, and I think I'll just quote the website here, as IMHO it already expresses perfectly well what ferm is all about:
ferm is a tool to maintain complex firewalls, without having the trouble to rewrite the complex rules over and over again. ferm allows the entire firewall rule set to be stored in a separate file, and to be loaded with one command. The firewall configuration resembles a structured programming-like language, which can contain levels and lists.
So basically, what ferm does is provide you with a DSL for defining iptables rules. The features of that small language include variables (e.g. for IPs), lists (e.g. for a set of IPs, subnets, interfaces or ports), the ability to define functions (e.g. to forward ports) and to nest definitions.
A small example of what ferm can do? Take this (totally senseless) script:
@def $SOME_IP = 192.168.23.42;
@def &TCP_TUNNEL($port, $dest) = {
    table filter chain FORWARD interface ppp0 proto tcp dport $port daddr $dest outerface eth0 ACCEPT;
    table nat chain PREROUTING interface ppp0 proto tcp dport $port daddr 1.2.3.4 DNAT to $dest;
}
&TCP_TUNNEL(http, 192.168.23.33);
&TCP_TUNNEL(ftp, 192.168.23.30);
&TCP_TUNNEL((ssh smtp), $SOME_IP);
domain (ip ip6) chain INPUT {
    proto tcp {
        ACCEPT dport (ssh http ftp);
        ACCEPT dport 1024:65535 ! syn;
        jump MYCHAIN proto tcp saddr $SOME_IP {
            daddr google.com dport 80;
            dport 23;
        }
        DROP;
    }
}
chain MYCHAIN {
    RETURN;
}
Once you get used to the syntax (which is explained in great detail in the manual/manpage and is IMHO quite intuitive), it gets easy and fast both to write and to understand such scripts. The translated iptables output, on the other hand…
/sbin/iptables -t nat -P PREROUTING ACCEPT
/sbin/iptables -t nat -F
/sbin/iptables -t nat -X
/sbin/iptables -t filter -P FORWARD ACCEPT
/sbin/iptables -t filter -P INPUT ACCEPT
/sbin/iptables -t filter -F
/sbin/iptables -t filter -X
/sbin/iptables -t filter -A FORWARD -d 192.168.23.33 -i ppp0 -o eth0 -p tcp -m tcp --dport http -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 1.2.3.4 -i ppp0 -p tcp -m tcp --dport http -j DNAT --to-destination 192.168.23.33
/sbin/iptables -t filter -A FORWARD -d 192.168.23.30 -i ppp0 -o eth0 -p tcp -m tcp --dport ftp -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 1.2.3.4 -i ppp0 -p tcp -m tcp --dport ftp -j DNAT --to-destination 192.168.23.30
/sbin/iptables -t filter -A FORWARD -d 192.168.23.42 -i ppp0 -o eth0 -p tcp -m tcp --dport ssh -j ACCEPT
/sbin/iptables -t filter -A FORWARD -d 192.168.23.42 -i ppp0 -o eth0 -p tcp -m tcp --dport smtp -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -d 1.2.3.4 -i ppp0 -p tcp -m tcp --dport ssh -j DNAT --to-destination 192.168.23.42
/sbin/iptables -t nat -A PREROUTING -d 1.2.3.4 -i ppp0 -p tcp -m tcp --dport smtp -j DNAT --to-destination 192.168.23.42
/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport http -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
/sbin/iptables -t filter -A INPUT -p tcp -m tcp ! --syn --dport 1024:65535 -j ACCEPT
/sbin/iptables -t filter -N MYCHAIN
/sbin/iptables -t filter -A INPUT -s 192.168.23.42 -d google.com -p tcp -m tcp --dport 80 -j MYCHAIN
/sbin/iptables -t filter -A INPUT -s 192.168.23.42 -p tcp -m tcp --dport 23 -j MYCHAIN
/sbin/iptables -t filter -A INPUT -p tcp -j DROP
/sbin/iptables -t filter -A MYCHAIN -j RETURN
/sbin/ip6tables -t filter -P INPUT ACCEPT
/sbin/ip6tables -t filter -F
/sbin/ip6tables -t filter -X
/sbin/ip6tables -t filter -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
/sbin/ip6tables -t filter -A INPUT -p tcp -m tcp --dport http -j ACCEPT
/sbin/ip6tables -t filter -A INPUT -p tcp -m tcp --dport ftp -j ACCEPT
/sbin/ip6tables -t filter -A INPUT -p tcp -m tcp ! --syn --dport 1024:65535 -j ACCEPT
/sbin/ip6tables -t filter -N MYCHAIN
/sbin/ip6tables -t filter -A INPUT -s 192.168.23.42 -d google.com -p tcp -m tcp --dport 80 -j MYCHAIN
/sbin/ip6tables -t filter -A INPUT -s 192.168.23.42 -p tcp -m tcp --dport 23 -j MYCHAIN
/sbin/ip6tables -t filter -A INPUT -p tcp -j DROP
Repetitive, kinda cryptic, and it's difficult to spot the important parts. I don't know about you, but I'd prefer ferm.
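One thing worth noticing in the generated output above: the INPUT policy stays at ACCEPT (`-P INPUT ACCEPT` in both domains) and the trailing DROP only covers TCP, so UDP and ICMP pass untouched. That is fine for a syntax demo, but not for a real host. As an added example (not from the original post), here is how the same ferm constructs, variables, lists, nesting and the `(ip ip6)` domain list, express a default-deny, stateful INPUT chain; the `$ADMIN_NET` and `$PUBLIC_TCP` values are made up.

```ferm
# Added example, not part of the original post; network values are constructed.
@def $ADMIN_NET  = 192.168.23.0/24;   # the only source allowed to reach ssh (IPv4)
@def $PUBLIC_TCP = (http https);      # services open to everyone

domain (ip ip6) table filter {
    chain INPUT {
        policy DROP;                                    # default deny instead of ACCEPT

        mod state state INVALID DROP;                   # malformed/untracked packets first
        mod state state (ESTABLISHED RELATED) ACCEPT;   # replies to our own connections
        interface lo ACCEPT;                            # loopback must stay open

        # ping/neighbour discovery; works for both domains, as in the Debian default ferm.conf
        proto icmp ACCEPT;

        # one line per list entry is generated, exactly like the (ssh http ftp) list above
        proto tcp dport $PUBLIC_TCP ACCEPT;
    }
    chain FORWARD policy DROP;    # this box does not route unless told so explicitly
    chain OUTPUT  policy ACCEPT;
}

# IPv4 only: an IPv4 saddr inside the ip6 domain would make ip6tables fail.
domain ip table filter chain INPUT {
    proto tcp dport ssh saddr $ADMIN_NET ACCEPT;
}

# Appended last so that it only sees what every ACCEPT rule above has passed over;
# rate-limited so a flood cannot fill the log. Whatever falls through hits policy DROP.
domain (ip ip6) table filter chain INPUT {
    mod limit limit 5/minute limit-burst 20
        LOG log-prefix "ferm-INPUT-drop: " log-level warning;
}
```

Run `ferm --noexec --lines /etc/ferm/ferm.conf` to see the iptables/ip6tables commands this expands to before loading anything.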
For more examples of ferm scripts, you might want to take a look at this or that.
As previously announced, this weekend marked the first ever DokuWiki meetup at this year's FrOSCon. I arrived in Siegburg/Bonn on Friday at around 19:30 and – after checking in at my hotel, which I btw definitely recommend – spent the evening eating and chit-chatting in a nice pizzeria with Andreas Gohr, Michael Klier and Guy Brand.
Saturday and Sunday were both mostly dedicated to coding and discussing DokuWiki, and thanks to this I actually did not attend any talks at all, although the keynotes by Andrew Tanenbaum and Rasmus Lerdorf as well as a talk about documentation were on my list. Given how awesome it was to meet all those nice people for the first time ever in real life and how much fun we had, I don't regret this a bit though.
Even the two guys from TWiki who paid us a visit on Saturday seemed to feel comfortable.
Sadly, I had to leave at around 15:50 on Sunday to catch my train in Siegburg (which then actually was cancelled thanks to some problem with its engine, which in turn had me spending an hour or so sitting on the floor in the substitute train – did I mention that I simply love the Deutsche Bahn?). Even though I'm awfully tired and will prolly have to survive this week in that state, I thoroughly enjoyed the weekend, and I really hope there will be a next time for all that grouphugging and productivity boost, even if there are no DokuWiki stickers or a drink-of-your-choice flatrate at some social event.
May I present thee my first car?
It's a Nissan Almera N16 Hatchback, manufactured in 2000 (which, btw, will celebrate its eighth birthday tomorrow, as I just realized), and it's mine.
I just drove it for the first time from Friedberg (where I bought it) to Darmstadt – that was my first long-distance drive since I got my license back in September, and I was bloody nervous, but thankfully calmed down after I discovered that I can still drive.
Grocery shopping and getting to places in general just got a whole lot easier.
A while ago, we upgraded all 50 backup tapes in the tape library at work from LTO-2 to LTO-3. This of course meant unpacking, inserting and labeling those tapes, both physically and electronically. While the physical labeling could not be automated, I finally sat down to at least make the electronic labeling using amanda's amlabel a little bit less unworthy of a sysadmin.
The result was a small Python script capable of bulk-labeling a bunch of tapes based on a format string pattern of the label format, which at least works perfectly fine in our environment – YMMV.
I decided to post it here nevertheless, as it might be of help for somebody out there besides us. Some basic usage instructions, the code and a download link follow.