Well. Today I relived my college days as a student taking Math 110 (Business Calculus). I felt like I understood…so much that I thought I got a 90% or above on the exam…then reality would set in and I would get a 47%. Welcome to 2004, Networking/DNS now replaces Math 110…and I am stuck on trying to understand subnets. All day long trying to figure all this out…but I have to say, I stumbled upon a great resource, and the reason for my posting: Learntosubnet.com. I hope others can benefit from this great resource like I did. I look forward to getting the last bit of the equation so I fully understand these crazy things called subnets. Until then, I am burnt out.
Sometimes the GUI is awesome. Sometimes you just need more control over your conf files than the GUI offers. I wanted more specific firewall rules for my computers and servers running Mac OS X Client than the default built-in firewall configuration in OS X 10.3 provides.
First, let’s look at all the files involved with Apple’s default firewall.
- System Preferences: Sharing: Firewall tab. If you want the security of a basic firewall, you can simply “start” the firewall. Using this option, Mac OS X will look at what services you have enabled (ex. Personal File Sharing, FTP, Remote Login, etc.) and automatically allow traffic to the default ports those services need, while blocking everything else. At home on my iBook, I use the Mac OS X GUI to control my firewall rules because I do not need anything special.
- /Library/Preferences/com.apple.sharing.firewall.plist. This is a basic plist file written in XML. There is not too much to do in this file, and there is not much editing capability to it either.
So, now you know the players in the default firewall configuration, but you want to take advantage of ipfw. Personally, I did not want to use another GUI such as BrickHouse because I have turned the corner and want to learn more about UNIX than about GUIs. Working with UNIX, you always have the command line, but you do not always have a GUI.
First things first: browse through the ipfw man pages (man ipfw). The man pages will help you as you are adding/deleting/customizing your firewall rules.
- Stop the default Mac OS X firewall in the System Preferences. You will no longer use the GUI. You will now use some basic ipfw commands for adding/deleting rules.
- Create a directory for your StartupItems: /Library/StartupItems/ipfw. You need to create a directory in /Library/StartupItems for your startup script and StartupParameters.plist file (sudo mkdir /Library/StartupItems/ipfw). More about StartupItems.
- Create a StartupParameters.plist file for ipfw. To create the file: sudo pico /Library/StartupItems/ipfw/StartupParameters.plist. The file should contain: StartupParameters.plist. Make sure this file has the proper permissions: chmod 644 /Library/StartupItems/ipfw/StartupParameters.plist. More about StartupParameters.
- The ipfw startup script. To create the startup script: sudo pico /Library/StartupItems/ipfw/ipfw. The script is: ipfw. You need to create a script to start your service at startup. Make sure this file has the proper permissions: sudo chmod 755 /Library/StartupItems/ipfw/ipfw. And of course, from reading the man pages, you realize that the order of the rules matters.
- Create the ipfw.conf file for all your ipfw rules. I like standards. I did some research on how BSD UNIXes set up and use ipfw in a default install. I then followed that example to create an ipfw.conf file in /etc (sudo pico /etc/ipfw.conf).
- Re-read the man pages, so you do not lock yourself out of your computer when adding rules.
- Add rules to ipfw.conf. You can finally specify custom rules for your firewall (Official Port List). Here is my basic configuration (sudo pico /etc/ipfw.conf): ipfw.conf
These rules are based on my needs. You can add more rules either by using sudo ipfw add/delete (see the man pages for proper syntax) or by editing your ipfw.conf directly. There are a lot of options that I do not even begin to cover, so if you really need an “industrial strength” firewall for your computer…and do not want to use hardware, really examine the man pages and other on-line resources.
- Reboot your computer. When you reboot, your rules should be in place. To see if your rules are in place, at your prompt: sudo ipfw list, and hopefully the list of rules you defined shows up! If not: look at your system.log (it is very useful), go back to the man pages, or email me.
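The steps above leave the actual file contents to links. What follows is an added example of the three pieces working together, written for this page and not the author's own script, plist or ipfw.conf: a StartupItem-style loader, a constructed sample rule set in the one-rule-per-line format that "ipfw <file>" reads, and a lint function that refuses to load a rule file whose numbers are out of order, that lacks a loopback allow, or that does not end in an explicit deny-all. The ipfw path, rule numbers, the ports opened and the sample rules are all illustrative assumptions.

```shell
#!/bin/sh
# Added example, not the author's files. A StartupItem-style loader for
# /etc/ipfw.conf with a pre-flight lint, so a rule file that is out of
# order or missing its safety rules is rejected before ipfw ever sees it.
# Paths, rule numbers and the sample rules below are illustrative choices.

IPFW="${IPFW:-/sbin/ipfw}"                 # assumed location of ipfw
IPFW_CONF="${IPFW_CONF:-/etc/ipfw.conf}"

# Constructed sample rule set in the format "ipfw <file>" reads: one rule
# per line, without the leading "ipfw". Rules are matched in ascending
# number order, so the loopback and stateful allows come before the final
# deny-everything rule.
write_sample_conf() {
    cat > "$1" <<'EOF'
# loopback: allow lo0, refuse spoofed 127/8 on real interfaces
add 100 allow ip from any to any via lo0
add 200 deny ip from any to 127.0.0.0/8
add 300 deny ip from 127.0.0.0/8 to any
# stateful: replies to our own outbound connections are let back in
add 1000 check-state
add 1200 allow tcp from any to any out keep-state
add 1300 allow udp from any to any out keep-state
# inbound services this host actually offers (ssh, http): assumed set
add 2000 allow tcp from any to any 22 in setup
add 2100 allow tcp from any to any 80 in setup
# echo reply/request, unreachable, time exceeded: ping and traceroute work
add 2200 allow icmp from any to any icmptypes 0,3,8,11
# everything else is dropped and logged (shows up in system.log)
add 65000 deny log ip from any to any
EOF
}

# Lint a rule file. Returns 0 when it is safe to load, 1 with a message
# otherwise. Checks: every rule is "add <n> ...", numbers strictly ascend
# (order matters), a loopback allow exists, and the last rule is an
# explicit deny of ip from any to any.
lint_ipfw_conf() {
    conf="$1"; last=0; seen_lo0=0; lastrule=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line
        if [ "$1" != "add" ]; then
            echo "lint: not an add rule: $line" >&2; return 1
        fi
        case "$2" in ''|*[!0-9]*|0*)
            echo "lint: bad rule number: $line" >&2; return 1 ;;
        esac
        if [ "$2" -le "$last" ]; then
            echo "lint: rule $2 is not above $last (order matters)" >&2
            return 1
        fi
        last=$2
        case "$line" in *" allow "*" via lo0"*) seen_lo0=1 ;; esac
        lastrule=$line
    done < "$conf"
    if [ "$seen_lo0" -eq 0 ]; then
        echo "lint: no loopback allow rule" >&2; return 1
    fi
    case "$lastrule" in
        "add "*" deny "*"ip from any to any") ;;
        *) echo "lint: last rule must deny ip from any to any" >&2; return 1 ;;
    esac
    return 0
}

# Flush the old rules and load the file, but only if it passes lint. This
# turns the "re-read the man pages so you do not lock yourself out" step
# into a mechanical check.
load_rules() {
    lint_ipfw_conf "$1" || return 1
    "$IPFW" -q -f flush
    "$IPFW" -q "$1"
}

# StartupItem entry points. A real /Library/StartupItems/ipfw/ipfw sources
# /etc/rc.common and hands these to RunService; the case below stands in
# for that so the script also works when run by hand with start/stop.
StartService()   { load_rules "$IPFW_CONF"; }
StopService()    { "$IPFW" -q -f flush; }
RestartService() { StartService; }

case "${1:-}" in
    start)   StartService ;;
    stop)    StopService ;;
    restart) RestartService ;;
esac
```

Run the lint against a candidate file before rebooting; a descending rule number or a missing final deny is the kind of mistake that otherwise only shows up as "sudo ipfw list" printing something other than what you meant. StopService flushes to an empty table, which on ipfw means the built-in default rule 65535 decides; check what that default is on your build before relying on stop as a safe state.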
Sites that helped/frustrated me:
Well, I am halfway through my UNIX filesystem training and I wanted to share some useful commands I have learned along the way:
- grep -i = grep ignoring case
- grep -v name = grep ignoring all lines with “name” in them
- grep word * = grep in the current directory for all lines with “word” in them
- pwd = command to tell you what directory you are in
- cat = will display files quickly (like pico, but read only)
- hitting “q” while viewing a man page or other text will take you back to a prompt
- less = reads a file (less is used to show man pages by default); you can use the arrow keys to scroll through the document
- which = finds a command's path
- locate = finds a filename in the filename database (the database is updated with the command updatedb)
- find = finds file names, but actually looks through the filesystem (more resource intensive)
- tar xzvf file.tar.gz = will decompress and expand the archive
I will be adding more as I go through the rest of my training, but so far I am very happy with my training through O’Reilly and the University of Illinois.
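As an added example (not from the post), here are grep -i and grep -v from the list above applied to the job they most often get on a server: pulling failed logins out of a log and discarding the lines you already trust. The log excerpt is constructed for this example, the host name and addresses are placeholders, and sed, sort, uniq and wc are used alongside the commands on the list.

```shell
#!/bin/sh
# Added example, not from the post: the cheat-sheet commands applied to a
# constructed log excerpt, the way you would triage failed logins by hand.
# The log lines are made up; host name and addresses are placeholders.

make_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 08:01:12 host sshd[812]: Accepted publickey for alice from 192.0.2.10 port 52110 ssh2
Jan 10 08:02:40 host sshd[815]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 10 08:02:41 host sshd[815]: FAILED password for root from 198.51.100.7 port 40123 ssh2
Jan 10 08:03:02 host sshd[820]: failed password for invalid user admin from 203.0.113.9 port 1023 ssh2
Jan 10 08:03:30 host sshd[822]: Accepted password for bob from 192.0.2.11 port 50001 ssh2
Jan 10 08:04:00 host sshd[825]: Failed password for bob from 192.0.2.11 port 50002 ssh2
Jan 10 08:05:00 host cron[900]: (root) CMD (run-parts /etc/daily)
EOF
}

# grep -i: match "failed password" in any case (the log mixes
# Failed/FAILED/failed); -c prints the number of matching lines.
count_failed() { grep -ic 'failed password' "$1"; }

# grep -v: drop lines from the trusted LAN (192.0.2.0/24 here, an assumed
# range) so only failures from outside are counted.
count_failed_external() {
    grep -i 'failed password' "$1" | grep -v 'from 192\.0\.2\.' | wc -l | tr -d ' '
}

# Source addresses of the remaining failures, most frequent first. sed pulls
# out the "from <addr>" field, sort | uniq -c tallies it, sort -rn ranks it,
# and the final sed strips the leading spaces uniq -c pads with.
failed_sources() {
    grep -i 'failed password' "$1" | grep -v 'from 192\.0\.2\.' \
      | sed 's/.* from \([^ ]*\) .*/\1/' | sort | uniq -c | sort -rn \
      | sed 's/^ *//'
}
```

On the sample log, count_failed reports 4, count_failed_external reports 3, and failed_sources puts 198.51.100.7 first with a count of 2. The same pipeline works on /var/log/system.log once you swap in your own trusted range.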
Spam. We are all sick of it. Contact information…if you have a web site it is most likely you will need to post your contact information (email address) somewhere. To stop robots from spidering your email address, I would suggest encoding it. Yeah, if you notice my email address is not always encoded on my personal sites, but all email addresses on any non password protected page on my professional sites are always encoded, using the Email Address Encoder on a web site I found years back. So if you are tired of spam and you want to do something about it, check it out.
If there is one application Apple has released in the last few years that I should be using more, it is iCal. There are lots of little tricks and cool stuff you can do with iCal…like my favorite:
In a terminal window type: cat /usr/share/calendar/calendar.history | grep McDonald and look at the goodies. Yes, I was a big fan of hunting for Easter Eggs as the new versions of pre-OS X came out. Now I am too busy. (Sad)
Anyway, for cool tricks and some good tips, general calendars, and iCal support, check out: http://www.icalworld.com/.
If you ever need to serve a web site for, let’s say a presentation, on a local address and need to connect to another computer…perhaps your database/ Web Objects server locally as well, and you are running Mac OS X…then I have some information for you.
- If you want to serve the web site on 10.0.0.2 and have your other server on 10.0.0.3, open the terminal and type in: sudo ifconfig en0 10.0.0.2. This will change the IP address. (changing the IP address in the network control panel was not enough)
- Next, edit the apache conf file: sudo pico /etc/httpd/httpd.conf and add Listen 10.0.0.2:80, and then restart apache.
Now you can serve 10.0.0.2 on your local machine and connect to a computer on your local network. (connected by an ethernet cable)
Ever since I started monitoring what search engine robots indexed on my web sites, I have also been using Google Alert. Google sends me reports (html email or plain text, your choice) of any web site that has been indexed with keywords that you specify. Not only can you make sure Google is following the rules set up in your robots.txt document, but you can also see what other web sites are being picked up by certain keywords that you use to attract users. Google Alert is free and very useful and I would recommend using it if you want to monitor your web presence as well as your competitor’s.
Well, I have been fishing for the last few days, which I enjoy…but I do not enjoy the fishy smelling hands that I have after I get home. After 2 days of no solution…my not so in-law brother in law told me he finally figured out how to kill the smell: sun tan lotion. I had washed my hands 3 times at this point with no luck, so I tried it and it works great! No more fishy smell. Of course wash your hands first…but when the soap does not kill the smell, put some sun tan lotion on them and enjoy clean smelling hands.
I often perform the same tasks over and over and yet forget some little thing. This post is a reminder for me.
General Apple hints.
- What to do when you get the “Do not enter sign”. (besides wonder how to describe it while searching for a solution)
- Starting up in target disk mode: hold down “t”
- Starting up in single user mode: hold down Apple +”s”
- How to set up open firmware password protection
- Command to check for user preference errors: sudo plutil -s ~/Library/Preferences/*.plist
Mac OS X Server hints, aka Industrial Strength hints.
- Don’t change Mac OS X Server’s IP 😉
- When installing SSL certs on OS X Server (at least in 10.3 and below), if you change the cert file location from anything but the default, you will also need to change it in all your sites or Mac OS X Server will not be able to restart apache.
- Apple: “Well Known” TCP and UDP Ports Used By Apple Software Products
- Server Monitor not working after a clone? Make sure it is by adding: hwmond:respawn:/usr/sbin/hwmond # Hardware Monitor daemon to /etc/watchdog.conf
Tutorials and general resources.
- That web site I am always trying to remember, but never bookmark: http://www.entropy.ch/home/welcome.php
- Web site that tests your mail server for open relay
- Awesome web tutorial web site
- All kinds of great tutorials
- Great web developer’s resource
Web development hints.