Deploying IPsec in small LAN in 3 easy steps

I think about installing IPsec on computers in my home LAN for some time. There are many configurations possible: tunnel mode, transport mode, peer-to-peer solution or star topology with single VPN hub. Also there are different IPsec implementations. KAME for *BSD, Openswan, strongSwan and Linux 2.6 PF_KEY implementation (which can be used with setkey and racoon or with OpenBSD’s isakmpd). Choosing one is not easy, but for me the simplest method was best. I choose Linux 2.6 PF_KEY with ipsec-tools and racoon for dynamic key exchange (now part of ipsec-tools). Its simple, easy to implement and… configuration files without any modification (except file paths) can be used also in FreeBSD (tested with 6.3-RELEASE).

Continue reading “Deploying IPsec in small LAN in 3 easy steps”

Monitoring mailbox in Maildir format with bash and pam_mail

After switch to Maildir format mailbox my bash stopped monitoring new mail. To bring this functionality back I need to set location of my new mailbox:

export MAIL=~/Maildir

And after $MAILCHECK seconds I got You have new mail in /home/kb/Maildir.

To set $MAIL for all login shells and for all user I use pam_mail. To enable checking ~/Maildir for new mail use:

session    optional standard dir=~/Maildir

Probably modification in /etc/pam.d/login and /etc/pam.d/sshd are sufficient.

Adding S3TC Support to Mesa/DRI in Debian

S3TC (sometimes called DXTn or DXTC) is a proprietary image compression algorithm. This was patented (US Patent 5,956,431) and thus Mesa cannot use it directly nor external library can enter Debian archive. If you want to have libtxc-dxtn installed you have to do it yourself.

Continue reading “Adding S3TC Support to Mesa/DRI in Debian”

ZSNES + AMD64 + Debian + OpenGL = troubles?!

ZSNES is a GPL licensed emulator of the Super Famicom and Super Nintendo Entertainment System (SNES) video game systems. Large part of ZSNES is written in assembly. Fortunately it works under GNU/Linux. Debian has a zsnes package, but unfortunately only for i386. Binary package is not available for AMD64. So? Lets build one!

Continue reading “ZSNES + AMD64 + Debian + OpenGL = troubles?!”

Limiting access to ptrace() call in Linux

Ability to trace and debug software on servers is not needed for most users. Giving them right to trace processes may leak information and if ptrace() is vulnerable lead to more problems.

Sptrace is a secure ptrace() Linux Kernel Module (LKM). It limits users’ access to the ptrace() call. It can disable strace (and ltrace) altogether, or if you add a ptrace group to your system, only users in that group will be able to use ptrace() call.

Continue reading “Limiting access to ptrace() call in Linux”

ESE Key Daemon

ESE Key Daemon is a multimedia keyboard driver for Linux. With the 2.6 kernel series it can also handle remote controls, as they are presented as keyboards. No kernel patch is required. It is a userspace program that pools /dev/input/event? interfaces for incoming keyboard key presses. Package also includes Funkey daemon for 2.4.

Continue reading “ESE Key Daemon”

How to restrict Internet access to known IP/MAC on OpenWRT?

I decided to restrict Internet access from my LAN to known IP/MAC pairs only. Primary to block Internet access from my PS3, virtual machines and computers that do not need it. Simplest way to achieve this on Linux: filter packet coming from LAN interface in FORWARD chain.

On OpenWRT custom firewall rules can be defined in /etc/firewall.user. Before creating rules we need some method to create and (easily) maintain IP/MAC pairs. I decided t use /etc/ethers and /etc/hosts that already contains MACs, hostnames nad IPs (used by dnsmasq).

Continue reading “How to restrict Internet access to known IP/MAC on OpenWRT?”