Faztek's unofficial Blog

My first blog is dedicated to Internet hosting software.

Saturday, April 26, 2008

Changing the XP firewall without logging in as Admin

Tips for Windows XP:
You can easily change your firewall settings, as normal user, without having to switch to the Administrator account.

Type the following command:
  • runas /USER:administrator wscntfy
You will be prompted for the administrator password, so type it.
You will then notice a small icon in the tray. Right-click this icon and click the "Open Security Center" option (highlighted in yellow).
That's it.

Friday, March 21, 2008

Playing around with sparse files

This article is sparse. ;)
I am changing it all the time, because I am still learning how to work efficiently with sparse files.
Or... how they work at all.

Here's an example, using bash:
[root@fuji log]# echo $F
wtmp lastlog
[root@fuji log]# F="$F rpmpkgs"
[root@fuji log]# du -ak $F ; ls -ldh $F
232 wtmp
28 lastlog
12 rpmpkgs
-rw-r--r-- 1 root root 571k Mar 21 11:39 lastlog
-rw-r--r-- 1 root root 11k Mar 21 04:02 rpmpkgs
-rw-rw-r-- 1 root utmp 225k Mar 21 11:39 wtmp
'lastlog' is definitely a sparse file: it occupies just 28 KB on disk (as 'du' shows), but 'ls' reports its size as 571 KB.
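To reproduce the same du/ls discrepancy on a file you create yourself, here is an added example in plain sh (not from the original post). It builds a file that is almost entirely hole, reports its apparent and allocated sizes, and decides whether it is sparse. It assumes a filesystem that supports holes (ext3/ext4, xfs, tmpfs and most others) and the dd, du and wc utilities.

```sh
# Added example: create a sparse file and compare the size ls reports with the
# blocks du reports. Assumes a filesystem that supports holes.

# make_sparse FILE SIZE: create FILE with an apparent size of SIZE bytes by
# seeking to the last byte and writing only it; everything before it is a hole
# that is never allocated on disk.
make_sparse() {
    dd if=/dev/zero of="$1" bs=1 count=1 seek=$(( $2 - 1 )) 2>/dev/null
}

# apparent_size FILE: bytes as seen by ls -l and by any reader of the file
apparent_size() {
    wc -c < "$1" | tr -d ' '
}

# allocated_size FILE: bytes actually occupying disk blocks, as du counts them
allocated_size() {
    echo $(( $(du -k "$1" | cut -f1) * 1024 ))
}

# hole_bytes FILE: how much of the apparent size is not backed by storage
hole_bytes() {
    echo $(( $(apparent_size "$1") - $(allocated_size "$1") ))
}

# is_sparse FILE: succeeds when the file occupies fewer bytes than it appears to
is_sparse() {
    [ "$(allocated_size "$1")" -lt "$(apparent_size "$1")" ]
}

# report FILE: one-line summary in the spirit of the du/ls comparison above
report() {
    printf '%s: apparent %s bytes, allocated %s bytes, sparse: %s\n' \
        "$1" "$(apparent_size "$1")" "$(allocated_size "$1")" \
        "$(is_sparse "$1" && echo yes || echo no)"
}

# Usage: make_sparse /tmp/hole.bin $(( 4 * 1024 * 1024 )); report /tmp/hole.bin
```

Readers of the file see zeros where the holes are, which is why a naive copy (or a backup tool that does not detect holes) can turn a 28 KB file into a 571 KB one.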

Wednesday, December 19, 2007

Sourceforge is great, and complex

Sourceforge is a great, vast site.
For the end user it is appealing and easy to work with; for the packager, programmer or site maintainer it is most complex. In my opinion the worst aspect of maintainability is the way the "File Release" is organized: a release takes around 15 minutes, excluding the time for the files themselves to be uploaded...

Here's the snapshot of one of the steps to make the file release:

[henrique@fuji t]$ ftp upload.sourceforge.net
Connected to upload.sourceforge.net (66.35.250.221).
220-********************************************************************
220- SourceForge.net FTP server - San Jose (osdn.dl.sourceforge.net)
220- Mirrors, try 'rsync osdn.dl.sourceforge.net::'
220-
220- Got a fat pipe and something to prove? Host a SourceForge download
220- server! Email ftpadmin@sourceforge.net for opportunities.
220-
220- On This Site:
220- /incoming SourceForge.net Project File Upload
220- *********************************************************************
220-
220
Name (upload.sourceforge.net:henrique): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bin
200 Switching to Binary mode.
ftp> cd /incoming
250 Directory successfully changed.
ftp>
[followed by regular ftp commands]

You can surely use another ftp client, but this is just one of the steps!
Then you have to go along multiple pages and buttons, wait for the pages to update, writing / uploading the release notes.

The great advantage is the impressive uptime and bandwidth of Sourceforge servers.
As of today, there were 164,955 projects, and 1,751,725 users. It's really impressive.

On my own, I have two projects: libUnicode-Plus, for which the wiki and packaging take most of the work, and mp3query, which I have paused.

Saturday, December 01, 2007

Rotating logs, a script - especially useful for Freesco boxes

Logs in a Freesco-box are limited by default: /var/log (or actually var) is mounted on RAM.
Since my Freesco box is small, like most boxes running Freesco, and I have Exim on it, I needed to rotate the Exim logs; logrotate is too expensive a solution for these boxes.
Limited RAM space looks like this:
[Linux] df /
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ram0 2901 2005 896 69% /

Having logs on RAM improves speed, but if space runs out, Exim just dies.
Fortunately, since v0.3.2 there is an almost (*) automatic detection of a lost network connection. In that case the network is shut down and restarted, along with an rc_user stop and start; Freesco's rc scripts handle this as newip. I also stop and start Exim in such cases; it is not necessary, but since the network is down anyway, I take advantage of the restart to rotate the logs.
In my rc_user I call the script fbox_save_logs.sh between rc_exim stop and rc_exim start:
fbox_save_logs.sh is, so to speak, a poor relative of logrotate, but it does its job nicely on this small box.

Refer to:

(*)
It says "almost" because, due to a kernel bug, the network still hangs sporadically.
Try this script, if it suits your Freesco box:
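The post's fbox_save_logs.sh itself is not reproduced above. The following is an added example, not the author's script, of what such a "poor relative of logrotate" looks like in plain sh: it shifts numbered copies, keeps a bounded number of them so a RAM-backed /var/log cannot fill up, and rotates only when a log has grown past a threshold. It assumes only mv, wc, dd-free shell arithmetic and that the daemon is stopped while it runs (between rc_exim stop and rc_exim start). Log names and thresholds in the usage comment are illustrative.

```sh
# Added example (not the post's fbox_save_logs.sh): minimal log rotation in
# plain sh for a RAM-backed /var/log, using only mv, wc and the shell.
# Meant to run while the daemon is stopped, so no writer holds the old file.

# log_size_kb FILE: size in KB rounded up, 0 if the file does not exist
log_size_kb() {
    [ -f "$1" ] || { echo 0; return 0; }
    echo $(( ( $(wc -c < "$1" | tr -d ' ') + 1023 ) / 1024 ))
}

# rotate_log FILE [KEEP]: FILE -> FILE.1, FILE.1 -> FILE.2, ... keeping at most
# KEEP (default 3) old copies; the oldest copy is dropped. An empty FILE is
# recreated so the daemon finds its log when it restarts.
rotate_log() {
    log=$1; keep=${2:-3}
    [ -f "$log" ] || return 0
    [ "$keep" -ge 1 ] || keep=1
    i=$keep
    while [ "$i" -gt 1 ]; do
        prev=$(( i - 1 ))
        [ -f "$log.$prev" ] && mv -f "$log.$prev" "$log.$i"
        i=$prev
    done
    mv -f "$log" "$log.1"
    : > "$log"
}

# rotate_if_large FILE MAX_KB [KEEP]: rotate only when FILE exceeds MAX_KB, so
# a small RAM disk is not filled by a growing log; succeeds only if it rotated.
rotate_if_large() {
    [ "$(log_size_kb "$1")" -gt "$2" ] || return 1
    rotate_log "$1" "$3"
}

# free_kb MOUNTPOINT: available KB on the filesystem (column 4 of POSIX df)
free_kb() {
    df -kP "$1" | awk 'NR == 2 { print $4 }'
}

# Usage on a Freesco box, between rc_exim stop and rc_exim start
# (paths and limits are illustrative):
#   for f in /var/log/exim/mainlog /var/log/exim/rejectlog; do
#       rotate_if_large "$f" 256 2 || true
#   done
```

Because the current file is moved rather than copied and truncated, no log lines are lost between the move and the recreate; that is also why the daemon must be stopped (or told to reopen its logs) around the rotation.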

Sunday, November 18, 2007

Configure your email client for Gmail

Configuring your incoming email client for Gmail: fetchmail

Gmail offers POP3 over SSL (POP3S), which you can use.

1. Enable POP in your Gmail account.

2. Find out where X.509/“privacy-enhanced-mail (PEM)” certificates live on your system, e.g., in the /usr/share/ssl/certs/ directory. The “locate .pem” command may help you figure this out, or you can just create a new world-readable directory exclusively for this.

3. The Gmail POP3-over-SSL (pop3s) server presents a server certificate at every secure-socket-layer (SSL) connection establishment; we will want to be able to verify its authenticity.

(A new server certificate was rolled out by Gmail on 2005-12-13 when the old one expired on that same day with a few minutes of POP service unavailability.)

That server certificate is itself signed by a certificate authority (CA), Equifax Secure (now GeoTrust), using a self-signed root certificate having the “Equifax Secure Certificate Authority” organizational unit name (OU) and no common name (CN). You need to download, install in its own file, and index this root certificate.

sh# cd /usr/share/ssl/certs
sh# wget -O Equifax_Secure_Certificate_Authority.pem \
         https://www.geotrust.com/resources/root_certificates/certificates/Equifax_Secure_Certificate_Authority.cer
sh# chmod 644 Equifax_Secure_Certificate_Authority.pem
sh# openssl x509 -in Equifax_Secure_Certificate_Authority.pem \
                 -fingerprint -subject -issuer -serial -hash -noout
MD5 Fingerprint=67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
subject= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
issuer= /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
serial=35DEF4CF
594f1775
sh# c_rehash .
sh# file 594f1775.*
594f1775.0: symbolic link to `Equifax_Secure_Certificate_Authority.pem'

The c_rehash command is a Perl script that comes with the OpenSSL toolkit; it creates symbolic links to certificate files (with a “.pem” extension) using symlink names based on a hash of each certificate's whole subject name. Fetchmail uses the OpenSSL libraries and will only try to open the installed file by looking it up under the 594f1775.0 (or 594f1775.1 and so on) file name in the end.

The server certificate itself does not need to be stored anywhere.

4. The fetchmail client does not need to present a client certificate. Instead, client authentication is performed using the USER and PASS post-office-protocol version 3 (POP3) commands within the SSL connection, once it has been properly established.

5. Edit the appropriate .fetchmailrc file, depending on how you run fetchmail (i.e., as root or as a lesser-privileged local user). The contents of this file are documented by the fetchmail(1) man page, which can be consulted using the “man fetchmail” command. You will need an entry such as this one:

poll pop.gmail.com with proto POP3
    user 'eric.schmidt@gmail.com' there with password 'xxxxxxxx' is eric here
        options keep ssl sslfingerprint '59:51:61:89:CD:DD:B2:35:94:BB:44:97:A0:39:D5:B4'
            sslcertck sslcertpath /usr/share/ssl/certs

Add any other option according to your preferences. If other family members also have a Gmail account and this is root's .fetchmailrc file, you can add similar three-line user subsections under this same poll section; the last two lines will redundantly be identical for every Gmail account.

The specified password is that of the Gmail account, not the local user's password. Since this configuration file contains passwords, it must not be world-readable:

sh# chmod 600 $HOME/.fetchmailrc

The MD5 fingerprint is that of the “pop.gmail.com” server certificate delivered by the Gmail POP3-over-SSL server, not that of the “Equifax Secure Certificate Authority” root certificate.

Note that this will not be enough to perform certificate-revocation-list (CRL) verifications, which fetchmail/OpenSSL does not support; however, this shortcoming is somewhat mitigated by the MD5 fingerprint verification, at the price of a loss in unattended flexibility (should Gmail wish to change its server certificate for some unlikely reason).
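The two checks this section relies on, the hash-named CApath directory that c_rehash builds (step 3) and the fingerprint pin of the server certificate (sslfingerprint), can be exercised without touching Gmail. The block below is an added example, not part of the original help text: it rebuilds the hash links the way c_rehash does, verifies a certificate against that directory exactly as sslcertck/sslcertpath ask OpenSSL to, and compares an MD5 fingerprint in the colon form fetchmail expects. It assumes the openssl command-line tool; the certificate it uses is a throwaway self-signed test root generated on the fly, standing in for a real root such as the Equifax one above.

```sh
# Added example (not from the post): rebuild the hash-named links that
# OpenSSL's CApath lookup needs, as c_rehash does, and pin a certificate by
# fingerprint as the sslfingerprint option does. Assumes the openssl CLI.

# make_test_ca DIR NAME: throwaway self-signed certificate DIR/NAME.pem
# (constructed test root, not a real CA)
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/C=XX/O=Example/OU=Example Test Root CA" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
    chmod 600 "$1/$2.key"
    chmod 644 "$1/$2.pem"
}

# rehash_dir DIR: for every *.pem create <subject-hash>.N -> file; N is the
# first free suffix, so two CAs whose subject names hash alike both remain
# reachable (that is the ".0, .1 and so on" the text mentions)
rehash_dir() {
    dir=$1
    for link in "$dir"/*.[0-9]; do          # drop links from a previous run
        [ -L "$link" ] && rm -f "$link"
    done
    for pem in "$dir"/*.pem; do
        [ -f "$pem" ] || continue
        h=$(openssl x509 -in "$pem" -hash -noout) || continue
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$(( n + 1 )); done
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
    return 0
}

# hash_link_target DIR HASH: file name behind HASH.0
hash_link_target() {
    readlink "$1/$2.0"
}

# verify_against DIR CERT: succeeds if CERT chains to a CA found via DIR;
# this is the check that sslcertck with sslcertpath performs
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# cert_fingerprint FILE: MD5 fingerprint in the colon-separated form that
# fetchmail's sslfingerprint option compares against
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

# fingerprint_matches FILE EXPECTED: the pin check, case-insensitive
fingerprint_matches() {
    [ "$(cert_fingerprint "$1" | tr 'a-f' 'A-F')" = "$(echo "$2" | tr 'a-f' 'A-F')" ]
}
```

A directory that is missing its hash links will make verify_against fail with "unable to get local issuer certificate" even though the root file sits right there, which is the failure mode step 3 guards against. Note that the pin is on the leaf (server) certificate, so a CA-level check and a fingerprint check fail independently of each other.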

There is no need to inform fetchmail that the POP3-over-SSL (pop3s) TCP port is 995; it's smart enough to figure it out on its own.

Note that POP3-over-SSL is not the same as regular (non-SSL) POP3 with use of the STLS command and capability (i.e., RFC 2595's POP3 STARTTLS extension), which Gmail does not support.

6. You should be able to test this with

sh# fetchmail -d0 -v pop.gmail.com

once you complete the email-forwarding/email-delivery part of fetchmail's configuration and integration (which is beyond the email-retrieval scope of this help document).

7. The Gmail POP3-over-SSL server specifies that it does not want to be polled more than once every five minutes (i.e., 300 seconds), as can be verified by executing the following command:

sh$ openssl s_client -connect pop.gmail.com:995 -CApath /usr/share/ssl/certs -quiet
depth=1 /C=US/O=Equifax/OU=Equifax Secure Certificate Authority
verify return:1
depth=0 /C=US/ST=California/L=Mountain View/O=Google Inc./CN=pop.gmail.com
verify return:1
+OK Gpop x99xx9999xxx ready.
CAPA
+OK Capability list follows
USER
RESP-CODES
EXPIRE 0
LOGIN-DELAY 300
X-GOOGLE-VERHOEVEN
.
USER eric.schmidt@gmail.com
+OK send PASS
PASS xxxxxxxx
+OK Welcome.
CAPA
+OK Capability list follows
USER
RESP-CODES
PIPELINING
EXPIRE 0
LOGIN-DELAY 300
TOP
UIDL
X-GOOGLE-VERHOEVEN
.
QUIT
+OK Farewell.
read:errno=0

(Authenticating is not strictly necessary for this test. It was done to show how Gmail's POP3 server presents a different list of capabilities before and after login.)

Make sure to respect this delay if automatic polling is configured. This can be achieved by specifying “set daemon 300” in the .fetchmailrc file, or by specifying “-d 300” on the fetchmail command line, where 300 can be replaced by a greater number if desired.

* Did you click ‘Save Changes’ after enabling POP in Gmail? To ensure that Gmail can communicate with your mail client, be sure to click ‘Save Changes’ on the Gmail ‘Mail Settings’ page.

Using Outlook

On a Windows POP3 client (like Outlook), do not select "Secure Password Authentication" unless you know what you are doing. Under "Incoming mail (POP3)", select "This server requires a secure connection (SSL)"; the port should be 995 (POP3 over SSL).

Saturday, November 17, 2007

HOW TO install a pop3s server

There are two basic options on Debian: courier-pop-ssl and dovecot; the first is older, and I prefer the latter.
% apt-get install dovecot-common dovecot-pop3d
% vi /etc/dovecot/dovecot.conf
Edit configuration and choose:
protocols = pop3 pop3s
The default configuration does not accept plaintext passwords; to allow them (usually on plain POP3, i.e. on port 110), insert
disable_plaintext_auth = no
instead of default commented line:
#disable_plaintext_auth = yes
The Debian Sarge package does not come with logging configured; use, for instance:
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
On a Windows POP3 client (like Outlook), do not select "Secure Password Authentication" unless you know what you are doing. Under "Incoming mail (POP3)", select "This server requires a secure connection (SSL)"; the port should be 995 (POP3 over SSL).
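The disable_plaintext_auth = no change above is what lets passwords travel in the clear on port 110 while 995 stays encrypted, so it is worth being able to spot that combination in a config file. Here is an added example, not from the post or from the Dovecot project, of a small audit in plain sh for a Dovecot 1.x style dovecot.conf: it reads the effective value of a key (comments ignored, last assignment wins) and flags plaintext authentication enabled alongside a non-SSL protocol. Both configuration files it examines are constructed samples embedded in the block.

```sh
# Added example (not from the post): audit a Dovecot 1.x style dovecot.conf for
# plaintext authentication allowed together with a non-SSL protocol, i.e. the
# setting that sends passwords in the clear on port 110. Sample configs are
# constructed here, not taken from a real server.

# write_sample_config weak|hardened: print a constructed dovecot.conf
write_sample_config() {
    case $1 in
        weak)
            cat <<'EOF'
# constructed sample: plain POP3 on 110 plus POP3S on 995, plaintext allowed
protocols = pop3 pop3s
#disable_plaintext_auth = yes
disable_plaintext_auth = no
log_path = /var/log/dovecot.log
info_log_path = /var/log/dovecot-info.log
EOF
            ;;
        hardened)
            cat <<'EOF'
# constructed sample: both ports stay open, but plaintext logins require SSL
protocols = pop3 pop3s
disable_plaintext_auth = yes
ssl_cert_file = /etc/ssl/certs/dovecot.pem
ssl_key_file = /etc/ssl/private/dovecot.pem
log_path = /var/log/dovecot.log
EOF
            ;;
    esac
}

# dovecot_get KEY FILE: effective value of KEY; comment and blank lines are
# ignored and the last assignment wins, as in Dovecot's own parsing
dovecot_get() {
    sed -n 's/^[[:space:]]*'"$1"'[[:space:]]*=[[:space:]]*//p' "$2" | tail -n 1
}

# has_plain_protocol FILE: succeeds if a protocol without SSL is enabled
has_plain_protocol() {
    for p in $(dovecot_get protocols "$1"); do
        case $p in pop3|imap) return 0 ;; esac
    done
    return 1
}

# plaintext_exposed FILE: succeeds if passwords may cross the wire unencrypted:
# disable_plaintext_auth = no together with a non-SSL protocol
plaintext_exposed() {
    [ "$(dovecot_get disable_plaintext_auth "$1")" = "no" ] || return 1
    has_plain_protocol "$1"
}

# audit FILE: human-readable verdict
audit() {
    if plaintext_exposed "$1"; then
        echo "$1: WARNING plaintext passwords accepted on: $(dovecot_get protocols "$1")"
    else
        echo "$1: ok (plaintext logins only over SSL, or no plain protocol enabled)"
    fi
}
```

With disable_plaintext_auth left at yes, Dovecot still serves port 110 but refuses USER/PASS there until the session is encrypted, so the hardened sample keeps both ports while protecting the password.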

Dozens of HOWTOs, most of them for Debian distros:

Wednesday, November 14, 2007

A Freesco box running an intranet MTA for outbound email

With Exim4 you can use the "local_interfaces" option to restrict the interfaces on which it listens on port 25 (the SMTP port), or even change the listening port.
Restricting the interface to your local intranet is easy:
  • local_interfaces = <; 127.0.0.1.25 ; 10.0.0.20.25
In this case Exim listens only on the loopback interface (lo) and on one of the networks (in my case the Freesco box has its local intranet interface, eth1, at 10.0.0.20).
It is possible to combine this Exim (let's call it the intranet-MTA) with another instance of Exim running for inbound email (the most usual use of Exim on Freesco boxes; let's call it the internet-MTA), as follows:
  • local_interfaces = <; 85.2.3.4.25
85.2.3.4 is just an example to illustrate that you can only select an interface by its IP address, not by its device name (ppp0 or any other).
People running Freesco boxes usually have dynamic IP addresses, so this IP is not fixed at all.

It is possible to tackle this problem as follows.
There is a special argument passed to /rc/rc_user when an IP changes: it is the 'newip' part of this script. I have chosen to restart Exim in this situation, so that a new configuration (with the updated IP) is picked up by the internet-MTA.
Starting Exim on a Freesco box: there is usually an associated start script (/pkg/rc/rc_exim) that should launch both the intranet- and internet-MTAs. For the internet-MTA there is a tweak: its configuration is generated at start time because of the dynamic IP.
Refer to the following excerpt:
MY_IP=`ifconfig ppp0 | grep inet.addr: | sed 's/.* addr:\([^ ]*\) .*/\1/'`
MY_A=/usr/exim/conf-autogen
echo "local_interfaces = <; ${MY_IP}.25" > $MY_A
cat /usr/exim/conf-init >> $MY_A
/bin/exim -C /usr/exim/intra.conf -bd -q30m -om
/bin/exim -bd -q30m -om
This will depend on how you have installed Exim. The version I actually use reads its configuration file from /usr/exim/configure. The first Exim call uses the fixed configuration (for the intranet-MTA), whilst the second call runs the usual internet-MTA.
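The excerpt above writes conf-autogen unconditionally, so if ppp0 has no address at that moment (the link is still coming up, or newip fired during a hang), MY_IP is empty and the generated line becomes "local_interfaces = <; .25", which Exim will reject. The block below is an added example, not the post's rc_exim, of the same generation step with that failure mode handled: it extracts the address, validates it as a dotted quad and refuses to write the file otherwise. It goes a little beyond the excerpt by also understanding the "inet A.B.C.D/NN" field of iproute2's ip addr output. The interface listings are constructed samples, not captured output, and conf-init/conf-autogen are the excerpt's own file names reused as parameters.

```sh
# Added example (not from the post's rc_exim): generate the internet-MTA's
# local_interfaces line from an interface's current address, refusing to write
# the file when no valid address is present. Interface text arrives on stdin.

# sample_ifconfig up|down: ifconfig-style output for a PPP link with and
# without an address (constructed, not captured from a real box)
sample_ifconfig() {
    printf '%s\n' 'ppp0      Link encap:Point-to-Point Protocol'
    [ "$1" = up ] && printf '%s\n' \
        '          inet addr:85.2.3.4  P-t-P:85.2.3.1  Mask:255.255.255.255'
    printf '%s\n' '          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1'
}

# sample_ip_addr: iproute2-style output for the intranet interface (constructed)
sample_ip_addr() {
    printf '%s\n' '3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast' \
                  '    inet 10.0.0.20/24 brd 10.0.0.255 scope global eth1'
}

# iface_ipv4: first IPv4 address in the text on stdin; handles both the
# "inet addr:A.B.C.D" field of ifconfig and the "inet A.B.C.D/NN" field of ip
iface_ipv4() {
    sed -n -e 's|.*inet addr:\([0-9.]*\).*|\1|p' \
           -e 's|^[[:space:]]*inet \([0-9.]*\)[ /].*|\1|p' | head -n 1
}

# valid_ipv4 ADDR: exactly four dotted decimal octets, each 0-255
valid_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$addr" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# gen_exim_autogen INIT_CONF OUT: write OUT as the generated local_interfaces
# line followed by the static part INIT_CONF. Fails without touching OUT when
# stdin carries no valid address, so Exim is not started on a broken line.
gen_exim_autogen() {
    ip=$(iface_ipv4)
    if ! valid_ipv4 "$ip"; then
        echo "gen_exim_autogen: no usable IPv4 address, leaving $2 untouched" >&2
        return 1
    fi
    {
        echo "local_interfaces = <; ${ip}.25"
        cat "$1"
    } > "$2"
}

# Usage in a start script, replacing the unconditional echo/cat of the excerpt:
#   ifconfig ppp0 | gen_exim_autogen /usr/exim/conf-init /usr/exim/conf-autogen \
#       || exit 1   # skip starting the internet-MTA until the link has an address
```

Checking the address before writing also means that a stale but valid conf-autogen from the previous link stays in place on failure, rather than being replaced by a file Exim cannot load.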

The first is used for all my intranet outbound messages, the second for all inbound messages.
The port is always the standard (25, i.e. SMTP).

Naturally the inbound configuration is much stricter: it should not allow any relaying, contains some spam blocking, etc. On the other hand, the outbound configuration is totally relaxed, allowing relay to any host (foreign MTAs, usually on the internet). I thereby assume all intranet insiders behave well, do not send spam, etc.

The motivation for this scheme: with a single Exim instance, and since I run greylisting, all mails sent to the outside world would be stalled for around 1 hour (until the greylist entry expires), or could even produce an error in the MUA, something like "your message could not be sent". It also makes it much easier to customize the inbound and outbound Exim instances separately.