Dan's Thoughts: Thinking somewhat carefully

3 Jun 2010

Converting a regular BIND ZONE to DNSSEC

Recently I wanted to sign a regular zone in BIND 9.7. Google wasn't very helpful, so I thought I'd write up a little bit about it here.

My /etc/named.conf looks like this:

zone "myzone.com" IN {
        type master;
        file "/var/named/zones/myzone.com/myzone.com";
        notify no;
};

I want to keep my DNSSEC zones in a separate directory.

# mkdir -p /var/named/signed/myzone.com/
# cp /var/named/zones/myzone.com/myzone.com /var/named/signed/myzone.com/

Now I sign the zone. The first dnssec-keygen call creates the zone-signing key, the second (with -f KEY) creates the key-signing key, and dnssec-signzone -S picks both up from the current directory.

# cd /var/named/signed/myzone.com/
# dnssec-keygen -r /dev/urandom myzone.com
# dnssec-keygen -r /dev/urandom -f KEY myzone.com
# dnssec-signzone -r /dev/urandom -S myzone.com
# ls 
myzone.com         Kmyzone.com.+005+02971.key      Kmyzone.com.+005+29262.private
myzone.com.signed  Kmyzone.com.+005+02971.private
dsset-myzone.com.  Kmyzone.com.+005+29262.key

Finally I point named.conf at myzone.com.signed.

zone "myzone.com" IN {
        type master;
        file "/var/named/signed/myzone.com/myzone.com.signed";
        notify no;
};

Make sure that all the files are owned by user "named" and reload BIND.

# chown -R named:named /var/named/signed
# /etc/init.d/named reload
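Before handing the dsset file to the parent zone it is worth checking that the files dnssec-keygen and dnssec-signzone left behind are consistent: that the DNSKEY flags say which key is the KSK (257) and which the ZSK (256), that the algorithm in each file name (+005+ is RSASHA1, the 9.7 default, which RFC 8624 no longer recommends for signing) matches the record, and that the DS in the dsset refers to the KSK. The checker below is an added example, not part of the original post or of BIND; the .key file contents and the dsset line are constructed stand-ins for the listing above, and the key tag in the file name is trusted rather than recomputed from the key material.

```python
import re
# File-name layout written by dnssec-keygen: K<zone>.+<alg>+<keyid>.key
KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})\.key$")
# Constructed stand-ins for the two .key files and the dsset from the listing above;
# the base64 key material and the DS digest are placeholders, not real values.
KEY_FILES = {
    "Kmyzone.com.+005+02971.key":
        "; This is a zone-signing key, keyid 2971, for myzone.com.\n"
        "myzone.com. IN DNSKEY 256 3 5 AwEAAcPLACEHOLDERZSK==\n",
    "Kmyzone.com.+005+29262.key":
        "; This is a key-signing key, keyid 29262, for myzone.com.\n"
        "myzone.com. IN DNSKEY 257 3 5 AwEAAcPLACEHOLDERKSK==\n",
}
DSSET = "myzone.com.\t\tIN DS 29262 5 1 0000000000000000000000000000000000000000\n"

def parse_key_file(name, text):
    """Return zone, key id, algorithm and role (KSK/ZSK) for one .key file."""
    m = KEYFILE_RE.match(name)
    if not m:
        raise ValueError("not a dnssec-keygen public key file: " + name)
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")  # owner [TTL] [IN] DNSKEY flags proto alg key
        flags, alg = int(fields[i + 1]), int(fields[i + 3])
        if alg != int(m["alg"]):
            raise ValueError("algorithm in file name and record disagree: " + name)
        if not flags & 256:
            raise ValueError("zone-key bit not set in " + name)
        # 257 = zone-key bit + SEP bit: the key-signing key. 256 = zone-signing key.
        role = "KSK" if flags & 1 else "ZSK"
        return {"zone": m["zone"], "keyid": int(m["keyid"]), "alg": alg, "role": role}
    raise ValueError("no DNSKEY record in " + name)

def check_dsset(keys, dsset):
    """Every DS in the dsset must name a KSK we generated; return the key tags seen."""
    ksk_ids = {k["keyid"] for k in keys if k["role"] == "KSK"}
    tags = []
    for line in dsset.splitlines():
        fields = line.split()
        if "DS" not in fields:
            continue
        i = fields.index("DS")  # owner [TTL] [IN] DS keytag alg digesttype digest
        tag = int(fields[i + 1])
        if tag not in ksk_ids:
            raise ValueError(f"DS for key tag {tag} does not match any KSK")
        tags.append(tag)
    return tags
```

Run it over the real files with `open(name).read()` in place of the constructed strings; a DS that names the ZSK, or a key whose file name and record disagree, raises before anything reaches the parent.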
Filed under: dns, linux
18 Jul 2008

XeLaTeX fun

After reading this post I wanted to dabble with TeX again. I haven't used it since university, so I thought it was time to shake off the rust. I am on a Debian box, so these are the steps I took to get XeLaTeX to work.

$ apt-get install texlive-full texlive-formats-extra
$ mkdir ~/.fonts && cd ~/.fonts
$ wget http://www.gust.org.pl/projects/e-foundry/tex-gyre/pagella/qpl1.103otf.zip
$ unzip qpl1.103otf.zip
$ rm qpl1*.zip

After about 20 minutes I had everything set up and was ready to follow the tutorial.
My sample.tex file looks like this:

\documentclass{article}
\usepackage{fontspec}
\setromanfont{TeX Gyre Pagella}
\begin{document}
Testing XeLaTeX!

Greek: τεχ
\end{document}

Now to make sure everything works...

$ xelatex sample.tex
This is XeTeXk, Version 3.141592-2.2-0.996-patch1 (Web2C 7.5.6)
%&-line parsing enabled.
entering extended mode
(./sample.tex
LaTeX2e <2005/12/01>
Babel and hyphenation patterns for english, usenglishmax, dumylang, nohyphenation,
arabic, farsi, croatian, ukrainian, russian, bulgarian, czech, slovak, danish, dutch,
finnish, basque, french, german, ngerman, ibycus, greek, monogreek, ancientgreek,
hungarian, italian, latin, mongolian, norsk, icelandic, interlingua, turkish, coptic,
romanian, welsh, serbian, slovenian, estonian, esperanto, uppersorbian, indonesian,
polish, portuguese, spanish, catalan, galician, swedish, ukenglish, loaded.
(/usr/share/texmf-texlive/tex/latex/base/article.cls
Document Class: article 2005/09/16 v1.4f Standard LaTeX document class
(/usr/share/texmf-texlive/tex/latex/base/size10.clo))
(/usr/share/texmf-texlive/tex/xelatex/fontspec/fontspec.sty
(/usr/share/texmf-texlive/tex/generic/ifxetex/ifxetex.sty)
(/usr/share/texmf-texlive/tex/latex/tools/calc.sty)
(/usr/share/texmf-texlive/tex/latex/xkeyval/xkeyval.sty
(/usr/share/texmf-texlive/tex/latex/xkeyval/xkeyval.tex
(/usr/share/texmf-texlive/tex/latex/xkeyval/keyval.tex)))
(/usr/share/texmf/tex/latex/lm/lmodern.sty)
(/usr/share/texmf-texlive/tex/latex/base/fontenc.sty
(/usr/share/texmf-texlive/tex/xelatex/euenc/eu1enc.def)
(/usr/share/texmf-texlive/tex/xelatex/euenc/lm/eu1lmr.fd))
fontspec.cfg loaded.
(/usr/share/texmf-texlive/tex/xelatex/fontspec/fontspec.cfg)) (./sample.aux)
[1] (./sample.aux) )
Output written on sample.pdf (1 page).
Transcript written on sample.log.

Success!
Next time I'll create something a little more substantive.

Filed under: latex, linux
13 Jul 2008

aria2 download tool

I ran into an interesting downloading application, Aria2. It reminded me of the GetRight utility I used years ago. The thing I really liked about GetRight at the time was the ability to download Linux ISOs from multiple mirrors and merge the results into one coherent file. It really sped up downloading new Slackware releases :-) To me this is the most compelling feature of Aria2, and it works like this:

aria2c -s2 http://host/image.iso http://mirror1/image.iso http://mirror2/image.iso

The main page has plenty of examples with many different transfer protocols. Too bad parallel downloading from multiple mirrors seems to have fallen out of fashion since the invention of BitTorrent.

Filed under: linux
5 Jul 2008

IpTables

Task

Write an iptables script that blocks everything except ping (ICMP), ssh (port 22), http (80) and https (443).

Solution

#!/bin/bash
export ipt=/sbin/iptables
$ipt -F #Flush all the rules one by one
 
#Allow SSH
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT
#Allow HTTP
$ipt -A INPUT -p tcp --dport 80 -j ACCEPT
#Allow HTTPS
$ipt -A INPUT -p tcp --dport 443 -j ACCEPT
 
# Set default policies for INPUT, FORWARD and OUTPUT chains
$ipt -P INPUT DROP
$ipt -P FORWARD DROP
$ipt -P OUTPUT ACCEPT
 
# Set access for localhost
$ipt -A INPUT -i lo -j ACCEPT
 
# Accept packets belonging to established and related connections
$ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
#Allow pings
#Ping requires the ability to accept packets and send packet back out.
#Ping is a layer 3,ICMP operation.
#In order to allow it our protocol now becomes icmp instead of tcp.
#Ping packets are able to be received.
$ipt -I INPUT -p icmp -j ACCEPT
 
#Ping packets are able to be sent
$ipt -I OUTPUT -p icmp -j ACCEPT
 
# List rules
$ipt -L -v

-m state loads the state module, which gives access to the connection-tracking state of the packets.
--state precedes a comma-separated list of the connection states to match. In this case it's NEW.
NEW: the packet has started a new connection, or belongs to a connection that has not yet seen packets in both directions.
-m tcp loads the tcp module (just as we loaded the state module); it gives us extra matching options for TCP.
-p tcp specifies the protocol, in my case TCP.
--dport 22 is provided by the -m tcp module; here I want the rule to apply to port 22 (ssh).
-j ACCEPT means the result of this rule is to accept the packet. (-j specifies the target of the rule if the packet matches it. If I said -j DROP we would block all traffic to port 22.)
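Once the script has run, the thing to verify is that the loaded rules still express the task's policy and nothing more: INPUT and FORWARD default to DROP, and the only ACCEPT rules in INPUT are loopback, ICMP, reply traffic, and TCP to 22, 80 and 443. The audit below is an added example, not code from the original post; it parses iptables-save output (a constructed dump of what the script above produces, followed by a constructed drifted version) and reports every deviation, which is the check you would run after a reload or on a schedule.

```python
import shlex
ALLOWED_TCP_PORTS = {22, 80, 443}   # ports the task says may accept new connections
# Constructed iptables-save dump of the rule set the script above builds: the two -I
# rules land first, and iptables-save writes the state list as RELATED,ESTABLISHED.
PAGE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# Same dump after two drifts an audit should catch: permissive default, extra port.
LEAKY_RULESET = PAGE_RULESET.replace(":INPUT DROP", ":INPUT ACCEPT").replace(
    "COMMIT", "-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT\nCOMMIT")

def parse_iptables_save(text):
    """Return ({chain: policy}, [tokenised -A rules]) for the filter table."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(shlex.split(line)[1:])   # ['INPUT', '-p', 'tcp', ...]
    return policies, rules

def opt(tokens, flag):
    # Value following `flag` in a tokenised rule, or None when the flag is absent.
    return tokens[tokens.index(flag) + 1] if flag in tokens else None

def audit(text):
    """List every way the loaded rules differ from the intended policy."""
    policies, rules = parse_iptables_save(text)
    findings = [f"{c} policy is {policies.get(c)}, expected DROP"
                for c in ("INPUT", "FORWARD") if policies.get(c) != "DROP"]
    for r in rules:
        if r[0] != "INPUT" or opt(r, "-j") != "ACCEPT":
            continue                      # only ACCEPT rules in INPUT widen exposure
        if opt(r, "-i") == "lo" or opt(r, "-p") == "icmp":
            continue                      # loopback and ping are part of the policy
        states = opt(r, "--state")
        if states and set(states.split(",")) <= {"ESTABLISHED", "RELATED"}:
            continue                      # reply traffic only; a NEW state is flagged
        port = opt(r, "--dport")
        if opt(r, "-p") == "tcp" and port and port.isdigit() and int(port) in ALLOWED_TCP_PORTS:
            continue
        findings.append("unexpected ACCEPT in INPUT: " + " ".join(r))
    return findings
```

On a live host feed it `subprocess.check_output(["iptables-save"], text=True)` instead of the constructed dumps; an empty list means the box still matches the task.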

Filed under: linux, security