So pfBlocker does exactly what it says on the tin

So I was looking for a way of reducing the amount of attacks on my main server. I thought there must be a way of GEO locating IP addresses and blocking, usually Russian attacks on my contact forms. And there is! It’s called pfBlocker, downloads new spam lists every night and currently seems to ‘just work’. Will monitor for a few more days but first impressions are it works great, not a single hit on either mail or web server. I thought there may be an issue with mail as if I drop the connection the sending server will then try and send via a backup server, but it looks like the backup server has a similar spam setup and also refuses the connection. Let’s see how it gets on.

Comes to something when you have a will to look after your thirteen year old dog

So went back to Unity and they actually had me down for an appointment. So got stabbed with a needle and took a swab of my arse. Spent a lot of the day doing accounts and admin stuff. Finally got round to my ‘will pack’ from Battersea Dogs Home. Sasha and Dillon are now taken care of in the event of my death. They are thirteen and eleven. Thinking they may outlive me is worrying.

In other news I’m making great progress on SSL certificates. I’ve now produced a CSR with both the firewall and backup firewall subdomains, produced a certificate and tested it on the pfSense box. Even got so far as SSHing into the firewall, pushing the key, pem and php script and then running the script to copy and install the certificate and restart the web interface. Need to do some bash magic server side now.

So ACME almost worked

So fiddling with ACME trying to get it to add the backup route, but annoyingly as the backup is a dynamic IP address it doesn’t exist as an A or a CNAME record, it therefore doesn’t recognise the domain name, tried a few aliases and stuff but it really wasn’t having it. I have a feeling actually it’s the webroot on the firewall which is the issue rather than the domain name itself. Still, it’s working with the primary domain name and it’s a free certificate which should hopefully renew itself, so fairly happy days.

In other happy days I paid my corporation tax, was unable to issue my final dividend as I’m waiting on one savings interest payment. I did though do a complete financial planning spreadsheet, it makes interesting reading, actually it doesn’t, but the results are interesting. It’s certainly something I’m going to be very mindful of.

Meanwhile, I wonder if I can use that ACME thing to generate certificates for my main server….

Acme, pfSense and easyDNS

So I’m not going to mention cheese, or getting soaked, both of which happened.

So this evening I’ve been having fun with the firewall. The challenge being to get a secure connection via an SSL certificate. As it’s only internal I’m certainly not going to pay for one. So found this ACME package that can be set up with ‘Let’s Encrypt’ which is a free CA. There is a handy YouTube video on how to set it up, it does have one flaw though in that it does the domain validation via a local HTTP server and as I have the ports blocked for remote access that wasn’t going to work. However, there was an option to use easyDNS for validation. First you have to sign up for the REST API, this is painless. Don’t bother with the sandbox. Go straight for the production and regenerate the global token, this will then give you the key. I went diving down into a secure shell and edited the damn script by hand. However if you add a new entry on the certificate rather than edit the default it then gives you the boxes to put the keys in. My method worked anyway, but tomorrow I may try and add the secondary domain to the certificate so will delete my edits and try the interface way instead.

Back to the cheese.

Dithering with alpha to coverage

Up fairly early and got on with it. Still on anti-aliasing. There’s a couple of extra bits in it as well. One of them is ‘alpha to coverage’. Now normally when you do an alpha test on a pixel you just test it against a threshold and do a discard. But when you are doing multi-sampling you can do a bit better as you have multiple fragments to play with. So you can take the alpha value and then dither it, this gives a nice sort of faded effect which looks like alpha-blending but isn’t. The fun thing you can do in more modern hardware is actually specify which fragments to use in the actual pixel shader, so you can do your own dither patterns. Well that was the excitement of my day.

Walked the dogs, yes both went. Went to Spin, which after yesterday’s car crash of a class was nice to get back to normal. Came back and worked far too hard. Upgraded pfSense, due to all this hoo-ha on bloody SSL leaking. I need to re-key all my certificates next, that’ll be an exciting evening. Fitted new hard drive to iMac, that’s an extra 4TB there. The blu-ray recorder doesn’t seem to work though.

Time for cheese, maybe wine, maybe wine and cheese. (See, dithering again.)

You just gotta love firewalls

This morning started with disappointment. I’ll blame it on a combination of too many pills.

Working on, well, basically testing lots of stuff really. Making sure everything all loads in all combinations, that sort of thing. Bloody horrible miserable day, weather wise.

I ventured out and did pump, appear to have injured my left wrist somehow.

Now I wanted to block a certain person from viewing this blog. Interesting challenge. I have one thing to my advantage, the user has an email account on one of my servers. So into Ubuntu, /var/log/mail.log, look for user….ah yes, and found the IP address. Now into pfSense, add new rule, block port 80 & 443 from said IP, and oh, let’s log it for gloating purposes. Lovely, job done. Bath time.

Thank you VPN, you’ve officially driven me insane

Got up, PC powered down just as I sat down to it, it’s been running a virus scan all night. Started it up again, twiddled about. Then tried to log into the VPN. Timeout. Great. Uninstalled it, re-installed it. Timeout. Great. Tried VPN on the iMac, timeout. Started shouting at the pfSense firewall. Timeout. Twiddled with pfSense, timeout. Powered off main machine. iMac now connects no problem. Powered on main machine, timeout. Tried iMac, timeout. Powered off main machine, iMac can connect again. Got notebook out, installed Cisco VPN client, connected. Powered on main machine, tried notebook again, timeout. Okay, this was getting weird, something on main machine was causing the VPN to not connect. Powered on main machine, uninstalled and re-installed VPN client. Connected. Notebook, connected. iMac, connected. Open IE, now nothing connects. Restarted main machine, connect to VPN no problem. Opened mail, tried to reconnect, all dead. Hmmm….What’s changed since yesterday, well nothing….except. My old mail server SSL certificates have expired, I never got round to installing the new ones for courier. So finally installed an updated courier.pem file on the mail server, restarted imapd. Flushed the SSL cache, restarted PC. Opened mail, opened IE, connect VPN all fine. So somehow an outdated SSL certificate was causing some authentication error and completely buggered up tunneling on pfSense for all machines. Very very odd, drove me bloody nuts.

Walked the dog.

Ate a sandwich.

Then ended up working solid till gone nine to make up for this morning’s problems. Still, got quite a lot done.

Torture porn night, although I think I’ll end up watching Luther.

Network partitioning and mammaries

So today started kind of late. Maybe at my grand old age of forty-one it’s just nice to stay in bed and spoon your husband and the dog. The radio was on in the background and I was kind of dozing. Mind you there is something to be said about getting a blow job while Richard Madeley is doing newspaper reviews. Elaine Paige came on, I then started singing ‘Mammaries’, rather than ‘Memories’ from ‘Cats’, while cupping Jamie’s rather pert titties, he was not amused.

I got up and picked up all the dog shit. I then had lunch. We decided as it was not pissing down that we would take the dog to the same field I did yesterday. It was actually very nice, we got to the top field and let her off her lead. She belted off but stayed mainly around us. We got her ball out and started chucking it around, she had a great time. Very well behaved, we had no problem calling her back and putting her lead on again, she was a really good girl.

Came back and got on with the sanding. Finished off all the coving, put some more filler on one of the cracked corners. Then actually ran out of work so put the door back on. Next job is the messy one, sanding all the walls, so I need to order a load of dust sheets. I’ll do that this week, in case next weekend is pants then I can get on with it. Want to do it in one hit really because of all the dust.

Ah yes, the network partitioning. Well I have servers mapped to one lot of IPs, DHCP handing out a load of other addresses, plus all Jamie’s stuff was on fixed IPs and now we have all the UPnP crap as well. It was time for a rethink. Now the servers are on a public IP starting at .136, I have an 8 IP range, so the mask is 29, leaving 3 bits in the subnet (so 8 IPs, get it?). So that goes from 136 to 143. So I now mapped the servers internally to 192.168.0.136->192.168.0.143, or in the rules table it will be 192.168.0.136/29. So that’s the servers covered. Now I want Jamie to be in his own subnet so I can throttle him to hell when he wears my socks, but I also need him to have an allocation that can use UPnP for the consoles. I also need an allocation for UPnP for my consoles. So I decided to have three subnets of 16 IPs, but one of them overlapping a subnet of 32 IPs for the UPnP. So I allocated 192.168.0.160 to 192.168.0.175, or in other words 192.168.0.160/28, to Jamie as UPnP, I then allocated 192.168.0.176/28 to me for UPnP. So the first bank I could add a rule to include the throttling for Jamie, the second bank was free. Also the first bank I set up to use Virgin and the second bank to use Zen, this is because I need my dev kits to talk on a whitelisted static IP. Now in the UPnP section of pfSense I then set it to 192.168.0.160/27, notice the 27, so this covers all 32 IPs on one rule. I then finally added another subnet on 192.168.0.192/28 for Jamie’s non-consoles, this still has the throttling but not the UPnP, as that’s somewhat dangerous from a PC. Finally I then set up DHCP to hand out anything between .20 and .127, that then leaves me .1 to .19 as reserved and a block between .128 and .135. Also I have a subnet .144 to .159 which I use for static IPs for things like the web cam and the SamKnows box. So there we go, all reorganised and now everything works, including all the consoles.
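A sanity check over the address plan just described, written as an added example (it is not code from the post or from pfSense); the block labels, the reserved range and the unallocated-range helper are my assumptions, built with the standard library ipaddress module:

```python
import ipaddress

# Address plan reconstructed from the post above (a constructed example,
# not a pfSense export). Prefix lengths: /29 = 8 addresses, /28 = 16, /27 = 32.
PLAN = {
    "servers (1:1 to public /29)": ipaddress.ip_network("192.168.0.136/29"),
    "static (webcam, SamKnows box)": ipaddress.ip_network("192.168.0.144/28"),
    "Jamie consoles (UPnP, throttled)": ipaddress.ip_network("192.168.0.160/28"),
    "my consoles (UPnP, Zen line)": ipaddress.ip_network("192.168.0.176/28"),
    "Jamie PCs (throttled, no UPnP)": ipaddress.ip_network("192.168.0.192/28"),
}
UPNP_RULE = ipaddress.ip_network("192.168.0.160/27")  # one rule covers both console banks
DHCP_POOL = (ipaddress.ip_address("192.168.0.20"), ipaddress.ip_address("192.168.0.127"))
RESERVED = (ipaddress.ip_address("192.168.0.1"), ipaddress.ip_address("192.168.0.19"))


def overlapping_blocks(plan=PLAN):
    """Pairs of blocks that overlap; empty means a throttle or NAT rule keyed on
    one block can never match a host that belongs to another."""
    names = list(plan)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if plan[a].overlaps(plan[b])]

def upnp_rule_is_tight(plan=PLAN, rule=UPNP_RULE):
    """True if the /27 UPnP rule covers exactly the two console /28s and nothing
    else, so the PC bank and the servers stay outside the UPnP permission."""
    consoles = [n for k, n in plan.items() if "UPnP" in k and "no UPnP" not in k]
    inside = all(n.subnet_of(rule) for n in consoles)
    tight = sum(n.num_addresses for n in consoles) == rule.num_addresses
    others_out = not any(n.overlaps(rule) for n in plan.values() if n not in consoles)
    return inside and tight and others_out

def dhcp_pool_is_clear(plan=PLAN, pool=DHCP_POOL):
    """True if no DHCP lease can land inside a statically assigned block."""
    first, last = pool
    return not any(net[0] <= last and net[-1] >= first for net in plan.values())

def unallocated(plan=PLAN, pool=DHCP_POOL, reserved=RESERVED, lan="192.168.0.0/24"):
    """Host addresses on the LAN claimed by no block, the pool or the reserved range."""
    free = []
    for host in ipaddress.ip_network(lan).hosts():
        if pool[0] <= host <= pool[1] or reserved[0] <= host <= reserved[1]:
            continue
        if any(host in net for net in plan.values()):
            continue
        free.append(str(host))
    return free
```

Run against this plan it reports no overlaps, a UPnP rule that matches exactly the two console banks, and .128 to .135 plus everything above .207 as spare.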

Time for a bath.

I had a dream about getting a parking ticket

So I was dreaming…..for some reason I was at a family gathering at a castle. I’d parked the car at a pay and display car park at the bottom of a hill. I was at the castle then had a horrible feeling that I’d failed to buy a ticket. So I walked back down to the car. Sure enough, on the windscreen was a parking ticket for £450. I was rather annoyed so tried to purchase a ticket, but the machine wouldn’t take my money as it was gone past 6PM when then charging stopped. I then woke up.

Spent the day going through conference material. Again, can’t really say any more than that.

Rang up GoDaddy.com about my SSL certificates expiring and asked if I can just change to a 3 year 5 domain one. Apart from the American on the end of the phone continuously referring to me as ‘you guys’ it was all pretty smooth. It’s now all on one certificate, so I have that on mannmansion, then I added my other blog (and its www equivalent) and the pfSense firewall. All is good and now expires 2016, I cocked up a little bit as the original certs don’t expire until the end of July, but considering I only paid a tenner each for them anyway and now got a 40% discount I’m not going to kick up a fuss. Install appears to have gone fine with all Apache sites working fine and mail still appears to be sending (actually I better test that). I need to sort courier out which is the odd one as that uses different certificates based on IP address, I guess I can remove that bit now and just point it to the one. That’ll be a job for another day though. Yes, mail is sending.

Walked the dog. It was very nice lunchtime. She was very well behaved with a couple of other dogs we came across.

Right, I’m done for the day then. Bath and wine.

Dynamic DNS and the joys of ‘Youtube’

So started off working on some stuff to do with points on a circular path. Not the most exciting thing on the planet but again something that had to be solved. After a couple of hours it was. Took a break and did a bit more Japanese. Then the Vigor 110 decided it had had enough of being synced for two days, so re-synced and then pfSense wouldn’t start PPP. So I took the opportunity to go back to the Vigor 120. This synced fine, I’m still at 12dB margin, but it’s only dropped down to 11dB after eight hours with 6 CRCs so hopefully if it stays synced it will drop. If not I’ll need to kick someone at Zen.

Went for a run, had lunch. Did multiple other line, radius things throughout the day. Ended up with a video of what I was working on. Trying to upload it to the works forum, failed every time. Ended up putting it on FTP, then one of the guys put a link to it on the forum using YouTube. After some chatting I now know how to upload videos to YouTube and embed them on the forum. Very useful.

Anyway, I was looking into perhaps using the Virgin line as a backdoor to the firewall, so if the Zen line hangs I can still contact the pfSense box and give it a kick. Problem is the Virgin line uses a dynamic DNS. This means its IP address changes on a regular basis. This is a pain. However, pfSense supports about ten different dynamic DNS providers. One of which just happens to be EasyDNS, my DNS provider. The account I have with EasyDNS gives me access to dynamic DNS. Now I thought this isn’t going to work as I want all my domain names to be on a static DNS, however it allows multiple sub-domains to be dynamic. So I added a sub-domain (mind your own business) and set it to dynamic. I then produced a token. Back in pfSense I selected dynamic DNS, added an entry for EasyDNS and filled in all the required fields. I then clicked save and expected it to crash as normal. However it went back to the status page and said it had updated the IP records. Back on EasyDNS and I checked, it now had an IP address against the sub-domain. I was amazed. Something actually worked first time. After a bit of piddling about with firewall rules I now have my alternative access to pfSense.

Did a bit more Japanese. It’s torture porn night, I was going to avoid wine all week, but as I’ve had quite a long day then I’m going to forget that. So shower, salad, and then some god awful film no doubt.