zone “007arcadegames.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008i.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};
zone “008k.com” {type master; file “/etc/namedb/blockeddomain.hosts”;};

SAGA-dc.org even provides the empty zone file, to do this in an automated fashion:

put in your root crontab:

31 0,6,12,18 * * * /usr/bin/wget -q -O - http://dns-bh.sagadc.org/files/spywaredomains.zones | sed ‘s/\/namedb\//\/bind\//’ > /etc/bind/spywaredomains.zones 2>&1 && pkill -HUP named

setup named to read this new zone info, add to the bottom of your named.conf:

include “/etc/bind/spywaredomains.zones”;

Now, anyone that uses your recursive resolver should better protected than before…

1) open Terminal.app (Applications/Utilities/Terminal.all or if you see below and install quicksilver: Cmd-space Term)

2) use ssh-keygen to make a key:

mba:~ you$ ssh-keygen -t dsa -f .ssh/id_dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): (put in your passphrase here)
Enter same passphrase again: (repeat passphrase)
Your identification has been saved in .ssh/id_dsa.
Your public key has been saved in .ssh/id_dsa.pub.
The key fingerprint is:
d6:d3:54:79:16:14:ab:42:cf:80:52:6f:9b:55:5e:4e morrowc@mba.local

3) scp that id_dsa.pub to your ssh bastion host

mba:~ you$ scp .ssh/id_dsa.pub you@bastion:.ssh/mba_id_dsa.pub
Password: (your passwd here)

4) ssh to the bastion and append the mba_id_dsa.pub to your .ssh/authorized_keys file

bastion:~ you$ cat .ssh/mba_id_dsa.pub >> .ssh/authorized_keys
bastion:~ you$ chmod 400 .ssh/authorized_keys

5) exit the ssh and attempt an ssh again, you should be prompted for your passPHRASE not passWORD.

All good! Now for the tunneling bits, I suggest:

1) 8080 for web traffic (http/https/ftp)
2) 8000 for chat traffic (aim/gtalk don’t like squid for some reason, but don’t mind socks proxying)

We’ll be setting up an alias command that does all the hard work for us, this alias lives in your ~/.bash_profile file, here’s the setup:

1) edit ~/.bash_profile (vi ~/.bash_profile)
2) add this

alias proxy="ssh you@ssh-bastion -D127.0.0.1:8000 -L8080:127.0.0.1:3128”

Now, to test this, do:

mba:~ you$ . .bash_profile
mba:~ you$ proxy

which should log you into your bastion host and setup the tunnels, which you can verify with firefox/safari provided you setup the proxy-bits on those applications.

All this said, i’d get the following additional applications for your Mac:

1) Adium-X the all-over-goodness chat client (yahoo/msn/gtalk/aim and more protocols available)
2) QuickSilver a replacement to the horrid Spotlight searching, includes app launching capabilties as well

########
# special additions for tcp speedups
net/ipv4/tcp_tw_reuse = 1
net/ipv4/tcp_tw_recycle = 1
net/core/somaxconn = 1024
net/ipv4/ip_local_port_range = 2048 65000
#
# nf_conntrack additions
net/netfilter/nf_conntrack_generic_timeout = 300
net/netfilter/nf_conntrack_tcp_timeout_established = 14400
net/netfilter/nf_conntrack_tcp_timeout_fin_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_last_ack = 10
net/netfilter/nf_conntrack_tcp_timeout_time_wait = 20
net/netfilter/nf_conntrack_tcp_timeout_close = 10
net/netfilter/nf_conntrack_udp_timeout = 10
net/netfilter/nf_conntrack_udp_timeout_stream = 30
net/netfilter/nf_conntrack_icmp_timeout = 5

This reduces some conntrack timeouts significantly, take:

net/netfilter/nf_conntrack_tcp_timeout_established = 14400

for instance which was set to something on the order of: 432000 which is about (432000/86400 = 5 days). So, anything that didn’t end properly (apparently lots of spambots fall into this category) would stick around for almost 5 days time. With a limit of 65k sessions in the nf_conntrack state-table this is obviously a bad thing. So, add the above text to your /etc/sysctl.conf and reload that with sysctl -p /etc/sysctl.conf…

-A INPUT -s ip-block/mask -j DROP
-A INPUT -s ip-block/mask -j DROP
-A INPUT -s ip-block/mask -j DROP

downloads available at:

linky-loo

Obviously you can sed/awk/perl your way into the final listing that fits your model better. Some other resources on blocking known bad traffic can be found over at:

DShield
MyNetWatchman

Note that the list I have isn’t from either of these… but they are great resources none-the-less.

• make software .tar available via tftp
• login to AP
• enable
• archive download-sw /overwrite tftp://tftpboot-server/c1200-k9w7-tar.123-8.JEB1.tar
• copy run start
• reboot
• rejoice

Hopefully that all works out well, of course you may want to copy your config elsewhere just in case…

Edit the key in question:

gpg --edit <keyid>


use the commands:

1. key - select the key inside edit-mode
2. expire - change expire date inside edit-mode (set date to sometime in the future)
3. remember to select the primary and secondary keys and repeat expire command
4. save - save your work and get outta there!

All done! easy-peasy…

Initially a few software/things will be required:

• some perl modules - XML::Simple, Date::Parse, Data::Dumper (installed via perl -MCPAN -e shell)
• curl
• perl

To get the feed data you’ll have to grab the calendar private URL from gcal:
Calendar settings -> calendars -> select-your-cal -> click-on-private-xml-url -> copy link

Then save that away in a txt file for your use later. I like cron for repeating tasks, Devan says it may be deprecated and going away past 10.4 I’ll check my 10.5 machine later and see if this will last past an upgrade. We’ll use cron and curl to grab the URL and save that in a file for later processing.

the crontab entry looks like:

*/10 * * * * /usr/bin/curl -f -s {private xml url} -o {destination for .gcalfeed.xml} > /tmp/gcal-feed.log 2>&1

Now that the data will get pulled down each 10 minutes we can use Devan’s perl-foo to massage that into something geektool will display. I believe I made some changes to this script at home, I’ll find those and post a diff so that others can benefit from whatever changes I made.

Now, make GeekTooldo it’s magic running the script every 10 mins and displaying that out on your desktop:

1) you are a FiOS customer
2) you decide you want ‘static ip addresses’
3) you realize this means you need to switch from ‘residential service’ to ‘business service’
4) you realize you want more than 1 IP address

you start paying (note that paying for ip addresses is also against the ARIN policies) 40$/month for 5 ip addresses, you then realize that your personal information is being included in the SWIP data ala:

Verizon Internet Services Inc. VIS-BLOCK (NET-71-240-0-0-1)
71.240.0.0 - 71.255.255.255
Maysenstein,Sally FTTP (NET-71-246-230-120-1)
71.246.230.120 - 71.246.230.127

So, you call tech support (1-800-553-1555) and open 6 tickets talking to 6 different techs, all of which say: “if you want to make that info private you can’t cause it’s a business account, get a residential account and it’ll all be private”. Note that the logic of: “I want static ips, so I must have business service” is lost on the tech support folks, all save one I talked to today a nice fellow named: “Laston”. (most even implied it was illegal effectively to privatize this information, despite the ARIN policy bits that clearly state it as an option, and even include wording to this effect in the reassign-simple.txt)

Finally the answer is basicaly you can initiate this change on your own without involving tech support, email your request to: IPMGMT@verizon.com and within the day your information will turn into:

Verizon Internet Services Inc. VIS-BLOCK (NET-71-240-0-0-1)
71.240.0.0 - 71.255.255.255
Private customer - Verizon Internet Services Inc. FTTP (NET-71-246-230-120-1)
71.246.230.120 - 71.246.230.127

How very nice of Verizon, please take the time to thank the IPMGMT folks (Mike L in particular).

Hurray for us!

1. which destinations are not accepting email today from you?
2. which queues need to be flushed?
3. how many messages in a given timeframe to how many actual recipients?
4. delete all remaining ‘outdated’ messages in the queue

Simple just use your old friend awk/sed/for… your shell.

To see what things are backed up:

for d in `find postfix-IP* -type f -print | grep def | grep -v pid | grep -v config ` ; do \
  grep "^reci" ${d}  >> /tmp/recips 
done

awk -F\@ '{print $2}' /tmp/recips  | sort | uniq -c | sort -rn |more

This assumes that all your postfix config directories are in something remote named like: “postfix-IP”, adjust that to your needs, of course. To flush the queues for all your postfix instances:

for d in `ls -d postfix-IP*/config` ; do 
  postqueue -c ${d} -f
done

To get some stats in a running-total sort of manner:

while : ; do 
   perl -e 'print time()' >> /tmp/mail-stats.log 
   grep "some-uniq-to-line" mail.log | \
                                    grep nrcpt | \
                   awk -F"nrcpt=" '{print $2}' | \
   awk '{TOT=TOT + $1; ALL=ALL + 1} END{ print " connects: " ALL " reciepts: " TOT}' >> /tmp/mail-stats.log 
   sleep 30 
done

This will make a file in /tmp called mail-stats.log which has about this sort of content:

1174833091 connects: 17405 reciepts: 52372
1174833121 connects: 17433 reciepts: 52481

which you can later parse and report on via perl or excel (yick) or whatever you prefer… ‘connects’ means messages sent through the system, ‘reciepts’ means number of addresses uniquly sent. This is for instances where you send a message like:

To: mom, dad
From: you
Subject: Lookie ma, no hands!

look, I typed with my feets!

Now, to delete all the old messages lost in the queue let’s do this:

for d in `ls -d /full-path/to/postfix-IP*/config` ; do 
  postsuper -c${d} -d ALL defer 
done

Simple, eh? shell commands… lost in space!