<p>manty's blog, by Santiago García Mantiñán</p>
<p><b>Freeing your phone from Linux (with heimdall for Samsung)</b> (2023-11-09)</p>
<p>When I wrote about updating baseband I realised that I hadn't written about how to install an aftermarket ROM, so... here we go.</p>
<p>The typical journey of installing an aftermarket ROM like <a href="https://lineageos.org/">LineageOS</a>, <a href="https://crdroid.net/">crDroid</a>, ... which means replacing the proprietary ROM of your phone with a hopefully free OS that is updated more frequently and for a longer time, starts with unlocking your phone's bootloader. How that is done depends on your maker, or even your model, so you must find a specific guide for it; typically it means enabling developer mode and then looking for an <listing>OEM unlock</listing> option.</p>
<p>Then you must install a recovery; you have to choose the specific one for your phone from all the available ones. Both <a href="https://lineageos.org/">LineageOS</a> and <a href="https://crdroid.net/">crDroid</a> have their own simple recoveries, and of course there are the good old <a href="https://twrp.me/">TeamWin</a>, <a href="https://orangefox.download/">OrangeFox</a>, ... you just need to find the one you like that is available for your phone, and then install it.</p>
<p>After installing the recovery we have half the work done, as we can boot into it and from there we can flash our chosen OS and then the Google Apps, or maybe you prefer <a href="https://microg.org/">microG</a> instead.</p>
<p>But... how do we install the recovery? On some devices you have a fastboot bootloader; there you use the fastboot tool, doing something like <listing>fastboot flash recovery recovery.img</listing> whether you are on Windows or Linux. But for Samsung devices... you either use Samsung tools for Windows like the old Odin, or, if you are on Linux... yes, you need the latest version of heimdall (2.0.2 as I write this).</p>
<p>Once you have the latest heimdall installed, we get the phone to start the bootloader or download mode and plug it into our computer; there we can run <listing>heimdall flash --VBMETA vbmeta.img --RECOVERY recovery.img</listing> where the vbmeta image is specific to your model and is needed so that we are allowed to install our recovery and our chosen OS. One thing about heimdall... you can use the --no-reboot option so that the phone won't reboot after heimdall exits; however, on modern phones, and at least on heimdall versions up to and including 2.2, you won't be able to run heimdall again to do some other task without rebooting, it will fail, so... you must reboot anyway.</p>
<p>After installing the recovery we must boot into it, not into the OS: if you boot the OS even once, it will restore the old recovery and you'll have to start all over, so... after you execute heimdall, make sure you press the right keys to boot into recovery.</p>
<p>That's it, I know it sounds a bit complicated, but, if you do things right, you can forget about Samsung's crap forever and enjoy your chosen system for a hopefully long time. I hope this new experience with your phone pleases you, enjoy it!</p>
<p><b>Updating baseband on Samsung devices when you are running aftermarket ROMs.</b> (2023-10-27)</p>
<p>Some time ago <a href="http://blog.manty.net/2021/05/flashing-samsung-stock-rom-using.html">I wrote about heimdall and how you could flash a Samsung official ROM using it</a>. This time we'll be talking about quite the opposite.</p>
<p>When you are running an aftermarket ROM (one that is not from the maker of your phone) like an official <a href="https://lineageos.org/">LineageOS</a> or <a href="https://crdroid.net/">crDroid</a> ROM you get regular updates from them, but what you typically don't get is updates for the baseband.</p>
<p>The baseband is the software that runs the communication processor or modem. It is an important part of your phone, as it is in charge of all the communications, so keeping it updated is important, not only for the functionality but also because of security issues.</p>
<p>So... the problem here is... how do you update your baseband now that you are no longer running your phone's official ROM? You could back up, flash the updated Samsung official ROM, then reinstall your favourite ROM and restore from backup, but that's nonsense, so...</p>
<p>How about flashing just the modem software and leaving your favourite ROM untouched?</p>
<p>Well, for that we can rely on heimdall; just make sure that you run the latest version of heimdall (2.0.2 as I write this). First you must download the updated Samsung ROM from your favourite site; we need the CP archive, something like...</p>
<p><listing>CP_A705FNXXU5DWB1_CP23709798_CL24363203_QB62257661_REV00_user_low_ship_MULTI_CERT.tar.md5</listing></p>
<p>for the A70. Note that while its name ends in md5 it is just a normal tar file, so extract the files from it, in this case modem.bin.lz4, and uncompress that with unlz4; you'll get the modem.bin file that you must flash. Now we just need to find where to flash it: we look for the name of this file in the heimdall print-pit output and take the Partition Name from the same entry, in this case MODEM, so we run...</p>
<p><listing>heimdall flash --MODEM modem.bin</listing></p>
<p>That's it, enjoy your new baseband ;-)</p>
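<p>As an added example (not code from the post): the "find the file name in the print-pit output and take its Partition Name" step above, done as a small POSIX shell script that reads a saved print-pit dump and turns each image file into the <listing>--PARTITION file</listing> argument heimdall expects. It generalises the single-partition case here to any number of files (the same mapping that the grep/sed one-liner in the stock ROM flashing post further down does for a whole stock ROM) and refuses to produce an argument for a file the PIT doesn't list, rather than guessing a partition. The PIT dump it parses is constructed inline for the example; real dumps have many more fields and entries, and partition names differ per device.</p>

```shell
#!/bin/sh
# Added example, not the post's own code: map image files to heimdall
# "--PARTITION file" arguments by parsing a saved "heimdall print-pit" dump.

# Constructed sample dump (only the lines this script looks at; a real
# "heimdall print-pit --no-reboot > pit" dump has more fields per entry).
PIT_FILE="${TMPDIR:-/tmp}/sample-pit.txt"
cat > "$PIT_FILE" <<'EOF'
--- Entry #0 ---
Binary Type: 0 (AP)
Partition Name: BOOT
Flash Filename: boot.img
FOTA Filename:

--- Entry #1 ---
Binary Type: 0 (AP)
Partition Name: RECOVERY
Flash Filename: recovery.img
FOTA Filename:

--- Entry #2 ---
Binary Type: 1 (CP)
Partition Name: MODEM
Flash Filename: modem.bin
FOTA Filename:
EOF

# pit_partition PITFILE FILENAME
# Prints the Partition Name of the entry whose Flash Filename is exactly
# FILENAME; exits 1 (printing nothing) when the PIT has no such entry.
pit_partition() {
    awk -v want="$2" '
        /^Partition Name:/ { name = $3 }
        /^Flash Filename:/ { if ($3 == want) { print name; found = 1; exit } }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# pit_flash_args PITFILE IMAGE...
# Prints one "--PARTITION image" line per image, suitable for
#   heimdall flash $(pit_flash_args pit modem.bin)
# Returns 1 if any image has no PIT entry, so a typo in a file name can
# never end up flashed to a partition picked by guesswork.
pit_flash_args() {
    pit=$1
    shift
    rc=0
    for img in "$@"; do
        if part=$(pit_partition "$pit" "$(basename "$img")"); then
            printf '%s %s\n' "--$part" "$img"
        else
            echo "no PIT entry for $img, skipping" >&2
            rc=1
        fi
    done
    return $rc
}
```

<p>Because each output line is "--NAME file", word splitting in the <listing>$(...)</listing> substitution hands heimdall exactly the pairs it wants; check the exit status first, since a non-zero return means at least one file was left out.</p>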
<p><b>Windows 11 on an old machine via libvirt on Linux</b> (2022-10-09)</p>
<p>Windows 11's requirements include a modern CPU, EFI secure boot and a TPM 2.0 security device. Below I'll describe how I installed it without tricks in a virtual machine on a host that has neither a TPM nor EFI secure boot, so the only requirement it met was having a somewhat modern CPU, with hardware virtualization, of course.</p>
<p>To be able to test things with Windows 11 at work I wanted to install Windows 11 the way I always do with Windows, that is, in a virtual machine inside my desktop. Until now I've always done it with VirtualBox; it's convenient and did what I needed.</p>
<p>However, in this case, if we want to install Windows 11 without tricks, we need a TPM security device, which doesn't exist in VirtualBox, so... I explored the libvirt world a bit, with KVM underneath, which does let us use a software TPM and the rest of the things Windows 11 needs in order to run.</p>
<p>I used the Bookworm packages (in testing for now, until it becomes the new stable) to have the latest versions and not have to do things "by hand" editing the XML and so on; with the Bookworm versions everything can be done graphically without problems. With earlier versions it may also be possible, but with some of them you have to touch the XML by hand.</p>
<p>For me the process was, on one side, installing the libvirt part; I installed these packages: <b>virt-manager virt-viewer libvirt-daemon-driver-qemu libvirt-daemon-system libvirt-daemon-system-systemd libvirt-daemon-config-nwfilter libvirt-daemon-config-network libvirt-clients gir1.2-spiceclientgtk-3.0</b></p>
<p>On the other side, to meet the Windows 11 requirements (TPM and EFI boot) I installed: <b>swtpm-tools ovmf</b></p>
<p>In some tests on a very "barebones" machine there was no suitable polkit, so I installed: lxpolkit. This won't be needed on normal systems with a graphical interface, since they'll already have a polkit installed; if not... virt-manager itself will tell you with an error, and if it doesn't... start it with "--debug".</p>
<p>Among the Windows 11 requirements are the CPU, which has to be modern, and EFI boot, so we'll define a new machine in virt-manager with the Windows ISO downloaded from MS as the boot medium, let it detect the operating system (it detects Windows 10, they don't have 11 yet, but it works for us) and, right at the end, before clicking finish, we enable "Customize configuration before install". There, in "Overview", we have to change the "Firmware" setting from BIOS to UEFI with secure boot (secboot); then we go to the "CPUs" window and choose the "host-passthrough" option under "Configuration".</p>
<p>If we clicked "Apply" on those options we can go back to "Overview" and check in the XML that we end up with something like this:</p>
<listing>
machine=pc-q35-7.1
cpu mode='host-passthrough'
...
firmware UEFI x86_64: /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
</listing>
<p>The other requirement Windows 11 has, which less modern machines usually don't meet, is the TPM, but since this is a virtual machine we use the software TPM we installed and that's it. For this we add a new device of type TPM and model TIS to the machine, and that's it, we can now click "Begin installation".</p>
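<p>An added example, not from the post: before clicking "Begin installation" it is worth confirming that virt-manager really wrote the Windows 11 requirements into the domain definition. The shell function below greps a saved <listing>virsh dumpxml</listing> output for the secure boot loader, the SMM feature that goes with secure boot on q35 machines, a TPM 2.0 emulator backend and the host-passthrough CPU, and reports what is missing. The domain XML it checks is a constructed sample in the shape virt-manager produces; the element names are libvirt's, the machine type and firmware path are the ones from the post, and the rest of the values are assumptions.</p>

```shell
#!/bin/sh
# Added example, not the post's own code: check a libvirt domain definition
# for the Windows 11 requirements (UEFI secure boot, TPM 2.0, modern CPU).
# Real use: virsh dumpxml win11 > win11.xml && win11_check win11.xml

# Constructed sample of the relevant parts of a virt-manager domain XML.
DOMXML="${TMPDIR:-/tmp}/win11-sample.xml"
cat > "$DOMXML" <<'EOF'
<domain type='kvm'>
  <name>win11</name>
  <os firmware='efi'>
    <type arch='x86_64' machine='pc-q35-7.1'>hvm</type>
    <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE_4M.secboot.fd</loader>
  </os>
  <features>
    <smm state='on'/>
  </features>
  <cpu mode='host-passthrough' check='none'/>
  <devices>
    <tpm model='tpm-tis'>
      <backend type='emulator' version='2.0'/>
    </tpm>
  </devices>
</domain>
EOF

# win11_check XMLFILE
# Prints one "ok"/"MISSING" line per requirement; the return value is the
# number of missing requirements, so 0 means the VM meets them all.
win11_check() {
    xml=$1
    missing=0
    # label|basic-regexp pairs, one per requirement
    for spec in \
        "uefi-secure-boot-loader|<loader[^>]*secure='yes'" \
        "smm-feature-for-secure-boot|<smm state='on'/>" \
        "tpm-2.0-emulator|<backend type='emulator' version='2.0'/>" \
        "cpu-host-passthrough|<cpu mode='host-passthrough'"
    do
        label=${spec%%|*}
        pattern=${spec#*|}
        if grep -q -- "$pattern" "$xml"; then
            echo "ok      $label"
        else
            echo "MISSING $label"
            missing=$((missing + 1))
        fi
    done
    return $missing
}
```

<p>A TPM 1.2 backend or a loader without <listing>secure='yes'</listing> is the usual way an install silently falls back to "this PC can't run Windows 11", so those are the two lines to look at first when the check reports something missing.</p>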
<p>This machine configuration uses the qxl graphics card; when we finish the Windows installation it's advisable to install in Windows 11 the spice guest tools, which can be downloaded from <a href="https://www.spice-space.org/download/windows/spice-guest-tools/spice-guest-tools-latest.exe">spice-space.org</a>, to get good support for it and the rest of the hardware.</p>
<p>Once we've installed that, we shut the machine down and, in virt-manager, in the Windows 11 virtual machine window, we select "View", "Scale Display" and tick "Auto resize VM with window".</p>
<p>Done; with this Windows should recognise all the hardware and scale the screen to the size of our window.</p>
<p><b>Programming Retevis RT46</b> (2022-07-12)</p>
<p>So... some time ago we bought a pair of RT46 for the children. They work pretty well; however, we found out in the instructions manual that we can change a lot of parameters through software programming, like disabling CTCSS/DCS so that we can hear other radios that don't have it enabled.</p>
<p>The first thing was to get the software from Retevis. They sent me an exe that looks to be compiled for Windows XP, bad luck there, but we have an old Windows tablet around that might be able to run this.</p>
<p>So... we needed the cable, and we found this schematic:</p>
<div class="separator" style="clear: both;"><a href="http://img.mysku-st.ru/uploads/images/01/35/13/2013/03/13/d90e38.jpg" style="display: block; padding: 1em 0; text-align: center; "><img alt="schema" border="0" data-original-height="511" data-original-width="472" src="http://img.mysku-st.ru/uploads/images/01/35/13/2013/03/13/d90e38.jpg"/></a></div>
<p>To build this we would need a USB to 3.3V serial adapter (like the cable I use for <a href="http://blog.manty.net/2012/04/la-fonera-definitive-cable.html">La Fonera</a>), a couple of audio connectors (2.5 and 3.5 mm), which came out of an old Nokia audio cable and other broken things, plus a 3-pin header; we had it all.</p>
<p>After a bit of soldering we had... </p>
<img alt="this adaptor" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEDAaoLGDNVbr8x1Ql95opRPnvlIzWgHfqXqZ9PF6DujX0fMDHJ9ET0h2-ATmJrYL7zdEmEX4A1v9SPER8rsnw35qzIN8ILuIL6UhvlFV_ceUXvYV4mLE2pK3_hwN_T9AxdZDatLF6Pl5Ib5245TjrCH9YZCmnlWM8Y-B17s0ZIj_2L-h47dL1UR5STw/s1600/IMG_20220712_232622.jpg" width="100%"/>
<p>Which seemed ok, but the Windows driver for that cable saying... "pl2303hxa phased out since 2012" didn't look ok, and in fact didn't work. We googled our way to <a href="https://github.com/rubengr/PL2303HXA-Phased-Out">Ruben's github</a> and that solved it; we finally could read the values from the radio and write new ones there :-)</p>
<p>I tried to google some Linux stuff for these products but found none; maybe wine can help here, if I have the time I'll do some tests on this. Any better hint?</p>
<p><b>Opening a handle lock with a hidden access cover</b> (2022-07-06)</p>
<p>Hi.</p>
<p>Recently we had a problem with one of the handles of a lock: it turned out the screws had come loose, but... the screws weren't visible, they weren't accessible, they were hidden.</p>
<img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEidJfDCG-FjcFcIEnPgNP1sfvzO4urrRIYHcsszUxNZKkPdgBildAji1U-gRutIUWEp27zzIOxWnBL0h_zy2Xb4KIbDXeIcuhMVsiWc_Sc3LuiWKgxJSzGL9Go7qGH2okOn1x4TtS7LgIevMDQqsdA2mIqd2elysOa3lvqc2YXAE-xcgswfKaK-ObpyuQ/w479-h640/IMG_20220203_173533.jpg" width="100%" />
<p>Obviously that just meant there was a trim cover hiding the screws, but the question was... how to remove the trim cover, or which part of the lock to take apart to get to the screws or to remove the trim cover.</p>
<p>Well, after turning it over a lot, searching photos, videos and other things on the net... we did the only thing we could do: use our heads and then... remove the trim covers, because.... they had to be the way logic told us they had to be, that is...</p>
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjW1zHUVUfejHtjvIIg8mY6071Z8n4smv7ho_dWy1Lm6sixI6BVuInnFi2g-WWnnQh47BTFaZo95DrYFlVCyTK-yLoLjRmnM8RVGvgzhJqohApC-276-Rt8Lzk2G-FkZAZE4gVY7IJdez9R3WzhspYaaD8CnJboHF3CrgKFARTTgHFWS0EStu1jA-kyPw/s320/IMG_20220203_173511.jpg" width="100%" />
<p>The trim cover was press-fitted and had to be removed very carefully to damage the paint as little as possible.</p>
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8XBlfZiF4t04HUmL5YLnYIq5_l5heywLMepdO9B-jKlMRt2alEUr47pV_mfdSp7Zuancj7xFMi6vp8UhdgYDudcqGpDX85WCpnEJOkjucVNQy1QGht5-p14gL-2wM3O39ZDBBJYX6MdgIHO4GONGMn_Ff2FN9JaKk7rq1AR27ofrXmZCu86uCWVEbBA/s320/IMG_20220203_173500.jpg" width="100%" />
<p>But in the end it came off and we were able to tighten the screws and solve the problem that had been showing itself as play for months.</p>
<img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk5xInSiFnBQxJFZefK2Vq-ZCaYLu1vKezW_BeeeK0_9hqDv5H4JuPeXUyN-Ck7zrp6xTyy0pCv_iLzAj20fEAf03K83fjWurDmd0-x2Bf359AWFn9_0ldO5SiV-nvA8ZmdZVdPZGRUXPvAkzVDAJYYob-amGE9_zEFtwOBUEgp-cMqdX8aqp65Brjpg/s320/IMG_20220203_165429.jpg" width="100%" />
<p>And that's all; I hope these photos help others avoid racking their brains as much as I did, looking at videos and photos that led nowhere. There were no hidden holes or anything like that here, just press fit.</p>
<p><b>tcpping-nmap, a substitute for tcpping based on nmap</b> (2022-03-12)</p>
<p>I was about to set up tcpping-based monitoring on smokeping, but then I discovered this was based on tcptraceroute, which on Debian comes setuid root, and the alternative is to use sudo, so, any way you put it... this runs with root privileges.</p>
<p>I didn't like what I saw, so I said... couldn't we do this with nmap without needing root?</p>
<p>And so I started to write a little script that could mimic what tcpping and tcptraceroute were outputting, but using nmap.</p>
<p>The result is <a href="https://github.com/mantinan/tcpping-nmap">tcpping-nmap</a>, which does this. The only little thing is that nmap only outputs milliseconds while tcpping gets down to microseconds.</p>
<p>Hope you enjoy it :-)</p>
<p><b>SUV, or the negation of a sporty urban vehicle</b> (2022-01-11)</p>
<p>It's clear that those who coined the SUV label did it to sell, and judging by what you see on the streets, they've done it frighteningly well.</p>
<p>They've managed to sell like hotcakes cars that are more expensive, use more fuel, and are less safe both for their occupants and for pedestrians who get run over, ...</p>
<p>The thing is that, until the SUV label was defined, an urban, sporty car was the Honda Civic, or even a Citroën C2; in what way do those resemble an SUV?</p>
<p>In that they have wheels, more expensive ones, by the way, and that they wear the road more, also because of their weight and so on, of course.</p>
<p>I've wanted to write something about SUVs for a long time; if you see me driving one, it'll be because I had no other choice, and it surely won't be mine, or else... it'll be because covid got me and left me badly touched in the head.</p>
<p>I'm not going to describe all the problems an "SUV" has, you can read about them elsewhere, but maybe it isn't even necessary, because when I saw this video I said... no words needed, this explains it perfectly.</p>
<p><a href="https://twitter.com/JamesKPatterson/status/1474089696296906770">https://twitter.com/JamesKPatterson/status/1474089696296906770</a></p>
<p><b>OpenWRT dist-upgrade, or how to update your OpenWRT automatically</b> (2021-08-13)</p>
<p>I've been thinking about writing this post for a long time and with OpenWRT 21.02 hopefully coming I thought it was the perfect time, so that you could benefit from it.</p>
<p>Those of us who run Debian love the way you can go from one version to the new one (Bullseye is coming this weekend, btw) without needing to reinstall the machine each time you update, a simple apt dist-upgrade will take care of everything.</p>
<p>I love Debian, but for the really small things I enjoy OpenWRT a lot and I've always missed the Debian dist-upgrade way of things on OpenWRT.</p>
<p>At work we have a lot of OpenWRT routers, so we had a quite automated way of managing things: when we had to update, we did the sysupgrade and then logged on to the machine and executed something that installed back all the extra things we needed. It was then that I thought... hey, what if we use the sysupgrade.conf mechanism to preserve a service that would run on the first boot of the device with the new version of OpenWRT, and then this service would install all the packages we need?</p>
<p>And that's how the reinstall script (calling it a service would be too much) was born. This script takes care of reinstalling all the things that you tell it to install after a sysupgrade, so all you need to do is identify what extra packages you have installed and write their names in your /etc/reinstall.conf file, one package per line; also, if you want a service disabled, you write its name prefixed with a "-", and that's it.</p>
<p>The only limitation I've found that would annoy me is that reinstall needs a network connection to work, so... if you need some of the extra packages to establish the network connection (like a 4G connected router which needs its drivers, a full wpa client to connect with WPA-EAP, ...), reinstall will fail. I suppose I could add an option to predownload the packages, but that would need the target version of OpenWRT, so maybe that would mean that reinstall should download the sysupgrade image itself along with the packages and launch the sysupgrade... well, who knows, maybe I end up writing a beast, but right now... the device needs to be able to get a network connection with OpenWRT out of the box for reinstall to work.</p>
<p>This is a /etc/reinstall.conf of one of my machines which runs as an AP, so I don't want dhcp or other stuff, but I want some extra packages to be able to access external storage and things like that:</p>
<listing>
-dnsmasq
-uhttpd
-odhcpd
nmap
diffutils
usbutils
kmod-usb-storage
</listing>
<p>BTW: this AP of mine is an ASL26555 with 16MB of RAM which has just been updated from the 19.07 series to 21.02.0-rc4 using reinstall without any problem.</p>
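<p>An added example, not the reinstall script from the author's github: the /etc/reinstall.conf format described above (one package per line, a leading "-" meaning "disable this service") parsed by a small POSIX shell script that lists the actions a first-boot hook would take, and only runs them with opkg and /etc/init.d when DRY_RUN=0. The config it reads is a constructed sample with the same entries as the AP config above plus a comment and some stray whitespace, to show those are tolerated; the opkg and /etc/init.d commands are the real OpenWrt ones, while the comment handling, the dry-run mode and the stop-at-first-failure rule are this example's own conventions.</p>

```shell
#!/bin/sh
# Added example, not the author's reinstall script: parse a reinstall.conf
# ("pkg" installs a package, "-svc" disables a service) and run or show
# the resulting actions after a sysupgrade.

# Constructed sample config (same entries as the post's AP example, plus a
# comment and stray whitespace, which this parser tolerates).
CONF="${TMPDIR:-/tmp}/reinstall.conf.sample"
cat > "$CONF" <<'EOF'
# services this AP must not run, and packages to put back after sysupgrade
-dnsmasq
-uhttpd
-odhcpd
nmap
diffutils
  usbutils
kmod-usb-storage
EOF

# reinstall_actions CONF
# Prints one "disable NAME" or "install NAME" line per entry, in file order,
# ignoring blank lines, comments and surrounding whitespace.
reinstall_actions() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
    awk 'NF == 0 { next }
         /^-/    { print "disable", substr($0, 2); next }
                 { print "install", $0 }'
}

# reinstall_run CONF
# Applies the actions with OpenWrt's tools, after refreshing the package
# lists. With DRY_RUN=1 (the default) it only prints the commands; with
# DRY_RUN=0 it runs them and returns 1 at the first failure, so a
# half-applied config shows up in the log instead of going unnoticed.
reinstall_run() {
    {
        echo "opkg update"
        reinstall_actions "$1" | while read -r action name; do
            case "$action" in
                disable) echo "/etc/init.d/$name disable" ;;
                install) echo "opkg install $name" ;;
            esac
        done
    } | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            echo "running: $cmd"
            sh -c "$cmd" || { echo "FAILED: $cmd" >&2; exit 1; }
        fi
    done
}
```

<p>Running <listing>reinstall_run /etc/reinstall.conf</listing> with the default DRY_RUN=1 on the router before a sysupgrade is a cheap way to catch a misspelled package name in the config while the box is still reachable, rather than on the first boot of the new release.</p>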
<p>So... you need the reinstall.conf file and the script itself, which is at the end of the post; you must save it as /etc/init.d/reinstall and then do a "chmod 755 /etc/init.d/reinstall". But as I said before... we must set up sysupgrade so that reinstall survives it, so you must add to /etc/sysupgrade.conf at least the three reinstall lines that I have in this example, so that it ends up looking something like this:</p>
<listing>
## This file contains files and directories that should
## be preserved during an upgrade.
/etc/firewall.user
/etc/crontabs/root
/root
/etc/init.d/reinstall
/etc/rc.d/S99reinstall
/etc/reinstall.conf
</listing>
<p>So... now you have it all set up... when you are going to do a sysupgrade... you must first do a "/etc/init.d/reinstall enable" in order to enable the service, so that it runs when sysupgrade reboots the device; that's when reinstall installs the wanted packages.</p>
<p>The service will log its actions on /root/reinstall.log by default, then disable itself so that it is not run anymore, and then reboot the machine so that it ends up right how you wanted it to be. After that you can log on the machine to see how everything went, and hopefully your log will look something like this:</p>
<listing>
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__| |____|
          |__| W I R E L E S S   F R E E D O M
-----------------------------------------------------
OpenWrt 21.02.0-rc4, r16256-2d5ee43dc6
-----------------------------------------------------
Downloading 'http://www.google.com'
Connecting to 142.250.185.4:80
Writing to '/dev/null'
Download completed (14036 bytes)
Thu Aug 12 17:29:39 CEST 2021
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_core
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_base
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/luci/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_luci
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/luci/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_packages
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/routing/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_routing
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/routing/Packages.sig
Signature check passed.
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/telephony/Packages.gz
Updated list of available packages in /var/opkg-lists/openwrt_telephony
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/telephony/Packages.sig
Signature check passed.
Disabling -dnsmasq
Disabling -uhttpd
Disabling -odhcpd
Installing nmap
Installing nmap (7.80-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/nmap_7.80-3_mipsel_24kc.ipk
Installing libpcap1 (1.9.1-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/libpcap1_1.9.1-3_mipsel_24kc.ipk
Installing libstdcpp6 (8.4.0-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/libstdcpp6_8.4.0-3_mipsel_24kc.ipk
Installing zlib (1.2.11-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/zlib_1.2.11-3_mipsel_24kc.ipk
Installing libpcre (8.44-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/libpcre_8.44-3_mipsel_24kc.ipk
Configuring libpcre.
Configuring libpcap1.
Configuring libstdcpp6.
Configuring zlib.
Configuring nmap.
Installing diffutils
Installing diffutils (3.7-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/diffutils_3.7-3_mipsel_24kc.ipk
Configuring diffutils.
Installing usbutils
Installing usbutils (013-2) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/usbutils_013-2_mipsel_24kc.ipk
Installing librt (1.1.24-3) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/librt_1.1.24-3_mipsel_24kc.ipk
Installing libusb-1.0-0 (1.0.24-4) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/base/libusb-1.0-0_1.0.24-4_mipsel_24kc.ipk
Installing libevdev (1.10.1-1) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/libevdev_1.10.1-1_mipsel_24kc.ipk
Installing libudev-zero (0.4.5-2) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/libudev-zero_0.4.5-2_mipsel_24kc.ipk
Installing usbids (0.347-1) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/packages/mipsel_24kc/packages/usbids_0.347-1_mipsel_24kc.ipk
Configuring libevdev.
Configuring librt.
Configuring libusb-1.0-0.
Configuring libudev-zero.
Configuring usbids.
Configuring usbutils.
Installing kmod-usb-storage
Installing kmod-usb-storage (5.4.137-1) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/kmod-usb-storage_5.4.137-1_mipsel_24kc.ipk
Installing kmod-scsi-core (5.4.137-1) to root...
Downloading https://downloads.openwrt.org/releases/21.02.0-rc4/targets/ramips/rt305x/packages/kmod-scsi-core_5.4.137-1_mipsel_24kc.ipk
Configuring kmod-scsi-core.
Configuring kmod-usb-storage.
Everything went Ok, reinstall has finished without errors.
</listing>
<p>I guess that's all I have to say, hope you enjoy it. Keep in mind that embedded devices are always tricky and that if your machine is not stable... you should probably not do automatic things like this on it. As always, I take no responsibility for anything, use it at your own risk; as for me, I trust OpenWRT so much that I have just reinstalled my ASL26555 from outside using it and everything went Ok ;-)</p>
<p>So... <a href="https://github.com/mantinan/openwrt-reinstall">here is reinstall</a></p>
<p>Edit: Originally I had pasted the code in the page, but that was an error due to how badly blogger works, so... now I have published it on github and added the link to it.</p>
<p><b>Flashing a Samsung stock ROM using heimdall from the command line.</b> (2021-05-09)</p>
<p>I've read many times how to flash a Samsung official ROM from Windows using Samsung's official tools, and some other times I've read complex ways to do it using Heimdall's graphical interface, ... but I never felt any of these ways was for me.</p>
<p>Fortunately I always flash custom ROMs instead, so I never had the need to flash a stock one, till recently, when I wanted to test andOTP on old Android versions. That's when I wanted to install the ancient stock versions of a couple of Samsung phones, and luckily I came up with a quick command-line script that did it all for me.</p>
<p>WARNING: this procedure will wipe out all your data on the device in a way that you won't be able to recover it. I'm not responsible for any data loss or any damage to the device that any of the things I describe here may cause.</p>
<p>First of all you must unpack the stock ROM (typically a zip file that has inside a whatever.tar.md5 file, which is really a tar file, not an md5 one), so you untar the tar.md5 file and you get the images of the phone's partitions (recovery.img, modem.bin, boot.img, ...); you can now remove that .tar.md5 file.</p>
<p>So... if you are clear that you are going to delete all your data on the phone and want to continue, I assume you have made a good backup of your data and you have verified that the backup is ok, or that you don't mind losing it all. In any case...</p>
<p>You must start by wiping your data partition from your recovery, or from the system itself by doing a factory reset, and then going directly to the bootloader. The easiest way is by selecting reset to bootloader in the recovery after wiping data, or rebooting while pressing the bootloader key combination for your device, but making sure that you didn't boot into the system after doing the wiping.</p>
<p>If you are sure you have formatted data and booted directly to the bootloader, you may need to confirm on the bootloader that you want to "Continue" to flash your ROM; that way you'll get to the "Downloading..." droid.</p>
<p>Now that we are on the bootloader in download mode we do:</p>
<p><listing>heimdall print-pit --no-reboot > pit</listing></p>
<p>and after we have downloaded the pit file:</p>
<p><listing>heimdall flash --resume $(for i in *.*;do grep -B 1 $i pit|tr '\n' ' ';echo;done|sed "s/.*ame: \([^ ]*\) .*ame: \(.*\)/--\1 \2/"|tr '\n' ' ')</listing></p>
<p>And you are done. The script will flash all the partitions that are included in the stock ROM and after that it will reboot for the system to do its job after flashing, so... it will be a first-time boot that will take a while, but that's it.</p>
<p>Just some side notes: using --no-reboot and then --resume has never really worked for me, maybe it was a problem with heimdall's version or my devices or whatever. In those cases the second heimdall command will fail; you must reboot to the bootloader again (without going to the system, otherwise you'll have to format data again) and execute the flash command again without the --resume.</p>
<p><b>Windows and Linux software Raid dual boot BIOS machine</b> (2021-05-03)</p>
<p>One could think that nowadays having a machine with software raid doing dual boot should be easy, but... my experience showed that it is not that easy.</p>
<p>Having a Windows machine do software raid is easy (I still don't understand why it doesn't really work like it should, but that is because I'm used to Linux software raid), and having software raid on Linux is also really easy. But doing so on a BIOS-booted machine, on MBR disks (as Windows doesn't allow GPT on BIOS), is quite a pain.</p>
<p>The problem is how Windows does all this, with its dynamic disks. What happens is that you go from a partitioning like this:</p>
<p><listing>/dev/sda1 * 2048 206847 204800 100M 7 HPFS/NTFS/exFAT
/dev/sda2 206848 312580095 312373248 149G 7 HPFS/NTFS/exFAT
/dev/sda3 312580096 313165823 585728 286M 83 Linux
/dev/sda4 313165824 957698047 644532224 307,3G fd Linux raid autodetect
</listing></p><p>To something like this:</p><p><listing>/dev/sda1 63 2047 1985 992,5K 42 SFS
/dev/sda2 * 2048 206847 204800 100M 42 SFS
/dev/sda3 206848 312580095 312373248 149G 42 SFS
/dev/sda4 312580096 976769006 664188911 316,7G 42 SFS
</listing></p><p>These are the physical partitions as seen by fdisk; the logical partitions are of course still as before, so there is no problem accessing them under Linux or Windows. What happens here is that Windows is using the first sectors for its dynamic disks stuff, so... you cannot use those to embed grub's core image there :-(</p><p>So... the solution I found was to install Debian's mbr and make it boot grub, but then... where do I store grub's core image? To do this I'm using a btrfs /boot on partition 3, as btrfs leaves room for embedding it, and I set up the software RAID with ext4 on partition 4, as you can see in my first partition dump. Of course, you can have just btrfs with its own software RAID, then you don't need the fourth partition or anything.</p><p>There are however some caveats in doing all this: I found that I had to install grub manually using grub-install --no-floppy on /dev/sda3 and /dev/sdb3, as Debian's grub refused to give me the option to install there; also... several warnings came out as a result, but things work OK anyway.</p><p>One more warning: I did all this on Buster, but it looks like Grub 2.04, which is included in Bullseye, has gotten a bit bigger, so at least on my partitions there was no room for it and I had to leave the old Buster grub around for now. If anybody has any ideas on how to solve this... they are welcome.<br /></p>Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com1tag:blogger.com,1999:blog-7692747369842058378.post-21342435761592846282020-05-20T23:59:00.000+02:002020-05-20T23:59:38.702+02:00Working remotely on Debian<p>The current situation has pushed many of us into working remotely, something for which there are many options; let's talk about some of them.</p>
<h3>SSH</h3>
<p>It is the remote access system par excellence; we have all used it forever, or at least since security on the network started to matter, although it wasn't always like that: the old-timers among us used telnet, but better not to talk about such recklessness, right? ;-)</p>
<p>Secure shell, as its name says, is designed to give access to a shell, that is, remote access to a text-mode environment, but as you probably know it can tunnel all sorts of things, from ports to forwarding of X clients.</p>
<p>Although SSH lets us reach our X clients and bring them to the local X server on our home computer, X was not designed for client and server to be separated by WAN latencies, so even with a gigabit of bandwidth our remote X applications will be very slow. So let's see what we can use for the graphical part...</p>
<h3>x2go</h3>
<p>It is surely the most elaborate and most complex remote access system; it supports more than just Linux, but... if you try it you will see that it does lots of things on its own without telling us, so one keeps wondering... what is all this for? Debian has packages for both the server and the client side, though as I said it struck me as too complex and not transparent enough.</p>
<p>However, if we look under the hood we see it uses NX technology, which I find simpler and easier to understand.</p>
<h3>NX</h3>
<p>It is a technology that lets us use native X applications as they are; it is based on proxying the X clients so that events suffer less latency and everything flows more smoothly. On top of that we add an X server on the remote side, which gives us better responsiveness and persistent sessions.</p>
<p>Using it is simple, let's see an example. The idea is that we log into the remote system with ssh -L 4008:localhost:4008 host.remoto (we forward port 4008, which is the port the NX proxy uses when we run it on display :8), and there we run a proxy that we connect to from localhost through the forwarded port. That is the proxying part, but we also add the agent, which provides an X server on the remote side on which we launch the X applications and which also gives us a persistent session we can disconnect from and reconnect to whenever we want. Let's see this:</p>
<listing>
Remote: nxproxy -C :8 &
Local:  nxproxy -S localhost:8 &
Remote: nxagent -display nx/:8 -geometry 1276x976 :9 &
Remote: DISPLAY=:9 startlxqt
</listing>
<p>In the example we start lxqt, but anything can be started. This session is persistent, since as we said we are starting an X server on the remote machine (DISPLAY :9 in this case) that the X applications talk to. Even if we shut down the local machine, the connection drops or whatever, we can reconnect. To do so we only need to restart the remote and local proxy parts and then tell nxagent that we want it to send us the display again, for example with:</p>
<listing>killall -HUP nxagent</listing>
<h3>VNC</h3>
<p>What can one say about VNC, it has been around for many years.</p>
<p>We have the Windows-style server in the x11vnc package, which we can start like this:
<listing>
x11vnc -rfbport 5900 -bg -o %HOME/.vnc/x11vnc.log.%VNCDISPLAY -rfbauth ~/.vnc/passwd -display :0
</listing>
or the tigervnc-scraping-server, which like the previous one lets us reach an X session that is already running through a VNC client, although now we also have the X extension tigervnc-xorg-extension, which gives the same functionality much more efficiently. These are fine for seeing what is on a machine's screen and, for example, offering remote help.</p>
<p>Besides, we have tigervnc-standalone-server and tightvncserver, which let us have as many X sessions as we want (they are not tied to our graphics card or anything) and reach them remotely via VNC, and of course several VNC-specific clients such as tigervnc-viewer and xtightvncviewer, plus others that support VNC and other protocols.</p>
<p>VNC's perennial handicap is that everything goes in the clear, nothing is encrypted (TigerVNC can negotiate TLS on its own, but the classic servers and clients cannot), so in practice it needs SSH or similar to encrypt the data: bind the server to the loopback interface (x11vnc -localhost, vncserver -localhost) and reach it through an SSH port forward.</p>
<h3>RDP</h3>
<p>This protocol, designed by Microsoft, now has both servers and clients for Linux; it needs much less bandwidth than VNC and supports several kinds of encryption, both its own and even a TLS layer.</p>
<p>As with VNC we also have servers that give access to an existing X server, such as freerdp-shadow-cli in the freerdp2-shadow-x11 package. We can launch it with this command to reach the X session running on :0:</p>
<listing>DISPLAY=:0 freerdp-shadow-cli /port:12345</listing>
<p>As with VNC, this is very useful for remote help. It is worth keeping <a href="https://bugs.debian.org/958230">this bug</a> in mind though, as it makes authentication fail until it is fixed, so we either rebuild the package or add the -auth parameter, but then anyone who can reach the port can take control of the X session.</p>
<p>We also have clients like the classic rdesktop or xfreerdp from the freerdp2-x11 package, and other clients that support VNC, RDP and more, such as GNOME's vinagre or remmina.</p>
<p>But if what we want is remote access to a persistent Linux working environment we have to look at xrdp, a full RDP server that gives access to as many Linux desktop sessions as we want; these sessions are persistent and we can connect to and disconnect from them whenever we want. It also supports sound, although that requires building the modules following <a href="https://github.com/neutrinolabs/pulseaudio-module-xrdp/wiki/README">these instructions</a>; playback is standard, so it works with any client, but if we want to send our microphone to the server we have to use, for example, buster's rdesktop package (I tested it and it works) or some other compatible one, since they made a non-standard implementation :-(</p>
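<p>VNC in the clear and the freerdp-shadow-cli -auth workaround above share the same mitigation: those listeners must only be reachable through the SSH tunnel, never from the network. The following is an added example, not something from the original post: a shell filter over the output of ss -ltn that reports remote-desktop listeners bound to anything other than a loopback address. The watched port list (5900-5999 for VNC, 3389 for RDP, plus 12345 and 4008 as used in the examples above) is my own choice and the ss output it runs on is constructed.</p>

```shell
#!/bin/sh
# Added example (not from the original post): flag remote-desktop listeners
# that are reachable from the network instead of only through an SSH tunnel.
# Input is the output of "ss -ltn"; the watched ports are an assumption:
# VNC 5900-5999, RDP 3389, and the ports used in the post (12345 for
# freerdp-shadow-cli, 4008 for the nxproxy on display :8).

# exposed_desktop_listeners < ss-output : prints each LISTEN socket's
# local address:port when the port is watched and the address is not loopback.
exposed_desktop_listeners() {
    awk '
        $1 != "LISTEN" { next }                       # header and non-listeners
        {
            n = split($4, a, ":")                     # port is the text after the last ":"
            port = a[n] + 0
            addr = substr($4, 1, length($4) - length(a[n]) - 1)
            watched = (port == 3389 || port == 4008 || port == 12345 || (port >= 5900 && port <= 5999))
            loopback = (addr ~ /^127\./ || addr == "[::1]" || addr == "localhost")
            if (watched && !loopback) print $4
        }'
}

# exposed_desktop_count < ss-output : number of such listeners; 0 is the goal.
exposed_desktop_count() {
    exposed_desktop_listeners | awk 'END { print NR }'
}

# Constructed "ss -ltn" output: a VNC server open to the world, a second one
# bound to loopback, xrdp on every IPv6 address, the NX proxy on loopback
# only, the freerdp shadow server on every address, and sshd (not watched).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*
LISTEN  0       128     127.0.0.1:5901       0.0.0.0:*
LISTEN  0       128     [::]:3389            [::]:*
LISTEN  0       128     [::1]:4008           [::]:*
LISTEN  0       128     *:12345              *:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
EOF
}
```

<p>On the machine running the servers, ss -ltn | exposed_desktop_listeners should print nothing. For every line it does print, restart that server bound to loopback (x11vnc -localhost, vncserver -localhost) and reach it with ssh -L 5900:localhost:5900 host from the client, or at the very least restrict the port with the host firewall; the xrdp case is the one where binding to loopback is not an option, so there the protocol's own TLS plus a firewall rule is what is left.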
<p>I'm not going to talk about more protocols (there are some) but I did want to mention something I find very interesting, a powerful web client for all these protocols and more...</p>
<h3>Guacamole</h3>
<p>This one we don't have in Debian, although there was an old packaging attempt and you can probably still find the old packages around; I don't recommend them because they have several security bugs. This client is fairly complex, with several parts, Java-based, needs at least a tomcat to run the server... but in exchange we get access to RDP, VNC, ssh... servers with two-factor authentication in several flavours, and the client needs nothing more than a web browser, which can lighten the requirements for workers who have to connect remotely.</p>
<p>Well, that is all I can think of right now; you can suggest other ideas in the comments.</p>
<p>Regards.</p>Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com1tag:blogger.com,1999:blog-7692747369842058378.post-91492290776592895462019-11-23T01:00:00.000+01:002019-11-23T01:00:03.409+01:00ING and PSD2<p>ING seems to want all its customers to have its app installed and to operate through it. The truth is that many people don't treat their phone as a trusted device and don't like having anything bank-related on it; I have to admit I am one of those people, which is why I was stunned to learn that on the 20th ING sent its users e-mails saying that either they install the app or they won't be able to operate from the 25th.</p>
<p>In short, ING has given its customers 5 days to install the app :-O From what I read afterwards it seems this had been coming for a while, so I understand this e-mail is the final warning before cutting off their access.</p>
<p>I started looking a bit into this ING app business and I wonder to what extent it complies with PSD2. PSD2 is supposed to make access more secure; everyone talks about a second authentication factor, which is fine, and I understand they want an app because they don't want to pay for SMS. What I don't understand is that to get into that app I have to enter every authentication factor I have with the bank, which in ING's case are the national ID number (DNI) and date of birth (two pieces of data that, while not always public, are very easy to obtain) plus a 6-digit numeric code.</p>
<p>For years I've wondered what kind of people run security at banks. I've already had my problems with ING: the e-mail address I used only with them ended up in the hands of spammers, as happened to another person who also contacted ING and got the same answer I did, namely that it wasn't ING's fault and they had not suffered any kind of data leak.</p>
<p>All this is a monumental mess, so much so that I don't know what else to add, so I'll lay out how I would make the app a valid and secure second factor, so that people like me who don't trust the security of our toys wouldn't flee the bank over this kind of reckless move.</p>
<p>The app isn't the problem; the problem is that it asks for the same data as the website, so it does nothing to improve security; on the contrary, it weakens it. But if instead of asking for the code and all that it only asked for the DNI, and then required you to enter a code obtained from the website or similar, binding that app installation to that user (with strong cryptography and so on), we would have a secure channel through which the bank can send that user their second factor without spending a penny, and without the user having to put their account's security at risk by installing the app on a system that, at least in my case, I consider less secure than the computers from which I access my banks.</p>
<p>Anyway, ING people, it's hard to believe you've been at this so long and know so little about your customers or people in general; mixing toys with electronic security... doesn't seem like a good idea, and many people think their phones are fine for games, entertainment... but they already hold too much of our data to put the bank's on top. Bad idea; think it over again and then we'll talk.</p>
<p>Regards.</p>Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com1tag:blogger.com,1999:blog-7692747369842058378.post-12130125891994393342019-09-10T23:49:00.000+02:002019-09-10T23:49:38.028+02:00mdadm: how to add a disk to do a replacementWhen playing with two-disk RAID 1 devices it is typical that when one drive fails you just remove it, replace it with a new one and that's it.<br />
But... what if the drive that is left finds an error when you are reconstructing the array? Then... you have a problem.<br />
So when replacing a disk that is starting to fail... it would be better to use the two disks instead of just discarding one.<br />
Luckily the Linux software raid system allows you to add a third disk and sync the array to this disk from the other two, this way, you have two disks to feed the new one and if you are lucky enough you get a good copy of each of the sectors of the raid 1 array to finish the job.<br />
The commands to do this would be... first to add the new disk:<br />
<listing>mdadm --add /dev/md1 /dev/sdc1</listing>
which just adds it as a spare, but then you tell Linux you want it to use the three disks as active disks like this:
<listing>mdadm --grow /dev/md1 -f -n 3</listing>
When this finishes you should have all three disks active in the array, or maybe you get failed drives along the way, but hopefully you end up with the new drive holding a full copy of the data, so... all you have to do is get back to the two-disk setup. For this, if you don't have the failing drive marked as failed already... you fail it:
<listing>mdadm --fail /dev/md1 /dev/sda1</listing>
and then you remove it from the array like this:
<listing>mdadm --remove /dev/md1 /dev/sda1</listing>
and put the array in the two disks mode like it was before:
<listing>mdadm --grow /dev/md1 -f -n 2</listing>
And that's it :-)<br />
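The step you should not skip is confirming that the rebuild onto the new disk actually finished before failing and removing the old one. As an added example, not part of the original post, here is a shell check over /proc/mdstat that reports the array state and lists the members mdadm has flagged as failed; the three /proc/mdstat snapshots it is exercised on are constructed, not captured from a real machine.<br />

```shell
#!/bin/sh
# Added example, not from the original post: check /proc/mdstat between the
# mdadm steps above. The snapshots below are constructed.

# md_state NAME < /proc/mdstat : "syncing" while a recovery/resync/reshape is
# running, "synced" when every slot in [n/m] is filled, "degraded" when slots
# are empty and nothing is rebuilding, "missing" if NAME is not in the file.
md_state() {
    awk -v md="$1" '
        $1 == md && $2 == ":" { inarr = 1; found = 1; next }
        inarr && /^[ \t]*$/   { inarr = 0 }             # blank line ends the array block
        inarr && match($0, /\[[0-9]+\/[0-9]+\]/) {        # the [total/up] counter
            split(substr($0, RSTART + 1, RLENGTH - 2), p, "/")
            total = p[1]; up = p[2]
        }
        inarr && /(recovery|resync|reshape) *=/ { busy = 1 }
        END {
            if (!found)           print "missing"
            else if (busy)        print "syncing"
            else if (up == total) print "synced"
            else                  print "degraded"
        }'
}

# md_failed_members NAME < /proc/mdstat : members marked (F), one per line.
md_failed_members() {
    awk -v md="$1" '
        $1 == md && $2 == ":" {
            for (i = 5; i <= NF; i++)                     # members follow "active raid1"
                if ($i ~ /\(F\)/) { sub(/\[.*/, "", $i); print $i }
        }'
}

# Constructed snapshots: while the third disk is being filled, after the
# rebuild finished, and after "mdadm --fail /dev/md1 /dev/sda1".
mdstat_rebuilding() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdc1[2] sdb1[1] sda1[0]
      976630464 blocks super 1.2 [3/2] [UU_]
      [==>..................]  recovery = 12.5% (122078816/976630464) finish=71.2min speed=200000K/sec

unused devices: <none>
EOF
}
mdstat_done() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdc1[2] sdb1[1] sda1[0]
      976630464 blocks super 1.2 [3/3] [UUU]

unused devices: <none>
EOF
}
mdstat_after_fail() {
    cat <<'EOF'
Personalities : [raid1]
md1 : active raid1 sdc1[2] sdb1[1] sda1[0](F)
      976630464 blocks super 1.2 [3/2] [_UU]

unused devices: <none>
EOF
}
```

Poll it after the --grow to 3 devices, for example until [ "$(md_state md1 < /proc/mdstat)" = synced ] with a sleep in between, and only then run the --fail; md_failed_members md1 < /proc/mdstat then confirms which member to --remove before shrinking back to 2 devices. If md_state reports degraded without you having failed anything, one of the old disks dropped out during the copy and the new disk may not have a complete image, which is exactly the case this procedure is meant to catch.<br />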
All these commands were tested on a Debian 10 (Buster) setup, hope they help you.<br />
Regards.Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com0tag:blogger.com,1999:blog-7692747369842058378.post-51189136503599682052019-07-31T17:28:00.000+02:002019-07-31T17:28:07.689+02:00"Plumbing" season (thermostatic taps and more)It seems we are in that time of year when I have to deal with this kind of thing; this time it was replacing a toilet cistern tap, replacing a bathtub tap with a single-lever mixer and finally "fixing" a thermostatic tap.<br />
<br />
If last weekend I enjoyed the shower in the village bathtub after replacing the old tap with a single-lever mixer, which will also stop us wasting water and let anyone close it, I can't tell you how much I enjoyed today's shower after a spell of nearly scalding myself in the shower at home because the thermostatic tap wasn't working as it should.<br />
<br />
I won't lie, the thermostatic one had me a bit scared because I had never taken one apart, and this was in a shower column I use daily, so if spare parts took a while to arrive I would be without that bathroom. Anyway, after watching some YouTube videos <a href="https://www.youtube.com/watch?v=CWTT7zIphl8">explaining how it is cleaned</a>, <a href="https://www.youtube.com/watch?v=a9le4Pi_vo8">how they are taken apart inside</a>
(this one looks a lot like mine) and above all seeing on a column <a href="https://www.youtube.com/watch?v=Ax2dDOfw7zA">how it is removed</a>, and that AliExpress (it hadn't occurred to me) has quite a few generic models...<br />
<br />
Yesterday I got down to it: I took the cartridge out, dismantled it, put all the parts in 50% vinegar water (respecting the half-hour maximum so as not to damage the seals) and then went at it with a toothbrush and so on to remove all the dirt from 10 years of use. Then reassemble, apply petroleum jelly to everything and test it; miraculously that was all, it worked!<br />
<br />
This morning I was finally able to take a cool shower to go with the summer heat; you can't imagine how much yesterday's work was appreciated, and above all how little what seemed so difficult cost in the end. I honestly thought the least it would take was replacing the cartridge, but in the end, as you see, with a cleaning... done.Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com0tag:blogger.com,1999:blog-7692747369842058378.post-78411090576386888602019-06-04T00:04:00.000+02:002019-06-04T00:04:24.809+02:00Routing failures at MasMovil and also in its ZTE F680For a while now I have been a MasMovil fibre customer; since then my router has been a ZTE F680 and I have been suffering certain problems both with the MasMovil connection and with the router itself.<br />
<br />
About MasMovil's problem: it is a routing problem between hosts on MasMovil's network that are outside its CGNAT (Carrier Grade NAT), that is, those who have asked to have a direct Internet IP on their router rather than sitting behind MasMovil's firewalls.<br />
<br />
Between some of these MasMovil IPs (not all, but some) most of the traffic is lost. For example, right now I have IP 46.6.0.131 and a while ago I had 46.6.5.195; from these, a ping to 46.6.11.88 or 46.6.11.223 shows losses of around 90%, as can be seen:<br />
<listing>PING 46.6.11.223 (46.6.11.223) 56(84) bytes of data.
64 bytes from 46.6.11.223: icmp_seq=12 ttl=61 time=45.8 ms
64 bytes from 46.6.11.223: icmp_seq=36 ttl=61 time=46.1 ms
64 bytes from 46.6.11.223: icmp_seq=41 ttl=61 time=44.8 ms
^C
--- 46.6.11.223 ping statistics ---
45 packets transmitted, 3 received, 93.3333% packet loss, time 998ms
rtt min/avg/max/mdev = 44.786/45.542/46.052/0.572 ms</listing>
I have tried to contact MasMovil about this problem, which prevents any TCP connection between these MasMovil customer IPs, without getting anywhere (I couldn't reach a high enough support level; they just checked that my line was fine, which I already know: I lose no traffic towards the Internet, only towards certain MasMovil IPs).<br />
<br />
On the other hand, I have just "solved" the router's own problem. It is really a workaround, but well, I'm happy now.<br />
<br />
The F680's problem, at least on firmware versions ZTEGF6804P1T6 and ZTEGF6804P1T13, is that when you define a port forwarding and then try, from the internal network, to reach the forwarded port on the external IP, the first time it works without problems but the second time it hangs as if the packets were being DROPped, and so on alternately; that is, only about half the connections work.<br />
<br />
The way I found to avoid this problem, which for example stopped me from reaching my own website from my own connection, is to use the DMZ instead of a port forwarding. This is using a sledgehammer to crack a nut, but at least it doesn't seem to cause those problems; of course we must enable a firewall on the machine we put in the DMZ, since it will no longer be protected by the ZTE's firewall and every port it listens on becomes reachable from the Internet.<br />
<br />
I hope this last part helps you solve the problems you may have with your ZTE F680; so far it has been the only problem I've had with it. If I could get MasMovil to review the routing problem and fix it, that would be the icing on the cake :-)<br />
Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com1tag:blogger.com,1999:blog-7692747369842058378.post-44913198116259142312017-01-07T22:21:00.000+01:002017-01-07T22:21:29.580+01:00061 in Galicia, equivalent phone number
<p>I still don't understand the practice of not giving the equivalent phone numbers for special numbers in any service; that way the people calling, or the company providing the service, are subject to whatever charges the carriers apply, whereas if the equivalent numbers are given the calls fall within the plans we have with our carriers, normally at a lower cost or free.</p>
<p>One example of this is the 061 number, which in Galicia is run by the <a href="http://061.sergas.es">Fundación Pública Urxencias Sanitarias de Galicia</a>, whose website specifies a contact form (if you are not in a hurry) and the numbers 061 and 902 400 116 as the way to contact them if we are in a hurry. It was precisely this last number that led me to <a href="http://www.nomas900.org/902400116">Danae's entry</a> on <a href="http://www.nomas900.org/">no más 900</a>, which lists 981953400 as the equivalent of 061 in Galicia; I tried it and it works perfectly.</p>
<p>Anyway... let's hope that little by little the bodies and companies still using 901/902 and other special numbers provide the equivalents so we can cut off this special-number business.</p>Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com0tag:blogger.com,1999:blog-7692747369842058378.post-27185372686621068112015-05-04T17:25:00.000+02:002017-01-02T22:07:52.415+01:00ScreenLock on Jessie's systemd<p>Something I was used to, and which came as standard on wheezy if you installed acpi-support, was screen locking when you were suspending, hibernating, ...</p>
<p>This is something I still hadn't found on Jessie, and somebody had pointed me to solving it via /lib/systemd/system-sleep/whatever hacking, but that didn't seem quite right, so I gave it a look again and this time I was able to add a config file under /etc/systemd and a script which does what acpi-support used to do before.</p>
<p><b>Edit:</b> Michael Biebl has suggested on my google+ post that this is an ugly hack and that one shouldn't use this solution; instead what we should use are solutions with direct support for logind, like desktops with built-in support or xss-lock. The reasons for this being ugly are pointed out in <a href="https://bugs.debian.org/755888">this bug</a></p>
<p><b>Edit (2):</b> I've just done the recommended thing for LXDE but it should be similar for any other desktop or window manager lacking logind integration, you just need to apt-get install xss-lock and then add @xss-lock -- xscreensaver-command --lock to .config/lxsession/LXDE/autostart or do it through lxsession-default-apps on the autostart tab. Oh, btw, you don't need acpid or the acpi-support* packages with this setup, so you can remove them safely and avoid weird things.</p>
<p>The main thing here is this little config file: <b>/etc/systemd/system/screenlock.service</b></p>
<listing>
[Unit]
Description=Lock X session
Before=sleep.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/screenlock.sh
[Install]
WantedBy=sleep.target
</listing>
<p>This config file is activated by running: <b>systemctl enable screenlock</b></p>
<p>As you can see that config file calls <b>/usr/local/sbin/screenlock.sh</b> which is this little script:</p>
<listing>
#!/bin/sh
# This depends on acpi-support being installed
# and on /etc/systemd/system/screenlock.service
# which is enabled with: systemctl enable screenlock
test -f /usr/share/acpi-support/state-funcs || exit 0
. /etc/default/acpi-support
. /usr/share/acpi-support/power-funcs
if [ x$LOCK_SCREEN = xtrue ]; then
    . /usr/share/acpi-support/screenblank
fi
</listing>
<p>The script of course needs execution permissions. I tend to combine this with my power button making the machine hibernate, which was also easier to do before and which is now done at <b>/etc/systemd/logind.conf</b> (doesn't the name already tell you?) where you have to set: <b>HandlePowerKey=hibernate</b></p>
<p>And that's all.</p>
Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com4tag:blogger.com,1999:blog-7692747369842058378.post-26807489595700121642015-04-15T00:15:00.001+02:002015-04-15T00:15:27.770+02:00Hello Debian Planet and Jessie's question<p>This was just meant to say hello to the Debian Planet readers, but I'll end it with a Jessie related question, so...</p>
<h4>Intro</h4>
<p>For those who don't know me, I was born in Betanzos, A Coruña, Galicia, in the North-West of Spain, and I currently live in A Coruña. I've been a Debian developer since the year 2000, when I was quite a bit more involved than I am currently (life changes), but I'm always hoping to be able to dedicate more time to the project; I hope this will happen when my two children grow up a little.</p>
<p>I had been wanting to send my blog's Debian related posts to the planet but always failed to do so, yesterday I found the planet wiki page and I said... it's so easy that I don't have any excuse not to do it, so here I am.</p>
<p>Oh, BTW... if I ever comment on Debian's anniversary (16th of August) that at Betanzos we are launching <a href="http://www.tesourosdegalicia.com/en/el-globo-de-san-roque-de-betanzos/">a really huge paper balloon</a>, it is not to commemorate Debian's date but in honour of San Roque, even though maybe we should talk to the Pita family to have Debian's logo on it for our 25th anniversary :-)</p>
<h4>Jessie's question</h4>
<p>In Jessie we no longer have update-notifier-common, which had the /etc/kernel/postinst.d/update-notifier script that allowed us to automatically reboot on a kernel update. I have apt-file searched for something similar but I haven't found it, so... who is now responsible for echoing to /var/run/reboot-required.pkgs on a kernel upgrade so that the system reboots itself if we have configured unattended-upgrades to do so?</p>
<p>I really miss this stuff, I don't know if it should be on the kernel, on unattended-upgrades or where, but now that we have whatmaps... we need this feature to round it all.</p>
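<p>For what it's worth, the old update-notifier hook did little more than drop two files into /var/run, and /var/run/reboot-required is the flag unattended-upgrades looks for when Unattended-Upgrade::Automatic-Reboot is enabled. What follows is an added example, not something from Debian or from this post: a replacement kernel postinst hook with the same effect. The hook's file name is hypothetical; it assumes dpkg exports DPKG_MAINTSCRIPT_PACKAGE to the maintainer script that runs the hooks (it does) and that the kernel postinst passes the new version as the first argument.</p>

```shell
#!/bin/sh
# Added example, not part of the original post or of any Debian package:
# a kernel postinst hook recreating what update-notifier-common's
# /etc/kernel/postinst.d/update-notifier did, so that unattended-upgrades
# with Unattended-Upgrade::Automatic-Reboot "true" reboots after a kernel
# update. Hypothetical install path: /etc/kernel/postinst.d/zz-reboot-required
# (mode 0755). dpkg passes the package name in DPKG_MAINTSCRIPT_PACKAGE and
# the kernel postinst passes the new kernel version as $1.

# mark_reboot_required STATEDIR PACKAGE : write STATEDIR/reboot-required and
# add PACKAGE once to STATEDIR/reboot-required.pkgs. STATEDIR is /var/run in
# production; it is a parameter so the function can be exercised on a temp dir.
mark_reboot_required() {
    dir=$1
    pkg=$2
    [ -n "$pkg" ] || return 1
    # Same one-line text the update-notifier flag file carried.
    printf '*** System restart required ***\n' > "$dir/reboot-required"
    [ -f "$dir/reboot-required.pkgs" ] || : > "$dir/reboot-required.pkgs"
    # -F: package names contain dots, which must not act as regex wildcards;
    # -x: whole-line match so linux-image-3.16 does not match linux-image-3.16.0-4.
    grep -qxF -- "$pkg" "$dir/reboot-required.pkgs" \
        || printf '%s\n' "$pkg" >> "$dir/reboot-required.pkgs"
}

# reboot_pending STATEDIR : exit 0 if a reboot has been requested, 1 otherwise.
reboot_pending() {
    [ -f "$1/reboot-required" ]
}

# Only act when run as a kernel hook (run-parts invokes it by full path);
# sourcing this file for testing does nothing.
case "$0" in
    /etc/kernel/postinst.d/*)
        mark_reboot_required /var/run "${DPKG_MAINTSCRIPT_PACKAGE:-linux-image-$1}"
        ;;
esac
```

<p>Installed under /etc/kernel/postinst.d/, it runs on every linux-image install or upgrade; unattended-upgrades then reboots at its next run (or at the configured Automatic-Reboot-Time), and reboot-required.pkgs keeps the list of packages that asked for it, one line each, without duplicates.</p>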
<h4>End</h4>
<p>Well, to finish I just want to say that I'm very happy to be a part of the Debian community and that I enjoy reading you guys on the planet. Thanks a lot to all the Debian folks for making Debian not only a great OS, but also a great community.</p>Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com5tag:blogger.com,1999:blog-7692747369842058378.post-26015070226499831332015-03-22T02:29:00.001+01:002015-04-13T20:39:32.632+02:00Hard asterisk times (or how sip made me unhappy till I fixed this peer definition)It must be that I no longer touch asterisk like I used to, because it took me a while these last few days to write a type=peer section.<br />
<br />
At my first attempt, copying the entry from an old peer definition, I was getting a "404 Not Found" message, with the asterisk server not even trying to authenticate to the peer when I tried to make a phone call.
I thought it was a problem with my asterisk not wanting to authenticate, but it wasn't. What should have happened is that asterisk should have gotten a "401 Unauthorized" message, and then it would try to authenticate.<br />
<br />
After reading a lot I came to the solution by myself, comparing asterisk's messages with those of a csipsimple client I had running; my asterisk was saying something like...<br />
<br />
<listing>From: "Anonymous" &lt;sip:username@anonymous.invalid&gt;;tag=xxxx</listing><br />
<br />
While the csipsimple client had the server (IP or hostname) specified instead of anonymous.invalid. This first problem was solved with a fromdomain=whateveryourpeerexpects line on the peer definition.<br />
<br />
So I then got the 401 message and asterisk was trying to authenticate, but this server was expecting an authuser on the registration (what is also called the digest username, ...) and even though the asterisk sip.conf documentation has examples of how to use authuser on "register" lines, there is none explaining how to do that on a peer definition. I found a lot of docs explaining how to do it in ways that people said weren't working, patches for asterisk, ... I tested and tested and nothing worked.<br />
<br />
I was almost going to go to bed again without fixing this (and it was about time, 2AM already) when I started to test things by myself and found that defaultuser is where I should specify this authuser; in fact I had tested this already, but it was while I was getting the 404 error, so it wouldn't work until I fixed that.<br />
<br />
If you read the sip.conf doc, you'll find:<br />
;defaultuser=yourusername ; Authentication user for outbound proxies<br />
which is quite clear and is why I had tested it first, but getting the 404 message made it not work, so in the end my peer looks like this:<br />
<listing>
[thepeer]
type=peer
host=thehostip
nat=no
disallow=all
allow=ulaw
allow=alaw
fromdomain=thehostip
defaultuser=theauthuser
fromuser=theotheruser
secret=thepassword
</listing>
:-)<br />
Santiago García Mantiñánhttp://www.blogger.com/profile/04766337312954063775noreply@blogger.com0tag:blogger.com,1999:blog-7692747369842058378.post-20017640559259976112014-12-28T01:44:00.002+01:002015-04-13T20:38:54.598+02:00haproxy as a very very overloaded sslh <p>After using haproxy at work for some time I realized that it can be configured for a lot of things. For example, it knows about SNI (on SSL it is the method we use to learn which host the client is trying to reach, so that we know which certificate to present and can thus multiplex several virtual hosts on the same SSL IP:port) and it also knows how to make transparent proxy connections (the connections go through haproxy but the backend server will think they arrive directly from the client, as it will see the client's IP as the source IP of the packets).</p>
<p>With these two little features, which are available on haproxy 1.5 (Jessie's version has them all), I thought I could try to substitute sslh with haproxy, giving me a lot of possibilities that sslh cannot offer.</p>
<p>With this in mind I thought I could multiplex several SSL services, not only https but also openvpn or similar, on port 443 and also have these services arrive transparently at the final server. So what I wanted was not to mimic sslh (which can be done with haproxy) but to get the semantics I needed, which are similar to sslh but with more power and slightly different behaviour, because I liked it that way.</p>
<p>There is however one caveat I don't like about this setup: to achieve the transparency haproxy has to run as root, which is not something one likes :-( so, having transparency is great, but we'll be taking some risks here which I personally don't like; to me it isn't worth it.</p>
<p>Anyway, here is the setup. It basically consists of the haproxy configuration, but if we want transparency we'll have to add a routing and iptables setup to it; I'll describe the whole setup here.</p>
<p>Here is what you need to define on /etc/haproxy/haproxy.cfg:</p>
<listing>
frontend ft_ssl
    bind 192.168.0.1:443
    mode tcp
    option tcplog
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    acl sslvpn req_ssl_sni -i vpn.example.net
    use_backend bk_sslvpn if sslvpn
    use_backend bk_web if { req_ssl_sni -m found }
    default_backend bk_ssh

backend bk_sslvpn
    mode tcp
    source 0.0.0.0 usesrc clientip
    server srvvpn vpnserver:1194

backend bk_web
    mode tcp
    source 0.0.0.0 usesrc clientip
    server srvhttps webserver:443

backend bk_ssh
    mode tcp
    source 0.0.0.0 usesrc clientip
    server srvssh sshserver:22
</listing>
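<p>To make it clear what the frontend above is actually looking at, here is an added example (not part of the original post) that parses a raw TLS ClientHello the way haproxy's req_ssl_hello_type and req_ssl_sni fetches do and applies the same backend choice: SNI vpn.example.net goes to bk_sslvpn, any other SNI to bk_web, and anything without SNI (a ClientHello without the extension, or a non-TLS client such as ssh) to bk_ssh. The hostnames and the sample ClientHello are constructed for the example.</p>

```python
"""Added example, not the article's code: mirror haproxy's req_ssl_hello_type /
req_ssl_sni inspection and the backend selection of frontend ft_ssl."""
import struct


def extract_sni(data):
    """Return (is_client_hello, sni) for the first TLS record in data.

    is_client_hello is False for anything that is not a TLS handshake record
    carrying a ClientHello (req_ssl_hello_type 1); sni is None when the
    ClientHello has no server_name extension (req_ssl_sni -m found fails).
    """
    # TLS record header: content type(1) version(2) length(2); handshake = 22
    if len(data) < 5 or data[0] != 22:
        return False, None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    # Handshake header: msg type(1) length(3); ClientHello is type 1
    if len(hs) < 4 or hs[0] != 1:
        return False, None
    try:
        p = 4 + 2 + 32                                    # version + random
        sid_len = hs[p]; p += 1 + sid_len                 # session id
        cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len
        cm_len = hs[p]; p += 1 + cm_len                   # compression methods
        if p + 2 > len(hs):
            return True, None                             # no extensions at all
        ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
            body = hs[p:p + elen]; p += elen
            if etype == 0:                                # server_name extension
                q = 2                                     # skip list length
                while q + 3 <= len(body):
                    ntype = body[q]
                    nlen = struct.unpack("!H", body[q + 1:q + 3])[0]
                    q += 3
                    if ntype == 0:                        # host_name entry
                        return True, body[q:q + nlen].decode("ascii", "replace")
                    q += nlen
    except (IndexError, struct.error):
        return False, None                                # truncated/garbage hello
    return True, None


def choose_backend(data):
    """Same decision as ft_ssl: vpn SNI, any SNI, otherwise ssh."""
    is_hello, sni = extract_sni(data)
    if is_hello and sni and sni.lower() == "vpn.example.net":   # acl ... -i
        return "bk_sslvpn"
    if is_hello and sni:
        return "bk_web"
    return "bk_ssh"


def build_client_hello(sni):
    """Minimal TLS 1.2 ClientHello (constructed test input), SNI optional."""
    ext = b""
    if sni is not None:
        name = sni.encode()
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0, len(sn_list)) + sn_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"             # version, random, sid
            + struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite
            + b"\x01\x00"                                 # null compression
            + (struct.pack("!H", len(ext)) + ext if ext else b""))
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```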
<p>An example of a transparent setup can be found <a href="http://blog.haproxy.com/2013/09/16/howto-transparent-proxying-and-binding-with-haproxy-and-aloha-load-balancer/">here</a>, but it lacks some details; for example, if you need to redirect the traffic to the local haproxy you'll want to use xt_TPROXY, and there is a better doc for that at <a href="http://wiki.squid-cache.org/Features/Tproxy4">squid's wiki</a>. Anyway, if you are playing just with your own machine, like we typically do with sslh, you won't need the TPROXY power, as packets will come straight to your 443, so haproxy will be able to get them without any problem. The problem will come if you are using transparency (source 0.0.0.0 usesrc clientip), because then packets coming out of haproxy will carry the IP of the real client, and thus the answers of the backend will go to that client (but with different ports and other TCP data), so it will not work. We'll have to get those packets back to haproxy; for that, what we'll do is mark the packets with iptables and then route them to the loopback interface using advanced routing. This is where all the examples will tell you to use iptables' mangle table with rules marking on PREROUTING, but that won't work out if you have the whole setup (frontend and backends) on just one box; instead you'll have to write those rules to work on the OUTPUT chain of the mangle table, having something like this:</p>
<listing>
*mangle
:PREROUTING ACCEPT
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:POSTROUTING ACCEPT
:DIVERT -
-A OUTPUT -s public_ip -p tcp --sport 22 -o public_iface -j DIVERT
-A OUTPUT -s public_ip -p tcp --sport 443 -o public_iface -j DIVERT
-A OUTPUT -s public_ip -p tcp --sport 1194 -o public_iface -j DIVERT
-A DIVERT -j MARK --set-mark 1
-A DIVERT -j ACCEPT
COMMIT
</listing>
<p>Take that just as an example; better suggestions on how to know what traffic to send to DIVERT are welcome. The point here is that if you are sending the service to some other box you can do it on PREROUTING, but if you are sending the service to the very same box as haproxy you'll have to mark the packets on the OUTPUT chain.</p>
<p>Once we have the packets marked we just need to route them, something like this will work out perfectly:</p>
<listing>
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
</listing>
<p>And that's all for this crazy setup. Of course, if, like me, you don't like the root implication of the transparent setup, you can remove the "source 0.0.0.0 usesrc clientip" lines on the backends and forget about transparency (connections to the backend will come from your local IP), but you'll be able to run haproxy with dropped privileges and you'll just need the plain haproxy.cfg setup and not the weird iptables and advanced routing setup.</p>
<p>Hope you like the article. BTW, I'd like to point out the main difference of this setup vs sslh: I'm only sending the packets to the SSL providers if the client is sending SNI info, otherwise I'm sending them to the ssh server, while sslh will send SSL clients without SNI to the SSL provider as well. If your setup mimics sslh and you want to comment on it, feel free to do it.</p>
Santiago García Mantiñán

2014-12-11 Add a Debian source repository to your Ubuntu
<p>Debian does all the work that Ubuntu bases its system on, so... if you want to add our latest Debian source package repository to Ubuntu, so that you can compile and use it under Ubuntu, that should be as easy as adding to your /etc/apt/sources.list file:</p>
<listing>
deb-src http://ftp.debian.org/debian/ testing main
deb-src http://ftp.debian.org/debian/ unstable main
deb-src http://ftp.debian.org/debian/ ../project/experimental main
</listing>
<p>Well, just the line you want: if you want the future version of Debian (currently Jessie) use the testing one, if you want current development use unstable, and sometimes you even get an experimental version if you want to test really bleeding edge versions.</p>
<p>The problem here is that after you add the lines you want to your sources.list file and you run your</p>
<listing>
apt-get update
</listing>
<p>you will end up with a GPG error because Ubuntu's apt-key keyring doesn't know about Debian's keys, so... we'll have to run a few commands to get rid of this, but first we must locate the needed key, for example <a href="https://ftp-master.debian.org/keys.html">here</a>:</p>
<listing>
wget https://ftp-master.debian.org/keys/archive-key-7.0.asc -O -|apt-key add -
apt-get update
</listing>
<p>Now hopefully your Ubuntu will recognize your Debian sources and you'll be able to get your favourite Debian source into your good old Ubuntu by doing something like this as a user (we'll use fakeroot):</p>
<listing>
sudo apt-get install fakeroot                    # installing packages needs root
sudo apt-get build-dep your_favourite_package    # so does pulling the build dependencies
apt-get source your_favourite_package            # fetching and unpacking the source works as a plain user
cd your_favourite_package_source_dir
dpkg-buildpackage -rfakeroot
</listing>
Santiago García Mantiñán

2014-12-11 Squid proxy being transparent also for ssl and other tcp connections by using ssl bump
<p>A long time ago I was trying to have a transparent proxy setup by using squid, but squid traditionally only knows about http, ftp and https in explicit proxy mode. There is no way to handle non-http traffic (for example https) transparently on a traditional setup, so that setup was not what I was looking for.</p>
<p>After looking into TLS SNI and other things, trying even to implement things like that on some tools like socat that would proxify things for squid, I discovered ssl bump on squid3, which just does all the magic I was looking for.</p>
<p>Squid traditionally has several ways of listening to requests, one of which is the explicit proxy port (http_port 3128) and the other typical ones are for transparent proxy, this is indicated by flags:</p>
<ul>
<li>transparent: used to intercept server queries and parse http host headers to forward them through squid to the servers</li>
<li>tproxy: used to spoof the outgoing address to that of the client, so that squid is really transparent</li>
</ul>
<p>Well, none of this allows us to forward https or tcp requests (say for example ssh, imap, ...) for a client that doesn't have explicit proxy support. Unfortunately this means that a transparent proxy using this technology nowadays is of no use.</p>
<p>This is where ssl bump comes to the rescue: the old transparent mode of squid, which is currently called intercept, on squid3 has an extra flag, ssl-bump, which is able to intercept ssl traffic and things like that, allowing squid to cache https webs. But to do this one has to create a Certificate Authority, and the clients must trust this CA that squid uses to issue certificates for the web sites we want to visit.</p>
<p>However, ssl-bump can work without issuing these certificates, and in this case squid won't mess with https requests, but it will still allow us to do a pretty neat thing, which is to forward all tcp connections from any client (it doesn't even have to know what a proxy is) transparently. In this case what squid does is ask netfilter (iptables) where the connection that squid is handling was supposed to go, and squid makes this connection on behalf of the client, so that the client starts talking to the other end with all the traffic going through squid.</p>
<p>One might ask why one would want this traffic on squid; well, you'll have all of squid's features, you can control the speed, you get all the typical logs and acls, ...</p>
<p>Of course, if you don't want this you can go with iptables and a traffic shaper and that's good as well.</p>
<p>So... you like this idea? Well, then if your distro has squid compiled with ssl support you can read the config section, but if you are (like me) using Debian, you must recompile your squid3 with ssl support. Debian doesn't compile squid3 with ssl support as there are problems between the openssl license and squid's (squid developers are looking forward to somebody porting the code to gnutls :-)</p>
<br />
<b>Rebuilding squid3 with ssl-bump</b>
<p>Well, to rebuild the squid3 package with ssl support you must install the needed packages:</p>
<listing>
apt-get install fakeroot libssl-dev
apt-get build-dep squid3
</listing>
<p>There you may find that your distro doesn't have all the packages needed to compile, like for example libecap2-dev; in this case you'll have to apt-get source these packages, compile and install them like we'll do with squid3.</p>
<p>And then do a few things as a user (we'll use fakeroot, which we have just installed). I've tested this using squid3 from Debian testing (the next version, which will be Jessie).</p>
<p>Start with:</p>
<listing>
apt-get source squid3
</listing>
<p>And then we'll edit a couple of files in the source, so cd into the source dir; in the debian/control file you must add libssl-dev to the build-depends, and in the debian/rules file you must add these configure options:</p>
<listing>
--enable-ssl \
--enable-ssl-crtd \
</listing>
<p>One can then run debchange -i and add something like this on the changelog:</p>
<listing>
Build with --enable-ssl and --enable-ssl-crtd.
</listing>
<p>Now the source is ready to build using your favourite command, like for example:</p>
<listing>
dpkg-buildpackage -rfakeroot
</listing>
<p>and at last install the needed packages using dpkg -i</p>
<br />
<b>Configuration</b>
<p>The main configuration file is stored at /etc/squid3/squid.conf, even though it can be split into separate files. On these files we must set as SSL_ports all the ports for the protocols that we want to allow through squid using an acl like this:</p>
<listing>
acl SSL_ports port 1935 # rtmp
acl SSL_ports port 5222 # xmpp
acl SSL_ports port 5223 # xmpp over ssl
acl SSL_ports port 5228 # googletalk
acl SSL_ports port 5242 # viber
acl SSL_ports port 4244 # viber
</listing>
<p>And we'd typically want to define several proxy ports, one for explicit http, another one for http interception (classic transparent proxy) and our ssl-bump port, like this:</p>
<listing>
http_port 3128
http_port 80 intercept
https_port 3127 intercept ssl-bump generate-host-certificates=off cert=/etc/squid3/squid.pem
acl ssl-bump_port myportname 3127
always_direct allow ssl-bump_port
</listing>
<p>The always_direct line forces the squid server to send ssl-bump requests directly and not through other caches, as that wouldn't work at all. The certificate is needed even though we won't be using it; just generate one using make-ssl-cert from the ssl-cert package or plain openssl x509 power.</p>
<p>Make sure we have all our client networks listed on our localnet acl and that they are allowed to use the proxy:</p>
<listing>
acl localnet src 127.0.0.1/32 192.168.0.0/16
http_access allow localnet
</listing>
<p>Several misc settings: make sure that ssl-bump doesn't generate certificates for any host at all (just in case), set the language for the errors, and allow a good number of file descriptors so that we don't run out of them:</p>
<listing>
ssl_bump none all
error_default_language es
max_filedescriptors 8192
</listing>
<p>And that is pretty much what is needed in the squid configuration; of course you can do this and more, writing it all in different ways. I have found out that the directory for the ssl certs is not created by default, so we must run: /usr/lib/squid3/ssl_crtd -c -s /var/lib/ssl_db</p>
<br />
<b>Routing it all through squid</b>
<p>You may be wondering how all the traffic that we are going to allow through squid gets to it. Well, the answer is easy if you have ever configured some kind of transparent proxy or similar: we do it through iptables. In the PREROUTING chain of the nat table we send things to the ssl-bump port or to our transparent proxy port as we like, and then we open the ports on which we are serving all this on the INPUT chain of the filter table, with something like this, which can be loaded with iptables-restore myiptables.cfg:</p>
<listing>
*nat
:PREROUTING ACCEPT
:POSTROUTING ACCEPT
:OUTPUT ACCEPT
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 1935 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 3389 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 5222 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 5223 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 5228 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 5242 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 4244 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 80
#This is not for squid but I like these too (local ntp and dns cache)
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p udp --dport ntp -j REDIRECT --to-ports 123
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport domain -j REDIRECT --to-ports 53
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p udp --dport domain -j REDIRECT --to-ports 53
COMMIT
*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport http -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 3127:3128 -j ACCEPT
-A INPUT -i eth0 -p udp --dport bootps -j ACCEPT
-A INPUT -i eth0 -p udp --dport ntp -j ACCEPT
-A INPUT -i eth0 -p udp --dport domain -j ACCEPT
-A INPUT -i eth0 -p tcp --dport domain -j ACCEPT
COMMIT
</listing>
<p>I believe that's all. Of course this is generally speaking and you'll have to adapt it to fit your needs, but there it is. Just add a dhcp server for convenience, and ntp and dns servers so that you don't need to forward those protocols and so you save more bandwidth using the dns server cache and local ntp answers, and you're done.</p>
<p>Note that these iptables rules are dropping all forwarding, as in the example the kernel doesn't need to forward anything (squid does it), and for dns and ntp we are using local servers. Of course, if you want to forward some udp traffic, you'll need to add forwarding rules for that.</p>
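<p>The SSL_ports acl and the nat REDIRECT rules are two lists that have to agree: the stock squid.conf denies CONNECT to ports outside SSL_ports, and intercepted ssl-bump connections are checked as CONNECT requests, so a port redirected to 3127 but missing from the acl is refused by squid. Here is an added example (not part of the original post) that parses both fragments and reports the drift; the fragments are constructed copies of the ones above, and as written they show port 3389 redirected to the ssl-bump port without a matching acl line.</p>

```python
"""Added example, not the article's code: check that every TCP port the nat
rules REDIRECT to the ssl-bump port is also allowed by the SSL_ports acl."""
import re

# Constructed copy of the relevant squid.conf lines from the article
SQUID_CONF = """\
acl SSL_ports port 1935 # rtmp
acl SSL_ports port 5222 # xmpp
acl SSL_ports port 5223 # xmpp over ssl
acl SSL_ports port 5228 # googletalk
acl SSL_ports port 5242 # viber
acl SSL_ports port 4244 # viber
https_port 3127 intercept ssl-bump generate-host-certificates=off cert=/etc/squid3/squid.pem
"""

# Constructed copy of a few of the nat rules from the article
IPTABLES_NAT = """\
*nat
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 1935 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 3389 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 5222 -j REDIRECT --to-ports 3127
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 80
-A PREROUTING -i eth0 -s 192.168.0.0/16 ! -d 192.168.0.0/16 -p udp --dport domain -j REDIRECT --to-port 53
COMMIT
"""


def ssl_ports(squid_conf):
    """Ports granted by 'acl SSL_ports port ...' lines (comments stripped)."""
    ports = set()
    for line in squid_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"acl\s+SSL_ports\s+port\s+(.+)$", line)
        if not m:
            continue
        for tok in m.group(1).split():
            if "-" in tok:                      # squid accepts ranges like 1024-65535
                lo, hi = map(int, tok.split("-"))
                ports.update(range(lo, hi + 1))
            else:
                ports.add(int(tok))
    return ports


def bump_port(squid_conf):
    """Port number of the https_port line carrying 'intercept ssl-bump'."""
    m = re.search(r"^https_port\s+(?:[\d.]+:)?(\d+)\s+intercept\s+ssl-bump",
                  squid_conf, re.M)
    return int(m.group(1)) if m else None


def redirected_ports(nat_rules, to_port):
    """Destination TCP ports that the nat rules REDIRECT to to_port."""
    found = set()
    for line in nat_rules.splitlines():
        if "-p tcp" not in line or "-j REDIRECT" not in line:
            continue
        d = re.search(r"--dport\s+(\d+)", line)
        t = re.search(r"--to-ports?\s+(\d+)", line)   # iptables accepts both spellings
        if d and t and int(t.group(1)) == to_port:
            found.add(int(d.group(1)))
    return found


def missing_from_acl(squid_conf, nat_rules):
    """Ports intercepted for ssl-bump that the SSL_ports acl does not allow."""
    return redirected_ports(nat_rules, bump_port(squid_conf)) - ssl_ports(squid_conf)
```

Run it against the real /etc/squid3/squid.conf and the iptables-restore file whenever either list changes; an empty set means the two are in step.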
Santiago García Mantiñán

2014-12-09 Transitioning from 0xF6A32A8E to 0xD876D5A3 (moving to stronger cryptography)
<listing>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1,SHA256
Hi!
As Debian is retiring good old 1024 bit keys I'm transitioning to a new
4096 bits key.
I still don't have many signatures on my new key, but it is signed with the
old one which to date isn't known to be compromised.
My old key was:
pub 1024D/F6A32A8E 2000-09-16 Santiago Garcia Mantinan (manty) <manty@debian.org>
Primary key fingerprint: 3F0A 12FC 0B55 A917 D791 82D3 72FD C205 F6A3 2A8E
My new key is:
pub 4096R/D876D5A3 2014-10-06 Santiago Garcia Mantinan (manty) <manty@debian.org>
Primary key fingerprint: 06A3 E576 0F61 1B4B B1A9 0E68 B868 8CA3 D876 D5A3
I hope to get this new key on Debian's keyring before the end of the year
and hopefully contribute to a stronger keyring.
Regards.
Santiago García Mantiñán (manty)
</listing>
Santiago García Mantiñán

2014-07-06 Hibernating on power button with Debian
It's been years since I started hibernating my machine by pressing the power button instead of halting it. This started at work: my mate Ramón wanted to get all machines automatically hibernated through the night and was doing some tests on the old Windows XP. I didn't know how to hibernate on Linux at that time, so I started taking a look at it, saw it was easy and worked flawlessly, and so I've been doing it since then (how the Windows thing ended is another story with another end).<br />
<br />
Lately what I had done was install acpi-support package and at /etc/acpi/events/powerbtn-acpi-support file I changed its action to: <listing>action=/etc/acpi/sleep_suspend.sh suspend</listing>
Which basically means when you press the power button hibernate (suspend to disk).<br />
<br />
This used to work ok on most of my devices, however an old AMD socket 939 board did two hibernations each time the power button was pressed, and you could see the machine go to hibernate when you were waking it up. It seems I even had blogged about this <a href="http://manty.net/2011/11/executing-with-keybutton-how-to.html">here</a>.<br />
<br />
My latest solution for this problem was as simple as this little change to /etc/acpi/sleep_suspend.sh:
<listing>
29c29
< pm-hibernate
---
> (sleep 1;pm-hibernate) &
</listing>
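Review bot: backgrounding the call in `> (sleep 1;pm-hibernate) &` means sleep_suspend.sh no longer waits for pm-hibernate, so the handler returns to acpid before the machine has actually hibernated, any command after line 29 of the script runs immediately instead of after resume, and a failing pm-hibernate no longer shows up in the handler's exit status; confirm nothing after that line depends on the suspend having completed, or log the subshell's result explicitly so a failed hibernate is still visible.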
I don't remember how I ended up with this solution instead of my first locking solution, but it did work for my desktop until it left sysvinit in favour of upstart but that's another story.<br />
<br />
The thing is that ever since kernel 3.14 started to hit Debian I found the same sleep two times problem on my old laptop as well, and this still happens on 3.15.3. I have applied my solution to sleep_suspend.sh and it still works, but... I think I'll have to pick the details on this and file a bug, the question is... against Debian kernel? or try to post again to the linux-acpi mailing list <a href="http://www.spinics.net/lists/linux-acpi/msg33317.html">like I did on 2011</a> and see if we get better results this time?<br />
<br />
We'll see tomorrow, now it is time to go to bed, night.
Santiago García Mantiñán

2014-04-20 Wifi repeater (AP and STA with one radio) using Debian
It's been a long time since I last "repeated" a radio using my laptop, as I typically use an OpenWRT small device, so... I had to look it all up again; hey, we are in the nl80211 days.<br />
<br />
So... I tried to look this up starting from one of my working setups, an OpenWRT device, and what did I find there? I found they are using a patched wpa_supplicant which says:
<br />
<br />
<div style="text-align: center;">
<b>-H = connect to a hostapd instance to manage state changes
</b></div>
<div style="text-align: center;">
<br /></div>
However this patch doesn't seem to have reached upstream, so... is it needed? Well I don't think it is, at least one can make a setup which works without it. BTW, if somebody can clarify on this option and why it hasn't reached upstream it would be great.
<br />
<br />
Well, here is my setup which seems to work OK on my Debian Jessie.<br />
<br />
I'll be using hostapd and dnsmasq, what I do is disable them so that they are not started on boot and I start them whenever I need them (use update-rc.d for this or any other method you like).<br />
<br />
I have defined an interface (ap0) which is not automatic or hotplug and which I ifup manually when I want to repeat a wifi:<br />
<listing>iface ap0 inet static
hwaddress XX:XX:XX:XX:XX:XX
address XX.XX.XX.XX
netmask 255.255.255.0
pre-up iw phy phy0 interface add ap0 type __ap || true
up cp /etc/hostapd/hostapd.conf.nochannel /etc/hostapd/hostapd.conf
up iw dev ath0 info|sed -n "s/.*channel \([^ ]*\) .*/channel=\1/p" >> /etc/hostapd/hostapd.conf
up /etc/init.d/hostapd start
up /etc/init.d/dnsmasq start
up iptables-restore /etc/iptables.masq
up echo 1 > /proc/sys/net/ipv4/conf/ap0/forwarding;echo 1 > /proc/sys/net/ipv4/conf/ath0/forwarding
down echo 0 > /proc/sys/net/ipv4/conf/ap0/forwarding;echo 0 > /proc/sys/net/ipv4/conf/ath0/forwarding
down /etc/init.d/dnsmasq stop
down /etc/init.d/hostapd stop
post-down iw dev ap0 del || true
</listing>In the interfaces file what I do is: I create the new AP interface, set up a hostapd.conf file adding the current channel of my client interface (ath0), start hostapd and dnsmasq, and set up masquerading and forwarding.<div>
<br />
The /etc/hostapd/hostapd.conf.nochannel file is a simple config file, something like this works:
<br />
<listing>interface=ap0
ctrl_interface=/run/hostapd-phy0
driver=nl80211
ssid=Whatever
hw_mode=g
wpa=2
wpa_pairwise=CCMP
wpa_passphrase=BlaBlaBla
country_code=ES
ignore_broadcast_ssid=0
</listing>
And of course you can add all the parameters you want, for example, for my 802.11N radio I use:
<listing>wmm_enabled=1
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40]
</listing>
I won't get into dnsmasq details, I don't use it much, but I think I should know it better; I only added this couple of lines to the default config:
<listing>interface=ap0
dhcp-range=StartingIP,EndingIP,12h
</listing>
Well, I guess that pretty much is it, as for the iptables rules... you know, allow forwarding from your AP to your client wifi and add a POSTROUTING with -j MASQUERADE to traffic going out and that's it.
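The sed line in the ap0 stanza copies whatever channel ath0 is on into hostapd.conf, and since both interfaces share one radio that channel is the only one the AP can use. Here is an added example (not part of the original post) that does the same job from the output of iw dev ath0 info, but handles two cases the one-liner silently gets wrong: when the client is not associated there is no channel line, so hostapd would be started without a channel, and when the client sits on a 5 GHz channel the template's hw_mode=g cannot serve it. The iw output samples are constructed; the template is the hostapd.conf.nochannel from above.<br />

```python
"""Added example, not the article's code: build hostapd.conf from the
hostapd.conf.nochannel template plus the channel of the client interface,
refusing to proceed when the STA has no channel to share."""
import re

# Constructed sample of 'iw dev ath0 info' while associated on channel 6
IW_INFO_2G = """\
Interface ath0
\tifindex 3
\twdev 0x1
\taddr 00:11:22:33:44:55
\tssid upstream
\ttype managed
\tchannel 6 (2437 MHz), width: 20 MHz, center1: 2437 MHz
"""
# Constructed sample while not associated: no channel line at all
IW_INFO_DOWN = "Interface ath0\n\tifindex 3\n\ttype managed\n"
# Constructed sample associated on a 5 GHz channel
IW_INFO_5G = ("Interface ath0\n\ttype managed\n"
              "\tchannel 36 (5180 MHz), width: 40 MHz, center1: 5190 MHz\n")

# The article's /etc/hostapd/hostapd.conf.nochannel
TEMPLATE = """\
interface=ap0
ctrl_interface=/run/hostapd-phy0
driver=nl80211
ssid=Whatever
hw_mode=g
wpa=2
wpa_pairwise=CCMP
wpa_passphrase=BlaBlaBla
country_code=ES
ignore_broadcast_ssid=0
"""


def sta_channel(iw_info):
    """Channel number from 'iw dev <sta> info' output, None when not associated."""
    m = re.search(r"^\s*channel (\d+) ", iw_info, re.M)   # same pattern the sed uses
    return int(m.group(1)) if m else None


def hostapd_conf(template, iw_info):
    """Return the hostapd.conf text, or raise if the AP cannot share the radio."""
    ch = sta_channel(iw_info)
    if ch is None:
        raise RuntimeError("client interface not associated: no channel to share")
    # one radio, one channel: an AP on a 5 GHz channel needs hw_mode=a, not g
    hw_mode = "a" if ch > 14 else "g"
    lines = [l for l in template.splitlines()
             if not l.startswith(("hw_mode=", "channel="))]
    lines += ["hw_mode=%s" % hw_mode, "channel=%d" % ch]
    return "\n".join(lines) + "\n"
```

In the interfaces stanza this would replace the cp and sed lines with one up command that writes the returned text to /etc/hostapd/hostapd.conf, and a non-zero exit there stops ifup before hostapd is started.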
<br />
<br />
Hope you find this useful, and if you want to enlighten the -H parameter history feel free to comment.
<br />
<br />
What I think after reading the commit (https://dev.openwrt.org/browser/trunk/package/network/services/hostapd/patches/453-ap_sta_support.patch?rev=37738) is that they are having wpa_supplicant reload any time the client reconnects or whatever, but this can also be done on wpa_cli, so that must be why it hasn't reached upstream (but that's just what I'm guessing, any light out there?).
<br />
<br />
It feels nice to write after such a long time :-) Regards.</div>
Santiago García Mantiñán