Quick Blog Links

# Note: github.com/fossjon <- I lost access due to missing 2FA, so now I'm using -> github.com/stoops
# Build blog.html: one <a> per post, pulled from the RSS feed pages
for p in `seq 1 3` ; do
  curl -sL "https://fossjon.com/feed/?paged=$p" | grep -Ei '<(title|link)>' \
    | sed -e 's@<title>@~<title>@' | tr ' \t\r\n' ' ' | tr -s ' ' | tr '~' '\n' \
    | sed -e 's@^.*<title>\(.*\)</title>.*<link>\(.*\)</link>.*$@<a href="\2" style="text-decoration:none;font-family:monospace;">\1</a><br/>@' \
    | grep -i '/fossjon.com/'
done > blog.html
   

Pseudo-Bridging Layer-2 ARP-Sync

So back in the day I was trying to bridge two layer-2 networks over a wireless relay and I was using a TP-Link Archer C7V5 for the two routers. I initially tried out relayd; however, I found that it wasn’t doing a good job of managing the ARP/route table entries, as they were getting out of sync and not being updated and refreshed properly. I tried modding the framework but eventually gave up and wrote my own solution in C because these router units had very limited RAM and CPU available. The original framework was called ARP-Relay-Bridge (arprb) and it did a lot of work to manage the ARP table, ping the clients, listen for ARP requests, send proxied replies and manage the routing table, and I even had DHCP relay capability as well.

Now, I have replaced all my TP-Link units with the Linksys E8450, which have a bit more power to them, so I tried to re-write a simpler solution to this layer-2 bridging problem in Python. This solution simply sends out the current list of active ARP table entries to another router and, when it receives the entries of another router, it adds an entry to the route table to properly redirect the traffic. This simple solution solves the LAN-to-WAN issue and, with the help of OpenWRT's Linux-based proxy_arp functionality, the LAN-to-LAN issue can also be solved as an extension since the routers know where to route the packets. Basic instructions in the readme!

Source code: https://github.com/stoops/arpsync
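The sync the post above describes, as an added example that is not the arpsync project's code: harvest the active neighbour entries, advertise them to the peer router, and turn the peer's advertisement into /32 host routes across the relay link. Everything concrete here is assumed: the shared LAN 192.168.1.0/24, the relay link addresses 10.0.0.1/10.0.0.2, UDP port 5555, the `ip neigh` sample, and the pre-shared key. It goes a little beyond the post in authenticating the advertisement and filtering it to the LAN subnet, because an unauthenticated datagram that installs routes is a route-hijack primitive for anyone who can reach the relay link.

```python
import hmac
import ipaddress
import json
import socket

LAN = "192.168.1.0/24"            # assumed: both routers share this subnet
ADVERTISABLE = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}

# Constructed sample of `ip -4 neigh show` on router A (not a real capture)
SAMPLE_NEIGH = """\
192.168.1.20 dev br-lan lladdr 3c:22:fb:01:02:03 REACHABLE
192.168.1.21 dev br-lan lladdr 3c:22:fb:04:05:06 STALE
192.168.1.22 dev br-lan  FAILED
10.0.0.2 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
"""

def active_neighbours(neigh_text, lan=LAN):
    """IPs inside `lan` whose neighbour entry still carries an L2 address."""
    net = ipaddress.ip_network(lan)
    hosts = []
    for line in neigh_text.splitlines():
        f = line.split()
        if "lladdr" not in f:            # FAILED/INCOMPLETE entries have no MAC
            continue
        ip, state = f[0], f[-1]
        if state in ADVERTISABLE and ipaddress.ip_address(ip) in net:
            hosts.append(ip)
    return sorted(hosts)

def encode_advert(hosts, key):
    """Serialise an advertisement; the HMAC stops a third party on the relay link from injecting routes."""
    body = json.dumps({"hosts": hosts}, separators=(",", ":")).encode()
    return hmac.new(key, body, "sha256").digest() + body

def decode_advert(datagram, key, lan=LAN):
    """Verify and parse; drop any host outside the shared LAN so a peer cannot
    hijack Internet destinations. No replay protection: add a counter for that."""
    tag, body = datagram[:32], datagram[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, "sha256").digest()):
        return None
    net = ipaddress.ip_network(lan)
    try:
        hosts = json.loads(body)["hosts"]
        return sorted(h for h in hosts if ipaddress.ip_address(h) in net)
    except (ValueError, KeyError, TypeError):
        return None

def routes_for(peer_hosts, peer_relay_ip, installed):
    """Commands that bring the local route table in line with the peer's
    advertisement: one /32 per remote client, pointing across the relay link."""
    wanted = set(peer_hosts)
    cmds = [f"ip route replace {ip}/32 via {peer_relay_ip}" for ip in sorted(wanted - installed)]
    cmds += [f"ip route del {ip}/32 via {peer_relay_ip}" for ip in sorted(installed - wanted)]
    return cmds

def send_advert(hosts, key, peer=("10.0.0.2", 5555)):
    """One round of the sync: push our neighbour list to the peer router (assumed port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(encode_advert(hosts, key), peer)

if __name__ == "__main__":
    key = b"shared-secret"            # placeholder; use a real pre-shared key on both routers
    mine = active_neighbours(SAMPLE_NEIGH)
    theirs = decode_advert(encode_advert(mine, key), key)   # what the peer would see
    for cmd in routes_for(theirs, "10.0.0.1", set()):
        print(cmd)
```

Enable `sysctl -w net.ipv4.conf.br-lan.proxy_arp=1` on both routers so each one answers ARP on its own LAN for the hosts it holds a /32 route for; that is what lets LAN-to-LAN traffic follow the same host routes as LAN-to-WAN. The `ip route del` side matters as much as the add: a stale /32 keeps black-holing a client that has moved back to the other router.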

Socks-like Proxy + VPN-like Tunnel [2-in-1 Experiment]

For my home network setup, I have a Mac Mini that is connecting to a Linux server with OpenVPN (backup) & WireGuard (primary) to tunnel traffic for the entire network. Due to some lower-MTU issues with WG, I have also set up nginx to act as a socks-like transparent proxy which handles the connections on behalf of the client (so that the server side can keep the LAN MTU matching the client side, as well as forcing a defragmentation of the packets before they enter the VPN tunnel). It then opens a matching proxy connection to the requested destination with a lower TUN MTU & TCP MSS set so the packets can be properly segmented and transmitted. It’s been working great so far but I was wondering about the performance and speed of this solution (I had only been redirecting TCP port 443 to nginx and little did I know that the speedtest.net service uses port 8080 behind the scenes, so I had to adjust my firewall rules to be more generic and forward almost all TCP & UDP ports now). After improving all of that, the speed tests were all fast and quick along with a little more sysctl tuning!

Anyway, I decided to write a C-based solution (backup) that could theoretically handle both of these services and functions at the same time. It doesn’t have solid crypto as of yet since it was mostly an experiment so far, but you could easily swap in a real stream cipher (or possibly block cipher) if you want to. It is a multi-process, multi-threaded app with some basic operating instructions in the readme.

It’s called proxytun – no exciting screenshots or anything – just code, like the old days! 🙂

Source code: https://github.com/stoops/proxytun

OpenWRT Switching To Distributed Switch Architecture

Over the years I got used to the simple Switch configuration tab in the OpenWRT web interface to configure which ports are tagged/untagged on which VLANs, which I could then bridge later to specific interfaces. This page has since been removed in favour of a more flexible/powerful subsystem that OpenWRT is implementing called DSA. I’m still new to this; however, I recently had to configure a similar interface-to-VLAN layout in this new section. It is now listed under the interface bridge configuration page but it has a similar table layout with the same set of options. For example, two LAN switch ports as separated VLAN access ports (untagged) and two LAN switch ports as VLAN trunk ports (tagged), both of which carry the traffic of the two separated VLANs.
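The layout in the paragraph above, as an added example (not OpenWrt's code or the author's), expressed as the /etc/config/network stanzas that DSA expects, with a parser to read existing stanzas back and the one check that catches the classic mistake: a port carries the PVID (`:u*`) on one VLAN only. Names assumed here: bridge br-lan, ports lan1 to lan4, VLAN ids 10 and 20.

```python
# Port flag conventions in an OpenWrt bridge-vlan stanza:
#   'lanN:u*'  untagged member and PVID (access port)
#   'lanN:t'   tagged member (trunk port)
# This example emits only those two; parse_bridge_vlans also accepts the plain
# 'lanN' / 'lanN:u' spellings of untagged membership.

def check_layout(layout):
    """802.1Q/DSA constraint: a port has exactly one PVID, so it may be untagged
    on one VLAN only, and it cannot be both tagged and untagged on the same VLAN."""
    pvid = {}
    for vlan, roles in layout.items():
        untagged = roles.get("untagged", [])
        for port in untagged:
            if port in pvid:
                raise ValueError(f"{port} is untagged on VLAN {pvid[port]} and VLAN {vlan}")
            pvid[port] = vlan
        for port in roles.get("tagged", []):
            if port in untagged:
                raise ValueError(f"{port} is both tagged and untagged on VLAN {vlan}")
    return pvid

def is_valid_layout(layout):
    try:
        check_layout(layout)
        return True
    except ValueError:
        return False

def uci_bridge_vlans(bridge, layout):
    """Render the bridge device, one bridge-vlan per VLAN, and a placeholder
    interface on each <bridge>.<vlan> sub-device (set proto/ipaddr yourself)."""
    check_layout(layout)
    ports = sorted({p for r in layout.values() for k in ("untagged", "tagged") for p in r.get(k, [])})
    out = ["config device", f"\toption name '{bridge}'", "\toption type 'bridge'"]
    out += [f"\tlist ports '{p}'" for p in ports]
    for vlan in sorted(layout):
        roles = layout[vlan]
        out += ["", "config bridge-vlan", f"\toption device '{bridge}'", f"\toption vlan '{vlan}'"]
        out += [f"\tlist ports '{p}:u*'" for p in roles.get("untagged", [])]
        out += [f"\tlist ports '{p}:t'" for p in roles.get("tagged", [])]
        out += ["", f"config interface 'vlan{vlan}'", f"\toption device '{bridge}.{vlan}'",
                "\toption proto 'none'"]
    return "\n".join(out) + "\n"

def parse_bridge_vlans(text):
    """Read bridge-vlan stanzas (e.g. from a live /etc/config/network) into the layout dict."""
    layout, current = {}, None
    for raw in text.splitlines():
        f = raw.split()
        if f[:2] == ["config", "bridge-vlan"]:
            current = {"untagged": [], "tagged": []}
        elif f[:1] == ["config"]:
            current = None                       # some other section type
        elif current is not None and f[:2] == ["option", "vlan"]:
            layout[int(f[2].strip("'\""))] = current
        elif current is not None and f[:2] == ["list", "ports"]:
            port, _, flag = f[2].strip("'\"").partition(":")
            if flag == "t":
                current["tagged"].append(port)
            elif flag in ("", "u", "u*"):
                current["untagged"].append(port)
            else:
                raise ValueError(f"unsupported port flag {flag!r} on {port}")
    return layout

# The post's layout: lan1/lan2 are access ports, lan3/lan4 trunk both VLANs.
EXAMPLE_LAYOUT = {
    10: {"untagged": ["lan1"], "tagged": ["lan3", "lan4"]},
    20: {"untagged": ["lan2"], "tagged": ["lan3", "lan4"]},
}

if __name__ == "__main__":
    print(uci_bridge_vlans("br-lan", EXAMPLE_LAYOUT), end="")
```

Run `parse_bridge_vlans(open("/etc/config/network").read())` through `check_layout` before `/etc/init.d/network reload`: LuCI will happily let you tick the untagged box for one port on two VLANs, and the symptom on the wire (the port ends up in whichever VLAN the kernel applied last) is hard to diagnose after the fact.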

The Best Looking iPhone 15 Pro Renders

So I’ve been tracking the iPhone 15 rumors and I think the best looking renders so far are the ones that keep the antenna bands as a straightened-flattened ribbon wrapping around the phone with the back glass being curved itself at the edges. It will then look like the two different pieces have come together to make up the overall phone. This, along with the flush camera lenses, which dates back to the beautiful iPhone 4S design, would help make it look a lot more stylish as well. I will greatly miss the silencing physical dip switch if Apple decides to remove it but let’s see what they end up doing! 🙂

Turning an iPad into a Network Bandwidth Monitor Graph + Weather Station

I wanted a quick and easy way to visualize and summarize the WAN traffic going through my home network so I wrote what started out as a basic Python script that acts as a simple server/javascript client to query my OpenWRT router for that information. It then uses chart.js to graph and plot the data being returned along with placing little display cards that show me the wind speed, wind direction, cloud graphic, time stamp, and weather summary for the next 5 hours 🙂

I didn’t post the source code for this one as it was more of a highly specialized project that I thought applies to my particular use case and requirements.

Cloudflare Graphs – A Big Spike In Traffic – One Time

So one evening recently I got an email alert for a big spike in traffic going to this blog. I don’t know why it happened and I don’t see my post view counts getting that high either so it was a strange event. Thankfully Cloudflare’s service was able to handle the total requests being made as I don’t have much visibility on the WordPress side of things. My blog setup here is a bit simplified unfortunately!

A History Of Console Gaming

So I usually try to save my money where possible and I don’t celebrate my birthday but I wanted to get an updated gaming console so that I could continue to play Fortnite when I have some free down time. Way back in the day, my grandpa gave me an original Nintendo (which I sadly didn’t think of keeping over time) and eventually I got the Nintendo 64 when it came out as well. I then purchased the original Xbox (which had the Halo title on it) and that was one of my first Microsoft products that I enjoyed owning. After that, I switched over to the Sony side and purchased the Playstation 2 – and then the Playstation 3 – and then the Playstation 4 (so that I could keep playing the different GTA versions).

For my birthday this Jan 2023, after spending years playing with the original PS4, it was getting a little old and hot and dusty so I purchased myself a gift of the Playstation 5 (to be able to play Fortnite Battle Royale). However, once I turned it on, configured it, updated it, downloaded the game and launched it – the entire system powered off. I tried it again and the same thing happened at the same spot in the game. I also tried to download a free title that came with the system and it also shut off, right before the game play starts. I recorded a long boring video of it because I couldn’t believe it!

This new unit left me in such disbelief that I went back to Microsoft and purchased an Xbox Series X instead! I have to say that as a long time Playstation fan, I was pretty impressed with the build quality of this gaming console. It has a good weight to it, it’s less bulky, has proper ventilation holes near the back bottom for cool air and the main fan near the top has nice big blades which quietly move the air upwards and outwards – it’s properly engineered and designed – it reminds me of a little chimney stack! My only improvement would be if they could just round out the corners with a small radius to make them a little more user friendly and less sharp feeling/looking 🙂

The PS5 is fairly big and bulky, the fan blades are way too small sized and it doesn’t really have proper ventilation holes or airflow direction – and according to my online searches, other people have also been facing power / heat issues with it. The only downside to the Xbox is that I highly prefer the PS5 controller over it as the bumper/trigger buttons are less bulky, the joy-sticks are symmetrically aligned, the D-Pad is in the proper location and the overall feeling/comfort is much nicer while holding it. I was even able to buy a little add-on attachment for the Xbox that allows me to still continue to use the PS5 controller which is amazing!

The ultimate gaming console setup for me in 2023 is the: Microsoft Xbox Series X ++ Sony Playstation 5 Controller

Last keyboard mod before the end of the year!

Well, this year has been a long and crazy one for me and I wanted to upgrade the style of my first mechanical keyboard. Even though it’s not my fav one to type on, it is still a memorable part of my collection and it’s a great WFH keeb. I bought a wood case which raises it up a little but it’s much more solid, better sounding and nicer styling compared to the cheaper, thinner, and hollow plastic case that comes with ducky keyboards!

First keyboard build for the year end!

This was my first mechanical keyboard build and they have made it a pretty smooth process (took me half a day to lube the stabs). This is the KBD67 ANSI hot-swap and I put a mixture of everything into it. It has Holy Panda switches for the alphas, Halo True switches for all else, and Ducky plus Drop keycaps. It has a pretty good typing feeling, feedback, and sound to it – it’s a little lower in pitch compared to the Drop Alt’s open top metal frame (I think the plastic and padding underneath help deepen the sound). It’s a great overall keyboard to have as part of the collection! 🙂

Firewall Redirect Connection State Hook Mod for NGINX Stream Proxy Server

So nginx has a stream proxy module that you can use for transparent SSL/TLS relaying/forwarding; however, it is only capable of reading the SNI hostname from the initial handshake of the connection. In addition, the original destination IP address is lost, because the firewall redirect rewrites it to point at the proxy server. I wrote a small modification that can be compiled into nginx which lets you run a script that pulls the missing destination IP address from the connection state table of a firewall, for example pfctl or iptables.

Source: https://github.com/stoops/nginx

Reproduction Test:

echo 'test' | nc 8.8.4.4 443

Error Log:

[error]: no host in upstream ":443", client: 192.168.X.Y, server: 0.0.0.0:3129, …

Hook Mod:

 

The code mod (in the source repository linked above) allows you to run a shell script of your choosing if nginx cannot get the hostname or address of a connection requesting to be proxied. You can then look up the destination IP address based on the source IP + port combination in the connection state mapping table of the firewall. The result is a much more stable proxying experience for HTTPS connections without needing to wait for the SNI or hostname of the initial handshake!

The Tale Of The Three Tactiles

So I was a little late to the game on mechanical keyboards but I tried my best to catch up in 2022 so that I could try to make it into 2023. The first one I got was the Ducky-Mini with Cherry MX Brown switches which offers a bit of a quieter/smoother version of a tactile switch or a rougher/scratchier version of a linear. This is a good wfh keyboard as it’s not as annoying to type on while in the middle of meetings and it offers more feeling during key travel compared to a linear in addition to less sound compared to a clicky. I then picked up a Drop-Alt and put Holy Panda switches in it and the feeling and sound matched more closely to the tactile experience which other reviewers were talking about. It’s a solid and stable keyboard and the key press feedback feeling and sound reminds me more of an olden analogue typewriter. It’s a much more enjoyable keyboard to type on — a true tactile experience. I lastly purchased a Matias-Mini with Alps White switches that are both clicky and tactile. This is a fun keyboard to type on for personal projects as it has the same characteristics of the Drop keyboard but with a slightly louder and higher pitched sound to it. It’s a great keyboard for all Mac enthusiasts!

BSD PF firewall has one extra scrub option…

The BSD Packet Filter (PF) firewall has an extra scrub option, “reassemble tcp”. I was researching and exploring the different types of fragmented packets / segmented streams of data that could be forwarded within a network that may have a smaller-MTU link in the middle of the routing path. I am still reading about what this option does to a streamed session and whether Linux has anything similar to it…

Note: nftables has user-land hooks via nfqueue

# nft insert rule ip mangle FORWARD ip daddr 8.8.4.4 tcp dport 53 counter queue num 1
#   (the ip mangle table and its FORWARD chain must already exist; add "bypass" after
#    "queue num 1" if matched packets should pass when nothing is bound to the queue,
#    otherwise the kernel drops them while the script below is not running)

from scapy.layers.inet import IP
from netfilterqueue import NetfilterQueue   # python3-netfilterqueue binding

QUEUE_NUM = 1   # must match "queue num 1" in the nft rule above

def que_packet(pkt):
    # pkt carries the raw IP packet the kernel handed up; decode it with scapy
    ipf = IP(pkt.get_payload())
    print("pkt", pkt)
    ipf.show()
    pkt.accept()   # re-inject into the stack; pkt.drop() would discard it instead

nfqueue = NetfilterQueue()
nfqueue.bind(QUEUE_NUM, que_packet)

try:
    nfqueue.run()   # blocks; every matched packet waits here for a verdict
except KeyboardInterrupt:
    print("exit")
finally:
    nfqueue.unbind()

Edit: I found it a bit complicated trying to understand when optimized network stacks (software or hardware) will combine multiple TCP segments into bigger IP packet payloads, and trying to perform reassembly at that higher level was a bit challenging. I came up with a way to solve the occasional web site having slow upload speeds for large files by running an nginx transparent reverse proxy server for HTTP/HTTPS instead!

user root wheel;
worker_processes auto;
worker_rlimit_nofile 8192;
events {
	accept_mutex off;
	multi_accept on;
	worker_connections 1024;
	use select;
}
stream {
	resolver 1.1.1.1 ipv6=off;
	server {
		listen 127.0.0.1:3129;
		ssl_preread on;
		proxy_half_close off;
		proxy_socket_keepalive off;
		proxy_connect_timeout 15s;
		proxy_timeout 9000s;
		proxy_pass $ssl_preread_server_name:443;
	}
}

# pf.conf: send LAN port-443 traffic arriving on en0 to the nginx stream listener
rdr on en0 inet proto tcp from any to any port 443 -> 127.0.0.1 port 3129

Update: Modifying the nginx framework to proxy more generically/reliably
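The two lookups that the nginx config above and the hook-mod post earlier on this page rely on, as an added example that is not the nginx mod's code: `extract_sni` does what `ssl_preread` must do to fill `$ssl_preread_server_name`, and `original_dst` is the fallback the mod performs when the ClientHello has no SNI, keyed on the client's source ip:port against the firewall's state table. Assumptions are mine: Linux `conntrack -L` output after an iptables REDIRECT, the listener on port 3129 as in the config, and a hand-built ClientHello as test input; the `pfctl -ss` column layout differs, but the lookup key is the same.

```python
import struct

def extract_sni(record):
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16:                                   # TLS handshake record
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:                                       # handshake type ClientHello
            return None
        p = 4 + 2 + 32                                          # skip hs header, version, random
        p += 1 + hs[p]                                          # session id
        p += 2 + int.from_bytes(hs[p:p + 2], "big")             # cipher suites
        p += 1 + hs[p]                                          # compression methods
        if p + 2 > len(hs):
            return None                                         # no extensions block at all
        end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            etype = int.from_bytes(hs[p:p + 2], "big")
            elen = int.from_bytes(hs[p + 2:p + 4], "big")
            body, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype != 0:                                      # 0 = server_name
                continue
            q = 2                                               # skip ServerNameList length
            while q + 3 <= len(body):
                nlen = int.from_bytes(body[q + 1:q + 3], "big")
                if body[q] == 0:                                # name_type host_name
                    return body[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        return None
    except IndexError:                                          # truncated record
        return None

def build_client_hello(sni=None):
    """Construct a minimal TLS 1.2 ClientHello for testing (not a real capture)."""
    exts = b""
    if sni is not None:
        entry = b"\x00" + len(sni).to_bytes(2, "big") + sni.encode()
        sn_list = len(entry).to_bytes(2, "big") + entry
        exts = b"\x00\x00" + len(sn_list).to_bytes(2, "big") + sn_list
        exts = len(exts).to_bytes(2, "big") + exts
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x13\x01" + b"\x01\x00" + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

# Constructed `conntrack -L` sample (not a real capture). REDIRECT rewrites the
# destination to the ingress interface's primary address (192.168.1.1:3129 here),
# so the listener must bind there; the first src/dst/sport/dport quadruple on
# each line is the original direction, i.e. where the client was really going.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=8.8.4.4 sport=49152 dport=443 src=192.168.1.1 dst=192.168.1.10 sport=3129 dport=49152 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=192.168.1.10 dst=93.184.216.34 sport=49153 dport=443 src=192.168.1.1 dst=192.168.1.10 sport=3129 dport=49153 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.10 dst=1.1.1.1 sport=40000 dport=53 src=1.1.1.1 dst=192.168.1.10 sport=53 dport=40000 mark=0 use=1
"""

def original_dst(conntrack_text, client_ip, client_port):
    """Pre-DNAT destination of the TCP flow the proxy accepted from client_ip:client_port."""
    for line in conntrack_text.splitlines():
        f = line.split()
        if not f or f[0] != "tcp":
            continue
        orig = {}
        for tok in f:
            k, sep, v = tok.partition("=")
            if sep and k not in orig:            # keep the first (original-direction) tuple
                orig[k] = v
        if orig.get("src") == client_ip and orig.get("sport") == str(client_port):
            return orig["dst"], int(orig["dport"])
    return None

SO_ORIGINAL_DST = 80   # Linux: getsockopt(SOL_IP, 80, 16) on the accepted socket, no shell-out needed

def decode_sockaddr_in(raw):
    """Decode the 16-byte sockaddr_in that SO_ORIGINAL_DST returns into (ip, port)."""
    port, addr = struct.unpack("!2xH4s8x", raw)
    return ".".join(map(str, addr)), port

def resolve_upstream(first_bytes, conntrack_text, client):
    """Upstream selection as the mod does it: SNI when present, otherwise the
    firewall's record of the real destination (which the client cannot forge)."""
    sni = extract_sni(first_bytes)
    if sni:
        return sni, 443
    return original_dst(conntrack_text, client[0], client[1])
```

When a script is used, `conntrack -L -p tcp --orig-src <ip> --orig-port-src <port>` narrows the query to the one flow instead of dumping the whole table; on Linux the shell-out can go away entirely, because `getsockopt(SOL_IP, SO_ORIGINAL_DST)` on the accepted socket returns the pre-DNAT address that `decode_sockaddr_in` unpacks. One caveat worth keeping in mind: SNI is chosen by the client, so an SNI-first proxy will forward to whatever name the client puts in the ClientHello, while the conntrack answer is the destination the firewall actually admitted; comparing the two costs nothing and flags the mismatch.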

More Nostalgia The Older I Get

Well, 2022 was a long and crazy year for me (health wise as well) but I’m trying to get back on track and focus and concentrate on new things in life! I’ve been finding that the older I get, the more I think about the olden golden days of being a kid and growing up in an analogue world, before the invention of the internet and computers. Times were simpler but more basic and it’s kinda crazy to think about how much progress and change exists nowadays. I remember a time when my specific search term in Google actually showed me the exact thing I was looking for haha 🙂 Anyway, I’ll try to keep this blog going as a personal hobby of interesting things that I find out along the way in life. Just random tech craziness if you will!

 
