Quick Blog Links

about   root @       
 
  MacOS Applications   [x-code + objective-c]  
 
  SSHPass Automation Program   [python]  
 
  VPN-Like Tunneled Interface & Traffic   [python  /  networking]  
 
  DHCP/ARP Relay-Bridge ~ Proxying   [c  /  networking]  
 
  Linux Kernel IP-DF Flag Header Rewrite   [kernel]  
 
written   Secure LAN Communication   [College Thesis]  
 
  College Project – Teaching Hacking!   [Course Paper]  
 
  ARM Assembly – A Basic Introduction…   [Blog Post]  
 
configs   WiFi Bridge ~ Network Diagram   Firewalling ~ eb|iptables  
 
  Cisco and OpenWRT   Ubiquiti and OpenWRT  
 
gear   Mac Mini   WiFi Networks  
 
 
# Note: github.com/fossjon <- I lost access due to missing 2fa, so now I'm using -> github.com/stoops
for p in `seq 1 3` ; do
  curl -sL "https://fossjon.com/feed/?paged=$p" | grep -Ei '<(title|link)>' \
    | sed -e '[email protected]<[email protected]~<[email protected]' | tr ' \t\r\n' ' ' | tr -s ' ' | tr '~' '\n' \
    | sed -e '[email protected]^.*<title>\(.*\)</title>.*<link>\(.*\)</link>.*[email protected]<a href="\2" style="text-decoration:none;font-family:monospace;">\1</a><br/>@' \
    | grep -i '/fossjon.com/'
done > blog.html
   
   pages  
   1   2   3   4   5   |  6   7   8   9   10   
 11   12   13   14   15   |  16   17   18   19   20 
Quick Blog Links

The Tale Of The Three Tactiles

So I was a little late to the game on mechanical keyboards but I tried my best to catch up in 2022 and so I could try to make it into 2023. The first one I got was the Ducky-Mini with Cherry MX Brown switches which offers a bit of a quieter/smoother version of a tactile switch or a rougher/scratchier version of a linear. This is a good wfh keyboard as it’s not as annoying to type on while in the middle of meetings and it offers more feeling during key travel compared to a linear in addition to lesser sound compared to a clicky. I then picked up a Drop-Alt and put Holy Panda switches in it and the feeling and sound matched more closely to the tactile experience which other reviewers were talking about. It’s a solid and stable keyboard and the key press feedback feeling and sound reminds me more of an olden analogue type writer. It’s a much more enjoyable keyboard to type on — a true tactile experience. I lastly purchased a Matias-Mini with Alps White switches that are both clicky and tactile. This is a fun keyboard to type on for personal projects as it has the same characteristics of the Drop keyboard but with a slightly louder and higher pitched sound to it. It’s a great keyboard for all Mac enthusiasts!

The Tale Of The Three Tactiles

BSD PF firewall has one extra scrub option…

The BSD PacketFilter firewall has an extra scrub option which is, “reassemble tcp”. I was researching and exploring the different types of fragmented-packets/segmented-streams of data that could be forwarded within a network that may have a smaller MTU link in the middle of the routing path. I am still reading about what this option does on a streamed session and if Linux has anything similar to it…

Note: nftables has user-land hooks via nfqueue

# nft insert rule ip mangle FORWARD ip daddr 8.8.4.4 tcp dport 53 counter queue num 1

from scapy.layers.inet import IP
from netfilterqueue import NetfilterQueue

def que_packet(pkt):
    pay = pkt.get_payload()
    ipf = IP(pay)
    print("pkt",pkt)
    ipf.show()
    pkt.accept()

nfqueue = NetfilterQueue()
nfqueue.bind(1, que_packet)

try:
    nfqueue.run()
except:
    print("exit")

nfqueue.unbind()

Update: I found that it was a bit complicated trying to understand when optimized network stacks (software or hardware) will combine multiple TCP segments into bigger IP packet payloads and that trying to perform reassembly at that higher level was a bit challenging/difficult. I came up with a way to solve the occasional web site having slow upload speeds for large files by running an nginx transparent reverse proxy server for HTTP/HTTPS instead!

events {
	worker_connections 4096;
}
http {
	resolver 8.8.8.8 ipv6=off;
	server {
		listen 3128;
		location / {
			proxy_socket_keepalive on;
			proxy_connect_timeout 1m;
			proxy_read_timeout 9h;
			proxy_send_timeout 9h;
			proxy_pass http://$host;
			proxy_set_header Host $host;
		}
	}
}
stream {
	resolver 8.8.8.8 ipv6=off;
	server {
		listen 3129;
		ssl_preread on;
		proxy_half_close off;
		proxy_socket_keepalive on;
		proxy_connect_timeout 1m;
		proxy_timeout 9h;
		proxy_pass $ssl_preread_server_name:443;
	}
}
rdr on en0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr on en0 proto tcp from any to any port 443 -> 127.0.0.1 port 3129
BSD PF firewall has one extra scrub option…

More Nostalgia The Older I Get

Well, 2022 was a long and crazy year for me (health wise as well) but I’m trying to get back on track and focus and concentrate on new things in life! I’ve been finding that the older I get, the more I think about the olden golden days of being a kid and growing up in an analogue world, before the invention of the internet and computers. Times were simpler but more basic and it’s kinda crazy to think about how much progress and change exists nowadays. I remember a time when my specific search term in Google actually showed me the exact thing I was looking for haha 🙂 Anyway, I’ll try to keep this blog going as a personal hobby of interesting things that I find out along the way in life. Just random tech craziness if you will!

 

~

 

More Nostalgia The Older I Get

Implementing pf-scrub no-df bit in a Netfilter Linux Kernel Module hook – IPV4 Packet Header Rewrite

So, I was searching around for the Linux equivalent of the BSD PF firewall rule “scrub-all no-df” and I was expecting that there would be an “iptables mangle prerouting” version – but – no luck! I just wanted to be able to clear this specific bit in the IPv4 packet header with a Linux router so that it would be able to fragment the packets along the inner routes that may have a lower MTU set. Since I couldn’t find anything I made one myself 🙂

Source: https://github.com/stoops/nf_df

Code Snippet

Test Command

ping -c 1 -M do -s 123 1.1.1.1

Packet Capture

As you can see below, the first IPv4 packet (unmodified) contains the DF bit flag set on (0x0000: …. 4000 ….) compared to the modified packet below in the “After Send” section.

Before Send

21:58:39.473143 fe:00:00:00:01:02 > fe:00:00:00:01:01, ethertype IPv4 (0x0800), 
length 165: 1.3.3.7 > 1.1.1.1: ICMP echo request, id 19298, seq 1, length 131
	0x0000:  4500 0097 0000 4000 4001 6348 0103 0307  [email protected]@.cH....
	0x0010:  0101 0101 0800 6735 4b62 0001 0f74 6d63  ......g5Kb...tmc
	0x0020:  0000 0000 2538 0700 0000 0000 1011 1213  ....%8..........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637 3839 3a3b 3c3d 3e3f 4041 4243  456789:;<=>[email protected]
	0x0060:  4445 4647 4849 4a4b 4c4d 4e4f 5051 5253  DEFGHIJKLMNOPQRS
	0x0070:  5455 5657 5859 5a5b 5c5d 5e5f 6061 6263  TUVWXYZ[\]^_`abc
	0x0080:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
	0x0090:  7475 7677 7879 7a                        tuvwxyz

Before Recv

21:58:39.475300 fe:00:00:00:01:01 > fe:00:00:00:01:02, ethertype IPv4 (0x0800), 
length 165: 1.1.1.1 > 1.3.3.7: ICMP echo reply, id 19298, seq 1, length 131
	0x0000:  4500 0097 d279 0000 3901 d7ce 0101 0101  E....y..9.......
	0x0010:  0103 0307 0000 6f35 4b62 0001 0f74 6d63  ......o5Kb...tmc
	0x0020:  0000 0000 2538 0700 0000 0000 1011 1213  ....%8..........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637 3839 3a3b 3c3d 3e3f 4041 4243  456789:;<=>[email protected]
	0x0060:  4445 4647 4849 4a4b 4c4d 4e4f 5051 5253  DEFGHIJKLMNOPQRS
	0x0070:  5455 5657 5859 5a5b 5c5d 5e5f 6061 6263  TUVWXYZ[\]^_`abc
	0x0080:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
	0x0090:  7475 7677 7879 7a                        tuvwxyz

Kernel Module

# lsmod | grep -i nf_df
nf_df    16384    0

After Send

21:52:52.646803 fe:00:00:00:01:02 > fe:00:00:00:01:01, ethertype IPv4 (0x0800), 
length 165: 1.3.3.7 > 1.1.1.1: ICMP echo request, id 52199, seq 1, length 131
	0x0000:  4500 0097 0000 0000 4001 a348 0103 0307  [email protected]
	0x0010:  0101 0101 0800 0e11 cbe7 0001 b472 6d63  .............rmc
	0x0020:  0000 0000 56d8 0900 0000 0000 1011 1213  ....V...........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637 3839 3a3b 3c3d 3e3f 4041 4243  456789:;<=>[email protected]
	0x0060:  4445 4647 4849 4a4b 4c4d 4e4f 5051 5253  DEFGHIJKLMNOPQRS
	0x0070:  5455 5657 5859 5a5b 5c5d 5e5f 6061 6263  TUVWXYZ[\]^_`abc
	0x0080:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
	0x0090:  7475 7677 7879 7a                        tuvwxyz

After Recv

21:52:52.669611 fe:00:00:00:01:01 > fe:00:00:00:01:02, ethertype IPv4 (0x0800), 
length 165: 1.1.1.1 > 1.3.3.7: ICMP echo reply, id 52199, seq 1, length 131
	0x0000:  4500 0097 79f9 0000 3901 304f 0101 0101  E...y...9.0O....
	0x0010:  0103 0307 0000 1611 cbe7 0001 b472 6d63  .............rmc
	0x0020:  0000 0000 56d8 0900 0000 0000 1011 1213  ....V...........
	0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
	0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
	0x0050:  3435 3637 3839 3a3b 3c3d 3e3f 4041 4243  456789:;<=>[email protected]
	0x0060:  4445 4647 4849 4a4b 4c4d 4e4f 5051 5253  DEFGHIJKLMNOPQRS
	0x0070:  5455 5657 5859 5a5b 5c5d 5e5f 6061 6263  TUVWXYZ[\]^_`abc
	0x0080:  6465 6667 6869 6a6b 6c6d 6e6f 7071 7273  defghijklmnopqrs
	0x0090:  7475 7677 7879 7a                        tuvwxyz

Edit: In addition to this Linux kernel nftables module, I found out that there is another one running for IPv4 packet defragmentation which should also be similar to the scrub rule “fragment reassemble”. According to the documentation, if you have any stateful connection tracking rules for layer-4 (for example, postrouting nat rules or prerouting udp ports) then the fragmented packets should get reassembled again. I am looking into the scrub rule “reassemble tcp“…

# lsmod | grep -i defrag
nf_defrag_ipv4 16384 1 nf_conntrack

 

~

 

Implementing pf-scrub no-df bit in a Netfilter Linux Kernel Module hook – IPV4 Packet Header Rewrite

Experiment: Tunnelling my WAN over VPN

So I had this Mac Mini that I was originally using as a WiFi relay bridge (layer 2) but since then I was only using it as an rsync backup server. I decided to also turn it into a VPN tunnelling router (layer 3) for my home network setup by using OpenVPN on MacOS (connected to a Debian Linux server). I was testing out its performance and it was holding up pretty good and stable but I wanted to give WireGuard a try as well, just to see and compare. Upon initial configuration, I noticed that WireGuard was defaulting to a lower MTU (1420) compared to what I had set in OpenVPN (1450) and that some of my connections to websites were unstable/slow/hanging. Additionally, with OpenVPN, I was able to set some extra settings like MSS & fragmentation limits and I couldn’t find the equivalent of those with WireGuard. However, I do like the overall simplicity of the WG config and setup process!

I actually lowered the WG MTU (1410) but this could potentially cause larger size packets to fragment. I was searching around and found that it was possible for one to clamp the MSS values on forwarded/routed packets with an iptables forward/mangle rule. Since the Mac is the VPN client and has the BSD PF firewall, I also set a scrub rule as well:

# bsd pf
scrub all no-df random-id max-mss 1330
 
# nix nf
iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1330
 
# iptables-translate ftw!

I was also trying to read more about the “don’t fragment” bit that could get set on packets along the way (sometimes when the PMTUD setting is enabled) and the pf-scrub rule can help to clear that bit (no-df) where I couldn’t yet find the equivalent on the Linux side. I also tried setting these sysctl values as well:

# mac
sysctl net.inet.tcp.path_mtu_discovery=0
 
# nix
sysctl net.ipv4.ip_no_pmtu_disc=1

I’m still playing around with this setup but it’s been an interesting networking experiment so far in terms of seeing how your web connections handle and react to being encapsulated automatically by a network router…

Edit: I have written a Linux kernel module to do the equivalent of “scrub-all no-df

Tunnelled Internet – Speed Tests

OpenVPN:

 
WireGuard:

~

Experiment: Tunnelling my WAN over VPN

A place to finally put all of my stuff!

Well it’s been a tough number of years for me as all of my personal belongings have been packed up in boxes the entire time, however, I have finally been able to move into a new space and a new place.

As a new decorative piece to hang on the wall, I was able to get a large size, glass print of the MacOS flying Apple desktop background wallpaper I created from Fracture Me. It helps to add a little more fun and colour inside and they have pretty good quality printers (quick service as well).

This will be a new journey for me!

 

 

 

 

~

 

 

 

A place to finally put all of my stuff!

OpenWRT Switches From iptables To nftables!

So after many years of using and learning iptables, one of my favourite firewalls, I had to translate my command line ruleset into a new format/syntax. It wasn’t too bad but with the added power and flexibility of nftables, it can be harder to find the order/priority of the rules for a given filter hook, for example, INPUT. However, I really appreciate how the new firewall incorporates some previous features that I used to have to install via iptables modules like ipset and hashlimit, which provides the rate limiting functionality!

hook="input"
nft list ruleset                               \
  | sed -e 's/counter.*[0-9]//g'               \
  | tr '\t' ' ' | tr '\r\n' '~' | tr '{}' '\n' \
  | grep -i "hook.${hook}"                     \
  | tr '~' '\n'                                \
  | grep -i '[a-z]'                            \
  | sed -e 's/^[ ]*//'
type filter hook input priority filter; policy accept;
iifname "lo"  accept
iifname "lan" udp dport 67  accept
iifname "wan" ct state established,related  accept
drop
OpenWRT Switches From iptables To nftables!

Hacky – Restart Network Interface On OpenWRT

So on OpenWRT for example, a WAN interface can be set get an IP address via DHCP, however, this will launch a separate independent process on Linux to act as the client. On the web interface, there is a button on each network interface which allows you to restart that individual interface (and in addition, it will be smart enough to kill the previous client process and launch a new one as well as re-initialize the firewall and other stuff). I could not find the equivalent command line option to this as a simple ifdown/sleep/ifup would not capture all of these sub-actions as per the extra configurations set on the interface. So I searched and read a helpful hint that can give a similar workaround using the network init startup script. You can modify some small part of the network interface configuration and then call network reload which will be smart enough to pick up the diff/changes only. This helps greatly in case you need to script or schedule a specific interface restart:

#!/bin/sh
r=$(/bin/date | /usr/bin/md5sum | /usr/bin/cut -c 1-8)
/sbin/uci set network.wan.hostname="owrt${r}"
/sbin/uci commit network
/etc/init.d/network reload
Hacky – Restart Network Interface On OpenWRT

Local HTTP Proxy Server – Bypass Host Regex Match – Multi Destination Client Connection

No usage documentation, however, posting this for historical purposes:

#ok:www.google.com:false
python3 proxy.py ~/.proxy.txt host:port
export https_proxy='http://127.0.0.1:9090'
import os, sys, re
import select, socket, socketserver


class proxysrv(socketserver.BaseRequestHandler):
    def init(self):
        self.size = (8 * 1024)
        self.file = sys.argv[1]
        self.info = sys.argv[2].split(":")
        self.host = (self.info[0], int(self.info[1]), True)
        self.sock = self.request

    def config(self, file):
        proxlist = []
        try:
            fobj = open(file, "r")
            for line in fobj.readlines():
                line = line.strip().split(":")
                stat = False
                if ("true" in line[2].lower()):
                    stat = True
                proxlist.append([line[0], line[1], stat])
        except:
            print("error","config")
        return proxlist

    def checks(self, conf, data):
        try:
            proxyreq = data.decode().split("\n")
            hostreqs = proxyreq[0].strip().split(" ")
            hostinfo = hostreqs[1].split(":")
            hostname = hostinfo[0]
            hostport = int(hostinfo[1])
            lasthost = ()
            for item in conf:
                regx = re.match("^.*%s$" % (item[1]), hostname)
                if ((item[0] == "no") and (not regx)):
                    lasthost = (hostname, hostport, item[2])
                if ((item[0] == "ok") and regx):
                    lasthost = (hostname, hostport, item[2])
            if (lasthost and (not lasthost[2])):
                return lasthost
        except:
            print("error","checks")
        return self.host

    def newcon(self, srcs, data, host):
        try:
            senddata = "HTTP/1.1 200 Connection established\r\nProxy-Connection: Keep-Alive\r\n\r\n".encode()
            sockobjc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sockobjc.connect((host[0], host[1]))
            if (host[2]):
                sockobjc.sendall(data)
            else:
                srcs.sendall(senddata)
            return sockobjc
        except:
            print("error","newcon")
        return None

    def relays(self, srcs, dsts):
        try:
            while True:
                (readlist, _, _) = select.select([srcs, dsts], [], [])
                for sockitem in readlist:
                    if (sockitem == dsts):
                        data = dsts.recv(self.size)
                        print("dsts",len(data))
                        if (not data):
                            raise
                        srcs.sendall(data)
                    if (sockitem == srcs):
                        data = srcs.recv(self.size)
                        print("srcs",len(data))
                        if (not data):
                            raise
                        dsts.sendall(data)
        except:
            pass

    def handle(self):
        self.init()

        proxlist = self.config(self.file)
        recvdata = self.sock.recv(self.size)
        desthost = self.checks(proxlist, recvdata)
        sockobjc = self.newcon(self.sock, recvdata, desthost)

        print("addr",self.client_address)
        print("data",recvdata)
        print("host",desthost)

        if (sockobjc):
            self.relays(self.sock, sockobjc)


if (__name__ == "__main__"):
    for e in ["http_proxy", "https_proxy", "no_proxy"]:
        for v in [e.upper(), e.lower()]:
            print("envr",v)
            os.environ[v] = ""

    sockobjc = socketserver.TCPServer(("127.0.0.1", 9090), proxysrv)
    sockobjc.serve_forever()
Local HTTP Proxy Server – Bypass Host Regex Match – Multi Destination Client Connection

Bored on Reddit and submitting funny coding comments

So there was a Reddit thread today that was diverging into bad coding tests plus grade evaluation puns (C++) – so I tried to make a purposefully confusing C program behave in a way that a coder or programmer wouldn’t exactly expect. After I wrote it, I had to put in some for-loop-printf-debug statements just to confirm and demonstrate how the right-to-left side value-lookup to delayed-increase to index-assignment works in C, it’s pretty neat to try and analyze how and why this is “working” lol!

#include <stdio.h>
int main()
{
    char A = 'A', B = 'B', C = 'C', D = 'D', E = 'E', F = 'F';
    char grades[256];
    grades[A++] = A++;
    grades[B++] = B++;
    grades[C++] = C++;
    grades[D++] = D++;
    grades[E++] = E++;
    grades[F++] = F++;
    printf("My grade is %c!\n",grades[C++]);
}

And basically this will print out “My grade is D!” – but it’s fun to trace through how each line will process the value statement first and then the assignment index is processed afterwards. In addition, each line will affect the next statement below because of the increases that take place in between processing sides, so the future lookup index values are being changed along the way! 🙂

Bored on Reddit and submitting funny coding comments

Another Helper App – BrowserBot

So, there was one more app I needed to complete my personal trilogy, and it’s named BrowserBot! It’s an app that will help “curl” the web for any page you’d like to monitor for changes, and you can feed it custom commands (similar to ClippyCommand) so it will parse out any field/value you specify. I had scripts running in a crontab to do this but I wanted a more centralized and official place to quickly view the latest and refreshed web data that I was interested in tracking for security reasons!

Source Code: github.com/stoops/BrowserBot

Another Helper App – BrowserBot

A new MacOS app – ClippyCommand!

So as a Mac/Linux/BSD fan, I’ve posted a few different Microsoft related creations/customizations that I use as a daily reminder of the good old days! Even though I wasn’t the biggest fan of Windows and Explorer, I still tried to make some dock icons to appreciate and represent both of them in the future. I was just missing one last memory of mine, which was, Clippy! I created a new MacOS app that allows you to pipe the copy-paste buffer into a set of your own customized bash shell command line programs and it will rewrite the paste buffer so you are ready to go! This is the second custom app in my dock, along side my DynaDock application.

Source Code: github.com/stoops/ClippyCommand

Some of my more useful and commonly used editing/formatting commands!

A new MacOS app – ClippyCommand!

A World Of Different Switches

So I recently ordered a Drop Alt keyboard with Halo True switches as it offered the ability to hot-swap them out. The case and frame is much more stable and solid compared to the Ducky Mini and it produces a much more clunky-analogue, type-writer kind of sound. I put in some Holy Panda switches and they have a greater feeling tactile bump at the start of the key travel along with a slightly lighter spring force for an easier press downwards. Both are great switches to type on overall!

Edit: For comparison, the Cherry Brown switch has a tactile resistance during the key travel, but the bump in the beginning is not as noticeable or pronounced as to what some of the other switches offer and the spring force is much lighter.

A World Of Different Switches