iptables-restore
Typical use of iptables
iptables(8)/ip6tables(8) is the main tool for managing Netfilter, the Linux firewall: it is a command that configures the firewall by modifying its list of rules. It is most often used in shell scripts that perform a long series of calls to define each rule:
# Remove the existing rules
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P OUTPUT ACCEPT
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
ip6tables -A INPUT -p tcp --dport ssh -j ACCEPT
ip6tables -A INPUT -p tcp --dport smtp -j ACCEPT
[…]
This approach suffers from several defects:
- by calling the ip(6)tables command many times, it performs many unnecessary reads and writes of the Netfilter rule table;
- if an error occurs while the script is running, the firewall is left in a half-applied configuration.
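The same ruleset expressed in the ip6tables-restore(8) format, as an added example (not code from the original post): the whole file is parsed first and then committed to Netfilter in one operation, so a rejected line leaves the previous ruleset untouched instead of a half-applied one. The --test pass in apply_ip6_ruleset only parses the ruleset and commits nothing.

```shell
#!/bin/sh
# Added example: the post's ip6tables rules rewritten for ip6tables-restore.
# "*filter" selects the table, ":CHAIN POLICY [0:0]" sets a built-in chain's
# default policy (and resets its counters), and "COMMIT" ends the table block.
# Only INPUT and OUTPUT policies are set, mirroring the script above; the
# FORWARD chain is left as it is.
ip6_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p ipv6-icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport ssh -j ACCEPT
-A INPUT -p tcp --dport smtp -j ACCEPT
COMMIT
EOF
}

# Validate the ruleset without committing it (--test), then apply it in one
# atomic step. Returns non-zero, and changes nothing, if validation fails.
# Must run as root; usage: apply_ip6_ruleset
apply_ip6_ruleset() {
    ip6_ruleset | ip6tables-restore --test || return 1
    ip6_ruleset | ip6tables-restore
}
```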
Coding a new BitTorrent tracker?
The BitTorrent protocol works with trackers, that track the clients or peers that share a given file. This is one specific design of a peer-to-peer protocol, very appropriate for official distribution: for instance, Debian runs a tracker for distributing the installation images.
Wrapper to use su as sudo (or sudo as su)
Classified in : Homepage, Debian, Command line
The problem
Some programs require root privileges for part of their work: most notably Debian building tools such as dpkg-buildpackage or pdebuild. So, several commands can be used to obtain real or fake root privileges: su, sudo, fakeroot, etc. Among them, su is quite distinct, because it only takes a quoted command to pass to a shell. That is why its interface is completely incompatible with the others':
$ su -c "pbuilder --build package.dsc"
$ sudo pbuilder --build package.dsc
This is annoying when real root privileges are needed, for instance by pbuilder, a tool to build Debian packages inside a minimal chroot. Indeed, in such a case I only know one command to obtain the root privileges, sudo, and some people (read: me) prefer using su.
PGP signatures with trust and verification level
Classified in : Homepage, Debian, To remember
Identity checks and trust
The OpenPGP web of trust is composed of keys linked to each other by two things:
- identity checks: signing a key means that you verified the link between a key with user IDs, an official identity document with a photograph, and a person with a face;
- trust: on your public key ring, you manually decide who you trust to correctly check other people's identity.
With these two pieces of information, GnuPG is able to determine whether or not the key of someone you never met can be trusted to belong to its alleged owner.
Signatures
Signing a key is usually a binary action: either you sign it or you do not sign it. Thus your signature on a key gives other people only rough identity check information and no trust information at all.
In fact, the OpenPGP standard does allow publishing precise identity check and trust information on signatures, but unfortunately this is not enabled by default in GnuPG. These features are called certification level and trust signatures.
Uninstalling a single component of a meta-package
Classified in : Homepage, Debian, Command line, To remember
Or how to get rid of Evolution without removing your whole system
There is a complaint I have heard several times from people after they installed Debian: “I use Icedove/Thunderbird so I do not need Evolution: I tried to remove it but this would remove my whole system, that sucks!”