When working with virtualization technologies like KVM on Debian, you might need to configure bridge interfaces which are not attached to a physical interfaces (for example for a non-routed management network or similar).
Debian uses the directive bridge_ports in /etc/network/interfaces to indicate whether an interface is a bridge interface or not. The syntax checker does not accept an empty bridge_ports directive since he expects a list of physical interfaces to attach to the bridge interface.

When needing a bridge interface without any physical interfaces attached, usually people configure this interface by hand or with a special script.
Since I manage /etc/network/interfaces with my Puppet module, I would like to use it to configure all network interfaces including the unattached bridge interfaces.
It turns out that this can be done by passing none as parameter for the bridge_ports directive like this:

interface br0 inet static
	address 192.0.2.1
	netmask 255.255.255.0
	bridge_ports none

Since the default templates of HAVP look like being stuck in the 90's, I created some nice-looking templates.
You can download them from GitHub: https://github.com/x-way/havp-templates
Currently there is only the german version, feel free to send me a pull-request with another translation :-)

For basic virus protection I'm running a proxy with HAVP and ClamAV.
Since some time I was using HAVPs blacklist functionality to block Ads (by blacklisting *.doubleclick.net and *.ivwbox.de). As such a manual blacklist is not very efficient I wanted to have an auto-updating list of adservers, thus I started to write the shellscript below which generates an up-to-date blacklist based on the adserverlist from pgl.yoyo.org.

Shortly after this I extended the script to also incorporate a Phising blacklist based on the data from PhishTank.
Currently I'm using the version below which runs in a cronjob every two hours and keeps the HAVP blacklist up-to-date. Please note that you need to insert your own free PhishTank API key when using this script.

#!/bin/sh

cd /etc/havp

OUTFILE=/etc/havp/blacklist

ADSERVERLIST=/etc/havp/adserverlist
PHISHTANK=/etc/havp/phishtank
MYBLACKLIST=/etc/havp/myblacklist

wget -q -N "http://pgl.yoyo.org/adservers/serverlist.php?hostformat=webwasher;showintro=0;mimetype=plaintext"
sed -e 's_^//_#_g' serverlist.php* | sort | uniq > $ADSERVERLIST

wget -q -N http://data.phishtank.com/data/<PhishTank API key>/online-valid.csv.bz2
bzcat online-valid.csv.bz2 | sed \
	-e 's/^[0-9]*,//' \
	-e 's@,http://www.phishtank.com/phish_detail.php?phish_id=[0-9]*,.*$@@' \
	-e 's/^"\(.*\)"$/\1/'  \
	-e 's_^https\?://__' \
	-e 's_/$_/*_' \
	-e 's_^\([^/]*\)$_\1/*_' \
	-e 's/?.*/*/' | \
grep -vF 'phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target' | \
iconv -f utf8 -t ascii -c - | sort | uniq > $PHISHTANK


echo "# blacklist file generated by $0, `date`" > $OUTFILE

echo "\n# MYBLACKLIST:" >> $OUTFILE
cat $MYBLACKLIST >> $OUTFILE

echo "\n# ADSERVERLIST:" >> $OUTFILE
cat $ADSERVERLIST >> $OUTFILE

echo "\n# PHISHTANK:" >> $OUTFILE
cat $PHISHTANK >> $OUTFILE

To avoid the timeconsuming manual configuration of a proxy server on all computers, phones and tablets, the proxy configuration can be provided automatically via DHCP by using WPAD.

For this setup, the following components are needed:

1. A DHCP server which announces DHCP option 252 with the URL of the PAC file (wpad.dat).
2. A webserver which serves the wpad.dat file
3. A wpad.dat PAC file where the Proxy IP is defined

On a MikroTik system, the DHCP server configuration looks like this:

/ip dhcp-server option
add code=252 name=local-pac-server value="http://192.168.0.2:80/wpad.dat\?"
/ip dhcp-server network
add address=192.168.0.0/24 dhcp-option=local-pac-server dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24

Please note the trailing questionmark in the URL for the PAC file. This is a workaround for yet another occurrence of RFC nitpicking where some implementations might misinterpret the DHCP option and add an encoded NULL-byte character to the end of the URL when requesting the PAC file from the webserver.
With the questinmark at the end of the URL, any additional trailing NULL-byte character will be ignored by the webserver and the PAC file will be loaded just fine.

Following the example above, on the machine 192.168.0.2, we serve the following wpad.dat file:

function FindProxyForURL ( url, host ) {
	return "PROXY 1.2.3.4:8080; DIRECT";
}

With this setup, all systems will use the proxy at 1.2.3.4 and if the proxy is not available try to connect directly to the Internet.
While this is fine for a home network where the proxy is mostly used for adblocking, you probably want to remove the DIRECT part in an enterprise setup.

Thanks to the ngx_echo module, it is trivially easy to build a clone of the icanhazip.com service with nginx:

server {
	listen 80; 
	listen [::]:80;

	location / { 
		echo $remote_addr;
	}   
}

The Cisco WAP121 runs a Linux based firmware. This is how you get a Rootshell on it:

1. Login to the Web GUI of the WAP121 and enable the SSH management access
2. Login with SSH and enter this command: sh

This probably works with the Cisco WAP321 as well (I only tested with the WAP121).
Also when having still only the one 'cisco' user account configured you can directly get a Rootshell via SSH like this: ssh -l root@<WAP121 IP>

After the summer festivals of Sydney, now also the festivals in Switzerland start again.
First one this year: Artiphys 2012

While playing around with my Puppet configuration I discovered that the 'system facts' returned by the Facter helper tool were not consistent on my Debian boxes.

On some machines Facter properly reported all LSB related facts of the system, while on other machines it did not report any such information.
The problem occurred on about 50% of the hosts, so I excluded a bug introduced by manual over-tuning of the system configuration.

Further investigation showed that Facter uses the lsb_release command to collect the LSB information of the system.
On Debian this command is provided by the lsb-release package which was only installed on half of my systems...

Now my Puppet manifests include the following configuration directive which should prevent this problem in the future :-)

package { 'lsb-release':
	ensure => installed,
}

One advantage of being in Australia during the swiss winter is that you can go to music festivals in January! And so I did :-)

Last thursday I went to the Big Day Out festival in Sydney.
What is interesting compared to festivals in Europe is that in Australia the festival starts at 11 in the morning and ends at 11:45 in the evening, whereas in Switzerland festivals start around 5 in the afternoon and end around 5-6 in the morning.

I really liked the performances of Parkway Drive, Miss Kittin, Röyksopp, Bassnectar, Kasabian, Soundgarden and Regurgitator.
Also it was nice to catch a glimpse of The Jezabels, Hilltop Hoods, Kitty, Daisy & Lewis and the show of Kayne West.
A bit disapointing was the performance of Cavalera Conspiracy. They even had to fallback to popular Sepultura songs (Refuse/Resist, Roots Bloody Roots) in order to get the crowd moving. On the other hand it was lucky for me, so I got to see a live concert of Sepultura (performed by the founders of Sepultura!), something I didn't think I would ever see after Max Cavalera had left the band.
Unfortunately the last train back was before the end of the festival and so I did miss Nero.