blog.crox.net

When performing tests you may sometimes want to send specially crafted icmp packets. hping is a handy tool for that.

However, the default behavior is to refuse to send "unsupported" Type/Code combinations. eg

hping3 -c 1 --icmp -C 33 -K 0 192.168.70.1
HPING 192.168.70.1 (wlan0 192.168.70.10): icmp mode set, 28 headers + 0 data bytes
[send_icmp] Unsupported icmp type!

Fortunately, there is an (undocumented) --force-icmp option that you can add to bypass the check:

hping3 -c 1 --icmp --force-icmp -C 33 -K 0 192.168.70.1
HPING 192.168.70.1 (wlan0 192.168.70.10): icmp mode set, 28 headers + 0 data bytes

--- 192.168.70.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

After a fresh pfSense install, I found out that traffic from specific hosts was being dropped when it should have been allowed based on the firewall rules I defined.

It turned out that the option "block bogon networks" was activated on the WAN interface, and that fresh pfSense images come with a slightly outdated bogon list.

If you are facing this problem, you have three options:

1. disable the "Block bogon networks" option at the bottom of the WAN interface page

2. after at most one week, the list will be updated automatically as long as the box is online (there is a cron entry, grep your config file for bogon)

3. if you don't want 1. and can't wait for 2, you can trigger the update process manually by running:

/etc/rc.update_bogons.sh 0

Check the output from the Status -> System Logs -> System page (I ran it from a serial console, but it should work fine by ssh or from the exec.php page too)

Composer le 0868 868 868.

In Ubuntu Karmic (and possibly Jaunty ?), when you install libsane, it adds a file /lib/udev/rules.d/40-libsane.rules which contains rules that match on supported scanners and set the environment variable "libsane_matched" to "yes".

This in turn triggers the following in /lib/udev/rules.d/70-acl.rules:

# USB scanners
ENV{libsane_matched}=="yes", ENV{ACL_MANAGE}="1"

<snip>

# apply ACL for all locally logged in users
LABEL="acl_apply", ENV{ACL_MANAGE}=="?*", TEST=="/var/run/ConsoleKit/database", \
  RUN+="udev-acl --action=$env{ACTION} --device=$env{DEVNAME}"

In the end, the result is that an ACL is created for the device, which allows locally logged in users to use it (read/write permission). eg for my scanner:

~# lsusb
Bus 001 Device 005: ID 04b8:011c Seiko Epson Corp. Perfection 3200
~# ls -l /dev/bus/usb/001/005
crw-rw-r--+ 1 root root 189, 4 2009-12-28 00:11 /dev/bus/usb/001/005
~# getfacl /dev/bus/usb/001/005
getfacl: Removing leading '/' from absolute path names
# file: dev/bus/usb/001/005
# owner: root
# group: root
user::rw-
user:crox:rw-
group::rw-
mask::rw-
other::r--
~#

However, I also wanted to allow access to the scanner from other workstations through saned. In older Ubuntu versions, you could just add saned (or whatever user the service runs as) to the scanner group. This no longer works since the device belongs to root:root, and ACLs are added for specific users. The solution that works for me is to create a file /etc/udev/rules.d/99-sane-group.rules with the following contents:

# change group to scanner for sane devices
ENV{libsane_matched}=="yes", GROUP="scanner"

Then you just need to run

sudo udevadm trigger

and the group of the device magically changes to scanner.

Of course you could also add a similar rule specifically for a certain device instead, in my case this would work too:

ATTRS{idVendor}=="1d6b", ATTRS{idProduct}=="0002", GROUP="scanner"

To check that it worked, run the following:

sudo su -s /bin/bash -c 'scanimage -L' saned

Faced with a noisy Dell Precision 490 computer running Ubuntu Karmic, I found an easy way to reduce the noise level to an acceptable threshold. (fancontrol did not help since it seems not to be compatible with the chipset used by Dell at least on this computer.)

Step 1, install i8kutils:

sudo apt-get install i8kutils

Step 2, add i8k to /etc/modules:

sudo sh -c 'echo i8k >> /etc/modules'

Step 3, edit /etc/default/i8kmon so that it looks like this:

# /etc/default/i8kmon



# Change to one enable i8kmon

ENABLED=1

I8KMON_ARGS="--daemon --nouserconfig --auto"

Step 4, reboot and enjoy!