How I learned to stop worrying and love the firewall-cmd

With the advent of Centos 7, I had to face it that firewalld is a way of life. I guess it’s probably part of the systemd controversy.

I tried to go back to vanilla iptables. But… I just felt dirty. I’ve been living with firewalld on my Fedora workstations for… a while now. But, I never wanted to manage it much. I basically just kept it locked down — it’s workstations anyways, and I was still using iptables on Centos 6. I tried to be lazy — and run firewall-config over an x11 forwarded connection, but… That seemed to be proving harder than actually learning firewall-cmd.

So, I stopped worrying. I might as well use it. Hell, for about 8 zillion years I’ve been having to google stuff like “cyberciti iptables drop” to remember what the hell to do with iptables anyways. I just needed a recipe every time. And, then I used firewall-cmd.

Really, I needed to read the Centos 7 page on using firewalld in detail, before I got it.

Once I figured out that I could define what the zones meant by doing an --add-source, it clicked for me. So, here’s my cheatsheet of what I did to get my bearings, and I have to say, it’s kind of a better world. (I’m still struggling with systemctl… I’m like blinded by oldschool sysv style init scripts). My first goal was really just to open up for OpenVPN and then disable SSH, so I used two zones: “public” (for everything) and then a specific source for the LAN, which I called “trusted”. Here, I really just played around so I could test it out and prove that it worked according to my assumptions and newly learned tidbits about firewalld / firewall-cmd.

# Check out what it looks like...
firewall-cmd --get-active-zones
firewall-cmd --zone=public --list-all
# Try a port:
firewall-cmd --zone=public --add-port=5060-5061/udp
firewall-cmd --zone=public --list-ports
# Let's setup the trusted zone:
firewall-cmd --permanent --zone=trusted --add-source=
firewall-cmd --permanent --zone=trusted --list-sources
# I needed to reload before I saw the changes:
firewall-cmd --reload
firewall-cmd --get-active-zones
# Now let's configure that up:
firewall-cmd --zone=trusted --add-port=80/tcp --permanent
firewall-cmd --zone=trusted --add-port=443/tcp --permanent
firewall-cmd --zone=public --add-port=1194/udp --permanent
firewall-cmd --zone=public --add-port=1194/tcp --permanent
# Now list what you've got
firewall-cmd --zone=trusted --list-all
firewall-cmd --zone=public --list-all

Oh t3h noes! You just borked your Fedora 20 install!

So, I made a nice boo-boo with my Fedora 20 install on my laptop this morning. I accidentally rebooted before a yum update was finished. Annnd…. I figured it was better off to re-install rather than try to figure out how to recover — doubly so since I lost network connectivity, making it really hard to get references.

If you’re a MEAN stack developer on Fedora 20, you might install some of the same tools I do when I reinstall, so I took some notes for me, and… For you.

First things first, install chrome, & then I disable SELinux.

# Command line basic tools.
yum install nano terminator rsyslog
# install your MEAN stack developers stuff
yum install mongodb mongodb-server nodejs nginx npm git rubygem-compass
# install robomongo
yum install glibc.i686 libstdc++.i686
rpm -ivh robomongo_version.rpm
# install your super sweet grunt & yeoman globally install npm packages
npm install -g grunt-cli yo

Stegosaurus JS – A steganographic device

Last weekend I whipped together a toy steganography device called “Stegosaurus” [github] — it will take a PNG image, and using a (very very basic) steganography [wikipedia] algorithm stores a payload in the least significant bits of the color definition of pixels in an image. It’s a node.js module, and you can even install it with NPM.

Each year a friend of mine puts together a party where people stay for multiple days, and work on art projects at a farm in Vermont. I kept revisiting the wikipedia page over some months, and decided I’d make my own little steganography toy, and just hack it together as quick as possible. Some things need a little work, it’s conversion back and forth from binary

It could use a little improvement if anyone is interested in forking it! It needs some testing with binary files. It needs a way to store the length of the message. And ideally, it’d use a pre-shared key (maybe?) to allow you to both: A. define where the payload is hidden in the image, and B. actually encrypt the payload (which is, as of now, unencrypted). Which makes it so it doesn’t follow Kerckhoffs’s Principle [wikipedia].

…Unfortunately every single message is decoded as “Drink more ovaltine” [youtube] (…just kidding. it’ll do whatever message you want)
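
The least-significant-bit scheme described above, with the length header the post says is missing, as an added example (not Stegosaurus's own code). The 32-bit header layout, the function names and the raw RGBA buffer standing in for a decoded PNG are assumptions, and the payload is still unencrypted:

```javascript
// Added example, not Stegosaurus' own code. Assumed layout: a 32-bit
// big-endian length header, then the payload, one bit per R/G/B byte.
const HEADER_BITS = 32;

// Offset of the n-th colour channel in RGBA data (alpha is skipped).
function channelIndex(n) {
  return Math.floor(n / 3) * 4 + (n % 3);
}

function capacityBytes(pixels) {
  const channels = Math.floor(pixels.length / 4) * 3;
  return Math.max(0, Math.floor((channels - HEADER_BITS) / 8));
}

function embed(pixels, payload) {
  if (payload.length > capacityBytes(pixels)) {
    throw new RangeError('payload does not fit in the cover image');
  }
  const framed = Buffer.alloc(4 + payload.length);
  framed.writeUInt32BE(payload.length, 0);
  Buffer.from(payload).copy(framed, 4);
  const out = Uint8Array.from(pixels);
  for (let bit = 0; bit < framed.length * 8; bit++) {
    const value = (framed[bit >> 3] >> (7 - (bit & 7))) & 1;
    const idx = channelIndex(bit);
    out[idx] = (out[idx] & 0xfe) | value; // overwrite only the LSB
  }
  return out;
}

function readBytes(pixels, startBit, count) {
  const bytes = Buffer.alloc(count);
  for (let bit = 0; bit < count * 8; bit++) {
    const lsb = pixels[channelIndex(startBit + bit)] & 1;
    bytes[bit >> 3] |= lsb << (7 - (bit & 7));
  }
  return bytes;
}

function extract(pixels) {
  const length = readBytes(pixels, 0, 4).readUInt32BE(0);
  if (length > capacityBytes(pixels)) {
    throw new RangeError('length header exceeds capacity');
  }
  return readBytes(pixels, HEADER_BITS, length);
}

// Constructed 8x8 RGBA cover buffer (not a decoded PNG): 20-byte capacity.
const cover = new Uint8Array(8 * 8 * 4).fill(200);
const stego = embed(cover, Buffer.from('Drink more ovaltine'));
```

Because every changed byte differs from the cover by at most one, the image looks identical, but anyone who knows the layout can read the payload back, which is why the post wants a key and encryption on top.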


Decompressing gzipped data with Javascript

I found myself in a situation where I needed to work with gzipped files with javascript. In my case, they were gzipped ASCII text. I couldn’t find an exact recipe, however, I did find a really nice tip on stack exchange, which primarily led me to Mozilla’s javascript docs about working with binary data. This relies on the imaya/zlib.js project, which has a nicely packed up gunzip module.

Additionally, I’ve got it posted on PasteAll. (which is a wicked nice paste bin if you haven’t used it, simple, pretty, and run by a really good OSS guy.)

function loadCompressedASCIIFile(request_url) {
    var req = new XMLHttpRequest();
    // You gotta trick it into downloading binary.
    req.open('GET', request_url, false);
    req.overrideMimeType('text/plain; charset=x-user-defined');
    // Synchronous request: send() blocks until the response is in.
    req.send(null);
    // Check for any error....
    if (req.status != 200) {
        return '';
    }
    // Here's our raw binary.
    var rawfile = req.responseText;
    // Ok you gotta walk all the characters here, to remove the high-order values.
    // Create a byte array.
    var bytes = [];
    // Walk through each character in the stream.
    for (var fileidx = 0; fileidx < rawfile.length; fileidx++) {
        var abyte = rawfile.charCodeAt(fileidx) & 0xff;
        bytes.push(abyte);
    }
    // Instantiate our zlib object, and gunzip it.
    // Requires: the gunzip module from imaya/zlib.js
    // (remove the map instruction at the very end.)
    var gunzip = new Zlib.Gunzip(bytes);
    var plain = gunzip.decompress();
    // Now go ahead and create an ascii string from all those bytes.
    // Seeing we've just got a big ole byte buffer, but, not an ASCII file.
    var asciistring = "";
    for (var i = 0; i < plain.length; i++) {
        asciistring += String.fromCharCode(plain[i]);
    }
    return asciistring;
}




Node.js + Forever + Raspbian on Raspberry Pi: The Recipe

Another recipe here for you! Something I thought should be really quick that took me a while. I really like Forever — it’s a great way to get a daemon running with your Node.js project. It requires almost no extra work, and acts as a watchdog to restart your daemon, should it exit prematurely.

Summary: You can simply install Node.js from a binary (look for the pi version on the node.js distribution downloads). You’ll copy the binary distribution into /opt/node, and then you’ll set your path correctly and install Forever globally. The thing that tripped me up most, was the path. Having the path begin with the node directory is what made me wind up with success.

If you’re having this problem where you’re running Node.js and Forever on a Raspberry Pi, and you go to run Forever, and you get something like this:

Error: Cannot find module './daemon.v0.6.19'

There’s two things going on here, first — You probably want a newer version of node, which is easy enough to do. Let’s go ahead and install it from a binary package from

sudo mkdir /opt/node
cd /tmp
tar xvzf node-v0.10.2-linux-arm-pi.tar.gz
sudo cp -r node-v0.10.2-linux-arm-pi/* /opt/node

After you install it, edit your path by modifying /etc/profile

sudo nano /etc/profile

Go ahead and add these two lines before “export $PATH”


Log out and back in for it to take effect.

But, to install Forever globally, you’ll need to do it as root. I couldn’t get pure sudo to see the path properly to install, even with “sudo -E”, so I did a sudo su, changed my path, and then installed it. Then de-escalated my privileges back to pi (good practice, using sudo su is a stop-gap / work-around here, not a good habit).

sudo su
npm install forever -g

Now! You should be able to “run forever” (literally and figuratively, I guess!)

# print help text about forever
forever -h

Pidora + Node.js + i2c = Wewt.

So after fighting a lot with this HiPi perl module (which unapologetically says ‘if you don’t like that, don’t use it’), I decided… Maybe it wasn’t worth the long arduous time spent messing with CPAN modules. And, I’m fiddling with Pidora. So far it seems rather convenient for development.

NOTE! I didn’t have luck installing this with Node 0.10.5 — So I emailed the author of the i2c module. I recommend using 0.10.2.

So, having an interest in node.js, I found this i2c npm module! And all in all it’s simple.

Here’s a great over-view on how to get node up and running on your pi! (It also includes a nice little sys-v style init script, too)

tar -xzvf node-v0.10.5-linux-arm-pi.tar.gz 
mkdir /opt/node
cp -r node-v0.10.5-linux-arm-pi/* /opt/node/

And then add these lines to your /etc/profile

export PATH

Once that’s good to go, log out and back in (or reload your path, if you care to) and then we can install the one RPM we need from YUM and then npm install the module:

yum install gcc-c++
npm install i2c

I love my perl, but, this module was much less painful to install (including the fact that it took me like 90 minutes to compile the pre-reqs for LWP::Simple just to find out I’d have trouble installing HiPi! Node.js & i2c, here I come!)


Moment of Zen: Make a textual QR Code from the command line

[dude@talos werkkeys]$ yum install qrencode
[dude@talos werkkeys]$ qrencode -t utf8 "foobar"

Use it to:

  • Get plain text on your cell (remember: copy to clipboard, it’s not just for URLs)
  • Transfer a strong (and long) password from a terminal session
  • Get URLs from a remote terminal session
  • Impress the ladies. [optional?]

Raspberry Pi w/ Arch Linux: Static IPs the easy way

Disclaimer! …Might’ve been changes to the Arch Distro since I wrote this. I went back to it to try to replicate it, and… No luck. I wound up setting a static DHCP lease on my dd-wrt :(

So you want a static IP in your Arch distribution on your Raspberry Pi because you don’t wanna hunt down DHCP huh? Yeah, I don’t.

I used a variety of tutorials, but…. Nothing was easy. And almost all of them invariably make it so you have to log in once, first.

I like to change my network settings by pulling the SD card out and then changing the files — if I’m between locations with my Pi. I might carry it in my backpack and use it on up to 4 networks (home, studio, werk, and inevitably @ Laboratory B)

Well, take a stroll on easy street. The default configuration lives @ [I think! Chris thanks for pointing out that I had the wrong location in this post!!] /etc/network.d/interfaces/ethernet-eth0

If you can’t find the file there, go for a:

find /etc/. | grep -i "eth0"

Find this section and change it up (especially, uncomment it) to suit your network. Also, comment out the DHCP stuff, too (it’s up at the top)

## Change for static
DESCRIPTION='A basic static ethernet connection using iproute'
##ROUTES=(' via')

Boot, and enjoy.

Or if you’re already at the command line, go ahead and reset it with

[user@host]$ netcfg -r ethernet-eth0

Raspberry Pi Bluetooth w/ GBU321 — the solution.

Got yourself one of these? A GBU321, as recommended in the verified peripherals?

I didn’t have a cake walk. Namely, I kept running into an error like “hci0 command tx timeout” — and lots of flakiness. Sometimes my hci0 would come up in an up state, sometimes a down. Here’s my lsusb:

pi@raspberrypi ~ $ lsusb
Bus 001 Device 004: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)
Bus 001 Device 005: ID 0a5c:4502 Broadcom Corp. Keyboard (Boot Interface Subclass)
Bus 001 Device 006: ID 0a5c:4503 Broadcom Corp. Mouse (Boot Interface Subclass)
Bus 001 Device 007: ID 0a5c:2148 Broadcom Corp. BCM92046DG-CL1ROM Bluetooth 2.1 Adapter

I have what I believe to be the silver bullet. It appears that the Raspberry Pi Github has an issue listed that is what did the trick, for mine.

It appears that the issue might be with the USB speed negotiation. So, here’s a work-around: in your /boot/cmdline.txt, add “dwc_otg.speed=1” near the end. My entire line now looks like:

dwc_otg.lpm_enable=0 console=ttyAMA0,115200 kgdboc=ttyAMA0,115200 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline dwc_otg.speed=1 rootwait

To install up the requirements — I followed this method for a PS3 controller as recommended by a guy in this raspi forum post (which I mean to comment on: note to self!)

root@raspberrypi:~# apt-get install bluetooth
root@raspberrypi:~# apt-get install bluetooth --fix-missing
root@raspberrypi:~# reboot
root@raspberrypi:~# hciconfig -a
root@raspberrypi:~# hciconfig hci0 piscan
root@raspberrypi:~# bluez-simple-agent 
Agent registered
RequestConfirmation (/org/bluez/1824/hci0/dev_B0_D0_9C_58_XX_YY, 614348)
Confirm passkey (yes/no): yes
root@raspberrypi:~# bluez-test-device trusted B0:D0:9C:58:XX:YY yes

Asterisk + Zoiper on Android Sample Configuration, with IAX

Yep, the thing that really makes Zoiper worthwhile as a softphone is that you can use an IAX connection. Pretty nice.

I figured I’d post up my configuration in case any one else is looking for an example:

Here’s my /etc/asterisk/iax.conf

disallow=lpc10                  ; Icky sound quality...  Mr. Roboto.

And on my Zoiper softphone:

Account name: [arbitrary]
Host: [your hostname/ip/etc]
Username: theuser
Password: makeagoodsecret
Context: yourextensioncontext

I whiffed a good couple times trying to get it to work, it seemed to be a combo between A. not setting the context in Zoiper, and B. possibly having the wrong “type” (friend/peer/user) in the iax.conf section.
