Archive for the ‘Thanks’ Category

Block Ads With pfSense

Saturday, September 4th, 2010


The Trouble

For the last little while I have been using pfSense as my firewall and I have been generally liking it. Nice balance between having features and being minimal. However, one of the things that has been bugging me about it is the fact that it can't block ad-sites using wildcards. You can add an individual host name to its DNS Forwarder Service, but you can't tell it to resolve all hostnames below a given domain. You can provide an authoritative DNS server for a given domain but that is not quite what I am looking for. So for example, if you want to block

server1.intellitxt.com
server2.intellitxt.com
server3.intellitxt.com

… you have to create individual entries for each one. And frankly, with a bunch of chumps like IntelliTXT you can be sure they'll have plenty of "hostnames" on their list. What's more is that I want to be able to have my list of "bAD sites" replicated to other firewalls that I control so that even if I go elsewhere I'll still be sheltered from that crap.

I haven't had shitloads of free time lately and as a result have not had time to go searching through the pfSense forums for answers… until yesterday. I found a post by some guy looking for generally the same thing but for different reasons. Then I found another post explaining that if you simply create a /usr/local/etc/dnsmasq.conf file you can throw in configuration directives as described at the dnsmasq website. So here is what to do…

The Steps

1. Log in to the pfSense web interface and enable sshd (under System -> Advanced)
2. SSH into the firewall

I don't like to leave sshd open by default, there are just too many douchebags constantly pounding on port 22 all the time. If you are managing your firewall from a Windows based machine you can SSH to it by using something like KiTTY or PuTTY. If you don't know how to SSH into your firewall you may want to consider buying a "hardware router" at your local computer shop.

3. pkg_add -r wget

The wget package will be used to download the list of crappy sites from a central distribution point. That way you just update the copy on your webserver and all routers you control will be updated.

4. mkdir /usr/local/etc/dnsmasq.d

Later on we will be telling dnsmasq that ALL files in this directory are to be considered config files. That way you can simply add another file if you want to configure dnsmasq for some other purpose (and keep your config files segregated by function).

5. vi /usr/local/bin/noads_update.sh

Use vi to create a small script that will update the "bad sites" list and then restart dnsmasq so that it will reload the new list.

#!/bin/sh
# Refresh the "bad sites" list, then restart dnsmasq so it reloads the list.
cd /usr/local/etc/dnsmasq.d || exit 1
# Download to a temporary name first so a failed download does not leave
# the firewall without a list (and dnsmasq restarted for nothing).
/usr/local/bin/wget -q -O ad_hosts.txt.new http://www.your-domain.com/ad_hosts.txt || { /bin/rm -f ad_hosts.txt.new; exit 1; }
/bin/mv ad_hosts.txt.new ad_hosts.txt
/usr/bin/killall dnsmasq
sleep 1   # give the old process a moment to release port 53
/usr/local/sbin/dnsmasq

NOTE: you will of course have to change the URL above to YOUR list of bad sites… you will want to make your ad_hosts.txt easily modifiable by you and readily downloadable by your firewalls.

6. chmod 755 noads_update.sh

Don't forget to make the script executable.

7. Logout of your SSH session
8. Return to the web interface and disable sshd

Seriously, people suck, just turn it off.

9. Add the cron package

Go to "System -> Packages" and add in cron, which will tell pfSense to run your little script every now and then.

10. Add a cron entry for /usr/local/bin/noads_update.sh to run as admin

You can run it as frequently as you wish though I would think that once a day is enough.

11. Create a new file: /usr/local/etc/dnsmasq.conf

Go to "Diagnostics -> Edit File" and first try to LOAD /usr/local/etc/dnsmasq.conf… it should not find anything, then add the following line and save it:

conf-dir=/usr/local/etc/dnsmasq.d

12. Restart the cron service from "Status -> Services" so it will reread its configs and will know that it is supposed to run your script.

A Little More Explanation

Now to some that might look a little scattered, so here is essentially what it all does. The /usr/local/etc/dnsmasq.conf file you added at the end is a dnsmasq config file; by adding conf-dir=/usr/local/etc/dnsmasq.d to it you are telling dnsmasq to look in the dnsmasq.d directory and treat [almost] all the files in there as further config files. The cron job you created automatically runs (once daily) the script you made, and the script just downloads a new copy of the list.

The List To Create

Okay, so what about the list? Well, you would create something like this (notice how wildcard entries start with a "dot"):

# This is a sample of my ad_hosts.txt file
# Start with wildcard entries
address=/.ad-flow.com/127.0.0.1
address=/.adbrite.com/127.0.0.1
address=/.addthis.com/127.0.0.1
address=/.addtoany.com/127.0.0.1
address=/.adsonar.com/127.0.0.1
address=/.adtechus.com/127.0.0.1
# And then individual host names
address=/adcounter.theglobeandmail.com/127.0.0.1
address=/adlog.com.com/127.0.0.1
address=/ads1.msn.com/127.0.0.1

Now you COULD add these entries for "bad servers" directly into the /usr/local/etc/dnsmasq.conf file, but by using the /usr/local/etc/dnsmasq.d directory to store your config files you can easily add another function to dnsmasq later on. Say, for example, that you had local network devices that are not very aware of things like DHCP and DNS. You could create another config file (and another script for cron to run) that has your

address=/printer.my-cool-domain.com/192.168.1.100
address=/ipod.my-cool-domain.com/192.168.1.101
address=/whatever.my-cool-domain.com/192.168.1.102

Now you would have one config file for blocking ad servers and another for resolving names of local "DNS unaware" devices.
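Since the firewall fetches ad_hosts.txt over plain HTTP and loads it straight into its resolver, a tampered or botched list could redirect any name you rely on. Here is an added Python example (not from the original post) that checks a list before it is published, meant to run wherever you maintain the file; ALLOWED_SINKS, PROTECTED_DOMAINS and the sample list are assumptions.

```python
import ipaddress
import re

# Sink addresses an entry may resolve to; anything else could be a live host
# serving whatever the list's author (or whoever tampered with it) wants.
ALLOWED_SINKS = {"127.0.0.1", "0.0.0.0"}
# Names the ad list must never shadow (assumed set; put your own domains here).
PROTECTED_DOMAINS = ("your-domain.com", "pfsense.org", "freebsd.org")

ENTRY_RE = re.compile(r"^address=/(?P<domain>[^/]*)/(?P<ip>[^/]*)$")
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_entry(domain, ip):
    """Return a reason string if an address= entry is unsafe, else None."""
    name = domain[1:] if domain.startswith(".") else domain  # ".x.com" = wildcard
    labels = name.split(".")
    if not name or not all(LABEL_RE.match(lab) for lab in labels):
        return "malformed domain %r" % domain
    if len(labels) < 2:
        return "too broad, would cover a whole TLD: %r" % domain
    try:
        if str(ipaddress.ip_address(ip)) not in ALLOWED_SINKS:
            return "sink %s not allowed for %s" % (ip, domain)
    except ValueError:
        return "invalid sink address %r" % ip
    for p in PROTECTED_DOMAINS:
        if name == p or name.endswith("." + p):
            return "entry %r covers protected domain %s" % (domain, p)
    return None


def validate_ad_hosts(text):
    """Check every line of an ad_hosts.txt; return [(lineno, reason)], empty if OK."""
    problems = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            problems.append((lineno, "not an address= line: %r" % line))
            continue
        reason = check_entry(m.group("domain"), m.group("ip"))
        if reason:
            problems.append((lineno, reason))
    return problems


# Constructed sample list (not the page's list); lines 4-6 should be rejected.
SAMPLE = """\
# wildcard entries start with a dot
address=/.ad-flow.com/127.0.0.1
address=/ads1.msn.com/127.0.0.1
address=/.com/127.0.0.1
address=/cdn.example.net/203.0.113.9
address=/.pfsense.org/127.0.0.1
"""

if __name__ == "__main__":
    for lineno, reason in validate_ad_hosts(SAMPLE):
        print("line %d: %s" % (lineno, reason))
```

Run it against the list before you copy it to the webserver; an empty result means every entry is a proper address= line pointing at an allowed sink.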

Additional Notes

I have chosen to resolve these names to 127.0.0.1 which is localhost, you could really use any IP address you wish (but of course you would want a fast webserver that shows nothing). Since most of my "surfing" is done from a Windows box, I like to use Homer Webserver on my Windows boxes to serve up a single transparent GIF file to all requests. That way the blocked sites are about as invisible as I can get them.

Personally I would like to find a better automated way to restart dnsmasq than using "killall dnsmasq" but I seem to be struggling on this one.

Even if you control some networks on which you do NOT use pfSense as your firewall, you can still use the same ad_hosts.txt file (assuming you are bright enough to be using dnsmasq for DNS on those networks).

hMailServer & SPAM Blocking

Tuesday, August 24th, 2010


So hMailServer is working out pretty good. As stated previously, I have a Windows 2000 (SP3) machine running hMailServer v5.x, and last night I got some nifty antispam shit set up. I found this sweet website that provides a DNS blacklist based on country of origin. Interesting you say eh? So what can you do with that? Well, here is how you can set up your hMailServer to disallow mail from selected countries. If you run different mail software let me first hope that it is not Exchange and then tell you that this may still help in concept.

1. First, you want to understand what a DNSBL is and how it works. Start by checking out the DNSBL page on Wikipedia and maybe this little tutorial. If you find yourself becoming concerned about the "criticisms" part of the wiki entry stop and think about it for a moment. The primary argument of DNSBL haters is that it serves as censorship. This is a crock of shit, the whole concept of free speech is that you can say whatever the fuck you want AND I also have the choice to not listen to your fucking crap. All DNSBLs do is provide people with a way to not listen to the free (and annoying) speech of spammers. DNSBLs are not censorship, they are about providing choice to the listener instead.

2. If you have decided that DNSBLs are for you, then you need to set up your mail server to use them. Now hMailServer comes with a couple of default DNSBLs that can simply be turned on. I personally use the spamhaus list but not the spamcop list on my server. To enable spamhaus (or spamcop), connect to your server with the hMailServer client and navigate through the left pane to Settings -> Anti-spam. By default v5.x should come with entries already listed for both. Just select enable and voila, it is ready to start evaluating crapmail.

Thumbnail of dnsbl1.jpg

Things to take note of are the "Expected Result" and the "Score". If the DNSBL server returns one of the IP addresses in "expected result" then "score" will be added to the message. Expected Result is a list of IP addresses separated by pipe symbols and score is an integer value (can also be negative). The scores that a message receives are then used to determine what action hMailServer will take on the message. Click on Anti-spam in the left pane to see the config settings for this.

Thumbnail of dnsbl2.jpg

As you can see, I have set my "spam mark threshold" to 1, which means that anytime an email scores 1 or higher, it will have headers added to it by hMailServer. My "spam delete threshold" is set to 20 (which my messages never reach) so hMailServer never deletes any of my spam, it simply marks it with headers. What do my headers look like as a result of these settings? Here's a sample from this morning…

Return-Path: androgen5@100straight.com
Received: from speedtouch.lan ([190.167.45.217]) by mail.snork.ca ; Tue, 24 Aug 2010 08:02:59 -0400
Received: from 190.167.45.217 by mail.100straight.com; Tue, 24 Aug 2010 14:02:56 +0100
Message-ID: <000d01cb4384$49dee6c0$6400a8c0@androgen5>
From: "Ethan Moreno" <androgen5@100straight.com>
To: <fakeaddress@snork.ca>
Subject: Ethan Moreno sent you a message on Facebook
Date: Tue, 24 Aug 2010 14:02:56 +0100
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0007_01CB4384.49DEE6C0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by Spamhaus. - (Score: 3)
X-hMailServer-Reason-Score: 3

Some people may think this is just a lot of crap, but it is really not that hard to understand once you get used to seeing information in this format. You'll notice that my mail server (mail.snork.ca) received a message from the IP address 190.167.45.217 and as it turns out, that address is listed in the spamhaus DNSBL. The last three lines of that header were put there by my mail server. They say that

1. YES it is spam because
2. the IP address is listed at spamhaus (which added 3 to its score)
3. giving the message a final score of 3

Other than that, the message is essentially unchanged. So how does that help? Well in my email client I set up rules that say "If X-hMailServer-Spam is YES, then move message to Spam Folder"… additionally I also set it to mark the message as read so I don't have to see an unread message count on my spam folder. Cool eh? But what about this blocking by country stuff? Well, if you do a quick lookup on the above IP address you'll see that it is from the Dominican Republic, which I am not blocking. Let's see how country blocking works:

1. Now that you know a bit about how hMailServer tags messages and how a DNSBL works, you can imagine how the DNSBL for countries works as well. The guy who runs http://countries.nerd.dk/ has set up a DNS server that will return a different IP address for your mail server's queries based on what country the sender is in. It does not evaluate whether the message has the word V1AgRA or R01EX, it does not evaluate whether or not that IP address has been caught sending spam previously, it does not evaluate anything other than where it is from. Individual mail administrators are able to use this information to block countries they do not wish to accept mail from.

2. In order to use this you need to first decide which countries you want to block. Start by going to Wikipedia and looking at the list of country codes and write down all of the two-letter codes of the countries you wish to block. Then go to the results list chart at countries.nerd.dk and record the corresponding IP addresses. I found that it was helpful to simply put a text file on my desktop that looks something like this:

CN 127.0.0.156
HK 127.0.1.88
KH 127.0.0.116
KP 127.0.1.152
RU 127.0.2.131
TW 127.0.0.158

… and so on. It is a good idea to keep this recorded in an accessible place so that later on, if someone gives you shit for blocking them, you can quickly check your country blocks (instead of trying to reverse lookup the chart).

3. Now that you have this list you can set up a new DNSBL service on your mail server. Go back to where you enabled spamhaus (Settings -> Anti-spam -> DNS Blacklists) and add a new blacklist. You'll want to set it up similar to the shot shown here:

Thumbnail of dnsbl3.jpg

The red arrow shows the address of the DNSBL which is zz.countries.nerd.dk, the blue arrow is where you put your list of IP addresses (separated by pipes), and the green arrow shows the score which is what will be added to the message if the country is on your block list. If you don't know what a pipe character is (you gotta seriously consider whether running a mail server is a good idea for you) it is what you get when you hold down SHIFT and press the backslash (\) key. It should look like a vertical line (Jesus I can't believe I just typed that).

Now that you have added this entry (and enabled it) you should start to see new headers and new scores in your email headers. Here's one that matched both of my DNSBLs:

Return-Path: disgraceful93@damowalsh.com
Received: from AIHWJTQU ([119.153.1.85]) by mail.snork.ca ; Mon, 23 Aug 2010 08:41:33 -0400
Return-path: <fakeaddress@snork.ca>
Received: from [119.153.1.85] (port=9969 helo=wasim386f00157) by
mailserver.damowalsh.com with asmtp id 0C5E2C-000745-48 for
<snork@snork.ca>; Mon, 23 Aug 2010 05:41:28 -0800
Message-ID: <337AB431D9244A4FA777CF49413FDF5C@wasim386f00157>
From: "Carlo Springer" <disgraceful93@damowalsh.com>
To: <fakeaderss@snork.ca>
Subject: Get a promotion at work after you get another diploma.
Date: Mon, 23 Aug 2010 05:41:28 -0800
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0005_01CB42C0.817C4470"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Windows Mail 6.0.6001.18000
X-MimeOLE: Produced By Microsoft MimeOLE V6.0.6001.18049
X-Spam: Not detected
X-Mras: Ok
X-hMailServer-Spam: YES
X-hMailServer-Reason-1: Rejected by country. - (Score: 2)
X-hMailServer-Reason-2: Rejected by Spamhaus. - (Score: 3)
X-hMailServer-Reason-Score: 5

Notice the new header that shows it was found in the country DNSBL as well? Turns out that IP address is in Pakistan which is on my list of countries to block. And notice that this message has scored a total of 5? If you have elevated trust in a particular country to not send spam you could create another DNSBL that would reduce the score. I am considering setting hMailServer to delete anything that achieves a score of 5 (on both blacklists) so that my mail client never even sees it. In the end, it is up to you the mail administrator to decide what scores are appropriate and which are not. Good luck with that.
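To make the scoring mechanics concrete, here is an added Python example (not part of the original post, and not hMailServer's code) that models how each list's Expected Result and Score combine under the mark and delete thresholds, including a negative-score "trusted country" list. The Spamhaus return codes, the CA country code, the 203.0.113.x sender addresses and the resolver answers are constructed for the demo; the CN and RU codes are the ones from the chart above.

```python
import ipaddress

# hMailServer-style DNSBL entries: the zone to query, the answers that count as
# a hit ("Expected Result", pipe-separated like the GUI field) and the score a
# hit adds. Expected values for Spamhaus and the CA code are assumptions for
# this example; the CN and RU codes are the ones in the chart above.
BLACKLISTS = [
    {"name": "Spamhaus", "zone": "zen.spamhaus.org",
     "expected": "127.0.0.2|127.0.0.3|127.0.0.4", "score": 3},
    {"name": "country", "zone": "zz.countries.nerd.dk",
     "expected": "127.0.0.156|127.0.2.131", "score": 2},
    {"name": "trusted country", "zone": "zz.countries.nerd.dk",
     "expected": "127.0.0.124", "score": -3},
]
SPAM_MARK_THRESHOLD = 1     # add headers at this score or above
SPAM_DELETE_THRESHOLD = 20  # drop the message at this score or above

# Constructed stand-in for real DNS answers so the demo runs offline; sender
# addresses come from the 203.0.113.0/24 documentation range.
FAKE_DNS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.2",
    "5.113.0.203.zz.countries.nerd.dk": "127.0.2.131",  # listed as RU
    "6.113.0.203.zz.countries.nerd.dk": "127.0.0.156",  # listed as CN
    "7.113.0.203.zz.countries.nerd.dk": "127.0.0.124",  # listed as CA (trusted)
}


def dnsbl_query_name(sender_ip, zone):
    """A DNSBL is asked for the sender's IPv4 octets reversed under its zone."""
    octets = str(ipaddress.IPv4Address(sender_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def score_message(sender_ip, blacklists=BLACKLISTS, lookup=FAKE_DNS.get,
                  mark=SPAM_MARK_THRESHOLD, delete=SPAM_DELETE_THRESHOLD):
    """Sum the scores of every list that hits and apply the two thresholds.

    Returns (action, total_score, headers); the headers are modelled on the
    X-hMailServer-* lines shown above and only appear once the mark threshold
    is reached.
    """
    reasons = []
    total = 0
    for bl in blacklists:
        answer = lookup(dnsbl_query_name(sender_ip, bl["zone"]))
        if answer is not None and answer in bl["expected"].split("|"):
            total += bl["score"]
            reasons.append("X-hMailServer-Reason-%d: Rejected by %s. - (Score: %d)"
                           % (len(reasons) + 1, bl["name"], bl["score"]))
    if total >= delete:
        action = "delete"
    elif total >= mark:
        action = "mark"
    else:
        action = "deliver"
    headers = []
    if action != "deliver":
        headers = (["X-hMailServer-Spam: YES"] + reasons
                   + ["X-hMailServer-Reason-Score: %d" % total])
    return action, total, headers


if __name__ == "__main__":
    for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"):
        action, total, headers = score_message(ip)
        print(ip, action, total)
        for h in headers:
            print("    " + h)
```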

MSN Messenger Sucks

Tuesday, August 17th, 2010


Some people like to use Instant Messages to communicate with others… and some like to use MSN Messenger or Windows Live Messenger or whatever Microsoft will decide to call it next week. Personally I'm not a big fan of Microsoft wanting to decide which software people use. It is just like the old IE anti-trust bullshit over and over again. There's nothing stopping people from using different clients and different services to accomplish the same goal (or better ones in some cases).

My IM client of choice these days is Miranda IM. It is pretty minimalistic and works just Jim Fucking Dandy to send IM messages. There are plenty of plugins for it to extend its abilities as well (though I don't like to load my Miranda installation with extra goodies). I have an old ICQ account that I use with Miranda and it has all the chatting ability I need.

If you don't like Miranda IM you can always find another client… there is tons of information on Wikipedia about IM clients.

Miranda IM logo

TeamSpeak 3 On Windows 2000

Monday, August 16th, 2010


So if you play video games on your PC then you may have heard of TeamSpeak. It is an application that lets groups of people carry on voice communications while playing games. Actually it could be used for ANY type of voice communication but they like to play up the gamer angle. On the TeamSpeak System Requirements page it clearly states that the server component is compatible with Windows 2000. This is not true.

It WILL work on Windows 2000 but it will not work using the native Windows 2000 DLL files. If you go to the TeamSpeak Forums and search for "Windows 2000" you'll see plenty of posts from people having all kinds of problems running it on Win2k. And if you read thoroughly enough you might even find this post which has a way of getting it to work (scroll down to the post by Arkan). Now I followed the instructions and got it to work just fine but I did find that collecting the required files was a pain in the ass (especially with the old version of IE that comes with Windows 2000). So I have decided to reproduce the information here and provide copies of the files so you won't have to go clicking all over banner-laden sites or waiting for non-premium downloads from pay sites.

1) Copy kernel32.dll, wtsapi32.dll, and ws2_32.dll from WINNT\system32 to TeamSpeak folder
2) Rename them to kernel32_ORG.dll, wtsapi32_ORG.dll, and ws2_32_ORG.dll
3) Place kernel32.dll, wtsapi32.dll, and ws2_32.dll in your TeamSpeak folder
4) Run ExcludeFromKnownDlls.reg if it's your first time using the wrapper.
5) Get Dbghelp.dll, unzip and put it in the same folder.
6) Get psapi.dll and put it in the same folder.
7) Run Teamspeak

If for any reason you are unable to download DLL or REG files then simply download this ZIP file with all of them in it.

I'll Be Pimpin'!

Sunday, August 15th, 2010


Tell me this ain't pimpin' daddy.

Samantha is wiggida wiggida whack Jack!


wpuntexturize?

Saturday, August 14th, 2010


Yeah, I got sick of Wordpress screwing with my quotes all the time! So I got THIS.

KOL Baby

Wednesday, July 28th, 2010


Through complete randomness today I found The Kingdom Of Loathing.

KOL - You acquire an item: Spooky Temple map

A Little Integrity?

Tuesday, June 22nd, 2010


Recently I sent out an email to my "blog subscribers" to tell them of the domain name change… I sent it via my Google Apps account but I used an email alias to send it. My real email address was disclosed in the email and that bothers me, I thought that was the whole idea of the fuckin email alias. As a result I have been considering bringing my email internal again and using something like SPF/PRA/SenderID/Whatever. Of course my thoughts were to make a Debian based server, possibly with Postfix and some other fun stuff like Dovecot. I ended up finding this article on Debian's position regarding Sender ID.

Thanks Debian… thank you for holding the position that my data should be mine, while the means by which I use it, should be free, available for use by all, and not subject to someone else's ownership.

Hook Line & Rapture – patcondell

Monday, June 7th, 2010


Sweet… gives me the warm and fuzzies.


Testing Out DDG

Friday, May 28th, 2010


This is a link to DuckDuckGo

Sometimes things bug me… OK, often things bug me. Google might be a decent search engine, but it just bugs me how they want to rule the world. They want to make people as dependent on them as possible and then that'll put them in a position to dole out the information the way they see fit. Most people don't give a shit, but then again… most people are complacent as all fucking hell and that's why our planet sucks donkey balls.

I occasionally look for a better engine, and today I ran across DuckDuckGo. Yeah the name is fucked up but it seems to work pretty well so far. I had some trouble integrating it into SeaMonkey though, seems that SeaMonkey sucks for adding in new search engines. Here's some tips:

1. Seriously, if you are not using SeaMonkey you're missing out. IE is a pig, FireFox has that craptastic bar, and Opera is out to lunch. Go get SeaMonkey.

2. You need to go to the searchplugins folder in your SeaMonkey directory and put in this little PNG file.

3. In that same directory, create a text file called iduckit.src and put the following crap in it

# Mozilla/Duckduckgo plug-in
#
# I just copied shit from the existing plugins and modified them to
# point me to duckduckgo.com instead.
# Last updated 2010-05-28 – Snorkasaurus

<search
name="DuckDuckGo"
description="DuckDuckGo Search Engine"
method="GET"
action="http://duckduckgo.com"
queryCharset="utf-8"
>

<input name="q" user>
<inputnext name="page" factor="1">
<inputprev>

<interpret
browserResultType="result"
charset="utf-8"
resultListStart='<html>'
resultListEnd='</html>'
resultItemStart='class="L4"'
resultItemEnd='class="T1"'
>

</search>

4. Open SeaMonkey and go to Edit -> Preferences. Under the Browser section you'll see an entry for Internet Search. There is where you can select DuckDuckGo as your default search engine.

5. Open SeaMonkey and go to the URL about:config. This may give you a warning telling you to be careful. This URL shows you a whack of configuration options for SeaMonkey. In the search bar at the top you should type in browser.search.defaulturl. You should see only 1 entry, and you should double click on that entry so you can change it to say http://duckduckgo.com/?q=.

6. Now type keyword.URL in the search bar and change that one to http://duckduckgo.com/?q= as well.

Now go use DuckDuckGo and see how you like it eh.

This Free Phone Line Thing Rocks

Tuesday, May 18th, 2010


So on the advice of a couple of people, I went to FreePhoneLine.ca and signed up for a free line. It turned out to be pretty bitchin' I think. Here's the deal… you give them a regular phone number to call you at and register for a free line. At the end of registration it gives you an email with a 3 digit code. You login to their website and click the "call me" button which of course gets their system to call you. Punch in the 3 digit code and you now have a phone line that can be used with their software. It includes free calling to a number of cities across Canada and does not require payment of any kind.

What's the catch? None really… if you want to pay for SIP credentials (so you can use regular phones instead of their softphone) it is $50, if you want to buy an ATA off them it is $79, and if you want to port your current number to them it is $20. I wouldn't really call any of those "catches" though. If you need long distance service because you make calls to places that are not on the list, you can get unlimited Canadian calling for $4 a month and unlimited to 50 countries for $14 a month. Now that has gotta beat Bell eh?

http://en.wikipedia.org/wiki/Analog_telephony_adapter

Woody's Pit Stop

Thursday, April 29th, 2010


I had to go to Perth today to pick up my bike… on the way home I was a little hungry so I pulled over at Woody's Pit Stop for some fries. The service was great and so were the fries. The parking lot even included a long stripe to accommodate people pulling trailers or driving long RVs. Next time I pass by there I think I am gonna have to try a poutine for sure! They don't have a website but you'll find them right on HWY7 just west of Carleton Place (just before the Innisville bridge over Mississippi Lake).

Yeah baby!