omniverse theirix's Thoughts About Research and Development

How to make a network quarantine with firewalld

Surely this is not about reinventing the wheel, just a short how-to for commands I cannot remember every time.

Sometimes you need a fully quarantined machine with no incoming or outgoing network access at all, except for SSH from the local network. It can be achieved with a few firewalld / iptables commands.

RHEL 7 and CentOS 7 replaced a lot of well-known command line tools such as sysvinit, netstat and ifconfig with newer ones (systemctl, journalctl, ss and ip, respectively). Using iptables directly is not recommended either, because firewalld now owns the rule set. The best tutorial I found is the one at Digital Ocean. Native firewalld zones do not allow filtering of outgoing traffic, so you have to add "direct" rules, which are plain iptables rules passed through firewalld. There are also rich rules, but I have not tried them yet.

So let's assume your local network is 192.168.1.0/24. To limit outgoing traffic to IPv4 SSH connections within the local network, run as root (the first rule lets sshd answer sessions opened from the LAN, the second lets the box open SSH sessions to LAN hosts; everything else, including DNS, NTP and even loopback traffic, is dropped by the last two rules, so make the mask no wider than the real subnet - 192.168.1.0/16 would admit the whole of 192.168.0.0/16):

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --sport=22 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -p tcp -m tcp --dport=22 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 98 -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP

Then reload the firewalld:

firewall-cmd --reload

The rules are saved permanently in /etc/firewalld/direct.xml. Check the list of loaded rules:

firewall-cmd --direct --get-all-rules

To remove all direct rules run the following. Note the --permanent flag: without it only the runtime rules are removed and the next --reload restores them from direct.xml.

firewall-cmd --permanent --direct --remove-rules ipv4 filter OUTPUT
firewall-cmd --permanent --direct --remove-rules ipv6 filter OUTPUT
firewall-cmd --reload
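The whole procedure as one script, an added example that is not part of the original post. It tightens the rules above in two ways a practitioner would want: the SSH reply rule only matches ESTABLISHED connections (so a local process cannot simply bind source port 22 and talk to LAN hosts), and loopback output is accepted, because firewalld 0.3 on RHEL 7 puts no lo accept in the OUTPUT chain and the catch-all DROP would otherwise break local services. The LAN 192.168.1.0/24, port 22, the DRY_RUN variable and the show/apply/remove subcommands are assumptions of this example; the CIDR validator is there to catch mistakes like 192.168.1.0/255 before they reach iptables.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine a RHEL/CentOS 7 host
# with firewalld direct rules.  Assumptions: LAN is 192.168.1.0/24, SSH is on
# tcp/22, DRY_RUN=1 prints the firewall-cmd invocations instead of running them.
# Usage: sh quarantine.sh show | apply | remove   (apply/remove as root)
LAN="${LAN:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"

# Run a command, or only print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Reject malformed CIDRs such as 192.168.1.0/255: four octets 0-255, prefix 0-32.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    prefix="${1##*/}"
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs="$IFS"; IFS=.; set -- ${1%/*}; IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# The permanent direct rules.  Priorities order them inside OUTPUT_direct:
# accepts first, the catch-all DROPs last.
quarantine_rules() {
    valid_cidr "$LAN" || { echo "bad LAN cidr: $LAN" >&2; return 1; }
    # firewalld 0.3 has no loopback accept in OUTPUT; keep local services alive.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -o lo -j ACCEPT
    # Replies to SSH sessions opened from the LAN: ESTABLISHED only, so a local
    # process cannot bind source port 22 itself to reach LAN hosts.
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 \
        -p tcp --sport "$SSH_PORT" -d "$LAN" -m conntrack --ctstate ESTABLISHED -j ACCEPT
    # Outbound SSH to LAN hosts (drop this line for a strictly inbound-only box).
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 2 \
        -p tcp --dport "$SSH_PORT" -d "$LAN" -j ACCEPT
    # Everything else, in both address families.
    run firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 98 -j DROP
    run firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 99 -j DROP
}

# Remove the permanent rules; a plain --remove-rules without --permanent would
# only clear the runtime set and --reload would bring the rules straight back.
remove_rules() {
    run firewall-cmd --permanent --direct --remove-rules ipv4 filter OUTPUT
    run firewall-cmd --permanent --direct --remove-rules ipv6 filter OUTPUT
}

case "${1:-}" in
    show)   DRY_RUN=1; quarantine_rules ;;
    apply)  quarantine_rules && run firewall-cmd --reload && run firewall-cmd --direct --get-all-rules ;;
    remove) remove_rules && run firewall-cmd --reload ;;
esac
```

Run `sh quarantine.sh show` first to see the exact firewall-cmd lines, then `apply` as root; `firewall-cmd --direct --get-all-rules` at the end confirms what is actually loaded after the reload.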

UNIX way to live preview AsciiDoc

AsciiDoc is a nice markup language and I am slowly migrating my documents from various flavours of Markdown to AsciiDoc.

For converting I prefer Asciidoctor. The Ruby Asciidoctor implementation seems more robust and modern than the original Python implementation. I edit AsciiDoc documents in TextMate with the AsciiDoc-TextMate-2 plugin. It is a fork of a great plugin by mattneub, slightly modified for my needs (syntax, Asciidoctor support).

There are three ways to get an HTML page from the document:

  1. Launch a command to get a notes.html file:

     asciidoctor notes.adoc
    
  2. Use the Ctrl+Shift+H shortcut to regenerate the HTML from the current document.

  3. Use a live reload preview feature.

I love the idea of a live preview and I already use it in my LaTeX workflow.

The official documentation suggests several ways to track changes in the edited document and reload a browser. They seem a little complex and insecure to me (browser extensions), so I use a simple shell command:

fswatch -o notes.adoc | xargs -L1 sh -c "asciidoctor notes.adoc && chrome-cli reload"

The fswatch utility is a cross-platform wrapper around file-change notifications. With -o it batches events and prints one line per batch (the number of changed files), so xargs -L1 runs the command once per batch: asciidoctor regenerates the HTML and then chrome-cli (an AppleScript wrapper for Chrome) reloads the current tab. That is it. You launch the command in a shell only when you need it and terminate it with Ctrl+C.
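A slightly more careful version of that one-liner, added here as an example and not part of the original post or the plugin: it renders into a temporary file and only replaces the published HTML when asciidoctor succeeds, so a reload never shows a blank or half-written page, and the browser is reloaded only after a successful build. It assumes fswatch and asciidoctor are installed and that chrome-cli is the reloader; the CONVERT and RELOAD variables are an assumption of this example that lets you swap in another converter or browser tool (or a stub, as the test below does).

```shell
#!/bin/sh
# Added example (not from the original post): live preview for one AsciiDoc file.
# Assumptions: fswatch and asciidoctor are installed; CONVERT and RELOAD may be
# overridden to swap tools (defaults: asciidoctor, chrome-cli reload).
# Usage: sh preview.sh notes.adoc [notes.html]
CONVERT="${CONVERT:-asciidoctor}"
RELOAD="${RELOAD:-chrome-cli reload}"

# Render $1 into a temp file and publish it as $2 only if the converter
# succeeded, so the browser never reloads a half-written or empty page.
rebuild() {
    src="$1"; out="$2"
    tmp="$(mktemp "${out}.XXXXXX")" || return 1
    if $CONVERT -o "$tmp" "$src"; then
        mv -f "$tmp" "$out" && return 0
    fi
    rm -f "$tmp"
    echo "render of $src failed; keeping previous $out" >&2
    return 1
}

# One change: rebuild, then reload the browser only after a successful build.
on_change() {
    rebuild "$1" "$2" && $RELOAD
}

# Watch loop: fswatch -o prints one line per batch of events, so each line
# triggers exactly one rebuild no matter how many writes the editor made.
watch() {
    src="$1"; out="${2:-${1%.*}.html}"
    rebuild "$src" "$out"
    fswatch -o "$src" | while read -r _count; do on_change "$src" "$out"; done
}

[ $# -ge 1 ] && watch "$@"
```

Because the converter and reloader are plain commands, the same script works on Linux with a different RELOAD (any tool that can poke the browser), which is the portability problem the one-liner with chrome-cli has.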

The best approach might be active browser reloading from the TextMate plugin using the chrome-cli command, but that is not very portable between browsers. Unfortunately the built-in open command (an xdg-open analogue) knows nothing about browser internals and cannot reload a tab or even open the document in the current tab.