
iptables conntrack contexts

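On a heavily loaded iptables gateway, when fine-tuning the ip_conntrack_max value (with sysctl), it can be useful to know how many conntrack contexts are in use.

Here is a way (the first field of the second line of /proc/net/stat/ip_conntrack is the entry count in hexadecimal, which bc converts to decimal) :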

awk 'FNR==2 { print "ibase=16;"toupper($1) }' /proc/net/stat/ip_conntrack | bc


smtp-source

To test or benchmark your postfix server, you can send e-mails with a program included in the package : smtp-source.

It is easier than writing a script using tools like the mail command.

A brief example :

smtp-source \
-s10 -l1024 -m20 -c -M "anti.solit.ude" \
-S "You are not alone" -f ican@help.you -t local_part@domain.tld \
-4 127.0.0.1:25

  • -s 10 : 10 sessions at a time
  • -l 1024 : 1024 bytes length
  • -m 20 : 20 messages count
  • -M : followed by the hostname
  • -S : followed by the subject
  • -f : followed by the From: header
  • -t : followed by the To: header
  • -4 : using IPv4
  • 127.0.0.1:25 : the host:port to connect to

Galaxy S wifi 5.0

Hello in there, it has been a long time since I last wrote something.

And this time, it’ll be kind of “special”, not unix related.
Just a memo about my fresh experience with my new Android toy.
I should have done that for the previous ones too :
Nokia N800 & Nokia N810 (OK, these are not running Android, but they were precursors with a somewhat better way in mind, called Maemo)
HTC Magic, HTC Hero, HTC Legend, HTC Desire : now I’m no longer an HTC fan.
Archos 5 IT, Archos 70 IT : French pride, OK their products are cheap
ZTE Blade : Chinese pride, OK their products are cheap
Motorola Defy : I like its form factor and I wanted a TI OMAP SoC (with Imagination SGX graphics like the iPhone) instead of the Qualcomm that equipped HTC and other brands, but I somehow missed the AMOLED screen; sometimes (shiny times) it’s a pain to read on this LCD.

Of course, every time I buy (second hand) an Android toy, the main purpose is to get rid of the software package (locked firmware) provided.
The main steps people try to achieve are : rooting and bootloader unlocking.

Why on earth do we need to root Android (yes, it’s potentially dangerous) ?
Like with the jailbreak of Apple’s iDevices, you will be able to get more features.
A few examples : Titanium Backup (backup of apps and their settings, including system apps) and overclock/downclock (setcpu, setvsel…) require root.

Why do we need a new bootloader ?
ClockWorkMod, the most popular one, will give you the ability to (not exhaustive) : save everything (ROM + all data) in an archive on the SD card and restore it later.
You can also do some special tricks like : wipe all, wipe cache partition, wipe dalvik cache, wipe battery stats…

So, that is, I needed (or I like to spend my time fighting with new toys) root and ClockWorkMod on my new Samsung Galaxy S wifi 5.0 (aka Samsung Galaxy S Player 5 in the USA).

I bought it refurbished from Pixmania and at the first run (Android initialisation), it offered me only US, UK and some weird languages.
I think that is because it came from another part of the world.
Samsung distributes different firmwares depending on the sales region.

Neither an Over-The-Air (OTA) update nor an update via Kies provided me with the French language.
It’s not a real problem for the UI but I prefer to get French because the contents of the Market (renamed to Play Store now) differ, it’s not handy to write French with the English keyboard, and you won’t have suggestions because of the dictionary.
OK, I know I can install some 3rd party keyboards, actually I’ve used some (SmartKeyboard, PerfectKeyboard, Adaptxt, GO keyboard…)… but I WANTED to play with my new toy ! :)

Some steps/requirements :

  • Samsung Kies and the drivers : the adb drivers are required for acting on the dark side. Kies is just crappy, on par with iTunes, I just installed it to make my own judgement…
  • read pages on XDA and some other dedicated forums/web pages.
  • after reading these users’/developers’ contributions, some tools seem to be useful :
  • Odin : this Windows software will help you to push software to your Samsung devices. You may do the same tricks with adb commands (provided by the Android SDK)
    I used version 1.85 for my tests
  • some exploits to get root : zergRush and SuperOneClick (it uses zergRush for this device, it just provides a UI for novices)
  • some kernels and custom ROMs (like the well known CyanogenMod of course and MIUI)

For now, this is the state of this hacking :

  • zergRush v4 (the latest one) is able to root (install the superuser apk on) this device (YP-G70CW) only with some firmwares.
    I successfully used it when I downgraded to the official FroYo (2.2.2) ROM : G70XXKD6-REV00-PDA-low-CL1001984
    and with the Chinese/Korean Gingerbread (2.3.6) official ROM : G70ZCKP9
    but it wasn’t able to root the latest (March 2012) INTL Gingerbread (2.3.6) version : YP-G70_XET_G70XXKPH_G70XXKPH_G70XXKPH
  • Odin is very useful, I had bricked my new toy and it saved my life
  • boot time button shortcuts :
    holding VolumeUP+power and then releasing Power when the Samsung logo appears will bring up the official recovery (Android System Recovery 3e). You will be able to wipe all/factory reset with that tool
    hold VolumeDOWN+home+power to get into “Downloading” mode. This mode will allow you to push some software (firmware, kernels, addons…) with Odin or other methods.
  • patching Rumirand’s kernel r14 (well known as rj’s kernel) will provide you with ClockWorkMod in place of ASR 3e. I patched it over the official INTL 2.3.6 ROM
  • CyanogenMod 7 (CM7) is not final (RC1) and has some bugs : no backlight on the buttons (you’ll have to change the screen’s backlight to get it to work), the camcorder (video recorder) doesn’t work and the icons of the apps launcher are really crappy (no antialiasing)…
    CM7 is Gingerbread (2.3.7) based.
  • CyanogenMod 9 (CM9) is at beta stage : I had to apply a patch (noisyfox’s one) to get my buttons working. It is very cute and smooth compared to CM7 but I cannot keep it on my device at this time.
    CM9 is based on Ice Cream Sandwich (ICS), the latest Android, provided only with the latest devices (starting with the Google Galaxy Nexus).
    Why ? Because hardware video decoders are not yet supported.
    I tried to play some 720p videos dumped from YouTube (with TubeMate) and MX player wasn’t able to switch to HW mode (software mode is really bad).

So, while waiting for CyanogenMod enhancements (all my other Android toys, except the Archos ones, run CyanogenMod), I use this device with Official 2.3.6 and rumirand’s kernel.

There is a bug : while plugged into the computer with a USB cable, if I shut it down (the PMP, not the computer), it will boot loop; I have to disconnect it.

Special keyboard codes :

  • confirm the newly installed firmware : *#1234#
  • full factory reset : *2767*3855#

Credits go to : http://androidromupdate.com/2012/03/20/how-to-flashinstall-g70xxkph-android-2-3-6-firmware-update-for-samsung-galaxy-player-5-0-wi-fi/


cisco mac to unix mac with Vim

Suppose you have Cisco MAC addresses like these :

0011.432A.E9EB
000D.5684.8F8A
000B.DB73.5681
000B.DB73.535C
000D.567E.D2A5
000D.567E.F8A6
000B.DB73.5490
000D.567E.C7B8
000D.567F.304A
0011.432A.F0A5
000F.1FE6.D90F
000B.DB73.49FA
000D.567F.30AD
000D.567E.D173
000D.567F.2E5B

and would like to convert them :

:%s/\.//g
:%s/\([0-9A-F]\{2\}\)\([0-9A-F]\{2\}\)\([0-9A-F]\{2\}\)\([0-9A-F]\{2\}\)\([0-9A-F]\{2\}\)\([0-9A-F]\{2\}\)/\1:\2:\3:\4:\5:\6/g

you then obtain :

00:11:43:2A:E9:EB
00:0D:56:84:8F:8A
00:0B:DB:73:56:81
00:0B:DB:73:53:5C
00:0D:56:7E:D2:A5
00:0D:56:7E:F8:A6
00:0B:DB:73:54:90
00:0D:56:7E:C7:B8
00:0D:56:7F:30:4A
00:11:43:2A:F0:A5
00:0F:1F:E6:D9:0F
00:0B:DB:73:49:FA
00:0D:56:7F:30:AD
00:0D:56:7E:D1:73
00:0D:56:7F:2E:5B


claws-mail reply model

Tired of Mozilla Thunderbird, I’m testing (more deeply this time) claws-mail.

One fun feature is the template (model) writing script (see settings).
Here is my reply-model script :

%cursor

%account_sig

(i) en réponse au message de %fullname (%email),
(i) du %date_fmt{%d/%m/%Y} à %date_fmt{%H:%M}, ?s{intitulé "%subject", } !s{sans sujet (!)}
(i) adressé à : %to
?c{(i) en copie à : %cc \n}?i{(i) message id : %messageid }

%quoted_msg_no_sig


[find] using -regextype

I don’t know about you.

But for me it’s a pain to escape special chars like that :

[survietamine@desktop omsa-live]$ find -iregex '.*\(contact\|dset\).*'
./DSET_Report_for_Centrapel[localhost.localdomain-SvcTag-16H3F4J-PER710].zip
./data/tmpreport/dsetinfo.xml
./data/xml/oma/docs/dset.css
./data/linux/dsetmemory
./data/linux/dsetboot
./data/linux/xml/dsetboot.xml
./data/linux/xml/dsetmemory.xml
./data/linux/xml/dsetnetwork.xml
./data/linux/xml/dsetmodules.xml
./data/linux/xml/dsetstorage.xml
./data/linux/dsetnetwork
./data/linux/dsetstorage
./data/linux/dsetmodules
./data/dell/DSET
./data/dell/DSET/dsetinfo.log
./data/dell/DSET/omsaliteinstall.log
./data/dell/DSET/omsaload.log
./data/dell/DSET/CDDVDDeviceEnumerator.log
./data/dell/DSET/IdeDevDiagEnumeration.log
./data/dell/DSET/SysReader.log
./data/dell/DSET/ScsiDevDiagEnumeration.log
./gui/contactinfo.htm
./gui/dset.css
./gui/images/productname-dset.gif
./gui/dsetreport.hta
./dsetreport.hta

So, I think it’s better to set an alias that adds ‘-regextype posix-extended’ (or whatever extended regexp flavour you prefer), to be able to write it like this :

[survietamine@desktop omsa-live]$ find -regextype posix-extended -iregex '.*(contact|dset).*'
./DSET_Report_for_Centrapel[localhost.localdomain-SvcTag-16H3F4J-PER710].zip
./data/tmpreport/dsetinfo.xml
./data/xml/oma/docs/dset.css
./data/linux/dsetmemory
./data/linux/dsetboot
./data/linux/xml/dsetboot.xml
./data/linux/xml/dsetmemory.xml
./data/linux/xml/dsetnetwork.xml
./data/linux/xml/dsetmodules.xml
./data/linux/xml/dsetstorage.xml
./data/linux/dsetnetwork
./data/linux/dsetstorage
./data/linux/dsetmodules
./data/dell/DSET
./data/dell/DSET/dsetinfo.log
./data/dell/DSET/omsaliteinstall.log
./data/dell/DSET/omsaload.log
./data/dell/DSET/CDDVDDeviceEnumerator.log
./data/dell/DSET/IdeDevDiagEnumeration.log
./data/dell/DSET/SysReader.log
./data/dell/DSET/ScsiDevDiagEnumeration.log
./gui/contactinfo.htm
./gui/dset.css
./gui/images/productname-dset.gif
./gui/dsetreport.hta
./dsetreport.hta


[imageMagick] easy resize of images with ratio keeping

ImageMagick is a real Swiss Army knife for people who want to manipulate pictures.
In this post, I’ll only give an easy way to resize an image and keep its proportions.

Suppose you have a nice wallpaper (e.g. downloaded from the Vlad Studio site) on your “full HD” screen (OK, now I’m supposed to say “hd 1080p”…), and your girlfriend wants it on her laptop, whose resolution is 1440x900.

Consider these assertions :
1920x1080 is the TV/cinema (16/9) format (now imported to most computer monitors)
1440x900 is a computer format (16/10)

Their ratios are :
16/9 (or 1920/1080) : 1.77777777777777777777
16/10 (or 1440/900, 1280/800, 1920/1200) : 1.6

In this example, I’ll only use 2 ImageMagick commands (see the documentation for more) :

syntax : convert image_src -resize geometry image_dst

example :
[survietamine@desktop Downloads]$ identify vladstudio_atlantis_docking_1920x1080.jpg
vladstudio_atlantis_docking_1920x1080.jpg JPEG 1920x1080 1920x1080+0+0 8-bit DirectClass 529KB 0.000u 0:00.000

[survietamine@desktop Downloads]$ echo '1920/1080' | bc -l
1.77777777777777777777

[survietamine@desktop Downloads]$ convert vladstudio_atlantis_docking_1920x1080.jpg -resize 1440 vladstudio_atlantis_docking_1440.jpg

[survietamine@desktop Downloads]$ identify vladstudio_atlantis_docking_1440.jpg
vladstudio_atlantis_docking_1440.jpg JPEG 1440x810 1440x810+0+0 8-bit DirectClass 351KB 0.000u 0:00.000

[survietamine@desktop Downloads]$ echo '1440/810' | bc -l
1.77777777777777777777

For more information about the ‘geometry’ section of ImageMagick :
http://www.imagemagick.org/script/command-line-processing.php?#geometry


chmod +X

For those who already know well how to change permissions, this memo won’t be useful.
Maybe it can be useful to some others.

umask is generally set to 022.
This mask is applied every time you create files and directories.

For directories, umask is combined with the maximum permissions 0777 :
0777 - 022 = 755 (rwxr-xr-x)
For files, umask is combined with 0666 :
0666 - 022 = 644 (rw-r--r--)

You can change the umask value for 1 user or for the whole system.

But sometimes you don’t want to do that and need to set permissions for only 1 directory.

Example :
Suppose you (leader of a project) have 1 directory with the normal 755.
Now you want to share it with your team, so you want to put it on some share.
On the share, you now want 750 for directories and 640 for files.

So you start with something like this :
drwxr-xr-x leader team  15 oct.  2009 /some/common/directory

You want : the group (team) to be able to read files and directories under /some/common/directory

By doing : chmod -R g+r /some/common/directory
All files will be readable by the group (team).
But the problem is that directories need the ‘x’ bit to be accessed.
If you do : chmod -R g+x /some/common/directory
You’ll set ‘x’ for files and directories.

Before starting to write a script based on `find -type d`, have a look at `chmod +X` (capital X), which asks chmod to set ‘x’ only where needed.
It will set ‘x’ only for directories.
So, for our case, something like this :
chmod -R go-rx /some/common/directory
chmod -R g+rX /some/common/directory
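
The two recipes compared on a throwaway tree, as an added example that is not part of the original post (the tree and the function names are constructed). It also shows a detail of capital X: a file that already has an execute bit for its owner receives the group 'x' too, so the audit function lists what the group can execute afterwards.

```shell
#!/bin/sh
# Added example: constructed tree, not from the original post.

# Print the octal mode of a path (GNU stat, with a BSD fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a throwaway project tree with the "normal" 755/644 modes plus one
# script that is already executable. Prints the root of the temporary tree.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/proj/docs"
    echo 'meeting notes' > "$root/proj/docs/notes.txt"
    printf '#!/bin/sh\necho build\n' > "$root/proj/build.sh"
    chmod 755 "$root/proj" "$root/proj/docs" "$root/proj/build.sh"
    chmod 644 "$root/proj/docs/notes.txt"
    echo "$root"
}

# Recipe from the text: strip group/other access, then give the group
# read everywhere and 'x' only where capital X allows it.
share_capital_x() {
    chmod -R go-rx "$1" && chmod -R g+rX "$1"
}

# The naive variant the text warns about: lowercase x hits every file.
share_lowercase_x() {
    chmod -R go-rx "$1" && chmod -R g+rx "$1"
}

# Audit: regular files the group can execute (octal 010 is the group x bit).
group_exec_files() {
    ( cd "$1" && find . -type f -perm -010 | LC_ALL=C sort )
}

# Apply one recipe to a fresh tree and print "mode path" for each entry.
run_case() {
    t=$(make_tree) || return 1
    "$1" "$t/proj"
    for p in proj proj/docs proj/docs/notes.txt proj/build.sh; do
        printf '%s %s\n' "$(mode_of "$t/$p")" "$p"
    done
    rm -rf "$t"
}

echo '== chmod -R g+rx =='; run_case share_lowercase_x
echo '== chmod -R g+rX =='; run_case share_capital_x
```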


[proxy] SSL interception using squid

In this article, I’ll show you how to configure Squid to act as a ‘man-in-the-middle’ on HTTPS connections.
If you’re not doing that only for yourself (e.g. for your company/association), you MUST tell people about it; otherwise it is ILLEGAL.

credits : to achieve this, I mainly read this documentation (but I have not yet implemented dynamic certificate generation) :
http://wiki.squid-cache.org/Features/DynamicSslCert

The normal behaviour of a proxy when serving HTTPS sites is not to act as an intermediary for the content.
The connection between the web site and the client is direct.

The only thing you can see in the logs (access.log) is the IP/FQDN address with the CONNECT method (instead of GET/POST) :
1293606062.453    188 192.168.0.1 TCP_MISS/200 5595 CONNECT secured.site.org:443 - DIRECT/12.34.56.78 -


As Squid doesn’t know the URL, you can only write ACLs that match on the domain (e.g. dstdomain) or the IP address.

If, for some reason, you need to allow an HTTPS site (domain/IP) but want to forbid a URL on it, this can be done with Squid’s ssl-bump feature.

  • installation :
    As this is not normal behaviour and you break the trust in SSL by doing this, many distros don’t provide this feature in their binary packages.
    If you are running a Debian-based distro, you’ll need to get the Squid sources and compile them with the '--enable-ssl' option.
    For now, I personally gave up on Debian/Ubuntu for this Squid MITM install and did it with Arch Linux, where it works like a charm.

  • self-signed certificate (PEM format) generation :
    openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout www.yourcompany.com.pem -out www.yourcompany.com.pem

  • if needed, you can generate the certificate to import into browsers (to avoid the warnings about the security breach) :
    openssl x509 -in www.yourcompany.com.pem -outform DER -out www.yourcompany.com.der

  • Squid configuration (squid.conf) :
    I post here only important parts.

    acl …
    acl …
    # you must have CONNECT acl
    acl CONNECT method CONNECT

    acl clientsboxes dstdomain www.secure.clientsboxes.com
    acl nationalbank dstdomain www.nationalbank.biz

    # write some ACL to test URL filter on HTTPS (interception)
    acl rebootbox url_regex ^https://www.secure.clientsboxes.com/path/*to/*reboot/*servers

    acl dropaccount url_regex ^https://www.nationalbank.biz/*showmethemoney/*dropthisaccount

    # maybe not in the future, but we need this :
    always_direct allow all

    # permissions sections (allow / deny)
    http_access allow…
    http_access allow…
    http_access allow…
    http_access deny …
    http_access deny …
    http_access deny …

    # some sites need this :
    sslproxy_cert_error allow nationalbank
    #sslproxy_flags DONT_VERIFY_PEER


    # ssl_bump means that you want to intercept (MITM) this SSL connection
    ssl_bump allow clientsboxes
    ssl_bump allow nationalbank

    # and we don’t want to intercept others SSL sites :

    ssl_bump deny all


    # now, you can tell Squid you want to forbid these HTTPS URLs :
    http_access deny rebootbox
    http_access deny dropaccount

    http_access allow localnet
    http_access allow localhost

    http_access deny all

    # tell Squid you want to intercept SSL
    # /!\ SSL interception is not compatible with transparent proxy
    # so DON’T write here ‘intercept’ (new name for ‘transparent’)
    http_port 3128 ssl-bump cert=/path/to/your/self-signed/cert/www.yourcompany.com.pem

Now, you’ll see full URLs in the logs and URL-based ACLs will be operational.
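
A quick way to check from access.log which destinations are actually being decrypted and which are only tunnelled, as an added example that is not part of the original post. The log lines are constructed, modelled on the CONNECT line shown earlier and on the ACL host names of the configuration, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): summarise a Squid native-format
# access.log per HTTPS destination. Field 4 is result/status, field 6 the
# method, field 7 the URL.

# Constructed sample: one site that is only tunnelled, one that is bumped.
sample_log() {
cat <<'EOF'
1293606062.453    188 192.168.0.1 TCP_MISS/200 5595 CONNECT secured.site.org:443 - DIRECT/12.34.56.78 -
1293606070.101     95 192.168.0.1 TCP_MISS/200 0 CONNECT www.nationalbank.biz:443 - DIRECT/12.34.56.79 -
1293606070.250    140 192.168.0.1 TCP_MISS/200 2310 GET https://www.nationalbank.biz/login - DIRECT/12.34.56.79 text/html
1293606075.900      1 192.168.0.1 TCP_DENIED/403 1420 GET https://www.nationalbank.biz/showmethemoney/dropthisaccount - NONE/- text/html
EOF
}

# Read a log on stdin and print one line per destination host:
#   host verdict connect=N bumped=N denied=N
# "tunnel-only" means only CONNECT entries were seen (no URL visible),
# "intercepted" means full https:// URLs were logged for that host.
squid_tls_summary() {
    awk '
    $6 == "CONNECT" {                 # URL field is host:port, no path
        host = $7; sub(/:[0-9]+$/, "", host)
        connect[host]++; seen[host] = 1; next
    }
    $7 ~ /^https:\/\// {              # full URL logged: request was decrypted
        host = $7; sub(/^https:\/\//, "", host); sub(/[\/:].*$/, "", host)
        bumped[host]++; seen[host] = 1
        if ($4 ~ /^TCP_DENIED\//) denied[host]++
    }
    END {
        for (h in seen) {
            verdict = (bumped[h] > 0) ? "intercepted" : "tunnel-only"
            printf "%s %s connect=%d bumped=%d denied=%d\n",
                   h, verdict, connect[h], bumped[h], denied[h]
        }
    }' | LC_ALL=C sort
}

sample_log | squid_tls_summary
```

Any host reported as intercepted that is not covered by an `ssl_bump allow` rule means the `ssl_bump deny all` line is not doing its job.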


web coding basics : REST

I see so many dirty apps and ERPs with their own ways to write/exchange data ;
so if I can advise coders to re-read this article about REST regularly before writing their crappy code [hope… ]

http://tomayko.com/writings/rest-to-my-wife

Several translations are available; below, the one for French people :
http://www.pompage.net/pompe/comment-j-ai-explique-rest-a-ma-femme/


hard disk data recovery

Recently, I had to recover data from a defective hard drive.

Information on this page helped me : https://help.ubuntu.com/community/DataRecovery

So, this is a memo (in case the source page disappears) :

  • if your partition table is broken, try to fix it with tools like : testdisk, ntfsfix (ntfsprogs package)
  • install ddrescue (on Debian based) :
    apt-get install gddrescue

    ddrescue is able to build an image file of your disk/partition

  • try to recover the maximum amount of data, the fastest way possible :
    ddrescue --no-split /dev/hda1 imagefile logfile

  • you can ask ddrescue to retry (3 times here) :
    ddrescue --direct --max-retries=3 /dev/hda1 imagefile logfile

  • you want more (retrim = reread full sector) ?
    ddrescue --direct --retrim --max-retries=3 /dev/hda1 imagefile logfile

  • now, you can install foremost
    This tool will be able to read your image file to recover files and store them by mime-type (extension) : pdf, xls, xlsx, doc, docx…
    foremost can do partition to partition recovery and partition to directory recovery
    Equivalents to foremost : magicrescue, photorec, scalpel

  • ask foremost to rebuild files :
    mkdir -p /mnt/recovery/foremost
    foremost -i image -o /mnt/recovery/foremost

    of course, the destination of the recovered files must not be on the junk drive !

[ssh] remove hash for a host

When connecting to a new host, the corresponding RSA fingerprint shows up and you are prompted to add it.

This hash is checked every time you connect to the host.
If this hash has changed (OS reinstall, server upgrade/switch…), a warning is displayed and you are not able to connect to the host.

OK, you can delete the line by editing the ~/.ssh/known_hosts file.
But the proper way is the following, via the ssh-keygen command :

[survietamine@mybox ]$ ssh-keygen -R remoteHost
/home/survietamine/.ssh/known_hosts updated.
Original contents retained as /home/survietamine/.ssh/known_hosts.old


[archlinux] VirtualBox post-installation steps

This is printed after the installation of the virtualbox-sun package.
So, if you prefer virtualbox-ose (Open Source Edition) since Sun is now a part of Oracle, check these points :

>>> NOTE:
>>>  - Run "sudo /etc/rc.d/vboxdrv setup", every time your kernel is upgraded,
>>>    to compile virtualbox driver modules for a new kernel version.
>>>  - Add your users to the vboxusers group:
>>>      gpasswd -a USERNAME vboxusers
>>>  - Customize your "/etc/conf.d/vboxdrv"; usually, defaults are OK.
>>>  - Add "vboxdrv" to DAEMONS array in your "/etc/rc.conf", if needed.
>>>  - If USB does not work for you out-of-the-box, add the following line
>>>    to your "/etc/fstab":
none /proc/bus/usb usbfs auto,busgid=108,busmode=0775,devgid=108,devmode=0664 0 0
Dépendances optionnelles pour virtualbox-sun
    dkms: for building and loading VirtualBox modules
    qt: for Oracle VirtualBox QT4 GUI on X-Window System
    sdl: for Oracle VBoxSDL and VirtualBox GUI on console
    vfuse: for mounting VBox (VDI/VMDK/VHD) disk images


clonezilla-live config

  • unlike Microsoft Windows, installations of unix-like systems such as BSD or GNU/Linux need only a few GB
  • USB sticks of 8 GB and more are now really cheap
  • yes, clonezilla is fine
  • yes, the clonezilla server version is very fine
  • but sometimes it’s pretty fine too to be able to back up and restore system disk/partition images from only 1 USB stick.
  • so let’s go

As I spent some time on this project, I wrote a memo here about configuring “clonezilla live” on a USB stick

Here are the few important highlights; in the near future, I’ll post a complete version with all the commands :

  1. create the clonezilla stick as described on their page
  2. boot from the USB stick and choose the “clonezilla-live in RAM” mode under the “Other clonezilla-live modes” menu.
  3. if you booted the “in RAM” version, you can select your USB stick in the “user_local” window
  4. select the root (/) directory of the USB stick to store the image
  5. give it an explicit name, my choice is “YYYYMMDD-model-osversion”
  6. when the image is created, mount the stick and move the image directory (for me : /YYYYMMDD-model-osversion) to the /home/partimage directory of the USB stick
  7. for automated restoration, modify the file /syslinux/syslinux.cfg with a section like this (under MENU) :
    label restore mybox
      MENU DEFAULT
      # MENU HIDE
      MENU restore mybox
      # MENU PASSWD
      kernel /live/vmlinuz
      append initrd=/live/initrd.img boot=live union=aufs hostname=lucid quiet noswap edd=on noprompt ocs_live_run="ocs-live-restore" ocs_live_extra_param="-g auto -p reboot restoredisk 20100608-dell-vostro320 sda" ocs_live_keymap="/usr/share/keymaps/i386/azerty/fr-latin9.kmap.gz" ocs_live_batch="no" ocs_lang="fr_FR.UTF-8" video=uvesafb:mode_option=1024x768-32 ip=frommedia nosplash
      TEXT HELP
      image restoration of my lovely linux box
      ENDTEXT
  8. comment out the other MENU DEFAULT entry in the MENU section.

[archlinux] apt-file equivalent

pacman and yaourt are great but…

Q: Is there an equivalent to apt-file (GNU/Debian) that allows searching for a file within packages that are not installed (in the repositories) ?

A: pacfile

eg :
pacfile mkfs.vfat
extra/dosfstools-3.0.9-1 sbin/mkfs.vfat
extra/dosfstools-3.0.9-1 usr/share/man/man8/mkfs.vfat.8.gz

update : it’s now pkgfile instead