If you need a pdf viewer on your open source-OS (I tested it on Linux and FreeBSD), you should try PDF studio viewer. Very fast and can do stuff like removing layers from the PDF https://www.qoppa.com/pdfstudioviewer/

Script to "centralize" checking for updates on FreeBSD

I have to administrate several FreeBSD-servers and I need to know which servers need updates. Eveen though I have a poudriere running, I also have a local ports-tree on the machines because they are either not using the poudriere because they are not migrated to it yet or there was some reason to have a locally compiled package. Now I want to know daily which servers need package-updates and if any server has packages that have known CVEs. Thus I update the index of the portstree daily with the following cronjob for root:

0 3 * * * portsnap -I cron updateI have several “classes” of servers, thus I want mails for every class of server. For each class I have a cronjob like this in my personal crontab (or you could put it on one of your servers): 0 6 * * 1-5 /usr/local/scripts/check_for_updates.sh class1The user needs to be able to log into each server with an ssh-key.


case $1 in
SERVERS="server1 server2"
SERVERS="server3 server4 server5"
SERVERS="privateserver1 privateserver2"

for i in $SERVERS; do
  echo "$i:" >> $TMPFILE
  update_count=`ssh $i "pkg version" | grep \< | wc -l`
  if [ $update_count -gt 0 ]; then
    echo "$i needs $update_count updates" >> $TMPFILE
    ssh $i "pkg version" | grep \< >> $TMPFILE
    echo "" >> $TMPFILE
    echo "" >> $TMPFILE
    ssh $i "pkg audit" >> $TMPFILE
    echo "$i needs no updates" >> $TMPFILE
  echo "" >> $TMPFILE
  echo "" >> $TMPFILE

mail -s "$1 update status" $MAILADDRESS < $TMPFILE

mail -s "$1 update status" $MAILADDRESS < $TMPFILE

Blacklistd and pf on FreeBSD

In FreeBSD 11.0 there was a new daemon delivered in base that helps to blacklist IPs on unsuccessful logins called blacklistd. Its advantage over fail2ban: it works with IPv6 and it is part of base. Its disadvantage is that as far as I understand it applications have to be linked against blacklistd, so that they can work with it.

With the recently released FreeBSD 11.1 sshd got linked against blacklistd. Therefore there is a new option in sshd_config: UseBlacklist. Per default it is set to no. Uncomment it, set it to yes and then reload sshd.

The config is in /etc/blacklistd.conf. Usually you define blocking rules in the [local]-section and whitelisting in [remote]. The sample file and the man page are good enough to explain that part.

In addition you need to start the blacklistd-service and enable it in rc.conf or even better in a file in /etc/rc.conf.d.

In /etc/pf.conf you need to add the following line:

 anchor "blacklistd/*" in on $ext_if

Then you need to reload pf with the new rule:

 pfctl -f /etc/pf.conf

Now blocking should already work. To get the blocked IPs use the following command

 blacklistctl -b

If there are IPv6-adresses blocked, you need to add -w, so it is then

 blacklistctl -bw

If you want to unblock an IP you can look into the tables with pfctl. To see for example the table for sshd, the command is:

 pfctl -a blacklistd/22 -t port22 -T show

Now let’s say you want to unblock the IP, then you could issue a:

 pfctl -a blacklistd/22 -t port22 -T delete

This will remove the IP from the table and it is now unblocked. blacklistctl will still show the IP as blocked though. But if the IP tries again to log in and fails often enough, it will get blocked again.

Some plaintext-productivity love with Taskpaper

I finally got my plaintext-todo-system together. It was a bit cumbersome because I did and could not want to use Dropbox, but it works now. The problem is that some of my machines either run FreeBSD or OpenBSD and all the plaintext-productivity apps on iOS either require Dropbox or iCloud[footnote]To be honest, I do not understand why so many iOS-apps expect a Mac on the desktop. Do so many iOS-owners also own a Mac? I would expect that most actually own a Windows-machine[/footnote]. I have a Nextcloud but the Nextcloud-client on iOS does not really integrate into iOS and nearly no one offers to sync with something else than iCloud or Dropbox on iOS.

But there is a really good git-client on iOS: Working Copy. And there is a really good markdown-editor, that also has taskpaper-support and integrates with some workarounds with Working Copy: Editorial[footnote]It does not integrate as Textastic but that might come in the future[/footnote].

The final piece that was missing where some reminders which work somehow automagically. There is a way to create iOS-reminders in Editorial from Taskpaper-files but there I would need to run a workflow in Editorial manually to create them. And I wouldn’t get a mail in the morning with a summary of tasks that are due, overdue etc. But I have now some scripts and cronjobs which create the mail and will send out push notifications via Pushover[footnote]I use Pushover because our Icinga2, the monitoring system we use at work, already uses pushover to send notifications when an alert is coming up.[/footnote].

How does it work?

I created a git-repo on my server. And have it checked out on my clients and in the home-directory of my user on the server. When I change something on the clients, I commit and push to the server. On the server there is cronjob in the crontab of my user running every minute to pull the repo. Additionally there is a cronjob running a python-script that checks if a task has an alarm set. If one is set, it will send the task as message to pushover, which sends a push notification to my iPhone. At 4 am in the morning there is an additional cronjob that runs a script that will generate a summary mail and sends it to me via e-mail.

The scripts expect the following tags, so that they can work:

  • @today or @due[YYYY-MM-DD]
  • @alarm[YYYY-MM-DD HH:MM]

The basis is the Taskpaper-Parser from github-user kmarchand. My push-script is a derivate from the script[footnote]Please forgive me since I am not very knowledgable in the arts of programming and just hacked around to get a works-for-me-thing[/footnote]:


[code language=“python”] from datetime import datetime, timedelta from collections import namedtuple from dateutil import parser import sys import re import httplib import urllib

tpfile = sys.argv[1]

with open(tpfile, ‘rb’) as f: tplines = f.readlines()

Flagged = namedtuple(‘Flagged’, [‘type’, ‘tasktime’, ‘taskdate’, ‘project’, ‘task’]) flaglist = [] errlist = []

project = ''

for line in tplines: try: if ‘@done’ in line: continue if ‘:\n’ in line: project = line.strip()[:-1] if ‘@alarm’ in line: alarmtag = re.search(r'@alarm((.*?))', line).group(1) tasktime = datetime.time(parser.parse(alarmtag)) taskdate = datetime.date(parser.parse(alarmtag)) #print(tasktime) #print(taskdate) flaglist.append( Flagged(‘alarm’, tasktime, taskdate, project, line.strip())) except Exception, e: errlist.append((line, e))

today = alarm = overdue = duethisweek = startthisweek = None today_date = datetime.date(datetime.now()) today_time = datetime.time(datetime.now()) time_tmp = datetime.now() - timedelta(minutes = 1) today_time_less1min = time_tmp.time()

for task in flaglist: if task.type == ‘alarm’ and today_date == task.taskdate and today_time > task.tasktime and today_time_less1min < task.tasktime: alarm = True #print ‘\t[%s] %s’ % (task.project, task.task) conn = httplib.HTTPSConnection("api.pushover.net:443") conn.request("POST", "/1/messages.json", urllib.urlencode({ "token": "APP-Token", "user": "User-Token", "message": task.project + " " + task.task, }), { "Content-type": "application/x-www-form-urlencoded" }) conn.getresponse() if not alarm: print ‘\t (none)’ [/code]

It is simple, it could be probably far more elegant but it works for me™.

In addition there is a simple shell-script[footnote]I am running it on my FreeBSD-server, thus the path to python is /usr/local/bin/python2 - when you are running Linux the path is probably /usr/bin/python2[/footnote]:

[code language=“bash”] #!/bin/sh /usr/local/bin/python2 /home/user/python/tpp.py /home/user/taskpaper/Work.taskpaper > /tmp/taskpaper.mail /usr/local/bin/python2 /home/user/python/tpp.py /home/user/taskpaper/Personal.taskpaper >> /tmp/taskpaper.mail mail -s ‘Your Daily Taskpaper Summary’ my@mailaddress.org < /tmp/taskpaper.mail [/code]

And here is my crontab:


          • /bin/sh -c ‘cd ~user/taskpaper && /usr/local/bin/git pull -q origin master’ >> ~/git.log
          • /usr/local/bin/python2 /home/user/bin/tpp_alarms.py /home/user/taskpaper/Work.taskpaper
          • /usr/local/bin/python2 /home/user/bin/tpp_alarms.py /home/user/taskpaper/Personal.taskpaper 0 4 * * * /home/user/bin/taskpaper_mail.sh [/code]

Since I am running FreeBSD on my server I have to rely on a crontab and cannot use systemd-timers.

On my computers I am an avid vim-user and I use taskpaper.vim for having syntax highlighting and some additional shortcuts for marking tasks as done or today etc.

In Editorial I use the Working Copy-workflow.

It is all very simple and not very elegant. But it works and brings me the funtcionality I was missing from using apps like Todoist or on the “local” level Taskmator. And everything runs on my own machines except the delivery for the push notifications. But the only chance to get there my own solution would be to develop an iOS-app because you can’t get in any other way push notifications to your iOS-device. And if I should switch back to Android at any point, I still can use pushover. I pushover goes down, I hope there are alternatives… ;)

OpenVPN, pf and alias-IP-adresses

Recently I had to build an OpenVPN-server on a FreeBSD-machine that uses already port 443. But I wanted to use port 443 because its reachability is usually guaranteed. So I added a second IP-address to the interface. Let’s say for this example the adresses are and[footnote]Yes, I know…the original host has routable adresses there[/footnote]. And then I followed the few hints I found on the net for NATing through the interface. Since it is FreeBSD and I have pf available, I use it of course. And after that I opened up certain hosts to on the other hosts.

What is the rule you find when you google?

nat on $ext_if inet from $vpn_clients to any -> $ext_if

ext_if is your interface to the outside world. In my case the one with the two IP-adresses. $vpn_clients is the openvpn-network[footnote]by default[/footnote].

And then I was up to a surprise. When I connected to the VPN and then tried to connect to the hosts I wanted to reach through the NAT via ssh the following happened: ssh host1 - connection denied, ssh host1 - please log in. If I waited a short moment instead of trying to connect immediately a second time the connection was denied again. And some other strange behavior like that was observable.

What happend? FreeBSD NATed all the time through either address 1 or address 2 but never through the same.

What you can do is define the address for the NATing you want to rewrite to. So it becomes:

nat on $ext_if inet from $vpn_clients to any -> $vpn_nat_ip

In this case vpn_nat_ip is

Another side-note: you don’t want to add a second interface for the second IP-address but use an alias-IP on the first network card. Otherwise you have to start use routing tables etc. for getting your traffic correctly moved through your system.

Current state: looking into a book about shell scripts and I wonder which she’ll they use. sh or do I need bash? How about other shells?

I really wonder why there is no ‘ssh-copy-id’ for OpenBSD…

The Podlove Podcast Publisher works again. The team reacted quite fast on the issue (the package php71-filter was missing). Thanks a lot.

Moved from ports to pkg…besides being a bit of pita, it broke Podlove. I have no idea why but suddenly having podlove activated will blank out this site. I wonder why…Well, I’ve opened an issue…

But moving to ports allows me faster updates I have to think about less. And I don’t have special options activated anyways. I use up a bit more space but that’s it. I am running RELEASE anyways…

What did you do sunday evening?

I installed mosh, which updated OpenSSL which meant that I took the shotgun and shot myself into the foot

FreeBSD can be a throwback to the good, old times. I just needed 90 minutes to set up a printer >_<

That also means that I am now Linux-free except one server which I want to keep on CentOS for testing-purposes and everything else runs *BSD

I set now the laptop up with TrueOS. The only issues that remain are resume and not having glitches graphics that force me to reboot and accidental trackpad-input. HardenedBSD 12-Current already started to make problems with the Wifi-chip which didn’t get recognized for whatever reason. And when it already starts out that way, I do not necessarily want to go further…

Tonight I will install HardenedBSD (Current) on my T460. I wonder if Geli with EFI will work…

OpenBSD would be nicer if it wouldn’t have all those limitations. But it is probably so nice because it has all those limitations >_<

This USB-WLAN-stick doesn’t want to work with FreeBSD 11. But it porbably works with TrueOS and OpenBSD. So:

TrueOS or OpenBSD?

Tonight’s fun: upgrading my home server from Linux to FreeBSD :D


Sooo…wie bereits angekündigt habe ich nun Japanbezug und retrogames.kobschaetzki.net runtergefahren. EMUI habe ich in dieses Blog integriert. Eine Feed-URL habe ich noch nicht. Daurm kümmere ich mich, wenn ich irgendwann mal eine neue Folge veröffentlichen sollte. Es sind Projekte, die ich einmal mit viel Ambition gestartet habe und dann feststellte, dass ich eigentlich nicht die Zeit dazu habe.Kurzfristig habe ich überlegt auch dieses Blog wieder zu einem statischem zu machen, aber am Ende bedeutet das auch mehr Arbeit als Nutzen. Und es gibt eine Sache auf die ich warte, die mit Wordpress einfacher sein sollte.

Und so wie es aussieht wird mein neuer Job als Sysadmin bei einem Webhoster mich noch eine ganze Weile auf Trab halten bis ich mich in alles so eingearbeitet habe, dass es ruhiger wird. Komplexe Strukturen, die verstanden und beherrscht werden wollen.

Ich habe viel über FreeBSD die letzten Monate gelernt durch den Job. Vermutlich werde ich auch privat eine ganze Menge nach FreeBSD ziehen. Dieses Blog hier läuft inzwischen auch auf einem FreeBSD-Server. Aber auf dem Desktop fühlt sich FreeBSD wie vor 5 - 10 Jahren an. Der Hardware-Support ist lange nicht auf dem Level von Linux. Dafür gefällt mir die ganze Struktur besser, die Dokumentation ist viel besser und es gibt ZFS. Ich hab gelesen, dass die FreeBSD-Leute wohl häufig Apple-Laptops einsetzen und durch das fehlende Dogfooding der Hardware-Support im Desktop-Bereich nicht so dolle ist. Auf einem Laptop hatte ich kurz OpenBSD drauf, das ist auch sehr schick. Aber aus Gründen gibt es da halt kein Wine und als Virtualisierer nur Qemu. Damit wird das ganze schon um einiges härter. Als reine Arbeitsmaschine ginge das sogar; aber an sich brauch ich vermutlich den Virtualisierer allein um sowas wie IPMIs[footnote]eine Art Remote-Zugriff auf Server, wenn die Kiste gar nicht mehr will[/footnote] weil die alten noch komische Java-Wünsche haben. Aber auch OpenBSD fand ich von den Konzepten um einiges schicker als Linux. Und die BSD-Lizenz ist nun mal noch freier als die GPL, was sie mir schon immer sympathischer machte.

Und dann gibt es noch TrueOS, ein FreeBSD-Abkömmling. Der ist ganz schick aber leidet z.Z. an einem Bug, durch den Festplattenverschlüsselung und die Nutzung von EFI sich ausschließen. Und ich finde es müßig, dass sie OpenRC einsetzen. Nun ja, am Ende ist es aber nah an FreeBSD dran. Wenn das Festplattenverschlüsselungsproblem gelöst ist, kommt es vermutlich auf meinen Laptop drauf.

Der Retrozirkel kommt hoffentlich bald auch wieder öfter. Eine Folge ist schon aufgenommen und muss “nur” noch veröffentlicht werden. Ich hoffe Lucie ist auch bald wieder mit dabei. Nur wann ich spielen soll, ist mir noch nicht ganz klar. Vielleicht mal wieder mehr in der U-Bahn zocken…

Nun ja, es geht weiter. Altlasten habe ich jetzt eingestampft und das beruhigt. Weniger Dinge um die ich mich kümmern muss.

Yesterday’s surprise: you need UTF-8 as locale (and therefore a system built with locales) to be able to run tmux. screen works without.

Btw. any ideas which password manager besides LastPass works on iOS, Linux, FreeBSD and OpenBSD (sync with Nextcloud)?

And in OpenBSD the WLAN-USB-stick works immediately… setting up now a secondary laptop with OpenBSD.

I am downloading now an openbsd-USB-image for the X201 Interested how that works out.

And OpenRC on TrueOS is surprisingly confusing.

Here is a real neat and simple vim-plugin-manager: https://github.com/junegunn/vim-plug

What? OpenBSD has better laptop-support than FreeBSD? Oo I didn’t expect that one.

This time I tried installing FreeBSD with 11-stable on the laptop. FDE worked but no 3D-acceleration, no suspend & a lot of work…