Tuesday, 17 January 2012

OSX application firewall not working: FIXED

Recently I encountered a problem with the OSX Application Firewall getting confused on Lion (and maybe even on Snow Leopard) - it basically blocks services (e.g. ssh) even when they appear to be set up with 'allow incoming connections' in the Advanced... section of the Firewall, under Security and Privacy, in System Preferences.

I managed to reset mine by doing the following (with the firewall off):
sudo rm /Library/Preferences/com.apple.alf.plist
Then reboot.

When the machine has rebooted, in the Firewall advanced settings you should only see the system services that were already enabled (e.g. SSH). Any other entries will have gone, but when you start network-based applications that need to accept incoming connections through the OSX firewall you will be asked again whether you want to permit the application or not.

If for some reason the Advanced firewall settings have not changed, ensure the firewall was off when you removed the file. You could also try killing the process named 'writeconfig' (which is what actually opens that config file) - however you should reboot soon afterwards as there may be unexpected consequences.

For more info on Apple's Application Firewall see here. Also note that Apple's application firewall is different to the old BSD/Dummynet ipfw firewall, which may be controlled via the ipfw command (see the man page, e.g. man ipfw). ipfw provides lower-level firewalling and can provide for more general network restrictions and control.

Thursday, 1 December 2011

Linux Traffic Control (tc)

The world of Linux's Traffic Control is a mysterious thing - you end up spending hours Googling or days reading source code.

TC Filters

Creating:
Here's some good info on the u32 filter (here and here). There's some more, with a quick overview, on the LARTC mailing list (the source of most useful info on tc etc.). Someone has also put together a tc manual.

Listing:
Running this command:

sudo tc filter show dev eth0 root

Results in the following example output:

filter parent ffff: protocol ip pref 49152 u32

Deleting:
To delete the above example filter:
sudo tc filter del dev eth0 parent ffff: protocol ip pref 49152 u32
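As an added example (not from the original post), here is a small shell function that turns the listing output above into the matching delete commands, so a set of filters can be cleaned up without retyping each one. It assumes the line layout shown above ("filter parent <handle>: protocol <proto> pref <prio> <kind> ..."); the sample output is constructed, and the dedupe is there because tc prints several detail lines per filter that share the same prefix.

```shell
# Added example, not from the original post.
# Turn "tc filter show dev <if> root" output into matching "tc filter del" commands.
# Usage: tc filter show dev eth0 root | tc_filter_del_cmds eth0
# Only prints the commands; review them, then pipe into sh to actually run them.
tc_filter_del_cmds() {
    dev="$1"
    awk -v dev="$dev" '
        $1 == "filter" && $2 == "parent" && $4 == "protocol" && $6 == "pref" {
            # parent handle, protocol, priority and filter kind identify the filter;
            # the fh/ht/flowid detail lines that follow repeat the same prefix, so dedupe.
            key = $3 " " $5 " " $7 " " $8
            if (!(key in seen)) {
                seen[key] = 1
                printf "tc filter del dev %s parent %s protocol %s pref %s %s\n", dev, $3, $5, $7, $8
            }
        }'
}

# Constructed sample of what "tc filter show" prints for a u32 filter (with its
# hash-table and match detail lines) plus one fw filter; not captured from a real box.
sample_tc_output='filter parent ffff: protocol ip pref 49152 u32
filter parent ffff: protocol ip pref 49152 u32 fh 800: ht divisor 1
filter parent ffff: protocol ip pref 49152 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:1
filter parent ffff: protocol ip pref 49151 fw'

# Runs the function over the constructed sample and prints the resulting delete commands.
tc_filter_del_demo() {
    printf '%s\n' "$sample_tc_output" | tc_filter_del_cmds eth0
}

tc_filter_del_demo
```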

[updated:17feb12: more explanations]

Wednesday, 14 September 2011

OSX Lion #fails (plus some good stuff)

So I thought OSX Lion sounded interesting and I went and upgraded... Only to find out there's a bunch of stuff removed and changed for the worse - not made that clear in the reviews/press. Also the claimed 'new' features are few. So here's a list of a few gripes I have with it so far:

  • No colour icons in the Sidebar - Not a big deal but it just makes it less usable
    • Here's a way to fix it!
  • Quick Look video preview slow - Its performance is now so bad that my fan kicks in when viewing (it seems to use WAY more CPU than the QuickTime app)
  • 'Full Screen' is no different from Apple-F in the previous OSX versions as far as I can see (though some additional apps have it now, like Terminal).
  • Never seen the need for the iPhone-esque 'Launchpad' - a bit of a waste of time.
  • Front Row removed - It was handy for viewing a bunch of movies
  • 'Leather' look for iCal and Address Book - That is seriously cheesy style?! (Fortunately it can be tweaked away... but with hackery)
On the plus side there are some benefits but so far not many:
  • Resize handles on every side of a window (not just the bottom right)
  • Slightly more helpful searching in folders - it prompts you with 'filename'
  • Terminal finally has full screen (but I gave up on it years ago for iTerm2, as Apple's Terminal still doesn't work with vim and others properly)
  • AirDrop anyone? (not managed to try it yet... but it sounds nice: Wi-Fi file transfer)

Friday, 19 August 2011

iPhone 3G SSL bug fix

If you've got an old iPhone 3G and you've heard about the SSL bug which Apple don't seem interested in fixing for older iPhones, then here's a fix - though you've gotta be running a jailbroken iPhone. This bug is a bit nasty as it means that you could potentially be misled into connecting to a site that you think is a trusted site (e.g. your bank) when in actual fact it is a scam site. This can occur because the iPhone's SSL stack doesn't check any site's SSL certificate properly - and the certificate is normally the thing that tells you you're connected to who you think you are.

Apple have recently released a fix for newer iPhones/iPads in iOS 4.3.5, but if you've got an old iPhone 3G then the latest version of iOS it can run is 4.2.1, so you're a bit stuck. So since Apple isn't bothering to provide any more updates you might as well bite the bullet and jailbreak your phone - then at least you can add some more features and updates. I found redsn0w 0.9.6rc18 to do the job quite well after many failed attempts with greenpois0n.

Once you have jailbroken your phone you need to run Cydia, search for iSSLfix and install it (as also explained here) - then you're covered.

[updated:17feb12: Corrected problem description]

Tuesday, 16 August 2011

Converting video for DVD players

Most of today's DVD players will not only play back normal MPEG2 DVD video discs (i.e. normal DVDs) but also other video formats, like DIVX and XVID, that allow for much more video to be packed onto a writable DVD disc. They are actually very similar formats and are basically ISO MPEG4 video (which is closely related to ITU-T's H.264 video standard). There are loads of dodgy commercial tools out there for conversion, but you can do it easily using the very powerful ffmpeg tool (it runs on MacOSX, Windows, Linux and others). So to convert something (e.g. an MP4 video named video.mp4) to XVID use:

ffmpeg -i video.mp4 -vcodec libxvid -b 800k vid-xvid.avi

This says compress it using the libxvid codec and set the bandwidth to 800 kbits/sec - which looks ok whilst still compressing well. Feel free to play with this, though don't go too high (e.g. above 5 Mb/s) as DVD players can have trouble playing it back. The name of the output file is vid-xvid.avi. I have found this format to be slightly better supported, although it is slower to convert than DIVX.

If you want to compress to DIVX use the following:

ffmpeg -i video.mp4 -vcodec mpeg4 -vtag divx -b 800k vid-divx.avi

This says use the mpeg4 codec to compress and mark the output video with the DIVX fourcc tag, which will let the DVD player know it is DIVX video.

The file can then be burned to a DVD using your favourite DVD burner app - usually the operating system's default one. To make it easier on the DVD player, use 8.3-style names (up to 8 characters) followed by the .avi suffix.
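As an added example (not from the original post), here is a shell wrapper that builds the two ffmpeg command lines above while enforcing the two constraints the post mentions: a bitrate at or below 5 Mb/s and an 8.3-style output name. The function name, argument order and the 5000k cap are my own choices; it only prints the command so you can check it before running it.

```shell
# Added example, not from the original post.
# Usage: dvd_convert_cmd xvid|divx <input> <OUTPUT8.avi> [bitrate, default 800k]
# Prints the ffmpeg command; run it with: eval "$(dvd_convert_cmd xvid in.mp4 MOVIE1.avi 800k)"
dvd_convert_cmd() {
    fmt="$1"; in="$2"; out="$3"; rate="${4:-800k}"
    case "$fmt" in
        xvid) vopts="-vcodec libxvid" ;;
        divx) vopts="-vcodec mpeg4 -vtag divx" ;;   # mark the stream with the DIVX fourcc
        *) echo "unknown format: $fmt (use xvid or divx)" >&2; return 1 ;;
    esac
    # Bitrate must be given as <digits>k so it can be compared against the 5 Mb/s ceiling.
    case "$rate" in
        *k) kbps="${rate%k}" ;;
        *)  echo "bitrate must be given in kbit/s, e.g. 800k: $rate" >&2; return 1 ;;
    esac
    case "$kbps" in
        ''|*[!0-9]*) echo "bitrate must be numeric: $rate" >&2; return 1 ;;
    esac
    if [ "$kbps" -gt 5000 ]; then
        echo "bitrate $rate is above 5 Mb/s; DVD players may struggle with it" >&2; return 1
    fi
    # Output name: 8.3 style, i.e. up to 8 plain characters followed by .avi.
    base="${out##*/}"
    stem="${base%.avi}"
    if [ "$stem" = "$base" ] || [ -z "$stem" ] || [ "${#stem}" -gt 8 ]; then
        echo "output name should be up to 8 characters followed by .avi: $base" >&2; return 1
    fi
    case "$stem" in
        *[!A-Za-z0-9_-]*) echo "output name should use only letters, digits, _ or -: $base" >&2; return 1 ;;
    esac
    printf 'ffmpeg -i %s %s -b %s %s\n' "$in" "$vopts" "$rate" "$out"
}

dvd_convert_cmd xvid video.mp4 MOVIE1.avi 800k
dvd_convert_cmd divx video.mp4 MOVIE1.avi
```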

[14sept11: Corrected some minor errors]

Friday, 12 August 2011

Post mortem: IPv6 Day

The day seemed to go pretty smoothly in general. Whilst a lot of the main contenders switched IPv6 off again, it was said that 2/3 actually maintained IPv6 functionality after the day (see IETF talk below). Well, when I say they switched it off - the visible aspect was to remove their IPv6 addresses (their AAAA records) for their main sites from the Internet's Domain Name Service (DNS) again. However a lot of work went on under the hood: lots of web helper stuff to notify people if there was a problem, various mods to custom code, and various dual-stack proxies and some tunnels to provide IPv6. The main players do have IPv6 versions of their sites accessible both before and after the day - only they're on a separate domain name (e.g. ipv6.google.com). A number of these folks put up their own post mortem analysis pages (yes, some of them did use some 1337 Hack0r IPv6 names;) : FACE::B00C, Google, C:15C0:D06:F00D, ISOC. Though probably the most in-depth analysis was provided in a presentation (by a combination of key players) at IETF81 in July at Quebec, with good coverage from Arstechnica.

It seems that there are browser tricks to speed up IPv6 failover and now even OS-level approaches to provide for it - notably OSX Lion has introduced some new black magic for IPv6 path selection.

Wednesday, 25 May 2011

World IPv6 Day....

Well, maybe you've heard about IPv6, though you're less likely to have heard about World IPv6 Day (8 June 2011, not far now...) - a ruse from the guys at ISOC to get people talking about it. It is also the day on which some of the world's biggest content providers (Google, Yahoo, Facebook, Akamai and others) will enable IPv6 on their main services - should be fun... (They mostly have an IPv6-enabled offering already, but you need to use special addresses, e.g. ipv6.google.com.) On that day they will enable the lookup of the IPv6 addresses for their main addresses, e.g. www.google.com will provide an IPv6 address (an AAAA record) from the normal DNS. Currently the only way to obtain IPv6 addresses for Google's main services is to use a whitelisted DNS server - such as those provided by he.net.

And talk about it people should! Given we really are (even the BBC are talking about it) about to run out of [old] IP [v4] addresses (see my new gadget to the right) - the last bunch of IPv4 addresses were ceremoniously handed out, and now everyone will be scurrying around trying to buy or sell addresses for a while until they realise that IPv6 is the way forward.

Of course I've been IPv6 connected for ages... yeah yeah, um - well, it mostly just works, though since it's often via a tunnel it's not always the fastest option available... But all you Windows 7 users are already automatically connected to IPv6 via Teredo (which is available for other OSes - a free version is miredo).

Thursday, 21 April 2011

Sorting out clock weirdness on dual boot Windows and OSX/Linux

I just installed Windows 7 on my MacBook and Windows STILL stores the local time in the hardware clock (as opposed to UTC), so when you reboot between the two OSes the time changes - dang! It turns out that there's a secret registry setting that gets Windows to behave 'normally' in this respect. You just need to add a new DWORD value called RealTimeIsUniversal (which should be set to 1) under the following key in the registry (and then reboot to make it take effect):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

Here's all the details from a man who knows....