Creating a global firewall policy on Juniper SRX

Juniper firewalls, both NetScreen and SRX, use a concept of security zones. Each interface is assigned to a zone and firewall policies are created between zones to permit traffic. This is very useful as you can safely use the "Any" object in firewall rules without unexpected results. However, sometimes it's useful to create policies regardless of the source and destination zones. The most common reason is to create a default deny rule with logging enabled.

On NetScreen firewalls, there was a global rulebase which was evaluated if there was no matching rule in the regular rulebase. On the SRX series however, there is no global rulebase. So in order to create default deny rules with logging enabled, you have to create rules for each possible combination of source and destination zone. This can be a lot of work, as the number of policies required grows with every additional zone pair.

Tired of creating so many rules, I figured there had to be an easier way. This device is running JUNOS; there must be some feature or script that can help simplify this, and there is. It's a feature called configuration groups, which makes it easy to repeat a piece of configuration multiple times. The following example creates a firewall rule that drops and logs all traffic. This rule is then appended to each rule set:

  set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match source-address any
  set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match destination-address any
  set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop match application any
  set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then deny
  set groups global-policy security policies from-zone <*> to-zone <*> policy default-logdrop then log session-init

  set security policies apply-groups global-policy

This can easily be extended to create address objects in multiple zones at once, or modified to apply only to select rule sets.

The apply-group is not entirely the same as the global policy on NetScreen: it will only create a default log+drop rule in each existing rule set. So if there are two zones for which no policy exists yet, no drop rule will be installed between them either.
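To make that caveat checkable, here is an added example (my own code, not from the original post or from Juniper) that parses `set security policies from-zone ... to-zone ...` lines, lists the zone pairs that have no rule set yet (where the `<*>` group will not expand), and generates the explicit per-pair commands for exactly those pairs. The zone list, the sample configuration and the policy name `default-logdrop` are constructed for the example.

```python
"""Audit which zone pairs an SRX apply-group default deny actually covers.

Added example, not from the original post: a configuration group with
from-zone <*> to-zone <*> only expands into rule sets that already exist,
so any zone pair without a policy gets no logged deny. This script finds
those pairs and emits the explicit commands for them.
"""
import itertools
import re
from typing import Iterable

# Matches the zone pair of a 'set security policies from-zone X to-zone Y policy Z' line.
POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+)"
)


def parse_rule_sets(config_lines: Iterable[str]) -> set[tuple[str, str]]:
    """Return the (from_zone, to_zone) pairs that have at least one policy configured."""
    pairs = set()
    for line in config_lines:
        m = POLICY_RE.match(line.strip())
        if m:
            pairs.add((m.group(1), m.group(2)))
    return pairs


def uncovered_pairs(zones: Iterable[str], rule_sets: set[tuple[str, str]]) -> list[tuple[str, str]]:
    """Zone pairs (intra-zone included) with no rule set; the apply-group creates no deny there."""
    all_pairs = set(itertools.product(list(zones), repeat=2))
    return sorted(all_pairs - rule_sets)


def explicit_deny_config(pairs: Iterable[tuple[str, str]], policy_name: str = "default-logdrop") -> list[str]:
    """Per-pair equivalent of the group's five statements, for the pairs the group misses."""
    lines = []
    for src, dst in pairs:
        prefix = f"set security policies from-zone {src} to-zone {dst} policy {policy_name}"
        lines += [
            f"{prefix} match source-address any",
            f"{prefix} match destination-address any",
            f"{prefix} match application any",
            f"{prefix} then deny",
            f"{prefix} then log session-init",
        ]
    return lines


# Constructed sample configuration: three zones, only two rule sets present.
SAMPLE_CONFIG = """
set security policies from-zone trust to-zone untrust policy allow-web match source-address any
set security policies from-zone trust to-zone untrust policy allow-web then permit
set security policies from-zone dmz to-zone untrust policy dmz-out match source-address any
set security policies apply-groups global-policy
""".strip().splitlines()

ZONES = ["trust", "untrust", "dmz"]  # constructed zone list for the example

if __name__ == "__main__":
    covered = parse_rule_sets(SAMPLE_CONFIG)
    missing = uncovered_pairs(ZONES, covered)
    print(f"rule sets that exist (group adds the deny here): {sorted(covered)}")
    print(f"zone pairs with no rule set (no deny installed): {missing}")
    print("\n".join(explicit_deny_config(missing)))
```

With the sample above, only trust→untrust and dmz→untrust exist, so the other seven pairs (including the intra-zone ones) get no logged deny from the group until a rule set is created for them. Running the script against `show configuration security policies | display set` output gives the same answer for a real box.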

Resources for following news about the ash cloud / airport closures

I'm supposed to travel to Budapest tomorrow and my brother's flight was scheduled to depart this morning, so we had to monitor the news. As the traditional media take ages to update, here are a couple of online resources to check:

Eurocontrol CFMU: The news headlines section updates at least hourly, listing all closed airspace. Note that times are in UTC.

Met Office ash cloud forecast: Updated every 4 hours.

Eurocontrol on Twitter: Eurocontrol is doing a good job posting updates and links to interesting resources on Twitter.

Brussels Airport: current status of Brussels Airport.

Images from METEOSAT-9: satellite image with dust concentrations.

Webcams: want to see the volcano that is causing all this trouble? It's not really going to help you though..

And of course, check the airline website. SN Brussels has cancelled all flights until Monday noon, but getting some information from Hungarian airlines has proven to be more difficult.

Unfortunately, many people traveling to San Francisco for DrupalCon are also stranded; they even created a map to see where everyone is: Drupalistas stuck in Europe. Some people are already planning minicons in the UK and Belgium for those who can't make it to SF. This DrupalCon won't soon be forgotten :)

SheevaPlug Development Kit

A few months ago, I decided to purchase a SheevaPlug Development Kit to replace my previous home server, which was an old Dell workstation. The main reason to replace the old machine was power usage: for a machine that is sitting idle most of the time, it costs a lot of money to run.
All I needed was a device on which I could run Linux to provide some typical core network services (DNS, DHCP, NTP) as well as some extras like my internal mail server and proxy. With a power consumption of only a few watts, the SheevaPlug was ideal for this purpose. It's a pretty small device with the following specifications:

iPhone tethering mobileconfig for Mobistar

Update: This no longer works with the 3.1 firmware. Go thank Apple & Mobistar for that..

The easiest way to enable tethering on your iPhone is to browse to websites like http://help.benm.at which have configuration files that you can install on your phone. However, none of the mobileconfig files I found online worked for me, as they used the wrong APNs. My account needs to use "web.pro.be" for data and "mms.be" for MMS.

So I created my own mobileconfig, attached to this article. Use at your own risk; I'm not going to guarantee that anything here is correct, but it has been confirmed to work (both tethering and MMS) by several people. To install, simply open the attached file from your iPhone.

Of course, keep an eye on your bandwidth consumption; it isn't cheap.