
map

Docker, an advanced chroot utility


Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks described on this Docker and iptables page. In particular, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you do want to share that service with the rest of the world, but it is very dangerous while you are still working on that container service, since it could have security issues that need patching. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the source IP address matches 192.168.1.0/24, access is refused. The `eth0` interface name should be replaced with the name of the interface you use as the external Ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block ports 80, 8080, and 8081 from Docker.

Docker will add new rules that will appear after these (albeit not within the DOCKER-USER chain) and will open ports for whatever services you install in your containers.

Note that the only ports you have to block are ports that Docker will share and that you otherwise have open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running, so as a result I block the usual HTTP ports from Docker.
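An added example, not part of the original article: a small Python audit that reads rules in the syntax shown above and reports which published TCP ports are not dropped in DOCKER-USER through `--ctorigdstport`. Docker applies DNAT before the DOCKER-USER chain is reached, so a `--dport` match there sees the container's port rather than the published one. The sample rule set is constructed, and the function names and the list of published ports are assumptions.

```python
import shlex

# Constructed sample in iptables-restore syntax, modelled on the rules above;
# the last rule deliberately uses --dport to show the failure mode.
SAMPLE_RULES = """\
*filter
:DOCKER-USER - [0:0]
-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp --dport 8081 -j DROP
"""

def _arg(tok, flag):
    """Return the value that follows flag, or None when the flag is absent."""
    if flag in tok[:-1]:
        return tok[tok.index(flag) + 1]
    return None

def _ports(spec):
    """Expand 'N' or 'LOW:HIGH' into a set of port numbers."""
    low, _, high = spec.partition(":")
    return set(range(int(low), int(high or low) + 1))

def audit_docker_user(rules_text, iface, published_ports):
    """Check which published TCP ports DOCKER-USER drops on the external interface.

    Jumps to other chains (early_forward here) are not followed, and negated
    ('!') rules are never credited as a block.
    """
    blocked, post_dnat = set(), set()
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", "DOCKER-USER"] or "!" in tok:
            continue
        if _arg(tok, "-j") != "DROP" or _arg(tok, "-p") != "tcp":
            continue
        if _arg(tok, "-i") not in (None, iface):
            continue
        if _arg(tok, "--ctorigdstport"):
            blocked |= _ports(_arg(tok, "--ctorigdstport"))
        elif _arg(tok, "--dport"):
            # After DNAT this is the container's port, not the published one.
            post_dnat |= _ports(_arg(tok, "--dport"))
    wanted = set(published_ports)
    return {"unblocked": sorted(wanted - blocked),
            "matched_after_dnat": sorted(wanted & post_dnat)}

if __name__ == "__main__":
    print(audit_docker_user(SAMPLE_RULES, "eno1", [80, 8080, 8081]))
```

A port listed under both keys has a DROP rule that was written against the post-DNAT port and therefore does not protect the published port.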

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software within that environment from accessing everything on your computer. This is particularly useful for publicly facing services like Apache, Bind, etc.

US Zip Code overlay on Google Maps

Today I had a need to find out a set of zip codes that would match a delivery area for one of my customers. I was wondering how I could find out all the zip codes over a given area...

Searching a little bit I found a website named zipmap which actually does just that. The entire US is covered and you can navigate it just like you navigate a regular Google Map view. Very practical!

You can easily move around, zoom in and out, and you even see the map with street names in the background.

DefineFont2

Tag Info
Tag Number: 48
Tag Type: Define
Tag Flash Version: 3
Brief Description: Define a list of glyphs using shapes and other font metric information.

Tag Structure:
struct swf_definefont2 {
	swf_tag			f_tag;		/* 48 or 75 */
	unsigned short		f_font2_id;
	unsigned		f_font2_has_layout : 1;
	if(version >= 6) {
		unsigned	f_font2_reserved : 1;
		if(version >= 7) {
			unsigned	f_font2_small_text : 1;
		}
		unsigned	f_font2_reserved : 1;
	}
	else {
		unsigned	f_font2_shiftjis : 1;
		unsigned	f_font2_unicode : 1;
		unsigned	f_font2_ansii : 1;
	}
	unsigned		f_font2_wide_offsets : 1;
	unsigned		f_font2_wide : 1;	/* always 1 in v6.x+ */
	unsigned		f_font2_italic : 1;
	unsigned		f_font2_bold : 1;
	if(version >= 6) {
		unsigned char	f_font2_language;
	}
	else {
		unsigned char	f_font2_reserved;
	}
	unsigned char		f_font2_name_length;
	unsigned char		f_font2_name[f_font2_name_length];
	unsigned short		f_font2_glyphs_count;
	if(f_font2_wide_offsets) {
		unsigned long		f_font2_offsets[f_font2_glyphs_count];
		unsigned long		f_font2_map_offset;
	}
	else {
		unsigned short		f_font2_offsets[f_font2_glyphs_count];
		unsigned short		f_font2_map_offset;
	}
	swf_shape		f_font2_shapes[f_font2_glyphs_count];
	if(f_font2_wide) {
		unsigned short		f_font2_map[f_font2_glyphs_count];
	}
	else {
		unsigned char		f_font2_map[f_font2_glyphs_count];
	}
	if(f_font2_has_layout) {
		signed short		f_font2_ascent;
		signed short		f_font2_descent;
		signed short		f_font2_leading_height;
		signed short		f_font2_advance[f_font2_glyphs_count];
		swf_rect		f_font2_bounds[f_font2_glyphs_count];
		signed short		f_font2_kerning_count;
		swf_kerning		f_font2_kerning[f_font2_kerning_count];
	}
};
/* DefineFont3 is the same as DefineFont2 */
typedef struct swf_definefont2 swf_definefont3;

It is common to use the DefineFont2 tag in order to create an array of shapes later re-used to draw strings of text on the screen. This tag must be used whenever a DefineEditText references a font; and in that case it is suggested you include a full description of the font with layouts.

SWF Any Filter (swf_any_filter)

SWF Structure Info
Tag Flash Version: 8
SWF Structure:
/* the filter type */
struct swf_filter_type {
	unsigned char	f_type;
};

struct swf_filter_glow {
	swf_filter_type	f_type;		/* 0, 2, 3, 4 or 7 */
	if(f_type == GradientGlow || f_type == GradientBevel) {
		unsigned char		f_count;
	}
	else {
		f_count = 1;
	}
	swf_rgba		f_rgba[f_count];
	if(f_type == Bevel) {
		swf_rgba		f_highlight_rgba[f_count];
	}
	if(f_type == GradientGlow || f_type == GradientBevel) {
		unsigned char		f_position[f_count];
	}
	signed long fixed	f_blur_horizontal;
	signed long fixed	f_blur_vertical;
	if(f_type != Glow) {
		signed long fixed	f_radian_angle;
		signed long fixed	f_distance;
	}
	signed short fixed	f_strength;
	unsigned		f_inner_shadow : 1;
	unsigned		f_knock_out : 1;
	unsigned		f_composite_source : 1;
	if(f_type == Bevel) {
		unsigned		f_on_top : 1;
	}
	else {
		unsigned		f_reserved : 1;
	}
	if(f_type == GradientGlow || f_type == GradientBevel) {
		unsigned		f_passes : 4;
	}
	else {
		unsigned		f_reserved : 4;
	}
};

struct swf_filter_blur {
	swf_filter_type		f_type;	/* 1 */
	unsigned long fixed	f_blur_horizontal;
	unsigned long fixed	f_blur_vertical;
	unsigned		f_passes : 5;
	unsigned		f_reserved : 3;
};

struct swf_filter_convolution {
	swf_filter_type	f_type;		/* 5 */
	unsigned char	f_columns;
	unsigned char	f_rows;
	long float	f_divisor;
	long float	f_bias;
	long float	f_weights[f_columns × f_rows];
	swf_rgba	f_default_color;
	unsigned	f_reserved : 6;
	unsigned	f_clamp : 1;
	unsigned	f_preserve_alpha : 1;
};

struct swf_filter_colormatrix {
	swf_filter_type	f_type;		/* 6 */
	long float	f_matrix[20];
};

struct swf_any_filter {
	swf_filter_type			f_filter_type;
	swf_filter_blur			f_filter_blur;
	swf_filter_colormatrix		f_filter_colormatrix;
	swf_filter_convolution		f_filter_convolution;
	swf_filter_glow			f_filter_glow;
};

A filter defines how to transform the objects it is attached to. The first byte is the filter type. The data that follows depends on the type. Because the filters differ considerably from one another, they are defined in separate structures. You can attach a filter to an object using ActionScript or the PlaceObject3 tag.

The following describes the different filters available since version 8.

DefineFontInfo

Tag Info
Tag Number: 13
Tag Type: Define
Tag Flash Version: 1
Brief Description: Information about a previously defined font. Includes the font style, a map and the font name.

Tag Structure:
struct swf_definefontinfo {
	swf_tag			f_tag;		/* 13 or 62 */
	unsigned short		f_font_info_id_ref;
	unsigned char		f_font_info_name_length;
	unsigned char		f_font_info_name[f_font_info_name_length];
	if(version >= 7 && f_tag.f_tag == DefineFontInfo2) {
		unsigned		f_font_info_reserved : 2;
		unsigned		f_font_info_small_text : 1;
		unsigned		f_font_info_reserved : 2;
	}
	else if(version >= 6 && f_tag.f_tag == DefineFontInfo2) {
		unsigned		f_font_info_reserved : 5;
	}
	else {
		unsigned		f_font_info_reserved : 2;
		unsigned		f_font_info_unicode : 1;
		unsigned		f_font_info_shiftjis : 1;
		unsigned		f_font_info_ansii : 1;
	}
	unsigned		f_font_info_italic : 1;
	unsigned		f_font_info_bold : 1;
	unsigned		f_font_info_wide : 1;	/* always 1 in v6.x+ */
	if(version >= 6 && f_tag.f_tag == DefineFontInfo2) {
		unsigned char		f_font_info_language;
	}
	if(f_font_info_wide) {
		unsigned short		f_font_info_map[f_font_glyphs_count];
	}
	else {
		unsigned char		f_font_info_map[f_font_glyphs_count];
	}
};

A DefineFontInfo tag will be used to complete the definition of a DefineFont tag. It uses the exact same identifier (f_font_info_id_ref = f_font_id). You must have the corresponding font definition appearing before the DefineFontInfo since it will use the number of glyphs defined in the DefineFont to know the size of the map definition in the DefineFontInfo tag.

When it looks like it perfectly matches an existing system font, the plugin may use that system font (as long as no rotation is used, it will work fine.) It is also possible to force the use of the system font by declaring an empty ...

DefineFont

Tag Info
Tag Number: 10
Tag Type: Define
Tag Flash Version: 1
Brief Description: List shapes corresponding to glyphs.

Tag Structure:
struct swf_definefont {
	swf_tag			f_tag;		/* 10 */
	unsigned short		f_font_id;
	/* there is always at least one glyph */
	f_font_glyphs_count = f_font_offsets[0] / 2;
	unsigned short		f_font_offsets[f_font_glyphs_count];
	swf_shape		f_font_shapes[f_font_glyphs_count];
};

It is common to use the DefineFont tag in order to create an array of shapes later re-used to draw strings of text on the screen. Note that the definition of the shape within a font is limited since it can't include any specific fill and/or line style. Also, each shape is assumed to be defined within a 1024x1024 square. This square is called the EM Square. Fig 1. below shows you the EM Square and how it is used. The characters' baseline can be placed anywhere within the EM Square (it certainly can be outside too if you wish?!?).
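An added example (not code from the original page or from SSWF): a bounds-checked Python reader for the part of a DefineFont tag that follows f_tag, deriving the glyph count from the first offset as the structure above does. The function name, exception name and sample bytes are constructed for illustration; offsets are read as little-endian and relative to the start of the offset table.

```python
import struct

class SwfFormatError(ValueError):
    """Raised when a DefineFont body is inconsistent with its own offset table."""

def parse_definefont_body(body):
    """Parse the bytes that follow f_tag in a DefineFont (tag 10).

    Returns (font_id, [shape_bytes, ...]). Every offset comes from the file,
    so each one is validated before it is used to slice the buffer.
    """
    if len(body) < 4:
        raise SwfFormatError("too short for f_font_id and one offset")
    font_id, first = struct.unpack_from("<HH", body, 0)
    table = body[2:]                      # offset table followed by the shapes
    if first == 0 or first % 2:
        raise SwfFormatError("first offset must be a non-zero multiple of 2")
    if first > len(table):
        raise SwfFormatError("offset table runs past the end of the tag")
    count = first // 2                    # f_font_glyphs_count = f_font_offsets[0] / 2
    offsets = struct.unpack_from("<%dH" % count, table, 0)
    shapes = []
    for i, start in enumerate(offsets):
        # A shape ends where the next one starts; the last ends with the tag.
        end = offsets[i + 1] if i + 1 < count else len(table)
        if start < first or end < start or end > len(table):
            raise SwfFormatError("glyph %d offset out of bounds" % i)
        shapes.append(table[start:end])
    return font_id, shapes

# Constructed sample: font id 7, two glyphs whose shape data are placeholder bytes.
SAMPLE_BODY = struct.pack("<HHH", 7, 4, 6) + b"\x10\x00" + b"\x20\x00\x00"

if __name__ == "__main__":
    print(parse_definefont_body(SAMPLE_BODY))
```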

A new concept: Throwaway Software.

More and more, people are learning new software as they go. A few will stick to one software for a long time simply because it is easier, but changing is easy too, especially if the new system is easy to use.

But how do you produce throwaway software? And is it worth the trouble?

As we see things evolving, more and more, people want to use software anywhere they go. This means software that runs on the Internet in some ways. For instance, you can use Google Map anywhere you go, as long as you have a computer to access the Internet.