Made to Order Software Corporation Logo

project

Docker, an advanced chroot utility

Chasm—just like a Docker creates a chasm between two sets of software

SECURITY WARNING

Before installing Docker and containers with services on your Linux system, make sure to read and understand the risks as mentioned on this Docker and iptables page. Especially, Docker will make all your containers visible to the entire world through your Internet connection. This is great if you want to indeed share that service with the rest of the world, it's very dangerous if you are working on that container service since it could have security issues that need patching and such. Docker documents a way to prevent that behavior by adding the following rule to your firewall:

iptables -I DOCKER-USER -i eth0 ! -s 192.168.1.0/24 -j DROP

This means that unless the IP address matches 192.168.1.0/24, the access is refused. The `eth0` interface name should be replaced with the interface name you use as the external ethernet connection. During development, you should always have such a rule.

That has not worked at all for me because my local network includes many other computers on my LAN and this rule blocks them all. So really not a useful idea.

Instead, I created my own entries based on some other characteristics. That includes the following lines in my firewall file:

*filter
:DOCKER-USER - [0:0]

-A DOCKER-USER -j early_forward
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 80 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8080 --ctdir ORIGINAL -j DROP
-A DOCKER-USER -i eno1 -p tcp -m conntrack --ctorigdstport 8081 --ctdir ORIGINAL -j DROP

My early_forward allows my LAN to continue to work. These are my firewall rules that allow my LAN computers to have their traffic forwarded as expected.

Then I have three rules that block port 80, 8080, and 8081 from Docker.

Docker will add new rules that will appear after (albeit not within the DOCKER-USER list) and will open ports for whatever necessary service you install in your Dockers.

Note that the only ports you have to block are ports that Docker will share and that you have otherwise open on your main server. If Docker opens port 5000 and your firewall does not allow connections to port 5000 from the outside, then you're already safe. On my end I have Apache running so as a result I block quite usual HTTP ports from Docker.

Docker

As we are helping various customers, we encounter new technologies.

In the old days, we used chroot to create a separate environment where you could have your own installation and prevent the software from within that environment access to everything on your computer. This is particularly useful for publicly facing services liek Apache, Bind, etc.

Help with version 0.1.7 of Zipios (CVE-2019-13453)

Here is yet another example of why opensource is a really good way of getting things fixed.

Assuming you have a project that is getting used by many, you are likely to see people post issues about bugs and possible enhancements. Your software is even very likely to get improved on its own by enthousiast users. On Github, for example, it is very easy to fork a project (make a copy) and then work on your version of the software. You can then offer a fix to the main authors of the project with a near one to one copy of the project.

In our case, a security professional, Mike Salvatore, was asked ...

Table of Contents Settings

Filter Configuration

At this point, most of the Table of Contents configuration is done in the Table of Contents filter.

This means multiple Input formats allow you to make use of several different configurations.

To Do List (The module —)

To Do List is a Drupal module allowing users to create lists of things to do. A small project management system if you wish.

The latest version includes many features including a block, views support and basic actions support.

The permission model makes the To Do Items hidden but to the few who are given the right to see the To Do List. This is quite useful to work with Organic Groups and other similar advanced Drupal features.

The following pages explain how to use this module to its full extend. With the use of some other modules, it is possible to build a quite robust project system. ...

Projects Similar to Insert Node

Link Node

There is a Link Node project that can be used to generate a link to a node using the node title or another user specified title.

This is similar to using the following with Insert Node:

   [node:<name> title=<my link>;]

Insert View

If you want to include a view, use the insert_view module instead.

Insert Block

If you want to include blocks in your nodes (or other blocks, scary, hey?!), use the insert_block module instead.

 


If you know or have a similar project, please, feel free to post a comment below and I will add it to the list.

Thank ...

The SSWF Project

The SWF Reference by Alexis is part of the free SSWF project.

This documentation is intended for people who want to program a Flash player, editor, or some similar tool handling Flash data.

The project comes with a complete C++ library that is designed to greatly simplify the generation and loading of Flash files.

SWF Action 3 (swf_action3)

SWF Structure Info
Tag Flash Version: 
9
SWF Structure: 

Not documented here yet.

Since Flash version 9, actions can be saved in a new format named abcFormat by the Tamarin project from the Mozilla organization.

The code itself (action script) is the same, but the structure of an swf_action3 holds object oriented information about classes, methods and such in a really clean way (really! in comparison to the old way, that's dead clean!).

At this time, the swf_action3 structure is documented in the abcFormat.html file.

I will duplicate and test the structures at a later time.

DefineSound

Tag Info
Tag Number: 
14
Tag Type: 
Define
Tag Flash Version: 
2
Brief Description: 

Declare a sound effect. This tag defines sound samples that can later be played back using either a StartSound or a DefineButtonSound. Note that the same DefineSound block can actually include multiple sound files and only part of the entire sound can be played back as required.

Tag Structure: 
struct swf_definesound {
	swf_tag			f_tag;		/* 14 */
	unsigned short		f_sound_id;
	unsigned		f_sound_format : 4;
	unsigned		f_sound_rate : 2;
	unsigned		f_sound_is_16bits : 1;
	unsigned		f_sound_is_stereo : 1;
	unsigned long		f_sound_samples_count;
	unsigned char		f_sound_data[<variable size>];
};

A DefineSound tag declares a set of samples of a sound effect or a music.

The sound samples can be compressed or not, stereo or not and 8 or 16 bits. The different modes are not all available in version 2, although the same tag is used in newer versions with additional capabilities.

The f_sound_is_16bits is always set to 1 (16bits samples) if the samples are compressed (neither Raw nor Uncompressed).

About SWF

Brief History

At the very beginning, a company created the SWF format to generate small vector animations on the Internet called Shockwave Flash (hence the name of the format, SWF.) It also included images. This company was bought by Macromedia around 1997 (if I recall properly). This is when Flash v3 was created. Since then, Macromedia created a new version about once a year up to version 8. At that time (in 2005/2006), Macromedia sealed a deal with Adobe which wanted to use the SWF format in their PDF files.

Today (May 1st, 2008), the SWF format is available for free to all. It can be ...

The entire SSWF project license

The following license covers the entire SSWF project.

Copyright (c) 2002-2009 Made to Order Software Corp.