Saturday, August 22, 2009

Fix ugly thick fonts

Default Mac OS X settings make some fonts look ug-lee. Read JWZ's post for some details. Some fonts end up looking thicker and more jagged than they should be.

Here's how my Terminal and NetNewsWire looked when I had to re-install my Mac:



And after the fix, here's how they look now:



What fixed this? Go to System Preferences > Appearance and set Font Smoothing Style to "Standard".

Friday, August 21, 2009

Leopard Firewall Sucks

I like host-based firewalls that block ports, not processes. Sure, there are merits to blocking access based on processes, and I would have preferred a combination of both: access control based on ports as well as processes. I can live without a process-level access control mechanism, but I can't live without a port-level one.

Apple: "If it ain't broke, don't fix it".

Solution: I went back to ipfw. I sure wish Tiger's ipfw front-end GUI was available through some preference pane!

a) Disable the system firewall (Allow all incoming connections)

b) Create an entry in /Library/LaunchDaemons/ipfw_firewall.plist [link to pastie]

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>ipfw_firewall</string>
<key>ProgramArguments</key>
<array>
<string>/usr/local/etc/ipfw_firewall.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>UserName</key>
<string>root</string>
<key>GroupName</key>
<string>wheel</string>
</dict>
</plist>

c) Create /usr/local/etc/ipfw_firewall.sh and /etc/ipfw.conf - see code at the bottom of this message.

d) Modify /etc/syslog.conf [link to pastie] to create a separate ipfw log file

*.err;kern.*;auth.notice;authpriv,remoteauth,install.none;mail.crit /dev/console
*.notice;authpriv,remoteauth,ftp,install.none;kern.debug;mail.crit /var/log/system.log

# Send messages normally sent to the console also to the serial port.
# To stop messages from being sent out the serial port, comment out this line.
#*.err;kern.*;auth.notice;authpriv,remoteauth.none;mail.crit /dev/tty.serial

# The authpriv log file should be restricted access; these
# messages shouldn't go to terminals or publically-readable
# files.
auth,authpriv.*;remoteauth.crit /var/log/secure.log

lpr.info /var/log/lpr.log
mail.* /var/log/mail.log
ftp.* /var/log/ftp.log
netinfo.err /var/log/netinfo.log
install.* /var/log/install.log
install.* @127.0.0.1:32376
local0.* /var/log/ipfw.log

*.emerg *


Reference:

/usr/local/etc/ipfw_firewall.sh [link to pastie]

#!/bin/sh
## Boot Script for firewall

#
# CONSTANTS
#

IPFW=/sbin/ipfw
SYSCTL=/usr/sbin/sysctl

#
# Required startup script statements
#

. /etc/rc.common
ConsoleMessage "Configuring Firewall"

#
# Enable logging to /var/log/ipfw.log
#

/usr/libexec/ipfwloggerd

$SYSCTL -w net.inet.ip.fw.verbose=2
$SYSCTL -w net.inet.ip.fw.verbose_limit=100

#
# Enable Blackholes
#

$SYSCTL -w net.inet.tcp.blackhole=2
$SYSCTL -w net.inet.udp.blackhole=1

#
# Purge existing rules, this blanks any existing rules
#

$IPFW -f flush

#
# Load rule set from /etc/ipfw.conf
#

$IPFW -q /etc/ipfw.conf

/etc/ipfw.conf [link to pastie]

####################
# Localhost Settings
####################

# Allow everything on the localhost (127.0.0.1)
add 00100 set 0 allow ip from any to any via lo*

# Prevent spoofing attacks via localhost
add 00200 set 0 deny log all from 127.0.0.0/8 to any in
add 00201 set 0 deny log all from any to 127.0.0.0/8 in
add 00202 set 0 deny log ip from 224.0.0.0/3 to any in
add 00203 set 0 deny log tcp from any to 224.0.0.0/3 in

##############################################################
# ip-options
# (per FreeBSD Security Advisory: FreeBSD-SA-00:23.ip-options)
##############################################################

add 00250 set 0 deny log ip from any to any ipoptions ssrr,lsrr,ts,rr

############################################
# Allow outbound TCP, UDP & ICMP keep-state
############################################

add 00300 set 1 check-state
add 00301 set 1 deny log all from any to any frag in
add 00302 set 1 deny log tcp from any to any established
add 00303 set 1 allow tcp from me to any out setup keep-state
add 00304 set 1 allow udp from me to any out keep-state
add 00305 set 1 allow icmp from any to any out keep-state

# Allow traceroute out for diagnostics
add 00307 set 1 allow udp from me to any 33434-33525 out keep-state
add 00308 set 1 allow log udp from any to any 33434-33525 in keep-state

# Prevent spoofing attacks
add 00309 set 1 deny log ip from me to me in keep-state

# Deny Inbound NetBios traffic which just clogs up the logs
add 00311 set 1 deny tcp from any to any 137,138,139 in setup keep-state
add 00312 set 1 deny udp from any to any 137,138,139 in keep-state

# Prevent ident requests
add 00313 set 1 deny log tcp from any to me 113 in setup keep-state

# Attempt to prevent os fingerprinting, port 0 is commonly used for fingerprinting purposes
add 00314 set 1 deny log tcp from any to any 0 in setup keep-state
add 00315 set 1 deny log udp from any to any 0 in keep-state

######################################
# DNS, Rendezvous, DHCP & NTP Services
######################################
# Allow DNS
add 00400 set 2 allow tcp from any to any 53 out setup keep-state
add 00401 set 2 allow udp from any to any 53 out keep-state

#Allow Rendezvous packets (mDNS Responder)
add 00402 set 2 allow udp from any 5353 to any in keep-state
#Multicast packet required by Rendezvous
add 00403 set 2 allow ip from any to 224.0.0.251 out keep-state

# Allow DHCP
add 00500 set 2 allow udp from any 68 to any 67 out keep-state
add 00501 set 2 allow log udp from any 67 to any dst-port 68 in keep-state

# Allow NTP
add 00600 set 2 allow udp from any to any 123 out keep-state
add 00601 set 2 allow tcp from any to any 123 out setup keep-state

##################
# Services Inbound
##################

# Allow SSH inbound
add 00700 set 3 count log tcp from any to any dst-port 22 in setup
add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state

# Allow TCP 2456 inbound
add 00710 set 3 allow log tcp from any to any dst-port 2456 in setup keep-state

# Allow TCP 6881 inbound
add 00720 set 3 allow log tcp from any to any dst-port 6881 in setup keep-state

# Deny any TCP setup requests from the outside world
add 00800 set 3 deny log tcp from any to any setup in keep-state

######
# ICMP
######

# Deny ICMP
add 00900 set 4 deny log icmp from any to me in icmptypes 0,3,4,8,11,12

# Deny external ICMP redirect requests
add 00901 set 4 deny log icmp from any to any icmptypes 5 in keep-state

# Silent block on router advertisements
add 00902 set 4 deny log icmp from any to any icmptypes 9
# Drop all other ICMP
add 00903 set 4 deny log icmp from any to any

#########
# Cleanup
#########

# Default deny rule
add 10000 set 5 deny log logamount 500 all from any to any
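To see how a rule set like this is actually evaluated, here is an added example (my own Python, not part of the original post and not ipfw code): a stateless first-match walk over a constructed subset of the rules above. It assumes the host's own addresses ("me") are 192.168.1.10 and 127.0.0.1, leaves out the loopback rule and check-state, ignores log, logamount and keep-state because they do not change which packets a rule matches, and does not model dynamic state, so the answer is what happens to a packet for which check-state would find no existing entry. The names Packet, parse_rule, rule_matches and first_match are mine.

```python
"""Stateless first-match walk over the subset of ipfw syntax used above.  Added example,
not part of the original post or of ipfw; dynamic (keep-state) entries are not modelled."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed addresses standing in for the host's own interfaces ("me").
ME = {ipaddress.ip_address("192.168.1.10"), ipaddress.ip_address("127.0.0.1")}
OPTION_WORDS = {"in", "out", "setup", "established", "icmptypes", "dst-port"}

# Constructed subset of the post's /etc/ipfw.conf (non-loopback rules, file order).
RULES_TEXT = """\
add 00200 set 0 deny log all from 127.0.0.0/8 to any in
add 00302 set 1 deny log tcp from any to any established
add 00303 set 1 allow tcp from me to any out setup keep-state
add 00304 set 1 allow udp from me to any out keep-state
add 00401 set 2 allow udp from any to any 53 out keep-state
add 00700 set 3 count log tcp from any to any dst-port 22 in setup
add 00701 set 3 allow tcp from any to any dst-port 22 in setup keep-state
add 00800 set 3 deny log tcp from any to any setup in keep-state
add 00900 set 4 deny log icmp from any to me in icmptypes 0,3,4,8,11,12
add 10000 set 5 deny log logamount 500 all from any to any
"""

@dataclass
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    direction: str          # "in" or "out"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False  # SYN without ACK: what "setup" matches
    ack: bool = False       # ACK or RST set: what "established" matches
    icmptype: int = -1

def parse_ports(spec):
    # '137,138,139' or '33434-33525' -> set of ints
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def parse_rule(line):
    """'add NNNNN set N action [log [logamount N]] proto from A [ports] to B [ports] opts...'"""
    # log, logamount and keep-state do not affect which packets a rule matches.
    t = re.sub(r"\b(log|keep-state|logamount \d+)\b", "", line).split()
    if t[0] != "add" or t[2] != "set" or t[6] != "from":
        raise ValueError("unsupported rule: " + line)
    r = {"num": int(t[1]), "action": t[4], "proto": t[5], "src": t[7], "opts": {},
         "sports": None, "dports": None}
    rest = t[8:]
    if rest[0] != "to":                          # optional source port list
        r["sports"], rest = parse_ports(rest[0]), rest[1:]
    r["dst"], rest = rest[1], rest[2:]
    if rest and rest[0] not in OPTION_WORDS:     # optional destination port list
        r["dports"], rest = parse_ports(rest[0]), rest[1:]
    while rest:                                  # trailing options
        w, rest = rest[0], rest[1:]
        if w == "dst-port":
            r["dports"], rest = parse_ports(rest[0]), rest[1:]
        elif w == "icmptypes":
            r["opts"][w], rest = parse_ports(rest[0]), rest[1:]
        elif w in OPTION_WORDS:
            r["opts"][w] = True
        else:
            raise ValueError("unsupported token %r in: %s" % (w, line))
    return r

RULES = [parse_rule(l) for l in RULES_TEXT.splitlines() if l.strip()]

def addr_matches(spec, ip):
    # spec is 'any', 'me' or an address/CIDR; ip is a dotted-quad string
    if spec == "any":
        return True
    if spec == "me":
        return ipaddress.ip_address(ip) in ME
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(r, p):
    """True when every clause of rule r holds for packet p."""
    o = r["opts"]
    return (r["proto"] in ("ip", "all", p.proto)
            and addr_matches(r["src"], p.src) and addr_matches(r["dst"], p.dst)
            and (r["sports"] is None or p.sport in r["sports"])
            and (r["dports"] is None or p.dport in r["dports"])
            and ("in" not in o or p.direction == "in") and ("out" not in o or p.direction == "out")
            and ("setup" not in o or (p.proto == "tcp" and p.syn_only))
            and ("established" not in o or (p.proto == "tcp" and p.ack))
            and ("icmptypes" not in o or p.icmptype in o["icmptypes"]))

def first_match(rules, p):
    """(number, action) of the first terminating match; 'count' never terminates, and with
    no match at all ipfw's built-in rule 65535 (allow on Mac OS X) applies."""
    for r in rules:
        if r["action"] != "count" and rule_matches(r, p):
            return r["num"], r["action"]
    return 65535, "allow"

if __name__ == "__main__":
    print(first_match(RULES, Packet("tcp", "10.0.0.5", "192.168.1.10", "in", 40000, 22, syn_only=True)))
```

An inbound SYN to port 22 is counted by 00700 and then allowed by 00701, while a SYN to any other port falls through to 00800. Two things the walk makes visible that reading the file top to bottom does not: an outbound UDP query to port 53 from this host is already allowed by 00304, so the set 2 DNS rule 00401 is never reached for traffic that originates here; and a TCP segment with ACK set that has no dynamic entry is denied by 00302, which is exactly why 00303 and 00304 carry keep-state.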

iCal publish URLs lost after moving to a new Mac

I had a Mac disaster two weeks ago. To cut a long story short, Apple was nice enough to give me a new Unibody MacBook Pro when my older MBP died for the 4th time in one year. I am very vigilant about backups, and maintain a regular Time Machine backup.

The new Mac asked me to restore from an existing Time Machine backup, which I did. It took around 12 hours to restore from a 250GB backup.

One of the many things that did not get restored was my iCal publish URLs. Upon opening iCal, I noticed that my publish options had been reset to MobileMe. I had to dig through my old notes to find out what my original publish URLs were, since there is no easy way of digging that information out of a raw Time Machine backup.

Thursday, August 20, 2009

ls in colour

I have become used to ls generating coloured file listings.

Add the following to your .profile file to enjoy coloured file listings whenever using ls:

export LSCOLORS=exfxbxdxcxegedabagacad
export CLICOLOR=1
alias ls="ls -GF"

Safari - delete permanent cookies


Permanent cookies are a pain. I don't want to save any permanent cookies on my system.

Firefox allows me to automatically dump all permanent cookies when closing the browser:


Safari has no such option. Apple - this is a suggestion for you.

I have been tricking browsers into dumping cookies since 2001. For Netscape Navigator on Unix, it was easy. Simply symlink the cookies.txt file to /dev/null :) This forced every cookie to be treated as a session cookie.

For Safari, I had to write a wrapper script.

  1. Go to /Applications/Safari.app/Contents/MacOS
  2. Rename "Safari" to "Safari1"
  3. Create a shell script called "Safari" in the same directory as follows

#!/bin/sh
# Wrapper around the renamed Safari binary ("Safari1", next to this script):
# drop the cookie store before launch and again after Safari exits.
rm -f ~/Library/Cookies/Cookies.plist
"${0}1" "$@"
rm -f ~/Library/Cookies/Cookies.plist

This will cause Safari to erase all cookies upon launching and exiting. Crude, but works.

Verbose boot-up messages

I don't like staring at a white boot up screen with an apple in the middle and a spinning wheel below it. I want to know what's going on. I want to see messages fly by like Linux.

Open up your Terminal and type: