<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
 
 <title>Mat Trudel</title>
 <link href="http://longbeard.org/atom.xml" rel="self"/>
 <link href="http://longbeard.org/"/>
 <updated>2010-07-13T16:39:19-07:00</updated>
 <id>http://longbeard.org/</id>
 <author>
   <name>Mat Trudel</name>
   <email>mat@geeky.net</email>
 </author>

 
 <entry>
   <title>Hello filewall</title>
   <link href="http://longbeard.org/2010/07/13/hello-filewall.html"/>
   <updated>2010-07-13T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/07/13/hello-filewall</id>
   <content type="html">&lt;h1&gt;Hello filewall&lt;/h1&gt;

&lt;p&gt;I'm sick of firewalls. I'm sick of how arcane and arbitrary their config systems are. I'm sick of the fact that they're never really reproducible, and that only one guy in most organizations understands their network (mostly because that guy was usually me).&lt;/p&gt;

&lt;p&gt;On the other hand, I've always liked &lt;a href=&quot;http://shorewall.net&quot;&gt;shorewall&lt;/a&gt;. Its config language has always seemed very flexible and easy to grok, it has great documentation, and since it's just iptables under the covers, there's no magic to it. Thinking about things further, I realized that most of my pain points were really more about how people go about setting up firewalls than about firewalls themselves. Such a central and yet seldom-touched piece of infrastructure is exactly the kind of place you want repeatability and process, and exactly the wrong place for ad-hoc hacks. Hence, &lt;a href=&quot;http://github.com/well/filewall/&quot;&gt;filewall&lt;/a&gt; was born.&lt;/p&gt;

&lt;p&gt;In one line, &lt;strong&gt;git + capistrano + shorewall = filewall&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Filewall is a mix of capistrano and shorewall that lets you keep your firewall configuration in SCM, and lets you deploy it to your routers in a simple, sane and structured way. It takes a great firewall and marries it to a great deployment system to make a great deployable firewall. Wicked.&lt;/p&gt;

&lt;p&gt;Changes made with filewall are safely deployable; deployments incorporate a dead-man switch, wherein the rule changes are temporarily turned up for a timeout duration, and actually made permanent only if you subsequently affirm that they do what you intended them to. If you accidentally fry your config, filewall will restore your old configuration as soon as the timeout expires. You'll never be locked out again.&lt;/p&gt;

&lt;p&gt;Committed configurations are immediately wired into the filesystem, so your firewall works predictably across reboots. And since it's &lt;a href=&quot;http://capify.org&quot;&gt;capistrano&lt;/a&gt; based, you have access to all the rollback awesomeness that capistrano provides.&lt;/p&gt;

&lt;p&gt;If you're responsible for a more complex network, you can easily store all of your configurations as branches and keep all of your sensitive network config in one place, keeping all of your routers locked up with one public key. And don't forget that software routers are &lt;a href=&quot;http://freedomhec.pbworks.com/f/linux_ip_routers.pdf&quot;&gt;fast&lt;/a&gt;, so you probably won't be outgrowing filewall anytime soon (and even if you do, filewall is hardware agnostic. As long as it runs Debian, it runs filewall).&lt;/p&gt;

&lt;p&gt;So say hi to &lt;a href=&quot;http://github.com/well/filewall/&quot;&gt;filewall&lt;/a&gt;. It's what you want.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>75Ω</title>
   <link href="http://longbeard.org/2010/06/04/75%CE%A9.html"/>
   <updated>2010-06-04T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/06/04/75Ω</id>
   <content type="html">&lt;h1&gt;75Ω&lt;/h1&gt;

&lt;p&gt;Ryan Tomayko's &lt;a href=&quot;http://tomayko.com/writings/unicorn-is-unix&quot;&gt;post about Unicorn&lt;/a&gt; is one of my favourite pieces of the past year. He's spot on the money that despite all of the change in the past several decades of systems development, idiomatic use of the POSIX APIs will still carry the day. And it got me thinking about how (the majority of) the Ruby / Python community contrasts with the PHP / Java community in terms of embracing idioms and striking a balance between tools doing too much and too little. I'm christening this concept &lt;em&gt;tooling impedance&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;What we do as developers today isn't any different than how developers worked twenty years ago. We still create text files that get parsed and transmogrified by a compiler (or an interpreter, but that's immaterial to my point). We still write code and work with relation to a filesystem. While we've graduated from linear style to a nearly universal embrace of objects, the way we actualize these concepts is still file-and-compilation-unit-centric.&lt;/p&gt;

&lt;p&gt;Despite the seemingly immutable nature of our code, there has been an explosion of IDEs over the past decade or so. As a consequence, the complexity of tooling relative to code has risen far above what it once was. I'm not suggesting that we all need to go back to using &lt;code&gt;ed&lt;/code&gt; to get things done, but I think it's certainly worth taking a step back from the tooling landscape before we suffocate underneath IDEs.&lt;/p&gt;

&lt;p&gt;I remember Reg Braithwaite's &lt;a href=&quot;http://weblog.raganwald.com/2008/07/l-is-not-code-smell.html&quot;&gt;excellent talk&lt;/a&gt; at RubyFringe a number of years ago, and one of the quotes he offered up therein:&lt;/p&gt;

&lt;blockquote&gt;&lt;p&gt;&quot;All problems can be solved by adding another layer of abstraction, except the problem of having too many layers of abstraction.&quot;&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;I defy anyone out here to try and extend Eclipse without writing any code. As an IDE, it presents so much abstraction between the screen and the filesystem that it's often not even clear &lt;em&gt;which&lt;/em&gt; file you're operating on. An IDE that 'helps you' by abstracting away the &lt;em&gt;fundamental metaphor of development&lt;/em&gt; is doing you a tremendous disservice, all the more so if it's coddling you into believing that those metaphors are dead. Introducing this kind of impedance mismatch into the development cycle may help you as long as you're inside the walls of the IDE, but find yourself outside those walls, and you end up having to recreate those abstractions on your own.&lt;/p&gt;

&lt;p&gt;Fuck that noise.&lt;/p&gt;

&lt;p&gt;Whether or not vi / emacs / TextMate is forever isn't at all important. What &lt;em&gt;is&lt;/em&gt; important is that they all treat code as text, and not some heavyweight abstraction. Whichever one you choose (and just to be clear, it doesn't matter), they're all superior to IDEs because they don't try to punch above their weight. There's zero impedance mismatch between your editor as a tool, and your code as text. Understanding comes from clarity, and you can't have that if you can't see what it is you're doing.&lt;/p&gt;

&lt;p&gt;I'm sure people will point out that this is regressive, that this is the ranting of a crotchety old man averse to change. Horseshit -- I've delivered &lt;a href=&quot;http://www.ehealthinnovation.org/?q=dh&quot;&gt;actual&lt;/a&gt;, &lt;a href=&quot;http://bantapp.com&quot;&gt;real&lt;/a&gt; products in both Eclipse and Xcode bigger than anything you've done this year, and I've spent enough time with both of them to know that they're both trying to do too much. They're both trying to &lt;em&gt;keep coders away from code&lt;/em&gt;, which is so patently wrong I don't know where to begin (in fairness, Eclipse is &lt;em&gt;much&lt;/em&gt; more guilty of this than Xcode).&lt;/p&gt;

&lt;p&gt;In the end, I think Ryan's original post is dead on. In 30 years, smart people &lt;em&gt;will&lt;/em&gt; still be solving hard problems using &lt;code&gt;fork(2)&lt;/code&gt; and &lt;code&gt;exec(2)&lt;/code&gt;. I'm just pushing that statement out further, and saying that if POSIX calls are still around, then text will still be king. And if text is still king, then the humble editor will still be around, long after your vaunted IDEs and code fashions du jour have passed into antiquity.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>my brain hurts</title>
   <link href="http://longbeard.org/2010/05/13/my-brain-hurts.html"/>
   <updated>2010-05-13T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/05/13/my-brain-hurts</id>
   <content type="html">&lt;p&gt;&lt;a href=&quot;http://etudeapp.com/ipad/&quot;&gt;Brilliant&lt;/a&gt;&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>Lessons</title>
   <link href="http://longbeard.org/2010/04/19/Lessons.html"/>
   <updated>2010-04-19T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/04/19/Lessons</id>
   <content type="html">&lt;h1&gt;Lessons&lt;/h1&gt;

&lt;p&gt;For those of us who may like to pretend that the buildings of the past are best buried in the name of progress, may I present a memory burned into my brain forever:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://farm1.static.flickr.com/86/255646765_1c72e637af.jpg&quot; alt=&quot;Set the controls for the heart of the sun&quot; /&gt;&lt;/p&gt;

&lt;p&gt;I never realized that the building housing the &lt;a href=&quot;http://en.wikipedia.org/wiki/Bankside_Power_Station&quot;&gt;Tate Modern&lt;/a&gt; came as close as it did to being lost. I think I speak for everyone who has ever stood in awed and humble reverence of the Turbine Hall when I say that I'm glad the axe never fell.&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;http://farm1.static.flickr.com/96/235161500_737805e915.jpg&quot; alt=&quot;wasn't this a kraftwerk album cover?&quot; /&gt;&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>stencilrific</title>
   <link href="http://longbeard.org/2010/04/07/stencilrific.html"/>
   <updated>2010-04-07T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/04/07/stencilrific</id>
   <content type="html">&lt;h1&gt;stencilrific&lt;/h1&gt;

&lt;p&gt;Short and sweet: I just made and published a quick little &lt;a href=&quot;http://www.omnigroup.com/products/omnigraffle/&quot;&gt;OmniGraffle&lt;/a&gt; stencil for use in drawing git branching models. It's based on the figure styles in Scott Chacon's excellent &lt;a href=&quot;http://www.progit.org&quot;&gt;Pro Git&lt;/a&gt; book, and published on Graffletopia.&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;http://graffletopia.com/stencils/581&quot;&gt;Get It&lt;/a&gt;&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>Today's terminal timesaver</title>
   <link href="http://longbeard.org/2010/03/28/today%27s-terminal-timesaver.html"/>
   <updated>2010-03-28T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/03/28/today's-terminal-timesaver</id>
   <content type="html">&lt;h1&gt;Today's terminal timesaver&lt;/h1&gt;

&lt;p&gt;Via &lt;a href=&quot;http://sigpipe.macromates.com/2010/03/28/search-path-for-cd/&quot;&gt;Allan Odgaard&lt;/a&gt;, a simple and super useful terminal tweak. The &lt;code&gt;cd&lt;/code&gt; command looks for a &lt;code&gt;CDPATH&lt;/code&gt; environment variable, which specifies directories &lt;code&gt;cd&lt;/code&gt; will always look at when trying to change directories. Essentially, what &lt;code&gt;PATH&lt;/code&gt; is to executing programs, &lt;code&gt;CDPATH&lt;/code&gt; is to changing directories.&lt;/p&gt;

&lt;p&gt;The upshot of this is you can always change to commonly used directories no matter where you are in the filesystem. For example, I use the following setting:&lt;/p&gt;

&lt;pre&gt;&lt;code&gt;export CDPATH=::~:~/Work:~/Desktop:~/Code
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;and now no matter where I am in the filesystem, I can always change to any subdirectory of my home directory (or &lt;code&gt;~/Work&lt;/code&gt;, &lt;code&gt;~/Desktop&lt;/code&gt; or &lt;code&gt;~/Code&lt;/code&gt;). So, entering &lt;code&gt;cd Downloads&lt;/code&gt; will bring me to &lt;code&gt;~/Downloads&lt;/code&gt; no matter where I am.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>cue the Dylan</title>
   <link href="http://longbeard.org/2010/03/15/cue-the-Dylan.html"/>
   <updated>2010-03-15T00:00:00-07:00</updated>
   <id>http://longbeard.org/2010/03/15/cue-the-Dylan</id>
   <content type="html">&lt;p&gt;Once in a blue moon, something will come along that just screams out to you a truth you've long known, the tangible metaphor making it all the more real.&lt;/p&gt;

&lt;p&gt;I've just spent the past six months working on &lt;a href=&quot;http://bantapp.com&quot;&gt;bant&lt;/a&gt; (thank you, I'm quite proud of it). Now that we're in the process of adding in our secondary localizations for 1.0.1, our designer just sent us this:&lt;/p&gt;

&lt;p&gt;&lt;img src=&quot;/images/bantSharingHeader.png&quot; alt=&quot;an inline image&quot; /&gt;&lt;/p&gt;

&lt;p&gt;and it hit me; I'm writing software for the entire world. Barely fifty years ago, 'no ticky, no laundry' was considered to be a benign and appropriate form of humour (though &lt;a href=&quot;http://answers.yahoo.com/question/index?qid=20080128145737AAi4Lsy&quot;&gt;some people&lt;/a&gt; apparently have yet to get the memo). Today my work isn't complete unless I take into account a country I've never even been to.&lt;/p&gt;

&lt;p&gt;The times really are a changin'. What a wonderful time to be alive.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>on backwards dinosaurs</title>
   <link href="http://longbeard.org/2010/03/09/on-backwards-dinosaurs.html"/>
   <updated>2010-03-09T00:00:00-08:00</updated>
   <id>http://longbeard.org/2010/03/09/on-backwards-dinosaurs</id>
   <content type="html">&lt;p&gt;I've said it before, but github's &lt;a href=&quot;http://pages.github.com&quot;&gt;pages&lt;/a&gt; feature is a great application of one of git's most unsung features. to wit:&lt;/p&gt;

&lt;p&gt;Git repos are cheap. At their minimum, they're just a single top-level subdirectory with some easily parseable files tied to a real, working copy of your repo's contents. One command away, in place on top of an existing working copy. They're so cheap, in fact, that some of the &lt;a href=&quot;http://gist.github.com&quot;&gt;lightest sharing systems&lt;/a&gt; out there are based on git.&lt;/p&gt;

&lt;p&gt;Those of us unfortunate enough to remember a life under subversion may or may not remember the steps involved in setting up a repository (as the tooling guy for a team of five developers, I had to go back to the manual every time I had to set one up). That was bad enough. Those of us who also remember having to clean up after someone checked a subversion repo into your subversion repo probably realized it a bit more acutely; a feeling someone, somewhere, was laughing their ass off at your expense.&lt;/p&gt;

&lt;p&gt;In a world where repos are cheap &amp;amp; easy to create, they start making sense as a generic representation of 'chunks of data' being moved around. Why bother using a &lt;a href=&quot;http://www.tumblr.com&quot;&gt;blog service&lt;/a&gt; with some clunky web-based posting interface? Why risk using a flavour of the month &lt;a href=&quot;http://www.dropbox.com&quot;&gt;silo of a cloud store&lt;/a&gt;? Why bother trusting &lt;a href=&quot;http://www.google.com&quot;&gt;just anyone&lt;/a&gt; to be the sole steward of your digital life?&lt;/p&gt;

&lt;p&gt;A way forward here seems really easy and obvious given the fact that owning, copying, and generally marshalling sets of data around in the most efficient way possible is exactly what git does. In this far-off futureland, you publish to your blog by pushing to a remote git repo, you copy files between computers by syncing repos, and you share your address book with your email provider as a bunch of open format files inside a repository. In all these cases, you yourself own a first-class version of the data in question, locally and under your control. Where's the data? It's everywhere it needs to be, including in your safe hands for as long as you care to care for it.&lt;/p&gt;

&lt;p&gt;Imagine that. Cloud computing where 'my own personal cloud, please stay the hell out unless I invite you in' is a subset. Cool.&lt;/p&gt;

&lt;p&gt;I know people ride my ass about being so hot and bothered about a piece of fucking software. And I am. But I'm excited because I feel like git is the first tool to really &lt;em&gt;nail&lt;/em&gt; this sort of interaction, and I see it being the jumping off point for a million great tools. It feels like the future, but one that's untamed and wild enough to help shape. It feels like &lt;em&gt;new&lt;/em&gt;.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>this post ought to have begun with a link</title>
   <link href="http://longbeard.org/2010/02/15/this-post-ought-to-have-begun-with-a-link.html"/>
   <updated>2010-02-15T00:00:00-08:00</updated>
   <id>http://longbeard.org/2010/02/15/this-post-ought-to-have-begun-with-a-link</id>
   <content type="html">&lt;p&gt;This post ought to have begun with a link, and it obviously doesn't.&lt;/p&gt;

&lt;p&gt;It doesn't because the thing I want to reply to, the opinion I want to tender for discussion, is on Facebook. Thus there's no universal way to refer to anything ever said there.&lt;/p&gt;

&lt;p&gt;That fucking sucks, and it's exactly what's wrong with social networking sites today.&lt;/p&gt;

&lt;p&gt;I want to begin a discussion on something my buddy Bryan said that will stand the test of time. I want to nurture a dialogue in a way that will (in my own little narcissistic way) give my and Bryan's ideas the memory of the ages. I want this to become a discussion that lives on beyond today; to possibly become an anecdote that one of us may recount in thirty years when recalling how we got to know each other, maybe the material of a footnote to one of our biographies. Or maybe it will come to nothing, forgotten away in the internet's basement.&lt;/p&gt;

&lt;p&gt;Either way, if it's worth talking about, it's probably also worth archiving, and I can't do that if you're talking to me from inside the social networking silo of the day.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>is this valid academia?</title>
   <link href="http://longbeard.org/2010/02/15/is-this-valid-academia.html"/>
   <updated>2010-02-15T00:00:00-08:00</updated>
   <id>http://longbeard.org/2010/02/15/is-this-valid-academia</id>
   <content type="html">&lt;p&gt;&lt;a href=&quot;http://lpresearch.org/cms/?q=node/8&quot;&gt;Is it?&lt;/a&gt;&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>neato</title>
   <link href="http://longbeard.org/2010/01/27/neato.html"/>
   <updated>2010-01-27T00:00:00-08:00</updated>
   <id>http://longbeard.org/2010/01/27/neato</id>
   <content type="html">&lt;p&gt;&lt;a href=&quot;http://www.faludi.com/teaching/crafting-with-data/syllabus-crafting-with-data/&quot;&gt;Check this out&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This sounds like a wonderful example of art meets learning. Not sure about its appropriateness in a university setting, but this is exactly what high school should be like in my mind.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>What the Hell is in the water in Redmond? Bleach?</title>
   <link href="http://longbeard.org/2009/10/25/what-the-hell-is-in-the-water-in-Redmond%3F-Bleach%3F.html"/>
   <updated>2009-10-25T00:00:00-07:00</updated>
   <id>http://longbeard.org/2009/10/25/what-the-hell-is-in-the-water-in-Redmond?-Bleach?</id>
   <content type="html">&lt;p&gt;From &lt;a href=&quot;http://db.tidbits.com/article/10676&quot;&gt;here&lt;/a&gt;:&lt;/p&gt;

&lt;p&gt;'All computers in the store come with support and Microsoft Signature; a free service that removes all the &quot;free&quot; antivirus and other PC manufacturer software that crufts up a new PC, and gives customers a pristine installation of Windows 7.'&lt;/p&gt;

&lt;p&gt;I'm sorry but, uh, &lt;em&gt;are you fucking kidding me???&lt;/em&gt; Who approves product briefs up there? Bozos.&lt;/p&gt;
</content>
 </entry>
 
 <entry>
   <title>Today's dterm trick</title>
   <link href="http://longbeard.org/2009/10/14/today%27s-dterm-trick.html"/>
   <updated>2009-10-14T00:00:00-07:00</updated>
   <id>http://longbeard.org/2009/10/14/today's-dterm-trick</id>
   <content type="html">&lt;p&gt;From any application with context tied to the filesystem, open &lt;a href=&quot;http://www.decimus.net/dterm.php&quot;&gt;DTerm&lt;/a&gt; and run &lt;code&gt;open .&lt;/code&gt; to get a Finder window focused on that content. Easy peasy 50/50 shell / GUI magic.  Who needs quicksilver with a context aware terminal lying around?&lt;/p&gt;
</content>
 </entry>
 
 
</feed>
