My Mac and other computers all have RFC 1918 (private internets, i.e. 10.0.0.x, etc.) static IP addresses and sit behind an OpenBSD 3.7 box running the pf firewall. pf performs stateful packet-filtering and network address translation (NAT). The OpenBSD firewall gets a statically assigned public IP address from a DHCP pool on its external interface.
I had never had any problems using Software Update, until I installed Tiger on my G5. A day after installation, Software Update stopped working -- it would just hang and then time out. I searched Apple's forums and noticed many other people experiencing a similar problem. Messages on the forums suggested that some people had luck when they switched their Macs to DHCP. The quickest way I could get a DHCP address for my Mac was to connect it directly to the Internet, outside of my OpenBSD firewall. When I did this, Software Update worked. But whenever the Mac was behind the OpenBSD firewall with a static IP address, Software Update didn't work. I assumed this was an OS bug, especially since Software Update used to work, nothing had changed in my firewall configuration, and tcpdump did show traffic between my Mac and swscan.apple.com when it tried to do a Software Update. 10.4.1 and 10.4.2 came out, and I still could not run Software Update (unless my Mac was connected directly to the Internet via DHCP).
To add to my troubles, I also had issues with connecting to the iTunes Music Store. I had no problems connecting in the past ... until iTunes 5 came out. The day I installed iTunes 5, any connections to the Music Store would hang and then time out. Again, I assumed this was some new, frustrating bug -- this time in iTunes.
Then I remembered some posts I had come across last year discussing an apparent RFC 1323 (TCP Extensions for High Performance) implementation problem specific to apple.com. So I modified my OpenBSD pf.conf firewall ruleset, and changed my scrub rules to:
scrub on $ExtIF from any to swscan.apple.com random-id
scrub on $ExtIF from swscan.apple.com to any random-id
scrub on $ExtIF random-id reassemble tcp
After doing this, both Software Update and iTunes Music Store worked!
I mention this not because I think the macosxhints audience uses OpenBSD firewalls, but if anyone else is having similar connectivity issues with swscan.apple.com and phobos.apple.com, it's possible their firewalls are objecting to Apple's servers' inconsistent use of RFC 1323 TCP timestamps. (Although I still also suspect there was a bug in 10.4.0 interfering with Software Update.)
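To make "inconsistent use of TCP timestamps" concrete, here is an added example (not part of the hint above, and not pf's own code) that parses the option field of raw TCP headers and applies a simplified model of the timestamp check that pf's scrub reassemble tcp performs: once a sender has used the RFC 1323 timestamp option on a connection, later segments from that sender are expected to carry it too, and the TSval must not run backwards. The segments it inspects are constructed inline with a small header builder; the port numbers and timestamp values are made up for the demonstration.

```python
# Added example: parse TCP options and flag inconsistent RFC 1323 timestamp use.
# This models the check described for pf's "scrub reassemble tcp"; it is not pf code.
import struct
from typing import Dict, List, Optional, Tuple

TS_KIND = 8   # TCP option kind for Timestamps (RFC 1323)
TS_LEN = 10   # kind(1) + length(1) + TSval(4) + TSecr(4)

SYN, ACK, PSH = 0x02, 0x10, 0x08


def ts_option(tsval: int, tsecr: int) -> bytes:
    """Timestamp option, NOP-padded to 12 bytes the way most stacks emit it."""
    return b"\x01\x01" + struct.pack("!BBII", TS_KIND, TS_LEN, tsval, tsecr)


def build_segment(flags: int, options: bytes = b"") -> bytes:
    """Constructed TCP header only (no IP header, checksum left zero) for the demo.
    Ports 12345 -> 443 and the sequence numbers are made-up sample values."""
    if len(options) % 4:                       # options area is padded to 32-bit words
        options += b"\x00" * (4 - len(options) % 4)
    data_offset = (20 + len(options)) // 4     # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 12345, 443, 1000, 0,
                      data_offset << 4, flags, 65535, 0, 0)
    return hdr + options


def tcp_options(segment: bytes) -> Dict[int, bytes]:
    """Return {option kind: option data} for the options carried in a TCP header."""
    data_offset = (segment[12] >> 4) * 4
    opts = segment[20:data_offset]
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # NOP: single byte, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated TCP option")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad TCP option length")
        out[kind] = opts[i + 2:i + length]
        i += length
    return out


def timestamp_option(segment: bytes) -> Optional[Tuple[int, int]]:
    """(TSval, TSecr) if the segment carries a timestamp option, else None."""
    data = tcp_options(segment).get(TS_KIND)
    if data is None:
        return None
    if len(data) != 8:
        raise ValueError("malformed timestamp option")
    return struct.unpack("!II", data)


def check_timestamp_consistency(segments: List[bytes]) -> List[Tuple[int, str]]:
    """Simplified model of the scrub check: if the first segment from a sender
    (its SYN) carries a timestamp, every later segment from that sender must too,
    and TSval must not go backwards (compared modulo 2**32, as PAWS does).
    Returns (index, reason) for each offending segment; an empty list means
    the sequence would pass."""
    problems: List[Tuple[int, str]] = []
    first = timestamp_option(segments[0])
    if first is None:
        return problems                        # timestamps never used: nothing to enforce
    last_val = first[0]
    for idx, seg in enumerate(segments[1:], start=1):
        ts = timestamp_option(seg)
        if ts is None:
            problems.append((idx, "timestamp option missing after it was used"))
            continue
        if (ts[0] - last_val) & 0xFFFFFFFF >= 0x80000000:
            problems.append((idx, "TSval went backwards"))
        last_val = ts[0]
    return problems


# Constructed sample: SYN and ACK with timestamps, then a data segment without one,
# then one whose TSval is older than the previous. Both later segments get flagged.
SAMPLE_SEGMENTS = [
    build_segment(SYN, ts_option(1, 0)),
    build_segment(ACK, ts_option(2, 5)),
    build_segment(ACK | PSH),
    build_segment(ACK | PSH, ts_option(1, 5)),
]

if __name__ == "__main__":
    for idx, reason in check_timestamp_consistency(SAMPLE_SEGMENTS):
        print(f"segment {idx}: {reason}")
```

Run against a capture, the same logic would be fed the TCP headers of one direction of a connection; the constructed sample reproduces the shape of the problem the hint describes, where a server that used timestamps on its SYN-ACK later sends segments without them.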
On September 20, 2005 Google released Google Secure Access, a Windows application that allows users to connect to Google's VPN (Virtual Private Network) to make WiFi connections more secure. While Google did not release a client for Mac OS X, it quickly became apparent that Google's VPN client used PPTP (Point to Point Tunneling Protocol), which is natively supported by Mac OS X.
Seeing this hint on how to make a tarball on the fly while FTP'ing a backup of your home directory to a remote host reminded me of a complementary hint that I've been using for a little while to provide a nice automated backup solution. It involves cron, tar, ftp, and a free account at streamload.com.
Streamload is a service with an interesting business model: They allow you to upload and store as much stuff as you want, no limit, for free, but charge you for download bandwidth when you want the stuff back. Upload is via web interface or FTP (in beta). Perfect, really, for a backup solution: Get a free account, upload your directory, and if you ever need it, you'll probably be more than willing to pay to get it back.
So the hint, simply, is to get a Streamload account, sign up for the FTP beta trial, and write a .command file based on the script in the previously-mentioned hint. Then set cron to execute the command file, say, every few days, or every week. The servers are always up, and the storage, as long as you don't need anything back, is free.
If you do this, conscience dictates signing on to Streamload once in a while to get rid of old backups. It's good of them to offer this sort of service; let's not clog their servers with terabytes of data.
Recently, for no apparent reason, my chat buddy list was knocked down from 110 users to 34. Afraid that I had lost all of those people, I tried to think of a solution. I knew that I had created contacts in Address Book that had included AIM screen names when I knew them. So using a Smart Folder, I isolated the contacts in Address Book by using the rule "IM status" "Is set."
But this was the tricky part. Dragging and dropping these contacts onto iChat or Adium didn't work. The only app that seems to be able to update your buddy list (that is, communicate with the AOL servers where the buddies are stored) is AOL's own AIM client. And guess which app doesn't seem to support drag and drop?
I tried to use some earlier hints, including one to use AppleScript to automate repopulating my buddy list on AIM, but it didn't seem to work. I tried going into AIM, adding a few buddies manually, and exporting the buddy list file (.blt) to understand the syntax so I could add my own buddies by editing the .blt file itself. However, AOL's AIM just kept crashing when I tried to load in the edited file.
With iTunes 4.9 and its Podcast feature, Apple also introduced two new URL types: itpc:// and pcast://. So you can subscribe, with one click, to a podcast RSS feed formatted with one of those two URL types.
I also tried this on Windows XP (under Virtual PC), but it seems not to work there.
While looking at websites for trojan removers for Windows, I came across several pages (such as this one) that do not allow you to see the destination of a given link on the page. You can't control-click at all, and if you do a View Source, you won't see the source to the complete page.
The way around this is to hit Command-A to select everything on the page, then copy/paste it to TextEdit (in RTF mode). Then you can control-click on a link and choose Edit Link, which will allow you to see where you would be redirected. This process comes from my untrusting nature with being redirected to fake sites from within a hijacked page. I tried this on Panther and it does not work, so it must be just in Tiger.
I plan on spending more time with my PowerBook in cafes and other offices over the summer to beat the heat. One thing always worried me, though. As you know, normal email clients send your email account name and password in "plain text," so if there is some bad guy next to you at the cafe, then he can scoop it up using a sniffer app.
Well, the best solution is to use SSL or POPS or other secure forms of email communication so that your account name and password will be encrypted. The problem is that my ISP (verizon.net) does not have secure email. I've had this email for years, so it's not possible for me to drop it and start over with something like gmail, which does support SSL, so I looked around for another solution. What I came up with is simple and perhaps obvious, but it works great.
Most of the suggestions I found say to use a SSH tunnel or some such, which you still need a server for. Forget that. Way too complicated for me. Here's my little trick, assuming you have at least one SSL-enabled email account somewhere (which is not your main account).
My Verizon account lets me forward all my email to another address. I am a .Mac subscriber (which DOES SSL email), so I forward my Verizon email (which is an insecure account) to my .Mac account (which is secure). I then "de-enabled" my Verizon account in Apple Mail, and now do all my mail off of .Mac using the Apple Mail client. Secure, and yet another reason to keep my .Mac account.
For the most part, this hint applies to Tiger only, but there may be aspects of it surrounding ssh and connections in general that are good for pre-Tiger as well.
First, let's start with the slow SSH logins. As you may be aware, the Apple Discussion Forums have been getting a little noise about this problem, where ssh'ing into remote machines takes an unusually long amount of time. Between that and other sites, there are several posts where people have this problem, along with varying solutions.
I have seen this issue pop up on the OpenSSH mailing list, and Google Groups as well, so it is getting more and more attention. Of all the workarounds, none worked for me at all; I was averaging 45 second connection times to servers over ssh. The only constant was Tiger. Linux and pre-Tiger had no such problems. If you read the links, you will find varying solutions from editing configuration files to creating local entries in /etc/hosts. Again, none worked for me.
I wanted to be able to access my machine at home via SSH, but I didn't want to waste electricity to have it awake all the time and I didn't want it sitting there exposed to brute force password attempts. I came up with a way to use the wake-on-LAN feature from anywhere on the Internet, even though my Mac, like many, is behind a NAT router.
For those unfamiliar with wake-on-LAN: a specially-formed data packet containing your ethernet device's MAC address can be used to tell your computer to wake up. Most implementations of this functionality work only on your LAN. They send the packet to your TCP network's broadcast address so it goes to all the computers available on the local network. Only the one with the matching MAC address will actually wake up. However, I found a website that will send the magic packet for you to any IP address (and you could probably roll your own site using sample Perl scripts that are readily accessible via Google). So, here's how to make it work. Instructions are for the interface in 10.3 and 10.4, though this will work with any Mac OS version on any hardware that supports wake-on-LAN. And before anyone asks: yes, the computer must be connected via ethernet.
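The "specially-formed data packet" is a fixed layout: six 0xFF bytes followed by the target's 6-byte MAC address repeated sixteen times. The following is an added example (not from the hint or from the website it mentions) that builds such a packet, checks whether a received UDP payload is a well-formed magic packet and which MAC it targets, and sends one as a UDP datagram. The MAC address used is a made-up sample; the destination defaults to the LAN broadcast address, and the send function accepts any host and port so it can be pointed at whatever address a router forwards inward.

```python
# Added example: construct, validate and send a Wake-on-LAN "magic packet".
import re
import socket
from typing import Optional


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 001122334455."""
    digits = re.sub(r"[:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac: str) -> bytes:
    """Six 0xFF sync bytes, then the 6-byte MAC repeated 16 times: 102 bytes total."""
    return b"\xff" * 6 + parse_mac(mac) * 16


def magic_packet_target(payload: bytes) -> Optional[str]:
    """Return the MAC a payload would wake, or None if it is not a magic packet.
    The check is strict: exactly 102 bytes, the 0xFF sync stream, and sixteen
    identical copies of the address (a useful filter when logging WoL traffic)."""
    if len(payload) != 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:] != mac * 16:
        return None
    return ":".join(f"{b:02x}" for b in mac)


def send_magic_packet(mac: str, host: str = "255.255.255.255", port: int = 9) -> int:
    """Send the packet as one UDP datagram and return the byte count sent.
    Port 9 (discard) is the conventional choice; host may be a unicast address
    if something on the far side forwards it onto the target's LAN."""
    payload = build_magic_packet(mac)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    # Constructed sample address, not a real machine; nothing is sent here.
    sample = build_magic_packet("00:11:22:33:44:55")
    print(len(sample), magic_packet_target(sample))
```

Because the packet carries no authentication, anyone who can deliver a datagram to the interface can wake the machine; that is why the hint's author still relies on SSH, rather than the wake-up itself, as the security boundary once the Mac is awake.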
Up until now, Mac users have been unable to watch archived games on baseball's TV website (mlb.tv) in full screen mode -- this is due to these games only being available via an embedded Windows Media Player. But if you simply trash the WMP plugin found in System/Library/Internet Plugins.
The next time you attempt to watch an archived game, you will get a dialog box saying "Safari can't display content on this page ... some content on this page requires an Internet plug-in that Safari doesn't support. The application 'Windows Media Player' may be able to display this content. Would you like to try?" Just click OK, and Windows Media Player will launch, and you will be able to use full screen mode.
I decided to post this here because mlb.tv seems incapable of providing this simple workaround, and I get lots of traffic to my blog from frustrated Mac users.
[robg adds: I can't test this one (mlb.tv is a subscription site), but it makes sense in theory.]