Just a few hours remaining here until the longest 24h hours in years...

Wie der Guardian berichtet wurden auf einem Feld in England, wo man vor drei Jahren genmodifizierten (pestizidresistenten) Raps anbaute, ein resistenter Acker-Senf gefunden sowie zwei resistente wilde Rüben.

Die Natur beherrscht die Gentechnik immernoch besser als wir - und wenn wir unsere Nutzpflanzen pestizidresistent machen, erreichen wir damit vor allem, dass pestizidresistente Unkräter Vorteile haben...

Da stellt sich bei mir aber auch sofort die Frage, ob nicht "Ökoterroristen" auch früher oder später auf diese Idee kommen... ein Unkraut resistent machen, und gezielt auf den Feldern ausbringen, auf denen resistente Pflanzen angebaut werden.

Umweltschützer würden das wohl nicht machen, weil sie ja genau das verhindern wollen, dass manipulierte Pflanzen in Umlauf geraten...

No more "Intel outside", but now now a "limp ahead"?

Intel has a new annoying marketing slogan. Congrats. Now, could you stop sueing poor users for using regular english words such as inside? (No, I'm not affected, just annoyed) Will you now fight anyone using the word "ahead"?

Ich werde im Januar nach Freiburg zu meinem Bruder fahren, und habe eben Tickets bei der Bahn gekauft. Normalpreis wären 144 Euro. Aber wer den Normalpreis zahlt ist wirklich selber schuld...

• Ohne ICE wirds billiger, und auf der Strecke München-Karlsruhe bringt der ICE eh nicht viel
• Früh buchen, und übers Wochenende fahren: Sparpreis 50
• Bahncard 25 (nicht 50) ist kombinierbar

My mother uses LyX (and thus, LaTeX) to layout her books. She doesn't need much help, but does almost everything herself. Except she was lacking an editor which could replace the quotation marks appropriately, because they are handled somewhat special in LyX (you need an editor which can replace by multiline text, such as VIM).

So every now and then, mostly when she's started layouting a new book, she'll ask me to fix the quotation marks in a lyx file for her.

I decided to write a small python script for it, since she has python installed on her box anyway (also on Windows, although she also has Linux on it).

Maybe someone else has the same problems, so here you go:

#!/usr/bin/python
import re, sys
 
# Use full regexp power to detect as many " properly as possible...
# Note that this is a lot more sophisticated than just \b" and "\b
# and will be able to handle all the 'something ...", said foo' cases, too!
# But yeah, you can do even more, and maybe separate it into more regexps...
qrp1 = re.compile(r'(^\s*|\b[:]?\s+[.:,;?!\-\(]*)"(\b)', re.M)
qrp2 = re.compile(r'(\b[.:,;?!\-\)]*|\b \.\.\.)"([.:,;?!\-\)]*(\s+\b|\s*$))', re.M)
 
# These are for >>-style quotes, german bracketing. If you want other
# quotes, adjust to your style yourself (hint: look at your .lyx file)
q1 = r"""
\\begin_inset Quotes ald
\\end_inset
"""
q2 = r"""
\\begin_inset Quotes ard
\\end_inset
"""
 
# Iterate over all input files...
for name in sys.argv[1:]:
        # Load input file
        fi = file(name, "r")
        data = fi.read()
        fi.close()
        # Replace quotes
        data = qrp1.sub("\\1"+q1+"\\2", data)
        data = qrp2.sub("\\1"+q2+"\\2", data)
        # Write output file with new name
        newname = name + ".quotes.lyx"
        fi2 = file(newname, "w")
        fi2.write(data)
        fi2.close()

Today I've been fighting Planet, the well-known blog aggregator tool. After a while I had found out how/why it was scrambling Atom feeds horribly.

I'm not sure if actually is a planet bug - maybe it is fine with older python versions. The SGML parser of python2.4 however fails on tags such as <br />, a very common case in blogs and thus in atom feeds. Strage additional > brackets appeared in the output.

The reason is, that the SGML parser as of Python2.4 is looking for <tag/foo/ as an equivalent to <tag>foo</tag>, and thus treats <br/><br/> the same as <br>><br<br>> with the inner chars somehow magically escaped...

The fix is quite simple: add

sgmllib.shorttag = re.compile('<([a-zA-Z][-.a-zA-Z0-9]*)/(/*)>')

I told you that I'm not really sure whether this is a planet bug: It might be a bug of pythons sgmllib, too. But maybe Planet should just use a XML parser for XML files, and fallback to an SGML parser (or maybe a robust XML parser) for other files (unfortunately, many blogs - including mine - do not ensure correct XML). And Planet could use some proper XML handling, too, anyway... Right now, the code is so string-array-based, it makes me sick.

You might also want some extra magic to re-fold <br/> tags to not confuse older browsers.

Some time ago I tried skype... now I wanted to use it to call someone, tried starting it... the main window came up, and immedeately closed itself again.

Nothing I can do about it, no error message, nothing I could do differently.

So I was looking for a different/newer version, and found out that Skype itself provides downloads for Skype on Debian. Except they are uninstallable.

What a crap! Use an open standard, like SIP, which works much better - and where you can use different applications such as linphone or kphone.

... auch wenn das ganze "Xmas"-Zeugs immer lästiger wird...

Früher war mal die Weihnachtszeit die "stille Zeit". Wo man sich darauf besonnen hat, wer und was einem richtig wichtig ist. Etwas, was vielen Leuten heutzutage leider fehlt. Dafür ist die Weihnachtszeit jetzt geprägt von exzessivem "shopping" unter Dauerbedröhnung... :-(

Ich wünsche Euch allen ein frohes und ruhiges Weihnachtsfest, und habe für Euch hier eine kleine elektronische Weihnachtskarte

... and stop that annoying "Xmas" thing. Oh, and I hate all the red santa claus (shouldn't he be caled X-man?) stuff everywhere. Christmas used to be something very different than it is now, you know.

Merry christmas, and enjoy what used to be the 'quiet time' of the year:

Electronic christmas greeting card

... and why Galeon is still my favourite browser:

In galeon I can just paste an URL onto the new-tab button (which is missing by default, isn't it?) and it will open a new tab with that URL. In firefox, nothing happens. This annoys me each time I run firefox.

Ein guter Freund von mir ist Mittwoch abend, am Heimweg vom Tollwood feige hinterrücks niedergeschlagen worden. Ich kann es immer noch nicht ganz glauben.

Er war auf dem Weg zur UBahn, und sah unterwegs wie jemand seine Freundin ziemlich böse schlug. Anscheinend hat sie geblutet und so. Also hat er ihn von ihr weggerissen, so dass sie weg konnte; er ist dann weiter zur Ubahn gegangen.

5 Minuten später oder so hat ihm anscheinend dieses feige Arschloch hinterrücks mit einer Metallstange oder einem Holzprügel eins übergezogen und ihn im Schnee liegen gelassen. Wie kann ein "Mann" nur so feig sein?

Mein Freund ist dann am nächsten Tag irgendwann im Krankenhaus wieder aufgewacht. Schaut übel zugerichtet aus.

Was für ein Weichei war denn dass. Richtet erst seine Freundin übel zu, und brät nacher hinterrücks jemandem, der "Sozialcourage" zeigt auch noch eins über. Hinterrücks, mit ner Waffe. Feiger gehts doch wirklich nicht mehr.

Wenn sich jetzt nur ein Zeuge finden würde, oder die Freundin ihn anzeigt...

Ich habe mich beim Zeitungslesen neulich gehörtig verschluckt, als ich in einem Interview mit Erwin Huber (sueddeutsche.de) folgendes lesen musste:

Wir setzen mit der Magnetschwebebahn das fortschrittlichste Verkehrsmittel ein, das leiser, schneller, besser und auch noch billiger ist. Ich setze beim Transrapid die bisherige Politik nahtlos fort.

Billiger im Sinne von "da fließt mehr in meine eigene Tasche, also billiger"? Haben ihm "Spezln" aus der Betonbranche einen guten Preis genannt? So wie das hier in Bayern üblich ist, Arroganz-Arena und so?

Naja, demnächst haben wir ja dank "grüner Gentechnik" auch fliegende Schweine, und alles nur für den Verbraucher!

I today received another obvious scam. Well, basically any email from a bank referring to PIN and/or TANs (for those poor US bank customers: german banks all use one-time-passwords) is ovisouly scam. Especially when it's a really bad translation...

So I wonder whether I, as an intelligent user, should maybe still go to this scammers page - and enter deliberately incorrect data.

For example by calling

wget "http://202.129.53.211:8081/postbank/privat/app/submit.php?konto=$RANDOM&pin=$RANDOM&tan1=$RANDOM&tan2=$RANDOM&tan3=$RANDOM"

Yeah, they probably have to filter their data anyway. But are you sure they can tell "good" from "bad" values apart? How likely do you think I accidentally hit a legitimate users' account number and he might suffer from his account becoming accidentially locked?

Does this help the banks to detect this scammer, and filter him somehow (e.g. by saying "invalid PIN" even when it's valid) after enough incorrect tries?

Hmm... maybe the banks should provide an API to request invalid account numbers to submit to scammers. Then they could e.g. set a cookie or setup IP filters and fight back these scammers.

I'm Spider-Man:

Spider-Man 85% Robin 75% Superman 65% Hulk 60% Green Lantern 40% Wonder Woman 35% Supergirl 35% The Flash 25% Iron Man 20% Catwoman 15% Batman 10%

You are intelligent, witty, a bit geeky and have great power and responsibility.

A long time, the common way of working around MSIE CSS bugs was to exploit parser bugs and missing features in it's CSS parser.

Recently I read about a cleaner approach; I tested it recently and it seems to work quite well. Judging from the W3C validator, it's compatible with XHTML, too. It's nor perfect, but it probably is the best we can do currently. (And definitely cleaner than the parser-bug-exploits listed before.)

The approach is simple: given the string <!--[if IE]> Foobar <![endif]--> in an HTML file, almost any parser will treat this as an comment. Except for Internet Exploiter, which will treat "Foobar" as if it was part of the regular text. Instead of "Foobar", you can load an override stylesheet to work around Internet Explorer bugs. Note that as a side effect, MSIE is not a standards compliant parser for XHTML. ;-)

Now for the drawbacks:

• The part hidden from every parser except IE is not validated by tools
• The converse construct (remove --), to hide stuff from IE only, is not valid XHTML
• The conditional needs to be in every HTML file, it's not in the CSS and not cached with the CSS, so sligthly less performant than other solutions.
• It doesn't nest, you can't use comments in this construct
• They are, after all, a hack

For comparison, a few of the older tricks in CSS:

body      { background-color: red; }
html>body { background-color: green; }

body {
  voice-family: "\"}\""; /* some browsers have a parsing bug */
                         /* and will ignore the following rules */
  voice-family: inherit;
  background-color: green;
}

Alexa, obviously owned by Amazon and using Google to power its search function, has interesting graphs on the pageviews and reach of some websites. Interestingly, my personal homepage is now barely in the top million (which I consider impressive), but only the top 100.000 have publicly visible graphs.

A very interesting graph I obtained is this:

So the top three sites are yahoo.com, msn.com and google.com; followed by ebay, passport (what is passport used for except hotmail?) and amazon (English pages only, the worldwide fourth is a chinese search engine). I was really suprised to see MSN and passport that high, I would have expected google to be #1 actually. But I obviously underestimated how many people didn't change the Internet Explorer start page...

Unfortunately alexa seems to be broken somehow - around 50% of my requests will result in a blank page I have to reload... and right now, I can't get any graphs anymore.

Update: alexa works better now again, and I was pointed to Alexa Top Sites with some more top-ranked sites.

Oh, and I wonder how these stats are generated. I first thought they are using click counters in search engines (most likely in google?) but OTOH that wouldn't explain yahoo or MSN being that high...

My nice, 13 months old now, is so cute. And the happiest child I can remember. So well behaved, eagerly exploring everything and smiling so sweetly...

As you can tell from that shot, she'll be a computer god soon.

Meine Nichte, jetzt 13 Monate alt, ist soooo süß! Sie ist das glücklichste Kind das ich kenne... lacht immer, dauernd dabei die Welt zu erkunden... und dabei so brav und vorsichtig, man braucht sich gar keine Sorgen um sie machen.

Wie man erkennen kann wird sie bald ein Computer-Gott sein!

My niece playing with an old keyboard.

Gestern abend, die letzte S-Bahn heim. Mir setzt sich gegenüber eine hübsche Frau hin. Wirkte ziemlich müde, aber auch irgendwie traurig.

Irgendwie kam mir da das Lied "Mädchen lach doch mal" von den Wise Guys in den Sinn...

Irgendwo im Zug sagte jemand, für alle hörbar sowas wie "Hey, nicht einschlafen, nächste Station müssen wir raus". Das ganze Abteil schmunzelt. Gelegenheit ein Gespräch anzufangen.

Offenbar war der neue King-Kong-Film ziemlich enttäuschend. Zu absurd manches, irgendwelche komischen Viecher, Schleimbälle mit großem Maul und Zähnen, die ihn angreifen oder so... Und eine Hauptdarstellerin, der eigentlich die ganze Zeit Rippen und Arme brechen müssten, wenn der Film auch nur irgendwie realistisch wäre (schonmal an den Armen gefesselt gewesen und abgerissen worden - was hält mehr aus, ein dickes Seil oder ein Handgelenk?).

Und so haben wir uns ein paar Minuten nett über Kino unterhalten (jetzt sah sie wenigstens nicht mehr traurig aus) - und schon kam wieder meine Haltestelle, ich musste aussteigen, und weiss von meiner S-Bahn-Begegnung nicht mal den Namen und werde sie wohl nie mehr wieder sehen. Tja, so gehts im Leben...

Nicht gerade neu, aber sehr unterhaltsam: Corporate redesign für Weihnachten (auf "Weihnachten heißt jetzt X-Mas" klicken) - es heisst jetzt X-Mas, der Weihnachtsmann konsequenterweise X-Man und der 1. Advent "X-Mas kick-off". Nicht zu vergessen dass der "X-mas rollout" durch wichtige "meetings" und "come togethers" eingeleitet wird.

Eignet sich auch gut zum Bullshit-Bingo-Spielen, aber mal ehrlich: die BWLler reden doch echt so, oder? Feinstes Denglish...

The latest buzzword acronym, AJAX, is getting on my nerves. Javascript is not cool. It's an annoying, slow language. If you have ever written code in Python or Ruby or Lua, you'll agree that the syntax and library sucks.

Usually I'm annoyed by the long loading times of Ajax, so please use it only where it's absoultely necessary.

I agree that google maps is cool, because the alternatives would have been an even slower pure html version, an annoying flash which doesn't work properly (say hello to 'new' yahoo maps) or a very slowly starting java applet.

I watched the Ruby on Rails and TurboGears intro screencasts today, because I wanted to find out how these frameworks are like to work with. The part I liked least was then in the turbogears screencast they did that pointless ajax thingy, writing javascript code and such...

I liked the template engine of turbogears, python "kid". Thats a really nice XMLish template language. Read: proper XML, XHTML.

Ruby on Rails templates had this ancient eperl feeling to me. Also kind of PHP like, but not as worse. In contrast to PHP you can actually parse it. Still, you can't properly validate your XHTML template files.

So I'll probably try out TurboGear sometime soon, and if I'm not happy with it maybe Ruby on Rails next. I'm very happy to see these new frameworks for free languages. I heard a lot about Java Frameworks recently, but they all seemed so overengineered, and then there is this Java annoyance... A python or ruby solution is much nicer there.

Daniel Stone retorts whether I think that Debian delivers.

Yes, I do. It is basically part of the "design" of Debian that it's not updated as often as e.g. Ubuntu. This is a big benefit for servers IMHO.

In fact, I'm still running some woody systems. They work fine, so why should I go through the "hassle" (however low this is with Debian) of upgrading?

Apparently Microsoft has pushed back the beta Test of their upcoming Internet Explorer 7, which was expected to be released today.

So Microsoft doesn't deliver.

Again.

The XBox 360 apparently has heat issues and is crashing a lot for some users. Also it has been said that Microsoft is losing quite some money with each unit sold - they are aggressively trying to obtain market share.

"Vista" was stripped of all the interesting features, apparently all that is left is a prettier UI with tons of effects (and requring a DirectX 9 capable graphics board). The big feature enhancements like WinFS will not be included and will take at least one more year to be ready for beta...

"Windows Live" and "Office Live" (which are neither Windows nor Office) don't live up to their names either: They are just web-based add-ons, even supporting Firefox, and offering pretty much the same as Yahoo and other portals do as well as an online version of SharePoint apparently. They are a meagre attempt of Microsoft to be not totally left behind by Google when it comes to web applications. Heck, these could (and probably are!) be from some other company that Microsoft just bought.

The new office version of Microsoft fancies again mostly a new UI, that will be very different and probably confuse users a lot (especially if they have to alternate between office versions); Microsoft also has the reputation of breaking it's own file format again and again; the new office will use an incompatible file format again. The UI also doesn't help people to give their documents a more semantic meaning (for efficient processing by automatic tools such as desktop search engines), but will be more visually-oriented than ever (i.e. styles such as "headline" which do add a semantic meaning are degraded as "quick styles", whereas the bold- and underline buttons are more prominent than ever - good bye, corporate design!)

Microsoft has been promising lots of new stuff recently, but has it showed any? Where is Microsoft Windows for Supercomputers? They are totally under control by Unix and Linux. Linux is gaining on Mobile phones and embedded devices. When was the last time you read about WinCE? Heck, even the WiFi network at Microsoft is now powered by Linux...

Gerade bei einer Ebay-Auktion für einen Laptop-Akku entdeckt:

Unsere Portorate schließt die Unkosten des Verschiffens ein und faßt an und hohe QualitÀtsverpacken Mehrfache Einzelteile müssen in einem Paket kombiniert werden und in einer Zahlung gezahlt werden, wenn sie in der gleichen Zeit schlossen. Erkundigen Sie bitte sich nach Porto für mehrfache Einzelteile. Die Einzelteile werden im Allgemeinen aus dem folgenden Werktag versendet, nachdem Zahlung überprüft worden ist (gesessen u. Sonne ausgeschlossen)

Wer genau wie ich rätselt, warum sie nicht arbeiten wenn sie sitzen oder die Sonne genießen: Vermutlich stand da mal "except sat and sun"...

Apparently, blogger.com does a referrer check for images. Therefore, if you have your blog there and it's syndicated to a Planet, all images will disappear. Unless they are cached in your browser, of course...

Therefore: don't use blogger.com

Most workstations are well-served with firewall rules like this:

*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT

Yes, this is just two rules. Use iptables-restore to load.

No need to fire up a complex firewall builder tool for that. ;-)

The first input rule enabled loopback traffic, the second allows data traffic for established and related connections (ftp data channels for example).

If you want to allow incoming SSH, add

-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

Oh, unless of course you want to run filesharing and such. You might want to allow incoming connections on other ports as well.

Folgenden Screenshot hat mir mein Vater neulich im Word gemacht:

Ich meine, die richtige Korrektur zu finden ist jetzt nicht wirklich schwierig, wie Word hingegen auf diese Absurden Vorschläge da kommt ist mir unerklärlich... (Zum Vergleich: der unix "aspell" spellchecker korrigiert das richtig... und sogar das vom Word vorgeschlagene Rahmenbedinguzungen korrigiert er noch...)

Wie man hier sehen kann (Windows Media Video) kann der neueste Sober-Virus bei Verwendung des Microsoft Media Centers auch Menschen infizieren...

Liebe PC-Nutzer: Finger Weg von Drogen und Outlook!

I love food and thus I love cooking. Yesterday I cooked "Geschnetzeltes" in a sauce with mushrooms, sweet pepper, tomato and Crème fraîche.

Ich liebe Essen und ich liebe auch zu kochen! Gestern hab ich mal wieder Geschnetzeltes gemacht, die Sauce war diesmal ein gelungenes Experiment mit Paprika, Pilzen, Zwiebeln, Tomate und Crème fraîche.

Geschnetzeltes ist nicht kompliziert und man kann es leicht freihändig kochen. Ich hatte (für 2-3 Portionen) ca. 400 g Fleisch (freundlicherweise von der Fleischwarenfachverkäuferin gleich für mich geschnetzelt), dazu etwa 200 g Pilze, eine rote Paprika, eine Zwiebel, ein Becher Crème fraîche und Tomatensauce. Eine etwas "festere" Tomatensauce, oder auch Tomatenmark, ist hier praktischer, da es der Sauce mehr Festigkeit verleit - frische Tomaten oder Tomaten aus der Dose haben viel mehr Wasser.

Zubereitung ist harmlos: als erstes die Zwiebeln und Pilze schneiden und in die Pfanne, etwas anbraten. Dann das Fleisch dazu und zusammen weiterbraten (deswegen das Fleisch nicht zu spät dazu, die Zwiebeln sollen ja nicht ganz schwarz werden. ;-)) Wenn das Fleisch genug gebraten ist die restlichen Zutaten hinzugeben, etwas abschmecken und würzen und fertig.

Als Beilage bieten sich Reis oder Spätzle an. Und ein Salat. ;-)

I love food! - Geschnetzeltes

Neulich, im "Electronic Program Guide" am Fernseher:

Das nenne ich mal eine akkurate Klassifikation! So muss es sein!

Mathematik ist schön.

If you are responsible for a network with many "nomadic" users, e.g. students, you'll notice quite often they "forget" to shut down their bittorrent programs.

Port filters only work up to a certain amount, so I wanted to try out the "string" match included in recent kernels (e.g. 2.6.14).

You'll need iptables 1.3.4, which is not yet in Debian, but you can grab some temp packages from my debian directory.

The filter rule I tested was

iptables -I OUTPUT -j DROP -m string --string "BitTorrent protocol" --algo bm --from 0 --to 100

(I don't know if algo bm or algo kmp is more performant, or which performance hit this is going to have on your router. The from parameter could be increased to skip the tcp header, too)

Note that you might want to add high-volume "usually good" ports with accept rules in front, like port 80 (www), ssh (22) or mail (25, 465, 110, 995, 143, 993). Be careful with using "state ESTABLISHED", too: the string will be sent over an already established connection, not a new, so this is where you need to apply the filter!

A friend of mine likes dark themes a lot. I tried finding some good dark themes for GTK, but all have been rather disappointing so far.

The current icon sets (including Tango) are all designed for a bright, colorful desktop, aren't they? They look somewhat weird when placed on a dark background...

Maybe the graphic artists could also do some iconsets that work fine with such themes. (I prefer bright ones though ;-))

Was uns die Medien glauben machen wollten, mit den umgeknickten Strommasten und so - alles Unfug.

Anerkannte Wahrsager haben schon vor Jahren vorhergesagt, was in Önkelstieg, äh, Ochtrup, wirklich passierte.

Viel Spaß denjenigen, die das noch nicht kennen...

I just finished rewriting an old firewall tool from Perl to Python. Since it's in Python and about firewalling I dubbed it Pyroman.

I investigated a dozen of firewall-tools before, including shorewall and firehol. Each had it's stength and its weaknesses. After writing iptables rules in a shell script every now and then for a more complex project (with like 6 networks of which 3 are bridged together) and two dozen of differently configured hosts, NATs, VPN, everything. My predecessor had written a shell script to configure the firewall, but this was really bad to maintain.

So I ended up writing a perl application to generate the rules from a modular configuration (read: usually one file per host, containing a perl hashmap)

Well, after happily using this script for two years, I dedcided it's about time to rewrite it and document it extensively. I chose python for the rewrite. You can get the result here: Pyroman 0.1.1.

The good:

• Written in pretty python
• Extensively documented (Python docstrings)
• Much faster than sh+awk based solutions
• Really easy syntax to add hosts, nats
• You can add custom iptables rules when needed
• Designed for complex networks
• Lots of verification checks done before execution
• Designed to use the same configuration files on multiple hosts (e.g. failover firewalls or the destination host itself; it will detect if you are talking about a local or a remote host
• It will report file name and line number on parser errors, verification errors and execution errors.
• If any rule fails to setup, a rollback will occur, restoring your previous firewall
• (will likely have auto-rollback if you lock yourself out in the next version with a simple timer)
• Extensive configuration example

• Not yet tested in production
• Doesn't completely hide iptables complexity (some core config files are just containing iptables rules, but why invent a new syntax?)
• Only iptables, no TC/Shaping, no IPsec, proxy arp setup, VPN, ifconfig (I use other tools for that, e.g. heartbeat)

To tease you a little more into testing, here's an example host configuration: ("dmz" is an interface alias - where the web server is connected to -, as are "INT", "DMZ" and "ANY" for clients on these interfaces)

"""
A really simple webserver configuration.
These examples are just boring... ;-)
But without NAT they would be even more boring. ;-)
"""
# web server
add_host(
        name="web",
        ip="10.100.1.2",
        iface="dmz"
)
# offering, well, web service.
allow(
        client="ANY DMZ INT",
        server="web",
        service="www ssh ping"
)
# internal hosts may access FTP, too
allow(
        client="INT",
        server="web",
        service="ftp"
)
# setup NAT
add_nat(
        client="ANY INT",
        server="web",
        ip="12.34.56.80"
)