Fixed iChat AV thru OpenBSD PF Firewall

This has been bugging me for ages, but the fix is so simple.
I use OpenBSD for my router, and have PF (Packet Filter) running the firewall and NAT rules.

I have previously setup the port forwarding, etc. according to Apple, but never could get a successful connection using video or audio (or screen sharing).

After reading a post on the OpenBSD misc mailing list I went back and read the OpenBSD 4.5 pf.conf man page.

There is a section of the man page that states (my emphasis):

fragment reassemble
Using scrub rules, fragments can be reassembled by normalization.
In this case, fragments are buffered until they form a complete
packet, and only the completed packet is passed on to the filter.
The advantage is that filter rules have to deal only with complete
packets, and can ignore fragments. The drawback of caching frag-
ments is the additional memory cost. But the full reassembly
method is the only method that currently works with NAT. This is
the default behavior of a scrub rule if no fragmentation modifier
is supplied.

My scrub settings were such that I was filtering not complete packets, but fragments. The moment I changed the scrub settings to this:

scrub in on $ext_if all fragment reassemble


All worked perfect. I can initiate iChat calls and receive them too. Desktop sharing now works as well. All using Google talk (jabber) in iChat.

Note that in OpenBSD 4.6 or current there have been PF changes, so the wording of the scrub rule may be different. Always read the pf.conf man page for the release you are on.

Clone a part of an SVN repository in git

I was trying to clone my wordpress plugin from the wordpress svn repo using git-svn. I had no luck for about the past 8 weeks, with this problem:

Initialized empty Git repository in /Users/lantrix/tweet/.git/
Using higher level of URL: http://plugins.svn.wordpress.org/tweet => http://plugins.svn.wordpress.org

And it would proceed to hit up the entire wordpress repo.
After reading a possible solution on Charlie’s Old blog, I stubmled across a newer way to do this.

As of v1.6.4 of git, you can now use a –no-minimize-url when doing a git-svn clone. This makes git clone only the part of the repo you want; and the added bonus is you can get all your tags and branches.

Here is how I did it:

git svn clone --prefix=svn/ --stdlayout \
--authors-file=authors.txt \
--no-minimize-url http://plugins.svn.wordpress.org/tweet/


It still took a while to parse all the SVN history, and now of course this stands out in the git-svn doco

The authors.txt file just mapped my svn users to git user/email pair, e.g.:

lantrix = Lantrix 
plugin-master = none 
(no author) = none 

You will probably want to have a look at these set of scripts. Have a read of NothingMuch’s perl blog for extra steps and details on extra svn conversion scripts.