Ahmed Rashid in his recent column on the BBC website makes a point that the Pakistani media, with their conspiracy theories and obsession with demonizing the civilian govt.,  is undermining the state of Pakistan. At a time of war and instability, this is an alarming occurrence as it diverts public attention away from the pressing issues that plague the country.  The following is an excerpt from his column:

Pakistan is going through a multi-dimensional series of crises and a collapse of public confidence in the state. Suicide bombers strike almost daily and the economic meltdown just seems to get worse. But this is rarely apparent in the media, bar a handful of liberal commentators who try and give a more balanced and intellectual understanding by pulling all the problems together.

The explosion in TV channels in Urdu, English and regional languages has brought to the fore large numbers of largely untrained, semi-educated and unworldly TV talk show hosts and journalists who deem it necessary to win viewership at a time of an acute advertising crunch, by being more outrageous and sensational than the next channel.On any given issue the public barely learns anything new nor is it presented with all sides of the argument.Every talk show host seems to have his own agenda and his guests reflect that agenda rather than offer alternative policies.

Recently, one senior retired army officer claimed that Hakimullah Mehsud – the leader of the Pakistani Taliban which is fighting the army in South Waziristan and has killed hundreds in daily suicide bombings in the past five weeks – had been whisked to safety in a US helicopter to the American-run Bagram airbase in Afghanistan. In other words the Pakistani Taliban are American stooges, even as the same pundits admit that US-fired drone missiles are targeting the Pakistani Taliban in Waziristan.

Nobody discusses the failure of the education system that is now turning out hundreds of suicide bombers, rather than doctors and engineers.

Or the collapsing and corrupt national health system that forces the poorest to seek expensive private medical treatment, or the explosion in crime or suicides by failed farmers and workers who have lost their jobs.

Pakistan cannot tackle its real problems unless the country’s leaders – military and civilian – first admit that much of the present crisis is a result of long-standing mistakes, the lack of democracy, the failure to strengthen civic institutions and the lack of investment in public services like education, even as there continues to be a massive investment in nuclear weapons and the military.Pakistan’s crisis must first be acknowledged by officialdom and the media before solutions can be found.

The alternative is a continuation of the present paralysis where people are left confused, demoralised and angry.

Read the complete column here.

Picture that says  “Stop conspiring against people’s democratic government” was taken at Korangi Rd. when I was stuck in traffic congestion due to PPP’s procession of 43rd foundation day. Rest you figure out!

With no freedom to chose within Pakistan, people of Sindh will chose freedom…

- Iqbal Tareen, Washington, DC

People of Sindh clearly see a Noora Kushty in conflict between PML (N) and MQM. Politically naive people couldn’t get the drift of MQM at all. MQM excels in “Use and lose” game. In my book “Harvest will come” I had predicted that MQM will stab PPP in the back because Nawaz Sharrif and MQM have common family tree going all the way to Zia-ul-Haq. Combined with all other rightist parties this is another IJI, which is once again engaged against a party that was not manufactured in GHQ. Many so-called “progressive and people friendly activists” have been taken for a ride.

Although many rightist organizations used PPP’s reconciliation with MQM as a pretext to demean PPP but their real motive was an overthrow of a representative democracy to replace it with GHQ preferred and hand-picked gang of a few. Now that Nawaz Sharif and other pro-Uma parties are ready to baptize Altaf Hussain, the MQM will overnight turn from a Haraam party to a Halaal party.

The dating game between MQM and Muslim (N) actually started when Javed Hashmi came up with his weird idea of 12 provinces. Through him PML (N) actually extended an olive branch to MQM. The idea of 12 provinces and PPP-hate has placed all the bad eggs in one basket.

NRO and corruption issues are nothing less than a stunt pulled by these parties combined together. Nawaz Sharrif lived in Medina Sharrif for almost 8 years under the selective blessings of NRO midwife by the Saudis and granted by Musharraf.

Altaf Hussein and his party leaders including present governor of Sindh live cot free under amnesty from murder and felony cases granted to them by Musharraf government and his kangaroo courts.

As far as corruption and crime is concerned, it is embedded in Pakistani society from top to the bottom and sideways. From judiciary to Pakistani military brass, bureaucracy, politicians, Ulema, business leaders, and civil society members, and educators all are deep into corruption and favoritism.

None of the opposing political and religious parties are free from corruption and crime. Pakistani establishment thrives on systemic corruption and power abuse. Absolute majority of civil and military officers live imperial lives beyond their means. Many are directly and indirectly beneficiaries of drug business in Pakistan and have their hands stained with blood for assassinations and murders of innocent civilians and their political rivals. It is beyond me to see bunch of unscrupulous people preaching scruples.

The menace of corruption should be dealt with by a fair and open judicial process. You don’t overthrow a mandate because some of the members of ruling party are also corrupt.

To the people of small provinces the current hate movement is all about zero tolerance of their representative government by bunch of pro-establishment hate-driven parties, which are bent upon creating environment leading to an overthrow of a democratically elected government in Pakistan.

Baloch people have already lost faith in provincial autonomy or even talk about 1940 Resolution. They are clearly demanding freedom for Balochistan. People of Sindh are also pondering if Pakistan is a viable arrangement for the recourse of their decades old grievances. It is an overwhelming perception of people of Sindh that none of the small province based leadership is ever acceptable to Punjab-Muhajir dominated body of politics in Pakistan, which constitutes a core of Pakistani Establishment.

Many Sindhi and Baloch leaders and parties have worked on the premises that “Whenever Sindhis and Baloch participate in national politics, the Sindh and Baloch rights will are compromised” According to them thus “It is a futile exercise to waste any effort into a lost cause”

They raise a question that if moderate and pro-Pakistan Sindhi and Baloch leaders like ZA Bhutto, Mohtarma Benazir Bhutto, Ghous Bux Bezenjo, Wali Khan, and Akbbar Bugti were not acceptable to Pakistani establishment, how can any Sindh or Balochistan rights party or leaders can find a sympathetic ear in the present setup.

A singled out onslaught on Asif Zardari is also perceived as a zero tolerance for a Sindhi leader in Pakistani national politics. PML (N), PML (Q), MQM, and all religious parties are united in bringing one man down. Entire media has issued a eulogy on Zardari’s government already.

Just a friendly warning if you bring down a strong proponent of “Pakistan Khappay”, you will be hard-pressed to find any soul in Sindh calling Pakistan Khappay again. A domino’s effect in already in action grabbing Muslim world into its grip. Pakistan falling into the hands of pro-Taliban and spineless political forces will trigger downing of various South Asian Muslim states. The fall of representative democracy will give rise to total Talibanization in Pakistan.

Any overthrow of their elected representatives will force people of Sindh to vote with their feet. They will simply walk away from Pakistan. Sindh is nation of Latif, Sachal, Sami, and Lal Qalandar. People of Sindh are not in the business of hate and violence. But they will not allow spin doctors to undo their mandate.

People of Sindh have no part of establishment on its side. Sindhis have only ballot power to leverage. Majority of Sindhis believe that given peaceful and fair elections they hope to witness vanishing of politics of corruption, incompetence, and power abuse within a decade or two. If their mandate is stolen and their power of ballot is diminished Sindhi people will lose their right to choose.

With no freedom to choose within Pakistan, people of Sindh will likely choose their freedom without Pakistan.

November 26, 2009

by: K. Ashraf

That is the impression MQM leadership is trying to give that the killing people is lesser crime than corruption. MQM has created a territory for itself. Govt. auditors cannot audit Karachi and Hyderabad city governments.

One of the conditions agreed upon MQM and PPP to become coalition partners was to leave Karachi and Hyderabad’s finances unaudited. It is not only MQM and PPP, basically Pakistan’s total ruling elite has become addicted to corruption. They cannot survive without it. They don’t give a damn if Pakistan survives or not.

Courtesy: K. Ashraf & crdp@yahoogorups.com

The TV media is abuzz with Zardari’s statement at a political rally that  ‘a handful of political actors’ are trying to destabilize the current government. It is being interpreted as a swipe at the Jang group and specifically at Shahid Masood. Shahid Masood has recently accused the PPP of putting pressure on the UAE govt., from where he broadcasts his show, in order to shut him down.  This is presently being denied by government spokespeople.

The dynamics of a typical Pakistani TV news channel chat show, very popular with the public, usually take the shape of four versus one. It’s the government spokesperson versus the rest of the three member panel, a guest caller and the TV anchor who has most often an anti government bias. This anti-government anchor bias, which became pervasive in the Musharraf era, still continues and in the case of a few anchors has become more prominent.

There have been news reports after the PPP Executive committee meeting that Zardari was not happy with the performance of his media team. It is being speculated that this is why he felt the need to take this recent swipe at the media. No one can honestly blame him for  feeling insecure after witnessing Information Minister Qamar Zaman Kaira or Information Secretary Fauzia Wahab get skewered almost every night on Pakistani TV channels. Kaira is so woeful that he makes Maj. Athar Abbas look like Alistair Campbell. As far as Ms.Wahab is concerned the less said about her the better.

So there I was lamenting the fact that the government desperately needs to revamp its media team when I switched over to  the Dunya TV channel where a verbose Faisal Raza Abidi, who I had never seen before, impressed me a great deal. Faisal, who holds the position of being the political secretary to the President, is smart, aggressive and able to get his point across clearly and quickly.  The problem with Kaira is that he is neither very bright nor has the rhetorical ability to challenge some of his peers from other parties. Like PML-Q’s former Information Minister Muhammad Durrani, Kaira also has trouble getting his point across in a short space of time and sometimes ends up looking like a bumbling blithering idiot. I could not find the video of last nights show in which Faisal took part however I looked at another video of one of his appearances where he goes toe to toe with the experienced rhetoricians Sheikh Rashid and Ahsan Iqbal. The look of Sheikh Rashid’s face ,when Faisal points out that he is being hypocritical by berating the PPP govt. for not repealing the 17th amendment  when he never raised the issue while he was in government, was simply priceless.  It can be compared with Kaira’s chat with Talat Hussain last night  here. 

The ineffective and inconsistent narrative for the war against the  Taliban is contributing to a loss of confidence in the state. Pointless rhetoric such as Rehman Malik’s anti-india diatribe is counterproductive. In Rehman’s case it simply lent credence to the  fear mongering of conspiracy theorists who also call  the PPP govt.  US stooges. This is something which comes under the purview of a media manager. Someone who can co-ordinate with the various ministers and effective spokespeople to help deliver a consistent and solid message to the public. It is time, for the PPP, to change its current media team and bring in more effective personnel.

Whom the gods would destroy, they first make mad, said Euripides. This saying exactly fits in to the current PPP regime who to mark the party’s 43rd foundation day in Karachi thrashed almost everyone including media. Such an unprofessional attitude from the party’s top leadership exposed the fear and stress they have been confronting for quite sometime. The ‘Awami’ president  from his highly secured president house via telephonic address “warned” the nation (minus PPP supporters) that they are here because they have a mandate and PPP will foil all attempts of political actors. Mr. Zardari and co. during his bullying referred MQM, PML N, PTI, JI and Geo Tv as political actors who want to derail democratic set up by not supporting PPP’s corruption and mismanagement, in a sense he lashed at almost all the political parties and mainstream media out of frustration however the response came from the so called political actors should be much appreciated as they understand what the Awami government is currently going through and how fragile they are. The nation knows that a single long march or a comprehensive media campaign can topple this highly unpopular Government.

I believe at this point of time PPP should reconsider their governing strategy (if any) and include all the party veterans in their central executive committee who would not only sincerely advise the perplexed president but help PPP’s brand building as well. Currently Zardari brigade seems to be on defensive side as they have widely been criticized across the nation but unfortunately instead of fixing their blunders they have chosen to capitalize sympathy vote by portraying themselves innocent which is a sure way to self-destruction, People’s party under the disguise of democracy are putting all energies to earn people’s sympathy without realizing the fact that the hurdles of free media, courts and  now an alert Army would never let the nation befooled as we are facing one of the worst times in the history of Pakistan. This is the time when even opposition is reluctant to take charge of country and demand mid term elections despite their growing popularity graph but again whom gods would destroy, they first make mad.

By Shaheen Sehbai

Here is the strongest man in the country so rattled by a few reports and articles by me, or a few talk shows by Dr Shahid Masood, that he forgets to mention anything about the infamous NRO, the shame of the Kerry Lugar Bill, the gross charges of corruption, money laundering or misuse of power against him and his cronies. He did not mention the issues of sugar, atta, electricity and unemployment. He did not praise the soldiers and people fighting the deadly terrorists. He and his few people now sharing power were only worried about their own fate, with the loud spoken Zulfikar Mirza declaring to the world that he would use the Sindh Card, if worse comes to worst. Read the full article here.

President Zadari, instead of discussing the never ending and the ever growing problems being faced by the country, used this political gathering to hit out against some journalists, namely Shaheen Sehbai and Dr. Shahid Masood, calling them “political actors”. This comes just days after he banned Dr. Shahid Masood’s popular talk show, ‘Meray Mutabiq’.

Zardari did not speak out against the Taliban, he did not discuss the problems being faced by the people and nor he discussed the problems being faced by the country. Sitting in the highly fortified President house, it seems perhaps that the President feels threatened by a couple of harmless journalists, who are just performing their duties.

Add to: Facebook | Digg | Del.icio.us | Stumbleupon | Reddit | Blinklist | Twitter | Technorati | Yahoo Buzz | Newsvine

With the NRO mess not going away, and more stories of corruption by Sharif Brothers making the news, more and more signs are pointing towards the two families (three if you can call MQM a family) joining hands to cover each others back.

First was the attack by PML-N stalwarts against Zardari detractors and today we learn the two are collaborating not only on NRO-Plus and plan to pass it unanimously, but have jointly written a script to blame someone else for their corruption in order to ‘prove’ all cases were ‘politically motivated’ and they are clean as a whistle:

PPP’s New Line:  “Jehangir Badr, whose prime target was no other than former President Farooq Ahmed Khan Leghari during the entire press conference, said that not only the NRO beneficiaries, but those who had to pay billions of rupees to banks should also be held accountable.“

PML-N’s New Line: “Punjab Chief Minister Mian Shahbaz Sharif Wednesday said it was Farooq Leghari who filed lawsuits against the leaders of Pakistan People’s Party (PPP).“

Please remind me which is the ruling party and which one is the opposition?! And isn’t Shahbaz forgetting about Saif-ur-Rehman???

Note: No doubt I agree with Jehangir Badar that “Farooq Leghari, his son Awais Leghari and other members of their family, should be held accountable for their various corruption scandals such as cooperatives and PTCL scandals” but it should be done alongside the holding accountable PPP and PML-N and other NRO beneficiaries and not instead of it, as seems to be the plan. And why didn’t Badar think of this before???? Farooq Leghari’s corruption did begin when PPP was in power. Also, how is PPP going to deal with the fact that Zardari’s henchman Malik Riaz of Bahria Town is a business partner of Farooq Leghari?

I am surprised Badar left out the name of his colleague Senator Jamal Leghari, the elder son of Farooq, who is no less corrupt. That Farooq and Awais are guilty of corruption, there is no doubt about that either. It is a fact that Farooq Leghari (and Jamal and Awais jointly) had less than 1250 acres of land when he became president but today Farooq Leghari alone has acquired more than 12,500 acres of agricultural land (I have no clue about the acquisitions by Awais and Jamal Leghari but they have been on a land buying spree as well). And this does not include other property and bank accounts. Awais alone built his house in Islamabad at a cost of Rs 8 crore. His cousin Sumaira Malik of the ‘Cat House’ fame has spent twice that. Her sister Ayla Malik’s (these days with DunyaTV)   husband (now ex) Sardar Rind has bought another 12,500 acres in the same area as Farooq Leghari. Farooq’s cousins of course are not only among NRO beneficiaries but also big loan defaulters (but sitting pretty in the National Assembly or as Nazims)

Note: Let me remind Mr Badr that it was Awais Leghari who became Privatization Minister for a day to sign the sale of Pakistan Steel Mill (PSM), the sale that was over-turned by CJ Iftikhar and was the main and last straw that led to the CJ’s dismissal by Mush. I am sure Awais got offered a pretty penny to go along with that scam.

1) Afinal, o que é PPP ?
R: PPP é a sigla de Perfil Profissiográfico Previdenciário, um documento histórico-laboral do trabalhador, apresentado em formulário instituído pelo INSS, contendo informações detalhadas sobre as atividades do trabalhador, exposição a agentes nocivos à saúde, resultados de exames médicos e outras informações de caráter administrativo. O modelo do formulário encontra-se no Anexo XV da Instrução Normativa INSS/PR nº 20/2007.

2) Qual o objetivo do PPP ?
R: Apresentar, em um só documento, o resumo de todas as informações relativas à fiscalização do gerenciamento de riscos e existência de agentes nocivos no ambiete de trabalho, além de ser o documento que orienta o processo de reconhecimento de aposentadoria especial.

3) O Perfil Profissiográfico foi instituído por uma Intrução Normativa do INSS ?
R: Não. A Instrução Normativa INSS/PR nº 20/2007 regulamenta e formata o PPP, cuja exigência encontra-se prevista na Lei nº 8.213/91 e no Regulamento da Previdência Social (Decreto nº 3.048/99). Veja a letra da Lei: "A empresa deverá elaborar e manter atualizado perfil profissiográfico abrangendo as atividades desenvolvidas pelo trabalhador e fornecer a este, quando da rescisão do contrato de trabalho, cópia autêntica desse documento. (art. 58, parágrafo 4, Lei 8.213/91)"

4) Onde se obtém as informações necessárias para preenchimento do PPP ?
R: As informações devem ser extraídas do Laudo Técnico de Condições Ambientais do Trabalho (LTCAT), do Programa de Prevenção de Riscos Ambientais (PPRA), do Programa de Controle Médico de Saúde Ocupacional (PCMSO) e do Programa de Gerenciamento de Riscos (PGR), este último no caso de empresas de mineração.

5) Quem está obrigado a fazer o PPP ?
R: A elaboração e atualização do PPP é obrigatória para todos os empregadores, bem como sua entrega ao trabalhador na ocasião da rescisão do contrato de trabalho. O formulário deve ser assinado pelo representante legal da empresa com a indicação dos responsáveis técnicos pelo PCMSO e LTCAT.

6) Quem é o responsável técnico pelo LTCAT ?
R: O LTCAT – Laudo Técnico de Condições Ambientais do Trabalho, por determinação expressa da legislação previdenciária, deve ser expedido por médico do trabalho ou engenheiro de segurança do trabalho.

7) Qual a diferença entre o LTCAT e o PPRA ?
R: O LTCAT, como o nome diz, é um laudo técnico, isto é, um documento que retrata as condições do ambiente de trabalho de acordo com as avaliações dos riscos, concluindo sobre a caracterização da atividade como especial. O PPRA, por sua vez, é um programa de ação contínua, não é apenas um documento (ver FAQ do PPRA neste website) . O LTCAT pode ser um dos documentos que integram as ações do PPRA.O PPRA é uma exigência da legislação trabalhista (Norma Regulamentadora nº 9) e o LTCAT da legislação previdenciária. Veja a letra da Lei: "A comprovação da efetiva exposição do segurado aos agentes nocivos será feita mediante formulário, na forma estabelecida pelo Instituto Nacional do Seguro Social – INSS, emitido pela empresa ou seu preposto, com base em laudo técnico de condições ambientais do trabalho expedido por médico do trabalho ou engenheiro de segurança do trabalho. (art 58, parágrafo 1º, Lei 8.213/91)"

O PPP é mais um documento que deverá ser apresentado à fiscalização do INSS ?
R: Ele deve estar disponível para a fiscalização, mas ele é mais que isso. O PPP substitui, a partir de 01/01/2004, o formulário DIRBEN 8030 (antigo SB-40). Ele não é um formulário a mais, ele concentra todas as informações do laudo técnico e dos formulários antigos.

9) O PPP deve ser feito apenas para trabalhadores expostos a agentes nocivos à saúde ?
R: Por enquanto sim. A empresa deve elaborar e manter atualizado o PPP para todos os trabalhadores expostos a agentes nocivos e fornecer cópia autêntica do documento ao trabalhador na ocasião da rescisão do contrato de trabalho.

10) Qual a relação de agentes nocivos à saúde capaz de gerar direito à aposentadoria especial ?
R: A relação de agentes nocivos químicos, físicos, biológicos ou associação de agentes prejudiciais à saude ou à integridade física, considerados para fins de concessão de aposentadoria especial, consta do Anexo IV do Regulamento da Previdência Social ( Decreto 3.048/99 ).

Ricardo Pereira de Mattos, Eng. Segurança do Trabalho

IPFW:check-state/keep-state advanced stateful rules.  By Joe Barbish  07/22/2002  All rights reserved.
As most new ipfw users, I had a typical ipfw rules file built from the simple stateful rules in rc.firewall. I had originally been using user ppp with it’s internal Nat function, but went to natd as the simple stateful type in rc.firewall showed. Since the sample rc.firewall (simple) was pretty much just what I wanted to do, I just assumed this was the correct and proper way, so I cut out the simple type code from rc.firewall to create my own ipfw firewall rules. In searching FBSD and the many sites found by google search I saw many many other people before me had done the same thing. From a technical point of view the whole rc.firewall file is based on simple stateful rules using setup/established with some stateless rules thrown in. As a new ipfw user I did not know the difference and the comments sure did not call out the difference.
When I tried to change my simple stateful [established/setup] to advanced stateful [check-state/keep-state] rules, I kept having trouble with ip address being mismatched. Technically the mismatches showed up in /var/log/security as packets that got denied by the (default deny everything rule) for all packets that reach the end of the rule set with out matching any rule. Configuration looked like this.
Divert natd (network address translation)                   (                   (LAN PC’s  < — > IPFW  < — >  internetPrivate IP     advanced        public ip  Address      stateful rules    address
I spend weeks playing around trying different combinations of ipfw rules, but kept having mismatches in the dynamic table. Finally I removed the natd divert rule from the ipfw rules set and deactivated natd in rc.conf and re-activated ppp -Nat in rc.conf, and the advanced stateful [check-state/keep-state] rules started to work. Configuration looked like this.

LAN PC’s  < — > IPFW  < — >  user ppp -nat < — > internetPrivate IP     advanced        network address      public ip  Address      stateful rules    translation           address
In this configuration IPFW only knows the private ip address on the LAN and the advanced stateful rules functioned just like described in the man documentation.
I wrote emails to the IPFW authors, gave then 2 documented examples of rules sets using exclusively advanced stateful rules and user ppp dial up ISP, the only difference was one used user ppp -nat and did not have the divert natd rulecd ../ one had the divert natd rule and no user ppp -nat and did not work. After much conflicting correspondences the results were that they were not going to do anything about it and I was left on my own.
The real problem here is ipfw advanced stateful rules are relatively new to the IPFW program (FBSD version 4.0 year 2000) and still does not fit cleanly into the divert natd program logic.
IPFW was originally designed as a firewall using stateless rules and/or simple stateful rules which is nothing more than an rules file coding logic technique based on the TP flags setup/established. Using these very primitive type of rules IPFW function’s correctly. When advanced stateful rules are used to tighten down the control of packets passing through the firewall by dynamically creating an internal rules table based on the by-directional exchange of packets which have to match the pre-known ip address, flow direction, and packet sequence numbers the divert natd function malfunctions. This problem is not limited to dial up internet access, but also occurs for ‘all ways on’ environments (DSL, Cable, T1) with or without DHCP support.
Many users reach this point using the advanced check-state/keep-state stateful rules and go back to simple stateful rule set using established/setup simple because they can not get the advanced stateful rules to work. The rc.firewall file was created for FBSD 2.0 and has not been updated to exclusively utilize the advanced stateful rule set, so it is a very poor example to be using for your ipfw rules set.
Cable internet access became available in my area and I was forced to revisit the divert natd / advanced stateful rules again because (DSL, Cable, T1) ‘all ways on’ environments normally use the ISP’s DHCP server to get it’s network configuration information so user ppp -nat is not used in this case. This meant I had to use the divert natd ipfw statement to provide the NAT function so I could use private ip address for my LAN because my cable ISP only issues one dynamic public ip address per customer account.
After many days of trial and error testing I finally found an rules coding logic which functioned correctly using exclusively advanced check-state/keep-state stateful rules and the divert natd rule statement. Normally the rule to allow the packets from local LAN Nic cards to pass through the ipfw firewall come before the divert natd rule as seen in the rc.firewall file. But for advanced stateful rules it has to be moved after the divert natd rule and the ‘keep-state’ option has to be used so the dynamic rules table knows about the packet activity before they get passed through the rules file the second time. Technically this means each packet will have 2 sets of dynamic table rules, one set for the private Nic interface and one for the public Nic interface. This is an resource waste, decreases performance, and not necessary if the nat function is done outside of ipfw.
The simplest and best solution to the advanced stateful rules problem is to use ‘user ppp -nat’ for all dialup ISP environments and have no divert natd rule in the ipfw rules file.  For all DSL, cable, and T1 connection where the ISP’s DHCP is used to configure FBSD’s public network you have to use the divert natd rule in your ipfw rules set followed by this rule for each private Nic interface,  ’allow all from any to any via xl0 keep-state’
where xl0 is the private Nic card interface device name. This solution has been tested in FBSD version 4.5 & 4.6.
The IPFW rules listed below are my current firewall rules file configured for a cable divert natd environment. Here are the matching /etc/rc.conf optionsifconfig_rl0=”DHCP”ppp_enable=”NO”             natd_enable=”YES”natd_interface=”rl0″natd_flags=”-dynamic”firewall_enable=”YES”                 firewall_script=”/etc/ipfw.rules.conf”

For an user ppp dialup modem ISP connection using ‘divert natd’ make following changes to the ipfw rules below   Change  oif=”rl0″  to  oif=”tun0″
Here are the matching /etc/rc.conf options#ifconfig_rl0=”DHCP”ppp_enable=”YES”ppp_mode=”ddial”             ppp_profile=”papchat”        ppp_nat=”NO”                       natd_enable=”YES”natd_interface=”tun0″natd_flags=”-dynamic”firewall_enable=”YES”                 firewall_script=”/etc/ipfw.rules.conf

For an user ppp dialup modem ISP connection using ‘user ppp -nat’ make following changes to the ipfw rules belowChange  oif=”rl0″  to  oif=”tun0″  Add    $cmd 00130 allow all from any to any via xl0Delete $cmd 00150 divert natd all from any to any via $oifDelete $cmd 00210 allow all from any to any via xl0 keep-state
Here are the matching /etc/rc.conf options#ifconfig_rl0=”DHCP”ppp_enable=”YES”ppp_mode=”ddial”             ppp_profile=”papchat”        ppp_nat=”YES”                       natd_enable=”NO”#natd_interface=”tun0″#natd_flags=”-dynamic”firewall_enable=”YES”                 firewall_script=”/etc/ipfw.rules.conf

Following the rules file below are some other IP stack security options which are specified in the /etc/rc.conf file and kernel that you can use as a guide to configure your own world.
/etc/ipfw.rules.conf############################################################################# Define IPFW firewall rules for gateway.poweruser.net # 7/04/2002  Joe Barbish  ##   Cable modem connection to ISP with dynamic IP addresses assigned.#   Private Ip address used inside.#   3 win98 boxes on LAN with DHCP used for auto private network configure. #   Protect the whole private network from loss of service attacks#   These rules can be reloaded with out rebooting by issuing this command#   sh /etc/ipfw.rules.conf##   The use of ‘me’ in rules means IP address 127.0.0.0 localhost #   # Firewall Policy Statement.#   Each public internet function must be explicitly allowed by a rule.#   Only valid response to the packets I’ve sent out are allowed in.#   All packets must use the IPFW advanced “dynamic” rules function.#   No state-less rules or simple-stateful rules are allowed to grant#   internet function.#############################################################################
# Flush out the list before we begin./sbin/ipfw -q -f flush
# Set rules command prefix# The -q option on the command is for quite mode. # Do not display rules as they load. Remove during development to see.cmd=”/sbin/ipfw -q add”
# Set defaults  # set your outside interface network device name and # domain name servers IP address to values issued by your ISP.

oif=”rl0″                  # Nic card to cable modem public internet connectionodns1=”24.50.201.66″       # ISP’s dns server 1 IP addressodns2=”24.52.201.66″       # ISP’s dns server 2 IP address
# Set these to your inside interface network and ip address rangeiif=”xl0″                  # Nic card to private internal Local area network

# This is the start of the rules. # All traffic coming in from the internet or# leaving the local LAN start here

# Internal gateway housekeeping# Rules # 100 exempt everything on localhost behind the firewall from this rules set.# Rules # 110 & 120 deny the reference to the localhost default IP address.$cmd 00100 allow all from any to any via lo0  # allow all localhost$cmd 00110 deny log  all from any to 127.0.0.0/8  # deny use of localhost IP $cmd 00120 deny log  all from 127.0.0.0/8 to any  # deny use of localhost IP

# This does the  Network Address translation of every packet coming in# or going out over the public internet.
$cmd 00150 divert natd all from any to any via $oif
#*** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY *** TESTING PURPOSES ONLY# The following rule if un-commented will change the behavior of this# Firewall rule set from closed to completely open, thus bypassing all of the# following rules. This single rule is placed here for TESTING PURPOSES ONLY.#$cmd 00160 allow log logamount 500 all from any to any#$cmd 00161 allow all from any to any

########  control section  ############################################# Start of IPFW advanced Stateful Filtering using “dynamic” rules.# The check-state statement behavior is to match bi-directional packet traffic# flow between source and destination using protocol/IP/port/sequence number. # The dynamic rule has a limited lifetime which is controlled by a set of# sysctl(8) variables. The lifetime is refreshed every time a matching# packet is found in the dynamic table.
# Allow the packet through if it has previous been added to the # the “dynamic” rules table by an allow keep-state statement. $cmd 00200 check-state
# Run all private Lan packet traffic through the dynamic rules# table so the IP address are in sync with Natd.$cmd 00210 allow all from any to any via xl0 keep-state
# Deny all fragments as bogus packets $cmd 00250 deny all from any to any frag in via $oif
# Deny  ACK packets that did not match the dynamic rule table$cmd 00260 deny tcp from any to any established in via $oif

########  outbound section  ############################################# Interrogate packets originating from behind the firewall, private net.# Upon a rule match, it’s keep-state option will create a dynamic rule.
# Allow out non-secure standard www function$cmd 00300 allow tcp  from any to any 80  out via $oif setup keep-state
# Allow out secure www function https over TLS SSL$cmd 00301 allow tcp  from any to any 443 out via $oif setup keep-state
# Allow out access to my ISP’s Domain name server. $cmd 00310 allow tcp  from any to $odns1 53 out via $oif setup keep-state $cmd 00311 allow udp  from any to $odns1 53 out via $oif keep-state$cmd 00315 allow tcp  from any to $odns2 53 out via $oif setup keep-state  $cmd 00316 allow udp  from any to $odns2 53 out via $oif keep-state
# Allow out send & get email function$cmd 00330 allow tcp from any to any 25  out via $oif setup keep-state$cmd 00331 allow tcp from any to any 110 out via $oif setup keep-state
# Allow out & in FBSD (make install & CVSUP)  functions# Basically give user id root  ”GOD”  privileges.$cmd 00340 allow tcp from me to any out via $oif setup keep-state uid root
# Allow out & in console traceroot command$cmd 00342 allow udp from me to any 33435-33500 out via $oif keep-state  $cmd 00343 allow log icmp from any to me icmptype 3,11 in via $oif limit src-addr 2
# Allow out ping $cmd 00350 allow icmp from any to any   out via $oif keep-state
############ passive FTP rules to public Internet ####### Allow passive FTP control channel 21 & data high ports $cmd 00375 allow tcp  from me to any 21  out via $oif setup keep-state$cmd 00376 allow tcp  from me to any 10000-65000  out via $oif setup keep-state############ End of passive FTP rules to public Internet ######
# Allow out ssh $cmd 00380 allow tcp  from any to any 22   out via $oif setup keep-state
# Allow out TELNET $cmd 00390 allow tcp  from any to any 23    out via $oif setup keep-state
# Allow out Network Time Protocol (NTP) queries #$cmd 00394 allow tcp  from any to any 123   out via $oif setup keep-state#$cmd 00395 allow udp  from any to any 123   out via $oif keep-state
# Allow out Time $cmd 00396 allow tcp  from any to any 37    out via $oif setup keep-state$cmd 00397 allow udp  from any to any 37    out via $oif keep-state
# Allow out ident#$cmd 00400 allow tcp  from any to any 113   out via $oif setup keep-state#$cmd 00401 allow udp  from any to any 113   out via $oif keep-state
# Allow out IRC#$cmd 00410 allow tcp  from any to any 194   out via $oif setup keep-state#$cmd 00411 allow udp  from any to any 194   out via $oif keep-state
# Allow out whois$cmd 00412 allow tcp  from any to any 43    out via $oif setup keep-state$cmd 00413 allow udp  from any to any 43    out via $oif keep-state
# Allow out whois++#$cmd 00415 allow tcp  from any to any 63    out via $oif setup keep-state#$cmd 00416 allow udp  from any to any 63    out via $oif keep-state
# Allow out finger#$cmd 00420 allow tcp  from any to any 79    out via $oif setup keep-state#$cmd 00421 allow udp  from any to any 79    out via $oif keep-state
# Allow out nntp news$cmd 00425 allow tcp  from any to any 119   out via $oif setup keep-state$cmd 00426 allow udp  from any to any 119   out via $oif keep-state
# Allow out gopher#$cmd 00430 allow tcp  from any to any 70    out via $oif setup keep-state#$cmd 00431 allow udp  from any to any 70    out via $oif keep-state

########  inbound section  ############################################# Interrogate packets originating from in front of the firewall, public net.# Place statements here to allow public requests for service.
# Allow in www$cmd 00600 allow tcp from any to any 80 in via $oif setup keep-state limit src-addr 4
# Allow  TCP FTP control channel in & data channel out $cmd 00610 allow tcp from any to me 21  in via $oif setup keep-state limit src-addr 4$cmd 00611 allow tcp from any 20 to any 1024-49151 out via $oif setup keep limit src-addr 4
# Allow in ssh function $cmd 00620 allow log tcp from any to me 22 in via $oif setup keep-state limit src-addr 4
# Allow in Telnet  $cmd 00630 allow tcp from any to me 23 in via $oif setup keep-state limit src-addr 4
# Allow in Ping $cmd 00635 allow log icmp from any to me icmptype 0,8  in via $oif
# This sends a RESET to all ident packets.#$cmd 00640 reset log tcp from any to me 113  in via $oif limit src-addr 4
########  Catch all section  ############################################
#### Start Special rules for Adelphia Cable  #########################
#valid dhcp broadcast from Adelphia dhcp server$cmd 00700 allow UDP from 0.0.0.0 68 to 255.255.255.255 67 in via rl0
# valid FBSD dhcp client request for dns config info$cmd 00701 allow udp from me 68 to $odns1 67      out via rl0$cmd 00702 allow udp from $odns1 67 to me 68       in via rl0
# invalid bogus packets on Adelphia Cable network.$cmd 00705 deny udp from any to 255.255.255.255    in via rl0$cmd 00706 deny udp from 0.0.0.0 to any            in via rl0#               P:2$cmd 00707 deny all  from 192.168.100.1 to 224.0.0.1   in via rl0$cmd 00708 deny udp from $odns1 53 to me           in via rl0#### End Special rules for Adelphia Cable  #########################

# Stop & log external redirect requests.$cmd 00720 deny log icmp from any to any icmptype 5  in via $oif
# Stop & log spoofing Attack attempts.# Examine incoming traffic for packets with both a source and destination# IP address in my local domain as per CIAC prevention alert.$cmd 00730 deny log ip from me to me  in via $oif
# Stop & log ping echo attacks# stop echo reply (ICMP type 0), and echo request (type 8).$cmd 00740 deny log icmp from any to me icmptype 0,8  in via $oif
# Reject & Log all setup of tcp incoming connections from the outside$cmd 00750 deny log tcp from any to any  setup  in via $oif
# Reject & Log all netbios service. 137=name, 138=datagram, 139=session# netbios is ms/windows sharing services.$cmd 00760 deny log tcp from any to any 137,138,139  in via $oif$cmd 00761 deny log udp from any to any 137,138,139  in via $oif
# Reject all port 80 http packets that fall through to here.# These packets are auto spawn web page requests from within # original web page request.$cmd 00770 deny  tcp from any to any 80   out via $oif
# Everything else is denied by default # deny and log all packets that fell through to see what they are$cmd 00950 deny log logamount 500 all from any to any
################## End Of IPFW Firewall Rules  #########################

Other IP stack security options.The main run control configuration file /etc/rc.conf has a whole group of run time security options to control the flood of falsified packets entering the system which get control before IPFW evens knows their coming in.
The following is from my rc.conf file.
# Required IPFW  kernel firewall support# For more info see # www.onlamp.com/pub/a/bsd/2001/04/25/FreeBSD_Basics.html #
firewall_enable=”YES”                 # Start daemonfirewall_script=”/etc/ipfw.stdrules”  # run my custom rules if present                                      # sh /etc/ipfw.stdrules will load                                       # new rules file after editing.filewall_logging=”YES”                # Enable events logging

# Extra firewalling optionslog_in_vain=”YES”           # NO is default. YES enables logging of                             # connection attempts to ports that have no                            # listening socket on them. Put msg on consol
icmp_drop_redirect=”YES”    # YES will cause the kernel to ignore                            # ICMP REDIRECT packets.
tcp_drop_synfin=”YES”       # YES will cause the kernel to ignore TCP                            # frames that have both the SYN and FIN flags                            # set. Only available if the kernel was built                            # with the TCP_DROP_SYNFIN option.                            # change to NO if web server behind firewall.
tcp_restrict_rst=”YES”      # YES will cause the kernel to refrain from                             # emitting TCP RST frames in response to                             # invalid TCP packets (e.g., frames destined                            # for closed ports). This option is only                             # available if the kernel was built with the                            # TCP_RESTRICT_RST option.
syslogd_flags=”-ss”         # Don’t use network sockets so portscan          # will not find (security tip)
portmap_enable=”NO”         # Don’t allow nfs portmapper (security tip)

The  log_in_vain=”YES” option will post a message to the root console screen every time it stops a packet. This became very annoying so I changed the syslog to put these messages in the security log. All the ipfw messages that were going to the /var/log/security file was also going to the /var/log/message file. I did not think it was wise to be posting ipfw messages in more that one place, so I stopped them from going to the message file.  Below are the lines I changed in /etc/syslog.conf to make this happen.

The original lines.*.err;kern.debug;auth.notice;mail.crit /dev/console*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messagessecurity.* /var/log/security
replaced by this lines# kern.info is where the log_in_vain messages come from. The following# will stop the log_in_vain messages from coming out on root console &# put them in the security log.  2/20/2002 Joe Barbish# remove kern.info messages from /dev/console & /var/log/messages# and put them into /var/log/security.*.err;auth.notice;mail.crit /dev/consolekern.notice;kern.=debug /dev/console*.notice;lpr.info;mail.crit;news.err /var/log/messageskern.notice;kern.=debug /var/log/messagessecurity.*;kern.=info /var/log/security

Another very obscure option is blackhole, new in FBSD 4.4
The blackhole sysctl(8) is used to control system behavior when connection requests are received on TCP or UDP ports where there is no socket listening.
Normal behavior, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a RST segment, and drop the connection. The connecting system will see this as a “Connection reset by peer”.
By setting the TCP blackhole MIB to a numeric value of 1, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole.
By setting the MIB value to 2, any segment arriving on a closed port is dropped without returning a RST.  This provides some degree of protection against stealth port scans.
In the UDP instance, enabling blackhole behavior turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted that this behavior will prevent remote systems from running traceroute(8) to a system.
The blackhole behavior is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial of service attack.
The sysctl net.inet.tcp.blackhole=2 command can be entered from the command line and will be in effect until the next boot. The sysctl command can also be in the /etc/sysctl.conf file (which you must create) and if present will be activated during the boot process. Read man sysctl for command format to display settings of this option and some others that allow you to change to default dynamic rules time out values. For the really advanced technical ipfw user check out ipfw user patches at  http://people.freebsd.org/~cjc/
See http://bsdvault.net/sections.php?op=viewarticle&artid=57 for info on sysctl.
See http://www.practicallynetworked.com/sharing/app_port_list.htm  for a list of ports used by different applications.
/etc/sysctl.conf  file contents
sysctl net.inet.tcp.blackhole=2sysctl net.inet.udp.blackhole=1

Here are the statements for the kernel source to include IPFW in the kernel.## The following options add sysctl variables for controlling how certain # TCP packets are handled by the kernel. #options        ICMP_BANDLIM        # Enables icmp error response bandwidth                                      # limiting. This will help protect from                                       # D.O.S. packet attacks.option          TCP_DROP_SYNFIN       # Adds support for ignoring TCP packets                                       # with SYN+FIN. This prevents nmap from                                       # identifying the TCP/IP stack, but                                       # breaks support for RFC1644 extensions                                      # & is not recommended for web servers.
# not supported in 4.4 & newer#option          TCP_RESTRICT_RST     # Adds support for blocking emission of                                      # TCP RST packets. Useful in limiting                                       # SYN floods & port scanning.

# Enable kernel IPFW, the FBSD supplied packet filtering and accounting system# Has a FBSD supplied user land control utility ipfw.# option IPFIREWALL                  # Adds filtering code into kerneloption IPFIREWALL_VERBOSE          # enable logging thru syslogd(8)option IPFIREWALL_VERBOSE_LIMIT=10 # stop attack via syslog floodingoption         IPFIREWALL_IPDIVERT         # Enable NATD divert function

It seems that Pakistan Feudal Party (also known as PPP) government in full swing

to confront independent media using all their internal resources and their external

links to put curbs on genuine journalism and news analysis.

It reminds us of Musharraf’s emergency days when similar was done to stop the voices against their mistakes and crimes.

Recent victim of this PPP government’s feudal martial law is “Meray Mutabiq” of Dr. Shahid Masood which has been banned by the Dubai government to go on air from Dubai.

Recently government, agencies, government sponsored media and journalists have started a massive campaign against independent media and the elements and methods used were pretty much same as of Musharraf times even the allegations are similar like being paid by opposition or serving the foreign agenda (We all know our governments have been serving the foreign agenda not the independent media).

We condemn this action of Pakistan and UAE governments and show our full solidarity with independent media.

We expect the genuine journalists and analysts to continue their role which they have played against dictatorship, against emergency,against innocent killings and illegal abductions, against imperialist takeover of our country ,against NRO and corruption and the role to restore the independent judiciary of Pakistan.

————————————————————————————————————————

Geo’s program ‘Meray Mutabiq’ banned from Dubai

Source: http://www.thenews.com.pk/updates.asp?id=92070

KARACHI: A ban has been imposed on airing of Geo News’ program ‘Meray Mutabiq’ from Dubai.

According to sources, the high government officials of Pakistan exerting pressure on the Dubai government had the airing of the program stopped.

Geo’s administration has said that this step of the government is tantamount to targeting the freedom of expression.

It may be mentioned here that the senior analyst Dr. Shahid Masood was the anchor of ‘Meray Mutabiq’.

Praha hlavní nádraží, is the main train station in Prague. Opened in 1871, it was extended several times, in 1901, 1909 and in the 1970’s. Depending on which side of the station you are entering the building, the impressions can be radically different. I eventually had the opportunity to discover the station and its three main historical layers from the oldest to the newer ones.

First an old art nouveau building, with the famous Fanta cafe and a second-hand clothes hall in one of the tall galleries. An old century remains, the atmosphere may be weird for some visitors, or completely charming, as I thought. Moving further, some stairs going down offer a view a long, dark and partly destroyed 1970’s corridor going under the tracks the hall on the other side of the station. On the opposite entry of this hall, fancy walls, glasses and electronic displays suddenly appear. A completely new hall, renovated, still in construction on some parts. It reminded me some airports, or the main station in Berlin. Shops, everywhere. And some signs, explaining that there is a “modernization” of the station, still in progress.

After some researches, I found out that the railway systems in Czech Republic is concerned by an European operational program, “co-funded by the European Regional Development Fund (ERDF) and the Cohesion Fund under the Convergence Objective “.

According to the European Commission website, this program “ aims to improve accessibility by focusing on constructing and upgrading the Trans-European Transport Networks (TEN-T) network, introducing modern management methods and setting up advanced transport technologies. The completion of the backbone network will enhance the overall transport networks and improve accessibility for the individual regions and their connections. Improving the transport networks, building additional facilities, reducing their environmental impact (e.g. noise barriers) and improving transport quality for users will facilitate the development of transport connections among and within regions, thereby contributing to worker mobility and employment, improved competitiveness and increased quality of life for citizens.”

Some sections of these “renovation and modernization” of the station are financed by the Czech State, and this European Fund. An other, larger part, because it concerns the entire station, is financed through a lease to Grandi Stazioni, an Italian company owned at 60% by the Italian public railways. Grandi Stazioni is in charge of the 13^th biggest station in Italy, and ran the Roma Termini station “modernization” as well. For Prague’s main station, Grandi Stazioni finances the renovation in exchange of a 30 years lease, it expects to get its investment back thanks to the commercial activities in this renovated station. As was explaining the architect Patrik Kotas, in charge of this project, to Radio Praha :

“The main purpose is that there won’t be groups of people that expect the same services as at a street market. What we want are clients similar to those at an airport. And for sure there should not be stands with sausages, bread and mustard served on plastic plates and beer in plastic cups.” And also to say, about the architects of the previous building, who have to give their prior agreement for some changes, “I think that the main worry is the aim of Grandi Stazioni, which is to bring commercial elements to the main station. It might give rise to a fear that it will be turned into a shopping mall. But that is not going to happen. As long as I am a part of the project it isn’t going to happen.”

As the station was apparently insecure, the aim was also to prevent the homeless from staying in the station: Changing the environment at the main train station, changing its character and surrounding, is going to push away those groups – they will not feel comfortable there anymore.”

These statements go back to 2006. When I entered the new part of the station I had a feeling confirmed by these design principles supported by the architect:

Homeless are not in the station’s new part which is indeed too fancy. But they are just outside the building, in front of it. When you can’t fight poverty and homelessness, you hide it. Design is a way to do it.

Private-Public partnership works, but the fears of a new shopping mall, were right I guess. No public space, many shops. Maybe the “modernization” still in progress is about to improve this aspect. The architect was indeed underlining that it wouldn’t be only about these 11,000 square meters of retail spaces : “It’s also about creating space for social interaction. No one would want this station to simply become a shopping mall. A train station should be a meeting place.“

However, if we look again to the goals of the European Transport Programs, it is to improve infrastructures “contributing to worker mobility and employment, improved competitiveness and increased quality of life for citizens”. But here citizens aren’t the homeless; citizens are workers, expected to be good consumers as well.

References

http://www.szdc.cz/en/pro-media/tiskove-zpravy/praha-hlavni-nadrazi.html

http://www.thepraguepost.com/articles/2008/12/10/main-train-station-facelift-unveiled.php

http://ec.europa.eu/regional_policy/country/prordn/details_new.cfm?gv_PAY=CZ&gv_reg=ALL&gv_PGM=1023&LAN=7&gv_per=2&gv_defL=7

http://ec.europa.eu/regional_policy/country/prordn/details_new.cfm?gv_PAY=CZ&gv_reg=ALL&gv_PGM=1023&LAN=7&gv_per=2&gv_defL=7

http://www.radio.cz/en/article/47368

http://www.sydos.cz/cs/rocenka-2005/yearbook/htm_uk/uvod.html

http://www.grandistazioni.it/

http://www.ebrd.com/new/stories/2006/060502.htm

http://www.myczechrepublic.com/prague/main-train-station.html

http://old.radio.cz/en/article/80599