This passage from the Book of Enoch is interesting in that it underscores a point that Christian churches almost never point out: God doesn't forgive everyone who repents. Christians say, "God loves you," as easily as drug dealers say, "this is the good stuff"... and well, that's not surprising since it's a lot harder to convince sinners to become Christians if you tell them, "you may not go to hell, but let's give it a good try."
What's pernicious about the whole thing is that you end up with a bunch of people who think they're Christian and going to heaven, and when one already believes he's going to heaven, his pride and self-righteousness usually do the rest. This is the same prideful road as those Muslims who believe killing a Jew will land them 72 virgins, and somehow, the words "sex orgy" will have a different meaning in heaven than on earth. On a side note, C.S. Lewis wrote a terrific chapter on pride in his book, "Mere Christianity."
What's even more horrible is that you also have a bunch of people who think that God can be easily fooled. Want to end up in heaven? Well, just repent at any time. It worked for the thief who was hung next to Jesus, so why not you? And you end up with people who expect to sin because, well, no one is perfect, right? And if you do, just confess your sins on your deathbed, and away to heaven you go. What a joke.
In this passage, the fallen angels call on Enoch to be their intercessor and ask God for forgiveness on their behalf. Enoch prayed for them so that they might be forgiven, but he was brought up to God's throne so he could speak in person and meet Him face to face.
The fall of the angels is described in the Book of Enoch. This book, for some reason, was excluded from the Bible... which is really too bad because it contains a wealth of information that answers the questions of a lot of Bible readers. Enoch was one of a very few select men to whom God chose to reveal the mysteries of heaven-- he was brought across all seven levels of heaven and reached God's throne. He was probably the only man, except for Jesus Christ, to skip death completely, in that God raised him directly to heaven in his old age (leaving his wife and children behind). Even Moses died and did not have this privilege.
In this excerpt, we see the fallen angels make a secret agreement with each other to sleep with women of the earth and have children with them. These children grew to become giants, and they were also evil and corrupt. When we say "evil spirits" or "demons," it's actually the spirits of these giants, not the spirits of dead grumpy old men who got pissed that they couldn't take their million-dollar bank accounts with them. It's also because of these giants that God decided to wipe out the earth with the flood.
The fallen angels who slept with the women are called "Watchers," and it's they who introduced men to various crafts from making swords to astrology, to women's make-up.
Pay particular attention that Sataniel (i.e. Satan) is not mentioned here. :) Another passage of interest is one where the fallen angels later repented and asked for God's forgiveness, but God did not forgive their sins. I lost that passage, so I can't give any excerpts here.
I've started reading "Mere Christianity" by C.S. Lewis. For those who aren't into literature, he was the author of the Narnia books, and he was also an atheist who later converted to Christianity with the help of J.R.R. Tolkien (Lord of the Rings). The latter is what interested me, since I was curious as to how he became a convert. In one of the chapters, he used a thought mechanism which I call the "box philosophy"-- something that I use. In this chapter, he made a strong assertion that if an all-powerful God exists, he must be good, and he must be One. In other words, there can't be multiple "gods" as in, for example, Greek mythology, where you have Zeus, Athena, Hera, etc.
There are essentially two views of "good and evil." The first view is that "evil" is a corruption in a world of "good." The second view is that there are two independent powers (good and evil), and these two powers are behind everything that is good and evil and there is an endless war between them. This latter view is called dualism, and it's also similar to the Chinese Yin/Yang philosophy.
Now, the fundamental axiom is that evil cannot exist by itself-- that is, you can't do evil for evil's sake; rather, a person who is doing evil is a person who is trying to do good for himself, but in the wrong or immoral way (such as hurting others in the process). A concrete example is someone who robs a bank to obtain wealth for himself-- i.e. it's good that he wants wealth, but robbing others is the wrong way of reaching that goal. This axiom invalidates the duality theory because evil is now dependent on good--- i.e. there is no one who does evil just because it's evil.... or in other words, an evil action is good for somebody-- usually the evil-doer. This necessarily implies that pure evil is self-destructing, and cannot exist by itself.
Supposing now that there are two "gods"-- one is good and the other one is evil (which one is which is a matter of preference).... then in this case, the god that is doing evil is really someone who is misguided and has gone down the wrong path. This realization implies that there's a higher moral standard under which the behavior of these two gods can be judged--- and this higher power is the real God. If you take a more concrete example-- let's say Zeus, a "god" from Greek mythology-- he is married to his wife Hera, who is also a "god." However, he had several affairs with other women, one of which was a mortal woman, who eventually gave birth to a son-- Hercules. By any man's standard, having an affair with another woman is a wrong thing to do... hence, this moral standard cannot possibly come from Zeus himself, who does the immoral act, but must come from an authority that is higher than Zeus. Therefore, this higher power is the real God, and Zeus is no more divine or morally superior than the average man.
I call this the "box philosophy" because it's similar to fitting something abstract into a bigger box until you can measure some degree of truth. Suppose you're moving to a different house, and you need to move your belongings. How big a truck do you need to move all your stuff? One way is to measure the dimensions of each possession you have, and compute their sum (gee, what are the dimensions of my broom?). If you do that, you'll never get anything done. The fastest way is to put your belongings into boxes of known sizes, then simply count the number of boxes. You put the smaller box into a bigger box, until you have one big box that's measurable. Ultimately, that one big box is the truck that will carry your belongings.
When I was back in high school, I made an assertion that probably still stands even now: you must either believe in God, or believe in aliens.
What?
Consider this: the universe is either infinite, or it is not. If the universe is not infinite, then there is a well-defined boundary, which necessarily means that the boundary is created and designed. Why? In the movie "The Truman Show," Jim Carrey attempts to sail the world, until his boat hits the wall... Why is the wall there? Clearly, the wall is there because someone put it there. A goldfish might ask, "why am I in a bowl?" The existence of the bowl proves the existence of its owner, and the fish knows that there's something beyond the bowl, beyond the boundary, but this is something that it can't reach. If the universe had an end, you might ask, well... what is the "end" made of? If you had a spaceship, would your spaceship hit rubber material? Or solid rock? But what is that made of? What's beyond this material that limits the universe? Let's start drilling and find out about this "bigger" reality-- e.g. maybe the universe is wrapped inside another universe that's even bigger? But if the universe were truly finite, there would be an absolute end: a piece of material you can't drill through... this is where you find your maker... the creator of the wall... i.e. God, on the other side of the wall. This is the point where you realize that you're the fish in the bowl.
Now, if you consider the universe as infinite, with an infinite number of planets and stars.... if you had a spaceship and started travelling one way, your spaceship would never see any end. There would always be more planets, more suns, more galaxies... an endless number of them. In this case, you must necessarily believe in the existence of aliens. Why? Consider the question: what is the probability of life in the universe? Whatever the answer is, it is greater than zero because we exist. If the universe is infinite, then it will beat that probability, no matter how small it is, and therefore, there must be life on another planet somewhere.
You could argue that perhaps the universe is infinite but the number of stars is finite; however, this is a self-defeating argument because what you're essentially saying is that the universe is vastly empty except for a super-micro section of it that contains life. It's as self-defeating as saying that the universe contains an infinite number of stars, but we happen to be the only living things that ever existed in the universe. Logically and mathematically, these arguments don't make sense. To say that we're the only living forms to have ever existed in an infinite universe has the same profound implication as the Christian view of creation, and in fact aligns itself with it. You could also argue that the universe does have a boundary, but no one built it--- however, this argument is as absurd and insane as a man walking into the Great Wall of China and believing that no one built it and that it always existed for no reason at all.
For Christians, though, they needn't worry about the infinite, because the number of stars in the sky is finite. God counts them and calls each star by name (Psalm 174:4), so the probability of aliens existing in our universe is much, much smaller! :)
I came across this New York Times article which lists the top 100 things that waiters should never do. Although most, if not everyone, will probably agree that they're pretty good rules of etiquette to follow, one of them stands out among the rest:
34. Do not have a personal conversation with another server within earshot of customers.
I had lunch at a diner one day, and the waitress was having a loud, hearty conversation with another customer. We were all sitting at the bar, so everyone within twenty feet could hear what the conversation was about. Now, the waitress was pretty busty, and although the man was married, he was talking to her the same way a teenage guy would talk to a cute girl among other male peers--- with a mission to impress and stand out among the rest. In a different, more upscale social setting, he'd probably be identifiable as the guy who drives a Bugatti with something to compensate for.
But I digress. These two were having their private conversation straight through my meal, and it annoyed me so much I left without leaving anything on the table. Annoyed is actually putting it rather lightly. Disrespect is a more accurate word. Why is that? What exactly, then, is the meaning of respect?
How does one 'respect' a person? Is it done through verbal recognition, such as calling a man "sir" instead of "dude"? Does respect manifest in an action, like an employee sucking up to the boss through flattery and being agreeable all the time? The dictionary defines 'respect' as "to hold in esteem or honor"-- useless as usual; they just give you the runaround by stating similar words. I can follow the dictionary's definition of "honor" and it will go back to "respect," which eventually tells me nothing about the real meaning.
Respect is an acknowledgement of and deference to one's existence. How does one 'respect' a person? Ironically, the most appropriate example of one giving respect is at a funeral, when someone gives the dead person a moment of silence. In simpler terms, the measurement of respect is time. Someone who is respectful of others is someone who knows how to shut their mouth and speak only at the appropriate time, which the waitress obviously had no clue about.
Are you following me? A real-life example may make more sense. I hate it when people talk to me while doing other things. If you want to talk to me, stop whatever you're doing and give me 100% of your time and attention. If you're talking to me and making a sandwich at the same time, it shows that your sandwich is just as important as I am, which is insulting, because I'm definitely more important than a sandwich.
So, do you respect your wife? Turn off the TV when you speak to her and look at her eyes. Do you respect your husband? Have the same courtesy.
"If you belonged to the world, the world would love you as one of its own. But because you do not belong to the world and I have chosen you out of it, the world hates you." - John 15:19
By Walter Alan Zintz.
A HEARTWARMING EDIT. Pity poor Hal, a corporate maintenance
programmer. A large module of badly-broken, poorly-patched
legacy code -- the spaghetti variety -- finally broke down
completely yesterday, leaving one corporate division running at
half speed. By dint of some inspired fixes during an all-nighter,
Hal has the module up and running again this morning...but just
as he's ready to go out for food that isn't from a vending
machine, in walks the corporation's VP of IS, with a big
surprise.
``Nice work on that crash fix, Hal; but right now I need some
formatted technical data about it, in a hurry. The Board of Directors'
Information Systems Committee has called a rush meeting this morning
to convince themselves they're on top of the problem. I'll be in
the hotseat, and I need technical data I can put up on the video
projector to keep them occupied.
``They'll want me to discuss the logfile of errors that led up
to the crash . . . yes, I know that's in /oltp/err/m7,
but appending puts the latest report lines at the bottom of the file.
Those suits aren't interested in what they think is ancient history,
and they wouldn't be caught reading anything but a commuter train
timetable from the bottom up,
so you'll have to make a copy with the order of the lines reversed:
what was the last line becomes the first line, what was the second
to the last line is now line number two, and so on.
``And let's take a look at that logfile.
374a12 44872 130295/074457 nonabort
5982d34 971 130295/221938 nonabort
853f7 2184 140295/102309 abort
...Hmmm. Explaining the second column to them would be
advertising the fact that we knew this failure was just waiting
for a chance to happen. So while you're at it, go through and
erase all but the first and last digits of each number in column
two.
``Oh, and when they get tired of that they'll want to
scrutinize the Lint report. Last month I told them that our Lint
substitute was the greatest thing since Marilyn Monroe, so now
they'll want me to tell them why the messages it still generates
on this module aren't real hazards. Just run Lint over the
revamped module; then combine the Lint output with a copy of the
source file by taking each message line like:
Line 257: obsolete operator +=
and putting the significant part at the end of the source line it
refers to. And put a separator, like XXX, between
the source line and the message so I can page through quickly.
Nothing like a hefty dose of source code they can't begin to fathom
to make the meeting break up early.
``And get right on this. The meeting starts in 35 minutes.''
Our VP walks away inwardly smiling, thinking he's getting out
of detailed explanations and putting all the blame on an
underling, just by demanding more editing than anyone could do in
the time available. ``I'll tell the Information Systems
Committee that I made it perfectly clear to the programmer that
we needed this at 9:30, but when I asked him for it a minute ago
he said it wasn't finished and he wasn't sure when it would be.
Then I'll remark that those programmers just can't understand
that keeping management informed is every bit as important as
writing code!''
But Hal has a secret weapon against this squeeze play: an expert
knowledge of the Vi editor.
Reversing the order of the lines in a file is a piece of cake
with this editor. The eight keystrokes in:
:g/^/m0(ret)
will do it. Taking the digits out of the middle of the second column
throughout the file also requires just one command line:
:%s/^\([^ ]* [0-9]\)[0-9]*\([0-9] \)/\1\2(ret)
And integrating the Lint messages into a copy of the source
code? Even that can be automated with the Vi editor. The editor
command:
:%s/Line \([0-9][0-9]*\): \(.*\)/\1s;$; XXX \2(ret)
will turn that file of Lint messages into an editor script,
and running that script on a copy of the source file will mark it
up as requested.
Rather than being portrayed as a bungler, Hal can have it all
ready in a couple of minutes, just by typing a few lines. He'll
even have time to guard against vice-presidential prevarication,
by disappearing into the coffee shop across the street and
reappearing just as the meeting is getting started, to tell the
VP (and everyone else in earshot), ``Those files you wanted are
in slash-temp-slash-hal''.
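Hal's three edits, re-expressed as an added example (not part of Zintz's tutorial) in POSIX sed so they can run from a script: the two substitute patterns are the tutorial's own, because sed and Ex share the same basic regular-expression syntax, and the logfile, Lint output and source file below are constructed here for the demonstration.

```shell
#!/bin/sh
# Added example: the Vi/Ex edits from the story, done with POSIX sed.

# :g/^/m0 moves every line, in turn, to the top of the buffer, which
# reverses the file. The sed equivalent prepends each new line to the
# hold space and prints the accumulated result at the last line.
reverse_lines() {
    sed -n '1!G;h;$p'
}

# :%s/^\([^ ]* [0-9]\)[0-9]*\([0-9] \)/\1\2
# Keep the first and last digit of the second space-separated column and
# drop everything between them (the column must have at least two digits).
mask_column_two() {
    sed 's/^\([^ ]* [0-9]\)[0-9]*\([0-9] \)/\1\2/'
}

# :%s/Line \([0-9][0-9]*\): \(.*\)/\1s;$; XXX \2
# Turn each Lint message into an Ex substitute command addressed to the
# source line it names, e.g. "257s;$; XXX obsolete operator +=".
# The ';' delimiter avoids clashing with slashes in the message text.
lint_to_script() {
    sed 's/Line \([0-9][0-9]*\): \(.*\)/\1s;$; XXX \2/'
}

# Run the generated Ex script over a copy of the source using sed.
# Ex lets the closing delimiter be omitted; sed does not, so one is
# appended to every script line first. $1 = script file, stdin = source.
# Caveat: a message containing ';' or '&' would need escaping first.
apply_markup() {
    sed 's/$/;/' "$1" > "$1.sed"
    sed -f "$1.sed"
    rm -f "$1.sed"
}

# Constructed sample inputs mirroring the story's logfile and Lint output.
LOG=$(printf '%s\n' \
    '374a12 44872 130295/074457 nonabort' \
    '5982d34 971 130295/221938 nonabort' \
    '853f7 2184 140295/102309 abort')
LINT=$(printf '%s\n' \
    'Line 2: obsolete operator +=' \
    'Line 4: variable k set but never read')
SOURCE=$(printf '%s\n' \
    'int main(void)' \
    '{' \
    '    int k = 0;' \
    '    k += 1;' \
    '    return 0;' \
    '}')

demo() {
    echo '--- logfile, newest first, middle digits erased ---'
    printf '%s\n' "$LOG" | reverse_lines | mask_column_two
    echo '--- generated Ex script ---'
    script=$(mktemp)
    printf '%s\n' "$LINT" | lint_to_script > "$script"
    cat "$script"
    echo '--- source copy with Lint messages appended ---'
    printf '%s\n' "$SOURCE" | apply_markup "$script"
    rm -f "$script"
}

demo
```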
THE PLAN OF THIS ONGOING TUTORIAL.
I'm writing here for editor users who have
some fluency in Vi/Ex at the surface level. That is, you know
how to do the ordinary things that are belabored in all the
``Introducing Vi'' books on the market, but rarely venture beyond
that level.
This tutorial series will explore a lot of other capabilities
that hardly anyone knows are in Vi/Ex. That includes quite a few
tricks that may be built on editor functions we all use every day,
but which nonetheless are not obvious -- for instance, telling the
global command to mark every line it encounters. I'll also be
clarifying the real nature of the many misunderstood aspects of
this editor.
To do all this, I'll be explaining things in more depth than
you might think warranted at first. I'll also throw in exercises
wherever they seem helpful. And to save you readers from gross
information overload, I'll write this tutorial in a large number
of fairly small modules, to be put up on our website at a calm,
reasonable pace.
To get a real grasp on this editor's power, you need to know
the basic ideas embodied in it, and a few fundamental building
blocks that are used throughout its many functions.
One cause of editor misuse is that most users, even
experienced ones, don't really know what the editor is good at
and what it's not capable of. Here's a quick rundown on its
capabilities.
First, it's strictly a general-purpose editor. It doesn't
format the text; it doesn't have the handholding of a word
processor; it doesn't have built-in special facilities for
editing binaries, graphics, tables, outlines, or any programming
language except Lisp.
It's two editors in one. Visual mode is a better full-screen
editor than most, and it runs faster than those rivals that have
a larger bag of screen-editing commands. Line editing mode
dwarfs the ``global search and replace'' facilities found in word
processors and simple screen editors; its only rivals are
non-visual editors like Sed where you must know in advance exactly
what you want to do. But in the Vi/Ex editor, the two sides are
very closely linked, giving the editor a combination punch that
no other editor I've tried can rival.
Finally, this editor is at its best when used by people who
have taken the trouble to learn it thoroughly. It's too capable
to be learned well in an hour or two, and too idiosyncratic to be
mastered in a week, and yet the power really is in it, for the
few who care to delve into it. A large part of that power
requires custom-programming the editor: that's not easy or
straightforward, but what can be done by the skillful user goes
beyond the direct programmability of any editor except (possibly)
Emacs.
In quite a few functions of this editor, you can use
string-pattern searching to say where something is to be done or
how far some effect is to extend. These search patterns are a
good example of an editor function that is very much in the Unix
style, but not exactly the same in detail as search patterns in
any other Unix utility.
Search patterns function in both line editing and visual
editing modes, and they work the same way in both, with just a few
exceptions. But how you tell the editor you're typing in a
search pattern will vary with the circumstances.
SEARCHING FROM WHERE YOU ARE NOW.
The more common use for search patterns is
to go to some new place in the file, or make some editing change
that will extend from your present position to the place the
pattern search finds. (In line editing mode it's also possible
to have an action take place from one pattern's location to where
another pattern is found, but both searches still start from your
present location.)
If you want to search forward in the file from your present
location (toward the end of the file), precede the search pattern
with a slash (/) character, and
type another to end the pattern. So if you want to move forward
to the next instance of the string ``j++'' in your file,
typing:
/j++/(ret)
will do it. And so will:
/j++(ret)
When there is nothing between the pattern and the RETURN key,
the RETURN itself will indicate the end of the search pattern, so
the second slash is not necessary. And if you are in visual
mode, the ESCAPE key works as well as RETURN does for ending
search input, so
/j++(esc)
is yet another way to make the same request from visual mode.
To search backward (toward the start of the
file), begin and end with a question mark instead of a slash.
The same rules of abbreviation apply to backward searches, so
?j++?(ret)
?j++(ret)
?j++(esc)
are all ways to head backward in the file to the same pattern.
Either way, you've expressed both your request for a pattern
search and the direction the search is to take in just one
keystroke. But don't assume that if you search backward, any
matching pattern the editor finds will be above your present
position in the file, and vice versa if you search forward. The
editor looks there first, certainly, but if it gets to the top or
bottom line of the file and hasn't found a match yet, it wraps
around to the other end of the file and continues the search in
the same direction. That is, if you used a question mark to
order a backward search and the editor searches all the way
through the top line of the file without finding a match, it will
go on to search the bottom line next, then the second-to-the-bottom
line, and so on until (if necessary) it gets back to the point
where the search started. Or if you were searching forward and
the editor found no match up through the very last line of the
file, it would next search the first line, then the second line,
etcetera.
If you don't want searches to go past either end of the file,
you'll need to type in a line mode command:
:set nowrapscan(ret)
This will disable the wraparound searching during the present
session in the editor. If you want to restore the wraparound
searching mechanism before you leave the editor, typing
:set wrapscan(ret)
will do it, and you can turn this on and off as often as you like.
Up to now, I've been considering searches
that find just one instance of the pattern; the one closest to
your current location in the file, in the direction you chose for
the search. But there is another style of search, used primarily
by certain line editing mode commands, such as global
and substitute. This search
finds every line in the file (or in a selected part of the file)
that contains the pattern and operates on them all.
Don't get confused when using the global
and substitute
commands. You'll often use both styles of
search pattern in one command line. But the find-one-instance
pattern or patterns will go before the command name or abbreviation,
while the find-them-all pattern will come just behind it.
For example, in the command:
:?Chapter 10?,/The End/substitute/cat/dog/g(ret)
the first two patterns refer to the preceding line closest to
the current line that contains the string ``Chapter 10'' and the
closest following line containing the string ``The End''. Note
that each address finds only one line. Combined with the
intervening comma, they indicate that the substitute
command is to operate on those two lines and all the lines in
between them. But the patterns immediately after the substitute
command itself tell the command to find
every instance of the string ``cat'' within that range of lines
and replace it with the string ``dog''.
Aside from the difference in meaning, the
two styles also have different standards for the delimiters that
mark pattern beginnings and (sometimes) endings. With a find-
them-all pattern, there's no need to indicate whether to search
forward or backward. Thus, you aren't limited to slash and
question mark as your pattern delimiters. Almost any punctuation
mark will do, because the editor takes note of the first
punctuation mark to appear after the command name, and regards it
as the delimiter in that instance. So
:?Chapter 10?,/The End/substitute;cat;dog;g(ret)
:?Chapter 10?,/The End/substitute+cat+dog+g(ret)
:?Chapter 10?,/The End/substitute{cat{dog{g(ret)
are all equivalent to the substitution command above. (It is
a good idea to avoid using punctuation characters that might have
a meaning in the command, such as an exclamation point, which
often appears as a switch at the end of a command name.)
The benefit of this liberty comes when
the slash mark will appear as itself in the search pattern. For
example, suppose our substitution command above was to find each
pair of consecutive slash marks in the text, and separate them
with a hyphen -- that is, change // to /-/.
Obviously,
:?Chapter 10?,/The End/substitute/////-//g(ret)
won't work; the command will only regard the first three slashes as
delimiters, and everything after that as extraneous characters at the
end of the command. This can be solved by backslashing:
:?Chapter 10?,/The End/substitute/\/\//\/-\//g(ret)
but this is even harder to type correctly than the first attempt was.
But with another punctuation mark as the separator
:?Chapter 10?,/The End/substitute;//;/-/;g(ret)
the typing is easy and the final command is readable.
SIMPLE SEARCH PATTERNS. The simplest search pattern is just a
string of characters you want the editor to find, exactly as
you've typed them in. For instance: ``the cat''. But, already
there are several caveats:
First, by default a capital letter matches only a capital and a
lower-case letter only a lower-case letter. To make the editor
ignore that distinction, type
:set ignorecase(ret)
To resume letting caps match only caps and vice versa, type
:set noignorecase(ret)
Second, the pattern must lie entirely within one line. A search
for ``the cat'' will not find the phrase where it straddles a
linebreak, as in
and with Michael's careful help, we prodded the
cat back into its cage. Next afternoon several
It makes no difference whether there is or isn't a space
character between one of the words and the linebreak. Finding a
pattern that may break across a line ending is a practically
impossible task with this line-oriented editor.
METACHARACTERS. Then there are search metacharacters or ``wild cards'':
characters that represent something other than themselves in the
search. As an example, the metacharacters . and * in
/Then .ed paid me $50*!/(ret)
could cause the pattern to match any of:
Then Ted paid me $5!
Then Red paid me $5000!
Then Ned paid me $50!
or a myriad of other strings. Metacharacters are what give
search patterns their real power, but they need to be well
understood.
To understand these, you must know the varied uses of the
backslash (\) metacharacter in turning the ``wild
card'' value of metacharacters on and off.
In many cases, the meta value of the metacharacter is on
whenever the character appears in a search pattern unless it is
preceded by a backslash; when the backslash is ahead of it the
meta value is turned off and the character simply represents
itself. As an example, the backslash is a metacharacter by
itself, even if it precedes a character that never has a meta
value. The only way to put an actual backslash in your search
pattern is to precede it with another backslash to remove its
meta value. That is, to search for the pattern ``a\b'', type
/a\\b/(ret)
as your search pattern. If you type
/a\b/(ret)
the backslash will be interpreted as a metacharacter without
any effect (since the letter b is never a metacharacter) and your
search pattern will find the string ``ab''.
Less-often-used metacharacters are used in exactly the
opposite way. This sort of character represents only itself when
it appears by itself. You must use a preceding backslash to turn
the meta value on. For example, in
/\<cat/
the left angle bracket (<) is a metacharacter; in
/<cat/
it only represents itself. These special metacharacters are
pointed out in the list below.
Finally there is a third class, the most difficult to keep
track of. Usually these metacharacters have their meta values on
in search patterns, and must be backslashed to make them
represent just themselves: like our first example, the backslash
character itself. But if you've changed the default value of an
editor variable named magic to turn it off, they work
oppositely -- you then must backslash them to turn their meta value
on: like our second example, the left angle bracket. (Not that
you are likely to have any reason to turn magic
off.) These oddities are also noted in the list below.
And don't forget the punctuation
character that starts and ends your search pattern, whether
it is slash or question mark or something else. Whatever it is,
if it is also to appear as a character in the pattern you are
searching for, you'll have to backslash it there to prevent the
editor thinking it is the end of the pattern.
TABLE OF SEARCH PATTERN METACHARACTERS
. (period) matches any single character except a linebreak.
/default.value/ will find ``default value'', ``default_value'',
``default.value'', and so on.
* (asterisk) matches zero or more consecutive occurrences of the
character (or character class) just before it, so /ab*c/ would
match ``ac'' or ``abc'' or ``abbbc''. To insist on at least one
``b'', use /abb*c/ as your search string. Combined with the
period, /a.*b/ will find an ``a'' followed, on the same line, by
any number of characters (or none) and then a ``b''.
^ (circumflex) at the start of a pattern anchors the pattern to
the beginning of a line: /^cat/ will find ``cat'' only where it
begins a line. Elsewhere in a pattern it is just a character;
/cat^/ will find ``cat^'' anywhere in a line.
$ (dollar sign) at the end of a pattern anchors it to the end of
a line, in the same way.
\< (backslash, left angle bracket) anchors the pattern to the
start of a word: /\<cat/ will find ``cat'' but not the last three
letters of ``concat''. Without the backslash, /<cat/ will find
``<cat''. This is one of the metacharacters whose meta value must
be turned on with a backslash.
\> (backslash, right angle bracket) anchors the pattern to the
end of a word, in the same way.
~ (tilde) stands for the replacement string of your most recent
substitute command, regardless of how many searches you have made
since. For instance, if your last substitute was s/dog/cat/ then
a /the ~/ search pattern will find ``the cat''.
CHARACTER CLASSES. There is one metastring form (a
``multicharacter metacharacter'') used in search patterns. When
several characters are enclosed within a set of brackets ([]),
the group matches any one
of the characters inside the brackets. That is, /part [123]/
will match ``part 1'',
``part 2'' or ``part 3'', whichever the search comes to first.
One frequent use for this feature is in finding a string that may
or may not be capitalized, when the editor variable
ignorecase is turned off (as it is by default). Typing /[Cc]at/
will find either ``Cat''
or ``cat'', and /[Cc][Aa][Tt]/ will
find those or ``CAT''. (In case there was a slip of the shift key
when ``CAT'' was typed in, the last pattern will even find
``CaT'', ``CAt'', etcetera.)
There's more power (and some complication) in another feature
of this metastring: there can be metacharacters inside it.
Inside the brackets, a circumflex as the first character reverses
the meaning. Now the metastring matches any one character that
is NOT within the brackets. A /^[^ ]/
search pattern finds a line that does not begin with a space character.
(You're so right if you think that the different meta values of the
circumflex inside and outside the character class brackets is not
one of the editor's best points.) A circumflex that is not the
first character inside the brackets represents just an actual
circumflex.
A hyphen can be a metacharacter within the brackets, too.
When it's between two characters, and the first of the two other
characters has a lower ASCII value than the second, it's as if
you'd typed in all of the characters in the ASCII
collating sequence from the first to the second one,
inclusive. So /[0-9]%/ will find
any numeral followed by the percent sign (%), just
as /[0123456789]%/ would. A /[a-z]/
search pattern will match
any lower-case letter, and /[a-zA-Z]/
matches any letter, capital or lower case. These two internal
metacharacters can be combined: /[^A-Z]/
will find any character except a capital letter. A hyphen that
is either the first or the last character inside the brackets has
no meta value. When a character-hyphen-character string has a
first character with a higher ASCII value than the last
character, the hyphen and the two characters that surround it are
all ignored by the pattern search, so /[ABz-a]/ is the same as /[AB]/.
Backslashing character classes is complex. Within the
brackets you must backslash a right bracket that's part of the
class; otherwise the editor will mistake it for the bracket that
closes the class. Of course you must backslash a backslash that
you want to be part of the class, and you can backslash a
circumflex at the start or a hyphen between two characters if you
want them in the class literally and don't want to move them
elsewhere in the construct. Elsewhere in a search pattern you
will have to backslash a left bracket that you want to appear as
itself, or else the editor will take it as your attempt to begin
a character class. Finally, if magic is turned off,
you'll have to backslash a left bracket when you do want it to
begin a character class.
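The bracket-expression rules above can be tried at the shell, because POSIX basic regular expressions share this character-class syntax with the ex/vi search pattern. The following is an added example, not part of the original tutorial: a constructed sample text and a small function that counts how many of its lines a given pattern matches, run once for each pattern discussed above.

```sh
#!/bin/sh
# Added example, not from the original tutorial: the bracket-expression rules
# described above, exercised with grep. POSIX basic regular expressions share
# this character-class syntax with the ex/vi search pattern, so the same
# patterns can be tried at the shell.

# Constructed sample text (one record per line); not from the original page.
SAMPLE='part 1
part 2
part 7
Cat
cat
CAT
CaT
 indented line
42% done
x-y
[bracketed]'

# count_matches PATTERN: how many sample lines the basic regular expression
# PATTERN matches. LC_ALL=C makes ranges such as [a-z] follow ASCII order,
# as the text above assumes; in other locales a range may sort differently.
count_matches() {
    printf '%s\n' "$SAMPLE" | LC_ALL=C grep -c -- "$1" || true
}

# Stand-alone use: each line prints the count for one pattern from the text.
count_matches 'part [123]'      # 2: part 1 and part 2, not part 7
count_matches '[Cc][Aa][Tt]'    # 4: Cat, cat, CAT, CaT
count_matches '^[^ ]'           # 10: every line except the one beginning with a space
count_matches '[0-9]%'          # 1: 42% done
count_matches '[^A-Z]'          # 10: every line holding a non-capital; CAT alone has none
count_matches '\[bracketed'     # 1: a backslashed [ outside a class is a literal bracket
count_matches 'x[-]y'           # 1: a hyphen that is first (or last) in a class is literal
```

Note that grep reports matching lines rather than the first match, so the counts show which records a pattern would reach rather than where a search would stop.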
## Fragments of a related setup: OpenVPN authenticating users through PAM with a YubiKey.
## server.conf: hand the username/password check to PAM, under the PAM service name "openvpn"
plugin /usr/lib/openvpn/openvpn-auth-pam.so openvpn
client-cert-not-required ## TLS no longer authenticates the client, so everything rests on the PAM step (later releases spell this verify-client-cert none)
username-as-common-name ## use the authenticated username, not the certificate CN, as the client's name
## client config: prompt for the username and one-time password (the directive is auth-user-pass; "user-auth-pass" is not a valid option)
auth-user-pass
## /etc/pam.d/yubimap: one line per user, mapping a username to that user's YubiKey public ID
username:publicId
## /etc/pam.d/openvpn: the PAM stack the plugin runs. With pam_yubico "required" and common-auth
## included, both the one-time password and the account password have to pass.
auth required /usr/local/lib/security/pam_yubico.so authfile=/etc/pam.d/yubimap id=16
@include common-auth
@include common-account
@include common-session
@include common-password
## Errors seen when the module cannot resolve libpam symbols from inside the OpenVPN process:
PAM [error: /lib/security/pam_yubico.so: undefined symbol: pam_set_data]
pam_authenticate FAILED for. Reason: Module is unknown
## Workaround applied: preload libpam before starting openvpn so the symbols resolve
export LD_PRELOAD=/lib/libpam.so.0.81.6
## Warning OpenVPN prints when redirect-gateway is in effect but it cannot find the host's default route:
"Cannot read current default gateway from system"
server-bridge 192.168.1.100 255.255.255.0 192.168.1.200 192.168.1.220
redirect-gateway def1
dhcp-option DNS 192.168.1.100
push "dhcp-option DOMAIN blah.com"
OpenVPN is a Virtual Private Networking (VPN) solution provided in the Ubuntu repositories. It is flexible, easy to use, reliable and secure. I'll walk you through setting up a bridged VPN on Ubuntu 8.04 using X.509 certificates, and then through the general administration tasks.
A bridged VPN allows the clients to appear as though they are on the same local area network (LAN) as the server system. The VPN accomplishes this with a combination of two virtual devices: a bridge and a tap device. A tap device acts as a virtual Ethernet adapter and the bridge acts as a virtual hub. When you bridge a physical Ethernet device and a tap device, you are essentially creating a hub between the physical network and the remote clients, so all LAN services are visible to the remote clients. That is also the security trade-off: a connected client has the same layer-2 reach as a machine plugged into the LAN switch, so a routed (tun) setup is the better default unless broadcast traffic has to cross the VPN. My use case was one that does: creating a virtual lab for my company's sales engineers so that remote embedded clients anywhere in the world could be net booted.
Setting up a bridged VPN solution is not hard. However, it does require that you understand how to use the Linux shell and the Linux networking stack.
This entire installation was performed using Ubuntu JeOS 8.04 in a KVM virtual machine, but it could just as easily have been done on Ubuntu Server. In my configuration eth0 is connected to the internet and eth1 is connected to the network that will be bridged. All of my comments in configuration files are preceded by two pound signs (##).
OpenVPN and the bridge utilities are installed with
sudo apt-get install openvpn bridge-utils
Now you need to edit /etc/network/interfaces. Commonly, you have a Linux server behind a NAT firewall and want to provide access to a small network; your /etc/network/interfaces probably looks something like this:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo eth0
iface lo inet loopback
# The primary network interface
## This device provides internet access.
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
We're going to edit this and add a bridge interface. Go ahead and run
sudo vi /etc/network/interfaces
After you're done editing it, it should look approximately like this:
## This is the network bridge declaration
auto lo br0 ## start on boot
iface lo inet loopback
iface br0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.1
bridge_ports eth0
iface eth0 inet manual
up ifconfig $IFACE 0.0.0.0 up
up ip link set $IFACE promisc on
down ip link set $IFACE promisc off
down ifconfig $IFACE down
If you are running linux inside a virtual machine, you may want to add the following parameters to the bridge connection:
bridge_fd 9 ## from the libvirt docs (forward delay time)
bridge_hello 2 ## from the libvirt docs (hello time)
bridge_maxage 12 ## from the libvirt docs (maximum message age)
bridge_stp off ## from the libvirt docs (spanning tree protocol)
To restart networking, run
sudo /etc/init.d/networking restart
The bridge declarations here come from the libvirt documentation. I really only understand the bridge_ports and bridge_stp directives, so if you know more than I do, help me out.
Next, we need to generate certificates for the server. To do this I will set up my own Certificate Authority using the easy-rsa scripts provided in the /usr/share/doc/openvpn/examples/easy-rsa/ directory. An alternative is the graphical program tinyca.
Step 1:
sudo mkdir /etc/openvpn/easy-rsa/
sudo cp -R /usr/share/doc/openvpn/examples/easy-rsa/2.0/* /etc/openvpn/easy-rsa/
Step 2:
sudo vi /etc/openvpn/easy-rsa/vars
Change these lines at the bottom so that they reflect your new CA.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="SanFrancisco"
export KEY_ORG="Fort-Funston"
export KEY_EMAIL="me@myhost.mydomain"
Step 3:
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
sudo chown -R root:admin . ## make this directory writable by the system administrators
sudo chmod g+w . ## make this directory writable by the system administrators
source ./vars ## execute your new vars file
./clean-all ## Setup the easy-rsa directory (Deletes all keys)
./build-dh ## generates the Diffie-Hellman parameters; takes a while, consider backgrounding it (easy-rsa 2.0 uses KEY_SIZE from vars, 1024 by default; 2048 is the minimum worth using today)
./pkitool --initca ## creates the CA cert and key
./pkitool --server server ## creates a server cert and key, marked for server use
cd keys
openvpn --genkey --secret ta.key ## build the tls-auth key: a shared HMAC secret that the server and every client must hold
sudo cp server.crt server.key ca.crt dh1024.pem ta.key ../../ ## ca.key stays behind in keys/, the running server never needs it; server.key and ta.key are secrets, keep them readable by root only
Your Certificate Authority is now set up and the needed keys are in /etc/openvpn/.
By default, every server described by a *.conf file in the /etc/openvpn/ directory is started on boot. Therefore, all we have to do is create a new file named server.conf in that directory.
First, we're going to create a couple of new scripts to be used by the openvpn server.
sudo vi /etc/openvpn/up.sh
This script should contain the following
#!/bin/sh
BR=$1
DEV=$2
MTU=$3
/sbin/ifconfig $DEV mtu $MTU promisc up
/usr/sbin/brctl addif $BR $DEV
Now, we'll create a "down" script.
sudo vi /etc/openvpn/down.sh
It should contain the following.
#!/bin/sh
BR=$1
DEV=$2
/usr/sbin/brctl delif $BR $DEV
/sbin/ifconfig $DEV down
Now, make both scripts executable.
sudo chmod +x /etc/openvpn/up.sh /etc/openvpn/down.sh
And now on to configuring openvpn itself.
sudo vi /etc/openvpn/server.conf
mode server
tls-server
#local your.server.ip.here ## uncomment and set the server's IP/hostname to bind to that address only; without it OpenVPN listens on all addresses
port 1194 ## default openvpn port
proto udp
#bridging directive
dev tap0 ## If you need multiple tap devices, add them here
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
persist-key
persist-tun
#certificates and encryption
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem # 1024-bit parameters were the easy-rsa default in 2008; regenerate with at least 2048 bits for anything still in use
tls-auth ta.key 0 # This file is secret; 0 = server direction, clients use 1
cipher BF-CBC # Blowfish was the default in 2008; it is a 64-bit-block cipher, so prefer AES-256-GCM (or AES-256-CBC on releases without GCM) and set the same value on the clients
comp-lzo # compression inside the tunnel opens a compression-oracle side channel; leave it out unless you need it
#DHCP Information
ifconfig-pool-persist ipp.txt
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
push "dhcp-option DNS your.dns.ip.here"
push "dhcp-option DOMAIN yourdomain.com"
max-clients 10 ## set this to the max number of clients that should be connected at a time
#log and security
user nobody ## drop root after start-up; persist-key/persist-tun above keep restarts working once privileges are gone
group nogroup
keepalive 10 120
status openvpn-status.log
verb 3
Don't forget to either reboot or run the command below. This will restart openvpn and load the new config.
sudo /etc/init.d/openvpn restart
This section walks you through creating client certificate and key files and setting up a client configuration file. The files can then be used with OpenVPN on a client platform. The described configuration works with OpenVPN GUI for Windows and with Tunnelblick for Mac OS X; for a detailed discussion of each, refer to their respective home pages. It should also be compatible with Linux OpenVPN clients.
Generating certificates and keys for a client is very similar to the process used for generating server certificates. It is assumed that you have already set up the /etc/openvpn/easy-rsa/ directory and updated the /etc/openvpn/easy-rsa/vars file as described above, and that your Certificate Authority, server certificate and server key already exist.
cd /etc/openvpn/easy-rsa/ ## move to the easy-rsa directory
source ./vars ## execute your vars file
./pkitool client ## create a cert and key named "client"; client.crt, client.key, ca.crt and ta.key must reach the client over a trusted channel, and client.key and ta.key stay secret
The client configuration has been adapted from the OpenVPN 2.0 sample configuration file. For Windows, the file should be named client.ovpn and for other operating systems, the file should be named client.conf. The file can be created using vi or other editor that can create plain text files.
The configuration file assumes that there is only one TUN/TAP device configured on the client.
### Client configuration file for OpenVPN
# Specify that this is a client
client
# Bridge device setting
dev tap
# Host name and port for the server (default port is 1194)
# note: replace with the correct values your server set up
remote your.server.example.com 1194
# Client does not need to bind to a specific local port
nobind
# Keep trying to resolve the host name of OpenVPN server.
## The windows GUI seems to dislike the following rule.
##You may need to comment it out.
resolv-retry infinite
# Preserve state across restarts
persist-key
persist-tun
# SSL/TLS parameters - files created previously
ca ca.crt
cert client.crt
key client.key
# Since we specified tls-auth for the server, we need it for the client
# note: 0 = server, 1 = client
tls-auth ta.key 1
# The server certificate was built with pkitool --server. Adding remote-cert-tls server
# (ns-cert-type server on OpenVPN 2.0) makes the client check that marking, so another
# client's CA-signed certificate cannot pose as the server.
# Specify same cipher as server
cipher BF-CBC
# Use compression
comp-lzo
# Log verbosity (to help if there are problems)
verb 3
Place the client.ovpn (or client.conf) configuration file along with the certificate and key files in the openvpn configuration directory on the client. With the above set up, the following files should be in the configuration directory.
client.ovpn
ca.crt
client.crt
client.key
ta.key
For OpenVPN GUI for Windows, the default location for the files is C:\Program Files\OpenVPN\config.
For Tunnelblick for Mac OS X, the default location for the files is ~username/Library/openvpn.
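As an added example, not code from the original post, here is a small POSIX shell lint for configs of the shape built in this walkthrough. It encodes the points a reviewer would raise against the 2008-era settings: BF-CBC and other 64-bit-block ciphers, 1024-bit DH parameters, compression, a missing tls-auth, a server that keeps root, and a client without remote-cert-tls. The three sample configs are constructed here from the walkthrough's own server.conf and client.conf; the thresholds and the AES-256-GCM recommendation are this example's, not the post's.

```sh
#!/bin/sh
# Added example, not from the original post: lint OpenVPN configs of the kind
# built in this walkthrough for the settings a reviewer would flag today.

# Constructed sample 1: the walkthrough's server.conf, as written in 2008.
LEGACY_SERVER='mode server
tls-server
port 1194
proto udp
dev tap0
up "/etc/openvpn/up.sh br0"
down "/etc/openvpn/down.sh br0"
persist-key
persist-tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
tls-auth ta.key 0
cipher BF-CBC
comp-lzo
server-bridge 192.168.1.10 255.255.255.0 192.168.1.100 192.168.1.110
user nobody
group nogroup'

# Constructed sample 2: the same server with the settings a current deployment
# would use (2048-bit DH, AES-256-GCM, no compression).
HARDENED_SERVER=$(printf '%s\n' "$LEGACY_SERVER" \
    | sed -e 's/^dh dh1024.pem$/dh dh2048.pem/' \
          -e 's/^cipher BF-CBC$/cipher AES-256-GCM/' \
          -e '/^comp-lzo$/d')

# Constructed sample 3: the walkthrough's client.conf.
LEGACY_CLIENT='client
dev tap
remote your.server.example.com 1194
nobind
persist-key
persist-tun
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher BF-CBC
comp-lzo
verb 3'

# has_directive CONF NAME: succeed if NAME appears as a directive (comments never match).
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2([[:space:]]|$)"
}

# directive CONF NAME: print the argument(s) of the first NAME directive, or nothing.
directive() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | head -n 1
}

# lint_conf CONF: print one finding per line; print nothing for a clean config.
lint_conf() {
    conf=$1
    cipher=$(directive "$conf" cipher)
    case $cipher in
        ''|BF-CBC|DES-*|CAST5-*|RC2-*)
            echo "cipher: ${cipher:-not set (older releases default to BF-CBC)}; 64-bit-block ciphers are unsafe for long-lived tunnels, use AES-256-GCM" ;;
    esac
    if has_directive "$conf" comp-lzo; then
        echo "comp-lzo: compression inside the tunnel enables compression-oracle plaintext recovery; remove it"
    fi
    if ! has_directive "$conf" tls-auth && ! has_directive "$conf" tls-crypt; then
        echo "tls-auth: missing; control-channel packets are accepted unauthenticated"
    fi
    # Server-only checks: DH strength and privilege drop.
    if has_directive "$conf" tls-server || has_directive "$conf" server-bridge; then
        dh=$(directive "$conf" dh)
        case $dh in
            *512*|*1024*) echo "dh: '$dh' is too small; generate at least 2048-bit parameters" ;;
        esac
        has_directive "$conf" user || echo "user: the daemon keeps root after start-up; add 'user nobody'"
    fi
    # Client-only check: the client must insist on a server-marked certificate.
    if has_directive "$conf" client; then
        has_directive "$conf" remote-cert-tls || has_directive "$conf" ns-cert-type \
            || echo "remote-cert-tls: missing; any CA-signed certificate, including another client's, could pose as the server"
    fi
}

# finding_count CONF: number of findings lint_conf reports.
finding_count() {
    lint_conf "$1" | grep -c . || true
}

# Stand-alone use: the two legacy files produce findings, the hardened server none.
lint_conf "$LEGACY_SERVER"
lint_conf "$HARDENED_SERVER"
lint_conf "$LEGACY_CLIENT"
```

Run against the walkthrough's own files the lint reports three findings for the server (cipher, compression, DH size) and three for the client (cipher, compression, no remote-cert-tls); the hardened server passes clean. The checks are deliberately textual, so they can run on a workstation without OpenVPN installed.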
For further instructions, you may consult the official OpenVPN Howto.