In The Institutes of the Christian Religion (Book II, Chapter 7), Calvin describes three distinct “uses” of the law. Each has a purpose, and each reveals something about God and about us.

Let’s walk through them together.

1. The Law as a Mirror: Revealing Our Sin and Our Need

The first use of the law is like holding a mirror up to our souls. It shows us the reality of our hearts before a holy God.

“The law is like a mirror. In it we contemplate our weakness, then the iniquity which proceeds from this, and finally the curse coming from both.”
— Calvin, Institutes II.7.7

This is perhaps the hardest use to face. God’s commands—You shall have no other gods before me; You shall not covet; You shall love your neighbor as yourself—reflect His perfect righteousness, but they also expose how far short we fall.

Yet this exposure is not cruelty. It’s mercy. It’s the piercing honesty that drives us away from self-reliance and into the arms of Christ. Without the law, we might go on believing that we are “good enough.” With the law, we see that our righteousness must come from Another.

So when the law convicts you—don’t turn away in despair. That conviction is the Spirit’s gentle work, leading you to the cross, where grace meets guilt, and mercy triumphs over judgment.

2. The Law as a Curb: Restraining Evil

The second use of the law is what Calvin calls its civil or political use. Here the law serves to restrain sin in society.

“By fear of punishment, those who are untouched by any care for what is just and right are kept within the bounds of outward obedience.”
— Institutes II.7.10

This doesn’t mean the law changes hearts—it can’t. But it does keep sin from running unchecked in the world. It’s a means by which God preserves a measure of order, justice, and peace, even among those who don’t believe.

This use reminds us that the moral fabric of creation still matters. Laws against theft, murder, or perjury echo the eternal moral law of God written on human hearts. Even in a fallen world, the law’s presence restrains chaos and preserves space for the gospel to be heard.

It is, in that sense, another expression of grace: God’s common grace, holding the world together until Christ makes all things new.

3. The Law as a Guide: Directing the Redeemed

The third use of the law is the one Calvin loved most—and perhaps the one most easily misunderstood.

For those who are in Christ, the law no longer condemns. Instead, it becomes a guide—a lamp for our feet and a light for our path (Psalm 119:105).

“The law is to the flesh like a whip to an idle and balky ass, to urge it on; and, for the spiritual man, in whom the Spirit of God already lives and reigns, it is a lamp and a guide to life.”
— Institutes II.7.12

Here the law becomes not a prison guard, but a tutor and friend. It teaches us how to live in a way that pleases our Father—not to earn His love, but because we already have it.

In this sense, obedience is not legalism. It is gratitude. The law becomes the shape of love, describing what love for God and neighbor looks like in action.

Grace Does Not Erase the Law—It Writes It on Our Hearts

When Calvin speaks of the threefold use of the law, he is ultimately describing how grace restores what sin has broken.

Outside of Christ, the law condemns.
In the world, the law restrains.
In Christ, the law guides.

But in all three uses, the same truth shines through: God’s law reveals God’s heart. It is not the enemy of grace—it is the companion of grace. The gospel doesn’t set us free from the law; it sets us free to love the law, because through the Spirit, the law is now written not on tablets of stone but on hearts made new (Jeremiah 31:33).

So when you read God’s commands, don’t hear a harsh voice of condemnation. Hear the steady voice of your Father, inviting you to walk in the life that He has already given you in Christ.

“Oh how I love your law! It is my meditation all the day.” — Psalm 119:97

May we, like the psalmist and like Calvin, learn to say those words not with fear, but with joy.

The post The Threefold Use of God’s Law: Calvin’s Beautiful Clarity for Troubled Hearts appeared first on David Westerfield.

There was a time after 9/11 I was all about those actions: the War on Terror, the Patriot Act, and so on, justifying every aspect, annoyingly so I might add. My brother fought in both theatres. In Iraq twice. It had to mean something, in light of 9/11, but also for our soldiers’ sacrifices.

Hindsight is 20/20 though. Patriot Act. DHS. TSA. NSA expansion. And now to the present: Disinformation Governance Boards. How did we get here? America really did change that day on 9/11. None of our actions rescinded or with an expiration date.

During the war years of the late 2000’s, two documentaries from Adam Curtis, The Power of Nightmares and Century of the Self, were eye-opening for me, causing me to analyze my own convictions, gradually to be sure.

However, in 2005 in particular, four years after 9/11, while I was still solidly in support of the wars, reports came out from a former AT&T tech of a data room (641A) in an AT&T CO building in downtown San Fran, housing a Narus data mirroring device. What it did I didn’t fully understand at the time. Data splitting and mirroring on fiber lines sounded ominous though. It was like a rock in my shoe. But it was too conspiratorial right? Couldn’t be.

Digging further, it was alleged to be related to NSA surveillance, data mining, and analytics. Those initial claims and reports turned out to be true a year later when former NSA exec @Thomas_Drake1 blew the whistle and said as much. And then @Snowden, 12 years after 9/11, regardless of what you think of what he did and how he did it, exploded the truth onto the world and confirmed it all beyond a shadow of a doubt: a vast array of warrantless data aggregation and mining programs within our own nations’ communications and internet infrastructure that is now all likely a permanent fixture, and expanding, improving.

And that brings us to the present: was it… is it all worth it? Has entrenched power formed and is centralized government growing stronger to the point where one can’t resist these mechanisms, even at the ballot box? And so the debate goes on: liberty vs. security. How much is the populace willing to tolerate regarding privacy in order to be protected? Is the populace willing to relinquish basic civil liberties in the cause of greater supposed security? Or are the tools now becoming more of a threat to the populace than a protector?

The debate really hasn’t changed much in all these years. The tools have. And I don’t know how much choice we really have.

The post Was It All Worth It? appeared first on David Westerfield.

This content is password-protected. To view it, please enter the password below.

Password:

The post Protected: Falcon Install appeared first on David Westerfield.

(Banner photo credit: Dark Winter Days by Inge Bovens)

“Or do you presume on the riches of his kindness and forbearance and patience, not knowing that God’s kindness is meant to lead you to repentance?”

Romans 2:4

Why is it that if God’s kindness, patience and forbearance leads us to repentance from our sin to embrace Christ, we don’t assume the same posture and manner when dealing with others with whom we see falling? Whether it’s our own children, a friend who is wandering, or a relative who pains you with their bad choices leading to a ruined life, or for me as an elder, a congregant/parishioner who is straying from the gospel or at least a life centered upon Christ? Why would we think that anything other than grace and kindness and love and a posture of humility will do when dealing with others in these states of wandering from the truth?

The Risk of Pain and Hurt

I think it’s because grace and mercy toward others is risky. What is it we risk? Not controlling an outcome, or handling a situation correctly, fear of loss, fear of man, maybe reputation. When we’re gracious and kind and forbearing with the faults of others, we risk losing that person to what we fear they’re going after. Or we willingly take the pain they’re causing in ourselves without fighting back against them. Ultimately, we risk injury, because loving others hurts. We open and expose ourselves to pain. So another reason may be self-protection.

Graciousness doesn’t mean not saying hard things. It is in fact gracious to speak the truth, but to do so in love. The question is how do you say it? How do you engage the situation? Is it with the open hands of faith in God’s own mercy to You and having the same open hands of faith in God’s healing, regenerative power toward a falling sinner and being there for them even when disagreeing with their choices?

The risk is real in love. We make ourselves vulnerable to the pain of loss and hurt and betrayal. Which is interesting since this is exactly what Jesus did and experienced Himself.

He Emptied Himself in Love

This classic Philippians 2:4-11 passage of Christ emptying Himself in love for His enemies to make them children of God puts in action an actual, tangible real accomplishment for us and a demonstration what this kind of gracious, interactive love risks:

Let each of you look not only to his own interests, but also to the interests of others. Have this mind among yourselves, which is yours in Christ Jesus, who, though he was in the form of God, did not count equality with God a thing to be grasped, but emptied himself, by taking the form of a servant, being born in the likeness of men. And being found in human form, he humbled himself by becoming obedient to the point of death, even death on a cross. Therefore God has highly exalted him and bestowed on him the name that is above every name, so that at the name of Jesus every knee should bow, in heaven and on earth and under the earth, and every tongue confess that Jesus Christ is Lord, to the glory of God the Father. (ESV)

Philippians 2:4–11

In short, to love is to be willing to empty yourself for others, precisely because that’s what Christ has done for You. And that’s painful. We don’t like pain. We don’t want to be hurt… again by others. We cover up, control, manipulate, and attempt the use of power to get results. It is the American way after all. As Luther put it, in at least a tangential sense, this is a Theology of Glory. “I want to see their life changed so I’m willing to make it happen.” The ends justify the means. In other words, we don’t want to wait on God in prayer and in His timing. We refuse to relinquish control.

The Theology of the Cross though is one of suffering for the sake of others, taking in yourself the pain you experience in the lives of others, whether it’s pain of their making or a pain inflicted upon them. It’s a road marked by weakness, brokenness and few are willing to travel down it because in this life, sometimes it not only gives you nothing, but gives you hurt. To love is to pour yourself out.

However, as also seen in the Philippians passage, the end result is glory. Christ’s glory as the end result is one of His exaltation to possess the name above every name, every knee bowing. Our glory is that we get to really and truly and finally share in that with Him for all eternity as adopted children of the King.

The Impossible Task of Real Love, Possible Only Through Weakness

So how do you move forward if loving like this sounds impossible for you? Well, an acknowledgement of the fact alone is a great start! The truth is this is not something you can just conjure up or accomplish on your own strength with any longevity, but only through the strengthening grace of the love of Christ poured into you. It’s through giving yourself to practices of the faith, or the means of grace (Word, sacraments, prayer): giving yourself to the Word, to prayer, to silence and solitude and meditation on His Word and works in history, fasting and feasting, resting well, creating rhythms of grace (Cosper) that bring you into the work that God by His Spirit is already doing in the world.

Spiritual Formation

This kind of love I’m speaking of isn’t born in a vacuum. Our pastor has done a series of blogs here and a lecture series here that get at the vital importance of these practices in the life of believers. I can’t stress the importance of pursuing them in your life, because to be filled by Christ to overflowing is to be ready and willing and able to pour yourself out for others, even when that is really risky to do and may yield no immediate results.

The way of the cross is foolishness and weakness to the world, but weakness is God’s way of working resurrection life into the world. Let’s take up our cross and follow Him, in His resurrection strength, not our own.

For consider your calling, brothers: not many of you were wise according to worldly standards, not many were powerful, not many were of noble birth. But God chose what is foolish in the world to shame the wise; God chose what is weak in the world to shame the strong; God chose what is low and despised in the world, even things that are not, to bring to nothing things that are, so that no human being might boast in the presence of God. And because of him you are in Christ Jesus, who became to us wisdom from God, righteousness and sanctification and redemption, so that, as it is written, “Let the one who boasts, boast in the Lord.”

1 Corinthians 1:26–31

The post The Risk of Grace appeared first on David Westerfield.

Father we pray for the unborn today, those made in Your image that are subject to some of the greatest brutality in our nation and world, that You would enter into justice on their behalf and bring about needed change, but that this change would start primarily at the level of all of our hearts, change which can only come at the deepest levels through gospel transformation from the inside out. Would You protect these image bearers and bring about the greatest good for the most vulnerable among us, and would we, Your church, come alongside mothers to aid them in their distress when this seems like the only option for them.

Father, as we come to MLK day tomorrow, we’re reminded of the rights and privileges that have been deprived of our fellow image bearers for so long, those mistreated and held in a dehumanizing light by society at large. Father, though we are so thankful for the rights and privileges afforded by the work of so many including Martin Luther King during the civil rights era, we know there is still a long ways to go in bringing about the best possible flourishing for so many minorities and others in our country and pursuing justice on their behalf. Lord help us in this where we see need in our spheres of influence.

For both of these groups, the unborn and those affected by various forms of injustice, would You make us a people that holistically pursues and upholds life from birth to death as those entrusted with the message of eternal reconciliation and resurrection. Would this desire flow from the grace we’ve been shown in the good news of the gospel. For this Lord, You are glorious and worthy to be praised. 

A Prayer from the Book of Common Prayer for this Second Sunday after Epiphany:

Almighty God, whose Son our Savior Jesus Christ is the light of the world: Grant that Your people, illumined by Your Word and Sacraments, may shine with the radiance of Christ’s glory, that he may be known, worshiped, and obeyed to the ends of the earth; through Jesus Christ our Lord, who with You and the Holy Spirit lives and reigns, one God, now and forever. Amen.

The post Sanctity of Life Sunday and MLK Day – A Prayer appeared first on David Westerfield.

Setting up ModSecurity with NGINX and Log4J rules: https://davidwesterfield.net/2021/12/log4j-and-modsecurity/

Setting up ModSecurity with Apache and Log4J rules: https://davidwesterfield.net/2021/12/log4j-apache-and-modsecurity/

The post Log4J Examples in the Wild appeared first on David Westerfield.

Credit to Christian Folini at coreruleset.org for providing the rule.

A major vulnerability has been discovered in Java web apps basic logging function called Log4J/Log4Shell. The best remedy for this is to update Log4j itself, or update the web app platform running Log4j with a newer version provided by the vendor. But that may take a while in many instances to fully implement.

As a stopgap solution, you can implement ModSecurity and Apache (reverse proxy setup) as a Web App Firewall reverse proxy (WAF) in front of your web applications in order to mitigate the potential for attacks. This is merely a front end mitigation, you still need to fix the source of the problem. Most large operations already have some sort of WAF in front of their web apps and just need to add a rule to prevent this attack until they can fix Log4j in their environments.

However in some cases, smaller operations in the cloud or elsewhere may need something pretty quick to mitigate attacks as they don’t have the resources or personnel to tackle such a project.

What follows is a very brief explanation of how to go about doing that (this is assuming a lot of background):

1. In a Linux environment (Ubuntu, Debian, et al) or even a container in the cloud, setup Apache as well as the ModSecurity module.
2. Setup Apache to function as a reverse proxy, pointing to your internal web apps.
3. Using this OWASP rule below, modify the ModSecurity rules, specifically setting it as a rule before the main core rules (CRS) to include the following definition:

# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/|XML://@ "@rx (?:${[^}]{0,4}${|${(?:jndi|ctx))" 
    "id:1005,
    phase:2,
    block,
    t:none,t:urlDecodeUni,t:cmdline,
    deny,
    log,
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', 
    tag:'application-multi',
    tag:'language-java',
    tag:'platform-multi',
    tag:'attack-rce',
    tag:'OWASP_CRS',
    tag:'capec/1000/152/137/6',
    tag:'PCI/6.5.2',
    tag:'paranoia-level/1',
    ver:'OWASP_CRS/3.4.0-dev',

I have modified the above to deny the request instead of just logging it as it was doing on my system for some reason (maybe designed to do that?). So instead of just logging it and allowing the 200 request to pass through regardless, I send it a 403 to block it altogether.

You’ll also want to include the following. From the blog post at coreruleset.org:

The quick fix is to add the User-Agent and the Referer to the targets of the rule. Do this by adding the following two directives after the CRS include in your configuration:

# Defense against CVE-2021-44228
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:User-Agent"
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:Referer"

There is a certain chance this update will trigger new false positives. Personally I do not expect too many, but you have been warned.

If you want to extend the coverage to all HTTP headers, then the following should be applied:

# Defense against CVE-2021-44228 
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"

Hope this provides some kind of prevention for your web applications.

This post will be updated as new rules come out to thwart exploit attempts as new bugs are discovered.

The post Log4J, Apache and ModSecurity appeared first on David Westerfield.

Credit to Christian Folini at coreruleset.org for providing the rule.

A major vulnerability has been discovered in Java web apps basic logging function called Log4J/Log4Shell. The best remedy for this is to update Log4j itself, or update the web app platform running Log4j with a newer version provided by the vendor. But that may take a while in many instances to fully implement.

As a stopgap solution, you can implement ModSecurity and NGINX (reverse proxy setup) as a Web App Firewall proxy (WAF) in front of your web applications in order to mitigate the potential for attacks. You could also use Apache as a reverse proxy with ModSecurity as well, and in some situations may be easier to setup. But this is what I did using NGINX. This is merely a front end mitigation, you still need to fix the source of the problem, Log4J. Most large operations already have some sort of WAF in front of their web apps and just need to add a rule to prevent this attack until they can fix Log4j in their environments.

However in some cases, smaller operations in the cloud or elsewhere may need something pretty quick to mitigate attacks as they don’t have the resources or personnel to tackle such a project.

What follows is a very brief explanation of how to go about doing that:

1. In a Linux environment (Ubuntu, Debian, et al) or even an NGINX container in the cloud, download and install NGINX and compile the ModSecurity module along side of it.
2. Setup NGINX to function as a reverse proxy, pointing to your internal web apps.
3. Using this OWASP rule below, modify the ModSecurity rules, specifically setting it as a rule before the main core rules (I did this in the /etc/nginx/modsec/owasp-modsecurity-crs/rules/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf file) to include the following definition:

# Generic rule against CVE-2021-44228 (Log4j / Log4Shell)
# See https://coreruleset.org/20211213/crs-and-log4j-log4shell-cve-2021-44228/
SecRule REQUEST_LINE|ARGS|ARGS_NAMES|REQUEST_COOKIES|REQUEST_COOKIES_NAMES|REQUEST_HEADERS|XML:/|XML://@ "@rx (?:\${[^}]{0,4}\${|\${(?:jndi|ctx))" \
    "id:1005,\
    phase:2,\
    deny,\
    t:none,t:urlDecodeUni,t:cmdline,\
    log,\
    msg:'Potential Remote Command Execution: Log4j CVE-2021-44228', \
    tag:'application-multi',\
    tag:'language-java',\
    tag:'platform-multi',\
    tag:'attack-rce',\
    tag:'OWASP_CRS',\
    tag:'capec/1000/152/137/6',\
    tag:'PCI/6.5.2',\
    tag:'paranoia-level/1',\
    ver:'OWASP_CRS/3.4.0-dev',\

I have modified the above to deny the request instead of just logging it as it was doing on my system for some reason (maybe designed to do that?). So instead of just logging it and allowing the 200 request to pass through regardless, I send it a 403 to block it altogether.

You’ll also want to include the following. From the blog post at coreruleset.org:

The quick fix is to add the User-Agent and the Referer to the targets of the rule. Do this by adding the following two directives after the CRS include in your configuration:

# Defense against CVE-2021-44228
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:User-Agent"
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS:Referer"

There is a certain chance this update will trigger new false positives. Personally I do not expect too many, but you have been warned.

If you want to extend the coverage to all HTTP headers, then the following should be applied:

# Defense against CVE-2021-44228 
SecRuleUpdateTargetById 932130 "REQUEST_HEADERS"

Hope this provides some kind of prevention for your web applications.

This post will be updated as new rules come out to thwart exploit attempts as new bugs are discovered.

The post Log4J, NGINX and ModSecurity appeared first on David Westerfield.

https://help.ui.com/hc/en-us/articles/360018189493-EdgeRouter-Manual-TFTP-Recovery#7

(Archived): https://westerfunk.net/archives/technology/EdgeRouter%20TFTP%20Manual%20Recovery/

The post EdgeRouter: End of the Road Ultimate Reset appeared first on David Westerfield.

The post Elbit America Army Night Vision Video on Washington Examiner appeared first on David Westerfield.