SavvyAdmin.com

Introduced first in Ubuntu 8.04, UFW is Ubuntu’s “uncomplicated firewall”, a remarkably easy to use tool for creating simple iptables firewall rules. The goal behind UFW is to make it easy for administrators and even third party packages to work with firewall rules in a clean and consistent manner. When UFW is enabled, the default set of rules work very well for the average server or desktop platform, as it blocks all non-essential inbound network access without hobbling certain types of useful protocols and return traffic.

In the following example, we will set up a very simple firewall adequate for almost anyone.

First, let’s check the status of UFW, and the currently installed iptables rule set. The following displays that UFW is disabled and that there are no rules for iptables INPUT chain.

Check firewall status

sudo ufw status
Firewall not loaded

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination

Enable UFW

Now, let’s enable UFW and examine the change to iptables’ INPUT chain.

sudo ufw enable
Firewall started and enabled on system startup

sudo iptables -L INPUT -n | column -t
Chain             INPUT  (policy  DROP)
target            prot   opt      source     destination
ufw-before-input  all    --       0.0.0.0/0  0.0.0.0/0
ufw-after-input   all    --       0.0.0.0/0  0.0.0.0/0

The default policy was changed to drop all traffic, and two new chains are referenced. For a much better understanding of what the default rules are, take a look at the files “/etc/ufw/before.rules” and “/etc/ufw/after.rules“.

Connection Tracking

For your convenience, UFW also enables some very useful connection tracking rules, which intelligently inspect outbound application traffic and dynamically allows the return traffic for you. By default, TCP, UDP, FTP and IRC connection tracking modules are loaded, but others may be added to the IPT_MODULES variable in the file “/etc/default/ufw“.

For example, I sometimes need to use TFTP for sending and receiving firmware to and from routers. So I typically add “nf_conntrack_tftp” to the variable IPT_MODULES.

IPT_MODULES="nf_conntrack_ftp nf_nat_ftp nf_conntrack_irc nf_nat_irc nf_conntrack_tftp"

Remember to reload UFW so that the conntrack module is loaded.

sudo /etc/init.d/ufw restart

Allowing inbound services

If your system runs server applications such as DNS, SSH, TFTP and web, then you can add them to your firewall rules using these very simple commands. If you don’t run servers on your machine, this step can be skipped.

sudo ufw allow 53
sudo ufw allow 22/tcp
sudo ufw allow 69/udp
sudo ufw allow 80/tcp

Notice that the first command I used did not specify UDP or TCP. When omitted, UFW adds both protocols. DNS uses TCP for larger DNS exchanges like zone transfers and huge replies, so you’ll probably want both.

UFW displays the results very nicely.

sudo ufw status
Firewall loaded

To                         Action  From
--                         ------  ----
53:tcp                     ALLOW   Anywhere
53:udp                     ALLOW   Anywhere
22:tcp                     ALLOW   Anywhere
69:udp                     ALLOW   Anywhere
80:tcp                     ALLOW   Anywhere

SYN cookies and more

UFW can be used to load kernel options, too. These are defined in “/etc/ufw/sysctl.conf“. For example, I wanted to enable SYN cookies which was added to thwart certain TCP DoS attacks. Modify the following line to 1 in order to enable the feature.

net/ipv4/tcp_syncookies=1

Logging can suck

Okay, if you’re on a busy network and don’t want to fill up your syslog, you might want to disable UFW’s logging.

sudo ufw logging off

And really that’s all there is to it. Be sure to check out the man page for some more examples and features you may be interested in.

• Comments (2)

As described by the author, Word War Vi is “a retro styled side scrolling shoot’em up arcade game for linux”. The game play is fast paced, complemented by superb audio and very addictive.

At the time of this writing, there was no Ubuntu/Debian package, but compiling the game is a snap.

To get the latest version, please visit the Word War Vi site and download the source code.

Install Prerequisites and Dependencies

$ sudo apt-get install build-essential gnome-core-devel portaudio19-dev libvorbis-dev

Extract, Compile and Install
Replace x.xx in the file name with the current version number of the file downloaded. It shouldn’t need to be mentioned, but just in case. :-)

$ tar zxfv wordwarvi-x.xx.tar.gz
$ cd wordwarvi*
$ make && sudo make install

Execute and Have fun

$ wordwarvi

I noticed when running the game, my audio sounded a bit garbled. Changing the Sound Device seemed to clear it up, although the number varied depending on the sound card of each of the machines I’ve tested it on. Try incrementing the number until one sounds normal.

$ wordwarvi --sounddevice 0
$ wordwarvi --sounddevice 1
$ wordwarvi --sounddevice 2


• Comments (3)

The Linux console framebuffer allows you to achieve higher screen resolutions within your Linux console. However, as of this writing, Ubuntu 7.10 Gutsy by default does not load the required kernel modules. By passing the “vga=XXX” kernel option without these modules loaded, you are left with a blinking cursor in the upper-left hand corner of your screen. Here’s how to get the console framebuffer in working order.

1. Ensure the initrd image includes framebuffer support by adding “fbcon” and “vesafb” to /etc/initramfs-tools/modules.

$ echo "vesafb" | sudo tee -a /etc/initramfs-tools/modules
$ echo "fbcon" | sudo tee -a /etc/initramfs-tools/modules

2. Remove (or comment out) “vesafb” from blacklisted modules in /etc/modprobe.d/blacklist-framebuffer.

#blacklist vesafb

3. Add the desired framebuffer variable to the default kernel options section in /boot/grub/menu.lst. For 1024×768, the string should look like the following.

#defoptions=quiet splash vga=791

4. Update GRUB.

$ sudo update-grub

5. If Usplash is configured for a higher resolution than your framebuffer, it will appear off-centered. So adjust /etc/usplash.conf to use the same resolution.

xres=1024
yres=768

6. Update initramfs to rebuild the initrd image.

$ sudo update-initramfs -u

After rebooting, your usplash will appear as normal and you can Ctrl+Alt+F1 to a console after your X environment has finished loading. The text in your console should now appear much smaller and will be much easier to use for large amounts of console work.

• Comments (0)

If you’re interested in learning Oracle, you’ll be pleased to know that you can install a free version of it called Oracle Database Express Edition (XE); and it’s available for Debian and Ubuntu! This is great for anyone looking to learn one of the most popular enterprise databases in the world, without hurting the wallet. You can also freely distribute and develop against this platform, so it’s definitely worth giving it a try.

Visit their site for more details, and instructions for installing it via Oracle’s very own repository:
http://www.oracle.com/technology/tech/linux/install/xe-on-kubuntu.html

Here’s my own paraphrase of the installation procedures.

Add Repository and Install:

$ echo "deb http://oss.oracle.com/debian unstable main non-free" | \
sudo tee -a /etc/apt/sources.list
$ wget http://oss.oracle.com/el4/RPM-GPG-KEY-oracle -O- | sudo apt-key add -
$ sudo apt-get update
$ sudo apt-get install oracle-xe

Configure and Start Database:

$ sudo /etc/init.d/oracle-xe configure

Get Started:
Applications -> Oracle Database 10g Express Edition -> Get Started

For a great tutorial on how to start using Oracle, be sure to check out the book “Hands-On Oracle Database 10g Express Edition for Linux“, (ISBN: 007226327X). You can find it at your local book store or on the web.

Oracle also has a free online tutorial located on their website:
http://st-curriculum.oracle.com/tutorial/DBXETutorial/index.htm

• Comments (0)

Ubuntu Studio, released in May of 2007, is one of the latest flavors of the Ubuntu family cropping up these days aimed at sound, video and graphics enthusiasts and professionals alike. Sporting the same clean installation one would expect from a standard Ubuntu install, Ubuntu Studio offers a polished desktop, and a slew of open source multimedia applications. If content creation is your cup of tea, check out Ubuntu Studio 7.04 at www.ubuntustudio.org.

• Comments (0)

Updated (11/21/2007): I’ve added an updated version of this How-to on the community supported Ubuntu documentation site. The new document can be found at: https://help.ubuntu.com/community/SinglePacketAuthorization.

Single Packet Authorization (SPA) using “fwknop” is probably one of the coolest recent innovations in server and network access control technology. Just what is SPA, you ask? SPA is a method of limiting access to server and network resources by cryptographically authenticating users before any type TCP/IP stack access is allowed.

In it’s simplest form, your Linux server can have an inbound firewall rule that by default drops all access to any of it’s listening services. Nmap scans will completely fail to detect any open ports, and zero-day attacks will not have any effect on vulnerable services since the firewall is blocking access to the applications.

The server however has a nifty trick up it’s sleeve. An authorized user sends a single encrypted UDP packet that is passively sniffed and analyzed by the fwknopd service running on the server using pcap. If successfully authenticated, fwknopd dynamically creates an iptables firewall rule, granting the source IP address of the authorized client access to the service for a defined period of time (default is 30 seconds). Pretty frickin’ cool, eh?

Okay, so here’s how to get it working in Ubuntu 7.04.

• Continue reading or Comments (3)

UPDATE (11-03-2008): These instructions are no longer applicable to Ubuntu version 8.10 and higher. The latest versions of Ubuntu allow you to use a blank password for your keyring, which will allow user accounts automatically logged in by GDM to access the keyring.

If you are not using the the GDM auto login feature, simply make sure your keyring password is the same as your login password, this way it is automatically unlocked for you. The keyring passwords are now easy to change from “Applications… Accessories… Passwords and Encryption Keys… Edit menu… Preferences… Password Keyrings.” Highlight the “login” entry, and use the “Change Unlock Password” button.

The original instructions below ONLY apply to versions previous to Ubuntu 8.04.

ORIGINAL POST:
If you would like to avoid having to type in a password to access your gnome keyring, then you are in luck. To quote from the authors web site, “PAM_KEYRING is a pam module that launches the gnome-keyring-daemon and then unlocks a keyring using your login password.”

In Ubuntu 7.04, this comes in handy when using Network Manager to connect to your wireless network. Typically users are prompted for the “master” password to their keyring manager immediately after logging on to gnome, and this can become tedious. Installing and configuring PAM_KEYRING is a snap.

1. Install libpam-keyring from universe repositories.

$ sudo apt-get install libpam-keyring

2. Add the pamkeyring module to /etc/pam.d/gdm

$ echo "@include common-pamkeyring" | sudo tee -a /etc/pam.d/gdm

UPDATED: (10/25/2007)
With the release of Ubuntu 7.10 Gutsy, libpam-keyring is no longer needed, as this feature has been built by default in with the package “libpam-gnome-keyring”.

UPDATED: (04/21/2008) - For GDM Auto-Login Users

Sorry for not updating this post sooner. I helped someone else with this offline a while back. Here’s an excerpt from my email. It works well with Ubuntu 7.10 Gutsy, and “should” work with Hardy, unless there’s been some major changes with the libpam-gnome-keyring package that I don’t know about.

The auto login feature of GDM relies on the GDM processes ability to run Gnome as your user account, but it does not have to know the password, as it’s using an “su” command to accomplish the magic.

There lies the problem. The keyring uses the password supplied by the user to unlock itself, and being that no password is supplied to pam, it cannot unlock the keyring.

From a useful bug report, one fellow outlined how he has always done it previously using a login script. He used a tool called “pam-keyring-tool” included with the libpam-keyring package. The new libpam-gnome-keyring package does not include this binary, so in order for this to work, you need compile it from source.

I’ve successfully got it working using the following procedures:

Step 1: Download latest pam_keyring source code. I like to place all source code in /usr/src/:

cd /usr/src/
sudo wget http://www.hekanetworks.com/opensource/pam_keyring/pam_keyring-0.0.9.tar.gz

Step 2: Unpack source code

sudo tar zxfv pam_keyring-0.0.9.tar.gz

Step 3: Install prerequisites

sudo apt-get install build-essential libglib1.2-dev libglib2.0-dev
sudo apt-get install libtool libgnome-keyring-dev libpam0g-dev

Step 4: Compile and Install

cd /usr/src/pam_keyring-0.0.9
sudo ./configure --prefix=/usr
sudo make
sudo cp src/pam-keyring-tool /usr/bin/

Note: I’m not doing a “make install” because I only want this binary to be installed and nothing else)

Step 5: Test binary

/usr/bin/pam-keyring-tool --help

If you get a nice usage menu, you’ll see what the tool options are, and your compilation is complete.

Step 6: Create login script called “unlock-keyring.sh”.

Since the file will contain your password in clear text, you’ll want to keep it in your home folder, readable only by your user. Yes… I know this is lame.

mkdir ~/scripts
sudo chmod 750 ~/scripts
touch ~/scripts/unlock-keyring.sh
sudo chmod 750 ~/scripts/unlock-keyring.sh
sudo gedit ~/scripts/unlock-keyring.sh

Add the following to the script:


#!/bin/bash
echo "PASSWORD_HERE" | /usr/bin/pam-keyring-tool -u -s

Step 7: Add the script to your gnome session startup scripts

System -> Preferences -> Sessions

Under Startup Programs, add a new entry that will appear first in the list. e.g. “1-unlock-keyring”

The command will be:
“/home/USERNAME_HERE/scripts/unlock-keyring.sh”

Step 8: Ensure your /etc/pam.d/gdm-autologin is set to it’s defaults. This was the default Gutsy 7.10 version for reference.

#%PAM-1.0
auth requisite pam_nologin.so
auth required pam_env.so readenv=1
auth required pam_env.so readenv=1 envfile=/etc/default/locale
auth required pam_permit.so
@include common-account
session required pam_limits.so
@include common-session
@include common-password

Step 9: Restart GDM or simply reboot.

I really hope this helps you guys out.

• Comments (19)

If you would like to get your Creative Zen V Plus or related portable music player working in Ubuntu 7.04 and above, you’re in luck!

All you need is “Gnomad2″ as the graphical front end to your players music and playlists, and several libraries that are installed as dependencies (i.e. libmtp5). MTP stands for Microsoft Transfer Protocol, and libmtp5 is the key component to making this work.

As of this writing, the Creative Zen V Plus was not added to the libmtp5 udev rules file. This means that you would need root privileges to run Gnomad2, unless you changed the default permissions. No worries… correcting this is very easy to do.

• Continue reading or Comments (5)

UPDATE (11-04-2008): NetworkManager 0.7 has been introduced with Ubuntu 8.10. This major overhaul includes native support for Mobile Broadband card as shown in the screen-shots below. The great news is that virtually all CDMA cards work right out of the box with no configuration necessary. Thank you, NetworkManager developers! I suggest upgrading to the latest version of Ubuntu, or use the NetworkManager PPA or SVN to at least upgrade to version 0.7.

ORIGINAL POST: Great news! The internal Dell Wireless 5700 Mini PCI Express Card for use with CDMA/EVDO networks is very easy to get working with Linux. The following tutorial was written for Ubuntu 7.04 (and works with 7.10 Gutsy), but the procedures are essentially the same for most Linux distributions. Please consult with your distribution documentation to assist with any differences.

Here’s how to get it going.

• Continue reading or Comments (26)