Jeder, der Linux-Server verwaltet oder z.B. Linux-SOHO-Router1) betreibt, wird früher oder später mit dem Thema ”iptables/Netfilter” (bzw. ip6tables/Netfilter6) konfrontiert. Oft hangeln sich die jeweiligen Administratoren und Benutzer dann via Google von HowTo zu HowTo, und zimmern sich mit gefährlichem Halbwissen eine iptables-Firewall-Konfiguration zusammen. Alternativ wird zu Shorewall oder vergleichbaren Projekten gegriffen.
Falls man sich mit Linux basierenden Firewalls auseinandersetzen will, kann ich stattdessen jedem das Buch Linux-Firewalls von Ralf Spenneberg in seiner neusten Auflage empfehlen. Es ist sehr gut strukturiert und äußerst verständlich geschrieben, sofern man zumindest die absoluten Grundlagen eines Netzwerks hinsichtlich IP, TCP und UDP beherrscht. Der Autor führt den Leser gut an das Thema heran. Alles beginnt mit der Erklärung einfacher stateless-Paketfilter und geht dann über zu gut nachvollziehbaren stateful-iptables-Regeln. Es wird dabei genau für die Art von Grundverständnis gesorgt, welches bei einfachen Tutorials im Netz meist unter den Tisch fällt. Anschließend werden DMZ, transparente Firewalls, NAT-Router und vieles mehr mit iptables gebaut. Connection Tracking und dessen Konfiguration, wichtige Kernel-Parameter, Protokollierung und hilfreiche Werkzeuge nehmen ebenfalls einen großen Teil des Buchs ein. Auch das Thema IPv6 wird sehr verständlich betrachtet und das nötige Wissen vermittelt, um IPv6-fähige Firewalls betreiben zu können. Alles in allem kann ich das Buch uneingeschränkt empfehlen, auch als Nachschlagewerk.
If you are searching for a powerful laptop to run Fedora 15 Lovelock on, have a look at the Lenovo ThinkPad T420 4180W1G/4180PH1.1) It simply rocks. All the internal peripherals are working out of the box (LAN, WLAN, graphics, sound, microphone, webcam, volume up/down and mute buttons, brightness control buttons, eSATA…). The Intel HD3000 processor graphics runs smoothly. Even no problems with external monitors up to a 2560×1600 resolution or when using both the built-in screen plus an external monitor connected to the Mini Dock Series 3 45N6678 docking station. The Intel Core i5-2520M CPU provides VT-d and VT-x. So everything is fine if you want to run VMs.
Downsides, pitfalls and notes:
- The built-in speakers are really bad, even for a laptop.
- The keyboard shows signs of cosmetic wear after a few weeks of usage.
- Microsoft tax a.k.a. Windows 7 Professional 64bit. At least, you can use the pre-installed Windows to update the laptop's firmware with a few clicks before installing Linux. And the license may be used to run a Windows 7 VM (although the laptop is shipped without installation media, you can download the original Windows 7 ISO images from Digital River).
- I can't tell if the fingerprint sensor and the Class 1 Smartcard Reader are working out of the box because I do not need nor did I test them. But the Smartcard Reader is at least recognized by the OS.
- When using the Mini Dock Series 3 45N6678, the analog sound line-out is not passed-through (everything else works). This means you still have to use the laptop's headphone connector to connect speakers.
- If you are looking for similar models out of the T420 family, you should know that some of them got two graphics adapters (a combination of Intel and NVIDIA). I don't know if these make any trouble or need special configuration because the 4180W1G/4180PH1 comes with Intel graphics only.
Tip for German readers: Studenten, Lehrer, Lehrkräfte und wissenschaftliche Mitarbeiter bekommen das ThinkPad T420 4180PH1 bei Brünings + Sander mit erheblichem Rabatt. Ich habe nichts mit der Firma zu tun und bekomme auch keine Provision. Aber meine Erfahrungen mit B+S waren bisher stets positiv.
The HPC 615 was very popular because of its attractive cost-performance ratio.1) I just installed Fedora 15 Lovelock on a HPC 615 with AMD Athlon X2, 320GiB HDD, ATI Radeon HD3200 and 4GiB RAM. Everything works out-of-the-box with one exception: Wireless LAN. There was no firmware for the Broadcom BCM4312 WLAN chip. However. Version 220.127.116.11 of the proprietary firmware works like a charm:
- The B43 firmware cutter tool is used to extract and install the proprietary Broadcom firmware. Use a LAN cable to get internet connection. Open a terminal and install it:
su -c 'yum install b43-fwcutter'
- Download the firmware and use
b43-fwcutterto extract and install it:
su - cd /tmp wget http://downloads.openwrt.org/sources/broadcom-wl-18.104.22.168.tar.bz2 tar xjf ./broadcom-wl-22.214.171.124.tar.bz2 cd ./broadcom-wl-126.96.36.199/driver/ b43-fwcutter -w /lib/firmware/ wl_apsta_mimo.o
Reboot or restart the network. Your WLAN should work now.
Note: I tried several things before. Known solutions and
b43-openfwwf were not able to provide a stable connection when using WPA2. Same for other versions of the proprietary Broadcom firmware.
Font rendering is a matter of taste. However, I personally think Ubuntu's default font rendering is the most eye-pleasing one of the whole Linux eco-system. And if a website's CSS font stack is looking good on Ubuntu, you can be relatively sure that it also works for Mac or MS Windows as long as the used fonts are available on these platforms. It is not hard to get the same font rendering on Fedora. This text is just a bit longer than a few commands because I try to provide additional background information and useful web-search-keywords which you may need if you have other targets than a 100% Ubuntu-like rendering.
To achieve the desired result, you have to know which parameters exist and how to change them. The most important things are:
- Resolution (DPI).
- Font hinting and the used font hinting method.
- Font rasterization. Especially the used anti-aliasing method and its strength.
- The used font rendering engine. The one shipped with Fedora comes without subpixel rendering (more on this later).
So let's look at the defaults applied on Ubuntu 10.10. You can do this on the terminal with
Xft.dpi: 96 Xft.antialias: 1 Xft.hinting: 1 Xft.hintstyle: hintslight Xft.rgba: rgb Xft.lcdfilter: lcddefault
As you can see, Ubuntu is using RGB anti-aliasing with subpixel rendering (lcd-default means “subpixel (LCD)” method) and slight font hinting. Now compare this with the default values on Fedora 15 Lovelock:
Xft.antialias: 1 Xft.dpi: 96 Xft.hinting: 1 Xft.hintstyle: hintmedium Xft.rgba: none
This shows that Fedora does use grayscale anti-aliasing, a stronger font hinting style and no subpixel rendering by default. This is the reason why the same fonts look different on Fedora and Ubuntu.
What to do
- Install the freetype-freeworld package. You need subpixel rendering the achieve the same results as on Ubuntu. The FreeType rendering engine shipped by default comes without it but you can install the
freetype-freeworldpackage out of the RMPfusion-free repository to get a version with subpixel rendering. If not already happend, enable RPM Fusion on your system. Open a terminal and install the
su -c "yum install freetype-freeworld"
You should know that subpixel rendering is patented and therefore not completely free (as in speech). Using this package might not be legal in your country. The choice is yours and it is your legal responsibility to make sure that the software you are installing can be legally used.
- Adjust the hinting style and enable RGB anti-aliasing. Ubuntu it using
hintslighthinting by default, Fedora comes with
hintmedium. Additionally, we need RGB instead of grayscale anti-aliasing. Open a terminal and execute the following commands to set the anti-aliasing and hinting style:
gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "hinting" "slight" gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "antialiasing" "rgba"
- Activate the lcddefault lcdfilter. Unfortunately, there is no GSettings key for it (at least as I'm writing this), therefore you have to create a hidden
.Xresourcefile with the
Xft.lcdfilter: lcddefaultsetting in your home directory. Open a terminal and execute the following command to do so:
echo "Xft.lcdfilter: lcddefault" > ~/.Xresources
- Some settings need a restart to take effect, so reboot your system. If everything worked you should get the following
xrdb -queryoutput (the output order does not matter if the values are the same):
Xft.antialias: 1 Xft.dpi: 96 Xft.hinting: 1 Xft.hintstyle: hintslight Xft.lcdfilter: lcddefault Xft.rgba: rgb
- You may find the
gnome-tweak-toolinteresting. E.g. it provides an option to switch the window-title-bar font. Use the following command to install it:
su -c "yum install gnome-tweak-tool"
- I used the command line tool
gsettingsto adjust the GSettings key values above. If you want to influence and explore available keys by using a GUI, have a look at the
dconf-editor. Use the following command to install it:
su -c "yum install dconf-editor"
- You may want to use the Ubuntu fonts, too. They are not included in the main repositories right now,1) therefore I wrote the
install-ubuntufonts-fedora.shbash script to make the font installation faster and easier. There is a high probability that this script will never be useful to someone else than myself. But you never know. If you want to use it, open a terminal and run the following commands to download and execute it (copy and paste recommended):
wget "http://blog.andreas-haerter.com/_export/code/2011/07/18/install-ubuntufonts-fedora.sh?codeblock=1" -O "/tmp/install-ubuntufonts-fedora.sh" chmod a+rx "/tmp/install-ubuntufonts-fedora.sh" su -c "/tmp/install-ubuntufonts-fedora.sh"
Please read the Ubuntu Font Licence for all the rules that govern the use of the fonts.
- If you want to go any further, you should know some things about the fontconfig system. First of all, it is controlled by
*.conffiles. Fedora is looking for them at the
/etc/fonts/conf.d/directory and they get imported in alphabetical order.2) Please note that every file in this directory should be a symlink pointing to a real config file located in
/etc/fonts/conf.avail/. This makes it possible to deactivate settings by deleting the symlink in
/etc/fonts/conf.d/without loosing the corresponding config file in
/etc/fonts/conf.avail/. It is also recommended to follow the rule “one setting, one file”. This makes sure you always know which files configures what.
All settings at
/etc/fonts/conf.d/are affecting all user accounts and therefore you need root privileges to create or edit the files. If you want to influence only a specific user account, it is also possible to place files in the user's
~/.fontconfig/directory (simply create it if it is not already existing).
- I assume that your display is using RGB pixels (the subpixel layout test page can help you to verify this). If your monitor is using BGR, V-RGB, or V-BGR pixels, you might want to use another anti-aliasing setting than
Edit 2011-07-21: Here are the demanded screenshots. You can use your keyboard to navigate trough them (← and → key). The last one shows a terminal with Ubuntu fonts.
When Fedora 15 Lovelock was just a few days old, the generally known commands to build an appropriate package did not work.1) Therefore (and because I think it is a bit extreme to create a package just to get some fonts), I wrote
install-msttcorefonts-fedora.sh to make the font installation faster and easier. There is a high probability that this script will never be useful to someone else than myself. But you never know. If you want to use it:
- Open a terminal.
- Run the following commands to download and start the script (copy and paste recommended):
wget "http://blog.andreas-haerter.com/_export/code/2011/07/01/install-msttcorefonts-fedora.sh?codeblock=1" -O "/tmp/install-msttcorefonts-fedora.sh" chmod a+rx "/tmp/install-msttcorefonts-fedora.sh" su -c "/tmp/install-msttcorefonts-fedora.sh"
prereqerrors. However, it seems to work in the meantime.
SSH provides the possibility to use Public Keys to log in to a target system (which is very likely more secure than a password). To make this possible:
- The user has to create a Public/Private Key pair
- The user's Public Key(s) has/have to be stored on the target system running the SSH Server (normally within
- The server's Public Key has to be stored on the local system running the SSH Client (normally within
Some popular services like GitHub do not even provide a password based authentication for data exchange, forcing you to use a SSH Public Key. Same for the Fedora Account System (FAS) where I created an account recently.
On a common Linux system, all needed SSH client tools should be installed by default. If not (e.g. because they were removed), simply install the
openssh-clients package on Fedora or the
openssh-client package on Debian/Ubuntu. After installation, the SSH tool for authentication, key generation, management and conversion is available via terminal:
Creating a Public/Private Key pair
As already said,
ssh-keygen is the tool for creating a key pair. It brings a lot of options, I'm going into detail on the most important ones:1)
From the manpage: “Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits[…]”.
Specifies the type of key to create. The cryptographic algorithm to use will selected through specifying this parameter. For SSH2, you can choose between “rsa” and “dsa”.2)
Provides a comment for the key. The comment is used as “name” for the key in most applications. If not given,
username@hostwill be set by default. You can change the comment later without any problems.
Using a 2048bit long RSA key is a good choice for most use-cases. 1024bit RSA is no longer regarded as indisputably secure, 4096bit RSA is for paranoid person like me. Please make sure you set a passphrase to protect your key. Otherwise everyone who may gets access to it (e.g. because someone steals your laptop and copies the keyfile) is able to get instant access to all systems you used the key for logging in. In contrast, you should have enough time to change the keys on all affected system without any danger if you used a good passphrase for a leaked private key. Additionally, it is no problem to use multiple SSH keys. So if you need a SSH key without password (e.g. for a quickly hacked backup script), create a separate key for this special task but do not use it for logging in to important systems.
Before you start: If you do not answer the question “Enter file in which to save the key” properly, you possibly overwrite an already existing key pair (if any). So take care which filename you are using for storage. The defaults are
id_dsa (depending on the used algorithm). You have been warned!
Now open a terminal and let's go:
user@local:~$ ssh-keygen -t rsa -b 2048 -C "user@local" Generating public/private rsa key pair. Enter file in which to save the key (/home/user/.ssh/id_rsa):
As you can see, the key will be stored into
~/.ssh/id_rsa by default. To choose another file, you have to provide the complete path (→
~/ normally does not work to point to your home dir). I use the non-default path
/home/user/.ssh/mykey in this example.
You should store all SSH keys into the default directory
~/.ssh (no matter which filenames you are using for them). Otherwise, many tools and programs are not able to locate your SSH keys by default, leading to more configuration issues. None the less, it is possible to store your keys in another directory than the default one.
ssh-add /path/to/your_key is your friend.
Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/mykey Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/user/.ssh/mykey. Your public key has been saved in /home/user/.ssh/mykey.pub. The key fingerprint is: 10:af:1e:58:a3:a2:2a:7e:11:23:52:bf:c2:32:61:fa user@local The key's randomart image is: +--[ RSA 2048]----+ | ... o | | + o | | . o = . | | ... o + | |.. . . S | | o . | |Bo. . .+ | |E oo. | | +o+o | +-----------------+
Done. Now you got the needed key pair:
/home/user/.ssh/mykeyis the private key. Never share this one with someone else. Simply keep the Private Key… well, private.
/home/user/.ssh/mykey.pubis the public key (also called “ID file” or “identity file”). This is the one you have to upload to the remote systems.
Tips and tricks
- If you never heard about the “randomart image”, you may have a look at ”What is randomart produced by ssh-keygen?”.
- Close ssh if the session is not responding anymore: The command
~.closes the ssh client program if the server hangs (e.g. because it was unexpectedly shut down or your internet connection is not stable).
- Copy the Public Key(s) to a remote system:
ssh-copy-idhelps you to copy your SSH Public Key into the
~/.ssh/authorized_keysfile of the remote system and/or copy the remote system's public key into your local
ssh-copy-id -i "~/.ssh/mykey.pub" email@example.com
- Change the passphrase of a SSH key:
ssh-keygenis also the tool of choice to change a key's password. The
-fparameter specifies the private key file you want to change. The
-pparameter tells the program that you want to change the password of an existing key, preventing the generation of a new one:
ssh-keygen -f /path/to/your_key -p
- Change the comment of a SSH key:
ssh-keygenis also the tool of choice to change a key's comment. The
-fparameter specifies the private key file you want to change. The
-cparameter tells the program that you want to change the comment of an existing key, preventing the generation of a new one:
ssh-keygen -f /path/to/your_key -c
This article provides a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption (new installation). However, you should take a relaxed day as topical newbie for further reading. You don't have to keep everything in mind but it is never an error to acquaint oneself with something new.
Dieser Artikel beschreibt, wie ein vollverschlüsseltes System mit Hilfe von Ubuntu-Linux eingerichtet wird (Neuinstallation). Der gesamte Artikel kann dabei Schritt für Schritt nachvollzogen werden um ans Ziel zu kommen. Dennoch sollte man sich als Neuling einen ruhigen Tag Zeit nehmen, um die Thematik zu erfassen. Man muss sich bei weitem nicht alles merken, sich aber einmal eingelesen zu haben schadet nie.
The Network Time Protocol (NTP) is a protocol for synchronising the clocks of computers over TCP/IP networks. I don't go into detail here,1) but NTP is helpful if you need a really2) exact system time (e.g. on special Database servers) or just to get a correct clock setting on your common desktop. There are two ways to use NTP to set your system's clock:
ntpdate– Simple NTP client, syncs your system's clock instantly by polling specified NTP server(s) every time it is called.
ntpd– NTP server daemon, calculates the drift of your system's hardware clock and continuously adjusts it. Can act as NTP server for other NTP servers and clients.
One of my older desktops is based on a Gigabyte GA-MA78GM-UD2H mainboard (AMD 780G North Bridge, AMD SB700 South Bridge). Booting Fedora 15 Lovelock on this machine did not work. It took ~4h [sic!] to boot because the USB hardware detection was freaking out (you will only see a gray background with a white, blinking cursor for several hours and you have to wait when looking at
However, the solution is simple: make sure you got the latest mainboard BIOS (version F9B 2010/07/08 as I'm writing this) which fixes several bugs Fedora seems to stumble upon. Everything works perfect then.
Update: Don't halloo till you're out of the wood! After a few days of usage, there are still “it hangs” problems during boot and poor performance at all. E.g. you have to (un)plug a USB device when the OS does not do anything. In short: it sucks. But it does not matter. Time to get a new machine anyway.
Every now an then, I need MS Windows for doing tests. I'm running different testing VMs and often have to deal with static IP settings on different LANs and VPNs. Therefore it is nice to know how to import and export IP settings without any GUI involved. I tested it only on XP/2k3 but it should also work on Vista/7.
- Export: Configure your network settings as you like. Open a command prompt afterwards and use
netshto export the settings into a file:
netsh -c interface ip dump > X:\network-foobar
Repeat the task for every needed network.
- Import: Use
-fto load files like
netsh -f X:\network-foobar
Now put the import command for different networks into separate batch files and name them properly to change the settings with simple double clicks. You might want to use
runas for the
netsh call because you need admin privileges to change IP settings.
Using DokuWiki is fun. It gives you all you need to manage different types of content like common text, quotes, files, data tables and source code. It displays your content in a proper way, including typography replacements and many other features (see Syntax for some examples). It is especially perfect to write about IT where console output or code snippets matter. You can even include RSS feeds and create galleries with a single line of text. Additionally, DokuWiki is very easy to administrate and maintain (this is my personal killer feature). Installing updates is damn simple (in principle, you just have to copy the new files over the old ones). And you can do backups by downloading everything from your webserver. No database dumps and stuff needed. Because plain text files are used as storage, you can even access the raw data offline with a simple text editor.1) So why not using DokuWiki as easy maintainable blog? Exactly!
There are two common ways to create a DokuWiki based weblog. The traditional one, using the Blog plugin in combination with a bunch of others.2) And the new BlogTNG plugin which is meant as successor of the Blog plugin and already contains components like comments and tags. The following text is about creating a cool WikiBlog with BlogTNG.
I just did the basic setup of my Nexus S (i0923 with SCLD). What should I say? It totally rocks. The pre-installed Android 2.3.3 is a pure revelation compared to the older versions running on my Motorola Milestone. All those small but annoying bugs seem to be gone. And most important: no more PITA regarding Android Updates.1) The phone comes with a micro-USB connector as my Milestone and most other new non-Apple phones do. Therefore there is no need to buy new USB-A→micro-USB-B cables.2)