// Book recommendation: Linux-Firewalls by Ralf Spenneberg

Anyone who administers Linux servers or runs Linux SOHO routers,1) for example, is confronted sooner or later with the topic “iptables/Netfilter” (or ip6tables/Netfilter6). Often the administrators and users involved then hop from HowTo to HowTo via Google and cobble together an iptables firewall configuration out of dangerous half-knowledge. Alternatively, they reach for Shorewall or comparable projects.

If you want to get to grips with Linux-based firewalls, I can instead recommend to everyone the book Linux-Firewalls by Ralf Spenneberg in its latest edition. It is very well structured and written in an extremely understandable way, provided you know at least the absolute basics of networking with regard to IP, TCP and UDP. The author introduces the reader to the topic well. Everything begins with an explanation of simple stateless packet filters and then moves on to easily comprehensible stateful iptables rules. In doing so, it provides exactly the kind of basic understanding that simple tutorials on the net usually leave out. Afterwards, DMZs, transparent firewalls, NAT routers and much more are built with iptables. Connection tracking and its configuration, important kernel parameters, logging and helpful tools also take up a large part of the book. The topic of IPv6 is covered very understandably as well, conveying the knowledge needed to run IPv6-capable firewalls. All in all, I can recommend the book without reservation, also as a reference work.

1)
I deliberately write SOHO router: you usually do not want to run or build a 10GbE router with iptables.

// Linux laptop recommendation: ThinkPad T420 4180W1G / 4180PH1

If you are searching for a powerful laptop to run Fedora 15 Lovelock on, have a look at the Lenovo ThinkPad T420 4180W1G/4180PH1.2) It simply rocks. All the internal peripherals are working out of the box (LAN, WLAN, graphics, sound, microphone, webcam, volume up/down and mute buttons, brightness control buttons, eSATA…). The Intel HD3000 processor graphics runs smoothly. There are not even problems with external monitors up to a 2560×1600 resolution or when using both the built-in screen plus an external monitor connected to the Mini Dock Series 3 45N6678 docking station. The Intel Core i5-2520M CPU provides VT-d and VT-x. So everything is fine if you want to run VMs.

Downsides, pitfalls and notes:

  • The built-in speakers are really bad, even for a laptop.
  • The keyboard shows signs of cosmetic wear after a few weeks of usage.
  • Microsoft tax a.k.a. Windows 7 Professional 64bit. At least, you can use the pre-installed Windows to update the laptop's firmware with a few clicks before installing Linux. And the license may be used to run a Windows 7 VM (although the laptop is shipped without installation media, you can download the original Windows 7 ISO images from Digital River).
  • I can't tell if the fingerprint sensor and the Class 1 Smartcard Reader are working out of the box because I do not need nor did I test them. But the Smartcard Reader is at least recognized by the OS.
  • When using the Mini Dock Series 3 45N6678, the analog sound line-out is not passed-through (everything else works). This means you still have to use the laptop's headphone connector to connect speakers.
  • If you are looking for similar models out of the T420 family, you should know that some of them got two graphics adapters (a combination of Intel and NVIDIA). I don't know if these make any trouble or need special configuration because the 4180W1G/4180PH1 comes with Intel graphics only.

Tip for German readers: Students, teachers, lecturers and research assistants get the ThinkPad T420 4180PH1 at Brünings + Sander with a substantial discount. I have nothing to do with the company and do not get a commission either. But my experience with B+S has always been positive so far.

2)
Don't get confused: 4180W1G and 4180PH1 are two model numbers for the same hardware.

// Fedora 15 on a HP Compaq 615 laptop: WLAN

The HPC 615 was very popular because of its attractive cost-performance ratio.3) I just installed Fedora 15 Lovelock on a HPC 615 with AMD Athlon X2, 320GiB HDD, ATI Radeon HD3200 and 4GiB RAM. Everything works out of the box with one exception: Wireless LAN. There was no firmware for the Broadcom BCM4312 WLAN chip. However, version 4.150.10.5 of the proprietary firmware works like a charm:

  1. The B43 firmware cutter tool is used to extract and install the proprietary Broadcom firmware. Use a LAN cable to get an internet connection. Open a terminal and install it:
    su -c 'yum install b43-fwcutter'
  2. Download the firmware and use b43-fwcutter to extract and install it:
    su -
    cd /tmp
    wget http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2
    tar xjf ./broadcom-wl-4.150.10.5.tar.bz2
    cd ./broadcom-wl-4.150.10.5/driver/
    b43-fwcutter -w /lib/firmware/ wl_apsta_mimo.o

    Reboot or restart the network. Your WLAN should work now.

Note: I tried several things before. Known solutions and b43-openfwwf were not able to provide a stable connection when using WPA2. Same for other versions of the proprietary Broadcom firmware.
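As an added example (not part of the original post), here is the same installation procedure as a script that checks the SHA-256 digest of the downloaded archive before anything is extracted or copied into /lib/firmware. The archive is fetched over plain HTTP and ends up as code loaded by the kernel driver, so verifying what you fetched is the one check worth adding. The URL and file names are the ones from the steps above; the value of EXPECTED_SHA256 is a placeholder that you have to replace with a digest obtained from a trusted source.

```shell
#!/bin/sh
# Added example: b43 firmware installation with a digest check.
# EXPECTED_SHA256 below is a PLACEHOLDER (all zeros), not the real digest.
set -eu

FW_URL="http://downloads.openwrt.org/sources/broadcom-wl-4.150.10.5.tar.bz2"
FW_TARBALL="broadcom-wl-4.150.10.5.tar.bz2"
FW_OBJECT="broadcom-wl-4.150.10.5/driver/wl_apsta_mimo.o"
EXPECTED_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 of a file with whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# check_sha256 FILE DIGEST: return 0 if FILE hashes to DIGEST, 1 otherwise.
# The comparison ignores hex case because tools differ in what they print.
check_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download, verify and install; refuses to install on a digest mismatch.
install_b43_firmware() {
    workdir=$(mktemp -d)
    cd "$workdir"
    wget -q "$FW_URL" -O "$FW_TARBALL"
    if ! check_sha256 "$FW_TARBALL" "$EXPECTED_SHA256"; then
        echo "checksum mismatch for $FW_TARBALL, refusing to install" >&2
        rm -rf "$workdir"
        return 1
    fi
    tar xjf "$FW_TARBALL"
    b43-fwcutter -w /lib/firmware/ "$FW_OBJECT"
    rm -rf "$workdir"
    echo "firmware installed; restart the network or reboot"
}

# Only act when explicitly asked, so the helper functions can be sourced safely.
if [ "${1:-}" = "install" ]; then
    install_b43_firmware
fi
```

Run it as root with `sh install-b43.sh install` after filling in the digest; without the argument it only defines the functions.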

3)
Well, this is not true for all models and options. But most of the ones shipped with FreeDOS instead of MS Windows were damn cheap.

// How to change Fedora's font rendering to get an Ubuntu-like result [Update]

Font rendering is a matter of taste. However, I personally think Ubuntu's default font rendering is the most eye-pleasing one of the whole Linux ecosystem. And if a website's CSS font stack looks good on Ubuntu, you can be relatively sure that it also works on Mac or MS Windows as long as the used fonts are available on these platforms. It is not hard to get the same font rendering on Fedora. This text is just a bit longer than a few commands because I try to provide additional background information and useful web search keywords which you may need if you have other targets than a 100% Ubuntu-like rendering.

The basics

To achieve the desired result, you have to know which parameters exist and how to change them. The most important things are:

  • Resolution (DPI).
  • Font hinting and the used font hinting method.
  • Font rasterization. Especially the used anti-aliasing method and its strength.
  • The used font rendering engine. The one shipped with Fedora comes without subpixel rendering (more on this later).

So let's look at the defaults applied on Ubuntu 10.10. You can do this on the terminal with xrdb -query:

Xft.dpi:	96
Xft.antialias:	1
Xft.hinting:	1
Xft.hintstyle:	hintslight
Xft.rgba:	rgb
Xft.lcdfilter:	lcddefault

As you can see, Ubuntu is using RGB anti-aliasing with subpixel rendering (lcd-default means “subpixel (LCD)” method) and slight font hinting. Now compare this with the default values on Fedora 15 Lovelock:

Xft.antialias:	1
Xft.dpi:	96
Xft.hinting:	1
Xft.hintstyle:	hintmedium
Xft.rgba:	none

This shows that Fedora uses grayscale anti-aliasing, a stronger font hinting style and no subpixel rendering by default. This is the reason why the same fonts look different on Fedora and Ubuntu.

What to do

  1. Install the freetype-freeworld package. You need subpixel rendering to achieve the same results as on Ubuntu. The FreeType rendering engine shipped by default comes without it, but you can install the freetype-freeworld package from the RPM Fusion free repository to get a version with subpixel rendering. If you have not done so already, enable RPM Fusion on your system. Open a terminal and install the freetype-freeworld package:
    su -c "yum install freetype-freeworld"

    You should know that subpixel rendering is patented and therefore not completely free (as in speech). Using this package might not be legal in your country. The choice is yours and it is your legal responsibility to make sure that the software you are installing can be legally used.

  2. Adjust the hinting style and enable RGB anti-aliasing. Ubuntu is using hintslight hinting by default, Fedora comes with hintmedium. Additionally, we need RGB instead of grayscale anti-aliasing. Open a terminal and execute the following commands to set the anti-aliasing and hinting style:
    gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "hinting" "slight"
    gsettings "set" "org.gnome.settings-daemon.plugins.xsettings" "antialiasing" "rgba"
  3. Activate the lcddefault lcdfilter. Unfortunately, there is no GSettings key for it (at least as I'm writing this), therefore you have to create a hidden .Xresources file with the Xft.lcdfilter: lcddefault setting in your home directory. Open a terminal and execute the following command to do so:
    echo "Xft.lcdfilter: lcddefault" > ~/.Xresources
  4. Some settings need a restart to take effect, so reboot your system. If everything worked you should get the following xrdb -query output (the output order does not matter if the values are the same):
    Xft.antialias:	1
    Xft.dpi:	96
    Xft.hinting:	1
    Xft.hintstyle:	hintslight
    Xft.lcdfilter:	lcddefault
    Xft.rgba:	rgb
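As an added example (not part of the original post), the script below applies steps 2 and 3 and then verifies the result. It differs from the one-liner in step 3 in one respect: set_xresource() replaces an existing Xft.lcdfilter line or appends one instead of overwriting the whole ~/.Xresources file, so an existing file with other settings survives and running the script twice leaves a single line. check_xft() compares xrdb -query style output against the target values from step 4 and names the first mismatch. The gsettings keys, the xrdb commands and the Xft values are the ones from the text; the function names are my own.

```shell
#!/bin/sh
# Added example: idempotent ~/.Xresources edit plus a check of the result.
set -eu

# set_xresource FILE KEY VALUE: set "KEY: VALUE" in FILE, replacing an
# existing KEY line if present, appending otherwise.
set_xresource() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp=$(mktemp)
    # keep every line that does not start with "KEY:", then add the new line
    awk -v k="$key" 'index($0, k ":") != 1' "$file" > "$tmp"
    printf '%s:\t%s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# xft_value OUTPUT KEY: extract KEY's value from xrdb -query style output.
xft_value() {
    printf '%s\n' "$1" | awk -v k="$2" -F'[:\t ]+' '$1 == k {print $2; exit}'
}

# check_xft OUTPUT: return 0 if OUTPUT carries the Ubuntu-like target values
# from step 4, otherwise report the first mismatch on stderr and return 1.
check_xft() {
    out=$1
    for pair in "Xft.antialias=1" "Xft.hinting=1" "Xft.hintstyle=hintslight" \
                "Xft.lcdfilter=lcddefault" "Xft.rgba=rgb"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(xft_value "$out" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key is '$got', expected '$want'" >&2
            return 1
        fi
    done
    return 0
}

# The actual change runs only with "apply" (needs a running GNOME session).
if [ "${1:-}" = "apply" ]; then
    gsettings set org.gnome.settings-daemon.plugins.xsettings hinting slight
    gsettings set org.gnome.settings-daemon.plugins.xsettings antialiasing rgba
    set_xresource "$HOME/.Xresources" "Xft.lcdfilter" "lcddefault"
    xrdb -merge "$HOME/.Xresources"
    check_xft "$(xrdb -query)" && echo "font settings match the Ubuntu defaults"
fi
```

Run `sh fontfix.sh apply` inside your GNOME session; after the reboot mentioned in step 4 you can re-run the check alone with `check_xft "$(xrdb -query)"` from a shell that has sourced the file.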

Additional notes

  • You may find the gnome-tweak-tool interesting. E.g. it provides an option to switch the window-title-bar font. Use the following command to install it:
    su -c "yum install gnome-tweak-tool"
  • I used the command line tool gsettings to adjust the GSettings key values above. If you want to influence and explore available keys by using a GUI, have a look at the dconf-editor. Use the following command to install it:
    su -c "yum install dconf-editor"
  • You may want to use the Ubuntu fonts, too. They are not included in the main repositories right now,4) therefore I wrote the install-ubuntufonts-fedora.sh bash script to make the font installation faster and easier. There is a high probability that this script will never be useful to anyone other than myself. But you never know. If you want to use it, open a terminal and run the following commands to download and execute it (copy and paste recommended):
    wget "http://blog.andreas-haerter.com/_export/code/2011/07/18/install-ubuntufonts-fedora.sh?codeblock=1" -O "/tmp/install-ubuntufonts-fedora.sh"
    chmod a+rx "/tmp/install-ubuntufonts-fedora.sh"
    su -c "/tmp/install-ubuntufonts-fedora.sh"

    Please read the Ubuntu Font Licence for all the rules that govern the use of the fonts.

  • If you want to go any further, you should know some things about the fontconfig system. First of all, it is controlled by *.conf files. Fedora looks for them in the /etc/fonts/conf.d/ directory and they get imported in alphabetical order.5) Please note that every file in this directory should be a symlink pointing to a real config file located in /etc/fonts/conf.avail/. This makes it possible to deactivate settings by deleting the symlink in /etc/fonts/conf.d/ without losing the corresponding config file in /etc/fonts/conf.avail/. It is also recommended to follow the rule “one setting, one file”. This makes sure you always know which file configures what.
    All settings at /etc/fonts/conf.d/ are affecting all user accounts and therefore you need root privileges to create or edit the files. If you want to influence only a specific user account, it is also possible to place files in the user's ~/.fontconfig/ directory (simply create it if it is not already existing).
  • I assume that your display is using RGB pixels (the subpixel layout test page can help you to verify this). If your monitor is using BGR, V-RGB, or V-BGR pixels, you might want to use another anti-aliasing setting than rgba.

Screenshots

Edit 2011-07-21: Here are the requested screenshots. You can use your keyboard to navigate through them (arrow keys). The last one shows a terminal with Ubuntu fonts.

4)
There is only a ubuntu-title-fonts package, which does not install the normal Ubuntu font.
5)
Numerical prefixes are used to adjust the import order. See /etc/fonts/conf.d/README for details.

// Install Microsoft TTF core fonts on Fedora without using a RPM package

When Fedora 15 Lovelock was just a few days old, the generally known commands to build an appropriate package did not work.6) Therefore (and because I think it is a bit extreme to create a package just to get some fonts), I wrote install-msttcorefonts-fedora.sh to make the font installation faster and easier. There is a high probability that this script will never be useful to anyone other than myself. But you never know. If you want to use it:

  1. Open a terminal.
  2. Run the following commands to download and start the script (copy and paste recommended):
    wget "http://blog.andreas-haerter.com/_export/code/2011/07/01/install-msttcorefonts-fedora.sh?codeblock=1" -O "/tmp/install-msttcorefonts-fedora.sh"
    chmod a+rx "/tmp/install-msttcorefonts-fedora.sh"
    su -c "/tmp/install-msttcorefonts-fedora.sh"
6)
At least for me. There were buildprereq and prereq errors. However, it seems to work in the meantime.

// How to create SSH keys

SSH allows you to use public keys to log in to a target system (which is very likely more secure than a password). To make this possible:

  1. The user has to create a Public/Private Key pair
  2. The user's Public Key(s) has/have to be stored on the target system running the SSH Server (normally within ~/.ssh/authorized_keys)
  3. The server's Public Key has to be stored on the local system running the SSH Client (normally within ~/.ssh/known_hosts)

Some popular services like GitHub do not even provide a password based authentication for data exchange, forcing you to use a SSH Public Key. Same for the Fedora Account System (FAS) where I created an account recently.

On a common Linux system, all needed SSH client tools should be installed by default. If not (e.g. because they were removed), simply install the openssh-clients package on Fedora or the openssh-client package on Debian/Ubuntu. After installation, the SSH tool for authentication, key generation, management and conversion is available via terminal: ssh-keygen

Creating a Public/Private Key pair

As already said, ssh-keygen is the tool for creating a key pair. It has a lot of options; I'll go into detail on the most important ones:7)

  • -b <bits>:
    From the manpage: “Specifies the number of bits in the key to create. For RSA keys, the minimum size is 768 bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. DSA keys must be exactly 1024 bits[…]”.
  • -t <type>:
    Specifies the type of key to create. The cryptographic algorithm to use is selected through this parameter. For SSH2, you can choose between “rsa” and “dsa”.8)
  • -C "<comment>":
    Provides a comment for the key. The comment is used as “name” for the key in most applications. If not given, username@host will be set by default. You can change the comment later without any problems.

Using a 2048bit long RSA key is a good choice for most use cases. 1024bit RSA is no longer regarded as indisputably secure, 4096bit RSA is for paranoid persons like me. Please make sure you set a passphrase to protect your key. Otherwise everyone who gets access to it (e.g. because someone steals your laptop and copies the key file) is able to get instant access to all systems you used the key for logging in to. In contrast, if you used a good passphrase for a leaked private key, you should have enough time to change the keys on all affected systems without any danger. Additionally, it is no problem to use multiple SSH keys. So if you need a SSH key without a passphrase (e.g. for a quickly hacked backup script), create a separate key for this special task but do not use it for logging in to important systems.

Before you start: If you do not answer the question “Enter file in which to save the key” properly, you possibly overwrite an already existing key pair (if any). So take care which filename you are using for storage. The defaults are id_rsa and id_dsa (depending on the used algorithm). You have been warned!

Now open a terminal and let's go:

user@local:~$ ssh-keygen -t rsa -b 2048 -C "user@local"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):

As you can see, the key will be stored into ~/.ssh/id_rsa by default. To choose another file, you have to provide the complete path (→ ~/ normally does not work to point to your home dir). I use the non-default path /home/user/.ssh/mykey in this example.

You should store all SSH keys in the default directory ~/.ssh (no matter which filenames you are using for them). Otherwise, many tools and programs are not able to locate your SSH keys by default, leading to more configuration issues. Nonetheless, it is possible to store your keys in another directory than the default one. ssh-add /path/to/your_key is your friend.

Enter file in which to save the key (/home/user/.ssh/id_rsa): /home/user/.ssh/mykey
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/mykey.
Your public key has been saved in /home/user/.ssh/mykey.pub.
The key fingerprint is:
10:af:1e:58:a3:a2:2a:7e:11:23:52:bf:c2:32:61:fa user@local
The key's randomart image is:
+--[ RSA 2048]----+
| ...     o       |
|     + o         |
|  . o = .        |
| ... o +         |
|.. .  . S        |
| o  .            |
|Bo.  .       .+  |
|E oo.            |
| +o+o            |
+-----------------+

Done. Now you have the needed key pair:

  • /home/user/.ssh/mykey is the private key. Never share this one with someone else. Simply keep the Private Key… well, private. ;-)
  • /home/user/.ssh/mykey.pub is the public key (also called “ID file” or “identity file”). This is the one you have to upload to the remote systems.
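As an added example (not part of the original post), the following wrapper turns the two warnings above into code: it refuses to run ssh-keygen if the chosen file name already exists, so an existing key pair can never be overwritten by a careless answer to “Enter file in which to save the key”, and it sanity-checks the format of the generated .pub line before you upload it. The ssh-keygen parameters -t, -b, -C and -f are the ones from the text; the function names, the argument layout and the constructed key lines in the usage are my own.

```shell
#!/bin/sh
# Added example: non-overwriting ssh-keygen wrapper plus a public key format check.
set -eu

# valid_pubkey_line LINE: return 0 if LINE looks like an OpenSSH public key
# ("<type> <base64 blob> [comment]") of one of the SSH2 types discussed in
# the text (ssh-rsa or ssh-dss), 1 otherwise.
valid_pubkey_line() {
    set -- $1   # split on whitespace: $1=type $2=blob $3...=comment
    [ "$#" -ge 2 ] || return 1
    case "$1" in
        ssh-rsa|ssh-dss) ;;
        *) return 1 ;;
    esac
    # the blob must use the base64 alphabet and have a length divisible by 4
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$' || return 1
    [ $(( ${#2} % 4 )) -eq 0 ]
}

# make_key PATH COMMENT [BITS]: create an RSA key pair at PATH (default
# 2048 bits) without touching existing files; ssh-keygen prompts for the
# passphrase as in the interactive session shown above.
make_key() {
    path=$1; comment=$2; bits=${3:-2048}
    if [ -e "$path" ] || [ -e "$path.pub" ]; then
        echo "refusing to overwrite existing key: $path" >&2
        return 1
    fi
    mkdir -p "$(dirname "$path")"
    chmod 700 "$(dirname "$path")"
    ssh-keygen -t rsa -b "$bits" -C "$comment" -f "$path"
    # ssh-keygen makes the private key 0600 itself; check the public half
    valid_pubkey_line "$(cat "$path.pub")" || {
        echo "unexpected public key format in $path.pub" >&2
        return 1
    }
    echo "public key to upload to the remote systems:"
    cat "$path.pub"
}

# Usage: sh make-key.sh /home/user/.ssh/mykey "user@local" [2048]
if [ "$#" -ge 2 ]; then
    make_key "$@"
fi
```

Running it as `sh make-key.sh /home/user/.ssh/mykey "user@local"` reproduces the session above with the file name fixed in advance; a second run with the same path stops with “refusing to overwrite existing key” instead of silently replacing the pair.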

Tips and tricks

  • If you never heard about the “randomart image”, you may have a look at “What is randomart produced by ssh-keygen?”.
  • If you need a GUI, have a look at GNOME Seahorse or PuTTY.
  • Have a look at IBM: Shhh ... secrets about SSH and GitHub: Multiple SSH keys if you have trouble when using more than one SSH key.
  • Close ssh if the session is not responding anymore: The command ~. closes the ssh client program if the server hangs (e.g. because it was unexpectedly shut down or your internet connection is not stable).
  • Copy the Public Key(s) to a remote system: ssh-copy-id helps you to copy your SSH Public Key into the ~/.ssh/authorized_keys file of the remote system and/or copy the remote system's public key into your local ~/.ssh/known_hosts file. Usage:
    ssh-copy-id -i "~/.ssh/mykey.pub" remote-user@remote.example.com
  • Change the passphrase of a SSH key: ssh-keygen is also the tool of choice to change a key's password. The -f parameter specifies the private key file you want to change. The -p parameter tells the program that you want to change the password of an existing key, preventing the generation of a new one:
    ssh-keygen -f /path/to/your_key -p
  • Change the comment of a SSH key: ssh-keygen is also the tool of choice to change a key's comment. The -f parameter specifies the private key file you want to change. The -c parameter tells the program that you want to change the comment of an existing key, preventing the generation of a new one:
    ssh-keygen -f /path/to/your_key -c
7)
It is very likely you do not need any others. Consult the manpage otherwise.
8)
Which one is better is arguable. I wrote about this in another context. :lang_de:

// Full disk encryption with Ubuntu (9.04 Jaunty or newer), LVM and LUKS

This article provides a step-by-step guide on how to install an Ubuntu Linux system with full disk encryption (new installation). However, if you are new to the topic, you should set aside a relaxed day for the further reading. You don't have to keep everything in mind, but it is never a mistake to acquaint yourself with something new.

// Fully encrypted system with Ubuntu (9.04 Jaunty or newer), LVM and LUKS

This article describes how to set up a fully encrypted system with the help of Ubuntu Linux (new installation). The whole article can be followed step by step to reach the goal. Nevertheless, as a newcomer you should set aside a quiet day to grasp the subject. You by no means have to remember everything, but having read up on it once never hurts.

// Time synchronisation with NTP on Ubuntu (and Debian)

The Network Time Protocol (NTP) is a protocol for synchronising the clocks of computers over TCP/IP networks. I won't go into detail here,9) but NTP is helpful if you need a really10) exact system time (e.g. on special database servers) or just want a correct clock on your common desktop. There are two ways to use NTP to set your system's clock:

  • ntpdate – Simple NTP client, syncs your system's clock instantly by polling specified NTP server(s) every time it is called.
  • ntpd – NTP server daemon, calculates the drift of your system's hardware clock and continuously adjusts it. Can act as NTP server for other NTP servers and clients.

9)
The whole system and the client software is a lot more complex than you might think. Look at the Weblinks and/or search the www if you are interested.
10)
we are talking about ~200 milliseconds

// Fedora 15 Lovelock on Gigabyte GA-MA78GM-UD2H

One of my older desktops is based on a Gigabyte GA-MA78GM-UD2H mainboard (AMD 780G North Bridge, AMD SB700 South Bridge). Booting Fedora 15 Lovelock on this machine did not work. It took ~4h [sic!] to boot because the USB hardware detection was freaking out (you will only see a gray background with a white, blinking cursor for several hours and you have to wait when looking at ehci_hcd messages).

However, the solution is simple: make sure you have the latest mainboard BIOS (version F9B 2010/07/08 as I'm writing this), which fixes several bugs Fedora seems to stumble upon. Everything works perfectly then.

Update: Don't halloo till you're out of the wood! After a few days of usage, there are still “it hangs” problems during boot and poor performance overall. E.g. you have to (un)plug a USB device when the OS does not do anything. In short: it sucks. But it does not matter. Time to get a new machine anyway. ;-)

// Export/import IP settings on MS Windows with netsh

Every now and then, I need MS Windows for doing tests. I'm running different testing VMs and often have to deal with static IP settings on different LANs and VPNs. Therefore it is nice to know how to import and export IP settings without any GUI involved. I tested it only on XP/2k3 but it should also work on Vista/7.

  • Export: Configure your network settings as you like. Open a command prompt afterwards and use netsh to export the settings into a file:
    netsh -c interface ip dump > X:\network-foobar

    Repeat the task for every needed network.

  • Import: Use -f to load files like X:\network-foobar:
    netsh -f X:\network-foobar

Now put the import command for different networks into separate batch files and name them properly to change the settings with simple double clicks. You might want to use runas for the netsh call because you need admin privileges to change IP settings.

// How to create a DokuWiki based blog (BlogTNG plugin)

Using DokuWiki is fun. It gives you all you need to manage different types of content like common text, quotes, files, data tables and source code. It displays your content in a proper way, including typography replacements and many other features (see Syntax for some examples). It is especially perfect for writing about IT, where console output or code snippets matter. You can even include RSS feeds and create galleries with a single line of text. Additionally, DokuWiki is very easy to administrate and maintain (this is my personal killer feature). Installing updates is damn simple (in principle, you just have to copy the new files over the old ones). And you can do backups by downloading everything from your webserver. No database dumps and stuff needed. Because plain text files are used as storage, you can even access the raw data offline with a simple text editor.11) So why not use DokuWiki as an easily maintainable blog? Exactly!

There are two common ways to create a DokuWiki based weblog. The traditional one, using the Blog plugin in combination with a bunch of others.12) And the new BlogTNG plugin which is meant as successor of the Blog plugin and already contains components like comments and tags. The following text is about creating a cool WikiBlog with BlogTNG. 8-)

11)
which is perfect e.g. if you screwed your webserver and documented its configuration in the wiki running on it. ;-) Just open the last backup and access the text files you need in the pages subdir of DokuWiki's data directory

// Nexus S

I just did the basic setup of my Nexus S (i0923 with SCLD). What should I say? It totally rocks. The pre-installed Android 2.3.3 is a pure revelation compared to the older versions running on my Motorola Milestone. All those small but annoying bugs seem to be gone. And most important: no more PITA regarding Android Updates.13) The phone comes with a micro-USB connector as my Milestone and most other new non-Apple phones do. Therefore there is no need to buy new USB-A→micro-USB-B cables.14)

BTW: You'll find some app hints for new Android users below… ;-).15)

Must-have apps for common tasks and daily usage:

13)
“Pure Google”, you know.
14)
I got one for every PC to charge my phone wherever I am. They are very cheap… all of mine cost between ~80ct and 1,50€
15)
The names are linking QR Code images (created with goQR.me/QR-Server) containing an Android Market search query. Simply scan the code e.g. with the mentioned “Barcode Scanner” and visit the URL to install.