Tuesday, February 28, 2006

Walls ablaze part 2

Ok earlier I have set up Firestarter as my firewall GUI tool. Now I would like to make it work just the way I like it.

In the preferences ("Edit -> Preferences") the first thing i ensure is that "Enable tray icon" and "Minimize to tray on window close" is enabled. Another thing to change would be to "Apply policy changes immediately" in the "Policy" section. For the more paranoid cases, enabling "ICMP Filtering" would be the way to go but be careful what you enable as some network tools might not work as expected if you do enable it.

"ToS Filtering" would require an entire posting of its own but for a quck run through, I enabled ToS filtering, chose "Workstation" and optimized the traffic for "Throughput".

Finally in the "Advanced Options", maintaining "Preferred packet rejection method" to "Drop silently" is good. I personally prefer this option because sometimes its harder for another person to know if there is even a machine if they scanned you. Not that they cant find out using, its just that it makes it slightly harder. Anything that gives you even the slightest edge helps right;). Blocking broadcast traffic is a good idea to prevent you from getting DoS-ed. It also helps in reducing excessive traffic and prevents the degredation of network performance.

As a final note I also enable "Block traffic from reserved addresses on public interfaces". If you're connected directly to the internet using a public IP, it would be ridiculous to get a connection from a LAN IP right. You obviously don't want these spoofed addresses eating up your bandwidth. However this is not just restricted to LAN IP connecting to public IP, it also works for multicast traffic or any range which is deemed restricted. Save your preferences and you're back to where you started earlier.

Now that you have a pretty safe machine, you will want to allow certain connections to come INTO you system such as SSH, Torrent, NetBIOS. Click the "Policy" tab and in the "Inbound traffic policy" you have to add any ports and/or IPs that can connect to you in the "Allow service" section. Once you've added it the rule will immediately become active and you can connect to the service. For a workstation this will be more than sufficient. For controlling outbound traffic, change the "Inbound traffic policy" to "Outbound traffic policy" and you will notice whether to allow all traffic by default or restrictive by default. For those who intend to run it as a server or are just plain paranoid, change the default "Permissive" to "Restrictive" and restrict what kind of connections you wish to allow from your system. But do be careful with this as you may deny connections from other system apps that need to connect out.

You can monitor all blocked connections in the "Events" tab. This is a good place to check in case you set your rules too strict or just want to know what kind of traffic you are being hit with.

Well I finally have my first tutorial on something up. Hope to put something else up soon;)

Walls ablaze part 1

For those of you looking to setup a Linux firewall for your workstation, allow me to introduce you to Firestarter. Its a GUI application to manage iptables, which is the kernel level ip filter. Installing it is a piece of cake.
  • apt-get install firestarter -y
and you're done. Hahaha. Now comes the configuration part. For those running GNOME, clicking on "Application -> System Tools -> Firestarter" will execute the application. Since it's a front-end for iptables which requires root privileges, you'll be prompted for the root password (or the sudo password). Just type it in and you're all set. For those wishing to execute it from the terminal (for whatever reason it may be), typing "gksudo firestarter" will execute the program as well.

There is already a good tutorial available from the Firestarer homepage which is accessible through this link but I will run through the 3 step process here as well.
  • Click "Forward" on the first page. This is merely stating that you're ready to begin the setup.
  • In "Network Device Setup", select the interface that you want the filtering to take place. For Linux, the first interface is usually called eth0, the second interface eth1 and so forth. For those using your Linux machine to dial out for DialUp or ADSL, select the "Start firewall on dial-out option". For those who obtain their IP automatically from a DHCP server, do remember to check the "IP address assigned via DHCP" option box. Click "Forward" when you're done.
  • In "Network Device Setup", this is the section that allows your computer to act as a gateway for multiple PC's in your network. Enable it if you wish to share your connection with others. This is also a good tool to be used on gateway servers as it simplifies configuration but I wouldn't recommend running a full fledged GUI on a server. You would need a minimum of two interfaces for thise to work. One for the internal network (where all your clients are) and another which is connected to the internet. In the interface selection, select the interface connected to the internal network. If you wish to assign address to the clients in your personalized LAN, click the "Enable DHCP for local network" and enter the settings as you require it.
  • And your now set to run your newly configured firewall. Just click "save" and your're good to go.
This is the default configuration and setup for Firestarter. From now on everytime you reboot your machine, your firewall rules will automatically be loaded on system startup. If you would like to load Firestarter when you log into your account you will have to make it load using whichever method your desktop uses to start programs on startup. In the next part I'll run through some other configuration options. Till then ciaoz;)

Monday, February 27, 2006


Ubuntu comes with a great command line tool for installing/updating/removing packages called apt* and dpkg*. The * denotes the various applications you can use i.e. apt-get, apt-cache, dpkg, dpkg-reconfigure, etc. The use of each tool is pretty much self explanatory. apt-get downloads and installs/updates packages/distro and apt-cache queries for a package you're looking for. The best part is that it will automatically connect to the server to download it without you having to have it prior to installation. Also since ubuntu is based on debian, all package format is in .deb therefore chances are you can use existing debian packages on ubuntu.

/etc/apt/sources.list is the file that stores the location of repositories to download the .deb files from.

Here are some command line options that I regularly use
  • apt-get install [package_name]
    • downloads and installs [package_name]
  • apt-get remove [package_name]
    • removes [package_name]. I usually use dpkg --purge to completely delete everything, including its configuration files as well.
  • apt-get update
    • downloads the new package information from the repositories
  • apt-get upgrade -y
    • ran after the above command, it will download and update any packages that are outdated. the -y option answers 'yes' to all questions regarding upgrades. It's es.pecially useful when running it from a crontab
  • apt-get dist-upgrade -y
    • this is the best way to upgrade your existing version to the latest version. Just run this command after a few hours, with a mere reboot, you will have your new distro ready for use. Usually most of your previous applications will work just fine but at times you will need to remove and reinstall the application for it to function but its very rare.
  • apt-cache search [package_name]
    • the best way to search for packages instead of searching via packages.ubuntu.com. Useful if you don't know the entire name of the package.
  • dpkg -L
    • list all the files installed by .
These are some of the main commands I use regularly. If i come across any new tips I'll be sure to add it here later;) Till then ciaoz;)

Dragon's Breath

Yesterday i decided to upgrade by Breezy Badger to Dapper Drake (which is still in the testing stage). I just couldn't help myself. I absolutely HAD to see what it's all about. Patience was never one of my strong points anyway. The last time i tried to upgrade my system (from Hoary to Badger) it caused a massive problems i.e. not booting properly, not being able to mount my remote drives, etc. But did those problems and spending days to reconfigure back my machine back to the way i like stop me from trying. HELL NO!!. Especially after what I read about Dapper and its new features. These are the steps i used to upgrade it
  • edited my /etc/apt/sources.list
  • changed all references of "breezy" to "dapper"
  • "apt-get update"
  • "apt-get dist-upgrade -y"
and voila, after 3 hours plus all the new packages were installed and updated and after a reboot, which i find to be faster than Breezy (at least thats how it seems to me), I was presented with my NEW GDM login screen.

The first thing I did was to login to GNOME just to see what changes have been made. Granted that I already had a previous configuration setting for GNOME anyway so i might be missing out on some default settings/layout. Graphically its the same as the previous version but what caught my eye immediately was that the GNOME panel is now slightly smaller (I've been trying to figure out how to change the size but never managed it. Probably have to edit it using gconf but I was too lazy after switching to XFCE4) and they have applets that warn you about your impending hard disk capacity exhaustion. Also it now comes with gnome-screensaver which offers a whole slew of REALLY cool looking screensavers and a OS-X like password prompt.

After that I decided to switch back to fluxbox which somehow seems much faster. However all my fonts are like super humongous at the moment but i'll let it stick for now. It's kinda nice not to have to squint your eyes trying to read all the config file. I've had it running for more than 18 hours now and it seems just fine and dandy. i just hope it stays that way though.

Some of the other changes include Firefox 1.5 and Thunderbird 1.5 that comes default with Dapper. Previously I had to download Firefox manually and do some reconfiguring (which aint hard anyway) but now that i have it default it makes me even happier. Also i get to retain my extensions that I have already been using ;).

Will post more as I come across newer features/changes ;) Time for lunch:D

Change is in the air

Ok I've finally changed my template to something new. Got a lot of complaints regarding the pinky-ness. I've been trying to change the look to something more pleasant but didn't succeed so I changed the entire theme. Will get back to having blood red (or is it maroon) theme once i get to it

Sunday, February 26, 2006

I am what I am because of who we all are

What DOES the title mean anyway? No its not about some human rights discussion or a cool catch phrase (actually it just might. Hmm). Actually its the definition of the Linux distro I've been using as of last year. Ubuntu.

Linux. Ahhh...my favorite OS. Aside from OS-X that is. Not that I haven't tried out any *bsd systems its just that Linux just works better for me (And easier too. Though i know of 1 or 2 people would disagree with me). Anyways I've tried out quite a few distro's i.e. RedHat, Slackware (my FAVORITE distro EVER), Fedora Core, CentOS and of course, Ubuntu. Now Ubuntu is TRULY a distro suited for the masses IMHO. It has such a simplistic and intuitive installer. If memory serves me right you just need to answer 6 questions to get a fully functional system.

I've been using Ubuntu 5.0.4 or more commonly known as Hoary Hedgehog (they seem to like to name their releases using animal names). The default desktop is GNOME (there are versions for other desktops or window managers i.e. Kubuntu using the KDE desktop). Ubuntu uses Debian as a base so for all of you who have used Debian before this would be a breeze. Regardles of the system you choose, you can opt to install any of the desktops using apt-get. Ubuntu itself can be obtained from ubuntu.com

In Breezy Badger (5.1.10) they also offered another desktop option, which incidentally does not have its own release cd, called xubuntu which uses XFCE4 as the desktop environment. I've had a liking for this as it was small and simple so the moment i knew it was available i decided to download it. Obtaining it was rather simple. ALl i had to do was type "apt-get install xubuntu-desktop" and watch apt-get perform its miracle by downloading, installing and setting up the new desktop for me and i've been using it ever since. Quite recently i stumbled upon another ubuntu version called nubuntu.org which uses the fluxbox window manager for those looking for a more simplestic and HIGHLY configurable wm. I decided to give fluxbox a try since I've been hearing so many good things about it. I'll post my guide to configuring fluxbox later. Once I can find where i stuffed that tutorial of mine in the 1st place :P.

Why oh why did I write this blog

The real reason i created this blog was to put up any tutorial I did whilst doing configuration for my machine. Since i have a nasty habit of writing up some minimalistic guide so that i can remember it for future use AND losing it, thus putting up online seems to be the sanest thing to do. I got this idea from a friend of mine who puts up lots of food tutorials and guides for *BSD (or *NIX) in general. Thx geek;)

What's in a name (and looks)

Why oh WHY did i pick THIS color scheme :S. Gosh it's PINK. Or is it dark red. Its, its, its, HORRIBLE. ARGH!!. Never blindly pick a template without looking at it properly. Sigh. No matter i'll change it when i come around to it.

The name "afriel" was stumbled upon when i was busy searching for some RPG stuff. Turns out the name i chose is an angels name and it supposedly means
Afriel is known as the Angel of Youth and encourages exploration of all things new and inspires us with Hope.


Either way the name sounds cool so i decided to use this as the name for this blog. And besides, an angel that encourages us to do new things is my kinda guy. Or gal, whichever suits it. :D

My First Post

Gosh I finally have my own blog. Weird considering i swore i'd never create one of my own. Goes to show how true the old adage "Never say never" is. Now if i can just remember to post frequently ;)

Anyway peace ya'll