Orb Designs Grafitti
November 26 thru December 02, 2001


Orb Grafitti is sometimes a conversation, sometimes a soapbox. I use Linux most often, and I write about that and related software frequently. I also have a day job working as a dogsbody for a small manufacturing firm here in the SF Bay Area. Tom Syroid and I have co-authored a Linux Book. We're posting it online, here and here. Have a looksee! I'm glad you've come to visit, and always happy to hear from you.

EMAIL - I publish email sometimes. If you send me an email and you want privacy or anonymity, please say so, I'll pay attention to your wishes.


MONDAY, November 26, 2001 - Updates at 0710

There's a fair hunk of email in my box, mostly useful it looks like, but I haven't time to do more than survey it this morning for immediate response items - we slept too long. This doesn't fret Marcia much, with her 5 mile commute. But leaving half an hour late can double my drive time, or more. If you stayed away from the computer this weekend, then you missed my noting that the 2.4.15 kernel has a serious bug. Stay away from that kernel, or track into 2.4.16 (which was released this morning), or something. I'm gonna stick with 2.4.14 for the time being, as I don't see any dramatic reason to upgrade. Yesterday, I came across a plugin to allow Konqueror to work as an SSH client. That's very, very handy...

Good morning. It's chilly here, but the promised five continuous days of rain miraculously compressed themselves into just Saturday. There were high winds with branches, trees and power lines down, all over, too. We were fortunately unaffected by the power problems. Instead, all weekend, we ate turkey leftovers and cooked the carcass along with veg and such down for stock, making the house smell yummy.

From a link found on Slashdot, here's Richard Stallman's answers to the GNOME board candidacy questionnaire. I've gotta give him 10,000 points for consistency and intestinal fortitude. There's lots more to discuss, but now's not the time - I'm late. See you on the flip side.

Top  /  Site Map  /  Orb Home  /  Email to Bilbrey


TUESDAY, November 27, 2001 - Updates at 0655

Good morning. Well, I received a spot of decent news yesterday afternoon from $PUBLISHER. Finally, after many changes and delays, I am assured that the AE is presenting my proposal to the Editorial Board on Wednesday, and that we should have the go signal before the end of that day (as the AE is fairly confident that this proposal rocks). Most excellent.

Yesterday I spent alternately doing the Monday systems checks, reading goo-gobs of email, as well as providing customer and sales support on the phone (which ate half the time). Finally, I was organizing my thoughts around a new site design for ETS that enhances our new Sales staff and their boundless energy. This should be fun. I'll put together two or three concepts here, for general review (by staff and you, kind readers). I've come to trust your critiques, and value your input for the works that I do. Thank you!

Once home, I did a number of chores, and then blew off several hours playing Wizardry 8. This is one fun game, people, if you like RPGs. The play is like turn-based AD&D (either phased or continuous), but the visuals are much like a first person shooter, and of generally excellent quality. Fun, fun, fun. I beat a few tough opponents, then put down the keyboard and mouse, and stepped away from the computer. We watched a couple of shows on PBS, then the Carol Burnett special. That sure brought back good memories. Carol put on one of my favorite shows, and that sucker ran for 11 seasons. Gosh, I wish those were available on DVD.

Also arrived yesterday, SuSE 7.3, the Personal and Professional Editions, for my use in reviewing the packages, and for the book. Thanks to the SuSE people, and their PR firm for kicking down these tools for my use. Now to figure out how best to put them to use, sooner rather than later.

With that, I'll bid you adieu, until later.



WEDNESDAY, November 28, 2001 - Updates at 0652 and 1817

And later it is... good morning. I've been through a lot of email already this morning. From the CBP list there's a good thread on writing for the magazine market. Then there's cookie handling for the Mailman interface, in Konqueror. This is all leavened with the usual agglomeration of spam and solicited commercial mail (aka newsletters, updates from vendors I care about, etc.) Nothing earth-shaking, though.

Thought for the moment (although Doc has said it a few times), "Around here it's all edge, all the time." I like that. However, my brain isn't starting well this morning. I'll be back with you in a little bit, probably before noon, and maybe later, too, if I get good news. TTFN


1817 - Woo Hoo !!!! Pending all the little details that power life in this universe, I've got a book to write. More details as things finalize. I'll make it formal and hand out more details when the ink is drying on the contract. However, today the AE at Que wrote to let me know that the Editorial Board liked the proposal, and wanted to talk with me about their input, and with my agent, Vicki Harding (at StudioB) about contracts. Looks very good. Major kudos for Tom Syroid in getting my name in front of Vicki at exactly the right time in the process.

OK, here's a good one, just reported to me by Greg. This link to the CIAC site points to a discussion of Windows XP, Office XP and IE > 5.X. These products include an error reporting facility that can send sensitive information (from documents and such) to Microsoft in the event of a program error or crash. Now, we know that MS products hardly ever crash. But all the same, you should probably go read that, and implement the changes therein. Heh. "We're sorry for the inconvenience." That sounds like God's last message to the Universe, according to Doug Adams.

There's more, but it's supper time. It's been one heck of a busy day, and liable not to slow down much. See ya mañana.



THURSDAY, November 29, 2001 - Updates at 0700 and 2002

Good morning. In case you weren't paying attention last night: I got the book, it appears. Things we'll learn today: What changes to my proposal are requested by the editorial board. What sort of advance might Que offer? Will it be enough to merit the amount of work that goes into producing the work? These facts and more, all the days of our lives. Heh. Meantime, I'm also in contact with the people at VMware once again, talking about using their tools for book production work. Gonna start being pretty busy round these parts.

There's a new vulnerability in wu-ftp, and Red Hat leapt out of the gate ahead of the pack with their advisory, now the BugTraq advisory is out too. The question one must ask is, "Why, for pete's sake, would you ever run a bug-ridden piece of crap like wu-ftp?" Really, go have a look at PureFTPd and toss that wu-ftp package out the window, folks.

Later today, we'll talk about the DMCA, the Patriot Act, and other bits of governmental crap. But now I must hie myself off to the mines. Take care!


1830 - Evenin'. What a crazy day. No new news on the book front, which is a tad perturbing. I was expecting a phone call, and didn't get one. I don't want to push, but no news is no fun. Sigh. Ah, and in weirder news... Three weeks ago, a California court turned out the preliminary injunction prohibiting Andrew Bunner from publishing DeCSS code on his site. Meantime, yesterday on that wacky Right Side of the continent, a Federal Court of Appeals has upheld the decision of a lower court to prevent 2600 Magazine from posting the same code. Um, what? And all of this over the Hollywood desire to rule the world, or at least, their world of profits. These are the crazy years, aren't they?

Then there's this Patriot Act thingy that Congress cobbled together out of John Ashcroft's wet dream therapy. Darn. I saw a quote yesterday talking about how law enforcement was able to get their hands on data that wasn't previously available. Now I can't find a link to that story. Let's be clear, here, folks. The data is there. But now the Federales don't need a judge to say OK. Now they can just go whisper Terrorist Investigation, Patriot Act Powers, and we're supposed to grease up, bend over, and let'm have whatever they want. I still don't understand how there's oversight on this one. We've made a terrible mistake, and his name is John Ashcroft.


Well, what else have I learned today? I've been mucking about with the local area networking features available with KDE. Currently, since I am running the bleeding edge of KDE from the Debian unstable tree, there are some configuration hinks. It doesn't work out of the box. But with some minor tweaks here and there, I've got it running right, I think. I'll do some more testing over the next couple of days, then post some results. Right now, I can click on Network --> Local Network and find a list of machine names in the HWN (House Wide Network), then browse into them via the Samba (in the case of Marcia's box, with the appropriate password, etc), NFS, FTP, or HTTP protocols. Most excellent.

Then it was time for some link-hopping. The ever-scintillating Doc Searls points us to the website of the Erotic Computation Group at MIT's Media Lab. Go ahead. I dare you to ignore that link... heh. I thought so. Earlier today, Slashdot took me over to a Tom's Hardware Guide review of 3Com's new Wallplate 4 port switch, the NJ100. Nice little piece of hardware, well designed.

Next up, the new Sharp Linux-based PDA called Zaurus is now available in a developer edition here in the US. I've been tracking that one for a while, even as I keep just plugging away with my Agenda Computing VR3d. Note - don't go buy an Agenda from the US site just now - they're in reorganization, and I can't vouch for Agenda USA's future at the moment. Agenda Germany appears active and healthy. We'll see if the US branch can stage a comeback.

And that's it for now, folks. See you tomorrow.



FRIDAY, November 30, 2001 - Updates at 0654

TDITW (standing for Thank $DEITY It's The Weekend), or just about, anyway. Only hours have elapsed since my last post, late-ish yesterday evening. And, as usual, the world changes when you're not looking. And then there were just two - Rest in Peace, George Harrison. Of the four young men from Liverpool, I think I liked George's voice best, and he wrote thoughtful songs.

Locally, just two weeks ago, California's water management professionals were meeting to determine how best to meet the threat of a probable drought. Now, with two more storms coming in over the next three days, our major worry is ... mudslides. Since so much of the SF Bay Area is built on the steep slopes of the coastal range, mudslides are a common hazard. While they don't do the same geographic extent of damage as our rather-more-famous earthquakes, mudslides remove abodes from their people every winter around these parts. Never a dull moment, that's what I say!

I'll drop the $AE at Que a line today, and see what's shaking. Maybe we can start some of the balls rolling on this project. For one, I would certainly like to be engaged in some focused writing. What I do here counts, though. And in some ways, this is as rewarding. Bear in mind that while this site puts NO food on the table, it does provide me with an outlet and a space for my peculiar brand of insanity. Book advances usually aren't quite up to the living wage standards either, unless you're J. K. Rowling, or a writer of bodice rippers. (The latter merely need to do a global search and replace on names, swap a couple of chapters around, and change the FIRST major plot element to a new geographic locale - poof: Whole New Book ... or so I am told)

Hey, anyone out there with Enron stock? Heh. Sorry dude/dudette. They've got some major bad juju out of those overstated earnings and other financial shenanigans, neh? And also today is the day when everyone who's dependent on Excite@Home for their connectivity may get home to non-connectivity. There have been stories on this one for the last couple of weeks, here's one more, also from the SmartMoney site.


Guess what? It's the end of the month. I'll probably cap 130K raw hits and 23K page reads this month. According to the November stats page, I've had 5 days pop up over 1000 page reads for the day. The denizens from 79 distinct top level domains (that is countries, plus the .com, .net, .org, .mil and so on) have come round knocking on this virtual door. That's excellent, awesome and humbling. Thank you, kind readers. Now I'd like to acknowledge some of the more interesting search strings that led people here in the last month:



SATURDAY, December 01, 2001 - Updates at 1145

Good morning. A busy day around this joint. I'm upgrading software, kernel and such on Grendel the server. Meanwhile Marcia's putting up the Humbug tree. I've been to the post office picking up a package from Malcom, and to the grocer's for some lunch fixin's. This is good, since I am pretty hungry. I'll be back in a little while with an update.



SUNDAY, December 02, 2001 - Updates at 0900 and 1545

Well, that was a day full of learning... sorry, the machine just beeped. Let me go get a cup of mud. I need it.

Mmmmm. Better. Good morning! I know, I never made it back here, but yesterday was busy. I have one last repair to my ruleset to test, so ... Voila. It works, huzzah! What I've been doing is adding an IPtables stateful firewall to Grendel, the server for our little network. He is no longer the firewall for our whole House Wide Network, instead this sturdy Gateway box sits lonesome in the DMZ. However, while putting the exposed services in a DMZ box protects the rest of our network, we still need two things: To protect Grendel, and communicate with him, without letting in black hats.

There are multiple levels to such protection. Using inetd and tcpserver permits me to specify which IP addresses are permitted to access any given monitored service. This works well for FTP, since the only person needing FTP access to Grendel is my lovely Marcia, when she publishes updates to her Musings and Meanderings pages via the Netscape composer. All the other services are simply secured by port and IP restrictions in their configurations (when available), and by paying attention to the security mailing lists, and the announce mailing lists for the packages that I run to offer services.

With the 2.4 Linux kernel, there was a new addition to the security toolkit for every Linux box owner/administrator. But let me digress for a moment. "Owner/administrator" That's one of the parts of Linux that scares people off, pretty frequently. I read and hear people say, "Well sure it could probably do the job, but I'm not a system administrator, and I can't learn those things."

Honestly, it doesn't matter what kind of computer or operating system you run, you are the administrator. You add software, you keep your anti-virus software up to date, you resolve conflicts between IRQs with your network and sound cards, you reboot when the OS dies (OK, that last isn't a problem with Linux, usually) - all of these are administrative tasks. The question is how much REAL control do you have over the box that you administer? Equally important, how fundamentally vulnerable is the platform you're in charge of? In a comparison between Windows and Linux, the answer to both of those questions leads some people quickly over to the Linux side of the pasture. OK, enough evangelizing... [note: I am just learning about this stuff, so I may get something fundamentally WRONG - consult other documentation, and conduct extensive testing on your own work, as I've done with mine]

Netfilter is the latest and greatest network packet handling facility in the Linux kernel; iptables is the user-space tool that loads rules into it, and the two names get used interchangeably. It completely replaces ipfwadm (IP firewall administration, the tool that went with the 2.0 kernel series) and IPchains (a more user-friendly ruleset-based set of functions that came in with the 2.2 series). Like IPchains, IPtables is based on chains of rules. Each packet that enters or exits the system traverses one or more chains of rules that attempt to match the packet and determine its fate, based upon at least the following factors: who it's from (the source IP address); who it's going to (the destination IP address); which service it's requesting (the destination port); and how well-formed the packet is.

What's new is that IPtables is stateful. That is, it has the capability (if enabled) to keep track of streams of related packets. This permits, for instance, an FTP session that negotiates a data connection on a high port such as 1077 to work, since the packet filter "knows" that this connection belongs to a session that was allowed on port 21, where the FTP control connection lives. (Plain state tracking only recognizes replies to connections it has already seen; the FTP data port is announced inside the control channel, so following it takes the ip_conntrack_ftp helper module as well.) Here, let's look at a couple of sample rules:

iptables -t filter -P INPUT DROP

That's a policy statement, saying that if no other rule on the INPUT chain of the filter table catches a packet and disposes of it, that packet will be dropped. Another way of looking at a policy statement is that it's the default branch in a case switch. In the 2.4 kernel there are three tables: filter, nat and mangle. filter is where you protect the local box (packets coming in, going out, and being forwarded through it), nat (Network Address Translation) enables the equivalent of Internet Connection Sharing, although with much more power, and mangle is a table for rules that do generalized packet rewriting. The filter table has three built-in chains to which you can add rules: INPUT, FORWARD, and OUTPUT (nat has its own set: PREROUTING, OUTPUT and POSTROUTING). Additionally, you can define and use your own chains. Note: Policy statements can only be made for the built-in chains.

iptables -A INPUT -p tcp -i eth0 --dport 21 -s $TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 21 -s ! $TRUSTED_IP -j logdrop

Above, there are two lines. Both add (-A) rules to the INPUT chain. Each addresses TCP packets (-p tcp), on the external interface in my setup (-i eth0), with a destination port of 21, for FTP service (--dport 21). The first rule looks in the packet for a source IP that's been previously defined as a TRUSTED_IP (-s $TRUSTED_IP). If the packet matches all the foregoing, then it is jumped to the "target" called ACCEPT. This means that no further processing is done on the packet, it is valid and approved.

The second rule differs in two ways. First, an exclamation point is inserted into the source IP selection; this negates the statement. That is, it matches any source IP that isn't the TRUSTED_IP. (Later iptables releases deprecate this placement in favor of ! -s $TRUSTED_IP.) Then, all things matching, the packet is jumped to the "target" logdrop. That's a user-defined chain (that I haven't shown you) that logs the miscreant for my future notice and action, then drops the packet outright. With the INPUT policy already set to DROP, this second rule exists for the logging: without it the packet would still be dropped, just silently.
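Here, as an added example rather than the ruleset actually running on Grendel, is a complete INPUT-chain script in the style of the rules above, including the logdrop chain and the state-tracking rules that make the filter stateful. It assumes eth0 is the outside interface (as in the rules above), that the box serves HTTP to everyone and FTP only to $TRUSTED_IP, and that SSH is wanted only from a house network $LAN_NET; the placeholder addresses are mine, not the author's. By default it prints the commands instead of running them; set APPLY=1 (as root) to load them.

```shell
#!/bin/sh
# INPUT-chain ruleset for a DMZ server, in the spirit of the rules above.
# Added example, not the ruleset from the original page.
# Assumed: eth0 faces the outside, the box serves HTTP to the world,
# FTP only to $TRUSTED_IP, SSH only from $LAN_NET. The defaults are
# RFC 5737 / RFC 1918 placeholder addresses; override them for real use.
TRUSTED_IP=${TRUSTED_IP:-192.0.2.10}
LAN_NET=${LAN_NET:-192.168.1.0/24}
EXT_IF=${EXT_IF:-eth0}

# Dry-run by default: print each command instead of executing it.
# APPLY=1 (as root) really loads the rules.
run() {
    if [ -n "$APPLY" ]; then "$@"; else echo "$@"; fi
}

grendel_input_rules() {
    # Connection tracking helper: lets the state match follow the FTP data
    # connection that is negotiated inside the port-21 control channel.
    run modprobe ip_conntrack_ftp

    # Start from an empty filter table with a deny-by-default INPUT policy.
    run iptables -t filter -F
    run iptables -t filter -X
    run iptables -t filter -P INPUT DROP
    run iptables -t filter -P FORWARD DROP
    run iptables -t filter -P OUTPUT ACCEPT

    # User-defined chain: rate-limited log entry, then drop.
    run iptables -N logdrop
    run iptables -A logdrop -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    run iptables -A logdrop -j DROP

    # Loopback, plus anything belonging to a conversation already allowed
    # (replies, and FTP data connections flagged RELATED by the helper).
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m state --state INVALID -j logdrop
    # A "new" TCP connection that does not start with SYN is bogus.
    run iptables -A INPUT -p tcp ! --syn -m state --state NEW -j logdrop

    # Services exposed on the outside interface; only the first packet of a
    # connection needs to match here, the state rule above handles the rest.
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    run iptables -A INPUT -i "$EXT_IF" -p tcp --dport 21 -s "$TRUSTED_IP" -m state --state NEW -j ACCEPT
    # Administrative access only from the house network.
    run iptables -A INPUT -p tcp --dport 22 -s "$LAN_NET" -m state --state NEW -j ACCEPT
    # Answer pings, but not a flood of them.
    run iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT

    # Everything else, FTP from untrusted addresses included, is logged and
    # dropped here, so no negated -s rule is needed and nothing ever falls
    # through to the policy unlogged.
    run iptables -A INPUT -j logdrop
}

grendel_input_rules
```

Putting the ESTABLISHED,RELATED rule first is what lets the service rules match only the first packet of a connection (--state NEW); the final -A INPUT -j logdrop is where everything else is logged and dropped. Read the printed rules before applying them on a box you reach over the network: with the policy at DROP, a mistake in the SSH rule locks you out.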

There's more to this gig, and I'll return to it at a later time, but let's look at the difference between using the tcpserver to protect FTP and using IPtables. First, with tcpserver, port 21 (FTP) shows as open from any host. Then the connection is rejected, if the IP doesn't match. That looks like this:

[bilbrey@hydras]:/export/home/bilbrey # ftp -i orbdesigns.com
Connected to orbdesigns.com.
421 Service not available, remote server has closed connection

With IPtables, the packet is examined in the kernel. If the packet doesn't match, it is logged, and then the packet is dropped - we don't even respond, or acknowledge that an FTP server is running on the system. The client keeps retransmitting its connection attempt until it gives up, which is the timeout shown below (a REJECT target would instead send back an ICMP error or a TCP reset, and the client would fail at once). Since the packet never reaches ftpd or tcpserver, a crafted packet aimed at a vulnerability in either of them never gets the chance to do anything.

[bilbrey@hydras]:/export/home/bilbrey # ftp -i orbdesigns.com
ftp: connect: A remote host did not respond within the timeout period.

Isn't that nice. There's more, but I am out of time for the moment - It's time to get ready for a BUSY day of errands and more. I hope to be back later today. Meantime, thanks to Doc Searls for the honorable mention in his blog yesterday. See ya later.


1545 - Welcome back. To return to the topic at hand, let's look at a few more types of connections that can be controlled with IPTables. The nat table is home to rule chains that permit or constrain what's known in the Windows world as Internet Connection Sharing. Why are you interested in NAT? For example, your cable modem (before it was cut off in a spate of corporate stupidity and animosity) allowed you a single IP address. To connect more computers to the cable modem required either an additional fee to the cable company, extra equipment (e.g.: a DSL/Cable Modem router), or a late model Windows box running ICS. Now, I don't know about you, but I'm flatly not going to trust a Windows box to be my face to the Internet. There are too many uncontrolled bits of software that run under Windows, and I can't keep track of security with closed source software and virtually non-existent user-level tools. Sure, there are Windows firewall products... I probably could gin up a reasonably secure Windows box. What I couldn't do is also use it as a workstation. There's no separation between administrative and user permissions in most versions of Windows, or where there is, the machines often aren't configured properly, since MS is driven by the market to create usable (rather than secure) software. This yields machines with webservers running, and the user none the wiser: Personal versions of IIS that are vulnerable to Code Red and its ilk. Ah, ah... Sorry. [end rant mode]

You can use IPtables to control the type of connections that are allowed, and from which machines, in both directions. For instance, some types of worm/virus beastie set up an FTP or an IRC server on your box, and then broadcast their availability to the greater community of black hats. Much of this can be nipped in the bud with rules that only permit outbound connections from monitored machines, of specific allowed types like http, ftp, email and such. Inbound connections that aren't related to authorized outbound traffic can be killed dead.

Another thing that can be done with IPtables - you can provide extraordinary protection for young ones. Let's say you only approve of three websites for your youngster. If you give that child access only from a machine that's his, the IP address (and even the MAC address) can be matched, and outbound requests for http service can be restricted to just those permitted sites. While this can be a pain when the list of sites grows long-ish, for the little ones who should only be on the sites of their favorite purple extinct beast, or Sesame Street, links from those sites to other places simply can't be followed, and the child is protected in the manner you desire. Two caveats: the MAC address can only be matched for hosts on the directly attached segment, and it can be changed in software, so treat it as a second check rather than proof of identity; and filtering a web site by destination IP address gets fragile when the site is served from several addresses that change over time. Of course, if you don't adequately cover your other machines with password protected screensavers, boot passwords and such, well... one does what one can.
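The rules for the gateway described in the last two paragraphs, as an added example that is not from the original page: NAT for a single cable-modem address, outbound-only connections from the house network for a handful of services, and a per-host allow-list for a child's machine matched on both its IP and MAC address. The interface names (eth0 outside, eth1 inside), the addresses and the MAC are assumed placeholders. As with the host script above, it prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Gateway (FORWARD + nat) ruleset for a house network behind one
# cable-modem address. Added example, not a ruleset from the original page.
# Assumed: eth0 outside, eth1 inside, RFC 1918 / RFC 5737 placeholder
# addresses, a child's box known by IP and MAC, and a short list of the
# web servers it may reach (by address, which is the fragile part).
EXT_IF=${EXT_IF:-eth0}
INT_IF=${INT_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
KID_IP=${KID_IP:-192.168.1.50}
KID_MAC=${KID_MAC:-00:11:22:33:44:55}
KID_SITES=${KID_SITES:-"203.0.113.5 203.0.113.6"}   # permitted web servers
LAN_TCP_OUT=${LAN_TCP_OUT:-"21 22 25 80 110 443"}    # outbound services for everyone else

# Dry-run by default; APPLY=1 (as root) executes instead of printing.
run() {
    if [ -n "$APPLY" ]; then "$@"; else echo "$@"; fi
}

gateway_rules() {
    # FTP through NAT needs the tracking helper and the NAT helper, so the
    # data connection is both followed and address-rewritten.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    run iptables -t nat -F
    run iptables -F
    run iptables -X
    run iptables -P FORWARD DROP
    run iptables -N logdrop
    run iptables -A logdrop -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "
    run iptables -A logdrop -j DROP

    # Hide the house network behind whatever address the cable modem gets.
    run iptables -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE

    # Replies and related connections (FTP data, ICMP errors) in either
    # direction; everything inbound that is not a reply dies at the end.
    run iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m state --state INVALID -j logdrop

    # DNS for the whole LAN, child included (it has to resolve its sites).
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -p udp --dport 53 -m state --state NEW -j ACCEPT

    # The child's box: HTTP to the listed sites only, matched on IP and MAC.
    # These come before the general LAN rules so the box cannot fall through.
    for site in $KID_SITES; do
        run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$KID_IP" \
            -m mac --mac-source "$KID_MAC" -p tcp -d "$site" --dport 80 \
            -m state --state NEW -j ACCEPT
    done
    run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$KID_IP" -j logdrop

    # Everyone else on the LAN: new outbound connections for named services.
    for port in $LAN_TCP_OUT; do
        run iptables -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN_NET" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Nothing initiated from outside is forwarded in, so a worm that opens
    # an FTP or IRC server on a LAN box never sees a connection.
    run iptables -A FORWARD -j logdrop
}

gateway_rules
```

Order matters twice here: the child's rules precede the general LAN rules so the child's box cannot fall through to them, and the ESTABLISHED,RELATED rule precedes everything so replies flow both ways without any per-service inbound rule. Hosts on the LAN still need to use the gateway as their default route, and the MASQUERADE target is the right choice when the outside address is assigned dynamically, which is the cable-modem case.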

Here's the best resource I found for IPtables: Linux 2.4 Packet Filtering HOWTO. Rusty's examples and explanations are really quite good.





Visit the rest of the DAYNOTES GANG, a collection of bright minds and sharp wits. Really, I don't know why they tolerate me <grin>. My personal inspiration for these pages is Dr. Jerry Pournelle. I am also indebted to Bob Thompson and Tom Syroid for their patience, guidance and feedback. Of course, I am sustained by and beholden to my lovely wife, Marcia. You can find her online too, at http://www.dutchgirl.net/. Thanks for dropping by.

All Content Copyright © 1999-2001 Brian P. Bilbrey.