Pat Gardner

Solaris 10 ipfilter

2008-07-16T11:50:00.004+01:00

Quick guide for ipfilter on Solaris 10

IP Filter home page:
http://coombs.anu.edu.au/~avalon/

Documentation for IPF is also available from:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/firewalls-ipf.html

Enable interfaces to be used with packet filtering:

Edit /etc/pfil/pfil.ap (old way...now seems to require editing /etc/iu.ap)

Uncomment the device names to enable or add a line to specify the interface:

hme0 -1 0 pfil

For the changes to take effect:

1. svcadm restart /network/pfil and replumb the interfaces
or
2. Reboot

Set the ipfilter service to enabled:

svcadm enable network/ipfilter and replumb the interfaces or reboot

By default the configuration files in /etc/ipf will be read at startup

ipf.conf - ipv4 filtering rules
ipf6.conf - ipv6 filtering rules (if ipv6 is configured)
ipnat.conf - NAT rules (optional)
ippool.conf - refer to many address by a single group name (optional)

A simple ipf.conf to block and log all traffic other than ssh would contain:

pass out quick all keep state
pass in quick on hme0 proto tcp from any to any port = 22 keep state
block in log all

Filtering rules can be loaded from alternative locations:

ipf -f filename

As can NAT rules:

ipnat -f filename

Filter rules sets can either be active or inactive. Doesn't seem to support adding or removing individual rules so the only way of changing the current set seems to be to load an inactive set and to swap that with the running set.

To switch between the active and inactive rule sets:

ipf -s

To modify packet filtering behaviour:

ipf -Fa (remove both incoming and outgoing rule sets)

ipf -Fo (remove outgoing rules only)

ipf -Fi (remove incoming rules only)

ipf -D (disable all packet filtering)

ipf -E (enable packet filtering)

To view currently loaded rules for the active set:

ipfstat -io

To view currently loaded rules for the inactive set:

ipfstat -I -io

To remove all the runnings rules and load a new set from a file:

ipf -Fa -f filename

To load rules to the inactive rule set:

ifp -I -f filename

To append rules to the current active rule set:

echo "block in log on hme0 proto tcp from any to any port = 25" | ipf -f -

Sample rule set for an Solaris 10 host (192.168.93.128) with one zone (192.168.93.132). The interface name is hme0. We all ssh and icmp echo (ping) only to the host, all else being blocked. All outgoing traffic is allowed and stateful. http is allowed through to the Solaris zone hosted on the server:

pass out quick all keep state
pass in quick on hme0 proto icmp from any to any icmp-type 8 keep state
pass in quick on hme0 proto tcp from any to 192.168.93.128 port = ssh keep state
pass in quick on hme0 proto udp from any to 192.168.93.132/32 port = 80 keep state
block in log all

PaTcH_MsG 8 Version of is not installed on this system

2008-07-16T11:50:00.001+01:00

I had to manually run some of the patches in the Solaris patch cluster recently but got this error:

> ./checkinstall: .: filename argument required
> .: usage: . filename
> PaTcH_MsG 8 Version of is not installed on this system.

To fix make sure that the directory tree all the way down to the patch is executable by 'nobody'.

setuid wrapper

2007-03-01T16:08:00.000Z

I needed to run a script with root privileges,but had
forgotten that Solaris (and I guess mosts versions of Unix) will not allow setuid on scripts. The solutions is to write a binary wrapper will will call the script:

#include <unistd.h>
#include <stdio.h>

#define myfile "/path/to/script"

main(argc, argv)
char **argv;
{
setuid(0);
seteuid(0);
execv(myfile, argv);
}

Fix for acroread

2007-01-17T22:18:00.000Z

Adobe reader fails to start on the Gnome desktop on Fedora 6. There
seems to be a conflict withscim (smart common input method).
The fix is to add the following to the top of /usr/bin/acroread:

export GTK_IM_MODULE=xim

GRUB errors

2006-12-04T22:48:00.000Z

After a migration of my home server to a new mirrored 500GB sata setup from my old 160GB pata system, I encountered some problems with booting the server. Intially booting stopped at:

GRUB _

This was fixed by booting from the FC6 DVD and selecting "linux rescue". I then chrooted to my install with "chroot /mnt/sysimage", followed by a "grub-install".

This fixed my first problem but now boot was hanging at:

GRUB loading stage 2

So again, back into the rescue boot and my chroot environment. Now I ran "/sbin/grub" which took me into the grub shell. I ran "root (hd0,0)" to use the first partition of the boot disk, then ran "setup (hd0).

Next boot all was well.

X Forwarding problems

2006-12-01T21:52:00.000Z

I've set up a new Fedora 6 server using Xen (another story), but no xorg packages were installed. When logging in over ssh with X forwarding enabled (ssh -X) I still couldn't run any GUI applications remotely. Logging in with debug (ssh -Xv):

debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Remote: No xauth program; cannot forward with spoofing.

Turns out the solution is to install xauth:

# yum install xorg-x11-xauth.i386

Configuring apache for webdav

2006-09-08T16:01:00.000+01:00

I wanted to configure my apache server with a webdav directory to test iCal's calender publishing ability. My apache server runs on Fedora Core 5. In /etc/httpd/conf.d I created a file called webdav.conf which along with all the other .conf files in this directory gets read by the master conf file /etc/httpd/conf/httpd.conf. The file webdav.conf has the following content:

<Location /cal>
DAV On
AuthType Basic
AuthName "WebDAV Restricted"
AuthUserFile /var/www/.htusers
require user myuser
</Location>

The location directive refers to a directory called "cal" located at the root of my webserver created with:

mkdir -p /var/www/html/cal
chown apache:apache /var/www/html/cal

"DAV On" enables the webdav access for this location. I'm using basic apache username/password authentication for a pre-existing user "myuser" in the file /var/www/.htusers.

Secure IMAP with Dovecot and SSL

2006-08-28T11:43:00.000+01:00

In common with many other older protocols IMAP traffic is sent in clear text, with potential for anyone to eavesdrop or steal passwords. Like other modern IMAP servers Dovecot provides methods of enhancing security; you can either use secure authentication methods such as cram-md5 or encrypt the whole session using SSL. I've configured my Fedora Core 5 server to use SSL.

By default on FC5 Dovecot allows the following protocols:

imap imaps pop3 pop3s

To only allow imaps we must set:

protocols = imaps

in /etc/dovecot.conf

The server also comes with a dummy "localhost.localdomain" x509 certificate in /etc/pki/dovecot which should be replaced by at your own self-certified certificate (or even better one signed by a CA). There is a script provided ( /usr/share/doc/dovecot-1.0/examples/mkcert.sh ) to automate the process, but first a two files must be modified. Since mkcert.sh has not been written specifically for FC5 we must change the locations in the script so that they look like:

#!/bin/sh

# Generates a self-signed certificate.
# Edit dovecot-openssl.cnf before running this.

OPENSSL=${OPENSSL-openssl}
#SSLDIR=${SSLDIR-/etc/ssl}
SSLDIR=${SSLDIR-/etc/pki/dovecot}
OPENSSLCONFIG=${OPENSSLCONFIG-/etc/pki/dovecot/dovecot-openssl.cnf}

CERTFILE=$SSLDIR/certs/dovecot.pem
KEYFILE=$SSLDIR/private/dovecot.pem

Of course, these values should match what is in /etc/dovecot.conf, but the above is good for a default install. Next, update the contents of /etc/pki/dovecot/dovecot-openssl.cnf to reflect the local country code, organisation and common name (something other than localhost.localdomain!). Now all that is reuired is to run "mkcert.sh" then run a "service dovecot restart", following which any mail clients will need to be configured for SSL.

CUPS Browsing

2006-08-11T21:20:00.000+01:00

The CUPS print software ships with the browse support (or rather the broadcast component of the server) disabled. Once enabled, all clients should be able to detect and browse all printers on the server. There are basically three possible configurations (in /etc/cups/cupsd.conf) for broadcast:

BrowseAddress aaa.bbb.ccc.ddd
BrowseAddress @LOCAL
BrowseAddress @IF(name)

The first will specify a broadcast address such as 192.168.0.255. The second will broadcast to all local nets, whilst ignoring LANS such as point-to-point (dial-up) etc. The last limits broadcasts to an interface, so "BrowseAddress @IF(eth0)" only broadcasts on device eth0.

By default the server will allow incoming packets from any address, so if you wish to restrict access you can use either of the "BrowseAllow" or "BrowseDeny" directives as in:

BrowseDeny badhost.example.net (requires "HostNameLookups On")
BrowseDeny 192.168.1.10
BrowseDeny @IF(eth1)

Solaris and man page troubles

2006-08-04T20:07:00.000+01:00

After a fresh install of Solaris I was unable to use "man -k" as I was getting:

/usr/share/man/windex: No such file or directory

The solution is to run "catman -w" and all is well.

Xgl on Fedora Core 5

2006-07-05T14:44:00.000+01:00

I've got Xgl running by following the instructions here. I've been waiting quite a while for somebody to provide an easy and non destructive way of installing Xgl. I have previously tried using Aiglx, but that didn't seem as stable; blurry fonts and X server hangs when switching between virtual consoles.

Xgl works very well on my desktop (P4 2.8, 1 GB Ram, nVidia fx5700 256MB) with the nVidia driver, but not so well on my laptop (P4 2.4, 1 GB Ram, ATI 340M IGP). As ATI haven't released a linux driver for the 320/340 IGP series I have to use the open source 'radeon' driver which doesn't yet support the pixel-buffer required by Xgl. As a result some of the effects are rendered in software, and some graphical glitches are visible.

To view/modify the shortcut keys for compiz (which provides all the cool effects) you'll need to run 'gconf-editor' and look at 'apps/compiz'.

Remote name daemon control (rndc) for BIND

2006-06-28T23:34:00.000+01:00

Using the rndc command you can send commands to your DNS servers over TCP authenticated by digital signatures. Without any parameters the command prints out its options:

Usage: rndc [-c config] [-s server] [-p port]
[-k key-file ] [-y key] [-V] command

command is one of the following:

reload Reload configuration file and zones.
reload zone [class [view]]
Reload a single zone.
refresh zone [class [view]]
Schedule immediate maintenance for a zone.
retransfer zone [class [view]]
Retransfer a single zone without checking serial number.
freeze zone [class [view]]
Suspend updates to a dynamic zone.
thaw zone [class [view]]
Enable updates to a frozen dynamic zone and reload it.
reconfig Reload configuration file and new zones only.
stats Write server statistics to the statistics file.
querylog Toggle query logging.
dumpdb [-all|-cache|-zones] [view ...]
Dump cache(s) to the dump file (named_dump.db).
stop Save pending updates to master files and stop the server.
stop -p Save pending updates to master files and stop the server
reporting process id.
halt Stop the server without saving pending updates.
halt -p Stop the server without saving pending updates reporting
process id.
trace Increment debugging level by one.
trace level Change the debugging level.
notrace Set debugging level to 0.
flush Flushes all of the server's caches.
flush [view] Flushes the server's cache for a view.
flushname name [view]
Flush the given name from the server's cache(s)
status Display status of the server.
recursing Dump the queries that are currently recursing (named.recursing)
*restart Restart the server.

* == not yet implemented
Version: 9.3.2

Because digital signatures are used for authentication with the name server daemon, you must speicify either a key-file ( -k option) or key on the command line ( -y option). If no key or key-file is sepcified then rndc will look in the rndc.conf file.

So now you can do cool stuff like turn query logging on and off with:

# rndc querylog
# ping -c 1 www.google.com
# tail /var/log/messages
Jun 28 23:48:21 poseidon named[1986]: query logging is now on
Jun 28 23:48:48 poseidon named[1986]: client 192.168.116.10#33362: query: www.google.com IN A +
# rndc querylog
# tail /var/log/messages
Jun 28 23:51:32 poseidon named[1986]: query logging is now off

You can dump the name server cache with the command:

# rndc dumpdb -cache

The dump file will be specified in the named.conf file in the options directive:

dump-file "/var/named/data/cache_dump.db";

Since my server runs in a chrooted environment the location is actually /var/named/chroot/var/damed/data/cache_dump.db. The file itself is just plain text so you can view it in any editor.

DB2 upgrade

2006-06-27T22:13:00.000+01:00

I had a DB2 V8.1 fixpack 2 installation on one of my FC5 systems which I upgraded to the (currently) latest fixpack 12. After completing the upgrade and running the post install tasks (iupdate) I found I couldn't run any of the utils such as db2cc:

[db2inst1@medusa ~]$ db2cc
stackpointer=0x1c3aa4
Writing Java core file ....
Written Java core to /tmp/javacore11599.1151439455.txt
DB2JAVIT : RC = 11

Oops! Something was clearly very wrong here. It turns out that the Java SDK (1.31) originally installed with DB2 doesn't work with FC5 or my kernel (2.6.17). My problem was resolved by downloading and installing the Java 1.42 SDK rpm from IBM, and running the following command as user db2inst1:

db2 update dbm cfg using JDK_PATH /opt/IBMJava2-142

Mirroring websites with wget

2006-06-24T23:07:00.000+01:00

I'm sure it's already quite well known, but I've just discovered how to mirror web sites with wget. I'd been wanting to make sure I had a back up of this blog and was already sure that wget would be the tool to use. A quick search turned up this command:

wget --mirror –w 2 –p --html-extension –-convert-links –P /home/pat/documents/blogger/ http://patgardner.blogspot.com

--mirror

get files recursively, but depending on timestamp

-w

wait a number of seconds between retrieval

-p

download all page requisites such as images

--html-extension

makes sure that all the copies of files have .html file extensions

--convert-links

convert links suitable for local viewing

-P

path to save files to

iFolder

2006-06-20T12:16:00.000+01:00

I've just discovered iFolder, a storage solution originally created by Novell but now released as an open source project. With iFolders you can set up directories to replicate to a server, which in turn will replicate to any other computer that has the client software installed. Client software is available for Windows XP, Linux and OS X. Without the client software you can still upload/download files via the web interface.

Slow Firefox

2006-06-16T13:30:00.000+01:00

Firefox 1.5.0.3 provided with Fedora 5 seems very slow (more so on my laptop) particularly when scrolling. Cpu usage can easily hit 100% when scrolling up and down a page. A short term solution until they fix it is to put:

export MOZ_DISABLE_PANGO=1

In your .bash_profile.

Zeroconf service discovery

2006-06-16T11:18:00.000+01:00

Another new addition to the latest release of Fedora is avahi support, better known as zeroconf or bonjour in the Apple world. This allows for service discovery on the network, such as printers automatically anouncing their presence or bookmarks being broadcast to the LAN. The avahi-daemon takes care of advertising services whilst application such as Gnome (2.14) are avahi aware. Here is an example of how to get avahi up and running.

1. Configure some services. The directory /etc/avahi/services is initially empty, so we'll create a few files:

apache.service
ssh-ftp.service
ssh.service

We populate the files with the following data:

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name>Apache Server Documentation</name>
<service>
<type>_http._tcp</type>
<port>80</port>
<txt-record>path=/manual</txt-record>
</service>
</service-group>

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">SFTP File Transfer on %h</name>
<service>
<type>_sftp-ssh._tcp</type>
<port>22</port>
</service>
</service-group>

<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">Remote Terminal on %h</name>
<service>
<type>_ssh._tcp</type>
<port>22</port>
</service>
</service-group>

2. Enable the avahi-daemon, and have it auto start on system boot.

# service avahi-daemon start
# chkconfig avahi-daemon on

3. We can also enable Gnome file sharing from "Desktop/Preferences/Personal File Sharing" which provides WebDAV access to ~/Public.

4. If we now start nautilus and click on "network" or go to the "network:///" Gnome-VFS, you can see that in addition to the Windows SMB network we also have the "Public" WebDAV share as well as the secure FTP resources displayed:

5. Epiphany (the Gnome web browser) is the only browser which supports avahi bookmarks at this time. We can see this working if we start Epiphany:

There are a couple of other tools which can display zeroconf services, the avahi provided 'avahi-discover' and the 'Zeroconf discovery applet' which is avaible from the avahi website. Download the service-discovery-applet tarball, unpack and run:

# ./configure && make && make install

You should now be able to add the applet to your gnome-panel:

It's clearly early days for zeroconf support in Linux, but what there is works well. I hope that the Gnome team and other application developers continue to integrate and extend avahi support.

Sendmail SmtpGreetingMessage

2006-06-01T23:47:00.000+01:00

Call me old fashioned, but I still use sendmail. Yeah, I know there are lots of more modern and easy to use MTA's out there but I don't have the time to learn them right now. Sometimes best to stick with what you know. Anyhow...

I was wondering how to change the greeting message on an smtp connection and a long search through my O'Reilly sendmail 3rd Edition provided the answer. The following is an mc configuration for versions 8.7 or above:

define(`confSMTP_LOGIN_MSG',`message')

Where "message" is a string that must at least contain the localhost name. By default message would be:

$j Sendmail $v/$Z; $b

In sendmail.cf which results in something like:

220 mailhost.mydomain.com ESMTP Sendmail 8.13.6/8.13.6; Thu, 1 Jun 2006 23:19:51 +0100

Where:

$j = fully qualified hostname
$v = sendmail version
$Z = configuration file version
$b = current date and time

I placed this new definition in my sendmail.mc:

define(`confSMTP_LOGIN_MSG',`$j MTA ready and waiting ; $b')

Which displays:

220 mailhost.mydomain.com ESMTP MTA ready and waiting ; Fri, 2 Jun 2006 00:06:08 +0100

Why did I do this? Well it's usually better with sendmail (or indeed any MTA or service) to hide the version from the outside world as this can make it a little harder to exploit.

Power Management

2006-05-31T16:24:00.000+01:00

Fedora Core 5 comes with the new "gnome-power-manager" which is rather good, as it provides a few more features than the old battery applet such as suspend-to-ram (suspend) and suspend-to-disk (hibernate). However, I can't get my Compaq Presario 2104EU to suspend-to-ram properly; it suspends ok, but powering on just gives me a blank screen. I'd tried to add boot options such as 'acpi_sleep=s3_bios', but to no avail. Either it's a flaky bios or I need to remove some modules before putting the laptop into suspend. What does work is hibernate, though I do have to run 'service network restart' upon resume as it seems to loose its network settings.

For FC5 you can update the 'gnome-power-manager' to the lastest version by adding this file to /etc/yum.repos.d/ and running:

# yum -y update gnome-power-manager.i386

Restarting your gnome session you get this new applet:

Choosing "information" from the menu displays extra's that aren't on the official FC5 release:

Loopback file systems

2006-05-30T11:05:00.000+01:00

I had to mount a hard disk image today and found this excellent guide for loopback filesystems on Linux.

Picasa for Linux

2006-05-27T20:10:00.000+01:00

Picasa, the google photo manager, has been released for Linux. It's not a fully native port as it runs using WINE, but even so the performance doesn't seem to suffer for it and I've not noticed any missing features. Download and further information from here .

I'd suggest setting the 'Folder Manager' to only scan /home as by default it scans the whole file system, which makes Picasa take forever to load subsequently!

For anybody that doesn't like the ugly 'winfile' when you 'Locate on Disk' in Picasa just create a script called 'picasa-hook-filemanager.sh' with the following content somewhere in your path (this only works for Gnome):

#/bin/bash
nautilus `dirname "$1"`

This is from the Picasa/Linux FAQ.

"You may be surprised that Picasa can't locate files on your Gnome system. Unfortunately, we weren't able to find a way to make Nautilus to open with the correct file highlighted."

I couldn't get the highlight working either even though this link suggests it may be possible on 2.14.

Fix that eject button!

2006-05-26T16:10:00.000+01:00

On Linux systems there really is no need to have the cd-rom drawer locked when a disc is inside and having to run the "eject" command to open the tray. This behaviour can be easily fixed with:

# echo "dev.cdrom.lock=0" >> /etc/sysctl.conf

Followed by a reboot. To have it take effect immediately:

# sysctl -w dev.cdrom.lock=0

Nautilus Actions

2006-05-26T14:33:00.000+01:00

As much as I like the Gnome desktop there are times when I want to perform a specific action (send a file via bluetooth for example) on a file or directory and have to use gnome-terminal because nautilus (the gnome file manager) doesn't support what I'm trying to do. Forunately I have now discovered two ways around this; the package nautilus-actions and the native nautilus scripting. I prefer the first method which allows custom right-click actions on objects in nautilus, and here is how you go about it (tested on FC5):

1. Install "nautilus-actions"

#yum -y install nautilus-actions

2. Launch the nautilus-actions configurer from the Gnome panel

Desktop/Preferences/More Preferences/Nautilus Actions Configuration

3. Nautilus-actions will start with no preconfigured actions so we must click on "Add"

4. I'm using "Send files via bluetooth" as an example

Here is the definition of the editable values:

"Label"
How this will appear on the right-click menu

"Tooltip"
An optional descriptive text that will appear at the bottom of the nautilus window

"Icon"
Optional icon to precede the label

"Path"
The executable or script that we wish to perform the action (full path is only necessary if the executable is outside of your normal path ie /sbin )

"Paramters"
Paramters passed to the executable

I'm using "%M" which will pass the full name and path of the files selected to the executable, in this case "gnome-obex-send".

5. Configure the conditions and advance conditions. These allow you to set the actions behaviour so that it will only work on certain file types, or if the action applies to local or remote (network) file systems.

6. Click ok to save then close the application.

7. Test by opening a naultilus window, selecting a file and right clicking:

We have a new nautilus action!

I also tried to add an action to send files via thunderbird (I don't like evolution much) by using this command:

thunderbird -compose "attachment='file:///%M'"

It seems that Thunderbird 1.5 is broken at this time and doesn't process its command line arguments properly.

Ext3 and full data journaling

2006-05-25T18:19:00.000+01:00

Ext3 is a stable and mature file system, offering a good balance of speed and reliability. But what many people do not realise is that the default journaling support is only for meta-data, not all data. Here is the relevant section from 'man tune2fs':

journal_data
When the filesystem is mounted with journalling
enabled, all data (not just metadata) is committed
into the journal prior to being written into the
main filesystem.

journal_data_ordered
When the filesystem is mounted with journalling
enabled, all data is forced directly out to the main
file system prior to its metadata being committed to
the journal.

journal_data_writeback
When the filesystem is mounted with journalling
enabled, data may be written into the main filesys-
tem after its metadata has been committed to the
journal. This may increase throughput, however, it
may allow old data to appear in files after a crash
and journal recovery.

So the default mount option is with "journal_data_ordered". This is considered the fastest option, but at the expense of full data recovery in the event of a power outage etc. You can look at many of the tunable parameters with 'tune2fs -l /dev/hdx' or in my case as I'm using LVM:

# tune2fs -l /dev/mapper/VolGroup00-LogVol00
tune2fs 1.38 (30-Jun-2005)
Filesystem volume name:
Last mounted on:
Filesystem UUID: b0c69d9c-234f-444d-ba95-f979a4902f4d
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Default mount options:
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 19005440
Block count: 19005440
Reserved block count: 950272
Free blocks: 5362926
Free inodes: 18381437
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 1024
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 32768
Inode blocks per group: 1024
Filesystem created: Wed Jul 6 20:23:44 2005
Last mount time: Thu May 25 10:03:33 2006
Last write time: Thu May 25 10:03:33 2006
Mount count: 226
Maximum mount count: -1
Last checked: Wed Jul 6 20:23:44 2005
Check interval: 0 ()
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 128
Journal inode: 8
First orphan inode: 695882
Default directory hash: tea
Directory Hash Seed: 11dc53e2-545c-4880-a6a6-792557a40a3d
Journal backup: inode blocks

The value 'Default mount options: ' is empty meaning its only using the meta-data journaling. To set a new value here we run:

# tune2fs -o journal_data /dev/mapper/VolGroup00-LogVol00

NOTE: I've run this command on a mounted file system (in fact on the root file system / ) with no ill effects. However, if you are concerned about your data (and I suggest you always have backups) then only run this command on file systems after they are dismounted; either boot in rescue mode or from a bootable cd like Knoppix.

Also, we can edit our /etc/fstab to set the default mount option there by adding the "data=journal" option:

/dev/VolGroup00/LogVol00 / ext3 defaults,noatime,data=journal 1 1

Thats it. We now need to reboot the system (for / ) or remount (for any other file system) to begin taking advantage of full data journaling.

I've not noticed any performance degredation with "journal_data" and have heard reports that it is actually faster in some circumstances .

Encryption with LUKS, Gnome and HAL

2006-05-25T14:47:00.000+01:00

I've been playing around with the various disk/file encryption methods for Linux and I'm particulcarly impressed by LUKS on the Gnome desktop as described here. LUKS is a standard for hard disk encryption using the linux kernel (2.6) crypto API and dm-crypt mapper.

What I really wanted from disk encryption was ease of use and cross platform portability. I have tried out truecrypt which fits the bill for being cross platform but I found is still a little tedious for use on the desktop (perhaps I'll do another post about my adventures with truecrypt).

Anyhow, LUKS/HAL only just made it into Fedora Core 5 (without much fanfare) and really does make linux disk encryption easy; encrypt your partition, create a file system, plug in your device! The instructions below were based of the how-to from here .

1. Identify the volume you will be encrypting with dmesg. In my case the partition is /dev/sda1 on an external usb2 hard disk which I had previously created with fdisk.

2. Make sure the device is not mounted:

# umount /dev/sda1

3. Create the LUKS partition on the usb drive:

# cryptsetup --verbose --cipher "aes-cbc-essiv:sha256" --key-size 256 -verify-passphrase luksFormat /dev/sda1

Enter and confirm the passphrase for the volume. I suggest using a long passphrase (at least 10 characters, but the more the better obviously!) with a mix of case and numbers.

4. Create a device mapping from the virtual crypto volume to the physical device:

# cryptsetup luksOpen /dev/sda1 usbdisk

This will create a block device /dev/mapper/usbdisk.

5. Make a new file system on our new device:

# mkfs.vfat -v -F 32 -n "20GB USB" /dev/mapper/usbdisk

This will create a FAT32 file system on my external usb disk (I hope to use this with windows too at some point!)

6. Now we just unplug and re-insert the usb disk and:

Up pops the password dialogue box for our disk! Enter the passphrase for the volume and the disk will be mounted in /media with a conveniant shortcut on the desktop.

Sony Ericsson K750i

2006-05-03T16:25:00.000+01:00

I've recently bought myself a new mobile phone, and I'm pleasently surprised by how well it works with Linux. Below is the output from dmesg after pluging the phone into a usb port:

May 3 16:21:07 poseidon kernel: usb 7-1.3: new full speed USB device using ehci_hcd and address 10
May 3 16:21:07 poseidon kernel: usb 7-1.3: configuration #1 chosen from 1 choice
May 3 16:21:07 poseidon kernel: cdc_acm 7-1.3:1.1: ttyACM0: USB ACM device
May 3 16:21:07 poseidon kernel: cdc_acm 7-1.3:1.3: ttyACM1: USB ACM device
May 3 16:21:07 poseidon kernel: scsi4 : SCSI emulation for USB Mass Storage devices
May 3 16:21:12 poseidon kernel: Vendor: Sony Eri Model: Memory Stick Rev: 0000
May 3 16:21:12 poseidon kernel: Type: Direct-Access ANSI SCSI revision: 00
May 3 16:21:12 poseidon kernel: SCSI device sdb: 126912 512-byte hdwr sectors (65 MB)
May 3 16:21:12 poseidon kernel: sdb: Write Protect is off
May 3 16:21:12 poseidon kernel: sdb: assuming drive cache: write through
May 3 16:21:12 poseidon kernel: SCSI device sdb: 126912 512-byte hdwr sectors (65 MB)
May 3 16:21:12 poseidon kernel: sdb: Write Protect is off
May 3 16:21:12 poseidon kernel: sdb: assuming drive cache: write through
May 3 16:21:12 poseidon kernel: sdb: sdb1
May 3 16:21:12 poseidon kernel: sd 4:0:0:0: Attached scsi removable disk sdb
May 3 16:21:12 poseidon kernel: sd 4:0:0:0: Attached scsi generic sg2 type 0
May 3 16:21:15 poseidon kernel: SELinux: initialized (dev sdb1, type vfat), uses genfs_contexts

The on-board memory stick (which I must upgrade as it's only 64mb!) is automatically mounted by gnome with a removable file-system icon on the desktop. Gthumb even starts and asks if I wish to import photo's! I can even use the phone as a modem (dev/ttyACM0) when connect via the supplied usb cable. Presumably I'll be able to use the K750i as a modem over bluetooth as I was with my previous T610, but I've not tried yet...

Sendmail, dovecot, squirrelmail and Maildir

2006-05-03T15:29:00.000+01:00

I had to advise somebody today on how to configure sendmail/dovecot/squirrelmail with Maildir. There really is no excuse not to switch to Maildir; it's both faster than mbox and supports sub directories!
I know this works on Fedora 4/5 so I just thought I'd post the config before I forget:

/etc/procmailrc (just the one line needed)
DEFAULT=$HOME/Maildir/

/etc/dovecot.conf (replace the appropriate line in your existing config)
default_mail_env = maildir:/%h/Maildir

/usr/share/squirrelmail/config/config.php (this section is near the beginning of the file)
$domain = 'yourdomain.com';
$imapServerAddress = 'localhost';
$imapPort = 143;
$useSendmail = true;
$smtpServerAddress = 'localhost';
$smtpPort = 25;
$sendmail_path = '/usr/sbin/sendmail';
$pop_before_smtp = false;
$imap_server_type = 'courier';
$invert_time = false;
$optional_delimiter = '.';
$encode_header_key = '';

Problems with yum

2006-04-19T13:16:00.000+01:00

I recently upgraded both my laptop and desktop from FC4 to FC5, starting with my laptop as a testbed. All went well with my laptop (well, pretty much anyway) so I decided I was ready to go ahead with the desktop upgrade. First thing after the upgrade of course, I needed to run a 'yum update' to get all the software package updates, particularly the kernel upgrade which would allow the use of nvidia drivers. Imagine my annoyance when I got this from the 'yum update' command:

failure: repodata/repomd.xml from base: [Errno 256] No more mirrors to try

I tried all sorts of cures: Re-installing yum, re-installing fedora-release rpm. All failed with the same error. It turns outs that you need to remove a 'nisplus' entry (if you have one) on the hosts line of /etc/nsswitch.conf.

Overall though, I'm very pleased with FC5; it's polished, fast and beginning to show what desktop linux is capable of.

Security Updates

2006-02-28T10:31:00.000Z

Having had much more free time recently (or at least not being at work) I've had time to review my network security. What started out as annoyance at looking at /var/log/secure daily and seeing multiple attempts to access my system via brute-force ssh, combined with an interest to learn a few new skills turned into something of an obsession with locking down just about every application and service I could find.

It all started with my log files. Day after day, my host on the LAN which had ssh forwarded to it was logging numerous failed attempts from all over the world to login, and I was not alone; reports of the same activity are all over the internet of brute-force attacks. Initially it didn't seem very worrying as the usernames sent were all of the type root, apache, mysql, admin and I had only allowed myself to login via ssh in the config file. Later though I noticed all sorts of other names being sent so it was inevitable that mine would be used at some point, and sometimes the same IP address would be logged several hundred times just in one day. I was reluctant to disable the forwarding rule on my firewall at this time as I was finding remote access too useful. My first counter-measure was denyhosts, a script which runs as a cronjob searching the logfiles for repeated failed login attempts (you can set the threshold) then adding these IP addresses to /etc/hosts.deny. This did indeed work as my steadily growing hosts.deny faile proved, but the attacks continued and I still felt uneasy. What if some one got lucky between runs of the cronjob? Next on the list of defenses was public-key access. Yes I admit that I was still using username/password combination; I'd simply never got around to understanding how to apply public-key crypto to ssh. I'm not going to explain here either as there are many excellent guides already on the internet such as Steve Friedl's here.

At about the same kind of time I discovered openvpn, an SSL site to site vpn which supports most flavours of Linux/Unix as well as Mac and Windows. Even better, its released under the GPL. Unlike many 'SSL' vpn's you may have seen/heard about which are just web front ends to applications, openvpn is a true network level (OSI 2/3) vpn solution which while using the proven security of openssl, avoids the complexity and problems of ipsec. Once you've got your head around generating and deploying the certificates it really is so easy to setup, with easy to read config files only a few lines long for the most simple configurations (the openvpn website has a lot of good documentation/exampls and a quick start guide). You may have guessed by now that I really like it :) - Anyway, I started thinking - why use ssh when I've got openvpn which is at least as secure now (probably more so) and which also gives me access to my entire network remotely?

So now ssh forwarding is turned off on my firewall and I use openvpn for remote access. There is still loads that I haven't mentioned yet like clamav, WPA, rkhunter, truecrypt. I'll have to write part 2 later.....

Fedora Core 4, DHCP and DNS Dynamic Update

2006-02-26T12:31:00.000Z

Having previously posted about dynamic update with Solaris 10 reminded my of my earlier problems with FC4 in updating my dns records with BIND (via dhcpd). Whilst I thought about it I'd thought I'd add the solution that worked for my laptop here. Create a file called /etc/dhclient.conf with the following content:

send host-name "myhostname";

For further information: man dhclient , man dhclient.conf

Solaris 10, DHCP and DNS Dynamic Update

2006-02-24T16:22:00.000Z

I recently managed to find the time to install Solaris 10 on my Ultra2. Since I've now moved away from assigning static ip's on my network (except for a few essential hosts) I choose the DHCP option when running the installer. Interestingly the installer never asked for a hostname during setup and sure enough when I first booted my Ultra2 it was now known as 'unknown' and of course no hostname was registered in DNS. To fix this I created the file /etc/nodename which contained just the hostname for the system and /etc/hostname.hme0 which contains one line:

inet hostname

The suffix in the above file name refers to the interface name.

A reboot later my Ultra2 was successfully registering its hostname in DNS.

All things google

2006-02-24T15:01:00.000Z

Following an invite by my friend Marcus to join googlemail, I have now signed up for their free webspace with the beta Google Pages an AJAX web publishing application. Had a quick play but I'm not quite sure what I'm going to do with it yet (which probably puts me in the same boat as all the other people who signed up on day one just to see what all the fuss was about). Anyway, this all brought me to yet another google offering: blogspot. Will I have the time for this? Time will tell....

All things have a beginning

2006-02-24T14:04:00.000Z

OK, so we can't preview unless we've got a posting. Fair enough.