ACPID: Exiting

NM_SYSTEM_SETTING: SCPlugin-Ifupdown: Devices removed (UDI: /org/freedesktop/hal/devices/net_00_30_1B_BE_38_3D)

[601.136038] CIFS VFS: Server not responding
[601.136085] CIFS VFS: No response for CMD 50 mid 166

Then the system would sit for several seconds before doing anything. This never occurred with my Ubuntu 8.04 system (remembering that I installed and configured the network shares the same way).

Side note: For those not familiar, “VFS” refers to “Virtual File System” (node) and “CIFS” is “Common Internet File System). CIFS VFS is a virtual file system / project for Linux to allow access to servers and storage appliances. More from the documentation I found during research, is found on:  http://linux-cifs.samba.org/

As near as I can surmise, since network-manager is installed, this is probably and issue where scripting for shutting down network-manager has higher priority than umount scripting and / or a permissions issue? A case in point is that the umount command would not work until I used sudo.

XKCD Comic - Make me a sandwich

Initially there were two ways I could fix this:

1) Various forums and site suggest removing network-manager from the system and configuring the network myself. It’s a possibility, but I didn’t want to do that.

2) Use terminal to sudo umount //192.168.3.10/sites && sudo umount //192.168.3.10/stock each time I wanted to restart, shutdown, etc. Again that’s a possible solution, but annoying to keep having to do.

Strangely, Google was not helpful (for me) as there were only a few mentions of this error in returned search results, and I could not glean much from them.

I played with the idea of using a script to automatically run the root based umount command each time, but that became problematic for me (I’m not a developer), as I had trouble getting the script to work properly. I did find a thread on Ubuntu forums, “Cifs not unmounting and causing a problem even on shutdown” but it was removed (this link is to the Wayback Internet Archive, that still, luckily,  had a copy of that content), and finally found another script already written by “max.durden” on the same forum: How to: Automatically umount cifs partitions.

I tried his solution and it worked! Because I’m worried about this thread also disappearing (I’ve encountered missing thread links several times on the forum), here are the steps below…

Download Max’s fix file: mountcifs.zip

Extract the contents and copy the extracted  file (named mountcifs) to the /etc/init.d/ directory (sudo cp mountcifs /etc/init.d/).

Make the file executable with the command sudo chmod +x mountcifs

Hard link that file using his names in the commands he specified in the original post:

cd /etc/rc0.d
sudo ln -s /etc/init.d/mountcifs K02mountcifs

cd /etc/rc6.d
sudo ln -s /etc/init.d/mountcifs K02mountcifs

The above fix works perfectly, no more errors, thanks to “Max” at Ubuntu Forums. It you have any questions about his fix, again, please visit his solution at http://ubuntuforums.org/showthread.php?t=293513 for much, much more information and follow up!

Leave the Num Lock on!

I recently (finally) upgraded to Ubuntu 9.04 (I’ve always had issues with x.10 releases for some reason). Until the upgrade I wanted to remain with the LTS track, but (it seems) less developers are supporting it, hence the move. I’ve performed excessive numbers of installs of Ubuntu and various applications on test boxes, but they (obviously) were not my primary system, it’s important to note this, as ordinarily I did not notice a small annoyance regarding Num Lock. On my updated primary system, I noticed this issue immediately, when I tried to log in.

Here’s the rant… If I set the BIOS in my hardware, to turn on the Num Lock, then I’ve done so for a specific reason! For Ubuntu to keep turning it off when I log out, reboot or start up the PC – That’s just plain annoying. I did a bit of Googling to try and find if the issue is being addressed (I remember fixing it using numlockx, and will get to that shortly), but only found a few threads where developers were discussing the “how tos” and “maybe” of the issue. While I’m not a developer, by any stretch of the imagination, I do know that other OS’s accomplish this feat (of abiding by the BIOS num lock settings). So… Ubuntu, please abide by the BIOS settings (with regards to Num Lock).

However, for those of you who want to ensure the Num Lock is on, we can use the numlockx tool. There’s probably a ton of sites listing this and discussing it at great length, but for ease of reference, here are my notes from the last time I had to fix this issue:

Install numlockx via aptitude –> sudo aptitude install numlockx

Edit your desktop management settings (make SURE up BACKUP any important data you do not want to lose, just in case):

sudo gedit /etc/gdm/Init/Default

Add the following just above the statement (in that file), that says “exit 0″:

if [ -x /usr/bin/numlockx ]; then
/usr/bin/numlockx on
fi

Make sure you manually turn your Num Lock off, log out and log back in.

One thing I found was that during the log in, the Num Lock was on, as soon as I logged in, it turned off again.  Grrrrrrrr…. My Bad! It worked properly on subsequent reeboots.

The Ubuntu Wiki for Jaunty says:

“System –> Administration –> Keyboard & Mouse –> Keyboard –>”turn on Numlock on Startup”

But… It’s not an option (Keyboard & Mouse)  in my Jaunty (which I just installed as a clean install).

Maybe there’ll be a fix for this in 10.04? (I hope so).

Have a better solution? PLEASE let us all know. ;)

“…and lots of your posts show us how to do things in a terminal. Each time I have to go to Applications / Accessories / Terminal, isn’t there a faster way, like some key combination or something?…”

In Ubuntu (for that matter pretty much all Linux distros), you can set up “hot keys” to execute functions. In your case we’re going to set up a hot key for opening the Terminal in Ubuntu 8.04LTS. This way, you can access Terminal much faster!

Ubuntu already has a “Keyboard Shortcuts” tool. You can find it via System –> Preferences –> Keyboard Shortcuts

Scroll down (or up) to where it says “Open a terminal window” (as seen in the above screenshot).

Click on that line and select your shortcut by entering the key combination you want. In my case I selected ALT + F12. Now every time I press ALT and F12, a terminal will pop up.

Caveat: MAKE SURE that the key or key combination you select does not interfere with what has been configured for other actions!

In that post, I was careful to install Squid3 first, so that Webmin would use it (in the management interface) instead of the older Squid 2.x; and that the installation would be smoother. One thing I noticed was that webmin was using an older version of squid:

“…I noticed that webmin (for some strange reason) thought squid 2.6 was installed…”

One of our readers (atass) provided a useful comment in that post:

“The reason is that you have also installed squid3 AND 2.6. 2.6 was installed via webmin because it is not configured by default to find squid3

I think you should correct this procedure so that you correctly configure webmin to use squid3 by going to module configuration and changing to squid3 paths. Avoid installing Squid via webmin cause it will install Squid 2.6 regardless if you have squid 3 installed”

So this needed fixing, here are the settings (below) I changed to get Squid3 going. Above all, remember to back up data or settings before changing anything.

Log into your webmin interface and select “Squid Proxy Server” from the left side navigation menu.
At the top select “Module Config“.
Change the following values:

Full path to squid config file: /etc/squid3/squid.conf
Squid executable: squid3
Full path to squid cache directory: /var/spool/squid3
Full path to squid log directory: /var/log/squid3

Now remember to stop squid and start squid3, via ssh (substituting for your IP address instead of mine):

ssh root@192.168.1.200

sudo /etc/init.d/squid3 restart

sudo /etc/init.d/squid stop

Now try surfing with your web browser configured to use the Squid3 proxy. If you get an error message (like I did):

————————————————————————–

The requested URL could not be retrieved

While trying to retrieve the URL: http://ubuntulinuxhelp.com/

The following error was encountered:

* Access Denied. Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect.

Your cache administrator is xxxx@xxxx.com.

Generated Tue, 01 Dec 2009 17:44:31 GMT by squidbox (squid/3.0.STABLE1)

————————————————————————–

Double check your Access Control in the “Squid Proxy Server”, Select the padlock icon that says “Access Control”.

Mirror the original settings you had in the Access Control for the older version of Squid. Then select the “Proxy Restrictions” tab, and again mirror the settings.

Then I restarted Squid3

sudo /etc/init.d/squid3 restart

And tried to surf the web… and everything works!

Big thanks to the reader that pointed out the issue. That’s appreciated! :)

More information on Firewall Builder, pre-built binary packages and source code, documentation and Firewall Builder Cookbook can be found on the project web site at www.fwbuilder.org. Watch Project Blog for announcements and articles on all aspects of using Firewall Builder.

After firewall configuration has been generated by one of the policy compilers and saved in a file on disk in the format required by the target firewall, it needs to be transferred to the firewall machine and activated. This function is performed by the component we call “Policy Installer” which is part of the Firewall Builder GUI.

Starting with version 2.0, Firewall Builder comes with built-in installer that uses SSH to communicate with the firewall. Installer works on all OS where Firewall Builder is available: Linux, FreeBSD, Windows and Mac OS X. On Linux, *BSD and Mac OS X it uses standard ssh client that comes with the system; on Windows it uses putty.

Installer needs to be able to copy generated firewall script to the firewall and then run it there. In order to do so, it uses secure shell. The program does not include ssh code, it uses external ssh client. On Linux, BSD and Mac OS X it uses standard ssh client ssh and secure shell file copy program scp that come with the system; on Windows it uses plink.exe and pscp.exe. Full directory path to ssh client program can be configured in the Preferences dialog (accessible via Edit/Preferences menu), however if you are on Linux, *BSD or Mac and use standard ssh client that is available via your PATH environment variable, you do not need to change default value there.

Installer works differently depending on the targert platform. In case of Linux and BSD based firewalls it uses scp to copy generated configuration files to the firewall machine and then uses ssh to log in and run the script. In case of Cisco routers or ASA appliance (PIX), it logs in, switched to enable and then configuration mode and executes configuration commands one by one in a manner similar to expect scripts. It inspects router’s replies looking for errors and stops if it detects one. In the end, it issues command write mem to store new configuration in memory and logs out.

Built-in policy installer has been designed to work with dedicated firewall machine, that is, when computer where you run Firewall Builder GUI and actual firewall are different machines. Nevertheless, it can be used when they are the same machine as well. The only difference is that in all commands below you would use the name or address of the machine where you run Firewall Builder instead of the name or address of the dedicated firewall. SSH client will then connect back to the same machine where it runs and everything will work exactly the same as if it was different computer.

How does installer decide what address to use to connect to the firewall

Installer does not use the name of the firewall to connect to, it always connects to its IP address. It starts by scanning interfaces of the firewall object looking for one that is marked as “Management interface” using checkbox in the interface object dialog. Installer will use address of this interface to connect to. The “management interface” checkbox looks like shown on the next screenshot:

If your firewall has multiple addresses and you want to use the one that is not assigned to its interface in the fwbuilder object, then you can overwrite the address using entry field in the “installer” tab of the “advanced” firewall object settings dialog, like this:

More about other input fields in this dialog below.

Finally you can overwrite the address on one-time basis just for the install session using entry field in the installer options dialog. This is the same dialog where you enter password:

This works for all supported firewall platforms, i.e. iptables on Linux, pf on OpenBSD and FreeBSD, ipfw on FreeBSD and Mac OS X, ipfilter on FreeBSD, Cisco IOS access lists and Cisco ASA (PIX). Regardless of the platform, installer follows the rules described here to determine what address it should use to connect to the firewall.

Configuring installer on Windows

You can skip this section if you run Firewall Builder GUI on Linux, *BSD or Mac OS X.

Here is the link to slide show that demonstrates the process.

Download and install putty.exe, plink.exe and pscp.exe somewhere on your machine (say, in C:putty). Download URL is http://www.chiark.greenend.org.uk/~sgtatham/putty/

Installer does not use putty.exe but it will be very useful for troubleshooting and for setting up sessions and ssh keys.

In the Edit/Preferences dialog, in the “SSH” tab, use “Browse” buttons to locate plink.exe. Hit “OK” to save preferences. If you installed it in C:putty, then you should end up with C:puttyplink.exe in this entry field. Do the same to configure path to pscp.exe.

You may log in to the firewall using regular user account or as root. See instructions below for an explanation how to configure sudo if you use regular user accounts. This part of the configuration does not depend on the OS you run Firewall Builder.

Before you try to use fwbuilder installer with plink.exe and pscp.exe, test it from the command line to make sure you can log in to your firewall. If this is the first time you try to log in to the firewall machine using putty.exe, plink.exe or pscp.exe, then it will discover new host key and ask you if it is correct and if you want to save it in cache. There are lots of resources on the Internet that explain what does this mean and how you should verify key accuracy before you accept it. If the key is already known to the program it will not ask you about it and will just proceed to the part where it asks you to enter password. Enter the password and hit “Return” to see if you can log in and see command line prompt from the firewall.

Here is the command (assuming you use account “fwadmin” to manage firewall “guardian”):

C:Usersvadim>c:PuTTYplink.exe -l fwadmin guardian

NOTE: Built-in installer does not use GUI ssh client putty.exe, it uses command line utilities that come from the same author plink.exe and pscp.exe. You can test with putty.exe but do not enter path to it in the SSH tab of the Preferences dialog in fwbuilder, it won’t work.

Configuring installer to use regular user account to manage the firewall:

Before v3.0.4 built-in installer could only use regular account to activate policy if this account was configured on the firewall to use sudo without password. Starting with v3.0.4 this is not necessary anymore because installer can recognize sudo password prompts and enter password when needed.

• Create an account on the firewall (say, “fwadmin”), create a group “fwadmin” and make this user a member of this group. Most modern Linux systems automatically create group with the name the same as the name of the user account.

  useradd fwadmin

• Create directory /etc/fw/ on the firewall, make it belong to group fwadmin, make it group writable

  mkdir /etc/fw
  chgrp fwadmin /etc/fw
  chmod g+w fwadmin /etc/fw

• Configure sudo to permit user fwadmin execute firewall script and a couple of other commands used by fwbuilder policy installer. Run visudo on the firewall to edit file /etc/sudoers as follows:

  Defaults:%fwbadmin !lecture , passwd_timeout=1 , timestamp_timeout=1
  # User alias specification
  %fwbadmin ALL = PASSWD: /etc/fw/<FWNAME>.fw , /usr/bin/pkill , /sbin/shutdown

  here <FWNAME> is the name of the firewall. Installer will log in to the firewall as user fwadmin, copy firewall script to file /etc/fw/<FWNAME>.fw and then use the following command to execute it:

  ssh fwadmin@firewall sudo -S /etc/fw/<FWNAME>.fw

  Installer needs to be able to run pkill shutdown to kill shutdown command that may be running if you tried to install policy in testing mode before. In testing mode installer copies firewall script to temporary directory /tmp then runs command shutdown -r timeout to schedule reboot in a few minutes and finally runs firewall script. To cancel scheduled reboot you need to install policy again, with test mode checkbox turned off. In this case installer will copy firewall script to its permanent place and use pkill to kill running shutdown command to cancel reboot.

• set up ssh access to the firewall. Make sure you can log in as user fwadmin using ssh from your management workstation:

  ssh -l fwadmin <FWNAME>

  You may use either password or public key authentication; the installer will work either way. Use putty.exe or plink.exe to test ssh access if you are on Windows (see above for the explanation how to do this on Windows).

• in the “installer” tab of the “firewall settings” dialog of the firewall object put user name you use to log in to the firewall (here it is “fwadmin”):
• if you need to use alternative name or IP address to communicate with the firewall, put it in the corresponding field in the same dialog page
• Make sure entry field “directory on the firewall where script should be installed” is set to /etc/fw. Firewall Builder is not going to create this directory, so you need to create it manually before you install firewall policy (see above).
• Leave “Policy install script” and “Command line options” fields blank.

Configuring installer if you use root account to manage the firewall:

• Create directory /etc/fw/ on the firewall, make it belong to root, make it writable
• set up ssh access to the firewall. Make sure you can log in as root using ssh from your management workstation:

  ssh -l root <firewall_name>

  You may use either password or public key authentication; the installer will work either way.

• in the “installer” tab of the “firewall settings” dialog of the firewall object put “root” as the user name you use to log in to the firewall
• Make sure entry field “directory on the firewall where script should be installed” is set to /etc/fw
• Leave “Policy install script” and “Command line options” fields are blank

Configuring installer if you regularly switch between Unix and Windows workstations using the same .fwb file and want to manage the firewall from both

First of all, the .fwb file is portable and can be copied back and forth between Linux/BSD and windows machines. Even comments and object names entered in local language should be preserved since the GUI uses UTF-8 internally.

Built-in installer relies on path settings for ssh and scp in Edit/Preferences/SSH. Since preferences are stored outside of the .fwb file, the installer should work just fine when .fwb file is copied from Unix to Windows and back. Just configure path to ssh program in preferences on each system using default settings “ssh” on Linux and path to plink.exe on windows and give it a try.

Always permit SSH access from the management workstation to the firewall

One of the typical errors that even experienced administrators make sometimes is block ssh access to the firewall from the management workstation. You need your workstation to be able to communicate with the firewall in order to be able to make changes to the policy, so you always need to add a rule to permit this. Firewall Builder can simplify this and generate this rule automatically if you put an IP address of your workstation in the entry field on the first page of firewall settings dialog. Here is the screenshot that illustrates this setting for an iptables firewall; management station has an IP address 192.168.1.100

Using putty sessions on Windows

putty allows one to store destination host name or address, user name and bunch of other parameters in a session so that they all can be called up at once. If you wish to use sessions, do the following:

• Configure putty as usual, create and test session for the firewall, test it using putty outside of the Firewall Builder. When you use session, firewall host name and user name are stored in the session file. Firewall Builder allows you to enter session name in the entry field in the firewall settings dialog where you would normally enter alternative address of the firewall. Comment next to the entry field reminds you about this. Just type session name in that field, leave user name field blank and save the settings.
• Once you start the installer, do not enter user name in the “User name” field on the first page of installer wizard, however you need to enter the login and enable passwords. Configure the rest of installer options as usual, they do not change when you use putty sessions.

How to configure installer to use alternative ssh port number

If ssh daemon on your firewall is listening on an alternative port, then you need to configure built-installer so that it will run scp and ssh clients with command line parameters that would make them connect to this port. This is done in the “installer” tab of the firewall object “advanced” settings dialog as shown on the following screenshot (here we set the port to “2222″):

On Unix command line option that specifies port number is different for ssh and scp. It is lowercase -p for ssh and uppercase -P for scp. If you use putty tools plink.exe and pscp.exe on Windows, the option to specify alternative port number is -P (capital “P”) for both.

You can use the same input fields in this dialog to add any other command line parameters for ssh and scp, for example this is where you can confiugre parameters to make it use alternative identity file (private keys). This information is saved with a firewall object rather than globally because you may need to use different parameters for different firewall machines, such as different key files or ports.

How to configure installer to use ssh private keys from a special file

You can use the same entry fields in this dialog to provide other additional command line parameters for ssh and scp, for example to use keys from a different identity file. Here is how it looks like:

Here I configure ssh and scp to use alternative port and alternative identity file ~/.ssh/fwadmin_identity. The command line parameter for the port is different for ssh and scp, but parameter for the identity file is the same -i for both utilities.

On Windows, the simplest way (or may be the only way) to use alternative keys is to use putty sessions.

Troubleshooting ssh access to the firewall

Built-in policy installer will not work if ssh access to the firewall is not working. Test it using this command on Linux if use you user “fwadmin” to manage firewall:

ssh -l fwadmin firewall

If you use root account to manage the firewall, the command becomes

ssh -l root firewall

On Windows use putty.exe or plink.exe to do this:

C:Usersvadim>c:PuTTYplink.exe -l fwadmin firewall

C:Usersvadim>c:PuTTYplink.exe -l root firewall

If you can not log in using ssh at this point, verify that ssh daemon is working on the firewall, that existing firewall policy does not block ssh access and ssh daemon configuration in /etc/ssh/sshd_config permits login for root (if you plan to use root account to manage the policy).

Running built-in installer to copy generated firewall policy to the firewall machine and activate it there.

Now that all preparations are complete, we can move on and actually try to install newly generated firewall policy. Select firewall object in the object tree in Firewall Builder GUI, click right mouse button and use menu item “Install”. The program will recompile the policy and open installer dialog.

(This how installer options dialog looks like for iptables, pf, ipfilter and ipfw firewalls).

Here the program already entered user name fwadmin in the “User Name” field, but you can change it for one installation session if you wish. Next you need to enter the password for this user. This is the password of user fwadmin on the firewall machine. Address that will be used to comunicate with the firewall is also entered by the program automatically, it is taken from the firewall settings. You can change it for one installation session as well.

Other installer parameters do the following:

• Quiet install: as the name implies, this checkbox suppresses all progress output of the installer
• Verbose: this checkbox has the opposite action, it makes the installer print a lot of debugging information, including ssh client debug output.
• Store a copy of fwb file on the firewall: if this checkbox is on, the installer will copy not only generated firewall configuration files to the directory on the firewall machine which is configured in the “installer” tab of the firewall object dialog, but also original .fwb data file as well. Use of this option is discouraged if you manage many firewalls from the same .fwb file because distributing file that contains security policy of multiple firewalls to all of them is a bad idea.
• Test run: if this checkbox is on, policy installer will copy firewall configuration files to a temporary directory on the firewall and will run them from there. The intent is to test generated configuration without making it permanent. If firewall machine reboots, it will activate previous firewall policy. Installer uses subdirectory “tmp” inside installation directory on the firewall machine which is configured in the “installer” tab of the firewall object dialog. If installation directory configured there is /etc/fw (as in the screenshot earlier in this HOWTO), then installer will put files in the directory /etc/fw/tmp when test install option is in effect. You need to create this directory on the firewall before using this installation mode.
• Schedule reboot in… : If this option is on, installer schedules firewall reboot after given time in minutes. This can be used as a measure of last resort to protect against lost of communication with the firewall which may happen if there is an error in the new firewall policy which makes it block ssh access from the management machine. Installer uses command shutdown -r +10min to schedule reboot in 10 min. If installation has been successfull and everything works right, you need to repeat installation with options “test install” and “Schedule reboot” turned off to cancel reboot and install new policy permanently.

After all parameters are set and the password entered, hit “OK” to start installation.

If this is the first time your management machine is logging in to the firewall via ssh, it will find out that ssh host key of the firewall is unknown to it and will present you with a dialog:

Here is says that it does not know host key of the firewall “crash”. This is nothing more than a copy of the warning message presented by the ssh client. You should verify the host key manually and if it matches, click “Yes”. If you click “No” in the dialog, installation process will be interrupted.

Installer only recognizes ssh client warning message about unknown public host keys. If you rebuld your firewall machine, which means its host key changes, ssh will print different warning message which fwbuilder installer does not recognise. In this case you will see this message in the installer progress window, but installation process will get stuck. You need to use ssh client (ssh on Unix or putty.exe on Windows) to update host key before you can use fwbuilder policy installer with this firewall again.

After this, installer copies files to the firewall and runs policy script there. You can monitor its progress in the dialog as shown on the screenshot:

This is an example of successfull installation session. Installer records the status in the left hand side panel of the dialog. If you use installer to update several firewall machines in one session, their names and corresponding status of the installation session for each will be shown in the panel on the left. You can save installer log to a file using “Sabe log to file” button, this can be useful for documentation or troubleshooting.

Running built-in installer to copy generated firewall policy to Cisco router or ASA (PIX)

From the user’s point of view the installer works the same when you manage Cisco router or ASA firewall, with only few minor differences. First of all, the first screen of the installer, where you enter the password, offers another input field for the enable password as well.

You should be able to use IPv6 address to communicate with the router.

Most of the options and parameters in this dialog are the same as those for Linux firewalls (see above). The following parameters work differently for Cisco devices:

• Test run: if this checkbox is on, policy installer will copy new access lists configuration to the router or ASA appliance but will not issue write mem command in the end.
• Schedule reboot in… : If this option is on, installer issues command reload in NNN after new configuration has been loaded. This schedules reboot in NNN minutes. In combination with “test run” option this can serve as a roll-back mechanism in case of complete loss of contact with the router or firewall because of an error in the policy. Since “test run” does not perform “write mem” in the end, the original access list stays in startup configuration of the router and will be loaded after reboot.
• Cancel reboot if policy activation was successful: If this option is on, installer issues command reload cancel in the end of the policy activation process to cancel previously scheduled reboot.

Here is a screenshot of installation session to a Cisco router. Note the output at the very top of the log that shows how installer detected previously unknown RSA host key and accepted it after the user clicked “Yes” in the pop-up dialog (not shown on the screenshot). It then logged into the router; you can see the banner motd output from the router. After this, installer switched to enable mode, set terminal width and turned off terminal pagination using terminal length 0 command and finally switched to the configuration mode. It then started enterig generated configuration line by line.

The final part of the installation session looks like this:

This was a successful installation session, with no errors. Installer finished entering configuration lines and issued exit command to exit configuration mode, then wr mem command to save configuration to memory and finally exit again to log out.

“I have a ati r128 graphics driver. I dont see the driver in hardware drivers at all. The driver is a inf file. I dont know how to install it. Please help me!”

I don’t have much information provided in the question (more information is always helpful and allows for better answers).  However, I hope the following will help.

First, the inf file is a Windows based file, you don’t need that in Linux. I had an ATI Rage 128 card a while back, and a do remember having issues. If I recall correctly (this was a few years ago for me), the issue was that the card was not detected properly. In your case, I’d suggest that the card driver is not ATI, instead you’ll want R128 because (again, if I remember correctly) X11 detects the card incorrectly.

If you’re not sure what “X11″ means, please see the article: X Window System

From their site:

“…The X Window System (commonly X or X11) is a computer software system and network protocol that provides a graphical user interface (GUI) for networked computers, and was initially developed as part of Project Athena. It implements the X display protocol and provides windowing on raster graphics (bitmap) computer displays and manages keyboard and pointing device control functions…”

Here’s one approach you can take to try and fix this…

As mentioned, you need to ensure that R128 is the used driver. To accomplish this, please edit your xorg.conf file, but make a BACKUP FIRST! In fact, it’s good practise to keep a backup of any data you find valuable, that way if you feel a need to reinstall your OS, you will not lose all your valuable files. So, ALWAYS keep a current backup of files you never want to lose – I learned this the hard way (more than once).

Here’s the terminal command to do this:

sudo gedit /etc/X11/xorg.conf

Look for two lines that starts with:

Section “Device”
Identifier    “Configured Video Device”

Now ensure the following line (just under those) that says:

Boardname “ATI Rage 128″

is changed to reflect the real name of your video card.

Next look for the line that says:

Driver “ati”

and change it to say:

Driver “r128″

The other directives should be okay. Save the file and reboot your system: sudo shutdown -r now

I hope this information helps you overcome the driver issue.

It’s an older IBM Thinkpad T22, Type 2647 with 256MB of RAM and a 20GB hard drive. A couple years ago, I had 2o of these units, bought from a recycling depot. I sold them all on eBay, and only have a couple left now.

Whilst packing up the stuff to cart off, it occurred to me that I could put this old laptop to work by installing a proxy / caching server on it, and have my we browsers, pull much of the regularly requested web content off a locally cached network server. This means installing Squid. Not sure what Squid is: Squid (software), from their site:

“…Squid is a proxy server and web cache daemon. It has a wide variety of uses, from speeding up a web server by caching repeated requests, to caching web, DNS and other computer network lookups for a group of people sharing network resources, to aiding security by filtering traffic. Although primarily used for HTTP and FTP, Squid includes limited support for several other protocols including TLS, SSL, Internet Gopher and HTTPS. The development version of Squid (3.1) includes IPv6 and ICAP support…”

Needless, as I currently enjoy using Ubuntu, that’s what I used as the OS for this project. Installing a Squid server on the network, provided me with a few important benefits:

• Less bandwidth usage.
• Faster web surfing.
• Network cached copies of pages I regularly visit (if the original server is down).

Firstly, make sure you’ve installed a copy of Ubuntu 8.04 Server (Hardy) on the old laptop. Not sure how to do that? Here’s a guide: The Perfect Server – Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server). In my case I skipped (did not install) Apache, MySQL, Postfix, BIND9, Proftpd, POP3/IMAP and Webalizer. I don’t need those, I only need the Squid proxy / caching server. I also installed Webmin (see below), so that I can easily manage this server remotely. A word to the wise however, I found out (about 2 years ago) to install Squid first! – That way the Webmin installation goes much smoother (I was using Debian for the server  at that time, and Ubuntu in another instance). Also, for those of you who have been following my blog (and for my welcomed new readers), I also played with Squid and Ubuntu about a year ago, in this post: Speed Up and Improve Web Surfing With an Ubuntu Squid Server. My earlier Ubuntu, Squid post was based on Ubuntu 6.06LTS and Squid 2.6 – Things have changed and applications, etc. have improved, so I though a revisit and reinstallation of the Squid server was in order.

I downloaded and burned a copy of the Ubuntu 8.04 LTS Server from Ubuntu’s official site at: http://www.ubuntu.com/getubuntu/download-server. The bare minimum requirements are:

300 MHz x86 processor
64 MB of system memory (RAM)
At least 4 GB of disk space (for full installation and swap space)
VGA graphics card capable of 640×480 resolution
CD-ROM drive or network card

256MB of RAM, made the install slower than I’m used to. You can find more requirements info for Ubuntu Server (Hardy) at Ubuntu System Requirements.

After downloading, and burning a copy of the ubuntu-8.04.2-server-i386 CD, complete a base install of Ubuntu server (using the howtoforge.com guide above as a reference). I also installed an SSH server so that I could tuck the old laptop away and complete everything else in  comfort,  using my desktop.

sudo aptitude install ssh openssh-server

will get the ssh server up and running for you.

Throughout this post, you’ll need to substitute your IP addresses and names to match those in your own network. After the installation of the base server is complete, open a terminal from your (comfortable) desktop and enter:

ssh root@192.168.1.200

192.168.1.200 is the address of  there server I just installed.

Use the command:

su

to enter root. That way I don’t have to keep typing “sudo”.

Install Squid usingthe command:

aptitude install squid3

After Squid has finished installing and you’ve rebooted the system, you may want to install Webmin, a GUI interface to manage that server, still in terminal, you can download a copy of the webmin package into and directory you like. The command to download is:

wget http://prdownloads.sourceforge.net/webadmin/webmin-1.470.tar.gz

Untar it like this:

tar xzvf webmin-1.470.tar.gz

Webmin needs perl to run, so I installed some packages:

aptitude install install libauthen-pam-perl libnet-ssleay-perl libpam-runtime openssl perl perl-modules

Enter my extracted contents of the webmin-1.470.tar.gz package  by:

cd webmin-1.470

And run the installation for webmin:

./setup.sh

I changed the port number away from 10000 to 26395. I changed the admin account to “root”, and entered a new password.

At the end of the webmin installation, I got the success message that include the URL: http://squid.localdomain:26395/

On my local PC, I had to edit my hosts file like this:

sudo gedit /etc/hosts

Then added the following line:

192.168.1.200 squid.localdoman    squid

Now we want to reboot the squid server using:

shutdown -r now

After rebooting the server and logging back in (via ssh), you can see if the webmin service is running by using the command:

sudo /etc/init.d/webmin status

You should see something like:

webmin (pid 4573) is running

To see if it is listening on the correct port number, the command to check that is:

sudo netstat -tap

You should find a line in the output of the above command that says something like:

tcp    0    0 *:26395    *:*    LISTEN    4573/perl

(Remember, port 26395 was the one we chose to tun webmin on – And webmin uses perl).

Now open a web browser and visit webmin. The URL I would use is:

http://squid.localdomain:26395/

(Again, remember that I added the appropriate information to my hosts file so that the browser can find the URL).

I chose not to enable SSL for logging into webmin (as I don’t need it in this LAN). After logging in, we want to configure squid. Look for something (on the left) that says “Unused Modules” and look for “Squid Proxy Server“, click that link. You will see an option to install the squid (webmin) module. Select that link to install it.

After installing, look on the left side menu and under “Servers” you will see “Squid Proxy Server“. Select “Squid Proxy Server” and then select the “Ports and Networking” option.

Note that squid is running on the default port 3128. Now return back to the squid module page by clicking “Module Index” (at the top of the page). Select the “Access Control” icon and see a button at the bottom of the page that says “Browser Regexp” – That contains a drop down list. Use the drop down list to select “Client Address” then click the button that says “Create new ACL“.

Enter your values in the form. I used the following:

ACL Name: localdomain
From IP: 192.168.1.0
To IP: 192.168.1.255
Netmask: 255.255.255.0

I didn’t change anything else and clicked on “Save”.

Now click the tab (at the top) that says “Proxy restrictions“. Click (at the bottom) “Add proxy restrictions” and look for the new ACL name you just created (mine was called “localdomain”) *** Make sure you are looking under the column that says “Match ACLS” *** and click on that name. Now click the radio button that says “Allow“. Then select “save” at the bottom.

In the new screen that display, use the up arrow to move “localdomain” (or whatever you called your new ACL rule) so that it is just above the line that says “Deny all”. If you don’t, your browsers will not be able to get access.

Now in your ssh window, use the command:

shutdown -r now

This will restart the server and squid3 (along with then new configuration). I noticed that webmin (for some strange reason) thought squid 2.6 was installed. Therefore, webmin was unable to start the server. But after rebooting the system, the “Stop Squid” button appeared – so I assume the webmin module has started working properly (no need for me to play with webmin again, as I’ll use SSH to access and reboot, etc., so I did not try).

As a final step, make sure that you set the proxy server address in your web browser. In my case the information to enter as a proxy server for each web browser is:

192.168.1.200:3128

Update, July 03, 2009: I found a problem when trying to access statistics. Here’s the issue and fix…

Issue:  When trying to access the “Cache Manager Statistics” under “Squid Proxy Server”, the following error displays:

“The Squid cache manager program /usr/lib/cgi-bin/cachemgr.cgi was not found on your system. Maybe your module configuration is incorrect.”

Fix:  aptitude install squid-cgi

Cache manager statistics will now work.

Other sites with related information:

• Howto Block websites using Squid Proxy in Ubuntu Linux
• Howto Block a Port in Squid Proxy , Ubuntu Linux
• [Ubuntu]Installing an HTTP proxy server (Squid)
• Installing Squid Proxy using Webmin on Ubuntu Server 8.04.1
• Paranoid Penguin – Building a Secure Squid Web Proxy, Part I

Enjoy faster web surfing as less external files are requested for pages you commonly visit and local cached copies are delivered to your browser. I hope you ladies and gents have fun playing with this, as I hope this post helps you out. Questions, suggestions, corrections, even additions?…. Please feel free to add them to you comments!

Firewall Builder is packaged with most Linux distributions and is available under “System/Administration” menu.

Accessing Firewall Builder

If it is not there, then it probably needs to be installed on your system. You need to install the package that has supporting the API library libfwbuilder and the package for  fwbuilder that contains the Firewall Builder GUI and policy compilers. Use apt-get or aptitude to find and install them:

# aptitude install libfwbuilder fwbuilder

On FreeBSD and OpenBSD Firewall Builder is part of ports, you can find it in /usr/ports/security/fwbuilder.

Packages shipping with Ubuntu are always one or two minor revisions behind. If you want to try the latest version, you can use the pre-built binary .deb packages offered on the project’s web site or build from source using our online installation instructions. Pre-built binary packages and source code tar.gz archives can be downloaded from this page.

If the system menu item is not there or you have built the program from source, you can always launch it from the command line by just typing “fwbuilder” on the shell prompt:

$ fwbuilder

The program starts and opens the main window and greeting dialog. The dialog provides links to the project web site where you can find more tutorials, FAQ, Firewall Builder CookBoook and other documentation, as well as a bug tracking system and links to user forums and the mailing list. Clicking on the link in the dialog opens corresponding web page in your web browser. This works the same on all supported OS: Linux, Windows and Mac OS X. You can always open this dialog later using an item in the main menu “Help”.

Firewall Builder startup greeting

Lets create our first firewall object. To do this, we’ll use the object creation menu that appears when you click on the icon in the small toolbar right above the object tree. Choose menu item “New Firewall” from the menu that appears.

Setup new firewall

The program presents a wizard-like dialog that will guide you through the process for creation of the new firewall object. In the first page of the wizard you can enter the name for the new firewall object (here it is “guardian”), its platform (“iptables”) and host OS (“Linux”).

There are two ways a new firewall can be created: you can use one of the preconfigured template firewall objects or create it from scratch. This tutorial demonstrates the first method (using template object). To do this, check checkbox “Use preconfigured template firewall objects”. The template can be taken from the library of template objects that comes with the Firewall Builder package or from a file provided by the user. The latter is useful when the administrator wants to distribute a library of predefined templates to other users in the enterprise. We are using one of the standard templates in this guide and therefore leave the standard template library path and name in the “Template file:” input field. Click “Next” to move on to the next page of the wizard.

Note that the template firewall object comes completely configured, including addresses and netmasks of its interfaces and some basic policy and NAT rules. This configuration is intended as a starting point only. You should reconfigure the addresses of interfaces to match those used on your network; and most likely will have to adjust rules to match your security policy.

Configure firewall template

This page of the wizard shows template objects and their configuration. Standard template objects represent firewalls with two or three interfaces, a host with one interface, web server or Cisco router. Choose firewall with three interfaces for this guide. Note that template comes with completely configured firewall objects, including a set of interfaces and their IP addresses – And some basic firewall policy. You will see how addresses can be changed later on in this guide. Click “Finish” to create a new firewall object using the chosen template.

Firewall objects

Here is our new firewall object. Its name is guardian, it appears in the object tree in the left hand side of the main window in the folder Firewalls. When an object is selected in the tree, a brief summary of its properties appears in the panel under the tree. Double-clicking on the object in the tree opens it in the editor panel at the bottom of the right hand side panel of the main window. The editor for the firewall object allows the user to change its name, platform and host OS and also provides buttons that open dialogs for “advanced” settings for the firewall platform and host OS. We will inspect these a little later in this tutorial.

You can always resize the main window to make all columns of the policy view more visible.

Guardian/Policy view

Now would be a good time to save the data to a disk file. This is done in a usual way using main menu File/Save As.

Lets take a little tour of the network and service objects that come standard with the program. You can use these preconfigured objects to build policy and NAT rules for your firewall.

Objects in the tree are orginized in libraries, you can switch between libraries using the interfaces’ drop-down menu above the tree. Firewall Builder comes with a collection of address, network, service and time interval objects in the library called “Standard”. Lets take a look at them. Notice that the background color of the panel that shows objects tree depends on the chosen object library. This makes it easier to keep track of the library currently opened in the program.

The libraries

Folder Objects/Hosts contains few host objects used in standard firewall templates. Folder Objects/Network contains network objects that represent various standard address ranges and blocks, such as multicast, net 127/8, networks defined in RFC1918 and so on.

Network objects

Firewall Builder also comes with extensive collection of TCP, UDP and ICMP service objects that describe commonly used protocols. This image shows some TCP objects (all of them do not fit in the screenshot).

TCP (protocol) objects

Here is an example of a simple TCP service. It defines source and destination port ranges (in this case source port range is not defined and there is only one destination port 80). TCP service object can also define any combination of TCP flags the firewall should inspect and also which ones of them should be set in order for a packet to match this object. In the case of the service “http” we do not need to define any flags.

TCP service

Now lets take a look at the objects created as part of the new firewall object guardian. In order to do this, switch to the library User where this object was created. To open an object in the editor panel to inspect or change it, double click on it in the tree. Also, if you click on an object in the policy rule to select it, it will automatically open in the tree on the left.

Object Guardian in user library

First, the firewall object itself.

Every object in fwbuilder has basic attributes such as its name and comment. Other attributes depend on the object type.

Attributes of the firewall object include platform (can be iptables, pf, ipfilter, etc.), version (platform-depended) and host OS. Buttons Host OS Settings and Firewall Settings open dialogs with many additional attributes that depend on the firewall platform and host OS. More on these later.

Object attributes

Here are the choices for the firewall platform, version (for iptables) and host OS.

Platform choices for the firewall

Interfaces of the firewall are represented by objects located below the Firewall object in the tree. We refer to them as “children” of the firewall object. This image demonstrates properties of the interface eth0. To open it in the editor double click on it in the tree. If editor panel is already open and shows some object, it is sufficient to select new object in the tree to reveal it in the editor panel (no need to double click).

IP and MAC addresses of interfaces are represented by child objects in the tree located below corresponding interface.

Firewall interfaces

Interface object has several attributes that define its function, such as “Management interface”, “external” etc.

• Name: the name of the interface object in Firewall Builder must match exactly the name of the interface of the firewall machine it represents. This will be something like “eth0″, “eth1″, “en0″, “br0″ and so on.
• Label: On most OS this field is not used and serves the purpose of a descriptive label. Firewall Builder GUI uses a label, if it is not blank, to show interfaces in the tree. One of the suggested uses for this field is to mark interfaces to reflect the network topology (’outside’, ’inside’) or the purpose (’web frontend’ or ’backup subnet’). The label is mandatory for Cisco PIX though, where it must reflect the network topology.
• “Management interface”: Sometimes the host has several network interfaces in which case one of them can be marked as the ’manaagement interface’. The management interface is used for all communication between Firewall Builder and the host.
• “External interface (insecure)”: marks an interface that connects to the Internet.
• “Unprotected interface”: marks interface to which fwbuilder should not assign any access lists (used only with Cisco IOS platform)
• “Regular Interface”: Use this option if the interface has an IP address assigned to it manually.
• “Address is assigned dynamically”: Use this option if the interface has a dynamic address (obtained by means of DHCP or PPP or another protocol); in this case an address is unknown at the moment when Firewall Builder generates the firewall policy.
• “Unnumbered interface”: Use this option if the interface can never have an IP address, such as the ethernet interface used to run PPPoE communication on some ADSL connections, tunnel endpoint interface, or an interface on a bridging firewall. See below Section 5.3.1 for more detailed discussion of these different types of interfaces.
• “Bridge port”: this option is used for port of bridged firewall.
• “Security level”: security level of this interface, used only with Cisco PIX (ASA)
• “Network zone”: network zone of this interface, used only with Cisco PIX (ASA). Network zone drop-down list shows all network obejcts and groups of addresses and networks present in the tree. Choose one of them to tell the compiler which networks and blocks of addresses can be reached through this interface. Compiler uses this information to decide which interface each ACL rule should be associated with based on the addresses used in the destination of the rule.

View interface

Here is IP address of interface eth0, external interface of the firewall. The address and netmask are attributes of the child object of the type “IPv4 address”. Here the address is “192.0.2.1″ and netmask “255.255.255.0″. Button “DNS Lookup” can be used to determine IP address using DNS. The program runs DNS query for the “A” record for the name of the parent firewall object.

IP address of interface eth0

Lets look at the IP address of the internal interface of the firewall. The address used in the template is “192.168.1.1″ with netmask “255.255.255.0″. This is rather typical address used for small and home networks. Some commercial firewall appliances come preconfigured with this address.

IP addresses of internal interfaces

If address 192.168.1.0/24 matches address of your local network, you can skip this part of the guide and move to the page 4. Otherwise, you need to reconfigure the address of the internal interface of the firewall object that you just created in fwbuilder and also change address object used in the policy rules. Start with changing address attribute (and possibly netmask, if necessary) of the object guardian:eth1:ip as shown in the screenshot:

Change IP address

Now we need to change IP address used in the rules. To do this, we create new Network object with correct address and replace object net-192.168.1.0 in all rules with this new network object.

Use new object menu to create Network object.

Create new network object

New Network object is created with default name ‘New Network’ and IP address 0.0.0.0.

Default network created

Edit object name and address, then hit “Apply”.

Editing network object

Use menu Object / Find to activate search and replace dialog. The Find and Replace dialog opens at the bottom of the right hand side panel in the main window, below the policy rules view.

Searching for objects

Locate object object net-192.168.1.0 in any policy rule where it is used or in its location in the tree in library Standard and drag and drop it to the left object well in the search and replace dialog as shown on the screenshot:

Drag and drop object

Change the scope setting to “Policy of all firewalls”. If you have many firewalls in the tree, use scope “policy of the opened firewall” instead. Locate new Network object you just created in the tree and drag and drop it to the right object well in the search and replace dialog as shown on the screenshot:

Changing scope of all policies

Now hit “Replace all” button. Pop-up dialog should appear and report how many replacements the program had to make in all rules of the firewall. Note that the replacement is done not only in the policy rules, but in NAT rules as well.

Replace all button results

Now that you have created a new object and replaced old network object with new one in all rules, do not forget to save data to a file using menu File/Save

Lets inspect properties of the firewall object. Double click on the firewall “guardian” in the tree to open it in the editor panel, then click “Firewall Settings” button in the editor. This opens new dialog that looks like this. Notice button “Help” in this dialog, clicking this button opens help as shown on the image below.

IP tables advanced settings

Online help explains all attributes and paramaters located in each tab of the firewall settings dialog. I enourage you to explore it as many parameters are important and affect generated iptables script in different ways.

Next few screenshots show other tabs of the firewall settings dialog. You can find detailed explanations of all parameters in the online help.

Detailed explanation screen

This page defines various parameters for the built-in policy installer. Installer uses ssh client (pscp.exe and plink.exe on Windows) to transfer generated script to the firewall machine and activate it there.

Policy installer, script generator

User can define shell commands that will be included in the generated script at the beginning and in the end of it. These commands can do anything you want, such as configure some subsystems, set up routing etc.

Include shell command in script generator

Parameters for logging.

Logging parameter settings

More options for the script generation. Notice that fwbuilder can produce iptables script in two formats: 1) as a shell script that calls iptables utility to add each rule one by one, or 2) it can use iptables-restore script to activate the whole policy at once. Other parameters are explained in the online help.

Further script generation options

Starting with v3.0 Firewall Builder can generate both IPv4 and IPv6 policy. This tab controls the order in which they are added to the script if user defined rules for both address families in the Policy objects of the firewall.

IPv4 and IPv6 support

Lets take a look at the policy of the template firewall. These rules are intended to be an example, a starting point to help you create your own policy quicker. Most likely you will want to modify them to suite your requirements. Explanation of the rules given here is rather brief because the goal of this guide was only to demonstrate how to use Firewall Builder.

• Rule 0: this is an anti-spoofing rule. It block incoming packets with source address that matches addresses of the firewall or internal or DMZ networks. The rule is associated with outside interface and has direction set to “Inbound”.
• Rule 1: this rule permits any packets on loopback interface. This is necessary because many services on the firewall machine communicate back to the same machine via loopback.
• Rule 2: permit ssh access from internal network to the firewall machine. Notice service object “ssh” in the column “Service”. This object can be found in the Standard objects library, folder Services/TCP.

Policy rules template

Policy rules belong to the object “Policy”, which is a child object of the firewall and can be found in the tree right below it. As any other object in Firewall Builder, Policy object has some attributes that you can edit if you double click on it in the tree.

• Policy can be either IPv4, or IPv4 or combined IPv4 and IPv6. In the latter case you can use a mix of IPv4 and IPv6 addess objects in the same policy (in different rules) and Firewall Builder will automatically figure out which one is which and will sort them out.
• Policy can translate to only mangle table, or a combination of filter and mangle tables. Again, in the latter case policy compiler decides which table to use based on the rule action and service object. Some actions, such as “Tag” (translates into iptables target MARK) go into mangle table.
• “Top ruleset” means that compiler will place generated iptables rules into built-in chains INPUT/OUTPUT/FORWARD. If policy is not marked as “top ruleset”, generated rules will go into user-defined chain with the name the same as the name of the policy object.

Policy rules set

Here are preconfigured NAT rules.

• Rule 0: tells the firewall that no address translation should be done for packets coming from network 192.168.2.0 going to 192.168.1.0 (because Translated Source, Translated Destination and Translated Service are left empty)
• Rule 1: packets coming to the firewall from internal and DMZ networks should be translated so that source address will change and become that of the outside interface of the firewall.
• Rule 2: packets coming from the Internet to the interface “outside” will be translated and forwarded to the internal server on DMZ represented by the host object “server on dmz”.

Preconfigured NAT rules

Now we should be ready to compile policy of the firewall guardian and generate iptables script. To do this, select firewall in the tree and click right mouse button. Choose item “Compile” in the pop-up menu. The dialog that appears lists all firewall objects defined in the objects tree and lets you select which ones should be compiled. The firewall guardian has just been created and has never been compiled and dialog shows that. Make sure checkbox next to the firewall object guardian is checked and click button “Next”.

Select firewalls for compilation

Firewall Builder calls policy compiler (which is by the way an external program which can be used on the command line). The next page of the dialog shows compiler progress and result.

Compiler progress

Compiler generates iptables script in the file with the name the same as the name of the firewall object, with extension “.fw”. The file is placed in the same directory where the data file .fwb is located.

$ ls -la test2.fwb guardian.fw
-rwxr-xr-x 1 vadim vadim 11253 2009-02-16 16:41 guardian.fw
-rw-r--r-- 1 vadim vadim 24696 2009-02-16 16:41 test2.fwb

Here is how generated script looks like. This is just a fragment from the middle to show some generated iptables commands.

# ================ IPv4

# ================ Table ‘filter’, automatic rules
$IPTABLES -P OUTPUT  DROP
$IPTABLES -P INPUT   DROP
$IPTABLES -P FORWARD DROP

cat /proc/net/ip_tables_names | while read table; do
$IPTABLES -t $table -L -n | while read c chain rest; do
if test “X$c” = “XChain” ; then
$IPTABLES -t $table -F $chain
fi
done
$IPTABLES -t $table -X
done

$IPTABLES -A INPUT   -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT  -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# ================ Table ‘nat’,  rule set NAT
# NAT compiler errors and warnings:
#
#
# Rule 0 (NAT)
#
echo “Rule 0 (NAT)”
#
# no need to translate
# between DMZ and
# internal net
$IPTABLES -t nat -A POSTROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT
$IPTABLES -t nat -A PREROUTING   -s 192.168.2.0/24 -d 172.16.22.0/24 -j ACCEPT
#

Now you can transfer it to the firewall and execute it there to install iptables rules. However it is much more convenient to use built-in policy installer to do this. To use installer, click right mouse button on the firewall object in the tree and use menu item Install. Firewall Builder will compile the policy if necessary and then open dialog where you can configure parameters of the installer. Here you need to enter password to authenticate to the firewall. Once you click OK, installer will connect to the firewall using ssh client. First, it will copy generated script to the directory /etc on the firewall (or different one, if configured in the Installer tab of firewall settings dialog), then it will run this script and check for errors. Its progress will be visible in the panel of the installer wizard, just like the progress of policy compiler.

Install options for firewall 'guardian'

This guide walked you step by step through the process of creating of a firewall object, making some minor changes in its parameters and policy rules, compiling the policy and activating it on the firewall machine. This guide did not touch advanced topics such as built-in revision control system, working with multiple data files, working with multiple firewall objects, IPv6. You can find documentation and guides on these topics and more on our project web site at http://www.fwbuilder.org.

The command is simple:

sudo aptitude install openssh-server

Installing an SSH client? PuTTY:

sudo aptitude install putty

I decided to install the SSH Server via aptitude after LAMP, because I found out (the first time I did this) that updating the SSH Server would cause me to have to update the certificates as well. Doing it this way, saves me extra steps.

Needless to say, this step was very simple, but very powerful in that it allows me to manage the server remotely, in comfort. :)

1. Download the iso image from: http://www.ubuntu.com/getubuntu/download and burn it to a CD.

2. Order the CD from https://shipit.ubuntu.com/login-server.

Once you have a copy, make sure the BIOS on the PC is set to boot off the CD drive. Put the CD in the drive and simply restart the unit. It should now boot off the CD and display the “select language” screen as seen below.

After you’ve selected the language, you’ll be presented with the installation menu. Simply select “Install Ubuntu Server”, as seen below.

Remember that this is a server, ideally we’d like to have a static IP address for this server. There is a selectable boot option called “F6 – Other Options” where you could enter the following command to disable DHCP:

netcfg/disable_dhcp=true

At which point you will be required to manually configure the network settings. I am going to include that information below. However, for some reason I was not able to set up the network card after the installation (I could not see it) , so I used this work around instead…

I logged into the router and checked the logs so that I could get the MAC address of the network card. I then configured a DHCP reservation in the LAN/DHCP setting of the router so that the MAC address of the network card would always get the same IP address. Because I did not want to install a DNS server (my ISP made me take the DNS server down last time I set it up), I then, simply added the IP to hostname record, into the host file of each unit I wanted to connect to the web server.

During the installation (just follow the prompts it gives you), you will need to provide the following (among other obvious questions/answers):

1. A hostname for your web server (the hostname is independent of whatever domain name you’re going to use. For example, the hostname of this server is “webbox” and the domain I’ll use to access the web server on it is “local.ubuntulinuxhelp.com”).
2. I selected to use the “Guided – use entire disk” when prompted for the partitioning.
3. A username and password that you are going to remember.

You’ll eventually come to a prompt for the type of server (Software Selection), select LAMP, like the image below.

I chose to install the other components later, because I found out it will reduce some of the tweaking and updating later. During the software installation, you will be asked for a MySQL password. Write it down or don’t forget it! (You’ll need it later to use phpMyAdmin). The remainder is very straight forward, but as I mentioned earlier, here’s the static network configuration information. Remember, your network configuration addresses will probably be different from mine.

Because there is no GUI yet, we’ll be using the command line to configure the network.

Login after rebooting.

You can use a simple text editor like nano, vi, etc.

sudo nano /etc/network/interfaces

For those who left DHCP enabled, look for this:

auto eth0
iface eth0 inet dhcp

and change it to this:

auto eth0
iface eth0 inet static

Under the line that says “iface eth0 inet static”, you’ll enter your network information. An example of mine is:

address 72.138.51.130
netmask 255.255.255.0
network 72.138.51.0
broadcast 72.138.51.255
gateway 72.138.50.1

So the file would look something like this:

auto eth0
iface eth0 inet static
address 72.138.51.130
netmask 255.255.255.0
network 72.138.51.0
broadcast 72.138.51.255
gateway 72.138.50.1

Additionally, I made sure the host file contained the following information:

127.0.0.1 localhost webbox
172.138.51.130 local.ubuntulinuxhelp.com webbox

After configuring the network interface, restart the network using the following command:

sudo /etc/init.d/networking restart

The basic LAMP installation should be complete. :)