Moving to Linux

Changes a foot

2010-01-13T23:13:00.001Z

In the last few days I've seen quite a few updates available. Two very major ones for me was the update for KDE4 and kernel image 2.6.31-18. For me personally, the kernel update brought about a very welcome surprise. The microphone has started to work again! I'm not sure which particular part of the update got my microphone to work, but whichever part it was has certainly made me very happy!

KDE4 has also brought about welcome changes. The lag I was previously experiencing has been significantly reduced.Unfortunately as I have already changed to Gnome, the effort it will take to return to KDE just doesn't seem worthwhile. I might choose to return to KDE another time at least on my desktop as my notebook still runs KDE.

With the release of 10.04 due out in April bringing along the next long term support version, my initial reaction is to upgrade. This next version shouldn't have any big surprises if they intend it to be a long term support version and should bring even some more welcome patches. I will certainly be looking forward to it.

Three Computers, Three Results, Three Very different problems.

2009-12-31T22:43:00.001Z

A new year is about to begin and as with any TV channel around the world they all do a recap of the year just passed. After installing Ubuntu linux variations on three different computers, I have certainly have had three very different experiences and as it is also the end of the year, it is a good time to do a review.

The first time I installed Ubuntu was on my desktop computer, which most of my articles are based on and is the longest running Ubuntu linux machine i have. The machine itself is five years old with a Pentium 4 processorm an ATI 9600 graphics card and on board Realtek sound card. I'm not sure who produced the motherboard as it came with the case from Shuttle. First installation candidate on the machine was Ubuntu hardy 7.10 LTS and the initial installation was anything but smooth. The two contributing problems were my out of date knowledge of nix systems and a very young Ubuntu distribution. I had tried Suse, Red Hat (before Fedora), Slackware and other distros before hand but couldn't stay with them. There were too many options and too many decisions to make. The beauty of Ubuntu is the decisions are pre-made and works very well out of the box.

Moving on, Ubuntu at the time was still very young. Gnome didn't work out very well for me at the time and I had consistent problems with the graphics card, webcam, virtualisation and NTFS. Some of these problems were solved over time, while others never were. Most problems were resolved and I was happily running Hardy with KDE3.5 for quite some time. Problems started when I saw all the new stuff coming out which I couldn't use on Hardy. That made me want to upgrade to the new Karmic. Now the machine is on Ubuntu 8.10 Karmic and in hindsight I should have stayed on Hardy. Karmic has brought more problems than solving the old ones. Hopefully the next version will resolve many of the problems I am currently experiencing. As far as my desktop experience goes, I am not very happy with Karmic.

Next is my Asus eee pc 701. Xandros was getting to old and there just did not seem to be a straight forward way to upgrade the installation. Personally it is a shame Xandros made it so difficult as I actually like the Xandros distro. It was fast and I thought very practical. As it got so old, I was lucky to have discovered Ubuntu Netbook Release. There is very little I don't like about UNR. Installation was easy and there were very little problems. Main problem was the wireless with regards to hidden SSID. Luckily there is a work around and I learned how to connect to a wireless network via the terminal. Beside hibernating still not working (I'm beginning to suspect it's a space issue), everything works fine which impressed me.

The last system which I've only recently installed it on is my Toshiba notebook. This is a Toshiba Satellite A100 and is primarily my Windows machine. I am not prepared to go full Linux on it, but then I heard about Wubi on FLOSS Weekly, which I thought i would give it a try especially as it leaves my current Windows installation alone. Too my surprise this has so far worked completely flawlessly. Graphics, hibernating, standby, audio, touchpad, keyboard, everything that comes with notebook worked completely flawlessly with Ubuntu Karmic. So far I have found nothing to be a problem. I have yet to test the microphone and the multi card reader, but my impression so far has been very positive.

Ubuntu and linux has certainly come a long way in the past few years and despite all the problems on the way, I have been pretty impressed. The biggest dissappointment has been with my desktop computer which is also the oldest PC still running. I expected the support to be better than some of my newer machine do to its age, but I'm finding the newer machines tend to be better supported. This is a strange turn of events as traditionally linux has always run better on old machines than new.

Why I use linux

2009-12-16T00:56:00.000Z

A friend asked me the other day why I use Linux and he made a good argument why M$ is the better choice. His point of view was M$ provide a piece of software, making sure as much of it is ready for the end user to sit down and use. They have included everything that you possibly want and browse the internet without installing anything extra. For example, they have given you wordpad to type letters, internet explorer to browse the web, media player to manage your music, videos etc. M$ have even included a basic firewall and virus protection as default. Even video editing is included in Media Player. There are GUIs to set everything you need and with Windows 7 you can supposedly even do multi-touch. Without installing all the drivers out there and lots of other software, Windows is very stable. Overall windows is the perfect software for the general user.

I think my friend has made a very good point except for the stability which I tend to disagree. I've had XP fail on first installation, but I agree with the rest of the argument. If you just want to do the basic stuff, windows is actually a very good package. But for anybody who wants to do more than just the basics will find Windows good for some things and bad for others. I come from a CS background and for me Windows has always been limited for my needs. I occasionally do some dabbling in software developments, web development and general hacking (the legal kind). The majority of software I end up running on windows are nix things for windows, like vi, VirtualWin (multi-desktop for windows), tail, gcc, cygwin, qt4, gtk etc. Even some of the windows software I run are also available for nix systems like OpenOffice, Dia, Gimp, Inkscape, Skype and Firefox to name a few. It does suggest I might as well be running linux doesn't it? The only things I can think of I need windows for is Picasa (doesn't run that well under linux, but works), iTunes ('cause I got an ipod), SketchUp (don't actually use it that much anyway), M$ Office (because everybody seems to be producing documents with it) and my Hauppauge HVR-900H with a few bits of hardware that works only with windows. That is actually the only reason I still keep a windows machine around.

The worst being my Hauppauge HVR-900H TV card. This particular TV card has according to http://www.linuxtv.org/wiki/index.php/Hauppauge_WinTV-HVR-900H website a TM6010 chip inside, which:

a) the company do not produce linux drivers (http://www.linuxtv.org/wiki/index.php/Trident_TM6000#TM6000_based_Devices),

It is important to notice that the vendor (Trident) doesn't seem to want helping with open source development. Contacts with the vendor were tried during 2007 and 2008 in order to get their help by opening docs, via Linux Foundation NDA program, without success.

b) design according to http://www.linuxtv.org/wiki/index.php/Trident_TM6000#TM6000_based_Devices is buggy

Those chips are very buggy and they behave badly if the driver doesn't do exactly the same thing as the original one (it starts to loose frames). The reason is unknown, but it is suspected that there is a firmware or hardware bug at those chips.

and c) the open source developer hasn't got the time to work on it.

The driver is still at the TODO list, however its development is currently frosen. Mauro intends to return back to it, but this is not on his current top priorities.

Thus, I've bought a piece of hardware which doesn't work on linux. I would help out if I could, but driver programming is unfortunately an area I am not familiar with. I wished I knew more about it though. Similarly my M$ web cam which is a very good web cam under windows, but just doesn't work quite right under linux. Image is too dark, colours are all wrong. Now I use a Logitech webcam, which works right out of the box. Even the microphone on the camera works!

Is linux better than Windows? The simple answer for me is no. I think it is similar to the argument over KDE or Gnome. Whatever works best at that time for the purpose. For me, linux is the obvious choice, but for my wife and kids Windows is the obvious choice (but I still force them to use Linux).

I would like to try the Mac, but not at the prices they are charging......

Wine raises your PulseAudio

2009-12-07T00:50:00.000Z

It figures! When you think you've solved everything, something else turns up again. This time, purely by chance I discovered when something is running in wine, the rest if the sound system is locked up. I was running a computer game in wine when Skype rang. I saw the message come up that I had a phone call, but I didn't hear it ring. I picked it up and couldn't hear the other end. That was when I realized wine had locked up the sound system.

So the question is how do I run win/dos programs in wine with PulseAudio? Running winecfg and looked at the audio settings. Unfortunately there was nothing for PulseAudio. There was Alsa, Esound, OSS and Jack, but no PulseAudio. Time to google the net again and I came across the following site:

Make Wine and PulseAudio get along

[EDITED]
First, we need to set up Wine correctly. Run this command to set up Wine:
padsp winecfg

The padsp part is important, it makes a virtual OSS device that will talk to the PulseAudio daemon. Next, go to the Audio tab and set the OSS device.

While my initial leaning was to use the ALSA or ESound driver as they would both theoretically work better, ALSA wouldn’t work at all and ESound had issues with skipping (either it’s naively coded or difficult to do in Wine, not sure; I’d guess the latter). So we can use the OSS driver, yet have full mixing and no weirdness due to using the virtual device. Next, to run the program (in this example, we’ll use Starcraft ;) )
padsp wine ~/.wine/drive_c/Program\ Files/Starcraft/starcraft.exe
You should have sound playing without any problems – I don’t know if this method would stand up to a lot of stress though, it uses emulated DirectSound but I had no problem with SC.

Written by Paul Betts
May 27th, 2007 at 7:42 pm

http://blog.paulbetts.org/index.php/2007/05/27/make-wine-and-pulseaudio-get-along/

Changing the audio to OSS and starting the program with padsp has solved the problem for me. I'm hoping they will bring out support for PulseAudio, but based on the following posting:

Acording to Scott Ritchie, during the WineConf 2009 they agree to:

"We’re giving up on separate Pulse/ALSA/OSS/Jack sound driver layers and instead doing the smart thing: passing everything to OpenAL. Maarten Lankhorst will handle most of it."

More info: http://yokozar.org/blog/archives/171

Jaime Rave wrote on 2009-11-17 comment #46 https://bugs.launchpad.net/wine/+bug/371897

Looks like there won't be a solution in the foreseeable future and we'll just have to use padsp in the meantime.

WPA and Netgear

2009-12-06T15:23:00.000Z

I've been running WEP on my wireless network for some time now. The only reason I haven't moved to a more secure network is because it has always been a big headache to get wireless working in the first place. But that was a long time ago and I really should move to a more secure network. This was also one of the reasons I started using OpenVPN. Somebody might be able to get into my network, but they won't get into my files that easy. But as they say, secure is never that secure. So, as I'm having so much problem with networking, I must as well give WPA a chance.

Unfortunately my Netgear box doesn't support WPA2. It is a bit old now, but still works so no particular reason to replace it. Reading all the postings in the forum regarding WPA, it sounded like a nightmare. Too many situations where WPA does not work. I guess the only way to find out was try it myself.

First thing I did was changed from WEP to WPA on the Netgear box. Simple enough of an exercise. Next step I needed to do was set my eee pc to support WPA. Luckily with the kernel update, I had to switch back to the ath5k driver which according to forum posts supports WPA, but MadWifi doesn't. No idea if that is true or not, but I'm not going to test that theory. First thing I needed to do was understand wpa_supplicant which is used to connect to a WPA network. The man pages were very helpful in this case.

First, make a configuration file, e.g. /etc/wpa_supplicant.conf, that describes the networks you are interested in. See wpa_supplicant.conf(5) for details.

I can't find the particular paragraph that tells you this, but you need to execute wpa_passphrase to generate the configuration file, which is simple to do. Type the following:



wpa_passphrase MySSID MyPASSPHRASE > mywlan.conf

You need to pipe it to a file or else it will just display it on the terminal.

Next all you have to do is the following:



sudo ifconfig wlan0 up

sudo iwconfig wlan0  essid MyESSID

sudo wpa_supplicant -c mywlan.conf -B -i wlan0

sudo dhclient wlan0

And hopefully you should be connected to the network. Let's go through each line. The first line brings the device wlan0 up. The next line tells the device what ESSID to use. Not necessary if your SSID is broadcasted. In my case my ESSID is hidden and I need to tell it what it is. wpa_supplicant will then attempt to connect to a box on the wlan0 interface using the SSID and password you provided when generating the configuration file and the -B is to tell it to run as a daemon. The next step is to query the DHCP server and give you an IP address. If you want to see what wpa_supplicant is doing, drop the -B. Then you don't have to go through log files hunting for the output.

And that was basically it! It was simpler than I expected. I was expecting a lot of problems, this not working that not working but none of it happened. It was one of the most straightforward changes I've done in a long time. Hope your experience is just as good.

WiFi Drivers

2009-12-06T14:58:00.003Z

When you think you've finally solved what can be solved, you find something else that needs fixing. In this case, there were actually two things but I tell you the other one in a separate post. The first problem is I upgraded my kernel from 2.6.31-14 to 2.6.31-16 and my wireless on my eee pc stopped working. When I use ifconfig -a (displays all the devices available) it only shows my cable connector and loopback. I should have an ath0 or wlan0 device for my wireless. Neither of them are listed.

My search resulted in finding bug #471877 unable to launch wireless connection after upgrading to karmic with ar5001x. Particularly this posting was interesting.

All you need is to compile the kernel with the MadWIFI controllers again

uwe posted 2009-11-16 comment #6

Does that mean I have to recompile MadWifi everytime the kernel gets updated?

Hi uwe. I believe that recompiling your kernel every time it's updated is a less than ideal solution. If the ath5k driver works for you that process would be unnecessary.

dimas posted on 2009-11-17 comment #7

Sounds like I should try out the ath5k driver again and disable MadWifi. Going into System -> Administration -> Hardware Drivers I disabled MadWifi. Then I edited the file blacklist in /etc/modprobe.d/ and commented out the two lines:



blacklist ath9k

blacklist ath5k

Rebooted and tried to log onto the network via the terminal. One thing did change though, ath0 no longer exists and has become wlan0. So here is what I did:



sudo ifconfig wlan0 up

sudo iwconfig wlan0 essid MyESSID key MyKey

sudo dhclient wlan0

And voila! I was back up and running. Wicd didn't seem to want to play ball till I went into the preference and discovered it was still looking for ath0. Changed it to wlan0 and it was happy too!

ATI? Never again.

2009-12-06T10:49:00.000Z

ATI is like my Land Rover. I will never buy either of those things ever again. ATI in their wisdom have decided not to support some of the older graphics cards. This means any kernel above 2.6.24 has absolutely no supporting graphics driver for ATI 'legacy' cards. For those of us who still have those 'legacy' cards will have to resort to using the open source driver. Here is a link to ATI listing the cards not supported anymore: http://support.amd.com/us/gpudownload/linux/Legacy/Pages/radeon_linux.aspx?type=2.4.2&product=2.4.2.3.4&lang=English

Personally I have nothing against using the open source driver, but the open source driver just is not that advanced. 2D it's fine, but 3D isn't very advanced and it is very slow. I think 2D is slow too, but it isn't noticeable. Windows games using 3D under wine suddenly become unplayable and tuxkart runs into trouble when there are more than 2 karts in view. Hopefully the open source driver will improve in time, but I guess in the mean time this'll have to do.

As an additional note, Flash stutters on my machine and I just found out how to resolve it. Originally I wondered if it had to do with the graphics drivers, but in fact it turned out to be desktop effects. I don't really understand why, but turning desktop effects to none in Preferences -> Appearance -> Visual Effects resolved my flash problems. Go figure!

XDMCP? Forget it.

2009-12-06T02:40:00.003Z

I looked into re-enabling XDMCP. According to the following website all you have to do is do the following:

Copy /usr/share/doc/gdm/examples/custom.conf to /etc/gdm/ – the command line below will do the job for you:
```
gksudo cp /usr/share/doc/gdm/examples/custom.conf /etc/gdm/
```
Edit the file to add the line “Enable=true” after the “[xdmcp]” line (don’t forget to save it):
```
gksudo gedit /etc/gdm/custom.conf
```

The file should look something like this:

# GDM configuration storage

[xdmcp]
Enable=true

[chooser]

[security]

[debug]

Restart GDM with the following command (note that this will kill your current X session, so please make sure you’ve saved anything important first):
```
gksudo restart gdm
```
http://excession.org.uk/blog/setting-up-xdmcp-on-karmic-koala-ubuntu-0910.html

Again, nothing is that straight forward. Having activated XDMCP, I tried connecting to it and it keeps telling me connection refused. Looking at the following website http://www.peppertop.com/blog/?p=690, it looks like XDMCP isn't that simple in Karmic anymore. Getting it to run is, but connecting to it seems to be a much more complicated affair.

After spending half a day trying to connect to my server, I have given up. To be able to access my PC through XDMCP was a very convenient way, but for the amount of time I've spent and still not achieving my goal, VNC seems so much simpler to implement. I'll probably look into XDMCP at some point again when I haven't got so many problems on my list.

Totem freezes when opening a video with subtitle (automatic loading enabled)

2009-12-06T01:40:00.000Z

After lots and lots of hunting on the web, it looks like there is an acknowledged bug in Totem. Here is the link to the bug report: https://bugs.launchpad.net/ubuntu/+source/gstreamer0.10/+bug/441396

In summary, the bug is acknowledged and has been fixed. All you have to do is download it from ppa. As a side note, ppa stands for Personal Package Archive (PPA) and as the website describes:

Using a Personal Package Archive (PPA), you can distribute software and updates directly to Ubuntu users. Create your source package, upload it and Launchpad will build binaries and then host them in your own apt repository.

That means Ubuntu users can install your packages in just the same way they install standard Ubuntu packages and they'll automatically receive updates as and when you make them.

https://help.launchpad.net/Packaging/PPA

Unfortunately I have no idea what the repository is for the update. I guess I'll have to wait for the update to come through the ubuntu stream at some point. LTS version is coming out in a couple of months and beside it being a nuisance, I don't use Totem that much anyway. Most of the time I use VLC and Kaffeine.

Everything is so big!

2009-12-05T23:13:00.001Z

Everything on the Gnome desktop in Ubunut seems so large as if I was running on 800x600, but I wasn't. I do not know why, but the Ubuntu desktop team has set everything large! Actually, thinking about it I think I know why. It is for those people who prefer a things big because of their eyesight. Probably for the elderly. I guess Cannonical are trying to get Ubuntu on everybodys desktop. Not just the geeks and the young. Unfortunately I would not recomment it for my parents as there are too many teething problems that they won't be able to solve on their own. Plus, some of these solutions are far from easy. Can you imagine asking your parents to type sudo apt-get install something in the terminal? It's hard enough to explain it to my wife!

Back to the topic, I simply changed the font size by going to Preferences -> Appearance, click on Fonts tab and changed all the fonts size to 8. This makes things slightly smaller and doesn't feel like the whole desktop is running at a low resolution. Other things I did was change some of the icon sizes.

OpenVPN is here!

2009-12-05T02:12:00.007Z

Everytiume I boot up the machine I see OpenVPN trying to boot up on start. I don't ever remember seeing it on Hardy. Is this something new? Looking in /etc/init.d/ I discovered there was in fact a script to start openvpn! I wondered if it was also on Hardy, but as I deleted Hardy and installed Karmic, I will never know. Looking into the script, apparently OpenVPN tries to start by looking for a config file in /etc/openvpn/ with the extension .conf. Wondering if this was true, I copied my server.ovpn into /etc/openvpn/ and renamed it to server.conf. Rebooted and did a ps aux|grep openvpn and it was actually there, all started up and waiting for connections!

Strangely enough though, this only worked the first time I tried it. For some reason, the next time I tried it OpenVPN wouldn't start on boot. Huh? Doing what I did for my firewall script, I added it back in.



sudo update-rc.d openvpn start 20 2 3 4 5 . stop 99 0 1 6 .

As you will notice I used the exact same numbers as I did for the firewall. I am guessing that starting openvpn at the same runlevel as my firewall should be ok. The network should have come up by then. I suppose there might be a little risk, but unless somebody was there waiting for me to boot my PC, I should be ok.

At least now I never need to start openvpn manually.

I Can't Hear You!

2009-12-04T23:58:00.002Z

3 out of my 9 items are off the list already. Not looking bad! Next up, microphone. Since I re-built my machine, my microphone hasn't worked. I can hear myself through the speakers, but none of the recording software I tried has picked my voice up. Skype call testing, asound and audacity have a failed to pick up a single hint. The strange part is the microphone that comes with my USB camera works, but not the one I plug into the PC.

Looking around the net,I couldn't see a case where it was similar. There were many problems on notebook and laptop computers from the big manufacturers, but mine was a desktop. My eee pc works perfectly fine. Have not had a single problem.

Luckily from all the postings back and forth on the notebook bugs, there was the suggestion of installing a backport of alsa which could potentially fix problems with microphones. I think the posting was about a Dell computer, but unfortunately I've lost the link so I can't refer back to it. All I had to do was peform the following:



sudo apt-get install linux-backports-modules-alsa-karmic-generic

After I restarted the PC again, my microphone worked! Had to fiddle with the input volume a bit, but eventually everything worked fine. Skype call testing confirmed it and another item off the list.

Flash, Firefox, PulseAudio and locking sound systems

2009-12-04T02:40:00.001Z

The sound system seems to be completely messed up. Some of my application can play sounds together while others dominate the sound system completely. Going into each application I had to change the sound output to PulseAudio to resolve the problem. Simple enough for VLC, Amaork, Audacious, Kaffeine and MPlayer. Skype interestingly enough automatically detected PulseAudio as soon as it was installed. Note: Default sound system on Gnome is PulseAudio and KDE4 is phonon. These were simple issues to resolve, but Firefox and Adobe Flash Plugin wasn't. Whatever I did, it refused to play nice with PulseAudio.

Having googled the net, I came across a site describing how to set up PulseAudio and had this section regarding to configuration of ALSA:

ALSA Configuration
Now, type the following:
gksudo gedit /etc/asound.conf
This will open /etc/asound.conf in a Text Editor as the root user.

Normally on Ubuntu 7.10, this file will not exist, so we're creating it.

Paste in the following:
pcm.pulse { type pulse } ctl.pulse { type pulse } pcm.!default { type pulse } ctl.!default { type pulse }
The top two will create new output and input definitions for PulseAudio, and the bottom two will set PulseAudio as the default audio device for programs using the ALSA interface.

https://wiki.ubuntu.com/PulseAudio

This was the first thing I tried as I thought my ALSA wasn't set up properly. In fact, my installation didn't have an asound.conf in the directory. Unfortunately it resolved nothing. Flash in Firefox was still blocking the sounds system.

This was the next thing I tried, which did resolve the problem.

Hardy and Flash 9

By default, the Firefox Flash 9 plugin doesn't work properly with PulseAudio. In Hardy, Flash support can be enabled by installing the package libflashsupport:
sudo apt-get install libflashsupport
In previous Ubuntu releases, Flash support can be enabled in two ways: by downloading and installing a .deb from logicalnetworking.net or by building a patched version of the Flash plugin from source. (See detailed instructions below.).

If you experience problems with audio synchronization after installation, you may need to edit the file /etc/firefox/firefoxrc. The line referencing FIREFOX_DSP should read
FIREFOX_DSP="padsp"
Restart Firefox for the change to take effect.

Note: For Hardy AMD64 users:

http://ubuntuforums.org/showpost.php?p=4350045&postcount=12

Installing the Flash support package
wget http://logicalnetworking.net/other/libflashsupport_1.0~2219-1_i386.deb sudo dpkg -i libflashsupport_1.0~2219-1_i386.deb
Note: For AMD64 users, there is now a plugin for Flash player 10 from Adobe for 64-bit Linux systems. This invalidates other package installations for flash on this page. Get it here: http://labs.adobe.com/downloads/flashplayer10.html

Restart Firefox to enable simultaneous audio output from flash and other sources (rhythmbox, totem, etc).

Building the Flash plugin from source

wget http://pulseaudio.vdbonline.net/flashplugin-nonfree-pulse_0.1~000.tar.gz tar xvfz flashplugin-nonfree-pulse_0.1~000.tar.gz cd flashplugin-nonfree-pulse-0.1~000 sudo apt-get install libpulse-dev make sudo make install

https://wiki.ubuntu.com/PulseAudio

What I found strange was that all these instructions were for Hardy and not for Jaunty or even Karmic as I did not have this problem on Hardy. To make matters difficult, flashplugin-nonfree-pulse doesn't exist in the Karmic repositories. I had to download the source and compile it. Luckily there weren't any complications and it did get my sound to work in Firefox. Now I can watch a movie, watch youtube, speak on Skype and listen to music all at the same time.

The Return of Gnome

2009-12-02T17:13:00.004Z

I'm finished with KDE. KDE4 just is not up to scratch for day to day use. Reasons? Slow. Too slow. But enough of that. Installed the gnome desktop of Ubuntu and suddenly I get a desktop speed boost. Switching windows is much more instant, windows get moved immediately and not 10 seconds later. And the list goes on. Maybe I'll have a look at KDE4 when it is a lot more mature. For now, Gnome is doing the job for me. Of course, Gnome isn't without its own problems. Here is a list of items I need to resolve in Gnome (in no particular order):

Flash video stutters in Firefox
Flash video locks the sound card instead of sharing it
VLC locks the sound card just like flash
No input from the microphone, despite it passing through to my speakers
Everything looks so big as if I was running in 800x600
Totem freezes everytime I open a video with subtitles (automatic load)
Re-enable XDMCP
Investigate 3D support for my old ATI graphics card
OpenVPN starts on boot up?

Crash and Burn

2009-12-02T02:03:00.001Z

I like the new KDE4. Unfortunately the only available version on Hardy is 4.1. Apparently 4.3 has fixed many of the bugs I'm currently experiencing like crashing plasmoids, refresh problems, settings being lost etc. So I looked around the net for a way to run 4.3 on Hardy, but nobody seems to have a way except to compile from source. After hours of searching, I decided I would have a go at compiling KDE4.3.

This was probably the biggest mistake I made. To compile KDE4.3 I needed to download this and that development package and this and that library. By the time I got everything downloaded, something was still missing and this I couldn't install the missing library because of dependency issues. I tried to resolve it by uninstalling and reinstalling a different version and as the more I kept fiddling, the worse the situation got till I broke my current so badly things were beginning to fall apart. First I lost synaptic, then I lost my kde apps one by one, then I lost the network and that was when I knew this was the end. Loosing the network meant I lost access to the repositories and without the repositories, there was no way to install packages. Without access to the packages, I had no way of repairing my current installation.

Luckily I had a copy of Kubuntu 9.10 CD lying around. As I've lost my complete system, I thought I might as well rebuild from scratch with 9.10 despite all the problems with ATI. The rebuild process went very smoothly and I was back up and running within the hour, plus I had KDE4.3 now. Not the ideal way to move forward, but what is done is done.

In the process, I finally removed my Windows XP partition permanently. I don't think I've booted into XP for over a year now. Never needed to. I am far happier now with Linux than I have ever been with Windows.

Anyway, KDE4.3 is a lot better than 4.1. Everything seems a lot more usable and things tend to work out of the box. Naturally there is always something that doesn't work quite right.

The microphone doesn't seem to record anything
Refresh seems slow compared to 3.5
I hate dragon player.
No more fglrx (no more support for my card)

Strange how some of these seemed to have worked in KDE3 and is broken in KDE4. Here goes tackling the problems!

KDE4

2009-11-28T21:09:00.001Z

I just installed KDE4 and I love it! When I installed it, I wasn't prepared to risk loosing my desktop if KDE4 didn't work out. I wanted KDE3.5 as a backup. That process will take a while to clean up, but KDE4 seems to work quite well. Now I can switch the default manager from KDE3 to KDE4, except I forgot how. Luckily I found this on the web:

How to Switch Between GDM and KDM on Ubuntu

If you have installed the Kubuntu desktop on top of Ubuntu or the other way around, you may want to switch from gdm to kdm, or from kdm to gdm. This is an easy thing to do.

Open a terminal window and type in the following command:

sudo dpkg-reconfigure gdm

Hit enter at the OK prompt, and then you can switch between the two easily:

This article was originally written on 12/13/06

http://www.howtogeek.com/howto/ubuntu/how-to-switch-between-gdm-and-kdm-on-ubuntu/

WEP off WPA on

2009-11-28T11:42:00.002Z

I've been running my WLAN at risk for a very long time by using WEP and have used countermeasures like OpenVPN to protect myself. I've never actually looked into implementing my network using WPA instead. I guess the reason being I have had so much trouble getting all my PCs to talk to the wireless box, I didn't want another level of pain. But I finally come around and have decided to switch to WPA.

Surprisingly this went extraordinary well! To use WPA on linux requires wpa_supplicant. My little 701 already has it installed. The man pages are extremely helpful in this case and with only 10 mins reading, I already knew what I needed to do. Here is my summary:

To get WPA working, you need to initiate after iwconfig, but before dhclient. I'll show you the full script at the end.

The command that needs to be entered is:

wpa_supplicant -c wpa_passwd.conf -B -i ath0

-c tells wpa_supplicant where it can find the configuration file which contains your SSID and password. NOTE: password in the file is unencryted!

-B tells it to run as a daemon, i.e. in the background

-i defined the interface to find the network, in my case ath0

That is basically it! To create the configuration file, you need to run wpa_passphrase like this:

wpa_passphrase SSID PASSWORD > wpa_passwd.conf

You need to redirect the output, else you'll only see it on the console.

Here is the extract of the script to connect to the wireless network:

ifconfig ath0 up iwconfig ath0 essid $ESS_ID wpa_supplicant -c $wpa_passwd.conf -B -i ath0 dhclient ath0

One further point to note, if your SSID is hidden like mine, you need iwconfig to tell it first else wpa_supplicant can't find it as it scans for networks matching your SSID. I suppose if you don't hide your SSID, I guess you can drop the iwconfig line. I'll let you experiment with that. I'm just happy it worked so smoothly.

Smashing Bash and going to Perl

2009-11-28T03:15:00.000Z

Luckily learning perl isn't as complicated as I thought. It is very similar to bash, simpler than C++ and a lot simpler than Qt. A very simple interface can be created in less than 15 lines of code!

#!/usr/local/bin/perl
use Tk;
# Main Window
my $mw = new MainWindow;
my $label = $mw -> Label(-text=>"Hello World") -> pack();
my $button = $mw -> Button(-text => "Quit", 
  -command => sub { exit })
 -> pack();
MainLoop;

Isn't that simple? I think I'm falling in love.......

GUI for Bash?

2009-11-27T23:23:00.001Z

I was thinking how nice it would be to have a little GUI for my script to connect to the network. I didn't want to spend a lot of time on it, so something quick and dirty would do. So I began a searh on google if there was such thing as front end to bash scripts. My search resulted in a number of different ways of creating front ends. Here is a list of quick and dirty ways to create a GUI for scripts: dialog(CLI ncurses), whiptail(newt libs), Xdialog(gtk), gdialog(gnome), zenity(gnome) or kommander(kde).

Reading about Xdialog on the web suggests Xdialog was one of the easiest to implement and relatively quickly. Xdialog works similar to calling a command on the bash script with the difference being in the arguments you can supply. Unfortunately I encounted two problems. The first one is Xdialog is no longer in the repositories and secondly when I tried compiling the source code, it was dependent on gtk1.2. I'm on gtk2.0 which no longer uses gtk-config but pkg-config instead. Unfortunately Xdialog is a bit out of date.

Further searching on google there is a myriad of conversations surrounding the use of Perl TK to produce smple GUIs. The more I investigate the options of producing a GUI, the more it seems I need to learn Perl TK. Or alternatively I work with C++.

Looking at a couple of perl examples, perl looks very similar to bash as it is a scripting language, just much more powerful. And with the addition of TK, it lets you produce GUIs pretty quickly. Luckily perl is already installed by default and all I needed to install in addition is perl tk. this in itself is very simple.

sudo apt-get install perl-tk

And that's done! Now all I have to do is learn perl and tk!

Mashing Bash

2009-11-27T19:48:00.005Z

Continued from Bashing Bash
Well, I have been bashing my head against the wall with this script. Everytime I think I've solved it, something different goes wrong. What I am trying to do is to test if a connection exists. If the connection exists, pass go and do not collect $200.

Having searched on the net, the suggestions I have come across point to pinging a DNS server address to see if a connection exists. At first I thought this would be a good idea. But, I have discovered ping for some reason returns host unreachable just after I connect. I can only assume the script goes onto the next step before everything is ready, thus the next step fails and quits.

What I have discovered is I can test to see if dhclient is running. With dhclient running, there must be a network connection and I can test for it by looking for the process. If the process exists, then connection exists else connect.

BUT dhclient can still be running, but no connection. What I did notice was dhclient itself detects if it is running and kills itself.

There is already a pid file /var/run/dhclient.pid with pid 4587 killed old client process, removed PID file Internet Systems Consortium DHCP Client V3.1.2 Copyright 2004-2008 Internet Systems Consortium. All rights reserved. For info, please visit http://www.isc.org/sw/dhcp/

This suggests I don't really need to check if a connection exists. The process will just re-connect. Here is the final script:

#!/bin/bash LOG_PATH=vlan.log ESS_ID=SOMETHING WIRELESS_KEY=A_KEY START_DATE=$(date) SRCH=$(pgrep openvpn | wc -l ) echo "$START_DATE" > $LOG_PATH echo "Beginning" >> $LOG_PATH echo "Connecting to wireless network" >> $LOG_PATH ifconfig ath0 up 2>&1 >> $LOG_PATH # iwlist ath0 scan >> $LOG_PATH iwconfig ath0 essid $ESS_ID key $WIRELESS_KEY 2>&1 >> $LOG_PATH dhclient ath0 2>&1 >> $LOG_PATH echo "Connection established!" >> $LOG_PATH echo "Sleeping for 10 secs" >> $LOG_PATH sleep 10 echo "Yawn! Awake now!" >> $LOG_PATH if [ "$SRCH" = 0 ]; then echo "Connecting to OpenVPN" >> $LOG_PATH /usr/sbin/openvpn --config client.ovpn >> $LOG_PATH else echo "OpenVPN already connected" >> $LOG_PATH fi

This has so far worked. Only time will tell if this is the best solution.

Reading CMH books

2009-11-22T01:03:00.006Z

I found an old ebook I had on my hard drive which had the CHM extension. I remember it being something from the Windows world, but when I tried to open it under linux, it couldn't recognise it. A quick search gave me this website: http://madphilosopher.ca/2006/09/how-to-convert-chm-files-under-linux/

How to convert CHM files under Linux
September 24th, 2006

CHM files, known as Microsoft Compressed HTML Help files, are a common format for eBooks and online documentation. They are basically a collection of HTML files stored in a compressed archive with the added benefit of an index.
Under Linux, you can view a CHM file with the xchm viewer. But sometimes that’s not enough. Suppose you want to edit, republish, or convert the CHM file into another format such as the Plucker eBook format for viewing on your Palm. To do so, you first need to extract the original HTML files from the CHM archive.
This can be done with the CHMLIB (CHM library) and its included helper application extract_chmLib.
In Debian or Ubuntu:
$ sudo apt-get install libchm-bin $ extract_chmLib book.chm outdir
where book.chm is the path to your CHM file and outdir is a new directory that will be created to contain the HTML extracted from the CHM file.

Now that I have extracted the book, at least I can read but the big question is if there is an alternative to CHM (for Linux of course)?

Bashing Bash

2009-11-17T22:22:00.000Z

I've discovered Bash scripting can be very frustrating. Bash has a lot of little quirks which isn't explained anywhere. The Bash scripting guide and the bash advanced scripting guide are two very good documents, but even they seem to miss out some of the little items which make scripting frustration.

For example, I was writing a script to connect to the network easier as per my earlier post WiFi Scripting. When my wife tried the script out to start the network, she accidentally clicked the icon twice thus creating two instances, which ended with the network connecting, disconnecting and connecting again. This meant I needed to change my script to check for other instances. In fact, this particular problem I have yet to solve. What I did manage to solve is to test for an existing connection. At least this will stop accidental attempt to connect ot the network again. Here is the script:



#!/bin/bash

ESS_ID=orange

WIRELESS_KEY=<hidden&rt;

CNNT=$(ping -c 1 192.168.0.1 2>&1 | grep -i Unreachable | wc -l)

SRCH=$(pgrep openvpn | wc -l 2>&1)



echo "Beginning"

if [ "$CNNT" != 0 ]; then

  echo "Connecting to wireless network"

  ifconfig ath0 up

  iwconfig ath0 essid $ESS_ID key $WIRELESS_KEY

  dhclient ath0



  echo "Connection established!"



else

  echo "Wireless already connected"

fi



  sleep 10



echo "Log begin" >> /home/aprc1/vlan.log

echo $SRCH >> /home/aprc1/vlan.log

echo $SRCH >> /home/aprc1/vlan.log

echo $CNNT >> /home/aprc1/vlan.log

eval 'ping -c 1 192.168.0.1' >> /home/aprc1/vlan.log 

eval 'pgrep openvpn' >> /home/aprc1/vlan.log

if [ "$SRCH" = 0 ]; then

  echo "Connecting to OpenVPN"

  /usr/sbin/openvpn --config /home/aprc1/vpn/client.ovpn

else

  echo "OpenVPN already connected"

fi

Simple enough, init? The two item which gave me the frustration are spacing does matter and the evaluation of commands.

Specifically the spacing problem was in if statements. Nowhere in the documentation and examples I have seen tells you to enter a space after the [ bracket of the if statement. All they guides show it with a space but does not literally tell you! At least not in a manner where I can see it clearly.

The other frustration is executing external programs/script and piping the output into your script. The guide explains defining a program arguments like this:



VARIABLE='ping -c 1 192.168.0.1' # Pings the machine 192.168.0.1 only once

The guide goes on to say the new method should be written like this:



VARIABLE=$(ping -c 1 192.168.0.1)

But both should work. I don't know if this is Ubuntu using something different, but the first method does NOT work. Whatever I do, I couldn't get it to evaluate the formula. In a very simple 2 liner code, for some reason it does! Where is the logic in that?

Anyhow, I guess with more experience I'll probably find more of these "undocumented" quirks.

Skype

2009-11-17T20:33:00.001Z

Next step was to get Skype onto the system, which is a very simple affair. all I had to do was add the following repo line into the sources list, update and install skype as per instructions below.

Skype repository
Just found out that skype has now an apt repository so installing and updating of skype is as easy as any other program in Ubuntu. Thius is far better than using automatix since you will be informed of new updates when they are available.
Using Skype's apt repository

Using sudo and your favorite text editor, add this line to the end of your /etc/apt/sources.list file:

deb http://download.skype.com/linux/repos/debian/ stable non-free
Then run apt-get update to sync to the latest repository and apt-get install skype to install the latest version of Skype on your computer.

Regards
Ramiro
http://ubuntuforums.org/showthread.php?t=404244

Unfortunately Skype uses Qt4 for it's GUI, which meant a lot of the Qt4 libraries needed to be installed as well, which came to about 150MB! A lot of space for my little 701.

Of course nothing ever goes as planned. When I tried to make a call, it couldn't find the audio device. That was strange. I never had a problem before on this machine. Went into the audio devices section of the options and changed the default device to INTEL ICH5, This seems to wotk and gave the best sound. I was told by the other end that my voice seemed quiet. remembering the old trick with alsamixer, I tried it out and turned everything to max. This fixed the problem, but will it remember it the next time I start up the machine? Probably not. Just to make sure, I tried Skype again and the other end could hear me a lot better.

Still concerned over the space utilisation of the drive, which I'm going to have to look into it after I finished "customising" my machine (unless I run out before hand).

Video codecs for UNR

2009-11-17T00:26:00.001Z

Installing the codecs is normally relatively simple. All you do is type the following command:

sudo apt-get install w32codecs

Except in UNR, it couldn't find it in the repositories. A google search did come up with the following which was helpful.

Playing Restricted Formats
Follow these steps to play and record most common multimedia formats, including MP3, DVD, Flash, Quicktime, WMA and WMV, including both standalone files and content embedded in web pages.
Ubuntu 9.04 (Jaunty Jackalope)

Click here to install the ubuntu-restricted-extras package

If you are using a different derivative of Ubuntu, install one of these instead:

kubuntu-restricted-extras

xubuntu-restricted-extras

To play DVDs, you also need to install libdvdcss by opening a terminal and entering the following in addition to installing the restricted extras package:
sudo /usr/share/doc/libdvdread4/install-css.sh
The instructions below for 8.10 and 8.04 should still also work.

Ubuntu 9.04, 8.10, 8.04

Synaptic

Go to Applications → Add/Remove...

Set Show: to All available applications

Search for ubuntu-restricted-extras and install it. Note that there is also xubuntu-restricted-extras (for Xubuntu) and kubuntu-restricted-extras (for Kubuntu.)

Or open the Terminal, and execute the following command:

sudo apt-get install ubuntu-restricted-extras

https://help.ubuntu.com/community/RestrictedFormats

Ok..... So you have to install ubuntu-restricted-extras instead. Looking through the list of items to be installed, which is quite a few, there are some interesting ones that are installed as part of the package.

cabextract flashplugin-nonfree gsfonts-x11 gstreamer0.10-ffmpeg gstreamer0.10-plugins-bad gstreamer0.10-plugins-bad-multiverse gstreamer0.10-plugins-ugly gstreamer0.10-plugins-ugly-multiverse jackd java-common liba52-0.7.4 libavcodec1d libavutil1d libcdaudio1 libdvdread3 libfaac0 libfaad2-0 libfreebob0 libgsm1 libid3tag0 libjack0 liblame0 libltdl3 libmad0 libmjpegtools0c2a libmms0 libmp4v2-0 libmpcdec3 libmpeg2-4 libqt3-mt libquicktime1 libsidplay1 libsoundtouch1c2 libx264-54 libxvidcore4 msttcorefonts odbcinst1debian1 qjackctl sun-java6-bin sun-java6-jre sun-java6-plugin ubuntu-restricted-extras unixodbc unrar

According to the above list, everything you would need seems to be listed above. The only thing missing seems to be libdvdcss2. But as I have no DVD drive on my 701, I won't bother to install it.

One last thing I need to install is Skype to make phone calls.

UNR, SMB, NFS and a patridge in a pear tree!

2009-11-16T09:45:00.001Z

Although both my server and client are Linux machines, I really shouldn't need to use SMB. NFS should be the better option, but as I've never used NFS to connect and SMB is all set up, I'm going to stick to what I know. Maybe I'll set up NFS for another day.

I have never managed to mount a SMB drive via the terminal. I've yet to work out what I'm doing wrong, but in the end I've always mounted through a GUI. The snag with UNR is I couldn't find a network places icon anywhere! Luckily I remembered you can mount drives via Nautilus. Of course I couldn't find an icon called Nautilus, but UNR does have the folders Documents, Videos etc. which opens in Nautilus. Went to File -> Connect to Server.

Selected Windows Share in Service Type, typed in the IP address of the server and everything else it wanted and clicked on connect. And voila! The drive was mounted. Tested accessing my files on the server and it worked! Except for my videos, 'cause I haven't installed the codecs yet and that will be my next task.

Next step: Install codecs

Wifi Scripting

2009-11-14T11:00:00.002Z

My wife wants to use my eee pc 701 netbook now that I have installed UNR. Naturally I have to make it easy for her to access everything she wants. What does that exactly mean? Easy to get online, log on to VPN to access my home network shares for music and videos and of course to use the internet.

Sadly the truth UNR needs a little bit of fiddling to get it to connect to the wireless lan, takes another step to connect via openvpn before she can get into Nautilus to browse the shared files and use the internet. The only solution I could think of was to write a startup script for her. One that would connect it to my wireless lan and log onto the VPN without any user interaction. Quite a challenge really. Firstly, like most users I've come to expect tasks to be performed through GUIs. I've never looked into how to connect to a wireless connection from the command line. I've had to use OpenVPN from the commandline because I could never find a decent GUI client.

So how does one go about writing a script to log onto a wireless lan? And naturally my friend google was more than happy to provide the answer.

Connect to a wireless network via command line

I know, the first thing you are asking is “Why would I want to have to connect to a wireless network from the command line?” To that question I can give you a simple answer…What if you want to create a script to run that will bring up your wireless network as soon as your desktop is loaded? You could get really complex and create a start up script to load a desktop based on what wireless access point you needed to join. That’s one of the beauties of Linux, if you can dream it, you can do it.

But I am getting too far ahead of myself. Let’s get back to the basics shall we? First I am going to assume that your wireless card was detected by your distribution and has the proper drivers loaded. With that accomplished you will need to have the following tools:

ifconfig: Enable your wireless device.

iwlist: List the available wireless access points.

iwconfig: Configure your wireless connection.

dhclient: Get your IP address via dhcp.

The first command you need to use is ifconfig. With this command you are going to enable your wireless device. Most likely your device will be called wlan0. So in order to enable this you would enter the command (as root):

ifconfig wlan0 up

You won’t see any feedback unless there is a problem.

The next step is to scan for your wireless network to make sure it is available. Do this with the following command:

iwlist wlan0 scan

With this command you will see output like the following:
Cell 01 - Address: 00:21:43:4E:9B:F0 ESSID:"HAIR STROBEL" Mode:Master Channel:5 Frequency:2.432 GHz (Channel 5) Quality=100/100? Signal level:-45 dBm? Noise level=-95 dBm Encryption key:on IE: WPA Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : TKIP Authentication Suites (1) : PSK IE: IEEE 802.11i/WPA2 Version 1 Group Cipher : TKIP Pairwise Ciphers (1) : CCMP Authentication Suites (1) : PSK Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 22 Mb/s 6 Mb/s; 9 Mb/s; 12 Mb/s; 18 Mb/s; 24 Mb/s 36 Mb/s; 48 Mb/s; 54 Mb/s Extra:tsf=000002f1d9be01b7
So you know this network is available. From the above output you can also see this network is employing WPA2, so you will need a passkey. If you don’t know that passkey, you are out of luck (which would be the case no matter if you were using a front end in Linux, Windows, or Mac.)

Now it’s time to configure your connection. To do this issue the command:

iwconfig wlan0 essid NETWORK_ID key WIRELESS_KEY

Where NETWORK_ID is the ESSID of the network with which you want to connect and WIRELESS_KEY is the security key needed to connect to the wireless access point.

Note: iwconfig defaults to using a HEX key. If you want to use an ascii key you will have to add the “s:” prefix to your key like so:
iwconfig wlan0 essid NETWORK_ID key s:WIRELESS_KEY

Now that you have your configuration set, it’s time to get an IP address with the help of dhclient. Issue the command:
dhclient wlan0

If no output is reported there are no errors. You should now be up and running.
Make it a script
Of course who wants to type out all of those commands. Instead of doing this you could create a script for this like so:
#! /bin/bash ifconfig wlan0 iwconfig wlan0 essid NETWORK_ID key WIRELESS_KEY dhclient wlan0

Where NETWORK_ID is the actually essid of the network and WIRELESS_KEY is the security key for that network. Save this script with the filename wireless_up.sh and then make this script executable with the command:
chmod u+x wireless_up.sh

You can make this a global command by placing this script in /usr/local/bin. You can now issue the command wireless_up.sh from anywhere in your directory structure and it will run, connecting you to the configured wireless access point.

If you frequent many wireless access points you can create a script for each one giving them each unique names. By doing this, when you need to connect to a specific access point, just run the script associated with that access point and you’re good to go.

Author: Jack Wallen
http://www.ghacks.net/2009/04/14/connect-to-a-wireless-network-via-command-line/

Google keywords used: connect wireless network command line (1st result)

Wow! That completely solved my problem in one go. Never found a solution to my problem this quickly before. All I had to do was change wlan0 to ath0, enter my SSID and KEY in and add the line:

openvpn --config /home/user/vpn/client.ovpn

Now all I had to do was chmod 755 the script. But annoyingly because the commands has to be run with admin rights, i.e. sudo script, I had to somehow make the script run without asking for a password. Remembering something from my past, I know you can configure what needs a password and what doesn't. First port of call was to have a look at the man pages of sudo.

sudo allows a permitted user to execute a command as the superuser or another user, as specified in the sudoers file.

http://www.sudo.ws/sudo/man/sudo.html

So where is the sudoers file?

sudo determines who is an authorized user by consulting the file /etc/sudoers.

http://www.sudo.ws/sudo/man/sudo.html

Looking in /etc, I found sudoers is a text based file, which shouldn't be edited through the normal editor route. You need to use visudo to be able to change the sudoers file:

visudo edits the sudoers file in a safe fashion, analogous to vipw(8). visudo locks the sudoers file against multiple simultaneous edits, provides basic sanity checks, and checks for parse errors. If the sudoers file is currently being edited you will receive a message to try again later.

http://www.sudo.ws/sudo/man/visudo.html

Browsing through the man pages, I found out you need to the option -f to be able to edit the file:

sudo visudo -f /etc/sudoers

Thus using the excerpt and example below I added a line into the sudoers file based on the man pages regarding the sudoers file, specifically NOPASSWD section of the document:

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself before running a command. This behavior can be modified via the NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used to reverse things. For example:

ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm as root on the machine rushmore without authenticating himself. If we only want ray to be able to run /bin/kill without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in the group specified by the exemptgroup option.

By default, if the NOPASSWD tag is applied to any of the entries for a user on the current host, he or she will be able to run sudo -lsudo -v without a password if the NOPASSWD tag is present for all a user's entries that pertain to the current host. This behavior may be overridden via the verifypw and listpw options.

without a password. Additionally, a user may only run

sudoers man page

I added the line just below "Cmnd alias specification" as that seems to be the most appropriate.

username  ALL=NOPASSWD: /usr/sbin/openvpn,
/usr/sbin/synaptic

But when I tried it out, sadly sudo still asked for a password.

With more research, I cam across this posting in the ubuntu forum.

Re: sudo does not respect NOPASSWD

ok I finally figured this out. turns out I didn't add myself to the last line like someone suggested. I thought i did but I must have not tested right. "kinda busy with other work also"
so it turns out the real issue is %admin ALL=(ALL) ALL overides all NOPASSWD statements since the default install user is added
to admin. if you added a new regular user this wouldn't be the case.

and if you actually uncommented #%sudo ALL=NOPASSWD: ALL and add your username to the sudo group . Odds are it wont work since %admin would override it . so you would have to move it to the last line also. see https://answers.launchpad.net/ubuntu/+question/31811

anyways, thanks for the help everyone

Schizoid May 2nd, 2008
http://ubuntuforums.org/showthread.php?t=779487&page=2

Interesting...... Went back into sudoers file and moved my line to the last line in the file. Let's see if that worked. Regrttably sudo didn't ask for my password for anything. Is there a timer somewhere in sudo?

Strangely enough my search ended in a MacOS X forum, where they were discussing how to increase sudo timeout.

I'm not a fan of extending sudo's timeout for security reasons, but it is possible to alter the timeout by adding a line like this to the /etc/sudoers file:

Defaults:your_username timestamp_timeout=SECONDS

Note that you should only edit this file with visudo. Replace "SECONDS" with, well, however many seconds you want.

Mikey-San 12-24-2007, 02:13 AM

http://forums.macosxhints.com/showthread.php?t=83344

Reading on, Mikey-San made a little mistake as baf pointed out in his posting

Yes.

From man sudoers:

Code:
timestamp_timeout Number of minutes that can elapse before sudo will ask for a passwd again. The default is 5. Set this to 0 to always prompt for a password. If set to a value less than 0 the user's timestamp will never expire. This can be used to allow users to create or delete their own timestamps via sudo -v and sudo -k respectively.

So use visudo to edit that file and add something like:
timestamp_timeout 15

should give you 15 minutes timeout.

baf 12-24-2007, 02:17 AM
http://forums.macosxhints.com/showthread.php?t=83344

Quickly added in the above line just above my inserted line, quit and tried opening something with sudo that wasn't synaptic or openvpn. Immediately asked for my password. Good! Now I try opening synaptic and it didn't ask me for a password!!! Yippee! It works!!

Go OpenVPN!

2009-11-13T23:15:00.002Z

Installing OpenVPN on UNR is considerably easier than on Xandros. Xandros never had the repositories for all these applications and you ended up having to use Debian repositories which are not really compatible with Xandros. Specifically the problems were with dependencies.

Under UNR, all I had to do was:

sudo apt-get install openvpn

and that was it. Put back the old keys and config file for OpenVPN and tried it out.

OpenVPN connected and I could ping the VPN server. Everything seemed to be working. The only thing which remained a problem is that I am not the only one using this computer. My wife uses it too and let's just say she isn't as computer literate as I am. Thus I needed to create something that allows her to access OpenVPN in a much simpler way than in a terminal. Searching on the net, I found the network manager which I was having so much problems with actually supports OpenVPN client. Snag is of course, I can't use it because it was causing me this many problems. Wicd doesn't support it in its client. Looks like I will have to write a script for it. But before I do, I thought I might do a little bit more googling.

Luckily I did, for I discovered a program called gopenvpn.

From what I can tell, the program is basically the same as OpenVPN GUI for Windows. Unfortunately it is nowhere to be found in the repositories, which is a shame. I decided to try and compile it from source, but apparently I was missing some sort of library and not knowing which library, I decided to grab the deb file instead. Although it says it was compiled for Jaunty, I decided to try it anyway and as expected, the deb files works just as well under Karmic.

Running the program is as easy as running it under windows. Double click on the icon and click on connect. Naturally it failed the first time as I haven't told it where to find the config file, but to my surprise there was no option to tell it where!

Based on the following comment, apparently it looks in /etc/openvpn for the config file and there is no way to change it except in the source code!

configuration files

gopenvpn will look in the directory /etc/openvpn for OpenVPN configuration files. OpenVPN configuration files with suffixes ".conf" and ".ovpn" are recognized. Any configuration files found will appear in gopenvpn's context menu.

http://gopenvpn.sourceforge.net/

My solution was simply to create a symbolic link:

ln -s /home/user/vpn/client.ovpn /etc/openvpn/client.ovpn

Ran GOpenVPN again and it connected!

Next step: Mount drives via SMB

Wifi Sigh

2009-11-13T20:06:00.003Z

Although Wifi now works, it doesn't quite work that well. I have to manually go into the Wifi window and tell wicd what the SSID name of my hidden wlan is, else it won't connect to the network. Apparently, this is quite a common error with wicd as they have it listed on the bug list.

The way we handle hidden networks right now doesn't work very well. We need to fix it. A couple of things need to happen:
1) When a wireless driver has an entry for an AP both with an essid and without, we should only display the one with an essid.
2) We need to properly remember the real essid of a hidden network. We end up displaying <hidden>when we should already know the real essid in many cases.
3) We should probably switch to a system where the user presses a button to assign an essid to a particular AP, rather than us using iwconfig/iwlist to try and make the real network name appear. This has a tendency to not work very well and cause issues.
Bug# 388116 (https://bugs.launchpad.net/wicd/+bug/388116 )

Unfortunately before I found this bug report, I saw on the homepage the newest version of wicd was 1.6.2 and I had 1.6.1 installed from the ubuntu repository. Naturally, I added the repository from wicd website to update it to the newest version.

Installing Wicd in Ubuntu
If you are using Ubuntu 9.04 (Jaunty), Wicd 1.5.9 is in the universe repository, so a simple sudo apt-get install wicd will do it. If you want the latest version of Wicd when it comes out, though, you'll need to add the Wicd repository. Jaunty users who need to download the Wicd deb package can grab it from Ubuntu's Universe repository.

Non-Jaunty versions of Ubuntu (Intrepid, Hardy, etc) or Jaunty users who want the latest updates will have to add the Wicd repository to the Ubuntu package manager. To open the package manager in Gnome, go to Administration > Synaptic Package Manager. When it appears, go to Settings > Repositories > Third Party Software > Add..., and enter the following line:
deb http://apt.wicd.net jaunty extras
where "jaunty" is your version of Ubuntu in lowercase (dapper, edgy, feisty, gutsy, hardy, intrepid, jaunty). You'll also need to add the key used for signing Wicd by running the following command in a terminal:
wget -q http://apt.wicd.net/wicd.gpg -O- sudo apt-key add -
Now, click Reload, and wait while the package lists are downloaded. Now, search for "Wicd", and right click on it. Select Install, then press Apply, and Wicd will automatically be downloaded and installed for you. This will also keep you automatically up to date with the latest and greatest version of Wicd. Please note that this will remove network-manager, which is the default GNOME network manager and may cause loss of network connection temporarily.

http://wicd.sourceforge.net/download.php

Normally you would expect the next version to work better than the previous version. In fact, whatever bugs they fixed in 1.6.2 made it worse for trying to connect to a hidden SSID network. Before, I had to manually type in my SSID to connect and now I can't even do that! Looking into the log files in /var/log/wicd/wicd.log suggests 1.6.2 replaces the hidden SSID not with the SSID you've told it, but with the word <hidden>. If you read the comments attached to the bug report, that is exactly what the code seems to be doing.

To clarify #2 (as discussed in http://wicd.net/punbb/viewtopic.php?id=597), wicd doesn't just "end up displaying <hidden>," it also tries to associate using an essid of <hidden>. The impact is that association fails, and the user must manually initiate the connection rendering the auto connect feature inoperable.

Don wrote on 2009-06-17: https://bugs.launchpad.net/wicd/+bug/388116

According to list of bugs, they might try and resolve it for the 1.6.3 release.

Additionally, the discussion on the forum (http://wicd.net/punbb/viewtopic.php?id=597) implies the problem may be related to the network drivers. Personally, this is a big implication, which I think is unfounded considering my wifi works in 1.6.1.

Luckily, reverting back to 1.6.1 wasn't too difficult. I just had to plug the LAN cable in to get back on the net so that apt-get could download the previous version of the repositories. Once that was all done and the machine rebooted, everything was back to normal. I'm hoping they will have fixed the problem for the 1.6.3 release, but in the meantime I'll just have to get used to connecting to my WIFI the old fashion way.

WiFi No Fly

2009-11-12T21:55:00.005Z

Unfortunately after the very first time, I could never get wifi to work again. I just couldn't figure out why. As with all PC related problems, I had to resort back to asking my old friend Google for the answer. Essentially, it looked like the problem lies with the Atheros driver.

Using the command lspci -nn tells you which chipset is used and this particular line is what I was after:

01:00.0 Ethernet controller [0200]: Atheros Communications Inc. AR5001 Wireless Network Adapter [168c:001c] (rev 01)

I knew I had an atheros chipset in my eee pc 701, but I wasn't sure which one. This will help me narrow down the search in Google..... Sesame Street 40th Birthday! (Google doodle of the day).... Sorry, digressing....

I found the following interesting:

If your Eee Pc has an Atheros wireless chip, then there are actually two drivers that can be used for it. Xandros and Ubuntu originally used a version of the Madwifi driver. Other distributions were using the ath5k driver.
With the latest release of Ubuntu (9.04) they switched the default driver to ath5k. This may be why you are experiencing differences in your connections. You should be able to switch to the Madwifi driver by running this:
System-->Administration-->Hardware Drivers
Select the Madwifi driver and enable it. I don't know if it will automatically remove and blacklist the ath5k driver, so you may need to do this.

waterhead Poasted 2009-05-16 10:07:58 am http://forum.eeeuser.com/viewtopic.php?id=67511

Unfortunately looking under Hardware Drivers, there was none listed. Further googling resulted in finding a page which tells you how to install the MadWIFI drivers.

Madwifi installation for Atheros card in Karmic koalay
Hi guys in this thread you will the instructions to install Madwifi drivers for Atheros wireless cards. Please follow the instructions to the word.
Open the 'terminal' by navigating through Applications-->Accessories--> Terminal
Now type the following commands in terminal
1. sudo nano /etc/apt/sources.list
From there make sure you uncomment anything that starts with "deb" in there. So changer it from "#deb" to "deb" Something along thoes lines. To exit and save hit "CTRL+X" the answer "YES" to do you want to save, then finally hit "ENTER"
2. sudo apt-get update && sudo apt-get upgrade
3. sudo apt-get install build-essential libssl-dev
4. sudo apt-get install linux-headers-`uname -r`
5. sudo apt-get install subversion
6. sudo -i
7. sudo svn checkout http://svn.madwifi-project.org/madwifi/trunk/ madwifi-ng
8. cd madwifi-ng
9. echo "" >> /etc/modprobe.d/blacklist
10. echo "#Remove To Install MadWIFI Drivers" >> /etc/modprobe.d/blacklist
11. echo "blacklist ath9k" >> /etc/modprobe.d/blacklist
12. echo "blacklist ath5k" >> /etc/modprobe.d/blacklist
13. make && make install
14. echo ath_pci >> /etc/modules

Restart your machine.
It should work
Well i use Wicd to connect to the wireless modem
To install Wicd type the following commands in terminal

sudo apt-get update
sudo apt-get install wicd
Best of Luck
Dr Kurian
Last edited by drpjkurian; 1 Week Ago at 10:22 AM..

http://ubuntuforums.org/showthread.php?t=1309072

Since MadWIFI does not seem to be in the repositories anymore, looks like this is the only way to install these drivers. I just have to compile them from source. As this is going to be on my eee pc, I was kinda worried about the space requirements, but luckily everything fit. Basically followed all the commands as written.

There is one step the author seemed to have missed or maybe it is particular to the URN. Once the machine has rebooted, you need to go to System -> Hardware Drivers and activate the MadWIFI drivers. Only then will the drivers be active. At this point I can't remember if I rebooted the machine or not. I'll leave you to find out.

Unfortunately wifi still didn't work. The network manager refused to connect to my hidden wireless! I told it everything it needed to know, but it seems to refuse to even try! Thus, at the end I decided to do what Dr Kurian did for the last step and install wicd. And to my total surpise wicd works straight out of the box (after configuration). wicd may not be perfect, but it is certainly better.

EEE PC 701 and Ubuntu Netbook Remix

2009-11-11T23:55:00.000Z

As much as I like my 701 with Xandros Linux on it, the version I have is getting old. I've already run out of user space trying to keep the machine up to date and I've got conflicting package dependencies left and right. Having looked at some of the reviews out on the net regarding Ubunutu Netbook Remix (UNR), it sounds like 9.10 is a very good replacement. Further searching on the net regarding 701 and UNR has resulted in a few problems with Wifi, but they all seem to be fixed in 9.10. Or are they? Well, the only way to find out I guess is to try it.

Instead of making a full installation, I decided to try it out as a live CD or in this case a live USB. You can get the image from Ubuntu's own site at:

http://www.ubuntu.com/getubuntu/download-netbook

They also have a link to the instructions on how to create your own bootable USB:

https://help.ubuntu.com/community/Installation/FromUSBStick

BUT, there is a problem with the instructions. It does not tell you for the Linux installation method that you need to have at least Intrepid installed to perform the following command:

usb-creator (sudo apt-get install usb-creator)

I have Hardy still installed on my system due to my old ATI graphics card and according to the following posting (found it through google), Hardy does not have the tool in its repository.

Intrepid comes with the handy USB Creator tool, something I already covered earlier. Not so with Hardy, though; and neither is the tool found in the Hardy repositories

http://ubuntuliving.blogspot.com/2008/11/usb-creator-for-hardy.html

Interestingly enough, the author continues on to suggest installing the tool manually:

Fortunately, it is possible to get it via Launchpad and install manually.

Here are the sources:

USB Creator for AMD64 (https://launchpad.net/ubuntu/intrepid/amd64/usb-creator)

USB Creator for i386 (https://launchpad.net/ubuntu/intrepid/i386/usb-creator)

The packages were built for Intrepid but should install nicely in Hardy. Thanks to Scot's Newsletter for the tip. The forum also reports that the latest two versions, 0.1.9 and 0.1.10, have problems; I choise to install 0.1.8 instead.

Note: USB Creator relies on syslinux and mtools so make sure to install them before installing usb-creator. usb-creator is also a plain .deb file, so you have to install it via

sudo dpkg -i usb-creator_0.1.8_all.deb

http://ubuntuliving.blogspot.com/2008/11/usb-creator-for-hardy.html

Now, I didn't try this method because I was tired and as I have a Windows based Notebook, I created the bootable USB using the instructions for Windows. Not ideal, but whatever works.

I then plugged the USB stick into my EEE PC and booted it up. It was slow booting up UNR, not sure if it was because it was running off my USB instead of the SSD. But as soon as it booted up, it was surprisingly very responsive. The look & feel of the interface felt very much superior to Xandros and everything seemed to work. The shortcut key for the volume control worked, with the OSD coming up notifying of changes.

Power management seemed to work seamless. Closed the lid, goes into suspend. Open back up, press the power button and starts up as expected. Everything seems to work so far.

Screen buttons make the screen go darker and lighter as expected.

Wifi button seemed to work as well, turning the receiver on and off as expected. Set up the wireless and the set up tool froze on me. Not a good sign. Linux was still running, just the whole gnome desktop manager froze. Reset the machine, as apparently ctrl-alt-backspace doesn't seem to work and tried setting up wireless again. This time it worked flawlessly. Was on the net, browsed a few web pages and as far as I could tell everything worked out of the box.

Now that I've tested UNR on my 701, time to make the change permanent but that is something for tomorrow night.

Overall I'm impressed. The look and feel, the organisation and the ease of use has certainly been convincing. Not being a fan of Gnome and gtk, I still find this remix distribution very attractive. I only hope when the final KDE version of the remix comes out, it will be just as impressive (or should be even better with KDE4). For the moment I'll stick with this version.

Skype, mics and sound

2009-10-17T19:23:00.000+01:00

For some strange reason, the microphone recording my voice was getting quieter and quieter. The other side was finding it harder and harder to hear me. I wasn't sure why at first, so I tested it with different settings on kmix trying to boost the sound to no avail. It seemed to make no difference. Was my microphone going bust? Plugging the thing into a Windows machine seems to work perfectly fine. What could the problem be? Then I remembered reading something on Eee User website, specifically the Eee Hardware FAQ (http://wiki.eeeuser.com/eee_hardware_faq) under "6.2 The speakers on my Eee don't work but I can hear sound through headphones". Here is the excerpt:

This appears to be a bug with the Linux operating system that comes with the Eee. The solution is to mute and then unmute the sound by pressing Fn + F7 twice; note that using the system tray applet to mute/unmute might not have the same effect. Alternatively, others report that plugging in headphones and then unplugging them several times in succession resumes correct speaker operation. 5) Perhaps also it works to increase the master volume level via Alsa mixer: Open up a console window (in Easy Mode: Ctrl+Alt+T). At the prompt, type alsamixer, then Enter. The PCM slider should be colored in red. Use PageUp or PageDown to adjust the volume. Then press Esc to quit Alsa mixer.

So I quickly called up alsamixer in the terminal and guess what! The volume on the capture device was virtually on 0! Increased it to maximum and performed a Skype test call. Suddenly my voice was coming out loud and clear. The question of course is why does increasing the volume to max in kmix have no effect on the volume in alsa?

Wubi

2009-05-30T15:29:00.010+01:00

Wubi is an officially supported Ubuntu installer for Windows users that can install and uninstall Ubuntu as any other Windows application, in a simple and safe way.

https://wiki.ubuntu.com/WubiGuide

And it works! I ran it on my Toshiba notebook which is still running Windows and I wanted to see how well it responds to linux on it. I didn't want to do a complete installation as I've done with my desktop, especially as the chances are high that I would need to reinstall windows. So I heard about Wubi on FLOSS weekly (http://twit.tv/FLOSS) Episode 63 April 4th, 2009. Leo Laporte and Randall Schwartz were interviewing the makers of Wubi and I highly recommend listening to the podcasts of the show.

The advantage of Wubi is installing ubuntu without the need for it's own partition. You don't need to move files around freeing up space, messing about with the partition table or anything similar. All you have to do is run the installer and ubuntu is installed onto a virtual partition. What that means is ubuntu sits in a single file in your windows partition without affecting your partition tables. In fact, you can access the file from within windows! But I haven't tried that part out yet.

Another plus point is that you can choose to install ubuntu, kubuntu or xubuntu. I personally prefer KDE, so I installed kubuntu which comes with KDE4. My desktop is still on KDE 3.5, so I'm actually quite impressed by KDE4.

It took a while to install on my system as it needed to download the whole kubuntu iso, but once it was done, just needed to reboot and select ubuntu as your operating system. In fact, it was so easy a noob PC user could even do it.

But there was one problem.For some reason the windows boot manager only gave me 1 second to choose. Obviously I changed it, but I just wonder how come it was set for 1 second. Is it a bug or is it just my particular installation? As it's a minor problem, I'm not going to worry about it further.

My initial impression is very positive, but only time will tell what other problems there will be.

In the meantime, check out these two websites which I found very usefull:
http://wubi-installer.org/
https://wiki.ubuntu.com/WubiGuide

Bloated or Fat? - Disk space and old Kernels

2009-04-05T15:46:00.015+01:00

It's been a while since I wrote anything, despite having discovered quite a few new things on linux since then. Today I discovered I'm running out of space on the OS partition. Linux was suppose to be "lighter" than the opposition, but for some reason on a 10GB partition, it is currently using 8.5GB. My first thought would be something is left over in the /tmp directory. Cleared it out. Next is apt cache. That reduced my disk consumption down to 7GB. But I remember at first install, the system was only 4GB and I have not installed that much since then. So what is taking up all that space?

Doing some googling around the web, I came across this webpage:

http://www.ubuntugeek.com/cleaning-up-all-unnecessary-junk-files-in-ubuntu.html

It has some great tips helping you clean your system, such as:

Remove Residual Config packages

In Synaptic Package Manger, there is a built-in feature that gets rid of old Residual Config packages. Residual Config packages are usually dependency packages that are left behind after you uninstall a package from your machine. To use this feature, go to System >Administration > Synaptic Package Manager. On the bottom left hand corner of the window,click the Status button. In the list above the Sections, Status, Search, and Custom buttons, you should see the following text
Installed Installed(auto removable) Installed(local or obsolete) Installed(upgradable) Not installed Not Installed (Residual config) Click on the “Residual config” text. (If the “Residual config dialogue does not appear, that means you do not have any Residual Config packages on your machine. If you want to remove you need to select those packages and click on apply from menu bar Remove packages are in progress

Remove partial packages

This is yet another built-in feature, but this time it is not used in Synaptic Package Manager. It is used in theTerminal. To access the Terminal, go to Applications > Accessories > Terminal. Now, in the Terminal, key in the following command:
sudo apt-get autoclean

Remove unnecessary locale data

For this we need to install localepurge. Automagically remove unnecessary locale data.This is just a simple script to recover diskspace wasted for unneeded locale files and localized man pages. It will automagically be invoked upon completion of any apt installation run.
Install localepurge in Ubuntu
sudo apt-get install localepurge
After installing anything with apt-get install, localepurge will remove all translation files and translated man pages in languages you cannot read.
If you want to configure localepurge you need to edit /etc/locale.nopurge
This can save you several megabytes of disk space, depending on the packages you have installed.

Remove “orphaned” packages

If you want to remove orphaned packages you need to install deborphan package.
Install deborphan in Ubuntu
sudo apt-get install deborphan
Using deborphan
Open Your terminal and enter the following command
sudo deborphan | xargs sudo apt-get -y remove –purge

debfoster - Keep track of what you did install

debfoster maintains a list of installed packages that were explicitly requested rather than installed as a dependency. Arguments are entirely optional, debfoster can be invoked per se after each run of dpkg and/or apt-get.
Alternatively you can use debfoster to install and remove packages by specifying the packages on the command line. Packages suffixed with a - are removed while packages without a suffix are installed.
If a new package is encountered or if debfoster notices that a package that used to be a dependency is now an orphan, it will ask you what to do with it. If you decide to keep it, debfoster will just take note and continue. If you decide that this package is not interesting enough it will be removed as soon as debfoster is done asking questions. If your choices cause other packages to become orphaned more questions will ensue.
Install debfoster in Ubuntu
sudo apt-get install debfoster
Using debfoster to create the initial keepers file use the following command
sudo debfoster -q
you can always edit the file /var/lib/debfosterkeepers which defines the packages you want to remain on your system.
to edit the keepers file type
sudo vi /var/lib/debfoster/keepers
To force debfoster to remove all packages that aren’t listed in this list or dependencies of packages that are listed in this list. It will also add all packages in this list that aren’t installed. So it makes your system comply with this list. Do this
sudo debfoster -f To keep track of what you installed additionally do once in a while : sudo debfoster

http://www.ubuntugeek.com/cleaning-up-all-unnecessary-junk-files-in-ubuntu.html

The above is only an excerpt of what the web page describes, but are the processes I followed to clear some space.

Although running these were all very good, it didn't really save much space. About 500MB worth. Still 6.5GB of unexplained. The last tool on the website was xdiskusage.

xdiskusage - Check where the space on your hard drive goes Displays a graphic of your disk usage with du.xdiskusage is a user-friendly program to show you what is using up all your disk space. It is based on the design of the “xdu” program written by Phillip C. Dykstra. Changes have been made so it runs “du” for you, and can display the free space left on the disk, and produce a PostScript version of the display.xdiskusage is nice if you want to easily see where the space on your hard drive goes. Install xdiskusage in Ubuntu sudo apt-get install xdiskusage If you want to open this application you need to use the following command sudo xdiskusage

This tool was quite useful to track down the space usage and to my surprise I discovered it to be my kernel taking up all the space! Specifically old kernels I never deleted when I moved onto the new kernel when I upgraded through synaptic! But how do I delete the old kernels? I thought about just using rm -f on the old kernels, but I thought there must be a better way under linux as I might destroy a reference or link I was not aware off. Thus, back to googling and came up with this website: http://www.cyberciti.biz/faq/proper-way-to-remove-old-linux-kernels/

Here is a copy and paste of the website itself:

Safely Remove / Delete Old Linux Kernel from a Linux Server by Vivek Gite

Q. We have 4 different versions of Linux kernel installed by yum command under CentOS Linux. Currently I'm using only latest version 2.6.18-53.1.4.el5. What is the proper and suggested method to remove old kernels from a CemtOS / Debian Linux server? A.Most Linux distro keeps old kernel files so that you can revert back in case of emergency pop up due to hardware / software incompatibility issues. Kernel is nothing but other files on Linux box. Following is the suggested way to remove old kernels.

Step #1: Find current kernel version

uname -r Output:

2.6.18-53.1.4.el5

Step #2: List all installed kernels

Use rpm or dpkg command: # rpm -q kernel Output:

kernel-2.6.12-1.el5 kernel-2.6.18-17.el5 kernel-2.6.18-53.el5 kernel-2.6.18-53.1.4.el5

Debian / Ubuntu Linux user, enter: $ dpkg --list 'linux-image*' Output:

Desired=Unknown/Install/Remove/Purge/Hold | Status=Not/Installed/Config-f/Unpacked/Failed-cfg/Half-inst/t-aWait/T-pend |/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad) ||/ Name Version Description +++-=============================-=============================-========================================================================== ii linux-image 2.6.22.14.21 Generic Linux kernel image. un linux-image-2.6 (no description available) rc linux-image-2.6.20-15-generic 2.6.20-15.27 Linux kernel image for version 2.6.20 on x86/x86_64 ii linux-image-2.6.20-16-generic 2.6.20-16.32 Linux kernel image for version 2.6.20 on x86/x86_64 ii linux-image-2.6.22-14-generic 2.6.22-14.47 Linux kernel image for version 2.6.22 on x86/x86_64 ii linux-image-generic 2.6.22.14.21 Generic Linux kernel image

Step #3: Remove all old kernels

WARNING! These examples may result into unstable system if not executed with care. Do not remove the kernel the system is currently running.

Choose which kernel you want to uninstall from the list of those installed. Type the following command to remove the kernel package under RHEL / CentOS / Fedora Linux: # rpm -e kernel-2.6.12-1.el5 Type the following command to remove the kernel package under Debian / Ubuntu Linux: $ sudo apt-get remove linux-image-2.6.22-14-generic

Vivek Gite (http://www.cyberciti.biz/faq/proper-way-to-remove-old-linux-kernels/)

Removing the kernels brought my disk usage back down to 4.5GB which is basically where I expect it to be. It is surprising how much the old kernels plus their headers actually take up.

Conclusion: If you are running out of space, make sure you do not have old kernels still lurking in the system. And never copy and paste into blogspot, it doesn't work properly......

ATI Woes

2008-06-27T15:07:00.000+01:00

After months of ignoring my graphics driver problem, I have finally gotten around to fixing it.

Here is the back story. When I installed Ubuntu and turned it into KUbuntu, my graphics driver I was using was the open source version for ATI cards. The problem I had was not that I was using the open source driver, but the fact that 3D didn't work at all. I was running my box completely on 2D using the processor instead of the graphics card. Well, I am.... but.... you know what I mean. Rendering 'n stuff. Anyway, I saw that Flight Gear had released version 1 and I just felt like playing a flying game again.

I didn't particularly wanted to reboot the machine and go into windows to play the game and frankly wine I don't think can handle M$ Flight Simulator. So all that I had left was to use Flight Gear which is pretty good anyhow. Maybe not as fancy graphics as MSFS, but still just as fun. So as you do, started up adept and installed Flight Gear. As soon as I started Flight Gear after install, my machine ground to a halt. It just couldn't cope with the graphics which is something you expect without 3D support. As you can guess, instead of having some fun flying, I ended up spending the evening getting the graphics drivers sorted. To solve the problem, I naturally went and googled it and came up with the following site: Unofficial Wiki for the ATI Linux Driver (http://wiki.cchtml.com/index.php/Main_Page). I knew I had already installed the drivers, but I thought I go through the installation instructions they had on the wiki, just in case I missed something. Here is the quoted instructions for the Ubuntu installation:

This will install the current driver in Ubuntu's repository. It is older than the one AMD has released, but will be supported by the Ubuntu people. Catalyst 8.3 is in the repositories.
sudo apt-get update 
sudo apt-get install linux-restricted-modules-generic restricted-manager
sudo apt-get install xorg-driver-fglrx
sudo depmod -a
The second line may not be necessary as you may already have restricted modules installed. Run it just in case. If the third line fails, you probably don't have the restricted repository enabled. See Pre-Installation.
After this, you'll may need to edit Xorg.conf:
sudo gedit /etc/X11/xorg.conf
In the device section, if it is not already there add:

File: /etc/X11/xorg.conf

Driver "fglrx"
Then to make sure Xorg is set up correctly, you'll have to let aticonfig "initialize" it:
sudo aticonfig --initial -f
After this you should be able to restart your computer and have the driver working. To test type
fglrxinfo
into a terminal. If the vendor string is not ATI, but Mesa, check #Removing Mesa drivers

Post-Installation Tweaks
To enable hardware accelerated video on pre-R500 cards, edit /etc/X11/xorg.conf to include the following lines without [...]
Section "Device"
 [...]
 Driver "fglrx"
 Option "VideoOverlay" "on"
 Option "OpenGLOverlay" "off"
 [...]
EndSection
Note that when Visual Effects (Compiz) are active, flickering and artifacts may occur in OpenGL applications and hardware accelerated video windows (particularly with R300 chipset). To prevent this, disable Visual Effects.

I never actually got to "sudo aticonfig --initial -f" as apt-get said that I already have the newest version installed. But as soon as I ran the command: fglrxinfo

The vendor string said Mesa and not ATI. So I followed the link above "Removing Mesa drivers", which states "Remove the package xserver-xgl". The only snag is that when I tried to remove it with apt-get, it told me that it isn't installed. Now I was stumped. Searching around on the website didn't really provide me with an answer, but it did tell me run this command:

glxinfo | grep direct

lsmod | grep fglrx

which outputs the following:

(EE) fglrx(0): [agp] unable to acquire AGP, error "xf86_ENODEV" (EE) fglrx(0): cannot init AGP (II) fglrx(0): [drm] removed 1 reserved context for kernel (II) fglrx(0): [drm] unmapping 8192 bytes of SAREA 0x2000 at 0xb6f31000 (WW) fglrx(0): *********************************************** (WW) fglrx(0): * DRI initialization failed! * (WW) fglrx(0): * (maybe driver kernel module missing or bad) * (WW) fglrx(0): * 2D acceleraton available (MMIO) * (WW) fglrx(0): * no 3D acceleration available * (WW) fglrx(0): *********************************************

The problem is even described on ATI's own website!

X Fails to Load on Systems with Linux Kernel Version 2.6.x

This information applies to the following system configurations:
Linux kernel version 2.6.x

Any ATI Linux driver
A blank screen may appear momentarily when X starts to load. The following error message (or similar) may appear on the text console or in /var/log/XFree86.0.log:

(EE) fglrx(0): [agp] unable to acquire AGP, error ""xf86_ENODEV""xf86_ENODEV""

This is not a problem with the display driver.

Version 2.6 kernels require a second kernel module in addition to agpgart, which should be named similar to the manufacturer of your motherboard AGP chipset. This error message should occur if the other agp module is not loaded.

This issue can be worked around as follows:

First make sure that agpgart is loading properly.
To find out which AGP controller your motherboard uses, issue the following command: lspci | grep AGP

To find a list of AGP related kernel modules installed on your machine, issue the following command and look for a module (*.ko file) that suits your AGP Controller: ls /lib/modules/`uname -r`/kernel/drivers/char/agp

Use the modprobe command (as root) to load the module. For example: On a motherboard using a VIA® AGP Controller, you would load the via-agp.ko using modprobe as follows (notice that the trailing .ko is omitted): modprobe via-agp

Check the modprobe manpage for more information on loading kernel modules.

To verify that the AGP module is already loaded, run lsmod as root. With the X server running and the connection established, the usage count of this module must be greater than zero.
If you cannot find a suitable agp module for your motherboard, then you may want to upgrade to the latest version of the Linux kernel, or check your motherboard manufacturer's website for more information.

(http://www2.ati.com/drivers/linux/linux_8.12.10.html)

The solution though doesn't work and where am I suppose to get a suitable agp module from? Anyhow, further searching came up with this Bug Report: Bug #57451, first reported on 2006-08-23 by Kibbled_bits ATI 9800XT No Direct Rendering - Cannot Init AGP (https://bugs.launchpad.net/ubuntu/+source/linux-restricted-modules-2.6.15/+bug/57451) which describes the problem in detail and came up with this little tidbit:

Kibbled_bits wrote on 2007-01-03: (permalink)
The bug is not in fglrx it is in the driver for agpgart that which is built in. This is an open source driver to my knowledge. Note: the problem is not with fglrx, it's with a motherboard that has an ATI chipset which is presently not supported by our agpgart.
Thanks, Scott

It sounded like that was the end, but I don't know what I searched on in google, but I did come across this bug report: AGP not detected on Intel 8285P and E7205 chipsets using kernels higher than 2.6.17 (https://launchpad.net/ubuntu/+source/linux-source-2.6.20/+bug/78684).

Reading the comments on the bug, there seems to be a particular problem with one module and when the following is added as per comment below resolves the problem.

Nicolas Gorguès wrote on 2007-04-20: (permalink)
Also confirmed here with kernel 2.6.20 (Feisty Fawn 7.04): - Shapphire RADEON X800 XL (AGP) - Chipset Intel 865PE (MB ASUS P4P800)
As a soft workaround, blacklisting the modules has worked perfectly. => add the following two lines at the beginning of /etc/modprobe.d/blacklist:
blacklist i82875p_edac blacklist edac_mc
Now desktop effects (wobbly+cube) work like a charm with the open source RADEON driver.

Naturally, I immediately tried it myself and after a reboot and entering the command fglrxinfo now still states MESA. More browsing and thinking later, I became suspicious it might be my xorg.conf that is wrong. So I decided to do the following, but don't ask me why I did what I did. Probably because it was 2AM in the morning and mad things come to mind. Anyway, I ran "sudo aticonfig --initial -f" and then went into my xorg.conf and added/edited:

Section "Device"
 [...]
 Driver "fglrx"
 Option "VideoOverlay" "on"
 Option "OpenGLOverlay" "off"
 [...]
EndSection

Restart of X didn't work for some reason, but on a total reboot of the system and then running fglrxinfo, resulted in the following:

display: :0.0 screen: 0 OpenGL vendor string: ATI Technologies Inc. OpenGL renderer string: ATI RADEON 9600 Series OpenGL version string: 2.1.7412 Release

Whoohoo! Finally got it working. Time to try Flight Gear and ....... it works!!!!! No problems, smooth gameplay, no graphic glitches I could tell. Now how do you control the aircraft?

Obviously the above solution is not ideal by excluding modules, but as long as it works and till a more permanent solution is found I'm quite happy to stick to this method for now.

SCIM

2008-03-26T15:15:00.000Z

My next challenge is to get Chinese input to work on KDE. A quick search on google came up with this article.

Select KMenu -> System -> Language Support (in Kubuntu 7.10 it is KMenu -> System Settings -> Regional & Language) Select Chinese from the language list, click 'Apply', and allow the package manager Adept to finish downloading the language pack Close the Adept window when the download is complete Right click the SKIM icon in your taskbar and select Configuration -> General SCIM -> "Other" Tab Under the 'Panel Program' dropdown, select 'scim-panel-kde' Under the 'Config Module' dropdown, select 'kconfig' If your default language coincides with your new input language (e.g. Installed Chinese input for a Chinese desktop), Go onto to step 6. For users utilizing different default and input languages (e.g. Chinese input for an English Desktop). Open up Konsole and type: mkdir ~/.xinput.d
cp /etc/X11/xinit/xinput.d/scim-pinyin ~/.xinput.d/default
Restart your computer. Once you are logged in, you should be able to activate SKIM with CTRL-Space or SHIFT-Space within any application that allows keyboard inputs. e.g. Start Kate Press CTRL-Space. A SKIM toolbar would have poped up. Choose Chinese input -> Smart PinYin on the SKIM toolbar You can now input Chinese in Kate
To switch back to the default language of your desktop, press the shortcut key in (ii), which is used to toggle between the desktop default language and the input method set up in (iii).
https://help.ubuntu.com/community/SCIM/Kubuntu

But it doesn't work. I still can't type Chinese in any of the windows. When clicking on SKIM to select input methods, all I get is a blank list. I did find another website on how to set up scim for Vietnamese input. The following paragraph was of particular interest.

Ubuntu 7.10 Gutsy Gibbon
After doing the few steps below, you will be able to use SCIM in some applications by right-clicking and changing input method by SCIM but it wont work in Open Office and some GTK applications.
Install scim-bridge and scim-bridge-client-qt (for KDE applications)
sudo apt-get install scim-bridge
sudo apt-get install scim-bridge-client-qt
Edit this file:
sudo "editor" /etc/X11/xinit/xinput.d/scim
Modify the next lines:
GTK_IM_MODULE=xim
by
GTK_IM_MODULE="scim-bridge"
and
QT_IM_MODULE=xim
by
QT_IM_MODULE="scim-bridge"
Save the file, erase the 2 folders (.scim and .xinput) in your home directory and restart the computer.
All should be fine
http://www.hanoilug.org/dokuwiki/soft:scimtelex

Modifying /etc/X11/xinit/xinput.d/scim was something I hadn't seen in the previous instructions, so I tried it out. Restarted X and it hanged after login. Tried to restart X two more times, but it still hung after login. Decided to try and reboot the whole machine and see if that would make a difference. After a full reboot, X started up properly with KDE etc. all started as normal except for one thing. All the fonts are tiny! On the upside though, SKIM works! The only problem is the Font is a little too small. Played around with the font settings in KDE, but nothing seems to look right. I do remember somewhere in the forums stating that SCIM works with GTK, but not particularly with QT.

DosBox

2008-02-25T00:08:00.002Z

I felt a bit nostalgic the other day and wanted to play some of my old DOS games. The first game that came to mind was Sam & Max and I knew there was the ScummVM app which could play all the old LucasArts adventure games, but I thought I would be a little more challenging and have a look at actually getting DosBox to run under Linux. Both ScummVM and DosBox are available in the repositories making installation a cinch. Getting ScummVM to run is a cinch as well. Everything is graphical, but DosBox on the other hand isn't. In Windows you could get the graphical add on D-Fend, but there doesn't seem to be a similar piece of software in Linux that can be easily installed from the repositories. Luckily, DosBox isn't too difficult to set up. Tried playing the first game I came across in my archives of disks and two things went wrong. 1. No midi sound 2. My mouse seems to be stuck at the bottom right corner 1. MIDI This was actually a bit more difficult to resolve than I thought. Getting midi to work required me to create a directory in my home directory

mkdir .dosboxrc

within this directory, I could copy the default version

cp /usr/share/doc/dosbox/dosbox.conf.example.gz dosbox.conf

Open dosbox.conf and change to the following

mpu401=intelligent device=alsa config=128:0

Everytime I start DosBox now, midi works. Well, nearly everytime. There seems to be occasions where DosBox seems to start and ignore the config settings. By force starting DosBox as follows seems to correct it.

dosbox -conf ~/.dosboxrc/dosbox.conf

2. Mouse The mouse was solved reading the following forum thread which suggested the following line be entered before starting DosBox

export SDL_VIDEO_X11_DGAMOUSE=0
http://ubuntuforums.org/showthread.php?t=187907

I decided to put the whole lot into a script file.

#!/bin/bash export SDL_VIDEO_X11_DGAMOUSE=0 dosbox -conf ~/.dosboxrc/dosbox.conf

That way I don't have to keep typing out the same thing everytime. Anyhow, my game seems to work now with sound, music and mouse.

Gnome vs KDE. The Great Debate

2008-02-21T22:05:00.000Z

I tried figuring out why everything feels so sluggish and I really don't know why, but I'm somehow guessing it has something to do with this great new compiz thing, which I know won't work on my system anyway. This lag is beginning to bug me. I'm going to install KDE and see if that makes any difference. Went into Synaptic, selected the kdesktop and all the related dependencies, selected the options when the popped up and restarted the graphics system by pressing ctrl-alt-backspace. But that didn't switch into KDE. Gnome came back up. Logged out and chose KDE as the primary window manager. KDE came back up and everything is working, but is it any better? Initial feeling seems to be quicker than Gnome but we'll have to wait and see. Well, after about an hour browsing the net, housekeeping, watching videos, looking at pictures, KDE does seem to be smoother. I'll stick with it for now and see how it goes. It really does seem better than Gnome. If all else fails, I'll switch to Xfce as the last resort. KDE certainly looks different from Gnome. Somehow it feels more "organised" than Gnome. Even some of the little things that annoyed me in Gnome, seem to dissapear in KDE. For example some of the expectation of a certain key or mouse click doesn't work the way I expect in Gnome but does in KDE. At this stage I feel as if Gnome is trying to constantly be in the forefront of desktop environment development while KDE is making sure all the bugs are worked out before moving onto the next great thing. At least for now, KDE seems to be the better choice for me.

APE & FLAC

2008-02-20T23:04:00.001Z

I've got a couple of files in APE format, which is known as Monkey's Audio.

Monkey’s Audio is a file format for audio data compression. Being a lossless compression format, Monkey’s Audio does not remove information from the audio stream, as lossy compression formats such as MP3, AAC, and Vorbis do.

Like other methods of compression, the main advantage of using Monkey’s Audio lies in a reduction of bandwidth and/or a reduction in storage requirements, but, in the case of Monkey’s Audio, there is no sacrificing of the integrity of the audio source (as there would be with, for example, MP3). For example, a digital recording (such as a CD) encoded to Monkey’s Audio can be decompressed into an identical copy of the audio data. Audio sources encoded to Monkey’s Audio are typically reduced to about half of the original size.^[1]

Monkey’s Audio is suitable for distribution, playback and archival purposes. However, it is a proprietary software, it is often too slow to decode on portable audio devices, and it has limited/problematic support on software platforms other than Windows. There are alternatives that provide the user with more freedom and official support for more platforms, such as the FLAC format.

http://en.wikipedia.org/wiki/Monkey%27s_Audio

Because it is a proprietary software, again Linux distributions do not support it by default. The suggestion of using the FLAC format instead certainly got me interested, thus I had a look at FLAC.

Free Lossless Audio Codec (FLAC) is a file format for audio data compression. Being a lossless compression format, FLAC does not remove information from the audio stream, as lossy compression formats such as MP3, AAC, and Vorbis do.

Like other methods of compression, FLAC's main advantage is the reduction of bandwidth or storage requirements, but without sacrificing the integrity of the audio source. For example, a digital recording (such as a CD) encoded to FLAC can be decompressed into an identical copy of the audio data. Audio sources encoded to FLAC are typically reduced in size 40 to 50 percent (47% according to their own comparison).^[2]

FLAC is suitable for everyday playback and audio archival, with support for tagging, cover art and fast seeking. FLAC's free and open source royalty-free nature makes it well-supported by many software applications. FLAC playback support in portable audio devices and dedicated audio systems is limited but growing.^[3] Josh Coalson is the primary author of FLAC.
http://en.wikipedia.org/wiki/Flac

What this tells me is that it might worth converting all the APEs I have into FLACs. A search on Google resulted in the following web page. An excellent little article describing exactly what I wanted to do.

Converting Monkey’s Audio (ape) to flac in Ubuntu

Converting .ape files to the flac format in linux requires both the “mac” and “flac” software packages. For details on installing mac in ubuntu see here. To install flac enter the following in a terminal window:

sudo aptitude install flac

Audio file format conversions can be performed from the command line, or via the GUI using soundKonverter.

If you prefer to work from the command line, then you will want to install shntool:

sudo aptitude install shntool

Shntool functions as a frontend of sorts for lossless audio software (mac, flac, wavpack). It performs a range of functions including facilitating the conversion of music files between the various lossless formats (ape, flac, wv, wav, etc). Note that shntool has native support for .wav files only; if you want it to work with .ape, .flac or .wv files then you must have the appropriate helper programs (mac, flac, wavpack respectively) installed. For a full list of the lossless formats supported by shntool type “shntool -f”. To convert all .ape files in a directory to flac using shntool:

shntool conv -o flac *.ape

This command can also be given as:

shnconv -o flac *.ape

An alternative to using shntool is to work via the mac and flac programs directly; to convert a monkey’s audio file to flac:

mac sample.ape sample.wav -d

flac -o sample.flac sample.wav

It is possible to pipe the output of mac directly into the flac tool - you would get equivalent results by issuing:

mac sample.ape - -d | flac -o sample.flac -

To convert a directory of ape files to flac:

for i in *.ape; do mac “$i” - -d | flac -o “${i%*.ape}.flac” -; done

(Note: if you are copying the above command and it pasting into the terminal window, you will need to replace the “curly quotes” used by WordPress with the straight/ non-curly quotation marks used by the shell.)

You could put the above line in a bash script to simplifiy the conversion process.

SoundKonverter - Audio file format converter

SoundKonvertor is a GUI frontend to programs such as mac and flac. It allows you to convert your music files between the various formats using a point and click interface. This is an excellent option if you find working with the command line to be tedious. Note that SoundKonverter requires mac and flac to be installed to be able to work with monkey’s audio and flac formats respectively. To install soundKonverter:

sudo aptitude install soundkonverter

soundKonverter can be launched by selecting the appropriate icon from your applications menu (in KDE it is installed under the Multimedia menu).

Preserving ape tags

Unfortunately shntool and soundKonverter do not preserve existing tag information (album, artist, genre, etc.) when converting monkey’s audio files to flac or other lossless formats.

Jared Breeland has written a nice bash script (convtoflac.sh) which will convert your monkey’s audio files to flac preserving your precious tag information in the process. The convtoflac.sh script was written on a Gentoo system but with a very slight amount of tweaking it will work on your Ubuntu/ Kubuntu system. Note: the script calls on a small program (apeinfo) to extract tag information information from the ape files which is then transferred to your converted files. Jared provides a binary (compiled) version of apeinfo and the source code. The binary was compiled on a Gentoo Linux system (running GCC 3.4.4 and glibc 2.3.5) - it works fine on my Ubuntu and Kubuntu 7.04 installations. Instructions for Ubuntu/ Kubuntu users: If you don’t already have one, create a directory called “bin” in your home directory, and download and place the convtoflac.sh script and the apeinfo binary file there. Open the convtoflac.sh script in a text editor and make these two small changes to the script: 1) look for the line containing “SED=/usr/bin/sed” and change it to “SED=/bin/sed” (this is needed because the sed binary - a text processing program - is located differently in Ubuntu than Gentoo). 2) Look for the line containing “APEINFO=/usr/local/bin/apeinfo” and change it to “APEINFO=~/bin/apeinfo”. You also need to ensure that the script and also the apeinfo binary have their execute bit set (this allows them to be run):

chmod a+x ~/bin/convtoflac.sh chmod a+x ~/bin/apeinfo

To convert an ape file to flac using the convtoflac.sh script enter the following in a terminal window:

convtoflac.sh sample.ape

To convert an entire directory of ape files to flac:

for i in *.ape; do convtoflac.sh “$i”; done

(Note: if you are copying the above command and it pasting into the terminal window, you will need to replace the “curly quotes” used by WordPress with the straight/ non-curly quotation marks used by the shell.)

This entry was written by aidanjm and posted on February 4, 2007 at 9:54 pm and filed under Linux, Monkey's Audio, Ubuntu, ape, flac, mp3. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.
http://aidanjm.wordpress.com/2007/02/04/converting-monkey%E2%80%99s-audio-ape-files-to-flac-in-ubuntu/

Following the top instructions worked for me. I installed the shntools and used konverter to convert all my APE files to FLAC. Now the BPMx, Amarok, Audacious and XMMS all play them without any problems. Aidanjm has a few more articles which are also worth looking at:

Using Monkey’s Audio (ape) files in Ubuntu

To work with monkey’s audio (ape) files you need the “mac” command line tool. This software isn’t available in the Ubuntu repositories so you will need to either compile mac yourself, or alternatively install it from a .deb file.

Installing mac from a .deb file

I’ve put a .deb file for the mac software here (this is for 386 systems). Use it to install mac when you do not want to compile from source. It was compiled on a Kubuntu 6.10 system (works fine with Kubuntu/ Ubuntu 7.04). Save the file by right-clicking on the link and choosing “Save target as” or “Save as”. To install, open a terminal window, navigate to the directory containing the downloaded file, then enter the following:

sudo dpkg -i mac-3.99-u4_b3-1_i386.deb

To confirm the install went ok type “mac” in the terminal window - you should get a listing of mac’s usage details.

[Note: RareWares provides monkey’s audio deb install files for Debian users - look in this directory for the libmac and monkey’s audio .deb files.]

Compiling mac from the source code

You need to install the development tools required to compile a program from source:

sudo aptitude install build-essential

Note that “nasm” (a dependency of mac) must also be installed before attempting to compile mac:

sudo aptitude install nasm

Click here to download the latest version (3.99) of the mac source code from the author’s web page.

Open a terminal window and uncompress the source code, and navigate into the source directory:

tar -zxvf mac-3.99-u4-b5.tar.gz cd mac-3.99-u4-b5.tar.gz

Configure, make and install the source:

./configure make sudo make install

Confirm the install went ok by typing “mac” in the terminal window (should get a listing of mac’s usage details).

This entry was written by aidanjm and posted on January 26, 2007 at 5:53 pm and filed under Linux, Ubuntu, ape. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

http://aidanjm.wordpress.com/2007/01/26/using-monkeys-audio-ape-files-in-ubuntu/

And this one:

Split lossless audio (ape, flac, wv, wav) by cue file in Ubuntu

Lossless audio files can be split by cue file using “shnsplit” (part of the “shntool” package). You will also need the “cuebreakpoints” tool (part of the “cuetools” package). To install cuetools and shntool in Ubuntu/ Kubuntu, open a terminal window and enter the following:

sudo aptitude install cuetools shntool

You will also need software for your prefered lossless audio format. For Monkey’s Audio you need to install “mac” - see here for details. For FLAC and WavPack formats you need to install “flac” and “wavpack” respectively:

sudo aptitude install flac wavpack

Shnsplit requires a list of break-points with which to split an audio file. Conveniently, cuebreakpoints prints the break-points from a cue or toc file in a format that can be used by shnsplit. You can pipe the output of cuebreakpoints to shnsplit as follows:

cuebreakpoints sample.cue | shnsplit -o flac sample.flac

In this example, a flac file called “sample.flac” is split according to the break-points contained in “sample.cue” and the results are output in the flac format.

The output file format is specified via the “-o” option. If you don’t specify an output format your split files will be in shntool’s default format (i.e., wave files, “wav”).

To split a monkey’s audio file by cue file and output the results in the flac format:

cuebreakpoints sample.cue | shnsplit -o flac sample.ape

Note that a default prefix “split-track” is used to name the output files. (The default output format is split-track01, split-track02, split-track03, …). You can specify your own prefix via the “-a” option.

To see all the options for shntool split type “shntool split -h” or “shnsplit -h”.

Transferring tags

The audio files output by shnsplit do not contain tag data. However you can use the “cuetag” script (installed as part of the cuetools package) to transfer tag data directly from a cue file to your split audio files. You specify the individual audio files corresponding to the tracks contained in your cue file as follows:

cuetag sample.cue split-track01.flac split-track02.flac split-track03.flac split-track04.flac

This will transfer the tag data contained in “sample.cue” to the flac audio tracks “split-track01.flac” “split-track02.flac” “split-track03.flac” and “split-track04.flac”.

The above command could be streamlined as:

cuetag sample.cue split-track*.flac

Cuetag works with flac, ogg and mp3 files. The cuetag script is not currently able to handle file names containing spaces.

Note: If you are running flac version 1.1.4 or higher then you may need to make some small changes to the cuetag script before it will work correctly with flac files. Open the cuetag script (for Ubuntu installations it will be located at /usr/bin/cuetag) in a text editor and make these two changes: 1) search for “remove-vc-all” and replace with “remove-all-tags”. 2) search for “import-vc-from” and replace with “import-tags-from”. For more information see here.

This entry was written by aidanjm and posted on February 15, 2007 at 7:54 am and filed under Linux, Ubuntu, ape, cue, cuetag, cuetools, flac. Bookmark the permalink. Follow any comments here with the RSS feed for this post. Post a comment or leave a trackback: Trackback URL.

http://aidanjm.wordpress.com/2007/02/15/split-lossless-audio-ape-flac-wv-wav-by-cue-file/

RMVB

2008-02-19T22:13:00.001Z

I was trying to watch a vidoe in RMVB format the other day and naturally Kaffeine and MPlayer can't open the file. RMVB is described in Wikipedia as follows:

RealMedia Variable Bitrate (RMVB) is a variable bitrate extension of the RealMedia multimedia container format developed by RealNetworks.

As opposed to the more common RealMedia container, which holds streaming media encoded at a constant bit rate, RMVB is typically used for multimedia content stored locally. Files using this format have the file extension ".rmvb".

What it also means is that the format is proprietary and such wouldn't be included in any Linux distro as standard. The good news was that Real Player 10 exists for Linux directly from Real's website (http://www.real.com/linux). Downloaded the binary package, chmod 755 on it and executed the file. Installed fine, opened Real Player and it played my file. I would have left it at this point, except I was wondering if I couldn't convert the RMVB into something more appropriate, like MPEG or even a DVD. Thus began my journey through the web looking for a way to convert RMVB. The first useful website I came across was a forum posting.

convert rmvb to avi

In this article, I am going to show how to convert a rmvb file to an avi file (mpeg4 video + mp3 audio) Tools 1. mplayer 2. mencoder 3. essential codecs for mplayer note: to install the above tools, please take a look to http://stanton-finley.net/fedora_co...tion_notes.html File 1. rmvb file: in.rmvb 2. avi file: out.avi Information for the avi file Video format: mpeg4 bitrate:1200 kb/s fps: 25 fps Audio format: mp3 bitrate: 128 kb/s Command mencoder in.rmvb -oac mp3lame -lameopts preset=128 -ovc lavc -lavcopts vcodec=mpeg4:vbitrate=1200 -ofps 25 -of avi -o out.avi Explanation -oac: output audio codec mp3lame: library used for audio encoding -lameopts: options used along with lame preset: values for audio bitrate, you can set 64, 128, 224, etc -ovc: ouput video codec lavc: library used for video encoding -lavcopts: options used along with lavc vcodec: video codec, you can use mpeg1video, mpeg4, etc vbitrate: video bitrate, you can set 600, 1000, 1200, etc -ofps: outpt frame per second ( fps) -of: output file container type -o: output filename Mencoder is a powerful tool to convert multimedia, just like the above example, we can use it to convert rmvb to avi. With suitable library and codecs, we can even use it to convert file format like rm, wmv etc. Reference link: http://gentoo-wiki.com/HOWTO_Mencod...roduction_Guide

by Sunny, http://forums.fedoraforum.org/forum/showthread.php?p=963770

This suggests that I need to have MPlayer installed. I further search revealed another forum posting with regards to actually being able to play RMVB in MPlayer.

Guide for playing RMVB real media in mplayer

bhuthogg
November 18th, 2007, 08:03 AM
This is a copy paste but i have found it so usefull Here is original link (http://www.simplehelp.net/2007/07/27/how-to-play-rmvb-files-in-ubuntu/) How to play .rmvb files in Ubuntu July 27th, 2007 by Ross McKillop | Print This Post Print This Post Linux This tutorial will take you step by step through installing all of the software necessary to play rmvb (RealMedia Variable Bitrate) files in Ubuntu Linux. Though the steps and screenshots are specific to Ubuntu, they will likely be similar for other versions of Linux. With that said, be sure to read the MPlayer README file if you’re not using Ubuntu. Similar to some of the other tutorials on Simplehelp, this is almost certainly not the only way to play .rmvb files in Ubuntu, but it’s the easiest way I could find. If you know of a easier method, by all means please feel free to leave a comment. 1. The first step in playing .rmvb files in Ubuntu is to use the Synaptic Package Manager to install MPlayer. When you mark MPlayer for installation, you’ll be prompted to install additional software packages (if they’re not already installed). play rmvb files in ubuntu linux click to enlarge 2. After MPlayer has been installed, exit out of the Synaptic Package Manager and visit the MPlayer binary codec download page. Download the codec package for your platform (for example, if you’re using a 32bit Intel or AMD processor, download the Linux x86 package). Save the file to your desktop (or home folder). Once the download has completed, double-click that file. Select the folder to uncompress, and click the Extract button. play rmvb files in ubuntu linux click to enlarge 3. Choose a location to extract the files (your desktop is ideal) and again click Extract. play rmvb files in ubuntu linux click to enlarge 4. Make sure the files extracted correctly. They’ll be in a folder titled essential-date. play rmvb files in ubuntu linux 5. Open up a Terminal by selecting Applications -> Accessories -> Terminal. play rmvb files in ubuntu linux 6. Enter the following commands (and your password when prompted): cd Desktop cd essential-date sudo mkdir /usr/lib/win32 sudo cp * /usr/lib/win32 play rmvb files in ubuntu linux click to enlarge 7. Launch MPLayer by selecting Applications -> Sound & Video -> MPlayer Movie Player. Right-click in the Mplayer - Video window and select Preferences from the menu. play rmvb files in ubuntu linux 8. Select the Video tab and change the Available drivers: to x11 X11 (XImage/Shm). play rmvb files in ubuntu linux click to enlarge 9. Select the Codecs & demuxer tab and change the Video codec family: to RealVideo decoder and the Audio codec family: to FFmpeg/libavcodec audio decoders. When you’re done, click OK and close down MPlayer. 9a 1. Open Synaptic Package Manager. 2. Search libstdc++5 and install it. 3. Download new Codec from http://www.mplayerhq.hu/design7/dload.html and install it. play rmvb files in ubuntu linux click to enlarge 10. Locate one of your .rmvb files, right-click it and select Properties. play rmvb files in ubuntu linux 11. Select the Open With tab and change whatever the default is to MPlayer Movie Player. Click Close. play rmvb files in ubuntu linux click to enlarge 12. Double-click any of your .rmvb files and they should open up in MPlayer and start playing. play rmvb files in ubuntu linux Hope this helps someone as it did me :)

bhuthogg, http://ubuntuforums.org/archive/index.php/t-616353.html

Looking at the link bhuthogg suggested was a very easy to follow guide at http://www.simplehelp.net/2007/07/27/how-to-play-rmvb-files-in-ubuntu/. Although I followed both postings procedure, I still couldn't get MPlayer to play RMVB. I was getting sound but no picture. I was wondering at this point if I even had the right codecs to play RMVB. Reading on down the postings, I did find this one:

Ocxic
January 1st, 2008, 03:02 AM
https://help.ubuntu.com/community/Medibuntu the easy way

Ocxic, http://ubuntuforums.org/archive/index.php/t-616353.html

I wasn't sure what Ocxic was talking about as I never heard of Medibuntu, but naturally I had to check out the website.

Medibuntu (Multimedia, Entertainment & Distractions In Ubuntu) is a repository of packages that cannot be included into the Ubuntu distribution for legal reasons (copyright, license, patent, etc).

https://help.ubuntu.com/community/Medibuntu

Interesting. Reading on it requires the user to add a repository.

Below are the instructions to add the Medibuntu repository to your system's list of APT repositories.

Add Medibuntu to your sources.list, as well as its GPG key to your keyring. Make sure to use the correct sources.list that corresponds to your current distribution.
Ubuntu 7.10 "Gutsy Gibbon":
sudo wget http://www.medibuntu.org/sources.list.d/gutsy.list -O /etc/apt/sources.list.d/medibuntu.list
Then, add the GPG Key:
wget -q http://packages.medibuntu.org/medibuntu-key.gpg -O- | sudo apt-key add - && sudo apt-get update

https://help.ubuntu.com/community/Medibuntu

Added the repositories and had a look in Synaptic what new options I had. The item w32codecs looks like what I was missing. Had it installed and tried playing RMVB in MPlayer and to my utter surprise it worked! Now I have no need for Real Player anymore and have the ability to convert RMVB files to any other format supported by MEncoder.

Kernels

2008-02-18T23:15:00.001Z

I came across an article which I think is worth sharing. It's about the two types of Kernels that Ubuntu comes with which you'll see at the boot up screen in Grub. The "Server" version and the "Generic" version. I was wondering what that actually meant on a day to day basis and this article describes it pretty well. Not exactly in laments terms, but if you understand something about how OSes work, it is quite informative. The article is titled: Ubuntu Server: Kernel Configuration Considerations ( http://www.serverwatch.com/tutorials/article.php/3715071) although it describes what the differences between the Generic and Server kernels. Here is an excerpt of the most interesting part.

I/O Scheduler
There are four different types of I/O scheduling: CFQ (Completely Fair Queuing), Deadline, NOOP, and Anticipatory. Ubuntu makes CFQ the default for desktop kernels, and Deadline for server kernels. The goal is the same for all of them: to optimize hard disk bandwidth for different classes of workloads. In your configuration file, this is the CONFIG_DEFAULT_IOSCHED option, plus the CONFIG_IOSCHED_CFQ, _DEADLINE, _AS, and _NOOP options.

CFQ tries to balance all read/write requests equally.
Deadline gives a higher priority to read requests, and will re-order read/write requests aggressively to meet the goal of completing read requests within a specified time, without "starving" write requests, which are not given deadlines.
Anticipatory aims to reduce latency by giving priority to already-running applications. It is supposed to be suitable for smaller systems with one or two hard disks, and single or dual-core CPUs.
NOOP is a minimal scheduler for systems with hardware that handles I/O scheduling, like large SCSI RAID arrays.

The question of which one is appropriate depends on your systems and how you use them: how many CPUs, how many hard disks and controllers, what types of applications, and the loads your systems have to handle. You can run benchmarks, and then tune your systems accordingly. You can pass scheduler options in as boot-time options, or you can even enable different schedulers per block device and change them on-the-fly (see Resources). The Ubuntu defaults are good starting points, and if you must tweak the settings, they're just as tweakable as on any Linux.
Preemption

The server kernel has kernel preemption turned off (CONFIG_PREEMPT_NONE=y), while the desktop kernel has it enabled (CONFIG_PREEMPT_BKL=y, CONFIG_PREEMPT_VOLUNTARY=y). Preemption works along with scheduling to fine-tune performance, efficiency and responsiveness. In non-preemptive kernels, kernel code runs until completion; the scheduler can't touch it until it's finished. But the Linux kernel allows tasks to be interrupted at nearly any point (but not when it is unsafe, which is a whole huge fascinating topic all by itself), so that tasks of lesser-priority can jump to the head of the line.

This is appropriate for desktop systems because users typically have several things going at once: writing documents, playing music, Web surfing, downloading and so on. Users don't care how responsive background applications are; they care only about the ones they're actively using. So if loading a Web page takes a little longer while the user is writing an e-mail, it's an acceptable trade-off. Overall efficiency and performance are actually reduced but not in a way that annoys the user.
On servers you want to minimize any and all performance hits, so turning off preemption is usually the best practice.
Memory

The 32-bit server kernel supports up to 64 GB of memory; the desktop kernel, a mere 4 GB (CONFIG_HIGHMEM64G=y, CONFIG_HIGHMEM4G=y). You'll only see these options in 32-bit kernels because the 32-bit address space is big enough to support only 4 GB without trickery. Or by using the Intel Physical Address Extension (PAE) mode, if you want to get technical. Linux supports PAE, and you also need PAE support in your CPU. Anything newer than a Pentium Pro or AMD K6-3 should be fine. On a 64-bit system you won't see any memory options because it doesn't need hacks to overcome a lack of memory addressing space; you should be fine until your needs exceed 16 exabytes of RAM.
Ticks and HZ

Both kernels support on-demand interrupt timers (CONFIG_NO_HZ=y), or the so-called "tickless" option. This means that during periods of no activity, the system goes into a truly idle state, which is supposed to save on power and cooling.
The server kernel is set to a timer interrupt rate of 100 Hz (CONFIG_HZ=100, CONFIG_HZ_100=y), which means it accepts 100 interrupts per second. Another way to think of this is the kernel looks up and peers around 100 times per second for something to do. The desktop kernel is set to 250 Hz — lower numbers equal lower overhead and higher latency; higher numbers equal higher overhead and lower latency. Higher numbers generally mean the system feels more responsive, at the price of higher CPU usage. Some processes require more interrupts; for example, video processing and VoIP servers need 1000 Hz. If you need to change the Hz value it requires a kernel re-compile.

MIDI

2008-02-18T21:04:00.001Z

I tried to play a midi file in Audacious today and discovered that there is no default midi set up in Ubuntu. I would have thought that was something which came as default. Browsing the forums I discovered that it doesn't and there doesn't seem to be a simple way of getting midi running.

MIDI support has been asked for mostly musically involved people who use Linux, and it hasn't come easily. Most of the HOW-TOs for setting up MIDIs don't even work, and I'd know. So, today, after almost a month of working towards it, I've finally been able to listen, play, and create MIDIs with ease. It's actually not very difficult; you just need the right packages and a loaded GM Soundfont.
Quest-Master (http://ubuntuforums.org/showthread.php?t=8736)

They basically seem to suggest installing FluidSynth, but I did find on the following page: http://www.funnestra.org/ubuntu/gutsy/#timidity on how to install timidity. Timidity seems simpler to set up than fluidsynth. The only problem is that Timidity hasn't been worked on since 2004. Thinking about it, that might be a good thing as it probably runs with less resources. After all my PC is not the newest anymore. After installing Timidity through synaptic, I decided to try it out in Audacious. Had to do some config changes in the plugins to point the port away from default ALSA Midi port to timidity port, but it works. I can now listen to things in Midi.

A Vision

2008-02-17T23:28:00.001Z

For the last post of the day, I thought I would give you a look at how my desktop looks like. I've altered the picture to hide some identifiable bits on the pic.

To Bridge or Not To Bridge

2008-02-17T18:01:00.001Z

That is the big question. If you remember, I couldn't decide if I should bridge the network to allow my VirtaulBox VM to be a host on its own or as part of the linux host. Let's have a look at the pros and cons. Pros ----- Can use Windows as a server when needed Can run virtually independent from the host Possibly avoid the iptables firewall through forwarding? Is it worth it? Cons ----- Bridging isn't as simple as a few clicks. Need to possibly study networking in detail to understand it. Makes Windows more vulnerable to attacks Do I have the time and energy to do all this? My first thought was to see if anybody else has posted something in the direction of something similar when I came across this article:

HOWTO VirtualBox Host networking I started messing around with this stuff (Virtualbox.org) a couple of weeks ago just like everyone else, frantically searching for how to uninstall it (http://www.virtualbox.org/wiki/User_FAQ) when it broke my laptop But the last several days, off and on, I have had it running and wanted to get out of the NAT mode of operation. I looked hard at this doc HTML Code: https://help.ubuntu.com/community/VirtualBox#head-ac88c03223e773c78dbb46b4b13c109de1143a03 But for me, there were a couple of commands missing, as I followed this doc to a tee! (Great doc, you should start there!) So when I finally saw my virtual w2k machine boot and get an ip from my local dhcp server, I thought, I HAVE to put all of this down here in the forum. So here are the commands ripped right out of my HISTORY. Some things to make this easier to read. My eth0 on my host is 192.168.0.45. My tap0 is going to get 192.168.0.94 (totally arbitrary.. ping it first, just to make sure it isn't in use). The "user" in the first command is the user you login with. Code: sudo tunctl -t tap0 -u user sudo chmod 666 /dev/net/tun sudo /usr/sbin/brctl addbr br0 sudo /sbin/ifconfig eth0 0.0.0.0 promisc sudo /usr/sbin/brctl addif br0 eth0 sudo /sbin/dhclient br0 sudo /usr/sbin/brctl addif br0 tap0 sudo ifconfig tap0 192.168.0.94 up sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp' sudo route add -host 192.168.0.45 dev tap0 sudo arp -Ds 192.168.0.45 eth0 pub Those first 7 commands are from the help.ubuntu.com page I listed above (bottom of that page.. long page.. but good!). The rest of the commands are actually in the man page for 'tunctl' (man tunctl at a prompt). I just stumbled on them because the first 7 commands alone were NOT doing it for me (Dapper). Add tap0 into the Interface name under Virtual machine/Network Tab/Adapter 0 Save and start machine. And on a personal note... I am an old Novell guy (some say that is like being a Jedi these days).. then an old Microsoft guy (have to pay the bills), then an old Cisco guy.. but the last couple of years have been RH, SuSE.. then I found Debian, and now this. Been running it as the only OS in the house for about 18 months... THAT is the real reason I wrote this.. I have to give something back to this incredible community!! Thanks!!
ipguru99 (http://ubuntuforums.org/showthread.php?t=346185)

11 lines to do exactly what I want! Let's see if I understand what this script actually does.

sudo tunctl -t tap0 -u user

This line builds the virtual ethernet connector tap/tun (http://en.wikipedia.org/wiki/TUN/TAP) as per the tunctl man page.

NAME tunctl — create and manage persistent TUN/TAP interfaces SYNOPSIS tunctl [-f tun-clone-device] [-u owner] [-t device-name] tunctl [-f tun-clone-device] -d device-name

Next line.

sudo chmod 666 /dev/net/tun

This line makes the device tun read and writable by everybody. Is that actually necessary?

sudo /usr/sbin/brctl addbr br0

This creates the bridge as per the man page:

brctl is used to set up, maintain, and inspect the ethernet bridge configuration in the linux kernel. ...... The command brctl addbr creates a new instance of the ethernet bridge. The network interface corresponding to the bridge will be called . The command brctl delbr deletes the instance of the ethernet bridge. The network interface corresponding to the bridge must be down before it can be deleted! The command brctl show shows all current instances of the ethernet bridge.

-------

sudo /sbin/ifconfig eth0 0.0.0.0 promisc

This one is a bit harder to decipher. Ifconfig is to configure a network interface. In this case eth0. The 0.0.0.0 means all traffic routed to this interface and promisc is defined in the man page as:

Enable or disable the promiscuous mode of the interface. If selected, all packets on the network will be received by the interface.

------

sudo /usr/sbin/brctl addif br0 eth0

This line adds eth0 into the bridge.

sudo /sbin/dhclient br0

As far as I can figure out from the man page of dhclient is that it requests a new IP address from the DHCP server, in my case the router.

The names of the network interfaces that dhclient should attempt to configure may be specified on the command line. If no interface names are specified on the command line dhclient will normally identify all network interfaces, elimininating non-broadcast interfaces if possible, and attempt to configure each interface.
dhclient man page

sudo /usr/sbin/brctl addif br0 tap0

This adds the virtual device created for Virtual Box into the bridge

sudo ifconfig tap0 192.168.0.94 up

Activates the virtual device.

sudo bash -c 'echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp'

This line I don't understand, but there is an article I read regarding setting up a VPN that does the same to the ARP.

Setting up Proxy ARP In order for the system to work correctly, the VPN server should respond to all ARP requests for 192.168.8/24 on eth0. However, in Linux version 2.2, the ability to instruct the kernel to reply to any ARP packet for addresses in a given subnet was removed, and replaced by automatic proxy ARP. For the automatic proxy ARP to work, the VPN server must think it has a different route to the virtual client subnet. The following should enable proxy ARP in the configuration required. ip addr add 192.168.8.1/24 dev tap0 echo 1 > /proc/sys/net/ipv4/conf/tap0/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp Once this is set up, you should be able to get full communication between VPN clients and servers on the corporate LAN. Test this by pinging the remapped address of a machine on the LAN (from 10.22.8.10 to 10.22.1.12) from the client and the non-remapped client address from said machine (from 192.168.1.12 to 192.168.8.10).
Dirty NAT tricks to get a VPN to work, Nick Martin (http://nimlabs.org/~nim/dirtynat.html)

sudo route add -host 192.168.0.45 dev tap0

Adds an entry into the route table to filter all traffic to the Virtual Box at this IP address and the device tap0.

sudo arp -Ds 192.168.0.45 eth0 pub

And the last line does something to the ARP cache, but I'm not sure what. At this point I'll accept that it is a valid command as the rest seems to be above board. Once I run the script, it does present a little problem with my iptables set up. My firewall script is all based on eth0. After running the bridge network, I noticed the firewall was dropping all traffic because everything was going through br0 instead of eth0. It looks like having added eth0 to the bridge, everything goes through the bridge now at br0. What this means is that I will have to change my firewall script to accept connections through br0. But at boot up, br0 doesn't exist yet! I decided to put the 11 lines building the bridge in a script and call it just before running all my IPTables scipts. That way the bridge is built and the firewall is set up after the existence of br0. A quick reboot of the system, launched firefox and I can browse the web. Start Windows in the VM session and it gets its own IP address. Everything seems to work! It did require me to change this section in every single firewall script I created though.

# Lan address pool LANIF="eth0" LANIP="192.168.0.0" LANMSK="255.255.255.0" LANNET="$LANIP/$LANMSK"

Every single LANIF in every single firewall script needed to become br0 as follows.

# Lan address pool LANIF="br0" LANIP="192.168.0.0" LANMSK="255.255.255.0" LANNET="$LANIP/$LANMSK"

Luckily it didn't take as long as I expected, but I still haven't found something that requires it in Windows. Maybe I'll try using uTorrent in Windows instead of Azureus in Linux.

The Art of Partitioning and Resolving Performance Issues

2008-02-16T23:58:00.001Z

Or rather the case of not resolving the performance issues. The partitioning re-organisation took all night and a bit more. But it did give a me chance to browse the internet on my other PC about performance issues in Gnome. The desktop felt a bit sluggish. I thought it was all that fancy desktop animation, but when I went to turn it off in the settings, I discovered that they were turned off already. I actually didn't find anything on the net that was similar. The general census seems to be that Gnome and KDE were resource hogs and one should try some of the other options such as Xfce or Fluxbox. Somehow I remember last time I installed Ubuntu on this machine it wasn't this slow. I might try and see if KDE performs any better. I might leave that till I get the bridging of the VirtualBox vm image first. I've been arguing if I should or not to bridge the vm or just use NAT over the host. I couldn't think of which software I would need in Windows that would require bridging. And at this point I have to leave that thought till next time.

I Hate Bugs

2008-02-15T20:11:00.001Z

As mentioned last time, I decided to look into the Flash thing. Flash under Firefox didn't seem to work and every time I try to install the Adobe Flash plugin it fails with the following:

Binary package hint: flashplugin-nonfree flashplugin-nonfree package fails to install with the following error: md5sum mismatch install_flash_player_9_linux.tar.gz The Flash plugin is NOT installed.

A search on google came back with this link:

https://bugs.launchpad.net/ubuntu/+source/flashplugin-nonfree/+bug/173890

which is a bug report on Ubuntu, Bug #173890. Basically what they are saying is that Ubuntu has an old version of the Flash player in the repository than the one Adobe is currently distributing. Now if you scroll down long enough you'll find a response that suggests doing the following:

$ wget http://kubuntu.org/~jriddell/tmp/flashplugin-nonfree_9.0.48.0.2+really0ubuntu12.2_i386.deb $ sudo dpkg --install flashplugin-nonfree_9.0.48.0.2+really0ubuntu12.2_i386.deb

This will get the newest version of the plugin and install it. Restart Firefox and I went to the first flash website I could think of and there it is. At least this was a relatively simple fix. At this point I am seriously running out of HDD space and I need to re-organise my drives. Luckily I still have an old copy of Partition Magic on my Windows partition, so if you'll excuse me, I'll just pop back into Windows and start moving the drives around a bit to free up some more space.

Groupings

2008-02-14T21:13:00.001Z

I had to do some fiddling with my firewall settings, specifically blocking and allowing outgoing connections and I got tired of scrolling up and down trying to find the right place. I decided to spend the time and split the script into multiple files which can be called. Thus, my main script now looks like this:

#!/bin/bash ########################################################################### # Variable definitions ########################################################################### IPT='/sbin/iptables' SCR='/opt/scripts/fw' # Loop device/localhost LPDIF="lo" LPDIP="127.0.0.1" LPDMSK="255.0.0.0" LPDNET="$LPDIP/$LPDMSK" # Lan address pool LANIF="eth0" LANIP="192.168.0.0" LANMSK="255.255.255.0" LANNET="$LANIP/$LANMSK" # OpenVPN address pool VPNIF="tun+" VPNIP="10.8.0.0" VPNMSK="255.255.255.0" VPNNET="$VPNIP/$VPNMSK" ########################################################################### # Flush all chains ########################################################################### $IPT --flush $IPT -X ########################################################################### # Set default policies ########################################################################### $IPT --policy INPUT DROP $IPT --policy OUTPUT DROP $IPT --policy FORWARD DROP ###########################################################################p # Create user defined chains ########################################################################### $IPT -N bad_packets $IPT -N user_input $IPT -N user_icmp_input $IPT -N user_vpn_input $IPT -N user_output $IPT -N user_icmp_output $IPT -N user_vpn_output $IPT -N user_spec_output ########################################################################### # Populating chains with rules ########################################################################### # bad_packets Chain $SCR/fw_bad_packets.script $SCR/fw_icmp_input.script $SCR/fw_icmp_output.script $SCR/fw_user_input.script $SCR/fw_user_output.script $SCR/fw_user_vpn_input.script $SCR/fw_user_vpn_output.script $SCR/fw_user_spec_output.script ########################################################################### # INPUT Chain ########################################################################### # Drop bad packets $IPT -A INPUT -p ALL -j bad_packets # User defined input chain $IPT -A INPUT -p ALL -j user_input $IPT -A INPUT -p ALL -j user_vpn_input $IPT -A INPUT -p ALL -j user_icmp_input # Deny all new tcp connections from remote machines $IPT -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "Rule Block NEW in" $IPT -A INPUT -p tcp -m state --state NEW -j DROP # Finally Deny everything else. $IPT -A INPUT -j LOG --log-prefix " Rule Block ALL in: " $IPT -A INPUT -j DROP ########################################################################### # OUTPUT Chain ########################################################################### # Drop bad packets $IPT -A OUTPUT -p ALL -j bad_packets # All out transactions allowed # $IPT -A OUTPUT -p tcp -j ACCEPT # $IPT -A OUTPUT -p udp -j ACCEPT # Allow all established and related connection $IPT -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT # User defined output chain $IPT -A OUTPUT -p ALL -j user_output # $IPT -A OUTPUT -p udp -j ACCEPT # Allow all established and related connection $IPT -A OUTPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT # User defined output chain $IPT -A OUTPUT -p ALL -j user_output $IPT -A OUTPUT -p ALL -j user_vpn_output $IPT -A OUTPUT -p ALL -j user_icmp_output # Special blocks $IPT -A OUTPUT -p ALL -j user_spec_output # Finally Deny everything else. $IPT -A OUTPUT -p ALL -j LOG --log-prefix "Rule Block ALL out: " $IPT -A OUTPUT -p ALL -j DROP ############################################################################## # FORWARD Chain ########################################################################### $SCR/fw_forward.script

As you can see, this is the main script which will call all the other specific packet rules. One snag I did discover is the variable definitions are specific to the file, which means I would have to repeat the variable definitiong in each file I create. Maybe there is a way to have them set globally, but I haven't figured out how to do that just yet. What I was actually doing was changing the output criteria for connections. This was for trying to run a bittorrent client which I decided was going to be Azureus. Although the forums say you should open port 6881 to 6889 or was it something else? I can't remember what was said in the posting (forgot to bookmark it). So I needed to change the way it connects from only allowing certain ports to blocking only certain ports and alolowing all traffic to flow out.

#!/bin/bash ########################################################################### # Variable definitions ########################################################################### IPT='/sbin/iptables' # Loop device/localhost LPDIF="lo" LPDIP="127.0.0.1" LPDMSK="255.0.0.0" LPDNET="$LPDIP/$LPDMSK" # Lan address pool LANIF="eth0" LANIP="192.168.0.0" LANMSK="255.255.255.0" LANNET="$LANIP/$LANMSK" ############################################################################## # user_output ############################################################################## # Allow localhost to access everything $IPT -A user_output -o $LPDIF -p ALL -d $LPDIP -j ACCEPT ############################################################################## # WHITELIST ############################################################################## # DNS $IPT -A user_output -o $LANIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # DHCP $IPT -A user_output -o $LANIF -p udp --dport 67 -j ACCEPT $IPT -A user_output -o $LANIF -p udp --dport 68 -j ACCEPT # Web Browsers incl. Skype $IPT -A user_output -o $LANIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # FTP $IPT -A user_output -o $LANIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # NTP $IPT -A user_output -o $LANIF -p tcp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Open VPN $IPT -A user_output -o $LANIF -p udp --sport xxxx -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp --dport xxxx -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Allow all established and related connection $IPT -A user_output -o $LANIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p tcp --dport 0:1024 -j DROP $IPT -A user_output -o $LANIF -p udp --dport 0:1024 -j DROP $IPT -A user_output -o $LANIF -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp -m state --state NEW,ESTABLISHED,RELATED # Allow all established and related connection $IPT -A user_output -o $LANIF -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p tcp --dport 0:1024 -j DROP $IPT -A user_output -o $LANIF -p udp --dport 0:1024 -j DROP $IPT -A user_output -o $LANIF -p tcp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -o $LANIF -p udp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # If all good return $IPT -A user_output -p ALL -j RETURN

As you can see, I've blocked the first 1024 ports and set up a whitelist of the traffic aloud out. And this resolves the issue with BitTorrent and aMule connecting out. This leaves only 6 more things left to resolve: Keyboard XKB error Running out of HDD space Virtual Box Host Interface Performance Flash VNC I'll cross VNC off the list as OpenVPN works as expected which leaves 5 things left to resolve. I might just tackle the Flash problem next as that seems to be an easy one.

Block those packets

2008-02-14T16:01:00.000Z

As I've been getting my system running as I want it, I haven't as yet got my firewall up and running yet. All I've got is my router firewall currently protecting me and that's really not good at all. Time to put my firewall script into action! I actually had to go back and read my own blog to find out what I needed to do. Now my PC is secure with the new firewall settings in place. Went into Synaptics, installed OpenVPN and changed the paths in the config files. Started OpenVPN and it connected from my notebook PC without a hitch. Checked the logs that everything was running ok, BUT there was nothing about the firewall blocking anything..... I had forgotten to chmod 755 and chown root:root the firewall script. D'oh! Tried it again and this time it worked. A little too well. The syslog was being flooded with log additions from iptables. I was logging way too much. Going back into the script, I commented out every instance of logging that wasn't required. Hopefully this will slim down the log files. I'm really beginning to think the script is becoming a bit unwieldy, especially making changes. I might have to start thinking about splitting the script into separate sections i.e. split it into separate files each performing a specific part of the firewall. First though I'll make sure all the software I intend to run will work. Starting Firefox and searching something random in google proved that at least I can browse the internet. Starting OpenVPN and connecting from my notebook proved that the port for OpenVPN works. DHCP and DNS seem to be working properly or else I wouldn't be able to browse the internet and the machine wouldn't be able to assign itself an IP address. Next on the list was SMB which in Ubuntu was surprisingly easy to set up. All I had to do was go to the menu section for samba, set it up, define which paths I wanted to share and set up the users who had access to them. Very simple indeed. Connecting from my notebook PC through OpenVPN seems to work. I can see the drives, mount them, and read and write to file. Perfect! Next on the list is P2P clients. Luckily I know the equivalent of eMule for Linux which is called aMule. Back into synaptic, installed aMule, started aMule, went through the set up wizard, copied over the server.met file from eMule and everything seemed to connect properly. Although some of the servers in my server list seemed to have dissapeared in the meantime. At least this resolves one more problem.

VirtualBox

2008-02-13T23:56:00.000Z

Unexpectedly VirtualBox (http://www.virtualbox.org/) is actually quite good. Supports USB, performance is on par with VMWare and everything seems to run. I could even use my webcam in the VM session in Skype! The only strange thing is that when viewing your own image it displays only the first image, but the other side sees you fine. My machine does grind running Skype with video under XP in a VM session. Probably need one of those new quad core machines but at least I got it to work and is usable even it I can't do anything else on the machine at the same time. The manual isn't that great. A number of things just aren't as clear cut. For example click on box on screen. Which box? But at least it covers the basics. One hitch I discovered was that I actually installed the binary version and not the OSE version. Apparently the OSE version doesn't support USB or allow the sharing of folders on the host machine. Ah well, as I'm using this for my personal use and not for business it doesn't break their license agreement. I haven't got as far as trying to bridge network the vm yet, but I'll come back to that later. There is still more work needed on the main linux box before I start playing around with the networks.

Virtualization

2008-02-12T15:14:00.000Z

Now that linux "works", I started on the next priority and that was to get Windows XP to work under a virtual session. Naturally, I thought installing vmware and running the previous version of the image I built would be the easiest method. Except naturally windows didn't want to play ball. It started complaining about finding new hardware and needed access to the net to download new drivers. To cut a long story short, everything was broken at the end and I decided to scrap the lot and rebuild the image from scratch. Naturally took forever to rebuild the windows image under vmware and the problems didn't end there. As soon as I ran the automatic update in windows and installed all the patches MS ever released, windows crashed with the famous BSOD and would never recover. After the third rebuild (don't ask), it finally was in a usable state. My primary concern was to use Skype with video in windows as I know the Linux version is nowwhere near the quality. Skype installs fine and seems to work ok as well. Then I discovered two things which bothered me. 1) Vmware Server was using 100% CPU and 2) It wouldn't recognise my USB Camera. I used top and discovered it wasn't actually Vmware server using 100% CPU, but it was the ntfs-3g driver. Apparently the driver doesn't like constant read and write from the NTFS drive where I was running the image off. At least this problem was easily solvable by simply moving the image file from the NTFS drive onto a ext3 drive. Getting the USB to work was a whole new set of problems. Apparently vmware have decided to reserve the use of USB to the paid version of their software. I just couldn't find an article anywhere stating so and nobody on the ubuntu forums seem to have an answer to the problem. Running out of ideas at this point, I decided to give QEMU a try. BIG mistake. The performance on QEMU was terrible. It took 4 hours to get XP installed into an image. I didn't even bother to try it anymore after the installation. I did find something else on the net though. A new piece of software called VirtualBox. Supposedly supports USB and performance is on par with Vmware. As I've had failures with 2 products, why not try VirtualBox. Third time lucky?

One Thing After Another

2008-02-11T15:04:00.000Z

Well, as these things go nothing ever goes smoothly. There just seems to be one problem after another. Here is a list of the problems I had to solve in no particular order: 1. Desktop resolution 2. Keyboard XKB error 3. Mouse button 4. VMWare, USB and rawdisk access 5. Running out of HDD space 6. NTFS Access CPU load 7. Virtual Box USB 8. Virtual Box Host Interface 9. Virtual Box Drive Mapping 10. Virtual Box raw disk access 11. Webcam 12. Skype 13. Firewall 14. Performance 15. Flash 16. BitTorrent 17. eMule 18. SMB 19. VPN 20. VNC I was too hopeful last time that the resolution problem would be fixed. In fact, the problem isn't as simple as I thought. Activating the fglrx did fix it for a while, but after the next reboot the same problem appeared again. Somewhere on the net I did find a post in a forum (which I've lost the link to), which had a solution to the problem. One needed to edit xorg.conf and remove all the resolutions the monitor won't support as X tries to use the highest resolution possible. Having only the following lines in xorg.conf seems to have solved the problem.

Section "Screen" Identifier "Default Screen" Device "ATI Technologies Inc RV350 AP [Radeon 9600]" Monitor "PS576W" Defaultdepth 24 SubSection "Display" Modes "1280x800" "1024x768" "800x600" "640x480" EndSubSection EndSection

During installation, I must have selected the wrong keyboard type as my dot on the numpad doesn't seem to work. I originally set my keybaord to 105 keys, but after counting the number of keys on my keyboard I found out it's only 104 keys. Changed the setting in xorg.conf and in Gnome and that seems to have fixed the problem. But I still get the XKB error......

Section "InputDevice" Identifier "Generic Keyboard" Driver "kbd" Option "CoreKeyboard" Option "XkbRules" "xorg" Option "XkbModel" "pc104" Option "XkbLayout" "gb" Option "XkbVariant" "gb" EndSection

I've got a 5 button Microsoft IntelliMouse and the two buttons on the side don't work. Apparently xorg has treated it as if it were a 3 button mouse and of course to fix that I needed to change xorg.conf again! The autodetect on xorg really doesn't work very well. Here is the code for the mouse section:

Section "InputDevice" Identifier "Configured Mouse" Driver "mouse" Option "CorePointer" Option "Device" "/dev/input/mice" Option "Protocol" "ExplorerPS/2" Option "ZAxisMapping" "4 5" Option "Emulate3Buttons" "true" Option "Buttons" "7" Option "ButtonMapping" "1 2 3 6 7" EndSection

This at least solved the basic usability problems.

Today is a day to celebrate

2008-01-24T16:24:00.000Z

Today is a day to celebrate! I have finally made the leap to linux. My PC is now running Ubuntu 7.10! Yippee! Installation was as smooth as it possibly could be. Less than 30 mins from CD into the tray till linux is up and running. I was very impressed especially as I've been struggling to get XP re-installed and failed miserably. I won't go into the details, except that M$ automatic update installed an update which screwed up windows. Unfortunately not everything went as peachy as I initially though. When I went to change the screen resolution, I couldn't change it to a resolution which was native to my LCD screen. The obvious error that I could think of was linux wrongly detected my monitor or graphics card. After a little bit of googling, I found an article suggesting how to fix the video resolution problem (https://help.ubuntu.com/community/FixVideoResolutionHowto). The first suggestion the article had was to run the autodetect script again as follows:

sudo dpkg-reconfigure xserver-xorg

After following through all the instructions and restarted the x-server everything was the same. I thought this may need a complete reboot although it only affects the x server. Did a reboot and it still didn't work. Luckily I remembered that there is an ATI driver for linux called fglrx. Installed it through Synaptic, activated it in GDM and rebooted the machine. Now linux runs at the native resolution for my LCD monitor and now I can install VMWare. Moving things around and basically doing some housekeeping on the system in preparation to install vmware server, I discovered to my complete surprise that I can now read and write to my NTFS drives! I was absolutely astounded. This means that I can save things on my NTFS drives and I don't need to move everything over to ext3 or FAT32. That is the biggest surprise as linux has never been able to write to NTFS drives. I'll have to have a look on the net about this at a later date. In the meantime I installed vmware server through synaptic and was trying to run a previous image of windows off it. As soon as it boots up, the software crashes. No log file, no error messages, nothing. Just couldn't figure out why. Tried a few options here and there, googled but to no avail. Solution: removed vmware server and install vmware player. The first time I tried booting up the image all I got was a black screen and the error "can not render screen" or something similar. Back to googling the net and reading an article about enabling 3D in VMware suggested adding these lines in the VMX.

mks.enable3d = "TRUE" svga.vramSize = "67108864" vmmouse.present = "FALSE" (http://ubuntuforums.org/archive/index.php/t-372928.html)

I thought what if I instead of enabling 3D, disable 3D? Changed mks.enable3d to FALSE and tried the image again. This time it boots up fine, except speed seemed to be an issue. My CPU was working overtime and XP was running as if it was installed on a 486. Opened a terminal window in linux, called top and on top of the list of CPU usage was ntfs-3g. It was the ntfs driver that was causing the lag and the high cpu usage. Looks like the driver implementation is not quite perfect. Went back into the vm session, shut down windows and copied it across to the ext3 partition. Tried it again and speeds were much better and so was the load on the CPU. Unfortunately Windows didn't want to play ball with me. Kept going on about new hardware found, can't find drivers and so forth. At this point it was late and I was getting fed up. I'm going to re-install windows into a clean vmimage again and hopefully that will solve these darned problems. Will let you know how it goes.

OpenVPN? Easy! At least I thought.....

2007-12-22T02:38:00.000Z

It can not be this difficult!!! I finally got around to doing something more on my virtual linux box. Having built and established a secure firewall, I decided to start implementing some of the other applications I wanted running on my box. I thought I would tackle getting OpenVPN to work. As this computer will be the VPN server where all clients connect to, it is sort of on the highest list of priority applications I need running. Luckily as OpenVPN is a open source product and originally designed for linux in the first place, I thought it would only take a little tweaking with the paths. The first problem I came up with was getting OpenVPN to be installed. It wasn't on the repository list. How can it not be there? Quick google and it turns out it is located in the universe part of the repository which I thought I had included. Back into synaptic, activated the repository (oops, thought it was active already), updated the apt list and there it was. Installed it and copied all the keys, certs and config file over from my windows installation, changed the paths in the configuration file and was ready to give it go. Started up OpenVPN and with no surprise it started up without any errors. Came back with the message "Initialization Sequence Complete". Sounded good. Now all I need to do is get a client to connect to it. Got my notebook PC (laptop to some) and tried to connect. Guess what! It didn't work. No surprises there then. I suspected it had something to do with my firewall setting and naturally there it was. I had defined the input on port 1194, but never the output. i.e. OpenVPN could hear requests, but couldn't respond to them. Added the line:

$IPT -A user_output -i $LANIF -p udp --sport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

Updated iptables and then got the message:

UDPv4 Write operation failed

At this point I spent 3 hours hunting on the internet for a solution. Tried many recommend methods till suddenly I found the solution right in front of my eyes. I did it again. I defined my output interface with a -i instead of a -o. D'oh!

$IPT -A user_output -i $LANIF -p udp --sport 1194 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

And of course everything worked as soon as I changed that single character. But not everything worked. Next came the message:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)

Ummm..... Firewall issue again? Certainly every article I've looked at on the net tells me that. Of course most of the them quote what the FAQ has said in the first place:

A perimeter firewall on the server's network is filtering out incoming OpenVPN packets (by default OpenVPN uses UDP or TCP port number 1194).
A software firewall running on the OpenVPN server machine itself is filtering incoming connections on port 1194. Be aware that many OSes will block incoming connections by default, unless configured otherwise.
A NAT gateway on the server's network does not have a port forward rule for TCP/UDP 1194 to the internal address of the OpenVPN server machine.
The OpenVPN client config does not have the correct server address in its config file. The remote directive in the client config file must point to either the server itself or the public IP address of the server network's gateway.
Another possible cause is that the windows firewall is blocking access for the openvpn.exe binary. You may need to whitelist (add it to the "Exceptions" list) it for OpenVPN to work

Not much help there. There was talk on the forum about D-Link routers failing to properly NAT UDP packets. I wonder if this is what is happening with the fact that I am running my linux box through VMWare. Unfortunately the only way for me to test that theory out is to install Linux on the box properly, which I am not really ready to do just yet. I guess I will have leave this little problem to the end.

Saving IPTables

2007-07-18T00:04:00.000+01:00

I have gotten to the point where I believe that the system is as secure as I can make it without further testing. With luck this should stop the majority of attacks. Probably not much use if somebody truly wants to get in, but at least it will stops the opportunists. The last thing to do is make the rules load up automatically on boot up. Following the instructions as per tutorial Iptables Tutorial 1.1.19 (http://www.faqs.org/docs/iptables/iptables-save.html ) I entered the command iptables-save. Rebooted the machine, entered iptables --list and......... the table is blank............. Obviously that did not work. After some searching using a google, I came up with this site http://townx.org/simple_firewall_for_ubuntu_using_iptables which has an article describing a simple set up for a firewall. The firewall rules itself aren't that interesting as it is very basic, but what follows it. As quoted from document:

then created a simple init script to start/stop the firewall (in /etc/init.d/firewall):
#!/bin/bash
if [[ $1 == start ]] ; then
sudo /opt/scripts/iptables.script
else
sudo iptables -F
fi
Then I symlinked this into my /etc/rc.* directories using the update-rc.d tool, so the firewall starts before the network comes up:
update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .
I find having this script helps me a lot. I have it integrated with a start/stop script with my network, so I can easily switch network and firewall configuration from the command line.

That is exactly what I was looking for. A simple solution that is very clear and concise. Well, I did exactly what the website said. Even renamed my rules file and put it exactly where the person put theirs and rebooted. Run iptables --list and voila! All my rules are there, so the script works and I've resolved probably the most difficult part of the project. Personally, Linux can not go mainstream for the simple reason is that the learning curve is far too steep. It really is not designed for the everyday Joe. Don't get me wrong, it has come a very long way with Ubuntu but still has a long way to go.

Attack of the Bytes

2007-07-16T23:30:00.000+01:00

I have been busy playing computer games recently thus I have not posted anything for quite a while. Now that I am finished with the computer game I can get back to working on my Linux firewall. The sooner I switch the faster I can get away from the temptation to play computer games. What an awful waste of time. At least in Linux you won't be tempted as much as there aren't that many games for it, which I think is a good thing. I decided to download Damn Small Linux (DSL) to use as my platform to launch my attacks from, but could not get the damn distro to install onto my HDD! Spent about an hour fiddling with it and decided it was too much fuss. Well, I actually managed to get Puppy Linux to be installed in VMWare, but I can not get Nessus installed. Nessus requires a compiler and Puppy linux a) does not have one and b) does not have a binary for it. This is certainly taking longer than I anticipated. It was suppose to be quick and easy like 1-2-3 and it is turning out to be a nightmare! It was quicker installing Ubuntu than DSL. Maybe if I spent the time on it, it might be easier but that is exactly where I do not want to spend the time on. That is for one reason I never believe Linux will overtake M$ Windoze. But that is a debate for another day. As I am now fed up looking for a linux distro that works, I'm going to install Ubuntu in vmware, which I know works despite its size. At least through apt-get I can get everything up and running very quickly. Then all I got to do is hit the machine as hard as possible with Nessus. I have successfully got Ubuntu to run in VMWare, have installed Nessus successfully through Synaptic and am now running a full scan. Let's see how we do. Apparently the only thing that Nessus has to report is that my plugins isn't up to date. Without any other evidence I assume this is good news. I think I will just get those plugins updated and see what it churns out then. After all, better safe than sorry. Hmmm.... Well, apparently to get the plugins I need to register with a valid email address. Well, there is no harm in that I guess. Just one more place more spam will come from. Anyway, that is all done now, got my registration key and all I need to do now is run nessus-fetch --register [key] and then run nessus-update-plugins. Now that I've done all that, let us attack the system again. Surprisingly Nessus has come back with an empty report! Actually, that is kind of worrying as I do have at least one port open for new connections. Let's see what is in the logs. Took a while for me to trawl through the log file. The only assumption I can make is that the port is closed when there is actually nothing listening on it. If that is the case, I need to get something to listen for connections. I wonder what I can set up that is quick and easy. Actually I did not need to at the end. I ran the attack again and this was the result that Nessus came back with.

The remote host is considered dead - not scanning

I guess there must be some bug in Nessus. Now it comes back with a report. I think I will still open a port for it to attack, probably allow it to ping and see what I get in the report then. Do allow ping in and respond (pong), I have added the following two lines in the input section:

$IPT -A user_icmp_input -p icmp --icmp-type echo-reply -j ACCEPT $IPT -A user_icmp_input -p icmp --icmp-type echo-request -j ACCEPT

and two lines in the output section:

$IPT -A user_icmp_output -p icmp --icmp-type echo-reply -j ACCEPT $IPT -A user_icmp_output -p icmp --icmp-type echo-request -j ACCEPT

And it does actually tell me that the mission is alive! Although not the fact that ping is allowed. Ah well, better than nothing I guess. I'll just run the scan a couple of times just to make sure I have probably run these tests already about 10 different times now, basically playing around with the settings in Nessus. Every time I finish one scan, I find some other option I have not enabled. Anyway, this is the last time I'm running the scan and this time it did actually find the open port for ping, but it didn't find anything else. Looks like my linux box is as secure as far as I can tell. I'll just comment those lines out and do an iptables-save (http://linux.web.cern.ch/linux/scientific3/docs/rhel-rg-en-3/s1-iptables-saving.html). That's enough for this session.

Let the Race begin

2007-05-21T11:09:00.000+01:00

"Housten, we have a problem!". The first time I ran the script, no errors were visible. As far as IPTables was concerned everything was syntactically correct, but that was far from error free. The first thing I tried was to start Firefox and call up a website. I tried calling up CNN's website as they've got dynamic content to make sure that I'm not calling something from cache. In hindsight, I should have just cleared my cache before going to any web pages. Didn't make a difference though as I couldn't reach any website whatsoever. Next thing to look at is in /var/log/syslog and this is what I found:

May 19 03:54:46 mogul kernel: [17184433.712000] Rule Block ALL in: IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.152.1 DST=192.168.152.2 LEN=93 TOS=0x00 PREC=0x00 TTL=128 ID=65318 PROTO=UDP SPT=53 DPT=1033 LEN=73 May 19 03:54:46 mogul kernel: [17183813.308000] Rule Block ALL in: IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=192.168.152.1 DST=192.168.152.2 LEN=116 TOS=0x00 PREC=0x00 TTL=128 ID=65250 PROTO=UDP SPT=53 DPT=1024 LEN=96 May 19 03:54:47 mogul kernel: [17183674.120000] Rule Block ALL out: IN= OUT=eth0 SRC=192.168.152.2 DST=192.168.152.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=33730 DF PROTO=UDP SPT=1024 DPT=53 LEN=41 May 19 03:54:47 mogul kernel: [17183674.124000] Rule Block ALL out: IN= OUT=eth0 SRC=192.168.152.2 DST=192.168.152.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=33731 DF PROTO=UDP SPT=1024 DPT=53 LEN=41

And it just went on like this. I know for a fact, that I've put in a rule for DNS to come in, so why is it not letting the packets through? Going through the script and the manuals, I had to correct two problems.

The first problem was that my input rule for DNS had the destination port set to 53 instead of having it set to source port. That's an easy change to make and the other problem I found was that the interface switch for output is -o instead of -i. I originally assumed that the -i switch represents interface, but what it actually represents is in-interface and the -o switch represent out-interface. After a slight modification in my script, I ran it again.

This time everything should work. At least there were no more DNS errors and DHCP seems to be working fine except for this:

May 19 03:37:57 mogul dhclient: DHCPREQUEST on eth0 to 192.168.152.254 port 67 May 19 03:37:57 mogul dhclient: DHCPACK from 192.168.152.254 May 19 03:37:57 mogul dhclient: can't create /var/lib/dhcp3/dhclient.eth0.leases: Permission denied May 19 03:37:57 mogul dhclient: bound to 192.168.152.2 -- renewal in 738 seconds.

My first thought was huh? And after a little browsing around on the web, I've discovered that apparently Ubuntu Dapper Drake 6.06 had a bug in dhcp3. As everything seems to be working despite that message, I decided to make the decision to ignore it. Too much effort for too little value to fix the problem.

Next I opened a browser again and tried going to CNN again and nothing came up. Back into syslog and this is what I found:

May 19 04:07:50 mogul kernel: [17184456.580000] Rule Block ALL in: IN=eth0 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=208.65.153.251 DST=192.168.152.2 LEN=44 TOS=0x00 PREC=0x00 TTL=128 ID=65335 PROTO=TCP SPT=80 DPT=2801 WINDOW=64240 RES=0x00 ACK SYN URGP=0

The first thought I had was "that's pretty good" because I realised how detailed IPTables can really go. It's not enough to establish a connection out, but you need to accept the established connection in as well. Thus I've had to only add one extra line into my IPTables script:

$IPT -A user_input -i $LANIF -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT

And suddenly the web came alive! With luck, this should give me a relatively high level of security. All I need left to do is to permanently save the script into IPTables and then hit it with Nessus and see what other holes still need to be closed. Before I do that though, might be worth getting the system up to par with what I've currently got in Windows. This means, installing Privoxy, Vmware, Dosbox, ClamAV, all the multimedia stuff on Linux, Gimp, Picasa, OpenVPN and I'm sure there are many other things too.

One Step Closer

2007-05-18T12:51:00.000+01:00

I went back over my script over the weekend and made some changes. Actually I've made quite a few changes. I've introduced variables into the file and have added a few more rules which I'll explain in more detail below.

To start off with, these are the variables I've decided to define straightaway. As you can see, I've put together my ip ranges for my LAN and my ip ranges for my VPN. I use VPN over my wireless LAN. I will need to set it up so that I can access my VPN from work, but I'll do that part last.

#!/bin/bash ####################################################################### # Variable definitions ####################################################################### IPT='/sbin/iptables' # Loop device/localhost LPDIF="lo" LPDIP="127.0.0.1" LPDMSK="255.0.0.0" LPDNET="$LPDIP/$LPDMSK" # Lan address pool LANIF="eth0" LANIP="192.168.0.0" LANMSK="255.255.255.0" LANNET="$LANIP/$LANMSK" # OpenVPN address pool VPNIF="tap+" VPNIP="10.8.0.0" VPNMSK="255.255.255.0" VPNNET="$VPNIP/$VPNMSK"

I think the above is relatively straight forward although I'm not quite sure what the interface for OpenVPN is yet. I've added something new here, because every time I run this script Linux complains that the chains are already set up. Now I delete the chains and build them again.

######################################################################### # Flush all chains ######################################################################### $IPT --flush $IPT -X ######################################################################### # Set default policies ######################################################################### $IPT --policy INPUT DROP $IPT --policy OUTPUT DROP $IPT --policy FORWARD DROP

I've created a new chain for the VPN. I might as well keep the VPN rules separate from the rest.

########################################################################## # Create user defined chains ######################################################################### $IPT -N bad_packets $IPT -N user_input $IPT -N user_icmp_input $IPT -N user_vpn_input $IPT -N user_output $IPT -N user_icmp_output $IPT -N user_vpn_output $IPT -N user_spec_output

And here is our bad_packets rules again.

######################################################################## # Populating chains with rules ####################################################################### ####################################################################### # bad_packets Chain ####################################################################### # Drop INVALID packets immediately $IPT -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "bad_packet: Invalid packet: " $IPT -A bad_packets -p ALL -m state --state INVALID -j DROP # bad_packets chain # # All tcp packets will traverse this chain. # Every new connection attempt should begin with # a syn packet. If it doesn't, it is likely a # port scan. This drops packets in state # NEW that are not flagged as syn packets. $IPT -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "bad_packet: New not syn: " $IPT -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP $IPT -A bad_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "bad_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags ALL NONE -j DROP $IPT -A bad_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "bad_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags ALL ALL -j DROP $IPT -A bad_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "bad_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPT -A bad_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "bas_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP $IPT -A bad_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "bad_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPT -A bad_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "bad_packet: Stealth scan: " $IPT -A bad_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # ICMP packets should fit in a Layer 2 frame, thus they should # never be fragmented. Fragmented ICMP packets are a typical sign # of a denial of service attack. $IPT -A bad_packets --fragment -p ICMP -j LOG --log-prefix "bad_packet: ICMP Fragment: " $IPT -A bad_packets --fragment -p ICMP -j DROP # All good, so return $IPT -A bad_packets -p ALL -j RETURN #########################################################################

Here are all the input connection rules. I've allowed it for DNS, DHCP and NTP. I've added OpenVPN, but I've commented it out for now, but I have defined the services that I'll be using under OpenVPN namely Samba and VNC. I have also added in some P2P rules, but I can't remember what ports they are on. I'll leave them till later as well.

######################################################################## # user_input chain ######################################################################## # Allow localhost to access everything $IPT -A user_input -i $LPDIF -p ALL -s $LPDIP -j ACCEPT # Accept Established Connections # $IPT -A user_input -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS $IPT -A user_input -i $LANIF -p tcp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A user_input -i $LANIF -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT # DHCP $IPT -A user_input -i $LANIF -p udp --dport 68 -j ACCEPT # NTP port 123 $IPT -A user_input i $LANIF -p udp --dport 123 -m state --state ESTABLISHED,RELATED -j ACCEPT # FTP # eMule # uTorrent # OpenVPN # $IPT -A user_input i $LANIF -p udp --dport XXXX -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # eMule - Need outside to connect state NEW # $IPT -A user_input -p tcp --destination-port XXXX -m state --state NEW -j LOG --log-prefix "Rule eMule in: " # $IPT -A user_input -p tcp --destination-port XXXX -m state --state NEW -j ACCEPT # Azureus -need outside to connect state NEW # $IPT -A user_input -p tcp --destination-port XXXX -m state --state NEW -j LOG --log-prefix "Rule Azureus in: " # $IPT -A user_input -p tcp --destination-port XXXX -m state --state NEW -j ACCEPT # If all good return $IPT -A user_input -p ALL -j RETURN ######################################################################### # user_vpn_input ######################################################################### # Samba $IPT -A user_vpn_input -i $VPNIF -p tcp -s $VPNNET -d $VPNNET --dport 137:139 -j LOG --log-prefix "Rule SAMBA TCP in: " $IPT -A user_vpn_input -i $VPNIF -p tcp -s $VPNNET -d $VPNNET --dport 137:139 -j ACCEPT $IPT -A user_vpn_input -p tcp --dport 137:139 -j LOG --log-prefix "Rule Block SAMBA TCP in: " $IPT -A user_vpn_input -p tcp --dport 137:139 -j DROP $IPT -A user_vpn_input -i $VPNIF -p udp -s $VPNNET -d $VPNNET --dport 137:139 -j LOG --log-prefix "Rule SAMBA UDP in: " $IPT -A user_vpn_input -i $VPNIF -p udp -s $VPNNET -d $VPNNET --dport 137:139 -j ACCEPT $IPT -A user_vpn_input -p udp --dport 137:139 -j LOG --log-prefix "Rule Block SAMBA UDP in: " $IPT -A user_vpn_input -p udp --dport 137:139 -j DROP # If all good return $IPT -A user_vpn_input -p ALL -j RETURN ########################################################################

Block all ICMP traffic.

######################################################################### # user_icmp_input chain ######################################################################### $IPT -A user_icmp_input -p icmp -j LOG --log-prefix "Rule Block ICMP in: " $IPT -A user_icmp_input -p icmp -j DROP ########################################################################

And restricted what can connect outwards. Obviously, DNS and DHCP need to connect and I've allowed my web browsers to connect outwards. Skype apparently uses the same ports as well. FTP is something that I need to look at in more detail as it's not as simple as just connecting outwards.

######################################################################### # user_output ######################################################################### # Allow localhost to access everything $IPT -A user_output -i $LPDIF -p ALL -d $LPDIP -j ACCEPT # DNS $IPT -A user_output -i $LANIF -p tcp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -i $LANIF -p udp --dport 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # DHCP $IPT -A user_output -i $LANIF -p udp --dport 67 -j ACCEPT # Web Browsers incl. Skype $IPT -A user_output -i $LANIF -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPT -A user_output -i $LANIF -p tcp --dport 443 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # FTP $IPT -A user_output -i $LANIF -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # NTP $IPT -A user_output -i $LANIF -p tcp --dport 123 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT # Open VPN # eMule # uTorrent # Skype # If all good return $IPT -A user_output -p ALL -j RETURN ######################################################################### ######################################################################### # user_vpn_output ######################################################################### # VNC # Samba $IPT -A user_vpn_output -i $VPNIF -p tcp -s $VPNNET -d $VPNNET --dport 137:139 -j LOG --log-prefix "Rule SAMBA TCP out: " $IPT -A user_vpn_output -i $VPNIF -p tcp -s $VPNNET -d $VPNNET --dport 137:139 -j ACCEPT $IPT -A user_vpn_output -p tcp --dport 137:139 -j LOG --log-prefix "Rule Block SAMBA TCP out: " $IPT -A user_vpn_output -p tcp --dport 137:139 -j DROP $IPT -A user_vpn_output -i $VPNIF -p udp -s $VPNNET -d $VPNNET --dport 137:139 -j LOG --log-prefix "Rule SAMBA UDP out: " $IPT -A user_vpn_output -i $VPNIF -p udp -s $VPNNET -d $VPNNET --dport 137:139 -j ACCEPT $IPT -A user_vpn_output -p udp --dport 137:139 -j LOG --log-prefix "Rule Block SAMBA UDP out: " $IPT -A user_vpn_output -p udp --dport 137:139 -j DROP # If all good return $IPT -A user_vpn_output -p ALL -j RETURN ######################################################################## ######################################################################## # user_icmp_output chain ######################################################################## $IPT -A user_icmp_output -p icmp -j LOG --log-prefix "Rule Block ICMP out: " $IPT -A user_icmp_output -p icmp -j DROP ########################################################################

The next section I block traffic from M$ Word. For some reason it always wants to talk to the Verisign servers. I don't know why it does it, but for whatever reason I don't like it and I'm stopping it.

######################################################################### # user_spec_output chain ######################################################################### # Block Verisign queries from MS Word $IPT -A OUTPUT -p tcp -d 12.158.80.0/24 -j LOG --log-prefix "Rule Verisign 1 out: " $IPT -A OUTPUT -p tcp -d 12.158.80.0/24 -j DROP $IPT -A OUTPUT -p tcp -d 64.94.110.0/24 -j LOG --log-prefix "Rule Verisign 2 out: " $IPT -A OUTPUT -p tcp -d 64.94.110.0/24 -j DROP #########################################################################

And now the traversal method of the packet. I've let any arriving packet go through the bad_packets chain and then through the rest till it hits the end and gets rejected if no rule matches.

######################################################################## # INPUT Chain ######################################################################## # Drop bad packets $IPT -A INPUT -p ALL -j bad_packets # User defined input chain $IPT -A INPUT -p ALL -j user_input $IPT -A INPUT -p ALL -j user_vpn_input $IPT -A INPUT -p ALL -j user_icmp_input # Deny all new tcp connections from remote machines $IPT -A INPUT -p tcp -m state --state NEW -j LOG --log-prefix "Rule Block NEW in: " $IPT -A INPUT -p tcp -m state --state NEW -j DROP # Finally Deny everything else. $IPT -A INPUT -j LOG --log-prefix " Rule Block ALL in: " $IPT -A INPUT -j DROP

Same for the output chain

######################################################################### # OUTPUT Chain ######################################################################### # Drop bad packets $IPT -A OUTPUT -p ALL -j bad_packets # All out transactions allowed # $IPT -A OUTPUT -p tcp -j ACCEPT # User defined output chain $IPT -A OUTPUT -p ALL -j user_output $IPT -A OUTPUT -p ALL -j user_vpn_output $IPT -A OUTPUT -p ALL -j user_icmp_output # Special blocks $IPT -A OUTPUT -p ALL -j user_spec_output # Finally Deny everything else. $IPT -A OUTPUT -p ALL -j LOG --log-prefix "Rule Block ALL out: " $IPT -A OUTPUT -p ALL -j DROP

I'm still not quite sure if I need to forward anything. Theoretically I shouldn't need to, but........

######################################################################### # FORWARD ######################################################################### $IPT -A FORWARD -j LOG --log-prefix "Rule Block ALL forward: " $IPT -A FORWARD -j DROP #########################################################################

I know there is still a lot of work needed, but I've got the majority of services I used covered. I did see some other examples on the net which are far more complex and does a lot more too, but I think this will be quite enough. Of course I've got a firewalled router in front already to filter out the majority of garbage. Anyway, the next thing I need to do is run this and see what errors come up.

Testing the Firewall

2007-05-11T16:58:00.000+01:00

I tried running a simple test as described in The Linux Networking Administrators Guide and found that the option -C doesn't actually exist in iptable. I even checked the man pages and it's not listed. I guess the guide is out of date or something. But I found this article instead which had a pretty good suggestion: http://www.samag.com/documents/s=9365/sam0307e/0307e.htm

The article suggests:

One common solution to this problem is to set up a virtual test machine within the firewall host using VMWare.

Although it does suggest using User-Mode Linux (UML) instead:

Although VMWare does successfully scan the firewall from within the firewall host, it also costs a lot, takes a lot of resources, and only runs in graphical mode, which is not good for scripting purposes. Also, the VMWare solution requires you to migrate your complete firewall rules to a VMWare session to run complete tests.
I devised an alternative solution around the shareware virtual machine tool User-Mode Linux (UML). UML, which can be found at: http://user-mode-linux.sourceforge.net
uses virtual machine technology and Linux kernel modifications to create an instance of Linux that can run as a User-Mode program. UML's processes are seen by, and can be controlled by, the host. Implementing UML is straightforward and relatively simple. All it requires is disk space, at least initially, and the installation of some new tools.

Since my intention is to install VMWare anyway to run M$ Windows, I might as well use it to run Nessus or nmap from a smaller linux distro. Maybe use Puppy Linux or Damn Small Linux, but I'll leave that till later. I think I'll first continue with setting up all my rules. Then I can perform an exhaustive test.

I've just been reading up on firewalls again as I've forgotten a lot of it and I remember thinking of this when I played around with IPTables the last time I installed Linux.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
Network layer firewalls. An example would be iptables.
Application layer firewalls. An example would be TCP Wrappers.
Application firewalls. An example would be restricting ftp services through /etc/ftpaccess file
(http://en.wikipedia.org/wiki/Firewall_(networking ))

And this brings up an old question I had back then. If iptables is a network layer firewall, then is there an application layer firewall for linux? I certainly would love to be able to control access not just at network level, but also at apps level. Definitely something to look at a later date.

I'm sure somebody out there is going to ask: Why would you want such tight control on a desktop PC? Well, the only answer I can give is that I'm completely PARANOID when it comes to the internet. And of course as the old saying goes: You can never be too careful.

Dos 2 Linux

2007-05-10T19:05:00.000+01:00

Grumble. I tried running the firewall script and it fell apart. When I put the script together, I typed it in windows notepad at work and of course once I copied it onto linux the carriage returns and line feed problem appears. Luckily I found a quick solution on the internet from http://soft.zoneo.net/Linux/dos_to_unix.php.

#!/usr/bin/perl -pi s/\r\n/\n/;

Ran the file through the script and voila! The rules are run and no errors came back. At least no immediate errors I should say. Now we still need to test the firewall, but it's late so I'll leave it till next time. Essentially, this is what I found so far regarding testing the firewall from The Linux Networking Administrator's Guide:

For ipfwadm , you must use the -c option to specify that this command is a test, while for ipchains and iptables , you must use the -C option. In all cases you must always specify the source address, destination address, protocol, and interface to be used for the test. Other arguments, such as port numbers or TOS bit settings, are optional. (http://www.faqs.org/docs/linux_network/x-087-2-firewall.checkingconf.html)

Sounds easy enough as per example from the guide:

Let's take a quick look at what a manual test transcript would look like for our naïve example with ipchains. You will remember that our local network in the example was 172.16.1.0 with a netmask of 255.255.255.0, and we were to allow TCP connections out to web servers on the net. Nothing else was to pass our forward chain. Start with a transmission that we know should work, a connection from a local host to a web server outside: # ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0 accepted Note the arguments had to be supplied and the way they've been used to describe a datagram. The output of the command indicates that that the datagram was accepted for forwarding, which is what we hoped for. Now try another test, this time with a source address that doesn't belong to our network. This one should be denied: # ipchains -C forward -p tcp -s 172.16.2.0 1025 -d 44.136.8.2 80 -i eth0 denied Try some more tests, this time with the same details as the first test, but with different protocols. These should be denied, too: # ipchains -C forward -p udp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0 denied # ipchains -C forward -p icmp -s 172.16.1.0 1025 -d 44.136.8.2 80 -i eth0 denied Try another destination port, again expecting it to be denied: # ipchains -C forward -p tcp -s 172.16.1.0 1025 -d 44.136.8.2 23 -i eth0 denied You'll go a long way toward achieving peace of mind if you design a series of exhaustive tests. While this can sometimes be as difficult as designing the firewall configuration, it's also the best way of knowing that your design is providing the security you expect of it.

Basic IPTable rules

2007-05-10T18:49:00.000+01:00

Although you might have guessed it, I didn't actually say in my last posting what exactly I was about to research. My intended topic of research was setting up the rules for iptables. I don't intend to go into the intricate details of altering and compiling any source code. Just simply setting up a number of rules of what traffic I want to block and what I want to let through. So, what have I discovered so far? Well, let's start with some of the basic traffic I need to let through. My router assigns IP addresses via DHCP and has a NAT as well. Thus, my PC needs rules for:

DHCP
and DNS

Everything else I can add later. Let's start with some basic iptables routines then.

#!/bin/bash ########################################################################### # Flush all chains ########################################################################### iptables --flush ########################################################################### # Set default policies ########################################################################### iptables --policy INPUT DROP iptables --policy OUTPUT DROP iptables --policy FORWARD DROP

That covers the basics. Now I'll create some custom chains hopefully making the rules easier to manage at a later date.

############################################################################## # Create user defined chains ############################################################################## iptables -N bad_packets iptables -N user_input iptables -N user_icmp_input iptables -N user_output iptables -N user_icmp_output

I've set up the chains based on a tutorial I've read on the net at http://iptables-tutorial.frozentux.net/iptables-tutorial.html with slight modifications. I'm going to copy and paste the bad_packets chain from Frozen Tux. As far as I can tell Frozen Tux has covered the majority of bad packets.

########################################################################### # bad_packets Chain ########################################################################### # Drop INVALID packets immediately iptables -A bad_packets -p ALL -m state --state INVALID -j LOG --log-prefix "iptables : Invalid packet: " iptables -A bad_packets -p ALL -m state --state INVALID -j DROP # bad_packets chain # # All tcp packets will traverse this chain. # Every new connection attempt should begin with # a syn packet. If it doesn't, it is likely a # port scan. This drops packets in state # NEW that are not flagged as syn packets. iptables -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "iptables : New not syn: " iptables -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP iptables -A bad_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "iptables : Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags ALL NONE -j DROP iptables -A bad_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags ALL ALL -j DROP iptables -A bad_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP iptables -A bad_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP iptables -A bad_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP iptables -A bad_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "Stealth scan: " iptables -A bad_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP # ICMP packets should fit in a Layer 2 frame, thus they should # never be fragmented. Fragmented ICMP packets are a typical sign # of a denial of service attack. iptables -A bad_packets --fragment -p ICMP -j LOG --log-prefix "ICMP Fragment: " iptables -A bad_packets --fragment -p ICMP -j DROP # All good, so return iptables -A bad_packets -p tcp -j RETURN

Now I'll start creating some of the input chain rules.

############################################################################## # user_input chain ############################################################################## # Allow localhost to access everything iptables -A user_input -p ALL -s 127.0.0.1 -j ACCEPT # Accept Established Connections iptables -A user_input -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS iptables -A user_input -p udp --dport 53 -j ACCEPT iptables -A user_input -p tcp --dport 53 -j ACCEPT # DHCP iptables -I user_input -i eth0 -p udp --dport 68 -j ACCEPT

I've covered the input chain and need to do the equivalent for output chain.

############################################################################## # user_output ############################################################################## # Allow localhost to access everything iptables -A user_output -p ALL -s 127.0.0.1 -j ACCEPT # Accept Established Connections # iptables -A user_output -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT # DNS iptables -A user_output -p udp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A user_output -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# DHCP iptables -I user_output -i eth0 -p udp --dport 67 -j ACCEPT

I'm not quite convinced about the section of "Accept Established Connections", thus I've commented it out for now. Essentially this should have covered all the basics. Now I just need to let my apps access the net. I'll just add web browsing first just to check that everything works.

# Browser iptables -A user_output -p tcp --destination-port 80 -j ACCEPT iptables -A user_output -p tcp --destination-port 443 -j ACCEPT

I know that so far the script is a bit messy. I've not been consistent with the way I've been setting up my rules and that is something I'll need to go back and review at a later date. All I have to do now is put the script onto Ubuntu, run it and see if I can access the net. Although one thought just came into my mind is how am I going to run an attack on the box? I need a second box running linux with Nessus to be able to attack this box, but I haven't got a second PC with linux running on it. I'm sure there must be a way. Have to go back onto the net and see what other people have done. I'll let you know what I find.

The Plan

2007-05-09T23:39:00.000+01:00

I've tried many distributions of Linux, Red Hat when it was still free, SUSE before it got taken over by Novell and even tried Mandrake at one point. At the end of the day, none of them really suited me as a) it was too bulky b) there was far too much configuration settings I needed to do. I still remember going through endless lines of configuration information just to get my sound card to work. Nevermind the network settings for dial up. At the end, I reverted back to Windows and till today I've been stuck on it. But Linux has moved on and now it's so much simpler thus I've decided to use Ubuntu as I can get the system up and running in no time. Installing Ubuntu is as simple as any other operating system. Put the CD in, boot the computer and already it starts up as a Live CD session. Click on the install button and off you go. Answer some of the simple questions and before you know it you've got a linux desktop all set up and ready to go. Of course if you prefer KDE, then install Kubuntu instead which is what I've done. Now I need to put together a list of things to do: 1. Secure machine, i.e. configure firewall 2. Install an anti-virus 3. Install vmware to use the windows programs 4. Install apps Obviously I could have used wine instead to run windows programs, but not everything works and there are still areas not implemented. Thus, running vmware is the only method to guarantee what I want to run actually runs properly. The way I see it is once I get Linux secure, I've essentially cracked "the big nut". Everything else is relatively simple in terms of set up. I've checked out a number of GUI apps for linux to help set up your firewall, but none of them gives me confidence. They're all either a) unclear what you are blocking and what you are letting in or b) don't tell you. Thus, the only way to make sure I feel confident in knowing what I have blocked and haven't blocked is to write the rules for the IPTABLE by myself. But first I need to do some research........

Moving to Linux

2007-05-07T00:59:00.000+01:00

What's this blog about then? Well, with a lack of other resources at hand I thought this would be the best way to keep track of my little project at the moment. More than anything, this blog is more for myself as a reminder than for anybody out in the world. So, what's the project? It's simply trying to move away from running a windows desktop PC to running a Linux based desktop PC. I've tried moving to Linux already for a long time and I've never succeeded. There was always something that has stopped me from moving over. I believe that is why many tech savvy people have really not gone over to Linux. There is always one piece of software that you can't live without. I've tried it so many times in the last 10 years trying to switch they I was about to give up. But then something extraordinary happened. VMWare. Not just that virtualisation suddenly became as simple as installing firefox, but the fact that they are giving the player away for free. Now, I know there is also QEMU, but unfortunately I haven't had the time to look into it and I've started using VMWare already. Now with the advent of VMWare, I just might be able to switch to Linux as I'll still be able to run all those windows programs I end up relying upon and thus this blog is a record of my successes, failures and the knowledge I've picked up on the way.