LJ Archive

Letters

Simple iptables Rules for Potentially Hostile Networks

Regarding the October 2009 issue's article on hostile network protection [see Mick Bauer's “Brutally Practical Linux Desktop Security”], I've also found the following iptables rules render my laptop effectively invisible without adversely affecting Web browsing, e-mail, SSH and nearly everything else I do from hotel rooms or while drinking my morning coffee:

iptables -A INPUT -i lo -j ACCEPT                                  # loopback traffic
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT   # replies to connections we opened
iptables -P INPUT DROP        # everything else inbound is silently dropped
iptables -P FORWARD DROP      # this machine is not a router
iptables -P OUTPUT ACCEPT     # all outbound traffic allowed

While most canned kernels will come with everything needed, those who prefer to roll their own will need to ensure that Netfilter and its connection state matching component (NETFILTER_XT_MATCH_STATE) are required. Many of the other Netfilter modules can make life easier as well, so they're worth looking through if you'll need to recompile anyway.

Some of the messier protocols may not work through these rules, so it's best to stay within your distro's init.d firewall script to make them easy to turn on and off. Thanks for the great work, guys!


E. Stuart Hicks

Normally I just don my invisibility cloak when I'm using public Wi-Fi, but your method is certainly more reproducible. And, it works outside of fantasy novels. All joking aside, I usually set up a VPN the moment I connect to public access points. Unfortunately, that can adversely affect bandwidth. Thanks for the tip on how to be a bit more stealthy.—Ed.
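The ruleset from E. Stuart Hicks's letter above, rendered as an iptables-restore file rather than five separate iptables invocations. This is an added example, not code from the letter or from Linux Journal: loading the table in one transaction means the DROP policy and the ESTABLISHED accept land together, and iptables-restore --test lets you parse the file without touching the kernel. It goes one step beyond the letter by also dropping packets conntrack classifies as INVALID and by letting you punch an explicit hole per inbound TCP service (none by default). The function names render_ruleset, count_input_accepts and apply_ruleset are mine; the block assumes an iptables with the conntrack match (kernel option CONFIG_NETFILTER_XT_MATCH_CONNTRACK, the successor of the NETFILTER_XT_MATCH_STATE the letter names), and uses "-m conntrack --ctstate" as the newer spelling of the letter's "-m state --state".

```shell
#!/bin/sh
# Added example, not part of the letter or the editor's reply: renders the
# letter's stateful default-deny policy as an iptables-restore ruleset so it
# can be checked before loading and then applied atomically.
# Assumptions: iptables with the conntrack match (CONFIG_NETFILTER_XT_MATCH_CONNTRACK);
# "-m conntrack --ctstate" takes the same state names as the letter's "-m state --state".

# render_ruleset [tcp_port ...]
# Prints the ruleset. With no arguments it is the letter's policy: loopback and
# replies to our own connections in, everything else dropped, nothing forwarded,
# all outbound allowed. Each optional port adds one explicit hole for an inbound
# service (normally none on a travelling laptop).
render_ruleset() {
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) printf 'render_ruleset: bad port %s\n' "$p" >&2; return 1 ;;
        esac
    done
    # Chain policies are loaded in the same transaction as the rules, so there is
    # no window in which INPUT is DROP but ESTABLISHED traffic is not yet accepted.
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# count_input_accepts RULESET: number of INPUT rules that jump to ACCEPT.
# A quick review check that no unexpected holes were rendered.
count_input_accepts() {
    printf '%s\n' "$1" | grep -c -- '^-A INPUT .*-j ACCEPT$'
}

# apply_ruleset [tcp_port ...]: parse with --test first (no kernel change), then
# load the whole filter table in one transaction. Needs root and iptables-restore.
apply_ruleset() {
    tmp=$(mktemp) || return 1
    render_ruleset "$@" > "$tmp" || { rm -f "$tmp"; return 1; }
    iptables-restore --test < "$tmp" && iptables-restore < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Usage: ./laptop-fw.sh            prints the ruleset for review
#        ./laptop-fw.sh --apply    loads it (as root); add ports after --apply if needed
case "${1:-}" in
    --apply) shift; apply_ruleset "$@" ;;
    *) render_ruleset "$@" ;;
esac
```

Keeping the rendered file under your distro's init.d firewall hook, as the letter suggests, gives you the same easy on/off switch; iptables-restore with no file reloads the full policy in one go, and "iptables -F" followed by "iptables -P INPUT ACCEPT" takes it back off.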

Linux Already Wins the Desktop

I am finishing a Master's degree in Education and have generated many pages of various types of documentation in completing my work. I cannot imagine doing this with anything but Linux. The multiple desktops available in Linux made it easy to generate a research report while having multiple on-line journals open, simultaneously generating and inserting graphics into the report, without the multiple layers of overlapping windows the popular operating systems force you to use. It seems to me that the true utility of Linux gets lost when we compare ourselves to Windows and Mac, rather than setting the unique and useful aspects of Linux as metrics for Windows and Mac to meet. For me, the multiple desktop function is one of the single-most useful utilities of Linux in getting real work done. I cannot operate with a single window open. I wonder how many other Linux users recognize this as one of many important strengths of our favorite operating system?


Orlando Ide

Whenever I'm speaking about Linux to a group of enthusiasts, I stress that Linux is awesome enough to stand on its own. When it comes to the desktop experience, you're absolutely right, Linux has nothing to prove. If we can eliminate the dependence on proprietary software, I think Linux will be the obvious choice for most people on the desktop.—Ed.

Using RCS for Configure Files

David Penman, in the September 2009 Letters section, talked about something very important in system administration. I don't see it enough. When you modify system configuration files as root, always make a backup. RCS is a fantastic tool to see how a file changed—it takes discipline. Just make an RCS/ directory; you don't even see the backup files. But often changing configuration files has negative effects weeks after changing them. Rolling back to the original package is a last-ditch effort.


Marty Leisner

Ubuntu 9.04 and Modems

I've been reading your magazine and learning/using Linux on two desktops and purchased a Dell notebook with Ubuntu. Then, when my old desktop PC died, I bought a Dell 530/Vista because it was on sale (Dell's computers with Ubuntu don't seem to go on sale). I installed a second hard drive and proceeded to install Ubuntu 9.04. Imagine my surprise to find no modem support! I downloaded, but could not get gnome-network-admin to work. I wasted hours of time downloading/installing GNOME ppp and dependencies and configuring the modem. I had to download files with Vista and xfer to Ubuntu with a thumbdrive. Vista worked out of the box with its included Dell modem. Vista also worked out of the box with my US Robotics PCI modem (I didn't need to install any software). Ubuntu's decision to break or not offer the modem software seems to be a foolish thing to do—especially if they intend to reach out to the nongeek PC users. And we wonder why we can't get more people to use Linux on the desktop. I know I'm just one small voice in the Linux community. Thanks for reading!


Duane G.

I must admit it's been quite a few years since I've used dial-up networking, but it is sad you had such a hard time setting up your modem! I know in years past “winmodems” were very difficult to configure due to Windows-only drivers. Now it seems the frustration is with Windows-only Wi-Fi drivers. It seems like a conspiracy to keep Linux users from communicating! It sounds like you did get things going, but hopefully the Ubuntu team won't forget about the many folks still using dial-up.—Ed.

Linux on the Desktop, Continued

I read with interest the continued discussion regarding Linux on the desktop [see the September 2009 Letters]. I am old enough to remember the OS/2 vs. Windows war. In those days, lots and lots of Microsofties were unleashed onto an unsuspecting Usenet; their job was to portray ordinary users trashing OS/2 and defending Windows. The two letters you published look like MS is doing again what it is known to have done before, only this time it is trashing Linux instead of OS/2. The incredulity of the original assertion (Linux lacks stability) is what makes me strongly suspect MS operatives are at work here. Back then, IBM didn't know what hit them. This old adage rings true: “Fool me once shame on you, fool me twice shame on me.”


Robert Solomon

Desktop Hardening

Re: Mick Bauer's “Brutally Practical Linux Desktop Security” [October 2009 issue]: why not make the target for an aggressor as small as possible—a kernel with only the drivers and modules your laptop needs? A filesystem like debootstrap or your distro's base system? It's much less exposure, as you have installed only what you use from the hardware up.

Thanks for all the fine Paranoid Penguin articles Mick. Editor, I would like to see more meat in the diet.


Charles Hewson

Mick Bauer replies: One cool thing about loadable kernel modules is that when you don't have a given piece of hardware attached, the corresponding modules generally won't load. But I get your broader point that just as unnecessary userspace software should be uninstalled or disabled, so should unnecessary kernel code—you're quite correct that hardening is about minimizing your attack surface.

I've long advocated running custom-compiled kernels on bastion servers for that very reason. But in my article's specific scenario of preparing a laptop for a trip, that might be more trouble than it's worth (especially given my earlier point). It's the difference between spending 45 minutes or less hardening your system and spending hours. For most users (certainly for nonexperts), compiling kernels remains one of the uglier and more time-consuming parts of the Linux experience.

Thanks so much for your kind words! We're all doing what we can to maintain and even improve LJ's protein-to-carb ratio.

OtherInbox.com

Having used a similar method to what Kyle Rankin describes in “Spam: the Ham Hack” [October 2009], I'm happy to have found OtherInbox.com, which automates most of the process. You can use it with your own domain or with their own and a personalized subdomain. You can create an e-mail address on the fly, and it automatically will create a corresponding mailbox. I encourage people who are having trouble managing their e-mail to check it out.


Josh Bernstein

Music Notation Software

I am very new to Linux Ubuntu, and I can't find any program I can download that will give me MP3 availability (like Limewire) that will download successfully. Can you help? I also am having trouble finding a music notation program that does not cost the earth. I used to run Cappella, but that runs only on Windows. I am not a computer buff, so any suggestions need to be at dummy level.


Brian

Limewire should work on Linux. You'll need to install Java first, if it's not already installed. See this link for more on some music notation programs for Linux: www.linuxjournal.com/content/music-notation-programs-recent-releases.—Ed.

Make My Headphones Work

I have used Linux since Slackware 0.91, but I still have trouble getting headphones to work. I have the latest Ubuntu and just expected that when I plugged in my new Logitech headphones, they would work automatically and all sound would go to/through them. How do I make that happen?


Eric

At LinuxCon in September 2009, I heard the kernel developers speak of this very issue. Apparently, audio hardware is one of those things that is so inconsistently built, getting all the different revisions to work proves to be very difficult. With Windows, you can download a specific driver from the vendor, but as Linux users, we must depend on drivers based on “standards” that should be built in to hardware. Sadly, those standards rarely are in place. Sometimes it's possible to Google for a specific hardware configuration and find settings to tweak in order to make things like headphones work. Either way, it's frustrating as an end user to have something as simple as headphones not work.—Ed.

Dark Days?

I am not a computer specialist, nor do I have any interest in computer code. But, I use a computer most of the day, every day. Having been stuck with Windows (which I don't like because of the way everything I do is controlled by Microsoft), I recently bought a small laptop with Linux as the operating system. It is an absolute disaster area. To start, it is incompatible with 3 mobile broadband (I have read a number of blogs, and even the experts agree on that). I have had no success in loading Java, which is essential for the work I do. And, I can't even load a 56k modem for emergency use. In short, it is totally useless to me, and I am going to have to load up Windows XP instead, much against my wishes. I had hoped that Linux was a serious competitor to Microsoft, but in reality, it is light-years away, strictly for computer specialists. Of course, I could spend days and days reading about how to make it work, but why should I? I only want to use the computer, not re-invent it. Kernels, shells, command prompts—these things are of no interest to me whatsoever. It's back to the dark days of MS-DOS all over again.


Richard

I'm sorry to hear you're having such a bad Linux experience. You should be able to install Java on your laptop without a problem. The Sun distribution works fine on my Linux system. I also see indications on the Internet that people have been able to get 3 mobile broadband to work with Linux. Modems shouldn't be a problem either. Without knowing more about what distribution you have and what hardware you have, it's hard to be much more specific.

Concerning your remarks about the command line and the dark days of MS-DOS, I always find these types of comments interesting, because in my opinion, Microsoft took a giant step backward when it decided to poo-poo the command line. A decent shell (which command.com and/or cmd.exe never were) and a good complement of shell commands, at least for certain types of work, give you power that doesn't exist anywhere in the GUI world.

Having said all that and implied much more, in no way should it be taken that I think Linux is perfect. It's not. But by the same token, Windows has its own set of problems. I often find it as frustrating to work with as you're finding Linux to be.

If you'd like to post some of the details of your Linux troubles on the LinuxJournal.com forums, we'll try our best to help you through them.—Ed.

“The Usual” sudo?

I was just reading John Knight's “Fresh from the Labs”, specifically the article on htop, in the October 2009 issue. htop is great, and I have been using it for quite some time. To quote from the article: “...enter the usual:”

$ ./configure
$ make
$ sudo make install

“the usual”? I do not use sudo, and I do not use Ubuntu. A minor thing, I agree. Today it just annoyed me. Thanks for a great magazine.

PS. Yes, I work for Mandriva, but it's not the only distro I use. I also use Slackware, Fedora and Absolute Linux.


Stephen Germany

John Knight replies: An angry letter, at last! This is my first one for LJ. I thought it'd come from a Debian developer though (I've been stirring them up for several years)....

htop's brilliant, isn't it? Yes, I know what you mean about Ubuntu-isation of Linux, and it annoys me too, but isn't sudo on most modern distros, and its use encouraged? Note that sudo isn't a Ubuntu invention (quote from Wikipedia): “The program was originally written by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. The current version is under active development and is maintained by OpenBSD developer Todd C. Miller and distributed under a BSD-style license.”

I can't speak for Oklahoma, but here in Australia in the LUGs, the use of sudo is more or less assumed, and the use of root logins discouraged (and strangely enough, the local LUGgers seem to gravitate toward Debian). Nevertheless, I used to write “(as root or sudo)” before the make install command, but figured it was about time just to use sudo for cleanliness' sake. Do you think I should switch back?

Photo of the Month

Have a photo you'd like to share with LJ readers? Send your submission to info@linuxjournal.com. If we run yours in the magazine, we'll send you a free T-shirt.

For the summertime, I went on holiday to the Dutch coast with my family. For a day on the beach, we took along typical beach stuff, like a windscreen, kites, food and sand toys and, of course, several Linux Journal issues to do some interesting Linux reading. Submitted by Geert Jan Klinkhamer.
