Build a secure desktop firewall with ufw-part I
I’ve recently been using Debian again, and noticed that after configuring a mixed system, Firestarter fails to start. That’s not a problem, as it is an opportunity (or excuse) to look into a terminal setup for desktop use, which is the optimal choice (X11 or no X11). After all, X11 sometimes fails after an install or an upgrade, which demonstrates the necessity of a terminal-orientated firewall. I eventually came across ufw, which also has a GUI front end (Gufw), but that’s not part of this article (at any rate, it also failed to start graphically). The problem with ufw is that exhaustive walk-through documentation for configuring a ufw firewall is lacking, despite the man page and the official Ubuntu wiki, with bits and pieces fragmented all over the net (a common BSD critique of Gnu-Linux software documentation, but at least the documentation is not overwhelming, as it is with the BSDs). Thus this article, which amounts to a relatively short manual in and of itself, is the result of trial and error; more than that, it is intended to be a hold-your-hand, illustrative guide to building a secure desktop firewall.
To sum ufw up in a few sentences: it’s a command-line firewall with syntax based on OpenBSD’s PF, only it works with iptables (rather than PF). It’s an Ubuntu project that has made its way into the Debian repositories. Ufw is under active development and its capabilities are rapidly changing.
As of the time of writing, ufw is available on Debian testing (Squeeze). I can’t suggest Squeeze (as a base) as it’s too unstable at this point in time, in my estimation. As hinted at earlier, programs from both testing and unstable can be installed simultaneously onto stable (if configured to do so), creating a mixed Debian system, but this is a topic for another article and one that might come to fruition, time permitting.
This article presents two rule sets. The first is simple (part one of this article), dealing with FTP, HTTP, HTTPS, and email with IMAP and SMTP; the second (part two) is more complete, covering rule deletion (and creation) and blocking outgoing connections. The former is meant as a didactic exercise to explain the latter, although the first is a good base in and of itself, it is not suggested unless a minimal, quick and easy setup is desired. (Feel free to skip past the rule deletion of the first rule set and go on to the second, once both are published.) The third, last and final, part gives a quick skim of the advanced rule set (suggested in part two). It also introduces how to allow and block IP addresses, enable/disable free access to ports per app, enable/disable firewall logging, and edit ufw files, and ends with a caveat on pinging. Administration of ufw is done entirely as root in this article; use sudo if preferred. The article assumes the reader is familiar with the terminal and basic security terminology (such as firewall and port) and, lastly, is comfortable issuing line commands. For the record, the version used herein is 0.29-5 on top of Lenny (stable at the time of writing). To find out the version installed on any particular Gnu/Linux system, issue the following.
# ufw version
Lakitas Matriasaya, a feminist musical group breaking the patriarchal hold on Andean music
Lakitas Matriasaya is an independent Andean musical band that consists mainly of Andean panpipes and two drums, a bass and a snare drum (and a third percussionist by way of hand-held cymbals). Fifteen members make up the band at present. Twelve pipers sing and play the pipes, while three play percussion. The band formed in Valparaíso, Chile, six years ago, consisting of members from all parts of Chile, who have included (at one time or another) Vivi, Jime, Mariela, Vale, Cata, Pame, Nicole, Claudia, Nati, Anita, Marcel, Ange, Mapa, Anto, Leo, Marcia, Lore, Paloma, and Javi.
On November 22, 2009, I had the chance to see them perform at the Teatro Municipal de Chillán (municipal theater of Chillán), Chile, after which I was invited to tag along to a pizzeria with them. The following article is a compilation of that night.
Bell proposes end to ‘unlimited internet’
If there’s one thing I hate about Canada, it’s how some companies there try to take advantage of the regulatory environment and the nation’s social net. They believe this net applies to large corporations, but in reality these should only be considered under the gravest conditions, as they should be self-sufficient. After all, they’re private businesses, not public. The technique usually involves a sappy story about not being able to stay afloat because of current economic conditions, and how it’s necessary to give leeway. Sacrifices may come in the way of wage cuts, benefit cuts, and/or demands for public financial support, and, as will be outlined below, also as a costly (to the customer) billing system.
Convert PDF to JPEG on OS X
I had a student of mine complain that the .PDF material I’d provided was illegible. I attributed the problem to her ignorance, and to her lack of knowledge of the magnification tool, but the customer is always right, … right? I decided to hard copy the material myself and personally hand it in to her at our next class a week away. In the meantime I wanted to convert the .PDF material to something that she may have been more adept at using, even if in a rasterized format. So, I decided to convert the .PDF to (wait for it) .JPGs! Googling brought me to an article that details a script that converts .PDF to .JPG but, in true Mac fashion, it only works with the latest and greatest pay-ware version of OS X, 10.5, while I use 10.4, leaving murmurers such as myself lost in the wilderness as the faithful continue to the promised land with their glorious and fearless leader, Jobs. Now, my problem is not with converting .PDF to .JPEG. I think this should easily be possible considering both formats are so pervasive. My problem is that it would seem, according to the Machead in the article previously mentioned, to necessitate underlying technology which only works with 10.5 OS X, and if there are other options for 10.4 users, why not mention them? Well, I found out there are other options, two (of which I’m now aware) in fact.
BSD Needs Spiced up Atmosphere-bsdtalk
I’m not sure why I can’t post comments to bsdtalk. Maybe it’s because I’m not signed up with the hosting service or because it doesn’t support Firefox. I can’t remember, as I quit trying some time ago. Anyway, seeing that I can’t post, I thought I’d post a comment on my own blog.
Note to Will Backman, bsdtalk Host
I like your podcasts, but it’s starting to seem to me that the shows always have the same general theme: people sitting around talking about why BSD (and sometimes OSS in general) is so great, amounting to “feel good” interviews.
In episode number 139 you ask what “we” can do to improve BSD bookshelf visibility. I think generating interest might attract public attention and translate into hard book visibility. So, why not diversify and talk about threats to BSD development (whether they be internal/external, or from proprietary or competing OSS sources) and conflict (such as political/power struggles, or personality conflicts)? Each podcast need not be entirely controversial, as potential solutions to problems could also be pondered.
Here’s an idea I’ve thrown your way before. When are you ever going to cover comments by C. Hannum stating that “NetBSD is Dead”? See: <http://mail-index.netbsd.org/netbsd-users/2006/08/30/0016.html>.
Jack White Sells Out with Alicia Keys?
I never really liked Run DMC’s remake, if that’s what you can call it, of Aerosmith’s hit “Walk This Way”. Depending on how you look at it, it may not have been a remake as much as a legitimate new creative product. I doubt the latter, as the guitar riff is unmistakably Aerosmith, and for it to be a legit new product, entire and easily recognizable portions of a “song” (if you can refer to rap as “song”) can’t be mirrored in other songs. It can be reminiscent, but not a copy-paste scenario.
Setting aside issues of legitimate authorship and musical taste, the remake did have some good effects. It salvaged Aerosmith’s butts, whose career was on its way to being relegated to “golden oldies bar band”, whose prospects were probably only seedy truck stops and corresponding bars.
Also in the process, Run DMC introduced good ol’ rock and roll to kids that had probably never seen or heard, and probably hadn’t conceptualized, an electric guitar. They also introduced rap to rhythmically challenged white folks. This might be called a market cross-over ploy.
On the part of Run DMC, I’m not sure if this was a thought-out market plan. This might be giving them too much credit. If anything, they got people that would never have bothered to listen to rap to do so, if only to satisfy (morbid?) curiosity.
Having said that, as I sit here listening to the White Stripes singer Jack White perform a duet with an R&B female singer named Alicia Keys, I wonder about this obvious marketing ploy. I usually hate these marketing tactics, finding them cheap, predictable, even morally decadent.
Mentioned in linux today
Ha!! It seems I made it onto “linux today”, although this was some time ago.
Is David Grohl playing for the Mexican band Café Tacuba?!
Chilean cable TV is endlessly looping Café Tacuba’s latest music video. It’s by way of this that I came to ask myself, “Is it just me, or does David Grohl from the Foo Fighters look like Emmanuel del Real from Café Tacuba?”