An Cuasán

I have need to add a software firewall to each pc on my home lan. My internet provider does not have a firewall on the DSL modem they gave me, so far as I know (or at least it is not enabled). Also, they do not use NAT on that modem so there is no chance of ‘protection’ from that perspective. Each of my home computers gets an external ip address, and is externally visible to the internet.

As a robust solution, I hope eventually to take the time to set up an old pc as a bridge and firewall between my internal network and the DSL modem. For now, the solution to protecting the internal devices was a choice between a dedicated firewall with NAT translation also, or a software firewall on each device. (Having a software firewall on each computer is probably a good idea anyway, especially if you have a laptop and are likely to be using it on networks outside of your home lan.)

For the Ubuntu machines, I have tried out Guard-dog and Firestarter. What I want is a solution that will allow all outoing connections by default and block all incoming connections by default, on all devices. Flexibility to block specific outgoing traffic, allow specific incomming traffic, blacklisting specific protocols or hosts, etc, would be an advantage.

Guard-dog:

I gave up on guard-dog pretty quickly as it was just too much hassle and I didn’t have the time to read all the documentation and go through all the detailed setup.

And there is a bit of detailed setup required. It is a little awkward (or more secure if you want to look at it that way) in that by default it blocks all traffic. So you have to go out of your way to allow outgoing web browsing, outgoing pop and smtp, outgoing irc, etc. This is just a little bit too secure and too much bother for what I need right now. I’m happy that my pc is ‘clean’, and thus to allow any outgoing connections. What I am worried about is incomming connections.

It did give the impression of the very powerful solution, and is probably worth a more in-depth look. I may come back to this in the future.

A small niggle also is that it did not appear in either the Applications or System->Administration menus after being installed, so I had to start it from the command line (on Ubuntu Edgy, Gnome).

Firestarter:

Firestarter was installed and up and running in a matter of minutes. After installing from Synaptic, I started it from the System->Administration menu, went through the wizard and the firewall started up and I could work away on the net without any trouble.

The wizard simply entailed selecting the external device. You can optionally also set up internet connection sharing here, but I don’t need that. A handy customisation I made to the preferences after it started was to enable the “Minimise to tray on window close” option.

Issues I have with Firestarter are mostly related to using it on my laptop, and using secure tunnels with it.

1. It seems to have the concept of only one device in the external or internet zone. Thus, I find that when I am switching between using the wireless and wired network interfaces I have to re-run the wizard to select the new internet device. If I don’t do this, it blocks my connections attempts!
2. I would thus be not suprised at all if it didn’t allow access both at the same time. What if I need internet access through a wireless link, but also need access to an wired network ? I may be using a trusted lan, or a potentially hostile lan. In general I prefer to treat all networks as hostile and only specifically and temporarily allow local services to be used as required.
3. I have been using OpenVpn lately, and had to go to a bit of bother to get firestarter to allow traffic down this link. I think the solution I got (and iptables command) was just to basically open up the vpn tunnel as a trusted link, allowing all traffic in both directions. Again, I would really like the ability to control this from firestarter, and to be able to put the tunnel into an internet or other, not completly trusted, zone. [Just because I'm connecting to a VPN doesn't mean I'm safe. It may be a requirement to connect exterenally to a network of my employer,  or a client, or whomever. It does not imply that I can trust it is safe and secure.]

Apart from those few little issues, I like it a lot. Exceptions can be allowed for exposing particular services, to particular clients if required. The issues I have would be solved if any future version would allow multiple devices (real or virtual, tunnels etc) to be controlled similtaenously, and to allow manual control over what zone or level of trust each device/virtual-device should relate to.

Sample Traffic

If it is of any interest, here is the list of incomming connections I have seen in the few minutes since I enabled the firewall.

• TCP and UDP connection attempts to unknown services (PORTS 10421, 10426 and 14411 )
• HTTP, SNMP, VNC, MS-SQL-S, MS-SQL-M and POP3 connection attempts.

Being able to save a file as a PDF document is very handy. Whether you want to save something from a browser, a presentation / document you are creating, or the output from any other application, being able to save it as a PDF document offers a number of advantages, but probably most especially when you want to pass it around.

Saving documents and spreadsheets to PDF has long been as simple as a button push with Open Office.org. This approach I would recommend where you can use it, as its’ output is slightly better than the alternatie approach shown here, in that the PDF exports from Open Office can include links, internal and external, and some other stuff to boot probably.

However, what about the rest of the applications you use ?

Saving a web document as html can get messy if you are moving things around and forget a piece (such as the files folder). It is also messier to pass things around in this format.

PDF is simply a single file to deal with whether you are making a back-up copy or passing it on. But probably a more significant point is that the format is accessible to almost anybody with a computer, whether a desktop, portable or handheld, thanks to Acrobat reader.

If we take the example of an online resource, I have tried printing to a file, essentially saving it as a postscript document. I was a little disappointed, however, to find that Envince wouldn’t output Postscript to PDF. A quick search showing this made me happy again. It’s a more elegant solution in that it goes directly to PDF rather than using PostScript as an intermediate that is visible in the process. I have taken that solution, but progress on a slightly different route, while still using the Ubuntu flavour of Gnu/Linux.

[ Primo PDF is a nice free app for windows that achieves the same results.]

So here we go with Ubuntu, The Edgy/6.10 release.

First off, you will need to get and install the cups-pdf package. Open Synaptic… (use your own password if prompted, this is for administration functions required to install packages )

… and search for cups-pdf, select it for install and click apply.

Next, open the CUPS web interface at http://localhost:631. This was up and listening by default on my install of Ubuntu.

Fill in the details for the new printer. The ‘Name‘ is what the printer will be shown to you as by application you later want to print from. Thus it makes sense to be explicit that it is a virtual PDF printer, especially if you have lots of printers on your network.

select the Virtual PDF printer…

Pick Postscript as the make…

Select the generic postscript colour printer, click Add Printer.

At this point you may be prompted for a username and password, simply enter your own details. It is possible to disable this security measure, but probably not wise if you are on a public network.

And you are done

To test it out, I went to Java World, picked a random article and switched to the print version in order to print it cleanly (without menus etc. from the web site showing.).

Just make sure the printer selected is the cups pdf printer just set up, and click print…

And your job is printed, the output actually being sent to the local file system in the form of a PDF document

When the print job is complete, browse to ~/PDF/ and your file should be there. This location is probably /home/<username>/PDF/ on most systems, but to be sure, you can you can press CTRL+L in the Nautilus File Browser (the default file browser on Ubuntu Gnome) and type in ~/PDF/ manually into the location bar.

Your PDF file should be ready to be viewed.

And that is it !

I have been using this for a while now without issue, and it can be used from almost any application.

From applications that provide a more basic printing interface, I have used “lpr -P pdf-printer ” as the print command to ensure the output goes through this PDF generation process I have set up.

If you want to keep the links from a web-page working in your output PDF document, this does not yet work with this approach. Where this would be useful, I have simply selected and copied the data from my browser and pasted it into Open Office, and then output to PDF from there. A more automated solution would of course be preferrable, maybe down the road firefox will have an “export to PDF” function

It might be nice to configure the target location of the PDFs to somewhere else, or have the option of specifying a location when you hit print, and this is possible, but I prefer not to have to take that extra step. The output is always in the PDF folder in my home directory, so I always know where to find them.

Now that I am using it a while, being able to specify a file name might well be useful. Especially when printing from web pages, where the title is used. I do however find myself going to the PDF folder after printing, renaming the output and putting it somewhere else in my filesystem. Stil, it would be a nice feature to have.

I am taking a course at WIT since Autumn 2006.

I found it interesting to hear one of the lecturers discuss “Gnu/Linux” rather than just “Linux”.

In my experience that latter is the norm. Ok it is less of a mouthful, though on the other hand however this is a free platform, developed primarily by individual voluntary efforts, so I can understand the sentiment that the major groups involved should get credit where it is due.

The “Linux” bit comprises the OS Kernel, and “provides the basic services and device drivers used by all other programs running” (http://www.linux.org) on the system.

The GNU utilities and programs make up most of the basic OS and other tools.

There seems to have been quite a bit of discussion elsewhere about this, see this article on GNU.org and this wikipedia entry. The Debian distribution (http://www.debian.org/ ) is one flavour of the platform that actually use GNU/Linux rather than just Linux in their name. I am not sure if there are many others.

Perhaps interestingly, between the flavours even there may be cause for similar discussion. Ubuntu ( http://www.ubuntu.com/ ) for instance, is heavily based on Debian GNU/Linux (http://www.debian.org/misc/children-distros).  However I can’t recall ever seeing a mention of it while using or installing the system…

Should we rename to Ubuntu Debian GNU/Linux ?

Lets have a vote, who is for and against ?

(”,)