Lockergnome     See You at Gnomedex 2002!

  12.19.2002 PenguinREPORT

Today, we're pulling Mandrake under the microscope to look at its custom configuration and package management tool, the Mandrake Control Center. Mandrake, like other OTB distros, has made a great effort to simplify the configuration and package management functions. Most now use a unified interface that allows users to configure hardware and peripherals, as well as add and remove packages. The Mandrake Control Center (MCC) is just such a tool. It's nicely laid out and quite easy to use.

The MCC includes the following:

  • Boot: Used for creating a boot disk, choosing your boot manager, setting up autologin, and selecting the default user.
  • Hardware: Provides a hardware list and allows configuration of monitor, X Window, TV cards, keyboard, mouse, printer, and scanner.
  • Mount Points: Provides configuration tools for mounting hard drives, DVDs, floppies, Network File System (NFS), Samba, WebDAV, and partition sharing.
  • Network and Internet: Tools for configuring connection, proxy and connection sharing.
  • Security: Provides configuration of security level, security permissions and the shorewall firewall package.
  • System: Configures all sorts of system settings, including menus, services, fonts, date and time, logs, console, users, cron, and backups.
  • Software Management: A package manager in the classic mold. Allows the user to install and remove software, manage the update sources, and configure and utilize the Mandrake Update system.
This type of configuration tool has become well-known territory in the Linux world. It's a convenience that, while relatively recent, has become widely accepted as a necessity for distros aiming toward ease of use. Mandrake has done a nice job with the MCC. If this type of tool is critical for your use, though, I'd install or stick with SuSE. The YaST2 tool is hard to beat for the level of detail and configuration tools.

Tomorrow, we'll take a look at the security level of a default Mandrake install.

                 
Tony Steidler-Dennison       


 GnomeTWEAK

Firewall Boxes - Part VII

We're near the end of the firewall series. With two days left, we've got an important topic to discuss today.

Packet filtering is a critical part of firewalling. Obviously, there are some other important elements, but when the rubber meets the road, it's packet filtering that gathers the traction.

In the December 5 GnomeCORE section, we talked about TCP connections. To understand packet filtering, you should understand the concepts outlined in that issue. Specifically, you should understand that TCP packets (the vehicle for data on the Internet) contain a header and a body. The header contains a variety of information including source, destination and packet type. A connection is established between a client and server when the client sends a packet with a SYN flag, the server responds with a SYN/ACK-flagged packet, and the client returns the ACK.

Packet filtering is the process of examining the header of a packet and, based on a set of built-in rules, deciding the fate of that packet on the spot. Depending on the rule set, the packet filtering software might accept the packet. It might deny the packet, which tosses it out without giving the client any indication that the packet has been killed. Or it may reject the packet, which drops it and notifies the client that it has done so. You can see that packet filtering provides a pretty high level of security for your firewall box.

Prior to the 2.4 kernel, packet filtering was provided by ipchains. With the introduction of the 2.4 kernel, iptables became the packet filtering software of choice. It's more configurable, and covers a broader range of possibilities than ipchains, providing a higher level of security.

iptables can be a complex topic. As with other elements of the firewall series, I'll point you to some other research for detailed theory and implementation. However, the high-level view is pretty simple to understand.

Your Linux kernel starts with three chains (don't be confused - even iptables uses chains) - input, output and forward. Any packet intended for your machine passes from the network interface to the input chain. If it's accepted by the machine, it's passed to the right destination. If the packet is destined to another network interface, your kernel must include forwarding for the packet to reach its destination. If not, the packet's dropped. If the kernel includes forwarding, the packet is passed to the forward chain, where it's matched against the rule set. If it's accepted, it's passed to the proper interface. Finally, packets sent from within the network to the outside world are passed to the output chain. If the chain accepts the packet, it's sent along to its destination post haste.
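The three chains and the accept/deny/reject outcomes described above, written out as a small ruleset. This is an added example, not part of the original newsletter: the interface names (eth0 for the Internet side, eth1 for the LAN) and the SSH and ident ports are assumptions. iptables names the chains INPUT, OUTPUT and FORWARD, and spells the silent "deny" as DROP.

```shell
#!/bin/sh
# Added example, not from the newsletter: a minimal filter table for a
# two-interface firewall box. Interface names and the SSH/ident ports are
# assumptions; change them to match your machine.
WAN_IF="${WAN_IF:-eth0}"   # assumed Internet-facing interface
LAN_IF="${LAN_IF:-eth1}"   # assumed internal interface

# Print the ruleset in iptables-restore format so it can be reviewed first.
build_rules() {
    cat <<EOF
*filter
# Default policies: anything no rule accepts is silently dropped ("deny").
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT: packets addressed to the firewall box itself.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New SSH sessions from the LAN only; --syn matches the opening SYN packet.
-A INPUT -i $LAN_IF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
# Reject: drop the packet but tell the client, here with a TCP reset.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# FORWARD: packets passing through to another interface.
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Load the rules and switch on kernel forwarding (needs root).
apply_rules() {
    build_rules | iptables-restore || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    --print) build_rules ;;
    --apply) apply_rules ;;
esac
```

Run it with --print to review the rules and with --apply, as root, to load them.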

That gives you the fundamental theory you'll need to create chains and start using iptables. As promised, here's a list of more detailed background and tutorials:

YoLinux: Using iptables/ipchains
Robert Graham: Firewall Forensics
LinuxGuruz: Linux iptables HowTo
Netfilter.org: Iptables Tutorial

We'll wrap things up on the firewalling series tomorrow with a look at a few other essential pieces of your firewall box configuration.



 GnomeSCRIPT

Clickable Directory Indices
Scribbled by Lee Holmes

Here's a script that I made recently that I find very handy. It goes through the files in a directory, and makes a clickable index.html. The idea is that you dump a bunch of files into a directory, run this script, then you have an easy way to publish files.

It gives you a bit more flexibility than setting Apache to let users view directory contents.

index.sh

#!/bin/bash

echo "<html>"
echo "<body>"
ls | awk -f ~/index.awk
echo "</body>"
echo "</html>"

index.awk
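{
  # Escape HTML metacharacters so a file name cannot inject markup into the page
  name = $0; gsub(/&/, "\\&amp;", name); gsub(/</, "\\&lt;", name)
  gsub(/>/, "\\&gt;", name); gsub(/"/, "\\&quot;", name)
  printf("<a href=\"%s\">%s</a><br>\n", name, name);
}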

Put index.sh in your path, index.awk in your home directory. If you put index.awk somewhere else, make sure to change line 5 of index.sh.

Usage:
index.sh > index.html



 GnomeCORE

Login

The third and final piece of the login triumvirate is - oddly enough - login. init spawns the child process getty, which then passes data to login to allow access to a Linux system.

login actually looks for several files and their contents. If the user is not root, and the file /etc/nologin exists, the login will be dropped. In other words, the existence of /etc/nologin means only root can log into the machine.

If the user is root, the login has to happen on one of the ttys (terminal screens, for simplicity) listed in /etc/securetty. Root logins on any tty not listed in /etc/securetty will be disallowed.

login also looks for the .hushlogin file in the user's home directory. If .hushlogin exists, login performs a "quiet" login: last login time, mail checking and message of the day are all suppressed. Otherwise, if /var/log/lastlog exists, the last login time is printed.

Finally, after checking these files, the user shell fires up. /etc/passwd defines the user's default shell. If no default shell is shown in /etc/passwd, the system assumes bash (/bin/sh). The shell is started within the home directory, also noted in /etc/passwd.
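The file checks described above, modelled as a shell function you can use to audit how a machine would treat a given user and tty. This is an added example, not login's own code: the function name, its output format and the optional ROOT prefix (so it can run against a constructed directory tree) are assumptions, as is treating a missing /etc/securetty as no restriction.

```shell
#!/bin/sh
# Added example: walks the same files login consults, in the same order.
# login_check USER TTY [ROOT] prints "deny: <reason>" or "allow: ...".
login_check() {
    user=$1 tty=$2 root=${3:-}
    entry=$(grep "^$user:" "$root/etc/passwd") || {
        echo "deny: unknown user"; return 1; }
    uid=$(echo "$entry" | cut -d: -f3)
    home=$(echo "$entry" | cut -d: -f6)
    shell=$(echo "$entry" | cut -d: -f7)

    # /etc/nologin locks out everyone except root.
    if [ "$uid" -ne 0 ] && [ -e "$root/etc/nologin" ]; then
        echo "deny: /etc/nologin present"; return 1
    fi
    # root may only log in on a tty listed in /etc/securetty
    # (assumption: a missing file imposes no restriction).
    if [ "$uid" -eq 0 ] && [ -e "$root/etc/securetty" ] &&
       ! grep -qxF -- "$tty" "$root/etc/securetty"; then
        echo "deny: $tty not in /etc/securetty"; return 1
    fi
    # ~/.hushlogin suppresses last login time, mail check and motd.
    if [ -e "$root$home/.hushlogin" ]; then banner=quiet; else banner=full; fi
    # An empty shell field in /etc/passwd falls back to /bin/sh.
    echo "allow: shell=${shell:-/bin/sh} banner=$banner"
}
```

On a live system, call it without the third argument, for example login_check root pts/0.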

Little efficient programs, working together to accomplish a bigger task. The coordination of init, getty and login to allow user access to a system is a perfect example.



 GnomeFILE

Very Simple Network Monitoring 2.0.0 Beta

http://www.probam.be/nmonitor/

"Very Simple Network Monitor is a bash shell script CGI that monitors a number of services on a network. It currently checks for node-up, TCP service up, and UDP service up. A service or system can be put in maintenance status to avoid repetitive alarms. It is easy to customize, trigger alarms by email, or whatever you like (depends on nmap for TCP/UDP service checks). Installation is also simple. It generates HTML with all statuses, and for all services just in one view."



 GnomeVOICE

Pre-Plunge Questions
Scribbled by Frank Owen

"I have been trying to read up on Linux for a while now; reading your Penguin Shell (which even though I know little to nothing about Linux, I've found very fun & informative), perusing the websites & chat boards, etc.

"I don't currently have a Linux distro, but I have been contemplating getting Red Hat 8.0 personal edition. One of my concerns is hardware compatibility. I have an HP Pavilion with a P4 2.53 ghz processor, 768 megs of DDR ram, an 80 gig hard drive, with Win XP Home OS. I'm assuming this meets all requirements, but am not sure. A call to Red Hat only brought a ten-minute wait on hold and a salesperson that didn't know what a Pentium processor was, let alone knew if Red Hat supported P4.

"Any help there would be awesome.

"My next question was whether or not to dual-boot, or just splurge for a new hard drive, and a multiple drive selector. I hope this isn't asking for too much of your time, but I really haven't been able to find any satisfactory answers elsewhere.

"Thanks very much for any help you can give me. I really like your newsletter and I hope you keep it coming for a long time to come."



 GnomeCLICK

I've Installed Linux, What Next?

http://www.firstlinux.com/articles/WhatNext.shtml

This is one of the very few intentionally repeated links in the year-plus history of Penguin Shell. The site is based on a common question: what's next after installing Linux. It's a question that's almost as important as any other question asked regarding Linux. It's one thing to complete a quick and easy install - it's altogether another to put Linux to solid use in your everyday computing. That's where the real Linux users are born. Today's GnomeCLICK asks and answers that fundamental question with lots of tips, tricks and tools to make Linux your everyday platform.



©2002, Lockergnome LLC. ISSN: 1095-3965. All Rights Reserved. Please read our Terms of Service. Our Web site is hosted by DigitalDaze. Domain registered at DNS Central. Powered by Lyris ListManager
