Wednesday, 01 June 2011
Using Firewall Builder Objects for Linux Firewalls
Firewall Builder is one of the most powerful and user-friendly firewall creation utilities available for Linux. One of the many reasons Firewall Builder is both powerful and easy to use is its objects feature. Objects are reusable elements that can be added and removed from firewall rules by dragging and dropping the object into firewall rules. Firewall Builder comes with plenty of pre-defined objects that can be used right away, and also makes for easy creation of new objects.
Objects are so crucial to the ease of use and understanding of Firewall Builder that I want to dedicate this entire article to the creation, editing, and use of objects. With a sound understanding of objects under their belt, anyone should be able to create secure and flexible firewalls to fit nearly any need.
Firewall Builder stores objects in what are known as Libraries. By default Firewall Builder includes two Libraries:
Standard: The predefined objects that can be dragged and dropped into firewalls. These objects cannot be edited.
User: An empty, pre-categorized library where users can add their own objects and then drag and drop them into firewalls.
To select a library, click on the Library drop-down (see Figure 1) and select either the Standard Library or the User Library. Let's say, for example, the firewall being created will be used to secure an HTTP server. Why bother creating TCP/UDP service objects when they already exist in the Standard Library? Simply open up the Standard Library (click the Library drop-down and click Standard), expand the Services entry, expand the TCP entry, and the HTTP and HTTPS entries will be available. Drag and drop all of the related entries necessary for the new firewall into the desired rules.
Another way to find an object is to use the convenient filter feature, located just below the Library drop-down, which lets you quickly filter the objects in the tree to find what you are looking for.
It is also possible to create a Custom Library by clicking the drop-down to the left of the Libraries drop-down and selecting New Library.
In my previous article I discussed how to create objects specific to a firewall used for SSH connections into a host. The methods discussed in that article describe the creation of objects in the User Library. One of the nice features of Firewall Builder is that those objects can then be reused in other firewalls. So even if the objects were initially created for the SSH firewall, they can be re-purposed for a firewall focused on a Web server. That doesn't just apply to services; any of the objects created for a previous firewall can be re-used over and over.
Don't think objects are limited to services or addresses. In fact quite a few object types can be created and used, and here is a listing of the types:
Address Ranges: A range of addresses can be configured into a single object.
Address Tables: An address-based object that can be created when a range of addresses is needed but the actual addresses are not known when the firewall or policy is being written. The Address Tables object has an added feature that allows the object to be loaded at either compile time (during firewall compilation) or run time (when the generated firewall script runs). More on this in a moment.
Addresses: A single address that can be used for an interface, source, or destination (such as a host).
DNS Names: This object represents a DNS "A" or "AAAA" name and resolves to an IP address at either compile or run time. This highlights the intelligence of the compiler and its ability to resolve names to addresses during compilation.
Groups: A group is a container that holds references to multiple objects of the same or similar type (Addresses, Address Ranges, Network Objects).
Hosts: A host object represents hosts on a network: desktops, workstations, and any other network node that has a network address.
Networks: This object describes an IP network or an entire subnet.
Groups deserve a closer look. When a new group is created (see Figure 2) the member objects can either be created from within the configuration of the group itself (click the "Create new object and add to this group" drop-down) or objects can be dragged and dropped into the group from one of the Libraries. At compile time the Firewall Builder compiler will determine whether a group should be expanded into multiple chains or whether a single chain can take care of the group.
Make sure the name given to the group adequately describes its purpose, so that the group can be re-used without having to examine its contents.
Address Tables are incredibly handy. Essentially this object allows you to put a list of addresses and/or networks into a rule, even if the actual addresses are unknown at the time the rule is created. What must be done, however, is that (once the addresses are known) a file is created to house the addresses. That file's name and location are configured in the Address Tables setup (see Figure 3).
To configure the file the addresses will be read from, click the Choose File button and then navigate to the file.
When you have configured the Address Table to be aware of the file containing the addresses, it is also possible to directly edit the file from within Firewall Builder. To do this click the Edit File button and the Firewall Builder Script Editor will open (see Figure 4).
Figure 4: the Firewall Builder Script Editor
You can create a file using the script editor, just enter the full path to the file and click Edit. The file will be created when you click Save.
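Address Tables are the one object type whose contents live outside the firewall definition, so it helps to see what happens to that file when the table is loaded at run time. The following added example (not Firewall Builder's own code; the file format, the /etc/fw/blocked.tbl path and the sample entries are assumptions) parses an address-table file, rejects malformed lines, and expands valid entries into the per-address iptables rules that a run-time-loaded table produces.

```python
"""Expand a Firewall Builder-style Address Table file into iptables rules.

Added example, not Firewall Builder's own code. The file format is assumed
to be one address or network per line, '#' starts a comment, blank lines are
ignored, and networks may use CIDR or dotted-netmask notation. Malformed
entries are reported instead of being turned into rules, because a run-time
table is read by the firewall script itself, so a bad line would otherwise
break or silently weaken the policy.
"""
import ipaddress

# Constructed sample of an Address Table file, e.g. /etc/fw/blocked.tbl (hypothetical path)
SAMPLE_TABLE = """\
# hosts and networks blocked from the web server
203.0.113.7
198.51.100.0/24
192.0.2.0/255.255.255.128   # trailing comment is allowed
2001:db8::/32
10.0.0.300                  # malformed on purpose, must be rejected
"""


def parse_address_table(text):
    """Return (networks, errors): networks in file order, errors as (line_no, entry)."""
    networks, errors = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not entry:
            continue
        try:
            # strict=False keeps an entry like 192.0.2.5/24 usable instead of raising;
            # a plain host address becomes a /32 or /128 network
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            errors.append((line_no, entry))
    return networks, errors


def table_rules(chain, networks, action="DROP", match="-s"):
    """Emit one iptables/ip6tables rule per entry, the way a run-time table expands."""
    rules = []
    for net in networks:
        tool = "ip6tables" if net.version == 6 else "iptables"
        if net.prefixlen == net.max_prefixlen:
            target = str(net.network_address)  # single host: no prefix needed
        else:
            target = net.with_prefixlen
        rules.append(f"{tool} -A {chain} {match} {target} -j {action}")
    return rules


if __name__ == "__main__":
    nets, errs = parse_address_table(SAMPLE_TABLE)
    for line_no, entry in errs:
        print(f"rejected line {line_no}: {entry!r}")
    print("\n".join(table_rules("INPUT", nets)))
```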
The services objects are all fairly self-explanatory (Custom, Groups, ICMP, IP, TCP, UDP, Users). The only Service that may need explanation is the TagServices. The TagServices object allows packets to be tagged by one rule and then acted on by another rule. Packet tagging is fairly complex. Essentially a TagServices object is created and configured with either a tag number or string. To match a tag in a rule just drag and drop the service object to the Service column of the rule. To create a rule that sets the tag, set the Action to Tag and drag and drop the TagService to the bottom of the screen where it says "Drop object here."
It is also important to know that TCP and UDP Services can have definitions for both source and destination ports configured and that if a configuration of 0 is used all ports will be matched. Say, for example, it is necessary to create a service for HTTP using port 8080 as the destination, but a specific source port is not necessary. To do this enter 8080 as the destination port and leave the source port as is (set at 0).
A handy trick to know is how to locate where a service is being used within a firewall. With a firewall open, navigate to a service (either from the Standard or User Library) and right-click the service. When the context menu opens select Where Used. A pane will open in the lower half of the Firewall Builder window (see Figure 5) that will, upon clicking the Find button, display where the service is used within the firewall. This is especially handy when trying to troubleshoot a particular firewall.
If any child services were created from the original, make sure to search for those as well.
The creation and manipulation of objects is the foundation on which all firewalls are built within Firewall Builder. Because objects make the creation of firewalls more efficient and user friendly, it is important to understand how they can best be used. When used correctly, Firewall Builder objects make the administration of firewalls a far easier task.
How To Install A (Canon) Printer On Debian And Debian-Like Systems
This tutorial will cover how to install the well-known CUPS printing system, and optionally how to get your Canon printer working. There are extra details about where to find Canon drivers and how to install the "Print to PDF" feature.
If you didn't select any task during the Debian network installation, you will need to download and install a few packages.
Run the following command as root:
# apt-get install cups cups-client "foomatic-db*"
This will install CUPS and download a database of printer drivers.
As the Debian distribution installs a secure Linux system on your computer, most of the permissions that come with installed packages are "opt-in". This means you have to explicitly grant permission to users so that they can print.
This is done by adding them to the lpadmin group:
# adduser YOUR_NORMAL_ACCOUNT lpadmin
Power on and plug in your printer, and then browse to http://localhost:631/
Go to the Administration tab and click Add printer. At that point you will be required to type your normal user and password (not root).
CUPS will look for printers available on the network or attached to your computer.
Choose your printer in the Local printers section.
Fill in the form if you want to, then see if your printer driver is in the list.
NB: Your exact model number is probably not in the list, however if you've got a 3030 printer, the 3000 driver is the one you need.
If you don't find your printer in the list, either no driver exists for anything other than Windows / Mac OS, or the driver is proprietary (non-free).
If you bought a Brother or HP printer, you're lucky because all of their current printers come with an open-source driver. Install the hplip package for Hewlett Packard printers.
You can't find Canon drivers in the non-free repositories. You have to go to the Canon website and download them.
Go to www.canon.com, select your country and language, then go to the Support page, find your printer (in category "Printer" or "Multifunction").
Choose "Linux" as your operating system. Leave the language setting as it is (the drivers may be hidden if the included manual doesn't exist in your language).
Download that UFR II driver file.
You'll end up with a zip file / archive.
Open your Terminal again, change to your Downloads directory, and unzip that file:
$ unzip *ufr2*.zip
The unzipped directory is named after the language you chose, e.g. "english" or "italiano". cd to that directory, then open the "driver" directory corresponding to your architecture (32 or 64 bits), and finally open the RPM folder.
As you may know, RPM is the "Red Hat Package Manager", but Debian uses APT. RPM files have the ".rpm" extension and Debian packages get a ".deb" extension.
So, we will have to convert them.
For that purpose, install a program called alien. And I'd advise installing fakeroot as well. (Fakeroot allows you to work on Debian packaging without root privileges, which are not needed until the installation part.)
# apt-get install alien fakeroot
Then convert the packages:
$ fakeroot alien --to-deb *.rpm
Finally you can now install them as usual:
# dpkg -i *.deb
Reload the "Add printer" page on the CUPS web interface, and this time you should be able to find your printer model in the list. (You can also press "Choose another ...." and go back to "Canon" again.)
You should not need to restart cups, but if you want to, just to be sure, do the following as root:
# service cups restart
Voilà! You've successfully installed your printer!
Here is a trick that could be helpful. If you're using an application that doesn't provide an "Export to PDF" function, you can simply print as normal and select a special "PDF printer."
In order to do that, you have to install the "cups-pdf" package:
# apt-get install cups-pdf
Your "PDF printed" documents will be put in a folder called "PDF" in your home directory, i.e. ~/PDF/
You may have to create this directory yourself if you have issues with the cups PDF printer.
The CUPS web user interface is the place to go whenever you need to manage your printers and print jobs, or find the reasons for printing issues. You can pause or cancel a job and even re-print a document.
Note you have to modify your /etc/cups/cupsd.conf configuration file if you want the interface to be accessible from other computers in your network.
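That note is the point where a printer setup turns into a network-reachable service, so here is an added example (not part of the tutorial, nor CUPS code) that reads the two cupsd.conf settings involved, the Listen/Port directives and the Allow lines of the <Location /> and <Location /admin> blocks, and reports whether hosts other than localhost can reach each part of the web interface. It models only Allow/Deny under Order allow,deny (an assumed simplification) and works on constructed config fragments rather than a live file.

```python
"""Report who can reach the CUPS web interface according to cupsd.conf.

Added example, not part of the tutorial or of CUPS. Two things decide remote
access: which addresses cupsd binds ('Listen host:port', 'Port N') and which
client hosts each <Location> block admits ('Allow ...'). cupsd always admits
localhost; anything else must be listed. Only 'Allow' under 'Order allow,deny'
is modelled here, which is an assumed simplification of the real rules.
"""
import re

# Constructed fragment matching Debian's shipped defaults (local access only)
DEFAULT_CONF = """\
Listen localhost:631
Listen /var/run/cups/cups.sock
<Location />
  Order allow,deny
</Location>
<Location /admin>
  Order allow,deny
</Location>
"""

# Constructed variant: bound on all interfaces, LAN admitted to '/' but not to '/admin'
LAN_CONF = DEFAULT_CONF.replace("Listen localhost:631", "Port 631").replace(
    "<Location />\n  Order allow,deny",
    "<Location />\n  Order allow,deny\n  Allow 192.168.1.0/24")

LOCAL_ONLY = {"localhost", "127.0.0.1", "::1", "[::1]"}


def parse_cupsd(text):
    """Return (listen_addrs, locations): listen_addrs as strings, locations as {path: [allow, ...]}."""
    listens, locations, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<Location\s+(\S+)>", line)
        if m:
            current = m.group(1)
            locations.setdefault(current, [])
            continue
        if line == "</Location>":
            current = None
            continue
        words = line.split()
        if words[0] == "Listen":
            listens.append(words[1])
        elif words[0] == "Port":
            listens.append("*:" + words[1])  # Port N binds every interface
        elif words[0] == "Allow" and current is not None:
            locations[current].append(words[-1])  # 'Allow X' or 'Allow from X'
    return listens, locations


def listens_beyond_localhost(listens):
    """True if any TCP listener is bound to something other than a loopback name/address."""
    for addr in listens:
        if addr.startswith("/"):  # Unix domain socket: local processes only
            continue
        host = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if host not in LOCAL_ONLY:
            return True
    return False


def remote_access(conf_text, path="/admin"):
    """True when a non-localhost client can both connect and pass the Location's Allow list."""
    listens, locations = parse_cupsd(conf_text)
    remote_allowed = any(a not in LOCAL_ONLY for a in locations.get(path, []))
    return listens_beyond_localhost(listens) and remote_allowed


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("lan", LAN_CONF)):
        for path in ("/", "/admin"):
            print(f"{name}: {path} reachable from other hosts: {remote_access(conf, path)}")
```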
Weekend Project: Manage Bugs with Mantis
All kinds of organizations need bug trackers. Whether it's software developers, Web site developers, or just organizations with significant IT needs, bugs must be tracked. (And, you know, fixed.) To that end, there are plenty of bug tracking tools available, but none that are open source and as easy to install and manage as Mantis Bug Tracker. This weekend, get started tracking bugs with Mantis!
Since the installation of Mantis is such an easy (and well documented) task, I want to focus on the management and flow of the work done within the tool. This means managing projects as well as reporting and managing the flow of reported bugs. The only assumption made will be that Mantis is already up and running.
Before bugs can be reported, there must be a project to report bugs on. In order to manage projects, log into Mantis as the administrative user and then click on the Manage link. From this new page (see Figure 1), click on the Manage Projects link.
Obviously, all Mantis management is tackled from this page, so make sure whoever has the key to this kingdom knows what they are doing — or should, anyway.
From within the Manage Projects page all that is necessary is to click the Create New Project button. From within the new page, the following information is necessary:
Project Name: Human-readable name for the project. This is the only field that is required.
Status: Choose from development, release, stable, obsolete.
View Status: Choose from public or private.
Inherit Global Categories: On or off.
Upload File Path: Path for file uploads. This path must be readable and writable by the web server and does not need to be (and should not be) within the document root or the Mantis directory.
Description: Human-readable description of the project.
Below the Description there are other fields that can be filled out. Per-project categories can be created on this page. Per-project categories are very important and useful for making the flow of bugs easier to follow. Getting as granular as possible in the categorization will not only make it easier for developers and admins to follow the flow of information, it will also make it much easier for reporters to report bugs (and be more specific when doing so). Use this only if there will be categories that relate only to this particular project. The main categories are global and can be used by all projects.
There is one small hiccup with creating the categories at this point. When a category is created, it's always smart to assign that category to a user. But if no users have been created, this isn't possible. To really make the most out of the system, each category should be assigned a lead so all notifications can be funneled to the proper person. So, instead of creating Categories next, migrate over to users and create the users that will serve as the heads of the various categories. Don't worry, the project can be modified later, after users have been created. Naturally, this won't be necessary on a Mantis installation that already contains the necessary users.
The management of users is a fairly straightforward task, but it's one that's quite important. When users are created they are assigned an access level which dictates their effective permissions within Mantis. So, it should go without saying, pay close attention to the access level of a new user. To create said new user click on (from the Mantis home page) Manage > Manage Users. From the Manage Users page, click the Create New Account button and fill out the necessary information:
Username: The username the user will log in with.
Real Name: The human-readable name of the user.
E-mail: E-mail address for the user.
Access Level: Choose from viewer, reporter, updater, developer, manager, or administrator.
Enabled: Check to enable the user. Uncheck to temporarily disable the user.
Protected: When an account is protected its attributes cannot be changed.
With the users created, it is now possible to assign categories to those users to further refine how Mantis is used.
Go back to the Manage Projects page. From this page it is possible to create Global Categories. As mentioned earlier, Global Categories are available to all projects, so do not create categories here that relate to a specific project. To create a category simply type the category name in the field to the left of the Add Category button and click Add Category. This will add the category, but will not assign the category to a user. In order to assign a category to a user click the Edit button associated with the category, which will open that category up for editing (see Figure 2).
At this point the category name can also be changed.
To assign the category to a user, just select the user from the drop-down and then click Update Category. With the project, categories, and users created it is now possible for users to report bugs against the project.
As crucial as categories are to the ability of reporters and managers to work the flow of information, email alerts are, without a doubt, the single most important feature of Mantis for quick response to issues. These alerts make those who need to know aware when bugs are reported and/or have status changes. This feature, of course, requires a working SMTP server configured in the config_inc.php configuration file. With that in place, do the following:
Go to the Mantis main page.
Click on the Manage link.
Click on the Manage Configuration link.
Click on the E-mail Notifications link.
Configure Access Levels for each user type (see Figure 3).
Click Update Configuration.
Settings highlighted in green override all others. Settings in blue are project-specific.
The flow of bug tracking can range from the fairly simple to the very complex. This is dictated by how detailed bugs become, how frequently bugs are reported, and how granularly those bugs are managed. Regardless of how complex your bug reporting gets, this is how Mantis manages the flow of bugs:
User logs onto the Mantis site.
User reports an issue for a particular project, making sure to select either a Global or Project-specific category.
Notification is sent to the Project Manager (or whoever is configured to receive notifications).
Manager (or administrator) of the project confirms the bug and assigns it to a developer.
Developer resolves the bug and sets its status to resolved.
Manager (or administrator) can then close the bug when the resolution is confirmed.
As is shown in Figure 4, it is very easy to access quite a large amount of information about a bug. Each blue link is clickable and will reveal different aspects of an individual bug, a category, a user, a project, and more.
In this example there are two projects with a bug attached, Mobuntu and WidgetOne.
A user with the correct permissions could click on any of the listed bugs and view, edit, promote, demote, assign, and much more. Bugs can even have their status changed in batches by checking off all the bugs to be changed and then selecting the new status from the drop-down (below the bug listing window). Once the new status is selected, click the OK button to update. Depending on the change, a new window may open for user interaction (such as when assigning bugs).
Different companies will use Mantis differently. Some will be able to function with just the very basics, whereas others will depend upon a highly detailed usage. Regardless of how it is used, it is important to know that Mantis Bug Tracker offers numerous ways to manage the flow of bugs in and out of the system.
Paravirtualization With Xen On CentOS 5.6 (x86_64)
This tutorial provides step-by-step instructions on how to install Xen (version 3.0.3) on a CentOS 5.6 (x86_64) system.
Xen lets you create guest operating systems (*nix operating systems like Linux and FreeBSD), so called "virtual machines" or domUs, under a host operating system (dom0). Using Xen you can separate your applications into different virtual machines that are totally independent from each other (e.g. a virtual machine for a mail server, a virtual machine for a high-traffic web site, another virtual machine that serves your customers' web sites, a virtual machine for DNS, etc.), but still use the same hardware. This saves money, and what is even more important, it's more secure. If the virtual machine of your DNS server gets hacked, it has no effect on your other virtual machines. Plus, you can move virtual machines from one Xen server to the next one.
I will use CentOS 5.6 (x86_64) for both the host OS (dom0) and the guest OS (domU).
This howto is meant as a practical guide; it does not cover the theoretical background, which is treated in a lot of other documents on the web.
This document comes without warranty of any kind! I want to say that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!
This guide will explain how to set up image-based virtual machines and also LVM-based virtual machines.
Make sure that SELinux is disabled or permissive:
vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=disabled
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted
If you had to modify /etc/sysconfig/selinux, please reboot the system:
reboot
To install Xen, we simply run
yum install kernel-xen xen
This installs Xen and a Xen kernel on our CentOS system.
Before we can boot the system with the Xen kernel, please check your GRUB bootloader configuration. We open /boot/grub/menu.lst:
vi /boot/grub/menu.lst
The first listed kernel should be the Xen kernel that you've just installed:
[...]
title CentOS (2.6.18-238.9.1.el5xen)
        root (hd0,0)
        kernel /xen.gz-2.6.18-238.9.1.el5
        module /vmlinuz-2.6.18-238.9.1.el5xen ro root=/dev/VolGroup00/LogVol00
        module /initrd-2.6.18-238.9.1.el5xen.img
[...]
Change the value of default to 0, so that the first kernel (the Xen kernel) will be booted by default.
The complete /boot/grub/menu.lst should look something like this:
# grub.conf generated by anaconda
#
# Note that you do not have to rerun grub after making changes to this file
# NOTICE: You have a /boot partition. This means that
# all kernel and initrd paths are relative to /boot/, eg.
# root (hd0,0)
# kernel /vmlinuz-version ro root=/dev/VolGroup00/LogVol00
# initrd /initrd-version.img
#boot=/dev/sda
default=0
timeout=5
splashimage=(hd0,0)/grub/splash.xpm.gz
hiddenmenu
title CentOS (2.6.18-238.9.1.el5xen)
        root (hd0,0)
        kernel /xen.gz-2.6.18-238.9.1.el5
        module /vmlinuz-2.6.18-238.9.1.el5xen ro root=/dev/VolGroup00/LogVol00
        module /initrd-2.6.18-238.9.1.el5xen.img
title CentOS (2.6.18-238.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-238.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-238.el5.img
Afterwards, we reboot the system:
reboot
The system should now automatically boot the new Xen kernel. After the system has booted, we can check that by running
uname -r
[root@server1 ~]# uname -r
2.6.18-238.9.1.el5xen
[root@server1 ~]#
So it's really using the new Xen kernel!
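A mistyped default= line in menu.lst is only discovered after the reboot, so here is an added check that is not part of the original tutorial: it parses a legacy GRUB menu.lst in the layout shown above (a default=N line, then title stanzas whose indented root/kernel/module/initrd lines belong to the preceding title) and confirms that the default entry boots xen.gz together with a kernel whose name ends in xen. It runs on a constructed copy of the file with default=1 so the failure case shows; point it at the real file before rebooting.

```python
"""Sanity-check a legacy GRUB menu.lst before rebooting into the Xen kernel.

Added example, not part of the original tutorial. The Xen entry in menu.lst
has 'kernel /xen.gz-...' (the hypervisor) followed by 'module /vmlinuz-...xen'
(the dom0 kernel); a plain entry has 'kernel /vmlinuz-...' instead. The check
below reads default=N, finds stanza N and verifies that shape.
"""
import re
import sys

# Constructed menu.lst mirroring the tutorial's layout, with default=1 on purpose
SAMPLE_MENU = """\
# grub.conf generated by anaconda
#boot=/dev/sda
default=1
timeout=5
hiddenmenu
title CentOS (2.6.18-238.9.1.el5xen)
        root (hd0,0)
        kernel /xen.gz-2.6.18-238.9.1.el5
        module /vmlinuz-2.6.18-238.9.1.el5xen ro root=/dev/VolGroup00/LogVol00
        module /initrd-2.6.18-238.9.1.el5xen.img
title CentOS (2.6.18-238.el5)
        root (hd0,0)
        kernel /vmlinuz-2.6.18-238.el5 ro root=/dev/VolGroup00/LogVol00
        initrd /initrd-2.6.18-238.el5.img
"""


def parse_menu_lst(text):
    """Return (default_index, stanzas); each stanza is {'title': str, 'lines': [(cmd, arg), ...]}."""
    default, stanzas = 0, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"default\s*=\s*(\d+)$", line)
        if m:
            default = int(m.group(1))
            continue
        parts = line.split(None, 1)
        cmd, arg = parts[0], (parts[1] if len(parts) > 1 else "")
        if cmd == "title":
            stanzas.append({"title": arg, "lines": []})
        elif stanzas:  # indented line belongs to the most recent title
            stanzas[-1]["lines"].append((cmd, arg))
    return default, stanzas


def check_default_is_xen(text):
    """Return (ok, message); ok only when the default entry boots xen.gz with a *xen kernel module."""
    default, stanzas = parse_menu_lst(text)
    if default >= len(stanzas):
        return False, f"default={default} but only {len(stanzas)} entries exist"
    entry = stanzas[default]
    kernel = next((a for c, a in entry["lines"] if c == "kernel"), "")
    modules = [a for c, a in entry["lines"] if c == "module"]
    if not kernel.startswith("/xen.gz"):
        return False, f"default entry {default} ({entry['title']}) boots {kernel or 'nothing'}, not the Xen hypervisor"
    if not any(a.split()[0].endswith("xen") for a in modules if a.startswith("/vmlinuz")):
        return False, f"default entry {default} loads xen.gz but no Xen dom0 kernel module"
    return True, f"default entry {default} ({entry['title']}) boots Xen"


def xen_entry_index(text):
    """Index of the first stanza whose kernel is xen.gz (the value default= should have), or None."""
    _, stanzas = parse_menu_lst(text)
    for i, s in enumerate(stanzas):
        if any(c == "kernel" and a.startswith("/xen.gz") for c, a in s["lines"]):
            return i
    return None


if __name__ == "__main__":
    # Usage: python3 check_menu_lst.py [/boot/grub/menu.lst]; without an argument the sample is used
    menu = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MENU
    ok, msg = check_default_is_xen(menu)
    print(("OK: " if ok else "FIX: ") + msg)
    if not ok:
        print(f"set default={xen_entry_index(menu)} in /boot/grub/menu.lst")
```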
We can now run
xm list
to check if Xen has started. It should list Domain-0 (dom0):
[root@server1 ~]# xm list
Name ID Mem(MiB) VCPUs State Time(s)
Domain-0 0 3343 2 r----- 18.1
[root@server1 ~]#