Regarding the October 2009 issue's article on hostile network protection [see Mick Bauer's “Brutally Practical Linux Desktop Security”], I've also found the following iptables rules render my laptop effectively invisible without adversely affecting Web browsing, e-mail, SSH and nearly everything else I do from hotel rooms or while drinking my morning coffee:
iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT ACCEPT
While most canned kernels will come with everything needed, those who prefer to roll their own will need to ensure that Netfilter and its connection state matching component (NETFILTER_XT_MATCH_STATE) are required. Many of the other Netfilter modules can make life easier as well, so they're worth looking through if you'll need to recompile anyway.
Some of the messier protocols may not work through these rules, so it's
best to stay within your distro's init.d firewall script to make them easy
to turn on and off. Thanks for the great work guys!
E. Stuart Hicks
Normally I just don my invisibility cloak when I'm using public Wi-Fi, but your method is certainly more reproducible. And, it works outside of fantasy novels. All joking aside, I usually set up a VPN the moment I connect to public access points. Unfortunately, that can adversely affect bandwidth. Thanks for the tip on how to be a bit more stealthy.—Ed.
I am finishing a a Master's degree in Education and have generated many
pages of various types of documentation in completing my work. I cannot
imagine doing this with anything but Linux. The multiple desktops available
in Linux made it easy to generate a research report while having multiple
on-line journals open, simultaneously generating and inserting graphics
into the report, without the multiple layers of overlapping windows the
popular operating systems force you to use. It seems to me that the true
utility of Linux gets lost when we compare ourselves to Windows and Mac,
rather than setting the unique and useful aspects of Linux as metrics for
Windows and Mac to meet. For me, the multiple desktop function is one of
the single-most useful utilities of Linux in getting real work done. I
cannot operate with a single window open. I wonder how many other Linux
users recognize this as one of many important strengths of our favorite
Whenever I'm speaking about Linux to a group of enthusiasts, I stress that Linux is awesome enough to stand on its own. When it comes to the desktop experience, you're absolutely right, Linux has nothing to prove. If we can eliminate the dependence on proprietary software, I think Linux will be the obvious choice for most people on the desktop.—Ed.
David Penman, in the September 2009 Letters section, talked about something very important
in system administration. I don't see it enough.
When you modify system configuration files as root, always make a backup.
RCS is a fantastic tool to see how a file changed—it takes discipline.
Just make an RCS/ directory; you don't even see the
But often changing configuration files has negative effects weeks after
Rolling back to the original package is a last-ditch effort.
I've been reading your magazine and learning/using Linux on two desktops
and purchased a Dell notebook with Ubuntu. Then, when my old desktop PC died,
I bought a Dell 530/Vista because it was on sale (Dell's computers with Ubuntu
don't seem to go on sale). I installed a second hard drive and proceeded to
install Ubuntu 9.04. Imagine my surprise to find no modem support! I
downloaded, but could not get gnome-network-admin to work. I wasted hours
of time downloading/installing GNOME ppp and dependencies and configuring the
modem. I had to download files with Vista and xfer to Ubuntu with a thumbdrive. Vista worked out of the box with its included Dell modem. Vista
also worked out of the box with my US Robotics PCI modem (I didn't need to
install any software). Ubuntu's decision to break or not offer the modem
software seems to be a foolish thing to do—especially if they intend to
reach out to the nongeek PC users. And we wonder why we can't get more
people to use Linux on the desktop. I know I'm just one small voice in the
Linux community. Thanks for reading!
I must admit it's been quite a few years since I've used dial-up networking, but it is sad you had such a hard time setting up your modem! I know in years past “winmodems” were very difficult to configure due to Windows-only drivers. Now it seems the frustration is with Windows-only Wi-Fi drivers. It seems like a conspiracy to keep Linux users from communicating! It sounds like you did get things going, but hopefully the Ubuntu team won't forget about the many folks still using dial-up.—Ed.
I read with interest the continued discussion regarding Linux on the
desktop [see the September 2009 Letters]. I am old enough to remember the
Windows war. In those days, lots and lots of Microsofties were unleashed
onto an unsuspecting Usenet; their job was to portray ordinary users
trashing OS/2 and defending Windows. The two letters you published
look like MS is doing again what it is known to have done before, only this
time it is trashing Linux instead of OS/2. The incredulity of the original
assertion (Linux lacks stability) is what makes me strongly suspect MS
operatives are at work here. Back then, IBM didn't know what hit them. This old
adage rings true: “Fool me once shame on you, fool me twice shame on
Re: Mick Bauer's “Brutally Practical Linux Desktop Security” [October 2009 issue]: why not make the target for an aggressor as small as possible—a kernel with only the drivers and modules your laptop needs? A filesystem like debootstrap or your distro's base system? It's much less exposure, as you have installed only what you use from the hardware up.
Thanks for all the fine Paranoid Penguin articles Mick. Editor, I would like to
see more meat in the diet.
Mick Bauer replies: One cool thing about loadable kernel modules is that when you don't have a given piece of hardware attached, the corresponding modules generally won't load. But I get your broader point that just as unnecessary userspace software should be uninstalled or disabled, so should unnecessary kernel code—you're quite correct that hardening is about minimizing your attack surface.
I've long advocated running custom-compiled kernels on bastion servers for that very reason. But in my article's specific scenario of preparing a laptop for a trip, that might be more trouble than it's worth (especially given my earlier point). It's the difference between spending 45 minutes or less hardening your system and spending hours. For most users (certainly for nonexperts), compiling kernels remains one of the uglier and more time-consuming parts of the Linux experience.
Thanks so much for your kind words! We're all doing what we can to maintain and even improve LJ's protein-to-carb ratio.
Having used a similar method to what Kyle Rankin describes in “Spam: the Ham
Hack” [October 2009], I'm happy to have found OtherInbox.com, which automates most of the
process. You can use it with your own domain or with their own and a
personalized subdomain. You can create an e-mail address on the fly, and it
automatically will create a corresponding mailbox. I encourage people who
are having trouble managing their e-mail to check it out.
I am very new to Linux Ubuntu, and I can't find any program I can download
that will give me MP3 availability (like Limewire) that will
download successfully. Can you help? I also am having trouble finding a
music notation program that does not cost the earth. I used to run
Cappella, but that runs only on Windows. I am not a computer buff, so any
suggestions need to be at dummy level.
Limewire should work on Linux. You'll need to install Java first, if it's not already installed. See this link for more on some music notation programs for Linux: www.linuxjournal.com/content/music-notation-programs-recent-releases.—Ed.
I have used Linux since Slackware 0.91, but I still have trouble getting
headphones to work.
I have the latest Ubuntu and just expected that when I plugged in my new
Logitech headphones, they would work automatically and all sound would go
How do I make that happen?
At LinuxCon in September 2009, I heard the kernel developers speak of this very issue. Apparently, audio hardware is one of those things that is so inconsistently built, getting all the different revisions to work proves to be very difficult. With Windows, you can download a specific driver from the vendor, but as Linux users, we must depend on drivers based on “standards” that should be built in to hardware. Sadly, those standards rarely are in place. Sometimes it's possible to Google for a specific hardware configuration and find settings to tweak in order to make things like headphones work. Either way, it's frustrating as an end user to have something as simple as headphones not work.—Ed.
I am not a computer specialist, nor do I have any interest in
computer code. But, I use a computer most of the day, every day. Having been
stuck with Windows (which I don't like because of the way everything I do
is controlled by Microsoft), I recently bought a small laptop with Linux as
the operating system. It is an absolute disaster area. To start, it is
incompatible with 3 mobile broadband (I have read a number of blogs, and
even the experts agree on that). I have had no success in loading Java,
which is essential for the work I do. And, I can't even load a 56k modem for
emergency use. In short, it is totally useless to me, and I am going to have
to load up Windows XP instead, much against my wishes. I had hoped that
Linux was a serious competitor to Microsoft, but in reality, it is
light-years away, strictly for computer specialists. Of course, I could spend days
and days reading about how to make it work, but why should I? I only want
to use the computer, not re-invent it. Kernels, shells, command
prompts—these things are of no interest to me whatsoever. It's back to the dark days
of MS-DOS all over again.
I'm sorry to hear you're having such a bad Linux experience. You should be able to install Java on your laptop without a problem. The Sun distribution works fine on my Linux system. I also see indications on the Internet that people have been able to get 3 mobile broadband to work with Linux. Modems shouldn't be a problem either. Without knowing more about what distribution you have and what hardware you have, it's hard to be much more specific.
Concerning your remarks about the command line and the dark days of MS-DOS, I always find these types of comments interesting, because in my opinion, Microsoft took a giant step backward when it decided to poo-poo the command line. A decent shell (which command.com and/or cmd.exe never were) and a good complement of shell commands, at least for certain types of work, give you power that doesn't exist anywhere in the GUI world.
Having said all that and implied much more, in no way should it be taken that I think Linux is perfect. It's not. But by the same token, Windows has its own set of problems. I often find it as frustrating to work with as you're finding Linux to be.
If you'd like to post some of the details of your Linux troubles on the LinuxJournal.com forums, we'll try our best to help you through them.—Ed.
I was just reading John Knight's “Fresh from the Labs”, specifically the article on htop, in the October 2009 issue. htop is great, and I have been using it for quite some time. To quote from the article: “...enter the usual:”
$ ./configure $ make $ sudo make install
“the usual”? I do not use sudo, and I do not use Ubuntu. A minor thing, I agree. Today it just annoyed me. Thanks for a great magazine.
PS. Yes, I work for Mandriva, but it's not the only distro I use.
also use Slackware, Fedora and Absolute Linux.
John Knight replies: An angry letter, at last! This is my first one for LJ. I thought it'd come from a Debian developer though (I've been stirring them up for several years)....
htop's brilliant, isn't it? Yes, I know what you mean about Ubuntu-isation of Linux, and it annoys me too, but isn't sudo on most modern distros, and its use encouraged? Note that sudo isn't a Ubuntu invention (quote from Wikipedia): “The program was originally written by Bob Coggeshall and Cliff Spencer around 1980 at the Department of Computer Science at SUNY/Buffalo. The current version is under active development and is maintained by OpenBSD developer Todd C. Miller and distributed under a BSD-style license.”
I can't speak for Oklahoma, but here in Australia in the LUGs, the use of sudo is more or less assumed, and the use of root logins discouraged (and strangely enough, the local LUGgers seem to gravitate toward Debian). Nevertheless, I used to write “(as root or sudo)” before the make install command, but figured it was about time just to use sudo for cleanliness' sake. Do you think I should switch back?
Have a photo you'd like to share with LJ readers? Send your submission to firstname.lastname@example.org. If we run yours in the magazine, we'll send you a free T-shirt.
Webinar: 8 Signs You’re Beyond Cron
11am CDT, April 29th
- Users, Permissions and Multitenant Sites
- New Products
- Not So Dynamic Updates
- Flexible Access Control with Squid Proxy
- Security in Three Ds: Detect, Decide and Deny
- DevOps: Everything You Need to Know
- Tighten Up SSH
- Solving ODEs on Linux
- Non-Linux FOSS: MenuMeters
- diff -u: What's New in Kernel Development