My personal notes on all things technical and factual....

Fri, 20 Jan 2012

/Linux/misc: Running and Installing Debian from a USB Stick

So unbelievably easy[1]:

cat debian.iso > /dev/sdX
sync

I grabbed the latest net install[2] ISO, did the above, popped it into my new laptop, hit F12 during boot to get the boot menu, and picked the USB option. Never had such a swift and painless install....

Update:

And then there was Ubuntu Lucid. Not so easy. The ISO will not boot from USB per the above. After a bit of flailing around, it seems the easiest way (and so far the only way) that has worked for me is to use usb-creator, which is packaged with Lucid. And only works with X, there is no console version.

Yes, that means you need a running Lucid desktop to do this. Lame. The package that needs to be installed is usb-creator-gtk. Note that you can invoke it from the following menu:

System --> Administration --> Startup Disk Creator

but that did not work for me either, there were errors. What I did was installed the sux package, logged into root in a terminal by invoking sux, and then invoked usb-creator-gtk as root. Then it worked, and the USB stick booted.

[1] http://www.debian.org/releases/stable/i386/ch04s03.html.en
[2] http://www.debian.org/CD/netinst/

posted at: 07:51 | path: /Linux/misc | permanent link to this entry

Thu, 15 Dec 2011

/Linux/CPUfreq: Manual CPU Frequency Control in Linux

In comes Gnome 3, out goes my beloved (out of necessity) CPU frequency applet. It seems Gnome 3 does not do applets, at least not yet. And I have a couple of miscreant laptops that love to overheat under load. One Lenovo is actually almost unusable unless I throttle back the CPU before extended heavy loads like a massive apt-get upgrade.

[1] clued me in to a command-line option to the applet in the cpufreqd package. After installing cpufreqd one must first uncomment the following lines in /etc/cpufreqd.conf:

enable_remote=1
remote_group=root

which basically enables the command-line tools. Now

cpufreqd-get

will list your options, and

is how you choose your CPU speed, and

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_available_frequencies

displays the available frequencies, and

cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_cur_freq

shows the current frequency in effect. And now I can install Gnome 3 on these handicapped machines....

[1] http://www.go2linux.org/how-to-configure-cpufreqd

posted at: 14:04 | path: /Linux/CPUfreq | permanent link to this entry

Sun, 06 Nov 2011

/Linux/Chinese: Chinese Input with IBUS

Until recently I was a long time user of SCIM, and then, at around the same time I noticed that the Ubuntu Desktop default was IBUS[3], and that SCIM was on it's way out.

Getting SCIM to work has always been somewhat dodgy, and I am happy to say that IBUS is less so.

I recently discovered that there is a native Linux QQ chat client[1], but published by a Chinese company and apparently(?) not Open Source. For a long time I have run Skype on my machine despite the fact that it is not Open Source, and it's bad reputation for security[2]. But an application published by a Government-controlled Chinese company is more then I can tolerate, so I am running my QQ in a Debian VM, where I also eventually intend to exile Skype and others of its ilk.

This is an absolutely minimal VM running only fluxbox. To get Simplified Chinese input going I:

apt-get install ibus ibus-pinyin ttf-arphic-ukai

Then I ran im-config as root to select IBUS as the system master input method. And then ibus-setup as my normal user to turn on the "Chinese Pinyin" input method. I believe I restarted X somewhere along the way, and after that Ctrl-Space had me typing Chinese.

[1] http://im.qq.com/qq/linux/
[2] http://blog.langex.net/index.cgi/Security/skype
[3] http://code.google.com/p/ibus/

posted at: 16:14 | path: /Linux/Chinese | permanent link to this entry

Tue, 14 Jun 2011

/Linux/encryption: Transparently Encrypt Part of Your Home Directory

Update: This all works really well. I now encrypt my entire home directory on all of my machines, plus usually add another encrypted partition for things I do not think need to be backed up. I will leave this howto in the form of encrypting a home subdirectory, as I think that is probably still a good place to start for someone just sticking a toe in these waters.

Laptops are easily stolen. And these days, if you travel internationally, it is not uncommon for the thief to be Customs / Immigration agents who have the power to permanently seize your laptop on little or no grounds. All they need do is invoke the "National Security" bogey-man. Some thought should be given to protecting personal data, especially if setup seems easy.

In the title, I say "transparently" in the sense that once this is setup, everything should work just like before. Under the hood, though, you will have an encrypted subdirectory in your home directory, which is automatically mounted when you login, and unmounted when you logout.

I was lead to do this, finally, because this article[1] makes it sound very easy and convenient. Obviously, it would be more secure to encrypt my entire home directory (or even the entire hard drive) but to do this for an already installed system is a bit more trouble and risk. Plus I would like to build a little confidence in my ability to not lose data first, before I commit myself entirely. This way I will protect (and risk) only my most sensitive data (and keep good backups elsewhere should something go wrong with the encrypted partition). On the other side of the ledger, encryption does add a certain amount of overhead to everything you do with the encrypted files, especially on an older machine. There is a reasonable argument, I think, for only encrypting what is necessary.

First step: Make a good backup. Messing with the partition table is risky business. Now use gparted to make space for an empty partition. Be warned that I shrank an 80G partition down to free up 1G, and this took a whole afternoon on a Pentium III, and making changes to your partitions is a process you *really* do not want to interrupt. So if you have a laptop, make sure your battery is charged to guard against power failures. Also note that changing the size of the encrypted partition later may not be easy, so be generous....

In Debian, install packages cryptsetup and libpam-mount, and then next we will create an encrypted volume out of the just-created empty partition hda7. This section is a summary of the corresponding section from [1].

Create the encrypted volume:

cryptsetup luksFormat /dev/hda7

LUKS[3] most noteworthy feature is that is supports unlocking the encrypted volume with any one of several passwords. Now name the encrypted volume "mysecrets", and format it:

cryptsetup luksOpen /dev/hda7 mysecrets
mkfs.ext3 /dev/mapper/mysecrets

Mount the encrypted volume and write a test file, and then unmount:

mount /dev/mapper/mysecrets /home/userid/protected/
date > /home/userid/protected/date.txt
cat /home/userid/protected/date.txt
umount /home/userid/protected/
cryptsetup luksClose mysecrets

Now verify that mount.crypt from libpam-mount will open the encrypted volume:

mount.crypt /dev/hda7 /home/userid/protected/
cat /home/userid/protected/date.txt
umount.crypt /home/userid/protected/

Mount the Encryped Volume Automatically on Login:

Unfortunately, at this point the advice from [1] stopped working for my circa November 2008 Debian installation. This was a bit disconcerting since [1] was only just published. However, a bit of poking around indicated that PAM is a bit of a complex beast, and that there was more then one way to get this to work. So next I tried the "Automagically mounting" section of [2].

As [2] says, for this to work, the user's login password must be the same as one of the passwords assigned to the LUKS-formatted encrypted volume we created in the preceding section.

Next we have to do something a little different then [2], since PAM has evolved a bit since [2] was written. Add the following block to /etc/security/pam_mount.conf.xml:

And that is it. user="username" means this block will only kick in when "username" logs in. The empty strings assigned to the last two parameters above apparently tell PAM to use the user's login password instead of a key file. Now log out, log back in, and you should find that /home/userid/protected has been automatically decrypted and mounted.

(Note: I have since taken to doing this for my whole user directory, and there seem to be permission problems on the first login that kick up some errors and lead to a read-only home directory. So, after the first login, do an Alt-Ctrl-F1 and login as root.) Then fix the permissions:

chown -R username:username /home/username
chmod -R 755 /home/username

Logout and login again, and everything should work.

Future password changes must also be separately applied to the encrypted volume, ie.

cryptsetup luksAddKey /dev/hda7

to first add a new password to the volume (up to a maximum of eight). Note that this will add the new password to the first empty slot, and not overwrite your current password, as the dialog might imply. Then change your Linux user password. And finally

cryptsetup luksDelKey /dev/hda7 0

to delete the oldest password, in the first slot, when you are ready. No rush. That is one of the advantages of using LUKS.

cryptsetup luksDump /dev/hda7

will tell you which password slots are in use (among other things) but obviously will not tell you what the passwords are.

Summary:

I have been running with this setup now for well over a year, and am very satisfied as to usefulness and stability. The only irritation is that, since I am only encrypting a subdirectory of my user directory, after I login my encrypted directory will sometimes automatically unmount after a few seconds if nothing accesses any files in that directory. I just use a terminal to cd into the directory and lock it open the first thing I do after logging in. There is probably a more elegant way to resolve this issue....

I also think this solution is more elegant then what I have read about the new standard Ubuntu encrypted home directory, which though simpler to turn on at install time still requires you to store / remember an encryption key. My setup still only requires you to remember your user password to login and decrypt the user directory.

On a strategic note, if you are going to cross a border with your now-encrypted directory, I would suggest you create a dummy user account with a throw-away password. That way, if the immigration goons seize your laptop and insist that you give them "the password", you can give them one that does not matter, and in particular, does not unlock your encrypted directory. Likewise, make sure that the root password is not the same password as the user password that unlocks your encrypted partition, as they might be smart enough to demand the root password as well.

[1] http://www.linux.com/feature/151989
[2] http://pupeno.com/blog/encrypted-home-in-ubuntu
[3] http://luks.endorphin.org/

posted at: 03:03 | path: /Linux/encryption | permanent link to this entry

Mon, 22 Feb 2010

/Linux/audio: Switching Between Multiple Soundcards

As a fan of USB audio devices, something that has caused me dissatisfaction for a very long time in my Debian Linux desktop environment has been the inability to gracefully and easily switch between multiple installed sound cards.

I just installed the pavucontrol module[1] and perhaps this is a thing of the past, at least for Gnome / Pulseaudio users. After installing pavucontrol I get a second loudspeaker / mixer icon in my desktop tray, which is a little confusing, and both mixers seem to interact and have some control over sound volumes. Not elegant, but the key addition inside the pavucontrol "Sound Preferences" dialog is an "Output" pane that lists my available audio outputs: "Internal Audio" and "Audio Adaptor" (USB headset), with a radio button beside each.

Clicking on the radio buttons transparently switches the audio back and forth between my laptop speakers and my USB headset. Outstanding.

[1] http://0pointer.de/lennart/projects/pavucontrol/

posted at: 17:28 | path: /Linux/audio | permanent link to this entry

Sun, 13 Sep 2009

/Linux/misc: Removable Storage Should Always Mount on the Same Mount Point

I am writing this as of the kernel 2.6.30/udev era, on Debian testing.

I have a an external USB hard drive that I use all the time. When I boot from scratch, the default udev configuration always assigns the first partition to /dev/sda1. However, when I suspend and then resume, udev likes to put it somewhere else, /dev/sdb1 for instance. Therefore an /etc/fstab entry of the following variety:

/dev/sda1 /mnt/usbfat vfat user,exec,dev,suid,rw,umask=0000 0 0

will not always work because there is no guarantee the partition will get /dev/sda1 every time. The solution is to identify the partition by its label in /etc/fstab. First assign a label to the partition.

For a FAT partition, use the mtools package. First configure mtools by adding the following line

drive x: file="/dev/sdb1"

to /etc/mtools.conf. (This of course assumes that the drive is being assigned currently to /dev/sdb1, which you can verify in /var/log/syslog.) Then write the label to the partion:

# mlabel x:
Volume has no label
Enter the new volume label : USBFAT1

For an ext2/ext3 partition, use:

# e2label /dev/sdb1 USBEXT1

For KDE users, and probably Gnome users as well, this is already enough, it should automount on insertion to the same mount point every time. If you are using a window manager with fewer bells'n'whistles, you probably need to explicitly specify the mount point. There are two ways to set up /etc/fstab. Edit /etc/fstab to contain ONE of the following lines:

LABEL=USBFAT1 /mnt/usbfat vfat user,exec,dev,suid,rw,umask=0000 0 0

OR

/dev/disk/by-label/USBFAT1 /mnt/usbfat vfat user,exec,dev,suid,rw,umask=0000 0 0

Unplug your USB drive, wait a few seconds, then plug it back in. Now type:

mount /mnt/usbfat

References:

http://wiki.archlinux.org/index.php/Persistent_block_device_naming
http://reactivated.net/writing_udev_rules.html

posted at: 05:51 | path: /Linux/misc | permanent link to this entry

Sat, 12 Sep 2009

/Linux/Debian: Quick Start Networking on Debian

This simple tutorial is meant to show the basics of how to get networking working on Debian Linux from the command line, and assumes at least that your network card has been recognized, the appropriate kernel module has been loaded, and a viable network interface initialized for the network card. This should all happen automatically on boot or card insertion, and if it does not, getting your card to work is unlikely to be a simple task.

(Note that there are various GUIs that try to make networking "easy" in Linux, but in my experience they do not work very well, and once you know the command line method you will rarely crave a GUI....)

All commands in this tutorial require a root terminal. The commands we are going to use are:

ifconfig: query (and modify) status of network interfaces
ifup: activate a network interface
ifdown: de-activate a network interface
iwconfig: query (and modify) the status of a wireless network interface
iwlist: find out what wireless access points are within range

To find out what live network interfaces you have, enter ifconfig:

In the above example, "lo" is the loopback interface (important but irrelevant to this tutorial) and "eth1" is the network interface with the outside world. In eth1, note:

inet addr: 192.168.8.6

which tells you that eth1 has an IP address (and in fact is my wireless card as I write this). Though not always strictly true, for the purposes of this tutorial, if there is no IP address, the network is not working. Now enter "ifconfig -a":

Note that "eth4" has now joined the party, and does not have an IP address. eth4 in fact is my on-board wired network card which I am not using and have turned off. "ifconfig" shows all active network interfaces, and "ifconfig -a" shows all network interfaces, including those that are not turned on.

udev is the piece of software that is supposed to assign a unique network name (eth0, eth1, eth3, wlan0, etc.) to every network card plugged into your system, which should remain stable over reboots. (Of course, you can change this behavior and even choose what name is assigned to a given card.....)

Now have a look at the file /etc/network/interfaces with your favorite text editor. Mine looks like this:

Interfaces with an "auto" line should be started automatically on boot, in this case lo and eth1. "man interfaces" will tell you lots more about the contents of this file, but for the simplest case,

iface eth4 inet dhcp

specifies the configuration of the eth4 wired interface: the network will be queried for a dynamically assigned IP address via DHCP, and

will do the same for the eth1 wireless interface. The 2nd and 3rd lines give the wireless card permission to connect to any wireless access point that it can find. (Of course, one can also not use DHCP and assign a static IP, and also specify the access point.... not covered here.)

With a /etc/network/interfaces file with the above contents, at the root prompt issuing

ifup eth1

will start the wireless interface. If the card finds a willing and appropriately configured access point, ifconfig should show eth1 as having an IP address. You can find out more about what is going on with your wireless card (and reconfigure it) with the iwconfig command:

You can also have a look at what other access points the wireless card is seeing with the iwlist command:

Just one access point in this neighborhood....

Suppose this is your home configuration, and at work you have a wireless network called 2WIRE162 protected (not very) with a WEP key. Add the following stanza to your /etc/network/interfaces file:

In our /etc/network/interfaces file we have three physical network interfaces (lo, eth1, and eth4) and now we have added a "logical" interface called "work". A physical interface corresponds to a network card ("lo" is a special case that does not) and a logical interface *can be* associated with any physical interface. Ie.

ifup eth1

will cause eth1 to connect to any open access point in the vicinity, whereas

ifup eth1=work

will permit eth1 to only connect to an access point with an SSID of "2WIRE162" and a WEP key of "0642243084".

WPA encryption, unlike WEP, provides real security, but is a little complicated to setup and will not be covered here. If you want WPA, you need to configure a piece of software called "wpasupplicant".

posted at: 13:13 | path: /Linux/Debian | permanent link to this entry

Sat, 23 May 2009

/Linux/Debian: Software Package Management in Debian (and Ubuntu)

I particularly dislike graphical package managers, as they are all seem slow and, I think, not much easier to use then the command line. Here is a little quick start guide to using the command line to install and remove software in Debian or Ubuntu:

Search for software:

apt-cache search {space separated list of key words}

Display information about a particular package:

apt-cache show {name of package}

Upgrade: update your software list and then upgrade all installed software to the latest version:

apt-get update
apt-get upgrade

Install a defined list of packages:

apt-get install {space separated list of package names}

wajig, a useful utility: install wajig and less:

apt-get update
agt-get install wajig less

Then "wajig list-commands", which will produce output that is more then one page long, so even better is:

"wajig list-commands | less"

(Exit less by entering "ZZ")

"|" is the "pipe" operator, found on the same key as "\" on my keyboard, and is one of those whiz-bang UNIX features that, after you accumulate a short list, will leave you quite disinterested in ever going back to Micro$oft Windows.

Hold a package and exclude it from automatice upgrades:

'echo -e "python-pysqlite2 hold" | dpkg --set-selections'

where python-pysqlite2 is the package to be held. Thereafter, when one performs an "apt-get upgrade" the held package appears in the "following packages have been kept back" section, and requires a manual "apt-get install python-pysqlite2" to re-instate the latest version.

Revert a package to an older version:

For instance, if you track "testing", but want to use the occasional unbroken package in "stable", your "/etc/apt/sources.list" should contain the following two lines:

deb http://ftp.us.debian.org/debian/ testing main contrib non-free
deb http://ftp.us.debian.org/debian/ stable main contrib non-free

"testing" will take precedence over "stable" as it appears first in the list. Now suppose a just updated piece of "testing" software is broken. First find out what versions are available in your current archive:

apt-cache policy python-pysqlite2

To install an older version:

apt-get install python-pysqlite2=2.4.1-1

where the version identifier comes after the "=". And now, to prevent your just downgraded package from being clobbered by automatic upgrades, put the package on "hold", as described in the previous section.

posted at: 08:35 | path: /Linux/Debian | permanent link to this entry

Thu, 16 Apr 2009

/Linux/misc: 101 Things You Can Do On Linux But Not on Microsoft Windows

I might not make it all the way to 101, but I will give it a go:

You can update almost all system software (except for the kernel) without rebooting.
In fact, Linux can be kept running for months through many updates, without a single shutdown or reboot or system crash. Server administrators literally do this all the time.
Go for years without having to re-install your computer. "Bit rot" does not exist in Linux. It will keep booting and working without deterioration through an endless succession of minor and major software updates, until your hard drive finally fails (don't forget to make periodic backups!!).
Take no specific precautions against viruses / trojans / worms / malware, and go for years without seeing one infect your computer. (I have gone ten years, most of that a full-time Linux user.)
If your screen is locked-up, your system is not necessarily crashed. It might be just the X-Window Server that is hosed. First try to restart the X-server with Ctrl-Shift-BackSpace. If the keyboard is not responding, try to login to the machine from another computer with SSH[1] and restart the Window manager (kill the "X" process). Either of these options would be better for your hard drive then killing the power.
Not enough memory to run everything you want to run at the same time? Run a piece of software on another (UNIX / Linux) computer and display its window on the computer you are sitting at. Just login to the other computer from a terminal using "ssh -X", start the program from the command line of the terminal that is now talking to the other computer, and its window will pop up right where you are sitting.
Trivially run a web server or e-mail server on your desktop. Most Linux distributions install most servers with defaults that have it running almost instantly, out of the box. Little or no configuration required.
If you are experiencing system problems, see the low-level error logs that your system is producing (and Microsoft Windows invariably hides) in the files contained within the /var/log/ directory.
Trivially get the source code for any sofware running on your computer, and (non-trivially) fix / change it, if you so desire.
Have a complete functioning computer system that will do most of what most people need, where all installed (Open Source[2]) software is completely free, and legally so.
(For common Linux distributions[3]) Install and update all of the above software, both system AND USER PROGRAMS, from one single unified software archive. (No chasing all over the internet to find software....)
For software that is not available in the free archives, find almost anything else you want, also for free, in other archives that may or not be legal in the jurisdiction where you live. Add these to your list of archives, and updating all installed software continues to be a simple one-step process.
If you have problems with a given piece of software, usually it is easy to find and send a bug report to the programmers who work on it. If the problem you are reporting is serious, or the fix very simple, they will probably give you a quick reply.
Have your main computer be a zippy Linux install, that the latest bloated version of Microsoft Windows cannot even be installed on, let alone run on. In 2008, my fastest machine is a Pentium III 1.1 GHz with 256M of memory. I am a power user so the memory is a bit light, I need to spend some more money on this machine that I bought for just over US$200.
Build your own Linux router[4] (wired, wireless, or both, just need to somehow provide the requisite number of network cards) with the latest and greatest up-to-date software using an almost worthless Pentium One laptop. All you need are two PCMCIA card slots so that you can plug in two network cards.
Have multiple IDENTICAL copies of files or directories in different places. Edit one copy and all are changed, because all the copies are POINTING TO THE SAME CONTENT on the disk. In the Unix world, there are actually two slightly different ways to do this: "symbolic" links and "hard" links.
Choice: choose and install different "kinds" (distributions[5][6][7]) of Linux specializing in special needs: speed, mimimum use of disk space, "bleeding edge" vs. stable software, education, etc....
More choice: from within any installed Linux distribution, choose from a long list of different window managers, allowing one to choose between desktops that are radically different in appearance and function.

[1] http://www.openssh.com/
[2] http://en.wikipedia.org/wiki/Open_source_software
[3] http://distrowatch.com/
[4] http://blog.langex.net/index.cgi/Linux/router-bridge/build-your-own-router.html
[5] http://en.wikipedia.org/wiki/List_of_Linux_distributions
[6] http://www.linux.org/dist/list.html
[7] http://distrowatch.com/

posted at: 04:54 | path: /Linux/misc | permanent link to this entry

Fri, 10 Apr 2009

/Linux/router-bridge: How to Build Your Own Linux Network Router

Gentoo is justifiably held in great esteem for their very good documentation. I am going to give you a simplified version of this guide[1], from a Debian perspective, and also, some of the things I do while building a router are simpler by design. Here are a couple other interesting links for background reading: [2][3]

Why would you want to do this? Cheap commercial routers often do not work very well, choking up on certain kinds of traffic, even locking up regularly so that someone must manually cycle the power to restart them. If you build your own router, you can keep the software up-to-date, which is a big security advantage over the commercial competition. And you can install any software you want on it, like your own web and e-mail server, for instance. This is not meant to be an exhaustive list....

Start with the cheapest, oldest laptop you can find with the capacity for the number of network cards you want to use (two for a wired *or* wireless local network, three for a wired *and* wireless local network). One network card is needed to connect to the outside world (presumably, the internet) and another one for *each* local network that you want to connect to the internet (typically, a wired and / or a wireless network).

Note that a really old laptop, like the Pentium One that I use, has no CD and no USB. The easiest way to install Linux on it is to remove the hard drive and place it temporarily in another computer (or a USB enclosure) for the Linux installation. A minimal install is all that is necessary, just enough to get a terminal command prompt and functioning networking. Note that at least on Debian, standard kernels will work right off the shelf. Then replace the newly installed drive in your soon-to-be router.

Get a Wireless Card that Will Work

Setting up a router for a wired LAN (Local Area Network) is actually a subset of setting up a wireless router, so I will just describe a wireless router here. (Turning a wireless configuration into a wired configuration just requires a minor alteration or two....) You need a wireless card that will talk to the hostap_cs kernel driver, and also supports "Master" mode. These are not easy to find in, in my experience. I have stumbled across two, one of which broke and I am now having quite a hard time replacing it.

The orinoco_cs and hostap_cs drivers support many of the same cards. Best to just blacklist the orinoco_cs driver and take your laptop shopping for cards. You really need to test the card before buying it (easy in the second hand Chinese markets I shop in). If you find a card that the hostap_cs driver recognizes, test for Master mode with the iwconfig command:

iwconfig wlan0 mode Master

If the card does not like Master mode, you will get an error something like:

# iwconfig eth1 mode Master
Error for wireless request "Set Mode" (8B06) :
SET failed on device eth1 ; Invalid argument.

If it works, ifconfig will show, in part:

wlan0 IEEE 802.11b ESSID:"clayton" Nickname:""
Mode:Master Frequency:2.462 GHz

(Note the "Mode:Master" part.)

Configure Networking

I will avoid great detail here. The most probable options are, your "outside world" network card will either connect directly and probably be called "eth0", or it will connect using PPPOE which you will probably configure with a very simple and straight-forward piece of software called "pppoeconf" and result in a "ppp0" interface. For routing purposes, all you need to know is what the interface is called, and that it works.

As for the wireless card: give it a static IP and set it to Master mode in /etc/network/interfaces:

auto eth0
iface eth0 inet dhcp

auto wlan0
iface wlan0 inet static
  wireless-essid somename
  address 192.168.8.1
  netmask 255.255.255.0
  network 192.168.8.0
  broadcast 192.168.8.255
  wireless-mode Master
  wireless-channel 11
  wireless-key somepassword

Note that in the above, eth0 connects to the internet, and therefore in this case I am not using PPPOE. I will address the slightly more complicated case of PPP in /etc/network/interfaces at a later date.

Set Up Routing and Firewall

We will do them at the same time because the same software does both! Install the "firehol" package. Then create a /etc/firehol/firehol.conf file as follows:

# firehol configuration for a masquerading server

version 5

# The network of our internal LAN.
home_ips="192.168.8.0/24"

# try "mac  " to filter on MAC addresses

# blacklist full 192.168.8.101 192.168.8.51 192.168.8.53

# DHCP needs 0.0.0.0/255.255.255.255 access.
interface wlan0 dhcp1
  policy return
  server dhcp accept

# interface eth0 internet src not "${UNROUTABLE_IPS}"
interface eth0 internet
   protection strong 10/sec 10
   server "smtp http icmp ssh"  accept
   server donkey2 accept
   server ident reject with tcp-reset
   client all   accept
   # reduce noise in the syslog by dropping this stuff silently
   server "dhcp samba" drop

interface wlan0 wlan src "${home_ips}"
   policy reject
   server "http dns ssh icmp" accept
   client all   accept
   # server dhcp drop

interface eth1 lan src "${home_ips}"
   policy reject
   server "http dns ssh icmp" accept
   client all   accept

router internet2wlan inface eth0 outface wlan0
   masquerade reverse
   client all      accept
   server ident    reject with tcp-reset

router internet2lan inface eth0 outface eth1
   masquerade reverse
   client all      accept
   server ident    reject with tcp-reset

There are tutorials out there that will step you through the creation of this file, which is how I started, but if you are careful about the customizaion process, you should be able to use my config as your starting point.

Some salient points:

eth0 connects to the outside world, wlan0 is the wireless LAN, eth1 is the wired LAN. Lines in "interface" blocks that begin with "server" list the kinds of connections that the firewall will accept on that interface. All other incoming connections will not be accepted by default.
"router" blocks define which interfaces traffic is allowed to pass between.
this config file was pulled from a currently running eth0 / wlan0 router, so it *will* work for setting up a wireless network.
I am not currently using eth1 on the machine from which I pulled this example, so it may not work out of the box for eth1. I think the eth1 DHCP block is missing, for starters.
DHCP needs very special and careful treatment or it will not work.
Port forwarding can be done, but I have not yet provided an example.

DHCP with dnsmasq

Install the dnsmasq package. Add the following line to /etc/dnsmasq.conf:

dhcp-range=192.168.8.50,192.168.8.150,12h

Restart dnsmasq, and your router should now respond to DHCP requests from the wireless network.

Wasn't that simple? Comments / errata welcome.

[1] http://www.gentoo.org/doc/en/home-router-howto.xml
[2] http://www.bit-tech.net/bits/2008/06/27/build-your-own-router/1
[3] http://thoughtattic.com/security/MakeYourOwnRouter.html

posted at: 07:32 | path: /Linux/router-bridge | permanent link to this entry

Wed, 11 Mar 2009

/Linux/Awesome: Awesome Window Manager Upgrade Breakage

March 2009: location and contents of the $HOME config file have changed. Awesome now looks in ~/.config/awesome/rc.lua instead of ~/.awesomerc, and very little of the documentation seems to reflect this fact. On the bright side, for those of us who do not have a "Windows" key, it is now much easier to reassign the "Default modkey" to something else. To do so, make a local copy of config file:

cp /etc/xdg/awesome/rc.lua ~/.config/awesome/rc.lua

Then edit ~/.config/awesome/rc.lua:

modkey = "Mod1"

Mod1 is the Alt key, which is what you now must use for almost all keyboard shortcuts.

As of early 2009, Awesome upgrades over-write /usr/share/xsessions/awesome.desktop without asking, causing my status bar clock to disappear and my screen locker to not get started. Keep a backup copy and manually restore this file after each upgrade.

posted at: 13:23 | path: /Linux/Awesome | permanent link to this entry

/Linux/Awesome: Autostarting Applications in Awesome

It would seem I have discovered a hole in the Linux OS: there is no generalized method for autostarting applications upon login. KDE and Gnome each have their own, and if you use one of the other window managers some have something built-in, others (awesome?) apparently do not.

This is my latest attempt to get a screen locker (xautolock / xtrlock) and a status bar clock going in my setup, borrowed from here[1]. In ~/.xinitrc I have put the following:

And I have modified /usr/share/xsessions/awesome.desktop as follows, such that the "Exec" line invokes .xinitrc rather then invoking awesome directly:

And finally, for the record, this is the contents of ~/bin/better-awesome-clock (borrowed from where I do not recall):

[1] http://urukrama.wordpress.com/2008/07/10/first-steps-with-awesome-window-manager/

posted at: 13:10 | path: /Linux/Awesome | permanent link to this entry

Tue, 06 Jan 2009

/Linux/Debian: Debian: How to Modify a Source Package / Build a New Binary Package[1]

Downloading, building, tweaking, and rebuilding a source tarball is not that difficult a concept for me at this point. Debian, however, has a very sophisticated (complex? obtuse? But I still love Debian....) packaging system.

Quick & Dirty Method[5]:

Say I am trying to debug something with the cron package:

apt-get build-dep cron
cd /to/where/you/want/to/install/your/source
apt-get source cron
cd cron-3.0
modify the code
DEB_BUILD_OPTIONS=debug,nostrip fakeroot debian/rules binary
debi

where dpkg-buildpackage builds a .deb and places it one directory up and debi installs the package. DEB_BUILD_OPTIONS are optional, but extremely useful if you are going to use gdb for debugging.

Note that the package version is not changed with this method, and the next time you run "apt-get upgrade" it will want to replace your debug version of the package with the repository version.

Patches & Versioning:

Sorting out how to mess with source code using the "Debian way"[3] is not at all transparent. Roberto Sanchez' "Debian Package Customization HOWTO"[4] is better:

Suppose someone sends you a patch that you want to test. Here is how you would obtain, patch, and build the source to create a new .deb with a unique version number, ready for installation:

apt-get source foo
cd foo-1.0
patch -p0 < /path/to/patch/file/ # apply patch to source
debchange -nmu  # See note below
sudo apt-get build-dep foo # install build dependencies
dpkg-buildpackage # build binary package from source

"debchange -nmu" will bring up the changelog in your default editor. In addition to modifying the text of the log, it is also possible to modify the package version number in the header of the changelog entry. Sanchez[4] recommends decrementing the version, adding a ".0.0" to the end, then adding a "name.0" to that. "name.0" is the part you use locally to track local changes. The preceding decremented-version.0.0 tries to ensure that any packages that appear in the repository afterwards will take precedence over the local package, so that upstream updates get installed (assuming that is what you want).

You should find your new .deb one directory up (..) with the version number as specified in the changelog.

Note that you might optionally want to put the source under the control of the git[2] revision control system if you are going to make modifications yourself and submit patches.

[1] http://www.debian-administration.org/articles/556
[2] http://blog.langex.net/index.cgi/Coding/git-basics.html
[3] http://www.debian.org/doc/maint-guide/
[4] http://people.connexer.com/~roberto/howtos/debcustomize
[5] http://women.debian.org/wiki/English/BuildingTutorial

posted at: 13:24 | path: /Linux/Debian | permanent link to this entry

Tue, 16 Dec 2008

/Linux/Debian/WPA: Easy wpasupplicant on Debian

A little poking around revealed that this file /usr/share/doc/wpasupplicant/README.Debian.gz was the secret sauce for getting wpasupplicant painlessly functioning on a Debian machine.

Like with wireless-tools, Debian has integrated wpasupplicant into the /etc/network/interfaces file.

To talk to a simple WEP-encrypted access point, this is the stanza I am using in /etc/network/interfaces:

auto eth1
iface eth1 inet dhcp
   wpa-ssid linksys
   wpa-key-mgmt NONE
   wpa-wep-key0 8453017892
   wpa-wep-tx-keyidx 0

To achieve the same with wireless-tools instead, I have this stanza:

iface home inet dhcp
   wireless-channel 11
   wireless-mode managed
   wireless-key 8453017892
   wireless-essid linksys

and of course, "ifup eth1" and "ifup eth1=home" will both connect, the former using wpasupplicant and the latter using wireless-tools.

Of course, the whole point of wpasupplicant is to talk to a WPA-encrypted access point. Stay tuned until I get a chance to try it again....

posted at: 08:10 | path: /Linux/Debian/WPA | permanent link to this entry

Fri, 05 Dec 2008

/Linux/Awesome: Introduction to the "Awesome" Window Manager

I recently made the switch to Awesome mainly because of some ongoing pain in my right arm, which I am attributing to "mouse abuse". So I installed Awesome, which promises to be keyboard-centric rather then mouse-centric, and unplugged my mouse.

A few days later, so far so good, with some reservations. I certainly do use the mouse less, as the Awesome keyboard shortcuts do make it very convenient to jump around between windows / applications. A bonus feature is more efficient use of screen real estate, as Awesome by default does not have window title bars, and its automatic window layouts are oriented toward displaying all windows at the same time, side-by-side. Though where appropriate, for some applications, you can choose to stack windows on top of one another, and you do get to choose which windows display together. And for many applications, I find myself using them now full-screen all the time, in their own workspace, without a title bar. Firefox, for instance, really seems to display a lot more on one screen (my laptop LCD is a smallish 1024x768).

Reservations?

I still use my laptop stick-mouse more then I would like. For certain activities with certain kinds of applications (browsing on a web browser, for instance) there is no way to get away from the mouse. At least I have not found one. For the part of your day you spend dealing with text, though (programming in terminals? writing this blog?) Awesome can almost completely eliminate mouse use.

Awesome, by default, heavily depends on using the "Windows" key found on many keyboards. My Thinkpad X24 does not have one. The commonly made suggestion is to let the "Alt" key take-over this duty, my changing all instances of "Mod4" to "Mod1" in ~/.awesomerc. It works, but.... many common tabbed apps like Firefox are setup to use Alt-n to switch between tabs. Since Awesome has taken over the Alt key, I must use the MOUSE now to switch between tabs. Yuck.

posted at: 04:22 | path: /Linux/Awesome | permanent link to this entry

Home

Contact

Resumé / C.V.

Links

Categories:

Archives:

Subscribe XML RSS Feed