
fwbuilder: Manage Firewalls Professionally

March 15th, 2009 edited by Vicho

Article submitted by Vadim Kurland. Guess what? We still need you to submit good articles about software you like!

Firewall Builder is available from the libfwbuilder and fwbuilder packages in both Debian and Ubuntu in Universe. Packages for the current development builds are available from the project download area on SourceForge.

Everyone knows about netfilter/iptables, the powerful firewall framework and command line tool that is part of every Linux distribution. Unfortunately, managing a security policy with it remains a non-trivial task for several reasons. Partially this is because of the complex syntax of the command line interface and the vast number of available options and parameters. Another reason is that the administrator has to understand the internal path of a packet inside the Linux kernel and its interaction with the different parts of netfilter in order to build rules correctly. This is not a problem specific to iptables, though: other popular Open Source firewall platforms, such as OpenBSD PF, ipfilter and ipfw, present similar challenges.

What is needed is a tool that lets an administrator define the security policy at a higher level of abstraction and hides the internal structure of the target firewall platform. For example, such a tool should decide automatically which iptables chain is right for each generated iptables rule, without the administrator’s input. It should also pick the right iptables targets for both policy and NAT rules and make proper use of the most popular iptables modules, all automatically. Such a tool should also implement best practices in policy design and help the administrator deploy and activate the generated policy on the firewall.

Firewall Builder does just that.

Introduction

Firewall Builder is a GUI firewall configuration and management tool that supports iptables (netfilter), ipfilter, pf, ipfw, Cisco PIX (FWSM, ASA) and Cisco routers’ extended access lists. It presents all supported firewalls to the administrator in terms of a unified abstract firewall that takes the best features from all of them and hides their specifics and inconveniences. Firewall Builder is more complex than many basic firewall configuration GUIs such as Firestarter, but on the other hand one can build very complex policies with Firewall Builder and fully utilize the flexibility and power of iptables and the other supported firewalls.

The general idea should be familiar to anyone who has ever worked with commercial firewall management systems. All configuration management operations can be performed from one central place: the Firewall Builder GUI. You create and manage a collection of objects that describe network addresses, hosts and firewalls, as well as services, and then build firewall policy and NAT rules using these objects. Policy rules are defined in terms of “Source” and “Destination” addresses and “Service”, and can have additional parameters such as interface association, direction, time interval and optional platform-dependent attributes. NAT rules are defined by the addresses and services before and after translation.

Example of a policy rule

Rules are built with simple drag and drop operations, and then the firewall configuration can be generated with one click of a mouse. In the end, Firewall Builder produces a script or configuration file in the language of the target firewall. For iptables, it creates a shell script that loads the iptables rules, while for other platforms it creates a configuration file suitable for them. This makes it simple to deploy and activate the generated policy and also helps integrate Firewall Builder with existing automation scripts.

Fragment of the standard TCP objects library
The program comes with a collection of over 100 standard objects that can be used to describe popular TCP, UDP and ICMP services.

Firewall Builder implements many best practices in firewall policy design and firewall management procedures. Here are just a few examples:

  • It enforces a policy structure that denies all traffic by default and only permits what is necessary.
  • The administrator can easily define the IP address of the management workstation, and Firewall Builder will automatically add a rule to ensure that ssh access from it to the firewall is always permitted. This rule is designed to assure that the ssh session over which the installer activates a new policy does not break or hang. This helps to avoid accidents where errors in the policy rules cut off remote access to the firewall in the middle of an activation, making it impossible to fix the error and causing a prolonged network outage.
  • For Cisco PIX (ASA) and IOS access lists, where access-list commands are activated immediately as they are entered, Firewall Builder can optionally create temporary access lists to ensure uninterrupted ssh access from the management workstation to the firewall for the duration of the policy reload session. This method provides the best protection against outages caused by loss of contact with the firewall because of errors in the policy.
  • For iptables, Firewall Builder can generate a script using iptables-restore for atomic activation. If iptables-restore detects an error in the script and refuses to load the policy, the script leaves the firewall in the state it was in before. For other firewall platforms it uses the appropriate activation methods to achieve the same goal.
  • The built-in policy installer supports “test” install mode with automatic roll-back. This is another safety mechanism that helps minimize outages in case of errors in the policy. These measures are available for all supported systems, such as Linux/iptables, *BSD/pf, Cisco PIX and Cisco IOS.
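As an added example (this is not Firewall Builder’s generated script), a small POSIX shell generator that applies the practices above: default-deny chain policies, an anti-lockout ssh rule for the management workstation placed first, automatic INPUT/FORWARD chain selection, and activation through iptables-restore so that a broken ruleset is rejected as a whole. All addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Firewall Builder's own output: turn a few abstract
# policy rules into an iptables-restore file that follows the practices above.
FW_ADDR="203.0.113.1"    # the firewall's own address (constructed)
MGMT_HOST="192.0.2.10"   # management workstation (constructed)

# Read policy rules "src dst proto port" (use "any" as a wildcard) on stdin
# and print an iptables-restore ruleset. The chain is chosen automatically:
# traffic addressed to the firewall itself goes to INPUT, the rest to FORWARD.
gen_ruleset() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT DROP [0:0]'
    # Anti-lockout rule first: ssh from the management host is always allowed,
    # so the session that activates the policy survives a mistake further down.
    printf '%s\n' "-A INPUT -s $MGMT_HOST -p tcp --dport 22 -j ACCEPT"
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "-A $chain -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    while read -r src dst proto port; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blank and comment lines
        chain=FORWARD
        [ "$dst" = "$FW_ADDR" ] && chain=INPUT
        rule="-A $chain"
        [ "$src" != any ] && rule="$rule -s $src"
        [ "$dst" != any ] && rule="$rule -d $dst"
        rule="$rule -p $proto"
        [ "$port" != any ] && rule="$rule --dport $port"
        printf '%s\n' "$rule -j ACCEPT"
    done
    # Everything not explicitly permitted falls through to the DROP policies.
    printf '%s\n' 'COMMIT'
}

# Atomic activation: iptables-restore parses the whole file before committing,
# so a syntax error leaves the previously loaded ruleset in place.
activate() {
    if iptables-restore < "$1"; then
        echo "policy activated"
    else
        echo "activation failed; previous policy still in place" >&2
        return 1
    fi
}

# Usage with constructed rules: the web rule lands in FORWARD, the DNS rule
# addressed to the firewall itself lands in INPUT.
# printf '10.0.0.0/24 any tcp 80\nany 203.0.113.1 udp 53\n' | gen_ruleset > /tmp/fw.rules
# activate /tmp/fw.rules
```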

Quick Tour

Main window

The main window of the program includes the objects tree on the left (1), brief information about the object selected in the tree (2), the current firewall policy view (3) and a dialog panel where you can edit object parameters (4).

Like all Open Source projects, Firewall Builder depends on the user community, who provide testing, bug reports and other forms of feedback. You can file bug reports and feature requests using the bug tracking system. The mailing list is a great place to ask for help and discuss the program with other users.

This was just a brief introduction to the Firewall Builder package. If you are interested in the program, you can find more information on the project web site at http://www.fwbuilder.org. The slideshows Introduction to Firewall Builder 3.0 for the impatient and Getting started with Firewall Builder can help you get more familiar with the program.

Posted in Debian, Ubuntu | Comments Off

PIDA: the Python Integrated Development Application

March 8th, 2009 edited by Tincho

Article submitted by Javier Derderian. Guess what? We still need you to submit good articles about software you like!

PIDA is an IDE (integrated development environment) written in Python and the pygtk graphical toolkit. It is slightly different from other IDEs: rather than attempting to write a set of development tools of its own, PIDA reuses available tools. In this regard PIDA can be used as a framework for putting together your own customized IDE.

Although still a young application, PIDA already boasts a huge number of features because of the power of some of the tools it integrates. For example, features such as code completion and syntax highlighting are implemented in PIDA’s integrated editors far better than in any editor built for a commercial IDE. PIDA currently features many code editing helpers: syntax highlighting, code completion, automatic indenting, block commenting, etc.; project management, version control management, a Python debugger and profiler, GTK+ GUI building and rapid application design.

Among the already integrated components you can find:

  • VIM and Emacs as embedded editors with full support of each one’s features:
    • Syntax Highlighting
    • Code completion
    • Plugins
  • Bazaar, Git, Subversion (and more) as version control systems.

It’s actually designed for programming in any language, but it has some Python-specific features like a Python shell. You can program your own plugins, and there’s very nice API documentation to help you go through the plugin development path.

Some already available plugins are:

  • Pastebin: send code to a pastebin service.
  • PdfTex preview: compiles and displays PDF documents every time the buffer is saved.
  • Python: show classes/functions from a Python file, and show compilation errors.
  • Python Debugger: Python debugger based on RPDB2, the WinPDB back end.
  • Unit Tester: perform unit tests.
  • Docbook browser: browse local DocBook documentation.
  • Todo manager: manage a personal todo list per project.
  • RFC Viewer: download the RFC index, search and view RFC pages inside PIDA.
  • Bazaar: this plugin, developed outside of the project, integrates lots of Bazaar functions that are not included in the base version control integration.

PIDA is a great way to keep using Vim and have a nice GUI around to help you work faster with the file browser, the project manager and the internal shells. You can get more info on using and developing PIDA in the handbook.

Official packages have been available in both Debian and Ubuntu for a long time now.

And remember: PIDA LOVES YOU!


bash-completion: the greatest things since bash completion

March 1st, 2009 edited by Tincho

Article submitted by Andre Masella. Guess what? We still need you to submit good articles about software you like!

Pressing the tab key in bash to auto-complete a file name is one of the most time saving tricks especially when dealing with very long file names. Unfortunately, file name completion is not always the right behavior. Take Subversion for example. The first argument to svn is the sub-command to use. The file name is also restricted: svn add only takes files not under revision control and svn rm only takes files that are under revision control.

This is where the bash-completion package steps in. After installing it with a quick apt-get install bash-completion, a few lines need to be uncommented in /etc/bash.bashrc (sudo vim /etc/bash.bashrc) and the shell restarted. After that, try this:

$ svn <TAB><TAB>
add         cl          diff        list        move        propdel     rename      unlock
annotate    cleanup     export      lock        mv          propedit    resolve     update
blame       co          -h          log         pdel        propget     resolved    --version
cat         commit      help        ls          pedit       proplist    revert
changelist  copy        --help      merge       pget        propset     rm
checkout    cp          import      mergeinfo   plist       pset        status
ci          delete      info        mkdir       praise      remove      switch

Ta-da! Smarter completion for subversion.

bash-completion will alter the behavior of most commands to limit the display to relevant files. For example, mpg321 will only display MP3 files in the list. Programs like rmmod, iwconfig, ifup, and lvm will display relevant choices that are not files at all. Even bash’s fg and bg will now tab-complete with job identifiers. Completion for man is useful as it will auto-complete only man pages that exist and allows you to incrementally narrow your search by providing the beginning of the man page name, just like with regular files.

Occasionally, it doesn’t behave as expected. In particular, sometimes a file with the wrong extension will be filtered out by bash-completion. For example, if you save an image from certain Internet forums, the file will sometimes lack an extension. bash-completion will then filter out that file because it does not have the right extension. This can also happen if the capitalization is unusual. For example, bash-completion will suggest files that end in .mp3 or .MP3 for mpg321, but not .Mp3. In that case, either rename the file or insert # at the beginning of the line. The # makes bash think this line is a comment, and bash-completion returns to regular file name completion. Once finished, remove the # and run the command.

bash-completion is available in Debian and Ubuntu. If it isn’t available, it is very easy to install from source.


Fonty Python: manage your fonts

February 22nd, 2009 edited by Tincho

Article submitted by Donn Ingle. We’ve run out of articles! If you like Debian Package of the Day please submit good articles about software you like!

Fonty Python is available from the fontypython package in both Debian and Ubuntu in Universe. Fonty is a wxPython app, so it will work in any desktop environment. It also has a command-line interface which avoids the GUI.

What the font?

As a graphic designer, one is called upon to create artwork for many things. Fonts change from one client to another, from one job to another. If busy enough, one can soon amass a vast pile of font files. Some are downloaded from the net as freeware, others are purchased, others are supplied by the clients for their work.

These font-files are stored somewhere, independently of the system fonts managed by the Debian package manager, possibly sorted in whatever fashion you prefer. It’s crazy to have these fonts all installed at the same time. Besides whatever that may do to your computer’s speed, it has one gigantic drawback: it clutters up font-selection boxes. Have you ever tried to find a font in a list of 500 fonts? Bleh.

What you need is a way to herd fonts and that’s what Fonty does.

Bring out yer fonts!

FP screenshot
Fonty will let you gather your fonts and structure them into “collections” —or what I call “Pogs”— a place to keep tyPOGraphy (well, why not?)

Think of Pogs as “groups”, “bags”, “cases”, “boxes” —that kind of thing. It’s an oddball word invented to describe a bunch of font files.

Ye olde basic idea

You visually gather fonts into Pogs. You then install a Pog and all the fonts within it are active on the system. You finish your work and then uninstall the Pog.

Your fonts never move from where they live (so don’t worry). Nor are copies of your fonts made; only links to the original files are used to install the fonts into your home .fonts subdirectory.

For example, you might have a Pog called logoZoo into which you place all the TTFs you need to design a logo for a Zoo. After that, when you need to work with them, you simply install the logoZoo Pog and start your design app. All those fonts will now appear in Inkscape or The Gimp, and other apps. Do your work as normal, and forget about fonts.

When you are done designing, you uninstall logoZoo and all those fonts go away. The links to the original files are removed from your home .fonts directory, effectively uninstalling each font.

Fonty is also great for just looking at fonts wherever they are on your computer, without having to install them first. Fonty also has a command line, allowing very quick use. You can install or remove Pogs without having to start the entire GUI, which is neat.

Quick tour

The layout of Fonty is supposed to be as simple as possible. I stayed away from context-menus and drag and drop because I find them hard to use. The flow is left-to-right with the sources of fonts on the left and their targets on the right.

  • Point 1: You choose a Source Folder (or Source Pog) on the left.
  • Points 2 & 3: You then see the fonts in the middle. You can page through them or search around (Points 5, 7). You click the fonts you want to use.
  • Point 4: On the right, you choose a Pog, or make a new one.
  • Point 6: Once you have a Target Pog selected, you can place fonts that you ticked into it.
  • Point 8: On the bottom-right you then Install or Uninstall Pogs as you need them.
  • There is a settings box (ctrl+s) where you can change the sample text and sizes.
  • Check the help too — it’s full of tips and quite short.
FP screenshot

Bad fonts

Some fonts are simply bad to the bone. Fonty relies on freetype and PIL to open and draw the glyphs, and when this fails so does Fonty. I have put a lot of effort into catching this, but it does not always work. When a font crashes Fonty, you should get a popup box telling you which one did the deed. You really ought to remove that font! Some fonts cannot be displayed, and Fonty will show that by using coloured bars in the display area.

There is also a menu item (File > Check Fonts) that you can point at a given directory and scan it for fonts that will crash Fonty. Use this when you want to cull all the fonts that are bad.

Font Flavours

Originally, Fonty could only show TTF files. Since then I have expanded it to include OTF, Type1 and TTC files. As far as I can tell, being only seminiscient, this all works.

i18n

Fonty speaks your language; or it will if you translate it. There are a few translations available and you can join the project to contribute others.

Fonty needs help

With Python heading for version 3 and all kinds of other changes, Fonty is falling behind. She still works quite well, but I cannot spend the time I want to on her. If there’s anyone out there who wants to stick a fork in her and run —please do.

I hope to find some time this year to have another go; fix some bugs and include a few translations I have been sent, but I can’t be relied upon.

You can check out the author’s home page for Fonty and the project home page.


localepurge: Automagically remove unnecessary locale data

February 15th, 2009 edited by Vicho

Article submitted by Geoffroy Youri Berret. We’ve run out of articles! If you like Debian Package of the Day please submit good articles about software you like!

localepurge allows you to remove unnecessary locale data you have on your system and prevents installing unneeded locales when installing new packages.

During the initial installation of localepurge you’ll be asked which languages you want on your system. The installation process will also ask you whether you want to purge manpages for unwanted locales. Once installed, localepurge will be launched each time you install a new package on your system and will inform you of the amount of space you saved.

On a regular desktop installation you may save up to one hundred or more MiB. Even though space is no longer that expensive, this kind of tool might still be useful on netbooks, laptops and, in general, mobile technology with limited disk space.

nota bene: You have to be aware that localepurge is considered a hack of the package system, not a feature (see localepurge(8)). localepurge is independent and not a part of dpkg/apt. Consider using it at your own risk. This warning sounds worrying, but my personal experience with localepurge over the past 5 years tells me there is no reason to be afraid of it —I never identified a problem on my system I could blame on localepurge. It’s nonetheless important to keep that in mind.

Let’s see how efficient it is with an mplayer installation on Debian Lenny, for instance:

$ aptitude install mplayer
[...]
Preconfiguring packages …
Selecting previously deselected package libopenal1.
(Reading database … 95241 files and directories currently installed.)
Unpacking libopenal1 (from …/libopenal1_1%3a1.4.272-2_i386.deb) …
Selecting previously deselected package mplayer-skin-blue.
Unpacking mplayer-skin-blue (from …/mplayer-skin-blue_1.6-2_all.deb) …
Selecting previously deselected package mplayer.
Unpacking mplayer (from …/mplayer_1.0~rc2-17+lenny3_i386.deb) …
Processing triggers for man-db …
Processing triggers for menu …
Setting up libopenal1 (1:1.4.272-2) …
Setting up mplayer-skin-blue (1.6-2) …
Setting up mplayer (1.0~rc2-17+lenny3) …
Configuring mplayer …done
Processing triggers for menu …
localepurge: Disk space freed in /usr/share/man: 780K
[...]
$

localepurge has been available in Debian for quite a long time; you’ll find it in old stable Sarge, Etch and Lenny. It’s also been available in Ubuntu (universe) for ages.
