Managing Windows XP Services with the Service Controller Command SC

Many processes and functions of the Windows XP operating system and other software are classified under the general rubric of “services”. Managing services with the graphical facility called the Services Console is discussed at a sister site. In addition to a GUI method of managing services, Windows XP also has a powerful command-line utility.This utility, the Service Controller, is opened by entering "sc' into the command prompt and contains a large assembly of subcommands that we will survey.
The command-line method of managing services has the advantage of being available for scripts. It also allows for quickly stopping and starting services for troubleshooting purposes. Systems administrators use it for managing services on networks and for very detailed configuration. For the average PC user, it provides a quick and easy way to turn services on and off to see how system performance is affected.

The SC subcommands

The "sc" command comes with numerous subcommands. A list can be seen at the this Microsoft page or by entering "sc /?" into a command prompt. There is also a list in the Windows XP Help and Support Center. Altogether, 24 subcommands are listed. Each subcommand in turn may have a subset of different commands. The table below shows a selection of the subcommands and their functions that are of most relevance to a typical PC owner. Much more detailed information is available at the XP Help and Support Center by searching "sc".
Table I. Selected subcommands for SC
Command Function
sc config Configures service startup and login accounts
sc continue Resumes a paused service
sc enumdepend Lists the services that cannot run unless the specified service is running
sc failure Specifies what action to take upon failure of the service
sc pause Pauses a service
sc qc Displays the configuration of a particular service
sc query Displays information about the specified service, driver, type of service, or type of driver
sc start Starts a service running
sc stop Sends a STOP request to a service (not all will respond)

Examples of some useful ways to apply SC

The suite of commands that are available are very powerful and allow for much configuring of services. Although not all functions will be of interest to the average PC use, some are applicable to everyday experience. You can learn if a service is runninng, stop, start. or pause it, and determine if it will run when the system is started up. Here are examples of some commands that I think might be of interest.
sc config
This command has a number of functions but one is to determine the status of a service at system startup. A service can be set to run automatically, manually or not at all. The commands aresc config ServiceName start= flagHere ServiceName is the name of the service and flag has one of the values auto, demand. or disabled . For example, to set a service to run manually the command is sc config ServiceName start= demandNote that there must be a space after the equals sign. The correct value for the parameter ServiceName may not always be obvious and the next command can be used to find it for all services.
sc query
Information about services and drivers can be obtained with this command. Used alone it returns a list of running services with various information about the service. Lists can be inconvenient to read on a screen and they can be redirected to a text file. To create a text list of running services use the commandsc query > serviceslist.txt The path for the text file serviceslist.txt can be anywhere that is convenient. To create a list of all services, usesc query type= service state= all > allserviceslist.txt To create a list of active drivers, use sc query type= driver Or for a list of everything, use sc query state= all
sc start
To start up a service that is not running, usesc start ServiceName
sc stop
To stop a running service, use sc stop ServiceName However, some services cannot or should not be stopped

List post titles in alphabetical or chronological order


In this tutorial I will show you how to list all your post titles. If you are looking for an alternative to Blogger’s Archive gadget, then this might be it. This list can also be used as a Table Of Contents. This list is made possible with the use of Yahoo! Pipe.
See the demo in Blogger Sentral Widget Showcase.
The list comes with several options:
  1. List them inside a widget or inside a post.
  2. Select whether to arrange them in alphabetical or chronological order. If you use your blog as an online serial novel, then chronological order is just what you need.
  3. Select whether to include comment count at the end of each title.
  4. Select ordered (numbered) or unordered (bulleted) list style.
Let’s get started.

The code





Make your own





Put list in a (dedicated) post

  1. For the code to work, you must disable line breaks conversion in your blog. Go to Settings > Formatting and on Convert Line Breaks, select No.
  2. Go to Blogger Post Editor.
  3. Switch to Edit HTML mode.
  4. Copy and paste the code in the editing window.
  5. Save your post and view it. The list should be showing inside the post.
  6. You may want  to add a direct link to the post from your homepage. This can be done by adding navigation tabs or better still turn the dedicated post into a static page.

Put list in a gadget e.g. sidebar

  1. Go to Design > Page Elements.
  2. Click Add A Gadget link.
  3. Select HTML/Javascript gadget.
  4. Enter the title of your widget e.g. All Posts List.
  5. Copy and paste the code inside the content box.
  6. Save and view your blog.
This widget will show your blog’s latest 1000 post titles. Replace http://www.bloggersentral.com (the value of YourBlogUrl) with your own blog url, in code line 20. Do not include the slash (as in .com/).
Style the list with the inline style attribute in line 4.
If your list becomes too long, you might want to put it in a scroll box.

Selecting the options

  • Listing order -the default order is alphabetical. To change to chronological order, just change the word alphabet in code line 21 to chrono.
  • Comment count - comment count is displayed as default. To remove comment count, delete code line 13.
  • List style -the default is bulleted list. To change to numbered list, replace ul (in line 4 and 16) with ol.

Customizing the pipe (optional)

If you want further customize the widget output, you need to edit the (Yahoo) pipe itself. Follow the steps below:
  1. Go to the Yahoo! pipe.
  2. Log in to your Yahoo! account.
  3. Create a clone by clicking the Clone button.
  4. Click edit source to edit it in anyway you like.
  5. When you’re done editing and saving, test run it by clicking Run Pipe button to confirm the output of the pipe.
  6. To use your edited pipe, copy the pipe id and paste it to replace the existing id in line 22. (To get the id, look in your browser’s address bar. The id is the end part the url when you are viewing or editing the pipe.)
Enjoy!

Removing Newer and Older Post Links in Blogger Blog

If you are using Blogger as blogging platform, you might be used to some of the built-in features, that you consider hard coded, but can be changed with slight template code modification. One of the hacks, presented in this publication, addresses a seemingly minor issue on the page - two links “Older Posts” and “Newer Posts” on the bottom of the page.

For those, who prefer their blog to be maximally close to the static webpages, these links not just unnecessary, but are plainly irritating. There is a way to remove them once and forever. And that is quite easy to do, even for not very experienced users. Note, that this hack will also remove “home” link from the bottom of the blog page.

Open Layout Tab in your blog profile page, choose Edit HTML, and search your code in your blog template for the following text:
#blog-pager-newer-link {
float: left;
}
#blog-pager-older-link {
float: right;
}
#blog-pager {
text-align: center;
}


Now replace that code with the following code:

#blog-pager-newer-link {
display: none;
}
#blog-pager-older-link {
display: none;
}
#blog-pager {
display: none;
}


Save the template and you are done.b

Remove Subscribe To Posts(Atom) Link From Blogger Blog


RSS




You must have seen that at the botton of your blogger template there is a Subscribe to: Posts (Atom) link. Blogger has added it so that the blog visitors can subscribe to your Atom feeds. However many people use RSS for their
blog feeds . Moreover it occupies space at the bottom of the template and it doesn't look nice.

Many people must have tried to remove it by visiting the Edit HTML option, but they wont find the Subscribe to: Posts (Atom) part anywhere in the template. This is because it isn't written within the a href tag. However removing it is very easy.


Before you start the work, make a backup of your template as a precautionary measure. To remove it click on Layout and click on Edit HTML
Blogger Basics












Now select Expand Widget Templates. After selecting it, search for the following code in the template


< b:include name='feedLinks'/>

Once you find the code, remove it and save your template. Refresh your blog and now the Subscribe to: Posts (Atom) link wont be there on your blog.

How to install OSX 10.5 Leopard on your Intel computer


Don't forget to read this before installing
I forgot the 'requirements' section on purpose. Please read through the whole guide and write down the things you need. This sounds stupid, but I want to force you to read through the whole guide prior to trying things out.

The actual guide 0. First you need to check if your CPU supports at least SSE2 (if you already know that your CPU supports at least SSE2, skip to the next step).

>> Download CPU-Z
>> Unzip and start the program. In the CPU tab, look if you see SSE2 somewhere (if you also see SSE3, congratulations, you have the perfect CPU!). If you only see SSE, ask your dad for a new CPU, otherwise this won't work.

1. If you are using Windows XP go to step 2. If you are using Windows Vista, skip to step 3.

2. You need to create at least 6GB unallocated space on your hard disk. If you know how to do this, don't hesitate to use your preferred method. If you don't know how to do this, download Partiton Magic 8 and shrink one of the partitions on your hard drive. After you've done that, skip to step 4.

>> Click on ‘Resize/Move Partition
>> Move the slider to make the partition smaller and hit OK
>> Click on ‘Apply’
>> Close Partition Magic


3. You need to create at least 6GB unallocated space on your hard drive. To do this, follow the steps below.

>> Press the windows logo in the bottom left corner of you screen
>> Right click ‘computer’ and select ‘manage’
>> Select ‘Disk Management’ in the ‘Computer Management’ screen.
>> Select a partition with at least 6GB of free space
>> Right click it and hit ’shrink volume”
>> Type in the amount of space to shrink (at least 6GB) and hit ‘Shrink’.
>> Close all open windows.


4. In Vista, hit [windows button] + R. In XP, go to start > Run. Type 'diskpart' (without quotes) in the run window and press OK.

5. In the command window, type:

>> List disk
>> Select disk [disk #]
>> List partition
>> create partition primary id=af
>> active

6. Insert the Leopard install disk (if you don't have it, search for a ToH RC2 disk on the usual places...) and reboot your computer.If it doesn't boot up your Leopard disk you may have to change your BIOS settings to alow booting from a DVD.

7. Wait for the DVD to boot up and select a language. Somewhere in the toolbar at the top of your screen (after you selected a language!) you'll see 'Disk Utility'. Open it and select the partition you created in step 5. Format it to HFS+ (journaled) and call it Leopard.

8. Follow all installation steps on your screen. Choose the HFS+ (journaled) partition you created in step 7 and don't forget to hit customize. Depending on the install disk you use you need to select or deselect packages.

9. The install will take about an hour, depending on your computer configuration. Take a cup of coffee and start praying.

10. When the installation finishes your computer should boot into Leopard! If it does, skip to step 16. If it does't, go to the next step.

11. Boot the Leopard instalation DVD again.

12. Open a terminal window (see the toolbar, it should be there) and type:

>> /usr/misc/script.sh Leopard (if you named the partition 'Leopard', if you gave it another name, replace 'Leopard' with your name)

13. Leopard should start booting now! If you are lucky, you can use it now, if you get a kernel panic, read on, otherwise, skip to step 16..

14. Restart the computer and hit F8 when you see the bootloader. Type in "cpus=1" and hit enter. If you still get a kernel panic, read on, otherwise skip to step 16.

15. Boot into your BIOS and disable SpeedStep. Try to boot Leopard now, still not working? Try to boot it in safe mode (type -x in the command line). if it's still not working, go to step 16.

16. When booted into Leopard, play with it for a while and then fire up a new terminal window. Type

sudo nano /library/preferences/systemconfiguration/com.apple.boot.plist

17. Type cpus=1 in the kernel flag string if you needed that flag in step 15. Add

Timeout
5
below the last string to setup a timeout for the bootloader. This'll allow you to choose your Windows partition when you start your computer.

18. You should now have a working dual boot configuration! Maybe there are still a few things not working like you hoped, search the forums at forums.osx86scene.org and forum.insanelymac.com for help. If you search the board before posting and use common sense, I'm sure that the community will help you.

OPTIONAL: Now you installed OSX on your computer using this great site, please visit our weblog. We're just starting it and it would be great if you could give it some exposure on your blog. Thanks!

FTP Server in Ubuntu

File Transfer Protocol (FTP) is a TCP protocol for uploading and downloading files between computers. FTP works on a client/server model. The server component is called an FTP daemon. It continuously listens for FTP requests from remote clients. When a request is received, it manages the the login and sets up the connection. For the duration of the session it executes any of commands sent by the FTP client.
Access to an FTP server can be managed in two ways:
  • Anonymous
  • Authenticated
In the Anonymous mode, remote clients can access the FTP server by using the default user account called 'anonymous" or "ftp" and sending an email address as the password. In the Authenticated mode a user must have an account and a password. User access to the FTP server directories and files is dependent on the permissions defined for the account used at login. As a general rule, the FTP daemon will hide the root directory of the FTP server and change it to the FTP Home directory. This hides the rest of the file system from remote sessions.

vsftpd - FTP Server Installation

vsftpd is an FTP daemon available in Ubuntu. It is easy to install, set up, and maintain. To install vsftpd you can run the following command:
sudo apt-get install vsftpd 

vsftpd - FTP Server Configuration

You can edit the vsftpd configuration file, /etc/vsftpd.conf, to change the default settings. By default only anonymous FTP is allowed. If you wish to disable this option, you should change the following line:
anonymous_enable=YES
to
anonymous_enable=NO
By default, local system users are not allowed to login to FTP server. To change this setting, you should uncomment the following line:
#local_enable=YES
By default, users are allowed to download files from FTP server. They are not allowed to upload files to FTP server. To change this setting, you should uncomment the following line:
#write_enable=YES
Similarly, by default, the anonymous users are not allowed to upload files to FTP server. To change this setting, you should uncomment the following line:
#anon_upload_enable=YES
The configuration file consists of many configuration parameters. The information about each parameter is available in the configuration file. Alternatively, you can refer to the man page, man 5 vsftpd.conf for details of each parameter.
Once you configure vsftpd you can start the daemon. You can run following command to run the vsftpd daemon:
sudo /etc/init.d/vsftpd start 

[Note]
Please note that the defaults in the configuration file are set as they are for security reasons. Each of the above changes makes the system a little less secure, so make them only if you need them.

Turning Mac OS X Into A Web Server

Now that you have been using OS X for a few weeks and are likely growing more comfortable with it, we can take a look at some of the very neat features that Apple has bundled with the new OS.
OS X's Unix core means that the OS is well equipped to handle industrial strength, OS reliant tasks such as ftp and Web serving. Apple has kindly provided a very simple way to access both features in OS X, but this week we are only going to talk about Web serving.
A Web server is a computer that sits patiently waiting for users to request documents (like HTML files) and images that reside somewhere on its hard drive. As you know, the World Wide Web essentially knows no time or space boundaries, meaning that a Web server must run reliably 24 hours a day, 7 days a week. Most of this also happens without a system administrator having to intervene all that frequently. When put in this perspective, the responsibility of a Web server is enormous. It must run, all the time, with almost no human attention. Attempting to use Mac OS 8/9 as a Web server, for just that reason, was often problematic if not impossible. While it can be argued that the traditional Mac OS is more stable than its consumer oriented Windows counterparts, system problems and crashes were often far too frequent to use it as a Web server.
OS X does not suffer from such limitations.
OS X's Unix architecture is the same that runs nearly all modern day Web servers. Combined with the flexible and powerful Apache Web Server software, OS X is ready, out of the box, to host your Web site. Some non-OS related limitations include the amount of bandwidth you have available. Not only does the computer need to be on all the time, it needs to be actively connected to the Internet all the time as well. With the wide spread adoption of broadband connections like DSL and cable, this is often not as much of a problem as it once was. So, you have OS X, a fat pipe to the Internet, and you want to host some Web pages; what do you do next?
How Do I Set Up Web Sharing?
This is remarkably easy with OS X's interface for Apache. To enable Apache, users need to simply check a few boxes in Apple's System Preference area. Following is step-by-step run down of how to activate OS X's built-in Web server.

  1. Open OS X's System Preferences application.
  2. Choose the "Sharing" setting.
  3. Under where it says "Web Sharing," click "Start"
  4. If this works correctly, the window should now say "Web Sharing On" and the "Start" button has turned into a "Stop" button.

The Sharing preferences in your System Preferences.
(Click the thumbnail for a larger image.)
That is the basic part of it. Once you follow the above steps, your OS X computer is ready and waiting to be a Web server. But how do you get to it? Where do you put your HTML files?
At the bottom of the Sharing window under System Preferences you will see your system's current IP address (provided you are connected to the Internet). This is the "phone number" for your computer that other people can use to contact it. If you want to see proof that your computer is set up as a Web server, enter the IP address into a Web browser in this format: http://111.22.33.444 or whatever your IP address is. You will now be connected to your own Web serving computer.
Where Do I Put The Actual Web Site?
All of your Web site documents are stored in the Documents folder inside your Web Server folder. The full path is: computer/osx/library/webserver/documents
A number of files already reside in that folder. The first page that a Web browser looks for in a directory on any Web server is a file called index.html. If you look in your Documents folder in your WebServer folder, you will see a number of files that read "index.html.en" or something similar. To create a "home page" for your Web server, change the file that reads "index.html.en" to "index.html". Once you do this, go back to your Web browser and click the Refresh or Reload button. Now, if everything has gone right, you should see a page that looks like this:


The default Web page displayed
when you successfully install Apache.
(Click the thumbnail for a larger image.)
But I Have a Changing, or Dynamic, IP!
The single biggest problem for setting up your personal machine to function as a Web server is that most users have an IP address, or "computer phone number," that is always changing. This type of IP address is called a Dynamic IP, and can be problematic for establishing a Web site. Imagine if somebody tried to call you but your phone number changed every day? Now you see the problem.
Fortunately this can be corrected with a free service called dyndns.org. This service, combined with the free application DNSUpdate, allow users to set a "plain English" URL that is always mapped to their current system, regardless of what the current IP address is. This works by DNSUpdate sending a message to the dyndns.org servers every time your dynamic IP is changed. The dyndns.org servers then correctly map your most current IP address with whatever URL you decide to use. So, for example, you might be able to use the URL: osxiscool.dyndns.org
If the system is set up correctly, and you install the DNSUpdate client on your OS X computer, that URL should always reach your machine.
This is, of course, the most basic set of instructions for getting your new OS X computer running as a Web server. There are a large number of security issues to consider, and then there is the small matter of actually designing a Web site. However, if you are feeling motivated, this should get you headed in the right direction.

How to Add a Program to the Ubuntu Startup List (After Login)



If you are coming from Windows, you are probably familiar wtih adding a shortcut to the Startup folder in the Start menu so that the program will start after you log in.
Ubuntu provides a little utility to help you accomplish the same thing, but it’s not named quite what you’d think, so you may not have found this.
And yes, for the more technical users, you can modify the startup script and accomplish the same thing.
You’ll find the tool on the System \ Preferences\ Sessions menu item:
Click the Add button, and type in the full path to the executable you are trying to start if it’s not in your path already. For instance, if you wanted to start the vmware toolbox, you’d put in vmware-toolbox into the textbox. You can also browse directly to the item you want to start.

UFW Mechanics

Now that you have some security set up it is time to just see how it all works.  The easiest method is to allow access to a specific port to everyone.  For example, if you wanted to allow everyone access to your web server on port 80 you could do this command:
sudo ufw allow 80/tcp
This allows everyone access to the web server using the tcp protocol.  Simple, but this may not be what you want to do.  Maybe you want to only allow some people access to the server.  Here is how you could limit access to your web server for just one IP Address.
ufw1
Ufw is the command followed by “allow” which determines access.  The protocol must be listed as you do not want to allow udp on port 80 as it is not needed or used.  You will create security holes if you just open a port to both tcp and udp.  You must specifically indicate the protocol in each of your rules.  The “from” determines access from specific IP Addresses or subnets.  The “to any” provides access to the server and if the server is forwarding traffic, would allow access to internal machines as well.
Delete a Rule
When you want to delete a rule you will need to know what the rule was that you created and then just place ufw delete in front of the rule.
ufw2
You can stop connections from specific IP Addresses or subnets by using the deny option.
ufw3
If you wanted to stop all connections from a subnet you would just list that subnet:
sudo ufw deny from 192.168.4.0/24
Always use the status to check if your command is correct.
sudo ufw status
Status: active
To                         Action      From
–                         ——      —-
22/tcp                     ALLOW       192.68.5.0/24
Apache                     ALLOW       Anywhere
Anywhere                   DENY        192.168.4.0/24

Ubuntu 9.10 UFW Firewall

ufw Firewall
UFW or Uncomplicated Firewall, is a text based firewall that works with  iptables.  UFW is designed to be an easier way to manage a firewall from the command line.  Whether this is easier than learning iptables or not, you can decide.  But UFW comes partially set up when you install Ubuntu.  Now it is not activated by default so you have not protection but some basic settings are in place when you do start up UFW.
The Ubuntu 9.10 server brings three new features to the UFW firewall; outgoing filtering update, filtering by interface and bash completion.  This now brings a total of 12 new features since the UFW was first released in version 8.04.  Finally, the UFW is reaching a mature stage where you can use it instead of writing rules with iptables.

If you run the ufw command you will see a listing of the most important commands to run the ufw firewall.  Take some time to look this over as you will need this as a resource.
ufw
Usage: ufw COMMAND
Commands:
enable                          enables the firewall
disable                         disables the firewall
default ARG                     set default policy
logging LEVEL                   set logging to LEVEL
allow ARGS                      add allow rule
deny ARGS                       add deny rule
reject ARGS                     add reject rule
limit ARGS                      add limit rule
delete RULE                     delete RULE
insert NUM RULE                 insert RULE at NUM
status                          show firewall status
status numbered                 show firewall status as numbered list of RULES
status verbose                  show verbose firewall status
show ARG                        show firewall report
version                         display version information
Application profile commands:
app list                        list application profiles
app info PROFILE                show information on PROFILE
app update PROFILE              update PROFILE
app default ARG                 set default application policy
Managing UFW
The first step in managing the firewall is to check the status.
sudo ufw status
Status: inactive
When you see a status as inactive you know that your server is vulnerable to attacks on open ports. It is important that you get UFW up and protecting your server before you connect to the Internet.
The first thing to do is to make sure you have access to the server remotely using SSH.  Be sure you have installed SSH on the server with:
sudo apt-get install ssh
Now create a firewall rule before you actually activate the firewall so if you are accessing it from SSH you will not break your connection.
As root complete the following commands.
sudo ufw allow proto tcp from 192.68.5.0/24 to any port 22
Rules updated
sudo ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup
Note that a subnet was allowed for connection on port 22. If you wanted to enter a single IP Address just change it to the IP Address you want.
Now you have access using SSH it is important before you create additional rules to understand what your firewall looks like from the outside, what ports are really open.
sudo apt-get install nmap
nmap 192.168.5.96
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-13 07:05 MDT
Interesting ports on 192.168.5.96:
Not shown: 996 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
State Rules
There are already several common rules that are configured into the firewall immediately.  One of those is the state rules that provide for any RELATED or ESTABLISHED connections.  This means that if you connect to a web server from a machine it will allow the information you requested from the web server to return based on the fact that the local machine established the connection and the returning information was related to that request.

The Linux kernel includes the Netfilter subsystem, which is used to manipulate or decide the fate of network traffic headed into or through your server. All modern Linux firewall solutions use this system for packet filtering.
The kernel's packet filtering system would be of little use to administrators without a userspace interface to manage it. This is the purpose of iptables. When a packet reaches your server, it will be handed off to the Netfilter subsystem for acceptance, manipulation, or rejection based on the rules supplied to it from userspace via iptables. Thus, iptables is all you need to manage your firewall if you're familiar with it, but many frontends are available to simplify the task.

ufw - Uncomplicated Firewall

The default firewall configuration tool for Ubuntu is ufw. Developed to ease iptables firewall configuration, ufw provides a user friendly way to create an IPv4 or IPv6 host-based firewall.
ufw by default is initially disabled. From the ufw man page:
ufw is not intended to provide complete firewall functionality via its command interface, but instead provides an easy way to add or remove simple rules. It is currently mainly used for host-based firewalls.
The following are some examples of how to use ufw:
  • First, ufw needs to be enabled. From a terminal prompt enter:
    sudo ufw enable
  • To open a port (ssh in this example):
    sudo ufw allow 22
  • Rules can also be added using a numbered format:
    sudo ufw insert 1 allow 80
  • Similarly, to close an opened port:
    sudo ufw deny 22
  • To remove a rule, use delete followed by the rule:
    sudo ufw delete deny 22
  • It is also possible to allow access from specific hosts or networks to a port. The following example allows ssh access from host 192.168.0.2 to any ip address on this host:
    sudo ufw allow proto tcp from 192.168.0.2 to any port 22
    Replace 192.168.0.2 with 192.168.0.0/24 to allow ssh access from the entire subnet.
  • Adding the --dry-run option to a ufw command will output the resulting rules, but not apply them. For example, the following is what would be applied if opening the HTTP port:
     sudo ufw --dry-run allow http
    *filter
    :ufw-user-input - [0:0]
    :ufw-user-output - [0:0]
    :ufw-user-forward - [0:0]
    :ufw-user-limit - [0:0]
    :ufw-user-limit-accept - [0:0]
    ### RULES ###
    
    ### tuple ### allow tcp 80 0.0.0.0/0 any 0.0.0.0/0
    -A ufw-user-input -p tcp --dport 80 -j ACCEPT
    
    ### END RULES ###
    -A ufw-user-input -j RETURN
    -A ufw-user-output -j RETURN
    -A ufw-user-forward -j RETURN
    -A ufw-user-limit -m limit --limit 3/minute -j LOG --log-prefix "[UFW LIMIT]: "
    -A ufw-user-limit -j REJECT
    -A ufw-user-limit-accept -j ACCEPT
    COMMIT
    Rules updated
  • ufw can be disabled by:
    sudo ufw disable
  • To see the firewall status, enter:
    sudo ufw status
  • And for more verbose status information use:
    sudo ufw status verbose
  • To view the numbered format:
    sudo ufw status numbered
[Note]
If the port you want to open or close is defined in /etc/services, you can use the port name instead of the number. In the above examples, replace 22 with ssh.
This is a quick introduction to using ufw. Please refer to the ufw man page for more information.

ufw Application Integration

Applications that open ports can include an ufw profile, which details the ports needed for the application to function properly. The profiles are kept in /etc/ufw/applications.d, and can be edited if the default ports have been changed.
  • To view which applications have installed a profile, enter the following in a terminal:
    sudo ufw app list
  • Similar to allowing traffic to a port, using an application profile is accomplished by entering:
    sudo ufw allow Samba
  • An extended syntax is available as well:
    ufw allow from 192.168.0.0/24 to any app Samba
    Replace Samba and 192.168.0.0/24 with the application profile you are using and the IP range for your network.
    [Note]
    There is no need to specify the protocol for the application, because that information is detailed in the profile. Also, note that the app name replaces the port number.
  • To view details about which ports, protocols, etc are defined for an application, enter:
    sudo ufw app info Samba
Not all applications that require opening a network port come with ufw profiles, but if you have profiled an application and want the file to be included with the package, please file a bug against the package in Launchpad.

IP Masquerading

The purpose of IP Masquerading is to allow machines with private, non-routable IP addresses on your network to access the Internet through the machine doing the masquerading. Traffic from your private network destined for the Internet must be manipulated for replies to be routable back to the machine that made the request. To do this, the kernel must modify the source IP address of each packet so that replies will be routed back to it, rather than to the private IP address that made the request, which is impossible over the Internet. Linux uses Connection Tracking (conntrack) to keep track of which connections belong to which machines and reroute each return packet accordingly. Traffic leaving your private network is thus "masqueraded" as having originated from your Ubuntu gateway machine. This process is referred to in Microsoft documentation as Internet Connection Sharing.

ufw Masquerading

IP Masquerading can be achieved using custom ufw rules. This is possible because the current back-end for ufw is iptables-restore with the rules files located in /etc/ufw/*.rules. These files are a great place to add legacy iptables rules used without ufw, and rules that are more network gateway or bridge related.
The rules are split into two different files, rules that should be executed before ufw command line rules, and rules that are executed after ufw command line rules.
  • First, packet forwarding needs to be enabled in ufw. Two configuration files will need to be adjusted, in /etc/default/ufw change the DEFAULT_FORWARD_POLICY to “ACCEPT”:
    DEFAULT_FORWARD_POLICY="ACCEPT"
    Then edit /etc/ufw/sysctl.conf and uncomment:
    net.ipv4.ip_forward=1
    Similarly, for IPv6 forwarding uncomment:
    net.ipv6.conf.default.forwarding=1
  • Now we will add rules to the /etc/ufw/before.rules file. The default rules only configure the filter table, and to enable masquerading the nat table will need to be configured. Add the following to the top of the file just after the header comments:
    # nat Table rules
    *nat
    :POSTROUTING ACCEPT [0:0]
    
    # Forward traffic from eth1 through eth0.
    -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
    
    # don't delete the 'COMMIT' line or these nat table rules won't be processed
    COMMIT
    The comments are not strictly necessary, but it is considered good practice to document your configuration. Also, when modifying any of the rules files in /etc/ufw, make sure these lines are the last line for each table modified:
    # don't delete the 'COMMIT' line or these rules won't be processed
    COMMIT
    For each Table a corresponding COMMIT statement is required. In these examples only the nat and filter tables are shown, but you can also add rules for the raw and mangle tables.
    [Note]
    In the above example replace eth0, eth1, and 192.168.0.0/24 with the appropriate interfaces and IP range for your network.
  • Finally, disable and re-enable ufw to apply the changes:
    sudo ufw disable && sudo ufw enable
IP Masquerading should now be enabled. You can also add any additional FORWARD rules to the /etc/ufw/before.rules. It is recommended that these additional rules be added to the ufw-before-forward chain.

iptables Masquerading

iptables can also be used to enable masquerading.
  • Similar to ufw, the first step is to enable IPv4 packet forwarding by editing /etc/sysctl.conf and uncomment the following line
    net.ipv4.ip_forward=1
    If you wish to enable IPv6 forwarding also uncomment:
    net.ipv6.conf.default.forwarding=1
  • Next, execute the sysctl command to enable the new settings in the configuration file:
    sudo sysctl -p
  • IP Masquerading can now be accomplished with a single iptables rule, which may differ slightly based on your network configuration:
    sudo iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE
    The above command assumes that your private address space is 192.168.0.0/16 and that your Internet-facing device is ppp0. The syntax is broken down as follows:
    • -t nat -- the rule is to go into the nat table
    • -A POSTROUTING -- the rule is to be appended (-A) to the POSTROUTING chain
    • -s 192.168.0.0/16 -- the rule applies to traffic originating from the specified address space
    • -o ppp0 -- the rule applies to traffic scheduled to be routed through the specified network device
    • -j MASQUERADE -- traffic matching this rule is to "jump" (-j) to the MASQUERADE target to be manipulated as described above
  • Also, each chain in the filter table (the default table, and where most or all packet filtering occurs) has a default policy of ACCEPT, but if you are creating a firewall in addition to a gateway device, you may have set the policies to DROP or REJECT, in which case your masqueraded traffic needs to be allowed through the FORWARD chain for the above rule to work:
    sudo iptables -A FORWARD -s 192.168.0.0/16 -o ppp0 -j ACCEPT
    sudo iptables -A FORWARD -d 192.168.0.0/16 -m state --state ESTABLISHED,RELATED -i ppp0 -j ACCEPT
    The above commands will allow all connections from your local network to the Internet and all traffic related to those connections to return to the machine that initiated them.
  • If you want masquerading to be enabled on reboot, which you probably do, edit /etc/rc.local and add any commands used above. For example add the first command with no filtering:
    iptables -t nat -A POSTROUTING -s 192.168.0.0/16 -o ppp0 -j MASQUERADE

Logs

Firewall logs are essential for recognizing attacks, troubleshooting your firewall rules, and noticing unusual activity on your network. You must include logging rules in your firewall for them to be generated, though, and logging rules must come before any applicable terminating rule (a rule with a target that decides the fate of the packet, such as ACCEPT, DROP, or REJECT).
If you are using ufw, you can turn on logging by entering the following in a terminal:
sudo ufw logging on
To turn logging off in ufw, simply replace on with off in the above command.
If using iptables instead of ufw, enter:
sudo iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "
A request on port 80 from the local machine, then, would generate a log in dmesg that looks like this:

[4304885.870000] NEW_HTTP_CONN: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58288 DF PROTO=TCP SPT=53981 DPT=80 WINDOW=32767 RES=0x00 SYN URGP=0

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log. This behavior can be modified by editing /etc/syslog.conf appropriately or by installing and configuring ulogd and using the ULOG target instead of LOG. The ulogd daemon is a userspace server that listens for logging instructions from the kernel specifically for firewalls, and can log to any file you like, or even to a PostgreSQL or MySQL database. Making sense of your firewall logs can be simplified by using a log analyzing tool such as fwanalog, fwlogwatch, or lire.

Other Tools

There are many tools available to help you construct a complete firewall without intimate knowledge of iptables. For the GUI-inclined:
  • Firestarter is quite popular and easy to use.
  • fwbuilder is very powerful and will look familiar to an administrator who has used a commercial firewall utility such as Checkpoint FireWall-1.
If you prefer a command-line tool with plain-text configuration files:
  • Shorewall is a very powerful solution to help you configure an advanced firewall for any network.
  • ipkungfu should give you a working firewall "out of the box" with zero configuration, and will allow you to easily set up a more advanced firewall by editing simple, well-documented configuration files.
  • fireflier is designed to be a desktop firewall application. It is made up of a server (fireflier-server) and your choice of GUI clients (GTK or QT), and behaves like many popular interactive firewall applications for Windows.

References

  • The Ubuntu Firewall wiki page contains information on the development of ufw.
  • Also, the ufw manual page contains some very useful information: man ufw.
  • See the packet-filtering-HOWTO for more information on using iptables.
  • The nat-HOWTO contains further details on masquerading.

You might also like :

Related Posts with Thumbnails