Wednesday, December 26, 2007
What is Ubuntu JeOS (Just Enough Operating System) ?
Ubuntu JeOS (pronounced "Juice") is an efficient variant of the popular desktop and server operating system, configured specifically for virtual appliances.
"The efficiencies inherent in an operating system that is built for a virtualised world mean that ISVs looking to deploy their applications in this lucrative and growing market have an obvious deployment target in the Ubuntu JeOS Edition," said Stephen O'Grady, analyst at RedMonk. "As the delivery platforms and economics of licensing continue to change, the flexibility and reach of the Ubuntu operating system make it an increasingly popular choice for far sighted ISVs."
ISVs looking to develop virtual appliances will have a compelling platform in Ubuntu JeOS, an OS optimised for virtualisation that greatly reduces the complexity and maintenance overhead normally associated with general purpose operating systems. Ubuntu JeOS Edition has been tuned to take advantage of key performance technologies of the latest virtualisation products from VMware. This combination of reduced size and optimized performance ensures that Ubuntu JeOS Edition delivers a highly efficient use of server resources in large virtual deployments.
"Canonical has produced a robust virtualised OS core in the Ubuntu JeOS Edition that is optimized for virtual appliances," said Dan Chu, vice president of emerging products and markets at VMware. "Virtual Appliances are fundamentally changing how software is developed and deployed, with ISVs now including a thin and highly optimized OS along with their application in a ready-to-run virtual machine. We are excited that Canonical is providing Ubuntu JeOS for vendors interested in building VMware virtual appliances."
Business Objects today unveiled a virtual appliance based on Ubuntu JeOS that is being demonstrated at VMworld.
"Ubuntu fits naturally into the place where computing is happening today," said Mark Shuttleworth, founder of the Ubuntu Project. "Virtualisation is the key driver of data center restructuring at present, and Ubuntu's popularity with developers makes it an excellent choice for the next generation of virtualized environments. We have worked with VMware to deliver a version of Ubuntu that complements its exceptional virtualisation capabilities, providing a solution for the ISVs building virtual appliances and for the enterprises planning to deploy them."
download:
Ubuntu-JeOS 8.04 (Hardy Heron) Alpha 2
source: ubuntu.com/news/ubuntu-jeos
"The efficiencies inherent in an operating system that is built for a virtualised world mean that ISVs looking to deploy their applications in this lucrative and growing market have an obvious deployment target in the Ubuntu JeOS Edition," said Stephen O'Grady, analyst at RedMonk. "As the delivery platforms and economics of licensing continue to change, the flexibility and reach of the Ubuntu operating system make it an increasingly popular choice for far sighted ISVs."
ISVs looking to develop virtual appliances will have a compelling platform in Ubuntu JeOS, an OS optimised for virtualisation that greatly reduces the complexity and maintenance overhead normally associated with general purpose operating systems. Ubuntu JeOS Edition has been tuned to take advantage of key performance technologies of the latest virtualisation products from VMware. This combination of reduced size and optimized performance ensures that Ubuntu JeOS Edition delivers a highly efficient use of server resources in large virtual deployments.
"Canonical has produced a robust virtualised OS core in the Ubuntu JeOS Edition that is optimized for virtual appliances," said Dan Chu, vice president of emerging products and markets at VMware. "Virtual Appliances are fundamentally changing how software is developed and deployed, with ISVs now including a thin and highly optimized OS along with their application in a ready-to-run virtual machine. We are excited that Canonical is providing Ubuntu JeOS for vendors interested in building VMware virtual appliances."
Business Objects today unveiled a virtual appliance based on Ubuntu JeOS that is being demonstrated at VMworld.
"Ubuntu fits naturally into the place where computing is happening today," said Mark Shuttleworth, founder of the Ubuntu Project. "Virtualisation is the key driver of data center restructuring at present, and Ubuntu's popularity with developers makes it an excellent choice for the next generation of virtualized environments. We have worked with VMware to deliver a version of Ubuntu that complements its exceptional virtualisation capabilities, providing a solution for the ISVs building virtual appliances and for the enterprises planning to deploy them."
download:
Ubuntu-JeOS 8.04 (Hardy Heron) Alpha 2
source: ubuntu.com/news/ubuntu-jeos
Ubuntu Hardy Heron Alpha 2 released
 | Steve Langasek announced the second alpha release of Ubuntu 8.04 LTS (Hardy Heron) |
Hello Ubuntu developers,
Welcome to Hardy Heron Alpha-2, which will in time become Ubuntu 8.04.
Pre-releases of Hardy are *not* encouraged for anyone needing a stable system or anyone who is not comfortable running into occasional, even frequent breakage. They are, however, recommended for Ubuntu developers and those who want to help in testing, reporting, and fixing bugs.
Alpha 2 is the second in a series of milestone CD images that will be released throughout the Hardy development cycle. The Alpha images are known to be reasonably free of showstopper CD build or installer bugs, while representing a very recent snapshot of Hardy. You can download it here:
http://cdimage.ubuntu.com/releases/hardy/alpha-2/ (Ubuntu)
http://cdimage.ubuntu.com/kubuntu/releases/hardy/alpha-2/ (Kubuntu)
http://cdimage.ubuntu.com/edubuntu/releases/hardy/alpha-2/ (Edubuntu)
http://cdimage.ubuntu.com/jeos/releases/hardy/alpha-2/ (Ubuntu JeOS)
http://cdimage.ubuntu.com/xubuntu/releases/hardy/alpha-2/ (Xubuntu)
http://cdimage.ubuntu.com/gobuntu/releases/hardy/alpha-2/ (Gobuntu)
http://cdimage.ubuntu.com/ubuntustudio/releases/hardy/alpha-2/ (UbuntuStudio)
See http://wiki.ubuntu.com/Mirrors for a list of mirrors.
Alpha 2 includes several new features that are ready for large-scale testing. Please refer to http://www.ubuntu.com/testing/hardy/alpha2 for information on changes in Ubuntu and https://wiki.kubuntu.org/HardyHeron/Alpha2/Kubuntu for changes in Kubuntu.
This is quite an early set of images, so you should expect some bugs. For a list of known bugs (that you don't need to report if you encounter), please see: http://www.ubuntu.com/testing/hardy/alpha2
If you're interested in following the changes as we further develop Hardy, have a look at the hardy-changes mailing list:
http://lists.ubuntu.com/mailman/listinfo/hardy-changes
We also suggest that you subscribe to the ubuntu-devel-announce list if you're interested in following Ubuntu development. This is a low-traffic list (a few posts a week) carrying announcements of approved specifications, policy changes, alpha releases, and other interesting events.
http://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-announce
Bug reports should go to the Ubuntu bug tracker:
https://bugs.launchpad.net/ubuntu
Related Posts:
Ubuntu Hardy Heron Alpha 1 released
Ubuntu 7.10 Released
NetBSD 4.0 released
 | Geert Hendrickx announced the availability of the official release of NetBSD 4.0 |
The NetBSD Project is pleased to announce that release 4.0 of the NetBSD operating system is now available. NetBSD is a free, secure,and highly portable Unix-like Open Source operating system available for many platforms, from 64-bit Opteron machines and desktop systems to handheld and embedded devices. Its clean design and advanced features make it excellent in both production and research environments, and it is user-supported with complete source. Many applications are easily available through pkgsrc, the NetBSD Packages Collection.
Major achievements in NetBSD 4.0 include support for version 3 of the Xen virtual machine monitor, Bluetooth, many new device drivers and embedded platforms based on ARM, PowerPC and MIPS CPUs. New network services include iSCSI target (server) code and an implementation of the Common Address Redundancy Protocol. Also, system security was further enhanced with restrictions of mprotect(2) to enforce W^X policies, the Kernel Authorization framework, and improvements of the Veriexec file integrity subsystem, which can be used to harden the system against trojan horses and virus attacks. Please read below for a list of changes in NetBSD 4.0.
NetBSD 4.0 runs on 54 different system architectures featuring 17 machine architectures across 17 distinct CPU families, and is being ported to more. The NetBSD 4.0 release contains complete binary releases for 51 different machine types, with the platforms amigappc, bebox and ews4800mips released in source form only. Complete source and binaries for NetBSD 4.0 are available for download at many sites around the world. A list of download sites providing FTP, AnonCVS, SUP, and other services is provided at the end of this announcement; the latest list of available download sites may also be found at NetBSD.org/mirrors/. We encourage users who wish to install via a CD-ROM ISO image to download via BitTorrent by using the torrent files supplied in the ISO image area. A list of hashes for the NetBSD 4.0 distribution has been signed with the well-connected PGP key for the NetBSD Security Officer:
ftp://ftp.NetBSD.org/pub/NetBSD/security/hashes/NetBSD-4.0_hashes.asc
NetBSD is free. All of the code is under non-restrictive licenses, and may be used without paying royalties to anyone. Free support services are available via our mailing lists and website. Commercial support is available from a variety of sources; some are listed at NetBSD.org/gallery/consultants.html. More extensive
information on NetBSD is available from our website:
http://www.NetBSD.org/
Dedication
NetBSD 4.0 is dedicated to the memory of Jun-Ichiro "itojun" Hagino, who died in October 2007. Itojun was a member of the KAME project,which provided IPv6 and IPsec support; he was also a member of the NetBSD core team (the technical management for the project), and one of the Security Officers. Due to Itojun's efforts, NetBSD was the first open source operating system with a production ready IPv6 networking stack, which was included in the base system before many people knew what IPv6 was. We are grateful to have known and worked with Itojun, and we know that he will be missed. This release is therefore dedicated, with thanks, to his memory.
System families supported by NetBSD 4.0
The NetBSD 4.0 release provides supported binary distributions for the following systems:
NetBSD/acorn26 Acorn Archimedes, A-series and R-series systems
NetBSD/acorn32 Acorn RiscPC/A7000, VLSI RC7500
NetBSD/algor Algorithmics, Ltd. MIPS evaluation boards
NetBSD/alpha Digital/Compaq Alpha (64-bit)
NetBSD/amd64 AMD family processors like Opteron, Athlon64, and Intel CPUs with EM64T extension
NetBSD/amiga Commodore Amiga and MacroSystem DraCo
NetBSD/arc MIPS-based machines following the Advanced RISC Computi=ng
spec
NetBSD/atari Atari TT030, Falcon, Hades
NetBSD/cats Chalice Technology's CATS and Intel's EBSA-285 evaluati=on
boards
NetBSD/cesfic CES FIC8234 VME processor board
NetBSD/cobalt Cobalt Networks' MIPS-based Microservers
NetBSD/dreamcast Sega Dreamcast game console
NetBSD/evbarm Various ARM-based evaluation boards and appliances
NetBSD/evbmips Various MIPS-based evaluation boards and appliances
NetBSD/evbppc Various PowerPC-based evaluation boards and appliances
NetBSD/evbsh3 Various Hitachi Super-H SH3 and SH4-based evaluation
boards and appliances
NetBSD/hp300 Hewlett-Packard 9000/300 and 400 series
NetBSD/hp700 Hewlett-Packard 9000 Series 700 workstations
NetBSD/hpcarm StrongARM based Windows CE PDA machines
NetBSD/hpcmips MIPS-based Windows CE PDA machines
NetBSD/hpcsh Hitachi Super-H based Windows CE PDA machines
NetBSD/i386 IBM PCs and PC clones with i386-family processors and up
NetBSD/ibmnws IBM Network Station 1000
NetBSD/iyonix Castle Technology's Iyonix ARM based PCs
NetBSD/landisk SH4 processor based NAS appliances
NetBSD/luna68k OMRON Tateisi Electric's LUNA series
NetBSD/mac68k Apple Macintosh with Motorola 68k CPU
NetBSD/macppc Apple PowerPC-based Macintosh and clones
NetBSD/mipsco MIPS Computer Systems Inc. family of workstations and
servers
NetBSD/mmeye Brains mmEye multimedia server
NetBSD/mvme68k Motorola MVME 68k Single Board Computers
NetBSD/mvmeppc Motorola PowerPC VME Single Board Computers
NetBSD/netwinder StrongARM based NetWinder machines
NetBSD/news68k Sony's 68k-based "NET WORK STATION" series
NetBSD/newsmips Sony's MIPS-based "NET WORK STATION" series
NetBSD/next68k NeXT 68k "black" hardware
NetBSD/ofppc OpenFirmware PowerPC machines
NetBSD/pmax Digital MIPS-based DECstations and DECsystems
NetBSD/pmppc Artesyn's PM/PPC board
NetBSD/prep PReP (PowerPC Reference Platform) and CHRP machines
NetBSD/sandpoint Motorola Sandpoint reference platform
NetBSD/sbmips Broadcom SiByte evaluation boards
NetBSD/sgimips Silicon Graphics' MIPS-based workstations
NetBSD/shark Digital DNARD ("shark")
NetBSD/sparc Sun SPARC (32-bit) and UltraSPARC (in 32-bit mode)
NetBSD/sparc64 Sun UltraSPARC (in native 64-bit mode)
NetBSD/sun2 Sun Microsystems Sun 2 machines with Motorola 68010 CPU
NetBSD/sun3 Motorola 68020 and 030 based Sun 3 and 3x machines
NetBSD/vax Digital VAX
NetBSD/x68k Sharp X680x0 series
NetBSD/xen The Xen virtual machine monitor
Ports available in source form only for this release include the following:
NetBSD/amigappc PowerPC-based Amiga boards
NetBSD/bebox Be Inc's BeBox
NetBSD/ews4800mips NEC's MIPS-based EWS4800 workstation
Major Changes Between 3.0 and 4.0
The complete list of changes can be found in the CHANGES and CHANGES-4.0 files in the top level directory of the NetBSD 4.0 release tree. Some highlights include:
Networking
* agr(4): new pseudo-device driver for link level aggregation.
* IPv6 support was extended with an RFC 3542-compliant API and added for gre(4) tunnels and the tun(4) device.
* An NDIS-wrapper was added to use Windows binary drivers on the i386 platform, see ndiscvt(8).
* The IPv4 source-address selection policy can be set from a number of algorithms. See "IPSRCSEL" in options(4) and in_getifa(9).
* Imported wpa_supplicant(8) and wpa_cli(8). Utilities to connect and handle aspects of 802.11 WPA networks.
* Imported hostapd(8). An authenticator for IEEE 802.11 networks.
* carp(4): imported Common Address Redundancy Protocol to allow multiple hosts to share a set of IP addresses for high availability / redundancy, from OpenBSD.
* ALTQ support for the PF packet filter.
* etherip(4): new EtherIP tunneling device. It's able to tunnel Ethernet traffic over IPv4 and IPv6 using the EtherIP protocol specified in RFC 3378.
* ftpd(8) can now run in standalone mode, instead of from inetd(8).
* tftp(1) now has support for multicast TFTP operation in open-loop mode, server is in progress.
* tcp(4): added support for RFC 3465 Appropriate Byte Counting (ABC) and Explicit Congestion Notification as defined in RFC 3168.
File systems
* scan_ffs(8), scan_lfs(8): utilities to find FFSv1/v2 and LFS partitions to recover lost disklabels on disks and image files.
* tmpfs: added a new memory-based file system aimed at replacing mfs. Contrary to mfs, it is not based on a disk file system, so it is more efficient both in overall memory consumption and speed. See mount_tmpfs(8).
* Added UDF support for optical media and block devices, see mount_udf(8). Read-only for now.
* NFS export list handling was changed to be filesystem independent.
* LFS: lots of stability improvements and new cleaner daemon. It is now also possible to use LFS as root filesystem.
* vnd(4): the vnode disk driver can be used on filesystems such as smbfs and tmpfs.
* Support for System V Boot File System was added, see newfs_sysvbfs(8) and mount_sysvbfs(8).
Drivers
* Audio:
+ Support for new models on drivers such as Intel ICH8/6300ESB, NVIDIA nForce 3/4, etc.
+ Added support for AC'97 modems.
+ auich(4): added support to handle the AC'97 modem as audio device, enabled with the kernel option "AUICH_ATTACH_MODEM".
+ azalia(4): added support for S/PDIF.
* Hardware Monitors:
+ amdpm(4): added support for the i2c bus on the AMD-8111 used on many Opteron motherboards and for the Analog Devices ADT7464 hardware monitor chip.
+ adt7467c(4): new driver for Analog Devices ADT7467 and ADM1030 hardware monitor chips.
+ ipmi(4): new driver for motherboards implementing the Intelligent Platform Management Interface 1.5 or 2.0, from OpenBSD.
+ it(4): new driver for iTE 8705F/8712F and SiS 950 hardware monitors.
+ The lm(4) driver was rewritten and support for more chips was added, for example for Winbond W83627HF, W83627THF, W83627DHG and Asus AS99127F.
+ owtemp(4): new driver for the 1-Wire temperature sensors.
+ tmp121temp(4): new driver for the Texas Instruments TMP121 temperature sensor.
+ ug(4): new driver for Abit uGuru hardware monitor found on newer Abit motherboards.
* Miscellaneous:
+ geodewdog(4): new AMD Geode SC1100 Watchdog Timer driver.
+ gscpcib(4): new AMD Geode SC1100 PCI-ISA bridge that provides support for the GPIO interface.
* Networking:
+ ath(4): updated HALs with support for WiSOC (AR531x) and 32bit SPARC.
+ bge(4): added support for the following chips: BCM5753, BCM5753M, BCM5715, BCM5754, BCM5755 and BCM5787. Numerous improvements and bugfixes were made too.
+ kse(4): new driver for Micrel KSZ8842/8841 PCI network cards.
+ msk(4): new driver for Marvell Yukon 2 GigE PCI network cards, from OpenBSD.
+ nfe(4): new driver for NVIDIA nForce Ethernet network cards, from OpenBSD.
+ ral(4): new 802.11 driver for PCI/Cardbus Ralink RT2500, RT2501, RT2600, RT2661 and RT2500 USB chipsets, from OpenBSD.
+ rum(4): new 802.11 driver for USB Ralink RT2501 and RT2601 chipsets, from OpenBSD.
+ sip(4): now works on sparc64.
+ tlp(4): added support for ASIX AX88140A and AX88141.
+ vr(4): added support for the VIA Rhine III.
+ wm(4): added support for i8003, ICH8, ICH9 and others. Support for IPv6 Rx TCP/UDP Checksum Offloading and more.
+ wpi(4): new driver for Intel PRO/Wireless 3945ABG PCI 802.11 network cards, from OpenBSD.
* Security:
+ glxsb(4): new driver for the AMD Geode LX AES Security Block that provides random numbers and AES acceleration, from OpenBSD.
* Power Management:
+ Support for Intel Speedstep SMI on PIIX4 PCI-ISA for i386.
+ Support for AMD PowerNow and Cool'n'Quiet Technology on K7 and K8 CPUs (both in 32 and 64 bit mode), including Athlon Mobile, Athlon64, Opteron or X2. See options(4) for more information.
+ Support for more Enhanced Speedstep CPUs, including VIA C7/Eden and Intel Core Solo/Duo/Duo2. See options(4) for more information.
+ The Enhanced Speedstep and PowerNow drivers were modified to be able to be scaled in all CPUs available, saving power on SMP systems.
* Storage:
+ ahcisata(4): new driver for AHCI 1.0 and 1.1 compliant SATA controllers.
+ ataraid(4): added support to handle Adaptec HostRAID and VIA V-Tech software RAID.
+ ciss(4): new driver for HP/Compaq 5th+ generation Smart ARRAY controllers, from OpenBSD.
+ fdc(4): added support for SBus based sparc64 machines and fixed formatting on sparc.
+ gcscide(4): new driver for the AMD Geode CS5535 Companion Device IDE controller.
+ jmide(4): new driver for JMicron Technology JMB36x PCIe to SATA II/PATA controllers.
+ mfi(4): new driver for LSI Logic and Dell MegaRAID SAS controllers, from OpenBSD.
+ mpt(4): added support for newer SAS and similar devices.
+ njata(4): new driver for Workbit NinjaATA-32 CardBus IDE controller.
+ pdcsata(4): added support for the Promise PDC20775, PDC20771, PDC40518, PDC40718 and some bugfixes.
+ piixide(4): added support for some ICH8/ICH8-M/ICH9 IDE and SATA controllers.
+ svwsata(4): new driver for Serverworks K2 SATA controllers,from OpenBSD.
+ viaide(4) added support for the VIA VT8237A SATA controller and AMD CS5536 Companion Device IDE Controller.
* USB:
+ ucycom(4): new driver for Cypress microcontroller based serial devices.
+ uipaq(4): new driver for the iPAQ devices.
+ uslsa(4): new driver for Silicon Labs CP210x series serial adapters.
+ utoppy(4): new driver for the Topfield TF5000PVR range of digital video recorders.
Platforms
* i386:
+ Added support for the for Multiboot specification. This means much improved support for loading the kernel by GRUB, including passing in parameters to the kernel.
+ Added the unichromefb framebuffer driver that supports the VIA Unichrome Graphics adapter.
+ vesafb(4): added new framebuffer driver that supports VESA BIOS (VBE) 2.0 extensions and up.
+ Added ability to boot from the cd9660 file system to the BIOS bootloader. This adds the ability to load much bigger kernels and the option of selecting different kernels at boot time.
* evbarm: new platform support for Arcom Viper PXA255-based single board, Atmark Techno Armadillo-9 and Armadillo-210, Certance CP-3100, Linksys NSLU2 (a.k.a. "Slug") and I-O DATA HDL-G Giga LANDISK NAS devices.
* evbmips: added support for Alchemy Au1550 processors, DBAu1550 boards, Alchemy Au15XX PCI host, (OMS-AL400/128) and Atheros AR5312 SoC.
* New port ews4800mips: NEC's MIPS based EWS4800 workstations.
* cobalt: added support for booting off raidframe RAID1 mirrors.
* hpcmips: added the teliosio(4) driver for the Sharp Telios LCD screen and Battery unit.
* New port landisk: port to the SH4 processor based NAS appliances, supporting models by I-O DATA (USL-5P, HDL-U, HDL-AV, HDL-W and HDLM-U series, SuperTank LAN Tank, UHDL-160U and UHDL-300U) and Plextor PX-EH16L, PX-EH25L and PX-EH40L.
* macppc: this port has gained support to use accelerated wsdisplay drivers by default (if possible), and uses the appropriate driver rather than the Generic Open Firmware Framebuffer.
* prep: this port has been modernized, and support for five additional machines has been added, among them the IBM 7024-E20 and 7025-F30 models and Motorola Powerstack E1. Additionally, sysinst support was added, and the bootloader process was improved, allowing easy installation and upgrade to future
releases.
* sparc: added support for booting off raidframe RAID1 mirrors.
* Xen: support for Xen3 domU and dom0 (Unprivileged domain and domain 0), including support for hardware virtualization on CPUs that support it.
Kernel subsystems
* Improved Firewire (IEEE1394) support imported from FreeBSD.
* The midi(4) framework got a complete overhaul for better support of Active Sensing and improved handling of tempo and timebase changes.
* Added a Bluetooth protocol stack including:
+ hardware drivers: ubt(4) for USB controllers, and bt3c(4) for the 3Com Bluetooth PC-Card.
+ socket based access to the HCI, L2CAP, RFCOMM and SCO protocols.
+ pseudo drivers for integrating services on remote Bluetooth devices such as Keyboards, Mice and SCO Audio into the NetBSD device framework. See bluetooth(4), bthset(1) and btpin(1).
* Imported the bio(4) framework from OpenBSD, to query/control block hardware RAID device controllers. Currently supporting the mfi(4) driver.
* Kernel uses stateful read-ahead algorithm.
* dkctl(8) can be used to switch buffer queuing strategies on the fly on wd(4) disks, see also bufq(9).
* fileassoc(9) is used by Veriexec, it adds in-kernel and file-system independent file meta-data association interface.
* firmload(9): an API for loading firmware images used by various hardware devices.
* gpio(4): imported General Purpose I/O framework from OpenBSD.
* onewire(4): imported Dallas Semiconductor 1-wire bus framework from OpenBSD.
* The proplib(3) protocol was added for sending property lists to/from the kernel using ioctls.
* spi(4): new SPI (Serial Peripherial Interface) framework.
* timecounter(9) adds a new time-keeping infrastructure along with NTP API 4 nanokernel implementation. Almost all platforms were changed to support this API.
* Start of 32bit-Linux-emulation for amd64 (COMPAT_LINUX32).
* wscons(4) console driver supports splash screens, scrolling, progress bar for kernel and boot messages.
Kernel interfaces have continued to be refined, and more subsystems and device drivers are shared among the different ports. You can look for this trend to continue.
Security
* The FAST_IPSEC IPsec implementation was extended to use hardware acceleration for IPv6, in addition to the hardware accelerated IPv4 that was available before. See fast_ipsec(4) for more information.
* mprotect(2) got restrictions to enforce W^X policies, from PaX. See options(4), sysctl(3), and paxctl(1).
* GCC 4's support for stack smashing protection (SSP) was enabled by adding libssp, see security(8).
* The kernel authorization framework kauth(9) was added, replacing the traditional BSD credential management and privileged operation access control with an abstract layer, allowing the implementation of various security models either as part of the NetBSD distribution or as third-party LKMs. NetBSD's kernel authorization is a hybrid clean-room implementation of a similar interface developed by Apple,extending its capabilities and combining concepts of credential
inheritance control.
Userland
* 3rd party software updates:
+ BIND 9.4.1-P1
+ OpenSSL 0.9.8e
+ CVS 1.11.22
+ OpenSSH 4.4
+ gettext 0.14.4
+ PF from OpenBSD 3.7
+ (n)awk 20050424
+ Postfix 2.4.5
+ am-utils 6.1.3
+ file 4.21
+ zlib 1.2.3
+ GNU binutils 2.16.1
+ GNU groff 1.19.2
+ IPFilter 4.1.23
+ GNU gcc 4.1.2 prerelease
+ GNU gdb 6.5 (some architectures)
+ NTP 4.2.4p2
+ pppd 2.4.4
* cdplay(1): added digital transfer mode support.
* cksum(1) can now verify checksums.
* csplit(1): new utility that splits a file into pieces. From FreeBSD/OpenBSD.
* identd(1): added support for forwarding ident queries and receiving of proxied ident queries.
* getent(1): added support for the ethers database.
* gkermit(1): new program for transferring files using the Kermit protocol.
* mail(1): added support for Mime and multi-character set handling, command line editing and completion.
* utoppya(1): new utility to interface to the utoppy(4) driver.
* init(8): added support for running multi-user in a chroot() environment. Allows / file system on e.g., cgd(4), vnd(4) or ccd(4) volumes.
* gpt(8): new GUID partition table maintenance utility, from FreeBSD.
* iSCSI target (server) code added, see iscsi-target(8); Initiator (client) code is underway.
* lockstat(8): new command to display a summary of kernel locking events recorded over the lifetime of a called program.
* ofctl(8): new command to display the OpenPROM or OpenFirmware device tree for the macppc, shark and sparc64.
* Various utilities to support Bluetooth were added:
+ btconfig(8) for controller configuration.
+ btdevctl(8) to manage pseudo devices relating to remote services.
+ bthcid(8) and btpin(1) for authenticating radio connections.
+ sdpd(8) for providing service discovery to remote devices.
+ sdpquery(1) for querying services on remote devices.
+ rfcomm_sppd(1) to access remote services over RFCOMM via stdio or pty.
+ bthset(1) for making connections to Bluetooth headsets.
About the NetBSD Foundation
The NetBSD Foundation was chartered in 1995, with the task of overseeing core NetBSD project services, promoting the project within industry and the open source community, and holding intellectual property rights on much of the NetBSD code base. Day-to-day operations of the project are handled by volunteers.
As a non-profit organization with no commercial backing, The NetBSD Foundation depends on donations from its users, and we would like to ask you to consider making a donation to the NetBSD Foundation in support of continuing production of our fine operating system. Your generous donation would be particularly elcome assistance with ongoing upgrades and maintenance, as well as with operating expenses for The NetBSD Foundation.
NetBSD mirror sites
Please use a mirror site close to you.
* FTP - http://www.NetBSD.org/mirrors/#ftp
* ISO images - http://www.NetBSD.org/mirrors/#iso
* Anonymous CVS - http://www.NetBSD.org/mirrors/#anoncvs
* BitTorrent - http://www.NetBSD.org/mirrors/#bittorrent
* SUP - http://www.NetBSD.org/mirrors/#sup
* CVSup - http://www.NetBSD.org/mirrors/#cvsup
* rsync - http://www.NetBSD.org/mirrors/#rsync
* AFS - http://www.NetBSD.org/mirrors/#afs
more :
Netbsd-announce/2007/12/19/0000.html
NetBSD-4.0CHANGES-4.0
Labels: netbsd
Damn Small Linux 4.2 released
 | Robert Shingledecker has announced the final release of Damn Small Linux 4.2 |
Change log for v4.2
- New mtpaint replaces xpaint.
- New black/blue theme with "Fractal Movements" background.
- New folder for better support of Visual Styles for JWM .jwmrc-theme and downloadable themes.
- New setTheme.lua, drag-n-drop or double click application style.
- New folder for better support of backgrounds, downloadable "DSL Classics"
- New generic folder.xpm link for easier themeing of folders.
- Updated wallpaper.lua, drag-n-drop or double click application style.
- Improved support for JWM keybindings with .jwmrc-keys
- Improved support for battey names in torsmo, fetched from /proc
- Improved handling of multline menu items as MyDSL folder application shortcut icons.
- Improved cleanup of shortcuts upon normal shutdown.
- Fized bug so that /cdrom/mydsl is not processed twice.
- Fixed "?" icon to open "Getting Started"
- Updated iconViwer for mtpaint change.
- Many icons have been changed, updated, or replaced.
- Updated /opt/.dfmext with more associations.
- Cleanup of xmms when started from dfm icon.
- Cleanup of usused files, modules, and directories (pnp,xfs, hfs,hfsplus,bfs,befs,adfs,ujs,minix,efs)
Files that have changed and likely in your backup (since v4.1).
- .bash_profile
- .dfmdesk/
- .dfminfo
- .fluxbox/menu
- .jwmrc
- .jwmrc-tray
- .xinitrc
- /opt/.dfmext
File that have changed since 4.2RC1
- .dfminfo
- .jwmrc
- /opt/.backgrounds
- /opt/jwmThemes
- /opt/.dfmext
Related Posts:
Damn Small Linux 4.1 Released
Damn Small Linux v4.0 Released
Saturday, December 22, 2007
Kaspersky Lab corrects false positive detection in threat signature database
Kaspersky Lab corrects false positive detection of a particular Windows explorer.exe file.
An incorrect threat signature was added to the company's antivirus databases on December 19, 2007, around 7PM GMT. It falsely detected a relatively uncommon version of explorer.exe as Worm.Win32.huhk.c and quarantined the file. The incorrect signature was removed from the database after two hours.
The version of explorer.exe which was falsely detected was released via Microsoft Windows Update service as an Update for Windows XP on 24.07.2007
Unfortunately, the incorrect signature caused a limited number of Kaspersky Lab product users to experience problems with system functionality.
Kaspersky Lab apologizes for any inconvenience caused to users by the error. The company's free 24-hour technical support service is available to assist any affected users in rectifying the problem.
A solution for the issue has also been added to the Kaspersky Lab Technical Support Site. It can be found at http://www.kaspersky.com/support/viruses/computers?qid=208279581 .
Related Posts:
Kaspersky inadvertently quarantines Windows Explorer
Friday, December 21, 2007
Google AdSense: Facts, FAQs and Tools
Google AdSense is probably one of the most popular revenue generators in the Web. We hear the stories about bloggers-genies, who manage to turn their blogs into cash machines overnight. However, it's not that simple to find the actual tips, which stick to Google policies, might increase your revenues and don't try to trick out the readers of your weblog.
We've spent several hours, trying to find out, what might increase your Google AdSense income and which tools you can use to observe and track your revenues. We've selected the key-points of successful stories and useful tips as well as Google AdSense sites and services you can use on a daily basis. Let's take a look.
Things You Probably Don't Know About Google AdSense
- "AdSense Earning = Impression-count x Click-though-rate x Cost-per-click x smart-pricing-factor. Viewing your on website will not get you banned. Just make sure you don't click on the ads.
- However, repeatedly reload your page to jack up page impressions can get you banned. Click-through-rate (CTR) is ratio of clicks per impressions. It can range from 0.1% to 30%, but most commonly around 1% to 10%."
[100 Google Adsense Tips] - "First impressions count: make sure the ad unit with the highest CTR is the first ad unit in the HTML code of your page. Keep in mind that the first ad unit in the source code is not always the first ad unit that your users will see when the page finishes loading in their browser."
[Inside AdSense: First impressions count] - "Ads placed near rich content and navigational aids usually do well because users are focused on those areas of a page. on pages where users are typically focused on reading an article, ads placed directly below the end of the editorial content tend to perform very well."
[Where should I place Google ads on my pages?] - "Format is important for multiple ad units, display your ad units where repeat users will notice them, place a leaderboard immediately after the last post."
[Six AdSense optimization tips for forums] - "The middle, above the fold location performs the best. Best performing ad format is the large rectangle, 336×280. So the wider ad formats are doing better than the other ones and the reason is that they actually take up fewer lines. And so with every additional line, you have a chance of losing that interested user.
- So the wider formats do best so specifically, the top three formats are the 336×280 that you see on the page; the 300×250 medium rectangle; and then the 160×600 wide skyscraper.
- We have a feature in the AdSense account where you are able to multi-select different color palettes that blend with your site to add some variety and freshness to the ads. And that also will help decrease ad blindness."
[Google AdSense Optimization Webinar] - "The second most active placement in terms of click-throughs tends to be the right-hand rail or margin". "Skyscrapers" and vertical banners do well when placed next to the content in the main body. Square and rectangle ads placed within the center column also do well, provided they are placed in context to the content. Ads placed below the fold tend to perform least well, although that isn't a hard-and-fast rule."
[Yahoo! Publisher Network: Location, location, location…] - "I found the most success in placing the Google Adsense medium rectangle either right in the middle of the page or in a middle right column as long as it has content above and below the ad unit. Its is fine to use Adsense Ads on a forum however expect a very low CTR."
[Google Adsense Tips for Webmasters] - "Post Adsense ads on text rich pages, avoid titles like the approved 'Sponsored Links' and 'Advertisements', place Ads above the fold, Match the colors of your ads with the colour scheme of your site, Blend ads with your page - remove the borders by having a similar color as your background."
[How to Increase Google Adsense CTR] - "To remove Public Service Ads (PSA) in Google Adsense develop sufficient good content with keywords, Ensure that META tags like 'title' & 'description' and the headings tags like h1, h2 etc. have content which matches the rest of your site."
[How to Remove Public Service Ads (PSA) in Google Adsense] - "You can now run AdSense on the same page as other contextual ad programs ." (January 2007)
[It's official! You can now run AdSense on the same page as other contextual ad programs] - "Google AdSense Policy: We ask that publishers not line up images and ads in a way that suggests a relationship between the images and the ads."
[Inside AdSense: Ad and image placement: a policy clarification] - "Section targeting uses certain html tweaks to force the google adsense bot to focus on specific content. Section targeting is the latest and most effective addition to AdSense".
[Display Relevant Adsense Ads Using Section Targeting] - "Over the weekend, I decided to change the number of ads units on my blog based upon where the traffic is coming from. I have a small PHP function that checks to see if the referrer is a search engine, and if it is, I display and additional 2 ad units. My Adsense revenue increasing by 284% on Saturday, Sunday and Monday!"
[Positive Adsense Experiment] - "Never click your own adsense ads or get them clicked for whatever reason. Never change the Adsense code. Do not run competitive contextual text ad (2006) or search services on the same site. Do not mask ad elements. Avoid excessive advertising and keyword stuffing."
[ 15 Common Mistakes that Violate Google Adsense TOS ] - "Putting ads on your site won't hurt your traffic. There are 6 sorts of bloggers' income: Google Adsense, Donations (e.g. PayPal), Text Link Ads (sold for a fixed amount per month), Chitika eMiniMalls ads (pay per click), affiliate programs like Amazon, Advertising sold to individual advertisers (three-month campaigns or longer)
[How to Make Money From Your Blog - a VERY extensive article] - "A number of factors come into play when AdSense tries to determine what the page is about: The URL of the page, the page title, the anchor text of links, the keywords that appear most frequently within the page, search engine queries that lead to the page or to another page that links to the page".
[How to Get Relevant AdSense Ads (Especially For Bloggers)] - "Ask yourself if you are willing to compromise your blog's layout and over-all feel by adding ads in them. Look at your traffic and see if it's enough to draw the crowd. Make good use of the Ad Channels. Give it time."
[Tips on Blog Adsensification] - "You can put upto 3 AdSense units on a page. For short articles, CTR is best when ads are placed just above the content. For long articles, CTR improves if ads are placed somewhere in middle of the content. Go Wide - the large rectangle 336×280 is the best paying adsense format."
[Adsense Tips, Layout Optimization Tricks for HigherCTR] - "Google AdSense folks have unveiled another useful feature for Adsense publishers - Section Targeting. The concept is simple but the advantages and possibilities are endless."
[Display relevant Ads in Blogs: Just suggest Google]
Google AdSense: Google's Information and Tools
- Google AdSense FAQ
the Adsense support for official guidelines. - Google AdSense Help Page provides a very detailed FAQ about Google AdSense. Learn optimization essentials, how to design successful ads, savvy ad placement and how to use features wisely.
- Google Adsense Program Policies.
- Google AdSense Ad Formats
an overview. - Google AdSense Success Stories provided by Google itself. Many interesting insights in concrete decisions, which helped to increase Google AdSense revenues.
- Google AdWords: Keyword-Tool
The Keyword Tool generates potential keywords for your ad campaign and reports their Google statistics, including search performance and seasonal trends. Start your search by entering your own keyword phrases or a specific URL. You can then add new keywords to the green box at the right.
Google AdSense Tools, Services
- Getting The Most Out Of Adsense: Top 10 Adsense Tools
Contextual Ads Preview/Comparison Tool (for Google Adsense, Yahoo YPN, Chitika eMiniMalls), AdSense Calculator, AdSense SandBox, AdWords Bidding Tool/Traffic Estimator. - List of AdSense Trackers
15 AdSense trackers. - AdWords and AdSense tools directory
1200 tools and services for Google AdWords and Google AdSense. - Google Adsense Tips and Tools Collection
a compilation of common Google tips and tools to make more money from Google Adsense. Among them dozens of AdSense Tools. - AdLogger » Open-Source Click Fraud Prevention and Click Monitoring
intends to prevent click-fraud on your websites by tracking visitors clicks and limiting the number of clicks one may make. AdLogger tracks AdSense clicks in real time and compiles the data for you to review. - AdsBlackList.com - Filter them and increase your revenue !
increase your adsense revenue up to 50%, increase the reputation of your website by NOT linking to Made for Adsense sites, save the quality of contextual advertising in global. - Adsense Notifier
displays your Adsense earnings on the Firefox statusbar. - AdSense Tracking Software | The Cutting-Edge Ad Tracking Solution
reveals the precise AdSense Ads that are being clicked most frequently on your site, the exact pages that your AdSense Ads are being clicked on, the actual Ad Formats that are bringing you the most clicks and more. - Free Charts Generated from your Google Adsense Reports
Charts include: total earnings, clickthru-rate, earnings per click, number of clicks, earnings per impression, number of page impressions, earnings by day of week and earnings by day of month. Most of charts include 7-day moving averages which allow you to spot trends within your results. - Using The Competitive Ad Filter To Increase AdSense Earnings
The purpose of the Competitive Ad Filter is to enable you to block specific ads, such as competitor's ads, from appearing on your pages.
Google AdSense Tips, Resources
- Adsense Tips for Bloggers
an extensive series of articles on how to make money from the Google Adsense Program. By Problogger Darren Rowse. - 16 Adsense Optimized Wordpress Themes to Maximize your Contextual Ad Earnings
Ads Minded, Typo XP Reloaded, Seo AdSense and Problogger Clean. - 10 Best Wordpress Plugins for Google Adsense
among them AdSense Deluxe, AdRotator Wordpress Plugin. - Monetizing WordPress Plugins
an overview of 8 AdSense-Plugins you can use with Wordpress blog engine. AdSense Widget Wordpress Sidebar, AdSense Paster, AdSense Injection and more. - What are alternatives to Google AdSense?
46 alternatives, among them Yahoo Publisher Network. Over 70 more services can be found on Other Advertising Networks Besides Google AdSense - AdSense Forum
is one of the most popular AdSense-related forums in the Web with thousands of questions and answers. - How To Market Your Blog in 2007
41 ways to kickstart your marketing efforts. - AdSense Niches
If you want to make money with Adsense, NicheGeek's free AdSense niches will show you exactly what niche you need to be in if you want to make 20, 30, 50, 70 cents per click or even more.
source: smashingmagazine.com
Labels: adsense
Kaspersky inadvertently quarantines Windows Explorer
Windows Explorer, one of the most crucial components of Microsoft's operating system, was quarantined earlier this week after being falsely identified as malicious code by an antivirus company.
Users of Kaspersky Lab's antivirus products noticed the issue, which Kaspersky claimed lasted two hours, on Wednesday night.
The security company's systems had decided that a virus called Huhk-C was present in the explorer.exe file, leading to its confinement or, in some cases, deletion. As Windows Explorer is the graphical user interface (GUI) for Windows' file system, this made it difficult to perform many common tasks within the operating system, such as finding files.
David Emm, a senior technology consultant at Kaspersky Lab, told ZDNet UK on Friday that the company was still examining its checklist to find out why the false positive "slipped through the net."
"This is classic false-alarm territory," Emm said. "We will check through our systems and see if we can tighten them up so we don't run into this problem in the future. No antivirus company, including ourselves, can say they have never had a false alarm, (but) on all fronts, we do what we can to minimize any potential risk for our customers."
Emm pointed out that Kaspersky adds about 3,000 records per week to its database, demonstrating the "scale of the issue, in terms of testing procedures."
The "offending signature" went out at around 7 p.m. on Wednesday, according to Emm, who claimed that it was pulled two hours later in a "makeshift" attempt to limit the damage while Kaspersky examined the signature.
"We proactively went out to our enterprise customers to make them aware there was this potential issue," Emm said. "Only one corporate customer (in the U.K.) encountered this problem, as well as a handful of home users." He added that users who have not changed their default settings would have found explorer.exe to be only quarantined, rather than deleted.
In March of this year, Kaspersky criticized Microsoft's consumer antivirus product, OneCare, for incorrectly quarantining and, in some cases, deleting Microsoft Outlook files.
source:
David Meyer of ZDNet UK reported from London.
Wednesday, December 19, 2007
What is forex ?
 | The market The currency trading (FOREX) market is the biggest and the fastest growing market on earth. Its daily turnover is more than 2.5 trillion dollars, which is 100 times greater than the NASDAQ daily turnover. (click here to read full market background by Easy-Forexâ„¢). Markets are places to trade goods. The same goes with FOREX. The Forex goods (or merchandise) are the currencies of various countries. You buy Euro, paying with US dollars, or you sell Japanese Yens for Canadian dollars. That's all. |
How does one profit in Forex?
Very simple and obvious: buy cheap and sell for more! The profit is generated from the fluctuations (changes) in the currency exchange market.
The nice thing about the FOREX market, is that regular daily fluctuations, say - around 1%, are multiplied by 100! (in general, Easy-Forexâ„¢ offers trading ratios from 1:50 to 1:200). If, for example, the exchange rate of "your" pair of currencies increased by 0.6% in the last 4 hours, your profit will be 60% on your investment! Such can happen in one business day, or in a few hours, even minutes.
Moreover, you cannot lose more than your "margin"! You may profit unlimited amounts, but you never lose more than what you initially risked and invested.
You can implement your choice (the pair of currencies, the volume amount) under any direction to which the market is moving, and yet make profit. It does not matter whether the exchange rate is going up or down: you can always decide to buy Euro and sell dollar, or vice versa - buy dollar and sell Euro. You don't have to physically possess certain currencies in order to perform "buy" or "sell" with them.
How do I start?
Register (Easy-Forexâ„¢ offers the simplest and quickest registration process, no obligation); deposit your first trading "margin" amount (credit cards are welcome, only by Easy-Forexâ„¢); start trading.
It can't be simpler or easier than that. Need help? We'll provide you with 1-on-1 training and service, as much as necessary (Easy-Forexâ„¢ offers real people service, live, in your own language).
How do I trade Forex?
You select the pair of currencies with which you wish to make a Forex deal. You determine the volume (the amount of the deal). You deposit the "margin" (collateral needed to facilitate the deal. Usually - only a very small portion of the whole deal, say: 1% or 1:100).
Before you finally activate the deal, you can still "freeze" it for a few seconds. That enables you to either change the terms, or accept it as is, or altogether regret the whole idea. The "freeze" feature is a unique service by Easy-Forexâ„¢.
When your Forex deal is running (you hold an "open position"), you can monitor its status and check scenarios online, whenever you wish. You may change some terms in the deal, or close it (and cash the profit, if any, or minimize the loss, if any). Moreover, Easy-Forexâ„¢ lets you determine a "take-profit" rate, with which the deal will close automatically for you, when and if such rate occurs in the market. Meaning: you do not have to stay near your computer when you hold open positions.
Want to know more? Want to get on-line training? Register here (simple, quick, no obligation), we'll be glad to guide you, every step of the way.
Good luck!
Labels: forex, money maker
Earn up to $10,000 USD
Forex-Affiliate is a world leading and highly paying Forex affiliate program. The Forex (currency exchange trading) industry is the biggest market on earth today, with a daily turnover of 3 trillion dollars! Anyone today can trade Forex online. The participants in this market include central banks, organizations, commercial banks, institutional traders, and private individuals throughout the globe. This is a highly exciting market, though risky! Affiliating in the Forex market offers you a great earning potential, with online access to your traffic performance and your commission. The affiliates are provided with online support, marketing creatives and professional tools – free of charge.
The Forex-Affiliate earning programs
Forex-Affiliate offers a win-win earning program – combination of CPA and evenue-Sharing,tailor made to suit you best! As our business partner, your commission is based on the revenue generated by your referrals, plus a flat fee for introducing referrals. In addition, you may well enhance your earning by running the 2nd-tier program (introducing Forex-Affiliates under you). Also the 2nd-tier program offers combined CPA and Comm-Share (flat fee, plus precentage of commission earned by your referred affiliates).
- Earn up to $10,000 USD Per Referred Trader
- Hybrid Solution : Earn both CPA + Revenue Share
Labels: money maker
Monday, December 17, 2007
Divx Pro Free Download is Available for a Limited Time
For a limited time, Divx is offering a complimentary download of their Divx Pro software, which consists of both a converter and the Codec.
All you need is a valid email address and you’ll be set to go.Remember, this is the Pro version which includes DivX Converter and DivX Pro Codec. Here’s a quick overview of the benefits that each provide:
Here’s the link that you’ll need to download DivX for Windows. This link also explains how the free holiday download will work. Essentially you’ll download the file, and then enter in your email address during the installation. Then you’ll receive an email with your serial number for DivX Pro. There’s also a Mac version, and the link for that download is here.
source:cybernetnews.com
All you need is a valid email address and you’ll be set to go.Remember, this is the Pro version which includes DivX Converter and DivX Pro Codec. Here’s a quick overview of the benefits that each provide:
- DivX Converter
- Drag-and-drop nearly any video format to create a high-quality, highly compressed DivX video
- Merge and convert multiple videos into a single DivX file with an automatically generated menu
- DivX Pro Codec
- Higher performance, including multi-threaded support for better performance on all HyperThreaded, dual core and dual CPU (SMP) systems
- More encoding options, including six carefully optimized encoding modes that balance visual quality and performance for virtually any application
Here’s the link that you’ll need to download DivX for Windows. This link also explains how the free holiday download will work. Essentially you’ll download the file, and then enter in your email address during the installation. Then you’ll receive an email with your serial number for DivX Pro. There’s also a Mac version, and the link for that download is here.
source:cybernetnews.com
Labels: software
phpBB3 Gold Released
the phpBB Team has announced the availability of the phpBB 3.0.0 package:
"Please note that we urge you to update. The versions we support here are phpBB 2.0.22 and phpBB 3.0.0.
3.0.0 has seen some some critical bugs fixed, including:
A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it.
Minimum Requirements
phpBB3 has a few requirements which must be met before you are able to install and use it.
The presence of each of these optional modules will be checked during the installation process.
Security
Security issues found should be reported to our security tracker in the usual way.
Available packages
If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.
With this release, there are four packages available.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!.
Download/Documentation
Have fun with the release,"
"Please note that we urge you to update. The versions we support here are phpBB 2.0.22 and phpBB 3.0.0.
3.0.0 has seen some some critical bugs fixed, including:
- [Fix] Cleaned usernames contain only single spaces, so "a_name" and "a__name" are treated as the same name (Bug #15634)
- [Fix] Check "able to disable word censor" option while applying word censor on text (Bug #15974)
- [Fix] Rollback changes on failed transaction if returning on sql error, if set
- [Fix] Call garbage_collection() within database updater to correctly close connections (affects Oracle for example)
A short explanation of how to do a conversion, installation or update is included within the provided INSTALL.html file, please be sure to read it.
Minimum Requirements
phpBB3 has a few requirements which must be met before you are able to install and use it.
- A webserver or web hosting account running on any major Operating System with support for PHP
- A SQL database system, one of:
- MySQL 3.23 or above (MySQLi supported)
- PostgreSQL 7.3+
- SQLite 2.8.2+
- Firebird 2.0+
- MS SQL Server 2000 or above (directly or via ODBC)
- Oracle
- PHP 4.3.3+ (>=4.3.3, >4.4.x, >5.x.x, >6.0-dev (compatible)) with support for the database you intend to use.
- getimagesize() function need to be enabled
- These optional presence of the following modules within PHP will provide access to additional features, but they are not required.
- zlib Compression support
- Remote FTP support
- XML support
- Imagemagick support
- GD Support
The presence of each of these optional modules will be checked during the installation process.
Security
Security issues found should be reported to our security tracker in the usual way.
Available packages
If you experience problems with the automatic update (white screens, timeouts, etc.) we recommend using the "changed files only" or "patch" method for updating.
With this release, there are four packages available.
- Full Package
Contains entire phpBB3 source and english language files. - Changed Files Only
Contains only those files changed from previous versions of phpBB3. Please note this archive contains changed files for each previous release. - Patch Files
Contains patch compatible patches from previous versions of phpBB3. - Automatic Update Package
Update package for the automatic updater, containing the changes from previous release to this release.
Please ensure you read the INSTALL and README documents in docs/ before proceeding with installation, updates or conversions!.
Download/Documentation
- phpBB Downloads
- phpBB3 Documentation
- phpBB3 support forum
- phpBB3 bug tracker
- phpBB3 Coding Guidelines
- phpBB3 Sourcecode Documentation
- Press Release
Have fun with the release,"
Labels: phpbb
Make Wget cater to your needs
Most Linux users are familiar with using GNU Wget to download single files by passing the URL as an argument to the wget command, but you can also use Wget with desktop applications. It requires a little preparation, but it's easy to integrate Wget with your favorite browser and other desktop applications. You can also use Wget in scripts to categorize batch downloads and make them fault-tolerant. Here's how to get Wget to sit up and beg for you. If you have a list of files you want to download, you can use Wget's -i option, which tells Wget to read a list of URLs from a file.
Invoke wget -i filelist and wait until it finishes the job, and your files are downloaded!
Most download managers, when you pause downloading, you close the connection to the server and open it again when you choose to resume. When you download a file using Wget, you can pause by pressing Ctrl-Z, and the connection will not be lost if you resume quickly enough (the connection usually times out after 60 seconds). That means you don't lose time when reconnecting.
If you stop Wget before it has finished downloading the list of files, you may want to continue from the last file it was downloading. In that case, using wget -i filelist won't do the job anymore. What you need is a script that will delete a URL from the list after Wget finishes downloading the appropriate file. This short script will do the job:
With this technique, you store the list of URLs in a file called .wget-list, one URL per line. On each line you can not only write URLs but also additional options for Wget. For example, if you want to set the name of the output file, you can add a line like <URL> -O <filename> to .wget-list, where -O is a Wget command-line option and <filename> is the the name you want it to use. You can add the -c option to be sure that the download will be continued from the same place Wget (or another application) stopped at. Consult the wget manpage for other options.
When Wget is finished downloading the first file in the list, the first line of .wget-list is deleted, so on the next loop Wget starts downloading the next file in list. If you press Ctrl-C, the next time you run wget-list it will continue downloading the same file.
If you want to categorize the files you download, you could create several directories to place files in, such as src, movie-trailers, and docs. Create a file .wget-list in each directory, and use a master script like wget-all below to process the .wget-list files in each subdirectory:
This script looks for files named .wget-list and executes the command wget-list in every directory where it found the file.
If you want to set priorities between the categories, to specify which will be processed first, you need to be able to specify the order to work on the directories, as in wget-dirs:
This script should be executed with parameters: if you want to download files in the src directory, and then files in the docs directory, you should invoke wget-dirs src docs (don't forget to change the current directory to the one containing those directories, or else specify the full paths). In this script pushd changes the current directory and remembers the previous one in its stack, and popd changes the current directory to the last remembered one.
Desktop integration
Now you need an easy way of adding URLs to list. You can use this add-url script to add a URL to the .wget-list category:
Add-url is a handy script if you're at the command line, but KDE users can take more advantage of it by using Klipper's ability to run commands on any string copied to the clipboard. Open the configuration dialog by right-clicking on the Klipper icon in the system tray or the Klipper applet, and choose Configure Klipper, and go to the Actions tab. You will notice that you can set different groups of actions for strings matching different regular expressions.
There should already be a group for HTTP links ("^https?://."). Right-click on this group and choose Add Command, then type "add-url %s" for the command and "Add URL to download queue" for the description. Then go to Global Shortcuts tab and select a shortcut to invoke the action. From then on, every time you use this shortcut, you will see a menu of actions available for the string currently in clipboard, which will now include the item for running the script you prepared to add URLs to the Wget queue.
Klipper helps you to automate adding URLs from any application, but most of the time you will grab URLs from the browser, so why not add an item to its context menu?
The FlashGot for Firefox extension helps you to integrate any download manager into Firefox. After downloading and installing FlashGot, select FlashGot -> Settings from Firefox's Tools menu. Enter the path of the add-url script, and leave the URL template as "[URL]". Now you can use FlashGot's context menu items, including "Download the link via FlashGot" and "Download everything via FlashGot," to download files with Wget.
Opera users can also use Wget as a download manager. In the main Opera menu select Tools -> Preferences. Go to the Advanced tab, select Toolbars in the list at the left side. Click on Opera Standard in Menu Setup and click on Duplicate. Don't close the dialog, just minimize the Opera main window. Now open the file ~/.opera/menu/standard_menu (1).ini and add this line to the Link Popup Menu and Image Link Popup Menu sections:
Item, "Add to download queue"="Execute program, "/home/user/bin/add-url","%l""
This assumes that /home/user/bin/add-url is the full path to add-url -- don't use ~ there.
Now restore the Opera window, select the Copy of Opera Standard menu setup, and click OK. You should notice the new items in the context menu when you right-click.
Those are several ways that an "old-style" command-line tool like Wget can be easily integrated into a GUI environment. If you are a fan of GUI tools, you can also use Wget front ends such as Gwget for GNOME and KGet for KDE.
Segmented downloading
Some download managers support segmented downloading, which means downloading several pieces of file simultaneously. Segmented downloading is supposed to help utilize bandwidth more efficiently, but this is not always true: if your connection speed is not high, you will create more traffic, but downloading files will not be faster. For that reason, some webmasters ban the use of segmented downloading (though this is rare).
Single-threaded downloading has its benefits, especially when Wget is concerned. Other download managers have internal databases to help them keep track of which parts of files are already downloaded. Wget gets this information simply by scanning a file's size. This means that Wget is able to continue downloading a file which another application started to download; most other download managers lack this feature. Usually I start by downloading a file with my browser, and if it is too large, I stop downloading and finish it later with Wget.
Still want to try the segmented downloading? The Aria2 console download utility supports it.
Article written By Aleksey 'LXj' Alekseyev .
Invoke wget -i filelist and wait until it finishes the job, and your files are downloaded!
Most download managers, when you pause downloading, you close the connection to the server and open it again when you choose to resume. When you download a file using Wget, you can pause by pressing Ctrl-Z, and the connection will not be lost if you resume quickly enough (the connection usually times out after 60 seconds). That means you don't lose time when reconnecting.
If you stop Wget before it has finished downloading the list of files, you may want to continue from the last file it was downloading. In that case, using wget -i filelist won't do the job anymore. What you need is a script that will delete a URL from the list after Wget finishes downloading the appropriate file. This short script will do the job:
#!/bin/sh
# wget-list: manage the list of downloaded files
# invoke wget-list without arguments
while [ `find .wget-list -size +0` ]
do
url=`head -n1 .wget-list`
wget -c $url sed -si 1d .wget-list
done
With this technique, you store the list of URLs in a file called .wget-list, one URL per line. On each line you can not only write URLs but also additional options for Wget. For example, if you want to set the name of the output file, you can add a line like <URL> -O <filename> to .wget-list, where -O is a Wget command-line option and <filename> is the the name you want it to use. You can add the -c option to be sure that the download will be continued from the same place Wget (or another application) stopped at. Consult the wget manpage for other options.
When Wget is finished downloading the first file in the list, the first line of .wget-list is deleted, so on the next loop Wget starts downloading the next file in list. If you press Ctrl-C, the next time you run wget-list it will continue downloading the same file.
If you want to categorize the files you download, you could create several directories to place files in, such as src, movie-trailers, and docs. Create a file .wget-list in each directory, and use a master script like wget-all below to process the .wget-list files in each subdirectory:
#/bin/sh # wget-all: process .wget-list in every subdirectory
# invoke wget-all without arguments
find -name .wget-list -execdir wget-list ';'
This script looks for files named .wget-list and executes the command wget-list in every directory where it found the file.
If you want to set priorities between the categories, to specify which will be processed first, you need to be able to specify the order to work on the directories, as in wget-dirs:
#!/bin/sh
# wget-dirs: run wget-all in specified directories
# invoking: wget-dirs <path-to-directory> ...
for dir in $*
do
pushd $dir
wget-all
popd
done
wget-all
This script should be executed with parameters: if you want to download files in the src directory, and then files in the docs directory, you should invoke wget-dirs src docs (don't forget to change the current directory to the one containing those directories, or else specify the full paths). In this script pushd changes the current directory and remembers the previous one in its stack, and popd changes the current directory to the last remembered one.
Desktop integration
Now you need an easy way of adding URLs to list. You can use this add-url script to add a URL to the .wget-list category:
#!/bin/sh
# add-url: add URL to list
# invoking: add-url URL
echo $* >>~/download/.wget-list
# assuming that ~/download is the directory for downloaded files
Add-url is a handy script if you're at the command line, but KDE users can take more advantage of it by using Klipper's ability to run commands on any string copied to the clipboard. Open the configuration dialog by right-clicking on the Klipper icon in the system tray or the Klipper applet, and choose Configure Klipper, and go to the Actions tab. You will notice that you can set different groups of actions for strings matching different regular expressions.
There should already be a group for HTTP links ("^https?://."). Right-click on this group and choose Add Command, then type "add-url %s" for the command and "Add URL to download queue" for the description. Then go to Global Shortcuts tab and select a shortcut to invoke the action. From then on, every time you use this shortcut, you will see a menu of actions available for the string currently in clipboard, which will now include the item for running the script you prepared to add URLs to the Wget queue.
Klipper helps you to automate adding URLs from any application, but most of the time you will grab URLs from the browser, so why not add an item to its context menu?
The FlashGot for Firefox extension helps you to integrate any download manager into Firefox. After downloading and installing FlashGot, select FlashGot -> Settings from Firefox's Tools menu. Enter the path of the add-url script, and leave the URL template as "[URL]". Now you can use FlashGot's context menu items, including "Download the link via FlashGot" and "Download everything via FlashGot," to download files with Wget.
Opera users can also use Wget as a download manager. In the main Opera menu select Tools -> Preferences. Go to the Advanced tab, select Toolbars in the list at the left side. Click on Opera Standard in Menu Setup and click on Duplicate. Don't close the dialog, just minimize the Opera main window. Now open the file ~/.opera/menu/standard_menu (1).ini and add this line to the Link Popup Menu and Image Link Popup Menu sections:
Item, "Add to download queue"="Execute program, "/home/user/bin/add-url","%l""
This assumes that /home/user/bin/add-url is the full path to add-url -- don't use ~ there.
Now restore the Opera window, select the Copy of Opera Standard menu setup, and click OK. You should notice the new items in the context menu when you right-click.
Those are several ways that an "old-style" command-line tool like Wget can be easily integrated into a GUI environment. If you are a fan of GUI tools, you can also use Wget front ends such as Gwget for GNOME and KGet for KDE.
Segmented downloading
Some download managers support segmented downloading, which means downloading several pieces of file simultaneously. Segmented downloading is supposed to help utilize bandwidth more efficiently, but this is not always true: if your connection speed is not high, you will create more traffic, but downloading files will not be faster. For that reason, some webmasters ban the use of segmented downloading (though this is rare).
Single-threaded downloading has its benefits, especially when Wget is concerned. Other download managers have internal databases to help them keep track of which parts of files are already downloaded. Wget gets this information simply by scanning a file's size. This means that Wget is able to continue downloading a file which another application started to download; most other download managers lack this feature. Usually I start by downloading a file with my browser, and if it is too large, I stop downloading and finish it later with Wget.
Still want to try the segmented downloading? The Aria2 console download utility supports it.
Article written By Aleksey 'LXj' Alekseyev .
Labels: linux
CHM viewers for Linux
Even if you work only in Linux, you'll likely have to use Microsoft Compiled HTML Help (CHM) files at one time or another. Several open source projects use this common format, including Apache, MySQL, PostgreSQL, Python, and PHP.
Microsoft developed CHM as a proprietary format for Windows 98, leaving behind the previous WinHelp (HLP) format. CHM is still alive and kicking in XP and Vista, though some applications use the newer Microsoft Help 2 format.
CHM files comprise a set of Web pages, plus a hyperlinked table of contents and an index, compressed with LZX. CHM offers small size (because of compression), full text searches, and the ability to join several CHM files into a single file with a common table of contents and index.
Even though CHM is a Microsoft format, several projects have written CHM file viewers for Linux.
KchmViewer
KchmViewer is the standard KDE viewer for CHM files. The current production version 3.1 was released in June, though version 4.0 is now available in beta; I tested the former. It's released under the GNU General Public License (GPL), and it uses some code from another viewer, xCHM.
KchmViewer is available in most distribution repositories. You can also download it and install it (make sure you have the qt3-devel package) through the usual configure and make commands; check the specific instructions on the download page.
Under KDE, KchmViewer is associated with CHM files by default, so it runs automatically when you click on such a file. It can use either a Trolltech Qt widget or KDE's own KHTML widget to show the text (change widget from the Settings menu). I found one CHM file that wouldn't display correctly, and changing widgets solved the problem.
KchmViewer supports tabbed browsing, and it provides Contents, Index, and Search views. It correctly deals with foreign languages and multibyte character sets. You can generate bookmarks to mark your place in a document, and you can edit and delete bookmarks at will. You can view the original HTML code, and even specify which editor to use for this function via the Settings menu option.
Help Explorer Viewer
Help Explorer Viewer, developed by Kama Software, is free but not open source. It comes in both Windows and Linux versions, which is an advantage if you work with dual booting systems or in an environment with both operating systems. You can use Help Explorer Viewer to view not only CHM files, but HLP (older) and HXS (newer) help file formats as well. According to the Web site, you can integrate Help Explorer Viewer into your application through its API.
Installation is simple. Go to its Downloads page and get the Linux version, which currently stands at 3.0. Go to the directory where you downloaded the file, and enter these commands as root:/p>
tar zxf HelpExplorer3.0_LINUX.tar.gz cd Setup/ ./setup.sh
After you view the end-user license agreement (EULA), Help Explorer Viewer is installed in /usr/local/HelpExplorer. If you want to uninstall it, you can run the uninstall.sh script in that directory. The installation asked if I wanted to install KDE/GNOME menu items, but even though I answered yes, the program didn't appear in the main menu, in the Konqueror menus, or even in the context menu when I right-clicked on a CHM file; I don't know where it's supposed to appear, but I couldn't find it.
Help Explorer Viewer includes all the usual search mechanisms: table of contents (organized hierarchically, as a tree), index (a list of keywords), and common searching. The help files showed up correctly in all tests I ran, but I wish I could have changed the font the program used, because it displayed pixelated. You can change views between Contents, Index, Search, and Favorites (called Bookmarks in other viewers).
ChmSee
ChmSee is an open source Gtk2+ package for GNOME whose Web site is written mostly in Chinese; if it weren't for some parts in English, you'd be sorely tested to install or use ChmSee. It's free under the GPL, and version 1.0 was released in August.
Installing ChmSee could be a bother, but it appears in openSUSE standard repositories, which greatly simplifies things. If you want to build it from source, you'll need Gtk2+, libglade-2.0, gecko, chmlib, and OpenSSL. After getting the source package, you need to enter these commands:
tar xzf chmsee-1.0.0.tar.gz cd chmsee-1.0.0 ./configure make sudo make install
You might have to add a parameter to the configure command (--with-chmlib=/path/to/chmlib) if it cannot find chmlib. After installation, ChmSee was added to my openSUSE menus, but not my Konqueror or context menus.
You can configure the fonts used for display (something lacking in both KchmViewer and Help Explorer Viewer) by going to Edit -> Setup. Be careful with the Clear function, which deletes all ChmSee work files and causes the viewer to crash. If you opt for this, you'll have to reopen the CHM file. ChmSee doesn't offer Index or Search views; in fact, it has no search function at all. Also, in my testing, some CHM files displayed weird messages (and the text didn't get displayed), and some images didn't show at all.
ChmSee looks promising, but it still has a way to go before being at the same level as KchmViewer and Help Explorer Viewer.
Other candidates
Firefox users can download the CHM Reader add-on, currently at version 0.2.1.1. Installation is simple. The utility adds a new Open CHM Files entry to the Firefox File menu. When you open a CHM file, the table of contents is hidden by default, but you can bring it up by pressing Ctrl-E. Viewing files works fine, but CHM Reader doesn't offer a global search function, and the Firefox search function works only within the current page.
I tried to look at GnoCHM, xCHM, and KCHM (seemingly abandoned; its latest version is from 2003), but I got into dependency hell problems. I couldn't find distribution-ready packages, and installation from source was troublesome.
Conclusion
KchmViewer offers the easiest installation and greatest integration with the desktop environment. Help Explorer Viewer is useful for developers and users who work with both Linux and Windows. ChmSee has some bugs to be worked out, so I wouldn't recommend it for normal usage. CHM Reader is a good add-on, but its lack of searching power is a hindrance.
Article written By Federico Kereki, he is an Uruguayan systems engineer with more than 20 years' experience developing systems, doing consulting work, and teaching at universities.
Microsoft developed CHM as a proprietary format for Windows 98, leaving behind the previous WinHelp (HLP) format. CHM is still alive and kicking in XP and Vista, though some applications use the newer Microsoft Help 2 format.
CHM files comprise a set of Web pages, plus a hyperlinked table of contents and an index, compressed with LZX. CHM offers small size (because of compression), full text searches, and the ability to join several CHM files into a single file with a common table of contents and index.
Even though CHM is a Microsoft format, several projects have written CHM file viewers for Linux.
KchmViewer
KchmViewer is the standard KDE viewer for CHM files. The current production version 3.1 was released in June, though version 4.0 is now available in beta; I tested the former. It's released under the GNU General Public License (GPL), and it uses some code from another viewer, xCHM.
KchmViewer is available in most distribution repositories. You can also download it and install it (make sure you have the qt3-devel package) through the usual configure and make commands; check the specific instructions on the download page.
Under KDE, KchmViewer is associated with CHM files by default, so it runs automatically when you click on such a file. It can use either a Trolltech Qt widget or KDE's own KHTML widget to show the text (change widget from the Settings menu). I found one CHM file that wouldn't display correctly, and changing widgets solved the problem.
KchmViewer supports tabbed browsing, and it provides Contents, Index, and Search views. It correctly deals with foreign languages and multibyte character sets. You can generate bookmarks to mark your place in a document, and you can edit and delete bookmarks at will. You can view the original HTML code, and even specify which editor to use for this function via the Settings menu option.
Help Explorer Viewer
Help Explorer Viewer, developed by Kama Software, is free but not open source. It comes in both Windows and Linux versions, which is an advantage if you work with dual booting systems or in an environment with both operating systems. You can use Help Explorer Viewer to view not only CHM files, but HLP (older) and HXS (newer) help file formats as well. According to the Web site, you can integrate Help Explorer Viewer into your application through its API.
Installation is simple. Go to its Downloads page and get the Linux version, which currently stands at 3.0. Go to the directory where you downloaded the file, and enter these commands as root:/p>
tar zxf HelpExplorer3.0_LINUX.tar.gz cd Setup/ ./setup.sh
After you view the end-user license agreement (EULA), Help Explorer Viewer is installed in /usr/local/HelpExplorer. If you want to uninstall it, you can run the uninstall.sh script in that directory. The installation asked if I wanted to install KDE/GNOME menu items, but even though I answered yes, the program didn't appear in the main menu, in the Konqueror menus, or even in the context menu when I right-clicked on a CHM file; I don't know where it's supposed to appear, but I couldn't find it.
Help Explorer Viewer includes all the usual search mechanisms: table of contents (organized hierarchically, as a tree), index (a list of keywords), and common searching. The help files showed up correctly in all tests I ran, but I wish I could have changed the font the program used, because it displayed pixelated. You can change views between Contents, Index, Search, and Favorites (called Bookmarks in other viewers).
ChmSee
ChmSee is an open source Gtk2+ package for GNOME whose Web site is written mostly in Chinese; if it weren't for some parts in English, you'd be sorely tested to install or use ChmSee. It's free under the GPL, and version 1.0 was released in August.
Installing ChmSee could be a bother, but it appears in openSUSE standard repositories, which greatly simplifies things. If you want to build it from source, you'll need Gtk2+, libglade-2.0, gecko, chmlib, and OpenSSL. After getting the source package, you need to enter these commands:
tar xzf chmsee-1.0.0.tar.gz cd chmsee-1.0.0 ./configure make sudo make install
You might have to add a parameter to the configure command (--with-chmlib=/path/to/chmlib) if it cannot find chmlib. After installation, ChmSee was added to my openSUSE menus, but not my Konqueror or context menus.
You can configure the fonts used for display (something lacking in both KchmViewer and Help Explorer Viewer) by going to Edit -> Setup. Be careful with the Clear function, which deletes all ChmSee work files and causes the viewer to crash. If you opt for this, you'll have to reopen the CHM file. ChmSee doesn't offer Index or Search views; in fact, it has no search function at all. Also, in my testing, some CHM files displayed weird messages (and the text didn't get displayed), and some images didn't show at all.
ChmSee looks promising, but it still has a way to go before being at the same level as KchmViewer and Help Explorer Viewer.
Other candidates
Firefox users can download the CHM Reader add-on, currently at version 0.2.1.1. Installation is simple. The utility adds a new Open CHM Files entry to the Firefox File menu. When you open a CHM file, the table of contents is hidden by default, but you can bring it up by pressing Ctrl-E. Viewing files works fine, but CHM Reader doesn't offer a global search function, and the Firefox search function works only within the current page.
I tried to look at GnoCHM, xCHM, and KCHM (seemingly abandoned; its latest version is from 2003), but I got into dependency hell problems. I couldn't find distribution-ready packages, and installation from source was troublesome.
Conclusion
KchmViewer offers the easiest installation and greatest integration with the desktop environment. Help Explorer Viewer is useful for developers and users who work with both Linux and Windows. ChmSee has some bugs to be worked out, so I wouldn't recommend it for normal usage. CHM Reader is a good add-on, but its lack of searching power is a hindrance.
Article written By Federico Kereki, he is an Uruguayan systems engineer with more than 20 years' experience developing systems, doing consulting work, and teaching at universities.
iptables as a replacement for commercial enterprise firewalls
With IT budgets getting tighter, managers need to trim costs. Service contracts are expensive for any technology; firewalls are no exception. Netfilter, the project that provides the packet filtering program iptables, is a free firewall alternative. While it lacks the service contract of commercial solutions and a pretty interfaces to make firewall modification easy, it has solid performance, performs effectively at firewalling, and allows for add-on functionality to enhance its reporting and response functions.
As a case study to demonstrate the feasibility of iptables as an enterprise firewall, consider the network I manage at University of Illinois at Urbana-Champaign. The network supports 2,000 devices and has a 1-gigabit uplink with two firewall zones (DMZ and secure). Daily bandwidth outbound averages around 100 gigabytes. The network is protected by two dedicated firewall machines running iptables, each with three network cards (two for the bridging firewall, one for management access), and each running 1.5GHz single-core processors with 1GB RAM. Processing power is not critical in this case; you could save money by using a machine with a lower-end CPU.
We experience no latency attributed to the firewalls, and they do as good a job as can be expected of blocking bad traffic. Once the firewalls were properly tuned, we saw no downtime due to software issues.
There are, however, a couple of "gotchas" to keep in mind. The connection table can get filled on firewalls that are routinely being scanned or are on high-traffic networks. To solve this problem, increase the net.ipv4.ip_conntrack_max kernel parameter (mine is currently at 131071) and decrease net.ipv4.tcp_keepalive_time (3600 is a good choice). As long as the firewalls have plenty of memory to spare, these settings should not pose a problem, and the firewalls will happily run without needing any hand-holding. The result is a firewall with no packet loss and unnoticeable latency that's highly available (assuming good hardware).
Effectiveness at filtering traffic according to policy
A firewall is only as good as its ruleset, no matter which firewall you are using. The rules for iptables are generally easy to understand. Here is an example rule:
iptables -A INPUT -m state -p tcp --dport 80 -s 192.168.5.0/24 --state NEW,ESTABLISHED,RELATED -j ACCEPT
This command adds (-A) an input rule (traffic going to the machine the firewall is on) that checks state (-m) for any new, established, or related traffic from the 192.168.5.0 subnet on port 80 (Web traffic). If you want to log dropped packets (and you should) you also have to create both a DROP rule and a REJECT rule just to handle the logging.
You can block malformed packets (i.e. packets which may be part of a SYN scan) easily with rules checking just the TCP header flags. Other tools such as fwsnort allow for more detailed packet inspection to block clearly malicious traffic. fwsnort converts Snort rules into iptables rules that embed some IPS capability into the iptables. However, iptables allows for easy addition of IP address blacklists to stop all traffic from known hostile netspaces. Once you're familiar with the conventions for writing iptables rules and you have a basic knowledge of IP headers, you'll find it easy to write new rules.
Add-on functionality for reporting and active response
Several add-on tools can help you get more out of iptables log data. Most standard system log scanners can be configured to pull out interesting information, but they certainly aren't designed for that purpose. psad can be configured to provide email alerting on apparent attacks above a certain threshold, and to actively block hostile IP addresses once a defined threshold has been met.
You can perform additional management of the connection tables with the conntrack-tools from Netfilter. This software allows command-line access to the connection tables and allows for grabbing statistics on that information. Lastly, you can set up firewalling up to layer 7 (the application layer) with l7-filter. For instance, an academic environment could use l7-filter to limit peer-to-peer traffic bandwidth as a way to cut back on those fun MPAA/RIAA cease-and-desist letters.
On the downside, because iptables doesn't do the heavy lifting of making rules for you like commercial firewall appliances, it requires users have a more in-depth understanding of firewalling. While tools such as Firewall Builder and KMyFirewall making configuring iptables more user-friendly, a security admin will have to learn about firewalling and the applications in general. This means lots of time and up-front testing.
There is also the problem that when things break there is no one to call to fix it. This requires that knowledge be cultivated in house. However, information on open source solutions tends to be in the public domain, so training costs tend to be a factor of time and perhaps buying some books at Amazon.
At the end of the day, organizations can gain tremendous cost savings by using iptables for firewalls. An added bonus is the additional flexibility that an open source solution provides.
Article written By John C. A. Bambenek, he is a handler at the Internet Storm Center and a security administrator at the University of Illinois at Urbana-Champaign. He has written numerous articles on security, contributed to several computer security courses, and recently contributed the chapter out "Botnets: Proactive System Defense" to the book Botnets: Countering the Largest Security Threat.
As a case study to demonstrate the feasibility of iptables as an enterprise firewall, consider the network I manage at University of Illinois at Urbana-Champaign. The network supports 2,000 devices and has a 1-gigabit uplink with two firewall zones (DMZ and secure). Daily bandwidth outbound averages around 100 gigabytes. The network is protected by two dedicated firewall machines running iptables, each with three network cards (two for the bridging firewall, one for management access), and each running 1.5GHz single-core processors with 1GB RAM. Processing power is not critical in this case; you could save money by using a machine with a lower-end CPU.
We experience no latency attributed to the firewalls, and they do as good a job as can be expected of blocking bad traffic. Once the firewalls were properly tuned, we saw no downtime due to software issues.
There are, however, a couple of "gotchas" to keep in mind. The connection table can get filled on firewalls that are routinely being scanned or are on high-traffic networks. To solve this problem, increase the net.ipv4.ip_conntrack_max kernel parameter (mine is currently at 131071) and decrease net.ipv4.tcp_keepalive_time (3600 is a good choice). As long as the firewalls have plenty of memory to spare, these settings should not pose a problem, and the firewalls will happily run without needing any hand-holding. The result is a firewall with no packet loss and unnoticeable latency that's highly available (assuming good hardware).
Effectiveness at filtering traffic according to policy
A firewall is only as good as its ruleset, no matter which firewall you are using. The rules for iptables are generally easy to understand. Here is an example rule:
iptables -A INPUT -m state -p tcp --dport 80 -s 192.168.5.0/24 --state NEW,ESTABLISHED,RELATED -j ACCEPT
This command adds (-A) an input rule (traffic going to the machine the firewall is on) that checks state (-m) for any new, established, or related traffic from the 192.168.5.0 subnet on port 80 (Web traffic). If you want to log dropped packets (and you should) you also have to create both a DROP rule and a REJECT rule just to handle the logging.
You can block malformed packets (i.e. packets which may be part of a SYN scan) easily with rules checking just the TCP header flags. Other tools such as fwsnort allow for more detailed packet inspection to block clearly malicious traffic. fwsnort converts Snort rules into iptables rules that embed some IPS capability into the iptables. However, iptables allows for easy addition of IP address blacklists to stop all traffic from known hostile netspaces. Once you're familiar with the conventions for writing iptables rules and you have a basic knowledge of IP headers, you'll find it easy to write new rules.
Add-on functionality for reporting and active response
Several add-on tools can help you get more out of iptables log data. Most standard system log scanners can be configured to pull out interesting information, but they certainly aren't designed for that purpose. psad can be configured to provide email alerting on apparent attacks above a certain threshold, and to actively block hostile IP addresses once a defined threshold has been met.
You can perform additional management of the connection tables with the conntrack-tools from Netfilter. This software allows command-line access to the connection tables and allows for grabbing statistics on that information. Lastly, you can set up firewalling up to layer 7 (the application layer) with l7-filter. For instance, an academic environment could use l7-filter to limit peer-to-peer traffic bandwidth as a way to cut back on those fun MPAA/RIAA cease-and-desist letters.
On the downside, because iptables doesn't do the heavy lifting of making rules for you like commercial firewall appliances, it requires users have a more in-depth understanding of firewalling. While tools such as Firewall Builder and KMyFirewall making configuring iptables more user-friendly, a security admin will have to learn about firewalling and the applications in general. This means lots of time and up-front testing.
There is also the problem that when things break there is no one to call to fix it. This requires that knowledge be cultivated in house. However, information on open source solutions tends to be in the public domain, so training costs tend to be a factor of time and perhaps buying some books at Amazon.
At the end of the day, organizations can gain tremendous cost savings by using iptables for firewalls. An added bonus is the additional flexibility that an open source solution provides.
Article written By John C. A. Bambenek, he is a handler at the Internet Storm Center and a security administrator at the University of Illinois at Urbana-Champaign. He has written numerous articles on security, contributed to several computer security courses, and recently contributed the chapter out "Botnets: Proactive System Defense" to the book Botnets: Countering the Largest Security Threat.
Make Money
Recent Posts
1 BTC equals 9199.46 USD
NYT Technology: How to Fight Health ‘Cures’ Online
NASA Image of the Day: Perseverance Rover Mated to...
NYT Technology: Massachusetts Sues Uber and Lyft O...
U.S. crude oil and natural gas production in April...
Air Force says service still needs to be bigger - ...
Facebook reportedly considers ban on political ads...
1 BTC equals 9310.0801 USD
NYT Technology: YouTube’s Factory Workers Are Angry
NASA Image of the Day: Hubble Sees a Star Called H...
NYT Technology: How to Fight Health ‘Cures’ Online
NASA Image of the Day: Perseverance Rover Mated to...
NYT Technology: Massachusetts Sues Uber and Lyft O...
U.S. crude oil and natural gas production in April...
Air Force says service still needs to be bigger - ...
Facebook reportedly considers ban on political ads...
1 BTC equals 9310.0801 USD
NYT Technology: YouTube’s Factory Workers Are Angry
NASA Image of the Day: Hubble Sees a Star Called H...
Archive
January 2006April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
February 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
April 2008
May 2008
July 2008
August 2008
September 2008
October 2008
November 2008
January 2009
May 2009
June 2009
July 2009
August 2009
September 2009
December 2009
March 2010
June 2010
July 2010
September 2010
October 2010
November 2010
January 2011
March 2011
February 2013
April 2013
September 2013
December 2013
August 2014
September 2014
October 2014
November 2014
January 2015
January 2016
September 2018
October 2018
November 2018
December 2018
January 2019
February 2019
March 2019
April 2019
May 2019
June 2019
July 2019
August 2019
September 2019
October 2019
November 2019
December 2019
January 2020
February 2020
March 2020
April 2020
May 2020
June 2020
July 2020
SEO Stats