Monthly Archives: April 2008

Ubuntu Uncomplicated Firewall

A nice new feature in Ubuntu 8.04 is the so-called Uncomplicated Firewall (UFW). It’s a command-line tool for managing simple firewall rules on a stand-alone computer.

Basically UFW acts as a frontend, with its own configuration files, to iptables-restore. Besides taking care of saving and loading your firewall rules, the thing which makes UFW really neat is its simple syntax. Assuming you have set it to default deny, and you want to open up port 80 for example, all you have to type is

$ ufw allow 80

If you want to do something more specific there’s a PF-inspired syntax available.

$ ufw allow proto tcp from 192.168.0.42 to any port 22

Currently there isn’t that much online documentation available on UFW. Luckily it has a rather well written man(ual) page in ufw(8).
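As an added example (not part of the original post), here is a small shell script that puts the two rule forms above together into a complete default-deny policy, applying the rules in an order that does not lock a remote administrator out: default policy first, then the admin SSH rule, then the public service, then enable. The admin address 192.168.0.42 is the one used above and is only an assumption; the script prints every command and executes nothing unless UFW_APPLY=1 is set, so it can be reviewed before it touches a real machine.

```shell
#!/bin/sh
# Added example, not the original post's code: build a default-deny UFW policy.
# Dry-run by default; set UFW_APPLY=1 and run as root to actually apply it.
set -eu

# Assumed administration host allowed to reach SSH; change to your own.
ADMIN_HOST="${ADMIN_HOST:-192.168.0.42}"

# run: print the command, and execute it only when UFW_APPLY=1.
run() {
    printf '%s\n' "$*"
    if [ "${UFW_APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

# ufw_policy: emit (and optionally apply) the rules in a safe order.
# 1. default deny, so anything not listed below is dropped
# 2. SSH from the admin host only, before enabling, so a remote session survives
# 3. HTTP from anywhere, using the short port-only form
# 4. enable the firewall and show the resulting rule set
ufw_policy() {
    run ufw default deny
    run ufw allow proto tcp from "$ADMIN_HOST" to any port 22
    run ufw allow 80
    run ufw enable
    run ufw status
}

ufw_policy
```

Run it once without UFW_APPLY to read the planned commands, then with UFW_APPLY=1 under sudo; the final `ufw status` line shows the loaded rules so you can confirm that port 22 is restricted to the admin host and port 80 is open to all.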

Ubuntu (8.04) and OpenVZ

A new version of Ubuntu (Hardy Heron / 8.04) is now available. To my great surprise I noticed that there’s an OpenVZ kernel included in the universe repository. Considering OpenVZ is my favorite approach to server virtualization, this is really good news.

It seems as if Ubuntu’s OpenVZ support is still somewhat experimental though. One thing is the lack of polish, such as /etc/sysctl.conf not being automatically updated, the absence of a downloadable template, etc. Then there’s the slightly bigger issue of my test computer not even booting off the provided OpenVZ kernel (Bug #210672).

The alternative, for those of us who live in the world of apt and deb, is to run Debian together with the external debian.systs.org repository. While I generally prefer not to rely on third-party repositories, this one has been around for a while now and seems quite reliable.

Anyhow, I’m really looking forward to seeing Ubuntu’s OpenVZ support improve. Perhaps I won’t use OpenVZ with the current version of Ubuntu, but it’s most definitely something I’ll enjoy in future versions.

Virtualized Firefox

At those times when I get paranoid about security I get especially nervous about my web browser. How can I not be, considering all the content of unknown origin it’s exposed to? Also, as the web becomes more interactive, the area vulnerable to exploits grows exponentially.

While it’s some comfort to have Firefox run as a non-administrative user, it would still feel a lot better if that user didn’t happen to be my regular user, with access to all my files, settings, keys, etc. That is why I now run my Firefox completely virtualized.

The setup I’ve initially chosen is based on having VirtualBox run a virtual Debian stable. Inside that virtual machine, Firefox (Iceweasel) is launched from an unprivileged X environment. Openbox seemed like a suitable window manager.

Of course, there is still the risk of one web session being used to attack another, the issue of keeping my certificates safe, the potential of VirtualBox being exploitable, etc. Still, keeping your computer safe is something of a journey, and this virtualized solution is hopefully a step in the right direction.

The heroic and the mundane

One of the exciting parts of being a system administrator is the situations when you need to get something working Right Now. Working under time pressure, trying to find a creative solution to an unexpected technical problem: that’s not entirely unlike doing the job of MacGyver.

Earlier this week I had to deal with the result of a failing DNS server. What made this a real problem was a bunch of Windows computers which refused to talk to any other DNS servers they had been, or were being, told of. Perhaps not the most exciting of examples, but it will do for the point I’m about to make.

The otherwise extremely stable server failed due to a bad hard drive. Considering the age of the hard drive in question I can’t really claim to be surprised. Had I actually replaced the hard drive earlier on, then there wouldn’t have been a problem. Also, had I actually verified that all computers really talked to the secondary DNS server I wouldn’t have had a problem which needed to be solved Right Now.

No matter how much fun it can be to solve problems, your users will most likely prefer it if the problems weren’t there in the first place. While the heroic actions of MacGyver are important, you mustn’t forget the all-so-important, and somewhat more mundane, proactive measures which have to be done routinely.

Well, then there is of course the small detail of having the time…

I want more OpenID

I really like the concept of OpenID. From a technical point of view it’s a beautiful solution, as it takes a creative approach to authentication while still relying on existing (and proven) technologies. Then there is the part about it having the potential of making my, and others’, lives easier. It would be awfully nice not having to use a separate login for every forum, wiki, etc. I happen to visit now and then.

While there is plenty of official support for the standard and plenty of OpenID providers available, the web sites where you can actually use your OpenID are still few. If you operate a web site which requires visitors to log in, please take a close look at OpenID. I would most definitely like to be able to use my OpenID more.

I myself work on a project which, among other things, will hopefully enable OpenID login at the Swedish Ubuntu LoCo. In case you happen to be familiar with the language, you can read more about it in the thread OpenID, SSO, etc för ubuntu-se.org.

Yes, I would really appreciate it if you took a closer look at OpenID.

No nonsense providers

When it comes to online services I most definitely prefer no-nonsense providers. I don’t want any specially designed tools or extravagant web pages; I merely want a basic service done well.

Two great examples are the DNS provider primary.se and the offsite storage rsync.net. They give you a quality service accessed by standard protocols. Nothing more, nothing less.

Let’s simply call it services by geeks, for geeks.