DFWUUG NEWSLETTER 2001

The mission of the DFWUUG is to promote interest in and an understanding of UNIX All meetings are open to the public without charge.

The group meets the first Thursday of the month, with the exception of those months where the Thursday falls on or near a holiday. Everyone is cordially invited to attend. For current information, please check out the user group's web site www.dfwuug.org.

Main Event:
Collaborative Software Development
By Greg Pratt of VA Software

Top

Collaborative Software Development (CSD) is a fairly recent phenomenon that combines the flexibility of SourceForge.net and the best practices of Open Source Development. Greg´s presentation will enlighten you about CSD and how you can bring it behind your firewall.

Greg Pratt is a former Vice President and President of the Dallas Fort Worth Unix Users Group. He is a Senior Systems Engineer with VA Software (formerly VA Linux Systems)

Well, this is it - my last "President's Podium"
article! I can't believe it's been a whole year!

DFWUUG folks, I've really enjoyed being your
president. You've been a great group to work with.
I've followed many great leaders who have done so much
for the group, and I hope I've at least continued the
trend while I was at the helm. I look forward to
helping out still whenever I can.

Being involved with this group has taught me a lot
about leadership and teamwork. If you have any desire
whatsoever to volunteer just a little of your time,
you can gain many benefits from being a leader in the
DFWUUG.

I want to give a special, HUGE thanks for all of the
support that my board and leaders have given me. Each
of you has made such an important contribution to the
health and prosperity of the DFWUUG. I appreciate each
and every one of you more than you'll ever realize.

"All other things being equal", go with the most value, or the lowest cost.

When Brad Corbett owned the Texas Rangers, he figured that if the outfield
fences were moved closer to home plate, the Rangers would hit more home runs,
and "all other things being equal" the Rangers would win more ball games.
The outfield fences were moved, the Rangers hit more home runs, but the
Texas team did not win more ball games. All other things were not equal.
Alas, shorter fences led to more home runs for visiting teams as well.

When is something equal to something else. Is an MBA at one school equi-
valent to an MBA from another? Is a course in C++ or Java one place,
equivalent to a course in C++ or Java somewhere else? Is a seminar course
at Harvard with a dozen students equivalent to a lecture at Harvard with 700?

In 1959 the graduating class of Shimer College put itself on the map with the
Educational Testing Service. That year, over 200 institutions of higher
learning tested their entire graduating classes on liberal arts. Shimer's
graduates tied for first in the Social Sciences, and clearly took the gold in
both the Sciences and the Humanities. Why?

        1) Curriculum--developed over 20 years at the University of Chicago
        2) Faculty--well educated, many with graduate degrees from Chicago
        3) Small discussion classes--maximum of 10 to 18 students
        4) Experience taking comprehensive examinations--taken every Spring
        5) Selectivity of students--not in beginning admissions, but of
           those who stayed long enough to become seniors.

So, what does all this mean, for courses you might take, or which your
company might offer:

        1) Purpose: skills alone, or skills and teambuilding.
           Teambuilding is one reason that companies train
           their own people in groups.

        2) Who are the students? Backgrounds, ability, prerequisites?
           For example, can someone teaching Java expect background in
           C? If so, the = ==, if/else, all kinds of loops, and switches
           can simply be reviewed, and, Java can proceed at a higher level.

3) Instructor. Instructor knowledge, instructor techniques, ability
to both deal in the specific, and in the abstract.

4) Facilities. This includes written materials. Are they readable?
How are they used? A/V and computer facilities count too.

        5) Time and motivation. There is an amount of time needed to teach
           anything, but the time is less with motivated students, and with
           a skilled instructor committed to student learning.

Considering the "cost" of training, consider two things:
        1) cost of not training.
        2) cost of less effective training, say 5 days, for what others do
         in 3. The delta 2 days per employee times 12 in a class, is 24 week
         days, over a month of someone's salary/benefits on a payroll.

A Column Devoted to Computer Security

Firewall Builder – The Easy Way Out of IPTables

I was reading a message on the firewall-wizards mailing list recently wherein a fellow wanted to stop all TCP packets with the SYN and FIN bits set coming into his firewall. This is a desirable thing to do. Here’s why: The TCP specification says that a TCP packet has six flag bits SYN, URG, PSH, RST, FIN, ACK (synchronize, urgent, push, reset, finish, and acknowledge). The specification doesn’t say what to do when a packet with nonsensical combinations of flags bits arrives. One such combination is SYN and FIN set. This combination indicates the start of communication (SYN set) and the end of communication (FIN set). Clearly, this is not sensible, but bad guys on the network use packets like this to fingerprint your systems on the Internet. Depending on how the system replies to this packet, a bad guy can conjecture what sort of system is on the other end and from that, use known vulnerabilities to attack you. The best thing to do in this case is drop the packet without a reply. I thought this is easy with Darren Reed’s IPFilter:

block in quick log proto tcp from any to any flags SF/SF

But as I read on, I found the fellow was doing this on a Linux firewall with iptables. IPFilter doesn’t run on Linux, so he can’t use IPFilter. The good news is iptables with Linux 2.4.x kernel does allow the inspection of the flag bits in a TCP header. So, I began to think how do you go about doing this with iptables. Hmm. There have been some significant changes with iptables over ipchains and not just in syntax. This is not as easy as it might seem at first blush. Rather than dig out the specification on iptables and delve into it, I decided it was time to look into a program I had had my eye on for some time, fwbuilder.

Vadim Kurland and Vadim Zaliva have written a program called Firewall Builder to make it easy to create and maintain firewall rulesets. Firewall Builder consists of an object-oriented GUI and a set of policy compilers for various firewall platforms, like iptables. In Firewall Builder, a firewall policy is a set of rules; each rule consists of abstract objects that represent real network objects and services (hosts, routers, firewalls, networks, and protocols). Firewall Builder helps firewall administrators maintain a database of objects and allows policy editing using simple drag-and-drop operations. Preferences and object databases are stored in XML format. Once the ruleset is written, Firewall Builder compiles the ruleset into a script that implements the security policy described by the ruleset.

I downloaded the source from http://fwbuilder.sourceforge.net to build the components of Firewall Builder: fwbuilder, fwbuilder iptables compiler, libfwbuilder and libfwbuilder development. I also had to download and build gtkmm-1.2.5 as Firewall Builder requires this. Everything built without a hitch once I had gtkmm-1.2.5 built as well.

To start Firewall Builder, type

fwbuilder &

This brings up a window showing the objects that come predefined in Firewall Builder. There are standard objects representing the standard services such as TCP and UDP services like telnet and NFS. There are user-defined objects for defining objects of interest to you. I clicked on “Firewall” and then Insert -> Firewall. Now I have a firewall. At this point I am presented with forms to fill in information about the firewall such as a name. It’s very important to name your firewall something meaningful since this name will be used to create other files related to the firewall. Hint: don’t use spaces in the name. I fill in that it is a Linux 2.4 firewall and the firewall software, in this case, iptables. Next, go to the Interfaces tab on the firewall and fill in the network interface names and IP addresses. These are necessary if you have rules that are specific to an interface. In this case, the rule is a global rule and not specific to any interface. After all, you might get probed from the inside by one of your own guys. Next, I selected some option on the Firewall tab: I set the log level to ‘warning’ and don’t want any sessions open prior to the start of the firewall to be considered valid. Finally, click “Apply” and I have a firewall named “Demo-Firewall” in the layout viewer. I expand that entry and it has a “Policy” and a “NAT” entry. Before I get into making the “Policy”, I need to define the special case I want to guard against. So, I click on open the “Services” in the directory viewer. Then I open “TCP” under the “Services”. I want to create an object that represents the specific TCP condition I want to filter out. I pull down Insert -> TCP to create the object. I get a form to fill in that has port information, TCP flags, a name for this object, and commentary fields. I fill in the form with a name of “tcp-syn-fin” and click on the flags SYN and FIN, and then “Apply” to create the object. Now, I go back to the directory listing and select my firewall “Demo-Firewall” and the “Policy” underneath it. There is a rule numbered ‘00’ with a source, destination, and service set to “Any”, an action of “Deny”, a time of “Any” and a blank comment. I drag-and-drop my tcp-syn-fin
object to the service column and click “Apply”. There you have it; from any source to any destination deny tcp-syn-fin any time. I pull down Rules -> Compile. I get the standard sort of dialog box about where I want the result to go. The policy compiles without errors. The output from the compilation look like this:

#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_iptables v1.0.0
#
# Generated Mon Feb 25 13:19:29 2002 CST by gsmith1
#
#
#
#

if [ -x /usr/bin/logger ]; then
logger -p warning "Activating firewall script Demo-Firewall.fw generated Mon Feb 25 13:19:29 2002 CST by gsmith1"
fi

modprobe ip_conntrack || exit 1
modprobe ip_conntrack_ftp || exit 1
modprobe ip_nat_ftp || exit 1
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl
iptables -P OUTPUT DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
iptables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        iptables -t $table -F $chain
      fi
done
iptables -t $table -X
done
ip addr flush dev eth0 scope link
ip addr flush dev eth1 scope link
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG
iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
iptables -A INPUT   -p tcp ! --syn -m state --state NEW -j LOG
iptables -A INPUT   -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
#    Rule #0
#
#    Block SYN/FIN TCP packets.
#
iptables -N RULE_0
iptables -A OUTPUT -p tcp -m state --state NEW -j RULE_0 --tcp-flags ALL SYN,FIN
iptables -A INPUT -p tcp -m state --state NEW -j RULE_0 --tcp-flags ALL SYN,FIN
iptables -A FORWARD -p tcp -m state --state NEW -j RULE_0 --tcp-flags ALL SYN,FIN
iptables -A RULE_0 -j LOG   --log-level warning --log-prefix "RULE 0 -- Deny "
iptables -A RULE_0 -j DROP
#
# Final rules
#
iptables -A INPUT      -j DROP
iptables -A OUTPUT     -j DROP
iptables -A FORWARD    -j DROP
echo "$FWD" > /proc/sys/net/ipv4/ip_forward

Hmmm. All this from just one rule! Let’s look at what this does. The first part including the ‘modprobe’s log the starting up of the firewall and make sure the necessary kernel modules are loaded. The next four lines dealing with /proc save the current state of IP forwarding, turn IP forwarding off and adjust some TCP parameters. The next three iptables commands set the default policy on the OUTPUT, INPUT, and FORWARD chain to DROP, a good policy to have. The next bit of shell manipulations clear any previous rules out of all the existing chains so the firewall starts with a clean slate. The next six iptables statements get rid of and log any TCP sessions that exist at the starting of the firewall. Again, this is starting with a clean slate. Now we get to the crux of the biscuit, as the late Frank Zappa would say, Rule 0. First, iptables creates a new chain called RULE_0. The next three iptables commands append rules to the OUTPUT, FORWARD, and INPUT chains specifying that when a new TCP connection comes in with the SYN and FIN bits set, jump to the chain named RULE_0. The iptables command sets the warning level (warning) and the message (RULE 0 – Deny) that will go into syslog if the rule is matched. The next iptables command says that a match causes the packet to be unceremoniously dropped. The next three iptables commands are catchall rules in case something might be slipping in that we didn’t consider; best to drop those things. The last statement restores the state of IP forwarding.

Wow! All that from one rule! Talk about bang for the buck! This was just setting up one rule; if you had more (and you would in a real world firewall) the rulesets would outweigh the overhead. The important thing to note here is that we were able to abstract the idea of dropping any TCP packets with SYN and FIN set as a policy without getting mired down the intricacies of iptables. This just like using a compiler write a program instead of assembly language. Just as compilers free us from the hassles of keeping up with registers, storage locations and weird/arcane instructions and lets us abstract our problems at a higher level, Firewall Builder frees us from the hassles of keeping up with similar low level stuff and lets us abstract our security policy at higher level. Just as compilers give us more maintainable code, Firewall Builder gives us more maintainable firewalls.

Check out Firewall Builder at http://fwbuilder.sourceforge.net.

BOOK REVIEW Mastering Regular Expressions

Review By Danny R. Faught

Top

A review of the book Mastering Regular Expressions, Jeffrey E. F. Friedl, O'Reilly & Associates, Inc., 1997, ISBN 1-56592-257-3, 7th printing This book has been on my reading list for a while, and I finally got around to tackling it to help with writing a section on regular expressions in a training course that I developed. What are regular expressions? According to the Perl regular expressions tutorial, "A regular expression is simply a string that describes a pattern." In a scripting language, text editor, and in a few other types of tools, these patterns can help you match text. You can pull apart pieces of the matched text for further processing, and if you'd like, you can replace parts of the text. That's a very general description of a very general tool that has uses in just about any text processing task.

I've used regular expressions ("regexes" for short) for many different things, such as automated test code that checks program output against expected results, in CGI scripts that handle forms on my web page, and in my email filter. A single regex can replace dozens of lines of code that do parsing. Regexes are very compact and powerful, but that compactness also leads many people to complain that they're difficult to understand after you've written them. Regexes are combinations of /, \, ^, $, (, and many other punctuation characters, along with ordinary letters and numbers. The most extreme example, on the last page of the book, is a 6600 character monstrosity that looks somewhat like a photo mosaic when viewed from a distance. However, the book gives some techniques for making regexes more understandable, such as embedding comments, and storing pieces of a complex regex in variables and then splicing them together.

To appreciate the book, you'll need to have some programming experience, or some other background that steels you for the task of reading dense jumbles of arcane symbols. The first three chapters are an introduction to regexes. Beginners may not make it past this section, but that's okay, because the book is worth the purchase just for the first three chapters.

The second section, chapters four and five, discusses details about regexes. Luckily, the author doesn't dive into the computational theories behind regular expressions (if he did, we'd find that our regular expressions aren't so regular after all). Even so, this is pretty deep stuff. The third section, chapters six and seven, give details about using regexes in particular tools. Chapter seven, on Perl, comprises a full third of the book.

The scripting language that's the undisputed regex champion is my favorite language, Perl. The book focuses on Perl. However, there's also reasonable coverage of other tools such as egrep, awk, tcl, GNU Emacs, plus some mentions of vi, sed, lex, Python, and Expect. There are many differences in the regex implementation among these tools, some obvious and others very subtle. This book is the best reference for sorting through the differences. This is especially useful if you're getting confused when using more than one of these tools at a time, or if you learned regexes in one tool and you're getting surprising results using another.

The author tells me that he's working on an update to the book because some aspects of it are dated. "The real meat of the book -- Chapters 4 and 5 -- is as valid and useful as ever, but some of the specifics have changed. Python and TCL, for example, have changed their engines to be more Perl like," said Friedl. This means that much of the Perl-specific information will be shifted to the parts of the book are aren't tool-specific.

Even accomplished script hackers are usually humbled by the masterful and comprehensive treatment of regexes that this book provides. I have been using regexes for years, and I was surprised, not so much by the advanced features that I mostly knew were there and just hadn't had the need to learn yet, but actually by the gotchas that exist even in simple expressions.

Like most O'Reilly books, this book is associated with the type of animal that is shown on the cover. The author says on his web page that this is the "Hip Owls Book," distinguishing his book from the other O'Reilly owl book, Learning the UNIX Operating System.

Tracking down further information from the author was not easy. All three URLs given in the appendix are defunct. Further searching turned up a pile of additional URLs that are also mostly defunct. Finally I found what looks like a home page for the book at http://public.yahoo.com/~jfriedl/regex/. This page includes a comprehensive list of errata, and an updated "About the Author" blurb, which mentions that Friedl went to work for Yahoo. I also found an interview of Friedl at amazon.com, done in 1997.

The bottom line? Beginners who have some appreciation for program code will benefit from reading the first three chapters and using the rest of the book as a reference when needed. Experts who read the book all the way through will come away with their tails between their legs, significantly smarter about all the things that regular expressions can do, and quite a bit more wary about how they can get themselves into trouble.

This month's topic for the Security SIG will be on SNARE: Host-Based Linux Intrusion Detection.

Is your networking NOT WORKING???!!

Do you dread talking about yourself?

Are you tired of contacting friends and family about job openings?

Have you lost control of your job search?

Is calling another person about a job the LAST THING you want to do?

Have you had little or no success using the Internet in landing a new job?

The truth is you have nothing to lose and everything to gain from making
contact directly with humans who have the control to hire you. Finding and
talking effectively with those humans is where it gets difficult! Ginger
till tell you how to connect and succeed in focused networking. In her
experience as a Licensed Professional Counselor and Founder of Get a Job
University, she's helped thousands of job seekers succeed in landing a new
job quickly and with less pain! She will conduct the JOB SEARCH SIG at our
meeting on April 4, 2002. Please join us.

Ginger Shelhimer, MA, LPC, CRP
Get A Job University
P.O. Box 794603
Dallas, TX 75379
214.227.1306
877.566.5628
www.getajobu.com
ginger@getajobu.com

How would you like to expand your technical library AT NO EXPENSE? You can review up to two books at a time from the O'Reilly catalog http://www.oreilly.com and then keep the books for your technical library. The procedure is to select the books you want to review. Then email John Dyer at jdyer@gte.net with the names of the books, your name and email address(s) and a phone number. John will then order the books and will notify you when the books arrive. When you receive the books, read them, write your review(s) and email your review to John for publication. As you review a book, you can request another one. You can look at the newsletter for a sample of what the reviews should look like..

John J Dyer
Home: 972-790-3311
jdyer@gte.net
Work: 214-951-2220
john.dyer@exxonmobil.com

********************************************************************** O'Reilly User Group Program members receive 20% discount on conference prices. Register early--limited space is available. Please use the discount code *DSUG* when registering. This discount is meant for use by your current UG members only. If posting information about this conference on your website, please do not include discount information. For more details or brochures, please contact Denise Olliffe, deniseo@oreilly.com or 707-829-0515 ext 339. **********************************************************************

O'Reilly is a registered trademark of O'Reilly & Associates, Inc. All other trademarks are property of their respective owners.

Using sounds in applets
http://javaboutique.internet.com/tutorials/Java_Game_Programming/SoundinAppletsEng.html

The question is, or how do you recycle those technical books and journals you never read anymore? The answer is, bring them to the next DFWUUG meeting and put them on display so members can browse through them and take home whatever is of interest. There is no monetary reward but you may find something you want and your stuff may get recycled through another great mind. Due to storage limitations, please be prepared to take you leftover stuff home with you afterward. Otherwise it will be sent to the trash. Think of it as a form of spring house cleaning.
John J Dyer
Home: 972-790-3311
jdyer@gte.net
Work: 214-951-2220
john.dyer@exxonmobil.com