X-Slacko-4.4 with Xfce

For talk and support relating specifically to Puppy derivatives
rg66
Posts: 1158
Joined: Mon 23 Jul 2012, 05:53
Location: Vancouver, BC Canada / Entebbe, Uganda Africa!?!

#941 Post by rg66 »

rcrsn51 wrote:I am reluctant to become involved in this issue because other Puppy builders have shown no interest in it. But here goes.

1. I build hplip_print/scan with an old version of Puppy that ensures maximum backwards compatibility. But it needs genuine libjpeg7. A symlink to libjpeg8 will NOT work. I could start building a parallel version for new Puppies, but I am disinclined to do so.

2. Certain recent versions of CUPS were built against ipv6 and networked printers cannot be detected unless it is loaded. So the patch PET loads it automatically through rc.local. However, I may have seen a comment somewhere that ipv6 interferes with the new firewall.

3. The patch PET also contains some stuff needed by Peasyscan, which has now disappeared from Puppy builds.

1. I could add libjpeg7 and symlink but not sure if it will break something.

2. The firewall is enough of a nightmare without adding more headache, but I will load ipv6 module and test.

3. What exactly is needed for peasyscan, libgphoto links?
X-slacko-5b1 - X-tahr-2.0 - X-precise-2.4
[url=http://smokey01.com/rg66/]X-series repo[/url]


#942 Post by rg66 »

Some quick testing with ipv6 and firewall.

Loading the ipv6 module doesn't seem to affect the firewall, although I just tested Samba and FTP. It does kill the netmon_wce applet though. Running it from the CLI gives:

# netmon_wce
Segmentation fault


#943 Post by rg66 »

Back to the firewall, I think I've sorted it.

Since UDP and TCP outbound are open

(iptables-save output)
-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT

it doesn't make sense to have:

iptables -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
iptables -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

Changing all Samba ports (137,138 UDP; 139,445 TCP) to --source-port fixes the NetBIOS issue and servers show up in Thunar.

Not sure about CUPS as I don't have a printer hooked up to test with.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld

#944 Post by 01micko »

rg66 wrote:Some quick testing with ipv6 and firewall.

Loading the ipv6 module doesn't seem to affect the firewall, although I just tested Samba and FTP. It does kill the netmon_wce applet though. Running it from the CLI gives:

# netmon_wce
Segmentation fault
http://www.murga-linux.com/puppy/viewto ... 372#855372

20160120 netmon_wce-3.1 
----------------------- 
support ipv6 
 -full rewrite of struct iface_info get_info() 
 -added additional headers 
 -call getnameinfo() instead of directly accessing the sockets 
 -code cleanup 
remove the puppyism patch. I might make a separate package. 
---------------------------------------------

Marv wrote:I never did get thunar to connect using the samba server netbios name with the firewall on. Looked at iptables and all the ports samba wants are open but it is dropping the netbios info and I don't want to mess with the firewall. My workaround (I like it because it's one click access and looks the same in PCManFM) is to add a bookmark in /root/.config/gtk-3.0/bookmarks. Mine is: smb://192.168.10.14/. My router is set to allocate IPs by mac address so the core machines are effectively static. Thunar won't let you right-click and add it cause it's not local so...
Here is a solution, but I'm not going to make it default.

# allow netbios name resolution for Samba
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

Directly under those lines add this:

$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

If you grab the latest firewall_ng from woof there is the ability to add custom ports.

--------------------------------------------------
rcrsn51 wrote:However, I may have seen a comment somewhere that ipv6 interferes with the new firewall.
Link please? My research suggests we need a separate firewall for ip6tables if ipv6 is loaded. (Can supply links upon request.)

-------------------------------------------------
rg66 wrote:-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT
I wouldn't do that.
Puppy Linux Blog - contact me for access


#945 Post by rg66 »

01micko wrote: http://www.murga-linux.com/puppy/viewto ... 372#855372

20160120 netmon_wce-3.1 
----------------------- 
support ipv6 
 -full rewrite of struct iface_info get_info() 
 -added additional headers 
 -call getnameinfo() instead of directly accessing the sockets 
 -code cleanup 
remove the puppyism patch. I might make a separate package.

Thanks, will add this to the next build.
01micko wrote:Here is a solution, but I'm not going to make it default.

# allow netbios name resolution for Samba
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

Directly under those lines add this:

$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

If you grab the latest firewall_ng from woof there is the ability to add custom ports.

Added those lines and it didn't make any difference, will check out the latest.
rg66 wrote:-A tcp_outbound -p tcp -j ACCEPT
-A udp_outbound -p udp -j ACCEPT
01micko wrote:I wouldn't do that.
I didn't, firewall_ng did that.


#946 Post by 01micko »

rg66 wrote: iptables -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j ACCEPT
iptables -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j ACCEPT

Changing all Samba ports (137,138 UDP; 139,445 TCP) to --source-port fixes the NetBIOS issue and servers show up in Thunar.

I don't know why it isn't working (in Thunar) with --destination but using --source with 0/0 is asking for trouble.

Perhaps the script (firewall_ng) should be more intelligent and detect the subnet, but then there are those that complain that they can't build the firewall before they make a net connection! How do you figure out the subnet then? Chook and egg :roll:


#947 Post by rg66 »

Even YASSM won't connect with the NetBIOS name with the firewall enabled and Samba ports open using --dport.

firewall off

nmblookup win7
IP=192.168.1.101
SHARE=Data
mount.cifs //192.168.1.101/Data /root/YASSM/Data@win7 -o username=rg,password=
'[' 0 -eq 0 -o 0 -eq 16 ']'
rox /root/YASSM/Data@win7
rox -x /root/YASSM/Data@win7

# nmblookup win7
192.168.1.101 win7<00>

firewall on

nmblookup win7
IP=name_query
SHARE=Data
mount.cifs //name_query/Data /root/YASSM/Data@win7 -o username=rg,password=
'[' 1 -eq 0 -o 1 -eq 16 ']'
gettext 'No connection to'
Xdialog --title YASSM --msgbox 'No connection to Data!' 0 0

# nmblookup win7
name_query failed to find name win7

iptables-save (snip)

-A tcp_inbound -p tcp -m tcp --dport 139 -j ACCEPT
-A tcp_inbound -p tcp -m tcp --dport 445 -j ACCEPT
-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 137 -j ACCEPT
-A udp_inbound -p udp -m udp --dport 138 -j ACCEPT

rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#948 Post by rcrsn51 »

rg66 wrote:Even YASSM won't connect with netbios name with firewall enabled and samba ports open using -dport.
When using YASSM with the old firewall, the standard procedure was to declare the local subnet as "trusted". Philosophically, this makes sense because you are trusting other local users to access your Samba shares.


#949 Post by rg66 »

01micko wrote:I don't know why it isn't working (in Thunar) with --destination but using --source with 0/0 is asking for trouble.

Will it be worse than not using the firewall at all?
rcrsn51 wrote:When using YASSM with the old firewall, the standard procedure was to declare the local subnet as "trusted". Philosophically, this makes sense because you are trusting other local users to access your Samba shares.
I will add the latest firewall_ng but leave it as is. For my personal use, if I even use it, I will edit it to add "-s 192.168.1.0/24 --sport 137" etc.

gcmartin

#950 Post by gcmartin »

@RG66, you, @01Micko, and @Rcrsn51 are addressing something similar. That subnet is important for setting definition within the F/W. Thus to set iptables, both the timing of the ethernet connects and correct statics in the iptables configuration are related for the F/W. Not to mention the multiple LAN adapters a PC can have ...

But, as mentioned, there may be a need to process ipv4/ipv6 a little different than present.

On the F/W settings after desktop and DHCP setup, I see that problem. My subnet is 23, NOT 24, on an ipv4 network.


#951 Post by 01micko »

Ok, I've added a separate entry for Samba Client in firewall_ng.

I just tested this pfix=ram on xslacko-4b1

here are the rules that get written.

# allow netbios name resolution for Samba client
$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 --source-port 137 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 --source-port 138 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 192.168.1.0/24 --source-port 139 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 192.168.1.0/24 --source-port 445 -m state --state NEW,ESTABLISHED -j ACCEPT

The subnet is worked out programmatically with an ip and route routine that should work if you are on a large network, even if it has been subnetted, but only for that subnet. I can't test that right now but if the busybox programs work as expected then there shouldn't be a problem.

Here is a small script demonstrating:

#!/bin/bash

# uses bashisms (process substitution)
# Finds the interface that carries the default route, the directly connected
# network on that interface, and the prefix length of its inet address.

iface= host= sub=

# pass 1: the interface of the default route
while read -r dest gateway genmask flags metric ref use face; do
	case $dest in
		default) iface=$face; break ;;
	esac
done < <(busybox route)

# pass 2: the network route on that interface ("host" is the network address,
# which is not necessarily xxx.xxx.xxx.0); done as a second pass so the order
# of the routing table does not matter
while read -r dest gateway genmask flags metric ref use face; do
	[ "$face" = "$iface" ] || continue
	case $dest in
		[0-9]*.[0-9]*.[0-9]*.[0-9]*) host=$dest; break ;; # very lazy regex
	esac
done < <(busybox route)

# prefix length from the first inet line, e.g. "inet 192.168.1.5/24 ..." -> 24
while read -r inet subnet rest; do
	case $inet in
		inet) sub=${subnet#*/}; break ;;
	esac
done < <(busybox ip addr show "$iface")

echo "${host}/${sub}"
echo "$iface"

There is no checking just yet for not being connected, so the variables will have null values if there is no connection. When I figure out the best way to handle this I'll upload it to woof-ce. EDIT - fixed by way of a popup explaining that the firewall will need to be reconfigured after establishing a network connection.

Attached is the latest firewall_ng script with above improvements. This one also has the button for adding custom rules.

Thanks for your help rg66.

----
gcmartin wrote:My subnet is 23, NOT 24 on a ipv4 network.
Well you are a prime candidate to test the new script then. :shock: Should pick up whatever subnet and host address. (which for the benefit of others, isn't always xxx.xxx.xxx.0).
Attachment: firewall_ng.gz

# gunzip firewall_ng.gz
# chmod 755 firewall_ng
# cp -af firewall_ng /usr/sbin/
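An added example, not code from firewall_ng or from any post in this thread, tying together the two pieces #951 describes: working the local subnet out from the routing table and interface address without assuming /24 or an xxx.xxx.xxx.0 network address (the cases gcmartin and 01micko raise), and writing the Samba client rules scoped to that subnet in the form firewall_ng emits them. The function names are mine, the route and address text it parses is constructed sample output in iproute2's `ip route` and `ip -o -4 addr show` one-line format rather than the busybox output the script above reads, and nothing is loaded into iptables:

```sh
#!/bin/sh
# Added example (not firewall_ng code): derive the local IPv4 network from an
# address and prefix length, locate it behind the default route, and emit the
# Samba-client rules the way firewall_ng writes them. POSIX sh only, so it
# also runs under busybox ash. No root needed; rules are printed, not applied.

# ipv4_network ADDR PLEN -> NETWORK/PLEN, e.g. 192.168.10.14 23 -> 192.168.10.0/23
ipv4_network() {
    addr=$1 plen=$2
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        # decimal octets 0..255 only; a leading zero would be read as octal below
        case $o in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # shell arithmetic is at least 64-bit, so the shift is safe for plen = 0 as well
    mask=$(( (4294967295 << (32 - plen)) & 4294967295 ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$plen"
}

# default_iface: read "ip route" output on stdin, print the device of the default route
default_iface() {
    while read -r dst rest; do
        [ "$dst" = default ] || continue
        set -- $rest
        while [ $# -ge 2 ]; do
            [ "$1" = dev ] && { printf '%s\n' "$2"; return 0; }
            shift
        done
    done
    return 1
}

# iface_cidr DEV: read "ip -o -4 addr show" output on stdin, print DEV's first ADDR/PLEN
iface_cidr() {
    while read -r idx dev fam cidr rest; do
        if [ "$dev" = "$1" ] && [ "$fam" = inet ]; then
            printf '%s\n' "$cidr"; return 0
        fi
    done
    return 1
}

# local_subnet ROUTES ADDRS: the network behind the default route, or failure
# when there is no default route yet (the "connect first, then build the
# firewall" case from the thread)
local_subnet() {
    dev=$(printf '%s\n' "$1" | default_iface) || return 1
    cidr=$(printf '%s\n' "$2" | iface_cidr "$dev") || return 1
    ipv4_network "${cidr%/*}" "${cidr#*/}"
}

# samba_client_rules NETWORK/PLEN: the four rules in firewall_ng's rule-file form.
# They match the peer's source port, which the sender chooses freely, so the -s
# restriction is the only thing keeping this from being an open door for any host.
samba_client_rules() {
    for p in 137 138; do
        printf '$IPT -A udp_inbound -p UDP -s %s --source-port %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$1" "$p"
    done
    for p in 139 445; do
        printf '$IPT -A tcp_inbound -p TCP -s %s --source-port %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$1" "$p"
    done
}

# Constructed sample output (not captured from a real machine): a host on a /23,
# as gcmartin describes, plus a second interface that must be ignored.
SAMPLE_ROUTES='default via 192.168.10.1 dev eth0 proto dhcp metric 100
192.168.10.0/23 dev eth0 proto kernel scope link src 192.168.10.14
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.10.14/23 brd 192.168.11.255 scope global dynamic eth0\       valid_lft 86364sec preferred_lft 86364sec
3: tun0    inet 10.8.0.2/24 scope global tun0\       valid_lft forever preferred_lft forever'

if subnet=$(local_subnet "$SAMPLE_ROUTES" "$SAMPLE_ADDRS"); then
    echo "# local subnet: $subnet"
    samba_client_rules "$subnet"
else
    echo "no default route yet; set up the network first, then build the firewall" >&2
fi
```

Run as is it prints 192.168.10.0/23 and the four rules for the sample; to use it on a real box, feed local_subnet the actual `ip route` and `ip -o -4 addr show` output. On the question #946 leaves open (why --dport 137 on udp_inbound is not enough): nmblookup sends the name query as a UDP broadcast, so the answer comes back from the server's unicast address and does not match the conntrack entry created for the broadcast destination; it is therefore NEW traffic with source port 137, which is exactly what these --source-port rules match, and why the stateful ESTABLISHED rule earlier in the chain never catches it. Since any host can send from port 137, the -s subnet match is what makes this acceptable where -s 0/0 is not. netfilter's nf_conntrack_netbios_ns helper exists for this same broadcast case and is the alternative to port-based rules; it is not something the thread uses.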


#952 Post by rg66 »

This one is confirmed to work, thanks 01micko.

I've tried similar things with limited success:
\$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 -m conntrack --ctstate NEW --dport 137 -j ACCEPT
\$IPT -A udp_inbound -p UDP -s 192.168.1.0/24 -m conntrack --ctstate NEW,ESTABLISHED --dport 137 -j ACCEPT

and a bunch more that didn't completely work, I finally went back to:
-s 192.168.1.0/24 --sport 137 -j ACCEPT

I found a few websites that said -m state is deprecated and to use "-m conntrack --ctstate", but not sure if it really matters as state seems to work.

ESTABLISHED might be redundant as line 1097 has:
\$IPT -A INPUT -p ALL $IOPT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
which seems to work if a connection is made before enabling the firewall, will test this again but not sure if it matters.

Edit: Mixed results, best left as is. Thanks!

Marv
Posts: 1264
Joined: Wed 04 May 2005, 13:47
Location: SW Wisconsin

#953 Post by Marv »

01micko wrote:Ok, I've added a separate entry for Samba Client in firewall_ng.

Attached is the latest firewall_ng script with above improvements. This one also has the button for adding custom rules.

Detecting my /24 subnet correctly and working well on X-slacko 4b1 here. Thanks for the welcome addition and sorry for starting this go-round. A note for testers with savefiles: Delete the old /root/.config/firewall/fw.conf before testing or it will abort.
Edit: Also tested in LxPupSc 16.03.4. As expected, works fine there also, both with Go>Network and entering smb: in PCManFM.

Thanks rg66 and 01micko.
Pups currently in kennel :D Older LxPupSc and X-slacko-4.4 for my users; LxPupSc, LxPupSc64 and upupEF for me. All good pups indeed, and all running savefiles for look'n'feel only. Browsers, etc. solely from SFS.


#954 Post by rg66 »

X-slacko-4b2 delta is available

http://smokey01.com/rg66/X-slacko/testing

Should be the last beta :roll:


#955 Post by Marv »

rg66 wrote:X-slacko-4b2 delta is available

Quicktest: Delta downloaded and applied. md5sum on the iso generated correct. Installed pristine frugal Grub4Dos to a Core 2 Duo laptop. Net and firewall set up smoothly with SNS. Allowing Samba client makes shares accessible directly through Network in the Thunar sidepane (NetBIOS name working). Set up networked HP4500 printer using my patched hplip 3.14.10 pet (I put the /usr/lib/libjpeg.so.7.0 and the libjpeg.so.7 symlink to it in the hplip pet) with no problems. I haven't found anything that that pair breaks but my usage is relatively limited. Posting from firefox in the pristine install now. I'll update the cleaned 4b1 savefile next.

edit: Up (pristine frugal) on the Bay Trail box also, samba shares served with trusted network. Savefiles on both carefully cleaned and updated. Both machines running well, timesharing with LxPupSc 16.03.6 on both.


#956 Post by rg66 »

X-slacko-4.0 will most likely be released by the weekend at the latest. I'll probably go with the Tahr-6.0.5 3.14.56 PAE kernel. I will not be releasing a Non-PAE version as the forcepae boot option is supposed to be working (Marv, can you confirm this?) and basically only 400MHz Pentium-M are affected.


#957 Post by Marv »

rg66 wrote:X-slacko-4.0 will most likely be released by the weekend at the latest. I'll probably go with the Tahr-6.0.5 3.14.56 PAE kernel. I will not be releasing a Non-PAE version as the forcepae boot option is supposed to be working (Marv, can you confirm this?) and basically only 400MHz Pentium-M are affected.

Took a little while as lots of reboots were involved on a pretty slow lappie. Sorry to say the 3.14.56 PAE kernel used in Tahr-6.0.5 does not have that patch enabled, so it will not be able to boot on the Pentium Ms. Not a big deal in my opinion as kernel swapping is pretty simple.
The kernels that I just checked for the patch and that passed ordered from newest to oldest are:

4.4.6-lxpup-32-pae ...............from LxPupSc 16.03.5
4.4.1-Emsee-32-pae-rt3 ........from LxPupSc 16.03.?
3.17.7-pae ..........................from TahrPup 6.0
3.15.4 ................................from TahrPup 5.8.3
3.14.20-pae-update-tahr ......was a staple of mine for quite a long time

Posting from 4b2 running the 4.4.6 kernel on a Pentium M 725 series processor now. I have run the 4.4.1 on this laptop for days to a week with no issues to date.


#958 Post by rg66 »

Thanks for testing, Marv; my Pentium M lappy died some time ago (ran for 10 years, not bad).

These days I doubt too many people are running non-PAE CPUs and, as you say, kernel swaps are a piece of cake. Are you the only one still running an M? :wink:


#959 Post by Marv »

rg66 wrote:Thanks for testing Marv, my pentium M lappy died some time ago (ran for 10 years, not bad).

These days I doubt too many people are running non-PAE CPUs and, as you say, kernel swaps are a piece of cake. Are you the only one still running an M? :wink:

At this point I wish I weren't, as they are pretty CPU-power limited for today's browsers, but they absolutely refuse to die or even waver, people are using them, all running either 3.1n or 1b3 on CF cards super reliably, and I can't make myself toss them. The Fujitsu S62xx series was a jewel! I am sniffing around a couple more of their Core 2 Duo descendents and if I get them at least 2 of the Pentium Ms will go beyond. Eons ago at work I screwed an early IBM laptop I had outgrown to a wall and used it to display the output of an electronic balance with a bad display. Brought groans and comments about my ancestry but worked and the numbers were BIG.

Cheers,


#960 Post by rg66 »

Lol, got two of the Pentium-M's working! One needed the LCD replaced and the other had the power button stuck so it killed itself (the third needs a keyboard which I doubt I'll find here). The kids each have one now so no more fighting over the shared computer. :D
