Protect Windows with Virtualbox, pfsense, ipcop, ipfire and t1n1wall

This is a precursor of a possibly long post about configuring a software firewall using virtualbox together with an open source firewall distribution such as ipcop, pfsense and t1n1wall (one of the successors of m0n0wall).

I will jot down the most important elements here; they are the results of hours of tests on various combinations of configurations.

My network settings

  1. One external IP address directly connected to the outside world.
  2. One physical network card.
  3. MS Loopback network card (installed under Windows to function as the Bridged Network interface).

Network properties in the host machine

Instead of keeping just the Bridge Protocol of vmware and the Bridged Networking Driver of virtualbox, I ticked two additional protocols:

  1. Link-layer Topology Discovery Mapper I/O Driver
  2. Link-layer Topology Discovery Responder

In particular, Link-layer Topology Discovery Responder is essential for connecting to the wireless network. When it is unticked, the WAN interface under ipcop or pfsense finds it very difficult to connect to the wireless router. As a result, the network properties for the physical network interface on the Windows host machine look as follows:

Keep both the bridge protocols and the Link-layer protocols in the host machine

Network configuration under virtualbox

  1. The most important thing is the network configuration under virtualbox. Both adapter 1 and adapter 2 need to be attached to Bridged Adapter (see attached pictures).
  2. I did limited tests and it appeared that selecting the Host-only adapter can also work, since the “VirtualBox Host-Only Network” can still function as a bridge.
  3. To easily identify which NIC is designated to WAN or LAN, click on Advanced and manually edit the automatically generated MAC address to something you can identify. I changed the last two digits of the WAN MAC address into something like 080027276FAA and the last two digits of the LAN MAC address into something like 080027698CBB.
virtualbox network configuration for ipcop, pfsense adapter 1
virtualbox network configuration for ipcop, pfsense adapter 2. For adapter 2, selecting host-only network should also work, but I am not so sure if port forwarding will be affected or not.

Do you need to set up VLAN under t1n1 and pfsense?

No. If you use a bridged network, there is no need to set up VLAN.

If you choose to attach the network adapter to Internal Network, you may need to set up VLAN for the LAN to access the Internet; however, I didn’t test it. I am not so sure if you can even choose Internal Network when you want the host Windows machine to access the Internet.

Pfsense

I experienced several problems with pfsense and I don’t recommend using it with virtualbox or vmware if your sole purpose is protecting your Windows PC with a firewall.

  1. Time drifts under vmware. pfsense experienced serious time drift under vmware workstation 9.0; I simply couldn’t get accurate time for pfsense under vmware. There are no time-drift problems with virtualbox and pfsense.
  2. Port forwarding does not work. After numerous attempts, I still can’t reliably forward ports to bittorrent clients running on the Windows host machine. I set up both NAT and firewall rules, and set the log to record hits on the rules; however, it either turns up a few hits or no hits at all — even though the bittorrent client is working heavily with multiple downloads. Port forwarding works well under t1n1wall and ipcop, and the firewall log shows the hit records with no problems.
  3. Overkill for the purpose. I run a single Windows PC as a host and I don’t need all the bells and whistles of pfsense, which has numerous configurations and settings I will never use.

ipcop vs ipfire

  1. Ipcop is simple and elegant. Its settings are easy to understand and intuitive. Just works and serves the purpose as a firewall very well.
  2. Ipfire has many features and packages. It appears to use many more resources in my limited tests.

t1n1wall and smallwall

  1. t1n1 is simple to use and port forwarding for bittorrent clients works well. Its development is more recent than smallwall.
  2. smallwall should work almost identically with t1n1wall, and I chose t1n1wall simply because its releases are newer.

vmware and its network configuration

  1. For the LAN interface, I created vmnet2 and designated it as a host-only network. There were no problems installing ipcop on it, although I haven’t tested port forwarding heavily on it.
  2. You can also install the MS Loopback NIC, create a new vmnet interface and designate it as a bridged network.
  3. In virtual machine settings, in the Network Adapter section, click on Advanced, and modify its MAC address so that you will know which interface is assigned to WAN or LAN in the firewall.

Acknowledgements

These two resources provide very useful information for sett

  1. http://www.dowdandassociates.com/blog/content/howto-software-routers-on-virtual-machines/
  2. http://timita.org/wordpress/2011/07/31/protect-windows-with-pfsense-and-virtualbox-part-3-installing-virtualbox-and-creating-a-new-vm-for-pfsense/

AxCrypt is evil and it installs heinous Adware on your computer. Avoid at all costs!

AxCrypt is a nightmare for my computer. It downloaded many exe files and installed Conduit Adware across the system. My Firefox start pages were deleted and the homepage was changed to http://search.conduit.com. An ugly and intrusive toolbar was also installed on Internet Explorer (IE).

A VirusTotal scan report shows that AxCrypt is infected with OpenCandy Adware. Actually it is worse than normal Adware because it is so pervasive and intrusive — most important of all, no user consent was acquired before this heinous AxCrypt infected the system with Trojan-like malicious applications: a Malwarebytes scan reports that about 140 folders, files and registry keys are infected with Conduit malware. Please avoid using AxCrypt at all costs. You have been warned.

To the developers of AxCrypt: shame on you!

Setting up eGPU for Thinking X220

After my X220 arrived at my place through numerous troubles, I still haven’t found time to reinstall its system and use it heavily. But I have time to waste elsewhere: several hours spent investigating how to make an eGPU (external Graphics Processing Unit) work with the X220.

Here are my findings. It is totally workable for the X220 and does not require too many skills to set up. You only need the right hardware and software.

Hardware:

  • Graphics card: Zotac Geforce GTX560 Ti 1GB GDDR5. An nVidia card is preferred to an ATI one.
  • Interface: PE4L (PCIe Adapter ver2.1b) connects the graphics card and the ExpressCard slot. PE4L 2.1b is capable of transferring 5Gb of data. This is a good match for the X220, which has the Sandy Bridge platform and ExpressCard version 2.0.
  • Power supply: Corsair CX430
  • Cables that connect the graphics card to the monitor (maybe I will just use the default DVI cable; not sure if this affects performance)

With this gear, the bandwidth is x1.2Opt, which means x1 lane with interface version 2.0, and nVidia Optimus helps compress the data. This is supposed to perform significantly better than x1.1Opt. This information can be found in the “Bus Interface” section of GPU-Z.

Software:

  • New BIOS 1.23 or above for the X220
  • nVidia Optimus driver for displaying the image on the internal LCD
  • No need to restart the system if using Windows 7

I am no longer a gaming person and the only game I can think of playing is Need for Speed. If I can get the papers done, I will implement it, hook it to my TV and play.

The benchmark results of this configuration should be similar to this:

Set-Up: X220 i5 2520m, 8 GB RAM, GTX 560 Ti 448 Cores, PE4L v2.1b

3D Mark 2006: 17.879
Resident Evil: 143,6

3D Mark Vantage GPU: 17.973
Devil May Cry: 181,4

3D Mark 2011: 4.560
Heaven: 1306


Installing Win7 Thin PC on HP Dv2000t

Update:

1. The sound does not work well on the HP Dv2000t with Win 7 Thin PC.

Even if I mute the system sound, individual programs still make sound and cannot be muted. Sometimes the whole system is muted even when I enable sound, and a reboot is needed for the sound to come back.

2. The good thing about Thin PC is that it does not BSOD as Win XP usually did on my laptop.


I installed Win 7 Thin PC on my five-year-old HP dv2000t. The installation process was straightforward. Here is some information you might find useful if you plan to install this stripped-down version of Win7.

1. Use diskgenius to partition and align the SSD. I didn’t realize diskgenius can easily align partitions to the new 4K sector size, and I wasted too much time finding the right partition tool.

2. Then use wintoflash to transfer the ISO image of Thin PC onto a USB thumb stick and boot from it. The system will restart twice before the installation is finished, and a little patience is required when the installation process seems frozen.

3. The display of Chinese fonts is not so good, and some tuning such as ClearType is needed for a better display. Installing popular Chinese fonts is also recommended.

4. The Chinese input method is working and the interface as well as the locale can be changed to suit the Chinese language environment. In this respect, it feels like using Linux in a simple way, because I do the same thing under Linux.

5. To run cmd.exe as an administrator, find the file first, then right-click and select ‘run as administrator’. You need admin privileges to run activation commands.

Like any new version of an MS OS, the system feels slower and uses more resources. I am thinking of going back to XP. Thin PC and probably Win7 look better, but do not necessarily work better than XP.

Then why did I install Thin PC in the first place? Because I have a 40G SSD drive and Win7 or Thin PC is optimized for SSDs. Also, Thin PC uses less space than Win7, which has many extra features I do not need.

For now, I will stick to this Thin PC system for a while and may eventually return to a self-customized version of XP.

Three ways to use Twitter on Symbian phones

I am no twitter fan, but as G.F*W gets so omnipotent, I guess I should dig a tiny hole in it by using twitter anyway.

After a few days of searching, I found the following ways to access twitter on my Nokia Symbian phone.

  1. The easiest way is to visit http://wkg.me and input your twitter account information. After that, you will have a quite intuitive interface for your normal tweets.
  2. Use http://twittermail.com to register your twitter account. After that, you can send a tweet to your secret email address suffixed with @twittermail.com. But users from China need to climb over the G.F*W to visit the twittermail site.
  3. Install the application Mobitile on the phone and send tweets from it. I put it at the bottom of the list because I don’t like its ads and keyboard operations — especially its slow Flash interface.

You can find more mobile phone applications for twitter at Twitter Fan Wiki.

Update: I found Snaptu quite handy when it comes to serving as a mobile phone feed center. Using twitter on Snaptu is hassle free and I enjoy using its News&Blogs app. Also, since Twitter is so open to third-party APIs, it is impossible to gfw it.

How to bypass firewalls under Firefox

I previously used the QuickProxy addon for Firefox but found that it failed to load Youtube for me. Today I changed my proxifier to FoxyProxy and it solved all my problems. Here is a brief tutorial on how to use it under Firefox.

After installing it, you need to add a proxy server. Here I conveniently named the profile ‘Beyond the Wall’.

The next step is putting in the address of the proxy server. I use an ssh tunnel between localhost and the remote host, so the address here is 127.0.0.1 and the port I designated under putty is 9000. Be sure to select “SOCKS proxy?”, otherwise the page won’t load.

I don’t want to use this tunnel for all sites, so I need to tell FoxyProxy to only proxify the sites I want. Still in the new proxy server interface, add the patterns for the sites to visit.

I don’t know if this configuration is totally secure and anonymous or not. If you know better ways to use an ssh tunnel with Firefox, tell me.

Running Hiren’s BootCD from hard drive

Update: Running Hiren’s BootCD from hard drive has become much simpler in its recent releases (at least version 10.0 and above). Please use the following method instead to boot it from your hard drive:

  1. make sure the partition is FAT32, not NTFS (let’s assume it’s C: from this point on)
  2. in the HBCD directory of the ISO image, find the two files menu.lst and grldr, and copy them to C:
  3. copy the entire directory HBCD to C:
  4. download grub4dos and extract grub.exe to C:
  5. modify the boot.ini file for XP, and add C:\GRLDR="Hiren" to it

Now reboot the system and choose Hiren in the menu. You are good to go. As a side note, Hiren should include NTFS support in the boot.gz image. If you feel adventurous, you can try to do it yourself, thus enabling booting Hiren from an NTFS partition.

The following is the old method; use it only for old versions of Hiren’s BootCD.

Hiren’s BootCD easily ranks among the best boot CDs and system maintenance tools. I have configured it to run both from my USB stick and directly from the hard disk. Here is how to boot Hiren’s BootCD from the hard disk using grub for DOS (grub4dos).

    1. The first step is getting grub4dos and extracting GRLDR, grub.exe and MENU.lst to the root directory of C:
    2. Open the ISO file of Hiren’s BootCD using Daemon Tools or Winimage and extract the directory HBCD to the root directory of C:
    3. Edit MENU.lst and put the following code into it:

timeout 30
default 0

title Start Hiren's BootCD
find --set-root /HBCD/boot.gz
map --mem /HBCD/boot.gz (fd0)
map --hook
chainloader (fd0)+1
rootnoverify (fd0)
map --floppies=1
boot

    4. Edit the boot.ini file under C: and put the following line into it. This will make Windows load grub4dos, and then grub4dos will load Hiren’s boot file to boot it.

C:\GRLDR="Hiren"

    5. You can also boot the mini WinXP in the HBCD directory by adding the following code to the MENU.lst file.

title Mini Windows Xp
find --set-root /HBCD/XPLOADER.BIN
chainloader /HBCD/XPLOADER.BIN

After the modifications, reboot the system to use your Hiren’s BootCD from the hard disk. Because the boot.gz under HBCD does not come with NTFS drivers, this method only works when C: is in FAT32 format.

Prevent Directory Listing in Lighttpd

How do you prevent files under wp-content/uploads from being listed in the browser? It is actually a one-liner under Lighttpd (lighty).

Edit /etc/lighttpd/lighttpd.conf and change server.dir-listing to "disable":

 server.dir-listing          = "disable"

If you choose to enable directory listing, you can set the encoding of the file names to be displayed:

 dir-listing.encoding        = "utf-8"

There are wonderful resources about lighty in the following two sites: Flexion.Org and Calomel.org

Debian Squeeze minor tweaks

Yes, I upgraded from Debian Lenny to Squeeze because I needed ibus to replace scim as my default Chinese input program. So far the experience with ibus is good, but the same is only half-true for Squeeze. I spent quite some time making Squeeze more comfortable to use.

Touchpad tapping and scrolling

I needed to create an options file under /etc/modprobe.d to enable tapping and scrolling. Just create a file with any name under modprobe.d and put the following line into it:

options psmouse proto=imps

Undervolting core2duo CPU

Under Windows you have a convenient way to undervolt the CPU with rmclock to reduce the heat generated by CPU operations. Linux has an equivalent method that is only a little harder: Linux PHC. To implement it as quickly as you can, the following steps are involved:

  1. Compile and install it. This is fairly easy: you just need the kernel headers and build essentials (gcc, libc, make, etc.). You do not need the kernel source to compile this kernel module.
  2. Find the workable voltage for your CPU. You can use rmclock in Windows to select the voltage and write down the number, or search the Internet for the undervolting limit of your CPU.
  3. Use PHCTool (old version) to convert the voltage into VIDs (voltage IDs) for Linux PHC.

PHCTool

The voltages for my T7200 translate into these four PHC VIDs: 24 23 19 19. To pass these values, I edited /etc/init.d/rc.local and put the following two lines at the bottom of that file. Since I have two CPU cores, two lines are needed:

echo "24 23 19 19" > /sys/devices/system/cpu/cpu0/cpufreq/phc_vids
echo "24 23 19 19" > /sys/devices/system/cpu/cpu1/cpufreq/phc_vids
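The voltage-to-VID step and the per-core echo lines above, as an added example that is not from the original post and not code from the linux-PHC or PHCTool projects. It assumes the Core 2 (Merom/Penryn) VID scale mV = 712.5 + 12.5 × VID, under which VID 24 is 1012.5 mV and VID 19 is 950 mV; compare the VIDs PHCTool gives you against this before writing anything to sysfs. The writer loops over every core that exposes phc_vids instead of hard-coding cpu0 and cpu1, and does nothing on a kernel without the PHC module.

```python
"""Turn Core 2 undervolt targets (mV) into linux-PHC VIDs and write them.

Added example; not from the original post, linux-PHC or PHCTool.
Assumption: the Core 2 (Merom/Penryn) VID scale
    mV = 712.5 + 12.5 * VID
so VID 24 = 1012.5 mV and VID 19 = 950 mV.
"""
import math
from pathlib import Path
from typing import Iterable, List

VID_BASE_MV = 712.5   # voltage at VID 0 (assumed Core 2 scale)
VID_STEP_MV = 12.5    # voltage per VID step


def vid_to_mv(vid: int) -> float:
    """Voltage the CPU will get for a given VID."""
    return VID_BASE_MV + VID_STEP_MV * vid


def mv_to_vid(mv: float) -> int:
    """Smallest VID whose voltage is at least `mv`.

    Rounding up means a target between two steps errs on the side of
    slightly more voltage, i.e. towards stability rather than a crash.
    """
    if mv < VID_BASE_MV:
        raise ValueError(f"{mv} mV is below the VID 0 floor of {VID_BASE_MV} mV")
    return math.ceil((mv - VID_BASE_MV) / VID_STEP_MV)


def vids_string(target_mv: Iterable[float]) -> str:
    """Build the space-separated list phc_vids expects.

    One entry per frequency step, highest frequency first (the order PHC
    reports in phc_vids).  A lower frequency must never need more voltage
    than a higher one, so the list has to be non-increasing.
    """
    vids = [mv_to_vid(mv) for mv in target_mv]
    if vids != sorted(vids, reverse=True):
        raise ValueError(f"VIDs must not rise as frequency falls: {vids}")
    return " ".join(str(v) for v in vids)


def write_phc_vids(vids: str,
                   sysfs_root: Path = Path("/sys/devices/system/cpu")) -> List[Path]:
    """Write `vids` to every cpuN/cpufreq/phc_vids below sysfs_root (needs root).

    Replaces the per-core echo lines: every core that exposes phc_vids is
    handled, and on a kernel without the PHC module nothing is written.
    """
    written = []
    for node in sorted(sysfs_root.glob("cpu[0-9]*/cpufreq/phc_vids")):
        node.write_text(vids + "\n")
        written.append(node)
    return written


if __name__ == "__main__":
    # The post's T7200 settings expressed as voltages: 1012.5, 1000, 950, 950 mV
    line = vids_string([1012.5, 1000.0, 950.0, 950.0])   # -> "24 23 19 19"
    print(line)
    for node in write_phc_vids(line):
        print("wrote", node)
```

Run it as root from rc.local in place of the two echo lines; a wrong (too low) VID still makes the machine crash, so test each value under load before making it permanent.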

Underclocking Nvidia Geforce Go 7200

I had little luck underclocking the Geforce Go 7200 on my HP DV2000t laptop. By the way, this laptop is very hot and noisy so I don’t think I am gonna buy an HP lappy again. I basically followed the instructions by Artem and ended up putting the following lines into my /etc/X11/xorg.conf, but I am not sure if it worked or not. Maybe I should change the driver and try again?

Section "Device"
    Identifier     "NVIDIA GeForce"
    Driver         "nvidia"
    Option         "RegistryDwords" "PowerMizerEnable=0x1; PerfLevelSrc=0x3333; PowerMizerDefault=0x3; PowerMizerDefaultAC=0x3"
    VendorName     "NVIDIA Corporation"
EndSection

ibus input method

ibus works great under Debian Squeeze. Just remember to run ibus-setup first and enable the pinyin input method for ibus to handle.

Disabling auto-starting services

Bum (Boot-up Manager) is a great tool to view the system services and disable them. It is better than rcconf and sysv-rc-conf.

bum

Capturing screen

The screenshot was taken by shutter under gnome. shutter is quite powerful and its plugins can perform almost everything you want in a screen capturer. But it’s still a diamond in the rough, because I struggled a little bit trying to find the resize function in this program. It turned out that resizing is supported by a plugin and hides under the ‘screenshot’ menu. The screenshot of bum above is a work of art by shutter.

Convert mp3 tags into UTF-8

Install the python-mutagen package first and then run this command in the directory of the mp3 files (the semicolon that ends the -execdir command must be escaped from the shell):

find . -iname "*.mp3" -execdir mid3iconv -e GBK {} \;

The Java-based program ID3iconv is also known to perform the same task.
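What mid3iconv -e GBK actually does to each text frame, as an added example that is not from the original post or the mutagen project: the tags were written as raw GBK bytes into ID3 frames whose encoding byte claims Latin-1, so players map each byte to one Latin-1 code point and show mojibake. The fix is to map the code points back to bytes and decode them as GBK. The function below works on plain strings so it runs without mutagen or any mp3 files; the sample tags are constructed.

```python
"""Re-decode ID3 tag text that was stored as GBK bytes but read as Latin-1.

Added example, not from the original post or from mutagen: reproduces the
transcoding step of `mid3iconv -e GBK` on plain strings.  Sample tags are
constructed, not taken from real files.
"""


def fix_mojibake(text: str, source_encoding: str = "gbk") -> str:
    """Undo a Latin-1 misread of text that was really in `source_encoding`.

    Returns the input unchanged when it cannot be such a misread: either it
    already holds code points above U+00FF (never produced by a Latin-1
    decode) or its bytes are not valid GBK.  Note the residual risk: some
    genuine Latin-1 strings happen to be valid GBK byte sequences too, so
    only run this over collections you know were tagged with GBK.
    """
    try:
        raw = text.encode("latin-1")
    except UnicodeEncodeError:
        return text            # already proper Unicode text, leave it alone
    try:
        return raw.decode(source_encoding)
    except UnicodeDecodeError:
        return text            # not GBK (e.g. a real Latin-1 title), keep as-is


def convert_tags(tags: dict, source_encoding: str = "gbk") -> dict:
    """Apply fix_mojibake to every text field of one file's tag dictionary."""
    return {field: fix_mojibake(value, source_encoding) for field, value in tags.items()}


# Constructed sample: what a player shows when GBK bytes are read as Latin-1.
MOJIBAKE_TAGS = {
    "title": "音乐".encode("gbk").decode("latin-1"),
    "artist": "歌手".encode("gbk").decode("latin-1"),
    "album": "Greatest Hits",   # plain ASCII is identical in both encodings
}

if __name__ == "__main__":
    for field, value in convert_tags(MOJIBAKE_TAGS).items():
        print(f"{field}: {value}")
```

The same two-step re-decode is what you would wrap around mutagen's frame text when scripting the conversion yourself; keep a backup of the files first, since a tag that was genuinely Latin-1 but happens to be valid GBK will be silently rewritten.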

Some say that setting an environment variable in /etc/X11/Xsession.d/95setenv like this saves the hassle of running the tag conversion whenever you add new music (the file is sourced by Xsession, so the variable has to be exported to reach the player):

 echo "export GST_ID3_TAG_ENCODING=GBK" > /etc/X11/Xsession.d/95setenv

Right now I am using Exaile as the music player. Too bad it does not allow me to sort music by directory like foobar in Windows.

More to come about the movie/music player and other cool stuff under Linux.