1000umbrellas.com

Michael Descy's Personal Website

Browsing Posts tagged apps

When I was in high school, we used to play a simple but addictive shareware game called Scorched Earth, a turn-based artillery game. It involved tanks shooting at each other with crazy weapons, fun upgrades, very basic controls, and a little dumb humor. I was delighted to find out that there is a version of it on the Android platform, called Barrage. I think it captures the essence of the original game perfectly, and is easy to pick up and play on your phone. It’s a lot of fun, especially if you’re a nostalgic gamer.

Barrage Lite

Barrage Lite is free and includes the entire game. You can purchase the paid version to add more weapons, remove the unobtrusive ads from certain non-gameplay screens, and save your high scores and publish them for all players to see. Sadly, there is no online play, though that would be awesome. Still, it’s very good, and I heartily recommend it if you played the original in the DOS days!

The most popular post on my blog is how to set up the Ubuntu Server firewall via ufw, the Uncomplicated Firewall. I recommend UFW for any standard server, but you might want to move to something more advanced to expand your firewall knowledge, to set up a network gateway, router, or firewall, or to conform with other systems on your network. If UFW is for beginners, then Firehol is for intermediate sysadmins, or those wishing to run proxy servers and the like.

Before I started using ufw, I used to use Firehol to set up the iptables firewall. Firehol does the same thing that UFW does, and a lot more, but in a completely different way. That’s because Firehol is not just a script, but a language for defining firewalls. You write your rules in a configuration file, and Firehol converts them into iptables commands and issues them at boot time or on demand. It can only create “drop/reject everything, allow explicitly” type firewalls, but luckily, that’s the most appropriate type of firewall to create most of the time.

Firehol is useful not only for standard file and web servers, but also for routers and gateways, and can set up rules for transparent proxies, NAT, and so on. Home users such as myself have a hardware router for that, and only need to set up firewalls on home servers as a defense-in-depth measure.

I think that Firehol is more flexible than ufw, and implements advanced features such as transparent proxies better than ufw can, but it is somewhat to considerably harder to set up. This tutorial covers how you would lock down a simple home server that you wish to access via the Internet, but not leave completely open to the outside world.

Installation

Install the firehol package.

$ sudo apt-get install firehol

Enabling Firehol to Start on Boot

Firehol must be enabled before the rules you define will go into effect. To enable it, you must edit a configuration file.

$ sudo nano /etc/default/firehol

The file will look like this after a clean install:

#To enable firehol at startup set START_FIREHOL=YES
START_FIREHOL=NO
#If you want to have firehol wait for an iface to be up add it here
WAIT_FOR_IFACE=""

Simply change the second line to

START_FIREHOL=YES

and save the file. That will enable the firewall upon reboot. What that means is that, at boot, Firehol runs its bash script, generates iptables rules from your configuration, loads them into the kernel, and exits. Firehol does not run continuously as a service; the rules stay in effect because iptables, not Firehol, enforces them.

If you wish to disable the firewall, be sure to edit this file again, and reset the START_FIREHOL variable to NO.

Configuring the Firewall Rules

The configuration file containing the firewall rules is /etc/firehol/firehol.conf. This is what the default configuration file looks like. It sets your server to block everything coming in and accept everything going out.

#
# $Id: client-all.conf,v 1.2 2002/12/31 15:44:34 ktsaou Exp $
#
# This configuration file will allow all requests originating from the
# local machine to be send through all network interfaces.
#
# No requests are allowed to come from the network. The host will be
# completely stealthed! It will not respond to anything, and it will
# not be pingable, although it will be able to originate anything
# (even pings to other hosts).
#

version 5

# Accept all client traffic on any interface
interface any world
client all accept

You could edit this file and specify your own services, or you could auto-generate a configuration file. I will walk you through auto-generating a configuration file in the next section.

Bear in mind, though, that a fully-working firewall can be made with a configuration file as simple as this:

#!/sbin/firehol
version 5
interface any world
protection strong
server "ssh http samba webmin" accept
client all accept

If you are only running standard services, it’s best to edit the file manually. If you have custom services, or are curious about Firehol’s abilities, read on.

Auto-generating a Configuration File

Firehol can automatically generate a configuration file to get you started. The firehol helpme command identifies any services listening on your server and builds a configuration file that allows all traffic to them and blocks everything else. After the file is generated, you are expected to review and modify it, to ensure the rules are correct, prior to activating the firewall.

First, use the firehol helpme command to generate a configuration file and put it into the /tmp folder.

$ sudo firehol helpme > /tmp/firehol.conf

Then, review the automatically generated configuration file.

$ nano /tmp/firehol.conf

The automatically generated configuration file is pretty verbose. This is what mine looks like, for a server that runs SSH, Samba, Transmission, Dropbox, and Lighttpd web server (it could be Apache or any other web server, really).

Note that there are two interfaces set up: one for my LAN (10.0.0.0/24) and one for the Internet (i.e., anything outside my router’s subnet). When I reviewed it, I noticed that the peer ports for my transmission-daemon service were not all mapped, just the one currently in use. Therefore, you definitely have to tweak this file to suit your needs.

#!/sbin/firehol
# : firehol.sh,v 1.273 2008/07/31 00:46:41 ktsaou Exp $
#
# This config will have the same effect as NO PROTECTION!
# Everything that found to be running, is allowed.
# YOU SHOULD NEVER USE THIS CONFIG AS-IS.
#
# Date: Fri May 14 10:43:37 EDT 2010 on host thor
#
# IMPORTANT:
# The TODOs bellow, are *YOUR* to-dos!
#

# INFO: Processing interface 'eth0'
# INFO: Processing IP 10.0.0.3 of interface 'eth0'
# INFO: Is 10.0.0.3 part of network 10.0.0.0/24? yes

# Interface No 1.
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 10.0.0.3 (net: "10.0.0.0/24").
# TODO: Change "interface1" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 10.0.0.3' if this is dynamically assigned.
interface eth0 interface1 src "10.0.0.0/24" dst 10.0.0.3

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net "10.0.0.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
client dhcp accept
server http accept
server ICMP accept
server ms_ds accept
server ntp accept
server samba accept
server ssh accept
server webmin accept

# The following eth0 services are not known by FireHOL:
# tcp/17500 tcp/20550 tcp/9091 udp/10000 udp/17500 udp/20550

# Custom service definitions for the above unknown services.
server custom if1_tcp_17500 tcp/17500 any accept
server custom if1_tcp_20550 tcp/20550 any accept
server custom if1_tcp_9091 tcp/9091 any accept
server custom if1_udp_10000 udp/10000 any accept
server custom if1_udp_17500 udp/17500 any accept
server custom if1_udp_20550 udp/20550 any accept

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
#       client services you really need.
client all accept

# INFO: Is 10.0.0.1  part of network 10.0.0.0/24? yes
# INFO: Default gateway 10.0.0.1  is part of network 10.0.0.0/24

# Interface No 2.
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 10.0.0.1 .
# TODO: Change "interface2" to something with meaning to you.
# TODO: Check the optional rule parameters (src/dst).
# TODO: Remove 'dst 10.0.0.3' if this is dynamically assigned.
interface eth0 interface2 src not "${UNROUTABLE_IPS} 10.0.0.0/24" dst 10.0.0.3

# The default policy is DROP. You can be more polite with REJECT.
# Prefer to be polite on your own clients to prevent timeouts.
policy drop

# If you don't trust the clients behind eth0 (net not "${UNROUTABLE_IPS} 10.0.0.0/24"),
# add something like this.
# > protection strong

# Here are the services listening on eth0.
# TODO: Normally, you will have to remove those not needed.
client dhcp accept
server http accept
server ICMP accept
server ms_ds accept
server ntp accept
server samba accept
server ssh accept
server webmin accept

# The following eth0 services are not known by FireHOL:
# tcp/17500 tcp/20550 tcp/9091 udp/10000 udp/17500 udp/20550

# Custom service definitions for the above unknown services.
server custom if2_tcp_17500 tcp/17500 any accept
server custom if2_tcp_20550 tcp/20550 any accept
server custom if2_tcp_9091 tcp/9091 any accept
server custom if2_udp_10000 udp/10000 any accept
server custom if2_udp_17500 udp/17500 any accept
server custom if2_udp_20550 udp/20550 any accept

# The following means that this machine can REQUEST anything via eth0.
# TODO: On production servers, avoid this and allow only the
#       client services you really need.
client all accept

# INFO: Processing interface 'wlan0'

# IMPORTANT:
# Ignoring interface 'wlan0' because does not have an IP or route.

# The above 2 interfaces were found active at this moment.
# Add more interfaces that can potentially be activated in the future.
# FireHOL will not complain if you setup a firewall on an interface that is
# not active when you activate the firewall.
# If you don't setup an interface, FireHOL will drop all traffic from or to
# this interface, if and when it becomes available.
# Also, if an interface name dynamically changes (i.e. ppp0 may become ppp1)
# you can use the plus (+) character to match all of them (i.e. ppp+).

# No router statements have been produced, because your server
# is not configured for forwarding traffic.

Customizing the Configuration File

The auto-generated configuration file lists “TODO” items for you to do as you review the file. You can rename the interfaces to something meaningful, such as “lan” and “internet”. You can remove any of the named or unnamed (“custom”) services that it includes rules for. A few more of the rules that Firehol generated for my server bear some explanation:

  • UDP/17500 is used by the Dropbox service to identify other Dropbox clients on the LAN. This rule has to stay if you want Dropbox’s LAN sync to keep working.
  • TCP and UDP/20550 is the one transmission-daemon peer port that happened to be in use when I ran helpme. This I actually have to change, because I have a whole port range (20500 to 20599) open for the peers.
  • UDP/10000 can be removed, because webmin runs on TCP/10000.

Server vs. Client Rules

Firehol considers all incoming requests “server” requests and all outgoing requests “client” requests. You might see client all accept in a configuration file. That means the machine may make outgoing requests to any service. If you only want certain outgoing services to be allowed, you can specify them much like server services are specified (the action keyword is accept, just as it is for server rules):

client http accept

Setting up Custom Services

To clean up custom services—for Transmission or Dropbox in this case—you can either give them names and define them inline…

server custom transmission-daemon tcp/9091 any accept
server custom dropbox-lan-peers udp/17500 any accept
server custom transmission-peers "tcp/20500:20599 udp/20500:20599" any accept

…or define them at the top of the script as variables…

# Transmission front-end
server_txf_ports="tcp/9091"
client_txf_ports="default"

# Transmission peers
server_txp_ports="tcp/20500:20599 udp/20500:20599"
client_txp_ports="default"

# Dropbox-related LAN functions
server_dpbx_ports="udp/17500"
client_dpbx_ports="default"

…and then invoke them very simply:

# custom services
server txf accept
server txp accept
server dpbx accept

To specify a port range, use a colon instead of a dash to indicate “through.” To specify both TCP and UDP ports, use a space-delimited list enclosed in quotation marks.

Different Rules for LAN vs. Internet

If you run Samba for file sharing, you’ll want to allow your LAN users to use Samba file shares, and block Internet users from doing so. (It’s true that the Samba ports should also be blocked on your router/gateway, if you have one, but bear with me.) To do so, you’ll want to include rules to allow Samba on your LAN interface (interface1 in the automatically-generated file above), and not include those Samba-related rules in the Internet interface (interface2, above). You might wish to remove webmin and other services from the Internet-side, too. I do both in my configuration file, which is reproduced below.

My Configuration File

Here is my configuration file. It implements kinder rules for the LAN and stricter rules for the Internet. One thing to check for yourself: a server line on the Internet side means the service answers requests from anyone, so keep server ntp accept there only if you mean to serve time to the Internet; a host that merely syncs its own clock needs only client ntp accept.

#!/sbin/firehol
version 5

# -----------------------------------------------
# Set up custom services
# -----------------------------------------------

# Transmission front-end
server_txf_ports="tcp/9091"
client_txf_ports="default"

# Transmission peers
server_txp_ports="tcp/20500:20599 udp/20500:20599"
client_txp_ports="default"

# Dropbox-related LAN functions
server_dpbx_ports="udp/17500"
client_dpbx_ports="default"

# -----------------------------------------------
# Set up interfaces
# -----------------------------------------------

# LAN Interface
# The purpose of this interface is to control the traffic
# on the eth0 interface with IP 10.0.0.3 (net: "10.0.0.0/24").
interface eth0 lan src "10.0.0.0/24" dst 10.0.0.3

	# policies
	policy reject

	# standard services
	# as helpme generated it: this host requests DHCP, it does not serve it
	client dhcp accept
	server http accept
	server ICMP accept
	server ms_ds accept
	server ntp accept
	server samba accept
	server ssh accept
	server webmin accept

	# custom services
	server txf accept
	server txp accept
	server dpbx accept

	# client section
	client all accept

# Internet Interface
# The purpose of this interface is to control the traffic
# from/to unknown networks behind the default gateway 10.0.0.1.
interface eth0 internet src not "${UNROUTABLE_IPS} 10.0.0.0/24" dst 10.0.0.3

	# policies
	policy drop
	protection strong

	# Here are the services listening on eth0.
	# TODO: Normally, you will have to remove those not needed.
	server http accept
	server ICMP accept
	server ntp accept
	server ssh accept

	# custom services
	server txf accept
	server txp accept

	# client section
	client http accept
	client https accept
	client ICMP accept
	client ntp accept
	client ssh accept
	client txp accept
	client txf accept

Note that I have cleaned it up considerably and defined custom services at the top of the file. This is not the most condensed configuration file I could make, but it is easy to understand.
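Before committing a file like this, the check I always want is: what exactly did I expose on the Internet side, and what is LAN-only? The script below, an added example that is not part of FireHOL or of the configuration above, answers that by walking a version 5 configuration file. It resolves custom services defined as server_NAME_ports variables (as in the “Setting up Custom Services” section), understands the quoted-list and server custom forms, and lists the server … accept lines under a named interface block. The function names, and the trimmed copy of the configuration above that write_sample_config embeds for the demonstration, are mine.

```sh
#!/bin/sh
# firehol-exposure.sh: list what a FireHOL "version 5" configuration accepts
# from each network. Added example for this page; not part of FireHOL.
# Handles interface blocks, plain and quoted service lists, inline
# `server custom NAME PORTS ...` lines and server_NAME_ports="..." variables.

# exposed_services CONFIG IFNAME
# One inbound service per line for the interface block named IFNAME, with the
# port list in parentheses for custom services. Only `server ... accept`
# lines count; client lines, policies and router blocks are ignored.
exposed_services() {
    awk -v want="$2" '
        # server_txp_ports="tcp/20500:20599 udp/20500:20599"  ->  custom["txp"]
        $0 ~ /^[ \t]*server_[A-Za-z0-9_]*_ports="/ {
            line = $0
            name = substr(line, index(line, "server_") + 7)
            name = substr(name, 1, index(name, "_ports=") - 1)
            rest = substr(line, index(line, "\"") + 1)
            custom[name] = substr(rest, 1, index(rest, "\"") - 1)
            next
        }
        # "interface eth0 lan ..." opens the block named by its third word;
        # a router block is not an interface, so it closes the current one
        $1 == "interface" { iface = $3; next }
        $1 == "router"    { iface = ""; next }
        $1 == "server" && iface == want {
            # the action is the first action keyword after the service names;
            # optional rule parameters (src, dst, ...) may follow it
            act = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^(accept|reject|drop|return)$/) { act = $i; last = i; break }
            if (act != "accept") next
            if ($2 == "custom") {
                # inline form: server custom NAME PORTS CLIENT-PORTS accept
                ports = $4
                if (index($0, "\"") > 0) { rest = substr($0, index($0, "\"") + 1); ports = substr(rest, 1, index(rest, "\"") - 1) }
                printf "%s (%s)\n", $3, ports
                next
            }
            # plain or quoted list: server "ssh http" accept
            n = 0
            for (i = 2; i < last; i++) {
                s = $i; gsub(/"/, "", s)
                if (s != "") svcs[++n] = s
            }
            for (i = 1; i <= n; i++) {
                if (svcs[i] in custom) printf "%s (%s)\n", svcs[i], custom[svcs[i]]
                else print svcs[i]
            }
        }
    ' "$1"
}

# lan_only_services CONFIG LAN_IF INET_IF
# Services accepted on LAN_IF but not on INET_IF: what the Internet-side
# block is keeping private (samba, webmin, ...).
lan_only_services() {
    inet=$(mktemp)
    exposed_services "$1" "$3" | cut -d" " -f1 | LC_ALL=C sort -u > "$inet"
    exposed_services "$1" "$2" | cut -d" " -f1 | LC_ALL=C sort -u \
        | grep -vxF -f "$inet" || true
    rm -f "$inet"
}

# write_sample_config FILE: a trimmed copy of the two-interface configuration
# shown above, constructed for the demonstration.
write_sample_config() {
    cat > "$1" <<'EOF'
#!/sbin/firehol
version 5
server_txf_ports="tcp/9091"
server_txp_ports="tcp/20500:20599 udp/20500:20599"
server_dpbx_ports="udp/17500"

interface eth0 lan src "10.0.0.0/24" dst 10.0.0.3
    policy reject
    client dhcp accept
    server http accept
    server ICMP accept
    server ms_ds accept
    server ntp accept
    server samba accept
    server ssh accept
    server webmin accept
    server txf accept
    server txp accept
    server dpbx accept
    client all accept

interface eth0 internet src not "${UNROUTABLE_IPS} 10.0.0.0/24" dst 10.0.0.3
    policy drop
    protection strong
    server "http ICMP ntp ssh" accept
    server txf accept
    server txp accept
EOF
}

# Usage: sh firehol-exposure.sh /etc/firehol/firehol.conf internet
if [ $# -ge 2 ]; then
    exposed_services "$1" "$2"
fi
```

Run it against the real file with the interface name you want to audit (sh firehol-exposure.sh /etc/firehol/firehol.conf internet); on the configuration above it prints http, ICMP, ntp, ssh, txf (tcp/9091) and txp (tcp/20500:20599 udp/20500:20599) for the Internet side, and lan_only_services shows dpbx, ms_ds, samba and webmin as the things the LAN block alone accepts. It deliberately only reads the file; it says nothing about what iptables is actually doing, so it complements, rather than replaces, looking at iptables -L -n after the firewall is up.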

Testing Your Configuration File

To test the configuration file you have edited, use the firehol try command, giving it the path to the file (the configuration file comes before the command on the command line; check man firehol for your version’s exact usage).

$ sudo firehol /tmp/firehol.conf try

This parses the file, activates the resulting rules, and then waits for you to type "commit" at a prompt; if you do not (for example, because the new rules cut off your SSH session), it restores the previous firewall after a timeout. That safety net is the reason to use try rather than start on a remote machine. If you only want to see the iptables commands that would be run, without touching the live firewall, use firehol /tmp/firehol.conf debug instead. I recommend that you don't type commit if your configuration file is not in the right place. Let's move the tested, working configuration file there first.

Enabling Your Configuration

Once you have customized and tested your configuration file, copy it to where it belongs.

$ sudo cp /tmp/firehol.conf /etc/firehol/firehol.conf

And then initialize the firewall.

$ sudo /etc/init.d/firehol start

And you're done!

I hate getting up in the morning, and have long had trouble falling asleep at night. These two apps by Mobitobi work together to make it a bit easier.

Gentle Alarm

Thanks to the Motorola Droid’s dock and clock (ahem, “Multimedia Station”) mode, my phone became my alarm clock the day I brought it home. (Of course, due to the insanely bright LED lights on the Droid, I have to shut off the display before turning in for bed! The LEDs Hack doesn’t work for me very well.) Android’s default alarm clock is fine, but I really wanted an alarm that didn’t blast me out of bed in the morning, but started out quietly instead, and gradually increased in volume until it woke me up. Luckily, the Gentle Alarm app exists for just this purpose.

Gentle Alarm's Main Screen

Gentle Alarm provides alarms that fade in over a user-definable period, and customizable snooze times, too. It can ring any alarm, audio file, or ringtone on your phone. (The app, and your Android ROM, come with a number of alarm sounds by default.) Gentle Alarm’s defining feature is its “pre-alarm” feature, which tries to take advantage of your sleep cycles to wake you up when you are refreshed. The idea is to ring a very quiet alarm, prior to your normal wake-up time, to rouse you if you are already almost awake. If you are still in a deep sleep, you won’t be able to hear it. (It’s true!) The app helps you calibrate the volume, so the pre-alarm will only wake you up when you are not sleeping deeply, and the main alarm will always ring loud enough (eventually) to rouse you out of bed. I’ve found that the pre-alarm helps me wake up earlier, or at least hit snooze less often, and still refreshed.

Gentle Alarm's Profiles Screen

If you’re worried about replacing Android’s tried and true alarm system with a third-party, and potentially unstable, application, don’t be. Gentle Alarm hooks into Android’s normal alarm routines, so, short of your battery dying, you can be assured that the alarm will ring.

Gentle Alarm's Alarms Screen

It took only one night’s trial for me to fall in love with and purchase the Gentle Alarm app. (The free version only works 6 days per week.)

Sleep Now

Sleep Now is a great app for the power napper or anyone who has trouble getting to sleep at night. It’s a fancy white-noise generator and alarm clock wrapped up into one package. I really like it, because I think it helps me fall asleep faster, and sleep more soundly, than I did without it.

Sleep Now's Main Screen

You set up programs to fall asleep to music or white noise.

  1. Relax to music (whatever is on your phone), white noise, or other sounds included with the app.
  2. Sleep to white noise, other sounds, or silence.
  3. Wake up to a gentle alarm.

Programs can be configured to a fixed sleep timeframe, such as a 20-minute power nap, or to prompt you for a sleep duration when you run them. The alarms are similar to the Gentle Alarm app, but cannot be scheduled to exact times of day, and do not include the pre-alarm function. Like Gentle Alarm, Sleep Now allows you to calibrate your volume.

Sleep Now's Sleep Programs Screen

Two Apps?!

I bought both apps and use them every day. I think that Gentle Alarm could be folded into Sleep Now, because only two features of Gentle Alarm (alarm scheduling and the pre-alarm) are missing from Sleep Now as it is. The developer may do that in the future. Because the apps are not that expensive, I use them every day, and I like to support small developers, I didn’t hesitate to buy both.

Here are instructions on how to overclock your Motorola Droid. I learned how to do this through various forum posts and blog posts, some of which were a confusing mess of information and misinformation. My goal is to summarize what I have learned in one place, to act as a more-or-less definitive guide.

SetCPU

  1. Root your Droid. (Note that I rooted my Droid before 2.1 came out, so I have not followed the instructions that I have linked to, and cannot comment upon them.)
  2. Install ROM Manager from the Android Market. This app, and the ClockworkMod Recovery it comes with, make flashing ROMs a lot simpler than the process used to root your phone.
  3. Flash ClockworkMod Recovery via ROM Manager. (You don’t need the paid version for this tutorial.)
    1. Launch the ROM Manager.
    2. Click the first option: “Flash ClockworkMod Recovery.”
    3. Grant the app root access (and check “Always Allow”) when it asks you.
    4. A popup will ask you to confirm your phone model. Just click on “Motorola Droid (CDMA)”.
    5. This will download and install the ClockworkMod recovery image. Just wait a couple minutes. There’s no need to reboot your phone afterwards.
  4. Install the latest stable CyanogenMod via ROM Manager.
    1. In ROM Manager, click the “Download ROM” option, then click “CyanogenMod”, then click the latest stable release. As of this writing, the latest stable release for the Droid is 5.0.6.2.
    2. A popup will appear. Check the box next to “Google Apps” and click “OK”.
    3. ROM Manager will then download the ROMs for Cyanogen and Google Apps. When the downloads are complete, ROM Manager will alert you for more options prior to installation.
    4. When the downloads are complete, a “ROM Pre-Installation” popup will appear. Check the option to “Backup Existing ROM” just to be safe. If you are doing this for the first time, or are changing themes, check “Wipe Data and Cache”; you may leave it unchecked if you are upgrading to a new version of the same ROM. Click “OK”.
    5. The phone will then reboot into recovery, back up your current ROM to the SD card, install CyanogenMod, and then reboot when it is done. The first boot into the new ROM might take a little longer than normal. Don’t worry.
  5. Set up your phone again.
    1. You will need to sign into Google again and re-download all your apps. (Yes, this is a pain, but you did just reinstall everything on your phone!) You can re-download your apps after overclocking, if you wish. You will not have to pay again for any paid applications you purchased from the Android Market. You will not have problems “reactivating” your phone.
    2. If Google apps, such as Google Maps, are missing, that means that you didn’t check “Google Apps” when you downloaded the ROM. You will have to install Rom Manager and then reinstall CyanogenMod with Google Apps to fix this.
  6. Install the bekit kernel, which allows you to overclock your CPU.
    1. Open ROM Manager.
    2. Click “Download Rom”, then “CyanogenMod”, then “bekit Kernals (0.8.3)”.
    3. Choose your bekit kernel from the popup that appears. I recommend “5 Slot 800MHz 0.8.3 *Low Voltage*” (which I use for this tutorial) or “5 Slot 1.0 GHz 0.8.3 *Low Voltage*”. A “slot” is an operating frequency. 5-slot means that there are 5 speed settings at which you can set your CPU. 7-slot kernels have 2 more speed settings. I don’t see much need to set the CPU to a whole bunch of different frequencies, so 5-slot kernels are good enough for me. You should stick to the “Low Voltage” kernels (scroll down in the list to find them) to avoid overheating your CPU or decreasing battery life more than necessary.
    4. The kernel install process through the ROM Manager works similarly to the CyanogenMod ROM install process. When the kernel download is complete, a “ROM Pre-Installation” popup will appear. Check “Backup Existing ROM” if this is your first time changing kernels, or if you don’t have a recent backup. Do not check “Wipe Data and Cache”. Click “OK”.
    5. The phone will reboot into recovery, back up your current ROM to the SD card (if you selected that option), install the new kernel, and then reboot when it is done.
  7. Purchase and install SetCPU from the Android Market. It costs $1.99 as of this writing, and is totally worth it. Read more about SetCPU here.
  8. Set up SetCPU’s global settings.
    1. Launch SetCPU.
    2. Click the “Autodetect Speeds” button. Grant the app root access (and check “Always Allow”) when it asks you.
    3. SetCPU will display the maximum and minimum CPU speeds your kernel supports. Using the “5 Slot 800MHz 0.8.3 *Low Voltage*” bekit kernel, you should see 800MHz max and 250 MHz min.
    4. Adjust the sliders on SetCPU’s main screen to set the global minimum and maximum CPU speeds. I tend to leave the minimum as 250MHz and the maximum as 800MHz. Remember that the stock Motorola Droid CPU is underclocked from 600MHz to 550 MHz, so 250MHz is actually underclocking (better for battery life) and 800MHz is overclocking (better for performance).
    5. Set the CPU Governor. I recommend using default CPU Governor: “ondemand.” This means that the CPU will scale up when the phone is busy (i.e., when you are using it) and will scale down when the phone is idle (i.e., sleeping). The “conservative” CPU Governor scales speeds up more slowly than “ondemand” does; I find that it makes games a little laggy. The “performance” CPU Governor simply always uses the maximum speed setting; this seems unnecessary for a device that spends most of the time sleeping.
    6. Check “Set on Boot”. The only reasons not to have “Set on Boot” checked are that you are flashing a new ROM, or that you are overclocking by a lot (say, to 1.2 GHz) and are concerned about stability.
  9. Set up SetCPU Profiles. (This step is optional, but recommended.)
    1. In SetCPU, click the “Profiles” button. A popup will appear.
    2. Check “Profiles On” in the popup.
    3. To update a profile, click on its “Enabled” checkbox, click the “Modify” button, set the CPU speed sliders and CPU Governors in the popup, and click the “Apply” button. My recommended profile settings (for my 800MHz kernel) follow.
    4. Enable the “Charging” profile. Set to 550 Max, 250 Min, ondemand. You don’t want to overclock while charging, because the battery is already hotter while charging, and you don’t want to overheat your phone.
    5. Enable the “Sleep/Standby” profile. Set to 550 Max, 400 Min, ondemand. You can set the minimum speed to 250MHz, but I like 400MHz, because the phone wakes up a little faster.
    6. Enable the “Battery Profiles”, which will be in use most of the time you actually are using the phone. You have to set up all 3 profiles for them to work. I like to set them to scale back the CPU speed as the battery is depleted.
      1. Enable a “Power < 100%” profile. Set to 800 Max, 400 Min, ondemand, if battery is under 100%.
      2. Enable a “Power < 50%” profile. Set to 600 Max, 400 Min, ondemand, if battery is under 50%. This steps down the CPU a bit to eke out more battery life.
      3. Enable a “Power < 15%” profile. Set to 550 Max, 250 Min, ondemand, if battery is under 15%. This steps down the CPU a bit more to eke out more battery life.
    7. Leave the “Failsafe Profile” as is, and enabled. This profile kicks in when the phone starts to overheat. I’ve never had my phone overheat for any reason. SetCPU reports the battery temperature of my phone as 30° C to 40° C, which is well under the danger zone for this CPU (which starts, I believe, at 50°C).

After all this, your phone will be overclocked during use and underclocked at rest. I find that a little overclocking makes the Droid a lot more pleasant to use, and doesn’t hamper battery life much, and doesn’t affect stability at all. The whole process will cost you about $2 for SetCPU. If you love ROM Manager, buy that app, too, and support the developers. The premium version of ROM Manager unlocks a lot of ROMs and themes, and provides notifications if an update is available for your ROM.

I bought my Motorola Droid the morning it was released to the public. The first app I installed on it was Locale, which promised to automatically set the phone’s volume, wifi settings, and so on, based on its current location. I thought this was a great idea: I could automatically silence my phone at the office, and turn the ringer on while at home. Unfortunately, after a couple days, I realized that Locale basically never updated my location, so it never worked right. I still stuck with Locale for a while, because it also allows you to set you phone’s volume (etc.) based on the time of day. After Locale became a $9.99 app, I uninstalled it in favor of a free alternative: Timeriffic.

Timeriffic allows you to change your phone’s volume (ringer and notifications), wifi, Bluetooth, screen brightness, and airplane mode, based on whatever day and time schedules you create. It is easy to set up (though the UI colors are kind of garish), stable (no force closes), and has almost no effect on battery life.

Timeriffic

I use Timeriffic to silence my phone while I am asleep. Typically, I don’t receive phone calls in the middle of the night, but I receive a lot of notifications, which I don’t want to wake me up. Silencing the ringer or notifications with Timeriffic is an all-or-nothing setting. The downside to Timeriffic, as opposed to Locale, is that you can’t “whitelist” phone numbers to ensure that certain people can reach you, even when your phone is set to silent. That isn’t a problem for me, but then again, I don’t have a job that requires me to be on call.

Locale has more features and a better user interface, but it is way too expensive, for what it is, to recommend. For my needs, the free Timeriffic is more than adequate.

Today I learned a different way to configure the firewall on my Ubuntu 10.04 Lucid Lynx Server: the ufw command. UFW stands for “Uncomplicated FireWall,” and it’s just that. It provides a simpler interface to add or remove firewall rules to iptables, the default Linux firewall. It’s installed on Ubuntu Server by default (and has been, since Ubuntu 8.04), and I find it a little simpler than the application I used to use to configure my firewall: Firehol. (Here’s how to set up Firehol, if you are interested. It’s more difficult than ufw, in my opinion, but a lot easier than setting up iptables manually!)

A new Ubuntu Server install (as of 10.04) contains a firewall (iptables) that is not enabled. Ubuntu.com has a great tutorial that explains that ufw is the default configuration tool for iptables. After I set up my server, I used ufw to close all ports by default, then open up ports for the services I use. I don’t have complex security needs or run a proxy server, so my rules are simple.

Adding Rules

Before adding rules, it’s best to set the default policies explicitly rather than rely on the built-in ones, so that your configuration is self-documenting. The commands below set the policy I use on this server: deny all incoming traffic and allow all outgoing traffic. (That also happens to be UFW’s built-in default.) Blocking outgoing traffic as well is stricter, and I like the idea, but it means writing an allow rule for every outbound service the server uses; if you want that, use sudo ufw default deny outgoing in place of the second command. Once the defaults are set, selectively open ports for the services you wish to run.


$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

The following commands open ports for named services that I use: namely, SSH (port 22), a web server (port 80), and Webmin (port 10000). Any services named in /etc/services may be identified by name instead of port number.

$ sudo ufw allow ssh
$ sudo ufw allow www
$ sudo ufw allow webmin

UFW also has a list of application presets, for common servers such as Apache, OpenSSH, Lighttpd, and Samba. You can view the list by issuing the command:

$ sudo ufw app list

You can implement firewall rules for Samba by using the command below, which specifies the application name, not the service name. Note that you must enclose in quotation marks any application names that include spaces.

$ sudo ufw allow Samba

It’s better to limit Samba access to hosts on your LAN. Using ufw’s more complex syntax, you can do just that. Note that you have to add “app” before the application name in this case, and that the source should be your actual LAN subnet (10.0.0.0/24 on my network; 10.0.0.0/8 would admit every 10.x.x.x address, far more than one home LAN). The destination is “any” because the rule has to match packets addressed to the server’s LAN IP, not to 127.0.0.1.

$ sudo ufw allow from 10.0.0.0/24 to any app Samba

No matching outgoing rule is needed: the default policy allows all outgoing traffic, and replies on connections the firewall has already accepted are permitted regardless.

The following commands open the ports required by my Transmission-Daemon server. Here I must specify port numbers explicitly. Note that you use a colon instead of a dash to specify port ranges. Plus, when creating rules for port ranges, you must specify whether they apply to TCP or UDP.

$ sudo ufw allow 9091
$ sudo ufw allow 20500:20599/tcp
$ sudo ufw allow 20500:20599/udp

The following command opens up ports needed for MySQL, but only to hosts within the local network.

$ sudo ufw allow from 10.0.0.0/8 to any port 3306 proto tcp

If you wish to open up MySQL to the world, you could use a simpler syntax.

$ sudo ufw allow mysql

Deleting Rules

Deleting rules is pretty simple. Just use the following syntax, and replace <…> with the entire rule that you wish to delete.

$ sudo ufw delete <...>

For example:

$ sudo ufw delete allow ssh
$ sudo ufw delete allow 10000

You can also delete all the rules with a single command.

$ sudo ufw reset

Enabling the Firewall

The following command enables the firewall rules immediately, and upon subsequent system restarts. This command will also refresh the rules. Run this command each time you update your firewall configuration.

$ sudo ufw enable

Disabling the Firewall

To disable the firewall, simply issue the following command.

$ sudo ufw disable

Checking the Configuration

You can check your configuration by issuing one of the following commands. The “verbose” version shows more information.

$ sudo ufw status
$ sudo ufw status verbose
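Reading the status table by eye is how you check the configuration; the following shell functions, added here as an example and not part of the original post, do the same check mechanically against a constructed sample of "ufw status verbose" output: they report the default incoming policy and any ALLOW IN rule (port plus source) that is not on the list you intended to open. The sample text, the function names and the expected list are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample of "ufw status verbose" output; not captured from a real host.
SAMPLE_STATUS='Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
10000/tcp                  ALLOW IN    Anywhere
9091                       ALLOW IN    Anywhere
20500:20599/tcp            ALLOW IN    Anywhere
20500:20599/udp            ALLOW IN    Anywhere
3306/tcp                   ALLOW IN    10.0.0.0/8
5900/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)'

# default_incoming STATUS_TEXT
# Print the default policy for incoming traffic ("deny" is what the post sets up).
default_incoming() {
    printf '%s\n' "$1" | sed -n 's/^Default: \([a-z]*\) (incoming).*/\1/p'
}

# unexpected_rules STATUS_TEXT EXPECTED_ENTRY...
# Each entry has the form TO@FROM, e.g. 3306/tcp@10.0.0.0/8. Prints every
# ALLOW IN rule that is not on the expected list, so a port left open by
# mistake (or a LAN-only rule that became world-open) stands out.
unexpected_rules() {
    text="$1"; shift
    expected=" $* "
    printf '%s\n' "$text" | sed 's/ (v6)//g' |                 # fold IPv6 rows onto IPv4 ones
        awk '$2 == "ALLOW" && $3 == "IN" { print $1 "@" $4 }' | sort -u |
        while read -r entry; do
            case "$expected" in
                *" $entry "*) ;;                   # intended: nothing to say
                *) printf '%s\n' "$entry" ;;       # not intended: report it
            esac
        done
}

# Intended policy from the post: SSH, Webmin, Transmission, and MySQL from the LAN only.
EXPECTED="22/tcp@Anywhere 10000/tcp@Anywhere 9091@Anywhere 20500:20599/tcp@Anywhere 20500:20599/udp@Anywhere 3306/tcp@10.0.0.0/8"

echo "default incoming policy: $(default_incoming "$SAMPLE_STATUS")"
echo "rules not in the intended policy:"
unexpected_rules "$SAMPLE_STATUS" $EXPECTED    # prints 5900/tcp@Anywhere
```

On a real host, replace SAMPLE_STATUS with the output of "sudo ufw status verbose".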

Firewall Configuration Script

Here is a script that I wrote to set up my firewall. This script resets the firewall to deny everything but the services/applications I have installed on my server. Run it with sudo. You only have to run it once, not on every boot.

#!/bin/sh

# obtain server's IP address (first address reported by hostname)
SERVERIP=$(hostname --all-ip-addresses | cut --fields 1 --delimiter " ")

# disable firewall
ufw disable

# reset all firewall rules (--force skips the interactive confirmation
# so the script can run unattended)
ufw --force reset

# set default rules: deny all incoming traffic, allow all outgoing traffic
ufw default deny incoming
ufw default allow outgoing

# open port for SSH
ufw allow OpenSSH

# open port for Webmin
ufw allow webmin

# open ports for Samba file sharing, LAN hosts only
ufw allow from 10.0.0.0/8 to "$SERVERIP" app Samba
ufw allow to 10.0.0.0/8 from "$SERVERIP" app Samba

# open ports for Transmission-Daemon
ufw allow 9091
ufw allow 20500:20599/tcp
ufw allow 20500:20599/udp

# open port for MySQL, LAN hosts only
ufw allow proto tcp from 10.0.0.0/8 to any port 3306

# open ports for Lighttpd (application names with spaces must be quoted)
ufw allow "Lighttpd Full"

# open port for network time protocol (ntpd)
ufw allow ntp

# enable firewall (--force skips the "may disrupt existing ssh connections" prompt)
ufw --force enable

# list all firewall rules
ufw status verbose

NewsRob


NewsRob is a paid app* that I use every day to access Google Reader. You might think that it is a mindless luxury, because Google Reader actually has a decent mobile site. That said, the Android Browser is pretty slow, and loading the content often took more time than was worthwhile.

NewsRob solves the loading time problem for me by fetching updates from Reader on a regular (configurable) basis. It will download the feed, the entire article, and, if you want, the entire web page (mobile or regular). You can choose to be notified of feed updates via the Android notification system, or via a home screen widget (I prefer the latter). NewsRob will sync your read/unread, starred, and shared items back to Google Reader.

NewsRob

I like using NewsRob because it saves me time. It was definitely worth the cost to buy the Pro version, because the notifications, widget, and improved loading time of articles allows me to consume my RSS feeds far quicker than Google Reader’s mobile version does alone. If you are a heavy Google Reader user, I recommend NewsRob for your Android phone.

* A free, ad-supported version is coming/available.

Touchdown


Verizon charges a monthly fee for Exchange access, which is exorbitant and ridiculous. For the first couple months I owned my Android phone, I didn’t have access to my company email or calendar, because I wasn’t willing to pay an additional monthly fee.

Later, a coworker recommended I try out Touchdown, a $20 app that integrates Exchange with my Android phone. Instead of a monthly fee to Verizon, you pay the developers one time for registration. It’s definitely an acceptable trade-off. I’ve used Touchdown daily for months now, and think that it is worth every penny.

Touchdown's home screen

Touchdown works very well. Its interface won’t blow you away, but it is certainly easy enough to use, and the push notifications and home screen widgets work perfectly. The initial setup wizard used to connect with the Exchange server is easy to use. The other settings are voluminous and a little intimidating, but it is nice that the app allows you to tweak it so thoroughly.

Having work email on your smartphone is a mixed blessing, I’ve found, but it is hard to argue against having appointment reminders (i.e., your work calendar) on your phone. If you’re on Verizon, and would like Exchange support without adding more costs to your contract, Touchdown is the app of choice.

As a consultant, sometimes I have to take a plane or train to work and back each week. Last year I stayed in hotels almost 50 nights—and that was a pretty light year for travel. Traveling is stressful. Trains are late. Flights get cancelled—sometimes when I’m sitting on the plane. Gates get switched three or four times for no apparent reason. Printed itineraries get lost. Confirmation numbers get forgotten. It’s incredibly tough sometimes to keep everything straight. Fortunately, just before my last business trip to California, I discovered two Android (and web) apps that have helped me pull everything together, fairly neatly, and allow me to relax a bit about all the particulars.

TripIt

TripIt is a well-known web service that allows you to easily build itineraries, share them with people, and take them with you on your Android phone, iPhone, or iPod Touch. It’s a powerful service, and easy to use, because most of the work is done for you. You just email your itineraries and confirmation emails to TripIt, and it structures the entire trip for you. You don’t even need to set up an account: you can log in using Google or Facebook credentials (I love this feature!). TripIt is free and very useful, but it doesn’t do absolutely everything for you. The phone app does not let you edit your itinerary; you have to use the web app for that. More importantly, the TripIt app does not notify you if your flight status changes. For that, you can sign up for TripIt Pro for $69/year, which will text you whenever there’s a change.

FlightTrack Pro

If you want to save a bit of money, though, you can purchase a $10 Android app that will notify you of all the flights you sent to TripIt: FlightTrack Pro. FlightTrack Pro does one thing very well: it tells you whether your flight is on time, delayed, or canceled, and which gate it is at. The non-pro version is $5, and requires you to enter your flight information manually. The pro version, an additional $5, reads your flights from TripIt. It’s worth the $10, I think, to save the annual fee for TripIt Pro. Plus, it loads your flights much quicker than TripIt, and has a handsome widget for your home screen.