Configuration notes: Debian on Fujitsu Amilo v3505
Last updated on 31 March 2010.
- Install media is Debian 5.0.2 netboot, amd64
- Things that worked out of the box: alsa, i915 video, wired networking
Test DRI with aptitude install mesa-utils && glxinfo | grep rendering
Wireless LAN
Driver is iwl3945, which is installed by default. You'll need the firmware (ucode) from intellinuxwireless.org. Run
dmesg | egrep "iwlwifi|firmware"
then download the appropriate archive.
wpa_supplicant
Install wpa_supplicant with aptitude install wpasupplicant, then edit /etc/wpa_supplicant/wpa_supplicant.conf:
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev

# WPA
network={
    ssid="your-ssid"
    scan_ssid=1
    proto=WPA RSN
    key_mgmt=WPA-PSK
    pairwise=CCMP TKIP
    group=CCMP TKIP
    psk=psk-generated-with-wpa_passphrase
    priority=5
    id_str="iface-name-in-network-interfaces"
}

# WEP
network={
    ssid="your-ssid"
    scan_ssid=1
    key_mgmt=NONE
    wep_key0=your-wep-key
    wep_tx_keyidx=0
    priority=10
    id_str="iface-name-in-network-interfaces"
}

# Open network (no ssid given, so this block matches any unencrypted network)
network={
    key_mgmt=NONE
}
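wpa_supplicant tries network blocks in decreasing priority order, so it is worth checking which blocks in a file like the one above are WEP or open and whether any of them outranks the WPA entries. The audit below is an added example, not part of the original notes; the function names audit_wpa_conf and sample_conf and the sample input (constructed from the blocks above, with placeholder keys) are assumptions of the example.

```shell
#!/bin/sh
# Constructed sample: the three network blocks from the notes, keys replaced.
sample_conf() {
cat <<'EOF'
network={
    ssid="your-ssid"
    key_mgmt=WPA-PSK
    psk=placeholder
    priority=5
}
network={
    ssid="your-ssid"
    key_mgmt=NONE
    wep_key0=placeholder
    priority=10
}
network={
    key_mgmt=NONE
}
EOF
}

# Read a wpa_supplicant.conf on stdin and print one line per network block.
# Any key_mgmt other than NONE is reported as WPA (a simplification).
# WARN = WEP/open block with priority >= the best WPA block; weak = ranked lower.
audit_wpa_conf() {
    awk '
    function val(s) { sub(/^[^=]*=/, "", s); return s }
    /^[ \t]*network=[{]/ { inb = 1; ssid = "<any>"; km = "(default)"; prio = 0; wep = 0; next }
    !inb { next }
    /^[ \t]*ssid=/         { ssid = val($0) }
    /^[ \t]*key_mgmt=/     { km = val($0) }
    /^[ \t]*priority=/     { prio = val($0) + 0 }
    /^[ \t]*wep_key[0-3]=/ { wep = 1 }
    /^[ \t]*[}]/ {
        inb = 0; n++
        kind[n] = (km != "NONE") ? "WPA" : (wep ? "WEP" : "OPEN")
        name[n] = ssid; pr[n] = prio
        if (kind[n] == "WPA" && (best == "" || prio > best)) best = prio
    }
    END {
        for (i = 1; i <= n; i++) {
            tag = "ok"
            if (kind[i] != "WPA") tag = (best == "" || pr[i] >= best) ? "WARN" : "weak"
            printf "%-4s %-4s priority=%-3d ssid=%s\n", tag, kind[i], pr[i], name[i]
        }
    }'
}

sample_conf | audit_wpa_conf
```

On a real system, run it as root with audit_wpa_conf < /etc/wpa_supplicant/wpa_supplicant.conf.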
Edit /etc/network/interfaces:
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
auto wlan0
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet dhcp

iface wlan0 inet manual
    wpa-driver wext
    wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf

iface iface-name-in-network-interfaces inet dhcp
iface default inet dhcp
Flash and Java
For Flash, follow the instructions on http://wiki.debian.org/FlashPlayer.
Java: Edit /etc/apt/sources.list and add "non-free". Example:
deb http://ftp.ch.debian.org/debian/ lenny main non-free contrib
aptitude update
aptitude install sun-java6-jdk sun-java6-plugin sun-java6-jre
update-alternatives --config java
java -version
Power saving stuff
Install powertop and add this to /etc/rc.local:
# Suggestion: Enable wireless power saving mode by executing the following command:
echo 5 > /sys/bus/pci/drivers/iwl3945/0000:04:00.0/power_level
# Suggestion: Enable SATA ALPM link power management via:
echo min_power > /sys/class/scsi_host/host0/link_power_management_policy
# Suggestion: increase the VM dirty writeback time from 5.00 to 15 seconds with:
echo 1500 > /proc/sys/vm/dirty_writeback_centisecs
# Suggestion: Disable the unused bluetooth interface with the following command:
hciconfig hci0 down ; rmmod hci_usb
Raise framebuffer resolution
vga=0x0362 for 1280x800@24bit. Got this with hwinfo --framebuffer.
Firewall
Add this to /etc/init.d/firewall and create appropriate symlinks:
#!/usr/bin/env bash
# Installation:
#   update-rc.d firewall defaults

# Load modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

BLACKLIST=/root/blacklist.txt

case "$1" in
  start)
    # clear iptables
    iptables -F
    iptables -X

    # default policy
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # allow loopback communication
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # drop new connections without the SYN flag set.
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # keep established connections going
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    #iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # allow ICMP ping
    iptables -A INPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-request -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p icmp --icmp-type echo-reply -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Ban blacklisted IPs (first column of every non-comment line)
    for x in $(grep -v '^#' "$BLACKLIST" | awk '{print $1}'); do
        echo "Blocking $x..."
        iptables -A INPUT -t filter -s "$x" -j DROP
    done

    # TCP in
    iptables -A INPUT -t filter -p tcp --dport 22 -j ACCEPT

    # TCP out
    #iptables -A OUTPUT -t filter -p tcp --dport 21 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 22 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 25 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 80 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 443 -j ACCEPT
    #iptables -A OUTPUT -t filter -p tcp --dport 993 -j ACCEPT
    iptables -A OUTPUT -t filter -p tcp --dport 0:65535 -j ACCEPT

    # UDP in
    iptables -A INPUT -t filter -p udp --dport 631 -j ACCEPT
    iptables -A INPUT -t filter -p udp --dport 67 -j ACCEPT

    # UDP out
    iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 67 -j ACCEPT
    iptables -A OUTPUT -t filter -p udp --dport 631 -j ACCEPT

    # Drop all remaining new TCP connections (SYN packets)
    iptables -A INPUT -t filter -p tcp --syn -j DROP

    # Logging. The rule is inserted as rule 5 of INPUT, so it logs (rate-limited)
    # every packet that rules 1-4 did not already accept or drop, including
    # packets that a later rule accepts.
    iptables -I INPUT 5 -m limit --limit 49/min -j LOG --log-prefix "iptables DENY: " --log-level 7
    ;;
  stop)
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    echo "Warning! Firewall is stopped, server is unprotected now!"
    ;;
  restart)
    "$0" stop
    sleep 1
    "$0" start
    ;;
  *)
    echo "Usage $0 {start|stop|restart}"
    ;;
esac
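The blacklist loop in the script above passes the first column of every non-comment line to iptables as root, so a typo or stray token in /root/blacklist.txt ends up in the rule set or aborts the rule. The filter below is an added example, not part of the original script; the function names valid_ipv4, blacklist_entries and sample_blacklist and the sample entries (constructed, using documentation address ranges) are assumptions of the example.

```shell
#!/bin/sh
# Return 0 only for a dotted-quad IPv4 address with an optional /0-32 prefix.
valid_ipv4() {
    entry=$1
    addr=${entry%%/*}
    bits=32
    case $entry in */*) bits=${entry#*/} ;; esac
    case $bits in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$bits" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split into octets; addr holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Read a blacklist on stdin (first column counts, comments and blank lines are
# skipped), print the valid entries and report the rest on stderr.
blacklist_entries() {
    awk '!/^[ \t]*(#|$)/ { print $1 }' | while read -r item; do
        if valid_ipv4 "$item"; then
            printf '%s\n' "$item"
        else
            printf 'skipping invalid blacklist entry: %s\n' "$item" >&2
        fi
    done
}

# Constructed sample blacklist.
sample_blacklist() {
cat <<'EOF'
# address        note
192.0.2.10       repeated ssh logins
198.51.100.0/24

203.0.113.999
-j
example.org
EOF
}

# In the firewall script the loop would become:
#   for x in $(blacklist_entries < "$BLACKLIST"); do iptables -A INPUT -s "$x" -j DROP; done
sample_blacklist | blacklist_entries
```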
This report is listed at TuxMobil - Linux compatibility guides for laptops, notebooks, PDAs, mobile phones and GPS devices.