We host a number of web services and applications on the servers in here in the PaperCut office. We’ve always planned on hosting these on an isolated server inside a demilitarized zone (DMZ) to ensure public applications are isolated from internal servers. This usually requires separate dedicated servers, however with the recent growth in virtualization technology, we decided to see if we could accomplish the same in a virtual environment. There was not a lot of information out there so I embarked on a project to develop our own. The solution has worked very well over the past 6 months so I’ve decided to open source the configuration and control script so others in the Linux community can benefit. (One of my Friday projects when I’m not working on print accounting software!).

The crux of the script is to host a Qemu or KVM virtual machine on an independent subnet via a tun/tap interface. iptables on the host (Dom0) is used to ensure that connections can not be instigated from the VM in the DMZ to any system in the internal network. They say a picture is worth a thousand words, so here’s a diagram:

The key items are:

• The host (dom0) hosted the VM on a tun/tap interface.
• The VM is on a separate subnet.
• A firewall on dom0 (important) prevents access to the internal network.
• A static route has been added to the router so internal network can “find” the systems in the DMZ.
• Public ports (e.g. port 80) on the router are forwarded into the server in the DMZ.

This strategy will provide an extra layer of protection as a compromise on the server in the DMZ (say hosting your website) will not automatically mean a compromise on your internal network. There are however come caveats to this: It may be possible to “jailbreak” from the VM into the host by exploiting vulnerabilities in the hypervisor/host. For example, some exploits were found in QEMU in 2007.

The control script and its brief setup procedure should work on most modern Linux distributions.

file: dmz-vm-controller

#!/bin/sh
### BEGIN INIT INFO
# Provides:          vm-dmz-controller
# Required-Start:    $local_fs $network
# Required-Stop:     $local_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: VM Management in a DMZ
# Description:       QEMU/KVM VM Management in a semi-secured DMZ.
### END INIT INFO

##############################################################################
#
# VM-DMZ-Controller is a wrapper script written to help with the management
# and setup of a VM running inside a secured demilitarized zone (DMZ).  The
# objective is to ensure the host/vm inside the DMZ are firewalled in a way
# that ensures connections from the DMZ to the internal network are not
# possible.
#
# Brief summary:
#
#   1. Install QEMU or KVM, and socat, iptables and tun/tap tunctl
#      (uml-utilities).
#
#   2. Create non-privileged user on your system called "vm".
#
#   3. Create a sub-directory in the VM user's home directory to host your VM
#      files.
#
#   4. Create your disk images (e.g. qemu-img) in this sub-directory.
#
#   5. Copy this script into the directory and modify configuration section
#      below.
#
#   6. Link in this script into /etc/init.d/ and configure runlevels as
#      appropriate.
#
#   7. Add a static route in your internal network default router so internal
#      systems can connect to the VM.
#
#   8. Start your VM and test.  Confirm that the VM is unable to access your
#      internal network.
#
# See here for details:
# http://www.papercut.com/blog/chris/2008/11/14/using-kvm-to-securely-host-servers-in-a-dmz/
#
#
# Copyright (c) 2008, PaperCut Software International Pty. Ltd.
# http://www.papercut.com/
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are met:
#     * Redistributions of source code must retain the above copyright
#       notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above copyright
#       notice, this list of conditions and the following disclaimer in the
#       documentation and/or other materials provided with the distribution.
#     * Neither the name of the  nor the
#       names of its contributors may be used to endorse or promote products
#       derived from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY PAPERCUT SOFTWARE ”AS IS” AND ANY
# EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL  BE LIABLE FOR ANY
# DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
# ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
# SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
###############################################################################

###############################################################################
# VM Configuration - modify below as appropriate
###############################################################################

# The name of the VM instance (should be unique if hosting multiple VMs)
#
VM_NAME=external-web-server

# The non-privledged user ID used to run the VM.
#
VM_USER=vm

# The VM kernel module to load (e.g. kvm-intel, kvm-amd, qemu). Leave blank if
# using QEmu as a kernel model is required.
#
VM_MODULE=kvm-intel

# The name of the virtual network tap to bind/host to the DMZ network on.
#
IFNAME=tap0

# The .1 gateway address that denotes the DMZ subnet.
#
DMZ_IP=192.168.100.1

# The subnet range of the internal network (the range to firewall/protect)
#
INTERNAL_SUBNET=192.168.1.0/24

# Your DMZ system may need DNS access provided by your internal network.
# Set this if required. This will leave a hole in the firewall allowing
# DNZ access (UDP source port 53).
#
INTERNAL_DNS_IP=

# The directory with disk images (and pid files, etc.) are hosted
#
VM_DIR=/home/${VM_USER}/${VM_NAME}

MONITORFILE=${VM_DIR}/.${VM_NAME}.monitor
PIDFILE=${VM_DIR}/.${VM_NAME}.pid
LOGFILE=${VM_DIR}/${VM_NAME}.log

# VM Start command-line. No need to define:
#    -pidfile, -net, or -monitor
# as these are all appended as part of this script.
# Add -cdrom and -boot d to boot and install your VM off a CD.
#
VM_START_CMD=”kvm 
        -hda disk1.qcow2 
        -m 384 
        -vnc :0″

# The maximum time to provide the VM to conduct a graceful shutdown.
#
SHUTDOWN_TIMEOUT=20

###############################################################################
# End Configuration - DO NOT MODIFY BELOW THIS LINE
###############################################################################

start_vm() {

    echo_n “Starting VM ${VM_NAME}…”
    if isrunning; then
        echo “ALREADY RUNNING”
        exit 0
    fi

    setup_networking
    start_firewall

    if [ ! -z “${VM_MODULE}” ]; then
        modprobe “${VM_MODULE}”
    fi
    cd “${VM_DIR}”
    su “${VM_USER}” -c “${VM_START_CMD} 
                -net nic -net tap,ifname=${IFNAME},script=no 

                -pidfile ${PIDFILE} 
                -monitor unix:${MONITORFILE},server,nowait 
                >> ${LOGFILE} 2>&1 &”

    for i in 0 1 2 3; do
        sleep 2
        if isrunning; then
            echo “Started ${VM_NAME} at: `date`” >> ${LOGFILE}
            echo “started.”
            exit 0
        else
            echo_n “.”
        fi
    done

    echo “ERROR”
    exit 1
}

stop_vm() {

    echo_n “Stopping VM ${VM_NAME}…”
    if isrunning; then
        # Send nice powerdown command
        echo “system_powerdown” | socat - UNIX-CONNECT:${MONITORFILE} 
                >/dev/null
        clean_shutdown=
        for (( i = 0 ; i <= ${SHUTDOWN_TIMEOUT} ; i++ )); do
            sleep 1
            if isrunning; then
                echo_n "."
            else
                clean_shutdown=y
                break;
            fi
        done

        if [ -z "${clean_shutdown}" ]; then
            echo_n "forcing..."
            kill -TERM "${pid}"
            sleep 2
        fi

        if isrunning; then
            echo "problem stopping!"
            exit 1
        fi

        rm ${MONITORFILE}
        rm ${PIDFILE}
        stop_firewall
        stop_networking
    fi
    echo "Stopped ${VM_NAME} at: `date`" >> ${LOGFILE}
    echo “stopped.”
}

status() {

    if isrunning; then
        echo “Running (pid: ${pid}).”
    else
        echo “Not Running.”
    fi
}

forcekill() {

    if isrunning; then
        kill -9 “${pid}”
    else
        echo “Not running!”
    fi
}

isrunning() {

    if [ -r ${PIDFILE} ]; then
        pid=`cat ${PIDFILE} 2>/dev/null`
        if [ ! -z “${pid}” -a -d /proc/${pid} ]; then
            return 0 #Success - running
        else
            return 1 #Failure - not running
        fi
    else
        return 1 #Failure - not running
    fi
}

setup_networking() {

    tunctl -u ${VM_USER} -t ${IFNAME} >/dev/null

    ifconfig ${IFNAME} ${DMZ_IP} netmask 255.255.255.0 up >/dev/null

}

start_firewall() {

    modprobe ip_tables
    modprobe iptable_nat

    echo “1″ > /proc/sys/net/ipv4/ip_forward

    #
    # Deny new connections to internal network (forwarded) and Dom0 (input)
    #
    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p tcp –syn 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p tcp –syn 
            -j DROP

    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p tcp –syn 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p tcp –syn 
            -j DROP

    # Also need to protect the DMZ side of host box.
    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p tcp –syn 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p tcp –syn 
            -j DROP

    #
    # Allow DNS UDP packets to DNS server (required if on internal network)
    #
    if [ ! -z “${INTERNAL_DNS_IP}” ]; then
        iptables -A FORWARD -p udp -d $INTERNAL_DNS_IP 
            –dport 53 -i $IFNAME -j ACCEPT
    fi

    #
    # Deny UDP packets to internal network
    #
    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p udp 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p udp -j DROP

    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p udp 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p udp -j DROP

    # Don’t log Windows/Samba name broadcasts as they will occure often
    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p udp –dport 137 -j DROP

    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p udp 
            -m limit –limit 6/h –limit-burst 5 -j LOG

    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p udp -j DROP

    #
    # Deny selected ICMP to internal network
    #
    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type echo-request -j DROP
    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type redirect -j DROP
    iptables -A FORWARD -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type router-advertisement -j DROP

    iptables -A INPUT  -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type echo-request -j DROP
    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type redirect -j DROP
    iptables -A INPUT -d $INTERNAL_SUBNET -i $IFNAME -p icmp 
            –icmp-type router-advertisement -j DROP

    iptables -A INPUT  -d $DMZ_IP -i $IFNAME -p icmp 
            –icmp-type echo-request -j DROP
    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p icmp 
            –icmp-type redirect -j DROP
    iptables -A INPUT -d $DMZ_IP -i $IFNAME -p icmp 
            –icmp-type router-advertisement -j DROP

    #
    # Deny spoofed packets from DMZ
    #
    iptables -A INPUT -s ! ${DMZ_IP}/24 -i $IFNAME -j DROP
    iptables -A FORWARD -s ! ${DMZ_IP}/24 -i $IFNAME -j DROP

}

stop_firewall() {

    #
    # Remove all rules added on the IFNAME interface
    #
    iptables -S | 
            egrep “${IFNAME}” | 
            egrep “^-A ” | 
            sed “s/-A //” | 
            while read rulespec; do
                iptables -D ${rulespec}
            done
}

stop_networking() {

    tunctl -d ${IFNAME} >/dev/null

}

# Hack for POSIX echo -n support on all platforms
if [ “X`echo -n`” = “X-n” ]; then
    echo_n() { echo ${1+”$@”}”c”; }
else
    echo_n() { echo -n ${1+”$@”}; }
fi

#
# Begin Main
#

userid=`id | sed “s/^uid=([0-9][0-9]*).*$/1/”`
if test “${userid}” -ne 0; then
    echo “Error: You must be root to run this program” 1>&2
    exit 1
fi

if [ -z `which iptables` ]; then
    echo “Error: Please install iptables.” 1>&2
    exit 1
fi

if [ -z `which socat` ]; then
    echo “Error: Please install socat.” 1>&2
    exit 1
fi

if [ -z `which tunctl` ]; then
    echo “Error: Please install tunctl.” 1>&2
    exit 1
fi

case “${1}” in
    start)
        start_vm
        ;;

    stop)
        stop_vm
        ;;

    forcekill)
        forcekill
        ;;

    restart)
        stop_vm
        sleep 1
        start_vm
        ;;

    stopfirewall)
        stop_firewall
        ;;

    startfirewall)
        start_firewall
        ;;

    status)
        status
        ;;

    *)
        echo “Usage: vm-dmz-controller start|stop|restart|status” >&2
        echo “Advanced Options: stopfirewall|startfirewall|forcekill” >&2
        exit 1
        ;;
esac

A quick thanks to all the beta testers helping us with testing our new PaperCut version for iPrint on OES Linux. We’ve had a series of bugs/suggests reported and I’ve actioned most of these in today’s release. The 8.5.6708 release contains:

• Support for a various username formats seen on Novell networks (e.g. username@macadd, .username.domain, username\domain).
• Improved auto detection of eDirectory LDAP settings.
• Added warning if installing on any 64-bit OS. The beta release is currently targeting 32-bit only but we’ll support 64-bit on final release. (We’re just trying to minimize variables during the beta program!)
• Documented the need to open ports 9191 and 9192 in the firewall. OES has strict firewall defaults!
• Miscellaneous documentation improvements that should make installation a little easier and/or more “the Novell way”.

The remaining suggestion not actioned in this release is the auto-registration of printers. At the moment a single print job is required on each printer to trigger of the registration of the printer. I’m conducting some R&D in this area and hope to have a better solution soon.

You’ll find the latest release on the PaperCut NG downloads page.

Thanks again to all the testers and please continue to email me with your ideas (and dare I say, “bugs”!).

Here is another “behind the scenes” post of the happenings here at PaperCut. Last Wednesday was National Ride To Work Day. This is an initiative of our local bicycle association to raise awareness and get more people riding to work around the country. Tom, Matt and myself already regularly ride to work (at least on the sunny days!) and we decided to put the invitation out to all to join us. Priyanka took up the challenge even though she has not ridden a bike in many years.

Here are some pictures of the day. Tom, Priyanka and myself met in Glen Iris and did the 30 minute ride along the Gardiner’s Creek trail through to our office in Mount Waverley. I’m sure Priyanka now has a good appreciation of the word “Mount” in Mount Waverley after tackling the climb for the first time!

Matt, Priyanka, Chris and Tom after the morning ride

Priyanka and Tom climbing the “mountain”!

Hope you all find the behind the scenes look interesting, and yes, we don’t just work on printer log software all the time!

OK. It’s been a frustrating month for me (and all the prospective Novell testers). I’ve been in regular correspondence with Dean Giles at Novell with very little progress. The frustrating thing is that we have a copy (under NDA) of the “new iPrint”, fully working and running fine in here. However due to internal politics on the Novell side it has not been possible to make this publicly available to others (i.e. our test sites) because of an NDA. Instead we’ve had to wait until OES2 SP1 was publicly available. It finally looks like there is some light at the end of the tunnel. I receive an email from Novell letting me know that SP1 is not in a public (non private) beta period. Yet to see any post on their website but I’m sure it’s only a day or so away. Finally it looks like we can start official testing and we’ll all have a proper print management solution on iPrint!

Please check out this page for more information on the PaperCut Novell OES Linux testing program, download information, etc. I assume the OES 2 SP1 download will be located here when live. Fingers cross the train will be rolling again soon.

Update: The word from Novell, “The beta has been approved by the core team, but may take a day or two to get posted.”

The Dev. Team here at PaperCut recently did a presentation about Apache Derby at the Australian Java User’s Group (AJUG) meeting in Melbourne. Apache Derby is the default database option supplied with PaperCut. Even thought we offer a choice of MS SQL Server, Oracle and Postgres within PaperCut, we find that 90% of our 10,000+ users stick with Derby. It’s a great choice for most of the medium to smaller sizes organizations as it’s a self-managing database. This means that you as an administrator don’t have to get involved with traditional DBA management tasks such as off-line backups, indexing, and performance tuning. The application and embedded database handles this all for you!

Many will have heard about databases like Oracle or MySQL. Apache Derby however is a little more discreet. The reason for this is that it’s an embedded database. That is, it’s designed to be pre-packaged with applications as a library rather than being deployed as a separate standalone component. However just because it’s has a “low profile” doesn’t mean its not good. It our opinion it’s one of the best databases around. Its performant, packaged full of features, and has a fantastic pedigree being born out of the database development teams at IBM, Informix and Sun. Apache Derby was open-sourced in 2005 when IBM donated it to the Apache Foundation. In now continues to be activly developed under the stewardship of the Apache Foundation along with many other world-class projects such as the Apache HTTP server.

If any are interested in knowing more about Apache Derby and its behind the scenes use in our print monitor application then please check out the slides from the presentation (PDF or HTML).

My first son William arrived yesterday. Unlike our planning here at PaperCut which usually run a few weeks behind schedule, my first child has decided to buck the trend and run ahead of schedule. William weighed in at 1.795kb (just under 4 pounds) - very small but strong and healthy. Both Mother and baby are doing well and Dad is very proud.

William’s bound to be a “tech baby” and I’m sure will be writing computer code in a few years. I was meant to be presenting at the Australian Java User’s Group the night he arrived. He was obviously very keen to get out and attend (also thanks to Matt who stepped in and did the presentation for me). He’s first taste of technology was his photo being sent out to everyone a few minutes after his birth courtesy of a 3G iPhone!

I’m sure to have my hands full over the next months. Lots of time looking after baby and working on print control software between feeds!

Another update for the sites participating in the Novell OES Linux beta program. It looks like we’ll have to wait a few more weeks to get proper print quota on iPrint. The iPrint update required to run PaperCut will now not be available until next week. Novell will be undertaking the last validation tests on Friday and assuming they all pass, they’ll be looking at supplying us with the update on Monday. The build is going to be based on the iPrint Beta 4 release. I’ll keep you all posted and let you know if there are any further delays.

Last week we announced the start of the official beta testing period for PaperCut on Novell. Novell is our last remaining platform so it’s great to see this finally in beta. We already have close to 50 sites that have contacted us expressing eagerness to participate in the beta testing program. There is a lot of excitement out there and a lost of organizations are happy to finally see best of breed print auditing and print control on iPrint.

As discussed in this page, I am going to post updates, news and announcements in our developer blog. One of the immediate announcements is with respect to the availability of the new iPrint release from Novell. PaperCut targets a yet-to-be-released iPrint version. This is a new version of iPrint scheduled for official release in Novell OES Linux 2 SP1 and includes the API hooks we required to get PaperCut working and cooperating with iPrint. Dean and Devon at Novell are working through the internal procedures at the moment so all beta test sites have early access to this iPrint update. The plan was to have this available last week but it’s been delayed. Dean is aiming to have all approved and available on Thursday the 21st.

In the meantime please regularly check this Blog for any news. Also if you have any questions or what a sneak peek, please check out the announcement and/or feel free to email me at support.

Many companies have a Jobs/Employment section on their website. We’re a small company with very low staff turn over and hence rarely advertise positions. We do however have one going right now! Quite a few people subscribe to our blog, so I thought we’d do some shameless self promotion and post the position here:

(more…)

Since we release our free print logging program a few years back its been a hit with hundreds of thousands of downloads. Every now and then we receive a thank you email or a short story about how people are finding it useful. One user recently wrote to us to thank us for helping him track down why his ink was disappearing. He had no explanation as to why his home printer ran out of ink every few weeks. Print Logger to the rescue! A quick audit of print activity shows that his kids did a lot of printing before he got home from work. Now printing in his household is restricted to homework use only and he’s happy again!

There are also plenty of other examples at the big end of town. Today I received an email from PepsiCo and HP outlining their use of PaperCut Print Logger. It’s great to see that this little free program has uses ranging from small homes to the largest corporates.

For us, PaperCut Print Logger serves two purposes:

1) It’s a great test bed for our printer page analysis technology. With hundreds of thousands of users, we quickly get reports about incompatibility with new drivers. The program actively encourages users to report incompatibilities and in turn this ensures that all our applications offer the widest range of support.

2) It’s also a fantastic way to get a “taste” of our applications. Many schools for example will install PaperCut Print Logger to get a quick view of what’s going on on their networks. It’s then only a small jump to move to PaperCut to implement print control, quotas, reporting, and of course monitor the environmental impact of printing.

If you’re running print logger, please take a few moments to send us an email and share your stories.