https://wiki.archlinux.org/api.php?action=feedcontributions&user=Jrussell&feedformat=atom
ArchWiki - User contributions [en] 2024-03-28T16:53:05Z User contributions MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=AUR_helpers&diff=283662
AUR helpers 2013-11-19T14:04:19Z <p>Jrussell: fix grammar</p>
<hr />
<div>[[Category:Arch User Repository]]<br />
[[Category:Package management]]<br />
[[es:Aurbuild]]<br />
[[fr:Assistants AUR]]<br />
[[ja:AUR Helpers]]<br />
[[ru:AUR Helpers]]<br />
[[tr:AUR_Yardımcı_Uygulamaları]]<br />
[[zh-CN:AUR Helpers]]<br />
{{Warning|None of these tools are officially supported by Arch devs. See [https://bbs.archlinux.org/viewtopic.php?pid&#61;828254#p828254 this forum thread].}}<br />
<br />
'''AUR Helpers''' are written to make using the [[Arch User Repository]] more comfortable.<br />
<br />
== AUR uploader helpers ==<br />
<br />
* {{App|aurploader|prompts the user for an AUR username and password and will then upload PKGBUILD tarballs to the AUR. Before uploading each package, the user is prompted to select a category. When the uploads have completed, the user is asked if the cookie file should be kept so that the script can be run again without needing the AUR username and password to be re-entered. It can include comments, vote and toggle notifications as well. It is now part of the python3-aur package, which includes modules for AUR automation and some other helpers. |http://xyne.archlinux.ca/projects/python3-aur|{{AUR|python3-aur}}}}<br />
<br />
* {{App|aurup|a command line tool to upload AUR packages|http://www.pierloz.com/Aurup/|{{AUR|aurup}}}}<br />
<br />
* {{App|burp|fast and simple AUR uploader written in C. Supports persistent cookies for seamless logins|https://github.com/falconindy/burp|{{pkg|burp}}}}<br />
<br />
== AUR search/build helpers ==<br />
This is a list of helper utilities that search and/or build packages.<br />
<br />
* {{App|[[aur.sh]]|A ~150 byte Bash script outside the package system that downloads and builds AUR packages named on the command line (and their dependencies). Useful for bootstrapping more full-featured AUR helpers. Note that the one-liner below fetches the script over plain HTTP and executes it without any integrity check; download and read it first if that concerns you.|https://github.com/stuartpb/aur.sh|4=<span class="plainlinks" style="font-family: monospace">bash <(curl [http://aur.sh/ aur.sh]) -si ''[package ...]''</span>}}<br />
<br />
* {{App|[[aura]]|a secure, multilingual package manager for Arch Linux written in Haskell. Has all pacman options, new ones for managing AUR packages, and a nifty logo.|https://github.com/fosskers/aura|{{AUR|aura}}}}<br />
<br />
* {{App|aurifere|AUR wrapper for lazy people in Python.|https://github.com/madjar/aurifere|{{AUR|aurifere-git}}}}<br />
<br />
* {{App|aurinstaller|a bug-ridden bash AUR helper.|https://github.com/umby213/aurinstaller|{{AUR|aurinstaller-git}}}}<br />
<br />
* {{App|aurnotify|a tool set to notify the status of your favorite packages from AUR.|http://adesklets.sourceforge.net/desklets.html|{{AUR|aurnotify}}}}<br />
<br />
* {{App|aurbuild|tool to download and build packages from the AUR.|http://aurbuild.berlios.de/|{{AUR|aurbuild}}}}<br />
<br />
* {{App|aurget|aims to be a simple, pacman-like interface to the AUR. It tries to make the AUR convenient, whether the user wishes to find, download, build, install, or update AUR packages quickly. Aurget does not wrap any pure pacman commands; this is by design.|http://pbrisbin.com/posts/aurget/|{{AUR|aurget}}}}<br />
<br />
* {{App|aurora|very simple frontend for the AUR. It allows the user to install AUR packages, download the AUR packages (for manual installation) and also offers an AUR upgrade feature. By design, aurora does not wrap pacman|http://bitbucket.org/bbenne10/aurora|{{AUR|aurora-hg}}}}<br />
<br />
* {{App|aurpac|light'n'fast AUR and pacman frontend|http://3ed.jogger.pl/2009/02/15/aurpac/|{{AUR|aurpac}}}}<br />
<br />
* {{App|aurquery|caching wrapper around the AUR's RPC interface using the python3-aur modules|http://xyne.archlinux.ca/projects/python3-aur|{{AUR|python3-aur}}}}<br />
<br />
* {{App|[[autoaur]]|script for automatic mass downloading, updating, building, and installing groups of AUR packages|https://github.com/stefanhusmann/autoaur|{{AUR|autoaur}}}}<br />
<br />
* {{App|1=cower|2=fast and simple AUR search and download agent, which will also check for updates and download dependencies.<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=97137 Forum page]|3=https://github.com/falconindy/cower|4={{AUR|cower}}}}<br />
<br />
* {{App|meat|front-end for cower (see above), fully written in bash<br />
:{{Note|Meat is currently in development/alpha state.}}|https://github.com/e36freak/meat|{{AUR|meat-git}}}}<br />
<br />
* {{App|1=owl|2=pacman and cower wrapper focused on simplicity<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=129609 Forum page]|3=https://github.com/baskerville/owl|4={{AUR|owl-git}}}}<br />
<br />
* {{App|1=[[pacaur]]|2=fast workflow AUR helper, using cower as backend. It aims at speed and simplicity, and is designed to minimize user prompt interaction and to use an uncluttered interface.<br />
:* [https://bbs.archlinux.org/viewtopic.php?pid=937423 Forum page]|3=https://github.com/Spyhawk/pacaur|4={{AUR|pacaur}}}}<br />
<br />
* {{App|1=packer|2=wrapper for pacman and the AUR. It was designed to be a simple and very fast replacement for the basic functionality of Yaourt. It has commands to install, update, search, and show information for any package in the main repositories and in the AUR. Use pacman for other commands, such as removing a package<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=88115 Forum page]<br />
:* [https://github.com/keenerd/packer/wiki Wiki]|3=https://github.com/keenerd/packer|4={{AUR|packer}}}}<br />
<br />
* {{App|1=paktahn|2=yaourt replacement. Includes improvements such as a local cache for fast searches and interactive installation. Last Updated: 2013-04-15 08:17<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=77674&p=1 Forum page]<br />
|3=https://github.com/skypher/paktahn|4={{AUR|paktahn}}}}<br />
<br />
* {{App|1=pbfetch|2=script which can be used as a pacman-independent AUR helper or as a pacman wrapper with additional AUR functionality. Pbfetch aims to be simpler and faster than the well-established yaourt. It can be used as a shortcut to simply download PKGBUILDs from the AUR or to build automatically with dependency resolution, among other things. The user can select which AUR packages to upgrade from a simple menu, or update all AUR packages at once<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=87789 Forum page]<br />
|3=https://github.com/dalingrin/pbfetch|4={{AUR|pbfetch-git}}}}<br />
<br />
* {{App|pbget|simple command-line tool for retrieving PKGBUILDs and local source files for Arch Linux. It is able to retrieve files from the official SVN and CVS web interface, the AUR and the ABS rsync server|http://xyne.archlinux.ca/projects/pbget|{{AUR|pbget}}}}<br />
<br />
* {{App|1=PKGBUILDer|2=a python3 AUR helper with dependency support. It was (probably) the first helper supporting updates through multiinfo. Contains many useful features and is written to be fast and verbose, to eliminate long waiting times.|3=https://github.com/Kwpolska/pkgbuilder|4={{AUR|pkgbuilder}}}}<br />
<br />
* {{App|1=pkgman|2=script which helps to manage a local repository. It retrieves the PKGBUILD and related files for given name from ABS or AUR and lets you edit them, automatically generates checksums, backs up the source tarball, builds and adds the package to your local repository. Then you can install it as usual with pacman. It also has AUR support for submitting tarballs and leaving comments<br />
:* [https://bbs.archlinux.org/viewtopic.php?id=49023 Forum page]<br />
|3=http://sourceforge.net/apps/mediawiki/pkgman/index.php|4={{AUR|pkgman}}}}<br />
<br />
* {{App|pywer|A python rewrite of cower with a library ({{ic|libaur}}) for use in python scripts, currently in development. It does not build packages. Checks for updates, searches for packages and maintainers and gets information on packages.|http://kaictl.net/docs/pywer/ https://github.com/KaiSforza/pywer|{{AUR|python-pywer-git}}}}<br />
<br />
* {{App|spinach|just another bash AUR helper|http://floft.net/wiki/Scripts/Spinach|{{AUR|spinach}}}}<br />
<br />
* {{App|1=srcman|2=pacman/makepkg wrapper written in Bash, which transparently handles pacman operations on 'source packages'. This means, for example, that packages can be specified for installation either explicitly (pacman's {{Ic|-U}} operation) or can be installed from a (source) repository (-S operation). The address of an AUR pacman database can be found in the corresponding forum thread, by the way. The primary goal of this project is to provide a complete pacman wrapper and therefore, srcman supports all current pacman operations for binary ''and'' source packages|3=https://bbs.archlinux.org/viewtopic.php?id=65501|4={{AUR|srcman}}}}<br />
<br />
* {{App|trizen|A lightweight wrapper for AUR in Perl.|https://github.com/trizen/trizen|{{AUR|trizen}}}}<br />
<br />
* {{App|yaah|A minimalist wrapper for AUR in Bash.|https://bitbucket.org/the_metalgamer/yaah/|{{AUR|yaah}}}}<br />
<br />
* {{App|[[yaourt]] (Yet Another User Repository Tool)|community-contributed wrapper for pacman which adds seamless access to the AUR, allowing and automating package compilation and installation from your choice of the thousands of PKGBUILDs in the AUR, in addition to the many thousands of available Arch binary packages. Yaourt uses the same exact syntax as pacman, which saves you from relearning an entirely new method of system maintenance, but also adds new options. Yaourt expands the power and simplicity of pacman by adding even more useful features and provides pleasing, colorized output, interactive search mode, and much more|http://archlinux.fr/yaourt-en|{{AUR|yaourt}}}}<br />
<br />
== AUR maintaining helpers ==<br />
* {{App|1=pkgcheck|2=Uses rules in PKGBUILDs to parse upstream version information, or looks for changes by checksumming the web page|3=https://bbs.archlinux.org/viewtopic.php?id=162816|4=Repository: [https://github.com/onny/pkgcheck Github]}}<br />
<br />
* {{App|pkgbuild-watch|Looks for changes on the upstream web pages|http://kmkeen.com/pkgbuild-watch|{{AUR|pkgbuild-watch}}}}<br />
<br />
* {{App|pkglivecheck|Parses the source URL from PKGBUILDs and tries to find new versions of packages by incrementing the version number and sending requests to the web server|https://mailman.archlinux.org/pipermail/pacman-dev/2013-April/017048.html|Repository: [https://github.com/anatol/pkglivecheck Github]}}<br />
<br />
== Others ==<br />
Other useful libraries.<br />
<br />
* {{App|haskell-archlinux|library to programmatically access the AUR and package metadata from the Haskell programming language|http://hackage.haskell.org/package/archlinux|{{AUR|haskell-archlinux}}}}<br />
<br />
* {{App|parched|pacman package and PKGBUILD parser module written in python|https://github.com/sebnow/parched|{{AUR|parched-git}}}}<br />
<br />
== Quick Comparison Table ==<br />
<br />
{{note|''Secure'' means that, by default, the application does not source the PKGBUILD at all, or reminds the user and offers the opportunity to inspect it manually before doing so. A PKGBUILD is a Bash script: sourcing it executes every top-level statement in it with the privileges of the user running the helper. Some helpers are known to source PKGBUILDs before the user can inspect them, for example to resolve dependencies, which lets a malicious PKGBUILD run code before any review takes place.}}<br />
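As an added illustration of the note above (an example script written for this page, not code from any of the helpers listed here): a constructed PKGBUILD whose top-level "payload" line stands in for anything a malicious maintainer could put there, read once by sourcing it, the way an insecure helper resolves dependencies, and once with a text-only parser that never executes it. The package name, the download URL and the payload are made up.

```shell
#!/usr/bin/env bash
# Added example (not from the wiki page or any AUR helper): sourcing a
# PKGBUILD to read depends= executes whatever the file contains; reading it
# as text does not.

# Constructed PKGBUILD text. The line marked "payload" runs the moment the
# file is sourced.
sample_pkgbuild() {
  cat <<'EOF'
# Maintainer: nobody <nobody@example.invalid>
pkgname=sourcing-demo
pkgver=1.2.3
pkgrel=1
arch=('any')
depends=('bash' 'curl')
makedepends=('git')
source=("https://example.invalid/${pkgname}-${pkgver}.tar.gz")
PAYLOAD_RAN=1; echo "payload ran as $(id -un)" >&2   # payload
build() { :; }
package() { :; }
EOF
}

# The unsafe pattern: source the file so that $depends and friends are
# populated. Done in a child bash so the payload cannot touch this shell.
# Prints 1 if the payload executed.
payload_runs_when_sourced() {
  tmp=$(mktemp) || return 1
  sample_pkgbuild >"$tmp"
  bash -c '. "$1"; printf "%s" "${PAYLOAD_RAN:-0}"' _ "$tmp"
  rm -f "$tmp"
}

# The safer pattern: treat the PKGBUILD as text. Handles one-line scalar
# (field=value) and one-line array (field=('a' "b" c)) assignments. Values
# built from other variables, e.g. ${pkgname}, come back unexpanded; that is
# precisely what a static reader cannot know without running the script.
pkgbuild_field() {
  field=$1
  printf '%s\n' "$2" | sed -n -E \
    -e "s/^${field}=\(([^)]*)\).*/\1/p" \
    -e "s/^${field}=([^(][^[:space:]#]*).*/\1/p" \
    | tr -s ' ' '\n' | sed -E "s/^['\"]//; s/['\"]$//" | sed '/^$/d'
}

# Prints 1 if the payload executed during a text-only read (it must not).
payload_runs_when_parsed() {
  PAYLOAD_RAN=0
  pkgbuild_field depends "$(sample_pkgbuild)" >/dev/null
  printf '%s' "$PAYLOAD_RAN"
}
```

Helpers marked ''Secure'' above either use a text reader of this kind (or the AUR RPC interface, which already carries the dependency list) for the dependency step, or stop and show the PKGBUILD before the first time it is sourced by makepkg.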
<br />
{| border="1" cellpadding="4" cellspacing="0" <br />
! Name !! Written in !! Active Project !! Official Repo support !! Pacman-like Syntax !! Shell Tab Completion !! Secure (<small>see&nbsp;note&nbsp;above</small>) !! Multilingual !! Specificity<br />
|- <br />
! [[aura]] <br />
| Haskell || {{Yes}} || {{Yes}} || {{Yes}} || Bash/zsh || {{Yes}} || {{Yes}} || Handles Backups, Downgrades, ABS Support<br />
|-<br />
! aurget<br />
| Bash || {{Yes}} || {{No}} || {{Yes}} || Bash || {{No}} || {{No}} || -<br />
|-<br />
! aurora<br />
| Python3 || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || -<br />
|-<br />
! cower<br />
| C || {{Yes}} || {{No}} || {{No}} || Bash/zsh || {{Yes}} || {{No}} || Minimalist helper without automatic build support.<br />
|-<br />
! owl<br />
| Dash || {{Yes}} || {{Yes}} || {{No}} || Bash || {{Yes}} || {{No}} || -<br />
|-<br />
! [[pacaur]]<br />
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || Bash || optional || {{Yes}} || Minimize user interaction.<br />
|-<br />
! packer<br />
| Bash || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || -<br />
|-<br />
! paktahn<br />
| Lisp || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || -<br />
|-<br />
! pbfetch<br />
| Bash || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}} || {{No}} || -<br />
|-<br />
! PKGBUILDer<br />
| Python3 || {{Yes}} || {{Yes}} ({{Ic|pb}} command) || {{No}} || {{No}} || {{No}} || {{Yes}} || - <br />
|-<br />
! pywer<br />
| Python3 || {{Yes}} || {{No}} (read only libaur.repos) || {{No}} || {{Yes}} (zsh) || {{Yes}} || {{No}} || Includes python3 {{ic|libaur}} library<br />
|-<br />
! spinach<br />
| Bash || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{Yes}} || {{No}} || -<br />
|-<br />
! yaah<br />
| Bash || {{Yes}} || {{No}} || {{No}} || Bash || {{Yes}} || {{No}} || Minimalist helper without automatic build support.<br />
|-<br />
! [[yaourt]]<br />
| Bash/C || {{Yes}} || {{Yes}} || {{Yes}} || Bash/zsh/fish || {{Yes}} || {{Yes}} || Handles Backups, ABS support<br />
|}<br />
<br />
== See also ==<br />
* [[pacman GUI Frontends]]</div>
Jrussell
https://wiki.archlinux.org/index.php?title=Beginners%27_guide&diff=268788
Beginners' guide 2013-07-30T11:12:53Z <p>Jrussell: changed APPEND line from ro to rw as in syslinux's new config file</p>
<hr />
<div><noinclude><br />
[[Category:Getting and installing Arch]]<br />
[[Category:About Arch]]<br />
[[ar:Beginners' Guide/Installation]]<br />
[[da:Beginners' Guide/Installation]]<br />
[[es:Beginners' Guide/Installation]]<br />
[[hr:Beginners' Guide/Installation]]<br />
[[hu:Beginners' Guide/Installation]]<br />
[[it:Beginners' Guide/Installation]]<br />
[[ja:Beginners' Guide/Installation]]<br />
[[ko:Beginners' Guide/Installation]]<br />
[[nl:Beginners' Guide/Installatie]]<br />
[[pl:Beginners' Guide/Installation]]<br />
[[pt:Beginners' Guide/Installation]]<br />
[[ro:Ghidul începătorilor/Instalare]]<br />
[[ru:Beginners' Guide/Installation]]<br />
[[sr:Beginners' Guide/Installation]]<br />
[[zh-CN:Beginners' Guide/Installation]]<br />
[[zh-TW:Beginners' Guide/Installation]]<br />
{{Tip|This is part of a multi-page article for The Beginners' Guide. '''[[Beginners' Guide|Click here]]''' if you would rather read the guide in its entirety.}}<br />
</noinclude><br />
== Installation ==<br />
<br />
You are now presented with a shell prompt, automatically logged in as root.<br />
<br />
=== Change the language ===<br />
<br />
{{Tip|These are optional for the majority of users. Useful only if you plan on writing in your own language in any of the configuration files, if you use diacritical marks in the Wi-Fi password, or if you would like to receive system messages (e.g. possible errors) in your own language.}}<br />
<br />
By default, the keyboard layout is set to {{ic|us}}. If you have a non-[[Wikipedia:File:KB United States-NoAltGr.svg|US]] keyboard layout, run:<br />
<br />
# loadkeys ''layout''<br />
<br />
...where ''layout'' can be {{ic|fr}}, {{ic|uk}}, {{ic|dvorak}}, {{ic|be-latin1}}, etc. See [[KEYMAP#Keyboard layouts|here]] for a comprehensive list.<br />
<br />
The font should also be changed, because most languages use more glyphs than the 26 letter [[Wikipedia:English alphabet|English alphabet]]. Otherwise some foreign characters may show up as white squares or as other symbols. Note that the name is case-sensitive, so please type it ''exactly'' as you see it:<br />
<br />
# setfont Lat2-Terminus16<br />
<br />
By default, the language is set to English (US). If you would like to change the language for the install process ''(German, in this example)'', remove the {{ic|#}} in front of the [http://www.greendesktiny.com/support/knowledgebase_detail.php?ref=EUH-483 locale] you want from {{ic|/etc/locale.gen}}, along with English (US). Please choose the {{ic|UTF-8}} entry.<br />
<br />
Use {{ic|Ctrl+X}} to exit, and when prompted to save changes, press {{ic|Y}} and {{ic|Enter}} to use the same filename.<br />
<br />
{{hc|# nano /etc/locale.gen|<br />
en_US.UTF-8 UTF-8<br />
de_DE.UTF-8 UTF-8}}<br />
<br />
# locale-gen<br />
# export LANG=de_DE.UTF-8<br />
<br />
Remember, {{ic|LAlt+LShift}} activates and deactivates the keymap.<br />
<br />
=== Establish an internet connection ===<br />
<br />
{{Warning|As of v197, udev no longer assigns network interface names according to the wlanX and ethX naming scheme. If you are coming from a different distribution or are reinstalling Arch and not aware of the new interface naming style, please do not assume that your wireless interface is named wlan0, or that your wired interface is named eth0. You can use the command {{ic|ip link}} to discover the names of your interfaces.}}<br />
<br />
The {{ic|dhcpcd}} network daemon starts automatically during boot and it will attempt to start a wired connection. Try to ping a server to see if a connection was established. For example, Google's webservers:<br />
<br />
{{hc|# ping -c 3 www.google.com|2=<br />
PING www.l.google.com (74.125.132.105) 56(84) bytes of data.<br />
64 bytes from wb-in-f105.1e100.net (74.125.132.105): icmp_req=1 ttl=50 time=17.0 ms<br />
64 bytes from wb-in-f105.1e100.net (74.125.132.105): icmp_req=2 ttl=50 time=18.2 ms<br />
64 bytes from wb-in-f105.1e100.net (74.125.132.105): icmp_req=3 ttl=50 time=16.6 ms<br />
<br />
--- www.l.google.com ping statistics ---<br />
3 packets transmitted, 3 received, 0% packet loss, time 2003ms<br />
rtt min/avg/max/mdev = 16.660/17.320/18.254/0.678 ms}}<br />
<br />
If you get a {{ic|ping: unknown host}} error, first check if there is an issue with your cable or wireless signal strength. If not, you will need to set up the network manually, as explained below. Once a connection is established move on to [[#Prepare the storage drive|Prepare the storage drive]].<br />
<br />
==== Wired ====<br />
<br />
Follow this procedure if you need to set up a wired connection via a static IP address.<br />
<br />
First, disable the dhcpcd service which was started automatically at boot:<br />
<br />
# systemctl stop dhcpcd.service<br />
<br />
Identify the name of your Ethernet interface.<br />
<br />
{{hc|# ip link|<br />
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT<br />
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br />
2: enp2s0f0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT qlen 1000<br />
link/ether 00:11:25:31:69:20 brd ff:ff:ff:ff:ff:ff<br />
3: wlp3s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DORMANT qlen 1000<br />
link/ether 01:02:03:04:05:06 brd ff:ff:ff:ff:ff:ff}}<br />
<br />
In this example, the Ethernet interface is {{ic|enp2s0f0}}. If you are unsure, your Ethernet interface is likely to start with the letter "e", and unlikely to be "lo" or start with the letter "w". You can also use {{ic|iwconfig}} and see which interfaces are not wireless:<br />
<br />
{{hc|# iwconfig|2=<br />
enp2s0f0 no wireless extensions.<br />
wlp3s0 IEEE 802.11bgn ESSID:"NETGEAR97"<br />
Mode:Managed Frequency:2.427 GHz Access Point: 2C:B0:5D:9C:72:BF<br />
Bit Rate=65 Mb/s Tx-Power=16 dBm<br />
Retry long limit:7 RTS thr:off Fragment thr:off<br />
Power Management:on<br />
Link Quality=61/70 Signal level=-49 dBm<br />
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0<br />
Tx excessive retries:0 Invalid misc:430 Missed beacon:0<br />
lo no wireless extensions.}}<br />
<br />
In this example, neither {{ic|enp2s0f0}} nor the loopback device have wireless extensions, meaning {{ic|enp2s0f0}} is our Ethernet interface.<br />
<br />
You also need to know these settings:<br />
<br />
* Static IP address.<br />
* Subnet mask.<br />
* Gateway's IP address.<br />
* Name servers' (DNS) IP addresses.<br />
* Domain name (unless you are on a local LAN, in which case you can make it up).<br />
<br />
Activate the connected Ethernet interface (e.g. {{ic|enp2s0f0}}):<br />
<br />
# ip link set enp2s0f0 up<br />
<br />
Add the address:<br />
<br />
# ip addr add ''ip_address''/''subnetmask'' dev ''interface_name''<br />
<br />
For example:<br />
<br />
# ip addr add 192.168.1.2/24 dev enp2s0f0<br />
<br />
For more options, run {{ic|man ip}}.<br />
<br />
Add your gateway like this, substituting your own gateway's IP address:<br />
<br />
# ip route add default via ''ip_address''<br />
<br />
For example:<br />
<br />
# ip route add default via 192.168.1.1<br />
<br />
Edit {{ic|resolv.conf}}, substituting your name servers' IP addresses and your local domain name:<br />
<br />
{{hc|# nano /etc/resolv.conf|<br />
nameserver 61.23.173.5<br />
nameserver 61.95.84.8<br />
search example.com}}<br />
<br />
{{Note|Currently, you may include a maximum of three {{ic|nameserver}} lines. In order to overcome this limitation, you can use a locally caching nameserver like [[Dnsmasq]]. }}<br />
<br />
You should now have a working network connection. If you do not, check the detailed [[Network Configuration]] page.<br />
<br />
==== Wireless ====<br />
<br />
Follow this procedure if you need wireless connectivity (Wi-Fi) during the installation process.<br />
<br />
First, identify the name of your wireless interface.<br />
<br />
{{hc|# iw dev|2=<br />
phy#0<br />
Interface wlp3s0<br />
ifindex 3<br />
wdev 0x1<br />
addr 00:21:6a:5e:52:bc<br />
type managed<br />
}}<br />
<br />
In this example, {{ic|wlp3s0}} is the available wireless interface. If you are unsure, your wireless interface is likely to start with the letter "w", and unlikely to be "lo" or start with the letter "e". <br />
<br />
{{Note|If you do not see output similar to this, then your wireless driver has not been loaded. If this is the case, you must load the driver yourself. Please see [[Wireless Setup]] for more detailed information.}}<br />
<br />
Bring the interface up with:<br />
<br />
# ip link set wlp3s0 up<br />
<br />
A small percentage of wireless chipsets also require firmware, in addition to a corresponding driver. If you get output like {{ic|SIOCSIFFLAGS: No such file or directory}}, this means you will need to manually load the firmware. If unsure, invoke {{ic|dmesg}} to query the kernel log for a firmware request from the wireless chipset. For example, if you have an Intel chipset which requires and has requested firmware from the kernel at boot:<br />
<br />
{{hc|# dmesg <nowiki>|</nowiki> grep firmware|<br />
firmware: requesting iwlwifi-5000-1.ucode}}<br />
<br />
If there is no output, it may be concluded that the system's wireless chipset does not require firmware.<br />
<br />
{{Warning|Wireless chipset firmware packages (for cards which require them) are pre-installed under {{ic|/usr/lib/firmware}} in the live environment (on CD/USB stick) '''but must be explicitly installed to your actual system to provide wireless functionality after you reboot into it!''' Package installation is covered later in this guide. Ensure installation of both your wireless module and firmware before rebooting! See [[Wireless Setup]] if you are unsure about the requirement of corresponding firmware installation for your particular chipset.}}<br />
<br />
Next, use {{Pkg|netctl}}'s {{ic|wifi-menu}} to connect to a network:<br />
<br />
# wifi-menu wlp3s0<br />
<br />
You should now have a working network connection. If you do not, check the detailed [[Wireless Setup]] page.<br />
<br />
Alternatively, use {{ic|iw dev wlp3s0 scan <nowiki>|</nowiki> grep SSID}} to scan for available networks, then connect to a network with:<br />
<br />
# wpa_supplicant -B -i wlp3s0 -c <(wpa_passphrase "''ssid''" "''psk''")<br />
<br />
You need to replace ''ssid'' with the name of your network (e.g. "Linksys etc...") and ''psk'' with your wireless password, '''leaving the quotes around the network name and password.''' Be aware that, written this way, the password ends up in the shell history and is briefly visible in the process list while {{ic|wpa_passphrase}} runs; clear the history afterwards if other users share the machine.<br />
<br />
Finally, you have to give your interface an IP address. This can be set manually or obtained with DHCP:<br />
<br />
# dhcpcd wlp3s0<br />
<br />
If that does not work, write a persistent configuration and start ''wpa_supplicant'' from it. Note that {{ic|wpa_passphrase}} puts the plaintext passphrase into its output as a {{ic|#psk&#61;"..."}} comment line next to the derived hex key; delete that line, and keep the file readable by root only, since the hex key alone is enough to join the network:<br />
<br />
# echo 'ctrl_interface=DIR=/run/wpa_supplicant' > /etc/wpa_supplicant.conf<br />
# wpa_passphrase ''ssid'' ''passphrase'' >> /etc/wpa_supplicant.conf<br />
# chmod 600 /etc/wpa_supplicant.conf<br />
# ip link set ''interface'' up<br />
# wpa_supplicant -B -D nl80211 -c /etc/wpa_supplicant.conf -i ''interface''<br />
# dhcpcd -A ''interface''<br />
<br />
The {{ic|ip link set ''interface'' up}} step may be redundant, as ''dhcpcd'' brings the interface up itself, but ''wpa_supplicant'' needs the interface up before it can associate.<br />
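An added example (written for this page, not part of the guide or of wpa_supplicant) that handles the plaintext-leak problem from the previous step: the output of {{ic|wpa_passphrase}} is reproduced from a constructed sample so the script runs offline, the {{ic|#psk}} comment line is dropped, the remaining {{ic|psk}} is checked to be a 64-digit hex key rather than a quoted passphrase, and the file is created with mode 0600. The SSID, passphrase and hex key below are made up, not a real derivation.

```shell
#!/usr/bin/env bash
# Added example, not from the wiki page: build a wpa_supplicant.conf that
# keeps the derived PSK but not the plaintext passphrase, owner-readable only.

# Constructed stand-in for the output of:
#   wpa_passphrase "Linksys etc..." "hunter2hunter2"
# (the hex psk is made up; wpa_passphrase's format is what matters here)
sample_wpa_passphrase_output() {
  cat <<'EOF'
network={
    ssid="Linksys etc..."
    #psk="hunter2hunter2"
    psk=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
}
EOF
}

# Removes the #psk="..." comment. Refuses input whose psk= line is not a
# 64-digit hex key, i.e. still a quoted plaintext passphrase.
sanitize_network_block() {
  block=$1
  printf '%s\n' "$block" \
    | grep -Eq '^[[:space:]]*psk=[0-9a-fA-F]{64}[[:space:]]*$' || return 1
  printf '%s\n' "$block" | grep -Ev '^[[:space:]]*#psk='
}

# Full configuration: control socket for wpa_cli plus the sanitized block.
render_wpa_conf() {
  net=$(sanitize_network_block "$1") || return 1
  printf 'ctrl_interface=DIR=/run/wpa_supplicant\n%s\n' "$net"
}

# Creates the file under umask 077 so it is 0600 from the first byte; the
# hex PSK is sufficient to join the network and must not be world-readable.
write_wpa_conf() {
  path=$1 block=$2
  conf=$(render_wpa_conf "$block") || return 1
  ( umask 077 && printf '%s\n' "$conf" > "$path" )
}

# Typical use, as root:
#   write_wpa_conf /etc/wpa_supplicant.conf "$(wpa_passphrase "$ssid" "$psk")"
```

Creating the file under a restrictive umask is preferable to creating it and then running {{ic|chmod}}, because the second approach leaves a window in which the file is readable by everyone.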
<br />
==== Analog modem, ISDN or PPPoE DSL ====<br />
<br />
For xDSL, dial-up and ISDN connections, see [[Direct Modem Connection]].<br />
<br />
==== Behind a proxy server ====<br />
<br />
If you are behind a proxy server, you will need to export the {{ic|http_proxy}} and {{ic|ftp_proxy}} environment variables. See [[Proxy settings]] for more information.<br />
<br />
=== Prepare the storage drive ===<br />
<br />
{{Warning|Partitioning can destroy data. You are '''strongly''' cautioned and advised to backup any critical data before proceeding.}}<br />
<br />
==== Choose a partition table type ====<br />
<br />
You have to choose between [[GUID Partition Table]] (GPT) and [[Master Boot Record]] (MBR). GPT is more modern and recommended for new installations.<br />
<br />
* If you want to set up a system which dual boots with Windows, you have to pay special attention to this choice. See [[Partitioning#Choosing_between_GPT_and_MBR]] for the gory details.<br />
* It is recommended to always use GPT for UEFI boot, as some UEFI firmware does not allow UEFI-MBR boot.<br />
* Some BIOS systems may have issues with GPT. See http://mjg59.dreamwidth.org/8035.html and http://rodsbooks.com/gdisk/bios.html for more info and possible workarounds.<br />
<br />
{{Note|If you are installing to a USB flash key, see [[Installing Arch Linux on a USB key]].}}<br />
<br />
==== Partitioning tool ====<br />
<br />
Absolute beginners are encouraged to use a graphical partitioning tool. [http://gparted.sourceforge.net/download.php GParted] is a good example, and is [http://gparted.sourceforge.net/livecd.php provided as a "live" CD]. It is also included on live CDs of most Linux distributions such as [[Wikipedia:Ubuntu (operating system)|Ubuntu]] and [[Wikipedia:Linux Mint|Linux Mint]]. A drive should first be [[partitioning|partitioned]] and the partitions should be formatted with a [[File Systems|file system]] before rebooting.<br />
<br />
{{Tip|When using Gparted, selecting the option to create a new partition table gives an "msdos" partition table by default. If you are intending to follow the advice to create a GPT partition table then you need to choose "Advanced" and then select "gpt" from the drop-down menu.}}<br />
<br />
While gparted may be easier to use, if you just want to create a few partitions on a new disk you can get the job done quickly by just using one of the [[Partitioning#Partitioning_tools|fdisk variants]] which are included on the install medium. There are short usage instructions for both [[Partitioning#Gdisk_usage_summary|gdisk]] and [[Partitioning#Fdisk_usage_summary|fdisk]].<br />
<br />
==== Partition scheme ====<br />
<br />
You can decide into how many partitions the disk should be split, and for which directory each partition should be used in the system. The mapping from partitions to directories (frequently called 'mount points') is the [[Partitioning#Partition_scheme|Partition scheme]]. The simplest, and not a bad choice, is to make just one huge {{ic|/}} partition. Another popular choice is to have a {{ic|/}} and a {{ic|/home}} partition.<br />
<br />
{{Box BLUE|Additional required partitions:|<br />
* If you have a [[UEFI]] motherboard, you will need to create an extra [[Unified Extensible Firmware Interface#EFI System Partition|UEFI System Partition]].<br />
* If you have a BIOS motherboard (or plan on booting in BIOS compatibility mode) and you want to setup GRUB on a GPT-partitioned drive, you will need to create an extra [[GRUB#GUID Partition Table (GPT) specific instructions|BIOS Boot Partition]] of size 1007 KiB and {{ic|EF02}} type code. Syslinux does not need one.<br />
}}<br />
<br />
See [[Swap]] for details if you wish to set up a swap partition or swap file. A swap file is easier to resize than a partition and can be created at any point after installation, but cannot be used with a Btrfs filesystem.<br />
<br />
==== Considerations for dualbooting with windows ====<br />
<br />
If you have an existing OS installation, keep in mind that writing a completely new partition table to the disk destroys all the data that was previously on it.<br />
<br />
The recommended way to set up a Linux/Windows dual-booting system is to first install Windows, using only part of the disk for its partitions. When the Windows setup has finished, boot into the Linux install environment, where you can create additional partitions for Linux while leaving the existing Windows partitions untouched.<br />
<br />
Some newer computers come pre-installed with Windows 8, which uses Secure Boot. Arch Linux currently does not support Secure Boot, and some Windows 8 installations have been seen not to boot once Secure Boot is turned off in the BIOS. In some cases both Secure Boot and Fastboot must be turned off in the BIOS options for Windows 8 to boot without Secure Boot, which has security implications of its own for the Windows side. It may therefore be better to keep the Windows 8 install intact and give Linux an independent hard drive, which can then be partitioned from scratch with a GPT partition table and the ext4/FAT32/swap partitions you need. This requires a second drive and is often not easy or possible on a small laptop. Currently, Secure Boot is still not in a fully stable state for reliable operation, even for the Linux distributions that support it.<br />
<br />
If you have already created your partitions, proceed to [[#Create_filesystems|Create filesystems]].<br />
<br />
Otherwise, see the following example.<br />
<br />
==== Example ====<br />
<br />
The Arch Linux install media includes the following partitioning tools: {{ic|fdisk}}, {{ic|gdisk}}, {{ic|cfdisk}}, {{ic|cgdisk}}, {{ic|parted}}.<br />
<br />
{{Tip|Use the {{ic|lsblk}} command to list the hard disks attached to your system, along with the sizes of their existing partitions. This will help you to be confident you are partitioning the right disk.}}<br />
<br />
The example system will contain a 15 GB root partition, and a [[Partitioning#/home|home]] partition for the remaining space. Choose either [[MBR]] or [[GPT]]. Do not choose both!<br />
<br />
It should be emphasized that partitioning is a personal choice and that this example is only for illustrative purposes. See [[Partitioning]].<br />
<br />
===== Using cgdisk to create GPT partitions =====<br />
<br />
# cgdisk&nbsp;/dev/sda<br />
<br />
;Root:<br />
* Choose ''New'' (or press {{ic|N}}) – {{ic|Enter}} for the first sector (2048) – type in {{ic|15G}} – {{ic|Enter}} for the default hex code (8300) – {{ic|Enter}} for a blank partition name.<br />
<br />
;Home:<br />
* Press the down arrow a couple of times to move to the larger free space area.<br />
* Choose ''New'' (or press {{ic|N}}) – {{ic|Enter}} for the first sector – {{ic|Enter}} to use the rest of the drive (or you could type in the desired size; for example {{ic|30G}}) – {{ic|Enter}} for the default hex code (8300) – {{ic|Enter}} for a blank partition name.<br />
<br />
Here is what it should look like:<br />
<br />
{{bc|<br />
Part. #    Size        Partition Type      Partition Name<br />
----------------------------------------------------------------<br />
           1007.0 KiB  free space<br />
   1       15.0 GiB    Linux filesystem<br />
   2       123.45 GiB  Linux filesystem<br />
}}<br />
<br />
Double check and make sure that you are happy with the partition sizes as well as the partition table layout before continuing.<br />
<br />
If you would like to start over, you can simply select ''Quit'' (or press {{ic|Q}}) to exit without saving changes and then restart ''cgdisk''.<br />
<br />
If you are satisfied, choose ''Write'' (or press {{ic|Shift+W}}) to finalize and to write the partition table to the drive. Type {{ic|yes}} and choose ''Quit'' (or press {{ic|Q}}) to exit without making any more changes.<br />
<br />
===== Using fdisk to create MBR partitions =====<br />
{{Note|There is also ''cfdisk'', which is similar in UI to ''cgdisk'', but it currently does not automatically align the first partition properly. That is why the classic ''fdisk'' tool is used here.}}<br />
<br />
Launch ''fdisk'' with:<br />
<br />
# fdisk /dev/sda<br />
<br />
Create the first partition:<br />
<br />
# {{ic|Command (m for help):}} type {{ic|n}} and press {{ic|Enter}}<br />
# Partition type: {{ic|Select (default p):}} press {{ic|Enter}}<br />
# {{ic|Partition number (1-4, default 1):}} press {{ic|Enter}}<br />
# {{ic|First sector (2048-209715199, default 2048):}} press {{ic|Enter}}<br />
# {{ic|Last sector, +sectors or +size{K,M,G} (2048-209715199....., default 209715199):}} type {{ic|+15G}} and press {{ic|Enter}}<br />
<br />
Then create a second partition:<br />
<br />
# {{ic|Command (m for help):}} type {{ic|n}} and press {{ic|Enter}}<br />
# Partition type: {{ic|Select (default p):}} press {{ic|Enter}}<br />
# {{ic|Partition number (1-4, default 2):}} press {{ic|Enter}}<br />
# {{ic|First sector (31459328-209715199, default 31459328):}} press {{ic|Enter}}<br />
# {{ic|Last sector, +sectors or +size{K,M,G} (31459328-209715199....., default 209715199):}} press {{ic|Enter}}<br />
<br />
Now preview the new partition table:<br />
<br />
* {{ic|Command (m for help):}} type {{ic|p}} and press {{ic|Enter}}<br />
<br />
{{bc|<br />
Disk /dev/sda: 107.4 GB, 107374182400 bytes, 209715200 sectors<br />
Units &#61; sectors of 1 * 512 &#61; 512 bytes<br />
Sector size (logical/physical): 512 bytes / 512 bytes<br />
I/O size (minimum/optimal): 512 bytes / 512 bytes<br />
Disk identifier: 0x5698d902<br />
<br />
Device Boot Start End Blocks Id System<br />
/dev/sda1 2048 31459327 15728640 83 Linux<br />
/dev/sda2 31459328 209715199 89127936 83 Linux<br />
}}<br />
<br />
Then write the changes to disk:<br />
<br />
* {{ic|Command (m for help):}} type {{ic|w}} and press {{ic|Enter}}<br />
<br />
If everything went well fdisk will now quit with the following message:<br />
{{bc|<br />
The partition table has been altered!<br />
<br />
Calling ioctl() to re-read partition table.<br />
Syncing disks. <br />
}}<br />
<br />
In case this does not work because ''fdisk'' encountered an error, you can use the {{ic|q}} command to exit without writing any changes to the disk.<br />
<br />
==== Create filesystems ====<br />
<br />
Simply partitioning is not enough; the partitions also need a [[File Systems|filesystem]]. To format the partitions with an ext4 filesystem:<br />
<br />
{{Warning|Double check and triple check that it is actually {{ic|/dev/sda1}} and {{ic|/dev/sda2}} that you want to format. You can use {{ic|lsblk}} to help with this.}}<br />
<br />
# mkfs.ext4 /dev/sda1<br />
# mkfs.ext4 /dev/sda2<br />
<br />
If you have made a partition dedicated to swap (code 82), do not forget to format and activate it with:<br />
<br />
# mkswap /dev/sda''X''<br />
# swapon /dev/sda''X''<br />
<br />
For UEFI, you should format the ESP partition (usually sda1) with:<br />
# mkfs.vfat -F32 /dev/sda1<br />
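<br />
The warning above says to double check the device names with {{ic|lsblk}} before formatting. The following is an added example, not part of the Beginners' Guide, of a small pre-flight check that does that mechanically: it parses the {{ic|key&#61;"value"}} output of {{ic|lsblk -P -o NAME,SIZE,FSTYPE,MOUNTPOINT}} and refuses a target that is mounted, already carries a filesystem, or is not listed at all. The {{ic|lsblk}} sample it runs against is constructed for this example; the function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the Beginners' Guide: a pre-flight check to run
# before each mkfs/mkswap. It parses the key="value" output of
#   lsblk -P -o NAME,SIZE,FSTYPE,MOUNTPOINT
# and refuses a target that lsblk does not know, that is mounted, or that
# already carries a filesystem, so that a typo such as sdb1 for sda1 is
# caught before the old contents are destroyed.

# Constructed sample of `lsblk -P -o NAME,SIZE,FSTYPE,MOUNTPOINT` output:
# a fresh install disk (sda), a data disk mounted at /data (sdb) and a
# Windows disk (sdc). Names and sizes are made up for this example.
SAMPLE_LSBLK='NAME="sda" SIZE="100G" FSTYPE="" MOUNTPOINT=""
NAME="sda1" SIZE="15G" FSTYPE="" MOUNTPOINT=""
NAME="sda2" SIZE="85G" FSTYPE="" MOUNTPOINT=""
NAME="sdb" SIZE="500G" FSTYPE="" MOUNTPOINT=""
NAME="sdb1" SIZE="500G" FSTYPE="ext4" MOUNTPOINT="/data"
NAME="sdc" SIZE="250G" FSTYPE="" MOUNTPOINT=""
NAME="sdc1" SIZE="250G" FSTYPE="ntfs" MOUNTPOINT=""'

# lsblk_field "<lsblk -P line>" KEY: prints the value of one key="value" pair.
lsblk_field() {
    printf '%s\n' "$1" | sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p"
}

# check_format_target /dev/sdXN "<lsblk -P output>"
# Returns 0 when the partition is safe to format, 1 if it is mounted,
# 2 if it already holds a filesystem, 3 if lsblk does not list it.
check_format_target() {
    dev=${1#/dev/}
    # The trailing space after the closing quote keeps sda1 from matching sda10.
    line=$(printf '%s\n' "$2" | grep "^NAME=\"$dev\" " || true)
    if [ -z "$line" ]; then
        echo "refuse: /dev/$dev is not listed by lsblk" >&2
        return 3
    fi
    mnt=$(lsblk_field "$line" MOUNTPOINT)
    fs=$(lsblk_field "$line" FSTYPE)
    if [ -n "$mnt" ]; then
        echo "refuse: /dev/$dev is mounted on $mnt" >&2
        return 1
    fi
    if [ -n "$fs" ]; then
        echo "refuse: /dev/$dev already contains a $fs filesystem" >&2
        return 2
    fi
    echo "ok: /dev/$dev ($(lsblk_field "$line" SIZE)) is unmounted and has no filesystem"
    return 0
}

# On the live system the call would be:
#   check_format_target /dev/sda1 "$(lsblk -P -o NAME,SIZE,FSTYPE,MOUNTPOINT)" && mkfs.ext4 /dev/sda1
# Here it runs against the constructed sample instead.
check_format_target /dev/sda1 "$SAMPLE_LSBLK"
```
<br />
Because the check only reads {{ic|lsblk}} output, it cannot tell a freshly created but wrongly sized partition from the right one; it catches the mounted-disk and existing-filesystem mistakes, the partition table itself is still yours to verify.<br />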
<br />
=== Mount the partitions ===<br />
<br />
Each partition is identified with a number suffix. For example, {{ic|sda1}} specifies the first partition of the first drive, while {{ic|sda}} designates the entire drive.<br />
<br />
To display the current partition layout:<br />
<br />
# lsblk /dev/sda<br />
<br />
{{Note|Do not mount more than one partition to the same directory. And pay attention, because the mounting order is important.}}<br />
<br />
First, mount the root partition on {{ic|/mnt}}. Following the example above (yours may be different), it would be:<br />
<br />
# mount /dev/sda1 /mnt<br />
<br />
Then mount the home partition and any other separate partition ({{ic|/boot}}, {{ic|/var}}, etc), if you have any:<br />
<br />
# mkdir /mnt/home<br />
# mount /dev/sda2 /mnt/home<br />
<br />
In case you have a UEFI motherboard, mount the UEFI partition:<br />
<br />
# mkdir -p /mnt/boot<br />
# mount /dev/sda''X'' /mnt/boot<br />
<br />
=== Select a mirror ===<br />
<br />
Before installing, you may want to edit the {{ic|mirrorlist}} file and place your preferred mirror first. A copy of this file will be installed on your new system by {{ic|pacstrap}} as well, so it is worth getting it right.<br />
<br />
{{hc|# nano /etc/pacman.d/mirrorlist|<br />
##<br />
## Arch Linux repository mirrorlist<br />
## Sorted by mirror score from mirror status page<br />
## Generated on 2012-MM-DD<br />
##<br />
<br />
<nowiki>Server = http://mirror.example.xyz/archlinux/$repo/os/$arch</nowiki><br />
...}}<br />
<br />
* {{ic|Alt+6}} to copy a {{ic|Server}} line.<br />
* {{ic|PageUp}} key to scroll up.<br />
* {{ic|Ctrl+U}} to paste it at the top of the list.<br />
* {{ic|Ctrl+X}} to exit, and when prompted to save changes, press {{ic|Y}} and {{ic|Enter}} to use the same filename.<br />
<br />
If you want, you can make it the ''only'' mirror available by getting rid of everything else (using {{ic|Ctrl+K}}), but it is usually a good idea to have a few more, in case the first one goes offline.<br />
<br />
{{Tip|<br />
* Use the [https://www.archlinux.org/mirrorlist/ Mirrorlist Generator] to get an updated list for your country. HTTP mirrors are faster than FTP, because of something called [[Wikipedia:Keepalive|keepalive]]. With FTP, pacman has to send out a signal each time it downloads a package, resulting in a brief pause. For other ways to generate a mirror list, see [[Mirrors#Sorting mirrors|Sorting mirrors]] and [[Reflector]].<br />
* [https://archlinux.org/mirrors/status/ Arch Linux MirrorStatus] reports various aspects about the mirrors such as network problems with mirrors, data collection problems, the last time mirrors have been synced, etc.}}<br />
<br />
{{Note|<br />
* Whenever in the future you change your list of mirrors, always remember to force pacman to refresh all package lists with {{ic|pacman -Syy}}. This is considered to be good practice and will avoid possible headaches. See [[Mirrors]] for more information.<br />
* If you are using an older installation medium, your mirrorlist might be outdated, which might lead to problems when updating Arch Linux (see {{Bug|22510}}). Therefore it is advised to obtain the latest mirror information as described above.<br />
* Some issues have been reported in the [https://bbs.archlinux.org/ Arch Linux forums] regarding network problems that prevent pacman from updating/synchronizing repositories (see [https://bbs.archlinux.org/viewtopic.php?id&#61;68944] and [https://bbs.archlinux.org/viewtopic.php?id&#61;65728]). When installing Arch Linux natively, these issues have been resolved by replacing the default pacman file downloader with an alternative (see [[Improve Pacman Performance]] for more details). When installing Arch Linux as a guest OS in [[VirtualBox]], this issue has also been addressed by using "Host interface" instead of "NAT" in the machine properties.}}<br />
<br />
=== Install the base system ===<br />
<br />
The base system is installed using the [https://github.com/falconindy/arch-install-scripts/blob/master/pacstrap.in pacstrap] script.<br />
<br />
The {{ic|-i}} switch can be omitted if you wish to install every package from the ''base'' group without prompting.<br />
<br />
# pacstrap -i /mnt base<br />
<br />
{{Note|<br />
* If pacman fails to verify your packages, check the system time with {{ic|cal}}. If the system date is invalid (e.g. it shows the year 2010), signing keys will be considered expired (or invalid), signature checks on packages will fail and installation will be interrupted. Make sure to correct the system time, either by doing so manually or with the {{Pkg|ntp}} client, and retry running the pacstrap command. Refer to [[Time]] page for more information on correcting system time.<br />
* If pacman complains that {{ic|error: failed to commit transaction (invalid or corrupted package)}}, run the following command:<br />
# pacman-key --init && pacman-key --populate archlinux<br />
}}<br />
<br />
This will give you a basic Arch system. Other packages can be installed later using [[pacman]].<br />
<br />
=== Generate an fstab ===<br />
<br />
Generate an [[fstab]] file with the following command. UUIDs will be used because they have certain advantages (see [[fstab#Identifying filesystems]]). If you would prefer to use labels instead, replace the {{ic|-U}} option with {{ic|-L}}.<br />
<br />
# genfstab -U -p /mnt >> /mnt/etc/fstab<br />
# nano /mnt/etc/fstab<br />
<br />
{{Warning|The fstab file should always be checked after generating it. If you encounter errors running genfstab or later in the install process, do '''not''' run genfstab again; just edit the fstab file.}}<br />
<br />
A few considerations:<br />
<br />
* The last field determines the order in which partitions are checked at start up: use {{ic|1}} for the (non-{{ic|btrfs}}) root partition, which should be checked first; {{ic|2}} for all other partitions you want checked at start up; and {{ic|0}} means 'do not check' (see [[fstab#Field definitions]]).<br />
* All [[btrfs]] partitions should have {{ic|0}} for this field. Normally, you will also want your ''swap'' partition to have {{ic|0}}.<br />
<br />
=== Chroot and configure the base system ===<br />
<br />
Next, we [[chroot]] into our newly installed system:<br />
<br />
# arch-chroot /mnt<br />
<br />
{{Note|Use {{ic|arch-chroot /mnt /bin/bash}} to chroot into a bash shell.}}<br />
<br />
At this stage of the installation, you will configure the primary configuration files of your Arch Linux base system. These can either be created if they do not exist, or edited if you wish to change the defaults.<br />
<br />
Closely following and understanding these steps is of key importance to ensure a properly configured system.<br />
<br />
==== Locale ====<br />
<br />
Locales are used by '''glibc''' and other locale-aware programs or libraries for rendering text, correctly displaying regional monetary values, time and date formats, alphabetic idiosyncrasies, and other locale-specific standards.<br />
<br />
There are two files that need editing: {{ic|locale.gen}} and {{ic|locale.conf}}.<br />
<br />
* The {{ic|locale.gen}} file is empty by default (everything is commented out) and you need to remove the {{ic|#}} in front of the line(s) you want. You may uncomment more lines than just English (US), as long as you choose their {{ic|UTF-8}} encoding:<br />
<br />
{{hc|# nano /etc/locale.gen|<br />
en_US.UTF-8 UTF-8<br />
de_DE.UTF-8 UTF-8}}<br />
<br />
# locale-gen<br />
<br />
This will run on every '''glibc''' upgrade, generating all the locales specified in {{ic|/etc/locale.gen}}.<br />
<br />
* The {{ic|locale.conf}} file does not exist by default. Setting only {{ic|LANG}} should be enough. It will act as the default value for all other variables.<br />
<br />
# echo LANG=en_US.UTF-8 > /etc/locale.conf<br />
# export LANG=en_US.UTF-8<br />
<br />
{{Note|If you set some other language than English (US) at the beginning of the install, the above commands would be something like:<br />
# echo LANG<nowiki>=</nowiki>de_DE.UTF-8 > /etc/locale.conf<br />
# export LANG<nowiki>=</nowiki>de_DE.UTF-8<br />
}}<br />
<br />
To use other locales for other {{ic|LC_*}} variables, run {{ic|locale}} to see the available options and add them to {{ic|locale.conf}}. It is not recommended to set the {{ic|LC_ALL}} variable. An advanced example can be found [[Locale#Setting_system-wide_locale|here]].<br />
<br />
==== Console font and keymap ====<br />
<br />
If you set a keymap at [[#Change_the_language|the beginning]] of the install process, load it now, as well, because the environment has changed. For example:<br />
<br />
# loadkeys ''de-latin1''<br />
# setfont Lat2-Terminus16<br />
<br />
To make them available after reboot, edit {{ic|vconsole.conf}}:<br />
<br />
{{hc|# nano /etc/vconsole.conf|2=<br />
KEYMAP=de-latin1<br />
FONT=Lat2-Terminus16<br />
}}<br />
<br />
* {{ic|KEYMAP}} – Please note that this setting is only valid for your TTYs, not any graphical window managers or Xorg.<br />
<br />
* {{ic|FONT}} – Available alternate console fonts reside in {{ic|/usr/share/kbd/consolefonts/}}. The default (blank) is safe, but some foreign characters may show up as white squares or as other symbols. It is recommended that you change it to {{ic|Lat2-Terminus16}}, because, according to {{ic|/usr/share/kbd/consolefonts/README.Lat2-Terminus16}}, it supports "about 110 language sets".<br />
<br />
* Possible option {{ic|FONT_MAP}} – Defines the console map to load at boot. Read {{ic|man setfont}}. Removing it or leaving it blank is safe.<br />
<br />
See [[Fonts#Console_fonts|Console fonts]] and {{ic|man vconsole.conf}} for more information.<br />
<br />
==== Time zone ====<br />
<br />
Available time zones and subzones can be found in the {{ic|/usr/share/zoneinfo/<Zone>/<SubZone>}} directories.<br />
<br />
To view the available <Zone>, check the directory {{ic|/usr/share/zoneinfo/}}:<br />
<br />
# ls /usr/share/zoneinfo/<br />
<br />
Similarly, you can check the contents of directories belonging to a <SubZone>:<br />
<br />
# ls /usr/share/zoneinfo/Europe<br />
<br />
Create a symbolic link {{ic|/etc/localtime}} to your zone file {{ic|/usr/share/zoneinfo/<Zone>/<SubZone>}} using this command:<br />
<br />
# ln -s /usr/share/zoneinfo/<Zone>/<SubZone> /etc/localtime<br />
<br />
'''Example:'''<br />
<br />
# ln -s /usr/share/zoneinfo/Europe/Minsk /etc/localtime<br />
<br />
==== Hardware clock ====<br />
<br />
Set the hardware clock mode uniformly between your operating systems. Otherwise, they may overwrite the hardware clock and cause time shifts.<br />
<br />
You can generate {{ic|/etc/adjtime}} automatically by using one of the following commands:<br />
<br />
* '''UTC''' (recommended)<br />
<br />
: {{Note|Using [[Wikipedia:Coordinated Universal Time|UTC]] for the hardware clock does not mean that software will display time in UTC.}}<br />
<br />
: {{bc|# hwclock --systohc --utc}}<br />
<br />
To synchronize your "UTC" time over the internet, see [[Network Time Protocol daemon|NTPd]].<br />
<br />
* '''localtime''' (discouraged; used by default in Windows)<br />
<br />
: {{Warning|Using ''localtime'' may lead to several known and unfixable bugs. However, there are no plans to drop support for ''localtime''.}}<br />
<br />
: {{bc|# hwclock --systohc --localtime}}<br />
<br />
If you have (or are planning on having) a dual boot setup with Windows:<br />
<br />
* Recommended: Set both Arch Linux and Windows to use UTC. A quick [[Time#UTC in Windows|registry fix]] is needed. Also, be sure to prevent Windows from synchronizing the time on-line, because the hardware clock will default back to ''localtime''.<br />
<br />
* Not recommended: Set Arch Linux to ''localtime'' and disable any time-related services, like [[Network Time Protocol daemon|NTPd]]. This will let Windows take care of hardware clock corrections and you will need to remember to boot into Windows at least two times a year (in Spring and Autumn) when [[Wikipedia:Daylight saving time|DST]] kicks in. So please do not ask on the forums why the clock is one hour behind or ahead if you usually go for days or weeks without booting into Windows.<br />
<br />
==== Kernel modules ====<br />
<br />
{{Tip|This is just an example, you do not need to set it. All needed modules are automatically loaded by udev, so you will rarely need to add something here. Only add modules that you know are missing.}}<br />
<br />
For kernel modules to load during boot, place a {{ic|*.conf}} file in {{ic|/etc/modules-load.d/}}, with a name based on the program that uses them.<br />
<br />
{{hc|# nano /etc/modules-load.d/virtio-net.conf|<br />
# Load 'virtio-net.ko' at boot.<br />
<br />
virtio-net}}<br />
<br />
If there are more modules to load per {{ic|*.conf}}, the module names can be separated by newlines. A good example are the [[VirtualBox#Arch Linux guests|VirtualBox Guest Additions]].<br />
<br />
Empty lines and lines starting with {{ic|#}} or {{ic|;}} are ignored.<br />
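<br />
To see exactly which modules a {{ic|/etc/modules-load.d/}} directory will ask for before rebooting, here is an added example, not part of the Beginners' Guide, of a small parser for the format described above (one module per line; empty lines and lines starting with {{ic|#}} or {{ic|;}} ignored) that also collects the names across all {{ic|*.conf}} files in a directory. The sample configuration and the function names are constructed for this example.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the Beginners' Guide: a parser for the
# /etc/modules-load.d/*.conf format (one module per line; empty lines and
# lines starting with # or ; are ignored). Use it to preview what the
# configuration will request at boot.

# Constructed sample, standing in for /etc/modules-load.d/virtualbox.conf.
SAMPLE_CONF='# Load the VirtualBox guest modules at boot.
; vboxvideo is only needed with X
vboxguest

vboxsf
'

# modules_from_conf "<file contents>": prints one module name per line.
modules_from_conf() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            ''|'#'*|';'*) continue ;;   # ignored by the format
        esac
        # Drop surrounding whitespace; a module name never contains spaces.
        name=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$name" ] && printf '%s\n' "$name"
    done
}

# modules_from_dir DIR: union of the module names from every DIR/*.conf,
# sorted and de-duplicated (a module listed twice is only loaded once).
modules_from_dir() {
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        modules_from_conf "$(cat "$f")"
    done | sort -u
}

# Demonstration on a temporary directory instead of /etc/modules-load.d.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CONF" > "$demo_dir/virtualbox.conf"
printf '# Load virtio-net.ko at boot.\n\nvirtio-net\n' > "$demo_dir/virtio-net.conf"
echo "modules requested under $demo_dir:"
modules_from_dir "$demo_dir"
rm -rf "$demo_dir"
```
<br />
Point {{ic|modules_from_dir}} at {{ic|/etc/modules-load.d}} on the installed system to review the list; it only reads the files and never loads anything.<br />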
<br />
==== Hostname ====<br />
<br />
Set the [[Wikipedia:hostname|hostname]] to your liking (e.g. ''arch''):<br />
<br />
# echo ''myhostname'' > /etc/hostname<br />
<br />
{{Note|There is no need to edit {{ic|/etc/hosts}}.}}<br />
<br />
=== Configure the network ===<br />
<br />
You need to configure the network again, but this time for your newly installed environment. The procedure and prerequisites are very similar to the one described [[#Establish an internet connection|above]], except we are going to make it persistent and automatically run at boot.<br />
<br />
{{Note|<br />
* For more in-depth information on network configuration, visit [[Network Configuration]] and [[Wireless Setup]].<br />
* If you would like to use the old interface naming scheme (i.e. eth* and wlan*), you can accomplish this by creating an empty file at {{ic|/etc/udev/rules.d/80-net-name-slot.rules}}, which will mask the file of the same name located under {{ic|/usr/lib/udev/rules.d}} (alternatively, instead of an empty file, a symlink to {{ic|/dev/null}} is also an acceptable masking method).<br />
}}<br />
<br />
==== Wired ====<br />
<br />
===== Dynamic IP =====<br />
<br />
; Using dhcpcd<br />
<br />
If you only use a single fixed wired network connection, you do not need a network management service and can simply enable the {{ic|dhcpcd}} service:<br />
<br />
# systemctl enable dhcpcd.service<br />
<br />
: {{Note|If it doesn't work, use: {{ic|# systemctl enable dhcpcd@''interface_name''.service}} }}<br />
<br />
; Using netctl<br />
<br />
Copy a sample profile from {{ic|/etc/netctl/examples}} to {{ic|/etc/netctl}}:<br />
<br />
# cd /etc/netctl<br />
# cp examples/ethernet-dhcp my-network<br />
<br />
Edit the profile as needed (modify {{ic|Interface}}):<br />
<br />
# nano my-network<br />
<br />
Enable the {{ic|my-network}} profile:<br />
<br />
# netctl enable my-network<br />
<br />
; Using netctl-ifplugd<br />
<br />
Alternatively, you can use {{ic|netctl-ifplugd}}, which gracefully handles dynamic connections to new networks:<br />
<br />
Install {{Pkg|ifplugd}}, which is required for {{ic|netctl-ifplugd}}:<br />
<br />
# pacman -S ifplugd<br />
<br />
Then enable it for the interface that you want:<br />
<br />
# systemctl enable netctl-ifplugd@<interface>.service<br />
<br />
{{Tip|[[Netctl]] also provides {{ic|netctl-auto}}, which can be used to handle wired profiles in conjunction with {{ic|netctl-ifplugd}}.}}<br />
<br />
===== Static IP =====<br />
<br />
; Using netctl<br />
<br />
Copy a sample profile from {{ic|/etc/netctl/examples}} to {{ic|/etc/netctl}}:<br />
<br />
# cd /etc/netctl<br />
# cp examples/ethernet-static my-network<br />
<br />
Edit the profile as needed (modify {{ic|Interface}}, {{ic|Address}}, {{ic|Gateway}} and {{ic|DNS}}):<br />
<br />
# nano my-network<br />
<br />
* Notice the {{ic|/24}} in {{ic|Address}}, which is the [[wikipedia:Classless Inter-Domain Routing#CIDR notation|CIDR notation]] of a {{ic|255.255.255.0}} netmask.<br />
<br />
Enable the profile created above so that it starts at every boot:<br />
<br />
# netctl enable my-network<br />
<br />
==== Wireless ====<br />
<br />
{{Note|If your wireless adapter requires a firmware (as described in the above [[#Wireless|Establish an internet connection]] section and also [[Wireless Setup#Drivers and firmware|here]]), install the package containing your firmware. Most of the time, the {{Pkg|linux-firmware}} package will contain the needed firmware. Though for some devices, the required firmware might be in its own package. For example:<br />
{{bc|# pacman -S zd1211-firmware}}<br />
See [[Wireless Setup]] for more info.}}<br />
<br />
Install {{Pkg|iw}}, {{Pkg|wpa_supplicant}} and {{Pkg|wpa_actiond}} which you will need to connect to a network:<br />
<br />
# pacman -S iw wpa_supplicant wpa_actiond<br />
<br />
===== Adding wireless networks =====<br />
<br />
; Using wifi-menu<br />
<br />
Install {{Pkg|dialog}}, which is required for {{ic|wifi-menu}}:<br />
<br />
# pacman -S dialog<br />
<br />
After finishing the rest of this installation and rebooting, you can connect to the network with {{ic|wifi-menu ''interface_name''}} (where {{ic|''interface_name''}} is the interface of your wireless chipset).<br />
<br />
# wifi-menu ''interface_name''<br />
<br />
{{Warning|This must be done ''after'' your reboot, when you are no longer chrooted. The process spawned by this command will conflict with the one you have running outside of the chroot. Alternatively, you could just configure a network profile manually using the following templates so that you do not have to worry about using {{ic|wifi-menu}} at all.}}<br />
<br />
; Using manual netctl profiles<br />
<br />
Copy a network profile from {{ic|/etc/netctl/examples}} to {{ic|/etc/netctl}}:<br />
<br />
# cd /etc/netctl<br />
# cp examples/wireless-wpa my-network<br />
<br />
Edit the profile as needed (modify {{ic|Interface}}, {{ic|ESSID}} and {{ic|Key}}):<br />
<br />
# nano my-network<br />
<br />
===== Connect automatically to known networks =====<br />
<br />
Enable the {{ic|netctl-auto}} service, which will connect to known networks and gracefully handle roaming and disconnects:<br />
<br />
# systemctl enable netctl-auto@''interface_name''.service<br />
<br />
{{Tip|[[Netctl]] also provides {{ic|netctl-ifplugd}}, which can be used to handle wired profiles in conjunction with {{ic|netctl-auto}}.}}<br />
<br />
==== Analog modem, ISDN or PPPoE DSL ====<br />
<br />
For xDSL, dial-up and ISDN connections, see [[Direct Modem Connection]].<br />
<br />
=== Create an initial ramdisk environment ===<br />
<br />
{{Tip|Most users can skip this step and use the defaults provided in {{ic|mkinitcpio.conf}}. The initramfs image (from the {{ic|/boot}} folder) has already been generated based on this file when the {{Pkg|linux}} package (the Linux kernel) was installed earlier with {{ic|pacstrap}}.}}<br />
<br />
Here you need to set the right [[Mkinitcpio#HOOKS|hooks]] if the root is on a USB drive, if you use RAID, LVM, or if {{ic|/usr}} is on a separate partition.<br />
<br />
Edit {{ic|/etc/mkinitcpio.conf}} as needed and re-generate the initramfs image with:<br />
<br />
# mkinitcpio -p linux<br />
<br />
{{Note|Arch VPS installations on QEMU (e.g. when using {{ic|virt-manager}}) may need {{ic|virtio}} modules in {{ic|mkinitcpio.conf}} to be able to boot.<br />
<br />
{{hc|# nano /etc/mkinitcpio.conf|2=<br />
MODULES="virtio virtio_blk virtio_pci virtio_net"<br />
}}<br />
}}<br />
<br />
=== Set the root password ===<br />
<br />
Set the root password with:<br />
<br />
# passwd<br />
<br />
=== Install and configure a bootloader ===<br />
<br />
==== For BIOS motherboards ====<br />
<br />
For BIOS systems, two bootloaders are available: Syslinux and GRUB. Choose the bootloader as per your convenience.<br />
<br />
* Syslinux is (currently) limited to loading only files from the partition where it was installed. Its configuration file is considered to be easier to understand. An example configuration can be found [https://bbs.archlinux.org/viewtopic.php?pid=1109328#p1109328 here].<br />
<br />
* GRUB is more feature-rich and supports more complex scenarios. Its configuration file(s) is more similar to a scripting language, which may be difficult for beginners to manually write. It is recommended that they automatically generate one.<br />
<br />
{{Note|Some BIOS systems may have issues with GPT. See http://mjg59.dreamwidth.org/8035.html and http://rodsbooks.com/gdisk/bios.html for more info and possible workarounds.}}<br />
<br />
===== Syslinux =====<br />
<br />
{{Note|If you opted for a GUID partition table (GPT) for your hard drive earlier, you need to install the {{Pkg|gptfdisk}} package now for this next step to work, assuming you have not installed it already.}}<br />
<br />
Install the {{Pkg|syslinux}} package and then use the {{ic|syslinux-install_update}} script to automatically ''install'' the bootloader ({{ic|-i}}), mark the partition ''active'' by setting the boot flag ({{ic|-a}}), and install the ''MBR'' boot code ({{ic|-m}}):<br />
<br />
# pacman -S syslinux<br />
# syslinux-install_update -i -a -m<br />
<br />
Configure {{ic|syslinux.cfg}} to point to the right root partition. This step is vital. If it points to the wrong partition, Arch Linux will not boot. Change {{ic|/dev/sda3}} to reflect your root partition ''(if you partitioned your drive as in [[#Prepare the storage drive|the example]], your root partition is sda1)''. Do the same for the fallback entry.<br />
<br />
{{hc|# nano /boot/syslinux/syslinux.cfg|2=<br />
...<br />
LABEL arch<br />
...<br />
APPEND root=/dev/sda3 rw<br />
...}}<br />
<br />
For more information on configuring and using Syslinux, see [[Syslinux]].<br />
<br />
===== GRUB =====<br />
<br />
Install the {{Pkg|grub}} package and then run {{ic|grub-install}} to install the bootloader:<br />
<br />
{{Note|<br />
* Change {{ic|/dev/sda}} to reflect the drive you installed Arch on. Do not append a partition number (do not use {{ic|sda''X''}}).<br />
* For GPT-partitioned drives on BIOS motherboards, you also need a "BIOS Boot Partition". See [[GRUB#GUID Partition Table (GPT) specific instructions|GPT-specific instructions]] and [[GRUB#Install_to_GPT_BIOS_boot_partition|Install to GPT BIOS boot partition]] in the GRUB page.<br />
}}<br />
<br />
# pacman -S grub<br />
# grub-install --recheck /dev/sda<br />
<br />
{{Note|If Arch is being installed as a VirtualBox guest, running the ''grub-install'' command above may produce an error like "/usr/sbin/grub-bios-setup: warning: this GPT partition label contains no BIOS Boot Partition; embedding won't be possible". Executing {{ic|parted -s /dev/sda set 1 bios_grub on}} and then retrying ''grub-install'' should solve the problem.}}<br />
<br />
While using a manually created {{ic|grub.cfg}} is absolutely fine, it is recommended that beginners automatically generate one:<br />
<br />
{{Tip|To automatically search for other operating systems on your computer, install {{Pkg|os-prober}} ({{ic|pacman -S os-prober}}) before running the next command.}}<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
For more information on configuring and using GRUB, see [[GRUB]].<br />
<br />
==== For UEFI motherboards ====<br />
<br />
For UEFI systems, several options are available. A complete list of options is available at [[UEFI Bootloaders]]. You may find that some options work while others do not. Otherwise, choose one as per your convenience. Here, we give two of the possibilities as examples:<br />
* Boot the Linux kernel directly using [[UEFI Bootloaders#Linux Kernel EFISTUB|EFISTUB]].<br />
* [[gummiboot]] is a simple boot manager, useful if you are dual booting. [[UEFI Bootloaders#Using rEFInd|rEFInd]] is another alternative.<br />
* GRUB is a more complete bootloader, useful if you run into problems with the other two options.<br />
<br />
{{Note|For UEFI boot, the drive needs to be GPT-partitioned and an [[Unified Extensible Firmware Interface#EFI System Partition|UEFI System Partition]] (512 MiB or larger, type {{ic|EF00}}, formatted with FAT32) must be present. For the following examples, this partition must be mounted on {{ic|/boot}}. If you have followed this guide from the beginning, you have already done all of these.}}<br />
<br />
{{Note|<!--This troubleshooting note should be transferred to [[UEFI Bootloaders]]-->You may run into problems, such as not being able to boot after the bootloader has been installed, without any visible error. In this case, you will instead have to enter the UEFI shell and manually add an entry to the UEFI boot menu with the {{ic|bcfg}} command, as described [[Unified Extensible Firmware Interface#bcfg|here]].<br />
* On some ASUS motherboards, there is an EFI bug that always reports {{ic|MaxVariableSize&#61;0}}. Combined with a recent kernel that enforces checks on this value, this prevents {{ic|efibootmgr}} from setting new EFI variables. These motherboards do not support the UEFI Shell v2, so you cannot use the {{ic|bcfg}} method either. To work around this, add {{ic|efi_no_storage_paranoia}} to the kernel command line. You can do this by pressing "e" at the bootloader menu.<br />
* On some UEFI motherboards, like the Intel Z77 boards, adding entries with ''efibootmgr'' or {{ic|bcfg}} from the EFI shell will not work, because the entries do not show up in the boot menu list after being added to NVRAM.<br />
<br />
:To solve this, you have to trick the UEFI firmware into believing that the Windows boot manager is present on the ESP.<br />
<br />
:Copy the bootx64.efi file from the USB drive to your ESP as bootmgfw.efi by booting into the EFI shell and typing:<br />
<br />
{{bc|<br />
FS1:<br />
cd EFI<br />
mkdir Microsoft<br />
cd Microsoft<br />
mkdir Boot<br />
cp FS0:\EFI\BOOT\bootx64.efi FS1:\EFI\Microsoft\Boot\bootmgfw.efi<br />
}}<br />
<br />
:After reboot, any entries added to NVRAM should show up in the boot menu.<br />
}}<br />
<br />
===== EFISTUB =====<br />
<br />
Install the {{Pkg|efibootmgr}} package and then add an Arch Linux boot entry, replacing {{ic|/dev/sdaX}} with your root partition, usually {{ic|/dev/sda2}}:<br />
<br />
# pacman -S efibootmgr<br />
# efibootmgr -c -L "Arch Linux" -l /vmlinuz-linux -u "root='''/dev/sdaX''' ro initrd=/initramfs-linux.img"<br />
<br />
===== Gummiboot =====<br />
<br />
Install the {{Pkg|gummiboot}} package and then run {{ic|gummiboot install}} to install the boot manager:<br />
<br />
# pacman -S gummiboot<br />
# gummiboot install<br />
<br />
{{Warning|1=<br />
You will probably see an error during gummiboot install, when it fails to add itself to NVRAM because of a [https://bugs.archlinux.org/task/34292 bug]. If you get this error message, manually use efibootmgr to add gummiboot to NVRAM:<br />
{{bc|# efibootmgr -c -L "Gummiboot" -l /EFI/gummiboot/gummibootx64.efi}}<br />
}}<br />
<br />
You will need to manually create a configuration file to add an entry for Arch Linux to the gummiboot manager. Create {{ic|/boot/loader/entries/arch.conf}} and add the following contents, replacing {{ic|/dev/sdaX}} with your root partition, usually {{ic|/dev/sda2}}:<br />
<br />
{{hc|# nano /boot/loader/entries/arch.conf|2=<br />
title Arch Linux<br />
linux /vmlinuz-linux<br />
initrd /initramfs-linux.img<br />
options root='''/dev/sdaX''' ro<br />
}}<br />
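<br />
Both the Syslinux {{ic|APPEND}} line earlier and the gummiboot {{ic|options}} line above carry the {{ic|root&#61;}} parameter that the guide calls vital. The following is an added example, not part of the Beginners' Guide, of a check that extracts {{ic|root&#61;}} from every boot entry in either format (so the Syslinux fallback entry is covered too) and compares each against the partition you actually used as root. The two configuration samples are constructed for this example, one still carrying the shipped {{ic|/dev/sda3}}, and the function names are the example's own.<br />
<br />
```shell
#!/bin/sh
# Added example, not part of the Beginners' Guide: a check for the root=
# parameter in a bootloader configuration. It understands the two formats
# shown in this guide, the APPEND line of syslinux.cfg and the options line
# of a gummiboot entry, extracts root= from every boot entry and compares
# each against the partition that was formatted and mounted as root.

# Constructed syslinux.cfg still carrying the shipped /dev/sda3 in both entries.
SYSLINUX_CFG='DEFAULT arch
PROMPT 0
TIMEOUT 50

LABEL arch
    LINUX ../vmlinuz-linux
    APPEND root=/dev/sda3 rw
    INITRD ../initramfs-linux.img

LABEL archfallback
    LINUX ../vmlinuz-linux
    APPEND root=/dev/sda3 rw
    INITRD ../initramfs-linux-fallback.img'

# Constructed gummiboot entry (/boot/loader/entries/arch.conf), already edited.
GUMMIBOOT_ENTRY='title Arch Linux
linux /vmlinuz-linux
initrd /initramfs-linux.img
options root=/dev/sda2 ro'

# root_params "<config text>": prints the root= value of each boot entry,
# taken only from APPEND (syslinux) or options (gummiboot) lines.
root_params() {
    printf '%s\n' "$1" \
        | grep -Ei '^[[:space:]]*(APPEND|options)[[:space:]]' \
        | sed -n 's/.*[[:space:]]root=\([^[:space:]]*\).*/\1/p'
}

# check_root_param "<config text>" /dev/sdXN
# Returns the number of entries whose root= differs from the expected
# partition; returns 1 with a message if no root= was found at all.
check_root_param() {
    expected=$2
    n=0
    bad=0
    for r in $(root_params "$1"); do
        n=$((n + 1))
        if [ "$r" = "$expected" ]; then
            echo "entry $n: root=$r (ok)"
        else
            echo "entry $n: root=$r but the root partition is $expected" >&2
            bad=$((bad + 1))
        fi
    done
    if [ "$n" -eq 0 ]; then
        echo "no root= parameter found; the system will not boot" >&2
        return 1
    fi
    return "$bad"
}

# On the installed system, with root on sda1 as in the example partitioning:
#   check_root_param "$(cat /boot/syslinux/syslinux.cfg)" /dev/sda1
#   check_root_param "$(cat /boot/loader/entries/arch.conf)" /dev/sda2
check_root_param "$SYSLINUX_CFG" /dev/sda1 || echo "$? entries still point at the wrong root partition"
check_root_param "$GUMMIBOOT_ENTRY" /dev/sda2
```
<br />
The expected device is whatever you passed to {{ic|mount ... /mnt}} earlier; a {{ic|root&#61;UUID&#61;...}} value is extracted the same way and compared verbatim, so pass the UUID form if that is what you wrote in the configuration.<br />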
<br />
For more information on configuring and using gummiboot, see [[gummiboot]].<br />
<br />
===== GRUB =====<br />
<br />
Install the {{Pkg|grub}} and {{Pkg|efibootmgr}} packages and then run {{ic|grub-install}} to install the bootloader:<br />
<br />
# pacman -S grub efibootmgr<br />
# grub-install --efi-directory=/boot --bootloader-id=arch_grub --recheck<br />
<br />
Next, while using a manually created {{ic|grub.cfg}} is absolutely fine, it is recommended that beginners automatically generate one:<br />
<br />
{{Tip|To automatically search for other operating systems on your computer, install {{Pkg|os-prober}} ({{ic|pacman -S os-prober}}) before running the next command.}}<br />
<br />
# grub-mkconfig -o /boot/grub/grub.cfg<br />
<br />
For more information on configuring and using GRUB, see [[GRUB]].<br />
<br />
=== Unmount the partitions and reboot ===<br />
<br />
Exit from the chroot environment:<br />
<br />
# exit<br />
<br />
Since the partitions are mounted under {{ic|/mnt}}, we use the following command to unmount them:<br />
<br />
# umount /mnt/{boot,home,}<br />
<br />
Reboot the computer:<br />
<br />
# reboot<br />
<br />
{{Tip|Be sure to remove the installation media, otherwise you will boot back into it.}}<br />
<noinclude>{{Beginners' Guide navigation}}</noinclude></div>Jrussellhttps://wiki.archlinux.org/index.php?title=Talk:Btrfs&diff=258965Talk:Btrfs2013-05-26T15:21:56Z<p>Jrussell: /* btrfs with fsck hook and fstab pass */</p>
<hr />
<div>== Comment about stability ==<br />
Btrfs is still under heavy development; it might be useful if someone familiar with btrfs were to add a section commenting on its overall stability. [[User:Vikingurinn|Vikingurinn]] ([[User talk:Vikingurinn|talk]]) 16:52, 17 December 2012 (UTC)<br />
<br />
== <s> Troubleshooting is now outdated </s> ==<br />
Would be great if some early adopters would modernize this section now that the stable release of btrfs-progs has hit [testing]. As the warning says, the package now includes the btrfsfsck which can fix problems on the filesystem!<br />
<br />
[[User:Graysky|Graysky]] 19:27, 28 March 2012 (EDT)<br />
: Fixed. Close. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:31, 11 May 2013 (UTC)<br />
<br />
== <s> Convert Ext3/4 to Btrfs </s> ==<br />
<br />
Just wondering about step #3: "Setup the network"<br />
I can't see any reason that this is needed. [[User:Capturts|Capturts]] ([[User talk:Capturts|talk]]) 18:35, 23 November 2012 (UTC)<br />
<br />
: It's because of Step #5: Installing btrfs-progs. This is based off of the old install mediums, which had local versions of programs, unless the remote repositories were enabled like in step #2. Since the new install mediums are remote-only (however they might have some filesystem tools on them), the entire section needs updating. [[User:Klink-a-dink-dink|Klink-a-dink-dink]] ([[User talk:Klink-a-dink-dink|talk]]) 01:06, 24 November 2012 (UTC)<br />
:: Fixed. Close. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:24, 11 May 2013 (UTC)<br />
<br />
== RAID-1 or RAID-5? ==<br />
<br />
"''3 1TB disks in an md based raid1 yields a /dev/md0 with 1TB free space and the ability to safely lose 2 disks without losing data. '''3 1TB disks in a btrfs volume with data=raid1 will allow the storage of approximately 1.5TB of data before reporting full. Only 1 disk can safely be lost without losing data'''.''"<br />
<br />
That sounds more like some kind of weird, inefficient RAID-5 arrangement than RAID-1. I don't know btrfs enough to say it's wrong, but I know RAID-1 enough to question it?<br />
<br />
[[User:Fukawi2|Fukawi2]] ([[User talk:Fukawi2|talk]]) 23:52, 29 April 2013 (UTC)<br />
<br />
== btrfs with fsck hook and fstab pass ==<br />
<br />
Apparently one does not need to have a btrfs partition fscked on boot, so there should be a '0' for 'pass' in the fstab for any btrfs partition.<br />
I had relatively slow boot ups with a pass of '1' (btrfs was root)<br />
<br />
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/791020/comments/27<br />
<br />
the genfstab script puts a '1' in for 'pass' by default</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Talk:Btrfs&diff=258964Talk:Btrfs2013-05-26T15:18:47Z<p>Jrussell: /* btrfs with fsck hook and fstab pass */ new section</p>
<hr />
<div>== Comment about stability ==<br />
Btrfs is still under heavy development; it might be useful if someone familiar with btrfs were to add a section commenting on its overall stability. [[User:Vikingurinn|Vikingurinn]] ([[User talk:Vikingurinn|talk]]) 16:52, 17 December 2012 (UTC)<br />
<br />
== <s> Troubleshooting is now outdated </s> ==<br />
Would be great if some early adopters would modernize this section now that the stable release of btrfs-progs has hit [testing]. As the warning says, the package now includes the btrfsfsck which can fix problems on the filesystem!<br />
<br />
[[User:Graysky|Graysky]] 19:27, 28 March 2012 (EDT)<br />
: Fixed. Close. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:31, 11 May 2013 (UTC)<br />
<br />
== <s> Convert Ext3/4 to Btrfs </s> ==<br />
<br />
Just wondering about step #3: "Setup the network"<br />
I can't see any reason that this is needed. [[User:Capturts|Capturts]] ([[User talk:Capturts|talk]]) 18:35, 23 November 2012 (UTC)<br />
<br />
: It's because of Step #5: Installing btrfs-progs. This is based off of the old install mediums, which had local versions of programs, unless the remote repositories were enabled like in step #2. Since the new install mediums are remote-only (however they might have some filesystem tools on them), the entire section needs updating. [[User:Klink-a-dink-dink|Klink-a-dink-dink]] ([[User talk:Klink-a-dink-dink|talk]]) 01:06, 24 November 2012 (UTC)<br />
:: Fixed. Close. -- [[User:Fengchao|Fengchao]] ([[User talk:Fengchao|talk]]) 03:24, 11 May 2013 (UTC)<br />
<br />
== RAID-1 or RAID-5? ==<br />
<br />
"''3 1TB disks in an md based raid1 yields a /dev/md0 with 1TB free space and the ability to safely lose 2 disks without losing data. '''3 1TB disks in a btrfs volume with data=raid1 will allow the storage of approximately 1.5TB of data before reporting full. Only 1 disk can safely be lost without losing data'''.''"<br />
<br />
That sounds more like some kind of weird, inefficient RAID-5 arrangement than RAID-1. I don't know btrfs enough to say it's wrong, but I know RAID-1 enough to question it?<br />
<br />
[[User:Fukawi2|Fukawi2]] ([[User talk:Fukawi2|talk]]) 23:52, 29 April 2013 (UTC)<br />
<br />
== btrfs with fsck hook and fstab pass ==<br />
<br />
Apparently one does not need to have a btrfs partition fscked on boot, so there should be a '0' for 'pass' in the fstab for any btrfs partition.<br />
I had relatively slow boot ups with a pass of '1'<br />
<br />
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/791020/comments/27<br />
<br />
the genfstab script puts a '1' in for 'pass' by default</div>Jrussellhttps://wiki.archlinux.org/index.php?title=LightDM&diff=256400LightDM2013-05-08T20:14:47Z<p>Jrussell: add troubleshooting</p>
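As an added example that is not part of the post above or of the wiki, the following POSIX shell functions audit an fstab for the situation described in the thread: btrfs entries whose sixth (fsck pass) field is non-zero, as genfstab writes by default, and a second function rewrites such entries with pass 0 while leaving every other line alone. The fstab path is a parameter and {{ic|make_sample_fstab}} writes a constructed sample with placeholder UUIDs, so nothing is read from or written to the running system; run the script with {{ic|--demo}} to see which mount points it flags.<br />

```shell
#!/bin/sh
# Added example, not from the talk-page post or the ArchWiki: find fstab
# entries for btrfs filesystems whose sixth field (fsck pass) is non-zero,
# which is what the post reports genfstab writes by default, and produce a
# copy with those entries set to pass 0. The fstab path is a parameter so the
# functions can be exercised on a constructed sample file.

# Print the mount point of every btrfs entry whose pass field is non-zero.
# A missing sixth field means pass 0 (fstab(5)), so such lines are not flagged.
fstab_btrfs_nonzero_pass() {
    awk '
        /^[ \t]*#/ || NF < 2 { next }               # comments and blank lines
        $3 == "btrfs" && NF >= 6 && $6 != 0 { print $2 }
    ' "$1"
}

# Print FSTAB with the pass field of every btrfs entry set to 0. Comments,
# blank lines and non-btrfs entries are passed through unchanged.
fstab_zero_btrfs_pass() {
    awk 'BEGIN { OFS = "\t" }
        !/^[ \t]*#/ && NF >= 6 && $3 == "btrfs" && $6 != 0 { $6 = 0; print; next }
        { print }
    ' "$1"
}

# Constructed sample fstab (UUIDs are placeholders); prints the file path.
make_sample_fstab() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# /dev/sda2 (root, btrfs): genfstab default pass of 1
UUID=0000-ROOT  /      btrfs  rw,relatime,subvol=/@      0 1
# /dev/sda1 (boot, ext4): pass 2 is correct for a non-root ext4 filesystem
UUID=0000-BOOT  /boot  ext4   rw,relatime                0 2
UUID=0000-HOME  /home  btrfs  rw,relatime,subvol=/@home  0 0
tmpfs           /tmp   tmpfs  defaults                   0 0
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: list the flagged mount points of the sample, then show
# that the rewritten copy no longer has any.
if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_fstab)
    echo "btrfs entries with non-zero pass: $(fstab_btrfs_nonzero_pass "$f")"
    fixed=$(mktemp)
    fstab_zero_btrfs_pass "$f" > "$fixed"
    echo "after rewrite: '$(fstab_btrfs_nonzero_pass "$fixed")'"
fi
```

To check a real system, call {{ic|fstab_btrfs_nonzero_pass /etc/fstab}}; the rewrite function writes to standard output so the result can be reviewed before it replaces anything.<br />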
<hr />
<div>[[Category:Display managers]]<br />
[[es:LightDM]]<br />
[[fr:LightDM]]<br />
{{Article summary start}}<br />
{{Article summary text|Provides an overview and setup of the Light Display Manager.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Display Manager}}<br />
{{Article summary wiki|GDM}}<br />
{{Article summary wiki|KDM}}<br />
{{Article summary wiki|SLiM}}<br />
{{Article summary end}}<br />
<br />
[http://www.freedesktop.org/wiki/Software/LightDM LightDM] is a cross-desktop display manager that aims to be the standard display manager for the X server. Its key features are:<br />
* A lightweight codebase<br />
* Standards compliant (PAM, ConsoleKit, etc)<br />
* A well defined interface between the server and the user interface.<br />
* Cross-desktop (user interfaces can be written in any toolkit).<br />
<br />
More details about LightDM's design can be found [http://www.freedesktop.org/wiki/Software/LightDM/Design here].<br />
<br />
== Installation ==<br />
Install {{Pkg|lightdm}} from the [[official repositories]]. You can also install {{AUR|lightdm-devel}} for the development branch or {{AUR|lightdm-bzr}} from the [[AUR]].<br />
<br />
=== Greeter===<br />
You will also need to install a greeter (a user interface for LightDM). The reference greeter is ''lightdm-gtk-greeter'', which is provided by {{Pkg|lightdm-gtk3-greeter}}. KDE users can install {{Pkg|lightdm-kde-greeter}}, a greeter based on Qt.<br />
<br />
Other greeters can be installed from the [[AUR]] as well: <br />
* {{AUR|lightdm-webkit-greeter}}: A greeter that uses Webkit for theming.<br />
* {{AUR|lightdm-crowd-greeter}}: A 3D greeter that lets you select your profile from 3D characters walking around.<br />
* {{AUR|lightdm-unity-greeter}}: The greeter used by Ubuntu's [[Unity]].<br />
* {{AUR|razor-lightdm-greeter}}: A greeter for the [[Razor-qt]] desktop environment.<br />
* {{AUR|lightdm-pantheon-greeter}}: A LightDM greeter from the ElementaryOS Project.<br />
<br />
You can change the default greeter by changing the configuration file to state:<br />
{{hc|/etc/lightdm/lightdm.conf|<br />
greeter-session&#61;lightdm-yourgreeter-greeter<br />
}}<br />
<br />
It is also possible to change the default greeter at compile time by changing the line containing:<br />
--with-greeter-session=lightdm-gtk-greeter<br />
to<br />
--with-greeter-session=lightdm-yourgreeter-greeter<br />
<br />
== Enabling LightDM ==<br />
Make sure that the '''lightdm''' daemon is [[Daemons#Managing_daemons|started]] at boot.<br />
<br />
=== Testing ===<br />
First, [[Pacman|install]] {{Pkg|xorg-server-xephyr}} from the [[official repositories]].<br />
<br />
Then, run LightDM as an X application:<br />
$ lightdm --test-mode --debug<br />
<br />
== Optional Configuration and Tweaks ==<br />
Some greeters have their own configuration files. For example, {{Pkg|lightdm-gtk3-greeter}} has:<br />
/etc/lightdm/lightdm-gtk-greeter.conf<br />
and {{Pkg|lightdm-kde-greeter}} has:<br />
/etc/lightdm/lightdm-kde-greeter.conf<br />
as well as a section in KDE's System Settings (recommended).<br />
<br />
LightDM can be configured by directly modifying its configuration file or by using the {{ic|lightdm-set-defaults}} application<br />
that can be found in {{ic|/usr/lib/lightdm/lightdm/}}. To see some of the options available, execute:<br />
$ man lightdm-set-defaults<br />
<br />
There are, however, a lot more variables to modify in the configuration file than by using the {{ic|lightdm-set-defaults}} application.<br />
<br />
=== Changing Background Images/Colors ===<br />
Users wishing to have a flat color (no image) may simply set the '''background''' variable to a hex color.<br />
<br />
Example:<br />
background=#000000<br />
<br />
If you want to use an image instead, see below.<br />
<br />
==== GTK+ Greeter ====<br />
Users wishing to customize the wallpaper on the greeter screen need to edit {{ic|/etc/lightdm/lightdm-gtk-greeter.conf}} defining the '''background''' variable.<br />
<br />
Example:<br />
background=/usr/share/pixmaps/black_and_white_photography-wallpaper-1920x1080.jpg<br />
<br />
==== Unity Greeter ====<br />
Users using the {{AUR|lightdm-unity-greeter}} must edit the {{ic|/usr/share/glib-2.0/schemas/com.canonical.unity-greeter.gschema.xml}} file and then execute:<br />
# glib-compile-schemas /usr/share/glib-2.0/schemas/<br />
<br />
This is based on [https://bbs.archlinux.org/viewtopic.php?id=149945 this forum thread].<br />
<br />
{{Note|It is recommended to place the PNG or JPG file in {{ic|/usr/share/pixmaps}} since the LightDM user needs read access to the wallpaper file.}}<br />
<br />
==== KDE Greeter ====<br />
Go to ''System Settings > Login Screen (LightDM)'' and change the background image for your theme.<br />
<br />
=== Changing the Icon ===<br />
Users wishing to customize the icon on the greeter screen need to edit {{ic|/etc/lightdm/lightdm-gtk-greeter.conf}} defining the '''logo''' variable.<br />
<br />
Example:<br />
logo=/usr/share/icons/hicolor/64x64/devices/archlinux-icon-crystal-64.svg<br />
<br />
==== Sources of Arch-centric 64x64 Icons ====<br />
The {{Pkg|archlinux-artwork}} package from the [[official repositories]] contains some nice examples that install to {{ic|/usr/share/archlinux/icons}} and that can be copied to {{ic|/usr/share/icons/hicolor/64x64/devices}} as follows:<br />
# find /usr/share/archlinux/icons -name "*64*" -exec cp {} /usr/share/icons/hicolor/64x64/devices \;<br />
<br />
After copying, the {{Pkg|archlinux-artwork}} package can be removed.<br />
<br />
=== Enabling Autologin ===<br />
Edit the LightDM configuration file and change these lines to:<br />
{{hc|/etc/lightdm/lightdm.conf|<nowiki><br />
autologin-user=<your_username><br />
autologin-user-timeout=0</nowiki><br />
}}<br />
or execute:<br />
<br />
# /usr/lib/lightdm/lightdm/lightdm-set-defaults --autologin=USERNAME<br />
<br />
LightDM goes through PAM even when {{ic|autologin}} is enabled. You must be part of the {{ic|autologin}} group to be able to log in without entering your password:<br />
<br />
# groupadd autologin<br />
# gpasswd -a ''username'' autologin<br />
<br />
{{Note|GNOME users, and by extension any gnome-keyring user will have to set up a blank password to their keyring for it to be unlocked automatically.}}<br />
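As an added example that is not part of this article, the following POSIX shell script checks the requirement stated above: it reads {{ic|autologin-user}} from a {{ic|lightdm.conf}} and verifies that the named user is a member of the {{ic|autologin}} group, which is the misconfiguration that leaves LightDM prompting for a password even though autologin is set. Both the configuration file and the group file are passed as paths, and the {{ic|make_samples}} function writes constructed sample files (hypothetical user {{ic|alice}}) so it can be tried without touching the real {{ic|/etc/lightdm/lightdm.conf}} or {{ic|/etc/group}}; run it with {{ic|--demo}} to see the result.<br />

```shell
#!/bin/sh
# Added example, not part of the ArchWiki LightDM article: audit a LightDM
# autologin configuration. The article states that LightDM still goes through
# PAM with autologin enabled, so the user named in autologin-user must be a
# member of the 'autologin' group. Paths to the config and group files are
# parameters so the check can run against constructed samples.

# Print the value of KEY from the INI-style file CONF (first match only),
# ignoring commented-out "#key=" lines; prints nothing when the key is unset.
lightdm_conf_get() {
    conf="$1"; key="$2"
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$conf" | head -n 1
}

# Return 0 when USER appears in the member list (fourth field) of GROUP in
# the group file GROUPFILE, 1 otherwise.
in_group() {
    user="$1"; group="$2"; groupfile="$3"
    members=$(awk -F: -v g="$group" '$1 == g { print $4 }' "$groupfile")
    case ",$members," in
        *",$user,"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Return 0 when autologin is disabled or correctly set up, 1 when the
# configured autologin user is missing from the autologin group.
audit_autologin() {
    conf="$1"; groupfile="$2"
    user=$(lightdm_conf_get "$conf" autologin-user)
    if [ -z "$user" ]; then
        return 0            # autologin not configured: nothing to check
    fi
    in_group "$user" autologin "$groupfile"
}

# Constructed sample files (hypothetical user 'alice'); prints the directory.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/lightdm.conf" <<'EOF'
[SeatDefaults]
#autologin-user=
autologin-user=alice
autologin-user-timeout=0
greeter-session=lightdm-gtk-greeter
EOF
    cat > "$dir/group" <<'EOF'
root:x:0:
autologin:x:1001:alice
users:x:100:alice,bob
EOF
    printf '%s\n' "$dir"
}

# Stand-alone run: report the audit result for the sample files.
if [ "${1:-}" = "--demo" ]; then
    d=$(make_samples)
    u=$(lightdm_conf_get "$d/lightdm.conf" autologin-user)
    if audit_autologin "$d/lightdm.conf" "$d/group"; then
        echo "autologin user '$u' is a member of group autologin"
    else
        echo "autologin user '$u' is NOT a member of group autologin"
    fi
fi
```

Against a real installation the call is {{ic|audit_autologin /etc/lightdm/lightdm.conf /etc/group}}; the key lookup in {{ic|lightdm_conf_get}} deliberately skips the commented {{ic|#autologin-user&#61;}} line that ships in the default file, so an unconfigured autologin is reported as fine rather than as an empty user.<br />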
<br />
=== Migrating from SLiM ===<br />
Move the contents of [[xinitrc]] to [[xprofile]], removing the call to start the [[window manager]] or [[desktop environment]].<br />
<br />
=== NumLock ON ===<br />
Install the {{ic|numlockx}} package and then edit {{ic|/etc/lightdm/lightdm.conf}}, adding the following line:<br />
greeter-setup-script=/usr/bin/numlockx on<br />
<br />
=== User switching under xfce4 ===<br />
With the release of Xfce4 4.10, user switching is supported natively. To use it with LightDM, users need only to create a symlink:<br />
# ln -s /usr/lib/lightdm/lightdm/gdmflexiserver /usr/bin/gdmflexiserver<br />
<br />
Alternatively, see the [[XScreenSaver#Lightdm]] article.<br />
<br />
== Troubleshooting ==<br />
If you encounter consistent screen flashing and ultimately no lightdm on boot, ensure that you have defined the greeter correctly in lightdm's config file.<br />
<br />
== See Also ==<br />
* [https://wiki.ubuntu.com/LightDM Ubuntu Wiki article]<br />
* [http://wiki.gentoo.org/wiki/LightDM Gentoo Wiki article]<br />
* [https://launchpad.net/lightdm Launchpad Page]<br />
* [http://www.mattfischer.com/blog/?tag=lightdm LightDM blog]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Compiz&diff=256300Compiz2013-05-07T09:43:44Z<p>Jrussell: /* Initial configuration */</p>
<hr />
<div>[[Category:Eye candy]]<br />
[[Category:Stacking WMs]]<br />
[[el:Compiz]]<br />
[[es:Compiz]]<br />
[[it:Compiz]]<br />
[[ja:Compiz]]<br />
[[pl:Compiz]]<br />
[[pt:Compiz]]<br />
[[ru:Compiz]]<br />
[[tr:Compiz]]<br />
[[zh-CN:Compiz]]<br />
{{Article summary start}}<br />
{{Article summary wiki|Compiz Configuration}}<br />
{{Article summary wiki|AIGLX}}<br />
{{Article summary wiki|Composite}}<br />
{{Article summary wiki|Xcompmgr}}<br />
{{Article summary wiki|Cairo Compmgr}}<br />
{{Article summary end}}<br />
<br />
Compiz is a [[Wikipedia:Compositing window manager|compositing window manager]]. It provides its own window manager, [[Emerald]]. Therefore it cannot be used simultaneously with other window managers such as [[Openbox]], [[Fluxbox]], or [[Enlightenment]]. Users who want to keep their current window manager and add some effects to it may wish to try [[Xcompmgr]] instead.<br />
<br />
== Requirements ==<br />
Users of major [[DE]]s can make good use of {{Pkg|compiz-manager}}, which performs a brief requirements check and switches to a fallback WM in case of errors. Setup and hardware issues can also be discovered with the {{AUR|compiz-check}} script (available in the [[AUR]]).<br />
<br />
== Installation ==<br />
All compiz packages, available in [[official repositories]], can be [[pacman|installed]] with group {{Grp|compiz-fusion}}.<br />
<br />
For those who do not want to install EVERYTHING there are also groups {{Grp|compiz-fusion-gtk}} and {{Grp|compiz-fusion-kde}} for [[Gnome]] or [[KDE]] correspondingly.<br />
<br />
Users who wish to select the packages individually may start with {{Pkg|compiz-core}} and one of [[#Decorators|decorators]].<br />
{{Note|Lack of configured window decorator can render your [[X]] workspace slightly unusable.}}<br />
<br />
=== Initial configuration ===<br />
While the appearance of the windows and their contents is a function of [[GTK+]] and [[Qt]], the frames around the windows are controlled by the Window Decoration plugin. To use it make sure you have a window decorator installed. Depending on what packages you have downloaded you can choose among several window decorators. The most common ones are Emerald, kde-window-decorator, and gtk-window-decorator. The emerald decorator has the advantage that it fits better to compiz's screen handling and offers transparency effects. To set your default window decorator type the following command string in the "Window Decoration" plugin's settings under the field "Command".<br />
<br />
Ensure that the "Window Decoration" plugin is enabled in ccsm's "Effects" tab and that its "Command" field is filled in to start a decorator.<br />
<br />
To set emerald as your default window-decorator type:<br />
emerald --replace<br />
To set the kde-window-decorator as an alternative to Emerald type:<br />
kde4-window-decorator --replace<br />
To set the compiz-decorator-gtk as an alternative to Emerald type:<br />
gtk-window-decorator --replace<br />
<br />
{{Box RED|Activate important plugins!|<br />
There is high possibility that you will want to activate a few plugins that provide basic window manager behavior or else you will have no ability to drag, scale or close any windows as soon as compiz is activated. Among those plugins are "Window Decoration" under Effects and "Move Window" & "Resize Window" under Window Management. Ccsm may be used to achieve this.<br />
Launch CompizConfig Settings Manager:<br />
$ ccsm<br />
Simply put check marks next to those plugins to activate them.}}<br />
<br />
== Additional software ==<br />
=== Decorators ===<br />
* {{App|[[Emerald]]|Compiz's own window decorator with few dependencies. (Note: Works but is buggy and no longer maintained)|http://www.compiz.org|{{Pkg|emerald}}}}<br />
* {{Pkg|compiz-decorator-gtk}} and {{Pkg|compiz-decorator-kde}} &ndash; alternatives to Emerald, using your desktop environment's configuration backends and looks<br />
=== Other ===<br />
* {{Pkg|ccsm}} (CompizConfig settings manager) &ndash; GUI application that lets you configure all of Compiz's plugins<br />
* {{Pkg|fusion-icon}} &ndash; offers a tray icon and a nice way to start compiz, start ccsm and change the WM / Window Decorator<br />
* [https://aur.archlinux.org/packages.php?K=compiz Lots of quickly dying packages in AUR]<br />
<br />
== Starting Compiz Fusion ==<br />
<br />
=== Manually (with "fusion-icon") ===<br />
<br />
Launch the Compiz Fusion tray icon:<br />
$ fusion-icon<br />
<br />
{{Note|If it fails (almost never), you may try it with dbus-launch:<br />
{{bc|$ dbus-launch "fusion-icon"}}}}<br />
Right click on the icon in the panel and go to 'select window manager'. Choose "Compiz" if it isn't selected already, and you should be set.<br />
<br />
If this fails you can start compiz-fusion by using the following additional command to replace your default window decorator with Compiz's window decorator (Emerald):<br />
$ emerald --replace<br />
<br />
'''Again, note:''' If you want to use compiz window decorations make sure you have the "Window Decoration" plugin marked in the compiz settings through ccsm.<br />
<br />
=== Manually (without "fusion-icon") ===<br />
<br />
Launch Compiz with the following command (which replaces your current window manager):<br />
$ compiz --replace ccp &<br />
<br />
A quick overview over common compiz command-line options:<br />
*--indirect-rendering: use indirect-rendering (AIGLX)<br />
*--loose-binding: can help performance issues (nVidia?)<br />
*--replace: replace current window-manager<br />
*--keep-window-hints: keep the gnome window-manager gconf-settings for available viewports, ...<br />
*--sm-disable: disable session-management<br />
*ccp: the "ccp" command loads the last configured settings from ccsm (CompizConfig Settings Manager) otherwise Compiz will load with no settings and you won't be able to do anything with your windows like dragging, maximizing/minimizing, or moving.<br />
<br />
=== KDE4 ===<br />
{{Note| The first and last methods will load Compiz-Fusion as the default window manager instead of KWin. This is faster than loading Compiz with 'fusion-icon' because it avoids loading two window managers at startup. This also prevents that annoying black screen flicker you might see using other methods (when KWin switches to Compiz on KDE's desktop loading screens). The downside is that if Compiz crashes, it may be more difficult to recover your desktop}}<br />
<br />
==== Use System Settings (easiest)====<br />
Go to: ''System Settings'' --> ''Default Applications'' --> ''Window Manager'' --> ''Use a different window manager''<br />
<br />
'''''If''''' you need to run compiz with custom options select "Compiz custom" (when you run <code>fusion-icon</code> from a terminal you can see the command line with which compiz was started).<br />
Create a file called "compiz-kde-launcher" in <code>/usr/bin</code>. Then make the file executable: <code>chmod +x /usr/bin/compiz-kde-launcher</code>.<br />
<br />
For example:<br />
#!/bin/bash<br />
# The variable must be exported, otherwise compiz does not see it.<br />
export LIBGL_ALWAYS_INDIRECT=1<br />
compiz --replace ccp &<br />
wait<br />
<br />
==== Autostart with "fusion-icon" ====<br />
<br />
Add a symbolic link, that points to the fusion-icon executable, in your KDE Autostart directory:<br />
$ ln -s /usr/bin/fusion-icon ~/.kde4/Autostart/fusion-icon<br />
<br />
Next time KDE is started, it will load fusion-icon automatically.<br />
<br />
==== Autostart Link without "fusion-icon" ====<br />
<br />
{{Warning|DO NOT create compiz.desktop if you intend to install compiz-decorator-gtk; it will create a file conflict.}}<br />
<br />
* Append a desktop entry in the KDE Autostart directory. If it doesn't already exist (it should), create the file {{ic|~/.kde4/Autostart/compiz.desktop}} with the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp --replace<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you may have to add "--replace" and/or "ccp" to the Exec variable. Without "--replace", Compiz won't load since it will detect another window manager already loaded. Without "ccp", Compiz will not load any of the settings and plugins that you have enabled through CompizConfig Settings Manager (ccsm) and you won't be able to manipulate any of your windows.}}<br />
<br />
* If you want to use the optional {{ic|fusion-icon}} application, launch ''fusion-icon''. If you log out normally with ''fusion-icon'' running, KDE should restore your session and launch ''fusion-icon'' the next time you log in if this setting is enabled. If it doesn't appear to be working, ensure you have the following line in {{ic|~/.kde4/share/config/ksmserverrc}}:<br />
<br />
loginMode=restorePreviousLogout<br />
{{Note| This is a KDE specific setting that will allow you to restore other apps next time you log in, not just fusion-icon.}}<br />
<br />
==== Export KDEWM without "fusion-icon" (preferred) ====<br />
<br />
As root you must create a short script by doing the following in your terminal. This will allow you to load compiz with the switches because doing it directly via {{ic|1=export KDEWM="compiz --replace ccp --sm-disable"}} doesn't seem to work.<br />
# echo "compiz --replace ccp --sm-disable &" > /usr/bin/compiz-fusion<br />
<br />
{{Note| If this line doesn't work, make sure the "fusion-icon" package is installed and then use this line instead:<br />
# echo "fusion-icon &" > /usr/bin/compiz-fusion<br />
Be sure to complete the whole method before trying this substitute.}}<br />
<br />
Ensure that {{ic|/usr/bin/compiz-fusion}} has executable (+x) permissions.<br />
# chmod a+x /usr/bin/compiz-fusion<br />
<br />
Choose one of the following:<br />
<br />
:1) Compiz for your user only --> Edit the file {{ic|~/.kde4/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
:2) Compiz system wide --> Edit the file {{ic|/etc/kde/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
{{Note| If that still doesn't work, yet another alternate way to accomplish the above method is to include the line<br />
{{bc|1=export KDEWM="compiz-fusion"}}<br />
in your user's {{ic|~/.bashrc}} file.}}<br />
{{Note| If you optionally use the {{ic|/usr/local/bin}} directory it may not work. In that case you should export the script including the whole path:<br />
{{bc|1=export KDEWM="/usr/local/bin/compiz-fusion"}}}}<br />
<br />
=== GNOME ===<br />
If you have installed [[GNOME3]] with gnome-shell, either enable forced Fallback Mode (System Info > Graphics) or simply uninstall gnome-shell.<br />
{{Note|Fallback Mode is not necessary if you choose the Compiz/Cairo-Dock session method below.}}<br />
<br />
==== Alternate Session for GNOME (Preferred Method for Experienced Compiz/Dock Users) ====<br />
The {{AUR|gnome-session-compiz}} package can be used to add an additional menu entry in the GNOME session login dialog. This method does not require forced fallback mode and/or modifications to sensitive system files/settings. Also, you can switch between GNOME Shell and Compiz/Cairo-Dock between sessions. If you can't get it working, you can always go back to your original GNOME session.<br />
<br />
For this method to work, Compiz and Cairo-Dock (Taskbar/Panel) may have to be [[#Configuration|configured initially]] for fresh accounts, from another working session (ccsm in GNOME Shell worked fine for me).<br />
<br />
This method completely replaces the GNOME's window manager and panel (they are not launched at all, rather than being replaced or killed later). So, before actually switching to this alternate session, you may want to configure corresponding/alternate features of the original panel application in Cairo-Dock:<br />
* Add Application Menu icon to Cairo-Dock and remember its key-bindings.<br />
* Remap Application Menu key-bindings to ALT+F1 and ALT+F2, for convenience.<br />
* Add Clock, WiFi, NetSpeed icons to the dock as applicable.<br />
* Add Log-out icon:<br />
** Set the command for logout to "gnome-session-quit --logout"<br />
** Set the command for shutdown to "gnome-session-quit --power-off"<br />
* Add the Notification Area Old (systray) icon to Cairo-Dock.<br />
<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
This Method makes use of the [http://standards.freedesktop.org/desktop-entry-spec/latest/ Desktop Entry Specification] to specify a Compiz Desktop Entry and of the GConf default windowmanager setting. Thanks to the Desktop Entry you should be able to select Compiz as a windowmanager out of GDM.<br />
<br />
'''1)''' If the following file doesn't already exist (it should), create it as {{ic|/usr/share/applications/compiz.desktop}} containing the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp #Make sure ccp is included so that Compiz loads your previous settings.<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
##-> the following line causes a gnome-session warning and slow startup, so try not to enable it<br />
# X-GNOME-Autostart-Phase=WindowManager <br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you must make sure that the "ccp" is included in the Exec variable. Having "ccp" included simply tells Compiz to load your previous settings, otherwise you won't have any functionality.}}<br />
<br />
If the above doesn't work (in most cases it does), for example if you notice some issues with windows refreshing or low performance, try:<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp --indirect-rendering}}<br />
<br />
or<br />
<br />
{{bc|1=Exec=/usr/bin/compiz --replace --sm-disable --ignore-desktop-hints ccp --indirect-rendering}}<br />
<br />
Instead of<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp}}<br />
<br />
Some users noticed a "lag" of 4-10 seconds when logging in from a login manager. The solution is to change the command to:<br />
{{bc|1=Exec=bash -c 'compiz ccp decoration --sm-client-id $DESKTOP_AUTOSTART_ID'}}<br />
as noted [https://bbs.archlinux.org/viewtopic.php?pid=655237#p655237 in the forum]. You can also add the extra parameters as described above if needed.<br />
<br />
'''2)''' Set some GConf parameters using the gconftool-2 command in a terminal window or do it visually with Configuration Editor (gconf-editor). The following outlines using the command line method, but you can also see which keys to change using gconf-editor:<br />
<br />
{{Note| Since those parameters apply to a given user, you '''must''' logout from the root account and log in as that other user before proceeding with the next steps. GConf will fail, if called from a root account.}}<br />
<br />
gconftool-2 --set -t string /desktop/gnome/session/required_components/windowmanager compiz<br />
<br />
The following are optional and in most cases not necessary (the respective keys are deprecated since GNOME 2.12). But in any case, if the above didn't succeed the next two statements are still valid and should be tried.<br />
<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/current /usr/bin/compiz<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/default /usr/bin/compiz<br />
<br />
==== Autostart (without "fusion-icon") (With gnome3 fallback mode session) ====<br />
Edit file {{ic|/usr/share/gnome-session/sessions/gnome-fallback.session}}:<br />
<br />
Replace your window manager (gnome-shell, metacity, ...) with ''compiz'' in the '''RequiredComponents''' line.<br />
<br />
Change ''DefaultProvider-windowmanager'' line to ''DefaultProvider-windowmanager=compiz''<br />
<br />
Here is part of my {{ic|gnome-fallback.session}}:<br />
<br />
{{bc|1=<br />
RequiredComponents=compiz;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=compiz<br />
DefaultProvider-notifications=notification-daemon<br />
}}<br />
<br />
{{Note| I took out gnome-panel as I am using avant-window-navigator as my panel.<br />
I'm using gnome3 fallback mode with compiz, make gtk-window-decorator start with compiz, and make avant-window-navigator start automatically.}}<br />
<br />
==== Autostart (without "fusion-icon", Gnome prior to 2.24) ====<br />
This is a way that works if you use GDM (and I'd assume KDM too).<br />
<br />
Make a file called /usr/local/bin/compiz-start-boot with the contents:<br />
#!/bin/bash<br />
export WINDOW_MANAGER="compiz ccp"<br />
exec gnome-session<br />
<br />
and make it executable ({{ic|chmod +x /usr/local/bin/compiz-start-boot}}). Next create the file {{ic|/etc/X11/sessions/Compiz.desktop}} containing the following:<br />
[Desktop Entry]<br />
Version=1.0<br />
Encoding=UTF-8<br />
Name=Compiz on GNOME<br />
Exec=/usr/local/bin/compiz-start-boot<br />
Icon=<br />
Type=Application<br />
<br />
Select Compiz on Gnome as your session and you're good to go.<br />
<br />
==== Autostart (with "fusion-icon") ====<br />
To start Compiz Fusion automatically when a session starts, go to System > Preferences > Startup Applications. In the Startup Programs tab, click the Add button.<br />
<br />
You will now see the Add Startup Program dialog. Fill it in as follows.<br />
<br />
Name:<br />
Compiz Fusion<br />
Command:<br />
fusion-icon<br />
Comment: (Put anything you like or leave blank.)<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz, but there will be no fusion-icon tray icon.<br />
<br />
The ccp value tells compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
When you are done, click the Add button. You should now see your startup program in the list in the Startup Programs tab. It must be checked to be enabled; uncheck it to disable Compiz on startup and fall back to Metacity.<br />
<br />
You may also need to run the following gconftool-2 command in a terminal; otherwise fusion-icon may not load the window decorator:<br />
gconftool-2 --type bool --set /apps/metacity/general/compositing_manager false<br />
<br />
{{Note| This method is slower, because GNOME first loads the default window manager (Metacity) and then launches fusion-icon, which loads Compiz to replace Metacity. Essentially, it takes as long as loading two window managers to get Compiz running. The method without fusion-icon is preferred and avoids this.}}<br />
<br />
=== Mate Desktop ===<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
As with GNOME, create a compiz.desktop file (see [[Compiz#Autostart_.28without_.22fusion-icon.22.29_.28Preferred_Method.29]]), then set Compiz as the default window manager:<br />
* on Mate prior to 1.6, set the following mateconf entries (note: the last two are deprecated values):<br />
mateconftool-2 --set -t string /desktop/mate/session/required_components/windowmanager compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/current /usr/bin/compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/default /usr/bin/compiz<br />
<br />
* on Mate 1.6 and later, set the following gsettings value:<br />
gsettings set org.mate.session.required-components windowmanager compiz<br />
<br />
=== XFCE ===<br />
==== Xfce autostart (without "fusion-icon") ====<br />
This method starts Compiz directly through the XFCE session manager, without loading Xfwm first.<br />
<br />
Note that XFCE versions newer than 4.2 keep their configuration in XML files (xfconf); the paths below refer to those.<br />
<br />
The session manager is provided by {{Pkg|xfce4-session}}; install it if it is not already present.<br />
<br />
Now configure the default/failsafe session of XFCE.<br />
<br />
Edit the {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}} or (to make the change for all XFCE users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Replace the xfwm startup command,<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="xfwm4"/><br />
</property><br />
<br />
with the following:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="compiz"/><br />
<value type="string" value="ccp"/><br />
</property><br />
<br />
{{Note| The ccp value tells compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
To prevent the default session from being overwritten on logout, also set SaveOnExit to false in the general section:<br />
<br />
<property name="general" type="empty"><br />
...<br />
...<br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
To remove the existing saved sessions, run:<br />
$ rm -r ~/.cache/sessions<br />
<br />
==== Xfce autostart (with "fusion-icon") ====<br />
=====Method 1:=====<br />
{{Note| This method is the least preferred, since it loads both window managers. All the other XFCE methods load only Compiz, without Xfwm.}}<br />
This will load Xfwm first, then replace it with Compiz.<br />
<br />
Open the XFCE Settings Manager, then Session and Startup, and click the Application Autostart tab.<br />
<br />
Add<br />
(Name:) Compiz Fusion<br />
<br />
(Command:) fusion-icon<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz, but there will be no fusion-icon tray icon.<br />
<br />
The ccp value tells compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
=====Method 2:=====<br />
Edit the following file (settings in this file take precedence over the system-wide file):<br />
$ nano ~/.config/xfce4-session/xfce4-session.rc<br />
<br />
Or, to make the change for all XFCE users (root access required):<br />
# nano /etc/xdg/xfce4-session/xfce4-session.rc<br />
<br />
Add the following:<br />
[Failsafe Session]<br />
Client0_Command=fusion-icon<br />
<br />
Comment out {{ic|1=Client0_Command=xfwm4}} if it exists.<br />
<br />
This causes XFCE to load Compiz instead of Xfwm when the user has no saved session.<br />
<br />
To prevent the default session from being overwritten, you may also add:<br />
[General]<br />
AutoSave=false<br />
SaveOnExit=false<br />
<br />
To remove the existing sessions:<br />
$ rm -r ~/.cache/sessions<br />
<br />
=====Method 3:=====<br />
Check whether this file exists:<br />
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
If not, copy the system-wide default into place (creating the directory first, otherwise the copy fails):<br />
$ mkdir -p ~/.config/xfce4/xfconf/xfce-perchannel-xml<br />
$ cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
and edit {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}<br />
<br />
or (to make the changes for all xfce4 users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Edit Client0_Command so that it looks like this:<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="fusion-icon"/><br />
<value type="string" value="--force-compiz"/><br />
</property><br />
If '''--force-compiz''' does not work, use '''compiz --replace --sm-disable --ignore-desktop-hints ccp''' instead.<br />
<br />
Add the '''SaveOnExit property''' if missing and set it to '''false''':<br />
<property name="general" type="empty"><br />
<property name="FailsafeSessionName" type="string" value="Failsafe"/><br />
<property name="SessionName" type="string" value="Default"/><br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
Finally, remove the old xfce4 sessions:<br />
rm -r ~/.cache/sessions<br />
<br />
XFCE will now load Compiz instead of Xfwm.<br />
<br />
=== As a Standalone Window Manager ===<br />
The package compiz-core by itself is sufficient to start using Compiz Fusion. However, ccsm and emerald (or another window decorator) are highly recommended in addition. You can install fusion-icon, compiz-fusion-plugins-main, compiz-fusion-plugins-extra or any other package at any later time.<br />
<br />
To start Compiz Fusion automatically, configure .xinitrc to launch compiz:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec compiz ccp<br />
</nowiki>}}<br />
You can also add other [[Compiz_fusion#Manually_.28without_.22fusion-icon.22.29|command-line options]] to your .xinitrc.<br />
<br />
Or, if using fusion-icon, configure .xinitrc as:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
Chances are you will need additional applications (e.g. a panel) for a usable desktop. To autostart them, add them to your .xinitrc before the exec line:<br />
{{hc|~/.xinitrc|<nowiki><br />
tint2 &<br />
cairo-dock &<br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
{{Note| Add a terminal emulator to this autostart list the first time you start Compiz, so that you have a way to [[Compiz_fusion#Configuration|configure]] it.}} <br />
<br />
An alternative method uses a simple script, here called '''start-fusion.sh''':<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
# add more apps here if necessary, or start another panel or tray such as pypanel, bmpanel or stalonetray<br />
xfce4-panel &<br />
fusion-icon<br />
</nowiki>}}<br />
If this script does not work for you, or you run into problems with '''dbus''', use this script instead. Note that, unlike the first one, it starts its own X server on display :0 (with {{ic|-nolisten tcp}}, so the server accepts no network connections) and its own D-Bus session bus, so it is meant to be run from a virtual console rather than from {{ic|~/.xinitrc}}, where an X server is already running on :0:<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
cd "$HOME"<br />
# start a private session bus; it exits together with this script<br />
eval "$(dbus-launch --sh-syntax --exit-with-session)"<br />
# start the X server on VT7, listening only on local sockets;<br />
# -audit 0 turns off the connection audit trail (use 1 or 2 to log rejected/accepted connections)<br />
/usr/bin/X :0.0 -br -audit 0 -nolisten tcp vt7 &<br />
export DISPLAY=:0.0<br />
# give the server a moment to come up before clients connect<br />
sleep 1<br />
# log into the home directory rather than a fixed name in /tmp, which another local user could pre-create<br />
compiz-manager decoration move resize > "$HOME/compiz.log" 2>&1 &<br />
# add more apps here if necessary, or start another panel or tray such as pypanel, bmpanel or stalonetray<br />
xfce4-panel &<br />
fusion-icon<br />
</nowiki>}}<br />
Make it executable:<br />
<br />
$ chmod +x start-fusion.sh<br />
<br />
Then add it to .xinitrc (this applies to the first variant; the second one starts its own X server and is run directly instead), like this:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec /path/to/file/start-fusion.sh<br />
</nowiki>}}<br />
<br />
Feel free to use a different panel, tray, or start a whole bunch of applications with your session.<br />
See [https://bbs.archlinux.org/viewtopic.php?id=51282 this forum thread] for more info.<br />
<br />
{{Note | Using a separate script instead of running everything from xinitrc is the only way to let all launching applications use ConsoleKit: see [[ConsoleKit#Running_several_applications_from_.7E.2F.xinitrc|this article]].}}<br />
<br />
==== Add a root menu ====<br />
To add a root menu similar to that in Openbox, Fluxbox, Blackbox etc., install the package {{AUR|compiz-deskmenu}}.<br />
After restarting Compiz Fusion, you should be able to middle-click on the desktop to launch the menu.<br />
<br />
If it does not work automatically, open the CompizConfig Settings Manager and, in the Commands tab of the General Settings menu, ensure that there is a command to launch compiz-deskmenu and that its key binding is set to Control+Space.<br />
<br />
If it still does not work, open the Viewport Switcher menu and change "Plugin for initiate action" to core (for versions 0.8.2 and later it is 'commands' instead of 'core') and "Action name for initiate" to run_command0_key.<br />
<br />
An alternative is to use [https://aur.archlinux.org/packages.php?ID=29564 mygtkmenu], also in [[AUR]].<br />
<br />
==== Allow users to shutdown/reboot ====<br />
Refer to [[Allow_Users_to_Shutdown|this]] wiki page. If using "the modern way" with PolicyKit, you can add the command under ccsm > General > Commands and assign a shortcut key to it, or use a launcher application.<br />
<br />
== Misc ==<br />
<br />
=== Configuration ===<br />
[[Compiz#Configuration|You must do this so your windows function like you expect them to!]]<br />
<br />
=== Using compiz-manager ===<br />
<br />
To use compiz-manager, install it from [community]:<br />
# pacman -S compiz-manager<br />
<br />
compiz-manager, installed as {{ic|/usr/bin/compiz-manager}}, is a wrapper script around Compiz and its options: it checks the requirements, starts Compiz with suitable options and falls back to the desktop's own window manager if something goes wrong. Run it from a terminal to see what it detects:<br />
$ compiz-manager<br />
It can be used in any of the scripts that start Compiz.<br />
<br />
=== Using gtk-window-decorator ===<br />
<br />
To use gtk-window-decorator, install the package ''compiz-decorator-gtk'' and select "GTK Window Decorator" instead of "Emerald" as your window decorator in fusion-icon, or in whatever other program you use to configure compiz.<br />
<br />
=== gconf: Additional Compiz Configurations ===<br />
<br />
To achieve more satisfying results from Compiz, you can tweak its config with gconf-editor:<br />
<br />
$ gconf-editor<br />
<br />
Note that compiz-core itself is no longer built with gconf support; the gconf backend is provided by compiz-decorator-gtk, so install that package if you want to edit your Compiz configuration with gconf-editor.<br />
The Compiz gconf configuration is located in the key <b>apps</b> > <b>compiz</b> > <b>general</b> > <b>allscreens</b> > <b>options</b>.<br />
<br />
"Active plugins" is where you specify the plugins you would like to use. Simply edit the key and add a value (refer to the key <b>apps</b> > <b>compiz</b> > <b>plugins</b> to see the possible values). Plugins I’ve found useful are screenshot, png, fade, and minimize. Please do not remove those enabled by default.<br />
<br />
=== ATI R600/R700 Notes ===<br />
While using fusion-icon you should not experience any problems, because it takes care of the environment for you. If you use one of the autostart methods that do not involve fusion-icon, however, you will run into trouble. For example, with the Xfce autostart method without fusion-icon you edit ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml as described above, but if you follow those directions literally, compiz does not load. Instead, make your xfce4-session.xml look like this:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="LIBGL_ALWAYS_INDIRECT=1"/><br />
<value type="string" value="compiz"/><br />
<value type="string" value="--sm-disable"/><br />
<value type="string" value="--ignore-desktop-hints"/><br />
<value type="string" value="ccp"/><br />
<value type="string" value="--indirect-rendering"/><br />
</property><br />
<br />
This example targets Xfce specifically, but it can be adapted to any desktop environment; it is just a matter of adding the command to the proper config file. The key point is the required command, which typed on a command line looks like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering<br />
<br />
This is how Xfce's session manager interprets the XML above. Note that you do not need --replace, because xfwm is never loaded before compiz.<br />
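The following Python script is an added example, not part of this page or of XFCE/Compiz. It performs the xfce4-session.xml edit described in the XFCE autostart sections above and in this ATI note: it rewrites every Client0_Command array to a given argv and forces general/SaveOnExit to false, so the session manager does not overwrite the change on logout. It edits the XML structurally rather than with sed, so nesting and attributes stay intact. The embedded sample file is constructed from the fragments shown on this page (not a real XFCE file), and a real file is only touched when its path is given on the command line.<br />

```python
"""Switch an xfce4-session.xml (xfconf per-channel file) from xfwm4 to Compiz.

Added example, not part of the ArchWiki page or of XFCE.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments shown on the page.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
    <property name="SaveOnExit" type="bool" value="true"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
      <property name="Client0_PerScreen" type="bool" value="false"/>
    </property>
  </property>
</channel>
"""

# Command lines taken from the page: the plain one and the ATI R600/R700 variant.
COMPIZ_CMD = ["compiz", "ccp"]
ATI_CMD = ["LIBGL_ALWAYS_INDIRECT=1", "compiz", "--sm-disable",
           "--ignore-desktop-hints", "ccp", "--indirect-rendering"]


def parse_channel(xml_text):
    """Parse the channel document from a string (bytes keep the XML declaration valid)."""
    return ET.fromstring(xml_text.encode("utf-8"))


def set_window_manager(root, argv):
    """Replace the values of every Client0_Command array with argv.
    Returns the number of arrays rewritten; 0 means this is not the session
    channel you expected, so nothing should be written back."""
    count = 0
    for prop in root.iter("property"):
        if prop.get("name") != "Client0_Command" or prop.get("type") != "array":
            continue
        old = list(prop)
        last_tail = old[-1].tail if old else None  # keep the original indentation
        for child in old:
            prop.remove(child)
        for arg in argv:
            value = ET.SubElement(prop, "value", {"type": "string", "value": arg})
            value.tail = prop.text
        if len(prop):
            prop[-1].tail = last_tail
        count += 1
    return count


def set_save_on_exit(root, enabled=False):
    """Set general/SaveOnExit, creating the property if it is missing."""
    text = "true" if enabled else "false"
    general = next((p for p in root.findall("property")
                    if p.get("name") == "general"), None)
    if general is None:
        general = ET.SubElement(root, "property", {"name": "general", "type": "empty"})
    for prop in general.findall("property"):
        if prop.get("name") == "SaveOnExit":
            prop.set("type", "bool")
            prop.set("value", text)
            return text
    ET.SubElement(general, "property",
                  {"name": "SaveOnExit", "type": "bool", "value": text})
    return text


def client0_commands(xml_text):
    """Return the argv list of every Client0_Command array in the document."""
    return [[v.get("value") for v in prop.findall("value")]
            for prop in parse_channel(xml_text).iter("property")
            if prop.get("name") == "Client0_Command"]


def save_on_exit(xml_text):
    """Return the general/SaveOnExit value as a string, or None if unset."""
    for general in parse_channel(xml_text).findall("property"):
        if general.get("name") == "general":
            for prop in general.findall("property"):
                if prop.get("name") == "SaveOnExit":
                    return prop.get("value")
    return None


def convert(xml_text, argv=COMPIZ_CMD):
    """Return the converted document as a string (no file I/O)."""
    root = parse_channel(xml_text)
    set_window_manager(root, argv)
    set_save_on_exit(root, False)
    return ET.tostring(root, encoding="unicode")


def convert_file(path, argv=COMPIZ_CMD):
    """Rewrite the file in place; returns the number of arrays changed."""
    tree = ET.parse(path)
    count = set_window_manager(tree.getroot(), argv)
    if count:
        set_save_on_exit(tree.getroot(), False)
        tree.write(path, encoding="UTF-8", xml_declaration=True)
    return count


if __name__ == "__main__":
    # usage: python3 compiz-session.py [--ati] ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml
    args = [a for a in sys.argv[1:] if a != "--ati"]
    cmd = ATI_CMD if "--ati" in sys.argv else COMPIZ_CMD
    if not args:
        print(convert(SAMPLE_XML, cmd))  # dry run on the built-in sample
    else:
        print("rewrote", convert_file(args[0], cmd), "Client0_Command array(s)")
```

Run it without arguments to see the converted sample, or with the path of your per-user xfce4-session.xml to edit it in place (pass --ati for the indirect-rendering command line from this note). The script deliberately does not delete ~/.cache/sessions; remove the saved sessions yourself as the XFCE sections above describe, after checking the result.<br />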
<br />
== Tips and tricks ==<br />
=== Fallback ===<br />
If you are using [[KDE]], [[GNOME]] or [[XFCE]] and something is not right, for example you do not see borders on your windows, you can switch back to the desktop environment's default window manager with this command:<br />
<br />
''wm_name'' --replace<br />
<br />
with kwin, metacity or xfwm4 in place of ''wm_name''.<br />
<br />
=== Keyboard Shortcuts ===<br />
Default plugin keyboard shortcuts (the corresponding plugins have to be activated!):<br />
<br />
* Switch windows = {{Keypress|Alt + Tab}}<br />
* Switch desktops on cube = {{Keypress|Ctrl + Alt + Left/Right Arrow}}<br />
* Move window = {{Keypress|Alt + left-click}}<br />
* Resize window = {{Keypress|Alt + right-click}}<br />
<br />
A more detailed list can be found under [http://wiki.compiz-fusion.org/CommonKeyboardShortcuts CommonKeyboardShortcuts] in the Compiz wiki or you can always just look at your plugin's configuration (ccsm).<br />
<br />
== Troubleshooting ==<br />
{{Out of date}}<br />
<br />
=== Missing GLX_EXT_texture_from_pixmaps ===<br />
==== On ATI cards (first solution) ====<br />
(See [https://bbs.archlinux.org/viewtopic.php?id=50073 this forum thread].)<br />
If you run into the following error when trying to run Compiz Fusion on an ATI card:<br />
<br />
Missing GLX_EXT_texture_from_pixmap<br />
<br />
This happens because Compiz Fusion's binary was compiled against Mesa's OpenGL library rather than ATI's OpenGL library (which is what you are using). Reinstall libgl-dri (yes, you will have to uninstall fglrx temporarily) to get Mesa's OpenGL library.<br />
<br />
Copy the library to a separate directory to keep it, because the ATI driver will overwrite it:<br />
<br />
# mkdir /lib/mesa<br />
# cp /usr/lib/libGL.so.1.2 /lib/mesa<br />
<br />
Once you have copied it, you can reinstall your fglrx driver (it should have been removed when you installed libgl-dri). Now you can start Compiz Fusion with the saved library preloaded, for example:<br />
<br />
LD_PRELOAD=/lib/mesa/libGL.so.1.2 compiz --replace &<br />
<br />
==== On ATI cards (second solution) ====<br />
Another problem can arise with GLX_EXT_texture_from_pixmap: the card may only support it with indirect rendering, in which case you have to pass the option to libGL like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp &<br />
<br />
(Workaround tested on the following card: ATI Technologies Inc Radeon R250 [Mobility FireGL 9000] (rev 02))<br />
<br />
==== On Intel chips ====<br />
First, check that you are using the intel driver rather than i810. Then run compiz with the following command (you must use it every time):<br />
LIBGL_ALWAYS_INDIRECT=true compiz --replace --sm-disable ccp &<br />
If you then have no window borders, run:<br />
emerald --replace<br />
As of 17 October 2007 the [http://wiki.compiz-fusion.org/Troubleshooting Compiz-Fusion Wiki] states: <i>"If you are using an Intel GMA card with AIGLX, you will need to start Compiz Fusion with LIBGL_ALWAYS_INDIRECT=1 appended."</i><br />
<br />
=== Compiz starts, but no effects are visible ===<br />
If you have installed compiz-decorator-gtk, check whether the GConf schema was installed correctly:<br />
gconftool-2 -R /apps/compiz/plugins | grep plugins<br />
Make sure that all plugins are listed (not only fade!). If not, install the compiz schema manually (as your normal user, not as root):<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
Note: the basic Compiz plugins are not enabled by default. Enable the "Move Window", "Resize Window" and "Window Decoration" plugins in the settings manager (reachable from fusion-icon) to get a usable window manager.<br />
<br />
=== Compiz starts, but gtk-window-decorator does not ===<br />
It is a configuration problem with gconf and gconfd. I solved it by removing the ".gconf" directory in my home, but I am using KDE. If you are using GNOME, you should enter your ".gconf" directory and remove all compiz keys. This will erase your compiz settings, so be sure to reconfigure.<br />
Finally, run as your normal user:<br />
<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
=== Compiz appears to start, but there are no window borders ===<br />
When you run fusion-icon from the command line, you get output like this:<br />
<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING<br />
* Using the GTK Interface<br />
* Metacity is already running<br />
* Setting window manager to Compiz<br />
... executing: compiz --replace --sm-disable --ignore-desktop-hints ccp<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
<br />
All you need to do is edit your {{Ic|/etc/X11/xorg.conf}}, find the "Depth" directive inside the "Screen" section and change all occurrences of this value to 24. This happened to me with my colour depth set to 16, but it also happens when it is set to 32.<br />
<br />
----<br />
<br />
You may also try adding ''Option "AddARGBGLXVisuals" "True"'' and ''Option "DisableGLXRootClipping" "True"'' to your "Screen" section if you are using the Nvidia binary driver. (Radeon and the open 'nv' driver will not work with these options as far as I can tell.) If you used any other Options elsewhere in {{Ic|xorg.conf}} to get compiz working and still have no luck, try commenting them out and using only the aforementioned AddARGBGLXVisuals and DisableGLXRootClipping options.<br />
<br />
'''Note''': Check that the "Window Decoration", "Move Window" and "Resize Window" plugins are enabled with the CompizConfig Settings Manager or gconf-editor.<br />
<br />
With gconf-editor you can easily enable the "Window Decoration", "Move Window" and "Resize Window" plugins:<br />
<br />
$ gconf-editor<br />
<br />
Navigate to apps/compiz/general/allscreens/options<br />
<br />
Add/Edit "active_plugins" Key (Name: active_plugins, Type: List, List type: String).<br />
<br />
Add "decoration", "move", and "resize" to the list.<br />
<br />
----<br />
<br />
'''Another way to fix this''':<br />
* Launch '''ccsm'''.<br />
* Find '''Window Decoration''' and make sure it is enabled.<br />
* Now click on it, to edit the options.<br />
* If the entry behind '''command''' is empty, put the value '''gtk-window-decorator''' there.<br />
** Alternatives are '''kde-window-decorator''' and '''emerald'''<br />
* Click '''Back''' and '''Close'''<br />
* If all went well, the borders should appear.<br />
<br />
=== Compiz starts and borders appear, but windows won't move ===<br />
Be sure you have the "Move Window" plugin installed and enabled in the compiz settings manager.<br />
<br />
=== Blank screen on resume from suspend-to-ram using the Nvidia binary drivers ===<br />
If you receive a blank screen with a responsive cursor upon resume, try disabling sync to vblank:<br />
<br />
gconftool-2 -s /apps/compiz/general/screen0/options/sync_to_vblank -t bool false<br />
<br />
=== fusion-icon doesn't start ===<br />
If you get an output like this from the command line:<br />
[andy@andylaptop ~]$ fusion-icon<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
Traceback (most recent call last):<br />
File "/usr/bin/fusion-icon", line 57, in <module><br />
from FusionIcon.interface import choose_interface<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/interface.py", line 23, in <module><br />
import start<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/start.py", line 36, in <module><br />
config.check()<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/util.py", line 362, in check<br />
os.makedirs(self.config_folder)<br />
File "/usr/lib/python2.5/os.py", line 172, in makedirs<br />
mkdir(name, mode)<br />
OSError: [Errno 13] Permission denied: '/home/andy/.config/compiz'<br />
<br />
the problem is the ownership of {{Ic|~/.config/compiz}}: a directory in your home is owned by root, which usually happens when fusion-icon or compiz was once run as root (for example via sudo) with your home directory as its configuration location. To hand it back to your user, run as root (the -R also fixes anything root created inside it):<br />
# chown -R <username> /home/<username>/.config/compiz<br />
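A quick way to find every such root-owned entry in your home, not just ~/.config/compiz: the following Python check is an added example (not from this page) that walks a directory tree and reports anything not owned by you. It uses only the standard library, does not follow symlinks, and the small tree it builds for demonstration is constructed, not taken from a real system.<br />

```python
"""List files and directories under a tree that are not owned by the expected user.

Added example, not part of the ArchWiki page. Run it on ~/.config after using
sudo with graphical tools and chown whatever it reports.
"""
import os
import pwd
import tempfile


def owner_name(uid):
    """Map a uid to a user name, falling back to the number for unknown uids."""
    try:
        return pwd.getpwuid(uid).pw_name
    except (KeyError, OverflowError):
        return str(uid)


def foreign_owned(root, uid=None):
    """Return (path, owner) for every entry under root (root included) whose
    owner differs from uid (default: the calling user). Symlinks are not
    followed, so a link is judged by its own owner, not its target's, and the
    walk never leaves the tree through a link."""
    if uid is None:
        uid = os.getuid()
    found = []

    def check(path):
        try:
            st = os.lstat(path)
        except OSError:
            return  # vanished or unreadable: nothing we can report
        if st.st_uid != uid:
            found.append((path, owner_name(st.st_uid)))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            check(os.path.join(dirpath, name))
    return found


def make_sample_tree():
    """Build a small constructed tree in a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="compiz-owner-check-")
    os.mkdir(os.path.join(root, "compiz"))
    with open(os.path.join(root, "compiz", "config"), "w") as f:
        f.write("[main]\n")
    with open(os.path.join(root, "other.txt"), "w") as f:
        f.write("unrelated\n")
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.config")
    hits = foreign_owned(target)
    for path, owner in hits:
        print(f"{owner}\t{path}")
    print(f"{len(hits)} entries under {target} not owned by {owner_name(os.getuid())}")
```

Run it as {{ic|python3 owner-check.py ~/.config}} and chown what it lists; the shell equivalent is {{ic|find ~/.config ! -user "$USER"}}. Not running Compiz, fusion-icon or ccsm through sudo avoids creating such directories in the first place.<br />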
<br />
=== Choppy animations, even though everything configured correctly ===<br />
If everything is configured correctly but you still get poor performance on some effects, try disabling CCSM > General Options > Display Settings > "Detect Refresh Rate" and choosing a value manually instead. Tested on both nvidia and intel chips; it can work wonders.<br />
<br />
Alternatively, if your chip is nvidia and you get an inadequate refresh rate with "Detect Refresh Rate" enabled in Compiz, it is likely due to an option called DynamicTwinView, enabled by default, which affects how accurately the maximum refresh rate supported by your card and display is reported. Disable DynamicTwinView by adding the following line to the "Device" or "Screen" section of your xorg.conf and restarting your computer:<br />
<br />
Option "DynamicTwinView" "False"<br />
<br />
Doing so will allow XrandR to accurately report the refresh rate to anything that detects it, including Compiz. You should be able to leave "Detect Refresh Rate" enabled and get excellent performance. Once again, this only applies to nvidia chips.<br />
<br />
=== Fix Gnome Screenshot ===<br />
To re-enable gnome-screenshot (the default behavior caused by hitting {{Keypress|PrtScn}}) simply go to Settings Manager>Commands and map 'gnome-screenshot' to the 'PrtScn' key. This is advantageous because you can also use the Compiz-Fusion 'Screenshot' plugin at the same time since the action that enables it is <Super>Button1 thereby giving you two methods to do a screen capture (one of which gives a full screen capture in a single keystroke).<br />
<br />
=== Get GNOME Workspace Switcher work with Compiz-Fusion ===<br />
In older versions of Compiz, the GNOME Workspace Switcher applet would actually work with Compiz Fusion (i.e. rotate the cube, move the plane, etc.), but recent versions seem not to. This is due to a new feature in Compiz that allows real, separate workspaces. For example, if you have a desktop plane with four viewports and four desktops enabled in GNOME, that adds up to 16 different workspaces. Currently, there is no animation associated with "real" workspace changes. To get the Workspace Switcher working, do the following:<br />
<br />
In GConf, set the following options:<br />
<br />
/apps/compiz/general/screen0/options/number_of_desktops = '''1'''<br />
/apps/compiz/general/screen0/options/hsize = 4 (this is an example)<br />
/apps/compiz/general/screen0/options/vsize = 1 (this is an example)<br />
<br />
=== Screen flicks with NVIDIA card ===<br />
To fix it, create the file /etc/modprobe.d/nvidia.conf containing the line:<br />
options nvidia NVreg_RegistryDwords="PerfLevelSrc=0x2222"<br />
<br />
=== Fix Custom Cursor Theme on Gnome 2.30 ===<br />
Create or edit /usr/share/icons/default/index.theme for the system default, or ~/.icons/default/index.theme per user '''(non-root)''', and add these lines:<br />
<br />
[Icon Theme]<br />
#Name=''foo''<br />
Name=''foo''<br />
#Inherits=''foo''<br />
Inherits=''foo''<br />
[Desktop Entry]<br />
Name[en_US]=index.theme<br />
<br />
"Foo" is the name of the cursor theme.<br />
<br />
=== Screen artifacts on Firefox / Thunderbird ===<br />
{{Note|Although this issue is not strictly related to Compiz, it has been added here because of the popular misconception that Compiz itself is the cause.}}<br />
<br />
Some users noticed strange behaviour with the AMD/ATI Catalyst drivers starting from the 10.6 release. Artifacts are visible mainly in Mozilla applications, where the GUI shows black spots of variable size. This is caused by the different 2D acceleration technique introduced with Catalyst 10.6.<br />
The problem can be fixed by following the troubleshooting steps on the [[ATI_Catalyst#Black.2Fgrey.2Fwhite_boxes.2Fartifacts_mainly_in_firefox.2Fthunderbird|ATI Catalyst page]].<br />
<br />
=== Setting the window manager back to Metacity after uninstall ===<br />
Removing compiz with pacman does not set your window manager back to metacity. This can result in no window borders being drawn, an inability to minimize and an inability to change focus. To change it back, run "gconf-editor" in a terminal (install it if you do not have it already) and set the key {{Ic|/desktop/gnome/session/required_components/window_manager}} from "compiz" to "metacity". Log out and back in for the change to take effect.<br />
<br />
=== Context menu in applications (firefox, ...?) disappears on mouseover ===<br />
Try disabling "focus stealing prevention" (general options).<br />
<br />
=== External notes ===<br />
[http://wiki.compiz.org/Troubleshooting Troubleshooting page] on compiz.org<br />
<br />
== See also ==<br />
*[http://compiz.org Compiz Website] -- including wiki and forum</div>
Jrussell https://wiki.archlinux.org/index.php?title=Compiz&diff=256299 Compiz 2013-05-07T09:42:40Z<p>Jrussell: /* Initial configuration */</p>
<hr />
<div>[[Category:Eye candy]]<br />
[[Category:Stacking WMs]]<br />
[[el:Compiz]]<br />
[[es:Compiz]]<br />
[[it:Compiz]]<br />
[[ja:Compiz]]<br />
[[pl:Compiz]]<br />
[[pt:Compiz]]<br />
[[ru:Compiz]]<br />
[[tr:Compiz]]<br />
[[zh-CN:Compiz]]<br />
{{Article summary start}}<br />
{{Article summary wiki|Compiz Configuration}}<br />
{{Article summary wiki|AIGLX}}<br />
{{Article summary wiki|Composite}}<br />
{{Article summary wiki|Xcompmgr}}<br />
{{Article summary wiki|Cairo Compmgr}}<br />
{{Article summary end}}<br />
<br />
Compiz is a [[Wikipedia:Compositing window manager|compositing window manager]] and comes with its own window decorator, [[Emerald]]. Because Compiz is itself a window manager, it cannot be used simultaneously with other window managers such as [[Openbox]], [[Fluxbox]] or [[Enlightenment]]. Users who want to keep their current window manager and add some effects to it may wish to try [[Xcompmgr]] instead.<br />
<br />
== Requirements ==<br />
Users of major [[DE]]s can make good use of {{Pkg|compiz-manager}}, which performs a brief requirements check and switches to a fallback WM in case of errors. Setup and hardware issues can also be diagnosed with the {{AUR|compiz-check}} script (available in the [[AUR]]).<br />
<br />
== Installation ==<br />
All compiz packages available in the [[official repositories]] can be [[pacman|installed]] with the group {{Grp|compiz-fusion}}.<br />
<br />
For those who do not want to install everything, there are also the groups {{Grp|compiz-fusion-gtk}} and {{Grp|compiz-fusion-kde}} for [[Gnome]] and [[KDE]] respectively.<br />
<br />
Users who wish to select the packages individually may start with {{Pkg|compiz-core}} and one of the [[#Decorators|decorators]].<br />
{{Note|Without a configured window decorator, windows have no borders or title bars, which makes your [[X]] workspace hard to use.}}<br />
<br />
=== Initial configuration ===<br />
While the appearance of windows and their contents is a function of [[GTK+]] and [[Qt]], the frames around the windows are drawn by a window decorator, controlled by the Window Decoration plugin. Make sure you have a window decorator installed; depending on the packages you have installed, you can choose among several. The most common ones are Emerald, kde-window-decorator and gtk-window-decorator. Emerald integrates most closely with Compiz's screen handling and offers transparency effects. To set your default window decorator, enter the corresponding command in the "Command" field of the "Window Decoration" plugin's settings.<br />
To set emerald as your default window-decorator type:<br />
emerald --replace<br />
To set the kde-window-decorator as an alternative to Emerald type:<br />
kde4-window-decorator --replace<br />
To set the compiz-decorator-gtk as an alternative to Emerald type:<br />
gtk-window-decorator --replace<br />
<br />
Ensure that the "Window Decoration" plugin is enabled in ccsm's "Effects" tab and that its "Command" field contains a command that starts a decorator, for example:<br />
gtk-window-decorator --replace<br />
or<br />
emerald --replace<br />
<br />
{{Box RED|Activate important plugins!|<br />
You will almost certainly want to activate a few plugins that provide basic window manager behaviour; otherwise you will not be able to drag, resize or close any windows once compiz is active. Among those plugins are "Window Decoration" under Effects and "Move Window" and "Resize Window" under Window Management. ccsm can be used to enable them.<br />
Launch CompizConfig Settings Manager:<br />
$ ccsm<br />
Simply put check marks next to those plugins to activate them.}}<br />
<br />
== Additional software ==<br />
=== Decorators ===<br />
* {{App|[[Emerald]]|Compiz's own window decorator with few dependencies. (Note: Works but is buggy and no longer maintained)|http://www.compiz.org|{{Pkg|emerald}}}}<br />
* {{Pkg|compiz-decorator-gtk}} and {{Pkg|compiz-decorator-kde}} &ndash; alternatives to Emerald, using your desktop environment's configuration backends and looks<br />
=== Other ===<br />
* {{Pkg|ccsm}} (CompizConfig settings manager) &ndash; GUI application that lets you configure all of Compiz's plugins<br />
* {{Pkg|fusion-icon}} &ndash; offers a tray icon and a nice way to start compiz, start ccsm and change the WM / Window Decorator<br />
* [https://aur.archlinux.org/packages.php?K=compiz Lots of quickly dying packages in AUR]<br />
<br />
== Starting Compiz Fusion ==<br />
<br />
=== Manually (with "fusion-icon") ===<br />
<br />
Launch the Compiz Fusion tray icon:<br />
$ fusion-icon<br />
<br />
{{Note|If it fails (almost never), you may try it with dbus-launch:<br />
{{bc|$ dbus-launch "fusion-icon"}}}}<br />
Right click on the icon in the panel and go to 'select window manager'. Choose "Compiz" if it isn't selected already, and you should be set.<br />
<br />
If Compiz starts but your windows have no decorations, start Compiz's own window decorator (Emerald) in place of the current one:<br />
$ emerald --replace<br />
<br />
'''Again, note:''' If you want to use compiz window decorations make sure you have the "Window Decoration" plugin marked in the compiz settings through ccsm.<br />
<br />
=== Manually (without "fusion-icon") ===<br />
<br />
Launch Compiz with the following command (which replaces your current window manager):<br />
$ compiz --replace ccp &<br />
<br />
A quick overview of common compiz command-line options:<br />
*--indirect-rendering: use indirect-rendering (AIGLX)<br />
*--loose-binding: can help performance issues (nVidia?)<br />
*--replace: replace current window-manager<br />
*--keep-window-hints: keep the gnome window-manager gconf-settings for available viewports, ...<br />
*--sm-disable: disable session-management<br />
*ccp: the "ccp" command loads the last configured settings from ccsm (CompizConfig Settings Manager) otherwise Compiz will load with no settings and you won't be able to do anything with your windows like dragging, maximizing/minimizing, or moving.<br />
<br />
=== KDE4 ===<br />
{{Note| The first and last methods will load Compiz-Fusion as the default window manager instead of KWin. This is faster than loading Compiz with 'fusion-icon' because it avoids loading two window managers at startup. This also prevents the annoying black screen flicker you might see using other methods (when KWin switches to Compiz on KDE's desktop loading screens). The downside is that if Compiz crashes, it may be more difficult to recover your desktop.}}<br />
<br />
==== Use System Settings (easiest)====<br />
Go to: ''System Settings'' --> ''Default Applications'' --> ''Window Manager'' --> ''Use a different window manager''<br />
<br />
'''''If''''' you need to run compiz with custom options, select "Compiz custom" (when you run <code>fusion-icon</code> from a terminal you can see the command line with which compiz was started).<br />
Create a file called "compiz-kde-launcher" in <code>/usr/bin</code>. Then make the file executable: <code>chmod +x /usr/bin/compiz-kde-launcher</code>.<br />
<br />
For example:<br />
#!/bin/bash<br />
# export the variable so that compiz, not only this shell, sees it<br />
export LIBGL_ALWAYS_INDIRECT=1<br />
compiz --replace ccp &<br />
wait<br />
<br />
==== Autostart with "fusion-icon" ====<br />
<br />
Add a symbolic link that points to the fusion-icon executable in your KDE Autostart directory:<br />
$ ln -s /usr/bin/fusion-icon ~/.kde4/Autostart/fusion-icon<br />
<br />
Next time KDE is started, it will load fusion-icon automatically.<br />
<br />
==== Autostart Link without "fusion-icon" ====<br />
<br />
{{Warning|DO NOT create compiz.desktop if you intend to install compiz-decorator-gtk; it will create a file conflict.}}<br />
<br />
* Append a desktop entry in the KDE Autostart directory. If it doesn't already exist (it should), create the file {{ic|~/.kde4/Autostart/compiz.desktop}} with the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp --replace<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you may have to add "--replace" and/or "ccp" to the Exec variable. Without "--replace", Compiz won't load since it will detect another window manager already loaded. Without "ccp", Compiz will not load any of the settings and plugins that you have enabled through CompizConfig Settings Manager (ccsm) and you won't be able to manipulate any of your windows.}}<br />
<br />
* If you want to use the optional {{ic|fusion-icon}} application, launch ''fusion-icon''. If you log out normally with ''fusion-icon'' running, KDE should restore your session and launch ''fusion-icon'' the next time you log in if this setting is enabled. If it doesn't appear to be working, ensure you have the following line in {{ic|~/.kde4/share/config/ksmserverrc}}:<br />
<br />
loginMode=restorePreviousLogout<br />
{{Note| This is a KDE specific setting that will allow you to restore other apps next time you log in, not just fusion-icon.}}<br />
<br />
==== Export KDEWM without "fusion-icon" (preferred) ====<br />
<br />
As root you must create a short script by doing the following in your terminal. This will allow you to load compiz with the switches because doing it directly via {{ic|1=export KDEWM="compiz --replace ccp --sm-disable"}} doesn't seem to work.<br />
# echo "compiz --replace ccp --sm-disable &" > /usr/bin/compiz-fusion<br />
<br />
{{Note| If this line doesn't work, make sure the "fusion-icon" package is installed and then use this line instead:<br />
# echo "fusion-icon &" > /usr/bin/compiz-fusion<br />
Be sure to complete the whole method before trying this substitute.}}<br />
<br />
Ensure that {{ic|/usr/bin/compiz-fusion}} has executable (+x) permissions.<br />
# chmod a+x /usr/bin/compiz-fusion<br />
<br />
Choose one of the following:<br />
<br />
:1) Compiz for your user only --> Edit the file {{ic|~/.kde4/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
:2) Compiz system wide --> Edit the file {{ic|/etc/kde/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
{{Note| If that still doesn't work, yet another alternate way to accomplish the above method is to include the line<br />
{{bc|1=export KDEWM="compiz-fusion"}}<br />
in your user's {{ic|~/.bashrc}} file.}}<br />
{{Note| If you optionally use the {{ic|/usr/local/bin}} directory it may not work. In that case you should export the script including the whole path:<br />
{{bc|1=export KDEWM="/usr/local/bin/compiz-fusion"}}}}<br />
<br />
=== GNOME ===<br />
If you have installed [[GNOME3]] with gnome-shell, either enable forced Fallback Mode (System Info > Graphics) or simply uninstall gnome-shell.<br />
{{Note|Fallback Mode is not necessary if you choose the Compiz/Cairo-Dock session method below.}}<br />
<br />
==== Alternate Session for GNOME (Preferred Method for Experienced Compiz/Dock Users) ====<br />
The {{AUR|gnome-session-compiz}} package can be used to add an additional menu entry in the GNOME session login dialog. This method does not require forced fallback mode or modifications to sensitive system files/settings. Also, you can switch between GNOME Shell and Compiz/Cairo-Dock between sessions. If you can't get it working, you can always go back to your original GNOME session.<br />
<br />
For this method to work, Compiz and Cairo-Dock (Taskbar/Panel) may have to be [[#Configuration|configured initially]] for fresh accounts, from another working session (ccsm in GNOME Shell worked fine for me).<br />
<br />
This method completely replaces GNOME's window manager and panel (they are not launched at all, rather than being replaced or killed later). So, before actually switching to this alternate session, you may want to configure corresponding/alternate features of the original panel application in Cairo-Dock:<br />
* Add Application Menu icon to Cairo-Dock and remember its key-bindings.<br />
* Remap Application Menu key-bindings to ALT+F1 and ALT+F2, for convenience.<br />
* Add Clock, WiFi, NetSpeed icons to the dock as applicable.<br />
* Add Log-out icon:<br />
** Set the command for logout to "gnome-session-quit --logout"<br />
** Set the command for shutdown to "gnome-session-quit --power-off"<br />
* Add the Notification Area Old (systray) icon to Cairo-Dock.<br />
<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
This method makes use of the [http://standards.freedesktop.org/desktop-entry-spec/latest/ Desktop Entry Specification] to specify a Compiz Desktop Entry, and of the GConf default window manager setting. Thanks to the Desktop Entry you should be able to select Compiz as a window manager from GDM.<br />
<br />
'''1)''' If the following file doesn't already exist (it should), create {{ic|/usr/share/applications/compiz.desktop}} containing the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
# Make sure ccp is included so that Compiz loads your previous settings (a comment must be on its own line; text after the command would become part of Exec).<br />
Exec=/usr/bin/compiz ccp<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
# The following line causes a gnome-session warning and slow startup, so try not to enable it:<br />
# X-GNOME-Autostart-Phase=WindowManager <br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you must make sure that the "ccp" is included in the Exec variable. Having "ccp" included simply tells Compiz to load your previous settings, otherwise you won't have any functionality.}}<br />
<br />
If the above doesn't work (in most cases it does), for example if you notice some issues with windows refreshing or low performance, try:<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp --indirect-rendering}}<br />
<br />
or<br />
<br />
{{bc|1=Exec=/usr/bin/compiz --replace --sm-disable --ignore-desktop-hints ccp --indirect-rendering}}<br />
<br />
Instead of<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp}}<br />
<br />
Some users noticed a "lag" of 4-10 seconds when logging in from a login manager. The solution is to change the command to:<br />
{{bc|1=Exec=bash -c 'compiz ccp decoration --sm-client-id $DESKTOP_AUTOSTART_ID'}}<br />
as noted [https://bbs.archlinux.org/viewtopic.php?pid=655237#p655237 in the forum]. You can also add the extra parameters as described above if needed.<br />
<br />
'''2)''' Set some GConf parameters using the gconftool-2 command in a terminal window or do it visually with Configuration Editor (gconf-editor). The following outlines using the command line method, but you can also see which keys to change using gconf-editor:<br />
<br />
{{Note| Since those parameters apply to a given user, you '''must''' log out from the root account and log in as that other user before proceeding with the next steps. GConf will fail if called from a root account.}}<br />
<br />
gconftool-2 --set -t string /desktop/gnome/session/required_components/windowmanager compiz<br />
<br />
The following are optional and in most cases not necessary (the respective keys are deprecated since GNOME 2.12). But in any case, if the above didn't succeed, the next two statements are still valid and should be tried.<br />
<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/current /usr/bin/compiz<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/default /usr/bin/compiz<br />
<br />
==== Autostart (without "fusion-icon") (With gnome3 fallback mode session) ====<br />
Edit file {{ic|/usr/share/gnome-session/sessions/gnome-fallback.session}}:<br />
<br />
Replace your window manager (gnome-shell, metacity...) with ''compiz'' in the '''RequiredComponents''' line.<br />
<br />
Change ''DefaultProvider-windowmanager'' line to ''DefaultProvider-windowmanager=compiz''<br />
<br />
Here is part of my {{ic|gnome-fallback.session}}:<br />
<br />
{{bc|1=<br />
RequiredComponents=compiz;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=compiz<br />
DefaultProvider-notifications=notification-daemon<br />
}}<br />
<br />
{{Note| I took out gnome-panel as I am using avant-window-navigator as my panel.<br />
I am using gnome3 fallback mode with compiz, make gtk-window-decorator start with compiz, and make avant-window-navigator start automatically.}}<br />
<br />
==== Autostart (without "fusion-icon", Gnome prior to 2.24) ====<br />
This is a way that works if you use GDM (and I'd assume KDM too).<br />
<br />
Make a file called /usr/local/bin/compiz-start-boot with the contents:<br />
#!/bin/bash<br />
export WINDOW_MANAGER="compiz ccp"<br />
exec gnome-session<br />
<br />
and make it executable ({{ic|chmod +x /usr/local/bin/compiz-start-boot}}). Next create the file {{ic|/etc/X11/sessions/Compiz.desktop}} containing the following:<br />
[Desktop Entry]<br />
Version=1.0<br />
Encoding=UTF-8<br />
Name=Compiz on GNOME<br />
Exec=/usr/local/bin/compiz-start-boot<br />
Icon=<br />
Type=Application<br />
<br />
Select Compiz on Gnome as your session and you're good to go.<br />
<br />
==== Autostart (with "fusion-icon") ====<br />
To start Compiz fusion automatically when starting a session go to System > Preferences > Startup Applications. In the Startup Programs tab, click the Add button.<br />
<br />
You will now see the Add Startup Program dialogue. Fill it in as follows.<br />
<br />
Name:<br />
Compiz Fusion<br />
Command:<br />
fusion-icon<br />
Comment: (Put anything you like or leave blank.)<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
When you're done hit the Add button. You should now see your startup program in the list in the Startup Programs tab. It must be checked to be enabled. You can uncheck it to disable Compiz on startup and switch back to Metacity.<br />
<br />
You may also need to use the gconftool-2 command in a terminal window to set the following parameter, otherwise fusion-icon might not load the window decorator.<br />
gconftool-2 --type bool --set /apps/metacity/general/compositing_manager false<br />
<br />
{{Note| This method will be slower due to the fact that Gnome will first load the default window manager (Metacity), then will launch fusion-icon, which will load the Compiz window manager to replace Metacity. Essentially, it will take the amount of time that it takes to load two window managers to get Compiz loaded. The first method is preferred and eliminates this issue.}}<br />
<br />
=== Mate Desktop ===<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
As with Gnome, create a compiz.desktop file (see [[Compiz#Autostart_.28without_.22fusion-icon.22.29_.28Preferred_Method.29]]), then set Compiz as the default window manager:<br />
* on Mate prior to 1.6, edit the following mateconf entries (note: the last two are deprecated values):<br />
mateconftool-2 --set -t string /desktop/mate/session/required_components/windowmanager compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/current /usr/bin/compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/default /usr/bin/compiz<br />
<br />
* on Mate 1.6 and higher, edit the following gsettings value<br />
gsettings set org.mate.session.required-components windowmanager compiz<br />
<br />
=== XFCE ===<br />
==== Xfce autostart (without "fusion-icon") ====<br />
This method will start Compiz directly through the XFCE session manager without loading Xfwm.<br />
<br />
Note the change to XML config files in XFCE versions newer than 4.2.<br />
<br />
To install the session manager, install {{Pkg|xfce4-session}}.<br />
<br />
Now we have to configure the default/failsafe session of XFCE.<br />
<br />
Edit the {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}} or (to make the change for all XFCE users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Replace the xfwm startup command,<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="xfwm4"/><br />
</property><br />
<br />
with the following:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="compiz"/><br />
<value type="string" value="ccp"/><br />
</property><br />
<br />
{{Note| the ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
To prevent the default session from being overwritten you may also add this:<br />
<br />
<property name="general" type="empty"><br />
...<br />
...<br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
To remove the existing sessions, run:<br />
$ rm -r ~/.cache/sessions<br />
<br />
==== Xfce autostart (with "fusion-icon") ====<br />
=====Method 1:=====<br />
{{Note| This method is the least preferred since it loads both window managers. All the other XFCE methods only load Compiz without loading Xfwm.}}<br />
This will load Xfwm first then replace it with Compiz.<br />
<br />
Open the XFCE Settings Manager & then Sessions & Startup. Click the Application Autostart tab.<br />
<br />
Add<br />
(Name:) Compiz Fusion<br />
<br />
(Command:) fusion-icon<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
=====Method 2:=====<br />
Edit the following file (settings in this file are used in preference):<br />
$ nano ~/.config/xfce4-session/xfce4-session.rc<br />
<br />
Or to make the change for all XFCE users (root access required)<br />
# nano /etc/xdg/xfce4-session/xfce4-session.rc<br />
<br />
Add the following<br />
[Failsafe Session]<br />
Client0_Command=fusion-icon<br />
<br />
Comment out Client0_Command=xfwm4 if it exists.<br />
<br />
This will cause xfce to load Compiz instead of Xfwm when the user has no existing sessions.<br />
<br />
To prevent the default session from being overwritten you may also add<br />
[General]<br />
AutoSave=false<br />
SaveOnExit=false<br />
<br />
To remove the existing sessions<br />
rm -R ~/.cache/sessions<br />
<br />
=====Method 3:=====<br />
Check if this file exists:<br />
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
If not do:<br />
cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
and edit {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}<br />
<br />
or (to make the changes for all xfce4 users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Edit Client0_Command so that it looks like this:<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="fusion-icon"/><br />
<value type="string" value="--force-compiz"/><br />
</property><br />
if '''--force-compiz''' doesn't work use '''compiz --replace --sm-disable --ignore-desktop-hints ccp''' instead.<br />
<br />
Add the '''SaveOnExit property''' if missing and set it to '''false''':<br />
<property name="general" type="empty"><br />
<property name="FailsafeSessionName" type="string" value="Failsafe"/><br />
<property name="SessionName" type="string" value="Default"/><br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
Finally, remove old xfce4 sessions:<br />
rm -r ~/.cache/sessions<br />
<br />
Now xfce4 will load compiz instead of Xfwm.<br />
<br />
=== As a Standalone Window Manager ===<br />
The package compiz-core by itself is sufficient to start using compiz-fusion. However, ccsm and emerald (or another window decorator) are highly recommended additional packages. You may install fusion-icon, compiz-fusion-plugins-main, compiz-fusion-plugins-extra or any other package later on at any time.<br />
<br />
To autostart compiz-fusion configure .xinitrc to launch compiz as:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec compiz ccp<br />
</nowiki>}}<br />
You can also add other [[Compiz_fusion#Manually_.28without_.22fusion-icon.22.29|command-line options]] to your .xinitrc<br />
<br />
Or if using fusion-icon, configure .xinitrc as<br />
{{hc|~/.xinitrc|<nowiki><br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
However, chances are you will need additional apps (e.g. a panel) for optimal usability. To autostart such apps, simply add them to your .xinitrc as:<br />
{{hc|~/.xinitrc|<nowiki><br />
tint2 &<br />
cairo-dock &<br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
{{Note| Add a terminal-emulator to this autostart list while starting for the first time to help [[Compiz_fusion#Configuration|configure]] compiz.}} <br />
<br />
An alternative method, utilizing a simple script entitled '''start-fusion.sh''':<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
If this script doesn't work for you, or you get issues with '''dbus''', use this script instead:<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
cd /home/<yourusername><br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
/usr/bin/X :0.0 -br -audit 0 -nolisten tcp vt7 &<br />
export DISPLAY=:0.0<br />
sleep 1<br />
compiz-manager decoration move resize > /tmp/compiz.log 2>&1 &<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
Make it executable:<br />
<br />
chmod +x start-fusion.sh<br />
<br />
And add it to .xinitrc, like this:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec /path/to/file/start-fusion.sh<br />
</nowiki>}}<br />
<br />
Feel free to use a different panel, tray, or start a whole bunch of applications with your session.<br />
See [https://bbs.archlinux.org/viewtopic.php?id=51282 this forum thread] for more info.<br />
<br />
{{Note | Using a separate script instead of running everything from xinitrc is the only way to let all launching applications use ConsoleKit: see [[ConsoleKit#Running_several_applications_from_.7E.2F.xinitrc|this article]].}}<br />
<br />
==== Add a root menu ====<br />
To add a root menu similar to that in Openbox, Fluxbox, Blackbox etc. you must install the package {{AUR|compiz-deskmenu}}.<br />
Upon a restart of Compiz-Fusion, you should be able to middle click on your desktop to launch the menu.<br />
<br />
If it does not automatically work, enter the CompizConfig Settings Manager, and in Commands tab, within the General Settings menu, ensure that there is a command to launch Compiz-Deskmenu, and the appropriate key binding is set to Control+Space.<br />
<br />
If it still does not work, enter the Viewport Switcher menu, and change "Plugin for initiate action" to core (NOTE: for versions 0.8.2+ it's 'commands' instead of 'core'), and "Action name for initiate" to run_command0_key.<br />
<br />
An alternative is to use [https://aur.archlinux.org/packages.php?ID=29564 mygtkmenu], also in [[AUR]].<br />
<br />
==== Allow users to shutdown/reboot ====<br />
Refer to [[Allow_Users_to_Shutdown|this]] wiki page. If using "The Modern way" of policykit, you can add the command to ccsm->General->Commands and assign a shortcut key to it, or alternatively you can use a launcher application.<br />
<br />
== Misc ==<br />
<br />
=== Configuration ===<br />
[[Compiz#Configuration|You must do this so your windows function like you expect them to!]]<br />
<br />
=== Using compiz-manager ===<br />
<br />
In order to use compiz-manager, you need to install it from community:<br />
# pacman -S compiz-manager<br />
<br />
compiz-manager, which is now installed as {{ic|/usr/bin/compiz-manager}}, is a simple wrapper for Compiz and all of its options. For example, you can run <br />
compiz-manager <br />
and see what the console returns for more info. You can use it in all the scripts that start Compiz. Very simple!<br />
<br />
=== Using gtk-window-decorator ===<br />
<br />
In order to use gtk-window-decorator, install the package ''compiz-decorator-gtk'' and select "GTK Window Decorator" instead of "Emerald" as your window decorator in fusion-icon or whatever other program you are using to configure compiz.<br />
<br />
=== gconf: Additional Compiz Configurations ===<br />
<br />
To achieve more satisfying results from Compiz, you can tweak its config with gconf-editor:<br />
<br />
$ gconf-editor<br />
<br />
Note that compiz-core itself is no longer built with gconf support; gconf support now comes through compiz-decorator-gtk. So, you need to install it if you want to use gconf-editor to edit your Compiz configuration.<br />
The Compiz gconf configuration is located in the key <b>apps</b> > <b>compiz</b> > <b>general</b> > <b>allscreens</b> > <b>options</b>.<br />
<br />
"Active plugins" is where you specify the plugins you would like to use. Simply edit the key and add a value (refer to the key <b>apps</b> > <b>compiz</b> > <b>plugins</b> to see possible values). Plugins I’ve found useful are screenshot, png, fade, and minimize. Please do not remove those enabled by default.<br />
<br />
=== ATI R600/R700 Notes ===<br />
While using fusion-icon you shouldn't experience any problems because it takes care of everything for you, but if you are using one of the autostart methods that do not involve fusion-icon you will run into trouble. For example, when using the Xfce autostart method without fusion-icon you must edit ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml per the instructions above. However, if you follow the directions above explicitly you will find that compiz does not load. You must instead make your xfce4-session.xml file look like this:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="LIBGL_ALWAYS_INDIRECT=1"/><br />
<value type="string" value="compiz"/><br />
<value type="string" value="--sm-disable"/><br />
<value type="string" value="--ignore-desktop-hints"/><br />
<value type="string" value="ccp"/><br />
<value type="string" value="--indirect-rendering"/><br />
</property><br />
<br />
This example targeted Xfce specifically, but it can be adapted to any desktop environment. It's just a matter of figuring out how to add it to the proper config file. The key thing is the required command, which, if typed on a command line, would look like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering<br />
<br />
This is how Xfce's session manager interprets the above XML code. Notice that you do not need --replace because you are not first loading xfwm and then compiz.<br />
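The XML edits described in the XFCE sections above and in this ATI note can be scripted rather than done by hand. The following POSIX shell script is an added example; it is not part of this wiki page and not part of Compiz or Xfce. It rewrites the Client0_Command array of an xfce4-session.xml to whatever command words you pass it (the plain "compiz ccp" form, or the LIBGL_ALWAYS_INDIRECT variant above), sets SaveOnExit to false in the "general" group (adding the property if it is missing), and reads the stored command back so you can check the file before logging out. It works on a constructed sample file built inline, not on your real ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml; the function names are this example's own.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page, Compiz or Xfce): script the
# xfce4-session.xml edits instead of doing them by hand.
# Function names are this example's own.

# Write a constructed sample resembling the stock xfce4-session.xml (a sample
# for this example, not a copy of the real file under /etc/xdg).
write_sample_session_xml() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>

<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Count" type="int" value="2"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
      <property name="Client0_PerScreen" type="bool" value="false"/>
      <property name="Client1_Command" type="array">
        <value type="string" value="xfce4-panel"/>
      </property>
      <property name="Client1_PerScreen" type="bool" value="false"/>
    </property>
  </property>
</channel>
EOF
}

# Replace the Client0_Command array with one <value> per argument word.
# Usage: set_client0_command FILE compiz ccp
#        set_client0_command FILE LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering
set_client0_command() {
    file=$1; shift
    cp "$file" "$file.bak"   # keep a copy in case the session refuses to start
    vals=""
    for word in "$@"; do
        vals="$vals        <value type=\"string\" value=\"$word\"/>\n"
    done
    # Only the lines between the array's opening and closing tags are touched,
    # so the other clients (panel, settings daemon) stay as they were.
    awk -v vals="$vals" '
        /<property name="Client0_Command" type="array">/ { print; printf "%s", vals; skip = 1; next }
        skip && /<\/property>/ { skip = 0 }   # closing tag of the old array: keep it
        skip { next }                        # drop the old <value> lines (xfwm4)
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Set SaveOnExit=false in the "general" group, adding the property if it is
# missing, so logging out does not overwrite the edited Failsafe session.
disable_save_on_exit() {
    file=$1
    if grep -q 'name="SaveOnExit"' "$file"; then
        awk '/name="SaveOnExit"/ { sub(/value="[^"]*"/, "value=\"false\"") } { print }' "$file"
    else
        awk '{ print } /<property name="general" type="empty">/ { print "    <property name=\"SaveOnExit\" type=\"bool\" value=\"false\"/>" }' "$file"
    fi > "$file.tmp" && mv "$file.tmp" "$file"
}

# Print the Client0_Command as one line (e.g. "compiz ccp") for checking.
client0_command_line() {
    awk '
        /<property name="Client0_Command" type="array">/ { inarr = 1; next }
        inarr && /<\/property>/ { exit }
        inarr && match($0, /value="[^"]*"\/>/) {
            v = substr($0, RSTART + 7, RLENGTH - 10)
            if (out == "") out = v; else out = out " " v
        }
        END { print out }
    ' "$1"
}

# Print the current SaveOnExit value ("true", "false", or nothing if unset).
saveonexit_value() {
    awk '/name="SaveOnExit"/ && match($0, /value="[^"]*"/) { print substr($0, RSTART + 7, RLENGTH - 8) }' "$1"
}

# Demonstration on the constructed sample in a temporary directory.
demo_dir=$(mktemp -d)
write_sample_session_xml "$demo_dir/xfce4-session.xml"
set_client0_command "$demo_dir/xfce4-session.xml" compiz ccp
disable_save_on_exit "$demo_dir/xfce4-session.xml"
echo "Client0_Command: $(client0_command_line "$demo_dir/xfce4-session.xml")"
echo "SaveOnExit: $(saveonexit_value "$demo_dir/xfce4-session.xml")"
rm -r "$demo_dir"
```

To use it on a real per-user file, copy the file from /etc/xdg first as Method 3 above describes, then call set_client0_command and disable_save_on_exit on ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml and remove ~/.cache/sessions as before; the .bak copy lets you restore the xfwm4 entry if compiz does not come up.<br />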
<br />
== Tips and tricks ==<br />
=== Fallback ===<br />
If you are using [[KDE]], [[GNOME]] or [[XFCE]] and something is not right, for example you don’t see borders for your windows, you can switch back to the DE's default window manager with this command:<br />
<br />
''wm_name'' --replace<br />
<br />
with kwin, metacity or xfwm4 instead of ''wm_name''.<br />
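The KDE note above points out that if Compiz crashes it can be hard to recover the desktop, and this section gives the manual fallback. The launcher below is an added example, not from this wiki page or from Compiz, that performs that fallback automatically: it runs the window manager command you give it in the foreground (so, unlike "compiz ... &" followed by "wait", it sees the exit status), writes Compiz's output to a private log created with mktemp rather than a fixed, predictable path such as /tmp/compiz.log, and, if the window manager exits with an error, starts the fallback window manager with --replace. The fallback name and window manager command are passed as arguments (a real KDE launcher would call it as "run_wm_with_fallback kwin compiz --replace ccp --sm-disable", with environment variables such as LIBGL_ALWAYS_INDIRECT=1 supplied via env), so it can be tried with harmless stand-ins; the function names are this example's own.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page or Compiz): start a compositing window
# manager and fall back to the desktop's own window manager if it fails.
# Usage: run_wm_with_fallback kwin compiz --replace ccp --sm-disable
#        run_wm_with_fallback metacity env LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp
# Function names are this example's own.

# Create a log file only this user can access: under $XDG_RUNTIME_DIR when it
# is usable, otherwise under $TMPDIR or /tmp, always via mktemp so that a
# fixed name another local user could pre-create or symlink is never used.
wm_log_file() {
    dir=${XDG_RUNTIME_DIR:-${TMPDIR:-/tmp}}
    [ -d "$dir" ] && [ -w "$dir" ] || dir=/tmp
    mktemp "$dir/compiz-launcher.XXXXXX"
}

# Run "$@" as the window manager; on a non-zero exit, replace it with
# "$fallback --replace" (kwin, metacity or xfwm4, as in the Fallback section).
# Returns 0 if the window manager exited cleanly, else the fallback's status.
run_wm_with_fallback() {
    fallback=$1; shift
    log=$(wm_log_file)
    if "$@" >"$log" 2>&1; then
        return 0
    else
        status=$?   # exit status of the window manager command
    fi
    echo "$1 exited with status $status (output in $log); starting $fallback --replace" >&2
    "$fallback" --replace
}
```

In a KDEWM-style launcher the call would be the script's last line, so the script stays alive as long as the window manager does; if Compiz then dies, KWin takes over instead of leaving you without window borders or the ability to move windows.<br />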
<br />
=== Keyboard Shortcuts ===<br />
Default plugin keyboard shortcuts (plugins have to be activated!)<br />
<br />
* Switch windows = {{Keypress|Alt + Tab}}<br />
* Switch desktops on cube = {{Keypress|Ctrl + Alt + Left/Right Arrow}}<br />
* Move window = {{Keypress|Alt + left-click}}<br />
* Resize window = {{Keypress|Alt + right-click}}<br />
<br />
A more detailed list can be found under [http://wiki.compiz-fusion.org/CommonKeyboardShortcuts CommonKeyboardShortcuts] in the Compiz wiki or you can always just look at your plugin's configuration (ccsm).<br />
<br />
== Troubleshooting ==<br />
{{Out of date}}<br />
<br />
=== Missing GLX_EXT_texture_from_pixmaps ===<br />
==== On ATI cards (first solution) ====<br />
https://bbs.archlinux.org/viewtopic.php?id=50073<br />
If you run into the following error when trying to run Compiz Fusion on an ATI card:<br />
<br />
Missing GLX_EXT_texture_from_pixmap<br />
<br />
This is because Compiz Fusion's binary was compiled against Mesa's OpenGL library rather than ATI's OpenGL library (which is what you are using). Re-install libgl-dri (yes you will have to uninstall fglrx temporarily) to get Mesa's OpenGL library. <br />
<br />
Copy the library into a directory to keep it, because ATI's drivers will overwrite it. <br />
<br />
mkdir /lib/mesa<br />
cp /usr/lib/libGL.so.1.2 /lib/mesa<br />
<br />
Once you have it copied, you can reinstall your fglrx drivers (It should have been removed when you installed libgl-dri). Now you can start Compiz Fusion using the following example syntax: <br />
<br />
LD_PRELOAD=/lib/mesa/libGL.so.1.2 compiz --replace &<br />
<br />
==== On ATI cards (second solution) ====<br />
Another problem could arise with GLX_EXT_texture_from_pixmap: it is possible that the card can only render it indirectly, in which case you have to pass the option to your libgl like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp &<br />
<br />
(Workaround tested on the following card: ATI Technologies Inc Radeon R250 [Mobility FireGL 9000] (rev 02))<br />
<br />
==== On Intel chips ====<br />
First off, check that you're using the intel driver as opposed to i810. Then, run the following command to run compiz (you must use this every time):<br />
LIBGL_ALWAYS_INDIRECT=true compiz --replace --sm-disable ccp &<br />
If you then do not have borders, run<br />
emerald --replace<br />
As of 17-Oct-07 the [http://wiki.compiz-fusion.org/Troubleshooting Compiz-Fusion Wiki] states: <i>"If you are using an Intel GMA card with AIGLX, you will need to start Compiz Fusion with LIBGL_ALWAYS_INDIRECT=1 appended."</i><br />
<br />
=== Compiz starts, but no effects are visible ===<br />
If you have installed compiz-decorator-gtk:<br />
Check if the GConf schema was installed correctly: <br />
gconftool-2 -R /apps/compiz/plugins | grep plugins<br />
Make sure that all plugins are listed (not only fade!). If not, try to install the compiz schema manually (do this as a normal user, not as root!): <br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
Note: Compiz basic plugins are not enabled by default. You should enable "Move Window", "Resize Window", and "Window decoration" plugins in settings manager from fusion-icon to have a usable window manager.<br />
<br />
=== Compiz starts, but gtk-window-decorator does not ===<br />
It is a configuration problem for gconf and gconfd. I solved it by removing ".gconf" dir in my home, but I'm using KDE. If you are using Gnome you should enter your ".gconf" directory and remove all compiz keys. This will erase your compiz settings, so be sure to reconfigure.<br />
Finally exec as user:<br />
<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
=== Compiz appears to start, but there are no window borders ===<br />
When you run fusion-icon from commandline, you get output like this:<br />
<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING<br />
* Using the GTK Interface<br />
* Metacity is already running<br />
* Setting window manager to Compiz<br />
... executing: compiz --replace --sm-disable --ignore-desktop-hints ccp<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
<br />
All you need to do is edit your {{Ic|/etc/X11/xorg.conf}} and find the "Depth" directive inside the "Screen" section; change all occurrences of this value to 24. This occurred to me with my colour depth set to 16; but also happens when it is set to 32.<br />
<br />
----<br />
<br />
You may also try adding ''Option "AddARGBGLXVisuals" "True"'' and ''Option "DisableGLXRootClipping" "True"'' to your "Screen" section if you are using the Nvidia binary driver. (Radeon and the open 'nv' driver will not work with this option as far as I can tell.) If you used any other Options elsewhere in {{Ic|xorg.conf}} to get compiz working and still have no luck, try commenting them out and using only the aforementioned AddARGBGLXVisuals and DisableGLXRootClipping options.<br />
<br />
'''Note''': Check that "Window decoration", "Move" and "Resize" plugins are enabled with Compiz Settings Manager or gconf-editor.<br />
<br />
With gconf-editor you can easily enable the "Window decoration", "Move" and "Resize" plugins.<br />
<br />
$ gconf-editor<br />
<br />
Navigate to apps/compiz/general/allscreens/options<br />
<br />
Add/Edit "active_plugins" Key (Name: active_plugins, Type: List, List type: String).<br />
<br />
Add "decoration", "move", and "resize" to the list.<br />
<br />
----<br />
<br />
'''Another way to fix this''':<br />
* Launch '''ccsm'''.<br />
* Find '''Window Decoration''' and make sure it is enabled.<br />
* Now click on it, to edit the options.<br />
* If the entry behind '''command''' is empty, put the value '''gtk-window-decorator''' there.<br />
** Alternatives are '''kde-window-decorator''' and '''emerald'''<br />
* Click '''Back''' and '''Close'''<br />
* If all went well, the borders should appear.<br />
<br />
=== Compiz starts and borders appear, but windows won't move ===<br />
Be sure you have the "Move Window" plugin installed and enabled in the compiz settings manager.<br />
<br />
=== Blank screen on resume from suspend-to-ram using the Nvidia binary drivers ===<br />
If you receive a blank screen with a responsive cursor upon resume, try disabling sync to vblank:<br />
<br />
gconftool-2 -s /apps/compiz/general/screen0/options/sync_to_vblank -t boolean false<br />
<br />
=== fusion-icon doesn't start ===<br />
If you get an output like this from the command line:<br />
[andy@andylaptop ~]$ fusion-icon<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
Traceback (most recent call last):<br />
File "/usr/bin/fusion-icon", line 57, in <module><br />
from FusionIcon.interface import choose_interface<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/interface.py", line 23, in <module><br />
import start<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/start.py", line 36, in <module><br />
config.check()<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/util.py", line 362, in check<br />
os.makedirs(self.config_folder)<br />
File "/usr/lib/python2.5/os.py", line 172, in makedirs<br />
mkdir(name, mode)<br />
OSError: [Errno 13] Permission denied: '/home/andy/.config/compiz'<br />
<br />
the problem is the ownership of {{Ic|~/.config/compiz}}: the directory is owned by root rather than by you (typically because fusion-icon or ccsm was started as root at some point and created it), so your user cannot create files in it. To fix this, run as root:<br />
chown -R <username> /home/<username>/.config/compiz<br />
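The traceback above is the symptom; the underlying condition is a root-owned entry inside a user's home. The following shell functions are an added example, not part of this wiki page, that locate every such entry under a directory and hand it back to the user. The directory and the uid/gid are arguments supplied by the caller; the /home/andy paths in the usage comment are taken from the traceback above.<br />

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): report and repair entries
# under a directory that are not owned by the user who should own it.
# This is the condition behind the "Permission denied" traceback above.
# Arguments (directory, uid, gid) are whatever the caller passes in.

# Print every path under $1 whose owner uid differs from $2.
# Returns 0 when the tree is clean, 1 when foreign-owned entries exist.
find_foreign_owned() {
    dir="$1"
    uid="$2"
    found=$(find "$dir" ! -uid "$uid" 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Give every entry under $1 to uid:gid $2:$3. Needs root when any entry
# currently belongs to someone else. Only the entries that find reports
# are touched, so a clean tree is left alone (and symlinks are not followed).
repair_ownership() {
    dir="$1"
    uid="$2"
    gid="$3"
    find "$dir" ! -uid "$uid" -exec chown -h "$uid:$gid" {} +
}

# Typical use for the case in the traceback above (repair step as root):
#   find_foreign_owned /home/andy/.config "$(id -u andy)"
#   repair_ownership /home/andy/.config "$(id -u andy)" "$(id -g andy)"
```

Run the check as the affected user first (reading your own home needs no privileges), and run the repair as root only on the directory it reported; a blanket <code>chown -R</code> of the whole home would also silently re-own files you may have deliberately given to another user or group.<br />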
<br />
=== Choppy animations, even though everything configured correctly ===<br />
If everything is configured correctly but you still have poor performance on some effects, try disabling CCSM->General Options->Display Settings->"Detect Refresh Rate" and choose a value manually instead. Tested on both nvidia and intel chips; it can work wonders.<br />
<br />
Alternatively, if your chip is nvidia and you are experiencing an inadequate refresh rate with "Detect Refresh Rate" enabled in Compiz, it is likely due to an option called DynamicTwinView, which is enabled by default and interferes with accurate reporting of the maximum refresh rate that your card and display support. You can disable DynamicTwinView by adding the following line to the "Device" or "Screen" section of your xorg.conf file, and then restarting your computer:<br />
<br />
Option "DynamicTwinView" "False"<br />
<br />
Doing so will allow XrandR to accurately report the refresh rate to anything that detects it, including Compiz. You should be able to leave "Detect Refresh Rate" enabled and get excellent performance. Once again, this only applies to nvidia chips.<br />
<br />
=== Fix Gnome Screenshot ===<br />
To re-enable gnome-screenshot (the default {{Keypress|PrtScn}} behavior), simply go to Settings Manager > Commands and map 'gnome-screenshot' to the 'PrtScn' key. This is advantageous because you can also use the Compiz-Fusion 'Screenshot' plugin at the same time, since the action that enables it is <Super>Button1, thereby giving you two methods to do a screen capture (one of which gives a full screen capture in a single keystroke).<br />
<br />
=== Get GNOME Workspace Switcher work with Compiz-Fusion ===<br />
In older versions of Compiz, the GNOME Workspace Switcher applet would actually work with Compiz-Fusion (i.e. rotate cube/move plane etc.), but recent versions seem not to. This is due to a new feature introduced in Compiz, which allows real separate workspaces. For example, if you have a desktop plane with four viewports, and have four desktops enabled in GNOME, it adds up to a total of 16 different workspaces. Currently, there is no animation associated with "real" workspace changing. To get the Workspace Switcher to work, do the following:<br />
<br />
In GConf, set the following options:<br />
<br />
/apps/compiz/general/screen0/options/number_of_desktops = '''1'''<br />
/apps/compiz/general/screen0/options/hsize = 4 (this is an example)<br />
/apps/compiz/general/screen0/options/vsize = 1 (this is an example)<br />
<br />
=== Screen flicks with NVIDIA card ===<br />
To fix it, create the file /etc/modprobe.d/nvidia.conf and add the line:<br />
options nvidia NVreg_RegistryDwords="PerfLevelSrc=0x2222"<br />
<br />
=== Fix Custom Cursor Theme on Gnome 2.30 ===<br />
Create or edit /usr/share/icons/default/index.theme for the default, or per user '''(non-root)''' ~/.icons/default/index.theme, and add these lines:<br />
<br />
[Icon Theme]<br />
#Name=''foo''<br />
Name=''foo''<br />
#Inherits=''foo''<br />
Inherits=''foo''<br />
[Desktop Entry]<br />
Name[en_US]=index.theme<br />
<br />
"Foo" is the name of the cursor theme.<br />
<br />
=== Screen artifacts on Firefox / Thunderbird ===<br />
{{Note|Although this issue is not strictly related to Compiz, it has been added here due to the popular misconception that Compiz itself may be the cause.}}<br />
<br />
Some users noticed a strange behavior with AMD/ATI Catalyst drivers starting from the 10.6 release. Artifacts are visible mainly with Mozilla applications, where the GUI shows black spots of variable size. This is caused by the different 2D acceleration technique introduced with Catalyst 10.6.<br />
The problem can be fixed by following the troubleshooting steps on the [[ATI_Catalyst#Black.2Fgrey.2Fwhite_boxes.2Fartifacts_mainly_in_firefox.2Fthunderbird|ATI Catalyst page]].<br />
<br />
=== Setting the window manager back to Metacity after uninstall ===<br />
Removing compiz with pacman does not set your window manager back to metacity. This can result in no window borders being drawn, an inability to minimize, and an inability to change the focus. To change it back, run the command "gconf-editor" in the terminal (install it if you do not have it already). Use this to set the value of the key {{Ic|/desktop/gnome/session/required_components/window_manager}} from "compiz" to "metacity". Log out and back in for this change to take effect.<br />
<br />
=== Context menu in applications (firefox, ...?) disappears on mouseover ===<br />
Try disabling "focus stealing prevention" (general options).<br />
<br />
=== External notes ===<br />
[http://wiki.compiz.org/Troubleshooting Troubleshooting page] on compiz.org<br />
<br />
== See also ==<br />
*[http://compiz.org Compiz Website] -- including wiki and forum</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Compiz&diff=256298Compiz2013-05-07T09:41:24Z<p>Jrussell: /* Xfce autostart (without "fusion-icon") */</p>
<hr />
<div>[[Category:Eye candy]]<br />
[[Category:Stacking WMs]]<br />
[[el:Compiz]]<br />
[[es:Compiz]]<br />
[[it:Compiz]]<br />
[[ja:Compiz]]<br />
[[pl:Compiz]]<br />
[[pt:Compiz]]<br />
[[ru:Compiz]]<br />
[[tr:Compiz]]<br />
[[zh-CN:Compiz]]<br />
{{Article summary start}}<br />
{{Article summary wiki|Compiz Configuration}}<br />
{{Article summary wiki|AIGLX}}<br />
{{Article summary wiki|Composite}}<br />
{{Article summary wiki|Xcompmgr}}<br />
{{Article summary wiki|Cairo Compmgr}}<br />
{{Article summary end}}<br />
<br />
Compiz is a [[Wikipedia:Compositing window manager|compositing window manager]] and ships its own window decorator, [[Emerald]]. Because it is a window manager itself, it cannot be used simultaneously with other window managers such as [[Openbox]], [[Fluxbox]], or [[Enlightenment]]. Users who want to keep their current window manager and add some effects to it may wish to try [[Xcompmgr]] instead.<br />
<br />
== Requirements ==<br />
Users of major [[DE]]s can make good use of {{Pkg|compiz-manager}}, which performs a brief requirements check and switches to a fallback WM in case of errors. Setup and hardware issues can also be discovered with the {{AUR|compiz-check}} script (available in the [[AUR]]).<br />
<br />
== Installation ==<br />
All compiz packages, available in [[official repositories]], can be [[pacman|installed]] with group {{Grp|compiz-fusion}}.<br />
<br />
For those who do not want to install EVERYTHING there are also groups {{Grp|compiz-fusion-gtk}} and {{Grp|compiz-fusion-kde}} for [[Gnome]] or [[KDE]] correspondingly.<br />
<br />
Users who wish to select the packages individually may start with {{Pkg|compiz-core}} and one of [[#Decorators|decorators]].<br />
{{Note|Without a configured window decorator, windows will have no borders or title bars, which makes your [[X]] workspace hard to use.}}<br />
<br />
=== Initial configuration ===<br />
While the appearance of the windows and their contents is a function of [[GTK+]] and [[Qt]], the frames around the windows are controlled by the Window Decoration plugin. To use it, make sure you have a window decorator installed. Depending on what packages you have downloaded you can choose among several window decorators. The most common ones are Emerald, kde-window-decorator, and gtk-window-decorator. The emerald decorator has the advantage that it fits better to compiz's screen handling and offers transparency effects. To set your default window decorator, enter the following command string in the "Window Decoration" plugin's settings under the field "Command".<br />
To set emerald as your default window-decorator type:<br />
emerald --replace<br />
To set the kde-window-decorator as an alternative to Emerald type:<br />
kde4-window-decorator --replace<br />
To set the compiz-decorator-gtk as an alternative to Emerald type:<br />
gtk-window-decorator --replace<br />
<br />
{{Box RED|Activate important plugins!|<br />
It is very likely that you will want to activate a few plugins that provide basic window manager behavior; otherwise you will have no ability to drag, scale or close any windows as soon as compiz is activated. Among those plugins are "Window Decoration" under Effects and "Move Window" & "Resize Window" under Window Management. Ccsm may be used to achieve this.<br />
Launch CompizConfig Settings Manager:<br />
$ ccsm<br />
Simply put check marks next to those plugins to activate them.}}<br />
<br />
== Additional software ==<br />
=== Decorators ===<br />
* {{App|[[Emerald]]|Compiz's own window decorator with few dependencies. (Note: Works but is buggy and no longer maintained)|http://www.compiz.org|{{Pkg|emerald}}}}<br />
* {{Pkg|compiz-decorator-gtk}} and {{Pkg|compiz-decorator-kde}} &ndash; alternatives to Emerald, using your desktop environment's configuration backends and looks<br />
=== Other ===<br />
* {{Pkg|ccsm}} (CompizConfig settings manager) &ndash; GUI application that lets you configure all of Compiz's plugins<br />
* {{Pkg|fusion-icon}} &ndash; offers a tray icon and a nice way to start compiz, start ccsm and change the WM / Window Decorator<br />
* [https://aur.archlinux.org/packages.php?K=compiz Lots of quickly dying packages in AUR]<br />
<br />
== Starting Compiz Fusion ==<br />
<br />
=== Manually (with "fusion-icon") ===<br />
<br />
Launch the Compiz Fusion tray icon:<br />
$ fusion-icon<br />
<br />
{{Note|If it fails (almost never), you may try it with dbus-launch:<br />
{{bc|$ dbus-launch "fusion-icon"}}}}<br />
Right click on the icon in the panel and go to 'select window manager'. Choose "Compiz" if it isn't selected already, and you should be set.<br />
<br />
If this fails you can start compiz-fusion by using the following additional command to replace your default window decorator with Compiz's window decorator (Emerald):<br />
$ emerald --replace<br />
<br />
'''Again, note:''' If you want to use compiz window decorations make sure you have the "Window Decoration" plugin marked in the compiz settings through ccsm.<br />
<br />
=== Manually (without "fusion-icon") ===<br />
<br />
Launch Compiz with the following command (which replaces your current window manager):<br />
$ compiz --replace ccp &<br />
<br />
A quick overview over common compiz command-line options:<br />
*--indirect-rendering: use indirect-rendering (AIGLX)<br />
*--loose-binding: can help performance issues (nVidia?)<br />
*--replace: replace current window-manager<br />
*--keep-window-hints: keep the gnome window-manager gconf-settings for available viewports, ...<br />
*--sm-disable: disable session-management<br />
*ccp: the "ccp" command loads the last configured settings from ccsm (CompizConfig Settings Manager) otherwise Compiz will load with no settings and you won't be able to do anything with your windows like dragging, maximizing/minimizing, or moving.<br />
<br />
=== KDE4 ===<br />
{{Note| The first and last methods will load Compiz-Fusion as the default window manager instead of KWin. This is faster than loading Compiz with 'fusion-icon' because it avoids loading two window managers at startup. This also prevents that annoying black screen flicker you might see using other methods (when KWin switches to Compiz on KDE's desktop loading screens). The downside is that if Compiz crashes, it may be more difficult to recover your desktop}}<br />
<br />
==== Use System Settings (easiest)====<br />
Go to: ''System Settings'' --> ''Default Applications'' --> ''Window Manager'' --> ''Use a different window manager''<br />
<br />
'''''If''''' you need to run compiz with custom options, select "Compiz custom" (when you run <code>fusion-icon</code> from a terminal you can see the command line with which compiz was started).<br />
Create a file called "compiz-kde-launcher" in <code>/usr/bin</code>. Then make the file executable: <code>chmod +x /usr/bin/compiz-kde-launcher</code>.<br />
<br />
For example:<br />
#!/bin/bash<br />
# the variable must be exported, otherwise compiz never sees it<br />
export LIBGL_ALWAYS_INDIRECT=1<br />
compiz --replace ccp &<br />
wait<br />
<br />
==== Autostart with "fusion-icon" ====<br />
<br />
Add a symbolic link, that points to the fusion-icon executable, in your KDE Autostart directory:<br />
$ ln -s /usr/bin/fusion-icon ~/.kde4/Autostart/fusion-icon<br />
<br />
Next time KDE is started, it will load fusion-icon automatically.<br />
<br />
==== Autostart Link without "fusion-icon" ====<br />
<br />
{{Warning|DO NOT create compiz.desktop if you intend to install compiz-decorator-gtk; it will create a file conflict.}}<br />
<br />
* Append a desktop entry in the KDE Autostart directory. If it doesn't already exist (it should), create the file {{ic|~/.kde4/Autostart/compiz.desktop}} with the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp --replace<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you may have to add "--replace" and/or "ccp" to the Exec variable. Without "--replace", Compiz won't load since it will detect another window manager already loaded. Without "ccp", Compiz will not load any of the settings and plugins that you have enabled through CompizConfig Settings Manager (ccsm) and you won't be able to manipulate any of your windows.}}<br />
<br />
* If you want to use the optional {{ic|fusion-icon}} application, launch ''fusion-icon''. If you log out normally with ''fusion-icon'' running, KDE should restore your session and launch ''fusion-icon'' the next time you log in if this setting is enabled. If it doesn't appear to be working, ensure you have the following line in {{ic|~/.kde4/share/config/ksmserverrc}}:<br />
<br />
loginMode=restorePreviousLogout<br />
{{Note| This is a KDE specific setting that will allow you to restore other apps next time you log in, not just fusion-icon.}}<br />
<br />
==== Export KDEWM without "fusion-icon" (preferred) ====<br />
<br />
As root, create a short script by running the following in your terminal. This allows compiz to be loaded with its switches, because doing it directly via {{ic|1=export KDEWM="compiz --replace ccp --sm-disable"}} does not seem to work.<br />
# printf '%s\n' '#!/bin/sh' 'compiz --replace ccp --sm-disable &' > /usr/bin/compiz-fusion<br />
<br />
{{Note| If this line doesn't work, make sure the "fusion-icon" package is installed and then use this line instead:<br />
# printf '%s\n' '#!/bin/sh' 'fusion-icon &' > /usr/bin/compiz-fusion<br />
Be sure to complete the whole method before trying this substitute.}}<br />
<br />
Ensure that {{ic|/usr/bin/compiz-fusion}} is executable and not writable by other users; every KDE session that selects it will run whatever it contains.<br />
# chmod 755 /usr/bin/compiz-fusion<br />
<br />
Choose one of the following:<br />
<br />
:1) Compiz for your user only --> Edit the file {{ic|~/.kde4/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
:2) Compiz system wide --> Edit the file {{ic|/etc/kde/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
{{Note| If that still doesn't work, yet another alternate way to accomplish the above method is to include the line<br />
{{bc|1=export KDEWM="compiz-fusion"}}<br />
in your user's {{ic|~/.bashrc}} file.}}<br />
{{Note| If you optionally use the {{ic|/usr/local/bin}} directory it may not work. In that case you should export the script including the whole path:<br />
{{bc|1=export KDEWM="/usr/local/bin/compiz-fusion"}}}}<br />
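The wrapper created above, like compiz-kde-launcher and compiz-start-boot elsewhere on this page, is a script on the system PATH that every login session of every user will execute. As an added example that is not from this page, the following shell functions create it through a temporary file with mode 0755 and a shebang, and check an existing wrapper for the two defects that matter: a missing shebang and write permission for group or others. The destination path is whatever the caller passes; the compiz command line is the one from the section above.<br />

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): install the KDEWM wrapper
# as a root-owned, non-writable-by-others script, and audit one before
# pointing KDEWM at it. The destination path is supplied by the caller.

# Write the wrapper to $1 with mode 0755. The content is staged in a
# temp file so a half-written script is never visible on PATH.
install_wm_wrapper() {
    dest="$1"
    tmp=$(mktemp) || return 1
    printf '%s\n' '#!/bin/sh' 'compiz --replace ccp --sm-disable &' > "$tmp"
    install -m 0755 "$tmp" "$dest"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Return 0 only if $1 exists, starts with a shebang and is not writable by
# group or others; print the reason and return 1 otherwise.
check_wm_wrapper() {
    f="$1"
    [ -f "$f" ] || { echo "$f: missing"; return 1; }
    case $(head -c 2 "$f") in
        '#!') ;;
        *) echo "$f: no shebang line"; return 1 ;;
    esac
    # ls -ld prints e.g. -rwxr-xr-x; character 6 is the group write bit
    # and character 9 the other write bit. cut drops any ACL/SELinux marker.
    mode=$(ls -ld "$f" | cut -c1-10)
    case $mode in
        ?????w*|????????w?)
            echo "$f: writable by group or others ($mode)"
            return 1 ;;
    esac
    return 0
}

# Typical use (install step as root):
#   install_wm_wrapper /usr/bin/compiz-fusion
#   check_wm_wrapper /usr/bin/compiz-fusion
```

Run install_wm_wrapper as root with /usr/bin/compiz-fusion as the argument; check_wm_wrapper can run as any user and is worth running before setting KDEWM to a script that somebody else left on the system.<br />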
<br />
=== GNOME ===<br />
If you have installed [[GNOME3]] with gnome-shell, either enable forced Fallback Mode (System Info > Graphics) or simply uninstall gnome-shell.<br />
{{Note|Fallback Mode is not necessary if you choose the Compiz/Cairo-Dock session method below.}}<br />
<br />
==== Alternate Session for GNOME (Preferred Method for Experienced Compiz/Dock Users) ====<br />
The {{AUR|gnome-session-compiz}} package can be used to add an additional menu entry in the GNOME session login dialog. This method does not require forced fallback mode or modifications to sensitive system files/settings. Also, you can switch between GNOME Shell and Compiz/Cairo-Dock between sessions. If you can't get it working, you can always go back to your original GNOME session.<br />
<br />
For this method to work, Compiz and Cairo-Dock (Taskbar/Panel) may have to be [[#Configuration|configured initially]] for fresh accounts, from another working session (ccsm in GNOME Shell worked fine for me).<br />
<br />
This method completely replaces the GNOME's window manager and panel (they are not launched at all, rather than being replaced or killed later). So, before actually switching to this alternate session, you may want to configure corresponding/alternate features of the original panel application in Cairo-Dock:<br />
* Add Application Menu icon to Cairo-Dock and remember its key-bindings.<br />
* Remap Application Menu key-bindings to ALT+F1 and ALT+F2, for convenience.<br />
* Add Clock, WiFi, NetSpeed icons to the dock as applicable.<br />
* Add Log-out icon:<br />
** Set the command for logout to "gnome-session-quit --logout"<br />
** Set the command for shutdown to "gnome-session-quit --power-off"<br />
* Add the Notification Area Old (systray) icon to Cairo-Dock.<br />
<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
This method makes use of the [http://standards.freedesktop.org/desktop-entry-spec/latest/ Desktop Entry Specification] to specify a Compiz desktop entry, and of the GConf default window manager setting. Thanks to the desktop entry you should be able to select Compiz as a window manager from GDM.<br />
<br />
'''1)''' If the following file doesn't already exist (it should), create {{ic|/usr/share/applications/compiz.desktop}} containing the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
# Make sure ccp is included so that Compiz loads your previous settings.<br />
Exec=/usr/bin/compiz ccp<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
# the following line causes a gnome-session warning and slow startup, so leave it disabled<br />
# X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you must make sure that the "ccp" is included in the Exec variable. Having "ccp" included simply tells Compiz to load your previous settings, otherwise you won't have any functionality.}}<br />
<br />
If the above doesn't work (in most cases it does), for example if you notice some issues with windows refreshing or low performance, try:<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp --indirect-rendering}}<br />
<br />
or<br />
<br />
{{bc|1=Exec=/usr/bin/compiz --replace --sm-disable --ignore-desktop-hints ccp --indirect-rendering}}<br />
<br />
Instead of<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp}}<br />
<br />
Some users noticed a "lag" of 4-10 seconds when logging in from a login manager. The solution is to change the command to:<br />
{{bc|1=Exec=bash -c 'compiz ccp decoration --sm-client-id $DESKTOP_AUTOSTART_ID'}}<br />
as noted [https://bbs.archlinux.org/viewtopic.php?pid=655237#p655237 in the forum]. You can also add the extra parameters as described above if needed.<br />
<br />
'''2)''' Set some GConf parameters using the gconftool-2 command in a terminal window or do it visually with Configuration Editor (gconf-editor). The following outlines using the command line method, but you can also see which keys to change using gconf-editor:<br />
<br />
{{Note| Since those parameters apply to a given user, you '''must''' log out of the root account and log in as that user before proceeding with the next steps. GConf will fail if called from a root account.}}<br />
<br />
gconftool-2 --set -t string /desktop/gnome/session/required_components/windowmanager compiz<br />
<br />
The following are optional and in most cases not necessary (the respective keys have been deprecated since GNOME 2.12). But in any case, if the above did not succeed, the next two statements are still valid and should be tried.<br />
<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/current /usr/bin/compiz<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/default /usr/bin/compiz<br />
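A compiz.desktop that lacks ccp, or that carries an inline comment on its Exec= line, starts compiz without the plugins you configured in ccsm. The Desktop Entry Specification treats only whole lines beginning with # as comments, and only keys inside the [Desktop Entry] group count. The following shell functions are an added example, not from this page, that read the Exec value the way a session manager would and flag both mistakes; this applies equally to the ~/.kde4/Autostart/compiz.desktop shown in the KDE section. The file path is supplied by the caller.<br />

```shell
#!/bin/sh
# Added example (not from the Arch Wiki page): extract the Exec= value of a
# .desktop file and check that it will load compiz with the ccp plugin.
# The file path is supplied by the caller.

# Print the Exec value from the [Desktop Entry] group of $1 only; keys in
# other groups and whole-line # comments are ignored, as the spec requires.
desktop_exec() {
    awk -F= '
        /^\[/ { in_group = ($0 == "[Desktop Entry]"); next }
        in_group && $1 == "Exec" { sub(/^Exec=/, ""); print; exit }
    ' "$1"
}

# Return 0 if the Exec line loads ccp and has no stray # (which would be
# passed to compiz as arguments, not treated as a comment); otherwise print
# the reason and return 1.
check_compiz_exec() {
    cmd=$(desktop_exec "$1")
    case " $cmd " in
        *'#'*)
            echo "$1: Exec contains '#'; .desktop files only allow whole-line comments"
            return 1 ;;
    esac
    case " $cmd " in
        *' ccp '*) return 0 ;;
    esac
    echo "$1: Exec does not load ccp; compiz will start without your settings"
    return 1
}

# Typical use:
#   check_compiz_exec /usr/share/applications/compiz.desktop
```

Run check_compiz_exec against the file you actually edited; a stale copy in ~/.kde4/Autostart or ~/.config/autostart takes precedence over the system-wide one and is a common reason the fix "does not take".<br />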
<br />
==== Autostart (without "fusion-icon") (With gnome3 fallback mode session) ====<br />
Edit file {{ic|/usr/share/gnome-session/sessions/gnome-fallback.session}}:<br />
<br />
Replace your window manager (gnome-shell, metacity...) with ''compiz'' in the '''RequiredComponents''' line.<br />
<br />
Change ''DefaultProvider-windowmanager'' line to ''DefaultProvider-windowmanager=compiz''<br />
<br />
Here is part of my {{ic|gnome-fallback.session}}:<br />
<br />
{{bc|1=<br />
RequiredComponents=compiz;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=compiz<br />
DefaultProvider-notifications=notification-daemon<br />
}}<br />
<br />
{{Note| I took out gnome-panel as I am using avant-window-navigator as my panel.<br />
I am using gnome3 fallback mode with compiz, make gtk-window-decorator start with compiz, and make avant-window-navigator start automatically.}}<br />
<br />
==== Autostart (without "fusion-icon", Gnome prior to 2.24) ====<br />
This is a way that works if you use GDM (and I'd assume KDM too).<br />
<br />
Make a file called /usr/local/bin/compiz-start-boot with the contents:<br />
#!/bin/bash<br />
export WINDOW_MANAGER="compiz ccp"<br />
exec gnome-session<br />
<br />
and make it executable ({{ic|chmod +x /usr/local/bin/compiz-start-boot}}). Next create the file {{ic|/etc/X11/sessions/Compiz.desktop}} containing the following:<br />
[Desktop Entry]<br />
Version=1.0<br />
Encoding=UTF-8<br />
Name=Compiz on GNOME<br />
Exec=/usr/local/bin/compiz-start-boot<br />
Icon=<br />
Type=Application<br />
<br />
Select Compiz on Gnome as your session and you're good to go.<br />
<br />
==== Autostart (with "fusion-icon") ====<br />
To start Compiz fusion automatically when starting a session go to System > Preferences > Startup Applications. In the Startup Programs tab, click the Add button.<br />
<br />
You will now see the Add Startup Program dialogue. Fill it in as follows.<br />
<br />
Name:<br />
Compiz Fusion<br />
Command:<br />
fusion-icon<br />
Comment: (Put anything you like or leave blank.)<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
When you're done hit the Add button. You should now see your startup program in the list in the Startup Programs tab. It must be checked to be enabled. You can uncheck it to disable Compiz on startup and switch back to Metacity.<br />
<br />
You may also need to use the gconftool-2 command in a terminal window to set the following parameter, otherwise fusion-icon might not load the windows decorator.<br />
gconftool-2 --type bool --set /apps/metacity/general/compositing_manager false<br />
<br />
{{Note| This method will be slower due to the fact that GNOME will first load the default window manager (Metacity), then launch fusion-icon, which will load the Compiz window manager to replace Metacity. Essentially, it will take the amount of time that it takes to load two window managers to get Compiz loaded. The first method is preferred and eliminates this issue.}}<br />
<br />
=== Mate Desktop ===<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
As with GNOME, create a compiz.desktop file (see [[Compiz#Autostart_.28without_.22fusion-icon.22.29_.28Preferred_Method.29]]), then set Compiz as the default window manager:<br />
* on Mate prior to 1.6, edit the following mateconf entries (note: the last two are deprecated values):<br />
mateconftool-2 --set -t string /desktop/mate/session/required_components/windowmanager compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/current /usr/bin/compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/default /usr/bin/compiz<br />
<br />
* on Mate 1.6 and higher, edit the following gsettings value<br />
gsettings set org.mate.session.required-components windowmanager compiz<br />
<br />
=== XFCE ===<br />
==== Xfce autostart (without "fusion-icon") ====<br />
This method will start Compiz directly through the XFCE session manager without loading Xfwm.<br />
<br />
Please note the change to XML config files in XFCE versions newer than 4.2.<br />
<br />
To install the session manager, install {{Pkg|xfce4-session}}.<br />
<br />
Now we have to configure the default/failsafe session of XFCE.<br />
<br />
Edit the {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}} or (to make the change for all XFCE users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Replace the xfwm startup command,<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="xfwm4"/><br />
</property><br />
<br />
with the following:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="compiz"/><br />
<value type="string" value="ccp"/><br />
</property><br />
<br />
{{Note| the ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
To prevent the default session from being overwritten you may also add this:<br />
<br />
<property name="general" type="empty"><br />
...<br />
...<br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
To remove the existing sessions, run:<br />
$ rm -r ~/.cache/sessions<br />
<br />
==== Xfce autostart (with "fusion-icon") ====<br />
=====Method 1:=====<br />
{{Note| This method is the least preferred since it loads both window managers. All the other XFCE methods only load Compiz without loading Xfwm.}}<br />
This will load Xfwm first then replace it with Compiz.<br />
<br />
Open the XFCE Settings Manager & then Sessions & Startup. Click the Application Autostart tab.<br />
<br />
Add<br />
(Name:) Compiz Fusion<br />
<br />
(Command:) fusion-icon<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
=====Method 2:=====<br />
Edit the following file (settings in this file take precedence):<br />
$ nano ~/.config/xfce4-session/xfce4-session.rc<br />
<br />
Or to make the change for all XFCE users (root access required)<br />
# nano /etc/xdg/xfce4-session/xfce4-session.rc<br />
<br />
Add the following<br />
[Failsafe Session]<br />
Client0_Command=fusion-icon<br />
<br />
Comment out Client0_Command=xfwm4 if it exists.<br />
<br />
This will cause xfce to load Compiz instead of Xfwm when the user has no existing sessions.<br />
<br />
To prevent the default session from being overwritten you may also add<br />
[General]<br />
AutoSave=false<br />
SaveOnExit=false<br />
<br />
To remove the existing sessions<br />
rm -R ~/.cache/sessions<br />
<br />
=====Method 3:=====<br />
Check if this file exists:<br />
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
If not do:<br />
cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
and edit {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}<br />
<br />
or (to make the changes for all xfce4 users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Edit Client0_Command so that it looks like this:<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="fusion-icon"/><br />
<value type="string" value="--force-compiz"/><br />
</property><br />
if '''--force-compiz''' doesn't work use '''compiz --replace --sm-disable --ignore-desktop-hints ccp''' instead.<br />
<br />
Add the '''SaveOnExit property''' if missing and set it to '''false''':<br />
<property name="general" type="empty"><br />
<property name="FailsafeSessionName" type="string" value="Failsafe"/><br />
<property name="SessionName" type="string" value="Default"/><br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
finally remove old xfce4 sessions:<br />
rm -r ~/.cache/sessions<br />
<br />
Now xfce4 will load compiz instead of Xfwm.<br />
<br />
=== As a Standalone Window Manager ===<br />
The package compiz-core by itself is sufficient to start using compiz-fusion. However, ccsm and emerald (or another window decorator) are highly recommended additional packages. You may install fusion-icon, compiz-fusion-plugins-main, compiz-fusion-plugins-extra or any other package later on at any time.<br />
<br />
To autostart compiz-fusion configure .xinitrc to launch compiz as:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec compiz ccp<br />
</nowiki>}}<br />
You can also add other [[Compiz_fusion#Manually_.28without_.22fusion-icon.22.29|command-line options]] to your .xinitrc<br />
<br />
Or if using fusion-icon, configure .xinitrc as<br />
{{hc|~/.xinitrc|<nowiki><br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
However, chances are you will need additional applications (e.g. a panel) for optimal usability. To autostart such applications simply add them to your .xinitrc as:<br />
{{hc|~/.xinitrc|<nowiki><br />
tint2 &<br />
cairo-dock &<br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
{{Note| Add a terminal-emulator to this autostart list while starting for the first time to help [[Compiz_fusion#Configuration|configure]] compiz.}} <br />
<br />
An alternative method, utilizing a simple script entitled '''start-fusion.sh''':<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
# Add more applications here if necessary, or start another panel/tray such as pypanel, bmpanel or stalonetray.<br />
xfce4-panel &<br />
# fusion-icon becomes the session process: when it exits, the X session ends.<br />
exec fusion-icon<br />
</nowiki>}}<br />
If this script doesn't work for you, or you have issues with '''dbus''', use this script instead. Note that it starts its own X server, so it is run from a virtual console rather than from an already running X session:<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
cd "${HOME}"<br />
# Start a session D-Bus instance and export its address into this shell; it exits with the session.<br />
eval "$(dbus-launch --sh-syntax --exit-with-session)"<br />
# -nolisten tcp keeps the X server from accepting remote connections on TCP port 6000.<br />
/usr/bin/X :0.0 -br -audit 0 -nolisten tcp vt7 &<br />
export DISPLAY=:0.0<br />
sleep 1<br />
compiz-manager decoration move resize > /tmp/compiz.log 2>&1 &<br />
# Add more applications here if necessary, or start another panel/tray such as pypanel, bmpanel or stalonetray.<br />
xfce4-panel &<br />
fusion-icon<br />
</nowiki>}}<br />
Make it executable<br />
<br />
chmod +x start-fusion.sh<br />
<br />
For the first variant, add it to .xinitrc like this:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec /path/to/file/start-fusion.sh<br />
</nowiki>}}<br />
<br />
Feel free to use a different panel, tray, or start a whole bunch of applications with your session.<br />
See [https://bbs.archlinux.org/viewtopic.php?id=51282 this forum thread] for more info.<br />
<br />
{{Note | Using a separate script instead of running everything from xinitrc is the only way to let all launching applications use ConsoleKit: see [[ConsoleKit#Running_several_applications_from_.7E.2F.xinitrc|this article]].}}<br />
<br />
==== Add a root menu ====<br />
To add a root menu similar to that in Openbox, Fluxbox, Blackbox etc. you must install the package {{AUR|compiz-deskmenu}}.<br />
Upon a restart of Compiz-Fusion, you should be able to middle click on your desktop to launch the menu.<br />
<br />
If it does not automatically work, enter the CompizConfig Settings Manager, and in Commands tab, within the General Settings menu, ensure that there is a command to launch Compiz-Deskmenu, and the appropriate key binding is set to Control+Space.<br />
<br />
If it still does not work, enter the Viewport Switcher menu, and change "Plugin for initiate action" to core (NOTE: for versions 0.8.2+ it's 'commands' instead of 'core'), and "Action name for initiate" to run_command0_key.<br />
<br />
An alternative is to use [https://aur.archlinux.org/packages.php?ID=29564 mygtkmenu], also in [[AUR]].<br />
<br />
==== Allow users to shutdown/reboot ====<br />
Refer to [[Allow_Users_to_Shutdown|this]] wiki page. If using "The Modern way" of PolicyKit, you can add the command to ccsm->General->Commands and assign a shortcut key to it, or alternatively use a launcher application.<br />
<br />
== Misc ==<br />
<br />
=== Configuration ===<br />
[[Compiz#Configuration|You must do this so your windows function like you expect them to!]]<br />
<br />
=== Using compiz-manager ===<br />
<br />
In order to use compiz-manager, install it from [community]:<br />
# pacman -S compiz-manager<br />
<br />
compiz-manager, now installed as {{ic|/usr/bin/compiz-manager}}, is a simple wrapper around Compiz and all of its options. For example, run<br />
compiz-manager<br />
and read what it prints for more information. You can use it in any of the scripts that start Compiz.<br />
<br />
=== Using gtk-window-decorator ===<br />
<br />
In order to use gtk-window-decorator, install the package ''compiz-decorator-gtk'' and select "GTK Window Decorator" instead of "Emerald" as your window decorator in fusion-icon or whatever other program you are using to configure compiz.<br />
<br />
=== gconf: Additional Compiz Configurations ===<br />
<br />
To achieve more satisfying results from Compiz, you can tweak its config with gconf-editor:<br />
<br />
$ gconf-editor<br />
<br />
Note that compiz-core itself is no longer built with gconf support; gconf support is provided by compiz-decorator-gtk. You need to install that package if you want to use gconf-editor to edit your Compiz configuration.<br />
The Compiz gconf configuration is located in the key <b>apps</b> > <b>compiz</b> > <b>general</b> > <b>allscreens</b> > <b>options</b>.<br />
<br />
"Active plugins" is where you specify the plugins you would like to use. Simply edit the key and add a value (refer to the key <b>apps</b> > <b>compiz</b> > <b>plugins</b> to see possible values). Plugins I've found useful are screenshot, png, fade, and minimize. Please do not remove those enabled by default.<br />
<br />
=== ATI R600/R700 Notes ===<br />
While using fusion-icon you should not experience any problems, because it sets up the environment for you; but if you use one of the autostart methods that do not involve fusion-icon you will run into trouble. For example, when using the Xfce autostart method without fusion-icon you must edit ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml per the instructions above; however, if you follow those directions literally you will find that compiz does not load. Make your xfce4-session.xml look like this instead:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="LIBGL_ALWAYS_INDIRECT=1"/><br />
<value type="string" value="compiz"/><br />
<value type="string" value="--sm-disable"/><br />
<value type="string" value="--ignore-desktop-hints"/><br />
<value type="string" value="ccp"/><br />
<value type="string" value="--indirect-rendering"/><br />
</property><br />
<br />
This example targets Xfce specifically, but it can be adapted to any desktop environment; it is just a matter of finding the right configuration file. The key is the required command, which typed on a command line would look like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering<br />
<br />
That is how Xfce's session manager interprets the XML array above. Notice that --replace is not needed, because xfwm4 is never started first.<br />
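Both Method 3 under Xfce autostart and this ATI note come down to the same edit of xfce4-session.xml: replace the Client0_Command array, force SaveOnExit to false, and clear ~/.cache/sessions. The following is an added example, not code from the wiki page or from Xfce: it performs that edit with Python's xml.etree instead of by hand, and renders the array back as the single command line shown above so you can check what the session manager will run. It assumes the channel/property nesting of the stock xfce4-session.xml (general and sessions/Failsafe properties under the channel element); the sample document, the function names and the constants are constructed for the example.

```python
"""Point Xfce's failsafe session at Compiz by rewriting xfce4-session.xml.

Added example, not from the Arch wiki or Xfce. Assumes the stock file layout:
<channel name="xfce4-session"> containing <property name="general"> and a
nested <property name="Client0_Command" type="array"> under sessions/Failsafe.
"""
import os
import shutil
import xml.etree.ElementTree as ET

# Command tokens from the page: plain Compiz, and the ATI R600/R700 variant.
COMPIZ_CMD = ["compiz", "--sm-disable", "--ignore-desktop-hints", "ccp"]
COMPIZ_CMD_ATI = ["LIBGL_ALWAYS_INDIRECT=1"] + COMPIZ_CMD + ["--indirect-rendering"]

SYSTEM_DEFAULT = "/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml"
USER_FILE = os.path.expanduser("~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml")

# Constructed sample mirroring the stock file; the real one has more Client*_ entries.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
    <property name="SessionName" type="string" value="Default"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
    </property>
  </property>
</channel>
"""


def _client0(root):
    # Client0_Command lives a few levels down; search the whole channel.
    return root.find(".//property[@name='Client0_Command']")


def current_argv(xml_text):
    """Return Client0_Command as a list of argv tokens (empty if absent)."""
    prop = _client0(ET.fromstring(xml_text))
    return [] if prop is None else [v.get("value") for v in prop.findall("value")]


def save_on_exit(xml_text):
    """Return the general/SaveOnExit value string, or None if the property is missing."""
    prop = ET.fromstring(xml_text).find("./property[@name='general']/property[@name='SaveOnExit']")
    return None if prop is None else prop.get("value")


def render_command_line(argv):
    """The array as it would be typed in a shell, e.g. for the ATI note above."""
    return " ".join(argv)


def configure_text(xml_text, argv):
    """Set Client0_Command to argv and SaveOnExit to false; return the new XML."""
    root = ET.fromstring(xml_text)
    prop = _client0(root)
    if prop is None:
        raise LookupError("Client0_Command not found; is this xfce4-session.xml?")
    for child in list(prop):
        prop.remove(child)
    for token in argv:
        ET.SubElement(prop, "value", {"type": "string", "value": token})
    general = root.find("./property[@name='general']")
    if general is None:
        general = ET.SubElement(root, "property", {"name": "general", "type": "empty"})
    soe = general.find("./property[@name='SaveOnExit']")
    if soe is None:
        soe = ET.SubElement(general, "property", {"name": "SaveOnExit", "type": "bool"})
    soe.set("value", "false")  # keep xfce4-session from saving xfwm4 back over this
    return ET.tostring(root, encoding="unicode")


def configure_file(path=USER_FILE, argv=COMPIZ_CMD, system_default=SYSTEM_DEFAULT):
    """Per-user variant of Method 3: seed from the system copy, edit, drop cached sessions."""
    if not os.path.exists(path):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        shutil.copy(system_default, path)
    with open(path, encoding="utf-8") as fh:
        new_text = configure_text(fh.read(), argv)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_text + "\n")
    # A cached session would still restart xfwm4, so remove it as the page does.
    shutil.rmtree(os.path.expanduser("~/.cache/sessions"), ignore_errors=True)
    return render_command_line(argv)


if __name__ == "__main__":
    print(render_command_line(current_argv(configure_text(SAMPLE_XML, COMPIZ_CMD_ATI))))
```

Run `configure_file()` for the plain command or `configure_file(argv=COMPIZ_CMD_ATI)` for the indirect-rendering variant; to fall back, call it again with `argv=["xfwm4"]`. Only the per-user file is touched, so the system default under /etc/xdg stays intact.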
<br />
== Tips and tricks ==<br />
=== Fallback ===<br />
If you are using [[KDE]], [[GNOME]] or [[XFCE]] and something is not right, for example you don’t see borders for your window, you can switch back to default DE window manager with this command:<br />
<br />
''wm_name'' --replace<br />
<br />
with kwin, metacity or xfwm4 instead of ''wm_name''.<br />
<br />
=== Keyboard Shortcuts ===<br />
Default plugin keyboard shortcuts (plugins have to be activated!)<br />
<br />
* Switch windows = {{Keypress|Alt + Tab}}<br />
* Switch desktops on cube = {{Keypress|Ctrl + Alt + Left/Right Arrow}}<br />
* Move window = {{Keypress|Alt + left-click}}<br />
* Resize window = {{Keypress|Alt + right-click}}<br />
<br />
A more detailed list can be found under [http://wiki.compiz-fusion.org/CommonKeyboardShortcuts CommonKeyboardShortcuts] in the Compiz wiki or you can always just look at your plugin's configuration (ccsm).<br />
<br />
== Troubleshooting ==<br />
{{Out of date}}<br />
<br />
=== Missing GLX_EXT_texture_from_pixmaps ===<br />
==== On ATI cards (first solution) ====<br />
See [https://bbs.archlinux.org/viewtopic.php?id=50073 this forum thread]. If you run into the following error when trying to run Compiz Fusion on an ATI card:<br />
<br />
Missing GLX_EXT_texture_from_pixmap<br />
<br />
This is because Compiz Fusion's binary was compiled against Mesa's OpenGL library rather than ATI's OpenGL library (which is what you are using). Reinstall libgl-dri (yes, you will have to uninstall fglrx temporarily) to get Mesa's OpenGL library back.<br />
<br />
Copy the library into a directory of its own, because ATI's driver will overwrite it:<br />
<br />
mkdir /lib/mesa<br />
cp /usr/lib/libGL.so.1.2 /lib/mesa<br />
<br />
Once it is copied, reinstall the fglrx driver (it was removed when you installed libgl-dri). Keep in mind that the copied library is not tracked by pacman and will not receive updates. Now start Compiz Fusion with the Mesa library preloaded:<br />
<br />
LD_PRELOAD=/lib/mesa/libGL.so.1.2 compiz --replace &<br />
<br />
==== On ATI cards (second solution) ====<br />
Another problem with GLX_EXT_texture_from_pixmap is that the card may only be able to render it indirectly. In that case pass the option to libGL like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp &<br />
<br />
(Workaround tested on the following card : ATI Technologies Inc Radeon R250 [Mobility FireGL 9000] (rev 02))<br />
<br />
==== On Intel chips ====<br />
First, check that you are using the intel driver rather than i810. Then start compiz with the following command (you must use it every time):<br />
LIBGL_ALWAYS_INDIRECT=true compiz --replace --sm-disable ccp &<br />
If you then have no window borders, run<br />
emerald --replace<br />
As of 17-Oct-07 the [http://wiki.compiz-fusion.org/Troubleshooting Compiz-Fusion Wiki] states: <i>"If you are using an Intel GMA card with AIGLX, you will need to start Compiz Fusion with LIBGL_ALWAYS_INDIRECT=1 appended."</i><br />
<br />
=== Compiz starts, but no effects are visible ===<br />
If you have installed compiz-decorator-gtk:<br />
Check if GConf schema was correctly installed: <br />
gconftool-2 -R /apps/compiz/plugins | grep plugins<br />
and make sure that all plugins are listed (not only fade). If not, install the compiz schema manually (as your normal user, not as root):<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
Note: Compiz basic plugins are not enabled by default. You should enable "Move Window", "Resize Window", and "Window decoration" plugins in settings manager from fusion-icon to have a usable window manager.<br />
<br />
=== Compiz starts, but gtk-window-decorator does not ===<br />
It is a configuration problem for gconf and gconfd. I solved it by removing the ".gconf" directory in my home, but I am using KDE. If you are using GNOME you should enter your ".gconf" directory and remove only the compiz keys. This will erase your compiz settings, so be sure to reconfigure.<br />
Finally run, as your user:<br />
<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
=== Compiz appears to start, but there are no window borders ===<br />
When you run fusion-icon from commandline, you get output like this:<br />
<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING<br />
* Using the GTK Interface<br />
* Metacity is already running<br />
* Setting window manager to Compiz<br />
... executing: compiz --replace --sm-disable --ignore-desktop-hints ccp<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
<br />
Edit your {{Ic|/etc/X11/xorg.conf}}, find the "Depth" directive inside the "Screen" section and change all occurrences of this value to 24. This occurred to me with my colour depth set to 16, but it also happens when it is set to 32.<br />
<br />
----<br />
<br />
You may also try adding ''Option "AddARGBGLXVisuals" "True"'' and ''Option "DisableGLXRootClipping" "True"'' to your "Screen" section if you are using the Nvidia binary driver. (Radeon and the open 'nv' driver will not work with these options as far as I can tell.) If you used any other Options elsewhere in {{Ic|xorg.conf}} to get compiz working and still have no luck, try commenting them out and using only the aforementioned AddARGBGLXVisuals and DisableGLXRootClipping options.<br />
<br />
'''Note''': Check that "Window decoration", "Move" and "Resize" plugins are enabled with Compiz Settings Manager or gconf-editor.<br />
<br />
With gconf-editor you can easily enable the "Window decoration", "Move" and "Resize" plugins.<br />
<br />
$ gconf-editor<br />
<br />
Navigate to apps/compiz/general/allscreens/options<br />
<br />
Add/Edit "active_plugins" Key (Name: active_plugins, Type: List, List type: String).<br />
<br />
Add "decoration", "move", and "resize" to the list.<br />
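The gconf-editor steps just given, and the "Active plugins" note under ''gconf: Additional Compiz Configurations'' above, both amount to appending decoration, move and resize to active_plugins without dropping whatever is already enabled. The following is an added example, not code from the wiki page or from Compiz: it parses the `[a,b,c]` list literal that gconftool-2 prints and accepts for a string list, merges the required plugins into it, and writes it back only if something changed. The key path and the gconftool-2 options are the real ones; the function names and the sample lists are constructed for the example, and the pure parse/merge/format helpers can be tried without gconf installed.

```python
"""Enable Compiz's basic plugins in GConf without removing those already active.

Added example, not from the Arch wiki or Compiz. gconftool-2 prints and
accepts string lists as "[a,b,c]"; this merges into that literal rather
than overwriting it, which is what "do not remove those enabled by default"
asks for.
"""
import subprocess

KEY = "/apps/compiz/general/allscreens/options/active_plugins"
# Plugins the page says you need for a usable window manager.
REQUIRED = ["decoration", "move", "resize"]


def parse_gconf_list(text):
    """'[core,fade]' -> ['core', 'fade']; '[]' -> []."""
    text = text.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError(f"not a gconf list literal: {text!r}")
    body = text[1:-1]
    return [item.strip() for item in body.split(",") if item.strip()]


def format_gconf_list(items):
    """['core', 'fade'] -> '[core,fade]', the form gconftool-2 --set expects."""
    return "[" + ",".join(items) + "]"


def merge_plugins(current, required=REQUIRED):
    """Keep current entries and order; append only the required ones that are missing."""
    merged = list(current)
    for plugin in required:
        if plugin not in merged:
            merged.append(plugin)
    return merged


def read_active_plugins():
    """Query the live key with gconftool-2 (runs as the desktop user, never as root)."""
    result = subprocess.run(["gconftool-2", "--get", KEY],
                            capture_output=True, text=True, check=True)
    return parse_gconf_list(result.stdout)


def write_active_plugins(plugins):
    subprocess.run(["gconftool-2", "--type", "list", "--list-type", "string",
                    "--set", KEY, format_gconf_list(plugins)], check=True)


def ensure_basic_plugins():
    """Add decoration/move/resize to active_plugins if absent; return the final list."""
    current = read_active_plugins()
    merged = merge_plugins(current)
    if merged != current:
        write_active_plugins(merged)
    return merged


if __name__ == "__main__":
    print(format_gconf_list(ensure_basic_plugins()))
```

Run it as the same user whose Compiz session you are fixing; gconf settings are per user, and running it as root would only populate root's database.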
<br />
----<br />
<br />
'''Another way to fix this''':<br />
* Launch '''ccsm'''.<br />
* Find '''windows decoration''' and make sure it is enabled.<br />
* Now click on it, to edit the options.<br />
* If the entry behind '''command''' is empty, put the value '''gtk-window-decorator''' there.<br />
** Alternatives are '''kde-window-decorator''' and '''emerald'''<br />
* Click '''Back''' and '''Close'''<br />
* If all went well, the borders should appear.<br />
<br />
=== Compiz starts and borders appear, but windows won't move ===<br />
Be sure you have the "Move Window" plugin installed and enabled in the compiz settings manager.<br />
<br />
=== Blank screen on resume from suspend-to-ram using the Nvidia binary drivers ===<br />
If you receive a blank screen with a responsive cursor upon resume, try disabling sync to vblank:<br />
<br />
gconftool-2 -s /apps/compiz/general/screen0/options/sync_to_vblank -t boolean false<br />
<br />
=== fusion-icon doesn't start ===<br />
If you get an output like this from the command line:<br />
[andy@andylaptop ~]$ fusion-icon<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
Traceback (most recent call last):<br />
File "/usr/bin/fusion-icon", line 57, in <module><br />
from FusionIcon.interface import choose_interface<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/interface.py", line 23, in <module><br />
import start<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/start.py", line 36, in <module><br />
config.check()<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/util.py", line 362, in check<br />
os.makedirs(self.config_folder)<br />
File "/usr/lib/python2.5/os.py", line 172, in makedirs<br />
mkdir(name, mode)<br />
OSError: [Errno 13] Permission denied: '/home/andy/.config/compiz'<br />
<br />
the problem is the permission on {{Ic|~/.config/compiz}}: a directory inside your home is owned by root, typically because fusion-icon or ccsm was once run as root. To fix it, run (as root)<br />
chown -R <username> /home/<username>/.config/compiz<br />
<br />
=== Choppy animations, even though everything configured correctly ===<br />
If everything is configured correctly but you still have poor performance on some effects, try disabling CCSM->General Options->Display Settings->"Detect Refresh Rate" and choose a value manually instead. Tested on both nvidia and intel chips; it can work wonders.<br />
<br />
Alternatively, if your chip is nvidia and you get an inadequate refresh rate with "Detect Refresh Rate" enabled in Compiz, the likely cause is the DynamicTwinView option, which is enabled by default and keeps the driver from accurately reporting the maximum refresh rate your card and display support. You can disable DynamicTwinView by adding the following line to the "Device" or "Screen" section of your xorg.conf and restarting X:<br />
<br />
Option "DynamicTwinView" "False"<br />
<br />
Doing so will allow XrandR to accurately report the refresh rate to anything that detects it, including Compiz. You should be able to leave "Detect Refresh Rate" enabled and get excellent performance. Once again, this only applies to nvidia chips.<br />
<br />
=== Fix Gnome Screenshot ===<br />
To re-enable gnome-screenshot (the default behavior caused by hitting {{Keypress|PrtScn}}) simply go to Settings Manager>Commands and map 'gnome-screenshot' to the 'PrtScn' key. This is advantageous because you can also use the Compiz-Fusion 'Screenshot' plugin at the same time since the action that enables it is <Super>Button1 thereby giving you two methods to do a screen capture (one of which gives a full screen capture in a single keystroke).<br />
<br />
=== Get GNOME Workspace Switcher work with Compiz-Fusion ===<br />
In older versions of Compiz, the GNOME Workspace Switcher applet would actually work with Compiz-Fusion (i.e. rotate cube, move plane, etc.), but recent versions seem not to. This is due to a newer Compiz feature that allows real, separate workspaces: for example, with a desktop plane of four viewports and four desktops enabled in GNOME you end up with 16 different workspaces, and there is currently no animation for "real" workspace changes. To get the Workspace Switcher to work, do the following:<br />
<br />
In GConf, set the following options:<br />
<br />
/apps/compiz/general/screen0/options/number_of_desktops = '''1'''<br />
/apps/compiz/general/screen0/options/hsize = 4 (this is an example)<br />
/apps/compiz/general/screen0/options/vsize = 1 (this is an example)<br />
<br />
=== Screen flickers with NVIDIA card ===<br />
To fix it, create the file /etc/modprobe.d/nvidia.conf and add the line:<br />
options nvidia NVreg_RegistryDwords="PerfLevelSrc=0x2222"<br />
<br />
=== Fix Custom Cursor Theme on Gnome 2.30 ===<br />
Create or edit /usr/share/icons/default/index.theme for the default, or per user '''(non-root)''' ~/.icons/default/index.theme, and add these lines:<br />
<br />
[Icon Theme]<br />
#Name=''foo''<br />
Name=''foo''<br />
#Inherits=''foo''<br />
Inherits=''foo''<br />
[Desktop Entry]<br />
Name[en_US]=index.theme<br />
<br />
"Foo" is the name of the cursor theme.<br />
<br />
=== Screen artifacts on Firefox / Thunderbird ===<br />
{{Note|Although this issue is not strictly related to Compiz, it has been added here due to the popular misconception that Compiz itself may be the cause.}}<br />
<br />
Some users noticed strange behaviour with AMD/ATI Catalyst drivers starting from the 10.6 release. Artifacts are visible mainly with Mozilla applications, where the GUI shows black spots of variable size. This is caused by the different 2D acceleration technique introduced with Catalyst 10.6.<br />
The problem can be fixed by following the troubleshooting steps on the [[ATI_Catalyst#Black.2Fgrey.2Fwhite_boxes.2Fartifacts_mainly_in_firefox.2Fthunderbird|ATI Catalyst page]].<br />
<br />
=== Setting the window manager back to Metacity after uninstall ===<br />
Removing compiz with pacman does not set your window manager back to metacity. This can result in no window borders being drawn, an inability to minimize, and an inability to change the focus. To change it back, run the command "gconf-editor" in the terminal (install it if you do not have it already). Use this to set the value of the key {{Ic|/desktop/gnome/session/required_components/window_manager}} from "compiz" to "metacity". Log out and back in for this change to take effect.<br />
<br />
=== Context menu in applications (firefox, ...?) disappears on mouseover ===<br />
Try disabling "focus stealing prevention" (general options).<br />
<br />
=== External notes ===<br />
[http://wiki.compiz.org/Troubleshooting Troubleshooting page] on compiz.org<br />
<br />
== See also ==<br />
*[http://compiz.org Compiz Website] -- including wiki and forum</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Compiz&diff=256240Compiz2013-05-06T17:19:51Z<p>Jrussell: /* Xfce autostart (without "fusion-icon") */</p>
<hr />
<div>[[Category:Eye candy]]<br />
[[Category:Stacking WMs]]<br />
[[el:Compiz]]<br />
[[es:Compiz]]<br />
[[it:Compiz]]<br />
[[ja:Compiz]]<br />
[[pl:Compiz]]<br />
[[pt:Compiz]]<br />
[[ru:Compiz]]<br />
[[tr:Compiz]]<br />
[[zh-CN:Compiz]]<br />
{{Article summary start}}<br />
{{Article summary wiki|Compiz Configuration}}<br />
{{Article summary wiki|AIGLX}}<br />
{{Article summary wiki|Composite}}<br />
{{Article summary wiki|Xcompmgr}}<br />
{{Article summary wiki|Cairo Compmgr}}<br />
{{Article summary end}}<br />
<br />
Compiz is a [[Wikipedia:Compositing window manager|compositing window manager]]. It is a window manager in its own right and ships its own window decorator, [[Emerald]]; therefore it cannot be used simultaneously with other window managers such as [[Openbox]], [[Fluxbox]], or [[Enlightenment]]. Users who want to keep their current window manager and add some effects to it may wish to try [[Xcompmgr]] instead.<br />
<br />
== Requirements ==<br />
Users of major [[DE]]s can make good use of {{Pkg|compiz-manager}}, performing brief requirements checking and switching to fallback WM in case of errors. Discovering setup and hardware issues can also be done with {{AUR|compiz-check}} script (available in [[AUR]]).<br />
<br />
== Installation ==<br />
All compiz packages, available in [[official repositories]], can be [[pacman|installed]] with group {{Grp|compiz-fusion}}.<br />
<br />
For those who do not want to install EVERYTHING there are also groups {{Grp|compiz-fusion-gtk}} and {{Grp|compiz-fusion-kde}} for [[Gnome]] or [[KDE]] correspondingly.<br />
<br />
Users who wish to select the packages individually may start with {{Pkg|compiz-core}} and one of [[#Decorators|decorators]].<br />
{{Note|Lack of configured window decorator can render your [[X]] workspace slightly unusable.}}<br />
<br />
=== Initial configuration ===<br />
While the appearance of the windows and their contents is a function of [[GTK+]] and [[Qt]], the frames around the windows are controlled by the Window Decoration plugin. To use it make sure you have a window decorator installed. Depending on which packages you have installed you can choose among several window decorators; the most common ones are Emerald, kde-window-decorator, and gtk-window-decorator. Emerald has the advantage that it integrates better with compiz's screen handling and offers transparency effects. To set your default window decorator, type the following command string into the "Window Decoration" plugin's settings under the field "Command".<br />
To set emerald as your default window decorator type:<br />
emerald --replace<br />
To set the KDE window decorator as an alternative to Emerald type:<br />
kde4-window-decorator --replace<br />
To set the GTK window decorator (from compiz-decorator-gtk) as an alternative to Emerald type:<br />
gtk-window-decorator --replace<br />
<br />
{{Box RED|Activate important plugins!|<br />
There is high possibility that you will want to activate a few plugins that provide basic window manager behavior or else you will have no ability to drag, scale or close any windows as soon as compiz is activated. Among those plugins are "Window Decoration" under Effects and "Move Window" & "Resize Window" under Window Management. Ccsm may be used to achieve this.<br />
Launch CompizConfig Settings Manager:<br />
$ ccsm<br />
Simply put check marks next to those plugins to activate them.}}<br />
<br />
== Additional software ==<br />
=== Decorators ===<br />
* {{App|[[Emerald]]|Compiz's own window decorator with few dependencies. (Note: Works but is buggy and no longer maintained)|http://www.compiz.org|{{Pkg|emerald}}}}<br />
* {{Pkg|compiz-decorator-gtk}} and {{Pkg|compiz-decorator-kde}} &ndash; alternatives to Emerald, using your desktop environment's configuration backends and looks<br />
=== Other ===<br />
* {{Pkg|ccsm}} (CompizConfig settings manager) &ndash; GUI application that lets you configure all of Compiz's plugins<br />
* {{Pkg|fusion-icon}} &ndash; offers a tray icon and a nice way to start compiz, start ccsm and change the WM / Window Decorator<br />
* [https://aur.archlinux.org/packages.php?K=compiz Lots of quickly dying packages in AUR]<br />
<br />
== Starting Compiz Fusion ==<br />
<br />
=== Manually (with "fusion-icon") ===<br />
<br />
Launch the Compiz Fusion tray icon:<br />
$ fusion-icon<br />
<br />
{{Note|If it fails (almost never), you may try it with dbus-launch:<br />
{{bc|$ dbus-launch "fusion-icon"}}}}<br />
Right click on the icon in the panel and go to 'select window manager'. Choose "Compiz" if it isn't selected already, and you should be set.<br />
<br />
If this fails you can start compiz-fusion by using the following additional command to replace your default window decorator with Compiz's window decorator (Emerald):<br />
$ emerald --replace<br />
<br />
'''Again, note:''' If you want to use compiz window decorations make sure you have the "Window Decoration" plugin marked in the compiz settings through ccsm.<br />
<br />
=== Manually (without "fusion-icon") ===<br />
<br />
Launch Compiz with the following command (which replaces your current window manager):<br />
$ compiz --replace ccp &<br />
<br />
A quick overview over common compiz command-line options:<br />
*--indirect-rendering: use indirect-rendering (AIGLX)<br />
*--loose-binding: can help performance issues (nVidia?)<br />
*--replace: replace current window-manager<br />
*--keep-window-hints: keep the gnome window-manager gconf-settings for available viewports, ...<br />
*--sm-disable: disable session-management<br />
*ccp: the "ccp" command loads the last configured settings from ccsm (CompizConfig Settings Manager) otherwise Compiz will load with no settings and you won't be able to do anything with your windows like dragging, maximizing/minimizing, or moving.<br />
<br />
=== KDE4 ===<br />
{{Note| The first and last methods will load Compiz-Fusion as the default window manager instead of KWin. This is faster than loading Compiz with 'fusion-icon' because it avoids loading two window managers at startup. This also prevents that annoying black screen flicker you might see using other methods (when KWin switches to Compiz on KDE's desktop loading screens). The downside is that if Compiz crashes, it may be more difficult to recover your desktop}}<br />
<br />
==== Use System Settings (easiest)====<br />
Go to: ''System Settings'' --> ''Default Applications'' --> ''Window Manager'' --> ''Use a different window manager''<br />
<br />
'''''If''''' you need to run compiz with custom options select "Compiz custom" (when you run <code>fusion-icon</code> from a terminal you can see the command line with which compiz was started).<br />
As root, create a file called "compiz-kde-launcher" in <code>/usr/bin</code> and make it executable: <code>chmod +x /usr/bin/compiz-kde-launcher</code>.<br />
<br />
For example:<br />
#!/bin/bash<br />
# export is required: a plain assignment would not reach the compiz child process.<br />
export LIBGL_ALWAYS_INDIRECT=1<br />
compiz --replace ccp &<br />
wait<br />
<br />
==== Autostart with "fusion-icon" ====<br />
<br />
Add a symbolic link, that points to the fusion-icon executable, in your KDE Autostart directory:<br />
$ ln -s /usr/bin/fusion-icon ~/.kde4/Autostart/fusion-icon<br />
<br />
Next time KDE is started, it will load fusion-icon automatically.<br />
<br />
==== Autostart Link without "fusion-icon" ====<br />
<br />
{{Warning|DO NOT create compiz.desktop if you intend to install compiz-decorator-gtk; it will create a file conflict.}}<br />
<br />
* Append a desktop entry in the KDE Autostart directory. If it doesn't already exist (it should), create the file {{ic|~/.kde4/Autostart/compiz.desktop}} with the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp --replace<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you may have to add "--replace" and/or "ccp" to the Exec variable. Without "--replace", Compiz won't load since it will detect another window manager already loaded. Without "ccp", Compiz will not load any of the settings and plugins that you have enabled through CompizConfig Settings Manager (ccsm) and you won't be able to manipulate any of your windows.}}<br />
<br />
* If you want to use the optional {{ic|fusion-icon}} application, launch ''fusion-icon''. If you log out normally with ''fusion-icon'' running, KDE should restore your session and launch ''fusion-icon'' the next time you log in if this setting is enabled. If it doesn't appear to be working, ensure you have the following line in {{ic|~/.kde4/share/config/ksmserverrc}}:<br />
<br />
loginMode=restorePreviousLogout<br />
{{Note| This is a KDE specific setting that will allow you to restore other apps next time you log in, not just fusion-icon.}}<br />
<br />
==== Export KDEWM without "fusion-icon" (preferred) ====<br />
<br />
As root, create a short script by running the following in your terminal. It lets you load compiz with its switches, because doing it directly via {{ic|1=export KDEWM="compiz --replace ccp --sm-disable"}} does not seem to work.<br />
# echo "compiz --replace ccp --sm-disable &" > /usr/bin/compiz-fusion<br />
<br />
{{Note| If this line doesn't work, make sure the "fusion-icon" package is installed and then use this line instead:<br />
# echo "fusion-icon &" > /usr/bin/compiz-fusion<br />
Be sure to complete the whole method before trying this substitute.}}<br />
<br />
Ensure that {{ic|/usr/bin/compiz-fusion}} has executable (+x) permissions:<br />
# chmod a+x /usr/bin/compiz-fusion<br />
<br />
Choose one of the following:<br />
<br />
:1) Compiz for your user only --> Edit the file {{ic|~/.kde4/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
:2) Compiz system wide --> Edit the file {{ic|/etc/kde/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
{{Note| If that still doesn't work, yet another alternate way to accomplish the above method is to include the line<br />
{{bc|1=export KDEWM="compiz-fusion"}}<br />
in your user's {{ic|~/.bashrc}} file.}}<br />
{{Note| If you optionally use the {{ic|/usr/local/bin}} directory it may not work. In that case you should export the script including the whole path:<br />
{{bc|1=export KDEWM="/usr/local/bin/compiz-fusion"}}}}<br />
<br />
=== GNOME ===<br />
If you have installed [[GNOME3]] with gnome-shell, either enable forced Fallback Mode (System Info > Graphics) or simply uninstall gnome-shell.<br />
{{Note|Fallback Mode is not necessary if you choose the Compiz/Cairo-Dock session method below.}}<br />
<br />
==== Alternate Session for GNOME (Preferred Method for Experienced Compiz/Dock Users) ====<br />
The {{AUR|gnome-session-compiz}} package can be used to add an additional menu entry in the GNOME session login dialog. This method does not require forced fallback mode or modifications to sensitive system files/settings. Also, you can switch between GNOME Shell and Compiz/Cairo-Dock between sessions. If you cannot get it working, you can always go back to your original GNOME session.<br />
<br />
For this method to work, Compiz and Cairo-Dock (Taskbar/Panel) may have to be [[#Configuration|configured initially]] for fresh accounts, from another working session (ccsm in GNOME Shell worked fine for me).<br />
<br />
This method completely replaces GNOME's window manager and panel (they are not launched at all, rather than being replaced or killed later). So, before actually switching to this alternate session, you may want to configure the corresponding/alternate features of the original panel application in Cairo-Dock:<br />
* Add Application Menu icon to Cairo-Dock and remember its key-bindings.<br />
* Remap Application Menu key-bindings to ALT+F1 and ALT+F2, for convenience.<br />
* Add Clock, WiFi, NetSpeed icons to the dock as applicable.<br />
* Add Log-out icon:<br />
** Set the command for logout to "gnome-session-quit --logout"<br />
** Set the command for shutdown to "gnome-session-quit --power-off"<br />
* Add the Notification Area Old (systray) icon to Cairo-Dock.<br />
<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
This method makes use of the [http://standards.freedesktop.org/desktop-entry-spec/latest/ Desktop Entry Specification] to specify a Compiz desktop entry, and of the GConf default window manager setting. Thanks to the desktop entry you should be able to select Compiz as a window manager from GDM.<br />
<br />
'''1)''' If the file {{ic|/usr/share/applications/compiz.desktop}} does not already exist (it should), create it with the following content:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
# Make sure ccp is included so that Compiz loads your previous settings.<br />
# (A '#' after the command is not a comment in a desktop entry; it would be passed to compiz as an argument.)<br />
Exec=/usr/bin/compiz ccp<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
##-> the following line causes a gnome-session warning and slow startup, so try not to enable it<br />
# X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you must make sure that the "ccp" is included in the Exec variable. Having "ccp" included simply tells Compiz to load your previous settings, otherwise you won't have any functionality.}}<br />
<br />
If the above doesn't work (in most cases it does), for example if you notice some issues with windows refreshing or low performance, try:<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp --indirect-rendering}}<br />
<br />
or<br />
<br />
{{bc|1=Exec=/usr/bin/compiz --replace --sm-disable --ignore-desktop-hints ccp --indirect-rendering}}<br />
<br />
instead of<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp}}<br />
<br />
Some users noticed a lag of 4-10 seconds when logging in from a login manager. The solution is to change the command to:<br />
{{bc|1=Exec=bash -c 'compiz ccp decoration --sm-client-id $DESKTOP_AUTOSTART_ID'}}<br />
as noted [https://bbs.archlinux.org/viewtopic.php?pid=655237#p655237 in the forum]. You can also add the extra parameters as described above if needed.<br />
<br />
'''2)''' Set some GConf parameters using the gconftool-2 command in a terminal window or do it visually with Configuration Editor (gconf-editor). The following outlines using the command line method, but you can also see which keys to change using gconf-editor:<br />
<br />
{{Note| Since these parameters apply to a given user, you '''must''' log out of the root account and log in as that user before proceeding with the next steps. GConf will fail if called from a root account.}}<br />
<br />
gconftool-2 --set -t string /desktop/gnome/session/required_components/windowmanager compiz<br />
<br />
The following are optional and in most cases not necessary (the respective keys have been deprecated since GNOME 2.12). But in any case, if the above did not succeed, the next two statements are still valid and should be tried.<br />
<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/current /usr/bin/compiz<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/default /usr/bin/compiz<br />
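A check for the mistakes this section warns about: no {{ic|ccp}} in Exec, a comment tacked onto the Exec value, or an enabled X-GNOME-Autostart-Phase. This is an added example and not part of the page; it reads only the [Desktop Entry] group of the file given as its argument.<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki page): sanity-check a compiz.desktop
# autostart entry for the pitfalls described in this section.

# check_compiz_desktop FILE
# Prints each problem found and returns 1 if there was any, 0 otherwise.
check_compiz_desktop() {
    f=$1
    ok=0
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    # Keep only the [Desktop Entry] group and drop comment lines, so that a
    # commented-out "# X-GNOME-Autostart-Phase=..." is not counted as enabled.
    entry=$(awk '/^\[/ { in_entry = ($0 == "[Desktop Entry]") }
                 in_entry && !/^#/ { print }' "$f")
    exec_line=$(printf '%s\n' "$entry" | sed -n 's/^Exec=//p' | head -n 1)
    if [ -z "$exec_line" ]; then
        echo "no Exec= key in [Desktop Entry]"
        ok=1
    fi
    # ccp must appear as its own argument, otherwise compiz starts with no
    # settings at all (no plugins, no decorations).
    case " $exec_line " in
        *" ccp "*) ;;
        *) echo "Exec does not pass ccp: compiz would start without your settings"
           ok=1 ;;
    esac
    # A '#' inside a value is not a comment in the desktop entry format; it
    # would be handed to compiz as extra arguments.
    case $exec_line in
        *'#'*) echo "Exec contains '#': put comments on their own line"
               ok=1 ;;
    esac
    printf '%s\n' "$entry" | grep -q '^Type=Application$' \
        || { echo "Type is not Application"; ok=1; }
    if printf '%s\n' "$entry" | grep -q '^X-GNOME-Autostart-Phase='; then
        echo "X-GNOME-Autostart-Phase is enabled: expect a gnome-session warning and slow startup"
        ok=1
    fi
    return $ok
}

# Real use: check_compiz_desktop /usr/share/applications/compiz.desktop
```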
<br />
==== Autostart (without "fusion-icon") (With gnome3 fallback mode session) ====<br />
Edit file {{ic|/usr/share/gnome-session/sessions/gnome-fallback.session}}:<br />
<br />
Replace your window manager (gnome-shell, metacity, ...) with ''compiz'' in the '''RequiredComponents''' line.<br />
<br />
Change the ''DefaultProvider-windowmanager'' line to ''DefaultProvider-windowmanager=compiz''.<br />
<br />
Here is part of my {{ic|gnome-fallback.session}}:<br />
<br />
{{bc|1=<br />
RequiredComponents=compiz;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=compiz<br />
DefaultProvider-notifications=notification-daemon<br />
}}<br />
<br />
{{Note| I took out gnome-panel as I am using avant-window-navigator as my panel.<br />
I am using gnome3 fallback mode with compiz, make gtk-window-decorator start with compiz, and make avant-window-navigator start automatically.}}<br />
<br />
==== Autostart (without "fusion-icon", Gnome prior to 2.24) ====<br />
This is a way that works if you use GDM (and I'd assume KDM too).<br />
<br />
Make a file called /usr/local/bin/compiz-start-boot with the contents:<br />
#!/bin/bash<br />
export WINDOW_MANAGER="compiz ccp"<br />
exec gnome-session<br />
<br />
and make it executable ({{ic|chmod +x /usr/local/bin/compiz-start-boot}}). Next create the file {{ic|/etc/X11/sessions/Compiz.desktop}} containing the following:<br />
[Desktop Entry]<br />
Version=1.0<br />
Encoding=UTF-8<br />
Name=Compiz on GNOME<br />
Exec=/usr/local/bin/compiz-start-boot<br />
Icon=<br />
Type=Application<br />
<br />
Select Compiz on Gnome as your session and you're good to go.<br />
<br />
==== Autostart (with "fusion-icon") ====<br />
To start Compiz fusion automatically when starting a session go to System > Preferences > Startup Applications. In the Startup Programs tab, click the Add button.<br />
<br />
You will now see the Add Startup Program dialogue. Fill it in as follows.<br />
<br />
Name:<br />
Compiz Fusion<br />
Command:<br />
fusion-icon<br />
Comment: (Put anything you like or leave blank.)<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
When you're done hit the Add button. You should now see your startup program in the list in the Startup Programs tab. It must be checked to be enabled. You can uncheck it to disable Compiz on startup and switch back to Metacity.<br />
<br />
You may also need to use the gconftool-2 command in a terminal window to set the following parameter, otherwise fusion-icon might not load the window decorator.<br />
gconftool-2 --type bool --set /apps/metacity/general/compositing_manager false<br />
<br />
{{Note| This method will be slower because Gnome first loads the default window manager (Metacity) and then launches fusion-icon, which loads the Compiz window manager to replace Metacity. Essentially, it takes the time needed to load two window managers before Compiz is up. The first method is preferred and eliminates this issue.}}<br />
<br />
=== Mate Desktop ===<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
As with Gnome, create a compiz.desktop file (see [[Compiz#Autostart_.28without_.22fusion-icon.22.29_.28Preferred_Method.29]]), then set Compiz as the default window manager:<br />
* on Mate prior to 1.6, edit the following mateconf entries (note: the last two are deprecated values):<br />
mateconftool-2 --set -t string /desktop/mate/session/required_components/windowmanager compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/current /usr/bin/compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/default /usr/bin/compiz<br />
<br />
* on Mate 1.6 and higher, set the following gsettings value:<br />
gsettings set org.mate.session.required-components windowmanager compiz<br />
<br />
=== XFCE ===<br />
==== Xfce autostart (without "fusion-icon") ====<br />
This method will start Compiz directly through the XFCE session manager without loading Xfwm.<br />
<br />
Note that XFCE versions newer than 4.2 switched to XML configuration files.<br />
<br />
To install the session manager, install {{Pkg|xfce4-session}}.<br />
<br />
Now we have to configure the default/failsafe session of XFCE.<br />
<br />
Edit the {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}} or (to make the change for all XFCE users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Replace the xfwm startup command,<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="xfwm4"/><br />
</property><br />
<br />
with the following:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="compiz"/><br />
<value type="string" value="ccp"/><br />
</property><br />
<br />
{{Note| the ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
To prevent the default session from being overwritten you may also add this:<br />
<br />
<property name="general" type="empty"><br />
...<br />
...<br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
To remove the existing sessions, run:<br />
$ rm -r ~/.cache/sessions<br />
<br />
Ensure that the "Command" field of the "Window Decoration" plugin (in ccsm's "Effects" tab) is filled in so that a decorator is started; you can use:<br />
gtk-window-decorator --replace<br />
or<br />
emerald --replace<br />
<br />
==== Xfce autostart (with "fusion-icon") ====<br />
=====Method 1:=====<br />
{{Note| This method is the least preferred since it loads both window managers. All the other XFCE methods only load Compiz without loading Xfwm.}}<br />
This will load Xfwm first then replace it with Compiz.<br />
<br />
Open the XFCE Settings Manager and then Sessions and Startup. Click the Application Autostart tab.<br />
<br />
Add<br />
(Name:) Compiz Fusion<br />
<br />
(Command:) fusion-icon<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
=====Method 2:=====<br />
Edit the following file (settings in this file take precedence):<br />
$ nano ~/.config/xfce4-session/xfce4-session.rc<br />
<br />
Or to make the change for all XFCE users (root access required)<br />
# nano /etc/xdg/xfce4-session/xfce4-session.rc<br />
<br />
Add the following<br />
[Failsafe Session]<br />
Client0_Command=fusion-icon<br />
<br />
Comment out Client0_Command=xfwm4 if it exists.<br />
<br />
This will cause xfce to load Compiz instead of Xfwm when the user has no existing sessions.<br />
<br />
To prevent the default session from being overwritten you may also add<br />
[General]<br />
AutoSave=false<br />
SaveOnExit=false<br />
<br />
To remove the existing sessions<br />
rm -R ~/.cache/sessions<br />
<br />
=====Method 3:=====<br />
Check if this file exists:<br />
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
If not, run:<br />
cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
and edit {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}<br />
<br />
or (to make the changes for all xfce4 users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Edit Client0_Command so that it looks like this:<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="fusion-icon"/><br />
<value type="string" value="--force-compiz"/><br />
</property><br />
if '''--force-compiz''' doesn't work use '''compiz --replace --sm-disable --ignore-desktop-hints ccp''' instead.<br />
<br />
Add the '''SaveOnExit property''' if missing and set it to '''false''':<br />
<property name="general" type="empty"><br />
<property name="FailsafeSessionName" type="string" value="Failsafe"/><br />
<property name="SessionName" type="string" value="Default"/><br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
Finally, remove old xfce4 sessions:<br />
rm -r ~/.cache/sessions<br />
<br />
Now xfce4 will load compiz instead of Xfwm.<br />
<br />
=== As a Standalone Window Manager ===<br />
The package compiz-core by itself is sufficient to start using compiz-fusion. However ccsm and emerald (or another window-decorator) are additional highly recommended packages. You may install fusion-icon, compiz-fusion-plugins-main, compiz-fusion-plugins-extra or any other package later on at any time.<br />
<br />
To autostart compiz-fusion configure .xinitrc to launch compiz as:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec compiz ccp<br />
</nowiki>}}<br />
You can also add other [[Compiz_fusion#Manually_.28without_.22fusion-icon.22.29|command-line options]] to your .xinitrc<br />
<br />
Or if using fusion-icon, configure .xinitrc as<br />
{{hc|~/.xinitrc|<nowiki><br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
However, chances are you will need additional apps (e.g. a panel) for optimal usability. To autostart such apps, simply add them to your .xinitrc as:<br />
{{hc|~/.xinitrc|<nowiki><br />
tint2 &<br />
cairo-dock &<br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
{{Note| Add a terminal-emulator to this autostart list while starting for the first time to help [[Compiz_fusion#Configuration|configure]] compiz.}} <br />
<br />
An alternative method, utilizing a simple script entitled '''start-fusion.sh''':<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
If this script doesn't work for you, or you run into issues with '''dbus''', use this script instead:<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
cd /home/<yourusername><br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
/usr/bin/X :0.0 -br -audit 0 -nolisten tcp vt7 &<br />
export DISPLAY=:0.0<br />
sleep 1<br />
compiz-manager decoration move resize > /tmp/compiz.log 2>&1 &<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
Make it executable<br />
<br />
chmod +x start-fusion.sh<br />
<br />
And add it to .xinitrc, like this:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec /path/to/file/start-fusion.sh<br />
</nowiki>}}<br />
<br />
Feel free to use a different panel, tray, or start a whole bunch of applications with your session.<br />
See [https://bbs.archlinux.org/viewtopic.php?id=51282 this forum thread] for more info.<br />
<br />
{{Note | Using a separate script instead of running everything from xinitrc is the only way to let all launching applications use ConsoleKit: see [[ConsoleKit#Running_several_applications_from_.7E.2F.xinitrc|this article]].}}<br />
<br />
==== Add a root menu ====<br />
To add a root menu similar to that in Openbox, Fluxbox, Blackbox etc. you must install the package {{AUR|compiz-deskmenu}}.<br />
Upon a restart of Compiz-Fusion, you should be able to middle click on your desktop to launch the menu.<br />
<br />
If it does not automatically work, enter the CompizConfig Settings Manager, and in Commands tab, within the General Settings menu, ensure that there is a command to launch Compiz-Deskmenu, and the appropriate key binding is set to Control+Space.<br />
<br />
If it still does not work, enter the Viewport Switcher menu, and change "Plugin for initiate action" to core (NOTE: for versions 0.8.2+ it's 'commands' instead of 'core'), and "Action name for initiate" to run_command0_key.<br />
<br />
An alternative is to use [https://aur.archlinux.org/packages.php?ID=29564 mygtkmenu], also in [[AUR]].<br />
<br />
==== Allow users to shutdown/reboot ====<br />
Refer to [[Allow_Users_to_Shutdown|this]] wiki page. If using "The Modern way" of policykit, you can add the command to ccsm->General->Commands and assign a shortcut key to it, or alternatively use a launcher application.<br />
<br />
== Misc ==<br />
<br />
=== Configuration ===<br />
[[Compiz#Configuration|You must do this so your windows function like you expect them to!]]<br />
<br />
=== Using compiz-manager ===<br />
<br />
In order to use compiz-manager, you need to install it from community:<br />
pacman -S compiz-manager<br />
<br />
compiz-manager, which is now installed as {{ic|/usr/bin/compiz-manager}}, is a simple wrapper for Compiz and all of its options. For example, you can run<br />
compiz-manager<br />
and read what the console returns for more information. You can use it in any of the scripts that start Compiz.<br />
<br />
=== Using gtk-window-decorator ===<br />
<br />
In order to use gtk-window-decorator, install the package ''compiz-decorator-gtk'' and select "GTK Window Decorator" instead of "Emerald" as your window decorator in fusion-icon or whatever other program you are using to configure compiz.<br />
<br />
=== gconf: Additional Compiz Configurations ===<br />
<br />
To achieve more satisfying results from Compiz, you can tweak its config with gconf-editor:<br />
<br />
$ gconf-editor<br />
<br />
Note that compiz-core itself is no longer built with gconf support; gconf support is now provided through compiz-decorator-gtk. So you need to install that package if you want to use gconf-editor to edit your Compiz configuration.<br />
The Compiz gconf configuration is located in the key <b>apps</b> > <b>compiz</b> > <b>general</b> > <b>allscreens</b> > <b>options</b>.<br />
<br />
"Active plugins" is where you specify the plugins you would like to use. Simply edit the key and add a value (refer to the key <b>apps</b> > <b>compiz</b> > <b>plugins</b> to see possible values). Plugins I’ve found useful are screenshot, png, fade, and minimize. Please do not remove those enabled by default.<br />
<br />
=== ATI R600/R700 Notes ===<br />
While using fusion-icon you should not experience any problems, because it takes care of everything for you; but if you are using one of the autostart methods that do not involve fusion-icon, you will run into trouble. For example, when using the Xfce autostart method without fusion-icon, you must edit ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml per the instructions above. However, if you follow those directions exactly, you will find that compiz does not load. You must instead make your xfce4-session.xml file look like this:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="LIBGL_ALWAYS_INDIRECT=1"/><br />
<value type="string" value="compiz"/><br />
<value type="string" value="--sm-disable"/><br />
<value type="string" value="--ignore-desktop-hints"/><br />
<value type="string" value="ccp"/><br />
<value type="string" value="--indirect-rendering"/><br />
</property><br />
<br />
This example targets Xfce specifically, but it can be adapted to any desktop environment; it is just a matter of figuring out how to add it to the proper config file. The key thing is the required command, which, if typed on a command line, would look like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering<br />
<br />
This is how Xfce's session manager interprets the above XML code. Notice that you do not need --replace because you are not first loading xfwm and then compiz.<br />
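The following added example (not part of the page) reads an xfce4-session.xml and prints the Client0_Command array joined the way the session manager runs it, so the XML above and the single command line can be compared directly; it also checks the points from the Xfce section above (Client0_Command starts compiz with ccp or fusion-icon rather than xfwm4, and SaveOnExit is false so a saved session cannot override it). It assumes the one-element-per-line layout xfconf writes and does not decode XML entities.<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki page): inspect the Failsafe session
# command in an xfce4-session.xml file.

# session_client0_command FILE
# Prints the values of the Client0_Command array, space separated, in order.
session_client0_command() {
    awk '
        /<property name="Client0_Command"/ { in_cmd = 1; next }
        in_cmd && /<\/property>/            { in_cmd = 0 }
        in_cmd && match($0, /value="[^"]*"/) {
            v = substr($0, RSTART + 7, RLENGTH - 8)   # strip the value=" and " parts
            cmd = (cmd == "" ? v : cmd " " v)
        }
        END { print cmd }
    ' "$1"
}

# session_save_on_exit FILE
# Prints the SaveOnExit value, or "unset" when the property is absent.
session_save_on_exit() {
    v=$(sed -n 's/.*<property name="SaveOnExit" type="bool" value="\([a-z]*\)".*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-unset}"
}

# check_session_file FILE
# Returns 0 when the session starts compiz (with ccp) or fusion-icon and
# SaveOnExit is false; otherwise prints what is wrong and returns 1.
check_session_file() {
    f=$1
    ok=0
    cmd=$(session_client0_command "$f")
    # The page puts LIBGL_ALWAYS_INDIRECT=1 first for R600/R700 cards; skip
    # such VAR=value words when looking for the program name.
    prog=
    for w in $cmd; do
        case $w in *=*) continue ;; esac
        prog=$w
        break
    done
    case $prog in
        fusion-icon) ;;
        compiz)
            case " $cmd " in
                *" ccp "*) ;;
                *) echo "compiz is started without ccp: saved settings will not load"; ok=1 ;;
            esac ;;
        xfwm4) echo "Client0_Command still starts xfwm4"; ok=1 ;;
        "")    echo "no Client0_Command array found"; ok=1 ;;
        *)     echo "Client0_Command starts $prog, not compiz"; ok=1 ;;
    esac
    if [ "$(session_save_on_exit "$f")" != false ]; then
        echo "SaveOnExit is not false: a saved session can override Client0_Command"
        ok=1
    fi
    return $ok
}

# Real use:
#   check_session_file ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml
```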
<br />
== Tips and tricks ==<br />
=== Fallback ===<br />
If you are using [[KDE]], [[GNOME]] or [[XFCE]] and something is not right, for example you don’t see borders for your windows, you can switch back to your DE's default window manager with this command:<br />
<br />
''wm_name'' --replace<br />
<br />
substituting kwin, metacity or xfwm4 for ''wm_name''.<br />
<br />
=== Keyboard Shortcuts ===<br />
Default plugin keyboard shortcuts (plugins have to be activated!)<br />
<br />
* Switch windows = {{Keypress|Alt + Tab}}<br />
* Switch desktops on cube = {{Keypress|Ctrl + Alt + Left/Right Arrow}}<br />
* Move window = {{Keypress|Alt + left-click}}<br />
* Resize window = {{Keypress|Alt + right-click}}<br />
<br />
A more detailed list can be found under [http://wiki.compiz-fusion.org/CommonKeyboardShortcuts CommonKeyboardShortcuts] in the Compiz wiki or you can always just look at your plugin's configuration (ccsm).<br />
<br />
== Troubleshooting ==<br />
{{Out of date}}<br />
<br />
=== Missing GLX_EXT_texture_from_pixmaps ===<br />
==== On ATI cards (first solution) ====<br />
https://bbs.archlinux.org/viewtopic.php?id=50073<br />
If you run into the following error when trying to run Compiz Fusion on an ATI card:<br />
<br />
Missing GLX_EXT_texture_from_pixmap<br />
<br />
This is because Compiz Fusion's binary was compiled against Mesa's OpenGL library rather than ATI's OpenGL library (which is what you are using). Re-install libgl-dri (yes you will have to uninstall fglrx temporarily) to get Mesa's OpenGL library. <br />
<br />
Copy the library into a separate directory to keep it, because ATI's drivers will overwrite it.<br />
<br />
mkdir /lib/mesa<br />
cp /usr/lib/libGL.so.1.2 /lib/mesa<br />
<br />
Once you have it copied, you can reinstall your fglrx drivers (It should have been removed when you installed libgl-dri). Now you can start Compiz Fusion using the following example syntax: <br />
<br />
LD_PRELOAD=/lib/mesa/libGL.so.1.2 compiz --replace &<br />
<br />
==== On ATI cards (second solution) ====<br />
Another problem can arise with GLX_EXT_texture_from_pixmap: the card may only be able to render it indirectly, in which case you have to pass the option to your libGL like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp &<br />
<br />
(Workaround tested on the following card: ATI Technologies Inc Radeon R250 [Mobility FireGL 9000] (rev 02))<br />
<br />
==== On Intel chips ====<br />
First off, check that you are using the intel driver as opposed to i810. Then run the following command to start compiz (you must use this every time):<br />
LIBGL_ALWAYS_INDIRECT=true compiz --replace --sm-disable ccp &<br />
If you then do not have borders, run<br />
emerald --replace<br />
As of 17-Oct-07 the [http://wiki.compiz-fusion.org/Troubleshooting Compiz-Fusion Wiki] states: <i>"If you are using an Intel GMA card with AIGLX, you will need to start Compiz Fusion with LIBGL_ALWAYS_INDIRECT=1 appended.</i>"<br />
<br />
=== Compiz starts, but no effects are visible ===<br />
If you have installed compiz-decorator-gtk:<br />
Check whether the GConf schema was installed correctly:<br />
gconftool-2 -R /apps/compiz/plugins | grep plugins<br />
Make sure that all plugins are listed (not only fade!). If not, try to install the compiz schema manually (do this as a normal user, not as root!):<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
Note: Compiz basic plugins are not enabled by default. You should enable "Move Window", "Resize Window", and "Window decoration" plugins in settings manager from fusion-icon to have a usable window manager.<br />
<br />
=== Compiz starts, but gtk-window-decorator does not ===<br />
It is a configuration problem for gconf and gconfd. I solved it by removing ".gconf" dir in my home, but I'm using KDE. If you are using Gnome you should enter your ".gconf" directory and remove all compiz keys. This will erase your compiz settings, so be sure to reconfigure.<br />
Finally exec as user:<br />
<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
=== Compiz appears to start, but there are no window borders ===<br />
When you run fusion-icon from the command line, you get output like this:<br />
<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING<br />
* Using the GTK Interface<br />
* Metacity is already running<br />
* Setting window manager to Compiz<br />
... executing: compiz --replace --sm-disable --ignore-desktop-hints ccp<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
<br />
All you need to do is edit your {{Ic|/etc/X11/xorg.conf}} and find the "Depth" directive inside the "Screen" section; change all occurrences of this value to 24. This occurred to me with my colour depth set to 16; but also happens when it is set to 32.<br />
<br />
----<br />
<br />
You may also try adding ''Option "AddARGBGLXVisuals" "True"'' & ''Option "DisableGLXRootClipping" "True"'' to your "Screen" section if you are using the Nvidia binary driver. (Radeon, and the open 'nv' driver will not work with this option as far as I can tell.) If you used any other Options elsewhere in {{Ic|xorg.conf}} to get compiz working and still have no luck, try commenting them out and using only the aforementioned ARGBGLXVisuals and GLXRootClipping Options.<br />
<br />
'''Note''': Check that "Window decoration", "Move" and "Resize" plugins are enabled with Compiz Settings Manager or gconf-editor.<br />
<br />
With gconf-editor you can easily enable the "Window decoration", "Move" and "Resize" plugins.<br />
<br />
$ gconf-editor<br />
<br />
Navigate to apps/compiz/general/allscreens/options<br />
<br />
Add/Edit "active_plugins" Key (Name: active_plugins, Type: List, List type: String).<br />
<br />
Add "decoration", "move", and "resize" to the list.<br />
<br />
----<br />
<br />
'''Another way to fix this''':<br />
* Launch '''ccsm'''.<br />
* Find '''windows decoration''' and make sure it is enabled.<br />
* Now click on it, to edit the options.<br />
* If the entry behind '''command''' is empty, put the value '''gtk-window-decorator''' there.<br />
** Alternatives are '''kde-window-decorator''' and '''emerald'''<br />
* Click '''Back''' and '''Close'''<br />
* If all went well, the borders should appear.<br />
<br />
=== Compiz starts and borders appear, but windows won't move ===<br />
Be sure you have the "Move Window" plugin installed and enabled in the compiz settings manager.<br />
<br />
=== Blank screen on resume from suspend-to-ram using the Nvidia binary drivers ===<br />
If you receive a blank screen with a responsive cursor upon resume, try disabling sync to vblank:<br />
<br />
gconftool-2 -s /apps/compiz/general/screen0/options/sync_to_vblank -t boolean false<br />
<br />
=== fusion-icon doesn't start ===<br />
If you get an output like this from the command line:<br />
[andy@andylaptop ~]$ fusion-icon<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
Traceback (most recent call last):<br />
File "/usr/bin/fusion-icon", line 57, in <module><br />
from FusionIcon.interface import choose_interface<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/interface.py", line 23, in <module><br />
import start<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/start.py", line 36, in <module><br />
config.check()<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/util.py", line 362, in check<br />
os.makedirs(self.config_folder)<br />
File "/usr/lib/python2.5/os.py", line 172, in makedirs<br />
mkdir(name, mode)<br />
OSError: [Errno 13] Permission denied: '/home/andy/.config/compiz'<br />
<br />
the problem is with the permissions on {{Ic|~/.config/compiz}}: a directory inside your home directory is owned by root. To change this, run (as root):<br />
chown <username> /home/<username>/.config/compiz<br />
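The traceback above comes from fusion-icon trying to create {{ic|~/.config/compiz}}; the same error appears if {{ic|~/.config}} itself is root-owned or not writable. The following added example (not from the page) checks each component of that path in turn and reports the first one that would stop os.makedirs, which tells you what to chown. The home directory and the expected owner are arguments so it can be tried on a scratch directory.<br />
```shell
#!/bin/sh
# Added example (not from the ArchWiki page): find out why fusion-icon cannot
# create HOME/.config/compiz.

# config_dir_problem HOME USER
# Walks HOME/.config and HOME/.config/compiz. Returns 0 if fusion-icon
# running as USER can use (or create) the directory; otherwise prints the
# first offending path and returns 1. Run it as the affected user, not as
# root: root passes every -w test, so the result would say nothing.
config_dir_problem() {
    home=$1
    user=$2
    path=$home
    for part in .config compiz; do
        path=$path/$part
        if [ ! -e "$path" ]; then
            # Missing is fine as long as the parent can be written to:
            # fusion-icon creates the rest itself (os.makedirs).
            parent=$(dirname "$path")
            if [ -w "$parent" ]; then
                return 0
            fi
            echo "cannot create $path: $parent is not writable"
            return 1
        fi
        owner=$(stat -c '%U' "$path") || return 1
        if [ "$owner" != "$user" ]; then
            # This is the case from the traceback: give it back to USER
            # (recursively, since anything created below it is root's too).
            echo "$path is owned by $owner, not $user (fix: chown -R $user $path)"
            return 1
        fi
        if [ ! -w "$path" ]; then
            echo "$path is owned by $user but not writable (fix: chmod u+w $path)"
            return 1
        fi
    done
    return 0
}

# Real use, as the affected user: config_dir_problem "$HOME" "$(id -un)"
```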
<br />
=== Choppy animations, even though everything configured correctly ===<br />
If everything is configured correctly but you still have poor performance on some effects, try disabling CCSM->General Options->Display Settings->"Detect Refresh Rate" and instead choose a value manually. Tested on both nvidia and intel chips. Can work wonders.<br />
<br />
Alternatively, if your chip is nvidia and you are experiencing an inadequate refresh rate with "Detect Refresh Rate" enabled in Compiz, it is likely due to an option called DynamicTwinView being enabled by default, which affects whether the maximum refresh rate supported by your card and display is reported accurately. You can disable DynamicTwinView by adding the following line to the "Device" or "Screen" section of your xorg.conf file, and then restarting your computer:<br />
<br />
Option "DynamicTwinView" "False"<br />
<br />
Doing so will allow XrandR to accurately report the refresh rate to anything that detects it, including Compiz. You should be able to leave "Detect Refresh Rate" enabled and get excellent performance. Once again, this only applies to nvidia chips.<br />
<br />
=== Fix Gnome Screenshot ===<br />
To re-enable gnome-screenshot (the default behavior caused by hitting {{Keypress|PrtScn}}) simply go to Settings Manager>Commands and map 'gnome-screenshot' to the 'PrtScn' key. This is advantageous because you can also use the Compiz-Fusion 'Screenshot' plugin at the same time since the action that enables it is <Super>Button1 thereby giving you two methods to do a screen capture (one of which gives a full screen capture in a single keystroke).<br />
<br />
=== Get GNOME Workspace Switcher to work with Compiz-Fusion ===<br />
In older versions of Compiz, the Gnome Workspace Switcher applet would actually work with Compiz-Fusion (i.e. rotate cube/move plane etc.), but recent versions seem not to. This is due to a new feature introduced in Compiz, which allows real separate workspaces. For example, if you have a desktop plane with four planes, and have four desktops enabled in Gnome, it sums up to a total of 16 different workspaces. Currently, there is no animation associated with "real" workspace changing. To get the Workspace Switcher to work, do the following:<br />
<br />
In GConf, set the following options:<br />
<br />
/apps/compiz/general/screen0/options/number_of_desktops = '''1'''<br />
/apps/compiz/general/screen0/options/hsize = 4 (this is an example)<br />
/apps/compiz/general/screen0/options/vsize = 1 (this is an example)<br />
<br />
=== Screen flickers with NVIDIA card ===<br />
To fix it, create the file /etc/modprobe.d/nvidia.conf and add the line:<br />
options nvidia NVreg_RegistryDwords="PerfLevelSrc=0x2222"<br />
<br />
=== Fix Custom Cursor Theme on Gnome 2.30 ===<br />
Create or edit /usr/share/icons/default/index.theme for the default, or per user '''(non-root)''' ~/.icons/default/index.theme, and add these lines:<br />
<br />
[Icon Theme]<br />
#Name=''foo''<br />
Name=''foo''<br />
#Inherits=''foo''<br />
Inherits=''foo''<br />
[Desktop Entry]<br />
Name[en_US]=index.theme<br />
<br />
"Foo" is the name of the cursor theme.<br />
<br />
=== Screen artifacts on Firefox / Thunderbird ===<br />
{{Note|Although this issue is not strictly related to Compiz, it has been added here due to the popular misconception that Compiz itself may be the cause.}}<br />
<br />
Some users noticed a strange behavior with AMD/ATI Catalyst drivers starting from the 10.6 release. Artifacts are visible mainly with Mozilla applications, where the GUI shows black spots of variable size. This is caused by a different 2D acceleration technique introduced with Catalyst 10.6.<br />
The problem can be fixed by following the troubleshooting steps on the [[ATI_Catalyst#Black.2Fgrey.2Fwhite_boxes.2Fartifacts_mainly_in_firefox.2Fthunderbird|ATI Catalyst page]].<br />
<br />
=== Setting the window manager back to Metacity after uninstall ===<br />
Removing compiz with pacman does not set your window manager back to metacity. This can result in no window borders being drawn, an inability to minimize, and an inability to change the focus. To change it back, run the command "gconf-editor" in the terminal (install it if you do not have it already). Use this to set the value of the key {{Ic|/desktop/gnome/session/required_components/window_manager}} from "compiz" to "metacity". Log out and back in for this change to take effect.<br />
<br />
=== Context menu in applications (firefox, ...?) disappears on mouseover ===<br />
Try disabling "focus stealing prevention" (general options).<br />
<br />
=== External notes ===<br />
[http://wiki.compiz.org/Troubleshooting Troubleshooting page] on compiz.org<br />
<br />
== See also ==<br />
*[http://compiz.org Compiz Website] -- including wiki and forum</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Compiz&diff=256239Compiz2013-05-06T17:18:35Z<p>Jrussell: Xfce autostart (without "fusion-icon") make sure 'command' is set for window decorator plugin</p>
<hr />
<div>[[Category:Eye candy]]<br />
[[Category:Stacking WMs]]<br />
[[el:Compiz]]<br />
[[es:Compiz]]<br />
[[it:Compiz]]<br />
[[ja:Compiz]]<br />
[[pl:Compiz]]<br />
[[pt:Compiz]]<br />
[[ru:Compiz]]<br />
[[tr:Compiz]]<br />
[[zh-CN:Compiz]]<br />
{{Article summary start}}<br />
{{Article summary wiki|Compiz Configuration}}<br />
{{Article summary wiki|AIGLX}}<br />
{{Article summary wiki|Composite}}<br />
{{Article summary wiki|Xcompmgr}}<br />
{{Article summary wiki|Cairo Compmgr}}<br />
{{Article summary end}}<br />
<br />
Compiz is a [[Wikipedia:Compositing window manager|compositing window manager]]. It provides its own window manager, [[Emerald]]. Therefore it cannot be used simultaneously with other window managers such as [[Openbox]], [[Fluxbox]], or [[Enlightenment]]. Users who want to keep their current window managers and add some effects to it may wish to try [[Xcompmgr]] instead.<br />
<br />
== Requirements ==<br />
Users of major [[DE]]s can make good use of {{Pkg|compiz-manager}}, which performs a brief requirements check and switches to a fallback WM in case of errors. Setup and hardware issues can also be discovered with the {{AUR|compiz-check}} script (available in the [[AUR]]).<br />
<br />
== Installation ==<br />
All compiz packages, available in [[official repositories]], can be [[pacman|installed]] with group {{Grp|compiz-fusion}}.<br />
<br />
For those who do not want to install EVERYTHING there are also groups {{Grp|compiz-fusion-gtk}} and {{Grp|compiz-fusion-kde}} for [[Gnome]] or [[KDE]] correspondingly.<br />
<br />
Users who wish to select the packages individually may start with {{Pkg|compiz-core}} and one of [[#Decorators|decorators]].<br />
{{Note|Lack of configured window decorator can render your [[X]] workspace slightly unusable.}}<br />
<br />
=== Initial configuration ===<br />
While the appearance of the windows and their contents is a function of [[GTK+]] and [[Qt]], the frames around the windows are controlled by the Window Decoration plugin. To use it, make sure you have a window decorator installed. Depending on what packages you have downloaded you can choose among several window decorators. The most common ones are Emerald, kde-window-decorator, and gtk-window-decorator. The Emerald decorator has the advantage that it fits better with Compiz's screen handling and offers transparency effects. To set your default window decorator, type the corresponding command string into the "Command" field of the "Window Decoration" plugin's settings.<br />
To set emerald as your default window-decorator type:<br />
emerald --replace<br />
To set the kde-window-decorator as an alternative to Emerald type:<br />
kde4-window-decorator --replace<br />
To set the compiz-decorator-gtk as an alternative to Emerald type:<br />
gtk-window-decorator --replace<br />
<br />
{{Box RED|Activate important plugins!|<br />
There is a high possibility that you will want to activate a few plugins that provide basic window manager behavior; otherwise you will have no ability to drag, scale or close any windows as soon as Compiz is activated. Among those plugins are "Window Decoration" under Effects and "Move Window" &amp; "Resize Window" under Window Management. Ccsm may be used to achieve this.<br />
Launch CompizConfig Settings Manager:<br />
$ ccsm<br />
Simply put check marks next to those plugins to activate them.}}<br />
<br />
== Additional software ==<br />
=== Decorators ===<br />
* {{App|[[Emerald]]|Compiz's own window decorator with few dependencies. (Note: Works but is buggy and no longer maintained)|http://www.compiz.org|{{Pkg|emerald}}}}<br />
* {{Pkg|compiz-decorator-gtk}} and {{Pkg|compiz-decorator-kde}} &ndash; alternatives to Emerald, using your desktop environment's configuration backends and looks<br />
=== Other ===<br />
* {{Pkg|ccsm}} (CompizConfig settings manager) &ndash; GUI application that lets you configure all of Compiz's plugins<br />
* {{Pkg|fusion-icon}} &ndash; offers a tray icon and a nice way to start compiz, start ccsm and change the WM / Window Decorator<br />
* [https://aur.archlinux.org/packages.php?K=compiz Lots of quickly dying packages in AUR]<br />
<br />
== Starting Compiz Fusion ==<br />
<br />
=== Manually (with "fusion-icon") ===<br />
<br />
Launch the Compiz Fusion tray icon:<br />
$ fusion-icon<br />
<br />
{{Note|If it fails (almost never), you may try it with dbus-launch:<br />
{{bc|$ dbus-launch "fusion-icon"}}}}<br />
Right click on the icon in the panel and go to 'select window manager'. Choose "Compiz" if it isn't selected already, and you should be set.<br />
<br />
If this fails you can start compiz-fusion by using the following additional command to replace your default window decorator with Compiz's window decorator (Emerald):<br />
$ emerald --replace<br />
<br />
'''Again, note:''' If you want to use compiz window decorations make sure you have the "Window Decoration" plugin marked in the compiz settings through ccsm.<br />
<br />
=== Manually (without "fusion-icon") ===<br />
<br />
Launch Compiz with the following command (which replaces your current window manager):<br />
$ compiz --replace ccp &<br />
<br />
A quick overview over common compiz command-line options:<br />
*--indirect-rendering: use indirect-rendering (AIGLX)<br />
*--loose-binding: can help performance issues (nVidia?)<br />
*--replace: replace current window-manager<br />
*--keep-window-hints: keep the gnome window-manager gconf-settings for available viewports, ...<br />
*--sm-disable: disable session-management<br />
*ccp: the "ccp" argument loads the last configured settings from ccsm (CompizConfig Settings Manager); without it Compiz will load with no settings and you won't be able to do anything with your windows such as dragging, maximizing/minimizing, or moving.<br />
<br />
=== KDE4 ===<br />
{{Note| The first and last methods will load Compiz-Fusion as the default window manager instead of KWin. This is faster than loading Compiz with 'fusion-icon' because it avoids loading two window managers at startup. This also prevents the annoying black screen flicker you might see using other methods (when KWin switches to Compiz on KDE's desktop loading screens). The downside is that if Compiz crashes, it may be more difficult to recover your desktop.}}<br />
<br />
==== Use System Settings (easiest)====<br />
Go to: ''System Settings'' --> ''Default Applications'' --> ''Window Manager'' --> ''Use a different window manager''<br />
<br />
'''''If''''' you need to run compiz with custom options select "Compiz custom" (when you run <code>fusion-icon</code> from a terminal you can see the command line with which compiz was started).<br />
As root, create a file called "compiz-kde-launcher" in <code>/usr/bin</code>. Then make the file executable: <code>chmod +x /usr/bin/compiz-kde-launcher</code>.<br />
<br />
For example:<br />
#!/bin/bash<br />
# export the variable so that compiz (a child process) actually inherits it<br />
export LIBGL_ALWAYS_INDIRECT=1<br />
compiz --replace ccp &<br />
wait<br />
<br />
==== Autostart with "fusion-icon" ====<br />
<br />
Add a symbolic link, that points to the fusion-icon executable, in your KDE Autostart directory:<br />
$ ln -s /usr/bin/fusion-icon ~/.kde4/Autostart/fusion-icon<br />
<br />
Next time KDE is started, it will load fusion-icon automatically.<br />
<br />
==== Autostart Link without "fusion-icon" ====<br />
<br />
{{Warning|DO NOT create compiz.desktop if you intend to install compiz-decorator-gtk; it will create a file conflict.}}<br />
<br />
* Append a desktop entry in the KDE Autostart directory. If it doesn't already exist (it should), create the file {{ic|~/.kde4/Autostart/compiz.desktop}} with the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
Exec=/usr/bin/compiz ccp --replace<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you may have to add "--replace" and/or "ccp" to the Exec variable. Without "--replace", Compiz won't load since it will detect another window manager already loaded. Without "ccp", Compiz will not load any of the settings and plugins that you have enabled through CompizConfig Settings Manager (ccsm) and you won't be able to manipulate any of your windows.}}<br />
<br />
* If you want to use the optional {{ic|fusion-icon}} application, launch ''fusion-icon''. If you log out normally with ''fusion-icon'' running, KDE should restore your session and launch ''fusion-icon'' the next time you log in if this setting is enabled. If it doesn't appear to be working, ensure you have the following line in {{ic|~/.kde4/share/config/ksmserverrc}}:<br />
<br />
loginMode=restorePreviousLogout<br />
{{Note| This is a KDE specific setting that will allow you to restore other apps next time you log in, not just fusion-icon.}}<br />
<br />
==== Export KDEWM without "fusion-icon" (preferred) ====<br />
<br />
As root, create a short script by running the following in your terminal. This lets you load Compiz with its switches, because doing it directly via {{ic|1=export KDEWM="compiz --replace ccp --sm-disable"}} doesn't seem to work.<br />
# echo "compiz --replace ccp --sm-disable &" > /usr/bin/compiz-fusion<br />
<br />
{{Note| If this line doesn't work, make sure the "fusion-icon" package is installed and then use this line instead:<br />
# echo "fusion-icon &" > /usr/bin/compiz-fusion<br />
Be sure to complete the whole method before trying this substitute.}}<br />
<br />
Ensure that {{ic|/usr/bin/compiz-fusion}} has executable (+x) permissions.<br />
# chmod a+x /usr/bin/compiz-fusion<br />
<br />
Choose one of the following:<br />
<br />
:1) Compiz for your user only --> Edit the file {{ic|~/.kde4/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
:2) Compiz system wide --> Edit the file {{ic|/etc/kde/env/compiz.sh}} and add the following line so KDE will load compiz (via the script you just created) instead of loading KWin.<br />
: {{bc|1=KDEWM="compiz-fusion"}}<br />
<br />
{{Note| If that still doesn't work, yet another alternate way to accomplish the above method is to include the line<br />
{{bc|1=export KDEWM="compiz-fusion"}}<br />
in your user's {{ic|~/.bashrc}} file.}}<br />
{{Note| If you optionally use the {{ic|/usr/local/bin}} directory it may not work. In that case you should export the script including the whole path:<br />
{{bc|1=export KDEWM="/usr/local/bin/compiz-fusion"}}}}<br />
<br />
=== GNOME ===<br />
If you have installed [[GNOME3]] with gnome-shell, either enable forced Fallback Mode (System Info > Graphics) or simply uninstall gnome-shell.<br />
{{Note|Fallback Mode is not necessary if you choose the Compiz/Cairo-Dock session method below.}}<br />
<br />
==== Alternate Session for GNOME (Preferred Method for Experienced Compiz/Dock Users) ====<br />
The {{AUR|gnome-session-compiz}} package can be used to add an additional menu entry in the GNOME session login dialog. This method does not require forced fallback mode or modifications to sensitive system files/settings. Also, you can switch between GNOME Shell and Compiz/Cairo-Dock between sessions. If you can't get it working, you can always go back to your original GNOME session.<br />
<br />
For this method to work, Compiz and Cairo-Dock (Taskbar/Panel) may have to be [[#Configuration|configured initially]] for fresh accounts, from another working session (ccsm in GNOME Shell worked fine for me).<br />
<br />
This method completely replaces the GNOME's window manager and panel (they are not launched at all, rather than being replaced or killed later). So, before actually switching to this alternate session, you may want to configure corresponding/alternate features of the original panel application in Cairo-Dock:<br />
* Add Application Menu icon to Cairo-Dock and remember its key-bindings.<br />
* Remap Application Menu key-bindings to ALT+F1 and ALT+F2, for convenience.<br />
* Add Clock, WiFi, NetSpeed icons to the dock as applicable.<br />
* Add Log-out icon:<br />
** Set the command for logout to "gnome-session-quit --logout"<br />
** Set the command for shutdown to "gnome-session-quit --power-off"<br />
* Add the Notification Area Old (systray) icon to Cairo-Dock.<br />
<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
This method makes use of the [http://standards.freedesktop.org/desktop-entry-spec/latest/ Desktop Entry Specification] to specify a Compiz desktop entry and of the GConf default window manager setting. Thanks to the desktop entry you should be able to select Compiz as a window manager from GDM.<br />
<br />
'''1)''' If the following file doesn't already exist (it should), create {{ic|/usr/share/applications/compiz.desktop}} containing the following:<br />
<br />
[Desktop Entry]<br />
Type=Application<br />
Encoding=UTF-8<br />
Name=Compiz<br />
# Make sure ccp is included so that Compiz loads your previous settings (a comment must be on its own line, not after the Exec value).<br />
Exec=/usr/bin/compiz ccp<br />
NoDisplay=true<br />
# name of loadable control center module<br />
X-GNOME-WMSettingsModule=compiz<br />
# autostart phase<br />
## -> the following line causes a gnome-session warning and slow startup, so try not to enable it<br />
# X-GNOME-Autostart-Phase=WindowManager<br />
X-GNOME-Provides=windowmanager<br />
# name we put on the WM spec check window<br />
X-GNOME-WMName=Compiz<br />
# back compat only<br />
X-GnomeWMSettingsLibrary=compiz<br />
<br />
{{Note| If {{ic|compiz.desktop}} already exists, you must make sure that the "ccp" is included in the Exec variable. Having "ccp" included simply tells Compiz to load your previous settings, otherwise you won't have any functionality.}}<br />
<br />
If the above doesn't work (in most cases it does), for example if you notice some issues with windows refreshing or low performance, try:<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp --indirect-rendering}}<br />
<br />
or<br />
<br />
{{bc|1=Exec=/usr/bin/compiz --replace --sm-disable --ignore-desktop-hints ccp --indirect-rendering}}<br />
<br />
Instead of<br />
<br />
{{bc|1=Exec=/usr/bin/compiz ccp}}<br />
<br />
Some users noticed a "lag" of 4-10 seconds when logging in from a login manager. The solution is to change the command to:<br />
{{bc|1=Exec=bash -c 'compiz ccp decoration --sm-client-id $DESKTOP_AUTOSTART_ID'}}<br />
as noted [https://bbs.archlinux.org/viewtopic.php?pid=655237#p655237 in the forum]. You can also add the extra parameters as described above if needed.<br />
<br />
'''2)''' Set some GConf parameters using the gconftool-2 command in a terminal window or do it visually with Configuration Editor (gconf-editor). The following outlines using the command line method, but you can also see which keys to change using gconf-editor:<br />
<br />
{{Note| Since those parameters apply to a given user, you '''must''' logout from the root account and log in as that other user before proceeding with the next steps. GConf will fail, if called from a root account.}}<br />
<br />
gconftool-2 --set -t string /desktop/gnome/session/required_components/windowmanager compiz<br />
<br />
The following are optional and in most cases not necessary (the respective keys are deprecated since GNOME 2.12). But in any case, if the above didn't succeed, the next two statements are still valid and should be tried.<br />
<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/current /usr/bin/compiz<br />
gconftool-2 --set -t string /desktop/gnome/applications/window_manager/default /usr/bin/compiz<br />
<br />
==== Autostart (without "fusion-icon") (With gnome3 fallback mode session) ====<br />
Edit file {{ic|/usr/share/gnome-session/sessions/gnome-fallback.session}}:<br />
<br />
Replace your windows manager (gnome-shell,metacity...) with ''compiz'' in '''RequiredComponents''' line.<br />
<br />
Change ''DefaultProvider-windowmanager'' line to ''DefaultProvider-windowmanager=compiz''<br />
<br />
Here is part of my {{ic|gnome-fallback.session}}:<br />
<br />
{{bc|1=<br />
RequiredComponents=compiz;gnome-settings-daemon;<br />
RequiredProviders=windowmanager;notifications;<br />
DefaultProvider-windowmanager=compiz<br />
DefaultProvider-notifications=notification-daemon<br />
}}<br />
<br />
{{Note| I took out gnome-panel as I am using avant-window-navigator as my panel.<br />
I'm using gnome3 fallback mode with compiz, make gtk-window-decorator start with compiz, and make avant-window-navigator start automatically.}}<br />
<br />
==== Autostart (without "fusion-icon", Gnome prior to 2.24) ====<br />
This is a way that works if you use GDM (and I'd assume KDM too).<br />
<br />
Make a file called /usr/local/bin/compiz-start-boot with the contents:<br />
#!/bin/bash<br />
export WINDOW_MANAGER="compiz ccp"<br />
exec gnome-session<br />
<br />
and make it executable ({{ic|chmod +x /usr/local/bin/compiz-start-boot}}). Next create the file {{ic|/etc/X11/sessions/Compiz.desktop}} containing the following:<br />
[Desktop Entry]<br />
Version=1.0<br />
Encoding=UTF-8<br />
Name=Compiz on GNOME<br />
Exec=/usr/local/bin/compiz-start-boot<br />
Icon=<br />
Type=Application<br />
<br />
Select Compiz on Gnome as your session and you're good to go.<br />
<br />
==== Autostart (with "fusion-icon") ====<br />
To start Compiz fusion automatically when starting a session go to System > Preferences > Startup Applications. In the Startup Programs tab, click the Add button.<br />
<br />
You will now see the Add Startup Program dialogue. Fill it in as follows.<br />
<br />
Name:<br />
Compiz Fusion<br />
Command:<br />
fusion-icon<br />
Comment: (Put anything you like or leave blank.)<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
When you're done hit the Add button. You should now see your startup program in the list in the Startup Programs tab. It must be checked to be enabled. You can uncheck it to disable Compiz on startup and switch back to Metacity.<br />
<br />
You may also need to use the gconftool-2 command in a terminal window to set the following parameter, otherwise fusion-icon might not load the windows decorator.<br />
gconftool-2 --type bool --set /apps/metacity/general/compositing_manager false<br />
<br />
{{Note| This method will be slower because Gnome will first load the default window manager (Metacity), then launch fusion-icon, which will load the Compiz window manager to replace Metacity. Essentially, it takes the time needed to load two window managers to get Compiz loaded. The first method is preferred and eliminates this issue.}}<br />
<br />
=== Mate Desktop ===<br />
==== Autostart (without "fusion-icon") (Preferred Method) ====<br />
As with Gnome, create a compiz.desktop file (see [[Compiz#Autostart_.28without_.22fusion-icon.22.29_.28Preferred_Method.29]]), then set Compiz as the default window manager:<br />
* on Mate prior to 1.6, edit the following mateconf entries (note: the last two are deprecated values):<br />
mateconftool-2 --set -t string /desktop/mate/session/required_components/windowmanager compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/current /usr/bin/compiz<br />
mateconftool-2 --set -t string /desktop/mate/applications/window_manager/default /usr/bin/compiz<br />
<br />
* on Mate 1.6 and higher, edit the following gsettings value<br />
gsettings set org.mate.session.required-components windowmanager compiz<br />
<br />
=== XFCE ===<br />
==== Xfce autostart (without "fusion-icon") ====<br />
This method will start Compiz directly through the XFCE session manager without loading Xfwm.<br />
<br />
Please note the change to XML config files in XFCE newer than 4.2.<br />
<br />
To install the session manager, install {{Pkg|xfce4-session}}.<br />
<br />
Now we have to configure the default/failsafe session of XFCE.<br />
<br />
Edit the {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}} or (to make the change for all XFCE users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Replace the xfwm startup command,<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="xfwm4"/><br />
</property><br />
<br />
with the following:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="compiz"/><br />
<value type="string" value="ccp"/><br />
</property><br />
<br />
{{Note| The ccp value tells Compiz to load your previous settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
To prevent the default session from being overwritten you may also add this:<br />
<br />
<property name="general" type="empty"><br />
...<br />
...<br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
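The two edits above (replacing the xfwm4 array with compiz ccp, and pinning general/SaveOnExit to false) as a script, added here as an example and not part of this page or of Xfce; it works on a constructed sample of xfce4-session.xml and never touches your real file unless you pass its path. The client_command_line helper renders the array one token per value, which is how the session manager turns the XML into a command line.<br />

```python
"""Rewrite xfce4-session.xml so the failsafe session starts Compiz instead of xfwm4.

Added example; not part of the ArchWiki page or of Xfce. The XML below is a
constructed sample shaped like the stock
/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml.
"""
import sys
import xml.etree.ElementTree as ET
from typing import List, Optional

XML_DECL = '<?xml version="1.0" encoding="UTF-8"?>\n'

# Constructed sample input: the relevant parts of a stock xfce4-session.xml.
SAMPLE_SESSION_XML = XML_DECL + """\
<channel name="xfce4-session" version="1.0">
  <property name="general" type="empty">
    <property name="FailsafeSessionName" type="string" value="Failsafe"/>
  </property>
  <property name="sessions" type="empty">
    <property name="Failsafe" type="empty">
      <property name="IsFailsafe" type="bool" value="true"/>
      <property name="Count" type="int" value="2"/>
      <property name="Client0_Command" type="array">
        <value type="string" value="xfwm4"/>
      </property>
      <property name="Client0_Priority" type="int" value="15"/>
      <property name="Client1_Command" type="array">
        <value type="string" value="xfsettingsd"/>
      </property>
    </property>
  </property>
</channel>
"""


def _find_array(root: ET.Element, name: str) -> ET.Element:
    """Locate <property name=NAME type="array"> wherever it nests in the channel."""
    for prop in root.iter("property"):
        if prop.get("name") == name and prop.get("type") == "array":
            return prop
    raise KeyError(f"no array property named {name!r}")


def _general(root: ET.Element) -> ET.Element:
    """Return the top-level <property name="general">, creating it if absent."""
    for prop in root.findall("property"):
        if prop.get("name") == "general":
            return prop
    return ET.SubElement(root, "property", {"name": "general", "type": "empty"})


def client_command_line(xml_text: str, name: str = "Client0_Command") -> str:
    """Render the array as the one-token-per-<value> command line xfce4-session runs."""
    root = ET.fromstring(xml_text)
    return " ".join(v.get("value", "") for v in _find_array(root, name).findall("value"))


def save_on_exit_setting(xml_text: str) -> Optional[str]:
    """Return the general/SaveOnExit value ("true"/"false"), or None when it is unset."""
    root = ET.fromstring(xml_text)
    for prop in _general(root).findall("property"):
        if prop.get("name") == "SaveOnExit":
            return prop.get("value")
    return None


def rewrite_session(xml_text: str, argv: List[str], save_on_exit: bool = False,
                    name: str = "Client0_Command") -> str:
    """Replace the client's argv and pin general/SaveOnExit; return the new XML text."""
    if not argv:
        raise ValueError("argv must name at least the program to run")
    root = ET.fromstring(xml_text)
    array = _find_array(root, name)
    for old in list(array):           # drop every existing <value>, e.g. xfwm4
        array.remove(old)
    for arg in argv:                  # one <value> per argument, never shell-split
        ET.SubElement(array, "value", {"type": "string", "value": arg})
    general = _general(root)
    flag = "true" if save_on_exit else "false"
    for prop in general.findall("property"):
        if prop.get("name") == "SaveOnExit":
            prop.set("value", flag)   # update an existing SaveOnExit in place
            break
    else:                             # no SaveOnExit yet: add it, as the page suggests
        ET.SubElement(general, "property",
                      {"name": "SaveOnExit", "type": "bool", "value": flag})
    return XML_DECL + ET.tostring(root, encoding="unicode") + "\n"


if __name__ == "__main__":
    # Usage: script.py [xfce4-session.xml]; without a path the built-in sample is used.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SESSION_XML
    out = rewrite_session(src, ["compiz", "ccp"])
    print(out, end="")
    print("# Client0 now runs:", client_command_line(out), file=sys.stderr)
```

The script prints the rewritten channel to stdout rather than overwriting the file, so redirect it into place only after checking the result.<br />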
<br />
To remove the existing sessions, run:<br />
$ rm -r ~/.cache/sessions<br />
<br />
Ensure that the "Command" field of the "Window Decoration" plugin is filled in so that a decorator is started; you can use:<br />
gtk-window-decorator --replace<br />
or<br />
emerald --replace<br />
<br />
==== Xfce autostart (with "fusion-icon") ====<br />
=====Method 1:=====<br />
{{Note| This method is the least preferred since it loads both window managers. All the other XFCE methods only load Compiz without loading Xfwm.}}<br />
This will load Xfwm first then replace it with Compiz.<br />
<br />
Open the XFCE Settings Manager & then Sessions & Startup. Click the Application Autostart tab.<br />
<br />
Add<br />
(Name:) Compiz Fusion<br />
<br />
(Command:) fusion-icon<br />
<br />
{{Note| You can also use "compiz --replace ccp" instead of "fusion-icon" to load compiz but there will be no fusion-icon.<br />
<br />
The ccp value will tell compiz to load your previous Compiz settings as configured with CompizConfig Settings Manager (ccsm).}}<br />
<br />
=====Method 2:=====<br />
Edit the following file (settings in this file are used in preference):<br />
$ nano ~/.config/xfce4-session/xfce4-session.rc<br />
<br />
Or to make the change for all XFCE users (root access required)<br />
# nano /etc/xdg/xfce4-session/xfce4-session.rc<br />
<br />
Add the following<br />
[Failsafe Session]<br />
Client0_Command=fusion-icon<br />
<br />
Comment out Client0_Command=xfwm4 if it exists.<br />
<br />
This will cause xfce to load Compiz instead of Xfwm when the user has no existing sessions.<br />
<br />
To prevent the default session from being overwritten you may also add<br />
[General]<br />
AutoSave=false<br />
SaveOnExit=false<br />
<br />
To remove the existing sessions<br />
rm -R ~/.cache/sessions<br />
<br />
=====Method 3:=====<br />
Check if this file exists:<br />
~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
If not do:<br />
cp /etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml<br />
<br />
and edit {{Ic|~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}<br />
<br />
or (to make the changes for all xfce4 users) {{Ic|/etc/xdg/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml}}:<br />
<br />
Edit Client0_Command so that it looks like this:<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="fusion-icon"/><br />
<value type="string" value="--force-compiz"/><br />
</property><br />
if '''--force-compiz''' doesn't work use '''compiz --replace --sm-disable --ignore-desktop-hints ccp''' instead.<br />
<br />
Add the '''SaveOnExit property''' if missing and set it to '''false''':<br />
<property name="general" type="empty"><br />
<property name="FailsafeSessionName" type="string" value="Failsafe"/><br />
<property name="SessionName" type="string" value="Default"/><br />
<property name="SaveOnExit" type="bool" value="false"/><br />
</property><br />
<br />
Finally, remove old xfce4 sessions:<br />
rm -r ~/.cache/sessions<br />
<br />
Now xfce4 will load compiz instead of Xfwm.<br />
<br />
=== As a Standalone Window Manager ===<br />
The package compiz-core by itself is sufficient to start using compiz-fusion. However ccsm and emerald (or another window-decorator) are additional highly recommended packages. You may install fusion-icon, compiz-fusion-plugins-main, compiz-fusion-plugins-extra or any other package later on at any time.<br />
<br />
To autostart compiz-fusion configure .xinitrc to launch compiz as:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec compiz ccp<br />
</nowiki>}}<br />
You can also add other [[Compiz_fusion#Manually_.28without_.22fusion-icon.22.29|command-line options]] to your .xinitrc<br />
<br />
Or if using fusion-icon, configure .xinitrc as<br />
{{hc|~/.xinitrc|<nowiki><br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
However chances are you will need additional apps (e.g a panel) for optimal usability. So to autostart such apps simply add them to your .xinitrc as:<br />
{{hc|~/.xinitrc|<nowiki><br />
tint2 &<br />
cairo-dock &<br />
exec fusion-icon<br />
</nowiki>}}<br />
<br />
{{Note| Add a terminal-emulator to this autostart list while starting for the first time to help [[Compiz_fusion#Configuration|configure]] compiz.}} <br />
<br />
An alternative method, utilizing a simple script entitled '''start-fusion.sh''':<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
If this script doesn't work for you, or you get issues with '''dbus''', use this script instead:<br />
{{hc|start-fusion.sh|<nowiki><br />
#!/bin/sh<br />
cd /home/<yourusername><br />
eval `dbus-launch --sh-syntax --exit-with-session`<br />
/usr/bin/X :0.0 -br -audit 0 -nolisten tcp vt7 &<br />
export DISPLAY=:0.0<br />
sleep 1<br />
compiz-manager decoration move resize > /tmp/compiz.log 2>&1 &<br />
# add more apps here if necessary or start another panel, tray like pypanel, bmpanel, stalonetray<br />
xfce4-panel&<br />
fusion-icon<br />
</nowiki>}}<br />
Make it executable<br />
<br />
chmod +x start-fusion.sh<br />
<br />
And add it to .xinitrc, like this:<br />
{{hc|~/.xinitrc|<nowiki><br />
exec /path/to/file/start-fusion.sh<br />
</nowiki>}}<br />
<br />
Feel free to use a different panel, tray, or start a whole bunch of applications with your session.<br />
See [https://bbs.archlinux.org/viewtopic.php?id=51282 this forum thread] for more info.<br />
<br />
{{Note | Using a separate script instead of running everything from xinitrc is the only way to let all launching applications use ConsoleKit: see [[ConsoleKit#Running_several_applications_from_.7E.2F.xinitrc|this article]].}}<br />
<br />
==== Add a root menu ====<br />
To add a root menu similar to that in Openbox, Fluxbox, Blackbox etc. you must install the package {{AUR|compiz-deskmenu}}.<br />
Upon a restart of Compiz-Fusion, you should be able to middle click on your desktop to launch the menu.<br />
<br />
If it does not automatically work, enter the CompizConfig Settings Manager, and in Commands tab, within the General Settings menu, ensure that there is a command to launch Compiz-Deskmenu, and the appropriate key binding is set to Control+Space.<br />
<br />
If it still does not work, enter the Viewport Switcher menu, and change "Plugin for initiate action" to core (NOTE: for versions 0.8.2+ it's 'commands' instead of 'core'), and "Action name for initiate" to run_command0_key.<br />
<br />
An alternative is to use [https://aur.archlinux.org/packages.php?ID=29564 mygtkmenu], also in [[AUR]].<br />
<br />
==== Allow users to shutdown/reboot ====<br />
Refer to [[Allow_Users_to_Shutdown|this]] wiki page. If using "The Modern way" of policykit You can add the command to ccsm->General->Commands and assign a short-cut key to it or alternatively you can use a launcher application.<br />
<br />
== Misc ==<br />
<br />
=== Configuration ===<br />
[[Compiz#Configuration|You must do this so your windows function like you expect them to!]]<br />
<br />
=== Using compiz-manager ===<br />
<br />
In order to use compiz-manager, you need to install it from community:<br />
# pacman -S compiz-manager<br />
<br />
Compiz-manager, now installed at {{ic|/usr/bin/compiz-manager}}, is a simple wrapper for Compiz and ALL of its options. For example, you can run<br />
compiz-manager<br />
and read what the console returns for more info. You can use it in all the scripts that start Compiz. Very simple!<br />
<br />
=== Using gtk-window-decorator ===<br />
<br />
In order to use gtk-window-decorator, install the package ''compiz-decorator-gtk'' and select "GTK Window Decorator" instead of "Emerald" as your window decorator in fusion-icon or whatever other program you are using to configure compiz.<br />
<br />
=== gconf: Additional Compiz Configurations ===<br />
<br />
To achieve more satisfying results from Compiz, you can tweak its config with gconf-editor:<br />
<br />
$ gconf-editor<br />
<br />
Note that compiz-core is no longer built with gconf support; gconf support now comes through compiz-decorator-gtk, so you need to install that package if you want to use gconf-editor to edit your Compiz configuration.<br />
The Compiz gconf configuration is located in the key <b>apps</b> > <b>compiz</b> > <b>general</b> > <b>allscreens</b> > <b>options</b>.<br />
<br />
"Active plugins" is where you specify the plugins you would like to use. Simply edit the key and add a value (refer to the key <b>apps</b> > <b>compiz</b> > <b>plugins</b> to see possible values). Plugins I’ve found useful are screenshot, png, fade, and minimize. Please do not remove those enabled by default.<br />
<br />
=== ATI R600/R700 Notes ===<br />
While using fusion-icon you should not experience any problems because it takes care of everything for you, but if you are using one of the autostart methods that do not involve fusion-icon you will run into trouble. For example, when using the Xfce autostart method without fusion-icon you must edit ~/.config/xfce4/xfconf/xfce-perchannel-xml/xfce4-session.xml per the instructions above. However, if you follow those directions explicitly you will find that compiz does not load. You must instead make your xfce4-session.xml file look like this:<br />
<br />
<property name="Client0_Command" type="array"><br />
<value type="string" value="LIBGL_ALWAYS_INDIRECT=1"/><br />
<value type="string" value="compiz"/><br />
<value type="string" value="--sm-disable"/><br />
<value type="string" value="--ignore-desktop-hints"/><br />
<value type="string" value="ccp"/><br />
<value type="string" value="--indirect-rendering"/><br />
</property><br />
<br />
This example targeted Xfce specifically, but it can be adapted to any desktop environment; it is just a matter of figuring out how to add it to the proper config file. The key thing is the required command, which if typed on a command line would look like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --sm-disable --ignore-desktop-hints ccp --indirect-rendering<br />
<br />
This is how Xfce's session manager interprets the above XML code. Notice that you do not need --replace because you are not first loading xfwm and then compiz.<br />
<br />
== Tips and tricks ==<br />
=== Fallback ===<br />
If you are using [[KDE]], [[GNOME]] or [[XFCE]] and something is not right, for example you do not see borders for your windows, you can switch back to the default window manager of your desktop environment with this command:<br />
<br />
''wm_name'' --replace<br />
<br />
replacing ''wm_name'' with kwin, metacity or xfwm4.<br />
<br />
=== Keyboard Shortcuts ===<br />
Default plugin keyboard shortcuts (the corresponding plugins have to be activated):<br />
<br />
* Switch windows = {{Keypress|Alt + Tab}}<br />
* Switch desktops on cube = {{Keypress|Ctrl + Alt + Left/Right Arrow}}<br />
* Move window = {{Keypress|Alt + left-click}}<br />
* Resize window = {{Keypress|Alt + right-click}}<br />
<br />
A more detailed list can be found under [http://wiki.compiz-fusion.org/CommonKeyboardShortcuts CommonKeyboardShortcuts] in the Compiz wiki or you can always just look at your plugin's configuration (ccsm).<br />
<br />
== Troubleshooting ==<br />
{{Out of date}}<br />
<br />
=== Missing GLX_EXT_texture_from_pixmaps ===<br />
==== On ATI cards (first solution) ====<br />
https://bbs.archlinux.org/viewtopic.php?id=50073<br />
If you run into the following error when trying to run Compiz Fusion on an ATI card:<br />
<br />
Missing GLX_EXT_texture_from_pixmap<br />
<br />
This is because Compiz Fusion's binary was compiled against Mesa's OpenGL library rather than ATI's OpenGL library (which is what you are using). Re-install libgl-dri (yes, you will have to uninstall fglrx temporarily) to get Mesa's OpenGL library.<br />
<br />
Copy the library into a separate directory to keep it, because ATI's drivers will overwrite it:<br />
<br />
mkdir /lib/mesa<br />
cp /usr/lib/libGL.so.1.2 /lib/mesa<br />
<br />
Once you have copied it, you can reinstall your fglrx drivers (they should have been removed when you installed libgl-dri). Now you can start Compiz Fusion using the following example syntax:<br />
<br />
LD_PRELOAD=/lib/mesa/libGL.so.1.2 compiz --replace &<br />
<br />
==== On ATI cards (second solution) ====<br />
Another problem can arise with GLX_EXT_texture_from_pixmap: the card may only be able to render it indirectly, in which case you have to pass the option to libGL like this:<br />
<br />
LIBGL_ALWAYS_INDIRECT=1 compiz --replace ccp &<br />
<br />
(Workaround tested on the following card: ATI Technologies Inc Radeon R250 [Mobility FireGL 9000] (rev 02))<br />
<br />
==== On Intel chips ====<br />
First off, check that you are using the intel driver as opposed to i810. Then run the following command to start compiz (this must be used every time):<br />
LIBGL_ALWAYS_INDIRECT=true compiz --replace --sm-disable ccp &<br />
If you then do not have borders, run<br />
emerald --replace<br />
As of 17-Oct-07 the [http://wiki.compiz-fusion.org/Troubleshooting Compiz-Fusion Wiki] states: <i>"If you are using an Intel GMA card with AIGLX, you will need to start Compiz Fusion with LIBGL_ALWAYS_INDIRECT=1 appended."</i><br />
<br />
=== Compiz starts, but no effects are visible ===<br />
If you have installed compiz-decorator-gtk:<br />
Check whether the GConf schema was correctly installed:<br />
gconftool-2 -R /apps/compiz/plugins | grep plugins<br />
Make sure that all plugins are listed (not only fade). If not, install the Compiz schema manually (do this as a normal user, not as root):<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
Note: Compiz basic plugins are not enabled by default. You should enable the "Move Window", "Resize Window", and "Window decoration" plugins in the settings manager launched from fusion-icon to have a usable window manager.<br />
<br />
=== Compiz starts, but gtk-window-decorator does not ===<br />
It is a configuration problem for gconf and gconfd. I solved it by removing the ".gconf" directory in my home directory, but I'm using KDE. If you are using Gnome you should enter your ".gconf" directory and remove all compiz keys. This will erase your compiz settings, so be sure to reconfigure.<br />
Finally, run as your user:<br />
<br />
gconftool-2 --install-schema-file=/usr/share/gconf/schemas/compiz-decorator-gtk.schemas<br />
<br />
=== Compiz appears to start, but there are no window borders ===<br />
When you run fusion-icon from the command line, you get output like this:<br />
<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
* NVIDIA on Xorg detected, exporting: __GL_YIELD=NOTHING<br />
* Using the GTK Interface<br />
* Metacity is already running<br />
* Setting window manager to Compiz<br />
... executing: compiz --replace --sm-disable --ignore-desktop-hints ccp<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
compiz (core) - Warn: No GLXFBConfig for depth 32<br />
<br />
All you need to do is edit your {{Ic|/etc/X11/xorg.conf}} and find the "Depth" directive inside the "Screen" section; change all occurrences of this value to 24. This occurred to me with my colour depth set to 16, but it also happens when it is set to 32.<br />
<br />
----<br />
<br />
You may also try adding ''Option "AddARGBGLXVisuals" "True"'' and ''Option "DisableGLXRootClipping" "True"'' to your "Screen" section if you are using the Nvidia binary driver. (Radeon and the open 'nv' driver will not work with this option as far as I can tell.) If you used any other Options elsewhere in {{Ic|xorg.conf}} to get compiz working and still have no luck, try commenting them out and using only the aforementioned AddARGBGLXVisuals and DisableGLXRootClipping Options.<br />
<br />
'''Note''': Check that "Window decoration", "Move" and "Resize" plugins are enabled with Compiz Settings Manager or gconf-editor.<br />
<br />
With gconf-editor you can easily enable the "Window decoration", "Move" and "Resize" plugins.<br />
<br />
$ gconf-editor<br />
<br />
Navigate to apps/compiz/general/allscreens/options<br />
<br />
Add/Edit "active_plugins" Key (Name: active_plugins, Type: List, List type: String).<br />
<br />
Add "decoration", "move", and "resize" to the list.<br />
<br />
----<br />
<br />
'''Another way to fix this''':<br />
* Launch '''ccsm'''.<br />
* Find '''Window decoration''' and make sure it is enabled.<br />
* Now click on it to edit the options.<br />
* If the field behind '''command''' is empty, put the value '''gtk-window-decorator''' there.<br />
** Alternatives are '''kde-window-decorator''' and '''emerald'''.<br />
* Click '''Back''' and '''Close'''<br />
* If all went well, the borders should appear.<br />
<br />
=== Compiz starts and borders appear, but windows won't move ===<br />
Be sure you have the "Move Window" plugin installed and enabled in the compiz settings manager.<br />
<br />
=== Blank screen on resume from suspend-to-ram using the Nvidia binary drivers ===<br />
If you receive a blank screen with a responsive cursor upon resume, try disabling sync to vblank:<br />
<br />
gconftool-2 -s /apps/compiz/general/screen0/options/sync_to_vblank -t bool false<br />
<br />
=== fusion-icon doesn't start ===<br />
If you get an output like this from the command line:<br />
[andy@andylaptop ~]$ fusion-icon<br />
* Detected Session: gnome<br />
* Searching for installed applications...<br />
Traceback (most recent call last):<br />
File "/usr/bin/fusion-icon", line 57, in <module><br />
from FusionIcon.interface import choose_interface<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/interface.py", line 23, in <module><br />
import start<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/start.py", line 36, in <module><br />
config.check()<br />
File "/usr/lib/python2.5/site-packages/FusionIcon/util.py", line 362, in check<br />
os.makedirs(self.config_folder)<br />
File "/usr/lib/python2.5/os.py", line 172, in makedirs<br />
mkdir(name, mode)<br />
OSError: [Errno 13] Permission denied: '/home/andy/.config/compiz'<br />
<br />
the problem is the permissions on {{Ic|~/.config/compiz}}: a directory inside your home directory is owned by root. To change this, run (as root):<br />
chown <username> /home/<username>/.config/compiz<br />
<br />
=== Choppy animations, even though everything configured correctly ===<br />
If everything is configured correctly but you still have poor performance on some effects, try disabling CCSM->General Options->Display Settings->"Detect Refresh Rate" and instead choose a value manually. This has been tested on both nvidia and intel chips and can work wonders.<br />
<br />
Alternatively, if your chip is nvidia and you are experiencing an inadequate refresh rate with "Detect Refresh Rate" enabled in Compiz, it is likely due to an option called DynamicTwinView being enabled by default, which affects whether the maximum refresh rate supported by your card and display is reported accurately. You can disable DynamicTwinView by adding the following line to the "Device" or "Screen" section of your xorg.conf file and then restarting your computer:<br />
<br />
Option "DynamicTwinView" "False"<br />
<br />
Doing so will allow XrandR to accurately report the refresh rate to anything that detects it, including Compiz. You should be able to leave "Detect Refresh Rate" enabled and get excellent performance. Once again, this only applies to nvidia chips.<br />
<br />
=== Fix Gnome Screenshot ===<br />
To re-enable gnome-screenshot (the default behavior caused by hitting {{Keypress|PrtScn}}), simply go to Settings Manager>Commands and map 'gnome-screenshot' to the 'PrtScn' key. This is advantageous because you can also use the Compiz-Fusion 'Screenshot' plugin at the same time, since the action that enables it is <Super>Button1, thereby giving you two methods to do a screen capture (one of which gives a full screen capture in a single keystroke).<br />
<br />
=== Get the GNOME Workspace Switcher to work with Compiz-Fusion ===<br />
In older versions of Compiz, the Gnome Workspace Switcher applet would actually work with Compiz-Fusion (i.e. rotate cube/move plane etc.), but recent versions seem not to. This is due to a new feature introduced in Compiz which allows real separate workspaces. For example, if you have a desktop plane with four viewports and have four desktops enabled in Gnome, it adds up to a total of 16 different workspaces. Currently, there is no animation associated with "real" workspace changing. To get the Workspace Switcher to work, do the following:<br />
<br />
In GConf, set the following options:<br />
<br />
/apps/compiz/general/screen0/options/number_of_desktops = '''1'''<br />
/apps/compiz/general/screen0/options/hsize = 4 (this is an example)<br />
/apps/compiz/general/screen0/options/vsize = 1 (this is an example)<br />
<br />
=== Screen flickers with NVIDIA card ===<br />
To fix it, create the file /etc/modprobe.d/nvidia.conf and add the line:<br />
options nvidia NVreg_RegistryDwords="PerfLevelSrc=0x2222"<br />
<br />
=== Fix Custom Cursor Theme on Gnome 2.30 ===<br />
Create or edit /usr/share/icons/default/index.theme for the system default, or per user '''(non-root)''' ~/.icons/default/index.theme, and add these lines:<br />
<br />
[Icon Theme]<br />
#Name=''foo''<br />
Name=''foo''<br />
#Inherits=''foo''<br />
Inherits=''foo''<br />
[Desktop Entry]<br />
Name[en_US]=index.theme<br />
<br />
''foo'' is the name of the cursor theme.<br />
<br />
=== Screen artifacts on Firefox / Thunderbird ===<br />
{{Note|Although this issue is not strictly related to Compiz, it has been added here due to the popular misconception that Compiz itself may be the cause.}}<br />
<br />
Some users have noticed strange behavior with AMD/ATI Catalyst drivers starting from the 10.6 release. Artifacts are visible mainly with Mozilla applications, where the GUI shows black spots of variable size. This is caused by a different 2D acceleration technique introduced with Catalyst 10.6.<br />
The problem can be fixed by following the troubleshooting steps on the [[ATI_Catalyst#Black.2Fgrey.2Fwhite_boxes.2Fartifacts_mainly_in_firefox.2Fthunderbird|ATI Catalyst page]].<br />
<br />
=== Setting the window manager back to Metacity after uninstall ===<br />
Removing compiz with pacman does not set your window manager back to metacity. This can result in no window borders being drawn, an inability to minimize, and an inability to change the focus. To change it back, run the command "gconf-editor" in the terminal (install it if you do not have it already). Use this to set the value of the key {{Ic|/desktop/gnome/session/required_components/window_manager}} from "compiz" to "metacity". Log out and back in for this change to take effect.<br />
<br />
=== Context menu in applications (firefox, ...?) disappears on mouseover ===<br />
Try disabling "focus stealing prevention" (general options).<br />
<br />
=== External notes ===<br />
[http://wiki.compiz.org/Troubleshooting Troubleshooting page] on compiz.org<br />
<br />
== See also ==<br />
*[http://compiz.org Compiz Website] -- including wiki and forum</div>
Jrussell
https://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=256105
Simple stateful firewall 2013-05-04T20:05:09Z
<p>Jrussell: </p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.<br />
<br />
The [https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_iptables.rules_file example config file] can be used to get around this problem.<br />
}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If rules are present, you can reset them by loading the empty rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, add your rule for port 22 (or whatever port you are using for SSH) before performing this step, to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" even though they are not corrupted or the like. Keep this in mind, and accept them before this rule: iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW; the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag not covered by the INVALID state. The reason is that such packets are rarely malicious, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example iptables.rules file===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with:<br />
iptables-save > /etc/iptables/iptables.rules<br />
and can be used to prevent locking yourself out if you are setting up the firewall remotely; just remember to add the following line to the file (before the COMMIT line):<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow SSH in (assuming SSH is on port 22).<br />
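The same lockout-safe rules file, generated with a parameterised SSH port and sanity-checked before it is loaded. This is an added example written for this page, not the ArchWiki article's own code; the {{Ic|build_rules}} and {{Ic|check_rules}} function names are the example's own. The rule set is the one built up in the sections above, with the SSH ACCEPT already in the TCP chain, so that loading the whole set atomically with {{Ic|iptables-restore}} never closes the session you are working from.<br />

```shell
#!/bin/sh
# Added example for the ArchWiki "Simple stateful firewall" page (not the
# page's own code). Generates the single-machine rule set as an
# iptables-restore file with the SSH rule already present, so that the whole
# set can be loaded atomically from a remote session without locking you out.

# Emit the complete rule set on stdout. $1 = SSH port (default 22).
build_rules() {
    ssh_port="${1:-22}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
# traffic belonging to connections we already track, and the loopback interface
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
# new connections are dispatched to the user-defined chains
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
# opened ports: the SSH rule that keeps a remote session alive
-A TCP -p tcp --dport ${ssh_port} -j ACCEPT
# everything else is politely refused, the catch-all last
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
EOF
}

# Sanity-check a rules file read from stdin before handing it to
# iptables-restore. $1 = SSH port (default 22). Returns 0 only if
#   1. the file ends with COMMIT (iptables-restore refuses it otherwise),
#   2. the TCP chain accepts the SSH port, and
#   3. the catch-all REJECT is the last INPUT rule.
check_rules() {
    ssh_port="${1:-22}"
    rules="$(cat)"
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ] \
        || { echo "check: file does not end with COMMIT" >&2; return 1; }
    printf '%s\n' "$rules" | grep -Fqx -- "-A TCP -p tcp --dport ${ssh_port} -j ACCEPT" \
        || { echo "check: no ACCEPT for SSH port ${ssh_port} in the TCP chain" >&2; return 1; }
    last_input="$(printf '%s\n' "$rules" | grep -- '^-A INPUT ' | tail -n 1)"
    [ "$last_input" = "-A INPUT -j REJECT --reject-with icmp-proto-unreachable" ] \
        || { echo "check: catch-all REJECT is not the last INPUT rule" >&2; return 1; }
    return 0
}

# Usage: generate, check, then (as root, not done here) load atomically with
#   build_rules 22 > /etc/iptables/iptables.rules
#   iptables-restore < /etc/iptables/iptables.rules
build_rules 22 | check_rules 22 && echo "rule set passes the checks"
```

Because iptables-restore replaces the whole table in one step, the SSH rule and the DROP policy take effect together, which is the property that the one-command-at-a-time procedure above cannot give you over a remote session.<br />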
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the custom {{Ic|TCP}} chain used in this firewall for the {{Ic|INPUT}} chain specification.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database], and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done through setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification which is built into Linux kernel itself. The verification by the kernel will handle spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used and/or rp_filter is set to 0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer: any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e. only X packets per minute across all source addresses):<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below, or alternatively do not add it in the first place.<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page and in the docs and examples at http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed IPs and get them blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, insert a rule at the top of the UDP chain that rejects packets from hosts on the UDP-PORTSCAN list.<br />
<br />
 # iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
 # iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
 # iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the port-scanning tricks above were used, the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule; otherwise it catches packets before they reach the port-scanner rules you just added, and those rules are never used. Simply delete the rule (-D), then add it once again using append (-A), which places it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
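The port-scan rules only work if they end up in the right places: the {{Ic|--update}} rules at the top of the TCP and UDP chains, the {{Ic|--set}} rules in INPUT before the catch-all, and the catch-all last. As an added example (not part of the wiki page), here is a shell script that emits the finished filter table in iptables-restore format and lints that ordering before anything is loaded. The open ports 22/tcp and 53/udp are constructed sample values; the chain names, list names and the 60 second window are the page's own.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: the finished filter table with the
# port-scan trick applied, in iptables-restore format, plus an ordering lint.
# Open ports 22/tcp and 53/udp are constructed sample values; chain and
# recent-list names and the 60 s window are the page's.

portscan_ruleset() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
-A UDP -p udp -m udp --dport 53 -j ACCEPT
COMMIT
EOF
}

# Lint a dump on stdin. Succeeds only if the last -A INPUT rule is the
# catch-all proto-unreachable REJECT and, in the TCP and UDP chains, every
# "-m recent --update" rule comes before the first ACCEPT (i.e. it was
# inserted with -I, not appended). Prints the first violation found.
check_portscan_order() {
  awk '
    BEGIN { bad = 0 }
    /^-A INPUT / { last_input = $0 }
    /^-A (TCP|UDP) / {
      chain = $2
      if ($0 ~ /-j ACCEPT/) seen_accept[chain] = 1
      if ($0 ~ /-m recent --update/ && seen_accept[chain]) {
        print "recent --update rule in chain " chain " comes after an ACCEPT"; bad = 1
      }
    }
    END {
      if (last_input !~ /-j REJECT --reject-with icmp-proto-unreachable$/) {
        print "last INPUT rule is not the catch-all REJECT: " last_input; bad = 1
      }
      exit bad
    }'
}

portscan_ruleset | check_portscan_order && echo "# ordering OK"
```

The emitted text can be given to {{Ic|iptables-restore --test}} for a syntax dry run before it is committed; the awk lint catches the two mistakes this section warns about, a recent rule appended instead of inserted, and the catch-all left in the middle of INPUT.<br />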
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
==== SSH brute force attacks ====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban an IP address that produces too many password failures you can use [[Fail2ban]] or [[Sshguard]]. These update the firewall rules to reject the IP address.<br />
<br />
Here are some rules which help to mitigate SSH brute force attacks using iptables:<br />
<br />
 # iptables -N IN_SSH<br />
 # iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
 # iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP<br />
 # iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP<br />
 # iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
<br />
Ensure that the rule<br />
 # iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
is in an appropriate position in the iptables.rules file.<br />
<br />
This arrangement works for the IN_SSH rule if you followed this entire wiki so far:<br />
 -A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
 -A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH<br />
 -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
<br />
Reference: [http://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]<br />
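What the three IN_SSH rules do to a stream of connection attempts is easier to see in a simulation than on a live machine. The following shell script is an added example, not part of the wiki page or of the referenced blog post: it re-implements the {{Ic|--rcheck --hitcount N --seconds S}} match of the recent module for a single source address (the {{Ic|--rttl}} condition is assumed to hold and is not modelled) and runs a constructed sequence of attempt times through the IN_SSH chain, printing the verdict for each attempt.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: a simulation of the IN_SSH chain
# (--rcheck --hitcount 3 --seconds 10, --rcheck --hitcount 4 --seconds 1800,
# then --set -j ACCEPT) for one source address. --rttl is assumed to hold.

# Count recorded timestamps that are no older than WINDOW seconds at time NOW.
# This is what xt_recent does for --rcheck with --seconds and --hitcount:
# the rule matches when this count reaches --hitcount.
recent_hits() {
  window=$1; now=$2; shift 2
  n=0
  for stamp in "$@"; do
    if [ $((now - stamp)) -le "$window" ]; then n=$((n + 1)); fi
  done
  echo "$n"
}

# Run NEW SSH connection attempts from one source through the IN_SSH chain.
# Arguments are attempt times in seconds; output is one verdict per attempt.
# Only ACCEPTed attempts are recorded, because --set sits on the ACCEPT rule
# and --rcheck never updates the list.
ssh_verdicts() {
  stamps=""
  out=""
  for t in "$@"; do
    # $stamps is intentionally unquoted so it splits into separate arguments
    if [ "$(recent_hits 10 "$t" $stamps)" -ge 3 ] ||
       [ "$(recent_hits 1800 "$t" $stamps)" -ge 4 ]; then
      out="$out DROP"
    else
      out="$out ACCEPT"
      stamps="$stamps $t"
    fi
  done
  echo "${out# }"
}

# Constructed sample: four attempts within six seconds, slower retries, then
# one attempt well after the 30 minute window has expired.
ssh_verdicts 0 2 4 6 30 60 100 2000
```

For the sample the output is ACCEPT ACCEPT ACCEPT DROP ACCEPT DROP DROP ACCEPT: the fourth attempt within six seconds trips the 3-in-10 s rule; once four accepted attempts fall inside 1800 s the next ones are dropped; and because dropped attempts are never recorded, a source that stops trying is unblocked as soon as its earlier stamps age out of the window.<br />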
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change IP addresses from IPv4 to IPv6 format, and change the reject messages, for example from<br />
 --reject-with icmp-port-unreachable<br />
to<br />
 --reject-with icmp6-port-unreachable<br />
and so on.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
Throughout this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all of the following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses that are of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain; that is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will be screwed up.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network configuration and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the destination address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
Two simple examples follow. First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works for UDP packets.<br />
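To tie the NAT part together, here is an added example (not the wiki page's own code) in shell: small functions that emit the fw-interfaces, fw-open, POSTROUTING and PREROUTING rules for any number of {{Ic|interface:subnet}} pairs, assemble the nat table in iptables-restore format, and check for the mistake warned about above, a MASQUERADE rule that is missing {{Ic|-o ppp0}}. Interface names, subnets and forwarding targets are the page's sample values.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: rule generators for the NAT gateway
# plus a lint for the "-o <wan>" mistake the page warns about.
# WAN interface and LAN values are the page's sample values (ppp0, eth0, eth1).
WAN=ppp0

# filter table: accept forwarding from each trusted LAN interface.
# Arguments are "iface:subnet" pairs; only the interface is used here.
fw_interface_rules() {
  for pair in "$@"; do
    echo "-A fw-interfaces -i ${pair%%:*} -j ACCEPT"
  done
}

# nat table: masquerade each LAN subnet, but only on the WAN interface.
masquerade_rules() {
  for pair in "$@"; do
    echo "-A POSTROUTING -s ${pair#*:} -o $WAN -j MASQUERADE"
  done
}

# nat half of a port forward. Arguments: proto wan_port host lan_port
dnat_rule() {
  echo "-A PREROUTING -i $WAN -p $1 -m $1 --dport $2 -j DNAT --to-destination $3:$4"
}

# filter half of the same forward. Arguments: proto host lan_port
fw_open_rule() {
  echo "-A fw-open -d $2 -p $1 -m $1 --dport $3 -j ACCEPT"
}

# Complete *nat table for iptables-restore, with the page's two forwards.
nat_table() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':INPUT ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  dnat_rule tcp 22 192.168.0.5 22
  dnat_rule tcp 8000 192.168.0.6 80
  masquerade_rules "$@"
  echo 'COMMIT'
}

# Exit non-zero, naming the rule, if any MASQUERADE rule on stdin lacks "-o".
check_masquerade_oif() {
  awk 'BEGIN { bad = 0 }
       /-j MASQUERADE/ && $0 !~ /-o [^ ]+/ { print "MASQUERADE without -o: " $0; bad = 1 }
       END { exit bad }'
}

# Constructed usage with both subnets from the page.
LANS="eth0:192.168.0.0/24 eth1:10.3.0.0/16"
fw_interface_rules $LANS
fw_open_rule tcp 192.168.0.5 22
fw_open_rule tcp 192.168.0.6 80
nat_table $LANS
nat_table $LANS | check_masquerade_oif && echo "# every MASQUERADE rule names -o $WAN"
```

The output of {{Ic|nat_table}} goes below the filter table's COMMIT line in {{Ic|/etc/iptables/iptables.rules}}; the fw-interfaces and fw-open lines belong in the filter table. {{Ic|net.ipv4.ip_forward = 1}} still has to be set separately, as described above.<br />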
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
 # iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=256104Simple stateful firewall2013-05-04T20:04:39Z<p>Jrussell: </p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.<br />
<br />
The [https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_iptables.rules_file example iptables.rules file] can be used to get around this problem.<br />
}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you are using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or the like. Keep this in mind, and accept them before this rule! iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW, the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag not covered by the INVALID state. The reason is because they are rarely malicious packets, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example iptables.rules file===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with:<br />
 # iptables-save > /etc/iptables/iptables.rules<br />
and can be used to prevent locking yourself out if you are setting up the firewall remotely; just remember to append<br />
 -A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow SSH in (assuming SSH is on port 22).<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can be easily altered to integrate properly with the firewall described here. You should simply substitute the {{Ic|INPUT}} chain specification with the custom {{Ic|TCP}} chain used in the firewall.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database], and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done through setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification which is built into Linux kernel itself. The verification by the kernel will handle spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used and/or rp_filter=0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e. only X packets per minute for all source addresses combined):<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below, or alternatively do not add it in the first place.<br />
<br />
 # iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page, or reading the docs and examples on the webpage http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets need to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the UDP-PORTSCAN list to the top of the OPEN-UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the portscanning tricks above were used the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule otherwise it will intercept the trick port scanner rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A) which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban IP that makes too many password failures you can use [[Fail2ban]] or [[Sshguard]]. These update firewall rules to reject the IP address.<br />
<br />
<br />
Here are some rules which help to mitigate ssh brute force attacks using iptables:<br />
<br />
# iptables -N IN_SSH<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcounts 3 --seconds 10 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcounts 4 --seconds 1800 -j DROP <br />
# iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
<br />
Ensure that:<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
is in an appropriate position in the iptables.rules file. <br />
<br />
This arrangement works for the IN_SSH rule if you followed this entire wiki so far:<br />
*<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
*<br />
<br />
reference: <br />
[http://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]<br />
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change the IP addresses from IPv4 to IPv6 format, and change the reject messages, for example from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
and so on.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may have to reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?)<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
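The copy-and-edit procedure above can be partly automated. The following Python script is an added example (not from the wiki) that rewrites the --reject-with messages of an iptables-save dump for ip6tables and flags the lines that still need manual attention: IPv4 literals and ICMP matches. The page itself only gives the port-unreachable pair and notes that icmp-proto-unreachable has no ICMPv6 counterpart; the other rows of REJECT_MAP (addr-unreachable, no-route, adm-prohibited) go beyond the page and are this example's assumption about the message names the ip6tables REJECT target accepts. The sample ruleset is constructed.<br />
<br />
```python
"""Rewrite an iptables-save dump for ip6tables and flag what needs hand editing."""
import re

# --reject-with translations. The page gives the port-unreachable pair and
# says proto-unreachable has no ICMPv6 form (None = plain REJECT). The other
# rows are an assumption of this example about the ip6tables REJECT names.
REJECT_MAP = {
    "icmp-port-unreachable": "icmp6-port-unreachable",
    "icmp-host-unreachable": "icmp6-addr-unreachable",
    "icmp-net-unreachable": "icmp6-no-route",
    "icmp-admin-prohibited": "icmp6-adm-prohibited",
    "icmp-proto-unreachable": None,
    "tcp-reset": "tcp-reset",
}
REJECT_WITH = re.compile(r"\s*--reject-with\s+(\S+)")
IPV4_LITERAL = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}(?:/\d{1,2})?\b")
ICMP_MATCH = re.compile(r"-p\s+icmp\b|-m\s+icmp\b")


def translate_reject(line):
    """Return (rewritten line, warning or None) for one rule line."""
    m = REJECT_WITH.search(line)
    if not m:
        return line, None
    name = m.group(1)
    # iptables accepts unambiguous prefixes (the page uses icmp-host-unreach),
    # so resolve the name by prefix before looking it up.
    full = next((k for k in REJECT_MAP if k.startswith(name)), None)
    if full is None:
        return line, f"unknown reject message {name!r}, edit by hand"
    repl = REJECT_MAP[full]
    if repl is None:
        return REJECT_WITH.sub("", line), None      # bare REJECT, as the page suggests
    return REJECT_WITH.sub(f" --reject-with {repl}", line), None


def convert_rules(v4_text):
    """Return (ip6tables-restore text, warnings) for an iptables-save dump."""
    out, warnings = [], []
    for n, line in enumerate(v4_text.splitlines(), 1):
        new, warn = translate_reject(line)
        if warn:
            warnings.append(f"line {n}: {warn}")
        if not new.startswith("#") and IPV4_LITERAL.search(new):
            warnings.append(f"line {n}: IPv4 address must be rewritten as IPv6 by hand")
        if ICMP_MATCH.search(new):
            warnings.append(f"line {n}: ICMP match must become '-p ipv6-icmp -m icmp6' by hand")
        out.append(new)
    return "\n".join(out) + "\n", warnings


# Constructed iptables-save dump in the style of this wiki's ruleset.
SAMPLE_V4 = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-unreach
-A TCP -p tcp -s 192.168.0.0/24 --dport 22 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    text, warns = convert_rules(SAMPLE_V4)
    print(text)
    for w in warns:
        print("WARNING:", w)
```
<br />
Feed it the real file with iptables-save output and review every warning before writing the result to /etc/iptables/ip6tables.rules; an address or ICMP line left in IPv4 form will make ip6tables-restore reject the whole file, which is why the script flags them instead of guessing.<br />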
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
Throughout this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, masquerading applies to packets leaving on every interface, including the LAN side, and your network will be screwed up.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
I will give two simple examples. First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
<br />
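Both examples depend on two rules being kept in step: the nat PREROUTING DNAT and the filter fw-open ACCEPT for the same destination and port, and every MASQUERADE rule must carry -o. Here is an added Python check (not from the wiki) that parses an iptables-save dump and reports DNAT rules with no matching fw-open ACCEPT and MASQUERADE rules without an outgoing interface. The sample dump is constructed from the rules in this section with two deliberate mistakes in it.<br />
<br />
```python
"""Check the NAT gateway ruleset for the two mistakes this section warns about."""
import shlex
from collections import defaultdict


def parse_save(text):
    """Parse iptables-save output into {table: {chain: [argv, ...]}}.
    Only -A rules are kept; policies, counters and comments are skipped."""
    tables = defaultdict(lambda: defaultdict(list))
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith(":") or line == "COMMIT":
            continue
        if line.startswith("*"):            # '*filter', '*nat'
            table = line[1:]
            continue
        argv = shlex.split(line)
        if table and argv[:1] == ["-A"]:
            tables[table][argv[1]].append(argv[2:])
    return tables


def opt(argv, *names):
    """Return the value following the first of the given flags, or None."""
    for i, a in enumerate(argv[:-1]):
        if a in names:
            return argv[i + 1]
    return None


def host(addr):
    """iptables-save prints single hosts as a.b.c.d/32; drop that suffix."""
    return addr[:-3] if addr and addr.endswith("/32") else addr


def check_nat(text):
    """Return a list of findings (empty when the ruleset is consistent)."""
    t = parse_save(text)
    findings = []
    # 1. MASQUERADE must be limited to the public interface with -o.
    for argv in t["nat"]["POSTROUTING"]:
        if opt(argv, "-j") == "MASQUERADE" and opt(argv, "-o") is None:
            findings.append("MASQUERADE without -o: " + " ".join(argv))
    # 2. Every DNAT needs a matching ACCEPT in fw-open (FORWARD policy is DROP).
    accepts = {(opt(a, "-p"), host(opt(a, "-d")), opt(a, "--dport"))
               for a in t["filter"]["fw-open"] if opt(a, "-j") == "ACCEPT"}
    for argv in t["nat"]["PREROUTING"]:
        if opt(argv, "-j") != "DNAT":
            continue
        to = opt(argv, "--to", "--to-destination")
        dest, _, port = to.partition(":")
        # Without an explicit port the forwarded port stays the incoming one.
        key = (opt(argv, "-p"), dest, port or opt(argv, "--dport"))
        if key not in accepts:
            findings.append(f"DNAT to {to} has no fw-open ACCEPT for {key}")
    return findings


# Constructed dump of this section's rules; the port-8000 forward lacks its
# fw-open ACCEPT and the second MASQUERADE lacks -o ppp0.
SAMPLE_NAT = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i eth0 -j ACCEPT
-A fw-open -d 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.5
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.0.6:80
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.3.0.0/16 -j MASQUERADE
COMMIT
"""

if __name__ == "__main__":
    for finding in check_nat(SAMPLE_NAT):
        print(finding)
```
<br />
Run it against the output of iptables-save before saving the ruleset; a DNAT that passes PREROUTING but hits the FORWARD REJECT is the classic "port forward does not work" symptom, and a MASQUERADE without -o rewrites LAN-to-LAN traffic too.<br />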
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254835Router2013-04-21T19:04:31Z<p>Jrussell: /* Shorewall configuration */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server in the LAN, since they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500 MB of space, and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other, so you need to be able to connect both networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and only a minimal number of packages is installed. This helps when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might not be true; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/network.d/extern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Public Interface.'<br />
INTERFACE='extern0'<br />
IP='dhcp'<br />
<br />
* /etc/network.d/intern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Private Interface.'<br />
INTERFACE='intern0'<br />
IP='static'<br />
ADDR='10.0.0.1'<br />
NETMASK='255.255.255.0'<br />
BROADCAST='10.0.0.255'<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces.<br />
<br />
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:<br />
NETWORKS=(extern0-profile intern0-profile)<br />
<br />
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:<br />
DAEMONS=( ... net-profiles ... )<br />
<br />
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service. So you may do:<br />
# systemctl enable net-profiles.service<br />
or if that fails:<br />
# systemctl enable netcfg.service<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode, though; otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
# /usr/sbin/pppoe-setup<br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. To do this:<br />
<br />
Edit /etc/dnsmasq.conf and add the following lines:<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On # it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. cd into the directory "two-interfaces" and copy the contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate''' in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 into whatever port you have your SSH server listening on.<br />
<br />
Finally, run<br />
# systemctl enable shorewall.service<br />
# systemctl start shorewall.service<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for packages that are no longer found in the repositories (obsolete or deprecated packages, likely after a fresh install and a long series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure Shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254833Router2013-04-21T19:02:31Z<p>Jrussell: Undo revision 254830 by Jrussell (talk)</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway specific services. It should not run httpd, ftpd, samba, nfsd, etc. as those belong on a server in the LAN as they introduce security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: You need a way to connect the other computers to the gateway<br />
<br />
==Conventions==<br />
Conventions in this guide will be to use non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal amount of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creation of non-root account you are recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice your NIC's switch names: one boot your LAN NIC is eth0, the other boot it is eth1, etc. (This might not be true, see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames], and [[Network_Configuration#Device_names]])<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/network.d/extern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Public Interface.'<br />
INTERFACE='extern0'<br />
IP='dhcp'<br />
<br />
* /etc/network.d/intern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Private Interface.'<br />
INTERFACE='intern0'<br />
IP='static'<br />
ADDR='10.0.0.1'<br />
NETMASK='255.255.255.0'<br />
BROADCAST='10.0.0.255'<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small amount of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces.<br />
<br />
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:<br />
NETWORKS=(extern0-profile intern0-profile)<br />
<br />
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:<br />
DAEMONS=( ... net-profiles ... )<br />
<br />
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service. So you may do:<br />
# systemctl enable net-profiles.service<br />
or if that fails:<br />
# systemctl enable netcfg.service<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
/usr/sbin/pppoe-setup <br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. To do this:<br />
<br />
Edit /etc/dnsmasq.conf and add the following lines<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Somewhere below, you will notice you can also add "static" DHCP leases, i.e. assign an IP-address to the MAC-address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC's from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On : it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. cd into the directory "two-interfaces" and copy the contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 in if you are using PPPoE where appropriate''' in your config files as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 into whatever port you have your SSH server listening on.<br />
<br />
Finally, run<br />
# /etc/rc.d/shorewall start<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of diskspace due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or adding an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got a ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254832Router2013-04-21T19:01:59Z<p>Jrussell: Undo revision 254831 by Jrussell (talk)</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server in the LAN, since each such service introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and a minimal number of packages is installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might no longer be the case; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[Netctl]] profiles rather than the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern0-profile<br />
Connection=ethernet<br />
Description='Public Interface.'<br />
Interface=extern0<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Connection=ethernet<br />
Description='Private Interface.'<br />
Interface=intern0<br />
IP=static<br />
ADDR=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next, bring up the interfaces:<br />
<br />
netctl start extern0-profile<br />
netctl start intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode, though; otherwise the modem will act as a router as well.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
/usr/sbin/pppoe-setup <br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. Edit /etc/dnsmasq.conf and add the following lines:<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the subnet and must<br />
# not be leased) with a subnet mask of 255.255.255.0 and a DHCP lease of 1 hour<br />
# (change to your own preferences)<br />
<br />
Somewhere further down, you will notice you can also add "static" DHCP leases, i.e. assign an IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file, /etc/shorewall/shorewall.conf, and start editing. The file is very well documented; comments in it start with #.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On # it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. Change into the "two-interfaces" directory and copy its contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate''' in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 to whatever port your SSH server is listening on.<br />
<br />
Finally, run<br />
# /etc/rc.d/shorewall start<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a web server on our LAN with IP 10.0.0.85. It can be reached on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
<br />
==Cleanup==<br />
<br />
Now that the installation has been performed, it is necessary to remove as many packages as possible. Since we are making a gateway, keeping unneeded packages only "bloats" the system, and increases the number of security risks.<br />
<br />
First, check for obsolete/deprecated packages (likely after a fresh install and massive series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
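As an added example (not part of this article), here is a check that complements the package cleanup: it reads ss output and reports every listening socket that is not bound to loopback or to the LAN address 10.0.0.1 from the netctl profile above, which is where a service reachable from the outside world would show up. The ss sample in the script is constructed, and LAN_ADDR and the function name are the example's own.<br />

```bash
#!/usr/bin/env bash
# Added example, not part of the ArchWiki article: report listening sockets on
# the gateway that are not confined to loopback or to the LAN address, i.e. the
# services that could be reachable from the outside world. The LAN address
# 10.0.0.1 is taken from the netctl profile in the article; override it with
# LAN_ADDR=... when yours differs.

LAN_ADDR="${LAN_ADDR:-10.0.0.1}"

# Reads `ss -H -lntu` output on stdin and prints "proto port local-address" for
# every listener whose local address is neither 127.0.0.1, ::1 nor $LAN_ADDR.
flag_exposed_listeners() {
    awk -v lan="$LAN_ADDR" '
        # ss columns: Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
        NF >= 5 {
            addr = $5; port = $5
            sub(/:[^:]*$/, "", addr)     # drop the ":port" suffix (also for [::]:22)
            sub(/^.*:/, "", port)        # keep only the port number
            gsub(/\[|\]/, "", addr)      # "[::]" -> "::"
            if (addr == "127.0.0.1" || addr == "::1" || addr == lan) next
            print $1, port, addr
        }'
}

# Constructed sample of what `ss -H -lntu` could show on the gateway: dnsmasq
# DNS and sshd bound to the LAN address, dnsmasq DHCP and a squid proxy bound to
# the wildcard address, cups on loopback, and sshd on every IPv6 address.
SAMPLE_SS='udp   UNCONN 0      0          10.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0           0.0.0.0:67        0.0.0.0:*
tcp   LISTEN 0      128        10.0.0.1:22        0.0.0.0:*
tcp   LISTEN 0      128         0.0.0.0:3128      0.0.0.0:*
tcp   LISTEN 0      128       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128            [::]:22           [::]:*'

# On the router itself run:  ss -H -lntu | flag_exposed_listeners
# For the sample this lists udp/67 (DHCP, which the firewall rather than the
# socket binding keeps off the external interface), tcp/3128 and the IPv6 sshd;
# the latter two should be bound to the LAN address or disabled.
printf '%s\n' "$SAMPLE_SS" | flag_exposed_listeners
```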
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by a lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for setting up a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit<br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file maps each type of traffic to the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups:<br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# web traffic: can be a bit slower<br />
# everything else: every sort of download; they are the cause of the lag anyway.<br />
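As an added example (not part of this article or of Shorewall), here is a script that resolves the full, full/N, Nkbit and Nmbit specs of tcclasses against the OUT-BANDWIDTH in tcdevices and checks that the guaranteed RATEs add up to no more than the link, which HTB needs in order to honour them; run on the config above it reports about 490kbit of guarantees on the 256kbit uplink. The temporary files and the function name are the example's own.<br />

```bash
#!/usr/bin/env bash
# Added example, not part of the ArchWiki article or of Shorewall: check that the
# guaranteed RATEs in /etc/shorewall/tcclasses fit within the device's
# OUT-BANDWIDTH from /etc/shorewall/tcdevices. Shorewall builds HTB classes from
# these files, and HTB can only honour per-class guarantees when the class rates
# add up to no more than the parent (link) rate; the CEIL column is unaffected.

# Usage: check_guaranteed_rates DEVICE TCDEVICES_FILE TCCLASSES_FILE
# Prints "<sum of RATEs> <OUT-BANDWIDTH>" in kbit/s. Returns 1 when the sum
# exceeds the link rate and 2 when a spec cannot be parsed.
check_guaranteed_rates() {
    awk -v dev="$1" '
        # Resolve a Shorewall bandwidth spec to kbit/s: full, full/N, Nkbit, Nmbit.
        function kbit(spec,   p) {
            if (spec ~ /^full(\/[0-9]+)?$/)
                return (split(spec, p, "/") == 2) ? full / p[2] : full
            if (spec ~ /^[0-9]+kbit$/) return spec + 0          # awk takes the leading number
            if (spec ~ /^[0-9]+mbit$/) return (spec + 0) * 1000
            printf "unsupported bandwidth spec: %s\n", spec > "/dev/stderr"
            bad = 1; exit 2
        }
        /^[ \t]*(#|$)/ { next }                            # skip comments and blank lines
        FNR == NR { if ($1 == dev) full = kbit($3); next }  # tcdevices: IFACE IN-BW OUT-BW
        $1 == dev { sum += kbit($3) }                       # tcclasses: IFACE MARK RATE CEIL PRIO
        END {
            if (bad) exit 2
            if (full == "") { printf "%s not found in tcdevices\n", dev > "/dev/stderr"; exit 2 }
            printf "%d %d\n", sum, full
            if (sum > full) exit 1
            exit 0
        }' "$2" "$3"
}

# Constructed copies of the tcdevices and tcclasses shown above, written to
# temporary files so the check can run without touching /etc/shorewall.
TCDEVICES_FILE=$(mktemp)
TCCLASSES_FILE=$(mktemp)
printf '%s\n' 'ppp0 4mbit 256kbit' > "$TCDEVICES_FILE"
cat > "$TCCLASSES_FILE" <<'EOF'
# interactive traffic (ssh)
ppp0 1 full full 0
# online gaming
ppp0 2 full/2 full 5
# http
ppp0 3 full/4 full 10
# rest
ppp0 4 full/6 full 15 default
EOF

# On the router: check_guaranteed_rates ppp0 /etc/shorewall/tcdevices /etc/shorewall/tcclasses
# For the sample this prints "490 256" and fails: the guarantees add up to
# almost twice the 256kbit uplink, so the RATE column (not CEIL) needs lowering.
check_guaranteed_rates ppp0 "$TCDEVICES_FILE" "$TCCLASSES_FILE" \
    || echo "guaranteed RATEs exceed OUT-BANDWIDTH; lower the RATE column"
```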
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254831Router2013-04-21T18:58:58Z<p>Jrussell: /* IP configuration */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server in the LAN, since each such service introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and a minimal number of packages is installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you will notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next it is eth1, etc. (This might no longer be the case; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is with [[Netctl]] profiles rather than the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/netctl/extern0-profile<br />
Connection=ethernet<br />
Description='Public Interface.'<br />
Interface=extern0<br />
IP='dhcp'<br />
<br />
* /etc/netctl/intern0-profile<br />
Connection=ethernet<br />
Description='Private Interface.'<br />
Interface=intern0<br />
IP=static<br />
ADDR=('10.0.0.1/24')<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next, bring up the interfaces:<br />
<br />
netctl start extern0-profile<br />
netctl start intern0-profile<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode, though; otherwise the modem will act as a router as well.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
/usr/sbin/pppoe-setup <br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. Edit /etc/dnsmasq.conf and add the following lines:<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.254,255.255.255.0,1h # defines a DHCP range for the LAN:<br />
# from 10.0.0.2 to .254 (10.0.0.255 is the broadcast address of the subnet and must<br />
# not be leased) with a subnet mask of 255.255.255.0 and a DHCP lease of 1 hour<br />
# (change to your own preferences)<br />
<br />
Further down in the file, you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On # it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. Change into the "two-interfaces" directory and copy its contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate''' in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 to whatever port your SSH server is listening on.<br />
<br />
Finally, run<br />
# /etc/rc.d/shorewall start<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
<br />
==Cleanup==<br />
<br />
Now that the installation is done, remove as many packages as possible. Since this machine is a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages, i.e. packages no longer found in the repositories (likely after a fresh install and a large series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254828Router2013-04-21T18:49:46Z<p>Jrussell: /* Persistent naming */</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, since every extra service introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you may notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next boot it is eth1, etc. (This may no longer apply; see [http://www.freedesktop.org/wiki/Software/systemd/PredictableNetworkInterfaceNames PredictableNetworkInterfaceNames] and [[Network_Configuration#Device_names]].)<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/network.d/extern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Public Interface.'<br />
INTERFACE='extern0'<br />
IP='dhcp'<br />
<br />
* /etc/network.d/intern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Private Interface.'<br />
INTERFACE='intern0'<br />
IP='static'<br />
ADDR='10.0.0.1'<br />
NETMASK='255.255.255.0'<br />
BROADCAST='10.0.0.255'<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces.<br />
<br />
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:<br />
NETWORKS=(extern0-profile intern0-profile)<br />
<br />
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:<br />
DAEMONS=( ... net-profiles ... )<br />
<br />
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service, so you may run:<br />
# systemctl enable net-profiles.service<br />
or if that fails:<br />
# systemctl enable netcfg.service<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
/usr/sbin/pppoe-setup <br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. To do this:<br />
<br />
Edit /etc/dnsmasq.conf and add the following lines:<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file, you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On # it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. Change into the "two-interfaces" directory and copy its contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate''' in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 to whatever port your SSH server is listening on.<br />
<br />
Finally, run<br />
# /etc/rc.d/shorewall start<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
<br />
==Cleanup==<br />
<br />
Now that the installation is done, remove as many packages as possible. Since this machine is a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages, i.e. packages no longer found in the repositories (likely after a fresh install and a large series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Router&diff=254825Router2013-04-21T18:46:41Z<p>Jrussell: changed link to network_configuration for persistant device names</p>
<hr />
<div>[[Category:Networking]]<br />
[[Category:Security]]<br />
{{Out of date|No more rc.conf, no more eth0,1,2}}<br />
This article is a tutorial for turning a computer into an internet gateway/router. It focuses on ''security'', since the gateway is connected directly to the Internet. It should not run '''any''' services available to the outside world. Towards the LAN, it should only run gateway-specific services. It should not run httpd, ftpd, samba, nfsd, etc.; those belong on a server inside the LAN, since every extra service introduces security flaws.<br />
<br />
This article does not attempt to show how to set up a shared connection between 2 PCs using cross-over cables. For a simple internet sharing solution, see [[Internet Share]].<br />
<br />
==Hardware Requirements==<br />
* At least 1 GB of hard drive space. The base install will take up around 500MB of space and if you want to use a caching web proxy, you will need to reserve space for the cache as well.<br />
* At least two physical network interfaces: a gateway connects two networks with each other. You will need to be able to connect those networks to the same physical computer. One interface must connect to the external network, while the other connects to the internal network.<br />
* A hub, switch or UTP cable: you need a way to connect the other computers to the gateway.<br />
<br />
==Conventions==<br />
This guide uses non-realistic interface names, to avoid confusion about which interface is which.<br />
<br />
* '''intern0''': the network card connected to the LAN. On an actual computer it will probably have the name eth0, eth1, etc.<br />
* '''extern1''': the network card connected to the external network (or WAN). It will probably have the name eth0, eth1, etc.<br />
<br />
==Installation==<br />
{{Note | For a full installation guide, see the [[Official Arch Linux Install Guide]].}}<br />
<br />
A fresh install of Arch Linux is the easiest to start from, as no configuration changes have been made and there is a minimal number of packages installed. This is helpful when attempting to reduce security risk.<br />
<br />
===Partitioning===<br />
<br />
For security purposes, /var, /tmp and /home should be separate from the / partition. This prevents disk space from being completely used up by log files, daemons or the unprivileged user. It also allows different mount options for those partitions. If you have already partitioned your drive, the [http://gparted.sourceforge.net/ gparted livecd] can be used to resize, move, or create new partitions.<br />
<br />
Your home and root partitions can be much smaller than a regular install since this is not a desktop machine. /var should be the largest partition - it is where databases, logs and long-term caches are stored. If you have a lot of RAM, mounting /tmp as tmpfs is a good idea, so making a disk partition for it during the initial install is unnecessary. Note that /tmp is mounted as tmpfs by default in Arch.<br />
<br />
===Post-Installation===<br />
After creating a non-root account, it is recommended to install [[sudo]] and [[sudo#Disable root login|disable root login]].<br />
<br />
==Network interface configuration==<br />
<br />
===Persistent naming===<br />
When you let [[udev]] handle loading the modules, you may notice that your NICs switch names: on one boot your LAN NIC is eth0, on the next boot it is eth1, etc.<br />
<br />
To fix this problem, read [[Network_Configuration#Device_names]].<br />
<br />
===IP configuration===<br />
Now you will need to configure the network interfaces. The best way to do so is using [[netcfg]] profiles, instead of the regular [[network]] daemon. You will need to create two profiles.<br />
<br />
* /etc/network.d/extern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Public Interface.'<br />
INTERFACE='extern0'<br />
IP='dhcp'<br />
<br />
* /etc/network.d/intern0-profile<br />
CONNECTION='ethernet'<br />
DESCRIPTION='Private Interface.'<br />
INTERFACE='intern0'<br />
IP='static'<br />
ADDR='10.0.0.1'<br />
NETMASK='255.255.255.0'<br />
BROADCAST='10.0.0.255'<br />
<br />
{{Note|The example configuration above assumes a full subnet. If you are building the gateway for a small number of people, you will want to change the netmask and broadcast to accommodate a smaller range.}}<br />
<br />
Next up is to set up the interfaces.<br />
<br />
* Define the profiles in {{ic|/etc/conf.d/netcfg}}:<br />
NETWORKS=(extern0-profile intern0-profile)<br />
<br />
* Replace the {{ic|network}} daemon with {{ic|net-profiles}} in {{ic|/etc/[[rc.conf]]}}:<br />
DAEMONS=( ... net-profiles ... )<br />
<br />
* If using [[systemd]], net-profiles.service is a symlink to netcfg.service, so you may run:<br />
# systemctl enable net-profiles.service<br />
or if that fails:<br />
# systemctl enable netcfg.service<br />
<br />
==ADSL connection==<br />
Using rp-pppoe, we can connect an ADSL modem to the extern1 interface of the firewall and have Arch manage the connection. Make sure you put the modem in ''bridged'' mode though, otherwise the modem will act as a router too.<br />
# pacman -S rp-pppoe<br />
<br />
===Configuration: rp-pppoe===<br />
/usr/sbin/pppoe-setup <br />
The questions are all documented. You can select "no firewall" because we will let Shorewall / iptables handle that part.<br />
<br />
==DNS and DHCP==<br />
We will use [[dnsmasq]], a DNS and DHCP daemon for the LAN. It was specifically designed for small sites.<br />
<br />
First, install '''dnsmasq''':<br />
# pacman -S dnsmasq<br />
<br />
Now, dnsmasq needs to be configured. To do this:<br />
<br />
Edit /etc/dnsmasq.conf and add the following lines:<br />
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)<br />
expand-hosts # add a domain to simple hostnames in /etc/hosts<br />
domain=foo.bar # allow fully qualified domain names for DHCP hosts (needed when<br />
# "expand-hosts" is used)<br />
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h # defines a DHCP-range for the LAN: <br />
# from 10.0.0.2 to .255 with a subnet mask of 255.255.255.0 and a<br />
# DHCP lease of 1 hour (change to your own preferences)<br />
<br />
Further down in the file, you will notice that you can also add "static" DHCP leases, i.e. assign a fixed IP address to the MAC address of a computer on the LAN. This way, whenever the computer requests a new lease, it will get the same IP. That is very useful for network servers with a DNS record. You can also deny certain MAC addresses from obtaining an IP.<br />
<br />
Now start dnsmasq:<br />
# /etc/rc.d/dnsmasq start<br />
and add the daemon to the DAEMONS list in /etc/rc.conf.<br />
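As an added example (not part of the wiki page), the following Python script parses a dnsmasq configuration like the one above and checks it against the intern0 profile's subnet (10.0.0.1/24): that dnsmasq is bound to the LAN interface only, and that the DHCP pool lies inside that subnet without handing out the gateway or broadcast address. The function names and the embedded sample are constructed for this example; the sample copies the page's own dhcp-range, which the check flags because its end address 10.0.0.255 is the subnet's broadcast address.<br />

```python
"""Sanity-check a dnsmasq LAN configuration against the gateway's subnet.

Added example, not part of the wiki page: parses the interface= and
dhcp-range= options as written in /etc/dnsmasq.conf and reports what a
gateway operator cares about: dnsmasq listens on the LAN side only, and the
DHCP pool lies inside the LAN subnet without the gateway or broadcast address.
"""
import ipaddress

# Constructed sample mirroring the page's configuration (intern0 = 10.0.0.1/24).
SAMPLE_CONF = """\
interface=intern0 # make dnsmasq listen for requests only on intern0 (our LAN)
expand-hosts
domain=foo.bar
dhcp-range=10.0.0.2,10.0.0.255,255.255.255.0,1h
"""


def parse_dnsmasq(text):
    """Return {option: [values]} from dnsmasq.conf text; comments and blanks are ignored."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        key, _, value = line.partition("=")
        options.setdefault(key.strip(), []).append(value.strip())
    return options


def parse_dhcp_range(value):
    """Split 'start,end[,netmask][,lease]' into (start, end, netmask-or-None).

    Only the form used on the page is handled (assumption): tag prefixes and
    the 'static'/'proxy' modes that dnsmasq also accepts are not parsed.
    """
    parts = [p.strip() for p in value.split(",")]
    start = ipaddress.ip_address(parts[0])
    end = ipaddress.ip_address(parts[1])
    netmask = None
    for part in parts[2:]:
        try:
            netmask = ipaddress.ip_address(part)  # a netmask parses as an address
        except ValueError:
            pass  # anything else is the lease time, e.g. '1h'
    return start, end, netmask


def check_dnsmasq(text, lan_iface, lan_cidr):
    """Return a list of findings; an empty list means the config passed every check."""
    findings = []
    opts = parse_dnsmasq(text)
    gateway = ipaddress.ip_interface(lan_cidr)
    net = gateway.network

    # 1. Bind to the LAN interface only, or the WAN side gets an open resolver
    #    and a DHCP server it should never see.
    ifaces = opts.get("interface", [])
    if not ifaces:
        findings.append("no interface= line: dnsmasq would listen on all interfaces")
    elif set(ifaces) != {lan_iface}:
        findings.append("interface= should name only %s, found %s" % (lan_iface, ifaces))

    # 2. Every DHCP pool must sit inside the LAN subnet and must not hand out
    #    the gateway's own address or the broadcast address.
    for value in opts.get("dhcp-range", []):
        start, end, netmask = parse_dhcp_range(value)
        if start not in net or end not in net:
            findings.append("dhcp-range %s is not inside %s" % (value, net))
            continue
        if start > end:
            findings.append("dhcp-range %s has its start after its end" % value)
        if start <= gateway.ip <= end:
            findings.append("dhcp-range %s contains the gateway address %s" % (value, gateway.ip))
        if end == net.broadcast_address:
            findings.append("dhcp-range %s ends on the broadcast address %s" % (value, end))
        if netmask is not None and netmask != net.netmask:
            findings.append("dhcp-range %s netmask %s differs from %s" % (value, netmask, net.netmask))
    return findings


if __name__ == "__main__":
    for finding in check_dnsmasq(SAMPLE_CONF, "intern0", "10.0.0.1/24") or ["config passed"]:
        print(finding)
```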
<br />
==Connection sharing==<br />
<br />
Time to tie the two network interfaces to each other.<br />
===iptables===<br />
[[Simple stateful firewall]] documents the setup of an [[iptables]] firewall and NAT.<br />
<br />
===Shorewall===<br />
Shorewall, an iptables frontend, can be used as an easier alternative.<br />
<br />
# pacman -S shorewall<br />
<br />
====Shorewall configuration====<br />
<br />
Time to configure Shorewall! Open its config file in /etc/shorewall/shorewall.conf and start editing. The file is very well documented.<br />
SUBSYSLOCK=/var/lock/shorewall<br />
IP_FORWARDING=On # it is a gateway, remember! ;)<br />
STARTUP_ENABLED=Yes # when you are done editing<br />
<br />
After installing shorewall, run<br />
$ pacman -Ql shorewall | grep Sample<br />
to see where the sample files are. Change into the "two-interfaces" directory and copy its contents to the /etc/shorewall/ directory.<br />
Now use [http://www.shorewall.net/two-interface.htm Shorewall's guide] to set up the files correctly.<br />
<br />
Read the document carefully. Take special care to '''change eth0 and eth1 (or ppp0 if you are using PPPoE) where appropriate''' in your config files, as the Shorewall guide uses different names for the interfaces. When you have followed it thoroughly, make the following changes:<br />
* /etc/shorewall/interfaces : add "dhcp" to the ''loc'' line to allow computers on the LAN to make use of our DHCP server<br />
* /etc/shorewall/rules : add<br />
ACCEPT loc $FW TCP 2367<br />
but change 2367 to whatever port your SSH server is listening on.<br />
<br />
Finally, run<br />
# /etc/rc.d/shorewall start<br />
<br />
From here on, the Arch box is operational. Connect a hub or switch to intern0 and a computer to the LAN to test it.<br />
<br />
=====Port forwarding (DNAT)=====<br />
* /etc/shorewall/rules : here is an example for a webserver on our LAN with IP 10.0.0.85. You can reach it on port 5000 of our "external" IP.<br />
DNAT net loc:10.0.0.85:80 tcp 5000<br />
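The gateway is supposed to expose nothing of its own to the Internet, so the rules file is worth auditing after every change. The following Python script is an added example, not from the wiki page or the Shorewall project: it parses the ACTION, SOURCE, DEST, PROTO and DPORT columns of a rules file such as the two rules above, reports any ACCEPT from the net zone to $FW as a policy violation, and lists each DNAT (and any ACCEPT into another zone) as an exposure to review. The function names and the embedded sample, including its third, deliberately non-compliant rule, are constructed for this example.<br />

```python
"""Audit what a Shorewall rules file exposes to the Internet zone.

Added example, not from the wiki page or the Shorewall project: it reads the
ACTION, SOURCE, DEST, PROTO and DPORT columns of /etc/shorewall/rules and
reports every rule that lets the 'net' zone reach the firewall itself or a
LAN host. The page's policy is that the gateway runs no Internet-facing
services, so ACCEPT from net to $FW is reported as a violation, while each
DNAT (or ACCEPT into another zone) is listed as an exposure to review.
"""

# Constructed sample: the page's two rules plus one rule that breaks the policy.
SAMPLE_RULES = """\
#ACTION  SOURCE  DEST              PROTO  DPORT
SECTION NEW
ACCEPT   loc     $FW               TCP    2367   # ssh from the LAN
DNAT     net     loc:10.0.0.85:80  tcp    5000   # web server behind NAT
ACCEPT   net     $FW               tcp    22     # constructed: ssh reachable from the WAN
"""


def parse_rules(text):
    """Return one dict per rule line; comments, blanks and SECTION lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.upper().startswith(("SECTION", "?SECTION")):
            continue
        cols = line.split()
        if len(cols) < 3:
            continue  # not a complete rule
        # ACTION may carry a log level (ACCEPT:info); SOURCE and DEST may be
        # zone, zone:address or zone:address:port.
        src = cols[1].split(":")
        dst = cols[2].split(":")
        rules.append({
            "action": cols[0].split(":")[0].upper(),
            "source": src[0],
            "source_addr": src[1] if len(src) > 1 else None,
            "dest_zone": dst[0],
            "dest_addr": dst[1] if len(dst) > 1 else None,
            "dest_port": dst[2] if len(dst) > 2 else None,
            "proto": cols[3].lower() if len(cols) > 3 else "all",
            "dport": cols[4] if len(cols) > 4 else "any",
        })
    return rules


def audit_exposure(text, wan_zone="net", fw_zone="$FW"):
    """Return (violations, exposures) for rules whose SOURCE is the WAN zone."""
    violations, exposures = [], []
    for r in parse_rules(text):
        if r["source"] != wan_zone:
            continue
        scope = " from %s" % r["source_addr"] if r["source_addr"] else ""
        if r["action"] == "ACCEPT" and r["dest_zone"] == fw_zone:
            violations.append("%s/%s open on the gateway itself%s" % (r["proto"], r["dport"], scope))
        elif r["action"] == "DNAT":
            inner = r["dest_port"] or r["dport"]  # DNAT keeps the port unless one is given
            exposures.append("%s/%s forwarded to %s:%s%s"
                             % (r["proto"], r["dport"], r["dest_addr"] or "?", inner, scope))
        elif r["action"] == "ACCEPT":
            exposures.append("%s/%s accepted into zone %s%s"
                             % (r["proto"], r["dport"], r["dest_zone"], scope))
    return violations, exposures


if __name__ == "__main__":
    found_violations, found_exposures = audit_exposure(SAMPLE_RULES)
    for v in found_violations:
        print("VIOLATION:", v)
    for e in found_exposures:
        print("exposure:", e)
```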
<br />
==Cleanup==<br />
<br />
Now that the installation is done, remove as many packages as possible. Since this machine is a gateway, keeping unneeded packages only "bloats" the system and increases the number of security risks.<br />
<br />
First, check for obsolete or deprecated packages, i.e. packages no longer found in the repositories (likely after a fresh install and a large series of updates):<br />
<br />
$ pacman -Qm<br />
<br />
Review the list of explicitly installed packages that are not dependencies and remove any that are unneeded. Having only needed packages installed is an important security consideration.<br />
<br />
$ pacman -Qet<br />
<br />
Completely remove the packages you do not need along with their configuration files and dependencies:<br />
<br />
# pacman -Rsn package1 package2 package3<br />
<br />
== Logrotate ==<br />
<br />
You should review the [[logrotate]] configuration to make sure the box is not brought down by lack of disk space due to logging.<br />
<br />
Logrotate is installed by default, so you will not have to install it.<br />
<br />
==Optional additions==<br />
<br />
===UPnP===<br />
The above configuration of shorewall does not include [http://en.wikipedia.org/wiki/UPnP UPnP] support. Use of [http://en.wikipedia.org/wiki/UPnP UPnP] is discouraged as it may make the gateway vulnerable to attacks from within the LAN. However, some applications such as MSN require this to function correctly.<br />
<br />
Read the [http://www.shorewall.net/UPnP.html Shorewall guide on UPnP] for more information.<br />
<br />
===Remote administration===<br />
<br />
[[SSH|OpenSSH]] can be used to administer your router remotely. This is useful for running it "headless" (no monitor or input devices).<br />
<br />
=== Caching web proxy ===<br />
<br />
See [[Squid]] or [[Polipo]] for the setup of a web proxy to speed up browsing and/or add an extra layer of security.<br />
<br />
=== Time server ===<br />
To use the router as a time server, see [[Network Time Protocol]].<br />
<br />
Then, configure shorewall or iptables to allow NTP traffic in and out.<br />
<br />
=== Content filtering ===<br />
<br />
Install and configure [[DansGuardian]] if you need a content filtering solution.<br />
<br />
=== Traffic shaping ===<br />
<br />
Traffic shaping is very useful, especially when you are not the only one on the LAN. The idea is to assign a priority to different types of traffic. Interactive traffic (ssh, online gaming) probably needs the highest priority, while P2P traffic can do with the lowest. Then there is everything in between.<br />
<br />
==== Traffic shaping with shorewall ====<br />
<br />
Read [http://www.shorewall.net/traffic_shaping.htm Shorewall's Traffic Shaping/Control] guide.<br />
<br />
Here is my config as an example:<br />
* /etc/shorewall/tcdevices : here is where you define the interface you want to have shaped and its rates. I have got an ADSL connection with a 4MBit down/256KBit up profile.<br />
ppp0 4mbit 256kbit <br />
* /etc/shorewall/tcclasses : here you define the minimum (rate) and maximum (ceil) throughput per class. You will assign each one to a type of traffic to shape.<br />
# interactive traffic (ssh)<br />
ppp0 1 full full 0<br />
# online gaming<br />
ppp0 2 full/2 full 5<br />
# http<br />
ppp0 3 full/4 full 10<br />
# rest<br />
ppp0 4 full/6 full 15 default<br />
* /etc/shorewall/tcrules : this file contains the types of traffic and the class it belongs to.<br />
1 0.0.0.0/0 0.0.0.0/0 tcp ssh<br />
2 0.0.0.0/0 0.0.0.0/0 udp 27000:28000<br />
3 0.0.0.0/0 0.0.0.0/0 tcp http<br />
3 0.0.0.0/0 0.0.0.0/0 tcp https<br />
I have split my traffic into 4 groups: <br />
# interactive traffic or ssh: although it takes up almost no bandwidth, it is very annoying if it lags due to leechers on the LAN. This gets the highest priority.<br />
# online gaming: needless to say you cannot play when your ping sucks. ;)<br />
# webtraffic: can be a bit slower<br />
# everything else: every sort of download, they are the cause of the lag anyway.<br />
<br />
===Intrusion detection and prevention with snort===<br />
<br />
See [[Snort]].<br />
<br />
==See also==<br />
*[[Simple stateful firewall]]<br />
*[[Internet Share]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=PulseAudio/Examples&diff=254707PulseAudio/Examples2013-04-20T16:14:09Z<p>Jrussell: /* Zeroconf (Avahi) publishing */</p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[it:PulseAudio/Examples]]<br />
=== Simultaneous HDMI and Analog Output ===<br />
PulseAudio allows for simultaneous output to multiple sources. In this example, some applications are configured to use HDMI while others are configured to use analog. Multiple applications are able to receive audio at the same time.<br />
<br />
{{Note|''aplay'' is used only to list playback devices. It is part of the alsa-utils package and is not required for output to multiple sinks, so the package can be removed when finished with it.}}<br />
<br />
First, users need to understand the system's audio layout. This is accomplished using ''aplay'' which is part of the {{pkg|alsa-utils}} package.<br />
<br />
{{bc|$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Intel [HDA Intel], device 0: ALC889A Analog [ALC889A Analog]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 1: ALC889A Digital [ALC889A Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0}}<br />
<br />
The key to a configuration like this is to understand that whatever is selected in pavucontrol under Configuration>Internal Audio is the default device. Load pavucontrol>Configuration and select HDMI as the profile.<br />
<br />
Add the following to {{ic|/etc/pulse/default.pa}} to set up the analog output as a second sink and combine both:<br />
### Load analog device<br />
load-module module-alsa-sink device=hw:0,0<br />
load-module module-combine-sink sink_name=combined<br />
set-default-sink combined<br />
<br />
Restart PulseAudio, run pavucontrol and select the "Output Devices" tab. Three settings should be displayed:<br />
# Internal Audio Digital Stereo (HDMI)<br />
# Internal Audio<br />
# Simultaneous output to Internal Audio Digital Stereo (HDMI), Internal Audio<br />
<br />
Now start a program that uses PulseAudio, such as mplayer, vlc or mpd, and switch to the "Playback" tab. A pulldown should be available for the running program to select one of the three outputs.<br />
<br />
Also see [https://bbs.archlinux.org/viewtopic.php?id=118026 this thread] for a variation on this theme and [http://www.freedesktop.org/wiki/Software/PulseAudio/FAQ#Can_I_use_PulseAudio_to_playback_music_on_two_sound_cards_simultaneously.3F PulseAudio FAQ].<br />
<br />
===Surround sound systems===<br />
Many people have a surround card but speakers for just two channels, so PulseAudio cannot really default to a surround setup. To enable all the channels, edit {{ic|/etc/pulse/daemon.conf}}: uncomment the default-sample-channels line (i.e. remove the semicolon from the beginning of the line) and set the value to '''6''' for a ''5.1'' setup, '''8''' for a ''7.1'' setup, and so on.<br />
# Default<br />
default-sample-channels=2<br />
# For 5.1<br />
default-sample-channels=6<br />
# For 7.1<br />
default-sample-channels=8<br />
<br />
After doing the edit, restart Pulseaudio.<br />
<br />
====Splitting front/rear====<br />
If speakers are connected to the front analog output and headphones to the rear output, it is useful to split front and rear into separate sinks. Add to {{ic|/etc/pulse/default.pa}}:<br />
<br />
load-module module-remap-sink sink_name=speakers remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=front-left,front-right channel_map=front-left,front-right<br />
load-module module-remap-sink sink_name=headphones remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=rear-left,rear-right channel_map=front-left,front-right<br />
<br />
(replace alsa_output.pci-0000_05_00.0.analog-surround-40 with the sink name of your sound card as shown by {{ic|pacmd list-sinks}})<br />
<br />
Switch player between speakers and headphones.<br />
<br />
====LFE remixing====<br />
By default PulseAudio remixes the number of channels to default-sample-channels, but it does not do this for the LFE channel. To enable LFE remixing, uncomment the line:<br />
<br />
; enable-lfe-remixing = no<br />
<br />
and replace no with yes:<br />
<br />
enable-lfe-remixing = yes<br />
<br />
then restart Pulseaudio.<br />
<br />
===Advanced ALSA Configuration===<br />
In order for ALSA to use PulseAudio it needs a special {{ic|/etc/asound.conf}} (system wide settings) (recommended) or {{ic|~/.asoundrc}} (settings on a per user basis):<br />
{{hc|/etc/asound.conf|<nowiki><br />
pcm.pulse {<br />
type pulse<br />
}<br />
ctl.pulse {<br />
type pulse<br />
}<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
</nowiki>}}<br />
<br />
If the last two groups are omitted, PulseAudio is not used by default; applications must then have their ALSA device set to "pulse".<br />
<br />
{{Note|The above configuration is provided by the package {{Pkg|pulseaudio-alsa}}.}}<br />
<br />
====ALSA Monitor source====<br />
To be able to record from a monitor source (a.k.a. "What-U-Hear", "Stereo Mix"), use {{ic|pactl list}} to find out the name of the source in Pulseaudio (e.g. {{ic|alsa_output.pci-0000_00_1b.0.analog-stereo.monitor}}). Then add lines like the following to {{ic|/etc/asound.conf}} or {{ic|~/.asoundrc}}:<br />
pcm.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
ctl.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
Now you can select {{ic|pulse_monitor}} as a recording source.<br />
<br />
Alternatively, you can use pavucontrol to do this : make sure you've set up the display to "All input Devices", then select "Monitor of [your soundcard]" as the recording source.<br />
<br />
===HDMI output configuration===<br />
As outlined in ftp://download.nvidia.com/XFree86/gpu-hdmi-audio-document/gpu-hdmi-audio.html#_issues_in_pulseaudio, unless the HDMI port is the first output, PulseAudio will not produce any audio with certain graphics cards that have HDMI audio support. This is because of a bug in PulseAudio where it only selects the first HDMI output on a device. The workaround below is to first find which HDMI output is working, using the aplay utility from ALSA.<br />
<br />
The original title for this section indicated the problem is specific to nVidia cards. As seen in [https://bbs.archlinux.org/viewtopic.php?id=133222 this forum thread] other cards are affected as well. The rest of the section will use an nVidia card as a case-study but the solution should carry over for people using other affected cards.<br />
<br />
====Finding HDMI output====<br />
Find the working output by listing the available cards:<br />
$ aplay -l<br />
<br />
sample output:<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: NVidia [HDA NVidia], device 0: ALC1200 Analog [ALC1200 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: NVidia [HDA NVidia], device 3: ALC1200 Digital [ALC1200 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 7: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 8: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 9: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
<br />
====Testing for the correct card====<br />
Now that the detected cards are known, test which one is outputting to the TV/monitor:<br />
$ aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Right.wav<br />
<br />
where 1 is the card and 3 is the device; substitute the values listed in the previous section. If there is no audio, try a different device (on my card I had to use card 1 device 7).<br />
<br />
====Manually configuring pulseaudio to detect the Nvidia HDMI====<br />
Having identified which HDMI device is working, PulseAudio can be forced to use it by adding the following line to {{ic|/etc/pulse/default.pa}} (without a leading {{ic|#}}, which would turn it into a comment):<br />
load-module module-alsa-sink device=hw:1,7<br />
<br />
where 1 is the card and 7 is the device found to work in the previous section.<br />
<br />
Restart PulseAudio (with autospawn enabled, the default, it is started again by the next client):<br />
$ pulseaudio --kill<br />
<br />
Open the sound settings manager and make sure that under the Hardware tab the graphics card's HDMI audio is set to "Digital Stereo (HDMI) Output" (my graphics card audio is called "GF100 High Definition Audio Controller").<br />
<br />
Then open the Output tab; there should now be two HDMI outputs for the graphics card. Test which one works by selecting one of them and playing audio with a program such as vlc; if it does not work, select the other.<br />
<br />
===PulseAudio over network===<br />
One of PulseAudio's magnificent features is the possibility to stream audio from clients over TCP to the server running the PulseAudio daemon, allowing sound to be streamed through the LAN.<br />
<br />
To accomplish this, one needs to enable module-native-protocol-tcp and copy the PulseAudio authentication cookie to the clients. The cookie is a shared secret: any host holding it can connect to the server, so copy it over an authenticated channel such as scp and keep it readable by its owner only.<br />
<br />
====TCP support (networked sound)====<br />
To enable the TCP module, add this to (or uncomment, if already there) {{ic|/etc/pulse/default.pa}}:<br />
load-module module-native-protocol-tcp<br />
<br />
If clients cannot connect, confirm on the server that the module is actually loaded, and that TCP port 4713 (the module's default port) is reachable through the server's firewall:<br />
$ pacmd list-modules<br />
<br />
====TCP support with anonymous clients====<br />
<br />
If copying the cookie to every client is undesirable, hosts on the LAN can be admitted without it by passing these parameters to module-native-protocol-tcp (again in {{ic|/etc/pulse/default.pa}}):<br />
<br />
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.168.0.0/24 auth-anonymous=1<br />
<br />
Remember to change the LAN prefix should it be different from 192.168.0.0/24. Note what the two parameters do: auth-ip-acl admits the listed addresses without the cookie, while auth-anonymous=1 authorizes every connection the module accepts, from any address, so combined with it the ACL no longer limits who can connect. When only the LAN should be able to use the server, use auth-ip-acl alone and leave auth-anonymous out; either way, restrict TCP port 4713 in the firewall to the LAN, because an admitted host can play audio through, and record from, the server's devices.<br />
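The following is an added example, not code from this page or from PulseAudio: a small Python audit of the module-native-protocol-tcp lines in a default.pa. It encodes the argument semantics of the module (auth-ip-acl admits the listed addresses without the cookie; auth-anonymous=1 authorizes every connection) and reports ACL entries that cover every address or lie outside loopback and private ranges. The sample configuration embedded in it is constructed for the demonstration, 203.0.113.0/24 is a documentation range, and the set of ranges treated as "LAN" is this example's own assumption.<br />
<br />
```python
"""Audit the module-native-protocol-tcp lines of a PulseAudio default.pa.

Added example for this page, not PulseAudio code. It applies the module's
argument semantics: auth-ip-acl lists addresses admitted without the cookie,
auth-anonymous=1 authorizes every connection the module accepts.
"""
import ipaddress
import shlex

TRUE_VALUES = {"1", "true", "yes", "on"}

# Assumption of this example: ranges an ACL on a home or office LAN is expected
# to stay inside (loopback, RFC 1918, IPv6 loopback, ULA and link-local).
LAN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "::1/128", "fc00::/7", "fe80::/10")
]


def parse_load_module(line):
    """Return (module_name, {arg: value}) for an active load-module line, else None.

    Anything after '#' is a comment in default.pa, so a commented-out module
    line is skipped and never produces a finding.
    """
    code = line.split("#", 1)[0].strip()
    if not code:
        return None
    parts = shlex.split(code)  # honours quoted values such as device="hw:0,0"
    if len(parts) < 2 or parts[0] != "load-module":
        return None
    args = {}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        args[key] = value
    return parts[1], args


def parse_ip_acl(acl):
    """Split a semicolon-separated auth-ip-acl value into networks and unparseable entries."""
    networks, bad = [], []
    for entry in filter(None, (e.strip() for e in acl.split(";"))):
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            bad.append(entry)
    return networks, bad


def in_lan_ranges(net):
    """True when the network is contained in one of LAN_RANGES of the same IP version."""
    return any(net.version == r.version and net.subnet_of(r) for r in LAN_RANGES)


def audit_tcp_module(args):
    """Return the findings for one module-native-protocol-tcp argument set."""
    findings = []
    if args.get("auth-anonymous", "0").lower() in TRUE_VALUES:
        findings.append("auth-anonymous=1 authorizes every connection, so auth-ip-acl does not limit who connects")
    networks, bad = parse_ip_acl(args.get("auth-ip-acl", ""))
    findings.extend(f"unparseable auth-ip-acl entry {e!r}" for e in bad)
    for net in networks:
        if net.prefixlen == 0:
            findings.append(f"auth-ip-acl entry {net} admits every address without the cookie")
        elif not in_lan_ranges(net):
            findings.append(f"auth-ip-acl entry {net} lies outside loopback and private ranges")
    return findings


def audit_default_pa(text):
    """Map line number -> findings for every active module-native-protocol-tcp line."""
    report = {}
    for number, line in enumerate(text.splitlines(), start=1):
        parsed = parse_load_module(line)
        if parsed and parsed[0] == "module-native-protocol-tcp":
            findings = audit_tcp_module(parsed[1])
            if findings:
                report[number] = findings
    return report


# Constructed sample, not a real configuration. Line 2 is the LAN-only form,
# line 3 is the combination shown on this page, line 4 is commented out, and
# lines 5 and 6 are mistakes the audit should catch.
SAMPLE_DEFAULT_PA = """\
load-module module-native-protocol-unix
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.168.0.0/24
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.168.0.0/24 auth-anonymous=1
#load-module module-native-protocol-tcp auth-anonymous=1
load-module module-native-protocol-tcp auth-ip-acl=0.0.0.0/0
load-module module-native-protocol-tcp auth-ip-acl=203.0.113.0/24
"""

if __name__ == "__main__":
    for number, findings in sorted(audit_default_pa(SAMPLE_DEFAULT_PA).items()):
        for finding in findings:
            print(f"default.pa line {number}: {finding}")
```
Run it as a script to print the findings for the embedded sample, or pass the contents of /etc/pulse/default.pa to audit_default_pa(). It deliberately is not a full default.pa parser (no .include or .ifexists handling); its point is that the ACL is only a control when auth-anonymous is absent, and that the firewall on TCP port 4713 is the control that remains when it is present.<br />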
<br />
====Zeroconf (Avahi) publishing====<br />
For the remote Pulseaudio server to appear in the PulseAudio Device Chooser ({{ic|padevchooser}}), load the appropriate zeroconf modules, and enable the [[Avahi]] [[daemon]].<br />
<br />
On both machines run:<br />
$ systemctl start avahi-daemon.service<br />
$ systemctl enable avahi-daemon.service<br />
On the server, add {{ic|load-module module-zeroconf-publish}} to {{ic|/etc/pulse/default.pa}}; on the client, add {{ic|load-module module-zeroconf-discover}} to {{ic|/etc/pulse/default.pa}}. Now redirect any stream or the complete audio output to the remote PulseAudio server by selecting the appropriate sink.<br />
<br />
====Switching the PulseAudio server used by local X clients====<br />
To switch between servers on the client from within X, the {{ic|pax11publish}} command can be used. For example, to switch from the default server to the server at hostname foo:<br />
$ pax11publish -e -S foo<br />
<br />
Or to switch back to the default:<br />
$ pax11publish -e -r<br />
<br />
Note that for the switch to become apparent, the programs using Pulse must be restarted.<br />
<br />
====When everything else seems to fail====<br />
The following is a quick fix and NOT a permanent solution.<br />
<br />
On the Server: <br />
$ paprefs <br />
Go to Network Access -> Enable access to local sound devices (also check both 'Allow discover' and 'Don't require authentication'). Be aware that 'Don't require authentication' is the same as auth-anonymous=1 above: any host that can reach the server's TCP port can then use it, so keep that port firewalled to the LAN and revert the setting once the real problem is found.<br />
<br />
On the Client: <br />
$ export PULSE_SERVER=server.ip && mplayer test.mp3<br />
<br />
===PulseAudio through JACK the new new way===<br />
This configuration only works with jackdbus (JACK2 compiled with D-Bus support). Add to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-jackdbus-detect<br />
As described on the [http://trac.jackaudio.org/wiki/JackDbusPackaging Jack-DBUS Packaging] page:<br />
<br />
''Server auto-launching is implemented as D-Bus call that auto-activates JACK D-Bus service, in case it is not already started, and starts the JACK server. Correct interaction with PulseAudio is done using a D-Bus based audio card "acquire/release" mechanism. When JACK server starts, it asks this D-Bus service to acquire the audio card and PulseAudio will unconditionally release it. When JACK server stops, it releases the audio card that can be grabbed again by PulseAudio.''<br />
<br />
{{ic|module-jackdbus-detect.so}} dynamically loads and unloads module-jack-sink and module-jack-source when jackdbus is started and stopped.<br />
<br />
If PulseAudio sound does not work, check with {{ic|pavucontrol}} whether the relevant programs appear in the Playback tab. If not, add the following to {{ic|~/.asoundrc}} or {{ic|/etc/asound.conf}} to redirect ALSA to PulseAudio:<br />
<br />
pcm.pulse {<br />
type pulse<br />
}<br />
<br />
ctl.pulse {<br />
type pulse<br />
}<br />
<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
<br />
If it still doesn't work, check with {{ic|pavucontrol}} in the playback tab and make sure the relevant programs are outputting to PulseAudio JACK Sink instead of your audio card (which JACK has control of, so it won't work).<br />
<br />
===PulseAudio through JACK the new way===<br />
The basic idea is that killing PulseAudio is a bad idea: it may crash any application using PulseAudio and disrupt any audio playing.<br />
<br />
The flow of this setup is:<br />
<br />
# PulseAudio releases the sound card<br />
# JACK grabs sound card and starts up<br />
# script redirects PulseAudio to JACK<br />
# manually send PulseAudio apps to JACK output (pavucontrol may come in helpful for this)<br />
# use JACK programs etc<br />
# via script, stop redirecting PulseAudio to JACK<br />
# stop JACK and release soundcard<br />
# PulseAudio grabs sound card and reroutes audio to it directly<br />
<br />
with QJackCTL setup these scripts:<br />
<br />
{{ic|pulse-jack-pre-start.sh}}, set as the "Execute script on Startup" script:<br />
#!/bin/bash<br />
pacmd suspend true<br />
<br />
{{ic|pulse-jack-post-start.sh}}, set as the "Execute script after Startup" script:<br />
#!/bin/bash<br />
pactl load-module module-jack-sink channels=2<br />
pactl load-module module-jack-source channels=2<br />
pacmd set-default-sink jack_out<br />
pacmd set-default-source jack_in<br />
<br />
{{ic|pulse-jack-pre-stop.sh}}, set as the "Execute script on Shutdown" script:<br />
#!/bin/bash<br />
SINKID=$(pactl list | grep -B 1 "Name: module-jack-sink" | grep Module | sed 's/[^0-9]//g')<br />
SOURCEID=$(pactl list | grep -B 1 "Name: module-jack-source" | grep Module | sed 's/[^0-9]//g')<br />
pactl unload-module $SINKID<br />
pactl unload-module $SOURCEID<br />
sleep 5<br />
<br />
{{ic|pulse-jack-post-stop.sh}}, set as the "Execute script after Shutdown" script:<br />
#!/bin/bash<br />
pacmd suspend false<br />
<br />
===Pulseaudio through JACK the old way===<br />
The JACK-Audio-Connection-Kit is popular for audio work, and is widely supported by Linux audio applications. It fills a similar niche as Pulseaudio, but with more of an emphasis on professional audio work. In particular, audio applications such as Ardour and Audacity (recently) work well with Jack.<br />
<br />
Pulseaudio provides module-jack-source and module-jack-sink which allow Pulseaudio to be run as a sound server above the JACK daemon. This allows the usage of per-volume adjustments and the like for the apps which need it, play-back apps for movies and audio, while allowing low-latency and inter-app connectivity for sound-processing apps which connect to JACK. However, this will prevent Pulseaudio from directly writing to the sound card buffers, which will increase overall CPU usage.<br />
<br />
To just try PA on top of jack, have PA load the necessary modules on start:<br />
pulseaudio -L module-jack-sink -L module-jack-source<br />
<br />
To use PulseAudio with JACK, JACK must be started before PulseAudio, using whichever method one prefers. PulseAudio then needs to be started with the two relevant modules loaded. Edit {{ic|/etc/pulse/default.pa}} and change the following region:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
.ifexists module-udev-detect.so<br />
load-module module-udev-detect<br />
.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
load-module module-detect<br />
.endif<br />
<br />
to the following:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
load-module module-jack-source<br />
load-module module-jack-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
#.ifexists module-udev-detect.so<br />
#load-module module-udev-detect<br />
#.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
#load-module module-detect<br />
#.endif<br />
<br />
Basically, this prevents module-udev-detect from loading. module-udev-detect will always try to grab the sound-card (JACK has already done that, so this will cause an error). Also, the jack source and sink must be explicitly loaded.<br />
<br />
====QjackCtl with Startup/Shutdown Scripts====<br />
Using the settings listed above, use QjackCtl to execute a script upon startup and shutdown to load/unload PulseAudio. Part of the reason users may wish to do this is that the above changes disable PulseAudio's automatic hardware detection modules. This particular setup is for using PulseAudio exclusively with JACK; the scripts could be modified to unload and load an alternate non-JACK setup, although killing and starting PulseAudio while programs might be using it would be problematic.<br />
<br />
The following example could be used and modified as necessary as a startup script that daemonizes PulseAudio and loads the ''padevchooser'' program (optional, needs to be built from AUR) called {{ic|jack_startup}}:<br />
#!/bin/bash<br />
#Load PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio -D<br />
padevchooser&<br />
<br />
as well as a shutdown script to kill PulseAudio and the Pulse Audio Device Chooser, as another example called {{ic|jack_shutdown}} also in the home directory:<br />
#!/bin/bash<br />
#Kill PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio --kill<br />
killall padevchooser<br />
<br />
Both scripts need to be made executable:<br />
$ chmod +x jack_startup jack_shutdown<br />
<br />
Then, with QjackCtl loaded, click on the ''Setup'' button and then the ''Options'' tab, tick both "Execute Script after Startup:" and "Execute Script on Shutdown:", and either use the ... button or type the path to the scripts (assuming they are in the home directory): {{ic|~/jack_startup}} and {{ic|~/jack_shutdown}}. Make sure to save the changes.<br />
<br />
===Pulseaudio through OSS===<br />
Add the following to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-oss<br />
<br />
Then start PulseAudio as usual, making sure that sinks and sources are defined for OSS devices.<br />
<br />
===Pulseaudio from within a chroot (ex. 32-bit chroot in 64-bit install)===<br />
Since a chroot sets up an alternative root for the running/jailing of applications, pulseaudio must be installed within the chroot itself ({{ic|pacman -S pulseaudio}} within the chroot environment).<br />
<br />
PulseAudio, if not set up to connect to any specific server (this can be done in {{ic|/etc/pulse/client.conf}}, through the PULSE_SERVER environment variable, or through publishing to the local X11 properties using module-x11-publish), will attempt to connect to the local pulse server, failing which it will spawn a new pulse server. Each pulse server has a unique ID based on the machine-id value in {{ic|/var/lib/dbus}}. To allow chrooted apps to access the pulse server, the following directories must be mounted within the chroot:<br />
/var/run<br />
/var/lib/dbus<br />
/tmp<br />
~/.pulse<br />
<br />
{{ic|/dev/shm}} should also be mounted for efficiency and good performance. Note that mounting /home would normally also allow sharing of the {{ic|~/.pulse}} folder.<br />
<br />
For specific direction on accomplishing the appropriate mounts, please refer to the wiki on installing a bundled 32-bit system, especially the [https://wiki.archlinux.org/index.php?title=Arch64_Install_bundled_32bit_system#Additional_mount_option_to_allow_32-bit_apps_to_access_the_64-bit_Pulseaudio_server additional section] specific to Pulseaudio.<br />
<br />
===System-wide Equalizer===<br />
PulseAudio can be configured to sound much better through the use of a system-wide equalizer. There are a few tools to do this; extra information on the cons of each is [http://ubuntuforums.org/showthread.php?t=1378087 here]. Individual apps can be excluded via {{Ic|pavucontrol}}.<br />
<br />
====pulseaudio-equalizer====<br />
A simple, user-friendly gtk tool in the AUR: [https://aur.archlinux.org/packages.php?ID=48316 here]. <br />
<br />
{{Note|If pulseaudio-equalizer is removed, be sure to comment out the section it generated in {{Ic|$HOME/.pulse/default.pa}} or risk strange issues.}}<br />
{{Note|If users have trouble with the volume resetting to the maximum level or making harsh noise upon switching sound sources, do [https://wiki.archlinux.org/index.php/Pulseaudio#Volume_gets_louder_every_time_a_new_application_is_started this] and then find the "Equalized audio configuration" section in {{Ic| $HOME/.pulse/default.pa}} and comment out only the "set-sink-volume" line there.}}<br />
<br />
====qpaeq====<br />
A simple qt tool that comes with pulseaudio and includes support for more bands than pulseaudio-equalizer (just resize the window horizontally), but presently lacks easily accessible presets and may need to be set as the default manually. Located at {{Ic|/usr/bin/qpaeq}} and requires {{Ic|python2-pyqt}} to run. <br />
<br />
{{Note| If qpaeq crashes at startup, be sure that {{Ic|load-module module-equalizer-sink}} is in {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}} }}<br />
<br />
{{Note|If the equalizer has no effect (e.g., setting the ''qpaeq'' preamp bar to zero does not mute all sound), check that applications' audio is actually routed to the equalizer sink. Do this by adding the line {{Ic|set-default-sink equalized}} to {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}}.}}<br />
<br />
===Disabling Auto Spawning of PulseAudio Server===<br />
Some users may prefer to manually start the pulseaudio server before running certain programs and then stop the pulseaudio server when they are finished. A simple way to accomplish this is to edit {{ic|/etc/pulse/client.conf}} and change autospawn = yes to autospawn = no, and set daemon-binary to /bin/true. Make sure the two lines are uncommented as well.<br />
{{hc|/etc/pulse/client.conf|<nowiki><br />
autospawn = no<br />
daemon-binary = /bin/true <br />
</nowiki>}}<br />
Now you can manually start the pulseaudio server with<br />
$ pulseaudio --start<br />
and stop it with<br />
$ pulseaudio --kill<br />
You may also have to move or delete a .desktop file in /etc/xdg/autostart if it exists.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=PulseAudio/Examples&diff=254706PulseAudio/Examples2013-04-20T16:12:33Z<p>Jrussell: /* Zeroconf (Avahi) publishing */</p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[it:PulseAudio/Examples]]<br />
=== Simultaneous HDMI and Analog Output ===<br />
PulseAudio allows for simultaneous output to multiple sources. In this example, some applications are configured to use HDMI while others are configured to use analog. Multiple applications are able to receive audio at the same time.<br />
<br />
{{Note| To list devices aplay is used. This program is part of the alsa-utils package and is NOT required to output to multiple sources. It is required to list playback devices therefore users can remove this package when finished with it.}}<br />
<br />
First, users need to understand the system's audio layout. This is accomplished using ''aplay'' which is part of the {{pkg|alsa-utils}} package.<br />
<br />
{{bc|$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Intel [HDA Intel], device 0: ALC889A Analog [ALC889A Analog]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 1: ALC889A Digital [ALC889A Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0}}<br />
<br />
The key to a configuration like this is to understand that whatever is selected in pavucontrol under Configuration>Internal AUdio is the default device. Load pavucontrol>Configuration and select HDMI as the profile. <br />
<br />
Add the following to {{ic|/etc/pulse/default.pa}} to setup the analog as a secondary source:<br />
### Load analog device<br />
load-module module-alsa-sink device=hw:0,0<br />
load-module module-combine-sink sink_name=combined<br />
set-default-sink combined<br />
<br />
Restart PulseAudio, run pavucontrol and select the "Output Devices" tab. Three settings should be displayed:<br />
# Internal Audio Digital Stereo (HDMI)<br />
# Internal Audio<br />
# Simultaneous output to Internal Audio Digital Stereo (HDMI), Internal Audio<br />
<br />
Now start a program that will use pulseaudio such as mplayer, vlc, mpd, etc. and switch to the "Playback" tab. A pulldown should be available for the running program to select one of the three sources.<br />
<br />
Also see [https://bbs.archlinux.org/viewtopic.php?id=118026 this thread] for a variation on this theme and [http://www.freedesktop.org/wiki/Software/PulseAudio/FAQ#Can_I_use_PulseAudio_to_playback_music_on_two_sound_cards_simultaneously.3F PulseAudio FAQ].<br />
<br />
===Surround sound systems===<br />
Many people have a surround card, but have speakers for just two channels, so PulseAudio cannot really default to a surround setup. To enable all the channels, edit {{ic|/etc/pulse/daemon.conf}}: uncomment the default-sample-channels line (i.e. remove the semicolon from the beginning of the line) and set the value to '''6''' For a ''5.1'' setup, or '''8''' for a ''7.1'' setup etc.<br />
# Default<br />
default-sample-channels=2<br />
# For 5.1<br />
default-sample-channels=6<br />
# For 7.1<br />
default-sample-channels=8<br />
<br />
After doing the edit, restart Pulseaudio.<br />
<br />
====Splitting front/rear====<br />
Connect speakers to front analog output and headphones to rear output. It would be usefull to split front/rear to separate sinks. Add to {{ic|/etc/pulse/default.pa}}:<br />
<br />
load-module module-remap-sink sink_name=speakers remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=front-left,front-right channel_map=front-left,front-right<br />
load-module module-remap-sink sink_name=headphones remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=rear-left,rear-right channel_map=front-left,front-right<br />
<br />
(replace alsa_output.pci-0000_05_00.0.analog-surround-40 in the sound card name shown from 'pacmd list-sinks')<br />
<br />
Switch player between speakers and headphones.<br />
<br />
====LFE remixing====<br />
By default Pulseaudio remixes the number of channels to the default-sample-channels, however it dose not do this for the LFE channel. To enable LFE remixing uncomment the line:<br />
<br />
; enable-lfe-remixing = no<br />
<br />
and replace no with yes:<br />
<br />
enable-lfe-remixing = yes<br />
<br />
then restart Pulseaudio.<br />
<br />
===Advanced ALSA Configuration===<br />
In order for ALSA to use PulseAudio it needs a special {{ic|/etc/asound.conf}} (system wide settings) (recommended) or {{ic|~/.asoundrc}} (settings on a per user basis):<br />
{{hc|/etc/asound.conf|<nowiki><br />
pcm.pulse {<br />
type pulse<br />
}<br />
ctl.pulse {<br />
type pulse<br />
}<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
</nowiki>}}<br />
<br />
Omission of the last two groups will cause Pulseaudio not to be used by default. Change the ALSA device to "pulse" in the applications to make it work.<br />
<br />
{{Note|The above configuration is provided by the package {{Pkg|pulseaudio-alsa}}.}}<br />
<br />
====ALSA Monitor source====<br />
To be able to record from a monitor source (a.k.a. "What-U-Hear", "Stereo Mix"), use {{ic|pactl list}} to find out the name of the source in Pulseaudio (e.g. {{ic|alsa_output.pci-0000_00_1b.0.analog-stereo.monitor}}). Then add lines like the following to {{ic|/etc/asound.conf}} or {{ic|~/.asoundrc}}:<br />
pcm.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
ctl.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
Now you can select {{ic|pulse_monitor}} as a recording source.<br />
<br />
Alternatively, you can use pavucontrol to do this : make sure you've set up the display to "All input Devices", then select "Monitor of [your soundcard]" as the recording source.<br />
<br />
===HDMI output configuration===<br />
As outlined in ftp://download.nvidia.com/XFree86/gpu-hdmi-audio-document/gpu-hdmi-audio.html#_issues_in_pulseaudio, unless the HDMI port is the first output, PulseAudio will not produce any audio with certain graphics cards that have HDMI audio support. This is because of a bug in PulseAudio where it only selects the first HDMI output on a device. The workaround described below is to first find which HDMI output is working by using the aplay utility from ALSA.<br />
<br />
The original title for this section indicated the problem is specific to nVidia cards. As seen in [https://bbs.archlinux.org/viewtopic.php?id=133222 this forum thread] other cards are affected as well. The rest of the section will use an nVidia card as a case-study but the solution should carry over for people using other affected cards.<br />
<br />
====Finding HDMI output====<br />
Find the working output by listing the available cards:<br />
# aplay -l<br />
<br />
sample output:<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: NVidia [HDA NVidia], device 0: ALC1200 Analog [ALC1200 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: NVidia [HDA NVidia], device 3: ALC1200 Digital [ALC1200 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 7: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 8: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 9: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
<br />
====Testing for the correct card====<br />
Now that the list of detected cards is known, test which one is outputting to the TV/monitor:<br />
# aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Right.wav<br />
<br />
where 1 is the card and 3 is the device; substitute the values listed in the previous section. If there is no audio, try a different device (on my card I had to use card 1, device 7).<br />
<br />
====Manually configuring pulseaudio to detect the Nvidia HDMI====<br />
Having identified which HDMI device is working, PulseAudio can be forced to use it by adding the following line to {{ic|/etc/pulse/default.pa}} (note that a leading "#" would turn it into a comment):<br />
load-module module-alsa-sink device=hw:1,7<br />
<br />
where 1 is the card and 7 is the device found to work in the previous section.<br />
<br />
Restart PulseAudio:<br />
# killall pulseaudio<br />
<br />
Open the sound settings manager and make sure that, under the Hardware tab, the graphics card's HDMI audio is set to "Digital Stereo (HDMI) Output" (my graphics card's audio is called "GF100 High Definition Audio Controller").<br />
<br />
Then open the Output tab; there should now be two HDMI outputs for the graphics card. Test which one works by selecting one of them and playing audio with a program (e.g. use VLC to play a movie); if it does not work, select the other.<br />
<br />
===PulseAudio over network===<br />
One of PulseAudio's magnificent features is the possibility to stream audio from clients over TCP to the server running the PulseAudio daemon, allowing sound to be streamed through the LAN.<br />
<br />
To accomplish this, one needs to enable module-native-protocol-tcp on the server and copy the server's pulse-cookie to the clients; the cookie is the shared secret with which clients authenticate to the server.<br />
<br />
====TCP support (networked sound)====<br />
To enable the TCP module, add this to (or uncomment, if already there) {{ic|/etc/pulse/default.pa}}:<br />
load-module module-native-protocol-tcp<br />
<br />
Note: if clients have trouble connecting, verify on the server that the module is actually loaded:<br />
pacmd list-modules<br />
<br />
====TCP support with anonymous clients====<br />
<br />
If copying the pulse-cookie to the clients is undesirable, anonymous clients can be allowed by giving these parameters to module-native-protocol-tcp (again in {{ic|/etc/pulse/default.pa}}):<br />
<br />
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.168.0.0/24 auth-anonymous=1<br />
<br />
Change the LAN IP prefix if it differs from 192.168.0.0. With auth-anonymous=1, clients whose address matches auth-ip-acl connect without the cookie while all other clients still need it, so list only the hosts or subnet that actually need access.<br />
<br />
====Zeroconf (Avahi) publishing====<br />
For the remote Pulseaudio server to appear in the PulseAudio Device Chooser ({{ic|padevchooser}}), load the appropriate zeroconf modules, and enable the [[Avahi]] [[daemon]].<br />
<br />
On both machines run:<br />
systemctl start avahi-daemon.service<br />
systemctl enable avahi-daemon.service<br />
On the server, add {{ic|load-module module-zeroconf-publish}} to /etc/pulse/default.pa, on the client, add {{ic|load-module module-zeroconf-discover}} to {{ic|/etc/pulse/default.pa}}. Now redirect any stream or complete audio output to the remote pulseaudio server by selecting the appropriate sink.<br />
<br />
====Switching the PulseAudio server used by local X clients====<br />
To switch between servers on the client from within X, the {{ic|pax11publish}} command can be used. For example, to switch from the default server to the server at hostname foo:<br />
$ pax11publish -e -S foo<br />
<br />
Or to switch back to the default:<br />
$ pax11publish -e -r<br />
<br />
Note that for the switch to become apparent, the programs using Pulse must be restarted.<br />
<br />
====When everything else seems to fail====<br />
The following is a quick fix and NOT a permanent solution.<br />
<br />
On the Server: <br />
$ paprefs <br />
Go to Network Access -> Enable access to local sound devices (Also check both 'Allow discover' and 'Don't require authentication').<br />
<br />
On the Client: <br />
$ export PULSE_SERVER=server.ip && mplayer test.mp3<br />
<br />
===PulseAudio through JACK the new new way===<br />
This configuration only works with jackdbus (JACK2 compiled with D-Bus support). Add to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-jackdbus-detect<br />
As described on the [http://trac.jackaudio.org/wiki/JackDbusPackaging Jack-DBUS Packaging] page:<br />
<br />
''Server auto-launching is implemented as D-Bus call that auto-activates JACK D-Bus service, in case it is not already started, and starts the JACK server. Correct interaction with PulseAudio is done using a D-Bus based audio card "acquire/release" mechanism. When JACK server starts, it asks this D-Bus service to acquire the audio card and PulseAudio will unconditionally release it. When JACK server stops, it releases the audio card that can be grabbed again by PulseAudio.''<br />
<br />
{{ic|module-jackdbus-detect.so}} dynamically loads and unloads module-jack-sink and module-jack-source when jackdbus is started and stopped.<br />
<br />
If PulseAudio sound does not work, check with {{ic|pavucontrol}} to see if the relevant programs appear in the playback tab. If not, add the following to {{ic|~/.asoundrc}} or {{ic|/etc/asound.conf}} to redirect ALSA to PulseAudio:<br />
<br />
pcm.pulse {<br />
type pulse<br />
}<br />
<br />
ctl.pulse {<br />
type pulse<br />
}<br />
<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
<br />
If it still doesn't work, check with {{ic|pavucontrol}} in the playback tab and make sure the relevant programs are outputting to PulseAudio JACK Sink instead of your audio card (which JACK has control of, so it won't work).<br />
<br />
===PulseAudio through JACK the new way===<br />
The basic idea is that killing PulseAudio is a bad idea: it may crash any apps using PulseAudio and disrupt any audio playing.<br />
<br />
The flow of this setup is:<br />
<br />
# PulseAudio releases the sound card<br />
# JACK grabs sound card and starts up<br />
# script redirects PulseAudio to JACK<br />
# manually send PulseAudio apps to JACK output (pavucontrol may come in helpful for this)<br />
# use JACK programs etc<br />
# via script, stop redirecting PulseAudio to JACK<br />
# stop JACK and release soundcard<br />
# PulseAudio grabs sound card and reroutes audio to it directly<br />
<br />
With QjackCtl, set up these scripts:<br />
<br />
{{ic|pulse-jack-pre-start.sh}}, set up as the "execute script on startup":<br />
#!/bin/bash<br />
pacmd suspend true<br />
<br />
{{ic|pulse-jack-post-start.sh}}, set up as the "execute script after startup":<br />
#!/bin/bash<br />
pactl load-module module-jack-sink channels=2<br />
pactl load-module module-jack-source channels=2<br />
pacmd set-default-sink jack_out<br />
pacmd set-default-source jack_in<br />
<br />
{{ic|pulse-jack-pre-stop.sh}}, set up as the "execute script on shutdown":<br />
#!/bin/bash<br />
SINKID=$(pactl list | grep -B 1 "Name: module-jack-sink" | grep Module | sed 's/[^0-9]//g')<br />
SOURCEID=$(pactl list | grep -B 1 "Name: module-jack-source" | grep Module | sed 's/[^0-9]//g')<br />
pactl unload-module $SINKID<br />
pactl unload-module $SOURCEID<br />
sleep 5<br />
<br />
{{ic|pulse-jack-post-stop.sh}}, set up as the "execute script after shutdown":<br />
#!/bin/bash<br />
pacmd suspend false<br />
<br />
===Pulseaudio through JACK the old way===<br />
The JACK-Audio-Connection-Kit is popular for audio work, and is widely supported by Linux audio applications. It fills a similar niche as Pulseaudio, but with more of an emphasis on professional audio work. In particular, audio applications such as Ardour and Audacity (recently) work well with Jack.<br />
<br />
Pulseaudio provides module-jack-source and module-jack-sink which allow Pulseaudio to be run as a sound server above the JACK daemon. This allows the usage of per-volume adjustments and the like for the apps which need it, play-back apps for movies and audio, while allowing low-latency and inter-app connectivity for sound-processing apps which connect to JACK. However, this will prevent Pulseaudio from directly writing to the sound card buffers, which will increase overall CPU usage.<br />
<br />
To just try PA on top of jack, have PA load the necessary modules on start:<br />
pulseaudio -L module-jack-sink -L module-jack-source<br />
<br />
To use PulseAudio with JACK, JACK must be started before PulseAudio, using whichever method one prefers. PulseAudio then needs to be started with the two relevant modules loaded. Edit {{ic|/etc/pulse/default.pa}} and change the following region:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
.ifexists module-udev-detect.so<br />
load-module module-udev-detect<br />
.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
load-module module-detect<br />
.endif<br />
<br />
to the following:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
load-module module-jack-source<br />
load-module module-jack-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
#.ifexists module-udev-detect.so<br />
#load-module module-udev-detect<br />
#.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
#load-module module-detect<br />
#.endif<br />
<br />
Basically, this prevents module-udev-detect from loading: module-udev-detect always tries to grab the sound card, which JACK has already done, so loading it would cause an error. The JACK source and sink must also be loaded explicitly.<br />
<br />
====QjackCtl with Startup/Shutdown Scripts====<br />
Using the settings listed above, QjackCtl can execute a script on startup and on shutdown to load and unload PulseAudio. Part of the reason for doing this is that the above changes disable PulseAudio's automatic hardware detection modules. This particular setup uses PulseAudio exclusively with JACK; the scripts could be modified to unload and load an alternate non-JACK setup, but killing and starting PulseAudio while programs might be using it would be problematic.<br />
<br />
The following example could be used and modified as necessary as a startup script that daemonizes PulseAudio and loads the ''padevchooser'' program (optional, needs to be built from AUR) called {{ic|jack_startup}}:<br />
#!/bin/bash<br />
#Load PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio -D<br />
padevchooser&<br />
<br />
as well as a shutdown script to kill PulseAudio and the Pulse Audio Device Chooser, as another example called {{ic|jack_shutdown}} also in the home directory:<br />
#!/bin/bash<br />
#Kill PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio --kill<br />
killall padevchooser<br />
<br />
Both scripts need to be made executable:<br />
chmod +x jack_startup jack_shutdown<br />
<br />
Then, with QjackCtl loaded, click on the ''Setup'' button and then the ''Options'' tab, tick both "Execute Script after Startup:" and "Execute Script on Shutdown:", and either use the ... button or type the paths to the scripts (assuming the scripts are in the home directory, {{ic|~/jack_startup}} and {{ic|~/jack_shutdown}}), making sure to save the changes.<br />
<br />
===Pulseaudio through OSS===<br />
Add the following to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-oss<br />
<br />
Then start PulseAudio as usual, making sure that sinks and sources are defined for the OSS devices.<br />
<br />
===Pulseaudio from within a chroot (ex. 32-bit chroot in 64-bit install)===<br />
Since a chroot sets up an alternative root for the running/jailing of applications, pulseaudio must be installed within the chroot itself ({{ic|pacman -S pulseaudio}} within the chroot environment).<br />
<br />
PulseAudio, if not set up to connect to any specific server (this can be done in {{ic|/etc/pulse/client.conf}}, through the PULSE_SERVER environment variable, or through publishing to the local X11 properties using module-x11-publish), will attempt to connect to the local pulse server, failing which it will spawn a new pulse server. Each pulse server has a unique ID based on the machine-id value in {{ic|/var/lib/dbus}}. To allow chrooted apps to access the pulse server, the following directories must be mounted within the chroot:<br />
/var/run<br />
/var/lib/dbus<br />
/tmp<br />
~/.pulse<br />
<br />
{{ic|/dev/shm}} should also be mounted for efficiency and good performance. Note that mounting /home would normally also allow sharing of the {{ic|~/.pulse}} folder.<br />
<br />
For specific direction on accomplishing the appropriate mounts, please refer to the wiki on installing a bundled 32-bit system, especially the [https://wiki.archlinux.org/index.php?title=Arch64_Install_bundled_32bit_system#Additional_mount_option_to_allow_32-bit_apps_to_access_the_64-bit_Pulseaudio_server additional section] specific to Pulseaudio.<br />
<br />
===System-wide Equalizer===<br />
PulseAudio can be configured to sound much better through the use of a system-wide equalizer. There are a few tools to do this; extra information on the cons of each is available [http://ubuntuforums.org/showthread.php?t=1378087 here]. Individual apps can be excluded via {{Ic|pavucontrol}}.<br />
<br />
====pulseaudio-equalizer====<br />
A simple, user-friendly gtk tool in the AUR: [https://aur.archlinux.org/packages.php?ID=48316 here]. <br />
<br />
{{Note|If you remove pulseaudio-equalizer, be sure to comment out the respective generated section in {{Ic|$HOME/.pulse/default.pa}} or risk strange issues.}}<br />
{{Note|If users have trouble with the volume resetting to the maximum level or making harsh noise upon switching sound sources, do [https://wiki.archlinux.org/index.php/Pulseaudio#Volume_gets_louder_every_time_a_new_application_is_started this] and then find the "Equalized audio configuration" section in {{Ic| $HOME/.pulse/default.pa}} and comment out only the "set-sink-volume" line there.}}<br />
<br />
====qpaeq====<br />
A simple qt tool that comes with pulseaudio and includes support for more bands than pulseaudio-equalizer (just resize the window horizontally), but presently lacks easily accessible presets and may need to be set as the default manually. Located at {{Ic|/usr/bin/qpaeq}} and requires {{Ic|python2-pyqt}} to run. <br />
<br />
{{Note| If qpaeq crashes at startup, be sure that {{Ic|load-module module-equalizer-sink}} is in {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}} }}<br />
<br />
{{Note|If the equalizer has no effect (e.g., setting the ''qpaeq'' preamp bar to zero does not mute all sound), check that applications' audio sinks are linked to the equalizer. Do this by adding the line {{Ic|set-default-sink equalized}} to {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}}.}}<br />
<br />
===Disabling Auto Spawning of PulseAudio Server===<br />
Some users may prefer to manually start the pulseaudio server before running certain programs and then stop the pulseaudio server when they are finished. A simple way to accomplish this is to edit {{ic|/etc/pulse/client.conf}} and change autospawn = yes to autospawn = no, and set daemon-binary to /bin/true. Make sure the two lines are uncommented as well.<br />
{{hc|/etc/pulse/client.conf|<nowiki><br />
autospawn = no<br />
daemon-binary = /bin/true <br />
</nowiki>}}<br />
Now you can manually start the pulseaudio server with<br />
$ pulseaudio --start<br />
and stop it with<br />
$ pulseaudio --kill<br />
You may also have to move or delete a .desktop file in /etc/xdg/autostart if it exists.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=PulseAudio/Examples&diff=254705PulseAudio/Examples2013-04-20T16:03:43Z<p>Jrussell: updated command to list modules</p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[it:PulseAudio/Examples]]<br />
=== Simultaneous HDMI and Analog Output ===<br />
PulseAudio allows for simultaneous output to multiple sources. In this example, some applications are configured to use HDMI while others are configured to use analog. Multiple applications are able to receive audio at the same time.<br />
<br />
{{Note|To list devices, aplay is used. This program is part of the alsa-utils package and is NOT required to output to multiple sources; it is only needed to list playback devices, so users can remove the package when finished with it.}}<br />
<br />
First, users need to understand the system's audio layout. This is accomplished using ''aplay'' which is part of the {{pkg|alsa-utils}} package.<br />
<br />
{{bc|$ aplay -l<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: Intel [HDA Intel], device 0: ALC889A Analog [ALC889A Analog]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 1: ALC889A Digital [ALC889A Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0}}<br />
<br />
The key to a configuration like this is to understand that whatever is selected in pavucontrol under Configuration > Internal Audio is the default device. Open pavucontrol > Configuration and select HDMI as the profile.<br />
<br />
Add the following to {{ic|/etc/pulse/default.pa}} to set up the analog output as a secondary sink:<br />
### Load analog device<br />
load-module module-alsa-sink device=hw:0,0<br />
load-module module-combine-sink sink_name=combined<br />
set-default-sink combined<br />
<br />
Restart PulseAudio, run pavucontrol and select the "Output Devices" tab. Three settings should be displayed:<br />
# Internal Audio Digital Stereo (HDMI)<br />
# Internal Audio<br />
# Simultaneous output to Internal Audio Digital Stereo (HDMI), Internal Audio<br />
<br />
Now start a program that uses PulseAudio, such as mplayer, vlc or mpd, and switch to the "Playback" tab. A pulldown should be available for the running program to select one of the three outputs.<br />
<br />
Also see [https://bbs.archlinux.org/viewtopic.php?id=118026 this thread] for a variation on this theme and [http://www.freedesktop.org/wiki/Software/PulseAudio/FAQ#Can_I_use_PulseAudio_to_playback_music_on_two_sound_cards_simultaneously.3F PulseAudio FAQ].<br />
<br />
===Surround sound systems===<br />
Many people have a surround card but have speakers for just two channels, so PulseAudio cannot really default to a surround setup. To enable all the channels, edit {{ic|/etc/pulse/daemon.conf}}: uncomment the default-sample-channels line (i.e. remove the semicolon from the beginning of the line) and set the value to '''6''' for a ''5.1'' setup, '''8''' for a ''7.1'' setup, etc.<br />
# Default<br />
default-sample-channels=2<br />
# For 5.1<br />
default-sample-channels=6<br />
# For 7.1<br />
default-sample-channels=8<br />
<br />
After doing the edit, restart Pulseaudio.<br />
<br />
====Splitting front/rear====<br />
With speakers connected to the front analog output and headphones to the rear output, it is useful to split front and rear into separate sinks. Add to {{ic|/etc/pulse/default.pa}}:<br />
<br />
load-module module-remap-sink sink_name=speakers remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=front-left,front-right channel_map=front-left,front-right<br />
load-module module-remap-sink sink_name=headphones remix=no master=alsa_output.pci-0000_05_00.0.analog-surround-40 channels=2 master_channel_map=rear-left,rear-right channel_map=front-left,front-right<br />
<br />
(replace alsa_output.pci-0000_05_00.0.analog-surround-40 with the sink name of your sound card as shown by 'pacmd list-sinks')<br />
<br />
Players can now be switched between the speakers and headphones sinks.<br />
<br />
====LFE remixing====<br />
By default PulseAudio remixes streams to the number of channels set by default-sample-channels, but it does not do this for the LFE channel. To enable LFE remixing, uncomment the line:<br />
<br />
; enable-lfe-remixing = no<br />
<br />
and replace no with yes:<br />
<br />
enable-lfe-remixing = yes<br />
<br />
then restart Pulseaudio.<br />
<br />
===Advanced ALSA Configuration===<br />
In order for ALSA to use PulseAudio it needs a special {{ic|/etc/asound.conf}} (system wide settings) (recommended) or {{ic|~/.asoundrc}} (settings on a per user basis):<br />
{{hc|/etc/asound.conf|<nowiki><br />
pcm.pulse {<br />
type pulse<br />
}<br />
ctl.pulse {<br />
type pulse<br />
}<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
</nowiki>}}<br />
<br />
If the last two groups are omitted, PulseAudio is not used by default; in that case set the ALSA device to "pulse" in each application to make it work.<br />
<br />
{{Note|The above configuration is provided by the package {{Pkg|pulseaudio-alsa}}.}}<br />
<br />
====ALSA Monitor source====<br />
To be able to record from a monitor source (a.k.a. "What-U-Hear", "Stereo Mix"), use {{ic|pactl list}} to find out the name of the source in Pulseaudio (e.g. {{ic|alsa_output.pci-0000_00_1b.0.analog-stereo.monitor}}). Then add lines like the following to {{ic|/etc/asound.conf}} or {{ic|~/.asoundrc}}:<br />
pcm.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
ctl.pulse_monitor {<br />
type pulse<br />
device alsa_output.pci-0000_00_1b.0.analog-stereo.monitor<br />
}<br />
<br />
Now you can select {{ic|pulse_monitor}} as a recording source.<br />
<br />
Alternatively, you can use pavucontrol to do this: make sure the display is set to "All Input Devices", then select "Monitor of [your soundcard]" as the recording source.<br />
<br />
===HDMI output configuration===<br />
As outlined in ftp://download.nvidia.com/XFree86/gpu-hdmi-audio-document/gpu-hdmi-audio.html#_issues_in_pulseaudio, unless the HDMI port is the first output, PulseAudio will not produce any audio with certain graphics cards that have HDMI audio support. This is because of a bug in PulseAudio where it only selects the first HDMI output on a device. The workaround described below is to first find which HDMI output is working by using the aplay utility from ALSA.<br />
<br />
The original title for this section indicated the problem is specific to nVidia cards. As seen in [https://bbs.archlinux.org/viewtopic.php?id=133222 this forum thread] other cards are affected as well. The rest of the section will use an nVidia card as a case-study but the solution should carry over for people using other affected cards.<br />
<br />
====Finding HDMI output====<br />
Find the working output by listing the available cards:<br />
# aplay -l<br />
<br />
sample output:<br />
**** List of PLAYBACK Hardware Devices ****<br />
card 0: NVidia [HDA NVidia], device 0: ALC1200 Analog [ALC1200 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: NVidia [HDA NVidia], device 3: ALC1200 Digital [ALC1200 Digital]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 3: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 7: HDMI 0 [HDMI 0]<br />
Subdevices: 0/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 8: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 1: NVidia_1 [HDA NVidia], device 9: HDMI 0 [HDMI 0]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
<br />
====Testing for the correct card====<br />
Now that the list of detected cards is known, test which one is outputting to the TV/monitor:<br />
# aplay -D plughw:1,3 /usr/share/sounds/alsa/Front_Right.wav<br />
<br />
where 1 is the card and 3 is the device; substitute the values listed in the previous section. If there is no audio, try a different device (on my card I had to use card 1, device 7).<br />
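The two steps above (list the cards, then try each HDMI device with aplay) as an added example that is not part of the wiki page: a POSIX shell filter that parses an {{ic|aplay -l}} listing and prints the {{ic|plughw:CARD,DEV}} name of every HDMI device, together with whether one of its subdevices is currently free, plus the {{ic|aplay}} test command to run for each. The listing embedded in the script is a constructed sample modelled on the one shown above, and the function names are this example's own.<br />
```sh
#!/bin/sh
# Added example (not from the wiki page): turn an `aplay -l` listing into
# the list of HDMI devices to try with `aplay -D plughw:CARD,DEV`.
#
# hdmi_candidates reads the listing on stdin and prints one line per HDMI
# device: "plughw:CARD,DEV free|busy". "busy" means no subdevice is free,
# i.e. some process (often PulseAudio itself) already has the device open,
# so aplay cannot open it for a test tone until that process releases it.
hdmi_candidates() {
    pending=""
    while IFS= read -r line; do
        case $line in
            "card "[0-9]*HDMI*)
                # e.g. "card 1: NVidia_1 [HDA NVidia], device 7: HDMI 0 [HDMI 0]"
                card=${line#card }; card=${card%%:*}
                dev=${line#*, device }; dev=${dev%%:*}
                pending="plughw:$card,$dev"
                ;;
            *"Subdevices: "*)
                # "Subdevices: N/M": N of the M subdevices are currently free
                [ -n "$pending" ] || continue
                avail=${line#*Subdevices: }; avail=${avail%%/*}
                if [ "$avail" -gt 0 ]; then state=free; else state=busy; fi
                printf '%s %s\n' "$pending" "$state"
                pending=""
                ;;
        esac
    done
}

# Print (do not run) the aplay test command for each HDMI candidate, so the
# commands can be tried one at a time while listening at the TV/monitor.
hdmi_test_commands() {
    hdmi_candidates | while read -r dev _; do
        printf 'aplay -D %s /usr/share/sounds/alsa/Front_Right.wav\n' "$dev"
    done
}

# Constructed sample listing, modelled on the `aplay -l` output shown above.
SAMPLE_APLAY_L='**** List of PLAYBACK Hardware Devices ****
card 0: NVidia [HDA NVidia], device 0: ALC1200 Analog [ALC1200 Analog]
  Subdevices: 1/1
  Subdevice #0: subdevice #0
card 1: NVidia_1 [HDA NVidia], device 3: HDMI 0 [HDMI 0]
  Subdevices: 1/1
  Subdevice #0: subdevice #0
card 1: NVidia_1 [HDA NVidia], device 7: HDMI 0 [HDMI 0]
  Subdevices: 0/1
  Subdevice #0: subdevice #0'

# Offline run against the sample; on a real machine pipe `aplay -l` into
# hdmi_test_commands instead.
printf '%s\n' "$SAMPLE_APLAY_L" | hdmi_test_commands
```
With the sample listing the script prints test commands for plughw:1,3 and plughw:1,7; the device reported as busy is the one to look at first if PulseAudio is already running, since PulseAudio keeps the output it selected open.<br />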
<br />
====Manually configuring pulseaudio to detect the Nvidia HDMI====<br />
Having identified which HDMI device is working, PulseAudio can be forced to use it by adding the following line to {{ic|/etc/pulse/default.pa}} (note that a leading "#" would turn it into a comment):<br />
load-module module-alsa-sink device=hw:1,7<br />
<br />
where 1 is the card and 7 is the device found to work in the previous section.<br />
<br />
Restart PulseAudio:<br />
# killall pulseaudio<br />
<br />
Open the sound settings manager and make sure that, under the Hardware tab, the graphics card's HDMI audio is set to "Digital Stereo (HDMI) Output" (my graphics card's audio is called "GF100 High Definition Audio Controller").<br />
<br />
Then open the Output tab; there should now be two HDMI outputs for the graphics card. Test which one works by selecting one of them and playing audio with a program (e.g. use VLC to play a movie); if it does not work, select the other.<br />
<br />
===PulseAudio over network===<br />
One of PulseAudio's magnificent features is the possibility to stream audio from clients over TCP to the server running the PulseAudio daemon, allowing sound to be streamed through the LAN.<br />
<br />
To accomplish this, one needs to enable module-native-protocol-tcp on the server and copy the server's pulse-cookie to the clients; the cookie is the shared secret with which clients authenticate to the server.<br />
<br />
====TCP support (networked sound)====<br />
To enable the TCP module, add this to (or uncomment, if already there) {{ic|/etc/pulse/default.pa}}:<br />
load-module module-native-protocol-tcp<br />
<br />
Note: if clients have trouble connecting, verify on the server that the module is actually loaded:<br />
pacmd list-modules<br />
<br />
====TCP support with anonymous clients====<br />
<br />
If copying the pulse-cookie to the clients is undesirable, anonymous clients can be allowed by giving these parameters to module-native-protocol-tcp (again in {{ic|/etc/pulse/default.pa}}):<br />
<br />
load-module module-native-protocol-tcp auth-ip-acl=127.0.0.1;192.168.0.0/24 auth-anonymous=1<br />
<br />
Change the LAN IP prefix if it differs from 192.168.0.0. With auth-anonymous=1, clients whose address matches auth-ip-acl connect without the cookie while all other clients still need it, so list only the hosts or subnet that actually need access.<br />
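To see which client addresses the auth-ip-acl line above exempts from cookie authentication, here is an added example that is not part of the wiki page and not PulseAudio's own code: a POSIX shell model of standard IPv4 prefix matching applied to an ACL string in the same "a.b.c.d;a.b.c.d/prefix" form used in default.pa. The function names, the PAGE_ACL constant (the page's own value) and the NARROW_ACL constant with two placeholder hosts are this example's assumptions.<br />
```sh
#!/bin/sh
# Added example (not from the wiki page, not PulseAudio's implementation):
# model which clients an auth-ip-acl value admits without a cookie when
# auth-anonymous=1 is set. IPv4 only; entries are "a.b.c.d" (a single host)
# or "a.b.c.d/prefix", separated by ';' exactly as in default.pa.

# ip4_to_int 192.168.0.5  ->  3232235525 (the address as a 32-bit integer)
ip4_to_int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip_in_acl CLIENT_IP ACL  ->  exit status 0 if some ACL entry covers CLIENT_IP
ip_in_acl() {
    client=$(ip4_to_int "$1")
    oldifs=$IFS; IFS=';'
    set -- $2
    IFS=$oldifs
    for entry in "$@"; do
        case $entry in
            */*) net=${entry%/*}; bits=${entry#*/} ;;
            *)   net=$entry;      bits=32 ;;            # bare host == /32
        esac
        # network mask for the prefix length, truncated to 32 bits
        mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
        if [ $(( client & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]; then
            return 0
        fi
    done
    return 1
}

# The ACL used on this page: localhost plus the whole 192.168.0.0/24 LAN
# (254 possible hosts, every one of them admitted without a cookie).
PAGE_ACL='127.0.0.1;192.168.0.0/24'

# A narrower alternative that admits only named hosts (placeholder addresses,
# an assumption of this example): everything else must present the cookie.
NARROW_ACL='127.0.0.1;192.168.0.10;192.168.0.11'

# auth_mode CLIENT_IP [ACL]  ->  "anonymous" or "cookie required"
auth_mode() {
    if ip_in_acl "$1" "${2:-$PAGE_ACL}"; then
        echo anonymous
    else
        echo "cookie required"
    fi
}

# Show the two policies side by side for a few constructed client addresses.
for ip in 127.0.0.1 192.168.0.10 192.168.0.200 192.168.1.7 10.0.0.9; do
    printf '%-14s page ACL: %-16s narrow ACL: %s\n' \
        "$ip" "$(auth_mode "$ip")" "$(auth_mode "$ip" "$NARROW_ACL")"
done
```
Under PAGE_ACL every address in 192.168.0.0/24 is reported as anonymous, while under NARROW_ACL 192.168.0.200 falls back to "cookie required"; the same check is a quick way to confirm, before restarting PulseAudio, that an edited auth-ip-acl still covers the intended clients and nothing more.<br />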
<br />
====Zeroconf (Avahi) publishing====<br />
For the remote PulseAudio server to appear in the PulseAudio Device Chooser ({{ic|padevchooser}}), load the appropriate zeroconf modules and enable Avahi. On both machines add {{ic|avahi-daemon}} to the DAEMONS array in rc.conf.<br />
On the server, add {{ic|load-module module-zeroconf-publish}} to /etc/pulse/default.pa, on the client, add {{ic|load-module module-zeroconf-discover}} to {{ic|/etc/pulse/default.pa}}. Now redirect any stream or complete audio output to the remote pulseaudio server by selecting the appropriate sink.<br />
<br />
====Switching the PulseAudio server used by local X clients====<br />
To switch between servers on the client from within X, the {{ic|pax11publish}} command can be used. For example, to switch from the default server to the server at hostname foo:<br />
$ pax11publish -e -S foo<br />
<br />
Or to switch back to the default:<br />
$ pax11publish -e -r<br />
<br />
Note that for the switch to become apparent, the programs using Pulse must be restarted.<br />
<br />
====When everything else seems to fail====<br />
The following is a quick fix and NOT a permanent solution.<br />
<br />
On the Server: <br />
$ paprefs <br />
Go to Network Access -> Enable access to local sound devices (Also check both 'Allow discover' and 'Don't require authentication').<br />
<br />
On the Client: <br />
$ export PULSE_SERVER=server.ip && mplayer test.mp3<br />
<br />
===PulseAudio through JACK the new new way===<br />
This configuration only works with jackdbus (JACK2 compiled with D-Bus support). Add to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-jackdbus-detect<br />
As described on the [http://trac.jackaudio.org/wiki/JackDbusPackaging Jack-DBUS Packaging] page:<br />
<br />
''Server auto-launching is implemented as D-Bus call that auto-activates JACK D-Bus service, in case it is not already started, and starts the JACK server. Correct interaction with PulseAudio is done using a D-Bus based audio card "acquire/release" mechanism. When JACK server starts, it asks this D-Bus service to acquire the audio card and PulseAudio will unconditionally release it. When JACK server stops, it releases the audio card that can be grabbed again by PulseAudio.''<br />
<br />
{{ic|module-jackdbus-detect.so}} dynamically loads and unloads module-jack-sink and module-jack-source when jackdbus is started and stopped.<br />
<br />
If PulseAudio sound does not work, check with {{ic|pavucontrol}} to see if the relevant programs appear in the playback tab. If not, add the following to {{ic|~/.asoundrc}} or {{ic|/etc/asound.conf}} to redirect ALSA to PulseAudio:<br />
<br />
pcm.pulse {<br />
type pulse<br />
}<br />
<br />
ctl.pulse {<br />
type pulse<br />
}<br />
<br />
pcm.!default {<br />
type pulse<br />
}<br />
ctl.!default {<br />
type pulse<br />
}<br />
<br />
If it still doesn't work, check with {{ic|pavucontrol}} in the playback tab and make sure the relevant programs are outputting to PulseAudio JACK Sink instead of your audio card (which JACK has control of, so it won't work).<br />
<br />
===PulseAudio through JACK the new way===<br />
The basic idea is that killing PulseAudio is a bad idea: it may crash any apps using PulseAudio and disrupt any audio playing.<br />
<br />
The flow of this setup is:<br />
<br />
# PulseAudio releases the sound card<br />
# JACK grabs sound card and starts up<br />
# script redirects PulseAudio to JACK<br />
# manually send PulseAudio apps to JACK output (pavucontrol may come in helpful for this)<br />
# use JACK programs etc<br />
# via script, stop redirecting PulseAudio to JACK<br />
# stop JACK and release soundcard<br />
# PulseAudio grabs sound card and reroutes audio to it directly<br />
<br />
With QjackCtl, set up these scripts:<br />
<br />
{{ic|pulse-jack-pre-start.sh}}, set as the "execute script on startup":<br />
#!/bin/bash<br />
pacmd suspend true<br />
<br />
{{ic|pulse-jack-post-start.sh}}, set as the "execute script after startup":<br />
#!/bin/bash<br />
pactl load-module module-jack-sink channels=2<br />
pactl load-module module-jack-source channels=2<br />
pacmd set-default-sink jack_out<br />
pacmd set-default-source jack_in<br />
<br />
{{ic|pulse-jack-pre-stop.sh}}, set as the "execute script on shutdown":<br />
#!/bin/bash<br />
SINKID=$(pactl list | grep -B 1 "Name: module-jack-sink" | grep Module | sed 's/[^0-9]//g')<br />
SOURCEID=$(pactl list | grep -B 1 "Name: module-jack-source" | grep Module | sed 's/[^0-9]//g')<br />
pactl unload-module $SINKID<br />
pactl unload-module $SOURCEID<br />
sleep 5<br />
<br />
{{ic|pulse-jack-post-stop.sh}}, set as the "execute script after shutdown":<br />
#!/bin/bash<br />
pacmd suspend false<br />
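<br />
The four hook scripts above can be folded into a single script selected by its first argument. The following is an added example, not part of the wiki page or of QjackCtl/PulseAudio themselves; it assumes {{ic|pactl}} and {{ic|pacmd}} are on PATH when run for real, and it replaces the {{ic|grep}}/{{ic|sed}} one-liner with a lookup that returns nothing when a module is not loaded, so {{ic|pactl unload-module}} is never called with an empty argument. The {{ic|pactl list}} sample embedded in it is constructed for offline testing.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki): the four QjackCtl hook scripts
# folded into one, selected by the first argument.
# Assumes PulseAudio's pactl/pacmd are on PATH when run for real.
#
#   execute script on startup:     pulse-jack-hook.sh pre-start
#   execute script after startup:  pulse-jack-hook.sh post-start
#   execute script on shutdown:    pulse-jack-hook.sh pre-stop
#   execute script after shutdown: pulse-jack-hook.sh post-stop

# Print the index of a loaded module, given `pactl list` text on stdin and
# the module name as $1. Prints nothing and returns 1 when the module is
# not loaded, so a caller never runs `pactl unload-module ""`.
module_index() {
    idx=$(awk -v want="$1" '
        /^Module #[0-9]+$/     { cur = substr($0, 9); next }   # "Module #23" -> 23
        /^[A-Za-z ]+ #[0-9]+$/ { cur = ""; next }              # Sink #, Source #, ...: reset
        /^[ \t]*Name: /        { if (cur != "" && $2 == want) { print cur; exit } }
    ')
    [ -n "$idx" ] || return 1
    printf '%s\n' "$idx"
}

# Unload a module only if it is currently loaded.
unload_if_loaded() {
    idx=$(pactl list | module_index "$1") || return 0
    pactl unload-module "$idx"
}

# Constructed sample of `pactl list` output (the real output has many more
# blocks), used to exercise module_index without a running PulseAudio.
SAMPLE_PACTL_LIST='Module #23
	Name: module-jack-sink
	Argument: channels=2
Module #24
	Name: module-jack-source
	Argument: channels=2
Sink #3
	Name: jack_out
	Owner Module: 23'

case "${1:-}" in
    pre-start)
        pacmd suspend true ;;
    post-start)
        pactl load-module module-jack-sink channels=2
        pactl load-module module-jack-source channels=2
        pacmd set-default-sink jack_out
        pacmd set-default-source jack_in ;;
    pre-stop)
        unload_if_loaded module-jack-sink
        unload_if_loaded module-jack-source
        sleep 5 ;;
    post-stop)
        pacmd suspend false ;;
    selftest)
        printf '%s\n' "$SAMPLE_PACTL_LIST" | module_index module-jack-sink ;;   # prints 23
    *)
        ;;   # no argument: only define the functions (e.g. when sourced)
esac
```
<br />
Point all four QjackCtl script fields at this one file with the matching argument; {{ic|pulse-jack-hook.sh selftest}} runs the lookup against the embedded sample.<br />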
<br />
===Pulseaudio through JACK the old way===<br />
The JACK-Audio-Connection-Kit is popular for audio work, and is widely supported by Linux audio applications. It fills a similar niche as Pulseaudio, but with more of an emphasis on professional audio work. In particular, audio applications such as Ardour and Audacity (recently) work well with Jack.<br />
<br />
Pulseaudio provides module-jack-source and module-jack-sink which allow Pulseaudio to be run as a sound server above the JACK daemon. This allows the usage of per-volume adjustments and the like for the apps which need it, play-back apps for movies and audio, while allowing low-latency and inter-app connectivity for sound-processing apps which connect to JACK. However, this will prevent Pulseaudio from directly writing to the sound card buffers, which will increase overall CPU usage.<br />
<br />
To just try PA on top of jack, have PA load the necessary modules on start:<br />
pulseaudio -L module-jack-sink -L module-jack-source<br />
<br />
To use Pulseaudio with JACK, JACK must be started up before Pulseaudio, using whichever method one prefers. Pulseaudio then needs to be started loading the two relevant modules. Edit {{ic|/etc/pulse/default.pa}}, and change the following region:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
.ifexists module-udev-detect.so<br />
load-module module-udev-detect<br />
.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
load-module module-detect<br />
.endif<br />
<br />
to the following:<br />
### Load audio drivers statically (it is probably better to not load<br />
### these drivers manually, but instead use module-hal-detect --<br />
### see below -- for doing this automatically)<br />
#load-module module-alsa-sink<br />
#load-module module-alsa-source device=hw:1,0<br />
#load-module module-oss device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-oss-mmap device="/dev/dsp" sink_name=output source_name=input<br />
#load-module module-null-sink<br />
#load-module module-pipe-sink<br />
load-module module-jack-source<br />
load-module module-jack-sink<br />
<br />
### Automatically load driver modules depending on the hardware available<br />
#.ifexists module-udev-detect.so<br />
#load-module module-udev-detect<br />
#.else<br />
### Alternatively use the static hardware detection module (for systems that<br />
### lack udev support)<br />
#load-module module-detect<br />
#.endif<br />
<br />
Basically, this prevents module-udev-detect from loading. module-udev-detect will always try to grab the sound-card (JACK has already done that, so this will cause an error). Also, the jack source and sink must be explicitly loaded.<br />
<br />
====QjackCtl with Startup/Shutdown Scripts====<br />
Using the settings listed above, use QjackCtl to execute a script upon startup and shutdown to load/unload PulseAudio. Part of the reason users may wish to do this is that the above changes disable PulseAudio's automatic hardware detection modules. This particular setup is for using PulseAudio in an exclusive fashion with JACK, though the scripts could be modified to unload and load an alternate non-JACK setup, but killing and starting PulseAudio while programs might be using it would become problematic.<br />
<br />
The following example, called {{ic|jack_startup}}, could be used and modified as necessary as a startup script that daemonizes PulseAudio and starts the ''padevchooser'' program (optional, needs to be built from the AUR):<br />
#!/bin/bash<br />
#Load PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio -D<br />
padevchooser&<br />
<br />
as well as a shutdown script to kill PulseAudio and the Pulse Audio Device Chooser, as another example called {{ic|jack_shutdown}} also in the home directory:<br />
#!/bin/bash<br />
#Kill PulseAudio and PulseAudio Device Chooser<br />
<br />
pulseaudio --kill<br />
killall padevchooser<br />
<br />
Both scripts need to be made executable:<br />
chmod +x jack_startup jack_shutdown<br />
<br />
Then, with QjackCtl loaded, click on the ''Setup'' button and then the ''Options'' tab, tick both "Execute Script after Startup:" and "Execute Script on Shutdown:", and either use the ... button or type the path to the scripts (assuming the scripts are in the home directory), {{ic|~/jack_startup}} and {{ic|~/jack_shutdown}}, making sure to save the changes.<br />
<br />
===Pulseaudio through OSS===<br />
Add the following to {{ic|/etc/pulse/default.pa}}:<br />
load-module module-oss<br />
<br />
Then start Pulseaudio as usual, making sure that sinks and sources are defined for OSS devices.<br />
<br />
===Pulseaudio from within a chroot (ex. 32-bit chroot in 64-bit install)===<br />
Since a chroot sets up an alternative root for the running/jailing of applications, pulseaudio must be installed within the chroot itself ({{ic|pacman -S pulseaudio}} within the chroot environment).<br />
<br />
Pulseaudio, if not set up to connect to any specific server (this can be done in {{ic|/etc/pulse/client.conf}}, through the PULSE_SERVER environment variable, or through publishing to the local X11 properties using module-x11-publish), will attempt to connect to the local pulse server, failing which it will spawn a new pulse server. Each pulse server has a unique ID based on the machine-id value in {{ic|/var/lib/dbus}}. To allow chrooted apps to access the pulse server, the following directories must be mounted within the chroot:<br />
/var/run<br />
/var/lib/dbus<br />
/tmp<br />
~/.pulse<br />
<br />
{{ic|/dev/shm}} should also be mounted for efficiency and good performance. Note that mounting /home would normally also allow sharing of the {{ic|~/.pulse}} folder.<br />
<br />
For specific direction on accomplishing the appropriate mounts, please refer to the wiki on installing a bundled 32-bit system, especially the [https://wiki.archlinux.org/index.php?title=Arch64_Install_bundled_32bit_system#Additional_mount_option_to_allow_32-bit_apps_to_access_the_64-bit_Pulseaudio_server additional section] specific to Pulseaudio.<br />
<br />
===System-wide Equalizer===<br />
Pulseaudio can be configured to sound much better through the use of a system-wide equalizer. There are a few tools to do this. Extra information on the cons of each is available [http://ubuntuforums.org/showthread.php?t=1378087 here]. Individual apps can be excluded via {{Ic|pavucontrol}}.<br />
<br />
====pulseaudio-equalizer====<br />
A simple, user-friendly gtk tool in the AUR: [https://aur.archlinux.org/packages.php?ID=48316 here]. <br />
<br />
{{Note|If you remove pulseaudio-equalizer, be sure to comment out the respective generated section in {{Ic|$HOME/.pulse/default.pa}} or risk strange issues.}}<br />
{{Note|If users have trouble with the volume resetting to the maximum level or making harsh noise upon switching sound sources, do [https://wiki.archlinux.org/index.php/Pulseaudio#Volume_gets_louder_every_time_a_new_application_is_started this] and then find the "Equalized audio configuration" section in {{Ic| $HOME/.pulse/default.pa}} and comment out only the "set-sink-volume" line there.}}<br />
<br />
====qpaeq====<br />
A simple qt tool that comes with pulseaudio and includes support for more bands than pulseaudio-equalizer (just resize the window horizontally), but presently lacks easily accessible presets and may need to be set as the default manually. Located at {{Ic|/usr/bin/qpaeq}} and requires {{Ic|python2-pyqt}} to run. <br />
<br />
{{Note| If qpaeq crashes at startup, be sure that {{Ic|load-module module-equalizer-sink}} is in {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}} }}<br />
<br />
{{Note|If the equalizer has no effect (e.g., setting the ''qpaeq'' preamp bar to zero doesn't mute all sound), check that applications' audio sinks are linked to the equalizer. Do this by adding the line {{Ic|set-default-sink equalized}} to {{Ic|/etc/pulse/default.pa}} or {{Ic|$HOME/.pulse/default.pa}}.}}<br />
<br />
===Disabling Auto Spawning of PulseAudio Server===<br />
Some users may prefer to manually start the pulseaudio server before running certain programs and then stop the pulseaudio server when they are finished. A simple way to accomplish this is to edit {{ic|/etc/pulse/client.conf}} and change autospawn = yes to autospawn = no, and set daemon-binary to /bin/true. Make sure the two lines are uncommented as well.<br />
{{hc|/etc/pulse/client.conf|<nowiki><br />
autospawn = no<br />
daemon-binary = /bin/true <br />
</nowiki>}}<br />
Now you can manually start the pulseaudio server with<br />
$ pulseaudio --start<br />
and stop it with<br />
$ pulseaudio --kill<br />
You may also have to move or delete a .desktop file in /etc/xdg/autostart if it exists.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=252801Simple stateful firewall2013-04-03T18:05:31Z<p>Jrussell: /* Example rules file */</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.<br />
<br />
The [https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_rules_file example config file] can be used to get around this problem.<br />
}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via ssh. Therefore do this step after adding your rule regarding port 22 (or whatever port you're using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or the like. Keep this in mind, and accept them before this rule: {{ic|iptables -A INPUT -p 41 -j ACCEPT}}}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW, the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note|NEW but not SYN is the only invalid TCP flag not covered by the INVALID state. The reason is that they are rarely malicious packets, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example iptables.rules file===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with:<br />
iptables-save > /etc/iptables/iptables.rules <br />
and can be used to prevent locking yourself out if you are setting up the firewall remotely; just remember to append:<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow ssh in. (Assuming ssh on port 22)<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
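<br />
Because the rules above are entered one by one, a remote session can be cut off halfway through (see the warning at the top). An alternative is to generate the whole {{ic|iptables.rules}} file and load it atomically with {{ic|iptables-restore}}. The following is an added example, not part of the wiki page or of the iptables project: {{ic|gen_rules}} prints the complete ruleset built in this section with the ports to open given as {{ic|proto:port}} words, and {{ic|install_rules}} refuses to install a ruleset that lacks an ACCEPT for the SSH port. The function and argument names are the example's own.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki): emit the single-machine ruleset from
# this section as an iptables-restore file, then install it only if it
# still lets SSH in.
#
#   gen_rules tcp:22 tcp:80 udp:53 > /etc/iptables/iptables.rules
#   install_rules 22 tcp:22 tcp:80 udp:53     # as root

# gen_rules PROTO:PORT...  -> complete iptables.rules text on stdout
gen_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
EOF
    # One ACCEPT in the TCP or UDP chain per "proto:port" word; anything
    # malformed aborts so a typo cannot silently open or skip a port.
    for spec in "$@"; do
        proto=${spec%%:*}
        port=${spec#*:}
        case "$proto" in
            tcp) chain=TCP ;;
            udp) chain=UDP ;;
            *) printf 'gen_rules: bad protocol in %s\n' "$spec" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) printf 'gen_rules: bad port in %s\n' "$spec" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            printf 'gen_rules: port out of range in %s\n' "$spec" >&2; return 1
        fi
        printf -- '-A %s -p %s --dport %s -j ACCEPT\n' "$chain" "$proto" "$port"
    done
    printf 'COMMIT\n'
}

# allows_tcp_port PORT  -> success if the ruleset on stdin accepts tcp/PORT
allows_tcp_port() {
    grep -q -- "^-A TCP -p tcp --dport $1 -j ACCEPT\$"
}

# install_rules SSHPORT PROTO:PORT...  (root) -> write and load the ruleset,
# but only when SSHPORT is among the opened TCP ports.
install_rules() {
    sshport=$1; shift
    rules=$(gen_rules "$@") || return 1
    printf '%s\n' "$rules" | allows_tcp_port "$sshport" || {
        printf 'refusing: no ACCEPT for tcp/%s, this would lock SSH out\n' "$sshport" >&2
        return 1
    }
    printf '%s\n' "$rules" > /etc/iptables/iptables.rules &&
        iptables-restore < /etc/iptables/iptables.rules
}
```
<br />
{{ic|iptables-restore}} replaces the table in one step, so either the whole ruleset is active, SSH rule included, or nothing changed.<br />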
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can be easily altered to integrate properly with the firewall described here: simply substitute the custom {{Ic|open}} chain used in the firewall for the {{Ic|INPUT}} chain specification.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database] and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done through setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification which is built into Linux kernel itself. The verification by the kernel will handle spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asynchronous routing and/or rp_filter=0 is used:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for education purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e., only X packets per minute for all source addresses):<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted (or simply not added in the first place). It can be deleted with:<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page, or reading the docs and examples on the webpage http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed IPs and get them blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the UDP-PORTSCAN list to the top of the OPEN-UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the portscanning tricks above were used the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule otherwise it will intercept the trick port scanner rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A) which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban an IP that makes too many password failures, you can use [[Fail2ban]] or [[Sshguard]]. These update firewall rules to reject the IP address.<br />
<br />
<br />
Here are some rules which help to mitigate ssh brute force attacks using iptables:<br />
<br />
# iptables -N IN_SSH<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
<br />
Ensure that:<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
is in an appropriate position in the iptables.rules file. <br />
<br />
This arrangement works for the IN_SSH rule if you followed this entire wiki so far:<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
<br />
reference: <br />
[http://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]<br />
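<br />
The {{ic|recent}} lists used by the SSH rules above, by the port scan tricks and by the per-source ping limiter are all visible under {{ic|/proc/net/xt_recent/}} (see "Tricking port scanners"), which is where to look when deciding whether a host is being throttled, or to release your own address after the spoofing scenario in the warning. The following is an added example, not part of the wiki page or of the netfilter project. It assumes the kernel's {{ic|xt_recent}} line layout ({{ic|src=A.B.C.D ttl: T last_seen: J oldest_pkt: N J1, J2, ...}}, timestamps in jiffies) and the {{ic|+addr}}/{{ic|-addr}} write interface of that file; the sample table inside it is constructed, and the function names are the example's own.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the wiki): summarise and manage a `recent`
# list as exposed under /proc/net/xt_recent/<name> (sshbf, TCP-PORTSCAN,
# UDP-PORTSCAN, ping_limiter in the rules above).
#
# Assumed line layout (kernel xt_recent output):
#   src=A.B.C.D ttl: T last_seen: J oldest_pkt: N J1, J2, ...
# The J values are kernel jiffies, so a --seconds window can only be
# evaluated by the kernel; this tool counts stored hits and reports
# last_seen unchanged, which is enough to see who is being throttled.

# recent_summary  (table on stdin) -> "src hits last_seen" per entry
recent_summary() {
    awk '
    /^src=/ {
        src = substr($1, 5); last = ""; hits = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "last_seen:") last = $(i + 1)
            if ($i == "oldest_pkt:") {
                # everything after "oldest_pkt: N" is the comma separated
                # timestamp list; count its elements regardless of spacing
                rest = ""
                for (j = i + 2; j <= NF; j++) rest = rest $j
                hits = (rest == "") ? 0 : split(rest, parts, ",")
                break
            }
        }
        printf "%s %d %s\n", src, hits, last
    }'
}

# hosts_with_hits_at_least N  (table on stdin) -> sources with >= N stored hits,
# i.e. the ones a "--rcheck --hitcount N" rule would currently match on count
hosts_with_hits_at_least() {
    recent_summary | awk -v n="$1" '$2 + 0 >= n + 0 { print $1 }'
}

# busiest_sources  (table on stdin) -> summary sorted by hits, highest first
busiest_sources() {
    recent_summary | sort -k2,2nr
}

# show_list NAME   (root) -> summary of a live list
show_list() {
    recent_summary < "/proc/net/xt_recent/$1"
}

# forget_host NAME ADDR  (root) -> drop one address from a live list, e.g.
# after your own address was pushed onto sshbf by spoofed packets
forget_host() {
    printf '%s\n' "-$2" > "/proc/net/xt_recent/$1"
}

# Constructed sample of an sshbf table (RFC 5737 documentation addresses).
SAMPLE_RECENT='src=192.0.2.10 ttl: 64 last_seen: 4297096583 oldest_pkt: 3 4297096555, 4297096570, 4297096583
src=198.51.100.7 ttl: 52 last_seen: 4297096400 oldest_pkt: 1 4297096400
src=203.0.113.9 ttl: 57 last_seen: 4297096590 oldest_pkt: 4 4297096501, 4297096530, 4297096560, 4297096590'

# Offline demonstration when run directly with "demo".
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_RECENT" | busiest_sources
    printf -- '--- at least 3 hits:\n'
    printf '%s\n' "$SAMPLE_RECENT" | hosts_with_hits_at_least 3
fi
```
<br />
{{ic|show_list sshbf}} on the live system gives the same three columns; pair it with {{ic|forget_host sshbf ADDR}} to release a specific address instead of flushing the whole list.<br />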
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6 as well. Copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change IP addresses from IPv4 to IPv6 format, and change reject messages from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
and so on.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may have to reject without any message. (Does anyone know which message would be correct? communication-prohibited? port-unreachable?)<br />
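As an added example that is not from the wiki page, the following shell helper produces a first draft of '''ip6tables.rules''' from '''iptables.rules'''. It applies only the substitution the text above spells out (icmp-port-unreachable to icmp6-port-unreachable) and then lists every rule that cannot carry over unchanged, so nothing is guessed: IPv4 literals, '''-p icmp''' matches (IPv4 ICMP only) and any remaining '''--reject-with icmp-...''' value such as icmp-proto-unreachable, which has no ICMPv6 equivalent as noted above. The sample rules in the test are constructed.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: draft ip6tables.rules from
# iptables.rules and report what still needs a human.

# ip6_convert FILE -> draft ip6tables rules on stdout
#   Only the documented reject-message rename is mechanical.
ip6_convert() {
    sed -e 's/--reject-with icmp-port-unreachable/--reject-with icmp6-port-unreachable/' "$1"
}

# ip6_review FILE -> "line:rule" for every converted line that needs editing:
#   * an IPv4 literal (address or subnet) has no automatic IPv6 counterpart
#   * "-p icmp" matches IPv4 ICMP only; IPv6 uses a separate protocol (icmpv6)
#   * a remaining "--reject-with icmp-..." value has no ICMPv6 equivalent here
#   Returns 0 when at least one line needs review (grep semantics).
ip6_review() {
    ip6_convert "$1" | grep -nE \
        '([0-9]{1,3}\.){3}[0-9]{1,3}|(^| )-p icmp( |$)|--reject-with icmp-'
}

# Usage: ip6_convert /etc/iptables/iptables.rules > /etc/iptables/ip6tables.rules
#        ip6_review  /etc/iptables/iptables.rules
```

Edit every line reported by ip6_review before loading the file with ip6tables-restore; the draft is intentionally incomplete rather than silently wrong.<br />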
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
Throughout this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, traffic leaving through your other interfaces will be masqueraded as well and your network will be screwed up.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
Two simple examples follow. First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example shows how to redirect packets to a different port than the incoming one. We want to send any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with udp packets.<br />
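As an added example that is not from the wiki page, the following shell function emits the NAT gateway rules from this section in iptables-save format from a short description of the gateway. Each port forward is one entry, from which both the filter-table '''fw-open''' ACCEPT and the nat-table DNAT rule are derived, so the pair cannot drift apart, and every MASQUERADE rule is tied to the outgoing interface with '''-o''', which the text above warns must never be omitted. Interface names, subnets and hosts are parameters; the usage line uses the page's own example values, and '''--to-destination''' is the long form of the '''--to''' shown above.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: generate the NAT gateway rules
# of this section in iptables-save format for review and merging into
# /etc/iptables/iptables.rules.
#
# gen_nat_rules WAN "LANIF:SUBNET ..." "INPORT:HOST:HOSTPORT ..."
gen_nat_rules() {
    wan=$1
    lans=$2
    forwards=$3

    # filter table: FORWARD policy and the two helper chains
    echo '*filter'
    echo ':FORWARD DROP [0:0]'
    echo ':fw-interfaces - [0:0]'
    echo ':fw-open - [0:0]'
    echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
    echo '-A FORWARD -j fw-interfaces'
    echo '-A FORWARD -j fw-open'
    echo '-A FORWARD -j REJECT --reject-with icmp-host-unreachable'
    for lan in $lans; do
        echo "-A fw-interfaces -i ${lan%%:*} -j ACCEPT"
    done
    for fw in $forwards; do
        host=${fw#*:}; host=${host%%:*}
        hostport=${fw##*:}
        echo "-A fw-open -d $host -p tcp --dport $hostport -j ACCEPT"
    done
    echo 'COMMIT'

    # nat table: masquerade each LAN subnet, then the DNAT side of each forward
    echo '*nat'
    for lan in $lans; do
        echo "-A POSTROUTING -s ${lan#*:} -o $wan -j MASQUERADE"
    done
    for fw in $forwards; do
        inport=${fw%%:*}
        host=${fw#*:}; host=${host%%:*}
        hostport=${fw##*:}
        echo "-A PREROUTING -i $wan -p tcp --dport $inport -j DNAT --to-destination $host:$hostport"
    done
    echo 'COMMIT'
}

# Usage with this page's example gateway: ppp0 public side, two LANs, two forwards
gen_nat_rules ppp0 "eth0:192.168.0.0/24 eth1:10.3.0.0/16" "22:192.168.0.5:22 8000:192.168.0.6:80"
```

The output covers only the chains this section adds; merge it into the rules file that already holds the INPUT, TCP and UDP chains from the first part rather than loading it on its own, since iptables-restore replaces the whole table it is given.<br />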
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Openbox_Themes_and_Apps&diff=252799Openbox Themes and Apps2013-04-03T17:38:51Z<p>Jrussell: changed some package links for packages that had moved into the official repos from the AUR</p>
<hr />
<div>[[Category:Stacking WMs]]<br />
[[it:Openbox Themes and Apps]]<br />
[[ru:Openbox Themes and Apps]]<br />
[[es:Openbox Themes and Apps]]<br />
[[zh-CN:Openbox Themes and Apps]]<br />
{{Note|This article is a supplement to the main [[Openbox]] article.<br />
<br />
This wiki article deals with customizing the appearance of Openbox in Arch Linux. Helper programs such as panels and trays are also explained. <br />
}}<br />
== Themes and appearance ==<br />
<br />
With the exception of the Openbox Themes topic, the following section is intended for users who have configured Openbox to run as a standalone desktop, without the assistance of [[GNOME]], [[KDE]] or [[Xfce]].<br />
<br />
=== Openbox themes ===<br />
<br />
Openbox themes control the appearance of window borders, including the titlebar and titlebar buttons. They also determine the appearance of the application menu and on-screen display (OSD). <br />
<br />
Some themes are available for [[Pacman|installation]] with the {{Pkg|openbox-themes}} package in the [[official repositories]].<br />
<br />
This package is by no means definitive. You can download more themes at websites such as:<br />
* [http://www.box-look.org/index.php?xcontentmode=7402 www.box-look.org]<br />
* [http://customize.org/browse/tags/openbox www.customize.org]<br />
* [http://www.minuslab.net/themes/ www.minuslab.net]<br />
* [http://celo.wordpress.com/themes/ celo.wordpress.com]<br />
* [http://vault.openmonkey.com/pages/openbox vault.openmonkey.com]<br />
<br />
Downloaded themes should be extracted to {{ic|~/.themes}} or {{ic|~/.local/share/themes}} and selected from {{Pkg|obconf}} or {{Pkg|lxappearance-obconf}}. Theme selection can also be done manually by opening {{ic|rc.xml}} and changing the ''<name>'' key in the ''<theme>'' section. <br />
<br />
Creating new themes is fairly easy and [http://openbox.org/wiki/Help:Themes well-documented]. For those who prefer a GUI, {{AUR|obtheme}} is a very capable editor.<br />
<br />
=== X11 mouse cursors ===<br />
<br />
See [[Cursor Themes]].<br />
<br />
=== GTK themes ===<br />
<br />
See [[GTK+#Themes]].<br />
<br />
=== Desktop icons ===<br />
<br />
Openbox does not provide a means to display icons on the desktop. To provide this function, one can use:<br />
* {{App|[[Xfce|Xfdesktop]]|The desktop manager for Xfce.|http://docs.xfce.org/xfce/xfdesktop/start|{{Pkg|xfdesktop}}}}<br />
* {{App|[[PCManFM]]|An extremely fast and lightweight file manager used by the LXDE desktop.|http://pcmanfm.sourceforge.net/|{{Pkg|pcmanfm}}}}<br />
* {{App|[[ROX#Usage|ROX]]|A small and fast file manager which can optionally manage the desktop background and panels, part of the ROX Desktop.|http://roscidus.com/desktop/|{{Pkg|rox}}}}<br />
* {{App|[[Idesk|IDesk]]|A simple tool that gives users of minimal WMs (Fluxbox, pekwm, Window Maker, Openbox, etc.) icons on their desktop.|http://idesk.sourceforge.net/html/index.html|{{Pkg|idesk}}}}<br />
* {{App|[[Nautilus]]|The file manager of the GNOME desktop.|https://live.gnome.org/Nautilus|{{Pkg|nautilus}}}}<br />
* {{App|[[Spacefm]]|A GTK multi-panel tabbed file manager.|http://ignorantguru.github.com/spacefm/|{{Pkg|spacefm}}}}<br />
<br />
=== Desktop wallpaper ===<br />
<br />
Openbox itself does not include a way to change the wallpaper. This can be done easily with programs like [[Feh]] or [[Nitrogen]]. Other options include {{Pkg|imagemagick}}, {{Pkg|hsetroot}}, '''xsetbg''' and more advanced choices such as PCManFM or Xfdesktop.<br />
<br />
You can disable the wallpaper loading in ''gnome-settings-daemon'' like this:<br />
$ gconftool-2 --set /apps/gnome_settings_daemon/plugins/background/active --type bool False<br />
<br />
In Gnome 3 use:<br />
$ gsettings set org.gnome.desktop.background draw-background false<br />
<br />
One approach, using {{ic|hsetroot}}, is to place the following command in {{ic|autostart}}:<br />
hsetroot -fill /path/to/image.file<br />
<br />
A similar command for {{ic|feh}} is:<br />
feh --bg-scale /path/to/image.file<br />
<br />
== Recommended programs ==<br />
{{accuracy|reason=This is completely subjective, so it likely belongs in a user namespace instead.}}<br />
{{Note|The main [[Openbox]] article has information on installing Openbox, but this additional section details specific lightweight applications you may want to deploy after installing Openbox.}}<br />
<br />
For a more complete choice of applications available on Arch, look at the [[List of Applications]]. You can also look at the [http://openbox.org/wiki/Help:Contents#Cool_programs_to_run_with_Openbox list] recommended on the Openbox wiki, although most overlap with the following suggestions. <br />
<br />
=== Display managers ===<br />
{{Box||See the main article: [[Display Manager]].|#E5E5FF|#FCFCFC}}<br />
<br />
* {{App|[[SLiM]] (Simple Login Manager)|A lightweight and elegant graphical login solution.|http://slim.berlios.de/|{{Pkg|slim}}}}<br />
* {{App|[[Qingy]]|An ultralight and very configurable graphical login independent on X Windows (uses DirectFB). It supports login to either a text console or an X session.|http://qingy.sourceforge.net/|{{Pkg|qingy}}}}<br />
<br />
=== Desktop compositing ===<br />
* {{App|[[Cairo Compmgr|Cairo Composite Manager]]|A versatile and extensible composite manager which uses [http://www.cairographics.org/ Cairo] for rendering.|http://cairo-compmgr.tuxfamily.org/|{{AUR|cairo-compmgr-git}}}}<br />
* {{App|[[Compton]]|A fork of Xcompmgr containing many fixes.|https://github.com/chjj/compton|{{AUR|compton-git}}}}<br />
* {{App|[[Xcompmgr]]|A lightweight composite manager capable of rendering drop shadows, fading and simple window transparency within Openbox and other window managers.|http://cgit.freedesktop.org/xorg/app/xcompmgr/|{{Pkg|xcompmgr}} {{AUR|xcompmgr-dana}} {{AUR|xcompmgr_tint2-git}}}}<br />
<br />
=== Desktop utilities ===<br />
<br />
A number of utilities provide panels / taskbars, system trays, or pagers to Openbox:<br />
<br />
==== Panels ====<br />
{{Box||For more examples see: [[Common Applications#Taskbars]].|#E5E5FF|#FCFCFC}}<br />
<br />
* {{App|[[Avant Window Navigator]]|A lightweight dock which sits at the bottom of the screen.|http://wiki.awn-project.org/|{{Pkg| avant-window-navigator}}}}<br />
* {{App|[[Bmpanel]]|A lightweight, NETWM compliant panel for the X11 system.|http://nsf.110mb.com/bmpanel/|{{AUR|bmpanel}}}}<br />
* {{App|[[Cairo-Dock]]|A highly customizable dock/launcher.|http://www.glx-dock.org/|{{Pkg|cairo-dock}}}}<br />
* {{App|Docker|A docking application which acts as a system tray.|http://icculus.org/openbox/2/docker/|{{Pkg|docker}}}}<br />
* {{App|[[fbpanel]]|A lightweight, NETWM compliant desktop panel.|http://fbpanel.sourceforge.net/|{{Pkg|fbpanel}}}}<br />
* {{App|LXPanel|A lightweight X11 desktop panel and part of the LXDE DE.|http://lxde.org/|{{Pkg|lxpanel}}}}<br />
* {{App|Pancake|A highly configurable, modular panel for X.|http://www.failedprojects.de/pancake/|{{AUR|pancake}}}}<br />
* {{App|[[Tint2]]|Simple panel/taskbar developed specifically for Openbox.|http://code.google.com/p/tint2/|{{Pkg|tint2}}}}<br />
* {{App|[[wbar]]|A quick launch bar developed with speed in mind.|http://freecode.com/projects/wbar/|{{Pkg|wbar}}}}<br />
* {{App|[[GNOME#GNOME panel|GNOME Panel]]|The default [[Gnome]] panel.|https://live.gnome.org/GnomePanel|{{Pkg|gnome-panel}}}}<br />
* {{App|PerlPanel|A lightweight panel that supports applets.|http://savannah.nongnu.org/projects/perlpanel|{{Pkg|perlpanel}}}}<br />
* {{App|[[PyPanel]]|A lightweight panel/taskbar for X11 window managers written in Python.|http://pypanel.sourceforge.net/|{{Pkg|pypanel}}}}<br />
* {{App|[[Wikipedia:Screenlets|Screenlets]]|A widget framework that consists of small owner-drawn applications (weather widget, clocks, system monitors, mail checkers, etc.).|http://screenlets.org/index.php/Home|{{Pkg|screenlets}}}}<br />
* {{App|[[Xfce#Panel|Xfce Panel]]|The default [[Xfce]] panel.|http://docs.xfce.org/xfce/xfce4-panel/start|{{Pkg|xfce4-panel}}}}<br />
<br />
==== Trays ====<br />
* {{App|[[Stalonetray]]|A stand-alone system tray with minimal dependencies.|http://stalonetray.sourceforge.net/|{{Pkg|stalonetray}}}}<br />
* {{App|Trayer|A lightweight GTK2-based systray.|https://gna.org/projects/fvwm-crystal/|{{Pkg|trayer}}}}<br />
<br />
==== Pagers ====<br />
* {{App|IPager|A configurable pager with transparency, originally developed for Fluxbox.|http://useperl.ru/ipager/index.en.html|{{AUR|ipager}}}}<br />
* {{App|Neap|A non-intrusive and light pager that runs in the notification area of your panel.|http://code.google.com/p/neap/|{{Pkg|neap}}}}<br />
* {{App|Netwmpager|A NetWM/EWMH compatible pager.|http://sourceforge.net/projects/sf-xpaint/files/netwmpager/|{{Pkg|netwmpager}}}}<br />
* {{App|Pager|A highly configurable pager compatible with Openbox Multihead.|https://github.com/BurntSushi/pager-multihead|{{Pkg|pager-multihead-git}}}}<br />
<br />
If you wish to set desktop layout without using a pager, try the {{AUR|obsetlayout}} package from [[AUR]].<br />
<br />
=== File managers ===<br />
{{Box||For more examples see: [[Common Applications#File managers]].|#E5E5FF|#FCFCFC}}<br />
<br />
Three popular lightweight file managers are:<br />
* {{App|[[PCManFM]]|An extremely fast and lightweight file manager used by the LXDE desktop.|http://pcmanfm.sourceforge.net/|{{Pkg|pcmanfm}}}}<br />
* {{App|[[ROX#Usage|ROX]]|A small and fast file manager which can optionally manage the desktop background and panels, part of the ROX Desktop.|http://roscidus.com/desktop/|{{Pkg|rox}}}}<br />
* {{App|[[Thunar]]|The file manager of the Xfce Desktop with many plugins and features.|http://thunar.xfce.org/|{{Pkg|thunar}}}}<br />
<br />
For even lighter options, consider:<br />
* {{App|Gentoo|A lightweight file manager for GTK.|http://www.obsession.se/gentoo/|{{AUR|gentoo}}}}<br />
* {{App|emelFM2|A file manager that implements the popular two-pane design.|http://emelfm2.net/|{{Pkg|emelfm2}}}}<br />
* {{App|Xfe|A Microsoft Explorer-like file manager for X (X File Explorer).|http://sourceforge.net/projects/xfe/|{{Pkg|xfe}}}}<br />
* {{App|muCommander|A lightweight, cross-platform file manager with a dual-pane interface written in Java.|http://www.mucommander.com/|{{AUR|mucommander}}}}<br />
<br />
Alternatively, you may use GNOME's Nautilus as your file manager. It is heavier and slower than the previous solutions, but Nautilus has many helpful features such as [http://en.wikipedia.org/wiki/Virtual_file_system virtual file systems], allowing folder access via SSH, FTP, or Samba.<br />
<br />
=== Application launchers ===<br />
{{Box||For more examples see: [[Common Applications#Application Launchers]].|#E5E5FF|#FCFCFC}}<br />
<br />
* {{App|[[gmrun]]|A lightweight GTK based application launcher, with ability to run programs inside a terminal and other handy features. To enable {{Keypress|Alt+F2}} functionality add the following to the ''<keyboard>'' section:<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<keybind key="A-F2"><br />
<action name="execute"><execute>gmrun</execute></action><br />
</keybind><br />
</nowiki>}}<br />
|http://sourceforge.net/projects/gmrun/|{{Pkg|gmrun}}}}<br />
<br />
* {{App|[[dmenu]]|A fast and lightweight dynamic menu for X, which is also useful as an application launcher. To enable {{Keypress|Alt+F2}} functionality add the following to the ''<keyboard>'' section:<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<keybind key="A-F2"><br />
<action name="execute"><execute>dmenu_run</execute></action><br />
</keybind><br />
</nowiki>}}|http://tools.suckless.org/dmenu/|{{Pkg|dmenu}}}}<br />
<br />
* {{App|Bashrun2|Provides a different, barebones approach to a run dialog, using a specialized Bash session within a small xterm window. To enable {{Keypress|Alt+F2}} functionality add the following to the ''<keyboard>'' section:<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<keybind key="A-F2"><br />
<action name="execute"><execute>bashrun2</execute></action><br />
</keybind><br />
</nowiki>}}<br />
<br />
To make Bashrun2 act more like a traditional run dialog add the following to the ''<applications>'' section:<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<application name="bashrun2-run-dialog"><br />
<desktop>all</desktop><br />
<decor>no</decor> <!-- switch to yes if you prefer a bordered window --><br />
<focus>yes</focus><br />
<skip_pager>yes</skip_pager><br />
<layer>above</layer><br />
</application><br />
</nowiki>}}|https://code.google.com/p/bashrun2/|{{AUR|bashrun2}}}}<br />
<br />
* {{App|Kupfer|A launcher inspired by [[Wikipedia:Quicksilver (software)|Quicksilver]], written in Python. To enable {{Keypress|Alt+F2}} functionality add the following to the ''<keyboard>'' section:<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<keybind key="A-F2"><br />
<action name="execute"><execute>kupfer</execute></action><br />
</keybind><br />
</nowiki>}}|http://engla.github.com/kupfer/|{{AUR|kupfer}}}}<br />
<br />
* {{App|[[Wikipedia:launchy|Launchy]]|A less minimalistic approach; it is skinnable and offers more functionality such as a calculator, checking the weather, etc. It is launched with the {{Keypress|Ctrl+Space}} key combination.|http://www.launchy.net/|{{Pkg|launchy}}}}<br />
<br />
* {{App|LXPanel|A lightweight X11 desktop panel and part of the LXDE DE. The run dialog can be executed with:<br />
$ lxpanelctl run<br />
|http://lxde.org/|{{Pkg|lxpanel}}}}<br />
<br />
* {{App|[[GNOME#GNOME panel|GNOME Panel]]|The default [[Gnome]] panel. The run dialog of the GNOME Panel can be executed with:<br />
$ gnome-panel-control --run-dialog<br />
|https://live.gnome.org/GnomePanel|{{Pkg|gnome-panel}}}}<br />
<br />
=== Clipboard managers ===<br />
{{Box||For more examples see: [[Common Applications#Clipboard managers]].|#E5E5FF|#FCFCFC}}<br />
<br />
You may wish to install a [[Clipboard|clipboard manager]] for a richer copy/paste experience. The following are the more lightweight options:<br />
* {{App|Clipman|A clipboard manager for Xfce. It keeps the clipboard contents around while it is usually lost when you close an application. It is able to handle text and images, and has a feature to execute actions on specific text selections by matching them against regular expressions.|http://goodies.xfce.org/projects/panel-plugins/xfce4-clipman-plugin|{{Pkg|xfce4-clipman-plugin}}}}<br />
* {{App|[[Wikipedia:Glipper|Glipper]]|A clipboard manager for GNOME with more features and plugin support.|https://launchpad.net/glipper|{{AUR|glipper}}}}<br />
* {{App|Parcellite|A lightweight yet feature-rich clipboard manager.|http://parcellite.sourceforge.net/|{{Pkg|parcellite}}}}<br />
* {{App|ClipIt|A fork of Parcellite with additional features and bugfixes.|http://sourceforge.net/projects/gtkclipit/|{{Pkg|clipit}}}}<br />
<br />
Make sure you add your chosen clipboard manager to {{ic|~/.config/openbox/autostart}}.<br />
<br />
=== Volume managers ===<br />
<br />
* {{App|GVolWheel|An audio mixer which lets you control the volume through a tray icon.|http://sourceforge.net/projects/gvolwheel/|{{AUR|gvolwheel}}}}<br />
* {{App|GVTray|A master volume mixer for the system tray.|http://code.google.com/p/gtk-tray-utils/|{{AUR|gvtray}}}}<br />
* {{App|Obmixer|A GTK mixer applet for Openbox that runs in the system tray. It is lightweight, works with both PulseAudio and ALSA, and has a mute/unmute feature which remembers your previous volume.|http://jpegserv.com/obmixer/|{{AUR|obmixer}}}}<br />
* {{App|PNMixer|A fork of Obmixer. It has many new features such as ALSA channel selection, connect/disconnect detection, shortcuts, etc.|https://github.com/nicklan/pnmixer/wiki|{{AUR|pnmixer}}}}<br />
* {{App|Volti|A GTK application for controlling audio volume from system tray with an internal mixer and support for multimedia keys that uses only ALSA.|http://code.google.com/p/volti/|{{AUR|volti}}}}<br />
* {{App|VolumeIcon|Another volume control for your system tray with channel selection, themes and an external mixer.|http://softwarebakery.com/maato/volumeicon.html|{{Pkg|volumeicon}}}}<br />
* {{App|VolWheel|A little application which lets you control the sound volume easily through a tray icon you can scroll on.|http://oliwer.net/b/volwheel.html|{{Pkg|volwheel}}}}<br />
<br />
=== Battery & CPU ===<br />
{{Box||For more examples see: [[Common Applications#System Monitoring]].|#E5E5FF|#FCFCFC}}<br />
<br />
* {{App|[[Trayfreq]]|A light battery monitor and a CPU frequency scaler.|http://trayfreq.sourceforge.net|{{AUR|trayfreq}}}}<br />
<br />
=== Keyboard layout switchers ===<br />
<br />
* {{App|fbxkb|A NETWM compliant keyboard indicator and switcher. It shows a flag of current keyboard in a systray area and allows you to switch to another one.|http://fbxkb.sourceforge.net/|{{AUR|fbxkb}}}}<br />
* {{App|xxkb|A lightweight keyboard layout indicator and switcher.|http://sourceforge.net/projects/xxkb/|{{Pkg|xxkb}}}}<br />
* {{App|qxkb|A keyboard switcher written in Qt.|http://code.google.com/p/qxkb/|{{AUR|qxkb}}}}<br />
* {{App|[[Wikipedia:X Neural Switcher|X Neural Switcher]]|A text analyser, it detects the language of the input and corrects the keyboard layout if needed.|http://www.xneur.ru/|{{AUR|xneur}}, {{AUR|gxneur}} (GUI)}}<br />
<br />
=== Logout dialog ===<br />
<br />
A few simple shutdown managers are available:<br />
* {{App|exitx|A logout dialog for Openbox that uses [[Sudo]].|http://www.linuxsir.com/bbs/lastpostinthread350740.html|{{AUR|exitx}}}}<br />
* {{App|exitx-polkit|A GTK logout dialog for Openbox with PolicyKit support.|https://github.com/z0id/exitx-polkit|{{AUR|exitx-polkit-git}}}}<br />
* {{App|exitx-systemd|A GTK logout dialog for Openbox with systemd support.|https://github.com/z0id/exitx-systemd|{{AUR|exitx-polkit-git}}}}<br />
* {{App|obshutdown|A great GTK/Cairo based shutdown manager for Openbox and other window managers.|https://github.com/panjandrum/obshutdown|{{AUR|obshutdown}}}}<br />
<br />
Alternatively, you can also use Openbox's menus to create a simple dialog, which can also be bound to a key for easy access.<br />
<br />
An example with {{ic|exit-menu}} as the ''id'' and {{ic|Exit}} as the ''label'' in a local {{ic|systemd-logind}} user session:<br />
<br />
{{bc|<nowiki><br />
<menu id="exit-menu" label="Exit"><br />
<item label="Log Out"><br />
<action name="Execute"><br />
<command>openbox --exit</command><br />
</action><br />
</item><br />
<item label="Shutdown"><br />
<action name="Execute"><br />
<command>systemctl poweroff</command><br />
</action><br />
</item><br />
<item label="Restart"><br />
<action name="Execute"><br />
<command>systemctl reboot</command><br />
</action><br />
</item><br />
<item label="Suspend"><br />
<action name="Execute"><br />
<command>systemctl suspend</command><br />
</action><br />
</item><br />
<item label="Hibernate"><br />
<action name="Execute"><br />
<command>systemctl hibernate</command><br />
</action><br />
</item><br />
</menu><br />
</nowiki>}}<br />
<br />
Add this to your {{ic|~/.config/openbox/menu.xml}}, then later in your menu or pipemenu of choice add:<br />
<br />
<menu id="exit-menu"/><br />
<br />
If you would like to bind this to a key, simply add this example keybind to the ''<keyboard>'' section:<br />
<br />
{{hc|~/.config/openbox/rc.xml|<nowiki><br />
<keybind key="XF86PowerOff"><br />
<action name="ShowMenu"><br />
<menu>exit-menu</menu><br />
</action><br />
</keybind><br />
</nowiki>}}<br />
<br />
This will bind it to your power button; if you prefer another key, change ''XF86PowerOff'' to your preferred key.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=251971Simple stateful firewall2013-03-26T11:57:59Z<p>Jrussell: Added reference to example config file in first warning of needing to be logged in locally</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.<br />
<br />
The [https://wiki.archlinux.org/index.php/Simple_Stateful_Firewall#Example_rules_file example config file] can be used to get around this problem.<br />
}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If rules are present, you can reset them by loading the empty rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
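The warning at the top of this page concerns being locked out of a remote machine while the rules are applied one by one. As an added example that is not from the wiki page, the following script loads a complete rules file atomically with iptables-restore (after a parse check with its --test option) and starts a timer that reloads the previous ruleset unless you confirm, from a fresh login, that you still have access. The iptables-save and iptables-restore commands are read from variables so the logic can be exercised with stand-in functions; the token file path is an assumption of this example.<br />

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: apply a rules file atomically and
# roll back automatically unless the change is confirmed in time.
IPT_SAVE=${IPT_SAVE:-iptables-save}
IPT_RESTORE=${IPT_RESTORE:-iptables-restore}
# Assumed location of the "still waiting for confirmation" marker file.
ROLLBACK_TOKEN=${ROLLBACK_TOKEN:-${TMPDIR:-/tmp}/iptables-rollback.token}

# apply_with_rollback RULES_FILE DELAY
#   1. snapshot the running ruleset
#   2. parse-check RULES_FILE (iptables-restore --test) without touching the kernel
#   3. load RULES_FILE atomically
#   4. start a timer that reloads the snapshot after DELAY seconds unless
#      confirm_rules has removed the token file by then
#   Returns non-zero, with the old ruleset still loaded, if any step fails.
apply_with_rollback() {
    rules=$1
    delay=$2
    ROLLBACK_BACKUP=$(mktemp) || return 1
    "$IPT_SAVE" > "$ROLLBACK_BACKUP" || { rm -f "$ROLLBACK_BACKUP"; return 1; }
    if ! "$IPT_RESTORE" --test < "$rules"; then
        echo "apply_with_rollback: $rules does not parse, nothing changed" >&2
        rm -f "$ROLLBACK_BACKUP"
        return 1
    fi
    if ! "$IPT_RESTORE" < "$rules"; then
        "$IPT_RESTORE" < "$ROLLBACK_BACKUP"
        rm -f "$ROLLBACK_BACKUP"
        return 1
    fi
    : > "$ROLLBACK_TOKEN" || return 1
    # Timer runs detached from our stdout so callers are not blocked on it.
    (
        sleep "$delay"
        if [ -e "$ROLLBACK_TOKEN" ]; then
            "$IPT_RESTORE" < "$ROLLBACK_BACKUP"
            rm -f "$ROLLBACK_TOKEN"
        fi
        rm -f "$ROLLBACK_BACKUP"
    ) >/dev/null 2>&1 &
    ROLLBACK_PID=$!
    echo "rules loaded; run confirm_rules within $delay s or the previous ruleset returns"
    return 0
}

# confirm_rules: call from a new session once you have verified you still get in.
confirm_rules() {
    rm -f "$ROLLBACK_TOKEN"
}

# Script usage on the real system (as root):
#   sh firewall-apply.sh apply /etc/iptables/iptables.rules 60
#   sh firewall-apply.sh confirm     # from a fresh SSH session, before the timer fires
case "${1-}" in
    apply)   apply_with_rollback "$2" "${3:-60}" ;;
    confirm) confirm_rules ;;
esac
```

Because iptables-restore replaces the whole table in one step, the intermediate state in which the INPUT policy is DROP but the SSH rule is not yet present never exists; the timer covers the remaining case of a ruleset that loads fine but is simply wrong.<br />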
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you are using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" even though they are not corrupted or the like. Keep this in mind, and accept them before this rule: {{Ic|iptables -A INPUT -p 41 -j ACCEPT}}}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW; the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note|NEW but not SYN is the only invalid TCP flag combination not covered by the INVALID state. The reason is that such packets are rarely malicious, so they should not simply be dropped. Instead, we do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not open. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example rules file ===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with<br />
iptables-save > /etc/iptables/iptables.rules<br />
and can be used to avoid locking yourself out if you are setting up the firewall remotely; just remember to append<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow SSH in (assuming SSH listens on port 22).<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
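The INPUT chain rules, the example rules file and the per-port ACCEPT rules above are all typed one at a time; the following script, which is an added example and not part of this page or of the iptables project, builds the same ruleset as a single iptables-restore file from a list of TCP and UDP ports, validates the ports, checks that the SSH port is open before a remote session applies it, and loads it with an automatic rollback timer. The function names (gen_ruleset, valid_port, ruleset_allows_ssh, apply_with_rollback) and the rollback approach are this example's own assumptions.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the ArchWiki page): build the INPUT/TCP/UDP ruleset
# described above as an iptables-restore file, check it, and apply it with an
# automatic rollback so a remote session cannot lock itself out.
# Assumed names: gen_ruleset, valid_port, ruleset_allows_ssh, apply_with_rollback.

# valid_port P -> 0 if P is a port 1..65535 or a range LOW:HIGH, else 1
valid_port() {
    case $1 in
        ''|*[!0-9:]*|*:*:*|:*|*:) return 1 ;;
    esac
    lo=${1%%:*}; hi=${1#*:}
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# gen_ruleset "TCP PORTS" "UDP PORTS" -> iptables-restore text on stdout.
# Rule order is the one explained above; per-port ACCEPTs go into the
# TCP and UDP chains, everything else is rejected like a closed Linux port.
gen_ruleset() {
    for p in $1 $2; do
        valid_port "$p" || { echo "gen_ruleset: bad port '$p'" >&2; return 1; }
    done
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
EOF
    for p in $1; do printf '%s\n' "-A TCP -p tcp -m tcp --dport $p -j ACCEPT"; done
    for p in $2; do printf '%s\n' "-A UDP -p udp -m udp --dport $p -j ACCEPT"; done
    echo COMMIT
}

# ruleset_allows_ssh RULESET PORT -> 0 if the TCP chain accepts PORT
ruleset_allows_ssh() {
    printf '%s\n' "$1" | grep -q -- "^-A TCP -p tcp -m tcp --dport $2 -j ACCEPT\$"
}

# apply_with_rollback FILE [SECONDS]: load FILE, then restore the previous
# rules after SECONDS unless Enter is pressed (needs root; run in tmux/screen).
apply_with_rollback() {
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || return 1
    iptables-restore < "$1" || return 1
    ( trap '' HUP; sleep "${2:-60}"; iptables-restore < "$backup" ) &
    timer=$!
    echo "Rules loaded; press Enter within ${2:-60}s to keep them"
    if read -r _; then kill "$timer"; echo "kept"; else wait "$timer"; echo "rolled back"; fi
}

case "${1-}" in
    demo)   # print a ruleset that keeps SSH reachable on port 22, refuse otherwise
        rs=$(gen_ruleset "22 80 443" "53") || exit 1
        ruleset_allows_ssh "$rs" 22 || { echo "SSH port not open, refusing" >&2; exit 1; }
        printf '%s\n' "$rs" ;;
esac
```
<br />
Run {{Ic|sh firewall.sh demo > /etc/iptables/iptables.rules}} to write the file, then {{Ic|apply_with_rollback /etc/iptables/iptables.rules 60}} from a root shell: if the SSH session dies because a rule was wrong, nobody presses Enter and the previous rules come back after a minute. The rollback subshell ignores SIGHUP so that it survives the session being dropped.<br />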
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the custom {{Ic|open}} chain used in this firewall (the {{Ic|TCP}} chain in the example below) for the {{Ic|INPUT}} chain specification.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database] and/or your {{Ic|/etc/services}} file.<br />
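The port selection and the check against {{Ic|/etc/services}} just described can be scripted; the following is an added example, not part of this page or of knockd. It draws distinct random ports that are not registered in a services file, checks a chosen set for clashes, and renders the [opencloseSSH] stanza above with them. The function names, the unprivileged range 1024-65535 and the constructed services excerpt are this example's assumptions.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the page or knockd): pick knock-sequence ports that
# are not registered services, and render the [opencloseSSH] stanza above with
# them. Assumptions: the services file is a parameter (a constructed sample is
# used so this runs offline); ports come from the unprivileged range
# 1024-65535; awk's srand() seeds from the clock, so two runs in the same
# second give the same ports.

# sample_services -> a few lines in /etc/services format (constructed)
sample_services() {
    cat <<'EOF'
# constructed excerpt in /etc/services format
ssh             22/tcp
domain          53/udp
http            80/tcp
https           443/tcp
xmpp-client     5222/tcp
EOF
}

# pick_knock_ports N SERVICES_FILE -> N distinct random ports, one per line,
# none of which is registered in SERVICES_FILE
pick_knock_ports() {
    awk -v n="$1" '
        $2 ~ /^[0-9]+\/(tcp|udp)$/ { split($2, a, "/"); used[a[1]] = 1 }
        END {
            srand()
            while (count < n) {
                p = 1024 + int(rand() * (65535 - 1024 + 1))
                if ((p in used) || (p in chosen)) continue
                chosen[p] = 1; count++
                print p
            }
        }' "$2"
}

# ports_clash "P1 P2 ..." SERVICES_FILE -> 0 if any port is a registered service
ports_clash() {
    for p in $1; do
        grep -Eq "^[^#[:space:]]+[[:space:]]+$p/(tcp|udp)" "$2" && return 0
    done
    return 1
}

# knockd_stanza P1 P2 P3 -> the stanza from the page with these ports,
# keeping its udp,tcp,udp alternation
knockd_stanza() {
    cat <<EOF
[opencloseSSH]
    sequence    = $1:udp,$2:tcp,$3:udp
    seq_timeout = 15
    tcpflags    = syn,ack
    start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT
    cmd_timeout   = 10
    stop_command  = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT
EOF
}

case "${1-}" in
    demo)
        f=$(mktemp); sample_services > "$f"
        set -- $(pick_knock_ports 3 "$f")
        ports_clash "$*" "$f" && { echo "clash, re-run" >&2; exit 1; }
        knockd_stanza "$1" "$2" "$3"; rm -f "$f" ;;
esac
```
<br />
Run {{Ic|sh knockports.sh demo}} to get a ready stanza; pass {{Ic|/etc/services}} instead of the sample file to check against the real registry on your system.<br />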
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses coming in from the internet or local network is normally done by setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification, which is built into the Linux kernel itself. The verification by the kernel will handle spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used or {{Ic|rp_filter}} is set to 0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to check connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer: any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e. only X packets per minute across all source addresses):<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below; alternatively, do not add it in the first place.<br />
<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page and in the documentation and examples at http://snowman.net/projects/ipt_recent/<br />
<br />
==== Tricking port scanners ====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified so that hosts with rejected packets are added to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, insert a rule at the top of the UDP chain to reject packets from hosts on the UDP-PORTSCAN list.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the portscanning tricks above were used the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule otherwise it will intercept the trick port scanner rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A) which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
==== SSH bruteforce attacks ====<br />
<br />
{{Warning|Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
<br />
To ban IP addresses that make too many password failures, you can use [[Fail2ban]] or [[Sshguard]]. These update firewall rules to reject the IP address.<br />
<br />
Here are some rules which help to mitigate SSH brute force attacks using iptables:<br />
<br />
# iptables -N IN_SSH<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
<br />
Ensure that<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
is in an appropriate position in the iptables.rules file (before the rules that jump to the TCP and UDP chains, as shown below).<br />
<br />
This arrangement works for the IN_SSH rule if you followed this entire wiki so far:<br />
...<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
...<br />
<br />
Reference: [http://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]<br />
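Both the port scanner section and the SSH brute force rules above rely on the recent module, whose lists can be read from {{Ic|/proc/net/xt_recent/}}, and both depend on rule order in the INPUT chain. The following script is an added example, not part of this page or of the iptables project: it summarises a recent list (TCP-PORTSCAN, UDP-PORTSCAN or sshbf) as address, hit count and last-seen time, and checks in an iptables-save dump that the catch-all protocol-unreachable REJECT is still the last INPUT rule, the mistake the "Restore the Final Rule" subsection warns about. The entry format assumed for {{Ic|/proc/net/xt_recent}} files is "src=A.B.C.D ttl: T last_seen: J oldest_pkt: I t1, t2, ..." with one timestamp per recorded packet; the list contents and rule dumps below are constructed.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the page): report what the kernel's recent lists
# currently hold, and check that the catch-all REJECT is still the last INPUT
# rule after the portscan rules were re-added. Assumptions: xt_recent entries
# look like "src=A.B.C.D ttl: T last_seen: J oldest_pkt: I t1, t2, ..." with
# one jiffies timestamp per counted packet; the samples below are constructed.

# sample_recent_list -> constructed contents of a /proc/net/xt_recent/<name> file
sample_recent_list() {
    cat <<'EOF'
src=203.0.113.7 ttl: 54 last_seen: 4295033104 oldest_pkt: 3 4295033001, 4295033050, 4295033104
src=198.51.100.23 ttl: 64 last_seen: 4295020000 oldest_pkt: 1 4295020000
EOF
}

# recent_summary FILE -> "ip hits last_seen_jiffies" per entry, most hits first.
# Use it on /proc/net/xt_recent/TCP-PORTSCAN, UDP-PORTSCAN or sshbf.
recent_summary() {
    awk '
        $1 ~ /^src=/ {
            ip = substr($1, 5)
            for (i = 1; i <= NF; i++) {
                if ($i == "last_seen:")  last  = $(i + 1)
                if ($i == "oldest_pkt:") first = i + 2   # timestamps start here
            }
            printf "%s %d %s\n", ip, NF - first + 1, last
        }' "$1" | sort -k2,2nr
}

# recent_hits FILE IP -> number of packets recorded for IP (empty if absent)
recent_hits() {
    recent_summary "$1" | awk -v ip="$2" '$1 == ip { print $2 }'
}

# final_rule_is_last FILE -> 0 if the last "-A INPUT" line in an iptables-save
# dump is the protocol-unreachable REJECT, 1 if something was appended after it
final_rule_is_last() {
    last=$(grep -- '^-A INPUT ' "$1" | tail -n 1)
    [ "$last" = "-A INPUT -j REJECT --reject-with icmp-proto-unreachable" ]
}

# constructed dumps: correct order, and the broken order the section warns about
sample_rules_good() {
    cat <<'EOF'
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
EOF
}
sample_rules_bad() {
    cat <<'EOF'
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
EOF
}

case "${1-}" in
    demo)
        f=$(mktemp); sample_recent_list > "$f"; recent_summary "$f"; rm -f "$f"
        g=$(mktemp); sample_rules_bad > "$g"
        final_rule_is_last "$g" || echo "final REJECT is not last: re-append it"; rm -f "$g" ;;
esac
```
<br />
On a live system, {{Ic|recent_summary /proc/net/xt_recent/sshbf}} shows which addresses the IN_SSH rules are currently tracking and how many attempts fell in the window, and {{Ic|iptables-save | final_rule_is_last /dev/stdin}} (or a saved rules file) tells you whether the final rule needs to be deleted and re-appended.<br />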
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Just copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change IPs from v4 format to v6 format and change the reject messages, e.g. from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
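The copy-and-edit step above is mechanical enough to script for a ruleset shaped like the example file. The following is an added example, not part of this page or of the iptables project: it rewrites the ICMP echo rule for ICMPv6, renames the port-unreachable reject, drops the protocol-unreachable reject that ip6tables lacks (so the rule rejects with the ip6tables default message), inserts an accept for Neighbor Discovery ahead of the INVALID drop as the note in the INPUT chain section requires, and flags lines that still contain an IPv4 address for manual editing. The ICMPv6 type numbers (128 for echo request, 133 to 136 for Neighbor Discovery) and the function names are this example's assumptions; the sample input is constructed from the page's rules.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the page): derive a first ip6tables.rules from an
# iptables.rules in the shape of the example file above. Assumptions (not
# stated on the page): ICMPv6 echo request is type 128; Neighbor Discovery
# (ICMPv6 types 133-136) is accepted right before the INVALID drop, as the
# note in the INPUT chain section requires; lines containing an IPv4 literal
# are passed through unchanged with a warning, because they need an IPv6
# address chosen by hand. The sample input is constructed from the page's rules.

# sample_v4_rules -> constructed iptables-save output (counters zeroed)
sample_v4_rules() {
    cat <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# v4_to_v6_rules FILE -> ip6tables-restore text on stdout, warnings on stderr
v4_to_v6_rules() {
    awk '
        /^#/ { print; next }
        # accept Neighbor Discovery before the INVALID drop would eat it
        /--ctstate INVALID -j DROP/ {
            for (t = 133; t <= 136; t++)
                printf "-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type %d -j ACCEPT\n", t
        }
        # ICMPv4 echo request (type 8) becomes ICMPv6 echo request (type 128)
        { sub(/-p icmp -m icmp --icmp-type 8/, "-p ipv6-icmp -m icmp6 --icmpv6-type 128") }
        { sub(/--reject-with icmp-port-unreachable/, "--reject-with icmp6-port-unreachable") }
        # ip6tables has no proto-unreachable, so REJECT with its default message
        { sub(/ --reject-with icmp-proto-unreachable/, "") }
        /[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ {
            print "warning: IPv4 address needs a manual IPv6 replacement: " $0 > "/dev/stderr"
        }
        { print }
    ' "$1"
}

case "${1-}" in
    demo) f=$(mktemp); sample_v4_rules > "$f"; v4_to_v6_rules "$f"; rm -f "$f" ;;
esac
```
<br />
Use it as {{Ic|v4_to_v6_rules /etc/iptables/iptables.rules > /etc/iptables/ip6tables.rules}} and then fix every line reported on stderr before enabling {{Ic|ip6tables.service}}; the output is meant as a starting point to review, not as a finished IPv6 policy.<br />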
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
Throughout this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will be screwed up.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the destination address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
I will give two simple examples. First, we want to forward all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
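Each port forward above is a pair of rules, and the pair only works when the fw-open ACCEPT names the same protocol, LAN address and LAN port that the DNAT sends traffic to. The following script is an added example, not part of this page or of the iptables project: it emits the fw-interfaces/POSTROUTING pairs for any number of LAN subnets and the fw-open/PREROUTING pairs for a forward, so the two halves cannot drift apart, and it checks an existing list of iptables commands for DNAT targets with no matching fw-open ACCEPT. Function names, the ppp0/eth0/eth1 names reused from the text and the deliberately broken sample are this example's own.<br />
<br />
```sh
#!/bin/sh
# Added example (not from the page): generate the paired filter/nat rules for
# the NAT gateway above and check that every DNAT target has a matching
# fw-open ACCEPT, the mismatch that silently breaks a port forward. Assumed
# names: nat_masquerade, nat_forward, check_forwards; interface names and
# subnets are parameters, the bad sample is constructed.

# nat_masquerade EXT_IF "IF:SUBNET ..." -> fw-interfaces + POSTROUTING rules
nat_masquerade() {
    for pair in $2; do
        lan_if=${pair%%:*}; subnet=${pair#*:}
        echo "iptables -A fw-interfaces -i $lan_if -j ACCEPT"
        echo "iptables -t nat -A POSTROUTING -s $subnet -o $1 -j MASQUERADE"
    done
}

# nat_forward EXT_IF PROTO EXT_PORT LAN_IP [LAN_PORT] -> fw-open + PREROUTING
# rules whose destination address and port always agree
nat_forward() {
    case $2 in tcp|udp) ;; *) echo "nat_forward: proto must be tcp or udp" >&2; return 1 ;; esac
    lan_port=${5:-$3}
    echo "iptables -A fw-open -d $4 -p $2 --dport $lan_port -j ACCEPT"
    if [ "$lan_port" = "$3" ]; then
        echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to $4"
    else
        echo "iptables -t nat -A PREROUTING -i $1 -p $2 --dport $3 -j DNAT --to $4:$lan_port"
    fi
}

# check_forwards FILE -> 0 if every DNAT in FILE (iptables command lines) has
# an fw-open ACCEPT for the same proto, address and port; 1 and a message otherwise
check_forwards() {
    awk '
        function opt(name,   i) { for (i = 1; i <= NF; i++) if ($i == name) return $(i + 1); return "" }
        /-A fw-open / { open[opt("-p") ":" opt("-d") ":" opt("--dport")] = 1 }
        /-A PREROUTING / && /-j DNAT/ {
            to = opt("--to"); if (to == "") to = opt("--to-destination")
            n = split(to, a, ":")
            want[NR] = opt("-p") ":" a[1] ":" (n > 1 ? a[2] : opt("--dport"))
        }
        END {
            bad = 0
            for (k in want) if (!(want[k] in open)) { print "no fw-open ACCEPT for " want[k]; bad = 1 }
            exit bad
        }' "$1"
}

# constructed mistake: fw-open allows port 80 but the DNAT sends traffic to 8080
sample_bad_forward() {
    cat <<'EOF'
iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:8080
EOF
}

case "${1-}" in
    demo)
        nat_masquerade ppp0 "eth0:192.168.0.0/24 eth1:10.3.0.0/16"
        nat_forward ppp0 tcp 22 192.168.0.5
        nat_forward ppp0 tcp 8000 192.168.0.6 80 ;;
esac
```
<br />
{{Ic|sh natgw.sh demo}} prints the rules from this section for review; pipe the output through {{Ic|sh}} as root to apply them, and run {{Ic|check_forwards}} on any hand-written rule script before doing so.<br />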
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=251970Simple stateful firewall2013-03-26T11:50:29Z<p>Jrussell: added iptables rules for brute force mitigation</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you are using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or thelike. Keep this in mind, and accept them before this rule! iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW, the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW should needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag not covered by the INVALID state. The reason is because they are rarely malicious packets, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example rules file===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with:<br />
iptables-save > /etc/iptables/iptables.rules <br />
and can be used to prevent blocking yourself out if you are setting up the firewall remotely, just remember to append:<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow ssh in. (Assuming ssh on port 22)<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the custom {{Ic|TCP}} chain used in this firewall for the {{Ic|INPUT}} chain specification, as the example below does.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database], and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses arriving from the internet or the local network is normally done by setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable the source address verification that is built into the Linux kernel itself. Verification by the kernel handles spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used and/or rp_filter is set to 0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e. only X packets per minute for all source addresses combined):<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or, using the 'recent' module, you can impose a limit per source address (here, a source that sends 6 or more echo requests within 4 seconds is dropped):<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below, or alternatively do not add it in the first place.<br />
<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page and in the docs and examples at http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, insert a rule that rejects packets from hosts on the UDP-PORTSCAN list at the top of the UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the port scanning tricks above were used, the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule, otherwise it will intercept the port scanner trick rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A), which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban IP addresses that produce too many password failures you can use [[Fail2ban]] or [[Sshguard]]. These update firewall rules to reject the offending IP address.<br />
<br />
Here are some rules which help to mitigate ssh brute force attacks using iptables:<br />
<br />
# iptables -N IN_SSH<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 3 --seconds 10 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --rttl --rcheck --hitcount 4 --seconds 1800 -j DROP<br />
# iptables -A IN_SSH -m recent --name sshbf --set -j ACCEPT<br />
<br />
Ensure that:<br />
<br />
# iptables -A INPUT -p tcp --dport ssh -m conntrack --ctstate NEW -j IN_SSH<br />
<br />
is in an appropriate position in the iptables.rules file.<br />
<br />
This arrangement works for the IN_SSH rule if you have followed this entire wiki so far:<br />
<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j IN_SSH<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
<br />
Reference: [http://compilefailure.blogspot.com/2011/04/better-ssh-brute-force-prevention-with.html compilefailure.blogspot.com]<br />
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
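Before loading a saved ruleset on a remote machine, it is worth checking the file for the ordering mistakes this page warns about: a port-scan trap rule appended after the final REJECT, a ping limiter left beside the original echo-request ACCEPT, or no rule letting SSH in at all. The following bash script is an added example, not part of this page or of the iptables project; it assumes the chain names used in this guide (INPUT, TCP, UDP, IN_SSH) and lints an iptables-save dump such as /etc/iptables/iptables.rules, using two constructed sample files for a stand-alone run.<br />

```bash
#!/usr/bin/env bash
# Added example, not part of the wiki page: lint an iptables-save dump for
# the ordering mistakes this guide warns about, before loading it with
# iptables-restore. Assumes the guide's chain names (INPUT, TCP, UDP, IN_SSH).

# lint_rules FILE [SSH_PORT]: print one finding per line, return their count.
lint_rules() {
    local file=$1 ssh_port=${2:-22} findings=0
    local input_rules last_input
    input_rules=$(grep -E '^-A INPUT ' "$file" || true)   # INPUT rules in file order
    last_input=$(printf '%s\n' "$input_rules" | tail -n 1)

    # 1. The catch-all proto-unreachable REJECT must stay the last INPUT rule;
    #    anything appended after it (e.g. the port-scan traps) is never reached.
    if printf '%s\n' "$input_rules" | grep -q 'icmp-proto-unreachable' &&
       [ "$last_input" != '-A INPUT -j REJECT --reject-with icmp-proto-unreachable' ]; then
        echo 'the final icmp-proto-unreachable REJECT is not the last INPUT rule'
        findings=$((findings + 1))
    fi
    # 2. The whole guide is built on a default-deny INPUT policy.
    if ! grep -q '^:INPUT DROP' "$file"; then
        echo 'INPUT policy is not DROP'
        findings=$((findings + 1))
    fi
    # 3. A ping limiter (limit or recent module) does nothing while the plain
    #    echo-request ACCEPT from the base ruleset is still in the chain.
    if printf '%s\n' "$input_rules" | grep -Eq -- '--icmp-type (8|echo-request) .*-m (limit|recent)' &&
       printf '%s\n' "$input_rules" | grep -q -- '--icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT'; then
        echo 'ping limiter present but the original icmp-type 8 ACCEPT rule was not deleted'
        findings=$((findings + 1))
    fi
    # 4. Lock-out guard for remote setups: something must let SSH in.
    if ! grep -Eq -- "--dport (${ssh_port}|ssh) .*-j (ACCEPT|IN_SSH)" "$file"; then
        echo "no rule accepting SSH on port ${ssh_port}: a remote session would be cut off"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample dumps for a stand-alone run (not captured from a real host).
RULES_DIR=$(mktemp -d)
GOOD_RULES=$RULES_DIR/good.rules   # the guide's base ruleset plus an SSH accept
BAD_RULES=$RULES_DIR/bad.rules     # three of the mistakes the guide describes
cat > "$GOOD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
cat > "$BAD_RULES" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 30/min --limit-burst 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN --rsource -j REJECT --reject-with tcp-reset
COMMIT
EOF

for f in "$GOOD_RULES" "$BAD_RULES"; do
    echo "== $f"
    lint_rules "$f" || echo "   $? problem(s) found"
done
```

Run it against your own dump with {{Ic|lint_rules /etc/iptables/iptables.rules 2222}} if SSH listens on a non-standard port; a non-zero exit status means at least one finding.<br />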
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6 as well. Copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change any addresses from IPv4 to IPv6 format, and change the reject messages from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
etc.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
All over this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will be screwed up.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the destination address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
Two simple examples: first, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
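As an added example that is not part of this page or of the iptables project, the following bash script assembles the gateway rules from this section into iptables-restore format from a short description of LANs and port forwards, so that a MASQUERADE rule can never be emitted without its '''-o''' interface (the omission warned about above) and every DNAT is emitted together with its matching '''fw-open''' ACCEPT. The spec syntax ({{Ic|lan_if=subnet}} and {{Ic|proto:ext_port>host:int_port}}) is this example's own invention; the output covers only the FORWARD and nat parts and is meant to be merged into the single-machine ruleset from the first section.<br />

```bash
#!/usr/bin/env bash
# Added example, not from the wiki page: build this section's NAT-gateway
# rules in iptables-restore format from a short description, so that the
# MASQUERADE rule always carries -o <wan_if> and every DNAT is paired with
# its fw-open ACCEPT. The single-machine INPUT ruleset is merged separately.

# lan_rules <wan_if> <lan_if>=<subnet>: forwarding accept + masquerade for one LAN.
lan_rules() {
    local wan_if=$1 lan_if=${2%%=*} subnet=${2#*=}
    if [ -z "$wan_if" ]; then
        echo "error: MASQUERADE without -o would also rewrite LAN-to-LAN traffic; refusing" >&2
        return 1
    fi
    printf 'filter|-A fw-interfaces -i %s -j ACCEPT\n' "$lan_if"
    printf 'nat|-A POSTROUTING -s %s -o %s -j MASQUERADE\n' "$subnet" "$wan_if"
}

# forward_rules <wan_if> <proto>:<ext_port>><host>:<int_port>: the DNAT in
# nat/PREROUTING only works if fw-open also accepts the rewritten packet.
forward_rules() {
    local wan_if=$1 proto=${2%%:*} rest=${2#*:}
    local ext=${rest%%>*} target=${rest#*>}
    local host=${target%%:*} iport=${target#*:}
    printf 'filter|-A fw-open -d %s -p %s --dport %s -j ACCEPT\n' "$host" "$proto" "$iport"
    printf 'nat|-A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$wan_if" "$proto" "$ext" "$host" "$iport"
}

# gateway_rules <wan_if> <lan spec>... -- <forward spec>...: print both tables.
gateway_rules() {
    local wan_if=$1 a in_fwds=0 tagged; shift
    tagged=$(
        for a in "$@"; do
            if [ "$a" = "--" ]; then in_fwds=1; continue; fi
            if [ "$in_fwds" -eq 0 ]; then lan_rules "$wan_if" "$a" || exit 1
            else forward_rules "$wan_if" "$a"; fi
        done
    ) || return 1
    cat <<EOF
*filter
:FORWARD DROP [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
$(printf '%s\n' "$tagged" | sed -n 's/^filter|//p')
COMMIT
*nat
$(printf '%s\n' "$tagged" | sed -n 's/^nat|//p')
COMMIT
EOF
}

# Stand-alone run with the interfaces, subnets and forwards used in this section.
gateway_rules ppp0 eth0=192.168.0.0/24 eth1=10.3.0.0/16 -- \
    'tcp:22>192.168.0.5:22' 'tcp:8000>192.168.0.6:80'
```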
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=251968Simple stateful firewall2013-03-26T11:37:28Z<p>Jrussell: /* Example rules file */</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you are using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or the like. Keep this in mind, and accept them before this rule: iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW, the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag combination not covered by the INVALID state. The reason is that such packets are rarely malicious, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example rules file ===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with:<br />
iptables-save > /etc/iptables/iptables.rules<br />
and can be used to avoid locking yourself out if you are setting up the firewall remotely; just remember to append (before the COMMIT line):<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
which will allow SSH in (assuming SSH listens on port 22).<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the custom {{Ic|TCP}} chain used in this firewall for the {{Ic|INPUT}} chain specification, as the example below does.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database], and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses arriving from the internet or the local network is normally done by setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable the source address verification that is built into the Linux kernel itself. Verification by the kernel handles spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used and/or rp_filter is set to 0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e. only X packets per minute for all source addresses combined):<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or, using the 'recent' module, you can impose a limit per source address (here, a source that sends 6 or more echo requests within 4 seconds is dropped):<br />
<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
# iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below, or alternatively do not add it in the first place.<br />
<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next, you need to decide where to place the rate-limiting or source-limiting rules. If you place them after the RELATED,ESTABLISHED rule, you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule, they will count and limit each ping sent to your machine, not each ping connection made.<br />
<br />
More information is in the iptables man page and in the docs and examples on the webpage http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that was added to the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list entry to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the UDP-PORTSCAN list to the top of the UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the port-scanning tricks above were used, the final default rule is no longer the last rule in the INPUT chain. It needs to be last, otherwise it will intercept packets before they reach the port scanner rules you just added, and those rules will never be used. Simply delete the rule (-D), then add it once again using append (-A), which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
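<br />
As an added example (not part of the wiki page), the following shell function audits an iptables-save dump for the INPUT chain ordering this guide relies on: policy DROP, the INVALID drop ahead of any NEW dispatch, and the protocol catch-all REJECT as the very last INPUT rule, which is exactly what goes wrong before this restore step. The sample dumps are constructed from the Example rules file on this page with the SYN-scan rule added.<br />

```shell
# Added example, not from the wiki page: return 0 if an iptables-save dump (on stdin)
# keeps the INPUT ordering this guide depends on, 1 otherwise.
check_input_order() {
    awk '
    /^\*/ { table = $1 }                                  # *filter, *nat, ...
    table == "*filter" && /^:INPUT / { policy = $2 }      # ":INPUT DROP [0:0]"
    table == "*filter" && /^-A INPUT / {
        n++                                               # position within INPUT
        if (!est && /--ctstate RELATED,ESTABLISHED -j ACCEPT/) est = n
        if (!inv && /--ctstate INVALID -j DROP/)             inv = n
        if (!new && /--ctstate NEW/)                         new = n
        if (/^-A INPUT -j REJECT/)                           last = n   # protocol catch-all
    }
    END {
        # conntrack accept present, INVALID dropped before anything NEW is dispatched,
        # catch-all present and last: a trick rule appended after it is unreachable
        ok = (policy == "DROP") && est && inv && new && (inv < new) && last && (last == n)
        exit (ok ? 0 : 1)
    }'
}

# Constructed sample: the page's example rules file with the SYN-scan trick
# applied and the catch-all correctly re-appended last.
rules_good() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-reset
COMMIT
EOF
}

# Same ruleset, but with the catch-all left where it was before the TCP-PORTSCAN
# rule was appended: the new rule now sits behind it and is never reached.
rules_bad() {
    rules_good | awk '/^-A INPUT -j REJECT/ { next }
                      /-m recent --set/ { print "-A INPUT -j REJECT --reject-with icmp-proto-unreachable" }
                      { print }'
}

rules_good | check_input_order && echo "good ruleset: ordering ok"
rules_bad  | check_input_order || echo "bad ruleset: catch-all REJECT is not last"
```

To audit the live machine, feed it `iptables-save | check_input_order` instead of the samples.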
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban an IP address that produces too many password failures, you can use [[Fail2ban]] or [[Sshguard]]. These update the firewall rules to reject the IP address.<br />
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Just copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''' and change IPs from v4 format to v6 format and change reject messages from <br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
etc.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
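<br />
The mechanical part of that conversion, as an added example that is not part of the wiki page: a sed-based function that rewrites the ICMP match and the reject types from an iptables-save dump into ip6tables form, plus a helper that lists the lines still carrying IPv4 literals, which have to be rewritten by hand. It assumes the input is an iptables-save dump (reject types spelled out in full, as iptables-save prints them).<br />

```shell
# Added example, not from the wiki page: translate the protocol-specific parts of
# an IPv4 rules file (iptables-save format, on stdin) into ip6tables syntax.
ip4_to_ip6_rules() {
    sed -e 's/-p icmp -m icmp --icmp-type 8/-p ipv6-icmp -m icmp6 --icmpv6-type 128/' \
        -e 's/--reject-with icmp-port-unreachable/--reject-with icmp6-port-unreachable/' \
        -e 's/--reject-with icmp-host-unreachable/--reject-with icmp6-addr-unreachable/' \
        -e 's/ --reject-with icmp-proto-unreachable$//'
    # The last expression leaves a bare "-j REJECT": ICMPv6 has no protocol-unreachable
    # type, so ip6tables falls back to its default reject type, icmp6-port-unreachable.
    # "--reject-with tcp-reset" is valid for both and is passed through unchanged.
}

# Lines that still contain IPv4 literals (addresses or subnets) need manual rewriting;
# print them with their line numbers.
ipv4_literals() {
    grep -n '\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}'
}

# Constructed sample: the ICMP and reject rules from the Example rules file on this
# page, plus one NAT-section rule that carries a literal address.
v4_sample() {
cat <<'EOF'
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A fw-open -d 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
EOF
}

v4_sample | ip4_to_ip6_rules      # converted rules
v4_sample | ipv4_literals         # lines that still need an IPv6 address
```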
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
Throughout this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all of the following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will not work properly.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so that it persists across reboots:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network configuration and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the destination address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
Here are two simple examples. First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
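<br />
As an added example that is not part of the wiki page, a shell function that audits an iptables-save dump of this NAT gateway for the two mistakes the section warns about: a MASQUERADE rule without the '''-o''' outgoing interface, and a DNAT port forward with no matching ACCEPT in '''fw-open''' (the FORWARD chain then rejects the forwarded packets). The sample dump is constructed from the rules above; chain and interface names follow this section.<br />

```shell
# Added example, not from the wiki page: check an iptables-save dump (on stdin) of the
# NAT gateway for the two pitfalls in this section. Prints each problem; exit 1 if any.
check_nat_rules() {
    awk '
    function dport_of(line,   f, n, i) {            # "--dport N" of a rule, or "any"
        n = split(line, f, " ")
        for (i = 1; i <= n; i++) if (f[i] == "--dport") return f[i+1]
        return "any"
    }
    /^\*/ { table = $1 }
    table == "*nat" && /^-A POSTROUTING / && /-j MASQUERADE/ && !/ -o / {
        print "MASQUERADE without -o: " $0; bad++
    }
    table == "*nat" && /^-A PREROUTING / && /-j DNAT --to/ {
        # last field is "ip" or "ip:port"; without a port the original --dport is kept
        n = split($NF, a, ":")
        port = (n == 2) ? a[2] : dport_of($0)
        dnat[a[1] ":" port] = $0
    }
    table == "*filter" && /^-A fw-open / && /-j ACCEPT/ {
        ip = ""; for (i = 1; i <= NF; i++) if ($i == "-d") ip = $(i+1)
        sub(/\/32$/, "", ip)                      # iptables-save prints -d 192.168.0.5/32
        open[ip ":" dport_of($0)] = 1
    }
    END {
        for (k in dnat) if (!(k in open)) { print "DNAT without fw-open ACCEPT: " dnat[k]; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the gateway rules from this section as iptables-save would print them.
nat_good() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.5
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 8000 -j DNAT --to-destination 192.168.0.6:80
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
COMMIT
*filter
:FORWARD DROP [0:0]
:fw-interfaces - [0:0]
:fw-open - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j fw-interfaces
-A FORWARD -j fw-open
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A fw-interfaces -i eth0 -j ACCEPT
-A fw-open -d 192.168.0.5/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A fw-open -d 192.168.0.6/32 -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
EOF
}

# Same dump with both mistakes introduced: "-o ppp0" dropped from MASQUERADE and the
# fw-open entry for the web server missing.
nat_bad() {
    nat_good | sed -e 's/ -o ppp0//' -e '/fw-open -d 192.168.0.6/d'
}

nat_good | check_nat_rules && echo "gateway rules: ok"
nat_bad  | check_nat_rules || echo "gateway rules: problems found"
```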
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=251967Simple stateful firewall2013-03-26T11:36:43Z<p>Jrussell: /* Example rules file */</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you are using for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked, and will always be classified "INVALID" though they are not corrupted or the like. Keep this in mind, and accept them before this rule! iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW, the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW needs to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections, or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag combination not covered by the INVALID state. The reason is that such packets are rarely malicious, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with icmp protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example rules file===<br />
<br />
{{Box BLUE|Example of iptables.rules file after running all the commands from above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with<br />
iptables-save > /etc/iptables/iptables.rules<br />
and can be used to avoid locking yourself out if you are setting up the firewall remotely; just remember to add the line<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
inside the *filter section, before COMMIT, to allow SSH in (assuming SSH on port 22).<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, such as matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the {{Ic|INPUT}} chain specification with the custom {{Ic|TCP}} chain used in this firewall, as in the example below.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database], and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done by setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification, which is built into the Linux kernel itself. The verification by the kernel handles spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Only when asynchronous routing and/or rp_filter=0 is used, need extra checks be used:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for education purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (ie, only X packets per minute for all source addresses):<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate limiting or the source limiting rules the PING rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below, or alternatively don't use it in the first place. <br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next you need to decide where you wish to place the rate limiting or source limiting rules. If you place the rules below the RELATED,ESTABLISHED rule then you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule then these rules will count and limit each ping sent to your machine, not each ping connection made. <br />
<br />
More information is in the iptables man page, or reading the docs and examples on the webpage http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attack can send packets with spoofed IPs and get them blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends SYN packet to every port. Closed ports return a TCP RST packet, or get dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets need to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the UDP-PORTSCAN list to the top of the OPEN-UDP chain.<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach<br />
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the portscanning tricks above were used the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule otherwise it will intercept the trick port scanner rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A) which will place it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban IP addresses that make too many password failures, you can use [[Fail2ban]] or [[Sshguard]]. These update the firewall rules to reject the IP address.<br />
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Just copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change the IP addresses from v4 to v6 format, and change the reject messages from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
etc.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
All over this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will break.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the destination address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
I will give two simple examples. First, we want to redirect all incoming SSH packets (port 22) to the SSH server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Simple_stateful_firewall&diff=251966Simple stateful firewall2013-03-26T11:35:45Z<p>Jrussell: Added example of the rules file from commands run above this section</p>
<hr />
<div>[[Category:Firewalls]]<br />
[[ru:Simple stateful firewall]]<br />
This page explains how to set up a stateful firewall using [[iptables]]. It also explains what the rules mean and why they are needed. For simplicity, it is split into two major sections. The first section deals with a firewall for a single machine, the second sets up a NAT gateway in addition to the firewall from the first section.<br />
<br />
{{Warning| The rules are given in the order that they are executed. If you are logged into a remote machine, you may be locked out of the machine while setting up the rules. You should only follow the steps below while you are logged in locally.}}<br />
<br />
==Prerequisites==<br />
{{Note| Your kernel needs to be compiled with iptables support. All stock Arch Linux kernels have iptables support.}}<br />
<br />
First, install the userland utilities:<br />
<br />
# pacman -S iptables<br />
<br />
This HOWTO assumes that there are currently no iptables rules set. To check this, try the command<br />
<br />
# iptables-save<br />
<br />
If not, you can reset the rules by loading a default rule set:<br />
<br />
# iptables-restore < /etc/iptables/empty.rules<br />
<br />
== Firewall for a single machine ==<br />
<br />
{{Note|Because iptables processes rules in linear order, from top to bottom within a chain, it is advised to put frequently-hit rules near the start of the chain. Of course there is a limit, depending on the logic that is being implemented. Also, rules have an associated runtime cost, so rules should not be reordered solely based upon empirical observations of the byte/packet counters.}}<br />
<br />
=== Creating necessary chains ===<br />
<br />
For this basic setup, we will create two user-defined chains that we will use to open up ports in the firewall.<br />
<br />
# iptables -N TCP<br />
# iptables -N UDP<br />
<br />
=== The FORWARD chain ===<br />
<br />
If you want to set up your machine as a NAT gateway, please look at the second section of this HOWTO. For a single machine, however, we simply set the policy of the '''FORWARD''' chain to '''DROP''' and move on:<br />
<br />
# iptables -P FORWARD DROP<br />
<br />
=== The OUTPUT chain ===<br />
<br />
We have no intention of filtering any outgoing traffic, as this would make the setup much more complicated and would require some extra thought. In this simple case, we set the '''OUTPUT''' policy to '''ACCEPT'''.<br />
<br />
# iptables -P OUTPUT ACCEPT<br />
<br />
=== The INPUT chain ===<br />
<br />
First, we set the default policy for the '''INPUT''' chain to '''DROP''' in case something somehow slips by our rules. Dropping all traffic and specifying what is allowed is the best way to make a secure firewall.<br />
{{Warning|This is the step where you will be locked out if you are logged in via SSH. Therefore, do this step after adding your rule for port 22 (or whatever port you use for SSH) to prevent being locked out.}}<br />
<br />
# iptables -P INPUT DROP<br />
<br />
Every packet that is received by any network interface will pass the '''INPUT''' chain first, if it is destined for this machine. In this chain, we make sure that only the packets that we want are accepted.<br />
<br />
The first rule will allow traffic that belongs to established connections, or new valid traffic that is related to these connections such as ICMP errors, or echo replies (the packets a host returns when pinged). '''ICMP''' stands for '''Internet Control Message Protocol'''. Some ICMP messages are very important and help to manage congestion and MTU, and are accepted by this rule.<br />
<br />
# iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The second rule will accept all traffic from the "loopback" (lo) interface, which is necessary for many applications and services.<br />
<br />
{{Note|You can add more trusted interfaces here such as "eth1" if you do not want/need the traffic filtered by the firewall, but be warned that if you have a NAT setup that redirects any kind of traffic to this interface from anywhere else in the network (let's say a router), it'll get through, regardless of any other settings you may have.}}<br />
<br />
# iptables -A INPUT -i lo -j ACCEPT<br />
<br />
The third rule will drop all traffic with an "INVALID" state match. Traffic can fall into four "state" categories: NEW, ESTABLISHED, RELATED or INVALID and this is what makes this a "stateful" firewall rather than a less secure "stateless" one. States are tracked using the "nf_conntrack_*" kernel modules which are loaded automatically by the kernel as you add rules.<br />
<br />
{{Note|This rule will drop all packets with invalid headers or checksums, invalid TCP flags, invalid ICMP messages (such as a port unreachable when we did not send anything to the host), and out of sequence packets which can be caused by sequence prediction or other similar attacks. The "DROP" target will drop a packet without any response, contrary to REJECT which politely refuses the packet. We use DROP because there is no proper "REJECT" response to packets that are INVALID, and we do not want to acknowledge that we received these packets.}}<br />
<br />
{{Note|ICMPv6 Neighbor Discovery packets remain untracked and will always be classified INVALID, although they are not corrupted or the like. Keep this in mind, and accept them before this rule: iptables -A INPUT -p 41 -j ACCEPT}}<br />
<br />
# iptables -A INPUT -m conntrack --ctstate INVALID -j DROP<br />
<br />
The next rule will accept all new incoming '''ICMP echo requests''', also known as pings. Only the first packet will count as NEW; the rest will be handled by the RELATED,ESTABLISHED rule. Since the computer is not a router, no other ICMP traffic with state NEW should need to be allowed.<br />
<br />
# iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Now we append the OPEN chains to the INPUT chain to handle all new incoming connections. Once a connection is accepted by the OPEN chains, it is handled by the RELATED/ESTABLISHED traffic rule. The OPEN chains will either accept new incoming connections or politely reject them. New TCP connections must be started with SYN packets.<br />
<br />
{{Note| NEW but not SYN is the only invalid TCP flag combination not covered by the INVALID state. The reason is that such packets are rarely malicious, and they should not just be dropped. Instead, we simply do not accept them, so they are rejected with a TCP RST by the next rule.}}<br />
<br />
# iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
# iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP<br />
<br />
We reject TCP connections with TCP RST packets and UDP streams with ICMP port unreachable messages if the ports are not opened. This imitates default Linux behavior (RFC compliant), and it allows the sender to quickly close the connection and clean up.<br />
<br />
# iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
# iptables -A INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
<br />
For other protocols, we add a final rule to the INPUT chain to reject all remaining incoming traffic with ICMP protocol unreachable messages. This imitates Linux's default behavior.<br />
<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Example rules file===<br />
<br />
{{Box BLUE|Example of the iptables.rules file after running all the commands above:|<br />
# Generated by iptables-save v1.4.18 on Sun Mar 17 14:21:12 2013<br />
*filter<br />
:INPUT DROP [0:0]<br />
:FORWARD DROP [0:0]<br />
:OUTPUT ACCEPT [38:3956]<br />
:TCP - [0:0]<br />
:UDP - [0:0]<br />
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
-A INPUT -i lo -j ACCEPT<br />
-A INPUT -m conntrack --ctstate INVALID -j DROP<br />
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP<br />
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP<br />
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable<br />
-A INPUT -p tcp -j REJECT --reject-with tcp-reset<br />
-A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
COMMIT<br />
# Completed on Sun Mar 17 14:21:12 2013<br />
}}<br />
<br />
This file is generated with {{Ic|iptables-save > /etc/iptables/iptables.rules}} and can be used to avoid locking yourself out if you are setting up the firewall remotely; just remember to append<br />
-A TCP -p tcp -m tcp --dport 22 -j ACCEPT<br />
to allow SSH in (assuming SSH is on port 22).<br />
<br />
=== The OPEN chains ===<br />
<br />
The OPEN chains contain rules for accepting new incoming TCP connections and UDP streams to specific ports.<br />
<br />
{{Note|This is where you need to add rules to accept incoming connections, such as SSH, HTTP or other services that you want to access remotely.}}<br />
<br />
====Opening ports to incoming connections====<br />
<br />
To accept incoming TCP connections on port 80 for a web server:<br />
<br />
# iptables -A TCP -p tcp --dport 80 -j ACCEPT<br />
<br />
To accept incoming TCP connections on port 443 for a web server (HTTPS):<br />
<br />
# iptables -A TCP -p tcp --dport 443 -j ACCEPT<br />
<br />
To allow remote SSH connections (on port 22):<br />
<br />
# iptables -A TCP -p tcp --dport 22 -j ACCEPT<br />
<br />
To accept incoming UDP streams on port 53 for a DNS server:<br />
<br />
# iptables -A UDP -p udp --dport 53 -j ACCEPT<br />
<br />
See {{Ic|man iptables}} for more advanced rules, like matching multiple ports.<br />
<br />
==== Port Knocking ====<br />
<br />
(xtables-addons ships with xt_pknock which does not require an extra daemon.)<br />
<br />
knockd is a [http://www.portknocking.org/ port knocking] daemon that can provide an added layer of security to your network. The knockd [http://www.zeroflux.org/cgi-bin/cvstrac.cgi/knock/wiki wiki] provides three example port knocking configurations. These configs can easily be altered to integrate properly with the firewall described here: simply substitute the {{Ic|INPUT}} chain specification with the custom {{Ic|TCP}} chain used in this firewall, as in the example below.<br />
<br />
For example:<br />
[options]<br />
logfile = /var/log/knockd.log<br />
[opencloseSSH]<br />
sequence = 2222:udp,3333:tcp,4444:udp<br />
seq_timeout = 15<br />
tcpflags = syn,ack<br />
start_command = /usr/sbin/iptables -A TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
cmd_timeout = 10<br />
stop_command = /usr/sbin/iptables -D TCP -s %IP% -p tcp --dport 22 -j ACCEPT<br />
<br />
It is wise to randomly select the ports that you use for the knock sequence. [https://www.random.org/ random.org] can help you generate a selection of ports between 1 and 65535. To check that you have not inadvertently selected commonly used ports, use this [https://www.grc.com/PortDataHelp.htm port database] and/or your {{Ic|/etc/services}} file.<br />
<br />
=== Protection against spoofing attacks ===<br />
<br />
Blocking reserved local addresses incoming from the internet or local network is normally done by setting the {{Ic|rp_filter}} sysctl to 1. To do so, add the following line to your {{Ic|/etc/sysctl.conf}} to enable source address verification, which is built into the Linux kernel itself. The verification by the kernel handles spoofing better than individual iptables rules for each case.<br />
<br />
net.ipv4.conf.all.rp_filter=1<br />
<br />
Extra checks are only needed when asymmetric routing is used and/or rp_filter=0:<br />
<br />
# iptables -I INPUT ! -i lo -s 127.0.0.0/8 -j DROP<br />
<br />
=== "Hide" your computer ===<br />
<br />
If you are running a desktop machine, it might be a good idea to block some incoming requests.<br />
<br />
==== Block Ping Request ====<br />
<br />
A 'Ping' request is an ICMP packet sent to the destination address to ensure connectivity between the devices. If your network works well, you can safely block all ping requests. It is important to note that this ''does not'' actually hide your computer — any packet sent to you is rejected, so you will still show up in a simple nmap "ping scan" of an IP range.<br />
<br />
This is rudimentary "protection" and makes life difficult when debugging issues in the future. You should only do this for educational purposes.<br />
<br />
To block echo requests, add the following line to your {{Ic|/etc/sysctl.conf}} file:<br />
<br />
net.ipv4.icmp_echo_ignore_all = 1<br />
<br />
Rate-limiting is a better way to control possible abuse. This first method implements a global limit (i.e., only X packets per minute for all source addresses):<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP<br />
<br />
Or using the 'recent' module, you can impose a limit per source address:<br />
<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --set<br />
iptables -A INPUT -p icmp --icmp-type echo-request -m recent --name ping_limiter --update --hitcount 6 --seconds 4 -j DROP<br />
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT<br />
<br />
If you choose to use either the rate-limiting or the source-limiting rules, the ping rule that already exists in the INPUT chain needs to be deleted. This can be done as shown below; alternatively, do not add it in the first place.<br />
<br />
# iptables -D INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT<br />
<br />
Next, decide where to place the rate-limiting or source-limiting rules. If you place them below the RELATED,ESTABLISHED rule, you will be counting and limiting new ping connections, not each ping sent to your machine. If you place them before the RELATED,ESTABLISHED rule, they will count and limit each ping sent to your machine, not each ping connection made.<br />
<br />
More information is in the iptables man page and in the docs and examples at http://snowman.net/projects/ipt_recent/<br />
<br />
====Tricking port scanners====<br />
{{Note|This opens you up to a form of [[Wikipedia:Denial-of-service attack|DoS]]. An attacker can send packets with spoofed source IPs and get those addresses blocked from connecting to your services.}}<br />
<br />
Port scans are used by attackers to identify open ports on your computer. This allows them to identify and fingerprint your running services and possibly launch exploits against them.<br />
<br />
The INVALID state rule will take care of every type of port scan except UDP, ACK and SYN scans (-sU, -sA and -sS in nmap respectively). <br />
<br />
''ACK scans'' are not used to identify open ports, but to identify ports filtered by a firewall. Due to the SYN check for all TCP connections with the state NEW, every single packet sent by an ACK scan will be correctly rejected by a TCP RST packet. Some firewalls drop these packets instead, and this allows an attacker to map out the firewall rules.<br />
<br />
The recent module can be used to trick the remaining two types of port scans. The recent module is used to add hosts to a "recent" list which can be used to fingerprint and stop certain types of attacks. Current recent lists can be viewed in {{Ic|/proc/net/xt_recent/}}.<br />
<br />
===== SYN scans =====<br />
<br />
In a SYN scan, the port scanner sends a SYN packet to every port. Closed ports return a TCP RST packet, or the SYN gets dropped by a strict firewall. Open ports return a SYN ACK packet regardless of the presence of a firewall.<br />
<br />
The recent module can be used to keep track of hosts with rejected connection attempts and return a TCP RST for any SYN packet they send to open ports as if the port was closed. If an open port is the first to be scanned, a SYN ACK will still be returned, so running applications such as ssh on non-standard ports is required for this to work consistently.<br />
<br />
First, insert a rule at the top of the TCP chain. This rule responds with a TCP RST to any host that got onto the TCP-PORTSCAN list in the past sixty seconds. The {{Ic|--update}} switch causes the recent list to be updated, meaning the 60 second counter is reset.<br />
<br />
# iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
Next, the rule for rejecting TCP packets needs to be modified to add hosts with rejected packets to the TCP-PORTSCAN list.<br />
<br />
# iptables -D INPUT -p tcp -j REJECT --reject-with tcp-rst<br />
# iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst<br />
<br />
===== UDP scans =====<br />
<br />
UDP port scans are similar to TCP SYN scans except that UDP is a "connectionless" protocol. There are no handshakes or acknowledgements. Instead, the scanner sends UDP packets to each UDP port. Closed ports should return ICMP port unreachable messages, and open ports do not return a response. Since UDP is not a "reliable" protocol, the scanner has no way of knowing if packets were lost, and has to do multiple checks for each port that does not return a response.<br />
<br />
The Linux kernel sends out ICMP port unreachable messages very slowly, so a full UDP scan against a Linux machine would take over 10 hours. However, common ports could still be identified, so applying the same countermeasures against UDP scans as SYN scans is a good idea.<br />
<br />
First, add a rule to reject packets from hosts on the UDP-PORTSCAN list at the top of the UDP chain (the UDP "OPEN" chain created earlier):<br />
<br />
# iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with port-unreach<br />
<br />
Next, modify the reject packets rule for UDP:<br />
<br />
# iptables -D INPUT -p udp -j REJECT --reject-with icmp-port-unreach<br />
# iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreach<br />
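<br />
To see how the {{Ic|recent}} match behaves under the rules above (the per-source ping limiter from the "Block Ping Request" section and the TCP/UDP port-scan lists), here is a small Python model of its {{Ic|--set}}/{{Ic|--update}} semantics. It is added here as an example and is not part of this wiki page or of iptables; the traffic, open ports and source addresses are constructed.<br />
<br />
```python
"""Added example, not part of the wiki page: a model of the iptables `recent`
match as this page uses it, for the per-source ping limiter (--set, then
--update --hitcount 6 --seconds 4 -j DROP) and for the port-scan trick
(--update --seconds 60 at the top of the TCP/UDP chain, --set on the REJECT
rule).  Like xt_recent it keeps a list of timestamps per source address:
--set always records the packet; --update matches when at least `hitcount`
stamps (default 1) lie within `seconds`, and then records the packet too,
which is what resets the 60 second counter on every further probe."""
from collections import defaultdict

MAX_STAMPS = 20  # xt_recent's ip_pkt_list_tot default


class RecentList:
    """One named list, like /proc/net/xt_recent/<name>."""

    def __init__(self):
        self.stamps = defaultdict(list)   # source address -> timestamps

    def set(self, src, now):
        """-m recent --set: unconditionally record this packet."""
        self.stamps[src].append(now)
        del self.stamps[src][:-MAX_STAMPS]

    def update(self, src, now, seconds, hitcount=1):
        """-m recent --update --seconds S [--hitcount H]: match when the source
        already has H stamps within the last S seconds; on a match the current
        packet is recorded as well."""
        hits = sum(1 for t in self.stamps.get(src, []) if now - t <= seconds)
        if hits >= hitcount:
            self.set(src, now)
            return True
        return False


def ping_limiter(pings):
    """Per-source ping limit from the page: every echo request is recorded,
    then dropped if it is the 6th (or later) from that source within 4 s."""
    ping = RecentList()                                    # "ping_limiter" list
    out = []
    for now, src in pings:
        ping.set(src, now)                                 # --set rule
        dropped = ping.update(src, now, seconds=4, hitcount=6)   # --update ... -j DROP
        out.append("DROP" if dropped else "ACCEPT")        # otherwise -j ACCEPT
    return out


OPEN_PORTS = {"tcp": {22, 80}, "udp": {53}}   # constructed: what the OPEN chains accept


def portscan_trick(packets):
    """Reply to NEW TCP SYN / UDP packets with the port-scan rules in place.
    Order per protocol: (1) recent --update --seconds 60 REJECT at the top of
    the TCP/UDP chain, (2) ACCEPT for open ports, (3) back in INPUT, the
    recent --set REJECT rule for everything else."""
    lists = {"tcp": RecentList(), "udp": RecentList()}     # TCP-/UDP-PORTSCAN
    reject = {"tcp": "tcp-rst", "udp": "icmp-port-unreachable"}
    out = []
    for now, src, proto, dport in packets:
        lst = lists[proto]
        if lst.update(src, now, seconds=60):               # listed in last 60 s
            out.append(reject[proto])
        elif dport in OPEN_PORTS[proto]:
            out.append("SYN-ACK" if proto == "tcp" else "ACCEPT")
        else:
            lst.set(src, now)                              # closed port: list the host
            out.append(reject[proto])
    return out


# Constructed traffic: (seconds, source[, proto, port]) using documentation addresses.
PINGS = [(t, "203.0.113.7") for t in (0, 0.5, 1, 1.5, 2, 2.5, 3)]
PINGS += [(10, "203.0.113.7"), (3, "198.51.100.9")]        # burst is over; other host
SCAN = [
    (0, "203.0.113.7", "tcp", 22),     # open port probed first: still answered SYN-ACK
    (1, "203.0.113.7", "tcp", 25),     # closed: RST, host goes on TCP-PORTSCAN
    (2, "203.0.113.7", "tcp", 80),     # open, but host is listed: RST
    (30, "203.0.113.7", "tcp", 443),   # still listed (30-2 < 60), stamp refreshed
    (85, "203.0.113.7", "tcp", 80),    # 85-30 < 60: RST, stamp refreshed to 85
    (86, "198.51.100.9", "tcp", 80),   # another host is unaffected
    (150, "203.0.113.7", "tcp", 80),   # 150-85 > 60: entry aged out, SYN-ACK again
    (200, "203.0.113.7", "udp", 53),   # open UDP port, accepted
    (201, "203.0.113.7", "udp", 123),  # closed: ICMP port unreachable, host listed
    (202, "203.0.113.7", "udp", 53),   # open, but listed: ICMP port unreachable
]

if __name__ == "__main__":
    print(ping_limiter(PINGS))
    print(portscan_trick(SCAN))
```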
<br />
===== Restore the Final Rule =====<br />
<br />
If either or both of the port-scanning tricks above were used, the final default rule is no longer the last rule in the INPUT chain. It needs to be the last rule; otherwise it will intercept the port scanner trick rules you just added and they will never be used. Simply delete the rule (-D), then add it once again using append (-A), which places it at the end of the chain.<br />
<br />
# iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
# iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable<br />
<br />
=== Protection against other attacks ===<br />
<br />
See the [[Sysctl#TCP/IP stack hardening|TCP/IP stack hardening]] guide for relevant kernel parameters.<br />
<br />
====SSH bruteforce attacks====<br />
{{Warning| Using an IP blacklist will stop trivial attacks but it relies on an additional daemon and successful logging (the partition containing /var can become full, especially if an attacker is pounding on the server). Additionally, if the attacker knows your IP address, they can send packets with a spoofed source header and get you locked out of the server. [[SSH keys]] provide an elegant solution to the problem of brute forcing without these problems.}}<br />
To ban IP addresses that make too many password failures, you can use [[Fail2ban]] or [[Sshguard]]. These update the firewall rules to reject the IP address.<br />
<br />
=== Saving the rules ===<br />
<br />
The ruleset is now finished and should be saved to your hard drive so that it can be loaded on every boot.<br />
<br />
The systemd unit file points to the location where the rule configuration will be saved:<br />
<br />
<pre><br />
iptables=/etc/iptables/iptables.rules<br />
ip6tables=/etc/iptables/ip6tables.rules<br />
</pre><br />
<br />
Save the rules with this command:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded on boot:<br />
<br />
# systemctl enable iptables.service<br />
<br />
Check that the rules load correctly using:<br />
<br />
# systemctl start iptables.service && systemctl status iptables.service<br />
<br />
=== IPv6 ===<br />
If you do not use IPv6 (most ISPs do not support it), you should [[Disabling IPv6|disable it]].<br />
<br />
Otherwise, you should enable the firewall rules for IPv6. Just copy '''/etc/iptables/iptables.rules''' to '''/etc/iptables/ip6tables.rules''', change the IP addresses from v4 to v6 format, and change the reject messages from<br />
--reject-with icmp-port-unreachable<br />
to<br />
--reject-with icmp6-port-unreachable<br />
etc.<br />
<br />
Please be aware that '''--reject-with icmp6-proto-unreachable''' does not exist for ICMPv6, so you may reject without any message. (Does anyone know what message would be correct? communication-prohibited? port-unreachable?).<br />
<br />
Now you need to enable the ip6tables service using [[systemd]]:<br />
<br />
# systemctl enable ip6tables.service<br />
<br />
== Setting up a NAT gateway ==<br />
<br />
This section of the HOWTO deals with NAT gateways. It is assumed that you have already read the first part of the HOWTO and set up the '''INPUT''', '''OUTPUT''', '''OPEN''' and '''interfaces''' chains as described above. All rules so far have been created in the '''filter''' table. In this section, we will also have to use the '''nat''' table.<br />
<br />
=== Setting up the filter table ===<br />
<br />
==== Creating necessary chains ====<br />
<br />
In our setup, we will use another two chains in the filter table, the '''fw-interfaces''' and '''fw-open''' chains. Create them with the commands<br />
<br />
# iptables -N fw-interfaces<br />
# iptables -N fw-open<br />
<br />
==== Setting up the FORWARD chain ====<br />
<br />
Setting up the '''FORWARD''' chain is similar to the '''INPUT''' chain in the first section.<br />
<br />
Now we set up a rule with the '''conntrack''' match, identical to the one in the '''INPUT''' chain:<br />
<br />
# iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT<br />
<br />
The next step is to enable forwarding for trusted interfaces and to make all packets pass the '''fw-open''' chain.<br />
<br />
# iptables -A FORWARD -j fw-interfaces <br />
# iptables -A FORWARD -j fw-open <br />
<br />
The remaining packets are denied with an '''ICMP''' message:<br />
<br />
# iptables -A FORWARD -j REJECT --reject-with icmp-host-unreach<br />
# iptables -P FORWARD DROP<br />
<br />
==== Setting up the fw-interfaces and fw-open chains ====<br />
<br />
The meaning of the '''fw-interfaces''' and '''fw-open''' chains is explained later, when we deal with the '''POSTROUTING''' and '''PREROUTING''' chains in the '''nat''' table, respectively.<br />
<br />
=== Setting up the nat table ===<br />
<br />
All over this section, we assume that the outgoing interface (the one with the public internet IP) is '''ppp0'''. Keep in mind that you have to change the name in all following rules if your outgoing interface has another name.<br />
<br />
==== Setting up the POSTROUTING chain ====<br />
<br />
Now, we have to define who is allowed to connect to the internet. Let's assume we have the subnet '''192.168.0.0/24''' (which means all addresses of the form 192.168.0.*) on '''eth0'''. We first need to accept the machines on this interface in the FORWARD chain, which is why we created the '''fw-interfaces''' chain above:<br />
<br />
# iptables -A fw-interfaces -i eth0 -j ACCEPT<br />
<br />
Now, we have to alter all outgoing packets so that they have our public IP address as the source address, instead of the local LAN address. To do this, we use the '''MASQUERADE''' target:<br />
<br />
# iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE<br />
<br />
Do not forget the '''-o ppp0''' parameter above. If you omit it, your network will break.<br />
<br />
Let's assume we have another subnet, '''10.3.0.0/16''' (which means all addresses 10.3.*.*), on the interface '''eth1'''. We add the same rules as above again:<br />
<br />
# iptables -A fw-interfaces -i eth1 -j ACCEPT<br />
# iptables -t nat -A POSTROUTING -s 10.3.0.0/16 -o ppp0 -j MASQUERADE<br />
<br />
The last step is to enable IP Forwarding (if it is not already enabled):<br />
<br />
# echo 1 > /proc/sys/net/ipv4/ip_forward<br />
<br />
Then edit the relevant line in /etc/sysctl.conf so it persists through reboot:<br />
<br />
net.ipv4.ip_forward = 1<br />
<br />
Machines from these subnets can now use your new NAT machine as their gateway. Note that you may want to set up a DNS and DHCP server like '''dnsmasq''' or a combination of '''bind''' and '''dhcpd''' to simplify network settings and DNS resolution on the client machines. This is not the topic of this HOWTO.<br />
<br />
==== Setting up the PREROUTING chain ====<br />
<br />
Sometimes, we want to change the address of an incoming packet from the gateway to a LAN machine. To do this, we use the '''fw-open''' chain defined above, as well as the '''PREROUTING''' chain in the '''nat''' table.<br />
<br />
I will give two simple examples: First, we want to change all incoming SSH packets (port 22) to the ssh server on the machine '''192.168.0.5''':<br />
<br />
# iptables -A fw-open -d 192.168.0.5 -p tcp --dport 22 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 22 -j DNAT --to 192.168.0.5<br />
<br />
The second example will show you how to change packets to a different port than the incoming port. We want to change any incoming connection on port '''8000''' to our web server on '''192.168.0.6''', port '''80''':<br />
<br />
# iptables -A fw-open -d 192.168.0.6 -p tcp --dport 80 -j ACCEPT<br />
# iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 8000 -j DNAT --to 192.168.0.6:80<br />
<br />
The same setup also works with UDP packets.<br />
<br />
=== Saving the rules ===<br />
<br />
Save the rules:<br />
<br />
# iptables-save > /etc/iptables/iptables.rules<br />
<br />
and make sure your rules are loaded when you boot:<br />
<br />
# systemctl enable iptables.service<br />
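As an added example (not from the wiki page), the following POSIX shell script assembles the rules from this section into an iptables-restore file, emitting both halves of each port forward (the DNAT and the matching fw-open ACCEPT) from a single call so they cannot drift apart. Interface names and addresses are the illustrative ones used in the text; the function names are this example's own.<br />

```shell
#!/bin/sh
# Added example (not part of the wiki page): render the router setup from this
# section as one iptables-restore file, so the complete ruleset can be read and
# diffed against the output of iptables-save before anything is loaded.
# Interface names and addresses are the illustrative ones used in the text.

WAN_IF="ppp0"                    # interface that carries the public IP address
NL=$(printf '\n.'); NL=${NL%.}   # a literal newline for building multi-line strings
FILTER_RULES=""                  # rules collected for the filter table
NAT_RULES=""                     # rules collected for the nat table

# lan_subnet IFACE CIDR
# Trust a LAN interface in FORWARD (through fw-interfaces) and masquerade its
# traffic on the WAN interface only. The "-o $WAN_IF" keeps packets that are
# forwarded between two LAN interfaces from having their source rewritten.
lan_subnet() {
    FILTER_RULES="${FILTER_RULES}-A fw-interfaces -i $1 -j ACCEPT${NL}"
    NAT_RULES="${NAT_RULES}-A POSTROUTING -s $2 -o $WAN_IF -j MASQUERADE${NL}"
}

# valid_port N: succeed only if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_forward PROTO EXT_PORT DST_IP DST_PORT
# A port forward has two halves that must agree: the DNAT in nat/PREROUTING,
# matching the external port, and the ACCEPT in fw-open, matching the
# rewritten destination. With only the DNAT the FORWARD chain rejects the
# connection; with only the ACCEPT nothing is redirected. Emitting both from
# one call keeps them consistent.
port_forward() {
    proto="$1" ext_port="$2" dst_ip="$3" dst_port="$4"
    case "$proto" in
        tcp|udp) ;;
        *) echo "port_forward: protocol must be tcp or udp, got '$proto'" >&2
           return 1 ;;
    esac
    valid_port "$ext_port" && valid_port "$dst_port" || {
        echo "port_forward: bad port in $ext_port -> $dst_ip:$dst_port" >&2
        return 1
    }
    FILTER_RULES="${FILTER_RULES}-A fw-open -d $dst_ip -p $proto --dport $dst_port -j ACCEPT${NL}"
    NAT_RULES="${NAT_RULES}-A PREROUTING -i $WAN_IF -p $proto --dport $ext_port -j DNAT --to $dst_ip:$dst_port${NL}"
}

# render_ruleset: print both tables in iptables-save format. Only the FORWARD
# and nat parts covered in this section are included.
render_ruleset() {
    printf '%s\n' '*filter' \
        ':FORWARD DROP [0:0]' ':fw-interfaces - [0:0]' ':fw-open - [0:0]' \
        '-A FORWARD -j fw-interfaces' '-A FORWARD -j fw-open' \
        '-A FORWARD -j REJECT --reject-with icmp-host-unreach'
    printf '%s' "$FILTER_RULES"
    printf '%s\n' 'COMMIT' '*nat' ':PREROUTING ACCEPT [0:0]' ':POSTROUTING ACCEPT [0:0]'
    printf '%s' "$NAT_RULES"
    printf '%s\n' 'COMMIT'
}

# build_example_ruleset: the exact setup described in the text
build_example_ruleset() {
    FILTER_RULES=""
    NAT_RULES=""
    lan_subnet eth0 192.168.0.0/24
    lan_subnet eth1 10.3.0.0/16
    port_forward tcp 22   192.168.0.5 22
    port_forward tcp 8000 192.168.0.6 80
    render_ruleset
}

# "sh nat-rules.sh print" writes the ruleset to stdout; nothing is applied.
case "${1:-}" in
    print) build_example_ruleset ;;
esac
```

Because iptables-restore flushes every chain of each table it touches, this fragment is meant to be compared against, or merged into, the file produced by iptables-save, not loaded on its own over a ruleset that also carries INPUT rules.<br />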
<br />
== See Also ==<br />
*[[Internet Share]]<br />
*[[Router]]<br />
*[[Firewalls]]<br />
*[[Uncomplicated Firewall]]<br />
*[http://www.webhostingtalk.com/showthread.php?t=456571 Methods to block SSH attacks]<br />
*[http://www.ducea.com/2006/06/28/using-iptables-to-block-brute-force-attacks/ Using iptables to Block Brute Force Attacks]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=GNOME_tips&diff=251541GNOME tips2013-03-21T14:10:45Z<p>Jrussell: /* Enable Volume Control as tray notification */</p>
<hr />
<div>[[Category:Desktop environments]]<br />
[[it:GNOME Tips]]<br />
[[nl:GNOME Tips]]<br />
[[ru:GNOME Tips]]<br />
[[zh-CN:GNOME Tips]]<br />
{{out of date}}<br />
{{Merge|GNOME}}<br />
<br />
==XDG User Directories==<br />
<br />
See [[Xdg user directories]].<br />
<br />
==Configuration Tips==<br />
===Add/Edit GDM Sessions===<br />
<br />
Each session is a {{ic|.desktop}} file located at {{ic|/usr/share/xsessions/}}.<br />
<br />
'''To add a new session:'''<br />
<br />
1. Copy an existing {{ic|.desktop}} file to use as a template for a new session:<br />
$ cd /usr/share/xsessions<br />
# cp gnome.desktop other.desktop<br />
2. Modify the template {{ic|*.desktop}} file to open the required window manager:<br />
# nano other.desktop<br />
<br />
Alternatively, you can open the new session in KDM which will create the *.desktop file. Then return to using GDM and the new session will be available.<br />
<br />
===GDM appearance===<br />
<br />
You can use {{AUR|gdm3setup}} from the [[Arch User Repository|AUR]].<br />
<br />
====GDM wallpaper====<br />
{{Accuracy|1=these scripts were recovered from [https://wiki.archlinux.org/index.php?title=GNOME&diff=161398&oldid=prev] and may require testing.}}<br />
<br />
These scripts assist in setting up the GDM wallpaper and are an addition to [[GNOME#Login screen]]. Place these files in a suitable location and make them executable. An example of running these scripts appears below.<br />
<br />
{{hc|/usr/local/bin/prep-gdm-vars|<nowiki># This script must be run using '.' or 'source' so that the exported<br />
# variables end up in the calling shell.<br />
eval "$(dbus-launch --sh-syntax)"</nowiki>}}<br />
<br />
{{hc|/usr/local/bin/show-avail-gdm-bkgd|<nowiki>#!/bin/bash<br />
# Usage: show-avail-gdm-bkgd [folder]<br />
# Specify any folder within /usr/share/backgrounds.<br />
# If you omit the folder, you'll be shown available choices.<br />
file_part="/usr/share/backgrounds/"<br />
if [ -z "$1" ]; then<br />
    echo -e "\n Please specify one of these directories:\n"<br />
    ls "$file_part"; echo; exit 1<br />
fi<br />
ls "${file_part}${1}"<br />
</nowiki>}}<br />
<br />
{{hc|/usr/local/bin/revise-gdm-bkgd|<nowiki>#!/bin/bash<br />
# Usage: revise-gdm-bkgd gnome/filename.jpg<br />
# Specify any file path within /usr/share/backgrounds.<br />
schema="org.gnome.desktop.background"<br />
key="picture-uri"<br />
file_full="/usr/share/backgrounds/$1"<br />
# Trap when argument is: missing, a mere directory, a bad filename.<br />
if [ -z "$1" ] || [ -d "$file_full" ]; then<br />
    echo -e "\n Specify a file. Use this example:"<br />
    echo -e "   revise-gdm-bkgd gnome/TwoWings.jpg\n"; exit 1<br />
fi<br />
if ! [ -r "$file_full" ]; then<br />
    echo -e "\n Specified file does not exist or is not readable.\n"; exit 2<br />
fi<br />
GSETTINGS_BACKEND=dconf gsettings set "$schema" "$key" "file://${file_full}"<br />
</nowiki>}}<br />
<br />
Here is a session showing how a user might change the GDM wallpaper using the scripts listed above. It starts with a normal user's terminal and assumes the user is able to open a bash session as root. The root user then opens a session as "gdm" and changes the wallpaper. Note that {{ic|xhost +}} disables X access control for every client until it is undone with {{ic|xhost -}}; {{ic|xhost +si:localuser:gdm}} admits only the gdm user instead.<br />
<br />
$ su -<br />
Password: <br />
<br />
# xhost +<br />
access control disabled, clients can connect from any host<br />
# su - gdm -s /bin/bash<br />
<br />
'''-bash-4.2$''' . prep-gdm-vars # Must use . to execute this script!<br />
access control disabled, clients can connect from any host<br />
<br />
'''-bash-4.2$''' show-avail-gdm-bkgd gnome<br />
Aqua.jpg FreshFlower.jpg Spaceflare-nova.jpg Terraform-green.jpg YellowFlower.jpg<br />
Blinds.jpg Garden.jpg Spaceflare-supernova.jpg Terraform-orange.jpg<br />
BlueMarbleWest.jpg GreenMeadow.jpg SundownDunes.jpg TwoWings.jpg<br />
FootFall.png Spaceflare.jpg Terraform-blue.jpg Wood.jpg<br />
<br />
'''-bash-4.2$''' revise-gdm-bkgd gnome/GreenMeadow.jpg<br />
<br />
'''-bash-4.2$''' logout<br />
<br />
# logout<br />
$<br />
<br />
Script {{ic|revise-gdm-bkgd}} may also be used to change your normal user background from the command prompt. Admittedly, the script name does not quite fit when used for that purpose.<br />
<br />
===Default applications===<br />
You may want to configure system-wide default applications and file associations. This is extremely useful when you have some KDE applications installed, but still prefer GNOME ones to be launched by default.<br />
<br />
To do that you can install {{AUR|gnome-defaults-list}} from the [[Arch User Repository|AUR]]. It will place your configuration file at {{ic|/etc/gnome/defaults.list}}.<br />
<br />
If you want to do everything manually, create {{ic|/usr/share/applications/defaults.list}} with the following format:<br />
[Default Applications]<br />
application/pdf=evince.desktop<br />
image/jpeg=eog.desktop<br />
...<br />
<br />
===Enable Volume Control as tray notification===<br />
Some users will have noticed that there is no volume control by default. It can be added either as an object to the panel or as a notification icon in the systray. For the latter you have to replace {{pkg|gnome-media}} with {{pkg|gnome-media-pulse}}. This will [[pacman|install]] the volume control manager developed by Red Hat and used in distributions such as Ubuntu or Fedora.<br />
<br />
===Fonts Seem Skewed===<br />
You can alter the DPI of your fonts in GNOME with right-click on the desktop ''&rarr; Change desktop background &rarr; Fonts &rarr; Details &rarr; Resolution''<br />
<br />
===Change the Default Background Image===<br />
The default background is that zoomed in picture of a green leaf. It appears for newly created users, but more importantly, this is the image shown when the screen is locked. As of 25-Apr-2009, you can find this image here<br />
/usr/share/pixmaps/backgrounds/gnome/background-default.jpg<br />
To change it, simply copy your favorite image to this location (as root) and rename it.<br />
<br />
===Change the Default Background Color, Opacity, etc.===<br />
The default background color is green. You might want to change it if you're using a transparent PNG as background.<br />
$ sudo gconf-editor<br />
Go to ''File &rarr; New Defaults Window'' and edit the keys<br />
/desktop/gnome/background/primary_color<br />
and<br />
/desktop/gnome/background/secondary_color<br />
You can also find keys for opacity, shading style, etc.<br />
<br />
===Disable confirmation window when closing gnome-terminal===<br />
The terminal always prompts with a confirmation window when you try to close it while logged in as root. To avoid this confirmation, start '''gconf-editor''' and disable the '''confirmation_window_close''' key in '''/apps/gnome-terminal/global'''. Please note that although this setting is not set via dconf-editor, it also works in the GNOME Shell.<br />
<br />
==Miscellaneous Tips==<br />
===Screen Lock===<br />
#Make sure that dbus is running (probably a good idea to add it to the daemons array in {{ic|/etc/rc.conf}}).<br />
#[[pacman|Install]] {{pkg|xscreensaver}}.<br />
#Go to Desktop -> Preferences -> Screensaver<br />
#Enable one or more screensavers<br />
#Lock Screen will now start your screensaver and require your password to stop it.<br />
<br />
'''or''' you can install {{pkg|gnome-screensaver}}.<br />
<br />
Also you can find [http://ubuntuforums.org/showthread.php?t=195557 here] how to replace gnome-screensaver with xscreensaver.<br />
<br />
===Nautilus Tips===<br />
Want to open a specific path in spatial view? Just press {{Keypress|Ctrl+l}}.<br />
<br />
====Change Browser Mode (Spatial View)====<br />
#Start gconf-editor<br />
#Browse to apps/nautilus/preferences<br />
#Change the value of "always_use_browser" (it is a yes/no value and should be visible as a checkbox or say "false"; for the latter, change the value to "true")<br />
Or you can do this through the preferences:<br />
#In a Nautilus window go to Edit>>Preferences<br />
#Change to the Behaviour tab<br />
#Check (or uncheck) Always Open in Browser Windows<br />
<br />
====Music Information Columns in List View (bit rate, etc.)====<br />
Nautilus lacks the ability to display metadata for music files in list view mode. A Python script was written to add columns for:<br />
*Artist<br />
*Album<br />
*Track Title<br />
*Bit Rate<br />
<br />
First, [[pacman|install]] the package {{pkg|mutagen}}.<br />
<br />
And, from the [[Arch User Repository|AUR]], install {{AUR|python-nautilus}}.<br />
<br />
Now, create a directory called ''python-extensions'' in {{ic|~/.nautilus}}. Place the following script, named {{ic|bsc.py}}, in this newly created folder. You may download the script here: [http://stefanwilkens.eu/bsc.py bsc.py] (please drop --[[User:Stefanwilkens|stefanwilkens]] a line if this goes down)<br><br />
Mirror: [http://kclkcl.webege.com/files/bsc.py bsc.py]<br />
<br />
[http://ubuntuforums.org/showthread.php?t=878683 bsc-v2.py] adds fixes and more media support (link at bottom of 4th post).<br><br />
Mirror: [http://www.rnstech.com/mirror/bsc-v2.py bsc-v2.py]<br />
<br />
Restart Nautilus. You can now configure this new functionality in Edit -> Preferences -> List Columns.<br />
<br />
====Stop Nautilus drawing the desktop====<br />
You need to open the ''gconf-editor'':<br />
apps>nautilus>preferences untick "show_desktop"<br />
<br />
On Ubuntu Breezy you also need to go to:<br />
desktop>gnome>background and untick "draw_background"<br />
<br />
====Thumbnails====<br />
You will need a tool for creating thumbnails, such as ffmpegthumbnailer. Make sure the necessary codecs are installed.<br />
<br />
In a command line, enter these two lines:<br />
gconftool-2 -s "/desktop/gnome/thumbnailers/video@mpeg/enable" -t boolean "true"<br />
gconftool-2 -s "/desktop/gnome/thumbnailers/video@mpeg/command" -t string "/usr/bin/ffmpegthumbnailer -s %s -i %i -o %o -c png -f -t 10"<br />
<br />
You can replace 'video@mpeg' in that line with any filetype that ffmpeg can open - just right-click > Properties on a file in Nautilus and look at the bit in brackets in the 'Type:' field (don't forget to replace the forward slash with an @ symbol). Some common filetypes are video@mpeg, video@x-matroska, video@x-ms-wmv, video@x-flv, video@x-msvideo, video@mp4; which are usually .mpg, .mkv, .wmv, .flv, .avi, .mp4 respectively.<br />
<br />
====Turn off Authentication needed to mount internal drive in Nautilus====<br />
In Ubuntu and other distros you are allowed to mount internal drives by clicking on them without the need for entering a password.<br />
To get this behaviour in stock GNOME, just create the following file in [[PolicyKit]] Local Authority. Note that {{ic|1=Identity=*}} grants this to every active local session; use something like {{ic|1=Identity=unix-group:wheel}} if only members of one group should be able to mount internal drives:<br />
{{hc|/etc/polkit-1/localauthority/50-local.d/50-filesystem-mount-system-internal.pkla|2=<nowiki><br />
[Mount a system-internal device]<br />
Identity=*<br />
Action=org.freedesktop.udisks2.filesystem-mount-system<br />
ResultActive=yes<br />
</nowiki>}}<br />
<br />
===Speed Up Panel Autohide===<br />
====panel_show_delay / panel_hide_delay====<br />
If you find that your panels are taking too long to appear/disappear when using the Panel Autohide feature, try this:<br />
# Start gconf-editor<br />
# Browse to /apps/panel/global<br />
# Set panel_hide_delay and panel_show_delay to more sensible (integer) values. Note that these values represent milliseconds!<br />
<br />
The default panel_hide_delay of 500 works well in most cases, but the panel_show_delay default of 500 is horribly slow. After experimenting, a panel_show_delay between 100-200 seems much better.<br />
<br />
====Panel animation_speed====<br />
<br />
Now that the panel show/hide delay has the panels beginning to appear in a reasonable length of time, why does it take the panel so long to actually pop up? There is one more setting you need to add/change to make the panel behavior crisp: '''animation_speed'''. This setting can be applied globally or on a per-panel basis just like panel_show_delay and panel_hide_delay. The official description is:<br />
<br />
The speed in which panel animations should occur. Possible values are slow, medium and fast. This key is only relevant if the enable_animations key is true. <br />
<br />
To apply globally, just add or change the animation_speed key as a (string) value in:<br />
<br />
* /apps/panel/global<br />
<br />
To apply the setting on a per-panel basis, just add/change the key in, for example:<br />
<br />
* /apps/panel/toplevels/bottom_panel_screen0/ (usually the default name for the bottom panel)<br />
* /apps/panel/toplevels/panel_0/ (usually the default name for the first additional panel)<br />
<br />
'''Note:''' the key panel_animation_speed is deprecated, use: animation_speed.<br />
<br />
===GNOME Menu Tips===<br />
====Speed Tweak====<br />
You can remove the delay in GNOME menus by running this command:<br />
echo "gtk-menu-popup-delay = 0" >> ~/.gtkrc-2.0<br />
<br />
Or just add "{{ic|1=gtk-menu-popup-delay = 0}}" to .gtkrc-2.0<br />
<br />
However, this setting is reported to crash banshee, and possibly other programs.<br />
<br />
====Menu Editing====<br />
Most GNOME users complain about the menu. Changing menu entries system-wide or for one or several users alone is poorly documented.<br />
<br />
=====User menus=====<br />
Older versions of GNOME (i.e. 2.22 or earlier) have a menu editor in which you can de-select menu entries, but not add new ones. Right-click on the menu panel and select Edit Menus. Unchecking the box next to an entry will prevent it from displaying.<br />
<br />
To add new menu entries, create a .desktop file in the $XDG_DATA_HOME/applications directory (most likely $HOME/.local/share). A sample .desktop file can be seen below, or take a look at [http://library.gnome.org/admin/system-admin-guide/stable/menustructure-desktopentry.html.en the GNOME documentation].<br />
<br />
Or install [https://www.archlinux.org/packages/?sort=&q=alacarte&maintainer=&last_update=&flagged=&limit=50 Alacarte], which makes it easy to create, change and remove menu entries with a GUI.<br />
<br />
=====Group menus, System menus=====<br />
You will find common GNOME menu entries as 'appname.desktop' objects inside one of the {{ic|$XDG_DATA_DIRS/applications}} directories (most likely {{ic|/usr/share/applications}}). To add new menu items for all users, create an 'appname.desktop' file in one of those directories.<br />
* Edit one of them to fit your needs for a new application, then save it.<br />
* Save it as a menu entry for all users <br> Most often, you will set this file's permissions to 644 (root: rw, group: r, others: r), so all users can see it.<br />
* Save it as a menu entry for a group or user alone <br> You may also have different user permissions; for example, some menu entries should only be available for a group or for one user.<br />
<br />
Here is an example of how a SciTE menu entry definition file could look:<br />
<br />
{{bc|1=<br />
[Desktop Entry]<br />
Encoding=UTF-8<br />
Name=SciTE<br />
Comment=SciTE editor<br />
Type=Application<br />
Exec=/usr/bin/scite<br />
Icon=/usr/share/pixmaps/scite_48x48.png<br />
Terminal=false<br />
Categories=GNOME;Application;Development;<br />
StartupNotify=true<br />
}}<br />
<br />
====Change the GNOME Foot Icon to an Arch Icon====<br />
{{Note|Thanks to arkham who posted this method in [https://bbs.archlinux.org/viewtopic.php?id=74881 this forum post] which I have typed up here.}}<br />
<br />
*Download [http://img23.imageshack.us/img23/9679/starthere.png this Arch icon] (filename is {{ic|starthere.png}})<br />
*Alternatively get the artwork package by installing {{pkg|archlinux-artwork}}, this puts all artwork in the {{ic|/usr/share/archlinux}} directory, and resize your desired logo to 24x24px<br />
*Figure out which icon set you are using (right-click desktop > Change Background Image > Theme > Customize > Icon), for example Crux, GNOME, High Contrast, High Contrast Inverse, Mist, etc.<br />
*Now make a backup of your current GNOME icon in the correct directory. In the example below, I am using the GNOME icons but adjust the directory structure accordingly for your icon set:<br />
# mv /usr/share/icons/gnome/24x24/places/start-here.png /usr/share/icons/gnome/24x24/places/start-here.png-virgin<br />
*Copy {{ic|starthere.png}} you just downloaded to the same directory renaming it start-here.png<br />
# cp /path/to/starthere.png /usr/share/icons/gnome/24x24/places/start-here.png<br />
*Restart your gnome-panels and the new Arch logo should be displayed<br />
$ pkill gnome-panel<br />
<br />
{{Note|To get this to work ({{pkg|gnome}} 2.28) I had to delete the icon-theme.cache file in {{ic|/usr/share/icons/gnome}}.}}<br />
<br />
====Change the GNOME Foot Icon to an Arch Icon (without root access)====<br />
*Figure out which icon set you're using (right-click desktop > Change Background Image > Theme > Customize > Icon), for example Crux, GNOME, High Contrast, High Contrast Inverse, Mist, etc.<br />
*Duplicate that icon set's directory structure for 24x24/places in your home directory under .icons<br />
$ mkdir -p ~/.icons/<your-icon-set>/24x24/places<br />
*Download [http://img23.imageshack.us/img23/9679/starthere.png this Arch icon] into that directory as 'start-here.png'<br />
$ wget -O ~/.icons/<your-icon-set>/24x24/places/start-here.png http://img23.imageshack.us/img23/9679/starthere.png<br />
*Alternatively get the artwork package using "pacman -S archlinux-artwork", this puts all artwork in the /usr/share/archlinux directory, and resize your desired logo to 24x24px and copy it into that directory as 'start-here.png'<br />
*Restart your gnome-panels and the new Arch logo should be displayed<br />
$ pkill gnome-panel<br />
{{Note|To get this to work ({{pkg|gnome}} 2.28) I had to delete the icon-theme.cache file in {{ic|/usr/share/icons/gnome}}.}}<br />
<br />
====Custom Icon using gconf-editor====<br />
<br />
# Open the configuration editor in GNOME (it should be in System Tools of your main menu) or run {{ic|gconf-editor}}<br />
# In the configuration editor go to apps > panel > objects > find the object for your menu (an easy way to spot the correct object is that it will have "Main Menu" in the tool tip section).<br />
# Set the path to your icon in the "Custom_Icon" field.<br />
# Check "Use_Custom_Icon" a little ways down.<br />
# The panel should reload momentarily; if not, open a terminal window and type:<br />
$ killall gnome-panel<br />
<br />
====Removing default icons from desktop====<br />
I like to keep my desktop clean, and perhaps someone else does too. So here is how to remove the home folder, computer and trash icons from the desktop:<br />
<br />
# Open terminal<br />
# On terminal type: gconf-editor<br />
# Configuration Editor opens. From there navigate to: apps --> nautilus --> desktop<br />
# Untick all the icons you do not want to see<br />
# You are done, the icons should disappear immediately<br />
<br />
=== Disabling scroll in taskbar ===<br />
For years there has been a "bug" in the GNOME taskbar: the mouse scroll wheel switches between windows. What is merely annoying with a good mouse becomes a real pain with a touchpad: it is impossible to scroll precisely with one, so if you accidentally touch it while the pointer is over the taskbar, all the windows flash and switch wildly. There is no setting in gconf or the preferences that can disable this functionality. This is also true for [[KDE]] 3; I do not know whether the problem persists in KDE 4. One solution was to install xfce4-panel, which has no scrolling at all and looks like the default GNOME panel. The bug is described in more detail here: [https://bugs.launchpad.net/ubuntu/+source/gnome-panel/+bug/39328].<br />
<br />
This bug will probably never be fixed, but we have the [[Arch Build System]], so we can build custom software. Install {{pkg|abs}} (+70Mb), then<br />
<br />
cp -r /var/abs/extra/libwnck /home/{your name}/Desktop/somewhere<br />
<br />
Navigate to that directory, then<br />
makepkg --nobuild<br />
<br />
This will download and extract the sources. Go to src/libwnck-{version}/libwnck. Edit tasklist.c and search for "scroll-event". You will see something like<br />
<br />
g_signal_connect(obj, "scroll-event", G_CALLBACK(wnck_tasklist_scroll_cb), NULL);<br />
<br />
This line enables scroll-event handler, comment the line out (place /* before and */ after the line). Now go back to {{ic|~/Desktop/somewhere}} and<br />
makepkg --noextract --syncdeps<br />
<br />
You will need [[sudo]] to be able to install missing dependencies (intltool), but you can always install them separately if you do not want --syncdeps automatically. The --noextract option tells makepkg to not extract sources and use existing src/<br />
<br />
pacman -U libwnck-{version}.pkg.tar.gz<br />
<br />
Then log out, log back in, and enjoy. Delete the directory with the sources from your desktop; you may also uninstall abs if you want. The next step would be to add a gconf option, but I will leave this to the GNOME gurus. I just do not need this "feature", not even when I use the mouse ({{Keypress|Alt+Tab}} is better anyway).<br />
<br />
===Custom transitioning background===<br />
This will create a transitioning background similar to the "cosmos" background found in the [[GNOME#Installation|gnome-backgrounds]] package. There are three ways to do this.<br />
{{Note|The image filenames must not have spaces in them.}}<br />
====Manual====<br />
You can create an XML file similar to the one created by {{pkg|gnome-backgrounds}} in {{ic|/usr/share/backgrounds/cosmos/}}.<br />
{{bc|<br />
<background><br />
<starttime><br />
<hour>00</hour><br />
<minute>00</minute><br />
<second>01</second><br />
</starttime><br />
<nowiki><!-- The first section set an arbitrary start time. --></nowiki><br />
<static><br />
<duration>1795.0</duration><br />
<file>/path/to/background1.jpg</file><br />
</static><br />
<transition><br />
<duration>5.0</duration><br />
<from>/path/to/background1.jpg</from><br />
<to>/path/to/background2.jpg</to><br />
</transition><br />
<static><br />
<duration>1795.0</duration><br />
<file>/path/to/background2.jpg</file><br />
</static><br />
<transition><br />
<duration>5.0</duration><br />
<from>/path/to/background2.jpg</from><br />
<to>/path/to/background1.jpg</to><br />
</transition><br />
</background><br />
}}<br />
<br />
Note that the <duration> tag sets each image as the background for 1795 seconds, or 29 minutes and 55 seconds, and the <transition> then takes 5 seconds. You can add any number of images as long as the last one transitions back to the first (if you want a full loop). Once completed, the XML file can be added to GNOME under System > Preferences > Appearance > Background tab > Add.<br />
<br />
====Automatic====<br />
There is also a script which automates this process:<br />
{{bc|<nowiki><br />
#!/bin/sh<br />
#This script creates XML files that can act as dynamic wallpapers for GNOME by referring to multiple wallpapers<br />
#Coded by David J Krajnik<br />
#Output is written with printf, because bash's echo would leave the "\n" escapes in the XML as literal text<br />
<br />
if [ "$*" = "" ]; then<br />
    echo "This script creates XML files that can act as dynamic backgrounds for GNOME by referring to multiple wallpapers"<br />
    echo "Usage: mkwlppr target-file.xml [duration] pic1 pic2 [pic3 .. picN]"<br />
    exit 1<br />
fi<br />
#Grab the name of the target xml file and remove it from the argument list<br />
xmlfile=$1; shift<br />
if [ "`echo "$xmlfile" | grep '\.xml$'`" = "" ]; then<br />
    echo "Your target file must be an XML file"<br />
    exit 1<br />
fi<br />
inputIsValid="true"<br />
duration="1795.0" #set the default duration<br />
if [ "`echo "$1" | grep '^[0-9]\+\.[0-9]\+$'`" != "" ]; then<br />
    echo "The duration must be an integer"<br />
    shift; inputIsValid=""<br />
elif [ "`echo "$1" | grep '^[0-9]\+$'`" != "" ]; then<br />
    #If the item is a number, use it as the time per wallpaper; 5 seconds of it are spent on the transition<br />
    duration="`expr "$1" - 5`.0"<br />
    shift<br />
fi<br />
if [ $# -eq 0 ]; then<br />
    echo "You must enter image files to associate with the XML file"<br />
    exit 1<br />
fi<br />
for file in "$@"<br />
do<br />
    if [ ! -f "$file" ]; then<br />
        echo "\"$file\" does not exist"<br />
        inputIsValid=""<br />
    elif [ "`echo "$file" | sed 's/^.*\.\(jpg\|jpeg\|bmp\|png\|gif\|tif\|tiff\|jif\|jfif\|jp2\|jpx\|j2k\|j2c\)$//'`" != "" ]; then<br />
        echo "\"$file\" is not an image file"<br />
        inputIsValid=""<br />
    fi<br />
done<br />
[ "$inputIsValid" ] || exit 1<br />
<br />
#Turn a relative path into an absolute one and remove occurrences of ".." from it<br />
currDir=`pwd`<br />
abspath() {<br />
    case "$1" in<br />
        /*) p="$1" ;;<br />
        *)  p="$currDir/$1" ;;<br />
    esac<br />
    echo "$p" | sed 's/[^/]\+\/\.\.\/\?//g'<br />
}<br />
static_block() {<br />
    printf '  <static>\n    <duration>%s</duration>\n    <file>%s</file>\n  </static>\n' "$duration" "$1"<br />
}<br />
transition_block() {<br />
    printf '  <transition>\n    <duration>5.0</duration>\n    <from>%s</from>\n    <to>%s</to>\n  </transition>\n' "$1" "$2"<br />
}<br />
<br />
firstFile=`abspath "$1"`; shift<br />
#The whole document is written with ">" so an existing file of the same name is replaced, not appended to<br />
{<br />
    printf '<background>\n  <starttime>\n    <year>2009</year>\n    <month>08</month>\n    <day>04</day>\n'<br />
    printf '    <hour>00</hour>\n    <minute>00</minute>\n    <second>00</second>\n  </starttime>\n'<br />
    printf '  <!-- This animation will start at midnight. -->\n'<br />
    static_block "$firstFile"<br />
    prevFile=$firstFile<br />
    for currFile in "$@"<br />
    do<br />
        currFile=`abspath "$currFile"`<br />
        transition_block "$prevFile" "$currFile"<br />
        static_block "$currFile"<br />
        prevFile=$currFile<br />
    done<br />
    #Close the loop: go from the last image back to the first one<br />
    transition_block "$prevFile" "$firstFile"<br />
    printf '</background>\n'<br />
} > "$xmlfile"<br />
</nowiki>}}<br />
Copy the code for the script above into a file called mkwlppr (short for "make wallpaper"). Make the script executable by typing:<br />
{{bc|sudo chmod 711 mkwlppr}}<br />
Move the file so that you can run it from any directory by just using its name: <br />
{{bc|sudo mv mkwlppr /bin}}<br />
Execute the script; it will tell you what input it requires from you. Use the script with input to create as many wallpaper XML files as you want.<br />
<br />
Notes:<br />
* Since this script is not interactive, you can use the shell's wildcards with it if you want to use all files in a directory and/or if you do not care about the order of the images.<br />
* You can specify paths relative to your current directory, and the script will put the files' absolute paths into the XML file for you; so you can create the XML file anywhere you want and move it afterward without rendering it useless.<br />
* If you want to run the script inside the /usr/share/backgrounds/ directory, you might have problems with permissions unless you run the command with sudo like this: {{ic|sudo mkwlppr -parameters}}<br />
* If you do not know what duration to specify for the images, simply do not provide a number in the input, and the program will use the default values of 29 minutes and 55 seconds per image and a 5 second transition.<br />
* For more information, please see [http://www.linuxjournal.com/content/create-custom-transitioning-background-your-gnome-228-desktop this page].<br />
<br />
====GUI====<br />
If you prefer using a GUI, you can install [https://aur.archlinux.org/packages.php?ID=39935 CreBS] from the AUR, which is a PyGTK app for creating background slideshows for GNOME.<br />
<br />
===Change default size of gnome-terminal===<br />
====Method 1====<br />
The terminal emulator {{pkg|gnome-terminal}} neither allows setting a default size nor remembers the last size. In order to set the default size consider the following steps:<br />
# Change the following line in {{ic|/usr/share/vte/termcap/xterm}} accordingly:<br/>{{Ic|:co#80:it#8:li#24:}}<br/>Here 80 stands for the number of '''co'''lumns (i.e. width in characters) and 24 for the number of '''li'''nes (i.e. height in characters).<br />
# To prevent pacman from overwriting this file when upgrading the package {{ic|vte}}, enter the following in {{ic|/etc/pacman.conf}}<br/>{{Ic|NoUpgrade &#61; usr/share/vte/termcap/xterm}}<br />
# Terminate all gnome-terminal processes to let the changes take effect.<br />
<br />
====Method 2====<br />
Another option is to simply use the --geometry switch when starting {{pkg|gnome-terminal}} (can be done via a right-click/properties on the launcher, then enter the following in the "Command" field: gnome-terminal --geometry 105x25+100+20).<br />
<br />
===Install a cursor theme===<br />
The default cursor theme of Xorg looks pretty outdated. See [[X11 Cursors]] for easy instructions on installing new cursor themes. Then go to the desktop -> right click -> Change background -> Theme tab -> customise -> cursor to apply them.<br />
<br />
===Autostart programs===<br />
You can place {{ic|.desktop}} files in the {{ic|~/.config/autostart}} directory (which you might need to create) to have them started automatically after starting a GNOME session.<br />
<br />
==gnome-screensaver==<br />
===Leave message feature in gnome-screensaver===<br />
This is a cool feature provided by {{pkg|gnome-screensaver}} 2.20: somebody can leave a message for you when you are not at your desk.<br />
Install notification-daemon to make this work.<br />
<br />
===Change gnome-screensaver background===<br />
There isn't any option to change the screensaver's default background. The only way is to:<br />
su<br />
cd /usr/share/pixmaps/backgrounds/gnome<br />
rm background-default.jpg<br />
ln -s /home/user/my_background.jpg background-default.jpg<br />
<br />
{{Note| You can save your wallpaper to a ''static'' path like {{ic|/home/user/wall.jpg}} and [[GNOME_2.28_Changes#Changing_Background_Image| configure gdm]], gnome-desktop and gnome-screensaver to point at it. This way you can have the same wallpaper on each of them. }}<br />
<br />
== Toolbar style in GTK applications ==<br />
The default setting in GNOME 2.30 displays text next to icons in the toolbar of GTK applications. This means labels will only appear near buttons that the developer marks as "important". To have labels always show under the buttons in the toolbar:<br />
gconftool-2 --set --type string /desktop/gnome/interface/toolbar_style both<br />
Possible values are:<br />
* both (text is always displayed below the button's icon)<br />
* both-horiz (default, text is only displayed next to "important" buttons)<br />
* text (only labels on buttons, no icons)<br />
* icons (only icons on buttons, no labels)<br />
<br />
== Missing icons in System Menu ==<br />
The default setting under 2.30 does not display the usual icons under the System menu. In version 2.28, they could be enabled from '''System >> Preferences >> Appearance >> Interface'''. This is no longer possible. Now they can be enabled with:<br />
gconftool-2 --set --type boolean /desktop/gnome/interface/menus_have_icons true<br />
<br />
== Nautilus location entry ==<br />
Since GNOME 2.30, Nautilus does not have an icon to switch the location display between a text input entry and a pathbar. Since the pathbar is enabled by default, switch to the text input entry with:<br />
gconftool-2 --set --type boolean /apps/nautilus/preferences/always_use_location_entry true<br />
<br />
==See also==<br />
*[[GNOME]]</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Universal_Media_Server&diff=241531Universal Media Server2012-12-24T12:00:17Z<p>Jrussell: </p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[Category:Networking]] <br />
[[es:Universal Media Server]]<br />
[http://www.universalmediaserver.com/ Universal Media Server] is a DLNA-compliant UPnP Media Server.<br />
It is based on PS3 Media Server by shagrath. It is actually an evolution of the "SubJunk Build" of PMS.<br />
UMS was started by SubJunk, an official developer of PMS, in order to ensure greater stability and file-compatibility.<br />
<br />
Because it is written in Java, Universal Media Server supports all major operating systems, with versions for Windows, Linux and Mac OS X.<br />
The program streams or transcodes many different media formats with little or no configuration.<br />
It is powered by MEncoder, FFmpeg, tsMuxeR, AviSynth, MediaInfo and more, which combine to offer support for a wide range of media formats.<br />
<br />
<br />
== Installation ==<br />
<br />
Universal Media Server is available in the [[AUR]] via {{AUR|ums}}.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Universal_Media_Server&diff=241530Universal Media Server2012-12-24T11:59:30Z<p>Jrussell: </p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[Category:Networking]] <br />
[[es:Universal Media Server]]<br />
[http://www.universalmediaserver.com/ Universal Media Server] is a DLNA-compliant UPnP Media Server.<br />
It is based on PS3 Media Server by shagrath. It is actually an evolution of the "SubJunk Build" of PMS.<br />
UMS was started by SubJunk, an official developer of PMS, in order to ensure greater stability and file-compatibility.<br />
<br />
Because it is written in Java, Universal Media Server supports all major operating systems, with versions for Windows, Linux and Mac OS X.<br />
The program streams or transcodes many different media formats with little or no configuration.<br />
It is powered by MEncoder, FFmpeg, tsMuxeR, AviSynth, MediaInfo and more, which combine to offer support for a wide range of media formats.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Universal_Media_Server&diff=241529Universal Media Server2012-12-24T11:59:00Z<p>Jrussell: Created page with "Category:Audio/Video es:Universal Media Server [http://www.universalmediaserver.com/ Universal Media Server] is a DLNA-compliant UPnP Media Server. It is based on PS3 ..."</p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[es:Universal Media Server]]<br />
[http://www.universalmediaserver.com/ Universal Media Server] is a DLNA-compliant UPnP Media Server.<br />
It is based on PS3 Media Server by shagrath. It is actually an evolution of the "SubJunk Build" of PMS.<br />
UMS was started by SubJunk, an official developer of PMS, in order to ensure greater stability and file-compatibility.<br />
<br />
Because it is written in Java, Universal Media Server supports all major operating systems, with versions for Windows, Linux and Mac OS X.<br />
The program streams or transcodes many different media formats with little or no configuration.<br />
It is powered by MEncoder, FFmpeg, tsMuxeR, AviSynth, MediaInfo and more, which combine to offer support for a wide range of media formats.</div>Jrussellhttps://wiki.archlinux.org/index.php?title=Streaming_media&diff=241528Streaming media2012-12-24T11:53:09Z<p>Jrussell: /* Using a uPNP or DLNA-compliant server */</p>
<hr />
<div>[[Category:Networking]]<br />
Businesses have been storing their data on the network for ages, but in the past few years there has been a trend in home networking to put all content on a central server and distribute it to the home computers and dedicated appliances on the network. This page offers an overview of the available packages to stream digital media (video, audio and images, and in several cases also online content) from your server to your clients.<br />
<br />
== Serverside ==<br />
=== Using a uPNP or DLNA-compliant server ===<br />
==== Generic instructions ====<br />
# Your server should be set up to use multicasting. This will ensure that your clients will always find the server automatically on the network:<br />
## Setting it up manually in /etc/rc.conf:<br />
{{bc|1=<br />
ROUTES=(!gateway multicast)<br />
gateway=""<br />
multicast="-net 239.0.0.0 netmask 255.0.0.0 eth0"<br />
}}<br />
## Using avahi and mdns<br />
<br />
# Some of the hereafter mentioned software packages do not get along together. If you are experiencing problems, make sure you are not running two of them at the same time.<br />
<br />
==== Mediatomb ====<br />
See [[MediaTomb]]<br />
<br />
==== minidlna ====<br />
<br />
See [[Minidlna]]<br />
<br />
==== Fuppes [http://fuppes.ulrich-voelkel.de/] ====<br />
<br />
==== uShare ====<br />
See [[uShare]]<br />
<br />
==== Coherence [http://coherence.beebits.net] ====<br />
Fairly new server, implemented in Python. The svn version should handle transcoding. It looked very promising, but development seems to have stalled.<br />
<br />
==== PS3 Mediaserver [http://ps3mediaserver.org/forum/] ====<br />
See [[PS3 Mediaserver]]<br />
<br />
==== Universal Media Server ====<br />
<br />
A DLNA-compliant UPnP Media Server [http://www.universalmediaserver.com/]<br />
<br />
==== Rygel [http://live.gnome.org/Rygel] ====<br />
Server and client based on GUPnP and written in Vala - will be used in Gnome 3.0<br />
<br />
=== Using other software ===<br />
==== MPD ====<br />
See article at [[Mpd]]<br />
<br />
== Clientside ==<br />
The [[VLC media player]] includes a ''Universal Plug'n'Play'' module and can browse and play from a server.<br />
<br />
=== uPNP / DLNA ===<br />
<br />
=== Using other software ===<br />
<br />
==== MPD: MPC ====</div>Jrussellhttps://wiki.archlinux.org/index.php?title=PulseAudio&diff=241379PulseAudio2012-12-23T12:58:24Z<p>Jrussell: /* Volume gets louder every time a new application is started */</p>
<hr />
<div>[[Category:Audio/Video]]<br />
[[cs:PulseAudio]]<br />
[[es:PulseAudio]]<br />
[[fr:PulseAudio]]<br />
[[it:PulseAudio]]<br />
[[pt:PulseAudio]]<br />
[[ru:PulseAudio]]<br />
[[tr:PulseAudio]]<br />
[[Wikipedia:PulseAudio|PulseAudio]] is the default sound server that serves as a proxy to sound applications using existing kernel sound components like [[ALSA]] or [[OSS]]. Since [[ALSA]] is included in Arch Linux by default, the most common deployment scenario is PulseAudio with [[ALSA]].<br />
<br />
{{Article summary start}}<br />
{{Article summary text|'''PulseAudio''' is a general purpose sound server. For a list of features, see [[Wikipedia:PulseAudio#Features]].}}<br />
{{Article summary heading|Related Articles}}<br />
{{Article summary wiki|PulseAudio/Examples}}<br />
{{Article summary end}}<br />
<br />
==Installation==<br />
*Required PKG: {{Pkg|pulseaudio}}<br />
*Optional GUIs: {{Pkg|paprefs}} and {{Pkg|pavucontrol}}<br />
*Optional volume control via mapped keyboard keys: {{AUR|pulseaudio_ctl}}<br />
*Optional console mixer: {{AUR|ponymix-git}} and {{AUR|pamixer-git}}<br />
*Optional system tray icon: {{AUR|pasystray-git}}<br />
*Optional kde plasma applet: {{AUR|kdeplasma-applets-veromix}}<br />
<br />
==Running==<br />
{{Note|Pulseaudio requires [[D-Bus]] to function.}}<br />
{{Note|Most X11 environments start pulseaudio automatically with the X11 session.}}<br />
<br />
In the unlikely event that pulseaudio is not automatically started upon entering X, it can be started with:<br />
$ pulseaudio --start<br />
<br />
PulseAudio can be stopped with:<br />
$ pulseaudio --kill<br />
<br />
==Equalizer==<br />
<br />
Newer pulseaudio versions have an integrated 10-band equalizer system. In order to use the equalizer, do the following:<br />
<br />
===Load equalizer sink module===<br />
<br />
$ pactl load-module module-equalizer-sink<br />
<br />
===Install and run the gui frontend===<br />
<br />
# pacman -S --needed python2-pyqt<br />
<br />
$ qpaeq<br />
<br />
{{Note|If qpaeq has no effect, install pavucontrol and change "ALSA Playback on" to "FFT based equalizer on ..." while the media player is running.}}<br />
<br />
===Load equalizer module on every boot===<br />
<br />
Edit the file {{ic|/etc/pulse/default.pa}} with your favorite editor and append the following lines:<br />
<br />
### Load the integrated pulseaudio equalizer module<br />
load-module module-equalizer-sink<br />
<br />
==Backend Configuration==<br />
<br />
{{Out of date|Arch has moved to systemd and rc.conf is now deprecated.}}<br />
<br />
===ALSA===<br />
*Recommended PKG: {{Pkg|pulseaudio-alsa}}<br />
*Optional PKGs: {{Pkg|lib32-libpulse}} and {{Pkg|lib32-alsa-plugins}}<br />
<br />
{{Note|Optional PKGs are needed only if running x86_64 and wanting to have sound for 32 bit programs (like Wine).}}<br />
<br />
For applications that support ALSA but not PulseAudio, it is '''recommended''' to install the PulseAudio plugin for ALSA. This package also contains the necessary {{ic|/etc/asound.conf}} for configuring ALSA to use PulseAudio.<br />
<br />
To prevent applications from using ALSA's OSS emulation and bypassing Pulseaudio (thereby preventing other applications from playing sound), make sure the module {{ic|snd_pcm_oss}} is not in the {{ic|MODULES}} array in {{ic|/etc/[[rc.conf]]}}. If it is currently loaded (<code>lsmod|grep oss</code>), disable it by executing:<br />
# rmmod snd_pcm_oss<br />
<br />
===OSS===<br />
There are multiple ways of making OSS-only programs play to PulseAudio:<br />
<br />
====ossp====<br />
Start {{Pkg|ossp}} with:<br />
rc.d start osspd<br />
<br />
Afterwards, add it to DAEMONS in {{ic|rc.conf}}.<br />
<br />
====padsp wrapper (part of PulseAudio)====<br />
Programs using OSS can work with PulseAudio by starting them with padsp:<br />
<br />
$ padsp OSSprogram<br />
A few examples:<br />
$ padsp aumix<br />
$ padsp sox foo.wav -t ossdsp /dev/dsp<br />
<br />
One can also rename the {{ic|OSSprogram}} binary to {{ic|OSSprogram-bin}} and replace it with a script like this: <br />
{{hc|/usr/bin/OSSprogram|<nowiki><br />
#!/bin/sh<br />
# Run the renamed binary through padsp when it is available; otherwise run it directly.<br />
if test -x /usr/bin/padsp; then<br />
exec /usr/bin/padsp /usr/bin/OSSprogram-bin "$@"<br />
else<br />
exec /usr/bin/OSSprogram-bin "$@"<br />
fi<br />
</nowiki>}}<br />
<br />
===GStreamer===<br />
To make [[GStreamer]] use PulseAudio, you need to install {{Pkg|gstreamer0.10-good-plugins}}, execute {{ic|gstreamer-properties}} (part of ''gnome-media'' package) and select ''PulseAudio Sound Server'' in both Audio Input and Output. Alternatively, this can be done by setting the gconf variables {{ic|/system/gstreamer/0.10/default/audiosink}} to ''pulsesink'' and {{ic|/system/gstreamer/0.10/default/audiosrc}} to ''pulsesrc'':<br />
$ gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosink pulsesink<br />
$ gconftool-2 -t string --set /system/gstreamer/0.10/default/audiosrc pulsesrc<br />
<br />
Some applications (like Rhythmbox) ignore the ''audiosink'' property, but rely instead on ''musicaudiosink'', which cannot be configured using {{ic|gstreamer-properties}} but needs to be manually set using {{ic|gconf-editor}} or the {{ic|gconftool-2}}:<br />
$ gconftool-2 -t string --set /system/gstreamer/0.10/default/musicaudiosink pulsesink<br />
<br />
===OpenAL===<br />
OpenAL Soft should use PulseAudio by default, but can be explicitly configured to do so: {{hc|/etc/openal/alsoft.conf|2=drivers=pulse,alsa}}<br />
<br />
===libao===<br />
Edit the libao configuration file:<br />
{{hc|/etc/libao.conf|2=default_driver=pulse}}<br />
<br />
===ESD===<br />
PulseAudio is a drop-in replacement for the enlightened sound daemon (ESD). While PulseAudio is running, ESD clients should be able to output to it without configuration.<br />
<br />
==Desktop Environments==<br />
===General X11===<br />
{{Note|As mentioned previously, PulseAudio is very likely launched automatically via either {{ic|/etc/X11/xinit/xinitrc.d/pulseaudio}} or the files in {{ic|/etc/xdg/autostart/}} if users have some DE installed.}}<br />
<br />
Check to see if PulseAudio is running:<br />
<br />
$ ps aux | grep pulse<br />
facade 1794 0.0 0.0 360464 6532 ? S<l 15:33 0:00 /usr/bin/pulseaudio --start<br />
facade 1827 0.0 0.0 68888 2608 ? S 15:33 0:00 /usr/lib/pulse/gconf-helper<br />
<br />
If PulseAudio is not running and users are using X, the following will start PulseAudio with the needed X11 plugins manually:<br />
$ start-pulseaudio-x11<br />
<br />
If you are not running Gnome, KDE or XFCE and your {{ic|~/.xinitrc}} does not source the scripts in {{ic|/etc/X11/xinit/xinitrc.d}} (such as is done in the example file {{ic|/etc/skel/.xinitrc}}) then you can launch PulseAudio on boot by adding the following line to ~/.xinitrc:<br />
/usr/bin/start-pulseaudio-x11<br />
<br />
===GNOME===<br />
As of GNOME 3, GNOME fully integrates with PulseAudio and no extra configuration is needed.<br />
<br />
===KDE 3===<br />
PulseAudio is ''not'' a drop-in replacement for aRts. Users of KDE 3 cannot use PulseAudio. Note, however, that recent versions of PulseAudio may have eliminated this limitation:<br />
<br />
See http://www.pulseaudio.org/wiki/PerfectSetup: KDE 3 uses the artsd sound server by default. However, artsd itself can be configured to use an Esound backend. Edit kcmartsrc (either in /etc/kde or /usr/share/config for global configuration, or .kde/share/config to configure only one user) like this:<br />
<br />
[Arts]<br />
Arguments=\s-F 10 -S 4096 -a esd -n -s 1 -m artsmessage -c drkonqi -l 3 -f<br />
NetworkTransparent=true<br />
SuspendTime=1<br />
<br />
===KDE Plasma Workspaces and Qt4===<br />
If PulseAudio is running, it will be used by KDE/Qt4 applications. For more information see the [http://www.pulseaudio.org/wiki/KDE KDE page in the PulseAudio wiki].<br />
<br />
PulseAudio support has been merged into KMix, the default KDE sound mixer.<br />
<br />
One useful tidbit from that page is to add {{ic|load-module module-device-manager}} to {{ic|/etc/pulse/default.pa}}.<br />
<br />
Additionally, the {{AUR|kdeplasma-applets-veromix}} is available in the [[AUR]] as a KDE alternative to KMix or pavucontrol.<br />
<br />
===Xfce===<br />
Applications running under Xfce can take advantage of PulseAudio. To manage PulseAudio settings you can use {{Pkg|pavucontrol}}.<br />
<br />
==Applications==<br />
===Audacious===<br />
[[Audacious]] natively supports PulseAudio. In order to use it, set Audacious Preferences -> Audio -> Current output plugin to 'PulseAudio Output Plugin'.<br />
<br />
===Java/OpenJDK 6===<br />
Create a wrapper for the java executable using padsp as seen on the [[Java#Java_sound_with_Pulseaudio|Java sound with Pulseaudio]] page.<br />
<br />
===Music Player Daemon (MPD)===<br />
[http://mpd.wikia.com/wiki/PulseAudio configure] [[MPD]] to use PulseAudio.<br />
<br />
===MPlayer===<br />
[[MPlayer]] natively supports PulseAudio output with the "{{ic|-ao pulse}}" option. It can also be configured to default to PulseAudio output, in {{ic|~/.mplayer/config}} for per-user, or {{ic|/etc/mplayer/mplayer.conf}} for system-wide:<br />
{{hc|/etc/mplayer/mplayer.conf|2=ao=pulse}}<br />
<br />
===Skype (x86_64 only)===<br />
Install {{Pkg|lib32-libpulse}}, otherwise the following error will occur when trying to initiate a call: "Problem with Audio Playback".<br />
<br />
==Troubleshooting==<br />
===No sound after install===<br />
<br />
====Muted audio device====<br />
If one experiences no audio output by any means while using ALSA, attempt to unmute the sound card. To do this, launch alsamixer and make sure each column has a green 00 under it (this can be toggled by pressing 'm'):<br />
$ alsamixer -c 0<br />
<br />
====Bad configuration files====<br />
If after starting pulseaudio, the system outputs no sound, it may be necessary to delete the contents of {{ic|~/.pulse}}. Pulseaudio will automatically create new configuration files on its next start.<br />
<br />
====Flash Content====<br />
Since Adobe Flash does not directly support PulseAudio the recommended way is to [https://wiki.archlinux.org/index.php/PulseAudio#ALSA configure ALSA to use the virtual PulseAudio soundcard].<br />
<br />
Alternatively you may try out {{AUR|libflashsupport-pulse}} from the [[AUR]].<br />
{{Note|This may invariably crash the flash plugin.}}<br />
<br />
====No cards====<br />
If PulseAudio starts, run {{ic|pacmd list}}. If no cards are reported, make sure that the ALSA devices are not in use:<br />
$ fuser -v /dev/snd/*<br />
$ fuser -v /dev/dsp<br />
<br />
Make sure any applications using the pcm or dsp files are shut down before restarting PulseAudio.<br />
<br />
====The only device shown is "dummy output"====<br />
This may have several causes, one of them being that the .asoundrc file in $HOME takes precedence over the systemwide /etc/asound.conf.<br />
<br />
The user file is modified also by the tool '''asoundconf''' or by its graphical variant '''asoundconf-gtk''' (the latter is named "Default sound card" in the menu) as soon as it runs. Prevent the effects of .asoundrc altogether by commenting the last line like this:<br />
<br />
#</home/<yourusername>/.asoundrc.asoundconf><br />
<br />
====KDE4====<br />
It may be that another output device is set as preferred in Phonon. Make sure that every setting reflects the preferred output device at the top, and check the playback streams tab in kmix to make sure that applications are using that device for output.<br />
<br />
===Bluetooth headset replay problems===<br />
Some users [https://bbs.archlinux.org/viewtopic.php?id=117420 report] huge delays or even no sound when the bluetooth connection does not send any data. This is due to the idle-suspend module that automatically puts the related sinks/sources into suspend. As this can cause problems with headsets, the responsible module can be deactivated. <br />
<br />
1. cp /etc/pulse/default.pa ~/.pulse/default.pa<br />
2. comment out the "load-module module-suspend-on-idle" line in ~/.pulse/default.pa<br />
3. pulseaudio -k && pulseaudio --start<br />
<br />
[http://robert.orzanna.de/2011/08/10/prevent-idle-suspend-with-a-bluetooth-headset-and-a2dp/ More information]<br />
<br />
===Automatically switch to Bluetooth or USB headset===<br />
Add the following to your /etc/pulse/default.pa:<br />
<br />
# automatically switch to newly-connected devices<br />
load-module module-switch-on-connect<br />
<br />
===Pulse overwrites ALSA settings===<br />
PulseAudio usually overwrites the ALSA settings (for example those set with alsamixer) at startup, even when the alsa daemon is loaded. Since there seems to be no other way to restrict this behaviour, a workaround is to restore the ALSA settings again after PulseAudio has started. Add the following to {{ic|.xinitrc}}, {{ic|.bash_login}} or any other autostart file:<br />
<br />
restore_alsa() {<br />
# Wait until a pulseaudio process exists, then restore the saved ALSA state<br />
while [ -z "$(pidof pulseaudio)" ]; do<br />
sleep 0.5<br />
done<br />
alsactl -f /var/lib/alsa/asound.state restore<br />
}<br />
# Run in the background so the login/session startup is not blocked<br />
restore_alsa &<br />
<br />
===Daemon startup failed===<br />
Try resetting PulseAudio. To do that:<br />
$ pulseaudio --kill<br />
$ killall pulseaudio<br />
$ killall -9 pulseaudio<br />
$ rm -rf ~/.pulse*<br />
$ rm -rf /tmp/pulse*<br />
<br />
Afterwards, start PulseAudio again.<br />
<br />
===padevchooser===<br />
If one cannot launch the PulseAudio Device Chooser, first (re)start the Avahi daemon as follows:<br />
$ rc.d restart avahi-daemon<br />
<br />
===Glitches, skips or crackling===<br />
The newer implementation of PulseAudio sound server uses a timer-based audio scheduling instead of the traditional interrupt-driven approach. <br />
<br />
Timer-based scheduling may expose issues in some ALSA drivers. On the other hand, other drivers might be glitchy without it on, so check to see what works on your system. <br />
<br />
To turn timer-based scheduling off, replace the line:<br />
load-module module-udev-detect <br />
in {{ic|/etc/pulse/default.pa}} by:<br />
load-module module-udev-detect tsched=0<br />
Then restart the PulseAudio server.<br />
<br />
Do the reverse to enable timer-based scheduling, if not already enabled by default.<br />
<br />
Please report any such cards to [http://pulseaudio.org/wiki/BrokenSoundDrivers PulseAudio Broken Sound Driver page]<br />
<br />
===Setting the default fragment number and buffer size in Pulseaudio===<br />
<br />
1. Finding out your audio device parameters<br />
<br />
Run the following Bash commands to find your sound card buffering settings:<br />
echo autospawn = no >> ~/.pulse/client.conf<br />
killall pulseaudio<br />
LANG=C timeout --foreground -k 10 -s kill 10 pulseaudio -vvvv 2>&1 | grep device.buffering -B 10<br />
sed -i '$d' ~/.pulse/client.conf<br />
<br />
For each sound card detected by Pulseaudio, you will see output similar to this:<br />
I: [pulseaudio] source.c: alsa.long_card_name = "HDA Intel at 0xfa200000 irq 46"<br />
I: [pulseaudio] source.c: alsa.driver_name = "snd_hda_intel"<br />
I: [pulseaudio] source.c: device.bus_path = "pci-0000:00:1b.0"<br />
I: [pulseaudio] source.c: sysfs.path = "/devices/pci0000:00/0000:00:1b.0/sound/card0"<br />
I: [pulseaudio] source.c: device.bus = "pci"<br />
I: [pulseaudio] source.c: device.vendor.id = "8086"<br />
I: [pulseaudio] source.c: device.vendor.name = "Intel Corporation"<br />
I: [pulseaudio] source.c: device.product.name = "82801I (ICH9 Family) HD Audio Controller"<br />
I: [pulseaudio] source.c: device.form_factor = "internal"<br />
I: [pulseaudio] source.c: device.string = "front:0"<br />
I: [pulseaudio] source.c: device.buffering.buffer_size = "768000"<br />
I: [pulseaudio] source.c: device.buffering.fragment_size = "384000"<br />
<br />
Take note of the buffer_size and fragment_size values for the relevant sound card.<br />
<br />
2. Calculate your fragment size in msecs and number of fragments<br />
<br />
Pulseaudio's default sampling rate and bit depth are set to 44100Hz @ 16 bits.<br />
<br />
With this configuration, the bit rate we need is 44100*16 = 705600 bits per second. That's 1411200 bps for stereo.<br />
<br />
Let's take a look at the parameters we've found in the previous step:<br />
<br />
device.buffering.buffer_size = "768000" => 768000/1411200 = 0.544217687075s = 544 msecs<br />
device.buffering.fragment_size = "384000" => 384000/1411200 = 0.272108843537s = 272 msecs<br />
<br />
3. Modify Pulseaudio's configuration file<br />
<br />
Edit the configuration file located at {{ic|/etc/pulse/daemon.conf}} using the editor of your choice.<br />
<br />
For example:<br />
sudo vi /etc/pulse/daemon.conf<br />
<br />
Locate & uncomment (remove leading semicolons) these lines:<br />
<br />
; default-fragments = X<br />
; default-fragment-size-msec = Y<br />
<br />
<br />
In the previous step, we calculated the fragment size parameter.<br />
The number of fragments is simply buffer_size/fragment_size, which in this case (544/272) is 2.<br />
<br />
Edit the lines to use your calculated settings:<br />
<br />
default-fragment-size-msec = 272<br />
default-fragments = 2<br />
<br />
Save the file.<br />
<br />
<br />
4. Restart the Pulseaudio daemon<br />
<br />
pulseaudio -k<br />
pulseaudio --start<br />
<br />
Source: [http://forums.linuxmint.com/viewtopic.php?f=42&t=44862 kwevej @ Linux Mint Forums]<br />
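The calculation from the steps above as an added shell example (not from the wiki page): it extracts the device.buffering values from a constructed sample of {{ic|pulseaudio -vvvv}} output and applies the same division-by-bit-rate method the section uses, assuming PulseAudio's default 44100 Hz, 16 bit, stereo unless other values are passed.<br />

```shell
#!/bin/sh
# Added example, not from the wiki page: derive the daemon.conf fragment settings
# from the device.buffering.* values that "pulseaudio -vvvv" prints, using the
# same arithmetic as the section above (size / (rate * bits * channels)).

# Constructed sample of the relevant log lines (values copied from the section above).
SAMPLE_LOG='I: [pulseaudio] source.c: device.string = "front:0"
I: [pulseaudio] source.c: device.buffering.buffer_size = "768000"
I: [pulseaudio] source.c: device.buffering.fragment_size = "384000"'

# pa_fragment_values BUFFER_SIZE FRAGMENT_SIZE [RATE] [BITS] [CHANNELS]
# Prints "<fragment msec> <number of fragments>" on one line.
pa_fragment_values() {
    buffer=$1
    fragment=$2
    rate=${3:-44100}
    bits=${4:-16}
    channels=${5:-2}
    bitrate=$((rate * bits * channels))          # 1411200 for the defaults
    frag_msec=$((fragment * 1000 / bitrate))     # 384000 -> 272
    buf_msec=$((buffer * 1000 / bitrate))        # 768000 -> 544
    if [ "$frag_msec" -le 0 ]; then
        echo "fragment_size too small for this bit rate" >&2
        return 1
    fi
    echo "$frag_msec $((buf_msec / frag_msec))"  # 272 2
}

# pa_log_value LOG KEY: extract the quoted number for device.buffering.KEY from the log text.
pa_log_value() {
    printf '%s\n' "$1" | sed -n "s/.*device\.buffering\.$2 = \"\([0-9]*\)\".*/\1/p" | head -n 1
}

# pa_fragment_values_from_log LOG [RATE] [BITS] [CHANNELS]
# Fails with a message when the log does not contain both buffering values.
pa_fragment_values_from_log() {
    buffer=$(pa_log_value "$1" buffer_size)
    fragment=$(pa_log_value "$1" fragment_size)
    if [ -z "$buffer" ] || [ -z "$fragment" ]; then
        echo "no device.buffering values found in log" >&2
        return 1
    fi
    shift
    pa_fragment_values "$buffer" "$fragment" "$@"
}

# pa_daemon_conf_snippet BUFFER_SIZE FRAGMENT_SIZE: print the two daemon.conf lines to set.
pa_daemon_conf_snippet() {
    vals=$(pa_fragment_values "$1" "$2") || return 1
    set -- $vals
    printf 'default-fragment-size-msec = %s\ndefault-fragments = %s\n' "$1" "$2"
}

pa_daemon_conf_snippet 768000 384000
pa_fragment_values_from_log "$SAMPLE_LOG"
```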
<br />
===Laggy sound===<br />
This issue is due to incorrect buffer sizes.<br />
Edit {{ic|/etc/pulse/daemon.conf}}<br />
<br />
Either disable any modifications (if any) to these entries, or, if issue still exists, uncomment and change them in the following way:<br />
default-fragments = 8<br />
default-fragment-size-msec = 5<br />
<br />
===Choppy, overdriven sound===<br />
Choppy sound in PulseAudio can result from wrong settings for the sample rate in {{Ic|/etc/pulse/daemon.conf}}. Try changing the line <br />
; default-sample-rate = 44100<br />
to <br />
default-sample-rate = 48000<br />
and restart the PulseAudio server.<br />
<br />
If one experiences choppy sound in applications using openAL, change the sample rate in /etc/openal/alsoft.conf:<br />
frequency = 48000<br />
<br />
Setting the PCM volume above 0dB can cause clipping of the audio signal. Running {{ic|alsamixer -c0}} will allow you to see if this is the problem and if so fix it.<br />
<br />
===Volume adjustment does not work properly===<br />
Check:<br />
{{ic|/usr/share/pulseaudio/alsa-mixer/paths/analog-output.conf.common}}<br />
<br />
If the volume does not appear to increment/decrement properly using {{ic|alsamixer}} or {{ic|amixer}}, it may be due to pulseaudio having a larger number of increments (65537 to be exact). Try using larger values when changing volume (e.g. {{ic|amixer set Master 655+}}).<br />
<br />
===Volume gets louder every time a new application is started===<br />
By default, it seems as if changing the volume in an application sets the global system volume to that level instead of only affecting the respective application. Applications setting their volume on startup will therefore cause the system volume to "jump".<br />
<br />
Fix this by uncommenting the line<br />
flat-volumes = yes<br />
and changing it to:<br />
flat-volumes = no<br />
in<br />
/etc/pulse/daemon.conf<br />
and then restarting PulseAudio by executing<br />
pulseaudio --kill && pulseaudio --start<br />
<br />
When Pulse comes back after a few seconds, applications will not alter the global system volume anymore but have their own volume level again.<br />
<br />
{{Note|A previously installed and removed pulseaudio-equalizer may leave behind remnants of the setup in {{Ic|$HOME/.pulse/default.pa}} which can also cause maximized volume trouble. Comment that out as needed.}}<br />
<br />
===No mic on ThinkPad T400/T500/T420===<br />
Run<br />
alsamixer -c 0<br />
Maximize the volume of/unmute the "Internal Mic".<br />
<br />
Once you see the device with<br />
arecord -l<br />
you might still need to adjust the settings. The microphone and the audio jack are duplexed. Set the configuration of the internal audio in pavucontrol to ''Analog Stereo Duplex''.<br />
<br />
===No mic input on Acer Aspire One===<br />
Install pavucontrol, unlink the microphone channels and turn down the left one to 0.<br />
Reference: http://getsatisfaction.com/jolicloud/topics/deaf_internal_mic_on_acer_aspire_one#reply_2108048<br />
<br />
===Sound output is only mono on M-Audio Audiophile 2496 sound card===<br />
Add the following to /etc/pulseaudio/default.pa:<br />
load-module module-alsa-sink sink_name=delta_out device=hw:M2496 format=s24le channels=10 channel_map=left,right,aux0,aux1,aux2,aux3,aux4,aux5,aux6,aux7<br />
load-module module-alsa-source source_name=delta_in device=hw:M2496 format=s24le channels=12 channel_map=left,right,aux0,aux1,aux2,aux3,aux4,aux5,aux6,aux7,aux8,aux9<br />
set-default-sink delta_out<br />
set-default-source delta_in<br />
<br />
===Static Noise in Microphone Recording===<br />
If there is static noise in recordings made by Skype, gnome-sound-recorder, arecord, etc., the sample rate configured for the sound card is incorrect. To fix this, set the sample rate in /etc/pulse/daemon.conf to match the sound hardware.<br />
<br />
====1. Determine soundcards in the system====<br />
This requires alsa-utils and related packages to be installed:<br />
$ arecord --list-devices<br />
<br />
output:<br />
**** List of CAPTURE Hardware Devices ****<br />
card 0: Intel [HDA Intel], device 0: ALC888 Analog [ALC888 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
card 0: Intel [HDA Intel], device 2: ALC888 Analog [ALC888 Analog]<br />
Subdevices: 1/1<br />
Subdevice #0: subdevice #0<br />
<br />
The sound card is hw:0,0.<br />
<br />
====2. Determine sampling-rate of the sound card====<br />
arecord -f dat -r 60000 -D hw:0,0 -d 5 test.wav<br />
<br />
output:<br />
"Recording WAVE 'test.wav' : Signed 16 bit Little Endian, Rate 60000 Hz, Stereo<br />
Warning: rate is not accurate (requested = 60000Hz, '''got = 96000Hz''')<br />
please, try the plug plugin<br />
<br />
Observe the '''got = 96000Hz''': this is the maximum sample rate of the card.<br />
<br />
====3. Setting the soundcard's sampling rate into pulse audio configuration====<br />
The default sample rate in PulseAudio is shown by:<br />
grep "sample-rate" /etc/pulse/daemon.conf<br />
<br />
output:<br />
; default-sample-rate = 44100<br />
<br />
It is 44100 and is commented out. Set the sound card's sample rate in the PulseAudio configuration file:<br />
su -c "sed 's/; default-sample-rate = 44100/default-sample-rate = 96000/g' -i /etc/pulse/daemon.conf"<br />
<br />
Verify the change to daemon.conf:<br />
grep "sample-rate" /etc/pulse/daemon.conf <br />
output:<br />
default-sample-rate = 96000<br />
The configuration is done.<br />
<br />
====4. Restart pulseaudio to apply the new settings====<br />
pulseaudio --kill<br />
pulseaudio --start<br />
<br />
====5. Finally check by recording and playing it back====<br />
Record some voice using the mic for, say, 10 seconds. Make sure the mic is not muted:<br />
arecord -f cd -d 10 test-mic.wav<br />
<br />
After 10 seconds, play the recording back:<br />
aplay test-mic.wav<br />
<br />
Now hopefully, there is no static noise in microphone recording anymore.<br />
<br />
=== My Bluetooth device is paired but does not play any sound ===<br />
[[Bluetooth#My_device_is_paired_but_no_sound_is_played_from_it|See the article in Bluetooth section]]<br />
<br />
Starting from PulseAudio 2.99 and bluez 4.101 you should '''avoid''' using the Socket interface. Do '''not''' add<br />
[General]<br />
Enable=Socket<br />
to {{ic|/etc/bluetooth/audio.conf}}.<br />
If you face problems with A2DP and PA 2.99, make sure the SBC library is installed:<br />
# pacman -S sbc<br />
<br />
=== Subwoofer stops working after end of every song ===<br />
Known issue: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/494099<br />
<br />
To fix this, edit {{ic|/etc/pulse/daemon.conf}} and enable {{ic|enable-lfe-remixing}}:<br />
{{hc|/etc/pulse/daemon.conf|<nowiki><br />
enable-lfe-remixing = yes<br />
</nowiki>}}<br />
<br />
=== Pulseaudio uses wrong microphone ===<br />
If PulseAudio uses the wrong microphone and changing the Input Device with pavucontrol did not help, take a look at alsamixer; pavucontrol does not always set the input source correctly.<br><br />
Run:<br />
<br />
$ alsamixer<br />
<br />
Press F6 and choose your sound card, e.g. HDA Intel. Then press F5 to display all items and look for {{ic|Input Source}}. The up/down arrow keys change the input source.<br><br />
Now check whether the correct microphone is used for recording.<br />
<br />
=== Choppy Sound with Analog Surround Sound Setup ===<br />
<br />
The low-frequency effects (LFE) channel is not remixed per default. To enable it the following needs to be set in {{ic|/etc/pulse/daemon.conf}} :<br />
{{hc|/etc/pulse/daemon.conf|<nowiki><br />
enable-lfe-remixing = yes<br />
</nowiki>}}<br />
<br />
==External links==<br />
*[http://www.pulseaudio.org/wiki/PerfectSetup http://www.pulseaudio.org/wiki/PerfectSetup] - A good guide to make your configuration perfect<br />
*[http://www.alsa-project.org/main/index.php/Asoundrc http://www.alsa-project.org/main/index.php/Asoundrc] - Alsa wiki on .asoundrc<br />
*[http://www.pulseaudio.org/ http://www.pulseaudio.org/] - PulseAudio official site<br />
*[http://www.pulseaudio.org/wiki/FAQ http://www.pulseaudio.org/wiki/FAQ] - PulseAudio FAQ</div>
Jrussell https://wiki.archlinux.org/index.php?title=GTK&diff=240860 GTK 2012-12-19T10:48:06Z <p>Jrussell: /* GTK+ 2.x */</p>
<hr />
<div>[[Category:Development]]<br />
[[Category:Eye candy]]<br />
[[Category:Desktop environments]]<br />
[[cs:GTK+]]<br />
[[de:GTK+]]<br />
[[es:Improve GTK Application Looks]]<br />
[[it:GTK+]]<br />
[[uk:GTK+]]<br />
[[zh-CN:GTK+]]<br />
{{Article summary start}}<br />
{{Article summary text|This article details theme configuration of GTK+ applications. GTK+ (GIMP Toolkit) is a cross-platform widget toolkit for creating graphical user interfaces. This article covers the tools used to configure the GTK+ theme, style, icons, font and font size, and also details manual configuration.}}<br />
{{Article summary heading|Related}}<br />
{{Article summary wiki|Uniform Look for Qt and GTK Applications}}<br />
{{Article summary wiki|Qt}}<br />
{{Article summary wiki|GNU Project}}<br />
{{Article summary end}}<br />
<br />
From the [http://www.gtk.org GTK+ website]:<br />
:''GTK+, or the GIMP Toolkit, is a multi-platform toolkit for creating graphical user interfaces. Offering a complete set of widgets, GTK+ is suitable for projects ranging from small one-off tools to complete application suites.''<br />
<br />
GTK+, the GIMP Toolkit, was initially created for the [[GIMP]] and is part of the [[GNU Project]]; it is now a very popular toolkit with bindings for many languages.<br />
<br />
== Configuration programs ==<br />
<br />
These GUI programs allow theme selection and at least font customisation. They generally overwrite the {{ic|~/.gtkrc-2.0}} file.<br />
<br />
* {{Pkg|lxappearance}}: A configuration tool from the [[LXDE]] project, which does not require any other parts of LXDE or other desktop environment. More flexible customisation than the other programs.<br />
* {{Pkg|gtk-chtheme}}<br />
* {{Pkg|gtk-theme-switch2}}<br />
* {{Pkg|gtk2_prefs}}<br />
<br />
Example install command:<br />
# pacman -S gtk-theme-switch2<br />
<br />
See also [[Uniform Look for Qt and GTK Applications#Changing styles in each toolkit]].<br />
<br />
== Themes ==<br />
<br />
=== GTK+ 1.x ===<br />
Old GTK+ 1 apps (like xmms) often do not look very nice at first because they use an ugly default theme.<br />
To change this, you need to:<br />
# download and install some nice themes<br />
# change the theme<br />
<br />
Some nice themes are in the [[Arch User Repository|AUR]]. To install them, see {{AUR|gtk-smooth-engine}}.<br />
<br />
To change the theme you can use ''gtk-theme-switch2''. Run it with the 'switch' command.<br />
<br />
=== GTK+ 2.x ===<br />
<br />
Major [[Desktop Environment|desktop environments]] provide tools to configure the GTK+ theme, icons, font and font size. Alternatively, tools such as those mentioned above may be used.<br />
<br />
It is recommended to [[pacman|install]] some GTK+ 2 themes as well. The popular ''Clearlooks'' theme is included within the {{Pkg|gtk-engines}} package.<br />
<br />
Further themes can be found in the [[Arch User Repository|AUR]]:<br />
*https://aur.archlinux.org/packages.php?O=0&K=gtk2-theme&do_Search=Go<br />
*https://aur.archlinux.org/packages.php?O=0&K=gtk-theme&do_Search=Go<br />
<br />
Alternatively, GTK+ settings can be configured manually by editing {{ic|~/.gtkrc-2.0}}. A list of GTK+ settings can be found in the [http://library.gnome.org/devel/gtk/stable/GtkSettings.html GNOME library]. To manually change the GTK+ theme, icons, font and font size, add the following to {{ic|~/.gtkrc-2.0}}:<br />
<br />
{{hc|~/.gtkrc-2.0|2=<br />
gtk-icon-theme-name = "[name-of-icon-theme]"<br />
gtk-theme-name = "[name-of-theme]"<br />
gtk-font-name = "[font-name] [size]"<br />
}}<br />
<br />
For example:<br />
{{hc|~/.gtkrc-2.0|2=<br />
gtk-icon-theme-name = "Tango"<br />
gtk-theme-name = "Murrine-Gray"<br />
gtk-font-name = "DejaVu Sans 8"<br />
}}<br />
<br />
{{Note| The above example requires the packages {{Pkg|ttf-dejavu}}, {{Pkg|tangerine-icon-theme}}, {{Pkg|gtk-engine-murrine}} from the [[Official Repositories|official repositories]], and {{AUR|murrine-themes-collection}} from the AUR.}}<br />
<br />
=== GTK+ 3.x ===<br />
<br />
If you use GNOME 3, the theme can be changed with the {{pkg|gnome-tweak-tool}}.<br />
<br />
If you use [[Xfce]] 4.8, both GTK+ 3.x and GTK+ 2.x themes can be managed with the Appearance tool (Settings > Appearance). If the selected style ships both a GTK+ 2.x and a GTK+ 3.x theme, both are used. If it ships only a GTK+ 2.x theme, that is used for GTK+ 2.x applications and GTK+ 3.x applications fall back to the (ugly) defaults; the reverse holds for a style with only a GTK+ 3.x theme. For a uniform appearance, choose a style that provides both, for example {{AUR|clearwaita-gtk-theme}}; search the official packages and the [[AUR]] for others.<br />
<br />
If you use a GTK+ 2.x based DE such as [[Xfce]] or [[LXDE]], gnome-tweak-tool will not work; see {{bug|23644}}. [[pacman|Install]] {{pkg|librsvg}} and set your theme manually in {{ic|$XDG_CONFIG_HOME/gtk-3.0/settings.ini}} (usually {{ic|~/.config/gtk-3.0/settings.ini}}). An example {{ic|settings.ini}} file:<br />
{{hc|$XDG_CONFIG_HOME/gtk-3.0/settings.ini|2=<br />
[Settings]<br />
gtk-application-prefer-dark-theme = false<br />
gtk-theme-name = Zukitwo<br />
gtk-fallback-icon-theme = gnome<br />
gtk-icon-theme-name = [icon theme name]<br />
gtk-font-name = [font name] [font size]<br />
<br />
}}<br />
<br />
If it still does not change, delete old {{ic|gtk-3.0}} folder in {{ic|$XDG_CONFIG_HOME}} and copy {{ic|gtk-3.0}} folder from /path/to/theme to {{ic|$XDG_CONFIG_HOME}}. Example: <br />
<br />
$ rm -r ~/.config/gtk-3.0/<br />
$ cp -r /usr/share/themes/Zukitwo/gtk-3.0/ ~/.config/ <br />
<br />
After this, you need to set the same theme in your DE's appearance configuration tool. There are only a few themes which provide a uniform look for GTK+ 3.x and GTK+ 2.x apps. A few examples:<br />
#Adwaita for GTK+ 3 and Advaicium for GTK+ 2<br />
#Newlooks for GTK+ 3 and Clearlooks for GTK+ 2<br />
#Zukitwo<br />
#Elegant Brit<br />
#Atolm<br />
#Hope<br />
<br />
To find which installed themes have both a GTK+ 2.x and a GTK+ 3.x version, use the following command (it does not work with theme names containing spaces; the {{ic|2>/dev/null}} silences the error when {{ic|~/.themes}} does not exist):<br />
find $(find ~/.themes /usr/share/themes/ -wholename "*/gtk-3.0" 2>/dev/null | sed -e "s/^\(.*\)\/gtk-3.0$/\1/")\<br />
-wholename "*/gtk-2.0" | sed -e "s/.*\/\(.*\)\/gtk-2.0/\1/"<br />
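The following shell function is an added example, not code from the wiki page. It performs the same check as the command above but walks the theme directories with a plain loop instead of word-splitting find's output, so theme names containing spaces (such as Elegant Brit from the list above) are handled. The demo runs it against a constructed directory tree rather than the real {{ic|~/.themes}} and {{ic|/usr/share/themes}}.<br />

```bash
#!/bin/sh
# Added example (not from the wiki page): list themes that ship both a
# gtk-2.0 and a gtk-3.0 directory, safe for theme names with spaces.
# Usage: both_themes [DIR...]   (defaults to ~/.themes and /usr/share/themes)
both_themes() {
  [ $# -gt 0 ] || set -- "$HOME/.themes" /usr/share/themes
  for base in "$@"; do
    [ -d "$base" ] || continue          # skip missing directories silently
    for theme in "$base"/*/; do         # one entry per subdirectory
      theme=${theme%/}
      if [ -d "$theme/gtk-2.0" ] && [ -d "$theme/gtk-3.0" ]; then
        printf '%s\n' "${theme##*/}"    # print the theme name only
      fi
    done
  done | sort -u                        # same name in both bases: list once
}

# Demo on a constructed tree instead of the real theme directories.
demo=$(mktemp -d)
mkdir -p "$demo/Zukitwo/gtk-2.0" "$demo/Zukitwo/gtk-3.0" \
         "$demo/Elegant Brit/gtk-2.0" "$demo/Elegant Brit/gtk-3.0" \
         "$demo/Adwaita/gtk-3.0" "$demo/Clearlooks/gtk-2.0"
both_themes "$demo"   # prints: Elegant Brit, Zukitwo (one per line)
rm -rf "$demo"
```

Call {{ic|both_themes}} with no arguments to scan the standard locations; Adwaita and Clearlooks above are omitted because each has only one of the two directories.<br />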
<br />
<br />
{{Note|There probably are other themes. Some of these themes are available in the AUR. Also, some of them are not usable as is for displaying a GTK+ 2.x panel (light text over light background), so you need to use the provided [http://i.imgur.com/QmeyN.png panel background].}}<br />
<br />
=== GTK+ and Qt ===<br />
If you have GTK+ and Qt (KDE) applications on your desktop then you know that their looks do not blend well. If you wish to make your GTK+ styles match your Qt styles please read [[Uniform Look for Qt and GTK Applications]].<br />
<br />
== Configuration file ==<br />
<br />
{{Note|See the [http://library.gnome.org/devel/gtk/stable/GtkSettings.html#GtkSettings.properties ''GtkSettings'' properties] in the GTK+ programming reference manual for the full list of GTK configuration options.}}<br />
<br />
The purpose of this section is to collect GTK+ configuration settings which can e.g. be used within {{Ic|~/.gtkrc-2.0}}. <br />
<br />
=== Enabling Customizable Keyboard Shortcuts ===<br />
<br />
You can customize your GTK+ applications' keyboard shortcuts (those are called ''accelerators'' in GTK+ terminology) by hovering your mouse over a menu item and pressing your desired key combination. However, this feature is disabled by default. To enable it, set <br />
gtk-can-change-accels = 1<br />
<br />
=== Speed up your GNOME menu ===<br />
<br />
This setting controls the delay, in milliseconds, between pointing the mouse at a menu and that menu opening in GNOME (250 would be a quarter of a second). Change it to a value you prefer; 0 opens menus immediately:<br />
gtk-menu-popup-delay = 0<br />
<br />
=== Reduce widget sizes ===<br />
<br />
If you have a small screen or you just do not like big icons and widgets, you can resize things easily. <br />
To have icons without text in toolbars, use<br />
gtk-toolbar-style = GTK_TOOLBAR_ICONS<br />
To use smaller icons, use a line like this:<br />
gtk-icon-sizes = "panel-menu=16,16:panel=16,16:gtk-menu=16,16:gtk-large-toolbar=16,16:gtk-small-toolbar=16,16:gtk-button=16,16"<br />
Or to remove icons from buttons completely:<br />
gtk-button-images = 0<br />
You can also remove icons from menus:<br />
gtk-menu-images = 0<br />
<br />
There is some more tweaking to do in your theme's gtkrc, as explained [http://martin.ankerl.com/2008/10/10/how-to-make-a-compact-gnome-theme/ here], and there is another [http://gnome-look.org/content/show.php/Simple+eGTK?content=119812 theme] that does it all.<br />
<br />
== Development ==<br />
<br />
When writing a GTK+ 3 program in C from scratch, pass gcc the compiler and linker flags that {{ic|pkg-config}} reports for GTK+ 3, placing them after the source file so that the linker sees the libraries after the objects that need them:<br />
gcc -g -Wall -o base base.c `pkg-config --cflags --libs gtk+-3.0`<br />
{{ic|-g}} (debug information) and {{ic|-Wall}} (common compiler warnings) are optional.<br />
You may try out the official [http://developer.gnome.org/gtk-tutorial/stable/c39.html#SEC-HELLOWORLD Hello World example].<br />
<br />
=== Write a simple message dialog app ===<br />
You can write your own GTK+ 3 message dialog easily in many programming languages through GObject-Introspection or bindings, or you can simply use bash.<br />
<br />
The following examples display a simple "Hello world" in a message dialog.<br />
<br />
====Bash====<br />
*Dependency: {{Pkg|zenity}}<br />
{{hc|hello_world.sh|<nowiki>#!/bin/bash<br />
zenity --info --title='Hello world!' --text='This is an example dialog.'</nowiki>}}<br />
<br />
====Boo====<br />
*Dependency: {{AUR|gtk-sharp-git}} from AUR ({{Pkg|boo}})<br />
*Makedependency: {{Pkg|boo}}<br />
*Build with: {{ic|booc hello_world.boo}}<br />
*Run with: {{ic|mono hello_world.exe}} (or {{ic|booi hello_world.boo}})<br />
<br />
{{hc|hello_world.boo|<nowiki>import Gtk from "gtk-sharp"<br />
Application.Init()<br />
Hello = MessageDialog(null, DialogFlags.Modal, MessageType.Info, ButtonsType.Close, "Hello world!")<br />
Hello.SecondaryText = "This is an example dialog."<br />
Hello.Run()</nowiki>}}<br />
<br />
====C====<br />
*Dependency: {{Pkg|gtk3}}<br />
*Build with: {{Ic|gcc -o hello_world hello_world.c `pkg-config --cflags --libs gtk+-3.0`}}<br />
{{hc|hello_world.c|<nowiki>#include <gtk/gtk.h><br />
int main (int argc, char *argv[]) {<br />
gtk_init (&argc, &argv);<br />
GtkWidget *hello = gtk_message_dialog_new (NULL, GTK_DIALOG_MODAL, GTK_MESSAGE_INFO, GTK_BUTTONS_OK, "Hello world!");<br />
gtk_message_dialog_format_secondary_text (GTK_MESSAGE_DIALOG (hello), "This is an example dialog.");<br />
gtk_dialog_run (GTK_DIALOG (hello));<br />
gtk_widget_destroy (hello); /* release the dialog once it has been closed */<br />
return 0;<br />
}</nowiki>}}<br />
<br />
====C++====<br />
*Dependency: {{Pkg|gtkmm3}}<br />
*Build with: {{Ic|g++ -o hello_world `pkg-config --cflags --libs gtkmm-3.0` hello_world.cc}}<br />
{{hc|hello_world.cc|<nowiki>#include <gtkmm/main.h><br />
#include <gtkmm/messagedialog.h><br />
int main(int argc, char *argv[]) {<br />
Gtk::Main kit(argc, argv);<br />
Gtk::MessageDialog Hello("Hello world!", false, Gtk::MESSAGE_INFO, Gtk::BUTTONS_OK);<br />
Hello.set_secondary_text("This is an example dialog.");<br />
Hello.run();<br />
}</nowiki>}}<br />
<br />
====C#====<br />
*Dependency: {{AUR|gtk-sharp-git}} from AUR<br />
*Build with: {{ic|mcs -pkg:gtk-sharp-3.0 hello_world.cs}}<br />
*Run with: {{ic|mono hello_world.exe}}<br />
{{hc|hello_world.cs|<nowiki>using Gtk;<br />
public class HelloWorld {<br />
static void Main() {<br />
Application.Init ();<br />
MessageDialog Hello = new MessageDialog (null, DialogFlags.Modal, MessageType.Info, ButtonsType.Close, "Hello world!");<br />
Hello.SecondaryText="This is an example dialog.";<br />
Hello.Run ();<br />
}<br />
}</nowiki>}}<br />
<br />
====Genie====<br />
*Dependency: {{Pkg|gtk3}}<br />
*Makedependency: {{Pkg|vala}}<br />
*Build with: {{Ic|valac --pkg gtk+-3.0 hello_world.gs}}<br />
{{hc|hello_world.gs|<nowiki>uses <br />
Gtk<br />
init<br />
Gtk.init (ref args)<br />
var Hello=new MessageDialog (null, Gtk.DialogFlags.MODAL, Gtk.MessageType.INFO, Gtk.ButtonsType.OK, "Hello world!")<br />
Hello.format_secondary_text ("This is an example dialog.")<br />
Hello.run ()</nowiki>}}<br />
<br />
====Java====<br />
*Dependency: {{AUR|java-gnome}} from AUR<br />
*Makedependency: java-environment<br />
*Build with: {{ic|mkdir HelloWorld && javac -classpath /usr/share/java/gtk.jar -d HelloWorld HelloWorld.java}}<br />
*Run with: {{ic|java -classpath /usr/share/java/gtk.jar:HelloWorld HelloWorld}}<br />
<br />
{{hc|HelloWorld.java|<nowiki>import org.gnome.gtk.Gtk;<br />
import org.gnome.gtk.Dialog;<br />
import org.gnome.gtk.InfoMessageDialog;<br />
<br />
public class HelloWorld<br />
{<br />
public static void main(String[] args) {<br />
Gtk.init(args);<br />
Dialog Hello = new InfoMessageDialog(null, "Hello world!", "This is an example dialog.");<br />
Hello.run();<br />
}<br />
}</nowiki>}}<br />
<br />
====JavaScript====<br />
*Dependencies: {{Pkg|gtk3}}, {{Pkg|gjs}} (works also with {{Pkg|seed}})<br />
{{hc|hello_world.js|<nowiki>#!/usr/bin/gjs<br />
Gtk = imports.gi.Gtk<br />
Gtk.init(null, null)<br />
Hello = new Gtk.MessageDialog({type: Gtk.MessageType.INFO,<br />
buttons: Gtk.ButtonsType.OK,<br />
text: "Hello world!",<br />
"secondary-text": "This is an example dialog."})<br />
Hello.run()</nowiki>}}<br />
<br />
====Perl====<br />
*Dependency: {{AUR|perl-gtk3}} from AUR<br />
{{hc|hello_world.pl|<nowiki>#!/usr/bin/perl<br />
use Gtk3 -init;<br />
my $hello = Gtk3::MessageDialog->new (undef, 'modal', 'info', 'ok', "Hello world!");<br />
$hello->set ('secondary-text' => 'This is an example dialog.');<br />
$hello->run;</nowiki>}}<br />
<br />
====Python====<br />
*Dependencies: {{Pkg|gtk3}}, {{Pkg|python-gobject}}<br />
{{hc|hello_world.py|<nowiki>#!/usr/bin/python<br />
from gi.repository import Gtk<br />
Gtk.init(None)<br />
Hello=Gtk.MessageDialog(None, Gtk.DialogFlags.MODAL, Gtk.MessageType.INFO, Gtk.ButtonsType.CLOSE, "Hello world!")<br />
Hello.format_secondary_text("This is an example dialog.")<br />
Hello.run()</nowiki>}}<br />
<br />
====Vala====<br />
*Dependency: {{Pkg|gtk3}}<br />
*Makedependency: {{Pkg|vala}}<br />
*Build with: {{Ic|valac --pkg gtk+-3.0 hello_world.vala}}<br />
{{hc|hello_world.vala|<nowiki>using Gtk;<br />
public class HelloWorld {<br />
static void main (string[] args) {<br />
Gtk.init (ref args);<br />
var Hello=new MessageDialog (null, Gtk.DialogFlags.MODAL, Gtk.MessageType.INFO, Gtk.ButtonsType.OK, "Hello world!");<br />
Hello.format_secondary_text ("This is an example dialog.");<br />
Hello.run ();<br />
}<br />
}</nowiki>}}<br />
<br />
====Visual Basic .NET====<br />
*Dependency: {{AUR|gtk-sharp-git}} from AUR<br />
*Makedependency: {{Pkg|mono-basic}}<br />
*Build with: {{ic|vbnc -r:/usr/lib/mono/gtk-sharp-3.0/gio-sharp.dll -r:/usr/lib/mono/gtk-sharp-3.0/glib-sharp.dll -r:/usr/lib/mono/gtk-sharp-3.0/gtk-sharp.dll hello_world.vb}}<br />
*Run with: {{ic|mono hello_world.exe}}<br />
<br />
{{hc|hello_world.vb|<nowiki>Imports Gtk<br />
Public Class Hello<br />
Inherits MessageDialog<br />
Public Sub New<br />
MyBase.New(Me, DialogFlags.Modal, MessageType.Info, ButtonsType.Close, "Hello world!")<br />
Me.SecondaryText = "This is an example dialog."<br />
End Sub<br />
Public Shared Sub Main<br />
Application.Init<br />
Dim Dialog As New Hello<br />
Dialog.Run<br />
End Sub<br />
End Class</nowiki>}}<br />
<br />
== Resources ==<br />
* [http://www.gtk.org/ The official GTK+ website]<br />
* [[wikipedia:GTK+|Wikipedia article about GTK+]]<br />
* [http://developer.gnome.org/gtk-tutorial/stable/ GTK+ 2.0 Tutorial]<br />
* [http://developer.gnome.org/gtk3/stable/ GTK+ 3 Reference Manual]<br />
* [http://developer.gnome.org/gtkmm-tutorial/stable/ gtkmm Tutorial]<br />
* [http://developer.gnome.org/gtkmm/stable/ gtkmm Reference Manual]</div>Jrussell