Configuring the network connection in GNU/Linux and basic Security- netfilter/iptables

 

NOTE: The tutorial is for the beginner/medium level.

Configuring the network connection in GNU/Linux and basic Security- netfilter/iptables

by Elena Sefo– our teammate

I will not start to describe how the operating system was developed, nor to explain the philosophy of opensource or approach the subject of licenses. I guess that you already know all of those who made the movement from Microsoft to GNU-Linux. The abstractions applies to all distribution. For convenience GNU/Linux will be shorted to Linux.
This is how I said a tutorial for beginners I thought to share in small chapters, so let’s start:

 

Chapter 1: TCP/IP

 

You may ask why to know all these details… now the Linux distros comes with an user friendly installer or considering you are protected in Linux.

It’s time for network protocols because is good to know some notions for setting up the firewall also to better understand what is happening beyond a click.

Communication between computers is similar to human, needs rules- protocols. Must have a “sender” and a “receiver” better said source and destination.

The Internet is based on a set of protocols TCP/IP also known as tcp/ip stack divided in four levels ot layers:
APPLICATION LEVEL
TRANSPORT LEVEL
NETWORK NETWORK
DATA AND PHYSICS LEVEL
OSI model is divided in seven levels or layers but will not be described because no room here for CCNA (Cisco Certified Network Associate).

IP

 

The best example for IP is a letter; we have an envelope with sender and receiver and the addresses. That’s how it works ip packets (and some other information besides). There is a header inside a package (generally TCP) with source and destination addresses, checksum and other information. To find out more very useful are RFCs, ex RFC 791.

IP Addresses

In the Internet, each computer is assigned a unique IP address. It consists of four numbers from 0 to 255 separated by points. Ex 209.127.112.153. It consists of 4 bytes (32 bits in total).

An IP address consists of 2 parts:

1) Network Address (network address or thread address)
2) Host Address
So the bits of an IP address are network bits and host bits.

So the bits of an IP address are network bits and host bits.
All hosts in the same network must have the same Network Address. A very important concept for ip to exist is the Network Mask. Its purpose is to determine which IP bits are network bits and hosts. There is no IP address without mask, always configured only together.

EX:
255.0.0.0 or 255.0.0.8

Transforming this mask into base 2 we notice that the first 8 bits are 1. It follows that the first 8 bits in the IP address are network bits and the last 24 bits are hosts bits

Classification of ip addresses
Depending on the first bits in the first byte there are 5 classes of IP’s (defined by IANA in RFC 1700)

 

PORTS

Now that we know a little about Ip, we stop at another very important concept – ports. In computer networking, a port is an endpoint of communication. When information passes from one computer to another, it is transmitted from a server application to a client application. Every server program/service has a predetermined port that “listens”, waiting for client requests, client program. The client is built to send requests to the predefined port of the server. IANA (Internet Asigned Numbers Authority) has reserved certain ports to which certain services and their customers are engaged. Some examples:

PORT          SERVICE

21                    FTP

22                    SSH

25                    Mail (SMTP)

80                    HTTP(WWW)

A complete list can be found in the /etc/services directory

[root@sandybell]─[/home/zuzu] └──╼ #more /etc/services

tcpmux

1/tcp

# TCP port service multiplexer

echo

7/tcp

echo

7/udp

discard

9/tcp

sink null

discard

9/udp

sink null

systat

11/tcp

users

daytime

13/tcp

daytime

13/udp

netstat

15/tcp

qotd

17/tcp

quote

msp

18/tcp

# message send protocol

msp

18/udp

chargen

19/tcp

ttytst source

chargen

19/udp

ttytst source

ftp-data

20/tcp

ftp

21/tcp

fsp

21/udp

fspd

ssh

22/tcp

# SSH Remote Login Protocol

ssh

22/udp

telnet

23/tcp

–More–(

Ports 0 up to 1023 are reserved. Only root (UID 0) can connect to these ports, known as privileged ports. For top ports 1024 up to 65.535, anyone including root can connect. More information can be found at RFC 791.
Note: RFC (Request for comments), IANA, IETF are a must-read in our branch.

 

TCP (TRANSMITION CONTROL PROTOCOL)

TCP accounts for more than 90% of the LAN traffic average. Establish a client/server connection through a three-way connection method:
1. The client (eg FTP client) sends a TCP/IP packet to the server on port 21. In the header of this packet requesting to connect to the FTP server, (1) the SYN bit and the other bits are activated on 0 (ACK, RST, UR). The package also contains a random number with the sequence initiation.
This type of connection is called a three way handshake.

 

When the server listens to requests, it sees the packet with the SYN bit enabled, activates the ACK bit (now both SYN and ACK have a value of 1), increments the sequence number, and sends the packet as a response.
When the client receives the SYN-ACK package, it increments the sequence number and deletes SYN (puts the bit on 0), leaving only the ACK with value 1.

After the server receives the ACK package, it quits the queue and the connection is established. There are many explanations about this type of connection, I do not know if mine is the clearest. The image above (taken from Google) is quite explicit. Those who are interested can search for CCNA courses with authorized instructors, or even find Cisco curriculum on the net. However, keep this in mind, it is of utmost importance to understand how connection establishment works.
Why did I write about this if the tutorial eventually wanted to be a beginner firewall? For that, we need to understand how a firewall distinguishes between new and established connections.

UDP ( USER DATAGRAM PROTOCOL)

UDP is an unrelated protocol to connections. It is used when data integrity is not important. While TCP uses a set of strict rules to ensure the intact data transmission, assembly in the correct order and error-free, UDP does exactly the opposite.
UDP/IP (currently writing only UDP), is used for small and insignificant packages. Packages may or not reach their destination. It is used for DNS queries, where all information fits into a single package. If the packet does not reach, DNS asks again until it reaches the destination.

ICMP (INTERNET CONTROL MESSAGE PROTOCOL)

Ping Package”. It does not use ports but communicates with an Ethernet card and uses “types” for identification.
ICMP type 0 is an echo request packet used to test the network connection between two points. Completing with type 8 that echo’s response.
Many paranoid security people is blocking ICMP (and I also did), but it’s not really a very good idea. For example, Linux uses ICMP to discover MTU (Maximum Transmission Units). It does sending large packets (1500bits) marked with DNF bit (Do not fragment). If on the road or a router should defragment a package, could not, and would send it back. Then Linux would send another smaller package and continue until the packet passes. Also, it is not a good idea to block type 3 packages that indicate that a host is unreachable (I did and I’ll show you how if you still want it) because communication would become very slow.
There is still a lot to be written about the ICMP, but next time …

 

2. CONFIGURAREA REȚELEI SUB DEBIAN ( și derivate) -COMENZI DE BAZĂ

 

Theoretically nowadays everything is working after installing the operating system at least for home users, but it’s not a bad thing to know some basic commands to configure/troubleshooting the network.
The main commands are:
ifconfig, (used to configure, initiate, turn off the network interface device, and also to find the ip and other network data using the console. Eg:

└──╼ #ifconfig
eth0 Link encap:Ethernet HWaddr 54:be:f7:86:23:56
UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) Interrupt:19

I use wifi, in my case is ifconfig -a (indicates all network interfaces) and iwconfig.
For both ifconfig and any Linux command, there is a man (ex: man ifconfig) in terminal, a reliable utility, because we do not all know all commands or command options on top.

Example ifconfig to manually configure an interface (ip + netmask, now you understand why I made the little introduction about ip)

ifconfig eth0 192.168.0.2 netmask 255.255.255.0 broadcast 192.168.0.255

This line only configures the network interface but don’t give us access to the internet. We must have a connection, the gateway to the internet, a router, for short. Here the route command helps us.

route is a utility that allows us to specify a default gateway (a predetermined gateway) for Internet. Using the above data (ip), we can configure it as following:

route add default gw 192.168.0.1

To work, write carefully commands in the correct order. To check if everything is correct we can take a look at the routing table, or even a ping to an Internet address.

O putem face folosind comanda route -n

route -n

Kernel IP routing table

Destination

Gateway

Genmask

Flags Metric Ref Use Iface

0.0.0.0

192.168.0.1

0.0.0.0

UG

1024

0

0 wlan1

192.168.0.0

0.0.0.0

255.255.255.0

U

0

0

0 wlan1

As you can see the router has the ip (on the internal interface) 192.168.0.1 and theoretically anyone should have access to the Internet if properly configured the network card and the router.

ping command
Verify that the device is “up” by sending an eco ICMP request to the device.

man ping  🙂 you have all the options and explanations you need to get the most out of this command.

traceroute command
The name is quite suggestive. Used to see which route the packages use to reach the destination, or where they stop if they have not arrived.
netstat command
We get information about how packets are routed, open connections, open ports, and ready to accept connections. Comes with options ,eg:
netstat -avn
These are the commands that any linux user should know. Also, we may also be useful to reinstall your network card:

 /etc/init.d/networking restart

 

3. FIREWALL IP, NETFILTER, IPTABLES

 

I’m not going to write here about ipmasquerade-disguise though it’s done with iptables and NAT, because I’m going to do it in the next tutorial (linux routers).
Good 🙂  let’s get started!
As far as I know, we have two types of firewall (I can not define a firewall, I do not think it is necessary nowadays).
Proxy firewall application
Network-based firewall based on package filtering (what we will use)
The proxy firewall is divided into:

Standard – a client connects to a special port and is redirected to go through another port.
Transparent – the client don’t use a special port but a software.

Although Linux finds now firewall softwares installed (requires only small configurations), they are using iptables in the background, so I personally prefer to interact with this utility. Yes, iptables is just a utility to apply some rules for packet filtering. Correctly should be netfilter/iptables.
Netfilter comes as a Linux kernel module and allows us to intercept/manipulate network packets.
When we use a network-based firewall by packet filtering, we can give/deny access to/within the host based on different variables such as: address, protocol, port number, content.
A well-configured firewall (advanced options) can help us overcome spoofing attacks, Dos attacks even to turn the network into invisible network for outside.
The Linux kernel defines three tables of rules:
1. filter– used for packet filtering→ with INPUT, OUTPUT, FORWARD chains
2. nat– for NAT system→ with the PREROUTING, OUTPUT, POSTROUTING chains
3. mangle– used for specialized check of packages → INPUT, OUTPUT, FORWARD PREROUTING, POSTROUTING

* When a packet enters the system passes through the network interface, then the kernel decides whether the package is intended for the local machine – INPUT chain, or another computer- FORWARD chain.
The process is similar to the output of a package, except that the OUTPUT chain is used.
Through the PREROUTING chain, they pass the packages before their route to the destination is also established by the POSTROUTING chain after they have been routed but before leaving the system.
Each chain contains some rules and actions are applied to it (ACCEPT, DROP, REJECT). If the rule specifies the ACCEPT action, the package is no longer verified, but is allowed to pass, if it has DROP, is not allowed to reach its destination, and if it has REJECT, it is not allowed to pass to the destination but an error package is sent to the sender.
So these are some minimal notions about how a Linux firewall works. Many believe iptables is linux firewall, but it’s wrong. Iptables is just a program wherewith we execute some commands to manipulate firewalls and rules, in my opinion the non-specialist would be a netfilter fromt-end.

Iptables syntax:

iptables command rule [ options ]

Commands :

-A, –append chain rule-specification

Append one or more rules to the end of the selected chain.

-I, –insert chain [rulenum] rule-specification

Insert one or more rules in the selected chain as the given rule number.

-D, –delete chain rule-specification
-D, –delete chain rulenum

Delete one or more rules from the selected chain.

-L, –list [chain]

List all rules in the selected chain.

-F, –flush [chain]

Flush the selected chain (all the chains in the table if none is given).

There are plenty of commands (see netfilter.org, man iptables) but if I write them all I will do a tutorial Chinese Wall like.

Rule specification:

-s, –source [!] address[/mask]

Source specification. Generally a network IP address IP but can be either a network name, a hostname.

-d, –destination [!] address[/mask]

Destination specification.

-p, –protocol [!] protocol

The protocol of the rule or of the packet to check. The specified protocol can be one of tcp, udp, icmp, or all.

-i, –in-interface [!] name

Name of an interface via which a packet was received.

-o, –out-interface [!] name

Name of an interface via which a packet is going to be sent.

-j, –jump target

This specifies the target of the rule.

Options for tcp,udp,icmp packets
–sport ,–dport (port ) -indicates the source port and the destination port of the package

–tcp-flags –sy n
–icmp-type

Specifies the type of icmp message

This is the basic theory… more or less. I’m not expert but when needed I google.
Here’s an example of a basic firewall for a home user.

#!/bin/bash iptables -F

iptables -A OUTPUT -o loopback -j ACCEPT iptables -A INPUT -i loopback -j ACCEPT

#iptables -A INPUT -p tcp –dport 80 –syn -m limit –limit 5/s -j ACCEPT #iptables -A INPUT -p tcp –dport 80 –syn -j DROP

iptables -A INPUT -p icmp –icmp-type 8 -j REJECT –reject-with icmp-net-unreachable iptables -A OUTPUT -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

iptables -P INPUT DROP iptables -P OUTPUT DROP

As you can see

  • the first line (iptables -F) indicates the deletion of the rules, we accept the loopback interface /(127.0.0.1/32) both on the INPUT chain and OUTPUT.
  • in the lines below I tried to use the above written theory .. but I commented on them because now I have no apache installed on the system, but you can investigate what that line does, I’ve already given you clues.

In Linux all chains are default=ACCEPT. This can be seen by commanding iptables -vnL. We will get a similar result:

[root@sandybell]─[~]

└──╼ #iptables -vnL

Chain INPUT (policy ACCEPT 387K packets, 496M bytes)

pkts bytes target

prot opt in

out

source

destination

670 122K ACCEPT

udp — *

* 0.0.0.0/0

0.0.0.0/0

multiport dports 5353

0 0 ACCEPT

tcp

— *

*

0.0.0.0/0

0.0.0.0/0

multiport dports 4000

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target

prot opt in

out

source

destination

Chain OUTPUT (policy ACCEPT 247K packets, 26M bytes)

pkts bytes target

prot opt in

out

source

destination

After writing the little script for firewall, I give permissions (chmod + x (or 777) firewall_name and run it. We’ll see how it works, yet the efficacy can be tested with nmap, wireshark, etc.

┌─[]─[root@sandybell]─[~]

└──╼ #chmod +x fw

┌─[root@sandybell]─[~]

└──╼ #./fw

#iptables -vnL

Chain INPUT (policy DROP 5 packets, 809 bytes)

pkts bytes target

prot opt in

out

source

destination

0

0 ACCEPT

all

loopback *

0.0.0.0/0

0.0.0.0/0

0

0 REJECT

icmp — *

*

0.0.0.0/0

0.0.0.0/0

icmptype 8 reject-with

icmp-net-unreachable

475

120K ACCEPT

all

*

*

0.0.0.0/0

0.0.0.0/0

state

RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)

pkts bytes target

prot opt in

out

source

destination

Chain OUTPUT (policy DROP 0 packets, 0 bytes)

pkts bytes target

prot opt in

out

source

destination

0

0 ACCEPT

all

*

loopback 0.0.0.0/0

0.0.0.0/0

523 72872 ACCEPT

all

*

*

0.0.0.0/0

0.0.0.0/0

state

NEW,RELATED,ESTABLISHED

Something important left behind willingly … you noticed that I used NEW, ESTABLISHED, RELATED. I didn’t talk about these packages before because I waited to show the script and then explain it. These rules allow out of the system (we have used the output chain) the packages that are new-required, established and related, and letting (on INPUT CHAIN) established and related connections.

It’s very easy to understand the concept of connection tracking and you can find it very comprehensive at netfilter.org.

Because I’m time-pressed for now I’ll leave a little more advanced script (we’ll use variables).

#! /bin/bash

IPT=/sbin/iptables

PRIVATE_IPCLASSES=”10.0.0.0/8 172.16.0.0/12 169.254.0.0/16 192.0.2.0/24 192.88.99.0/24 192.168.0.0/16 201.63.40.0/24 66.249.66.0/24″ PUBLIC_NIC=eth1

PUBLIC_IP=enter_the_interconnect_ip

PUBLIC_IP_CLASS=allocated_public_IPs_class /mask

PRIVATE_NIC=eth0

PRIVATE_IP=192.168.1.1

PRIVATE_CLASS=192.168.1.0/24

$IPT -t filter -P INPUT ACCEPT

$IPT -t filter -P OUTPUT ACCEPT

$IPT -t filter -P FORWARD ACCEPT

/bin/echo -n “Firewall start…

$IPT -t filter -F

$IPT -t nat -F

$IPT -t mangle -F

#INPUT CHAIN

#\

##########################################################################

#

#/

$IPT -t filter -A INPUT -p tcp ! –syn -m state –state NEW -j

DROP

$IPT -t filter -A INPUT -p all -m state –state INVALID -j DROP

#Private classes that have nothing to look for via the Internet. for clasa in $PRIVATE_IPCLASSES; do

$IPT -t filter -I INPUT -s $clasa -i $PUBLIC_NIC -j DROP $IPT -t filter -I FORWARD -s $clasa -i

$PUBLIC_NIC -j DROP

done

#Supported input connections; the order matters! #Admin SSH via PROVIDER ip

$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 22 -j LOG –log-prefix “ALL-SSH:”

$IPT -t filter -A INPUT -i $PUBLIC_NIC -s ipulme1 -d $PUBLIC_IP -m state –state NEW -p tcp –dport 22 -j ACCEPT

$IPT -t filter -A INPUT -i $PUBLIC_NIC -s ipulmeu2 -d $PUBLIC_IP -m state –state NEW -p tcp –dport 22 -j ACCEPT

$IPT -t filter -A INPUT -i $PUBLIC_NIC -s ipulmeu3 -d $PUBLIC_IP -m state –state NEW -p tcp –dport 22 -j ACCEPT

#different stuff access

#only smtp for all  via PROVIDER ip

$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 25 -j ACCEPT

$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP_CLASS -m state –state NEW -p tcp –dport 25 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 80 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 443 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 21 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p udp –dport 21 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 110 -j ACCEPT

#$IPT -t filter -A INPUT -i $PUBLIC_NIC -d $PUBLIC_IP -m state –state NEW -p tcp –dport 143 -j ACCEPT

#via lan

$IPT -t filter -A INPUT -i $PRIVATE_NIC -d $PRIVATE_IP -s $PRIVATE_CLASS -m state –state NEW -j ACCEPT

$IPT -t filter -A INPUT -i $PRIVATE_NIC -d $PUBLIC_IP -s $PRIVATE_CLASS -m state –state NEW -j ACCEPT

$IPT -t filter -A INPUT -i $PRIVATE_NIC -d $PUBLIC_IP_CLASS -s $PRIVATE_CLASS -m state –state NEW -j ACCEPT

#———————–>

$IPT -t filter -I INPUT -i lo -j ACCEPT

$IPT -t filter -I INPUT -p icmp -i $PUBLIC_NIC -s any/0 -d $PUBLIC_IP -m limit –limit 5/s -j ACCEPT

$IPT -t filter -I INPUT -p icmp -i $PUBLIC_NIC -s any/0 -d $PUBLIC_IP_CLASS -m limit –limit 5/s -j ACCEPT

$IPT -t filter -I INPUT -p icmp -i $PRIVATE_NIC -s $PRIVATE_CLASS -m limit –limit 5/s -j ACCEPT

$IPT -t filter -A INPUT -p tcp -i $PUBLIC_NIC -m state –state NEW

-j DROP

$IPT -t filter -A INPUT -p tcp -i $PUBLIC_NIC -m state –state

ESTABLISHED,RELATED -j ACCEPT

$IPT -t filter -A INPUT -p udp -i $PUBLIC_NIC -m state –state NEW

-j DROP

$IPT -t filter -A INPUT -p udp -i $PUBLIC_NIC -m state –state

ESTABLISHED,RELATED -j ACCEPT

$IPT -t filter -A INPUT -p tcp -i $PRIVATE_NIC -m state –state NEW

-j DROP

$IPT -t filter -A INPUT -p tcp -i $PRIVATE_NIC -m state –state

ESTABLISHED,RELATED -j ACCEPT

$IPT -t filter -A INPUT -p udp -i $PRIVATE_NIC -m state –state NEW

-j DROP

$IPT -t filter -A INPUT -p udp -i $PRIVATE_NIC -m state –state

ESTABLISHED,RELATED -j ACCEPT

$IPT -t filter -A INPUT -j DROP

#OUTPUT CHAIN

#\

#########################################################################

#

#/

$IPT -t filter -A OUTPUT -p tcp ! –syn -m state

–state NEW -j DROP

$IPT -t filter -A OUTPUT -p all -m state –state

INVALID -j DROP

$IPT -t filter -A OUTPUT -o $PRIVATE_NIC -d ! $PRIVATE_CLASS -j DROP

$IPT -t filter -A OUTPUT -s

$PUBLIC_IP -j ACCEPT

$IPT -t filter -A OUTPUT -s

$PUBLIC_IP_CLASS -j

ACCEPT

$IPT -t

filter -A

OUTPUT -p

all

-m state –state NEW -j ACCEPT

$IPT

-t

filter

-A

OUTPUT

-p

all

-m state –state ESTABLISHED,RELATED -j ACCEPT

$IPT

-t

filter

-A

OUTPUT

-j

DROP

#FORWARD CHAIN

#\

#########################################################################

#

#/

#Restrictionam SMTP si DNS, vor folosi doar relay local

$IPT -t filter -A FORWARD -i $PRIVATE_NIC -s $PRIVATE_CLASS -p tcp –dport 25 -j DROP

$IPT -t filter -A FORWARD -i $PRIVATE_NIC -s $PRIVATE_CLASS -p tcp –dport 53 -j DROP

$IPT -t filter -A FORWARD -p icmp -i $PRIVATE_NIC -s $PRIVATE_CLASS -m limit –limit 5/s -j ACCEPT

$IPT -t filter -A FORWARD -i $PRIVATE_NIC -s $PRIVATE_CLASS -j ACCEPT

$IPT -t filter -A FORWARD -p icmp -i $PUBLIC_NIC -d $PRIVATE_CLASS -m limit –limit 5/s -j ACCEPT

$IPT -t filter -A FORWARD -i $PUBLIC_NIC -d $PRIVATE_CLASS -j ACCEPT $IPT -t filter -A FORWARD -j DROP

#NAT + mangle

$IPT -t nat -I POSTROUTING -s $PRIVATE_CLASS -o $PUBLIC_NIC -j SNAT –to $PUBLIC_IP

$IPT -t mangle -I PREROUTING -i $PUBLIC_NIC -j TTL –ttl-set=64

#exemplu de DNAT

$IPT -t nat -I PREROUTING -i $PUBLIC_NIC -s unamltip -d $PUBLIC_IP -p tcp –dport 3389 -j DNAT –to 192.168.1.211:3389

echo “1”> /proc/sys/net/ipv4/ip_forward echo “DONE”

#sleep 120

#iptables -F

 I’m sorry, but the explanations will come next time (when I’m going to write about linux routers, as you can see above, we have more network cards defined as eth0 and eth1, we have internal and external ips for those boards, nat (network address translation), so we need to take it step by step.
Whoever has trouble contacting me … there are similar scripts on the Internet, there are many tutorials, much better than mine. Thank you if you liked, if not thank you for patience to read to the end.

Leave a Comment