Friday, December 28, 2007

Accessing Services behind packet filtered firewall

This article details the workaround I use to clear several technological hurdles in building a firewall / Snort setup for my home network. The goal was to use a firewall based on Linux or BSD that was "appliance" in nature and did not require a lot of brain power. I would rather use that power to solve other problems.

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation.

Problem #1: Using DSL with PPPoE, I needed a way to deploy Snort on the "naked" internet side to see traffic before it hit the firewall ruleset, without having to dissect PPPoE traffic.
Problem #2: I need a firewall with a minimum of 3 interfaces: WAN, LAN and DMZ.
Problem #3: I would like to be able to host a web server in the DMZ and access it from the LAN using its public URL. (See Packet Filter Problem below.) This problem will likely show up with a variety of firewalls on varying platforms.

The solution does involve a kludge, but it works and satisfies the above requirements. To solve Problem #1, I deploy a Linksys router that handles the PPPoE negotiation. Set the Linksys to be a gateway with no DHCP, and assign a host (your firewall) as the DMZ host (Linksys terminology). In essence this makes the Linksys a bridge from PPPoE to Ethernet.

The host that you put in the Linksys DMZ configuration should be the WAN interface of the firewall; in this case I chose to run m0n0wall (Problem 2 solved). Configure m0n0wall's WAN interface as Static, for example 192.168.0.2. The LAN interface on the Linksys should be set to 192.168.0.1, so you now have a private network between the Linksys and the external WAN interface of the firewall.

With this "private LAN" between the Linksys and your firewall, your firewall now sees all traffic from the "internet". If you put a HUB in between the Linksys and the Firewall you can deploy another port for SNORT and it will see all traffic outside the firewall. This configuration is good for building a honeypot architecture. NOTE: You could bypass using the hub and deploy an ethernet tap for SNORT and achieve the same functionality.

A little more about why I did this. For the firewall rules to process the request (and hence for you to be able to surf your own website by URL), the packets must originate from outside the firewall. Putting the Linksys router upstream forces these packets out to the Linksys; they then come back in through the WAN interface and look as if the request actually came from outside the network.



Continue with the rest of the configuration:

Now connect the LAN (192.168.1.0/24) interface to a small HUB, and then cascade that HUB to a switch, which is where all of your servers are connected. This will allow you to again plug snort into the LAN on the HUB and see all of the traffic that is inside the firewall, which is good for verifying that rulesets are behaving as expected. (Again you could use an ethernet tap instead of the hub).

Solving problem 3: Configure the DMZ on the m0n0wall (192.168.2.0/24) and setup your web server. If you do not have a static IP, I recommend using DNSexit's service to register your IP with DNS so the rest of the world can see your website, send you email or whatever.

Configure m0n0wall with the NAT rules to allow port 80 traffic into your DMZ web server and you should be in business. If you also put a hub on the DMZ, you can then use Snort to watch raw traffic at each point on your network and possibly even trap some packet captures of what the script kiddies and robots launch at your website.

If there is sufficient interest I would be happy to post a simple drawing of this setup and maybe some screen shots of the m0n0wall and Linksys configs. I would appreciate your feedback on whether or not this was helpful or just a waste of typing.



email: paul dot pescitelli at gmail dot com


Packet Filter Problem:
Taken from the m0n0wall FAQ - http://doc.m0n0.ch/handbook-single/#id2610631

It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

Reason: This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.

A Solution for m0n0wall: If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address. Note: This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.
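To make the FAQ's limitation and the two ways around it concrete, here is a small Python model of the forward path of a port-80 request through the topology above. It is an added example, not code from the post or from m0n0wall; every address, the site name and the interface names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed addresses for the topology in the post (assumptions, not the
# author's real ones). The Linksys holds the public PPPoE address.
PUBLIC_IP = "203.0.113.10"
FW_WAN = "192.168.0.2"        # m0n0wall WAN, also the Linksys "DMZ" host
DMZ_NET = "192.168.2."
WEB_SERVER = "192.168.2.10"   # web server in the m0n0wall DMZ
SITE = "www.example.com"

# m0n0wall DNS forwarder override: LAN clients get the DMZ address,
# everyone else still gets the public one.
DNS_OVERRIDES = {SITE: WEB_SERVER}

def resolve(name: str, from_lan: bool, override_enabled: bool = True) -> str:
    if from_lan and override_enabled and name in DNS_OVERRIDES:
        return DNS_OVERRIDES[name]
    return PUBLIC_IP

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    iface: str   # firewall interface the packet arrives on: "lan" or "wan"

def firewall(pkt: Packet, linksys_upstream: bool) -> str:
    """Return the host a request finally reaches (forward path only).
    The port-forward rule is bound to the WAN interface, which is what the
    FAQ means by packets having to originate from outside the firewall."""
    if pkt.iface == "wan" and pkt.dst == FW_WAN and pkt.dport == 80:
        return WEB_SERVER                  # NAT rule matched, sent to DMZ
    if pkt.dst.startswith(DMZ_NET):
        return pkt.dst                     # ordinary LAN -> DMZ routing
    if pkt.dst == PUBLIC_IP and linksys_upstream:
        # Not a firewall address, so it is routed out the WAN to the Linksys,
        # whose DMZ-host setting hands it back to FW_WAN on the WAN interface.
        return firewall(Packet(FW_WAN, FW_WAN, pkt.dport, "wan"), False)
    return "unreachable"                   # the hairpin problem from the FAQ

def lan_client_fetch(use_dns_override: bool, linksys_upstream: bool) -> str:
    client = "192.168.1.50"                # constructed LAN host
    target = resolve(SITE, from_lan=True, override_enabled=use_dns_override)
    return firewall(Packet(client, target, 80, "lan"), linksys_upstream)
```

Calling lan_client_fetch(False, False) reproduces the FAQ's failure, while either the upstream Linksys bounce or the DNS override gets the LAN client to the DMZ server.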

Using mini_httpd with PHP on OpenBSD

This article details the steps I used to get mini_httpd working on OpenBSD 3.8 with PHP. Getting mini_httpd running is trivial, compile and go. Getting mini_httpd working with PHP on the surface is not really difficult, however the challenge is in getting the POST variables to pass between mini_httpd and PHP.

Initially, I spent a couple of days trying to get mini_httpd to work with PHP on OpenBSD 3.8 using the PHP build from the ports tree, and it just was not working. The fix required two things.

First, patch mini_httpd 1.19 as described by Ben Hochstrasser (see his article).

Second, build PHP 4.3.x with the following command:
./configure --prefix=/usr --sysconfdir=/etc --with-config-file-path=/etc \
--disable-force-cgi-redirect --without-mysql \
--with-zlib --disable-cli --enable-discard-path --enable-debug --enable-ftp --without-pear

This solved the problem of passing the POST variables from mini_httpd to PHP. The catch to this method is that you must put #!/usr/bin/php at the beginning of each .php file. To start mini_httpd, change to the directory containing the PHP files and then use the following syntax:

/usr/local/sbin/mini_httpd -p 80 -c "**.php" -l /var/log/httpd.log

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation. Many thanks to Ben Hochstrasser for his assistance in debugging the setup.

email: paul dot pescitelli at gmail dot com

Friday, December 21, 2007

Dangerous Things you SHOULD let your kids do...

The world has become increasingly safe, some from government that wants to protect you, others from stupid labels on coffee cups that say "WARNING: Contents are HOT".. duhh...

Another pet peeve of mine, why are chemistry kits becoming obsolete? Well they have chemicals that can be dangerous, well yeah that was part of the attraction. If the concern is about terrorism and extremists that will build bombs and hurt people, trust me, if they want to hurt people, they will find a way, stopping the supply of chemistry sets won't curtail the efforts...

If you can buy stuff at the grocery or farm supply store to make a bomb, why can't we have simple chemistry sets ? truly absurd...

This video is just an example of some of things that we should encourage all of our children to experience.

Also a short plug for the book "The Dangerous Book for Boys"
also check out the You Tube Video

Tuesday, December 18, 2007

Appliance Connector Reference

Here is a decent reference for various types of appliance power plugs and their mates.

Copied here for easy reference. Source URL

Type          Connector (1)  Appliance inlet (2)  Class of equipment (3)  Max. temperature of appliance inlet (2)  Rated current of appliance coupler (4), RMS amps
------------  -------------  -------------------  ----------------------  ---------------------------------------  ------------------------------------------------
iec320-c1     C1             C2                   II                      70°C                                     0.2
iec320-c5     C5             C6                   I                       70°C                                     2.5
iec320-c7     C7             C8                   II                      70°C                                     2.5
iec320-c9     C9             C10                  II                      70°C                                     6.0
iec320-c13    C13            C14                  I                       70°C                                     10.0
iec320-c15    C15            C16                  I                       120°C                                    10.0
iec320-c15a   C15A           C16A                 I                       155°C                                    10.0
iec320-c17    C17            C18                  II                      70°C                                     10.0
iec320-c19    C19            C20                  I                       70°C                                     16.0
iec320-c21    C21            C22                  I                       155°C                                    16.0
iec320-c23    C23            C24                  II                      70°C                                     16.0

The information in the table below is based on IEC 60320

Type          Connector (1)  Appliance inlet (2)  Class of equipment (3)  Max. temperature of appliance inlet (2)  Rated current of appliance coupler (4), RMS amps
------------  -------------  -------------------  ----------------------  ---------------------------------------  ------------------------------------------------
iec320-c3     C3             C4                   II                      70°C                                     2.5
iec320-c11    C11            C12                  II                      70°C                                     10.0

(1) Connector Part of the appliance coupler integral with, or intended to be attached to, the cord connected to the supply. Only one cord is connected to the Connector.
(2) Appliance Inlet Part of the Appliance Coupler integrated or incorporated in the appliance or equipment or intended to be fixed to it. An Appliance Inlet integrated in an appliance or equipment is an Appliance Inlet (the shroud and base of) which is formed by the housing of the appliance or equipment. An Appliance Inlet incorporated in an appliance or an equipment is a separate Appliance Inlet built in or fixed to an appliance or equipment.
(3) Class of Equipment Class I equipment has an earth connector. Class II equipment has only active & neutral pins with no earth.
(4) Appliance Coupler A means of enabling the connection and disconnection at will, of a cord to an appliance or other equipment. It consists of two parts: a Connector and an Appliance inlet.

Sunday, December 16, 2007

Atlanta Slam

We had some pretty good seats for the event. Here are Andy Roddick and Robby Ginepri palling around at the end of the event...

Friday, December 14, 2007

Comic Book Photo


While surfing the web I found a tutorial to turn a photo into a comic book rendering. This is more than just a filter, it is about a 10 step process. Here is the first attempt from a Halloween picture of my boy.

Saturday, December 8, 2007

Camera Gear Bag for Cheap

While browsing the net I stumbled across the Strobist Site, it brought me back to earlier days when I learned to use an off camera flash Sunpak 120J while learning from the wonderful Terry Wawro.

I thought, well heck I have most of this stuff, I just need to unpack it. We recently moved and I still needed a good reason to unpack. So I started gathering the light stands, tripods, monopods and the like.

So while running errands today, I stopped by Sports Authority and in the baseball section they had a sale on the following Nike "Keystone" bat bag and it was on clearance for $14.97.

I picked one up thinking it looked about the right length for my needs and took it home. As you can see below, it is the right size to fit most of my gear.

Now that everything fits lengthwise, I will go back tomorrow and pick up another one. Then I can have one bag for the monopod and tripod, and another bag for 2-4 light stands. The light stand in the picture above is a Manfrotto 3372.

Also on the back side of the bag is a pocket that runs the length of the bag that is a completely separate compartment, so you could fit 1 more light stand in there and carry as many as 5 or 6 in one bag.

Sunday, December 2, 2007

Single Flash Model Shoot

Good short tutorial at photonovice.net 3 Clips from Bert Stefani

Monday, November 26, 2007

Linux TCP Congestion Variants

High level overview of the TCP congestion control mechanisms

LINK

Saturday, November 17, 2007

ADI Pronghorn Info

ADI Link here

Thursday, November 15, 2007

EIA-561

Use this pinout with any ethernet cable for RS-232 on RJ45 connectors, courtesy of this blog

pair  4-pair        RJ-45  color   DB9  DB25  signal  circuit  DTE  DCE
-----------------------------------------------------------------------
1     blue/white    4      red     5    7     SG      AB       -    -
1     white/blue    5      green   2    3     RD      BB       in   out
2     white/orange  3      black   4    20    DTR     CD       out  in
2     orange/white  6      yellow  3    2     TD      BA       out  in
3     white/green   1      blue    9    22    RI      CE       in   out
3     green/white   2      orange  1    8     DCD     CF       in   out
4     white/brown   7      brown   8    5     CTS     CB       in   out
4     brown/white   8      white   7    4     RTS     CA       out  in
-     -             -      -       6    6     DSR     CC       in   out

column legend:
pair = twisted pair number in standard 4-pair cable
4-pair = base/stripe colors in standard 4-pair cable
RJ-45 = pin number
color = wire color on standard RJ-45 connector
DB9 = pin number
DB25 = pin number
signal = EIA signal name (abbreviated form)
circuit = EIA circuit designation
DTE = electrical input or output for Data Terminal Equipment (PC)
DCE = electrical input or output for Data Communications Equipment (modem)

Tuesday, November 13, 2007

PXEBoot from LiveCD

Here is a handy utility from the folks at metrix.net that will allow you to boot several different apps onto an embedded device such as Soekris boards...

PXEBootLiveCD

Calculate POE voltage loss

http://www.demarctech.com/techsupport/poecalculate.htm

Saturday, November 10, 2007

ADM 9F8 GR Pinout

ADM 9F8 GR: RJ45 to DB9 female, Fry's part number 2402340

1 - blu
2 - org
3 - blk
4 - red
5 - grn
6 - yel
7 - brn
8 - wht

Tuesday, November 6, 2007

Linux Filesystems

A decent article to whet your appetite for Linux filesystems

here

OpenBSD 4.2

Since I have done some porting for the wireless project this was of particular interest

"Enable interrupt holdoff on sis(4) chips that support it. Significant performance gain for slower CPU devices with sis(4), such as Soekris." Would you like to tell us more about this?

Chris Kuethe: Quite a number of network adapters have a configurable mechanism to prevent the machine from being run into the ground under network load. This is known as holdoff, mitigation or coalescing. The general idea is that the network adapter does not immediately raise an interrupt as soon as a frame has arrived; rather the interrupt is delayed a short time—usually one frame or a few hundred microseconds—in case another frame might arrive very soon thereafter.

Picking a good delay value, or set of conditions under which to signal the arrival of a frame is not easy. Too much holdoff and network performance is severely degraded, too little and no benefit will be noticed. When ping times go up and TCP stream speeds go down, you're delaying too much.

In the case of the Soekris (or anything else that uses sis(4)), interrupt holdoff was not enabled. By enabling holdoff, we allow the network controller to delay and buffer a few frames. This spreads the cost of the interrupt across several packets.

full story
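The trade-off described in the interview (fewer interrupts versus added per-frame delay) can be seen with a toy simulation. This is an added example, not code from OpenBSD or the interview; the frame arrival times and the per-interrupt and per-frame CPU costs are constructed assumptions.

```python
# Toy model of NIC interrupt holdoff. Costs below are assumed, not measured.
INT_COST_US = 20.0     # assumed fixed CPU cost of servicing one interrupt
FRAME_COST_US = 2.0    # assumed per-frame processing cost

def coalesce(arrivals_us, holdoff_us):
    """Batch frames: the interrupt for a batch fires holdoff_us after the
    batch's first frame and takes every frame that has arrived by then.
    Returns (interrupts, total_cpu_us, worst_added_delay_us)."""
    interrupts, worst, i = 0, 0.0, 0
    while i < len(arrivals_us):
        fire_at = arrivals_us[i] + holdoff_us
        j = i
        while j < len(arrivals_us) and arrivals_us[j] <= fire_at:
            j += 1                      # frame j is swept into this batch
        interrupts += 1
        worst = max(worst, fire_at - arrivals_us[i])  # first frame waits longest
        i = j
    cpu = interrupts * INT_COST_US + len(arrivals_us) * FRAME_COST_US
    return interrupts, cpu, worst

# Constructed traffic: a burst of 50 frames 12 us apart (roughly back-to-back
# at 100 Mbit/s) followed by a lone frame, e.g. a ping, much later.
BURST = [k * 12.0 for k in range(50)] + [5000.0]

def compare(holdoffs=(0.0, 50.0, 300.0)):
    """No holdoff, a moderate holdoff, and a too-long holdoff on the same burst."""
    return {h: coalesce(BURST, h) for h in holdoffs}
```

With no holdoff every frame costs an interrupt; a moderate holdoff cuts the interrupt count by an order of magnitude, and a long one saves little more CPU while adding the full holdoff to the delay of the first frame in each batch, which is the "ping times go up" symptom.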

Amazon GPS

Mapping Africa

Monday, November 5, 2007

More mobile wireless adhoc

http://moment.cs.ucsb.edu/aodv-ietf/

Wireless Mobile Mesh

Software for creating adhoc mobile networks.

http://www.mitre.org/work/tech_transfer/mobilemesh/

SIP Proxy/Registrar

Siproxd is a proxy/masquerading daemon for the SIP protocol. It handles registrations of SIP clients on a private IP network and performs rewriting of the SIP message bodies to make SIP connections work via a masquerading firewall (NAT).

It allows SIP software clients (like kphone, linphone) or SIP hardware clients (Voice over IP phones which are SIP-compatible, such as those from Cisco, Grandstream or Snom) to work behind an IP masquerading firewall or NAT router.

SIP (Session Initiation Protocol, RFC3261) is the protocol of choice for most VoIP (Voice over IP) phones to initiate communication. By itself, SIP does not work via masquerading firewalls as the transferred data contains IP addresses and port numbers. There do exist other solutions to traverse NAT (like STUN, or SIP-aware NAT routers), but such solutions have their disadvantages or may not apply to a given situation. Siproxd does not aim to be a replacement for these solutions; however, in some situations siproxd may bring advantages.


http://siproxd.sourceforge.net/

Monday, September 10, 2007

Interesting Wireless protocol

While watching some discussion about LinLink, this subject came up.

See if it makes sense to incorporate into OpenHSMM

FEC/ARQ