Friday, December 28, 2007

Accessing Services behind packet filtered firewall

This article details the work around I use to accomplish several different technological hurdles in implementing a firewall / snort implementation for my home network. The goal is was to use a firewall based on Linux or BSD that was "appliance" in nature and I really did not have to devote alot of brain power to. I would rather use that power to solve other problems.

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation.

Problem #1: Using DSL with PPPoE, I needed a way that I could deploy Snort on the "naked" internet to see traffic before it hit the firewall ruleset, without trying to delve in dissecting PPPoE traffic.
Problem #2: Need a firewall with a minimum of 3 interfaces, WAN, LAN and DMZ.
Problem #3: I would like to be able to host a web server in the DMZ and access it using the URL. (See Packet Filter Problem below). This problem will likely be manifested with a variety of firewalls on varying platforms.

The solution does involve a kludge but does work and satisfy the above requirements. In order to solve Problem #1, I determined that I would deploy a Linksys router that would handle the PPPoE negotiation. Set the linksys to be a gateway, no dhcp and assign a host (your firewall) as the DMZ (linksys terminology). What this does in essense is make the Linksys a bridge from PPPoE to Ethernet.

The host that you put in the Linksys DMZ configuration should be the WAN interface on the firewall, in this case I choose to run m0n0wall (Problem 2 solved). Configure m0n0wall's WAN interface for Static, for example 192.168.0.2. The LAN interface on the Linksys should be set to 192.168.0.1, so you now have a private network between the Linksys and the external WAN interface on the firewall.

With this "private LAN" between the Linksys and your firewall, your firewall now sees all traffic from the "internet". If you put a HUB in between the Linksys and the Firewall you can deploy another port for SNORT and it will see all traffic outside the firewall. This configuration is good for building a honeypot architecture. NOTE: You could bypass using the hub and deploy an ethernet tap for SNORT and achieve the same functionality.

A little more about why I did this. In order for firewall rules to process requests (hence being able to surf your own website via URL) the packets must originate from outside the firewall, by putting the Linksys router upstream, you force all packets to go to the linksys, then they come back in the same direction and look as if the request actually comes from outside the network.



Continue with the rest of the configuration:

Now connect the LAN (192.168.1.0/24) interface to a small HUB, and then cascade that HUB to a switch, which is where all of your servers are connected. This will allow you to again plug snort into the LAN on the HUB and see all of the traffic that is inside the firewall, which is good for verifying that rulesets are behaving as expected. (Again you could use an ethernet tap instead of the hub).

Solving problem 3: Configure the DMZ on the m0n0wall (192.168.2.0/24) and setup your web server. If you do not have a static IP, I recommend using DNSexit's service to register your IP with DNS so the rest of the world can see your website, send you email or whatever.

Configure m0n0wall with the NAT rules to allow the port 80 traffic into your DMZ web server and you should be in business. If you so choose to also put a hub on the DMZ you can then use SNORT to watch raw traffic at each point on your network and possibly even trap some packet captures that the script kiddies and robots launch at your website.

If there is sufficient interest I would be happy to post a simple drawing of this setup and maybe some screen shots of the m0n0wall and Linksys configs. I would appreciate your feedback on whether or not this was helpful or just a waste of typing.



email: paul dot pescitelli at gmail dot com


Packet Filter Problem:
Taken from the m0n0wall FAQ - http://doc.m0n0.ch/handbook-single/#id2610631

It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you've got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a "bounce" utility.

A Solution for m0nowall: If you use m0n0wall's built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address. Note: This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.

Using mini_httpd with PHP on OpenBSD

This article details the steps I used to get mini_httpd working on OpenBSD 3.8 with PHP. Getting mini_httpd running is trivial, compile and go. Getting mini_httpd working with PHP on the surface is not really difficult, however the challenge is in getting the POST variables to pass between mini_httpd and PHP.

Initially, I spent a couple of days of trying to get mini_httpd to work with PHP on OpenBSD 3.8 using the PHP build from the ports tree and it just was not working. The fix required two things.

First: was to patch the mini_httpd 1.19 as described by Ben Hochstrasser (see his article)

Second: was to build PHP 4.3.x with the following command:
./configure --prefix=/usr --sysconfdir=/etc --with-config-file-path=/etc \
--disable-force-cgi-redirect --without-mysql \
--with-zlib --disable-cli --enable-discard-path --enable-debug --enable-ftp --without-pear

This solved the problem of passing the POST variables from mini_httpd to PHP. The catch to this method is that you must put #!/usr/bin/php at the beginning of each .php file. To start mini_httpd you should change directories to the one containing the PHP files then,
use the following syntax:

/usr/local/sbin/mini_httpd -p 80 -c \"**.php\" -l /var/log/httpd.log

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation. Many thanks to Ben Hochstrasser for his assistance in debugging the setup.

email: paul dot pescitelli at gmail dot com

Friday, December 21, 2007

Dangerous Things you SHOULD let your kids do...

The world has become increasingly safe, some from government that wants to protect you, others from stupid labels on coffee cups that say "WARNING: Contents are HOT".. duhh...

Another pet peeve of mine, why are chemistry kits becoming obsolete? Well they have chemicals that can be dangerous, well yeah that was part of the attraction. If the concern is about terrorism and extremists that will build bombs and hurt people, trust me, if they want to hurt people, they will find a way, stopping the supply of chemistry sets won't curtail the efforts...

If you can buy stuff at the grocery or farm supply store to make a bomb, why can't we have simple chemistry sets ? truly absurd...

This video is just an example of some of things that we should encourage all of our children to experience.

Also a short plug for the book "The Dangerous Book for Boys"
also check out the You Tube Video

Tuesday, December 18, 2007

Appliance Connector Reference

Here is a decent reference for various types of appliance power plugs and their mates.

Copied here for easy reference. Source URL

Connector Type Connector (1) Appliance
Inlet (2)
Class of Equipment (3) Maximum
Temperature of Appliance Inlet(2)
Rated Current of Appliance Coupler(4)
(RMS Amps)
iec320-c1 appliance connector C1 C2 II 70°C 0.2
iec320-c5 appliance connector C5 C6 I 70°C 2.5
iec320-c7 appliance connector C7 C8 II 70°C 2.5
iec320-c9 appliance connector C9 C10 II 70°C 6.0
iec320-c13 appliance connector C13 C14 I 70°C 10.0
iec320-c15 appliance connector C15 C16 I 120°C 10.0
iec320-c15a appliance connector C15A C16A I 155°C 10.0
iec320-c17 appliance connector C17 C18 II 70°C 10.0
iec320-c19 appliance connector C19 C20 I 70°C 16.0
iec320-c21 appliance connector C21 C22 I 155°C 16.0
iec320-c23 appliance connector C23 C24 II 70°C 16.0

The information in the table below is based on IEC 60320

Connector Type Connector (1) Appliance
Inlet (2)
Class of Equipment (3) Maximum
Temperature of Appliance Inlet(2)
Rated Current of Appliance Coupler(4)
(RMS Amps)
iec320-c3 appliance connector C3 C4 II 70°C 2.5
iec320-c11 appliance connector C11 C12 II 70°C 10.0
(1) Connector Part of the appliance coupler integral with, or intended to be attached to, the cord connected to the supply. Only one cord is connected to the Connector.
(2) Appliance Inlet Part of the Appliance Coupler integrated or incorporated in the appliance or equipment or intended to be fixed to it. An Appliance Inlet integrated in an appliance or equipment is an Appliance Inlet (the shroud and base of) which is formed by the housing of the appliance or equipment. An Appliance Inlet incorporated in an appliance or an equipment is a separate Appliance Inlet built in or fixed to an appliance or equipment.
(3) Class of Equipment Class I equipment has an earth connector. Class II equipment has only active & neutral pins with no earth.
(4) Appliance Coupler A means of enabling the connection and disconnection at will, of a cord to an appliance or other equipment. It consists of two parts: a Connector and an Appliance inlet.

Sunday, December 16, 2007

Atlanta Slam

We had some pretty good seats for the event. Here is Andy Roddick and Robby Ginepri pal'ing around at the end of the event...

Friday, December 14, 2007

Comic Book Photo


While surfing the web I found a tutorial to turn a photo into a comic book rendering. This is more than just a filter, it is about a 10 step process. Here is the first attempt from a Halloween picture of my boy.

Saturday, December 8, 2007

Camera Gear Bag for Cheap

While browsing the net I stumbled across the Strobist Site, it brought me back to earlier days when I learned to use an off camera flash Sunpak 120J while learning from the wonderful Terry Wawro.

I thought, well heck I have most of this stuff, I just need to unpack it. We recently moved and I still needed a good reason to unpack. So I started gathering the light stands, tripods, monopods and the like.

So while running errands today, I stopped by Sports Authority and in the baseball section they had a sale on the following Nike "Keystone" bat bag and it was on clearance for $14.97.















I picked one up thinking it looked about the right length for my needs and took it home. As you can see below, it is the right size to fit most of my gear.














Now that everything will fit length wise, I will go back tomorrow and pick up another one. Then I can have 1 bag for the mono pod and tri-pod, and another bag for 2-4 light stands. The light stand in the picture above is a Manfrotto 3372

Also on the back side of the bag is a pocket that runs the length of the bag that is a completely separate compartment, so you could fit 1 more light stand in there and carry as many as 5 or 6 in one bag.

Sunday, December 2, 2007

Single Flash Model Shoot

Good short tutorial at photonovice.net 3 Clips from Bert Stefani