Category Archives: Firewalls

Spending a weekend re-installing my firewall appliance was not my plan

So recently while trouble shooting that mail log in problem from my phone, I started going through the web interface on my pfSense box. While in the LAN interface, and it being 4am, I was like why is block RFC1918 for the Wan (which is on every interface tab), and block Bogons, not checked.

So I did what anyone half sleep deprived would do, I checked the boxes and hit apply.  Then I couldn’t get back in to the silly thing. Console wouldn’t work. I just got a blank screen, rebooting while consoled  in would go through the post and loading of BSD but after pfSense started, I didn’t get a menu.

Hey I know, I’m a Nix person, I’ll boot from the live image, go in to recovery find and turn off that setting, sync to the hard drive and reboot.

Continue reading

It’s all about the pcaps baby

So my android phone as an interesting problem, granted it’s an S4, running not the latest build so I don’t know if that problem still exists. Apparently the way the default mail application is set up, it can’t sync the mailboxes unless the Sync button is turned on. But that doesn’t stop that the mail application from trying to sync on a schedule.

Continue reading

home lab – more pfsense work

Finally got time to pick up from where I left off last time. I’ve had a hard time getting to do lab work. Anyway. I connected my pfSense box to my AT&T U-verse Router Gateway, something I’ve been worried about, and it worked. I was worried because in the past, it would shut down the RG saying there was a network behind network, turn on DMZ Plus mode, and everything would be broken.

Continue reading

home lab – firewall installing pfSesne

There are lots of good howtos out there to get the system installed. I followed this one, since it was for the same hardware: Build an awesome APU based pfSense Router.

Issues were with the installer software. It took a few tries to figure out I needed to run it as admin, mostly because the screens are all in German (I think). I tried other software (the one I use for the Raspberry Pi stuff) didn’t work.

Booted off the console, used the installer (after I got the right image, can’t use the iso image), and installed it. Next up, getting it on a network to use the Web interface to configure the box. Or use SSH. Maybe just plug in the laptop and see what happens. That’s half the fun anyway, or so I think.

Home Lab – Firewall PC Engine APU1D4 DYI Build

Got the first firewall for the lab. It is a PC Engine APU1D4 D.Y.I Kit from Netgate. This hardware has been going out of stock constantly. I got the 30 gig flash drive from Amazon, for less. I should have taken pictures as I was building it, but was just excited to be building it.

The good:

  • easy open packaging
  • other than the heat spreader it went together really quickly
  • Online documentation available

The bad:

  • No Instructions in the box
  • The heat spreaders didn’t like to stay on the chips
  • the heat sink move pulling the spreader off with it while putting the bottom on. Didn’t cause problems, but had to stop and reline up the head spreader to the chips (stuck to heat sink).

Continue reading

vmware problem trying to share bridged interface

I’ve spent the last 2 days trying to get Vmware Player on a Windows 7 host, to provide internet to any of the guests  using bridged mode.  I have 2 firewalls installed. Windows firewall, and Avast’s Firewall (part of the Internet Security Suite). I had both installed previously before I rebuilt my laptop in September, and didn’t have a problem or had to do anything.

If I turned off one of the firewalls it worked fine, for bridged interfaces. But with both on, it didn’t work. Even though there are rules in place for avast to allow vmware.

After digging I finally found a thread dealing with the same issue on VirtualBox. The fix is to turn on Internet Connection Sharing in Avast. This doesn’t turn it on for Windows but just Avast from what I can tell.

All the ip addresses that DenyHosts blocked

One of the things I did after getting iptables tweaked, was to clear my /etc/hosts.deny file. About 99% of these were put there by DenyHosts. Which is a great little background daemon that looks for failed log in attempts over ssh and then blocks the attacker by adding them to the /etc/hosts.deny file.

Since I know some people are looking for these types of addresses for different reasons, and there are over 2300+ unique ones in the list, I shared it publicly. You can get the list at pastebin.

 

 

Firewalls and the default deny rule, does that make us bad?

Over the last few weeks I’ve been thinking of redoing my iptables, but by putting in a default deny rule, does that make us bad netizens? By dropping everything that isn’t allowed, it actually makes it harder to fix the original problem. The fact that there are attacks to begin with, and the fact that boxes are compromised.

Over the last few months, since fixing the IMAPS part of my mail server, I noticed people hitting the server and failing to log in. These were not targeted attacks; they were automated bots, using the same users and possible passwords. I’d block them at the firewall but every day, there would be at least 2 new networks. Not all of them from overseas.

For historical reasons I take a stance of contacting the abuse email for North American companies, and some European ones. I found that the large Cable Company ISPs, usually turn out to be black holes. The smaller ones though actually reply back.

Last week I went through a week’s worth of logs, and out of the 47 ip addresses, there were about 30 networks. I actually sent 17 emails, and blocked only 13 networks. From that, 9 replied. Granted they were mostly the auto-replys, but I did have 2 that were interesting. One was from an ISP in England and they thanked me for letting them know. The other was an educational ISP in California. They replied back where they found the problem, and the IR procedures, with a thank you.

That worked because I wasn’t blocking the inbound connections, and letting other tools protect the server’s processes. However the iptable rules had become larger than I wanted to maintain (over 100) for inbound access.  So I re-wrote them using a default deny. I now state what on my network can be talked to, and in some cases by what networks. Everything else gets dropped and logged.

The down side to this is that while I can see the dropped connection attempts, I can’t see what the people are trying to do. Is it just a null hit, a failed loggin attempt, something else. I also can’t report it back to other interested parties. While I feel better about their failures, I realize that I’m a bad Netizen because I can’t contact their upstream, with logs showing the problem.

Yes, I know I could set up a honey pot system and fight for both the user and the internet that way, but it feels more like just being the complaint department than it does trying to solve things.

While I am going to keep using the default deny, because it’s easier to handle the rules on the firewall, I still don’t like that I’m walling myself off from the real problem, and not trying to fix underlying issue.