
Friday, October 20, 2006

pf based nat gateway for office network

Tonight I replaced the old FreeBSD-based NAT gateway with an OpenBSD-based NAT gateway and firewall. This is a short article about the pf configuration.

I use an Intel Celeron 500MHz based server with two network cards (vr0 and vr1). Here are the configuration steps:

  1. buy more beer and pizza!
  2. install OpenBSD
  3. set the net.inet.ip.forwarding sysctl value to “1” and add the line net.inet.ip.forwarding=1 to the /etc/sysctl.conf file
  4. activate pf: add the line pf=YES to the /etc/rc.conf.local file
  5. edit the /etc/pf.conf file:
    # macros
    ext_if="vr0"
    int_if="vr1"

    # options
    set block-policy return
    set loginterface $ext_if
    set skip on lo

    # scrub: normalize incoming packets
    scrub in

    # network address translation (NAT): rewrite everything leaving
    # the external interface to its address
    nat on $ext_if from !($ext_if) to any -> ($ext_if)

    # filter: block everything inbound by default, allow stateful outbound
    block in
    pass out keep state
    antispoof quick for { lo $int_if }
    pass quick on $int_if
  6. load the config file: pfctl -f /etc/pf.conf
…and read “The OpenBSD Packet Filter”.

Friday, September 8, 2006

scan with netcat

nc(1) can be used for a simple and fast network scan. Here is a sample localhost scan (port range: 1-1024).

$ nc -v -z 127.0.0.1 1-1024
localhost [127.0.0.1] 80 (www) open
localhost [127.0.0.1] 25 (smtp) open
localhost [127.0.0.1] 22 (ssh) open

Thursday, September 7, 2006

secure surfing from public place

Use OpenSSH port forwarding to browse the web from a public place.
ssh(1) can act as a SOCKS server. The SOCKS4 and SOCKS5 protocols are supported. All you need is shell access to a remote machine.
Example:

ssh -D 4545 user@IP
Now you can specify “localhost” as the SOCKS host and “4545” as the SOCKS port in the connection settings of your browser.

security engineering - the book

Available online now for download by chapter.
Security Engineering: A Guide to Building Dependable Distributed Systems

Monday, April 17, 2006

remote ipfw module loading

Remote ipfw module loading is dangerous, because if your firewall rules are wrong you can lose remote access to the server. To prevent this, create an at(1) job with the `kldunload ipfw’ command. If the module is loaded and you can still log in to the server remotely with the ssh(1) client, just delete this job.
Checklist:

  • Create the /etc/rc.firewall script with ipfw rules;
  • Make sure remote access using ssh(1) works through the firewall;
  • Create an at(1) job with `kldunload ipfw’;
  • Load the ipfw module using `kldload ipfw’;
  • Try to access the allowed services;
  • If all is right, delete the at(1) job.
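The checklist above as a shell script (an added example, not from the original post): it schedules the `kldunload ipfw` rollback with at(1) first, loads the module only once that job exists, and prints the job id so you can `atrm` it after confirming ssh still works. It assumes FreeBSD at(1), atrm(1), kldload(8) and kldunload(8), and that at(1) confirms a submission with a line of the form `job <id> at <date>`; the job-id parser is exercised on a constructed reply.

```shell
#!/bin/sh
# Safety net for loading ipfw on a remote FreeBSD box (added example).
# Assumes at(1)/atrm(1)/kldload(8)/kldunload(8) are present.

GRACE_MIN=${GRACE_MIN:-5}   # minutes before the rollback fires

# at(1) confirms a submission with a line such as (constructed sample):
#   job 12 at Mon Apr 17 23:45:00 2006
# Extract the numeric job id from that reply; print nothing if not found.
parse_at_job_id() {
    printf '%s\n' "$1" | sed -n 's/^job \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# The at(1) time specification used for the rollback job.
rollback_timespec() {
    printf 'now + %d minutes' "$1"
}

# Schedule "kldunload ipfw" and print the at(1) job id on success.
schedule_rollback() {
    reply=$(echo '/sbin/kldunload ipfw' | at "$(rollback_timespec "$GRACE_MIN")" 2>&1) || return 1
    id=$(parse_at_job_id "$reply")
    [ -n "$id" ] || { echo "could not parse at(1) reply: $reply" >&2; return 1; }
    echo "$id"
}

# Load the module only after the rollback job exists; if kldload itself
# fails, remove the job again so it does not unload a module never loaded.
load_ipfw_with_rollback() {
    id=$(schedule_rollback) || return 1
    echo "rollback job $id runs kldunload ipfw in $GRACE_MIN minutes" >&2
    kldload ipfw || { atrm "$id"; return 1; }
    echo "$id"
}

# Once ssh access through the new rules is confirmed, cancel the rollback.
keep_ipfw() {
    atrm "$1"
}

case "${1:-}" in
    load) load_ipfw_with_rollback ;;   # ./ipfw-safe.sh load
    keep) keep_ipfw "$2" ;;            # ./ipfw-safe.sh keep <job id>
esac
```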