Archive for the ‘g33k’ Category
So I am a very large geek, and proud of it. It hurt to walk past a cupboard at work knowing there were 30+ Cisco PIX 501 firewalls sitting in there collecting dust. One day it dawned on me: I wonder how crap the internet would be sitting behind 30 of those slow ass, god awful to use and configure firewalls. So here are the results:
Network Diagram (image)
Sample PIX 501 conf (N is the firewall's number in the chain, so each hop's outside interface sits on the next hop's inside network; the "cisco" passwords are for this throwaway lab only):
[plain]
hostname fwX
password cisco
enable password cisco
domain-name cooperlees.com
ip address inside 10.N.0.1 255.255.255.0
ip address outside 10.N1.0.2 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full
route outside 0 0 10.N1.0.1
nat (inside) 1 10.N.0.0 255.255.255.0
global (outside) 1 interface
access-list outbound permit ip any any
access-group outbound in interface inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
[/plain]
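Rendering 30 copies of that template by hand is how you end up with a hop whose default route points nowhere, so here is an added example (my code, not part of the original post) that generates the per-hop config and sanity-checks the addressing before it gets pasted into each box. It assumes my reading of the template: "N" is the hop number starting at 1, "N1" is N+1, hop N's inside is 10.N.0.0/24 with the firewall at .1, its outside is .2 on 10.(N+1).0.0/24, and its default route is .1 on that network (the next hop's inside address, or the real upstream router for the last hop). The parser only understands the handful of PIX 6.x lines the check needs.

```python
# Added example, not from the original post: render the per-hop PIX 501 config
# for the whole chain from the template above and sanity-check the addressing.
# Assumed scheme (my reading of "N" and "N1"): hop n's inside network is
# 10.n.0.0/24 with the firewall at .1, its outside interface is .2 on
# 10.(n+1).0.0/24, and its default route is .1 on that network, i.e. the next
# hop's inside address.  For the last hop, .1 is assumed to be the upstream router.
import ipaddress
import re

TEMPLATE = """\
hostname fw{n}
password cisco
enable password cisco
domain-name cooperlees.com
ip address inside {inside_ip} 255.255.255.0
ip address outside {outside_ip} 255.255.255.0
interface ethernet0 auto
interface ethernet1 100full
route outside 0 0 {gateway}
nat (inside) 1 {inside_net} 255.255.255.0
global (outside) 1 interface
access-list outbound permit ip any any
access-group outbound in interface inside
access-list ping_acl permit icmp any any
access-group ping_acl in interface outside
"""


def render(n):
    """PIX config text for hop n (1 = the firewall the client sits behind)."""
    inside = ipaddress.ip_network(f"10.{n}.0.0/24")
    outside = ipaddress.ip_network(f"10.{n + 1}.0.0/24")
    return TEMPLATE.format(
        n=n,
        inside_net=str(inside.network_address),
        inside_ip=str(inside[1]),
        outside_ip=str(outside[2]),
        gateway=str(outside[1]),
    )


def parse_pix(conf):
    """Pull the chain-relevant lines back out of a PIX 6.x config."""
    fields = {}
    for line in conf.splitlines():
        m = re.match(r"ip address (inside|outside) (\S+) (\S+)$", line)
        if m:
            # ip_interface accepts a dotted netmask after the slash
            fields[m.group(1)] = ipaddress.ip_interface(f"{m.group(2)}/{m.group(3)}")
            continue
        m = re.match(r"route outside (?:0|0\.0\.0\.0) (?:0|0\.0\.0\.0) (\S+)", line)
        if m:
            fields["gateway"] = ipaddress.ip_address(m.group(1))
    return fields


def check_chain(confs):
    """Return a list of problems; empty means every hop's outside leg lands on
    the next hop's inside network and routes to the next hop's inside address."""
    hops = [parse_pix(c) for c in confs]
    problems = []
    for i, this in enumerate(hops, start=1):
        if this["gateway"] not in this["outside"].network:
            problems.append(f"fw{i}: gateway {this['gateway']} is not on its outside subnet")
        if i == len(hops):
            break                       # last hop points at the upstream router
        nxt = hops[i]                   # hops is 0-based, so hops[i] is fw{i+1}
        if this["outside"].network != nxt["inside"].network:
            problems.append(f"fw{i}: outside {this['outside'].network} is not fw{i + 1}'s inside network")
        if this["gateway"] != nxt["inside"].ip:
            problems.append(f"fw{i}: gateway {this['gateway']} is not fw{i + 1}'s inside address {nxt['inside'].ip}")
    return problems


if __name__ == "__main__":
    chain = [render(n) for n in range(1, 31)]
    print(chain[0])
    print("problems:", check_chain(chain) or "none")
```

Each hop PATs everything to its own outside address, so the client's traffic is translated 30 times on the way out; the checker only covers addressing, which is the part that silently breaks when a number is fat-fingered.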
Video of the Results
[youtube https://www.youtube.com/watch?v=BrlwzZZp8tM&w=640&h=390]
Thanks to Jason Leschnik, Anthony Noonan, Kyle Seton and Chris Steven for their assistance.
Tags: 3.0, 501, address, levels, netscreen, network, pix, screenos, skype, speedtest, translation
Posted in cisco, g33k, juniper |
So I thought I would share a good IPTables starting template, all tested on Ubuntu 10.10.
[plain]
# Cooper Lees IPTables Rules
# Last Updated 20110409
# Drop by default
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
# ICMP is good
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Rate-limit new SSH connections per source address: every NEW SYN is recorded,
# and once 4 or more have been seen from one address inside 60 seconds the
# connection is dropped (so 3 get through per minute). --update also refreshes
# the entry on a match, so an address that keeps retrying stays blocked until
# it has been quiet for 60 seconds.
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 -j DROP
iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
# Handy if you have an IPv4 to IPv6 tunnel (protocol 41 = 6in4). This only
# filters the IPv4 carrier; the IPv6 side needs matching ip6tables rules.
iptables -A INPUT -p 41 -s ${IPv4-Tunnel-Address} -j ACCEPT
# Handy for debugging what is getting blocked ...
iptables -A INPUT -j LOG --log-level debug --log-prefix "iptables INPUT: "
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
[/plain]
- Load from the CLI, then save with iptables-save > /etc/iptables.up.rules
- In Ubuntu, add "pre-up iptables-restore < /etc/iptables.up.rules" to the loopback interface stanza in /etc/network/interfaces, so the rules are in place before any real interface comes up
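The two "-m recent" lines are the part of the template people copy without understanding, so here is an added example (my code, not from the original post) that models what they do to new SSH connections from one source address. It follows the xt_recent behaviour as I understand it: "--set" records a timestamp for every matching packet, and "--update --seconds 60 --hitcount 4" matches when 4 or more recorded timestamps fall inside the last 60 seconds, recording another timestamp on a match. The addresses and timings are constructed for the demo.

```python
# Added example (not part of the original post): a pure-Python model of what
# the two "-m recent" rules in the template do to NEW SSH connections from a
# single source address.  Based on the xt_recent behaviour I rely on: "--set"
# records a timestamp for every matching packet; "--update --seconds 60
# --hitcount 4" matches when 4 or more recorded timestamps fall inside the last
# 60 seconds and, on a match, records another timestamp.  Times are seconds.
from collections import defaultdict

SECONDS = 60      # --seconds 60
HITCOUNT = 4      # --hitcount 4
LIST_SIZE = 20    # kernel default ip_pkt_list_tot; the oldest stamp is overwritten


class RecentTable:
    """One xt_recent list (the DEFAULT list both rules use)."""

    def __init__(self):
        self.stamps = defaultdict(list)

    def _record(self, src, now):
        stamps = self.stamps[src]
        stamps.append(now)
        if len(stamps) > LIST_SIZE:
            del stamps[0]

    def new_ssh(self, src, now):
        """Verdict for one NEW packet to tcp/22 from src at time now."""
        self._record(src, now)                    # rule 1: -m recent --set (no target, falls through)
        hits = sum(1 for t in self.stamps[src] if now - t <= SECONDS)
        if hits >= HITCOUNT:                      # rule 2: --update --seconds 60 --hitcount 4 -j DROP
            self._record(src, now)                # --update refreshes the entry when it matches
            return "DROP"
        return "ACCEPT"                           # rule 3: --state NEW --dport 22 -j ACCEPT


def simulate(events):
    """events: (src, time) pairs in time order; returns the verdict per event."""
    table = RecentTable()
    return [table.new_ssh(src, t) for src, t in events]


# Constructed sample: one address hammering SSH, one legitimate login in between.
EVENTS = [
    ("198.51.100.7", 0), ("198.51.100.7", 5), ("198.51.100.7", 10),
    ("203.0.113.5", 12),
    ("198.51.100.7", 15),                                                # 4th attempt inside 60 s: dropped
    ("198.51.100.7", 40), ("198.51.100.7", 70), ("198.51.100.7", 100),   # retries keep it blocked
    ("198.51.100.7", 200),                                               # 60 s of silence clears it
]

if __name__ == "__main__":
    for (src, t), verdict in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:>3}s {src:<14} {verdict}")
```

The run shows the two things worth knowing before deploying this: only three new connections per minute succeed, not four, and a source that keeps hammering never gets a fresh window because each retry is itself recorded.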
Tags: allowed, core, iptables, only, services, SSH, template
Posted in g33k, linux |
So a new chapter of my life begins next month when I change my place of work, from 4.5 years of being an HPC / Unix admin @ ANSTO (http://www.ansto.gov.au), to become a senior security focused network engineer.

I will be moving to ICT Security, being based in North Sydney with a main focus on Juniper Networks security equipment and solutions. So expect to see Cooper @ more Sydney events and actually in the city. e.g. SAGE meetings etc.
Posted in g33k, work |
Question: What do you do with an old cool looking huge Sun server that you can not give away?
Sun v880 now next to bed.cooperlees.com ...
Answer: Make it a bedside table. Epic Win.
Tags: bed, retired, server, side, sparc, sun, table, v880
Posted in g33k |
Embedding was disabled, so go here and watch these parents pwn!
Pwning Parents
Tags: 1337, boyfriend, l33t, parents, pwn
Posted in g33k, humour |
After I spent hours thinking I had lost the plot, I finally read about how IPF is configured by default now. I am not sure in which build this was changed, but now, by default, IPF on OpenIndiana does not look at /etc/ipf/ipf.conf for the default IPv4 IPF rules to load at start. To make it look at this file, apply the following.
[bash]
#!/bin/bash
set -e
IPFW_CFG="/etc/ipf/ipf.conf"
PRIV_EXEC="pfexec"
# Turn IPF back to legacy text file usage: policy "custom" plus the file to read
$PRIV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/policy = astring: "custom"
$PRIV_EXEC svccfg -s ipfilter:default setprop firewall_config_default/custom_policy_file = astring: "$IPFW_CFG"
# Push the new properties into the running service instance
$PRIV_EXEC svcadm refresh ipfilter:default
echo "Done - Edit $IPFW_CFG and enable IPF now ..."
[/bash]
Sample Conf:
[bash]
# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all
# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state
# Allow SSH (only new connections: SYN set, all other flags clear)
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
# Allow HTTP
pass in quick proto tcp from any to any port = 80 keep state
[/bash]
Now just enable the service
pfexec svcadm enable svc:/network/ipfilter:default
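The sample conf only works because of how IPF orders its decisions: rules are applied top to bottom and the last matching rule wins, unless a matching rule says "quick", which ends the search there. That is why "block in all" can sit at the top with the "pass in quick" rules after it. Here is an added example (my code, not from the original post or the IPF project) with a toy evaluator for just the subset of rule syntax the conf uses, run over the conf itself and over the same SSH rule written without "quick". Addresses ("from any to any" only), state tracking and fragment handling are not modelled, and the interface name e1000g0 is a constructed placeholder.

```python
# Added example, not part of the original post: a toy evaluator for the subset
# of IPF rule syntax used in the sample conf above.  IPF applies rules in order
# and the LAST matching rule wins, unless a matching rule says "quick", which
# ends the search on the spot.  Addresses, state and fragments are not modelled.

SAMPLE_CONF = """
# Default policies
pass out all keep state
block in all
block return-rst in log first proto tcp all
block return-icmp(host-unr) in log proto udp all
# Allow Loopback
pass in quick on lo0 all
pass out quick on lo0 all
# Allow ICMP
pass out quick proto icmp all keep state
pass in quick proto icmp all keep state
# Allow SSH
pass in quick proto tcp from any to any port = 22 flags S/FSRPAU keep state keep frags
# Allow HTTP
pass in quick proto tcp from any to any port = 80 keep state
"""

# The same SSH rule without "quick", followed by the catch-all: last match wins,
# so SSH is blocked.  This is the ordering mistake "quick" avoids.
NO_QUICK = """
pass in proto tcp from any to any port = 22 keep state
block in all
"""


def parse_rule(line):
    """Parse one rule into a dict; tokens not modelled (return-rst, log, first,
    from/to any, keep state/frags, all) are accepted and ignored."""
    toks = line.split()
    rule = {"action": toks[0], "direction": None, "quick": False,
            "iface": None, "proto": None, "port": None, "flags": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["direction"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            i += 1
            rule["iface"] = toks[i]
        elif t == "proto":
            i += 1
            rule["proto"] = toks[i]
        elif t == "port":                # only the "port = N" form
            rule["port"] = int(toks[i + 2])
            i += 2
        elif t == "flags":               # "S/FSRPAU": bits that must be set / bits examined
            i += 1
            rule["flags"] = toks[i]
        i += 1
    return rule


def load_rules(text):
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def packet(direction, proto, iface="e1000g0", dport=None, flags=""):
    """A constructed packet; flags holds the set TCP flag letters, e.g. "S" or "SA"."""
    return {"direction": direction, "proto": proto, "iface": iface,
            "dport": dport, "flags": flags}


def matches(rule, pkt):
    if rule["direction"] != pkt["direction"]:
        return False
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["port"] is not None and rule["port"] != pkt["dport"]:
        return False
    if rule["flags"]:
        want, mask = rule["flags"].split("/")
        if set(pkt["flags"]) & set(mask) != set(want):
            return False
    return True


def evaluate(rules, pkt):
    """Last match wins unless a matching rule is 'quick'; no match at all passes."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule["action"]
            if rule["quick"]:
                break
    return verdict


if __name__ == "__main__":
    rules = load_rules(SAMPLE_CONF)
    print("ssh SYN    :", evaluate(rules, packet("in", "tcp", dport=22, flags="S")))
    print("ssh SYN+ACK:", evaluate(rules, packet("in", "tcp", dport=22, flags="SA")))
    print("no quick   :", evaluate(load_rules(NO_QUICK), packet("in", "tcp", dport=22, flags="S")))
```

The SYN+ACK case shows what the "flags S/FSRPAU" clause buys you: an inbound packet to port 22 that is not a clean SYN falls through to the "block return-rst" rule instead of opening state.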
Handy IPF Commands
ipf -E                       : Enable ipfilter when running for the first time (needed for ipf on Tru64)
ipf -f /etc/ipf/ipf.conf     : Load rules in /etc/ipf/ipf.conf into the active firewall
ipf -Fa -f /etc/ipf/ipf.conf : Flush all rules, then load rules in /etc/ipf/ipf.conf into the active firewall
ipf -Fi                      : Flush all input rules
ipf -I -f /etc/ipf/ipf.conf  : Load rules in /etc/ipf/ipf.conf into the inactive firewall
ipf -V                       : Show version info and active list
ipf -s                       : Swap active and inactive firewalls
ipfstat                      : Show summary
ipfstat -i                   : Show input list
ipfstat -o                   : Show output list
ipfstat -hio                 : Show hits against all rules
ipfstat -t -T 5              : Monitor the state table and refresh every 5 seconds; output is similar to 'top' monitoring the process table
ipmon -s S                   : Watch state table
ipmon -sn                    : Write logged entries to syslog, converting back to hostnames and service names
ipmon -s [file]              : Write logged entries to some file
ipmon -Ds                    : Run ipmon as a daemon and log to the default location (/var/adm/messages for Solaris)
Tags: filter, ipf, openindiana, opensolaris, packet
Posted in g33k, solaris |
Jr Coops killing it ...
[youtube=http://www.youtube.com/watch?v=T4ChcMtiiic&w=480&h=385]
Posted in humour |
IPMP in Solaris gives you network redundancy on mission critical servers. It is really excellent as it allows you to mix NIC speeds (e.g. a Ten Gigabit Ethernet with Gigabit Ethernet). Below demonstrates the 'passive' IPMP configuration, which fails over on link state alone (Solaris calls this link-based failure detection). 'Active' mode (probe-based failure detection) additionally checks that a defined host can be pinged, on top of the same link checks, but it does require more extensive configuration.
NIC Setup
Stop the scary nwam service
- svcadm disable svc:/network/physical:nwam
Plumb each nic
- ifconfig NIC0 plumb
- ifconfig NIC1 plumb
Add to group
- ifconfig NIC0 group GROUPNAME
- ifconfig NIC1 group GROUPNAME
Edit /etc/hostname.interface
- Primary NIC: IP/NETMASK group GROUPNAME up
- Secondary NIC: group GROUPNAME standby
Enable traditional Solaris Networking
- svcadm enable svc:/network/physical:default
You should now be done. Have fun yanking network cables and seeing your server stay online.
Zone Setup
Once your networking is set up, just set the zone up as you normally would, but use the ipmpX interface as the zone's physical NIC in zonecfg.
- add net
- set physical=ipmpX
- end
- verify
- commit
For more zone configuration command information visit GenUnix Wiki.
Tags: containers, ifconfig, ip, ipmp, multipathing, openindiana, opensolaris, plumb, zonecfg, zones
Posted in g33k, solaris |
A great quote, that is so true ...
“A programmer is much like a virtuoso musician. They know their instrument extremely well. They may know, and occasionally play other instruments, but tend to focus almost exclusively on one. A sysadmin is more like the conductor. They have to know about all the instruments, the characteristics of each, how they play and sound together and in contrast with others. Then [they] need to understand the timing, the sound characteristics of the hall, etc. and make everything work together.”
- System administrator
Tags: administrator, conductor, music, musician, programmer, specialist, sysadmin, system
Posted in g33k |
8:00am Monday morning driving to work - time for a weekly dose of TWiT!

GG Telstra 3G - Coverage 95% + of the way ..
Hi Leo and Mr Dvorak - You're live in Wollongong, NSW AU there 🙂
Tags: 3g, 4, iphone, live, stream, telstra, tiwt
Posted in g33k |