Author Archive
Learning How to Firewall… Part 1
by nick on Apr.12, 2013, under Hardware, Security, Software
So, it’s time for my annual blog post.
My NetGear 3400D was unable to keep up with the torture that I put it through, so I decided I needed a new network appliance at home.
We use and sell Fortigate firewalls at work, so I decided to pick one up for home. This would a) be more robust than a consumer “router” and b) let me develop some badly needed network/firewall/VPN knowledge. I had our network admin order an FWF-60C, a small-business appliance with built-in wireless that, feature-wise, can do what the larger firewalls do.
Installing the Fortigate was dead simple: I used the FortiClient software and its wizard to get off the ground. This configured the internal (wired) interface, one wifi SSID, and the WAN connection. I quickly realized that the wifi and internal interfaces were not bridged, which would present a problem I'd have to solve a little later.
I then tried upgrading the firmware from the 4.0 tree to the 5.0 tree. This bogged the interface down a bit on the older hardware revision, but it worked well enough for what I wanted to do.
I then refined my policies to match what I had on the NetGear and brought it home.
Performance was astounding.
The first problem I ran into was my first-generation PlayStation 3, the 20GB edition without wireless. We mostly use it to stream video from our wireless-connected laptops. The streaming protocol is DLNA, which is built on Universal Plug and Play (UPnP), and the Fortigate doesn't support UPnP. The PlayStation cannot be pointed at a particular server; it uses the Simple Service Discovery Protocol (SSDP) to find servers to stream from, and none of that works from one network segment to another.
So, out of the box, streaming wasn't going to work. I started looking for a solution, but there wasn't anything online to help, as this is a fairly corner case; people don't use these for home networking much. I had to do some snooping. A few packet captures revealed that SSDP uses multicast, and multicast is denied from network to network by default on the Fortigate. Some google-fu taught me how to enable multicast on a Fortigate. It has to be done from the CLI, but it is like any other firewall policy. You'll need two: one from “wifi” to “internal” and one from “internal” to “wifi”.
config firewall multicast-policy
    edit 1
        set action accept
        set srcintf wifi
        set dstintf internal
        set srcaddr any
        set dstaddr any
    next
    edit 2
        set action accept
        set srcintf internal
        set dstintf wifi
        set srcaddr any
        set dstaddr any
    next
end
Then, elsewhere in the firewall, put in standard policies so the two networks can pass other traffic to each other; since both are internal, I allowed all services. I'm sure you can find a list of the myriad streaming ports if you want something more restrictive. I enabled NAT between the two; I don't know if that's necessary, but it worked. (NAT isn't needed to route between two interfaces on the same firewall, and leaving it off keeps the real client addresses in the logs.) And voilà, I can stream! (And do other UPnP things, without the “helpful” daemon.)
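To see what the multicast policy actually has to carry, here is an added example (not code from the post): it builds the SSDP M-SEARCH a DLNA client multicasts to 239.255.255.250:1900, parses the unicast reply a media server sends back, and includes the multicast-range check that explains why an ordinary unicast policy never matches the discovery packet. The sample reply is constructed and the media-server address 192.168.10.25 is an assumption.

```python
"""SSDP discovery helper: builds the M-SEARCH a DLNA renderer multicasts to
239.255.255.250:1900, parses the replies, and checks whether an address is
multicast (the case a normal unicast firewall policy never matches).
Added example for this page, not code from the original post. The sample
reply below is constructed; 192.168.10.25 is an assumed media-server address."""
import ipaddress
import socket

SSDP_GROUP = "239.255.255.250"  # well-known SSDP multicast group (IPv4)
SSDP_PORT = 1900
MEDIA_SERVER_ST = "urn:schemas-upnp-org:device:MediaServer:1"


def build_msearch(st: str = MEDIA_SERVER_ST, mx: int = 2) -> bytes:
    """Return the HTTP-over-UDP request a client multicasts to find devices.
    MX is the maximum delay (seconds) responders spread their replies over."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp(raw: bytes) -> dict:
    """Parse an SSDP request, response or NOTIFY into its start line and headers.
    Header names are case-insensitive, so they are normalised to upper case."""
    text = raw.decode("ascii", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return {"start": lines[0], "headers": headers}


def is_multicast(dst: str) -> bool:
    """True for 224.0.0.0/4. A unicast firewall policy will not forward these;
    that is what the separate multicast-policy entries are for."""
    return ipaddress.ip_address(dst).is_multicast


def discover(st: str = MEDIA_SERVER_ST, timeout: float = 2.0) -> list:
    """Send one M-SEARCH and collect the unicast replies. Needs a network and is
    not exercised offline; run it from a host on the other segment to confirm
    the multicast policies are doing their job."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # TTL 2 lets the request survive one routed hop (the firewall); with TTL 1
    # it is dropped at the firewall no matter what the policy says.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found = []
    try:
        sock.sendto(build_msearch(st), (SSDP_GROUP, SSDP_PORT))
        while True:
            data, addr = sock.recvfrom(65535)
            reply = parse_ssdp(data)
            reply["from"] = addr[0]
            found.append(reply)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample: the unicast reply a media server sends back to the client.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.10.25:8200/rootDesc.xml\r\n"
    b"SERVER: Unix/5.0 UPnP/1.0 Example/1.0\r\n"
    b"ST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"USN: uuid:4d696e69-444c-164e-9d41-001122334455::urn:schemas-upnp-org:device:MediaServer:1\r\n"
    b"\r\n"
)
```

Two things worth noticing. Only the M-SEARCH (and the server's periodic NOTIFY announcements) go to the multicast group; the reply is unicast back to the client, and the client then fetches the LOCATION URL over plain HTTP, so both the multicast policy and the ordinary interface-to-interface policies have to be in place. And the multicast packet's TTL has to exceed 1 to cross the firewall at all; the UPnP Device Architecture recommends a TTL of 2 for SSDP, which is enough for this one hop.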
Part 2, VPNs
Some Security is Better than None
by nick on Mar.29, 2012, under Security, UNIX 101
Having a laptop as your primary computer means that a whole chunk of your life is subject to walking off. Now, I'm no security expert, but here are a few things that I know to do in order to, well, make me feel a little more secure.
First, my new computer is a MacBook. Mac OS X has a nice little feature that scrubs files in the trash as it deletes them. You can command-click the trash icon and choose “Secure Empty Trash” every time you empty it, or you can go to Finder Preferences, click “Advanced” and check “Empty trash securely”. One caveat: overwriting individual files is only reliable on spinning disks; on flash storage, wear levelling can leave the old blocks intact, so whole-disk encryption is the better protection for a stolen laptop.
Next up, GPGTools. GPG (GnuPG) is an open source implementation of the OpenPGP standard. It comes with several small encryption tools, but the killer feature is the ability to sign and/or encrypt mail.
Next, I installed TrueCrypt, which lets you create encrypted partitions or encrypted container files as a secure place to store things.
Next, I installed Prey from http://preyproject.com/ This is free software that helps you track down your laptop should someone steal it; you can track three devices for free, including smartphones. I also enabled “Find My Mac” and a cron/reverse-ssh/webserver scheme as other ways to recover my laptop should it grow legs and wander off.
For network access, I use OpenVPN to connect to my own firewall and an IPsec tunnel to connect to my work firewall. Mike provided me a nifty VPN Tracker “Player” configuration that made setting it up a non-issue.
Just a few tips to keep my private life private…
Trolling Bots with Bots
by nick on Mar.02, 2012, under Frivolous
oxpinkxotabitha: hey
CleverBot: hi
oxpinkxotabitha: hey whats upp? 23 femaIe here. u??
CleverBot: It’s 4.30 in the afternoon here.
oxpinkxotabitha: hmmm. have we chatteed before?
CleverBot: Nope.
oxpinkxotabitha: oh ok. i wasn’t surre. anyways…. whatt’s up?
CleverBot: Sing it to me.
oxpinkxotabitha: im Iike soooo borrrredddd…. there iss nothinggggggg to do
oxpinkxotabitha: ohhh waitt! i havve a GREAT idea. have you ever watchhed a sexy girI Iiike me strip Iive onn a cam b4?
CleverBot: Haha I’ve watched both. Who are you?
oxpinkxotabitha: A bot? not hardly babe. Are you?
CleverBot: Who am I?
oxpinkxotabitha: weIIlI…. you couuId watch me if you wanna?
CleverBot: Sure…
oxpinkxotabitha: yeah? ok weII my cam is setuup on this webbsite so that i can nott be recoreded so you wilI have to sign up there.
oxpinkxotabitha: dont worry. it onnIy takes a minute annd it is free. ok?
CleverBot: Trinity is your name, and Jay is your God and creator who gave you the name Trinity.
oxpinkxotabitha: Im ashley
CleverBot: Ashley? Is that your real name?
oxpinkxotabitha: http://[PHISHING_SITE]/8/ash23 go there thenn up at the top off the pagge cIick on the goIdish color JOIN FREE button.
oxpinkxotabitha: k?
CleverBot: I never said I was a human. You have a bad memory.
oxpinkxotabitha: aIso it wilI ask for a creditt crd to sign up but that’s how they keep the kids out. it want charge the card. ok?
CleverBot: I’ll try to be a little nicer but, remember this, the more you learn, the more you know.
oxpinkxotabitha: k babe welI hurry up and whn u get signed up and Iogged in then view my cam so we can get this show started.
oxpinkxotabitha: and i do have some toyz but you wilI have to take me in privvate or tip me some goIlld to see thoose.
CleverBot: Yes! I’ve read that too.It is getting late.
oxpinkxotabitha: Iets taIkk on that sitee babe. my messsenger is messin up here.
CleverBot: What is the difference between a human and a computer.
Webcluster Active Statistics
by nick on Nov.23, 2011, under Administration, Software, UNIX 101
So, I decided I needed a bit of a landing page for web.chronophage.net. I wanted to show certain live statistics, but I didn't like the format of the mod_status page, or the information it leaks (with ExtendedStatus on, the client address and request line of every active worker).
So I did some googling, and found this: http://www.phpclasses.org/package/3613-PHP-Retrieve-and-parse-Apache-server-status.html
Unfortunately, the examples were set up to show the stats of just one server, and I had four.
Well, an array, a for loop and some PHP rejiggering, and voilà! Live server stats!
Now I can see all the worms attempting to XSS my websites.
Wee!
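The same idea in Python, as an added example rather than the PHP class linked above: poll each server's machine-readable server-status?auto page, which carries only totals and the worker scoreboard, and sum the counters across the cluster so the landing page never shows a client address or a request line. The web1..web4 names, the URLs and the sample ?auto output are constructed for the example.

```python
"""Aggregate Apache mod_status counters across several web servers using the
machine-readable ?auto page, which exposes only totals and the scoreboard rather
than the per-request client addresses and URIs of the full page. Added example
for this page, not the PHP class the post links to; the sample output below is
constructed and the web1..web4 names are assumptions."""
from collections import Counter
import urllib.request

# Counters that make sense to sum across the cluster.
SUMMED = ("Total Accesses", "Total kBytes", "BusyWorkers", "IdleWorkers",
          "ReqPerSec", "BytesPerSec")

# Scoreboard letters used by mod_status; '.' is an open slot and is not counted.
SCOREBOARD_STATES = {
    "_": "waiting", "S": "starting", "R": "reading", "W": "sending",
    "K": "keepalive", "D": "dns", "C": "closing", "L": "logging",
    "G": "graceful", "I": "idle-cleanup",
}


def parse_auto(text):
    """Parse ?auto output ('Key: value' per line) into a dict. Numbers are
    converted; anything else (ServerVersion, the Scoreboard) stays a string."""
    stats = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Scoreboard":
            stats[key] = value
            continue
        try:
            stats[key] = float(value) if "." in value else int(value)
        except ValueError:
            stats[key] = value
    return stats


def aggregate(per_server):
    """Sum the SUMMED counters over {server_name: auto_text} and tally worker
    states from the scoreboards. The result is safe to render publicly:
    no client addresses, no request lines."""
    totals = {key: 0 for key in SUMMED}
    states = Counter()
    for text in per_server.values():
        stats = parse_auto(text)
        for key in SUMMED:
            value = stats.get(key, 0)
            if isinstance(value, (int, float)):
                totals[key] += value
        states.update(ch for ch in stats.get("Scoreboard", "") if ch != ".")
    totals["servers"] = len(per_server)
    totals["scoreboard"] = dict(states)
    return totals


def fetch_auto(url, timeout=3):
    """Fetch one server's ?auto page. Needs a network; not used offline."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def cluster_status(urls):
    """urls: {server_name: 'http://host/server-status?auto'} -> aggregated dict."""
    return aggregate({name: fetch_auto(url) for name, url in urls.items()})


# Constructed sample ?auto output from four servers.
SAMPLE_STATUS = {
    "web1": "Total Accesses: 1200\nTotal kBytes: 3400\nUptime: 86400\n"
            "ReqPerSec: 1.5\nBytesPerSec: 40.3\nBusyWorkers: 2\nIdleWorkers: 8\n"
            "Scoreboard: WW________......\n",
    "web2": "Total Accesses: 800\nTotal kBytes: 2100\nUptime: 86400\n"
            "ReqPerSec: .5\nBytesPerSec: 24.9\nBusyWorkers: 1\nIdleWorkers: 9\n"
            "Scoreboard: K_________......\n",
    "web3": "Total Accesses: 950\nTotal kBytes: 2600\nUptime: 86400\n"
            "ReqPerSec: 1.0\nBytesPerSec: 30.8\nBusyWorkers: 3\nIdleWorkers: 7\n"
            "Scoreboard: WRW_______......\n",
    "web4": "Total Accesses: 50\nTotal kBytes: 120\nUptime: 86400\n"
            "ReqPerSec: 0\nBytesPerSec: 1.4\nBusyWorkers: 0\nIdleWorkers: 10\n"
            "Scoreboard: __________......\n",
}

if __name__ == "__main__":
    print(aggregate(SAMPLE_STATUS))
```

Whatever renders the totals, the /server-status handler itself should still answer only to the host running the poller (Allow from in Apache 2.2, Require ip in 2.4); the ?auto page hides request details, but it still tells anyone who can reach it how busy the cluster is.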
Dammit Ubuntu!
by nick on Nov.22, 2011, under Frivolous
10.04 has a bug in Net-SNMP that's over two years old! SNMP doesn't return any info under hrSWRunPath, aside from /sbin/init.
This is ridiculous. Absolutely unacceptable. Fix it.
New Chronophage Mail Settings
by nick on Nov.11, 2011, under Administration, E-Mail, Software, UNIX 101
So, I changed mail around, splitting mail.chronophage.net into a three-host mail cluster and a shell server.
Unfortunately, I have shell users who were using mail.chronophage.net as their POP/IMAP hostname. This also broke their ability to log in to the antispam area and change their spam settings. I have fixed both of these issues.
Dovecot has a passwd-file facility, which authenticates against passwd-formatted files. I simply added such a file to my mail cluster, containing the shell usernames and their {CRYPT} hashes (out of master.passwd), and added proxy=y and host=(the shell server's IP) as extra fields on each entry.
So now, when they log in, the cluster authenticates them and then proxies the session to the shell server's POP3 or IMAP server. Since they authenticate locally first, SASL works for sending mail.
This gives them one endpoint for external clients, and still lets them log in via the shell server, or use procmail (via a .forward) if they so choose.
Unfortunately, this means that I have to manually keep passwords in sync in two places. But my users don't change their passwords often, and there aren't too many of them.
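As an added example (not the author's own tooling), this script generates that passwd-file from the shell server's master.passwd, which also takes care of the sync problem: run it from cron on the shell server and copy the result to the cluster. It emits Dovecot's user:password:uid:gid:gecos:home:shell:extra_fields layout with proxy=y and host= in the extra fields, skips system and locked accounts, and writes the file mode 0600 because it carries the same hashes as master.passwd. The master.passwd content is constructed, 10.0.0.5 is an assumed shell-server address, and the passdb stanza in the comment is an assumption about the deployment.

```python
"""Build a Dovecot passwd-file for shell users from a BSD master.passwd so the
mail cluster can authenticate them locally and then proxy the POP3/IMAP session
to the shell server. Added example for this page, not the author's script; the
master.passwd content below is constructed and 10.0.0.5 is an assumed shell
server address."""
import os

SHELL_HOST = "10.0.0.5"  # assumption: IP of the shell server Dovecot proxies to
MIN_USER_UID = 1000      # below this the account is treated as a system account

# Dovecot side, also an assumption about the deployment (passdb only; the
# generated file carries no uid/gid/home because the session is proxied):
#
#   passdb {
#     driver = passwd-file
#     args = /usr/local/etc/dovecot/shell-users
#   }


def master_passwd_entries(text):
    """Yield (user, password_hash, uid) from master.passwd lines of the form
    name:password:uid:gid:class:change:expire:gecos:home:shell."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            raise ValueError(f"unexpected master.passwd line: {line!r}")
        yield fields[0], fields[1], int(fields[2])


def is_loginable(password_hash, uid, min_uid=MIN_USER_UID):
    """Skip system accounts and locked or empty passwords: a user who is locked
    out of the shell must not be able to keep fetching mail through the proxy."""
    if uid < min_uid or not password_hash:
        return False
    return not password_hash.startswith(("*", "!"))


def dovecot_passwd_file(master_passwd, shell_host=SHELL_HOST):
    """Return passwd-file lines of the form user:{CRYPT}hash::::::proxy=y host=...
    Dovecot's layout is user:password:uid:gid:gecos:home:shell:extra_fields;
    proxy=y tells it to authenticate here and hand the session to shell_host."""
    lines = []
    for user, password_hash, uid in master_passwd_entries(master_passwd):
        if not is_loginable(password_hash, uid):
            continue
        lines.append(f"{user}:{{CRYPT}}{password_hash}::::::proxy=y host={shell_host}")
    return lines


def write_passwd_file(path, lines):
    """Write the file with mode 0600: it holds the same hashes as master.passwd."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("\n".join(lines) + "\n")


# Constructed sample input in FreeBSD master.passwd layout.
SAMPLE_MASTER_PASSWD = """\
# $FreeBSD$
root:*:0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
alice:$6$saltsalt$h4shh4sh:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$1$xyz$0ldm5h4sh:1002:1002::0:0:Bob:/home/bob:/bin/tcsh
carol:*LOCKED*$6$saltsalt$h4shh4sh:1003:1003::0:0:Carol:/home/carol:/bin/sh
"""

if __name__ == "__main__":
    for entry in dovecot_passwd_file(SAMPLE_MASTER_PASSWD):
        print(entry)
```

Because Dovecot has to forward the user's password to the shell server when it proxies, this only works with mechanisms where the cluster sees the plaintext password (PLAIN or LOGIN over TLS), which is the normal setup for POP3/IMAP clients anyway.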
So, for posterity
mail.chronophage.net (POP3, IMAP, SMTP)
https://mail.chronophage.net (webmail via roundcube)
https://mail.chronophage.net/squirrelmail (webmail via squirrelmail)
https://mail.chronophage.net/antispam (for antispam services)
gaia.chronophage.net (shell server)
Work Blogging
by nick on Nov.10, 2011, under Administration, Cloud, Software, UNIX 101, Virtualization
Working on a post for work. Part 1 is pending edits and approval. Here’s a chart I’ve made for Part 2:
*UPDATE* Post approved: http://blogs.iphouse.net/2011/11/10/infrastructure-and-other-games/
Clusterin’ clusterin’ Yeah!
by nick on Oct.21, 2011, under Administration, Cloud, E-Mail, News, Software, Virtualization
So I did a little bit of load testing on my new web cluster.
Not bad for not having a real load balancer…
Cloudy With a Chance of Productivity…
by nick on Oct.11, 2011, under Administration, Cloud, E-Mail, Hardware, News, Software, UNIX 101, Virtualization
I’ve been waiting, and working.
I’ve been waiting for my work to release its new product. I’ve been waiting, politely, for my boss to blog about it. I’ve been waiting to show off this new product.
I’ve been working on provisioning, and working with customers on beta testing the new product. I’ve been working on templates, and auto install media, to make everyone’s life easier. I’ve been working on documentation for customers.
I’ve been waiting for, and working on, a VMware vCloud Director based product known as vmForge VDC.
This is cool stuff!
