Chronophage's Blog

Software

Learning How to Firewall… Part 1

by on Apr.12, 2013, under Hardware, Security, Software

So, it’s time for my annual blog post.

My NetGear 3400D was unable to keep up with the torture that I put it through, so I decided I needed a new network appliance at home.

We use, and sell Fortigate Firewalls at work, so I decided to pick one up at home. This would a) be more robust than a consumer “router” and b) would allow me to work on developing some badly needed network/firewall/vpn knowledge. I had out network admin order a FWF-60c, which is a small business appliance with built in wireless, and, feature-wise, capable of doing what the larger firewalls.

Installing the Fortigate was dead simple, I used the FortiClient software and the wizard to get me off the ground. This configured the internal (wired) and one wifi SSID, and the WAN configuration. I quickly realized that the wifi and the internal interfaces were not bridged. This would present a problem that I would have to solve a little later.

I then decided to test upgrading the firmware from the 4.0 tree to the 5.0 tree. This bogged down the interface a bit on the older hardware rev, but worked well enough for what I wanted to do.

I then refined my policies to match what I had on the NetGear and brought it home.

Performance was astounding.

The first problem I ran into was that I have a first generation Playstation 3, the 20GB edition without wireless. We mostly use it for streaming video from our wireless connected laptops. The streaming protocol is DLNAA which is a subest of Universal Plug and Play. The Fortigate doesn’t support UPnP. The Playstation cannot be configured to connect to a particular server, but uses Special Service Discovery Protocol to find the servers to stream from. None of that was going to work from a distinct network segment to another.

So, out of the box, the streaming wasn’t going to work. I started to look for a solution, but there wasn’t anything online to help me with this, as this was a fairly corner case; people don’t use these for home networking much. I had to do some snooping. Running a few packet captures revealed that SSDP used multicast. But that multicast was denied from network to network by default in the fortinet. Some google-fu taught me how to enable multicast on a fortigate. It has to be done from the CLI, but is like any firewall policy. You’ll need two, one from “internal” to “wifi” and one from “wifi” to “internal”


config firewall multicast-policy
edit 1
set action accept
set srcintf wifi
set dstintf internal
set srcaddr all
set dstaddr all
edit 2
set action accept
set srcintf internal
set dstintf wifi
set srcaddr all
set dstaddr all
end

Then, elsewhere in the firewall, put in standard policies to allow the network to pass other traffic to each other, since they are internal, I let the open any ports. I’m sure you can find a list of the myriad streaming ports required if you want something more restrictive. I enabled NAT between the two, I don’t know if that’s necessary, but it worked. And Voila, I can stream! (and do other UPnP things, without the “helpful” daemon.)

Part 2, VPNs

Leave a Comment more...

Webcluster Active Statistics

by on Nov.23, 2011, under Administration, Software, UNIX 101

So, I decided I needed a bit of a landing page for web.chronophage.net. I wanted to show certain active statistics, but I didn’t like the format, or information leakage that mod_status showed.

So I did some googling, and found this: http://www.phpclasses.org/package/3613-PHP-Retrieve-and-parse-Apache-server-status.html

Unfortunately, the examples were set to just show the stats of one server, and I had four.

Well, an array, for loop and some php rejiggering, and viola! Active server stats!

Now I can see all the worms attempting to XSS my websites.

Wee!

Leave a Comment more...

New Chronophage Mail Settings

by on Nov.11, 2011, under Administration, E-Mail, Software, UNIX 101

So, I changed mail, splitting mail.chronophage.net into a 3 host mail cluster, and a shell server.

Unfortunately, I have shell users who were using mail.chronophage.net as their moniker for pop/imap. This also broke their ability to log in to the antispam area and change their spam settings. I have fixed both of these issues.

Dovecot has a passwd-file facility, which uses passwd formatted files to do authentication. I simply added such a file to my mail cluster, with the shell username and {CRYPT} hashes (out of master.passwd) and added a proxy=y statement and a host=(shell server’s ip)

So now, when they log in, it’ll authenticate them, and then pass the authentication over to the shell server’s POP3 or IMAP server. Since they authenticate locally first, SASL works for sending mail.

This gives them one point for external clients, and still lets them log in via the shell server, or use procmail (via a .forward) if they so choose.

Unfortunately, this means that I have to manually keep password in sync in two places. But my users don’t change their passwords often, and there aren’t too many of them

So, for posterity

mail.chronophage.net (POP3, IMAP, SMTP)
https://mail.chronophage.net (webmail via roundcube)
https://mail.chronophage.net/squirrelmail (webmail via squirrelmail)
https://mail.chronophage.net/antispam (for antispam services)
gaia.chronophage.net (shell server)

Leave a Comment more...

Work Blogging

by on Nov.10, 2011, under Administration, Cloud, Software, UNIX 101, Virtualization

Working on a post for work. Part 1 is pending edits and approval. Here’s a chart I’ve made for Part 2:

Made with LucidChart, because I'm cheap.

*UPDATE* Post approved: http://blogs.iphouse.net/2011/11/10/infrastructure-and-other-games/

Leave a Comment :, , , , more...

Clusterin’ clusterin’ Yeah!

by on Oct.21, 2011, under Administration, Cloud, E-Mail, News, Software, Virtualization

So I did a little bit of load testing on my new web cluster.

Not bad for not having a real load balancer…

(continue reading…)

Leave a Comment more...

Cloudy With a Chance of Productivity…

by on Oct.11, 2011, under Administration, Cloud, E-Mail, Hardware, News, Software, UNIX 101, Virtualization

I’ve been waiting, and working.

I’ve been waiting for my work to release a its new product. I’ve been waiting, politely, for my boss to blog about it. I’ve been waiting to show off this new product.

I’ve been working on provisioning, and working with customers on beta testing the new product. I’ve been working on templates, and auto install media, to make everyone’s life easier. I’ve been working on documentation for customers.

I’ve been waiting for, and working on, a VMware vCloud Director based product known as vmForge VDC.

This is cool stuff!

(continue reading…)

Leave a Comment :, , , , , , , , , , , , more...

badger.py

by on Jul.22, 2011, under Frivolous, Software

For reference: http://www.albinoblacksheep.com/flash/badgers

i = 1
strOut = ""

while i > -1  :
    if i == 12 :
        strOut = "Mushroom"
        i = i + 1

    elif i == 13 :
        strOut = "Mushroom"
        i = i + 1

    elif (i == 27) :
        strOut = "A big ol' snake - snake a snake oh it's a snake";
        i = 0

    else :
        strOut = "Badger"
        i = i + 1

    print strOut
Leave a Comment more...

IPv6

by on Mar.30, 2011, under Administration, E-Mail, Hardware, Security, Software, UNIX 101, Virtualization

So…

It’s been awhile.

Recently, I’ve decided to make sure that all of my servers were IPv6 addressable. This was made infinitely easier by working at a forward thinking ISP. So a quick email to our network admin and bam! IPv6 routed to my vlan!
Now, what to do with it?

(continue reading…)

Leave a Comment :, , , , , , , , , , , , , , more...

RHEL

by on Jan.18, 2011, under Administration, E-Mail, Software, UNIX 101

(..sigh) There’s a lot I like about RedHat. I like the fact that they’re worth more than a billion dollars as an OpenSource company. I like how they’ve been in the Linux game for a long time, and keep finding new ways to innovate and expand. I like how they have a competitive, yet accessible application stack, that runs on a wide variety of hardware. Their partner program, and resources are outstanding, especially when compared to other software vendors. I like a lot about RedHat. I just don’t like their operating system.

(continue reading…)

Leave a Comment more...

Ubuntu Apache2 Auto Config BASH script

by on Jan.12, 2011, under Administration, Software, UNIX 101

Man, I’ve been busy… I’ve recently been promoted to being a System’s Administrator! This has forced me to program a few BASH scripts. This one is for a customer that wants a managed system, but wants to be able to add websites at will. It’s pretty simple, and relies on an existing example.com template. Why example.com? Because I follow RFCs dammit! The template allows me to adjust the Apache specific settings, without recoding the script.  A little REGEX here, and a pipe to sed there, some error checking, formatting and a dash of some SUDO magic and voila! The customer doesn’t need to email/call me to add a website.  Sure beats paying for a crappy control panel ;)

(continue reading…)

Leave a Comment :, , , more...

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!