click and you got money
Wednesday, November 30, 2011
How to Make Healthy Eating More Fun
The Party Isn't Over When You Get Healthy
*http://exercise.about.com/od/plateausmotivation/a/enjoyexercise.htm
*http://healthy-diet-guidesntips.blogspot.com/2011_06_01_archive.html
Are you annoyed by people who seem to enjoy exercise? What about people who eat healthfully with little effort? Why is it so easy for them and such a struggle for you? One simple reason could be time.
The longer you follow healthy behaviors, the easier they become and the best part is, you actually start to enjoy them. Your first step in getting to that happy place is to change your attitude.
The Party Isn't Over
What does a healthy lifestyle look like? For some people, it looks like a lifestyle without any kind of fun. You have to slog through boring workouts, avoid going out to restaurants and eat twigs and berries. What kind of fun is that? At first, it may look like you have to give up everything to lose weight, but what you gain from those changes is much more meaningful and satisfying. Not only will your body change, but your mind will change as well.
Can You Enjoy Healthy Foods?
Here's what will happen if you keep maintaining that healthy diet:
Your priorities change. The way your body feels after a healthy meal will become more important to you than the instant pleasure of having something loaded with fat or sugar.
You'll enjoy healthy food. Take it from the Junk Food Queen I used to be, you can live without chips and Cokes and you'll gladly give those things up once you experience how your body feels after healthier meals.
You'll still enjoy your favorite foods. The only difference is the frequency. Now, instead of having it several times a week, you might indulge once or twice a month.
You'll get rid of the guilt. By not indulging every time you want a treat, you'll savor it even more.
You'll see food in a different light. Food becomes fuel rather than something that controls your life. If you exercise, you'll learn very quickly how food affects your workouts. Eating a heavy, fatty meal makes you tired and your workouts suffer. Soon, you'll want better workouts which will motivate you to eat better.
You'll become more adventurous. Eating healthy often opens the door to more options than you usually give yourself. You'll try new vegetables and grains and experiment with herbs and flavors you've never tried.
Your friends and family will benefit. Even if you're the only one eating healthy, those habits rub off on others. Being a good role model for your kids or co-workers is one way to teach them how to live healthy.
You'll have tools to deal with temptation. Healthy eaters are much better at avoiding the usual pitfalls like party foods or overloaded buffets. They make an effort to eat regular meals so they're not starving, fill up on healthy foods first to eat less of the bad stuff, and choose a few quality treats to enjoy instead of everything in front of them.
These changes come over time, sometimes weeks, months or years of slowly working on your habits and choices. Allowing yourself this time is crucial for permanently changing how you look at food and healthy eating.
The positive changes don't just end there. Your feelings and perspective on exercise change as well. Here's how it works.
Thursday, November 24, 2011
Configuring VPN connections with firewalls
The process of setting up connections for a virtual private network has been greatly enhanced and simplified by software solutions for Windows NT/2000, NetWare, and Linux/UNIX, as well as by hardware solutions offered by vendors such as Cisco and CheckPoint.
However, configuring VPN connections to pass through firewalls, proxy servers, and routers continues to bring many network administrators to their knees in exasperation and submission to the gods of the network cloud. Thus, we are going to review how to configure VPN servers to make connections in concert with your stoic network defenders.
VPN server geography
One of the first decisions a network engineer has to make when configuring a VPN server is where to place it in relation to the network’s firewall. As Figure A shows, there are essentially three options for placing a VPN server.
Figure A
The most common approach is to place the VPN server behind the firewall, either on the corporate LAN or as part of the network’s “demilitarized zone” (DMZ) of servers connected to the Internet.
Geography is extremely important when configuring and troubleshooting VPN connections that pass through firewalls. It lets you know which interfaces on the firewall will need filters assigned to them to allow VPN traffic. We’ll talk about filters at length in the next section. The thing to understand about geography and firewalls is that filtering occurs on the firewall’s external interface—the interface that connects to the Internet.
As I mentioned above, the most common place for a VPN Server is behind the firewall, often in a DMZ with mail servers, Web servers, database servers, and so on. The advantage of this placement is that it fits cleanly into the network’s current security infrastructure. Also, the administrator is already familiar with how to route traffic through the firewall and only has to become familiar with the ports needed by the VPN server. However, the other two options have benefits as well.
Placing a VPN server in front of the firewall can lead to greater security in some cases. Remember that a VPN allows users who are external to the network to feel like they are sitting on a machine inside the network. A hacker who hijacks a connection to a VPN server that is inside the firewall will be able to do some serious damage. However, if you have a dedicated VPN box that sits outside the firewall and that is only capable of sending VPN traffic through the firewall, you can limit the damage a hacker can do by compromising the VPN box. This option also allows you to limit the resources authenticated VPN users can access on the local network by filtering their traffic at the firewall. Two caveats apply: the VPN box is now directly exposed to the Internet, so it must be hardened and patched as carefully as the firewall itself, and the traffic between the VPN server and the firewall is not encrypted, because the tunnel terminates at the VPN box.
The third option is to colocate your VPN server on the same box as your firewall. In this case, the VPN server is still logically behind the firewall, but depending on its capability and utilization, it can complement a firewall very well, since both are essentially performing routing functions. This works nicely, since in most businesses, firewall/proxy services use more resources during the daytime hours, and VPN services use more resources during the evenings. However, keep in mind that having multiple services functioning on one box always involves management and troubleshooting challenges.
Understanding firewall and filter functionality
There are two types of filters and three types of firewalls to be aware of when configuring VPN connections. Filters come in two basic flavors:
Packet filtering
Application filtering
A firewall can engage in packet filtering, application filtering, or both. Filtering involves accepting or denying TCP/IP traffic based on the source and destination addresses of packets, TCP/UDP port utilization and other TCP/IP header information, and, in advanced firewalls, specific user and computer details.
Packet filtering
A packet filtering firewall merely examines traffic at the network layer (Layer 3 of the OSI reference model) and accepts or rejects it based mainly on source and destination addresses. Although a packet filtering firewall can do some blocking based on TCP and UDP port numbers, in most cases, it isn’t the best solution. However, packet filtering does provide speed, simplicity, and transparency.
Another important VPN troubleshooting tip deals with network address translation. If the Internet router or any router between the firewall and the VPN server is providing NAT, it will probably break the VPN tunnel and cause your connection to fail. The reason is that the tunneled traffic (GRE for PPTP, ESP for IPSec) carries no TCP or UDP port numbers for the NAT device to translate, so the control exchange on TCP 1723 or UDP 500 succeeds but the tunnel itself never comes up. The VPN server should have a public Internet IP address on its external interface, not a private address assigned by a DHCP server or hidden behind NAT. Most of the time you will get this Internet IP address from a subnet assigned to you by your ISP.
A packet filtering firewall is usually placed on a router and is managed through basic access control lists, which can be challenging to configure and manage. Here’s a common VPN problem to watch out for: Many administrators set up their VPN servers, configure their firewalls, and discover that they still can’t connect. They eventually realize that the ACL on their Internet router is filtering the VPN traffic and dropping the packets.
Application filtering
An application gateway firewall involves what is commonly known as proxy services and functions at the higher layers of the OSI reference model. This type of firewall offers more extensive, customizable features, such as user-level access control, time-of-day access control, and advanced auditing and logging.
It typically readdresses traffic so that it looks like it's coming from the firewall rather than from the internal machine. In this manner, these firewalls act as a “proxy” on behalf of the internal network instead of providing a direct connection between internal and external networks, as you have with simple packet filtering firewalls. It also focuses on managing and controlling access to TCP/IP applications such as FTP, HTTP, rlogin, and so on.
Packet filtering and application filtering
Stateful inspection firewalls combine packet filtering and application filtering. They also employ a more secure firewall technique called dynamic packet filtering. With regular packet and application filtering, a port such as port 80 for HTTP is opened by the firewall and remains open for incoming and outgoing traffic. This presents a network vulnerability that hackers can exploit.
However, stateful inspection firewalls open and close ports as they are needed for traffic, drastically decreasing vulnerability to external attacks. Most popular firewalls, such as Microsoft Proxy Server 2.0, Network Ice’s ICEpac, and the leading UNIX solutions, use dynamic packet filtering.
Allowing VPN traffic
Now that you can see how various firewalls function, hopefully you can identify several places on your network where your VPN connection could be tripped up. Let’s see what filters you need to set up on these firewalls in order for VPN traffic to pass through them. In terms of protocols, we’ll cover VPN connections made using PPTP or L2TP over IPSec. We will begin with VPN filters at Layer 3 of the OSI reference model and work our way up to Layer 7.
When we look at receiving VPN traffic at Layer 3 we need to examine both the router that provides Internet access and the VPN server’s external interface. In some cases, the VPN server may have an external interface that connects directly to the Internet, such as an ISDN adapter. The router and/or the VPN external interface must be configured to accept TCP/IP connections from the VPN clients and/or VPN servers that will be connecting to it from the Internet. Thus, the access control lists (which manage filters at Layer 3) must be configured to allow incoming traffic from the IP addresses of these clients and servers. For remote VPN servers that are connecting, this will probably be a real IP, which will be easy to configure. However, for remote clients who are probably using a dial-up connection to an ISP and getting a different IP address each time, this is more challenging. If you have a restrictive IP access policy in place, you can get the range of IP addresses this client could use from his or her ISP or figure it out by deduction after a few connections. The other option is to allow access to all IP addresses by default and let upper-level filters accept or deny their packets based on application criteria.
Above Layer 3, at the transport and application layers, we need filters that allow PPTP or L2TP with IPSec traffic based on the ports and protocols they use. PPTP uses TCP port 1723 for the control connection, plus GRE (Generic Routing Encapsulation, IP protocol 47) for the tunneled data. GRE is an IP protocol, not a TCP or UDP port, so it cannot be opened with a port filter. For the most part, if you are using a commercial firewall solution, its predefined PPTP filter takes care of both. But if you're working with more complex firewall systems and do-it-yourself servers, such as Linux, you'll need to permit protocol 47 explicitly; the telltale symptom of forgetting it is a client that connects on port 1723 and then times out when the tunnel is brought up. Microsoft solutions such as Proxy Server 2.0 and the forthcoming Internet Security and Acceleration Server 2000 have predefined "PPTP receive" and "PPTP call" filters. These generally work pretty well.
Remember, you will need to be aware of the geography of your VPN server in relation to your firewall. For example, if your VPN server is behind your firewall, which connects to the Internet via a Cisco router, and you are receiving connections only from individual VPN clients (and not remote servers), you’ll set up a firewall filter to accept incoming traffic on port 1723 or simply select the predefined “PPTP receive” with a Microsoft solution. You'll also need to go into the Cisco router and make sure that there are no access control lists filtering the VPN traffic.
As for L2TP with IPSec, the same principles apply, but the ports and protocols differ: IKE (Internet Key Exchange) uses UDP port 500, and the encrypted traffic is carried by ESP (Encapsulating Security Payload), which is IP protocol 50 rather than a port, the equivalent of GRE for PPTP. The L2TP packets themselves (UDP port 1701) ride inside the ESP packets, so a firewall in front of the VPN server never sees port 1701 in the clear and needs no separate filter for it; what it must pass to the VPN server is UDP 500 and IP protocol 50. Do not assume the ESP header is stripped before the traffic reaches the firewall: it is removed only by the IPSec endpoint that decrypts it, so if ESP is blocked the IKE exchange will succeed and the connection will then hang. If the VPN server and firewall are the same box (the colocated option), allow UDP 1701 on that host only for traffic that arrived protected by IPSec. Newer IPSec implementations also support NAT traversal, which wraps ESP in UDP port 4500; permit that as well if your clients sit behind NAT.
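The two filter sets just described (TCP 1723 plus GRE for PPTP; UDP 500 plus ESP for L2TP/IPSec), written out as iptables rules for a do-it-yourself Linux firewall that sits in front of the VPN server. This is an added example and not code from the original article; the VPN server address 192.0.2.10, the external interface eth0, and a FORWARD chain with a default DROP policy are assumptions. The final ESTABLISHED,RELATED rule is the stateful behaviour described under "Packet filtering and application filtering": return traffic is admitted per flow instead of leaving ports open permanently.

```shell
#!/bin/sh
# Added example, not from the original article: print the iptables rules a
# Linux packet-filtering firewall needs to pass PPTP or L2TP/IPSec traffic to
# a VPN server behind it (the "behind the firewall"/DMZ placement).
# Assumptions (not from the article): VPN server 192.0.2.10, external
# interface eth0, FORWARD chain with a default DROP policy. The rules are
# printed for review; pipe the output into sh as root to apply them.

vpn_forward_rules() {
    proto="$1"                 # pptp | l2tp-ipsec
    vpn="${2:-192.0.2.10}"     # assumed VPN server address
    ext="${3:-eth0}"           # assumed Internet-facing interface

    case "$proto" in
    pptp)
        # Control channel: TCP port 1723.
        printf 'iptables -A FORWARD -i %s -d %s -p tcp --dport 1723 -j ACCEPT\n' "$ext" "$vpn"
        # Data channel: GRE is IP protocol 47, not a port. Omit this and the
        # client connects on 1723, then times out bringing up the tunnel.
        printf 'iptables -A FORWARD -i %s -d %s -p 47 -j ACCEPT\n' "$ext" "$vpn"
        printf 'iptables -A FORWARD -o %s -s %s -p 47 -j ACCEPT\n' "$ext" "$vpn"
        ;;
    l2tp-ipsec)
        # IKE on UDP 500; UDP 4500 is IPSec NAT traversal, needed when clients
        # sit behind NAT (it postdates the article; listed for completeness).
        printf 'iptables -A FORWARD -i %s -d %s -p udp --dport 500 -j ACCEPT\n' "$ext" "$vpn"
        printf 'iptables -A FORWARD -i %s -d %s -p udp --dport 4500 -j ACCEPT\n' "$ext" "$vpn"
        # ESP is IP protocol 50. It reaches the firewall intact; only the VPN
        # server strips it. The L2TP packets (UDP 1701) are inside the ESP
        # payload, so no separate 1701 rule is needed on this firewall.
        printf 'iptables -A FORWARD -i %s -d %s -p 50 -j ACCEPT\n' "$ext" "$vpn"
        printf 'iptables -A FORWARD -o %s -s %s -p 50 -j ACCEPT\n' "$ext" "$vpn"
        ;;
    *)
        echo "vpn_forward_rules: unknown VPN type '$proto' (use pptp or l2tp-ipsec)" >&2
        return 2
        ;;
    esac
    # Stateful rule: replies from the VPN server for the TCP/UDP flows above.
    printf 'iptables -A FORWARD -o %s -s %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$ext" "$vpn"
}

# Example invocation: prints the PPTP rule set for the assumed addresses.
vpn_forward_rules pptp
```

Run it as `vpn_forward_rules l2tp-ipsec 203.0.113.5 eth1` to get the IPSec variant for another server and interface. The Internet router in front of this firewall still needs its own ACL to pass the same protocols, as the article notes; these rules only cover the firewall itself.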
Conclusion
Hopefully, the principles we reviewed here will enable you to better understand where your VPN connection could be running into snags in connecting through firewalls, proxy servers, and routers. We didn’t try to provide a step-by-step how-to on configuring firewalls and filters because of the vast configuration differences in the various hardware and software platforms, as well as the myriad different network topologies that are possible. However, you should be able to locate information on configuring filters and access control lists for your specific hardware and software platforms on the vendors’ Web sites. It also wouldn’t hurt to offer a sacrificial NIC or 100baseT cable to the networking gods before attempting your configuration.
*http://www.techrepublic.com/article/configuring-vpn-connections-with-firewalls/1032495
Wednesday, November 23, 2011
manage firewall by APF
Takeaway: Vincent Danen shares one option for managing your Linux firewall, the Advanced Policy Firewall (APF). Here are some tips on installation and configuration.
When it comes to managing a firewall on Linux, there are a number of options. You can use GUI tools that come with your distribution (such as system-config-firewall on Fedora); you can use third-party packages such as Shorewall; or you can write iptables rules yourself, usually in a place like /etc/sysconfig/iptables. For those familiar with iptables and its syntax, the latter is indeed an option, but for those without knowledge of iptables, the former two are the more likely choices.
If you run a server, you can use the text-mode equivalent to system-config-firewall (system-config-firewall-tui, again on Fedora) or you can opt for a third-party package that attempts to make management of the firewall easier. For years, I looked to Shorewall as that third party tool and while it makes understanding the firewall rules easier, it doesn’t really make the configuration of the firewall any simpler.
Lately I have been enjoying the Advanced Policy Firewall (APF), which is similar to Shorewall in many respects, but is easier to configure.
On Debian you can install APF via apt; the package is named apf-firewall. For most other distributions you may need to install it manually, which isn’t difficult. It can be done using:
$ curl -OL http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar xvzf apf-current.tar.gz
$ cd apf-9.7-1
$ sudo ./install.sh
You must run the installation as root (hence the sudo above) because configuration files are placed in /etc/. Since the tarball is fetched over plain HTTP, verify it against a checksum or signature obtained out of band before running install.sh as root. Once this is done, you will have an initscript to start APF in /etc/init.d/ and the configuration files located in /etc/apf/. The primary configuration file is /etc/apf/conf.apf.
To configure the firewall, edit /etc/apf/conf.apf. A few important variables to set include:
EGF="1" # enable outbound packet filtering
IFACE_IN="eth0" # inbound interface to filter
IFACE_OUT="eth0" # outbound interface to filter
DEVEL_MODE="1"
The DEVEL_MODE option should only be used during testing. It sets up a cron job that runs every five minutes to disable the firewall, which is useful if you lock yourself out. Once the firewall is working, you must set DEVEL_MODE="0". Change the IFACE_IN and IFACE_OUT interfaces to suit your system; on a VPS it might be "venet0", for instance.
Next, you will need to define which ports are allowed. You can do this for both TCP and UDP:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,5666,30000_30100"
IG_UDP_CPORTS="21,53,465,873"
The above might be typical for a cPanel/WHM setup. This allows a number of inbound ports: those necessary for cPanel and WHM, as well as FTP, SSH, SMTP, DNS, HTTP, IMAP(S), POP3(S), and others. Specify port ranges using an underscore delimiter (e.g., "30000_30100" opens ports 30000 through 30100 inclusive, which is the range used in the list above; port numbers must stay within 1 to 65535). To define permitted outbound ports, use EG_TCP_CPORTS and EG_UDP_CPORTS (same syntax as the ingress (IG) definitions).
There are a lot of other entries in the configuration file and it’s likely worth reading them over and tweaking as necessary. For the most part, the defined defaults are fine. The only exception is if you are using a kernel with the iptables modules compiled into the kernel, rather than available as loadable modules, which is often the case on a VPS. In that case you will also need to set SET_MONOKERN="1" in the configuration file.
Once this is done, you can use the initscript to start apf, or the apf command itself (typically located in /usr/local/sbin/):
# /etc/init.d/apf start
Use the output of "iptables -L -n" (the -n avoids slow reverse DNS lookups) to judge whether the rules are suitable, and of course test from a remote computer to ensure that what you want opened is open and that the rest is closed (nmap is a good way to check for open ports). Also check /var/log/apf_log while you have DEVEL_MODE enabled so you can see what APF is doing.
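A way to review the port lists before starting APF and to check the remote nmap scan against them afterwards. This is an added example and not part of the original post or of APF itself: it parses the IG_TCP_CPORTS/IG_UDP_CPORTS syntax (comma separated, ranges as lo_hi), prints the iptables rules each entry implies, rejects port numbers outside 1 to 65535 (a range end such as 301000 is exactly the kind of typo it catches), and lists any port nmap reports open that the configuration does not allow. The interface name eth0 is an assumption, and the nmap lines are constructed, not a real scan.

```shell
#!/bin/sh
# Added example, not part of the original post or of APF: expand an APF-style
# port list (IG_TCP_CPORTS/IG_UDP_CPORTS syntax, comma separated, ranges as
# lo_hi) into the iptables rules it implies, refusing anything outside
# 1-65535, and compare a port scan against the list so unexpected open ports
# stand out. The nmap output below is constructed, not a real scan.
# Assumed interface name: eth0.

# apf_valid_port N: digits only and within 1..65535.
apf_valid_port() {
    case "$1" in
    ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# apf_expand_cports tcp|udp "22,80,30000_30100" [iface]
# Prints one iptables INPUT rule per entry; returns 1 if any entry is invalid.
apf_expand_cports() {
    proto="$1"; spec="$2"; iface="${3:-eth0}"; rc=0
    old_ifs="$IFS"; IFS=,
    for entry in $spec; do
        case "$entry" in
        *_*)
            lo="${entry%%_*}"; hi="${entry#*_}"
            if apf_valid_port "$lo" && apf_valid_port "$hi" && [ "$lo" -le "$hi" ]; then
                printf 'iptables -A INPUT -i %s -p %s --dport %s:%s -j ACCEPT\n' "$iface" "$proto" "$lo" "$hi"
            else
                echo "apf_expand_cports: invalid range '$entry'" >&2; rc=1
            fi ;;
        *)
            if apf_valid_port "$entry"; then
                printf 'iptables -A INPUT -i %s -p %s --dport %s -j ACCEPT\n' "$iface" "$proto" "$entry"
            else
                echo "apf_expand_cports: invalid port '$entry'" >&2; rc=1
            fi ;;
        esac
    done
    IFS="$old_ifs"
    return $rc
}

# apf_spec_allows "22,80,30000_30100" 30050: true if the port is in the list.
apf_spec_allows() {
    spec="$1"; port="$2"; found=1
    old_ifs="$IFS"; IFS=,
    for entry in $spec; do
        case "$entry" in
        *_*) [ "$port" -ge "${entry%%_*}" ] && [ "$port" -le "${entry#*_}" ] && found=0 ;;
        *)   [ "$port" -eq "$entry" ] && found=0 ;;
        esac
    done
    IFS="$old_ifs"
    return $found
}

# apf_unexpected_open SPEC "nmap output": prints each tcp port nmap reports
# open that SPEC does not allow (one per line). Empty output is the good case.
apf_unexpected_open() {
    spec="$1"
    printf '%s\n' "$2" | while IFS= read -r line; do
        case "$line" in
        [0-9]*/tcp*open*)
            port="${line%%/*}"
            apf_spec_allows "$spec" "$port" || printf '%s\n' "$port" ;;
        esac
    done
}

# Constructed sample: what "nmap -p- host" might print for a server whose
# conf.apf allows 22, 80 and 30000_30100 but where rpcbind was left running.
SAMPLE_SCAN='22/tcp    open  ssh
80/tcp    open  http
111/tcp   open  rpcbind
30050/tcp open  unknown'

# Example run: the rules for the list, then the audit of the sample scan
# (which reports 111 as unexpectedly open).
apf_expand_cports tcp "22,80,30000_30100"
apf_unexpected_open "22,80,30000_30100" "$SAMPLE_SCAN"
```

To audit a real host, paste the port lines of the nmap output into the second argument of apf_unexpected_open and the IG_TCP_CPORTS value from conf.apf into the first; anything printed is open on the box but not accounted for by the firewall policy.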
APF is fairly straightforward and is pretty easy to use for defining a basic firewall. There is also a lot of power under the hood that allows APF to respond dynamically to potential threats and can be easily used by other scripts to block IPs that are making too many connections to the system or are having a lot of failed logins, such as when used with something like fail2ban or other similar scripts.
If you’re looking for a simple yet powerful firewall management system, consider APF. I’ve found it to work extremely well, and definitely find it easier to use than Shorewall.
*http://www.techrepublic.com/blog/opensource/use-apf-to-manage-your-firewall/2302
When it comes to managing a firewall on Linux, there are a number of options. You can use GUI tools that come with your distribution (such as system-config-firewall on Fedora); you can use third-party packages such as Shorewall; or you can write iptables rules yourself, usually in a place like /etc/sysconfig/iptables. For those familiar with iptables and its syntax, the latter is indeed an option, but for those without knowledge of iptables, the former two are the more likely choices.
If you run a server, you can use the text-mode equivalent to system-config-firewall (system-config-firewall-tui, again on Fedora) or you can opt for a third-party package that attempts to make management of the firewall easier. For years, I looked to Shorewall as that third party tool and while it makes understanding the firewall rules easier, it doesn’t really make the configuration of the firewall any simpler.
Lately I have been enjoying the Advanced Policy Firewall (APF), which is similar to Shorewall in many respects, but is easier to configure.
On Debian you can install APF via apt; the package is named apf-firewall. For most other distributions you may need to install it manually, which isn’t difficult. It can be done using:
$ curl -OL http://www.rfxn.com/downloads/apf-current.tar.gz
$ tar xvzf apf-current.tar.gz
$ cd apf-9.7-1
# sudo ./install.sh
You must run the installation as root because configuration files are placed in /etc/. Once this is done, you will have an initscript to start APF in /etc/init.d/ and the configuration files located in /etc/apf/. The primary configuration file is /etc/apf/conf.apf.
To configure the firewall, edit /etc/apf/conf.apf. A few important variables to set include:
EGF="1" # enable outbound packet filtering
IFACE_IN="eth0" # inbound interface to filter
IFACE_OUT="eth0" # outbound interface to filter
DEVEL_MODE="1"
The DEVEL_MODE option should only be used during testing. This sets up a cronjob that runs every five minutes to disable the firewall — useful if you muck something up. When the firewall is working, you must set DEVEL_MODE=”0″. Change the IFACE_IN and IFACE_OUT ports to suit your system; on a VPS it might be “venet0″, for instance.
Next, you will need to define which ports are allowed. You can do this for both TCP and UDP:
IG_TCP_CPORTS="20,21,22,25,26,53,80,110,143,443,465,993,995,2077,2078,2082,2083,2086,2087,2095,2096,5666,30000_30100"
IG_UDP_CPORTS="21,53,465,873"
The above might be typical for a cPanel/WHM setup. This allows a number of inbound ports: those necessary for cPanel and WHM, as well as FTP, SSH, SMTP, DNS, HTTP, IMAP(S), POP3(S), and others. Specify port ranges using an underscore delimiter (e.g., "30000_30100" opens ports 30000 through to and including 30100). To define permitted outbound ports, use EG_TCP_CPORTS and EG_UDP_CPORTS, which use the same syntax as the ingress (IG) definitions.
There are a lot of other entries in the configuration file and it’s worth reading them over and tweaking as necessary. For the most part, the defaults are fine. The one exception is a kernel with iptables compiled in rather than available as a loadable module, which is often the case on a VPS. In that case you will also need to set SET_MONOKERN="1" in the configuration file.
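A pre-flight check for the settings discussed above, added here as an example and not part of APF or the article: it reads a conf.apf, refuses a configuration that is still in DEVEL_MODE, and validates every entry in the IG_/EG_ port lists (single ports and LOW_HIGH ranges must fall within 1 to 65535, with LOW not above HIGH). The sample conf.apf it writes is constructed, and deliberately contains a range whose upper end exceeds 65535, the kind of typo that silently leaves a range unopened.

```shell
#!/bin/sh
# Sanity-check an APF conf.apf before switching DEVEL_MODE off.
# Example code, not part of APF; it only understands KEY="value" lines.

# port_ok N -> 0 if N is an integer in 1..65535
port_ok() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_cports "20,21,30000_30100" -> 0 if every entry is a valid port
# or a valid LOW_HIGH range (APF's underscore range syntax)
validate_cports() {
    vrc=0
    for entry in $(printf '%s' "$1" | tr ',' ' '); do
        case $entry in
            *_*)
                low=${entry%%_*}
                high=${entry#*_}
                if ! port_ok "$low" || ! port_ok "$high" || [ "$low" -gt "$high" ]; then
                    echo "bad port range: $entry" >&2
                    vrc=1
                fi
                ;;
            *)
                if ! port_ok "$entry"; then
                    echo "bad port: $entry" >&2
                    vrc=1
                fi
                ;;
        esac
    done
    return $vrc
}

# get_var FILE KEY -> value of the last KEY="value" line in FILE
get_var() {
    sed -n "s/^$2=\"\\([^\"]*\\)\".*/\\1/p" "$1" | tail -n 1
}

# check_conf FILE -> 0 if the config is ready for production use
check_conf() {
    crc=0
    if [ "$(get_var "$1" DEVEL_MODE)" != "0" ]; then
        echo "DEVEL_MODE is not \"0\": the cron job will keep disabling the firewall" >&2
        crc=1
    fi
    for key in IG_TCP_CPORTS IG_UDP_CPORTS EG_TCP_CPORTS EG_UDP_CPORTS; do
        val=$(get_var "$1" "$key")
        [ -z "$val" ] && continue
        validate_cports "$val" || { echo "  (in $key)" >&2; crc=1; }
    done
    return $crc
}

# write_sample_conf FILE -> constructed conf.apf fragment with two problems:
# still in DEVEL_MODE, and a range whose upper end is not a valid port
write_sample_conf() {
    cat > "$1" <<'EOF'
DEVEL_MODE="1"
EGF="1"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IG_TCP_CPORTS="20,21,22,25,53,80,110,143,443,30000_301000"
IG_UDP_CPORTS="21,53,465,873"
EOF
}

tmp=$(mktemp)
write_sample_conf "$tmp"
if check_conf "$tmp"; then
    echo "conf.apf looks ready for DEVEL_MODE=\"0\""
else
    echo "fix the issues above before setting DEVEL_MODE=\"0\""
fi
rm -f "$tmp"
```

Point check_conf at /etc/apf/conf.apf on a real host; run it again after flipping DEVEL_MODE so the cron job does not undo a working ruleset.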
Once this is done, you can use the initscript to start apf, or the apf command itself (typically located in /usr/local/sbin/):
# /etc/init.d/apf start
Use the output of "iptables -L" to judge if the rules are suitable and, of course, test from a remote computer to ensure that what you want opened is open and that the rest is closed (nmap is a good way to check for open ports). Also check /var/log/apf_log while you have DEVEL_MODE enabled so you can see what APF is doing.
APF is fairly straightforward and is pretty easy to use for defining a basic firewall. There is also a lot of power under the hood: APF can respond dynamically to potential threats, and other scripts such as fail2ban can easily drive it to block IPs that are making too many connections to the system or racking up failed logins.
If you’re looking for a simple yet powerful firewall management system, consider APF. I’ve found it to work extremely well, and definitely find it easier to use than Shorewall.
*http://www.techrepublic.com/blog/opensource/use-apf-to-manage-your-firewall/2302
Monday, November 14, 2011
Use firewall software like PF to protect your desktop systems
*http://www.techrepublic.com/blog/security/use-firewall-software-like-pf-to-protect-your-desktop-systems/4833?tag=content;siu-container
By Chad Perrin
December 13, 2010, 6:00 AM PST
Takeaway: PF is the default firewall software for OpenBSD, and is an excellent example of a powerful, flexible firewall system. Something like it should be used to protect your desktop computer, and a minimal configuration example can help you get started.
Choosing an operating system with care can ensure a certain amount of security right away. At one end of the spectrum we find Microsoft Windows, which installs with a myriad of often unnecessary services turned on by default, a largely ineffective privilege separation model, and a vendor attitude toward security patching that could reasonably be described as “lackluster”. At the other end, we find OpenBSD, whose core developers obsessively perform code security reviews, and whose base install comes with pretty much nothing turned on that could be used to access the computer remotely.
Once you have selected an OS, based on whatever criteria you decide are most important, measures can be taken to mitigate some of the problems that might come in a default install. For instance, turning off services in MS Windows is an important step toward reducing the security weaknesses normally found in the operating system. A number of other measures are important for any desktop deployment.
Even if all but the most critical services are shut down, there is always the possibility that one of the remaining services will be vulnerable, or that some bug in the system may allow a supposedly deactivated service to be exploitable anyway — or, in the case of an OS whose updates can change basic configuration settings without the user’s knowledge, as often happens with MS Windows — an intentional “feature” of the system management model might allow previously deactivated services to be turned on again.
Firewalls can help reduce your exposure to remote exploits of vulnerabilities in your system’s services. Some OSs have a firewall installed by default, and some of these firewalls are better than others. In some, that firewall software might be active by default, and in others it may be inactive. Configuration may be adequate to your needs, or it may not. In some cases, the default firewall software may not be the best choice available, and it may even be subject to the same potential for having its configuration silently and unexpectedly changed by system updates. These are all concerns that should be investigated by the conscientious user, and addressed with care.
Open source Unix-like systems tend to come with very well-regarded firewall tools, in terms of the fine-grained control they can provide and their strength and effectiveness. The Linux kernel offers iptables; BSD Unix systems offer options such as ipfilter. One of the most highly regarded suites of firewall software is the OpenBSD project’s PF, which has been ported to every major BSD Unix system available. There is even a Microsoft Windows firewall application, Core Force, that claims to be based on PF source code, though it must by necessity be heavily modified to run outside of a BSD Unix environment.
While PF does not by default offer the kind of point-and-click interface that MS Windows users tend to prefer, its flexibility and capability are far beyond what is offered by the Windows Firewall and other MS Windows firewall applications like ZoneAlarm. Amongst firewall software options that compare more directly to PF, it is considered one of the easiest to configure and maintain.
A minimal ruleset for PF on a desktop system can be set up in a handful of lines in a configuration file. On current OpenBSD, NetBSD, and FreeBSD systems, that configuration file is /etc/pf.conf. Such a ruleset might look like this:
tcp_services = "{ ssh }"
block all
pass in proto tcp to any port $tcp_services
pass from lo0 to lo0 keep state
pass out all keep state
Each of these lines serves an important purpose:
tcp_services = "{ ssh }": This is what is called a “macro” in PF parlance. PF macros serve much the same purpose as variables in many programming languages, in that you can use a single term to stand in for a varying value or a more complex value that would take a while to type over and over again. In this example, the SSH protocol has been assigned to the tcp_services macro; if you have other services you need to work with in a similar manner, they can be added to that list, the PF shortcut terms for the various protocols being separated by spaces.
block all: This is the first actual firewall rule in this ruleset. Because PF evaluates from top to bottom, each rule takes precedence over previous rules, so that earlier rules are treated as “defaults” and later rules as exceptions to those defaults. Taking a “least privilege” approach to security is usually a good idea, so we block all traffic by default and use more specific rules later in the ruleset to identify specific cases where we want to allow network traffic through.
pass in proto tcp to any port $tcp_services: This is the rule that makes use of the tcp_services macro. Because many Unix-like desktop systems are configured with an SSH server so that they can be securely accessed remotely from within the same network, for administrative and troubleshooting purposes, this rule allows any SSH traffic into the system. This assumes that you have some kind of external protection, such as a firewall for the entire network so that random security crackers on the Internet cannot directly access the desktop, and that you have your SSH service configured securely on the system as well; otherwise, you may want to use a more restrictive rule for the SSH protocol.
pass from lo0 to lo0 keep state: This rule allows the desktop system to communicate with itself via the localhost interface, which is important for a lot of common system functionality.
pass out all keep state: This rule has two important parts. The first is pass out all, which ensures the system can send out whatever network traffic it needs to send. This can be dangerous on systems that might become infected by malware that then tries to contact the outside world to work mischief. On a firewalled BSD Unix desktop system in a network with good perimeter defense, operated by a tech-savvy user, this risk is so minimal as to be nearly nonexistent; on an MS Windows system, it is much more substantial, regardless of other conditions. Regardless of the OS, however, the risk does still exist. The second part of the rule, keep state, ensures stateful operation of network connections. This means that when the local system attempts to communicate with a remote system, and a connection is established, return communications from the remote system will be able to get through — without affecting whether other remote systems will be able to establish unsolicited connections. In the most recent versions of PF, keep state is default behavior for pass rules, but including the keep state instruction should not cause any problems.
PF may be activated and this ruleset loaded in a single command:
pfctl -ef /etc/pf.conf
Further action may need to be taken to ensure that PF will run every time the system is booted, however. On FreeBSD, for instance, PF is not enabled by default. To ensure that it will start on system startup, and pick up your ruleset, add these lines to the /etc/rc.conf file:
pf_enable="YES"
pflog_enable="YES"
If PF is not already running, the above pfctl command on a default FreeBSD install needs to be preceded by loading the PF kernel module with the kldload command:
kldload pf
As already stated, this PF ruleset is minimal. Its simplicity makes it easy to understand, and easy to employ and extend. It may be sufficient for some needs, but improving on it for your particular needs is always a good idea. Even unchanged, however, this ruleset is a tremendous improvement over no firewall at all.
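A tightened variant of the ruleset above, as an added example (not the article's or the OpenBSD project's own code): SSH is accepted only from the local network rather than from anywhere, blocked packets are logged to pflog0, and the ruleset is parsed with pfctl -n before it is allowed to replace the live rules. The interface name em0, the 192.168.1.0/24 prefix, and the use of set skip on lo0 in place of the lo0 pass rule are assumptions; adjust them to your system.

```shell
#!/bin/sh
# Write a stricter desktop ruleset and load it only if pfctl accepts it.
# Example code added for this article; interface and LAN prefix are assumed.

# write_ruleset EXT_IF LAN_NET -> ruleset text on stdout
write_ruleset() {
    cat <<EOF
# Macros (assumed values: the outside interface and the trusted LAN)
ext_if = "$1"
lan_net = "$2"
tcp_services = "{ ssh }"

# Do not filter loopback at all (replaces "pass from lo0 to lo0")
set skip on lo0

# Default deny; "log" sends blocked packets to pflog0 for tcpdump review
block log all

# SSH only from the local network, instead of "to any port" from anywhere
pass in on \$ext_if proto tcp from \$lan_net to any port \$tcp_services keep state

# Outbound traffic and its replies (keep state is the default, kept explicit)
pass out on \$ext_if all keep state
EOF
}

# load_ruleset FILE -> syntax-check first; a typo must never leave the host
# with a half-loaded ruleset. Returns 2 when pfctl is not available.
load_ruleset() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; ruleset written to $1 but not loaded" >&2
        return 2
    fi
    if ! pfctl -nf "$1"; then
        echo "syntax error in $1, live rules left untouched" >&2
        return 1
    fi
    pfctl -ef "$1"   # -e enables PF if it is not already running
}

# Demo with a constructed LAN prefix; write to a scratch file, not /etc/pf.conf
out=${TMPDIR:-/tmp}/pf.conf.example
write_ruleset em0 192.168.1.0/24 > "$out"
load_ruleset "$out" || true
```

On FreeBSD, kldload pf before the first load, and review what the block rule catches with tcpdump -n -e -ttt -i pflog0.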
IPAD Application for enterprise IT
*http://www.techrepublic.com/blog/mac/five-essential-ipad-apps-for-enterprise-it/
By Erik Eckel
April 29, 2010, 6:35 AM PDT
Takeaway: If iPads become as popular as iPhones, they could creep in to enterprise environments. For business users — and the IT department that supports them — here are five essential enterprise apps to consider.
Apple’s iPad is a revolutionary device. Regardless of whether you prefer or dislike Apple technologies and regardless of whether you believe they belong within enterprise environments, they’re coming. Apple sold more than a half million units in the very first week they became available. Enterprise IT administrators would be smart to consider loading/supporting the following iPad applications to help themselves and users make the most of the new computers.
1. MobileIron Sentry
Many ill-informed iPad detractors criticize the new device, stating iPads place enterprise security at risk. That’s simply incorrect. iPads pose no more of a security risk than do smartphones. Using the free MobileIron Sentry iPad app, enterprise IT departments can track iPhones and iPads, view device inventory, block offending or compromised devices, and remotely wipe stolen, lost or compromised units. The application also enables remotely suspending email access for active staff, just-terminated employees, and others.
Paired with the MobileIron Virtual Smartphone Platform, enterprise IT departments can leverage MobileIron Sentry to better manage and secure, not only iPad deployments, but numerous other Smartphone platforms. Among the technologies supported are BlackBerry, Windows Mobile, and Symbian, with Android support forthcoming.
2. Desktop Connect
Enterprise users and administrators needing to remotely connect to other systems can do so using Desktop Connect, an $11.99 application from Antecea Inc. Using 128-bit encryption, Desktop Connect enables iPad users to remotely access and administer Windows XP Professional; Windows Server 2003; Windows Server 2008; Windows Vista Business, Enterprise and Ultimate; Windows 7 Professional, Enterprise and Ultimate; and Mac OS X Leopard and Snow Leopard systems.
Desktop Connect can also be used to connect to secondary systems to view Adobe Flash video, remotely control media players and presentations, access additional files and listen to audio files. The application can also be used to take remote control of a system in order to provide technical support or remote repairs.
3. Apple’s iWork Suite
Apple’s iWork suite includes the Pages word processor, Numbers spreadsheet program, and Keynote presentation application. At $9.99 each, these Multi-Touch-optimized applications are indispensable when you need to create, edit, or share professional documents, spreadsheets and presentations using the iPad. The iWork suite also enables iPad users to work with common Microsoft Office file formats, including .docx, .xlsx and .pptx files, while on the go.
4. PrintCentral for iPad
PrintCentral for iPad is a $9.99 iPad application. The software, sold by EuroSmartz Ltd., enables iPad users to print email messages, documents, spreadsheets, Web pages, photographs, and other files. Files can also be transferred for printing using iTunes synchronization using a cable, but many users will prefer to print directly to printers connected to their Macs or PCs, which PrintCentral for iPad enables.
Travelers will find additional functionality, in that PrintCentral enables users to print from thumb drives or from an integrated full-featured email client. The application also permits mounting iPads as a network disk from a Mac or PC, moving and printing files using iDisk and WebDAV technology, and even copying files over Bluetooth or Wi-Fi.
5. OmniGraffle
Some of the iPad’s biggest strengths, besides its ease of use, are its portability and ability to comprehend intuitive finger movements. If enterprise users are to truly leverage the device’s full capabilities, a simple application is needed that helps organize thoughts, enable freehand drawing, and essentially replace back-of-the-envelope or napkin drawings.
The Omni Group’s OmniGraffle application, a $49.99 program, is an approachable, easy-to-use app users can employ to create freehand drawings, draft diagrams, create tables, record processes, create Web site wireframes, draft page layouts, and more. With numerous included stencils and templates, OmniGraffle quickly makes an enterprise users’ iPad an incredibly powerful and mobile tool that can be used to fuel brainstorming sessions, power what-if conversations, and capture and record critically important notes, all while leveraging the iPad’s Multi-Touch technology.