Tag Archives: firewall

Make your own L2 Firewall!

Is what I did this week during the SDN Course on Coursera :)

Within mininet or with a real OpenFlow capable switch, you can point the switch to use a controller. The controller would figure out all the smart stuff and the switch only does what the controller tells it to do.

POX is one of these APIs that you can use to create controllers, it’s good for learning about controllers as it’s not so low level as it’s sibling NOX, which is in C++. There are switches in JAVA too (Floodlight) and many more.

With POX there are some example switches, for example a basic L2 learning switch. It remembers (among quite a few other things) MAC addresses for hosts and remembers in which ports the MAC addresses can be found. With a simple ping: After L2 broadcast is done to find the MAC of the recipient, the controllers install the MAC_source+port and MAC_destination+port as flows on the switches.

What we did this week was to right after the switch is executed, run some extra code that parses a .csv file for MAC address pairs that are not allowed to talk and add these pairs into the flow table.

Pretty cool I think :)

Red Hat Certification – RHCE – Course Outline

Howdy!

In case you saw my previous posts I’ve been prepping for a RHCE course the last couple of weeks.

Here are the posts based on the objectives:

Odds are quite high that I’ve missed something or not gone deep enough into some subjects and for the record some subjects I decided to skip.

I’m taking the course over at Tieturi here in Helsinki and they have published the schedule for the course, with quite detailed outline.

This outline of the course can with benefit be used to see if you missed any terms or functions while going through the objectives.

I’ll go through the ones I find more interesting below:

Network Resource Access Controls

-Internet Protocol and Routing

OK, well this is quite obvious, some commands:

ip addr
ip route
route add
netstat -rn

IPv6

-IPv6: Dynamic Interface Configuration
-IPv6: StaticInterface Configuration
-IPv6: Routing Configuration

You can add IPV6 specific lines in the ifcfg-device files in /etc/sysconfig/network-scripts/. See /usr/share/doc/initscripts*/sysconfig

Some settings can also go into /etc/sysconfig/network

iptables

Netfilter Overview
-Rules: General Considerations
Connection Tracking
-Network Address Translation (NAT)
-IPv6 and ip6tables

 

Web Services

-Squid Web Proxy Cache

On client check what IP you get:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

On server install and setup squid:

yum install squid
vi /etc/squid/squid.conf
#add this line in the right place:
acl localnet src 192.168.1.1/32
#allow port 3128 TCP in the firewall (use very strict access here)
service squid start

On client:

curl --proxy squid-server.example.com:3128 www.guldmyr.com/ip.php

Beware that this is unsecure. Very unsecure. You should at least set up a password for the proxy, change the default port and have as limited firewall rules as possible.

E-mail Services

-Simple Mail Transport Protocol
-Sendmail SMTP Restrictions
-Sendmail Operation

 

Securing Data

-The Need For Encryption

-Symmetric Encryption

Symmetric uses a secret/password to encrypt and decrypt a message.
You can use GnuPG (cli command is ‘gpg’) to encrypt and decrypt a file symmetrically. Arguments:

–symmetric/-c == symmetric cipher (CAST5 by default)
–force-mdc == if you don’t have this you’ll get “message was not integrity protected”

There are many more things you can specify.

echo "awesome secret message" > /tmp/file
gpg --symmetric --force-mdc /tmp/file
#(enter password)
#this creates a /tmp/file.gpg
#beware that /tmp/file still exists
#to decrypt:
gpg --decrypt /tmp/file.gpg
gpg: 3DES encrypted data
gpg: encrypted with 1 passphrase
awesome secret message

 

-Asymmetric Encryption

Uses a key-pair. A public key and a private key.
A message encrypted with the public key can only be decrypted with the private key.
A message encrypted with the private key can only be decrypted with the public key.

GnuPG can let you handle this.

Login with a user called ‘labber’:

gpg --gen-key
# in this interactive dialog enter username: labber, e-mail and password
# this doesn't always work, might take _long_time_, eventually I just tried on another machine
echo "secret message" > /tmp/file
gpg -e -r labber /tmp/file
# enter password
gpg --decrypt /tmp/file
# enter password

To export the public key in ASCII format you can:

gpg --armor --output "key.txt" --export "labber"

However, how to encrypt a file with somebody else’s public key?

-Public Key Infrastructures – PKI

Consists of:

  • CA – certificate authority – issues and verifies digital certiciates
  • RA – registration authoriy – verifies user identity requesting info from the CA
  • central directory – used to store and index keys

-Digital Certificates

A certificate has user details and the public key.

Account Management

-Account Management
-Account Information (Name Service)
Name Service Switch (NSS)
Pluggable Authentication Modules (PAM)
-PAM Operation
-Utilities and Authentication

 

PAM

Basically a way to authenticate users. You can put different types of authentication ways behind PAM. So that a software only needs to learn to authenticate to PAM and then PAM takes care of the behind-the-scenes-work.

For example you can have PAM connect to an ldap-server.

CLI: authconfig

Files:
/etc/sysconfig/authconfig
/etc/pam.d/
/etc/sssd/sssd.conf

 

RHEL and web-server

Another thing you will notice if you are used to debian is that RHEL has iptables enabled by default.

To alter it you use the ‘iptables’ command. It is quite complex and there are good guides out there.

If you just want to let http and ssh through you can run this:

iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp –dport 80 –tcp-flags SYN,RST,ACK SYN -j ACCEPT
iptables -I RH-Firewall-1-INPUT 3 -p tcp -m tcp –dport 22 –tcp-flags SYN,RST,ACK SYN -j ACCEPT

You do not have to change anything in httpd (made by apache by the way) to enable it.
Just point your browser. The document root is by default: /var/www/html