Windows

• Wan miniport repair tool – solve VPN and dial-up error code 720 and similar PPP/PPTP errors

L2TP

• serverfault: discussion on Windows blocked L2TP server behind NAT firewall by default
• Steven Eppler’s Blog: PPTP and L2TP Ports for Firewall

SSH tunnel

• script to background reconnect ssh tunnel

   
  #!/bin/bash
   while true; do
      echo "try to connect..."
      ssh -o ServerAliveInterval=240 -p 22 -L 2225:localhost:22 user@host -N
      echo "restarting in 5 seconds.."
      sleep 5
   done
  

• autossh – automatic reconnect ssh sessions
• ssh login without password – auto
• ssh login without password – manual create

iptables info

• Phil Hagen’s Scratch Pad – iptables Processing Flowchart

iptables Tips

• How to Log Linux IPTables Firewall Dropped Packets to a Log File
• 25 Most Frequently Used Linux IPTables Rules Examples
• Packet Cloning With iptables (old syntax that use -j ROUTE)

Hardware

• Linksys WRT160N
• Juniper Netscreen SSG5
  ( Support )
• whirlpool: Juniper SSG5 detail specs
• Juniper Forum

Zeroshell

• Zeroshell homepage
• Zeroshell main forum
• default password: admin / zeroshell
• $SCRIPTS path: /root/kerbynet.cgi/scripts/

pfSense

• pfSense homepage
  FreeBSD based mini firewall distribution
• default password: admin / pfsense
• show routing table: netstat -r
• restart openvpn: disable, wait about 1min (to clear routing table), then enable again
• by default the openvpn client will pull settings from server
• openvpn to use tap mode, add command line option: tap

Monowall

• The m0n0wall Traffic Shaper Manual

Vyatta

• Basic Accounts:

  root: root user for setup advanced settings
  vyatta: admin user use to config router

• Config location: /opt/vyatta/etc/config/config.boot
• vyatta Community Edition Firewall
• Install vyatta to harddisk

  Boot from CD
  Login: root
  Password: vyatta
  # install-system

• Vyatta Basic Setup example
  LAN IP, DHCP, Basic NAT
• Basic Operations
  “connect interface pppoe1″ to manually start the pppoe1 interface
• Show similar function of router commands in different platforms
• Negative feedback for Vyatta and pfSense on load-balancing and DMZ setup at 2008-07

Juniper Netscreen Firewall

• Steps to setup NAT Virtual Server/Service in netscreen
• KB4773 – [ScreenOS] How to change the WebUI administration port
• KB10923 – [ScreenOS] MIP – Definition, configuration of MIP to an IP or a subnet, and troubleshooting tips
• KB4739 – How to configure 1-to-1 mapping of a public address to a private address in the WebUI?
• Step by step setup L2TP firewall connection at Juniper
• Reset Netscreen config

  unset all (Yes)
  reset (No, then Yes)
  
  Login username & password with unit serial number

OpenVPN

• OpenVPN on OpenWRT from scratch (be careful, test before put to /etc/rc.local !)
  Add: openvpn –daemon –config /etc/openvpn/server.conf
• openwrt.org: How to setup OpenVPN with bridging

ISA Server 2006

• Database path: ISA 2006\ADAMData\
• ChangeStorageServer.vbs: Change array to use the current server as Primary Storage Server
• Setup failed while registering ISA Server filters.
  • *** This problem could happen if there is a SQL Server installed at the same server
  • Can happen at both ISA Server 2004 SP2 update and ISA 2006
  • Related to Web Filter priority in ISA Server 2004 SP2

General

General Rules

• Deny All is usually the best default rule
• Handle ICMP carefully, block/limit from all outside
• Fragmented packets can create DoS attacks
• Source address filtering must always base on network interface
• Always do logging, log archiving, or write to write only media
• DNS TCP 53 is only used for zone transfer, in general can block the traffic
• MSN, NetMeeting maybe better to have an application gateway because they are using dynamic ports
• Screened Host is the intranet server after firewall (after port forwarding)
• Screened Network / DMZ is the network segment after firewall

Interesting

• Dynamic Packet Filtering (for Outlook-Exchange, Windows Messenger, etc?)
• Sometimes static outbound mapping (port forwarding) maybe needed for outgoing traffic (Firewall outgoing ip always same for certain intranet IP group)
• Some firewall products can do:
  • time-based filtering
  • access base on username (Microsoft ISA?)
  • bandwidth quota
  • Intrusion detection, logging, reporting and fire an alarm. Or even dynamic adjust the policy.
    • Zone transfer attempts
    • Address scans
    • Port scans
    • Ping-of-death DoS attack attempts
• NAT-D (Detect) and NAT-T (Transversal) is needed to support IPSec over NAT gateways
• PPTP does not protect the IP header while IPSec do. So IPSec/L2TP need NAT-D/NAT-T at gateway.
• Any tool to evaluate Firewall effectiveness?
• ICSA Lab (certify commercial Firewall products)