Blog Posts

Defeating CheckPoint VPN Route-All-Traffic Policy Enforcement

Quite a few enterprises have chosen to use CheckPoint VPN solutions to allow remote access to their corporate networks. This platform is widely used and it’s up to the security administrators to create the actual VPN security policies that apply to the connecting clients. Among these security rules, it’s very common to force all of the client’s traffic to go through the tunnel, be it destined to the corporate office or not, like Internet traffic that the corporation has nothing to do with. There is even a knowledge base entry on how to set up to Route all traffic from Remote Access clients, including internet traffic, through Security Gateway. As a sad side effect, when these rules apply, it is also impossible to connect to the VPN client itself from the same subnet the client resides on. And this leads to being unable to do SSH reverse port forwards to access corporate resources from outside of this client. However, this would be really useful in my scenario, where the connecting client is a Windows VM on my ArchLinux host, and I’d like to access over-the-tunnel corporate unix hosts using the friendly and very convenient OpenSSH from the ArchLinux host and not from the Windows VM using PuTTY or some legacy dumb client like that.

Using a netfilter rule with a trick on the ArchLinux host, I managed to create easy-to-use transparent reverse port forwards that also “comply” with the security enforcement rules of the VPN client.

Read more →

Quite a few of our customers’ IT guys happen to misinterpret the real meaning of the martian source traffic logs they see on their gateway hosts. Paste your logs in the above area and see their explanations here.

ArchZFS companion repo for dependent kernel versions

As per the ArchZFS repository README: “occasionally the OpenZFS project gets behind on stable support for the latest Linux Kernel release. This means that if Linux 4.15 is released to core, but the latest stable release of OpenZFS does not support Linux 4.15, it is not possible to perform a system update. Sometimes it can take a few days, a few weeks, or a month to release a new stable version of OpenZFS”. Based on the good ol’ Gentoo memories, you might think that the package manager of this ultramodern distribution surely can handle different kernel versions installed at the same time? Unfortunately, the implementation reality of pacman, the package manager of ArchLinux, follows a different stereotype.

See my ArchZFS-compatible kernel packages repository that offers a solution for this problem.

Read more →

Shipping logs to the service

Some of you may have heard of, a yet-another-company that provides ELK as a Service. Their marketing is quite good, they have great newsletters, tutorials and webcasts, so I thought to myself, let’s check ’em out. After registration you are taken to the wiki entry that lets you configure your gear to ship your logs ingest servers. While the wiki looks pretty comprehensive, they evidently missed out the good old Unix player here, syslog-ng. Seeing configuration guides for all these “next-gen”, “cloud-native”, “serverless” totally hyped pieces of crap without mentioning syslog-ng at all, I feel kinda old school.

So this post is the missing manual on how to ship logs to using syslog-ng.

Read more →

One of my projects called pdnsapp is a Python based microframework aimed to help develop DNS based applications, very much like Flask or Bottle do for HTTP or like Lamson does with SMTP. Like most of the frameworks of this kind it needs an ‘application server’ to run. This server for pdnsapp is currently PowerDNS. For basic functionality it has no dependencies other than the Python standard libraries.

Read more →

VTI Tunnel Interface with strongSwan

I successfully managed to get Linux VTI (Virtual Tunnel Interface) working with strongSwan. With VTI it is no longer necessary to rely on the routing policy database, which makes understanding and maintaining routes easier. Also with VTI you can see the cleartext traffic on the VTI interface itself. It was confusing to see actual tunnel traffic before using tcpdump using the standard policy database setup. (There are ulog/nflog hacks to see cleartext traffic in both directions though, similar to BSD pflog.)

Read more →

Thoughts on everyday endianness

Just a quick note on 11/11/11: I’d like to express how awesome big-endian is in all aspects of life. In Hungary we use big-endian for pretty much everything (very much like Japan), e.g. representing dates, family and given names and addresses.

Read more →

Nginx is well known for its powerful HTTP reverse-proxy features. Although Nginx does its job well in quite a lot of situations, there is always a need for a general TCP proxy. Sadly this feature does not come bundled with the stock Nginx. This is where 3rd party patches come in. There are quite a few great patches out there; in this post I will write about nginx_tcp_proxy_module made by Weibin Yao from China (he has 13 different promising patches and modules for nginx, definitely worth a check).

Read more →

Reverse DNS records are good for you. Especially if you run your own SMTP MTAs. Without proper reverse-forward DNS record mapping, some nice anomalies may appear for you. You may have faced the fact that some other MTAs shut down your incoming connection for no particular reason. OpenSSH daemon also has the option to check if your forward and reverse DNS entries match. Also, being on IRC with only an IP address is so 90’s ;)

Read more →

Recently I have developed the following Nginx setup to make my virtual host instance more advanced. It has the following features:

  • The blog root directory is served from a completely different directory than the regular htdocs root. Blog content has preference over the other files, so if the requested file is not found in the blog root, it falls back to the regular root.
  • There is a feature for conditional autoindexing (I don’t like to expose my files by default): if I put a .index file into a directory, it will be publicly autoindexed, otherwise Nginx returns a 404 error (instead of the default 403).
  • Handles error_page idioms well.

Read more →