Proof of Concept entries

Defeating CheckPoint VPN Route-All-Traffic Policy Enforcement

Proof of Concept #firewall, #vpn, #hacks

Quite a few enterprises have chosen to use CheckPoint VPN solutions to allow remote access to their corporate networks. This platform is widely used, and it’s up to the security administrators to create the actual VPN security policies that apply to the connecting clients. Among these security rules, it’s very common to force all of the client’s traffic through the tunnel, whether it is destined for the corporate office or not, such as Internet traffic that the corporation has nothing to do with. There is even a knowledge base entry on how to “Route all traffic from Remote Access clients, including internet traffic, through Security Gateway”. As a sad side effect, when these rules apply, it is also impossible to connect to the VPN client itself from the same subnet the client resides on. This makes it impossible to use SSH reverse port forwards to access corporate resources from outside of this client. However, this would be really useful in my scenario, where the connecting client is a Windows VM on my ArchLinux host, and I’d like to access the over-the-tunnel corporate Unix hosts using the friendly and very convenient OpenSSH from the ArchLinux host, and not from the Windows VM using PuTTY or similarly dumb legacy clients.

Using a netfilter rule with a trick on the ArchLinux host, I managed to set up easy-to-use transparent reverse port forwards that also “comply” with the security enforcement rules of the VPN client.


ArchZFS companion repo for dependent kernel versions

Proof of Concept #linux, #zfs

As per the ArchZFS repository README: “occasionally the OpenZFS project gets behind on stable support for the latest Linux Kernel release. This means that if Linux 4.15 is released to core, but the latest stable release of OpenZFS does not support Linux 4.15, it is not possible to perform a system update. Sometimes it can take a few days, a few weeks, or a month to release a new stable version of OpenZFS”. Based on the good ol’ Gentoo memories, you might think that the package manager of this ultramodern distribution surely can handle different kernel versions installed at the same time? Unfortunately, the implementation reality of pacman, the package manager of ArchLinux, follows a different stereotype.

See my ArchZFS-compatible kernel packages repository that offers a solution for this problem.


The pdnsapp - part 1

Proof of Concept #dns

One of my projects, called pdnsapp, is a Python-based microframework aimed at helping develop DNS-based applications, very much like Flask or Bottle do for HTTP, or like Lamson does for SMTP. Like most frameworks of this kind, it needs an “application server” to run. This server for pdnsapp is currently PowerDNS. For basic functionality it has no dependencies other than the Python standard library.


Nginx as a general purpose TCP proxy

Proof of Concept #nginx

Nginx is well known for its powerful HTTP reverse-proxy features. Although Nginx does its job well in a lot of situations, there is always a need for general TCP proxying. Sadly, this feature does not come bundled with stock Nginx. This is where 3rd-party patches come in. There are quite a few great patches out there; in this post I will write about nginx_tcp_proxy_module made by Weibin Yao from China (he has 13 different promising patches and modules for nginx, definitely worth a check).

Nginx Alternative Root With Conditional Autoindexing

Proof of Concept #nginx

Recently I have developed the following Nginx setup to make my virtual host instance more advanced. It has the following features:

  • The blog root directory is served from a completely different directory than the regular htdocs root. Blog content takes precedence over the other files, so if the requested file is not found in the blog root, it falls back to the regular root.
  • There is a feature for conditional autoindexing (I don’t like to expose my files by default): if I put a .index file into a directory, it will be publicly autoindexed; otherwise Nginx returns a 404 error (instead of the default 403).
  • Handles error_page idioms well.

WiFi + Ethernet bonding

Proof of Concept #networking

When I’m at home, I dislike undocking my laptop to move around the house because the Ethernet-to-WiFi switchover takes long seconds and all my TCP sessions like SSH get lost. This is because my laptop is assigned a different IP address on WiFi and on the wired network, even though they belong to the same VLAN. Well, it looks like this is not the case any more.
