I have decided build an open source firewall in linux environment. I have exactly one year to complete this project. The firewall will be a stateful packet filtering firewall working at network, transport and application layers. I would also be provided log analysis features. What I want to know is whether this is a good enough project or put in other words, is it a worthwhile project to undertake?
View 13 RepliesI am trying to develop a firewall from scratch in linux environment using C. Actually its more of a Unified Threat Management sysytem .which features to include like antispam, content filtering, vulnerability analyzing,etc.I have exactly 1 year to complete this project which features can be coded completely in time. Actually I have broken the process of development in 4 stages namely :
1. Capture the packet (using libcap)
2. Break the packet into headers and data (using libpcap)
3. Analyze the headers and data and make a decision
4. ACCEPT or DROP the packet
Its the third step that will depend on the features which are included in the project. I plan to code using the UNIX Socket API.
This lab teaches the application performance of two different networkarchitectures: Daisy Chain and Collapsed Backbone Network. The bookshows a collapsed backbone data network in which there is a core switch inthe basement equipment room. The core switch is linked directly to aworkgroup switch on each floor. Another option is to link the switches in adaisy chain. In this approach, the basement core switch is linked directly tothe first floor switch, the first floor switch is linked directly to the second floorswitch, and so forth.This lab shows the application latency introduced by connecting buildingswitches in different ways.
OverviewOperations building has 10 floors, each havingmany users connected to a 10Base-T workgroup switch in the telecommunications closet. The users share an Oracle server and seven fileand print servers in the basement.In Scenario 1, the switches on each floor are daisy chained to the core switchin the basement. We will see that this daisy chain approach introduces highapplication latency to users on the highest floor.In Scenario 2, the daisy chain topology is retained, but the core switch ismoved to the fifth floor. We will see that this reduces latency on the highestfloor but increases it on the bottom floor.In Scenario 3, the core switch is kept in the basement, but ollapsedbackbonetopology is used, in which the core switch in the basement is linked directly to the workgroup switch on each floor.
Several users are connected to a switch on each of the 10 floors. The share an Oracle server and 7 File, Print, and Email servers in the basement.The users on different floors are running a 2 Tier Oracle application. We willstudy the performance of this application.And showed me the error message in pictures (3) I asked the doctor and she told me to change the Switch name (located in the red box in picture) but still error constant I think the error is due to the type of Switch (core switch) or the type of link between the (core switch) and (7 File Print & Email Ervers)
Need securing a wireless environment in a hotel? The SSID has to be broadcast of course but how can we protect guests from man in the middle attacks, etc.? Currently the environment is all AP1200s with no hardware upgrades in the near future. There is also a 2811 router in place but nothing else. We would love to be able to force users to authenticate with a password in order to get out to the Internet as well.
View 2 Replies View RelatedI've been reading for the past hour about opening ports on Ubuntu 12.04 and I can't seem to get anything to work. I'm running a program with an RPC server accepting local connections on localhost (127.0.0.1) which has allowed ip range 192.168.*.*
I've tried to edit the iptables to allow incoming connections, but curl still can't connect to the RPC server no matter what I do.
$ sudo iptables -A INPUT -i eth0 -p tcp --dport 18332 -j ACCEPT
$ nmap -v -sT localhost
Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-13 05:54 UTC
Initiating Ping Scan at 05:54
[Code].....
I have recently acquired an ASUS RT-N16 router. My original plan for it was to install Tomato on it. However, after checking their website i found out that the firmware was not updated in the last 2 years. There seem to be a few updated mods but none of them really seemed mature/stable/well-documented.
I would like to know what other people recommend as open-source firmware for this router. I know the answers will probably be subjective; so i will give a bit of background on my needs:
for now i will only use the Wi-Fi on an Android phone the connection will not be shared with anyone (so QOS is optional)i want a stable (wired) connection on my PC (for online gaming etc.)i want the (wired) download/upload speeds to be as close as possible to those achieved by directly plugging the Ethernet cable to the PC's network card; i have a 100 Mbps connection my ISP uses PPPOE my technical level: i am a software developer and i have good knowledge of bash scripting, but no experience with networking
Also, i know that i could probably just use the stock firmware (and maybe will use it for a while), but i'm interested in trying an open-source version (for more features, flexibility, as a learning exercise etc.)
what is the best open source website load testing tool?
View 3 Replies View RelatedI just upgraded an ASA-5510 from 7.0 to 8.4.4-1 and theres a lot of stuff in it I don't recognize that I never added, mostly because of new network objects, nat commands, and other migration stuff. Its been awhile since I've configured the ASA and I think I'd like to start from scratch and clean it up a bit because theres so many lines for so little that I really need.
I have a 5510 assigned an IP address on the outside interface with 3 inside interfaces and below are the only requirements I need.
Network-A (192.168.1.0/24)
- incoming ssh port 2202 goes to node 192.168.1.2
- incoming ssh port 2203 goes to node 192.168.1.3
- handle incoming https (443) requests
- handle incoming www (80) requests
- cannot see Network-B or Network-C
Network-B (10.0.0.0/16)
- ssh to nodes on Network-A
- incoming ssh port 22 goes to node 10.0.0.20
Network-C (192.168.2.0/24)
- ssh to nodes on Network-A
- incoming ssh port 2210 goes to node 192.168.2.2
ASA-5510
- sends logging to syslog node 192.168.1.3 on Network-A
- there are DNS and NTP servers located outside
I upgraded the firmware on my wrt54gs this morning and after the upgrade i have a light on the front where it says ( Cisco Systems ) is this anything to worry about?the upgrade was from Ver.3 to Ver.4.Ubuntu 11.04 on a Fujitsu lifebook t4210 tablet pc.in a world of open source who needs windows and gates
View 7 Replies View RelatedI am looking for a Cisco firewall to replace a Sonicwall NSA240 firewall in SME environment?
View 3 Replies View RelatedDoes the FWSM for a 6506/6509 is supported in a VSS environment?Also, does the FWSM work with the 2T supervisor module?
View 1 Replies View RelatedWe run a 6500 with an FWSM with multiple security contexts as well as cascading contexts with a "shared V LAN" . There is a problem with regards to Linux machines and our shared network.
For example, we have three Linux machines in production, each in three separate V LAN's. For me to communicate to these boxes from one V LAN to another I must first ping the server. If I do not ping the server it will not bring up a connection like ssh or HTTP, etc. Below is the error I get from the FWSM that hosts the Linux server, but like I said once I ping the server the error goes away. We only have this problem with Linux machines, and it is a problem for all three of them. Is the FWSM having issues understanding something with all three Linux boxes? Below is the error I get at first, when I try to SSH from one V LAN to another V LAN with the Linux machine.
6 Dec 21 2012 16:33:54 106015 10.255.12.109 22 10.255.1.30 63000
Deny TCP (no connection) from 10.255.12.109/22 to 10.255.1.30/63000 flags SYN ACK on interface inside.
Below is what happens when I initiate a ping to the Linux Server and then ssh again. Notice it builds the connection with no problem after the ping. During the ping it builds the dynamic translation, and then when I ssh it builds the TCP connection. Do you know why this could be?
6 Dec 21 2012 16:35:08 305009 10.255.12.109 10.255.12.109
[Code]....
I was able to connect to my ASA 5510 with a browser, install ASDM, and configure my ASA 5510 with my Windows 7 laptop. Since I needed the laptop for another task, I am now trying to connect using a Linux laptop to do the same, but without success.
I can ssh into the firewall using the management port (192.168.1.1) from the Linux command line. However, I cannot connect using a browswer (192.168.1.1) to install ASDM.
I Have web server (linux) sits in the DMZ (asa 5520) segment and this server should be accessible form the internet,
1)how to make this server https based access over SSL
2)how to protect this server form network and security standpoint?
I have a internal subnet 192.168.3.0/24 sitting behind an ASA firewal 8.2 and would behind accessing to web server 192.168.11.54 which sits behind the outside interface of the ASA firewall.The access would be like this:
1) 192.168.3.0/24 will be accesing to the web server http://192.168.11.54
2) We would like to translate the source 192.168.3.0/24 to the firewall outside IP address
3) We would like to translate the destination web server 192.168.11.54 to 202.90.197.146 as well
How to perform this simultaneous source and destnation address translation in ASA firewall 8.2? Could this be done in ASA firewall 8.2?
Does ASA 8.4.3 check the source IP address of a DNS reply and drop it if the reply address is different to that in the query?
Customers DNS server does this due to a recent change, their server now has a virtual address, but replies are sent from its physcial address. This is temporary. Their PIX is happy with this.
Replace the PIX with the ASA, DNS fails, the only reason I can see is due to the way their internal DNS operates.
I have been tasked with building a vpn tunnel with a partner company between our company's PIX firewall and the other company's ASA's firewall. The traffic flow will be Partner A company users will be accessing my company's Citrix server. I want to source-pat the partner company user traffic to my company's PIX inside interface as it enters my LAN to access my company's Citrix server. The partner company will be PAT'ing their user traffic to a single ip address - let's say for discussion purpose it is 68.108.244.25. So there will be site-to-site vpn configuration and nat configuration required to be performed to enable this traffic flow according to the above requirements. I am comfortable with the site-to-site vpn configuration tunnel so I don't think it is necessary to post this portion of the configuration to be reviewed by this form. What I do need is NAT portion of the configuration.
{My Company's Citrix Server} ---------<inside ifc>-[PIX525]-<outside ifc>--------(internet)------{Partner Company A host PC's}
10.100.12.103 68.108.244.25
My proposed configuration to enable nat'ing (or pat'ing) Partner A user traffic to my PIX firewall's inside interface is the following:
global (inside) 9 interface
nat (outside) 9 access-list PartnerA_source_nat
access-list extended PartnerA_source_nat permit host 68.108.244.25 host 10.100.12.103
I have a server in a DMZ of my 8.4 ASA with nat:
object network FTP-SERVER
host 192.168.1.102
nat (dmz,outside) static interface tcp ftp ftp
And that's working well. However, I now need to translate the source address of connections from the outside to the FTP server as well. The aim is that the source address of packets when they reach the FTP server is an address on the DMZ subnet (as the default route for the FTP server now needs to be something else, not the ASA) as well as this outside-dmz NAT. I thought overloading the DMZ interface of the ASA? Or another IP in that range?
Ok, so what I want to do is make a router/firewall/proxy (maybe add webserver/FTP as well). Just to start off I want to say that I have moderate knowledge of Linux, enough to administer it from the CL. I have setup routers before but it was years ago and I've forgotten some of the details involved. What I do is a base LAMP install, with DNS, Samba, DHCP server, OpenSSH and then Webmin for easier administration. I've also installed EHCP (easy hosting control panel) in the past but have not at this point.
So, what I want to know is how do I setup the NIC's in the etc/network/interfaces file. Let's say that eth0 connects to the modem and eth1 & 2 are internal adapters. Currently my network is running a Linksys WRT54GL with DD-WRT and the router is set to DHCP for the WAN connection and DHCP is running on the internal network as well. The modem is at 192.168.254.254 and is giving the router an address of 192.168.254.1 my internal network is 192.168.1.1 (192.168.1.0/24). I would like to setup my internal router address to 192.168.1.1 so I guess I need to set it to static in my interfaces config and then set my eth0 to dhcp. Does this sound correct?
So if I do the above my only question is how do I setup the routing tables after that? I always get messed up when I need to make the switch from my Linksys router to my Linux box. I'm not worried about firewall rules at first I can change those once I have the router up and running. I just don't know if I need to make some kind of bridge to bridge the eth0 and eth1 (external NIC and internal NIC).
I am running a Cisco ASA 5550 in active/standby mode. We are currently running ASA OS v8.2(3)5. I am wondering if there is a way I could limit source IP concurrent connections coming in my outside interface. Does the ASA have a feature/ACL syntax that supports this?
View 2 Replies View RelatedThe Cisco ASDM or the event manager show wrong source/destination for teardown tcp messages:In this example the communication is an ssh session;from 1.1.1.1 -> 2.2.2.2 ssh and the connection is reseted by 2.2.2.2
The message build outbound is correct, i.e. source is 1.1.1.1 (message id is 302013)
But the teardown is incorrect, i.e. source for the connection is 2.2.2.2 which is definitely not true (message id is 302014)
Also there seems to be a documentation bug in syslog messages for ASA 8.4 since the message for the teardown 302014 is gone!
I'm using a 2911 as our Public Internet Edge Router. I have 2 public sub net blocks from Sprint, we are in the process of migrating. What i need to do is NAT any source address from the Internet from an address on one of our public blocks to the other.
Example:
Source Address 11.10.10.10 ==> Destination 64.165.123.10 (nat this to 64.165.54.10) inbound.
So if from the internet tries to hit 64.165.123.10 we want to nat that to 64.165.54.10 both of which sit on our public space.
I have a problem with random host's geting the wrong source address on a ASA 5512-X 8.6(1). Right now there is a host, 192.168.25.108, showing up with 6.6.6.6 (fake) on whatsmyip.org, should be 5.5.5.5 like the rest of 192.168.25.0/24. In the xlate tabel I cant find anything wrong. Same yesterday with two host, that are using the right NAT address today.
nat (any,outside) dynamic interface. (5.5.5.5)
object network H-192.168.25.10
nat (inside,outside) static H-6.6.6.6X(code)
Is it possible to NAT source & destination addresses (twice nat) on an ASA5520 running 7.2(5)?
View 4 Replies View RelatedI've got email logging for a few specific syslog messages working and sending to an email server on the inside network. However, the source IP ends up being the DMZ interface. Is there a way to force it to use the inside IP instead?
ASA Code Version 7.22
Inside Interface IP: 10.104.36.4 Mask:255.255.255.0
DMZ IP: 10.100.20.1 Mask:255.255.255.0
SMTP Server IP: 10.100.10.100
Logging commands in config:
logging enable
logging list email-alerts message 106100
logging mail email-alerts
logging from-address ASA@xyz.com
logging recipient-address tgw@xyz.com level debugging
I am setting up an ASA5515 to replace an existing Linux based firewall. Unfortunately the ASA5515 does not support source based routing.I have two internet connections currently used for specific connections - the second connection is NOT a failover connection.I have the default route to Internet connection 1.I want to route smtp out the second Internet connection.The routers connecting to the internet are a 877 and an 878The options I am considering is a layer 3 switch between the firewall and the routers to enable source based routing or replacing the 2 routers with a single router and the appropriate wic interfaces.
View 2 Replies View RelatedI had my network running seamlessly for years, I set it up using a guide from a magazine and had both wired and wireless working A1 and originally it was all win xp pro, 2 desktops and a laptop but got a macbook pro and got that using printer, sharing fies etc. All no problem and it was all easy peasy BUT I have mucked up big time and I think it was because I downloaded some system cleaning software, advanced care, toolwiz and pc pitstop but I was not paying attention and I am sure I clicked a few buttons I should not have done. Result disaster, no longer can share files or print etc.ll I want to do is reset everything and start afresh but how do I do that? I use a netgear router with norton security on main desktop. I have a wii, an xbox, apple tv running as well along with 2 desktops, a laptop and a macbook pro. Tried a few things but nothing worked, when I click on network places I get a list of shared folders but end location shows internet! I have to use netgear switch boxes as well but should not have caused the problem.
View 4 Replies View RelatedI'm trying to configure the 1130AG from scratch but I'm not having any luck. I tried using the IPSU utility and entered the MAC address but it errors, "The device does not answer". I have connected it to a network so it can get an IP from DHCP but it doesn't respond. And when it boots up from factory reset there is no SSID broadcast for me to connect to. I have tried connecting through the Ethernet port and the Console port to my computer but no luck.
View 3 Replies View Relatedcustomer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address, one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 3 Replies View Relatedi have a problem customer has a server which located in inside interace. and an outside interface connected to ISPA. cu config a static nat map inside server address to ISPA address one day customer install a new outside interface to ISPB, cu config new static nat ,map same server inside server address to ISPB address. the server will allways be vistited from outside interface and reply, custome want traffic coming from ISPA will return to ISPA, traffic coming from ISPB will return to ISPB. but i found it is difficult implement this on ASA5580. i want use route-map on static nat, but it will not satisfy customer's request.
View 6 Replies View RelatedI have one public IP address but multiple local servers that run on the same port. I cannot change the port the clients use to connect to this server, so I can't do a port map in my NAT router. The solution I had in mind, is to filter on source address. If a client from public IP X.X.X.X connects to port Z, I want it to go to internal server 10.10.10.10 and if a client from public IP Y.Y.Y.Y connects to port Z, I want it to go to internal server 10.20.20.20. Is this possible? I'm using an ASA5510 but I could also switch to a 5505 for this.
View 3 Replies View RelatedI have two ASA5510-BUN-K9 Fws and I am planning to buy 2 x L-ASA5510-SEC-PL= to put them in HA.I was wondering if the support contract that I curently have for the two ASAs is still valid or do I have to buy any support upgrade?
View 1 Replies View RelatedI have setup an asa 5505 with multiple sub nets (plus license) and a vpn tunnel (ipsec) between this and an other asa on a second branch office (multiple vlans) . Now I need to route only two vlans from the first site to reach some of the second branch networks
let's call them: 1 branch
A-172.16.4.0/24
B-172.16.2.0/24
2 branch
C- 10.10.10.0/24
D- 10.20.10.0/24
E- 10.66.10.0/24
the tunnelis ok From A to CDE . but from B to CDE won't come up. pinging is unsuccessful as well as all other traffic. the connection profile is setup to have both A and B as local networks and A and B by the moment share the same access rules configuration.
logs show firewall 1 let pass and build connections, without denies, but remote firewall does not receive a single packet from the source ip from network B.