/var/log/jopoy/notes.log

Check http://jason.long.name/dkfilter/ before proceeding with installation.

1. Problems installing Crypt::OpenSSL::RSA
——————————————
install Crypt::OpenSSL::Bignum
install Crypt::RSA ? *irrelevant
install OpenSSL::RSAkey ?
Solved: Just install via rpm from dag http://dag.wieers.com/rpm/packages/perl-Crypt-OpenSSL-RSA/

2. Mail::Address OK

3. MIME::Base64 OK

4. Problems installing Net::DNS
—————————————–
install Test::Pod
Digest::BubbleBabble
Solved: Change NS to to your local forwarded not opendns.

1. Install Postfix
2. Download and Install MailScanner
3. Install Spamassassin

4. /etc/postfix/main.cf
header_checks = regexp:/etc/postfix/header_checks

5. /etc/postfix/header_checks
/^Received:/ HOLD

6. /etc/MailScanner/MailScanner.conf
Run As User = postfix
Run As Group = postfix
Incoming Queue Dir = /var/spool/postfix/hold
Outgoing Queue Dir = /var/spool/postfix/incoming
MTA = postfix

7. #chown postfix.postfix /var/spool/MailScanner/incoming

8. #chown postfix.postfix /var/spool/MailScanner/quarantine

9. mkdir /var/spool/MailScanner/spamassassin

CheckInstall keeps track of all files installed by a “make install” or equivalent, creates a Slackware, RPM, or Debian package with those files, and adds it to the installed packages database, allowing for easy package removal or distribution.

http://freshmeat.net/projects/checkinstall

http://backuppc.sourceforge.net/info.html

C:\WINDOWS>ntdsutil
ntdsutil:

ntdsutil: roles
fsmo maintenance:

fsmo maintenance: connections
server connections:

server connections: connect to server localhost
Binding to localhost …
Connected to localhost using credentials of locally logged on user.
server connections:

server connections: q
fsmo maintenance:

Seize domain naming master
Seize infrastructure master
Seize PDC
Seize RID master
Seize schema master

mysqladmin -u root password MYPASSWORD

Check out:
http://l7-filter.sourceforge.net/

#!/bin/sh -e
# /etc/init.d/remax_firewall : start/stop firewalls
# written by Gabriel L. Briones III <jon@jond3rd.org>
# http://jon.jond3rd.org/firewall.rules
#!/bin/sh
# /etc/init.d/firewall.rules : start/stop firewalls
# written by Gabriel L. Briones III <jon@jond3rd.org>

FW=`which iptables`

if [ ! "$FW" ]; then
echo
echo “FATAL: Unable to locate iptables, is it installed?”
echo ” or you may want to check first your PATH”
echo
echo “unable to continue, exiting ….”
sleep 2
echo
exit 1
fi

INT_IFACE=eth2 # Facing the LAN
DMZ_IFACE=eth1 # Facing the DMZ Network
EXT_IFACE=eth0 # Facing the hardware firewall
LO_IFACE=lo # loop back interface
INT_IP=`ifconfig $INT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
DMZ_IP=`ifconfig $DMZ_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`
EXT_IP=`ifconfig $EXT_IFACE : grep inet : cut -d : -f 2 : cut -d \ -f 1`

DMZ_WEB=192.168.0.1
DMZ_EXT_MAIL=192.168.0.3
DMZ_LDAP=192.168.0.1
DMZ_PROXY=192.168.0.4
DMZ_DNS=192.168.0.1
INT_MAIL=131.107.2.6

LAN_IP=131.107.2.0
DMZ_NET=192.168.0.0

case “$1″ in

start)

echo -n “Starting Jon’s Firewall Rules”

# Set default policy to DROP
$FW -P INPUT DROP
$FW -P OUTPUT DROP
$FW -P FORWARD DROP

# Flush all rules first to make sure that we are starting from scratch
$FW -t nat -F
$FW -t mangle -F
$FW -X
$FW -F

# Explicitly turn off ECN (explicit congestion notification)
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Allow traffic to loop back interface
$FW -A INPUT -i $LO_IFACE -j ACCEPT

# Spoof protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# SYN Flood protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#The Mangle portion of the ruleset.
#Here is where unwanted packet types get dropped.
#This helps in making port scans against your server
#a bit more time consuming and difficult, but not impossible.
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags SYN,RST SYN,RST -j DROP
$FW -t mangle -A PREROUTING -p tcp –tcp-flags FIN,SYN FIN,SYN -j DROP

################## CUSTOM RULES !!!!!!! ##################
$FW -N firewalled
$FW -A firewalled -m limit –limit 15/minute -j LOG –log-prefix Firewalled:
$FW -A firewalled -j DROP

$FW -N bad_tcpflags
$FW -A bad_tcpflags -m limit –limit 15/minute -j LOG –log-prefix BAD_TCP_FLAGS:
$FW -A bad_tcpflags -j DROP
###########################################################

################## INPUT CHAIN !!!!!!! ####################
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
$FW -A INPUT -p tcp –tcp-flags ACK,FIN FIN -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ACK,PSH PSH -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ACK,URG URG -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags RST,FIN RST,FIN -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags SYN,ACK NONE -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags SYN,FIN SYN,FIN -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags SYN,RST SYN,RST -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags SYN,URG SYN,URG -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL NONE -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL ALL -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL SYN -m state –state ESTABLISHED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL RST -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL ACK -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL SYN,PSH -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL PSH,ACK -m state –state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL RST,ACK -m state –state RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL SYN,ACK -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL FIN,ACK -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL SYN,ACK,PSH -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL FIN,PSH,ACK -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL ACK,PSH,RST -m state –state NEW,RELATED -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL FIN,URG,PSH -j bad_tcpflags
$FW -A INPUT -p tcp –tcp-flags ALL SYN,RST,ACK,FIN,URG -j bad_tcpflags

# Allow ESTABLISHED and RELATED connections
$FW -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow some services only
$FW -A INPUT -p tcp –dport 22 -j ACCEPT
#################################################################

################# FORWARD CHAIN !!!!! ###########################

$FW -A FORWARD -m state –state ESTABLISHED,RELATED -j ACCEPT

# Allow only access to the proxy server if IP and MAC address we’re matched
if [ -f /etc/http_user_ip ]; then
HTTP_USER_IP=`cat /etc/http_user_ip : awk ‘{ print $1 }’`
if [ -z "$HTTP_USER_IP" ]; then
echo
echo “access list exist but doesn’t contain anything”
echo “or IP and/or MAC address is/are missing”
echo “exiting …”
echo
sleep 2
exit 1
fi
for IP in $HTTP_USER_IP
do
HTTP_USER_MAC=`grep -w $IP /etc/http_user_ip : awk ‘{ print $2 }’`
if [ ! -z "$HTTP_USER_MAC" ]; then
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_PROXY \
-m mac –mac-source $HTTP_USER_MAC -s $IP/32 \
–dport 8080 -j ACCEPT
fi
done
fi

# Allow external packet destined to publicly accessed services like SMTP, HTTP and HTTPS
$FW -A FORWARD -p tcp –dport 22 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -s 131.107.2.92/32 -j ACCEPT

$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 –dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_WEB/32 –dport 443 -j ACCEPT

$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 –dport 25 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 –dport 80 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 –dport 443 -j ACCEPT
$FW -A FORWARD -i $EXT_IFACE -o $DMZ_IFACE -p tcp -d $DMZ_EXT_MAIL/32 –dport 993 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp –dport 80 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp –dport 443 -s $INT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $EXT_IFACE -p tcp –dport 21 -s $INT_MAIL/32 -j ACCEPT

# Allow Local networks to access servers on DMZ
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY –dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_PROXY –dport 443 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_DNS –dport 53 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p udp -d $DMZ_DNS –dport 53 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL –dport 25 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL –dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL –dport 443 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL –dport 143 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_EXT_MAIL –dport 993 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB –dport 80 -j ACCEPT
$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_WEB –dport 443 -j ACCEPT

$FW -A FORWARD -i $INT_IFACE -o $DMZ_IFACE -s $LAN_IP/24 -p tcp -d $DMZ_LDAP –dport 389 -j ACCEPT

# Allow machines on DMZ to access the net for security updates and bug fixes
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_EXT_MAIL/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_PROXY/32 -j ACCEPT
$FW -A FORWARD -i $DMZ_IFACE -o $EXT_IFACE -s $DMZ_WEB/32 -j ACCEPT

##################################################################

################ OUTPUT CHAIN !!!!! ##############################
$FW -A OUTPUT -m state –state ESTABLISHED,RELATED -j ACCEPT
$FW -A OUTPUT -o $LO_IFACE -j ACCEPT
$FW -A OUTPUT -p tcp –dport 22 -m state –state NEW -j ACCEPT
$FW -A OUTPUT -p tcp –dport 53 -m state –state NEW -j ACCEPT
$FW -A OUTPUT -p udp –dport 53 -m state –state NEW -j ACCEPT
$FW -A OUTPUT -p tcp –dport 80 -m state –state NEW -j ACCEPT
$FW -A OUTPUT -p tcp –dport 443 -m state –state NEW -j ACCEPT
$FW -A OUTPUT -p tcp –dport 21 -m state –state NEW -j ACCEPT
###################################################################

for CHAINS in INPUT FORWARD OUTPUT
do
# Allow some icmp packet and DROP the rest
$FW -A $CHAINS -p icmp –icmp-type 0 -j ACCEPT
$FW -A $CHAINS -p icmp –icmp-type 3 -j ACCEPT
$FW -A $CHAINS -p icmp –icmp-type 11 -j ACCEPT
$FW -A $CHAINS -p icmp –icmp-type 8 -m limit –limit 1/second -j ACCEPT
$FW -A $CHAINS -p icmp -j firewalled
done

# SNAT LAN’s IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $DMZ_NET/24 -j SNAT –to $EXT_IP
$FW -t nat -A POSTROUTING -o $EXT_IFACE -s 131.107.2.92/32 -j SNAT –to $EXT_IP

$FW -t nat -A POSTROUTING -o $EXT_IFACE -s $INT_MAIL/32 -j SNAT –to $EXT_IP

# DNAT connections from outside
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp –dport 80 -j DNAT –to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp –dport 443 -j DNAT –to $DMZ_EXT_MAIL
$FW -t nat -A PREROUTING -i $EXT_IFACE -d 202.164.182.83 -p tcp –dport 993 -j DNAT –to $DMZ_EXT_MAIL

$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp –dport 25 -j DNAT –to $DMZ_EXT_MAIL

$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp –dport 80 -j DNAT –to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp –dport 443 -j DNAT –to $DMZ_WEB
$FW -t nat -A PREROUTING -i $EXT_IFACE -d $EXT_IP -p tcp –dport 993 -j DNAT –to $DMZ_WEB

# Layer 7 filterring
$FW -t mangle -A POSTROUTING -m layer7 –l7proto yahoo -j DROP
$FW -t mangle -A POSTROUTING -m layer7 –l7proto msnmessenger -j DROP
$FW -t mangle -A POSTROUTING -m layer7 –l7proto msn-filetransfer -j DROP
$FW -t mangle -A POSTROUTING -m layer7 –l7proto bittorrent -j DROP
#$FW -t mangle -A POSTROUTING -m layer7 –l7proto irc -j DROP

echo “.”

;;

stop)

echo -n “Flushing Jon’s Firewall Rules”

$FW -P INPUT ACCEPT
$FW -P FORWARD ACCEPT
$FW -P OUTPUT ACCEPT
$FW -t nat -F
$FW -t mangle -F
$FW -F
$FW -X

echo “.”

;;

status)

$FW -t nat -L
$FW -t mangle -L
$FW -L

;;

restart)
$0 stop
$0 start
;;

*)
echo ‘Usage: /etc/init.d/firewall.rules {start:stop:restart}’
exit 1

esac

exit 0

I’m currently moving my old entries to wordpress.

I hope all works out well.