REVYNET Developer, Hacker and Inventor

17Mar/12

Transparent Firewall With OpenBSD VM

Perfect documentation!

http://www.computerglitch.net/?p=84

 

Transparent Firewall With OpenBSD VM

Date November 19, 2009

I had a job where I needed to place a firewall in front of a network of publicly accessible computers. I decided to use a virtual transparent firewall to protect the entire network and make no changes on the client computers. This document describes how I did it.

First the hardware: I decided to use a Dell Poweredge 1900 with ESXi server. The server has (2) Quad Core Processors, 16GB of RAM and 3 NICs. The storage is local with 4 drives set in a RAID 5 providing 600GB of storage.

Now for the NIC setup. You can see from the diagram below that the BSD bridge is set up on vmnic0 and vmnic1; vmnic2 is reserved for management and the other VMs.

One VERY IMPORTANT note before I begin to explain the setup of the OpenBSD VM: the two NICs that will be used for the transparent firewall must be set up in ESXi for promiscuous mode! See the image below.

Configure the OpenBSD VM with two NICs, both tied to the NICs configured in promiscuous mode. Install OpenBSD on the VM.

For the configuration of OpenBSD do the following:
Enable PF and IP forwarding (edit /etc/rc.conf and /etc/sysctl.conf)

Configure the bridge (substitute your NIC names in place of vic0 and vic1)
First create the file /etc/bridgename.bridge0:

# touch /etc/bridgename.bridge0

Add the following to the bridgename.bridge0 file:

add vic0
add vic1
up

After you have added this file, reboot the OpenBSD VM. When the system comes back up you should see the following when issuing ifconfig -a:

bridge0: flags=41<UP,RUNNING> mtu 1500
        groups: bridge

Once you have confirmed the bridge is running, it's time to configure pf to control the traffic. Here is an example /etc/pf.conf file that blocks all external traffic destined for the internal network and allows all internal traffic destined for the internet:

ext_if="vic0"
int_if="vic1"

# Allow all traffic out from our network (vic1)
pass out quick on $int_if all
pass in quick on $int_if all
pass out quick on $ext_if all

# Block all traffic on external interface (vic0) by default
block in log on $ext_if all

A more elaborate example allows SSH traffic from specific IPs to the internal network and configures OpenDNS redirection for content filtering on the internal network:

ext_if="vic0"
int_if="vic1"
allowed_ips="{ 68.180.206.184, 209.85.171.100 }"
opendns="{ 208.67.222.222, 208.67.220.220 }"
internal_ips="{ 206.46.232.39/27 }"

# Redirect to OpenDNS for content filtering
rdr on $int_if inet proto udp from any to any port 53 -> $opendns

# Allow all traffic out from our network (vic1)
pass out quick on $int_if all
pass in quick on $int_if all
pass out quick on $ext_if all

# Block all traffic on external interface (vic0) by default
block in log on $ext_if all

# Inbound Allow Rules
pass in log quick on $ext_if proto tcp from $allowed_ips to $internal_ips port 22 modulate state
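The bridge file and the ruleset above are easy to get subtly wrong: a member interface left out of bridgename.bridge0 gives you a bridge that forwards nothing, and curly quotes that ride along when a ruleset is copied from a web page are not valid pf syntax, so pfctl refuses the whole file and the box comes up with no filter loaded. The pre-flight script below is an added example, not part of the original write-up. It assumes the file names (/etc/bridgename.bridge0, /etc/pf.conf), the macro name ext_if and the interface names (vic0, vic1) used above, but takes the paths and interfaces as arguments so a staging copy can be checked before the reboot.

```shell
#!/bin/sh
# Pre-flight checks for the transparent bridge + pf setup described above.
# Added example, not part of the original write-up. Assumes the post's file
# names, the ext_if macro and the vic0/vic1 interface names, all passed in
# as arguments so the checks can run against a staging copy first.

# bridge_conf_ok FILE IF1 IF2
# Returns 0 when FILE adds both member interfaces and brings the bridge up.
bridge_conf_ok() {
    f=$1; a=$2; b=$3
    grep -qx "add $a" "$f" || return 1
    grep -qx "add $b" "$f" || return 1
    grep -qx "up" "$f" || return 1
    return 0
}

# ascii_only_ok FILE
# Returns 0 when FILE is pure 7-bit ASCII. Curly quotes picked up from a
# web page copy-paste are the usual reason pfctl rejects a pasted ruleset.
ascii_only_ok() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1" && return 1
    return 0
}

# default_block_ok FILE
# Returns 0 when the ruleset has a default "block in" on the $ext_if macro,
# the one rule that makes this bridge a firewall rather than a plain switch.
default_block_ok() {
    grep -Eq '^block[[:space:]]+in[[:space:]]+(log[[:space:]]+)?on[[:space:]]+\$ext_if' "$1"
}

# pf_syntax_ok FILE
# Dry-run parse with pfctl -n when it is available (on the OpenBSD VM);
# anywhere else the check is skipped with a note.
pf_syntax_ok() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found, skipping syntax check of $1" >&2
    fi
}

# run_checks BRIDGE_FILE PF_FILE IF1 IF2
run_checks() {
    bridge_conf_ok "$1" "$3" "$4" || { echo "FAIL: $1 must add $3 and $4 and bring the bridge up" >&2; return 1; }
    ascii_only_ok "$2" || { echo "FAIL: $2 contains non-ASCII bytes (curly quotes from a copy-paste?)" >&2; return 1; }
    default_block_ok "$2" || { echo "FAIL: $2 has no default block in on \$ext_if" >&2; return 1; }
    pf_syntax_ok "$2" || { echo "FAIL: pfctl rejected $2" >&2; return 1; }
    echo "OK: bridge file and ruleset look sane"
}

# Usage: sh preflight.sh /etc/bridgename.bridge0 /etc/pf.conf vic0 vic1
if [ $# -eq 4 ]; then
    run_checks "$@"
fi
```

The ASCII and default-block checks are deliberately simple text checks, so they run on any machine; the authoritative test is the pfctl -nf dry run, which only happens on the OpenBSD VM itself.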

Here is a diagram of the hardware setup and wiring:

3Jan/12

I'm game, what to send up first...

Let's go to space again!!

 

http://shackspace.de/wiki/doku.php?id=project:hgg:faq

 

http://yro.slashdot.org/story/12/01/03/1723225/german-hackers-propose-uncensorable-global-grid-with-satellites

20Dec/11

Observations Made in The Past Couple years

For those that know what I actually do for a living, it is funny to read an article like this because I can easily back it.

In short, I monitor a small segment of the internet, which you have most likely passed through, and I look at this traffic to see who is good and who is bad.

I end up seeing traffic from countries that most people have never heard of, and sometimes a "large" amount of traffic.

But there is only one "large" country that baffled me until recently looking into their conditions, considering that the Vatican has a larger footprint than North Korea.

 

http://www.nytimes.com/2006/10/23/technology/23link.html

 

The Internet Black Hole That Is North Korea

By TOM ZELLER Jr.
Published: October 23, 2006

THE tragically backward, sometimes absurdist hallmarks of North Korea and its leader, Kim Jong-il, are well known. There is Mr. Kim’s Elton John eyeglasses and strangely whipped, cotton-candy hairdo. And there is the North Korean “No! Yeeesssss ... No! O.K. Fear the tiger!” school of diplomacy.

Jason Reed/Reuters

A Department of Defense satellite image of the Korean Peninsula showing wide illuminated areas in South Korea and the relative darkness of the North.

A newer, more dangerous sort of North Korean eccentricity registered around 4.0 on the Richter scale earlier this month — a nuclear weapon test that has had the world’s major powers scrambling, right up through last week, to develop a policy script that would account for Mr. Kim’s new toy.

But whatever the threat — and however lush the celebrations broadcast on state-controlled television from the streets of Pyongyang in the days afterward — the stark realities of life in North Korea were perhaps most evident in a simple satellite image over the shoulder of Defense Secretary Donald H. Rumsfeld during an Oct. 11 briefing. The image showed the two Koreas — North and South — photographed at night.

The South was illuminated from coast to coast, suggesting that not just lights, but that other, arguably more bedrock utility of the modern age — information — was pulsating through the population.

The North was black.

This is an impoverished country where televisions and radios are hard-wired to receive only government-controlled frequencies. Cellphones were banned outright in 2004. In May, the Committee to Protect Journalists in New York ranked North Korea No. 1 — over also-rans like Burma, Syria and Uzbekistan — on its list of the “10 Most Censored Countries.”

That would seem to leave the question of Internet access in North Korea moot.

At a time when much of the world takes for granted a fat and growing network of digitized human knowledge, art, history, thought and debate, it is easy to forget just how much is being denied the people who live under the veil of darkness revealed in that satellite photograph.

While other restrictive regimes have sought to find ways to limit the Internet — through filters and blocks and threats — North Korea has chosen to stay wholly off the grid.

Julien Pain, head of the Internet desk at Reporters Without Borders, a Paris-based group which tracks censorship around the world, put it more bluntly. “It is by far the worst Internet black hole,” he said.

That is not to say that North Korean officials are not aware of the Internet.

As far back as 2000, at the conclusion of a visit to Pyongyang, Madeleine K. Albright, then secretary of state, bid Mr. Kim to “pick up the telephone any time,” to which the North Korean leader replied, “Please give me your e-mail address.” That signaled to everyone that at least he, if not the average North Korean, was cybersavvy. (It is unclear if Ms. Albright obliged.)

These days, the designated North Korean domain suffix, “.kp” remains dormant, but several “official” North Korean sites can be found delivering sweet nothings about the country and its leader to the global conversation (an example: www.kcckp.net/en/) — although these are typically hosted on servers in China or Japan.

Mr. Kim, embracing the concept of “distance learning,” has established the Kim Il-sung Open University Web site, www.ournation-school.com — aimed at educating the world on North Korea’s philosophy of “juche” or self-reliance. And the official North Korean news agency, at www.kcna.co.jp, provides tea leaves that are required reading for anyone following the great Quixote in the current nuclear crisis.

But to the extent that students and researchers at universities and a few other lucky souls have access to computers, these are linked only to each other — that is, to a nationwide, closely-monitored Intranet — according to the OpenNet Initiative, a human rights project linking researchers from the University of Toronto, Harvard Law School and Cambridge and Oxford Universities in Britain.

A handful of elites have access to the wider Web — via a pipeline through China — but this is almost certainly filtered, monitored and logged.

Some small “information technology stores” — crude cybercafes — have also cropped up. But these, too, connect only to the country’s closed network. According to The Daily NK, a pro-democracy news site based in South Korea, computer classes at one such store cost more than six months wages for the average North Korean (snipurl.com/DailyNK). The store, located in Chungjin, North Korea, has its own generator to keep the computers running if the power is cut, The Daily NK site said.

“It’s one thing for authoritarian regimes like China to try to blend the economic catalyst of access to the Internet with controls designed to sand off the rough edges, forcing citizens to make a little extra effort to see or create sensitive content,” said Jonathan Zittrain, a professor of Internet governance and regulation at Oxford.

The problem is much more vexing for North Korea, Professor Zittrain said, because its “comprehensive official fantasy worldview” must remain inviolate. “In such a situation, any information leakage from the outside world could be devastating,” he said, “and Internet access for the citizenry would have to be so controlled as to be useless. It couldn’t even resemble the Internet as we know it.”

But how long can North Korea’s leadership keep the country in the dark?

Writing in The International Herald Tribune last year, Rebecca MacKinnon, a research fellow at the Berkman Center for Internet and Society at Harvard, suggested that North Korea’s ban on cellphones was being breached on the black market along China’s border. And as more and more cellphones there become Web-enabled, she suggested, that might mean that a growing number of North Koreans, in addition to talking to family in the South, would be quietly raising digital periscopes from the depths.

Of course, there are no polls indicating whether the average North Korean would prefer nuclear arms or Internet access (or food, or reliable power), but given Mr. Kim’s interest in weapons, it is a safe bet it would not matter.

“No doubt it’s harder to make nuclear warheads than to set up an Internet network,” Mr. Pain said. “It’s all a question of priority.”

13Dec/11

[BIFU] Installing Sun’s JDK on CentOS 5.x

I keep on needing this document and I want to preserve it. For some strange reason I can't commit Chris's doc to memory http://chrisschuld.com/2008/10/installing-sun-java-on-centos-5-2/

 

Written By: Chris Schuld, Thursday, October 9th, 2008

By far the most messy thing on CentOS 5.2 is adding Sun's Java. I have never found great success from the different packages that are out there for installing Java. I prefer to simply use the packages from Sun.

Step (1) : Visit Sun’s web site and download the latest version of Java (the *.bin file not the *-rpm.bin) (http://java.sun.com/javase/downloads/index.jsp)(pay close attention if you want the 32bit or 64bit version)

Step (2) :

[user@www]# cd ~
[user@www]# wget "[GIANT_SUN_URL_TO_GET_THE_JAVA_BIN_FILE_x64_IN_THIS_CASE]"
[user@www]# /bin/sh jdk-6u7-linux-x64.bin

Step (3) : Setup the alternatives correctly

[user@www]# alternatives --install /usr/bin/java java /opt/jdk1.6.0_07/bin/java 2
[user@www]# alternatives --config java

There are 2 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   2           /opt/jdk1.6.0_07/bin/java

Enter to keep the current selection[+], or type selection number: 2
[user@www]#

Step (4) : Check to make sure the install was a success

[user@www]# java -version
java version "1.6.0_07"
Java(TM) SE Runtime Environment (build 1.6.0_07-b06)
Java HotSpot(TM) 64-Bit Server VM (build 10.0-b23, mixed mode)
[user@www]#

Revy's Version:
1) I do get the package from Sun/Oracle, but I get the RPMs and stash them on my local RPM repository.
2) The paths above are not correct, and they are missing other bin files that I use on my servers:

[root@dynamic-83 ~]# alternatives --install /usr/bin/java java /usr/java/default/bin/java 2
[root@dynamic-83 ~]# alternatives --install /usr/bin/javac javac /usr/java/default/bin/javac 2
[root@dynamic-83 ~]# alternatives --config java

There are 3 programs which provide 'java'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/jre-1.6.0-openjdk.x86_64/bin/java
   2           /usr/lib/jvm/jre-1.4.2-gcj/bin/java
   3           /usr/java/default/bin/java

Enter to keep the current selection[+], or type selection number: 3
[root@dynamic-83 ~]# alternatives --config javac

There are 2 programs which provide 'javac'.

  Selection    Command
-----------------------------------------------
*+ 1           /usr/lib/jvm/java-1.6.0-openjdk.x86_64/bin/javac
   2           /usr/java/default/bin/javac

Enter to keep the current selection[+], or type selection number: 2

ln -s /usr/java/default/bin/jar /usr/bin/jar
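
Chris's steps and Revy's notes register each tool by hand and then pick it from the interactive --config menu, which is fine once but tedious on a fleet of servers. The script below is an added example (not from either post): it registers java, javac and jar in one pass and selects the new JDK with alternatives --set instead of the menu, then does the Step 4 check by resolving the symlink chain rather than eyeballing java -version. It assumes the JDK lives under the JAVA_HOME passed as the first argument (/usr/java/default for the RPM install) and uses the same priority 2 as above.

```shell
#!/bin/sh
# Register a Sun/Oracle JDK with the alternatives system and select it
# without the interactive --config menu. Added example; not from Chris's
# post or Revy's notes. Assumes the JDK lives under the JAVA_HOME given as
# the first argument (/usr/java/default for the RPM install) and uses the
# same priority (2) as above. Set DRY_RUN=1 to print the commands instead
# of running them, which is handy for checking the paths first.

# run_cmd COMMAND [ARGS...]: execute, or only print when DRY_RUN=1
run_cmd() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# register_jdk JAVA_HOME PRIORITY
# For each of java, javac and jar that exists under JAVA_HOME/bin, installs
# an alternative and then selects it with --set. Returns non-zero if
# nothing could be registered (a wrong JAVA_HOME is the usual cause).
register_jdk() {
    home=$1; prio=$2; n=0
    for tool in java javac jar; do
        bin="$home/bin/$tool"
        if [ ! -x "$bin" ]; then
            echo "skip $tool: $bin not found" >&2
            continue
        fi
        run_cmd alternatives --install "/usr/bin/$tool" "$tool" "$bin" "$prio" || return 1
        run_cmd alternatives --set "$tool" "$bin" || return 1
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# verify_java JAVA_HOME
# The equivalent of Step 4: the java found on PATH must resolve, through
# /usr/bin/java -> /etc/alternatives/java, to the binary under JAVA_HOME.
verify_java() {
    selected=$(readlink -f "$(command -v java)") || return 1
    [ "$selected" = "$(readlink -f "$1/bin/java")" ] && java -version
}

# Usage: sh register_jdk.sh /usr/java/default 2
if [ $# -eq 2 ]; then
    register_jdk "$1" "$2" && verify_java "$1"
fi
```

Run it once with DRY_RUN=1 to see the exact alternatives commands it would issue for your JAVA_HOME; the jar tool goes through alternatives as well, instead of the bare ln -s above, so it can be switched back with the rest.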
29Nov/11

I want one

http://tech.slashdot.org/story/11/11/29/0413257/a-3d-display-you-can-touch

 

It flickers a little, but this would be awesome for a "war room".

 

 

 

A 3D Display You Can Touch

Posted by Unknown Lamer 
from the lasers-through-the-looking-glass dept.

 

mikejuk writes: "Are we getting closer to really effective volumetric 3D display technology? A new display, designed in Russia, uses cold fog and a laser projector to create a volumetric 3D image that you can touch. A tracking device, and no it's not a Kinect, is used to detect the user's hand and moves the virtual objects in response. There have been cold fog 3D displays before this but this one has a reasonable resolution and looks near to being a finished product that could be on sale soon. Estimated price? Between $4000 and $30,000."

Filed under: Cool stuff

19Feb/11

Anonymous Goes After GodHatesFags.com – Slashdot

Anonymous Goes After GodHatesFags.com - Slashdot.

I'm ok with this.

19Feb/11

Building VPNs with OpenBSD and IPSEC

Building VPNs with OpenBSD and IPSEC.

10Feb/11

[Callable , Synchronization] Java Thread Demo With a Shared Data Object

So here I am,

I need to manage a queue of sorts, but I want many objects to interact with it, and even objects that exist in other threads within the same application.

So what is the best model?

What won't kill me?

So far I have 2 fancy shmancy solutions: one model with a custom Queue controller object using synchronization, and another with an interesting interface to manage the Queue that puts in place a couple of interesting scenarios when inserting into a limited Queue.

First Solution: Synchronization

Ok, you're asking what is so special about synchronization?

Well, what is special is that only ONE thread at a time can be inside a synchronized method of the object, so when you want to do a pull, you can be sure only one thread is doing the pull.

This in the end is nice, but wasn't 100% what I was looking for, but here it is just in case you find this useful.

File: JavaThreadDemo.java

import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class JavaThreadDemo {
	//This Queue thinks too much of itself. (It is the Queue class below, not java.util.Queue.)
	static Queue gQ = new Queue();

	//A pretty constructor
	public JavaThreadDemo() {
	}

	//Main method funky funk.
	public static void main(String[] args) {
		ExecutorService pool = Executors.newFixedThreadPool(3);
		Set<Future<Boolean>> set = new HashSet<Future<Boolean>>();

		//Create the threads: each one rewrites the shared value on its own interval
		Callable<Boolean> callable = new Thready(gQ,"Thread 5000",5000); // Run every 5 seconds
		Callable<Boolean> callable2 = new Thready(gQ,"Thread 3000",3000); // Run every 3 seconds
		Callable<Boolean> callable3 = new Thready(gQ,"Thread 4000",4000); // Run every 4 seconds
		Future<Boolean> future = pool.submit(callable);
		Future<Boolean> future2 = pool.submit(callable2);
		Future<Boolean> future3 = pool.submit(callable3);

		//Add the threads to the nice little set and let them cook.
		set.add(future);
		set.add(future2);
		set.add(future3);

		while (true) {
			//Lets see who is in there (print() is synchronized, so it never sees a half-written value):
			gQ.print();
			try {
				Thread.sleep(1000);
			} catch (InterruptedException e) {
				e.printStackTrace();
			}
		}
	}
}

File: Queue.java

public class Queue {

	private String value ="Not Set";
	private long cnt = 0;
	public Queue() {
	}

	public Queue(String mVal) {
		this.value = mVal;
	}

	public synchronized void setString(String astr) {
		this.value = astr;
	}

	public synchronized  String getValue() {
		return this.value;
	}

	public synchronized void print() {
		this.cnt++;
		System.out.println(this.cnt+" "+this.value);
	}

}

File: Thready.java

import java.util.concurrent.Callable;

//NOTE: the original post pasted Thready2 under this heading. This class is
//reconstructed from how JavaThreadDemo uses it, Thready(Queue, String, long):
//a worker that keeps rewriting the shared value on its own interval.
public class Thready implements Callable<Boolean> {

	private final Queue mQ;
	private final String thID;
	private final long time;

	public Thready(Queue aQ, String ID, long time) {
		this.mQ = aQ;
		this.thID = ID;
		this.time = time;
	}

	@Override
	public Boolean call() throws Exception {
		long cnt = 0;
		while (true) {
			//Only one thread at a time gets into the synchronized setter,
			//so the value printed by gQ.print() is always a complete write.
			mQ.setString(this.thID + ":" + cnt);
			cnt++;
			Thread.sleep(this.time);
		}
	}

}

Second Solution: BlockingQueue Interface

Note: Please use the Queue.java from the first example.

Now for this one, I am using the BlockingQueue interface. This is nice because it does what I did with synchronization, but has a few more features that I am showing here.

What I am showing when putting an item on the Queue is a timeout: that is nice because you don't want a deadlocked situation when your allocated resources are maxed out. On the listener end, taking a Queue item off will wait and listen till the cows come home, which reduces the code required compared with other polling methods. There are other methods to poll that also take a timeout.

Overall, I have to think that this is a better method because I can show my process who is really in control.

File: JavaThreadDemo2.java

import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

public class JavaThreadDemo2 {
	//The Queue: bounded to 10 items, so the producers will see rejected offers once it fills
	private final BlockingQueue<Queue> queue = new ArrayBlockingQueue<Queue>(10);

	//A Constructor
	public JavaThreadDemo2() {
	}

	//Where we start
	public boolean start () {
		boolean retVal = true;
		try {
			//Create Executor pool
			ExecutorService pool = Executors.newFixedThreadPool(3);

			//This is where we will "store" these threads
			Set<Future<Boolean>> set = new HashSet<Future<Boolean>>();

			//Creating the threads: one listener that pulls, two producers that push
			Callable<Boolean> callable = new Thready2(queue,true,1000,"Listen0");
			Callable<Boolean> callable2 = new Thready2(queue,false,1000,"push1000");
			Callable<Boolean> callable3 = new Thready2(queue,false,400,"push0400");
			Future<Boolean> future = pool.submit(callable);
			Future<Boolean> future2 = pool.submit(callable2);
			Future<Boolean> future3 = pool.submit(callable3);

			//Add them to the nice set and let them cook.
			set.add(future);
			set.add(future2);
			set.add(future3);
		} catch (Exception e) {
			e.printStackTrace();
			retVal = false;
		}
		return retVal;
	}

	public static void main(String[] args) {
		JavaThreadDemo2 me = new JavaThreadDemo2();
		if(!me.start()) {
			System.out.println("I dies.");
		}
	}

}

File: Thready2.java

import java.util.concurrent.BlockingQueue;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;

public class Thready2 implements Callable<Boolean> {

	//Typed as BlockingQueue<Queue>: with the raw type, take() returns Object and the assignment below does not compile
	private BlockingQueue<Queue> mQ;
	private boolean pull;
	private long time;
	private String thID = "";

	public Thready2(BlockingQueue<Queue> aQ, boolean pull, long time, String ID) {
		this.mQ = aQ;
		this.pull = pull;
		this.time = time;
		this.thID = ID;
	}

	@Override
	public Boolean call() throws Exception {
		boolean retVal = true;
		int offerCnt = 0;
		while (retVal) {
			Queue aQi = null;
			if (pull) {
				//take() blocks until an item is available, no polling loop needed
				aQi = mQ.take();
				System.out.println("Got Something : " + mQ.size() + " : " + aQi.getValue());
			} else {
				aQi = new Queue(this.thID + ":" + offerCnt);
				System.out.println("I am making a sacrificial offering.. ");
				//offer() with a timeout gives up after 1 second when the bounded queue is full
				if (mQ.offer(aQi, 1, TimeUnit.SECONDS)) {
					System.out.println("The Gods have taken my offering.");
				} else {
					System.out.println("The Gods have rejected my offering of " + this.thID + ":" + offerCnt);
				}
				System.out.println("The Queue is now : " + mQ.size());
				offerCnt++;
			}
			Thread.sleep(this.time);
		}

		return retVal;
	}
}
Filed under: Java, Programming

28Jan/11

Creating a Custom Event | Example Depot

public void myEventOccurred(MyEvent evt);

via Creating a Custom Event | Example Depot.

Filed under: Uncategorized

28Jan/11

The Axis2 Transport Framework – Developer.com

The Axis2 Transport Framework - Developer.com.

Filed under: Uncategorized