([M|m]ac)?\s?OS(\sX)?: Permit ICMP redirects

So I was fighting around with that Motorola/Netopia router I’m obliged to use, because the network operator doesn’t allow hooking up a custom device.

Well, it is possible after all, as proven in the past. However, in order to use the SIP gateway of the network operator (for which the login credentials are not handed out), the operator-branded router must be used. *sigh*

Here’s a somewhat high-level overview: the clients, which shall connect to the lab, are in the same subnet as the default router #1. The next hop for the more specific lab routes is router #2, which sits in the same subnet.

+-----------+        +------------+       +-----------+       +-----------+       +-----------+
| clients   |  ----  | WiFi/Wired | ----  | router #1 | ----  | router #2 | ----  | LAB stuff |
+-----------+        +------------+       +-----------+       +-----------+       +-----------+
{                            CLIENT SUBNET                          } {      LAB SUBNETS      }

So actually, I could just add the more specific routes to any client, telling it to forward through router #2.
However, this is cumbersome. I don’t want to add these routes on every client.

So I tried hacking them into the Motorola/Netopia router. I had a hard time with that, but only because it’s so silly and overly complicated … 🙁
So far so good: my clients could send ICMP echo requests towards the LAB devices. However, that was as close as I could get.

Not every client was capable of accessing everything in the LAB.

As it turned out, the Motorola/Netopia sends ICMP redirects. It does that because router #2 (a Cisco, btw) is reachable via the CLIENT subnet and is thus directly reachable by anyone in that subnet.
However, ICMP redirects are somewhat non-deterministic, as the forwarding decision is no longer controlled by the router. I consider it voodoo, which is why I prefer turning it off.

The only problem is that this “Netopia SOC OS” doesn’t have an equivalent to the Cisco-type “no ip redirects” command.
Well, it’s Linux after all, so I could turn it off by setting /proc/sys/net/ipv4/conf/*/send_redirects to 0. There is an obscure way to break out of the SOC OS shell and get an unrestricted shell:

ping;/bin/busybox telnetd -l/bin/sh -p9999

This would open a root shell on port 9999, from where the kernel setting could be changed. However, since this gets reverted whenever the router reboots due to operator updates, I would need to hack it back in every time. I don’t like this at all. Please, let me officially retrieve the SIP credentials to hook up my IP phone directly, so I can use a Cisco router. Pretty please!

Well, one day perhaps. Until then, I need to get it working with the least intrusive means of configuration.
So, I can’t replace the router, and I can’t teach it not to send redirects.
But if my clients, ([M|m]ac)?\s?OS(\sX)? in particular, don’t play well with ICMP redirects, let’s force them to.

On macOS (man, let’s blatantly change the name one more time!), this can be done via the sysctl command in the Terminal.
Query it like this:

# sudo sysctl net.inet.icmp.drop_redirect
net.inet.icmp.drop_redirect: 1

So macOS indeed drops ICMP redirects by default. Let’s change this:

# sudo sysctl net.inet.icmp.drop_redirect=0
net.inet.icmp.drop_redirect: 1 -> 0

With the new setting, connections started to work right away.

A note of caution: in my opinion ICMP redirects can be a dangerous thing, as they open the door for an attacker to influence the client’s idea of the routing table.
A client should not listen to redirects and should always forward traffic towards its designated router. Overriding a default setting like this may be OK on a case-by-case basis, but it should be closely inspected and monitored.
If I had the choice, I would surely have preferred a permanently applied setting on the router instead.
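To make the “inspect and monitor” part concrete, here is an added Python example (not from the post): it builds a constructed ICMP host redirect of the kind router #1 emits and applies the sanity checks RFC 1122 asks a host to make before honouring one (the redirect must come from the current first hop, and the new gateway must be on the local link). All addresses are made up to mirror the diagram above.

```python
import ipaddress
import struct

# Constructed addressing that mirrors the post: clients, router #1 and router #2 share one subnet.
CLIENT_SUBNET = ipaddress.ip_network("192.0.2.0/24")
CLIENT = "192.0.2.50"
ROUTER1 = "192.0.2.1"   # default router (the Netopia), the one that emits the redirects
ROUTER2 = "192.0.2.2"   # the Cisco in front of the lab subnets
FIRST_HOP = ipaddress.ip_address(ROUTER1)   # the client's only route off-link is its default router

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; yields 0 over a correctly checksummed message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_redirect(sender: str, new_gw: str, quoted_dst: str) -> bytes:
    """IPv4 packet carrying an ICMP host redirect (type 5, code 1). Test input only; IP checksum left 0."""
    quoted = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(CLIENT).packed, ipaddress.ip_address(quoted_dst).packed)
    icmp = struct.pack("!BBH4s", 5, 1, 0, ipaddress.ip_address(new_gw).packed) + quoted + bytes(8)
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         ipaddress.ip_address(sender).packed, ipaddress.ip_address(CLIENT).packed)
    return ip_hdr + icmp

def check_redirect(packet: bytes) -> str:
    """The sanity checks RFC 1122 asks a host to make before honouring a redirect."""
    ihl = (packet[0] & 0x0F) * 4
    sender = ipaddress.ip_address(packet[12:16])
    icmp = packet[ihl:]
    if icmp[0] != 5 or icmp[1] not in (0, 1):
        return "ignore: not a network/host redirect"
    if checksum(icmp) != 0:
        return "reject: bad ICMP checksum"
    new_gw = ipaddress.ip_address(icmp[4:8])
    quoted = icmp[8:]                      # the datagram that triggered the redirect
    if ipaddress.ip_address(quoted[12:16]) != ipaddress.ip_address(CLIENT):
        return "reject: quoted datagram was not sent by us"
    dst = ipaddress.ip_address(quoted[16:20])
    if sender != FIRST_HOP:                # only our current first hop may redirect us
        return "reject: sender %s is not our first hop for %s" % (sender, dst)
    if new_gw not in CLIENT_SUBNET:        # the new gateway must be directly reachable
        return "reject: new gateway %s is not on our link" % new_gw
    return "accept: %s now via %s" % (dst, new_gw)
```

A redirect from router #1 pointing at router #2 passes, while one from any other host on the subnet, or one naming an off-link gateway, is rejected; logging the rejected ones is the monitoring the note above asks for.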

Remoting an old APC PDU using SNMP and remOcular

Garage sale at the office: a good chance to grab some (very) old hardware, like an APC 9221 PDU. Yes, it’s old (some 15 years or so), so surely not state of the art. But still good enough to use in my home lab. Who could tell that there were some unforeseen issues waiting for me …
Ansible in 10 minutes or less

I just remembered a recent argument I had with someone about automation. It’s unbelievable how many things are still done manually on a widespread scale, not leveraging the possibilities at all. Especially with so many frameworks available to help out, sticking to “the old way” just ain’t cool any more.

So let’s quickly look at Ansible, and how we can be up and running for even simple task automation in 10 minutes or less.
quick-and-dirty PAM with LUA, mod_magnet and lighttpd -or- how to breach system security

Be warned: This example serves as an illustration on how to *NOT* do it.
It’s just one of the examples I teach to apprentices at the office when it comes to learning scripts, and how important data input validation (or the absence of the same) is.
It’s also a good illustration on how attackers may break into systems to steal data or make them part of a botnet.

The given situation depicts a lighttpd server, which exposes a directory which must be protected via LDAP-managed accounts, so there is an immediate need for PAM. However, lighttpd lacks a PAM implementation. Period. There’s a very ugly and highly insecure way however …

armv6 Package Builder for FreeBSD is online

There it finally is: the Phunsites Package Builder at http://pkgbuild.phunsites.net/.

Since my initial writings on FreeBSD on Raspberry Pi, I’ve always wanted to have a web service where I can just select the port I want and it’ll be packaged up in minutes.
Now, there it is. Fully automated, with a neat and (hopefully) easy to use web interface.

Check it out. It’s free lemons! 😉


Quick&Dirty FreeBSD on Alix (without PXE boot)

It’s been a while since my last post and I’ve been quite busy writing my graduation essay.

Meanwhile my colleague Steven donated me a somewhat dated PC Engines Alix computer. I thought to put it to some good use as a packet generator for the new network playground I’m currently building up.

Funny anecdote: while googl’ing around for some docs about Alix computers, I stumbled across his 2009 original post on FreeBSD installs.

But then I read that I’d need to go through config hell for DHCP, PXE and NFS for a one-time install … Oh boy, you must be kidding …

FreeBSD on ARMv6: Cross-Compile Performance Optimization for Poudriere

Important Announcements on FreeBSD-armv6 packages

While initially writing this article, I had the idea to establish a service where packages can be selected to build for armv6. As of February 2016 this service is now online.
If you just need current FreeBSD packages for armv6, this is the place to visit. Otherwise, keep on reading.

Whilst playing around with FreeBSD on Raspberry Pi, I started to dig into cross-compiling packages.

Well, if you follow the first tutorial you’ll surely notice that there is no real speed gain, because of the use of full binary emulation on an x86 host through QEMU. So this is almost as slow as if packages were natively compiled on the Raspberry Pi itself, even if done on a multi-CPU Xeon powerhouse.

So let’s see how to get an actual performance gain.

Transform Cobalt Raq3 into a Raspberry Pi-powered Media Center

Anyone remember these adorable blueish 1U servers made by Cobalt Networks?


While I was never in true love with the Cobalt OS itself, I actually liked the Cobalt Raq enclosure.
So much that I salvaged one while cleaning out a data center last summer. I decided to grant it a second life as a media center box running OSMC.
And of course it’s powered by a Raspberry Pi. Nowadays there’s simply no way around those nice little boxes 😉
Importing Rules and Objects into Check Point Firewall using DBEDIT

While it’s the recommended way to do it, managing your objects and rules solely through Check Point SmartDashboard may be cumbersome.
Bad enough, there exists no real CLI interface that would allow for real scripting. Well, there exists DBEDIT, which allows for automated creation of objects and even rules … sort of.
However, there’s barely any official documentation about it, and there would be even less if Martin Hoz had not taken the time to write the very useful Object Filler utility, which you find over at the Check Point User Group.

And unless you want to go into the Check Point OPSEC API, DBEDIT (with the help of Object Filler) is the way to go.
FreeBSD on the Raspberry Pi – Pt 3: How to host the package repository

Important Announcements on FreeBSD-armv6 packages

While initially writing this article, I had the idea to establish a service where packages can be selected to build for armv6. As of February 2016 this service is now online.
If you just need current FreeBSD packages for armv6, this is the place to visit. Otherwise, keep on reading.

Hi Folks, here’s my writeup to conclude yesterday’s post on cross-compiling armv6 packages for the Raspberry Pi.

Today I’m gonna quickly explain how to expose the packages repository via http from your build server.

This is part 3 of my series of posts related to FreeBSD on the Raspberry Pi.

