DNS spoofing/redirecting with BIND’s response policy zones

Posted by: admin  :  Category: Networking

There was a talk on BIND’s RPZ (response policy zones) feature at SwiNOG meeting last friday.

Fun story behind: I happened to implement the RPZ technology at my employer just days before, though with another target in mind.
RPZ is described as a way to implement DNS firewalls. Well, this can be used for the good, and the bad.

Here’s another good use to this technology.
Read more…

([M|m]ac)?\s?OS(\sX)?: Permit ICMP redirects

Posted by: admin  :  Category: Networking, Operating Systems, OS X

So I was fighting around with that Motorola/Netopia router I’m obliged to use, because the network operator doesn’t allow hooking up a custom device.

Well, it is possible after all, as proven in the past, however, in order to use the SIP gateway of network operator (whereas the login credentials are not provided), the operator-branded router must be used. *sigh*

Here’s a somewhat high-level overview: The clients, which shall connect to the lab, are in the same subnet as the default router #1. The destination for more specific lab routes is router #2, which is in the same subnet.

+-----------+        +------------+       +-----------+       +-----------+       +-----------+
| clients   |  ----  | WiFi/Wired | ----  | router #1 | ----  | router #2 | ----  | LAB stuff |
+-----------+        +------------+       +-----------+       +-----------+       +-----------+
{                            CLIENT SUBNET                          } {      LAB SUBNETS      }

So actually, I could just add the more specific routes to any client, indicating it shall forward through router #2.
However, this is cumbersome. I wond’t want to add these routes on every client.

So I tried hacking them into the Motorola/Netopia router. I had my hard time with that, but only because it’s so silly on overly complicated … 🙁
So far so good, my clients could send ICMP echo requests towards the LAB devices, however, that was as close as I could get.

Not every client was capable in accessing everything in the LAB.

As it turned out, the Motorola/Netopia sends ICMP redirects. It does that because router #2 (a cisco, btw) is reachable via the CLIENT subnet and thus directly reachable by anyone in the same subnet.
However, ICMP redirects are somewhat non-deterministic, as the forwarding is not influenced by the router anymore. I consider it vodoo, which is why I prefer turning it off.

The only problem is that this “Netopia SOC OS” doesn’t have an equivalent to a Cisco-type “no ip redirects”-command.
Well, it’s a Linux after all, so I could turn it off by setting /proc/sys/net/ipv4/conf/*/send_redirects to 0. There is an obscure way to break out from the SOC OS shell and get a unrestricted shell:

ping;/bin/busybox telnetd -l/bin/sh -p9999

This would open a root shell on port 9999, from where the kernel setting could be changed. However, since this will get reverted whenever the router reboots due to operator updates, I would need to hack this back in. I don’t like this at all. Please, let me officially retrieve the SIP credentials to hook up my IP phone directly, so I can use a Cisco router. Pretty please!

Well, one day perhaps. Until then, I need to get it working with the least intrusive means of configuration.
So, I can’t replace the router, I can’t learn it to not send redirects.
But, if my clients, ([M|m]ac)?\s?OS(\sX)? in particular, don’t play well with ICMP redirects, let’s force them to do so.

On macOS (man, let’s blatandly change the name one more time!), this can be done via the sysctl command in the Terminal.
Query it like this:

# sudo sysctl net.inet.icmp.drop_redirect
net.inet.icmp.drop_redirect: 1

So macOS indeed drops ICMP redirects by default. Let’s change this:

# sudo sysctl net.inet.icmp.drop_redirect=0
net.inet.icmp.drop_redirect: 1 -> 0

With the new setting, connections started to work right away.

A note of caution: In my opinion ICMP redirects can be a dangerous thing, as they open the door for an attacker to influence the client’s idea of the routing table.
A client should not listen to redirects and always forward traffic towards it’s designated router. Overriding a default setting like this may be ok on a case-by-case basis, but should be strongly inspected und monitored.
If I had the choice, I surely had preferred a permanently applied setting on the router instead.

Importing Rules and Objects into Check Point Firewall using DBEDIT

Posted by: gdelmatto  :  Category: Check Point, Networking

While it’s the recommend way to do, managing your objects and rules solely through Check Point SmartDashboard may be cumbersome.
Bad enough, there exists no real CLI interface, that would allow for real scripting. Well, there exists DBEDIT, which allows for automated creation of objects and even rules … sort of.
However there’s barely official documentation about it, if not Martin Hoz had taken the time to write the very useful Object Filler utility, which you find over at the Check Point User Group.

And unless you don’t want to go into the Check Point OPSEC API, DBEDIT (by the help of Object Filler) is the way to go.
Read more…

Intercept Cisco’s “write net” command with EEM

Posted by: admin  :  Category: Cisco, Networking

Well, here’s just a quick snippet on how to intercept Cisco’s “write net” command.

Why would I want to do it? Because people are lazy and tend to forget.
So instead of forcing them to remember, that they need to add the ‘/incoming’ directory for config writebacks,
I just let an EEM applet do the trick.

How is it working?

The EEM applet is intercepting the ‘write net’ cli command by matching all inputs against the pattern given.
Whenever the command is seen, it will run my own commands instead. Nice, huh? ;-?

Enough talking, here’s the code:

no event manager applet WRITENET
event manager applet WRITENET
event cli pattern “write net” sync yes
action 1.0 puts “Please wait …”
action 1.5 cli command “enable”
action 2.0 cli command “conf t”
action 2.1 cli command “file prompt quiet”
action 2.2 cli command “exit”
action 3.0 cli command “copy run tftp://tftp01/incoming/”
action 4.0 cli command “conf t”
action 4.1 cli command “no file prompt quiet”
action 4.2 cli command “exit”
action 5.0 puts “Copy stored to TFTP server at /incoming, good bye”

Swisscom FTTH: 6RD mit Cisco 892F nutzen

Posted by: admin  :  Category: Cisco, HowTo's, Networking

Wie bereits aufgezeigt, kann man statt dem Centro Grande oder Centro Piccolo auch problemlos einen Cisco 892F an einem Swisscom Vivo FTTH-Anschluss betreiben.

Hat man diese Hürde erstmal geschafft, möchte man den Cisco vielleicht am Swisscom-eigenen IPv6 6RD Gateway anbinden um in den Genuss von IPv6 zu kommen.

! Wichtige Information !

Die IP-Adresse des Swisscom 6RD Relays ändert per 9. April 2013:

Read more…

Swisscom Vivo FTTH Anschluss mit Cisco Router betreiben

Posted by: admin  :  Category: Cisco, Networking

Wer das Glück hat in einem mit Glasfaser erschlossenen Quartier zu wohnen, kann statt DSL mit Lichtgeschwindigkeit surfen – FTTH (Fibre to the Home) macht’s möglich. Bei Swisscom Vivo FFTH-Anschlüssen für Privatkunden wird man mit dem Centro Piccolo oder dem Centro Grande ausgestattet, was für die meisten Kunden auch mehr als ausreichend sein dürfe.

Möchte man allerdings seinen FTTH-Anschluss richtig ausreizen, bietet sich der Einsatz eines Cisco 892F Routers an. Zugegebenermassen nicht gerade ein billiges Gerät (ab rund 1000 Franken Listenpreis), dafür kriegt man aber auch alles, was ein Cisco typischerweise so zu bieten hat.
Read more…

Cheat sheet for Check Point Firewall

Posted by: gdelmatto  :  Category: Check Point

For everyone who’s interested in Check Point Firewall, find some valuable cheat sheets over at Jens Roesen’s Website.

Great thing indeed, and yet very helpful if you need just a quick lookup instead of going through the full official documentation.
Here’s the direct links:

Check Point CLI Cheat Sheet
Check Point’s “fw monitor” Cheat Sheet

Thanks to Jens for assembling these.

Install Icinga with MySQL and IDOUtils on FreeBSD

Posted by: gdelmatto  :  Category: FreeBSD, Networking, Operating Systems, Utilities

It’s not hard to install Icinga on FreeBSD, at least if you’re satisfied with default options.
Should you however require Icinga with IDOUtils and MySQL support, then you need to take additional steps.

Read more…

Win32 GuiDbEdit for Check Point Firewall

Posted by: gdelmatto  :  Category: Check Point, Networking

As seen in Check Point SupportCenter, there’s also a (win32) GUI Version of the DBEdit CLI tool, located at C:\Program Files\CheckPoint\SmartConsole\PROGRAM\GuiDbEdit.exe.

Great visual debugging aid if you’re doing automation stuff with CLI dbedit.

Configuring GUI Clients for CheckPoint Firewall on the CLI

Posted by: gdelmatto  :  Category: Check Point, Networking

As seen over there at CheckPoint SupportCenter

Use ‘cpconfig’ on the CLI (may need ‘expert’ mode)