Free Open-source Unified Threat Management Software Untangle Reviewed

With spam, spyware, identity theft (phishing), cracking, viruses and trojans becoming prevalent ways to steal your rights over your own machine or domain, network security is one of the main concerns for all of us. While network security is too big a term to implement, we resort to firewalls, anti-virus tools, spam blockers, anti-spyware and other internet security software to protect ourselves, apparently. Having so many watchmen to protect your computer network carries a bane of its own. These solutions steal more and more cycles from your CPU, degrading performance in the name of security. At the rate things are going, you will need a quad-core machine to attach a file and send it to a friend via e-mail because of all of the security layers, protections and encryption that you will have to use dynamically in day-to-day operation. So why not have a one-point solution to all of these problems?

For that, today our topic is centered around Untangle, an integrated family of applications that simplify and consolidate the network and security products that businesses need at the network gateway.

Full article (1493 words) »

DansGuardian Configure Error Fix - configure: error: pcre-config not found!

On running ./configure in dansguardian (web content filter for Linux), I got the following error:

configure: error: pcre-config not found!
configure: WARNING: Cache variable ac_cv_prog_PCRE contains a newline.

The solution, as usual, is simple:
Full article (50 words) »

How To Forward Local Host & Port via SSH Client To Remote SSH Server

SSH is aptly termed the poor man's VPN. You can use it to forward a local host name and port to a remote server running the SSH daemon. You can also use it to forward a remote server's port to a local host and port.

Full article (227 words) »

How To Protect Linux Server From Stolen Zombie Netblocks & 100% Professional Spammer Controlled Netblocks

DROP (Don't Route Or Peer) is an advisory "drop all traffic" list from Spamhaus, consisting of stolen 'zombie' netblocks and netblocks controlled entirely by professional spammers. DROP is a tiny subset of the SBL advisory designed for use by firewalls and routing equipment. It can also be implemented in iptables rules as explained below.

Full article (299 words) »

How To Configure Dual ADSL / Cable Connections, Firewall, Gateway / NAT With Shorewall Firewall on Linux

Shorewall is an excellent free Linux firewall which provides an unparalleled level of fine-grained control. It not only acts as a firewall and gateway, it also supports DMZ, IP Masquerading (NAT & SNAT), Proxy ARP and more. In short, Shorewall is your one-stop solution for complex network routing needs and flexible, controllable internet connectivity options.

Full article (663 words) »

How To: Load Balancing & Failover With Dual/ Multi WAN / ADSL / Cable Connections on Linux

In many locations, including but definitely not limited to India, single ADSL / Cable connections can be unreliable and also may not provide sufficient bandwidth for your purposes. One way to increase reliability and bandwidth of your internet connection is to distribute the load (load balancing) using multiple connections. It is also imperative to have transparent fail-over so routes are automatically adjusted depending on the availability of the connections. With load balancing and fail-over you can have reliable connectivity over two or more unreliable broadband connections (like BSNL or Tata Indicom in India). I present you with the simplest solution to a complex problem with live examples.

Note: Load balancing doesn't increase connection speed for a single connection. Its benefits are realized over multiple connections like in an office environment. The benefits of fail-over are however realized even in a single user environment.

The load balancing mechanism in Linux, to be discussed with an example below, caches routes and doesn't provide transparent fail-over support. There are two ways to incorporate transparent fail-over: 1. compiling and using a custom Linux kernel with Julian Anastasov's kernel patches for dead gateway detection, or 2. using a user space script to monitor connections and dynamically change routing information.

Julian Anastasov's patches have two problems:
1. They work only when the first hop gateway is down. In many cases, including ours, the first hop gateway is the ADSL modem cum router, which is always up. So we need a more robust solution for our purposes.

2. You have to compile a custom kernel with patches. This is a somewhat complex procedure with reasonable chances of screwing something up. It also forces you to re-patch the kernel every time you decide to update your kernel. Overall I wouldn't recommend anyone going the kernel patching route unless that is the only option. Also, in that case you should look for an RPM-based solution (like the livna rpm for nVidia drivers) which does it automatically for you.

A better solution is to use a userspace program which monitors your connections and updates routes as necessary. I will provide a script which we use to constantly monitor our connections. It provides transparent fail-over support with two ADSL connections. It is fully configurable and can be used for any standard dual ADSL / Cable connections to provide transparent fail-over support. It can also be easily modified for use with more than two connections. You can also use it to log uptime / downtime of your connections like we did.
Full article (1971 words) »

Security Vulnerability: Firewall Site Exposes Sensitive Data Through phpMyAdmin

I was looking for the wiki of a popular Linux based firewall site. The main URL was 404, so I went up one level hoping to find a new URL. Suddenly I had a directory listing with interesting files and a link to phpMyAdmin. Wondering how a firewall site maintains its own security, I clicked on phpMyAdmin, fully expecting a password prompt.

Surprisingly I found phpMyAdmin of the site to be openly accessible to all. It showed several databases including but not limited to bugtracker, wiki, drupal and one that looked like an invoice database. I dared not venture further. I immediately sent an email to the only contact email I found in their old documentation. It is really scary.
Full article (309 words) »

Wading in IPTABLES, Traffic Shaping & Routing for Multiple Uplink Providers

I am wading through tons of material to improve my knowledge of Linux networking in general and more specifically to configure our firewalls properly and routing for multiple uplink providers with traffic shaping and failover.

Full article (286 words) »

Experiences With eBox Platform (Total Network Solution for Small Business)

eBox platform provides a mini-debian installation along with its modules to allow you to provide and manage network services on your corporate network. The key capabilities include support for multiple external network interfaces with load balancing, traffic shaping, transparent proxy, firewall, content filters, DNS (domain name server), NTP (time server), mail server, Jabber Instant Messaging server, SAMBA for file sharing, DHCP and more. In short, it promises to be a one-stop solution for all network service needs of small businesses. I was particularly interested in load balancing between multiple ADSL providers and traffic shaping capabilities. Here are my experiences with eBox platform.

Full article (403 words) »

How To Disable IPv6 on Fedora / Linux & Why

A guide to easily disable IPv6 support on your Linux workstation / server:
1. Add the two lines, if not already present, to /etc/modprobe.conf:

Full article (224 words) »
