Showing posts with label firewall. Show all posts

Tuesday, September 4, 2012

NETASQ: Using External tools inside the FW

Hi folks,

So I need some tools on my Unix FW; NETASQ ships with some, but lacks a lot of others. A great example is wget.

So you first need to figure out which FreeBSD version your NETASQ is running on:

Normally, for a v9, it is FreeBSD 7.3 (note the sys-7.3 in the build path):

# uname -a
NS-BSD VUXXXA1GXXXXXX 9.0.3- NS-BSD 9.0.3- #0: Mon Apr  2 21:15:37 CEST 2012     build@buildmajclipp.netasq.com:/usr/home/build/fw-9.0.3/sys-7.3/work/sys/i386/compile/NETASQ.XL.FULLVIRT.RELEASE  i386

For a v8, it is FreeBSD 6.3 (sys-6.3 in the build path):

# uname -a
NS-BSD V50XXA0A0000001 8.1.0- NS-BSD 8.1.0- #0: Wed Mar 31 13:14:10 CEST 2010     build@81maj.netasq.com:/usr/home/build/fw-8.1.0/sys-6.3/work/sys/i386/compile/NETASQ.M.FULLVIRT.RELEASE  i386

In the commands that follow, the prompt tells you which box you are on:

root@linux$ is the prompt of the Linux host (yes, sure! :-)
VUXXXXXX0000000> is the prompt of the NETASQ FW (huh?)

Download the packages from a distribution server; for wget on the 7.3 box you will need:

Wget : http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/wget-1.12.tbz

gettext: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/gettext-0.17_1.tbz

libiconv : http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/libiconv-1.13.1_1.tbz

Unpack the files in a directory:

root@linux$ tar -jxvf wget-1.12.tbz

root@linux$ tar -jxvf gettext-0.17_1.tbz

root@linux$ tar -jxvf libiconv-1.13.1_1.tbz

You now have the tool and some libs that will be needed later on. Next, transfer the wget binary (bin/wget from the unpacked package) to the NETASQ FW, into /log/wget-bsd73 for example:

VUXXXXXX0000000> mkdir /log/wget-bsd73

root@linux$ scp bin/wget mynetasqfw:/log/wget-bsd73

Check whether all the shared libs it needs are available:

VUXXXXXX0000000>ldd wget
wget:
        libssl.so.5 => not found (0x0)
        libcrypto.so.5 => not found (0x0)
        libiconv.so.3 => not found (0x0)
        libintl.so.8 => not found (0x0)
        libc.so.7 => /lib/libc.so.7 (0x280cc000)

Well... is a lot missing? In fact no, only 2 libs are really missing, libiconv.so.3 and libintl.so.8: libssl and libcrypto are already on the box as /usr/lib/libssl.so and /usr/lib/libcrypto.so, just without the versioned names wget looks for.

Transfer the 2 libs:

root@linux$ scp lib/libiconv.so.3 mynetasqfw:/log/wget-bsd73

root@linux$ scp lib/libintl.so.8 mynetasqfw:/log/wget-bsd73

For the rest we just need to create symlinks (on the FW, from /log/wget-bsd73, so that $PWD points at the copied libs):

ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.5

ln -s /usr/lib/libssl.so /usr/lib/libssl.so.5

ln -s $PWD/libiconv.so.3 /usr/lib/libiconv.so.3

ln -s $PWD/libintl.so.8 /usr/lib/libintl.so.8

Now check the shared libs again:

VUXXXXXX0000000>ldd wget
wget:
        libssl.so.5 => /usr/lib/libssl.so.5 (0x280cc000)
        libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x2811d000)
        libiconv.so.3 => /usr/lib/libiconv.so.3 (0x28288000)
        libintl.so.8 => /usr/lib/libintl.so.8 (0x2837e000)
        libc.so.7 => /lib/libc.so.7 (0x28387000)

Everything is here !

To finish, copy the wget binary to the /usr/Firewall/sbin/ directory:

VUXXXXXX0000000>cp wget /usr/Firewall/sbin/wget

Now we can test wget:

VUXXXXXX0000000>wget http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
--2011-09-04 10:14:42--  http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
Connecting to 94.23.230.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/octet-stream]
Saving to: `na_pack_updates_kasperskyStandard.md5'

100%[===========================================================================>] 72          --.-K/s   in 0s

2011-09-04 10:14:43 (1.05 MB/s) - `na_pack_updates_kasperskyStandard.md5' saved [72/72]

That's all Folks !

Monday, September 3, 2012

NETASQ: LDAP export / import without external tools (i.e. an LDAP browser)

Hi Folks,

so, every time you need to manipulate the LDAP DB, you'll find a KB, a mail, a tip saying:

Hey, you need an LDAP browser tool.

Wrong!

The NETASQ has everything inside to do this!

Let's see how:

Where the conf file is:

/var/ldap/slapd.conf

Stop the ldap server:

nstop ldap

Export the db in an ldif format:

slapd -4 -T cat -f /var/ldap/slapd.conf > /tmp/export.ldif

Modify it:

vi /tmp/export.ldif

Move the old db:

cd /data/Main/

mv Ldapbase Ldapbase.old

mkdir Ldapbase

Recreate the DB:

slapd -T add -f /var/ldap/slapd.conf -l /tmp/export.ldif
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="o=jnprlabs,dc=cons165.magirus.com" (line=1): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
_##                    11.06% eta   none elapsed            none spd 368.9 k/s
Closing DB...

Check the slapadd output first (an entry it reports as already existing, like the DB_KEYEXIST line above, was not imported), then start the LDAP server:

nstart ldap

Let's see if the modification is there:

slapd -4 -T cat -f /var/ldap/slapd.conf

That's all!!!
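Before re-importing, it is worth sanity-checking the edited LDIF. As an added example (not NETASQ code, written for this post), here is a small Python parser that unfolds continuation lines and base64 values the way slapcat writes them and reports duplicate DNs, since an entry that already exists is refused by slapadd as the output above shows; the sample LDIF reuses the dn from that output and otherwise contains made-up entries.

```python
import base64

# Constructed LDIF sample in the shape "slapd -T cat" writes: the first dn is the one
# from the slapadd output above, the other entries are made up for this example.
SAMPLE_LDIF = """\
dn: o=jnprlabs,dc=cons165.magirus.com
objectClass: organization

dn: uid=alice,o=jnprlabs,dc=cons165.magirus.com
description: a long line that was folded by the exporter
  onto a continuation line

dn: uid=bob,o=jnprlabs,dc=cons165.magirus.com
cn:: Qm9iIEzDqW9u

dn: uid=alice,o=jnprlabs,dc=cons165.magirus.com
uid: alice
"""

def parse_ldif(text):
    """Parse LDIF into a list of entries (attribute -> list of values)."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                   # folded line: append to the previous one
        elif raw:
            lines.append(raw)
        else:                                      # a blank line terminates an entry
            entry = {}
            for line in lines:
                if line.startswith("#") or line.startswith("version:"):
                    continue
                attr, _, rest = line.partition(":")
                # "attr:: xxx" is a base64 value (non-ASCII data), "attr: xxx" is plain text
                value = base64.b64decode(rest[1:].strip()).decode("utf-8") if rest.startswith(":") else rest.strip()
                entry.setdefault(attr, []).append(value)
            if entry:
                entries.append(entry)
            lines = []
    return entries

def check_ldif(text):
    """Pre-import check: (entry count, DNs that occur more than once, case-insensitively)."""
    entries = parse_ldif(text)
    seen, dups = set(), []
    for entry in entries:
        dn = entry.get("dn", [""])[0].lower()
        if dn in seen and dn not in dups:
            dups.append(dn)
        seen.add(dn)
    return len(entries), dups
```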

Tuesday, May 15, 2012

NETSCREEN: DEST NAT

To talk about DNAT, there are in fact three ways to do it:

- MIP: this method is the simplest, but also the greediest, because you reserve a whole IP,
and in reality there is no PAT (port translation), only NAT (address translation).

- VIP: a simplified method to do PAT and DNAT, but if you already have a MIP configured on an IP address,
you cannot configure the VIP.

- Policy Based NAT: the most complicated but also the most flexible method; DNAT requires strict rules (see the note below).

- Interface based NAT: not applicable to DNAT.

The precedence of the methods is:

MIP -> VIP -> Pol.NAT -> Int.NAT

This means that if an IP X appears at the same time in a MIP rule and in a policy,
only the MIP is executed. If an IP Y appears in a VIP and in a policy, only the VIP is executed.

So you cannot do a port translation on an IP already used in a MIP. If you really want to,

you will have to unconfigure the MIP, then recreate all the translations with Policy Based NAT, generally with double policies,
because a MIP does both SNAT and DNAT.

NOTE ON DNAT:

Reminder for ScreenOS: packets are processed as follows:

-1- session lookup
-2- route lookup
-3- policy lookup

Since the route is validated before the policy rule, there _MUST_ be a route for the packet's destination in its destination zone.

An example is always clearer, so here is one using Pol-NAT:

Take a setup like this:

Zone Trust:   interface e1/1, IP:10.1.20.1/24
Zone Untrust: interface e1/8, IP:1.1.10.1/24

We want to publish the address of an internal resource such that:

Public Addr: 1.1.10.20
Private Addr: 10.1.20.5

Steps to do it:

1: Configure the address book (the public address in the private zone ==> pre-translation)

    set address Trust MyPCPublic 1.1.10.20/32

2: Be reachable: choose either method A or method B:

2a: set interface e1/1 ip 1.1.10.1/24 secondary
2b: set route 1.1.10.20/32 int e1/1

3: Configure the policy, with port translation:

set policy from untrust to trust any MyPCPublic http nat dest ip 10.1.20.5 port 8080 permit

4: Check the result after testing, with a 'get session'
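The precedence rule above, as an added Python model (not ScreenOS code, written for this post): it resolves a destination IP and port against MIP, VIP and policy tables in that order, using the step 3 policy, and shows that the same policy is ignored once a MIP exists on 1.1.10.20. The table layout and the zone tuple representation are my assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Precedence applied to a packet's destination: MIP -> VIP -> policy-based NAT -> interface NAT.
# Interface NAT never does DNAT, so it is not modelled.

@dataclass
class Translation:
    method: Optional[str]   # "MIP", "VIP", "POLICY", or None when nothing applies
    dst_ip: str
    dst_port: int           # unchanged when the mechanism cannot translate ports

@dataclass
class NatTables:
    mips: dict = field(default_factory=dict)       # public ip -> private ip (1:1, no PAT)
    vips: dict = field(default_factory=dict)       # (public ip, port) -> (private ip, port)
    policies: list = field(default_factory=list)   # (from_zone, to_zone, public ip, port, private ip, private port)

def resolve_dnat(tables, from_zone, to_zone, ip, port):
    """Return the translation ScreenOS would pick for a packet to ip:port.

    Only the first mechanism in precedence order that knows the IP is used; a
    policy with 'nat dest ... port' is therefore silently ignored when the same
    IP also carries a MIP or a VIP.
    """
    if ip in tables.mips:
        return Translation("MIP", tables.mips[ip], port)      # address only, port untouched
    if (ip, port) in tables.vips:
        priv_ip, priv_port = tables.vips[(ip, port)]
        return Translation("VIP", priv_ip, priv_port)
    for fz, tz, pub_ip, pub_port, priv_ip, priv_port in tables.policies:
        if (fz, tz, pub_ip, pub_port) == (from_zone, to_zone, ip, port):
            return Translation("POLICY", priv_ip, priv_port)
    return Translation(None, ip, port)

# The policy from step 3 above: http on 1.1.10.20 -> 10.1.20.5:8080
HTTP_POLICY = ("untrust", "trust", "1.1.10.20", 80, "10.1.20.5", 8080)
POLICY_ONLY = NatTables(policies=[HTTP_POLICY])
# Same policy, but a MIP was left on the public IP (constructed conflict case)
WITH_MIP = NatTables(mips={"1.1.10.20": "10.1.20.5"}, policies=[HTTP_POLICY])
```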

NETASQ: access problem to the tax site (NOT ACCEPTABLE) with the HTTP proxy in v9.x

Firewall NETASQ

If you get this error message when a client connects over HTTP to the tax site (any section of impots.gouv.fr, for example the "espace particulier"):

NOT ACCEPTABLE
The requested URL could not be retrieved
________________________________________
The requestor is not willing to accept the available resource. This is probably due to an Accept-Encoding header on the request. The standard available Content-Encodings are: gzip, compress, deflate and identity. Footprint 4.8/FPMCP
________________________________________
Generated Wed, 09 May 2012 15:01:03 GMT by 4.26.232.254 (Footprint 4.8/FPMCP)

Here is the command line that gets past this error; it disables the proxy's encoding filter for that HTTP profile. (Note: the "01" in /Firewall/ConfigFiles/Protocols/http/01 is the slot of the outgoing profile; if you use another one, adapt the command.)

setconf /Firewall/ConfigFiles/Protocols/http/01 Proxy EncodingFilter 00
enproxy


Thursday, January 12, 2012

Juniper: SRX / J-Serie: Configure syslog to enable web policy log

JUNOS J-Web policy log display
So, you've just installed a new SRX in place of your NetScreen, so you go through Config / Security / Policy FW, add a new policy and tick the logging check-boxes session-init and session-close.
You start some traffic that matches the policy, go back to J-Web to view the policy logs... and find nothing! Why?
This is because you first need to configure the syslog in a special way so that J-Web can display the logs.
As you may know, all components of the Junos config work internally with XML, so you need to create an XML (structured-data) syslog file.
Two ways to do so:
- directly with J-Web,
- manually with the CLI.

CLI method
Under the CLI, in configuration mode, you have to configure this:
[edit system syslog]
root@gwoob#
file policy_session {
    user info;
    match RT_FLOW;
    archive size 1000k world-readable;
    structured-data;
}

which you get by entering the commands:
set system syslog file policy_session user info
set system syslog file policy_session match RT_FLOW
set system syslog file policy_session archive size 1000k
set system syslog file policy_session archive world-readable
set system syslog file policy_session structured-data

J-Web method
If you have no logs under Monitor / Event and Alarms / Security Event,
you have to click the button "Create log configuration" in the middle panel (same path: Monitor / Event and Alarms / Security Event).

Now you will be able to see the policy logs.

Phil.
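Because the file is written with structured-data, it can be read by a script as well as by J-Web. As an added example (not from the original post), here is a Python parser over three constructed RT_FLOW lines whose field names follow the Junos structured RT_FLOW format; the host name gwoob, addresses, policy names and session id are made up.

```python
import re
from collections import Counter

# Constructed sample lines in the syslog structured-data shape that the
# "structured-data" option above produces. Field names follow the Junos
# RT_FLOW events; every value here is made up for this example.
SAMPLE_LOG = """\
<14>1 2012-01-12T09:15:01.000Z gwoob RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="10.1.20.5" source-port="51234" destination-address="1.1.10.20" destination-port="80" service-name="junos-http" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001"]
<14>1 2012-01-12T09:15:07.000Z gwoob RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="10.1.20.5" source-port="51234" destination-address="1.1.10.20" destination-port="80" service-name="junos-http" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001" packets-from-client="12" bytes-from-client="1800" packets-from-server="10" bytes-from-server="5400"]
<14>1 2012-01-12T09:16:00.000Z gwoob RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="8.8.4.4" source-port="40000" destination-address="1.1.10.20" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="untrust" destination-zone-name="trust"]
"""

# event name, SD-ID, then the key="value" parameters inside the brackets
EVENT_RE = re.compile(r'\s(RT_FLOW_\w+)\s\[(\S+)\s(.*)\]\s*$')
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

def parse_rt_flow(line):
    """Return {"event": ..., "sd_id": ..., <param>: <value>...} or None if not an RT_FLOW line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    rec = {"event": m.group(1), "sd_id": m.group(2)}
    rec.update(dict(KV_RE.findall(m.group(3))))   # quoted values may contain spaces ("TCP FIN")
    return rec

def sessions_by_policy(log_text):
    """Count RT_FLOW events per (event, policy-name): the view J-Web builds from this file."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_rt_flow(line)
        if rec:
            counts[(rec["event"], rec.get("policy-name", "?"))] += 1
    return counts

def closed_session_bytes(log_text):
    """Map session id -> total bytes, for sessions that have a SESSION_CLOSE record."""
    totals = {}
    for line in log_text.splitlines():
        rec = parse_rt_flow(line)
        if rec and rec["event"] == "RT_FLOW_SESSION_CLOSE":
            totals[rec["session-id-32"]] = int(rec["bytes-from-client"]) + int(rec["bytes-from-server"])
    return totals
```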

Tuesday, March 29, 2011

Juniper: How to reset an SRX to factory default

SRX: different ways to reset to factory-default

So, you may know the standard way, the way it is taught, I mean pushing the reset micro-button for 15 seconds. This method works fine on J-series, but not on some SRX, and not on MX series...

So I will try to write down some of the methods I have used to reset Juniper devices to factory default.

Factory default, really?

First, I need, we need to define what exactly a factory-default reset is. Is it just putting the configuration back to its initial state? Just this? And what do you do with all the log files? The debug files? The saved configurations?

It is a security risk to leave everything inside the box, so putting a device back to the factory-default state is not just about the configuration, it is mainly about everything, even the SSH host key: we want to generate a new one, because the old one is not trusted anymore.

Let's start.

Lost the root password.
The common process is to boot in single-user mode:

At boot, after U-Boot, when the bootstrap is loaded, you can hit the spacebar when you see:

Hit [Enter] to boot immediately, or space bar for command prompt.

So you should see:

FreeBSD/MIPS U-Boot bootstrap loader, Revision 1.5
(builder@ormonth.juniper.net, Fri Oct  9 10:55:15 UTC 2009)
Memory: 1024MB
[0]Booting from nand-flash slice 2
Un-Protected 1 sectors
writing to flash...
Protected 1 sectors
Loading /boot/defaults/loader.conf
/kernel data=0x97d8ac+0xd70d0 syms=[0x4+0x79c50+0x4+0xadd2e]

Hit [Enter] to boot immediately, or space bar for command prompt.

Loader>
Loader> watchdog disable
Loader> boot -s
root@host% cli
root@host> edit
root@host# set system root-authentication plain-text-password
New password: juniper1
Retype new password: juniper1
root@host# commit
commit complete
root@host# run request system reboot
Reboot the system ? [yes,no] (no) yes

Root password on the SRX platform
On SRX Branch platforms running Junos 10.0R1 or later, there is a condition in which the password recovery process does not work: after issuing the recovery command, the system never reaches the point where the root password can be changed and reboots instead. So a specific procedure is needed to recover the root password on SRX Branch devices running Junos 10.0R1 or later. It involves disabling the watchdog so that the system can properly boot into single-user mode.

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog disable
Loader> boot -s

Change the root password and reboot, and don't forget to re-enable the watchdog and boot in normal mode:

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [kernel] in 9 seconds...
Loader>
Loader> watchdog enable
Loader> boot

Damned, HA is enabled

If you're lucky, your device is in master mode, so you can just disable HA:

{primary:node1}
root@titi> set chassis cluster disable reboot
Successfully disabled chassis cluster. Going to reboot now

But if you're not lucky, your device is on hold, and you're trying to reset the root password in single-user mode, but you can't:

Starting CLI ...
{hold:node1}
root> edit
warning: Clustering enabled; using private edit
error: shared configuration database modified

Please temporarily use 'configure shared' to commit
outstanding changes in the shared database, exit,
and return to configuration mode using 'configure'

{hold:node1}
root>

Ok, so deleting all the interfaces in the configuration seems to allow me to finally commit.

Then reboot and disable the cluster:

root@>set chassis cluster disable

TRUE Factory default

So, to delete all the logs, the dumps, the rollbacks, the root password in the factory-default config, and even to reset the host SSH key, you need to zeroize the device:

root> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes

warning: zeroizing re0

....
....

Local package initialization:.
starting local daemons:.
kern.securelevel: -1 -> 1
Creating JAIL MFS partition...
JAIL MFS partition created

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

secdb initialized

Database Initialization Utility
RDM Embedded 7 [04-Aug-2006] http://www.birdstep.com
Copyright (c) 1992-2006 Birdstep Technology, Inc.  All Rights Reserved.

dfacache initialized

Boot media /dev/da0 has dual root support
** /dev/da0s2a
FILE SYSTEM CLEAN; SKIPPING CHECKS
clean, 58564 free (44 frags, 7315 blocks, 0.0% fragmentation)
Tue Mar 29 14:41:31 UTC 2011

Amnesiac (ttyu0)

login: root

--- JUNOS 10.2R3.10 built 2010-10-16 20:36:59 UTC

root@%

EX series TIPS
LINECARD
Sometimes your switch can be in the linecard state, which means that there is no routing engine running in it. So you first need to enable one.
Example of the linecard prompt:
root@:LC:0% cli
{linecard:0}
root>
To enable the RE mode:

root> request virtual-chassis reactivate

This member split from a virtual chassis. Please make sure that no active
switch belonging to this virtual chassis has conflicting configuration.

Do you want to continue ? [yes,no] (no) yes

{linecard:0}
root>
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

login:
Amnesiac (ttyu0)

root@:RE:0%      

So now you can configure the switch.

MEMBER-ID is not 0
So, if your switch was a member of a virtual chassis and its member-id was from 1 to 9, you can't leave it as is, because all your interface configuration that belongs to ge-0/0/0-47 won't be enabled...
So you need to renumber your device:

{master:1}
root> request virtual-chassis renumber new-member-id 0 member-id 1

Note: replace 1 with your actual member-id.

The prompt changes:

{master:0}
root>

That's all for the moment.

Friday, August 13, 2010

NETASQ: How to handle FTP PASSIVE connections?

ASQ handles FTP thanks to the FTP plugin's analysis of the command port.

Support for FTP in a REDIRECT rule for passive connections to an internal server:
handling passive connections for an internal FTP server is only done through a REDIRECT
operation; a BIDIRECTIONAL MAP operation won't work for this purpose.

So you have an Internal FTP server. You want to allow access from the Internet.

You must be aware of:

- the ftp plugin must be in auto-attach,
- ftp support must be activated in the NAT rule (we discuss this part below),
- in the object, the ftp service must explicitly use the FTP plugin,
- in the filter policy you must have an explicit allow for the ftp service,
- you do not have to allow ftp-data.

So you have an extra public IP used for the FTP service. Naturally you created a BIMAP NAT rule.
This works fine only if your FTP server runs in active mode!

If your FTP server runs in passive mode, you need to create an extra NAT rule, a REDIR one! Unless you do so, your passive FTP server won't be reachable from the Internet.

To sum up:

            FTP option { MAP / BIMAP } : support CLIENT ACTIVE FTP

            FTP option { REDIR }: support SERVER PASSIVE FTP

Definition of the different NAT types used in NETASQ:

MAP    that is used for mapping one address or network to another in an
       unregulated round robin fashion;

REDIR  that is used for redirecting packets to one IP address and port
       pair to another;

BIMAP  for setting up bidirectional NAT between an external IP address
       and an internal IP address and