netio: A Network Benchmark Tool


netio in action under pfSense 2.1.5.

netio is a network benchmark utility for OS/2 2.x, Windows, Linux and Unix. It measures the net throughput of a network via TCP and UDP protocols using various different packet sizes. For netio to run a benchmark, one instance has to be run on one computer as a server process, while another instance is used on another computer to perform the benchmark. Starting with version 1.20, multi-threading support is required. While this does not affect anyone using the program under Linux or BSD, it did mean that DOS was no longer supported.

netio: Installation and Use

To install netio under pfSense, navigate to System -> Packages, and scroll down to netio in the list. Press the “plus” button to begin installation, and on the next screen, press “Confirm” to confirm installation. netio should complete installation within a few minutes.

Once netio is installed, there will be a new item on the Diagnostics menu called “netio“. If you navigate to it, you will find two tabs: “Client” and “Server“. The “Client” tab, appropriately enough, is to configure netio to run as a client, while “Server” will allow it to act as a server. On the “Client” tab there are two settings: “Server” (for the IP address or hostname netio will connect to) and “Port” (for the port that netio will connect to). On the “Server” tab, there is only one field: “Port“, to specify the port netio will bind to (the default is 18767). Press the “Save” button at the bottom to save settings.

Running netio at the command prompt under Windows 8.1.

Whether you run netio as a client or server, netio requires another node with which to connect. As a result, you are going to have to download netio, which you can do from the official netio site. The zip file contains both the source code and binaries for several platforms, including Windows, Linux, BSD, OS/2 and Mac OS X. Select the right binary for your platform and run netio from your system’s command prompt/shell.

At the risk of stating the obvious, if you are running netio under pfSense as a server, then you want to be running it under the other system as a client, and vice versa. The netio server is a plain benchmark listener, not a hardened service, so allow its port (18767 by default) through the firewall only from the host you are testing from, and stop the server once the benchmark is done. To test netio, I decided to run it under pfSense as a server (I kept the default port and just pressed “Save”). In Windows, I typed:

win32-i386 -t <server-ip>

where win32-i386 is the name of the Windows executable, -t selects the TCP protocol, and <server-ip> stands for the IP address of the server (my pfSense box). The output of netio can be seen in the screenshot on the right.

And here we are running it under Linux Mint 17.

One limitation of the program is that once a client has connected with one protocol (e.g. TCP), a second client run using another protocol (e.g. UDP) may fail to connect to the same server instance. If you try this and get an “error code 10060” message (Winsock error WSAETIMEDOUT, a connection timeout), restart the server and then attempt the client connection again.

Did I mention that netio supports several platforms? This last screenshot shows what happened when I ran netio under Linux on an old IBM Lenovo M51 running Mint Linux 17. The only shortcoming is that the binary for Linux is version 1.30 of the program, not the latest version (1.32). Thus if you want the latest version under Linux, you’ll have to compile it yourself.

External Links:

The official netio site

Securing Ports and Services

A computer system that is not connected to a network is a rarity. Networking provides flexibility in terms of the remote services, data and information that are available, but it also brings considerable risk: it is safest to assume that any computer connected to a network can be attacked in some way. Highly secure environments, such as those used by government defense organizations, are often air-gapped from the outside world even when the machines are networked to each other, and as a result they have greater success in securing ports and services.

The predominant network communications protocol is TCP/IP. It is the protocol used by the Internet and thus has supplanted most of the formerly popular protocols used for local area networks (LANs). However, TCP/IP was conceived to send and receive data reliably, not to secure it. Securing the data (and securing ports) is the job of applications listening and sending on specific ports.

TCP and UDP each define 65,536 port numbers (0 through 65535), of which ports 0 through 1023 are the well-known ports reserved for standard services; IANA further designates 1024 through 49151 as registered ports and 49152 through 65535 as dynamic (ephemeral) ports. These are, of course, not physical ports into which network cables are connected, but rather virtual endpoints on each network connection which applications and services use to communicate over TCP/IP. In practice, the number of ports used by popular network clients and services is an even smaller subset of the well-known group, which makes the task of securing ports somewhat easier.

There are a number of different TCP/IP services which can be provided by an operating system. Such services include HTTP for running a web server, FTP for allowing file transfers, SSH and Telnet for providing remote login access and SMTP for the transport of e-mail messages. Each service in turn is assigned a standard port. For example, port 80 is for HTTP requests, port 21 is for FTP control connections, port 22 is for SSH, port 23 is for Telnet (which sends credentials in cleartext and should be replaced by SSH wherever possible), port 25 is for SMTP and port 17 is for the quote of the day service.

Securing Ports and Services: How It’s Done

A large part of securing ports and securing servers involves defining roles, and based on the roles, defining which services and ports should be enabled. For example, a server that is to act solely as a web server should only run the HTTP service, and perhaps SSH for remote administration access. All other services should be disabled, and ideally, removed entirely from the operating system. Removing the service will make it harder for an intruder to re-enable the service. Thus, while it is necessary for some ports to be open to Internet traffic, it is also necessary to ensure that only the bare minimum are exposed and that the software on the system is as up to date as possible.

Securing a system involves (a) removing any unnecessary services from the operating system and (b) ensuring that the ports associated with these non-essential services are blocked using a firewall.

Many operating systems are installed with a number of services installed and activated by default. Before installing a new operating system, it is essential that the installation be carefully planned. This involves deciding which services are not required and identifying which services have been installed and enabled by default. It helps if deployment is not rushed; the fewer services and open ports available on a system, the smaller the surface area and opportunities for attackers. In addition, it is essential to turn on automatic updates, both for Windows and Linux, as well as for your antivirus software.

As for the firewall, you will want a dedicated firewall between your network and the Internet. Although not absolutely essential, it is good practice to run a host-based firewall on each computer as well. In securing ports, configure the firewall to deny all traffic by default and allow only the ports you know should be open. Because some malicious software silently opens listening ports, check the listening ports yourself periodically, compare them against the services you expect to be running, and close any that you do not need.
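One way to do that check on a Linux host, as an added example that is not from the original article: feed the output of ss -H -tulnp (iproute2's socket statistics, headerless, TCP and UDP listeners with process names) into a function that compares each listening port against an allowlist and names the port when it belongs to one of the legacy inetd services or the default back door ports discussed elsewhere on this page (NetBus on TCP 12345, Back Orifice on UDP 31337). The allowlist of 22 and 80 is an assumption for a host running SSH and a web server; the function reads ss-style lines on standard input so it can also be run against saved output.

```shell
#!/bin/sh
# Added example, not code from the original article: audit the listening TCP/UDP
# sockets on a Linux host against an allowlist of expected ports. Assumes `ss`
# from iproute2 is installed; ALLOWED_PORTS below is a sample for a host that
# runs SSH and a web server and nothing else.

ALLOWED_PORTS=${ALLOWED_PORTS:-"22 80"}

# Name the ports that deserve a specific warning when they show up unexpectedly:
# the legacy inetd services covered elsewhere on this page, plus the default
# ports of two classic back door tools.
note_for_port() {
    case "$1" in
        7)     echo "echo (legacy inetd service)" ;;
        9)     echo "discard (legacy inetd service)" ;;
        13)    echo "daytime (legacy inetd service)" ;;
        17)    echo "qotd (legacy inetd service)" ;;
        19)    echo "chargen (legacy inetd service, DoS amplifier)" ;;
        79)    echo "finger (legacy inetd service)" ;;
        12345) echo "NetBus default port" ;;
        31337) echo "Back Orifice default port" ;;
        *)     echo "not in allowlist" ;;
    esac
}

# Read lines in the format of `ss -H -tulnp` on stdin
# (proto state recv-q send-q local-address:port peer-address:port [process])
# and print one line per listener whose port is not in ALLOWED_PORTS.
# Returns 0 when every listener is allowed, 1 otherwise.
audit_listeners() {
    unexpected=0
    while read -r proto state rq sq laddr peer rest; do
        [ -n "$proto" ] || continue
        port=${laddr##*:}      # text after the last ':' works for 0.0.0.0:22 and [::]:22
        case " $ALLOWED_PORTS " in
            *" $port "*) continue ;;
        esac
        unexpected=1
        printf '%s %s port %s: %s (%s)\n' \
            "$proto" "$laddr" "$port" "$(note_for_port "$port")" "${rest:-no process info}"
    done
    return $unexpected
}

# Live usage: ss -H -tulnp | audit_listeners
```

Run it from cron and alert on a non-zero exit status; a listener with "no process info" usually means ss was run without root, so repeat the check as root to see which binary owns the socket.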

External Links:

TCP/UDP ports on Wikipedia

How to secure your TCP/IP ports at

Back Door Attacks


Back Orifice in action.

Back door attacks utilize programs that provide a mechanism for entering a system without going through the usual authentication process. This can either take the form of hidden access points intentionally put into an application by the original developers to aid in maintaining and debugging the software which were then left in when the software was installed by customers, or a malicious program that is placed on a system via a virus or other method which opens up the system to unauthorized access.

Back Door Attacks: Back Orifice, NetBus and Sub7

A number of back door programs have been discovered over the years which can be used in back door attacks. Here are some of them:

  • Back Orifice: The brainchild of Sir Dystic of the Cult of the Dead Cow, Back Orifice was released in 1998 to demonstrate the lack of security in Windows 95/98. It has legitimate uses, such as remote administration, but it also has attributes that make it suited to less benign uses such as back door attacks: the server can hide itself from a cursory inspection by users of the system, and because it installs without user interaction it can be distributed as the payload of a Trojan horse. As a result, the antivirus industry immediately categorized the tool as malware and added it to their signature databases. Two sequels followed: Back Orifice 2000 (released in 1999), and Deep Back Orifice by the French Canadian hacking group QHA.

  • NetBus: Another program that can be used in back door attacks, NetBus is a program for remotely controlling a Microsoft Windows computer over a network. It was released in 1998, a few months before Back Orifice. It has a two-part client-server architecture. The server must be installed and run on the computer that is to be remotely controlled; it was an .EXE file of about 500 KB. When started for the first time, the server installs itself on the host computer, modifying the Windows registry so that it starts automatically at each system startup. The server is a faceless process listening for connections on TCP port 12345 (the port number is adjustable in later versions). The client is a separate program with a graphical user interface that lets the user perform a number of actions on the remote computer, such as keystroke logging, screen captures, file browsing, opening and closing the CD tray, and tunneling. The NetBus client was designed to work under Windows 95/98/ME/NT 4.0, as well as Windows 2000/XP. Major parts of the protocol are textual, so the server can also be controlled by typing commands over a raw TCP connection from a non-Windows computer.
  • Sub7: Originally written by someone with the handle “mobman”, Sub7 got its name by spelling “NetBus” backwards (“SubTen”) and swapping “ten” for “seven”. Because its typical use is to allow undetected and unauthorized access, security experts usually describe Sub7 as a Trojan horse. Like Back Orifice and NetBus, Sub7 is distributed as a server and a client. It has more features than NetBus, such as webcam capture, multiple port redirection, a user-friendly registry editor and chat, as well as features borrowed from penetration testing, including a port scanner and a port redirector. Customizations possible with the Sub7 server editor include changing the port numbers and displaying a customized message upon installation; someone deploying Sub7 in a back door attack can use that message to deceive the victim and mask the true intent of the program. Nearly all antivirus programs detect Sub7 and prevent it from being installed unless steps are taken to hide it.

Installing any of the above back door programs compromises network security. Up-to-date antivirus scanning will catch the stock versions of all three, but it should not be the only control: a repacked or modified server may slip past signatures, so also deny unsolicited inbound connections at the firewall, restrict outbound traffic from servers, and watch for listeners on the tools' default ports (TCP 12345 for NetBus, UDP 31337 for Back Orifice) and for unexplained new listening ports in general.

External Links:

Back Orifice on Wikipedia

NetBus on Wikipedia

Sub7 on Wikipedia

Backup Your Network with Bacula


Adding a director to bacula-client under pfSense 2.1.3.

Bacula is an open source, enterprise-level computer backup system for heterogeneous networks. It is designed to automate backup tasks that had often required intervention from a systems administrator. Bacula supports Linux, UNIX, Windows and Mac OS X backup clients, although here we are mainly concerned with the Bacula package running under pfSense. It also supports a range of professional backup devices, including tape libraries. Administrators and operators can configure Bacula via a command-line console, GUI or web interface. Its backend is a catalog of information stored by MySQL, PostgreSQL, or SQLite. Bacula is the collective work of many developers, including Kern Sibbald, and has been under development for fourteen years as of this writing. It is open source and is available without fees for both commercial and non-commercial applications, under the AGPL version 3 license, with exceptions to permit linking with OpenSSL and distributing Windows binaries.

Bacula Backup: Installation and Configuration

The Bacula server has to be installed separately. Depending on which platform/operating system you are using, you may have to compile Bacula, although Bacula seems to be present in the Red Hat Enterprise Linux (RHEL) and CentOS repositories. To install the Bacula client under pfSense, navigate to System -> Packages, and scroll down to bacula-client on the package list. Press the “plus” button to the right of the entry, and press “Confirm” to confirm installation. Installation of Bacula should not take long.

Once installation is complete, there will be a new entry on the “Services” menu called “Bacula-client“. The configuration files for Bacula will not be generated until you have saved a configuration change. To understand the configuration options, it helps to understand the architecture of Bacula.

Bacula is made up of the following six major components or services: Director, Console, File, Storage, Catalog and Monitor:

  • Director: The director service is the program that supervises all the backup, restore, verify and archive operations. The system administrator uses the director to schedule backups and to recover files. The director runs as a daemon in the background.
  • Console: The console service is the program that allows the administrator or user to communicate with the director. Currently, the console is available in three versions: a text-based console, a Qt-based GUI and a wxWidgets GUI. The simplest is to run the console program in a shell window, and most system administrators will find this completely adequate. The GUI versions are not as complete as the shell console but have most of its capabilities; the wxWidgets GUI adds an interactive file restore.
  • File: The file service is the software program that is installed on the machine to be backed up. The file services are also responsible for the file system dependent part of restoring the file attributes and data during a recovery operation.
  • Storage: The storage services consist of the software programs that perform the storage and recovery of the file attributes and data to the physical backup media or volumes. In other words, the storage daemon is responsible for reading and writing your tapes or other storage media.
  • Catalog: The catalog services are comprised of the software programs responsible for the maintaining the file indexes and volume databases for all files backed up. Bacula currently supports three different databases: MySQL, PostgreSQL, and SQLite.
  • Monitor: The monitor service is the program that allows the administrator or user to watch the current status of Bacula directors, file daemons, and storage daemons. Currently, only a GTK+ version is available.

If you navigate to Services -> Bacula-client, there are three tabs: “Directors“, “FileDaemon“, and “View Configuration“. The first tab, “Directors“, enables you to add directors by pressing the “plus” button on the right side. You can specify the “Director Name” and provide a description in the “Description” field. You need to supply a password at “Password“; this is a shared secret that must match the Password directive of the Client resource for this host in bacula-dir.conf on the director, and Bacula uses it in a CRAM-MD5 challenge-response to authenticate the director to the file daemon, so use a long random string rather than a dictionary word. At the “Director type” dropdown box, you can select the director attributes. “Director” just specifies that it is a director. “Local” causes the Monitor attribute in bacula-fd.conf to be set to “yes” and the director attribute in the Messages section of bacula-fd.conf to be set to this director. Setting the director type to monitor causes the Monitor attribute to be set to “yes“, but leaves the director attribute unchanged.

On the “FileDaemon” tab, there are currently only two settings: “File Daemon port” (the default is 9102), and “Maximum Concurrent Jobs” (the default is 20). The volume format becomes more complicated with multiple simultaneous jobs; consequently, restores may take longer if Bacula must sort through interleaved volume blocks from multiple simultaneous jobs. Thus, you should probably leave “Maximum Concurrent Jobs” set to 20 unless you have a specific reason otherwise. Since the file daemon listens on port 9102 for connections from the director, allow that port through the firewall only from the director's address. Finally, “View configuration” allows you to view (but not alter) the bacula-fd.conf file.

External Links:

The official Bacula web site

Bacula on Wikipedia

Useless Services


Like a vestigial tail, there are often applications running on our machines that no longer serve any useful purpose. These services may be part of an earlier set of libraries that the programmers built on and never bothered to take out. This is one of the downsides of ever-increasing processing power and memory capacity. Programmers used to carefully ration every byte they used and would never allow unnecessary lines in their code. However, in this age of bloatware and gigabyte-sized operating systems, it is often easier to leave legacy services in rather than risk breaking some other program that depends on them. The incredible thing is that these services are often turned on by default. Here is a list of some of those services:

Useless Services in Linux

Service (common port number): function

chargen (19): Sends a continuous stream of characters when polled. Not only is this service no longer used, but it can be abused for denial of service (DoS): it spits out character streams for as long as a client asks, and because it answers UDP it can be used to reflect and amplify traffic toward a spoofed source address.
daytime (13): Returns the time of day as text. Not needed by any modern system function (NTP is used instead).
discard (9): Silently discards whatever is sent to it. Mainly used for testing purposes.
echo (7): Replies with whatever was sent to it. Like chargen, echo can be used in DoS attacks by sending it a steady stream of data to echo, or by bouncing spoofed UDP traffic between two echo or chargen servers.
finger (79): Much has been said about this service. [Consider, for example, the original Internet worm, released by Robert Morris in 1988, which exploited a buffer overflow bug in the finger daemon and propagated itself from one machine to another.] It also discloses user names and login activity, which is very useful to attackers.
qotd (quote of the day) (17): Sends a short quote or phrase, set up by the system administrator, to anyone who connects to the port.
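To find which of these are still switched on under xinetd, the following added example (not from the original article) scans an xinetd configuration directory and lists the legacy services whose file does not contain disable = yes, which xinetd treats as enabled. It assumes the one-file-per-service layout under /etc/xinetd.d used by CentOS/RHEL 5 and 6 (including the separate -dgram and -stream files those distributions ship for echo, chargen and friends), and it changes nothing; disable a service by setting disable = yes in its file and reloading xinetd, or with chkconfig <file-name> off.

```shell
#!/bin/sh
# Added example, not code from the original article: report which legacy inetd
# services from the table above are still enabled in an xinetd configuration
# directory. Assumes xinetd with one file per service (CentOS/RHEL 5 and 6
# layout); read-only, it only prints what it finds.

LEGACY_SERVICES="chargen daytime discard echo finger qotd"

# Print "service file" for every legacy service whose xinetd file lacks a
# "disable = yes" line (xinetd treats a missing disable line as enabled).
# Usage: enabled_legacy_services [xinetd_dir]   (default: /etc/xinetd.d)
# Returns 0 when none of the legacy services is enabled, 1 otherwise.
enabled_legacy_services() {
    dir=${1:-/etc/xinetd.d}
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # CentOS ships e.g. echo-dgram and echo-stream; strip the suffix
        # so both map back to the service name used in LEGACY_SERVICES.
        base=${name%-dgram}
        base=${base%-stream}
        case " $LEGACY_SERVICES " in
            *" $base "*) ;;
            *) continue ;;
        esac
        if ! grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$f"; then
            echo "$base $f"
            found=1
        fi
    done
    return $found
}

# Print the commands that would switch the enabled ones off, without running them.
remediation_commands() {
    enabled_legacy_services "$1" | while read -r svc file; do
        echo "sed -i 's/^\([[:space:]]*disable[[:space:]]*=\).*/\1 yes/' $file   # $svc"
    done
    echo "service xinetd reload"
}

# Live usage: enabled_legacy_services || remediation_commands
```

A file with no disable line at all (the daytime case in the test below) is the one people miss: it is enabled, because xinetd's default for disable is no.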

If you are running Windows, there are other services you will probably want to disable. Here is a partial listing of those useless services:

Useless Services in Windows

Service: description

Remote Registry: Enables viewing and changing the Windows Registry from a remote computer (including an attacker's).
ClipBook (Windows XP only): Shares Clipboard contents over a network.
Function Discovery Resource Publication (Windows Vista, 7, 8, 8.1): Publishes this computer's shared resources (printers, libraries, etc.) on the network.
Offline Files (Windows Professional/Business/Ultimate): Caches selected folders and files from file servers so that the items are always available.
SSDP Discovery: Detects and publishes devices via the Simple Service Discovery Protocol, such as UPnP devices (home entertainment systems, media streamers, printers, some WiFi routers, etc.).
Telnet (Windows XP only): Enables remote access to a command-line interface over a network, with credentials sent in cleartext.
WebClient: Enables creating, accessing and modifying files on the Internet over WebDAV from Windows-based programs. Disabling it does not affect FTP, SSH, SCP or browser-based access.
Windows Media Player Network Sharing Service: Enables streaming music and video to home entertainment systems and other computers/devices over a network.

If you disable at least some of these services, your system should be harder for hackers and bots to attack, and your system will be more secure.

External Links:

Remove useless services/apps at

Useless services in CentOS VDS/VPS at

Turn off Unnecessary Windows Services at

Disable Unneeded Services in Windows at

Apache Server Hardening: Part One

In the next few articles, we will take a look at Apache server hardening. We will begin by considering OS vulnerabilities.

Apache Server Hardening: Patch the OS

Code deficiencies can exist in OSes and lead to OS and application vulnerabilities. Therefore, it is imperative that you fully patch newly deployed systems and remain current with all released functional and security patches. At regular intervals, review the published vulnerabilities at your OS manufacturer’s web site.

This table lists some popular OSes and their security sites:

Operating System Security Information Site
Oracle Solaris
Mac OS
RedHat Linux

Because Apache is so often run on various Unix, Linux, and BSD distributions, we include patching steps here so that you can confidently deploy your Apache web server on a well-hardened foundational OS, which will facilitate Apache server hardening. In general, however, each vendor provides a full suite of tools and information designed to help you remain current of their released software updates. Become familiar with each of your vendor’s OS patching methodologies and software tools. As the security administrator, you should reserve predetermined time periods for maintenance windows during episodes of low customer activity. However, the discovery of serious OS vulnerabilities could necessitate emergency downtime while patches are applied.

As with patching, all systems used to provide services such as HTTP and HTTPS to customers should be thoroughly hardened before they are placed in a production environment. Hardening includes many steps, such as the following:

  • Setting file permissions
  • Locking down accounts
  • Establishing proper OS security policies
  • Configuring host-based firewalls
  • Disabling vulnerable services

Now that we have a secure OS, it’s time to discuss how to properly and securely configure the Apache web server.

The Apache web server is a powerful application through which you can deliver critical business functionality to customers. With this power comes the possibility of misuse and attack. To ensure that your Apache server runs securely, we have compiled a series of steps for Apache server hardening. You might also want to read additional information or review other Apache security checklists before deploying your server. Excellent reference guides are the CIS Apache Benchmark document available from the Center for Internet Security and the NIST Apache Benchmark document available at

You should follow three general steps when securing the Apache web server:

  • Prepare the OS for Apache web server
  • Acquire, compile, and install the Apache web server software
  • Configure the httpd.conf file

We will cover all three of these crucial steps in future articles.

External Links:

13 Apache Web Server Security and Hardening Tips at

Apache 2.0 Hardening Guide

Apache Server Hardening & Security Guide at

NoMachine Client Installation and Configuration


Running the ps command on a computer running Xvnc.

In the previous article, we covered installation of the NoMachine server under Linux Mint. In this article, we will cover installing and running the NoMachine client under Windows.

First, we have to make sure that a VNC server (Xvnc) is running on the computer running the NoMachine server. This can be done by typing vncserver in a terminal window; the first time it is run it asks you to set the VNC password, which is stored in ~/.vnc. You can also specify several options. For example:

vncserver -geometry 800x600

would create a VNC desktop 800 pixels wide and 600 pixels high. The following command:

vncserver :1

would create a VNC desktop with display number 1 (omitting this parameter causes vncserver to use the next free display number). This command:

vncserver -depth 24

creates a VNC desktop with a pixel depth of 24 (true color); other permissible values are 8, 15 and 16. Consult the vncserver man page for other options.

Once you have started vncserver, you probably want to check to make sure it is running. To do so, you can type:

ps -eaf | grep Xvnc

If Xvnc is running, you should see a line similar to the one in the screenshot shown at the beginning of this article. The line also shows the display number. Xvnc accepts VNC connections on TCP port 5900 plus that number (5901 for :1), the classic VNC password check is a weak challenge-response, and the session itself is unencrypted unless both ends support a TLS extension, so if the display only needs to be reached from this machine (for instance through a tunnel), start it with the -localhost option so it binds only to the loopback interface.
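The check above can be scripted. The following is an added example, not part of the original article: it reads ps -eaf output and reports, for each Xvnc process, the display number, the TCP port that display listens on (5900 plus the display number, unless -rfbport overrides it) and whether the session was started with -localhost. It assumes the Xvnc command line has the TigerVNC/RealVNC form "Xvnc :N ...".

```shell
#!/bin/sh
# Added example (not part of the original article): summarise the Xvnc sessions
# found in `ps -eaf` output. For each one print the display number, the TCP
# port it listens on (5900 + display number, unless -rfbport overrides it) and
# whether it was started with -localhost. Assumes the TigerVNC/RealVNC style
# command line "Xvnc :N ...".

# Reads ps -eaf lines on stdin; prints "display port scope" per Xvnc process.
xvnc_sessions() {
    grep '[X]vnc' | while read -r line; do
        # The display is the first argument of the form ":N".
        disp=$(printf '%s\n' "$line" | tr ' ' '\n' | grep -E '^:[0-9]+$' | head -n 1)
        [ -n "$disp" ] || continue
        n=${disp#:}
        # -rfbport, if given, replaces the 5900+N convention.
        rfb=$(printf '%s\n' "$line" | sed -n 's/.* -rfbport \([0-9][0-9]*\).*/\1/p')
        port=${rfb:-$((5900 + n))}
        case " $line " in
            *" -localhost "*) scope=localhost ;;
            *)                scope=all-interfaces ;;
        esac
        echo "$disp $port $scope"
    done
}

# Live usage:  ps -eaf | xvnc_sessions
# Confirm the bind address with:  ss -tln | grep ':5901 '
```

A session reported as all-interfaces is reachable from any host that can route to the machine; follow up with ss -tln to confirm whether the port is bound to 0.0.0.0 or to 127.0.0.1.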

Downloading and Installing the NoMachine Client in Windows


The NoMachine setup wizard.

Now we need to install the NoMachine client in Windows. First, download the client from the NoMachine web site. Then run the NoMachine executable, either by selecting Run from the Start menu and selecting the executable, or by double-clicking the executable in Windows Explorer.

You will be presented with the NoMachine Setup Wizard dialog box. Click on “Next” to continue installation. The next dialog box contains the End-User License Agreement (EULA); if you agree with the terms, click on the “I accept the agreement” radio button and click “Next“. The next dialog box allows you to change the installation path; if you want to install the NoMachine client into a different directory, change it here and click “Next“. The software will install now. You may see dialog boxes which read “The software you are installing has not passed Windows Logo testing”; if so, click on “Continue Anyway” to continue. Once installation has completed, a dialog box will appear to inform you so; click on “Finish“.

From the Start menu, navigate to Programs -> NoMachine -> NoMachine to start the NoMachine client. If this is the first time you are running the program, the first window will show you how to use the program. Click on “Continue” to advance to the next screen.

If this is the first time you have run the NoMachine client, the next screen will be the “Create New Connection” wizard. Here you can enter the IP address of the computer to which you want to connect. Once you have set up the remote computer, double-click on it to connect to the computer.

After a few seconds, the NoMachine client will prompt you for login credentials. Enter your username and password; if you want NoMachine to save the password, check the “Save the password in the connection file” check box (bear in mind that anyone with access to that file can then log in as you). Once you are done, click “OK“. After another few seconds, you should be connected to the remote computer. If this is the first time you have run NoMachine, there will be two screens with instructions on how to use the interface. After that, you will see a screen that gives you the following choices: [1] Display the menu panel covering all screen (the default), or [2] Display the menu panel as a window. Choose the way you want the menu panel displayed and click “OK“.

The next screen controls the option for audio streaming. Audio is forwarded to the client, but you can control whether audio is played on the remote server. Check the “Mute audio on the server while I’m connected” to mute the audio, and click on “OK“. The next screen controls the option for display resolution. If the remote machine has a different resolution than the client, you can check the “Change the server resolution to match the client when I connect” check box to make sure the resolution matches. Click the “OK” button when you are done choosing this option.

Now you should be connected to the remote desktop. If you want to change the settings for the client, hover your mouse over the upper right corner; when the page-turning icon appears, click on it and the settings will appear. There are seven options here: “Input“, “Devices“, “Display“, “Audio“, “Mic in“, “Recording“, and “Connection“. Click the icon for the settings you want to change. You can now change settings; click on “Done” when you are finished and click “Done” again to exit out of the settings screen and return to the remote desktop.

External Links:

The official NoMachine web site

netfilter Operation: Part Eleven (Easy Firewall Generator and Firewall Builder)

Easy Firewall Generator in action.

Easy Firewall Generator

Easy Firewall Generator is not a GUI per se, but it does simplify your netfilter configuration and avoids the need to be familiar with iptables syntax. Using the generator's web page, you enter the relevant information and click the Generate Firewall button. As you select options, if additional information is needed, click the Generate Firewall button and the page refreshes with the additional input fields. When all of the required information has been entered, the page changes to a text page that can be copied and pasted into the file that iptables-restore reads as a saved configuration. In Fedora this is /etc/sysconfig/iptables, the file that service iptables save writes and that the iptables init script restores at boot. Although this method requires you to replace the default iptables configuration file used by your distribution, it is fairly painless, and it supports all of the same basic functionality as Firestarter. Review the generated text before installing it: it replaces your whole rule set, so check that the default policies and the rules for the ports you need are what you expect.

Firewall Builder

Firewall Builder is the most complete GUI offering for managing netfilter firewalls, with features and capabilities comparable to some commercial firewall products. As is almost always the case, this functionality comes at a price: as far as netfilter GUIs are concerned, Firewall Builder is not the easiest to configure and use. If you want or need its superior management capabilities, however, the extra effort is well worth it (see the External Links section for the download). Firewall Builder manages netfilter firewalls as well as ipfilter, OpenBSD PF and Cisco PIX firewalls, and runs on many popular operating systems, including Red Hat, Mandrake, SUSE, FreeBSD, Mac OS X and Windows XP/Vista/7/8.

Firewall Builder 5.1 on startup under Windows.

Firewall Builder operates differently from all of the GUIs covered so far. It uses an object-based approach: you must define an object to represent any entity that you want to use in the firewall rules, which in most cases means a source, a destination and a service port at a minimum. Both the configuration and the GUI bear a strong resemblance to those of the Check Point firewall GUI. Once the objects are defined, you drag and drop them into rules in order to permit or deny communications between them.

As of this writing, the current version of Firewall Builder is 5.1. Under Windows, navigate to Start -> Programs -> Firewall Builder 5.1 -> FWBuilder to open the main Firewall Builder window. Firewall Builder can also easily be installed under Linux. Under Linux Mint, I was able to install it with apt-get, like so:

sudo apt-get install fwbuilder

Once fwbuilder is installed, it can be accessed by clicking on the start menu, then navigating to Internet -> Firewall Builder, which will bring up the main Firewall Builder window.

In the next article, we will cover how to configure firewall rules in Firewall Builder.

External Links:

The official Firewall Builder website

Getting Started With Firewall Builder at

netfilter Operation: Part Five

Simulating the Windows Firewall

Now it’s time to configure the firewall. The built-in firewall on Windows XP/Vista/7/8 is enabled by default (on XP Service Pack 2 or better). The standard configuration is to allow outbound connections from the host system and deny inbound connections unless they are explicitly configured. The Windows firewall also allows any traffic that is a reply to traffic that the host originally generated. After you execute the iptables -F command to flush out all the previously configured rules, the following commands would configure the Linux host similarly:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

The --state match (provided by the state module, which on current kernels is a thin wrapper around -m conntrack --ctstate) consults the connection-tracking table. ESTABLISHED matches packets belonging to a connection that has already seen traffic in both directions, which is what lets the replies to the host's own outbound connections back in; RELATED matches packets that start a new connection but are associated with an existing one, such as an FTP data connection or an ICMP error message for an existing flow. Note that with a DROP policy on INPUT these three commands also block traffic on the loopback interface, so add a rule accepting input on lo unless nothing on the host talks to itself over the network stack. If you were hosting a service on this system, such as a web server, you would need to add an explicit rule to the INPUT chain for it. This configuration would afford any Linux system a minimum level of firewall security with virtually no impact on its overall functionality.

Simulating a Consumer-Grade Home Router

With the basics of iptables configuration out of the way, let’s consider a more practical example. For a typical firewall, there is very little traffic destined to or from the firewall itself. In general, the only traffic that would fit this profile would be administrative sessions to configure the firewall itself. The vast majority of a firewall’s traffic passes through the firewall, and is thus checked against the FORWARD chain. The following examples would configure the Linux firewall with the same access controls as a typical home network router such as a Linksys or Netgear router/firewall. This example assumes that the internal network is on interface eth0 and the external interface is eth1.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -p tcp -s <internal-network> -i eth0 --dport 80 -j ACCEPT
iptables -A FORWARD -s <internal-network> -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

One important element to always remember is that if you have configured the default policy for a chain to DROP (for example, iptables -P FORWARD DROP), you will need to include an explicit rule to permit the return traffic. This can be done by using the following command:

iptables -A <chain> -m state --state ESTABLISHED,RELATED -j ACCEPT

So if you wanted to permit the return traffic for a FORWARD chain, you would enter:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

Many hours have been spent troubleshooting Linux firewalls because the rule that permits the return traffic was overlooked.
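As an added example (not from the article), here is a small shell check that catches exactly that omission: it reads a ruleset in iptables-save syntax and reports every chain whose policy is DROP but which has no rule accepting ESTABLISHED,RELATED traffic. The two sample rulesets are constructed here from the Windows-firewall and home-router examples above, and the internal network 192.0.2.0/24 is a placeholder address.

```shell
#!/bin/sh
# Added example, not the article's own code. Lints an iptables-save style
# ruleset for DROP-policy chains that lack a return-traffic ACCEPT rule.

# Constructed sample: the home-router ruleset above, in iptables-save form.
# 192.0.2.0/24 stands in for the internal network (placeholder address).
GOOD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 192.0.2.0/24 -i eth0 -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Constructed sample: the same ruleset with the FORWARD return rule forgotten.
BAD_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 192.0.2.0/24 -i eth0 -o eth1 -j ACCEPT
COMMIT'

# check_return_rules: reads a ruleset on stdin. For every chain declared with
# a DROP policy (":NAME DROP [...]"), requires an ACCEPT rule matching
# ESTABLISHED,RELATED via either "-m state --state" or "-m conntrack
# --ctstate". Prints each offending chain and returns 1 if any was found.
check_return_rules() {
    rules=$(cat)
    status=0
    for chain in $(printf '%s\n' "$rules" | sed -n 's/^:\([A-Za-z0-9_-]*\) DROP .*/\1/p'); do
        if ! printf '%s\n' "$rules" | grep -Eq \
            "^-A $chain .*(--state|--ctstate) [A-Z,]*(ESTABLISHED,RELATED|RELATED,ESTABLISHED).*-j ACCEPT"; then
            echo "chain $chain: policy DROP but no ESTABLISHED,RELATED ACCEPT rule"
            status=1
        fi
    done
    return $status
}

# On a live system (as root) the same check runs over the active ruleset:
#   iptables-save | check_return_rules
```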

We will continue our look at netfilter firewall configuration in the next article.

External Links:

Simulating windows firewall with iptables at

pfSense VPN: Part Three (PPTP)


VPN PPTP configuration page in the pfSense GUI.

In the previous two articles on pfSense VPN, I covered how to configure a VPN tunnel using IPsec and also the L2TP and OpenVPN protocols. In this article, I will cover how to set up a VPN tunnel using PPTP.

pfSense VPN: PPTP

First, browse to VPN -> PPTP. You should be at the “Configuration” tab. You will see the following warning message:

PPTP is no longer considered a secure VPN technology because it relies upon MS-CHAPv2 which has been compromised. If you continue to use PPTP be aware that intercepted traffic can be decrypted by a third party, so it should be considered unencrypted. We advise migrating to another VPN type such as OpenVPN or IPsec.

Click on the “Enable PPTP server” radio button. At “No. PPTP users“, select the number of PPTP users. At “Server address“, enter an unused IP address. pfSense’s PPTP service will listen on this address. In the next box, enter the start of the “Remote address range” for clients that connect (it must be large enough for the number of users specified at “No. PPTP users“). Check the “Require 128-bit encryption” checkbox just above the “Save” button. Click on “Save” to save the configuration.


Users tab in the VPN PPTP setup in pfSense.

Now select the “Users” tab and hit the “plus” button to add a user. Specify a “Username” and “Password” and an “IP address” if you want the user to be assigned a specific IP address. Click on “Save” to save changes, and then click on “Apply changes” if necessary.

Now it is necessary to set up a firewall rule to allow PPTP VPN traffic. Browse to Firewall -> Rules. Select the “PPTP VPN” tab. At “Destination“, set it to “LAN subnet“. Set the “Destination port range” to “any“, and at “Description“, enter a description if desired. Then press “Save” to save the changes and press “Apply changes” if necessary.

Now, your pfSense router will be configured to use VPN with PPTP. Moreover, PPTP is natively supported by Windows, Linux and MacOS, so you should be able to easily connect to your VPN tunnel from any of those platforms.

© 2013 David Zientara. All rights reserved.