LinuxQuestions.org > Blogs > Musings on technology, philosophy, and life in the corporate world

Hi. I'm a Unix Administrator, mathematics enthusiast, and amateur philosopher. This is where I rant about that which upsets me, laugh about that which amuses me, and jabber about that which holds my interest most: Unix.
  1. Old Comment

    Layer 7 filtering with relayd

    Quote:
    Originally Posted by rocket357
    Here's my network layout:

    Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

    Each of the Windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

    Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)
    Ahhh, ok, gotcha! Thank you for explaining that. If you would, please report back later and let us know how it goes.

    Regards...
    Posted 04-01-2016 at 08:33 PM by ardvark71
    Updated 04-01-2016 at 08:34 PM by ardvark71 (Added wordage.)
  2. Old Comment

    Layer 7 filtering with relayd

    Here's my network layout:

    Internet <- Cable Modem <- OpenBSD Firewall <- Cisco 3560 <- Daughter's Machine

    Each of the Windows machines on my network is split (via vlans on the 3560 and firewall) into its own /29 (i.e. each one only has access to the IP space of the firewall (which has several IPs across several vlans) and the IP space of my Cisco 2801 (used just for IPSec and BGP)). In short, internet access is via the OpenBSD firewall, and the vlans are denied access to each other, and then the 2801 allows access to private VPCs at Amazon. The Windows machines are not allowed to access anything else on the network (oh, we do have a network attached printer...that traffic is allowed).

    Ok, the relayd instance runs on the OpenBSD firewall, so each Windows vlan has port 80 and port 443 traffic re-routed to relayd, which checks URLs against a whitelist and sends back an http 403 (access denied) for anything not on the whitelist. It goes without saying that my daughter does not have access to the firewall configuration =)

    I originally had each Windows machine on its own /30 (i.e. 4 addresses: network, gateway, host, and broadcast), but then I wanted to add the 2801 without tons of traffic logic on the firewall, so I remapped that portion of the network to be /29's (8 addresses: network, gateway, 2801, host, 3x unused, and broadcast), which gives me room for expansion later, should I choose to do so.

    Really, all relayd does here is TLS validation and checking URLs against a whitelist, which is something I've been meaning to add for a while now.
    Posted 04-01-2016 at 04:36 PM by rocket357
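A worked configuration for the setup rocket357 describes above (a Windows VLAN's web traffic redirected into relayd on the OpenBSD firewall, whitelist-only, HTTP 403 for everything else). This is an added example, not the author's own relayd.conf or pf.conf: the VLAN interface name, the loopback port, the whitelist path and its entries are assumptions, and the rule syntax follows relayd.conf(5) and pf.conf(5) as of the OpenBSD 5.7 relay rewrite, so check both man pages on your release. It covers port 80 only; see the note below on 443.

```conf
# --- /etc/pf.conf fragment (assumed interface name) ---
# Divert the daughter's VLAN's outbound HTTP into relayd on the firewall itself.
# divert-to keeps the original destination, which relayd needs for "forward to destination".
kid_if = "vlan10"
pass in quick on $kid_if inet proto tcp from ($kid_if:network) to any port 80 \
    divert-to 127.0.0.1 port 8080

# --- /etc/relayd.conf (assumed whitelist path) ---
# /etc/relayd/whitelist.txt holds one entry per line, host or host/path prefix, e.g.
#   school.example.edu
#   www.example.org/learning
# (assumed contents; confirm the url matching forms in relayd.conf(5))
http protocol "whitelist" {
	# Answer blocked requests with an HTTP error page (403 Forbidden)
	# instead of silently dropping the connection.
	return error
	# Default: block everything ...
	block
	# ... except URLs listed in the whitelist file (last matching rule wins).
	pass request url file "/etc/relayd/whitelist.txt"
}

relay "kidproxy" {
	listen on 127.0.0.1 port 8080
	protocol "whitelist"
	# Hand allowed requests on to the destination pf diverted them from.
	forward to destination
}
```

Check both files before loading them: `pfctl -nf /etc/pf.conf` and `relayd -n -f /etc/relayd.conf` parse without applying. From a machine on the VLAN, a request to a host not in the file should come back as `403 Forbidden`, and a whitelisted one should reach its server; confirm the second case too, since a typo in the whitelist file shows up as a 403 rather than a parse error. Port 443 is a separate problem: relayd cannot see a URL inside TLS unless it terminates the session, which means its TLS inspection (the `ca cert`/`ca key` options in the protocol's `tls` block) plus a client that trusts that CA; the author's "TLS validation" presumably covers this, but it is not shown here.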
  3. Old Comment

    Layer 7 filtering with relayd

    Quote:
    Originally Posted by rocket357
    One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network.
    Hi...

    Out of curiosity, what is that upstream point? A particular server? I'm guessing a part of your goal is to keep any kind of ability to make settings adjustments (or file changes) away from your daughter's system. But if the file (or code) you mentioned (in your first post) is on her system, how do you keep her from making changes to it? Please bear with me, my understanding of networking is very poor. I'm mostly a hardware guy.

    I have very little understanding of what's being said but I found some sites that deal with the relayd and layer 7, although they're not directly related to what you're doing...

    http://bsd.plumbing/

    http://www.slideshare.net/GiovanniBe...er-for-openbsd

    https://calomel.org/relayd.html

    http://www.mouedine.net/relayd/

    Regards...
    Posted 04-01-2016 at 04:09 PM by ardvark71
    Updated 04-01-2016 at 04:10 PM by ardvark71 (Correction.)
  4. Old Comment

    Layer 7 filtering with relayd

    Hiya ardvark!

    One of my goals was to have the filtering take place upstream of the client machine. Obviously that wouldn't work in your case, as the machine itself served as the shared point, but in my case I have a bit of flexibility to provide services (and deny services) on my network. I attempted to go with a blacklist config at first, putting around 14k known malware-distributing URLs in the blacklist file, but my hardware just wasn't fast enough for that amount of scanning. The whitelist group is currently ~100 entries, so that is considerably faster =)

    I had a few hiccups with getting blackboard's collaborate suite working with the whitelist, but that ended up being operator error (typo in the whitelist, doh!). Now that all of the school stuff is perfectly operational, I'll be adding in time-slots for games/social stuff.

    One thing I've been pondering is how to solve the issue of a problem on a whitelisted site, such as when yahoo ads was distributing malware some years back. I haven't decided on an approach for that yet.
    Posted 04-01-2016 at 12:32 PM by rocket357
  5. Old Comment

    Layer 7 filtering with relayd

    Hey, my man!

    Even though what you're describing is a bit "out of my league," it reminds me of the system I use as a public access station (running Windows XP) for the residents where I live.

    I use K9 Web Protection and a Firefox add-on that I can't remember the name of to handle the content filtering on the PC, to keep out pornography and other undesirable content. I also use a utility to keep the desktop locked down pretty tight, plus I've disabled CMD, safe mode and the ability to "restore" the OS. All residents use the limited users account that has no administrative privileges.

    Unfortunately, last summer, I had someone who wanted to access this kind of content so badly that he/she:

    1. Tried to access/change my password for K9. I've since removed access to K9's administrative settings (which can only be accessed by using my password) in the residents account. I got a notice in my email that an attempt had been made to change the password, which was blocked.

    2. Reinstalled Firefox by accessing Firefox's safe mode. However, this ultimately failed since it didn't affect K9 or the restrictions I set. But I still had to spend some time getting all the individual settings back that I had in place.

    3. Spent some time trying to find the loopholes around K9's restrictions, and they were able to find one that took me a little bit to figure out how they were doing it. There's a setting in K9 that deals with blocking sites or sections of sites that exclusively contain only images (I forgot what the technical term is.) Once I checked the box to block those sites, problem solved.

    By that time, the problem was resolved because I had a little talk with the person who was a suspect and all attempts to access the content ceased after that day.

    For a while, though, it really felt like a "cat and mouse" game but one thing I gained from the experience was how to more effectively use content filters and what to look out for.

    Regards...
    Posted 03-31-2016 at 09:05 PM by ardvark71
  6. Old Comment
    Posted 01-17-2016 at 06:56 AM by Habitual
  7. Old Comment

    Hard-earned lessons

    I bet her backyard is literally viewed like an oasis out there for all the wildlife =)

    And yes, water in the desert is worth more than its weight in gold.
    Posted 12-12-2015 at 12:53 PM by rocket357
  8. Old Comment

    Hard-earned lessons

    My Mom also feeds the families of Quail, Cotton Tail Rabbits, and Road Runners, and Coyotes cruise through also. She has a veritable Noah's Ark going on in a major subdivision in a major city like Phoenix, Arizona.

    http://www.city-data.com/forum/phoen...ity-grand.html

    That is why I like living in the heat and the Wild West. During the day and after dark. Just park a chair and look out the back patio bay window on her back room sun porch.

    There is a scheduled parade every day.

    Edit: I forgot to mention. A tub of water in the back yard in the desert is like candy to local wild life. Even bees.
    Posted 12-11-2015 at 10:28 AM by rokytnji
    Updated 12-11-2015 at 10:30 AM by rokytnji
  9. Old Comment

    Hard-earned lessons

    That's pretty...odd, rokytnji, but cool. Personally I think humans are considerably more "invasive" of a species, but at least the "conflict" between animal control and animal rights is mildly entertaining.

    Feral parrots. I'd have never guessed.
    Posted 12-11-2015 at 09:43 AM by rocket357
  10. Old Comment

    Hard-earned lessons

    Only thing I was told about birds was by my younger brother who is a bird and cat person.

    "They have a 4 year old mind set".

    His cat and parrot are best friends. No strife with his pets.

    In Sun City, AZ, in my mom's back yard, a flock of parrots settle and feed because she feeds them. I guess they are former pets turned feral. They show up like pigeons.

    http://www.damnedct.com/monk-parakeets

    I guess she is not the only one that has feral parrots in a neighborhood.
    Posted 12-11-2015 at 08:18 AM by rokytnji
  11. Old Comment

    Hard-earned lessons

    I don't know, vmccord. I hope so, because they're all really beautiful birds, but we'll have to see on that.
    Posted 12-07-2015 at 04:03 PM by rocket357
  12. Old Comment

    Hard-earned lessons

    Will the mix create eggs?
    Posted 12-07-2015 at 09:17 AM by vmccord
  13. Old Comment

    Hard-earned lessons

    Quote:
    Originally Posted by frankbell
    I've been tempted from time-to-time to get another cockatiel, if only because it would drive the cats mad.
    Our cats are indoor-only cats (and have been since we lived next to these weirdos who liked to steal cats). On a side note, I'm not entirely certain what causes a human to think it OK to literally steal another person's pet, unless they simply feel they are better cut out for taking care of animals like some sort of pompous jerk? I digress.

    Our cats love watching birds at the windows, so I'm a bit leery of letting them in the room with the parakeets until we get a better bird cage (I sorely wish ebay had prime shipping haha).
    Posted 12-06-2015 at 11:14 AM by rocket357
  14. Old Comment

    Hard-earned lessons

    I had a cockatiel once. He was quite well-behaved and a lot of fun. We eventually gave him away to one of my now-ex-wife's co-workers who lived alone.

    During that time I was at my local supermarket and met a fellow who had a cockatiel on his shoulder all pirate like. Turns out that, to keep it on his shoulder, he had clipped the wings (which do grow back, by the way).

    I've been tempted from time-to-time to get another cockatiel, if only because it would drive the cats mad.
    Posted 12-05-2015 at 09:37 PM by frankbell
    Updated 12-05-2015 at 09:39 PM by frankbell
  15. Old Comment

    ATX Bench power supply build

    It's ALIIIIIIIIIIIIIIIIIIIIIIIVEEEEEE!!!!!!!!!!!!

    And the short-circuit protection works like a *charm* (don't ask, just...don't ask).
    Posted 08-14-2015 at 01:17 PM by rocket357
  16. Old Comment

    Soldering Station...check!

    Yeah, I enjoy it more as a hobby than I did when it was work.
    Posted 07-29-2015 at 09:28 AM by brianL
  17. Old Comment

    The Celebrity Life of a Blogger

    Obnoxious attitudes always come with the territory, because of my looks and lifestyle. Funniest thing is to see a short man's disease mentality, trying to look down on me, while craning his neck to look up at me.

    I saw some of that at a posh restaurant my youngest boy treated us to. He is a metro yuppie type. Does very well in life. Better than I. We blew their minds when the valet service pulled up in his cherry 1962 Cadillac 2 door lowrider. Probably making some assumptions go up in smoke.

    I know all the young girls on a Friday night at the bar started gazing like they wanted to go for a ride with us. But we had my 2 year old grand daughter and my wife as dates already.

    On your original post. I see a lot of human beings of this and earlier generation in certain environments with a sense of entitlement. In a stressful situation or environment, they will be the 1st to fall by the wayside with the "but what about me!!!!" mindset.

    I withdrew from the world by raising my boys on the Mexican border and putting them in a school in the country in a small town instead of an inner city high school. I raised them to be independent and to be self-assured in their skill set as a human being. Nothing given freely without effort given 1st.

    Seems my system bore good fruit.

    My boy used the same system when buying his house in Austin. Picking a neighborhood figuring in where his daughter will go to school and how the neighborhood kids are also. I have no worries about my offspring surviving in the world to come. My granddaughter is part Cossack and Filipino. With blond hair.

    She is gonna be a heart breaker. And we all know. Women run things though we guys like to think we do.
    Posted 07-29-2015 at 08:55 AM by rokytnji
  18. Old Comment

    Soldering Station...check!

    I "learned" to solder at a very young age by watching my Dad repair electronics and build various things. I remember very vividly him building an electric motor when I was around 6 years old...he took it outside to the car and hooked it up to the battery of the car. I can still hear the sparking and whizzing sound it made when it sprung to life.

    No professional soldering here, just hobby stuff...but it's still fun all the same.
    Posted 07-29-2015 at 07:57 AM by rocket357
  19. Old Comment

    Soldering Station...check!

    I've been doing quite a bit of soldering over the last couple of years. All through-hole stuff, mostly add-ons in kit form for my Raspberry Pis. I first learned how to solder as an apprentice (electrical) instrument maker, many decades ago. Bigger stuff then than now, but the same techniques apply. I haven't got a variable temperature soldering-station, just an Antec 25W iron.
    Posted 07-29-2015 at 07:39 AM by brianL
  20. Old Comment

    The Celebrity Life of a Blogger

    Ahh, Austin. The part of Texas that isn't like...Texas. Austin is a fun and dare I say "hip" place, but it was a bit much for my liking. You may thoroughly enjoy it if you do move there, but I found the prevailing attitudes a bit obnoxious.

    After living in Seattle this long, I suspect that my return to visit family in Texas is going to feel something like being placed in a kryptonite box. I hope not, but that is only hope.
    Posted 07-29-2015 at 01:01 AM by rocket357