Category Archives: Security

How to configure IPFW on Snow Leopard

Snow Leopard’s default, GUI-based firewall is convenient, but not very configurable. You can block or allow certain applications, but you can’t filter at the port or host level, can’t NAT, and so on.

Fortunately, OS X 10.6 and earlier ships with IPFW (IPFIREWALL), a nice little packet filter that was part of FreeBSD for many years. By default it’s managed through text files and the command line. If you want a GUI for ipfw management, try WaterRoof (get it?). But here’s how you configure ipfw to run at boot on your Snow Leopard or earlier machine with just the tools Steve gave you.

Create the file /etc/ipfw.conf. This is where your filtering rules go, one ipfw command per line without the leading “ipfw” (for example “add 100 allow ip from any to any via lo0”). By default, ipfw has a single rule, number 65535, which allows all traffic (65535 allow ip from any to any). Rules are evaluated in numeric order and the first match wins, so your file should end with an explicit deny rule numbered below 65535, or everything that falls through will be allowed. If you’re configuring ipfw, you obviously want something more than the default. You can get information on how to write ipfw rules from the FreeBSD site.

Once you have created and saved your configuration, you need to tell the OS to run ipfw at boot. On a Mac, this is done through the use of a launch daemon, which is configured using an XML file.

Create the file /Library/LaunchDaemons/com.ipfw.plist and include the following text:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.ipfw</string>
<key>Program</key>
<string>/sbin/ipfw</string>
<key>ProgramArguments</key>
<array>
<string>/sbin/ipfw</string>
<string>/etc/ipfw.conf</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>

This tells launchd to run ipfw with the configuration file /etc/ipfw.conf at boot. (The Label is just a name for the job; it conventionally matches the file name minus “.plist”.)

Change ownership of the launch daemon file to root:admin and make sure it is not group- or world-writable:

sudo chown root:admin /Library/LaunchDaemons/com.ipfw.plist
sudo chmod 644 /Library/LaunchDaemons/com.ipfw.plist

This is necessary for the OS to run the daemon: launchd refuses to load a LaunchDaemon that is not owned by root or that others can write to (it logs “Dubious ownership” or “Dubious permissions” and skips the file). You can check that the plist parses with sudo plutil -lint /Library/LaunchDaemons/com.ipfw.plist.

And finally, load your rules right now, instead of waiting for the next reboot:

sudo /sbin/ipfw /etc/ipfw.conf

You can check what rules are loaded at any time using sudo ipfw list, and you can clear all rules using sudo ipfw flush (add -q to skip the confirmation prompt). Keep in mind that flush leaves only the default 65535 allow rule, so the machine is wide open until you load your rules again.
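The whole procedure above, as an added example that is not code from the original post: a small stateless ruleset for a workstation (allow loopback, allow replies to connections this host opened, allow SSH only from the LAN, drop and log everything else inbound), plus the checks a careful admin runs before loading it. The LAN prefix 192.168.1.0/24 and SSH on port 22 are assumptions; adjust them for your network.

```shell
#!/bin/sh
# Added example, not from the original post. Generates /etc/ipfw.conf in the
# format "ipfw <file>" expects (one ipfw command per line, no "ipfw" prefix),
# then installs and loads it. LAN and SSH_PORT are assumptions.
set -e

LAN=${LAN:-192.168.1.0/24}      # assumption: the trusted LAN
SSH_PORT=${SSH_PORT:-22}        # assumption: where sshd listens
CONF=${CONF:-/etc/ipfw.conf}
PLIST=${PLIST:-/Library/LaunchDaemons/com.ipfw.plist}

# ipfw_ruleset: print the rules. ipfw evaluates them in numeric order and the
# first match wins, so the catch-all deny goes last (but below 65535).
ipfw_ruleset() {
    cat <<EOF
# loopback is always fine; anything else claiming to be 127/8 is spoofed
add 100 allow ip from any to any via lo0
add 200 deny log ip from any to 127.0.0.0/8
add 300 deny log ip from 127.0.0.0/8 to any
# packets belonging to TCP connections that are already established
add 1000 allow tcp from any to any established
# let this host open outbound TCP connections and send UDP
add 1100 allow tcp from any to any out setup
add 1200 allow udp from any to any out
# stateless replies we expect back: DNS, NTP, DHCP
add 1300 allow udp from any 53 to me in
add 1310 allow udp from any 123 to me in
add 1320 allow udp from any 67 to any 68 in
# inbound services: SSH, and only from the LAN
add 2000 allow tcp from $LAN to me dst-port $SSH_PORT in setup
# keep ping and path-MTU discovery working
add 2100 allow icmp from any to any icmptypes 0,3,8,11
# everything else arriving from the network is dropped and logged
add 65000 deny log ip from any to any in
EOF
}

# install_ruleset: write the file and load it. Run as root on the Mac.
install_ruleset() {
    ipfw_ruleset > "$CONF"
    chown root:wheel "$CONF"
    chmod 644 "$CONF"
    # launchd skips a plist that does not parse, is not root-owned, or is
    # group/world writable (root:admin with mode 644 also satisfies it)
    plutil -lint "$PLIST"
    chown root:wheel "$PLIST"
    chmod 644 "$PLIST"
    # the "deny log" rules only log when verbose is on (entries go to syslog)
    sysctl -w net.inet.ip.fw.verbose=1
    # flush without the confirmation prompt, then load the new set
    ipfw -q flush
    ipfw -q "$CONF"
    # register the job so the same file is loaded at boot, and show the result
    launchctl load -w "$PLIST"
    ipfw list
}
```

Run install_ruleset from a root shell (sudo -s) after creating the plist from the post; ipfw_ruleset on its own just prints the rules so you can review them first. Because the set is stateless, UDP replies are admitted by source port only; if you need tighter UDP handling, look at keep-state and check-state in the ipfw manual.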


APG (Automated Password Generator) runs slow on CentOS

I use apg to generate random passwords all the time. On a new VPN server I built, apg was taking a long time to generate a password; I traced it back to “not enough entropy”.

You can see how much entropy you have with this command:

cat /proc/sys/kernel/random/entropy_avail

It should be at least in the hundreds (the pool holds up to 4096 bits). If it’s not, you can use rng-tools to help you out:

sudo yum install rng-tools
echo "rngd -r /dev/urandom -o /dev/random -t 3" >> /etc/rc.local
rngd -r /dev/urandom -o /dev/random -t 3

Don’t add -f to the rc.local line: -f keeps rngd in the foreground, which would stop rc.local from ever finishing at boot. One caveat: pointing rngd at /dev/urandom only re-credits the kernel’s own PRNG output as fresh entropy, so it stops /dev/random from blocking but adds no real randomness. On a VPN server that generates keys, prefer a real hardware source (for example /dev/hwrng, or virtio-rng in a VM) as the -r device.

that should generate enough entropy and you can go back to doing some real work :)
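The entropy check and the rngd setup above, as an added example that is not from the original post: a small sh script that reads the pool size, warns when it is below a floor, and only hands rngd a real hardware RNG device instead of /dev/urandom. The 1000-bit floor and the device paths it probes are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the kernel entropy pool
# and picks a hardware source for rngd. MIN_ENTROPY and the candidate
# device paths are assumptions.

ENTROPY_FILE=${ENTROPY_FILE:-/proc/sys/kernel/random/entropy_avail}
MIN_ENTROPY=${MIN_ENTROPY:-1000}   # assumption: comfortable floor (pool max 4096)

# entropy_low FILE MIN: print the current pool size; succeed (0) if below MIN
entropy_low() {
    avail=$(cat "$1" 2>/dev/null || echo 0)
    printf '%s\n' "$avail"
    [ "$avail" -lt "$2" ]
}

# pick_rng_source DEV...: print the first readable character device in the
# list, or "none". /dev/urandom is deliberately not a candidate: feeding it
# back into /dev/random tells the kernel it has entropy it never received.
pick_rng_source() {
    for dev in "$@"; do
        if [ -c "$dev" ] && [ -r "$dev" ]; then
            printf '%s\n' "$dev"
            return 0
        fi
    done
    printf 'none\n'
    return 1
}

# rngd_cmdline DEV: the rngd invocation for DEV. No -f here: from rc.local
# rngd must daemonize, or the boot sequence waits on it forever.
rngd_cmdline() {
    printf 'rngd -r %s -o /dev/random -t 3\n' "$1"
}

# report: what to run on the VPN server when apg is slow
report() {
    avail=$(entropy_low "$ENTROPY_FILE" "$MIN_ENTROPY") && low=1 || low=0
    echo "entropy_avail=$avail (floor $MIN_ENTROPY)"
    if [ "$low" -eq 0 ]; then
        echo "pool is fine; apg slowness is not an entropy problem"
        return 0
    fi
    dev=$(pick_rng_source /dev/hwrng /dev/hw_random) || {
        echo "no hardware RNG found: attach virtio-rng to the VM or use haveged"
        return 1
    }
    echo "run and add to /etc/rc.local: $(rngd_cmdline "$dev")"
}
```

Call report on the server; it prints the rngd line only when a hardware device exists, which is the check the original one-liner skips.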

Mac – Change default umask in Snow Leopard

echo "umask 002" | sudo tee -a /etc/launchd-user.conf

reboot

(A plain “sudo echo ... >> /etc/launchd-user.conf” fails because the redirection runs as your user, not root; piping through sudo tee fixes that.) Note that 002 loosens the default: new files become group-writable. If you are changing the umask for security reasons rather than for shared group folders, 022 or 027 is the direction to go.

Read more about it here: apple kb

Show pre-shared-key on ASA

This command will show you the pre-shared key configured on your ASA. “show running-config” masks pre-shared keys with asterisks; “more system:running-config” prints them in clear text (“be” is short for “begin”, so the output starts at the tunnel-group for the peer’s address):

more system:running-config | begin tunnel-group ip.add.re.ss

configure privilege access levels on cisco asa

There are 4 steps involved in this:
1. Enable command authorization (LOCAL in this case means the command authorization configuration is kept on the firewall itself):

aaa authorization command LOCAL

2. Define the commands you want available at a given level. For example, these two lines let a user at privilege level 5 view and clear crypto tunnels (the show and clear forms are assigned separately):

privilege show level 5 command crypto
privilege clear level 5 command crypto

3. Create a user and assign the privilege level to her/him:

username userName password userPass privilege 5

4. Create an enable password for the new privilege level:

enable password enablePass level 5

Now when the user logs in, she/he can type:

enable 5

enter the password from step 4, and they will be able to run the crypto commands above (and nothing else from the level-5 set until you add more privilege lines).

Here’s a link to the Cisco KB.