Saturday, December 30, 2006

My Experiences with DD-WRT

I was reading today that DD-WRT (the free firmware that originally ran on Linksys's WRT54G router) is now available for x86 machines so I thought that I would give it a try. For more information on DD-WRT please see: DD-WRT on a standard X86 pc, and DD-WRT.com.

Installing DD-WRT

To install DD-WRT from Windows please see: DD-WRT on a standard X86 pc.
To install DD-WRT from a UNIX-like system you will need: An x86 compatible pc (i386) or greater with at least 16MB of RAM, 2 network cards, and a hard drive. Also you need to download this image: dd-wrt_public_vga.

To install DD-WRT you need a way of writing the image onto the hard drive you are going to use. I decided to use a LiveCD and dd(1) the image off the usb key. So after downloading the image I placed it on a usb key.

I booted my chosen LiveCD: TrueBSD. Then I inserted my usb key, made a directory in /mnt and mounted the usb key:
# mkdir /mnt/usb
# mount -t msdos /dev/da0s1 /mnt/usb


I changed directory into /mnt/usb, and wrote the dd-wrt image to the hard drive:
# cd /mnt/usb
# dd if=dd-wrt_public_vga.image of=/dev/ad0
22528+0 records in
22528+0 records out
11534336 bytes transferred in 40.308342 secs (286153 bytes/sec)


Then I unmounted the usb key and rebooted, taking out the livecd.
# cd /
# umount /mnt/usb
# shutdown -r now
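The dd(1) step above writes the image to a raw disk with nothing confirming that the write was complete or that the right device was hit; a mismatch only shows up as a boot that fails in confusing ways. The following is an added example, not a command from the original post: it wraps the write in a function that reads the written bytes back and compares them with the image before the reboot. IMAGE and TARGET are hypothetical paths (the post used dd-wrt_public_vga.image and /dev/ad0).

```shell
#!/bin/sh
# Added example, not from the original post: write a firmware image with
# dd(1), then read the written prefix back and compare it with the image so
# a short write or a wrong target device is noticed before rebooting.
# IMAGE and TARGET are hypothetical paths.

# verify_written IMAGE TARGET
# Returns 0 when the first $(wc -c < IMAGE) bytes of TARGET equal IMAGE.
# A disk is normally larger than the image, so only that prefix is compared.
verify_written() {
    image=$1
    target=$2
    size=$(wc -c < "$image" | tr -d ' ')
    if head -c "$size" "$target" | cmp -s - "$image"; then
        echo "verified $size bytes on $target"
        return 0
    fi
    echo "MISMATCH: $target does not contain $image" >&2
    return 1
}

# write_and_verify IMAGE TARGET
# dd the image in 1 MiB blocks, flush buffers, then verify the write.
# Returns non-zero on any failure so a caller can refuse to reboot.
write_and_verify() {
    image=$1
    target=$2
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }
    # bs=1024k uses the POSIX k suffix, which both GNU and BSD dd accept
    dd if="$image" of="$target" bs=1024k 2>/dev/null || return 3
    sync
    verify_written "$image" "$target"
}
```

Run as root with the real device as TARGET (`write_and_verify dd-wrt_public_vga.image /dev/ad0`); only reboot when it reports the verified byte count. Note that the check is against the image file, so it catches write errors and wrong targets, not a corrupted download; compare the download against the checksum the distributor publishes before writing it.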


My Impressions

Well this was a disaster for me. I don't know how you will go, but after a couple of hours of total frustration I wiped the hard drive. The errors produced were amazing, varied, and did not stop. No matter how many different things I tried I could not get to the stage of accessing the web front end. For a while I couldn't even get a login prompt. After searching for answers and solutions I felt totally disheartened. I don't very often give up on things, yet this was beyond me. I just could not get this to run. Maybe it was just my hardware?
I hope that others have more luck than I had! Yet I don't think I'll bother with DD-WRT. Too much work for no reward.

Wednesday, December 27, 2006

GeekyBits: A Fresh Look

I have been playing around with the new Template features of Blogger today. I have had heaps of fun playing with colors and labels and so forth. I hope you like Geeky Bits³ new look. I think I am happy with it. If anyone has any suggestions please let me know.

Also today I have been searching for a new domain, gee there are so many domain squatters out there, it is ridiculous. I can't afford to eat more than once a day how am I supposed to afford to purchase a domain name? Oh well I guess I'll have to keep searching for something.
If you are looking for domains check out: PCNames Domain Search, it is "a free site dedicated to developing the most advanced tools for finding domains." It is very good.

Sunday, December 24, 2006

SPAM

I just finished reading this post from Slashdot: Spam Volume Jumps 35% In November. This is ridiculous, it's clogging up the bowels. So if there are around 1 billion people online (with e-mail accounts) and we are hitting averages of 85 billion spam messages a day, that would mean that each person is averaging 85 e-mails a day. Imagine getting that many telemarketing phone calls, or catalogs in the mailbox. Wow!

After this thought I had to revisit the Monty Python sketch "Spam" and I thought that I would share it with you all.

Testing Web Browsers

In my adventures in networking I was testing a couple of things, and discovered that firefox 2 has a bad memory leak on my system. On the 19th Dec there was a new release which had many security fixes: release notes. I have decided instead of updating to 2.0.0.1 that I would try out a couple of other browsers.

Opera 9.10
First I decided to try Opera, recently there was a new release and I have heard many great things about it. Eager to try it for myself I went to the Opera Download site and selected the Ubuntu 6.10 Edgy Eft Package and downloaded it. Once it was downloaded I clicked on the .deb file and gdebi package installer opened, I clicked 'install package' and the next thing you know I had Opera 9.10 on my system.
It took a bit of fiddling around to configure it; there are many more settings and things to play with in this browser. I have to admit that I thought that some of the settings were a little over the top, and were unneeded. I loved the fact that I could change the style view so much. This is something that I have always loved about Opera. It is often handy to view a page without images and other distractions, especially when reading information. New features in Opera 9 are:

  • Add your favourite search engines
  • Bit-Torrent
  • Content blocker
  • Fraud protection
  • Improved rich text editing
  • Site preferences
  • Thumbnail preview
  • Widgets
More detail and info on other Features can be found here: Opera Browser Features
My Impressions: Overall, although I like many of the features in Opera, I still am not happy with the performance or user experience of Opera. Granted it is very different from Firefox and Mozilla, and therefore will take a bit of getting used to. Yet I still do not feel that I could use it all of the time. The text is often hard to read, and jagged. Loading times are slow, and it feels heavy (I know this sounds strange yet I am sure that most of you know what I mean.) To be honest; at the end of the day I would prefer to use an Open Source browser.

Epiphany, the GNOME Web Browser
Next I tried Epiphany, I really like this little browser. It is very simple and easy to use, its speed amazes me. There are not many settings, and nowhere near the extensions and other tools as in other browsers. Yet this browser is no more than what it says it is. It is a browser, and it does this really well. Epiphany is powered by the Gecko engine, which also powers Firefox. Epiphany is very uncomplicated and really gives you the web experience without all the mess. I am sure that I will continue to use this browser, even if it is only for fast searching, and a pure http experience.

So far these are the only two browsers I have tried. I am unsure what browsers to try next, if anyone has any suggestions please let me know.

Monday, December 18, 2006

Quintura Search, a new way to find what you are looking for.

I have been on the hunt for a new search engine, for the past couple of months. I am not happy with the results of my searches, and I am finding myself resorting to Deep Web searches and other means to find information.

Introducing Quintura
Today I believe that I may have found an answer to my problem: Quintura search. This is a visual search engine, using a cloud visualisation you can navigate and refine your search. So far I am really impressed. Results load in the background while you search, and you can see the results of refining your search without actually doing so.
The results are not only relational, they also are very helpful, I have found some excellent information. I believe that this type of search could help people to search more effectively, finding answers to their questions, and therefore making more information available to more people.

If you are interested there is a tour here: Quintura tour
Or just try a search for yourself: Quintura search
*Note check the hints page, to make Quintura work better for you.

Have fun and happy surfing.

Saturday, December 16, 2006

OpenBSD LiveCD Firewall

Over the past couple of weeks all of my research and experimentation has been leading towards a project. I have been learning how to create my own livecd firewall. Currently I am preparing an environment to create this livecd in.

First I installed a basic version of OpenBSD 4.0. Then I downloaded the source code using cvsup:
# export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/4.0/packages/i386/
# pkg_add -v cvsup-16.1h-no_x11.tgz
# vi /root/.configs/cvsup-file

added:

# Defaults that apply to all the collections
*default release=cvs
*default delete use-rel-suffix
*default umask=002
*default host=cvsup.jp.OpenBSD.org
*default base=/usr
*default prefix=/usr
*default tag=OPENBSD_4_0
# If your network link is a T1 or faster, comment out the following line.
*default compress
#OpenBSD-ports
#OpenBSD-all
OpenBSD-src
#OpenBSD-www
#OpenBSD-x11
#OpenBSD-xf4
# cvsup -g -L 2 cvsup-file

Once I had done that I made a partition in which to build the livecd. First I edited the disklabel, then formatted the new partition:
# disklabel -e wd0
# newfs /dev/wd0h


Now create the directory to mount on the new partition:
# mkdir /bootcd
then edited /etc/fstab so that the partition would be mounted at boot time:
# vi /etc/fstab
added:
/dev/wd0h /bootcd ffs rw 1 2
then rebooted

Once the system had rebooted and everything was OK I changed into /bootcd, downloaded base40.tgz and etc40.tgz and unpacked them there (-z for the gzip-compressed sets, -p to preserve ownership and modes):
# cd /bootcd
# tar -xzphf base40.tgz
# tar -xzphf etc40.tgz


At the moment I am waiting for my new kernel to compile with my needed options:
# cd /usr/src/sys/arch/i386/conf/
# cp RAMDISK_CD BOOTCD
# vi BOOTCD

commented out this line:
#config bsd root on rd0a swap on rd0b and wd0b and sd0b
added this line:
config bsd root on cd0a
# config BOOTCD
# cd ../compile/BOOTCD/
# make clean && make depend && make
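The sets unpacked into /bootcd become the root file system of the firewall, so it is worth confirming they are the files the project published before extracting them. The following is an added example, not part of the original post: a small script that checks each set against a SHA256 list in the format sha256(1) prints on OpenBSD (`SHA256 (name) = hex`) and only then extracts it. The file names are the ones from the post; the list path and digests are assumed, and the script uses whichever of sha256sum or sha256 the host has.

```shell
#!/bin/sh
# Added example, not from the original post: verify OpenBSD sets against a
# SHA256 list before unpacking them into the livecd root. The list format
# assumed is the one sha256(1) prints: SHA256 (name) = hex. No real digests
# appear here; the caller supplies the list.

# sha256_of FILE -> hex digest on stdout, using whatever tool is present
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no sha256 tool found" >&2
        return 2
    fi
}

# expected_digest LIST NAME -> hex from the "SHA256 (NAME) = hex" line
expected_digest() {
    sed -n "s/^SHA256 ($2) = \([0-9a-f]*\)$/\1/p" "$1"
}

# verify_set LIST FILE: 0 if FILE's digest matches its entry in LIST,
# 1 on mismatch, 2 when the set is not listed at all
verify_set() {
    list=$1
    file=$2
    name=$(basename "$file")
    want=$(expected_digest "$list" "$name")
    [ -n "$want" ] || { echo "$name: no entry in $list" >&2; return 2; }
    have=$(sha256_of "$file") || return 2
    if [ "$have" = "$want" ]; then
        echo "$name: OK"
        return 0
    fi
    echo "$name: MISMATCH, refusing to unpack" >&2
    return 1
}

# unpack_sets LIST DIR FILE...: verify every set first, then extract all of
# them into DIR; nothing is extracted if any set fails the check
unpack_sets() {
    list=$1
    dir=$2
    shift 2
    for f in "$@"; do
        verify_set "$list" "$f" || return 1
    done
    for f in "$@"; do
        tar -xzpf "$f" -C "$dir" || return 1
    done
}

# Usage for the post's setup, with /bootcd/SHA256 as an assumed list path:
# unpack_sets /bootcd/SHA256 /bootcd /bootcd/base40.tgz /bootcd/etc40.tgz
```

Keeping the verification and extraction in one function means a bad set stops the whole build rather than leaving a half-populated /bootcd; the list itself should come from a source you trust, since a digest fetched alongside the sets over plain FTP proves only that the download was not corrupted in transit.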


I can't wait to see how it works. This is so exciting. I am such a geek...

Saturday, December 09, 2006

Know Your Docs

Over the past couple of days I have written and tested a couple of different pf(4) rulesets and I am really happy with the results. I was surprised how easy I found writing these rulesets.
When I learned FreeBSD's ipfw(8) I struggled a lot with the finer points of configuration. I believe that the difference I have made in learning pf(4) is becoming so familiar with the documentation before moving on to the implementation step. With ipfw(8) I tried to "learn by doing". Even though I think that learning by doing is an effective method, I believe for myself I need to read and know the documentation first, then put what I have learned into practice.
I am really having fun with pf, it is a wonderful and very complete piece of software, and I will be using it much more from now on.

Today's mantra:
  1. Locate the Documentation
  2. Read the Documentation
  3. Follow the Documentation
  4. BECOME the Documentation

Thursday, December 07, 2006

Reading and Writing

I finally answered all my e-mail today; I haven't had a chance to go through it for a couple of days. I got an e-mail from my little brother: he is arriving back in Australia today, he and his girlfriend have been traveling around Laos and Cambodia. It will be really good to see him. Although I will have to wait a couple of weeks, as he lives a few hours away from me.

Also I have been reading a few articles from: OpenBSD Support, Kernel-Panic.it and INETDAEMON.com

Tonight I started to write my first pf.conf file for my firewall. I think that it should go well. I will have to finish it tomorrow though because I'm exhausted. Goodnight all...

Tuesday, December 05, 2006

Packet Filter

Today I have been going over all of the documents on Packet Filter (pf). The following are the notes which I made while reading (The notes are not complete, just my reference):

Activation from boot:
Edit /etc/rc.conf.local adding:
pf=YES

Activation using pfctl(8):
The pfctl program allows us to activate pf using:
# pfctl -e
And deactivate pf using:
# pfctl -d

*Note that this just enables or disables PF, it doesn't actually load a ruleset. The ruleset must be loaded separately, either before or after PF is enabled.
Configuration
At boot time pf reads /etc/pf.conf for its configuration. The file has several parts:
  • Macros: User-defined variables that can hold IP addresses, interface names, etc.
  • Tables: A structure used to hold lists of IP addresses.
  • Options: Various options to control how PF works.
  • Scrub: Reprocessing packets to normalize and defragment them.
  • Queuing: Provides bandwidth control and packet prioritization.
  • Translation: Controls Network Address Translation and packet redirection.
  • Filter Rules: Allows the selective filtering or blocking of packets as they pass through any of the interfaces.
Lists
Lists allow one rule to contain multiple items, e.g. multiple IP addresses, port numbers etc. Lists are defined by specifying items within { } brackets. e.g.:
block out on rl0 from { 192.168.0.1, 10.0.0.1 } to any

When loading a ruleset and a list is encountered by the pfctl(8) program multiple rules are created. e.g. If pfctl found the above rule it would expand that to:
block out on rl0 from 192.168.0.1 to any
block out on rl0 from 10.0.0.1 to any

*Note that the commas between list items are optional.

Macros
Macros are user-defined variables. They can hold port numbers, IP addresses etc.
Macro names must start with a letter and may contain letters, digits, and underscores. e.g.:
int_if = "sis0"
pass in on $int_if from any to any
Macros can also contain lists.

Tables
Tables hold groups of IP addresses. Tables differ from lists in that lookups use less memory and processor time, and are therefore very fast.
Tables can be used in the following ways:
  • source and/or destination address in filter, scrub, NAT, and redirection rules.
  • translation address in NAT rules.
  • redirection address in redirection rules.
  • destination address in route-to, reply-to, and dup-to filter rule options.
To create a table in pf.conf the table directive is used. There are two attributes that can be specified for each table:
  • const - Once the table has been created its contents cannot be changed. If this attribute is not specified, addresses can be added or removed using pfctl.
  • persist - Keep table in memory even if no rules are referring to it.
For Example:
table <MyNet> { 172.16.2.0/16, !172.16.2.100 }
table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
table <spammers> persist file "/etc/spammers"

block in on vr0 from { <rfc1918>, <spammers> } to any
pass in on vr0 from <MyNet> to any

The file /etc/spammers would contain a list of IP addresses and/or CIDR network blocks, one per line. Any line beginning with # is treated as a comment and ignored.
Tables can also be manipulated with pfctl, see: pfctl(8).

Packet Filter
A highly simplified syntax for filter rules is:
action [direction] [log] [quick] [on interface] [af] [proto protocol] \
[from src_addr [port src_port]] [to dst_addr [port dst_port]] \
[flags tcp_flags] [state]


Default Deny
In a default deny filter policy, the first filter rules are:
block in all
block out all

Now traffic has to be explicitly passed by the firewall, otherwise it will be dropped.

quick
If a packet matches a rule which is using the quick keyword, then no other processing is needed, and the specified action is taken.

Keeping State
Keeping state or stateful inspection allows pf to keep track of network connections. Information is stored about each connection in a state table, and pf then determines if a passing packet belongs to an established connection; if it does the packet is passed.
When a rule has the keep state option, the first packet matching the rule creates a "state" between the sender and receiver. Now, not only do packets going from the sender to receiver match the state entry and bypass ruleset evaluation, but so do the reply packets from receiver to sender. For example:
pass out on fxp0 proto tcp from any to any keep state
Stateful filtering has a number of options:
  • max number: The max number of state entries the rule can create.
  • source-track: Track number of states created per IP.
  • max-src-nodes number: limit the number of source IP addresses that can simultaneously create state.
  • max-src-states number: When the source-track option is used, max-src-states will limit the number of simultaneous state entries that can be created per source IP address.
If a connection has completed the 3-way handshake, then other restrictions can apply to stateful connections:
  • max-src-conn number: The maximum number of simultaneous TCP connections which a single host can make.
  • max-src-conn-rate number / interval: Limit the rate of new connections to a certain amount per time interval.
  • overload <table>: Put an offending host's IP address into the named table.
  • flush [global]: Kill any other states that match this rule and that were created by this source IP. When global is specified, kill all states matching this source IP, regardless of which rule created the state.
TCP Flags
  • F : FIN - Finish; end of session
  • S : SYN - Synchronize; indicates request to start session
  • R : RST - Reset; drop a connection
  • P : PUSH - Push; packet is sent immediately
  • A : ACK - Acknowledgement
  • U : URG - Urgent
  • E : ECE - Explicit Congestion Notification Echo
  • W : CWR - Congestion Window Reduced
In a rule, flags are specified using the syntax: flags check/mask
The mask tells pf to inspect only the specified flags.
The check specifies which of those flags must be "on" in the header for a match.

TCP SYN Proxy
Proxy the handshake; pf will complete a client handshake, initiate a server handshake, then pass the packets between the two. e.g.:
pass in on $ext_if proto tcp from any to $web_server port www flags S/SA synproxy state
synproxy state also includes the same functionality as keep state and modulate state.

Blocking Spoofed Packets
pf uses the antispoof keyword to protect against spoofing:
antispoof [log] [quick] for interface [af]

Unicast Reverse Path Forwarding
A uRPF check compares the source IP of a packet with the routing table: the packet only passes the check if it arrived on the interface that the routing table would use to reach that source address.
This check is performed using the urpf-failed keyword in filter rules:
block in quick from urpf-failed label uRPF

OS Fingerprinting
Using the os keyword in a rule, pf can match packets by the (passively fingerprinted) operating system of the remote host.

IP Options
To allow packets with IP options set, which are blocked by default, you need to use the allow-opts keyword.

NAT - Network Address Translation
A highly simplified syntax for a NAT rule is:
nat [pass [log]] on interface [af] from src_addr [port src_port] to dst_addr [port dst_port] -> ext_addr [pool_type] [static-port]

Example: (tl0 is external, dc0 internal):
nat on tl0 from dc0:network to any -> (tl0)
This rule says to perform NAT on the tl0 interface for any packets coming from the dc0 interface's network, and to replace the source IP with the current address of the tl0 interface.

Bidirectional Mapping (1:1 mapping)
A bidirectional mapping can be established by using the binat rule. A binat rule establishes a one to one mapping between an internal IP address and an external address.

Rule Exceptions
Exceptions can be made to translation rules by using the no keyword. e.g.:
no nat on tl0 from 192.168.1.208 to any
nat on tl0 from 192.168.1.0/24 to any -> 24.2.74.79

The entire 192.168.1.0/24 network would have its packets translated to the external address 24.2.74.79 except for 192.168.1.208.
The no keyword can be used with nat, binat and rdr rules.

NAT Status
To view the active NAT translations pfctl(8) is used with the -s state option.

Redirection (Port Forwarding)
Redirection allows incoming traffic to be sent to a machine behind the NAT gateway. e.g.:
rdr on tl0 proto tcp from any to any port 80 -> 192.168.1.20
This line redirects TCP port 80 (web server) traffic to a machine inside the network at 192.168.1.20. So, even though 192.168.1.20 is behind your gateway and inside your network, the outside world can access it.
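To see how the pieces in these notes fit together in one file, here is an added example of a complete gateway pf.conf; it is not a ruleset from the original post and uses the OpenBSD 4.0 nat/rdr syntax the notes describe. It ties together macros, tables (const and persist), default deny, a uRPF check, antispoof, synproxy with state limits feeding an overload table, a `no rdr` exception, NAT for the LAN and a port 80 redirection. The interface names tl0/dc0 and the address 192.168.1.20 are borrowed from the notes above; everything else (table names, limits, services) is assumed.

```pf
# Added example, not a ruleset from the original post. OpenBSD 4.0 syntax.
# tl0 is the external interface, dc0 the internal one; 192.168.1.20 hosts
# the internal web server. Limits and table names are illustrative.

# Macros
ext_if = "tl0"
int_if = "dc0"
web_server = "192.168.1.20"

# Tables: rfc1918 is fixed (const); bruteforce survives ruleset reloads
# (persist) and is filled at run time by the overload option below
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <bruteforce> persist

# Options
set skip on lo0
set block-policy drop

# Scrub: normalise and reassemble fragments before filtering
scrub in all

# Translation: NAT the LAN out through the current address of tl0, and
# redirect inbound web traffic to the internal server, except from hosts
# already caught by the overload table (the "no" keyword exception)
nat on $ext_if from $int_if:network to any -> ($ext_if)
no rdr on $ext_if proto tcp from <bruteforce> to any
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $web_server

# Filter rules: default deny, then pass only what is needed
block in all
block out all

# Drop packets whose source is not reachable via the interface they
# arrived on, spoofed LAN addresses, private ranges from the outside and
# anything from hosts that earlier tripped the connection-rate limit
block in log quick from urpf-failed label uRPF
antispoof log quick for $int_if
block in log quick on $ext_if from <rfc1918> to any
block in log quick from <bruteforce> to any

# SSH to the gateway itself: proxy the handshake, allow at most 10
# simultaneous connections and 5 new ones per 30 seconds per source;
# offenders go into <bruteforce> and their existing states are flushed
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA \
    synproxy state (max-src-conn 10, max-src-conn-rate 5/30, \
    overload <bruteforce> flush global)

# Redirected web traffic still has to be passed after rdr rewrote it
pass in on $ext_if proto tcp from any to $web_server port www flags S/SA keep state

# LAN to the world; replies come back through the state entries
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto { tcp udp icmp } from any to any keep state
pass out on $int_if from any to $int_if:network keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading (the -n flag parses without loading), then `pfctl -f /etc/pf.conf`; `pfctl -t bruteforce -T show` lists the hosts the overload option has collected, and `pfctl -s state` shows the NAT and redirection entries mentioned under NAT Status.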

Saturday, December 02, 2006

No Power

I have been busy the past couple of days cleaning the house and paying bills. So much fun I know. I hope to get back to reading and building my firewall tomorrow. I feel lost not being on my computer.
I lost the power for a couple of hours the other night. It was the first night of the Sci Fi channel being on Austar. My partner and I sat down to watch the first show on at 12am. It was a repeat in true Austar style, so I went back to the computer room. I was in the middle of writing a post when the power went. I don't have a UPS (cause I can't afford one) so everything died. We sat and waited for the power to come back.
After about five minutes I was bored, so I started messing with the mobile, taking photos by candle light, and I changed the wallpaper. Then my partner and I started playing a two player mobile game. I am not big on mobile games but desperate times. Anyway we were playing for about 2 hours when the mobile started giving the battery low beep, it only beeped twice then died in my partner's hands. It was so funny, I forgot to tell him that I had changed the wallpaper so the screen went from -> his move in the game -> then flashed the wallpaper -> then went black.

This is what I had changed the wallpaper to:



Anyway just as we were about to bring out the pocket calculators; the power was restored and all was well.

I have been enjoying the Sci Fi channel. There have been some good things on so far. I have been waiting to see some of them. I will have to get my laptop fixed soon though cause it is annoying not having Internet access anywhere in the house. Currently my laptop looks like this:
So as you can see I am not doing a lot with it. Oh well, have to fix it.