How To Set Up A Terminal Server In Linux Using Ubuntu 9.10 And FreeNX

This article was timely. I had just installed a virtual version of Ubuntu on my ESXi server and set up VNC so I could access it. It was okay but FreeNX is a more elegant solution. The combination of FreeNX and Firehol to set up the firewall makes it a winner in my book.


FreeNX is an open source implementation of NoMachine’s NX Server. It is a bit more akin to Microsoft’s RDP protocol than the usual VNC, so while keeping bandwidth to a minimum, it maintains good visual quality and responsiveness.

How To Set Up A Terminal Server In Linux Using Ubuntu 9.10 And FreeNX
(author unknown)
Mon, 25 Jan 2010 16:42:09 GMT

Windows Vista cannot obtain an IP address from certain routers or from certain non-Microsoft DHCP servers

 

Consider the following scenario:

  • You connect a Windows Vista-based computer to a network.
  • A router or other device that is configured as a Dynamic Host Configuration Protocol (DHCP) server is configured on the network.
  • The router or the other device does not support the DHCP BROADCAST flag.

In this scenario, Windows Vista cannot obtain an IP address.

Consider the following scenario:

  • You just bought your son a new Toshiba tablet with Vista Business pre-installed on it. You want to make sure that when the tablet goes off to school it has all critical patches applied.
  • You are using pfSense as a DHCP server.
  • The XP, Linux, and Windows 7 computers are able to connect to the network and get an IP address.

You would have thought DHCP problems were solved twenty years ago but here is the solution.

Windows Vista cannot obtain an IP address from certain routers or from certain non-Microsoft DHCP servers
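The symptom in the first scenario, as it would look in a packet capture: a DHCPDISCOVER with the BROADCAST bit set that never receives an OFFER. This is an added example, not part of the original post or the linked article; the packets are constructed samples and the function names are hypothetical.

```python
import struct

BROADCAST_FLAG = 0x8000              # top bit of the BOOTP 'flags' field (RFC 2131)
MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of the DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}

def build_msg(msg_type, xid, broadcast, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Build a minimal DHCP payload (constructed sample input, not a capture)."""
    op = 1 if msg_type in (1, 3) else 2          # BOOTREQUEST or BOOTREPLY
    flags = BROADCAST_FLAG if broadcast else 0
    # op, htype, hlen, hops, xid, secs, flags, 4 zeroed addresses, chaddr, sname, file
    header = struct.pack("!BBBBIHH16s16s64s128s", op, 1, 6, 0, xid, 0, flags,
                         b"", mac, b"", b"")
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])

def parse_dhcp(payload):
    """Extract xid, message type and broadcast bit from a DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    xid, _secs, flags = struct.unpack("!IHH", payload[4:12])
    msg_type, i = None, 240
    while i < len(payload) and payload[i] != 255:    # 255 = end option
        if payload[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            break                                    # truncated option header
        length = payload[i + 1]
        if payload[i] == 53 and length == 1 and i + 2 < len(payload):
            msg_type = MSG_TYPES.get(payload[i + 2], "UNKNOWN")
        i += 2 + length
    return {"xid": xid, "type": msg_type, "broadcast": bool(flags & BROADCAST_FLAG)}

def unanswered_discovers(payloads):
    """Map xid -> broadcast bit for every DISCOVER that never got an OFFER."""
    seen, offered = {}, set()
    for p in payloads:
        m = parse_dhcp(p)
        if m["type"] == "DISCOVER":
            seen[m["xid"]] = m["broadcast"]
        elif m["type"] == "OFFER":
            offered.add(m["xid"])
    return {xid: b for xid, b in seen.items() if xid not in offered}

# Constructed capture: client 1 (flag clear) is answered, client 2 (flag set) is not.
SAMPLE_CAPTURE = [build_msg(1, 1, False), build_msg(2, 1, False), build_msg(1, 2, True)]

if __name__ == "__main__":
    print(unanswered_discovers(SAMPLE_CAPTURE))
```

If every unanswered DISCOVER has the broadcast bit set while clients with the bit clear get offers, the DHCP server's handling of the flag is the likely cause.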

Adventures with iRedMail – Part II

In the first installment of Adventures with iRedMail I got it to send emails but I left the MS Exchange integration for another day. Since then I have updated my DNS zone with the DKIM information, set up local DNS information, decided on naming standards, and reconfigured Postfix several times before I got it right.

Updating the DNS with DKIM information

This task was relatively easy. I copied the DKIM information in the iRedMail.tips into a trouble ticket with my web provider. About 24 hours later it was ready to test. I sent emails to my Yahoo account, sa-test@sendmail.net, and autorespond+dkim@dk.elandsys.com. Although the email from dk.elandsys.com was the first to respond, it said it did not work. When I checked my Yahoo account the headers said the email was signed correctly with DKIM. Ironically the return email from sendmail.net ended up in my Junk Mail folder. It said that everything worked correctly. For one more test I created a Gmail account and sent an email to it, too. It said the email was signed correctly.

Local DNS, naming standards, and more Postfix problems

The next challenge was to configure Postfix to accept both local email addresses and email addresses for the Exchange server under the same domain. I used PostfixAdmin to create aliases that pointed to the Exchange server emails (e.g. myemail@mybusiness.com points to myemail@mybusiness.local). Postfix complained about the DNS records for my Exchange server so I added mybusiness.local as a relay_domain and set up a pseudo DNS so that Postfix can find the IP address for my Exchange server. In my case I decided to let my pfSense firewall act as a local DNS server to serve up the local IP addresses. At this point I can email to everyone from a local iRedMail account but I cannot get replies until I set up iRedMail as the SMTP gateway and the Exchange server as a relay domain.

Postfix domain checks get me again!

It took me a long time to figure this out. When I changed the firewall to redirect SMTP traffic to the Postfix gateway I could not get any mail. I thought I had messed up the firewall settings so I kept trying different settings. I was pretty limited with my testing tools. If I could Telnet into port 25 I could see what is happening but I could not make the connection work as long as I was located on this side of the firewall. Fortunately I found a solution on the Internet. The dnsqueries.com site provides a page, http://www.dnsqueries.com/en/smtp_test_check.php, that allows me to check my local SMTP connection using their server. Within minutes I figured out that my email server did not like my sender’s domain. In fact it did not like anyone’s domain. This was the same type of problem I had with the Postfix recipient domain check, so I removed the sender domain check and the emails started flowing.
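The same diagnosis can be made from the gateway's own mail log instead of an outside test page. The following is an added example, not part of the original post: it assumes the standard Postfix smtpd log format, uses constructed log lines, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three unrelated senders, all refused for the same reason.
SAMPLE_LOG = """\
Jan 25 10:01:02 gw postfix/smtpd[2101]: NOQUEUE: reject: RCPT from mail.example.net[192.0.2.10]: 450 4.1.8 <alice@example.net>: Sender address rejected: Domain not found; from=<alice@example.net> to=<myemail@mybusiness.com> proto=ESMTP helo=<mail.example.net>
Jan 25 10:03:40 gw postfix/smtpd[2104]: NOQUEUE: reject: RCPT from mx.example.org[198.51.100.7]: 450 4.1.8 <bob@example.org>: Sender address rejected: Domain not found; from=<bob@example.org> to=<myemail@mybusiness.com> proto=ESMTP helo=<mx.example.org>
Jan 25 10:09:15 gw postfix/smtpd[2110]: NOQUEUE: reject: RCPT from out.example.com[203.0.113.5]: 450 4.1.8 <carol@example.com>: Sender address rejected: Domain not found; from=<carol@example.com> to=<myemail@mybusiness.com> proto=ESMTP helo=<out.example.com>
"""

REJECT = re.compile(
    r"NOQUEUE: reject: \w+ from \S+: (?P<code>\d{3}) \S+ <(?P<addr>[^>]*)>: "
    r"(?P<kind>Sender|Recipient) address rejected: (?P<reason>[^;]+);")
# An accepted session is logged with a hex queue ID followed by client=...
ACCEPT = re.compile(r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=")

def summarize(log_text):
    """Count accepted sessions and group rejections by (kind, reason)."""
    reasons, domains, accepted = Counter(), set(), 0
    for line in log_text.splitlines():
        if ACCEPT.search(line):
            accepted += 1
            continue
        m = REJECT.search(line)
        if not m:
            continue
        reasons[(m["kind"], m["reason"].strip())] += 1
        if m["kind"] == "Sender" and "@" in m["addr"]:
            domains.add(m["addr"].rsplit("@", 1)[1].lower())
    return {"accepted": accepted, "reasons": reasons, "sender_domains": domains}

def diagnose(summary):
    """Separate 'this sender is bad' from 'the gateway cannot resolve anything'."""
    total = sum(summary["reasons"].values())
    if total == 0:
        return "no-rejects"
    dns_rejects = summary["reasons"][("Sender", "Domain not found")]
    if (summary["accepted"] == 0 and dns_rejects == total
            and len(summary["sender_domains"]) >= 2):
        # Every sender domain fails lookup: suspect the gateway's own resolver.
        return "check-gateway-dns"
    return "per-sender-rejects"

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(diagnose(s), sorted(s["sender_domains"]))
```

A `check-gateway-dns` result points at the resolver the gateway uses rather than at the senders; repairing that lets the sender-domain check stay enabled as a spam control.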

What have I achieved?

  • I have a gateway that checks all incoming mail for spam and viruses. Postini offers a similar service for about $1 per user per month. We use MXLogic at work.
  • I have an alternate email server that allows me to send email that passes the SPF and DKIM checks. One of the reasons I investigated iRedMail was to use it for sending out a newsletter at work. Like many Internet retailers we get a chunk of our business as a result of our biweekly newsletter. In our case DKIM is another piece of the puzzle to improve our sender reputation. Since both Yahoo and Gmail require DKIM signing in order to set up feedback loops, DKIM is probably essential if you have ambitions of having a pristine email list. For those folks looking at ways to cut the umbilical cord to Microsoft this is one of several low cost, low maintenance migration alternatives to a local Exchange server.

Getting McAfee to work behind an ISA 2004 Firewall

It has been a long time since I actively worked with Microsoft’s ISA Firewall so it took me some time to fix this problem. Buy.com periodically offers a 3 computer version of McAfee at a very cheap price. Since I am somewhat ambivalent about the merits of one virus checking software over another, I bought a copy to replace a TrendMicro version up for renewal. The installation did not flag any errors or warnings so it took about a week before I noticed that the patterns had not updated. Yesterday I decided to fix the problem and write down for posterity how I accomplished it.

Unlike many firewalls Microsoft’s firewall typically restricts anonymous access. This typically is not a problem for most applications that run on Windows computers since the users are logged into the Active Domain. Occasionally there are applications that fail to connect to the internet despite the user being logged into the domain. Most of the time you need to open some non-standard ports to fix the problem. In this case McAfee is using standard HTTP and HTTPS ports and still failing to connect.

The solution is to create an anonymous access rule to the McAfee update site and to configure the client to not use the ISA Firewall client for these sites. One way to accomplish this is to configure Internet Explorer (Tools-Internet Options-Connections-LAN settings-Advanced) to not use the proxy. This is the way I got McAfee to update. Another way is to configure the properties for the internal network in ISA to use direct access for these sites. You can configure a GPO, too.

pfSense 1.2.2 Upgrade

Last year I finally got around to installing pfSense 1.2 and some packages. Last week I decided to upgrade to the latest release. I chose to use the command line version of the upgrade process and it worked great at updating the base package. The upgrade documentation is a little fuzzy about updating the packages. When I logged into the administrative panel the firewall started to upgrade the packages. That kind of worked but most of the packages I checked were not working after the upgrade. I tried to manually update or uninstall SNORT but it ignored me. So I rebooted the firewall.

As the firewall came up the second time, it upgraded SNORT. After logging into the administrative panel again, I saw that NMAP worked. Okay, that’s a step forward. Next I tried NTOP but the screen would not come up. Thinking it might have forgotten the configuration settings, I configured NTOP. It worked. Next I installed Open-VM-Tools since I run my firewall as a virtual machine. Finally I tried SNORT. I could configure it but it still had problems downloading rules. This was the problem I had previously under 1.2 so I uninstalled SNORT. Everything seems to be working so it is probably safe to forget it for a couple more months.