<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom"><title>UnixTech</title><link href="http://unixtech.github.io/" rel="alternate"></link><link href="http://unixtech.github.io/feeds/unix.atom.xml" rel="self"></link><id>http://unixtech.github.io/</id><updated>2014-12-06T13:30:00+05:30</updated><entry><title>Firewall PF</title><link href="http://unixtech.github.io/blog/12-2014/pf-firewall-1.html" rel="alternate"></link><published>2014-12-06T13:30:00+05:30</published><author><name>Unixer</name></author><id>tag:unixtech.github.io,2014-12-04:blog/12-2014/pf-firewall-1.html</id><summary type="html">&lt;h2&gt;FreeBSD and OpenBSD&lt;/h2&gt;
&lt;p&gt;PF (Packet filter) is default firewall for OpenBSD and included in other OS's like &lt;a href="http://www.freebsd.org"&gt;FreeBSD&lt;/a&gt; and &lt;a href="http://www.apple.com" title="Apple"&gt;Apple&lt;/a&gt; IOS operating systems. Many other "Commercial firewall" appliances are inspired by PF.&lt;/p&gt;
&lt;h2&gt;History of PF&lt;/h2&gt;
&lt;p&gt;PF was originally designed as replacement for Darren Reed's IPFilter, from which it derives much of its rule syntax. IPFilter was removed from OpenBSD's CVS tree due to OpenBSD developers' problems with its license. Specifically, Reed distributed some versions of his software with the license clause, "Derivative or modified works are not permitted without the author's prior consent." Due to this, the OpenBSD team decided to replace the software. This decision became the subject of wrangling among the parties involved, degenerating into a discussion that failed to reach mutual understanding. On the subject, OpenBSD project leader Theo de Raadt wrote, "Software which OpenBSD uses and redistributes must be free to all... for any purpose including... modification."&lt;/p&gt;
&lt;p&gt;PF has since evolved quickly and now has several advantages over other available firewalls. Network Address Translation (NAT) and Quality of Service (QoS) have been integrated into PF, QoS by importing the ALTQ queuing software and linking it with PF's configuration. Features such as pfsync and CARP for failover and redundancy, authpf for session authentication, and ftp-proxy to ease firewalling the difficult FTP protocol, have also extended PF.&lt;/p&gt;
&lt;p&gt;One of the many innovative feature is PF's logging. Logging is configurable per rule within the pf.conf and logs are provided from PF by a pseudo-network interface called pflog. Logs may be monitored using standard utilities such as tcpdump, which in OpenBSD has been extended especially for the purpose, or saved to disk in a modified tcpdump/pcap binary format using the pflogd daemon.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;For more info, &lt;strong&gt;Read  - &lt;a href="http://en.wikipedia.org/wiki/PF_%28firewall%29"&gt;History of pf&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h2&gt;PF setup&lt;/h2&gt;
&lt;p&gt;Usually &lt;code&gt;PF&lt;/code&gt; is deployed  in conjuction with other tools provided by OpenBSD ecosystem.
These includes:
&lt;em&gt; HFSC Queuing system for QoS
&lt;/em&gt; FTP-Proxy
&lt;em&gt; Application proxies such as Relayd ( Mainly used as HTTPs termination point )
&lt;/em&gt; OS detection using fingerprint - &lt;code&gt;pf.os&lt;/code&gt;
* CARP firewall failover for HA environments ( UCARP for FreeBSD users )&lt;/p&gt;
&lt;h3&gt;How to deploy PF firewall in your environment&lt;/h3&gt;
&lt;blockquote&gt;
&lt;p&gt;Note: Both OpenBSD and FreeBSD OS uses different syntax for maintaining &lt;code&gt;PF&lt;/code&gt; firewall.
We will mainly focus on OpenBSD OS but there are benefits of using &lt;code&gt;PF&lt;/code&gt; with FreeBSD OS since it provides multi-processing capable version of &lt;code&gt;PF&lt;/code&gt;.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;!--{% include_code pf.conf [lang:sh] [pf.conf] %}--&gt;

&lt;p&gt;File - &lt;code&gt;/etc/rc.conf.local&lt;/code&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    pf=YES
    pf_rules=/etc/pf.conf
    pflogd_flags=&amp;quot;-s 1500&amp;quot; # Ex. Snaplen, Log filename 
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;File - &lt;code&gt;/etc/pf.conf&lt;/code&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    ### My master pf.conf

    ### Interfaces
    EXTIF =&amp;quot;em0&amp;quot;
    INTIF =&amp;quot;em1&amp;quot;
    DMZ = &amp;quot;em2&amp;quot;
    EXTRAIF =&amp;quot;em3&amp;quot;

    ### Hosts
    ADMIN =&amp;quot;10.0.11.1&amp;quot;
    ADMIN1 =&amp;quot;10.0.11.31&amp;quot;
    BOTHADMIN =&amp;quot;{&amp;quot; $ADMIN $ADMIN1 &amp;quot;}&amp;quot;
    EXTDNSSERVER =&amp;quot;4.2.2.2&amp;quot;
    INTDNSSERVER =&amp;quot;$INTIF:0&amp;quot;
    #DNSSERVERS =&amp;quot;{' $INTDNSSERVER $EXTDNSSERVER '}&amp;quot;
    DNSSERVER =&amp;quot;{$INTDNSSERVER}&amp;quot;
    LOGSERVER = &amp;quot;{ 10.0.11.22, 10.0.11.31  }&amp;quot;
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;All these variable defined are called MACROS inside &lt;code&gt;pf.conf&lt;/code&gt; file.&lt;/li&gt;
&lt;li&gt;These are used for convinience and ease of use&lt;/li&gt;
&lt;li&gt;Defining nested macros are possible as well.&lt;/li&gt;
&lt;li&gt;Take a look at &lt;code&gt;INTIF&lt;/code&gt; macro, If you want to include that whole internal network in your rules then &lt;code&gt;INTIF:network&lt;/code&gt; in your rule.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Now, We will have a look at some of the rules itself.&lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    #External Interface
    #Block all on External interface
    block log on $EXTIF

    ## Network address translation with outgoing source 
    #match out log on $EXTIF from $INTIF to any received-on $INTIF tag EGRESS nat-to ($EXTIF:0) 
    match out log on $EXTIF from $INTIF:network to any received-on $INTIF tag EGRESS nat-to ($EXTIF:0)
    #If you have difficulties with any box with static port forwarding then you should use
    #match out log on $EXTIF from $INTIF to any received-on $INTIF tag EGRESS nat-to ($EXTIF:0) static-port

    #Traffic generated from firewall it self will be tagged as EGRESS
    match out log on $EXTIF from $EXTIF to any tag EGRESS
    #More on these later on.

    #EXTIF inbound
    pass in log (to pflog1) on $EXTIF inet proto tcp from any to any port 22 
    pass in on $EXTIF inet proto tcp from any to $EXTIF port &amp;gt;10000

    #External interface outbound
    pass out log on $EXTIF inet  from ($EXTIF) to any $TCPSTATE $EXTIFSTO queue (bulk, ack) tagged EGRESS
    #pass out log on $EXTIF inet proto udp from ($EXTIF) to any $UDPSTATE $EXTIFSTO queue (bulk, ack) tagged EGRESS
    pass out log on $EXTIF inet proto tcp from ($EXTIF) to any port $TCPPORTS $TCPSTATE $EXTIFSTO queue (web, ack) tagged EGRESS
    pass out log on $EXTIF inet proto udp from ($EXTIF) to any port 53 $UDPSTATE $EXTIFSTO queue (dns, ack) tagged EGRESS
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;These are some of the rules that I have defined in my DMZ firewall to prevent other users from coming in from outside.&lt;/li&gt;
&lt;li&gt;After deploying this ruleset only SSH is allowed from outside interface of firewall. &lt;/li&gt;
&lt;li&gt;From inside essential end-user services such as Internet browsing, DNS are enabled. &lt;/li&gt;
&lt;li&gt;Take a look at &lt;code&gt;match out&lt;/code&gt; rules on &lt;code&gt;EXTIF&lt;/code&gt; to have a look at how nat rules are working. &lt;/li&gt;
&lt;/ul&gt;
&lt;h3&gt;Turning on routing&lt;/h3&gt;
&lt;p&gt;To turn on routing functionality of the box, You need to make sure you have enabled ip forwarding in &lt;code&gt;sysctl&lt;/code&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    # To check the ip forwarding status
    sysctl net.inet.ip.forwarding
    # If it's 0 then turn it on
    sysctl net.inet.ip.forwarding=1

    #To make it permanent 
    ### /etc/sysctl.conf
    net.inet.ip.forwarding = 1
&lt;/code&gt;&lt;/pre&gt;

&lt;h3&gt;PFCTL utility&lt;/h3&gt;
&lt;p&gt;After making changes inside &lt;code&gt;pf.conf&lt;/code&gt; file, rules are not automatically loaded. To load the rules We need to use &lt;code&gt;pfctl&lt;/code&gt;&lt;/p&gt;
&lt;p&gt;To load rules - Assuming rule file is &lt;code&gt;/etc/pf.conf&lt;/code&gt;&lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    pfctl -vf /etc/pf.conf
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;To see which rules are currently loaded, It will also show related counters.    &lt;/p&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;    pfctl -vsr 
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;img width="600" class="center" src="/images/pf_rules.png"&gt;&lt;/p&gt;
&lt;h2&gt;Conclusions&lt;/h2&gt;
&lt;p&gt;PF is one of the most popular and powerful firewall for managing your network traffic. We have barely even scratched surface of what PF can provide. It's functionality is much more then many of the commercial offerings offers.&lt;br /&gt;
We will also cover some extended functionality such as usage of Anchors, Preventing torrent traffic, Blacklisting and preventing brute-forcing attack etc.
Being open-source it places no restrictions on usage. Users can use it any which way they would prefer.  &lt;/p&gt;
&lt;p&gt;Having  used PF and OpenBSD for nearly 10 years in all of my setups I can say PF is most secure firewall there is and With combination of OpenBSD and PF you can be pretty sure you are one step ahead then rest  in process of being NSA proof.&lt;/p&gt;</summary><category term="Unix"></category><category term="Firewall"></category></entry><entry><title>Find - Looking for things</title><link href="http://unixtech.github.io/blog/01-2010/practical-find.html" rel="alternate"></link><published>2010-01-03T18:02:00+05:30</published><author><name>Unixer</name></author><id>tag:unixtech.github.io,2010-01-03:blog/01-2010/practical-find.html</id><summary type="html">&lt;p&gt;The &lt;code&gt;Find&lt;/code&gt; utility in Linux is very useful in the sense that it quickly locates and searches through list of files and directories.
It can do so based on condition that you pass through arguments. 
&lt;code&gt;Find&lt;/code&gt; can find files using different conditions like:  &lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Permissions&lt;/li&gt;
&lt;li&gt;Users&lt;/li&gt;
&lt;li&gt;Groups&lt;/li&gt;
&lt;li&gt;File type&lt;/li&gt;
&lt;li&gt;Date&lt;/li&gt;
&lt;li&gt;Size and more.&lt;/li&gt;
&lt;/ul&gt;
&lt;h2&gt;Basic Usage&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Find file in current directory&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt; # Find by filename in Current dir
 find . -name unixtech.txt

 #Output
 ./unixtech.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Find file in current directory &lt;span class="fa fa-arrow-right"&gt;&lt;/span&gt; Case insensitive&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt; # Find by filename in Current dir
 find . -iname unixtech.txt

 #Output
 ./unixtech.txt
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Recursively searching file in all in whole system&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;# Recurse through whole file system
find / -name $FILENAME
&lt;/code&gt;&lt;/pre&gt;

&lt;h2&gt;Find files based on permissions&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Find files certain permissions&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;# Find only files with full 777 permissions
find / -perm 0777 -print
# Find files with SGID bit set 
find / -perm 2644
# Or
find / -perm /g+s
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Find all files based on user permissions&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#Find all files with READ permission
find / -perm /u=r -print

# Find all files with executable bit set
find / -perm /a=x -print
&lt;/code&gt;&lt;/pre&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Find can also execute command on found files based on given criterion.
In addition to just printing list of files, You can modify, change permission and also delete files using &lt;code&gt;-exec&lt;/code&gt; flag in find command.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;So, If you want to change all the files that have permission set to &lt;code&gt;777&lt;/code&gt; to something that only you can modify in your home directory, You may execute following variation of &lt;code&gt;find&lt;/code&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Find all files with &lt;code&gt;777&lt;/code&gt; permission and change it to &lt;code&gt;644&lt;/code&gt; inside your home directory&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#Find and exec 
find ~USERNAME -perm 777 -print -exec chmod 644 {} \;
&lt;/code&gt;&lt;/pre&gt;

&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;{}&lt;/td&gt;
&lt;td&gt;Shell expander which will put current file name from list in &lt;code&gt;-exec&lt;/code&gt;&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;\;&lt;/td&gt;
&lt;td&gt;'\' is Shell escape and ';' is Unix chaining symbol&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Here thing to remember is You have to put {} symbol where you want INPUT filename to be, and chain it with \; symbol.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;ul&gt;
&lt;li&gt;Same thing if you want to remove or list files&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#List files that matches certain crieteria
find / -perm 777 -print -exec ls -la {} \;

#Removing files that matches certain crieteria
find / -perm 777 -print -exec rm -rf {} \;
&lt;/code&gt;&lt;/pre&gt;

&lt;h2&gt;Finding files based on user/group ownership&lt;/h2&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#Find files owned by particular user
find / -user unixtech -print

#Find files owned by group
find / -group unixgroup -print

&lt;/code&gt;&lt;/pre&gt;

&lt;h2&gt;Finding files based on modification/changed/accessed date time&lt;/h2&gt;
&lt;ul&gt;
&lt;li&gt;Find files modified 3 days back&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;
find / -mtime 3

&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;find all the files those are changed last hour&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#Will return all the files changed in last 60 mins
find / -cmin -60
&lt;/code&gt;&lt;/pre&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; '-' sign in front of 60 includes all the files that changed within that timeframe, Ex. It will include files that are changed 3, 5, 10 mins back and so on.
Notice different criterion for finding files such as &lt;code&gt;-mmin&lt;/code&gt;, &lt;code&gt;cmin&lt;/code&gt;, &lt;code&gt;amin&lt;/code&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;&lt;/th&gt;
&lt;th align="center"&gt;&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;Access time&lt;/td&gt;
&lt;td align="center"&gt;If you list/delete/open this file then &lt;code&gt;atime&lt;/code&gt; will be modified&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Changed time&lt;/td&gt;
&lt;td align="center"&gt;Modifying data of the file changes &lt;code&gt;ctime&lt;/code&gt; parameter of file&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;Modification time&lt;/td&gt;
&lt;td align="center"&gt;Same as Changed time but will also be changed upon changes in meta data of the file.&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h2&gt;Use &lt;code&gt;find&lt;/code&gt; to search files based on size&lt;/h2&gt;
&lt;p&gt;This one is quite useful in case you want to find largest files in your home directory, files that are eating away space on hard drive. &lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Find all the  files between 10 MB - 100 MB&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;find /home -size +10M -size -100M
&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Find all the files larger then 1GB and delete em&lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;#Find larger files and list them first
find /home -size +1G -exec ls -la {} \;

# If you see desired files then remove them
find /home -size +1G -exec rm -rf {} \;

&lt;/code&gt;&lt;/pre&gt;

&lt;ul&gt;
&lt;li&gt;Find all the movie files larger then 100MB and delete &lt;/li&gt;
&lt;/ul&gt;
&lt;pre&gt;&lt;code class="language-bash"&gt;# Find and list files first
find /home -size +100M -print -iname &amp;quot;*mp4|wmv|mov&amp;quot;;

# After listing them just press `UP` arrow, change the CMD and  delete 
find /home -size +100M -iname &amp;quot;*mp4|wmv|mov&amp;quot; -exec rm -rf {} \;
#Be careful while executing that command.
&lt;/code&gt;&lt;/pre&gt;

&lt;blockquote&gt;
&lt;p&gt;&lt;strong&gt;Note:&lt;/strong&gt; Find supports extended regular expressions too. &lt;br /&gt;
Regular expressions are swiss army knife for solving many kind of problem but they also come with added difficulty of maintaining and generating them. If none&amp;gt; of the above meets your requirement then as last resort only you should use Re&amp;gt;gExes in &lt;code&gt;find&lt;/code&gt; utility.&lt;/p&gt;
&lt;/blockquote&gt;</summary><category term="Unix"></category><category term="Essentials"></category></entry></feed>