Friday, 12 September 2008

Goodbye China!

If using a "biscuit tin as a firewall" was the answer - then the question had to be "How the hell do I stop China over-running my mail server?"

This is dedicated to anyone who runs their own mail server. Whether you're a business user supporting an enterprise deployment or a pokey home user just looking to get a little bit of IMAP love in your life - they day you find where the mail logs reside is the beginning of a vengeful game of strike and counter strike.

Perhaps some people are happy with it - but for me, reading the mail logs is an irritation. From time to time you expect the occasional prod from some random point in the country attempting to relay off your mail server but the constant drip drip offensive from one international region in particular is quite literally like Chinese water torture.

Almost 95% of relay attempts against my mail server, when processed through whois on, turned out to be from China. Perhaps they thought there was a gold medal in the offing?!!

The alliteration of attempts was impressive and it showed that although the majority of engagements failed trying to handshake my mail server (HERRO instead of EHLO perhaps?) - some were far less bot driven and much more sneakey in their attempts to trick my MTA in to relaying fun time Pr0n mail to the masses. Eventually it drove the fear of God in to me. Who knows what they get up to in the labs over there? The Xenophobe in me kicked in. Visions of faithful party members - miniturised and deployed inside ethernet frames - raiding my mail server with all manner of technoexploit know how meant that I could not rely on my MTA alone to deal with it. They had to be stopped at the perimiter!!!

Don't get me wrong here. I had hardened my Postfix implementation after a lengthy (5 minute) trawl through the first page of Google search results on the issue. I had also burnt the midnight oil on more than one occassion, taking the time to deploy my own domain local blacklist and also real time black listing (rbl). But the joy in rejecting mail from specific domains with my own custom FU 550 reject message was fleeting and the logs still showed presence of chinanet users enjoying all night exploitathons on my IP address. I felt that it was only a matter of time before they partied hard enough to break on through to the other side.

That was why I decided to retract the hospitality that was generally afforded on port 25 to the rest of the world. A bit drastic? Not really - the last time I looked, Hu Jintao wasn't in my Facebook so what do I care.

So I traded up and got myself a nice Netgear firewall router from the Prosafe range. The FVG318 fitted the bill perfectly. It had some great features and also included the explicit ability to block either individual IP addresses or supernet IP blocks. Perfect! The spam relay attempts came in - left their dirty finger prints all over my logs - associated ip ranges looked up and were then entered in to the 'no no' list. Moohahahahahaha!

Imagine my disappointment when I discovered that a so say professional device (that is where the pro in prosafe comes from --- right?) rejected my 21st attempt at entering a firewall rule.

Netgear and the art of WTF??!!!!
When the FVG318 says those three little words, it's hard to hide the rejection when you read "Too Many Entries" ! Tear my heart out why don't you!!!

Firmware Version: v2.1.2-67R - you're a dirty love rat!

Frankly - I don't know if it's unacceptable or not to have such a limitation in an off the shelf product. I could cry all I liked and Netgear were unlikely to fix my issue for me. As a result, it was time for Linux. Specifically - Smoothwall.

How and why I came to this decision - and how I built the damn thing have been blogged HERE

So how could Smoothwall be of benefit? Quite simple really. Give me the power to block the extensive range of IP addresses I needed in order to exact my vengeful nature upon the far east! At the same time, it would allow me to do it in a manner that meant I didn't have to enter the IP blocks one at a sodding time. Lucky for me, Smoothwall is the mutts nuts (or the dogs danglies if you prefer - choices choices eh! That's western living for yah).

Ok, if I was pedestrian about it - Smoothwall would allow me to plod through my hate list one item at a time, adding them via GUI interface. If I wanted to step up a gear then there was always the direct route. By enabling SSH access and having a quick prod about, it didn't take long to find the config file for the ipblock function under /var/smoothwall/ipblock

Putty and the art of TFFT!
As any responsible citizen should, all material of a sensitive nature has been removed to protect the innocent.

Smoothwall supports VI if you fancy your elite text based editor skills. Alternatively, you could always use WINSCP to provide you with graphical access to the directory structure and locate the ipblock config file for editing. You may want to make a backup before you balls it up though.

Smoothwall allows for IP blocks to be specified by CIDR notation. The ipblock file takes a comma separated list of parameters in this apparent order: (ip details) address/CIDR range, (logging) on/off, (punishment) drop/reject, (enable) on/off,

e.g -,off,DROP,on, China

That's great - but where the hell am I going to find a list of chinese IP blocks? The internet being the community it is, you can guarantee that this issue has been pissing people off for long enough to ensure that someone has already done the leg work for you. Enter the OKEAN web site. If I were a small dog, I would be humping this guys leg right now. Both Chinese and Korean IP blocks in contiguous / CIDR and dnsbl zone format. It's this kind of selflessness that makes the web a better place (rather than a virtual high street).

If I were a little dog!
Okean ... where are yooooou?

With the IP booty in the swag bag (thanks Okean) all it needs now is for a quick cut and paste of the data in to the /var/smoothwall/ipblock/config file and bob is your aunty. The list appears immediately in the smoothwall ipblock list via the browser. A quick reload of the firewall to be on the safe side and there we go. China begone.

The sad reality is that a small percentage of people are either willingly or unwittingly helping their country gain an unsavoury reputation. A quick browse on the net shows that plenty of people are considering similar actions in order to protect their infrastructure from abuse. It could make the internet a very hit and miss affair for China over the next decade.

Wednesday, 3 September 2008

Part 2 - Getting my parts out and playing with them

With all the kit safely back at base, it was time to put it all together. What were the chances that the kit would power up let alone let me put a firewall on it? Surprisingly (for me at least) it came up first time.

Now the thing about this solution is that it's all going to have to squeeze in to a small box and I didn't want to put it all together only to find that some hardware configuration or limitation (i.e. supported hardware issue) meant I needed to open it up again. So as soon as I could get the bare bones operational, I decided to find a firewall distribution that met the criteria and give it a whirl.

Must have:
  • NAT firewall with spi
  • IP blocking features allowing single IP or IP range blocking - (without the 20 or so rule limit I had on my router!!!!)
  • Port forwarding
  • PPP support - I need it to connect to my ethernet modem and log me on to the net
  • SQUID. (I didn't really need this but it was an itch I've been meaning to scratch for ages) - preferrably transparent.
  • Good logging features
  • Be able to run on a reletively low power system without dragging down my surfing experience.
Dream team:
  • IPSEC VPN endpoint functionality
  • Pretty graphs
  • Good community support (do not undervalue this aspect)
  • NTP, DHCP and DNS (in case I ever decide to consolidate these services away from my existing systems)
  • Intrusion Detection System (IDS) ... another 'want to play with' thing.
  • QOS so that when my kids grow up - I can QOS their bandwidth hogging activities out of existence
  • IM proxy. Again, when my kids grow up I'll need to snoop - err responsibly monitor who they're talking to.
I trawled my backside off looking through the various features - seeing what did the trick. M0n0wall looked like a fantastic development able to run on skinny kit but didn't appear to have the web proxy functionality I was looking for. Untangle also looked quite tasty but I was put off with the beefy (ok - non wimpy) hardware requirements.

Much more up my street were IPCOP and Smoothwall Express. Both scored highly and it was hard to choose between them. Being technically minded, I went for IPCOP because my Dad was a copper back in the day - and somewhere in the back of my head the name gave me the impression of The Sweeney meets Tron. That's how the IT decisions are made when I'm spending the money!

So I downloaded the latest release from sourceforge, burnt the disk and fired it up. Remember what I said above about supported hardware issues? Well that's where IPCOP fell on its arse for me in the first instance. It's not everybodys experience but I couldn't get it to run on my kit. It appeared for all the world to me that during the installer process, IPCOP was looking for the install files from my SATA disk rather than the CDROM with the install disk in. Actually - I proved this for myself by breaking in to a console session and browsing the device it was trying to read from - which was my SATA drive. The community advice was 'search the forum for SATA'. Something that showed mixed success.

I'm not going to knock the regional cummunity support forum but suffice to say I didn't get the warm fuzzies from it! I wasn't expecting flowers or anything but, well ..

So there I was with a dining room table full of hardware and one option left. Time for Smoothwall Express. The name wasn't as funky but the base functionality was pretty close (IPCOP being a fork of Smoothwall by all accounts). Would it run on my cobbled hardware or would I have some explaining to do to my wife when we examined the accounts!?

To start with, the answer was no! *cry* For a moment I thought I had compatibility issues when the installed keeled over repeatedly with an obscure message at the end of the file installation process. But checking the md5sum gave surprising results and it transpired that my iso was corrupted. A first for me. After a second download and a successful md5sum check - the next attempt worked like a dream.

The wrong kind of chips on this dining table (according to me wife at least!!!) The farmhouse dining table and chairs gave it a Star Wars meets the Waltons feel.

And if you think I'm going to narrate my firewall configuration across the blogosphere you can, of course, forget it. There's plenty of time to comment on Smoothwall in later blog sessions after a healthy evaluation.

With the harmonious union of hardware and software witnessed in front of the creator, it was time to build them a house before the honeymoon could commence. In this world though, considering the economic climate, credit crunch and the high price of accommodation - it would have to be a humble dwelling.

If you've seen my first entry then you will have seen the 'Urban Myth' game box that I proposed to turn in to a case. How had I come to the conclusion that it would do the job? I tipped out the cards and checked to see if the mobo would fit inside. That was the scope of my groundwork! The last time I worked with metal was approx 22 years ago back in school when I made a two piece replica concorde. All I had at my disposal this time was a medium sized hand drill, a small pair of wire clippers and a pair of sturdy scissors - swiped from the kitchen. Before long I had made a few 'functional' modifications to the case.


Almost certainly after .. unless the event was subject to a time paradox. Look closely - two holes - as the actress said to the bishop.

Now the parts have to be fixed to the case. First off - the PicoPSU power supply. Do I fix it in a practical position - or somewhere stupid & impractical but slightly amusing?

That's what your face looks like when you have a PicoPSU wired in an impractical place. Suit your sir! oooh!

Almost in focus. I think the 'shiny behind' had a dazzling effect!

Funny (mildly) but in a space efficient environment - not very clever! Next - fasten the mobo to the case.

A bit wonkey but it fits and there is still hope to cram the rest of the bits in.

With the PSU wired in and the mobo fitted - all that was left was to slot in the hard drive (somewhere) and shut the thing together. I managed to squeeze the drive in to the lid without too much issue. Closing the case was about a third of the job though!! It turns out that I had set a world record for owning the worlds most inflexible SATA lead. Lucky for me I had a draw packed full of the things - every one of them at least twice as flexible as the one I had chosen earlier!

The professional job on the metal work had introduced a certain amount of fatigue to the structure. It closed well enough but the chicken in me compelled me to add a bit of tape to ensure integrity. And here it is - the final product. Ladies and gentlemen - may I present to you, the Urban Myth Smoothwall.

What tape?

Closing comments - it's alive!! It will probably need a bit of further refinement to secure the case in order to remove the tape. As for a 533mhz system with 256 MB of memory running smoothwall and squid - for home use it's bloody fantastic.

Tuesday, 2 September 2008

Part 1 - A firewall Valerie Singleton would be proud of ...

Double sided sticking tape (check) - loo roll (check) - old washing up liquid bottle (check) - dog named 'Shep' (check) .... OK, we're ready. Now you may need an adult to help you with this .......

Anyone who's discovered Linux will probably have gone through the same curve that I have. "What? An O/S for free?" - "I don't understand - why so many distributions!?" - "So most of the internet runs on this?" - "I just jab in apt-get and it ends up on my box?!". All this is great, but for me, the biggest thing about the GNU revolution has to be that it changes us from dumb consumers to controlling creators.

Let's say for example that you bought yourself a firewall router. You pimped your arse out all week for your pound or dollar - picked your make and model, only to find that it has poor firmware (that bricks your box), and some really cheap limitations that hinder the scope of its use. At least that was my most recent experience. What do you do? Buy another one in the hope you're not let down again? Or perhaps you make your own! Consumer or creator?

Frankly, I've gone through about five firewall routers in as many years and, cheap or pricey, I've not been entirely happy with any of them (fussy fussy). Combining a few years exposure to open source radiation with some rabid ebaying would surely be a recipie for success? The prospect was tempting and Linux being as versitile as it is, there were bound to be a multitude of distro's ready to take up residence on my hard drive.

OK, so if you're going to do this there is probably a right way and a wrong way. I imagine the right way to be a) Draw up a list of requirements - b) Pick the software that meets those requirements - c) Check the hardware compatibility list and then buy / build the kit. But I had read the propaganda and had bought into the mantra that told me that I could throw any old hardware together and come up with a solution. That suited me fine because it meant I could be guided by cost rather than need, safe in the knowledge that somehow it would work - right?

In terms of the hardware, I wanted small / low power / low cost.

Required hardware:

  • A case
  • A motherboard with at least two nics.
  • A small hard drive
  • Memory
  • Suitable PSU
  • Adapter

After a bit of poking around on e-bay I managed to find an integrated motherboard with two nics and a 533 Mhz VIA Mark processor for £30. Bargain. See for yourself:

The SATA controllers on the wafer-mark meant that I could make use of a spare Seagate 2.5" hard drive that I had recently hatched from it's external USB housing. Curiosity got the better of me on that one. Like a Kinder egg - I had to crack it open for the toy.

I decided that I wasn't going to spend more than £10 on memory and managed to get 256 MB of pc 133 for the price.

Finding a DC DC PSU and an adapter was a real pain in the backside - mainly because the whole thing was an education for me. I picked up a 12V 90W PicoPSU-90 brand new from (nothing cheap enough on ebay) which will provide much more power than I need. That was another £30 (ish). The 4 pin molex would provide the +5v but being an ATX PSU - it would need to be tricked by adding a home made jumper between a couple of the pins (read up and undertake at your own risk).

Back to ebay for the 12v 5a Adapter plus a 2.1mm to 2.5mm barrel adapter (needed to fit the power point on the PicoPSU). Another £15 ish.

So that's £85 I've forked out already even with the free hard drive. Being a tight arse and also bathing in the inspirational light of the mini-itx projects page I decided I would find something around the house to mod as a case. The prices for the tiny cases were just too much. After a great deal of hunting around in cupboards and head scratching, I found a card game called 'Urban Myth' that happened to be packaged in a handy mini-itx sized aluminium case.

Now for some pictures:

WAFER-MARK 533 - With a couple of juicy nics *drool*
Note the two USB ports over on the left side. Although only USB 1.1 - you need a way to deliver the O/S to the system. Trust me - telepathy isn't a great medium for transferring data to disk.

URBAN MYTH - The card game - and now the firewall !!!
Take a look at that mouth. It comes in handy later.

Kinder egg toy or hard drive? You decide!

Although the SATA cable appears to obscure the picture - the artists amongst us will know that it lies on the Golden Section and therefore is mathematically guaranteed to be a work of art.

Well - that's the hardware procured. Next - instalment - putting it all together.