Wednesday 16 July 2008

Cisco Pix 501 NAT Configuration

After installing a Cisco Pix 501 on an ADSL connection I had great problems getting NAT to work so I could allow incoming connections to certain servers inside the network.

I was using PDM to configure the firewall and this appears to be the problem. Eventually after some research I managed to configure NAT using the command line interface.

static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq 25
access-group outside_in in interface outside

PDM does not appear to add the last line (or at least I can't find a way of doing it), and you end up with SYN errors in the firewall log.

Once it's configured you can use PDM to add more rules as you wish and the access group outside_in is preserved. You need to configure the translation rule first and then the access rule. The easiest way is to copy and paste the rules created above using PDM.

If you wish to restrict outside access to certain servers, simply replace 'any' with the IP address and subnet mask.
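Added example, not the post's own configuration or a Cisco tool: a Python check over a constructed PIX 6.3 fragment that flags the exact gap described above (an access-list that is defined but never bound with access-group), lists which ports the statics expose, and covers the last tip by reporting permit entries that still use 'any' as the source.

```python
import re

# Constructed PIX 6.3 fragments, not copied from a live device. The first has the
# translation and the access-list but no access-group binding, which is the
# state the post describes after configuring NAT through PDM.
PIX_CONFIG_MISSING_BINDING = """\
static (inside,outside) tcp interface 25 192.168.10.2 25 netmask 255.255.255.255 0 0
access-list outside_in permit tcp any interface outside eq 25
"""
PIX_CONFIG_COMPLETE = PIX_CONFIG_MISSING_BINDING + (
    "access-group outside_in in interface outside\n"
)

# name, action, protocol, source
ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(\S+)\s+(\S+)")
GROUP_RE = re.compile(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)")
STATIC_RE = re.compile(
    r"^static\s+\((\S+),(\S+)\)\s+(tcp|udp)\s+interface\s+(\d+)\s+(\S+)\s+(\d+)"
)


def _lines(config):
    return [line.strip() for line in config.splitlines()]


def find_unbound_acls(config):
    """Names of access-lists that are defined but never applied with access-group.

    An unbound ACL is the PDM symptom in the post: the static exists, the permit
    line exists, but nothing on the outside interface lets the SYN through.
    """
    defined, bound = [], set()
    for line in _lines(config):
        acl = ACL_RE.match(line)
        if acl and acl.group(1) not in defined:
            defined.append(acl.group(1))
        grp = GROUP_RE.match(line)
        if grp:
            bound.add(grp.group(1))
    return [name for name in defined if name not in bound]


def port_forwards(config):
    """(proto, outside_port, inside_host, inside_port) for each interface static."""
    return [(m.group(3), int(m.group(4)), m.group(5), int(m.group(6)))
            for m in map(STATIC_RE.match, _lines(config)) if m]


def any_source_permits(config):
    """ACL names with permit entries open to 'any' source; restrict these where possible."""
    return sorted({m.group(1) for m in map(ACL_RE.match, _lines(config))
                   if m and m.group(2) == "permit" and m.group(4) == "any"})
```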

Monday 14 July 2008

Configure PPTP VPN through Cisco Pix 501 Firewall

I recently added a Pix 501 to my ADSL connection and all my outbound PPTP VPN connections from my Windows XP PC stopped working.

I eventually worked out how to re-enable them.

On the Pix 501 just enable PPTP fixup on port 1723.

All works!

Monday 14 April 2008

Configure MailScanner to skip checking local mail

Every day our system creates thousands of mails that we send to customers, and we keep a BCC so we can prove we have sent the email. It's pointless for MailScanner to check these emails for viruses and spam.

On checking the MailScanner configuration files I found it was very simple.

Simply edit MailScanner.conf and then change

Scan Messages = yes

to read

Scan Messages = %rules-dir%/scan.messages.rules

Then create scan.messages.rules in your rules directory and add your rules, like the following example:

From: /^192\.168\.12\./ no
FromOrTo: default yes

This means that any message from 192.168.12.* will not be checked; everything else falls through to the default rule and is scanned.

After that simply restart MailScanner, send some test messages and check the mail headers to confirm that internal messages are no longer scanned and external messages are still scanned.

For more information on rules see the EXAMPLES or README file in the rules directory.
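Added example, not part of the original post: a Python evaluator for a ruleset of this shape, assuming (as the post's own IP-prefix regex implies) that From: rules are matched against both the sender address and the SMTP client IP, that the first matching line wins, and that 'default' is the catch-all. The helper names are assumptions.

```python
import re

# Constructed ruleset, identical in shape to the post's example.
SCAN_MESSAGES_RULES = r"""
From: /^192\.168\.12\./ no
FromOrTo: default yes
"""


def parse_rules(text):
    """Parse 'Direction: pattern value' lines into (direction, matcher, scan?) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        direction, pattern, value = line.split(None, 2)
        direction = direction.rstrip(":").lower()
        if pattern == "default":
            matcher = lambda s: True            # catch-all, should be the last line
        elif pattern.startswith("/") and pattern.endswith("/"):
            matcher = re.compile(pattern[1:-1]).search   # /regex/ form
        else:
            # Plain address or IP: exact, case-insensitive comparison (simplified model).
            matcher = lambda s, p=pattern.lower(): s.lower() == p
        rules.append((direction, matcher, value.strip().lower() == "yes"))
    return rules


def should_scan(rules, sender, client_ip, recipients):
    """First matching rule decides; if nothing matches, scan (the safe default)."""
    for direction, matcher, scan in rules:
        if direction == "from":
            candidates = [sender, client_ip]
        elif direction == "to":
            candidates = list(recipients)
        elif direction == "fromorto":
            candidates = [sender, client_ip, *recipients]
        else:
            continue
        if any(matcher(c) for c in candidates if c):
            return scan
    return True
```

Note that the regex is anchored and the dots escaped: 192.168.120.x does not match the rule and is still scanned.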

Wednesday 19 March 2008

How to configure yum to use a particular mirror

So you have an out-of-date version of Fedora installed but you still want to make sure it's as up to date as possible, and Red Hat (and many others) have removed the repositories. If you can find an old mirror, http://fedora.mirror.facebook.com/ for instance, then you should be able to run up2date and use yum to install software.

First however you need to tell yum to look at the mirror you have found and not rely on download.fedora.redhat.com.

Go to the /etc/yum.repos.d directory.

Here you will find the definitions of the repositories. On Fedora Core 4 I commented out the mirrorlist option and added in my own values for baseurl.

$ cat fedora.repo

[base]
name=Fedora Core $releasever - $basearch - Base
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/$releasever/$basearch/os/
baseurl=http://fedora.mirror.facebook.com/linux/core/$releasever/$basearch/os/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

$ cat fedora-updates.repo

[updates-released]
name=Fedora Core $releasever - $basearch - Released Updates
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/core/updates/$releasever/$basearch/
baseurl=http://fedora.mirror.facebook.com/linux/core/updates/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/updates-released-fc$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora

$ cat fedora-extras.repo

[extras]
name=Fedora Extras $releasever - $basearch
#baseurl=http://download.fedora.redhat.com/pub/fedora/linux/extras/$releasever/$basearch/
baseurl=http://fedora.mirror.facebook.com/linux/extras/$releasever/$basearch/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-extras-$releasever
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-extras
gpgcheck=1

Now you can happily use up2date and yum.

Clearly the system is still out of date and a newer version of Fedora would be better, but at least you can get it to the latest update and install software as required.
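Added example, not from the post: a Python audit of a constructed .repo file in the shape above. Pointing baseurl at an unofficial mirror is only safe while gpgcheck=1 and a gpgkey stay in place, so packages are still verified against the Fedora key; the check also confirms the old mirrorlist is really commented out. The function name is an assumption.

```python
import configparser
from io import StringIO

# Constructed .repo contents in the shape the post arrives at: mirrorlist
# commented out, baseurl pointing at the third-party mirror, signing checks on.
FEDORA_REPO = """\
[base]
name=Fedora Core $releasever - $basearch - Base
baseurl=http://fedora.mirror.facebook.com/linux/core/$releasever/$basearch/os/
#mirrorlist=http://fedora.redhat.com/download/mirrors/fedora-core-$releasever
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora
"""


def audit_repo(text):
    """Map each enabled section to the problems that would make a mirror swap unsafe."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_file(StringIO(text))
    findings = {}
    for name in cp.sections():
        sec = cp[name]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repo: nothing is fetched from it
        problems = []
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: packages from the mirror install unverified")
        if not sec.get("gpgkey", "").strip():
            problems.append("gpgkey is empty: signatures cannot be checked")
        if sec.get("mirrorlist", "").strip():
            problems.append("mirrorlist is still active: the post comments it out in favour of baseurl")
        if not sec.get("baseurl", "").strip():
            problems.append("baseurl is empty: no mirror configured")
        if problems:
            findings[name] = problems
    return findings
```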

If you come across an issue where yum FC4 is looking in FC3 directories then do the following:-

$ cd /usr/share/rhn/up2date_client

$ vi sourcesConfig.py

and comment out the releasever="3" line below #FIXME:0

Wednesday 5 March 2008

Content-Type application/pdf does not work using Firefox on Mac

Today we had a customer complain that they could not open our invoices, which are PDFs produced via a CGI script.

It quickly became apparent that it only happens in Firefox on a Mac. Firefox on other platforms has no issues, nor does Safari on a Mac.

A quick Google search uncovered this known bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=416094

It appears Firefox on Mac ignores the Content-Type header and will only automatically open a PDF when presented with a .pdf file extension.

I managed to 'solve' the problem by adding the following HTTP header to the output.

Content-Disposition: inline; filename="invoice.pdf"

This just tells the browser the default file name and thus gets round the issue. It still works in IE and Firefox on a PC and fixes the issue on a Mac.
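Added example, not the author's CGI script: Python helpers that emit the two headers from this post, with the file name sanitised so a value taken from a request cannot inject CR/LF into the response or break out of the quoted filename. The names safe_filename, pdf_headers and render_cgi_headers are assumptions.

```python
import re


def safe_filename(name, fallback="download.pdf"):
    """Reduce an untrusted file name to something safe inside a quoted header value."""
    # Keep only the last path component, then drop CR/LF (header injection) and
    # double quotes (would terminate the quoted filename parameter).
    base = name.replace("\\", "/").split("/")[-1]
    base = re.sub(r'[\r\n"]', "", base)
    # Anything else outside a conservative character set becomes an underscore.
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip("._") or fallback
    if not base.lower().endswith(".pdf"):
        base += ".pdf"  # the extension is what Firefox on Mac keys on
    return base


def pdf_headers(filename):
    """Headers a CGI script emits before the PDF body: type plus the inline filename."""
    return [
        ("Content-Type", "application/pdf"),
        ("Content-Disposition", 'inline; filename="%s"' % safe_filename(filename)),
    ]


def render_cgi_headers(headers):
    """Serialise headers in CGI form: one per line, blank line terminates the block."""
    return "".join("%s: %s\r\n" % (k, v) for k, v in headers) + "\r\n"
```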