Monthly Archives

December 2007

Uncategorized

Grand Cayman

December 29, 2007

We visited Grand Cayman in April of 2005, approximately 8 months after Hurricane Ivan terrorized the island in the fall of 2004. Below are some of the photos that show the massive destruction Ivan left behind.

There are whole neighborhoods of very expensive homes that were just wiped out. As you can see, there are rooms with walls completely missing. Talking with the locals, a lot of folks just decided never to come back and renovate.


Fear not, there is plenty of beauty left in this Caribbean paradise.


Accessing Services behind packet filtered firewall

December 28, 2007

This article details the workaround I use to clear several technical hurdles in building a firewall/Snort setup for my home network. The goal was to use a firewall based on Linux or BSD that was "appliance" in nature and did not demand a lot of brain power; I would rather spend that power on other problems.

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation.

Problem #1: On DSL with PPPoE, I needed a way to deploy Snort on the "naked" internet side, so it sees traffic before the firewall ruleset touches it, without having to dissect PPPoE-encapsulated frames.
Problem #2: I needed a firewall with a minimum of three interfaces: WAN, LAN and DMZ.
Problem #3: I wanted to host a web server in the DMZ and reach it from the LAN using its public URL (see Packet Filter Problem below). This problem shows up with a variety of firewalls on varying platforms.

The solution involves a kludge, but it works and satisfies the requirements above. To solve Problem #1, I deployed a Linksys router to handle the PPPoE negotiation. Set the Linksys to gateway mode, turn off its DHCP server and assign one host (your firewall) as the DMZ host (Linksys terminology). In essence this turns the Linksys into a PPPoE-to-Ethernet "bridge": it still performs NAT, but every unsolicited inbound packet is forwarded to the DMZ host instead of being dropped at the Linksys.

The host you configure as the Linksys DMZ host should be the WAN interface of the firewall; in this case I chose to run m0n0wall (Problem #2 solved). Configure m0n0wall's WAN interface as static, for example 192.168.0.2, and set the LAN interface on the Linksys to 192.168.0.1, so you now have a private network between the Linksys and the external WAN interface of the firewall.

With this "private LAN" between the Linksys and your firewall, the firewall now sees all traffic from the "internet". If you put a HUB between the Linksys and the firewall, you can give Snort a port on it and it will see all traffic outside the firewall. It must be a real repeating hub, not a small switch sold as one: a switch only delivers each frame to its destination port. Note that the Linksys has already applied NAT at this point, so Snort sees inbound packets with their destination rewritten to 192.168.0.2, while source addresses and ports are untouched. This configuration is good for building a honeypot architecture. NOTE: you could skip the hub and use an Ethernet tap for Snort to achieve the same functionality.

A little more about why I did this. For the inbound NAT and firewall rules to process a request (and hence for you to surf your own website via its URL), the packet must arrive on the WAN interface as if from outside the firewall. With the Linksys upstream, a LAN request for the public address is forced out to the Linksys, which turns it back around onto the same segment, so it comes back in through m0n0wall's WAN interface looking as if the request actually came from outside the network.

Continue with the rest of the configuration:

Now connect the LAN interface (192.168.1.0/24) to a small HUB and cascade that HUB to a switch, where all of your servers are connected. This lets you plug Snort into the LAN side on the HUB as well and see all of the traffic inside the firewall, which is good for verifying that rulesets behave as expected. (Again, an Ethernet tap will do instead of the hub.)

Solving Problem #3: configure the DMZ interface on m0n0wall (192.168.2.0/24) and set up your web server there. If you do not have a static IP, I recommend DNSexit's dynamic DNS service to register your current IP in DNS so the rest of the world can reach your website, send you email or whatever.

Configure m0n0wall with an inbound NAT rule that forwards TCP port 80 to your DMZ web server (and make sure the matching WAN firewall rule exists) and you should be in business. If you also put a hub on the DMZ segment, you can use Snort to watch raw traffic at each point on your network and even capture the packets that script kiddies and robots throw at your website.
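Once both sensors are in place, the check a practitioner actually wants is whether the flows Snort saw outside also show up inside, and whether any of them should not have. The following is an added example, not code from the original post or from m0n0wall or Snort: it parses Snort "fast" alert lines from the outside sensor (on the hub in front of the m0n0wall WAN, 192.168.0.2) and the inside sensor (on the DMZ hub) and classifies every inbound flow against the intended policy of "only TCP/80 to the web server". The DMZ server address 192.168.2.10, the local rule SIDs and every alert line are constructed for this example; the flow key deliberately ignores the destination address because inbound NAT rewrites it on the way in.

```python
import re

# Constructed sample alerts in Snort "fast" output format (not from the page).
# OUTSIDE sensor: hub between the Linksys and the m0n0wall WAN (192.168.0.2).
OUTSIDE_ALERTS = """\
12/28-09:02:11.104552  [**] [1:1000001:1] LOCAL inbound SSH attempt [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.168.0.2:22
12/28-09:02:12.330017  [**] [1:1000002:1] LOCAL inbound HTTP request [**] [Priority: 3] {TCP} 198.51.100.9:40010 -> 192.168.0.2:80
12/28-09:03:40.001234  [**] [1:1000003:1] LOCAL inbound SMB probe [**] [Priority: 2] {TCP} 203.0.113.45:51300 -> 192.168.0.2:445
12/28-09:04:00.500000  [**] [1:1000004:1] LOCAL inbound ICMP ping [**] [Priority: 3] {ICMP} 203.0.113.45 -> 192.168.0.2
"""
# INSIDE sensor: hub on the DMZ segment, in front of the hypothetical web
# server 192.168.2.10. Inbound NAT has rewritten the destination address.
INSIDE_ALERTS = """\
12/28-09:02:12.331000  [**] [1:1000002:1] LOCAL inbound HTTP request [**] [Priority: 3] {TCP} 198.51.100.9:40010 -> 192.168.2.10:80
12/28-09:03:40.002000  [**] [1:1000003:1] LOCAL inbound SMB probe [**] [Priority: 2] {TCP} 203.0.113.45:51300 -> 192.168.2.10:445
"""

# timestamp  [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = _ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["sid"] = int(a["sid"])
        # ICMP alerts carry no ports, so these stay None.
        a["sport"] = int(a["sport"]) if a["sport"] else None
        a["dport"] = int(a["dport"]) if a["dport"] else None
        alerts.append(a)
    return alerts


def flow_key(alert):
    """Identify a flow by what inbound NAT leaves alone: protocol, source addr/port, destination port."""
    return (alert["proto"], alert["src"], alert["sport"], alert["dport"])


def audit_ruleset(outside_text, inside_text, allowed_tcp_ports):
    """Classify each flow the outside sensor alerted on.

    passed : seen inside and permitted by policy (expected)
    blocked: seen only outside and not permitted (expected)
    leaked : seen inside although policy does not permit it (ruleset failure)
    missing: permitted but never seen inside (NAT or firewall rule problem)
    """
    outside = {flow_key(a): a for a in parse_fast_alerts(outside_text)}
    inside = {flow_key(a) for a in parse_fast_alerts(inside_text)}
    result = {"passed": [], "blocked": [], "leaked": [], "missing": []}
    for key, a in outside.items():
        permitted = a["proto"] == "TCP" and a["dport"] in allowed_tcp_ports
        if key in inside:
            result["passed" if permitted else "leaked"].append(key)
        else:
            result["missing" if permitted else "blocked"].append(key)
    return result


if __name__ == "__main__":
    report = audit_ruleset(OUTSIDE_ALERTS, INSIDE_ALERTS, allowed_tcp_ports={80})
    for kind, flows in report.items():
        for proto, src, sport, dport in flows:
            print(f"{kind:8s} {proto} {src}:{sport} -> port {dport}")
```

With the constructed data the SMB probe on TCP/445 is reported as leaked, which is exactly the case the inside sensor exists to catch. For real use, read the two sensors' alert files into the two strings; matching on the source port works because inbound NAT preserves it, but the two sensors' clocks are not used for matching, so they need not be synchronized.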

If there is sufficient interest I would be happy to post a simple drawing of this setup and maybe some screenshots of the m0n0wall and Linksys configs. I would appreciate your feedback on whether this was helpful or just a waste of typing.

email: paul dot pescitelli at gmail dot com


Packet Filter Problem:
Taken from the m0n0wall FAQ – http://doc.m0n0.ch/handbook-single/#id2610631

It is not possible to access NATed services using the public (WAN) IP address from within LAN (or an optional network). Example: you’ve got a server in your LAN behind m0n0wall and added a NAT/filter rule to allow external access to its HTTP port. While you can access it just fine from the Internet, you cannot access http://your-external-ip/ from within your LAN.

Reason. This is due to a limitation in ipfilter/ipnat (which are used in m0n0wall). Read the ipfilter FAQ for details. m0n0wall does not (and probably will not) include a “bounce” utility.

A Solution for m0n0wall: If you use m0n0wall’s built-in DNS forwarder for your LAN clients, you can add one or more overrides so that they will get the internal (LAN) IP address of your server instead of the external one, while external clients still get the real/public IP address. Note: This will only work if you use m0n0wall as the primary DNS server on your LAN hosts. If you use another DNS server, you need to use its functionality to resolve that host to the appropriate private IP. See your DNS server documentation for more information.


Using mini_httpd with PHP on OpenBSD

December 28, 2007

This article details the steps I used to get mini_httpd working with PHP on OpenBSD 3.8. Getting mini_httpd running is trivial: compile and go. Getting it working with PHP is, on the surface, not really difficult either; the challenge is getting the POST variables passed between mini_httpd and PHP.

Initially I spent a couple of days trying to get mini_httpd to work with PHP on OpenBSD 3.8 using the PHP build from the ports tree, and it just was not working. The fix required two things.

First: patch mini_httpd 1.19 as described by Ben Hochstrasser (see his article).

Second: build PHP 4.3.x as a CGI binary with the following command:

./configure --prefix=/usr --sysconfdir=/etc --with-config-file-path=/etc \
    --disable-force-cgi-redirect --without-mysql \
    --with-zlib --disable-cli --enable-discard-path --enable-debug --enable-ftp --without-pear

Two of those flags matter for a non-Apache server: --enable-discard-path is what lets the CGI binary live outside the web tree and be invoked through a #! line, and --disable-force-cgi-redirect is needed because the redirect check looks for the REDIRECT_STATUS variable that only Apache sets.

This solved the problem of passing the POST variables from mini_httpd to PHP. The catch to this method is that every .php file must begin with #!/usr/bin/php (the CGI binary built above) and carry the execute bit, because mini_httpd execs the script directly; the PHP binary itself stays outside the document root. To start mini_httpd, change into the directory containing the PHP files and use the following syntax:

/usr/local/sbin/mini_httpd -p 80 -c "**.php" -l /var/log/httpd.log

The -c pattern tells mini_httpd to run every file ending in .php anywhere under the document root as a CGI program, so make sure nothing can write .php files into that tree. When started as root, mini_httpd drops to the nobody user after binding port 80; use -u to choose a different one.
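When POST data still does not arrive, it helps to look at the problem from the script's side: a CGI program receives the request body on stdin and learns its size from the CONTENT_LENGTH environment variable, and PHP's $_POST is empty whenever the server gets that contract wrong. The following diagnostic is an added example, not code from the original post, from mini_httpd or from PHP; it is written in Python rather than PHP so the same checks run offline from a terminal. Dropped into the document root under a hypothetical name such as postcheck.py (with mini_httpd's -c pattern widened to match it and the execute bit set), it prints what the server handed over; run from a terminal it replays two constructed requests, one correct and one with CONTENT_LENGTH missing.

```python
#!/usr/bin/env python3
"""CGI POST diagnostic. Added example; all form data and environments below are constructed."""
import io
import os
import sys
from urllib.parse import parse_qs


def read_post_body(environ, stdin):
    """Read the request body as CGI/1.1 requires: exactly CONTENT_LENGTH bytes from stdin.

    Returns (body, problems). A server that omits CONTENT_LENGTH, or writes
    fewer bytes than it announced, is the classic cause of an empty $_POST.
    """
    problems = []
    if environ.get("REQUEST_METHOD") != "POST":
        return b"", problems
    length = environ.get("CONTENT_LENGTH", "")
    if not length.isdigit():
        problems.append("CONTENT_LENGTH missing or not numeric")
        return b"", problems
    expected = int(length)
    body = stdin.read(expected)
    if len(body) != expected:
        problems.append(f"short body: announced {expected} bytes, got {len(body)}")
    ctype = environ.get("CONTENT_TYPE", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        problems.append(f"unexpected CONTENT_TYPE {ctype!r}")
    return body, problems


def post_vars(environ, stdin):
    """Return ({field: [values]}, problems) for a form POST, the shape PHP's $_POST would take."""
    body, problems = read_post_body(environ, stdin)
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True) if body else {}
    return fields, problems


def check_post(environ, raw_body):
    """Offline helper: feed a constructed body instead of the real stdin."""
    return post_vars(environ, io.BytesIO(raw_body))


def cgi_main():
    """Running under the web server: dump what arrived as a text/plain response."""
    fields, problems = post_vars(os.environ, sys.stdin.buffer)
    lines = [f"{k}={os.environ.get(k, '')}" for k in ("REQUEST_METHOD", "CONTENT_TYPE", "CONTENT_LENGTH")]
    lines += [f"field {k}={v}" for k, v in sorted(fields.items())]
    lines += [f"problem: {p}" for p in problems]
    sys.stdout.write("Content-Type: text/plain\r\n\r\n" + "\n".join(lines) + "\n")


def self_test():
    """Run from a terminal: replay a correct request and a broken one (constructed data)."""
    form = b"name=paul&ok=yes"  # 16 bytes
    good = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(form))}
    broken = {"REQUEST_METHOD": "POST", "CONTENT_TYPE": "application/x-www-form-urlencoded"}
    for label, env in (("correct server", good), ("no CONTENT_LENGTH", broken)):
        fields, problems = check_post(env, form)
        print(f"{label}: fields={fields} problems={problems}")


if __name__ == "__main__":
    # GATEWAY_INTERFACE is set by any CGI/1.1 server, mini_httpd included.
    cgi_main() if os.environ.get("GATEWAY_INTERFACE") else self_test()
```

If the page served by the web server lists the fields but your PHP script does not, the server side is fine and the PHP build is at fault; if the page shows "CONTENT_LENGTH missing" or a short body, the server is not honouring the CGI contract and no PHP build will fix it. The same rule about the interpreter applies here as to PHP: keep the Python binary outside the document root, since the -c pattern turns anything matching it into executable content.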

While this solution is somewhat specific to my needs I hope you will find it useful and can adapt part or all of it for your own situation. Many thanks to Ben Hochstrasser for his assistance in debugging the setup.

email: paul dot pescitelli at gmail dot com


K4UJ Amateur Radio Resume

December 27, 2007

April 2007 – Scarborough Reef DXpedition (BS7H).


November 2006 – CQWW CW 160 SOSB/LP – Unofficial 3rd place.

April 2006 – Appointed as official member of the ARRL HSMM Working Group.

October 2005 – Led the 160M effort at NQ4I CQWW-SSB

October 2005 – Gwinnett ARES AEC for Technology

September 2005 – Hurricane Katrina Announcement

August 2005 – PJ7 announcement. See the PJ7 Summary

April 2005 – ZF2UJ announcement. See the ZF2UJ Summary

March 2005 – Captain of the 160M effort at NQ4I WPX-SSB

1998/1999 – In the late summer of 1998 after much research and lobbying our group was rewarded with the appropriate credentials to activate KP5 (Desecheo Island). Within a month of our departure date the permit was rescinded. I will leave the details of why it was rescinded to your imagination for now.

December 1997 – K4WA and I activated WP2Z on the island of St. Croix for the 10M contest. We placed first in the Caribbean and 4th in the world.


1997-1999 – Operated the K4UJ DX packet cluster, primary connection via the internet, but also provided 144 MHz 1200-baud packet, 440 MHz 9600-baud packet as well as a 56K RF connection to the East Atlanta RF LAN backbone.


January 1997 – Activated K4UJ/KP4 for the CQ 160 Meter Contest. The TX antenna was a dipole strung between two hills, and an impromptu receive loop was crafted at 3am to help reduce QRN.


July 1996 – Activated IOTA NA-0076. It was during this contest that we learned of the bombing at Olympic Park in Atlanta.


1996-1997 – Vice President, Southeastern DX Club.


1995-1997 – Membership Chairman, Southeastern DX Club.


1995 – Introduction to contesting, TopBand style. CQ160 – it was at the QTH of W8BLA that he and K2UFT got me hooked on contesting.



Certifications:
ARRL EC-01 Level 1 Amateur Radio Emergency Communications
FEMA IS-100 Introduction to Incident Command System
FEMA IS-700 National Incident Management System



Awards:
1996 ARRL Int’l DX Contest – 1st Place Single Op Georgia
1996 CQWW 160 DX Contest – 1st Place Single Op Low Power Georgia
1997 ARRL 10M Contest – WP2Z – 4th Place World


K4UJ Packet Cluster Node

December 27, 2007

K4UJ DX Cluster

Back in the late 90’s I ran the AK1A packet cluster software, front-ended with Linux, to provide worldwide AX.25 and local 56K, 9.6K and 2.4K packet access. Changing QTHs forced me to take that node down.

Now I am in a location where I can play amateur radio again and have renewed interest in running a cluster. Being a Unix/Linux fan since the early 90’s, I chose to run the DX-Spider software.

You can access the DX cluster in a variety of ways via the internet. For telnet access, we recommend that you either configure your logging program to login, or use PuTTYtel, a better telnet client than the one that ships with Windows.

  • Telnet to cluster.dx-is.org port 7300.
  • Web page with 30 second updates and band-only selection.
  • Via your WAP enabled phone.
  • Web access via a Java console.

Sorry, there is NO RF connectivity at this time, but if you are close enough I could get you connected via WiFi link 😉

Features

There are many features that are not found on other cluster systems. I have listed a few of them below for you to experiment with:

  • sh/qrz <callsign> – performs a QRZ.com lookup for the given callsign.
  • sh/mydx – show DX run through your spot filter.
  • sh/dx state in:oh – show DX in US state IN or OH.
  • sh/dx by_state in:oh – show DX spotted in US state IN or OH.
  • sh/dx by_zone 4,5,6 – show DX spotted in CQ zones 4, 5 and 6.


Welcome

December 27, 2007

In order to blend a couple of my hobbies, I decided to start two blogs…

MostTraveledDXer (operating amateur radio in foreign sometimes remote places)
MostTraveledPhotographer (the photo essay part of the trip)

Combining the two, I should have plenty of stories and pictures to tell those stories with. Obviously one will be amateur radio centric and the other will focus on photography.

So the title may be a bit misleading at this point, but hey, you gotta have a few goals in life or you just wander around.

Paul
