Nasser Heidari


using ippools in ipf – Solaris 10

Filed under: freebsd,Miscellaneous — Nasser Heidari @ 10:31
Tags: , ,

Solaris@root ~ # cat /etc/ipf/ippool.conf

table role = ipf type = tree number = 5
{; };

# ip range for local network
table role = ipf type = tree number = 10
{;;; };

# ip range for XXX network
table role = ipf type = tree number = 12
{; };

Solaris@root ~ # cat /etc/ipf/ipf.conf

# Permit DNS Query

pass in quick on eri0 proto udp from pool/5 to port = 53 keep state

pass in quick on eri0 proto udp from pool/12 to port = 53 keep state

pass in quick on eri0 proto udp from pool/10 to port = 53 keep state


Rusty Russell’s Quick Guide To Packet Filtering

Filed under: Linux — Nasser Heidari @ 07:20

Most people just have a single connection to the Internet, and don’t want anyone coming back into their network, or the firewall:

# insmod ip_conntrack
# insmod ip_conntrack_ftp
# insmod iptables
# insmod ipt_state
# iptables -N block
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -A INPUT -j block
# iptables -A FORWARD -j block
# iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A block -m state --state NEW -i ! ppp0 -j ACCEPT



Filed under: Linux — Nasser Heidari @ 07:40

To print all packets arriving at or departing from sundown

# tcpdump host sundown

To print traffic between helios and either hot or ace:

# tcpdump host helios and \( hot or ace \)

To print all IP packets between ace and any host except helios:

# tcpdump ip host ace and not helios

To print all ftp traffic through internet gateway snup: (note that the expression is quoted to

prevent the shell from (mis-)interpreting the parentheses):

# tcpdump ‘gateway snup and (port ftp or ftp-data)’

To print traffic neither sourced from nor destined for local hosts (if you gateway to one other

net, this stuff should never make it onto your local net).

# tcpdump ip and not net localnet

To print the start and end packets (the SYN and FIN packets) of each TCP conversation that

involves a non-local host.

# tcpdump ‘tcp[13] & 3 != 0 and not src and dst net localnet’

To print IP packets longer than 576 bytes sent through gateway snup:

# tcpdump ‘gateway snup and ip[2:2] > 576’

To print IP broadcast or multicast packets that were not sent via ethernet broadcast or multicast:

# tcpdump ‘ether[0] & 1 = 0 and ip[16] >= 224’

To print all ICMP packets that are not echo requests/replies (i.e., not ping packets):

# tcpdump ‘icmp[0] != 8 and icmp[0] != 0″


Bind9 Views for DNS Zones

Filed under: Linux — Nasser Heidari @ 10:09


Bind 9 has the ability to answer queries from internal hosts with different responses than external hosts get. For example, lets say, that our internal network is, and our external DMZ is Access to things such as web services from the internet, are via NATs to internal servers. Lets also say, that our web server is, and that the NAT on the firewall is Internal users need to be able to look up this server as, and external people need to look it up as This can be accomplished with 2 totally seperate DNS servers, or, with a single Bind 9 server that serves views of the same zone.

So, lets start looking at the configuration of our DNS server. Bind 9, running on your favorite flavor of a Unix-like operating system, and we will set our DNS server’s IP address as Since we have only 1 DNS server, the firewall also forwards UDP port 53 to our DNS server, and we will be able to answer queries from the internet as well.

Now lets jump right into the Bind 9 configuration file, the named.conf. The top section might look like this:

The first line defines an ACL (access control list) for who a set of computers will be, and in this case, they will be called “internal”. For sanity, we also add the loopback address ( so that the DNS server will be able to answer itself when it asks. The ‘options’ section is pretty self explanitory, and are pretty much filled with the default options that came in the named.conf file, except the ‘listen-on’ line. It originally only had the loopback address, so we have to add the ip address of our DNS server, so that queries can be answered by other computers.

Next we have the beginning of our zone files configuration. These first 2 zones are the basis of Bind, and I’ve never seen a server that didnt come with them. These set up your cacheing DNS, and just the configuration above would allow your internal computers to find their way around the internet successfully. However, notice that instead of just starting with a standard ‘zone’ statement, we start with ‘view “internal”‘. This is what is going to give our DNS server the ability to say one thing to internal people, and another to external. Now, lets add a zone to our named.conf file.

Ok, now we have the same configuration file as before, but this time we have added a zone into the configuration. Pretty much the only thing that I do differently on a views type of configuration, is to name the zone files in such a way as to be able to tell by the file name, that the zone file is an internal or external. notice, that my zone file is called, with an i in the middle of the name.This is just what I use for my own designation, what ever way you want to designate your files is fine, the filename of the zone is purely cosmetic. Note that for the internal version of our zone, we have the line ‘allow-transfer’ set to any. This acceptable being that only hosts that match the internal ACL will be allowed to make a zone transfer.

Now we need a copy of the zonefile Here is what it might look like:

In the above eample, we have a basic zone file for internal use.

The third line that says ‘2006100701’ is the zones serial number, and it basically translates to year-month-day-revision’. This number is incremented each time you make a change, otherwise servers that are cacheing your domain will not recognize your changes (but if they see a newer zone serial number, they will update). This zone file also has one line for a NS record (to desginate the DNS servers for this domain), three A records (also known as ‘host records’), and one CNAME record (also known as an alias). The three A records specify the IP addresses of our DNS server, our Web server and another server called ‘internal’. I added this internal server to the example, because nearly all organizations have internal resources that are not accessable from the internet, and for all practical purposes, hosts on the internet dont even need to know about its existance. More on that, in a while.

Ok, now that we have internal DNS working, lets take a look at how we can get a copy of thise zone to the outside world, but have it use the correct public IP addresses, and do it all from the same server. Let’s go back to our named.conf file:

Now we have our external view. The ACL comes into play here, designating ‘any’. In this case, any query not matchine the first ACL will be serviced by this zone file. For sanity on external zone, recursion is not allowed, and transfers are not allowed. As before, notice the zone file has an e in the name, to designate that this is the external copy of the zone. From the beginning of this article, we said that our outside IP addresses are on the network, and that our firewall is going to NAT the IP addresses and to our DNS server and Web servers, respectively. So assuming all that is already in place, lets look at what our external zone file might look like:

Notice that this zone file is almost identical to the previous, save the IP addresses specified for hosts, and the omission of the host named ‘internal’. Remember, the ACL allows internal hosts to resolve ‘internal’ to That same ACL also forces any internet hosts to resolve only information in the external zone. If someone on the internet were to lookup the ip address ‘’, they would be returned with ‘host not found’.

So, in the end, the actual host names and their aliases are the same for both internal and external users. This allows road warriors to work more seemlessly, while at the same time, hosts that have no business “being public knowledge” (and are also not available through a NAT on thefirewall) are hidden from public view by our zone file.

Originally posted on :

Blog at