Thursday, November 15, 2007

Keep track of your ip / email

There are some things you might not want to block but just keep track of.
All the examples are HTTP proxy URL Path rules set to allow and log:

Your external ip:
*your_external_ip*

Your email domain:
*@your_domain.com*

China / Hong Kong / Russia:
*.cn*
*.hk*
*.ru*

Another idea would be to track your internal IPs with a regex rule, to see if bots are trying to report back to their C&C masters.
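An added example of what such a regex rule could look like (not from the original post): a pattern for the RFC 1918 private ranges, which is what "internal IPs" is assumed to mean here, run over a few constructed request paths to show which ones an allow-and-log rule would record and which look-alikes (dates, out-of-range octets) it leaves alone.

```python
import re

# Added example, not from the post. Assumption: "internal IPs" means the RFC 1918
# ranges; adjust the alternation if your LAN uses other space. The lookarounds
# stop "10.0.0.25" matching inside "10.0.0.256"; they are Python regex syntax,
# so check that the firewall's regex flavour accepts them before pasting.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
RFC1918_RE = re.compile(
    r"(?<!\d)(?:"
    r"10(?:\." + OCTET + r"){3}"                          # 10.0.0.0/8
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\." + OCTET + r"){2}"  # 172.16.0.0/12
    r"|192\.168(?:\." + OCTET + r"){2}"                   # 192.168.0.0/16
    r")(?!\d)"
)

def internal_ips_in(url_path):
    """Every RFC 1918 address found in a request path or query string."""
    return RFC1918_RE.findall(url_path)

def requests_to_log(paths):
    """Map each request path to the internal IPs it carries, keeping only the
    paths an 'allow and log' rule built on RFC1918_RE would record."""
    return {p: hits for p in paths if (hits := internal_ips_in(p))}

if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = [
        "/gate.php?ip=192.168.1.23&id=7",
        "/report?lan=172.16.5.200&wan=203.0.113.9",
        "/archive/10.5.2006.html",      # a date, not an address
        "/status?a=10.0.0.256",         # out-of-range octet
    ]
    for path, hits in requests_to_log(samples).items():
        print(f"LOG {path} -> {hits}")
```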

Tuesday, September 04, 2007

Spamhaus DROP (Don't Route Or Peer)

I came across this interesting Spamhaus DROP (Don't Route Or Peer) list.

Quote:
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

I added this to my 'Blocked Sites...'. You can do this too:

1. Download the list.
2. Remove everything except the netblocks and save the file as a text file.
3. Go to 'Intrusion prevention' --> 'Blocked Sites...' and click on 'Import...'
4. Select your saved file and save the new configuration to your firebox.
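Step 2 by script, as an added example that is not part of the post: it strips the comments and SBL references from a DROP-format download, validates each remaining entry as CIDR, and reports what changed against last month's copy. The sample text is constructed, and "one netblock per line" as the Blocked Sites import format is an assumption.

```python
import ipaddress
import sys

# Constructed sample in the DROP list's text layout (';' starts a comment, an
# entry is "netblock ; SBL reference"); not a real excerpt of the list.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample for this example)
; Last-Modified: Thu, 01 Jan 2000 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002
not-a-netblock ; SBL000003
203.0.113.0/24 ; SBL000004
"""

def extract_netblocks(text):
    """Step 2 of the post: keep only the netblocks. Comments and SBL references
    are dropped and anything that is not valid CIDR is skipped with a warning."""
    blocks = []
    for raw in text.splitlines():
        entry = raw.split(";", 1)[0].strip()
        if not entry:
            continue
        try:
            blocks.append(str(ipaddress.ip_network(entry, strict=True)))
        except ValueError:
            print(f"skipping unparsable line: {raw!r}", file=sys.stderr)
    return blocks

def changed_since(old_text, new_text):
    """(added, removed) netblocks between two snapshots; the list changes
    slowly, so the monthly re-import is normally a short diff to review."""
    old, new = set(extract_netblocks(old_text)), set(extract_netblocks(new_text))
    return sorted(new - old), sorted(old - new)

def write_import_file(text, path):
    """Assumption: 'Blocked Sites... > Import...' takes one netblock per line."""
    blocks = extract_netblocks(text)
    with open(path, "w") as fh:
        fh.write("\n".join(blocks) + "\n")
    return len(blocks)

if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DROP
    print(f"wrote {write_import_file(src, 'drop_netblocks.txt')} netblocks")
```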

You can do this every month because:

Quote:
The DROP list changes quite slowly.

Wednesday, June 13, 2007

Capra is moving to Sourceforge

To provide better support Capra is moving to Sourceforge.

The new URL is:
Capra @ Sourceforge

Please update your bookmarks.

Thursday, May 17, 2007

Capra v0.4

What is Capra:
Capra is an Open Source tool to quickly get some nice and useful reports out of your Watchguard Fireware log files.
Capra uses PHP and MySQL to accomplish this.

Features:
v0.4:
1. Web interface to import Fireware log files into the MySQL database. (Only imports FWDeny, ProxyHTTPReq, ProxyMatch and FWStatus messages.)
2. CLI (25% faster than the web interface) to import Fireware log files into the MySQL database. (Only imports FWDeny, ProxyHTTPReq, ProxyMatch and FWStatus messages.)
3. Reports:
Top x denied src IPs.
Top x denied dst IPs.
Top x denied src ports.
Top x denied dst ports.

Top x sites (total).
Top x sites (incoming).
Top x sites (outgoing).
Top x sites (connections).

Altavista search.
Altavista image search.
Altavista video search.
Altavista news search.
Google search.
Google images search.
Google video search.
Google groups search.
Google news search.
Msn search.
Msn images search.
Msn video search.
Msn news search.
Yahoo search.
Yahoo image search.
Yahoo video search.

Webblocker.
URL Paths.
IPs added to the Blocked Sites list.
User login/logout.
User login rejected.
4. User/IP filter.
5. Time filter for all the reports.
6. Delete page to delete 'old' data from the database.
7. Capra will remember which files you already imported into the database.
8. Result caching of some of the queries to speed things up.

Link to website:
http://www.placebo.demon.nl/capra/

Download:
capra-v0.4.zip

Screenshots:
import.png
importcli.png
report.fwdeny.png
report.fwdeny.top50ddp.png
report.fwdeny.443.png
report.proxyhttpreq.topsites.png
report.proxyhttpreq.topsites.user.png
report.proxyhttpreq.searchengine.png
report.proxymatch.webblocker.png
report.proxymatch.webblocker.games.png
report.proxymatch.urlpaths.png
report.proxymatch.urlpaths.class.png
report.fwstatus.png
report.fwstatus.userloginrejected.png
delete.png


Sunday, October 22, 2006

On hold...

As I am traveling through China-Tibet-Nepal-India for a year, this blog will be on hold. If you want to see the pictures of my trip:

https://degroep.org/beijingdelhi/photoalbum/photoalbum.php

Thursday, August 24, 2006

Webblocker & Surfcontrol 2

On 17-12-2005 I wrote about the link between Webblocker & Surfcontrol.
It seems that Watchguard now has its own page at Surfcontrol.

http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.asp

The categories you can select when you are submitting a site are exactly the same as on the Watchguard. How nice!

Sunday, July 23, 2006

Fireboxsupport.com

If you need help with the configuration of your Watchguard Fireware box you might want to take a look at:

http://www.fireboxsupport.com/fireware_pro.htm

They have some very detailed guides that will help you if you are setting up a box for the first time. They also have some Tips and Tricks. Very useful.

Thursday, June 15, 2006

URL Paths 2

From the comments of my original post about URL Paths:

<quote src="Jon Cavallo">
You can put *.com in the URL Paths. You need to enter it as '/*.com'

I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex url.
</quote>

You are totally right; this is a better way to implement extension blocking with URL Paths. Thanks.

Sunday, June 11, 2006

CLI

Did you know that Fireware also has a command line interface?
You can SSH to your box on port 4118.
You can log in with:
Username = admin
Password = your read-write password.

You can do all sorts of things from the command line.
I use it as a replacement for the 'Restart IPSec' function that was in WFS but not in fireware.

To clear individual BOVPN, MUVPN, or PPTP tunnels:
WG#no vpn-tunnel ipsec enter-ID-of-the-BOVPN-tunnel-here
WG#no vpn-tunnel muvpn enter-ID-of-the-MUVPN-tunnel-here
WG#no vpn-tunnel pptp enter-the-physical-IP-address-of-the-PPTP-client-here

To find out the ID of a tunnel:
WG#show vpn-tunnel ike-gateway
WG#show vpn-tunnel ipsec
WG#show vpn-tunnel muvpn
WG#show vpn-tunnel pptp

Very useful, but remember:
<quote src="Nathan Buff">
There is a CLI but the CLI creates configurations that are not compatible with the GUI-based Policy Manager. For this reason, the CLI is only supported when the Firebox is running in Common Criteria mode.
</quote>

Saturday, June 03, 2006

URL Paths

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is a list of extensions that I deny:

*.acf
*.ade
*.adp
*.ani
*.arj
*.bas
*.bat
*.cab
*.chm
*.class
*.cmd
*.clp
*.cpl
*.cur
*.dat
*.dcr
*.dif
*.fav
*.hhk
*.hhp
*.hlp
*.ht
*.hta
*.htt
*.htx
*.hqx
*.idc
*.inf
*.ins
*.isp
*.jar
*.jav
*.java
*.job
*.lnk
*.m3u
*.mad
*.maf
*.mam
*.maq
*.mar
*.mat
*.mcw
*.mda
*.mdb
*.mde
*.mdn
*.mdt
*.mdv
*.mdw
*.mht
*.mnd
*.mp3
*.mpc
*.msi
*.msp
*.mst
*.nws
*.odc
*.ofn
*.ogg
*.pbk
*.pcd
*.pif
*.pip
*.pls
*.pot
*.ppa
*.ppz
*.pwz
*.ra
*.ram
*.rar
*.rat
*.reg
*.rjs
*.rm
*.rmm
*.rmp
*.rmx
*.rpm
*.scf
*.scr
*.sct
*.shs
*.slk
*.smil
*.tar
*.url
*.vb
*.vbd
*.vbe
*.vbx
*.vxd
*.wab
*.wiz
*.wma
*.wsc
*.wsf
*.wsh
*.wsz
*.zip

Notice that the file extension *.com is missing. I hope you can guess why.
You can also use the URL Path function for some more advanced filtering. I use it to prevent my users from turning off safe search for Google image search.

Rule name: Google_images_Safe_Search_Off
Pattern match: images.google.*/*safe=off*
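An added example, not Fireware's own matcher, that serves this post and the URL Paths 2 comment together: a small simulator for '*' wildcard patterns that shows why '*.com' is left out of the list above, why the '/*.ext' form from the comment is safer, and how the Google safe-search rule fires. The matching semantics (pattern tested against host + path, '*' matches any run of characters, match allowed anywhere) are an assumption about the proxy, not documented behaviour.

```python
import re

# Added example, not Fireware's own matcher. Assumptions: a URL Path pattern is
# tested against host + path, '*' matches any run of characters, everything
# else is literal, and the pattern may match anywhere in that string.
def pattern_to_regex(pattern):
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")),
                      re.IGNORECASE)

def pattern_matches(pattern, host_and_path):
    return pattern_to_regex(pattern).search(host_and_path) is not None

# Deny rules: a few of the post's extensions written with the '/*.ext'
# convention from the comment, plus the Google image safe-search rule.
DENY_PATTERNS = ["/*.acf", "/*.bat", "/*.scr", "/*.zip",
                 "images.google.*/*safe=off*"]

def first_deny_match(host_and_path, patterns=DENY_PATTERNS):
    """The first deny pattern that matches, or None if the request is allowed."""
    for p in patterns:
        if pattern_matches(p, host_and_path):
            return p
    return None

if __name__ == "__main__":
    # Constructed sample requests (host + path), not real traffic.
    for req in ["www.example.com/index.html",
                "www.example.com/tools/setup.bat",
                "cdn.example.net/archive.zip?token=abc",
                "images.google.com/images?q=cats&safe=off"]:
        print(f"{req} -> {first_deny_match(req) or 'allow'}")
    # Why '*.com' is missing from the list: unanchored, it hits every .com host,
    # while '/*.com' only matches a .com somewhere in the path.
    for pat in ["*.com", "/*.com"]:
        print(pat, pattern_matches(pat, "www.example.com/index.html"),
              pattern_matches(pat, "www.example.com/download/installer.com"))
```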