Keep track of your ip / email

There are some things you might not want to block but just keep track of.
All the examples are HTTP proxy URL Path rules set to allow and log:

Your external ip:
*your_external_ip*

Your email domain:
*@your_domain.com*

China / Hong Kong / Russia:
*.cn*
*.hk*
*.ru*

Another idea would be to track you internal ip's with a regexe rule. To see if bot's are trying to report back to there C&C masters.

Spamhaus DROP (Don't Route Or Peer)

I came across this interesting Spamhaus DROP (Don't Route Or Peer) list.

Quote:
When implemented at a network or ISP's 'core routers', DROP will protect all the network's users from spamming, scanning, harvesting and dDoS attacks originating on rogue netblocks.

I added this to my 'Blocked Sites...'. You can do this to:

1. Download the list.
2. Remove everything except the netblocks and save the file as a text file.
3. Go to 'Intrusion prevention' --> 'Blocked Sites...' and click on 'Import...'
4. Select your saved file and save the new configuration to your firebox.

You can do this every month because:

Quote:
The DROP list changes quite slowly.

Capra is moving to Sourceforge

To provide better support Capra is moving to Sourceforge.

The new URL is:
Capra @ Sourceforge

Please update your bookmarks.

Capra v0.4

What is Capra:
Capra is a Open Source tool to quickly get some nice and useful reports out off your Watchguard Fireware log files.
Capra uses PHP and MySQL to accomplish this.

Features:
v0.4:
1. Web interface to import Fireware log files in to the MySQL database. (Only imports FWDeny, ProxyHTTPReq, ProxyMatch and FWStatus messages.)
2. CLI (25% faster then web interface) to import Fireware log files in to the MySQL database. (Only imports FWDeny, ProxyHTTPReq, ProxyMatch and FWStatus messages.)
3. Reports:
Top x denied src IP's.
Top x denied dst IP's.
Top x denied src ports.
Top x denied dst ports.

Top x site's (total).
Top x site's (incomming).
Top x site's (outgoing).
Top x site's (connections).

Altavista search.
Altavista image search.
Altavista video search.
Altavista news search.
Google search.
Google images search.
Google video search.
Google groups search.
Google news search.
Msn search.
Msn images search.
Msn video search.
Msn news search.
Yahoo search.
Yahoo image search.
Yahoo video search.

Webblocker.
URL Paths.
IP's added to Blocked site list.
User login/logout.
User login rejected.
4. User/IP filter.
5. Time filter for all the reports.
6. Delete page to delete 'old' data from the database.
7. Capra will remember which files you already imported into the database.
8. Result caching of some of the query's to speed things up.

link to website:
http://www.placebo.demon.nl/capra/

Download:
capra-v0.4.zip

Sreenshots:
import.png
importcli.png
report.fwdeny.png
report.fwdeny.top50ddp.png
report.fwdeny.443.png
report.proxyhttpreq.topsites.png
report.proxyhttpreq.topsites.user.png
report.proxyhttpreq.searchengine.png
report.proxymatch.webblocker.png
report.proxymatch.webblocker.games.png
report.proxymatch.urlpaths.png
report.proxymatch.urlpaths.class.png
report.fwstatus.png
report.fwstatus.userloginrejected.png
delete.png

On hold...

As I am traveling trough China-Tibet-Nepal-India for a year this blog will be on hold. Want to see the pictures of my trip:

https://degroep.org/beijingdelhi/photoalbum/photoalbum.php

Webblocker & Surfcontrol 2

On 17-12-2005 I wrote about the link between Webblocker & Surfcontrol.
I seams that Watchguard now has it's own page at Surfcontrol.

http://mtas.surfcontrol.com/mtas/WatchGuardTest-a-Site.asp

The categories you can select when you are submitting a site are exactly the same as on the Watchguard. How nice!

Fireboxsupport.com

If you need help with the configuration of your Watchguard Fireware box you might want to take a look at:

http://www.fireboxsupport.com/fireware_pro.htm

They have some very detailed guides, that will help you if you are setting up a box for the first time. They also have some Tips and Tricks. Very usefull.

URL Paths 2

From the comments of my original post about URL Paths:

<qoute src="Jon Cavallo">
You can put *.com in the URL Paths. You need to enter it as '/*.com'

I use the /*.x convention on all my extension blocking. This helps prevent them from wildcarding some other part of a complex url.
</quote>

You are totally right, this is a better way to implement extension blocking with URL Paths. Thanks

CLI

Did you know that fireware also has a command line interface.
You can SSH to your box on port 4118.
You can login with:
Username = admin
password = Your read-write password.

You can do all sorts of things from the command line.
I use it as a replacement for the 'Restart IPSec' function that was in WFS but not in fireware.

To clear individual BOVPN, MUVPN, or PPTP tunnels:
WG#no vpn-tunnel ipsec enter-ID-of-the-BOVPN-tunnel-here
WG#no vpn-tunnel muvpn enter-ID-of-the-MUVPN-tunnel-here
WG#no vpn-tunnel pptp enter-the-physical-IP-address-of-the-PPTP-client-here

To find out the ID of a tunnel:
WG#show vpn-tunnel ike-gateway
WG#show vpn-tunnel ipsec
WG#show vpn-tunnel muvpn
WG#show vpn-tunnel pptp

Very usefull but remember:
<quote src="Nathan Buff">
There is a CLI but the CLI creates configurations that are not compatible with the GUI-based Policy Manager. For this reason, the CLI is only supported when the Firebox is running in Common Criteria mode.
</quote>

URL Paths

I mainly use the URL Paths function of the HTTP Proxy for blocking file extensions. Here is a list of extension that I deny:

*.acf
*.ade
*.adp
*.ani
*.arj
*.bas
*.bat
*.cab
*.chm
*.class
*.cmd
*.clp
*.cpl
*.cur
*.dat
*.dcr
*.dif
*.fav
*.hhk
*.hhp
*.hlp
*.ht
*.hta
*.htt
*.htx
*.hqx
*.idc
*.inf
*.ins
*.isp
*.jar
*.jav
*.java
*.job
*.lnk
*.m3u
*.mad
*.maf
*.mam
*.maq
*.mar
*.mat
*.mcw
*.mda
*.mdb
*.mde
*.mdn
*.mdt
*.mdv
*.mdw
*.mht
*.mnd
*.mp3
*.mpc
*.msi
*.msp
*.mst
*.nws
*.odc
*.ofn
*.ogg
*.pbk
*.pcd
*.pif
*.pip
*.pls
*.pot
*.ppa
*.ppz
*.pwz
*.ra
*.ram
*.rar
*.rat
*.reg
*.rjs
*.rm
*.rmm
*.rmp
*.rmx
*.rpm
*.scf
*.scr
*.sct
*.shs
*.slk
*.smil
*.tar
*.url
*.vb
*.vbd
*.vbe
*.vbx
*.vxd
*.wab
*.wiz
*.wma
*.wsc
*.wsf
*.wsh
*.wsz
*.zip

Notice that the file extension *.com is missing. I hope you can guess why.
You can also use the URL Path function for some more advanced filtering. I use it to prevent my users from turning off the safe search for google image search.

Rule name: Google_images_Safe_Search_Off
Pattern match: images.google.*/*safe=off*