Posts

What is the issue?

After a reboot of the system chiad (which runs fedora) I noticed a problem when I started a screen session. It gave a beep/bell and displayed the following:

;stefan@chiad:~[stefan@chiad ~]$
[stefan@chiad ~]$

The second line is there because I gave an enter and it shows what has been added to the first line. And when I logged out of the screen session it should show

;screen

I also noticed this only happend when I logged in via ssh from my console system. When logging in via ssh from a xterm didn’t give any problems. Also logging into a system running CentOS (kari) I didn’t have these issues.

What to search for?

The biggest disadvantage of using screen as a terminal multiplexer is that it is hard to search for on the internet, because a lot of things are screens, but not the GNU screen program. Because searching for a beep or bell doesn’t really make sense I tried searching for "linux screen ncurses background color not filling" because I also noticed that mutt and wyrd did not fill the background color when it supposed to. This search led me to some interesting URL’s.

Logging when using sslh

On a server I use sslh to allow ssh to port 443 and allow serving https sites at the same time. But when this is used, the logging for the TLS/SSL vhosts all show 127.0.0.1 as the source IP. This post will fix this problem

Needed changes

The original documentation mentioned the transparent mode, but when I tried to set it up on a test system it didn’t work. After searching I found a good article which works and does not need iptables configuration.

Why an IPsec tunnel?

Previously I used a tinc tunnel between me and my parents’ server. This situation was not ideal because my parents’ server had to be the gateway for some things to be able to use them via the tunnel, while the FRITZ!Box was the real gateway. Since I wanted to replace my gateway with an EdgeRouter Lite, I used this to setup an IPsec tunnel with the FRITZ!Box.

merge does not work via scp

When I was testing something with my EdgeRouter Lite, I saw some command that might help me create a config outside the router itself and then load it. One of them was the merge command, so I tried to use it. The help information on the CLI was the following:

# merg<tab><tab>
Possible completions:
  merge         Load configuration from a file and merge running configuration
      
[edit]
# merge <tab>
Possible completions:
  <Enter>                               Merge from system config file
  <file>                                Merge from file on local machine
  scp://<user>:<passwd>@<host>/<file>   Merge from file on remote machine
  ftp://<user>:<passwd>@<host>/<file>   Merge from file on remote machine
  http://<host>/<file>                  Merge from file on remote machine
  tftp://<host>/<file>                  Merge from file on remote machine

      
[edit]
#

Why this item

When I was searching how to setup my new EdgeRouter Lite, I came across a link that would explain why using a zone based firewall is better than a per-interface firewall. Unfortually the webpage was no longer reachable, but at least google cache still had the text available. Because it is a good article, I put the text here as a backup. The original also has some pictures as can be seen by the archived page.

Per Interface vs. Zone Based Firewall

Every so often, I get asked the question of why I feel a Zone based firewall is better than a per-interface firewall. It can be a complicated question to answer depending on the asker’s level of understanding. So my goal here is to provide a simple and clear description of why a zone based firewall is the more secure solution.

In all firewall variants, we do matching against multiple attributes of a packet. Source IP, Source Port, Destination IP, Destination Port, session state, protocol and various other logical values depending on the implementation. The primary difference between ACLs and Zones are how they apply to the physical or layer 2 characteristics.