Posts

Per Interface vs. Zone Based Firewall (backup)


Why this item

When I was searching for how to set up my new EdgeRouter Lite, I came across a link that explained why using a zone based firewall is better than a per-interface firewall. Unfortunately the webpage was no longer reachable, but at least Google cache still had the text available. Because it is a good article, I put the text here as a backup. The original also has some pictures, as can be seen on the archived page.

Per Interface vs. Zone Based Firewall

Every so often, I get asked the question of why I feel a Zone based firewall is better than a per-interface firewall. It can be a complicated question to answer depending on the asker’s level of understanding. So my goal here is to provide a simple and clear description of why a zone based firewall is the more secure solution.

In all firewall variants, we do matching against multiple attributes of a packet: source IP, source port, destination IP, destination port, session state, protocol and various other logical values depending on the implementation. The primary difference between ACLs and zones is how they apply to the physical or layer 2 characteristics.

A lot of DNS queries for daisy.ubuntu.com


Using dnstop

When analysing a problem at work, a colleague mentioned dnstop. So I decided to run it on my local DNS server. Then I noticed an Ubuntu system doing a lot of DNS queries when it wasn't really being used.

When using tcpdump on the DNS server I noticed the system did a query for daisy.ubuntu.com every 10 seconds.
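Finding a host that asks for the same name at a fixed interval is easy by eye in a short capture, but tedious in a busy one. The following script is an added example (not part of the original post): it parses tcpdump-style query lines, groups them per client and name, and reports the pairs whose inter-query gaps are steady. The sample lines, the client address 192.0.2.10, the resolver 192.0.2.1 and the answer address 198.51.100.5 are constructed for the example.

```python
"""Spot periodic DNS chatter in `tcpdump -n port 53` output (added example)."""
import re
from collections import defaultdict
from statistics import median

# tcpdump -n prints queries as:
#   HH:MM:SS.micro IP src.port > resolver.53: id+ TYPE? name. (len)
# Responses (resolver.53 > client.port: ...) carry no "TYPE?" and are skipped.
_QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+)\.\d+ > [\d.]+\.53: "
    r"\d+\+? (?P<qtype>[A-Z]+)\? (?P<qname>\S+)\."
)

# Constructed sample: one Ubuntu host asking for daisy.ubuntu.com every 10 s,
# plus a few one-off queries from it and from another host.
SAMPLE_LINES = [
    "10:00:00.100000 IP 192.0.2.10.51234 > 192.0.2.1.53: 10001+ A? daisy.ubuntu.com. (34)",
    "10:00:00.101500 IP 192.0.2.1.53 > 192.0.2.10.51234: 10001 1/0/0 A 198.51.100.5 (50)",
    "10:00:03.400000 IP 192.0.2.20.40001 > 192.0.2.1.53: 20001+ A? example.net. (29)",
    "10:00:10.100000 IP 192.0.2.10.51235 > 192.0.2.1.53: 10002+ A? daisy.ubuntu.com. (34)",
    "10:00:15.900000 IP 192.0.2.10.51236 > 192.0.2.1.53: 10003+ A? ntp.ubuntu.com. (32)",
    "10:00:20.100000 IP 192.0.2.10.51237 > 192.0.2.1.53: 10004+ A? daisy.ubuntu.com. (34)",
    "10:00:30.100000 IP 192.0.2.10.51238 > 192.0.2.1.53: 10005+ A? daisy.ubuntu.com. (34)",
    "10:00:33.200000 IP 192.0.2.20.40002 > 192.0.2.1.53: 20002+ AAAA? example.net. (29)",
    "10:00:40.100000 IP 192.0.2.10.51239 > 192.0.2.1.53: 10006+ A? daisy.ubuntu.com. (34)",
]


def _seconds(ts):
    """Convert HH:MM:SS.micro to seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_queries(lines):
    """Yield (seconds, client, qname) for every query line; other lines are ignored."""
    for line in lines:
        m = _QUERY_RE.match(line)
        if m:
            yield _seconds(m["ts"]), m["src"], m["qname"].lower()


def periodic_queries(lines, min_count=4, tolerance=0.5):
    """Return {(client, qname): (count, period_seconds)} for names a client
    repeats at least min_count times with every gap within tolerance of the median gap."""
    times = defaultdict(list)
    for t, client, qname in parse_queries(lines):
        times[(client, qname)].append(t)
    result = {}
    for key, ts in times.items():
        if len(ts) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = median(gaps)
        if all(abs(g - period) <= tolerance for g in gaps):
            result[key] = (len(ts), round(period, 1))
    return result


if __name__ == "__main__":
    for (client, qname), (count, period) in periodic_queries(SAMPLE_LINES).items():
        print(f"{client} asked for {qname} {count} times, roughly every {period} s")
```

Feed it real output with `tcpdump -n -l -i eth0 port 53 | python3 script.py` after replacing `SAMPLE_LINES` with `sys.stdin`; the tolerance parameter absorbs the small jitter a timer-driven client shows, while genuinely user-driven lookups fail the steady-gap test and are left out.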

Java Not Found


./java: No such file or directory

After a Debian upgrade from squeeze (via wheezy) to jessie, I got the following message when I tried to start tomcat on the machine:

/vol/www/tomcat/bin/catalina.sh: 1: eval: /usr/local/java7/bin/java: not found

Fedora 23: almost no logging in journal


The upgrade

Recently I upgraded a server from Fedora 21 to Fedora 23. This was a difficult process because newer kernels (> 3.14.23-100.fc19) won’t work with the system. Finally I was able to boot the system with the old kernel, but I was not seeing any information in /var/log/maillog. Sendmail was running and I was able to send and receive messages, but nothing was written to the maillog.

When I talked to somebody in #fedora he mentioned I could do a test by running the following simple command:

logger "hello world"

This resulted in an error message:

logger: socket /dev/log: Connection refused

eth0: mismatched read page pointers 4c vs ff


The situation

I still have an old 486SX25 system which I use to run multiple ssh sessions to different other systems, for instance to use IRC or view email. This way I can keep track of those things while doing things in fullscreen on my main desktop. The system started showing the following error on every virtual console:

eth0: mismatched read page pointers 4c vs ff

After a time I saw the connections to other systems fail.
