Archive for the category ‘Miscellaneous’

1:1 NAT with pfSense

Saturday, 21 January 2012

If anyone else is using 1:1 NAT on pfSense (or m0n0wall), here are some tips. Don’t judge the usage of NAT – I only do that if I have to or it’s the best in the situation, e.g. when I need to work around restrictions. I had to do that today as I was provisioning a VM on the internal server farm, but needed to make it available outside of the web firewalls due to another service running on it.

It was not clear to me from the manual on the web page how I need to use it. I have two subnets: one is a private range (LAN) and one is a public range (DMZ).

I have a public IP on the WAN side which is the target IP for the route to the DMZ. Now I wanted to make a VM in the LAN visible in the DMZ, a VM that I did not want to move over directly (I had no spare server in the DMZ at the time, and needed to deploy fast).

Create a new IP alias in pfSense: as interface choose the DMZ interface, as type choose IP Alias. Then create the rule under Firewall > NAT > 1:1 NAT, but this time choose the WAN interface. If you choose the DMZ interface here, all you get is traffic to the firewall that is not forwarded further.

Then I allowed traffic to the DMZ IP address. This was unfortunately not sufficient, and normally with a port forward you would get a normal firewall rule that already works. In this case, you NEED to add a firewall rule allowing the desired traffic to the INTERNAL LAN IP of the HOST you are trying to make available.

That should be sufficient.
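Why the rule on the alias IP does nothing while the rule on the internal IP works, as a small model (an added example, not part of the original post and not pfSense code). It assumes pf's translate-before-filter ordering and that the pass rule sits on the WAN interface; the interface names, port and addresses are constructed.

```python
# Added example, not from the post. Assumption: pf (under pfSense) translates
# inbound packets before filtering. All addresses below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class OneToOne:
    interface: str  # interface the 1:1 mapping is bound to
    external: str   # public alias IP
    internal: str   # LAN host behind it


@dataclass(frozen=True)
class PassRule:
    interface: str
    dst: str        # host or CIDR network
    port: int


def translate(nat, iface, dst):
    """Rewrite dst to the internal host if a mapping on iface matches."""
    for m in nat:
        if m.interface == iface and ip_address(m.external) == ip_address(dst):
            return m.internal
    return dst


def allowed(nat, rules, iface, dst, port):
    """Default deny: pass only if a rule matches the translated destination."""
    seen = ip_address(translate(nat, iface, dst))
    return any(r.interface == iface and r.port == port
               and seen in ip_network(r.dst, strict=False) for r in rules)


def dead_rules(nat, rules):
    """Host rules that name a 1:1 external IP; inbound traffic never hits them."""
    ext = {(m.interface, ip_address(m.external)) for m in nat}
    return [r for r in rules
            if "/" not in r.dst and (r.interface, ip_address(r.dst)) in ext]


NAT = [OneToOne("wan", "203.0.113.10", "192.168.1.50")]
ALIAS_RULE = [PassRule("wan", "203.0.113.10", 443)]   # first attempt in the post
HOST_RULE = [PassRule("wan", "192.168.1.50", 443)]    # rule on the internal IP

if __name__ == "__main__":
    print(allowed(NAT, ALIAS_RULE, "wan", "203.0.113.10", 443))
    print(allowed(NAT, HOST_RULE, "wan", "203.0.113.10", 443))
    print(dead_rules(NAT, ALIAS_RULE))
```

`dead_rules` is useful as a review check on an exported rule set: any hit is a pass rule that looks like it exposes the host but never matches.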

 

 

More blogging soon

Monday, 16 January 2012

If anyone has wondered why there has been such a lack of blogging here – there will be some information that could be interesting again soon. I was kinda busy in the last few months with a new project called “Geoflexcloud” – also online here – which is basically the transformation of my know-how into a real “Cloud” thingie. I know cloud is an overused term, but the aspect here is definitely on data protection in Switzerland and strictly isolated containers for customers that want a certain amount of security. Fortunately we now have a lot of infrastructure ready in a rack and will be starting to peer with other ISPs in the next few weeks.

Driving Licence and Car Sign Tracking

Sunday, 15 January 2012

Newest from the surveillance front, coming today from the famous Fefe Blog again: The Austrians are now abusing their driver's licence pictures to automatically track their people via CCTV: Link

In the meantime? We have now this just around my edge. And everyone called me paranoid just a few years ago? In the newer articles there is now talk about “further extensions” – well nice, we are being tracked, soon they will store the movement data as “Minimal Data Retention” as the Germans like to call it.

There is only one to the rescue: SQL Hacker

Registration for Admincamp 11 open

Sunday, 28 August 2011

Hello visitors,

You can now register for the 11th Admincamp!

Registration form

Admincamp 11 Definitive Announcement

Sunday, 14 August 2011

So, it took a long time, but the date is now finally fixed:

24+25 September, Marthalen!

The topic is IPTables, as already announced.

Registration goes live here in the next few days

Doodle for the 11th Admincamp, attempt 2

Saturday, 22 January 2011

Dear Admincamp participants:

Unfortunately all suitable dates were already booked up, so a new poll is starting now that only contains open dates.

Here is the Doodle poll for everyone who wants to take part. Please select a Saturday and Sunday that belong together!

The topic will be IPTables with “ferm”.
This way to Doodle =>

Admincamp 10 Event Registration open

Wednesday, 22 December 2010


If the police labelled tunnels…

Friday, 17 December 2010

Then something like this would come out, as here in my Latitude history:

Licht Einschalten - Tunnel

Printing roads

Saturday, 13 November 2010

Amazing what there are printers for these days. Printing roads is, honestly, something I find fairly impressive:

Announcement: Admincamp #10 – Splunk

Monday, 08 November 2010

15.01.2011 – 16.01.2011
Location: Siat
Topic: Splunk – log analysis tool
Time: Saturday 10:00 to Sunday 16:00
Cost: approx. 100 CHF for two days
Registration: available soon via the website.