
Terminal Server Aware Web Proxy Server with pfSense

At work, I have a client that was requesting the ability to monitor/block sites that their users were visiting.  This is traditionally quite easy with just a squid proxy server or a Barracuda Web Filter but they really didn’t want an extra server to be installed during this process AND they were using a terminal server.

I started looking for server side applications that I could install and just have the admin pull the data from there, however, the costs I was finding were a bit too much.  I set up a pfSense in a quick lab to demo this up.  After installing pfSense on some old hardware, I did a basic configuration of the box, and then installed the Squid proxy package.  I configured this to be a traditional proxy where I had to send traffic on a specific port, and the user was required to login.  That was really the trick to get the terminal server users broken apart.  I know it could probably use a little massaging with NTLM authentication or some other clean mechanism but for the lab and the purposes of this client, this hit the mark for a great price.
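Requiring a proxy login is what makes the per-user monitoring possible: Squid writes the authenticated user name into its access.log, so requests from different terminal server sessions no longer collapse into the one client IP. As an added example (not from the original post or from pfSense's Squid package), the script below summarises Squid's native access.log format by user and destination host; the log lines are constructed for illustration.

```python
"""Summarise a Squid access.log by authenticated user and destination host.

Added example, not from the original post: with proxy authentication
enabled, Squid records the login name in the 8th field of its native log
format, which is what lets sessions on a shared terminal server be told
apart. The log lines below are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample lines in Squid's native access.log format:
# timestamp elapsed client action/status size method url user hier/peer type
SAMPLE_LOG = """\
1262304000.123    215 10.0.0.5 TCP_MISS/200 4521 GET http://news.example.com/index.html alice HIER_DIRECT/203.0.113.10 text/html
1262304001.456    180 10.0.0.5 TCP_MISS/200 3310 GET http://video.example.net/watch?v=1 bob HIER_DIRECT/203.0.113.11 text/html
1262304002.789     12 10.0.0.5 TCP_DENIED/407 0 GET http://news.example.com/ - HIER_NONE/- text/html
1262304003.000    300 10.0.0.5 TCP_MISS/200 9001 CONNECT mail.example.org:443 alice HIER_DIRECT/203.0.113.12 -
1262304004.000    120 10.0.0.5 TCP_HIT/200 2200 GET http://news.example.com/story/2 alice NONE/- text/html
"""


def parse_line(line):
    """Return (user, host) for one native-format line, or None if unparseable.

    Unauthenticated requests (user field '-') are reported under '-' so that
    407 challenges show up in the summary rather than silently vanishing.
    """
    fields = line.split()
    if len(fields) < 10:
        return None
    method, url, user = fields[5], fields[6], fields[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]  # CONNECT lines carry host:port, no scheme
    else:
        host = urlsplit(url).hostname or url
    return user, host


def summarise(log_text):
    """Map user -> {host: request count}."""
    summary = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        summary[user][host] += 1
    return {u: dict(h) for u, h in summary.items()}


if __name__ == "__main__":
    for user, hosts in sorted(summarise(SAMPLE_LOG).items()):
        print(user)
        for host, count in sorted(hosts.items(), key=lambda kv: -kv[1]):
            print(f"  {count:4d}  {host}")
```

Run it against a real access.log by passing the file contents to `summarise()`; a '-' bucket that keeps growing is worth a look, since it means clients are reaching the proxy without authenticating.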

I did mention that they did not want to install new hardware during this process, but they knew they needed to upgrade their Linksys “router” that was currently firewalling their network.  I am once again impressed with the flexibility and ease of use that pfSense gives you.  I truly only have 1 complaint about the system at all but it has nothing to do with this and as I understand it, that feature has been added in pfSense 2.0.  The management of OpenVPN clients/certificates is somewhat of a nightmare for large installs unless you use a single certificate for all users (not recommended).


Cisco – tcp-small-servers and udp-small-servers

For some truly unknown reason, Cisco’s devices still have support for “small servers” or “simple services”. Examples of these include echo, chargen, daytime and discard.  An attacker could possibly start a denial of service attack (DoS) against one or more network devices with those configured.  In this case, echo and chargen are to blame by allowing an attacker to cause the chargen service to hit the echo service, causing an endless loop of character generation and echo between the two hosts.  To disable this, simply enter the following commands:

configure terminal
no service tcp-small-servers
no service udp-small-servers

These commands can be run on nearly all IOS based Cisco equipment.


Cisco Switching – switchport nonegotiate

Dynamic Trunking Protocol (DTP) is a standard feature of Cisco switches and allows two switches to dynamically configure interfaces interconnecting each other to be trunked ports.  DTP has 5 modes; Auto (default), On, Off, desirable and nonegotiate.  These 5 modes all have a purpose.  I have laid out the groundwork below:

  • auto – The default setting allows the port to willingly convert to trunking, however, the port will not trunk unless the neighbor is set to on or desirable.  When two switches are connected together and set for auto, they will NOT trunk.
  • on – This setting forces the port to be a trunk regardless of the neighbor’s settings.
  • off – This setting forces the port to not trunk, even if the neighbor is set to on.
  • desirable – This causes the port to attempt to become a trunk, however, the neighbor would have to be set to on, desirable or auto.
  • nonegotiate – This setting forces the port to be a trunk but disables DTP frames between the two switches.  This is useful when you are working with non-Cisco equipment and just want to ensure that the ports won’t do anything you do not want them to.  This is my preference.

To configure this on your switches, issue the following:

configure terminal
interface g1/0/49
switchport trunk encapsulation dot1q
switchport mode trunk
switchport nonegotiate
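Both of the Cisco points above (the small servers, and trunk ports that still negotiate via DTP) are easy to check for after the fact if you have a saved copy of `show running-config`. The following script is an added example, not from the original posts: it parses the config text, reports whether `service tcp-small-servers` or `service udp-small-servers` is explicitly enabled, and lists interfaces in `switchport mode trunk` that lack `switchport nonegotiate` or that sit in a `dynamic` mode. The sample config is constructed for illustration.

```python
"""Audit a saved Cisco IOS running-config for small servers and DTP exposure.

Added example, not from the original posts. Given the text of
`show running-config`, report (1) whether the small servers are explicitly
enabled and (2) trunk ports that still negotiate via DTP (no
`switchport nonegotiate`) or sit in a dynamic mode. The sample config
below is constructed for illustration.
"""
import re

SAMPLE_CONFIG = """\
!
service tcp-small-servers
no service udp-small-servers
!
interface GigabitEthernet1/0/1
 switchport mode access
!
interface GigabitEthernet1/0/48
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/49
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet1/0/50
 switchport mode dynamic desirable
!
"""


def small_servers_enabled(config):
    """Return the set of small-server protocols explicitly enabled ('tcp', 'udp').

    Only an explicit `service tcp-small-servers` / `service udp-small-servers`
    line counts. Whether a missing line means 'off' depends on the IOS
    release, so a `no service ...` line is the unambiguous safe state.
    """
    enabled = set()
    for proto in ("tcp", "udp"):
        if re.search(rf"^service {proto}-small-servers\s*$", config, re.M):
            enabled.add(proto)
    return enabled


def interfaces(config):
    """Yield (name, [stripped config lines]) for each interface stanza."""
    name, lines = None, []
    for raw in config.splitlines():
        if raw.startswith("interface "):
            if name:
                yield name, lines
            name, lines = raw.split(None, 1)[1], []
        elif name and raw.startswith(" "):
            lines.append(raw.strip())
        elif name:  # a top-level line ('!' or another command) ends the stanza
            yield name, lines
            name, lines = None, []
    if name:
        yield name, lines


def dtp_findings(config):
    """Return {interface: reason} for ports whose trunking state DTP can still change."""
    findings = {}
    for name, lines in interfaces(config):
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None
        if mode == "trunk" and "switchport nonegotiate" not in lines:
            findings[name] = "trunk port still sends DTP frames; add 'switchport nonegotiate'"
        elif mode == "dynamic":
            findings[name] = "dynamic mode; set an explicit 'switchport mode' and 'switchport nonegotiate'"
    return findings


if __name__ == "__main__":
    print("small servers enabled:", sorted(small_servers_enabled(SAMPLE_CONFIG)) or "none")
    for iface, reason in dtp_findings(SAMPLE_CONFIG).items():
        print(f"{iface}: {reason}")
```

Feed it the output of `show running-config` saved to a file; on the constructed sample it flags the tcp small servers and interfaces 1/0/48 (trunk without nonegotiate) and 1/0/50 (dynamic desirable), while 1/0/49, configured as in the post, passes.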

Hopefully this was somewhat worthwhile.  It is very basic so I apologize but this is the easiest way to give you the needed information without boring you to death 🙂


Cisco Command Reference

I was working on a client’s network tonight and thought of about 10k topics to blog about.  All the commands on Cisco routers and switches.  The purpose of this would be to help remind me that the basics are not good enough and also expand your mind on what a command does, how to use it and possibly when to implement it.  If at any point I’m completely off my rocker, you know what to do 🙂


New Asus eee PC

Well, last Friday my wife and I added a new addition to the family; an Asus eee PC (XP Home, 1Gb Memory, 120 Gb Hard Drive).  We bid the highest on the computer at my company’s yearly Christmas Party.  I really didn’t want it at first but now that I’ve had a little bit of time on it, the computer is actually pretty fully functional.  There are a few minor issues that I see so far but overall, the computer is very very usable.

So far this weekend I’ve really only had time to do some light surfing and software installs to get my core apps installed but I do have to say that it is very functional.  The size and weight are great, it’s “fast enough” which I have mentioned before is a relative term.  I won’t be playing WoW or Unreal Tournament any time soon on it but it allows me to surf from one page to another without delay, watch online video via YouTube, Fox on demand or ABC online and it has different power settings depending on how I want to use it (Super Performance, High Performance and Battery Saving Modes).

I will complain that the keyboard takes a little getting used to especially if you’re normally on a desktop or large laptop, the touch pad buttons are a bit stiff but I can always use a mouse if needed, and I absolutely hate the way they partitioned the hard drive.  They did 2 60Gb partitions for C: and D:.  Why? That’s all I can ask.

We ended up keeping the black model that was the Christmas party prize but I tell you, I had to defend my manly stance pretty hard against the wife so that she wouldn’t want me to trade it for the pink model.  🙂

In some respects it feels faster than my desktop at work (AMD something? 2Ghz, 1Gb Ram).