I've previously written about my OpenBSD PF firewall in front of my VM server at my colo. I had a firewall rule which used the following variable: `icmp6_types="{ 2, 128 }"`. This wasn't working properly on the LAN side, and I had to disable the ICMPv6 restrictions to get things working again. I wanted to fix this permanently, the right way, by determining what needed to be allowed and what could be denied without breaking things.
In response to the recent POODLE vulnerability in SSLv3, I have disabled SSLv3 support in anything of mine which speaks SSL/TLS. All connections are running TLSv1.0, TLSv1.1, or TLSv1.2 now.
I run an OpenBSD system as a packet filter in front of my various virtual machines at my colo. I've got a default `block drop in log all` rule which drops and logs all un-handled traffic. I've been rotating the logs around, but not doing anything more than troubleshooting with the logs. I often watch the live pflog scroll by, investigating the occasional IP of interest.
Today various sources announced CVE-2014-6271: 'bash: specially-crafted environment variables can be used to inject shell commands'. This is a serious risk on many Unix-like systems, as bash is a very popular shell and is included by default on many systems. It is used both by interactive users and by many wrapper scripts used in daily system operations.