Monthly archive for November 2005

Webalizer

I have just installed Webalizer on node.mu. I was waiting for Google Analytics to start accepting signups again, but I imagine that the waiting list might be very long. Webalizer is simple to install and suits my needs well enough. I’ll test-drive Analytics in due time.

Just shoot me an email if you have an account on node.mu and want to have webstats.

Example PF Rules

Here’s a working set of PF rules that I’ve used before on my FreeBSD gateway. I posted this before on port80.

Hopefully it will help someone out there. It is sometimes easier to take a working set of rules, understand how it works, and modify it to suit your own environment. Anyway, here goes.

  • ext_if is the external interface.
  • int_if is the internal interface.
  • pvt_net is your LAN.
  • dns_server would usually be your ISP’s DNS server.

ext_tcp_services are the TCP services that you want to allow the big bad world to access on your FreeBSD box. You can specify port numbers instead of the names, but I find the names more readable. For a list of services and their (usual) ports, run “more /etc/services”.

int_tcp_services are the same, but for your internal LAN only.

port_rdr is the port you want to redirect. You can specify a port range as well, e.g. 6500:6510.

client_rdr is the box to which you want the port redirected.

## MACROS

ext_if = "rl1"
int_if = "rl0"
pvt_net = "192.168.0.0/24"
dns_server = "203.0.178.191"
ext_tcp_services = "{ ftp, ssh, auth }"
int_tcp_services = "{ ftp, ssh, http, 3306 }"   # 3306 is for MySQL.
allowed_icmp_types = "echoreq"
netbios = "{ 137, 138, 139, 445 }"
port_rdr = ""      # port to redirect, e.g. "6500", or a range such as "6500:6510"
client_rdr = ""    # LAN host that receives the redirected port

## TABLES

# Table names are assumed here (they did not survive on the page):
# <firewall> is the firewall's own addresses, <private> the RFC 1918 ranges.
table <firewall> const { self }
table <private> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

## GLOBAL OPTIONS

set block-policy drop
#set state-policy if-bound
#set loginterface $ext_if

## TRAFFIC NORMALIZATION

scrub in on $ext_if all no-df
#scrub all reassemble tcp fragment reassemble

## NETWORK ADDRESS TRANSLATION AND REDIRECTS

nat on $ext_if from $pvt_net to any -> ($ext_if)

# Port redirection. Fill in port_rdr and client_rdr above, then uncomment:
#rdr on $ext_if proto tcp from any to ($ext_if) port $port_rdr -> $client_rdr port $port_rdr

## FILTER RULES

# Setup a default deny policy. Remember that in PF the last matching rule wins.
# Therefore, this rule is the catch-all rule. Anything not specifically allowed
# will be matched by this rule, and dropped.
block drop log all

# Prevent spoofing: packets with RFC 1918 source addresses must never arrive
# on the external interface (<private> is the table of those ranges; the name is assumed)
block in log quick on $ext_if from <private> to any
antispoof log quick for $int_if inet

# Prevent netbios leakage (from Windows systems on our LAN)
block in log quick on { $int_if, $ext_if } proto { tcp, udp } from any to any port $netbios

# Allow loopback interface
pass quick on lo0 all

# Outgoing from firewall
pass out quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA modulate state
pass out quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# Allow the internal network to send traffic to the internet, but not to the
# firewall itself (<firewall> is the table of the firewall's own addresses; the name is assumed)
pass in quick on $int_if inet proto tcp from $pvt_net to !<firewall> flags S/SA modulate state
pass in quick on $int_if inet proto { udp, icmp } from $pvt_net to !<firewall> keep state

# Allow dns traffic out
pass out quick on $ext_if inet proto udp from ($ext_if) to $dns_server port domain keep state

# Incoming to the firewall box, allow some services

# Allow hosts from the Internet to access some services
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp_services flags S/SA keep state

# Allow hosts from our private LAN to access some services
pass in quick on $int_if inet proto tcp from $pvt_net to ($int_if) port $int_tcp_services flags S/SA keep state

# Allow bootp service to function on the firewall
pass in quick on $int_if proto udp from any port bootpc to any port bootps
pass out quick on $int_if proto udp from any port bootps to any port bootpc

# Allow icmp
pass in log quick inet proto icmp all icmp-type $allowed_icmp_types keep state

# Incoming active ftp-data (tcp port 20). This is required for active ftp to work.
pass in quick on $int_if inet proto tcp from any port ftp-data to ($int_if) port >= 1024 flags S/SA keep state
pass in quick on $ext_if inet proto tcp from any port ftp-data to ($ext_if) port >= 1024 flags S/SA keep state

# Allow passive ftp in
pass in on $int_if proto tcp from $pvt_net to any port > 49151 keep state
pass in on $ext_if proto tcp from any to any port > 49151 keep state
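Before loading a ruleset, “pfctl -nf /etc/pf.conf” parses it without applying it. The checker below is an added example (not from the original post) that does a text-only version of that check offline: it flags every $macro and <table> reference that is never defined, which is exactly how a typo such as $ex_if in an rdr rule shows up. It runs on a small constructed pf.conf fragment embedded in the script.

```python
import re

# Constructed pf.conf fragment (not the post's full ruleset); it deliberately
# carries the $ex_if typo from the post's rdr rule plus a table that is never defined.
SAMPLE_PF_CONF = """\
ext_if = "rl1"
int_if = "rl0"
pvt_net = "192.168.0.0/24"
table <firewall> const { self }
table <private> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
nat on $ext_if from $pvt_net to any -> ($ext_if)
rdr on $ex_if proto tcp from any to ($ex_if) port 6500 -> 192.168.0.5 port 6500
block in log quick on $ext_if from <private> to any
pass in quick on $int_if inet proto tcp from $pvt_net to !<firewall> flags S/SA modulate state
pass in quick on $int_if from $pvt_net to <dmz> keep state   # <dmz> never defined
"""

MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=')        # name = "value"
TABLE_DEF = re.compile(r'^\s*table\s*<(\w+)>')           # table <name> ...
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')              # $name (also $name:network)
TABLE_REF = re.compile(r'<(\w+)>')                       # <name>, !<name>

def lint_pf(text):
    """Map each undefined $macro and <table> to the line numbers that use it."""
    lines = [line.split('#', 1)[0] for line in text.splitlines()]   # drop comments
    macros = {m.group(1) for line in lines if (m := MACRO_DEF.match(line))}
    tables = {t.group(1) for line in lines if (t := TABLE_DEF.match(line))}
    bad_macros, bad_tables = {}, {}
    for num, line in enumerate(lines, 1):
        for ref in set(MACRO_REF.findall(line)) - macros:
            bad_macros.setdefault(ref, []).append(num)
        for ref in set(TABLE_REF.findall(line)) - tables:
            bad_tables.setdefault(ref, []).append(num)
    return bad_macros, bad_tables

def report(text):
    """Human-readable findings, one per entry; an empty list means every reference is defined."""
    bad_macros, bad_tables = lint_pf(text)
    out = [f"undefined macro ${name} on line(s) {nums}" for name, nums in sorted(bad_macros.items())]
    out += [f"undefined table <{name}> on line(s) {nums}" for name, nums in sorted(bad_tables.items())]
    return out

if __name__ == "__main__":
    for finding in report(SAMPLE_PF_CONF):
        print(finding)
```

The check is purely lexical, so a clean result still needs the real “pfctl -nf” pass before the rules go live.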

Meebo

Site of the day: meebo.

We’re three folks working to bring IM to Web 2.0

Meebo supports the following protocols:

  • AIM or ICQ
  • Yahoo! Messenger
  • Jabber or GTalk
  • MSN

It seems that people are finding cool things to do in AJAX every day.

Honours Degree

I am playing with the idea of pursuing an honours degree in Computer Science. I visited my ex-university lecturer and project supervisor during the lunch break today and she floated the idea to me. I was actually offered the possibility to do honours in Multimedia when I graduated last year, but I already had a job lined up and wanted to get out there and work. It’s funny how things can change in one year.

So here I am, thinking of doing postgrad studies. It will have to be part time. I will be insanely busy with both work and studies, but the more I think about it the more I’m attracted to the idea. But there’s much to think about. I am weighing my commitment. One does not do an honours degree, part time, for anything less than a first class honours. And I will have to get a loan for the tuition fees. On the plus side, I now have permanent residency in Australia and I won’t have to pay the exorbitant international student rates.

New Blog

Brand new domain, brand new box, brand new blog. Welcome to node.mu, a Mauritian flavored node on the internet.