Linux Connection NAT Helper not Working

Some protocols need more than one TCP or UDP connection. For NAT to work the firewall needs to open additional ports to allow client server connection automatically. Examples are FTP (port 21 handshake, additional ports for data), PPTP (port 1723 for handshake, proto GRE 47 for payload) Since Linux kernel (~) 4.7 these helpers are …

Continue reading ‘Linux Connection NAT Helper not Working’ »

Source IP Address Based on User

If you want to use different source IP addresses based on the logged in user or running service on a Linux computer you can use these simple commands: /sbin/ifconfig eth0:1 NEW-IP-ADDRESS netmask YOUR-NORMAL-NETMASK /sbin/iptables -t nat -A POSTROUTING -m owner –uid-owner USERNAME -j SNAT –to-source NEW-IP-ADDRESS You can use this if the source IP is …

Continue reading ‘Source IP Address Based on User’ »

Sophos UTM BGP Announces 0 Prefixes

Problem: A simple bgp upstream configuration. A small AS with one IP prefix wants to connect to its upstream using BGP. The BGP peerings are up. Sophos receives the expected routes from its upstream, but the upstream router does not receive the expected single prefix. Discussion: an outbound filter list is set to prevent sending other than the …

Continue reading ‘Sophos UTM BGP Announces 0 Prefixes’ »

PaloAlto Packet Loss of 1% and More

Problem: PaloAlto firewall is dropping packets in small bursts of some seconds, and sometimes it drops TCP connections. It only happens on HA clusters on interfaces in active/passive (fail over) mode. Solution: disable the following check box in the Ethernet interface Advanced – LLDP settings: “Enable in HA Passive State” Discussion: Palo Alto uses only one MAC address …

Continue reading ‘PaloAlto Packet Loss of 1% and More’ »