[ipsec, iptables, ebtables] How to avoid leakage of packets addressed to/from private IP space


I've been asked by SEED4.ME VPN to investigate the packet leakage issue in their environment, which appeared after delivering new VPN features for Apple devices.

We've agreed that we want not only to solve this particular problem with Apple IPsec, but to build a fence system which can completely eliminate any packet leakage problems in the future, whatever their cause: a bug, a feature, a misconfiguration etc.

I hope the results of this small project can be useful for other engineers facing similar challenges.

Problem: packet leakage

Packets addressed to or from private IP address space should not appear on network interfaces which do not belong to private networks.

A typical example is a VPS hosted in the cloud. If it sends packets addressed to private IP address space through its external NIC, it usually means that something is going wrong. More and more providers are implementing BCP38 to defeat Denial of Service attacks which employ IP source address spoofing. They block such packets and complain to the VPS administrators.

However, errare humanum est — administrators are people too. Typical cases are NAT- and IPsec-related.

This article describes the Castle Approach to this problem. The idea is simple:

  1. Leaked packets are filtered by the Linux firewall (netfilter iptables)
  2. If packets are not filtered by the Linux firewall, they are filtered by the Linux ethernet bridging firewall (netfilter ebtables). At the same time, they are logged and become visible to the monitoring system

How to automatically deploy a static web site to the hosting

The problem: publishing your web site efficiently

When a web site is updated on a regular basis (as happens with blogs) it becomes important to automate the process of uploading the site to the hosting. Using cPanel or FTP is boring and time-consuming.

The goal is to be able to sync the statically generated content (e.g., the _site directory generated by Jekyll) with just one command. My post refers to Jekyll and HostGator, but the methods suggested are not limited to these platforms — they are applicable to any statically generated web content.

Is the ECB really the enemy of the euro? More on Bagehot's rule

The ECB did not follow Bagehot's rule

Martin Sandbu criticizes the ECB for its course of action in the weeks before the vote in Greece (Financial Times, July 6):

Recall that the closure of Greece's banks was caused by the ECB's decision to do the opposite of what Walter Bagehot taught, which is that to stem a bank run, the central bank should lend against collateral that, but for the crisis, is solid. In Greece fearful people have wanted cash, but the banks have little cash left. The normal course of action would be for the banks to get cash from the central bank, pledging their investments as security for the loan. But after Athens declared a referendum, the ECB said no further such loans should (for now) be given.

Martin's article has plenty of interesting and valuable comments. However, in order to see the bigger picture it makes sense to examine Bagehot's rule a little more deeply.

Jekyll: how to add metadata to your site

You've created a web site with Jekyll and are trying to post links to the social network of your choice. Oops! No summary appears under your link! The reason is that the service needs metadata for the page.

Metadata helps in a lot of ways. Sharing in social networks is just one example. Don't think that if you do not use social networks, your web site does not need metadata.

I will summarize the important meta tags and the ways to add them to a Jekyll-based site. If you have something to add — don't hesitate, leave your feedback in the comments, please!

