When it comes to firewall rules, there are a number of things I follow as best practice. To start with, make sure you have all the necessary information in place before writing the rules.
Ask yourself the following questions. If you don't have the answers, go back to the drawing board and gather the missing information.
- Do you have the complete list of ports (and protocols) the firewall needs to permit?
- Do you have all the IP address and subnet information, for both sources and destinations?
- Keep the ACLs short and sweet.
- Avoid bare IP addresses in ACLs; refer to named objects and object groups instead, so each rule says what it permits rather than just which numbers.
- Make sure the ACLs are intuitive to anyone who is not familiar with your network.
- You should be able to understand how the firewalling is done just by reading the ACLs.
This will guide you through adding and removing interfaces in the VSAN database. Although I tested this on a Cisco MDS 9124, the process is virtually the same on the Cisco Nexus platforms, with a slight difference in interface names.
The command show vsan membership tells you which VSAN each interface is a member of.
Interfaces start out in VSAN 1, the default, and can be moved to another VSAN from the VSAN database configuration context with the following commands.
vsan database
vsan 100 interface fc1/1
An interface belongs to exactly one VSAN, so to remove it from a particular VSAN you move it back to VSAN 1 with the same command, using 1 as the VSAN number. Check the result with show vsan membership before relying on it, since a port left in the wrong VSAN will not see the devices it is meant to be zoned with.
The following method is useful when you have cloned a Linux VM and end up with an interface other than eth0. This usually happens when you clone a VM, or deploy one from a template, whose interface was named eth0: the clone's NIC has a new MAC address, the persistent naming rule for eth0 is still tied to the template's MAC, and so the clone's interface comes up as eth1 rather than eth0. According to VMware, this is by design and can only be fixed by the following method.
Start the VM, open the following file in your favourite text editor, and find the entry for the interface you want to remove.
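One way to carry out that edit without touching the file by hand, as an added example that is not part of the original post: the shell script below assumes the guest keeps its persistent NIC naming in /etc/udev/rules.d/70-persistent-net.rules (the file the post does not name; this is the RHEL/CentOS 6-style udev layout), removes the rule that still binds eth0 to the template's MAC, promotes the clone's eth1 rule to eth0, and refuses to touch a file that has no eth1 rule to promote. The sample rules file it builds is constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Repairs udev's persistent
# network naming after a VM clone so the surviving NIC is called eth0 again.
# ASSUMPTION: the guest keeps its rules in /etc/udev/rules.d/70-persistent-net.rules
# (the RHEL/CentOS 6-era udev layout); the post itself does not name the file.
set -eu

# Rewrite RULES in place, keeping a .bak copy:
#   1. drop the stale rule that still binds the template's MAC to eth0
#   2. rename the clone's eth1 rule to eth0
# Fails without touching the file when there is no eth1 rule to promote,
# because removing eth0 in that case would leave the VM with no eth0 at all.
fix_persistent_net_rules() {
    rules="$1"
    if ! grep -q 'NAME="eth1"' "$rules"; then
        echo "no eth1 rule in $rules; nothing to promote" >&2
        return 1
    fi
    cp "$rules" "$rules.bak"
    grep -v 'NAME="eth0"' "$rules" | sed 's/NAME="eth1"/NAME="eth0"/' > "$rules.tmp"
    mv "$rules.tmp" "$rules"
}

# Print the MAC address that RULES now binds to eth0, so it can be checked
# against the VM's real hardware address (ip link show) before rebooting.
eth0_mac_in_rules() {
    sed -n 's/.*ATTR{address}=="\([^"]*\)".*NAME="eth0".*/\1/p' "$1"
}

# Constructed sample of a cloned VM's rules file: the template's MAC still
# claims eth0, and the clone's new MAC was given eth1 by udev.
make_sample_rules() {
    cat > "$1" <<'EOF'
# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:bb:01", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:50:56:aa:bb:02", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
EOF
}

# Usage on a real guest (after confirming the eth1 line carries the VM's MAC):
#   fix_persistent_net_rules /etc/udev/rules.d/70-persistent-net.rules
#   eth0_mac_in_rules /etc/udev/rules.d/70-persistent-net.rules
# then reboot for the new name to take effect.
```

Run fix_persistent_net_rules against the real rules file only after confirming with ip link that the MAC on the eth1 line is the one the VM actually has; on RHEL-family guests the HWADDR line in the matching ifcfg file must agree with it too, and the rename takes effect after a reboot.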
The following post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example the servers allowed through are Google's public resolvers, 8.8.8.8 and 8.8.4.4.
object-group service DNS-PORTS
 service-object udp destination eq domain
object-group network GOOGLE-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4
access-list ACL_in extended permit object-group DNS-PORTS NETWORK 255.255.255.0 object-group GOOGLE-DNS
Replace NETWORK with the inside source network the rule applies to (keep 255.255.255.0 if it is a /24). Because an ASA access list ends with an implicit deny, DNS queries to any other resolver are dropped as long as no earlier, broader permit (such as a permit ip any any) matches them first; if clients also need DNS over TCP, add a matching tcp service-object to DNS-PORTS.
By design, Windows 10 sends DNS queries out of all the available interfaces on the machine (smart multi-homed name resolution) and accepts the first reply. The OS takes neither the network interface priority nor the default route into account.
This design is somewhat acceptable until we hit a VPN scenario in which DNS requests have to go through the VPN tunnel for security reasons: the same query also leaks to the resolvers on the local network, where an attacker can intercept it and forge the reply to mount a man-in-the-middle attack.
The easy fix is to add a DWORD value named DisableSmartNameResolution, set to 1 (0 leaves the feature enabled), under the following registry path.
This involves adding the following code to the .htaccess file in the root of the WordPress installation directory, with each IP address on its own line and each subnet in CIDR format.
The code itself is shown as an image in the original post, because of a WordPress limitation.
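Since the post's snippet survives only as an image, here is an added example, not the author's own: a POSIX shell generator that turns a plain list of IPv4 addresses and CIDR subnets, one per line, into the Require ip lines an Apache 2.4 .htaccess needs, validating every entry and refusing to emit a file with no Require line at all, since such a file would leave the directory open rather than locked down. It assumes Apache 2.4 syntax (mod_authz_core) and an AllowOverride that permits AuthConfig; on Apache 2.2 the equivalent is the Order/Deny/Allow form. The allow-list file is a hypothetical input constructed for the example.

```shell
#!/bin/sh
# Added example, not the post's own (image) snippet. Generates an allow-list
# .htaccess body from a plain text list of IPv4 addresses and CIDR subnets,
# one per line. ASSUMPTIONS: the site runs Apache 2.4 (mod_authz_core
# "Require ip" syntax, not the 2.2 Order/Allow/Deny form) and the directory's
# AllowOverride permits AuthConfig; the list file is a hypothetical input.
set -eu

# True if $1 is a dotted-quad IPv4 address, optionally with a /0-32 prefix.
is_ipv4_or_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 4 && NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        NF == 5 && ($5 !~ /^[0-9]+$/ || $5 > 32) { exit 1 }
        { exit 0 }'
}

# Print the .htaccess content for LIST on stdout. Blank lines and "#"
# comments in LIST are ignored. Returns non-zero (printing nothing) on a
# malformed entry or an empty list, because an .htaccess with no Require
# line would silently leave the directory open to everyone.
htaccess_allowlist() {
    list="$1"
    count=0
    body=""
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        if ! is_ipv4_or_cidr "$entry"; then
            echo "invalid address or CIDR: $entry" >&2
            return 1
        fi
        body="${body}Require ip $entry
"
        count=$((count + 1))
    done < "$list"
    if [ "$count" -eq 0 ]; then
        echo "empty allow-list; refusing to generate an open .htaccess" >&2
        return 1
    fi
    # Several Require lines are ORed; a request matching none of them is denied.
    echo "# Only the sources listed below may reach this directory"
    printf '%s' "$body"
}

# Usage (allowlist.txt is a hypothetical file of IPs/CIDRs, one per line):
#   htaccess_allowlist allowlist.txt > /var/www/wordpress/.htaccess
```

Write the output into .htaccess in the WordPress root and test from an address outside the list, which should get 403 Forbidden. If the site sits behind a reverse proxy, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured, so the list would then need the proxy's address and the check moves to the proxy.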