
When it comes to firewall rules, there are a number of things I follow as best practice. To start with, you need to make sure you have all the necessary information in place before writing your firewall rules.

Ask yourself the following questions… If you don’t have the answers, go back to the drawing board and get all the necessary information.

  • Do you have all the necessary ports required for the firewall?
  • Do you have all the IP/Subnet information?

Make the ACLs short and sweet

It is always a best practice to avoid hard-coding bare IP addresses in ACLs.

  • Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
  • You should be able to understand how the firewalling is done by reading the ACLs.


Remove or Move Interface from VSAN Database

This will guide you through adding and removing interfaces from the VSAN database. Even though I have tested this on a Cisco MDS 9124, the process is virtually the same on the Cisco Nexus platforms, with slight differences in interface names.

Issuing the command show vsan membership will tell you which VSAN an interface is a member of.

Interfaces are in VSAN 1 by default and can be moved to another VSAN with the following command.

vsan database
 vsan 100 interface fc1/1

If you want to remove an interface from a particular VSAN, you need to move it back to VSAN 1.

Changing Linux Interface Numbering

The following method is useful when you have cloned a Linux VM and end up with an interface other than eth0. This usually happens when you clone or create a VM from a template whose interface is named eth0: the cloned copy ends up with eth1 rather than eth0 as the interface name. According to VMware, this is by design and can only be fixed by the following method.

Start up the VM and open up the following file with your favourite text editor and find the interface you want to remove.

Allowing Specific DNS Servers on ASA Firewall

This post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example, I am allowing Google DNS through the firewall.

object-group service DNS-PORTS
 service-object udp destination eq domain 

object-group network GOOGLE-DNS
 network-object host
 network-object host

access-list ACL_in extended permit object-group DNS-PORTS NETWORK object-group GOOGLE-DNS

Windows 10 is designed so that the operating system sends DNS queries out of all the available interfaces on the machine. The OS takes into account neither the network interface priority nor the default route.

This design is somewhat okay until we face a VPN scenario where the DNS request has to go through the VPN tunnel for security reasons; sending it out of every interface allows an attacker to intercept the DNS request and modify the reply to perform a man-in-the-middle attack.

The easy fix is to add a DWORD named DisableSmartNameResolution with a value of 0 under the following path.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

How to restrict WordPress login to specific IPs

This involves adding the following code to the .htaccess file in the root of the WordPress installation directory. Add each IP address on a new line, and subnets in CIDR format.

The code below is displayed as an image due to a WordPress limitation.

[Image: screenshot of the .htaccess code (Screen Shot 08-04-15 at 10.17 AM)]
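The .htaccess allow-list described above, written out as an added example rather than the post's own code (which was only available as an image). The IP addresses are constructed placeholders taken from documentation ranges; both the Apache 2.4 and the older 2.2 syntax are shown.

```apache
# Added example, not the original post's code (its version was an image).
# Restrict wp-login.php to an allow-list of admin addresses.
# Addresses below are constructed placeholders: replace them with your own,
# one IP per line, subnets in CIDR notation.
<Files "wp-login.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 and later: deny everything except the listed sources
        <RequireAny>
            Require ip 203.0.113.10
            Require ip 198.51.100.0/24
        </RequireAny>
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2: same policy with the legacy access directives
        Order Deny,Allow
        Deny from all
        Allow from 203.0.113.10
        Allow from 198.51.100.0/24
    </IfModule>
</Files>
```

The match is against the client address as Apache sees it, so behind a reverse proxy or CDN the rule would see the proxy's address rather than the visitor's. Anyone not on the list receives a 403 for wp-login.php while the rest of the site stays reachable.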


Copyright © Nish Vamadevan 2002-2015. All Rights Reserved. Terms and Policies.