Annual archive: March 11, 2021

by plague70

How To Setup a Firewall with UFW on an Ubuntu and Debian Cloud Server.

Introduction

One of the first lines of defense in securing your cloud server is a functioning firewall. In the past, this was often done through complicated and arcane utilities. There is a lot of functionality built into these utilities, iptables being the most popular nowadays, but they require a decent effort on behalf of the user to learn and understand them. Firewall rules are not something you want yourself second-guessing.

To this end, UFW is a considerably easier-to-use alternative.

What is UFW?

UFW, or Uncomplicated Firewall, is a front-end to iptables. Its main goal is to make managing your firewall drop-dead simple and to provide an easy-to-use interface. It’s well-supported and popular in the Linux community—even installed by default in a lot of distros. As such, it’s a great way to get started securing your server.

Before We Get Started

First, obviously, you want to make sure UFW is installed. It should be installed by default in Ubuntu, but if for some reason it’s not, you can install the package using aptitude or apt-get using the following commands:

sudo aptitude install ufw

or

sudo apt-get install ufw

Check the Status

You can check the status of UFW by typing:

sudo ufw status

Right now, it will probably tell you it is inactive. Whenever ufw is active, you’ll get a listing of the current rules that looks similar to this:

Status: active

To               Action      From
--               ------      ----
22               ALLOW       Anywhere

Using IPv6 with UFW

If your VPS is configured for IPv6, ensure that UFW is configured to support IPv6 so that it will configure both your IPv4 and IPv6 firewall rules. To do this, open the UFW configuration with this command:

sudo vi /etc/default/ufw

Then make sure “IPV6” is set to “yes”, like so:

IPV6=yes

Save and quit. Then restart your firewall with the following commands:

sudo ufw disable
sudo ufw enable

Now UFW will configure the firewall for both IPv4 and IPv6, when appropriate.

Set Up Defaults

One of the things that will make setting up any firewall easier is to define some default rules for allowing and denying connections. UFW’s defaults are to deny all incoming connections and allow all outgoing connections. This means anyone trying to reach your cloud server would not be able to connect, while any application within the server would be able to reach the outside world. To set the defaults used by UFW, you would use the following commands:

sudo ufw default deny incoming

and

sudo ufw default allow outgoing

Note: if you want to be a little bit more restrictive, you can also deny all outgoing requests. The necessity of this is debatable, but if you have a public-facing cloud server, it could help prevent any kind of remote shell connection. It does make your firewall more cumbersome to manage because you’ll have to set up rules for all outgoing connections as well. You can set this as the default with the following:

sudo ufw default deny outgoing

Allow Connections

The syntax is pretty simple. You change the firewall rules by issuing commands in the terminal. If we turned on our firewall now, it would deny all incoming connections. If you’re connected over SSH to your cloud server, that would be a problem because you would be locked out of your server. Let’s enable SSH connections to our server to prevent that from happening:

sudo ufw allow ssh

As you can see, the syntax for adding services is pretty simple. UFW comes with some defaults for common uses. Our SSH command above is one example. It’s basically just shorthand for:

sudo ufw allow 22/tcp

This command allows a connection on port 22 using the TCP protocol. If our SSH server is running on port 2222, we could enable connections with the following command:

sudo ufw allow 2222/tcp

Other Connections We Might Need

Now is a good time to allow some other connections we might need. If we’re securing a web server with FTP access, we might need these commands:

sudo ufw allow www

or

sudo ufw allow 80/tcp

sudo ufw allow ftp

or

sudo ufw allow 21/tcp

Your mileage will vary on what ports and services you need to open. There will probably be a bit of testing necessary. In addition, you want to make sure you leave your SSH connection allowed.

Port Ranges

You can also specify port ranges with UFW. To allow ports 1000 through 2000, use the command:

sudo ufw allow 1000:2000/tcp

If you want UDP:

sudo ufw allow 1000:2000/udp

IP Addresses

You can also specify IP addresses. For example, if I wanted to allow connections from a specific IP address (say my work or home address), I’d use this command:

sudo ufw allow from 192.168.255.255

Denying Connections

Our default setup is to deny all incoming connections. This makes the firewall rules easier to administer since we are only selectively allowing certain ports and IP addresses through. However, if you want to flip it and open up all your server’s ports (not recommended), you could allow all connections and then restrictively deny ports you didn’t want to give access to by replacing “allow” with “deny” in the commands above. For example:

sudo ufw allow 80/tcp

would allow access to port 80 while:

sudo ufw deny 80/tcp

would deny access to port 80.

Deleting Rules

There are two options to delete rules. The most straightforward one is to use the following syntax:

sudo ufw delete allow ssh

As you can see, we use the command “delete” and input the rules you want to eliminate after that. Other examples include:

sudo ufw delete allow 80/tcp

or

sudo ufw delete allow 1000:2000/tcp

This can get tricky when you have rules that are long and complex.

A simpler, two-step alternative is to type:

sudo ufw status numbered

which will have UFW list out all the current rules in a numbered list. Then, we issue the command:

sudo ufw delete [number]

where “[number]” is the line number from the previous command.

Turn It On

After we’ve gotten UFW to where we want it, we can turn it on using this command (remember: if you’re connecting via SSH, make sure you’ve set your SSH port, commonly port 22, to be allowed to receive connections):

sudo ufw enable

You should see the command prompt again if it all went well. You can check the status of your rules now by typing:

sudo ufw status

or

sudo ufw status verbose

for the most thorough display.

To turn UFW off, use the following command:

sudo ufw disable
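
The reminder above about allowing SSH before enabling the firewall can be turned into a check. The script below is an added example, not part of the original tutorial: it reads the staged rules from "ufw show added" and refuses to run "ufw enable" unless every port sshd listens on is covered. The function names and the sample rule list are constructed for illustration, and the output format of "ufw show added" is assumed to be one "ufw allow ..." line per rule.

```shell
#!/bin/sh
# Added example (not from the original tutorial): refuse to enable UFW
# unless a staged rule already admits the SSH port.

# port_allowed PORT: reads `ufw show added` output on stdin and succeeds if
# an allow/limit rule covers TCP PORT. Handles "22", "22/tcp" and ranges
# such as "1000:2000/tcp". Service names, comma lists and "from ..." rules
# (which admit only one source) are deliberately not counted.
port_allowed() {
    awk -v port="$1" '
        $1 == "ufw" && ($2 == "allow" || $2 == "limit") {
            n = split($3, spec, "/")
            if (n > 1 && spec[2] != "tcp") next
            m = split(spec[1], range, ":")
            lo = range[1]; hi = (m > 1) ? range[2] : range[1]
            if (lo !~ /^[0-9]+$/ || hi !~ /^[0-9]+$/) next
            if (port + 0 >= lo + 0 && port + 0 <= hi + 0) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# safe_enable: the real pre-flight. `sshd -T` prints the effective sshd
# configuration, including one "port N" line per listening port.
safe_enable() {
    for p in $(sudo sshd -T | awk '$1 == "port" { print $2 }'); do
        if ! sudo ufw show added | port_allowed "$p"; then
            echo "refusing to enable: no rule allows SSH port $p" >&2
            return 1
        fi
    done
    sudo ufw enable
}

# Constructed sample of `ufw show added` output, so the check runs offline.
SAMPLE_ADDED="Added user rules (see 'ufw status' for running firewall):
ufw allow 22/tcp
ufw allow 1000:2000/tcp
ufw allow from 192.168.255.255"

for p in 22 1500 2222; do
    if printf '%s\n' "$SAMPLE_ADDED" | port_allowed "$p"; then
        echo "port $p: allowed"
    else
        echo "port $p: NOT allowed"
    fi
done
```

On a real server, call safe_enable in place of a bare "sudo ufw enable"; with sshd moved to port 2222 and only 22/tcp staged, it stops before the firewall comes up.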

Reset Everything

If, for whatever reason, you need to reset your cloud server’s rules to their default settings, you can do this by typing this command:

sudo ufw reset

Conclusion

You should now have a cloud server that is configured properly to restrict access to a subset of ports or IP addresses.

by plague70

Restore pfSense From Backup Using The CLI (command line)

When all goes bad and you can’t get to the web interface of your Netgate pfSense, you’ll have no option but to try using the CLI (command line). This happened to me recently and this article explains what I did to recover.

A few worthy points:

  1. The pfSense configuration file (a single file) is stored in “/cf/conf/config.xml”.
  2. Backup configuration files are stored in “/cf/conf/backup/”.
  3. Copying the configuration file from the backup location over the top of the current configuration is effectively the restore process.

These are the steps to restore back to a previous state. I’m assuming the system won’t boot as normal and therefore “single user” mode is needed.

  1. Boot the Netgate with the mini-USB cable connecting the Netgate appliance to your workstation.
  2. Very near the start of the booting process, there’s a prompt to boot with options. Select to boot into “single user” mode.
  3. When you get a prompt, remount the filesystem into read/write mode using “mount -u /cf”.
  4. Check the filesystem for errors and repair them with “fsck -yf /”.
  5. Locate and copy the restore file from the “/cf/conf/backup/” directory. Go back a few stages (not the latest file) based on the times of the backup files. Copy it with “cp /cf/conf/backup/config-1593242670.xml /cf/conf/config.xml”.
  6. Remove the file “/tmp/config.cache” using “rm /tmp/config.cache”.
  7. Run the command “/etc/rc.reload_all start”.
  8. Reboot using “reboot”.

When the device reboots, it should be back-dated (in terms of the config) to the date of the restore file.
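
Step 5 above, choosing an older backup by the time in its file name and copying it over the live configuration, can be scripted as follows. This is an added example, not from the original post: the paths default to the ones the post gives, while the function names, the ".broken" copy of the old file and the check for a closing </pfsense> tag are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths default to the ones the
# post gives; function names and the </pfsense> check are assumptions.
BACKUP_DIR=${BACKUP_DIR:-/cf/conf/backup}
TARGET=${TARGET:-/cf/conf/config.xml}

# list_backups: newest first, "epoch<TAB>UTC date<TAB>path" per backup.
list_backups() {
    ls "$BACKUP_DIR" 2>/dev/null |
        sed -n 's/^config-\([0-9][0-9]*\)\.xml$/\1/p' | sort -rn |
        while read -r epoch; do
            # FreeBSD date takes "-r epoch"; GNU date takes "-d @epoch".
            when=$(date -u -r "$epoch" 2>/dev/null || date -u -d "@$epoch")
            printf '%s\t%s\t%s\n' "$epoch" "$when" "$BACKUP_DIR/config-$epoch.xml"
        done
}

# nth_newest N: path of the N-th newest backup (1 = latest).
nth_newest() {
    list_backups | sed -n "${1}p" | cut -f3
}

# looks_complete FILE: non-empty and the root element is closed, so a file
# cut short by the same failure that broke the system is rejected.
looks_complete() {
    [ -s "$1" ] && tail -n 5 "$1" | grep -q '</pfsense>'
}

# restore N: copy the N-th newest backup over TARGET, keeping the old file.
restore() {
    src=$(nth_newest "$1")
    [ -n "$src" ] || { echo "no backup number $1 in $BACKUP_DIR" >&2; return 1; }
    looks_complete "$src" || { echo "refusing: $src looks truncated" >&2; return 1; }
    [ ! -f "$TARGET" ] || cp -p "$TARGET" "$TARGET.broken"
    cp -p "$src" "$TARGET" && echo "restored $src"
}

# With an argument, restore that backup; with none, just list what exists.
if [ -n "${1:-}" ]; then restore "$1"; else list_backups; fi
```

Run it without arguments first to see the backups with readable dates, then with a number such as 3 to go back three configurations; steps 6 to 8 of the procedure still follow.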

by plague70

Procedure to restore a pfSense backup from the shell.

Copy the backup to /conf/config.xml, renaming it.

After that, reboot.

by plague70

Problems with Realtek RTL 8111E network drivers

re0: <RealTek 8168/8111 B/C/CP/D/DP/E PCIe Gigabit Ethernet> port
0xe800-0xe8ff mem 0xfdfff000-0xfdffffff,0xfdff8000-0xfdffbfff irq 16 at
device 0.0 on pci2
re0: Using 1 MSI messages
re0: Chip rev. 0x2c800000
re0: MAC rev. 0x00000000
re0: Unknown H/W revision: 0x2c800000
device_attach: re0 attach returned 6

Download the module: https://github.com/downloads/kelsen/modulos/if_re.ko
# copy it to the modules directory
cp if_re.ko /boot/modules/

# load the module
kldload if_re.ko

If everything goes as expected, the card should be recognized and can then be configured with ifconfig.
# load the module at boot
# edit /boot/loader.conf
# insert the line
if_re_load="yes"

found here: http://forum.pfsense.org/index.php/topic,55563.msg299104.html

by plague70

Installing a patch for unofficial packages

Installing System Patch.

System Patch is the package responsible for managing patches within pfSense®; to install it, open the package manager and search for it.

Accessing System Patches

Configuring a patch

The procedure for configuring this patch can also be seen below, or in ConexTI®'s video tutorial on YouTube: https://www.youtube.com/embed/i_FjN6o_6CQ

Adding the patch

To add a new patch, click “Add New Patch”.

Enter a description to identify the patch, and in the “Patch Contents” field put the content below, also found at this link; leave the other parameters as in the image above and then save.

--- /etc/inc/pkg-utils.orig 2018-09-24 17:51:32.458825000 -0300
+++ /etc/inc/pkg-utils.inc  2018-09-24 17:51:54.387033000 -0300
@@ -388,7 +388,7 @@
    if ($base_packages) {
        $repo_param = "";
    } else {
-       $repo_param = "-r {$g['product_name']}";
+       $repo_param = "";
    }

    /*
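Review bot: with the changed line in the else branch, both arms of "if ($base_packages)" now assign $repo_param = "", so the conditional no longer does anything and the "-r {$g['product_name']}" repository restriction is dropped for every non-base query. If the intent is to let packages from additional configured repositories through, collapse the if/else into a single assignment and add a comment saying so. A narrower change would keep the -r argument by default and lift it only behind an explicit setting, since after this patch any repository pkg is configured with can supply packages.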
@@ -485,7 +485,7 @@
                $err);
            if (!$base_packages &&
                rtrim($out) != $g['product_name']) {
-               continue;
+               //continue;
            }

            $pkg_info['installed'] = true;
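Review bot: commenting out "continue" leaves "if (!$base_packages && rtrim($out) != $g['product_name'])" with an empty body, so the comparison is still evaluated but has no effect and execution always falls through to "$pkg_info['installed'] = true". Remove the whole if block rather than leaving dead, commented-out code, or keep "continue" and guard it with an explicit condition if the check should stay for some callers. Either way, add a comment explaining why entries that fail the product-name comparison are now reported as installed.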

Testing and applying

To finish, we need to test (Test) and apply (Apply) the new patch.

After this procedure, the unofficial packages can be found and will be available for installation.

by plague70

Script to reboot if the network fails.

crontab

*/5 * * * * /usr/bin/reset_net.sh

vi /usr/bin/reset_net.sh

#!/bin/bash

HOSTS="8.8.8.8"

COUNT=10

for myHost in $HOSTS
do
    # number of replies received out of $COUNT pings
    count=$(ping -c "$COUNT" "$myHost" | grep 'received' | awk -F',' '{ print $2 }' | awk '{ print $1 }')
    # ping prints no summary line when the network is unreachable; treat that as 0 replies
    count=${count:-0}
    if [ "$count" -eq 0 ]; then
        # 100% failed
        echo "Host : $myHost is down (ping failed) at $(date)" >> /var/log/log_controle_net.log
        systemctl reboot -i
    else
        echo "tudo ok $(date)" >> /var/log/log_controle_net.log
    fi
done

by plague70

Fix for Realtek network cards (RTL8111/8168/8411) that won't connect

Here is another tip for those who are losing their minds trying to get RTL8111/8168/8411 cards working on Ubuntu and its derivatives such as Linux Mint.

This tutorial was tested on cards with the RTL8111/8168/8411 chip, on Kubuntu and Xubuntu 18.04 LTS and Linux Mint 19.03.

It may work with other Realtek cards; test it and report the result.

Do the procedure below at your own risk; after all, if you have already tried everything, I believe you have nothing to lose. It worked perfectly for me.

First of all, you need to be connected to the internet (don't curse me): use your phone's tethering option connected to your PC's USB port, or a USB wireless adapter.

*7 steps.

1- sudo apt-get install linux-headers-generic build-essential dkms

2- wget http://ftp.us.debian.org/debian/pool/non-free/r/r8168/r8168-dkms_8.047.05-1_all.deb

3- sudo dpkg -i r8168*.deb

4- echo "blacklist r8169" | sudo tee -a /etc/modprobe.d/blacklist-r8169.conf

5- sudo modprobe -rfv r8169

6- sudo modprobe -v r8168

7- sudo service network-manager restart

Perfect, now just enjoy your PC and celebrate!

by plague70

ASKEY – RTA9227W Unlocking advanced settings

Unlocking advanced settings on the ASKEY RTA9227W modem/router

    Log in at http://192.168.15.1/padrao

    User: support
    Password: (see the label underneath the device – same as admin)

    Go to http://192.168.15.1/saveconf.htm

    Save the configuration file. Open it in a text editor.

    Change the following lines:

From:
<V N="ENABLE_ADVANCE_PAGE" V="0x0"/>
To:
<V N="ENABLE_ADVANCE_PAGE" V="0x1"/>

From:
<V N="PADRAO_WIFI_ONLY" V="0x1"/>
To:
<V N="PADRAO_WIFI_ONLY" V="0x0"/>

    Save the file and upload it.

    Go to http://192.168.15.1/padrao again

    The settings should be unlocked.

by plague70

How to: Fix pfSense package update stuck at “Writing configuration… done.”

Temporary solution/workaround

1 Log in to the pfSense terminal, directly or via SSH

2 Select 8 (Shell) and press the Enter key to bring up a shell if connected via SSH

3 Execute the following command to kill the package installation process

killall -9 pkg-static

Note: Usually, after this command, we can see the update is done (Not guaranteed)

Note: Usually it’s probably better to reinstall the pfSense system if you have encountered this problem, otherwise chances are, you will encounter the same problem next time when updating/installing/uninstalling the same package.


Other related fixes (may or may not help to fix this issue)

(Best way to fix this issue: wait for the next release, or the one after it, which will fix this issue; developers are aware of it)

If we want to fix this issue for future updates, we can try the following commands

Warning: only execute the following upgrade command when downtime is allowed (just in case)

killall -9 pkg-static
pkg-static upgrade -f

If we want to fix a corrupted pfSense upgrade (update check failed, update does not complete), we can execute the following command

pkg install -y pfSense-upgrade