Authority Sites Blog

Firewalls can be simple and it can be complicated. Most people think that Firewall rules are just rules that block or allow packets from entering or leaving an interface. But it is way more than that. There are some very important best practices to follow to achieve reliable performance. Remember it is not just about blocking – it is also about performance, efficiency and of course keeping track of what is happening on your firewall.

Here are some best practices for setting up your firewall rules:

1. “Stealth” rule. Basically a rule that block attempts to access your firewall and of course log them. Set at the WAN interface. Use drop since they should not be legitimate attempts. No one outside of the network should be attempting to hit the firewall. Some users do need access to the firewall from the WAN though but there are plenty of other ways to get access to the firewall from the Internet.

2. “Cleanup” rule. Although not very important, it is a “good-to-have” kind of rule. Set at LAN interface. It is meant to block all other traffic and should be at the bottom of your rulebase. However most modern capable firewalls are implicitly blocking all traffic other than the ones which you specially allow. But it is good, since you can then log all other unwanted attempts. Also good for tracking weird traffic on your LAN.

3. IP Spoofing rule. Basically rules that ensure no spoofed IP addresses are able to enter or leave the network. Frequently a lot of spyware or viruses “spoof” IP addresses to trick firewalls into thinking that they are legitimate traffic. Drop all private IP addresses at the WAN and other than your LAN IP range, drop all other IP addresses at the LAN. You should also track these traffic at the LAN.

4. Performance. Ensure that those frequently accessed rules are at the top. Remember firewall rules are read from top to bottom. So to improve performance, make sure the top rules are the ones that are frequently used. Imagine if you have 100 rules and each packet have to go from top to bottom, it will definitely slow down your traffic, no matter what kind of high performance firewall you have. Always remember the “top down” approach.

5. Reject or Drop? Not all traffic you want to block are “bad” or malicious. Some are merely things that you don’t want to get out or get it. They might have their purposes in the grand scheme of things. These packets should be rejected so that they won’t keep on attempting to retry. If you drop some of these packets, they might keep on retrying, which will slow down the firewall. Take for example, you want to block all outgoing DNS traffic to a certain DNS server, it might be better to reject these traffic instead of dropping. However there are certain things which you want to drop, especially the ones that come from the WAN side. This is kind of like trying to “stealth” your WAN from hostile attackers and they usually probe and go.

6. Simple is better. Honestly. Your firewall and everyone in your LAN will thank you for it. Don’t have like 10 rules doing the same thing. Bogs down the firewall. And 100 rules can be very hard to administer and is very prone to errors.

7. Check and review the rules regularly. Firewall Administrators might be pressured to quickly act on certain exploits and they have to do it fast. Thus the rules that were entered might not be optimized. Thus it is a good idea to review the rules with a clearer head. Not to mention, some unused rules can be checked and removed if needed.

8. Avoid the “ANY” rule. This is one of the fundamentals in firewall management. Never allow “ANY” traffic to come in as it can be rather dangerous. Should not even allow “ANY” traffic to leave! A good idea is to reject all traffic first and ONLY allow certain traffic to come in (and leave). However most modern capable firewalls should implicitly block traffic at the interfaces already.

9. Document and keep track of all changes made to the firewall rules. Have a good description for the rules help a lot.

10. Update (patch) your firewall. Always patch your firewall application. There might be bugs or exploits that attackers can make use to access or bypass the firewall. And since it is an ongoing battle, it might not be a good idea to ignore and think that you are always safe. Most manufacturers will release patches regularly to help combat new threats as well. Surprisingly, there are quite a lot of administrators who do not update (or patch) their firewalls because they feel it is rather troublesome.

11. Backup firewall configurations. Underneath it all, a firewall is still a device and it can break down. Just imagine all the hardwork you have done setting up the rules and settings, only to have it down the drain in just a few seconds. Always backup your firewall configurations once you have made changes to it. Or even before you make any changes. Just like everything in the IT world, always have a working backup.

Bookmark It

Hide Sites

After a few hours of research, I was able to narrow down my choices to using the Intel DN2500CCE platform. First of all, it is cheap. Might not be able to find one with the dual network ports in Singapore but there is where eBay comes in. Prices are rather reasonable there. Well, the shipping is the killer but overall it is still much cheaper than buying locally. I am guessing this is because such boards are not that in demand here. So retailers will charge a premium for it. Anyway, the DN2500CCE platform is going to be phrased out – one reason is because they have some problems with the built-in graphics (Intel GMA 3600). There are no 64-bit drivers for it! Only 32-bit support. Kind of stupid if you think about it – the D2500 Atom processor is 64-bit yet there are no 64-bit drivers? I am guessing there are some technical issues which the Intel engineers cannot solve hence they ditch the 64-bit support. A mistake but that could be the reason why the prices are so cheap for this model. Good for us right? We get a reasonably powerful system on the cheap.

Another concern is the power usage. Since it will be on 24/7 it would need to be something of a low power device. And as you guys should know by then, the Atom processors are often used in netbooks, Andriod devices and low spec notebooks. The main reason is because it does not consume that much power and hence very suitable for such. And that is exactly what we want! I am certain I don’t want to be confronted with a hefty electricity bill after setting up this Pfsense box and have to ditch it later. For those who worry that the Atom processor is not powerful enough for Pfsense – well, after reading on Pfsense forums, it appears that they are more than adequate to power the device. In fact Pfsense don’t use much processing power. It does require quite a significant amount of memory though. And this platform can support up to 4GB, which again is more than enough for our purposes. Even with Snort, squid, clamav and whatever, it should not even break a sweat. Hey, those high end routers probably don’t even have specifications close to ours. If they can do so much, I think using this board should not be a problem. The Pentium IV system in my office don’t even use 10% of the processing power and that is a very very old system. I am very confidential it should not be a problem. And yes, the board comes with dual Intel network ports. FreeBSD seems to work very well with Intel NICs. Although from what I read, these NICs are a bit outdated in terms of features but I honestly don’t require that much feature. Just a network port for the LAN and another for the WAN. I will stick another 2GB of RAM and maybe a small SSD harddisk to install the Pfsense. That would make 4GB of RAM and even a 32GB SSD would be more than enough. Contary to popular belief, the http proxy server does not require that much of a disk space. Maybe about 200-300MB would suffice.

And how about the casing? I have chosen the M350 mini-ITX casing. It might not be the smallest mini-ITX casing out there but it does offer better flexibility. As for how flexible mini-ITX casings can go, I think there isn’t really much. Hey, they are mini-ITX casings! They are meant to be small and compact! The thing that drew me to the casing is the ability to add additional fans to it. I understand the problem of noise. I hate it. That is why it is important to be able to easily change  or remove fans on your own. The M350 casing allows users to remove fans via a bracket. It is easy to do. If the place where you are placing your Pfsense box has poor air circulation, then add some fans to the device. There are good fans that hardly produce any sound. But do check what are the sizes for the fans. And if you are using a Atom board with a big heatsink, you might run into problems fixing the fans. So it might be a good idea to measure everything. This is what I am afraid of, so I am purchasing everything from the same vendor. They did not indicate any problem with adding more fans to the case, so I think everything should be okay. And the design of the M350 allows good air circulation within the casing via holes. So there should not be any heat trap.

Well, I will be purchasing the parts soon. So wish me all the best and I will post back once I setup the Pfsense box!

Bookmark It

Hide Sites

I am getting rather comfortable with using Pfsense.  Been reading up and doing tons of research on this superb software and I think very soon I will embark on my next project. As you guys know I have been using Pfsense in my office. Just an old Pentium IV system with about 1.5GB of RAM. These pieces of hardware are about 7 years old! And it is running fine! Sure, the power supply gave up a while back, but this is expected. Once the power supply was replaced, everything was smooth. I didn’t face any major problems using Pfsense. Currently it is being used as a very basic NAT router and firewall, as well as some Intrusion Detection. Just added http proxy to it and nobody is complaining. In fact I think it has speed up a little. As you guys should know by now, all the ISPs in Singapore do have transparent proxies so it is actually a proxy behind a proxy.

Anyway, the office setup isn’t a real firewall with all its features intact. This is probably because I don’t want to overload the Pfsense box. Sure we have about 10 users only, but still it would be 10 angry people around if something goes wrong. So why risk it? A better idea would be testing it from my home. However one of the problems of using a off the shelf computer (even old ones) is the power consumption and they take up lots of space. I think running a normal computer system, the electricity bills would cost hundreds of dollars per year. A more practical idea would be using something that consumes less power, like a Mini-ITX Atom based system. Furthermore Atom based systems are pretty cheap nowadays. Well, not in Singapore but in most other countries. That is why I am planning to buy most of the stuff online. Ebay is a good source for such systems and there are sellers that have tested their hardware with Pfsense and knows that it works very well. You will need an Atom board that comes with dual LAN ports – hey it is going to be a firewall cum router. Without dual LAN ports, I believe Pfsense wouldn’t even install for you. Realtek seems to be a bad choice, seeing the number of complains people have with cheap Realtek LAN cards. Since this (the LAN port) is going to be a very important component, it makes sense to spend some time searching for the right one. I would certainly choose Atom boards that come with Intel LAN ports. They are known to be more reliable.

I will be buying the Mini-ITX Atom board and casing online. The rest of the stuff, I think I will get them locally. Overall, Singapore is cheaper when it comes with parts and accessories. Especially the harddisk, which I am afraid that the courier guys will smash it before it even reaches me. In Singapore, the RAM and harddisk from Sim Lim Square is cheap. So no worries about breaking the budget. Since most Atom boards can support only up to 4GB, I think I will go for the maximum. As for hardddisk, there is no real need for it to be real big. Even with tons of log files and cache for the proxy, it would probably not reach what is available in the market nowadays. I will get the cheapest I can find. Once I assemble all the parts, I will report back here. Let the fun begin!

For your information, I actually use to run Monowall as my home router. No harddisk required. Just a CDROM Drive, 2 LAN cards and a floppy disk. All the configuration files are stored in a floppy. Now isn’t that cool. Pfsense is a Monowall fork, which means that they developed Pfsense from the Monowall distribution, which is based on FreeBSD. I had used it for a long time without any problems. However Monowall does not come with many enterprise features. Just a NAT device and a basic firewall. You can use Pfsense as a UTM device but for Monowall, you will be hard pressed to find such features. But they are two entire different beasts. Monowall works very well for small offices that do not worry about intrusions and just want to stop basic attacks on their systems. Most small companies fall into this category. It is not that Monowall is not secure, but bigger organizations might need something more powerful.

Bookmark It

Hide Sites

Been rather busy these few weeks, especially on the weekends.  Work is tough but then we all need to survive right? No work means no money means I have to cook my own thighs for lunch everyday. Some people call it “eat grass” but since I am going green these few days, I don’t want to offend the tree huggers that have been coming to this blog to read my silly little reviews. Anyway, the only real free time I have are at the weekends. That is why you see my posts are often done on Saturdays or Sundays. And the heat in Singapore is like extremely horrible. When I get off from work, all I want to do is to laze around on my comfy chair and not do anything. If you are have coming to my blog for the past few years, you would realize that I used to post nearly everyday without fail. But alas, I am getting lazy again.

As usual, I bought this soap from iHerb. For 78g, I think the price is not that bad. In Singapore, you will can Ayurvedic Soap rather cheaply. But that was a few years ago, not too sure what the prices are these days. I am sure they have gotten much higher than before. You know Singapore right? Everything is expensive, probably because of the high rentals shops have to pay for. But of course they blame it on the high cost of “hiring” local workers. Never once did they mention the high cost of rentals. I guess if you are the main reason why inflation is so high, you probably won’t want to tell the world about it.

Good for Oily and normal skins. What is Kapha-Pitta? Anyway, this has sandalwood, tumeric and neem in it. Especially recommended for blemished or oily skin.

Wow, Ayurvedic formula restores skin equilibrium!

This is authentic handcrafted soap. With no animal testing, no animal ingredients and is cruelty free. I am just wondering what the other companies are doing to the animals with all their testing to make this soap manufacturer print out such claims. It is kind of sad to have the human race on the top of the food chain, isn’t it? We would probably destroy the world, if it didn’t destroy us in the process.

Check it out – made in India!

For countless generations in India, a simple blend of Sandalwood and Tumeric has been applied to the facial skin in the form of a paste to preserve youth, beauty and a flawless complexion. Auromere’s Sandalwood-Tumeric formula combines the naturally astringent, purifying and cooling properties of Sandalwood with complementary cleaning, softening and toning properties of Tumeric and 22 other Ayurvedic oils and herbal extracts used traditionally for optimum care, nourishment and preservation of the skin, including Neem. The cold-pressed coconut oil base provides a rich, creamy lather that gently conditions while it cleanses, leaving the skin soft and fresh. Long sentence spotted. I was nearly out of breathe.

The ingredients are coconut oil, Palmyra oil, water, rice bran oil, alkali, Neem oil, Castor oil, Hydnocarpus oil, Indian Beech oil, Indian Butter Tree oil, Sesame oil, Sandalwood oil, Neem oil, Neem bark, Dhub grass, Indian Gosseberry, Tumeric, Peepal, Indian Licorice root, Celastrus Seed, Corallocarpus epigaeus, Nutgrass, Zedoary, Indian Madder root, Castus, Mung bean and Fenugreek. Wow, that is like many herbs and whatever. The best part is the soap contains no chemicals, colored dyes or harsh detergents. That is what they state there right?

This is the one small piece of soap. 78g, what do you expect. And it smells pretty good too.

My iHerb Referral code is MLD668. Use it to get a US$10 discount for US$40 and above for your first order. Or use it to get a US$5 for anything less than US$40. By the way, iHerb has a discount on DHL shipping to Singapore for orders over US$60. Be safe when shopping online.

Bookmark It

Hide Sites

Well, I have been taking Spirulina since 2009 and it is indeed very good. You know all those multi-vitamins and mineral supplements that everyone seems to be talking about? Well, quite a lot of those vitamins and minerals can be found naturally in Spirulina. I kid you not. So why waste so much money on those supplements and your body might not even be able to absorb most of it anyway. Because Spirulina is actually a food, you can be sure that your body will be able to digest the superfood and benefit from it. If you would like to know what nutrients and vitamins there are in Spirulina, you should read up on the wiki. Yes it is indeed a superfood. But let me introduce to you yet another superfood – Chlorella. Yes, it is just like Spirulina and they do contain a lot of the vitamins and minerals that we need to survive. However, it is known to “bind” with toxic metals in your body and help you remove them. Those nature guys call it “detoxifying”. Whatever, as long as it helps me be healthy, I don’t really care what it is called. Of course it can be a bit difficult to compare Spirulina and Chlorella. I guess most have their advantages and disadvantages. And I am not a doctor nor a researcher.

As usual, I bought this from iHerb. Price is pretty decent as well. Each tablet contains about 1000mg of Chlorella. It has naturally occurring Chlorophyll & Beta-Carotene. And the Chlorella come with broken cell wall, so your body can digest them better (or so I was told).

Wow, good source of Vitamin A, Vitamin C and iron. Not bad right? It is also a good source of Vitamin E, B, K , magnesium and zinc.

Take 3 tablets daily? I usually just take one (or two) per day. If you do need some more supplements, I think you should follow the instructions. In my opinion, if you have a good diet and you are not deficient, then just one tablet is enough. Chlorella is a green single-celled microalgae that has naturally occurring chlorophyll, plus beta-carotene, mixed carotenoids, vitamin C, iron and protein. The cell wall in this high quality Chlorella has been broken down mechanically to aid digestibility.

This is my second bottle. Finished the first in about 2 months. Been feeling fine. Though I do admit when I pass motion, it comes out rather lumpy and hard. Never had this kind of problem when I was eating Spirulina. It got me a bit worried for a while but then I didn’t get sick or feel any discomfort so I think it is okay.

My iHerb Referral code is MLD668. Use it to get a US$10 discount for US$40 and above for your first order. Or use it to get a US$5 for anything less than US$40. By the way, iHerb has a discount on DHL shipping to Singapore for orders over US$60. Be safe when shopping online.

Bookmark It

Hide Sites

Honestly I am not a good cook. You see I am brought up in Singapore where the coffee shop just below your flat has everything you ever need for breakfast, lunch and dinner. And if you get bored, there are many options just within walking distance. And even if these are not enough, a 15-20 minutes bus ride will provide you with god knows how many dining options. So yes, quite a lot of us Singaporeans don’t cook. Even if we do, I think the result will be crap. Anyway, since I have been shopping at iHerb, I have been browsing through the thousands of items they have there and this one seems interesting. It is actually a Teriyaki sauce – you know the slightly sticky Japanese sauce you usually pour over meats? Sounds pretty interesting and the price is also much better than the ones you find in our local supermarkets. Singapore is the only place in the world that everything costs much more than what it is supposed to cost, because the rich and elite need to fund their ego projects. And we accept that being good loyal citizens of the country.

Nice packaging right? But what really counts is the stuff inside.

East-West Sweet Ginger Teriyaki Sauce. It is meant for both cooking and dipping. I wonder how do they get sweet ginger in the first place or is it because the Teriyaki Sauce is already slightly sweet.

The ingredients are soy sauce, sugar, wine and natural spice flavouring. Wow, comes with fresh ginger and fresh garlic. The key word is fresh. Most of the time, we get grounded or dried spices as the ingredients.

Marinade or dip for chicken, beef, pork, fish, shrimp, egg rolls or stir fry vegetables. And it can be a steak sauce substitute!  I think it should work very well as a marinade. Don’t need to put any additional salt as well. If you have a great recipe for making a good marinade, why not share it with others in the comments below?

Made in the USA. We don’t get enough of their products here, especially the organic ones. What we get are McDonalds and the other unhealthy ones that is cramped full of whatever unhealthy fats and other chemical nonsense.

Some nutritional facts for you. Check out the sodium content!

The texture is a bit “liquidy” if you ask me. I had always expected Teriyaki sauce to be slightly viscous and sticky. But I am guessing they meant this more as a marinade than a dip, so that is why it is like that. You can of course heat the sauce up a little and you will have thicken it enough as a dip. I can’t wait to try out new ideas with this sauce. Maybe even use it as a marinade for a barbeque.

The nice top. Looks like a three leave clover.

As usual, I bought this from iHerb. My iHerb Referral code is MLD668. Use it to get a US$10 discount for US$40 and above for your first order. Or use it to get a US$5 for anything less than US$40. By the way, iHerb has a discount on DHL shipping to Singapore for orders over US$60. Be safe when shopping online.

Bookmark It

Hide Sites

You guys know that I am an amateur cook? And when I use the term cook, I use it liberally. And I am not that good at it too. I remember cooking some simple beef a while back and I followed the supposedly try and tested recipes and methods – marinate the meat overnight and use fast and high heat (grilling) to cook it. Turned out to be overdone and tough. The next try, I cut the time used to grill the meat, turned out a bit tasteless. Anyway, at least I am improving. The recent batches of food that I cook actually was a mark improvement than the previous attempts. Even my parents are starting to trust me with the preparation of the food. They used to only ask me to cut a few pieces of vegetables before chasing me out of the kitchen. Now I am doing some of the actual cooking. In all honesty, I think it is something to be proud of.

Anyway if you are thinking of going on to a barbeque, you might want to think of “rubs”. Basically they are a dry mix of spices and herbs that you “rub” them on the meats before you grill them. They are different from marinates as they are rubbed immediately before you put on the grill. The marinades on the other hand should be on the meats for hours, preferably overnight. That way, they are absorbed into the meats. Rubs are easy – you just rub them on the meat and don’t really have to worry about them when you do the grilling.

Hmmm….Nantucket Off-Shore Dragon Rub. Asian seasoning for grills and woks. Remember the “Asians” Americans think of might not be the “Asians” that we are. I am guessing that it is much easier to lump all “Asians” into one big group. Just like how we lump “Whites” into one big group – “Western Food” but in actual fact, there are so many types of “Western Food” out there.

And is that a dragon with a pair of chopsticks grilling the food with its own flame at the Great Wall of China? What’s up with that?

No Salt. All Natural. The exotic and assertive flavours of pan-Asian cooking are combined with yin-yang balance in our Dragon Rub. Rub it on meat, poultry, fish and vegetables before grilling, broiling or baking. Sprinkle into stir-frys. Dragon Rub is also sensational blended into marinades and barbecue or saute sauces. What are saute sauces?

Some directions for use – lightly coat surface of uncooked food with sesame or vegetable oil; drizzle with citrus juice, soy or fish sauce. Rub with Dragon Rub to taste. For stir-frying, mix unto liquid ingredients or sprinkle on food while cooking. The ingredients are lemon grass, ginger, Chinese garlic, Chinese cinnamon, star anise, cloves, lime peel, green onion, cilantro, turmeric, red pepper and sesame seed. And this is a product of the USA!

As usual, I bought this from iHerb. My iHerb Referral code is MLD668. Use it to get a US$10 discount for US$40 and above for your first order. Or use it to get a US$5 for anything less than US$40. By the way, iHerb has a discount on DHL shipping to Singapore for orders over US$60. Be safe when shopping online.

Bookmark It

Hide Sites

Yet another soap for review. I actually have been using the Dr Woods Liquid Black Soap for a few months already. And I must say it is one of the best soaps I have ever used. Of course it is not perfect but it is very close. My skin is definitely better and it works very well for the hair too. For lazy people like me, I guess I cannot ask for more. But since I have been online shopping at iHerb (which can be rather poisonous for my wallet), I have come across numerous brands and types of soap, some of which have rather good reviews. So I decide to try them. This bar of soap is from the same manufacturer of the liquid black soap I have been using, so it should be good. Hopefully.

About 149g of soap. Made with organic shea butter, cocoa butter and oats. I am guessing that they are supposed to be good for your skin. Anyway, this is an “exfoliating body bar” which is also rejuvenating. I don’t really get any kicks from bathing with this kind of soap. All I want is my skin to be clean and not that rough. I have been suffering from sensitive skin since I was young. If I don’t get rashes after bathing, I consider that good already.

All things good?? We want to feel good in all ways – from what we put on our skin or in our body, to how we treat others and our environment. We want to feel special and indulged, without being wasteful or robbing future generations of our natural resources. That’s why we strive to use only the most natural, effective and sustainable ingredients we can find. We make everything here in the USA but search the world sourcing the finest ingredients for our products to create a brand we believe in….a brand that makes a difference by doing what’s right for you, your family and our planet. Hey, this is good. Just imagine destroying the planet and making things difficult for our children in the future. It makes no sense. That is why I always support such brands. Better than those big crappy companies which dirty and destroy the environment so that they can make exact profits.

Made in the USA! Eco-friendly and 100% vegan. Just wonder what kind of ingredients do other soaps are made from.

Some interesting information – our raw black soap with organic Shea Butter, Cocoa Butter and Osats is a moisturizing, deep cleansing exfoliant that’s effective on all skin types. Rich in nutrients, Vitamins A and E, our natural Antioxidant formula helps regenerate skin cells and neutralizes free radicals. In addition to restoring your skin’s natural elasticity, our unique combination of Organic Shea Butter and Cocoa Butter will luxuriously moisturize your skin and give it a healthy glow. We guarantee it. Dr Woods proudly supports women’s cooperatives in Africa that process thee plantains and harvest the Shea nuts used in our Raw Black Soap with Shea Butter. Indulge with good intentions. Hope that what they say is true.

Some ingredients.

Check it out – Black soap is not black at all. More like milky. If you were to check out the real black soap on eBay, they are indeed black. Yes, they do look like lumps of crap someone just left behind after doing their “big” business. But I am guessing disgusting looking black soap would not sell very well in the markets of the developed world. So they are left with no choice but to make it look more presentable. I hope that they don’t take out too much of the good stuff that makes black soaps one of the best types of soap in the world.

My iHerb Referral code is MLD668. Use it to get a US$10 discount for US$40 and above for your first order. Or use it to get a US$5 for anything less than US$40. By the way, iHerb has a discount on DHL shipping to Singapore for orders over US$60

Bookmark It

Hide Sites