Monthly Archive for January, 2009

Port Mapping on the Cisco PIX (Intro to Static NAT and Access Lists)

I’ve found that people who have never configured a “real” firewall before often seem to get confused with the multi-step process involved in configuring port mapping on something like a Cisco PIX. But it’s really very simple when you understand the purpose of each step.

The first thing you need to do is create a static NAT rule. This is how you map a “virtual” address (i.e. a public IP address on the “outside” interface of your firewall) to a “real” address (i.e. a private IP address behind your firewall). In the following example, I’ll create a static NAT rule for a typical HTTP server:

static (inside,outside) tcp interface 80 192.168.180.2 80 netmask 255.255.255.255

This command breaks down as follows:

  • static: The command to modify static one-to-one NAT rules.
  • (inside,outside): The “real” IP address of the server is attached to the interface named “inside,” and the “virtual” IP address of the server is attached to the interface named “outside.”
  • tcp: This rule matches TCP traffic.
  • interface 80: This rule matches traffic sent to port 80 on the “virtual” IP address. Note that the “interface” keyword is like a variable that holds whatever IP address is assigned to the interface. You can use an actual IP address instead, but I like to use “interface” when possible, because it allows the access lists to keep working even if the PIX’s public IP address changes.
  • 192.168.180.2 80 netmask 255.255.255.255: Map the incoming traffic to port 80 on 192.168.180.2 with a netmask of 255.255.255.255. You always use “netmask 255.255.255.255” when referring to a single host.

Static NAT rules allow you to direct incoming traffic to the appropriate servers behind your firewall. However, they do not say anything about who is allowed to send traffic to your servers, and the PIX will deny everything by default. This is where access lists come in. An access list asks four main questions:

  • What kind of traffic are we talking about?
  • Where is the traffic originating?
  • Where is the traffic going?
  • What do you want to do with the traffic (permit/deny)?

For the HTTP server above, the access list entry looks like this:

access-list outside_access_in permit tcp any interface outside eq http

The access-list command breaks down as follows:

  • access-list: The command to modify access lists.
  • outside_access_in: The name of this particular access list.
  • permit: This rule will permit traffic.
  • tcp: Match TCP traffic.
  • any: Match any source IP address. You could also specify a host or network here.
  • interface outside: Match traffic destined for the IP address associated with the outside interface. Again, you could also specify a host or network here.
  • eq http: Match traffic destined for the “http” port. Note that I could have used the port number (80) here as well.

Once the access list is created, we need to bind it to the appropriate interface. In this case, I want to bind it to the “outside” interface, since that’s where my public port 80 traffic will be destined:

access-group outside_access_in in interface outside
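The three steps above only work together: a static with no matching permit entry is unreachable, a permit entry with no static is a stale hole in the policy, and an access list that is never applied with access-group does nothing. The following script, an added example that is not part of the original post, cross-checks a PIX configuration fragment for exactly those mismatches. It assumes the PIX 6.x syntax shown above; the sample configuration and the PORT_NAMES table are constructed for the example.

```python
import re

# Constructed PIX configuration fragment (sample input for this example, not from a real device).
SAMPLE_CONFIG = """
static (inside,outside) tcp interface 80 192.168.180.2 80 netmask 255.255.255.255
static (inside,outside) tcp interface 25 192.168.180.3 25 netmask 255.255.255.255
access-list outside_access_in permit tcp any interface outside eq http
access-list outside_access_in permit tcp any interface outside eq 443
access-list dmz_access_in permit tcp any interface dmz eq 22
access-group outside_access_in in interface outside
"""

# Port keywords the PIX accepts in place of numbers (subset, assumed for this example).
PORT_NAMES = {"http": 80, "https": 443, "smtp": 25, "ssh": 22}

STATIC_RE = re.compile(r"^static \((\w+),(\w+)\) (tcp|udp) (\S+) (\S+) (\S+) (\S+) netmask")
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (tcp|udp) (any|host \S+) (interface \w+|host \S+|any) eq (\S+)")
GROUP_RE = re.compile(r"^access-group (\S+) in interface (\w+)")

def port_number(token):
    """Resolve a port keyword such as 'http' to its number; numeric tokens pass through."""
    return PORT_NAMES.get(token, int(token) if token.isdigit() else None)

def audit(config):
    """Cross-check statics, access-list entries and access-group bindings; return findings."""
    statics, permits, bound = [], [], {}
    for line in config.splitlines():
        if m := STATIC_RE.match(line):
            _real_if, mapped_if, proto, mapped_ip, mapped_port, real_ip, real_port = m.groups()
            # Name the mapped address the way an ACL destination does ("interface outside" or "host x").
            dst = f"interface {mapped_if}" if mapped_ip == "interface" else f"host {mapped_ip}"
            statics.append((mapped_if, proto, dst, port_number(mapped_port), real_ip, real_port))
        elif m := ACL_RE.match(line):
            name, action, proto, _src, dst, port = m.groups()
            if action == "permit":
                permits.append((name, proto, dst, port_number(port)))
        elif m := GROUP_RE.match(line):
            bound[m.group(1)] = m.group(2)  # list name -> interface it is applied on
    findings = []
    for iface, proto, dst, port, real_ip, real_port in statics:
        # A static only passes traffic if a list bound on its mapped interface permits the mapped port.
        if not any(bound.get(n) == iface and (p, pt) == (proto, port) and d in (dst, "any")
                   for n, p, d, pt in permits):
            findings.append(f"static {real_ip}:{real_port} ({proto}/{port} on {iface}) is unreachable")
    for name, proto, dst, port in permits:
        if name not in bound:
            msg = f"access-list {name} is never applied with access-group"
            findings += [msg] if msg not in findings else []
        elif not any(s[1:4] == (proto, dst, port) for s in statics):
            findings.append(f"{name} permits {proto}/{port} to {dst} but no static maps it")
    return findings
```

Run against the sample, it reports the SMTP static with no permit entry, the port 443 permit with no static behind it, and the dmz_access_in list that is never applied.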

WordPress 2.7 and Parent/Child Themes

I upgraded to WordPress 2.7 this morning, and since Sandbox (which my old theme was built on) hasn’t been updated in forever and has known deficiencies with WordPress 2.7, I also installed K2. Before switching themes, I poked around a little to see what else is out there in the world of “blank” or “reset” themes, and that led me to discover that apparently, I was way ahead of the curve with this whole “child theme” thing. Do a Google search on “wordpress child theme,” and you’ll find a lot of very recent posts from prominent WordPress people talking about how this is the future of theming in WordPress, with tons of comments from people who didn’t even know the functionality existed. Weird.

I just wish WordPress would start shipping with an officially supported “blank” or “reset” theme by default, because I can’t stand any of the themes I’ve come across so far.  Just look at the header on this one.  That thing takes up 1/3 of my screen for a page title and a menu.  What a waste.  I could easily fit that information into something 15px high!  See, this is what I mean by nobody having any taste.  It’s as if all the web designers out there are designing for wide screen plasma TVs lately.

Anyway, here’s a list of some new “parent” or “framework” themes I came across today, just in case I decide to make a new minimalist theme for my website: