Diary of a Network Geek

The trials and tribulations of a Certified Novell Engineer who's been stranded in Houston, Texas.

6/16/2005

Firewhat?

Filed under: Career Archive,Deep Thoughts,Geek Work,Life, the Universe, and Everything,News and Current Events,Review — Posted by the Network Geek during the Hour of the Rooster which is in the early evening or 6:36 pm for you boring, normal people.
The moon is Waxing Gibbous

The secret word for today is “firewall”.
Not only is it an essential part of any connection to the Internet, it’s also what I installed today at work. Yes, that’s right, what I thought I was looking at in the config of the weird, little Covad router was NOT a firewall or even an active filter set. Unfortunately, I found that out the hard way when I rebooted the router last week and the filters activated, killing everyone’s Internet access. I’m not sure who was more surprised, the support tech or me, when they discovered the active filters. I know I was more shocked than the tech when he told me that they don’t support firewalls built into their routers. In short, we were flapping in the proverbial breeze. And, apparently, we had been since, well, since they’ve had an Internet connection. Doh!
Anyway, after a bit of scrambling and some gulping at spending real money for a real firewall, I got a D-Link DFL-1100. It’s a nice, little firewall appliance that has a built-in DMZ, for later use with a mail server, and IDS detection with e-mail notifications. It was pretty easy to configure, once I got the details on the funky Covad router. I really don’t like them. Hooked directly to the console port on the router, I still had refresh issues and timing strangeness that got really frustrating when I had everyone in a hurry to get their e-mail. Damn irritating. The DFL-1100, however, was pretty simple to install and configure. It even had predefined filters and exceptions that seemed to be working just fine. I’ll probably fine-tune that over the next couple of weeks, but, for now, it works okay.

It’s really frightening to me, though, that they could have gone for so long without any protection at all. How could an Internet company sell service to someone and not check with them about having a firewall in place? How could anyone who knows anything about the Internet leave a connection open for literally years? I wonder how many spam problems will go away here, now that I’ve gotten a firewall in place?
Of course, I’m pretty disappointed in myself for not understanding what I was seeing in that Covad router, too. I should have caught that sooner. Sure, I don’t mess with routers on a regular basis, but I’ve done it enough that I should have seen this. Well, at least it’s taken care of now. Lord, help me, what will I find next?

9/9/2004

Cool Solutions: DFMail.pl

Filed under: Fun Work,Geek Work,News and Current Events,Novell,PERL,Personal — Posted by the Network Geek during the Hour of the Snake which is just before lunchtime or 11:29 am for you boring, normal people.
The moon is Waxing Gibbous

A few comments about my Cool Solutions solution.

First, it’s best to run this as “perl --noscreen dfmail.pl”. Of course, this assumes that you copied this to your sys:perl\scripts directory first. I’ve gotten several e-mails (already!) about “errors”. Those shouldn’t show up with the --noscreen option. In fact, I think they’re just informational messages because I used the “-w” option in the first line of the script. That means “show warnings” to the PERL interpreter. If you remove that, just the “-w”, the script should run without those problems.
Second, you have to have the settings right on your mail server or it won’t send mail! If you’re getting a message that says “failed to connect”, or something similar, that’s what’s happening.

To be honest, I was somewhat surprised to see that this old thing had gone up on Novell’s Cool Solutions website. I actually wrote this stinker last year and posted an entry about it in February. I sent this to them about two months ago and just heard back. I had totally forgotten that I’d even sent it!
Anyway, it’s a pretty “quick and dirty” solution to an ugly problem at my old job. I ended up not even using it because we were so strapped for disk space that I had to actually delete PERL from those servers. Anyway, it’s a free monitoring tool that uses the “duct tape of the Internet”, PERL. You can see the actual entry here. If you like it, vote for it!

UPDATE: Jürgen Schmitz from Germany discovered that PERL version 5.06, which is native on NetWare 6 if you haven’t done any upgrades, etc., needs UCSExt changed to Perl2UCS.
So, replace the first couple of lines with:
use Socket;
use strict;
use Perl2UCS;    # replaces UCSExt

# Get the UCX server object and read the server name from it
my $server = Perl2UCS->new("UCX:Server") or die "Can't get UCX:Server object";
my $sname = $server->{"NAME"} or die "Can't get NAME from ucx:server object";
# Get the UCX volume manager object
my $volume_mgr = Perl2UCS->new("ucx:volumemgr") or die "Can't get ucx:volumemgr";

That should do it!

