Debian GNU/Linux based Firewall (FOSS)

Would You like to be in control of your own firewall?

Inspired by the "Ubuntu Firewall build" by Joff Thyer of Blackhills Information Security - please send some beer tokens his way - I wanted a Firewall built on FOSS whereever possible. While there's some driver blobs, if you choose the PC Engines APU system the BIOS is coreboot based moving the HW in the right direction too.

This is a companion blog post, the Bash shell script for a semi-automated installation of the Firewall is on my github

So what is in the build:
  • Debian 10 (Buster): Install this yourself (Install on APU w serial)
  • BIND9: For local Domain Name Resolution
  • ISC-DHCP-SERVER: For providing DHCP to the internal network(s)
  • NTP: It's worth your time. Installation should disable timesyncd but the script do some cleanup to make sure.
  • DShield iptables client: Quote: "DShield provides a platform for users of firewalls to share intrusion information. DShield is a free and open service". We must give back when we can, and this is a good opportunity.
  • Filebeat: Ingest logs into a local Elastic Stack setup (if you don't use it yet, you should :)
Using the APU4C4 with a wle600vx card* the NICs and their usage is as follows:

Connection IP address NIC
Internet DHCP (ISP) enp1s0
homenet enp2s0
homenet enp3s0
homenet enp4s0
homenet wlan0

The nets are all /24. the name "homenet" is used when configuring BIND9, but call it what you want :)

*Wanted to use the WL900vx but there are only 2 cutouts for antennas in the case for the version with 4 NICs, so chose the WL600.

The hardware

Since 2016 this firewall setup has been running on different HW, starting with an Intel Atom based system, over a Intel Celeron based system, to the current setup with the PC Engines APU4C4. The shell scripts provided on github use those specific NIC names, however all I did for the new install was search and replace the previous names with the new ones, and everything worked after that.

PC Engines APU4C4



Q: Why didn't you just use PFSense or OPNSense?
A: Doesn't support the Wireless Card used & Debian is preferred distro

Q: Why DShield? Can they be trusted?
A: DShield does a lot of work for us in the community and we should give back. I believe they can be trusted, but do exclude other information than "just" the defaults from the iptables client.

Q: Is the shell script thoroughly tested?
A: Not really, it certainly need (way) more testing, and changes have been made that have only been tested in isolation, so please provide feedback/raise a bug or PR. I also changed the subnets and some settings of iptables for obscurity.


To honeypot or not to honeypot, that's the question

Sharing is caring. SANS / DShield provide a prebuilt Cowrie-based honeypot that's very easy to install.
You can find a tutorial here [1] as well as some old stuff here: [2]

So during the holidays/nights/weekends/whatever go install this - It runs well on a Raspberry Pi (and faster, stronger, fancier) so there's no longer any valid excuses not to honeypot!

Your home firewall can also easily be used for the purpose of honeypotting, just forward the relevant iptables/pf logs to DShield as well. Further details on configuring this can be found here [3]

[1] DShield Honeypot: https://isc.sans.edu/honeypot.html
[2] Peerlyst article "Are you submitting your logs to DSHIELD": https://www.peerlyst.com/posts/are-you-submitting-your-logs-to-dshield-martin-boller
[3] HowTo: Submitting logs to DShield https://isc.sans.edu/howto.html


Windows 10 Evaluation Build 1903 Download for testlab

Keep forgetting the download link to Windows Evaluation Versions?

Basically it's always available at https://software-download.microsoft.com/download/pr/ $ISO_NAME

For Windows 10 build 1903 (May 2019) it is:

sha256sum (or get-filehash filename -Algorithm SHA256 | Format-List) should produce:

Specifically for Packer:
  "variables": {
    "iso_checksum": "ab4862ba7d1644c27f27516d24cb21e6b39234eb3301e5f1fb365a78b22f79b3",
    "iso_checksum_type": "sha256",
    "iso_url": "https://software-download.microsoft.com/download/pr/18362.30.190401-1528.19h1_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso",
    "autounattend": "./answer_files/10/unattend.xml",
    "disk_size": "61440"

The easiest way to find the ISO filename is to register on https://www.microsoft.com/en-us/evalcenter/
Get the name from that download and calculate the hash, then automate the installation (Using Packer or whatever your favorite is).

The same principle apply for Windows Server.
Server 2016: 17763.379.190312-0539.rs5_release_svc_refresh_SERVER_EVAL_x64FRE_en-us.iso
 is available at


It's about 5 years too late - But let us kill Internet Explorer


When even Microsoft doesn't support it anymore, there's a Window of Opportunity to get the funding to make it happen

Go prepare that presentation for management showing why anything requiring IE should go - NOW!

Any system that still require IE is outdated and thus likely a security risk, so identify those and do something about it. Identify the developer or vendor of those applications and have them updated.

If a vendor still only support IE or Flash or Silverlight, look elsewhere, they're not worth your time and money.

If you still require IE for some crappy internal application, blocking it from accessing the Internet (UserAgent "Mozilla/4.0 (compatible; MSIE*") will significantly lower your risk.

The upgrade recommendation on Github should be read from right-to-left if you want to protect your privacy too:

  1. Firefox 
  2. Google Chrome
  3. Microsoft Edge


Worth reading too:


DMARC Reporting: Use Parsedmarc with Elastic

If you’re worried about hosting your DMARC data (not least the Forensics reporting) with a cloud provider, or just simply want to self-host because You’re already running the Elastic Stack or Splunk and want to save the $$ for the provider, there’s a tool for you called ‘Parsedmarc’ [1].

For further information on the tool, please read the description at [1] (It would be stupid repeating all of that here).

For the purpose of installing Parsedmarc on the Elastic Stack, here’s a simple shell script to do just that [2].

Prerequisites for the script:
  • Python3 Pip
  • X-Pack Security - You really should use that, it's part of the Basic License now
  • Run the script on the Elasticsearch node on which you want Parsedmarc to run
  • I disagree with using Cloudflare for name resolution, if your local DNS resolvers aren't running faster and better than them, you should look into your DNS setup, as well as use RPZ's to protect your organization.
And please don't forget to spare a thought (or a dime) for @seanthegeek who made this possible.


Installing logstash-filter-tld plugin for newer Logstash versions

The logstash tld plugin (logstash-filter-tld) is used to extract the individual labels of a fqdn. This is great for analysis of e.g. domains from a Domain Generation Algorithm (DGA). Unfortunately this plugin does not work on newer logstash versions. (See https://github.com/logstash-plugins/logstash-filter-tld/pull/10)
This is caused by java version requirements. To make it work, all that is needed is changing that requirement, then (re)building the gem. This is a few simple steps (done on Debian below - substitute with your distros package manager).
On the development machine:
The finalized plugin is now saved as logstash-filter-tld-3.0.3.gem. Copy that to your logstash instances, then install it using:
  • /usr/share/logstash/bin/logstash-plugin install --no-verify ./logstash-filter-tld-3.0.3.gem

For the logstash .conf-file(s) here's an example using the tld plugin:
filter {        

   tld {

        source => "computer_name"


    mutate {

        rename => { "[tld][domain]" => "highest_registered_domain" }

        rename => { "[tld][trd]" => "sub_domain" }

        rename => { "[tld][tld]" => "top_level_domain" }

        rename => { "[tld][sld]" => "parent_domain" }


Take a look at these logstash configurations too: https://github.com/HASecuritySolutions/Logstash

This post was first published on Peerlyst: https://www.peerlyst.com/posts/installing-logstash-filter-tld-plugin-for-newer-logstash-versions-martin-boller


Skills shortage in Cyber Security

Part of the skills shortage in Cybersecurity is caused by the time wasted explaining the basics to the numerous tricksters in our line of work. It's nigh impossible to counter all the BS from the checkmark brigade. People don't scale.

The trouble is that the easy solutions are compelling, and that the lack of a consistent story is ruining it for all of us - it is easier to sell "we have a firewall, so it's secure" than "we need to improve our detection and response capabilities - and oh, btw. I need two more FTEs for Threat Hunting".

While wasting our time explaining the basics over and over again, we miss the opportunity to mentor and grow real competences in security and it has to stop. There's competences everywhere; In help-desk, in Dev, in HR, but they - too - are being held back by the personalities discussed above, so let's all help grow the ones that can make a difference and call out the tricksters.