Does anyone have a detailed fix that I can perform myself to take care of the GG Blade bug that prevents me from accessing Iambe? This is usually part of my daily routine:
Since the bug is low on NetMaster’s priorities I thought maybe someone out there knows of how I can modify something more permanent than daily modifying the spoof file for the firewall and restarting. So if anyone has this knowledge and the time to share it feel free, not that logging into the device and reconfiguring the firewall and restarting it has become REAL annoying or anything, just a PITA.
Posted by Muckhead at September 12, 2003 11:57 AM
Ya Kevin, this is pretty easy. Like you, I have been frustrated with the lack of updates coming out of NetMaster. It's like they don't care about security of their product anymore. With the amount of vulnerabilities and bugs that are now available in the packages, I am quite upset that there hasn't been any real updates since I left. NetMaster tells me some major releases are supposed to be happening before the end of the year, but we will have to wait and see.
The problem is pretty easy to fix, which makes this even more pathetic. I would recommend that you do this off the card, and on a separate linux box.
Do the following:
1. Log onto the FC
2. On the session with the fc: mnt 1
3. From the other linux box: scp -P 222 /1/core.gg .
3. mkdir fix (ie /home/dana/fix)
4. cd fix
5. bunzip2 -c ../core.gg | tar x
6. cd etc/fw (should now be in ~/fix/etc/fw)
7. vi spoof
8. Make your changes, save and exit
9. if a spoof~ file exists, go to 9a, otherwise go to 10
9a. rm spoof~
10. cd ../.. (should now be in ~/fix)
11. tar cfj ../core2.gg *
12. cd .. (should now be in ~)
13. rm -rf fix
14. scp -P 222 core2.gg root@:/1/core.gg
14. On the session with the fc: umnt 1
15. On the session with the fc: reboot
At this point on reboot the new setting should now load for you every time.
You could almost do this on the card, but I believe that you cannot use tar with the "j" switch because we used busybox tar cmds, which doesn't support bunzip2 directly through it.
You will note when repackaged I called it core2.gg. This is just in case you do something wrong ;-)
Give it a try. If you have any real difficulties let me know. I would build you a package but I basically hacked my card to secure some areas I was not happy with and felt could be better secured, and may not have the same stuff in the core as you (which could REALLY screw your card up :) )
If you sent me the core.gg I could probably build it for you... but I am sure someone like Alan will take these directions and make a core.gg for all FC users! (That's a challenge Arc :) )
I apologize that this hasn't been fixed for you. If I still worked there this sort of thing would never happen. It is just not responsible and fair to clients. Hopefully their next version will fix a lot of these problems, including the lack of updates/fixes.
Posted by: SilverStr at September 12, 2003 02:27 PM
I honestly don't remember how I managed to get rid of the spoofed IPs in my system. However, a start up script (silverstr is working on one now) would do it easily.
Posted by: Arcterex at September 12, 2003 02:57 PM
Arc and I were just talking and he was wondering if there was an easier way with a custom script... maybe nuke the spoof file. I have expanded on that thought to give you an interim fix which is better.
If you don't want to do all that work, just add the following in the custom script line in CSM
ipchains -D input -i eth1 -s 69.0.0.0/8 -j DENY -l
Posted by: SilverStr at September 12, 2003 03:07 PM
Oh, one last thing to that custom script hack. It will work ONLY on boot up. If you for any reason re-run the firewall config (ie: make a rule change) the old blocked spoof will come back. Which is why you should properly fix it with my first recommendation. :)
Should work for your rebooting issue though Kev. Have fun.
Posted by: SilverStr at September 12, 2003 03:10 PM
The fix is in place and works like the charm. Thanks Dude! I knew it wasn't a big thing to fix, just didn't want to screw with the card.
Made changes rebooted and I get to go where no Muckhead was allowed to before. I now have one annoying thing LESS to deal with in my life on a daily basis, and this is a GOOD thing.
Posted by: Muckhead at September 12, 2003 03:23 PM
I'm still puzzled why I can get to everywhere on the 'net just fine with my FCP, and you guys are having to hack around...
Posted by: Wim at September 13, 2003 02:29 PM
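
An added example, not part of the thread and not NetMaster's or any poster's code: it does steps 5 to 11 of the core.gg repack described above in one pass, copying the archive member by member instead of extracting it, so file ownership and modes are carried over unchanged and top-level dotfiles (which the `*` in `tar cfj ../core2.gg *` does not match) are kept. It is in Python so each tar header can be copied as-is; it assumes the spoof file lists one network per line, the function names are hypothetical, and the sample archive is constructed.

```python
import io
import tarfile

SPOOF = "etc/fw/spoof"  # member path inside core.gg, per the steps above


def _norm(name):
    return name[2:] if name.startswith("./") else name


def repack_core(src, dst, network):
    """Copy src to dst minus `network` in etc/fw/spoof; returns (removed, dropped)."""
    removed, dropped = 0, []
    with tarfile.open(src, "r:bz2") as tin, tarfile.open(dst, "w:bz2") as tout:
        for m in tin:
            if _norm(m.name) == SPOOF + "~":  # editor backup (step 9a)
                dropped.append(m.name)
            elif _norm(m.name) == SPOOF and m.isfile():
                lines = tin.extractfile(m).read().splitlines(keepends=True)
                kept = [l for l in lines if l.split()[:1] != [network.encode()]]
                removed += len(lines) - len(kept)
                data = b"".join(kept)
                m.size = len(data)  # only the size changes; owner/mode/mtime stay
                tout.addfile(m, io.BytesIO(data))
            elif m.isfile():
                tout.addfile(m, tin.extractfile(m))
            else:
                tout.addfile(m)  # directory, link or device: header only
    return removed, dropped


def spoof_entries(path):
    """Read back the spoof list from an archive to check the result."""
    with tarfile.open(path, "r:bz2") as t:
        for m in t:
            if _norm(m.name) == SPOOF:
                return t.extractfile(m).read().decode().splitlines()
    return None


def make_sample(path):
    """Constructed stand-in for core.gg; the real file's contents differ."""
    files = {SPOOF: b"10.0.0.0/8\n69.0.0.0/8\n192.168.0.0/16\n",
             SPOOF + "~": b"old\n", ".profile": b"PATH=/bin\n"}
    with tarfile.open(path, "w:bz2") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mode, info.uid = len(data), 0o600, 0
            t.addfile(info, io.BytesIO(data))
```

Run it on a copy, for instance `repack_core("core.gg", "core2.gg", "69.0.0.0/8")`, and check `spoof_entries("core2.gg")` before copying the result back to the card.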