The minimum firewall ports for a Windows domain controller and linux server

In order for a Linux (client) box to communicate with (and perform NTLM auth) a Windows domain controller through a restrictive firewall you would need the following ports opened at a minimum:

udp 53
tcp/udp 88
tcp/udp 135
tcp 139
tcp 389
tcp 445
tcp/udp 464

Add comments to IPTables firewall rules

Instead of just documenting the IPTables configuration file eg: /etc/sysconfig/iptables with comments (#’s) you can also input comments as part of the ruleset itself. So when you perform iptables -L -v -n you get the following output:

root@server070:[~]: iptables -L -v -n
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  64M 4727M ACCEPT     all  --  *      *             state RELATED,ESTABLISHED
    5   474 ACCEPT     icmp --  *      *  
 202K   27M ACCEPT     all  --  lo     *  
   16   880 ACCEPT     tcp  --  *      *             state NEW tcp dpt:22
 137M   38G ACCEPT     udp  --  *      *             udp dpt:514 /* Syslog traffic */
   28  1664 ACCEPT     tcp  --  *      *             tcp dpt:514 /* Syslog traffic */
41067 2050K ACCEPT     tcp  --  *      *             tcp dpt:9997 /* Universal Forwarder traffic */
    0     0 ACCEPT     tcp  --  *      *             tcp dpt:8089 /* Splunk SSL traffic */
   47  2564 ACCEPT     tcp  --  *      *             tcp dpt:8000 /* Splunk web interface */
14135 1313K LOG        all  --  *      *             limit: avg 5/min burst 5 LOG flags 0 level 7 prefix `iptables denied: '
 218K   21M REJECT     all  --  *      *             reject-with icmp-host-prohibited

All that you need to do use the following example in your configuration file:

root@server070:[~]: cat /etc/sysconfig/iptables
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 514 -m comment --comment "Syslog traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9997 -m comment --comment "Universal Forwarder traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8089 -m comment --comment "Splunk SSL traffic" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8000 -m comment --comment "Splunk web interface" -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited

Happy commenting!

Configure UTM 220 LCD panel under Linux

I had the task of rebuilding an Astaro UTM 220 with CentOS and the LCD panel looked so lifeless, So I decided to restore it to some version of functional! From my research I can see that the display is LCM-162 and utilises the lcd driver HD44780.

In a nut shell here is what I did:

  • Download LCDproc (
  • Modify: lcdproc-0.5.6/server/drivers/hd44780-ext8bit.c


#define RS  STRB
#define RW  LF
#define EN1 INIT 


#define RS  SEL
#define RW  INIT
#define EN1 LF 
  • compile it with option: ‘./configure –enable-drivers=hd44780′
  • make && make install
  • Modify: /usr/local/etc/LCDd.conf


  • Line 53: Driver=hd44780
  • Line 502: ConnectionType=8bit
  • Line 509: Device=/dev/parport0
  • Line 544: Size=16×2

Test it:

LCDd -f -r 4 -c /usr/local/etc/LCDd.conf &
lcdproc -f -s localhost -p 13666 C M L

If it works its just a matter of copying: scripts/init-LCDd.rpm and scripts/init-lcdproc.rpm to /etc/init.d and configuring chkconfig properly.

Hopefully that helps.

SSH Forced commands from Web Page

Are you a paranoid nerd, who’s business requirements are very strict about IT security? No, well you may as well stop reading here.

Perhaps you have a business requirement to perform some random function on a server that only allows SSH access, but the rest of the business requires simple press button access to perform those functions?

Well with SSH force command wrappers, SSH keys and PHP you too can have simple click button access for the rest of the business!

Basically with a Linux apache server with PHP use the following code:
[Read More…]

Squid ICAP Syntax with F-Secure Internet Gate Keeper (IGK)

*** UPDATE September 2015 - This article has been updated with the correct syntax and confirmed working on Squid 3.3.8 ***

The doco for IGK is some what lacking for the ICAP settings but it does mention ” Refer to the documentation of the proxy for information on how to set it up”. That’s not very helpful so I contacted F-Secure technical support and asked them. This is the reply:

You will need to add these lines to Squid config file:

icap_enable on
icap_send_client_ip on
icap_service service_req reqmod_precache bypass=1 icap://[IP address of IGK]:1344/request
adaptation_access service_req allow all
icap_service service_resp respmod_precache bypass=0 icap://[IP address of IGK]:1344/response
adaptation_access service_resp allow all

Unfortunately that still doesn’t work for some unknown reason and I am only getting the error:


I don’t have anymore time to spend on this, I guess I’ll just use the F-Secure HTTP proxy as a parent proxy for squid.