NetMAX Newsletter - October 2003

1. [Update] NetMAX 4.05 Update Available
2. [Support] New Support Pricing
3. [Technical] NetMAX Traffic Rerouting Tips
4. [General] Let's Hear From You

1. NetMAX 4.05 Update Available
**************************
NetMAX has just released an update to the NetMAX 4 product family that
will upgrade all NetMAX 4 products to version 4.05. It is strongly
recommended that all users use NetMAX Package Management to install
this update at their earliest convenience.
New in NetMAX L24Pv4.05:
- Updates OpenSSL libraries and binaries to version 0.9.7c due to security vulnerabilities.
- Updates OpenSSH to version 3.7.1p2 due to a potential security vulnerability in PAM authentication.
- Updates the DNS service (BIND) to version 9.2.2-P3 due to potential buffer overflow vulnerabilities.
- Updates the FTP daemon (proftpd) to version 1.2.8p due to a potential remote exploit vulnerability.
- Prevents SSH login as the root user.
- DNS Commiter now honors commit.conf entries.
- Traffic rerouting for ftp sites on IP addresses other than the primary IP for the NetMAX should now work again through the ip_vs_ftp module.
- Now validates against specifying an IP address for the NetMAX server on one or more network interfaces if NAT is enabled.
- Now validates against multiple VPN certificates containing the same server ID or host ID.
- Removes files from the 4.04 release that would conflict with detection of SCSI volumes in certain instances.
- Now increases the effectiveness and accuracy of SpamFilter for E-mail Powerpack products over the 4.04 release.
- Validates against creating VPN connections with remote networks that are already handled through non-VPN routes.
For more information, please visit the NetMAX web site:
http://www.netmax.com/support/downloads/downloads.html

2. New Support Pricing
*******************
Last month, we invited some of our customers to fill out a survey telling us
what they liked about NetMAX and what they would like to see improved -- and
congratulations to Phil Shenal who won the drawing for the Magnia SG20! One
of the recurring themes we saw in the results was that most folks thought our
Support Pricing could use some simplification.

So, we've listened and re-worked our support pricing for NetMAX! Now, you can
call NetMAX Support for $49 per half hour... no more higher prices for old
NetMAX versions, or deciding whether to buy bundled installation support when
you buy something in our store. Just call us when you need us, and we'll be
there to help.

Don't worry, we still offer NetMAX consulting services for custom work too...
but we've lowered the price of it to $75 per half hour to be more in line
with our new support pricing!

More details on the NetMAX Support Policies are available online:
http://www.netmax.com/support/contact_support/policy_sup.html

Also, if you weren't included in the last survey group and would specifically
LIKE to be included in the next one (you could win a Magnia SG20 just for
helping us out!), drop us a line and tell us so! See story #4 for the best
methods to contact us.

3. NetMAX Traffic Rerouting Tips
**************************
What is it?

Traffic Rerouting, or port forwarding, takes all network traffic
destined for a specific port on a specific IP address, and redirects
or forwards it to a port on another machine on the network. In this
way, machines with private IP addresses can still act as servers by
having public internet traffic rerouted to them. From the perspective
of external users, all communications seem to be made directly with
the NetMAX server. Please note that traffic rerouting only works for
TCP and UDP traffic.

How is it done?

Configuring traffic rerouting is done in
Home->Network->Routing->Reroute. Here you need to specify a port on
the externally available hostname, and a machine and port to redirect
it to. After you commit these changes, any traffic directed to that
port of the hostname you chose will be redirected.

What else is there to the configuration?

The most common cause of problems with rerouting is a misconfigured
firewall. The ports you are rerouting cannot be blocked to or from
the NetMAX server for this to work. For example, if you are rerouting
port 80 (http), make sure you aren't blocking port 80 to the NetMAX
Server's IP address, or create a custom rule to allow external access
to that port on the NetMAX server. The firewall rule in this
situation would look like this:
Type: "Server"
Action: "Accept"
Protocol: "tcp"
Server Address(es): "Use IP Address(es) of the NetMAX server"
Server Port: "http"
Client Address(es): "Any"
Destination Port: "1024-65535"

Another step is required if the NetMAX machine has more than two
network interface cards. Forwarding is always allowed by default
between the first two. But if you are rerouting traffic through a
third or fourth network interface, you will need to create firewall
rules to allow this. You will first create one rule on the external
interface to allow forwarding of that port to the correct internal
address. You will then create another rule on the proper internal
interface to allow forwarding of that port to the external internet.
If in our previous example, the external interface was eth0, and the
internal interface on the subnet of the webserver was eth2, the
rules would look like this:
Rule for eth0:
Type: "Forward"
Action: "Accept"
Protocol: "tcp"
Source Address(es): "Any"
Source Port: "1024-65535"
Destination Address(es): "Specify IP Address: IP of internal webserver"
Destination Port: "http"

Rule for eth2:
Type: "Forward"
Action: "Accept"
Protocol: "tcp"
Source Address(es): "Specify IP Address: IP of internal webserver"
Source Port: "http"
Destination Address(es): "Any"
Destination Port: "1024-65535"
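
The two Forward rules above, modelled as a small stateless packet matcher to show why both directions need a rule. This is an added example, not NetMAX code: the addresses are constructed, and default-deny for forwarding through a third interface is an assumption drawn from the text above.

```python
from dataclasses import dataclass
from ipaddress import ip_address

HIGH = range(1024, 65536)          # "1024-65535" in the rules above
HTTP = range(80, 81)               # "http"
WEB = ip_address("192.168.2.10")   # constructed: internal webserver on eth2

@dataclass(frozen=True)
class Rule:                        # one Forward / Accept / tcp rule
    iface: str
    src: object                    # an IP address, or None for "Any"
    sport: range
    dst: object
    dport: range

@dataclass(frozen=True)
class Packet:
    iface: str                     # interface the packet arrives on
    src: str
    sport: int
    dst: str
    dport: int

def matches(rule, pkt):
    """Stateless match: only header fields are compared."""
    return (rule.iface == pkt.iface
            and rule.src in (None, ip_address(pkt.src))
            and rule.dst in (None, ip_address(pkt.dst))
            and pkt.sport in rule.sport
            and pkt.dport in rule.dport)

def forward_allowed(rules, pkt):
    """Assumed default-deny: forward only if some Accept rule matches."""
    return any(matches(r, pkt) for r in rules)

# The eth0 and eth2 rules from the example above.
ETH0_RULE = Rule("eth0", None, HIGH, WEB, HTTP)
ETH2_RULE = Rule("eth2", WEB, HTTP, None, HIGH)

# Constructed traffic, as seen once the reroute has rewritten the
# destination to the internal webserver.
REQUEST = Packet("eth0", "203.0.113.5", 40000, "192.168.2.10", 80)
REPLY = Packet("eth2", "192.168.2.10", 80, "203.0.113.5", 40000)

if __name__ == "__main__":
    both = [ETH0_RULE, ETH2_RULE]
    print("request:", forward_allowed(both, REQUEST))
    print("reply:", forward_allowed(both, REPLY))
    print("reply without eth2 rule:", forward_allowed([ETH0_RULE], REPLY))
```

Because the eth2 rule matches on header fields only, it accepts any packet from the webserver's port 80 to a high port, not just replies to forwarded requests.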
A third thing to consider is the type of traffic you are rerouting.
Some protocols require connections to high ports (ports 1024 - 65535)
on the server. Since rerouting all high ports is not reasonable, you
need to consider the alternatives. Sometimes it's possible to
configure the server to use a small number of high ports for this
traffic to use, and then reroute those ports. Other times, it may
not be possible to do rerouting at all.

4. Let's Hear From You!
*******************
We would very much like to hear from you. Tell us how you use NetMAX
and Linux in your business... or what you would like to see in NetMAX
5... or maybe even what you'd like us to add to the Personal Tutor!

You can contribute your input to the NetMAX Forum:
http://www.netmax.com/cgi-bin/ikonboard/ikonboard.cgi
or to our general NetMAX contact form:
http://www.netmax.com/partners/contacts.html

Let us know about your likes, dislikes, and general comments. We are
especially interested in the type of additions to NetMAX Server you would
like to see as we continue to develop the NetMAX line.

Thank you!