Professional Documents
Culture Documents
Jeff Cochran
3. Whereas ARM used to have form as a kernel module, it can now be thought of
as a collection of features, most of which are provided by the netcontrol module
3. Other modules are broken down loosely by feature (wccp.py, bypass.py) and
function (iptables.py)
/opt/WCG/bin/netcontrol.sh
/opt/WCG/bin/netcontrol
iptables / ip6tables
Linux Kernel
2. Intended purpose is for actually modifying 2. The table operated on by default (no -t
packets before they are processed by the flag) – only table necessary for basic
system (not including NATting)
firewalling
3. Used primarily by netcontrol to facilitate
interception or bypass of select traffic 3. Used primarily by netcontrol to allow
proxy-related packets to be accepted
4. Contains the PREROUTING chain, which regardless of end-user firewall
allows us to manipulate packets before a configuration
routing decision is made on them by the
kernel
2. NC_RESERVED_FORWARD
1. Used to permit packets that are being bypassed or loadshedded to proceed to their destinations
2. It is predicted that the most likely mistakes a customer could make are
1. Flushing the firewall rules or disabling iptables
2. Inserting rules before the JUMP rules which netcontrol uses as hooks
3. Modifying or removing rules in the reserved chains
CC BY-SA 3.0
11. ip link
1. This provides info about the configured network adapters
12. ip addr
1. This provides other info about the configured network adapters
13. sysctl -a
1. Wow that’s a lot of output! This step will provide information about kernel options
14. lsmod
1. This step lists kernel modules that are currently loaded
15. If a problem exists relating to certain network traffic, a pcap of the bad behavior should be provided as
well if possible
16. Thank you for collecting all that information! Hopefully this should be everything dev needs to identify
problems with on-box configuration
INTERNAL USE ONLY
Copyright © 2016 Forcepoint. All rights reserved. | 24
NETCONTROL CHECKLIST
http://ssdengwiki1.websense.com/doku.php?id=wiki:wcg_netcontrol_checklist
FORCEPOINT
INTERNALPROPRIETARY
USE ONLY
Copyright © 2016 Forcepoint. All rights reserved. | 26