Stupid Security Bloghttps://blog.xn--sb-lka.org/2026-04-02T00:00:00+02:00A blog with random ramblings on internet securitySimple firewalld watcher2026-04-02T00:00:00+02:002026-04-02T00:00:00+02:00Nicolai Søborgtag:blog.xn--sb-lka.org,2026-04-02:/simple-firewalld-watcher.html<p>While doing HackTheBox, <span class="caps">CTF</span>’s or similar stuff, I sometimes need a <em>reverse shell</em> to connect back to my computer.</p>
<p>This is almost always using a <span class="caps">VPN</span>, so I don’t have to think about <span class="caps">NAT</span>, firewall openings, etc</p>
<p>But more than once I’ve struggled to get a rev …</p><p>While doing HackTheBox, <span class="caps">CTF</span>’s or similar stuff, I sometimes need a <em>reverse shell</em> to connect back to my computer.</p>
<p>This is almost always using a <span class="caps">VPN</span>, so I don’t have to think about <span class="caps">NAT</span>, firewall openings, etc</p>
<p>But more than once I’ve struggled to get a rev shell to connect back. Why? My computer has a local firewall 🤦</p>
<p>The solution is simple: <code>sudo systemctl stop firewalld.service</code> - but I actually want firewalld running most of the time, so this is not a good long-term solution.</p>
<p>Instead wouldn’t it be nice to get a notification whenever <code>firewalld</code> blocked something, to quickly diagnose the problem?</p>
<p><img alt="firewalld alert using script below" src="https://blog.xn--sb-lka.org/firewalld-alert.png"></p>
<p>We can do that by first configuring <code>firewalld</code> to log all blocked connections:</p>
<div class="highlight"><pre><span></span><code>firewall-cmd<span class="w"> </span>--set-log-denied<span class="o">=</span>all<span class="w"> </span><span class="c1"># or: unicast, broadcast, multicast</span>
firewall-cmd<span class="w"> </span>--runtime-to-permanent
</code></pre></div>
<p>By watching <code>journalctl</code> <sup>fun-fact: users aren’t allowed to read <code>dmesg</code> directly (<em>why is that??</em>), but <code>journalctl --dmesg</code> exposes it</sup> for <span class="caps">REJECT</span> log entries, we can use <code>notify-send</code> to spawn a <span class="caps">GUI</span> alert!</p>
<div class="highlight"><pre><span></span><code>journalctl<span class="w"> </span>--follow<span class="w"> </span>--dmesg<span class="w"> </span>--grep<span class="o">=</span><span class="s2">"FINAL_REJECT|REJECT"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>-r<span class="w"> </span>line<span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span><span class="nv">src</span><span class="o">=</span><span class="k">$(</span>grep<span class="w"> </span>-oP<span class="w"> </span><span class="s1">'SRC=\K\S+'</span><span class="w"> </span><span class="o"><<<</span><span class="w"> </span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="k">)</span>
<span class="w"> </span><span class="nv">dpt</span><span class="o">=</span><span class="k">$(</span>grep<span class="w"> </span>-oP<span class="w"> </span><span class="s1">'DPT=\K\d+'</span><span class="w"> </span><span class="o"><<<</span><span class="w"> </span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="k">)</span>
<span class="w"> </span>notify-send<span class="w"> </span>-i<span class="w"> </span>network-error<span class="w"> </span><span class="s2">"firewalld blocked"</span><span class="w"> </span><span class="s2">"src=</span><span class="nv">$src</span><span class="s2"> port=</span><span class="nv">$dpt</span><span class="s2">"</span>
<span class="k">done</span>
</code></pre></div>
<p>The above is a long-running process which will “hang” your terminal. If you background it, it will still be a child process, so it stops when your terminal dies.</p>
<p>We can solve this by <code>disown</code><span class="quo">‘</span>ing the process, but now we also need to make sure we don’t end up spawning multiple processes that monitors the same thing. One ugly hack is simply to <code>pgrep</code> the somewhat unique string, <em>if it works, it works</em>.</p>
<p>The full script to put in your <code>~/.*rc</code>:</p>
<div class="highlight"><pre><span></span><code>firewall-watcher<span class="o">()</span><span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="k">if</span><span class="w"> </span><span class="o">[[</span><span class="w"> </span><span class="k">$(</span>firewall-cmd<span class="w"> </span>--get-log-denied<span class="k">)</span><span class="w"> </span>!<span class="o">=</span><span class="w"> </span><span class="s2">"all"</span><span class="w"> </span><span class="o">]]</span><span class="p">;</span><span class="w"> </span><span class="k">then</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"firewalld log-denied is not set to 'all'."</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span><span class="s2">"Please run: firewall-cmd --set-log-denied=all"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="w"> </span><span class="k">fi</span>
<span class="w"> </span>pgrep<span class="w"> </span>-f<span class="w"> </span><span class="s1">'journalctl.*REJECT'</span><span class="w"> </span>><span class="w"> </span>/dev/null<span class="w"> </span><span class="o">&&</span><span class="w"> </span><span class="k">return</span><span class="w"> </span><span class="m">0</span>
<span class="w"> </span>journalctl<span class="w"> </span>--follow<span class="w"> </span>--dmesg<span class="w"> </span>--grep<span class="o">=</span><span class="s2">"REJECT"</span><span class="w"> </span><span class="p">|</span><span class="w"> </span><span class="k">while</span><span class="w"> </span><span class="nb">read</span><span class="w"> </span>-r<span class="w"> </span>line<span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span><span class="nv">src</span><span class="o">=</span><span class="k">$(</span>grep<span class="w"> </span>-oP<span class="w"> </span><span class="s1">'SRC=\K\S+'</span><span class="w"> </span><span class="o"><<<</span><span class="w"> </span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="k">)</span>
<span class="w"> </span><span class="nv">dpt</span><span class="o">=</span><span class="k">$(</span>grep<span class="w"> </span>-oP<span class="w"> </span><span class="s1">'DPT=\K\d+'</span><span class="w"> </span><span class="o"><<<</span><span class="w"> </span><span class="s2">"</span><span class="nv">$line</span><span class="s2">"</span><span class="k">)</span>
<span class="w"> </span>notify-send<span class="w"> </span>-i<span class="w"> </span>network-error<span class="w"> </span><span class="s2">"firewalld blocked"</span><span class="w"> </span><span class="s2">"src=</span><span class="nv">$src</span><span class="s2"> port=</span><span class="nv">$dpt</span><span class="s2">"</span>
<span class="w"> </span><span class="k">done</span><span class="w"> </span><span class="p">&</span>
<span class="w"> </span><span class="nb">disown</span>
<span class="o">}</span>
</code></pre></div>DTU Studiestarten2019-01-01T00:00:00+01:002019-01-01T00:00:00+01:00Nicolai Søborgtag:blog.xn--sb-lka.org,2019-01-01:/dtu-studiestarten-da.html<p>En liste af tools jeg har lavet til <span class="caps">DTU</span> studiestarten:</p>
<h2><a href="https://badger.xn--sb-lka.org/">Badger v3</a></h2>
<p>En webapp til at lave badges (6 stk per A4).
Lavet til at man kan lave ét “tema badge” og så lave en masse kopier, hvor man skifter navnet i midten.</p>
<p>(En ældre version findes her: <a href="https://nicolaisoeborg.github.io/badger/">Badger v1 …</a></p><p>En liste af tools jeg har lavet til <span class="caps">DTU</span> studiestarten:</p>
<h2><a href="https://badger.xn--sb-lka.org/">Badger v3</a></h2>
<p>En webapp til at lave badges (6 stk per A4).
Lavet til at man kan lave ét “tema badge” og så lave en masse kopier, hvor man skifter navnet i midten.</p>
<p>(En ældre version findes her: <a href="https://nicolaisoeborg.github.io/badger/">Badger v1</a>).</p>
<h2><a href="https://bedstforalle.xn--sb-lka.org/">Er Det Bedst For Alle ?</a></h2>
<p>Er det bedst for alle hvis vi tager een sidste øl? Lets find out!</p>
<h2><a href="https://github.com/NicolaiSoeborg/eduroam">Eduroam without installer (<span class="caps">DTU</span> guide)</a></h2>
<p>Undgå kode-eksekvering for at komme på nettet.</p>