SSH Port Forwarding Through Restrictive Firewalls

Posted by Tres Tue, 01 Aug 2006 13:07:00 GMT

If you’ve got a user account on the firewall, you can always use port forwarding to get through the firewall. If you don’t have access to an account on your local gateway, you’ll need to have your own server sitting on the Internet. You’ll be using your own server to bounce traffic through. If your local gateway doesn’t allow ssh access via port 22, the only way to get around your local gateway is to change the port that SSH runs on. You can try different standard ports, but port 443 is probably your best bet. Port 443 is the standard HTTPS port, and normally this kind of traffic can’t be proxied. So changing ports is the most reliable method to be able to use your own server for port forwarding.

To set up a server to use port 443, edit /etc/ssh/sshd_config and make sure the following line is there when you finish:

Port 443

Once you restart SSH, you should be able to establish connections using the -p flag, like this:

ssh -p 443 me@my.private.server.com

So, if we’re using our own server to forward through the restrictive firewall, we would do something like this:

ssh -p 443 -g -L <localPortNumber>:<Remote Host Name>:<Remote Port Number> <user name>@<fully qualified remote machine name> 

-g tells ssh to accept connections to the forwarded local port from any host on the network, not just from the local machine.

-L sets up local port forwarding: connections to the local port are carried over the SSH session and made from the remote server.

Example

So I want to connect to my friend’s IRC server, but there’s problems reaching his IRC server from where I’m at… what can I do?

ssh -p 443 -g -L 9876:my.friends.blocked.irc.server.com:6667 me@my.private.server.com

What we have done is ask ssh to listen on port 9876 on my machine (accepting connections from any host on the local network, because of -g) and to forward whatever arrives there, through my.private.server.com, to my.friends.blocked.irc.server.com port 6667.

The SSH client will open a tty and start a shell on the forwarding server once you have logged in. Even though it looks like a normal SSH session, normal IRC traffic is being forwarded through your server to your friend’s IRC server. The connection between your local host and your remote forwarding server is all encrypted and passed over port 443. Once it reaches your server on the other side of the connection, it is unencrypted and forwarded to the IRC server as normal IRC traffic.
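The post's point is that a port-based filter cannot tell SSH on port 443 from HTTPS; a protocol-aware check can, from the first bytes each side sends. This is an added example, not code from the post; the function names and the flow records are constructed.

```python
# Added example: classify a stream from its first bytes and flag flows whose
# payload protocol does not match what the port is expected to carry.

def classify(first_bytes: bytes) -> str:
    """Classify a stream from the first bytes sent in either direction."""
    # TLS: record type 22 (handshake), major version 3, then a handshake message
    # whose type byte is 1 (ClientHello) or 2 (ServerHello).
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] in (0x01, 0x02)):
        return "tls"
    # SSH (RFC 4253): both peers open with an identification string "SSH-...".
    # Caveat: a server may send other text lines before it; this simple check
    # only looks at the very first bytes.
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes[:4] in (b"GET ", b"POST", b"HEAD", b"PUT "):
        return "http"
    return "unknown"

# What each well-known port is expected to carry.
EXPECTED = {443: "tls", 22: "ssh", 80: "http"}

def find_port_mismatches(flows):
    """Return (flow id, port, observed protocol) for flows that do not match
    the expected protocol of their destination port."""
    mismatches = []
    for flow_id, port, head in flows:
        observed = classify(head)
        expected = EXPECTED.get(port)
        if expected is not None and observed != expected:
            mismatches.append((flow_id, port, observed))
    return mismatches

# Constructed flow records: (id, destination port, first bytes of the stream).
FLOWS = [
    ("f1", 443, bytes.fromhex("160301009c0100009803031f")),  # TLS ClientHello head
    ("f2", 443, b"SSH-2.0-OpenSSH_4.3p2\r\n"),               # SSH on 443, as in the post
    ("f3", 22, b"SSH-2.0-OpenSSH_4.3p2\r\n"),
    ("f4", 80, b"GET / HTTP/1.1\r\nHost: example\r\n"),
]

if __name__ == "__main__":
    for item in find_port_mismatches(FLOWS):
        print("unexpected protocol:", item)
```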

And remember, if your school/work/whatever has policies against this kind of stuff, or has blocked a port for a reason associated with a policy, you probably shouldn’t try this.


Configuring Windows Logon Scripts With Samba

Posted by Tres Mon, 31 Jul 2006 07:59:00 GMT

You can configure any computer that is a member of a Windows domain to run a script whenever a specific user or group logs in. A Windows domain can be configured to run a startup script automatically whenever any domain user logs in, which makes the logon script an easy way to propagate environment settings to all users.

The normal Samba configuration file location for Linux distributions is:

/etc/samba/smb.conf 

For FreeBSD, the Samba configuration file is located at:

/usr/local/etc/samba/smb.conf 

To add or remove a login script

1 Using an editor, open the Samba configuration file.

2 Locate the following lines in the smb.conf configuration file:

# domain logons = no
# logon script = /var/lib/samba/netlogon/logon.bat 

3 Enable domain logons and set the logon script path by changing the lines to this:

domain logons = yes
logon script = /var/lib/samba/netlogon/logon.bat

4 Reload the Samba server.

Once the logon script is being served to domain clients, you can edit it at any time.


IP Address Tutorial

Posted by Tres Mon, 31 Jul 2006 05:41:00 GMT

This is an IP address tutorial that I wrote a while back for one of my classes while I was in school. I wrote it during my technical writing days, so it’s pretty simplistic, but hopefully it’s helpful.

What is an IP address?

Every computer connected to a TCP/IP network must have a unique IP address associated with it. Since the Internet is one giant TCP/IP network, that means that every computer connected to the Internet has an address that no other computer connected to the Internet has.

IP addresses are basically 32-bit numbers that are represented as four decimal numbers separated by decimal points. Each decimal number represents a single byte of the address. For example:

192.211.16.23
15.98.233.2
10.20.30.40
192.168.0.1

Since each decimal set represents an 8-bit number, there are a maximum of 256 numbers that can be represented in each set. The range of numbers available is from 0 to 255 (not 1 to 256).

When written in binary, an internet address looks like this:

192      . 168      . 0        . 1
11000000 . 10101000 . 00000000 . 00000001

What Address Should I Use?

When setting up a local area network, you can’t just choose any number and assign it to the network; you must have a specific number assigned to you, or you must use one of the reserved private address ranges provided for all private networks.
Here are the approved private address ranges:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

When setting up a network using unassigned addresses, your network should use one of the above address ranges.

Subnet Masks

A subnet mask allows a network to be divided into groups of computers called subnets. By dividing computers into logical groups, subnets can improve network performance and the security of the network.

Like IP addresses, subnet masks are made up of 32 bits. Also like IP addresses, subnet masks are most commonly written as four 8-bit decimal numbers separated by decimal points.

Once we study routing, we’ll look at how a subnet mask facilitates routing, but for now, we’ll look at how a subnet mask can be used to limit the size of a network.

Each 32-bit address can be divided into two parts, the network ID and the host ID.
The IP address 192.168.0.1 with a netmask 255.255.255.0 can be represented like this:

Address:  192      . 168      . 0        . 1
          11000000 . 10101000 . 00000000 . 00000001
Netmask:  255      . 255      . 255      . 0
          11111111 . 11111111 . 11111111 . 00000000
          |-------- Network ID ---------|   |Host ID|


Example

I have a computer with the above configuration (IP address of 192.168.0.1 and a subnet mask 255.255.255.0). I plug it into a hub.

I have a second computer with an IP address of 192.168.0.2 and a subnet mask of 255.255.0.0. I plug it into the same hub.

Using the ping program, I try to test the network between the two computers. Neither can ping the other.

Why?

Address:  192      . 168      . 0        . 2
          11000000 . 10101000 . 00000000 . 00000010
Netmask:  255      . 255      . 0        . 0
          11111111 . 11111111 . 00000000 . 00000000
          |-- Network ID ---|   |---- Host ID ----|

Notice that the network ID of this computer is the high-order 16 bits of the IP address. The rest of the address is reserved for identifying computers within the same subnet.

Address:  192      . 168      . 0        . 1
          11000000 . 10101000 . 00000000 . 00000001
Netmask:  255      . 255      . 255      . 0
          11111111 . 11111111 . 11111111 . 00000000
          |-------- Network ID ---------|   |Host ID|

Here, the first 24 high-order bits are used to denote the network ID. The last 8 bits are used as the host ID.

Even if two computers on the same network are given two IP addresses that should work, if they have differing subnet masks, they will not be able to communicate with each other.



Address Classes

The class of the network is determined by the high-order bits of the address:

Class   1st Octet Range   High-Order Bits
A       1-126             0
B       128-191           10
C       192-223           110
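The tutorial's arithmetic (network ID and host ID under a mask, the address class from the high-order bits, and the private ranges) carried out in code. This is an added example, not part of the original tutorial; the function names are my own.

```python
# Added example: the tutorial's address arithmetic as small, checkable functions.

def parse(addr: str) -> int:
    """Dotted decimal -> the 32-bit number it represents."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {addr}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def dotted(value: int) -> str:
    """32-bit number -> dotted decimal."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def binary(addr: str) -> str:
    """Render an address the way the tutorial does: four groups of eight bits."""
    value = parse(addr)
    return " ".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))

def network_id(addr: str, mask: str) -> str:
    """The bits of the address where the mask is 1."""
    return dotted(parse(addr) & parse(mask))

def host_id(addr: str, mask: str) -> str:
    """The bits of the address where the mask is 0."""
    return dotted(parse(addr) & ~parse(mask) & 0xFFFFFFFF)

def same_network(a: str, b: str, mask: str) -> bool:
    """Two hosts share a network under a given mask iff their network IDs match."""
    return network_id(a, mask) == network_id(b, mask)

def address_class(addr: str) -> str:
    """Class from the high-order bits: 0 -> A, 10 -> B, 110 -> C, otherwise D/E."""
    value = parse(addr)
    if value >> 31 == 0b0:
        return "A"
    if value >> 30 == 0b10:
        return "B"
    if value >> 29 == 0b110:
        return "C"
    return "D/E"

# The private ranges from the tutorial, written as network/mask pairs.
PRIVATE_RANGES = [
    ("10.0.0.0", "255.0.0.0"),       # 10.0.0.0 to 10.255.255.255
    ("172.16.0.0", "255.240.0.0"),   # 172.16.0.0 to 172.31.255.255
    ("192.168.0.0", "255.255.0.0"),  # 192.168.0.0 to 192.168.255.255
]

def is_private(addr: str) -> bool:
    """True when the address falls inside one of the reserved private ranges."""
    return any(network_id(addr, mask) == net for net, mask in PRIVATE_RANGES)

if __name__ == "__main__":
    for addr, mask in [("192.168.0.1", "255.255.255.0"), ("192.168.0.2", "255.255.0.0")]:
        print(addr, binary(addr))
        print(mask, binary(mask))
        print("network", network_id(addr, mask), "host", host_id(addr, mask),
              "class", address_class(addr), "private", is_private(addr))
```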


Fixing LDAP Timeout Issues

Posted by Tres Fri, 21 Jul 2006 07:05:00 GMT

If you’re using nss_ldap and pam_ldap in FreeBSD, chances are you’ve run into the dreaded LDAP stall. If you’ve never run into it, it usually goes something like this: everything comes to a stop while the host attempts to reach the LDAP server. Nothing seems to work: you can’t log in remotely, you can’t even log in locally. And even when you do get logged in, things like top just sit and wait for five minutes before they actually run.

The man pages don’t really help, and even Google proved to be frustratingly unhelpful regarding this one. For FreeBSD issues surrounding LDAP timeouts, Google seems invariably to point toward the useless TIMELIMIT directive. This is good for limiting how long your host will wait for a response from the LDAP server once it’s made a connection, but is absolutely useless for defining how long the host will wait before timing out.

To get FreeBSD to play nicely when the LDAP servers aren’t reachable, just add the following to your ldap.conf:

bind_policy soft

This seemingly undocumented directive is the LDAP client’s reconnect policy. If it is set to hard, the client will keep attempting to reconnect with exponential backoff. If it is set to soft, the reconnect policy is to fail immediately.


Using RPMs in FreeBSD

Posted by Tres Thu, 20 Jul 2006 03:08:00 GMT

After installing emulators/linux_base-fc4 and the rpm port, you’re almost ready to install Fedora Core 4 ready RPMs into your FreeBSD system.

If you try to install an RPM and see a message like this:

failed to open /var/lib/rpm/packages.rpm: No such file or directory

The final step is initializing the RPM database. Use rpm --initdb to get the required RPM database files in place:

sudo rpm --initdb

Once you have that completed, you should have the following files in the /var/lib/rpm directory:

$ file /var/lib/rpm/*
/var/lib/rpm/conflictsindex.rpm: Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/fileindex.rpm:      Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/groupindex.rpm:     Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/nameindex.rpm:      Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/packages.rpm:       data
/var/lib/rpm/providesindex.rpm:  Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/requiredby.rpm:     Berkeley DB 1.85 (Hash, version 2, native byte-order)
/var/lib/rpm/triggerindex.rpm:   Berkeley DB 1.85 (Hash, version 2, native byte-order)


Patch and Binaries to add Multiple IP Addresses to Jail in FreeBSD 6.1

Posted by Tres Wed, 12 Jul 2006 11:27:00 GMT

Someone asked me to see about adding multiple IP addresses to a jail the other day. Now that management tools have finally been added, lack of functionality like multiple IP addresses and of fair time scheduling is really the biggest problem that jail has right now. It’s not really a competitive solution without them. Well, after looking around on the Interweb it seemed that the only “recent” (read 2003) patch was Pawel Jakub Dawidek’s patch for FreeBSD 5.3BETA.

So I updated the patch to work with 6.1-STABLE, and upgraded the startup script to handle multiple IP addresses.

This file will patch FreeBSD 6.1 stable to allow multiple IP addresses within a jail.

If you don’t want to cvsup and compile it yourself, you can download a pre-compiled kernel and jail files here.

Otherwise:

cvsup -g -L2 /usr/local/etc/stable-supfile
cd /usr/src
sudo patch -p1 < ~/downloads/multi_ip_patch
sudo make buildworld
sudo make buildkernel
sudo make installkernel

Warning: You really should follow the canonical method for updating your kernel outlined in the FreeBSD handbook. If you’re upgrading from a 6.1-RELEASE to 6.1-STABLE, and you’re willing to take responsibility for whatever damage your actions cause, you might do the following.

sudo make installworld
sudo mergemaster

When defining jails in /etc/rc.conf, separate all the IP addresses for the jail with commas, like this:

jail_testomatic_ip="10.20.30.8,10.20.30.9,10.20.30.10"

You can use the standard /etc/rc.d/jail interface for starting and stopping jails.


Extending Cocoa App Functionality in OS X

Posted by Tres Mon, 10 Jul 2006 06:59:49 GMT

Here’s a cool interface for customizing Cocoa applications:

SIMBL (Smart InputManager Bundle Loader) - pronounced like “symbol” or “cymbal” allows you to build hacks for Cocoa applications and apply the code selectively based on an application’s unique identifier. It’s not really all that smart, or even clever, but it’s smarter than just blindly loading code into an application.

And here’s megazoomer, an extension that will allow you to make any application use the entire screen by pressing command+enter:


Editing Lines In Configuration Files Via CFEngine

Posted by Tres Fri, 07 Jul 2006 13:56:00 GMT

The easiest way to make sure that your configuration files have the right stuff in them is to use CFEngine’s editfiles: section to remove unwanted lines, and to add lines to them.

The following shows how to remove lines from /etc/rc.conf by using CFEngine’s DeleteLinesContaining command:

editfiles:
    serviceadd::
      { /etc/rc.conf DeleteLinesContaining "lpd_enable=\"YES\"" }

This next example shows how to add a line to a file via CFEngine if the line doesn’t already exist in the file:

editfiles:
    serviceadd::
      { /etc/rc.conf AppendIfNoSuchLine "cloned_interfaces=\"vlan299 vlan301 carp0\"" }


Automatic Creation of Home Directories via PAM

Posted by Tres Fri, 07 Jul 2006 13:38:00 GMT

Back in the old days, before OpenSSH had privilege separation, you could have it automatically create home directories for users the first time that they logged in.

There’s still a number of options available to do the same thing, but I think my favorite is the PAM method.

If you’re using FreeBSD, you can install pam_mkhomedir from the ports tree

portinstall -y security/pam_mkhomedir

This will get the shared library installed, but the last step is to append the following line to your /etc/pam.d/login and /etc/pam.d/sshd files:

session      required      /usr/local/lib/pam_mkhomedir.so

You can easily automate this whole process via CFEngine by using the package installation procedure, and using cfengine to append the configuration line if it’s not already in the file.


Installing FreeBSD Ports and Packages With CFEngine

Posted by Tres Fri, 07 Jul 2006 12:59:00 GMT

CFEngine has built-in functionality to work with RPMs, Debian packages or Solaris packages, but that doesn’t mean that you can’t use it to manage package installations on FreeBSD.

To manage packages on FreeBSD use group: or class: sections to see whether a package is installed, like this:

groups:
    has_<package> =(  ReturnsZero(/usr/sbin/pkg_info -Eqx <package name>)   )

The x flag makes pkg_info treat the package name as a regular expression, so you don’t need to worry about versions; just use the package name that you’re looking for.

Now, once CFEngine knows the state of the package installation, it needs to take action based upon that state. In the shellcommands: section, we’ll tell CFEngine to run the installer if the package state is not installed.

!has_<package>::
    "/usr/local/sbin/portinstall -y <package name>"

We can use portinstall (part of the portupgrade package) to build from ports, or use pkg_add -r to install the pre-compiled package.

!has_<package>::
    "/usr/sbin/pkg_add -r <package name>"

This will automatically take care of installing the package.


Example:

Installing bash via CFEngine

To see whether bash was installed, we would use the following line in the group: or class: section of the .cf file:

groups:
    
    has_bash =(  ReturnsZero(/usr/sbin/pkg_info -Eqx bash)   )

And we’d put the following into the shellcommands: section of the file:

shellcommands:
    !has_bash::
      "/usr/local/sbin/portinstall -y shells/bash"


Creating Directories in CFengine

Posted by Tres Fri, 07 Jul 2006 11:38:00 GMT

So CFEngine has a useless directory: section which will do absolutely nothing if you want to actually create a directory.

To create a directory in CFEngine use the files section like this:

files:
    /home/staff/
      mode=755 action=create owner=root group=wheel action=touch

    /home/students/
      mode=755 action=create owner=root group=wheel action=touch


Setting Up VLAN Interfaces in FreeBSD

Posted by Tres Tue, 04 Jul 2006 14:30:00 GMT

In order to set up VLAN interfaces on FreeBSD, first you’ll need to make the kernel 802.1q aware, either by loading the kernel module, adding:

if_vlan_load="YES"

to loader.conf, or by adding:

device          vlan

to your kernel configuration file before you recompile your kernel. Once your kernel is 802.1q aware, the next step is to set up rc.conf for VLAN interfaces. List every VLAN interface under the “cloned_interfaces” directive:

cloned_interfaces="vlan100 vlan200 vlan300 vlan482"

Make sure that the parent device is up and running. If you don’t have an IP address to assign to the parent device itself, just make sure that it’s up:

ifconfig_fxp0="up"

Finally, set up the interface details in rc.conf:

ifconfig_vlan100="inet 102.203.98.97/28 vlan 100 vlandev fxp0"
ifconfig_vlan200="inet 102.203.98.24/28 vlan 200 vlandev fxp0"
ifconfig_vlan300="inet 102.203.98.10/29 vlan 300 vlandev fxp0"
ifconfig_vlan482="inet 102.203.98.223/28 vlan 482 vlandev fxp0"

Once you’ve got all these items configured, your VLAN interfaces should start up on boot. The only other thing you’ll need to do before you can use your VLAN interfaces on the FreeBSD box is to configure the switch for vlan trunking and 802.1q encapsulation. But that’s another story.
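A small consistency check over the rc.conf pieces the post describes: every vlanN in cloned_interfaces has an ifconfig_vlanN line, that line names a VLAN tag and a parent with vlandev, the tag matches the interface name, and the parent has its own ifconfig_ line so it is brought up. This is an added example, not the post's code; the rc.conf fragment is constructed with deliberate mistakes.

```python
# Added example: validate the VLAN-related rc.conf settings from the post.
import re

# Constructed rc.conf fragment, modelled on the post, with three mistakes:
# vlan200's parent em0 has no ifconfig_ line, vlan300 is cloned but never
# configured, and vlan482 carries tag 428.
RC_CONF = """\
cloned_interfaces="vlan100 vlan200 vlan300 vlan482"
ifconfig_fxp0="up"
ifconfig_vlan100="inet 102.203.98.97/28 vlan 100 vlandev fxp0"
ifconfig_vlan200="inet 102.203.98.24/28 vlan 200 vlandev em0"
ifconfig_vlan482="inet 102.203.98.223/28 vlan 428 vlandev fxp0"
"""

ASSIGNMENT = re.compile(r'^\s*(\w+)="([^"]*)"\s*$')

def parse_rc_conf(text: str) -> dict:
    """Collect name="value" assignments; anything else is ignored."""
    settings = {}
    for line in text.splitlines():
        m = ASSIGNMENT.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings

def check_vlans(text: str) -> list:
    """Return a list of human-readable problems; an empty list means all is well."""
    settings = parse_rc_conf(text)
    problems = []
    for iface in settings.get("cloned_interfaces", "").split():
        name = re.fullmatch(r"vlan(\d+)", iface)
        if not name:
            continue  # other clonable devices (carp, gif, ...) are not checked here
        cfg = settings.get(f"ifconfig_{iface}")
        if cfg is None:
            problems.append(f"{iface}: listed in cloned_interfaces but has no ifconfig_{iface} line")
            continue
        tag = re.search(r"\bvlan (\d+)\b", cfg)
        parent = re.search(r"\bvlandev (\w+)\b", cfg)
        if not tag or not parent:
            problems.append(f"{iface}: ifconfig line lacks 'vlan <tag>' or 'vlandev <parent>'")
            continue
        if tag.group(1) != name.group(1):
            problems.append(f"{iface}: VLAN tag {tag.group(1)} does not match the interface name")
        if f"ifconfig_{parent.group(1)}" not in settings:
            problems.append(f"{iface}: parent {parent.group(1)} has no ifconfig_ line, so it is not brought up")
    return problems

if __name__ == "__main__":
    for problem in check_vlans(RC_CONF) or ["rc.conf VLAN settings look consistent"]:
        print(problem)
```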


USB Serial Dongle Drivers

Posted by Tres Tue, 04 Jul 2006 13:45:12 GMT

If you’ve got a MacBook or PowerBook, and need to work on Cisco switches, you know that you’ve got to use a USB serial dongle in order to do the job. But the problem is, first, finding a driver that will work for OS X, and second, sending the all-important BREAK to the Cisco device. I’ve had one of the IOGear -232A serial dongles for years now; it works just fine for everything EXCEPT sending a break.

I guess there’s a kludge involving changing baud rates and sending garbage, but I’m not really interested in kludges; this is why I use OS X, not Linux, on my desktop. I just want things to work (this is not intended as a flame, just reality at present).

Anyway, I just found out that there’s a Sourceforge project providing open source drivers for the plethora of different brands that these devices are sold under.

http://sourceforge.net/projects/osx-pl2303/

I’ve still got to verify whether BREAK will work using the new drivers, but even if it doesn’t, and you’re looking for drivers for one of these devices, check out the sourceforge project.


Speeding Up Ports for Hosts That Need DHCP Configuration

Posted by Tres Tue, 04 Jul 2006 01:55:00 GMT

I’ve found that sometimes, especially with newer NICs on older switches, the host’s DHCP client times out before the port initialization completes. The switch flashes an orange light while the DHCP client keeps trying to send advertisements. This isn’t so bad when you’re just trying to get a DHCP address, most modern operating systems will eventually keep trying until they get one. This really gets frustrating when you’re trying to use BOOTP for PXE booting. You can’t do the install because the system never gets an IP address.

To me this seemed like some kind of port speed or duplex negotiation problem. But even when I turned off auto-negotiation and set all port speed and duplex parameters manually, it still didn’t fix the problem. That’s because the problem isn’t port negotiation, it’s STP (Spanning Tree Protocol).

STP is what Cisco uses to allow for redundant pathways between switches. STP will put a switchport into one of two normal operating states: forwarding or blocking. Because any switchport could potentially cause a loop if the port were suddenly switched from the blocking state to forwarding state, STP uses two other intermediate states to ensure that a loop will not occur: listening and learning.

In the listening state, the port ensures that there doesn’t already exist a better pathway. In learning state, the switch learns MAC addresses for connected devices without allowing a loop to occur. Once the switchport has passed through these two modes, then it will finally be in the forwarding state, where it will forward DHCP broadcasts.

So, to make a long story short, in order to get switchports up and running quickly, use:

spanning-tree portfast

when configuring ports.

For the most part, this is safe to use, but if it gets set up on an uplink port to another layer 2 device, it can cause loops, and things will stop working in a hurry. So like IOS says, “Use with CAUTION.”


Allow Only Certain MAC Addresses to Access Switchport

Posted by Tres Mon, 03 Jul 2006 15:54:00 GMT

In a school or business setting it is a good idea to secure switchports so that only certain MAC addresses will work.

This is, of course not foolproof, but it does make it so that a policy of “company only” computers is easier to enforce on the network. If a nefarious employee or student decides to, they can still gain access to the network. But with physical access to machines, if there’s a will there’s always a way.

interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address 000d.565d.000c
 mls qos cos override
 macro description cisco-desktop
 spanning-tree portfast
 spanning-tree bpduguard enable
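A check that ties this port configuration to the portfast caution in the previous post: walk the interface stanzas of a running-config and flag ports that enable portfast on a trunk, enable portfast without bpduguard, or are access ports without port-security. This is an added example, not code from either post; the config excerpt is constructed, with FastEthernet0/5 taken from the post and two other ports added as bad examples.

```python
# Added example: audit IOS interface stanzas for the settings these posts discuss.

# Constructed running-config excerpt. Fa0/5 is the post's access port; Fa0/6 is a
# desktop port missing the guards; Fa0/24 is an uplink with portfast enabled.
CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 switchport port-security mac-address 000d.565d.000c
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface FastEthernet0/6
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/24
 description uplink to core
 switchport mode trunk
 spanning-tree portfast
!
"""

def parse_interfaces(config: str) -> dict:
    """Map each 'interface X' stanza to the list of its indented commands."""
    stanzas, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return stanzas

def audit(config: str) -> list:
    """Return (interface, finding) pairs for ports that deserve a second look."""
    findings = []
    for name, cmds in parse_interfaces(config).items():
        portfast = "spanning-tree portfast" in cmds
        bpduguard = "spanning-tree bpduguard enable" in cmds
        trunk = "switchport mode trunk" in cmds
        access = "switchport mode access" in cmds
        port_security = "switchport port-security" in cmds
        if portfast and trunk:
            findings.append((name, "portfast on a trunk/uplink port (loop risk)"))
        if portfast and not bpduguard:
            findings.append((name, "portfast without bpduguard (a BPDU from an unexpected switch is not blocked)"))
        if access and not port_security:
            findings.append((name, "access port without port-security"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit(CONFIG):
        print(f"{iface}: {finding}")
```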
