mercredi 4 novembre 2009

Netasq - QoS

Pour la QoS, vous pouvez utiliser PRIQ ou CBQ.

*Note 1* : si vous optez pour CBQ, vous devrez calculer la bande passante nécessaire.

*Attention 1*: quelques soit l'algo PRIQ ou CBQ, si vous souhaitez garantir un minimum, il va falloir configurer la QoS pour tout les flux _sortant_ , notez bien le mot _sortant_.

*Note 2*: pour limiter à un maximum, vous n'avez pas besoin de déclarer le QoS sur tout les flux.

*Attention 2*:
si vous configurez une règle QoS pour un flux IN, par exemple entre IN et DMZ1,
le moteur QoS lui appliquera la limite de bande passante définie (celle de la OUT).
Par ex, si vous n'avez que 1Mo en sortie, si la QoS est appliqué pour du web entre IN et DMZ (donc deux flux IN), le maximum de bande passante utilisé sera de 1Mo.

Netasq - pb proxy smtp antivirus

==> Problème:

Les mail en sortie ne sont pas envoyé, en utlisant le proxy smtp avec check antivirus (clamav)

Le message d'erreur reporter:
Error during data transmission

Erreur SMTP:
421 mwinf2f03.orange.fr Error: timeout exceeded


==> Solution:

un keep-alive de 5 secondes au lieu des 20 secondes par defaut.

ConfigFiles/SMTPProxy/01
[Postprocessing]
Policy=Pass
Size=51607
KeepAlive=5


==> Explications:

La problématique vient du fait que le proxy gère deux connexions. Ces deux connexions n'ont pas le meme debit, il y a un ordre de grandeur de différence : ethernet = 100Mbps, ADSL = 10Mbps par exemple. De plus, s'ajoute une latence a cause de l'analyse anti-virus.
Ces deux aspects induisent le comportement suivant :
- le client SMTP envoie rapidement le mail (ethernet) comme suit :

C: DATA
S: 354 End data with .
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .

En parallèle, cote serveur, la commande DATA est transmise et le temps que le mail soit reçu par le proxy et analyse par l'AV, des faux champs d'en-tête sont transmis pour faire patienter le serveur :

C: DATA
S: 354 End data with .
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
...
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .

A partir du moment ou le serveur a reçu le mail complet, il retourne sa réponse, qui est directement transmise au client :

S: 250 Ok: queued as 12345


vmware - esx - tips en vrac

Create the /dev/vmnet* files:


mknod -m 600 /dev/vmnet0 c 119 0
mknod -m 600 /dev/vmnet1 c 119 1
mknod -m 600 /dev/vmnet2 c 119 2
mknod -m 600 /dev/vmnet3 c 119 3
mknod -m 600 /dev/vmnet4 c 119 4
mknod -m 600 /dev/vmnet5 c 119 5
mknod -m 600 /dev/vmnet6 c 119 6
mknod -m 600 /dev/vmnet7 c 119 7
mknod -m 600 /dev/vmnet8 c 119 8
mknod -m 600 /dev/vmnet9 c 119 9

effacer /etc/vmware/not_configured

editer /etc/init.d/vmware


dans la fonction vmware_start_vmnet.

for i in `seq 0 9`; do
    if [ ! -c /dev/vmnet$i ];then
    mknod -m 660 /dev/vmnet$i c 119 $i > /dev/null 2>&1
done

if [ ! -e /dev/vmmon ];then
mknod /dev/vmmon c 10 165 > /dev/null 2>&1
fi



Ma config SA5K:

/usr/bin/vmnet-bridge -d /var/run/vmnet-bridge-0.pid /dev/vmnet0 br1
/usr/bin/vmnet-natd -d /var/run/vmnet-natd-8.pid -m /var/run/vmnet-natd-8.mac -c /etc/vmware/vmnet8/nat/nat.conf
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet1.pid /dev/vmnet1 vmnet1
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet8.pid /dev/vmnet8 vmnet8
/usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet8/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet8/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet8.pid vmnet8
/usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet1/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet1/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet1.pid vmnet1
/usr/bin/vmnet-bridge -d /var/run/vmnet-bridge-2.pid /dev/vmnet2 br0


création de l'interface physique:

/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet2.pid /dev/vmnet2 vmnet2
ifconfig vmnet2 up

vmnet0 ==> bridge br1
vmnet1 ==> private lan + nat
vmnet2 ==> bridge br0
vmnet8 ==> private lan ( host only )


##################################################################################################
Comment faire pour ajouter un binding sur une interface physique dans vmware server ???

si l'interface physique est br0, si le vmnet est vmnet2:
ajouter la ligne suivante dans /etc/vmware/locations:
answer VNET_2_INTERFACE br0


##################################################################################################
Comment faire pour ajouter un virtual-switch dans vmware server ???


si le swith sera vmnet3:
ajouter les lignes suivante dans /etc/vmware/locations:
answer VNET_3_HOSTONLY_HOSTADDR 172.16.133.1
answer VNET_3_HOSTONLY_NETMASK 255.255.255.0



##################################################################################################
si vous voulez activer le dhcp sur ce switch:

faire:
mkdir /etc/vmware/vmnet3/dhcpd
cp /etc/vmware/vmnet3/dhcpd/dhcpd.conf /etc/vmware/vmnet1/dhcpd/dhcpd.conf
modifier le fichier /etc/vmware/vmnet3/dhcpd/dhcpd.conf

et ajouter les lignes suivante au fichier /etc/vmware/locations:
directory /etc/vmware/vmnet3
directory /etc/vmware/vmnet3/dhcpd
file /etc/vmware/vmnet3/dhcpd/dhcpd.conf 1222099462
file /etc/vmware/vmnet3/dhcpd/dhcpd.leases


##################################################################################################
si vous voulez activer le NAT sur le switch:
mkdir /etc/vmware/vmnet3/nat


cp /etc/vmware/vmnet8/nat/nat.conf /etc/vmware/vmnet3/nat/nat.conf
modifier le fichier /etc/vmware/vmnet3/nat/nat.conf

et ajouter les lignes suivante au fichier /etc/vmware/locations:
answer VNET_3_NAT yes
directory /etc/vmware/vmnet3/nat
file /etc/vmware/vmnet3/nat/nat.conf 1222099405

##################################################################################################
# /usr/lib/vmware/net-services.sh status
Bridged networking on /dev/vmnet0 is running
Host-only networking on /dev/vmnet1 is running
Bridged networking on /dev/vmnet2 is running
Host-only networking on /dev/vmnet3 is not running
NAT networking on /dev/vmnet3 is not running
Host-only networking on /dev/vmnet8 is running
NAT networking on /dev/vmnet8 is running


Juniper - vpn proposal

IKE Phase 1 Proposal:


* Method: indicates whether preshared key (“pre”) or digital certificates (using “RSA”-Sig or “DSA”-Sig) are used as the authentication method

* DH Group: Indicates the Diffie-Hellman group used for the key generation or exchange (“g1”, “g2” or “g5”)

* Encrypt: Indicates the encryption algorithm (“3DES”, “DES” or “AES”)

* Auth: Indicates the hash algorithm (“MD5” or “SHA-1”)

Valeurs:
--------

(pre|dsa|rsa) (g1|g2|g5) (DES|3DES|AES) (MD5|SHA1)


Examples of a Phase 1 proposal include:
---------------------------------------

* pre-g1-des-md5
* dsa-g2-3des-sha1
* rsa-g5-aes128-md5
* or the current de-facto standard: pre-g2-3des-sha1


IPSEC Phase 2 Proposal:


* PFS: Indicates whether PFS is not being used (“nopfs”) or if it is, which DH group is being applied (“g1”, “g2” or “g5”).

* Encapsulation: Whether the ESP (“esp”) protocol is being used for encryption and authentication, or just the AH (“ah”) protocol.

* Encryption :  Indicates the encryption algorithm (“DES”, “3DES” or “AES”)

* Authentication:  Indicates  the hash algorithm (“MD5” or “SHA1”)

Valeurs:
--------

(nopfs|g1|g2|g5) (ESP|AH) (DES|3DES|AES) (MD5|SHA1)


Examples of a Phase 2 proposal include:
---------------------------------------

 nopfs-esp-des-md5
 g1-ah-null-sha1
 And the defacto standard: g2-esp-3des-sha1

CIDR - network classless

Quelques données bien utiles, pour le réseaux au jour le jour.


TABLEAU PAR NETMASK

    Netmask              Netmask (binary)                 CIDR     Notes   
    _____________________________________________________________________________
    255.255.255.255  11111111.11111111.11111111.11111111  /32  Host (single addr)
    255.255.255.254  11111111.11111111.11111111.11111110  /31  Unuseable
    255.255.255.252  11111111.11111111.11111111.11111100  /30    2  useable
    255.255.255.248  11111111.11111111.11111111.11111000  /29    6  useable
    255.255.255.240  11111111.11111111.11111111.11110000  /28   14  useable
    255.255.255.224  11111111.11111111.11111111.11100000  /27   30  useable
    255.255.255.192  11111111.11111111.11111111.11000000  /26   62  useable
    255.255.255.128  11111111.11111111.11111111.10000000  /25  126  useable
    255.255.255.0    11111111.11111111.11111111.00000000  /24 "Class C" 254 useable

    255.255.254.0    11111111.11111111.11111110.00000000  /23    2  Class C's
    255.255.252.0    11111111.11111111.11111100.00000000  /22    4  Class C's
    255.255.248.0    11111111.11111111.11111000.00000000  /21    8  Class C's
    255.255.240.0    11111111.11111111.11110000.00000000  /20   16  Class C's
    255.255.224.0    11111111.11111111.11100000.00000000  /19   32  Class C's
    255.255.192.0    11111111.11111111.11000000.00000000  /18   64  Class C's
    255.255.128.0    11111111.11111111.10000000.00000000  /17  128  Class C's
    255.255.0.0      11111111.11111111.00000000.00000000  /16  "Class B"
       
    255.254.0.0      11111111.11111110.00000000.00000000  /15    2  Class B's
    255.252.0.0      11111111.11111100.00000000.00000000  /14    4  Class B's
    255.248.0.0      11111111.11111000.00000000.00000000  /13    8  Class B's
    255.240.0.0      11111111.11110000.00000000.00000000  /12   16  Class B's
    255.224.0.0      11111111.11100000.00000000.00000000  /11   32  Class B's
    255.192.0.0      11111111.11000000.00000000.00000000  /10   64  Class B's
    255.128.0.0      11111111.10000000.00000000.00000000  /9   128  Class B's
    255.0.0.0        11111111.00000000.00000000.00000000  /8   "Class A"
   
    254.0.0.0        11111110.00000000.00000000.00000000  /7
    252.0.0.0        11111100.00000000.00000000.00000000  /6
    248.0.0.0        11111000.00000000.00000000.00000000  /5
    240.0.0.0        11110000.00000000.00000000.00000000  /4
    224.0.0.0        11100000.00000000.00000000.00000000  /3
    192.0.0.0        11000000.00000000.00000000.00000000  /2
    128.0.0.0        10000000.00000000.00000000.00000000  /1
    0.0.0.0          00000000.00000000.00000000.00000000  /0   IP space

TABLEAU PAR CLASSES
                                    Net     Host    Total
    Net      Addr                      Addr    Addr    Number
    Class   Range      NetMask         Bits    Bits   of hosts
    ----------------------------------------------------------
    A        0-127    255.0.0.0         8      24     16777216   (i.e. 114.0.0.0)
    B      128-191    255.255.0.0      16      16        65536   (i.e. 150.0.0.0)
    C      192-254    255.255.255.0    24       8          256   (i.e. 199.0.0.0)
    D      224-239    (multicast)
    E      240-255    (reserved)
    F      208-215    255.255.255.240  28       4           16
    G      216/8      ARIN - North America
    G      217/8      RIPE NCC - Europe
    G      218-219/8  APNIC
    H      220-221    255.255.255.248  29       3            8   (reserved)
    K      222-223    255.255.255.254  31       1            2   (reserved)
    (ref: RFC1375 & http://www.iana.org/assignments/ipv4-address-space )
    (               http://www.iana.org/numbers.htm                    )
    ----------------------------------------------------------

LISTE DES PREFIXES

    The current list of special use prefixes:
          - 0.0.0.0/8      
          - 127.0.0.0/8
          - 192.0.2.0/24
          - 10.0.0.0/8
          - 172.16.0.0/12
          - 192.168.0.0/16
          - 169.254.0.0/16
          - all D/E space

   
    (ref: RFC1918 http://www.rfc-editor.org/rfc/rfc1918.txt   )
    (       or     ftp://ftp.isi.edu/in-notes/rfc1918.txt     )
    (rfc search:   http://www.rfc-editor.org/rfcsearch.html   )
    (              http://www.ietf.org/ietf/1id-abstracts.txt )
    (              http://www.ietf.org/shadow.html            )


MARTIANS SOURCES IP: FILTER CISCO


    Voici une liste des addresses IP sources que l'on devrait ne jamais voir
    venir sur les routeurs public.

    Martians: (updates at: www.iana.org/assignments/ipv4-address-space )
    no ip source-route
    access-list 100 deny   ip host 0.0.0.0 any
    deny ip 0.0.0.0         0.255.255.255  any log  ! antispoof
    deny ip 0.0.0.0 0.255.255.255  0.0.0.0 255.255.255.255 ! antispoof
    deny ip any             255.255.255.128 0.0.0.127 ! antispoof
    deny ip host            0.0.0.0        any log  ! antispoof
    deny ip host            [router intf]  [router intf] ! antispoof
    deny ip xxx.xxx.xxx.0   0.0.0.255      any log  ! lan area
    deny ip 0/8             0.255.255.255  any log  ! IANA - Reserved
    deny ip 1/8             0.255.255.255  any log  ! IANA - Reserved
    deny ip 2/8             0.255.255.255  any log  ! IANA - Reserved
    deny ip 5/8             0.255.255.255  any log  ! IANA - Reserved
    deny ip 7/8             0.255.255.255  any log  ! IANA - Reserved
    deny ip 10.0.0.0        0.255.255.255  any log  ! IANA - Private Use
    deny ip 23/8            0.255.255.255  any log  ! IANA - Reserved
    deny ip 27/8            0.255.255.255  any log  ! IANA - Reserved
    deny ip 31/8            0.255.255.255  any log  ! IANA - Reserved
    deny ip 36-37/8         0.255.255.255  any log  ! IANA - Reserved
    deny ip 39/8            0.255.255.255  any log  ! IANA - Reserved
    deny ip 41-42/8         0.255.255.255  any log  ! IANA - Reserved
    deny ip 50/8            0.255.255.255  any log  ! IANA - Reserved
    deny ip 58-60/8         0.255.255.255  any log  ! IANA - Reserved
    deny ip 69-79/8         0.255.255.255  any log  ! IANA - Reserved
    deny ip 82-95/8         0.255.255.255  any log  ! IANA - Reserved
    deny ip 96-126/8        0.255.255.255  any log  ! IANA - Reserved
    deny ip 127/8           0.255.255.255  any log  ! IANA - Reserved
    deny ip 169.254.0.0     0.0.255.255    any log  ! link-local network
    deny ip 172.16.0.0      0.15.255.255   any log  ! reserved
    deny ip 192.168.0.0     0.0.255.255    any log  ! reserved
    deny ip 192.0.2.0       0.0.0.255      any log  ! test network
    deny ip 197/8           0.255.255.255  any log  ! IANA - Reserved
    deny ip 220/8           0.255.255.255  any log  ! IANA - Reserved
    deny ip 222-223/8       0.255.255.255  any log  ! IANA - Reserved
    deny ip 224.0.0.0       31.255.255.255 any log  ! multicast
    deny ip 224.0.0.0       15.255.255.255 any log  ! unless MBGP-learned routes
    deny ip 224-239/8       0.255.255.255  any log  ! IANA - Multicast
    deny ip 240-255/8       0.255.255.255  any log  ! IANA - Reserved

FILTERED SOURCE ADDRESSES

    filtered source addresses
    0/8                 ! broadcast
    10/8                ! RFC 1918 private
    127/8               ! loopback
    169.254.0/16        ! link local
    172.16.0.0/12       ! RFC 1918 private
    192.0.2.0/24        ! TEST-NET
    192.168.0/16        ! RFC 1918 private
    224.0.0.0/4         ! class D multicast
    240.0.0.0/5         ! class E reserved
    248.0.0.0/5         ! reserved
    255.255.255.255/32  ! broadcast

ARIN ADMINISTRATED BLOCKS

    ARIN administrated blocks: (http://www.arin.net/regserv/IPStats.html)
    24.0.0.0/8 (portions of)
    63.0.0.0/8
    64.0.0.0/8
    65.0.0.0/8
    66.0.0.0/8
    196.0.0.0/8
    198.0.0.0/8
    199.0.0.0/8
    200.0.0.0/8
    204.0.0.0/8
    205.0.0.0/8
    206.0.0.0/8
    207.0.0.0/8
    208.0.0.0/8
    209.0.0.0/8
    216.0.0.0/8
    ----------------------------------------------------------

LIENS PORT/PROTOCOL

    well known ports: (rfc1700.txt)
    www.iana.org/assignments/port-numbers

    protocol numbers:
    www.iana.org/assignments/protocol-numbers
    www.iana.org/numbers.htm

CODES ICMP

    ICMP(Types/Codes)
    Testing Destination Reachability & Status
    (0/0)  Echo-Reply
    (8/0)  Echo
    Unreachable Destinations
    (3/0)  Network Unreachable
    (3/1)  Host Unreachable
    (3/2)  Protocol Unreachable
    (3/3)  Port Unreachable
    (3/4)  Fragmentaion Needed and DF set (Pkt too big)
    (3/5)  Source Route Failed
    (3/6)  Network Unknown
    (3/7)  Host Unknown
    (3/9)  DOD Net Prohibited
    (3/10) DOD Host Prohibited
    (3/11) Net TOS Unreachable
    (3/12) Host TOS Unreachable
    (3/13) Administratively Prohibited
    (3/14) Host Precedence Unreachable
    (3/15) Precedence Unreachable
    Flow Control
    (4/0)  Source-Quench [RFC 1016]
    Route Change Requests from Gateways
    (5/0)  Redirect Datagrams for the Net
    (5/1)  Redirect Datagrams for the Host
    (5/2)  Redirect Datagrams for the TOS and Net
    (5/3)  Redirect Datagrams for the TOS and Host
    Router
    (6/-)  Alternate-Address
    (9/0)  Router-Advertisement
    (10/0) Router-Solicitation
    Detecting Circular or Excessively Long Routes
    (11/0) Time to Live Count Exceeded
    (11/1) Fragment Reassembly Time Exceeded
    Reporting Incorrect Datagram Headers
    (12/0) Parameter-Problem
    (12/1) Option Missing
    (12/2) No Room for Option
    Clock Synchronization and Transit Time Estimation
    (13/0) Timestamp-Request
    (14/0) Timestamp-Reply
    Obtaining a Network Address (RARP Alternative)
    (15/0) Information-Request
    (16/0) Information-Reply
    Obtaining a Subnet Mask [RFC 950]
    (17/0) Address Mask-Request
    (18/0) Address Mask-Reply
    Other
    (30/0) Traceroute
    (31/0) Conversion-Error
    (32/0) Mobile-Redirect

    Ref: [RFC 792] [RFC 896] [RFC 950] [RFC 1016]
    www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_3/cofigide/qos.htm#
    19774

DECIMAL SYSTEM PREFIX

    Decimal system Prefix's
                Factor               Exponent  Prefix
    ---------------------------------------------------
    1 000 000 000 000 000 000 000 000...10^24....yotta
        1 000 000 000 000 000 000 000...10^21....zetta
            1 000 000 000 000 000 000...10^18....exa
                1 000 000 000 000 000...10^15....peta
                    1 000 000 000 000...10^12....tera
                        1 000 000 000...10^9.....giga
                            1 000 000...10^6.....mega
                                1 000...10^3.....kilo
                                100...10^2.....hecto
                                    10...10^1.....deka
                                0.1...10^-1....deci
                                0.01...10^-2....centi
                                0.001...10^-3....milli
                            0.000 001...10^-6....micro
                        0.000 000 001...10^-9....nano
                    0.000 000 000 001...10^-12...pico
                0.000 000 000 000 001...10^-15...femto
            0.000 000 000 000 000 001...10^-18...atto
        0.000 000 000 000 000 000 001...10^-21...zepto
    0.000 000 000 000 000 000 000 001...10^-24...yocto
    ---------------------------------------------------

    Convert Fahrenheit <> Celsius:
    Celsius = (Fahrenheit - 32) / 1.8
    Fahrenheit = (Celsius * 1.8) + 32


mardi 13 octobre 2009

Upgrading a Nokia Firewall (Flash Based) VRRP (Monitored Circuit) cluster HFA50

 Thanks to CPUG !!


1 Ensure that the Smartcenter is upgraded first to the version you are upgrading the cluster too.

2 For our configuration we were using VRRP monitored circuits.

3 Backup the Nokia configuration within Nokia Voyager for both firewalls.

4 Within Nokia for both firewalls print out the configuration summary.

5 Within checkpoint on the cluster object print out all of the existing topology information (take a screen shot)

6 On both Nokia firewalls disable monitor firewall state within the vrrp configuration

7 On secondary raise the VRRP priority on all VRRP virtual routers

8 Test that outbound traffic is routing via the secondary and that the secondary is now the vrrp master for all of the vrrp virtual routers.

9 Just as a precaution down an interface on the primary too. (Not strictly necessary)

10 On primary pull out internet facing connections (Not strictly necessary)

11 As our firewalls are the 1gb flash based models space is an issue and I had great difficulty applying the hfa even after expanding the nokia disk using then sbin mount command. Due to this issue I ended up going for a most drastic upgrade method (e.g rebuild)

12 Plug into the console port and connect using hyperterminal and reboot the firewall

13 When prompted press a key to get into a boot prompt

14 Type “install” enter (Note this will wipe your firewall)

15 The install procedure will ask a number of questions for example how you want to install and what interface (firewall port to use). I went for an anonymous FTP server option (I set my laptop up with Microsoft ftp installed and anonymous logins accepted) and copied the relevant ipso.tgz file (e.g 4.2build096-ipso.tgz) to the ftproot folder on your laptop

16 Next plug a network cable from your laptop into a switch on the same subnet as the interface you are going to use for building (e.g your LAN port, alternatively you could use a crossover cable)

17 The install will ask for IP address of client (the firewall) and server (the ftp server–laptop). Type in the relevant e.g. TCP/IP details - address, mask, gateway.

18 The path to the ipso file e.g /

19 Hit enter.

20 Install all images without prompting

21 Reboot

22 After reboot assign the original hostname, and setup an initial interface matching one from the topology and nokia information summary printed earlier.

23 Set speed, duplex, route, and choose “config via voyager” option.

24 Now you have got an initial interface setup.

Login using voyager and put back interface information, configure ntp, static routes, vrrp config and proxy arp.

25 The last thing you should do is make sure you assign the original host address back with the nokia voyager configuration (this is important and should match the address checkpoint uses.

26 Check ntp, vrrp routing, etc are working

27 Copy the ipso_wrapper_r65.tgz file to the ftproot folder on the laptop.

28 Reboot Nokia, open a ssh connection to the firewall and run newpkg command

29 Select FTP using anonymous server

30 Put in ip address of laptop and / for path.

31 Checkpoint installs the package, reboot when finished

32 Reconnect using a SSH connection back into the firewall and run cpconfig.

33 Select “Yes to license agreement”

34 “No” to dynamically assigned ip address

35 “Yes” to Install a Checkpoint clustering product

36 “No” to add licenses

37 “No” to group permissions

38 Type in keys for seed

39 Enter and re-enter a SIC password

40 Reboot

41 The reboot will install the default block policy.

42 Reconnect to the firewall via and run fw unloadlocal to unload default policy

43 Connect into the smartcenter using smartdashboard change the cluster version to NGX R65

44 On the firewall member object reset sic and enter the sic password used in the install on the firewall. Test sic is working.

45 Note - for SIC to work there must be a route from the smartcenter directly to physical ip address of the firewall host address.

46 Within Smartupdate detach the license and reattach the license

47 Push the policy to the firewall (Note in doing this you will no longer be able to push the policy to the remaining (live ngx62 firewall) while the cluster is set to NGX R65.

48 Just to warn you Check point will not sync its state while the clusters are different versions

49 If running the “cphaprob stat” command you will see one down due to upgrade.

50 Next apply the hfa to the firewall.

51 To apply the hfa50 open a ssh into the firewall.

52 Cd /opt

53 Mkdir hfa

54 Cd hfa

55 Open a secure ftp session using the ssh client

56 Upload the hfa file to the folder

57 run /sbin/mount –u –o extend_partition /dev/null /opt (this gives more space for the upgrade)

58 tar xzvf hfafile.ipso.tgz (extracts the package)

59 rm hfafile.ipso.tgz (removes the package file)

60 Run df –k | awk ‘ /preserve|opt|var/{print $6,$2 - $3}’

61 The above command will show how how much space is left on the Nokia volumes (/preserve need 455000kb and /opt needs /382000kb to install hfa50)

62 When you have enough space run ./UnixInstallScript and this will apply the hfa. Please note this takes up to 15 min’s to install.

63 Reboot the machine.

64 After the machine has rebooted run Smartupdate within smart dashboard and “get data” from the firewall. hfa50 should now be listed as installed.

65 Once you are happy that everything is running correctly you will need to repeat the upgrade procedure listed above for the secondary firewall (e.g. Repeat the steps above making the primary firewall the primary vrrp master again and upgrade the secondary)

66 When both firewalls are upgraded check that the checkpoint state is working using “cphaprob stat” command it should list both firewalls as active (one being local)

67 If state is working ok re-enable “monitor firewall state” on both of the firewalls vrrp configuration.

vendredi 25 septembre 2009

CheckPoint: exporting log to a syslog server

How to register a syslog server

it is to export, as a fifo, all the logs to a syslog server.

the solution consist of running a piece of checkpoint software to send log to the local syslog,

then syslog forward the data to the remote syslog

Here the programs we will use:

fw log
logger

Explanation

fw log

 "fw log" is the tool to show the logs, in the gateway and in the smartcenter.

"fw log" accept somes options, we must use thoses:

-ft : begin with the last line, and continuously show the lines, as they comes.

-n : don't resolv hostname

-l : add a time stamp

logger

logger is a unix tool, to send to syslog a message, a log.

Solution

so, we need to change a boot script, to be sure we always have the functionality.
Changing the file /etc/rc.d/init.d/cpboot as:

case $1 in 
    'start')
        $CPDIR/bin/cpstart -b
        cp /etc/syslog.conf /var/run/syslog.conf
        kill -HUP $(ps fax|grep syslogd|grep -v grep|awk '{print $1}')
        # For the normal logs

        fw log -ftnl|logger -p local4.info -t Firewall &
        #   For the audit logs
        if [ -f  $FWDIR/log/fw.adtlog ];then

            fw log -ftnl $FWDIR/log/fw.adtlog|logger -p local5.info -t Firewall &
        fi
    ;;
    'stop' )
        $CPDIR/bin/cpstop
        ;;
esac

mardi 2 juin 2009

The DNSBL

What is a DNSBL?

Domain Name System Blacklists, also known as DNSBL's or DNS Blacklists, are spam blocking lists that allow a website administrator to block messages from specific systems that have a history of sending spam. As their name implies, the lists are based on the Internet's Domain Name System, which converts complicated, numerical IP address such as 140.239.191.10 into domain names like example.net, making the lists much easier to read, use, and search. If the maintainer of a DNS Blacklist has in the past received spam of any kind from a specific domain name, that server would be "blacklisted" and all messages sent from it would be either flagged or rejected from all sites that use that specific list.

Where are the DNSBL ?

as an example, here are the default list Netasq provide in there Firewall:

DSBL: list.dsbl.org :
DSBL was a blocklist specialized in listing open relays and open proxies. It is off now.

SORBS: dnsbl.sorbs.net : The Spam and Open Relay Blocking System (SORBS) was conceived as an anti-spam project where a daemon would check "on-the-fly", all servers from which it received email to determine if that email was sent via various types of proxy and open-relay servers.

SPAMCOP: bl.spamcop.net : SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers.

SPAMHAUS: various list:

SPAMHAUSSBL: The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services).

SPAMHAUSXBL: The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

SPAMHAUSCOMB: Combo of SBL and XBL.

SPAMRBL: French List: OUTDATED,

For a full list, you can go here: http://www.dnsbl.info/dnsbl-list.php .

vendredi 29 mai 2009

NSMXpress: reset root password

Procedure for resetting the admin password in NSMXpress

In order to reset the password, please use the following procedure:
Connect a console device to the console port of the NSMXPress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will display on the console. Choose "Rescue".

When the rescue process starts, it will ask about configuring the network connections. Choose "No".

A message will display indicating that the system is trying to find your Linux installation. Choose "Continue".

A message will display indicating that your system has been mounted under /mnt/sysimage. Press "Return".

Enter the command: vi /mnt/sysimage/etc/shadow

Find the line that starts with "admin:" The value between the first and second " : " is the password.

In the example below, the password is $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/

Using vi commands, remove the existing password value (i.e. $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/ ) with the following value.

This is the password value for "netscreen":

$1$KYPDZ8Eg$D627p0JrMaVMYqkdVRxcw

Using vi commands, save the file and exit.

At the command prompt, enter exit

The system will reboot and the admin password will be changed to netscreen

NSMXpress: reset to factory default

You want to put your NSMXpress Juniper Appliances into a factory default state.

This howto will show you how:

Connect a console device to the console port of the NSMXPress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will display on the console. Choose Re-Install
then at the password prompt choose: "erase".

That's it, the Juniper NSMXpress Management console will format the harddrive.

Netasq: Forcer une alarme grisé dans le manager

Comment faire pour modifier le comportement d'une alarme dans la prevention d'intrusion ASQ du Netasq quand celle-ci apparait grisée dans le Firewall Manager ?

Se connecter en mode console sur le Firewall,

puis trouver l'id de l'alarme:

$ grep -i http System/Language/fr/protocol
53="Protocole HTTP invalide"

==> valider qu'il s'agit bien du 53 !

$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
block, major, dump

==> vous devriez avoir block....

maintenant la vrai modification:

$ setconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 "pass, ignore"

==> on valide:

$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
pass, ignore

On active les changements:

$ enasq

L'alarme apparait toujours en grisée, mais son comportement a changé.

Attention: certaine alarmes pourront être affiché comme ignore et seront bel et bien bloqué car codé en dur dans le Noyau ASQ du Netasq.

VMware: create the vmnet* special files

How to create the /dev/vmnet* special files ?

Here is howto do it manually:

mknod -m 600 /dev/vmnet0 c 119 0
mknod -m 600 /dev/vmnet1 c 119 1
mknod -m 600 /dev/vmnet2 c 119 2
mknod -m 600 /dev/vmnet3 c 119 3
mknod -m 600 /dev/vmnet4 c 119 4
mknod -m 600 /dev/vmnet5 c 119 5
mknod -m 600 /dev/vmnet6 c 119 6
mknod -m 600 /dev/vmnet7 c 119 7
mknod -m 600 /dev/vmnet8 c 119 8
mknod -m 600 /dev/vmnet9 c 119 9


Howto do it automatically:

remove the file /etc/vmware/not_configured

edit the file /etc/init.d/vmware


in the function vmware_start_vmnet, add the following:

for i in `seq 0 9`; do
if [ ! -c /dev/vmnet$i ];then
mknod -m 660 /dev/vmnet$i c 119 $i > /dev/null 2>&1
fi
done

if [ ! -e /dev/vmmon ];then
mknod /dev/vmmon c 10 165 > /dev/null 2>&1
fi


Howto create the interface for network interface:

/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet2.pid /dev/vmnet2 vmnet2

ifconfig vmnet2 up