For QoS you can use either PRIQ or CBQ.
*Note 1*: if you choose CBQ, you will have to compute the bandwidth each queue needs.
*Warning 1*: whichever algorithm you pick, PRIQ or CBQ, if you want to guarantee a minimum you must configure QoS on every _outgoing_ flow; note the word _outgoing_.
*Note 2*: to cap a flow at a maximum, you do not need to declare QoS on every flow.
*Warning 2*: if you configure a QoS rule on an IN flow, for example between IN and DMZ1, the QoS engine applies to it the bandwidth limit that was defined (the OUT one).
For example, if you only have 1 MB of outgoing bandwidth and QoS is applied to web traffic between IN and DMZ (so two IN flows), the maximum bandwidth used will be 1 MB.
Wednesday, November 4, 2009
Netasq - SMTP proxy antivirus problem
==> Problem:
Outgoing mail is not sent when using the SMTP proxy with antivirus checking (ClamAV).
The error message reported:
Error during data transmission
SMTP error:
421 mwinf2f03.orange.fr Error: timeout exceeded
==> Solution:
A keep-alive of 5 seconds instead of the default 20 seconds.
ConfigFiles/SMTPProxy/01
[Postprocessing]
Policy=Pass
Size=51607
KeepAlive=5
==> Explanation:
The problem comes from the proxy handling two connections. These two connections do not have the same throughput; there is an order of magnitude between them, for example Ethernet = 100 Mbps versus ADSL = 10 Mbps. On top of that comes the latency added by the antivirus analysis.
These two aspects produce the following behaviour:
- the SMTP client sends the mail quickly (Ethernet), as follows:
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .
In parallel, on the server side, the DATA command is forwarded and, while the mail is being received by the proxy and scanned by the AV, fake header fields are sent to keep the server waiting:
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
...
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .
Once the server has received the complete mail, it returns its response, which is forwarded straight to the client:
S: 250 Ok: queued as 12345
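A timeline model of the server-side DATA phase described above, added here as an example (not code from the post or from the Netasq proxy). It shows why the padding interval must be shorter than the upstream server's idle timeout; the timeout value and the scan duration are assumptions, since the post only says 20 s failed and 5 s worked.

```python
"""Timeline model of the SMTP proxy's DATA phase with X-Keep-Alive padding.

Added example, not code from the post or from the Netasq proxy. The proxy has
already accepted the whole message from the fast LAN client; what matters for
the 421 is the gap between bytes on the slow server-side connection while the
antivirus scan runs. The server's idle timeout is an assumption (the post only
says the default 20 s keep-alive was too long and 5 s fixed it).
"""
from typing import List, Tuple

# Constructed message in the shape of the post's transcript (RFC 2606 domains).
MESSAGE_LINES = [
    'From: "Bob Example" <bob@example.org>',
    "To: Alice Example <alice@example.com>",
    "Cc: theboss@example.com",
    "Date: Tue, 15 Jan 2008 16:02:43 -0500",
    "Subject: Test message",
    "",
    "Hello Alice.",
    "This is a test message with 5 headers and 4 lines in the body.",
    "Your friend,",
    "Bob",
]

KEEPALIVE_LINE = "X-Keep-Alive: 1"


def relay_data_phase(message_lines: List[str], scan_seconds: float,
                     keepalive_interval: float, server_timeout: float) -> Tuple[List[str], bool]:
    """Return (server-side transcript, delivered).

    The proxy issues DATA at t=0 and gets the 354 greeting.  It has nothing
    real to forward until the scan finishes at t=scan_seconds, so every
    keepalive_interval seconds it emits a dummy header line.  The server
    drops the session with 421 as soon as it has seen no bytes for
    server_timeout seconds.
    """
    if keepalive_interval <= 0 or server_timeout <= 0:
        raise ValueError("intervals must be positive")
    transcript = ["C: DATA", "S: 354 End data with <CR><LF>.<CR><LF>"]
    last_activity = 0.0          # time of the last byte the server received
    t = keepalive_interval       # time of the next scheduled keep-alive

    def timed_out(now: float) -> bool:
        return now - last_activity >= server_timeout

    while t < scan_seconds:
        if timed_out(t):
            transcript.append("S: 421 Error: timeout exceeded")
            return transcript, False
        transcript.append(f"C: {KEEPALIVE_LINE}")
        last_activity = t
        t += keepalive_interval

    # Scan finished: the real message is forwarded in one burst.  Note that
    # the padding headers stay in the delivered message, as in the post.
    if timed_out(scan_seconds):
        transcript.append("S: 421 Error: timeout exceeded")
        return transcript, False
    transcript.extend(f"C: {line}" for line in message_lines)
    transcript.append("C: .")
    transcript.append("S: 250 Ok: queued as 12345")
    return transcript, True


def keepalives_sent(transcript: List[str]) -> int:
    """Count the padding headers that ended up in the delivered message."""
    return sum(1 for line in transcript if line == f"C: {KEEPALIVE_LINE}")


if __name__ == "__main__":
    # Assumed: the upstream server gives up after 15 s of silence; the scan takes 30 s.
    for interval in (20, 5):
        lines, ok = relay_data_phase(MESSAGE_LINES, scan_seconds=30,
                                     keepalive_interval=interval, server_timeout=15)
        print(f"KeepAlive={interval}: {'delivered' if ok else 'FAILED'}, "
              f"{keepalives_sent(lines)} X-Keep-Alive lines")
        print("\n".join(lines))
```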
vmware - esx - assorted tips
Create the /dev/vmnet* files:
mknod -m 600 /dev/vmnet0 c 119 0
mknod -m 600 /dev/vmnet1 c 119 1
mknod -m 600 /dev/vmnet2 c 119 2
mknod -m 600 /dev/vmnet3 c 119 3
mknod -m 600 /dev/vmnet4 c 119 4
mknod -m 600 /dev/vmnet5 c 119 5
mknod -m 600 /dev/vmnet6 c 119 6
mknod -m 600 /dev/vmnet7 c 119 7
mknod -m 600 /dev/vmnet8 c 119 8
mknod -m 600 /dev/vmnet9 c 119 9
delete /etc/vmware/not_configured
edit /etc/init.d/vmware
in the vmware_start_vmnet function:
for i in `seq 0 9`; do
  if [ ! -c /dev/vmnet$i ]; then
    mknod -m 660 /dev/vmnet$i c 119 $i > /dev/null 2>&1
  fi
done
if [ ! -e /dev/vmmon ]; then
  mknod /dev/vmmon c 10 165 > /dev/null 2>&1
fi
My SA5K config:
/usr/bin/vmnet-bridge -d /var/run/vmnet-bridge-0.pid /dev/vmnet0 br1
/usr/bin/vmnet-natd -d /var/run/vmnet-natd-8.pid -m /var/run/vmnet-natd-8.mac -c /etc/vmware/vmnet8/nat/nat.conf
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet1.pid /dev/vmnet1 vmnet1
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet8.pid /dev/vmnet8 vmnet8
/usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet8/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet8/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet8.pid vmnet8
/usr/bin/vmnet-dhcpd -cf /etc/vmware/vmnet1/dhcpd/dhcpd.conf -lf /etc/vmware/vmnet1/dhcpd/dhcpd.leases -pf /var/run/vmnet-dhcpd-vmnet1.pid vmnet1
/usr/bin/vmnet-bridge -d /var/run/vmnet-bridge-2.pid /dev/vmnet2 br0
creating the physical interface:
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet2.pid /dev/vmnet2 vmnet2
ifconfig vmnet2 up
vmnet0 ==> bridge br1
vmnet1 ==> private lan + nat
vmnet2 ==> bridge br0
vmnet8 ==> private lan ( host only )
##################################################################################################
How do you add a binding to a physical interface in VMware Server?
if the physical interface is br0 and the vmnet is vmnet2:
add the following line to /etc/vmware/locations:
answer VNET_2_INTERFACE br0
##################################################################################################
How do you add a virtual switch in VMware Server?
if the switch is to be vmnet3:
add the following lines to /etc/vmware/locations:
answer VNET_3_HOSTONLY_HOSTADDR 172.16.133.1
answer VNET_3_HOSTONLY_NETMASK 255.255.255.0
##################################################################################################
if you want to enable DHCP on this switch:
do:
mkdir /etc/vmware/vmnet3/dhcpd
cp /etc/vmware/vmnet1/dhcpd/dhcpd.conf /etc/vmware/vmnet3/dhcpd/dhcpd.conf
edit the file /etc/vmware/vmnet3/dhcpd/dhcpd.conf
and add the following lines to /etc/vmware/locations:
directory /etc/vmware/vmnet3
directory /etc/vmware/vmnet3/dhcpd
file /etc/vmware/vmnet3/dhcpd/dhcpd.conf 1222099462
file /etc/vmware/vmnet3/dhcpd/dhcpd.leases
##################################################################################################
if you want to enable NAT on the switch:
mkdir /etc/vmware/vmnet3/nat
cp /etc/vmware/vmnet8/nat/nat.conf /etc/vmware/vmnet3/nat/nat.conf
edit the file /etc/vmware/vmnet3/nat/nat.conf
and add the following lines to /etc/vmware/locations:
answer VNET_3_NAT yes
directory /etc/vmware/vmnet3/nat
file /etc/vmware/vmnet3/nat/nat.conf 1222099405
##################################################################################################
# /usr/lib/vmware/net-services.sh status
Bridged networking on /dev/vmnet0 is running
Host-only networking on /dev/vmnet1 is running
Bridged networking on /dev/vmnet2 is running
Host-only networking on /dev/vmnet3 is not running
NAT networking on /dev/vmnet3 is not running
Host-only networking on /dev/vmnet8 is running
NAT networking on /dev/vmnet8 is running
Juniper - vpn proposal
IKE Phase 1 Proposal:
* Method: Indicates whether a preshared key (“pre”) or digital certificates (“RSA”-Sig or “DSA”-Sig) are used as the authentication method
* DH Group: Indicates the Diffie-Hellman group used for the key generation or exchange (“g1”, “g2” or “g5”)
* Encrypt: Indicates the encryption algorithm (“3DES”, “DES” or “AES”)
* Auth: Indicates the hash algorithm (“MD5” or “SHA-1”)
Values:
--------
(pre|dsa|rsa) (g1|g2|g5) (DES|3DES|AES) (MD5|SHA1)
Examples of a Phase 1 proposal include:
---------------------------------------
* pre-g1-des-md5
* dsa-g2-3des-sha1
* rsa-g5-aes128-md5
* or the current de-facto standard: pre-g2-3des-sha1
IPSEC Phase 2 Proposal:
* PFS: Indicates whether PFS is not being used (“nopfs”) or if it is, which DH group is being applied (“g1”, “g2” or “g5”).
* Encapsulation: Whether the ESP (“esp”) protocol is being used for encryption and authentication, or just the AH (“ah”) protocol.
* Encryption : Indicates the encryption algorithm (“DES”, “3DES” or “AES”)
* Authentication: Indicates the hash algorithm (“MD5” or “SHA1”)
Values:
--------
(nopfs|g1|g2|g5) (ESP|AH) (DES|3DES|AES) (MD5|SHA1)
Examples of a Phase 2 proposal include:
---------------------------------------
* nopfs-esp-des-md5
* g1-ah-null-sha1
* and the de facto standard: g2-esp-3des-sha1
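A parser and sanity check for proposal names in the format described above, added as an example (not Juniper's code). The accepted tokens are the ones listed on this page; accepting aes192/aes256 beside aes128, accepting the null cipher in Phase 2 (used by the AH example above) and the weakness flags are this example's own assumptions.

```python
"""Parser and sanity checker for ScreenOS-style IKE Phase 1 / IPsec Phase 2
proposal names such as pre-g2-3des-sha1 or g2-esp-3des-sha1.

Added example; not Juniper's code.  The accepted tokens are those listed on
this page.  Assumptions: aes192/aes256 are accepted alongside aes128, the
'null' cipher is accepted in Phase 2 because the page's AH example
(g1-ah-null-sha1) uses it, and the weakness flags are this example's policy.
"""
from typing import Dict, List

P1_METHOD = {"pre", "dsa", "rsa"}
DH_GROUP = {"g1", "g2", "g5"}
CIPHER = {"des", "3des", "aes128", "aes192", "aes256"}
HASH = {"md5", "sha1"}
P2_PFS = {"nopfs"} | DH_GROUP
P2_ENCAP = {"esp", "ah"}
P2_CIPHER = CIPHER | {"null"}

# (field name, allowed tokens) in proposal-string order, per phase.
FIELDS = {
    1: (("method", P1_METHOD), ("dh", DH_GROUP), ("enc", CIPHER), ("auth", HASH)),
    2: (("pfs", P2_PFS), ("encap", P2_ENCAP), ("enc", P2_CIPHER), ("auth", HASH)),
}


def parse_proposal(name: str, phase: int) -> Dict[str, str]:
    """Split a proposal name into its fields, raising ValueError on bad input."""
    if phase not in FIELDS:
        raise ValueError("phase must be 1 or 2")
    parts = name.strip().lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"{name!r}: expected 4 dash-separated fields, got {len(parts)}")
    parsed: Dict[str, str] = {}
    for (field, allowed), token in zip(FIELDS[phase], parts):
        if token not in allowed:
            raise ValueError(f"{name!r}: bad {field} {token!r}, allowed {sorted(allowed)}")
        parsed[field] = token
    # AH authenticates only, so it cannot carry a real cipher.
    if phase == 2 and parsed["encap"] == "ah" and parsed["enc"] != "null":
        raise ValueError(f"{name!r}: AH cannot encrypt; use null with ah")
    return parsed


def weaknesses(parsed: Dict[str, str]) -> List[str]:
    """Choices a reviewer would reject by today's standards (example's own policy)."""
    flags = []
    if parsed["enc"] == "des":
        flags.append("DES (56-bit key)")
    elif parsed["enc"] == "3des":
        flags.append("3DES (64-bit block, deprecated)")
    elif parsed["enc"] == "null":
        flags.append("null encryption (authentication only)")
    if parsed["auth"] == "md5":
        flags.append("MD5 (deprecated hash)")
    group = parsed.get("dh") or parsed.get("pfs")   # Phase 1 has dh, Phase 2 has pfs
    if group in ("g1", "g2"):
        flags.append(f"DH {group} ({'768' if group == 'g1' else '1024'}-bit MODP)")
    elif group == "nopfs":
        flags.append("no PFS")
    return flags


def check_proposal(name: str, phase: int) -> Dict[str, object]:
    """One-call verdict: parsed fields plus weakness list, or the parse error."""
    try:
        parsed = parse_proposal(name, phase)
    except ValueError as exc:
        return {"ok": False, "error": str(exc), "parsed": None, "weak": []}
    return {"ok": True, "error": None, "parsed": parsed, "weak": weaknesses(parsed)}


if __name__ == "__main__":
    for name, phase in (("pre-g2-3des-sha1", 1), ("rsa-g5-aes128-md5", 1),
                        ("g2-esp-3des-sha1", 2), ("g1-ah-null-sha1", 2),
                        ("pre-g3-des-md5", 1)):
        print(name, check_proposal(name, phase))
```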
CIDR - classless networking
Some handy data for day-to-day networking.
NETMASK TABLE
Netmask          Netmask (binary)                     CIDR  Notes
_____________________________________________________________________________
255.255.255.255  11111111.11111111.11111111.11111111  /32   Host (single addr)
255.255.255.254  11111111.11111111.11111111.11111110  /31   Unusable
255.255.255.252  11111111.11111111.11111111.11111100  /30   2 usable
255.255.255.248  11111111.11111111.11111111.11111000  /29   6 usable
255.255.255.240  11111111.11111111.11111111.11110000  /28   14 usable
255.255.255.224  11111111.11111111.11111111.11100000  /27   30 usable
255.255.255.192  11111111.11111111.11111111.11000000  /26   62 usable
255.255.255.128  11111111.11111111.11111111.10000000  /25   126 usable
255.255.255.0    11111111.11111111.11111111.00000000  /24   "Class C" 254 usable
255.255.254.0    11111111.11111111.11111110.00000000  /23   2 Class C's
255.255.252.0    11111111.11111111.11111100.00000000  /22   4 Class C's
255.255.248.0    11111111.11111111.11111000.00000000  /21   8 Class C's
255.255.240.0    11111111.11111111.11110000.00000000  /20   16 Class C's
255.255.224.0    11111111.11111111.11100000.00000000  /19   32 Class C's
255.255.192.0    11111111.11111111.11000000.00000000  /18   64 Class C's
255.255.128.0    11111111.11111111.10000000.00000000  /17   128 Class C's
255.255.0.0      11111111.11111111.00000000.00000000  /16   "Class B"
255.254.0.0      11111111.11111110.00000000.00000000  /15   2 Class B's
255.252.0.0      11111111.11111100.00000000.00000000  /14   4 Class B's
255.248.0.0      11111111.11111000.00000000.00000000  /13   8 Class B's
255.240.0.0      11111111.11110000.00000000.00000000  /12   16 Class B's
255.224.0.0      11111111.11100000.00000000.00000000  /11   32 Class B's
255.192.0.0      11111111.11000000.00000000.00000000  /10   64 Class B's
255.128.0.0      11111111.10000000.00000000.00000000  /9    128 Class B's
255.0.0.0        11111111.00000000.00000000.00000000  /8    "Class A"
254.0.0.0        11111110.00000000.00000000.00000000  /7
252.0.0.0        11111100.00000000.00000000.00000000  /6
248.0.0.0        11111000.00000000.00000000.00000000  /5
240.0.0.0        11110000.00000000.00000000.00000000  /4
224.0.0.0        11100000.00000000.00000000.00000000  /3
192.0.0.0        11000000.00000000.00000000.00000000  /2
128.0.0.0        10000000.00000000.00000000.00000000  /1
0.0.0.0          00000000.00000000.00000000.00000000  /0    IP space
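The arithmetic behind the table above, as an added example (not from the page): it regenerates each row from the prefix length and derives an address's network and broadcast pair, using plain bit operations so the mask construction stays visible.

```python
"""Netmask arithmetic behind the CIDR table.

Added example, not part of the original page: regenerates the table rows
from a prefix length and computes the network/broadcast pair of an address,
without the ipaddress module so the bit operations are visible.
"""
from typing import Tuple

OCTET_SHIFTS = (24, 16, 8, 0)


def parse_ipv4(text: str) -> int:
    """Dotted quad -> 32-bit integer, rejecting anything malformed."""
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {text!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def dotted(value: int) -> str:
    return ".".join(str((value >> s) & 0xFF) for s in OCTET_SHIFTS)


def binary(value: int) -> str:
    return ".".join(f"{(value >> s) & 0xFF:08b}" for s in OCTET_SHIFTS)


def netmask(prefix: int) -> int:
    """/prefix -> mask integer: prefix ones followed by (32 - prefix) zeros."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def usable_hosts(prefix: int) -> int:
    """Addresses minus network and broadcast, with the table's /31 and /32 rules."""
    if prefix == 32:
        return 1            # single host
    if prefix == 31:
        return 0            # the table marks /31 unusable (RFC 3021 point-to-point use aside)
    return 2 ** (32 - prefix) - 2


def note(prefix: int) -> str:
    """Reproduce the table's Notes column."""
    if prefix == 32:
        return "Host (single addr)"
    if prefix == 31:
        return "Unusable"
    if prefix > 24:
        return f"{usable_hosts(prefix)} usable"
    if prefix == 24:
        return '"Class C" 254 usable'
    if prefix > 16:
        return f"{2 ** (24 - prefix)} Class C's"
    if prefix == 16:
        return '"Class B"'
    if prefix > 8:
        return f"{2 ** (16 - prefix)} Class B's"
    if prefix == 8:
        return '"Class A"'
    return "IP space" if prefix == 0 else ""


def table_row(prefix: int) -> Tuple[str, str, str, str]:
    mask = netmask(prefix)
    return dotted(mask), binary(mask), f"/{prefix}", note(prefix)


def network_range(address: str, prefix: int) -> Tuple[str, str]:
    """(network address, broadcast address) of address/prefix."""
    mask = netmask(prefix)
    net = parse_ipv4(address) & mask
    return dotted(net), dotted(net | (~mask & 0xFFFFFFFF))


if __name__ == "__main__":
    for p in range(32, -1, -1):
        print("{:<16} {:<36} {:<5} {}".format(*table_row(p)))
    print(network_range("172.16.133.200", 20))
```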
TABLE BY CLASS
Class  Net Addr Range  NetMask          Net Bits  Host Bits  Total Number of hosts
----------------------------------------------------------------------------------
A      0-127           255.0.0.0        8         24         16777216 (i.e. 114.0.0.0)
B      128-191         255.255.0.0      16        16         65536 (i.e. 150.0.0.0)
C      192-254         255.255.255.0    24        8          256 (i.e. 199.0.0.0)
D      224-239         (multicast)
E      240-255         (reserved)
F      208-215         255.255.255.240  28        4          16
G      216/8           ARIN - North America
G      217/8           RIPE NCC - Europe
G      218-219/8       APNIC
H      220-221         255.255.255.248  29        3          8 (reserved)
K      222-223         255.255.255.254  31        1          2 (reserved)
(ref: RFC1375 & http://www.iana.org/assignments/ipv4-address-space )
( http://www.iana.org/numbers.htm )
----------------------------------------------------------------------------------
LIST OF PREFIXES
The current list of special use prefixes:
- 0.0.0.0/8
- 127.0.0.0/8
- 192.0.2.0/24
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 169.254.0.0/16
- all D/E space
(ref: RFC1918 http://www.rfc-editor.org/rfc/rfc1918.txt )
( or ftp://ftp.isi.edu/in-notes/rfc1918.txt )
(rfc search: http://www.rfc-editor.org/rfcsearch.html )
( http://www.ietf.org/ietf/1id-abstracts.txt )
( http://www.ietf.org/shadow.html )
MARTIAN SOURCE IPS: CISCO FILTER
Here is a list of source IP addresses that should never be seen arriving at public routers.
Martians: (updates at: www.iana.org/assignments/ipv4-address-space )
no ip source-route
access-list 100 deny ip host 0.0.0.0 any
deny ip 0.0.0.0 0.255.255.255 any log ! antispoof
deny ip 0.0.0.0 0.255.255.255 0.0.0.0 255.255.255.255 ! antispoof
deny ip any 255.255.255.128 0.0.0.127 ! antispoof
deny ip host 0.0.0.0 any log ! antispoof
deny ip host [router intf] [router intf] ! antispoof
deny ip xxx.xxx.xxx.0 0.0.0.255 any log ! lan area
deny ip 0/8 0.255.255.255 any log ! IANA - Reserved
deny ip 1/8 0.255.255.255 any log ! IANA - Reserved
deny ip 2/8 0.255.255.255 any log ! IANA - Reserved
deny ip 5/8 0.255.255.255 any log ! IANA - Reserved
deny ip 7/8 0.255.255.255 any log ! IANA - Reserved
deny ip 10.0.0.0 0.255.255.255 any log ! IANA - Private Use
deny ip 23/8 0.255.255.255 any log ! IANA - Reserved
deny ip 27/8 0.255.255.255 any log ! IANA - Reserved
deny ip 31/8 0.255.255.255 any log ! IANA - Reserved
deny ip 36-37/8 0.255.255.255 any log ! IANA - Reserved
deny ip 39/8 0.255.255.255 any log ! IANA - Reserved
deny ip 41-42/8 0.255.255.255 any log ! IANA - Reserved
deny ip 50/8 0.255.255.255 any log ! IANA - Reserved
deny ip 58-60/8 0.255.255.255 any log ! IANA - Reserved
deny ip 69-79/8 0.255.255.255 any log ! IANA - Reserved
deny ip 82-95/8 0.255.255.255 any log ! IANA - Reserved
deny ip 96-126/8 0.255.255.255 any log ! IANA - Reserved
deny ip 127/8 0.255.255.255 any log ! IANA - Reserved
deny ip 169.254.0.0 0.0.255.255 any log ! link-local network
deny ip 172.16.0.0 0.15.255.255 any log ! reserved
deny ip 192.168.0.0 0.0.255.255 any log ! reserved
deny ip 192.0.2.0 0.0.0.255 any log ! test network
deny ip 197/8 0.255.255.255 any log ! IANA - Reserved
deny ip 220/8 0.255.255.255 any log ! IANA - Reserved
deny ip 222-223/8 0.255.255.255 any log ! IANA - Reserved
deny ip 224.0.0.0 31.255.255.255 any log ! multicast
deny ip 224.0.0.0 15.255.255.255 any log ! unless MBGP-learned routes
deny ip 224-239/8 0.255.255.255 any log ! IANA - Multicast
deny ip 240-255/8 0.255.255.255 any log ! IANA - Reserved
FILTERED SOURCE ADDRESSES
filtered source addresses
0/8 ! broadcast
10/8 ! RFC 1918 private
127/8 ! loopback
169.254.0/16 ! link local
172.16.0.0/12 ! RFC 1918 private
192.0.2.0/24 ! TEST-NET
192.168.0/16 ! RFC 1918 private
224.0.0.0/4 ! class D multicast
240.0.0.0/5 ! class E reserved
248.0.0.0/5 ! reserved
255.255.255.255/32 ! broadcast
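A detection pass over firewall log lines using the filtered-source list above, added as an example (not from the page). The log format, the WAN interface name and the site prefix 203.0.113.0/24 are constructed; the "lan area" rule from the Cisco ACL above is modelled as "our own prefix arriving on the outside interface".

```python
"""Detection pass over firewall log lines for martian or spoofed source addresses.

Added example, not from the original page.  The prefix list is the page's
'filtered source addresses' list; the log format, the WAN interface name and
the site's own prefix 203.0.113.0/24 are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Page's list in full CIDR form; longest prefixes are checked first so that
# 255.255.255.255 reports "broadcast" rather than the enclosing 248.0.0.0/5.
MARTIANS = sorted(
    [
        ("0.0.0.0/8", "broadcast / this network"),
        ("10.0.0.0/8", "RFC 1918 private"),
        ("127.0.0.0/8", "loopback"),
        ("169.254.0.0/16", "link local"),
        ("172.16.0.0/12", "RFC 1918 private"),
        ("192.0.2.0/24", "TEST-NET"),
        ("192.168.0.0/16", "RFC 1918 private"),
        ("224.0.0.0/4", "class D multicast"),
        ("240.0.0.0/5", "class E reserved"),
        ("248.0.0.0/5", "reserved"),
        ("255.255.255.255/32", "broadcast"),
    ],
    key=lambda item: -ipaddress.ip_network(item[0]).prefixlen,
)
MARTIAN_NETS = [(ipaddress.ip_network(net), why) for net, why in MARTIANS]

SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumed: our public block
WAN_IFACE = "eth0"                                     # assumed: Internet-facing port

LOG_RE = re.compile(r"iface=(?P<iface>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


def classify_source(src: str, iface: str) -> Optional[str]:
    """Reason to drop a packet with this source on this ingress interface, or None."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable source"
    if addr.version != 4:
        return None                         # the page's list is IPv4 only
    for net, why in MARTIAN_NETS:
        if addr in net:
            return why
    # The ACL's "lan area" rule: our own addresses never arrive from outside.
    if iface == WAN_IFACE and addr in SITE_PREFIX:
        return "spoofed: site prefix seen on WAN interface"
    return None


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per flagged line; lines without a packet record are skipped."""
    flagged = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        why = classify_source(m["src"], m["iface"])
        if why:
            flagged.append({"src": m["src"], "iface": m["iface"], "reason": why})
    return flagged


# Constructed sample log (key=value style); not real traffic.
SAMPLE_LOG = [
    "2009-11-04T10:00:01 DROP iface=eth0 src=10.1.2.3 dst=203.0.113.5 proto=tcp dport=80",
    "2009-11-04T10:00:02 PASS iface=eth0 src=198.51.100.7 dst=203.0.113.5 proto=tcp dport=25",
    "2009-11-04T10:00:03 PASS iface=eth0 src=203.0.113.9 dst=203.0.113.5 proto=tcp dport=22",
    "2009-11-04T10:00:04 PASS iface=eth1 src=203.0.113.9 dst=198.51.100.7 proto=tcp dport=443",
    "2009-11-04T10:00:05 DROP iface=eth0 src=224.0.0.251 dst=203.0.113.5 proto=udp dport=5353",
    "2009-11-04T10:00:06 PASS iface=eth1 src=169.254.10.4 dst=203.0.113.5 proto=udp dport=53",
    "2009-11-04T10:00:07 DROP iface=eth0 src=255.255.255.255 dst=203.0.113.5 proto=udp dport=67",
    "2009-11-04T10:00:08 PASS iface=eth0 src=not-an-ip dst=203.0.113.5 proto=udp dport=53",
    "2009-11-04T10:00:09 rule reload complete",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```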
ARIN ADMINISTRATED BLOCKS
ARIN administrated blocks: (http://www.arin.net/regserv/IPStats.html)
24.0.0.0/8 (portions of)
63.0.0.0/8
64.0.0.0/8
65.0.0.0/8
66.0.0.0/8
196.0.0.0/8
198.0.0.0/8
199.0.0.0/8
200.0.0.0/8
204.0.0.0/8
205.0.0.0/8
206.0.0.0/8
207.0.0.0/8
208.0.0.0/8
209.0.0.0/8
216.0.0.0/8
----------------------------------------------------------
PORT/PROTOCOL LINKS
well known ports: (rfc1700.txt)
www.iana.org/assignments/port-numbers
protocol numbers:
www.iana.org/assignments/protocol-numbers
www.iana.org/numbers.htm
ICMP CODES
ICMP(Types/Codes)
Testing Destination Reachability & Status
(0/0) Echo-Reply
(8/0) Echo
Unreachable Destinations
(3/0) Network Unreachable
(3/1) Host Unreachable
(3/2) Protocol Unreachable
(3/3) Port Unreachable
(3/4) Fragmentation Needed and DF set (Pkt too big)
(3/5) Source Route Failed
(3/6) Network Unknown
(3/7) Host Unknown
(3/9) DOD Net Prohibited
(3/10) DOD Host Prohibited
(3/11) Net TOS Unreachable
(3/12) Host TOS Unreachable
(3/13) Administratively Prohibited
(3/14) Host Precedence Unreachable
(3/15) Precedence Unreachable
Flow Control
(4/0) Source-Quench [RFC 1016]
Route Change Requests from Gateways
(5/0) Redirect Datagrams for the Net
(5/1) Redirect Datagrams for the Host
(5/2) Redirect Datagrams for the TOS and Net
(5/3) Redirect Datagrams for the TOS and Host
Router
(6/-) Alternate-Address
(9/0) Router-Advertisement
(10/0) Router-Solicitation
Detecting Circular or Excessively Long Routes
(11/0) Time to Live Count Exceeded
(11/1) Fragment Reassembly Time Exceeded
Reporting Incorrect Datagram Headers
(12/0) Parameter-Problem
(12/1) Option Missing
(12/2) No Room for Option
Clock Synchronization and Transit Time Estimation
(13/0) Timestamp-Request
(14/0) Timestamp-Reply
Obtaining a Network Address (RARP Alternative)
(15/0) Information-Request
(16/0) Information-Reply
Obtaining a Subnet Mask [RFC 950]
(17/0) Address Mask-Request
(18/0) Address Mask-Reply
Other
(30/0) Traceroute
(31/0) Conversion-Error
(32/0) Mobile-Redirect
Ref: [RFC 792] [RFC 896] [RFC 950] [RFC 1016]
www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_3/cofigide/qos.htm#19774
DECIMAL SYSTEM PREFIX
Decimal system prefixes
Factor Exponent Prefix
---------------------------------------------------
1 000 000 000 000 000 000 000 000...10^24....yotta
1 000 000 000 000 000 000 000...10^21....zetta
1 000 000 000 000 000 000...10^18....exa
1 000 000 000 000 000...10^15....peta
1 000 000 000 000...10^12....tera
1 000 000 000...10^9.....giga
1 000 000...10^6.....mega
1 000...10^3.....kilo
100...10^2.....hecto
10...10^1.....deka
0.1...10^-1....deci
0.01...10^-2....centi
0.001...10^-3....milli
0.000 001...10^-6....micro
0.000 000 001...10^-9....nano
0.000 000 000 001...10^-12...pico
0.000 000 000 000 001...10^-15...femto
0.000 000 000 000 000 001...10^-18...atto
0.000 000 000 000 000 000 001...10^-21...zepto
0.000 000 000 000 000 000 000 001...10^-24...yocto
---------------------------------------------------
Convert Fahrenheit <> Celsius:
Celsius = (Fahrenheit - 32) / 1.8
Fahrenheit = (Celsius * 1.8) + 32
Tuesday, October 13, 2009
Upgrading a Nokia Firewall (Flash Based) VRRP (Monitored Circuit) cluster HFA50
Thanks to CPUG !!
1 Ensure that the Smartcenter is upgraded first to the version you are upgrading the cluster to.
2 For our configuration we were using VRRP monitored circuits.
3 Backup the Nokia configuration within Nokia Voyager for both firewalls.
4 Within Nokia for both firewalls print out the configuration summary.
5 Within checkpoint on the cluster object print out all of the existing topology information (take a screen shot)
6 On both Nokia firewalls disable monitor firewall state within the vrrp configuration
7 On secondary raise the VRRP priority on all VRRP virtual routers
8 Test that outbound traffic is routing via the secondary and that the secondary is now the vrrp master for all of the vrrp virtual routers.
9 Just as a precaution down an interface on the primary too. (Not strictly necessary)
10 On primary pull out internet facing connections (Not strictly necessary)
11 As our firewalls are the 1gb flash based models space is an issue and I had great difficulty applying the hfa even after expanding the nokia disk using the sbin mount command. Due to this issue I ended up going for a most drastic upgrade method (e.g rebuild)
12 Plug into the console port and connect using hyperterminal and reboot the firewall
13 When prompted press a key to get into a boot prompt
14 Type “install” enter (Note this will wipe your firewall)
15 The install procedure will ask a number of questions for example how you want to install and what interface (firewall port to use). I went for an anonymous FTP server option (I set my laptop up with Microsoft ftp installed and anonymous logins accepted) and copied the relevant ipso.tgz file (e.g 4.2build096-ipso.tgz) to the ftproot folder on your laptop
16 Next plug a network cable from your laptop into a switch on the same subnet as the interface you are going to use for building (e.g your LAN port, alternatively you could use a crossover cable)
17 The install will ask for IP address of client (the firewall) and server (the ftp server–laptop). Type in the relevant e.g. TCP/IP details - address, mask, gateway.
18 The path to the ipso file e.g /
19 Hit enter.
20 Install all images without prompting
21 Reboot
22 After reboot assign the original hostname, and setup an initial interface matching one from the topology and nokia information summary printed earlier.
23 Set speed, duplex, route, and choose “config via voyager” option.
24 Now you have got an initial interface setup.
Login using voyager and put back interface information, configure ntp, static routes, vrrp config and proxy arp.
25 The last thing you should do is make sure you assign the original host address back with the nokia voyager configuration (this is important and should match the address checkpoint uses).
26 Check ntp, vrrp routing, etc are working
27 Copy the ipso_wrapper_r65.tgz file to the ftproot folder on the laptop.
28 Reboot Nokia, open a ssh connection to the firewall and run newpkg command
29 Select FTP using anonymous server
30 Put in ip address of laptop and / for path.
31 Checkpoint installs the package, reboot when finished
32 Reconnect using a SSH connection back into the firewall and run cpconfig.
33 Select “Yes to license agreement”
34 “No” to dynamically assigned ip address
35 “Yes” to Install a Checkpoint clustering product
36 “No” to add licenses
37 “No” to group permissions
38 Type in keys for seed
39 Enter and re-enter a SIC password
40 Reboot
41 The reboot will install the default block policy.
42 Reconnect to the firewall via and run fw unloadlocal to unload default policy
43 Connect into the smartcenter using smartdashboard change the cluster version to NGX R65
44 On the firewall member object reset sic and enter the sic password used in the install on the firewall. Test sic is working.
45 Note - for SIC to work there must be a route from the smartcenter directly to physical ip address of the firewall host address.
46 Within Smartupdate detach the license and reattach the license
47 Push the policy to the firewall (Note in doing this you will no longer be able to push the policy to the remaining (live ngx62 firewall) while the cluster is set to NGX R65.
48 Just to warn you Check point will not sync its state while the clusters are different versions
49 If running the “cphaprob stat” command you will see one down due to upgrade.
50 Next apply the hfa to the firewall.
51 To apply the hfa50 open a ssh into the firewall.
52 Cd /opt
53 Mkdir hfa
54 Cd hfa
55 Open a secure ftp session using the ssh client
56 Upload the hfa file to the folder
57 run /sbin/mount -u -o extend_partition /dev/null /opt (this gives more space for the upgrade)
58 tar xzvf hfafile.ipso.tgz (extracts the package)
59 rm hfafile.ipso.tgz (removes the package file)
60 Run df -k | awk '/preserve|opt|var/{print $6,$2 - $3}'
61 The above command will show how much space is left on the Nokia volumes (/preserve needs 455000kb and /opt needs 382000kb to install hfa50)
62 When you have enough space run ./UnixInstallScript and this will apply the hfa. Please note this takes up to 15 min’s to install.
63 Reboot the machine.
64 After the machine has rebooted run Smartupdate within smart dashboard and “get data” from the firewall. hfa50 should now be listed as installed.
65 Once you are happy that everything is running correctly you will need to repeat the upgrade procedure listed above for the secondary firewall (e.g. Repeat the steps above making the primary firewall the primary vrrp master again and upgrade the secondary)
66 When both firewalls are upgraded check that the checkpoint state is working using “cphaprob stat” command it should list both firewalls as active (one being local)
67 If state is working ok re-enable “monitor firewall state” on both of the firewalls vrrp configuration.
61 The above command will show how how much space is left on the Nokia volumes (/preserve need 455000kb and /opt needs /382000kb to install hfa50)
62 When you have enough space run ./UnixInstallScript and this will apply the hfa. Please note this takes up to 15 min’s to install.
63 Reboot the machine.
64 After the machine has rebooted run Smartupdate within smart dashboard and “get data” from the firewall. hfa50 should now be listed as installed.
65 Once you are happy that everything is running correctly you will need to repeat the upgrade procedure listed above for the secondary firewall (e.g. Repeat the steps above making the primary firewall the primary vrrp master again and upgrade the secondary)
66 When both firewalls are upgraded check that the checkpoint state is working using “cphaprob stat” command it should list both firewalls as active (one being local)
67 If state is working ok re-enable “monitor firewall state” on both of the firewalls vrrp configuration.
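The space check in steps 60 and 61 is the point where the HFA install fails on the 1GB flash models, so it is worth scripting rather than eyeballing. The following is an added example of my own (not from the post, nor from Nokia or Check Point) that wraps the same df/awk pipeline in a function, compares each volume against the thresholds the post gives, and fails if either is short. The df output embedded in the block is constructed sample data; on the appliance, pipe the real df -k into hfa_space_ok instead.

```shell
# Added example, not from the original post. Verifies the free space that the
# HFA 50 install needs (/preserve 455000 KB, /opt 382000 KB, as stated above)
# before running ./UnixInstallScript.

# Print "<mount> <free-kb>" for the volumes of interest: the same awk as in
# step 60, with free space computed explicitly as total blocks minus used.
nokia_free_kb() {
    awk '/preserve|opt|var/ {print $6, $2 - $3}'
}

# Reads df -k output on stdin; arguments are "<mount>:<kb-needed>" pairs.
# Returns 0 when every required mount has enough space, 1 otherwise.
hfa_space_ok() {
    free=$(nokia_free_kb)
    ok=0
    for req in "$@"; do
        mnt=${req%%:*}; need=${req#*:}
        have=$(printf '%s\n' "$free" | awk -v m="$mnt" '$1 == m {print $2}')
        if [ -z "$have" ]; then
            echo "MISSING $mnt (not in df output)"; ok=1
        elif [ "$have" -lt "$need" ]; then
            echo "SHORT   $mnt: ${have}KB free, ${need}KB needed"; ok=1
        else
            echo "OK      $mnt: ${have}KB free"
        fi
    done
    return $ok
}

# Constructed sample df -k output (device names and sizes are made up).
SAMPLE_DF='Filesystem  1K-blocks   Used  Available Use% Mounted on
/dev/wd0f     600000  200000     400000  33% /opt
/dev/wd0g     800000  300000     500000  37% /preserve
/dev/wd0e     300000   50000     250000  17% /var'

# On the appliance:  df -k | hfa_space_ok /preserve:455000 /opt:382000
printf '%s\n' "$SAMPLE_DF" | hfa_space_ok /preserve:455000 /opt:382000
```

Run it after the extend_partition mount in step 57 and only go on to ./UnixInstallScript when it returns 0; on a box where it reports SHORT, remove the extracted package file (step 59) or old logs before retrying rather than forcing the install.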
Friday, September 25, 2009
CheckPoint: exporting log to a syslog server
How to register a syslog server
The goal is to export all the logs, as a continuous stream (a FIFO), to a syslog server.
The solution consists of running a piece of Check Point software that sends the logs to the local syslog,
which then forwards the data to the remote syslog server.
Here are the programs we will use:
fw log
logger
Explanation
fw log
"fw log" is the tool that shows the logs, on the gateway and on the SmartCenter.
"fw log" accepts some options; we must use these:
-ft : begin with the last line and continuously show the lines as they come.
-n : don't resolve hostnames
-l : add a time stamp
logger
logger is a Unix tool that sends a message (a log line) to syslog.
Solution
So we need to change a boot script, to be sure we always have the functionality.
Change the file /etc/rc.d/init.d/cpboot as follows:
case $1 in
'start')
    $CPDIR/bin/cpstart -b
    cp /etc/syslog.conf /var/run/syslog.conf
    kill -HUP $(ps fax | grep syslogd | grep -v grep | awk '{print $1}')
    # For the normal logs
    fw log -ftnl | logger -p local4.info -t Firewall &
    # For the audit logs
    if [ -f $FWDIR/log/fw.adtlog ]; then
        fw log -ftnl $FWDIR/log/fw.adtlog | logger -p local5.info -t Firewall &
    fi
    ;;
'stop')
    $CPDIR/bin/cpstop
    ;;
esac
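The script above covers the first hop only; the second hop, syslogd forwarding the local4 and local5 facilities to the remote collector, still has to be configured in /etc/syslog.conf. Here is an added example of my own (not from the post, nor Check Point's code) that appends the two forwarding rules to a syslog.conf file without duplicating them, plus a counter to check the result. The collector address 192.0.2.10 and the default path are placeholders; the file path is a parameter so you can try it on a copy before touching the live file.

```shell
# Added example, not from the original post. Appends the classic syslogd rules
# that forward the local4 (normal logs) and local5 (audit logs) facilities used
# by the cpboot script to a remote collector. Idempotent: an existing rule for a
# facility is left alone.
# On the box: add_fw_forwarding /etc/syslog.conf 192.0.2.10 && kill -HUP <syslogd pid>
add_fw_forwarding() {
    conf="$1"; remote="$2"
    for fac in local4 local5; do
        if grep -q "^${fac}\.info[[:space:]]" "$conf"; then
            echo "$conf: rule for $fac.info already present, leaving it alone"
        else
            # classic syslog.conf syntax: selector, TAB, action (@host = UDP/514 forward)
            printf '%s.info\t@%s\n' "$fac" "$remote" >> "$conf"
            echo "$conf: added $fac.info -> @$remote"
        fi
    done
}

# Number of firewall forwarding rules present in the file (post-change check).
count_fw_rules() {
    grep -c '^local[45]\.info[[:space:]]*@' "$1"
}
```

Two things to keep in mind on the collector side: the @host action of classic syslogd is plain UDP, neither authenticated nor encrypted, so restrict port 514 on the collector to the firewall's address; and verify the path end to end with a line like logger -p local4.info -t Firewall test, which should arrive at the collector tagged Firewall before you rely on the feed for alerting.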
Tuesday, June 2, 2009
The DNSBL
What is a DNSBL?
Domain Name System Blacklists, also known as DNSBLs or DNS Blacklists, are spam blocking lists that allow a site administrator to block messages from specific systems that have a history of sending spam. As their name implies, the lists are based on the Internet's Domain Name System, which converts complicated numerical IP addresses such as 140.239.191.10 into domain names like example.net, making the lists much easier to read, use and search. If the maintainer of a DNS Blacklist has in the past received spam of any kind from a specific domain name, that server would be "blacklisted" and all messages sent from it would be either flagged or rejected by all sites that use that specific list.
Where are the DNSBLs?
As an example, here are the default lists Netasq provides in its firewalls:
DSBL: list.dsbl.org : DSBL was a blocklist specialized in listing open relays and open proxies. It is off now.
SORBS: dnsbl.sorbs.net : The Spam and Open Relay Blocking System (SORBS) was conceived as an anti-spam project where a daemon would check "on the fly" all servers from which it received email, to determine whether that email was sent via various types of proxy and open-relay servers.
SPAMCOP: bl.spamcop.net : SpamCop determines the origin of unwanted email and reports it to the relevant Internet service providers.
SPAMHAUS: various lists:
SPAMHAUSSBL: The SBL is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services).
SPAMHAUSXBL: The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal third-party exploits, including open proxies (HTTP, SOCKS, AnalogX, WinGate, etc.), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.
SPAMHAUSCOMB: Combination of SBL and XBL.
SPAMRBL: French list: OUTDATED.
For a full list, you can go here: http://www.dnsbl.info/dnsbl-list.php .
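The description above says what a DNSBL is but not how a mail filter actually consults one. Here is an added example of my own (not from the post, nor Netasq's code) showing the lookup mechanism: the client reverses the octets of the sending IP, prepends them to the list's zone and resolves that name; an A record in 127.0.0.0/8 means "listed", and each list documents what its own 127.0.0.x codes mean. The resolver command is a parameter so the logic can be exercised offline with a constructed resolver; on a real host leave it at the default dig +short. The address 140.239.191.10 is the one from the text, used here only as sample input.

```shell
# Added example, not from the original post: how a DNSBL query is formed and
# interpreted. Zones are the Netasq defaults listed above that are still run.

# 140.239.191.10 bl.spamcop.net -> 10.191.239.140.bl.spamcop.net
dnsbl_name() {
    echo "$1" | awk -F. -v zone="$2" '{print $4"."$3"."$2"."$1"."zone}'
}

# $1 = IP, $2 = DNSBL zone, $3 = resolver command (default "dig +short").
# Prints "LISTED <zone> <code>" and returns 0, or "CLEAR <zone>" and returns 1.
dnsbl_check() {
    resolver="${3:-dig +short}"
    name=$(dnsbl_name "$1" "$2")
    # only an answer inside 127.0.0.0/8 counts as a listing
    code=$($resolver "$name" 2>/dev/null | grep '^127\.' | head -n 1)
    if [ -n "$code" ]; then
        echo "LISTED $2 $code"
        return 0
    fi
    echo "CLEAR $2"
    return 1
}

# $1 = IP, $2 = resolver command ("" for the default), remaining args = zones.
# Prints how many of the zones list the address; a filter would act on that
# count (e.g. reject at 2 or more, tag at 1) rather than on a single list.
dnsbl_score() {
    ip="$1"; resolver="$2"; shift 2
    hits=0
    for zone in "$@"; do
        dnsbl_check "$ip" "$zone" "$resolver" > /dev/null && hits=$((hits + 1))
    done
    echo "$hits"
}

# On a real host:  dnsbl_score 140.239.191.10 "" bl.spamcop.net dnsbl.sorbs.net
```

Scoring across several zones is the usual defence against a single list being stale or over-aggressive (the post itself notes that DSBL is gone and SPAMRBL outdated): a dead zone simply never answers and contributes nothing, whereas treating any one hit as a hard reject would let one list's error bounce legitimate mail.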
Friday, May 29, 2009
NSMXpress: reset root password
Procedure for resetting the admin password on the NSMXpress
In order to reset the password, use the following procedure:
Connect a console device to the console port of the NSMXpress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will be displayed on the console. Choose "Rescue".
When the rescue process starts, it will ask about configuring the network connections. Choose "No".
A message will be displayed indicating that the system is trying to find your Linux installation. Choose "Continue".
A message will be displayed indicating that your system has been mounted under /mnt/sysimage. Press "Return".
Enter the command: vi /mnt/sysimage/etc/shadow
Find the line that starts with "admin:". The value between the first and second ":" is the password hash.
In the example below, the hash is $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/
Using vi commands, replace the existing value (i.e. $1$MaGuoSOG$iEA4IiLSP26eM2e99LJiZ/ ) with the following value.
This is the hash for the password "netscreen":
$1$KYPDZ8Eg$D627p0JrMaVMYqkdVRxcw
Using vi commands, save the file and exit.
At the command prompt, enter exit
The system will reboot and the admin password will have been changed to netscreen.
NSMXpress: reset to factory default
You want to put your Juniper NSMXpress appliance back into a factory default state.
This howto shows you how:
Connect a console device to the console port of the NSMXpress appliance.
Physically power off the NSMXpress appliance.
Power the NSMXpress appliance back on.
During the boot sequence the console will display an option to "press any key to enter the menu". Hit any key. When the boot sequence is interrupted, a menu will be displayed on the console. Choose "Re-Install",
then at the password prompt enter "erase".
That's it: the Juniper NSMXpress management console will format the hard drive.
Netasq: forcing a greyed-out alarm in the manager
How do you change the behaviour of an alarm in the Netasq ASQ intrusion prevention when it appears greyed out in the Firewall Manager?
Connect to the firewall in console mode,
then find the id of the alarm:
$ grep -i http System/Language/fr/protocol
53="Protocole HTTP invalide"
==> check that it really is number 53!
$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
block, major, dump
==> you should see block....
Now the actual change:
$ setconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 "pass, ignore"
==> verify:
$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
pass, ignore
Activate the changes:
$ enasq
The alarm still appears greyed out, but its behaviour has changed.
Warning: some alarms may be displayed as ignore and yet really be blocked, because they are hard-coded in the Netasq ASQ kernel.
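Switching an IPS alarm from block to pass, ignore is a change you will want to be able to trace and undo, and the sequence above is easy to get wrong by hand (wrong id, typo in the action string). Here is an added example of my own (not Netasq's code) that wraps the same getconf/setconf calls in a function: it records the previous action of the alarm before changing it, and fails if reading the value back does not return the new action. ASQ_GETCONF and ASQ_SETCONF default to the appliance commands used in the post and are only overridable so the logic can be exercised elsewhere; ASQ_LOG is an assumed path for the change record.

```shell
# Added example, not from the original post: a guarded wrapper around the
# getconf/setconf sequence for ASQ protocol alarms, keeping a record of the
# old action so the change can be reverted.
ASQ_CONF=/usr/Firewall/ConfigFiles/ASQ/00

# $1 = alarm id -> prints the current action, e.g. "block, major, dump"
asq_get_alarm() {
    ${ASQ_GETCONF:-getconf} "$ASQ_CONF" protocol "$1"
}

# $1 = alarm id, $2 = new action string (e.g. "pass, ignore").
# Appends "<timestamp> <id>: <old> -> <new>" to $ASQ_LOG, applies the change,
# and returns 1 if the value read back differs from what was requested.
asq_set_alarm() {
    id="$1"; new="$2"; log="${ASQ_LOG:-/var/tmp/asq-alarm-changes.log}"
    old=$(asq_get_alarm "$id")
    printf '%s %s: %s -> %s\n' "$(date +%Y-%m-%dT%H:%M:%S)" "$id" "$old" "$new" >> "$log"
    ${ASQ_SETCONF:-setconf} "$ASQ_CONF" protocol "$id" "$new"
    cur=$(asq_get_alarm "$id")
    if [ "$cur" != "$new" ]; then
        echo "alarm $id: expected '$new', read back '$cur'" >&2
        return 1
    fi
    echo "alarm $id: $old -> $cur (run enasq to activate)"
}

# On the appliance:  asq_set_alarm 53 "pass, ignore" && enasq
```

To roll back, take the old action from the log line and call asq_set_alarm again with it, then enasq; the log also gives you something to review when auditing which protections have been relaxed on the box.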
VMware: create the vmnet* special files
How do you create the /dev/vmnet* special files?
Here is how to do it manually:
mknod -m 600 /dev/vmnet0 c 119 0
mknod -m 600 /dev/vmnet1 c 119 1
mknod -m 600 /dev/vmnet2 c 119 2
mknod -m 600 /dev/vmnet3 c 119 3
mknod -m 600 /dev/vmnet4 c 119 4
mknod -m 600 /dev/vmnet5 c 119 5
mknod -m 600 /dev/vmnet6 c 119 6
mknod -m 600 /dev/vmnet7 c 119 7
mknod -m 600 /dev/vmnet8 c 119 8
mknod -m 600 /dev/vmnet9 c 119 9
How to do it automatically:
Remove the file /etc/vmware/not_configured,
edit the file /etc/init.d/vmware,
and in the function vmware_start_vmnet add the following:
for i in `seq 0 9`; do
    # create the character device only if it does not already exist
    if [ ! -c /dev/vmnet$i ]; then
        mknod -m 660 /dev/vmnet$i c 119 $i > /dev/null 2>&1
    fi
done
if [ ! -e /dev/vmmon ]; then
    mknod /dev/vmmon c 10 165 > /dev/null 2>&1
fi
How to create the network interface:
/usr/bin/vmnet-netifup -d /var/run/vmnet-netifup-vmnet2.pid /dev/vmnet2 vmnet2
ifconfig vmnet2 up