Thursday, December 16, 2010

FECN, BECN and DE bits

The FECN, BECN and DE bits are used for network congestion control.

The Forward Explicit Congestion Notification (FECN) and Backward Explicit Congestion Notification (BECN) bits can be used to notify an end station, such as a router, of network congestion.

FECN bits notifies devices downstream that congestion is occurring. Downstream means destination.

BECN bits indicates to routers that could be contributing to congestion that they should slow down transmission.

Discard Eligible (DE) bits indicate that the frame is eligible for discard if congestion occurs.
Most routers set frames to be discards  eligible if the traffic exceeds the PVC's Commited Information Rate (CIR).
The CIR is the transmission rate guaranteed by the service provider.

Tuesday, December 7, 2010

Screenos: Anti-Spam: Adding custom SBL

The anti-spam portion uses a Spam Block List (SBL) which is more commonly known as a Relay Block List (RBL). The SBL/RBL that Juniper offers is updated and maintained by Symantec and contains the Top 100 known spammers.

G1S1-> set anti-spam profile ns-profile
G1S1(anti-spam:ns-profile)-> unset sbl
G1S1(anti-spam:ns-profile)-> set sbl input-type ip
G1S1(anti-spam:ns-profile)-> set sbl input-type ip
G1S1(anti-spam:ns-profile)-> set sbl input-type ip
G1S1(anti-spam:ns-profile)-> set sbl input-type ip

G1S1(anti-spam:ns-profile)-> get sbl
  *SBL Blacklist Server:
G1S1(anti-spam:ns-profile)-> exit

View the Status:

G1S1-> get anti-spam

  profile: ns-profile
  *Whitelists (0):
  *Blacklist (1):;
  *Blacklist[ip range] (0):
  *SBL Blacklist Server:
  *Default setting:
    *Action: tag mail subject as ***SPAM***

DNS Server:
  Primary  :, Src Interface: Null
  Secondary:, Src Interface: Null
  Tertiary  :    , Src Interface: Null

  Total connections:    8
  Total greetings:      8
  Total emails:         8

  Total permit emails:  1
  Total deny actions:   0
  Total tag emails:     7

  errors:               8
  timeouts:             8

  Statistics start time: 12/07/2010 09:43:21

With it with string:

G1S1-> exec anti-spam testscan
AS: anti spam result: action Tag email subject, reason: Match local blacklist

With IP:

G1S1-> exec anti-spam testscan
Please wait for a few seconds.
If the result does not display, please check the debug buffer with the "get dbuf stream" command.
G1S1->  anti spam result: action Pass, reason: Timeout

View the config:

Friday, August 27, 2010

JUNOS: vlan tagging

Junos: How to configure a tag for a L3 interface ?

<br />
So, you have a L3 interface an want to add an IEEE 802.1Q VLAN TAG,

here is how to do so:

root@s1> show configuration interfaces me0
unit 101 {
    vlan-id 101;
    family inet {

Friday, August 13, 2010

NETASQ: How to hanlde FTP PASSIVE connexion ?

ASQ handles FTP thanks to FTP plugin analysis of the command port,

Support for FTP in a REDIRECT rule for Passive connection to an internal server,
Handling passive connections for an internal FTP server is only handled through a REDIRECT
operation; a BIDIRECTIONNAL MAP operation won't work for this purpose.

So you have an Internal FTP server. You want to allow access from the Internet.

You must be aware of:

- plugin ftp must be in auto-attach,
- ftp support must be activated in the NAT rule (we discuss this part after)
- In the object, the ftp service must use the FTP plugin, explicitly.
- In the policy firewall filters you must to have an explicit allow for the ftp service,
- You doesn't have to allow ftp-data

So you have an extra public IP, used for the ftp service. Naturally you created a BIMAP nat rules.
these work fine only is your ftp server run in active mode !

If your ftp server run in Passive mode, you need to create an extra nat rule, a REDIR one ! unless you do so, your FTP PASSIVE SERVER won't be available from the Internet.

Let me resume:

            FTP option { MAP / BIMAP } : support CLIENT ACTIVE FTP

            FTP option { REDIR }: support SERVER PASSIVE FTP

Definition of different NAT used in NETASQ:

MAP    that is used for mapping one address or network to another in an
       unregulated round robin fashion;

       REDIR    that is used for redirecting packets to one IP address and  port
       pair to another;

       BIMAP  for  setting up bidirectional NAT between an external IP address
       and an internal IP address and

Friday, July 23, 2010

Junos: Config V9 sur junos v8

Compatibilité entre conf v8 et conf v9

security {
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                        protocols {
    policies {
        default-policy {

Linux: Automatic Reboot on Kernel Panic

Automatic Reboot on Kernel Panic

This guide will help you configure your server so that in the event of a kernel
panic your server will automatically restart itself. This saves you the trouble
of submitting a reboot request for your server and has the side-effect of
helping to prevent downtime.

There are several different ways that this little-known trick can be
accomplished. We'll go over each method.

On-Startup Command This command can be placed into your server startup scripts.
It must be performed each restart to be effective. This method is sure-fire and
should work on any distribution of linux.

    echo 60 > /proc/sys/kernel/panic

Using Lib

If you are unsure if you are using lib or not, see if you have a file
/etc/lib.conf. If this file exists, then you are okay to place the command
below into the file. If you do not have this file, use a different method.


Once you modify this file and save it you will want to restart lib:

    # /sbin/lib

Using Grub

 If you utilize grub, you may append this to your boot config line:


Bear in mind that by doing this, unless you carefully monitor your system logs
you will not know if a kernel panic has occurred. It does help minimize the
effect of downtime in the event of a kernel panic however.