The FECN, BECN and DE bits are used for network congestion control.
The Forward Explicit Congestion Notification (FECN) and Backward Explicit Congestion Notification (BECN) bits can be used to notify an end station, such as a router, of network congestion.
The FECN bit notifies devices downstream that congestion is occurring. Downstream means toward the destination.
The BECN bit indicates to routers that could be contributing to congestion that they should slow down transmission.
The Discard Eligible (DE) bit indicates that the frame is eligible for discard if congestion occurs.
Most routers mark frames as discard eligible if the traffic exceeds the PVC's Committed Information Rate (CIR).
The CIR is the transmission rate guaranteed by the service provider.
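Added example, not from the original post: it decodes the two-octet Q.922 address field of a Frame Relay frame (DLCI, C/R, FECN, BECN, DE), states what an end station should conclude from each bit, and shows the CIR rule above as code by marking DE on the frames that push a PVC past its committed burst within one interval. The frame bytes, CIR and interval are constructed values.

```python
# Added example (not from the original post). Decode a Frame Relay address
# field and mark frames DE once the CIR is exceeded. All inputs constructed.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FrHeader:
    dlci: int
    cr: bool    # command/response bit (passed through, unused by Frame Relay)
    fecn: bool  # congestion on the path in the direction this frame travels
    becn: bool  # congestion on the path in the opposite direction
    de: bool    # frame may be discarded first when congestion occurs


def parse_fr_header(hdr: bytes) -> FrHeader:
    """Decode a standard 2-octet address field.

    Octet 1: DLCI bits 9..4 | C/R | EA=0
    Octet 2: DLCI bits 3..0 | FECN | BECN | DE | EA=1
    """
    if len(hdr) < 2:
        raise ValueError("need at least two header octets")
    b0, b1 = hdr[0], hdr[1]
    # EA (address extension) must read 0 then 1 for a 2-octet address
    if (b0 & 0x01) != 0 or (b1 & 0x01) != 1:
        raise ValueError("EA bits do not describe a 2-octet address")
    dlci = ((b0 >> 2) << 4) | (b1 >> 4)
    return FrHeader(
        dlci=dlci,
        cr=bool(b0 & 0x02),
        fecn=bool(b1 & 0x08),
        becn=bool(b1 & 0x04),
        de=bool(b1 & 0x02),
    )


def build_fr_header(dlci: int, cr=False, fecn=False, becn=False, de=False) -> bytes:
    """Inverse of parse_fr_header, used here to construct sample frames."""
    if not 0 <= dlci <= 1023:
        raise ValueError("DLCI must fit in 10 bits")
    b0 = ((dlci >> 4) << 2) | (0x02 if cr else 0)                 # EA = 0
    b1 = (((dlci & 0x0F) << 4) | (0x08 if fecn else 0)
          | (0x04 if becn else 0) | (0x02 if de else 0) | 0x01)   # EA = 1
    return bytes([b0, b1])


def congestion_advice(h: FrHeader) -> List[str]:
    """What an end station (e.g. a router) should conclude from the bits."""
    advice = []
    if h.becn:
        advice.append(f"BECN on DLCI {h.dlci}: our transmissions cross a congested path; slow down")
    if h.fecn:
        advice.append(f"FECN on DLCI {h.dlci}: frames arriving here crossed congestion (downstream notice)")
    if h.de:
        advice.append(f"DE on DLCI {h.dlci}: frame exceeded the CIR and will be dropped first")
    return advice


def mark_de(frame_sizes: List[int], cir_bps: int, tc_seconds: float) -> List[bool]:
    """Mark frames DE once the bytes sent within one measurement interval Tc
    exceed the committed burst Bc = CIR * Tc, i.e. the guaranteed rate."""
    bc_bytes = cir_bps * tc_seconds / 8
    sent = 0
    marks = []
    for size in frame_sizes:
        sent += size
        marks.append(sent > bc_bytes)
    return marks


if __name__ == "__main__":
    frame = build_fr_header(16, becn=True, de=True)   # constructed: DLCI 16
    print(frame.hex(), parse_fr_header(frame))
    for line in congestion_advice(parse_fr_header(frame)):
        print(line)
    # 64 kbit/s CIR over a 1 s interval allows 8000 bytes before DE marking
    print(mark_de([3000, 3000, 3000, 3000], cir_bps=64000, tc_seconds=1.0))
```

The DE marking is the simplest form of the rule in the text (cumulative bytes against Bc within one Tc); real policers also account for the excess burst Be before dropping, which the post does not cover.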
Thursday, December 16, 2010
Tuesday, December 7, 2010
ScreenOS: Anti-Spam: Adding a custom SBL
The anti-spam feature uses a Spam Block List (SBL), more commonly known as a Relay Block List (RBL). The SBL/RBL that Juniper offers is updated and maintained by Symantec and contains the top 100 known spammers.
View the config:
G1S1-> set anti-spam profile ns-profile
G1S1(anti-spam:ns-profile)-> unset sbl msgsecurity.juniper.net
G1S1(anti-spam:ns-profile)-> set sbl sbl.spamhaus.org input-type ip
G1S1(anti-spam:ns-profile)-> set sbl dnsbl.sorbs.net input-type ip
G1S1(anti-spam:ns-profile)-> set sbl bl.spamcop.net input-type ip
G1S1(anti-spam:ns-profile)-> set sbl msgsecurity.juniper.net input-type ip
G1S1(anti-spam:ns-profile)-> get sbl
*SBL Blacklist Server:
sbl.spamhaus.org
dnsbl.sorbs.net
bl.spamcop.net
msgsecurity.juniper.net
G1S1(anti-spam:ns-profile)-> exit
View the Status:
G1S1-> get anti-spam
profile: ns-profile
*Whitelists (0):
*Blacklist (1): baddomain.com;
*Blacklist[ip range] (0):
*SBL Blacklist Server:
sbl.spamhaus.org
*Default setting:
*Action: tag mail subject as ***SPAM***
DNS Server:
Primary : 10.1.75.111, Src Interface: Null
Secondary: 172.16.165.22, Src Interface: Null
Tertiary : 0.0.0.0, Src Interface: Null
Total connections: 8
Total greetings: 8
Total emails: 8
Total permit emails: 1
Total deny actions: 0
Total tag emails: 7
errors: 8
timeouts: 8
Statistics start time: 12/07/2010 09:43:21
Test it with a string:
G1S1-> exec anti-spam testscan baddomain.com
AS: anti spam result: action Tag email subject, reason: Match local blacklist
With IP:
G1S1-> exec anti-spam testscan 192.203.178.57
Please wait for a few seconds.
If the result does not display, please check the debug buffer with the "get dbuf stream" command.
G1S1-> anti spam result: action Pass, reason: Timeout
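Added example, not from the original post and not Juniper's code: it shows how an SBL/RBL lookup is formed (the sender's IPv4 octets reversed and prefixed to the list's zone, e.g. sbl.spamhaus.org) and how a verdict falls out in the order the output above suggests: the local blacklist (baddomain.com) first, then each SBL server in turn, with a DNS timeout producing "Pass, reason: Timeout". That last case is the one worth noticing: a lookup timeout fails open, so an unreachable DNS server silently turns the SBL off. The resolver is injected so the example runs offline; the stub answers and the function names are constructed.

```python
# Added example (not from the original post). SBL query construction and a
# fail-open verdict, with an injected resolver so it runs offline.
import ipaddress
from typing import Callable, Dict, List, Optional, Set, Tuple

LOCAL_BLACKLIST = {"baddomain.com"}          # entry seen in 'get anti-spam'
SBL_SERVERS = ["sbl.spamhaus.org", "dnsbl.sorbs.net", "bl.spamcop.net"]
ACTION = "Tag email subject"                  # profile default action

# name -> A records when listed, None when not listed; raises TimeoutError
Resolver = Callable[[str], Optional[List[str]]]


def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the DNSBL name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)          # rejects non-IPv4 input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def anti_spam_verdict(sender: str, resolve: Resolver) -> Tuple[str, str]:
    """Return (action, reason) for a sender given as a domain or IPv4 address."""
    if sender.lower() in LOCAL_BLACKLIST:
        return ACTION, "Match local blacklist"
    try:
        ipaddress.IPv4Address(sender)
    except ValueError:
        return "Pass", "Not in local lists"   # names are only checked locally here
    for zone in SBL_SERVERS:
        try:
            answer = resolve(dnsbl_query_name(sender, zone))
        except TimeoutError:
            # Same behaviour as the device output above: timeout => mail passes.
            return "Pass", "Timeout"
        if answer:
            return ACTION, f"Match SBL {zone}"
    return "Pass", "Not listed"


def make_stub_resolver(listed: Dict[str, List[str]], timeouts: Set[str]) -> Resolver:
    """Constructed stand-in for DNS: 'listed' maps query names to answers,
    'timeouts' holds zones whose lookups never return."""
    def resolve(name: str) -> Optional[List[str]]:
        if any(name.endswith(zone) for zone in timeouts):
            raise TimeoutError(name)
        return listed.get(name)
    return resolve


if __name__ == "__main__":
    healthy = make_stub_resolver({"57.178.203.192.bl.spamcop.net": ["127.0.0.2"]}, set())
    dns_down = make_stub_resolver({}, {"sbl.spamhaus.org"})
    print(anti_spam_verdict("baddomain.com", healthy))     # local blacklist hit
    print(anti_spam_verdict("192.203.178.57", healthy))    # listed by spamcop
    print(anti_spam_verdict("192.203.178.57", dns_down))   # Pass, Timeout
```

The "errors: 8" and "timeouts: 8" counters in the status output are therefore the first thing to check when every test scan ends in "Pass, reason: Timeout": the configured DNS servers must be reachable from the source interface the profile uses.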
Friday, August 27, 2010
JUNOS: vlan tagging
Junos: How to configure a tag for an L3 interface?
So, you have an L3 interface and want to add an IEEE 802.1Q VLAN tag;
here is how to do so:
root@s1> show configuration interfaces me0
description "MGMT INTERFACE - DO NOT DELETE";
vlan-tagging;
unit 101 {
    vlan-id 101;
    family inet {
        address 10.150.8.161/16;
    }
}
Friday, August 13, 2010
NETASQ: How to handle FTP PASSIVE connections?
ASQ handles FTP through the FTP plugin's analysis of the command channel.
Support for FTP in a REDIRECT rule for passive connections to an internal server:
handling passive connections for an internal FTP server is only possible through a REDIRECT
operation; a BIDIRECTIONAL MAP operation won't work for this purpose.
So you have an internal FTP server and you want to allow access from the Internet.
You must be aware of the following:
- the ftp plugin must be in auto-attach,
- FTP support must be activated in the NAT rule (we discuss this part below),
- in the object, the ftp service must use the FTP plugin explicitly,
- in the firewall filter policy you must have an explicit allow for the ftp service,
- you do not have to allow ftp-data.
So you have an extra public IP, used for the FTP service. Naturally you created a BIMAP NAT rule.
This works fine only if your FTP server runs in active mode!
If your FTP server runs in passive mode, you need to create an extra NAT rule, a REDIR one! Unless you do so, your passive FTP server won't be reachable from the Internet.
To summarize:
FTP option { MAP / BIMAP }: supports CLIENT ACTIVE FTP
FTP option { REDIR }: supports SERVER PASSIVE FTP
Definition of the different NAT types used in NETASQ:
MAP that is used for mapping one address or network to another in an unregulated round robin fashion; REDIR that is used for redirecting packets to one IP address and port pair to another; BIMAP for setting up bidirectional NAT between an external IP address and an internal IP address and
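Added example, not from the original post and not NETASQ's code: it illustrates why passive mode needs the FTP plugin and a REDIRECT rule rather than plain address mapping. A passive server answers PASV with a "227" reply that carries its own (private) address and a freshly chosen data port inside the control channel, so something on the firewall has to read that reply, rewrite the address to the public one, and open exactly that data port toward the internal host. The functions below do that for a 227 reply; addresses, the port range and function names are constructed.

```python
# Added example (not from the original post). What an FTP plugin has to do
# with a passive-mode server's "227 Entering Passive Mode" reply.
import re
from typing import Optional, Tuple

PASV_RE = re.compile(
    r"227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

# (public_ip, public_port, internal_ip, internal_port) the REDIRECT must forward
Pinhole = Tuple[str, int, str, int]


def parse_pasv(reply: str) -> Tuple[str, int]:
    """Extract (ip, port) from a 227 reply; the port is p1*256 + p2."""
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if any(v > 255 for v in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("address octet or port byte out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def format_pasv(ip: str, port: int) -> str:
    """Build the 227 reply the Internet client should see."""
    a, b, c, d = ip.split(".")
    return f"227 Entering Passive Mode ({a},{b},{c},{d},{port // 256},{port % 256})"


def rewrite_pasv(reply: str, internal_ip: str, public_ip: str,
                 passive_ports: Tuple[int, int] = (50000, 50100)) -> Tuple[str, Optional[Pinhole]]:
    """Rewrite the server's PASV reply for an external client and return the
    data-connection pinhole the firewall must open. A reply naming any other
    address is returned unchanged with no pinhole, and a data port outside the
    server's configured passive range is refused so the control channel cannot
    be used to open arbitrary ports toward the inside."""
    ip, port = parse_pasv(reply)
    if ip != internal_ip:
        return reply, None
    lo, hi = passive_ports
    if not lo <= port <= hi:
        raise ValueError(f"data port {port} is outside the passive range {lo}-{hi}")
    return format_pasv(public_ip, port), (public_ip, port, internal_ip, port)


if __name__ == "__main__":
    # constructed: internal server 10.0.0.5, public address 203.0.113.10
    server_reply = "227 Entering Passive Mode (10,0,0,5,195,80)"
    print(rewrite_pasv(server_reply, "10.0.0.5", "203.0.113.10"))
```

Without this rewrite a client on the Internet would try to connect to 10.0.0.5 for the data channel, which is exactly why a BIMAP rule alone (addresses only, no inspection of the control channel) leaves a passive server unreachable.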
Friday, July 23, 2010
Junos: v9 config on Junos v8
Compatibility between a v8 config and a v9 config
security {
    zones {
        security-zone trust {
            interfaces {
                all {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
    }
    policies {
        default-policy {
            permit-all;
        }
    }
}
Linux: Automatic Reboot on Kernel Panic
Automatic Reboot on Kernel Panic
This guide will help you configure your server so that in the event of a kernel
panic your server will automatically restart itself. This saves you the trouble
of submitting a reboot request for your server and has the side-effect of
helping to prevent downtime.
There are several different ways that this little-known trick can be
accomplished. We'll go over each method.
On-Startup Command
This command can be placed into your server startup scripts.
It must be performed on each restart to be effective. This method is sure-fire and
should work on any distribution of Linux.
echo 60 > /proc/sys/kernel/panic
Using LILO
If you are unsure whether you are using LILO or not, see if you have the file
/etc/lilo.conf. If this file exists, then you can place the line
below into the file. If you do not have this file, use a different method.
append="panic=15"
Once you modify this file and save it you will want to rerun LILO so the boot loader picks up the change:
# /sbin/lilo
Using GRUB
If you use GRUB, you may append this to your kernel boot line:
panic=15
Bear in mind that by doing this, unless you carefully monitor your system logs
you will not know that a kernel panic has occurred. It does help minimize the
effect of downtime in the event of a kernel panic, however.
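Added example, not from the original post: a small audit that reports whether automatic reboot on panic is actually in effect on a host, reading the sources the methods above configure: the live value in /proc/sys/kernel/panic (what the echo command sets, lost on reboot), a panic= option on the kernel command line (/proc/cmdline for the running kernel, or the LILO append= / GRUB kernel line), and a sysctl.conf-style file, since `kernel.panic = N` there is the sysctl equivalent of the echo and survives reboots. Paths are parameters so the functions can be exercised on constructed input; the function names are assumptions of this example.

```python
# Added example (not from the original post). Report the effective
# kernel-panic reboot timeout and whether it is persistent.
from pathlib import Path
from typing import Dict, Optional


def panic_from_cmdline(cmdline: str) -> Optional[int]:
    """Return the panic= value from a kernel command line, or None if absent."""
    for token in cmdline.split():
        if token.startswith("panic="):
            try:
                return int(token[len("panic="):])
            except ValueError:
                return None
    return None


def panic_from_sysctl_conf(text: str) -> Optional[int]:
    """Parse 'kernel.panic = N' from sysctl.conf-style text (last entry wins)."""
    value = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == "kernel.panic":
            try:
                value = int(val.strip())
            except ValueError:
                value = None
    return value


def read_int_file(path: str) -> Optional[int]:
    """Read a single integer from a file such as /proc/sys/kernel/panic."""
    try:
        return int(Path(path).read_text().strip())
    except (OSError, ValueError):
        return None


def describe_panic(timeout: Optional[int]) -> str:
    """Kernel semantics: 0 (the default) hangs forever, N>0 reboots after N
    seconds, N<0 reboots immediately."""
    if timeout is None or timeout == 0:
        return "no automatic reboot: the system will hang on a kernel panic"
    if timeout < 0:
        return "reboot immediately on kernel panic"
    return f"reboot {timeout} seconds after a kernel panic"


def audit(proc_panic: str, proc_cmdline: str, sysctl_conf: Optional[str] = None) -> Dict[str, object]:
    """Collect the live value and the boot-time/persistent settings and flag
    the common gap: a live value with nothing that restores it after reboot."""
    live = read_int_file(proc_panic)
    cmdline_path = Path(proc_cmdline)
    boot = panic_from_cmdline(cmdline_path.read_text()) if cmdline_path.exists() else None
    persisted = None
    if sysctl_conf and Path(sysctl_conf).exists():
        persisted = panic_from_sysctl_conf(Path(sysctl_conf).read_text())
    effective = live if live is not None else 0
    persistent = (boot is not None and boot != 0) or (persisted is not None and persisted != 0)
    return {
        "live": live,
        "cmdline": boot,
        "sysctl_conf": persisted,
        "status": describe_panic(effective),
        "persistent": persistent,
    }


if __name__ == "__main__":
    report = audit("/proc/sys/kernel/panic", "/proc/cmdline", "/etc/sysctl.conf")
    for key, val in report.items():
        print(f"{key}: {val}")
```

A typical finding is `live: 60` with `persistent: False`, which is the echo-at-startup method working only until someone removes the startup script; either the boot-line option or a `kernel.panic = 60` line in sysctl.conf closes that gap.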