Tuesday, September 11, 2012
NETASQ: migrating LDAP to the bdb format
Hello,
here is how to migrate the indexed file format to BDB:
# Stop the ldap service
nstop ldap
# Export the database in ldif format
slapd -T cat -f /var/ldap/slapd.conf > /log/export.ldif
# Backup copy of the ldap database
mv /data/Main/Ldapbase /log/Ldapbase.old
# Create the directory for the database
mkdir /data/Main/Ldapbase
# Tune the configuration so that the new format is used
setconf ~/ConfigFiles/ldap Server DBBackend bdb
# Create the DB_CONFIG file specific to the new format
echo "set_lg_max 1000000" >/data/Main/Ldapbase/DB_CONFIG
echo "set_flags DB_LOG_AUTOREMOVE" >>/data/Main/Ldapbase/DB_CONFIG
# Full import of the data
slapd -T add -f /var/ldap/slapd.conf -l /log/export.ldif
# Start the service
nstart ldap
And here are the verification steps:
# List the Ldapbase directory to confirm the new format:
ls /data/Main/Ldapbase
DB_CONFIG __db.002 __db.004 dn2id.bdb log.0000000001 uid.bdb
__db.001 __db.003 __db.005 id2entry.bdb objectClass.bdb
# Check the ldap service
dstat |grep ldap
ldap : /var/supervise/ldap: up (pid 33177) 347 seconds
# Validate the ldap service
nsrpc admin@127.0.0.1
user list
101 code=00f01100 msg="User List:"
cn=philippe,ou=users,o=jnprlabs,dc=stagira.net
100 code=00a00100 msg="Ok"
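The same procedure as one script, added here as an example (it is not code from the original post). It adds the two checks a practitioner wants before the live base is moved away: the export must contain entries, and the re-import must come back with as many entries as were exported, otherwise the old base and the previous DBBackend value are put back. It assumes the NETASQ commands the post uses (nstop, nstart, slapd -T cat/add, setconf) plus getconf for reading the previous backend, and the post's paths; the two helpers are pure and can be tried anywhere, the migration function is meant for the firewall itself.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumes the NETASQ tools
# used in the post (nstop, nstart, slapd -T, getconf, setconf) and its paths.

LDAP_CONF=/var/ldap/slapd.conf
LDAP_BASE=/data/Main/Ldapbase
LDAP_EXPORT=/log/export.ldif
LDAP_BACKUP=/log/Ldapbase.old
LDAP_SVC_CONF=$HOME/ConfigFiles/ldap   # the file the post passes to setconf

# Number of entries in an LDIF file (or stdin): one "dn:" line per entry.
# Folded continuation lines start with a space, so they are never counted.
ldif_entry_count() {
    grep -c '^dn:' "$@" || true        # grep -c exits 1 on zero matches
}

# Write the DB_CONFIG the post creates for the BDB backend into directory $1.
write_db_config() {
    printf 'set_lg_max 1000000\nset_flags DB_LOG_AUTOREMOVE\n' > "$1/DB_CONFIG"
}

# Export, switch backend, re-import.  Aborts before touching the live base
# when the export is empty; restores the old base and backend setting when
# the import fails or holds fewer entries than were exported.
migrate_ldap_to_bdb() {
    nstop ldap
    if ! slapd -T cat -f "$LDAP_CONF" > "$LDAP_EXPORT"; then
        echo "export failed, nothing changed" >&2
        nstart ldap
        return 1
    fi
    exported=$(ldif_entry_count "$LDAP_EXPORT")
    if [ "$exported" -eq 0 ]; then
        echo "export is empty, refusing to move $LDAP_BASE" >&2
        nstart ldap
        return 1
    fi
    echo "exported $exported entries to $LDAP_EXPORT"

    old_backend=$(getconf "$LDAP_SVC_CONF" Server DBBackend)
    mv "$LDAP_BASE" "$LDAP_BACKUP"
    mkdir "$LDAP_BASE"
    setconf "$LDAP_SVC_CONF" Server DBBackend bdb
    write_db_config "$LDAP_BASE"

    imported=0
    if slapd -T add -f "$LDAP_CONF" -l "$LDAP_EXPORT"; then
        imported=$(slapd -T cat -f "$LDAP_CONF" | ldif_entry_count)
    fi
    if [ "$imported" -ne "$exported" ]; then
        echo "import has $imported of $exported entries, restoring $LDAP_BACKUP" >&2
        rm -rf "$LDAP_BASE"
        mv "$LDAP_BACKUP" "$LDAP_BASE"
        setconf "$LDAP_SVC_CONF" Server DBBackend "$old_backend"
        nstart ldap
        return 1
    fi
    ls "$LDAP_BASE"        # expect DB_CONFIG, __db.*, *.bdb, log.* as listed above
    nstart ldap
    echo "migrated $imported entries; $LDAP_BACKUP kept for rollback"
}
```

Run migrate_ldap_to_bdb on the firewall; the nsrpc "user list" check from the post stays the final functional test, and Ldapbase.old is left in place until that check passes.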
Tuesday, September 4, 2012
NETASQ: Using External tools inside the FW
Hi folks,
I need some tools on my unix FW; netasq comes with some, but lacks a lot of others. A great example is wget.
First you need to figure out which FreeBSD version your netasq is running on.
Normally for a V9 it is a FreeBSD 7.3 (note the sys-7.3 in the build path):
# uname -a
NS-BSD VUXXXA1GXXXXXX 9.0.3- NS-BSD 9.0.3- #0: Mon Apr 2 21:15:37 CEST 2012 build@buildmajclipp.netasq.com:/usr/home/build/fw-9.0.3/sys-7.3/work/sys/i386/compile/NETASQ.XL.FULLVIRT.RELEASE i386
For a v8, it is a 6.3:
# uname -a
NS-BSD V50XXA0A0000001 8.1.0- NS-BSD 8.1.0- #0: Wed Mar 31 13:14:10 CEST 2010 build@81maj.netasq.com:/usr/home/build/fw-8.1.0/sys-6.3/work/sys/i386/compile/NETASQ.M.FULLVIRT.RELEASE i386
In the following commands:
root@linux$ is the prompt of the Linux host (yes, sure! :-)
VUXXXXXX0000000> is the prompt of the Netasq FW (huh??)
Download the packages from a distribution server, choosing the package set that matches the FreeBSD version found above. For wget on a V9 you will need:
wget: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/wget-1.12.tbz
gettext: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/gettext-0.17_1.tbz
libiconv: http://ftp.stu.edu.tw/FreeBSD/ports/i386/packages-7.3-release/All/libiconv-1.13.1_1.tbz
These come over plain http from a third-party mirror, so verify what you downloaded against a trusted source before copying anything onto a firewall.
Unpack the files in a directory:
root@linux$ tar -jxvf wget-1.12.tbz
root@linux$ tar -jxvf gettext-0.17_1.tbz
root@linux$ tar -jxvf libiconv-1.13.1_1.tbz
So you have the tool and some libs that will be used later on. Now transfer the wget binary from bin/wget to the netasq FW, into /log/wget-bsd73 for example:
VUXXXXXX0000000> mkdir /log/wget-bsd73
root@linux$ scp bin/wget mynetasqfw:/log/wget-bsd73
Let's check whether all the shared libs are available:
VUXXXXXX0000000>ldd wget
wget:
libssl.so.5 => not found (0x0)
libcrypto.so.5 => not found (0x0)
libiconv.so.3 => not found (0x0)
libintl.so.8 => not found (0x0)
libc.so.7 => /lib/libc.so.7 (0x280cc000)
Well.... are we missing a lot? In fact no, we only miss 2 libs: libiconv.so and libintl.so. libssl and libcrypto are already on the firewall under their unversioned names, so they only need a symlink to the soname wget asks for.
Transfer the 2 libs:
root@linux$ scp lib/libiconv.so.3 mynetasqfw:/log/wget-bsd73
root@linux$ scp lib/libintl.so.8 mynetasqfw:/log/wget-bsd73
For the rest we just need to create symlinks (run these on the FW from /log/wget-bsd73, since the last two use $PWD):
ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.5
ln -s /usr/lib/libssl.so /usr/lib/libssl.so.5
ln -s $PWD/libiconv.so.3 /usr/lib/libiconv.so.3
ln -s $PWD/libintl.so.8 /usr/lib/libintl.so.8
So, check the shared libs again:
VUXXXXXX0000000>ldd wget
wget:
libssl.so.5 => /usr/lib/libssl.so.5 (0x280cc000)
libcrypto.so.5 => /usr/lib/libcrypto.so.5 (0x2811d000)
libiconv.so.3 => /usr/lib/libiconv.so.3 (0x28288000)
libintl.so.8 => /usr/lib/libintl.so.8 (0x2837e000)
libc.so.7 => /lib/libc.so.7 (0x28387000)
Everything is here! Keep in mind that ldd only proves the names resolve: pointing libssl.so.5 at the firewall's own libssl.so assumes the ABI matches, and the download test below is what confirms it.
To finish, copy the wget binary to the /usr/Firewall/sbin/ directory:
VUXXXXXX0000000>cp wget /usr/Firewall/sbin/wget
Now we can test wget:
VUXXXXXX0000000>wget http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
--2011-09-04 10:14:42-- http://94.23.230.70/package/na_pack_updates_kasperskyStandard.md5
Connecting to 94.23.230.70:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 72 [application/octet-stream]
Saving to: `na_pack_updates_kasperskyStandard.md5'
100%[===========================================================================>] 72 --.-K/s in 0s
2011-09-04 10:14:43 (1.05 MB/s) - `na_pack_updates_kasperskyStandard.md5' saved [72/72]
That's all Folks !
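The "read the ldd output" step above as a script, added here as an example (not code from the original post). It lists what is still unresolved for a binary and then proposes the same fix the post applies by hand: a symlink when an unversioned copy of the library already lives in /usr/lib, as with libssl and libcrypto, otherwise a note that the file has to be brought over from the extracted package. It assumes ldd prints lines of the form "libfoo.so.N => not found (0x0)" or "libfoo.so.N => /path (0x...)", as in the output shown above.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumes the ldd output
# format shown above ("soname => not found (0x0)" / "soname => /path (0x..)").

# Read an ldd report on stdin; print the sonames marked "not found".
missing_libs() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# Read sonames on stdin; for each, print either the ln -s command that
# satisfies it from an unversioned library in directory $1 (what the post
# does for libssl/libcrypto) or a note that the file must be copied over.
suggest_fixes() {
    libdir=$1
    while read -r so; do
        stem=${so%.so.*}.so                  # libssl.so.5 -> libssl.so
        if [ -e "$libdir/$stem" ]; then
            echo "ln -s $libdir/$stem $libdir/$so"
        else
            echo "# $so: no $stem in $libdir, copy it from the package and symlink it"
        fi
    done
}

# Whole check for a binary on the firewall: 0 when fully resolved, 1 otherwise,
# with the suggested fixes on stderr.
check_binary() {
    missing=$(ldd "$1" 2>&1 | missing_libs)
    [ -z "$missing" ] && return 0
    printf 'missing for %s:\n' "$1" >&2
    printf '%s\n' "$missing" | suggest_fixes /usr/lib >&2
    return 1
}
```

On the firewall, `check_binary /log/wget-bsd73/wget` prints the four ln -s / copy lines for the first ldd output above and nothing for the second.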
Monday, September 3, 2012
NETASQ: ldap export / import without external tools (i.e. an LDAP browser)
Hi Folks,
every time you need to manipulate the ldap db you'll find a kb, a mail, a tip saying:
"Hey, you need an ldap browser tool."
Wrong!
The netasq has everything inside to do this!
Let's see how.
Where the conf file is:
/var/ldap/slapd.conf
Stop the ldap server:
nstop ldap
Export the db in ldif format:
slapd -4 -T cat -f /var/ldap/slapd.conf > /tmp/export.ldif
Modify it:
vi /tmp/export.ldif
Move the old db:
cd /data/Main/
mv Ldapbase Ldapbase.old
mkdir Ldapbase
Recreate the DB:
slapd -T add -f /var/ldap/slapd.conf -l /tmp/export.ldif
bdb_monitor_db_open: monitoring disabled; configure monitor database to enable
=> bdb_tool_entry_put: id2entry_add failed: DB_KEYEXIST: Key/data pair already exists (-30996)
=> bdb_tool_entry_put: txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="o=jnprlabs,dc=cons165.magirus.com" (line=1): txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
_## 11.06% eta none elapsed none spd 368.9 k/s
Closing DB...
Read the slapadd output before going further: the run above rejected the first entry (o=jnprlabs,dc=cons165.magirus.com) with DB_KEYEXIST, so the final cat below is what tells you whether every entry really made it back; keep Ldapbase.old until it does.
Start the ldap server:
nstart ldap
Let's see if the change is there:
slapd -4 -T cat -f /var/ldap/slapd.conf
That's all!!!
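A cheap check to run on the hand-edited LDIF before the slapadd step, added here as an example (not code from the original post). slapadd refuses an entry whose key already exists in the new base, so a dn: line duplicated or deleted while editing in vi will stop the import; the check reports duplicate DNs and attribute lines that no longer belong to any entry. It does not explain the DB_KEYEXIST shown above (the post does not say what caused it); it only rules out the obvious editing mistakes before the old base is moved away. The LDIF in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.  Lints an LDIF file for
# the two editing mistakes that make slapadd fail or silently drop data.

# Print every DN that appears more than once in LDIF file $1.  DNs are
# compared case-insensitively with surrounding blanks removed; base64 DNs
# ("dn::") are compared on their encoded form, not decoded.
ldif_dup_dns() {
    awk '
        tolower($0) ~ /^dn::?/ {
            dn = tolower($0)
            sub(/^dn::?[ \t]*/, "", dn)
            sub(/[ \t]+$/, "", dn)
            if (++seen[dn] == 2) print dn
        }' "$1"
}

# Print the line numbers of attribute lines that belong to no entry, i.e.
# lines that follow a blank separator without a new "dn:" line (the usual
# result of deleting a dn: line but not the rest of the entry).
ldif_orphan_lines() {
    awk '
        /^$/                    { in_entry = 0; next }
        /^#/ || /^version:/     { next }
        tolower($0) ~ /^dn::?/  { in_entry = 1; next }
        !in_entry               { print NR }
    ' "$1"
}

# Gate for slapadd: 0 when the file is clean, 1 with a report on stderr.
ldif_check() {
    dups=$(ldif_dup_dns "$1")
    orphans=$(ldif_orphan_lines "$1")
    rc=0
    if [ -n "$dups" ]; then
        printf 'duplicate dn:\n%s\n' "$dups" >&2
        rc=1
    fi
    if [ -n "$orphans" ]; then
        printf 'attribute lines outside any entry (line numbers): %s\n' \
            "$(echo $orphans)" >&2
        rc=1
    fi
    printf '%s entries\n' "$(grep -c '^dn:' "$1" || true)"
    return $rc
}

# Usage on the firewall, after editing and before slapadd:
#   ldif_check /tmp/export.ldif && slapd -T add -f /var/ldap/slapd.conf -l /tmp/export.ldif
```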
Tuesday, May 15, 2012
Netasq: access problem to the tax office site (NOT ACCEPTABLE) with the http proxy on v9.x
If you get this error message when a client connects over http to the tax office site (any section of impots.gouv.fr, for example the "espace particulier"):
The requested URL could not be retrieved
________________________________________
The requestor is not willing to accept the available resource. This is probably due to an Accept-Encoding header on the request. The standard available Content-Encodings are: gzip, compress, deflate and identity. Footprint 4.8/FPMCP
________________________________________
Generated Wed, 09 May 2012 15:01:03 GMT by 4.26.232.254 (Footprint 4.8/FPMCP)
Here is the command line that gets past this error. (Note: the "01" in /Firewall/ConfigFiles/Protocols/http/01 is the slot of the outgoing profile; if you use another one, adapt the command accordingly.)
enproxy
Friday, August 13, 2010
NETASQ: How to handle FTP PASSIVE connections?
Support for FTP in a REDIRECT rule for passive connections to an internal server.
Handling passive connections for an internal FTP server is only possible through a REDIRECT
operation; a BIDIRECTIONAL MAP operation won't work for this purpose.
So you have an internal FTP server and you want to allow access from the Internet.
You must be aware of the following:
- the ftp plugin must be in auto-attach,
- ftp support must be activated in the NAT rule (discussed below),
- in the object, the ftp service must use the FTP plugin explicitly,
- in the firewall filter policy you must have an explicit allow for the ftp service,
- you do not need to allow ftp-data.
So you have an extra public IP, used for the ftp service. Naturally you created a BIMAP NAT rule.
This works fine only if your ftp server runs in active mode!
If your ftp server runs in passive mode, you need to create an extra NAT rule, a REDIR one! Unless you do so, your passive FTP server won't be reachable from the Internet.
To sum up:
FTP option { MAP / BIMAP }: supports CLIENT ACTIVE FTP
FTP option { REDIR }: supports SERVER PASSIVE FTP
Definitions of the different NAT types used in NETASQ:
MAP that is used for mapping one address or network to another in an
unregulated round robin fashion;
REDIR that is used for redirecting packets to one IP address and port
pair to another;
BIMAP for setting up bidirectional NAT between an external IP address
and an internal IP address and
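What makes a passive-mode server different, shown as an added example (not code from the original post). In passive mode the data port is chosen per transfer and announced inside the control channel, in the 227 reply defined by RFC 959, so a fixed BIMAP entry cannot anticipate it: the firewall has to parse that reply, open a redirect for the announced port and, when the server sits on a private address, rewrite the announced address to the public one. That is the job of the FTP plugin on the REDIR rule; the plugin's internals are not on the page and are not claimed here. The script parses the reply, produces the rewritten reply and spells out the one-shot redirect that must exist. Addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.  227 reply parsing follows
# RFC 959; the NETASQ plugin's own behaviour is not described here.

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)." -> "h1.h2.h3.h4 port"
pasv_endpoint() {
    nums=$(printf '%s\n' "$1" | sed -n 's/^227 .*(\([0-9,]*\)).*/\1/p')
    [ -n "$nums" ] || return 1
    set -- $(printf '%s\n' "$nums" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    echo "$1.$2.$3.$4 $(( $5 * 256 + $6 ))"
}

# The rewrite a NAT device must apply to the server's 227 reply so that the
# client connects to the public address ($2) instead of the private one.
pasv_rewrite() {
    ep=$(pasv_endpoint "$1") || return 1
    port=${ep#* }
    printf '227 Entering Passive Mode (%s,%d,%d).\n' \
        "$(printf '%s' "$2" | tr '.' ',')" $(( port / 256 )) $(( port % 256 ))
}

# The rule that has to exist for this one transfer, in the post's vocabulary:
# a REDIR from public:port to internal:port.  The port changes every
# transfer, which is why a static BIMAP entry cannot cover passive servers.
pasv_redirect_rule() {       # $1 = 227 reply from the server, $2 = public IP
    ep=$(pasv_endpoint "$1") || return 1
    echo "REDIR $2:${ep#* } -> ${ep%% *}:${ep#* }"
}
```

For example `pasv_endpoint '227 Entering Passive Mode (10,0,0,5,195,80).'` gives `10.0.0.5 50000` (195*256+80), and the rewritten reply for public address 203.0.113.7 announces `(203,0,113,7,195,80)`.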
Wednesday, November 4, 2009
Netasq - QoS
*Note 1*: if you choose CBQ, you will have to compute the required bandwidth.
*Warning 1*: whichever algorithm you use, PRIQ or CBQ, if you want to guarantee a minimum you will have to configure QoS for all _outgoing_ flows; note the word _outgoing_.
*Note 2*: to cap at a maximum, you do not need to declare QoS on every flow.
*Warning 2*:
if you configure a QoS rule for an IN flow, for example between IN and DMZ1,
the QoS engine will apply the bandwidth limit defined for it (the OUT one).
For example, if you only have 1 MB outbound and QoS is applied to web traffic between IN and DMZ (so two IN flows), the maximum bandwidth used will be 1 MB.
Netasq - smtp proxy antivirus problem
Outgoing mail is not sent when using the smtp proxy with antivirus check (clamav).
The reported error message:
Error during data transmission
SMTP error:
421 mwinf2f03.orange.fr Error: timeout exceeded
==> Solution:
a keep-alive of 5 seconds instead of the default 20 seconds.
ConfigFiles/SMTPProxy/01
[Postprocessing]
Policy=Pass
Size=51607
KeepAlive=5
==> Explanation:
The problem comes from the fact that the proxy handles two connections. These two connections do not have the same throughput; there is an order of magnitude of difference, for example ethernet = 100 Mbps, ADSL = 10 Mbps. On top of that comes the latency of the antivirus scan.
These two aspects produce the following behaviour:
- the SMTP client sends the mail quickly (ethernet), as follows:
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .
In parallel, on the server side, the DATA command is forwarded, and while the mail is being received by the proxy and scanned by the AV, fake header fields are sent to keep the server waiting (the keep-alive interval above is how often they are sent, which is why it has to stay below the server's timeout):
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
...
C: X-Keep-Alive: 1
C: X-Keep-Alive: 1
C: From: "Bob Example"
C: To: Alice Example
C: Cc: theboss@example.com
C: Date: Tue, 15 Jan 2008 16:02:43 -0500
C: Subject: Test message
C:
C: Hello Alice.
C: This is a test message with 5 headers and 4 lines in the body.
C: Your friend,
C: Bob
C: .
As soon as the server has received the complete mail, it returns its reply, which is forwarded directly to the client:
S: 250 Ok: queued as 12345
Friday, May 29, 2009
Netasq: forcing a greyed-out alarm in the manager
Connect to the firewall in console mode,
then find the alarm id:
$ grep -i http System/Language/fr/protocol
53="Protocole HTTP invalide"
==> check that it really is 53! (grep -i http can match several lines; take the one whose label is the greyed-out alarm)
$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
block, major, dump
==> you should see block....
now the actual change:
$ setconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 "pass, ignore"
==> check it:
$ getconf /usr/Firewall/ConfigFiles/ASQ/00 protocol 53 ; echo
pass, ignore
Activate the changes:
$ enasq
The alarm still shows as greyed out, but its behaviour has changed.
Warning: some alarms may be displayed as ignore and will still be blocked, because they are hard-coded in the Netasq ASQ kernel.
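The two places where the procedure above relies on the operator's eyes, as an added example (not code from the original post): resolving the label to its id without picking up a neighbouring line that also matches "http", and confirming that the new value really landed before enasq is run. It assumes the language file holds lines of the form NN="label" as shown above and that the ASQ profile is read and written with getconf/setconf (file section key [value]) exactly as in the post; only alarm_id_for runs outside the firewall, and the second label in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.  Assumes the NN="label"
# language file format shown above and the getconf/setconf/enasq tools used
# in the post.

LANG_FILE=/usr/Firewall/System/Language/fr/protocol
ASQ_PROFILE=/usr/Firewall/ConfigFiles/ASQ/00

# Print the id whose label contains $2 (case-insensitive) in file $1.
# Fails unless exactly one line matches, so a loose pattern such as "http"
# cannot silently select the wrong alarm.
alarm_id_for() {
    ids=$(grep -i -- "$2" "$1" | sed -n 's/^\([0-9][0-9]*\)=.*/\1/p')
    n=$(printf '%s\n' "$ids" | grep -c .)
    if [ "$n" -ne 1 ]; then
        printf 'pattern "%s" matches %s ids (%s); be more specific\n' \
            "$2" "$n" "$(echo $ids)" >&2
        return 1
    fi
    echo "$ids"
}

# Set alarm $1 to "pass, ignore", read it back, then activate with enasq.
# The previous action is printed so it can be restored with the same setconf.
alarm_set_pass() {
    before=$(getconf "$ASQ_PROFILE" protocol "$1")
    echo "alarm $1: $before -> pass, ignore"
    setconf "$ASQ_PROFILE" protocol "$1" "pass, ignore"
    after=$(getconf "$ASQ_PROFILE" protocol "$1")
    if [ "$after" != "pass, ignore" ]; then
        echo "alarm $1: setconf did not take (now: $after), not running enasq" >&2
        return 1
    fi
    enasq
}

# Usage on the firewall (label taken from the post):
#   id=$(alarm_id_for "$LANG_FILE" "Protocole HTTP invalide") && alarm_set_pass "$id"
```

The hard-coded alarms mentioned in the warning above are unaffected by this: the file will read "pass, ignore" and the ASQ kernel will block anyway, so a behavioural test of the traffic is still the only proof.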