Category: Networks

  • Mixing pysnmp and stdin

    Depending on the application, sometimes you want to have some socket operations going (such as loading a website) while also reading from stdin. There are plenty of examples of this in Python, which usually boil down to treating stdin as just another file descriptor and mixing it into the list of descriptors that select() watches.
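    As an added example (not code from the post or from pysnmp), this is the select() arrangement described above in Python, with a UDP socket standing in for the socket side; the pipe used in the self-test fixture and the loopback address are constructed for the demo:

```python
"""Read stdin and a UDP socket from a single select() loop.

Added example; not from the post and not pysnmp code. select() accepts anything
with a fileno(), so the real stdin (sys.stdin.fileno()) can sit in the same
readable list as a socket. The demo fixture uses a pipe in place of stdin.
"""
import os
import select
import socket
import sys


def make_udp_socket(bind=("127.0.0.1", 0)):
    """Constructed for the demo: a non-blocking UDP socket on an ephemeral port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    sock.setblocking(False)
    return sock


def multiplex(stdin_fd, sock, timeout=None):
    """Yield ('stdin', line), ('udp', data, peer) or ('timeout',) events.

    stdin is read with os.read() on the raw descriptor rather than a buffered
    file object: readline() on a buffered file can pull several lines into
    Python's own buffer, after which select() no longer reports the descriptor
    readable and those lines sit there unread. Returns at EOF on stdin.
    """
    pending = b""
    readers = [sock, stdin_fd]
    while True:
        readable, _, _ = select.select(readers, [], [], timeout)
        if not readable:
            yield ("timeout",)
            continue
        for ready in readable:
            if ready is sock:
                data, peer = sock.recvfrom(65535)
                yield ("udp", data, peer)
                continue
            chunk = os.read(stdin_fd, 4096)
            if not chunk:                       # EOF: Ctrl-D or a closed pipe
                if pending:                     # flush an unterminated last line
                    yield ("stdin", pending.decode("utf-8", "replace"))
                return
            pending += chunk
            while b"\n" in pending:
                line, pending = pending.split(b"\n", 1)
                yield ("stdin", line.decode("utf-8", "replace"))


def demo_round_trip():
    """Fixture: two lines through a pipe standing in for stdin plus one datagram,
    returning what the loop saw grouped by source (the order between the two
    sources is not guaranteed, which is why they are grouped)."""
    rfd, wfd = os.pipe()
    udp = make_udp_socket()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    seen = {"stdin": [], "udp": []}
    try:
        sender.sendto(b"ping", udp.getsockname())
        os.write(wfd, b"hello\nworld\n")
        for event in multiplex(rfd, udp, timeout=1.0):
            if event[0] == "timeout":
                continue
            seen[event[0]].append(event[1])
            if len(seen["stdin"]) + len(seen["udp"]) == 3:
                break
    finally:
        os.close(wfd)
        os.close(rfd)
        sender.close()
        udp.close()
    return seen


if __name__ == "__main__":
    udp_sock = make_udp_socket()
    print("UDP on %s:%d; type lines on stdin, Ctrl-D to quit" % udp_sock.getsockname(),
          file=sys.stderr)
    for ev in multiplex(sys.stdin.fileno(), udp_sock, timeout=5.0):
        print(ev)
```

    The same loop takes any number of extra sockets (TCP listeners, more UDP sockets) by adding them to the readers list; the one caveat worth remembering is the buffered-readline trap noted in the docstring.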

    A while ago I asked on a mailing list whether I could have pysnmp use a different socket map, so I could add my own sockets in (UDP, TCP and a zmq socket, to name a few), and Ilya, the author of pysnmp, explained how pysnmp can use a foreign socket map.

  • Checking Cloudflare SSL

    My website has for a while used CloudFlare as its front-end.  It’s a rather nice setup and means my real server gets less of a hammering, which is a good thing.  A few months ago they enabled a feature called Universal SSL, which I have also added to my site.  Around the same time, my SSL check scripts started failing for the website: the certificate had apparently expired many, many days ago. Something wasn’t right.
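    Added here as a worked example of the kind of SSL check script the post mentions, not the author's script: it connects with SNI (the server_hostname argument), then checks the name and expiry of whatever certificate comes back. The sample certificate dict and the dates are constructed. One thing worth checking when a shared front-end such as CloudFlare starts serving a site is whether the check sends SNI at all; without it a shared front-end can present a different certificate from the one you meant to test (a general caveat, not something the post establishes as the cause).

```python
"""Check a site's TLS certificate the way a monitoring script would.

Added example, not the post's check script. fetch_cert() needs the network; the
checking functions work on the dict ssl returns from getpeercert(), so they can
be exercised on SAMPLE_CERT, which is constructed and not a real certificate.
"""
import socket
import ssl
import sys
import time

SAMPLE_CERT = {                                   # constructed test data
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
    "notAfter": "Jun 19 23:59:59 2025 GMT",
}


def fetch_cert(host, port=443, timeout=10):
    """Connect with SNI plus hostname verification and return the peer cert dict."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # server_hostname => SNI
            return tls.getpeercert()


def cert_names(cert):
    """DNS names the certificate is valid for: SANs first, commonName only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact match, or a leftmost-label wildcard (*.example.com matches www.example.com only)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def utc_seconds(cert_time):
    """Parse a notBefore/notAfter string (UTC) to epoch seconds, as ssl does."""
    return ssl.cert_time_to_seconds(cert_time)


def days_until_expiry(cert, now=None):
    """Days until notAfter (fractional; negative once expired)."""
    now = time.time() if now is None else now
    return (utc_seconds(cert["notAfter"]) - now) / 86400.0


def check_cert(cert, hostname, warn_days=14, now=None):
    """Return (ok, reason) the way a monitoring check would: name, expiry, warning window."""
    names = cert_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        return False, "certificate is for %s, not %s" % (", ".join(names) or "nobody", hostname)
    left = days_until_expiry(cert, now)
    if left < 0:
        return False, "expired %.1f days ago" % -left
    if left < warn_days:
        return False, "expires in %.1f days" % left
    return True, "expires in %.1f days" % left


if __name__ == "__main__":
    site = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # placeholder default
    ok, why = check_cert(fetch_cert(site), site)
    print("%s: %s (%s)" % (site, "OK" if ok else "FAIL", why))
    sys.exit(0 if ok else 2)
```

    Run it as `python check_cert.py yoursite.example` from cron; a non-zero exit is the alert condition.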

  • Juniper Firewalls and IPv6

    A little firewall

    I found an interesting side-effect of Juniper firewalls when you introduce IPv6.  In hindsight it appears perfectly reasonable, but if you are not aware of it in the first place you may have a much more permissive firewall than you thought.  My setup is such that my internet address changes every time I connect to an ISP. I have services “behind” the Juniper that I want to expose to the Internet, in this case a mailserver.

  • Trying out Prosody for XMPP

    After reading François’ article about running your own XMPP server, I thought I’d give it a go myself. A comment from Steven suggested that prosody would be a better and simpler alternative so I went with that.

    It is actually really simple, with about 5 lines to add to the config, as well as firewall changes. The only trick is that if you have a chained SSL certificate like mine you need to cat your certificate and the CA one together into a single file, otherwise you get SSL errors.

    So I’m up and going with an XMPP contact the same as my email address, which is csmall and then the domain enc.com.au.
    It just doesn’t have anyone as contacts yet 🙁 I’ll be adding the DNS records for it shortly.

  • postfix transport with smarthost

    Dear lazyweb,

    Has anyone got a way for postfix to use a transport map such that it sends email to the given MX host for some specified domains then default to a smarthost for the remainder?

    The logic would be:

    IF domain IN ('example.net', 'foo.bar', etc.) THEN use that domain's MX host ELSE send to smarthost.isp.net

    I can use a transport map to send mail for specific domains to specific hosts, e.g. @domain.com goes to otherisp.net's mailserver, but not to just use domain.com's own MX hosts.

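    One documented way to get exactly that logic, added here as an example rather than something from the post (hostnames are placeholders): leave relayhost unset, give the listed domains a null transport_maps entry, which tells Postfix not to change the transport or nexthop and so deliver via the domain's own MX, and catch everything else with a wildcard entry pointing at the smarthost.

```text
# /etc/postfix/main.cf (added example; hostnames are placeholders)
# No relayhost here: the wildcard entry in the transport map takes its place.
transport_maps = hash:/etc/postfix/transport

# /etc/postfix/transport
# A null transport and null nexthop (just ":") means "do not change the
# delivery transport or nexthop", so these domains are delivered straight
# to their own MX hosts.
example.net     :
.example.net    :
foo.bar         :
# Everything else is relayed to the smarthost; the brackets turn off
# MX lookup for the smarthost name.
*               smtp:[smarthost.isp.net]

# then: postmap /etc/postfix/transport && postfix reload
```

    Check the result with `postmap -q example.net hash:/etc/postfix/transport` (empty result, so MX delivery) and `postmap -q elsewhere.example hash:/etc/postfix/transport` (the wildcard's smtp:[smarthost.isp.net]) before reloading.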
  • Anti-Spam Fails

    A day or two ago I tried sending an email to a friend who happens to use the Road Runner ISP for his mail service.  Now this ISP doesn’t like dynamic IP addresses (using the increasingly inaccurately named Dial Up List), so I have to punt the email through my ISP’s mailserver first.  Now that server is telling me this:

    The reason for the problem: 4.3.2 – Not accepting messages at this time 554-‘5.7.1 – ERROR: Mail refused – <150.101.137.131> – See http://sendersupport.senderscore.net’

    So their ISP’s mailserver is refusing connections from my ISP’s mailserver for some reason, probably because it is on some spam list.  There’s a URL to look up the problem, and going there gives you three things:

    1. A redirection to https://sendersupport.senderscore.net/
    2. A badly configured webserver that uses the above URL with a certificate for www.senderscore.net
    3. A page that says “It works”

    Either Road Runner or Senderscore, preferably both, need to get a clue. Oh, and going to https://www.senderscore.net/ gives connection refused. A bit of digging around shows the correct URL is https://senderscore.org/

    Now I just realized that my SSL certificate for https://enc.com.au/ expired on the weekend so I know these things can happen, but I’m one person (who was away for a while), why can’t companies get their act together?

  • JFFNMS 0.9.3 1st release candidate

    I have been putting a lot of testing into JFFNMS lately.  I have been very lucky to have had someone with the time and patience to try out various sub versions and give me access to their results.

    The end result of all this testing is a much, much less buggy JFFNMS.  There have been a stack of problems with caching results, for example, where status would not be updated or, even worse, the status of one device affected another.

    The poller parent scheduler had a problem too: it would almost always hand work to the first child, starving the others, which slowed things down. The scheduler is now a lot fairer across the children, giving a speed-up. I’ve heard of speed-ups of 15x for this one change alone.

    I also had a curious bug where if a device was set to not gather state it still did, and created events but not alerts.  This meant your event table was spammed with down interface alerts even on interfaces you know are down and for which you had turned state checking off.  0.9.3 now does it the right way.

    The first RC is now uploaded and can be found at https://sourceforge.net/projects/jffnms/files/jffnms%20RC/ to try out.

    I’m a little worried that the pollers now run too fast and could overwhelm the usually crummy control stack found in network devices for parsing SNMP.  I’m interested to hear how people find it.
  • JFFNMS 0.9.2 Released

    JFFNMS Interfaces and Events

    JFFNMS version 0.9.2 was released today, both as an upstream tar.gz file and as a new Debian package.  This version fixes some bugs, including making sure it works with PHP 5.4.

    The change in PHP 5.4 that matters here is that call-time pass-by-reference has been removed.  Previously you could call a function as myfunc(&$blah), passing a reference to $blah at the call site rather than its value.  Now the function definition itself has to declare the parameter as a reference, as in function myfunc(&$blah), and the call site just passes $blah; the function says what it wants rather than the caller deciding each time.
  • Making peace with Network Manager

    Painless, they say.  Automatic, they say.  This is how the NetworkManager manual page describes the daemon.  I’d like to say annoying and intrusive, and I know there are a lot of people out there who feel the same.  The program is used to set up network connections and provides a system tray thingy for Gnome, and for simple set-ups it’s great.

    Sure, I got NetworkManager running on my laptop and we’re all friends over there.  It just works: my local network, wireless network and even 3G and VPNs work just like they should.  This is the environment it was designed for and it shows.

    What about on the server where I log in using gdm?  We’ve had nothing but a world of pain there.  It used to be bad enough when it fiddled with /etc/resolv.conf, meaning DNS stopped working every time I logged out.  Every “stop playing around with my settings and leave me alone” option fails to do just that.  It got so bad I had to use chattr to make the file immutable; so if you are tearing your hair out, then chattr +i /etc/resolv.conf is your friend.

    The latest version of NetworkManager takes this insanity to a new level.  Now, not content with messing around with my resolver files, it reconfigures my statically assigned IP address to a dynamic DNS one AND removes it when I log out.  No doubt if I let it, it would muck around with the resolver files too.  Again, by default on a laptop this is fine.  The problem is the ‘would you leave me alone’ options fail to work, or mean stupid things happen, like Pidgin not thinking there is a network and so never logging in.

    So I resorted to reading more about this intrusive program to see whether there was a way of stopping it doing what it was doing.  The directory /etc/NetworkManager/system-connections looked promising, as those are connections available at boot time and across all users.  But then there is the funky format and, wow, nothing saying what you might need versus what, if missing, makes the thing fail.

    What’s not obvious is that if you edit your network connections and then select ‘available to all users’ then your settings go into that system-connections directory, and for the moment that appears to be working.  It means I have my network settings configured in two places, which means all sorts of fun if I change them and forget about the other.

    This isn’t an ideal situation; NetworkManager should start to behave properly, read the ifupdown configuration and use it, but not muck around with settings if it is told not to.  There are options that imply they do this, but they don’t work.  Despite the title, I don’t think peace has broken out between me and NetworkManager, but rather an uneasy truce; I’m sure that program is just sitting there thinking of what other settings it could play with when my back is turned.
  • IPv6 and address translation

    We’re in that in-between place where there is plenty of IPv4 out there, but sometimes you either need or want to get to IPv6 addresses.  With the IPv4 address allocations out of ARIN now empty there is going to be an increased need for NAT, either between the address families or within one.  This is a quick overview of the different sorts of systems that do this address translation.

    6tunnel

    The best way to describe this is port forwarding across the address families. You can have an IPv4 port on your local device that, when you connect to it, forwards the connection via IPv6 to a remote device, perhaps on a different port. You can also do it the other way, so connecting to a local IPv6 port will connect to a remote IPv4 port.  Of course “remote” could be another port on the same computer.
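    As an added example of what 6tunnel does (not its code), a small cross-family TCP relay in Python: it listens in one address family, connects onward in the other, and copies bytes both ways. The echo service, the loopback addresses and the payload are constructed for the demo.

```python
"""Relay TCP connections across address families, the job 6tunnel does.

Added example, not 6tunnel's code. A listener in one family accepts a
connection, opens a second connection in the other family to the target and
copies bytes in both directions. The echo server is a constructed stand-in for
the "remote" service, which here lives on the same machine.
"""
import socket
import threading

PAYLOAD = b"hello over the tunnel\n"        # constructed test traffic


def _pump(src, dst):
    """Copy src -> dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, upstream):
    """Run both directions, then close both sockets once both have finished."""
    threads = [threading.Thread(target=_pump, args=pair, daemon=True)
               for pair in ((client, upstream), (upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def start_forwarder(listen, listen_family, target, target_family):
    """Accept on listen=(host, port) in listen_family and connect each client
    onward to target=(host, port) in target_family. Returns the listening
    socket (port 0 picks an ephemeral one; close it to stop)."""
    lsock = socket.socket(listen_family, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind(listen)
    lsock.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:
                return                              # listener closed
            upstream = socket.socket(target_family, socket.SOCK_STREAM)
            try:
                upstream.settimeout(10)
                upstream.connect(target)
                upstream.settimeout(None)
            except OSError:
                upstream.close()
                client.close()                      # target unreachable: drop the client
                continue
            threading.Thread(target=_relay, args=(client, upstream), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock


def start_echo_server(family, bind):
    """Constructed stand-in for the remote service: echoes each connection back."""
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(bind)
    srv.listen(4)

    def echo(conn):
        _pump(conn, conn)
        conn.close()

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=echo, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def round_trip(listen_v6=False, target_v6=False, payload=PAYLOAD):
    """Echo server in one family, forwarder listening in the other, one exchange."""
    lf = socket.AF_INET6 if listen_v6 else socket.AF_INET
    tf = socket.AF_INET6 if target_v6 else socket.AF_INET
    echo = start_echo_server(tf, ("::1" if target_v6 else "127.0.0.1", 0))
    fwd = start_forwarder(("::1" if listen_v6 else "127.0.0.1", 0), lf,
                          echo.getsockname()[:2], tf)
    try:
        with socket.socket(lf, socket.SOCK_STREAM) as c:
            c.settimeout(5)
            c.connect(fwd.getsockname()[:2])
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)               # our EOF travels through both hops
            got = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    return got
                got += chunk
    finally:
        fwd.close()
        echo.close()


if __name__ == "__main__":
    print(round_trip())                              # IPv4 client -> IPv4 service
    try:
        print(round_trip(target_v6=True))            # IPv4 client -> IPv6 service
    except OSError as exc:
        print("IPv6 loopback not usable here:", exc)
```

    The half-close handling is the part people get wrong in relays like this: shutting down only the write side when one peer sends EOF lets the other direction drain instead of cutting the reply off.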

    Squid

    You could replace squid with any other sort of proxy server that can work as a reverse proxy and understands IPv6.  In the deployments I’ve heard of, IPv4-only webservers are front-ended with a dual-stack IPv4/IPv6 squid (or other) reverse proxy server, or a set of them.  It is a really simple way of getting your webserver onto IPv6 if you cannot do it in the webserver itself.  The usual advantages and disadvantages of using a reverse proxy apply here.  The better long-term solution is to have the servers just run IPv6 natively, but this is a reasonable stop-gap.

    Tayga

    This program implements NAT64 as a stateless 1:1 address translation.  It can work both ways, so IPv6 clients can connect to IPv4 servers and vice-versa.  You would normally use this for your own hosts rather than for connecting to the Internet, as you need to specify the prefixes. It works like the old-style static NAT ranges in IPv4, where 1.1.1.10-100 would map to 2.2.2.10-100.

    tnat64

    Now this package is a little back-to-front compared to the others, in that it takes an existing IPv4-only application and makes it able to connect, at least at the socket level, to an IPv6 server.  It works by preloading a library which overrides socket functions such as socket() and connect(), so it can attempt to find IPv6 servers.

    totd

    This is a small DNS proxy which can be used to translate IPv4 A records into IPv6 AAAA records.  You would often use it with translation technologies like Tayga.

    That’s a brief overview of the various packages out there that can help with address translation, to either get your servers understanding IPv6 or get a client to an IPv6 server.  Ideally these are only temporary measures, but given some of the ways people write programs (the latest I’ve seen has a weird hard-coded tree table with 4-byte offsets and a 256-entry list inside – good luck fixing that!) they may be “temporary” for some time.
