Tudor is a techie turned manager who fights like mad to keep his tech skills honed and relevant. Everything from web hosting, networking, *nix and the like. Constantly developing and co-ordinating with others to make the web a better (and easier to use) place.
Friday, 3rd Dec 2010 Posted @ 20:07
So I have a need to do some low impact load balancing for some internal project work and also needed to test a reverse proxy for our portal.
First up was choice of hardware I had available (from our test lab) - either a decent spec Dell server (ranging from 1750s to R200s) or some older hardware. I went for some older kit as none of this is for production but for proof of concept.
So I dug out a SPARCengine Ultra AXe I had knocking around (UltraSPARC IIi 300MHz) and a Sun Ultra 5 (UltraSPARC IIi 360MHz). Each is equipped with a PCI Quad Fast Ethernet card.
The AXe already had OpenBSD 4.4 installed. So I downloaded the 4.8 bsd.rd, booted into it and did the install. The install went sweetly but when it rebooted I got MMU and other errors. So I connected up a CDROM to install FreeBSD and then it was happy. Must have been a dodgy connection somewhere.
The Ultra 5 was bought as part of a joblot some months back (couple of switches, Ultra 5, Foundry ServerIron XL, Nokia IP530 and some other bits for £35) and was running Solaris 7 and Checkpoint FW-1. This was quickly blasted by installing FreeBSD 8.1.
Both are now running sweetly and I have them compiling various ports so they are more useful.
Once I've done my testing with them, one will become a load balancer for my web servers and the other will become an SSH jump point for remote administration should one of the firewalls go wonky.
Speaking of firewalls, I currently have an IPCop firewall protecting all my gear but also have a Cisco PIX-515 and also a pfSense box (running on a Watchguard Firebox X750e). I might try building a multi-layer firewall setup with web servers, sql server and a SAN protected at different levels. Could be fun :)
Monday, 1st Nov 2010 Posted @ 16:29
As an avid horror fan, Halloween is a great time of the year. It is also my g/f's favourite "holiday" as she is goth through and through (if you cut her in half it would probably say "GOTH" in rings through her like seaside rock!).
The problem seems to be with the kids.
On Saturday, we went to a local council funded event in a local park. There was music, street dancing displays (cue multiple plays of Thriller and the like), bouncy castle, scary tents, fire eater and fire jugglers, a games tent and a firework display. All for free. Which was good.
Although they wanted £2 for 10 minutes on the bouncy castle (which I paid but choked back insults at the same time).
My youngest was dressed as a Mummy and the other as a witch. Both are small in stature, so most of the displays in front of the bandstand were lost on them as they could only see them if we stood on the hill and then everything was too far away. I could likely have done better in a large garage. All in all - it was a bit shit (apart from the fireworks - IMHO) but it being free made it better.
But the kids loved it! Whenever we organise something truly brilliant that has cost a fortune, they display a deep seated sense of ennui about the whole situation. Give them something completely worthless and wholly shite - they love it!
Maybe it's all to do with being a kid and that vivid imagination that can make the worst things seem interesting or exciting. Or maybe it's just me being excited about entirely the wrong things...
Wednesday, 13th Oct 2010 Posted @ 15:30
Dear Ms M****
Reference: R**** D***** and The Librarian's Error (not a real book)
Please find enclosed the book “The Blair Witch Files – The Witches Daughter” which I removed from my daughter’s possession a couple of weeks ago and am now returning to you.
The book in question has printed upon it: “not suitable for readers under 12 years old” and my daughter, R****, is only 11 (although she would likely protest her maturity should she be questioned!)
I suspect this book's unsuitability for those under the age of 12 is not due to its literary content being at a level that would flummox one so young, but rather that its, quite frankly, badly written content is not of a suitable nature for someone with an impressionable mind (presuming society's view that those under 12 are classed as such).
If you could resolve this situation for me and put my mind at ease that such oversights will not re-occur, I would be most pleased. If R**** has incurred any library charges due to the tardiness of my action on this matter, I would hope that they too would be waived.
Yours expectantly
Monday, 11th Oct 2010 Posted @ 12:35
I love SSH. I use PuTTY a lot and set up SSH tunnels inside it to do a whole raft of work.
Recently, I installed sshfs (part of the FUSE development) to allow one of my servers to mount a drive from another server in complete security. And it's fast - normal transfers between the machines see about 11MB/s and with the SSH overhead it still gets over 10MB/s.
I then started thinking about the same facility from my Windows desktop - and then I found it - Dokan.
Install the library, install dokan-sshfs and the updated files (mentioned on the page) and there you go. Put in your auth details, the drive letter you want to see it as and the mount point on the host and it's done. Secure, fast and brilliant!
Tuesday, 5th Oct 2010 Posted @ 08:56
Am reproducing this here in case the original page ever goes missing.
The reason: a customer wants to have a backup MX, and hosting it in our environment is useless if the datacentre or the provider's core goes down. The answer - do it somewhere else entirely (maybe even on a VPS!)
How-To configure a Backup MX Server with RHEL
This post will explain how to configure a backup MX server that queues mail for two (or more) domains if the primary mail server of those domains becomes unreachable.
I’ve tested this configuration for relaying mail to Microsoft Exchange, Postfix, QMail, Sendmail, Lotus Domino, Merak and other less common mail servers without any kind of problem.
You can use Red Hat Enterprise Linux (RHEL) or CentOS without changing a line of the following configuration, and with small adjustments you can use this how-to on any Linux distribution.
I’ve used Postfix as the mail server, because for me it’s the best, and Amavisd-New, Clamd and SpamAssassin for checking relayed mail for viruses and spam.
This post assumes you are queuing mail for two domains, “yourdomain.com” and “yourdomain.net”.
It assumes that you have a primary mail server (MX with preference 10) for “yourdomain.com” with IP 111.111.111.111 and a primary mail server (MX with preference 10) for “yourdomain.net” with IP 111.222.222.222, and that you want to use a server with IP 222.222.222.222 to queue mail for both domains.
According to the assumptions above, your DNS must be configured as follows:
root@linux:~# dig MX yourdomain.com @your.dns.server
yourdomain.com. 86400 IN MX 10 mail.yourdomain.com.
yourdomain.com. 86400 IN MX 20 mx2.yourdomain.com.
mail.yourdomain.com. 86400 IN A 111.111.111.111
mx2.yourdomain.com. 86400 IN A 222.222.222.222
root@linux:~# dig MX yourdomain.net @your.dns.server
yourdomain.net. 86400 IN MX 10 mail.yourdomain.net.
yourdomain.net. 86400 IN MX 20 mx2.yourdomain.com.
mail.yourdomain.net. 86400 IN A 111.222.222.222
mx2.yourdomain.com. 86400 IN A 222.222.222.222
The backup MX host must accept and queue mail if the primary mail host for a domain is down. For a high degree of availability the backup MX host must be located outside the domain it backs up. You can set up the backup MX host as a primary or secondary MX for a remote site, but in this example the primary and backup MX are on different networks for both domains.
Install the RPMforge repository package:
rpm -Uhv http://apt.sw.be/redhat/el5/en/i386/rpmforge/RPMS/rpmforge-release-0.3.6-1.el5.rf.i386.rpm
See http://dag.wieers.com for details about the package and the repository. If the installation gave you no problems, you can update your system from the YUM repositories by running:
yum update -y
Running the above command will completely update your system. Then install the mail packages:
yum install -y postfix spamassassin clamd clamav-db amavisd-new
By default RHEL (and CentOS) use sendmail as the MTA. I’ve just said that for me Postfix is the best, so run alternatives to choose it:
alternatives --config mta
and choose postfix (usually you must type “2”). Then remove sendmail:
yum remove -y sendmail
The following is the Postfix configuration on mx2.yourdomain.com.
/etc/postfix/main.cf:
myhostname = mx2.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8 222.222.222.222/255.255.255.255
inet_interfaces = all
relay_domains = yourdomain.com, yourdomain.net
mydestination = $myhostname, localhost.$mydomain
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
relay_recipient_maps =
message_size_limit = 0
mailbox_size_limit = 0
maximal_queue_lifetime = 5d
There’s one important thing I have to add: you must NOT list yourdomain.com and/or yourdomain.net in the following parameters in /etc/postfix/main.cf:
* mydestination
* virtual_alias_domains
* virtual_mailbox_domains
Take care of spam! Add the content filter to /etc/postfix/main.cf:
#AMAVIS-D NEW
content_filter=amavisfeed:[127.0.0.1]:10024
/etc/postfix/master.cf:
# AMAVISD-NEW
amavisfeed unix - - n - 2 smtp
  -o smtp_data_done_timeout=1200
  -o smtp_send_xforward_command=yes
  -o smtp_tls_note_starttls_offer=no
127.0.0.1:10025 inet n - n - - smtpd
  -o content_filter=
  -o smtpd_delay_reject=no
  -o smtpd_client_restrictions=permit_mynetworks,reject
  -o smtpd_helo_restrictions=
  -o smtpd_sender_restrictions=
  -o smtpd_recipient_restrictions=permit_mynetworks,reject
  -o smtpd_data_restrictions=reject_unauth_pipelining
  -o smtpd_end_of_data_restrictions=
  -o smtpd_restriction_classes=
  -o mynetworks=127.0.0.0/8
  -o smtpd_error_sleep_time=0
  -o smtpd_soft_error_limit=1001
  -o smtpd_hard_error_limit=1000
  -o smtpd_client_connection_count_limit=0
  -o smtpd_client_connection_rate_limit=0
  -o receive_override_options=no_header_body_checks,no_unknown_recipient_checks,no_milters
  -o local_header_rewrite_clients=
  -o smtpd_milters=
  -o local_recipient_maps=
  -o relay_recipient_maps=
Then you must configure Amavisd-new according to your anti-spam policy.
Enable the services at boot and restart them in the following order:
chkconfig postfix on
chkconfig amavisd on
chkconfig clamd on
chkconfig spamassassin on
service spamassassin restart
service clamd restart
service amavisd restart
service postfix restart
Reboot your server to check that all services work correctly, and try to send some mail to yourdomain.com and yourdomain.net using your brand new server as relay to see that mail transport works fine.
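As an added check (my code, not part of the reproduced how-to), the script below parses a main.cf and verifies the backup-MX invariants the text states: the relayed domains are not listed in mydestination, virtual_alias_domains or virtual_mailbox_domains, and smtpd_recipient_restrictions still contains reject_unauth_destination. It also flags the empty relay_recipient_maps the how-to uses, since Postfix then accepts mail for any address in the relayed domains and bounces unknown recipients afterwards. The sample main.cf is the one above, embedded as a constructed string.

```python
import re

# Constructed sample: the main.cf from the how-to above, as one string.
SAMPLE_MAIN_CF = """\
myhostname = mx2.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
mynetworks = 127.0.0.0/8 222.222.222.222/255.255.255.255
relay_domains = yourdomain.com, yourdomain.net
mydestination = $myhostname, localhost.$mydomain
smtpd_recipient_restrictions = permit_mynetworks,reject_unauth_destination
relay_recipient_maps =
maximal_queue_lifetime = 5d
"""


def parse_main_cf(text):
    """Read 'name = value' lines into a dict and expand $name / ${name}
    references (one pass covers the short chains used in a backup MX)."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        params[name.strip()] = value.strip()

    def expand(v):
        return re.sub(r"\$\{?(\w+)\}?", lambda m: params.get(m.group(1), ""), v)
    return {k: expand(v) for k, v in params.items()}


def split_list(value):
    """Postfix list parameters are separated by commas and/or whitespace."""
    return [item for item in re.split(r"[,\s]+", value) if item]


def audit_backup_mx(params):
    """Return findings for a relay-only (backup MX) Postfix; [] means clean."""
    findings = []
    relayed = set(split_list(params.get("relay_domains", "")))
    # A relayed domain that is also local is delivered here, not queued for the primary.
    for local in ("mydestination", "virtual_alias_domains", "virtual_mailbox_domains"):
        overlap = relayed & set(split_list(params.get(local, "")))
        if overlap:
            findings.append(f"{local} lists relayed domain(s) {sorted(overlap)}")
    # Without reject_unauth_destination the host relays for anyone (open relay).
    if "reject_unauth_destination" not in split_list(params.get("smtpd_recipient_restrictions", "")):
        findings.append("smtpd_recipient_restrictions lacks reject_unauth_destination (open relay)")
    # Empty relay_recipient_maps: any recipient in the relayed domains is accepted,
    # and unknown ones are bounced only after queuing (backscatter).
    if not params.get("relay_recipient_maps"):
        findings.append("relay_recipient_maps is empty: unknown recipients are accepted and bounced later")
    return findings
```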
Thursday, 23rd Sep 2010 Posted @ 14:59
10th July - ordered a change of circuit from Virgin Media Business. Site has a 2mb SDSL IPVPN circuit. This needed converting to a 2mb SDSL Managed Internet circuit. This entails:
1 - router being sent to site
2 - engineer arriving at site and configuring router
3 - remote engineer changing the router config and also any VRF config on the RADIUS server supporting the LAC to which the SDSL circuit was connected
12th July - received email from VM acknowledging my order and advising a delivery date of 18th October (35 working days)
12th July - I advised VM that it was a conversion of an existing circuit. I also completed and returned the IP address request form that had been sent to me with the order acknowledgment email.
12th July - received email from VM advising that the installation date was now 18th August
15th July - advised that circuit would be delivered on 30th September due to civils and cabling work needed.
15th July - I advised VM that it was an existing SDSL circuit and therefore didn't need any civils or cabling work...
15th July - advised that the planner would "shortly be contacting me"
17th July - I advised VM of the existing circuit details to assist them and get it progressed as quickly as possible
23rd July - was advised that the order has been passed to their planning dept
6th August - was advised that the planner was now on leave and wouldn't be back till 23rd August.
13th August - I was advised that the order was still in planning
18th August - was advised that they were still waiting for the planning to be completed
7th September - was advised that planning was now completed! The order owner was now going to complete the delivery plan and arrange installation dates.
16th September - was advised that the order owner needed to do some off-net planning.
22nd September - was advised that the order owner needed existing circuit details and IP information.
Oh, did I mention that I was meant to get an update on all my outstanding orders once a week, every week?
I could write paragraphs about how I called my contacts in Virgin Media Business to get an update and the calls were either never answered or never dropped to voicemail.
And further paragraphs about the number of chasing emails I sent to get updates.
And then today being told that they needed information I had sent a week after the initial contact and blaming their sales team for not providing it!
I sent them an email earlier today which included the line:
"EPIC FAIL by VM yet again!"
Monday, 13th Sep 2010 Posted @ 14:16
Am currently investigating setting up as a whitelabelled broadband ISP and all that it involves. Mainly it means having an LNS, RADIUS servers and BGP routers.
Normally, I would buy some Cisco gear and hey presto, it's all done. But the drawback is - price! The level of kit needed to run that kind of setup is quite high and the price is astronomical. We can't afford to do it that way, so we are looking at ways of doing it well but cheaply and, as we expand, upgrading to bigger and better solutions.
Right now, the idea is this:
2x VMWare ESXi boxes each running:
1x Linux VM doing RADIUS
1x Linux VM doing l2tpd (as LNS)
1x Linux/FreeBSD VM doing Quagga (BGP routing)
The first 2 VMs (RADIUS and L2TP) will run VRRP between the two boxes, so each VM pair will appear as 1 machine. This doesn't give load balancing but does give high availability, which is far more important.
The third VMs will operate as BGP routers in their own right but, using keepalived, will appear as a single IP for both inbound and outbound traffic.
The cost of a couple of decent spec servers and ESXi? Much less than buying 4 Cisco boxes and 2 servers for RADIUS to do the same job...
In other news, I won an auction for some studio gear. I already have 3 small rack mount PCs and now have some outboard effect units (at a bargain price):
Behringer Composer MDX2100
Behringer Ultrafex EX3000
Behringer Denoiser SNR202
The only thing I need now is a Behringer Ultravoice and a minidisc player and I have everything a DJ, Club, Pub or Mobile Studio would ever need! And a laser :)
Tuesday, 7th Sep 2010 Posted @ 11:33
So I grabbed a bargain of a 500GB 2.5" hard drive from Amazon (less than £40). Only drawback: it has a gold case with a Michael Jackson logo on it!
Wednesday, 11th Aug 2010 Posted @ 09:46
So I had my 39th birthday yesterday and scored a fairly decent haul of pressies:
2TB USB Drive
Novelty Toilet Mug
The Millennium Trilogy books by Stieg Larsson
Charlie Brooker - Dawn of the Dumb book
a Jumbo Pen (about 15")
a Pizza Cutter and Bottle Opener (red with googly eyes)
A Whisk (a metal hand whisk to replace the plastic one I was bought last year that broke in about 5 mins)
2 T-shirts
2 Hooded Shirts
Recycled PCB Fridge Magnet
Recycled PCB Book Mark
Some sweets and chocolate
a Robot shaped bath bomb
an "I <3 my daddy" coaster
plus there is more to come from other friends and extended/adopted family. YAY!
Wednesday, 28th Jul 2010 Posted @ 12:43
Was having a random problem with a customer network that I tried to resolve by playing around with one of our test hosting setups (as I could run debugs faster, etc) and then spotted something odd.
The address reported as the source when sending traffic out from my servers was different from the address I use to contact them from the outside. I eventually tracked this down to IPCop using MASQUERADE, which meant all outgoing traffic was hidden behind a single address (not what you need when you need reverse DNS to match, etc). What I needed was source NAT, or SNAT as it's known.
Edit /etc/rc.d/rc.firewall
Find the following:
# Outgoing masquerading DISABLED
/sbin/iptables -t nat -A REDNAT -o $IFACE -j MASQUERADE
(This section hides all traffic behind the first address on the RED interface.)
# Machines on GREEN
# web server
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source x.x.x.2
# mail server
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.3 -j SNAT --to-source x.x.x.3
# All other machines on GREEN
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source x.x.x.1
I saved that and then rebooted. All tested and working.