— pissing into the wind

… My dad changed ISPs and took the SSG5 I gave him offline.  I had to disable the VPN on my side because it was spamming the logs.  If I ever need to re-enable it, all I need to do is bind it to tunnel.1 and re-enable monitor, optimized, and rekey.


So that servers get only one IPv6 address, turn off router discovery and stateful address configuration on the interface:

C:\Users\administrator.GUAMMIE>netsh int ipv6 sh int

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          50  4294967295  connected     Loopback Pseudo-Interface 1
10          50        1280  disconnected  isatap.{1C882B80-03D8-4F3C-B703-6A1DC1768F6B}
11          50        1280  disconnected  Teredo Tunneling Pseudo-Interface
14           5        1500  connected     Local Area Connection 4

C:\Users\administrator.GUAMMIE>netsh int ipv6 sh int 14

Interface Local Area Connection 4 Parameters
----------------------------------------------
IfLuid                             : ethernet_9
IfIndex                            : 14
State                              : connected
Metric                             : 5
Link MTU                           : 1500 bytes
Reachable Time                     : 27000 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 1
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : disabled
Managed Address Configuration      : disabled
Other Stateful Configuration       : disabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

netsh interface ipv6 set interface 14 forwarding=disabled routerdiscovery=disabled managedaddress=disabled


I’m currently working on a wireless deployment with a requirement to use MAC filtering.  There are over 600 laptops being deployed, each to its own location.  Part of the imaging process does an ipconfig and dumps the output to a text file, which I can then use to copy/paste the hostname and MAC into the Cisco 8510 wireless controller.  I’m lazy, so I made a bash script to parse the ipconfig text files. I wish I knew how to do this in Windows, but I work with what I’ve got. The script takes this input from a text file:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : GU0123LT01
   Primary Dns Suffix  . . . . . . . : guammie.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : guammie.com

Wireless LAN adapter Wireless Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Ralink RT5390R 802.11b/g/n 1×1 Wi-Fi Adapter
   Physical Address. . . . . . . . . : B8-76-3F-25-34-4D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : B4-B5-2F-8D-BF-2B
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.1.0.10(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.1.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.53
   NetBIOS over Tcpip. . . . . . . . : Enabled

And generates this command line that I can just copy/paste into the controller:

config macfilter add B8:76:3F:25:34:4D 18 guunit-clients "unit 0123 laptop"

Here’s the script.  It’s not the cleanest, but it works:

#!/bin/bash
FILES=/home/donovan/macs/*.txt
for f in $FILES
do
  # take action on each file; $f holds the current file name
  # grab the "Host Name" line, keep its last word (e.g. GU0123LT01), then take characters 3-6 (the unit number)
  hostname="$(awk '/Host Name/ {c=1}c-->0' "$f" | sed -n '/\<Host Name\>/ s/.*[[:space:]]\([[:alnum:]]\+\)$/\1/p' | awk '{print substr($0,3,4)}')"
  # print the line after the wireless adapter's Description (its Physical Address), keep the MAC, and swap - for :
  mac="$(awk '/Ralink RT5390R/ {c=1;next}c-->0' "$f" | awk -F 'Physical Address. . . . . . . . . : ' '{print $2}' | sed 's/\-/\:/g')"

echo "config macfilter add $mac 18 guunit-clients \"unit $hostname laptop\""

done

That’s it.
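As an added example (not the original script, and not anything shipped with the controller), here is a stricter take on the same parse. It strips Windows CR line endings before parsing, so a file copied straight from Windows does not leave a stray carriage return in the fields; it only takes the Physical Address from inside the block of the adapter whose Description matches, so a second adapter cannot be picked up by accident; and it refuses to print anything unless the hostname and MAC pass a sanity check, since the output is pasted straight into the controller. The adapter string, the WLAN name guunit-clients, interface id 18 and the GU<unit>LT<nn> hostname layout are taken from the post; the function names and the sample file are mine.

```shell
#!/bin/sh
# Added example, not the post's script: a stricter ipconfig-to-macfilter parser.

# make_macfilter FILE ADAPTER-DESCRIPTION
# Prints the WLC "config macfilter add" line for the laptop described in FILE,
# or prints nothing and returns 1 when a field is missing or malformed.
make_macfilter() {
    file=$1
    adapter=$2
    # awk state machine: remember the hostname, then capture the Physical
    # Address only while inside the matching adapter's block. Adapter headers
    # start in column 0 and their parameter lines are indented, so any
    # non-indented line ends the block.
    fields=$(tr -d '\r' < "$file" | awk -v want="$adapter" '
        /Host Name/ { host = $NF }
        /Description/ && index($0, want) { in_block = 1; next }
        /^[^ ]/ { in_block = 0 }
        in_block && /Physical Address/ { mac = $NF }
        END { print host, mac }')
    host=${fields%% *}
    mac=${fields#* }
    # Windows prints B8-76-3F-...; the controller wants B8:76:3F:...
    mac=$(printf '%s' "$mac" | tr '-' ':')
    # Validate before emitting a command someone will paste into a controller.
    printf '%s' "$host" | grep -Eq '^GU[0-9]{4}LT[0-9]{2}$' || return 1
    printf '%s' "$mac"  | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' || return 1
    unit=$(printf '%s' "$host" | cut -c3-6)    # GU0123LT01 -> 0123
    printf 'config macfilter add %s 18 guunit-clients "unit %s laptop"\n' "$mac" "$unit"
}

# write_sample FILE
# Constructed, abridged "ipconfig /all" output with CRLF endings, as a file
# copied from Windows would have. Sample data only; not a real machine.
write_sample() {
    printf '%s\r\n' \
        'Windows IP Configuration' \
        '' \
        '   Host Name . . . . . . . . . . . . : GU0123LT01' \
        '   Primary Dns Suffix  . . . . . . . : guammie.com' \
        '' \
        'Wireless LAN adapter Wireless Network Connection:' \
        '' \
        '   Description . . . . . . . . . . . : Ralink RT5390R 802.11b/g/n 1x1 Wi-Fi Adapter' \
        '   Physical Address. . . . . . . . . : B8-76-3F-25-34-4D' \
        '' \
        'Ethernet adapter Local Area Connection:' \
        '' \
        '   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller' \
        '   Physical Address. . . . . . . . . : B4-B5-2F-8D-BF-2B' \
        > "$1"
}

# Stand-alone run against the constructed sample.
sample=$(mktemp)
write_sample "$sample"
make_macfilter "$sample" 'Ralink RT5390R'
# -> config macfilter add B8:76:3F:25:34:4D 18 guunit-clients "unit 0123 laptop"
rm -f "$sample"
```

Run it over a directory the same way as the original (a for loop over *.txt); a file that fails validation simply produces no line and a non-zero status, which is what you want in a batch of 600 rather than a half-formed command in the middle of the paste buffer.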


1)  Get the latest PBIS Open Edition from BeyondTrust (formerly Likewise): http://download1.beyondtrust.com/Technical-Support/Downloads/PowerBroker-Identity-Services-Open-Edition/?Pass=True

2)  chmod 755 the file, execute it, then install it.

chmod 755 pbis-open-7.1.0.1203.linux.x86_64.deb.sh

./pbis-open-7.1.0.1203.linux.x86_64.deb.sh

cd pbis-open-7.1.0.1203.linux.x86_64.deb

./install.sh

3)  Join the domain

sudo domainjoin-cli join guammie.com administrator

4)  Add domain group to sudoers

sudo visudo

%GUAMMIE\\domain^admins ALL=(ALL) ALL

5)  Make domain logins use Bash (or whatever shell you want), refresh lsass, and clear the AD cache

sudo /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\ActiveDirectory]' LoginShellTemplate /bin/bash
sudo /opt/likewise/bin/lwregshell set_value '[HKEY_THIS_MACHINE\Services\lsass\Parameters\Providers\Local]' LoginShellTemplate /bin/bash
sudo /opt/likewise/bin/lwsm refresh lsass
sudo /opt/likewise/bin/lw-ad-cache --delete-all

That’s it.


I’ve watched a few episodes of Hell’s Kitchen in my day and one thing that always got to me was how those poor schmucks just let Gordon Ramsay rail into them.  I always thought, “Have some goddamned respect for yourselves, people!”  Then I got this job.  Since turning 16, I can’t recall the last time someone I know yelled at me in sheer anger.  But it seems to keep happening here.  Crisis after fucking crisis.  So I’ve decided to have some goddamn respect for myself and am convinced that no retirement package (that I can get anyway, since I don’t go for C-level positions) is worth the level of stress and humiliation I’m getting here.  So off I go and back to the space in between.


My wife is due April 13!  It’s a girl and I’m excited.  I’ll post more later.  I’m really just making sure I’ve set up my blog client correctly on my new badass (I’m going to reread this post in 3 years and laugh at these specs) Core i7 3770K, 16GB desktop!  No Windows 8 though.  I tried it and it’s not for me.  I didn’t realize how much I use the Start menu until it was gone.  I suppose I could just learn more keyboard shortcuts… w/e.


I always forget this when I need it most, and there are 10000 entries on Google with the wrong info. To add a DNS server on Ubuntu Server, edit the following file as you would a resolv.conf file: /etc/resolvconf/resolv.conf.d/base. Any entries manually added to /etc/resolv.conf get erased when networking is restarted.


I don’t know why, but I’ve been thinking about putting a proxy on my home network. Actually I do know why. It was because I tried to replace my SSG5 with a stupid ASA 5505 and wanted the web filter and inline AV scanning capability back. So I began building out a Squid server to use. The topology I had in mind would look like this:

Drawing1

Using WCCP or policy-based routing, I would send HTTP traffic from clients in the Trust/inside zone to the proxy server in the DMZ zone and do any content filtering and AV scanning on that box. Before I go any further, let me say that this project pushed me over the edge to ripping out that damn ASA. I’ve been trying to like the ASA platform for a couple of months, but things that just worked on ScreenOS are either impossible or make me feel like I’m doing something dirty when I implement them. On the ASAs, you can’t use WCCP to point to a proxy in another zone. That means the Squid box would have to reside in the Trust/inside zone. This is fine at home, but not in a business, so there’d be no point in implementing it this way, as I’ll never use it anywhere else. Ok… so let’s use the old PBR way… read documentation… what’s this?  Policy-based routing is not supported on the ASA platform? Bleh. I ripped out the ASA and put the SSG back in. Now I have OSPF routing over the hostname-based VPN (yes, it works with dynamic addresses) again as well. I also have the content filtering and inline AV scanning back. So why am I doing this again? I figure I may as well just get the transparent proxy going for kicks.

Here are the steps to get Squid 3.1.19 working on a CentOS 6.2 VM on ESXi 4.1 (build 582267) using a minimal install. I’m going to assume you’ve done no configuration during the install and installed no other packages. This is all command line.

Ubuntu has another LTS release coming out in a couple of months, so I didn’t want to use the old 10.04 release. I’ve been thinking about CentOS lately just to stay familiar with RHEL/CentOS, since a lot of businesses use it. Lucky for me, CentOS did a 6.2 release back in December 2011. I pulled down the ISOs and did the install.

1. Get network connectivity

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Do the following to your config file:

ONBOOT="yes"           # change to yes
BOOTPROTO=none         # change to dhcp and stop here if dynamic; else add the rest
IPADDR=192.168.1.10    # add
PREFIX=24              # add
GATEWAY=192.168.1.1    # add
DNS1=208.67.222.222    # add
DNS2=208.67.220.220    # add
DOMAIN=guammie.com     # add
DEFROUTE=yes           # add

Save the file, then run: service network restart

2. Update the system

yum update

Install whatever comes up and reboot

3. Install all the packages (and their dependencies) we’ll need for this project and some other useful things not included in the base install

yum install gcc perl vim-enhanced mlocate wget make gcc-c++ libstdc++-devel cyrus-sasl-devel libcap-devel openssl-devel openssl-static openldap-devel pam-devel db4-devel db4-cxx ntp ntpdate

4. Install VMware Tools

Run the tools install in the vSphere client

mkdir /media/dvd
mount /dev/dvd /media/dvd
tar -xzf /media/dvd/VMwareTools-8.3.12-559003.tar.gz -C /root/
perl /root/vmware-tools-distrib/vmware-install.pl

Run through the installer (pretty much hit return a bunch of times). After the installer finishes:

umount /media/dvd
vim /etc/init.d/vmware-tools

Add the chkconfig line so that the first 3 lines of the file look like this, then save:

#!/bin/sh
#
# chkconfig: 345 97 13

chkconfig vmware-tools on

5. Install Squid from repository

I do this because I’m a lazy bastard. Installing from repository creates everything you need (users, startup scripts, etc) with a single command.

yum install squid

6. Upgrade Squid from source

So now you’ve got Squid 3.1.10 installed (as of 20120215). Latest version right now is 3.1.19. Let’s upgrade!

squid -v

Note those build options. We’re going to use most of them.

wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.19.tar.gz
tar -xzf squid-3.1.19.tar.gz

cd squid-3.1.19

./configure --build=x86_64-redhat-linux-gnu --host=x86_64-redhat-linux-gnu --target=x86_64-redhat-linux-gnu --program-prefix= --prefix=/usr --exec-prefix=/usr --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64 --libexecdir=/usr/libexec --sharedstatedir=/var/lib --mandir=/usr/share/man --infodir=/usr/share/info --exec_prefix=/usr --libexecdir=/usr/lib64/squid --localstatedir=/var --datadir=/usr/share/squid --sysconfdir=/etc/squid --with-logdir=/var/log/squid --with-pidfile=/var/run/squid.pid --disable-dependency-tracking --enable-arp-acl --enable-follow-x-forwarded-for --enable-auth=basic,digest,ntlm,negotiate --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth --enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth --enable-digest-auth-helpers=password,ldap,eDirectory --enable-negotiate-auth-helpers=squid_kerb_auth --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group --enable-cache-digests --enable-cachemgr-hostname=localhost --enable-delay-pools --enable-epoll --enable-icap-client --enable-ident-lookups --enable-linux-netfilter --enable-referer-log --enable-removal-policies=heap,lru --enable-snmp --enable-ssl --enable-storeio=aufs,diskd,ufs --enable-useragent-log --enable-wccpv2 --enable-esi --with-aio --with-default-user=squid --with-filedescriptors=16384 --with-dl --with-openssl --with-pthreads build_alias=x86_64-redhat-linux-gnu host_alias=x86_64-redhat-linux-gnu target_alias=x86_64-redhat-linux-gnu CFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie -fpic' LDFLAGS='-fPIC -pie -z relro -z now -fstack-protector' CXXFLAGS='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' --with-squid=/builddir/build/BUILD/squid-3.1.19

make && make install

chkconfig squid on

7. Now we need to adjust IPTables

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
iptables -I INPUT 4 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -p udp --dport 3401 -j ACCEPT
service iptables save

The first rule does the transparent redirection of port 80 traffic to Squid. The second is necessary just to be able to connect to the proxy port at all. The third is for SNMP, if you plan on monitoring Squid itself.

8. Edit /etc/squid/squid.conf

Here’s mine. I’ve done things like set up the HTTP intercept, added SNMP support, and some other stuff about caching Windows Updates. Other than that it’s somewhat stock.

vim /etc/squid/squid.conf

acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1

# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
# should be allowed
acl localnet src 10.0.0.0/8    # RFC1918 possible internal network
acl localnet src 172.16.0.0/12    # RFC1918 possible internal network
acl localnet src 192.168.0.0/16    # RFC1918 possible internal network
acl localnet src fc00::/7       # RFC 4193 local private network range
acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines

acl SSL_ports port 443
acl Safe_ports port 80        # http
acl Safe_ports port 21        # ftp
acl Safe_ports port 443        # https
acl Safe_ports port 70        # gopher
acl Safe_ports port 210        # wais
acl Safe_ports port 1025-65535    # unregistered ports
acl Safe_ports port 280        # http-mgmt
acl Safe_ports port 488        # gss-http
acl Safe_ports port 591        # filemaker
acl Safe_ports port 777        # multiling http
acl CONNECT method CONNECT

acl monitor src 192.168.0.10/32
acl snmp snmp_community guammie

visible_hostname squid.guammie.com

#
# Recommended minimum Access Permission configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager

# Deny requests to certain unsafe ports
http_access deny !Safe_ports

# Deny CONNECT to other than secure SSL ports
http_access deny CONNECT !SSL_ports

# We strongly recommend the following be uncommented to protect innocent
# web applications running on the proxy server who think the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# Example rule allowing access from your local networks.
# Adapt localnet in the ACL section to list your (internal) IP networks
# from where browsing should be allowed
http_access allow localnet
http_access allow localhost
snmp_access allow snmp monitor
snmp_access deny all

# And finally deny all other access to this proxy
http_access deny all

# Pull entire files from the start when a range is requested; for Windows Updates
range_offset_limit -1

# Google what this does.  I’m too lazy to type it all out, but has to do with Windows Updates
quick_abort_min -1

# This removes proxy info from UserAgent
#via off

# Uncomment request_header and then one of the following header_replace lines to present either IE or Firefox
#request_header_access User-Agent deny all
#header_replace User-Agent Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; OfficeLiveConnector.1.4; OfficeLivePatch.1.3)
#header_replace User-Agent Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10

# Squid normally listens to port 3128
http_port 3128 intercept

# SNMP port; 3401 is the official port
snmp_port 3401

# We recommend you to use at least the following line.
hierarchy_stoplist cgi-bin ?

# Store large objects
maximum_object_size 200 MB

# Uncomment and adjust the following to add a disk cache directory.
cache_dir ufs /var/spool/squid 4096 16 256

# Leave coredumps in the first cache dir
coredump_dir /var/spool/squid

refresh_pattern -i download.windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i download.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i update.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i windowsupdate.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i ntservicepack.microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i wustat.windows.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims
refresh_pattern -i microsoft.com/.*\.(cab|exe|ms[i|u|f]|asf|wm[v|a]|dat|zip) 4320 80% 43200 reload-into-ims


# Add any of your own refresh_pattern entries above these.
refresh_pattern ^ftp:        1440    20%    10080
refresh_pattern ^gopher:    1440    0%    1440
refresh_pattern -i (/cgi-bin/|\?) 0    0%    0
refresh_pattern .        0    20%    4320

9. Start Squid

service squid start

That’s it.
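Squid evaluates http_access and snmp_access lines top to bottom and stops at the first match, so the order of the lines in the config above is what actually enforces the policy. As an added example (not part of the post and not a Squid tool), here is a small POSIX shell audit that reads a squid.conf and flags the mistakes that ordering invites: no catch-all deny at the end, an allow placed after deny all where it can never match, one of the recommended minimum deny lines missing, and an snmp_port with no snmp_access deny all behind it. The two configs it builds are constructed for the run; the "good" one mirrors the order used above, and the "weak" one breaks it in two places.

```shell
#!/bin/sh
# Added example, not the post's config or a Squid utility: audit the access
# ordering of a squid.conf. Squid stops at the first matching access line and,
# when nothing matches, applies the opposite of the last line, so the final
# "deny all" and the absence of rules after it are what make the policy safe.

# audit_squid_conf FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_squid_conf() {
    conf=$1
    findings=0
    # Strip comments, blank lines and stray whitespace once; all checks read this.
    rules=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/ $//' -e 's/^ //' \
                -e '/^$/d' "$conf")

    # 1. The final http_access line must be the catch-all deny.
    last=$(printf '%s\n' "$rules" | awk '$1 == "http_access" { l = $0 } END { print l }')
    case "$last" in
        "http_access deny all") ;;
        *) echo "http_access does not end with 'deny all' (last: ${last:-none})"
           findings=$((findings + 1)) ;;
    esac

    # 2. Nothing may follow the catch-all deny; such rules can never match.
    dead=$(printf '%s\n' "$rules" | awk '
        $1 == "http_access" && seen_deny_all { print }
        $1 == "http_access" && $2 == "deny" && $3 == "all" { seen_deny_all = 1 }')
    [ -z "$dead" ] || { echo "unreachable rule(s) after 'http_access deny all': $dead"
                        findings=$((findings + 1)); }

    # 3. The "recommended minimum" denies from the stock config must be present.
    for want in 'http_access deny !Safe_ports' 'http_access deny CONNECT !SSL_ports' \
                'http_access deny manager'; do
        printf '%s\n' "$rules" | grep -qxF "$want" \
            || { echo "missing: $want"; findings=$((findings + 1)); }
    done

    # 4. If SNMP is enabled, the community must not be reachable by everyone.
    if printf '%s\n' "$rules" | grep -q '^snmp_port'; then
        printf '%s\n' "$rules" | grep -qx 'snmp_access deny all' \
            || { echo "snmp_port set but no 'snmp_access deny all'"; findings=$((findings + 1)); }
    fi
    return $findings
}

# write_conf FILE good|weak
# Constructed minimal configs: "good" keeps the post's ordering; "weak" drops
# the SNMP catch-all and appends an allow after "deny all".
write_conf() {
    cat > "$1" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 443
acl CONNECT method CONNECT
acl monitor src 192.168.0.10/32
acl snmp snmp_community guammie
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
snmp_access allow snmp monitor
snmp_access deny all
http_access deny all
http_port 3128 intercept
snmp_port 3401
EOF
    if [ "$2" = weak ]; then
        grep -v '^snmp_access deny all' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
        echo 'http_access allow all' >> "$1"
    fi
}

# Stand-alone run over both constructed configs.
for kind in good weak; do
    f=$(mktemp)
    write_conf "$f" "$kind"
    rc=0
    audit_squid_conf "$f" || rc=$?
    echo "$kind: $rc finding(s)"    # good: 0, weak: 3
    rm -f "$f"
done
```

Run it against /etc/squid/squid.conf before each "service squid reload"; a non-zero exit is a reason to look at the file again before the proxy starts answering for the whole LAN.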

References:

http://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect
http://wiki.squid-cache.org/Features/Snmp
http://support.microsoft.com/kb/885819
http://wiki.squid-cache.org/SquidFaq/WindowsUpdate
http://strotmann.de/roller/dnsworkshop/entry/compiler_options_for_creating_secure


This was supposed to be a year in review post, but I don’t feel like doing that right now.  I’m trying to make a job decision right now, and I’m a little lost.  The background is that I’m in a contract to hire position right now and we’re in the “to hire” phase of it all.  I was pretty excited to get to this point until I was given an offer by HR that amounted to a 28% salary reduction.  Even after factoring in the benefits package as a whole, the number is just ridiculous.  I let my manager know how I feel, but the number hasn’t moved. 

I’ve also expressed interest in a network engineer position (currently a Windows engineer).  So now I have a decision to make: 1) stay a contractor as a Windows engineer for however long they’ll let me (might just be 2 weeks for all I know) or 2) take the network engineer spot and keep looking.  All roads lead me to looking for a new job, though.  The big variable is how long I can stay a contractor.  I could say I’ll just stay a contractor and 2 weeks later they just force my hand.  Then I’ll just be looking for a new job at the lower rate anyway, but doing something I’d rather not be doing.

As Bill O’Reilly would say, “THIS FUCKING THING SUCKS!!”


I upgraded ASDM from 6.4(5)106 to 6.4(5)204 and the launcher broke.  Running it as a web app still worked though, so I figured it had to do with the way the shortcut was set up.  Here’s a comparison of the two:

106:

C:\Windows\SysWOW64\javaw.exe -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar com.cisco.launcher.Launcher

204:

"C:\Program Files (x86)\Cisco Systems\ASDM\asdm-launcher.jar" -Xms64m -Xmx512m -Dsun.swing.enableImprovedDragGesture=true -classpath lzma.jar;jploader.jar;asdm-launcher.jar;retroweaver-rt-2.0.jar

I changed the shortcut back to the old format and it worked.


I need to find a job where I can work from home occasionally and wear jeans and a t-shirt (polo at the most) when I do have to go into the office.  Oh and it can’t be Rackspace because fuck you.


I just bought a house, so expect to see more details about how I delve into home automation.  Here’s one of the first bits of improvement we’re doing though.

This is a patch of carpet in the master bath.  I don’t understand what carpet is doing in the middle of such a humid/wet room.  I think the original intent of the builder was to put a tub there, but the homeowner didn’t want one.

01_resize

Out with the old.

02_resize

My father-in-law and I ripping up the carpet.

03_resize

Originally we were just going to put regular tile in the middle and cut as needed.  Then the idea morphed into doing something with mosaic.  Then we thought to just get some rounded tile and put it in.  Then we came across this while at the tile store.

04_resize

Getting it all centered.

05_resize

Proof of concept.

06_resize

Bam.

07_resize

My father-in-law did about 90% of the work.  I’d come home from work and more and more would be done.

I do plan on taking care of the home automation on my own though.
