— pissing into the wind

Besides the fact that I positively believe that I am TERRIBLE in interviews, another thing I hate about the whole process is the waiting.

If you’ve gotten as far as an actual interview, I don’t think it’s unreasonable to expect a timely response letting you know whether or not you got the job, need to come in for another interview, or are no longer being considered.  I consider it extra if I’m given a reason, but I don’t expect one. 

I hate not ever getting a response despite multiple attempts to contact someone.  Rackspace, I am looking at you when I say this.


So I’m in the mood to upgrade my virtual server.  Right now it’s running a Phenom II quad-core with 8 GB of RAM.  There are two 320 GB disks in a RAID 1 using the onboard NVIDIA controller.

The disk configuration was a big deciding factor when I was trying to choose between Hyper-V R2 and ESXi 4.x.  Simply put, ESXi doesn’t recognize the controller as anything more than a standard SATA controller (the onboard “RAID” is really done by the host OS driver, so a hypervisor without that driver just sees two plain disks), so RAID and thus ESXi were a no-go.

Microsoft’s built-in management tools for Hyper-V never appealed to me.  I don’t feel like I can do enough to the host OS.  Plus, getting them to work in the first place is an ordeal in itself.  See http://blogs.technet.com/b/jhoward/archive/2008/03/28/part-1-hyper-v-remote-management-you-do-not-have-the-requested-permission-to-complete-this-task-contact-the-administrator-of-the-authorization-policy-for-the-computer-computername.aspx.  Now that everything is up and running, I don’t want to touch it lest I break anything.  I hate this kind of feeling with systems and replace them with something more manageable ASAP.

I’m not sure how well System Center works for managing multiple Hyper-V hosts in an enterprise, but vCenter works very well and it’s quite robust.  I feel like it is a very complete management solution for a virtual machine environment.  I digress though; this is just for home and only one machine.

Another thing that I don’t like is the lack of memory overcommit.  Hyper-V won’t let me provision more than 7 of the 8GB for the guest systems.  As I experiment and put in new systems, this is becoming a real hard limit and I’m pretty much stuck right now.

So, I’ve made the decision to do what it takes to get onto ESXi.  First thing I need to do is replace the RAID controller.  I picked up a Dell PERC 6/i WITH battery (score!) off of eBay for cheap.  Almost all of the controllers do NOT come with brackets, so I had to purchase one from Mouser Electronics.  My plan is to go with at least two 1 TB drives for the OS and at least two 2 TB drives for a file server, all at a minimum of RAID 1.  I might do something else if I can pick up more drives, but no RAID 0.  To get this going, I need a 32-pin (SFF-8484) to four-SATA cable.  One can be had from Dell or Amazon for about $20.

Once this is in, I’m going to have to P2V all the servers from Hyper-V hell using VMware Workstation on my desktop as purgatory before I bring up the ESXi host and then import them into VMware heaven.

I’m then going to up the memory on a couple of systems to see what performance is like when I overcommit.  If it’s acceptable, then I’ll be happy for about 5 minutes.  At some point, I’m going to pull all that RAM and add four 4 GB sticks to max out the system at 16 GB of RAM anyway.

Right now I’m just waiting on the cables from Amazon and then I have to order hard drives from Newegg.  One other thing I’m worried about is heat.  The case I have does not have any cooling over the hard drives and I noticed the ones in place now are pretty hot.  That may be another cost that I’m eventually going to have to consider, but I’ll cross that bridge when I get to it.


I find Squid to be very useful and have been disappointed that 3.1 is still not in any repositories.  I googled a little to see if anyone has already done this, since reinventing the wheel is not really my thing.  There are a couple of tutorials/howtos, but I didn’t really like either approach.  One approach uses the Debian packages, which is fine, but even those are already out of date by a few revisions.  Another howto I came across had a broken startup script which caused me about 15 minutes of headache before I just gave up on it.

So, I decided to install Ubuntu 10.04 server on a VM and do this from scratch from source.  This is a default installation with no more than bringing the system fully up to date and installing openssh-server.  I’m assuming you are logged in as a regular user and are in your home directory. 

Off we go!

1.  First thing to do is install all the necessary dependencies:
sudo apt-get install build-essential libldap2-dev libpam0g-dev libdb-dev dpatch cdbs libsasl2-dev debhelper libcppunit-dev libkrb5-dev comerr-dev libcap2-dev libexpat1-dev libxml2-dev libssl-dev pkg-config dpkg-dev curl

2.  Get the source tarball.  Check it against the PGP signature squid-cache.org publishes next to the tarball before you build it: you are about to compile this and run it as a network-facing service.
wget http://www.squid-cache.org/Versions/v3/3.1/squid-3.1.8.tar.gz

3.  Create the log directories
sudo mkdir /var/log/squid3
sudo chown -R proxy:adm /var/log/squid3

4.  Create the cache directories and give them the correct permissions
sudo mkdir /var/cache/squid3
sudo chown -R proxy:proxy /var/cache/squid3

5. Build Squid 3.1
tar -xzf squid-3.1.8.tar.gz
cd squid-3.1.8

./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=/usr/include \
  --mandir=/usr/share/man --infodir=/usr/share/info --sysconfdir=/etc \
  --localstatedir=/var --libexecdir=/usr/lib/squid3 --disable-maintainer-mode \
  --disable-dependency-tracking --disable-silent-rules --srcdir=. \
  --datadir=/usr/share/squid3 --sysconfdir=/etc/squid3 --mandir=/usr/share/man \
  --with-cppunit-basedir=/usr --enable-inline --enable-async-io=8 --enable-ssl \
  --enable-icmp --enable-useragent-log --enable-referer-log \
  --enable-storeio=ufs,aufs,diskd --enable-removal-policies=lru,heap \
  --enable-delay-pools --enable-cache-digests --enable-underscores \
  --enable-icap-client --enable-follow-x-forwarded-for \
  --enable-auth=basic,digest,ntlm,negotiate \
  --enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SASL,SMB,YP,getpwnam,multi-domain-NTLM \
  --enable-ntlm-auth-helpers=smb_lm --enable-digest-auth-helpers=ldap,password \
  --enable-negotiate-auth-helpers=squid_kerb_auth \
  --enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group \
  --enable-arp-acl --enable-snmp --with-filedescriptors=65536 --with-large-files \
  --with-default-user=proxy --enable-epoll --enable-linux-netfilter \
  build_alias=x86_64-linux-gnu CFLAGS="-g -O2 -g -Wall -O2" \
  LDFLAGS="-Wl,-Bsymbolic-functions" CPPFLAGS= CXXFLAGS="-g -O2 -g -Wall -O2" \
  FFLAGS="-g -O2"

make
sudo make install

Build as your normal user; only the install step needs root.

I got the configure options from running squid -v against a repository install (the binary prints the configure line it was built with).  I had to change --enable-ntlm-auth-helpers=SMB to --enable-ntlm-auth-helpers=smb_lm.  The duplicated --sysconfdir and --mandir options are carried over from the Debian packaging; configure takes the last occurrence, so the configuration directory is /etc/squid3.

6.  The startup script references /usr/sbin/squid3, but this build installs the binary as /usr/sbin/squid.  Fix that with a symlink:
sudo ln -s /usr/sbin/squid /usr/sbin/squid3

7.  Install the startup script to /etc/init.d/ and make it executable.  Read it before you install it: it runs as root at every boot, so treat a script downloaded from a blog like any other code you grant root.
wget https://www.guammie.com/donovan/files/2010/10/squid3
sudo mv squid3 /etc/init.d/
sudo chmod +x /etc/init.d/squid3

8.  Have Squid start on boot
sudo update-rc.d squid3 defaults

And… here’s a configuration file I’ve used.  Real basic, nothing fancy.

Before the first start, check the configuration with sudo /usr/sbin/squid -k parse, and if your squid.conf defines a cache_dir, create the cache structure once with sudo /usr/sbin/squid -z (Squid will not start on an uninitialized cache directory).  Then just sudo /etc/init.d/squid3 restart and you should be good to go.

Here are the instructions in a text file in case any formatting is messed up.
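The post’s own squid.conf is attached as a file rather than shown.  As an added example, not the author’s configuration, here is a minimal squid.conf that matches the directories and --with-default-user=proxy from the build above.  The hostname, the local subnet 192.168.1.0/24, the listening port and the cache size are assumptions to adjust.  What a security review looks for here: access is default-deny, CONNECT is limited to SSL ports, the cache manager answers only to localhost, and the proxy does not leak internal client addresses upstream.

```conf
# Minimal squid.conf for the source build above (added example, not the post's file).
# Values marked "assumption" must be changed for your network.

# Listener and identity
http_port 3128
# assumption: your hostname
visible_hostname proxy.example.internal
# matches --with-default-user=proxy
cache_effective_user proxy
pid_filename /var/run/squid3.pid

# Squid 3.1 does not predefine these ACLs, so they must be declared here.
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
# assumption: the LAN allowed to use the proxy
acl localnet src 192.168.1.0/24

acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 1025-65535
acl CONNECT method CONNECT

# First match wins; the final rule denies everything not explicitly allowed.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
http_access allow localnet
http_access allow localhost
http_access deny all

# Storage and logs in the directories created in steps 3 and 4.
# assumption: 2 GB cache (size in MB, then L1/L2 directory counts)
cache_dir aufs /var/cache/squid3 2048 16 256
coredump_dir /var/cache/squid3
access_log /var/log/squid3/access.log squid
cache_log /var/log/squid3/cache.log
cache_store_log none

# Do not advertise internal client addresses or the proxy itself to origin servers.
forwarded_for off
via off
```

Check it with sudo /usr/sbin/squid -k parse, run sudo /usr/sbin/squid -z once so the aufs cache_dir is created, then start the init script.  The http_access block is ordered deliberately: the manager and port restrictions come before the localnet allow so that a LAN client cannot reach the cache manager or tunnel arbitrary ports through CONNECT.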


Setting up VPNs is always a PIA, but Juniper really dumbs it down and I have to say it really spoiled me.  So when it came time to set up another VPN with a partner who is running an ASA, I had to shake off the rust and think of what could go wrong.  Most of the time I set up tunnels with non-Juniper devices, it ends up being a wrong proxy-id on one side or the other.  You can usually tell this when you see “DOI 1 18 INVALID-ID-INFORMATION” or “No policy exists for the proxy ID: local(local ip/netmask/0/0) remote(remote ip/netmask/0/0)”.   ScreenOS derives the proxy-id from the tunnel, so I normally don’t worry about setting this up, but of course it only works as designed when you connect to other ScreenOS devices.  I don’t know if the SRX platform behaves the same way since it’s running Junos.  I caught this error message and we managed to get the tunnel going, but no traffic was passing through.  Being a Friday night and this not being a critical issue at the moment, both sides decided to come back to it later.

I have a couple of Cisco routers and Juniper SSGs at home for a lab.  I recently picked up an ASA 5505 off of eBay as well and decided to give the configuration on both sides a try to figure out what is going wrong.  Beyond setting up AAA, NTP, and the rest of the management stuff, I have not really had time to do anything with the ASA.  I have experience with IOS from a router and switch perspective, but I’ve never touched PIX.  All of my firewall experience is with Fortinet, ScreenOS, and whatever Linux distros I’ve tried (Astaro comes to mind).

Cisco’s documentation being as awesome as it is, that is the first place I went to figure out what to do:

I’m not one to use a GUI with Cisco devices, so I went through some configuration examples and the cli configuration guide as a first pass to get the tunnel up and running.  I managed to do this, but I couldn’t connect anything beyond the inside interfaces on either gateway and only gateway to gateway.

So I wiped the ACLs and crypto config I put in and fired up ASDM.  I used the IPsec VPN Wizard and kept flipping back to my console to see what changes it was making.  One of the first things that caught my eye was the option to “Enable inbound IPSEC sessions to bypass interface access list.”  Not having experience with setting up Cisco VPNs before, I thought, “Why on God’s green Earth would I not have policies to control that traffic?” Yes, it’s implied that I trust the other side to some degree if I’m setting up a VPN tunnel, but I still want fine-grained control of the communication.  That checkbox leaves the default setting “sysopt connection permit-vpn” intact.  This does exactly what the description on the checkbox says: decrypted tunnel traffic skips the interface access list.  Without it, the decrypted traffic is checked against the inbound ACL on the outside interface, where the tunnel terminates, so you have to set up additional ACL entries (for IKE and ESP to the outside address as well as for the decrypted LAN-to-LAN traffic) before anything flows.

[image: gp01]

I set up a working VPN with and without that box checked, and I decided to go with it checked.  As it turns out, you can use a vpn-filter on the tunnel’s group policy to control exactly what passes through the tunnel.  In this basic lab without the box checked, I had to add an additional 3 policies to get traffic moving through the tunnel.  This might not seem like a hassle, but this is just a lab with a single site-to-site.  Extrapolate that complexity when you start adding multiple sites.  There may be some scenarios where filters just won’t be sufficient, but for what I need to do at work, they will accomplish the task.

[image: gp02]

Excerpt from Troubleshooting Guide:

Note: If you do not wish to use the sysopt connection command, then you must explicitly permit the required traffic, which is interesting traffic from source to destination, for example, from LAN of remote device to LAN of local device and “UDP port 500” for outside interface of remote device to outside interface of local device, in outside ACL.

http://networking-forum.com/viewtopic.php?f=35&t=3310

According to chapter 21 of The Complete Cisco VPN Configuration Guide, the way to do what I am asking is to write manual access lists to permit ipsec/isakmp traffic.

Using this method, one must manually write access lists to permit all ports used by ipsec/isakmp components to allow this traffic into a firewall. This method makes it so packets are checked against access lists twice: once when coming in as ipsec traffic, and again once decrypted as plaintext packets. This allows one to match only desired traffic using the second, more stringent access list.

The alternative is using the “sysopt connection permit-vpn” command. This is also known as ACL bypassing, hence, you cannot restrict traffic further, since the access lists are written for you using this command.

Another method (usable only for 7.0 and higher) is using the “sysopt connection permit-vpn” command on an outside interface, and writing more restrictive access lists outgoing on an inside interface. This method enables one to allow all ipsec/isakmp traffic into the firewall while restricting where the traffic can go from there.

The second thing that caught my eye was a NAT policy that gets added:  nat (any,any) source static local local destination static remote remote.  This command makes no sense to me, and most of the online research I did regarding NAT had a different syntax.  Cisco changed the NAT syntax in 8.3.  Prior to that, it was the same as PIX.  What the wizard is writing is an identity (“twice”) NAT rule: it translates the local network to itself whenever the destination is the remote network, which is how 8.3 and later exempt tunnel traffic from the interface PAT that would otherwise rewrite it before encryption.  Pre-8.3 the same exemption was expressed as nat (inside) 0 access-list followed by an ACL naming the two networks.

Again, Juniper just completely dumbs this down and I never had to configure anything like this.  I’m not a big fan of any-any policies, so I’m going to do some further research on tightening this down later.
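The working configs are attached as files and not reproduced on the page.  As an added example, not the author’s attached config, here is a compact version of the design the post ends up with: sysopt connection permit-vpn left enabled, an identity NAT scoped to (inside,outside) instead of (any,any), and a vpn-filter on the group policy restricting what the partner may reach.  It is written in ASA 8.4 syntax (8.3 spells the transform-set and tunnel-protocol lines without the ikev1 keyword); the interface names, object names, addresses (RFC 5737 test ranges), pre-shared key and the single allowed service are constructed for illustration.  The “no sysopt” variant is shown at the end as comments.

```cisco
! Added example (not the post's attached config). ASA 8.4 syntax.
! Assumed topology: local LAN 192.168.10.0/24 behind "inside", partner LAN 192.168.20.0/24,
! partner peer 203.0.113.2, our outside address 198.51.100.1.
object network LOCAL-LAN
 subnet 192.168.10.0 255.255.255.0
object network PARTNER-LAN
 subnet 192.168.20.0 255.255.255.0
!
! Identity ("twice") NAT, the "source static X X destination static Y Y" form the wizard emits.
! It keeps LAN-to-LAN traffic out of interface PAT, here scoped to (inside,outside) rather than (any,any).
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static PARTNER-LAN PARTNER-LAN
!
! Interesting traffic: these become the proxy-IDs and must mirror the SSG's proxy-id exactly,
! otherwise phase 2 fails with INVALID-ID-INFORMATION.
access-list VPN-PARTNER extended permit ip object LOCAL-LAN object PARTNER-LAN
!
! Phase 1 and phase 2
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set TS-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-PARTNER
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set TS-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
! vpn-filter ACL is written from the remote side's point of view: source = partner, destination = local.
! Here the partner may reach only one host on TCP/443 (assumption); the ASA matches the return
! direction automatically and drops everything else arriving through the tunnel.
access-list PARTNER-FILTER extended permit tcp 192.168.20.0 255.255.255.0 host 192.168.10.25 eq 443
!
group-policy GP-PARTNER internal
group-policy GP-PARTNER attributes
 vpn-tunnel-protocol ikev1
 vpn-filter value PARTNER-FILTER
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 general-attributes
 default-group-policy GP-PARTNER
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-A-LONG-RANDOM-KEY
!
! Enabled by default; with it, decrypted tunnel traffic bypasses the outside interface ACL
! and is controlled only by the vpn-filter above.
sysopt connection permit-vpn
!
! --- Alternative without the bypass (the post's "no sysopt" variant) ---
! IKE and ESP to the outside address, plus the decrypted LAN-to-LAN traffic, must all be permitted
! on the inbound ACL of the outside interface: the three extra entries the post mentions.
! (Add "eq 4500" for udp as well if NAT-T is in play.)
! no sysopt connection permit-vpn
! access-list OUTSIDE-IN extended permit udp host 203.0.113.2 host 198.51.100.1 eq isakmp
! access-list OUTSIDE-IN extended permit esp host 203.0.113.2 host 198.51.100.1
! access-list OUTSIDE-IN extended permit ip object PARTNER-LAN object LOCAL-LAN
! access-group OUTSIDE-IN in interface outside
```

The trade-off between the two variants is where the policy lives: with the bypass, the outside ACL says nothing about tunnel traffic and the vpn-filter on the group policy is the only gate, so each partner gets its own filter; without the bypass, the outside ACL must carry both the IKE/ESP permits and the plaintext LAN-to-LAN rules for every tunnel, which is the growth the post is worried about.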

For now, here is the setup and working configs for an SSG5 to ASA5505 VPN with and without sysopt enabled.

[image: vpn]

Configs:
ASA sysopt
ASA no sysopt
SSG
