Entries Tagged as 'Uncategorized'

The Cisco dance.

In the game of life it appears there is a need to continue the quest (Quest!!! But I’m already on a quest!) for more skills, or upskilling. In doing so, I’ve returned to what got me started in IT: data communication.

Whilst Cisco isn’t the only path one could take to upskill, it would appear to be a road well travelled (google “cisco certification” for greater understanding). I’ve had a Cisco 1720 with VPN module and a second Ethernet card lying around at the office for some time now and thought, since it is a quiet time, I’d install it as the router into the office. Since I didn’t have an ADSL WIC for this machine, I’ve used another DSL modem in bridge mode to pass PPPoE straight through to the Cisco. I pulled the basis of the config from cisco.com so I know it is a supported idea…

Requirements appeared to be simple: route an 8 Mbit/s DSL connection to a NAT’ed LAN with some stateful packet management.

This is typically a 20 minute job in Linux. Eight hours later, after writing a config that is syntactically correct (because my IOS experience is low), I finally started to see some results for a hard day’s work trawling through the cisco.com website (if this sounds lame, try finding stuff at cisco.com) for config examples of different lumps of code. A couple of hours more and I have what appears to be a working system. The dialer works and a PPPoE session is created. Fantastic! Internet appears to work and stateful packet management is working. All in all I was quite happy with my own abilities.

Came into the office the next day to “how come we only get downloads at 16kbps?” This has to be the best head snap I’ve had in a while. Whilst I’d researched QoS I hadn’t actually done any configuration for it.

Started the usual diagnostics… Reproduce the problem: check. Check configuration for anything obvious: check. Check RAM requirements: check. Check CPU usage: umm, not check. This is what I was greeted with:

[Output of “show processes cpu history”. The three ASCII graphs did not survive extraction; only their labels and rough shape are recoverable. Legend on each graph: * = maximum CPU%, # = average CPU%.
CPU% per second (last 60 seconds): too garbled to read.
CPU% per minute (last 60 minutes): most minutes under 10%, with a handful of spikes, two of them reaching 100%.
CPU% per hour (last 72 hours): 33 hourly columns present; the maximum reached 80% or more in 31 of them and 100% in about half.]

(It was across a weekend.) Hmm… CPU appears to be a bit spiky… Not good. So I removed the CBAC config and access-lists. One reload later and now I’m getting 24kbps…

Here’s the config, edited for security’s sake.

Current configuration : 4850 bytes
!
version 12.3
service timestamps debug datetime localtime show-timezone
service timestamps log datetime localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxxxxxxx
!
username admin password 7 xxxxxxxxxxx
! NOTE: "password 7" is reversible obfuscation, not a hash; "username admin secret ..." stores an MD5 hash instead (available since 12.2(8)T).
clock timezone AEST 10
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local enable
aaa session-id common
ip subnet-zero
no ip source-route
no ip rcmd domain-lookup
!
!
ip domain name example.com
ip name-server 10.2.1.1
ip name-server 10.2.1.253
ip name-server 10.2.1.3
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name CBAC1 tcp timeout 3600
ip inspect name CBAC1 udp timeout 30
ip inspect name CBAC1 icmp timeout 30
ip inspect name CBAC1 ftp timeout 3600
ip inspect name CBAC1 http timeout 3600
ip inspect name CBAC1 smtp timeout 3600
ip inspect name CBAC1 tftp timeout 30
ip inspect name CBAC1 h323
ip inspect name CBAC1 realaudio
ip inspect name CBAC1 rtsp
! NOTE: CBAC2 is defined but never applied to an interface; only CBAC1 is in use (on FastEthernet0).
ip inspect name CBAC2 tcp timeout 3600
ip inspect name CBAC2 udp timeout 30
ip inspect name CBAC2 icmp timeout 30
ip inspect name CBAC2 ftp timeout 3600
ip audit po max-events 100
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
ipv6 unicast-routing
no ftp-server write-enable
!
!
interface Loopback0
description Local loopback
no ip address
!
interface Ethernet0
ip address 10.2.254.253 255.255.255.252
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 10.2.1.254 255.255.255.0
ip access-group 101 in
ip nat inside
ip inspect CBAC1 in
! NOTE: Cisco's PPPoE client examples pair "ip mtu 1492" on the dialer with "ip tcp adjust-mss 1452" on this LAN interface; no adjust-mss is configured here.
speed auto
!
interface Serial0
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxx
ppp chap password 7 xxxxxxxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxxxxxxx
!
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 10.2.1.4 22 interface Dialer0 22
ip nat inside source static tcp 10.2.1.4 21 interface Dialer0 21
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
!
!
access-list 1 remark NAT ACL
access-list 1 permit 10.2.0.0 0.0.255.255
access-list 2 remark Permit SSH traffic for 10.2.0.0/16 and deny everything else
access-list 2 permit 10.2.0.0 0.0.255.255
access-list 101 remark traffic in FE/0
access-list 101 permit tcp 10.2.0.0 0.0.255.255 any
access-list 101 permit udp 10.2.0.0 0.0.255.255 any
access-list 101 permit icmp 10.0.0.0 0.255.255.255 any
access-list 111 remark traffic entering D/0
! NOTE: this list is applied inbound on Dialer0. The inbound ACL is checked before
! outside-to-inside NAT, so the destination is still the negotiated public address.
! Entries naming 10.2.0.0/16 or 10.2.1.4 as the destination therefore never match here
! (including the port-22 static NAT below); return traffic for LAN sessions is admitted
! only through the dynamic entries CBAC1 adds at the top of this list.
access-list 111 permit tcp any 10.2.0.0 0.0.255.255 established
access-list 111 permit ip any 10.2.0.0 0.0.255.255
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any host 10.2.1.4 eq 22
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 time-exceeded
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 packet-too-big
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 traceroute
access-list 111 permit icmp any 10.2.0.0 0.0.255.255 unreachable
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 10.0.0.0 0.255.255.255 any log
access-list 111 deny ip 172.16.0.0 0.15.255.255 any log
access-list 111 deny ip 192.168.0.0 0.0.255.255 any log
access-list 111 deny ip any host 127.0.0.1 log
! The posted line read "deny ip 0.0.0.0 255.255.0.0 any"; that wildcard matches any address
! whose last two octets are zero, not the 0.0.0.0/8 bogon range. Corrected wildcard:
access-list 111 deny ip 0.0.0.0 0.255.255.255 any log
access-list 111 deny tcp any any eq 22222 log
access-list 111 deny tcp any any range 60000 60020 log
access-list 111 deny udp any any eq snmp log
access-list 111 deny ip any any
! NOTE: ACL 112 is defined but not applied to any interface.
access-list 112 remark traffic exiting D/0
access-list 112 permit ip any any
access-list 112 deny ip any any
dialer-list 1 protocol ip permit
!
banner login ^CCAuthorised Access only
This system is the property of example.com.
UNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED.
You must have explicit permission to access this
device. All activities performed on this device
are logged and violations of this policy result
in disciplinary action/Criminal Proceedings.^C
!
line con 0
line aux 0
line vty 0 4
access-class 2 in
password 7 xxxxxxxxxxxxx
transport input ssh
transport output ssh
!
ntp server 198.142.76.162
ntp server 203.209.212.99
ntp server 60.242.56.98
!
end

Surely a Cisco 1720 can route an 8 Mbit/s connection without causing the CPU to burn away. I’ve run this config past a couple of Cisco nuts and they can’t seem to find anything stupid. If you can help with the problem please drop me a line. I’m happy to reciprocate with either a beer or Unix help.
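What access-list 111 above actually does on Dialer0 can be checked mechanically. Below is an added example (not from the post and not Cisco code): a small Python model of IOS extended-ACL first-match evaluation, run over a constructed sample of packets arriving on Dialer0. It assumes the negotiated Dialer0 address is 198.51.100.7 (a documentation address standing in for the real one), writes the port names ftp and snmp as 21 and 161, drops the log keywords (they do not affect matching), and models Cisco’s documented order of operations, in which an inbound ACL is evaluated before outside-to-inside NAT, so the destination seen by the list is still the global address.

```python
"""IOS extended-ACL evaluator with first-match semantics (added example, not the
post's code).  Assumed: Dialer0's negotiated address is 198.51.100.7; 'ftp' and
'snmp' are written as 21 and 161; 'log' keywords are dropped (no effect on match)."""
import ipaddress
from collections import namedtuple

PUBLIC = "198.51.100.7"                       # assumption, stands in for the real one
INSIDE = ipaddress.ip_network("10.2.0.0/16")  # the NATed LAN from the post
# ACL 111 from the post, in order, remarks removed (entries 0-19).
ACL_111_TEXT = """\
permit tcp any 10.2.0.0 0.0.255.255 established
permit ip any 10.2.0.0 0.0.255.255
permit tcp any any eq 21
permit tcp any host 10.2.1.4 eq 22
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any 10.2.0.0 0.0.255.255 time-exceeded
permit icmp any 10.2.0.0 0.0.255.255 packet-too-big
permit icmp any 10.2.0.0 0.0.255.255 traceroute
permit icmp any 10.2.0.0 0.0.255.255 unreachable
deny ip host 255.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any host 127.0.0.1
deny ip 0.0.0.0 255.255.0.0 any
deny tcp any any eq 22222
deny tcp any any range 60000 60020
deny udp any any eq 161
deny ip any any
"""
# src/dst: (network, wildcard) ints; sport/dport: (low, high) or None for any port.
Entry = namedtuple("Entry", "action proto src dst sport dport icmp_type established text")
Packet = namedtuple("Packet", "src dst proto sport dport ack icmp_type",
                    defaults=(0, 0, False, None))   # ack: TCP ACK/RST bit set

def _ip(s):
    return int(ipaddress.IPv4Address(s))
def _addr(tok, i):
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2
def _ports(tok, i):
    if i < len(tok) and tok[i] == "eq":
        return (int(tok[i + 1]),) * 2, i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return None, i

def parse_acl(text):
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        layer4 = tok[1] in ("tcp", "udp")
        src, i = _addr(tok, 2)
        sport, i = _ports(tok, i) if layer4 else (None, i)
        dst, i = _addr(tok, i)
        dport, i = _ports(tok, i) if layer4 else (None, i)
        rest = tok[i:]
        icmp_type = rest[0] if tok[1] == "icmp" and rest else None
        acl.append(Entry(tok[0], tok[1], src, dst, sport, dport, icmp_type,
                         "established" in rest, line))
    return acl

def _in(spec, ip):       # wildcard match: bits where the wildcard is 0 must agree
    return ((ip ^ spec[0]) & ~spec[1] & 0xFFFFFFFF) == 0
def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if not (_in(e.src, _ip(p.src)) and _in(e.dst, _ip(p.dst))):
        return False
    for spec, port in ((e.sport, p.sport), (e.dport, p.dport)):
        if spec is not None and not spec[0] <= port <= spec[1]:
            return False
    if e.established and not p.ack:
        return False
    return e.proto != "icmp" or e.icmp_type in (None, p.icmp_type)

def first_match(acl, p):
    """(index, action) of the first matching entry; len(acl) is the implicit deny."""
    for i, e in enumerate(acl):
        if _matches(e, p):
            return i, e.action
    return len(acl), "deny"

def dead_behind_nat(acl, inside=INSIDE):
    """Entries whose destination lies wholly inside the NATed LAN.  An inbound ACL on the
    outside interface runs before outside-to-inside NAT, so they can never match there."""
    mask, net = int(inside.netmask), int(inside.network_address)
    return [i for i, e in enumerate(acl)
            if (e.dst[1] & mask) == 0 and (e.dst[0] & mask) == net]

ACL_111 = parse_acl(ACL_111_TEXT)
# Constructed sample of packets as they arrive on Dialer0 (destination still pre-NAT).
SAMPLE = {
    "http return, ACK set": Packet("203.0.113.10", PUBLIC, "tcp", 80, 51234, True),
    "ssh to forwarded port": Packet("198.51.100.200", PUBLIC, "tcp", 40000, 22),
    "ftp to forwarded port": Packet("198.51.100.200", PUBLIC, "tcp", 40000, 21),
    "ping": Packet("198.51.100.200", PUBLIC, "icmp", icmp_type="echo"),
    "spoofed 10/8 source": Packet("10.9.9.9", PUBLIC, "tcp", 1234, 80),
    "x.y.0.0 source": Packet("5.6.0.0", PUBLIC, "tcp", 1234, 80),
}
def evaluate(acl=ACL_111, sample=SAMPLE):
    """Map each sample name to (entry index, action)."""
    return {name: first_match(acl, p) for name, p in sample.items()}
```

Under that order of operations the entries naming 10.2.0.0/16 or 10.2.1.4 as destination (0, 1, 3 and 6 to 9) are dead on Dialer0, the static port-22 forward is dropped by the final deny while the port-21 forward is admitted by entry 2, and return traffic for LAN sessions gets in only through the dynamic entries CBAC adds at the top of the list (the evaluator, like the static list, drops the HTTP reply). Entry 15’s wildcard matches a source such as 5.6.0.0 and not 0.1.2.3, so it does not cover the 0.0.0.0/8 range it was presumably written for. None of this explains the CPU load the post describes; it only shows what the list actually does.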

Wade and Athene’s Wedding.

Went to Wade and Athene’s wedding today… Interesting event to say the least. I think Mario got a mention in the wedding vows along with being on the cake. Played Wii boxing at the reception. I think Wii boxing should be used to mediate more relationship issues. (Mental note: buy Wii.) Wow, people turned out in force. Because the humidity was in the 90s, pretty bamboo fans were supplied.

Food was great.. All in all a great day..

I hope for the “happily ever after” life they deserve.

Whilst this wasn’t a traditional wedding I think I had more fun along with the bridal party. There should be more gamer weddings.

Upgrades…

I’ve had a number of problems with the WYSIWYG interface in WordPress 2.0 and decided to do an upgrade to 2.2. I hadn’t done a WordPress upgrade, but it looked simple enough. Typically one would first back up the DB (check!) and then back up the PHP pages (sort of check…). Well, in the midst of trying to back up as little as possible, I somehow shredded my config.php with my SQL password. Not good. Oh well, an e-mail to my friendly admin and it’s all good.

Apologies to those who might have relied on it for some timely information. Better caution will be taken next time to make sure outages are much shorter.

The Missing Hole.

Well, the weekend has been up and down. Two parties in two days, but I’m having a large hole where stuff used to be and someone to talk to for the last four years. Now she has gone. I’m quite bummed about it. Kinda miss having someone there and it’s not even the first night. To all the single people out there: I so get loneliness. Big hugs all round.

laters..

A very good Night Out.

Celebrated Andy’s 23rd in fantastic style with a legendary shindig at Andy’s place… Great night, good company and fantastic drink.

All things SAGE-AU.

For those who are not aware, I’m a proud member of SAGE-AU (the System Administrators Guild of Australia), Queensland Chapter. As the website says: “the network behind the people behind the network”. SAGE-AU is a great organisation with very professional and extremely knowledgeable people at its core. The mailing list and monthly talks are worth the membership, let alone the discounts from various vendors and other perks.

After being a member for one year, I decided to put my hand up to help with the running of the organisation and was nominated/voted in as a SAGE-QLD executive.

Part of my position is to help with speakers and the running of the meetings. In contemplating this role, I thought it would be good to get a talk together for the times that vendors could not be organised. The talk topic I’ve chosen is IPv6. As my previous posts have mentioned, I’ve been a big fan of IPv6 and would love to see it in consumer homes ASAP.
It has been put to me that writing a paper might be the best way to a good talk. The only challenge is how I approach the talk. I definitely know that I want to debunk some urban myths of IPv6 that seem to pop up as soon as you mention it.

Once I have something substantial I will post it accordingly under Creative Commons.

Itte kimasu

Myf Warhurst - The love of my Life.

I’d like to confess my love for the queen of radio. For years I’ve listened to Myf’s soothing voice on my favoured radio station triple j, but after seeing Myf host the top 10 all-time favourite albums I’m in love. Black hair, red dress, who wouldn’t…

On other news: work has given me a so-called promotion and pay rise. The pay rise was ok but the promotion is too little. I’m going from a lackey to a sysadmin and, well, they’ve lost everyone but me. So by default I am the system administrator, right? Well no, I’m the “Acting Systems Administrator”. According to the sage.org position description of a sysadmin I do the job. Fair and simple… So what to do?

TV is progressively getting worse in content, with reruns of shit we’re not interested in. Makes you wonder why people have to resort to a thing called BitTorrent for sanity and some good TV.

All things open source

It’s been another eventful week with a number of projects I’m working on.

OPIE for Fedora. For those of you playing at home, OPIE is One Time Passwords. This allows admins to further secure SSH and general login sessions by providing users with either a hardware password calculator or a software calculator to produce a one-use password. Banks have made this popular with RSA key tokens and plastic-looking calculators.

After googling for days I’ve discovered that Fedora currently doesn’t have an OPIE server/client or PAM libraries to make this possible. Thanks to the good folk at Debian, particularly Michael Stone, and FreeBSD, OPIE is well supported and has great active development. Since Debian and Fedora share a lot of common code I decided to download the source and patches and give it a whirl. Compiling went well and for all intents and purposes this was a hit. I now have the fun challenge of writing a SPEC file, packaging this up and offering it (once I’ve asked those people that have done the hard work) to you good net folk and maybe a repo or two.

ISC DHCP on OSX Server. I work quite frequently with OSX Server in office environments and have found the DHCP server that comes with OSX Server lacking in real features compared to ISC DHCP. After googling around on how to get dynamic updates from OSXS DHCP to DNS I came across this great article from MacTroll about ISC DHCP and DNS on Mac OSX Server. This article is great but the only thing missing is a dmg/pkg to do the install of ISC DHCP with some nice plist scripts for startup and integration into the OS.

More googling revealed that Faisal had tried this with reasonable success. Since he no longer maintains this I’m going to create an updated package with net-boot patches and an integrated scripts/install process and see whether this can work well in a production environment.

On the work scene, one of my good colleagues is heading to greener pastures and leaving us. It’s sad to see good people go. I’m also hunting down a Windows Support Engineer to work with me. I will post here with the P.D. when HR draws it up.

Sayonara!

Linux and One Time Passwords

After doing a security audit at work we decided to look at better SSH security other than passwords. DSA keys work but if you lose the key it’s painful. One Time Passwords appeared to be the best solution. Having recalled that somewhere I tried to use opie/skey on Linux eons ago, I thought this could be a really good idea.

However, looking for RPMs and/or source that’s recent and updated regularly seemed painful. It certainly isn’t going to work without heavy editing with gcc-4*.

Maybe there’s some way of using passwords and DSA keys together for better security, or another solution…
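Both this post and the OPIE paragraph under “All things open source” above are about one-time passwords. What follows is an added example, not OPIE’s code and not the author’s, of the S/Key-style hash chain that OPIE implements (the MD5 variant of RFC 2289) in Python. The seed and pass phrase are constructed for the example, and RFC 2289’s six-word output encoding is replaced by its hex form.

```python
"""S/Key-style one-time password chain (RFC 2289, MD5 variant), an added illustration
of the scheme OPIE implements; not OPIE's code.  Six-word encoding omitted (hex form)."""
import hashlib
import secrets


def fold_md5(data: bytes) -> bytes:
    """RFC 2289 MD5 step: hash, then XOR the two 8-byte halves down to 64 bits."""
    d = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(d[:8], d[8:]))


def otp(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th password of the chain: fold(seed || passphrase), then folded n more times."""
    s = fold_md5((seed.lower() + passphrase).encode())
    for _ in range(n):
        s = fold_md5(s)
    return s


class OtpServer:
    """Per-user server state: seed, sequence number and the last accepted password.
    The pass phrase itself is never stored."""

    def __init__(self, seed: str, sequence: int, last: bytes):
        self.seed, self.sequence, self.last = seed, sequence, last

    @classmethod
    def enroll(cls, passphrase: str, sequence: int = 499, seed: str = None):
        seed = seed or "ex" + secrets.token_hex(3)      # constructed seed
        return cls(seed, sequence, otp(seed, passphrase, sequence))

    def challenge(self) -> str:
        """What the login prompt shows; the client derives the next password from it."""
        return f"otp-md5 {self.sequence - 1} {self.seed}"

    def verify(self, response_hex: str) -> bool:
        """Accept iff one more fold of the response reproduces the stored value.  On
        success the response becomes the stored value and the counter drops, so the
        same password can never be accepted twice."""
        if self.sequence <= 0:
            return False                                # chain exhausted: re-enroll
        try:
            response = bytes.fromhex(response_hex)
        except ValueError:
            return False
        if len(response) != 8 or fold_md5(response) != self.last:
            return False
        self.sequence -= 1
        self.last = response
        return True


def client_response(passphrase: str, challenge: str) -> str:
    """Client side (the 'calculator'): parse 'otp-md5 <n> <seed>', return password n."""
    _, n, seed = challenge.split()
    return otp(seed, passphrase, int(n)).hex()


if __name__ == "__main__":
    srv = OtpServer.enroll("correct horse battery staple", sequence=5, seed="ex1234")
    ch = srv.challenge()
    resp = client_response("correct horse battery staple", ch)
    print(ch, "->", resp, "accepted:", srv.verify(resp), "replay:", srv.verify(resp))
```

The server never sees the pass phrase and cannot compute a lower-numbered password from the one it holds, so a stored value or a password sniffed off the wire is of no use for the next login. The cost is the shrinking counter: once it reaches zero the user has to re-enrol with a new seed, which is why OPIE tools warn when few passwords remain.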

I have neglected thee..

Well, again the blog has fallen by the wayside. All I can say is that I have installed gnome-blog at work, where the inspiration hits me the most.