Re: Throttle traffic for a single local IP on a Linux router?

2010-12-24 Thread gordon b slater
On Thu, 2010-12-23 at 18:32 -0500, jo...@hush.ai wrote:
 $TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil $DNLD
 $TC class add dev $OUTIF parent 1: classid 1:1 htb rate $UPLD ceil $UPLD
 $TC filter add dev $INIF  parent 1:0 ip pref 1 u32 match ip src $IP/32 0x flowid 1:1
 $TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst $IP/32 0x flowid 1:1
 
 Anyone see any problems in my setup 

yes, I think you have the same IDs in the last 4 lines.

classids should be 1:1 and 1:2
flowids should be 1:1 and 1:2

yours are 1:1 in both cases of each



try :-


$TC class add dev $INIF parent 1: classid 1:1 htb rate $DNLD ceil $DNLD
$TC class add dev $OUTIF parent 1: classid 1:2 htb rate $UPLD ceil $UPLD
#                                          ^^^
$TC filter add dev $INIF  parent 1:0 ip pref 1 u32 match ip src $IP/32 0x flowid 1:1
$TC filter add dev $OUTIF parent 1:0 ip pref 1 u32 match ip dst $IP/32 0x flowid 1:2
#                                                                                ^^^
(line breaks may be affected by email formatting etc )


Gord


--
# ~ TC , the undisputable leader of the gang ~ #


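The complete per-host HTB set-up the thread is circling around, as an added example that is not code from the original posts. It adds the root qdiscs the quoted snippet takes for granted and keeps one distinct class per device; the interface names LANIF/WANIF, the sample IP and the rates are my assumptions, and since tc shapes egress only, the download cap sits on the LAN-facing interface (match on dst) and the upload cap on the WAN-facing one (match on src).

```shell
#!/bin/sh
# Added example, not code from the original thread: HTB throttle for one
# LAN host on a Linux router. Assumed names: LANIF faces the throttled
# host, WANIF faces upstream, IP is the host, DNLD/UPLD are its caps in
# tc rate syntax (e.g. 2mbit). TC defaults to a dry run that only prints
# the commands; run with TC=tc as root to apply them for real.
TC="${TC:-echo tc}"

# gen_tc_rules LANIF WANIF IP DNLD UPLD
gen_tc_rules() {
    lanif="$1"; wanif="$2"; ip="$3"; dnld="$4"; upld="$5"

    # Remove any existing root qdisc (harmless if there is none).
    $TC qdisc del dev "$lanif" root 2>/dev/null || true
    $TC qdisc del dev "$wanif" root 2>/dev/null || true

    # One HTB root per device. With no default class, traffic that no
    # filter matches bypasses the classes and is not shaped at all.
    $TC qdisc add dev "$lanif" root handle 1: htb
    $TC qdisc add dev "$wanif" root handle 1: htb

    # A distinct class per device: 1:1 caps download towards the host,
    # 1:2 caps upload from it. rate == ceil, so the host can never borrow.
    $TC class add dev "$lanif" parent 1: classid 1:1 htb rate "$dnld" ceil "$dnld"
    $TC class add dev "$wanif" parent 1: classid 1:2 htb rate "$upld" ceil "$upld"

    # u32 filters steer only this host's packets into those classes;
    # each flowid names the class created on the same device.
    $TC filter add dev "$lanif" parent 1: protocol ip prio 1 u32 match ip dst "$ip"/32 flowid 1:1
    $TC filter add dev "$wanif" parent 1: protocol ip prio 1 u32 match ip src "$ip"/32 flowid 1:2
}

# show_shaping DEV: per-class counters and the installed filters, the
# quickest check that the host's traffic really lands in the class
# (byte/packet counters should climb while the host is active).
show_shaping() {
    $TC -s class show dev "$1"
    $TC filter show dev "$1" parent 1:
}

# Dry run with constructed sample values.
gen_tc_rules lan0 wan0 192.168.1.50 2mbit 512kbit
show_shaping lan0
```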


Re: Throttle traffic for a single local IP on a Linux router?

2010-12-24 Thread gordon b slater
On Fri, 2010-12-24 at 05:52 -0500, Jeffrey Lyon wrote:
 Try a Linksys RV016, it has some decent traffic shaping tools for
 larger home and small business networks.
 
Yes indeed it does. 

Ironically that device runs a linux-y kernel so is probably also using
iptools/tc to achieve the shaping/policing, with a GUI wrapped around it.

The GPL parts of it are at 
ftp://ftp-eng.cisco.com/pub/opensource/linksys/RVxxxToolchain/

I was also planning to have a look at the hardware in it but that device
is now out of my control :(

Gord


Re: BGP support on ASA5585-X

2010-11-06 Thread gordon b slater
On Fri, 2010-11-05 at 21:50 -0500, Tony Varriale wrote:

somebody said:
 They could make it out of the box but this is why Dylan made his statement.
 
 His statement is far fetched at best.  Unless of course he's speaking of 100 
 million line ACLs.

Can I just ask out of technical curiosity:


Q: What is considered a large number of ACL lines for these recent ASA
boxes? I realise it depends, so I'm looking for a loose ball-park
response (or preferably a rule-of-thumb equation?).


background to the question:
I have several special purpose BSD boxes that have several hundred lines
of PF filtering rules (the equivalent of a Cisco ACL line). One has
nearly 2300.
These are consolidated with macros (PF anchors/tables) and dynamic
rulesets, so are already highly optimised. The rules are in addition to
the shaping and anti-spoofing; these are in a critical location in the
(very sensitive) very complex network.
I'm just wondering if this is a lot in the world of recent ASAs,
having had no relevant experience with them (at this level).


Gord

--
soul for sale - apply within





Re: Token ring? topic hijack: was Re: Mystery open source switching

2010-11-05 Thread gordon b slater
On Thu, 2010-11-04 at 12:44 -0700, Jeroen van Aart wrote:

 In most if not all European countries (and likely most other countries 
 too) you pay a fee per time unit (say per minute) for local calls. 

in addition to a relatively high monthly standing charge subscription
fee I might add!

In the UK, this has really only changed in the last 3 or 4 years for
most users of the national telco, for whom it is now possible to buy an
option plan of free calls each month at an extra charge above the basic.

It's no coincidence that I learned to type very, very fast in the early
1980s, before global email became prevalent for the public and the
majority of comms were done on BBSs of one sort or another. Only mail
retrieval could be scripted, all proto-browsing was done live and
against a rapidly-ticking financial clock.

Conversations with colleagues across the pond were filled with silent
envy for a _very_ long time, until approx 1997 iirc :)

Gord






Re: Mystery open source switching company claims top-of-rack price edge (was Re: Pica8 - Open Source Cloud Switch)

2010-10-30 Thread gordon b slater
On Sun, 2010-10-31 at 03:28 +0900, Randy Bush wrote:
  plonk
  ... goes your custom
  Marketing by annoyance, smoke, and mirrors? Gotta love the strategy
 
 do not buy from spammers


...goes without saying.

I'm just wondering if this a guerilla launch for some new Oracle product
or project, or what, exactly? I'm _very_ confused.

Maybe Paul K. can clear it all up, but apparently he's out of the office
right now.

Meanwhile, I'm failing to see a product, figures, source code, or more
to the point, any operational aspect at all in any of these ad-spam
posts. 

Consider this a formal request for root-plink, before we have a major
corp try to sell us a database solution or proprietary kernel via the
list.

sigh

Gord
--





Re: Mystery open source switching company claims top-of-rack price edge (was Re: Pica8 - Open Source Cloud Switch)

2010-10-30 Thread gordon b slater
On Sat, 2010-10-30 at 21:05 +0200, Lin Pica8 wrote:
 Buy you glasses and a book about network engineering ;) !

eat your own words in any of these ad-spam posts

Now get out, and stay out, of my NOCs

Gord






Re: Only 5x IPv4 /8 remaining at IANA

2010-10-20 Thread gordon b slater
On Wed, 2010-10-20 at 11:18 +1100, Julien Goodwin wrote:
 MS Windows (at least 2k3 server) will simply drop packets with a source
 address of .0 or .255 coming from the legacy class C space, this hit us
 with some Win 2k3 servers that for a bunch of stupid reasons needed to
 be connected to from natted hosts, and the next pool IP off the pile was
 a .255 address somewhere in 192.168.0.0/16. Took quite a while to 

thanks for explaining the reason for a total waste of 3 hours of my life
recently, on a /22 in my case, after a large-scale merger of 1918's.
I had to replace it with a netinst + Postfix install to get stuff moving
again. Did MS understand classless in '03? Do they now?




Re: 12 years ago today...

2010-10-16 Thread gordon b slater
On Sat, 2010-10-16 at 01:43 -0700, Ali S wrote:
 He should have been better known for his work. The intertubes will miss you

One day I hope he'll be featured in school history lessons.

An amazing legacy - something approaching 1/3rd of the planet's
population uses it every time they use the 'nets.

Gord
--
History repeating itself? tcpdump the STP to figure out why.

RE: Facebook Issues/Outage in Southeast?

2010-09-24 Thread gordon b slater
On Thu, 2010-09-23 at 12:47 -0700, Justin Horstman wrote:
 Productivity grinds to a halt as everyone goes onto twitter to talk about 
 facebook being down

I'm hoping (desperately) that someone other than me sees the full irony
in this statement?

I also have visions of hundreds of techs worldwide thinking their snort
boxes have hung. 

Gord
--
oink




RE: Did Internet Founders Actually Anticipate Paid, Prioritized Traffic?

2010-09-16 Thread gordon b slater
 inline...

On Wed, 2010-09-15 at 22:15 -0700, George Bonser wrote:
 The problem I have with the concept is that paid prioritization only
 really has an impact once there is congestion.  If your buffers are
 empty, then there is no real benefit to priority because everything is
 still being sent as it comes in.  If you have paid prioritization, there
 is a financial incentive to have congestion in order to collect toll
 on the expressway.  So if I have a network that is not congested, nobody
 is going to pay me to ride on a special lane.  

That's a serious problem that came up verbatim in an overheard (#1)
conversation yesterday. The bean-counters (who must, unfortunately,
remain nameless) coined the phrase "fill your buffers and fill your
boots".

I was left with the distinct unsavoury impression that they were drawing
up a (contingency) plan for that exact eventuality. 

 I believe a network should be able to sell prioritization at the edge,
 but not in the core.  I have no problem with Y!, for example, paying a
 network to be prioritized ahead of bit torrent on the segment to the end
 user but I do have a problem with networks selling prioritized access
 through the core as that only gives an incentive to congest the network
 to create revenue.
 

+1, because anything other than that Paid-Edge-Prio(#2), to me, smells
of theft, fraud, and frankly, B-S. 

IANAL
Gord

(#1) on a completely unrelated topic, twisted pairs could possibly make great
mike leads, don't you think? cough
(#2) you heard it here first. Likewise, Paid-Core-Prio. Hey, I could
patent-troll this stuff :)

--
$ cowsay paid-prio

( rip-off )
 
o   ^__^
 o  (oo)\___
(__)\   )\/\
  \||w |
   \_  || ||





Re: Web expert on his 'catastrophe' key for the internet

2010-07-28 Thread gordon b slater
On Wed, 2010-07-28 at 10:33 +0200, Elmar K. Bins wrote:

 One, I do not see the operational relevance of this news.

The real problem is that articles like this DO get considerable
attention in the UK - a place where the internet has yet to gain true
understanding and recognition as a national business and government
asset in the eyes of the general consumer populace and their
politicians.
Stories written like this still have a wow factor, both with the
unconnected and the great unwashed customers in general.
 
 Second, people cult is just not the hype anymore

Rest assured, none of the intended viewers know or care who the
dungeon-master is :) All they care about is their MSN working.
They have to depict someone doing something, and ascii-armored printout
is far too confusing for the folks to comprehend. 


Gord
--
You have been eaten by a grue










Re: Rate Limiting on Cisco Router

2010-07-08 Thread gordon b slater
On Thu, 2010-07-08 at 16:35 -0700, Kenny Sallee wrote:
 I think if you try to traffic-shape 80Mbps on that platform you'll have
 problems.  We have a 7200 with NPE-G1 (rate limited at 80Mbps) and it killed
 the CPU when the threshold was hit.  I imagine that traffic-shaping would do
 the same to CPU and memory.  I'd lab it first.
 

I've seen that model preceded by a BSD machine with 2 physical ethernet
NICs. When I asked - limiting for the 7206's outgoing, so I'm assuming
that was a CPU thing. In that case the 7206 was just an edge box for the
fibre, so doing nothing complex. Capped at 48Mbps (IIRC) in that case -
YMMV. 

Also bear in mind that this is borderline black art - it needs a bit of
testing to be sure it's working as you expect :)

My usual technique is to replay some flows then set several iperf
streams going simultaneously to see how it reacts. Sometimes limiting
just seems to temporarily break down under stress in bizarre ways.
Whether it fails open, restricted or closed seems to be very
unpredictable and not very reproducible on some kit- keep your eye on it
at first, or use BSD to do it if you're more familiar with that.


Gord
--
Awake! for morning in the bowl of light has flung the stone that puts
the stars to flight





Re: Rate Limiting on Cisco Router

2010-07-08 Thread gordon b slater
On Thu, 2010-07-08 at 18:54 -0500, Jack Bates wrote:
 underpowered router or poor code

Agreed. So which is it?  :)

To be fair, some IOS versions were better than others at it in my
limited experience of that chassis. 

Gord
--
I hold you XAP





RE: Rate Limiting on Cisco Router

2010-07-08 Thread gordon b slater
On Thu, 2010-07-08 at 20:01 -0400, Brandon Kim wrote:
 What about purchasing a low-end packetshaper to be used in between?

If -

1/ budget is a problem

and

2/ you have no BSD knowledge inhouse

and 

3/ the LAN side is all ethernet

you could have a stab at using a PFsense box with two (and strictly ONLY
two, for this use) physical NICs. It has a GUI to set up traffic shaping
(see the sticky on the pfsense forums). PFsense 1.2.3 is current, don't
go for the experimental 2.0 for production. There's a book and
commercial support if you need it, free support via forums if you can't.

Only two physical NICs is necessary due to shaper problems with more
than two, whereas in a firewalling role the slots are the only limit
(but VLANS are the norm for bucketloads of ports on a firewall PFsense
box) 
An ITX (Littlefalls etc) mobo with 512MB RAM with an extra PCI Intel NIC
added will do you fine.
PFsense has nice traffic graphs, which helps you with shaping speeds in
a big way. It also has a TFTP server available for it so it's handy for
unmanned sites with only a few blue boxes ;)

PS - a crazy afterthought - surely just about anything with a 10/100
ethernet link running at 100 and placed inline, cannot exceed 100Mbps -
and probably less if it's plastic-cased? Try a few 8-port junkers and
see what happens if you fancy a walk on the dangerous side. Watch out
for errors and smoke :) 

Gord
--
The drinker you are the smoker you get
 




Re: Juniper SRX-210 -- CCC certificate required

2010-05-18 Thread gordon b slater
On Tue, 2010-05-18 at 10:03 +0200, Elmar K. Bins wrote:
 Hello altogether,
 
 I'm in kind of a pinch currently - I have to get a Juniper
 SRX-210 into China. That got the box stuck at import there,
 and they demand the CCC certificate from us.
 
 Unfortunately, Juniper has as yet not been willing or able
 to respond to this request (ongoing for weeks), and I wonder
 if anyone on this list might just have the certificate on file...

This maybe doesn't help you as much as a CCC itself, but, seeing that it
may have been ongoing for weeks:
 ...something in the back of my head says they retracted from their
initial stance recently (few month ago?) and said the CCC for IT
security kit was only needed for Gov't Procurement kit - I could be very
wrong, it was a snippet of casual conversation in passing.

Maybe you're just up against extra red tape, officials not up to speed
etc; or maybe it is for a Govt Contract after all.

Good luck either way

Gord

--
No1 Box CLI





Re: Edu versus Speakeasy Speedtest

2010-04-30 Thread gordon b slater
On Thu, 2010-04-29 at 11:48 -0600, Stephen John Smoogen wrote:
 Take a vacuum cleaner with extensions. Make a set of end connectors

A series of tubes anyone?

I'd also show them the rrd/MRTG graph at the perimeter. Be clear to them
about the units. 
Never miss the chance to ask for more budget though. Tell them the ACL
filters clog and need changing regularly, just be inventive ;)

Gord
--
darken room - adjust heater current so that elements glow cherry red -
apply drive - tune for maximum smoke and minimum sparking





Re: the alleged evils of NAT, was Rate of growth on IPv6 not fast enough?

2010-04-28 Thread gordon b slater
On Wed, 2010-04-28 at 02:13 -0400, Steve Bertrand wrote:
  I would see UPNP as being a security risk and prone to denial of
  service attacks when you have torrent clients attempting to grab
 every

+1
apologies if I've said this here before - UPNP = unstoppable Peek and
Poke

Gord




Re: Senderbase is offbase, need some help

2010-04-18 Thread gordon b slater
On Sat, 2010-04-17 at 16:45 -0400, William Herrin wrote:

 Interesting; I see similar results for my address space. Two
 addresses, one of which hasn't been attached to a machine for a decade
 and the other a virtual IP on a web server where the particular IP
 never emits connections. Magnitude's only 0.48 for both but still,
 they shouldn't even appear.

Yep, same here, at two separate sites. It's in the "reserved for extreme
emergencies" zone at the top of each assigned block. As per house
practice it is tcpdumped 24/7, and has been for the last 4 years. Zero
traffic from it at the perimeter.

Go figure.

Gord
--
Order of Magnitude delayed due to lack of stock, please call Despatch




Re: Mikrotik RouterOS

2010-04-12 Thread gordon b slater
On Mon, 2010-04-12 at 16:06 -0400, James Jones wrote:
 kind ofrouterOS supports MPLS, linux does not

It could (unfortunately) be a while before a full linux implementation
of MPLS gains enough speed, it's very much out on the fringe of what
linux does daily. This means that getting enough developers, free time
to develop and equipment to test with seems to be quite a steep problem
right now.

Likewise the FreeBSD MPLS effort, though this seems to be more like
familiar territory for BSD-heads, but, as ever, funding and equipment
are sorely needed.

If anyone (I'm thinking of the bigger players) could lend a hand,
loan/ship out a box, or offer a few test-box out onto the cloud by
(arrangement) the lack of MPLS on BSD and Linux machines could probably
be rectified a little quicker. 
Or maybe someone has a tiny pot of cash to sponsor some bounty
development? 

back onto the main topic...

+1 for routerOS, but never needed MPLS in my encounters with it.

 I have to say the Microtiks do nothing (in my world, that is) that I
couldn't do with half an hour and similar (but very slightly beefier)
hardware and a generic/minimal BSD or linux install, but given the
price, I'd be a fool to DIY if I need to hand over to others,  erm ,
well, shall we say, `less interested` at the end of the day. 
It earns an extra Kibo Cookie for that, certainly. 

Gord
--
| * error 34 * | auto-sig could find no relevant content for the message
text | please change to previous tape to continue searching or enable
FidoNet searching




Re: Using private APNIC range in US

2010-03-19 Thread gordon b slater
On Thu, 2010-03-18 at 14:50 -0400, Daniel Senie wrote:
 As you note, debugging this type of thing is often not intuitive, as
 everything appears to work from almost everywhere

I got curious yesterday and set off a couple (very slow {option -T0},
very polite, very restrictive) nmap single port scans of a few lumps of
1.0.0.0/22, but couldn't see much out there due to several of our ISP's
internal boxes.
It looks like chaos-squared out there. I don't envy anyone fathoming
that stuff out for real.

Still, that said, the transition to fully signed roots seems to be going
along without too much breakage (I think/hope!) so maybe only time will
tell how much this latest block release will give trouble longterm.

Gord

--
rockin ze chair mit  Davey Graham to Banshee from rackserver-2










Re: Using private APNIC range in US

2010-03-19 Thread gordon b slater
On Fri, 2010-03-19 at 06:08 +, gordon b slater wrote:

 It looks like chaos-squared out there. I don't envy anyone fathoming
 that stuff out for real.

clarification: `chaos` due to our ISP running internal boxes on the
range in question, rather than external chaos. 
The implication being: if it's looping around inside the customer's ISP
then there's not much hope of easy troubleshooting.

Gord

--
sig nal generator




Re: anti-ddos test solutions ?

2010-03-17 Thread gordon b slater
On Wed, 2010-03-17 at 07:45 +0100, jul dit:
 But a solution to test basic attack (synflood, slowloris, socktress,
 ...) with 10 to hundred computers would be interesting, so not a tool
 but more a service.
 
 Found only Parabon [1] on Google
 
 Does someone know something similar ?

If you have access to a large enough network in a campus-size
establishment, try booting a large room (100+) full of desktop PCs with
a live CD/USB and script (or clusterSSH) some hpings, blind netcats
(large file as input), iperfs or nmap+nmapscripting) through a _good_
switch stack. Set a low mtu on the interfaces for maximum pps.

Please remember to fully air-gap it (and the redundants) from the cloud
and the rest of the campus backbone in case you have thick fingers
entering the target - your upstream might be tempted to ring you on the
BatFone in a hurry. That gets embarrassing, as a friend of mine found
out in December last year.

Other than that, I suspect it's going to cost you for real kit :(
Depends how real you need it I guess.

Kiddies seem to be able to do it with E1/T1-sized pipes so it should at
least be better than waiting for one to come your way naturally :)

regards
Gord

--
gurgle. gurgle-splat. splat. splat. sploo-oo-oshhh = rommon







Re: anti-ddos test solutions ?

2010-03-17 Thread gordon b slater
On Wed, 2010-03-17 at 08:07 +, gordon b slater wrote:
(large file as input), iperfs or nmap+nmapscripting) through a _good_
 switch stack. Set a low mtu on the interfaces for maximum pps.
^   
~fail~

correcting myself: set low packet/payload sizes (fragmenting where
possible).

reason: lack of coffee, too early, feel ill :(

G





Re: OBESEUS - A new type of DDOS protector

2010-03-16 Thread gordon b slater
On Tue, 2010-03-16 at 04:47 +0100, Guillaume FORTAINE wrote:

 c) Its code is Open Source.
 
 http://www.loud-fat-bloke.co.uk/tools/obeseusvB.tar.gz
 
 
 My conclusion is that I give far more credit to Obeseus than to Arbor 
 Networks.
 

Hmm, the "hey! it's open source!" factor doesn't hold much sway in the
network world, no-one will be amazed at that. Many observers are
surprised at the amount of free software employed by ISPs and the like,
but it's certainly no news to insiders.

Cisco, Arbor and others all have products based on Linux kernels and
BSDs, as only two examples. Sure, the products aren't open sourced,
but in a world where moving packets is the main business - what works,
goes.

(I'm a Beastie/Puffy/Tux proponent myself, so I'm not trying to
criticise your approach, just a comment on addressing the list. 
Most of us here are either one of the following here:

1/ Open-Source users/converts
2/ FOSS users/converts (not the same thing as #1)
3/ Originals (eg: Vixie et.al.)
4/ BSD-style-license industrial users (some very big names involved,
quietly,  in this category)
5/ Quagga/Bird/OpenBGPd users
6/ MS-Windows-only people who happily SSH into various items of hardware
running various operating systems all day long without worrying about
it.
7/ a combination of all of the above and more

At the end of the day, I say it again - what works, goes

Especially, where is Roland Dobbins ?

hey, careful, if you're looking for a fight we'll let Randy out of his
box, and you don't want to get that ;)


It's mainly (ie: intended to be...lol) an operational list, not a
theoretical discussion list. It's always good to have a different point
of view here, just don't bait the dogs so hard  =8^}


Gord
--
rockin ze NOC  ( mit MOC in a shell )





Re: Network Naming Conventions

2010-03-16 Thread gordon b slater
On Mon, 2010-03-15 at 18:51 -0400, Patrick W. Gilmore wrote:
  but they just don't realize how many there are.  

wow, deja-vu !

A few years ago I went into a large SSI infrastructure undergoing
reconfiguration where the cluster nodes were named along the lines of
biscuits, pizzas, vegetables, sweets (candies), types of mud/dirt, grit,
etc etc  - it made no sense until I came across a README_NOC_OPS
document that clarified it all (paraphrasing):

Serviceable nodes are named after fragments known to be found in
Richard M. Stallman's beard.
At-risk, scheduled-for-pull or questionable throughput nodes are named
after fragments assumed to be found in Ballmer's shorts.

Both categories seemed at least 128-bit-space to me :)

Gord
--
Do you know? Don't you wonder?
What's going on down under you
We have all been here before, we have all been here before
-David Crosby




Re: NEED ANY LINK OR SAMPLE TEMPLATE FOR ROUTINE NETWORK (ISP) MAINTENANCE PLAN

2010-03-16 Thread gordon b slater
On Tue, 2010-03-16 at 12:03 +0300, sakthi vadivel wrote:
 Hi all,
 
 If someone have come across with this topic Network / preventive
 maintenance plan”, please offer me some url to obtain more info on this.
 
 Regards,
 
 sakthi
 

Maybe this will help / give some ideas about further reading:

http://www.ciscopress.com/bookstore/product.asp?isbn=1587132109


HTH :)
Gord

PS: maybe I got the wrong idea? - did you mean swap-out / fail-over
techniques? Live-working pre-emptive PSU replacement while on RPS?
Hot-site/cold-site switching for re-racking?   

--
kick me, I deserve it, I just can't help myself!




Re: Need advise for a linux firewall

2010-03-11 Thread gordon b slater
On Thu, 2010-03-11 at 11:00 -0500, Abdul Nazeer wrote:

 iptables, but if anyone has any other suggestion, I'd love to hear it.

PFsense (being FreeBSD-based, comes under your "other" category).
It uses the OpenBSD-based pf firewall, with a web-based GUI for almost
everything (except maybe console resets). Works for me in several
locations, some `heavy and high`.

One caveat for the current PFsense: traffic shaping in 1.2.3 release is
somewhat borked (1.2.2 works much better) and it doesn't work with more
than 2 interfaces, so 1 wan - 1 lan is OK.

Check out the user forums for specifics scenario gotchas if any.

There's a good (recent) book about it, covers 1.2.3 release, very good
it is too, with lots of help for multi-wan, VLAN, IPsec, etc etc. 
Routes Gigabit nicely with normal (pci-e or pci-x) hardware. Check out
the hardware sizing guide for examples.  
What I particularly like is the alias function, it makes working with
huge groups of IPs easy.
BGPd, etc are all available as packages - you can for example use
minicom to get CLI via the console port into a cisco ADSL router or
local SCADA kit

Been stable for me for a couple of years now, several instances

Oh, did I mention failover ? CARP

Me like :)


Gord
--
rockin ze bedroom 

Re: Need advise for a linux firewall

2010-03-11 Thread gordon b slater
On Thu, 2010-03-11 at 09:01 -0800, Marty Anstey wrote:

 +1 for pfsense. I've been running it for over 18 months with no problems
 whatsoever. It does everything I needed it to do, and quite a bit more.


actually, reading back on the nanog list for a few plays (playing
catch-up here) pfsense would have made a good contender for the "best
VPN appliance" thread :)

Gord

--
ALERT: kitchen-sensor-03 reports over-temp




Re: Cisco hardware question

2010-03-04 Thread gordon b slater
On Thu, 2010-03-04 at 16:46 -0700, Brielle Bruns wrote:

 fsck is not just for failing hard drives.  fsck is used any time you 
 want to check a disk (may it be ssd, optical, magnetic) for any kind of 
 errors or inconsistencies.  It's a standard part of any UNIX toolkit.
 
 On Linux systems with ext2/3, you'll see lost+found, which is where 
 stuff ends up if it can't be connected to an actual file entry.  Sounds 
 exactly like what those FSCK files are - DOS used to do this with scandisk.
 

beat me to it by a minute or two :)

I'd guess (from a *nix-yness background) that the appliance is set up to
automatically fsck a disk if it's dirty - `dirtiness` can be caused by
things like an unexpected power cut as well as nasty things like hardware
troubles. Appliances are prone to power pulls as they are usually
headless.
Some diskless appliances don't even bother to check, somewhat
dismayingly.

Not sure what the exact fs is on those boxes - anyone happen to know? -
but from experience, I wouldn't be worrying too much (though I'd be very
curious of course).

Gord

--
snort, snort, oink, oink

 




Re: Cisco hardware question

2010-03-04 Thread gordon b slater
On Thu, 2010-03-04 at 19:16 -0500, Ricky Beam wrote:
 It's a DOS FAT  
 filesystem.

h. hmm. FAT.  Ah well, there must be a reason I guess.
Not exactly what I'd choose for a high security snort box ;) 
But, horses for courses I suppose.

Yes, as others say, good idea to check the s/n's with Cisco directly. 
You can _never_ be _too_ careful, both security-wise and financially.
It's not exactly a cheap piece of equipment, service contracts and
licences considered (and I don't mean the GPL one haha )

You can't really blame the frontline reps for not knowing what a fsck
is, it's a new tech concept. Post-80's in fact. Oops, another boot-up pun
in there, sorry.
Humour aside, in fairness, I'm not sure an average rep would know much
about QNX dumps either.

*nix-y stuff puts you very close to the hardware and architectures. You
see it all fly by in the logs and dmesg. Companies like cisco probably
like to keep you at arms length from it.

In this case you don't see the hardware so much but you see the bottom
line of the invoice. That gives you all the right in the world to ask
deep probing questions whenever you find things like this. A good
manufacturer and supplier will answer them fully, though it may take
some time to find the right clued-up tech internally.  

eg: Until you use ZFS you'd never believe the error rates on seemingly
good hard drive systems, especially through high-end kit with
supposedly safe error correction. What you don't see doesn't worry
you. 

Gord
--
oink. oink. alert. oink. snort






Re: Locations with no good Internet (was ISP in Johannesburg)

2010-02-27 Thread gordon b slater
On Fri, 2010-02-26 at 19:20 -0500, Daniel Senie wrote:
 Hopefully someone will bother to cover the rural areas with cell
  service eventually.
 

I'm finding a fair number (about 40%+) of the tech-savvy
must-have-for-business-emails users here in very rural UK (out of reach
of RA-ADSL) are using/have used Lynx as their browser and Mutt as email
client, in some cases even when 3G (fringe reception only, possibly with
tropopausal involvement*) is sometimes reachable.

This only came to my attention last week when I noticed a strange
Mailer: header and kinda shocked me at first, so I quizzed the sender
further. They say that WAP-enabled sites are a non-starter for daily
use.

Worth looking into if the end-user can handle it in these situations. 
Rural DSL for them usually means Damn Small Linux - their joke not mine.


Gord

(* I'm not convinced about this - it fits their anecdotes, but I'm not
sure about the timing/latency issues of the RF-side )  

--
Explain to me again how pig's bladders may be employed to prevent
earthquakes






Re: [Fwd: [members-discuss] [ncc-announce] RIPE NCC Position On The ITU IPv6 Group]

2010-02-26 Thread gordon b slater
On Fri, 2010-02-26 at 09:40 -0600, Jorge Amodio wrote:
 I guess nobody needs ITU-T anymore, or do we ?

ZCZC 

well, from vague memory,  H.264, G711/729, H323, X.509 were/are ITU-T
standards - maybe X.25 too though I could have that one wrong.

I'll just sit on the fence: as an old radiocomms guy, I'd say ITU-_R_ is
still very relevant if you guys DON'T want to watch/listen N. Korean or
Bangladeshi TV/radio on your home Sat systems or car radios, to name a
couple of recently quoted countries  :)

But ITU-T? That's one for the VoIP guys to shout about.

de Gord





 




Re: Future timestamps in /var/log/secure

2010-02-26 Thread gordon b slater
On Fri, 2010-02-26 at 11:29 -0700, Brielle Bruns wrote:

 Isn't the timestamps inserted by syslog rather then the reporting 
 program itself?
 
that's my understanding also (clarification: syslogs of your server have
timestamps of your syslog server's time, IMHO)
eg: on my Debian systems I don't split the logging to /var/log/secure, I
can usually handle a large log OK, but it's easy enough to get the
authpriv* stuff to log to /v/l/secure if needed. So, my point is,
syslogd.conf tells syslogd where to put them, and it stamps the time for
each entry.

 What syslog do you use - classic (ie: sysklogd) or a modern one like 
 rsyslog?  It almost looks like the timezone got changed from local to 
 GMT or similar, then swapped back (as odd as it may sound).


On a cautionary note, I've seen tz-change shenanigans to mask
unauthorised access before, so it might be a good time to have a quick poke
around with a tinfoil hat on, just in case. Don't have a heart attack
though, not yet :)

Gord

--
this .sig space reserved by ITU-T pending clarification of intentions





Re: Future timestamps in /var/log/secure

2010-02-26 Thread gordon b slater
On Fri, 2010-02-26 at 10:55 -0800, Wade Peacock wrote:
 the proftpd line happened to be the next line in the log.  the
 next simular ssh lines looks like (duplicate removed)
 
 Feb 26 10:08:48 mx sshd[22165]: Did not receive identification string from UNKNOWN
 Feb 26 10:09:27 mx sshd[22261]: Failed password for root from 219.137.192.231 port 54111 ssh2

is it possible that a local user changed the time (maybe with a GUI app)
around the time of these attempts?

(failed attempts like this are normal for a machine hooked to the
internet without ACLs BTW, the problem is the strange timestamp for
the benefit of casual onlookers in the thread)

Gord

-- 
latest ITU-T declaration: all syslogs must show timestamps in Geneva
time




Re: Future timestamps in /var/log/secure

2010-02-26 Thread gordon b slater
On Fri, 2010-02-26 at 13:17 -0600, William Pitcock wrote:
 On Fri, 2010-02-26 at 11:29 -0700, Brielle Bruns wrote:
  Isn't the timestamps inserted by syslog rather then the reporting 
  program itself?
 
 The syslog message sent to the local unix socket (/dev/log
 or /dev/syslog) may contain a timestamp, in which case, that timestamp
 may be used instead of the local time.  As the syslog protocol defines
 that timestamps are localtime, without any specification of what
 timezone localtime actually is, the TZ environment variable of the
 application calling syslog() will affect the timestamp placed in the
 log.

aha! there you go, mine doesn't but maybe yours does?

Gord
--
tic toc
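The two points raised across this sub-thread (syslogd stamps each entry with the logging host's time, unless the caller supplies its own timestamp under a different TZ) mean a timezone change leaves no explicit record in the log, only a discontinuity in the timestamps. The script below is an added example, not code from the thread or from any of its posters: it walks BSD-style syslog lines in file order and flags entries that go backwards or jump forward, then checks whether the discontinuity is close to a whole number of hours, which is the fingerprint of a TZ change rather than a quiet log. The year, the slack and gap thresholds are assumptions, and the sample log is constructed, modelled on the sshd lines quoted above.

```python
"""Spot timezone-shift signatures in BSD-style syslog lines.

Added example; it is not code from the thread. Classic syslog lines carry
neither a year nor a timezone, so when the logging host's TZ changes (or a
caller hands syslog() its own timestamp under a different TZ) the only trace
is that successive entries stop being monotonic and the discontinuity is
close to a whole number of hours. The year and the thresholds below are
assumptions, and SAMPLE_LOG is constructed.
"""
import re
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<rest>.*)$"
)

# Constructed sample. Line 3 is the planted anomaly: three hours ahead of
# its neighbours, which is what a TZ flip from local time to UTC would do.
SAMPLE_LOG = """\
Feb 26 10:08:48 mx sshd[22165]: Did not receive identification string from UNKNOWN
Feb 26 10:09:27 mx sshd[22261]: Failed password for root from 219.137.192.231 port 54111 ssh2
Feb 26 13:09:31 mx sshd[22270]: Accepted password for root from 219.137.192.231 port 54120 ssh2
Feb 26 10:09:40 mx proftpd[22301]: session opened
"""


def parse_line(line, year):
    """Return (timestamp, host, message) or None for a line that is not syslog-shaped.
    The year is assumed constant for the whole file (no December/January rollover)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["rest"]


def looks_like_tz_shift(delta_seconds, tolerance=300):
    """True when |delta| is at least an hour and within `tolerance` seconds of a
    whole hour: the fingerprint of a timezone change rather than a quiet log."""
    d = abs(delta_seconds)
    if d < 3600:
        return False
    off = d % 3600
    return off <= tolerance or 3600 - off <= tolerance


def find_time_anomalies(text, year=2010, slack=timedelta(minutes=5), max_gap=timedelta(hours=1)):
    """Walk the log in file order and report entries that break monotonicity.

    Returns a list of (line_no, kind, delta_seconds, tz_like, line):
      kind 'backwards' : timestamp earlier than the previous entry by more than `slack`
      kind 'jump'      : timestamp later than the previous entry by more than `max_gap`
    Both edges of a shifted window get reported on purpose: together they
    bracket the interval whose entries were stamped under a different offset.
    """
    anomalies = []
    prev = None
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts = parsed[0]
        if prev is not None:
            delta = ts - prev
            secs = int(delta.total_seconds())
            if delta < -slack:
                anomalies.append((n, "backwards", secs, looks_like_tz_shift(secs), line))
            elif delta > max_gap:
                anomalies.append((n, "jump", secs, looks_like_tz_shift(secs), line))
        prev = ts
    return anomalies


if __name__ == "__main__":
    for n, kind, secs, tz_like, line in find_time_anomalies(SAMPLE_LOG):
        flag = " (whole-hour offset: check TZ/clock changes)" if tz_like else ""
        print(f"line {n}: {kind} {secs:+d}s{flag}\n    {line}")
```

A forward jump on its own proves little on a quiet host (an hour with nothing logged is normal), which is why the whole-hour test is reported separately: a jump and a matching step back, both near a multiple of 3600 seconds, is the pattern worth pulling the tinfoil hat out for. A few seconds of reordering from buffered writers is absorbed by `slack`.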





Re: 1.0.0.0/8 route from MERIT ?

2010-02-24 Thread gordon b slater
On Wed, 2010-02-24 at 14:21 -0500, Jim Popovitch wrote:
 2010/2/24 Alex H. Ryu r.hyuns...@ieee.org:
 
  Today I jumped into one of our routers, and I found that 1.0.0.0/8 is
  announced from AS237, which is MERIT.
 
 IIRC, there was an email/wiki/announcement last month about 1/8
 undergoing some testing soon.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt


extract from that, last update 22/feb/2010:


Prefix   Designation                    Date      Whois              Status [1]   Note
000/8    IANA - Local Identification    1981-09                      RESERVED     [2]
001/8    APNIC                          2010-01   whois.apnic.net    ALLOCATED
002/8    RIPE NCC                       2009-09   whois.ripe.net     ALLOCATED






Re: Email Portability Approved by Knesset Committee

2010-02-23 Thread gordon b slater
On Tue, 2010-02-23 at 10:53 +, Leigh Porter wrote:
 
 Just wait till customers start wanting to take their IP address with 
 them when they move...

Oh wow, I think I've still got a log (somewhere) of all the dialup IPs I
was assigned during the early 90s. Since I might be able to claim them
first under consumer legislation

This thread may be getting sillier by the hour, but it's got some
interesting suggestions tucked into it


Gord
--
currently drawing up a pre-emptive claim to about 88,234 AOL IPv4s and
several thousand Demon ones, tickety-tick-tick




Re: Email Portability Approved by Knesset Committee

2010-02-23 Thread gordon b slater
On Tue, 2010-02-23 at 09:34 -0500, Jeff Kell wrote:

 Well, clearly, the planet just needs to join Active Directory, and the
 user convert to Outlook, and use the Global Address List, and... 
 

Ahem! If they (M$) were to go back to the LDAP specs, they could save a
lot of time. They could even re-brand the new Global AD with a simple
sed one-liner and reduce time-to-market at the same time.

 [Sorry, I have heard that proposed by M$C** folks as a solution to just
 about everything else in the universe]

Yeah, any more corporate/political hot air and this thread will burn
up :)

Gord

--
Gah! Portability, schmortability. Meh









Re: Email Portability Approved by Knesset Committee

2010-02-22 Thread gordon b slater
On Tue, 2010-02-23 at 13:38 +1100, Mark Andrews wrote:
 In message 201002230227.o1n2radp021...@mail.r-bonomi.com, Robert Bonomi 
 write
 s:
  Quick!  Somebody propose a snail-mail portability bill.  When a renter 
  changes to a different landlord, his snail-mail address will be optionally
  his  to take along, just like what is proposed for ISP clients.
 
 You can pay for this redirection service if you want it.  Usually
 it is time limited and often not fully implemented.

But with snail-mail it usually "just works", uses existing proven
technology, provides a little extra revenue for the carriers, etc etc
etc

I just don't see any of the above happening with _this_ proposal.

Hmm, maybe 'proposal' isn't the correct word for it - by a long way.

I have a feeling it's going to be implemented in the following manner:

./great_idea.sh | bad_plan > /dev/null


Hey - maybe they should submit an RFC? :)

next up: State of Israel vs. SORBS et al.  ding-ding! 


Maybe I'm too pessimistic?


Gord






Re: log parsing tool?

2010-02-22 Thread gordon b slater
On Mon, 2010-02-22 at 18:14 -0600, Dale W. Carder wrote:
 Take a look at SLCT, also by Risto Vaarandi:
 
 http://ristov.users.sourceforge.net/slct/
 
 SLCT can parse huge amounts of logs very fast.  We use it to
 crunch firewall logs and also to find ports that are flapping
 excessively.

+1, SLCT definitely finds the needles in haystacks of huge syslog files


Gord

--
best viewed in mailx





Re: black listing of web traffic

2010-02-09 Thread gordon b slater
On Tue, 2010-02-09 at 17:04 -0500, Andrey Gordon wrote:
 Thx to all the folks replying off the list.
 
 The more I trouble shoot the more I'm convinced that it's not the sites that
 are doing rate-limiting. I went to a website of one of my previous employers
 (a small company). Chances of them having a fancy reverse proxy with some
 sort of black list filtering are slim to none, yet their site barely opens
 up as well.
 
 Must be something that either my firewall device is doing (which is what is
 doing the NATting) or I don't' know what else. I'm working with my firewall
 guy since f/w is his domain and I have no clue about that vendor of the
 firewalls (PaloAlto).
 
 Thanks all for the suggestions. I'll keep digging.
 

A few months ago I was involved in a hard-to-troubleshoot intermittent
problem similar to yours. I finally diagnosed a faulty or overloaded
state table somewhere in one of the cheap plastic routers they were
using. All problems ended when I replaced the cheap plastic stuff with
x86 hardware running pf or iptables, I forget exactly which
(irrelevant).

Could it be that you have some arp-poisoning going on? That was my first
thought in the above situation, but Wireshark showed otherwise. 
The clue to the state tables - it was mainly SSL/TLS that was getting
expired/dropped. 

Gord




Re: black listing of web traffic

2010-02-09 Thread gordon b slater
On Tue, 2010-02-09 at 17:44 -0500, Andrey Gordon wrote:
 What I don't get is why there is consistency in opening sites. Why does
 facebook open all the time and store.apple.com barely opens all the time.
 I'd say if it would be NAT exhaustion, they would all behave the same way
 meaning open and then not open and then open again.

My guess is the fault drives some SSL/TLS sessions through some
loadbalancers mad, but not all :)

Gord




Re: Adopt‐an‐Haitian‐Internet‐techn ician‐or‐facility

2010-02-08 Thread gordon b slater
On Mon, 2010-02-08 at 12:47 -0500, Steven Bellovin wrote:
 As a matter of form, how might one check out the legitimacy of requests like 
 this?  (No, I don't think this one is fake...)

(it isn't, for the benefit of any casual observers)

Technically, a `Very Good Point`. We'd all like to think we're not 

Discuss..

I'm thinking: a personally-known web-of-trust, for a start. NANOG is a
small, specialist community. I'm also thinking most are familiar with
PGP/GnuPG, so most if not all of us can provide proof, even if we don't
normally.

Gord
--
SNMPv1:Flawful Intercept :)





Re: Mitigating human error in the SP

2010-02-02 Thread gordon b slater
On Tue, 2010-02-02 at 12:26 +, gb10hkzo-na...@yahoo.co.uk wrote:

  Nothing in the IT / ISP / Telco world is ever going to be perfect, 
  far too complex with many dependencies.   Yes you might play in your 
  perfect little labs until the cows come home . but there always
  has been and always will be an element of risk when you start making
  changes in production.
  Face it, unless you follow the rigorous change control and development
  practices that they use for avionics or other high-risk environments,
  you are always going to be left with some element of risk.

Agreed.

I'd say that 10 minutes of checklist creation at the onset of a change
plan, then 5 minutes of checklist revision/debrief per day is time well
spent. After a couple of months attitudes to SOPs usually change.

_insert duplicate of aviation-style check-listing and human factors
reporting thread here_  


Gord

--
next thread: Stateful Firewalls vs Randy, round two, `ding-ding`
followed by: help - SORBS has me blacklisted, again
:)




Re: Strange Cisco 6503 problem

2010-01-29 Thread gordon b slater
On Thu, 2010-01-28 at 18:36 -0500, Steven Bellovin wrote:
 Actually, it's not at all surprising, but it depends on the UART or
 equivalent.

and the dynamic characteristics of the power rails, to a certain extent.

Sun kit is quite sensitive to this sort of thing.

Zonker has a good guide to what does what and what borks in his
conserver pages:

http://www.conserver.com/consoles/

as well as a bucketload of pinout info for console ports and console
servers in general.

The whole site is good reference for younger techies born in the USB
age ;)

Gord
--
I'm giving up the sigs - I'm on patches and gum.






Re: Emergency power generators

2010-01-21 Thread gordon b slater
On Thu, 2010-01-21 at 13:17 -0600, Joe Greco wrote:

 Seriously, talk to your vendor.  You can frequently get gear with 
 remote reporting, some of it will do dry contact or even talk RS232.
 If you can not, a lot of it can be measured anyways.
 
 If your gear doesn't support it, talk to generator service guys who 
 are well-thought-of in your area.  I'd place good odds that they'll be
 happy to outfit you with a computer-readable fuel level indicator, 
 oil pressure, remote test, etc., etc., though they may be smiling their
 way to the bank and thanking you for all the custom work.
 
 ... JG

a lot of places just use a linux or BSD SFF/mini-ITX with a webcam
grabbing a jpeg/png every few seconds or once a minute on a cron job,
pointed at the controls/gauges/meters. Just make sure the target area is
well-lit so the cam can see needles/gauges etc.

Accessed by SSH (=scp/sftp/sshfs) and not running X or even a
web/ftpserver, its pretty hard to pervert it for nefarious means. Much
better than IP webcams which seem to be a magnet for google-hackers. 

It's cheap and known-tech to most of us, but may require a shiny black
metal box (and a stainless bracket for the webcam) if the generator guys
don't like the idea at first. Great for monitoring electrical
breaker-boards, SAN hdd leds (using fast framerate grabs) or racks of
switches for pretty blinking lights (or the lack of). 

Of course if you already have an old server box lying nearby, you're
laughing. Make sure to buy a well-supported webcam for your
kernel/distro to avoid madness. About 30-40$US will get a  good one
usually, GIYF for supported models.
If you can get a RS232 fuel-gauge sender or enviro-sensors, you already
have a SSH-to-RS232 gateway ;)

Some SCADA gear is extremely expensive and a can of worms in its own
right. 

Gord




Re: Anyone see a game changer here?

2010-01-21 Thread gordon b slater
On Thu, 2010-01-21 at 23:19 -0600, James Hess wrote:
 On Thu, Jan 21, 2010 at 9:52 PM, Gadi Evron g...@linuxbox.org wrote:
 
 It is not as if there are a wealth of alternatives.   There are still
 many cases,  where IE  or MSHTML components are a pre-requisite,  to
 access a certain product  that is  important to the user.A
 canonical example,  would be:
 
 Intranet apps, web-managed  routers, switches, firewalls, or other
 network infrastructure that can only be administered using MSIE
 version 6 (ActiveX control, or old HTML relying on IE features) --
 probably devices with old software.
 Mail readers such as Outlook with  MSHTML components embedded.
 

Luckily, in the last 18 months especially, I've seen several different
corporate requirements tender specify __against__ these (huge) problems,
at least in non-US contracts. 

The first-hand argument I've heard for this is that it can actually
reduce the tendered proposal bottom line and TCO, quite the reverse of
what you would assume (probably by more lateral thinking by the Tenders).
Notably, ActiveX was proscribed, followed recently by Silverlight.

Certainly, the first firm to do it about 3 years ago has now written it
in to EVERY request as standard text. Granted these are only around
half-to-1M US$ tenders, but it's a (small) start.

If this actually improves the general market/quality/usability of
devices it's yet to be seen by me and my circle; maybe they are all just
niche companies. They use lots of Sun/EMC/Brocade and similar.

 Yet, I have to say that the kit they end up installing is much easier
to work with for Beasties and Tuxheads; far fewer VMs or Wine just to
use IE or some obscure app (to us, that is) so a much faster/more
familiar job-flow, and less gotchas/misconfigs. Still, no complaints
from MS trained/based engineers that I've heard of that get
contracted-in, this isn't super-uber-BOFH stuff. 

I was truly shocked the first time I read Standards Compliant and
BCPs/RFCs in a corporate acquisition tender pack, for sure. 

YMwillV. 

Gord
 






Re: OT: old farts recollecting -- Re: ASR1002

2010-01-20 Thread gordon b slater
On Tue, 2010-01-19 at 17:42 -0800, Bill Stewart wrote:
 Could the comment actually have been about pay telephones, which were
 once common in cities?
 

Good point Bill, which, if so, would place the comment at or about the
start of the cellfone introduction.

@Jim, maybe it's more a telco/2600 thing? 

None of my overnite greps through old saved chats/snippets came up with
anything remotely like it, sadly.

I tried a few gopher/archie searches but the system is in very poor
shape these days, a shadow of its early 90s usefulness. 

Maybe it was on Fidonet or similar?

Anyone else have any input? Please ask your old folks ;)

Gord 

 




Re: OT: old farts recollecting -- Re: ASR1002

2010-01-20 Thread gordon b slater
On Wed, 2010-01-20 at 03:35 -0500, Jim Mercer wrote:

 The telephone, for those of you who have forgotten, was a commonly used
 communications technology in the days before electronic mail.
 They're still easy to find in most large cities. -- Nathaniel Borenstein

Oh, the irony. A quote from Mr MIME himself :)

 i'm guessing this is before the mobile phone explosion.

...or before acoustic couplers were junked perhaps.









Re: ASR1002

2010-01-19 Thread gordon b slater
Inline (and diverse) replies, as it's more of a rant, but slightly
relevant to the list ops if not the OP topic:
 
1 - On Tue, 2010-01-19 at 15:50 +0800, NetYourLife2007 wrote (well, at
least his mailer declared itself to be...):
 Mailer: 
 Foxmail 6, 15, 201, 22 [cn]

Kenny's mail client may be slightly unfamiliar to most nanog users :)
Not sure if that's relevant but it may be a contributory factor.

Maybe the problem is that we're all too old and can remember what
headers are and what they're useful for, but developers of these
modern mail clients just want to hide all feature that even so much as
_look like_ they have come from a CLI client. 

For example, I know several otherwise competent people who glaze over
and fall asleep when I mention the Reply To: field.

2 - On Tue, 19 Jan 2010, Jim Mercer wrote:
 
  i still read most of my mail with mutt, but in my experience, many 
  modern interfaces (gmail/thunderbird/etc) don't make it intuitive to 
  find and/or read the headers.

agreed, after 18 month of trying to comply I still can't drive this
Evolution thing that most new Linux-on-the-Desktop users get as a
default install. I couldn't even find out how to bind the h key to
headers after a month of looking, for example. I live in hope for a Mutt
Bindings `extension`, if some developer can wake their grandparents for
some memories. 


  On Tue, 2010-01-19 at 09:50 +0100, Mikael Abrahamsson wrote: 

 In gmail you click show details and then there is a unsubscribe from 
 this mailing list-link you can click. Might not be perfectly intuitive, 
 but it's full functionality and quite easy.

Thank you, I've now (and only now) just found a similar thingy in this client.
18 months down the line... grrr
Yet just testing it, it works for nanog, but not for 2 other lists I'm in, with 
similar correct headers 8-{

Are we (or rather the developers) losing the plot? 
I think many of today's web-users may consider email old-fashioned, so if the 
new `app-for-that` culture doesn't provide  
easy/basic access to `old-fashioned` features, things may slowly turn into 
interface soup.

And while I'm ranting, why has my client suddenly borked into 132 column mode? 
sigh

Ahem
now, rant off/relevance on:
Prediction:
We may have to, in the coming years, for the above reasons and more, reduce the 
monthly FAQ posting to bi-weekly if the unsubscribe-to-(signal+noise) ratio 
increases significantly.
Or a single-line howto unsubscribe message biweekly. Or something. Meh.


de Gord
[in a bad, bad, depressive mood due to huge IMAP restore issues out of my 
control]

--
Sudo is prior art. 
Fools or thieves? You decide.








Re: OT: old farts recollecting -- Re: ASR1002

2010-01-19 Thread gordon b slater
On Tue, 2010-01-19 at 11:00 -0500, Jim Mercer wrote:
 for days now, i've been trying to remember a quotation, which i vaguely seem
 to remember popping up in trn/nn or some USENET newsreader of old, along
 the lines of:
 
 the telephone, once commonly available in cities, 
 
 or something like that.
 
 ring a bell for anyone?
 

I get the distinct feeling it's a quite from an obscure scifi novel/film
or MST3K style quote, though I could be wrong. It does ring a distant
bell, but I'm not so sure about on Usenet.
Maybe it was a Gopher thing?

This newfangled Googly-thing finds nothing - it'll never catch on.

Anyone got some old Winchesters lying around that need a spin? 





Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-12 Thread gordon b slater
Dymo-style solutions are somewhat lacking when it comes to some complex
boxes. 
Equipment configs, mods, firmware versions, etc can all be fitted onto a
nice big sheet that can be slipped back into the rack without much
problem in most pun cases /pun 

A nifty solution I often claim to have invented in the last century is
to spray-adhesive an A4 (or equivalent US size) plastic pocket/punched
pocket on the TOP face of the equipment before you slide it in, such
that a single piece of A4 just protrudes from the front of the rack when
you use a self-adhesive tab on its TOP edge. 

(the TOP 's above are emphasized, ignore them at your peril; in the
first pun case /pun the plastic will be destroyed the first time the
equipment is de-racked and in the second the tab will pull off easily.
Problems can be prevented by placing two tabs on the paper, one on each
side, exactly over each other.)

The trick, to ensure subsequent re-insertion (which is much harder than
it seems if you don't) is to also firmly stick a tab to the UPPER INSIDE
of the plastic wallet opening. To re-insert, gently lift the plastic tab
up.

All of this takes up under a millimeter and (unless the equipment
designer was drunk) doesn't affect ventilation. On rolling ships,
however, the papers require a bit of insulation tape across adjacent
case-fronts after each use.  

/end_stationery_geek_mode

pics off-list on request if that doesn't make sense.

Gord

On Tue, 2010-01-12 at 17:50 -0800, Bill Stewart wrote:
 A password recovery method I've found very frustrating is to use the
 serial number or similar value that's on a label on the bottom of the
 equipment.  It's just fine for desktop hardware - but for rack-mounted
 gear, it's not uncommon to find out that you need this information
 *after* somebody's racked and stacked the hardware, and therefore you
 either need to unscrew it (if it was screwed into the rack)




Re: SORBS on autopilot?

2010-01-11 Thread gordon b slater
On Mon, 2010-01-11 at 11:15 -0500, telmn...@757.org wrote:
  Anyone got some pointers on how to get off SORBS' Dynamic IP lists?
 
 Our solution was to find new IP space. It was hopeless.
 
 

me too; for 2 of my old (smaller sized) customers in the last 4 or 5
month. 
Nothing seemed to work and the immediate financial losses rapidly hit
over 10k Euros in both cases, so switching was by far the easier
option. 
I was amazed, but it definitely worked, I'll grant them that.

Both were normal and non-spammy setups, correctly configured and well
run by experienced netops. They just figured it was faster/safer
(financially) to move, all things considered.

Caused a panic at the time but until it happens again, 100% success :)

Gord

--
error: wit pool entropy approaching zero. system halted. again.





Re: Consumer Grade - IPV6 Enabled Router Firewalls.

2009-12-14 Thread gordon b slater
On Mon, 2009-12-14 at 00:58 -0800, Owen DeLong wrote:
 However, UPnP is, at it's heart a way  
 to allow
 arbitrary unauthenticated applications the power to amend your security
 policy to their will.  Can you possibly explain any way in which such a
 thing is at all superior to no firewall at all?
 
 I would argue that a firewall that can be reconfigured by any applet a  
 user
 clicks on (whether they know it or not) is actually less useful than no
 firewall because it creates the illusion in the users mind that there  
 is a
 firewall protecting them.

Well, for many years I've argued (since I read an early draft of the
proposal for uPnP ) that it really stood for
Unstoppable-Peek-and-Poke.
It scares the hell outta me, full stop, way more than the users
themselves - and they scare me a lot anyways.

Seems a good time to ask while everyone's thinking about it:
I wonder if anyone actually has first-hand experience of any el-cheapo
plastic home user routers (say sub-50$US) that are worth a look at for
low-end system trials?  Zyxel maybe?  I see Andrews & Arnold (in the UK)
sell them and seem to rate them quite highly, yet the price is, frankly,
a giveaway. Any thoughts? 
Ignoring, of course, the sad and embarrassing fact that much of the UK's
national telco backbone isn't v6 capable - a long (and buggy) story in
itself, once you start trying to implement practical v6 end-to-end )


Gord






Re: Linux shaping packet loss

2009-12-08 Thread gordon b slater
Apologies to all on handheld devices. If you're not into BSD or Linux TC
operationally, skip this post. Due to my usual rambling narrative style
for alternative troubleshooting I was going to mail this direct to the
OP but I was persuaded AMBJ by a co-conspirator to post this to list in
full.
#

@all with similar traffic shaping problems Googling in the future:  

On Wed, 2009-12-09 at 12:07 +1100, Simon Horman wrote:
 but trying to use much
 more than 90% of the link capacity

..though not directly relevant in this case, for lower speed links
and things like xDSL to the CPE that 90% must include protocol overheads
(you are getting close to bone in that last 10%) and _much_ more
affective (- that's A-ffective) things like actual modem sync speed.
It depends how the TC is calc'ed/applied of course. Just a general note
for a more CPE-oriented occurrence of this. So kids, if you're struggling
with your IPCOP in a SOHO shop with ADSL+PPPoE, this means you!


 Meanwhile, back at our level...

@all generally: do many of us use Linux TC at small-carrier level? I
know of a lot of BSD boxen out there that handle huge complex flows but
I suspect Linux kernel is less popular for this - or am I assuming
wrong? Personally I'd lean to BSD for big stuff and Linux on for CPE, am
I out of touch nowadays? 

 Fully back on topic from here on... 

@Chris - I've not used RED in any anger, sorry. Other than a typo in the
config for the affected queue (maybe an extra digit loose somewhere?),
things are definitely going to get complicated. 

Is something exceeding a tc bucket mtu occasionally? 


Chris ch...@ghostbusters.co.uk wrote:

My thoughts are that any dropped packets on the parent class is a bad
thing:

yes, generally speaking, but.


qdisc htb 1: root r2q 10 default 265 direct_packets_stat 448 ver 3.17
 Sent 4652558768 bytes 5125175 pkt (dropped 819, overlimits 10048800
requeues 0)
 rate 0bit 0pps backlog 0b 28p requeues 0

... in the above example, that loss rate is extremely low at 000.0159%
( 819 / 5125175 %) It may not be a representative sample, but I just
thought I'd check you hadn't dropped a few significant digits in a %loss
calc along the way :)  That level of loss is operationally insignificant
of course, especially for TCP.

As you are I'm sure aware, perfect TC through any box is pretty
specialist and usually unique to that placement. Without any graphical
output, queues and the like are extremely difficult to visualize
(mentally) under load (though for smaller boxes the RRD graphs in
pfSENSE are nicely readable - see below). 
Because of this I usually try to eliminate ~everything~ else before I
get into qdiscs and the nitty-gritty. As a natural control fr/geek I've
wasted far too many hours stuck in the buckets to no real improvement in
many cases.

Chris ch...@ghostbusters.co.uk wrote:
 I've isolated it to the egress HTB qdisc

good, though read on for a strange tale

You MUST make a distinction between TC dropping the packets and the
interface dropping the packets; I see in your later post a TC qdisc line
showing that tc itself had dropped packets, BUT it ALWAYS pays to check
at the same time (using ifconfig) that no packets are reported being
dropped by the interfaces as well. I've had 2 or 3 occasions where `TC
drops` were actually somehow linked to _interface_ drops and it really
threw me, we never did work out why. The interaction confounded us
totally.

IF the INTERFACES are ALSO dropping in ifconfig, THEN, and ONLY then,
you are into the lowest layer.


So, with that in mind and the sheer complexity of possibilities, here's
how I personally approach difficult BSD/Linux TC problems. Note that I
have zero experience or inclination towards Cisco TC:

Kick the tyres!
A lot of people mentioned layer 2 link-config problems, but as far as I
can see, no-one has suggested quickly yanking the cables and blowing the
dust off the the ends. 
Whenever I have to reach for a calculator or pen for a problem, I first
swap out the interconnects to reduce the mental smoke ;)   

Next, I check the NICs to see if they're unseated (if applicable), or
CPU (think: rogue process - use top) or even bus utilisation if you
have only 32bit PCI NICs in a busy box.

Next. does the box do anything else like Snort/Squid/etc at the same
time?

To eliminate weirdness and speed up troubleshooting if TC is acting
strange I'd run tcpdump continually from the very start of my
troubleshooting, dumping into small 10MB-ish files - use the special -C
option (split at a given file size) and the -W option to set about 100 files in
a ring buffer so that you have a decent history to go back through if
you need it, without clogging the filesystem of the box with TB of
packetdata :)
(splitting them into 10MB files at the start leads to fast analysis in
the shark, though you could carve up larger files manually I guess)

That way, if the TC hurts your brain run the dumps them through
wireshark's expert info filter while you have a coffee.

Re: Linux shaping packet loss

2009-12-08 Thread gordon b slater
On Wed, 2009-12-09 at 08:02 +0200, Bazy wrote:

 Hi Chris,
 
 Try setting txqueuelen to 1000 on the interfaces and see if you still
 get a lot of packet loss.
 

Yes, good point and well worth a try. Rereading Chris's post about
250Mbps and forty queues, the egress could well be bumping the end
of a default fifo line.

If 1000 is too high for your kit try pushing it upwards gradually from
the default of 100 (?) but back off if you get drops or strangeness in
ifconfig output on the egress i/f.

I append grep-ped ifconfig outputs into a file every hour on a cron job
until I'm happy that strangeness doesn't happen, they never do when
you're watching sadly. 

TC problems aren't always about the TC itself, the physical interfaces
are inherently part of the system, as my long rambling 5am+
up-all-night-over-ssh post about reseating NICs was trying to hint at.  

Nice one Bazy

Gord







Re: Linux shaping packet loss

2009-12-08 Thread gordon b slater
On Wed, 2009-12-09 at 06:38 +, gordon b slater wrote:
 If 1000 is too high for your kit try pushing it upwards gradually from
 the default of 100

meh! 6am+insomniac blues

for a Gigeth it's more likely to be 1000 already, so push it up to 1
in stages - you get the idea.





Re: Password repository

2009-11-19 Thread gordon b slater
On Wed, 2009-11-18 at 20:49 -0800, Darren Bolding wrote:
 Pwman

...which has the HUGE advantage of being CLI (so useable over SSH
sessions from network devices) and has tagging for searching large
databases of passes.  pwman3 is current version. For most OSs. 
I've even used it looped through a multitude of nested VTY+SSH+screen
sessions -  one of which was a Dropbear sshd and client on a 20$ plastic
CPE - to save my sorry *ss

For GUIs:-
Keepassx for most OSs, and Keepass2.x on MS Windows
Password Gorilla is a nice one for end-users, most OSs

Bruce's Passwordsafe format is a somewhat de-facto standard for
import/export. Keepass can do a lot of conversion for you. 
Some shops use rsync to distribute the masters and set them readonly at
filesystem - level though this tends to preclude regular rotation and
updating. 

Beware that some of the commercial offerings are trivially broken or
otherwise borked for work use. ymmv

Whatever you use dump the file to a flat file (crypted of course) and
save a statically linked version of the app for those wow - what
password app did we use way back in 2001? moments.

Print a copy every month or so and store securely offsite too - all the
usual caveats apply. Once you have a super-duper app for them you tend
to crank the pw complexity up to a level where no-one can remember
anything nor even recognise regular ones; it's mainly cut and paste,
especially if you use X.


Unless of course, the OP meant RADIUS pulling on LDAP, PAM, etc ? 

Gord

--
rommon 3  You have reached the gateway of last resort. Abandon hope all
ye who press enter here







Re: Layer 2 vs. Layer 3 to TOR

2009-11-15 Thread gordon b slater
On Fri, 2009-11-13 at 09:44 +0100, Tore Anderson wrote:
 * Jonathan Lassoff
 
  Are there any applications that absolutely *have* to sit on the same
  LAN/broadcast domain and can't be configured to use unicast or multicast
  IP?
 
 FCoE comes to mind.
 

and in a similar vein, ATAoE ; either Coraid stuff  or the the free
one in the Linux kernel. Its heavily used in some shops that use virtual
farms with SANS as it's cheap/free and works over existing hardware but
only at layer 2.

I even run it at home (!) - and it's a surprisingly easy way to have a
shelf of storage hanging off the back of a server, with 4GB of cache for
each set of 4 disks per box. Stand too close and you can feel the wind from it,
especially if RAIDed.

Depends if there's much call for VM-ing in your shop in the future?

Gord
--


