Tim's questions

I have a Cisco Catalyst 3560e switch, and I'm trying to learn how to work with ACLs. I've created a simple ACL and tested it by sending packets through the switch, and it seems to work. Some documentation indicates that I can see a count of the number of times an ACL is hit. A typical example (taken from a book) is:

PIX# sho access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 1024)
        alert-interval 300
access-list Inbound; 15 elements
access-list Inbound permit tcp any host web1. gad. net eq www (hitcnt=42942)
access-list Inbound permit tcp any host web1. gad. net eq ssh (hitcnt=162)
...

If I do the same thing on my switch I don't see the counters:

> sho access-list
Standard IP access list 1
    10 deny   10.0.0.2
    20 permit any

Are ACL counters supported on this switch? (How would I know, if not? I can't see anything about this in the release notes.) Am I missing some configuration?

I have a server that I've forgotten to upgrade for ages, which is still running Intrepid (8.10). I'd like to upgrade it to a newer version of the distribution, so that I can get security patches etc. I found some instructions that tell me to install the package update-manager-core. I tried the following:

$ sudo apt-get install update-manager-core

but this fails since some of the necessary packages can't be found:

...
Err http://archive.ubuntu.com intrepid/main python-apt 0.7.7.1ubuntu4  404 Not Found [IP: 91.189.88.40 80]
Err http://archive.ubuntu.com intrepid-updates/main update-manager-core 1:0.93.34  404 Not Found [IP: 91.189.88.40 80]
Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/p/python-apt/python-apt_0.7.7.1ubuntu4_amd64.deb  404 Not Found [IP: 91.189.88.40 80]
Failed to fetch http://archive.ubuntu.com/ubuntu/pool/main/u/update-manager/update-manager-core_0.93.34_amd64.deb  404 Not Found [IP: 91.189.88.40 80]
...

I know that Intrepid is no longer supported, and so I guess some of the necessary files may no longer be maintained. But this seems rather unhelpful: I can't upgrade because it's too old, and the only way to fix this would be to upgrade it. Is there a way round this? Is something else wrong?

I have a box running Mikrotik RouterOS, which is set up to do transparent web proxying, as described here.

In short, this means that I have a firewall rule for destination NAT causing any port 80 traffic to get redirected to port 8080 on the router, which is received by the Mikrotik local web proxy. The local web proxy then makes the web request on the client's behalf, in this case to a parent web proxy server (which in turn does the real web request).

My question is, how will this two-part process get reported in the logging of traffic flow information (netflow)?

Looking at the logged information, what I seem to be seeing is this:

• One flow recorded from client machine (private IP address) to remote proxy (8080)
• Another flow recorded from router to remote proxy (8080)

The original request that the client made to port 80 isn't recorded.

I want to write code to analyse traffic usage, so I want to be sure I'm not losing information if I discard the latter of these.

I am trying to set up a small linux system based on Gentoo on a VirtualBox machine, as a step towards deploying the same system onto a low-spec Single Board Computer. For some reason, my filesystem is being mounted read-only.

In my /etc/fstab, I have:

/dev/sda1   /         ext3    defaults    0 0
none        /proc     proc    defaults    0 0
none        /sys      sysfs   defaults    0 0
none        /dev/shm  tmpfs   defaults    0 0

However, once booted /proc/mounts shows

rootfs / rootfs  rw 0 0
/dev/root / ext3 ro,relatime,errors=continue,barrier=0,data=writeback 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
udev /dev tmpfs rw,nosuid,relatime,size=10240k,mode=755 0 0
devpts /dev/pts devpts rw,nosuid,noexec,relatime,gid=5,mode=620 0 0
none /dev/shm tmpfs rw,relatime 0 0
usbfs /proc/bus/usb usbfs rw,nosuid,noexec,relatime,devgid=85,devmode=664 0 0
binfmt_misc /proc/sys/fs/binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime 0 0

(the above may contain errors: there's no practical way to copy and paste)

The partition at /dev/hda1 is clearly being mounted OK, since I can read all the data, but it's not being mounted as described in fstab. How might I go about diagnosing / resolving this?

Edit: I can remount with mount -o remount,rw / and it works as expected, except that /proc/mounts reports /dev/root mounted at / rather than /dev/sda1 as I'd expect.

If I try to remount with mount -a I get

mount: none already mounted or /sys busy
mount: according to mtab, sysfs is already mounted on /sys

Edit 2: I resolved the problem with mount -a (the same error was occuring during startup, it turned out) by changing the sysfs and proc lines to

proc    /proc   proc   [...]
sysfs   /sys    sysfs  [...]

Now mount -a doesn't complain, but it doesn't result in a read-write root partition. mount -o remount / does cause the root partition to be remounted, however.

I have a RouterOS box set up to bridge two ethernet connections. I have use-ip-firewall=yes in the bridge configuration, so that the ports go through the firewall.

I've enabled netflow reporting via ip/traffic-flow, but the only packets I see reported are broadcast and multicast packets, not the packets that are flowing through the bridge. The documentation indicates that traffic flow logging happens after firewall processing and that it won't work with bridged connections by default, but I would have thought that use-ip-firewall=yes ought to address this.

Is it possible to make this work somehow?

The RouterOS docs show how to transparently proxy all web traffic via the HTTP proxy built into RouterOS:

/ip firewall nat 
add in-interface=ether1 dst-port=80 protocol=tcp action=redirect to-ports=8080 chain=dstnat 
/ip proxy
set enabled=yes port=8080

I'd like to run a proxy on another machine, so that I can take advantage of more sophisticated filtering rules available in Squid or the like. However, if I use NAT to redirect traffic to another machine running Squid it won't work, since the HTTP request will need to be rewritten in order to be a proxy HTTP request; just redirecting the traffic gives bad request errors from Squid.

I have two Windows 2003 servers, and I want to write a backup script on one that will copy a file to the other. What's the most idiomatic way to do this on Windows? Essentially, I'm looking for the Windows equivalent of

$ scp file.tar.gz user@host:/wherever

In response to questions: At the moment I'm only thinking about one file, a database backup. Potentially I might end up with multiple files, but I'm not that interested in rsync-like systems that track which files have changed and back up accordingly.

I'd like a solution that works with the servers on different networks, with firewalls in between. Opening up a single port on the firewall to a reasonably secure service ought not to be a problem.