memyself's questions

On my freebsd system I want to use port forwarding to distribute incoming traffic, based on the last digit of the source IP.

The following works on linux with iptables:

iptables -t nat -A PREROUTING -p tcp -s 0.0.0.0/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4431
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.1/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4432
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.2/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4433
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.3/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4434
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.4/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4435
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.5/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4436
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.6/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4437
iptables -t nat -A PREROUTING -p tcp -s 0.0.0.7/0.0.0.7 -d w.x.y.z --dport 443 -j DNAT --to-destination :4438

What it does is that the subnet mask is applied to the last digit of the ip address calculating the modulo value.

Now, how do I do this on freebsd with packet filter? I tried the following:

rdr log on vmx1 inet proto tcp from 0.0.0.1/7 to w.x.y.z port = https -> w.x.y.z port 4432 round-robin
rdr log on vmx1 inet proto tcp from 0.0.0.2/7 to w.x.y.z port = https -> w.x.y.z port 4433 round-robin

unfortunately the 0.0.0.1/7 and 0.0.0.2/7 values get translated to 0.0.0.0/7. Therefore my conditional port forwarding does not work.

Any advice on how to do this?

I've installed postfix-policyd-spf-python and configured the postfix integration according to the docs.

This is my policyd-spf.conf config file:

debugLevel = 1 
TestOnly = 0

HELO_reject = SPF_Not_Pass
Mail_From_reject = Fail

PermError_reject = False
TempError_Defer = False

skip_addresses = 127.0.0.0/8,::ffff:127.0.0.0/104,::1

Incoming emails from foreign mail servers get checked and flagged correctly. But when I check for spoof protection, somehow the emails go through:

$ telnet mail.example.com 25

Connected to mail.example.com.
Escape character is '^]'.
220 mail.example.com ESMTP Postfix
helo asd.somedomain.com
250 mail.example.com
mail from: [email protected]
250 2.1.0 Ok
rcpt to: [email protected]
250 2.1.5 Ok
data
354 End data with <CR><LF>.<CR><LF>
from: "ME" <[email protected]>
to: "test" <[email protected]>
subject: test

asdasd klajsdlaksjd 

thanks!
.

250 2.0.0 Ok: queued as 8C9EC1260E1

In my view, this email should NOT be delivered.

Here's the debugging output from postfix-policyd-spf-python:

policyd-spf[34414]: Found the end of entry
policyd-spf[34414]: Config: {'debugLevel': 5, 'HELO_reject': 'SPF_Not_Pass', 'Mail_From_reject': 'Fail', 'PermError_reject': 'False', 'TempError_Defer': 'False', 'skip_addresses': '127.0.0.0/8,::ffff:127.0.0.0/104,::1', 'TestOnly': 0, 'SPF_Enhanced_Status_Codes': 'Yes', 'Header_Type': 'SPF', 'Hide_Receiver': 'Yes', 'Authserv_Id': 'mail.example.com', 'Lookup_Time': 20, 'Whitelist_Lookup_Time': 10, 'Void_Limit': 2, 'Reason_Message': 'Message {rejectdefer} due to: {spf}. Please see {url}', 'No_Mail': False, 'Mock': False}
policyd-spf[34414]: Cached data for this instance: []

policyd-spf[34414]: skip_addresses enabled.

policyd-spf[34414]: _get_resultcodes: scope: helo, Reject_Not_Pass_Domains: None, helo_policy: SPF_Not_Pass, mfrom_policy: Fail
policyd-spf[34414]: Scope helo unused results: ['Pass', 'None', 'Temperror', 'Permerror']
policyd-spf[34414]: helo policy true results: actions: {'defer': [], 'reject': ['Fail', 'Softfail', 'Neutral'], 'prepend': ['Pass', 'None', 'Temperror', 'Permerror']} local {'local_helo': False, 'local_mfrom': False}
policyd-spf[34414]: spfcheck: pyspf result: "['None', '', 'helo']"
policyd-spf[34414]: None; identity=no SPF record; client-ip=xx.xx.xx.xx; helo=asd.somedomain.com; [email protected]; receiver=<UNKNOWN> 


policyd-spf[34414]: _get_resultcodes: scope: mfrom, Reject_Not_Pass_Domains: None, helo_policy: SPF_Not_Pass, mfrom_policy: Fail
policyd-spf[34414]: Scope mfrom unused results: ['Pass', 'None', 'Neutral', 'Softfail', 'Temperror', 'Permerror']
policyd-spf[34414]: mfrom policy true results: actions: {'defer': [], 'reject': ['Fail'], 'prepend': ['Pass', 'None', 'Neutral', 'Softfail', 'Temperror', 'Permerror']} local {'local_helo': False, 'local_mfrom': False}
policyd-spf[34414]: spfcheck: pyspf result: "['Fail', 'SPF fail - not authorized', 'mailfrom']"

policyd-spf[34414]: Fail; identity=mailfrom; client-ip=xx.xx.xx.xx; helo=asd.somedomain.com; [email protected]; receiver=<UNKNOWN> 


policyd-spf[34414]: Action: None: Text: None Reject action: 550 5.7.23

As we can see from the log files, the SPF check does return:

spfcheck: pyspf result: "['Fail', 'SPF fail - not authorized', 'mailfrom']"

however, the last line reads:

Action: None: Text: None Reject action: 550 5.7.23

Why is that? Why is the Action: None? In my view, the email should be rejected and not accepted by the server. What am I doing wrong?

I'd like to automatically monitor all ports on my switches and get notified whenever a port goes down. So far I have to connect to each switch manually and read out the disabled ports by hand:

show interfaces status err-disabled

I'd much prefer if ports that went down would get automatically reported to nagios. Based on my preliminary research, it appears that I need to configure snmp-traps.

My questions:

• what are the commands that I need to execute to automatically detect err-disabled events and send the switch name, port name (gigabitEthernetx/y/z) as well as the reason for the error (security violation, loop detected, etc) to nagios?
• do I need to configure this on each switch that belongs to a stack, or can I do this on a master switch?

I'm having strange ssh login issues, where the login for a user does work in general, but sometimes it doesn't. here's a failed login attempt:

Mar 28 14:49:55 hostname sshd[32247]: Invalid user sshuser from 172.16.1.19
Mar 28 14:49:55 hostname sshd[32247]: input_userauth_request: invalid user sshuser [preauth]
Mar 28 14:56:02 hostname sshd[29513]: pam_unix(sshd:session): session closed for user sshuser

which is strange, because the previous login attempts worked just fine:

Mar 28 14:49:04 hostname sshd[32117]: Accepted publickey for sshuser from 172.16.1.19 port 56766 ssh2
Mar 28 14:49:04 hostname sshd[32117]: pam_unix(sshd:session): session opened for user sshuser by (uid=0)
Mar 28 14:49:04 hostname sshd[32117]: pam_unix(sshd:session): session closed for user sshuser

As you can see, the previous login attempt by sshuser was successful just a few seconds before.

What could be causing these problems? sshuser is a network user that's pulled in via NIS. I do not see any timeout problems on either the client or the server.

With recent versions of Ubuntu, there's no /etc/X11/xorg.conf file being shipped anymore. That's good as long as you don't have a Nvidia graphics cards and you want to use multiple screens, in which case you have to allow normal users to write to /etc/X11/xorg.conf.

Now, given that Ubuntu doesn't ship a default /etc/X11/xorg.conf file, I can't chmod 666 it (no file to change permissions on).

If I try to ship a default xorg.conf file with puppet (and set the permissions accordingly so that normal user can overwrite that file), puppet will keep overwriting this file in case it changes from the shipped default.

So what are my options here?

1. Is there a way to ship a default file with puppet but tell puppet to not overwrite customized versions of that file?
2. Is there a way to tell the xorg-x11 package to create a default xorg.conf file?
3. Polkit?

any other options that I'm not aware of?

I have access to a small linux pool of around 20 computers. I'd like to come up with a simple and easy to configure solution that allows me to

• deploy the same configuration to new computers
• distribute software installs to all computers
• keep all computers in sync when it comes to installed software & configurations

I'm aware of Ubuntu's Landscape, but this solution is too expensive for me.

Right now I'm deploying new installs by hand and I manage the computers with cssh but this solution doesn't seem practical in the long run.

Deploying the same install onto new machines could probably be achieved by using PXE but how about the keeping systems up to date and properly configured part? Are there any easy to configure & use solutions out there? I'm aware of Puppet which seems too overblown to me, but maybe I'm wrong.

I'd be happy to hear from you about your solutions!

I have a network of linux clients and servers that are used for numerical computations; and I'm using NIS for user authentication. After a successful login, every user lands in her / his home directory (via NFS automount).

I have now a second set of linux clients that are not part of the compute machines above. I was thinking of setting up NIS for user authentication, ideally reusing the same usernames / passwords. However, since these are 'personal' desktop machines, it would make sense to have /home/username point to a local drive, instead of the NFS mounted /home from above.

One of the reason for having two different home directories is that I have quotas enabled for NFS homes. On a users 'personal' desktop however, the user should be allowed to store as much data in her / his home directory as (s)he needs.

So if there are no conceptual draw backs with this approach (please point them out to me if there are!), is there a way to automatically create the home directory on the desktop machines, once the first NIS login has been successfully?

I have a conceptual question:

I manage user accounts for local network access using Active Directory (let's call this network A). We use an external service provider for email accounts, who's also running Active Directory for account management (network B).

In this configuration, every user ends up with two usernames: one for the local network (A), and one for email (B). Let's call the usernames DOMAIN_A\username and DOMAIN_B\username.

I was wondering whether these usernames could be unified by creating a trust relationship between the two active directory servers? Is that possible? It seems to be right now, that the purpose of a AD trust relationship is only to allow users from network B to authenticate against their home AD while being on network A. Does a trust relationship also allow to connect / map AD accounts on different networks (different ADs), so that using a single username, will log the user into both network A and network B? That is, using DOMAIN_A\username as a long-in, I can login to both network A resources and network B resources? I this is indeed possible, how do you have to setup the mapping between DOMAIN_A\username and DOMAIN_B\username? The two ADs won't be able to guess which usernames belong to the same user.

EDIT: this website might have the solution. However it is still unclear to me.

I'm trying to install linux on a apple xserve 3,1 which comes with some strange raid controller that does not get detected by linux. lspci is telling me:

01:00.0 RAID bus controller: Apple Computer Inc. Device 008a (rev c8)

I am assuming that this is a qlogic raid controller, but none of the qlogic drivers work.

The only other output that I get on the command line that might be related to this controller is:

pci 0000:01:00.0: vpd r/w failed. This is likely a firmware bug on this device. Contact the card vendor for a firmware upgdate.

any hints on how to talk to this thing are welcome!

EDIT: I also tried to get vmware on this running, since the HCL states that xserve 3,1 is supported (http://www.vmware.com/resources/compatibility/detail.php?deviceCategory=server&productid=20234), however, the vmware installer doesn't see any hard drives either. This seems to be a known problem http://communities.vmware.com/message/1901726, http://communities.vmware.com/message/1817235

I have a NFS server running Linux and exporting a couple of shares. Both Linux and MacOS clients connect to the server, and while with the Linux clients I get ~ 75MB/s write speed, the MacOS clients only get ~ 25MB/s write speed (same file, same distance from server, same switch, etc ...).

What are possible reasons for this drastic difference in performance? I've already tried to tune the NFS connection on the Mac by editing /etc/nfs.conf

nfs.client.allow_async = 1
nfs.client.nfsiod_thread_max = 128

With these settings I'm at least up from previously 15MB/s to now 25MB/s. However, this is still sooo far away from what I get on the linux boxes.

How should I further debug this? Is there some special way that I should export these shares for macos?

Here's my /etc/auto_master in case you want to see the NFS options that I'm using:

/home   auto_home    -nobrowse,hidefromfinder,resvport,intr,hard,sloppy

EDIT: I know that this must be a NFS issues because I can copy files between the MacOS client and Linux NFS server with scp and there I get ~ 60MB/s.