I love tomatoes
Ever since I used wireless access points/routers I've flashed them with custom firmware instead of the manufacturer provided. For a long time I used OpenWrt on my Linksys wrt54g and later on my Asus wl500-g Deluxe. After that I started using DD-WRT on my routers. It's a bit more user friendly than OpenWrt and I was always fooling around on OpenWrt so I broke it very often ;-) .
Some time ago I bought an Asus RT-N16 and directly installed DD-WRT on it. The RT-N16 is a great router and it has been running happily for a long time now. I recommend this router to everyone.
DD-WRT is a very nice product. I compiled my own ip6tables for it and was happily running an IPv6 tunnel on it. But with current releases the wireless somehow became unreliable. After playing around for some time with different settings I tried the official Asus firmware again. This fixed my problems, so it wasn't the router that was failing me. I have to say, the Asus firmware is quite nice... but it doesn't support IPv6.
Then I read about Tomato. I downloaded a nightly build from tomatousb.org and flashed it onto the router using tftp. After some quick configuration I already noticed the wireless seemed just as good as with the official Asus firmware. But the best part about the firmware is that it supports IPv6 out of the box, including IPv6 firewalling. You can just configure everything from the web interface. No more manually configuring my IPv6 tunnel and firewall from the command line after each new firmware release. /me very happy...
autofwd
While implementing IPv6 in my company network I also started looking for a replacement for fail2ban. Fail2ban is a tool which monitors log files looking for anomalies. When someone tries to brute force your sshd, fail2ban will notice and block the offender using iptables or whatever firewall you use.
Fail2ban has served me well the last couple of years, but it doesn't support IPv6 and the last release was on 7-9-2009, which is almost 2 years ago. This didn't give me the impression that IPv6 support would ever be implemented. But then again, I can be wrong...
I took a stab at writing my own implementation which would support IPv6 and started looking on freshmeat for similar scripts to see how they worked. Then I found a small Perl script called autofwd written by Arthur Corliss. I downloaded it to see if there was any usable code in there but quickly found out that it actually was the tool I was looking for. It's portable, so you can use any kind of firewall with it. I myself use shorewall and it took me only a couple of minutes to plug that in.
If you're looking for a flexible/portable fail2ban replacement I certainly recommend looking at autofwd. It doesn't have a homepage but you can get it here. I've created a Debian package which is available here.
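As an added example (not autofwd's code or the author's), this is the log-watching core such a tool needs once IPv6 is in play: parse sshd failures for both address families, count them per source, and pick iptables or ip6tables by address family, the way autofwd plugs into whatever firewall you run. The log lines are constructed and use documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample sshd log lines (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_LOG = """\
Jun  5 10:00:01 gw sshd[2210]: Failed password for invalid user admin from 2001:db8:1::20 port 51234 ssh2
Jun  5 10:00:03 gw sshd[2210]: Failed password for root from 192.0.2.10 port 51235 ssh2
Jun  5 10:00:04 gw sshd[2211]: Failed password for invalid user test from 2001:db8:1::20 port 51236 ssh2
Jun  5 10:00:05 gw sshd[2212]: Failed password for invalid user oracle from 2001:db8:1::20 port 51237 ssh2
Jun  5 10:00:06 gw sshd[2213]: Accepted publickey for roedie from 198.51.100.7 port 40000 ssh2
Jun  5 10:00:07 gw sshd[2214]: Failed password for root from 192.0.2.10 port 51240 ssh2
"""

# One pattern covers both "for root from ..." and "for invalid user x from ...".
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

def count_failures(log_text):
    """Counter of source address (ip_address object) -> failed login count."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))   # validates v4 and v6 alike
        except ValueError:
            continue  # not a literal address: never hand garbage to a firewall
        counts[addr] += 1
    return counts

def offenders(log_text, threshold=3):
    """Addresses with at least `threshold` failures, sorted as strings."""
    return sorted((a for a, n in count_failures(log_text).items() if n >= threshold), key=str)

def block_command(addr):
    """Choose the address-family-specific netfilter binary for a blocking rule."""
    tool = "ip6tables" if addr.version == 6 else "iptables"
    return f"{tool} -I INPUT -s {addr} -j DROP"

if __name__ == "__main__":
    for addr in offenders(SAMPLE_LOG):
        print(block_command(addr))
```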
IPv6 and politics (part 2)
Since the IANA IPv4 pool has been empty since 3 February, and since 25 November 2010 the government has been required to include IPv6 in its procurement and change processes, I was curious how far our political parties have come. Here is the nice list again: (-:
The-Gangreen-Gang:~ roedie$ host -t aaaa www.cda.nl
www.cda.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.cda.nl
www.cda.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.sp.nl
www.sp.nl has IPv6 address 2001:888:2000:1a::198
The-Gangreen-Gang:~ roedie$ host -t aaaa www.pvda.nl
www.pvda.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.pvv.nl
www.pvv.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.d66.nl
www.d66.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.groenlinks.nl
www.groenlinks.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.sgp.nl
www.sgp.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.christenunie.nl
www.christenunie.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.partijvoordedieren.nl
www.partijvoordedieren.nl is an alias for partijvoordedieren.nl.
The-Gangreen-Gang:~ roedie$ host -t aaaa partijvoordedieren.nl
partijvoordedieren.nl has no AAAA record
The-Gangreen-Gang:~ roedie$ host -t aaaa www.vvd.nl
www.vvd.nl has no AAAA record
After a good 10 months, only the SP has managed to become IPv6 enabled. Fortunately, since they were after all the instigators of the debate. Very neat. The only question I had left was: why no IPv6? So I looked into which parties could actually run IPv6. I didn't approach the providers in question, but quickly searched their websites and queried some DNS records.
CDA is hosted at w3s. On the website I couldn't find anything about IPv6, and I couldn't find any AAAA records either.
PvdA is hosted at ASP4all, a provider that likes to show how much it does for the government. Searching for IPv6 on the website turns up nothing, and there don't seem to be any AAAA records either. So probably no support.
PVV is with De Heeg. There isn't much to find on the website, and certainly nothing about IPv6; no AAAA records, so probably no support.
D66 chose WideXS. This provider has had IPv6 support for a long time, so D66 could simply become IPv6 enabled.
GroenLinks is with Prolocation, and this provider appears to be properly IPv6 enabled.
SGP and ChristenUnie are both with True. This provider also does IPv6, so there is no reason for these parties not to use it.
Partij voor de Dieren chose IS. I couldn't find any IPv6 support there.
The VVD has Vellance. It doesn't look like this provider does IPv6.
In a few months I'll take another look at the situation. So far the government doesn't seem to care much about its own rules. A shame...
Monitoring Netapp Filer with Nagios
I needed to monitor 3 NetApp filers with Nagios.
Since the filers are quite accessible through things like ssh, the web interface and SNMP, I didn't think it would be hard. But when doing a quick search I found this excellent Nagios plugin made by Sven Velt. It is available at http://people.teamix.net/~svelt/check_netappfiler/. It has saved me *lots* of time.
It even seems to be prepared for use with pnp4nagios too. I haven't tried this since I'm not using it.
One strange thing though... I can query all the filers with standard SNMP settings even with SNMP disabled on the filer(s). This surprised me a bit. It might be a bug, but I'm not sure.
Debian/Ubuntu not resolving domains with the .local tld
For some time I've been wondering why none of my Debian/Ubuntu workstations would resolve something like 'proxy.mycompany.local'. Simply resolving 'proxy' would work.
I already knew that .local is not a correct tld, but since Microsoft recommended using it when installing Active Directory, we used it. I never had any problems with it because most of the time I just use IP addresses when I need to access a server.
Now I installed a proxy server and a new mail relay server, so I started using them as proxy.mycompany.local and relay.mycompany.local. Then I found out that none of my Debian or Ubuntu workstations would resolve those addresses. At first I blamed the Microsoft DNS server for this. That's the easiest and most logical thing to do ;-). But Windows XP/Vista clients did resolve those addresses. Strange huh?
Then I started wireshark on my client. I did a query for proxy.mycompany.local and then there was.... an mDNS request instead of a normal DNS request?!?
This quickly led me to the conclusion that it was something avahi related, because that does all the zeroconf stuff on Debian/Ubuntu. Avahi seems to be configured to pick up any request ending in .local and make mDNS requests for it. This must be a problem for more people, because there must be loads of Microsoft networks out there ending in .local. I won't say this is a fault of the avahi guys, because it's also completely wrong to use .local as a tld.
My current solution is to simply disable Avahi on my workstations. On Ubuntu I just go to 'System -> Administration -> Services' and disable 'Multicast DNS Service Discovery' there. On Debian I just disable the startup of Avahi in /etc/default/avahi-daemon by setting 'AVAHI_DAEMON_START=0'.
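An added diagnostic (not from the original post) for the situation described above: on Debian/Ubuntu the hand-off to Avahi happens through libnss-mdns in /etc/nsswitch.conf, where `mdns4_minimal [NOTFOUND=return]` sits before `dns` on the hosts line and returns NOTFOUND for any .local name that mDNS cannot resolve, so the query never reaches the unicast DNS server. The nsswitch fragments below are constructed; the first mirrors the stock layout with libnss-mdns installed.

```python
# Constructed /etc/nsswitch.conf fragments: the first is the stock Debian/Ubuntu
# 'hosts:' line once libnss-mdns is installed, the second has the mDNS hook removed.
NSSWITCH_WITH_MDNS = """\
passwd:         files
hosts:          files mdns4_minimal [NOTFOUND=return] dns
networks:       files
"""
NSSWITCH_WITHOUT_MDNS = """\
passwd:         files
hosts:          files dns   # plain unicast DNS only
networks:       files
"""

def hosts_sources(nsswitch_text):
    """Ordered list of [source, actions] for the 'hosts:' line; an [action]
    token is attached to the source it follows, comments are ignored."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("hosts:"):
            continue
        sources = []
        for tok in line[len("hosts:"):].split():
            if tok.startswith("["):
                if sources:
                    sources[-1][1].append(tok)
            else:
                sources.append([tok, []])
        return sources
    return []   # no hosts line at all

def dot_local_goes_to_mdns(nsswitch_text):
    """True when an mdns* source sits before dns and stops the lookup on
    NOTFOUND: a name like proxy.mycompany.local is then answered (negatively)
    by Avahi and never reaches the unicast DNS server. An mdns source without
    [NOTFOUND=return] falls through to dns, so that case returns False."""
    for source, actions in hosts_sources(nsswitch_text):
        if source.startswith("mdns"):
            return any(a.lower() == "[notfound=return]" for a in actions)
        if source == "dns":
            return False
    return False

if __name__ == "__main__":
    for label, text in (("with mdns", NSSWITCH_WITH_MDNS), ("without mdns", NSSWITCH_WITHOUT_MDNS)):
        verdict = ".local captured by mDNS" if dot_local_goes_to_mdns(text) else ".local goes to DNS"
        print(f"{label}: {verdict}")
```

Running it against the real file is `dot_local_goes_to_mdns(open("/etc/nsswitch.conf").read())`; it only reads the file and changes nothing.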
VLAN with Debian (Part 2)
There's another way to create vlan interfaces with Debian/Ubuntu. It's even shorter than the previous example. Just add the following to /etc/network/interfaces:
auto eth0.10
iface eth0.10 inet static
    address 10.0.0.2
    netmask 255.255.255.0
    gateway 10.0.0.1
Just make sure you did 'apt-get install vlan' or something like that.
VLAN with Debian
It's just that I can't remember how to make VLANs with Debian. I always have to re-invent the wheel or look at old configs which are never where I think they are... So... Here it is, so I don't have to remember it, and maybe some other people will find it useful.
In /etc/network/interfaces you add the following:
# Vlan 10
iface vlan10 inet static
    address 10.0.0.2
    netmask 255.255.255.0
    gateway 10.0.0.1
    vlan_raw_device eth0
This will add vlan10 to interface eth0. It's so easy but I just cannot remember it when I need it.
keepalived 1.1.15
I've backported keepalived from Debian Lenny to Etch (4.0). Both i386 and amd64 are available for download here. There was no need for changes from the original package, only a recompile.
I'm thinking about packaging feedbackd and using it together with keepalived to adjust the weight of realservers at runtime. I'm not sure if it's feasible; otherwise I will write my own poor man's implementation.
Monitoring with Nagios 3
Because the release of Nagios 3.0 is coming closer, I wanted to have a look at it. I found some nice packages on the blog of Sven Velt. Those packages are for i386 only and I needed amd64 packages. I just took the sources and recompiled them for the amd64 architecture. You can get them here. I take no credit for the packages because I merely compiled them.
Nagios 3 looks good. It has some nice new features like the multi-line output for plugins. This will likely make it possible to run more checks with less stress on the Nagios server. I'll post more when I find more nice features :-)
