Sometimes it is necessary to perform some actions on Squid (eproxy) on eSafe from the command line, for instance a quick stop-and-start of Squid or some debugging. The following options can be used in the CLI environment:
Usage: squid [-hvzCDFNRYX] [-d level] [-s | -l facility] [-f config-file] [-u port] [-k signal]
       -d level  Write debugging to stderr also.
       -f file   Use given config-file instead of /opt/eproxy/etc/squid.conf
       -h        Print help message.
       -k reconfigure|rotate|shutdown|interrupt|kill|debug|check|parse
                 Parse configuration file, then send signal to running copy (except -k parse) and exit.
       -s | -l facility
                 Enable logging to syslog.
       -u port   Specify ICP port number (default: 3130), disable with 0.
       -v        Print version.
       -z        Create swap directories
       -C        Do not catch fatal signals.
       -D        Disable initial DNS tests.
       -F        Don't serve any requests until store is rebuilt.
       -N        No daemon mode.
       -R        Do not set REUSEADDR on port.
       -S        Double-check swap during rebuild.
       -X        Force full debugging.
       -Y        Only return UDP_HIT or UDP_MISS_NOFETCH during fast reload.
For instance, when you want to stop and start Squid (to flush its DNS cache), you can use the following:
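A stop-and-start wrapper built from the -k options listed above, added here as an example and not taken from the original post. It uses the eSafe paths from the post for the binary and config file; the pid-file location is an assumption and can be overridden with the SQUID_PID variable.

```shell
#!/bin/sh
# Safe stop-and-start of the eproxy Squid: parse the config first, then ask the
# running copy to shut down, wait until it has really gone, and start a fresh
# daemon (which also starts with an empty DNS cache). Added example, not from
# the original post. Binary and config paths are the eSafe ones from the post;
# the pid-file location is an assumption, override it if yours differs.
SQUID=${SQUID:-/opt/eproxy/sbin/squid}
SQUID_CONF=${SQUID_CONF:-/opt/eproxy/etc/squid.conf}
SQUID_PID=${SQUID_PID:-/opt/eproxy/var/run/squid.pid}   # assumed path

squid_restart() {
    # 1. -k parse only checks the config file; it does not signal the daemon.
    #    Refusing to continue here means a typo cannot leave you without a proxy.
    if ! "$SQUID" -f "$SQUID_CONF" -k parse; then
        echo "squid_restart: $SQUID_CONF does not parse, proxy left untouched" >&2
        return 2
    fi
    # 2. Graceful shutdown of the running copy, then wait for its pid file to go.
    if [ -f "$SQUID_PID" ]; then
        "$SQUID" -f "$SQUID_CONF" -k shutdown || return 3
        waited=0
        while [ -f "$SQUID_PID" ]; do
            waited=$((waited + 1))
            if [ "$waited" -gt 60 ]; then
                echo "squid_restart: timed out waiting for shutdown" >&2
                return 4
            fi
            sleep 1
        done
    fi
    # 3. Start a new daemon with the same config.
    "$SQUID" -f "$SQUID_CONF"
}
```

Run it as root on the eSafe box with `squid_restart`; a non-zero exit code means the running proxy was left alone.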
With the release of eSafe Gateway 7.1, a new setup method was introduced: eSafe Proxy. Don't confuse it with eSafe Forwarding Proxy. The difference between the two is that eSafe Proxy comes with a Squid proxy (Aladdin named it eproxy) already installed, whereas eSafe Forwarding Proxy does not (it only ships the files!). The eproxy can be used as a parent proxy for the web scanning component of eSafe Gateway, with or without authentication against AD, LDAP, etc.
But when you choose the traditional eSafe Forwarding Proxy, eproxy is not activated and you have to do a few things to get it working. I wanted to enable eproxy so I could use it as a parent proxy for the web component of eSafe.
I used the following steps to enable eproxy:
The eproxy files are under /opt/eproxy. When I first started eproxy, I got the following output:
# /opt/eproxy/sbin/squid start
FATAL: No port defined
Squid Cache (Version 2.6.STABLE18): Terminated abnormally.
CPU Usage: 0.010 seconds = 0.000 user + 0.010 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 218
Aborted
So the first thing I had to do was change the port number Squid listens on in its config file (normally the default is used). The config file is located at /opt/eproxy/etc/squid.conf. Edit line 936 of this file by removing the # in front of http_port 3128.
Now eproxy can be started normally.
The only thing left is to make sure Squid is started when the eSafe server reboots. This can be done by creating a symbolic link under /etc/rc.d/rc3.d.
Recently I did a fresh install of CactiEZ 0.6. After I changed the timezone and time (synced to an NTP source), the graphs were no longer filled. Even the localhost graphs, which are installed by default, stopped working.
Here I sync with an NTP source:
[root@localhost /]# ntpdate pool.ntp.org
27 Mar 17:07:18 ntpdate[4602]: adjust time server 83.98.201.133 offset -0.025180 sec
After this, the graphs were no longer being filled. At first I had no idea what caused the problem, so I decided to set the logging level of the poller to DEBUG to see what was going wrong. This can be done in the Cacti console via Settings > Poller Logging Level > DEBUG.
Now, when I run a poller cycle, the following output is generated:
[root@localhost /]# php /var/www/html/poller.php
03/27/2009 05:14:04 PM - POLLER: Poller[0] NOTE: Poller Int: '60', Cron Int: '60', Time Since Last: '-20937', Max Runtime '58', Poller Runs: '1'
03/27/2009 05:14:04 PM - POLLER: Poller[0] NOTE: Cron is configured to run too often! The Poller Interval is '60' seconds, with a minimum Cron period of '60' seconds, but only -20937 seconds have passed since the poller last ran.
As you can see, the time since the last poll is a negative number! Somewhere a timestamp is stored from which the poller concludes that it must not run yet, and because the clock was changed, that timestamp is now in the future.
To solve this problem, you have to run the poller in forced mode:
Now the poller starts all over again with a new timestamp. You can see the timestamp is accurate when you launch the poller again:
[root@localhost /]# php /var/www/html/poller.php
03/27/2009 05:25:18 PM - POLLER: Poller[0] NOTE: Poller Int: '60', Cron Int: '60', Time Since Last: '17', Max Runtime '58', Poller Runs: '1'
03/27/2009 05:25:18 PM - POLLER: Poller[0] NOTE: Cron is configured to run too often! The Poller Interval is '60' seconds, with a minimum Cron period of '60' seconds, but only 17 seconds have passed since the poller last ran.
The ip helper-address command on a router is a commonly used command in multilayer switched networks. When you enable this command on a router interface (for instance an SVI on a multilayer switch), the following broadcasts are forwarded by default:
TFTP – port 69
Domain Name System (DNS) – port 53
Time service – port 37
NetBIOS Name Server – port 137
NetBIOS Datagram Server – port 138
Bootstrap Protocol (BOOTP) – port 67
TACACS – port 49
You can disable the services that you don't need with the following command:
Not so long ago I started using OpenSSL to manage my certificates and keys (generating CSRs, backing up key pairs in PKCS#12 format, etc.), so I decided to document some of the most-used commands. I use OpenSSL in a Cygwin environment. Installing Cygwin is easy, so that shouldn't be a problem. When you start setup.exe, you have to add the OpenSSL and OpenSSH components (or more if you want!). These can be found under the Net category.
Building a CA server
You may want to build your own CA server. I use the CA.pl script for this, which ships with OpenSSL. This can be done as follows:
Create a CA hierarchy:
$ CA.pl -newca
Complete certificate creation example: create a CA, create a request, sign the request and finally create a PKCS#12 file containing it.
$ CA.pl -newca
$ CA.pl -newreq
$ CA.pl -signreq
$ CA.pl -pkcs12 "My Test Certificate"
Signing a CSR
When you want to sign a CSR with your own CA, you can use CA.pl:
$ ./CA.pl -signreq
Using configuration from /usr/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number:
89:8a:c4:84:3e:62:7d:2c
Validity
Not Before: Nov 5 21:03:00 2008 GMT
Not After : Nov 5 21:03:00 2009 GMT
Subject:
countryName = NL
stateOrProvinceName = MyState
localityName = MyLocality
organizationName = MyCompany
organizationalUnitName = IT dept.
commonName = MyCert
emailAddress = user@mydomain.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
11:81:37:E5:0C:06:3C:FA:49:48:BE:A9:43:DC:63:42:62:E2:F3:3F
X509v3 Authority Key Identifier:
keyid:42:5B:D0:9B:7A:6C:20:A2:5D:41:54:56:2B:55:50:41:71:61:37:B0
Certificate is to be certified until Nov 5 21:03:00 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Create a PKCS#12 file containing the user certificate, private key and CA certificate. It expects the user certificate and private key to be in the file "newcert.pem" and the CA certificate in the file demoCA/cacert.pem, and it creates a file "newcert.p12". This command can thus be called after the -sign option. The PKCS#12 file can be imported directly into a browser. If there is an additional argument on the command line it will be used as the "friendly name" for the certificate (which is typically displayed in the browser list box); otherwise the name "My Certificate" is used.
$ ./CA.pl -pkcs12
Enter pass phrase for newkey.pem:
Enter Export Password:
Verifying - Enter Export Password:
PKCS #12 file is in newcert.p12
You can do all this in a more manual style with the openssl command. Here are some variants of this command:
With this variant, you will be prompted for a password to protect the key. If you don't want your key to be protected by a password, remove the '-des3' flag from the command line above.
If you created everything yourself, or if the certificate authority was kind enough, your certificate is raw DER wrapped in PEM format. Your key most definitely is if you have followed the examples above. However, some certificate authorities will encode them as PKCS#7, PKCS#12 or something else. Depending on your applications this may be perfectly OK; it all depends on what they know how to decode. If not, there are a number of OpenSSL tools to convert between formats.
So, depending on your application, you may have to convert your certificate and your key to various formats, often also putting them together into one file. I often use the PKCS#12 format. PKCS#12 files can be imported and exported by a number of applications, including Microsoft IIS. They are often associated with the file extension .pfx. To create a PKCS#12 file, you'll need a private key and a certificate. During the conversion process, you'll be given an opportunity to put an "Export Password" (which can be empty, if you choose) on the file.
By default, Cisco routers and switches periodically test their (Fast) Ethernet links by sending out loopback frames (EtherType 0x9000) addressed to themselves; call it an "L2 self-ping" if you will. In a switched environment this can be used to test the functionality of the switch and/or keep the router's MAC address in the switch's address table. Another thing these loopback frames do is check for a loop: if there is a loop in the network, the loopback frame comes back to the sending switch and the port is err-disabled.
The following picture shows a loopback frame; as we can see, SA = DA.
Recently I had a problem in a network which was caused by this loopback mechanism: when we tried to add a switch with redundant connections to the VTP domain, I noticed that the loopback mechanism had err-disabled all the uplink ports of a lot of edge switches! I couldn't reach my edge switches anymore and had to manually take these ports out of the err-disabled state. The following syslog message was generated on the switches:
ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on gig0/2
We activated the err-disable recovery mechanism to eliminate this problem. You can also disable keepalives on uplink ports with the no keepalive interface command.
Cisco has documented this problem as bug ID CSCea46385. Cisco says that starting with 12.2SE-based releases, keepalives are no longer sent by default on fiber and uplink interfaces.
The nice thing about working with Cisco is that you keep hearing about features you had never heard of before. This is also true for the following feature.
When you do a show run on, for instance, a Cisco router, you can press / to quickly search for parts of the config. This is nice when you have very large configs.
The following output shows me the configuration for port Gi13/18 on a Cisco switch without scrolling through the entire config!
switch#sh run
Building configuration...
Current configuration : 63114 bytes
!
! Last configuration change at 12:20:34 MET-DST Sat Sep 20 2008 by xxx
! NVRAM config last updated at 12:20:35 MET-DST Sat Sep 20 2008 by xxx
!
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service counters max age 5
!
hostname switch
!
enable secret 5 xxx
!
aaa new-model
aaa authentication login default local
aaa authorization exec default local
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 3:00
ip subnet-zero
!
! /13/18
filtering...
interface GigabitEthernet13/18
description server1
switchport
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10,11,12
switchport mode trunk
switchport nonegotiate
no ip address
Recently I wanted to sniff a packet stream that passed through an ASA firewall. Normally I would think of an external sniffer such as Ethereal, put it on a mirror port of the firewall port, and sniff the packets. But I found that I can do the same with the capture command on the ASA. Let's take a quick look at what the capture command is and how it works.
In short, these are the steps I walked through:
1) Create an ACL that will match interesting traffic
2) Define the capture and bind it to an access-list and interface
3) View the capture on the firewall, or copy it off in .pcap format
Here is my situation:
The ACL you have to create to match traffic is bound per interface. When you use the capture command in a troubleshooting scenario, the best thing to do is build a capture for both the inside and the outside interface, relative to the packet stream. In my situation, I want to sniff a web session from a workstation with IP address 10.1.1.10 to web server 62.69.184.129. The traffic is PATed to 192.168.10.2 (fictional).
Ever wanted to do something on a Cisco switch but couldn't, because the action would throw you out of the session? I had this recently when I wanted to activate a new SVI on a Catalyst 2950. Since only one SVI can be active at a time, I decided to do this with a macro. A macro can be stored on the switch and applied manually; when it is applied, you can be sure the script runs from beginning to end without interruption.
I used the following script:
macro name change_vlan
interface Vlan1
no desc
no ip address
shutdown
interface vlan250
description production
ip address 10.101.3.1 255.255.255.0
no shutdown @