// post · 589

IPv6 tunnel through IPv4 with a Netscreen

I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.



I'm currently running ScreenOS 5.4.0r3a0; there seem to be some WebUI bugs with IPv6, so it is best to do it via the command line.



Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000, so I'm unsure when/if the WebUI bugs will be fixed.



Update 2: IPv6 is now supported on the SSG 5 under ScreenOS 6; the WebUI bug has been fixed.



Background info:
  • Trust interface 10.0.0.254/22 - bgroup0
  • Untrust interface - bgroup2
  • IPv6 broker (broker.aarnet.net.au) - 202.158.196.131
  • IPv6 subnet - 2001:388:c021::1/64
The first step is to enable IPv6 on your Netscreen.



Type the following, then save your config and restart the device:


set envar ipv6=yes


Now let's set up the trust interface:


set interface "bgroup0" ipv6 mode "router"
set interface "bgroup0" ipv6 ip 2001:388:c021::1/64
set interface "bgroup0" ipv6 enable
unset interface bgroup0 ipv6 ra link-address
set interface bgroup0 ipv6 ra transmit
set interface bgroup0 ipv6 nd nud


So we've set up the trust interface with the IPv6 subnet in router mode, and with router advertisements being transmitted, autoconfiguration on the trust side should be working.



Now let's set up a tunnel interface for the traffic to run through (6in4, i.e. IPv6 encapsulated in IPv4 protocol 41, with the broker as the fixed endpoint):


set interface "tunnel.1" zone "Untrust"
set interface tunnel.1 ip unnumbered interface bgroup2
set interface "tunnel.1" ipv6 mode "host"
set interface "tunnel.1" ipv6 enable
set interface tunnel.1 tunnel encap ip6in4 manual
set interface tunnel.1 tunnel local-if bgroup2 dst-ip 202.158.196.131


Now we'll set up a static default route so that all IPv6 traffic goes through the tunnel:


set route ::/0 interface tunnel.1 gateway :: preference 20


And finally we need to set up a policy to allow traffic out:


set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log
set policy id 77


You may want to set up some policies to allow traffic in too; without them, inbound connections to hosts on the Trust side are dropped by default.



That should be all you need to do.
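As an added example (not from the original post or from Juniper), here is a small Python checker for the kind of 6in4 traffic the tunnel above carries. It decapsulates an IPv4 protocol-41 packet, pulls out the inner IPv6 header, and flags packets that are inconsistent with the post's setup: an outer destination other than the broker 202.158.196.131, or an inner source outside the delegated prefix 2001:388:c021::/64 (the kind of thing an egress policy should never let out). The outer local address 203.0.113.5 and the packets themselves are constructed test data; `build_6in4`, `decap_6in4` and `check_outbound` are names chosen here.

```python
"""Decapsulate and sanity-check 6in4 (IP protocol 41) packets.

Added example, not the post's own code. Uses only the standard library so it
runs offline against constructed packets.
"""
import struct
import ipaddress

# Values taken from the post's background info.
BROKER_V4 = ipaddress.IPv4Address("202.158.196.131")
LOCAL_PREFIX = ipaddress.IPv6Network("2001:388:c021::/64")
PROTO_IPV6_IN_IPV4 = 41   # "ip6in4" in ScreenOS terms

IPV4_HDR = "!BBHHHBBH4s4s"   # 20 bytes, no options
IPV6_HDR = "!IHBB16s16s"     # 40 bytes


def build_6in4(outer_src, outer_dst, inner_src, inner_dst, payload=b""):
    """Construct a minimal 6in4 packet (constructed test data; checksums are
    left zero because the checker below does not validate them)."""
    inner_src = ipaddress.IPv6Address(inner_src)
    inner_dst = ipaddress.IPv6Address(inner_dst)
    # IPv6: version 6, payload length, next header 59 (no next header), hop limit 64
    ipv6 = struct.pack(IPV6_HDR, 0x60000000, len(payload), 59, 64,
                       inner_src.packed, inner_dst.packed) + payload
    # IPv4: version 4 / IHL 5, total length, TTL 64, protocol 41
    ipv4 = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(ipv6), 0, 0, 64,
                       PROTO_IPV6_IN_IPV4, 0,
                       ipaddress.IPv4Address(outer_src).packed,
                       ipaddress.IPv4Address(outer_dst).packed)
    return ipv4 + ipv6


def decap_6in4(packet):
    """Parse the outer IPv4 and inner IPv6 headers; raise ValueError if the
    bytes are not a well-formed 6in4 packet."""
    if len(packet) < 20:
        raise ValueError("short IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("outer packet is not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != PROTO_IPV6_IN_IPV4:
        raise ValueError(f"outer protocol {proto} is not 41 (6in4)")
    inner = packet[ihl:total_len]
    if len(inner) < 40:
        raise ValueError("short IPv6 header")
    vtf, _plen, nxt, hlim, isrc, idst = struct.unpack(IPV6_HDR, inner[:40])
    if vtf >> 28 != 6:
        raise ValueError("inner packet is not IPv6")
    return {
        "outer_src": ipaddress.IPv4Address(src),
        "outer_dst": ipaddress.IPv4Address(dst),
        "inner_src": ipaddress.IPv6Address(isrc),
        "inner_dst": ipaddress.IPv6Address(idst),
        "next_header": nxt,
        "hop_limit": hlim,
    }


def check_outbound(packet, broker=BROKER_V4, prefix=LOCAL_PREFIX):
    """Return a list of problems for a packet leaving via the tunnel.
    An empty list means it is consistent with the post's configuration."""
    try:
        hdr = decap_6in4(packet)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if hdr["outer_dst"] != broker:
        problems.append(f"outer destination {hdr['outer_dst']} is not the broker")
    if hdr["inner_src"] not in prefix:
        problems.append(f"inner source {hdr['inner_src']} is outside {prefix}")
    if hdr["inner_dst"].is_link_local or hdr["inner_dst"].is_loopback:
        problems.append("inner destination should never cross the tunnel")
    return problems


if __name__ == "__main__":
    # 203.0.113.5 stands in for the untrust (bgroup2) address, which the post does not give.
    ok = build_6in4("203.0.113.5", BROKER_V4, "2001:388:c021::10", "2001:db8::1")
    spoofed = build_6in4("203.0.113.5", BROKER_V4, "fd00::1", "2001:db8::1")
    print("good packet:", check_outbound(ok))
    print("spoofed source:", check_outbound(spoofed))
```

Run it over a capture of the outer interface (one packet at a time) to confirm that only traffic sourced from the delegated /64 is being encapsulated towards the broker; anything else showing up is a sign the egress policy is wider than intended.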
// post · 588

New Server

Our web server died a few weeks ago, I was lucky enough to borrow a spare DL380 G1 from work. Although we still have it, I'm not sure if we'll be able to keep it.



So this new server is a DL360 G1 (1 rack unit):
  • Dual Pentium 3 1.266 GHz (512 KB L2 cache)
  • 256 MB RAM (we will upgrade it if it goes into production)
  • 18 GB SCSI HDD
  • 2 x 100 Mbit onboard NICs
Here is what it looks like:

[Image: DL360]
// post · 587

Contacts - LDAP

I finally set up LDAP on Kerio. I now have my contacts synced with webmail, the Mac Address Book and my phone. Awesome.



[Image: kerio-contact-sync]



Anyone who uses our email server can now make use of this too.



The server (mail.lttd.net) allows secure LDAP (LDAPS) connections on port 16360 (636 is the standard port, but the mail server is also a domain controller, so that port is already in use).



More details can be found in the Kerio User Manual:

http://download.kerio.com/dwn/kmsug6-en.pdf
// post · 583

Spam System Upgraded

I'm testing out a new spam system I quickly wrote.



Hopefully now, if you're either logged in or have posted before with the same email address, your comment won't be deleted.



[Image: New Spam System]



I plan to add more tests (see post below) later.
// post · 582

Spam

Argh. Too much spam is getting through again, even with Akismet. So I'm in the process of writing a new spam class. The aim is to build a comment score (similar to email spam filtering programs) based on the following:
  • Email address / name / website
  • Comment body (number of links, etc.)
  • Whether the user is registered
  • Whether the user has successfully posted a comment before
  • White and black lists
  • Response from Akismet
  • How old a post is and how many comments it has
So hopefully I can cut down the spam.
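As an added example (not the post's own spam class, which was never published here), the scoring scheme sketched above can be written as a small scorer where each signal adds or subtracts points and the total is compared with a threshold, the way email filters do. The weights, the threshold, and the names `Comment`, `Lists` and `score_comment` are assumptions chosen for illustration; the Akismet verdict is passed in as a value rather than fetched, so it runs offline.

```python
"""Comment spam scoring built from the signals listed in the post.

Added example, not the site's own code. Weights and threshold are assumed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


@dataclass
class Comment:
    name: str
    email: str
    website: str
    body: str
    registered: bool = False               # commenter has an account
    posted_before: bool = False            # same email already has an approved comment
    akismet_spam: Optional[bool] = None    # Akismet verdict; None if unavailable
    post_age_days: int = 0
    post_comment_count: int = 0


@dataclass
class Lists:
    whitelist: set = field(default_factory=set)   # emails or domains always allowed
    blacklist: set = field(default_factory=set)   # emails or domains always rejected


def score_comment(c: Comment, lists: Lists):
    """Return (score, reasons). Higher means more spam-like."""
    email = c.email.lower()
    domain = email.rsplit("@", 1)[-1]
    # Lists short-circuit everything else.
    if email in lists.whitelist or domain in lists.whitelist:
        return 0, ["whitelisted"]
    if email in lists.blacklist or domain in lists.blacklist:
        return 100, ["blacklisted"]

    score, reasons = 0, []
    # Identity: registered users and repeat commenters earn trust.
    if c.registered:
        score -= 3; reasons.append("registered user")
    if c.posted_before:
        score -= 3; reasons.append("approved comment before")
    # Name/website fields: a name that is itself a link is a classic tell.
    if URL_RE.search(c.name):
        score += 3; reasons.append("name contains a URL")
    # Body: one or two links are normal, more than that grows quickly.
    links = len(URL_RE.findall(c.body))
    if links:
        pts = min(links, 2) + 2 * max(links - 2, 0)
        score += pts; reasons.append(f"{links} link(s) in body")
    # Akismet: strong positive signal, weak negative one.
    if c.akismet_spam is True:
        score += 4; reasons.append("Akismet says spam")
    elif c.akismet_spam is False:
        score -= 1; reasons.append("Akismet says ham")
    # Old, quiet posts mostly attract bots rather than readers.
    if c.post_age_days > 90 and c.post_comment_count < 3:
        score += 2; reasons.append("stale post with little discussion")
    return score, reasons


def is_spam(c: Comment, lists: Lists, threshold: int = 5) -> bool:
    """Decision helper: True when the score reaches the threshold."""
    return score_comment(c, lists)[0] >= threshold


if __name__ == "__main__":
    lists = Lists(blacklist={"spammer.example"})
    # Constructed sample comments.
    regular = Comment("Alice", "alice@example.org", "", "Nice post, thanks.",
                      registered=True, posted_before=True, akismet_spam=False,
                      post_age_days=2, post_comment_count=4)
    bot = Comment("Cheap pills www.pills.example", "x@mail.example", "",
                  "see http://a.example http://b.example www.c.example https://d.example",
                  akismet_spam=True, post_age_days=200, post_comment_count=0)
    for c in (regular, bot):
        print(c.name, score_comment(c, lists), "-> spam" if is_spam(c, lists) else "-> ok")
```

The whitelist and blacklist deliberately override every other signal, which matches the list order in the post; everything else is additive so that a trusted commenter who happens to paste a couple of links is not silently dropped.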
// post · 581

Servers Moved

And that should be the last time for a while.



IP Addresses

Web: 202.129.82.194

Mail: 202.129.82.193



EDIT: Looks like some of our secondary DNS servers (rollernet.us) are having problems updating. I've just made some changes to try and fix it.



We've also just purchased an SSL Certificate for mail.lttd.net, so the primary mail server address will soon be mail.lttd.net.