Categories

Bluetrait
        Bluetrait
                Bluetrait
                    Coding
                    Geek
                    General
                    Videos
                    Solar
                    Coding
                    Geek
                    General
                    Coding
                        PHP
                        Bluetrait
                        PHP
                        Bluetrait
                        WordPress
                            Plugins
                        PHP
                        Bluetrait (Program)
                    Geek
                        Juniper
                        Cisco
                        IBM N2200 8363
                        PCs
                        Spam
                        IPv6
                        Apple
                        NetScreen
                        Internet
                    General
                        Uni

Thu, 15 Feb 2007 9:49 PM

IPv6 tunnel through IPv4 with a Netscreen

Michael Dale
I finally got an IPv6 tunnel going on my Netscreen SSG 5. So I thought I'd post the relevant configuration details here.


I'm currently running ScreenOS 5.4.0r3a0; there seems to be some WebUI bugs with IPv6 so it is best to do it via the command line.


Update: I just got a response back from JTAC. IPv6 is only supported on the ISG2000. So I'm unsure when/if it the WebUI bugs will be fixed.


Update2: IPv6 is now supported on the SSG 5 under screenos 6, the WEBUI bug has been fixed.


Background info:
  • Trust interface 10.0.0.254/22 - bgroup0

  • Untrust interface - bgroup2

  • IPv6 broker (broker.aarnet.net.au) - 202.158.196.131

  • IPv6 subnet - 2001:388:c021::1/64


The first step is to enable IPv6 on your Netscreen.


Type the following then save your config and restart the device:

set envar ipv6=yes



Now let's setup the trust interface:

set interface "bgroup0" ipv6 mode "router"

set interface "bgroup0" ipv6 ip 2001:388:c021::1/64

set interface "bgroup0" ipv6 enable

unset interface bgroup0 ipv6 ra link-address

set interface bgroup0 ipv6 ra transmit

set interface bgroup0 ipv6 nd nud



So we've setup my trust interface with the IPv6 subnet and autoconfiguration should be working.


Now let's setup a tunnel interface for the traffic to run through:

set interface "tunnel.1" zone "Untrust"

set interface tunnel.1 ip unnumbered interface bgroup2

set interface "tunnel.1" ipv6 mode "host"

set interface "tunnel.1" ipv6 enable

set interface tunnel.1 tunnel encap ip6in4 manual

set interface tunnel.1 tunnel local-if bgroup2 dst-ip 202.158.196.131



Now we'll setup a static route for IPv6 traffic to go through:

set route ::/0 interface tunnel.1 gateway :: preference 20



And finally we need to setup a policy to allow traffic out:

set policy id 77 from "Trust" to "Untrust" "Any-IPv6" "Any-IPv6" "ANY" permit log

set policy id 77



You may want to setup some policies to allow traffic in too.


That should be all you need to do.

Wed, 14 Feb 2007 8:07 PM

New Server

Michael Dale
Our web server died a few weeks ago, I was lucky enough to borrow a spare DL380 G1 from work. Although we still have it, I'm not sure if we'll be able to keep it.


So this new server is a DL360 G1 (1 rack unit):
  • Dual Pentium 3 1.266GHz (512K L2 Cache)

  • 256mb Ram (we will upgrade it if it goes into production)

  • 18gb SCSI HDD

  • 2 100mbit onboard nics


Here is what it looks like:
DL360

PCs

Sat, 03 Feb 2007 5:45 PM

Contacts - LDAP

Michael Dale
I finally setup LDAP on Kerio. I now have my contacts synced with webmail, mac address book and my phone. Awesome.

kerio-contact-sync


Anyone who uses our email server can now make use of this too.


The server (mail.lttd.net) allows secure LDAP connections on port 16360 (636 is the standard port but the mail server is also a domain controller, so that port is in use).


More details can be found in the Kerio User Manual:
http://download.kerio.com/dwn/kmsug6-en.pdf

Tue, 23 Jan 2007 11:24 AM

Akismet timeout, fixed?

Michael Dale
I think I've found the cause for Akismet not working as well as it should have.


The class I was using had a low timeout value; I've since increased this to 10 seconds, inline with the new Wordpress 2 plugin.


So hopefully that will improve the amount of spam being caught.

Fri, 19 Jan 2007 5:50 PM

Spam System Upgraded

Michael Dale
I'm testing out a new spam system I quickly wrote.


Hopefully now if you're either logged in or have posted before with the same email address your comment shouldn't be deleted.

New Spam System


I plan to add more tests (see post below) later.

Thu, 18 Jan 2007 6:37 PM

Spam

Michael Dale
Argh. Too much spam is getting through again; even with Akismet. So I'm in the process of writing a new spam class. The aim is to build a comment score (similar to email spam filtering programs) based on the following:
  • Email Address/Name/Website

  • Comment Body (number of links etc)

  • If the user is registered

  • If the user has successfully posted a comment before

  • white and black lists

  • response from akismet

  • how old and how many comments a post has


So hopefully I can cut down the spam.

Tue, 16 Jan 2007 2:30 PM

Servers Moved

Michael Dale
And that should be the last time for a while.


IP Addresses

Web: 202.129.82.194

Mail: 202.129.82.193


EDIT: Looks like some of our secondary DNS servers (rollernet.us) are having problems updating. I've just made some changes to try and fix it.


We've also just purchased an SSL Certificate for mail.lttd.net, so the primary mail server address will soon be mail.lttd.net.

Sat, 13 Jan 2007 9:58 PM

Juniper SSG 5

Michael Dale

We'll I finally got my new Juniper SSG 5 firewall (the replacement model for my old Netscreen 5gt).


I ordered it back in November, originally I was going to get the wireless version but they were still out of stock early this year so I ended up getting the base model (with 256mb of ram).


The main reason for the upgrade was that we'd run out of VPN tunnels (the 5gt did 10). The new version supports 25, plus it upgradeable to 40.

The SSG also has the following advantages over the 5gt (I'm comparing the base model 5gt and SSG 5):


  • 4000 sessions, up from 2000

  • 25 VPN tunnels, up from 10

  • Unlimited users, up from 20 (my 5gt has an upgrade to support 20 users)

  • 7 ethernet interfaces, up from 5 (plus they aren't limited in terms of zones like the 5gt).

  • DMZ support (we've just got a subnet so this should be useful)

  • Support for ScreenOS 6 which should be out this year

  • Faster (160mb firewall (from 75mb), 40mb VPN (from 20mb))

  • 256mb Ram, up from 128mb

  • 64mb Flash, up from 32mb

So the device is pretty much double everything that the 5gt is.


It also cost me double. I got the 5gt off ebay for $320, where as the SSG 5 new cost me $640. I got a really good price on it has Bryn was able to sign up as a Juniper reseller, the SSG 5 is about $1200 retail.


The main limitation of the old Netscreen 5gt was the port modes.


The port mode defines what zone (untrust, trust, dmz etc) each ethernet interface is in. Any time you needed to change this you were required to reset the device and config (see below).
Netscreen 5gt Port Modes.
Netscreen 5gt interface list

Where as the SSG 5 has something called bridge groups allowing you to easily change what zone each interface is in without resetting the device and/or config.


Much more useful if you're playing round with different network topologies (see below).
Juniper SSG 5 Bridge Groups


I've updated some of the IPSEC benchmarks to include both the SSG 5 and an old Netscreen 100 I picked up.


Tue, 09 Jan 2007 5:56 PM

Spam Server

Michael Dale
I found the following address in my logs. Looks like a spamming program. Feel free to try and take it offline.

http://serversinfo.org/VIP/master.php

EDIT: I've changed the message so it spams it own site, hopefully taking itself offline. The stop command didn't seem to work, so this is the next best thing.

EDIT2: Looks like the owner has password protected the area.