blog.sarlok.com - Coffee!


Galaxy Bounce

On tonight's episode of Too Damn Late... Because fCensoredk sleep!


I haz moar gifs for yooou...


ShaZAM!



Work in a few hours. Gonna try that whole sleeping thing again naow.
Toodle-oo!

Vandalism

Got everything.sarlok.com moved out of my old IP range. Running pf directly off my VMs now, having retired my NAT box in the process.
Finally set up an SQL counter to replace the text file I was using for the legacy site. This should stop the counter from resetting to zero from colliding open/read/write operations. Added a dozen or so more gifs for giggles while I was at it.

Oh, yes... drowned about two dozen more poor souls quite by accident. In my haste to irrigate some new farm plots, I forgot I had inadequate floodgates in place. Everywhere it went - upstairs to the common room, down 20 stories to the underground caverns my militia were investigating.
On the upside, once winter came and froze the river solid, my farm plots were sufficiently irrigated, and the channels were cleared for floodgate placement.

Made a start on sorting my vacation photos. Might drop them in the gallery at some point if I can be bothered.

Dusted off my Apple developer account. Xcode has come a long, long way since the dawn of the so-called iOS. Busting things out is stupid easy.

Speaking of stupid... stupid iTunes. Can't get this song in Canada, just some stupid re-mix off a compilation album. Grr.
Thank god for Wiretap.


In The Sun

Nothing to see here.



Whatever Clever

Already up to 28.5 hours this week. Not bad for someone who works 7-hour days and doesn't work overtime anymore.
HAH!

Cutting services out of the old IP block I've been sitting on for yonks. Doing so has given me a chance to play with rdomains. Think Cisco VRF, but in the BSD flava.
Currently, I'm running two httpd processes off the same VM host, each listens on a separate interface with a different rdomain (need that default route). The theory being, when the *sarlok.com A records update, nothing noticeable will go wrong.
Since I'm also currently migrating to a new firewall as well, that extra default route comes in handy.
I expect I'll be staring down the barrel of some imperfect connectivity come the morrow, but so far everything checks out connecting between rdomains without any nasty NAT tricks or the like.
Especially since I'm stupid bloody tired, but that does limit one's comprehension.
qmail, minecraft, and all that funky jazz will undoubtedly be next.

Slightly related note, maybe it's the lack of sleep, but;
Mind = blown.

There Might Be Coffee

Well, so much for this weeke... this mon... this year.
Sleep schedule got shafted this weekend. Guess I know what I'm doing tomorrow.

Cue random junk:

Me: also, the routing table thing is kinda cool.
http://127.0.0.1:65535/Orion/NetPerfMon/NodeDetails.aspx?NetObject=N:5
though I worry slightly at regularly polling that much information via SNMP.
Me: HAH. mobage support request form includes an "Emotional State" drop-down box. I am amused by this.
Co-Worker: Heh
Co-Worker: How come A01 only has BGP neighbours?
Me: probably for the same reason A02 only has BGP neighbours
Co-Worker: How come $NEWFEATURE only half-assed works?
Me: Because "Feature".

Cue Cisco stuff:
Ran into the need to NAT traffic entering an 'outside' interface via a crypto map a while back. There were far more rational solutions to deal with this scenario, but, you know - the real world never has time for rational solutions.

In this case, ASA for SSL Mobility clients.
IPSEC Crypto-map from ASA to existing corporate gateway for LAN access (servers and junk). Could just NAT the ASA LAN traffic directly, but... real world, remember?
Traffic from 192.168.100.0/24 hits lo255 on R1, then gets NAT'd.
Cue visual aid:

Forgive the crudeness of the diagram. Diagramming on a laptop touch-pad and all that.

Since packets enter R1 from its 'ip nat outside' interface, it's too late to NAT them directly. Can't use a pseudo 'tunnel' interface because of the ASA...
So, punt them à la route-map to an 'inside' interface so that NAT can occur, and then they're sent back out the interface from which they came.
Using 'set ip next-hop 192.168.255.2' in the route-map, rather than 192.168.255.1, seemed to work, much to my surprise. I expect it has something to do with NAT order of operation, but I can't see why exactly.

Cue code:

hostname R1
!
crypto map gi0-0-out 10 ipsec-isakmp
  set peer 172.16.1.1
  set transform-set AES256
  match address 100
!
interface Loopback255
  description Loopback target for NAT hairpin
  ip address 192.168.255.1 255.255.255.248
  ip nat inside
  ip virtual-reassembly
!
interface GigabitEthernet0/0
  ip address 172.16.0.1 255.255.255.0
  ip nat outside
  ip policy route-map TELECOMMUTER-HAIRPIN
  crypto map gi0-0-out
!
route-map TELECOMMUTER-HAIRPIN permit 10
  match ip address HAIRPIN
  ! Still a bit fuzzy on this one, but I believe redirect to a host on lo255's subnet
  ! rather than the address, so the packets hit the 'interface'
  set ip next-hop 192.168.255.2
!
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!
access-list 100 remark ASA Interesting Traffic
access-list 100 permit ip 192.168.0.0 0.0.255.255 192.168.100.0 0.0.0.255
!
access-list 101 remark Don't NAT traffic to ASA LAN subnet, so it gets picked up by crypto map
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark Inside subnets to NAT
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
!
ip access-list extended HAIRPIN
  remark For route-map to NAT traffic arriving via ASA crypto map
  remark Don't punt LAN-to-LAN traffic
  deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
  remark Redirect everything else
  permit ip 192.168.100.0 0.0.0.255 any
!
end



Cue another YouTube video. The name "Porter Robinson" conjures up something completely different from this in my mind. Not sure why.

Babylon Rising

Well. Still awake, so here's some random chunk of Cisco config for that NAT thing I mentioned earlier.
Most of the examples I found in Cisco docs were for NAT inside VRF, outside global. My use case was the opposite - IP NAT inside global, outside VRF. In particular, an NMS needed access to an otherwise hidden network. Since it's a Windows-based NMS, relying on an IPSEC tunnel being up 24x7 seemed laughable, and also impractical in our case.
Plus, Windows... yeah.

ip vrf ThatVRF
  rd 172.16.0.0:1
!
ip nat source list GLOBAL-TO-VRF interface Vlan10 overload
!
ip access-list extended GLOBAL-TO-VRF
  permit ip host 10.10.10.1 172.16.0.0 0.7.255.255
!
interface GigabitEthernet0/0
  description Global to core
  ip address 10.11.128.1 255.255.255.248
  ip nat enable
!
interface Vlan10
  ip vrf forwarding ThatVRF
  ip address 172.16.180.2 255.255.255.248
  ip nat enable
!
! static to leak 172.16.0.0/13 into global at this hop
ip route 172.16.0.0 255.248.0.0 Vlan10
ip route 0.0.0.0 0.0.0.0 10.11.128.6
ip route vrf ThatVRF 172.16.0.0 255.248.0.0 172.16.180.1
!
end



I still needed to use the NVI trick à la 'ip nat enable' on the 3800 where this is running. Using explicit ip nat inside/outside on respective interfaces didn't seem to go for some reason, as I expected use of the NVI to only be for between VRFs.
The other caveat is having to leak routes into global for this to work, but there's not much else you can do (unless you do it properly in the first place). Statics à la interface routes seem pretty safe.
In production, policy-based routing gets the NMS traffic to this hop to prevent leaking routes any further beyond this point.
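As an added example (not from the original post), a small Python checker for the wildcard-mask ACLs in both configs above: it converts Cisco wildcards to prefixes and evaluates a source/destination pair first-match with IOS's implicit deny, so you can confirm offline which traffic the HAIRPIN route-map punts, which LAN traffic ACL 101 exempts from NAT for the crypto map, and which destinations GLOBAL-TO-VRF lets the NMS reach. The ACEs are copied from the configs in named-ACL line form (the 'access-list 101' prefix dropped); only the 'ip' protocol forms used there are handled.

```python
import ipaddress

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 is /24, 0.7.255.255 is /13."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)

def parse_ace(line: str):
    """Parse one 'permit|deny ip <src> <dst>' entry ('any', 'host A', 'A WILDCARD'); remarks -> None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, rest = tokens[0], tokens[2:]          # tokens[1] is the protocol ('ip')
    def take() -> ipaddress.IPv4Network:
        if rest[0] == "any":
            del rest[0]
            return ipaddress.IPv4Network("0.0.0.0/0")
        if rest[0] == "host":
            net = ipaddress.IPv4Network(f"{rest[1]}/32")
            del rest[:2]
            return net
        net = wildcard_to_network(rest[0], rest[1])
        del rest[:2]
        return net
    src = take()
    dst = take()
    return action, src, dst

def acl_lookup(acl_text: str, src: str, dst: str) -> str:
    """First-match evaluation, ending in IOS's implicit 'deny'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl_text.strip().splitlines():
        ace = parse_ace(line)
        if ace and s in ace[1] and d in ace[2]:
            return ace[0]
    return "deny"

# ACEs copied from the two configs above (named-ACL line form).
HAIRPIN = """
remark Don't punt LAN-to-LAN traffic
deny   ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.255.255
permit ip 192.168.100.0 0.0.0.255 any
"""
NAT_101 = """
deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
"""
GLOBAL_TO_VRF = "permit ip host 10.10.10.1 172.16.0.0 0.7.255.255"
```

Call acl_lookup(HAIRPIN, "192.168.100.5", "8.8.8.8") to see a client flow that gets punted to Lo255, versus a LAN-bound one that stays on the crypto path.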

So that should be mostly right. I'll consider correcting any errors after some sleep or something.

Wee.

Fel Del Av Garden

Enabled tags for blog posts. Should put together a tag cloud gadget for either of the left or right navigation columns.
Keep meaning to say something about IP NAT inside global to outside VRF... maybe someday.

I have nothing more to say.

Chasin' You Around

So. I had no internet from November to around Jan 7th, then sank deeply into "Zomg! Must get all this sh!t done before you leave work!" mode which left my blogging enthusiasm at an all time low.
That aside, here's a post. Yay. I've got some interesting-ish things to blog about, but maybe later.

Kekekekeke....

portcullis#ping ipv6 FE80::208:7CFF:FEDE:8838 source FE80::21E:F7FF:FED3:FA20
Output Interface: fastethernet0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::208:7CFF:FEDE:8838, timeout is 2 seconds:
Packet sent with a source address of FE80::21E:F7FF:FED3:FA20
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/1/4 ms
portcullis#

This loosely translates into: http://6.issurroundedbyidiots.net/
Too bad 99.95% of the internet consumers at large won't be able to reach it.

And now for something completely different.

Man of Constant Sorrow

Nothing of particular interest to say at the moment. More a quick test to see if my Drupal 5 DB is still functional after the upgrade staging from 5.x->6.x, 6.x->7.x after restoring from a backup.
Accidentally upgrading the production DB, for the record: not cool.

That said though, the upgrade went well enough. Some issues converting the image gallery DB - all the source and derivative images are 'known', but not actually linked to in generated pages. Groovy.

Yeah, I know... moar music videos à la YouTube - so sue me. I detect a strong hint of Justice and something else I can't quite put my finger on.


Nice Weather For Ducks

Was bored during lunch. Linked random_kitties/* to the legacy random image loader.
Let the good times roll.

May do something constructive enough to blog about soon, like actually finishing off my backup server and getting portcullis configured to retire zozu.
Or upgrading to Drupal6.
Or fix dspam.
Or upgrade my OpenBSD VMs to 5.2.

A co-worker told me about Evernote some time ago. The cost involved pushed it from my mind until recently. It's starred on the latest MacHeist Bundle, which makes it worth the price of admission.

Social Know-How

Sank a couple of hours into Dwarf Fortress this weekend. Up to my usual standard of slaughtering dwarves en-masse. Weekend highlights:
Scaly, horned, forgotten beast that spits poisonous clouds broke into the colony from the network of underground caves I unearthed. 1 casualty, 1 injury, who proceeded to spread miasma all over the colony for a few seasons.
Some 3 seasons later, a Giant Roc - the wings of death, 4 Casualties, 7 injuries
Just as my squads were regrouping from the Roc, a Goblin invasion force stormed through; 27 casualties, 12 injuries
One lone remaining goblin got 5 final kills in and several more maimings before eventually falling to a cage trap.
My once mighty military force and network of traps are all but depleted, by this point. But wait! There's more!
Cue Camoye Refearazi the mighty Minotaur! Finally taken down by my 2 remaining marksdwarves, who beat him to death with their crossbows. Casualties: 3 military, 18 civilians, and a countless number of injuries.
These events have had a considerably detrimental effect on my colony's morale. Close to half of the remaining population take turns throwing tantrums.
The upshot is that I have some 12 captive goblin prisoners to throw into the arena... just need to build the damn thing now, heh.

In other news... Was setting up a test device to run bulk TCP transfers and such on at one of our remote sites, and found that Mac OS X sends TCP packets with a 1448-byte payload.
Just one day prior, this was observed doing some other testing with an odd application-layer problem we've been running into. Didn't think about it too much at the time, but seeing it again while quickly testing ftp/http/sftp, etc., it got me thinking.
Not really going anywhere here, but I came across this article and found it to be fairly enlightening.

That said, hooray for sysctl; it seems to take effect immediately.

~ sudo sysctl -w net.inet.tcp.rfc1323=0

I expect it won't persist across reboots.
<plug>Not as though that's a problem with OSX.</plug>

Augh. Monday tomorrow already. Not looking forward to the morning at all.
'Fixing' untested, un-engineered circuits after they've been sold and put into production, for the record - not awesome. Gettin' right back into the 'ol routine somethin' fierce.

No video today. Trying to cut back.
Here, have this instead: The White Mink, Electro Swing Speakeasy.

Them Changes

Raining. It's been a while... since the spring at least. Tin roof over the porch amplifies the sound quite nicely.

Slowly, but surely, things are getting back to normal at the office.
...who am I kidding, they never changed. Still, it keeps my mind occupied at least, so that's something.

Ran into the "could not open control socket" problem I had with ftpd again recently. Found out what triggers it, but not why it happens.
Starting it with inetd, it seems it became unhappy when changing addresses or aliases on interfaces.

-----e@memnarch:~ $ grep ^ftp /etc/inetd.conf
ftp             stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -AUSdll

Killing/restarting and/or sending inetd a SIGHUP doesn't seem to do the trick for whatever reason, but calling ftpd directly works.
Will have to poke around on 5.1 or something to see if it still happens, but either way - simple enough fix.

Wee... this X-Com remake is shaping up to be pretty epic. I've never been a fan of the glam-cam though.

And now for something completely different...