SElinux policy for icmp checks
Many issues reported with scanning subnets and updating host statuses are related to SElinux being enabled. So far the solution was to completely disable SElinux, but this was more workaround than anything else. Robert was kind enough to share SElinux policy that should be used with phpipam if SElinux is enabled on your server.
Basically it permits the opening of raw IP sockets for non-root users, that are required for executing ping command.
1) Create the file http_ping.tt and add the following to it:
module http_ping 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
2) Run the following commands (as root user):
checkmodule -M -m -o http_ping.mod http_ping.tt semodule_package -o http_ping.pp -m http_ping.mod semodule -i http_ping.pp
brm
You must understand the fundamentals to be successful
I was speaking with a participant of the recent SDN event in Zurich after the presentations, and he made an interesting comment: whenever he experienced serious troubleshooting problems in his career, it was due to lack of understanding of networking fundamentals.
Read more ...Netvisor Analytics: Secure the Network/Infrastructure
We recently heard President Obama declare cyber security as one of his top priorities and we saw in recent time major corporations suffer tremendously from breaches and attacks. The most notable one is the breach at Anthem. For those who are still unaware, Anthem is the umbrella company that runs Blue Shield and Blue Cross Insurance as well. The attackers had access to people details, social security, home addresses, and email address for a period of month. What was taken and extent of the damage is still guesswork because network is a black hole that needs extensive tools to figure out what is happening or what happened. This also means the my family is impacted and since we use Blue Shield at Pluribus Networks, every employee and their family is also impacted prompting me to write this blog and a open invitation to the Anthem people and the government to pay attention to the new architecture that makes network play a role similar to NSA in helping protect the infrastructure. It all starts with converting the network from a black hole to something we can measure and monitor. To make this meaningful, lets look at state of the art today Continue reading
Lab: iBGP and OSPF Traffic Engineering
Click to enlarge
Here's the scenario: An enterprise network with an MPLS core and two branch locations connected to their own Provider Edge (PE) router. In addition to the MPLS link, the PEs are also connected via a DMVPN tunnel. The PEs are peering via iBGP (of course) and are also OSPF neighbors on the DMVPN. Both Customer Edge (CE) routers at the branch are OSPF neighbors with their local PE.
Task: Use the high speed MPLS network as the primary path between the CE routers and only use the DMVPN network if the MPLS network becomes unavailable.
Question: Is the solution as simple as adjusting the Admin Distance (AD) so that the iBGP routes are more preferred?
VMWare Player and VM Networking
VMWare Player is the Virtualization software/hypervisor provided free of charge by VMWare. Player is for personal use. Paid versions are available as VMWare Player Pro or VMWare Workstation. Following link covers the differences between different editions. I have used Virtualbox for most of my VM needs. There were few recent scenarios where I had to use … Continue reading VMWare Player and VM Networking
DNSSEC – Moving the Needle
The New Zealand ISP market is dominated by Spark, Vodafone & CallPus/Orcon. A side effect of this is that if one player does the Right Thing™, it really moves the needle. Recently, Spark has done the Right Thing with DNSSEC.
DNSSEC takeup has been low with New Zealand ISPs. The APNIC stats indicated that around 5% of users were using DNS resolvers that had DNSSEC validation capabilities. But in December 2014, that number jumped to ~15%:
It turns out this is because Spark has enabled DNSSEC validation on some of their resolvers. NZRS have done some analysis, and found that Spark turned on 4 new resolvers that do DNSSEC validation:
They’re still running their old resolvers, so right now it’s hit & miss for their customers. But it’s a great start, and presumably they’ll upgrade the remaining systems soon.
So Vodafone, CallPlus, Snap, Trustpower…when are you going to take customer security seriously too? And Spark…how long until DNSSEC is enabled for all your resolvers?
And please, no arguments about “we’re not sure if it will work.” Google has been doing it since March 2013…who do you think processes more DNS requests per day? Google, or your ISP?
Raytracing Quake demos
I decided to combine these two problems into one solution:
- Modern CPUs are idle way too much of the time. Why have all this computational power if we don’t use it?
- I have these funny old Quake demos that there’s no good way to convert to something playable.
My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.
Quake scene rendered in POV-Ray. Two more here and here.
Quake is closing in on 20 years old now, and it’s starting to get annoying to make it even work. Yes, it’s opensource, and there are a couple of forks. But they’ve also always been annoying to get working. Hell, even GLQuake in Steam won’t start for me. (yes, I know this is a bad reason, but I’m doing this for fun)
Many of the tools and resources are hard to find. I couldn’t find ReMaic, and only found lmpc thanks to FreeBSD having made it a package. Converting demos to an ASCII format using lmpc helped in confirming that my file parsing was correct.
The steps needed to render a demo:
- Extract .mdl files to .pov and .png (skin) files.
- Extract .bsp files to .pov Continue reading
Raytracing Quake demos
I decided to combine these two problems into one solution:
- Modern CPUs are idle way too much of the time. Why have all this computational power if we don’t use it?
- I have these funny old Quake demos that there’s no good way to convert to something playable.
My solution is to convert Quake .dem files to .pov files and render them with POV-Ray.
Update: New better screenshot:
Quake scene rendered in POV-Ray. Two more here and here.
Quake is closing in on 20 years old now, and it’s starting to get annoying to make it even work. Yes, it’s opensource, and there are a couple of forks. But they’ve also always been annoying to get working. Hell, even GLQuake in Steam won’t start for me. (yes, I know this is a bad reason, but I’m doing this for fun)
Many of the tools and resources are hard to find. I couldn’t find ReMaic, and only found lmpc thanks to FreeBSD having made it a package. Converting demos to an ASCII format using lmpc helped in confirming that my file parsing was correct.
The steps needed to render a demo:
- Extract .mdl files to .pov and .png (skin) files.
- Extract . Continue reading
A peek into the USM format
A peek into the USM format
A game that I really liked the visuals off, Crysis 3 uses a video file format called USM, This is a rather odd to me, since when I am used to pulling games apart for their assets, I am used to BINK video being used for th
OpenNSL – Thoughts
Recently, Broadcom has opensourced API for their network switching asic as part of OpenNSL project. I tried to dig little deep into what it really means and this blog is a result of that. What is really Opensourced? Following picture from Broadcom OpenNSL project clearly illustrates this: Following are some notes: OpenNSL is a layer … Continue reading OpenNSL – Thoughts
Show 229 – Network Break 32 – Juniper Innovation Showcase & More
Over-opinionated analysis on data network and IT Infrastructure. And virtual doughnuts.
Author information
The post Show 229 – Network Break 32 – Juniper Innovation Showcase & More appeared first on Packet Pushers Podcast and was written by Ethan Banks.
My mechanical keyboard
You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.
I spend a lot of time typing on a keyboard, yet I have never looked into what keyboard would be best for me. There are natural keyboards and kinesis keyboards that people speak well of, but I spend a lot of time typing on laptops and don’t want a completely different setup for laptop and desktop.
I had the same concern before switching to Dvorak back when I was a consultant (thus often using other peoples managed machines), but happily switched after verifying that even on a locked down Windows machine as a non-admin user I could select Dvorak. Also there are adapters from Dvorak to Qwerty that I could use in extremely locked down environments such as the CCIE lab (they required a doctors note though, long story).
So it would have to be a keyboard that looks like a normal one. Preferably with Dvorak on the keycaps. It seems that mechanical keyboards are all the rage, so I thought I’d give that a go.
I ended up buying a 88 key Cherry MX brown-based Continue reading
My mechanical keyboard
You spend all your waking time at a keyboard. This blog post is about keyboards, and can be summarized as: Buy quality, cry once.
I spend a lot of time typing on a keyboard, yet I have never looked into what keyboard would be best for me. There are natural keyboards and kinesis keyboards that people speak well of, but I spend a lot of time typing on laptops and don’t want a completely different setup for laptop and desktop.
I had the same concern before switching to Dvorak back when I was a consultant (thus often using other peoples managed machines), but happily switched after verifying that even on a locked down Windows machine as a non-admin user I could select Dvorak. Also there are adapters from Dvorak to Qwerty that I could use in extremely locked down environments such as the CCIE lab (they required a doctors note though, long story).
So it would have to be a keyboard that looks like a normal one. Preferably with Dvorak on the keycaps. It seems that mechanical keyboards are all the rage, so I thought I’d give that a go.
I ended up buying a 88 key Cherry MX brown-based Continue reading
Could Facebook be your next phone company?
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
Could Facebook or LinkedIn become the nexus for your voice calls and other communications? Not yet, but thanks to a technology known as WebRTC you can’t rule out the possibility.
WebRTC — the initials stand for Real Time Communications — is an open-source project that aims to transform the ordinary Web browser into a full-featured unified communications portal. With WebRTC, users establish real-time communication sessions from their browser, search, find and point to the servers of people they want to communicate with, and establish connections — all without needing to know the recipient’s phone number or email address.
To read this article in full or to leave a comment, please click here