David Ramsden – Network engineer, general geek, petrol + drum and bass head
10Jun/12

Editing Cisco IOS ACLs

If you've administered Cisco PIX or ASA security appliances, you'll know how easy editing ACLs is: to insert a new rule into an existing ACL you just specify the line you want it at. For example:

access-list outside_access_in line 12 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80


This inserts the rule at line 12 of the outside_access_in ACL, pushing the existing line 12 down to 13 and renumbering everything after it.

In Cisco IOS there's no obvious way to do this. A lot of the time people copy the ACL out, edit it in a text editor, "no access-list" the ACL and then paste the modified version back in. That does work, but it's risky when working remotely because it's easy to lock yourself out of the device. The ACL is still applied to the interface while you delete and re-paste it, and IOS rebuilds it one line at a time, so from the moment the first pasted line lands the ACL exists again and ends in the implicit deny: unless your management traffic is permitted by that first line, your session is dropped before the rest of the paste arrives. Removing the ACL from its interfaces before deleting it (and re-applying it afterwards) avoids this, but it's an extra step that's easy to forget. Whichever method you use on a remote box, "reload in 10" before you start and "reload cancel" once you've confirmed you still have access is a cheap safety net.

But you can edit an ACL in place on the IOS device itself. Named ACL configuration mode (ip access-list standard|extended) gives every entry a sequence number, and it accepts numbered ACLs as well as named ones. Let's create an extended ACL the classic way:

(config)# access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
(config)# access-list 100 deny ip any any log


If you view this ACL you'll notice that each entry carries a sequence number (10, 20, ... by default):

(config)#do sh access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log


Let's say you need to add another rule before the deny (sequence number 20); ACLs are evaluated top down with the first match winning, so a rule added after the deny would never be hit. Enter named ACL configuration mode for the extended ACL:

(config)# ip access-list extended 100


Now insert the new rule by prefixing it with a sequence number that falls between the existing ones (here, between 10 and 20). Nothing is deleted and the ACL stays applied to the interface throughout:

(config-ext-nacl)# 15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
(config-ext-nacl)# exit


If you view the ACL you'll see the new rule in position:

(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    20 deny ip any any log


What you can do now is resequence the ACL so that the sequence numbers are evenly spaced again, which leaves room for further inserts (two entries numbered 10 and 11 have no free number between them). Note that sequence numbers aren't saved in NVRAM: after a reload IOS renumbers the entries from 10 in increments of 10, so always check the current numbering with show ip access-list before inserting by number. For example, to start at 10 and go up in increments of 10:

(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
    30 deny ip any any log


If you want to delete a specific rule, remove it by sequence number and resequence again (here the entry at sequence 20, the port 443 rule, is removed):

(config)#ip access-list extended 100
(config-ext-nacl)#no 20
(config-ext-nacl)#exit
(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log
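As an added example (not part of the original post, and not Cisco tooling), the following Python script does the bookkeeping the procedure above asks of you: it parses the output of show ip access-list in the format shown, picks a free sequence number that places a new entry directly before a chosen existing entry, and emits the commands to apply the change in place. When the two neighbouring entries have no free number between them it emits the resequence first, which is the case that catches people out on a live box. The sample show output is constructed from the ACL used above, with a hit counter added as IOS prints them; the function names are my own.

```python
import re

HEADER_RE = re.compile(r"^(Standard|Extended) IP access list (\S+)\s*$")
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+((?:permit|deny)\b.*?)\s*(?:\(\d+ matches?\))?\s*$"
)

# Constructed sample: `do sh ip access-list 100` from the post, with the
# "(N matches)" hit counter IOS appends once an entry has seen traffic.
SAMPLE_SHOW = """\
Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log (1824 matches)
"""


def parse_acl(show_output):
    """Return (kind, name, [(seq, ace), ...]) parsed from show output.

    Entries come back in the order IOS evaluates them (ascending sequence).
    """
    kind = name = None
    entries = []
    for line in show_output.splitlines():
        header = HEADER_RE.match(line)
        if header:
            kind, name = header.group(1).lower(), header.group(2)
            continue
        entry = ENTRY_RE.match(line)
        if entry:
            entries.append((int(entry.group(1)), entry.group(2)))
    if kind is None:
        raise ValueError("no 'Standard/Extended IP access list' header found")
    return kind, name, sorted(entries)


def plan_insert_before(show_output, new_ace, before_seq, start=10, step=10):
    """Commands that place new_ace directly before the entry numbered before_seq.

    The ACL is edited in place: nothing is deleted and it never leaves the
    interface, so the implicit deny cannot drop a management session mid-edit.
    Returns (commands, resulting_entries).
    """
    kind, name, entries = parse_acl(show_output)
    seqs = [seq for seq, _ in entries]
    if before_seq not in seqs:
        raise ValueError(f"ACL {name} has no entry with sequence {before_seq}")
    idx = seqs.index(before_seq)
    commands = []
    prev_seq = seqs[idx - 1] if idx else 0
    if before_seq - prev_seq < 2:
        # Neighbours such as 10 and 11 leave no free number: resequence
        # first, which renumbers entry i to start + i*step.
        commands.append(f"ip access-list resequence {name} {start} {step}")
        seqs = [start + i * step for i in range(len(seqs))]
        prev_seq = seqs[idx - 1] if idx else 0
        before_seq = seqs[idx]
        if before_seq - prev_seq < 2:
            raise ValueError("step too small to leave a gap; use step >= 2")
    new_seq = (prev_seq + before_seq) // 2
    commands += [
        f"ip access-list {kind} {name}",
        f" {new_seq} {new_ace}",
        " exit",
    ]
    # Simulated result, so the ordering can be eyeballed before it is pasted.
    result = [(seq, ace) for seq, (_, ace) in zip(seqs, entries)]
    result.insert(idx, (new_seq, new_ace))
    return commands, result


if __name__ == "__main__":
    cmds, acl = plan_insert_before(
        SAMPLE_SHOW, "permit tcp host 1.1.1.1 host 2.2.2.2 eq 443", before_seq=20
    )
    print("\n".join(cmds))
    for seq, ace in acl:
        print(f"    {seq} {ace}")
```

Paste the emitted lines into config mode exactly as printed (the leading space on the entry line is just the indentation IOS itself shows), then confirm with show ip access-list that the simulated ordering matches the device.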


10Jun/12

Unable to Check Out Files, Create or Edit Pages in SharePoint

Recently I had an issue with a SharePoint site where, sometime over the weekend, the entire site broke and wouldn't let anyone check files out of document libraries, upload new files, or edit or create pages.

The Check Out option on files was completely missing. Options under Site Settings were completely missing. When users opened Word and Excel documents from document libraries and tried the Check Out option from there, they'd be repeatedly prompted for authentication. I spent a long time checking permissions within SharePoint, checking service accounts, using Wireshark etc but couldn't find the cause.

Eventually I happened to notice that the entire site was locked, in read-only mode. But how did it get like this? There are only four administrators that can do this and no one logged in over the weekend and made any changes. I then happened to read that as of WSS 3.0/MOSS 2007 SP2, when using the backup operation of stsadm, the site is automatically locked. Prior to SP2 it was only recommended that you did this. It's now enforced.

The problem appears to be that if the backup fails for whatever reason, the lock is never released and the site stays read-only. To check whether the site is locked:

stsadm -o getsitelock -url http://spsite


To unlock the site:

stsadm -o setsitelock -url http://spsite -lock none


If you read the Microsoft TechNet documentation for the setsitelock operation of stsadm, you'll notice that it does mention that backup now locks the site. You can force the backup not to lock the site (the -nositelock switch on stsadm -o backup). I've modified our backup routine so that a setsitelock operation is always run after the backup, regardless of whether the backup succeeded or not.

19Feb/12

Cage The 106

I was having a little break from doing anything more to the 106, but then a roll cage came up for sale and it was too good to pass up. It's a 6-point cage, in red, that fits around the sunroof and doesn't penetrate the dash. Every box ticked! Made by Geronimo Cages (Hartlepool), but I don't think they're in business anymore. The seller was just up the road and said he'd help fit it. Got it in within a couple of hours and I finished it off this weekend.

Not great pictures, thanks mostly to the daylight fading and using my iPhone. Excuse how unclean the bodywork is too. That's a job for next weekend.

Also replaced the fuel line that runs from the fuel filter, inside the car, through the bulkhead and to the fuel rail. Had a slight accident last weekend with a knife when initially fitting the cage.

What's next? I'd like to overhaul the brakes. There's too much going to the rear callipers, which makes the car "squirm" under heavy braking. So the plan is to run fully braided lines, have them run inside the car and fit a bias lever so that I can adjust the rear brake bias. On a dry track day the lever would be all the way forward so that the rears aren't doing anything. The problem comes about because the car is stripped out at the back and there's no load compensator on the rear callipers.

This year I'm hoping to get to Castle Combe and Silverstone. There's also talk of a trip to the Nürburgring...

2Feb/12

Virtual Hosting With mod_proxy

The other day I had someone ask if there's a nice solution to the following problem:

Multiple web development virtual machines but only one external IP address.

The quick solution is to port forward a different port to each virtual machine: 81 goes to VM1, 82 goes to VM2, 83 goes to VM3 and so on. Granted, that would work, but it isn't a "neat" solution.

Using mod_proxy under Apache is a much better solution to this problem.

Deploy a "front-end" server running Apache with mod_proxy. Create a name-based virtual host for each development VM and have it reverse proxy to that VM, then port forward from the WAN to the front-end server only. Apache picks the virtual host from the Host header of each request, so one public IP address and one port-forward rule serve all of the VMs.

An example config on the front-end Apache server would reverse proxy requests for cust1.dev.domain.com to 192.168.0.100 and requests for cust2.dev.domain.com to 192.168.0.101, all with one external IP address and one port-forward rule.
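The configuration below is an added example that reconstructs the behaviour described above; it is not the original post's config. It assumes Apache 2.4 syntax (Require rather than Order/Allow), that mod_proxy and mod_proxy_http are loaded, and uses the hostnames and addresses from the post. The two lines a practitioner would want that are easy to forget are ProxyRequests Off, so the box is never an open forward proxy, and a catch-all virtual host, so a request with an unknown or missing Host header is refused rather than silently landing on whichever customer vhost Apache happens to list first.

```apache
# Front-end reverse proxy: one public IP, one port forward (80 -> this host).
# Added example, not the original post's config. Needs mod_proxy and
# mod_proxy_http loaded (a2enmod proxy proxy_http on Debian/Ubuntu).

# Never act as a forward proxy for arbitrary destinations.
ProxyRequests Off
# Hand the client's original Host: header to the backend so name-based
# sites on the development VMs still see the right hostname.
ProxyPreserveHost On

# Catch-all: the first *:80 vhost is the default for any Host header that
# matches nothing below. Refuse those requests instead of proxying them.
<VirtualHost *:80>
    ServerName default.invalid
    <Location />
        Require all denied
    </Location>
</VirtualHost>

<VirtualHost *:80>
    ServerName cust1.dev.domain.com
    ProxyPass        / http://192.168.0.100/
    ProxyPassReverse / http://192.168.0.100/
</VirtualHost>

<VirtualHost *:80>
    ServerName cust2.dev.domain.com
    ProxyPass        / http://192.168.0.101/
    ProxyPassReverse / http://192.168.0.101/
</VirtualHost>
```

Run apachectl configtest before reloading, then check the catch-all from outside with a deliberately wrong Host header (curl -H "Host: nonexistent" http://your-public-ip/) and confirm you get a 403 rather than one of the customer sites.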

Just one of the many uses of mod_proxy. You can also use it for SSL bridging and SSL offloading. Neat!

2Jan/12

Creating a HA iSCSI Target Using Linux

Some time ago I created a High Availability iSCSI target using Ubuntu Linux, iscsi-target, DRBD and heartbeat. The HA cluster consisted of two nodes and the iSCSI initiators were Windows Server 2008. I was able to mount the LUN and copy a video to it, play it back and then pull the power from the primary iSCSI target. A few seconds later the second iSCSI target took over and video continued to play.

Pretty cool, huh?

Here is my guide if you want to try this, although I've not gone back through it to make sure it's still correct. If you spot anything that's wrong or not very clear, please leave a comment.

1Jan/12

Mallory Park Track Day

Here's a short video from my last track day of 2011 at Mallory Park. First time out with the 196bhp race engine.

All in all it was a good day without any mishaps and the engine performed brilliantly! Can't wait to get back on track this year.

1Jan/12

My 196bhp Peugeot 106 Track Toy

I've owned this 106 for quite a few years now. It started life as a humble 1.4 8v, standard gearbox, standard suspension. Standard everything. It's now a 196bhp naturally aspirated track toy, but it's still usable as my daily driver.

At this stage I've got to say a massive thank you to Pug1Off who have done all of the major work, such as original engine conversion to a 1.6 16v and the current purpose built race engine. And credit to Northampton Motorsport who mapped the race engine.

Engine (built by Pug1Off) - 196.3 bhp @ 8000 rpm, 135.7 lb ft

  • 1.6 16v C2 (TU5JP4)
  • Re-bore and flowed head
  • Oversized pistons
  • One piece valves
  • Catcams 737s
  • Race bearings
  • AT Power throttle bodies
  • Emerald K6 ECU
  • 4-2-1 manifold
  • Mocal 13 row oil cooler
  • Lightened and balanced flywheel
  • Aluminium crank pulley

Drivetrain

  • VTR gearbox
  • Quaife ATB differential
  • SatchShift
  • Helix Organic clutch

Suspension

  • -45mm Eibach springs
  • GrpN Bilstein shocks
  • B8 Bilstein dampers
  • GrpN upper and lower engine mounts
  • Powerflex gearbox mount
  • OMP upper brace
  • OMP lower brace
  • Disc rear beam with 24mm rear ARB

Brakes

  • 266mm callipers
  • Ferodo DS3000 pads
  • Tarox JapanSport discs
  • Braided lines
  • Motul RBF660 fluid

30Dec/11

Nitter 2.0.1 Available – Fixes DMs

A very quick (and rare) update on my blog!

Since 25th May 2011 my Nitter script has been broken due to a change to the Twitter API. OK, so the problem was actually Net::Twitter::Lite, so the changes to my script have been minimal: I've switched over to Net::Twitter (3.18001), which supports the new way of requesting friend and follower IDs.

You can grab Nitter 2.0.1 from the usual place.

Happy New Year! Hopefully you won't update Nitter and then be bombarded with alerts from your NOC over the holidays.

1Feb/11

MySQL Multi-Master Replication Guide

I've created a new guide on how to configure multi-master replication for MySQL. The configuration should also be compatible with MySQL 6.0.

You can find it here.

17Aug/10

VMware says “There are no un-bridged host network adapters”

I needed a second bridged connection in VMware Workstation but kept getting the error "Cannot change network to bridged: There are no un-bridged host network adapters".

Looks like quite a few people have had this issue too, but with no resolution apart from hitting the "Restore Default" button, which didn't actually solve it anyway. The solution is very simple.

Open the Virtual Network Editor. By default VMnet0 is Bridged with its external connection set to Automatic bridging. This is the problem: automatic bridging claims every physical adapter on the host for VMnet0, so none is left "un-bridged" for a second bridged network. Change VMnet0 so that it bridges to one specific network interface. You can then create another bridged VMnet adapter bound to a different interface.
