Editing Cisco IOS ACLs
If you've administered Cisco PIX or ASA security appliances, you'll know how easy editing ACLs is. If you want to insert a new rule into an existing ACL, you can put it exactly where you want. For example:
access-list outside_access_in line 12 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
This will insert the rule at position 12 of the outside_access_in ACL, pushing the existing rule at position 12 down to position 13 and re-ordering everything.
In Cisco IOS there's no obvious way to do this when working with ACLs. A lot of the time people will copy the ACL out, edit it in a text editor, "no access-list" the ACL and then paste in the modified ACL. This does work, but it can be risky when working remotely, as it's easy to lock yourself out of the IOS device if you don't remove the ACL from the interfaces before deleting it.
But you can edit ACLs on the IOS device itself when using an extended ACL. Let's create an ACL:
(config)# access-list 100 permit tcp host 1.1.1.1 host 2.2.2.2 eq 80
(config)# access-list 100 deny ip any any log
If you view this ACL you'll notice line numbers:
(config)#do sh access-list 100
Extended IP access list 100
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 deny ip any any log
Let's say you need to add another rule before the deny (sequence number 20). Enter the extended ACL:
(config)# ip access-list extended 100
Now you can insert a new rule by specifying a sequence number less than the deny rule (which is sequence 20):
(config-ext-nacl)# 15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
(config-ext-nacl)# exit
If you view the ACL you'll see the new rule:
(config)#do sh ip access-list 100
Extended IP access list 100
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
15 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
20 deny ip any any log
You can now resequence the ACL so that all the sequence numbers are evenly spaced again. For example, if you want the sequence numbers to start at 10 and go up in increments of 10:
(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 permit tcp host 1.1.1.1 host 2.2.2.2 eq 443
30 deny ip any any log
If you want to delete a specific rule:
(config)#ip access-list extended 100
(config-ext-nacl)#no 20
(config-ext-nacl)#exit
(config)#ip access-list resequence 100 10 10
(config)#do sh ip access-list 100
Extended IP access list 100
10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
20 deny ip any any log
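As an added example (my own code, not part of the original post), here is a small Python model of the sequence-number operations shown above: it parses the "show ip access-list" output, picks a free sequence number for an insert the same way 15 was chosen between 10 and 20, resequences with a start and step, and deletes by sequence number. The parsing pattern and function names are assumptions for illustration, not IOS commands.

```python
"""Model of Cisco IOS sequence-numbered ACL editing: insert, resequence, delete."""
import re

# Constructed sample: the 'show ip access-list 100' output from the post above.
SHOW_OUTPUT = """Extended IP access list 100
    10 permit tcp host 1.1.1.1 host 2.2.2.2 eq www
    20 deny ip any any log
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(.+)$")  # "<seq> permit|deny <rest>"

def parse_acl(text):
    """Return (ACL name, ordered list of (sequence, rule) tuples)."""
    lines = text.strip().splitlines()
    name = lines[0].split()[-1]
    entries = []
    for line in lines[1:]:
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), f"{m.group(2)} {m.group(3)}"))
    return name, entries

def insert_before(entries, before_seq, rule):
    """Place rule ahead of before_seq using the midpoint of the gap (10,20 -> 15).
    If no number is free you must resequence first, so raise instead of guessing."""
    seqs = [s for s, _ in entries]
    if before_seq not in seqs:
        raise ValueError(f"sequence {before_seq} not in ACL")
    idx = seqs.index(before_seq)
    prev = seqs[idx - 1] if idx > 0 else 0
    if before_seq - prev < 2:
        raise ValueError("no free sequence number; run 'ip access-list resequence'")
    return entries[:idx] + [(prev + (before_seq - prev) // 2, rule)] + entries[idx:]

def resequence(entries, start, step):
    """Same effect as 'ip access-list resequence <acl> <start> <step>'."""
    return [(start + i * step, rule) for i, (_, rule) in enumerate(entries)]

def delete(entries, seq):
    """Same effect as 'no <seq>' in the ip access-list extended sub-mode."""
    return [(s, r) for s, r in entries if s != seq]

def render(name, entries):
    """Re-create the 'show ip access-list' layout for comparison against the device."""
    return "\n".join([f"Extended IP access list {name}"] + [f"    {s} {r}" for s, r in entries])
```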
Unable to Check Out Files, Create or Edit Pages in SharePoint
Recently I had an issue with a SharePoint site where, sometime over the weekend, the entire site broke and wouldn't let anyone check files out of document libraries, upload new files, edit or create pages, etc.
The Check Out option on files was completely missing. Options under Site Settings were completely missing. When users opened Word and Excel documents from document libraries and tried the Check Out option from there, they'd be repeatedly prompted for authentication. I spent a long time checking permissions within SharePoint, checking service accounts, using Wireshark, etc., but couldn't find the cause.
Eventually I happened to notice that the entire site was locked, in read-only mode. But how did it get like this? There are only four administrators who can do this, and no one logged in over the weekend and made any changes. I then happened to read that as of WSS 3.0/MOSS 2007 SP2, when using the backup operation of stsadm, the site is automatically locked. Prior to SP2 this was only recommended; it's now enforced.
The problem appears to be that if the backup fails for whatever reason, the site stays locked. To check if the site is locked:
stsadm -o getsitelock -url http://spsite
To unlock the site:
stsadm -o setsitelock -url http://spsite -lock none
If you read the Microsoft TechNet page for the Setsitelock operation of stsadm, you'll notice that it does mention that the backup now locks the site. You can force the backup not to lock the site. I've modified our backup routine so that a setsitelock operation is always run after a backup, regardless of whether the backup was successful or not.
Cage The 106
I was having a little break from doing anything more to the 106, but then a roll cage came up for sale and it was too good to pass up. It's a 6 point cage, in red, fits around the sunroof and doesn't penetrate the dash. Every box ticked! Made by Geronimo Cages (Hartlepool), but I don't think they're in business anymore. The seller was just up the road and said he'd help fit it. Got it in within a couple of hours and I finished it off this weekend.
Not great pictures, thanks mostly to the daylight fading and using my iPhone. Excuse how unclean the bodywork is too. That's a job for next weekend.
Also replaced the fuel line that runs from the fuel filter, inside the car, through the bulkhead and to the fuel rail. Had a slight accident last weekend with a knife when initially fitting the cage.
What's next? I'd like to overhaul the brakes. There's too much going to the rear callipers, which makes the car "squirm" under heavy braking. So the plan is to run fully braided lines, have them run inside the car and fit a bias lever so that I can adjust the rear brake bias. On a dry track day the lever would be all the way forward so that the rears aren't doing anything. The problem comes about because the car is stripped out at the back and there's no load compensator on the rear callipers.
This year I'm hoping to get to Castle Combe and Silverstone. There's also talk of a trip to the Nürburgring...
Virtual Hosting With mod_proxy
The other day I had someone ask if there's a nice solution to the following problem:
Multiple web development virtual machines but only one external IP address.
The quick solution is to port forward different ports to each virtual machine. For example, 81 goes to VM1, 82 goes to VM2, 83 goes to VM3, etc. Granted, that would work, but it isn't a "neat" solution.
Using mod_proxy under Apache is a much better solution to this problem.
Deploy a "front-end" server running Apache and mod_proxy. Create a virtual host for each virtual server and then, using mod_proxy, reverse proxy to that virtual server. Port forward from the WAN to your front-end Apache server running mod_proxy.
Here's what an example config would look like on the front-end Apache server:
<VirtualHost 213.131.192.201:80>
    ServerName cust1.dev.domain.com
    ServerAdmin webmaster@cust1.dev.domain.com
    # Reverse proxy only: never act as a forward (open) proxy
    ProxyRequests off
    # Pass the client's Host header through so the backend sees cust1.dev.domain.com
    ProxyPreserveHost on
    ProxyPass / http://192.168.0.100/
    ProxyPassReverse / http://192.168.0.100/
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ErrorLog /var/log/apache2/cust1.dev.domain.com.err.log
    CustomLog /var/log/apache2/cust1.dev.domain.com.log combined
</VirtualHost>

<VirtualHost 213.131.192.201:80>
    ServerName cust2.dev.domain.com
    ServerAdmin webmaster@cust2.dev.domain.com
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / http://192.168.0.101/
    ProxyPassReverse / http://192.168.0.101/
    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>
    ErrorLog /var/log/apache2/cust2.dev.domain.com.err.log
    CustomLog /var/log/apache2/cust2.dev.domain.com.log combined
</VirtualHost>
Requests for cust1.dev.domain.com are reverse proxied to 192.168.0.100 and requests for cust2.dev.domain.com are reverse proxied to 192.168.0.101, all with one external IP address and one port forward rule.
Just one of the many uses of mod_proxy. You can also use it for SSL bridging and SSL offloading. Neat!
Creating a HA iSCSI Target Using Linux
Some time ago I created a High Availability iSCSI target using Ubuntu Linux, iscsi-target, DRBD and heartbeat. The HA cluster consisted of two nodes and the iSCSI initiators were Windows Server 2008. I was able to mount the LUN and copy a video to it, play it back and then pull the power from the primary iSCSI target. A few seconds later the second iSCSI target took over and video continued to play.
Pretty cool, huh?
Here is my guide if you want to try this. I've not gone back through the guide to make sure it's still correct, so if you spot anything that's wrong or not very clear, please leave a comment.
Mallory Park Track Day
Here's a short video from my last track day of 2011 at Mallory Park. First time out with the 196bhp race engine.
All in all it was a good day without any mishaps and the engine performed brilliantly! Can't wait to get back on track this year.
My 196bhp Peugeot 106 Track Toy
I've owned this 106 for quite a few years now. It started life as a humble 1.4 8v, standard gearbox, standard suspension. Standard everything. It's now a 196bhp naturally aspirated track toy, but it's still usable as my daily driver.
At this stage I've got to say a massive thank you to Pug1Off, who have done all of the major work, such as the original engine conversion to a 1.6 16v and the current purpose-built race engine. And credit to Northampton Motorsport, who mapped the race engine.
Engine (built by Pug1Off) - 196.3bhp @ 8000rpm, 135.7lb/ft
- 1.6 16v C2 (TU5JP4)
- Re-bore and flowed head
- Oversized pistons
- One piece valves
- Catcams 737s
- Race bearings
- AT Power throttle bodies
- Emerald K6 ECU
- 4-2-1 manifold
- Mocal 13 row oil cooler
- Lightened and balanced flywheel
- Aluminium crank pulley
Drivetrain
- VTR gearbox
- Quaife ATB differential
- SatchShift
- Helix Organic clutch
Suspension
- -45mm Eibach springs
- GrpN Bilstein shocks
- B8 Bilstein dampers
- GrpN upper and lower engine mounts
- Powerflex gearbox mount
- OMP upper brace
- OMP lower brace
- Disc rear beam with 24mm rear ARB
Brakes
- 266mm callipers
- Ferodo DS3000 pads
- Tarox JapanSport discs
- Braided lines
- Motul RBF660 fluid
Nitter 2.0.1 Available – Fixes DMs
A very quick (and rare) update on my blog!
Since 25th May 2011 my Nitter script has been broken due to a change in the Twitter API. OK, so the problem was actually Net::Twitter::Lite, so the changes to my script have been minimal: I've switched over to Net::Twitter (3.18001), which supports the new way of requesting friend and follower IDs.
You can grab Nitter 2.0.1 from the usual place.
Happy New Year! Hopefully you won't update Nitter and then be bombarded with alerts from your NOC over the holidays.
MySQL Multi-Master Replication Guide
I've created a new guide on how to configure multi-master replication for MySQL. The configuration should also be compatible with MySQL 6.0.
You can find it here.
VMware says “There are are no un-bridged host network adapters”
I needed a second bridged connection in VMware Workstation but kept getting the error "Cannot change network to bridged: There are no un-bridged host network adapters".
It looks like quite a few people have had this issue too, but with no resolution apart from hitting the "Restore Default" button, which didn't actually solve it anyway. The solution is very simple.
Open the Virtual Network Editor. By default the VMnet0 adapter will be Bridged and its external connection will be set to Auto-bridging. This is the problem. Change VMnet0 so that it uses a specific network interface. You can then create another bridged VMnet adapter.