Previous: IPv6 DNS |
The virtual machines are easy to setup using the VirtualBox software. I didn't use Linux's KVM because the host hardware doesn't support CPU virtualization, but I do have a similar setup with KVM on a computer that does. I have used this setup with VMWare and Virtual PC as well. The router gets four interfaces each independent of the other while interface eth0 gets bridged to the outside world. The remaining interfaces are placed on internal networks named for their purpose. I've been enjoying the end to end connectivity I get with IPv6. For many home networkers, this will be best method of doing a home network. Just get IPv6 and you have plenty of space for a place on the web! I have setup a Linux based IPv6 router and a subnet just for the Internet facing servers. I could filter this subnet out at the router so it can't connect to the hom LAN. However, I have just begun and have much work to do. You can view my notes at azcrumpty.mooo.com/, which only works if you have IPv6 setup and working. If you don't, you may use a gateway azcrumpty.mooo.com.ipv4.sixxs.org/. My ISP doesn't block the smtp port, 25 on IPv6, so I can run my own mail gateway. If your provider can send to IPv6, which I find many don't, you can email me at email at [email protected]. The folks at FreeDNS have graciously allowed my to piggyback on their domain. I will take this server offline after about a month since the computer it runs on is actually my Linux Mint laptop, which I would like to use for laptop use. It is virtualized, so I can move it should I wish to keep it turned on. A recent post noted that multiple tunneled connections with one DD-WRT router is possible, but doing so was really an unnecessary thing to do. Hurricane Electric provided a /48 network just for the asking so I have split the network into an A and a B network, for the local LAN and guest LAN, respectively. This new setup allows the use of the same IPv6 provider along with using the Stateless Address Auto Configuration feature found in IPv6. I had been considering how to integrate IPv6 into my home network and DMZ and there are so many options to consider, but for now, I am keeping it simple. Dual IPv6 Networks In Home GatewayI have completed adding IPv6 to my home network using both 6in4 and 6to4 transition methods. The IPv6 guide at the DD-WRT site covers everything you need, but I had one question after I completed 6to4. Could I add multiple IPv6 network providers? The answer is yes, and it is very easy to do. Breaking with the spirit of end to end networking, I decided I wanted my guest network IPv6 network separated from my main network. This is not necessary with the big /64 network you get from the providers, but I wanted to try it out since I like having a network that I can use to look from the outside in. Teredo Tunneling is the most painless way to IPv6, but it was the slowest method of using IPv6. The changes were simple enough, only needing the user to setup the second tunnel using the tunnel provider's instructions and a unique name. Basically, the router advertisement daemon's config files needed to be changed to announce the 6to4's network, 2002: on the guest interface br1. The 6to4 start script needed the -p option used to specify a new pid file for the second daemon. I used the command watch 'netstat -an | grep tcp6 to see what network connections were using IPv6. The home network uses the 2001:132:d:28a network provided by Hurricane Electric. The radvd.he.conf file only needed to be configured to announce the 2001:132:d:28a::/64 prefix and the start script is the same one you would fine on the DD-WRT IPv6 site. On starup, the router's route tables and interfaces show the correct settings for the internal interface br0 and the external interface br1. Again, watching the netstat output showed plenty of IPv6 connections. Both networks checked out with the IPv6 test site. A tertiary option is to use Teredo tunneling on a host behind another NAT in my my home network which gives me a third network to work with. I put the IPv6 startup scripts into Optware script format along with the config files for radvd. I do the ipv6 insmod command in the DD-WRT startup. So now, my home network has all the benefits of a node having full end to end connectivity with no more pesky NAT preventing me from publishing my own content or directly communicating with another peer on the Internet. But also note that configuration is completely unnecessary since I have 2^64 addresses available for use and could have divided my block up for each segment. One radvd process can advertise to both interfaces and the two networks can be part of the same /64. All I had to do was add an interface address in the block to br1 and the two become connected, but that seemed like normal networking. My previous article on my home network with its DMZ is one of my more popular articles, but the design is very complex and might put off people looking for a simple rapid solution. If you are one of the few people with a newer router, it might come with the guest LAN feature which can be utilized for a DMZ. My guests either have a smartphone, or can go without the Internet during their visits, leaving my guest LAN unused for most of its lifetime.
The guest LAN's network is 192.168.2.0/24 and the firewall rules deny this network from reaching the main 192.168.1.0/24 network and the cable modem. Traffic from 192.168.1.0 is allowed to reach all hosts on 192.168.2.0, enabling easy management of servers on this network. I have long since erased my default Linksys management firmware and replaced it with DD-WRT, so I can't demo how to do it with the software you probably already have. I will guess that there are no reasons why you can't set forwarding to the guest LAN on your router using the default management software. So, a simple DMZ setup would involve joining your server to the guest LAN with a static address, and telling your router to send requests to that host. This should be a quick and simple solution for you since your guest LAN is already prohibited from connecting to your main network. I hope this home hosting howto works for you. IBM HTTP Servers 6.1 and 7.0 take advantage of Apache's virtual hosting feature but having all of your virtual sites in one IHS server means all virtual hosts must be turned off to stop the http server resulting in outages or reduced capacity for all sites sharing that IHS instance. There is an unofficial way to use isolated IBM HTTP server processes to get the job done. We can build isolated independant configurations for the HTTP server which you can be stop and start without impacting another shared application on the same server. This configuration is largely unsupported by the DMGR console and must be configured at the command prompt level. The information within is an unsupported hack and should not used for production runs. The first step is to build the HTTP server config. A more elegant file naming method than what is shown in the linked document involves creating descriptive application folder locations for each virtual application so you could have conf/app_marketing/httpd.conf, log/app_marketing/access_log, and /app_marketing/index.html but for brevity, I will just number the instances in this guide. This approach is successful if the new http server is defined with isolated files and folders such as cgisock, sidd, ./htdocs2, etc. for its own run. Copy your httpd.conf to httpd2.conf, then make all the edits shown in the build document so the web server has unique ports/IPs, folders, and files it needs for run time. You will perform a second round of steps using the deployment manager after the command line tasks are completed. Note that the deployment manager is a repository and the plugin data will be overwritten by it so the webserver1 data is used only to make sure its starts without errors. You could leave the folders blank and test after all steps are completed. After all of the command line configuration is completed, you should test the web server to see if it works using curl, wget, or a browser. The web server should be started if you used the build document. Since webserver2 is a copy of webserver1, testing static content using your favorite testing tool is a better idea. Some web apps keep all static content in the enterprise application resource so check your access and error log files to ensure requests are coming through and they are logged. You may further test the J2EE application if your virtual host (vhost) already enables the new server's hostname and port combination to run the application. This example doesn't show such a configuration but if you are removing an existing vhost and using this guide to isolate it then, a curl test on the application would work smoothly at this point because the definition would already exist in the plugin file. Move on to the next step ff the new web server, webserver2, passes these basic tests. The web server is working but it is just a copy of the data in webserver1 and since you wanted process level isolation for a different application so you must also go to the Deployment Manager to make the application specific changes, pushing out the remaining configuration from the management console. After all shell level configuration is done, proceed to the WebSphere deployment manager in System Administration -> Nodes. Create an unmanaged node pointing to the host of the http server. Now, you may create webserver2 in that node in Servers -> Web servers. Now, you will see that webserver2 is defaulted with the original httpd.conf. We must use the GUI and change the name from httpd.conf to httpd2.conf. WebSphere will read the configuration information from the file. Propagate the plugin key store and config files now to check for any possible errors which you should stop and correct. If you can read the configuration file, your deployment manager is now connected to webserver2. Scroll to the bottom to see your changes and ensure you have the webserver2 file. A hint could have been added to the top of the file that like "# WebServer2 conf," identifying the proper file for other admins. Next, you must set the application to use webserver2 in Enterprise Applications -> YourApplicationName -> Manage Modules. Ensure your virtual host is set in Virtual Hosts -> YourVhost -> Host Aliases. Now it is time to push the configuration files out. You will now have a plugin file to propogate which contains details of your application for this new isolated HTTP process in the WebSphere Applicaton Server. You must also build a key store for the HTTP server and a plugin key store but this guide uses a new build and such steps are not shown. Push these out using the DMGR gui, too. Restart the HTTP server using the console and check for any errors before testing. I wrote this script to assist with exporting from LastPass and importing into PasswordSafe. It worked but it is unfinished. Perhaps someone can find some use for it. It is a simple shell script that takes plaintext CSV formatted LastPass output and puts it into a tab delimited format PasswordSafe can use. Usage: makepass.txt source_file > output_file ./makepass.txt pass.csv.txt > pass.importable.txt Then, you can import into PasswordSafe the pass.importable.txt file and you will have a Password Safe file (password is azcrumpty) with some deficiencies since I never finished the script. It imported well enough to be usable but it is no where near a quality script. Perhaps you will make improvements. Note that Weebly has a limited set of file extensions which is the BASH shell script has .txt on its end. Optware is like a power pack for DD-WRT enabling the user to enhance the functionality even further by adding even more services to the router. I wanted guests to have write access to the public volume and FTP access. I also wanted non-privileged access to DD-WRT so I created more users for /etc/passwd. I installed a custom S99Local script to keep the custom user database up to date, Proftp to get my own configuration options that the GUI didn't support, and I deviated from the typical Samba config to enable guests to have write access. Here, you can see my S99Local file which adds users and groups from /opt/etc to the main password database. I gave the users their own id and group.I also moved the local user's home directory from /opt to /mnt/home so they could use Samba and the larger filesystem. I used smbpasswd -a to add the users to /opt/etc/smbpasswd. Proftp and Samba enable anonymous write permission to /mnt/public. This is so the guests who come over can have access to the share volume and transfer data without using sneaker net. The Proftp config file is modified to allow guests to write the public share. I enabled the firewall to allow guests to have FTP and SMB access from the guest LAN. There are many sites about making bootable USB pen drives with Ubuntu Linux and most of these sites have the user put the ISO on the thumb drive instead of actually installing a Linux distribution onto the USB flash drive. I like to actually place the whole operating system on a USB flash drive so I always have the full operating system available. Many sites will tell you the ISO install is best but I disagree. Flash drives are much cheaper today and you can split an 8 GB drive into a Linux and a VFAT partition. I prefer using a virtualizer that offers USB support to do the install. I have used a real PC with data on it while fatigued, entered in the wrong partition, and ended up with a really bad week of restores. Virtualization allows you to only load to the USB drive and keeps your PC protected from accidents. I like to use the virtual machine with no hard drive, which makes the install simpler especially when the USB flash drive is connected before install. You can't mix up partitions or boot areas with only one drive in the virtual machine. Begin your install by selecting keyboard type and entering your host name along with other information until you reach the partition screen. The flash drive used here already had two 8 GB VFAT partitions and I erased the second one and use it for Linux. I usually select the Ubuntu alternate CD and manual partitioning but if you have only one USB drive in your VM, then you can use auto install and the whole flash drive if you won’t need the VFAT for sneaker net with other computers. It is a good time to note the path of your USB thumb drive if you have multiple drives in your system. It is /dev/sda in the virtual machine and typically /dev/sdh on my physical desktop. You might need that for the bootloader install later if you are doing this on a physical machine with multiple disk drives. Ensure the partition type is primary and bootable then select your filesystem type. I have used ext4 and ext2 succesfully. You may wish to read the benchmarks and to determine your filesystem choice then work on performance later. Note that I create the system with no swap space since the computers I would boot from typically have 2 GB of ram which tends to be enough for my needs. Also, I use a USB disk drive with 200 ms write speeds but I have found paging to slow the system down. I used to turn off browser caching and the syslog service in the past but I find newer systems perform fine with these on. Commit your changes, create the filsystem, and begin the user creation process. I like to encrypt my home directory with the built in ecrypt filesystem which leaves me feeling comfortable should I lose the USB key disk. The next step is the one that can be a nuisance should you use a physical PC. If you have only one disk, the Ubuntu installer will place the boot loader on the master boot record of the disk. If you have multiple drives, then select manual and enter the drive name on that page. On my desktop, the drive usually appears as /dev/sdh so I use that for physical installs. You must be careful not to override a bootloader on a machine you are using just for installing to a USB disk drive. You can see in the picture with the drive booted that I am using a Patriot XT flash drive on /dev/sda running Ubuntu 11.10 Oneirc Ocelot. Related articles I mentioned on my blog that I have switched to DD-WRT on my Linksys e3000 router mainly because I was frustrated with Cisco's software requiring a Mac or PC in order to make some feature changes. I got locked out of the desktop software once I setup security to my preferences. So here are my firewall rules built with the help of Firewall Builder. We'll start by looking at the NAT rules. Rule 0 allows all networks to NAT out to the Internet. Rule 1 is disabled but allows access to the DMZ. The DMZ is off during the summer to keep the DMZ server from running up the electric bill. Rule 2 is a lazy rule that enables me to print to my networked laser printer while I work from home logged into the work VPN. I say this is lazy due to having used a much better design in the past. In the past, I had Apache with SSL reverse proxying to CUPS. I used an HTTPS URL with Windows XP to print remotely. This protected data in transit across the internet. The current setup will be disabled anyway for printing seems to have been killed off by the dual monitor setup. The printing rule is restricted to the VPN Internet exit IP address. We'll now look at the firewall rules. Rule 0 adds all internal networks to the Anti-Spoofing Rule. Rule 1 enables loopback network communication on the router. Rule 2 is sloppy but lets DHCP work on the internal network. You can see this done better in Firewall Builder's templates. Rule 3 gives the guest network access to essential services on the gateway. FTP is provided so guests can take advantage of the USB Drive attached to the Linksys e3000. Rule 4 ensure all trusted networks can access everything needed on the home gateway. Rule 5 lets ping and traceroute work. Rule 6 lets the router communicate to everything on the network. Rules 8 through 10 enable the VPN to be accessed from the outside and HTTP for rule 9 which is disabled at this time. Rule 11 allows printing while on a work VPN. The work VPN disables all local access when the VPN is activated leaves me unable to reach my network printers. Rule 12 stops all traffic not otherwise allowed to the firewall box. Rule 13 enables the guest network access to the outside world only. Note the guest network can not access the other networks. Rules 14,15, and 16 allow the trusted networks to communicate everywhere. Rule 17 will drop everything else not previously allowed in my home firewall. Here are the raw iptables rules script as created by Firewall Builder for DD-WRT. |
Journal
This is the place for notes and updates. Archives
March 2013
Categories
All
|