azcrumpty's Site
  • Home
  • Journal
  • Search

Crouton in Hexxeh's Vanilla Chromium Build

3/9/2013

 
I now have the Acer C7 Chromebook which is a great second device to have offering a nice screen in a highly portable 11 inch, 3 pound package.  If you would like a little more functionality, you can install on your Acer C7 Crouton, a change root (chroot) Ubuntu environment which provides easy switching between Chrome OS and Ubuntu.  I like to try things in a virtual machine before going on the real deal.  Crouton requires developer mode which will erase the user accounts before you enter into it.  I do have many things setup such as OpenVPN and many images stored locally. The Virtualbox configuration will let me play around enough to really determine if I will try out Crouton on my Chromebook.
Picture
Garbage Output
You can play around with Crouton in a virtual machine before trying it on your Chromebook and  I have found it works fine, as expected, but the screen changed modes to the hideous garbage on the left during the install and the good news is there is no need to worry. I pressed CTRL-ALT-F2 followed by CTRL--ALT-F1 to get the screen back to normal.  So, install Chromium using Hexxeh's instructions on his site. Then follow the Crouton install guide and if you get the garbage screen, you'll know what to do.

Picture
Chromium Crosh
Here is the CTRL-ALT-F1, or normal Chrome OS view showing Crosh in developer mode shell right after entering the Crouton change root (chroot) environment.

Picture
Here is the screen of CTRL-ALT-F2

Picture
Crouton Xfce4 in Virtualbox
Here is the Xfce4 session running in Crouton.  Note that switching between windows doesn't always work.  Sometimes getting here requires CTRL-ALT-F2 and then CTRL-ALT-F3. 

Have fun!

Nice Looking KDE Desktop in a Few Easy Steps

12/31/2012

 
Picture
The default KDE theme is nice as it is, but it can also be customized in just a few easy steps.  First, I like to copy my applications into the panel.  You can drag them from the launcher to the panel and select link here.

Picture
Next, add some widgets using the Plasma control in the top right of the screen.

Picture
Right click desktop area and select Default Desktop Settings.  Install a background and select it after installation completes.

Picture
Applying the desktop picture.

Picture
Well go to System Settings from the Launcher and we'll use Application Appearance and Workspace Appearance.

Picture
I chose Krita Dark, which comes with Kubuntu 12.10.

Picture
Add a theme in WorkSpace Appearance like Slim Glow And Activate

Picture
So, now you have a modified Kubuntu 12.10 KDE desktop in a few easy steps minus the time to download the custom backgrounds and themes.  Hope this helps.

IPv6 Home Network DMZ: Design

10/6/2012

 
Picture
Home IPv6 Network DMZ
I wrote a Home Network with IPv4 DMZ article which showed you how to get a website up and running at home on the Internet with the servers in alternate NAT area.  The design works but NAT can make other services, like FTP, difficult to manage.  IPv6 is ready to save us from network address translation making all nodes equal citizens on the Internet ending our dependance on IP masquerading.  What do you have to do to build your IPv6 home network DMZ?  The simple answer may surprise you once you realize you don't have to do anything beyond installing the software and setting up domain name service (DNS) since your IPv6 enabled node is already Internet facing.  If you have enabled IPv6, you are ready to go.

You can activate IPv6 at home and utilize any machine, virtual or physical, to be your Internet server.  Keep in mind that virtual servers and wireless IPv6 bridging may bring you more problems than they are worth, so make sure you have wired networking available if you want to run in a virtualized machine.  All you need after you install your Internet server software is a DNS provider and you are ready to go.  But, many of you like something a little more complex like keeping your Internet facing systems in a nice little DMZ, away from your main network while minimizing exposure of other services that don't need to be on the Internet.

To do this, I decided to create an IPv6 subnet for the DMZ within my assigned /48 block.  This DMZ consists of three tiers with tier one using a globally scoped network to face the Internet clients, while tiers two and three use unique local networks.  This subnet sits behind a router that has firewall rules installed on it similar to my pfSense network in the previous article.  Tiers two and three cannot be reached from the Internet since their network prefixes are not routable.  All servers have fully qualified domain names but the website is configured to run off the vanity URL http://azcrumpty.dyndns.org, which you can only view if you are using IPv6.
Picture
http://azcrumpty.dyndns.org
Next: Router

IPv6 Home Network DMZ: IPv6 Ubuntu Router

10/6/2012

 
Picture
IPv6 Ubuntu Linux Router
The basic building block of my IPv6 homenetwork DMZ is the Ubuntu Linux based IPv6 router.  The router consists of four network interfaces: external (eth0), internet facing tier one (eth1), application logic tier two (eth2), and a database in tier three (eth3).  All of these functions could have been placed on one host, of course, but doing so would have made for one boring article.

This IPv6 multi-subnet Linux based router runs Ubuntu Server 12.04 in a VirtualBox virtual machine.  Setup is simply a matter of setting IPv6 forwarding, net.ipv6.conf.all.forwarding=1  in the sysctl.conf file and setting static addresses on the interfaces.

The bind9 and squid3 packages are installed to support domain name service forwarding and http proxying for the DMZ nodes which have no internet access.

Lastly, the main router needs some static routes since the local network addresses need to be specified and I didn't subnet the router interfaces for the tier 1 LAN.

Squid cache proxy needs a few tweaks to enable ACLs for the new subnets.  The private block is already included so I added the tier 1 block in the ACLs: acl localnet src fd00::/7 2001:470:f379:31::/64.

NTP is not used here but other virtual machines may need time synchronization so plan for it if your clock drifts while running in the virtual machine.  You would set your NTP host to the corresponding router's tier network address.

I wanted to build an IPv6 only environment, but Ubuntu's repository's doesn't always respond with a quad A records (AAAA) so I have to enable IPv4 on eth0 (dhclient eth0) so the proxy on the router can reach IPv4 sites for updates.  This series of articles is configured for IPv6 only and the firewall script removes the IPv4 interface when run.

The router software was installed with the Basic Server option menu choice in the Ubuntu server config screen.  The unique local addresses are not pseudorandom, as the RFC 4193 calls for.

/etc/resolv.conf

azcrumpty@tier1# cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
domain chickenkiller.com
search chickenkiller.com

Add Static IPv6 Routes to DD-WRT

Adding a static IPv6 route to your main router may be different than what lies below.
ip -6 route add 2001:470:f379:30::/62 via 2001:470:f379::30
ip -6 route add fd01:470:f379:30::/62 via 2001:470:f379::30

/etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth0
iface eth0 inet6 static
     address 2001:470:f379::30
     netmask 64
     gateway 2001:470:f379::1

auto eth1
iface eth1 inet6 static
     address 2001:470:f379:31::1
     netmask 64

auto eth2
iface eth2 inet6 static
     address fd01:470:f379:32::1
     netmask 64

auto eth3
iface eth3 inet6 static
     address fd01:470:f379:33::1
     netmask 64

/etc/bind/named.conf.options

The forwarders are needed due to the IPv6 only network stack preventing some lookups.

options {
     directory "/var/cache/bind";

     // If there is a firewall between you and nameservers you want
     // to talk to, you may need to fix the firewall to allow multiple
     // ports to talk. See http://www.kb.cert.org/vuls/id/800113

     // If your ISP provided one or more IP addresses for stable
     // nameservers, you probably want to use them as forwarders.
     // Uncomment the following block, and insert the addresses replacing
     // the all-0's placeholder.

     // Added Forwarders to an IPv6 Address since it can't reach IPv4
     forwarders {
         2001:4860:4860::8888;
     };

     //========================================================================
     // If BIND logs error messages about the root key being expired,
     // you will need to update your keys. See https://www.isc.org/bind-keys
     //========================================================================
     dnssec-validation auto;

     auth-nxdomain no; # conform to RFC1035
     listen-on-v6 { any; };
};

Previous: Design
Next: Firewall Rules

IPv6 Home Network DMZ: Firewall Rules

10/6/2012

 
Generating firewall rules tend to be the most discussed subject, but you must tell Firewall Builder that you wish to work with IPv6 in the property file to have it generate the rules you want. I had assumed if I defined IPv6 addresses that it would automatically make the configuration IPv6 ready, which wasn't the case. So, I had to activate some settings in the GUI but the policy setting is the most important. Neighbor discovery and rule generation order aren't used here as IPs are static and there are no IPv4 rules.
Picture
Firewall Builder IPv6 Configuration Only
Picture
Firewall Builder Rule Generation Order
Picture
Firewall Builder Rules For Neighbor Discovery
This firewall design exists to prevent the hosts in the DMZ from reaching the home IPv6 network while ensuring the Internet clients can reach the tier 1 reverse proxy, but still enabling flow from tier 1 to tier 2 and tier 2 to tier 3.
Picture
IPv6 Linux Router Flow Diagram
Picture
IPv6 Linux Router Internal Flow Diagram
The firewall design allows all hosts on the main network to reach all tiers in the DMZ.

The first few rules in the diagram are anti-spoof rules (Rule 0) which prevent the internal networks from being spoofed outside the firewall where they could not originate as source addresses. Next, Rule 1 allows loopback rules and Rule 2 allows the firewall to accept IPv6 multicasts on its external interface.

Next, Rule 3 lets the router's external interface connect to the outside world so the router's services can reach the Internet as needed. This helps the squid proxy and DNS queries reach the Internet. Without it, there would be no access to the Internet for the router itself.

Rule 4 is redundant but it is a holdover from the template allowing SSH from the main network to the router. The router doesn't run SSH so this is not needed as I make changes on the router via the console. Some people like to SSH into the router, but I find I rarely do once I have a router setup just right.

Rules 5, 6, and 7 allow each to reach the services it needs on the tier's gateway interface in this case network time protocol (NTP), http proxy, and domain name service (DNS).
Picture
Firewall Builder Rules 1 - 7 for IPv6 Firewall Router


The block all rule (Rule 8) is next denying all other access to the firewall for whatever wasn't defined as being allowed.

Rule 9 makes ident functions reject quickly so no delays exist when an application tries to do an ident call to one of the servers.

Rule 11 allows mail to anywhere but Main Network and Tiers 2 and 3. Tiers 2 and 3 have no reverse DNS and many mailer daemons complain anyway. Tiers 2 and 3 can send mail to tier 1 so tier 1 could be configured as a smart relay host, which isn't shown in this series of articles.

Rule 12 allows tier 1 to reach tier 2 via HTTP. You can add Apache Tomcat HTTP/AJP (8080/8009) or similar ports you need for tier 2 access here.

Rule 13 allows the tier two server to reach tier three's MySQL port for database access.

Note that multiple servers within each tier would have full access to all ports on all servers within the same tier using the configuration as servers on the same tier don't pass through the firewall interface for analysis.

Rule 14 denies any other access to the home IPv6 network but is already covered by Rule 17. I like to see this one explicitly defined but it isn't really necessary.

Rule 15 allows the main network to do whatever it wants to any host in the DMZ. You might want to restrict this to trusted hosts or a jump server in your network.

Rule 16 allows any host to reach the HTTP and HTTPS ports and savvy readers will note that also enables tiers 2 and 3 to reach tier 1 HTTP services.

Rule 17 denies all other connections that aren't allowed.

Fire wall rules don't have to stop here. I could have told the DD-WRT router to deny all incoming connections from the networks 2001:470:f379:31://64 and fd01:/16 and I could tell the host based firewalls on hosts in the main network to drop those networks as well.

Picture
Firewall Builder Rules 8 - 17 for IPv6 Firewall Router
The following section shows the external test network is denied when trying to reach hosts.
Oct 3 19:27:45 router kernel: [1187749.075419] RULE 17 -- DENY IN=eth1 OUT=eth3 MAC=08:00:27:88:a2:52:08:00:27:b6:01:80:86:dd SRC=2001:0470:f379:0031:0000:0000:0000:0010 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=40715 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 14:27:53 router kernel: [1187757.100207] RULE 17 -- DENY IN=eth1 OUT=eth3 MAC=08:00:27:88:a2:52:08:00:27:b6:01:80:86:dd SRC=2001:0470:f379:0031:0000:0000:0000:0010 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=40715 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:28:09 router kernel: [1187773.131684] RULE 17 -- DENY IN=eth1 OUT=eth3 MAC=08:00:27:88:a2:52:08:00:27:b6:01:80:86:dd SRC=2001:0470:f379:0031:0000:0000:0000:0010 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=40715 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:31 router kernel: [1187855.193762] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:32 router kernel: [1187856.174386] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Oct 3 19:29:34 router kernel: [1187858.145339] RULE 17 -- DENY IN=eth2 OUT=eth3 MAC=08:00:27:7d:3e:91:08:00:27:b8:81:ef:86:dd SRC=fd01:0470:f379:0032:0000:0000:0000:0020 DST=fd01:0470:f379:0033:0000:0000:0000:0030 LEN=80 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=TCP SPT=36823 DPT=22 WINDOW=14400 RES=0x00 SYN URGP=0
Previous: Router
Next: Tier 1 Reverse Proxy

IPv6 Home Network DMZ: Ubuntu Tier 1 Server

10/6/2012

 
The tier one Internet facing server is an Ubuntu 12.04 server that runs the Squid caching proxy in reverse proxy mode, which is overkill for this site but this series of articles is just a demo so anything else can dropped into place.

The server's real host name  tier 1 is different from its vanity name.

The configuration consists of static resolv.conf files and static interface definitions.  The proxy IP and port are added to /etc/environment so services that do HTTP/FTP can reach the web.  The base file for resolvconf is gets nameservice using the same interface as the proxy since the router provides these services to the host. The /etc/interfaces file has has the static assignments to activate networking.

Application configuration comes next.  Postfix is told to receive mail as the vanity domain azcrumpty.dyndns.org while the apt package manager is told to use the proxy.  Squid Proxy server is configured to listen on port 80 which is HTTP in plaintext, connect to its peer on tier 2, and ensure ACLs are permissible.

/etc/environment

azcrumpty@tier1:~$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
http_proxy="http://[2001:470:f379:31::1]:3128"
https_proxy="http://[2001:470:f379:31::1]:3128"
ftp_proxy="http://[2001:470:f379:31::1]:3128"

/etc/resolv.conf

azcrumpty@tier1:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver 2001:470:f379:31::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier1:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth0
iface eth0 inet6 static
     address 2001:470:f379:31::10
     netmask 64
     gateway 2001:470:f379:31::1

/etc/postfix/main.cf

azcrumpty@tier1:~$ grep mydest /etc/postfix/main.cf
mydestination = tier1.CHICKENKILLER.COM, tier1, azcrumpty.dyndns.org, localhost.localdomain, localhost

Apt Proxy Configuration

azcrumpty@tier1:~$ cat /etc/apt/apt.conf.d/00Proxy
Acquire::http::Proxy "http://[2001:470:f379:31::1]:3128";

/etc/squid3/squid.conf

#This file is large and only the changes are shown

...
http_port 80 accel defaultsite=azcrumpty.dyndns.org
...
cache_peer fd01:470:f379:32::20 parent 80 0 no-query originserver name=myAccel
...
acl our_sites dstdomain azcrumpty.dyndns.org
http_access allow our_sites
cache_peer_access myAccel allow our_sites
cache_peer_access myAccel deny all
...
Previous: Firewall Rules
Next: Tier 2 Web Application

IPv6 Home Network DMZ: Ubuntu Tier 2 Server

10/6/2012

 
The tier two server runs application logic for WordPress 3.4.2.  The LAMP install option was chosen in the Ubuntu Server install page, and this server uses static configuration files for name service and network configuration like the other nodes.

Note that the environment file uses tier 2 addresses unlike the tier 1 server.  I could have opened the firewall ports for services to all one interface so the environment files would use the same values.

WordPress was installed into /var/www and configured to talk to the MySQL database in tier three.  You can see the WordPress config has the tier3 name in the database field and that all WordPress files are installed into /var/www.

/etc/environment

# Add proxies to environment file
#
azcrumpty@tier2:~$ cat /etc/environment
PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"
http_proxy="http://[fd01:470:f379:32::1]:3128"
https_proxy="http://[fd01:470:f379:32::1]:3128"
ftp_proxy="http://[fd01:470:f379:32::1]:3128"

/etc/resolv.conf

# set domain name server and domain in resolv conf base

azcrumpty@tier2:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver fd01:470:f379:32::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier2:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth2
iface eth2 inet6 static
     address fd01:470:f379:32::20
     netmask 64
     gateway fd01:470:f379:32::1

wp-config.php

azcrumpty@tier2:~$ grep tier3 /var/www/wp-config.php
define('DB_HOST', 'tier3.chickenkiller.com');

/var/www

# Note WordPress is installed into /var/www without being in a subdir

azcrumpty@tier2:~$ ls -ltr /var/www
total 172
-rw-r--r-- 1 wpwriter wpwriter 1997 Oct 23 2010 wp-links-opml.php
-rw-r--r-- 1 wpwriter wpwriter 3177 Nov 1 2010 wp-config-sample.php
-rw-r--r-- 1 wpwriter wpwriter 4264 Dec 13 2011 wp-activate.php
-rw-r--r-- 1 wpwriter wpwriter 3700 Jan 8 2012 wp-trackback.php
-rw-r--r-- 1 wpwriter wpwriter 271 Jan 8 2012 wp-blog-header.php
-rw-r--r-- 1 wpwriter wpwriter 395 Jan 8 2012 index.php
-rw-r--r-- 1 wpwriter wpwriter 2726 Jan 9 2012 wp-cron.php
-rw-r--r-- 1 wpwriter wpwriter 2788 Feb 16 2012 xmlrpc.php
-rw-r--r-- 1 wpwriter wpwriter 3522 Apr 10 11:21 wp-comments-post.php
-rw-r--r-- 1 wpwriter wpwriter 18299 Apr 21 00:40 wp-signup.php
-rw-r--r-- 1 wpwriter wpwriter 9916 Apr 26 22:54 wp-settings.php
-rw-r--r-- 1 wpwriter wpwriter 7712 May 2 07:32 wp-mail.php
-rw-r--r-- 1 wpwriter wpwriter 19929 May 6 01:28 license.txt
-rw-r--r-- 1 wpwriter wpwriter 1354 May 13 15:41 wp-app.php
-rw-r--r-- 1 wpwriter wpwriter 29084 Jun 26 12:53 wp-login.php
-rw-r--r-- 1 wpwriter wpwriter 9177 Sep 3 17:23 readme.html
-rw-r--r-- 1 wpwriter wpwriter 2395 Sep 4 14:31 wp-load.php
drwxr-xr-x 8 wpwriter wpwriter 4096 Sep 6 13:43 wp-includes
drwxr-xr-x 4 wpwriter wpwriter 4096 Sep 6 13:43 wp-content
drwxr-xr-x 9 wpwriter wpwriter 4096 Sep 6 13:43 wp-admin
-r--r--r-- 1 wpwriter wpwriter 3670 Sep 29 20:38 wp-config.php
-rw-r--r-- 1 wpwriter wpwriter 1150 Sep 29 23:46 favicon.ico
Previous: Tier 1 Reverse Proxy
Next: Tier 3 MySQL Database

IPv6 Home Network DMZ: Ubuntu Tier 3 Server

10/6/2012

 
This tier three server is configured with MySQL, Apache, and phpMyAdmin. The MySQL option was chosen in the Ubuntu Server installer page. PhpMyAdmin can only be reached internally due to the firewall rules granting access and the tier 2 and tier 3 ip addresses being local.

Like tier 2, the environment must be setup to tell software to use the proxy on the nearest interface and apt-get is configured this way as well. This is seen in the configuration files below.

/etc/resolv.conf

azcrumpty@tier3:~$ cat /etc/resolvconf/resolv.conf.d/base
nameserver fd01:470:f379:33::1
domain chickenkiller.com
search chickenkiller.com

/etc/network/interfaces

azcrumpty@tier3:~$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
auto eth2
iface eth2 inet6 static
     address fd01:470:f379:33::30
     netmask 64
     gateway fd01:470:f379:33::1
Picture
phpMyAdmin Managing Wordpress Database
Previous: Tier 2 Web Application
Next: IPv6 External Testing Network

IPv6 Home Network DMZ: External Test Network

10/6/2012

 
The Onion Router can be used to simulate an external network for IPv4, but Teredo Tunneling works well for the same purpose and doesn't have exit node restrictions.  You will need this test network available so you can simulate external clients since your main network is fully trusted.

An Ubuntu Live CD behind NAT in a VirtualBox virtual machine with miredo tunneling installed so IPv6 would be activated is all you need to get up running with an external IPv6 at your premises.  Placing it behind NAT keeps it from receiving route advertisements from the main network so your IPv6 client wont be on your main IPv6 network. 

Boot the virtual machine and ensure a Teredo type tunnel is installed.  For Ubuntu, sudo apt-get miredo does the trick.  There are clients for other operating systems and GoGo6 is one of the more popular choices.

You now have an external network that you can use while at home without needing to leave your premises.

Configuration steps from NAT to test are shown below along with logs showing access and denial of the external client.
Picture
VirtualBox Adapter is NAT
Picture
sudo apt-get install miredo
Picture
teredo tunnel up and running
Picture
Enable IPv6 in Firefox
Picture
Site Working Externally Using Vanity Name
Picture
Site Working Externally With Host Name
You can see the external client accessing the reverse proxy in tier 1 below.
azcrumpty@tier1:~$ sudo tail /var/log/squid3/access.log
[sudo] password for azcrumpty:
1349134298.467 22 fd01:470:f379:32::20 TCP_MISS/000 0 POST http://azcrumpty.dyndns.org/wp-cron.php? - FIRST_UP_PARENT/myAccel -
1349134299.101 4625 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MISS/200 2568 GET http://azcrumpty.dyndns.org/ - FIRST_UP_PARENT/myAccel text/html
1349134299.220 2 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 11737 GET http://azcrumpty.dyndns.org/wp-content/themes/twentyeleven/style.css - NONE/- text/css
1349134299.459 1 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 909 GET http://azcrumpty.dyndns.org/wp-content/themes/twentyeleven/images/search.png - NONE/- image/png
1349134299.558 218 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 68923 GET http://azcrumpty.dyndns.org/wp-content/themes/twentyeleven/images/headers/willow.jpg - NONE/- image/jpeg
1349134299.567 0 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 1393 GET http://azcrumpty.dyndns.org/wp-content/themes/twentyeleven/images/comment-bubble.png - NONE/- image/png
1349134299.774 22 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_REFRESH_UNMODIFIED/200 1524 GET http://azcrumpty.dyndns.org/favicon.ico - FIRST_UP_PARENT/myAccel image/x-icon
1349134323.274 912 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MISS/200 2568 GET http://azcrumpty.dyndns.org/ - FIRST_UP_PARENT/myAccel text/html
1349134323.683 223 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 79982 GET http://azcrumpty.dyndns.org/wp-content/themes/twentyeleven/images/headers/shore.jpg - NONE/- image/jpeg
1349134323.949 0 2001:0:53aa:64c:309f:11b5:bc5a:3450 TCP_MEM_HIT/200 1525 GET http://azcrumpty.dyndns.org/favicon.ico - NONE/- image/x-icon
Below is the firewall preventing the external client from accessing other resources.
Sep 30 09:04:51 router kernel: [909175.337588] RULE 17 -- DENY IN=eth0 OUT=eth1 MAC=08:00:27:1d:0b:27:00:ff:a3:6a:23:29:86:dd SRC=2001:0000:53aa:064c:1829:2d91:bc5a:3450 DST=2001:0470:f379:0031:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=59320 DPT=22 WINDOW=12200 RES=0x00 SYN URGP=0
Sep 30 09:04:54 router kernel: [909177.941026] RULE 17 -- DENY IN=eth0 OUT=eth1 MAC=08:00:27:1d:0b:27:00:ff:a3:6a:23:29:86:dd SRC=2001:0000:53aa:064c:1829:2d91:bc5a:3450 DST=2001:0470:f379:0031:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=59320 DPT=22 WINDOW=12200 RES=0x00 SYN URGP=0
Sep 30 09:05:00 router kernel: [909183.946339] RULE 17 -- DENY IN=eth0 OUT=eth1 MAC=08:00:27:1d:0b:27:00:ff:a3:6a:23:29:86:dd SRC=2001:0000:53aa:064c:1829:2d91:bc5a:3450 DST=2001:0470:f379:0031:0000:0000:0000:0010 LEN=80 TC=0 HOPLIMIT=59 FLOWLBL=0 PROTO=TCP SPT=59320 DPT=22 WINDOW=12200 RES=0x00 SYN URGP=0
Previous: Tier 3 MySQL Database
Next: IPv6 DNS

IPv6 Home Network DMZ: Domain Name Service (DNS)

10/6/2012

 
I took advantage of a FreeDNS provider for these systems.  Reverse DNS only works on tier one since that uses a prefix that can be defined in the DNS provider.  Hurricane Electric's tunnel broker makes delegation for reverse number to name mapping easy so use it to your advantage.

Picture
tunnelbroker.net reverse DNS delegation
Picture
IPv6 Reverse DNS
All hosts are in the chickenkiller.com domain and use the simple names tier1, tier2, and tier3.  However, the site uses a vanity domain of azcrumpty.dyndns.org for presentation.
Picture
IPv6 Subdomains At FreeDNS.Afraid.Org
debian: azcrumpty$ host azcrumpty.dyndns.org
azcrumpty.dyndns.org has address 0.0.0.0
azcrumpty.dyndns.org has IPv6 address 2001:470:f379:31::10
Previous: IPv6 External Test Network
Next: IPv6 Virtual Machines
<<Previous

    Journal

    This is the place for notes and updates.

    azcrumptyon

    Archives

    March 2013
    December 2012
    October 2012
    September 2012
    August 2012
    July 2012
    April 2012
    March 2012
    November 2011
    October 2011
    July 2011
    June 2011
    May 2011
    April 2011

    Categories

    All
    6to4
    Academic Degree
    Anonymous
    Apache
    Apache Http Server
    Automobile
    Blue
    Bridge
    Car
    Cars
    Chrome
    Chrome Os
    Chromium
    Common Gateway Interface
    Compress
    Configure
    Copy
    Dd Wrt
    DD-WRT
    Diesel
    Diesel Engine
    Directories
    Disklabel
    Disk Management
    Disks
    Distance
    Distance Education
    Distance Learning
    Dmz
    Dns
    Driving
    Eco
    Education
    Efficiency
    E-learning
    File
    Filtering
    Firewall
    Freebsd
    Fuel
    Fuel Economy In Automobiles
    Fuel Efficiency
    Green
    Gzip
    Hardware
    Hardware Virtualization
    Hitwise
    Home
    Hosting
    Howto
    Hub
    Hurricane Electric
    Hypertext Transfer Protocol
    Ibm
    Ibm Websphere
    Iis
    Importer
    Internet Service Provider
    Ip
    Ipad
    Ip Address
    Ipv4
    Ipv6
    Lan
    Lastpass
    Learning
    Linux
    Local Area Network
    Master Of Business Administration
    Microsoft
    Microsoft Windows
    Movabletype
    Movable Type
    Multitier Architecture
    Mysql
    Nat
    Network
    Network Interface Controller
    Network Time Protocol
    New York
    New York Times
    Onion
    Online
    Openbsd
    Openvpn
    Operating Systems
    Opera Unite
    Partitions
    Passenger
    Password Management
    Passwordsafe
    Paywall
    Pfsense
    Protocols
    Proxy
    Proxying And Filtering
    Publishing
    Rdns
    Reading
    Red
    Remote
    Replicate
    Reverse
    Reverse Proxy
    Router
    Samba
    Secure Shell
    Security
    Server
    Server Message Block
    Ssh
    Storage
    Tdi
    The Onion Router
    Theory And Research
    Tor
    Torque
    Transfer
    Turbo
    Turbodiesel
    Twitter
    Ubuntu
    Uniform Resource Locator
    United States
    Universal Serial Bus
    Unix
    Usb Flash Drive
    User (computing)
    Virtualbox
    Virtual Hosting
    Virtualized Dmz
    Virtual Machine
    Virtual Private Network
    Vpn
    Wan
    Web
    Web Server
    Windows
    Windows Xp
    Wordpress
    Zone

    RSS Feed

Powered by Create your own unique website with customizable templates.