Thomas' ramblings

Patch for proftpd mod_clamav

Thu, 25 Mar 2010 13:44:37 GMT

This fixes bug number 1 "Clamd protocol change introduced in version 0.95" !
See https://secure.thrallingpenguin.com/redmine/issues/show/1
The ticket system for proftpd mod_clamav module does not allow me to add a patch. So here it is.
This is the daftest patch I ever wrote. It is one hour of my life I will never get back !!

Do not forget that on most recent Linux distro, you setup apparmor to let clamd read/write the files to scan.

root@750-11:~/install/mod_clamav-0.10# diff -u mod_clamav.c.org mod_clamav.c
--- mod_clamav.c.org	2010-03-25 11:02:36.000000000 +0000
+++ mod_clamav.c	2010-03-25 13:28:24.000000000 +0000
@@ -107,7 +107,7 @@
  * Start a session with Clamavd.
  */
 int clamavd_session_start(int sockd) {
-	if (sockd != -1 && write(sockd, "SESSION\n", 8) <= 0) {
+	if (sockd != -1 && write(sockd, "nIDSESSION\n", 11) <= 0) {
 		pr_log_pri(PR_LOG_ERR, 
 				MOD_CLAMAV_VERSION ": error: Clamd didn't accept the session request.");
 		return -1;
@@ -119,7 +119,7 @@
  * End session.
  */
 int clamavd_session_stop(int sockd) {
-	if (sockd != -1 && write(sockd, "END\n", 4) <= 0) {
+	if (sockd != -1 && write(sockd, "nEND\n", 5) <= 0) {
 		pr_log_pri(PR_LOG_INFO, 
 				MOD_CLAMAV_VERSION ": info: Clamd didn't accept the session end request.");
 		return -1;
@@ -183,7 +183,7 @@
 		return -1;
 	}
 	
-	sprintf(scancmd, "SCAN %s\n", abs_filename);
+	sprintf(scancmd, "nSCAN %s\n", abs_filename);
 	
 	if (!clamavd_connect_check(sockd)) {
 		if ((clamd_sockd = clamavd_connect()) < 0) {

Broken Link

Fri, 30 Oct 2009 13:09:00 GMT

If you just followed a link and did not land on the page you expected, this is normal, just continue reading

This site is went from using Templeet to MiniTiddlyServer (a wiki server extension for TiddlyWiki) to simply TiddlyWiki. This mean that all the site in now self contained in one html document ..

Using the search box on the top right, or using the tags on the bottom right you should be able to bring the page you are looking in no time.

You can take a full offline copy of this site by right clicking here and saving the document.

OpenSource

Fri, 30 Oct 2009 13:07:00 GMT

My most recent work related OSS like a BGP route injector, or network tools can be find at http://wiki.exa.org.uk/.

Enabling ipv6 on a Juniper M-serie

Sat, 09 May 2009 11:38:00 GMT

This page is based on diffs done on our configurations before and after some work on our network (mostly by Richard). This is not a step by step how-to but enough information to give you an overview of the work performed to enable ipv6 (and an idea of the complexity).

add some ipv6 loopback to your machine (for BGP, etc.)

[edit interfaces lo0 unit 0]
family inet6 {
   address 2a02:b80::4:0:1/128;
   address 2a02:b80::4:0:B3/128;
}

make sure your tunnel interface are not using ethernet (it does not support ipv6) and use frame-relay instead.
We use logical-routers and it is needed to connect them using ipv6.

[edit interfaces lt-1/2/0 unit 0]
- encapsulation ethernet;
+ encapsulation frame-relay;
+ dlci 201;

add the transfer network you need on your interfaces (we use some /80 part of one /64 allocated for transfer net only).

[edit interfaces ge-0/3/0 unit 1]
family inet6 {
    address 2a02:b80:0:2:F:0:6:1/80;
}

where in IPv4 we were using /24 to connect servers, we now use some IPv6 /64,

[edit interfaces ge-0/3/0 unit 2]
family inet6 {
    address 2a02:b80:0:90::1/64;
}

allows autoconfiguration of your hosts (the MAC address is used for the end part of the IP) - if you want it

[edit protocols]
router-advertisement {
    interface ge-0/3/0.2 {
        prefix 2a02:b80:0:90::/64;
    }
}

updating our rib groups to include ipv6 rib to complement the already existing IPv4

[edit routing-options]
rib-groups {        
    if6-rib {       
        import-rib inet6.0;
    }               
    isis6-rib {     
        export-rib inet6.0;
        import-rib inet6.0;
}

routing table groups for interface routes

[edit routing-options]
interface-routes {
rib-group {
    inet6 if6-rib;
}

enable ipv6 routing for your IGP

[edit protocol isis]
- no-ipv6-routing;

[edit protocol isis]
rib-group {
    inet isis-rib;
    inet6 isis6-rib;
}

we are filtering the static route getting into isis, update the policy-statement to be IPv6 aware

[edit protocol isis]
export static-to-isis;

[edit policy-options]
policy-statement static-to-isis {
    term from-v4 {
        from {
            protocol static;
            family inet;
            prefix-list static-to-isis;
        }
        to protocol isis;
        then accept;
    }
    term from-v6 {
        from {
            protocol static;
            family inet6;
            prefix-list static6-to-isis;
        }
        to protocol isis;
        then accept;
    }               
}

prefix-list static6-to-isis {
    2a02:b80:0:6:7b::1/128;
}

the matching static route would be something like

[edit routing-options rib inet6.0]
rib inet6.0 {
    static {
        route 2a02:b80:0:6:7b::1/128 {
            next-hop 2a02:b80:0:100:0:0:0:1;
            resolve;
        }
}

We are using communities to define our bgp export policies, add our network to the community needed for ebgp to let our peer/transit know about our RIPE allocation

[edit protocol bgp]
group ibgp-v6 {
    type internal;
    local-address 2a02:b80::4:0:b3;
    import blackhole;
    family inet6 {
        any;
    }
    authentication-key ""; ## SECRET-DATA
    export [ v6-only originate-community originate-customer export-ibgp next-hop-self ];
    peer-as 30740;
    neighbor 2a02:b80::7:0:b3;
    neighbor 2a02:b80::5:0:b3;
}

[edit policy-options]
policy-statement v6-only {
    from family inet;
    then reject;
}

[edit policy-options]
policy-statement originate-community {
    from community originate;
    then {
        next-hop self;
        accept;
    }
}

community originate members 30740:30740;

[edit routing-options rib inet6.0]
aggregate {
    route 2a02:b80::/32 {
        community 30740:30740;
        as-path {
            origin igp;
        }
    }
}

source a default route (if you want/need it)

[edit routing-options rib inet6.0]
generate {
    route ::/0 discard;
}

if all works you want to peer :)

[edit protocol bgp]
group linx-v6 {
    type external;
    description "LINX IPv6 Peers";
    local-preference 175;
    local-address 2001:7f8:4::7814:1;
    log-updown;
    import [ v6-only no-ix no-bogons-v6 no-small-prefixes-v6 no-leak tag-peering tag-linx damping local-preference-linx local-preference-peer no-community-import ];
    family inet6 {
        unicast;
    }
    export [ v6-only originate-community originate-customer no-transit no-small-prefixes-v6 export-peering export-linx no-community-export next-hop-self ];
    remove-private; 
    neighbor 2001:7f8:4:0::1b1b:1 {
        apply-macro inet6 {
            prefix-limit 10000;
        }
        description "AS-HURRICANE | Hurricane Electric | noc@he.net | ";
        peer-as 6939;
    }
}

[edit policy-options]
policy-statement no-bogons-v6 {
    term default-route {
        from {
            family inet6;
            route-filter ::/0 exact;
        }
        then reject;
    }
    term general-badness {
        from {
            family inet6;
            /* Old 6bone */
            route-filter 3ffe::/16 orlonger;
            /* Loopback, unspecified, v4-mapped */
            route-filter ::/8 orlonger;
            /* Documentation Prefix */
            route-filter 2001:db8::/32 orlonger;
            /* Teredo - No more or less specifics */
            route-filter 2001::/32 exact next policy;
            route-filter 2001::/31 longer;
            /* 6to4 - allow exact /16 */
            route-filter 2002::/16 exact next policy;
            route-filter 2002::/16 longer;
            /* multicast ranges, RFC3513 */
            route-filter fe00::/9 orlonger;
            route-filter ff00::/8 orlonger;
        }
        then reject;
    }
}

policy-statement no-small-prefixes-v6 {
    from {
        family inet6;
        route-filter ::/0 prefix-length-range /49-/128 reject;
    }
    then reject;
}

eh ! we missed v6 in that one :D

policy-statement no-ix {
    from {
        /* Enlix */
        route-filter 193.189.130.0/24 orlonger reject;
        /* LINX */
        route-filter 195.66.224.0/22 orlonger reject;
        /* AMS-IX */
        route-filter 195.69.144.0/23 orlonger reject;
    }
    then reject;
}

That is more or less it.. just need to update my RIPE tools now :(

ScavengerEXA

Sun, 01 Feb 2009 09:58:00 GMT

The last few weeks I have been actively working on a new anti-spam software now named ScavengerEXA.

ScavengerEXA differentiates itself from other solutions by analysing the mail leaving a network and not entering a mail server and can be run mail infrastructure, making it useful to a different audience in the Internet infrastructure community (Hosting providers and Cloud services as well as ISP's, for example).

Generating NAPTR and SRV record for TINYDNS

Wed, 08 Oct 2008 22:00:00 GMT

TINYDNS is a good DNS server, however tinydns-data is missing some builtin syntax for the generation of NAPTR and SRV record.

Anders Brownworth wrote a nice web page on which generate those record using the tinydns generic record syntax here.

However I needed to be able to generate those record for the configuration of IENUM (technically ENUM on private DNS) from some of our python code.
As a result I wrote the following "library" to generate some domain SIP NAPTR and SRV records.

Hopefully it may save someone the time to reverse engineering Anders' page output.

A bug was fixed on the 8th of october 2008

Obfuscated TCP

Wed, 08 Oct 2008 10:00:00 GMT

Google seems to have reacted to the menace Phorm is creating to their business model with Obfuscated TCP. It is interesting to see someone of Google stature pushing forward some of the idea presented Daniel Bernstein.

Rambling

Mon, 30 Jun 2008 13:05:00 GMT

Once uppon a time, I used to ramble a lot about various ISP/technical related matters (mainly Phorm and ISP 'hidden' traffic shaping). I removed most of the documents as I was not updating them often enough to keep them accurate and provided a summary on traffic shaping and Phorm.

The real cost of P2P

Mon, 30 Jun 2008 13:01:00 GMT

Should you read Slashdot, you must have already seen its readers complaining about their ISP traffic shaping policies.
When working in the ISP industry it is painful to see the lack of understanding those 'techies' are displaying.

In the UK, if anything ISPs are guilty of bad advertising misleading customers with 'up to' speeds and obscure fair usage policies and trying to market their product on price instead of quality (but Internet is a commodity market nowdays, so it is to be expected)

Customers should be clearly told that DSL product sold are contended. Previously dialup products were as well, but the impact with dialup was much more noticeable with the inability to get online.

The recent increase in content (video even more than P2P) has recently caused many of them to realise that they had oversubscribed their infrastructure to the point they could not deliver to their customers what they came to expect.
Once down to the wall, ISPs had only a few options :
* raise price to reflect the cost of running the service at a low contention (and we all know that it is impossible)
* apply traffic policing globally (everyone is slowed down the same way to modem speed).
* apply targeted traffic policy (P2P users here you are)

As it is hard to tell a customer, who may cancel its contract returning a then useless free router, that he can no longer have fast email and web surfing, the path of least resistance is to throttle P2P traffic which is an important part (but not all) of an ISP traffic, freeing capacity for other services and allowing to delay infrastructure upgrade.
(The cost of implementing traffic shaping is recovered if it allows to delay a network upgrade if only for a month!)

For information, an ISP for a DSL service can be simplified as:
* the 'last mile' cost from the home to the exchange
* the cost of the space used, power consumed and hardware located at the exchange
* the cost of moving the traffic within the country (fiber, etc.)
* the cost of the space used, power consumed and hardware located at national point of presence
* the cost of moving the traffic to other ISPs
* the cost of supporting the customer (ie: taking unrelated calls about their virus or other issues)
* the cost of collection the client payment
* all other generic business

For quite few small/medium ISPs, the transit cost (the cost an ISP will pay for another bigger ISP to take its traffic somewhere worldwide) is more than the income that the customer provides. Most ISPs are making a loss trying to become big enough to be acquired.
P2P being notably known to not really care about locality, one can see why it is the target of shaping (with the fact that the biggest torrent are often providing copyrighted material for which end users may or may not have a license to see/use).

In that context it is not surprising that the industry is facing issues and trying to find more income streams (see my rant on Phorm).

Software

Mon, 30 Jun 2008 11:28:00 GMT

All the documents related to software I wrote are tagged with 'Software', you can find them using the search feature or the 'Tags' tab.

Network

Mon, 30 Jun 2008 11:27:00 GMT

All the documents related to networking are tagged with 'Network', you can find them using the search feature or the 'Tags' tab.

PageTemplate

Sun, 29 Jun 2008 20:11:00 GMT

<div class='header' macro="gradient vert #5c4894 #6b69ad">
    <div>
       <span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;
       <span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>
    </div>
    <div id='topMenu'>
       <span refresh='content' tiddler='MainMenu'></span>
    </div>
</div> 
<div id='sidebar'>
	<div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>
	<div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>
</div>
<div id='displayArea'>
	<div id='messageArea'></div>
	<div id='tiddlerDisplay'></div>
</div>

StyleSheet

Sun, 29 Jun 2008 20:07:00 GMT

.headerForeground { display: none;}
#sidebar {width: 170px; background: #efefef;border-left: solid 2px #b8b9c7;border-top: solid 2px #d7d8e8;}
#sidebarTabs .tabContents {width: 158px; background: #eae9ee;font-weight: bold; color: #333 ;}
#sidebarOptions input { border: solid 2px #b8b9c7; }
#sidebarOptions .sliderPanel { background: #eee;}
#sidebarOptions a {;border: none;}
#sidebarOptions .sliderPanel a {border: none;color: #5c4894;}
#displayArea {background: #fff;margin: 1em 15.7em 0em 1em;border-left: solid 2px #b8b9c7;}
.viewer {line-height: 1.4em;padding-bottom: 1em;border-bottom:solid 1px #b8b9c7;}
.viewer th, thead td {background: #5d4b97;border: 1px solid #666;color: #fff;}
.title {color: #000}
h1,h2,h3,h4,h5 {color: #fff;background: #6b69ad;}
a{ color: #700126;}
a:hover{ background: #6b69ad; color: #fff;font-weight: bold;}
.externalLink {	text-decoration: underline; color: #000083;}
body {	background: #d7d8e8;}
.popup { background: #6b69ad; border: 1px solid #04b;}
.popup li a:hover {background: #d7d8e8;color: #000;border: none;}
.popup li.disabled {color: #000;}
.button:hover {color: #fff;background: #6b69ad;
	border: 1px solid #d7d8e8;}
#topMenu { background: transparent; padding: 6px;margin-left: -5px;border-bottom: solid 3px  #5c4894;}
#topMenu .button,  #topMenu .tiddlyLink, tiddlyLinkExisting, #topMenu .externalLink
{
	color: #fff;
	text-align: center;
	font-weight: bold;
	font-size: 1.1em;
	text-decoration: none;
	letter-spacing: 1.5px;
	background: transparent;
	border-right: solid 1px #fff;
        padding: 5px 15px 8px 15px;
}
#topMenu a:hover {
	color: #700126;
	background: #d7d8e8;
}
#topMenu br {display: none; padding-right: 1em;}
#topMenu span .tiddlyLinkNonExisting {font-style:normal;}

Topology

Sun, 29 Jun 2008 18:44:00 GMT

The bgp articles on this site are using based on the following virtual network. The router are owned by an ISP with its own AS number. The IGP is EIGRP as it is the protocol I am most familiar with at the time of writing (it could be OSPF or IS-IS).

Servers

The following server are present on the network:
10.0.0.1 Primary caching DNS
10.1.0.1 Secondary caching DNS
10.2.3.200 SNMP Monitoring station
10.2.3.201 SYSLOG loging server
10.2.3.202 NTP server
10.2.3.205 Netflow monitoring server

IP Range

The ISP internal range is:
10.0.0.0/16 AS 65200
10.1.0.0/16 AS 65200
10.2.3.0/24 AS 65200

The ISP provides transit to:
192.168.0.0/24 AS 65350
192.168.1.0/24 AS 65360

The Internet Exchange

The exchange Information is running a dual ring topology with a separate /23 for each
172.16.0.0/23 AS 65400
172.16.2.0/23 AS 65400

Internal routing

It is assumed that the 192.168.0.0/24 and 192.168.1.0/24 are available through the IGP. The client eBGP connection is configured to pass through another internal routers (multi-hop), which will have a directly connected interface or a static route to the networks advertised.

No encryption is used between BGP peers, no access list is in place to protect EIGRP, BGP and NTP traffic to the router.

The local preference used are beetween 100 and 200. To calculate the RIPE preference, apply the following rule : ripe_pref = 200 - local_pref

Home

Sun, 29 Jun 2008 18:33:00 GMT

Software related stuff
Network related stuff
About this site and me

Should you want to contact me feel free to email me here.
My public PGP key is here.

Should you want to link to this site please use http://thomas.mangin.com/ as hostname

GettingStarted

Sun, 29 Jun 2008 18:31:00 GMT

To get started with this blank TiddlyWiki, you'll need to modify the following tiddlers:

SiteTitle & SiteSubtitle: The title and subtitle of the site, as shown above (after saving, they will also appear in the browser title bar)
MainMenu: The menu (usually on the left)
DefaultTiddlers: Contains the names of the tiddlers that you want to appear when the TiddlyWiki is opened

You'll also need to enter your username for signing your edits:

DefaultTiddlers

Sun, 29 Jun 2008 18:24:00 GMT

About
OpenSource
Broken Link

MainMenu

Sun, 29 Jun 2008 18:22:00 GMT

Network
Software
Rambling

SiteSubtitle

Sun, 29 Jun 2008 18:20:00 GMT

a site with no purpose

SiteTitle

Sun, 29 Jun 2008 18:19:00 GMT

Thomas' ramblings