Author: clamasters

  • pfSense – The Ultimate Free Firewall

    If anyone is looking for an alternative firewall for their home, office, small / medium sized business or enterprise, I may have something in store for you. I have been using pfSense, a BSD-based firewall, at home for about a year and a half. Well, I was using M0n0wall for about 6 months of that, but pfSense is based on M0n0wall so maybe I didn’t lie. Oh well. You can check it out at http://www.pfsense.com .

    Please take some time to mull over all the features that the BSD-based firewall offers for FREE. Unlike a Cisco or Fortigate, you don’t have to pay for the extras that actually make the thing functional. This is one of the best open source firewall solutions on the market, the best in my opinion, but well, that’s my opinion. Take a look for yourself. The website has some tutorials on how to set things up and get you going; however, any computer-savvy home user could set this up without too much fuss.

    The firewall, hardware-wise, doesn’t require much of a system to run. I would recommend a PIII 500MHz with 256MB of memory and 2 NICs to get started. The server/firewall can actually boot and run from the bootable CD, then store its configuration on a floppy if you wish; however, some of the cool additional features cannot be installed that way to make this thing really bad ass. Just install it to a hard disk, something small like a 6GB drive or something. It could also be installed on a solid state disk if you have the time and money. Anywho, once you get the hardware, pop in the CD and floppy and get the thing to a basic config; you will have to tell it which interface is which NIC. So the outside interface goes to NIC fx0 and the inside interface goes to fx1 or something. You’ll figure it out. After you have an IP address on the box you can web into it and configure the rest from there. A few features that are worth mentioning would be:

    Failover/Load Balancing
    SNORT
    Stateful Packet Filtering
    QoS / Traffic Shaping
    Captive Portal
    Wireless LAN Support
    Free Radius
    IPSec Tunnel Support
    OpenVPN Support
    Traffic Graphing with RRD Graphs
    Real Time Graphing
    and many more…

    Please, please, please take a look at this package and give it a try. I know pretty much everybody has an extra computer laying around that they could put this on. If not, let me know and I’ll try to source you one. At work, a colleague of mine and I are working to get these into the production network and possibly offer it as a line of service for our clients. More on what I do and this project later. Enjoy.

  • Backup Strategies

    In my line of business, I often have to install, set up, and maintain backup services for clients on a wide array of hardware and software. In today’s post, I’ll discuss the PROs/CONs of doing different types of backup strategies.

    Daily Full-

    OK, basically this backup strategy is nothing more than backing up all of your data on a daily basis. Depending on how long you want to keep your data around, you would need a very large number of tapes to pull this off effectively. However, for a 7 day data retention policy, you would need a total of 7 tapes, each rotating in on its day of the week.

    PROs: Easy to set up, easy to troubleshoot, ensures that you always have the data that you need on one of your backup tapes.

    CONs: Backup Time, more read/write time on tapes and drive, inefficient

    Recommendation: Great for small businesses with single tape drives, however, requires user intervention on a daily basis to be effective.

    Weekly Full / Daily Incremental-

    This strategy in a nutshell requires you to do exactly what it says: back up your data in full on a weekly basis, then follow that with an incremental (data that has changed since the last full or incremental backup) each day. This strategy allows you to run the most time-consuming portion of your backup on a day or weekend when you are not pressed to get the backup finished by a specific time. Depending on your specific storage needs, you can get an entire week’s backups on two tapes: one tape for your full backup, then another for your daily incremental backups. This can be crafted into a pretty good solution for archiving your data backups or keeping a specific retention policy.

    PROs: Easy to set up, cheap (fewer tapes required), less time required to back up on daily incremental backups.

    CONs: Restores require all previous incremental backups and the last full backup; not having to change tapes every day could make you lazy.

    Recommendations: This backup (in my opinion) is great for just about any size of network or business. The best thing about going this route is you can have as little as one tape or as many as your little heart desires (as long as your data fits).

    Weekly Full / Daily Differential-

    This method is pretty much the same as the previous one, except for the main difference between incremental and differential backups. In a differential setup, you have your full backup, then a backup of everything that has changed since your last full backup. This is different from an incremental because, for example: full backup on Saturday/Sunday, then daily differential backups throughout the week. On Monday, the backup would be exactly the same as in the incremental, but on Tuesday the backup would include everything that changed on Monday and Tuesday since your last full backup on Saturday/Sunday. This trend continues throughout the week, which yes, does increase the size of your backups throughout the week, but your restore only requires the full and the differential that has the version of the file that you would like to restore. The backup retention policy is just as easy to set up and follow as the incremental setup.

    PROs: Easy to set up, requires fewer tapes than daily fulls, faster than daily fulls, easy to recover data.

    CONs: Recovery is still not as quick as a daily full.

    Recommendations: I actually prefer this backup method over the previous two because you get all the benefits of a full backup (well, most of them) and really none of the downfalls.

    Disk to Disk to Tape-

    For the seriously large networks or just big backups, this solution has a lot of value in it. What this allows you to do is have more time for the read/write to your tape backups. For example: do your initial backup utilizing any of the three backup strategies mentioned before, but instead of writing to tape, write to another drive array; then when that backup is finished you have the next 24 hours to complete your backup-to-tape cycle. Now obviously you would need a very large amount of data to get the full benefits out of this, as it will be a little more expensive due to the extra space needed.

    PROs: Allows for plenty of time to back up any amount of data, ensures that you have at least the last day’s backup on disk for quick and easy recovery.

    CONs: Greatly increases cost (extra large drive array needed for disk backup), increases complexity of backup and recovery solution, in most cases requires extra licensing through backup vendor.

    Recommendation: This last backup strategy is really my top choice, but because of its CONs, namely the cost, this way is usually out of the question. However, I would recommend that you at least consider this plan if you are backing up more data than your current tape system allows you to back up in a specific amount of time.

    I hope you read this and take something from it that may be of value; at least consider the possibility that your current solution is not perfect and look for ways to improve it.
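
    The restore-side trade-off described across the three tape strategies above (one tape for a daily full, full plus every incremental, full plus one differential) is easy to see when you play a week of changes through each scheme. The following is an added example, not code from the original post: the file list and the per-day change sets are constructed sample data, and "size" is simply one unit per file written to tape.

```python
"""Simulate the daily-full, weekly-full/daily-incremental and
weekly-full/daily-differential strategies over one week of changes.

Added example, not from the original post. The file set and the daily
change sets are constructed sample data; sizes are counted as one unit
per file written to tape, which is enough to show the trade-offs.
"""
from __future__ import annotations

# Constructed sample: what is on the server, and which files changed each day.
# Day 0 is the weekend full; days 1..6 follow it.
ALL_FILES = {"payroll.xls", "contracts.doc", "inventory.mdb", "photos.zip", "notes.txt"}
DAILY_CHANGES = {
    1: {"payroll.xls"},
    2: {"notes.txt", "inventory.mdb"},
    3: {"payroll.xls"},
    4: set(),                      # a quiet day: nothing changed
    5: {"contracts.doc", "notes.txt"},
    6: {"inventory.mdb"},
}


def plan(strategy: str, changes=DAILY_CHANGES, all_files=ALL_FILES) -> dict[int, set[str]]:
    """Return {day: files written to tape that day} for one strategy.

    full         - every day writes every file
    incremental  - day 0 writes everything, later days only what changed
                   since the previous backup of any kind
    differential - day 0 writes everything, later days everything that
                   changed since the full, so each set grows through the week
    """
    backups = {0: set(all_files)}
    since_full: set[str] = set()
    for day in sorted(changes):
        changed = changes[day]
        if strategy == "full":
            backups[day] = set(all_files)
        elif strategy == "incremental":
            backups[day] = set(changed)
        elif strategy == "differential":
            since_full |= changed
            backups[day] = set(since_full)
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
    return backups


def weekly_tape_volume(backups: dict[int, set[str]]) -> int:
    """Total units written to tape over the week (the 'backup time' CON)."""
    return sum(len(files) for files in backups.values())


def tapes_needed_to_restore(strategy: str, as_of_day: int, backups) -> list[int]:
    """Backup sets that must be mounted to rebuild the whole server as it
    stood at the end of as_of_day. This is the restore-side cost of each strategy."""
    if strategy == "full":
        return [as_of_day]                                  # one tape
    if strategy == "differential":
        return [0] if as_of_day == 0 else [0, as_of_day]    # full + one differential
    # incremental: the full plus every non-empty incremental since it, in order
    return [d for d in range(as_of_day + 1) if d == 0 or backups[d]]


def restore_file(filename: str, as_of_day: int, backups) -> int:
    """Day whose backup set holds the newest copy of filename as of as_of_day.

    The rule is the same for all three strategies: the latest set, up to and
    including as_of_day, that contains the file.
    """
    for day in range(as_of_day, -1, -1):
        if filename in backups[day]:
            return day
    raise KeyError(f"{filename} was never backed up")


if __name__ == "__main__":
    for strategy in ("full", "incremental", "differential"):
        b = plan(strategy)
        print(f"{strategy:12} tape volume={weekly_tape_volume(b):3}  "
              f"restore day 6 needs sets {tapes_needed_to_restore(strategy, 6, b)}  "
              f"payroll.xls from day {restore_file('payroll.xls', 6, b)}")
```

    Run it and the numbers line up with the PROs/CONs: the daily full writes the most but restores from one set, the incremental writes the least but needs every set since the full, and the differential sits in between while always restoring from two.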

  • Cisco vs. Extreme Networks Switching Commands

    Don’t get your hopes up, I’m not taking sides here. I just wanted to show how the companies differ in basic switch configuration. Now for those of you who don’t know who Extreme is, they are the purple ones, better known as Extreme Networks. They offer some pretty nice products that compete very well with the likes of Cisco or HP. Feel free to check out their product line at http://www.extremenetworks.com/.

    Configuring VLANs:

    Extreme – Create 2 VLANs and basic configuration

    create vlan data
    configure vlan data tag 2
    configure vlan data ipaddress 10.0.2.1/24
    create vlan voice
    configure vlan voice tag 3
    configure vlan voice ipaddress 10.0.3.1/24
    enable ipforwarding

    Cisco – Create 2 VLAN interfaces and basic configuration

    vlan database
    vlan 2 name data
    vlan 3 name voice
    exit
    configure terminal
    ip routing
    interface vlan 2
    ip address 10.0.2.1 255.255.255.0
    no shutdown
    interface vlan 3
    ip address 10.0.3.1 255.255.255.0
    no shutdown

    Port Configuration

    Extreme

    -switch to pc on (vlan 2)
    configure vlan data add port 4 untagged
    -switch to phone (vlan 3) and PC (vlan 2)
    configure vlan voice add port 4 tagged
    configure vlan data add port 4 untagged
    -switch to phone (vlan 3)
    configure vlan voice add port 4 tagged
    -switch to switch
    configure vlan default add port 1 tagged
    configure vlan data add port 1 tagged
    configure vlan voice add port 1 tagged

    Cisco (skipping configure terminal)

    -switch to pc on (vlan 2)
    interface g0/4
    switchport mode access
    switchport access vlan 2
    -switch to phone (vlan 3) and PC (vlan 2)
    interface g0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    switchport trunk native vlan 2
    -switch to phone (vlan 3)
    interface g0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
    -switch to switch
    interface g0/4
    switchport trunk encapsulation dot1q
    switchport mode trunk
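
    The two command sets above express one intent (which VLANs exist, which port carries which VLAN tagged or untagged) in two vocabularies, and the mapping is mechanical: Extreme adds a port to each VLAN tagged or untagged, while Cisco makes a port either an access port or an 802.1Q trunk with a native VLAN for the untagged side. The following is an added example, not code from the original post or a tool from either vendor, that generates both from the same small model. The Vlan/Port records are constructed sample data, the GigabitEthernet0/ interface prefix is an assumption, and it goes a step beyond the post by pruning each trunk to the VLANs it actually needs.

```python
"""Emit one VLAN/port intent as both Extreme (XOS-style) and Cisco IOS
commands, following the two command sets compared above.

Added example, not from the original post and not a tool from either
vendor. The Vlan/Port records below are constructed sample data, the
Cisco interface prefix is an assumption, and the command strings are
the ones the post uses, written out in full.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Interface


@dataclass
class Vlan:
    name: str
    tag: int
    address: str | None = None       # routed interface, e.g. "10.0.2.1/24"


@dataclass
class Port:
    number: int
    untagged: str | None = None      # VLAN name carried untagged (a PC)
    tagged: list[str] = field(default_factory=list)  # VLAN names carried tagged


def extreme_config(vlans: list[Vlan], ports: list[Port]) -> list[str]:
    lines = []
    for v in vlans:
        if v.tag != 1:               # "default" (tag 1) already exists on the switch
            lines.append(f"create vlan {v.name}")
            lines.append(f"configure vlan {v.name} tag {v.tag}")
        if v.address:
            lines.append(f"configure vlan {v.name} ipaddress {v.address}")
    if any(v.address for v in vlans):
        lines.append("enable ipforwarding")
    # Extreme says it directly: a port is added to each VLAN tagged or untagged.
    for p in ports:
        if p.untagged:
            lines.append(f"configure vlan {p.untagged} add port {p.number} untagged")
        for name in p.tagged:
            lines.append(f"configure vlan {name} add port {p.number} tagged")
    return lines


def cisco_config(vlans: list[Vlan], ports: list[Port],
                 prefix: str = "GigabitEthernet0/") -> list[str]:
    tag = {v.name: v.tag for v in vlans}
    lines = ["vlan database"]
    for v in vlans:
        if v.tag != 1:               # VLAN 1 exists and cannot be renamed
            lines.append(f"vlan {v.tag} name {v.name}")
    lines += ["exit", "configure terminal"]
    if any(v.address for v in vlans):
        lines.append("ip routing")   # Cisco's counterpart to "enable ipforwarding"
    for v in vlans:
        if v.address:
            iface = IPv4Interface(v.address)
            lines += [f"interface vlan {v.tag}",
                      f"ip address {iface.ip} {iface.netmask}",
                      "no shutdown"]
    for p in ports:
        if not p.untagged and not p.tagged:
            raise ValueError(f"port {p.number} belongs to no VLAN")
        lines.append(f"interface {prefix}{p.number}")
        if not p.tagged:
            # Untagged only: a plain access port.
            lines += ["switchport mode access",
                      f"switchport access vlan {tag[p.untagged]}"]
            continue
        # Any tagged member means an 802.1Q trunk. Set the encapsulation before
        # the mode; platforms that also speak ISL reject the other order.
        lines += ["switchport trunk encapsulation dot1q", "switchport mode trunk"]
        if p.untagged:
            # Untagged frames on a trunk ride the native VLAN; "switchport access
            # vlan" has no effect once the port is trunking.
            lines.append(f"switchport trunk native vlan {tag[p.untagged]}")
        members = sorted({tag[n] for n in p.tagged} | ({tag[p.untagged]} if p.untagged else set()))
        # Prune the trunk to the VLANs it actually needs rather than every VLAN.
        lines.append("switchport trunk allowed vlan " + ",".join(map(str, members)))
    return lines


# Constructed sample mirroring the post: data and voice VLANs, a phone+PC port
# and an uplink that carries every VLAN tagged.
VLANS = [Vlan("default", 1), Vlan("data", 2, "10.0.2.1/24"), Vlan("voice", 3, "10.0.3.1/24")]
PORTS = [Port(4, untagged="data", tagged=["voice"]),
         Port(1, tagged=["default", "data", "voice"])]

if __name__ == "__main__":
    print("\n".join(extreme_config(VLANS, PORTS)))
    print("---")
    print("\n".join(cisco_config(VLANS, PORTS)))
```

    Keeping the intent in one place and generating both dialects is also a cheap way to catch the mismatch that bites most often when translating by hand: a port that needs both an untagged PC VLAN and a tagged phone VLAN must become a trunk with a native VLAN on Cisco, not an access port.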

    Show Commands

    Extreme – show port 4 information detail
    Cisco – show interface g0/4
    Extreme – show iproute
    Cisco – show ip route
    Extreme – show edp port all
    Cisco – show cdp neigh
    Extreme – show vlan
    Cisco – show vlan
    Extreme – show fdb
    Cisco – show mac-address-table
    Extreme – show config
    Cisco – show run

    Saving your work

    Extreme – save
    Cisco – write memory
    Extreme – upload configuration vr vr-default 10.0.0.100
    Cisco – copy start tftp

    Starting over

    Extreme – unconfigure switch all
    Cisco – write erase

  • And then there was Ubuntu…

    Quite recently my eyes were opened to a Linux distribution called Ubuntu. The latest release from the open source company Canonical is called Feisty Fawn. How can you deny or refuse a name like that? 🙂

    Well, I figured I would dedicate a post to how much I truly enjoy the OS versus its Linux competitors as well as the big Microsoft. The installation disk is easily available via http://www.ubuntu.com where you can either download it or have 1 or more copies sent to you via snail mail (I get 25 because I’m a consultant). On the install CD (not DVD) there are a few cool features that make the product stand out from the rest, like a suite of open source Windows apps that can be installed directly from the CD, including Firefox, Thunderbird, Clam AV, and others. Truly unique. Then when you boot from the CD you actually boot to a live distribution where you can either use the live CD to see if you will actually like it or install it to your hard drive via a very intuitive wizard. The wizard asks you a few non-technical questions and guides you through the install. You can dual boot with Windows or another OS or just wipe the drive and start fresh.

    On a side note, because of how well set up the live CD is, you can actually read and write to the NTFS, FAT or other drives that you have in your computer, making it a quick and easy disk recovery tool. Still not impressed? OK, I really haven’t told you very much, but for the novice user these fundamental options make the OS very attractive. After you go through the install, you reboot and come up to a login window and then into the operating system. The only thing my laptop needed in addition to the OS install was the Broadcom WiFi card firmware for my specific hardware, which was easily done in Ubuntu’s intuitive package manager, Synaptic. Synaptic is a front end for apt-get that makes installing and updating packages a cinch.

    I usually judge a product by its “Out of the Box” features. As for Ubuntu, the OS installs Firefox, Evolution Mail, Gaim, OpenOffice, graphics rendering software, a photo viewer, a suite of games, and a terminal services client. So in my opinion, it’s already a step ahead of Microsoft. Accessing shares and other network resources is quite simple, just like in XP, and it has a neat feature that saves the user name and password for a particular network resource in its password manager.

    I plan to do a few more blog entries regarding the use and utilization of Ubuntu in the home, business and corporate environment on both the client and server end of the spectrum. As the OS is still a Linux derivative, it can run Postfix, Sendmail, Apache, MySQL, SpamAssassin, and all of the server-centric applications that we rely on every day. Hope you all at least give the OS a try; I’ll have my first Ubuntu “how-to” on here soon for your enjoyment.

  • Helpful Cisco Commands

    Well, this is my first tech post so I’ll make it an easy one. I’ll put up a few of the commands that I regularly utilize on Cisco routers and switches to make my life easier.

    | (Pipe) command output modifier –

    Alrighty, this truly is a basic command. You issue a normal command at the privileged exec level and add the | (pipe) afterwards, followed by an i (include), e (exclude) or b (begin) and the text to match. Begin is not available in all IOS versions.

    Command Example:

    show run | i ip route

    would show something like this:

    ip route 10.0.0.0 255.255.255.0 11.24.1.1 name default
    ip route 10.1.255.0 255.255.255.0 11.24.1.2 name backup_net

    If you were to replace the i with a b, the output would begin at the first “ip route” line and continue on with the rest of the config. This would be useful for those really long configs where you might be working on the dial-peers and don’t care to scroll through 500 lines of the config to get there. The e option would exclude any line matching what follows it. This might come in handy when you want to skip ip address or access-list lines. Hope this helps; I was lucky enough to learn these tricks early on and didn’t have to struggle for too awful long. Good luck.
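
    To make the three modifiers concrete, here is an added example, not code from the original post, that applies include, exclude and begin to a captured running config the way IOS does (the text after the modifier is a regular expression matched anywhere in the line). SAMPLE_RUNNING_CONFIG is a constructed config, not from a real device; only the two “ip route” lines come from the post.

```python
"""Reproduce the IOS `| include`, `| exclude` and `| begin` output
modifiers over a captured running config, so you can see exactly which
lines each one keeps.

Added example, not from the original post. SAMPLE_RUNNING_CONFIG is a
constructed config, not a real device's; only the two "ip route" lines
come from the post.
"""
from __future__ import annotations

import re

SAMPLE_RUNNING_CONFIG = """\
hostname edge-rtr
ip domain-name example.invalid
interface FastEthernet0/0
 ip address 11.24.1.10 255.255.255.0
 no shutdown
interface FastEthernet0/1
 ip address 10.0.0.1 255.255.255.0
ip route 10.0.0.0 255.255.255.0 11.24.1.1 name default
ip route 10.1.255.0 255.255.255.0 11.24.1.2 name backup_net
access-list 10 permit 10.0.0.0 0.0.0.255
dial-peer voice 100 pots
 destination-pattern 9T
 port 0/0/0
end
"""


def pipe(output: str, modifier: str, pattern: str) -> list[str]:
    """Apply one output modifier the way IOS does.

    IOS treats the text after include/exclude/begin as a regular
    expression matched anywhere in the line, case-sensitively.
    """
    rx = re.compile(pattern)
    lines = output.splitlines()
    if modifier in ("i", "include"):
        return [line for line in lines if rx.search(line)]
    if modifier in ("e", "exclude"):
        return [line for line in lines if not rx.search(line)]
    if modifier in ("b", "begin"):
        # Everything from the first matching line to the end of the output.
        for idx, line in enumerate(lines):
            if rx.search(line):
                return lines[idx:]
        return []          # no match: IOS prints nothing at all
    raise ValueError(f"unknown modifier {modifier!r}; use i, e or b")


if __name__ == "__main__":
    for mod, pat in (("i", "ip route"), ("b", "dial-peer"), ("e", "ip address")):
        print(f"show run | {mod} {pat}")
        print("\n".join(pipe(SAMPLE_RUNNING_CONFIG, mod, pat)), end="\n\n")
```

    Because the match is a regex, anchoring the pattern (for example `^interface`) narrows it to lines that start with the text rather than any line that merely contains it, which matters when a keyword such as “ip” shows up in many contexts.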