Saturday, June 7, 2003

Unanticipated Performance Gain!

After last night's posting about the NS server box going through its next phase of life, I was glad to be done. Now both machines are running the exact same OS...with many cool features between the two (and set up the way I want them to be now).

One slightly anticipated (but not expected to notice) performance gain was with the transition to iptables. Ipchains is the slower of the two...and was what I previously used. After reading things about slight (~16ms) performance increases, I didn't anticipate much; however, I was to be surprised. I've not measured anything, but my educated guess is that the performance boost I've gotten from the transition is on the order of (several) hundred milliseconds. smile

Things are being routed much faster than before...and it's very noticeable. This is good...and proves that it was a good move to make.

Until next time...

Friday, June 6, 2003

The Server LIVES!

After taking far too long to get to this evening, I finally tackled the server conversion project. Ultimately with success, although the battle was not trivial, either.

First off, I had to make some hardware changes (remove extra drives) to the server box. This was necessary for heat purposes in particular, as the machine was running really hot with the extra drive (due to the way I had to have them mounted). Since I no longer needed that drive (and it had a few bad blocks), it was a good time to get rid of it.

So, I got that taken care of, and began the installation. Not a problem, and went smoothly (aside from the time factor...since I'm running on a really slow old machine).

Then came configuration time. First of all was the network. This ultimately became the trickiest part, as the network cards were detected in the opposite order I'd had them in under the old system. So, after several restarts and some tricky configuration stuff, I got it fixed without a problem. However, that took time...and also meant that I had to change my iptables configuration to match. But, while the server box was online itself, I hadn't yet managed to get the internal network online.

Named (the DNS server) was the first service to come back online...mostly because it's the most important. Quick copies of configuration files made that simple.

Then came ntp and SMB services. Again, copies of configuration files...went pretty quick.

Then came the iptables beast. Keep in mind that while I'd written firewall rules for iptables based upon my old ipchains settings, they were completely theoretical (the changes I had to make between versions) and hadn't been tested. With that said, things went pretty smoothly. I found some weirdnesses instantly, and those needed to get fixed before I totally went online. But, for the time being, it's working...and based upon the packet filtering stuff I'm seeing logged, the firewall is doing its thing. I'll probably wait a few days and make notes of things that are showing up log-wise that I no longer wish to see...and make changes or such...but for now... smile

I also took this opportunity to make a (really) handy NFS export from the internal server box -- for /home. This means that /home is a shared directory between the two machines: what I put there on one machine is automatically available on the other. Very handy for most things I do.

So, minus some minor changes which are sure to come in the next week or so (fixes, etc.), the server project is complete. And it only took 4 hours to complete (the install/configuration phase).

But, seeing as how it's now 12:15am...and my alarm is set for 6:40am...I'm heading for bed, happy that 'everything has worked out okay'... smile

Thursday, June 5, 2003

Server Update!

After some wrestling with FTP, NFS, SMB, and all other sorts of file transfer/sharing protocols, I managed to get the data I want to keep from the old server box backed up. It wasn't pretty. For some reason (to the best of my knowledge), an old session of nautilus (the file browser in RedHat and Gnome) was hung up...and un-killable. Then for some reason the NFS shares from the NS (old server) box were also hung up. A restart of NFS on both sides quickly took care of that problem, but nautilus was still being a bitch.

The idea was to copy/paste from within Gnome, saving keyboard typing and such.

Anyway, I revert to the console bit of cp -r [source] [destination] -- not a problem, right? WRONG! The nautilus thing had hung another process...and NFS had also hung up (as nautilus died when it was trying to view NFS shares). So I restart both NFS processes on both sides, assuming it'd work. Of course not. After much tinkering, I finally gave up in the hopes of using FTP quick.

FTP worked for about half of the data I wanted to transfer, until my Windows FTP client decided to crash. As I didn't want to use FTP in the first place, I decided to do something else instead of even bother with that again.

So I decided to manually copy files to a Windows share on NS, then grab them from the SERVER (new server) side. This worked great after messing with all sorts of permissions issues. The next task, however, was more daunting.

After all this random copying stuff (of course, each copy had to go in a different place due to file permission/access rights), I had (in some cases) three copies of the same file. I only need one. So, I spent some time messing with organization, which I finally have finished to an extent I'm pleased with.

After all of that was done, I still needed to open both server cases for the installation of new fans. Each server (of the two) got an additional exhaust fan. This will hopefully help keep them in a more stable, cool environment. At that time, it seemed a Good Thing to probably restart the SERVER box. After messing with some permissions on NS, I really decided it best to leave that beast run as-is for the time...

Of course, by now it's nearly 9pm. As I have to be to work by 7:30am tomorrow, and the reinstallation of RedHat that I will do on the machine will take several hours (especially with the P-233MMX processor), I have left the reinstall part until tomorrow afternoon. Especially because I need to make some changes with the number of drives in what used to be the main server box on the I'll be messing with that kind of stuff...which only adds to the total time.

Call me a geek (and that's okay), but even though I could get the NS box back up if I really wanted to tonight, I also value sleep...and know that Beth will be pissed if I didn't get it done, meaning that she could do local network stuff, but not Internet stuff.

Ah well, such is life. smile But I still have to say it was a productive evening. smile

Wednesday, June 4, 2003

New Links!

I've changed the MattLinks page somewhat to reflect some new things I've found and additions I figured appropriate. I added a hilarious reference (see under Stupid/Random Links) for the Wooden Periodic Table -- a project I really admire...and shudder to think about at the same time. There are also other additions and changes to the list. Check them out when you get a chance.

Long Live The Firewall!

I've managed to transcribe my firewall rules for iptables. Electronically. This means that major progress is being made. This setup has yet to be tested, and the only parts which really changed were the FORWARD chain stuff (no more masquerading) and NAT table stuff (I now do SNAT (source NAT) instead of masquerade as I have a static home IP address). I also made some minor changes within the iptables rules, mostly based upon a good idea I saw in an example script. Since the -l flag is no longer available, you actually have to write rules where the target is -j LOG, then write an identical rule to drop said packet if that's the desired reaction. I have several 'services' I monitor for abuse (I used to get a lot of FTP requests, now it's mostly SMB ports)...just for the heck of it. So, I'd have to copy pretty much every rule of that chain. Instead I added a new chain with the log/deny rules both written in the generic case, and call it as the jump for these services. See diagram:

My service blocking under ipchains:

Incoming Packet --> INPUT CHAIN --> EXT-IN CHAIN --> SERVICES CHAIN --> Log, then DENY (in one step)

INPUT CHAIN is a default chain for ipchains. Ext-in and Services are my user-defined chains.

My service blocking under iptables:


INPUT CHAIN and LOG are default targets in iptables. Ext-in, Services, and SLnD (Service Log & Deny) are my user-defined chains.

Perhaps this makes no sense to anyone else but me...but it works, and without 'duplicating code' and causing the packet filter to check more rules. So it's more efficient.
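The chain layout above, written out as an added shell example (not the blog's own rule script): one generic SLnD chain carries the single LOG and single DROP rule, and each monitored service jumps to it. The chain names follow the post; the external interface, the static address (a TEST-NET placeholder) and the port list are assumptions.

```sh
#!/bin/sh
# Added example, not the blog author's script: "log, then deny" through one
# generic user-defined chain (SLnD), so LOG and DROP are written once and every
# monitored service jumps to them. ipchains' -l flag did both in one rule;
# iptables needs two, which is what the shared chain avoids repeating.
# Assumptions: external interface eth0, placeholder static address
# 203.0.113.10 (TEST-NET-3), monitored ports = the SMB/CIFS ports.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"
EXT_IP="${EXT_IP:-203.0.113.10}"
MONITORED_PORTS="${MONITORED_PORTS:-137 138 139 445}"

build_rules() {
    # SLnD (Service Log & Deny): the only place LOG and DROP are spelled out.
    # The limit match keeps a flood of probes from filling the log.
    $IPT -N SLnD
    $IPT -A SLnD -m limit --limit 5/min -j LOG --log-prefix "SLnD: "
    $IPT -A SLnD -j DROP

    # services: one short rule per monitored port, all jumping to SLnD,
    # instead of a LOG rule plus an identical DROP rule for each port.
    $IPT -N services
    for port in $MONITORED_PORTS; do
        $IPT -A services -p tcp --dport "$port" -j SLnD
        $IPT -A services -p udp --dport "$port" -j SLnD
    done

    # ext-in: packets arriving on the external interface are handed to
    # services; INPUT is the built-in chain that feeds ext-in.
    $IPT -N ext-in
    $IPT -A ext-in -j services
    $IPT -A INPUT -i "$EXT_IF" -j ext-in

    # Static address, so SNAT with a fixed source instead of MASQUERADE.
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j SNAT --to-source "$EXT_IP"
}

# Dry run by default: print the rules for review. APPLY=1 runs them for real.
[ "${APPLY:-0}" = 1 ] || IPT=echo
build_rules
```

With four monitored ports the dry run prints 16 rules, of which exactly one is a LOG and one a DROP; writing the pair per port and protocol would have needed 16 log/drop rules on their own.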

With all that said, I hope to start working on the transition to new server box tomorrow after work. It will take a few hours, but should be quite straightforward. The only major potential problem will be with iptables, which should be quickly diagnosed and hopefully fixed if any problems arise. Wish me luck. We'll see what happens... smile

In Other News...

...I've not really taken time to look at my local packet sniffing experiment the other night. I have yet to do some research on potential holes in that scenario. This will hopefully allow me to pick out potential (and already possibly exploited) security holes and patch that into the firewall as appropriate. At first glance, most of the traffic was SMB-related (e.g. Windows Connectivity (Network Neighborhood stuff)) and ARP, as well as the occasional mail-check, messenger service update, and so on.

Once I get the old server box back online (after redoing it), I hope to run this exact experiment for about 24 hours, of course filtering out valid requests.

Tuesday, June 3, 2003

Firewall Rules...

So, I've managed to do some serious research with formats in iptables and how it really differs from ipchains. I'm in the process now of deciding how to restructure the chains in the filter table... Fortunately, I won't have to do much rewriting of the actual rules, since that information pretty much stays the same. It's mostly how the information relates to itself and the program.

But anyway...

I've drawn up some basic plans for probably the first building project I'll work on this summer (for myself, anyway). The multi-shelved unit for computer parts. I've increased the width, added a side table (it'll fit in the corner better), and made general fixes to the stuff I didn't like about it before. Still not quite sure when this project will start (I might have to build it away from here at the rate it's going)...but as the servers are sitting out in the's bringing to attention how badly this project needs to take place.

Sunday, June 1, 2003

And The Run Was Complete...

At long last, day 7 of 7 at work has arrived. And there was much rejoicing! smile What am I planning on doing during my day off? That's a good question -- the answer I don't yet know.

One Step Closer

Regarding the new server box and switchover, I've managed to get Netatalk and Samba configured and running (correctly) for the network setup on the new box. This means that I'm essentially one step away from the complete revamping of the old server box. And that involves rewriting firewall rules for iptables. Well, that, and moving old configuration files to their temporary backup location. This will hopefully happen sometime in the next week, although I make no guarantees.

For now, I'm going to bed. smile

