Re: Next-gen firewalls and URL / domain reputation and classification

2022-10-26 Thread C. Jon Larsen



A lot of the vendors are using WebRoot or Threatstop under the hood.
A10 for example with their CFW product.


Greetings and good day.
What products/services are folks using on their networks for domain reputation or classification-based filtering? There are various vendors (Fortinet, Palo Alto, Talos/Cisco, McAfee, etc) who maintain their own databases for this purpose, and I'm working to make sure a recently acquired domain name is classified and evaluated correctly. I have been seeing reports from end users on a handful of different ISP networks being blocked or redirected to something like safebrowse.io due to this sort of reputation-based filter. Re-classifications have been submitted to a lot of the major vendors in this space, but I don't maintain an exhaustive list, and individual ISPs seem to have varying degrees of success responding to these requests.

Any input on the subject, or anecdotes from anyone with operational experience, are much appreciated.

Thanks,
Devern

--
Devern adamsdevernad...@gmail.com




Re: problems sending to prodigy.net hosted email

2018-03-19 Thread C. Jon Larsen



On Sun, 11 Mar 2018 15:57:32 -0700
Stephen Satchell wrote:


(I know in my consulting practice I strongly discourage having ANY
other significant services on DNS servers.  RADIUS and DHCP, ok, but
not mail or web.  For CPanel and PLESK web boxes, have the NS records
point to a pair of DNS-dedicated servers, and sync the zone files
with the ones on the Web boxes.)


Why not? Never had a problem with multiple services on linux, in
contrast to windows where every service requires its own box (or at
least vm).


Go for it! Failure is an awesome teacher :)




RE: Small full BGP table capable router with low power consumption

2017-12-04 Thread C. Jon Larsen


On Mon, 4 Dec 2017, Naslund, Steve wrote:

FWIW ...

OpenBSD on a lanner appliance with openbgpd will chew 1G. Especially on 
the latest version - 6.2.


Debian on the same lanner running bird would chew that as well.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of William Herrin
Sent: Monday, December 04, 2017 3:43 PM
To: Adam Lawson
Cc: nanog
Subject: Re: Small full BGP table capable router with low power consumption



On Mon, Dec 4, 2017 at 2:19 PM, Adam Lawson  wrote:
The router needs to be squeezed in to a rack which doesn't have a lot
of space nor power. As for space, maybe I can make space for 3U or 4U
but as for power, I can only do around 1.5A@100V on average. (There is
room for burst power usage.)



A Cisco 2911 or 3945 does this, though the 3945 is a little more power hungry.



A current generation x86 server running Linux and Quagga does this.



Regards,
Bill Herrin




--
William Herrin  her...@dirtside.com  b...@herrin.us Dirtside Systems 
. Web: 




Re: Level 3 voice outage

2016-10-04 Thread C. Jon Larsen



On Tue, 4 Oct 2016, Mark Stevens wrote:

Is anyone noticing issue with Level 3 voice? I can't even call their 800 
number using one of my other carriers.


Yes, major outage:
http://downdetector.com/status/level3

Customers all over the mid-atlantic region are down.



Re: Linux: concerns over systemd adoption and Debian's decision to switch

2014-10-22 Thread C. Jon Larsen



Hardly.  The discussion so far has been weighted very heavily on the
side of Dana Carvey's Grumpy Old Man-style whining: "That's the way
it was and we liked it!"

The people that like systemd (like myself) have wisely learned that
the people that hate systemd, hate it mostly because it's different
from what came before and don't want to change.  There's no way to
argue rationally with that.


Incorrect assumption. systemd is a massive security hole waiting to happen 
and it does not follow the unix philosophy of do one thing and do it 
well/correctly. It's basically ignoring 40 years of best practices. That's why 
folks that have been there, done that, don't want any part of it. Not 
because it's new, but because it's a flawed concept.


You are free to use it, but it would be a poor choice for a system that has 
hopes of being secure.



--
Jeff Ollie




Re: Linux: concerns over systemd [OT]

2014-10-22 Thread C. Jon Larsen



Which leads me to ask - those of you running server farms - what
distros are popular these days, for server-side operations?  We've
been running Debian like forever (by way of Solaris and redhat) - but
this systemd thing is making me rethink things.  Seems like an awful
lot of folks are now designing for the desktop, and it might be time
to migrate to a BSD or Solaris derivative.  What are others doing?


to be honest, i like systemd. nobody else has really stepped up to the
bat to fix issues of existing init systems and tying interoperabilty
into a common bus.


Perhaps because folks that understand more about security than you (and 
me for sure, so I'm not picking on you) think that's a bad idea? If 
something is a bad idea then smart folks don't rush out (generally) to 
build it ... thus the "no one stepping up to bat" problem that's not really 
a problem - it's a good thing to not have problems solved improperly.


Perhaps because when you say/hear things like "tying interoperability into 
a common bus" you think that's a good idea. Others hear those same words and think:


vendor lock-in
single point of failure
lack of choice

The binary logging thing is a non-starter for a lot of folks. dbus? On a 
server? Do we really need that?


Let's keep servers reliable - less code, not more (no bugs in unwritten 
code).


Shouldn't the amount of code running as PID 1 be kept to an absolute 
minimum?


Bad architecture decisions don't suddenly become good ones even if they 
solve other problems along the way or make some things better or faster.






Re: Firewalls - Ease of Use and Maintenance?

2011-11-09 Thread C. Jon Larsen


On Wed, 9 Nov 2011, Nick Hilliard wrote:


On 09/11/2011 15:18, Jonathan Lassoff wrote:

I've found that this works decently well, via pfsync.


I meant config sync, not state sync.


Put the main portion of the conf in subversion as an include file and 
factor out local differences in the configs with macros that are defined 
in pf.conf.


Easy.
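As an added illustration of the layout described in the reply above (this is not from the thread; the file paths, interface names and addresses are made up), the shared rule set lives in a versioned include file and each firewall's own pf.conf defines only the macros that differ between boxes:

```pf
# ---- /etc/pf.conf on fw1 (per-host file, kept out of subversion) ----
# Only the site-specific values live here; fw2 has the same file with
# its own interface names and address.
ext_if   = "em0"
int_if   = "em1"
ext_addr = "192.0.2.10"          # differs per firewall
mgmt_net = "10.20.0.0/24"

# Macros must be defined before the include so the shared rules can use them.
include "/etc/pf/common.conf"    # shared file, checked out from subversion

# ---- /etc/pf/common.conf (identical on every firewall, versioned) ----
# References only the macros above, never a concrete interface or address.
set skip on lo
block in log all
pass out quick on $ext_if inet from $ext_addr to any keep state
pass in quick on $ext_if proto tcp from $mgmt_net to $ext_addr port 22 keep state
pass in on $int_if inet from $int_if:network to any keep state
```

The two sections are shown together for readability but are separate files on disk. After updating the checked-out common file, `pfctl -nf /etc/pf.conf` parses the combined result on each box without loading it, which catches a macro the shared file uses but the local file forgot to define.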



Re: HIJACKED: 159.223.0.0/16 -- WTF? Does anybody care?

2011-04-01 Thread C. Jon Larsen



So the hell with his prose: focus on the matter at hand.  Let's find out
what happened here and how, who's responsible, and what it'll take to stop
them from doing it again and again.


Well put.

--
This message has been scanned for viruses and
dangerous content by the Richweb.com outgoing MailScanner
and is believed to be clean.




Re: Need provider suggestions - BGP transit over GRE tunnel

2011-01-29 Thread C. Jon Larsen


On Sun, 30 Jan 2011, Franck Martin wrote:


Just make sure you don't shoot yourself in the foot by telling the best route to the end of the tunnel is via the tunnel itself...


Right, nail up a /32 static route for the remote gre tunnel endpoint on 
each side. That /32 is nailed up to the next hop that you want the gre tunnel 
to always traverse. If that next hop becomes unavailable, the tunnel will 
go down, which is what you want rather than the tunnel trying to come up 
across some other path it can find.



I use it too: http://www.avonsys.com/blogpost367 but because I have no other 
choice.

- Original Message -
From: Robert Johnson fasterfour...@gmail.com
To: C. Jon Larsen jlar...@richweb.com, nanog@nanog.org
Sent: Saturday, 29 January, 2011 6:48:50 PM
Subject: Re: Need provider suggestions - BGP transit over GRE tunnel

My network spans a multicity geographic area using microwave radio
links. The point of the GRE tunnel is to allow me to establish a BGP
session to another AS using a consumer grade Internet connection
(cheap) over the public Internet. I don't want to build out additional
microwave paths to a new datacenter to become multihomed.

On Fri, Jan 28, 2011 at 5:36 PM, C. Jon Larsen jlar...@richweb.com wrote:


I have read your email a few times and I don't see how this makes sense.

Why do you need a public AS and PI space? Your gre tunnel won't need it or be
able to use it. A gre tunnel is just a replacement for a physical pipe.

If your datacenter based presence goes down, you will need a pipe at your
office, or some other location speaking bgp that can announce your block
anyway.





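The "nail up a /32 to the next hop" advice from C. Jon Larsen's reply above, as an added example that is not part of the thread: the first function prints the commands that bring up the tunnel and pin the far endpoint's host route to the underlay gateway, and the second reads `ip route` output and flags the recursive-route mistake Franck Martin warns about. Interface names, addresses and the sample route lines are constructed; the check is deliberately simplified (it looks at the endpoint's host route if one exists, otherwise at the default route).

```shell
#!/bin/sh
# Added example, not from the thread. Addresses, interfaces and the
# sample routing table below are constructed.

# Print the commands that bring up gre1 and nail the far endpoint's /32
# to the underlay gateway. Run the output as root to apply it.
gre_pin_commands() {
    wan_if=$1; wan_gw=$2; local_ip=$3; remote_ip=$4
    echo "ip tunnel add gre1 mode gre local $local_ip remote $remote_ip ttl 255"
    echo "ip link set gre1 up"
    # Host route via the underlay gateway: if that gateway goes away the
    # tunnel goes down with it instead of re-homing across some other path.
    echo "ip route add $remote_ip/32 via $wan_gw dev $wan_if"
}

# Read `ip route` output on stdin; return 0 (true) when the far endpoint
# would be reached through the tunnel device itself. Simplified: uses the
# endpoint's host route if present, else the default route; intermediate
# prefixes are ignored.
endpoint_routed_via_tunnel() {
    remote_ip=$1; tun_if=$2
    awk -v ip="$remote_ip" -v tun="$tun_if" '
        # host routes are printed without a /32 suffix
        $1 == ip        { has_host = 1; for (i = 1; i <= NF; i++) if ($i == "dev") host_dev = $(i + 1) }
        $1 == "default" { for (i = 1; i <= NF; i++) if ($i == "dev") def_dev = $(i + 1) }
        END {
            dev = has_host ? host_dev : def_dev
            exit (dev == tun) ? 0 : 1
        }'
}

# Stand-alone demo: a default route learned over gre1 with no pinned host
# route is exactly the misconfiguration (constructed table).
main() {
    gre_pin_commands eth0 192.0.2.1 192.0.2.10 198.51.100.7
    printf 'default dev gre1 scope link\n10.10.0.0/16 dev gre1 scope link\n' \
        | endpoint_routed_via_tunnel 198.51.100.7 gre1 \
        && echo "WARNING: 198.51.100.7 is routed through gre1"
}
main
```

Running `ip route | endpoint_routed_via_tunnel <endpoint> gre1` from a cron job or a BGP session-up hook is a cheap way to catch the case where a default route arrives over the tunnel after someone forgets the pinned /32.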







RE: Shaping on a large scale

2009-01-30 Thread C. Jon Larsen



Open source you can do a custom setup with IPTables and iproute2, but it
will take some work to get the same kind of features and management
interface.  LARTC is a good reference for this kind of topic:
http://lartc.org/.  Also I'm not sure if someone has built this into any
of the firewall specific linux distros yet, so you may want to explore
those a little.


The script below will set max bandwidth on an interface to 60mbit, and 
set up a queue to shape a.b.c.d to 3Mbit. Seems to work ok for me. It's used 
on a physical server to limit bandwidth to the virtual server(s) on the physical 
server. Should work just as well on a dual-armed router/firewall shaping 
devices behind it.  You would just create more classes (1:11, 1:12, 
etc) for more clients/ips to shape, and you might want to knock the 
ceiling on the default (1:30) class down to guarantee the bandwidth to the 
1:10, 1:11... classes.


# root HTB qdisc; anything no filter claims lands in the default class 1:30
tc qdisc add dev eth0 root handle 1: htb default 30

# parent class caps the whole interface at 60mbit
tc class add dev eth0 parent 1: classid 1:1 htb rate 60mbit burst 150k
# shaped class: no ceil, so it is hard-capped at 3mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 3mbit burst 15k
# default class: tiny guarantee, may borrow up to the full 60mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil 60mbit burst 150k

tc qdisc add dev eth0 parent 1:10 handle 10: sfq perturb 10
tc qdisc add dev eth0 parent 1:30 handle 30: sfq perturb 10

## limit a.b.c.d to 3mbit/sec (both directions go into class 1:10):
U32="tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32"
$U32 match ip src a.b.c.d/32 flowid 1:10
$U32 match ip dst a.b.c.d/32 flowid 1:10

tc -s -d qdisc show dev eth0


-Original Message-
From: Bruce Grobler [mailto:br...@yoafrica.com]
Sent: Friday, January 30, 2009 12:34 AM
To: nanog@nanog.org
Subject: Shaping on a large scale

Hi,

Does anyone know of any shaping appliances to shape customers based on
IP, allow for a quota per IP and qos mechanisms like LLQ? This
should be something that can sit in between two border routers and
support a small ISP (2 customers); also an open-source solution would
be great!
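The tc script in C. Jon Larsen's reply above handles one shaped address; as an added example (not code from the thread), the function below generalises it to any number of IPv4 hosts, giving each its own HTB leaf class (1:10, 1:11, ...) and SFQ queue with u32 filters for both directions, which is the "just create more classes" step the reply describes. It prints the tc commands rather than running them, so the rule set can be reviewed and then piped into `sh` as root. The interface, ceiling and host list are hypothetical inputs.

```shell
#!/bin/sh
# Added example, not from the post. Inputs below are constructed.
#
# Usage: shape_rules IFACE CEIL "IP:RATE IP:RATE ..."
#   shape_rules eth0 60mbit "10.0.0.5:3mbit 10.0.0.6:5mbit" | sh   # as root
shape_rules() {
    iface=$1; ceil=$2; hosts=$3
    # root HTB qdisc; traffic no filter claims lands in the default class 1:30
    echo "tc qdisc add dev $iface root handle 1: htb default 30"
    # parent class caps the whole interface
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate $ceil burst 150k"
    # default class: near-zero guarantee but may borrow up to the ceiling;
    # lower this ceil to protect the per-host guarantees, as the post suggests
    echo "tc class add dev $iface parent 1:1 classid 1:30 htb rate 1kbit ceil $ceil burst 150k"
    echo "tc qdisc add dev $iface parent 1:30 handle 30: sfq perturb 10"
    minor=10
    for entry in $hosts; do
        ip=${entry%%:*}      # IPv4 only: the colon splits address from rate
        rate=${entry#*:}
        # leaf class with no ceil: the host is hard-capped at its own rate
        echo "tc class add dev $iface parent 1:1 classid 1:$minor htb rate $rate burst 15k"
        echo "tc qdisc add dev $iface parent 1:$minor handle $minor: sfq perturb 10"
        # classify traffic to and from the host into its leaf
        echo "tc filter add dev $iface protocol ip parent 1:0 prio 1 u32 match ip src $ip/32 flowid 1:$minor"
        echo "tc filter add dev $iface protocol ip parent 1:0 prio 1 u32 match ip dst $ip/32 flowid 1:$minor"
        minor=$((minor + 1))
        # 1:30 is taken by the default class; skip over it
        if [ "$minor" -eq 30 ]; then minor=31; fi
    done
}

# Demo run with constructed hosts; prints the rule set, applies nothing.
shape_rules eth0 60mbit "10.0.0.5:3mbit 10.0.0.6:5mbit"
```

Because the function only emits text, the same rule set can be diffed against what `tc -s -d class show dev eth0` reports on the box, which is handy when checking that a shaping change actually landed after a reboot or a config push.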