IPTABLES Tidbits

August 10, 2011December 27, 2011 ~ admin

List off all the rules in order. This helps to see if an allow is overriding one of your denies:

iptables -nvL –line-numbers

Reject or Drop?

Drop means to drop everything at the interface and give no response. Best for port probes and the like.

Reject responds to the source. Best practices for TCP/IP

FreeBSD ZFS Settings On i386 Hardware

June 5, 2011December 27, 2011 ~ admin

AMD64 Kernel FreeBSD machines are good about autotuning. i386, on the other hand, needs to be adjusted manually.

1. Rebuild your kernel
a. Disable/wipe all drivers you are not using or at least those you are highly unlikely to ever use.
b. Add: options KVA_PAGES=512
c. Recompile/Install new kernel

2. Add these parameters to /boot/loader.conf
a. vm.kmem_size=”1024M”
b. vm.kmem_size_max=”2048M”
c. vfs.zfs.arc_max=”256M”
d. vfs.zfs.vdev.cache.size=”40M”

This will get the machine online without it crashing with vm.kmem errors. ZFS will bring an untuned i386 machine down to its knees with kernel panics quickly!

Adjust the above variables to your tastes. My test platform is a Dual Xeon with 4GB of RAM.

FreeBSD LAGG rc.conf

May 31, 2011November 20, 2012 ~ admin

This is what your rc.conf should contain to configure LAGG with FreeBSD:

### LAGG NFS Interface ###
ifconfig_bce3=”mtu 9000 up”
ifconfig_bce0=”mtu 9000 up”
cloned_interfaces=”lagg0″
ifconfig_lagg0=”laggproto roundrobin laggport bce3 laggport bce0″
ipv4_addrs_lagg0=”10.10.40.10/24″

Change the bce* interfaces to whatever your server is using for the network interfaces.

The “mtu 9000 up” is correct!

ZFS Replication on FreeBSD

May 31, 2011December 27, 2011 ~ admin

This script will replicate a ZFS pool to another FreeBSD machine. The sync process is quick, after the initial copy, and depending upon how much data changed.

Download this shell script: http://www.tediosity.com/zfsrep.sh

This script was written by another author for Solaris and I have fixed it to work on FreeBSD.

I chose to use: /root/zfsrep as the script location.

mkdir -p /root/zfsrep/zfsrep.snapshots
touch /root/zfsrep/zfsrep.log
cp zfsrep.sh /root/zfsrep/
vi zfsrep.sh and modify the e-mail address and location of the script (if you are not using /root/zfsrep)

Initial run:

/root/zfsrep/zfsrep.sh sinit nfs/datastore nfs/datastore 10.10.30.20

Subsequent runs:

/root/zfsrep/zfsrep.sh sync nfs/datastore nfs/datastore 10.10.30.20

Create a cronjob and forget about it.

If you make any changes, error fixes, or enhancements please e-mail them to me!! I love seeing other people’s creativity and putting their ideas to work in a production environment.

email: admin -at- tediosity.com

Setup NIS + Red Hat + CentOS + Linux

May 23, 2011December 27, 2011 ~ admin

The following describes a procedure to set up NIS network name service under Red Hat Linux. This is geared toward a small intallation with only one domain. However, it should be fairly evident how to add more NIS domains. The NIS domain name has nothing to do with any DNS naming convention being used.

In these examples, the following conventions are used:
NIS domain: “internal”
Code or configuration file data: bold
Root prompt on NIS master server: master#
Root prompt on NIS client host: client#
Setting up a NIS master server:

yum install yp-tools ypbind ypserv portmap ntpd

Set up “ntpd” service or otherwise make sure the host’s clock is synchronized.
ntpdate pool.ntp.org
chkconfig ntpd on
/etc/init.d/ntpd start

Edit /etc/yp.conf:

domain internal server ip.of.nis.server

Edit /etc/ypserv.conf:

[The below settings are, by default, activated in CentOS config]
dns: no
files: 30
xfr_check_port: yes
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port

Edit /etc/sysconfig/network:

NISDOMAIN=”internal”

Set NIS domain name:

master# domainname internal
master# ypdomainname internal

Create file /var/yp/securenets:

host 127.0.0.1
255.255.255.0 10.0.0.0

Make sure the “portmap” service is running:

master# service portmap start
master# chkconfig portmap on

Edit File: /etc/nsswitch.conf

passwd: files nis
shadow: files nis
group: files nis

Start ypserv service:

master# service ypserv start

Check that it’s listening:

master# rpcinfo -u localhost ypserv

You should see:

program 100004 version 1 ready and waiting
program 100004 version 2 ready and waiting

Initialize the NIS maps:

master# /usr/lib/yp/ypinit -m

Specify local hostname, Ctrl-D, y, let finish.

Start up ypbind, yppasswdd, ypxfrd:

master# service ypbind start
master# service yppasswdd start
master# service ypxfrd start

Set YP services to run on boot-up:

master# chkconfig ypserv on
master# chkconfig ypbind on
master# chkconfig yppasswdd on
master# chkconfig ypxfrd on

NIS client host setup

Required packages: yp-tools ypbind portmap

Edit /etc/sysconfig/network:

NISDOMAIN=internal

Edit /etc/yp.conf:

domain internal server ip.of.master.server

Edit /etc/hosts:

ip.of.master.server hostname.domain hostname

Set NIS domain-name:

client# domainname internal
client# ypdomainname internal

Edit /etc/nsswitch.conf:

passwd: files nis
shadow: files nis
group: files nis

Make sure the portmap service is running:

client# service portmap start
client# chkconfig portmap on

The /etc/hosts.allow file will need rules allowing access from localhost and the NIS master server.

Start ypbind service:

client# service ypbind start
client# chkconfig ypbind on

Test it out:

client# rpcinfo -u localhost ypbind
client# ypcat passwd

ZFS + List all snapshots

January 12, 2011December 27, 2011 ~ admin

zfs list -t snapshot

Example Output:

nas1# zfs list -t snapshot
NAME USED AVAIL REFER MOUNTPOINT
nfs/datastore@rep-init-20110113013713 18K – 21K –
nfs/datastore@rep20110113013825 311M – 311M –
nfs/datastore@rep20110113015314 0 – 68K –

FreeBSD LAGG / LACP Uneven Distribution

December 28, 2010December 27, 2011 ~ admin

If you have setup LAGG on FreeBSD and are noting that one NIC is getting all of the traffic.

Switch to roundrobin and check results.

The primary (“MASTER”) NIC will always receive the incoming traffic. With roundrobin all of the traffic will exit all NICs assigned to the LAGG.