On September 8th, DNS CAA became a requirement for certificate authorities.
I found a handy tool to help you generate your CAA entry.
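If you would rather build the record yourself than trust a web form, the following is an added example (not from the post or from the tool it links to) that builds the zone-file form of a CAA record, encodes and decodes the RFC 8659 wire format, and assembles a sensible record set for a zone: who may issue, who may issue wildcards, and where the CA should report a refused request. The issuer domain `letsencrypt.org`, the `example.com` contact address and the helper names are this example's own choices.

```python
"""Build, encode and parse DNS CAA records (RFC 8659). Standard library only."""

CAA_TAGS = {"issue", "issuewild", "iodef"}
FLAG_CRITICAL = 128          # issuer-critical flag; 0 means "not critical"
FORBID_ALL = ";"             # an issue/issuewild value of ";" permits no CA at all


def caa_record(tag, value, flags=0):
    """Zone-file (presentation) form, e.g. '0 issue "letsencrypt.org"'."""
    tag = tag.lower()
    if tag not in CAA_TAGS:
        raise ValueError(f"unknown CAA tag {tag!r}")
    if flags not in (0, FLAG_CRITICAL):
        raise ValueError("flags must be 0 or 128")
    if '"' in value or "\n" in value:
        raise ValueError("value may not contain quotes or newlines")
    return f'{flags} {tag} "{value}"'


def caa_rdata(tag, value, flags=0):
    """Wire-format RDATA: flags octet, tag-length octet, tag, then the value."""
    tag = tag.lower()
    if tag not in CAA_TAGS:
        raise ValueError(f"unknown CAA tag {tag!r}")
    tag_bytes = tag.encode("ascii")
    return bytes([flags, len(tag_bytes)]) + tag_bytes + value.encode("ascii")


def parse_caa_rdata(data):
    """Inverse of caa_rdata(); rejects truncated or empty-tag records."""
    if len(data) < 2:
        raise ValueError("CAA RDATA shorter than two octets")
    flags, tag_len = data[0], data[1]
    if tag_len == 0 or len(data) < 2 + tag_len:
        raise ValueError("truncated CAA RDATA")
    tag = data[2:2 + tag_len].decode("ascii").lower()
    value = data[2 + tag_len:].decode("ascii")
    return flags, tag, value


def generate_caa_records(issuers, wildcard_issuers=None, iodef=None):
    """Record set for one zone.

    issuers:          CA domains allowed to issue; empty list forbids issuance.
    wildcard_issuers: None means "no issuewild records", so the issue records
                      also govern wildcards (RFC 8659 semantics); an empty list
                      forbids wildcard issuance explicitly.
    iodef:            mailto: or https: URL for the CA to report refusals to.
    """
    records = [caa_record("issue", i) for i in issuers] or [caa_record("issue", FORBID_ALL)]
    if wildcard_issuers is not None:
        records += ([caa_record("issuewild", i) for i in wildcard_issuers]
                    or [caa_record("issuewild", FORBID_ALL)])
    if iodef:
        records.append(caa_record("iodef", iodef))
    return records


if __name__ == "__main__":
    # Constructed policy: only Let's Encrypt may issue, no wildcards, report to hostmaster.
    for rr in generate_caa_records(["letsencrypt.org"], wildcard_issuers=[],
                                   iodef="mailto:hostmaster@example.com"):
        print(f"example.com. IN CAA {rr}")
```

Paste the printed lines into the zone (or the equivalent fields of your DNS provider's form); the wire-format helpers are there so you can verify what a resolver actually returns matches what you published.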
Cacti, as of version 1.0.1, requires access to the MySQL time zone database. You will see the following error at initial setup or during the upgrade process if this has not yet been set up:
ERROR: Your Cacti database login account does not have access to the MySQL TimeZone database. Please provide the Cacti database account “select” access to the “time_zone_name” table in the “mysql” database, and populate MySQL’s TimeZone information before proceeding.
To accomplish this, do the following:
/usr/local/bin/mysql -u root -p mysql < /usr/local/share/mysql/mysql_test_data_timezone.sql
Once that is done, login to MySQL and run the following:
GRANT SELECT ON mysql.time_zone_name TO 'cacti'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
That's all.
The issues I had during the install process were broken CSS, a jQuery error, a couple of missing PHP modules, broken Captcha images and unusable complex passwords.
The broken CSS and jQuery errors were a result of my client's web server SSLSessionCache configuration being incorrect (missing) and their intermediate certificate also being corrupt. I fixed both of these issues and that fixed the CSS and jQuery errors. If you have these issues, it isn't likely a PHPIPAM problem, but a problem with your server config.
The second issue was post install:
Warning: file(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in functions/classes/class.Tools.php on line 1694
The very simple fix for this is to make sure the PHP curl module is installed. It’s not listed as a required module on the PHP IPAM installation guide, but it definitely is.
In addition, my Captcha images were broken. I had GD installed, but I didn’t have the PHP GD module installed. Easily fixed by installing the PHP GD module and a quick web server restart.
Finally, if you are like me and use ridiculously complex passwords generated by a cloud-based secret server, such as Encryptr, LastPass, Thycotic, 1Password, etc., note that while you can use a password up to 128 characters long, per the DB schema, you cannot use special characters, or at least some special characters. I had to use the 'functions/scripts/reset-admin-password.php' feature a few times. When you set an invalid password you are not given any warning; it is simply accepted, so this issue may not be obvious at first.
All these issues are trivial and easily fixed or circumvented. The PHPIPAM software is amazing; please do not let this post discourage you from installing it.
Update: I found another PHP module that is required post-installation that isn’t mentioned on the PHP IPAM website, which is the ctype module. It addresses this issue:
Fatal error: Call to undefined function ctype_digit() in functions/PEAR/Net/IPv4.php on line 242
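Since three of the problems above came down to PHP modules that the installation guide does not list, here is an added example (not from the post or from the PHPIPAM project) that parses `php -m` output and reports which of the modules this post needed are missing. The required list is an assumption drawn from the post (curl, gd, ctype); extend it with whatever your own install turns out to need. The sample listing is constructed.

```python
"""Check a 'php -m' listing for the PHP modules a PHPIPAM install needs."""
import subprocess

# Modules the post found missing on its install; assumed list, extend as needed.
REQUIRED_MODULES = ("curl", "gd", "ctype")


def parse_php_modules(listing):
    """Parse 'php -m' output into a set of lower-cased module names.

    'php -m' prints "[PHP Modules]" and "[Zend Modules]" section headers with
    one module per line; headers and blank lines are skipped, both sections kept.
    """
    modules = set()
    for line in listing.splitlines():
        line = line.strip()
        if not line or line.startswith("["):
            continue
        modules.add(line.lower())
    return modules


def missing_modules(listing, required=REQUIRED_MODULES):
    """Return the required modules absent from the listing, in the given order."""
    loaded = parse_php_modules(listing)
    return [m for m in required if m.lower() not in loaded]


# Constructed sample of 'php -m' output from a box that lacks curl and gd.
SAMPLE_LISTING = """[PHP Modules]
Core
ctype
date
json
mysqli
openssl
pcre
session
SPL
standard

[Zend Modules]
"""


def check_local_php(required=REQUIRED_MODULES):
    """Run the real 'php -m' on this host; returns the missing list or None if no php."""
    try:
        out = subprocess.run(["php", "-m"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return missing_modules(out, required)


if __name__ == "__main__":
    missing = check_local_php()
    if missing is None:
        print("php not found; sample result:", missing_modules(SAMPLE_LISTING))
    elif missing:
        print("missing PHP modules:", ", ".join(missing))
    else:
        print("all required PHP modules loaded")
```

Run it once before pointing a browser at the installer; a missing module shows up here as a name rather than as a cryptic fatal error deep inside PEAR.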
Ever needed to do a sanity check on Juniper’s default application values when setting up security policies?
Here’s how:
show groups junos-defaults applications
It’s a hidden command that cannot be tab-completed. Here are the results (as of 12.1X47-D30.4):
# File Transfer Protocol
application junos-ftp { application-protocol ftp; protocol tcp; destination-port 21; }
# Trivial File Transfer Protocol
application junos-tftp { application-protocol tftp; protocol udp; destination-port 69; }
# Real Time Streaming Protocol
application junos-rtsp { application-protocol rtsp; protocol tcp; destination-port 554; }
# Network Basic Input Output System - networking protocol used on
# Windows networks session service port
application junos-netbios-session { protocol tcp; destination-port 139; }
application junos-smb-session { protocol tcp; destination-port 445; }
application junos-ssh { protocol tcp; destination-port 22; }
application junos-telnet { protocol tcp; destination-port 23; }
application junos-smtp { protocol tcp; destination-port 25; }
application junos-tacacs { protocol tcp; destination-port 49; }
# TACACS Database Service
application junos-tacacs-ds { protocol tcp; destination-port 65; }
application junos-dhcp-client { protocol udp; destination-port 68; }
application junos-dhcp-server { protocol udp; destination-port 67; }
application junos-bootpc { protocol udp; destination-port 68; }
application junos-bootps { protocol udp; destination-port 67; }
application junos-finger { protocol tcp; destination-port 79; }
application junos-http { application-protocol http; protocol tcp; destination-port 80; }
application junos-https { protocol tcp; destination-port 443; }
application junos-pop3 { protocol tcp; destination-port 110; }
application junos-ident { protocol tcp; destination-port 113; }
application junos-nntp { protocol tcp; destination-port 119; }
application junos-ntp { protocol udp; destination-port 123; }
application junos-imap { protocol tcp; destination-port 143; }
application junos-imaps { protocol tcp; destination-port 993; }
application junos-bgp { protocol tcp; destination-port 179; }
application junos-ldap { protocol tcp; destination-port 389; }
application junos-snpp { protocol tcp; destination-port 444; }
application junos-biff { protocol udp; destination-port 512; }
# UNIX who
application junos-who { protocol udp; destination-port 513; }
application junos-syslog { protocol udp; destination-port 514; }
# line printer daemon, printer, spooler
application junos-printer { protocol tcp; destination-port 515; }
application junos-rip { protocol udp; destination-port 520; }
# INA sanctioned RADIUS port numbers
application junos-radius { protocol udp; destination-port 1812; }
application junos-radacct { protocol udp; destination-port 1813; }
application junos-nfsd-tcp { protocol tcp; destination-port 2049; }
application junos-nfsd-udp { protocol udp; destination-port 2049; }
application junos-cvspserver { protocol tcp; destination-port 2401; }
# Label Distribution Protocol
application junos-ldp-tcp { protocol tcp; destination-port 646; }
application junos-ldp-udp { protocol udp; destination-port 646; }
# JUNOScript and JUNOScope management
application junos-xnm-ssl { protocol tcp; destination-port 3220; }
application junos-xnm-clear-text { protocol tcp; destination-port 3221; }
# IPSec tunnel
application junos-ike { protocol udp; destination-port 500; }
# Any IPv4 application
application any { term t1 protocol 0; }
# America Online instant messaging services
application junos-aol { term t1 protocol 6 destination-port 5190-5193; }
# Character generator protocol
application junos-chargen { term t1 protocol udp destination-port 19; }
# DHCP Relay services
application junos-dhcp-relay { term t1 protocol udp destination-port 67; }
# Discard protocol
application junos-discard { term t1 protocol udp destination-port 9; }
# DNS
application junos-dns-udp { term t1 alg dns protocol udp destination-port 53; }
application junos-dns-tcp { term t1 alg dns protocol tcp destination-port 53; }
# Echo protocol
application junos-echo { term t1 protocol udp destination-port 7; }
# Gopher internet protocol
application junos-gopher { term t1 protocol tcp destination-port 70; }
# Gnutella File Sharing Protocol
application junos-gnutella { term t1 protocol udp destination-port 6346-6347; }
# Generic Routing Encapsulation Protocol
application junos-gre { term t1 protocol 47; }
# GPRS Tunneling Protocol
application junos-gprs-gtp-c-tcp { term t1 alg gprs-gtp-c protocol tcp destination-port 2123; }
application junos-gprs-gtp-c-udp { term t1 alg gprs-gtp-c protocol udp destination-port 2123; }
application junos-gprs-gtp-c { term t1 alg gprs-gtp-c protocol tcp destination-port 2123; term t2 alg gprs-gtp-c protocol udp destination-port 2123; }
application junos-gprs-gtp-u-tcp { term t1 alg gprs-gtp-u protocol tcp destination-port 2152; }
application junos-gprs-gtp-u-udp { term t1 alg gprs-gtp-u protocol udp destination-port 2152; }
application junos-gprs-gtp-u { term t1 alg gprs-gtp-u protocol tcp destination-port 2152; term t2 alg gprs-gtp-u protocol udp destination-port 2152; }
application junos-gprs-gtp-v0-tcp { term t1 alg gprs-gtp-v0 protocol tcp destination-port 3386; }
application junos-gprs-gtp-v0-udp { term t1 alg gprs-gtp-v0 protocol udp destination-port 3386; }
application junos-gprs-gtp-v0 { term t1 alg gprs-gtp-v0 protocol tcp destination-port 3386; term t2 alg gprs-gtp-v0 protocol udp destination-port 3386; }
# GPRS SCTP
application junos-gprs-sctp { term t1 alg gprs-sctp protocol 132 destination-port 0; }
# HTTP extension
application junos-http-ext { term t1 protocol tcp destination-port 7001; }
# ICMP All Traffic
# This can be made to be more restrictive by specifying icmp
# type and code.
application junos-icmp-all { term t1 protocol icmp; }
# ICMP Ping.
# The echo-reply is allowed upon return
application junos-icmp-ping { term t1 protocol icmp icmp-type echo-request; }
# Internet locator service
application junos-internet-locator-service { term t1 protocol tcp destination-port 389; }
# IKE protocol
application junos-ike-nat { term t1 protocol udp destination-port 4500; }
# Internet Relay Chat protocol
application junos-irc { term t1 protocol tcp destination-port 6660-6669; }
# L2TP tunnelng protocol
application junos-l2tp { term t1 protocol udp destination-port 1701; }
# Line Printer Daemon protocol
application junos-lpr { term t1 protocol tcp destination-port 515; }
# Mail (SMTP) protocol
application junos-mail { term t1 protocol tcp destination-port 25; }
# H.323 Protocol for audio/video conferencing
application junos-h323 { term t1 alg q931 protocol tcp destination-port 1720; term t2 alg ras protocol udp destination-port 1719; term t3 protocol tcp destination-port 1503; term t4 protocol tcp destination-port 389; term t5 protocol tcp destination-port 522; term t6 protocol tcp destination-port 1731; }
# MGCP Protocol
application junos-mgcp-ua { term t1 alg mgcp-ua protocol udp destination-port 2427; }
application junos-mgcp-ca { term t1 alg mgcp-ca protocol udp destination-port 2727; }
# Microsoft Network Messenger
application junos-msn { term t1 protocol tcp destination-port 1863; }
# Microsoft RPC
application junos-ms-rpc-tcp { term t1 alg ms-rpc protocol tcp destination-port 135; }
application junos-ms-rpc-udp { term t1 alg ms-rpc protocol udp destination-port 135; }
# Microsoft RPC EPM (End Point Mapper)
application junos-ms-rpc-epm { term t1 protocol tcp uuid e1af8308-5d1f-11c9-91a4-08002b14a0fa; }
# Microsoft RPC Exchange Directory RFR
application junos-ms-rpc-msexchange-directory-rfr { term t1 protocol tcp uuid 1544f5e0-613c-11d1-93df-00c04fd7bd09; }
# Microsoft RPC Exchange Information Store
application junos-ms-rpc-msexchange-info-store { term t1 protocol tcp uuid a4f1db00-ca47-1067-b31f-00dd010662da; }
# Microsoft RPC Exchange Directory NSP
application junos-ms-rpc-msexchange-directory-nsp { term t1 protocol tcp uuid f5cc5a18-4264-101a-8c59-08002b2f8426; }
# Microsoft RPC DCOM
application junos-ms-rpc-wmic-admin { term t1 protocol tcp uuid a9e69610-b80d-11d0-b9b9-00a0c922e750; }
application junos-ms-rpc-wmic-webm-level1login { term t1 protocol tcp uuid f309ad18-d86a-11d0-a075-00c04fb68820; }
application junos-ms-rpc-wmic-webm-objectsink { term t1 protocol tcp uuid 7c857801-7381-11cf-884d-00aa004b2e24; }
application junos-ms-rpc-wmic-webm-services { term t1 protocol tcp uuid 9556dc99-828c-11cf-a37e-00aa003240c7; }
application junos-ms-rpc-wmic-webm-callresult { term t1 protocol tcp uuid 44aca675-e8fc-11d0-a07c-00c04fb68820; }
application junos-ms-rpc-wmic-webm-login-clientid { term t1 protocol tcp uuid d4781cd6-e5d3-44df-ad94-930efe48a887; }
application junos-ms-rpc-wmic-webm-login-helper { term t1 protocol tcp uuid 541679ab-2e5f-11d3-b34e-00104bcc4b4a; }
application junos-ms-rpc-wmic-webm-refreshing-services { term t1 protocol tcp uuid 2c9273e0-1dc3-11d3-b364-00105a1f8177; }
application junos-ms-rpc-wmic-webm-remote-refresher { term t1 protocol tcp uuid f1e9c5b2-f59b-11d2-b362-00105a1f8177; }
application junos-ms-rpc-wmic-webm-shutdown { term t1 protocol tcp uuid f309ad18-d86a-11d0-a075-00c04fb68820; }
application junos-ms-rpc-wmic-webm-classobject { term t1 protocol tcp uuid dc12a681-737f-11cf-884d-00aa004b2e24; }
application junos-ms-rpc-wmic-admin2 { term t1 protocol tcp uuid 29822ab8-f302-11d0-9953-00c04fd919c1; }
application junos-ms-rpc-wmic-mgmt { term t1 protocol tcp uuid 8bc3f05e-d86b-11d0-a075-00c04fb68820; }
application junos-ms-rpc-iis-com-1 { term t1 protocol tcp uuid a9e69612-b80d-11d0-b9b9-00a0c922e750; }
application junos-ms-rpc-iis-com-adminbase { term t1 protocol tcp uuid 70b51430-b6ca-11d0-b9b9-00a0c922e750; }
# MS RPC any
application junos-ms-rpc-uuid-any-tcp { term t1 protocol tcp uuid ffffffff-ffff-ffff-ffff-ffffffffffff; }
application junos-ms-rpc-uuid-any-udp { term t1 protocol udp uuid ffffffff-ffff-ffff-ffff-ffffffffffff; }
# Microsoft SQL
application junos-ms-sql { term t1 protocol tcp destination-port 1433; }
# NetBIOS Name Service
application junos-nbname { term t1 protocol udp destination-port 137; }
# NetBIOS Datagram Service
application junos-nbds { term t1 protocol udp destination-port 138; }
# Network File System protocol
application junos-nfs { term t1 protocol udp destination-port 111; }
# NS-Global (Management protocol for Juniper Networks Firewall/VPN devices)
application junos-ns-global { term t1 protocol tcp destination-port 15397; }
# NS-Global-PRO (Monitoring system for the Juniper Networks Firewall/VPN devices)
application junos-ns-global-pro { term t1 protocol tcp destination-port 15397; }
# NetScreen Security Manager
application junos-nsm { term t1 protocol udp destination-port 69; }
# OSPF protocol
application junos-ospf { term t1 protocol 89; }
# PC-anywhere remote control and file transfer protocol
application junos-pc-anywhere { term t1 protocol udp destination-port 5632; }
# Ping protocol
application junos-ping { term t1 protocol 1; }
# Ping for IPv6
application junos-pingv6 { term t1 protocol 58; }
# ICMP6 destination unreachable address
application junos-icmp6-dst-unreach-addr { term t1 protocol 58 icmp6-type 1 icmp6-code 3; }
# ICMP6 destination unreachable administration
application junos-icmp6-dst-unreach-admin { term t1 protocol 58 icmp6-type 1 icmp6-code 1; }
# ICMP6 destination unreachable beyond
application junos-icmp6-dst-unreach-beyond { term t1 protocol 58 icmp6-type 1 icmp6-code 2; }
# ICMP6 destination unreachable port
application junos-icmp6-dst-unreach-port { term t1 protocol 58 icmp6-type 1 icmp6-code 4; }
# ICMP6 destination unreachable route
application junos-icmp6-dst-unreach-route { term t1 protocol 58 icmp6-type 1 icmp6-code 0; }
# ICMP6 echo reply
application junos-icmp6-echo-reply { term t1 protocol 58 icmp6-type 129; }
# ICMP6 echo request
application junos-icmp6-echo-request { term t1 protocol 58 icmp6-type 128; }
# ICMP6 packet too big
application junos-icmp6-packet-too-big { term t1 protocol 58 icmp6-type 2 icmp6-code 0; }
# ICMP6 parameter problem header
application junos-icmp6-param-prob-header { term t1 protocol 58 icmp6-type 4 icmp6-code 0; }
# ICMP6 parameter problem next header
application junos-icmp6-param-prob-nexthdr { term t1 protocol 58 icmp6-type 4 icmp6-code 1; }
# ICMP6 parameter problem option
application junos-icmp6-param-prob-option { term t1 protocol 58 icmp6-type 4 icmp6-code 2; }
# ICMP6 time exceeded reassembly
application junos-icmp6-time-exceed-reassembly { term t1 protocol 58 icmp6-type 3 icmp6-code 1; }
# ICMP6 time exceeded transit
application junos-icmp6-time-exceed-transit { term t1 protocol 58 icmp6-type 3 icmp6-code 0; }
# ICMP6 all traffic
# This can be made to be more restrictive by specifying icmp6
# type and code.
application junos-icmp6-all { term t1 protocol 58; }
# Point-to-Point Tunneling protocol
application junos-pptp {
    ##
    ## Warning: statement ignored: unsupported platform (srx5600)
    ##
    term t1 alg pptp protocol tcp destination-port 1723;
}
# Real players use this protocol for real time streaming
# This was the original protocol for real players.
# RTSP is more widely used by real players
# but they still support realaudio.
application junos-realaudio { term t1 alg rtsp protocol tcp destination-port 554; }
# Cisco Station Call Control Protocol
application junos-sccp { term t1 alg sccp protocol tcp destination-port 2000; }
application junos-sctp-any { term t1 protocol 132; }
# Session Initiation Protocol (SIP)
application junos-sip { term t1 alg sip protocol udp destination-port 5060; term t2 alg sip protocol tcp destination-port 5060; }
# RSH
application junos-rsh { term t1 alg rsh protocol tcp destination-port 514; }
# Server Message Block Protocol
application junos-smb { term t1 protocol tcp destination-port 139; term t2 protocol tcp destination-port 445; }
application junos-sql-monitor { term t1 protocol udp destination-port 1434; }
# Oracle SQL*Net Version 1
application junos-sqlnet-v1 { term t1 protocol tcp destination-port 1525; }
# Oracle SQL*Net Version 2
application junos-sqlnet-v2 { term t1 alg sqlnet-v2 protocol tcp destination-port 1521; }
# Sun RPC
application junos-sun-rpc-tcp { term t1 alg sun-rpc protocol tcp destination-port 111; }
application junos-sun-rpc-udp { term t1 alg sun-rpc protocol udp destination-port 111; }
# Sun RPC Portmapper
application junos-sun-rpc-portmap-tcp { term t1 protocol tcp rpc-program-number 100000; }
application junos-sun-rpc-portmap-udp { term t1 protocol udp rpc-program-number 100000; }
# Sun RPC nfs
application junos-sun-rpc-nfs-tcp { term t1 protocol tcp rpc-program-number 100003; }
application junos-sun-rpc-nfs-udp { term t1 protocol udp rpc-program-number 100003; }
# Sun RPC mountd
application junos-sun-rpc-mountd-tcp { term t1 protocol tcp rpc-program-number 100005; }
application junos-sun-rpc-mountd-udp { term t1 protocol udp rpc-program-number 100005; }
# Sun RPC ypbind
application junos-sun-rpc-ypbind-tcp { term t1 protocol tcp rpc-program-number 100007; }
application junos-sun-rpc-ypbind-udp { term t1 protocol udp rpc-program-number 100007; }
# Sun RPC status
application junos-sun-rpc-status-tcp { term t1 protocol tcp rpc-program-number 100024; }
application junos-sun-rpc-status-udp { term t1 protocol udp rpc-program-number 100024; }
# Sun RPC ypserv
application junos-sun-rpc-ypserv-tcp { term t1 protocol tcp rpc-program-number 100004; }
application junos-sun-rpc-ypserv-udp { term t1 protocol udp rpc-program-number 100004; }
# Sun RPC Remote Quota Daemon
application junos-sun-rpc-rquotad-tcp { term t1 protocol tcp rpc-program-number 100011; }
application junos-sun-rpc-rquotad-udp { term t1 protocol udp rpc-program-number 100011; }
# Sun RPC Network Lock Manager
application junos-sun-rpc-nlockmgr-tcp { term t1 protocol tcp rpc-program-number 100021; }
application junos-sun-rpc-nlockmgr-udp { term t1 protocol udp rpc-program-number 100021; }
# Sun RPC Remote User Daemon
application junos-sun-rpc-ruserd-tcp { term t1 protocol tcp rpc-program-number 100002; }
application junos-sun-rpc-ruserd-udp { term t1 protocol udp rpc-program-number 100002; }
# Sun RPC System Administration Daemon
application junos-sun-rpc-sadmind-tcp { term t1 protocol tcp rpc-program-number 100232; }
application junos-sun-rpc-sadmind-udp { term t1 protocol udp rpc-program-number 100232; }
# Sun RPC SPRAY Daemon
application junos-sun-rpc-sprayd-tcp { term t1 protocol tcp rpc-program-number 100012; }
application junos-sun-rpc-sprayd-udp { term t1 protocol udp rpc-program-number 100012; }
# Sun RPC WALL Daemon
application junos-sun-rpc-walld-tcp { term t1 protocol tcp rpc-program-number 100008; }
application junos-sun-rpc-walld-udp { term t1 protocol udp rpc-program-number 100008; }
# SUN RPC any
application junos-sun-rpc-any-tcp { term t1 protocol tcp rpc-program-number 1610612735; }
application junos-sun-rpc-any-udp { term t1 protocol udp rpc-program-number 1610612735; }
# UNIX talk
application junos-talk { term t1 alg talk protocol udp destination-port 517; term t2 alg talk protocol tcp destination-port 517; }
application junos-ntalk { term t1 alg talk protocol udp destination-port 518; term t2 alg talk protocol tcp destination-port 518; }
# Any TCP application
application junos-tcp-any { term t1 protocol tcp; }
# Any UDP application
application junos-udp-any { term t1 protocol udp; }
# Unix to Unix Copy (UUCP) Protocol
application junos-uucp { term t1 protocol udp destination-port 540; }
# VDOLive video streaming technology
application junos-vdo-live { term t1 protocol udp destination-port 7000-7010; }
# Virtual Network Computing's protocol
application junos-vnc { term t1 protocol tcp destination-port 5800; }
# Wide Area Information Server
application junos-wais { term t1 protocol tcp destination-port 210; }
# Network Directory Service Protocol
application junos-whois { term t1 protocol tcp destination-port 43; }
# WinFrame protocol (allows users on non-windows machines to run windows applications)
application junos-winframe { term t1 protocol tcp destination-port 1494; }
# X-Windows protocol
application junos-x-windows { term t1 protocol tcp destination-port 6000-6063; }
# Yahoo Messenger
application junos-ymsg { term t1 protocol tcp destination-port 5000-5010; term t2 protocol tcp destination-port 5050; term t3 protocol udp destination-port 5000-5010; term t4 protocol udp destination-port 5050; }
# WX Control Connection used by WX-PIM
application junos-wxcontrol { term t1 protocol tcp destination-port 3578 inactivity-timeout 7560; }
# SNMP AgentX Connection used by WX-ISM
application junos-snmp-agentx { term t1 protocol tcp destination-port 705 inactivity-timeout 7560; }
# Simple Traversal of User Datagram Protocol (UDP) Through
# Network Address Translators (NATs)
application junos-stun { term t1 protocol udp destination-port 3478-3479; term t2 protocol tcp destination-port 3478-3479; }
# Persistent NAT Service
application junos-persistent-nat { term t1 protocol 255 source-port 65535 destination-port 65535; }
# Radio-Router Control Protocol
application junos-r2cp { term t1 protocol udp destination-port 28672; }
# 'junos-routing-inbound' represents routing protocols that may
# that may need access the trusted network from the untrusted
# network.
#
# Set is intended for a UI to display routing involvement choices.
#
# NOTE: It is not recommended you use the entire set directly in
# a firewall rule and open up firewall to all of these
# applications. Also, you should always specify the source
# and destination prefixes when using each application.
#
# NOTE: the contents of this set may grow in future JUNOS versions.
application-set junos-routing-inbound { application junos-bgp; application junos-rip; application junos-ldp-tcp; application junos-ldp-udp; }
# Common Internet File System (cifs)
# It runs over netbios and over smb, so construct
# an application set to capture it.
application-set junos-cifs { application junos-netbios-session; application junos-smb-session; }
application-set junos-gprs-gtp { application junos-gprs-gtp-c; application junos-gprs-gtp-u; application junos-gprs-gtp-v0; }
application-set junos-mgcp { application junos-mgcp-ua; application junos-mgcp-ca; }
application-set junos-ms-rpc { application junos-ms-rpc-tcp; application junos-ms-rpc-udp; }
# Microsoft RPC Microsoft Exchange
application-set junos-ms-rpc-msexchange { application junos-ms-rpc-tcp; application junos-ms-rpc-udp; application junos-ms-rpc-epm; application junos-ms-rpc-msexchange-directory-rfr; application junos-ms-rpc-msexchange-info-store; application junos-ms-rpc-msexchange-directory-nsp; }
application-set junos-ms-rpc-wmic { application junos-ms-rpc-tcp; application junos-ms-rpc-wmic-admin; application junos-ms-rpc-wmic-admin2; application junos-ms-rpc-wmic-webm-level1login; application junos-ms-rpc-wmic-mgmt; }
application-set junos-ms-rpc-iis-com { application junos-ms-rpc-tcp; application junos-ms-rpc-iis-com-1; application junos-ms-rpc-iis-com-adminbase; }
application-set junos-ms-rpc-any { application junos-ms-rpc-tcp; application junos-ms-rpc-udp; application junos-ms-rpc-uuid-any-tcp; application junos-ms-rpc-uuid-any-udp; }
application-set junos-sun-rpc { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; }
application-set junos-sun-rpc-portmap { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; }
application-set junos-sun-rpc-nfs { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-nfs-tcp; application junos-sun-rpc-nfs-udp; }
application-set junos-sun-rpc-mountd { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-mountd-tcp; application junos-sun-rpc-mountd-udp; }
application-set junos-sun-rpc-ypbind { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-ypbind-tcp; application junos-sun-rpc-ypbind-udp; }
application-set junos-sun-rpc-status { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-status-tcp; application junos-sun-rpc-status-udp; }
# Sun RPC nfs-access (Requires nfs and mountd)
application-set junos-sun-rpc-nfs-access { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-nfs-tcp; application junos-sun-rpc-nfs-udp; application junos-sun-rpc-mountd-tcp; application junos-sun-rpc-mountd-udp; }
application-set junos-sun-rpc-ypserv { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-ypserv-tcp; application junos-sun-rpc-ypserv-udp; }
application-set junos-sun-rpc-rquotad { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-rquotad-tcp; application junos-sun-rpc-rquotad-udp; }
application-set junos-sun-rpc-nlockmgr { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-nlockmgr-tcp; application junos-sun-rpc-nlockmgr-udp; }
application-set junos-sun-rpc-ruserd { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-ruserd-tcp; application junos-sun-rpc-ruserd-udp; }
application-set junos-sun-rpc-sadmind { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-sadmind-tcp; application junos-sun-rpc-sadmind-udp; }
application-set junos-sun-rpc-sprayd { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-sprayd-tcp; application junos-sun-rpc-sprayd-udp; }
application-set junos-sun-rpc-walld { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-portmap-tcp; application junos-sun-rpc-portmap-udp; application junos-sun-rpc-walld-tcp; application junos-sun-rpc-walld-udp; }
application-set junos-sun-rpc-any { application junos-sun-rpc-tcp; application junos-sun-rpc-udp; application junos-sun-rpc-any-tcp; application junos-sun-rpc-any-udp; }
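The listing is long enough that the useful question is usually the reverse one: given an application or application-set name that appears in a policy, what protocol/port pairs does it actually match? Here is an added example (not from the post or from Juniper) of a small parser for the terse form shown above. It assumes the flat structure of this output: `application NAME { key value; ... }` or `term NAME key value ...;` lines, and `application-set NAME { application MEMBER; ... }`; the sample input is an excerpt copied from the listing above, and the `junos-cifs` lookup shows a set being flattened to its member ports.

```python
"""Parse 'show groups junos-defaults applications' output and expand an
application or application-set name to the (protocol, destination-port)
pairs it matches. Standard library only."""


def tokenize(text):
    """Split Junos config text into tokens, dropping '#' comments."""
    tokens = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for punct in "{};":
            line = line.replace(punct, f" {punct} ")
        tokens.extend(line.split())
    return tokens


def _statements(body):
    """Yield each ';'-terminated statement of a block body as a token list."""
    stmt = []
    for tok in body:
        if tok == ";":
            yield stmt
            stmt = []
        else:
            stmt.append(tok)
    if stmt:
        raise ValueError(f"statement missing ';': {' '.join(stmt)}")


def _pairs(tokens):
    """Turn 'key value key value ...' into a dict; odd lengths are malformed."""
    if len(tokens) % 2:
        raise ValueError(f"odd key/value list: {' '.join(tokens)}")
    return dict(zip(tokens[0::2], tokens[1::2]))


def parse_applications(text):
    """Return (applications, application_sets).

    applications:     name -> list of term dicts such as
                      {"protocol": "tcp", "destination-port": "21"}
    application_sets: name -> list of member names (applications or sets)
    """
    apps, sets = {}, {}
    toks = tokenize(text)
    i = 0
    while i < len(toks):
        kind, name = toks[i], toks[i + 1]
        if kind not in ("application", "application-set") or toks[i + 2] != "{":
            raise ValueError(f"unexpected tokens near {' '.join(toks[i:i + 3])}")
        close = toks.index("}", i + 3)          # bodies are flat in this output
        body = toks[i + 3:close]
        i = close + 1
        if kind == "application-set":
            sets[name] = [s[1] for s in _statements(body)]
            continue
        terms, implicit = [], {}
        for stmt in _statements(body):
            if stmt[0] == "term":               # explicit: term NAME k v k v ...
                terms.append(_pairs(stmt[2:]))
            else:                               # plain k v; lines form one implicit term
                implicit.update(_pairs(stmt))
        if implicit:
            terms.insert(0, implicit)
        apps[name] = terms
    return apps, sets


def expand(name, apps, sets, _seen=frozenset()):
    """Flatten an application or application-set to (protocol, destination-port) pairs.

    A term with no destination-port (ICMP, GRE, 'any') yields port None.
    """
    if name in _seen:
        raise ValueError(f"application-set cycle through {name}")
    if name in sets:
        out = []
        for member in sets[name]:
            out.extend(expand(member, apps, sets, _seen | {name}))
        return out
    return [(t.get("protocol"), t.get("destination-port")) for t in apps[name]]


def ports(name, apps, sets):
    """Human-readable 'proto/port' strings for a name, e.g. ['tcp/139', 'tcp/445']."""
    return [f"{proto}/{port if port is not None else 'any'}"
            for proto, port in expand(name, apps, sets)]


# Constructed sample: lines copied from the listing above.
SAMPLE = """\
#
# File Transfer Protocol
#
application junos-ftp { application-protocol ftp; protocol tcp; destination-port 21; }
application junos-netbios-session { protocol tcp; destination-port 139; }
application junos-smb-session { protocol tcp; destination-port 445; }
# Any IPv4 application
application any { term t1 protocol 0; }
application junos-dns-udp { term t1 alg dns protocol udp destination-port 53; }
application junos-icmp-ping { term t1 protocol icmp icmp-type echo-request; }
application junos-sip { term t1 alg sip protocol udp destination-port 5060; term t2 alg sip protocol tcp destination-port 5060; }
application-set junos-cifs { application junos-netbios-session; application junos-smb-session; }
"""

if __name__ == "__main__":
    apps, sets = parse_applications(SAMPLE)
    for name in ("junos-ftp", "junos-cifs", "junos-sip", "junos-icmp-ping", "any"):
        print(f"{name:20} {', '.join(ports(name, apps, sets))}")
```

Feed it the full output of the hidden command (saved to a file) instead of `SAMPLE` and you can audit any policy by name; an entry that expands to `0/any` or `tcp/any` is one to look at twice before it ends up in a permit rule.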
In newer versions of PHP, you are required to set the system’s timezone. If you’ve encountered either of the errors below, or something like them, you need to do this.
Warning: date(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.
Warning: strtotime(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.
To do it server-wide, simply edit your php.ini file. If you are not sure where it is, use locate -i php.ini to find it.
Uncomment the following line and set it to your desired timezone:
;date.timezone =
I am on the West Coast of Canada, so I set mine to Vancouver:
date.timezone = America/Vancouver
You will need to restart your web server after making changes to the php.ini file.
If you want to set it on a single file, or override the global settings, you can use the date_default_timezone_set() function:
<?php date_default_timezone_set('America/Vancouver'); ?>
If you are using FreeBSD, here’s a list of timezones:
Far too often RANCID sends me emails containing diffs that look something like this:
@@ -2761,9 +2761,9 @@ unit 0 { family ethernet-switching { interface-mode trunk; vlan { - members [ 6 8 304 314 320 ]; + members [ 6 8 304 314 320 323 ]; } } } }
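Review bot: with only four lines of context the hunk stops at `unit 0 {`, so the interface that gained VLAN 323 on its trunk is not visible and the change cannot be tied to a specific port without opening the full configuration; a wider context setting (the `-8` the post recommends) or a change record naming the interface would let this hunk be reviewed on its own.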
While the information that a change was made is very helpful, it doesn't help that, by default, the diff only shows four lines of context above and below each change to the configuration.
I find that doubling that output from four lines to eight lines puts everything into proper context. To do this, find your control_rancid file on your server. Open up your favorite editor and search for the string “cvs -f diff -u -4” and simply change “-4” to “-8”.
I know a lot of people struggle with configuring SSL on their web server. A quick trip to Qualys SSL Labs to see the “Recent Worst” validates that. However, there’s a tool that can easily bring your web server up to the best current operating practice.
Check out the Mozilla SSL Configuration Generator. However, before you hastily cut and paste the generated code, take a few minutes to understand the implications of choosing "Modern", "Intermediate" or "Old". Modern, which is what this website uses, has the fewest supported browsers but the best security. Old has the most supported browsers and the laxest security; using Old is a terribly bad idea and should really never be done. For many, Intermediate is a nice balance of browser support and security.
The recommendations from the code generator change often and you should check back regularly to make sure you are still running the best current configuration.
There are also many hints, tips and tricks available at Qualys.
Until recently, there has been little motivation to encrypt websites that do not necessarily need it. However, that has changed. Let’s Encrypt has just disrupted the industry by offering free SSL certificates to anyone. Let’s Encrypt is overseen by the Internet Security Research Group, a California public benefit corporation, whose benevolent agenda includes securing the Internet at large. Bravo! We will post about using Let’s Encrypt in the near future.
If you now have a certificate from Let’s Encrypt and a very secure configuration, it’s time to force your users onto HTTPS/443, while maintaining backwards compatibility so that users clicking on Google search results won’t receive a server timeout message when connecting to your now legacy HTTP/80. Check out our earlier post on how best to do this.
Additionally, make sure your SSL certificate is SHA-2, or all the above security implementations could be for naught. All Let’s Encrypt certificates are SHA-2/SHA-256. Read this Ars Technica article and this SSLs.com blog post for more information on transitioning to SHA-2. All certificates issued after January 1st, 2016 are required to be SHA-2. It never hurts to double-check this, however. Most certificate authorities are now also reissuing your old, but still valid, certificates as SHA-2 at no charge.
There’s a very quick way to check whether your certificate is SHA-1 or SHA-2 at shaaaaaaaaaaaaa.com. Happy to report that this website received the ever-so-desirable “Nice” rating.
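The same SHA-1 versus SHA-2 check done locally with the openssl command line, as an added example that is not from the original post or from shaaaaaaaaaaaaa.com. It assumes the openssl CLI is on the PATH and reads the certificate’s own “Signature Algorithm” field; the self-signed certificate generated in the test is constructed data, not a real site certificate.

```shell
#!/bin/sh
# Added example, not from the original post: classify the hash used in a
# certificate's signature without sending anything to a web service.
# Assumes the openssl CLI is installed.

# sig_hash_family ALGORITHM
# ALGORITHM is the name openssl prints, e.g. sha256WithRSAEncryption,
# ecdsa-with-SHA384 or sha1WithRSAEncryption. Prints SHA-1, SHA-2 or other.
sig_hash_family() {
    alg=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$alg" in
        *sha1*)                             echo SHA-1 ;;
        *sha224*|*sha256*|*sha384*|*sha512*) echo SHA-2 ;;
        *)                                  echo other ;;
    esac
}

# cert_sig_alg CERT.pem
# Prints the signature algorithm name from a PEM certificate. openssl prints
# the line twice (in the TBS part and after it); the first is enough.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# cert_sig_family CERT.pem -> SHA-1, SHA-2 or other
cert_sig_family() {
    sig_hash_family "$(cert_sig_alg "$1")"
}

# Usage against a deployed certificate file (path is a placeholder):
#   cert_sig_family /path/to/fullchain.pem
```

Note that this looks only at the leaf certificate you pass in; the post’s point about SHA-1 applies to the intermediate certificates too, so run it over each file in the chain.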
UPDATE: You can now install pip using pkg.
[cmp@server ~]# pkg install py27-pip
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	py27-pip: 9.0.1

Number of packages to be installed: 1

The process will require 13 MiB more space.
2 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/1] Fetching py27-pip-9.0.1.txz: 100%    2 MiB 858.8kB/s    00:03
Checking integrity... done (0 conflicting)
[1/1] Installing py27-pip-9.0.1...
Extracting py27-pip-9.0.1: 100%
Success!
Original post
Somewhat strangely, pip is not installed when you install Python using FreeBSD’s pkg. However, there’s a very simple fix.
[cmp@server ~]# python -m ensurepip
Ignoring indexes: https://pypi.python.org/simple
Requirement already satisfied (use --upgrade to upgrade): setuptools in /usr/local/lib/python2.7/site-packages
Collecting pip
Installing collected packages: pip
Successfully installed pip-7.1.2
[cmp@server ~]# pip
pip     pip2    pip2.7
It’s a simple thing, but often overlooked, and could save you thousands, or even tens of thousands, depending on your monthly spend. Here it is:
FISCAL YEAR END
For carriers, as for all publicly traded companies, revenue is king, even when that revenue is sometimes at a break-even point, or occasionally at a loss. Revenue is important at month’s end. It’s even more important at the end of a quarter. It’s downright critical before the fiscal year end. How a company closes out its year can have ramifications for everyone in the company, including the CEO. Depending on how the year ends, he or she could be getting a bonus, or a pink slip.
There is no better time to begin negotiating your telecom contracts than 30 to 45 days before the carrier’s fiscal year end. It’s OK to drag things out until the last moment. The longer you wait, the better the deal you will get.
Here’s a list I have started and will add to over time:
AT&T – December 31st
British Telecom – March 31st
GTT – December 31st
Level3 – December 31st
Sprint – March 31st
Telecom Italia – December 31st
TeliaSonera – December 31st
Verizon – December 31st
Zayo – June 30th
To set your desired timezone, copy the zone file for it from the /usr/share/zoneinfo directory to /etc/localtime. Just change directories:
# cd /usr/share/zoneinfo
A directory listing reveals many regions and zones to choose from:
# ls
Africa          Arctic          Australia       EET             Etc             HST             MST             Pacific         WET
America         Asia            CET             EST             Europe          Indian          MST7MDT         SystemV         posixrules
Antarctica      Atlantic        CST6CDT         EST5EDT         Factory         MET             PST8PDT         UTC             zone.tab
Listing the America directory with recursion looks like this:
# ls -R America/
Adak            Belem           Chicago         Edmonton        Guyana          Lima            Metlakatla      Noronha         Rankin_Inlet    St_Barthelemy   Tortola
Anchorage       Belize          Chihuahua       Eirunepe        Halifax         Los_Angeles     Mexico_City     North_Dakota    Recife          St_Johns        Vancouver
Anguilla        Blanc-Sablon    Costa_Rica      El_Salvador     Havana          Lower_Princes   Miquelon        Ojinaga         Regina          St_Kitts        Whitehorse
Antigua         Boa_Vista       Creston         Fortaleza       Hermosillo      Maceio          Moncton         Panama          Resolute        St_Lucia        Winnipeg
Araguaina       Bogota          Cuiaba          Glace_Bay       Indiana         Managua         Monterrey       Pangnirtung     Rio_Branco      St_Thomas       Yakutat
Argentina       Boise           Curacao         Godthab         Inuvik          Manaus          Montevideo      Paramaribo      Santa_Isabel    St_Vincent      Yellowknife
Aruba           Cambridge_Bay   Danmarkshavn    Goose_Bay       Iqaluit         Marigot         Montreal        Phoenix         Santarem        Swift_Current
Asuncion        Campo_Grande    Dawson          Grand_Turk      Jamaica         Martinique      Montserrat      Port-au-Prince  Santiago        Tegucigalpa
Atikokan        Cancun          Dawson_Creek    Grenada         Juneau          Matamoros       Nassau          Port_of_Spain   Santo_Domingo   Thule
Bahia           Caracas         Denver          Guadeloupe      Kentucky        Mazatlan        New_York        Porto_Velho     Sao_Paulo       Thunder_Bay
Bahia_Banderas  Cayenne         Detroit         Guatemala       Kralendijk      Menominee       Nipigon         Puerto_Rico     Scoresbysund    Tijuana
Barbados        Cayman          Dominica        Guayaquil       La_Paz          Merida          Nome            Rainy_River     Sitka           Toronto

America/Argentina:
Buenos_Aires    Cordoba         La_Rioja        Rio_Gallegos    San_Juan        Tucuman
Catamarca       Jujuy           Mendoza         Salta           San_Luis        Ushuaia

America/Indiana:
Indianapolis    Knox            Marengo         Petersburg      Tell_City       Vevay           Vincennes       Winamac

America/Kentucky:
Louisville      Monticello

America/North_Dakota:
Beulah          Center          New_Salem
I want America/Los_Angeles so I would type the following:
# cp America/Los_Angeles /etc/localtime
Verify your work with date:
# date
Fri Nov 13 16:12:30 PST 2015
Success.
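The same copy wrapped in a function that checks the zone name before touching /etc/localtime, as an added example that is not part of the original post. It rejects absolute paths, “..” components and stray characters so a zone name taken from a config file or a form can’t point the copy outside /usr/share/zoneinfo, and it confirms the source carries the “TZif” magic that real zoneinfo files begin with. The zoneinfo directory and target path are parameters only so the function can be exercised against a constructed tree; on a FreeBSD host you would call it as `set_timezone America/Los_Angeles`.

```shell
#!/bin/sh
# Added example, not from the original post: copy a zoneinfo file into
# /etc/localtime with the zone name validated first.

# set_timezone ZONE [ZONEINFO_DIR] [TARGET]
# Copies ZONEINFO_DIR/ZONE (default /usr/share/zoneinfo) to TARGET (default
# /etc/localtime). Returns 0 on success, 1 for a rejected or missing zone,
# 2 on a copy failure.
set_timezone() {
    zone=$1
    zidir=${2:-/usr/share/zoneinfo}
    target=${3:-/etc/localtime}

    # A zone name is a plain relative path: no leading '/', no '..', no empty
    # components, and only the characters that appear in real zone names
    # (America/Port-au-Prince, Etc/GMT+5, America/St_Johns).
    case "$zone" in
        ''|/*|*/|*..*|*//*|*[!A-Za-z0-9/_+-]*)
            echo "refusing zone name: '$zone'" >&2; return 1 ;;
    esac

    src="$zidir/$zone"
    [ -f "$src" ] || { echo "no such zone: $zone" >&2; return 1; }

    # Real zoneinfo files start with the 4-byte magic "TZif".
    magic=$(dd if="$src" bs=4 count=1 2>/dev/null)
    [ "$magic" = "TZif" ] || { echo "not a zoneinfo file: $src" >&2; return 1; }

    cp "$src" "$target" || return 2
}

# current_timezone_matches ZONE [ZONEINFO_DIR] [TARGET]
# Returns 0 when TARGET is byte-for-byte the zoneinfo file for ZONE; the post
# uses `date` for the same confirmation.
current_timezone_matches() {
    cmp -s "${2:-/usr/share/zoneinfo}/$1" "${3:-/etc/localtime}"
}

# Usage on a real host:
#   set_timezone America/Los_Angeles && date
```

Copying (rather than symlinking) is what the post does and what this keeps; the file check matters because cp will happily install any readable file as /etc/localtime and libc will then silently fall back to UTC.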