Andryan’s Random Notes

Since I have always used ClamAV’s clamd as the virus filter of my email servers along with qmail-scanner, I noticed that crash-hat’s clamav RPM packages use logrotate to rotate the logs files. qmail-scanner runs as its own user (qscand), so clamd has to run under the same user. When the RPM package was first installed, it created these directories: /var/run/clamav/ and /var/log/clamav/. Chown these 2 directories to qscand (this assumes that User directives in freshclam.conf and clamd.conf have been changed to qscand), otherwise clamd and freshclam wouldn’t be able to write any logs and pid file and neither service would start.

As for the logrotate configuration, edit clamd and freshclam in /etc/logrotate.d/ to change the log files’ ownership to qscand instead of clamav. Modify line 8 where it says:

create 640 clamav clamav

to

create 640 qscand clamav

That should do the trick.

Since Fedora Core 5, pppoe-server that comes with rp-pppoe RPM package has always been broken. Someone actually filed a bug report, but unfortunately there was no response. Apparently the problem is caused by ppp conflicting with syslogd. If you stop syslogd and klogd, then pppoe-server will run properly. Fedora Core 4 does not have this problem though. I’m not sure if the newly released Fedora 7 has got this issue sorted out. I’m guessing that they haven’t.

If you have installed Fedora 7 and found out that the issue has been fixed, please let me know ASAP. Thanks!

Update (Jul 03, 2007): Problem confirmed in Fedora 7.

Update (Mar 14, 2008): Problem fixed as stated on bugzilla ticket.

I was just compiling an updated version of HTB-tools a few minutes ago then I noticed that either I forgot to make a note about removing a line from q_show.c or the addition of bitops.h is new in the latest version of HTB-tools (0.3.0a). If you don’t remove the following line in q_show.c:

#include <asm/bitops.h>

the compilation process will fail with the following error:

sys/q_show.c:40:24: error: asm/bitops.h: No such file or directory

I found this on Google to explain why bitops.h is missing in Fedora Core 6.

If you wish to run a PPPoE server, MikroTik RouterOS provides a convenient way to set one up in a few minutes (with built-in traffic shaping feature too!). Previously I used Fedora Core for my PPPoE servers, but I couldn’t find a working solution to keep ghost PPPoE sessions from bogging down my Linux server. I tried MikroTik DOM with RouterOS to replace my Linux-powered PPPoE servers, so far the results are very good.

Below is a mini guide that may be able to help you get your PPPoE server running in a few minutes using RouterOS.

First, make sure that your RouterOS server’s WAN connectivity has been properly configured. Remember that you need at least 2 network interface cards (NICs). This guide assumes that both NICs are ethernet — ether1 and ether2. If you haven’t set anything up on the new system, let me help you with the checklist: (based on my experience, the following issues are the most common)

• Make sure that the Internet-facing NIC has an IP address assigned on it and the default gateway is set (/ip route add gateway=…)
• If NAT is used, ensure that src-nat/masquerade firewall rule has been added (/ip firewall nat …) and it is working properly

Once you have verified the server’s connectivity, create a PPP profile (/ppp profile add name=”pppoe-profile” local-address=10.1.1.1 dns-server=… rate-limit=128k/128k). Every user account that uses this profile will get 128Kbps upload and download limit. If you wish to have different types of accounts (for example some customers pay for 256Kbps), create a new PPP profile (change the rate-limit attribute).

Next, create a user account assigned to the new PPP profile (/ppp secret add name=”andryan” password=”test” service=pppoe profile=”pppoe-profile” remote-address=10.1.1.2). When this user logs in successfully, this user gets assigned 10.1.1.2. To dynamically assign IP addresses, there is an example here.

Finally, create a PPPoE server instance (/interface pppoe-server server add service-name=”pppoe1″ interface=ether2 one-session-per-host=yes default-profile=”pppoe-profile”) and enable it. Now your RouterOS PPPoE server is ready to answer PPPoE requests and authenticate your PPPoE clients.
Good luck!

References:
http://www.mikrotik.com/testdocs/ros/2.9/interface/pppoe.php

This script will create port forwarding rules on port 36xxx to 192.168.1.xxx:36xxx.

This is a very useful IP subnet table to ease your VLSM/subnetting job.

I was going to write about ETHTOOL_OPTS a couple of months ago, but unfortunately I’m a forgetful person.

If you use Fedora Core (or some Fedora-driven distributions) which uses ifcfg-DEVNAME files in /etc/sysconfig/network-scripts/ and you wish to alter your ethernet cards’ default configuration, ETHTOOL_OPTS is basically all you need! Look no further, no need to add anything in rc.local or write your own rc scripts just to force your ethernet cards to a certain configuration (be it 100Mbps full duplex or 10Mbps half duplex). Simply add this line to your ifcfg file, e.g. for eth0, edit /etc/sysconfig/network-scripts/ifcfg-eth0 and append:

ETHTOOL_OPTS=”speed 100 duplex full autoneg off”

To put this change into effect, do service network restart.

Use mii-tool to verify whether the ethernet cards apply the new configuration.

References:
http://www.redhat.com/archives/broadcom-list/2003-December/msg00002.html

A couple of weeks ago I started to notice that I couldn’t watch videos served via my Samba server on my MacBook. I first thought it was a problem with Quicktime Player, but later I tried VLC and the problem was still there. I started up Activity Monitor to see how fast was the download speed, it was hardly over 150KB/s. Before, I was able to watch flawlessly on my MacBook with download speed of up to 2MB/s. Initially I thought that this could have something to do with the recent security updates of Mac OS X, but I couldn’t find anyone having the same problem on Google. Later I tried mounting my Windows-powered laptop’s shared folder and initiated a file transfer to my MacBook, it was transferring at normal speed (2MB/s)! So this problem only occurs when the share is served off Samba.

Yesterday I tried my luck on Google once more and finally I found this (sudo sysctl -w net.inet.tcp.delayed_ack=0). Applied the suggested solution and it worked! Case closed.

I have always wanted to learn about BGP. This time I got the honor chance to implement BGP for an ISP. This ISP has its own AS number and a /21 IP address block. This BGP setup is pretty simple because I’m only using 1 PC (with 3 ethernet cards and a MikroTik’s level 4 DOM) to interconnect with an Internet Exchange (IX) — NiCE — and a transit ISP (another transit will be added soon).

In MikroTik RouterOS version 2.9.42, BGP features are available for level 3 and above. You also need to enable routing-test package if you want more flexibility (BGP filtering features). The routing package, as of this version, only allows basic BGP features. I’m sure this will change later when they release RouterOS v3. Once you have enabled routing-test package, you will see new options (Routing - Filters in winbox, or /routing filters on CLI). This is very important when you have to peer with 2 or more ASes (specifically an IX and a transit which is not interested in getting IX’s routes for obvious reasons).

Since I have never configured BGP before, I caused a major problem when routes from each peer goes to another peer when they shouldn’t! I didn’t place any filter for BGP advertisements my BGP router sends to its peers. My transit ISP received the IX’s routes and the IX received full Internet routes feed my BGP router gets from the transit ISP. BGP is an exterior distance-vector routing protocol, it picks its best path by comparing the AS path lengths of every route it has. Advertising the whole Internet BGP feed to the local IX caused other ISPs’ routers participating in the IX to discover a shorter path of international routes going via my BGP router so the routers chose this new shorter path instead and outgoing traffic of these ISPs started to flow via my transit ISP! On the other hand, advertising IX routes to my transit was not a big problem since the path will be farther for their customers anyway, having to go via my BGP router first (that’s one AS further for the transit ISP’s customers to reach the IX routes, so BGP will not select it).

Fortunately I was able to spot the error immediately and placed BGP routing filters to include only my /21 IP block in the advertisements my BGP router sends to both the IX and transit. I also added an incoming BGP filter to discard a default route my transit IP includes in its BGP feed. This default route is not required since I get full BGP feed that is unfiltered.

Useful links:
http://www.mikrotik.com/testdocs/ros/2.9/routing/bgp.php
http://www.mikrotik.com/testdocs/ros/2.9/routing/filter.php
http://wiki.mikrotik.com/wiki/BGP_Case_Studies_1 — Route filters examples
http://wiki.mikrotik.com/wiki/Using_scope_and_target-scope_attributes — Important! Make sure that BGP neighbors are reachable via static routes for dynamic routes to be active (in the case of multihop BGP neighbors)
http://wiki.mikrotik.com/wiki/BGP_soft_reconfiguration_alternatives_in_RouterOS
Cisco’s BGP Reference

I’m a big fan of tcptraceroute. It’s a very useful tool for network administrators (in addition to the traditional traceroute). I had tcptraceroute installed on my MacBook via MacPorts, but later it stopped working (”libnet_write failed? Attempted to write 40 bytes, only wrote -1″ error message) due to libnet compatibility problem. I couldn’t find a fix to that problem so I searched for a similar tool to replace tcptraceroute for my MacBook. I found lft on Google. Apparently lft is more flexible and advanced than tcptraceroute. What makes lft even better than tcptraceroute? lft is included in Fedora Extras! Since I use Fedora Core for my servers, this is much better than having to use third-party repository (e.g. dries, dag, etc.)

Normally, I use the following syntax for lft:

lft -C -z -n -E -S google.com