Aug 16 2010

Fortigate Dialup VPN Client Do Not Get DHCP Lease

Published by under Fortinet

We use Fortinet's VPN client, FortiClient, to connect to our Fortigate firewall over IPSEC. We'd like to give clients a DHCP address so we have nothing to manage other than user authentication.

Dialup VPN clients do not seem to get an IP address, although a DHCP pool is created and "DHCP-IPsec" is checked in the phase-2 VPN settings. An IPSEC ESP error is also raised in the Fortigate's event log.
Setting a static IP address on the client does connect.

The firewall receives the DHCP requests, but the offers are not sent back into the IPSEC tunnel. To solve this, an additional firewall rule needs to be added to encrypt the DHCP traffic, and DHCP traffic only, from the inside to the outside interface.
Leave the source and destination addresses set to "any", as this is a layer 2 issue: the client hasn't been delivered an IP address yet. Set the service to DHCP, the action to IPSEC, and select the appropriate VPN tunnel.

The screenshot was taken on a Fortiwifi, but the configuration is the same on any Fortigate. IPSEC clients should now get a dynamic IP address through DHCP.

Fortigate DHCP IPSEC firewall rule
 

2 responses so far

Aug 12 2010

Backup a Directory when Modified

Published by under Backup,Linux

I use this script to keep a full local backup of my tftp directory hosted on Linux. It keeps the archive only if some of the files were modified. It lets me restore more quickly than a heavy backup suite, which can still be used alongside it to secure the backup elsewhere.
The shell script can be run on any directory. Here are the files produced on my TFTP server:

[root@tftp_server backup]$ ls -l
-rw-r----- 1 tftp tftp   124200 May  1 04:04 tftp-20100501.tgz
-rw-r----- 1 tftp tftp  2108159 May 13 04:04 tftp-20100513.tgz
-rw-r----- 1 tftp tftp  2108165 May 18 04:04 tftp-20100518.tgz
-rw-r----- 1 tftp tftp  2108442 May 20 04:04 tftp-20100520.tgz
-rw-r----- 1 tftp tftp  2108545 Jun  1 04:04 tftp-20100601.tgz
-rw-r----- 1 tftp tftp   126382 Jun  3 04:04 tftp-20100603.tgz
-rw-r----- 1 tftp tftp   126426 Aug  5 04:04 tftp-20100805.tgz
-rw-r----- 1 tftp tftp   126485 Aug  7 04:04 tftp-20100807.tgz
-rw-r----- 1 tftp tftp   126486 Aug 11 04:04 tftp-20100811.tgz

 
Run the script from a cron job and it is fully automated, once every day.

#!/bin/bash

# Change these settings to your needs
dir_to_backup=/tftpboot
# Backup path and file names
backup_dir=/tmp/backup
backup_file=tftp
# Zipped tar output file
of=$backup_dir/$backup_file-$(date +%Y%m%d).tgz
# Backup file owner and group owner
owner=tftp
gowner=tftp
tmpfile=/tmp/$backup_file.tar
# Number of backup versions to keep
backup_number=24

# Backup
mkdir -p "$backup_dir"
# Stop here rather than archiving the wrong directory if the source is missing
cd "$dir_to_backup" || exit 1
# Split tar and zip commands
# to create identical archives with the same checksum
# if files have not changed
tar cf "$tmpfile" .
# Archive is removed if checksum identical to last archive.
# gzip -n does not store the file name or timestamp, which keeps the checksum
# consistent across the days
gzip -cn "$tmpfile" > "$of"
rm -f "$tmpfile"
chmod 640 "$of"
chown "$owner:$gowner" "$of"

# Remove new archive if last backup checksum is identical.
# Only compare when two archives exist, otherwise the very first backup
# would match itself and be deleted.
latest=$(ls -1t "$backup_dir/$backup_file"-*.tgz | head -2)
[ "$(echo "$latest" | wc -l)" -eq 2 ] \
&& [ "$(echo "$latest" | xargs md5sum | awk '{print $1}' | uniq | wc -l)" -eq 1 ] \
&& rm -f "$of"

# Remove older versions
# Keep the last $backup_number files
ls -1rt "$backup_dir/$backup_file"-*.tgz \
  | head -n -"$backup_number" \
  | xargs rm -f


Another way would be to retrieve the date of the last backup, search the directory for files modified since then, and create the archive only if any are found.
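The mtime-based alternative described above, as an added example that is not the post's script: it looks for anything under the source tree newer than the most recent archive and only then writes a dated archive. The directory paths and the archive prefix are arguments chosen by the caller; nothing here is specific to tftp.

```shell
#!/bin/bash
# Added example (not the post's script): back up a directory only when
# something under it changed since the newest existing archive.
# Paths and the archive prefix are arguments; nothing here is specific to tftp.

# Print the newest "$2-*.tgz" archive in directory $1, or nothing if none exists.
latest_archive() {
  ls -1t "$1"/"$2"-*.tgz 2>/dev/null | head -n 1
}

# Succeed (return 0) when a backup is needed: either no archive exists yet or
# something under $1 has an mtime newer than archive $2. File mtimes catch
# content edits; directory mtimes catch files added or removed (so the archive
# directory must live outside the backed-up tree).
backup_needed() {
  local dir=$1 last=$2
  [ -z "$last" ] && return 0
  [ -n "$(find "$dir" -newer "$last" | head -n 1)" ]
}

# Write $backup_dir/$name-YYYYMMDD.tgz when backup_needed says so.
# Returns 0 and prints the archive path when written, 1 when skipped.
# gzip -n is kept from the post so unchanged content yields identical bytes.
backup_if_modified() {
  local dir=$1 backup_dir=$2 name=$3 last of
  last=$(latest_archive "$backup_dir" "$name")
  backup_needed "$dir" "$last" || return 1
  mkdir -p "$backup_dir"
  of=$backup_dir/$name-$(date +%Y%m%d).tgz
  tar -C "$dir" -cf - . | gzip -n > "$of"
  chmod 640 "$of"
  echo "$of"
}
```

Run it from cron as `backup_if_modified /tftpboot /tmp/backup tftp`; the pruning of old versions from the post's script applies unchanged.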

The script would need some minor adjustments to run on MacOS, where the checksum command is md5 instead of md5sum and its output format differs.

 

No responses yet

Jul 23 2010

Download SNMP Files for Windows

Published by under Windows

You want to enable the SNMP feature on Windows 2003 Server or Windows XP but no longer have the installation CD. Here you will find the list of files required for SNMP, available for download.
They should also work on Windows XP.

Exhaustive download file list:

accserv.mib   evntwin.exe   ipforwd.mib   mripsap.mib
smi.mib       apver.vbs     ftp.mib       lmmib2.dll
msft.mib      snmp.exe      authserv.mib  hostmib.dll
lmmib2.mib    msipbtp.mib   snmpmib.dll   dhcp.mib
hostmib.mib   mcastmib.mib  msiprip2.mib  snmptrap.exe
evntagnt.dll  http.mib      mib_ii.mib    nipx.mib
wfospf.mib    evntcmd.exe   inetsrv.mib   mipx.mib
rfc2571.mib   wins.mib

 
Download SNMP files
Extract the archive and, when installing SNMP on Windows, browse to the directory the files were extracted to.

Also download files for IIS 6 installation on Windows XP and Windows 2003 Server.

 

44 responses so far

Jul 23 2010

Download IIS 6 Files for Windows

Published by under Windows

You want to install the IIS feature on Windows 2003 Server or Windows XP but no longer have the installation CD. Here you will find the list of files required for IIS 6, available for download.
They should also work on Windows XP.

Exhaustive file list:

asp.mfl                      iiswmi.mof    w3ctrs.ini     winfoctrs.h2_
asp.mof                      inetmgr.exe   w3dt.dll       winfoctrs.in_
axctrnm.h2_                  infoadmn.dll  w3dt.mfl       wisapips.dll
axperf.ini                   infoctrs.dll  w3dt.mof       wiscomlog.dll
browscap.ini                 infoctrs.h    w3isapi.dll    wlogscrpt.dll
certobj.dll                  infoctrs.h2_  w3isapi.mfl    wlogui.ocx
cfscommonuifx.resources.dl_  infoctrs.ini  w3isapi.mof    wlonsint.dll
davcdata.exe                 isapips.dll   w3tp.dll       wNEXTLINK.dll
davcprox.dll                 isatq.dll     wam.dll        wnntpadm.dll
exstrace.dll                 iscomlog.dl_  wamps.dll      wrpcref.dll
gzip.dll                     langpack.exe  wamreg.dll     wseo.dll
httpmib.dll                  logscrpt.dll  wamregps.dll   wsmtpapi.dll
httpodbc.dll                 logtemp.sql   wasp.mf_       wssinc.dll
IIS6.CAB                     logui.ocx     wasp.mo_       wstaxmem.dll
iisadmin.mfl                 lonsint.dll   waxctrnm.h2_   wuihelper.dll
iisadmin.mof                 NEXTLINK.dll  waxperf.in_    ww3cache.dll
iisapp.vbs                   nntpadm.dll   wbrowscap.in_  ww3core.mf_
iisback.vbs                  nntpsnap.cnt  wcertobj.dll   ww3core.mo_
iisclex4.dll                 nntpsnap.hlp  wdavcdata.exe  ww3ctrlps.dll
iiscnfg.vbs                  rpcref.dll    wdavcprox.dll  ww3ctrs.dl_
iisext.vbs                   rwnh.dll      wexstrace.dll  ww3ctrs.h2_
IIsFtpdr.vbs                 seo.dll       wgzip.dll      ww3ctrs.in_
IIsFtp.vbs                   smtpapi.dll   whttpmib.dll   ww3dt.dl_
iislog.dll                   smtpsnap.cnt  whttpodbc.dll  ww3isapi.dl_
iis.msc                      smtpsnap.hlp  wiislog.dll    ww3isapi.mf_
iismui.dll                   ssinc.dll     wiis.ms_       ww3isapi.mo_
iisres.dll                   staxmem.dll   wiismui.dll    ww3tp.dll
iisreset.exe                 svcext.dll    wiisres.dll    wwam.dll
iisrstap.dll                 uihelper.dll  wiisreset.exe  wwamps.dll
iisrstas.exe                 w3cache.dll   wiisrstap.dll  wwamreg.dll
iis_switch.vbs               w3core.mfl    wiisrtl.dll    wwamrgps.dll
iisvdir.vbs                  w3core.mof    winetmgr.exe
iisweb.vbs                   w3ctrlps.dll  winfoadmn.dll
iiswmi.mfl                   w3ctrs.h2_    winfoctrs.dll

 

Download IIS files
When installing IIS, browse to the directory the files were downloaded to.

Also download files for SNMP installation on Windows XP and Windows 2003 Server.

 

4 responses so far

Feb 09 2010

Display Network Stats on Linux with Iptables

Published by under Linux

As with any firewall, iptables can report network statistics. The -v (--verbose) option together with the list switch (-L) shows packet and byte counters.
Stats are available on a per-rule basis. Here is an example on the INPUT chain:

[stats@linux_server]$ sudo iptables -nvL INPUT
Chain INPUT (policy DROP 74941 packets, 7900K bytes)
 pkts bytes target prot opt in out source    destination
1392K  543M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
1179K  680M ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
   10   524 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
   25  1200 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:21
 5372  260K ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:80
 5842  280K ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:3306 /* Mysql */
   97  4536 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:9999 /* APP */
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:69 /* TFTP */
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:161 /* SNMP requests */
   73  4380 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0   icmp type 8

 
In this example, you could split the RELATED,ESTABLISHED state rule by port to get more detailed numbers.

There is no need to restart iptables to reset the packet and byte counters; the built-in -Z (--zero) flag does it for you:

[stats@linux_server]$ sudo iptables -Z INPUT
[stats@linux_server]$ sudo iptables -nvL INPUT
Chain INPUT (policy DROP 74945 packets, 7901K bytes)
 pkts bytes target prot opt in out source    destination
    0     0 ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
    7   436 ACCEPT all  --  *  *   0.0.0.0/0 0.0.0.0/0   state RELATED,ESTABLISHED
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:21
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:80
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:3306 /* Mysql */
    0     0 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:9999 /* APP */
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:69 /* TFTP */
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:161 /* SNMP requests */
    0     0 ACCEPT icmp --  *  *   0.0.0.0/0 0.0.0.0/0   icmp type 8

 
On top of doing its firewall job, and even if you don't otherwise make use of it, iptables can help you pinpoint the root cause of network congestion, or simply report what is going in and out of your servers.
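Zeroing with -Z is destructive for every other reader of the counters, so a common alternative is to save two -nvL listings and subtract. The following is an added example, not from the post: it reduces a saved listing to bytes per rule (keyed by the rule's comment or port) and prints the growth between two snapshots. The two snapshots are constructed to look like the listings above.

```shell
#!/bin/bash
# Added example, not from the original post: reduce `iptables -nvL` output to
# "bytes per rule" and take the difference between two snapshots, which gives
# per-port growth without -Z (zeroing resets the counters for every other reader).

# Two constructed snapshots of the INPUT chain, shaped like iptables -nvL output.
sample_before() { cat <<'EOF'
Chain INPUT (policy DROP 74941 packets, 7900K bytes)
 pkts bytes target prot opt in out source    destination
1392K  543M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
   10   524 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
 5842  280K ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:3306 /* Mysql */
    0     0 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:161 /* SNMP requests */
EOF
}
sample_after() { cat <<'EOF'
Chain INPUT (policy DROP 74950 packets, 7901K bytes)
 pkts bytes target prot opt in out source    destination
1401K  545M ACCEPT all  --  lo *   0.0.0.0/0 0.0.0.0/0
   20  1048 ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:22
 5860  281K ACCEPT tcp  --  *  *   0.0.0.0/0 0.0.0.0/0   state NEW tcp dpt:3306 /* Mysql */
    1    96 ACCEPT udp  --  *  *   0.0.0.0/0 0.0.0.0/0   udp dpt:161 /* SNMP requests */
EOF
}

# Print "<key> <bytes>" per rule of a saved -nvL listing ($1, or stdin).
# Key: the /* comment */ (spaces -> _), else "<proto>:<dpt>", else a fixed name.
# -v prints K/M/G suffixes with 1000 multipliers; to_bytes expands them.
rule_bytes() {
  awk '
    function to_bytes(v, n) {
      n = v + 0
      if (v ~ /K$/) n *= 1000
      else if (v ~ /M$/) n *= 1000000
      else if (v ~ /G$/) n *= 1000000000
      return n
    }
    /^Chain / || /^ *pkts +bytes/ || NF == 0 { next }
    {
      key = "rule" FNR
      if (match($0, /\/\* .* \*\//)) key = substr($0, RSTART + 3, RLENGTH - 6)
      else if (match($0, /dpt:[0-9]+/)) key = $4 ":" substr($0, RSTART + 4, RLENGTH - 4)
      else if ($0 ~ /RELATED,ESTABLISHED/) key = "established"
      else if ($6 == "lo") key = "loopback"
      gsub(/ /, "_", key)
      print key, to_bytes($2)
    }' "$@"
}

# Print "<key> <byte growth>" between an older ($1) and a newer ($2) listing.
rule_delta() {
  local a b
  a=$(mktemp) b=$(mktemp)
  rule_bytes "$1" > "$a"; rule_bytes "$2" > "$b"
  awk 'NR == FNR { before[$1] = $2; next } { print $1, $2 - before[$1] }' "$a" "$b"
  rm -f "$a" "$b"
}
```

With real data, save `iptables -nvL INPUT > snap1`, wait, save `snap2`, and run `rule_delta snap1 snap2`.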

 

No responses yet
