Welcome to Mohammad Ali Sarbanha's official website, my home on the net: sarbanha.com (mohammad.ali@sarbanha.com).

My recent activities!



Tuesday, September 21, 2004  
Here is my website
 
These days I was busy with my website. I prepared it using JSP/Java/Servlets and NetBeans, but my provider still hadn't sent me information about the J2EE facilities of their hosting. I had to launch my website, so I moved to PHP for the first time.
PHP is like JSP, but it doesn't compile to a servlet or any other binary: PHP interprets a page each time it is requested and then generates the output. I found that it's very useful for making reports.
In PHP you just need to write your file as a text document, insert some PHP tags for your specific purposes, then pass that file to the PHP interpreter:

$ vi myfile.php
$ php myfile.php


Then it will show your text with the results of the PHP-processed data. I enjoyed using PHP; it's fast and powerful. You can find more information about PHP on its official website; the documentation is very good and is available in different formats.

PHP Website: http://www.php.net

 


Wednesday, September 15, 2004  
BLOCKING SPAM GENERATORS IP ADDRESSES ON QMAIL MTA
 
Well, today I studied some new points about blocking spam, and there are lots of ways to do it. I chose one; I don't know how efficient it is. I added some spice to my mail server. Let's see how....
There are lots of websites providing different types of databases that tell your spam blocker how to distinguish between spam and good e-mail.

Some ways are DNS lookups for bogus IP addresses, using dummy SMTP servers, using deferral SMTP daemons, and firewalling and blocking bogus spam senders. The way I chose today was blocking IP addresses in tcpserver, which handles my mail server services; tcpserver provides TCP connectivity for any TCP-based service. I should tell you that my mail server is installed on FreeBSD, so all the information given here is based on that OS.

Those who installed qmail following the Life with qmail directions will remember that to grant a specific network access to the SMTP server they do this:

echo '127.:allow,RELAYCLIENT=""' >> /etc/tcp.smtp
qmailctl cdb


Okay, http://www.spews.org provides a prepared cdb rule file that you can download from http://spfilter.openrbl.org/data/output/DEFAULT.qmail_uce.bz2 . Now you are ready to set it up: just add your network-specific settings, make a new cdb, then reload it into your server.
When you have downloaded DEFAULT.qmail_uce.bz2, use the bunzip2 command to decompress it and add it to the current tcp.smtp. Follow these steps:

bunzip2 DEFAULT.qmail_uce.bz2
# replace every "allow" keyword with "deny" (the author did this in vi; FreeBSD sed needs -i '')
sed -i '' 's/allow/deny/g' DEFAULT.qmail_uce
cat DEFAULT.qmail_uce >> /etc/tcp.smtp
qmailctl cdb

I kept my eyes on the server to see the changes; it blocks more than 2/3 of the spam on my network.
Remember that it's not the end: you should check http://www.spews.org/ occasionally for new updates.
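A safer way to fold a downloaded rule list into tcp.smtp, as an added example that is not part of the original post: it rewrites only the instruction field of each rule (a blanket s/allow/deny/ would also change the word inside variable values), refuses to import an empty-prefix default rule, and keeps the local relay rule in place. The tcprules line format, the argument order and the sample file are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: merge a downloaded tcprules
# blocklist into tcp.smtp without damaging the local relay rule.
# Assumptions (mine, not the post's): the list is in tcprules format, one
# "prefix:instruction[,VAR="value"...]" rule per line, and both paths are
# passed as arguments so the functions can be tried on sample files first.

# Rewrite only the instruction field of each rule. A rule with an empty
# prefix (":allow" or ":deny") is the tcprules default that applies to every
# client not matched elsewhere, so it is never imported.
convert_blocklist() {
    awk -F: '
        /^#/ || NF < 2 { next }          # skip comments and malformed lines
        $1 == ""       { next }          # empty prefix = default rule, skip
        {
            sub(/^allow.*/, "deny", $2)  # allow -> deny, drop its variables
            if ($2 ~ /^deny/) print $1 ":deny"
        }' "$1"
}

# Make sure the local relay rule is present, then append the converted list.
# tcprules matches an exact address first and then the longest prefix,
# regardless of file order, so the appended prefixes cannot shadow the
# 127. rule, but an exact address in the list would beat any prefix.
merge_blocklist() {
    list="$1"; rules="$2"
    grep -q '^127\.:allow' "$rules" 2>/dev/null ||
        printf '127.:allow,RELAYCLIENT=""\n' >> "$rules"
    convert_blocklist "$list" >> "$rules"
    # now rebuild the cdb, e.g. "qmailctl cdb" on a Life with qmail install
}

# Typical use after "bunzip2 DEFAULT.qmail_uce.bz2":
#   merge_blocklist DEFAULT.qmail_uce /etc/tcp.smtp && qmailctl cdb
```

Run convert_blocklist on the fresh download first and read its output before merging, so that a changed list format is noticed before the cdb is rebuilt.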
 


Saturday, September 11, 2004  
Custom Printer Paper size!
 
Have you ever tried to add a new paper size for your printer? Today I tried to define my fanfold paper size in Windows, and I thought it would be useful to share it with others.

Follow these steps to add a new paper size:
  1. Go to Start->Settings->Printers
  2. Select one of your printers (just select it with a single click)
  3. From menu bar select File->Server Properties
  4. Now you can add a new customized form size in the Forms tab

If you spend some more time there, you can find other useful things in that window.

 


Thursday, September 09, 2004  
New day! New problem!
 
Actually there was no problem today; I just finalized my other plan to provide a better service for the company's customers. In our network we provide two major services: first, dial-up Internet access; second, POP3 e-mail.

Currently, users from outside connect to our dial-up lines, which are low-quality analogue PSTN lines; we already have Internet access on new digital E1 lines, but e-mail users are still using the old service. It's been a long time that I have had this idea in my mind to move them all to the new digital lines instead of those old lines. I had a design; today I made it.

Yesterday, I installed my latest Firewall/Webcache, prepared with FreeBSD, the pf firewall and the SQUID web cache, and I decided to use it to let our e-mail users log in to the same network access server without having access to the Internet. I needed a private IP range to assign to mail users, so first of all I added a new IP pool to their group in the range 10.0.0.0/8, then enabled NATting on my firewall on one interface. It's a little bit strange to do NAT on one interface that also does routing and firewalling; it looks like a messy job. I added an alias on that interface and made an internal network with no route to the outside.

Well, this internal network was between my web server, name server and mail server. They were supposed to be on that network as well as on the public network, because users were going to access them through the 10.0.0.0/8 network. You may ask why I had to do NATting when all users and our network are in the same IP range and on the same physical network. I was thinking like this: I mean, I didn't add an IP alias to any of my servers; I just tried to use only NATting.




As you can see, users are supposed to access the other servers through the Proxy/Firewall. Because the DNS server resolves names to public IPs, I had to use NATting to give them access to the intranet servers. I tested the setting from the LAN: I set my computer's IP in the B.0.0.0/8 network and the gateway was B.0.0.1/8. It worked. I thought that it would be possible for dial-up users who connect to the access server to do the same, so I tried it with dial-up, and it didn't work! After an hour of investigating TCP/IP packets and traffic, I found a strange thing: my packets went through the firewall and were NATted correctly, but when they came back from the servers they looked for the B.0.0.0/8 network to reach the originating address. I couldn't find the reason and just tried different ways to see the differences; the only way that I found was to add an alias IP address in the B.0.0.0/8 range on the servers' interfaces. Now the servers are accessible from their public addresses, through the LAN and dial-up. But I'm still thinking about how it's possible!

 


Tuesday, September 07, 2004  
SQUID CACHE INSTALLATION
 
Nowadays, you can see that too many Internet resources are consumed by useless garbage like spam, virus traffic, circularly forwarded useless e-mails and many other things....

It's the administrator's job to reduce Internet traffic using the power of accelerators, caches, antispam tools and software like that....

Today I installed a new web-cache server, the most famous one: SQUID. About a year ago I installed one on OpenBSD on a Compaq ProLiant, but the server was not powerful enough to handle all the demands as fast as you could feel it. The company bought two Compaq G3 servers; I installed one as the corporate mail server using qmail on FreeBSD, and the last one, the one I was working on today, I used as the network gateway and firewall. I'm sure it can handle all the demands, so I'm not worried about that.

The reason I'm writing this is to give you some directions for making your own cache server. You can easily find more resources on the net to help you install SQUID and FreeBSD, and I don't want to duplicate all of them; I'll just give you some useful directions.

FreeBSD or OpenBSD?
I prefer to use OpenBSD because it's very fast and minimal, and I believe it's very secure, though FreeBSD is also good and secure; both are very stable. I use both of them, and when I work with OpenBSD I feel better; that's just the feeling.... I don't want to argue ;-) ...
OpenBSD has its own pf firewall, but on FreeBSD you have to install pf as a port and you may run into some difficulties, but it works.
The most important advantage of FreeBSD is that it can be installed on a Smart Array: if you want to install your OS on a new-generation server which uses Smart Array mirroring/RAID, you have to forget about OpenBSD, at least for the currently available versions.

Try to get the latest STABLE version of your OS and check the MD5 checksum, then install it once and see if everything is normal before continuing the procedure. The OS I recently used to install my SQUID was the FreeBSD 5.2.1 Release version.

http://www.freebsd.org/ is the official FreeBSD website and http://www.openbsd.org/ is for OpenBSD.

What else you need?
You need to get the pf port from http://pf4freebsd.love2party.net/ , but it's easier to install it through ports. You can follow my steps if you have your OS installed and connected to the Internet:

1. cd /usr/ports/security/pf
2. make

Then it will start downloading pf from http://pf4freebsd.love2party.net/

3. make install
4. cp /usr/local/etc/pf.conf.default /etc/pf.conf

Finished, now you have pf downloaded and installed, but your kernel is not yet capable of using pf: you need to rebuild and install a new kernel with pf support; see the FreeBSD documentation on compiling the kernel for more information. If you are not going to install a transparent webcache/proxy server you can skip the pf installation entirely.

You need to add these items to your kernel configuration file:

device bpf
options PFIL_HOOKS
options RANDOM_IP_ID

You don't need to memorize these items, because as soon as you install pf it will show you the items which must be enabled in your OS kernel. Then it will ask you whether it should make all the changes to your rc.conf file. I suggest you keep a copy of your rc.conf, but I usually trust it; it doesn't add too many lines to the rc.conf file. These items will be added to rc.conf:

pf_enable="YES"
pf_logd="YES"
pf_conf="/etc/pf.conf"

The installer might set pf_conf to a different location; check rc.conf and set the correct one. If you are following this document you should set it to "/etc/pf.conf".
Then save the following shell script as /etc/rc.d/pf and make it executable and read-only:

#!/bin/sh
# PROVIDE: pf
# REQUIRE: DAEMON
# KEYWORD: FreeBSD

/usr/local/etc/rc.d/pf start

IF YOU HAVE A BETTER SUGGESTION YOU ARE WELCOME TO SEND IT TO ME, AND I WILL REPLACE THIS SIMPLE SCRIPT WITH IT.

Installing SQUID
Before installing SQUID you just need to download its latest STABLE version from http://www.squid-cache.org . You can find lots of useful documents on that website; in particular, Squid puts its latest documentation in a well-formatted RTF file that you can get from http://squid-docs.sourceforge.net/latest/zip-files/book-rtf.zip . The version I used was squid-2.5.STABLE6.

When you have the gzipped tarball, unpack it under the /usr/local/src directory, following these steps:

1. mv squid-2.5.STABLE6.tar.gz /usr/local/src
2. cd /usr/local/src
3. tar xvfz squid-2.5.STABLE6.tar.gz
4. cd squid-2.5.STABLE6
5. Run ./configure --help to see the configuration options, select the options which suit your needs, then run ./configure to make your squid source ready for compilation and installation
6. make
7. make install

Now you have squid installed in /usr/local/squid, but if you chose another installation directory using the --prefix=[...directory...] option, you will find it in that directory.

OK! Installation is over; you just need some configuration to get your SQUID running.

Decide whether you need to install a transparent cache server or a normal one. It's easy to ask your users to use the proxy by setting up their browsers, but the beauty of your job is to make your users' lives easier: installing SQUID as a transparent proxy needs more steps, but your users get about 10% better Internet speed.

Then select a directory to lay out your webcache file system in; it must be big enough to fit your cache needs. I usually use a separate partition mounted as /cache, then give its ownership to nobody:nobody.
The same ownership must be given to the /usr/local/squid/var/ directory and its subdirectories.

Configuring SQUID
Five magic directives are used to set up your SQUID as a transparent webcache (in squid.conf a directive is separated from its value by a space, not an equals sign, and the accelerator directives are spelled httpd_accel_*):

1. http_port 3128
2. httpd_accel_host virtual
3. httpd_accel_port 80
4. httpd_accel_with_proxy on
5. httpd_accel_uses_host_header on

You should do these modifications in /usr/local/squid/etc/squid.conf.

NOTE: Remember that your newly installed SQUID will never grant access to any HTTP request. You need to find the line http_access deny all and add these lines before it:

# replace your network range below
acl myNetwork src 10.0.0.0/255.0.0.0
http_access allow myNetwork

IMPORTANT: If you allow all ranges to have access to your proxy, after a very short time you will see too much traffic on your network; there are lots of people looking for free open proxies to gain access to porn sites or even websites which they normally cannot access.

Find the cache_dir tag and set it like this:

cache_dir ufs [cache dir you prepared] [cache size in MB] 16 256

You can change 16 and 256 (the number of first- and second-level subdirectories); you can find more useful information about these settings in squid.conf itself. These numbers depend on your needs and server configuration.
SQUID configuration is finished, unless you want to make some additional modifications.
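The two access mistakes warned about above are easy to make and squid will start happily with either of them. Here is an added pre-flight check (my own example, not from the original post or from the Squid project) that reads a squid.conf and reports an allow rule placed after http_access deny all (squid uses the first matching http_access line, so such a rule never fires) and any allow that opens the proxy to everyone. The config path and the exit-status convention are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: check squid.conf for the
# access mistakes the post warns about. The exit status is the number of
# findings, so it can gate a startup script. Assumption: standard squid.conf
# syntax, "acl NAME src RANGE" and "http_access allow|deny NAME".
check_squid_access() {
    awk '
        BEGIN { bad = 0 }
        # remember the address range of every "acl NAME src RANGE"
        $1 == "acl" && $3 == "src" { src[$2] = $4 }
        # the final catch-all: anything allowed after it is dead configuration
        $1 == "http_access" && $2 == "deny" && $3 == "all" { deny_all = NR; next }
        $1 == "http_access" && $2 == "allow" {
            if (deny_all) {
                print "WARN line " NR ": allow " $3 " comes after deny all, never matches"; bad++
            }
            if ($3 == "all") {
                print "WARN line " NR ": http_access allow all makes this an open proxy"; bad++
            }
            if (($3 in src) && src[$3] ~ /^0\.0\.0\.0\/(0|0\.0\.0\.0)$/) {
                print "WARN line " NR ": acl " $3 " is " src[$3] ", an open proxy"; bad++
            }
        }
        END {
            if (!deny_all) { print "WARN: no final http_access deny all"; bad++ }
            exit bad
        }' "$1"
}

# Typical use before starting squid (path from the post):
#   check_squid_access /usr/local/squid/etc/squid.conf || echo "fix squid.conf first"
```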

Now you need to create your cache file system structure; use this:

/usr/local/squid/sbin/squid -z

Wait until it finishes the job; it may take several minutes. Keep your eyes on your hard drive: if you don't see any activity on your HDD, maybe your system is hung!
If your installation is clean and good you shouldn't face any strange problems. A problem in installation is likely to be because of one of three things:

1. Starting squid before creating the cache filesystem with squid -z
2. Mistyping a setting in squid.conf
3. Problems with the cache or log directories, such as missing ownership/access assignment of these directories to user nobody:nobody

If you are sure about what you did, you might need to do some googling to find more information.
To do the final check, run squid from the command line:

/usr/local/squid/sbin/squid

Then go to one of your clients on the network and set its browser to use your cache server as a proxy on port 3128. On the server you can use the tail command to monitor access.log:

tail -f /usr/local/squid/var/logs/access.log

If you followed the steps from the beginning, your server should work properly. Is everything OK?
If yes, we are now about to run it during system startup. Save the following shell script as /etc/rc.d/squid :


#!/bin/sh
# PROVIDE: squid
# REQUIRE: DAEMON
# KEYWORD: FreeBSD

. /etc/rc.subr

name=squid
rcvar=`set_rcvar`
command="/usr/local/squid/sbin/${name}"
pidfile="/usr/local/squid/var/logs/${name}.pid"

load_rc_config $name
run_rc_command "$1"


Make it executable and read-only!
Then add this line to rc.conf:

squid_enable="YES"

Okay! Have fun, restart your server and see what happens!
Without logging in, your client, the one you set up before, should be able to browse the net.

Make it transparent
Step one is to set up your server as a gateway: use sysinstall to enable the Gateway feature during startup; see the FreeBSD e-Book to find out more.
Step two is to add this line to /etc/pf.conf :

rdr on bge0 proto tcp from any to any port 80 -> 127.0.0.1 port 3128

NOTE: Substitute the name of your working LAN adaptor for bge0 in this example.
NOTE: If you have other settings in pf.conf, it's important to insert the line in its correct place (translation rules such as rdr must come before the filter rules).

Now restart your server. Then go to your client, set its gateway address to your new server and remove the proxy settings from its browser. Use traceroute to make sure it routes correctly, then browse the net. If you monitor /usr/local/squid/var/logs/access.log using the tail command you will see log lines rolling by as you browse. Be sure that your browser is not still using the previous proxy setting.
If everything looks normal on your client, try all the Internet services to be sure, and then you can use your server as the gateway.

This document does not cover all the issues, but at least you can experience installing your own webcache server. I hope this can be of help to people looking for shortcuts.

 





Copyright 2004, All rights reserved.