In my own words...

By Justin Fielding ·
Tags: Off Topic
blog root


It's virtual reality!!!

by mrostanski In reply to It's virtual reality!!!

Hi!
I've been wondering - you mention XP... how about Win2003? Have you run
tests with Microsoft's VirtualPC also? We are using VPCs for computer
labs (student practice) in our Academy, and we have _serious_
problems with Win2003 Server performance, I wonder if vmware results
will differ..

Maciej


It's virtual reality!!!

by Justin Fielding In reply to It's virtual reality!!!

I can't say I have had any problems with Windows Server 2003 in a
VMware VM.  I guess it depends what hardware resources you have on
the host machine, and what resources the guest OS requires.


Video Conferencing woes?

by Justin Fielding In reply to In my own words...

I have been experiencing some problems with our Video Conferencing
(VC) equipment. Making calls from unit to unit within the organisation is no
problem--our sites are all inter-linked by IPSec tunnels so all traffic is
internal. The problem arises when trying to make a call from one site to
another, via external IP addresses. The call is made on unit A, and unit B
rings. When the call is picked up on unit B, the session is not created, no
audio/video link is created, and unit A does not recognise that the call has
been accepted. I looked into my firewall configuration, and I had allowed all
of the port ranges mentioned in the manuals. I also redirected those ports to
the conferencing unit so that incoming attempts would be delivered directly.<br />
<p>This all seemed ok, so I also checked the firewall logs while
attempting to make a call; nothing was being blocked. While this wouldn't have
been a problem 3 weeks ago (because all of the VC traffic was internal), people
now want to receive VC calls from external companies. Doh!</p>


After a lot of googling and reading mailing list archives, I
found references to issues with the H.323 set of protocols and firewalls. It
seems this is also the protocol set used by Microsoft Netmeeting, so there was
quite a bit of information on the subject. I checked the manuals of our VC
units and, sure enough, they do use H.323--great. There is a silver lining; as I mentioned
before, this is a very popular standard. It actually means that VC systems made
by different manufacturers can still speak to each other. I called one of our
Sony units from Netmeeting on my laptop and it worked quite well (type conf.exe
in your 'Run' box).


A bit more googling and I found two open source solutions;
both are basically proxies which sit between both end points and deal with
incoming / outgoing connectivity. <a href="http://openh323proxy.sourceforge.net/">OpenGatekeeper H.323 Proxy</a> is
one of these, <a href="http://www.cryogenic.net/nmproxy.html">NMproxy</a> is
the other. Because of its simplicity and BSD compatibility, I have chosen to
take a closer look at nmproxy.<br />
<p>I don't want to modify our existing gateway/firewall
machines with un-tested software, so I'll create a lab environment using <a href="http://www.vmware.com/">VMware Workstation</a> as I mentioned in my
previous blog.</p>


<p><strong>The Plan:</strong></p>


<p> Set up a test environment to emulate a Video Conference call
between two firewalled networks.</p>


<ul>
<li>Build two firewalls (OpenBSD)</li>
<li>Compile and configure nmproxy</li>
<li>Build two internal clients (Windows XP)</li>
<li>Netmeeting + Webcams (one on each client) can be used for testing the H.323 proxy</li>
</ul>


<p>Thanks to the 'clone' feature on VMware, I don't actually
need to build 4 separate machines from scratch. I'll install OpenBSD (to show
people how simple this OS is to install and configure), compile nmproxy, then
clone it to create a replica and simply edit the machine configuration (IP
details, hostname etc). As I use VMware frequently for testing, I already have
a 'virgin' Windows XP image ready to use/clone; I assume everyone reading knows
how to install Windows.</p>


<p>I know this may sound a bit drawn out, but if you want to be
serious about security then you need to test new configurations in a secure
environment, not just give it a go on live systems and hope for the best!</p>
<p>Tune in again on Wednesday and we'll install OpenBSD...</p>


Video Conferencing woes?

by Lon Jones In reply to Video Conferencing woes?

On our Video Conferencing (VC) equipment in the H.323 advanced settings there should be a setting for NAT (Network Address Translation). Setting this on and listing the external IP address for the unit should resolve the problem. If there is an auto setting, you can try that, but I have found it works best with the actual IP as seen from outside the firewall.


Video Conferencing woes? Installing OpenBSD

by Justin Fielding In reply to In my own words...

<b><u>Let's do it: Building an OpenBSD firewall</u></b>


<p class="MsoNormal">Ok, first step is to build one OpenBSD firewall. I promised
before that I would write a tutorial on creating an OpenBSD gateway/VPN server
if there was any interest. Since there were a few people interested in the
idea, this can be counted as the initial instalment. While the purpose of this
article is not to set up a VPN gateway, it will show you how to install OpenBSD
and therefore, this can be considered a general reference for initial OpenBSD
installation. I'll give as much detail as I think is needed, if you haven't
installed this before, it can be quite daunting. If there's anything which is
unclear and isn't mentioned in the <a href="http://www.openbsd.org/faq/index.html">official FAQ</a>, let me know and
I'll cover the area again later on.</p>


<p class="MsoNormal">I'm installing from a CD of version 3.7; 3.8 will be out on
the 1<sup>st</sup> November but the install procedure won't change.</p>


<p class="MsoNormal">Setting up the VMware virtual machine:</p>
In VMware Workstation, start the new machine wizard with <b>File > New > Virtual Machine</b>. Select
the typical configuration, Guest Operating System is <b>Other</b> and version is also <b>Other</b>.
Give the machine a name--'OpenBSD A' in my case--then set the location for
storing the virtual machine files (any place you have space). For network type
I'm selecting 'Do not use a network connection'; I'll explain why later. The
default disk size of 4GB will be ok; tick the box 'Split disk into 2GB files' as this will stop
any problems with large files on a FAT filesystem (in case you want to copy the
image to a FAT formatted disk at some point). As I noted previously, VMware
will require a lot of disk space and quite a bit of RAM; this test lab will use
about 16GB of disk space and 320MB of RAM while running, but with a 250GB SATA
hard disk costing me £65 (approx. $115) and 1GB of RAM £50 (approx. $90), this
doesn't really bother me. Click finish and you will be presented with your VM
overview.<br />

<p class="MsoNormal"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/vidconfa.jpg" /></p>


<p class="MsoNormal">As you can see, this defaults to allocate 256MB of RAM, and that's
way too much. We can run OpenBSD on 32MB of RAM without problems. If you click
on 'Edit virtual machine settings' then you can change the memory allocation to
32MB. We can also now add our network support, the reason I didn't set this up
earlier is that we want two network adaptors on different physical networks
(for all intents and purposes this represents the 'Internet' and 'Internal'
networks). Still in the virtual machine settings, click on 'Add' and the add
hardware wizard will start. Select <b>Ethernet
Adaptor</b>, then <b>Custom: VMnet5</b>.</p>
<img alt="" src="http://techrepublic.com.com/i/tr/blog_img/vidconfb.jpg" /><br />
<p class="MsoNormal">Do this again to add the second adaptor, but this time
select <b>VMnet6</b>.</p>


<p class="MsoNormal">Your virtual machine will now look like this:</p>


<img alt="" src="http://techrepublic.com.com/i/tr/blog_img/vidconfc.jpg" /><br />
<p class="MsoNormal">Pop in your CD, power on the virtual machine, and we're
ready to go.</p>


<p class="MsoNormal">At the <b>boot> </b>prompt
just hit enter.</p>


<p class="MsoNormal">When prompted, just type<b>
I </b>for Install, accept the default terminal type (just hit enter). Select
your keyboard map, or stick with the default, then type <b>yes</b> when asked if you want to proceed with the install. We now come
to setting up the hard disk, not as straightforward as a Windows installation,
but easy once you know how. The default disk will be shown as wd0; accept this
as the root disk. When asked if you want to use the whole disk for OpenBSD, say
<b>yes</b>. We will now be dropped in to
the partition editor where we can decide how to allocate the disk space.</p>


<p class="MsoNormal">Simple commands:</p>


<ul type="disc">
<li class="MsoNormal">p - display or 'print' the current partition setup</li>
<li class="MsoNormal">d 'x' - delete partition 'x'</li>
<li class="MsoNormal">a 'x' - add partition 'x'</li>
</ul>


<p class="MsoNormal">Take a look at the current partitions:</p>
<b>> p</b><br />
<br />
You will see two partitions, a and c. Partition c always
stays, it simply shows the physical disk. Remove partition a and then print to
check that it's gone:

<p class="MsoNormal"><b>> d a</b></p>


<p class="MsoNormal"><b>> p</b></p>


<p class="MsoNormal">Now we need to plan our partitions, there is a 4GB disk and
we don't plan on installing much more than the base install. I would say to use
something like:<br />
<br />
/ 250MB<br />
Swap 64MB (twice the RAM)<br />
/tmp 1000MB<br />
/usr 1500MB (allow for source and user installed programs)<br />
/var 1250MB (logs etc)</p>


<p class="MsoNormal">So, to create the root partition:</p>


<p class="MsoNormal"><b>> a a</b></p>


<p class="MsoNormal"><b>offset: [63]</b></p>


<p class="MsoNormal"><b>size: [8385867] 250M</b></p>


<p class="MsoNormal"><b>Rounding to nearest
cylinder: 512001</b></p>


<p class="MsoNormal"><b>FS type: [4.2BSD]</b></p>


<p class="MsoNormal"><b>mount point: [none] /</b></p>


<p class="MsoNormal">The offset and FS type should be left as default (just hit
enter). Next the swap partition (swap is always b), don't worry about the FS
Type, it will always offer swap as the default for partition b. You can't use <b>c </b>as this is the disk, so from <b>b </b>move on to <b>d. </b>Once you have made all of your partitions, view them (<b>> p</b>) and they should look like
this: </p>


<p class="MsoNormal"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/vidconfd.jpg" /></p>


<p class="MsoNormal">Confirm by typing:</p>


<p class="MsoNormal"><b>> q</b></p>


<p class="MsoNormal"><b>Write new label?: [y] yes</b></p>


<p class="MsoNormal">When prompted to confirm the mount points simply type <b>done</b> and you will pass to the next
stage. OpenBSD will show you the partitions which you have chosen to create and
ask you whether you want to proceed, of course the answer is <b>yes</b>. You will now see the partitions
being created and formatted.</p>


<p class="MsoNormal">When asked for the system hostname, I have chosen to call
this <b>GatewayA</b>, accept the default of
configuring the network now (this gets it out of the way). We have adaptors <b>le1</b> and <b>le2</b>; let's go with the default and configure <b>le1 </b>first: </p>


<p class="MsoNormal"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/vidconfe.jpg" /></p>


<p class="MsoNormal">As you can see, I have set <b>le1</b> to be our virtual internet network and <b>le2</b> will represent our internal network. The nameserver and default
route would normally be those provided by your ISP or those of your internet
router. Don't edit hosts with ed and don't do any manual configuration. Set the
root passwords and you will be asked where to install from; simply type <b>c</b> for (c)drom and then keep the default
options for the device name and file path.</p>


<p class="MsoNormal">The package selection screen is shown next, by default all
of the essential package groups are selected, all those with 'x' at the
beginning relate to x-windows, as we don't want these installed, we simply type
<b>done</b> to continue. You will confirm
that you are ready to install and then the packages will be copied from the
disk. A second chance to install sets will be given; simply hit enter to accept
the default (<b>done</b>). Do the same for
any following questions, except whether you expect to run x-windows--the answer
to that one is <b>no</b>.</p>


<p class="MsoNormal">Set your time zone (in my case <b>Europe/London</b>).</p>


<p class="MsoNormal">That's it, done. You now have to remove the CD, reboot and a
fresh OpenBSD installation has been completed! That wasn't too bad was it!</p>


<p class="MsoNormal">In next week's instalment we will finish the gateway
configuration, compile / install nmproxy and then clone the gateway to create <b>GatewayB</b>.</p>


The office is open?

by Justin Fielding In reply to In my own words...

An article in Computer Weekly mentioned that Bristol council will be
migrating 5500 desktops to <a href="http://www.sun.com/software/star/staroffice/features.jsp">Sun's
StarOffice suite</a>. Even taking into
account the cost of converting existing documents and two half-day courses for
users, they stand to make massive savings over Microsoft Office.


<p>StarOffice is developed by Sun, here is their sales
description "Enhanced usability, compatibility, interoperability, new XML File
Format, and more developer features and tools all combine to make StarOffice 8
the best office suite value by far." The
cost is $69.99, a heck of a lot cheaper than Microsoft, but how about something
that's free? OpenOffice is the open
source suite which StarOffice is based on, take a look <a href="http://www.openoffice.org/FAQs/mostfaqs.html#6">here</a> to see what you
don't get with OpenOffice (nothing that I would miss).<br />
<br />
<a href="http://www.openoffice.org/">OpenOffice2</a> is now available
for download!</p>Give it a go?


VC project continued: gateway configuration/installing nmproxy

by Justin Fielding In reply to In my own words...

<p class="MsoNormal">Ok, so we now have an OpenBSD gateway, let's make it useful.</p>
<p class="MsoNormal">I took the nmproxy source code and created an ISO with it (I used UltraISO; you may have your own preferred method). It's then possible to mount the ISO, making it appear as a drive in your VM.</p>
<p class="MsoNormal"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_A.jpg" /></p>
<p class="MsoNormal">You can then mount the drive in OpenBSD:</p>
<p class="MsoNormal"><a href="i/tr/blog_img/1109_B.jpg"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_B.jpg" /><br /></a></p>Create a directory and copy the source code:
<p class="MsoNormal"><b># mkdir /usr/src/nmproxy<br /># cp -R /mnt/cd/nmproxy /usr/src/</b></p>
<p class="MsoNormal">Now compile:</p>
<p class="MsoNormal"><b># make -f ./Makefile.OpenBSD</b></p>
<p class="MsoNormal">If you don't get any nasty errors, install:</p>
<p class="MsoNormal"><b># ./nmproxy_install</b></p>
<p class="MsoNormal">There you go, now we just need to set up <a href="http://www.openbsd.org/faq/pf/index.html">Packet Filter</a>, edit a few configuration files, and we are ready to clone. I will assume from now on that you are familiar with Linux and the vi editor. If not, then look <a href="http://members.tripod.com/%7Etariqnazir/vi_intro.htm">here</a>.</p>
<p class="MsoNormal">First let's allow IP forwarding by editing <b>/etc/sysctl.conf</b> and removing the <b>#</b> comment in front of <b>net.inet.ip.forwarding=1</b>. Save the file and now open up <b>/etc/rc.conf</b> search for <b>pf=NO</b> and change it to <b>pf=YES</b>.</p>
<p class="MsoNormal">You can pretty much follow the default setup for PF; the following lines need to be added for nmproxy:</p>
<pre><a name="Firewall"></a><b># Redirect port 1720
rdr proto tcp from any to any port 1720 -> 127.0.0.1 port 1720

# Nmproxy specific rules. Note that the port number ranges look strange
# because of the way ranges are specified.
pass in proto tcp from any to 127.0.0.1 port 1720 flags S/SA keep state
pass in proto tcp from any to any port 10199><10210 flags S/SA keep state
pass in proto udp from any to any port 10199><10260</b></pre>
<p class="MsoNormal">Nothing too taxing there. Give the VM a reboot, and the changes made should take effect. We can now check that nmproxy is running and the firewall is letting connections through:</p>
<p class="MsoNormal"><b># telnet 168.1.1.1 1720</b></p>
<p class="MsoNormal">All is well, and the connection succeeded.</p>
<p class="MsoNormal">Now we need to clone the machine. Shut down and we will start.<br /><br />Select the <b>VM</b> menu and then <b>Clone...</b> to start the cloning wizard.</p>
<p class="MsoNormal">Most options can be left as default; when you get to the following screen, you must select Create a Full Clone:</p>
<p class="MsoNormal"><a href="i/tr/blog_img/1109_C.jpg"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_C.jpg" /><br /></a></p>The new clone can be called OpenBSD B; locate it wherever you like. You should now have something like this:
<p class="MsoNormal"><a href="i/tr/blog_img/1109_D.jpg"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_D.jpg" /><br /></a></p>
<p class="MsoNormal">Start up the new VM and we will change the configuration to make this system ready. I have decided to call my second firewall <i>GatewayB.testdomain.com</i>, the internal network address is 10.2.1.1, and the external one is 168.1.1.2. Ideally, we would re-generate the ssh keys, but I don't think this is necessary for a test system.</p>
<p class="MsoNormal">Files which need to be edited are:</p>
<p class="MsoNormal">/etc/hosts - Hostnames<br />
/etc/hostname.le1 - IP configuration of internal interface<br />
/etc/hostname.le2 - IP configuration of external interface<br />
/etc/nmproxy.conf - NMproxy configuration<br />
/etc/pf.conf - Firewall configuration (change IP details of networks)<br />
/etc/myname - The system hostname<br />
/etc/mygate - Default route/gateway</p>
<p class="MsoNormal">All of these files are self explanatory--nothing complex at all. After we have edited these files, a quick reboot will put everything into action.</p>
<p class="MsoNormal"><a href="i/tr/blog_img/1109_E.jpg"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_E.jpg" /><br /></a></p>
<p class="MsoNormal">Check that the interfaces have taken the new IP details:</p>
<p class="MsoNormal"><b># ifconfig -a</b></p>
<p class="MsoNormal">If your changes don't seem to have taken effect, check that you saved the files after editing!</p>
<p class="MsoNormal">If we start up the original VM, we should now be able to telnet into port 1720 of that machine to verify that we have communication between the two:</p>
<p class="MsoNormal"><a href="i/tr/blog_img/1109_F.jpg"><img alt="" src="http://techrepublic.com.com/i/tr/blog_img/1109_F.jpg" /><br /></a></p>
<p class="MsoNormal">That's all for now, next week we will finish this off by creating a team consisting of our two firewalls and two Windows XP VM's. We will also look at some of VMware's more advanced networking features and finally test nmproxy!</p>
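
The PF rules in the post above use pf's `><` operator, which excludes both boundary ports, so `10199><10210` opens 10200 to 10209. The script below is an added example, not part of the original post or of nmproxy; it expands each rule into the inclusive range it really opens, and the function names `pf_port_span`, `pf_port_matches` and `pf_audit` are hypothetical.

```shell
#!/bin/sh
# Added example: expand pf port operators into the inclusive range they open.
# pf.conf(5): "a:b" includes both boundaries, "a><b" excludes both.

# pf_port_span SPEC -> prints "LOW HIGH" (inclusive) for one pf port spec.
pf_port_span() {
    case "$1" in
        *'><'*)
            lo=${1%%'><'*}; hi=${1##*'><'}
            echo "$((lo + 1)) $((hi - 1))" ;;
        *:*)
            echo "${1%%:*} ${1##*:}" ;;
        *)
            echo "$1 $1" ;;
    esac
}

# pf_port_matches SPEC PORT -> exit status 0 if PORT falls inside SPEC.
pf_port_matches() {
    set -- $(pf_port_span "$1") "$2"
    [ "$3" -ge "$1" ] && [ "$3" -le "$2" ]
}

# pf_audit: read pf rules on stdin and print "ACTION PROTO LOW-HIGH COUNT"
# for every rule that names a port. The first "port" keyword in a rule is
# the match side; a later one (after "->") is the redirect target.
pf_audit() {
    while read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        proto='' spec='' prev=''
        set -f                      # rule words must not be glob-expanded
        for w in $line; do
            [ "$prev" = proto ] && proto=$w
            [ "$prev" = port ] && [ -z "$spec" ] && spec=$w
            prev=$w
        done
        set +f
        [ -n "$spec" ] || continue
        set -- ${line%% *} $(pf_port_span "$spec")
        echo "$1 $proto $2-$3 $(( $3 - $2 + 1 ))"
    done
}

# The rules quoted in the post, fed to the audit.
pf_audit <<'EOF'
# Redirect port 1720
rdr proto tcp from any to any port 1720 -> 127.0.0.1 port 1720
pass in proto tcp from any to 127.0.0.1 port 1720 flags S/SA keep state
pass in proto tcp from any to any port 10199><10210 flags S/SA keep state
pass in proto udp from any to any port 10199><10260
EOF
```

The same ranges can be written inclusively as `10200:10209` and `10200:10259`, which is easier to compare against a vendor's port list when reviewing a rule set.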


A fresh look at Linux

by Justin Fielding In reply to In my own words...

Over the last few years I have used Linux as my desktop
operating system on and off. This has
normally been in very short spells, I never found a distribution which I liked
enough to keep me from going back to Windows.
I tried <a href="http://www.opensuse.org/Welcome_to_openSUSE.org">SuSe</a>
(Their Enterprise Linux offering is great), I always seemed to get hung up with library files not
being found etc. <a href="http://fedoraproject.org/wiki/">Fedora</a> (previously RedHat) was pretty
good, that was back at version 2; I recently tried release 4 and had no end of
problems trying to configure my WiFi card, not so good. A few days ago a colleague of mine showed me <a href="http://www.ubuntu.com/">Ubuntu</a>, he couldn't say a bad word about it
so I have installed it myself. Installation
was fast and clean, the base system (which still includes major packages like OpenOffice,
Gimp etc) installs from one CD--additional software can be downloaded (including dependencies)
using the included package manager.
Despite the fact that my WiFi card is not natively supported by Linux,
an included tool allowed me to easily install the Windows driver (with ndiswrapper).


<p>So far I haven't got a bad word to say about it, let's see
how long that lasts!</p>


A fresh look at Linux

by jmgarvin In reply to A fresh look at Linix

What didn't work in Fedora with your wifi card that worked in
Ubuntu?  I'm just curious, because I like to track down Fedora
bugs for my students.


A fresh look at Linux

by Justin Fielding In reply to A fresh look at Linix

I tried both the Netgear WG511T and Proxim Orinoco Gold, both of which
use the MadWiFi drivers.  This was the 64bit FC4, I tried rpm's
and compiled from source but neither worked, the cards showed up as
wifi0, but iwconfig could not configure it.  After a few hours I
gave up and rebooted in to Windows (say what you like but at least it
works!) :)
