RE: Re: Request Spamhaus contact
> From: Jeffrey Lyon [mailto:jeffrey.l...@blacklotus.net]
> Sent: Tuesday, January 18, 2011 1:42 AM
>
> I fat fingered the netmask, try now.
>
> Thanks, Jeff

I don't think it is solved yet. The listed time is CET (GMT+1).

tmp@support:~$ wget -S www.vertrouwdeapotheek.nl
--2011-01-18 02:18:15--  http://www.vertrouwdeapotheek.nl/
Resolving www.vertrouwdeapotheek.nl... 208.64.120.197
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 301 Moved Permanently
  Cache-Control: private
  Content-Length: 0
  Location: http://www.vertrouwdeapotheek.nl/Home.aspx
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:17:50 GMT
  Connection: close
Location: http://www.vertrouwdeapotheek.nl/Home.aspx [following]
--2011-01-18 02:18:15--  http://www.vertrouwdeapotheek.nl/Home.aspx
Connecting to www.vertrouwdeapotheek.nl|208.64.120.197|:80... connected.
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Cache-Control: private
  Content-Length: 126007
  Content-Type: text/html; charset=utf-8
  Server: Microsoft-IIS/7.0
  X-AspNet-Version: 4.0.30319
  WL-Version: 2475.0
  Set-Cookie: ASP.NET_SessionId=olbzhbkanrerwwzqeoho22ws; path=/; HttpOnly
  X-Powered-By: ASP.NET
  Date: Tue, 18 Jan 2011 01:17:51 GMT
  Connection: close
Length: 126007 (123K) [text/html]
Saving to: `index.html'

100%[===>] 126,007     154K/s   in 0.8s

2011-01-18 02:18:17 (154 KB/s) - `index.html' saved [126007/126007]

I did check the content of index.html and it shows the page I expect at that domain. Giving a suspend page is also acceptable for me (or a page with a message that the site was removed). How difficult is it for you to nullroute it? For me (and probably for others) it is also acceptable if you put a firewall between them and the internet with the rule to DROP everything for that IP. I'm even prepared to give an example config (based on Debian 5) to drop the traffic for all IPs mentioned on this list and on the SBL.

How you do it isn't important for me, but please clean your network as far as possible with the given information (and by looking through your clients).

Regards, Mark
RE: Request Spamhaus contact
> -----Original Message-----
> From: Jeffrey Lyon [mailto:jeffrey.l...@blacklotus.net]
> Sent: Tuesday, January 18, 2011 1:58 AM
> To: TR Shaw
> Cc: nanog@nanog.org
> Subject: Re: Request Spamhaus contact
>
> TR,
>
> Again, it's been null routed. Customer has been served with notice.
> Unless you guys can help find some more related IP space I think the
> issue has been solved.
>
> Thanks, Jeff

Hello Jeffrey,

At least a few moments back (after receiving the message above) it was possible to get the page at www . vertrouwdeapotheek . nl at IP 208.64.120.197. Do you really know if it has been solved?

Regards, Mark
RE: Request Spamhaus contact
> From: jeffrey.l...@gmail.com [mailto:jeffrey.l...@gmail.com] On Behalf Of Jeffrey Lyon
> Sent: Tuesday, January 18, 2011 2:32 AM
>
> I've already stated that I'm having the server powered down. What else
> do you people want? Why not focus your energy on the providers who are
> NOT responding to complaints?
>
> Jeff

Actual action taken would be a nice idea. After the server is powered down, feel free to inform us about that fact. Don't say that you nullrouted something when we can see that that is a lie. If you need to wait for someone else, mention that it will be solved within XX hours and inform everyone when it is done. I (and probably others) would like to know when the nullroute will be in place or the server is taken down. Sometimes I also need some time to process something; in such cases I mention that it could take X hours or reply after it has been fixed.

Regards, Mark

PS.: If providers don't reply at all we have our own (internal) blacklist. If they reply and say that they'll fix it within a day we normally don't put them on the internal blacklist.
RE: Auto ACL blocker
> From: Larry Smith [mailto:lesm...@ecsis.net]
> Sent: Tuesday, January 18, 2011 8:32 PM
>
> On Tue January 18 2011 13:12, Brian R. Watters wrote:
> > We are looking for the following solution.
> >
> > Honey pot that collects attacks against SSH/FTP and so on
> >
> > Said attacks are then sent to a master ACL on an edge Cisco router to block
> > all traffic from these offenders ..
> >
> > Of course we would require a master whitelist as well as to not be blocked
> > from our own networks.
> >
> > Any current solutions or ideas ??
>
> Private BGP session with Zebra or Quagga on a linux box
> adding the selected IP to a null route.

As we currently do it by putting new rules automatically in firewalls (iptables), it should be easy to change it a little bit, I think. After the change it should be possible to put rules in Zebra/Quagga (or something similar based on Linux/Unix). As long as telnet access is available it should also be doable to put it automatically in routers without the need for a setup with BGP and Zebra/Quagga.

We are currently looking for ways to increase the list of "abusive" systems to block. If someone wants to work together with us on increasing the mentioned options, feel free to contact me offlist. How we get the data currently (from multiple sources) or how the process currently works isn't something I can mention here (at least not the details).

Regards, Mark
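As an added illustration of the honeypot-to-ACL pipeline discussed in this thread (this is example code written for this page, not Mark's internal tooling or anything from the original posts), the Python below parses constructed sshd log lines from a honeypot, counts failed logins per source, drops anything inside a master whitelist of our own networks, and then emits both the iptables/ip6tables DROP lines for a firewall and the Null0 discard routes an edge Cisco router would take over a scripted telnet/SSH session or a private BGP feed. The sample log, the whitelist prefixes, the threshold of three attempts and the chain name `HONEYPOT_BLOCK` are all assumptions of this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sshd log lines from a honeypot (not from the original post).
SAMPLE_LOG = """\
Jan 18 20:01:11 honeypot sshd[2311]: Failed password for root from 203.0.113.7 port 51234 ssh2
Jan 18 20:01:12 honeypot sshd[2311]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jan 18 20:01:14 honeypot sshd[2312]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Jan 18 20:02:03 honeypot sshd[2320]: Failed password for invalid user test from 198.51.100.22 port 40011 ssh2
Jan 18 20:02:40 honeypot sshd[2330]: Failed password for root from 192.0.2.9 port 3344 ssh2
Jan 18 20:02:41 honeypot sshd[2330]: Failed password for root from 192.0.2.9 port 3345 ssh2
Jan 18 20:02:42 honeypot sshd[2330]: Failed password for root from 192.0.2.9 port 3346 ssh2
Jan 18 20:02:50 honeypot sshd[2331]: Failed password for root from 2001:db8:bad::1 port 4444 ssh2
Jan 18 20:02:51 honeypot sshd[2331]: Failed password for root from 2001:db8:bad::1 port 4445 ssh2
Jan 18 20:02:52 honeypot sshd[2331]: Failed password for root from 2001:db8:bad::1 port 4446 ssh2
Jan 18 20:03:00 honeypot sshd[2340]: Accepted publickey for ops from 192.0.2.9 port 3350 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+")

# Assumed master whitelist: our own networks and management hosts, never blocked.
WHITELIST = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:1::/48")]
THRESHOLD = 3   # failed attempts before a source is blocked


def failed_logins(log_text):
    """Count failed-login attempts per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group(1))] += 1
        except ValueError:      # hostname or junk in the 'from' field; ignore it
            continue
    return counts


def is_whitelisted(ip, whitelist=WHITELIST):
    """True when the address falls inside any whitelisted prefix."""
    return any(ip in net for net in whitelist)


def offenders(log_text, threshold=THRESHOLD, whitelist=WHITELIST):
    """Sources at or above the threshold that are not whitelisted, as strings,
    IPv4 first and then IPv6, each in numeric order."""
    hits = [ip for ip, n in failed_logins(log_text).items()
            if n >= threshold and not is_whitelisted(ip, whitelist)]
    return [str(ip) for ip in sorted(hits, key=lambda ip: (ip.version, int(ip)))]


def iptables_commands(ips, chain="HONEYPOT_BLOCK"):
    """Firewall-side enforcement: one DROP per offender in a dedicated chain
    (the chain is assumed to be created and hooked into INPUT/FORWARD already)."""
    cmds = []
    for ip in ips:
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        cmds.append(f"{tool} -A {chain} -s {ip} -j DROP")
    return cmds


def cisco_commands(ips):
    """Router-side enforcement: host discard routes for the edge router."""
    cmds = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            cmds.append(f"ip route {ip} 255.255.255.255 Null0")
        else:
            cmds.append(f"ipv6 route {ip}/128 Null0")
    return cmds


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG)
    print("\n".join(iptables_commands(bad) + cisco_commands(bad)))
```

Note that 192.0.2.9 reaches the threshold but is never emitted because it sits inside the whitelist; that check has to happen before anything is pushed to the router, since a null route for one of your own addresses is the classic way an automatic blocker locks you out. Feeding the same list into Zebra/Quagga instead would just mean emitting `ip route ... Null0` in its configuration syntax and redistributing statics over the private BGP session.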
RE: Linux Centralized Administration
> Hey folks. just curious what people are using for automating updates to
> Linux boxes?
>
> Today, we manually do YUM updates to all the CentOS servers . just an
> example but a good one. I have heard there are some open source
> solutions similar to that of Red Hat Network?

We did create our own solution and are still expanding it. Currently we define what a server should look like on the servers themselves; we want to move that to the central system. This would make it easier to deploy extra servers (only entering a MAC address, selecting software and starting a server should be enough to auto-deploy it).

Our current solution is designed for Debian/Ubuntu, but should also work on other Linux distributions. A working copy might be available; please contact me offlist and I'll look at what I can do.

Kind regards, Mark
RE: Seeking Amazon EC2 abuse contact
Hello Erik,

Do you care to share the IP address? So everyone could update their firewalls to block the attacks? Even only blocking known SIP ports (5060) could be a good idea.

With kind regards,

Mark Scholten

> -----Original Message-----
> From: Erik L [mailto:erik_l...@caneris.com]
> Sent: Monday, April 12, 2010 3:05 PM
> To: Michael J McCafferty
> Cc: nanog@nanog.org
> Subject: RE: Seeking Amazon EC2 abuse contact
>
> Michael,
>
> I've received numerous off-list responses yesterday. Most of them were
> asking if I've made contact with anyone there as they were being
> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
> promised to forward my e-mail to them. I've also been reading the
> asterisk-users list where many have reported attacks from Amazon EC2 as
> well over the past few days.
>
> At one point we were seeing 197 SIP brute force attempts per second
> against a customer's box. The intensity in terms of bandwidth is low,
> but if you do the math, you can see that this isn't the point.
>
> This morning I received an e-mail from Amazon which was basically the
> same as the one you received. The attack is still on-going and I've
> still not made contact with a human at Amazon.
>
> Erik
>
> > -----Original Message-----
> > From: Michael J McCafferty [mailto:m...@m5computersecurity.com]
> > Sent: April 12, 2010 05:16
> > To: Erik L
> > Cc: nanog@nanog.org
> > Subject: Re: Seeking Amazon EC2 abuse contact
> >
> > Erik,
> > We have several customers being attacked from the same EC2 instance on
> > their network for 2 full days now. Contacted them at
> > ec2-ab...@amazon.com and 25 hours later received a message that
> > basically said, "Yep, we can confirm that a customer of ours is
> > attacking you but that's their fault. We sometimes do stuff, but not in
> > this case. Please don't block us, because the IP might be someone else
> > later. Have a nice day".
> > The telephone number in the WHOIS record goes to a general voicemail
> > box for their legal department.
> > A few of our customers who are being attacked by this same instance at
> > EC2 have also contacted Amazon, and were told essentially the same
> > thing.
> > While I appreciate that they sent a response, I do not appreciate its
> > uselessness.
> > Anyone over there at AWS that can do something willing to reply to me
> > directly?
> >
> > Thanks!
> > Mike
> >
> > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > > Could someone from Amazon EC2 please contact me off-list regarding an
> > > abuse issue from one of their IPs? Alternatively, could someone please
> > > send me the contact details of someone there?
> > >
> > > E-mailing the abuse e-mail listed in WHOIS per their instructions,
> > > including all pertinent data, results in an auto-reply indicating to
> > > use a form on their site. Submitting the form results in "There has
> > > been an error while submitting your data. Please try again later."
> > > Calling their supposed NOC (as per WHOIS) results in "You have reached
> > > the legal department at Amazon...please leave a message".
> > >
> > > Thanks
> >
> > --
> > Michael J. McCafferty
> > Principal
> > M5 Hosting
> > http://www.m5hosting.com
> >
> > You can have your own custom Dedicated Server up and running today !
> > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
RE: [Nanog] Re: IPv6 rDNS - how will it be done?
> -----Original Message-----
> From: David Conrad [mailto:d...@virtualized.org]
> Sent: Wednesday, April 28, 2010 3:01 AM
> To: Jason 'XenoPhage' Frisvold
> Cc: nanog@nanog.org
> Subject: Re: [Nanog] Re: IPv6 rDNS - how will it be done?
>
> On Apr 27, 2010, at 5:47 PM, Jason 'XenoPhage' Frisvold wrote:
> > On Apr 27, 2010, at 8:42 PM, Mark Andrews wrote:
> >> Windows will just populate the reverse zone as needed, if you let
> >> it, using dynamic update. If you have properly deployed BCP 39
> >> and have anti-spoofing ingress filtering then you can just let any
> >> address from the /48 add/remove PTR records. Other OS's will
> >> follow suit.
> >
> > Is DDNS really considered to be the end-all answer for this?
>
> Seems it is that or not bothering with reverse anymore.
>
> > It seems we're putting an awful lot of trust in the user when doing
> > this.. I'd rather see some sort of macro expansion in bind/tinydns/etc
> > that would allow a range of addresses to be added.
>
> Hmm. A macro expansion for a /48 would mean
> 1,208,925,819,614,629,174,706,176 leaves. An interesting stress test
> for name servers... :-).

With Lua scripting and PowerDNS you could create a reverse DNS/forward DNS based on the input and match it (IP or hostname). This could be really dynamic and, with some caching, it should also be fast. Checking what IPv6 addresses are in use and providing them with rDNS is also an option of course (but I think that will consume more power/bandwidth/etc. in the long term).

> Slightly more seriously, there have been discussions in the past about
> doing dynamic synthesis of v6 reverses, but that gets icky
> (particularly if you invoke the dreaded "DNSSEC" curse) and I don't
> know any production server that actually does this now. Dynamic DNS is
> probably the least offensive solution if you really want reverses for
> your v6 nodes.

As long as you don't use DNSSEC the option above is possible, but with DNSSEC many options will fail, I think. Completely dynamic based on the request of a client isn't an option if you ask me (or do we want .local addresses in the rDNS?).

> Regards,
> -drc
RE: DNS performance...
> -----Original Message-----
> From: Donald Eastlake [mailto:d3e...@gmail.com]
> Sent: Wednesday, May 05, 2010 4:41 PM
> To: nanog@nanog.org
> Subject: DNS performance...
>
> Hi,
>
> There are a large number of DNS servers available. See for example
> http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software
>
> Does anyone know of good performance comparisons, especially for high
> end applications with lots of data/zones and/or high query/update
> rates?

One of the links below should have information about this:
- http://tin2.nixcartel.org/~devdas/presentation/dns-scalability.pdf
- http://tin2.nixcartel.org/~devdas/presentation/dnsdb.pdf

Please note these reports were not created by me.

Regards, Mark

> Thanks,
> Donald
> =
> Donald E. Eastlake 3rd +1-508-333-2270 (cell)
> 155 Beaver Street
> Milford, MA 01757 USA
> d3e...@gmail.com
RE: DNS question, null MX records
Hello,

You could use:

local.example.com.   IN  A   127.0.0.1
example.com.         IN  MX  10 local.example.com.

This way systems shouldn't deliver it at your system. What you did mention is something we don't allow our customers to do (if I am correct).

With kind regards,

Mark Scholten

-----Original Message-----
From: Eric J Esslinger [mailto:eesslin...@fpu-tn.com]
Sent: Tuesday, December 15, 2009 16:18
To: 'nanog@nanog.org'
Subject: DNS question, null MX records

I have a domain that exists solely to CNAME A records to another domain's websites. There is no MX server for that domain, there is no valid mail sent as from that domain. However when I hooked it up I immediately started getting bounces and spam traffic attempting to connect to the CNAMEd A record, which has no inbound mail server (it's actually hitting the firewall in front of it). (The domain name is actually several years old and has been sitting without DNS for a while.)

I found a reference to a null MX proposal, constructed so:

example.com    IN    MX    0 .

Question: Is this a valid DNS construct or did the proposal die? I don't want to cause people problems but at the same time, I don't want any of this crap to even attempt to deliver on this domain to any of my servers.

__
Eric Esslinger
Information Services Manager - Fayetteville Public Utilities
http://www.fpu-tn.com/
(931)433-1522 ext 165

This message may contain confidential and/or proprietary information and is intended for the person/entity to whom it was originally addressed. Any use by others is strictly prohibited.
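The null MX construct in the question and the loopback-MX workaround in the reply, as an added Python example of how a sending MTA's lookup logic can treat each (this is illustrative code written for this page, not from either poster; the RRsets and addresses are constructed, and `mail_delivery_plan`, its action names and the `A_RECORDS` table are assumptions of the example). It separates the RFC 7505 null MX, a single `MX 0 .`, which a sender can treat as a permanent refusal without ever opening a connection, from an MX whose exchange resolves only to loopback, which a sender that does not check the address would still try to connect to, and from the no-MX case, where RFC 5321 tells the sender to fall back to the domain's own address record (which is exactly why the CNAMEd host in the question was receiving connection attempts):

```python
import ipaddress

# Constructed sample RRsets (not from the original post). An MX RRset is a list
# of (preference, exchange) tuples; A_RECORDS maps an exchange to its addresses.
NULL_MX = [(0, ".")]                                   # example.com. IN MX 0 .
LOOPBACK_MX = [(10, "local.example.com.")]             # MX whose target is 127.0.0.1
NORMAL_MX = [(20, "mx2.example.org."), (10, "mx1.example.org.")]
NO_MX = []                                             # domain with no MX at all

A_RECORDS = {
    "local.example.com.": ["127.0.0.1"],
    "mx1.example.org.": ["192.0.2.25"],
    "mx2.example.org.": ["198.51.100.25"],
    "example.net.": ["203.0.113.80"],   # the web host behind a CNAME-only domain
}


def is_null_mx(mx_rrset):
    """RFC 7505 null MX: exactly one MX record, preference 0, exchange '.'."""
    return len(mx_rrset) == 1 and mx_rrset[0][0] == 0 and mx_rrset[0][1] == "."


def usable_addresses(exchange, a_records=A_RECORDS):
    """Addresses of an exchange that a remote MTA could actually reach; loopback,
    unspecified and link-local targets are dropped before any connection attempt."""
    good = []
    for addr in a_records.get(exchange, []):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified or ip.is_link_local:
            continue
        good.append(ip)
    return good


def mail_delivery_plan(domain, mx_rrset, a_records=A_RECORDS):
    """Decide what a sending MTA should do with mail for `domain`.

    Returns (action, targets) where action is one of:
      'reject'     null MX, the domain declares it accepts no mail (permanent error)
      'implicit'   no MX at all, RFC 5321 implicit MX: try the domain's own A/AAAA
      'unroutable' MX records exist but no exchange has a reachable address
      'deliver'    try the listed exchanges in preference order
    """
    if is_null_mx(mx_rrset):
        return "reject", []
    if not mx_rrset:
        return "implicit", [domain]
    targets = [exchange for _pref, exchange in sorted(mx_rrset)
               if usable_addresses(exchange, a_records)]
    if not targets:
        return "unroutable", []
    return "deliver", targets


if __name__ == "__main__":
    for name, rrset in [("example.com.", NULL_MX), ("example.com.", LOOPBACK_MX),
                        ("example.org.", NORMAL_MX), ("example.net.", NO_MX)]:
        print(name, rrset, "->", mail_delivery_plan(name, rrset))
```

The `implicit` branch is the one to keep in mind when a domain has no MX at all: senders will go after whatever the A record points to, so "no MX" is not the same as "no mail". The `unroutable` branch shows what the loopback-MX workaround depends on: a sender that skips the address check will connect to itself and queue or bounce, which is why senders that implement RFC 7505 handle the null MX form more cleanly.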
RE: Arrogant RBL list maintainers
> -----Original Message-----
> From: Michelle Sullivan [mailto:matt...@sorbs.net]
> Sent: Wednesday, December 16, 2009 6:09 PM
> To: nanog@nanog.org
> Subject: Re: Arrogant RBL list maintainers
>
> Please reply to the list, not me and the list!
>
> Sven Olaf Kamphuis wrote:
> > thing is that it's illegal to maintain a database with "personal details"
> > which ip addresses according to various german courts are (don't ask..
> > mmk? ;) of course we all know ip addresses identify nodes on a network, not
> > persons, but the germans seem to maintain a different view on this,
> > despite us isps being the owners of the internet and not the german
> > government ;).
> >
> > therefore we are not even -allowed- to cooperate with trend micro *grin*
> >
> > sometimes laws really come in handy you know ;)
>
> Based on what you say there, then the RIPE whois database cannot contain
> the information either because it too would be maintaining a database of
> "personal details"...

As you probably know, RIPE is located in the Netherlands and follows Dutch law and not German law (however they are very similar). Publishing persons (done by RIPE in the whois database) is something that could be changed in the future (if I look at the current law in the Netherlands, and SIDN did change the policy about whois information).

> Love to hear the legal battle on that one!
>
> Michelle
SORBS contact
Hello,

I did try to reach someone at SORBS using their contact forms on the website. Somehow no action was taken and I also didn't get a response. Could someone from SORBS contact me? I need an issue to be resolved.

With kind regards,

Mark Scholten
SinnerG BV
RE: ip address management
Hello,

I am also working on creating an IP address management tool (including changing rDNS); of course it should work with IPv4 and IPv6. If someone is interested in it, please mail me (so I know I have to inform him/her when I release it). If there are certain features that I should include and that are not listed, please also inform me about it (by email or via the forum on mscholten.eu).

Features I have now on my list:
- IPv4 support (including ranges, like a /29)
- IPv6 support (including ranges, like a /64)
- Multi user support (admin - user level 3 - user level 2 - user level 1); a user can create users on lower levels to edit how IPs are assigned from their ranges to their customers (nice for companies with resellers!); of course you could also only create level 1 users.
- Multi language support (with language files to translate)
- Change rDNS (based on changing PTR records in a MySQL database that could be used by PowerDNS; a script will be provided to convert the MySQL database to BIND files)

Current requirements (to host it; this is what I use to test it, other specs may also work):
- To use the rDNS: PowerDNS or BIND nameservers
- PHP5 (with the MySQLi extension and the PEAR packages Net_IPv4 and Net_IPv6)
- MySQL 5
- The option to create a cron job if you want to convert the database to a BIND file

The planned release date for the first version is this month.

With kind regards,

Mark Scholten
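As an added example of the reverse-DNS plumbing behind the rDNS feature above and behind the PowerDNS/Lua synthesis idea in the IPv6 rDNS thread earlier on this page (this is illustrative Python written for this page, not code from the announced tool or from any poster): it computes in-addr.arpa and ip6.arpa owner names, the reverse zone apex for a prefix, a deterministic generic hostname of the kind a PowerDNS Lua backend could compute per query for a /64 instead of storing every leaf, rows for a PowerDNS-style `records` table for a small customer range such as a /29, and the conversion of those rows into BIND zone-file lines. The naming scheme, `example.net`, the TTL and the 4096-address enumeration limit are assumptions of this example.

```python
import ipaddress


def reverse_name(ip):
    """PTR owner name for one address: reversed octets under in-addr.arpa for
    IPv4, the 32 hex nibbles reversed under ip6.arpa for IPv6."""
    ip = ipaddress.ip_address(ip)
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")          # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def reverse_zone(network):
    """Zone apex holding the PTRs for a prefix. IPv4 needs an octet-aligned
    prefix (/8, /16, /24; anything else is RFC 2317 territory), IPv6 a
    nibble-aligned one."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError("IPv4 reverse zones need an octet-aligned prefix")
        octets = net.network_address.exploded.split(".")[: net.prefixlen // 8]
        return ".".join(reversed(octets)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError("IPv6 reverse zones need a nibble-aligned prefix")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def synthesized_hostname(ip, domain):
    """Generic name derived from the address alone (assumed scheme), e.g.
    203-0-113-9.example.net or 20010db8...0001.example.net. Because it is a pure
    function of the address, a Lua backend can answer PTR queries for a whole
    /64 without a database row per address, and the matching forward AAAA/A can
    be derived the same way so forward and reverse always agree."""
    ip = ipaddress.ip_address(ip)
    label = ip.exploded.replace(".", "-") if ip.version == 4 else ip.exploded.replace(":", "")
    return f"{label}.{domain}"


def ptr_records(network, domain, ttl=3600, limit=4096):
    """Rows (name, type, content, ttl) for a PowerDNS-style records table,
    for a range small enough to enumerate (a customer /29, say). Refuses
    anything larger so nobody tries to materialise a /64."""
    net = ipaddress.ip_network(network, strict=True)
    if net.num_addresses > limit:
        raise ValueError(f"{network} has {net.num_addresses} addresses; synthesize instead")
    return [(reverse_name(ip), "PTR", synthesized_hostname(ip, domain), ttl) for ip in net]


def bind_zone_lines(records, zone):
    """Turn table rows into BIND zone-file lines relative to `zone`, with the
    PTR target made absolute (trailing dot) as BIND requires."""
    suffix = "." + zone
    lines = []
    for name, rtype, content, ttl in records:
        if not name.endswith(suffix):
            raise ValueError(f"{name} is not inside {zone}")
        lines.append(f"{name[:-len(suffix)]}\t{ttl}\tIN\t{rtype}\t{content}.")
    return lines


if __name__ == "__main__":
    rows = ptr_records("203.0.113.8/29", "example.net")
    print("\n".join(bind_zone_lines(rows, reverse_zone("203.0.113.0/24"))))
    print(reverse_name("2001:db8::1"), "->", synthesized_hostname("2001:db8::1", "example.net"))
```

The two paths are deliberately different: small, delegated customer ranges become stored rows (and the BIND export), while a /64 is only ever answered by computing `synthesized_hostname` from the queried name. The check in `bind_zone_lines` that every owner name actually lies inside the zone is what stops a mis-entered range from producing records for someone else's address space.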
RE: in-addr.arpa server problems for europe?
> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
> Sent: Monday, February 15, 2010 12:58 PM
> To: Michelle Sullivan
> Cc: NANOG list
> Subject: Re: in-addr.arpa server problems for europe?
>
> On Mon, Feb 15, 2010 at 10:22:17AM +0100,
> Michelle Sullivan wrote
> a message of 185 lines which said:
>
> > 213.in-addr.arpa. 86400 IN NS NS-PRI.RIPE.NET.
> > 213.in-addr.arpa. 86400 IN NS NS3.NIC.FR.
> > 213.in-addr.arpa. 86400 IN NS SUNIC.SUNET.SE.
> > 213.in-addr.arpa. 86400 IN NS SNS-PB.ISC.ORG.
> > 213.in-addr.arpa. 86400 IN NS SEC1.APNIC.NET.
> > 213.in-addr.arpa. 86400 IN NS SEC3.APNIC.NET.
> > 213.in-addr.arpa. 86400 IN NS TINNIE.ARIN.NET.
> > ;; Received 224 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET) in 20011 ms
> >
> > ;; connection timed out; no servers could be reached
>
> It is highly improbable that all these name servers are unreachable
> from you. Therefore, I suspect that *content* is the issue. RIPE-NCC
> zones are signed with DNSSEC. Are you sure you do not have a broken
> middlebox which deletes DNSSEC-signed answers?
>
> (I tried from an US/Datotel/Level3 machine and everything works.)

Solution: stop using DNSSEC or checking for DNSSEC. If you think it is useful: look for everything that could have an impact on it.
RE: in-addr.arpa server problems for europe?
> -----Original Message-----
> From: Stephane Bortzmeyer [mailto:bortzme...@nic.fr]
> Sent: Monday, February 15, 2010 2:01 PM
> To: Mark Scholten
> Cc: nanog@nanog.org
> Subject: Re: in-addr.arpa server problems for europe?
>
> On Mon, Feb 15, 2010 at 01:12:55PM +0100,
> Mark Scholten wrote
> a message of 36 lines which said:
>
> > Solution: stop using DNSSEC or checking for DNSSEC.
>
> In 2010, it is a bit backward...

I've seen problems that are only there because of DNSSEC, so if there is a problem, starting by trying to disable DNSSEC could be a good idea. As long as not all root zones are signed I don't see a good reason to use DNSSEC at the moment.
RE: in-addr.arpa server problems for europe?
> -----Original Message-----
> From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
> Sent: Monday, February 15, 2010 6:21 PM
> To: Mark Scholten
> Cc: nanog@nanog.org
> Subject: RE: in-addr.arpa server problems for europe?
>
> On Mon, 15 Feb 2010, Mark Scholten wrote:
> >
> > I've seen problems that are only there because of DNSSEC, so if there is a
> > problem starting with trying to disable DNSSEC could be a good idea. As long
> > as not all rootzones are signed I don't see a good reason to use DNSSEC at
> > the moment.
>
> You realise that two of them are signed now and the rest will be signed by
> 1st July?
>
> Tony.

Yes, I realise that. I also realise that not all nameserver software can work as it should with DNSSEC. That is also a problem that has to be solved, and as far as I know all nameserver software we use supports it or will support it in the future. As long as it is not supported by all nameserver software you can keep having problems.
RE: in-addr.arpa server problems for europe?
> -----Original Message-----
> From: ma...@isc.org [mailto:ma...@isc.org]
> Sent: Tuesday, February 16, 2010 12:37 AM
> To: Mark Scholten
> Cc: 'Tony Finch'; nanog@nanog.org
> Subject: Re: in-addr.arpa server problems for europe?
>
> In message <017901caae69$5d9e8770$18db96...@nl>, "Mark Scholten" writes:
> >
> > > -----Original Message-----
> > > From: Tony Finch [mailto:fa...@hermes.cam.ac.uk] On Behalf Of Tony Finch
> > > Sent: Monday, February 15, 2010 6:21 PM
> > > To: Mark Scholten
> > > Cc: nanog@nanog.org
> > > Subject: RE: in-addr.arpa server problems for europe?
> > >
> > > On Mon, 15 Feb 2010, Mark Scholten wrote:
> > > >
> > > > I've seen problems that are only there because of DNSSEC, so if there is a
> > > > problem starting with trying to disable DNSSEC could be a good idea. As long
> > > > as not all rootzones are signed I don't see a good reason to use DNSSEC at
> > > > the moment.
> > >
> > > You realise that two of them are signed now and the rest will be signed by
> > > 1st July?
> > >
> > > Tony.
> >
> > Yes, I realise that. I also realise that not all nameserver software can
> > work as it work with DNSSEC. That is also a problem that has to be solved
> > and for as far as I know all nameserver software we use support it or will
> > support it in the future. As long as it is not supported by all nameserver
> > software you can keep problems.
>
> Nameservers that are not DNSSEC aware will not get responses that
> contain DNSSEC records unless a client explicitly requests a DNSSEC
> record type or make a * (ANY) request.
>
> There is no problem to solve. Just a lot of misunderstanding.
>
> That said the majority of nameservers on the planet are DNSSEC aware
> and will request the DNSSEC record to be returned. They will also
> fall back to plain DNS if middleware blocks the response.

As you've understood, I need to read something extra about DNSSEC support. Most things I know about DNSSEC are based on my contacts with software writers that create nameservers and system administrators maintaining multiple nameservers.

So if I understand it correctly: if a resolver requests DNSSEC information (together with, for example, www.domain.tld) and one resolver before the AUTH nameserver doesn't have DNSSEC, it won't ask/require DNSSEC? In that case man-in-the-middle attacks are still possible. Also note that a provider might have multiple resolvers, with some using/able to provide DNSSEC and others without DNSSEC support.

Mark
RE: Email Portability Approved by Knesset Committee
> -----Original Message-----
> From: Barry Shein [mailto:b...@world.std.com]
> Sent: Tuesday, February 23, 2010 7:55 AM
> To: John Levine
> Cc: nanog@nanog.org
> Subject: Re: Email Portability Approved by Knesset Committee
>
> > >My initial reaction: Does the law in any way imply this mail address
> > >has to be provided for free?
> >
> > If you had spent 10 seconds with Google Translate on the URL in Gadi's
> > message, you'd already know.
>
> (gosh that only took 12 hours to suggest)
>
> Obviously we're discussing a legal and regulatory system most of us
> here are unfamiliar with, there may be other considerations.
>
> But in the USofA a law like this would raise some serious trademark
> issues.
>
> When you manage a valuable trademark your lawyer lectures you about
> how a trademark has to represent a particular product of a particular
> quality or else a court can deem it invalid or even fraudulent.
>
> There are only two ways this sort of law is likely to be implemented:
>
> a) The original ISP continues to provide email for that address.
>
> b) Some other ISP provides that service.
>
> I suppose a third way, via a third party, is possible but I don't
> think that defuses the trademark issue.
>
> The exact mechanics are a different discussion.
>
> Since the first ISP is no longer being paid the practical solution
> seems to be (b), the original ISP cooperates and hands over service to
> the new provider somehow.
>
> But how can the original ISP be assured that email going out under
> what appears to be their mark (consider x...@aol.com or x...@msn.com)
> represents their product in any way the law requires?

And now think about it with SPF records (and checks for SPF records). All outgoing mail should also go via the OLD provider. Including domain names (for email) would be the solution for this. In other cases only (a) seems to be available. Maybe a payment between the old and new provider is the solution for it. How to do this if the old provider is stopping? It is a realistic possibility that they stop.

> It would be a conflict and a potential dilution of one's mark.
>
> Particularly, as others have suggested, if that product implies
> availability, spam filtering, support, storage, recovery in the event
> of lost storage, TOS, etc.

Just mention that this law is above the other law regarding trademarks and you will need to follow this law. What if a domain gets listed because a new provider doesn't use a spam filter on outgoing messages; how does the old provider get delisted? Some lists might be based on the From header in emails.

> In contrast, a phone number has no such trademark implications for the
> provider, one generally doesn't say "oh, 555-555-1234, an AT&T phone
> number!" Perhaps it's possible to know this, but it's not common
> knowledge, it doesn't generally represent the public's view of the
> AT&T mark.
>
> I don't think the law would be workable in the US.
>
> I'd be surprised if the law doesn't run into similar problems in
> Israel.

Regards, Mark
RE: SNMP, Static NAT and management systems including servers midwear and applications
Hi Bobby,

Can your monitoring system use other ports (per host) for SNMP? In that case you could use port forwarding (and up to 60,000 hosts this should be fine); with static NAT this would be a good option, I guess.

With kind regards,

Mark Scholten

> -----Original Message-----
> From: Bobby Mac [mailto:bobby...@gmail.com]
> Sent: Wednesday, March 03, 2010 2:37 AM
> To: nanog@nanog.org
> Subject: SNMP, Static NAT and management systems including servers midwear and applications
>
> Hi All:
>
> I have been asked to extend the capabilities of my current monitoring and
> management system to another division of the company. All IP space is
> RFC1918 with no public routed space in the mix. Needless to say, and
> rightfully so, the network folks won't allow me to directly attach my
> management network to theirs.
>
> I use SNMP for system level monitoring for all servers via agents on the
> servers (WIN and NIX). Static NAT will be put into place but it breaks my
> SNMP gets used by the NOC to validate CPU, disk util etc. In a quick test
> NAT on my own network was set up and I can receive traps and parse them fine
> even with the NAT as the current trap receiver and visualization can handle
> incoming traps and NAT. I can see system IP and peer IP fulfilling the two
> sides. I know I can create a simple ALG via an Apache server with Perl to
> execute the SNMP get on the foreign network. NOC folks can see data and
> import it into the ticket (no blind escalations).
>
> My question is how have others handled SNMP and static NATs without a ground
> up re-architecture. I don't want to bring in new protocols and change my
> systems as they are today due to the heavy integration with provisioning,
> work flow and process flows. They have worked well to date besides the huge
> sunk $ investment in software and integration.
>
> I have been looking for a complex ALG but there doesn't seem to be much out
> there and I would rather not manipulate the payload, but map it correctly.
> Any suggestions?
>
> -Bob
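As an added example of the per-host port-forwarding idea in the reply above (illustrative Python written for this page, not code from either poster; the host inventory, the NAT box's outside address, the monitoring system's address, the port range and the helper names are all assumptions), this script gives each inside host its own outside UDP port, emits the iptables DNAT rules for the NAT box, and produces the transport strings the poller uses instead of host:161. The payload is never touched, only the addressing is mapped, and both the DNAT and the FORWARD rules are restricted to the monitoring system's source address so the forwarded SNMP ports are not reachable from anywhere else:

```python
import ipaddress

# Constructed inventory (not from the original post): inside hosts behind the
# static NAT, the NAT box's outside address, and the monitoring system.
MONITORED_HOSTS = ["10.20.0.5", "10.20.0.6", "10.20.1.17", "172.16.4.2"]
NAT_PUBLIC_IP = "192.0.2.10"     # assumed outside address of the NAT box
MONITOR_IP = "198.51.100.40"     # assumed address of the monitoring system
FIRST_PORT = 10161               # assumed start of the forwarded port range
LAST_PORT = 65535


def allocate_ports(hosts, first_port=FIRST_PORT, last_port=LAST_PORT):
    """Give every inside host one stable outside UDP port, in address order.
    Sorting makes the map deterministic for a fixed inventory; once hosts are in
    production persist the map rather than recomputing it, because inserting a
    lower address would shift every later port. Raises when the inventory does
    not fit in the port range."""
    addrs = sorted({ipaddress.ip_address(h) for h in hosts}, key=int)
    if len(addrs) > last_port - first_port + 1:
        raise ValueError(f"{len(addrs)} hosts do not fit in udp ports {first_port}-{last_port}")
    return {str(a): first_port + i for i, a in enumerate(addrs)}


def dnat_rules(port_map, nat_ip=NAT_PUBLIC_IP, monitor_ip=MONITOR_IP, inside_port=161):
    """iptables rules for the NAT box: outside udp/<port> -> inside host udp/161,
    accepted only when the packet comes from the monitoring system. Replies are
    un-translated by conntrack, so no rule is needed for the return direction."""
    rules = []
    for host, port in sorted(port_map.items(), key=lambda kv: kv[1]):
        rules.append(
            f"iptables -t nat -A PREROUTING -s {monitor_ip} -d {nat_ip} -p udp --dport {port} "
            f"-j DNAT --to-destination {host}:{inside_port}")
        rules.append(
            f"iptables -A FORWARD -s {monitor_ip} -d {host} -p udp --dport {inside_port} -j ACCEPT")
    return rules


def snmp_targets(port_map, nat_ip=NAT_PUBLIC_IP):
    """Transport specs the poller uses instead of host:161, e.g.
    snmpget -v2c -c <community> udp:192.0.2.10:10163 sysName.0"""
    return {host: f"udp:{nat_ip}:{port}" for host, port in port_map.items()}


def host_for_target(target, port_map, nat_ip=NAT_PUBLIC_IP):
    """Reverse lookup for the NOC: which inside host does udp:<nat>:<port> reach?"""
    prefix = f"udp:{nat_ip}:"
    if not target.startswith(prefix):
        raise ValueError(f"{target} is not behind {nat_ip}")
    port = int(target[len(prefix):])
    for host, p in port_map.items():
        if p == port:
            return host
    raise KeyError(port)


if __name__ == "__main__":
    ports = allocate_ports(MONITORED_HOSTS)
    print("\n".join(dnat_rules(ports)))
    for host, target in sorted(snmp_targets(ports).items()):
        print(f"{host:15} -> {target}")
```

Because the agent on each inside host still sees the query arrive on udp/161 from the NAT box's inside address, the agents' own source restrictions (community ACLs, SNMPv3 users) keep working unchanged; only the poller's target list and the NAT box's rules are new. Traps travel the other way through ordinary source NAT, which is why they already worked in the quick test described in the question.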
RE: Need advise for a linux firewall
> -----Original Message-----
> From: Daniel Staal [mailto:dst...@usa.net]
> Sent: Friday, March 12, 2010 1:37 AM
> To: nanog@nanog.org
> Subject: Re: Need advise for a linux firewall
>
> --As of March 11, 2010 4:22:38 PM +, gordon b slater is alleged to have
> said:
>
> > One caveat for the current PFsense: traffic shaping in 1.2.3 release is
> > somewhat borked (1.2.2 works much better) and it doesn't work with more
> > than 2 interfaces, so 1 wan - 1 lan is OK.
>
> --As for the rest, it is mine.
>
> One more, given the other current thread going on at the moment: The
> current version of PFsense doesn't support IPv6 through the GUI. (The OS
> and PF support it, but you have to log in to a shell to configure it.)

That is why we use Debian with iptables (works great, easy to manage). Deploying anything now that doesn't fully support IPv6 is something I won't do unless there is no other option (and I strongly advise everyone else to be at least IPv6 ready).

> It's on their to-do list.
>
> Daniel T. Staal
>
> ---
> This email copyright the author. Unless otherwise noted, you
> are expressly allowed to retransmit, quote, or otherwise use
> the contents for non-commercial purposes. This copyright will
> expire 5 years after the author's death, or in 30 years,
> whichever is longer, unless such a period is in excess of
> local copyright law.
> ---

Sorry, legally I am allowed to do that by local laws.

Regards, Mark
RE: YouTube AS36561 began announcing 1.0.0.0/8
> -----Original Message-----
> From: Joe Greco [mailto:jgr...@ns.sol.net]
> Sent: Friday, March 12, 2010 10:53 PM
> To: Nathan
> Cc: nanog@nanog.org
> Subject: Re: YouTube AS36561 began announcing 1.0.0.0/8
>
> > There are sizable chunks that are fairly quiet (un-interesting
> > numbers, luck of the draw, etc). Given that its mostly
> > mis-configurations, laziness, ignorance, or poor planning... I suspect
> > the worst ranges will need to be sacrificed, and the remaining 80-90%
> > of the space used for legitimate allocations. Unfortunately, anyone
> > who accepts allocations in 1.x will need to be aware that they will
> > have a slightly lower quality address-space. Accepting 1.1.1.0/24,
> > for example, will land you with a continuous 50mbps of junk...
> > seemingly forever... and a respectable chance that some percentage of
> > the net will never reach you, due to their own misconfigurations.
>
> Practical solution:
>
> Move YouTube to 1.1.1.1, Google to 1.1.1.2, Yahoo! to 1.1.1.3, Facebook
> to 1.1.1.4, etc.

It is probably the best way to get 1.x free if it is used by big websites. However, I don't think that they will change it (to only use these IPs). I think they have an interest somewhere in not changing it...

> Maybe someone at YouTube was actually testing that strategy ;-)

I have something else where I would be happy to accept 1.1.1.0/24 for some time, just to try to get them to change settings. If someone wants information about it, feel free to contact me off list.

Regards, Mark
RE: Earthquakes
> -----Original Message-----
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Wednesday, March 24, 2010 11:48 PM
> To: Jeroen van Aart
> Cc: NANOG list
> Subject: Re: Earthquakes
>
> On Mar 24, 2010, at 3:32 PM, Jeroen van Aart wrote:
>
> > Owen DeLong wrote:
> >> I've been through more than one quake in the 5.2-5.5 range, so, perhaps they are
> >> rare in the Netherlands (6 million years or so), but, in California they are much more
> >> frequent, perhaps 5-7 years or so.
> >
> > Well, 6 million years was a "slight" exaggeration to get a point
> > across. The Netherlands doesn't really have any quakes due to
> > faultlines (there aren't any). But it does have the occasional quake
> > due to coal/gas mining. Where the ground compacts or something like it.
>
> LOL @ NL creating artificial earthquake faults because they're Jealous
> of California's natural seismic events. ;-)

Sorry for being jealous ;) At least we create them and in California they just happen.

Mark