(diagram: LIC topology: IBM PCs)
- introduction
- hardware and network
- OS
- applications
- packages
- /etc/network/interfaces
- /etc/udev/rules.d/70-persistent-net.rules
- /etc/resolv.conf
- /etc/iptables.up.rules
- /etc/network/if-pre-up.d/iptables
- /etc/apt/sources.list
- /etc/apt/apt.conf.d/10periodic
- /etc/apt/apt.conf.d/02proxy
- /etc/nut/upsmon.conf
- /etc/bacula/bacula-fd.conf
- /etc/exim4/update-exim4.conf.conf
- /etc/bind/db.planetlarg.com-external
- /etc/bind/db.planetlarg.com-internal
- /etc/bind/db.200-external
- /etc/bind/db.200-internal
- /etc/bind/db.192.168
- /etc/bind/named.conf.options
- /etc/bind/named.conf.local
- /etc/modprobe.d/arch/i386
- /etc/ha.d/haresources
- /etc/ha.d/authkeys
- /etc/ha.d/ha.cf
- /etc/ha.d/conf/ldirectord.cf
- /home/issalarg/.ssh/authorized_keys
- /var/www/infrastructure/host1
- /etc/aliases
- /etc/snmp/snmpd.conf
- /etc/default/snmpd
- /etc/nagios/nrpe_local.cfg
- /var/spool/cron/crontabs/root
introduction
The computer ifw01 is one of the firewalls in the LIC (Larg's Internet Cluster). Things specific to this host are listed below. The list is grouped by infrastructure layer.
Every host name in the LIC has five characters like this one.
(diagram: LIC topography of ifw01, showing the base unit, data interfaces and data cables)
(diagram: LIC topology of ifw01, showing PCs, switches and ethernet interfaces)
hardware and network
I buy ordinary PC hardware; ifw01 is a Dell OptiPlex GX260. Wikipedia (http://en.wikipedia.org/wiki/Dell_OptiPlex) gives this summary.
- Model: GX260
- Chipset: Intel 845G
- CPU: Pentium 4 or Celeron
- FSB: 400/533 MHz
- RAM type: DDR 200/266
- RAM speed: PC2700
- Chassis: SFF, SD, SMT
- Socket: 478
- Comments: PATA only, no SATA
- USB: USB 2.0 x6
ifw01:~# lshw
ifw01
description: Mini Tower Computer
product: OptiPlex GX260
vendor: Dell Computer Corporation
serial: 9CT5H0J
width: 32 bits
capabilities: smbios-2.3 dmi-2.3 smp-1.4 smp
configuration: administrator_password=enabled boot=normal chassis=mini-tower cpus=1 power-on_password=enabled uuid=44454C4C-4300-1054-8035-B9C04F48304A
*-core
description: Motherboard
vendor: Dell Computer Corp.
physical id: 0
serial: .. .
slot: PCI1
*-firmware
description: BIOS
vendor: Dell Computer Corporation
physical id: 0
version: A09 (11/01/2004)
size: 64KiB
capacity: 448KiB
capabilities: isa pci pnp apm upgrade shadowing escd cdboot bootselect edd int13floppytoshiba int5printscreen int9keyboard int14serial int17printer acpi usb agp ls120boot biosbootspecification netboot
*-cpu
description: CPU
product: Intel(R) Pentium(R) 4 CPU 1.80GHz
vendor: Intel Corp.
physical id: 400
bus info: cpu@0
version: 15.2.4
slot: Microprocessor
size: 1800MHz
capacity: 3060MHz
width: 32 bits
clock: 400MHz
capabilities: boot fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up pebs bts
configuration: id=0
*-cache:0
description: L1 cache
physical id: 700
size: 8KiB
capacity: 16KiB
capabilities: internal write-back data
*-cache:1
description: L2 cache
physical id: 701
size: 512KiB
capacity: 512KiB
capabilities: internal varies unified
*-memory
description: System Memory
physical id: 1000
slot: System board or motherboard
size: 256MiB
capacity: 1GiB
*-bank:0
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
physical id: 0
slot: DIMM_A
size: 256MiB
width: 64 bits
clock: 266MHz (3.8ns)
*-bank:1
description: DIMM SDRAM Synchronous 266 MHz (3.8 ns) [empty]
physical id: 1
slot: DIMM_B
width: 64 bits
clock: 266MHz (3.8ns)
*-pci
description: Host bridge
product: 82845G/GL[Brookdale-G]/GE/PE DRAM Controller/Host-Hub Interface
vendor: Intel Corporation
physical id: 100
bus info: pci@0000:00:00.0
version: 01
width: 32 bits
clock: 33MHz
configuration: driver=agpgart-intel module=intel_agp
*-display UNCLAIMED
description: VGA compatible controller
product: 82845G/GL[Brookdale-G]/GE Chipset Integrated Graphics Device
vendor: Intel Corporation
physical id: 2
bus info: pci@0000:00:02.0
version: 01
width: 32 bits
clock: 33MHz
capabilities: pm vga_controller bus_master cap_list
configuration: latency=0
*-usb:0
description: USB Controller
product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1
vendor: Intel Corporation
physical id: 1d
bus info: pci@0000:00:1d.0
version: 01
width: 32 bits
clock: 33MHz
capabilities: uhci bus_master
configuration: driver=uhci_hcd latency=0 module=uhci_hcd
*-usbhost
product: UHCI Host Controller
vendor: Linux 2.6.26-2-686 uhci_hcd
physical id: 1
bus info: usb@1
logical name: usb1
version: 2.06
capabilities: usb-1.10
configuration: driver=hub slots=2 speed=12.0MB/s
*-usb:1
description: USB Controller
product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2
vendor: Intel Corporation
physical id: 1d.1
bus info: pci@0000:00:1d.1
version: 01
width: 32 bits
clock: 33MHz
capabilities: uhci bus_master
configuration: driver=uhci_hcd latency=0 module=uhci_hcd
*-usbhost
product: UHCI Host Controller
vendor: Linux 2.6.26-2-686 uhci_hcd
physical id: 1
bus info: usb@2
logical name: usb2
version: 2.06
capabilities: usb-1.10
configuration: driver=hub slots=2 speed=12.0MB/s
*-usb:2
description: USB Controller
product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3
vendor: Intel Corporation
physical id: 1d.2
bus info: pci@0000:00:1d.2
version: 01
width: 32 bits
clock: 33MHz
capabilities: uhci bus_master
configuration: driver=uhci_hcd latency=0 module=uhci_hcd
*-usbhost
product: UHCI Host Controller
vendor: Linux 2.6.26-2-686 uhci_hcd
physical id: 1
bus info: usb@3
logical name: usb3
version: 2.06
capabilities: usb-1.10
configuration: driver=hub slots=2 speed=12.0MB/s
*-usb:3
description: USB Controller
product: 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller
vendor: Intel Corporation
physical id: 1d.7
bus info: pci@0000:00:1d.7
version: 01
width: 32 bits
clock: 33MHz
capabilities: pm debug ehci bus_master cap_list
configuration: driver=ehci_hcd latency=0 module=ehci_hcd
*-usbhost
product: EHCI Host Controller
vendor: Linux 2.6.26-2-686 ehci_hcd
physical id: 1
bus info: usb@4
logical name: usb4
version: 2.06
capabilities: usb-2.00
configuration: driver=hub slots=6 speed=480.0MB/s
*-pci
description: PCI bridge
product: 82801 PCI Bridge
vendor: Intel Corporation
physical id: 1e
bus info: pci@0000:00:1e.0
version: 81
width: 32 bits
clock: 33MHz
capabilities: pci normal_decode bus_master
*-network:0
description: Ethernet interface
product: RTL-8169 Gigabit Ethernet
vendor: Realtek Semiconductor Co., Ltd.
physical id: 7
bus info: pci@0000:01:07.0
logical name: eth1
version: 10
serial: 00:e0:4c:a9:34:42
size: 100MB/s
capacity: 1GB/s
width: 32 bits
clock: 66MHz
capabilities: pm bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.2LK-NAPI duplex=full ip=200.0.0.4 latency=64 link=yes maxlatency=64 mingnt=32 module=r8169 multicast=yes port=twisted pair speed=100MB/s
*-network:1
description: Ethernet interface
product: RTL-8139/8139C/8139C+
vendor: Realtek Semiconductor Co., Ltd.
physical id: 8
bus info: pci@0000:01:08.0
logical name: eth2
version: 10
serial: 00:0e:2e:cb:aa:ac
size: 100MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full latency=64 link=yes maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII slave=yes speed=100MB/s
*-network:2
description: Ethernet interface
product: RTL-8139/8139C/8139C+
vendor: Realtek Semiconductor Co., Ltd.
physical id: 9
bus info: pci@0000:01:09.0
logical name: eth3
version: 10
serial: 00:0e:2e:cb:aa:ac
size: 100MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full latency=64 link=yes maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII slave=yes speed=100MB/s
*-network:3 DISABLED
description: Ethernet interface
product: RTL-8139/8139C/8139C+
vendor: Realtek Semiconductor Co., Ltd.
physical id: a
bus info: pci@0000:01:0a.0
logical name: eth4
version: 10
serial: 00:0e:2e:cb:a5:70
size: 10MB/s
capacity: 100MB/s
width: 32 bits
clock: 33MHz
capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=half latency=64 link=no maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII speed=10MB/s
*-network:4
description: Ethernet interface
product: 82540EM Gigabit Ethernet Controller
vendor: Intel Corporation
physical id: c
bus info: pci@0000:01:0c.0
logical name: eth0
version: 02
serial: 00:08:74:0f:09:8a
size: 1GB/s
capacity: 1GB/s
width: 32 bits
clock: 66MHz
capabilities: pm pcix msi bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.20-k2-NAPI duplex=full firmware=N/A ip=192.168.80.5 latency=64 link=yes mingnt=255 module=e1000 multicast=yes port=twisted pair speed=1GB/s
*-isa
description: ISA bridge
product: 82801DB/DBL (ICH4/ICH4-L) LPC Interface Bridge
vendor: Intel Corporation
physical id: 1f
bus info: pci@0000:00:1f.0
version: 01
width: 32 bits
clock: 33MHz
capabilities: isa bus_master
configuration: latency=0
*-ide
description: IDE interface
product: 82801DB (ICH4) IDE Controller
vendor: Intel Corporation
physical id: 1f.1
bus info: pci@0000:00:1f.1
version: 01
width: 32 bits
clock: 33MHz
capabilities: ide bus_master
configuration: driver=PIIX_IDE latency=0 module=piix
*-ide:0
description: IDE Channel 0
physical id: 0
bus info: ide@0
logical name: ide0
clock: 33MHz
*-disk
description: ATA Disk
product: MAXTOR 6L020J1
vendor: Maxtor
physical id: 0
bus info: ide@0.0
logical name: /dev/hda
version: A93.0500
serial: 661219811062
size: 19GiB (20GB)
capacity: 19GiB (20GB)
capabilities: ata dma lba iordy smart security pm partitioned partitioned:dos
configuration: mode=udma5 signature=9dc96e9e smart=on
*-volume:0
description: EXT3 volume
vendor: Linux
physical id: 1
bus info: ide@0.0,1
logical name: /dev/hda1
logical name: /
version: 1.0
serial: 985471e3-9a74-4d84-96a2-6b37a3c0d31c
size: 18GiB
capacity: 18GiB
capabilities: primary bootable journaled extended_attributes large_files huge_files recover ext3 ext2 initialized
configuration: created=2010-09-20 10:12:51 filesystem=ext3 modified=2011-01-31 13:18:56 mount.fstype=ext3 mount.options=rw,errors=remount-ro,data=ordered mounted=2011-01-31 13:18:56 state=mounted
*-volume:1
description: Extended partition
physical id: 2
bus info: ide@0.0,2
logical name: /dev/hda2
size: 729MiB
capacity: 729MiB
capabilities: primary extended partitioned partitioned:extended
*-logicalvolume
description: Linux swap / Solaris partition
physical id: 5
logical name: /dev/hda5
capacity: 729MiB
capabilities: nofs
*-ide:1
description: IDE Channel 1
physical id: 1
bus info: ide@1
logical name: ide1
clock: 33MHz
*-cdrom
description: IDE CD-ROM
product: GCR-8481B
physical id: 0
bus info: ide@1.0
logical name: /dev/hdc
version: 1.06
capabilities: packet atapi cdrom removable nonmagnetic dma lba iordy audio
configuration: mode=udma2 status=nodisc
*-serial
description: SMBus
product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller
vendor: Intel Corporation
physical id: 1f.3
bus info: pci@0000:00:1f.3
version: 01
width: 32 bits
clock: 33MHz
configuration: driver=i801_smbus latency=0 module=i2c_i801
*-multimedia
description: Multimedia audio controller
product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller
vendor: Intel Corporation
physical id: 1f.5
bus info: pci@0000:00:1f.5
version: 01
width: 32 bits
clock: 33MHz
capabilities: pm bus_master cap_list
configuration: driver=Intel ICH latency=0 module=snd_intel8x0
*-network:0
description: Ethernet interface
physical id: 1
logical name: bond0
serial: 00:0e:2e:cb:aa:ac
capabilities: ethernet physical
configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 ip=192.168.0.2 master=yes multicast=yes
*-network:1 DISABLED
description: Ethernet interface
physical id: 2
logical name: bond1
capabilities: ethernet physical
configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 master=yes multicast=yes
*-network:2 DISABLED
description: Ethernet interface
physical id: 3
logical name: bond2
capabilities: ethernet physical
configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 master=yes multicast=yes
ifw01:~#
network cables
Four network cables connect ifw01 to the networks. Three of them lead from ifw01 into the LIC (Larg's Internet Cluster), providing HA and traffic separation.
Different network cable colours show which one is which.
- One red cable connects this computer to the Internet, via xcl01.
- Another red cable carries business traffic to the LIC, via ces01.
- One blue cable carries business traffic to the LIC, via ces02.
- One grey cable carries administration traffic to the LIC, via ces03.
network interfaces
I follow this procedure for a different host: add NICs (Network Interface Cards) to xcl01.
LIC table: ifw01 network interfaces
| computer | interface | description | IP address | netmask |
|---|---|---|---|---|
| ifw01 | eth1 | to the Internet via xcl01 (only for testing) | 200.0.0.4 | 255.255.255.224 |
| ifw01 | eth2 | biz01 Internet DMZ, via ces01 | 192.168.0.3 | 255.255.248.0 |
| ifw01 | eth3 | biz02 Internet DMZ, via ces02 | 192.168.40.2 | 255.255.248.0 |
| ifw01 | bond0 | ethernet bonding for eth2 and eth3 | 192.168.0.2 | 255.255.192.0 |
| ifw01 | eth0 | adm01, via ces03 | 192.168.80.5 | 255.255.248.0 |
| (ifw01 or ifw02) | eth0:0 | web site 1 | 200.0.0.10 | 255.255.255.224 |
| (ifw01 or ifw02) | eth0:1 | web site 2 | 200.0.0.11 | 255.255.255.224 |
| (ifw01 or ifw02) | eth0:2 | web site 3 | 200.0.0.12 | 255.255.255.224 |
OS
All the IBM PCs (Personal Computers) in the LIC (Larg's Internet Cluster) run the Debian distribution.
applications
Almost all the applications in the LIC (Larg's Internet Cluster) are from the Debian distribution.
packages
I want to remove Gnome NetworkManager on xcl01.
apt-get remove network-manager
I install packages to make testing easier.
apt-get install tcpdump lynx screen
I install packages to provide services.
apt-get install bind9 heartbeat ifenslave ipvsadm \
ldirectord ntp nut openssh-server \
setserial sysv-rc-conf
/etc/network/interfaces
I add static IP addresses to ifw01.
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
#
# adm01 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
#
allow-auto eth0
iface eth0 inet static
address 192.168.80.5
netmask 255.255.248.0
#
# Internet
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/na...
#
allow-auto eth1
iface eth1 inet static
address 200.0.0.4
netmask 255.255.255.224
gateway 200.0.0.1
#
# biz01 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
#
allow-auto eth2
iface eth2 inet static
address 192.168.0.3
netmask 255.255.248.0
#
# biz02 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
#
allow-auto eth3
iface eth3 inet static
address 192.168.40.2
netmask 255.255.248.0
#
# bond the biz networks
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-firewalls/bo...
#
allow-auto bond0
iface bond0 inet static
pre-up modprobe bonding
address 192.168.0.2
netmask 255.255.248.0
up ifenslave bond0 eth2 eth3
down ifenslave -d bond0 eth2 eth3
#
# interfaces controlled by heartbeat
# not sure these should be here.
# I am having some odd poweron effects which this may solve.
#
# biz network gateway
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-high-availab...
#
allow-auto bond0:0
iface bond0:0 inet static
address 192.168.0.1
netmask 255.255.248.0
#
#
allow-auto eth0:0
iface eth0:0 inet static
address 192.168.80.7
netmask 255.255.248.0
#
# biz network gateway
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-high-availab...
#
allow-auto eth1:0
iface eth1:0 inet static
address 200.0.0.10
netmask 255.255.255.224
#
/etc/udev/rules.d/70-persistent-net.rules
I match interfaces with labels on xcl01.
# This file was automatically generated by the /lib/udev/write_net_rules
# program run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:08:74:0f:09:8a", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x10ec:0x8169 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:a9:34:42", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:aa:ac", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"
# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:ac:e2", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"
# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:a5:70", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"
/etc/resolv.conf
domain planetlarg.com
search planetlarg.com
nameserver 200.0.0.1
/etc/iptables.up.rules
The configuration file for iptables and the netfilter firewall.
# Generated by iptables-save v1.4.2 on Tue Oct 12 17:38:41 2010
*filter
:INPUT DROP [88:6524]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3673:652247]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,11,143,80,465,995,993,443 -j ACCEPT
-A INPUT -s 200.0.0.1/32 -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o bond0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth3 -j ACCEPT
-A FORWARD -i bond0 -o eth1 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue Oct 12 17:38:41 2010
# Generated by iptables-save v1.4.2 on Tue Oct 12 17:38:41 2010
*nat
:PREROUTING ACCEPT [477:34909]
:POSTROUTING ACCEPT [103:8276]
:OUTPUT ACCEPT [474:35624]
-A POSTROUTING -o eth1 -j SNAT --to-source 200.0.0.4
COMMIT
# Completed on Tue Oct 12 17:38:41 2010
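Added here as an illustration, not part of the original page: a small Python audit that parses the *filter table above in iptables-save format and evaluates a packet against the INPUT chain, including the negated `-i ! eth1` match and the multiport list. It answers the question an administrator asks of this file, which new connections arriving on the Internet interface are accepted, and makes visible that port 11 is in the multiport list while 110 (POP3) is not, so the reader can judge whether that is intended. The rule text, the sample packets and the default source address are constructed for the demo.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the *filter table from /etc/iptables.up.rules above.
FILTER_TABLE = """\
*filter
:INPUT DROP [88:6524]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3673:652247]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,11,143,80,465,995,993,443 -j ACCEPT
-A INPUT -s 200.0.0.1/32 -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
COMMIT
"""


@dataclass
class Packet:
    iface: str                 # interface the packet arrives on
    proto: str                 # "tcp", "udp" or "icmp"
    dport: Optional[int]       # destination port, None for icmp
    state: str                 # conntrack state: "NEW", "ESTABLISHED" or "RELATED"
    src: str = "198.51.100.7"  # constructed source address (documentation range)


def parse_filter_table(text):
    """Parse iptables-save output into chain policies and ordered rule matches."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain], chains[chain] = policy, []
        elif line.startswith("-A"):
            toks = shlex.split(line)
            rule = {"iface": None, "iface_negated": False, "proto": None,
                    "src": None, "states": None, "dports": None, "target": None}
            i = 2
            while i < len(toks):
                t = toks[i]
                if t == "-i" and toks[i + 1] == "!":   # "-i ! eth1", the old negation syntax
                    rule["iface_negated"], rule["iface"] = True, toks[i + 2]
                    i += 3
                elif t == "-i":
                    rule["iface"] = toks[i + 1]
                    i += 2
                elif t == "-p":
                    rule["proto"] = toks[i + 1]
                    i += 2
                elif t == "-s":
                    rule["src"] = ipaddress.ip_network(toks[i + 1])
                    i += 2
                elif t == "--state":
                    rule["states"] = set(toks[i + 1].split(","))
                    i += 2
                elif t in ("--dport", "--dports"):
                    rule["dports"] = {int(p) for p in toks[i + 1].split(",")}
                    i += 2
                elif t == "-j":
                    rule["target"] = toks[i + 1]
                    i += 2
                else:
                    i += 1  # "-m state", "-m tcp", "-m multiport" carry nothing we need
            chains[toks[1]].append(rule)
    return policies, chains


def rule_matches(rule, pkt):
    if rule["iface"] is not None and (pkt.iface == rule["iface"]) == rule["iface_negated"]:
        return False
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["src"] is not None and ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if rule["states"] is not None and pkt.state not in rule["states"]:
        return False
    if rule["dports"] is not None and pkt.dport not in rule["dports"]:
        return False
    return True


def verdict(policies, chains, chain, pkt):
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chains[chain]:
        if rule_matches(rule, pkt):
            return rule["target"]
    return policies[chain]


def ports_open_from_internet(policies, chains, proto, candidates):
    """Which candidate ports accept NEW connections arriving on eth1 (the Internet side)?"""
    return sorted(p for p in candidates
                  if verdict(policies, chains, "INPUT", Packet("eth1", proto, p, "NEW")) == "ACCEPT")


if __name__ == "__main__":
    pol, ch = parse_filter_table(FILTER_TABLE)
    print("tcp ports reachable from the Internet:", ports_open_from_internet(pol, ch, "tcp", range(1, 1024)))
    print("udp ports reachable from the Internet:", ports_open_from_internet(pol, ch, "udp", range(1, 1024)))
```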
/etc/network/if-pre-up.d/iptables
This script reloads the iptables rules before an interface is brought up, which makes them persist across reboots.
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
/etc/apt/sources.list
The non-free section is where I get firmware for my ethernet cards.
#
# upgrade
# see http://www.debian.org/releases/squeeze/i386/release-notes/ch-upgrading.e...
#
deb http://ftp.uk.debian.org/debian/ squeeze main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze main non-free
#
deb http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main
#
/etc/apt/apt.conf.d/10periodic
I add unattended updates to xcl01.
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";
/etc/apt/apt.conf.d/02proxy
Acquire::http { Proxy "http://192.168.80.1:3142"; };
/etc/nut/upsmon.conf
I add the NUT (Network UPS Tools) application to ifw01.
...
#
# my configuration
#
MONITOR ifw03@192.168.80.1 1 monmaster Pa55w0rd1 master
#
...
/etc/bacula/bacula-fd.conf
#
# Default Bacula File Daemon Configuration file
#
# For Bacula release 2.4.4 (28 December 2008) -- debian 5.0
#
# There is not much to change here except perhaps the
# File daemon Name to
#
#
# List Directors who are permitted to contact this File daemon
#
Director {
Name = ifw03-dir
Password = "Pa55w0rd1"
}
#
# Restricted Director, used by tray-monitor to get the
# status of the file daemon
#
Director {
Name = ifw03-mon
Password = "Pa55w0rd2"
Monitor = yes
}
#
# "Global" File daemon configuration specifications
#
FileDaemon { # this is me
Name = ifw01-fd
FDport = 9102 # where we listen for the director
WorkingDirectory = /var/lib/bacula
Pid Directory = /var/run/bacula
Maximum Concurrent Jobs = 20
FDAddress = ifw01-adm01
}
# Send all messages except skipped files back to Director
Messages {
Name = Standard
director = ifw01-dir = all, !skipped, !restored
}
/etc/exim4/update-exim4.conf.conf
# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file
dc_eximconfig_configtype='smarthost'
dc_other_hostnames='ifw01.planetlarg.com'
dc_local_interfaces='127.0.0.1;192.168.80.5'
dc_readhost='planetlarg.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='192.168.80.1'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'
/etc/bind/db.planetlarg.com-external
The external configuration file for split DNS. I add zones to Bind.
; planetlarg.com
$TTL 604800
@ IN SOA localhost. root.localhost. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1
IN MX 10 mail
IN A 200.0.0.10
ns1 IN A 200.0.0.10 ; name server
mail IN A 200.0.0.10 ; e-mail
www IN A 200.0.0.10 ; web site
lic-ifw01 IN A 200.0.0.4 ; biz01 firewall
lic-ifw02 IN A 200.0.0.35 ; biz02 firewall
lic-ifw03 IN A 200.0.0.66 ; adm01 firewall
/etc/bind/db.planetlarg.com-internal
The internal configuration file for split DNS.
; planetlarg.com
$TTL 604800
;@ IN SOA ns1.planetlarg.com. root.planetlarg.com. (
@ IN SOA localhost. root.localhost. (
2010113001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1
IN MX 10 mail
IN A 200.0.0.10
ns1 IN A 200.0.0.10 ; name server
mail IN A 200.0.0.10 ; e-mail
web01 IN A 200.0.0.10 ; web site
;
; public addresses
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/na...
xcl01-biz IN A 200.0.0.1 ;
xcl01-biz01 IN A 200.0.0.2 ;
lic-ifw01 IN A 200.0.0.4 ; biz01 firewall
xcl01-biz02 IN A 200.0.0.33 ;
lic-ifw02 IN A 200.0.0.35 ; biz02 firewall
xcl01-adm01 IN A 200.0.0.65 ;
lic-ifw03 IN A 200.0.0.66 ; adm01 firewall
;
; biz01 network and bonded addresses
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
gw-biz IN A 192.168.0.1 ; Internet firewall gateway
; on active firewall
ifw01-biz IN A 192.168.0.2 ; bonded interface on ifw01
ifw01-biz01 IN A 192.168.0.3 ;
ifw02-biz IN A 192.168.0.4 ;
ifw02-biz01 IN A 192.168.0.5 ;
ics01-biz IN A 192.168.0.6 ;
ics01-biz01 IN A 192.168.0.7 ;
ics02-biz IN A 192.168.0.8 ;
ics02-biz01 IN A 192.168.0.9 ;
ics03-biz IN A 192.168.0.10 ;
ics03-biz01 IN A 192.168.0.11 ;
;
ics01-web01 IN A 192.168.3.2 ;
ics02-web01 IN A 192.168.3.3 ;
ics03-web01 IN A 192.168.3.4 ;
;
; biz02 network
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
ifw01-biz02 IN A 192.168.40.2 ;
ifw02-biz02 IN A 192.168.40.3 ;
ics01-biz02 IN A 192.168.40.4 ;
ics02-biz02 IN A 192.168.40.5 ;
ics03-biz02 IN A 192.168.40.6 ;
;
; adm01 network
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/in...
ifw01-adm01 IN A 192.168.80.5 ;
ifw02-adm01 IN A 192.168.80.6 ;
ifw03-adm01 IN A 192.168.80.1 ;
gw-adm01 IN CNAME ifw03-adm01 ;
ifw-adm01 IN A 192.168.80.7 ; admin address on active firewall
ifw03-fd IN CNAME ifw03-adm01 ;
ics01-adm01 IN A 192.168.80.2 ;
ics02-adm01 IN A 192.168.80.3 ;
ics03-adm01 IN A 192.168.80.4 ;
;
; end
/etc/bind/db.200-external
A configuration file for DNS reverse lookups.
;
; BIND reverse data file for my fake Internet range
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/na...
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
10.0.0 IN PTR ns1.planetlarg.com.
10.0.0 IN PTR mail.planetlarg.com.
10.0.0 IN PTR web01.planetlarg.com.
1.0.0 IN PTR xcl01-biz.planetlarg.com.
2.0.0 IN PTR xcl01-biz01.planetlarg.com.
4.0.0 IN PTR ifw01.planetlarg.com.
33.0.0 IN PTR xcl01-biz02.planetlarg.com.
35.0.0 IN PTR ifw02.planetlarg.com.
65.0.0 IN PTR xcl01-adm01.planetlarg.com.
66.0.0 IN PTR ifw03.planetlarg.com.
;
; end
/etc/bind/db.200-internal
A configuration file for DNS reverse lookups.
;
; BIND reverse data file for my fake Internet range
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/na...
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
10.0.0 IN PTR ns1.planetlarg.com.
10.0.0 IN PTR mail.planetlarg.com.
10.0.0 IN PTR web01.planetlarg.com.
1.0.0 IN PTR xcl01-biz.planetlarg.com.
2.0.0 IN PTR xcl01-biz01.planetlarg.com.
4.0.0 IN PTR ifw01.planetlarg.com.
33.0.0 IN PTR xcl01-biz02.planetlarg.com.
35.0.0 IN PTR ifw02.planetlarg.com.
65.0.0 IN PTR xcl01-adm01.planetlarg.com.
66.0.0 IN PTR ifw03.planetlarg.com.
;
; end
/etc/bind/db.192.168
A configuration file for DNS reverse lookups.
;
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
;
; biz01 network
1.0 IN PTR ifw-gw.planetlarg.com.
2.0 IN PTR ifw01-biz.planetlarg.com.
3.0 IN PTR ifw01-biz01.planetlarg.com.
4.0 IN PTR ifw02-biz.planetlarg.com.
5.0 IN PTR ifw02-biz01.planetlarg.com.
6.0 IN PTR ics01-biz.planetlarg.com.
7.0 IN PTR ics01-biz01.planetlarg.com.
8.0 IN PTR ics02-biz.planetlarg.com.
9.0 IN PTR ics02-biz01.planetlarg.com.
10.0 IN PTR ics03-biz.planetlarg.com.
11.0 IN PTR ics03-biz01.planetlarg.com.
;
2.3 IN PTR ics01-web01.planetlarg.com.
3.3 IN PTR ics02-web01.planetlarg.com.
4.3 IN PTR ics03-web01.planetlarg.com.
;
; biz02 network
2.40 IN PTR ifw01-biz02.planetlarg.com.
3.40 IN PTR ifw02-biz02.planetlarg.com.
4.40 IN PTR ics01-biz02.planetlarg.com.
5.40 IN PTR ics02-biz02.planetlarg.com.
6.40 IN PTR ics03-biz02.planetlarg.com.
;
; adm01 network
1.80 IN PTR ifw03-adm01.planetlarg.com.
5.80 IN PTR ifw01-adm01.planetlarg.com.
6.80 IN PTR ifw02-adm01.planetlarg.com.
2.80 IN PTR ics01-adm01.planetlarg.com.
3.80 IN PTR ics02-adm01.planetlarg.com.
4.80 IN PTR ics03-adm01.planetlarg.com.
/etc/bind/named.conf.options
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
forwarders {
200.0.0.1;
};
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
acl internals {
127.0.0.0/8;
192.168.0.0/16;
};
view "internal" {
// This should match our internal networks.
match-clients { internals; };
// Provide recursive service to internal clients only.
recursion yes;
// brackets named.conf zones
/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
//
// information for LIC clients
// see
// * http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#view_statement_g...
// * http://www.howtoforge.com/two_in_one_dns_bind9_views
//
// Provide a complete view of the example.com zone
// including addresses of internal hosts.
zone "planetlarg.com" {
type master;
file "/etc/bind/db.planetlarg.com-internal";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.192.168";
};
zone "200.in-addr.arpa" {
type master;
file "/etc/bind/db.200-internal";
};
};
//
// information for everyone else (Internet clients)
//
view "external" {
// Match all clients not matched by the previous view.
match-clients { any; };
// Refuse recursive service to external clients.
recursion no;
// Provide a restricted view of the example.com zone
// containing only publicly accessible hosts.
zone "planetlarg.com" {
type master;
file "/etc/bind/db.planetlarg.com-external";
};
zone "200.in-addr.arpa" {
type master;
file "/etc/bind/db.200-external";
};
};
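Added as an example, not the page's or BIND's own code: two checks a split-DNS administrator would run over the zone files above, written in Python with a simplified zone parser. The first flags A records in the external view that point into RFC 1918 space (a constructed record, lic-ifw01-adm01, is added to the external excerpt so there is something to find); the second lists names published externally that the internal view does not know at all, which here surfaces that the external zone publishes www where the internal zone uses web01. The zone excerpts are constructed from the files on this page; the parser assumes no $ORIGIN or $INCLUDE directives.

```python
import ipaddress

# Constructed excerpts of db.planetlarg.com-external and -internal above.  One
# record, lic-ifw01-adm01, is added to the external copy purely for the demo.
EXTERNAL_ZONE = """\
; planetlarg.com
$TTL 604800
@ IN SOA localhost. root.localhost. (
2006020201 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS ns1
IN MX 10 mail
IN A 200.0.0.10
ns1 IN A 200.0.0.10 ; name server
mail IN A 200.0.0.10 ; e-mail
www IN A 200.0.0.10 ; web site
lic-ifw01 IN A 200.0.0.4 ; biz01 firewall
lic-ifw01-adm01 IN A 192.168.80.5 ; constructed leak for the demo
"""

INTERNAL_ZONE = """\
$TTL 604800
@ IN SOA localhost. root.localhost. (
2010113001 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
@ IN NS ns1
IN MX 10 mail
IN A 200.0.0.10
ns1 IN A 200.0.0.10
mail IN A 200.0.0.10
web01 IN A 200.0.0.10 ; web site
lic-ifw01 IN A 200.0.0.4
ifw01-adm01 IN A 192.168.80.5
gw-adm01 IN CNAME ifw03-adm01
"""

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLASSES = {"IN", "CH", "HS"}
TYPES = {"A", "AAAA", "NS", "MX", "CNAME", "PTR", "TXT", "SOA"}


def parse_zone(text):
    """Return (owner, type, rdata) tuples from a zone file.

    Simplified: handles ';' comments, $TTL, '@', the blank-owner rule (a line
    that starts with whitespace, a class or a type keeps the previous owner)
    and the parenthesised multi-line SOA.  No $ORIGIN or $INCLUDE.
    """
    records, owner, in_parens = [], None, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        if in_parens:                       # still inside the SOA ( ... )
            in_parens = ")" not in line
            continue
        toks = line.split()
        if not (raw[0].isspace() or toks[0] in CLASSES or toks[0] in TYPES):
            owner = toks.pop(0)
        while toks and (toks[0] in CLASSES or toks[0].isdigit()):  # class and optional TTL
            toks.pop(0)
        rtype, rdata = toks[0], " ".join(toks[1:])
        in_parens = "(" in rdata and ")" not in rdata
        records.append((owner, rtype, rdata))
    return records


def leaked_private_addresses(zone_text):
    """A records pointing into RFC 1918 space; must be empty for the external view."""
    leaks = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype == "A":
            addr = ipaddress.ip_address(rdata.split()[0])
            if any(addr in net for net in PRIVATE_NETS):
                leaks.append((owner, str(addr)))
    return leaks


def names_missing_internally(external_text, internal_text):
    """Names published externally that internal clients cannot resolve at all."""
    internal_names = {owner for owner, _, _ in parse_zone(internal_text)}
    return sorted({owner for owner, rtype, _ in parse_zone(external_text)
                   if rtype in ("A", "CNAME") and owner not in internal_names})


if __name__ == "__main__":
    print("private addresses in external view:", leaked_private_addresses(EXTERNAL_ZONE))
    print("external names unknown internally:", names_missing_internally(EXTERNAL_ZONE, INTERNAL_ZONE))
```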
/etc/modprobe.d/arch/i386
The configuration file that sets module aliases and options for the OS, including the bonding driver.
alias parport_lowlevel parport_pc
alias binfmt-0064 binfmt_aout
alias binfmt-332 iBCS
alias bond0 bonding
alias bond1 bonding
options bonding mode=1 miimon=100 downdelay=200 updelay=200 max_bonds=3
/etc/ha.d/haresources
The configuration file that lists the High Availability resources.
# This is a list of resources that move from machine to machine as
# nodes go down and come up in the cluster.
# The haresources files MUST BE IDENTICAL on all nodes of the cluster.
# for more info see sample file /usr/share/doc/heartbeat-2/haresources
#
# fields of "IPAddr::" are:
# IP address/netmask/interface/broadcast address
#
# fields of "ldirectord::" are:
# configuration file: This is the name of the file containing the
# configuration, stored in the directory /etc/ha.d/conf/
#
ifw01 \
IPaddr::200.0.0.10/27/eth1:0/200.0.0.31 \
IPaddr::192.168.0.1/21/bond0:0/192.168.7.255 \
ldirectord::ldirectord.cf
#
/etc/ha.d/authkeys
The configuration file that authenticates cluster messages for the HA application "heartbeat".
# heartbeat authentication
# This file must be mode 600!
# for more info see sample file /usr/share/doc/heartbeat-2/authkeys
#
auth 1
1 sha1 key-for-sha1-any-text-you-want
/etc/ha.d/ha.cf
The master configuration file for the HA application "heartbeat".
# heartbeat resources
# for more info see sample file /usr/share/doc/heartbeat-2/ha.cf
#
# Facility to use for syslog()/logger
logfacility local0
# What interfaces to broadcast heartbeats over?
bcast bond0
# Set up a multicast heartbeat medium
mcast bond0 225.0.0.1 694 1 0
# resources will automatically fail back to the "primary" node
auto_failback on
# Tell what machines are in the cluster
node ifw01
node ifw02
# Processes started and stopped with heartbeat
respawn hacluster /usr/lib/heartbeat/ipfail
# Access control for client api
apiauth ipfail gid=haclient uid=hacluster
/etc/ha.d/conf/ldirectord.cf
The configuration file for the HA application "ldirectord".
# Ldirectord will connect to each real server
# and request a test page.
# If the data returned by the server does not contain a test string
# then the test fails and the real server will be
# taken out of the available pool.
# The real server will be added back into the pool once the test succeeds.
# If all real servers are removed from the pool
# then the fall back server is added to the pool.
#
# see /usr/share/doc/ldirectord/ldirectord.cf.gz
#
# global directives
#
checktimeout=5
checkinterval=5
fallback=127.0.0.1:80
autoreload=yes
quiescent=yes
#
# virtual server
#
virtual=200.0.0.10:80
#
# real servers
# real fields are
# * IP address
# http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses//i...
# * port
# * masq
# tells LVS to use LVS-NAT
# http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html
#
# ics01
real=192.168.3.2:80 masq
# ics02
#real=192.168.3.3:80 masq
# ics03
#real=192.168.3.4:80 masq
#
# test page
service=http
request="ldirectord.html"
receive="ldirectord test"
# other stuff
scheduler=rr
protocol=tcp
#
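An added Python model of the health-check behaviour the comments above describe; it is not ldirectord's own code. It parses the real=, fallback=, request= and receive= directives and computes the pool after one check round against a constructed stand-in for the web servers, showing that a server answering with the wrong page (a default index, say) is dropped just like one that times out, and that the fallback takes over only when no real server is left. In the constructed copy the ics02 line is uncommented so the demo has a failing member; treating "gate" as the forwarding method when no flag is given is an assumption.

```python
# Constructed excerpt of the ldirectord.cf shown above; ics02 is enabled here
# so that the demo has one healthy and one failing real server.
LDIRECTORD_CF = """\
checktimeout=5
checkinterval=5
fallback=127.0.0.1:80
autoreload=yes
quiescent=yes
virtual=200.0.0.10:80
real=192.168.3.2:80 masq
real=192.168.3.3:80 masq
#real=192.168.3.4:80 masq
service=http
request="ldirectord.html"
receive="ldirectord test"
scheduler=rr
protocol=tcp
"""

# Constructed stand-in for the network: what each real server returns for the
# test page.  None stands for a request that timed out.
FAKE_WEB = {
    ("192.168.3.2:80", "ldirectord.html"): "<html><body>ldirectord test</body></html>",
    ("192.168.3.3:80", "ldirectord.html"): "<html><body>It works!</body></html>",  # wrong content
    ("192.168.3.4:80", "ldirectord.html"): None,
}


def fake_fetch(addr, path, timeout):
    """Pretend to fetch http://addr/path; replaces the real HTTP check for the demo."""
    return FAKE_WEB.get((addr, path))


def parse_ldirectord(text):
    """Parse the key=value lines of ldirectord.cf; real= lines accumulate in order."""
    cfg = {"real": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        value = value.strip().strip('"')
        if key == "real":
            addr, *flags = value.split()
            # "gate" as the default forwarding method is an assumption of this demo
            cfg["real"].append({"addr": addr, "method": flags[0] if flags else "gate"})
        else:
            cfg[key] = value
    return cfg


def server_is_healthy(addr, cfg, fetch):
    """A real server passes only when the test page contains the receive string."""
    body = fetch(addr, cfg["request"], int(cfg["checktimeout"]))
    return body is not None and cfg["receive"] in body


def active_pool(cfg, fetch):
    """Addresses the virtual server forwards to after one check round.

    Failed real servers are removed; when none remain, the fallback
    (here the firewall's own loopback web server) becomes the pool.
    """
    pool = [s["addr"] for s in cfg["real"] if server_is_healthy(s["addr"], cfg, fetch)]
    return pool if pool else [cfg["fallback"]]


if __name__ == "__main__":
    cfg = parse_ldirectord(LDIRECTORD_CF)
    print(cfg["virtual"], "->", active_pool(cfg, fake_fetch))
    print(cfg["virtual"], "-> (all real servers down)", active_pool(cfg, lambda a, p, t: None))
```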
/home/issalarg/.ssh/authorized_keys
I use public key authentication for SSH.
#
# not really my key from ifw03
#
ssh-rsa ABcdB3NEAAAABIwAAAQYf0IgVazrDZV5hZMKbSGKoEDYifqEb7fRAg8FwRLn/VAXVBD8OPPZuQlld/0SYLucKgW9yu82QcnhgQj+ymDehZQu+gGRCnLK17ZzYfe6hyQgvdRBnS/6jumUPRrwBCxfOz3YpPYQXW3xoD6DF7Ma7QW1sldIyCpxsy70ehunW5h4WEC8p7S+rIrw6FGU8wAHR+w== issalarg@xcl01
/var/www/infrastructure/host1
I create test pages for the web server on ics01.
ics01
/etc/aliases
...
issalarg: idc@planetlarg.net
/etc/snmp/snmpd.conf
...
com2sec readonly default public
...
/etc/default/snmpd
...
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid ifw01-adm01'
...
/etc/nagios/nrpe_local.cfg
allowed_hosts=192.168.80.1
/var/spool/cron/crontabs/root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.0BUEfI/crontab installed on Fri Dec 17 01:37:53 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# m h dom mon dow command
55 23 * * * /sbin/poweroff

