ifw01 (internet firewall 1)

LIC topology: IBM PCs

introduction

The computer ifw01 is one of the firewalls in the LIC (Larg's Internet Cluster). Things specific to this host are listed below. The list is grouped by infrastructure layer.

Every host name in the LIC has five characters like this one.

LIC topography: ifw01 (base unit, data interfaces, data cables)

LIC topology: ifw01 (PCs, switches, ethernet interfaces)

hardware and network

I buy PC things. Specifically, a Dell OptiPlex GX260. Wikipedia (http://en.wikipedia.org/wiki/Dell_OptiPlex) has this summary.

  • Model: GX260
  • Chipset: Intel 845G
  • CPU: Pentium 4 or Celeron
  • FSB: 400/533 MHz
  • RAM type: DDR 200/266
  • RAM speed: PC2700
  • Chassis: SFF, SD, SMT
  • Comments: PATA only, no SATA
  • Socket: 478
  • USB: USB 2.0 x6

ifw01:~# lshw
ifw01
    description: Mini Tower Computer
    product: OptiPlex GX260
    vendor: Dell Computer Corporation
    serial: 9CT5H0J
    width: 32 bits
    capabilities: smbios-2.3 dmi-2.3 smp-1.4 smp
    configuration: administrator_password=enabled boot=normal chassis=mini-tower cpus=1 power-on_password=enabled uuid=44454C4C-4300-1054-8035-B9C04F48304A
  *-core
       description: Motherboard
       vendor: Dell Computer Corp.
       physical id: 0
       serial: ..              .
       slot: PCI1
     *-firmware
          description: BIOS
          vendor: Dell Computer Corporation
          physical id: 0
          version: A09 (11/01/2004)
          size: 64KiB
          capacity: 448KiB
          capabilities: isa pci pnp apm upgrade shadowing escd cdboot bootselect edd int13floppytoshiba int5printscreen int9keyboard int14serial int17printer acpi usb agp ls120boot biosbootspecification netboot
     *-cpu
          description: CPU
          product: Intel(R) Pentium(R) 4 CPU 1.80GHz
          vendor: Intel Corp.
          physical id: 400
          bus info: cpu@0
          version: 15.2.4
          slot: Microprocessor
          size: 1800MHz
          capacity: 3060MHz
          width: 32 bits
          clock: 400MHz
          capabilities: boot fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm up pebs bts
          configuration: id=0
        *-cache:0
             description: L1 cache
             physical id: 700
             size: 8KiB
             capacity: 16KiB
             capabilities: internal write-back data
        *-cache:1
             description: L2 cache
             physical id: 701
             size: 512KiB
             capacity: 512KiB
             capabilities: internal varies unified
     *-memory
          description: System Memory
          physical id: 1000
          slot: System board or motherboard
          size: 256MiB
          capacity: 1GiB
        *-bank:0
             description: DIMM SDRAM Synchronous 266 MHz (3.8 ns)
             physical id: 0
             slot: DIMM_A
             size: 256MiB
             width: 64 bits
             clock: 266MHz (3.8ns)
        *-bank:1
             description: DIMM SDRAM Synchronous 266 MHz (3.8 ns) [empty]
             physical id: 1
             slot: DIMM_B
             width: 64 bits
             clock: 266MHz (3.8ns)
     *-pci
          description: Host bridge
          product: 82845G/GL[Brookdale-G]/GE/PE DRAM Controller/Host-Hub Interface
          vendor: Intel Corporation
          physical id: 100
          bus info: pci@0000:00:00.0
          version: 01
          width: 32 bits
          clock: 33MHz
          configuration: driver=agpgart-intel module=intel_agp
        *-display UNCLAIMED
             description: VGA compatible controller
             product: 82845G/GL[Brookdale-G]/GE Chipset Integrated Graphics Device
             vendor: Intel Corporation
             physical id: 2
             bus info: pci@0000:00:02.0
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: pm vga_controller bus_master cap_list
             configuration: latency=0
        *-usb:0
             description: USB Controller
             product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #1
             vendor: Intel Corporation
             physical id: 1d
             bus info: pci@0000:00:1d.0
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@1
                logical name: usb1
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:1
             description: USB Controller
             product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #2
             vendor: Intel Corporation
             physical id: 1d.1
             bus info: pci@0000:00:1d.1
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@2
                logical name: usb2
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:2
             description: USB Controller
             product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) USB UHCI Controller #3
             vendor: Intel Corporation
             physical id: 1d.2
             bus info: pci@0000:00:1d.2
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@3
                logical name: usb3
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:3
             description: USB Controller
             product: 82801DB/DBM (ICH4/ICH4-M) USB2 EHCI Controller
             vendor: Intel Corporation
             physical id: 1d.7
             bus info: pci@0000:00:1d.7
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: pm debug ehci bus_master cap_list
             configuration: driver=ehci_hcd latency=0 module=ehci_hcd
           *-usbhost
                product: EHCI Host Controller
                vendor: Linux 2.6.26-2-686 ehci_hcd
                physical id: 1
                bus info: usb@4
                logical name: usb4
                version: 2.06
                capabilities: usb-2.00
                configuration: driver=hub slots=6 speed=480.0MB/s
        *-pci
             description: PCI bridge
             product: 82801 PCI Bridge
             vendor: Intel Corporation
             physical id: 1e
             bus info: pci@0000:00:1e.0
             version: 81
             width: 32 bits
             clock: 33MHz
             capabilities: pci normal_decode bus_master
           *-network:0
                description: Ethernet interface
                product: RTL-8169 Gigabit Ethernet
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 7
                bus info: pci@0000:01:07.0
                logical name: eth1
                version: 10
                serial: 00:e0:4c:a9:34:42
                size: 100MB/s
                capacity: 1GB/s
                width: 32 bits
                clock: 66MHz
                capabilities: pm bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.2LK-NAPI duplex=full ip=200.0.0.4 latency=64 link=yes maxlatency=64 mingnt=32 module=r8169 multicast=yes port=twisted pair speed=100MB/s
           *-network:1
                description: Ethernet interface
                product: RTL-8139/8139C/8139C+
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 8
                bus info: pci@0000:01:08.0
                logical name: eth2
                version: 10
                serial: 00:0e:2e:cb:aa:ac
                size: 100MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full latency=64 link=yes maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII slave=yes speed=100MB/s
           *-network:2
                description: Ethernet interface
                product: RTL-8139/8139C/8139C+
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 9
                bus info: pci@0000:01:09.0
                logical name: eth3
                version: 10
                serial: 00:0e:2e:cb:aa:ac
                size: 100MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=full latency=64 link=yes maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII slave=yes speed=100MB/s
           *-network:3 DISABLED
                description: Ethernet interface
                product: RTL-8139/8139C/8139C+
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: a
                bus info: pci@0000:01:0a.0
                logical name: eth4
                version: 10
                serial: 00:0e:2e:cb:a5:70
                size: 10MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=half latency=64 link=no maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII speed=10MB/s
           *-network:4
                description: Ethernet interface
                product: 82540EM Gigabit Ethernet Controller
                vendor: Intel Corporation
                physical id: c
                bus info: pci@0000:01:0c.0
                logical name: eth0
                version: 02
                serial: 00:08:74:0f:09:8a
                size: 1GB/s
                capacity: 1GB/s
                width: 32 bits
                clock: 66MHz
                capabilities: pm pcix msi bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.20-k2-NAPI duplex=full firmware=N/A ip=192.168.80.5 latency=64 link=yes mingnt=255 module=e1000 multicast=yes port=twisted pair speed=1GB/s
        *-isa
             description: ISA bridge
             product: 82801DB/DBL (ICH4/ICH4-L) LPC Interface Bridge
             vendor: Intel Corporation
             physical id: 1f
             bus info: pci@0000:00:1f.0
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: isa bus_master
             configuration: latency=0
        *-ide
             description: IDE interface
             product: 82801DB (ICH4) IDE Controller
             vendor: Intel Corporation
             physical id: 1f.1
             bus info: pci@0000:00:1f.1
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: ide bus_master
             configuration: driver=PIIX_IDE latency=0 module=piix
           *-ide:0
                description: IDE Channel 0
                physical id: 0
                bus info: ide@0
                logical name: ide0
                clock: 33MHz
              *-disk
                   description: ATA Disk
                   product: MAXTOR 6L020J1
                   vendor: Maxtor
                   physical id: 0
                   bus info: ide@0.0
                   logical name: /dev/hda
                   version: A93.0500
                   serial: 661219811062
                   size: 19GiB (20GB)
                   capacity: 19GiB (20GB)
                   capabilities: ata dma lba iordy smart security pm partitioned partitioned:dos
                   configuration: mode=udma5 signature=9dc96e9e smart=on
                 *-volume:0
                      description: EXT3 volume
                      vendor: Linux
                      physical id: 1
                      bus info: ide@0.0,1
                      logical name: /dev/hda1
                      logical name: /
                      version: 1.0
                      serial: 985471e3-9a74-4d84-96a2-6b37a3c0d31c
                      size: 18GiB
                      capacity: 18GiB
                      capabilities: primary bootable journaled extended_attributes large_files huge_files recover ext3 ext2 initialized
                      configuration: created=2010-09-20 10:12:51 filesystem=ext3 modified=2011-01-31 13:18:56 mount.fstype=ext3 mount.options=rw,errors=remount-ro,data=ordered mounted=2011-01-31 13:18:56 state=mounted
                 *-volume:1
                      description: Extended partition
                      physical id: 2
                      bus info: ide@0.0,2
                      logical name: /dev/hda2
                      size: 729MiB
                      capacity: 729MiB
                      capabilities: primary extended partitioned partitioned:extended
                    *-logicalvolume
                         description: Linux swap / Solaris partition
                         physical id: 5
                         logical name: /dev/hda5
                         capacity: 729MiB
                         capabilities: nofs
           *-ide:1
                description: IDE Channel 1
                physical id: 1
                bus info: ide@1
                logical name: ide1
                clock: 33MHz
              *-cdrom
                   description: IDE CD-ROM
                   product: GCR-8481B
                   physical id: 0
                   bus info: ide@1.0
                   logical name: /dev/hdc
                   version: 1.06
                   capabilities: packet atapi cdrom removable nonmagnetic dma lba iordy audio
                   configuration: mode=udma2 status=nodisc
        *-serial
             description: SMBus
             product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) SMBus Controller
             vendor: Intel Corporation
             physical id: 1f.3
             bus info: pci@0000:00:1f.3
             version: 01
             width: 32 bits
             clock: 33MHz
             configuration: driver=i801_smbus latency=0 module=i2c_i801
        *-multimedia
             description: Multimedia audio controller
             product: 82801DB/DBL/DBM (ICH4/ICH4-L/ICH4-M) AC'97 Audio Controller
             vendor: Intel Corporation
             physical id: 1f.5
             bus info: pci@0000:00:1f.5
             version: 01
             width: 32 bits
             clock: 33MHz
             capabilities: pm bus_master cap_list
             configuration: driver=Intel ICH latency=0 module=snd_intel8x0
  *-network:0
       description: Ethernet interface
       physical id: 1
       logical name: bond0
       serial: 00:0e:2e:cb:aa:ac
       capabilities: ethernet physical
       configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 ip=192.168.0.2 master=yes multicast=yes
  *-network:1 DISABLED
       description: Ethernet interface
       physical id: 2
       logical name: bond1
       capabilities: ethernet physical
       configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 master=yes multicast=yes
  *-network:2 DISABLED
       description: Ethernet interface
       physical id: 3
       logical name: bond2
       capabilities: ethernet physical
       configuration: broadcast=yes driver=bonding driverversion=3.2.5 firmware=2 master=yes multicast=yes
ifw01:~#

network cables

I buy ethernet things.

Four network cables connect ifw01 to the networks. Three different cables lead from ifw01 to the LIC (Larg's Internet Cluster), providing HA and traffic separation.

Different network cable colours show which one is which.

network interfaces

I buy ethernet things.

I follow this procedure for a different host: add NICs (Network Interface Cards) to xcl01.

LIC table: ifw01 network interfaces

computer          interface  description                                   IP address    netmask
ifw01             eth1       to the Internet via xcl01 (only for testing)  200.0.0.4     255.255.255.224
ifw01             eth2       biz01 Internet DMZ, via ces01                 192.168.0.3   255.255.248.0
ifw01             eth3       biz02 Internet DMZ, via ces02                 192.168.40.2  255.255.248.0
ifw01             bond0      ethernet bonding for eth2 and eth3            192.168.0.2   255.255.192.0
ifw01             eth0       adm01, via ces03                              192.168.80.5  255.255.248.0
(ifw01 or ifw02)  eth0:0     web site 1                                    200.0.0.10    255.255.255.224
(ifw01 or ifw02)  eth0:1     web site 2                                    200.0.0.11    255.255.255.224
(ifw01 or ifw02)  eth0:2     web site 3                                    200.0.0.12    255.255.255.224

OS

All the IBM PCs (Personal Computers) in the LIC (Larg's Internet Cluster) run the Debian distribution.

applications

Almost all the applications in the LIC (Larg's Internet Cluster) are from the Debian distribution.

packages

I want to remove Gnome NetworkManager on xcl01.

apt-get remove network-manager

I install packages to make testing easier.

apt-get install tcpdump lynx screen

I install packages to provide services.

apt-get install bind9 heartbeat ifenslave ipvsadm \
    ldirectord ntp nut openssh-server \
    setserial sysv-rc-conf 

/etc/network/interfaces

I add static IP addresses to ifw01.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
#
# adm01 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-adm01-19216880021
#
allow-auto eth0
iface eth0 inet static
    address 192.168.80.5
    netmask 255.255.248.0
#
# Internet
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/nat-ip-addresses-20000x
#
allow-auto eth1
iface eth1 inet static
    address 200.0.0.4
    netmask 255.255.255.224
    gateway 200.0.0.1
#
# biz01 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-biz01-ip-addresses-1921680021
#
allow-auto eth2
iface eth2 inet static
    address 192.168.0.3
    netmask 255.255.248.0
#
# biz02 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-biz02-19216840021
#
allow-auto eth3
iface eth3 inet static
    address 192.168.40.2
    netmask 255.255.248.0
#
# bond the biz networks
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-firewalls/bond-eth2-and-eth3-ifw01
#
allow-auto bond0
iface bond0 inet static
    pre-up  modprobe bonding
    address 192.168.0.2
    netmask 255.255.248.0
    up      ifenslave    bond0 eth2 eth3
    down    ifenslave -d bond0 eth2 eth3
#
# interfaces controlled by heartbeat
# not sure these should be here.
# I am having some odd poweron effects which this may solve.
#
# biz network gateway
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-high-availability/solitary-heartbeat-ifw01
#
allow-auto bond0:0
iface bond0:0 inet static
    address 192.168.0.1
    netmask 255.255.248.0
#
#
allow-auto eth0:0
iface eth0:0 inet static
    address 192.168.80.7
    netmask 255.255.248.0
#
# biz network gateway
# see http://cluster.planetlarg.com/car-size-cluster-build/add-ha-high-availability/solitary-heartbeat-ifw01
#
allow-auto eth1:0
iface eth1:0 inet static
    address 200.0.0.10
    netmask 255.255.255.224
#

/etc/udev/rules.d/70-persistent-net.rules

I match interfaces with labels on xcl01.

# This file was automatically generated by the /lib/udev/write_net_rules
# program run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:08:74:0f:09:8a", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x10ec:0x8169 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:a9:34:42", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:aa:ac", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"

# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:ac:e2", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"

# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:a5:70", ATTR{type}=="1", KERNEL=="eth*", NAME="eth4"

/etc/resolv.conf

I add DNS to ifw01.

domain planetlarg.com
search planetlarg.com
nameserver 200.0.0.1

/etc/iptables.up.rules

The saved ruleset for the iptables/netfilter firewall, in iptables-save format.

# Generated by iptables-save v1.4.2 on Tue Oct 12 17:38:41 2010
*filter
:INPUT DROP [88:6524]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3673:652247]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,11,143,80,465,995,993,443 -j ACCEPT
-A INPUT -s 200.0.0.1/32 -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o bond0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth3 -j ACCEPT
-A FORWARD -i bond0 -o eth1 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -j ACCEPT
COMMIT
# Completed on Tue Oct 12 17:38:41 2010
# Generated by iptables-save v1.4.2 on Tue Oct 12 17:38:41 2010
*nat
:PREROUTING ACCEPT [477:34909]
:POSTROUTING ACCEPT [103:8276]
:OUTPUT ACCEPT [474:35624]
-A POSTROUTING -o eth1 -j SNAT --to-source 200.0.0.4
COMMIT
# Completed on Tue Oct 12 17:38:41 2010
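An added audit script (not part of the ifw01 configuration, and not the author's code) that parses a dump in this iptables-save format and answers two questions a firewall reviewer asks: which services a new connection arriving on the Internet-facing eth1 can reach through INPUT, and which FORWARD rules admit flows with no state match. The embedded dump is a constructed copy of the filter table above with counters zeroed.

```python
"""Audit an iptables-save dump: what can reach this host for NEW connections on
the Internet-facing interface, and which FORWARD rules carry no state match?
Added example for this page; not part of ifw01's own files."""
from __future__ import annotations
import shlex
from dataclasses import dataclass

# Constructed copy of the page's filter table (counters zeroed, nat table
# omitted); the multiport list is reproduced exactly as written.
IPTABLES_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i ! eth1 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 25,11,143,80,465,995,993,443 -j ACCEPT
-A INPUT -s 200.0.0.1/32 -p icmp -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -i eth1 -o bond0 -j ACCEPT
-A FORWARD -i eth1 -o eth2 -j ACCEPT
-A FORWARD -i eth1 -o eth3 -j ACCEPT
-A FORWARD -i bond0 -o eth1 -j ACCEPT
-A FORWARD -i eth2 -o eth1 -j ACCEPT
-A FORWARD -i eth3 -o eth1 -j ACCEPT
COMMIT
"""

@dataclass
class Rule:
    table: str
    chain: str
    raw: str
    target: str = ""
    in_iface: str | None = None     # -i value
    in_negated: bool = False        # '-i ! eth1' (legacy) or '! -i eth1'
    proto: str | None = None
    src: str | None = None
    dports: tuple[int, ...] = ()    # --dport / --dports
    states: frozenset[str] = frozenset()   # -m state --state ...

SIMPLE = {"-p": "proto", "-s": "src", "-j": "target"}   # option -> Rule field
def parse_rule(table: str, line: str) -> Rule:
    toks = shlex.split(line)
    r = Rule(table=table, chain=toks[1], raw=line)
    i, negate = 2, False
    while i < len(toks):
        opt, val = toks[i], toks[i + 1]
        if opt == "!":                  # modern negation: '! -i eth1'
            negate, i = True, i + 1
            continue
        if val == "!":                  # legacy negation: '-i ! eth1'
            negate, val, i = True, toks[i + 2], i + 1
        if opt == "-i":
            r.in_iface, r.in_negated = val, negate
        elif opt in SIMPLE:
            setattr(r, SIMPLE[opt], val)
        elif opt in ("--dport", "--dports"):
            r.dports = tuple(int(p) for p in val.split(","))
        elif opt == "--state":
            r.states = frozenset(val.split(","))
        # every option in this dump takes one value; others (-m, -o) are skipped
        i, negate = i + 2, False
    return r

def parse_dump(text: str):
    """Return ({(table, chain): policy}, [Rule, ...]) for an iptables-save dump."""
    policies, rules, table = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            chain, policy, _counters = line[1:].split()
            policies[(table, chain)] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(table, line))
    return policies, rules

def arrives_on(rule: Rule, iface: str) -> bool:
    """Does the rule's -i clause (with any negation) match iface?"""
    return rule.in_iface is None or (rule.in_iface == iface) != rule.in_negated

def accepted_new_on(rules: list[Rule], iface: str) -> list[str]:
    """Services an unsolicited packet arriving on iface reaches through INPUT,
    as 'proto/port' ('*' = any port), with any source restriction appended."""
    found = set()
    for r in rules:
        if (r.table, r.chain, r.target) != ("filter", "INPUT", "ACCEPT"):
            continue
        if not arrives_on(r, iface) or (r.states and "NEW" not in r.states):
            continue
        suffix = f" from {r.src}" if r.src else ""
        found.update(f"{r.proto or 'any'}/{p}{suffix}" for p in r.dports or ("*",))
    return sorted(found)

def stateless_forward_accepts(rules: list[Rule]) -> list[str]:
    """FORWARD ACCEPT rules without a state match admit every new flow in that
    direction; each one deserves an explicit justification."""
    return [r.raw for r in rules if not r.states
            and (r.table, r.chain, r.target) == ("filter", "FORWARD", "ACCEPT")]
```

Port 11 shows up in the eth1 result exactly as the multiport list above has it; the audit reports what the ruleset does, not what was intended.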

/etc/network/if-pre-up.d/iptables

This script reloads the saved rules before an interface is brought up, which is how the iptables rules persist across reboots.

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

/etc/apt/sources.list

The non-free section is where I get the firmware for my ethernet cards.

#
# upgrade
# see http://www.debian.org/releases/squeeze/i386/release-notes/ch-upgrading.en.html#upgrade-process
#
deb     http://ftp.uk.debian.org/debian/ squeeze main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze main non-free
#
deb     http://security.debian.org/ squeeze/updates main
deb-src http://security.debian.org/ squeeze/updates main
#

/etc/apt/apt.conf.d/10periodic

I add unattended updates to xcl01.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

/etc/apt/apt.conf.d/02proxy

I add the apt proxy to ics01.

Acquire::http { Proxy "http://192.168.80.1:3142"; };

/etc/nut/upsmon.conf

I add the NUT (Network UPS Tools) application to ifw01.

...
#
# my configuration
#
MONITOR ifw03@192.168.80.1 1 monmaster Pa55w0rd1 master
#
...

/etc/bacula/bacula-fd.conf

I add bacula to ics01.

#
# Default  Bacula File Daemon Configuration file
#
#  For Bacula release 2.4.4 (28 December 2008) -- debian 5.0
#
# There is not much to change here except perhaps the
# File daemon Name to
#

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = ifw03-dir
  Password = "Pa55w0rd1"
}

#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = ifw03-mon
  Password = "Pa55w0rd2"
  Monitor = yes
}

#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
  Name = ifw01-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  FDAddress = ifw01-adm01
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = ifw01-dir = all, !skipped, !restored
}

/etc/exim4/update-exim4.conf.conf

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='ifw01.planetlarg.com'
dc_local_interfaces='127.0.0.1;192.168.80.5'
dc_readhost='planetlarg.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost='192.168.80.1'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

/etc/bind/db.planetlarg.com-external

The external zone file for split DNS. I add zones to Bind.

; planetlarg.com
$TTL    604800
@           IN      SOA     localhost. root.localhost. (
                     2006020201   ; Serial
                         604800   ; Refresh
                          86400   ; Retry
                        2419200   ; Expire
                         604800 ) ; Negative Cache TTL
;
@           IN      NS      ns1
            IN      MX      10 mail
            IN      A       200.0.0.10
ns1         IN      A       200.0.0.10   ; name server
mail        IN      A       200.0.0.10   ; e-mail
www         IN      A       200.0.0.10   ; web site
lic-ifw01   IN      A       200.0.0.4    ; biz01 firewall
lic-ifw02   IN      A       200.0.0.35   ; biz02 firewall
lic-ifw03   IN      A       200.0.0.66   ; adm01 firewall

/etc/bind/db.planetlarg.com-internal

The internal zone file for split DNS.

; planetlarg.com
$TTL    604800
;@       IN      SOA     ns1.planetlarg.com. root.planetlarg.com. (
@       IN      SOA     localhost. root.localhost. (
                     2010113001   ; Serial
                         604800   ; Refresh
                          86400   ; Retry
                        2419200   ; Expire
                         604800 ) ; Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       200.0.0.10
ns1     IN      A       200.0.0.10   ; name server
mail    IN      A       200.0.0.10   ; e-mail
web01   IN      A       200.0.0.10   ; web site
;
; public addresses
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/nat-ip-addresses-20000x
xcl01-biz     IN      A       200.0.0.1    ;
xcl01-biz01   IN      A       200.0.0.2    ;
lic-ifw01     IN      A       200.0.0.4    ; biz01 firewall
xcl01-biz02   IN      A       200.0.0.33   ;
lic-ifw02     IN      A       200.0.0.35   ; biz02 firewall
xcl01-adm01   IN      A       200.0.0.65   ;
lic-ifw03     IN      A       200.0.0.66   ; adm01 firewall
;
; biz01 network and bonded addresses
; see  http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-biz01-ip-addresses-1921680021
gw-biz        IN      A       192.168.0.1    ; Internet firewall gateway
                                             ; on active firewall
ifw01-biz     IN      A       192.168.0.2    ; bonded interface on ifw01
ifw01-biz01   IN      A       192.168.0.3    ;
ifw02-biz     IN      A       192.168.0.4    ;
ifw02-biz01   IN      A       192.168.0.5    ;
ics01-biz     IN      A       192.168.0.6    ;
ics01-biz01   IN      A       192.168.0.7    ;
ics02-biz     IN      A       192.168.0.8    ;
ics02-biz01   IN      A       192.168.0.9    ;
ics03-biz     IN      A       192.168.0.10   ;
ics03-biz01   IN      A       192.168.0.11   ;
;
ics01-web01   IN      A       192.168.3.2    ;
ics02-web01   IN      A       192.168.3.3    ;
ics03-web01   IN      A       192.168.3.4    ;
;
; biz02 network
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-biz02-19216840021
ifw01-biz02   IN      A       192.168.40.2   ;
ifw02-biz02   IN      A       192.168.40.3   ;
ics01-biz02   IN      A       192.168.40.4   ;
ics02-biz02   IN      A       192.168.40.5   ;
ics03-biz02   IN      A       192.168.40.6   ;
;
; adm01 network
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-adm01-19216880021
ifw01-adm01   IN      A       192.168.80.5   ;
ifw02-adm01   IN      A       192.168.80.6   ;
ifw03-adm01   IN      A       192.168.80.1   ;
gw-adm01      IN      CNAME   ifw03-adm01    ;
ifw-adm01     IN      A       192.168.80.7   ; admin address on active firewall
ifw03-fd      IN      CNAME   ifw03-adm01    ;
ics01-adm01   IN      A       192.168.80.2   ;
ics02-adm01   IN      A       192.168.80.3   ;
ics03-adm01   IN      A       192.168.80.4   ;
;
; end

/etc/bind/db.200-external

The external reverse zone file (DNS reverse lookups) for the fake Internet range.

;
; BIND reverse data file for my fake Internet range
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/nat-ip-addresses-20000x
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
10.0.0  IN      PTR     ns1.planetlarg.com.
10.0.0  IN      PTR     mail.planetlarg.com.
10.0.0  IN      PTR     web01.planetlarg.com.
1.0.0   IN      PTR     xcl01-biz.planetlarg.com.
2.0.0   IN      PTR     xcl01-biz01.planetlarg.com.
4.0.0   IN      PTR     ifw01.planetlarg.com.
33.0.0  IN      PTR     xcl01-biz02.planetlarg.com.
35.0.0  IN      PTR     ifw02.planetlarg.com.
65.0.0  IN      PTR     xcl01-adm01.planetlarg.com.
66.0.0  IN      PTR     ifw03.planetlarg.com.
;
; end

/etc/bind/db.200-internal

The internal reverse zone file (DNS reverse lookups) for the fake Internet range.

;
; BIND reverse data file for my fake Internet range
; see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/nat-ip-addresses-20000x
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
10.0.0  IN      PTR     ns1.planetlarg.com.
10.0.0  IN      PTR     mail.planetlarg.com.
10.0.0  IN      PTR     web01.planetlarg.com.
1.0.0   IN      PTR     xcl01-biz.planetlarg.com.
2.0.0   IN      PTR     xcl01-biz01.planetlarg.com.
4.0.0   IN      PTR     ifw01.planetlarg.com.
33.0.0  IN      PTR     xcl01-biz02.planetlarg.com.
35.0.0  IN      PTR     ifw02.planetlarg.com.
65.0.0  IN      PTR     xcl01-adm01.planetlarg.com.
66.0.0  IN      PTR     ifw03.planetlarg.com.
;
; end

/etc/bind/db.192.168

The reverse-lookup zone file for the 192.168.0.0/16 private range (zone "168.192.in-addr.arpa", internal view only).

;
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
;
; biz01 network
1.0     IN      PTR     ifw-gw.planetlarg.com.
2.0     IN      PTR     ifw01-biz.planetlarg.com.
3.0     IN      PTR     ifw01-biz01.planetlarg.com.
4.0     IN      PTR     ifw02-biz.planetlarg.com.
5.0     IN      PTR     ifw02-biz01.planetlarg.com.
6.0     IN      PTR     ics01-biz.planetlarg.com.
7.0     IN      PTR     ics01-biz01.planetlarg.com.
8.0     IN      PTR     ics02-biz.planetlarg.com.
9.0     IN      PTR     ics02-biz01.planetlarg.com.
10.0    IN      PTR     ics03-biz.planetlarg.com.
11.0    IN      PTR     ics03-biz01.planetlarg.com.
;
2.3     IN      PTR     ics01-web01.planetlarg.com.
3.3     IN      PTR     ics02-web01.planetlarg.com.
4.3     IN      PTR     ics03-web01.planetlarg.com.
;
; biz02 network
2.40    IN      PTR     ifw01-biz02.planetlarg.com.
3.40    IN      PTR     ifw02-biz02.planetlarg.com.
4.40    IN      PTR     ics01-biz02.planetlarg.com.
5.40    IN      PTR     ics02-biz02.planetlarg.com.
6.40    IN      PTR     ics03-biz02.planetlarg.com.
;
; adm01 network
1.80    IN      PTR     ifw03-adm01.planetlarg.com.
5.80    IN      PTR     ifw01-adm01.planetlarg.com.
6.80    IN      PTR     ifw02-adm01.planetlarg.com.
2.80    IN      PTR     ics01-adm01.planetlarg.com.
3.80    IN      PTR     ics02-adm01.planetlarg.com.
4.80    IN      PTR     ics03-adm01.planetlarg.com.
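As an added example, not tooling from this page, here is a Python check that the adm01 A records of the internal forward zone and the PTR records of db.192.168 agree with each other; the record lines are copied from this page, and the two zone origins are assumed from the zone statements in named.conf.local. On the page's own data it flags the floating ifw-adm01 address 192.168.80.7, which has no PTR in db.192.168.

```python
import re
# Added example, not part of the page: cross-check the A records in the adm01
# section of the internal forward zone against the PTR records of db.192.168.
# The two origins are taken from the zone statements in named.conf.local.
FORWARD_ORIGIN = "planetlarg.com"
REVERSE_ORIGIN = "168.192.in-addr.arpa"

FORWARD_ZONE = """\
ifw01-adm01   IN  A      192.168.80.5 ;
ifw02-adm01   IN  A      192.168.80.6 ;
ifw03-adm01   IN  A      192.168.80.1 ;
gw-adm01      IN  CNAME  ifw03-adm01  ;
ifw-adm01     IN  A      192.168.80.7 ; admin address on active firewall
ics01-adm01   IN  A      192.168.80.2 ;
ics02-adm01   IN  A      192.168.80.3 ;
ics03-adm01   IN  A      192.168.80.4 ;
"""
REVERSE_ZONE = """\
1.80  IN  PTR  ifw03-adm01.planetlarg.com.
5.80  IN  PTR  ifw01-adm01.planetlarg.com.
6.80  IN  PTR  ifw02-adm01.planetlarg.com.
2.80  IN  PTR  ics01-adm01.planetlarg.com.
3.80  IN  PTR  ics02-adm01.planetlarg.com.
4.80  IN  PTR  ics03-adm01.planetlarg.com.
"""

RR = re.compile(r"^(\S+)\s+IN\s+(A|PTR|CNAME)\s+(\S+)")
def records(zone_text, rtype):
    """Yield (owner, rdata) for records of one type; ';' starts a comment."""
    for line in zone_text.splitlines():
        m = RR.match(line.split(";", 1)[0].strip())
        if m and m.group(2) == rtype:
            yield m.group(1), m.group(3)

def forward_map(zone_text):
    """FQDN -> IPv4 from A records (owner names are relative to the origin)."""
    return {f"{o}.{FORWARD_ORIGIN}.": ip for o, ip in records(zone_text, "A")}

def reverse_map(zone_text):
    """IPv4 -> FQDN from PTR records: owner '5.80' under 168.192 is 192.168.80.5."""
    prefix = REVERSE_ORIGIN.replace(".in-addr.arpa", "").split(".")[::-1]
    return {".".join(prefix + o.split(".")[::-1]): name
            for o, name in records(zone_text, "PTR")}

def check(fwd, rev):
    """Return (addresses with no PTR, addresses whose PTR name has no A back)."""
    missing_ptr = sorted(ip for ip in fwd.values() if ip not in rev)
    mismatched = sorted(ip for ip, name in rev.items() if fwd.get(name) != ip)
    return missing_ptr, mismatched
```

CNAME records such as gw-adm01 are skipped on purpose: a reverse entry should point at the canonical host name, never at an alias.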

/etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                200.0.0.1;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

acl internals {
    127.0.0.0/8;
    192.168.0.0/16;
};


view "internal" {
    // This should match our internal networks.
    match-clients { internals; };

    // Provide recursive service to internal clients only.
    recursion yes;

// the view opened above is deliberately left unclosed here: named.conf includes
// named.conf.local next, which adds this view's zones and supplies the closing bracket

/etc/bind/named.conf.local

//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

//
// information for LIC clients
// see
// * http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html#view_statement_grammar
// * http://www.howtoforge.com/two_in_one_dns_bind9_views
//


    // Provide a complete view of the example.com zone
    // including addresses of internal hosts.
    zone "planetlarg.com" {
        type master;
        file "/etc/bind/db.planetlarg.com-internal";
    };
    zone "168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192.168";
    };
    zone "200.in-addr.arpa" {
        type master;
        file "/etc/bind/db.200-internal";
    };
};
//
// information for everyone else (Internet clients)
//
view "external" {
    // Match all clients not matched by the previous view.
    match-clients { any; };

    // Refuse recursive service to external clients.
    recursion no;

    // Provide a restricted view of the example.com zone
    // containing only publicly accessible hosts.

    zone "planetlarg.com" {
        type master;
        file "/etc/bind/db.planetlarg.com-external";
    };
    zone "200.in-addr.arpa" {
        type master;
        file "/etc/bind/db.200-external";
    };

};

/etc/modprobe.d/arch/i386

The modprobe configuration file that maps device and binfmt aliases (including bond0 and bond1) to kernel modules and sets the options for the bonding module.

alias parport_lowlevel parport_pc

alias binfmt-0064 binfmt_aout
alias binfmt-332 iBCS

alias bond0 bonding
alias bond1 bonding
options bonding mode=1 miimon=100 downdelay=200 updelay=200 max_bonds=3

/etc/ha.d/haresources

The heartbeat configuration file that lists the resources (two floating IP addresses and ldirectord) which fail over between the firewall nodes.

# This is a list of resources that move from machine to machine as
# nodes go down and come up in the cluster.
# The haresources files MUST BE IDENTICAL on all nodes of the cluster.
# for more info see sample file /usr/share/doc/heartbeat-2/haresources
#
# fields of "IPaddr::" are:
# IP address/netmask/interface/broadcast address
#
# fields of "ldirectord::" are:
# configuration file: This is the name of the file containing the
#      configuration, stored in the directory /etc/ha.d/conf/
#
ifw01  \
    IPaddr::200.0.0.10/27/eth1:0/200.0.0.31 \
    IPaddr::192.168.0.1/21/bond0:0/192.168.7.255 \
    ldirectord::ldirectord.cf
#

/etc/ha.d/authkeys

The configuration file that sets up message authentication between nodes for the HA application "heartbeat".

# heartbeat authentication
# This file must be mode 600!
# for more info see sample file /usr/share/doc/heartbeat-2/authkeys
#
auth 1
1 sha1 key-for-sha1-any-text-you-want

/etc/ha.d/ha.cf

The master configuration file for the HA application "heartbeat".

# heartbeat resources
# for more info see sample file /usr/share/doc/heartbeat-2/ha.cf
#
#       Facility to use for syslog()/logger
logfacility    local0
#       What interfaces to broadcast heartbeats over?
bcast          bond0
#       Set up a multicast heartbeat medium
mcast          bond0 225.0.0.1 694 1 0
#       resources will automatically fail back to the "primary" node
auto_failback  on
#       Tell what machines are in the cluster
node           ifw01
node           ifw02
#       Processes started and stopped with heartbeat
respawn        hacluster /usr/lib/heartbeat/ipfail
#       Access control for client api
apiauth        ipfail gid=haclient uid=hacluster

/etc/ha.d/conf/ldirectord.cf

The configuration file for the HA application "ldirectord".

# Ldirectord will connect to each real server
# and request a test page.
# If the data returned by the server does not contain a test string
# then the test fails and the real server will be
# taken out of the available pool.
# The real server will be added back into the pool once the test succeeds.
# If all real servers are removed from the pool
# then the fall back server is added to the pool.
#
# see /usr/share/doc/ldirectord/ldirectord.cf.gz
#
# global directives
#
checktimeout=5
checkinterval=5
fallback=127.0.0.1:80
autoreload=yes
quiescent=yes
#
# virtual server
#
virtual=200.0.0.10:80
        #
        # real servers
        # real fields are
        # * IP address
        # http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses//internet-dmz-biz01-ip-addresses-1921680021
        # * port
        # * masq
        #   tells LVS to use LVS-NAT
        #   http://www.austintek.com/LVS/LVS-HOWTO/HOWTO/LVS-HOWTO.LVS-NAT.html
        #
        # ics01
        real=192.168.3.2:80 masq
        # ics02
        #real=192.168.3.3:80 masq
        # ics03
        #real=192.168.3.4:80 masq
        #
        # test page
        service=http
        request="ldirectord.html"
        receive="ldirectord test"
        # other stuff
        scheduler=rr
        protocol=tcp
#
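An added example, not ldirectord's own code: a small parser for the ldirectord.cf format above, followed by the pool rule the file header describes, applied to constructed probe responses. The embedded fragment is this page's file with the ics02 real server uncommented so there is more than one real to choose between; quiescent=yes (a failed real kept at weight 0 rather than removed) is not modelled.

```python
# Added example, not ldirectord's own code. The fragment is the page's
# ldirectord.cf with the ics02 real uncommented (constructed variant).
LDIRECTORD_CF = """\
checktimeout=5
checkinterval=5
fallback=127.0.0.1:80
virtual=200.0.0.10:80
        real=192.168.3.2:80 masq
        real=192.168.3.3:80 masq
        #real=192.168.3.4:80 masq
        service=http
        request="ldirectord.html"
        receive="ldirectord test"
        scheduler=rr
        protocol=tcp
"""

def parse_cf(text):
    """Return global directives plus a list of virtual servers with their reals."""
    cfg = {"virtuals": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                          # blank line or comment
        key, _, value = line.partition("=")
        value = value.strip().strip('"')      # request="..." / receive="..."
        if key == "virtual":
            cfg["virtuals"].append({"virtual": value, "real": []})
        elif key == "real":
            cfg["virtuals"][-1]["real"].append(value.split()[0])  # drop "masq"
        elif raw[0].isspace() and cfg["virtuals"]:
            cfg["virtuals"][-1][key] = value  # indented: belongs to last virtual
        else:
            cfg[key] = value                  # global directive
    return cfg

def pool(vs, fallback, responses):
    """Apply the rule from the file header: a real server is in the pool only
    while the body it returns for the test request contains the receive string;
    when no real server passes, the fallback server is used instead."""
    healthy = [r for r in vs["real"] if vs["receive"] in responses.get(r, "")]
    return healthy if healthy else [fallback]
```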

/home/issalarg/.ssh/authorized_keys

I use public key authentication for SSH.

#
# not really my key from ifw03 
#
ssh-rsa ABcdB3NEAAAABIwAAAQYf0IgVazrDZV5hZMKbSGKoEDYifqEb7fRAg8FwRLn/VAXVBD8OPPZuQlld/0SYLucKgW9yu82QcnhgQj+ymDehZQu+gGRCnLK17ZzYfe6hyQgvdRBnS/6jumUPRrwBCxfOz3YpPYQXW3xoD6DF7Ma7QW1sldIyCpxsy70ehunW5h4WEC8p7S+rIrw6FGU8wAHR+w== issalarg@xcl01

/var/www/infrastructure/host1

I create test pages for the web server on ics01.

ics01

/etc/aliases

...
issalarg: idc@planetlarg.net

/etc/snmp/snmpd.conf

I add snmpd to ics01.

...
com2sec readonly  default         public
...

/etc/default/snmpd

I add snmpd to ifw01.

...
SNMPDOPTS='-Lsd -Lf /dev/null -u snmp -I -smux -p /var/run/snmpd.pid ifw01-adm01'
...

/etc/nagios/nrpe_local.cfg

I add NRPE to ifw01.

allowed_hosts=192.168.80.1

/var/spool/cron/crontabs/root

I stop the LIC each night.

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (/tmp/crontab.0BUEfI/crontab installed on Fri Dec 17 01:37:53 2010)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
# m h  dom mon dow   command
55 23 * * * /sbin/poweroff