ifw03


introduction

A computer in the internet DMZ that acts as a firewall. Things specific to this host are listed below, grouped by infrastructure layer.

Every host name in the LIC has five characters like this one.


hardware

I buy PC things. Specifically, a Dell OptiPlex GX260. Wikipedia (http://en.wikipedia.org/wiki/Dell_OptiPlex) has this summary.

  • Model: GX270
  • Chipset: Intel 865G
  • CPU: Pentium 4 or Celeron
  • FSB: 400/533/800 MHz Socket 478
  • RAM type: DDR, 2 SFF board and 4 other boards 333/400
  • RAM speed: PC2700/PC3200
  • Chassis: SFF, SD, SMT
  • Comments: SATA+PATA Intel graphics or dedicated 8x AGP card. The GX270 made from Apr 2003 to Mar 2004 came under fire in 2005 for having faulty Nichicon electrolytic capacitors. When they fail, these capacitors are easily recognised by an X mark across the top and a bloated or split appearance.
  • USB: USB 2.0 x8
ifw03:~# lshw
ifw03
    description: Desktop Computer
    product: OptiPlex GX270
    vendor: Dell Computer Corporation
    serial: HC9ST0J
    width: 32 bits
    capabilities: smbios-2.3 dmi-2.3 smp-1.4 smp
    configuration: administrator_password=enabled boot=normal chassis=desktop cpus=1 power-on_password=enabled uuid=44454C4C-4300-1039-8053-C8C04F54304A
  *-core
       description: Motherboard
       product: 0U1324
       vendor: Dell Computer Corp.
       physical id: 0
       version: A00
       serial: ..CN1374038B088B.
     *-firmware
          description: BIOS
          vendor: Dell Computer Corporation
          physical id: 0
          version: A07 (06/26/2006)
          size: 64KiB
          capacity: 448KiB
          capabilities: pci pnp apm upgrade shadowing escd cdboot bootselect edd int13floppytoshiba int5printscreen int9keyboard int14serial int17printer acpi usb agp ls120boot biosbootspecification netboot
     *-cpu
          description: CPU
          product: Intel(R) Pentium(R) 4 CPU 2.40GHz
          vendor: Intel Corp.
          physical id: 400
          bus info: cpu@0
          version: 15.2.9
          slot: Microprocessor
          size: 2400MHz
          capacity: 3600MHz
          width: 32 bits
          clock: 533MHz
          capabilities: boot fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe up pebs bts cid xtpr
          configuration: id=0
        *-cache:0
             description: L1 cache
             physical id: 700
             size: 8KiB
             capacity: 16KiB
             capabilities: internal write-back data
        *-cache:1
             description: L2 cache
             physical id: 701
             size: 512KiB
             capacity: 512KiB
             capabilities: internal varies unified
     *-memory
          description: System Memory
          physical id: 1000
          slot: System board or motherboard
          size: 512MiB
        *-bank:0
             description: DIMM SDRAM Synchronous 333 MHz (3.0 ns)
             physical id: 0
             slot: DIMM_1
             size: 256MiB
             width: 64 bits
             clock: 333MHz (3.0ns)
        *-bank:1
             description: DIMM SDRAM Synchronous 333 MHz (3.0 ns)
             physical id: 1
             slot: DIMM_2
             size: 256MiB
             width: 64 bits
             clock: 333MHz (3.0ns)
        *-bank:2
             description: DIMM SDRAM Synchronous 333 MHz (3.0 ns) [empty]
             physical id: 2
             slot: DIMM_3
             width: 64 bits
             clock: 333MHz (3.0ns)
        *-bank:3
             description: DIMM SDRAM Synchronous 333 MHz (3.0 ns) [empty]
             physical id: 3
             slot: DIMM_4
             width: 64 bits
             clock: 333MHz (3.0ns)
     *-pci
          description: Host bridge
          product: 82865G/PE/P DRAM Controller/Host-Hub Interface
          vendor: Intel Corporation
          physical id: 100
          bus info: pci@0000:00:00.0
          version: 02
          width: 32 bits
          clock: 33MHz
          configuration: driver=agpgart-intel module=intel_agp
        *-display UNCLAIMED
             description: VGA compatible controller
             product: 82865G Integrated Graphics Controller
             vendor: Intel Corporation
             physical id: 2
             bus info: pci@0000:00:02.0
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: pm vga_controller bus_master cap_list
             configuration: latency=0
        *-usb:0
             description: USB Controller
             product: 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #1
             vendor: Intel Corporation
             physical id: 1d
             bus info: pci@0000:00:1d.0
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@1
                logical name: usb1
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:1
             description: USB Controller
             product: 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #2
             vendor: Intel Corporation
             physical id: 1d.1
             bus info: pci@0000:00:1d.1
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@2
                logical name: usb2
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:2
             description: USB Controller
             product: 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #3
             vendor: Intel Corporation
             physical id: 1d.2
             bus info: pci@0000:00:1d.2
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@3
                logical name: usb3
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:3
             description: USB Controller
             product: 82801EB/ER (ICH5/ICH5R) USB UHCI Controller #4
             vendor: Intel Corporation
             physical id: 1d.3
             bus info: pci@0000:00:1d.3
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: uhci bus_master
             configuration: driver=uhci_hcd latency=0 module=uhci_hcd
           *-usbhost
                product: UHCI Host Controller
                vendor: Linux 2.6.26-2-686 uhci_hcd
                physical id: 1
                bus info: usb@4
                logical name: usb4
                version: 2.06
                capabilities: usb-1.10
                configuration: driver=hub slots=2 speed=12.0MB/s
        *-usb:4
             description: USB Controller
             product: 82801EB/ER (ICH5/ICH5R) USB2 EHCI Controller
             vendor: Intel Corporation
             physical id: 1d.7
             bus info: pci@0000:00:1d.7
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: pm debug ehci bus_master cap_list
             configuration: driver=ehci_hcd latency=0 module=ehci_hcd
           *-usbhost
                product: EHCI Host Controller
                vendor: Linux 2.6.26-2-686 ehci_hcd
                physical id: 1
                bus info: usb@5
                logical name: usb5
                version: 2.06
                capabilities: usb-2.00
                configuration: driver=hub slots=8 speed=480.0MB/s
        *-pci
             description: PCI bridge
             product: 82801 PCI Bridge
             vendor: Intel Corporation
             physical id: 1e
             bus info: pci@0000:00:1e.0
             version: c2
             width: 32 bits
             clock: 33MHz
             capabilities: pci normal_decode bus_master
           *-network:0 DISABLED
                description: Ethernet interface
                product: RTL-8139/8139C/8139C+
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 7
                bus info: pci@0000:01:07.0
                logical name: eth2
                version: 10
                serial: 00:0e:2e:cb:ac:e0
                size: 10MB/s
                capacity: 100MB/s
                width: 32 bits
                clock: 33MHz
                capabilities: pm bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=8139too driverversion=0.9.28 duplex=half latency=64 link=no maxlatency=64 mingnt=32 module=8139too multicast=yes port=MII speed=10MB/s
           *-network:1
                description: Ethernet interface
                product: RTL-8169 Gigabit Ethernet
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 8
                bus info: pci@0000:01:08.0
                logical name: eth1
                version: 10
                serial: 00:e0:4c:89:35:de
                size: 1GB/s
                capacity: 1GB/s
                width: 32 bits
                clock: 66MHz
                capabilities: pm bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.2LK-NAPI duplex=full ip=192.168.80.1 latency=64 link=yes maxlatency=64 mingnt=32 module=r8169 multicast=yes port=twisted pair speed=1GB/s
           *-network:2
                description: Ethernet interface
                product: 82540EM Gigabit Ethernet Controller
                vendor: Intel Corporation
                physical id: c
                bus info: pci@0000:01:0c.0
                logical name: eth0
                version: 02
                serial: 00:0b:db:c8:65:61
                size: 100MB/s
                capacity: 1GB/s
                width: 32 bits
                clock: 66MHz
                capabilities: pm pcix msi bus_master cap_list ethernet physical tp 10bt 10bt-fd 100bt 100bt-fd 1000bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=e1000 driverversion=7.3.20-k2-NAPI duplex=full firmware=N/A ip=200.0.0.66 latency=64 link=yes mingnt=255 module=e1000 multicast=yes port=twisted pair speed=100MB/s
        *-isa
             description: ISA bridge
             product: 82801EB/ER (ICH5/ICH5R) LPC Interface Bridge
             vendor: Intel Corporation
             physical id: 1f
             bus info: pci@0000:00:1f.0
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: isa bus_master
             configuration: latency=0
        *-ide:0
             description: IDE interface
             product: 82801EB/ER (ICH5/ICH5R) IDE Controller
             vendor: Intel Corporation
             physical id: 1f.1
             bus info: pci@0000:00:1f.1
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: ide bus_master
             configuration: driver=PIIX_IDE latency=0 module=piix
           *-ide:0
                description: IDE Channel 0
                physical id: 0
                bus info: ide@0
                logical name: ide0
                clock: 33MHz
              *-disk
                   description: ATA Disk
                   product: ST320011A
                   vendor: Seagate
                   physical id: 0
                   bus info: ide@0.0
                   logical name: /dev/hda
                   version: 3.75
                   serial: 3HT4YK5P
                   size: 18GiB (20GB)
                   capacity: 18GiB (20GB)
                   capabilities: ata dma lba iordy smart security pm partitioned partitioned:dos
                   configuration: mode=udma5 signature=fb51107f smart=on
                 *-volume:0
                      description: EXT3 volume
                      vendor: Linux
                      physical id: 1
                      bus info: ide@0.0,1
                      logical name: /dev/hda1
                      logical name: /
                      version: 1.0
                      serial: e379ad54-bd22-482b-b09e-addf83e7abd4
                      size: 17GiB
                      capacity: 17GiB
                      capabilities: primary bootable journaled extended_attributes large_files huge_files recover ext3 ext2 initialized
                      configuration: created=2010-10-04 14:51:06 filesystem=ext3 modified=2011-01-07 07:37:57 mount.fstype=ext3 mount.options=rw,errors=remount-ro,data=ordered mounted=2011-01-07 07:37:57 state=mounted
                 *-volume:1
                      description: Extended partition
                      physical id: 2
                      bus info: ide@0.0,2
                      logical name: /dev/hda2
                      size: 839MiB
                      capacity: 839MiB
                      capabilities: primary extended partitioned partitioned:extended
                    *-logicalvolume
                         description: Linux swap / Solaris partition
                         physical id: 5
                         logical name: /dev/hda5
                         capacity: 839MiB
                         capabilities: nofs
           *-ide:1
                description: IDE Channel 1
                physical id: 1
                bus info: ide@1
                logical name: ide1
                clock: 33MHz
              *-cdrom
                   description: IDE CD-ROM
                   product: SAMSUNG CD-ROM SC-148C
                   physical id: 0
                   bus info: ide@1.0
                   logical name: /dev/hdc
                   version: B105
                   capabilities: packet atapi cdrom removable nonmagnetic dma lba iordy audio
                   configuration: status=nodisc
        *-ide:1
             description: IDE interface
             product: 82801EB (ICH5) SATA Controller
             vendor: Intel Corporation
             physical id: 1f.2
             bus info: pci@0000:00:1f.2
             version: 02
             width: 32 bits
             clock: 66MHz
             capabilities: ide bus_master
             configuration: driver=ata_piix latency=0 module=ata_piix
        *-serial
             description: SMBus
             product: 82801EB/ER (ICH5/ICH5R) SMBus Controller
             vendor: Intel Corporation
             physical id: 1f.3
             bus info: pci@0000:00:1f.3
             version: 02
             width: 32 bits
             clock: 33MHz
             configuration: driver=i801_smbus latency=0 module=i2c_i801
        *-multimedia
             description: Multimedia audio controller
             product: 82801EB/ER (ICH5/ICH5R) AC'97 Audio Controller
             vendor: Intel Corporation
             physical id: 1f.5
             bus info: pci@0000:00:1f.5
             version: 02
             width: 32 bits
             clock: 33MHz
             capabilities: pm bus_master cap_list
             configuration: driver=Intel ICH latency=0 module=snd_intel8x0
ifw03:~#

network cables

I buy ethernet things.

There is only one network cable colour - grey.

Two network cables connect ifw03 to the networks. One goes to the LIC (Larg's Internet Cluster).

network interfaces

I buy ethernet things and add NICs (Network Interface Cards), like I did for xcl01.

LIC table: ifw03 network interfaces

computer  interface  description       IP address    netmask
ifw03     eth0       Internet (xcl01)  200.0.0.66    255.255.255.224
ifw03     eth1       adm01 network     192.168.80.1  255.255.248.0

OS

All the IBM PCs (Personal Computers) in the LIC (Larg's Internet Cluster) run the Debian distribution.

applications

Almost all the applications in the LIC (Larg's Internet Cluster) are from the Debian distribution.

packages

I want to remove Gnome NetworkManager on xcl01.

apt-get remove network-manager

I install packages to make testing easier.

apt-get install lynx minicom screen sysv-rc-conf tcpdump

I install packages to provide services.

apt-get install apt-cacher-ng cacti heartbeat ifenslave ipvsadm \
    ldirectord nagios3 ntp nut openssh-server setserial

I install perl modules for MySQL MMM.

apt-get install \
    liblog-log4perl-perl libmailtools-perl liblog-dispatch-perl \
    iproute libnet-arp-perl libproc-daemon-perl libalgorithm-diff-perl \
    libdbi-perl libdbd-mysql-perl

I install MySQL MMM.

dpkg -i mysql-mmm-common_2.2.1-1_all.deb mysql-mmm-monitor_2.2.1-1_all.deb

/etc/network/interfaces

I follow this procedure for a different host: add static IP addresses to ifw01. I do not use the values on that page. I use this configuration instead.

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback
#
# Internet
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/nat-ip-addresses-20000x
#
auto eth0
iface eth0 inet static
    address 200.0.0.66
    netmask 255.255.255.224
    gateway 200.0.0.65
#
# adm01 network
# see http://cluster.planetlarg.com/car-size-cluster-reference/ip-addresses/internet-dmz-adm01-19216880021
#
auto eth1
iface eth1 inet static
    address 192.168.80.1
    netmask 255.255.248.0
#

/etc/udev/rules.d/70-persistent-net.rules

I follow this procedure for a different host: match interfaces with labels on ifw01. I do not use the values on that page. I use this configuration instead.

# This file was automatically generated by the /lib/udev/write_net_rules
# program run by the persistent-net-generator.rules rules file.
#
# You can modify it, as long as you keep each rule on a single line.

# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0b:db:c8:65:61", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x10ec:0x8169 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:89:35:de", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:ac:e0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"
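The three sources above must agree on which MAC address carries which name: the `*-network` entries in the lshw output, the persistent-net rules, and the interfaces file. The script below is an added cross-check written for this page (not part of the original or of udev); the function names are my own, and the sample inputs are constructed from the values shown on this page.

```python
"""Cross-check interface naming on ifw03: the MAC each persistent-net rule pins
to a name must be the MAC lshw reports under that logical name, and every
interface configured in /etc/network/interfaces needs such a rule."""
import re

# Constructed samples: the relevant lines of the lshw output, the udev rules
# and the interfaces file from this page.
LSHW = """\
            *-network:0 DISABLED
                 logical name: eth2
                 serial: 00:0e:2e:cb:ac:e0
            *-network:1
                 logical name: eth1
                 serial: 00:e0:4c:89:35:de
            *-network:2
                 logical name: eth0
                 serial: 00:0b:db:c8:65:61
            *-isa
                 description: ISA bridge
"""
UDEV_RULES = """\
# PCI device 0x8086:0x100e (e1000)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0b:db:c8:65:61", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x10ec:0x8169 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:e0:4c:89:35:de", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"
# PCI device 0x10ec:0x8139 (8139too)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0e:2e:cb:ac:e0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth2"
"""
INTERFACES = """\
auto lo
iface lo inet loopback
auto eth0
iface eth0 inet static
    address 200.0.0.66
    netmask 255.255.255.224
    gateway 200.0.0.65
auto eth1
iface eth1 inet static
    address 192.168.80.1
    netmask 255.255.248.0
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)


def lshw_interfaces(text):
    """{logical name: MAC} for every *-network block of lshw's text output."""
    result, in_net, name = {}, False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*-"):                # a new hardware node
            in_net, name = line.startswith("*-network"), None
        elif in_net and line.startswith("logical name:"):
            name = line.split(":", 1)[1].strip()
        elif in_net and name and line.startswith("serial:"):
            result[name] = line.split(":", 1)[1].strip().lower()
    return result


def udev_names(text):
    """{NAME: MAC} from a 70-persistent-net.rules file (comments ignored)."""
    pat = re.compile(r'ATTR\{address\}=="([^"]+)".*\bNAME="([^"]+)"')
    result = {}
    for line in text.splitlines():
        m = pat.search(line)
        if m and not line.lstrip().startswith("#"):
            result[m.group(2)] = m.group(1).lower()
    return result


def configured_interfaces(text):
    """{interface: address} for the static stanzas of /etc/network/interfaces."""
    result, cur = {}, None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0] == "iface" and parts[3] == "static":
            cur = parts[1]
            result[cur] = None
        elif cur and len(parts) == 2 and parts[0] == "address":
            result[cur] = parts[1]
        elif parts and parts[0] in ("iface", "auto"):
            cur = None                           # left the static stanza
    return result


def check_naming(lshw, udev, ifaces):
    """Return a list of inconsistencies; an empty list means all three agree."""
    problems = []
    for name, mac in udev.items():
        if not MAC_RE.match(mac):
            problems.append(f"{name}: {mac!r} is not a MAC address")
        elif lshw.get(name) != mac:
            problems.append(f"{name}: udev pins {mac}, lshw reports {lshw.get(name)}")
    seen = {}
    for name, mac in udev.items():
        if mac in seen:
            problems.append(f"{mac} bound to both {seen[mac]} and {name}")
        seen[mac] = name
    for name in ifaces:
        if name not in udev:
            problems.append(f"{name}: configured in interfaces but has no persistent rule")
    return problems


if __name__ == "__main__":
    for p in check_naming(lshw_interfaces(LSHW), udev_names(UDEV_RULES),
                          configured_interfaces(INTERFACES)) or ["naming is consistent"]:
        print(p)
```

Run it against the real files (lshw output, /etc/udev/rules.d/70-persistent-net.rules, /etc/network/interfaces) after swapping a NIC; a mismatch means the firewall rules and static addresses may land on the wrong cable.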

/etc/resolv.conf

I add DNS to ifw03.

domain planetlarg.com
search planetlarg.com
nameserver 192.168.80.7

/etc/hosts

127.0.0.1       ifw03   localhost.localdomain   localhost
127.0.1.1       ifw03.planetlarg.com    ifw03

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

/etc/iptables.up.rules

I turn ifw03 into a firewall.

#
# see
# http://cluster.planetlarg.com/car-size-cluster-build/prepare-firewall-ifw03/turn-ifw03-firewall
# Generated by iptables-save v1.4.2 on Thu Nov 18 14:46:38 2010
#
*filter
:INPUT DROP [4223:350069]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17737:6392044]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,80,443,3142 -j ACCEPT
#
# bacula
-A INPUT -p tcp -m state --state NEW -m multiport --dports 9101,9102,9103 -j ACCEPT
#
# ping
-A INPUT -s 200.0.0.65/32   -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
COMMIT
# Completed on Thu Nov 18 14:46:38 2010
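With an INPUT policy of DROP, every service on this host that is not named in an ACCEPT rule is unreachable from the network. The script below is an added audit example written for this page (not part of the original): it parses the ruleset above in iptables-save format, lists the chain policies and the TCP ports accepted for new connections, and compares them with the ports the services configured elsewhere on this page listen on. The service list (bacula 9101-9103, upsd 3493 from the NUT configuration, ssh 22, apt-cacher-ng 3142) and the function names are my assumptions.

```python
"""Audit an iptables-save ruleset: chain policies, the TCP ports the INPUT chain
accepts for new connections, and which listening services no rule admits."""
import shlex

# Constructed sample: the *filter table from /etc/iptables.up.rules on this page.
RULES = """\
*filter
:INPUT DROP [4223:350069]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [17737:6392044]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m multiport --dports 22,25,80,443,3142 -j ACCEPT
# bacula
-A INPUT -p tcp -m state --state NEW -m multiport --dports 9101,9102,9103 -j ACCEPT
# ping
-A INPUT -s 200.0.0.65/32   -p icmp -j ACCEPT
-A INPUT -s 192.168.0.0/16 -p icmp -j ACCEPT
COMMIT
"""

# Assumed service list, taken from the other config files on this page:
# the bacula dir/fd/sd ports and the LISTEN line in /etc/nut/upsd.conf.
SERVICES = {
    "ssh": 22, "apt-cacher-ng": 3142,
    "bacula-dir": 9101, "bacula-fd": 9102, "bacula-sd": 9103,
    "nut-upsd": 3493,
}


def expand_ports(spec):
    """'22,9101:9103' -> {22, 9101, 9102, 9103} (multiport ranges use a colon)."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def parse_filter_table(text):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain -> default policy; each rule is a dict with the fields
    this audit cares about (chain, proto, src, dports, target)."""
    policies, rules, in_filter = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter:
            continue
        if line == "COMMIT":
            break
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        toks = shlex.split(line)
        rule = {"chain": None, "proto": None, "src": "0.0.0.0/0",
                "dports": set(), "target": None}
        i = 0
        while i < len(toks):
            tok, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else None
            if tok == "-A":
                rule["chain"] = arg
            elif tok == "-p":
                rule["proto"] = arg
            elif tok == "-s":
                rule["src"] = arg
            elif tok == "-j":
                rule["target"] = arg
            elif tok in ("--dport", "--dports"):
                rule["dports"] = expand_ports(arg)
            else:
                i += 1                           # token this audit does not track
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def accepted_tcp_ports(rules, chain="INPUT"):
    """Map each TCP destination port accepted in `chain` to the sources allowed."""
    accepted = {}
    for r in rules:
        if r["chain"] == chain and r["proto"] == "tcp" and r["target"] == "ACCEPT":
            for port in r["dports"]:
                accepted.setdefault(port, set()).add(r["src"])
    return accepted


def unreachable_services(services, policies, accepted, chain="INPUT"):
    """Services whose port nothing accepts; with a DROP policy they are unreachable."""
    if policies.get(chain) != "DROP":
        return []
    return sorted(name for name, port in services.items() if port not in accepted)


POLICIES, FILTER_RULES = parse_filter_table(RULES)
ACCEPTED = accepted_tcp_ports(FILTER_RULES)

if __name__ == "__main__":
    for chain, policy in POLICIES.items():
        print(f"{chain}: policy {policy}")
    for port in sorted(ACCEPTED):
        print(f"tcp/{port} accepted from {', '.join(sorted(ACCEPTED[port]))}")
    for name in unreachable_services(SERVICES, POLICIES, ACCEPTED):
        print(f"no INPUT rule admits {name} (tcp/{SERVICES[name]})")
```

On this ruleset the audit reports that nothing admits tcp/3493, so a upsmon slave on another host cannot reach upsd on 192.168.80.1 until a rule for it is added; the same check shows every accepted port is open to any source, not only the adm01 network.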

/etc/network/if-pre-up.d/iptables

This script makes the iptables rules permanent: it restores them from /etc/iptables.up.rules before an interface is brought up.

#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules

/etc/apt/sources.list

The non-free section is where I get firmware for my ethernet cards.

#
# clean install
#
# deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official Multi-architecture amd64/i386 NETINST #1 20110205-14:45]/ squeeze main

#deb cdrom:[Debian GNU/Linux 6.0.0 _Squeeze_ - Official Multi-architecture amd64/i386 NETINST #1 20110205-14:45]/ squeeze main

deb http://ftp.uk.debian.org/debian/ squeeze main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze main non-free

deb http://security.debian.org/ squeeze/updates main non-free
deb-src http://security.debian.org/ squeeze/updates main non-free

deb http://ftp.uk.debian.org/debian/ squeeze-updates main non-free
deb-src http://ftp.uk.debian.org/debian/ squeeze-updates main non-free

/etc/apt/apt.conf.d/10periodic

I add unattended updates to xcl01.

APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "5";
APT::Periodic::Unattended-Upgrade "1";

/etc/nut/ups.conf

I follow this procedure for a different host: add the NUT (Network UPS Tools) application to ifw01. I do not use the values on that page. I use this configuration instead.

...
# my config
[ifw03]
        driver = apcsmart
        port = /dev/ttyS0
        desc = "my server"
#

/etc/nut/upsd.conf

I follow this procedure for a different host: add the NUT (Network UPS Tools) application to ifw01. I do not use the values on that page. I use this configuration instead.

...
#
# my configuration
#
#
LISTEN 192.168.80.1 3493
#

/etc/nut/upsd.users

I follow this procedure for a different host: add the NUT (Network UPS Tools) application to ifw01. I do not use the values on that page. I use this configuration instead.

...
#
# my configuration
#
[admin]
        password = mypass
        actions  = SET
        instcmds = ALL

#
[monmaster]
        password = Pa55w0rd1
        upsmon master
#
[monuser]
        password = Pa55w0rd2
        upsmon slave
#

/etc/nut/upsmon.conf

I follow this procedure for a different host: add the NUT (Network UPS Tools) application to ifw01. I do not use the values on that page. I use this configuration instead.

...
#
# my configuration
#
MONITOR ifw03@192.168.80.1 1 monmaster Pa55w0rd1 master
#
...

/etc/bacula/bacula-dir.conf

I add bacula, a backup application.

This is a new undocumented version.

#
#---------
# The Bacula Director service is the program that supervises
# all the backup, restore, verify and archive operations.
# http://www.bacula.org/5.0.x-manuals/en/main/main/What_is_Bacula.html
#
# director configuration sections are:
#
#  1 director  - global settings
#  2 catalog   - index of backed up files, in a SQL database
#  3 messages  - notification e-mails
#  4 job       - each client to back up
#      5 fileset   - files to back up and files to avoid
#      6 schedule  - when to run, kind of backup
#      7 client    - what to back up from
#      8 storage   - device to back up to
#      9 pool      - collection of volumes - tapes or disk files
# 10 console  - restricted access for desktop tray-monitor
#---------
# 1 director  - global settings
#
Director {          # define myself
  Name = ifw03-dir
  DIRport = 9101
  QueryFile = "/etc/bacula/scripts/query.sql"
  WorkingDirectory = "/var/lib/bacula"
  PidDirectory = "/var/run/bacula"
  Maximum Concurrent Jobs = 1
  Password = "Pa55w0rd-for-dir"
  Messages = Daemon
  DirAddress = ifw03-adm01.planetlarg.com
}
#
#---------
# 2 catalog   - index of backed up files, in a SQL database
#
# The Catalog is used to store summary information about the Jobs,
# Clients, and Files that were backed up and on what Volumes.
#
# Generic catalog service
Catalog {
  Name = MyCatalog
# Uncomment the following line if you want the dbi driver
# dbdriver = "dbi:sqlite3"; dbaddress = 127.0.0.1; dbport =
  dbname = "bacula"; dbuser = ""; dbpassword = ""
}
#
#---------
# 3 messages  - notification e-mails
#
# Reasonable message delivery -- send most everything to email address
#  and to the console
Messages {
  Name = Standard
#
# NOTE! If you send to two email or more email addresses, you will need
#  to replace the %r in the from field (-f part) with a single valid
#  email address in both the mailcommand and the operatorcommand.
#  What this does is, it sets the email address that emails would display
#  in the FROM field, which is by default the same email as they're being
#  sent to.  However, if you send email to more than one address, then
#  you'll have to set the FROM address manually, to a single address.
#  for example, a 'no-reply@mydomain.com', is better since that tends to
#  tell (most) people that its coming from an automated source.

#
  mailcommand = "/usr/lib/bacula/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula: %t %e of %c %l\" %r"
  operatorcommand = "/usr/lib/bacula/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula: Intervention needed for %j\" %r"
  mail = root@localhost = all, !skipped
  operator = root@localhost = mount
  console = all, !skipped, !saved
#
# WARNING! the following will create a file that you must cycle from
#          time to time as it will grow indefinitely. However, it will
#          also keep all your messages if they scroll off the console.
#
  append = "/var/log/bacula/log" = all, !skipped
  catalog = all
}
#
# Message delivery for daemon messages (no job).
Messages {
  Name = Daemon
  mailcommand = "/usr/lib/bacula/bsmtp -h localhost -f \"\(Bacula\) \<%r\>\" -s \"Bacula daemon message\" %r"
  mail = root@localhost = all, !skipped
  console = all, !skipped, !saved
  append = "/var/log/bacula/log" = all, !skipped
}
#
#---------
# 4 job       - each client to back up
#
#
# A Bacula Job defines the work that Bacula must perform to
# backup or restore a particular
# Client.
#
JobDefs {
  Name = DefaultJob
  Type = Backup
  FileSet = "Full Set"
  Schedule = "WeeklyCycle"
  Storage = File
  Messages = Standard
  Pool = Default
  Full Backup Pool = Full-Pool
  Incremental Backup Pool = Inc-Pool
  Differential Backup Pool = Diff-Pool
  # With a bootstrap file, Bacula can restore your system without a Catalog.
  Write Bootstrap = "/var/lib/bacula/c.bsr"
  Priority = 10
}
#
# back up ifw03
#
Job {
  Name = Backupifw03
  Client = ifw03-fd
  JobDefs = "DefaultJob"
}
#
# back up ifw01
#
Job {
  Name = Backupifw01
  Client = ifw01-fd
  JobDefs = "DefaultJob"
}
#
# Backup the catalog database (after the nightly save)
#
Job {
  Name = "BackupCatalog"
  Type = Backup
  Client = ifw03-fd
  FileSet="Catalog"
  Schedule = "WeeklyCycleAfterBackup"
  Storage = File
  Messages = Standard
  Pool = Default
  # This creates an ASCII copy of the catalog
  # Arguments to make_catalog_backup.pl are:
  #  make_catalog_backup.pl <catalog-name>
  RunBeforeJob = "/etc/bacula/scripts/make_catalog_backup.pl MyCatalog"
  # This deletes the copy of the catalog
  RunAfterJob  = "/etc/bacula/scripts/delete_catalog_backup"
  Write Bootstrap = "/var/lib/bacula/n.bsr"
  Priority = 11                   # run after main backup
}
#
#  Restore Standard template, to be changed by Console program
#
Job {
  Name = "RestoreFiles"
  Type = Restore
  Client = ifw03-fd
  FileSet="Full Set"
  Storage = File
  Pool = Default
  Messages = Standard
  Where = /tmp/bacula-restores
}
#
#---------
#     5 fileset   - files to back up and files to avoid
#
#  Put your list of files here, preceded by 'File =', one per line
#    or include an external list with:
#
#    File = <file-name
#
#  Note: / backs up everything on the root partition.
#    if you have other partitions such as /usr or /home
#    you will probably want to add them too.
#
# snog, marry, avoid
FileSet {
  Name = "Full Set"
  Include {
    Options {
      signature = MD5
    }
    File = /
  }
  Exclude {
    File = /dev
    File = /lib
    File = /media
    File = /proc
    File = /sys
    File = /tmp
    File = /var/lib
    File = /var/backups
    File = /.journal
    File = /.fsck
  }
}
#
# This is the backup of the catalog
#
FileSet {
  Name = "Catalog"
  Include {
    Options {
      signature = MD5
    }
    File = "/var/lib/bacula/bacula.sql"
  }
}
#
#---------
#     6 schedule  - when to run, kind of backup
#
# http://www.bacula.org/5.0.x-manuals/en/main/main/Configuring_Director.html#7311
# When to do the backups,
# * full backup on first sunday of the month,
# * differential (i.e. incremental since full) every other sunday,
# * incremental backups other days
#
Schedule {
  Name = "WeeklyCycle"
  Run = Level=Full 1st sun at 22:05
  Run = Level=Differential 2nd-5th sun at 22:05
  Run = Level=Incremental mon-sat at 22:05
}
#
# This schedule does the catalog. It starts after the WeeklyCycle
Schedule {
  Name = "WeeklyCycleAfterBackup"
  Run = Level=Full sun-sat at 22:10
}
#
#---------
#     7 client    - what to back up from
# Client (File Services) to backup
#
# file director on ifw03
#
Client {
  Name = ifw03-fd
  Address = ifw03-adm01.planetlarg.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "Pa55w0rd-for-fd"
  File Retention = 60 days
  Job Retention = 6 months
  AutoPrune = yes      # Prune expired Jobs/Files
}
#
# file director on ifw01
#
Client {
  Name = ifw01-fd
  Address = ifw01-adm01.planetlarg.com
  FDPort = 9102
  Catalog = MyCatalog
  Password = "Pa55w0rd-for-fd"
  File Retention = 60 days
  Job Retention = 6 months
  AutoPrune = yes      # Prune expired Jobs/Files
}
#
#---------
#     8 storage   - device to back up to
#
# Definition of file storage device
#
Storage {
  Name = File
  # Do not use "localhost" here
  Address = ifw03-adm01.planetlarg.com
  SDPort = 9103
  Password = "Pa55w0rd-for-sd"
  Device = FileStorage
  Media Type = File
}
#
#---------
#     9 pool      - collection of volumes - tapes or disk files
#
# http://www.bacula.org/5.0.x-manuals/en/main/main/Configuring_Director.html#9094
# Default pool definition
#
Pool {
  Name = Default
  Pool Type = Backup
  Recycle = yes                       # Bacula can automatically recycle Volumes
  AutoPrune = yes                     # Prune expired volumes
  Volume Retention = 365 days         # one year
  Maximum Volume Jobs = 5
  Label Format = default-
  Maximum Volumes = 15
}
#
# Scratch pool definition
#
Pool {
  Name = Scratch
  Pool Type = Backup
}
#
# http://www.bacula.org/5.0.x-manuals/en/main/main/Automated_Disk_Backup.html#SECTION002831000000000000000
# Back up everything.
#
Pool {
  Name = Full-Pool
  Pool Type = Backup
  Recycle = yes           # automatically recycle Volumes
  AutoPrune = yes         # Prune expired volumes
  Volume Retention = 6 months
  # set "Maximum Volume Jobs" to
  # the number of clients x a month's worth of backups (1)
  Maximum Volume Jobs = 2
  Label Format = Full-
  Maximum Volumes = 9
}
#
# Copy files that have changed since the last backup.
#
Pool {
  Name = Inc-Pool
  Pool Type = Backup
  Recycle = yes           # automatically recycle Volumes
  AutoPrune = yes         # Prune expired volumes
  Volume Retention = 20 days
  # set "Maximum Volume Jobs" to
  # the number of clients x a week's worth of backups (6)
  Maximum Volume Jobs = 12
  Label Format = Inc-
  Maximum Volumes = 7
}
#
# Copy files that have changed since the last full backup.
#
Pool {
  Name = Diff-Pool
  Pool Type = Backup
  Recycle = yes
  AutoPrune = yes
  Volume Retention = 40 days
  # set "Maximum Volume Jobs" to
  # the number of clients x a week of backups (1)
  Maximum Volume Jobs = 2
  Label Format = Diff-
  Maximum Volumes = 10
}
#
#---------
#
# 10 console  - restricted access for desktop tray-monitor
#
# Restricted console used by tray-monitor to get the status of the director
#
Console {
  Name = ifw03-mon
  Password = "Pa55w0rd-for-mon"
  CommandACL = status, .status
}
#
#---------
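
The Client's File Retention (60 days) and the pools' Volume Retention above interact. As an added example that is not part of this page's configuration, the Python below parses the Client and Pool resources and lists the pools whose Volume Retention exceeds the client's File Retention: for those Volumes Bacula prunes the File catalog records while still keeping the Volume, so individual files on them cannot be browsed for a file-level restore until the Volume is rescanned into the catalog with bscan. The Client name ifw03-fd is assumed, since the Client resource's header is not shown in this section.

```python
import re

# Bacula duration units in seconds (Bacula counts a month as 30 days, a year as 365)
_UNITS = {"day": 86400, "days": 86400, "week": 604800, "weeks": 604800,
          "month": 2592000, "months": 2592000, "year": 31536000, "years": 31536000}

def duration_seconds(text):
    """Convert a Bacula duration such as '6 months' or '20 days' to seconds."""
    return sum(int(n) * _UNITS[u]
               for n, u in re.findall(r"(\d+)\s*([a-z]+)", text.lower()))

def parse_resources(conf):
    """[(type, {directive: value})] per 'Type { ... }' block; comments and quotes stripped."""
    resources = []
    for rtype, body in re.findall(r"(\w+)\s*\{([^}]*)\}", conf):
        directives = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0]          # drop trailing comment
            if "=" in line:
                key, value = line.split("=", 1)
                directives[key.strip().lower()] = value.strip().strip('"')
        resources.append((rtype, directives))
    return resources

def volumes_outliving_files(conf):
    """Map each Pool whose Volume Retention exceeds the shortest Client File
    Retention in conf to that retention in days ({} if no Client sets one)."""
    resources = parse_resources(conf)
    file_ret = [duration_seconds(d["file retention"])
                for t, d in resources if t == "Client" and "file retention" in d]
    if not file_ret:
        return {}
    limit = min(file_ret)
    return {d["name"]: duration_seconds(d["volume retention"]) // 86400
            for t, d in resources if t == "Pool" and "volume retention" in d
            and duration_seconds(d["volume retention"]) > limit}

# Constructed sample: the retention directives from the bacula-dir.conf above
SAMPLE = """
Client { Name = ifw03-fd
         File Retention = 60 days }
Pool { Name = Default
       Volume Retention = 365 days }   # one year
Pool { Name = Full-Pool
       Volume Retention = 6 months }
Pool { Name = Inc-Pool
       Volume Retention = 20 days }
"""

print(volumes_outliving_files(SAMPLE))   # {'Default': 365, 'Full-Pool': 180}
```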

/etc/bacula/bacula-fd.conf

I add bacula, a backup application.

This is a new undocumented version.

#
# Default  Bacula File Daemon Configuration file
#
#  For Bacula release 5.0.2 (28 April 2010) -- debian squeeze/sid
#
# There is not much to change here except perhaps the
# File daemon Name to
#

#
# List Directors who are permitted to contact this File daemon
#
Director {
  Name = ifw03-dir
  Password = "Pa55w0rd-for-fd"
}

#
# Restricted Director, used by tray-monitor to get the
#   status of the file daemon
#
Director {
  Name = ifw03-mon
  Password = "Pa55w0rd-for-mon"
  Monitor = yes
}

#
# "Global" File daemon configuration specifications
#
FileDaemon {                          # this is me
  Name = ifw03-fd
  FDport = 9102                  # where we listen for the director
  WorkingDirectory = /var/lib/bacula
  Pid Directory = /var/run/bacula
  Maximum Concurrent Jobs = 20
  FDAddress = ifw03-adm01.planetlarg.com
}

# Send all messages except skipped files back to Director
Messages {
  Name = Standard
  director = ifw03-dir = all, !skipped, !restored
}

/etc/bacula/bacula-sd.conf

I add bacula, a backup application.

#
#---------
# the Storage daemon's configuration file
# based in part on
# http://www.bacula.org/5.0.x-manuals/en/main/main/Automated_Disk_Backup.html
#
#---------
#
# listening process
#
Storage {               # definition of myself
  Name = ifw03-sd
  SDPort = 9103       # port this Storage daemon listens on
  WorkingDirectory = "/var/lib/bacula"
  Pid Directory = "/var/run/bacula"
  Maximum Concurrent Jobs = 20
  SDAddress = ifw03-adm01.planetlarg.com
}
#
#---------
#
# List Directors who are permitted to contact Storage daemon
#
Director {
  Name = ifw03-dir
  Password = "Pa55w0rd-for-sd"
}
#
# Restricted Director, used by tray-monitor to get the
#   status of the storage daemon
#
Director {
  Name = ifw03-mon
  Password = "Pa55w0rd-for-mon"
  Monitor = yes
}
#
#---------
#
# Devices supported by this Storage daemon
#
# Note, for a list of additional Device templates please
#  see the directory /examples/devices
# Or follow the following link:
# http://bacula.svn.sourceforge.net/viewvc/bacula/trunk/bacula/examples/devices/
#

#
# To connect, the Director's bacula-dir.conf must have the
#  same Name and MediaType.
#
Device {
  Name = FileStorage
  Media Type = File
  Archive Device = /var/backups/bacula/
  LabelMedia = yes;    # lets Bacula label unlabeled media
  Random Access = Yes;
  AutomaticMount = yes;   # when device opened, read it
  RemovableMedia = no;
  AlwaysOpen = no;
}
#
#---------
#
# messages
#
# Send all messages to the Director (ifw03-dir, as named above)
#
Messages {
  Name = Standard
  director = ifw03-dir = all
}
#
#---------

/etc/bacula/bconsole.conf

I add bacula, a backup application.

#
# Bacula User Agent (or Console) Configuration File
#

Director {
  Name = localhost-dir
  DIRport = 9101
  address = ifw03-adm01.planetlarg.com
  Password = "Pa55w0rd-for-director"
}

/etc/nagios3/conf.d/hostgroups_nagios2.cfg

I add monitoring.

# Some generic hostgroup definitions

# A simple wildcard hostgroup
define hostgroup {
        hostgroup_name  all
                alias           All Servers
                members         *
        }

# A list of your Debian GNU/Linux servers
define hostgroup {
        hostgroup_name  debian-servers
                alias           Debian GNU/Linux Servers
                members         *
        }

# A list of your web servers
define hostgroup {
        hostgroup_name  http-servers
                alias           HTTP servers
                members         *
        }

# A list of your ssh-accessible servers
define hostgroup {
        hostgroup_name  ssh-servers
                alias           SSH servers
                members         *
        }

# nagios doesn't like monitoring hosts without services, so this is
# a group for devices that have no other "services" monitorable
# (like routers w/out snmp for example)
define hostgroup {
        hostgroup_name  ping-servers
                alias           Pingable servers
                members         gateway
        }
#
# remote hosts
# all the hosts I check with NRPE
define hostgroup {
        hostgroup_name  nrpe-hosts
                alias           remote hosts running NRPE
                members         ifw01,ifw02,ics01,ics02,ics03
        }

/etc/nagios3/conf.d/services_nagios2.cfg

I add monitoring.

# check that web services are running
define service {
        hostgroup_name                  http-servers
        service_description             HTTP
        check_command                   check_http
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}

# check that ssh services are running
define service {
        hostgroup_name                  ssh-servers
        service_description             SSH
        check_command                   check_ssh
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}

# check that ping-only hosts are up
define service {
        hostgroup_name                  ping-servers
        service_description             PING
        check_command                   check_ping!100.0,20%!500.0,60%
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
#----------
# NRPE checks
#
# count users on remote hosts
define service {
        hostgroup_name                  nrpe-hosts
        service_description             Current Users
        check_command                   check_nrpe_1arg!check_users
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
#
# check load on remote hosts
define service {
        hostgroup_name                  nrpe-hosts
        service_description             Current Load
        check_command                   check_nrpe_1arg!check_load
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
#
# how full is the root partition on remote hosts
define service {
        hostgroup_name                  nrpe-hosts
        service_description             Disk Space
        check_command                   check_nrpe_1arg!check_hda1
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
#
# AAAAAGH! Zombies in the supermarket!
define service {
        hostgroup_name                  nrpe-hosts
        service_description             Zombie Processes
        check_command                   check_nrpe_1arg!check_zombie_procs
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}
#
# count processes on remote hosts
define service {
        hostgroup_name                  nrpe-hosts
        service_description             Total Processes
        check_command                   check_nrpe_1arg!check_total_procs
        use                             generic-service
        notification_interval           0 ; set > 0 if you want to be renotified
}

/etc/exim4/update-exim4.conf.conf

I configure exim4, an e-mail application.

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='smarthost'
dc_other_hostnames='ifw03.planetlarg.com'
dc_local_interfaces='127.0.0.1;192.168.80.1'
dc_readhost='planetlarg.com'
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets='192.168.0.0/16'
dc_smarthost='smtp.myisp.co.uk'
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname='true'
dc_mailname_in_oh='true'
dc_localdelivery='mail_spool'

/etc/exim4/passwd.client

I configure exim4, an e-mail application.

# password file used when the local exim is authenticating to a remote
# host as a client.
#
# see exim4_passwd_client(5) for more documentation
#
# Example:
### target.mail.server.example:login:password
smtp.myisp.co.uk:myusername:myPa55w0rd

/etc/fstab

An undocumented part of adding bacula, a backup application.

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=55f55191-2b32-4269-9137-49b23c491fa3 /               ext3    errors=remount-ro 0       1
# swap was on /dev/sda5 during installation
UUID=be286cc6-f1a4-4251-b7ff-ad84b402c066 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0
#
# removable disk
UUID=c85e5264-29db-4e7e-9cfa-3a5f399a8da6 /var/backups/bacula ext3 defaults 0 2
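
The removable disk above is the filesystem behind the Storage daemon's Archive Device (/var/backups/bacula in bacula-sd.conf). As an added example that is not part of this page's configuration, the Python below checks that the Archive Device has its own fstab entry and is actually mounted, because a File-type device on an unmounted path would let Bacula write its Volumes into the root filesystem instead; the sample inputs are constructed, trimmed copies of the two files.

```python
import os
import re

def archive_device(sd_conf):
    """Archive Device path from bacula-sd.conf text, trailing slash removed
    (Bacula accepts '/var/backups/bacula/', fstab records '/var/backups/bacula')."""
    m = re.search(r'^\s*Archive Device\s*=\s*"?([^"#\n]+?)"?\s*(#.*)?$', sd_conf, re.M)
    if not m:
        raise ValueError("no Archive Device in bacula-sd.conf")
    return m.group(1).rstrip("/")

def mount_table(text):
    """Parse /etc/fstab or /proc/mounts text into {mount point: device}."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not fields[0].startswith("#"):
            table[os.path.normpath(fields[1])] = fields[0]
    return table

def check_backup_mount(sd_conf, fstab, mounts):
    """Return (ok, message): ok only when the Archive Device has its own fstab
    entry and that mount point is currently present in the mount table."""
    path = archive_device(sd_conf)
    declared = mount_table(fstab).get(path)
    if declared is None:
        return False, "%s has no fstab entry; Volumes would land on /" % path
    if path not in mount_table(mounts):
        return False, "%s (%s) is not mounted" % (path, declared)
    return True, "%s mounted from %s" % (path, declared)

# Constructed sample inputs, trimmed from the files shown on this page
SD_CONF = "Device {\n  Name = FileStorage\n  Archive Device = /var/backups/bacula/\n}\n"
FSTAB = """# <file system> <mount point> <type> <options> <dump> <pass>
UUID=55f55191-2b32-4269-9137-49b23c491fa3 / ext3 errors=remount-ro 0 1
UUID=c85e5264-29db-4e7e-9cfa-3a5f399a8da6 /var/backups/bacula ext3 defaults 0 2
"""
MOUNTS_OK = "/dev/sda1 / ext3 rw 0 0\n/dev/sdb1 /var/backups/bacula ext3 rw 0 0\n"
MOUNTS_MISSING = "/dev/sda1 / ext3 rw 0 0\n"   # disk unplugged: only root mounted

if __name__ == "__main__":
    # On the host itself, feed the real files instead of the samples:
    # open('/etc/bacula/bacula-sd.conf').read(), open('/etc/fstab').read(),
    # open('/proc/mounts').read()
    print(check_backup_mount(SD_CONF, FSTAB, MOUNTS_OK))       # (True, ...)
    print(check_backup_mount(SD_CONF, FSTAB, MOUNTS_MISSING))  # (False, ...)
```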

/home/issalarg/.ssh/authorized_keys

I use public key authentication for SSH.

#
# not really my key from xcl01 
#
ssh-rsa ABcdB3NEAAAABIwAAAQYf0IgVazrDZV5hZMKbSGKoEDYifqEb7fRAg8FwRLn/VAXVBD8OPPZuQlld/0SYLucKgW9yu82QcnhgQj+ymDehZQu+gGRCnLK17ZzYfe6hyQgvdRBnS/6jumUPRrwBCxfOz3YpPYQXW3xoD6DF7Ma7QW1sldIyCpxsy70ehunW5h4WEC8p7S+rIrw6FGU8wAHR+w== issalarg@xcl01

/etc/aliases

...
root: issalarg
issalarg: idc@planetlarg.net

/etc/mysql-mmm/mmm_common.conf

I add mysql MMM to ifw03.

active_master_role      writer


<host default>
        cluster_interface       bond0

        pid_path                /var/run/mmm_agentd.pid
        bin_path                /usr/lib/mysql-mmm/

        replication_user        replication
        replication_password    replication_password

        agent_user              mmm_agent
        agent_password          agent_password
</host>

<host db1>
        ip                      192.168.80.2
        mode                    master
        peer                    db2
</host>

<host db2>
        ip                      192.168.80.3
        mode                    master
        peer                    db1
</host>

<host db3>
        ip                      192.168.80.4
        mode                    slave
</host>


<role writer>
        hosts                   db1, db2
        ips                     192.168.1.2
        mode                    exclusive
</role>

<role reader>
        hosts                   db1, db2, db3
        ips                     192.168.1.3, 192.168.1.4, 192.168.1.5
        mode                    balanced
</role>

/etc/mysql-mmm/mmm_mon.conf

I add mysql MMM to ifw03.

include mmm_common.conf


<monitor>
        ip                      127.0.0.1
        pid_path                /var/run/mmm_mond.pid
        bin_path                /usr/lib/mysql-mmm/
        status_path             /var/lib/misc/mmm_mond.status
        ping_ips                192.168.80.1, 192.168.80.2, 192.168.80.3
</monitor>

<host default>
        monitor_user            mmm_monitor
        monitor_password        monitor_password
</host>

debug 0

/etc/mysql-mmm/mmm_mon_log.conf

I add mysql MMM to ifw03.

# This config based on code from
# http://mysql-mmm.org/mysql-mmm.html
# log4perl module explained at
# http://search.cpan.org/dist/Log-Log4perl/lib/Log/Log4perl.pm
#
#---------
# Set the logging level and also where to write messages.
#
# These write messages to a file.
#log4perl.logger = INFO, LogFile
log4perl.logger = DEBUG, LogFile
#
# This writes messages to file and console.
#log4perl.logger = DEBUG, ScreenLog, LogFile
#---------
#
# logfile definitions
log4perl.appender.LogFile           = Log::Log4perl::Appender::File
log4perl.appender.LogFile.filename  = /var/log/mysql-mmm/mmm_mond.log
log4perl.appender.LogFile.recreate  = 1
log4perl.appender.LogFile.layout    = PatternLayout
log4perl.appender.LogFile.layout.ConversionPattern = %d %5p %m%n
#
# screenlog definitions
log4perl.appender.ScreenLog         = Log::Log4perl::Appender::Screen
log4perl.appender.ScreenLog.stderr  = 0
log4perl.appender.ScreenLog.layout  = PatternLayout
log4perl.appender.ScreenLog.layout.ConversionPattern = %d %5p %m%n