From zanchey at ucc.gu.uwa.edu.au Mon Feb 20 11:23:02 2006
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Mon, 20 Feb 2006 11:23:02 +0800 (WST)
Subject: [tech] UCC network reconnected

As you can see, the UCC is back on the Internet. We dropped off about 1700h
yesterday, due to a Guild router failing. No official word on the cause yet,
although I don't think anyone's bothered to ask.

Anyway, service should be restored now. Thanks to Grahame for going in to
work on a Sunday evening to check things out for us.

David Adam
UCC Wheel :: Coke :: Door Member
zanchey at ucc.gu.uwa.edu.au

From zanchey at ucc.gu.uwa.edu.au Mon Feb 20 22:17:27 2006
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Mon, 20 Feb 2006 22:17:27 +0800 (WST)
Subject: [tech] UCC network reconnected

> As you can see, the UCC is back on the Internet. We dropped off about
> 1700h yesterday, due to a Guild router failing. No official word on the
> cause yet, although I don't think anyone's bothered to ask.

He's going to think I'm making a big deal of it, but just for the record
this was in fact Grahame's fault :-P

http://grahame.livejournal.com/279838.html

David Adam
zanchey@

From trs80 at ucc.gu.uwa.edu.au Sun Feb 26 20:07:39 2006
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Sun, 26 Feb 2006 20:07:39 +0800 (WST)
Subject: [tech] marblefish

marblefish is up, running with RAID 1 over two 9GB SCSI and one 80GB IDE,
with 70GB of the IDE available as scratch space (although only at 4MB/s
because the IDE interface is shit). Bootloaders and kernels are in the first
and second partitions of all disks, and I've tested booting from the IDE
disk as well as the SCSI.

It's currently running 2.6.15, however SMP in recent 2.6 on alpha is broken,
so it's using a non-SMP kernel. There is currently a thread on debian-alpha
on getting this fixed, so hopefully we'll be able to send it over to ProgSoc
fairly soon.

-- 
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/  #| what squirrels do best      |
[ "There's nobody getting rich writing          ]| -- Collect and hide your    |
[  software that I know of" -- Bill Gates, 1980 ]\ nuts." -- Acid Reflux #231  /

From zanchey at ucc.gu.uwa.edu.au Sun Feb 26 20:57:18 2006
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Sun, 26 Feb 2006 20:57:18 +0800 (WST)
Subject: [tech] marblefish

James,

On Sun, 26 Feb 2006, James Andrewartha wrote:
> It's currently running 2.6.15, however SMP in recent 2.6 on alpha is
> broken, so it's using a non-SMP kernel. There is currently a thread on
> debian-alpha on getting this fixed, so hopefully we'll be able to send it
> over to ProgSoc fairly soon.

I'm not really certain [tech] is the right list, but perhaps you could
elaborate on The ProgSoc Arrangement (sounds like a Robert Ludlum book) for
those of us less in the know?

As far as I know, it involves free traffic, less spam and world peace.

David "Human Megaphone" Adam
zanchey@

From trs80 at ucc.gu.uwa.edu.au Sun Feb 26 21:08:25 2006
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Sun, 26 Feb 2006 21:08:25 +0800 (WST)
Subject: [tech] marblefish

On Sun, 26 Feb 2006, David Adam wrote:
> I'm not really certain [tech] is the right list, but perhaps you could
> elaborate on The ProgSoc Arrangement (sounds like a Robert Ludlum book) for
> those of us less in the know?
>
> As far as I know, it involves free traffic, less spam and world peace.

Pretty much. Over beers at LCA, I was complaining to Anand that we had to
pay for spam. He offered to host a machine at ProgSoc for us, as they don't
pay for traffic and have a spare class C they're barely using. The plan is
to send over marblefish and give it a couple of IPs.
One will be set as the primary MX for UCC's domains, but all port 25 traffic
will be tunnelled (exact method to be determined) to mooneye's port 25,
allowing us to do greylisting on mooneye, and not pay for email since it's
coming over AARNet. Another IP will run a local copy of postfix as a
secondary MX, and will also do greylisting. Ideally we'd want a way to
reject invalid users on this MX as well. There might also be a third MX
hosted elsewhere. Failure modes are fairly well covered, and if all else
fails we can change the DNS back to listing mooneye and asclepius as the MXs.

Any improvements to this plan are gratefully accepted.

From zanchey at ucc.gu.uwa.edu.au Sun Feb 26 22:01:19 2006
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Sun, 26 Feb 2006 22:01:19 +0800 (WST)
Subject: [tech] marblefish

On Sun, 26 Feb 2006, James Andrewartha wrote:
> On Sun, 26 Feb 2006, David Adam wrote:
> > I'm not really certain [tech] is the right list, but perhaps you could
> > elaborate on The ProgSoc Arrangement (sounds like a Robert Ludlum book) for
> > those of us less in the know?
> >
> > As far as I know, it involves free traffic, less spam and world peace.
>
> Pretty much. Over beers at LCA, I was complaining to Anand that we had to
> pay for spam. He offered to host a machine at ProgSoc for us, as they
> don't pay for traffic and have a spare class C they're barely using.

Ah, LCA is a networking event in every sense of the word.

> The plan is to send over marblefish and give it a couple of IPs. One will
> be set as the primary MX for UCC's domains, but all port 25 traffic will
> be tunnelled (exact method to be determined) to mooneye's port 25,
> allowing us to do greylisting on mooneye, and not pay for email since it's
> coming over AARNet.

Do we want the benefits of further SPAM filtering on Asclepius? More to the
point, will our charming comrades in UCS (hi Adrian) get irritated if we
don't go through the central spam filter?

If not, I strongly suggest we don't let [JCF] set up another of his
crackrock SSH-based VPNs (you're killing kittens, James), but perhaps some
sort of encrypted link is a good idea. Otherwise we can do it the easy way
by NATing (say) port 10025 to mooneye:25.

> Another IP will run a local copy of postfix as a
> secondary MX, and will also do greylisting. Ideally we'd want a way to
> reject invalid users on this MX as well. There might also be a third MX
> hosted elsewhere. Failure modes are fairly well covered, and if all else
> fails we can change the DNS back to listing mooneye and asclepius as the MXs.

Are we going to be running these separate IPs as Xen domains, or just as
aliases?

This sounds like a fantastic plan, otherwise, and should cut down our
traffic bills by a fair amount. It'll also be good to establish stronger
links with other similar-minded clubs. (I am about to use the word synergy,
so I'll stop now).
David Adam
UCC Wheel Thing
zanchey@

From frenchie at frenchie.id.au Sun Feb 26 22:16:32 2006
From: frenchie at frenchie.id.au (James French)
Date: Sun, 26 Feb 2006 22:16:32 +0800
Subject: [tech] marblefish
Message-ID: <20060226141631.GA23531@ellipsis.frenchie.id.au>

> If not, I strongly suggest we don't let [JCF] set up another of his
> crackrock SSH-based VPNs (you're killing kittens, James)

I was only running one because I'm too lazy to set up IPsec, and PPTP
is/was borked with NAT.

-- 
James French: frenchie at frenchie.id.au

From trs80 at ucc.gu.uwa.edu.au Sun Feb 26 22:20:26 2006
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Sun, 26 Feb 2006 22:20:26 +0800 (WST)
Subject: [tech] marblefish

On Sun, 26 Feb 2006, David Adam wrote:
> Do we want the benefits of further SPAM filtering on Asclepius? More to
> the point, will our charming comrades in UCS (hi Adrian) get irritated if
> we don't go through the central spam filter?

We thought about this, but adding asclepius to the mix, whether by domain
rewriting or whatever, just made the setup too fragile. As for UCS, what
they don't know won't harm them, and outgoing mail will still go through
asclepius.

> If not, I strongly suggest we don't let [JCF] set up another of his
> crackrock SSH-based VPNs (you're killing kittens, James), but perhaps some
> sort of encrypted link is a good idea. Otherwise we can do it the easy way
> by NATing (say) port 10025 to mooneye:25.

I was thinking IPSec or OpenVPN; I'm not sure whether terminating on madako
or mooneye is the best plan (probably mooneye).

> Are we going to be running these separate IPs as Xen domains, or just as
> aliases?

Xen is x86 only, so aliases.

From frenchie at frenchie.id.au Sun Feb 26 22:25:57 2006
From: frenchie at frenchie.id.au (James French)
Date: Sun, 26 Feb 2006 22:25:57 +0800
Subject: [tech] marblefish
Message-ID: <20060226142557.GB23531@ellipsis.frenchie.id.au>

> > If not, I strongly suggest we don't let [JCF] set up another of his
> > crackrock SSH-based VPNs (you're killing kittens, James), but perhaps some
> > sort of encrypted link is a good idea. Otherwise we can do it the easy way
> > by NATing (say) port 10025 to mooneye:25.
>
> I was thinking IPSec or OpenVPN, I'm not sure whether terminating on
> madako or mooneye is the best plan (probably mooneye).
>

I'd say terminating on mooneye is the better option, although if we want to
translate a user list using LDAP, madako would probably involve less pain.

-- 
James French: frenchie at frenchie.id.au

From bernard at blackham.com.au Sun Feb 26 22:32:40 2006
From: bernard at blackham.com.au (Bernard Blackham)
Date: Sun, 26 Feb 2006 22:32:40 +0800
Subject: [tech] marblefish
Message-ID: <20060226143240.GB5335@blackham.com.au>

On Sun, Feb 26, 2006 at 10:20:26PM +0800, James Andrewartha wrote:
> I was thinking IPSec or OpenVPN, I'm not sure whether terminating on
> madako or mooneye is the best plan (probably mooneye).

I'd hesitate to push the burden of encryption onto mooneye - it's already
pretty loaded. madako seems like the sensible point to do it - if we wanted
to later, we could encrypt traffic to/from other machines across to
marblefish (eg, NIS/LDAP) without getting tunnels on each machine.

Bernard.
-- 
Bernard Blackham

From grahame at angrygoats.net Mon Feb 27 22:07:01 2006
From: grahame at angrygoats.net (Grahame Bowland)
Date: Mon, 27 Feb 2006 22:07:01 +0800
Subject: [tech] marblefish

On 26/2/06 10:20 PM, "James Andrewartha" wrote:
> On Sun, 26 Feb 2006, David Adam wrote:
>> If not, I strongly suggest we don't let [JCF] set up another of his
>> crackrock SSH-based VPNs (you're killing kittens, James), but perhaps some
>> sort of encrypted link is a good idea. Otherwise we can do it the easy way
>> by NATing (say) port 10025 to mooneye:25.
>
> I was thinking IPSec or OpenVPN, I'm not sure whether terminating on
> madako or mooneye is the best plan (probably mooneye).

If 2.6 is generally flaky on Alpha, can we just run 2.4? I don't trust some
magic SMP fix warm and smoking off the debian-alpha list to actually -work-,
and the machine is going to be annoyingly hard to poke if it stops booting
or decides to corrupt its filesystems.

For the link, why not just use SSL-encrypted SMTP, running on the standard
secure SMTP port? It's really easy to get postfix to permit relaying based
on the SSL cert that the client has got. That's really all you need, and it
won't rely on some tunnel being up all the time.

From trs80 at ucc.gu.uwa.edu.au Mon Feb 27 22:39:23 2006
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Mon, 27 Feb 2006 22:39:23 +0800 (WST)
Subject: [tech] marblefish

On Mon, 27 Feb 2006, Grahame Bowland wrote:
> On 26/2/06 10:20 PM, "James Andrewartha" wrote:
>> I was thinking IPSec or OpenVPN, I'm not sure whether terminating on
>> madako or mooneye is the best plan (probably mooneye).
>
> If 2.6 is generally flaky on Alpha, can we just run 2.4? I don't trust some
> magic SMP fix warm and smoking off the debian-alpha list to actually -work-,
> and the machine is going to be annoyingly hard to poke if it stops booting
> or decides to corrupt its filesystems.

Because I couldn't get a recent 2.4 kernel to boot (I'm fairly sure 2.4.27
has security holes). 2.6 is fine if you don't run SMP, which is not a great
loss given it's 833MHz of alpha and all it'll be doing is pushing packets.

> For the link, why not just use SSL-encrypted SMTP, running on the standard
> secure SMTP port? It's really easy to get postfix to permit relaying based
> on the SSL cert that the client has got. That's really all you need, and it
> won't rely on some tunnel being up all the time.

Mainly because I want to reject invalid users at rcpt.to time. There will
be a local SMTP server as a secondary MX that will then deliver via your
method if the tunnel goes down at any point.

From zanchey at ucc.gu.uwa.edu.au Mon Feb 27 22:42:58 2006
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Mon, 27 Feb 2006 22:42:58 +0800 (WST)
Subject: [tech] marblefish

On Mon, 27 Feb 2006, James Andrewartha wrote:
> On Mon, 27 Feb 2006, Grahame Bowland wrote:
> > On 26/2/06 10:20 PM, "James Andrewartha" wrote:
> >> I was thinking IPSec or OpenVPN, I'm not sure whether terminating on
> >> madako or mooneye is the best plan (probably mooneye).
> > For the link, why not just use SSL-encrypted SMTP, running on the standard
> > secure SMTP port? It's really easy to get postfix to permit relaying based
> > on the SSL cert that the client has got. That's really all you need, and it
> > won't rely on some tunnel being up all the time.
>
> Mainly because I want to reject invalid users at rcpt.to time. There will
> be a local SMTP server as a secondary MX that will then deliver via your
> method if the tunnel goes down at any point.
Incidentally, how are we going to do that? Mount /home/mail and run LDAP
over the tunnel?

I know almost nothing about such things and am enjoying this process
immensely.

David Adam
UCC Wheel Member, master of the desktops
zanchey@

From trs80 at ucc.gu.uwa.edu.au Mon Feb 27 22:54:18 2006
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Mon, 27 Feb 2006 22:54:18 +0800 (WST)
Subject: [tech] marblefish

On Mon, 27 Feb 2006, David Adam wrote:
> On Mon, 27 Feb 2006, James Andrewartha wrote:
>> Mainly because I want to reject invalid users at rcpt.to time. There will
>> be a local SMTP server as a secondary MX that will then deliver via your
>> method if the tunnel goes down at any point.
>
> Incidentally, how are we going to do that? Mount /home/mail and run LDAP
> over the tunnel?

I assume you mean rejecting at rcpt.to time - we're going to pipe port 25
straight to mooneye so it can do the rejecting and mail delivering. Doing
some rejecting on marblefish would probably be possible with some cronned
rsync scripts to bring across aliases and the list of users.

> I know almost nothing about such things and am enjoying this process
> immensely.

I used to have a policy of I Don't Do Mail(tm), since that way I wouldn't
break things and cause mail to be lost; unfortunately, having got a job that
includes running a mail server, I don't have this luxury any more.

From grahame at angrygoats.net Tue Feb 28 00:23:32 2006
From: grahame at angrygoats.net (Grahame Bowland)
Date: Tue, 28 Feb 2006 00:23:32 +0800
Subject: [tech] marblefish

On 27/2/06 10:54 PM, "James Andrewartha" wrote:
> On Mon, 27 Feb 2006, David Adam wrote:
>
>> On Mon, 27 Feb 2006, James Andrewartha wrote:
>>> Mainly because I want to reject invalid users at rcpt.to time. There will
>>> be a local SMTP server as a secondary MX that will then deliver via your
>>> method if the tunnel goes down at any point.
>>
>> Incidentally, how are we going to do that? Mount /home/mail and run LDAP
>> over the tunnel?
>
> I assume you mean rejecting at rcpt.to time - we're going to pipe port 25
> straight to mooneye so it can do the rejecting and mail delivering. Doing
> some rejecting on marblefish would probably be possible with some cronned
> rsync scripts to bring across aliases and the list of users.

I guess your way is better than trying to make the remote box hook into our
authentication system directly (LDAP or whatever) in that if the UCC is down
our mail won't bounce with "user unknown" errors :-)

So, the remote box will be primary MX. Remember not to put any of the
secondaries inside UWA, for fear of creating the mail loop:

 * primary is down; mail gets sent to secondary (through asclepius)
 * secondary within UWA tries to connect to primary, gets asclepius, sends
   the mail
 * asclepius looks at the mail, tries to contact primary. Fails, gets the
   UWA secondary, delivers the message there.
 * repeat..

I might be stating the obvious, but definitely worth mentioning out of
paranoia :-)

Of course, using antivirus.uwa.edu.au itself as a secondary should be fine.
It'll just cost for traffic!
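An added example (not from this thread, and not UCC's or Postfix's own code) of the "cronned rsync scripts to bring across aliases and the list of users" idea James mentions: given copies of the real mail host's passwd and aliases files, build a Postfix relay_recipient_maps table so the secondary MX can refuse unknown recipients at RCPT TO rather than accepting, queueing, and bouncing later (which is where backscatter comes from). The sample file contents, the two domains, and the UID cut-off for "real users" are constructed for the example.

```python
"""Build a Postfix relay_recipient_maps table from rsync'd passwd and aliases.

Added example for the marblefish thread; not code from the original page.
File contents, domains and the UID cut-off are constructed assumptions.
"""

import re

# Constructed sample of what an rsync from the primary host might fetch.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
postfix:x:102:105::/var/spool/postfix:/bin/false
zanchey:x:1001:1001:David Adam:/home/zanchey:/bin/zsh
trs80:x:1002:1002:James Andrewartha:/home/trs80:/bin/bash
"""

SAMPLE_ALIASES = """\
# /etc/aliases -- constructed sample
postmaster: root
wheel: zanchey, trs80
tech: zanchey,
      trs80
"""

DOMAINS = ("ucc.gu.uwa.edu.au", "ucc.asn.au")  # assumed relay domains
MIN_UID = 1000  # assumed: people start at 1000, system accounts sit below


def parse_passwd(text, min_uid=MIN_UID):
    """Return login names of non-system users from passwd(5)-format text."""
    users = set()
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # skip blank or garbled lines rather than guess
        if int(fields[2]) >= min_uid:
            users.add(fields[0])
    return users


def parse_aliases(text):
    """Return alias names from aliases(5)-format text, honouring '#' comments
    and continuation lines (a line starting with whitespace extends the one
    before it)."""
    names = set()
    logical = []
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if raw[:1].isspace() and logical:
            logical.append(raw.strip())
            continue
        if logical:
            entry = " ".join(logical)
            m = re.match(r"^([^#:\s]+)\s*:", entry)
            if m:
                names.add(m.group(1))
            logical = []
        if raw.strip() and not raw.lstrip().startswith("#"):
            logical = [raw.strip()]
    return names


def build_relay_recipient_map(passwd_text, aliases_text, domains=DOMAINS):
    """Return the lines of a relay_recipient_maps table, one 'addr OK' per
    valid local part per domain.  Postfix rejects anything not listed with
    'User unknown in relay recipient table' at RCPT TO, so the secondary MX
    never queues mail for users that do not exist."""
    local_parts = parse_passwd(passwd_text) | parse_aliases(aliases_text)
    return sorted(f"{lp}@{d} OK" for d in domains for lp in local_parts)


if __name__ == "__main__":
    for line in build_relay_recipient_map(SAMPLE_PASSWD, SAMPLE_ALIASES):
        print(line)
```

The output is meant to be written to a file such as /etc/postfix/relay_recipients, compiled with `postmap hash:/etc/postfix/relay_recipients`, and referenced from main.cf as `relay_recipient_maps = hash:/etc/postfix/relay_recipients` (standard Postfix parameters; the path is an assumption). Note that system accounts are deliberately left out, so anything that must stay deliverable (postmaster at minimum) needs an alias, as in the sample.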
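The loop Grahame describes, as an added toy model (not code from the thread or from any MTA). The hostnames, the "campus relay answers any SMTP crossing the border" behaviour, and the hop limit are constructed assumptions; the model walks the MX list the way a sending MTA does, redirects border-crossing connections to asclepius, and appends one Received-style entry per hop. It shows the inside-UWA secondary bouncing the message between asclepius and itself until the hop limit trips (Postfix bounds real loops the same way with hopcount_limit, whose default is 50), while a secondary outside UWA, or asclepius itself as the secondary, simply queues.

```python
"""Toy model of the MX failover loop discussed in the marblefish thread.

Added example; not code from the original page or any MTA.  Hostnames, the
campus-relay behaviour and the hop limit are constructed assumptions.
"""

from dataclasses import dataclass

HOP_LIMIT = 50  # assumed; same as the Postfix hopcount_limit default


@dataclass
class Host:
    network: str           # "uwa" (inside campus) or "outside"
    up: bool = True
    primary: bool = False  # the real destination (marblefish -> mooneye)


def deliver(mx_list, hosts, origin="internet", relay="asclepius",
            hop_limit=HOP_LIMIT):
    """Walk the MX list like a sending MTA; return (outcome, received).

    mx_list is in preference order, best first.  A backup MX only tries hosts
    with a better preference than itself and queues if none answers.  origin
    is an outside sender that is not in hosts.
    """
    received = []
    here = origin
    while len(received) < hop_limit:
        if here in hosts and hosts[here].primary:
            return "delivered", received
        here_net = hosts[here].network if here in hosts else "outside"
        candidates = mx_list[: mx_list.index(here)] if here in mx_list else mx_list
        next_hop = None
        for mx in candidates:
            target = mx
            crosses_border = (here_net == "uwa") != (hosts[mx].network == "uwa")
            # The campus filter sits on the border and answers for whatever
            # the sender meant to reach, unless the sender is the filter.
            if crosses_border and here != relay and hosts[relay].up:
                target = relay
            if hosts[target].up:
                next_hop = target
                break
        if next_hop is None:
            return f"queued at {here}", received  # hold and retry later
        received.append(f"from {here} by {next_hop}")
        here = next_hop
    return "bounced: hop count exceeded", received


def scenario(secondary_name, secondary_net, primary_up=False):
    """Primary marblefish (outside UWA) plus one secondary MX."""
    hosts = {
        "marblefish": Host("outside", up=primary_up, primary=True),
        "asclepius": Host("uwa"),
        secondary_name: Host(secondary_net),
    }
    return deliver(["marblefish", secondary_name], hosts)


if __name__ == "__main__":
    cases = [
        ("secondary inside UWA, primary down", ("backup-uwa", "uwa")),
        ("secondary outside UWA, primary down", ("backup-progsoc", "outside")),
        ("asclepius itself as secondary, primary down", ("asclepius", "uwa")),
        ("primary up", ("backup-uwa", "uwa", True)),
    ]
    for label, args in cases:
        outcome, received = scenario(*args)
        print(f"{label}: {outcome} after {len(received)} hop(s)")
```

The model deliberately ignores greylisting and recipient checks; its only point is that a transparent relay on the border turns "secondary retries the primary" into "secondary hands the message back to the relay", which is exactly the repeat step in the list above.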
From matt at ucc.asn.au Tue Feb 28 00:43:20 2006
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 28 Feb 2006 00:43:20 +0800
Subject: [tech] marblefish
Message-ID: <20060227164320.GP17375@ucc.gu.uwa.edu.au>

On Tue, Feb 28, 2006 at 12:23:32AM +0800, Grahame Bowland wrote:
>
> So, the remote box will be primary MX. Remember not to put any of the
> secondaries inside UWA, for fear of creating the mail loop:

> I might be stating the obvious, but definitely worth mentioning out of
> paranoia :-)
>
> Of course, using antivirus.uwa.edu.au itself as a secondary should be fine.
> It'll just cost for traffic!

Will antivirus.uwa accept mail if our primary MX is outside UWA?

Matt

From grahame at angrygoats.net Tue Feb 28 07:10:29 2006
From: grahame at angrygoats.net (Grahame Bowland)
Date: Tue, 28 Feb 2006 07:10:29 +0800
Subject: [tech] marblefish
In-Reply-To: <20060227164320.GP17375@ucc.gu.uwa.edu.au>

On 28/2/06 12:43 AM, "Matt Johnston" wrote:
> On Tue, Feb 28, 2006 at 12:23:32AM +0800, Grahame Bowland wrote:
>>
>> So, the remote box will be primary MX. Remember not to put any of the
>> secondaries inside UWA, for fear of creating the mail loop:
>
>> I might be stating the obvious, but definitely worth mentioning out of
>> paranoia :-)
>>
>> Of course, using antivirus.uwa.edu.au itself as a secondary should be fine.
>> It'll just cost for traffic!
>
> Will antivirus.uwa accept mail if our primary MX is outside UWA?

Yeah, what it'll relay is driven by $relay_domains, not by whether or not
the primary MX exists inside UWA. So it ought to work fine.

From davyd at madeley.id.au Tue Feb 28 11:02:22 2006
From: davyd at madeley.id.au (Davyd Madeley)
Date: Tue, 28 Feb 2006 11:02:22 +0800
Subject: [tech] Mini-GBIC for new switch
Message-ID: <1141095742.5855.14.camel@frobisher.madeley.id.au>

Since manbo talks gigabit fibre and our gigabit switch has two mini-GBIC
ports, perhaps we should consider getting a mini-GBIC for the switch.

For example:
http://cgi.ebay.com.au/HP-J4859A-Gigabit-LX-LC-Mini-GBIC-RRP-1400AUD_W0QQitemZ5871566421QQcategoryZ3706QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

--d

-- 
Davyd Madeley        http://www.davyd.id.au/
08B0 341A 0B9B 08BB 2118  C060 2EDD BB4F 5191 6CDA

From matt at ucc.asn.au Tue Feb 28 11:18:59 2006
From: matt at ucc.asn.au (Matt Johnston)
Date: Tue, 28 Feb 2006 11:18:59 +0800
Subject: [tech] Mini-GBIC for new switch
In-Reply-To: <1141095742.5855.14.camel@frobisher.madeley.id.au>
References: <1141095742.5855.14.camel@frobisher.madeley.id.au>
Message-ID: <20060228031859.GR17375@ucc.gu.uwa.edu.au>

On Tue, Feb 28, 2006 at 11:02:22AM +0800, Davyd Madeley wrote:
> Since manbo talks gigabit fibre and our gigabit switch has two mini-GBIC
> ports, perhaps we should consider getting a mini-GBIC for the switch.
>
> For example:
> http://cgi.ebay.com.au/HP-J4859A-Gigabit-LX-LC-Mini-GBIC-RRP-1400AUD_W0QQitemZ5871566421QQcategoryZ3706QQssPageNameZWDVWQQrdZ1QQcmdZViewItem

Harry McNally dropped off a fibre gigE PCI 64-bit card; I think there were
also some media converter things about too? So we mightn't need the
mini-GBICs.

Matt

From davyd at madeley.id.au Tue Feb 28 11:28:30 2006
From: davyd at madeley.id.au (Davyd Madeley)
Date: Tue, 28 Feb 2006 11:28:30 +0800
Subject: [tech] Mini-GBIC for new switch
In-Reply-To: <20060228031859.GR17375@ucc.gu.uwa.edu.au>
References: <1141095742.5855.14.camel@frobisher.madeley.id.au>
 <20060228031859.GR17375@ucc.gu.uwa.edu.au>
Message-ID: <1141097310.5855.19.camel@frobisher.madeley.id.au>

On Tue, 2006-02-28 at 11:18 +0800, Matt Johnston wrote:
> Harry McNally dropped off a fibre gigE PCI 64-bit card; I think there were
> also some media converter things about too? So we mightn't need the
> mini-GBICs.

The media converters I saw were only 100BaseT :(

--d