From bob at ucc.gu.uwa.edu.au Mon May 15 19:43:34 2017
From: bob at ucc.gu.uwa.edu.au (Andrew Adamson)
Date: Mon, 15 May 2017 19:43:34 +0800 (AWST)
Subject: [tech] Firewalling system ideas wanted
Message-ID:

Hi All,

This coming weekend we are basically breaking everything, so this is an
opportunity to do it good and properly. I've been thinking about the user
friendliness of our firewall (particularly for VMs), and how things would
ideally work versus how they currently do.

At the moment, a lot of users who get a VM can't necessarily do a great
deal with them, because firewalling of their machine is quite obfuscated
to them (unless they are on wheel, and sometimes even then), and it's not
always clear to them why something might not be working. I have a similar
problem learning about mail servers with the UWA firewall - I never know
if it's me or not. The firewall on a VM is something that a user can't
easily inspect, change, or experiment with, because it's on murasoi which
is wheel access only.

To me, the best scenario here is that VM users can easily inspect the
firewall rules on their machine, easily request changes, some trusted
users can easily be given control of their machine's firewall, and the
whole lot can be audited/checked/modified by wheel at any time.

Can anyone suggest such a system? Ideally it would have some sort of nice
interface, or proxmox integration. I know proxmox has firewall support but
haven't had a chance to really play with it, plus it would mean splitting
our firewall between murasoi and the cluster. Has anyone tried it before
and have advice/comments? Advice/comments on splitting the firewall? Other
options for a routing box? Thoughts on moving dns onto the routing
machine?

Reply to the list with your 2c!

Andrew Adamson
bob at ucc.asn.au

|"If you can't beat them, join them, and then beat them." |
|                                        ---Peter's Laws |

From zanchey at ucc.gu.uwa.edu.au Tue May 16 10:00:39 2017
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Tue, 16 May 2017 10:00:39 +0800 (AWST)
Subject: [tech] Firewalling system ideas wanted
In-Reply-To:
References:
Message-ID:

On Mon, 15 May 2017, Andrew Adamson wrote:
> This coming weekend we are basically breaking everything, so this is an
> opportunity to do it good and properly. I've been thinking about the user
> friendliness of our firewall (particularly for VMs), and how things would
> ideally work versus how they currently do.
>
> At the moment, a lot of users who get a VM can't necessarily do a great
> deal with them, because firewalling of their machine is quite obfuscated
> to them (unless they are on wheel, and sometimes even then), and it's not
> always clear to them why something might not be working. I have a similar
> problem learning about mail servers with the UWA firewall - I never know
> if it's me or not. The firewall on a VM is something that a user can't
> easily inspect, change, or experiment with, because it's on murasoi which
> is wheel access only.
>
> To me, the best scenario here is that VM users can easily inspect the
> firewall rules on their machine, easily request changes, some trusted
> users can easily be given control of their machine's firewall, and the
> whole lot can be audited/checked/modified by wheel at any time.
>
> Can anyone suggest such a system? Ideally it would have some sort of nice
> interface, or proxmox integration. I know proxmox has firewall support but
> haven't had a chance to really play with it, plus it would mean splitting
> our firewall between murasoi and the cluster. Has anyone tried it before
> and have advice/comments? Advice/comments on splitting the firewall? Other
> options for a routing box? Thoughts on moving dns onto the routing
> machine?

Old guard opinion, I guess...
I think what you're asking about is delegated firewall control, which as
far as I know doesn't exist even in high-end firewall products - I've had
a read through the Cisco FirePower 9000* and Juniper SRX manuals and all I
can see is whole-of-system roles, rather than permission to firewall
specific subnets or IP addresses.

My impression is that full virtualisation of networks with virtual
firewalls is the Enterprise Solution to this problem.

I don't think splitting the firewall is so much of a problem. Several
machines (mooneye, mussel, motsugo) already run their own firewalls as a
replacement or addition to the central firewall.

Firewalling on Proxmox does appear to require full network administration
privileges to the VM, which we don't grant users (and probably shouldn't).

I think we should probably rewrite the firewall in nftables. Linux is
still the right platform - although firewall platforms like pf(4) are
better, the wider networking infrastructure tools on Linux still seem more
diverse and well-understood.

Your question about putting the nameserver on the router is a separate
issue. From a *.ucc.asn.au perspective it will be easy, but it would also
require UWA to make some changes to keep *.ucc.gu.uwa.edu.au and the
reverse DNS zone working. Perhaps others have more of an appetite. Our DNS
records in the UWA nameservers have been semi-broken for years, and we
never did get IPv6 reverse delegation set up.

David Adam
zanchey at ucc.gu.uwa.edu.au

*: Yes.

From oxinabox at ucc.asn.au Tue May 16 11:28:33 2017
From: oxinabox at ucc.asn.au (Frames)
Date: Tue, 16 May 2017 11:28:33 +0800
Subject: [tech] Firewalling system ideas wanted
In-Reply-To:
References:
Message-ID: <1221f01b-ddf3-5524-ddd3-90393c48440a@ucc.asn.au>

OpenStack has nice interactive firewall controls, that users can touch,
on the same website they use to spin up their VMs.
But OpenStack is not something one simply just decides to deploy.
--
[*OX]

On 16/05/2017 10:00 AM, David Adam wrote:
> On Mon, 15 May 2017, Andrew Adamson wrote:
>> This coming weekend we are basically breaking everything, so this is an
>> opportunity to do it good and properly. I've been thinking about the user
>> friendliness of our firewall (particularly for VMs), and how things would
>> ideally work versus how they currently do.
>>
>> At the moment, a lot of users who get a VM can't necessarily do a great
>> deal with them, because firewalling of their machine is quite obfuscated
>> to them (unless they are on wheel, and sometimes even then), and it's not
>> always clear to them why something might not be working. I have a similar
>> problem learning about mail servers with the UWA firewall - I never know
>> if it's me or not. The firewall on a VM is something that a user can't
>> easily inspect, change, or experiment with, because it's on murasoi which
>> is wheel access only.
>>
>> To me, the best scenario here is that VM users can easily inspect the
>> firewall rules on their machine, easily request changes, some trusted
>> users can easily be given control of their machine's firewall, and the
>> whole lot can be audited/checked/modified by wheel at any time.
>>
>> Can anyone suggest such a system? Ideally it would have some sort of nice
>> interface, or proxmox integration. I know proxmox has firewall support but
>> haven't had a chance to really play with it, plus it would mean splitting
>> our firewall between murasoi and the cluster. Has anyone tried it before
>> and have advice/comments? Advice/comments on splitting the firewall? Other
>> options for a routing box? Thoughts on moving dns onto the routing
>> machine?
> Old guard opinion, I guess...
>
> I think what you're asking about is delegated firewall control, which as
> far as I know doesn't exist even in high-end firewall products - I've had
> a read through the Cisco FirePower 9000* and Juniper SRX manuals and all I
> can see is whole-of-system roles, rather than permission to firewall
> specific subnets or IP addresses.
>
> My impression is that full virtualisation of networks with virtual
> firewalls is the Enterprise Solution to this problem.
>
> I don't think splitting the firewall is so much of a problem. Several
> machines (mooneye, mussel, motsugo) already run their own firewalls as a
> replacement or addition to the central firewall.
>
> Firewalling on Proxmox does appear to require full network administration
> privileges to the VM, which we don't grant users (and probably shouldn't).
>
> I think we should probably rewrite the firewall in nftables. Linux is
> still the right platform - although firewall platforms like pf(4) are
> better, the wider networking infrastructure tools on Linux still seem more
> diverse and well-understood.
>
> Your question about putting the nameserver on the router is a separate
> issue. From a *.ucc.asn.au perspective it will be easy, but it would also
> require UWA to make some changes to keep *.ucc.gu.uwa.edu.au and the
> reverse DNS zone working. Perhaps others have more of an appetite. Our DNS
> records in the UWA nameservers have been semi-broken for years, and we
> never did get IPv6 reverse delegation set up.
>
> David Adam
> zanchey at ucc.gu.uwa.edu.au
>
>
> *: Yes.
> _______________________________________________
> List Archives: http://lists.ucc.gu.uwa.edu.au/pipermail/tech
>
> Unsubscribe here: http://lists.ucc.gu.uwa.edu.au/mailman/options/tech/oxinabox%40ucc.asn.au

From zanchey at ucc.gu.uwa.edu.au Fri May 19 23:24:29 2017
From: zanchey at ucc.gu.uwa.edu.au (David Adam)
Date: Fri, 19 May 2017 23:24:29 +0800 (AWST)
Subject: [tech] Active Directory migration status
In-Reply-To:
References:
Message-ID:

On Mon, 27 Feb 2017, David Adam wrote:
> Using Samba 4.5.4-Debian, the migration process was a lot smoother and we
> have a running test domain (UCCDOMAYNE / adtest.ucc.gu.uwa.edu.au).
> Windows computers are able to join the domain and logons work;
> interestingly, users are still pointed at Molmol home directories and
> Windows tries to use the same password, which works!

Tonight I reset the test domain and re-migrated it. Any machines that
have been joined to the test domain will need to be rejoined (catfish is
the only production machine that I'm aware of). There is a new
administrator password, which is in uccpass (UCC/adtest) for Wheel members.

> Getting the Linux machines on the domain is proving trickier. Although the
> upgrade process cleanly migrates the users and groups, including home
> directory and shell data, exposing that data to NSS and PAM on Linux is
> proving a bit tricky. We have Winbind working, but it requires a lot of
> annoying setup on local machines and doesn't appear to allow users to have
> a GID of 0. Other options include using nss-pam-ldapd backed by Kerberos,
> which I have not managed to get working yet.

Neither winbindd nor SSSD support groups with a group ID of 0, so if we
end up using either of those solutions then we will need to move Wheel
group to a new GID. This is not all that painful, but will require
rewriting the group of most of the files in /home, /away and some in
/services.
It also has the benefit of making Apache suexec work out of the box - the
fact that we've been having to patch that for years should probably
encourage a move away from wheel group having GID 0.

Using nss-pam-ldapd seems like a world of pain; the basic problem is that
all authentication attempts need to be themselves authenticated.
Samba-joined machines have a machine account which is used as a Kerberos
identity; getting this out of the Samba keystore and into a keytab which
can be owned by the nslcd process has not been trivial.

[DAA]

From trs80 at ucc.gu.uwa.edu.au Mon May 22 13:09:14 2017
From: trs80 at ucc.gu.uwa.edu.au (James Andrewartha)
Date: Mon, 22 May 2017 13:09:14 +0800 (AWST)
Subject: [tech] dkim=fail reason="key not found in DNS"
In-Reply-To: <8df43043d8950a69e2e348ce53d4c3d4@pkholm.com>
References: <8df43043d8950a69e2e348ce53d4c3d4@pkholm.com>
Message-ID:

Hi Paul,

On Mon, 22 May 2017, Paul Holmanskikh wrote:
> Just FYI: There is a problem with DKIM signatures of mail from your domain.
>
> Authentication-Results: whitestar.pkholm.com;
>     dkim=fail reason="key not found in DNS"

Yes, we know. Our DNS is being broken by our university and no-one knows
who to contact to get it fixed. ucc.asn.au should have correct DKIM
records at least.

Thanks,

--
# TRS-80              trs80(a)ucc.gu.uwa.edu.au #/ "Otherwise Bub here will do \
# UCC Wheel Member     http://trs80.ucc.asn.au/  #| what squirrels do best     |
[ "There's nobody getting rich writing          ]| -- Collect and hide your   |
[  software that I know of" -- Bill Gates, 1980 ]\ nuts."   -- Acid Reflux #231 /

> ------------- Full headers below --------------------
>
> Return-Path:
> Delivered-To: ausnog at pkholm.com
> Received: from lists.ausnog.net (lists.ausnog.net [54.252.97.250])
>     by whitestar.pkholm.com (Postfix) with ESMTP id 894EA2A326
>     for ; Mon, 22 May 2017 14:23:52 +1000 (EST)
> Authentication-Results: whitestar.pkholm.com;
>     dkim=fail reason="key not found in DNS" (0-bit key; unprotected)
>     header.d=ucc.gu.uwa.edu.au header.i=@ucc.gu.uwa.edu.au header.b=WaIR6TjK;
>     dkim=fail reason="key not found in DNS" (0-bit key; unprotected)
>     header.d=ucc.gu.uwa.edu.au header.i=@ucc.gu.uwa.edu.au header.b=U1lgSitW
> Received: from lists.ausnog.net (localhost [127.0.0.1])
>     by lists.ausnog.net (Postfix) with ESMTP id CB72539231;
>     Mon, 22 May 2017 14:23:41 +1000 (EST)
> X-Original-To: ausnog at ausnog.net
> Delivered-To: ausnog at ausnog.net
> Received-SPF: none (ucc.gu.uwa.edu.au: No applicable sender policy available)
>     receiver=lists.ausnog.net; identity=mailfrom;
>     envelope-from="trs80 at ucc.gu.uwa.edu.au"; helo=mail-ext-sout1.uwa.edu.au;
>     client-ip=130.95.128.72
> Received: from mail-ext-sout1.uwa.edu.au (mail-ext-sout1.uwa.edu.au
>     [130.95.128.72])
>     by lists.ausnog.net (Postfix) with ESMTPS id 24C7539231
>     for ; Mon, 22 May 2017 14:23:37 +1000 (EST)
> X-IronPort-Anti-Spam-Filtered: true
> X-IronPort-Anti-Spam-Result: =?us-ascii?q?A2CXAgBmZyJZ/8+AX4JdGgEBAQECAQEBA?=
>     =?us-ascii?q?QgBAQEBhDeBDI56j00BAQZoAQEbHQSNSIUEhTkBJ4JGgzYChkEUAQIBAQEBAQE?=
>     =?us-ascii?q?BayiFGAEBAQECAToGAQE3AQQLCxguLCsGiioFCK9RgxCDCQEBBYRoB4MNAQEIA?=
>     =?us-ascii?q?QEBARwIhE+BSoJagmWKVYExAQGGNwSJQ4VJhxcIAQGHHY5cjxaUSDYhgQptX22?=
>     =?us-ascii?q?Dew8FF4FwaQGJKQEBAQ?=
> X-IPAS-Result: =?us-ascii?q?A2CXAgBmZyJZ/8+AX4JdGgEBAQECAQEBAQgBAQEBhDeBDI5?=
>     =?us-ascii?q?6j00BAQZoAQEbHQSNSIUEhTkBJ4JGgzYChkEUAQIBAQEBAQEBayiFGAEBAQECA?=
>     =?us-ascii?q?ToGAQE3AQQLCxguLCsGiioFCK9RgxCDCQEBBYRoB4MNAQEIAQEBARwIhE+BSoJ?=
>     =?us-ascii?q?agmWKVYExAQGGNwSJQ4VJhxcIAQGHHY5cjxaUSDYhgQptX22Dew8FF4FwaQGJK?=
>     =?us-ascii?q?QEBAQ?=
> X-IronPort-AV: E=Sophos;i="5.38,377,1491235200"; d="scan'208";a="281987258"
> Received: from f5-new.net.uwa.edu.au (HELO mooneye.ucc.gu.uwa.edu.au)
>     ([130.95.128.207])
>     by mail-ext-out1.uwa.edu.au with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
>     22 May 2017 12:23:21 +0800
> Received: by mooneye.ucc.gu.uwa.edu.au (Postfix, from userid 801)
>     id 2114466002; Mon, 22 May 2017 12:23:22 +0800 (AWST)
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ucc.gu.uwa.edu.au;
>     s=ucc-2016-3; t=1495427002;
>     bh=vLVBvNg6iZsypszfLOxHBGrkMx7gHzBRDHuZC2PvI5Q=;
>     h=Date:From:To:cc:Subject:In-Reply-To:References:From;
>     b=WaIR6TjKdjywg4XqCzux/6Tr17s19i3JhzD80jujeBTsm2re3S9luJ+E8epsgY/Mu
>      +znALX9kutlCLnNVCI5Fn4cVgty61O+I4kl8cacv2rB8j3Dssodn0muR7pIdM0ThLx
>      l0d3zsQ8d+Ga2zG83nmEVIl6/oDgUJT9W6YJdSlk=
> Received: from motsugo.ucc.gu.uwa.edu.au (motsugo.ucc.gu.uwa.edu.au
>     [130.95.13.7])
>     by mooneye.ucc.gu.uwa.edu.au (Postfix) with ESMTP id E6A0B66001;
>     Mon, 22 May 2017 12:23:21 +0800 (AWST)
> DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ucc.gu.uwa.edu.au;
>     s=ucc-2016-3; t=1495427001;
>     bh=vLVBvNg6iZsypszfLOxHBGrkMx7gHzBRDHuZC2PvI5Q=;
>     h=Date:From:To:cc:Subject:In-Reply-To:References:From;
>     b=U1lgSitWOBVs24iEuSVKUg261Fgxspi4A/b6IN7wm/1vufzCdCDea22qOMJOgCJ0C
>      IfFYe2VKa+PVrSavpaz0j7aKM0FWD5BG4+BNkRoNEqoFJpoNKCXQAjPgWeISfg4BSR
>      uQZzs+UgW0/fqJtX67DEAcbC+uqeDDO9w880M3VI=
> Received: by motsugo.ucc.gu.uwa.edu.au (Postfix, from userid 11077)
>     id D4BD324F94; Mon, 22 May 2017 12:23:21 +0800 (AWST)
> Received: from localhost (localhost [127.0.0.1])
>     by motsugo.ucc.gu.uwa.edu.au (Postfix) with ESMTP id CF81720079;
>     Mon, 22 May 2017 12:23:21 +0800 (AWST)
> Date: Mon, 22 May 2017 12:23:21 +0800 (AWST)
> From: James Andrewartha
> To: Mark Tees
> In-Reply-To:
> Message-ID:
> References:
> User-Agent: Alpine 2.11 (DEB 23 2013-08-11)
> MIME-Version: 1.0
> Cc: "ausnog at ausnog.net"
> Subject: Re: [AusNOG] Recommendations for reliable LTE devices
> X-BeenThere: ausnog at lists.ausnog.net
> X-Mailman-Version: 2.1.15
> Precedence: list
> List-Id: Australian Network Operators Mailing List
> List-Unsubscribe: ,
> List-Archive:
> List-Post:
> List-Help:
> List-Subscribe: ,
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 7bit
> Errors-To: ausnog-bounces at lists.ausnog.net
> Sender: "AusNOG"

From billing.com at h2270174.stratoserver.net Mon May 22 05:01:58 2017
From: billing.com at h2270174.stratoserver.net (Commonwealth)
Date: Sun, 21 May 2017 21:01:58 -0000
Subject: [tech] You have a new account statement available to view in NetBank
Message-ID: <1495400490.13958.qmail@server>

An HTML attachment was scrubbed...
URL: http://lists.ucc.gu.uwa.edu.au/pipermail/tech/attachments/20170521/66e514bb/attachment.htm
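Editor's added example for the firewall thread above (Andrew's request for per-VM rules that owners can read and wheel can audit, and David's suggestion to rewrite the firewall in nftables). This is not code from the thread or from UCC; it assumes a model where wheel keeps a registry of VM name, address and owner, each owner submits a small fragment listing the ports they want open on their own VM, and a script rejects any fragment that names a VM the submitter does not own before rendering one nftables ruleset with a chain per VM. The registry, addresses (RFC 5737 documentation range) and fragments are constructed.

```python
"""Delegated per-VM firewall: owners edit fragments, wheel owns the skeleton.

Added example, not code from the list thread. Assumed model: a wheel-owned
registry (VM -> address -> owner), one owner-submitted fragment per VM, and
a render step that enforces the delegation boundary before emitting nft(8)
syntax suitable for `nft -f`.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class VM:
    name: str
    addr: str    # IPv4 address of the VM
    owner: str   # the one login allowed to edit this VM's fragment


# Constructed sample registry (wheel-controlled); addresses are documentation ranges.
REGISTRY = {
    "vm-alice": VM("vm-alice", "192.0.2.10", "alice"),
    "vm-bob": VM("vm-bob", "192.0.2.11", "bob"),
}
VM_SUBNET = "192.0.2.0/24"   # assumed subnet the VMs live on (constructed)


def validate_fragment(registry, submitter, fragment):
    """Return (vm, [(proto, port), ...]) or raise ValueError.

    This is the delegation boundary: a fragment may only open tcp/udp ports
    on the VM its submitter owns, never on anything else.
    """
    vm = registry.get(fragment.get("vm"))
    if vm is None:
        raise ValueError(f"{submitter}: unknown VM {fragment.get('vm')!r}")
    if vm.owner != submitter:
        raise ValueError(f"{submitter}: not the owner of {vm.name}")
    allow = []
    for entry in fragment.get("allow", []):
        try:
            proto, port = entry
        except (TypeError, ValueError):
            raise ValueError(f"{vm.name}: malformed entry {entry!r}")
        if proto not in ("tcp", "udp"):
            raise ValueError(f"{vm.name}: protocol {proto!r} not delegated")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"{vm.name}: bad port {port!r}")
        allow.append((proto, port))
    return vm, allow


def fragment_is_accepted(registry, submitter, fragment):
    try:
        validate_fragment(registry, submitter, fragment)
        return True
    except ValueError:
        return False


def chain_name(vm_name):
    # nft chain names: keep to [A-Za-z0-9_]
    return "".join(c if c.isalnum() else "_" for c in vm_name)


def render_ruleset(registry, fragments):
    """fragments: iterable of (submitter, fragment dict). Returns nft text."""
    ipaddress.ip_network(VM_SUBNET)   # fail early on a typo in the subnet
    per_vm = {name: set() for name in registry}
    for submitter, frag in fragments:
        vm, allow = validate_fragment(registry, submitter, frag)
        per_vm[vm.name].update(allow)

    out = [
        "table inet vmfw",            # create the table if it is missing,
        "flush table inet vmfw",      # then drop its old rules before redefining it
        "table inet vmfw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    # Per-VM jumps come first so VM-to-VM traffic is also subject to the target's chain.
    for name in sorted(registry):
        out.append(f"    ip daddr {registry[name].addr} jump {chain_name(name)}")
    out.append(f"    ip saddr {VM_SUBNET} accept   # VMs may initiate outbound")
    out.append("  }")
    for name in sorted(registry):
        vm = registry[name]
        out.append(f"  chain {chain_name(name)} {{")
        out.append(f"    # {vm.name} ({vm.addr}), fragment owner: {vm.owner}")
        out.append("    icmp type echo-request accept")
        for proto, port in sorted(per_vm[name]):
            out.append(f"    {proto} dport {port} accept")
        out.append("    drop")
        out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


# Constructed fragments: alice opens ssh and https, bob opens dns on his own VM,
# and ROGUE is bob trying to open a port on alice's VM.
FRAGMENTS = [
    ("alice", {"vm": "vm-alice", "allow": [("tcp", 22), ("tcp", 443)]}),
    ("bob", {"vm": "vm-bob", "allow": [("udp", 53)]}),
]
ROGUE = ("bob", {"vm": "vm-alice", "allow": [("tcp", 4444)]})

if __name__ == "__main__":
    print(render_ruleset(REGISTRY, FRAGMENTS))
    print("rogue fragment accepted:", fragment_is_accepted(REGISTRY, *ROGUE))
```

The point of the layout is auditability: wheel reviews one rendered file, `nft list chain inet vmfw vm_alice` shows an owner exactly what applies to their VM, and because the jump into each VM's chain precedes the outbound accept, traffic between VMs is filtered by the destination's chain rather than waved through by the subnet rule. The fragment check, not the kernel, is what keeps delegation bounded, so it must run on the wheel-controlled host before anything is loaded.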
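Editor's added example for James's `dkim=fail reason="key not found in DNS"` message above. This is not code from the thread; it takes the DKIM-Signature header quoted there, works out which TXT record a verifier fetches (`selector._domainkey.domain`), and classifies what such a lookup returned. The DNS answers in the block are constructed; to check a live domain, replace them with the output of `dig +short TXT <name>`.

```python
"""Diagnose a DKIM 'key not found in DNS' failure from the signature header.

Added example, not from the list thread. The header below is the one quoted
in the message; the TXT answers are constructed to show each outcome.
"""
import re

HEADER = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=ucc.gu.uwa.edu.au;\n"
    "  s=ucc-2016-3; t=1495427002;\n"
    "  bh=vLVBvNg6iZsypszfLOxHBGrkMx7gHzBRDHuZC2PvI5Q=;\n"
    "  h=Date:From:To:cc:Subject:In-Reply-To:References:From;\n"
    "  b=WaIR6TjKdjywg4XqCzux/6Tr17s19i3JhzD80jujeBTsm2re3S9luJ+E8epsgY/Mu\n"
    "  +znALX9kutlCLnNVCI5Fn4cVgty61O+I4kl8cacv2rB8j3Dssodn0muR7pIdM0ThLx\n"
    "  l0d3zsQ8d+Ga2zG83nmEVIl6/oDgUJT9W6YJdSlk=\n"
)


def parse_tags(text):
    """Unfold a DKIM-Signature header (or a DKIM key TXT record) into {tag: value}.

    RFC 6376 tag=value pairs are ';'-separated; folding whitespace inside a
    value (common in b=) is removed so the value can be used as-is.
    """
    body = text.split(":", 1)[1] if text.lower().startswith("dkim-signature:") else text
    tags = {}
    for part in body.split(";"):
        if "=" not in part:
            continue
        k, v = part.split("=", 1)
        tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def key_record_name(tags):
    """DNS name the verifier queries for the signer's public key."""
    for req in ("d", "s"):
        if not tags.get(req):
            raise ValueError(f"signature lacks required tag {req}=")
    return f"{tags['s']}._domainkey.{tags['d']}"


def classify_key_lookup(txt_records):
    """Given the TXT strings returned for that name (possibly none), say what
    a verifier will conclude. Mirrors the 'key not found' wording in the report."""
    if not txt_records:
        return "key not found in DNS"          # no TXT record at all
    candidates = [parse_tags(r) for r in txt_records]
    # v= is optional in a key record; if present it must be DKIM1. p= is required.
    dkim = [t for t in candidates if t.get("v", "DKIM1") == "DKIM1" and "p" in t]
    if not dkim:
        return "key not found in DNS"          # TXT exists but is not a DKIM key record
    if len(dkim) > 1:
        return "multiple key records (verifier behaviour undefined)"
    if dkim[0]["p"] == "":
        return "key revoked (empty p=)"
    if dkim[0].get("k", "rsa") != "rsa":
        return "unsupported key type"
    return "key found"


# Constructed DNS answers for the record name; QUFBQQ== is a placeholder, not a real key.
CONSTRUCTED_ANSWERS = {
    "missing": [],
    "spf_at_wrong_name": ["v=spf1 -all"],
    "revoked": ["v=DKIM1; k=rsa; p="],
    "good": ["v=DKIM1; k=rsa; p=QUFBQQ=="],
}

if __name__ == "__main__":
    tags = parse_tags(HEADER)
    print("lookup:", key_record_name(tags))
    for label, answer in CONSTRUCTED_ANSWERS.items():
        print(f"{label:>18}: {classify_key_lookup(answer)}")
```

Two things worth noting from the report itself: both signatures use the same selector (`ucc-2016-3`), so a single missing record explains both failures, and the `(0-bit key; unprotected)` annotation is how OpenDKIM-style verifiers describe a lookup that returned nothing rather than a bad key. Authentication-Results with `dkim=fail` on a list-relayed message can also come from the list rewriting the body, but that produces a "signature verification failed" reason, not "key not found", so the DNS side is the right place to look first.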