Thursday, April 16, 2009

New RaQCop firewall


The last few days I was fighting with the Apache 2 reverse proxy functions to use two web servers with my ADSL connection. Unfortunately I had problems redirecting all the content I wanted. For this reason I decided to try an authentic reverse proxy like Pound. But installing Pound on one of the servers is not enough for me ;D

A new old project is alive: run my own firewall on one server and install the reverse proxy on it. Just in time, a new toy arrived this week: a Symantec Velociraptor 1100. In fact, the Velociraptor is a Cobalt RaQ 4i with specially developed firmware and software (originally by Axent). My Velociraptor came with Cobalt 2.3.39 stored in the ROM, but it doesn't show the Cobalt logo on the display. It also has an Intel Pro 100 dual ethernet PCI-X card:


Since I don't have the original Velociraptor software, and I don't want to look for it because it is old, not customizable and needs an expensive paid license, I decided to install RaQCop. I had played with RaQCop before, but not for enough time. RaQCop is a special version of IPCop that comes with a patched kernel for the RaQ hardware, LCD utils and a new administration web theme.

There is another firewall software ready for Cobalt servers: Firebolt. Developed by the same team as Strongbolt, Firebolt is a port of the ClarkConnect firewall software, but it is a paid version (like Strongbolt) and I'm not sure which features are included by default. Maybe Firebolt is the better solution for home or office use, as there is a very good manual and the support from ClarkConnect and OSOffice seems to be great. Firebolt will be the next game.

First of all the Velociraptor needed a ROM upgrade. Fortunately, I have a hard disk with the old CobaltOS ready and the Velociraptor boots from it. I got the necessary files for the upgrade from OSOffice, following this guide but making a backup of the old ROM first. If you don't know which ROM maker your server has, you have to open the server and look at the chip, as explained here.


  1. Login via SSH as root.

  2. Go to the temporary folder: # cd /tmp.

  3. Download the flashtool (in my case it is ST branded): # wget http://www.osoffice.co.uk/linux/roms/flashtool-amd-st.

  4. Make the file executable: # chmod +x flashtool-amd-st.

  5. Back up the original ROM (cmos) and then download the file with an FTP client:
    # ./flashtool-amd-st -v -r > cobalt-vr-2.3.39-1M.rom
    ./flashtool-amd-st: searching for PCI 10b9:7101 : found it at /proc/bus/pci/00/03.0
    ./flashtool-amd-st: systype = COBT_3K
    ./flashtool-amd-st: bank 0: ST Microelectronics M29F080A 1MB
    ./flashtool-amd-st: Using pthread POSIX real time scheduling.
    ./flashtool-amd-st: reading page 0
    ./flashtool-amd-st: reading page 1
    ./flashtool-amd-st: reading page 2
    ./flashtool-amd-st: reading page 3
    ./flashtool-amd-st: reading page 4
    ./flashtool-amd-st: reading page 5
    ./flashtool-amd-st: reading page 6
    ./flashtool-amd-st: reading page 7
    ./flashtool-amd-st: reading page 8
    ./flashtool-amd-st: reading page 9
    ./flashtool-amd-st: reading page 10
    ./flashtool-amd-st: reading page 11
    ./flashtool-amd-st: reading page 12
    ./flashtool-amd-st: reading page 13
    ./flashtool-amd-st: reading page 14
    ./flashtool-amd-st: reading page 15
    ./flashtool-amd-st: flushing buffers

  6. Download the new ROM; this one is for a GENIII RaQ and is not valid for a RaQ 550: # wget http://www.osoffice.co.uk/linux/roms/cobalt-2.10.3-ext3-1M.rom.

  7. And now the critical job, writing the new ROM:
    # ./flashtool-amd-st -v -w cobalt-2.10.3-ext3-1M.rom
    ./flashtool-amd-st: searching for PCI 10b9:7101 : found it at /proc/bus/pci/00/03.0
    ./flashtool-amd-st: systype = COBT_3K
    ./flashtool-amd-st: bank 0: ST Microelectronics M29F080A 1MB
    ./flashtool-amd-st: Using pthread POSIX real time scheduling.
    ./flashtool-amd-st: writing page 0
    ./flashtool-amd-st: buffer page 0 does not exist - creating it
    ./flashtool-amd-st: writing page 1
    ./flashtool-amd-st: buffer page 1 does not exist - creating it
    ./flashtool-amd-st: writing page 2
    ./flashtool-amd-st: buffer page 2 does not exist - creating it
    ./flashtool-amd-st: writing page 3
    ./flashtool-amd-st: buffer page 3 does not exist - creating it
    ./flashtool-amd-st: writing page 4
    ./flashtool-amd-st: buffer page 4 does not exist - creating it
    ./flashtool-amd-st: writing page 5
    ./flashtool-amd-st: buffer page 5 does not exist - creating it
    ./flashtool-amd-st: writing page 6
    ./flashtool-amd-st: buffer page 6 does not exist - creating it
    ./flashtool-amd-st: writing page 7
    ./flashtool-amd-st: buffer page 7 does not exist - creating it
    ./flashtool-amd-st: writing page 8
    ./flashtool-amd-st: buffer page 8 does not exist - creating it
    ./flashtool-amd-st: writing page 9
    ./flashtool-amd-st: buffer page 9 does not exist - creating it
    ./flashtool-amd-st: writing page 10
    ./flashtool-amd-st: buffer page 10 does not exist - creating it
    ./flashtool-amd-st: writing page 11
    ./flashtool-amd-st: buffer page 11 does not exist - creating it
    ./flashtool-amd-st: writing page 12
    ./flashtool-amd-st: buffer page 12 does not exist - creating it
    ./flashtool-amd-st: writing page 13
    ./flashtool-amd-st: buffer page 13 does not exist - creating it
    ./flashtool-amd-st: writing page 14
    ./flashtool-amd-st: buffer page 14 does not exist - creating it
    ./flashtool-amd-st: writing page 15
    ./flashtool-amd-st: buffer page 15 does not exist - creating it
    ./flashtool-amd-st: flushing buffers
    ./flashtool-amd-st: flushing block 0 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 1 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 2 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 3 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 4 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 5 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 6 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 7 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 8 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 9 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 10 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 11 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 12 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 13 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 14 to ROM... verifying... done
    ./flashtool-amd-st: flushing block 15 to ROM... verifying... done

  8. Now, if no errors appeared during the ROM upgrade, you can reboot. If you got errors you can repeat the process as many times as you need. If you still have errors, write the backup ROM again and DON'T REBOOT OR SHUT DOWN BEFORE THE ROM IS OK. The ROM is read at boot time and if it's wrong you will turn your RaQ into a nice spare case.

Be careful to verify which type of ROM chip you have. If your server has an Intel ROM chip you need a different flashtool, created by Tim Hockin, as explained in the OSOffice guide.
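As an added example (not from the post or from OSOffice), here is a small POSIX sh wrapper for steps 5 to 8 that refuses to write until the backup has the expected size, reads the new ROM back afterwards and compares it byte for byte, restoring the backup on a mismatch. It assumes flashtool-amd-st in the current directory with the -r/-w options shown above and the 1 MB part the tool reports.

```shell
#!/bin/sh
# Added example, not the post's own procedure. Assumes ./flashtool-amd-st
# writes the ROM image to stdout with -r and takes an image file with -w,
# printing its progress messages on stderr, as in the session above.
set -u

FLASHTOOL=${FLASHTOOL:-./flashtool-amd-st}   # assumption: same tool as in the post
ROM_BYTES=1048576                            # M29F080A is a 1 MB part

# rom_size_ok FILE: succeeds only if FILE is exactly ROM_BYTES long
rom_size_ok() {
    [ -f "$1" ] || return 1
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -eq "$ROM_BYTES" ]
}

# rom_images_match A B: succeeds only if both files are byte-for-byte identical
rom_images_match() {
    cmp -s "$1" "$2"
}

# flash_rom NEW_IMAGE BACKUP_FILE: back up, sanity-check, write, read back, compare.
# Returns non-zero on any failure, after trying to put the backup back.
flash_rom() {
    new=$1
    backup=$2
    rom_size_ok "$new" || { echo "new image has wrong size, aborting" >&2; return 1; }
    "$FLASHTOOL" -v -r > "$backup" || return 1
    rom_size_ok "$backup" || { echo "backup has wrong size, not writing" >&2; return 1; }
    "$FLASHTOOL" -v -w "$new" || return 1
    "$FLASHTOOL" -v -r > "$new.readback" || return 1
    if ! rom_images_match "$new" "$new.readback"; then
        echo "read-back differs from image: restoring backup, do NOT reboot yet" >&2
        "$FLASHTOOL" -v -w "$backup"
        return 1
    fi
    echo "ROM written and verified against $new.readback"
}
```

Run it as `flash_rom cobalt-2.10.3-ext3-1M.rom cobalt-vr-2.3.39-1M.rom` from /tmp; keep the backup file off the server as the post suggests.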

The next step is downloading the RaQCop image. I used a 128MB flash card, as you can see in the next picture, but it was flashed some months ago:


RaQCop detects the four ethernet ports, so I have 4 different zones: Green for the intranet, Red for the ADSL uplink, Blue for the wireless access point and Orange for the servers. Each zone works in its own subnet, and if I want to connect to a computer in a different zone I have to prepare a VPN or a pinhole: a bit difficult for a newbie like me, but very safe.

Here you have the firewall running. Some adjustments had to be made to the GUI theme, but it's so nice. To be continued...

Friday, April 10, 2009

Reverse Proxy

Or how to use two web servers for different websites with only one external IP...

One thing I want to test is reverse proxying with Apache. With my new server ready it is time to try, because my old one hasn't finished some jobs and I want to start developing my new website with the new Strongbolt 2.

I don't know why, but although on the Internet you can find a lot of descriptions and forum posts about Apache's mod_proxy, I couldn't find one configuration that works with my setup. I found an easy guide to using a reverse proxy with Apache here. Following the guide I only needed to add these two lines to /etc/httpd/conf/httpd.conf:

ProxyPass http://www.mywebsite.com http://internal1.example.com/
ProxyPassReverse http://www.mywebsite.com http://internal1.example.com/

But this is not enough: after some googling and a lot of tests I found a configuration that works. I need to write the reverse proxy configuration in a virtual host inside the httpd.conf of the first machine:

    <VirtualHost 192.168.2.105:80>
        ServerAdmin admin@mywebsite.com
        ServerName mywebsite.com
        ServerAlias www.mywebsite.com
        ErrorLog logs/titox_net_log

        ProxyRequests Off

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        ProxyPass / http://192.168.2.102/
        ProxyPassReverse / http://192.168.2.102/
    </VirtualHost>

The main fault is usually the ServerName and ServerAlias directives; almost everybody forgets to write the ServerAlias (like me). Remember to stop the Apache HTTP server before editing the config file or Apache will overwrite the changes. On a BQ box:
  1. # /sbin/service httpd stop
  2. Edit /etc/httpd/conf/httpd.conf
  3. # /sbin/service httpd start

Now, when somebody types www.mywebsite.com in his browser, the main server redirects transparently to my second server.

No more configuration is needed because mod_proxy is enabled by default in Strongbolt.

UPDATE:
In fact, the first Apache server is redirecting all the incoming requests that are not for its virtual sites to the second one. Another thing is that I can't log in to the administrator panel of the second server... more tests to be done.
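As an added example (not the post's own configuration), here is the proxy vhost above extended to two internal servers behind the single external IP, with a locally served site placed first. Apache uses the first <VirtualHost> for an address as the default for any request whose Host header matches no ServerName or ServerAlias, which explains why unmatched requests end up at the second server; the hostnames, the local DocumentRoot and the 192.168.2.103 backend are placeholders.

```apache
# Added example, not from the original post. 192.168.2.105 is the front
# server and 192.168.2.102 the second server as in the post; everything
# else is a placeholder. Apache 2.0/2.2 syntax, as used by BlueQuartz.
NameVirtualHost 192.168.2.105:80

# First vhost for this address = default for unmatched Host headers.
# Keep a local site (or an explicit catch-all) here so requests for
# unknown names are not handed to the internal server.
<VirtualHost 192.168.2.105:80>
    ServerName local.example.com
    DocumentRoot /home/sites/local/web
</VirtualHost>

<VirtualHost 192.168.2.105:80>
    ServerName mywebsite.com
    ServerAlias www.mywebsite.com
    ErrorLog logs/mywebsite_proxy_log

    # Off = reverse proxy only; On would expose an open forward proxy
    ProxyRequests Off
    # Hand the original Host header to the backend so its own name-based
    # virtual hosts see www.mywebsite.com instead of 192.168.2.102
    ProxyPreserveHost On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    ProxyPass / http://192.168.2.102/
    ProxyPassReverse / http://192.168.2.102/
</VirtualHost>

# Second website, second internal server: same pattern, own ServerAlias
<VirtualHost 192.168.2.105:80>
    ServerName othersite.example.com
    ServerAlias www.othersite.example.com
    ErrorLog logs/othersite_proxy_log

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass / http://192.168.2.103/
    ProxyPassReverse / http://192.168.2.103/
</VirtualHost>
```

Check the result with `httpd -S` before restarting: it lists which vhost is the default for each address and which names map where.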

Developing in a Bluequartz box

Nuonce published a long time ago a package that installs all the development resources needed for a BQ box, but on the latest releases of BQ, BlueOnyx or Strongbolt the package refuses to install. The solution, according to these posts on the BlueQuartz list, is to install everything from yum:

In one line:
  • yum install autoconf automake14 automake15 automake16 automake17 automake binutils bison cpp cvs diffstat flex gcc gcc-c++ gcc-objc gettext glibc-devel glibc-headers glibc-kernheaders libobjc libstdc++-devel ncurses-devel patch patchutils pkgconfig rpm-build

Now we can compile on our boxes.

Fuel goes Gigabit !!!

For a long time everybody has wanted Gigabit Ethernet on their systems. On SGI systems there are few options and they are usually expensive. In fact, SGI cards are really rebranded 3Com ones and a mod can be done. All cards have a Tigon 3 chipset (Broadcom 5701) but with a different PCI identification in their EEPROM.

The first mod was a new kernel driver; you can find all the information in this post on the nekochan forums, but with this kind of mod the card only runs on a patched IRIX OS.

The best solution now is to modify the EEPROM directly with the ethtool software included in Linux distributions. You can find how to do this mod at the end of this post. In my case I tried with the old Fedora 7 installation I have on my workstation with no success, then I recovered an old Gentoo LiveCD 00.2006 and applied the modifications.

Now I have my Fuel with Gigabit Ethernet, but I have to finish my network wiring at home!!!!

Thursday, April 9, 2009

Nuonce Networks is closed

Unfortunately, at the start of 2009 we had very bad news: Nuonce Networks ceased its operations.
Brian N. Smith, the owner of Nuonce, ran the company in his spare time and last year he had little time for it. Brian is the developer of the CentOS + BlueQuartz CD used in a lot of servers and has a lot of important packages for BlueQuartz and Strongbolt. Fortunately the support forum is still there for archival purposes.

Now there is one thing to do in our Strongbolt installation because of the missing Nuonce repo:
  • rm /etc/yum.repos.d/NuOnce.repo
If you want the Nuonce installation CD, you can download it from SolarSpeed, but maybe it is worth testing the new BlueOnyx from the same developers.

Preparing my new main server with Strongbolt 2


Yes, I haven't written much lately, but this doesn't mean I haven't been busy. At the end of 2008 the Open Source Office (OSOffice) released an update for Strongbolt: Strongbolt 2. This update is composed of some packages that are installed via the BlueQuartz GUI. The most important part of the update is the new ROM for our Cobalt servers (RaQ and Qube). This new ROM is ready to detect SATA disks when using Silicon Image PCI cards, and USB disks.


With this new ROM the OSOffice team developed a new reinstall system via a USB stick: after the server is upgraded with Strongbolt 2 and has the new ROM, if it needs a new installation of the OS, setting the boot disk to sda1 (USB) in the ROM configuration is enough to reinstall the whole system without any problem and without any other computer acting as installation server. Unfortunately the reinstallation only works on IDE hard disks. I tried to modify the installer stick to force Anaconda to install the OS on a SATA disk (the USB stick is then sdb1), but after a lot of tests on my Qube3 I had no success. I think a new Anaconda image has to be made and I don't have the necessary knowledge to do this job.

There is another important upgrade: PHP5, but only for the virtual sites, while the BlueQuartz panel (now called OSPanel) keeps working on PHP4. But this is enough to install the latest PHP software we need.


After this small introduction, what I did today: my main idea was to install Strongbolt 2 on my RaQ550, which had been sleeping for some months. I had installed Strongbolt 2 in January to test the system but no more work was done. This afternoon I decided to put inside two Seagate 7200.7 of 120 GB from a RaQ4r and reinstall everything from the USB stick, but when Anaconda is installing the rpms on the server it reboots. I tried some more times with the same result. In the OSOffice forum there is a post about the same problem with 80GB disks. Very odd, as these disks were working nicely in a RaQ4r.

Due to the problems with the hard disks I replaced the RaQ550 with a RaQ3i upgraded with a 500MHz CPU and a second IDE channel. The hard disks worked well here and now I have a new server ready to work. I want to use it to develop my personal website and my own email server at home.

Unfortunately my RaQ550 has to sleep some more time until the next test, which will be installing the new Strongbolt 2.5 when available. SB 2.5 will be a mix of Strongbolt 2 and BlueOnyx and, maybe, it could be installed on a new and BIG BIG BIG SATA hard disk.

P.S.: I have to take some photos of the servers and SGI workstations but...

This is the new OSPanel appearance: