Another technical post:
Untangle installation in router mode.
Untangle is an all-inclusive, stateful packet router. It can deal with virus analysis, spam filtering, intrusion detection, firewall, NAT, VPN server, remote access portal and much, much more. It comes as a live Knoppix CD-ROM of 400 MB offering an intuitive installation wizard (note: it will wipe your HD). It does seem to support a lot of hardware configurations 'out-of-the-box', since it installed on a DELL 4600 (dual Xeon 2.4 GHz) with an old RAID controller (PERC/3) with only some small difficulties concerning the USB controller (keyboard interface, not the mouse), which were easily fixed by switching to PS/2 devices. I was unable to see the error since the keyboard was automatically deactivated by the hardware detection process and "alt-f2" (to show the boot process) was unavailable.
The installation process is very straightforward. You don't even need the online documentation (wiki, UserGuide, QuickStart): even the admin password is defined by the user during the first boot process. There is one 'must-know' though: the post-installation process (configuration of the 'rack', a list of software affecting inbound connections) requires internet access and access to Untangle's 'web-store'. This isn't very fun if you want to replace a live router or if you are installing behind a proxy.
While it is a great product and Untangle allows a fallback to the console/terminal for advanced tech guys, I've had quite a bit of trouble with this error: cannot start a transaction within a transaction. Untangle uses SQLite databases, which easily go into deadlock when 2 operations are committed at the same time (like 2 hits on "save"). The best advice I can give you: if you see this error, immediately go through the computer restart procedure. It seems a harsh solution, but it works and will prevent your database from queuing requests that will never be completed anyway.
Conclusion: good GUI for an easy-to-configure router, easy to fall back to GNU/Linux and modify the system. Available as a VMware image, Windows installer (re-router) or downloadable ISO. It's recommended.
It's been a long time since my last technical post on this blog. Today, we will go through the installation of the GeoIP libraries (from MaxMind) linked with a very common and well-known DNS server, BIND9 (from ISC). Before going any further in the lab, please note that I do not consider the GeoIP patch "feature complete", since it does not cover all GeoIP types (only countries), does not apply to bind-9.5.x and the install process isn't as "fine-tuned" as it should be.
NOTE: I will be releasing, this week-end, a new, enhanced patch covering those issues. So, let's go on.
Why this lab?
Simply because distributed infrastructures are a common sight and load-balancing traffic across multiple web load-balancers (yeah, I know, balancing on balancers) can sometimes be very tricky. Solutions such as round-robin DNS are, at most, a "best effort" mechanism. Network architects with valid demographic statistics will be able to offer a "nearest server" and an enhanced experience through geolocation. This also allows creating a poor man's CDN (Content Delivery Network) without having to learn / deploy very complex infrastructures.
Installation
We start by installing MaxMind's GeoIP libraries. They come with a free database of IP/countries. We follow by retrieving BIND from ISC's server and applying the patch to link the two together. This is the patch I'll be enhancing.
# change to the source directory
cd /usr/local/src
# get the GeoIP libraries
wget http://www.maxmind.com/download/geoip/api/c/GeoIP-1.4.5.tar.gz
tar zxf GeoIP-1.4.5.tar.gz
cd GeoIP-1.4.5
# configure & install the libraries (stop at the first failing step)
./configure && make && make install
# back to /usr/local/src
cd ..
# get bind-9.4.3
wget http://ftp.isc.org/isc/bind9/9.4.3/bind-9.4.3.tar.gz
tar zxf bind-9.4.3.tar.gz
# get geodns (GeoIP binding for the DNS software)
wget http://www.caraytech.com/geodns/patch.diff
# patch bind
cd bind-9.4.3
patch -p1 < ../patch.diff
# configure bind with the new libs (on one line; this procedure will change with the new patch)
CFLAGS="-I/usr/local/include" LDFLAGS="-L/usr/local/lib -lGeoIP" ./configure --prefix=/usr/local/bind
# compile + install bind
make && make install
Configuration
We now have a default installation of a patched BIND9 server & GeoIP libraries. The next step is to create the configuration files. I will not go into great detail here, plenty of how-tos are available. The principle of GeoIP is matching clients by country code, not only by IP address; this is the value of the patch we applied.
/usr/local/bind/etc/named.conf
options {
    directory "/usr/local/bind/var/bind";
    listen-on-v6 { none; };
    pid-file "/usr/local/bind/var/run/named/named.pid";
};
view "us" {
    // Match clients from the US
    match-clients { country_US; };
    recursion no;
    zone "example.com" {
        type master;
        file "pri/example-us.db";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
view "ca" {
    // Match clients from Canada
    match-clients { country_CA; };
    recursion no;
    zone "example.com" {
        type master;
        file "pri/example-ca.db";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
view "other" {
    // Match all others
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "pri/example-other.db";
    };
    zone "." IN {
        type hint;
        file "named.ca";
    };
};
/usr/local/bind/var/named.ca ; this file (the root hints) can be retrieved from almost anywhere. Google it.
And we also need the zone definitions:
/usr/local/bind/var/bind/pri/example-us.db
/usr/local/bind/var/bind/pri/example-ca.db
/usr/local/bind/var/bind/pri/example-other.db
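Because BIND hands a query to the first view whose match-clients matches, the "other" view above must stay last, and a copy-paste slip pointing two views at the same zone file silently defeats the country split. The following checker is an added example (not part of the original post or of the geodns patch): it walks view blocks written in the style above, using a constructed sample named.conf, and flags those two mistakes plus a missing final catch-all.

```python
import re

# Constructed sample in the style of the named.conf above (the geodns
# patch provides the country_XX ACL names used in match-clients).
GOOD_CONF = """
view "us" {
    match-clients { country_US; }; recursion no;
    zone "example.com" { type master; file "pri/example-us.db"; };
};
view "ca" {
    match-clients { country_CA; }; recursion no;
    zone "example.com" { type master; file "pri/example-ca.db"; };
};
view "other" {
    match-clients { any; }; recursion no;
    zone "example.com" { type master; file "pri/example-other.db"; };
};
"""
# Same views with the catch-all moved first: every client would land in "other".
BAD_CONF = GOOD_CONF[GOOD_CONF.index('view "other"'):] + GOOD_CONF[:GOOD_CONF.index('view "other"')]
VIEW_START = re.compile(r'view\s+"([^"]+)"\s*\{')

def split_views(conf):
    """Return [(name, body)] for each top-level view, walking braces by hand."""
    views, pos = [], 0
    while (m := VIEW_START.search(conf, pos)):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        views.append((m.group(1), conf[m.end():i - 1]))
        pos = i
    return views

def match_clients(body):
    m = re.search(r'match-clients\s*\{([^}]*)\}', body)
    return [t.strip() for t in m.group(1).split(';') if t.strip()] if m else []

def zone_files(body):
    return dict(re.findall(r'zone\s+"([^"]+)"[^{]*\{[^}]*?file\s+"([^"]+)"', body, re.S))

def check_views(conf):
    """Flag an 'any' view that shadows later views, a zone file shared by two views, and no final catch-all."""
    views = [(n, match_clients(b), zone_files(b)) for n, b in split_views(conf)]
    problems, seen = [], {}
    for idx, (name, acls, zones) in enumerate(views):
        if 'any' in acls and idx != len(views) - 1:
            problems.append(f"view {name}: 'any' shadows every view after it")
        for zone, path in zones.items():
            if (zone, path) in seen:
                problems.append(f"view {name}: {zone} reuses {path} from view {seen[(zone, path)]}")
            seen[(zone, path)] = name
    if not views or 'any' not in views[-1][1]:
        problems.append("no trailing catch-all view: clients from other countries match no view")
    return problems
```

Run check_views on the real file before reloading named; an empty list means the three checks passed.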
Conclusion
At this point, you have a BIND server running with views selected according to the DNS client's country. The following command (since I do not really own example.com) will give different results depending on whether you are in the USA or in Canada: "dig @air0.labsphoenix.com test.example.com". Btw: the "dig" command is part of the dnsutils package. Have fun!
Some people (production users) will be pleased to know that fire0, air0 & water0 have been updated. All security fixes are applied as soon as they are available, but mainstream patches can be delayed a bit before getting onto production servers.
About research & development: earth0, fire1, fire2, air2, air3 and air4 will be deployed next week. The interconnect is currently Ethernet-100Mbps, but there are plans to change that to Ethernet-1000Mbps & InfiniBand. Those servers are for dev, so they'd better be fun ;-).
For those wondering what those names represent:
earthX: SAN system
fireX: dom0 system (Xen) - virtualisation master
airX: domU system (Xen) - virtualised slave
waterX: over-the-edge system. Fully managed server, paid for by labsphoenix, located at a client's business.
Note: if you think you should receive access to any of those servers, or that your involvement in open source and free software warrants the right to play with those development servers, get in touch with me. Some instances / servers are freely offered to start-ups, developers and sysadmins to conduct tests on (or to have a production environment).
The long-awaited new feature of Amazon AWS is now available: CloudFront. In short, it's a content delivery network based on their S3 storage solution. I should have some benchmarks later in the week.
Well, I had been wanting to do this for a little while: my blog now passes "XHTML 1.0 Transitional" validation. Nothing really incredible, but it's a step forward.