IPTables show it all! Show those interfaces!

Instead of iptables -L run iptables -L -v

[root@s3 ~]# iptables -L -v
Chain INPUT (policy DROP 6 packets, 408 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
74 8345 ACCEPT tcp -- ens224 any anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
0 0 ACCEPT tcp -- ens192 any anywhere anywhere tcp dpt:https
0 0 ACCEPT tcp -- ens192 any anywhere anywhere tcp dpt:http
622 73939 ACCEPT tcp -- ens224 any 10.0.0.0/8 anywhere
2 209 ACCEPT all -- ens224 any anywhere anywhere
0 0 ACCEPT all -- ens224 any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
668 88096 ACCEPT all -- any any anywhere anywhere
0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
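The value of -v is that the in/out columns tell the two "ACCEPT all ... anywhere anywhere" rules apart from a blanket allow. As an added example (not from the original post), this small Python parser reads the INPUT chain above and flags the ACCEPT rules that are open for every protocol and source on an interface, plus any rule that is an exact duplicate of an earlier one and therefore never fires:

```python
"""Parse `iptables -L -v` and flag ACCEPT rules that are overly broad or shadowed.
Added example, not from the page; SAMPLE is the page's INPUT chain, retyped."""
from collections import namedtuple

Rule = namedtuple("Rule", "chain pkts bytes target prot opt inp out src dst extra")
SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}   # counters shown without -x

SAMPLE = """\
Chain INPUT (policy DROP 6 packets, 408 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT icmp -- any any anywhere anywhere icmp echo-reply
   74  8345 ACCEPT tcp -- ens224 any anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
    0     0 ACCEPT tcp -- ens192 any anywhere anywhere tcp dpt:https
    0     0 ACCEPT tcp -- ens192 any anywhere anywhere tcp dpt:http
  622 73939 ACCEPT tcp -- ens224 any 10.0.0.0/8 anywhere
    2   209 ACCEPT all -- ens224 any anywhere anywhere
    0     0 ACCEPT all -- ens224 any anywhere anywhere
"""

def to_int(s):
    return int(s[:-1]) * SUFFIX[s[-1]] if s[-1] in SUFFIX else int(s)

def parse(text):
    """Return one Rule per rule line; chain headers and column headers are skipped."""
    rules, chain = [], None
    for f in (line.split() for line in text.splitlines() if line.strip()):
        if f[0] == "Chain":
            chain = f[1]
        elif f[0] != "pkts":
            pkts, nbytes, target, prot, opt, inp, out, src, dst = f[:9]
            rules.append(Rule(chain, to_int(pkts), to_int(nbytes), target, prot,
                              opt, inp, out, src, dst, " ".join(f[9:])))
    return rules

def broad_accepts(rules):
    """ACCEPT rules for every protocol from any source with no further match:
    without -v these read as a blanket allow; -v shows which interface is open."""
    return [r for r in rules if r.target == "ACCEPT" and r.prot == "all"
            and r.src == "anywhere" and not r.extra]

def shadowed(rules):
    """Rules whose match tuple already appeared earlier in the same chain:
    the earlier rule takes every packet, so the later one never fires (0 pkts)."""
    seen, dupes = set(), []
    for r in rules:
        key = (r.chain, r.prot, r.inp, r.out, r.src, r.dst, r.extra)
        if key in seen:
            dupes.append(r)
        seen.add(key)
    return dupes
```

Run it against `iptables -L -v` output piped from a real host and the two interface-wide allows on ens224 show up as the rules to review first.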

EMC ScaleIO on ESXi

Generate a GUID https://www.guidgenerator.com/online-guid-generator.aspx
esxcli software vib install -d /tmp/sdc.zip
reboot
esxcli system module parameters set -m scini -p "IoctlIniGuidStr=552b6419-a478-449b-a02c-16c87066bb8a IoctlMdmIPStr=10.0.32.4,10.0.32.5"
esxcli system module load -m scini

Add ESX host to multi-volumes
Via ID:
scli --map_volume_to_sdc --volume_name CIN1-SCALE-VOL1 --sdc_id c41389be00000005 --allow_multi_map
Via IP:
scli --map_volume_to_sdc --volume_name CIN1-SCALE-VOL1 --sdc_ip 10.0.32.41 --allow_multi_map

Other useful commands.
scli --query_all_volumes
scli --unmap_volume_from_sdc --volume_name Testvol1 --all_sdcs
scli --remove_volume --volume_name Testvol1 --i_am_sure
scli --remove_volume --volume_name vol1 --i_am_sure

CentOS 7 disable IPv6 SLAAC

To disable SLAAC on a CentOS 7 server, /etc/sysconfig/network must be edited. It must contain these two lines.

NETWORKING_IPV6=yes
IPV6_AUTOCONF=no
/etc/sysconfig/network-scripts/ifcfg-ethx must also be edited. It must contain this line.
IPV6_AUTOCONF=no
Run '/sbin/service network restart' to restart your server's networking.

Juniper NTP and Protecting the Routing Engine

By default your Juniper device will respond to NTP requests. This is bad for two reasons. One: your router can now be used for an NTP reflection attack. Two: during this NTP reflection attack your routing engine will run out of resources and stop processing truly important things like BGP, OSPF, VRRP, and (insert protocol of choice).

Enabling NTP is easy.

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51

Ta Da!  But now your router is also an NTP server available to be used, or most likely, abused by anyone.

Protecting the routing engine is slightly more complex than enabling NTP as there are a few variables to consider.

If you are using the command 'set system ntp source-address 192.168.1.1', this source address must be allowed by the firewall filter so the router can query itself when the 'show ntp ...' commands are used. If you are not specifying a source address, the router's loopback address must be allowed by the firewall filter so the router can query itself.

Using a specific source address.

Note that the prefix-list used in the firewall includes the router’s specified ntp source address.


NTP

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51
set system ntp source-address 192.168.1.1

Prefix list of valid NTP servers

set policy-options prefix-list ntp-servers 192.168.1.50/32
set policy-options prefix-list ntp-servers 192.168.1.51/32
set policy-options prefix-list ntp-servers 192.168.1.1/32

Loopback interface

set interfaces lo0 unit 0 family inet filter input protect-re
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

Firewall filter

set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from port ntp
set firewall family inet filter protect-re term allow-ntp then accept
set firewall family inet filter protect-re term block-ntp from protocol udp
set firewall family inet filter protect-re term block-ntp from port ntp
set firewall family inet filter protect-re term block-ntp then count blocked-ntp
set firewall family inet filter protect-re term block-ntp then discard
set firewall family inet filter protect-re term allow-all then accept

Not using a specific source address.

Note that the prefix-list used in the firewall includes the router’s loopback address.

NTP

set system ntp server 192.168.1.50
set system ntp server 192.168.1.51

Prefix list of valid NTP servers

set policy-options prefix-list ntp-servers 192.168.1.50/32
set policy-options prefix-list ntp-servers 192.168.1.51/32
set policy-options prefix-list ntp-servers 1.1.1.1/32

The loopback interface and firewall filter remain the same. More information can be found in Juniper's knowledge base.

Update: Logging of the dropped packets will also cause excessive Routing Engine processing.
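The pitfall in both variants is the same: if the address the router sources its own NTP queries from is missing from the prefix-list, the allow-ntp term misses and block-ntp discards the router's own packets. As an added example (not Juniper's code, and not part of the original post), this Python checker parses the flat `set` statements above, works out which address the router will source from (the configured source-address, else the lo0 address), and walks the protect-re terms in order to see whether that self-query is accepted:

```python
"""Check that a Junos protect-re filter still accepts the router's own NTP queries.
Added example (not Juniper's code); understands only this page's flat `set` lines."""
import ipaddress

# Constructed from the page's "specific source address" variant, abbreviated.
CONFIG = """\
set system ntp source-address 192.168.1.1
set policy-options prefix-list ntp-servers 192.168.1.50/32
set policy-options prefix-list ntp-servers 192.168.1.1/32
set interfaces lo0 unit 0 family inet address 1.1.1.1/32
set firewall family inet filter protect-re term allow-ntp from source-prefix-list ntp-servers
set firewall family inet filter protect-re term allow-ntp from protocol udp
set firewall family inet filter protect-re term allow-ntp from port ntp
set firewall family inet filter protect-re term allow-ntp then accept
set firewall family inet filter protect-re term block-ntp from port ntp
set firewall family inet filter protect-re term block-ntp then discard
set firewall family inet filter protect-re term allow-all then accept
"""

def parse_config(text):
    cfg = {"source": None, "loopback": None, "lists": {}, "terms": {}}
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[1:4] == ["system", "ntp", "source-address"]:
            cfg["source"] = w[4]
        elif w[1:3] == ["interfaces", "lo0"] and "address" in w:
            cfg["loopback"] = w[w.index("address") + 1].split("/")[0]
        elif w[1:3] == ["policy-options", "prefix-list"]:
            cfg["lists"].setdefault(w[3], []).append(ipaddress.ip_network(w[4]))
        elif w[1] == "firewall" and "term" in w:
            i = w.index("term")                 # ... term NAME from|then ...
            term = cfg["terms"].setdefault(w[i + 1], {"from": [], "then": []})
            term[w[i + 2]].append(" ".join(w[i + 3:]))
    return cfg

def term_matches(term, cfg, self_ip):
    """Does a UDP/123 packet sourced from self_ip satisfy every `from` clause?"""
    for cond in term["from"]:
        if cond in ("protocol udp", "port ntp"):
            continue                            # always true for the self-query
        kind, _, name = cond.partition(" ")
        if kind != "source-prefix-list" or not any(self_ip in n for n in cfg["lists"].get(name, [])):
            return False                        # unmodelled match: assume no hit
    return True

def self_query_allowed(cfg):
    """Walk terms in config order (as Junos does); the first matching term decides."""
    self_ip = ipaddress.ip_address(cfg["source"] or cfg["loopback"])
    for term in cfg["terms"].values():
        if term_matches(term, cfg, self_ip):
            return "accept" in term["then"]
    return False                                # implicit discard at filter end
```

Removing the 192.168.1.1/32 entry (or dropping source-address without adding 1.1.1.1/32 to the list) makes the check fail, which is exactly the case where 'show ntp ...' stops working.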

Ceph on ZFS (CentOS)

Create the OSDs on your mon; you will use these IDs later:
ceph osd create

Update your ceph.conf on all the osd machines.
[osd]
journal_dio = false
filestore_zfs_snap = 1
journal_aio = false

Configure your storage.

zpool create disk1 /dev/sdX
zpool create disk2 /dev/sdX
zfs set mountpoint=/var/lib/ceph/osd/ceph-2 disk1
zfs set mountpoint=/var/lib/ceph/osd/ceph-3 disk2
zfs set xattr=sa disk2
zfs set xattr=sa disk1
ceph-osd -i 2 --mkfs --mkkey
ceph-osd -i 3 --mkfs --mkkey
ceph auth add osd.3 osd 'allow *' mon 'allow rwx' -i /var/lib/ceph/osd/ceph-3/keyring
ceph auth add osd.2 osd 'allow *' mon 'allow rwx' -i /var/lib/ceph/osd/ceph-2/keyring

#this makes the init script start them, no osd configuration needed in ceph.conf
touch /var/lib/ceph/osd/ceph-2/sysvinit
touch /var/lib/ceph/osd/ceph-3/sysvinit
service ceph start

Further example/documentation: http://docs.ceph.com/docs/master/install/manual-deployment/