Ssh in zones

This is my first time setting up zones, so I decided to make a full zone, but I cannot get ssh to work. I have checked some of the solutions that worked for others, but the message I get is:
svcadm enable -s svc:/network/ssh:default
svcadm: Instance "svc:/network/ssh:default" has unsatisfied dependencies.
I have a resolv.conf file. What is missing? What dependencies are missing? Please help.
One other thing: I cannot get
zoneadm -z zonename boot -s to work. Any ideas?

Try svcs -x to find the missing dependencies. Probably sshd can't find keys.
bbr
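As an added example (not part of the thread), a small POSIX shell script that applies bbr's advice mechanically: it parses output in the format of svcs -d svc:/network/ssh:default and lists every dependency that is not online, and it checks that the sshd host-key files exist in a given directory. The svcs output embedded here is constructed to match the Solaris 10 column layout (STATE STIME FMRI); it was not captured from the poster's system.

```shell
#!/bin/sh
# Added example: triage "svcadm: Instance ... has unsatisfied dependencies"
# for svc:/network/ssh:default. Not from the original thread.
#
# Constructed sample of `svcs -d svc:/network/ssh:default` (STATE STIME FMRI);
# not captured from a real zone.
SAMPLE_SVCS_D='STATE          STIME    FMRI
online         10:02:11 svc:/system/filesystem/local:default
online         10:02:11 svc:/network/loopback:default
offline        10:02:12 svc:/network/physical:default
maintenance    10:02:13 svc:/system/cryptosvc:default'

# Print the FMRI of every dependency whose state is not "online".
# $1: text in svcs -d format (header line first).
unsatisfied_deps() {
    printf '%s\n' "$1" | awk 'NR > 1 && $1 != "online" { print $3 }'
}

# Print the names of sshd host keys missing from an /etc/ssh directory.
# $1: directory to check. Sun SSH on Solaris 10 uses RSA and DSA host keys.
missing_host_keys() {
    for key in ssh_host_rsa_key ssh_host_dsa_key; do
        [ -f "$1/$key" ] || echo "$key"
    done
}

# Combined triage report: returns 1 if anything needs fixing, 0 otherwise.
# $1: svcs -d text, $2: ssh configuration directory.
ssh_triage() {
    deps=$(unsatisfied_deps "$1")
    keys=$(missing_host_keys "$2")
    status=0
    if [ -n "$deps" ]; then
        echo "dependencies not online (check each with svcs -xv):"
        printf '  %s\n' $deps
        status=1
    fi
    if [ -n "$keys" ]; then
        echo "host keys missing in $2 (sshd needs a host key to accept connections):"
        printf '  %s\n' $keys
        status=1
    fi
    return $status
}

# Stand-alone run against the constructed sample and the real /etc/ssh path.
if ssh_triage "$SAMPLE_SVCS_D" /etc/ssh; then
    echo "nothing obviously blocking svc:/network/ssh:default"
else
    echo "fix the items above, then retry: svcadm enable -s svc:/network/ssh:default"
fi
```

On a real zone, feed the function the live output with unsatisfied_deps "$(svcs -d svc:/network/ssh:default)"; every FMRI it prints is a candidate for svcs -xv, which explains why that instance is offline or in maintenance.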

Similar Messages

  • SSH in Solaris 10 & zones

    I have recently seen this problem connecting via ssh
    (from a Windows box using Secure SSH (www.ssh.com))
    particularly to Solaris 10 SPARC (connection problem to both global and zones),
    complaining of a different algorithm and not connecting.
    I played with choosing different algorithm options available with Secure SSH
    but had no success.
    ssh session from another Solaris box to the Solaris 10 box (both global and zones)
    seems to be ok.
    Anybody having a similar problem,
    or having troubleshot the same, let me know.
    thanks
    Nil

    > I have recently seen this problem connecting via ssh
    > (from a Windows box using Secure SSH (www.ssh.com))
    > particularly to Solaris 10 SPARC (connection
    > problem to both global and zones)
    > complaining of a different algorithm and not
    > connecting.
    Could you please specify what version of S10 you are running? (uname -v)
    - jonathan

  • Ssh takes me to the global zone instead of the non-global zone

    I have set up my first Solaris 10 server with a new zone. The ce device is set up on the zone as well as the global zone.
    Output from ifconfig on the global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce0: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.217 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 3
    inet 172.16.1.199 netmask ffffff00 broadcast 172.16.1.255
    ether 0:3:ba:f2:a1:54
    Output from the non-global zone:
    # ifconfig -a
    lo0: flags=2001000849<UP,LOOPBACK,RUNNING,MULTICAST,IPv4,VIRTUAL> mtu 8232 index 1
    inet 127.0.0.1 netmask ff000000
    ce1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
    inet 172.16.1.199 netmask ffff0000 broadcast 172.16.255.255
    ether 0:3:ba:f2:a1:54
    When I ssh into the non-global zone, I end up in the global zone? Can I ssh straight into the non-global zone? Am I missing something in the zone setup that keeps me from being able to ssh into the non-global zone?
    Any help is appreciated. I have been racking my brain on this for several hours.
    Thanks ahead of time.

    TAdriver wrote:
    > The one thing I have found in the documentation is that if you set the network as an exclusive IP, you can only assign the physical name using zonecfg. You can't set the IP address or the default router. In fact, if you try to set either of those, you get an error saying you can't set those using an exclusive IP type.
    Correct. When doing a shared-IP zone, the zone has no privileges to do IP-level things. So the global zone (via the zone configuration) creates the virtual interface and sets the IP address. Then when the zone is booted, the interface is given to it.
    With an exclusive-IP zone, the zone can do all this work itself. From its perspective, it's handed an interface like a regular machine. So the IP settings are done within the zone (/etc/hosts, /etc/hostname.XXX, /etc/netmasks).
    Darren

  • Ssh to non-global zone slow

    I'm running b60 on X86 with 1 zone. ssh into the global zone is fine with almost instant response. SSH into the non-global zone takes about 10-15 seconds to produce the password prompt. I've tried this with and without rctl limits, same behaviour.
    Any help is appreciated
    Thanks
    Suresh

    I'm using b63 on opteron with about a dozen zones and have no delay when
    ssh'ing to the global or non-global zones. One common thing to check is that your nameservice for
    performing reverse lookups is quick.
    Once you have logged in, try doing:
    time getent hosts <IP_YOU_LOGGED_IN_FROM>
    and see how long that takes to come back.
    Also check your /etc/hosts.allow & /etc/hosts.deny in case you are using identd or some other tweak
    to libwrap (tcpwrappers) that may trigger a delay.

  • Ssh to non-global zone

    Hi,
    I have a Solaris 11.1 T4 server. I created a 'flar' from a Solaris 10 (U7) server and created a Solaris 10 zone on the T4.
    zonecfg has the IP address configured (can't copy and paste) correctly.
    The global zone has net1:1 configured with the IP address, however net1 is 0.0.0.0.
    I can ping the IP address, but attempts to ssh to the address receive the 'connection refused' error.
    On the non-global zone I tried to start ssh unsuccessfully without errors...
    What else am I missing?
    Cheers
    Craig.

    Hi.
    Try connecting to the zone's console (zlogin -C). Possibly the zone is not fully installed.
    Show the result of:
    svcs -xv
    What errors or messages happen when you try to start the ssh service?
    Regards.

  • IOS Zone firewall (ZFW) & changing SSH listening port

    I'll have to check into the details again but I recall there being a way to change the listening port for SSH.  Not only do you have to configure SSH itself to listen on a new port but I think there was something about making the inbound interface part of a rotary group or something.
    Anyway, my question is more about how the zone firewall reacts to this.  If I have inspect set for SSH (or pass) and yet change the default port for it, does the IOS still know to take the configured action on the protocol?  I'll try to test this myself once I have an opportunity but may not be able to for several days, plus if anybody has anything further to add regarding any other implications this port change might have, please share.
    Thanks! 

    Hi Julio,
    You are ever helpful, sir. However, things are not making sense.
    Ok so to take it from the top. So far I have done the following:
    Router(config)#ip ssh port 2340 rotary 1
    Then:
    Router(config)#line vty 0 123 (123 = max # of vty lines, my actual # is different)
    Router(config-line)#rotary 1
    This of course does not make SSH on port 2340 work from the Internet zone to Self as I have not yet modified the firewall nor done the ip port-map command. It does work from the LAN side to Self since that zone-pair is more forgiving, however, it works on both 22 and 2340 which I thought odd since I thought the ip ssh command changes the SSH server listening port.
    I have not yet permanently set the ip port-map command. However I ran it once and then did a sh ip port-map ssh
    This showed system defined ssh port maps for tcp and udp on 22, and then my user defined one for tcp port 2340. Interesting that the system-defined ones are both UDP and TCP - I thought SSH was TCP only.
    According to the IOS command references (for release 15.2), I should not be able to remove the system-defined port map entries as it would give an error. However, I did no ip port-map ssh port tcp 22 and the same for the UDP entry and they disappeared - so now for sh ip port-map ssh I get no results returned. Yet, SSH still works on 22 and 2340.
    Be that as it may, after some further testing I've concluded that with or without use of the ip port-map ssh port tcp 2340 entry, SSH works (from LAN to Self) on either port 22 or 2340. It seems ip port-map has no effect on the SSH server itself (?). Or perhaps PAM is overridden by the ip ssh commands?
    So at that point I decided to stop testing, not doing anything with the firewall yet, until I understand things better. So far, the IOS is very confusing in its behavior.
    Changing the SSH server's listening port via ip ssh command to something other than 22 seems to not actually change anything, it just adds that port in addition to 22.
    Port-application mapping appears to have no effect on the SSH server (I have not tested whether ip ssh overrides PAM or vice versa)
    So far there seems to be no way to actually change port 22 usage - even "deleting" the PAM entry for ssh via 22 has no effect.
    Confusing!

  • Trying to ssh from a local zone to a firewalled physical server

    When I try to ssh to the server I get the following errors:
    # ssh -v x.x.x.x
    Sun_SSH_1.1.5, SSH protocols 1.5/2.0, OpenSSL 0x0090704f
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Rhosts Authentication disabled, originating port will not be trusted.
    debug1: ssh_connect: needpriv 0
    debug1: Connecting to x.x.x.x [ x.x.x.x] port 22.
    debug1: connect to address x.x.x.x port 22: Cannot assign requested address
    ssh: connect to host x.x.x.x port 22: Cannot assign requested address
    This happens if I use the hostname or the IP address.  There is no record of the ssh even getting to the firewall.
    traceroute is giving the following
    # traceroute x.x.x.x
    traceroute to x.x.x.x (x.x.x.x), 30 hops max, 40 byte packets
    1 traceroute: sendto: Network is unreachable
    traceroute: wrote x.x.x.x 12 chars, ret=-1
    *traceroute: sendto: Network is unreachable
    We can do the same from other servers but not from any of the local or global zones on this server, and I can't find any difference in the setup between them.
    The global is Solaris 11 and the local is a Solaris 10 branded zone.

    I get the blue screen asking me for a forgotten password - 11 months of storage and an old brain. Thanks very much. I am Windows gluent and, as a friend remarked when he'd queried me as to which laptop I'd bought and I told him I'd gotten a good deal on an old G4 model, he said "you're not a PC user anymore, you're a cult member." I still smile at that.

  • Reproducible SSH broken pipe problem on git push at East US 2 zone

    Hello.
    I'm not able to push a git repository of ~12M into East US 2 zone. I receive a "broken pipe" error. (It looks like the connection is really slow in East US 2.)
    I've created a script to reproduce the scenario in West Europe and East US 2, and I'm having this problem only in East US 2: https://gist.github.com/dacap/cc9dbf1e1ac46b1ad9ae
    Right there you have "create-vms.ps1" script to create both VMs. Then "execute-on-vm.sh" Bash script to create an empty Git repository in the VM. And finally the Git error output I get in the client side when I want to push the repository
    into the East US 2 VM. (The West Europe VM works just fine.)

    Hi David,
    What is the status of the VM in East US 2 in Azure Management portal? Please make sure that it is running.
    In addition, you can try to install telnet client on your local computer and run "telnet xxx.cloudapp.net 22" to test the connectivity.
    Best regards,
    Susie

  • Open ports in zones

    I am encountering a strange behavior in new zones created using zonemgr 2.0.6 (this is the only way I create zones, so I do not know if the issue is more general). When I create a new zone, two strange things are happening:
    1. Immediately after the zone is created, no services are running, not even ssh
    2. About 10 minutes later, a whole bunch of services are running. Most of these are not running on the global zone.
    For reference, nmap output on the global zone is the following:
    [dcomsm1@dcomsm1:~] $ nmap t2000
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 20:51 EST
    Interesting ports on 131.247.16.134:
    Not shown: 991 closed ports
    PORT STATE SERVICE
    22/tcp open ssh
    111/tcp open rpcbind
    2161/tcp open apc-agent
    3052/tcp open powerchute
    4045/tcp open lockd
    32774/tcp open sometimes-rpc11
    32775/tcp open sometimes-rpc13
    32776/tcp open sometimes-rpc15
    32777/tcp open sometimes-rpc17
    The new zone is created using the following zonemgr arguments:
    [root@t2000:~/zonecfgs] # more ./temp.sh
    #!/usr/bin/bash
    ./zonemgr -a add -n drenkhah -z "/export/zones" -P "root_pw" -I "131.247.16.159|e1000g0|25|drenkhah" -R "/root|/usr/bin/bash" -s "basic|lock"
    zone creation output is as follows:
    [root@t2000:~/zonecfgs] # ./temp.sh
    Checking to see if the zone IP address (131.247.16.159) is already in use...IP is available.
    cannot create '/drenkhah': leading slash in name
    chmod: WARNING: can't access /export/zones/drenkhah
    chown: /export/zones/drenkhah: No such file or directory
    Zone drenkhah will be placed in the following directory: /export/zones/drenkhah
    Preparing to install zone <drenkhah>.
    Creating list of files to copy from the global zone.
    Copying <2568> files to the zone.
    Initializing zone product registry.
    Determining zone package initialization order.
    Preparing to initialize <1042> packages on the zone.
    Initialized <1042> packages on zone.
    Zone <drenkhah> is initialized.
    The file </export/zones/drenkhah/root/var/sadm/system/logs/install_log> contains a log of the zone installation.
    Creating the sysidcfg file for automated zone configuration.
    Booting zone for the first time.
    Waiting for first boot tasks to complete.
    Waiting for automatic post-install reboot to complete
    Updating netmask information.
    Updating /etc/inet/hosts of the global zone with the drenkhah IP information.
    Generating ssh host keys. Details in the (/root/.zonemgr/zone28330-ssh.log) file.
    svcadm: Pattern 'svc:/network/ssh' doesn't match any instances
    Setting the root user's home directory to /root
    Setting the root user's shell to /usr/bin/bash
    Disabling un-necessary services via basic method for the default services.
    Zone drenkhah is complete and ready to use.
    nmap output just after creating the zone is as follows:
    [dcomsm1@dcomsm1:~] $ nmap drenkhah
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 17:53 EST
    All 1000 scanned ports on 131.247.16.159 are closed
    Nmap done: 1 IP address (1 host up) scanned in 29.39 seconds
    nmap output 17 minutes later is as follows:
    [dcomsm1@dcomsm1:~] $ nmap drenkhah
    Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 18:10 EST
    Interesting ports on 131.247.16.159:
    Not shown: 986 closed ports
    PORT STATE SERVICE
    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    79/tcp open finger
    111/tcp open rpcbind
    513/tcp open login
    514/tcp open shell
    587/tcp open submission
    4045/tcp open lockd
    6112/tcp open dtspc
    6788/tcp open unknown
    6789/tcp open ibm-db2-admin
    7100/tcp open font-service
    Nmap done: 1 IP address (1 host up) scanned in 29.25 seconds
    Note that there are many open ports
    # uname -a
    SunOS t2000 5.10 Generic_137137-09 sun4v sparc SUNW,Sun-Fire-T200
    Thanks
    Manish
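    As an added example (not from the thread), a POSIX shell script that does the comparison Manish made by hand: it extracts the open ports from two nmap normal-output captures, prints the ones open in the second capture but not in the first, and then flags the legacy cleartext services among them. The two captures embedded below are copied from the post above (the global zone scan and the zone scan 17 minutes after creation); the legacy-port table is this example's own assumption, not something zonemgr or nmap provides.

```shell
#!/bin/sh
# Added example: report ports open in one nmap capture but not in a baseline
# capture, then flag legacy cleartext services. Not from the original thread.
#
# Both captures below are copied from Manish's post (nmap 5.00 normal output).
GLOBAL_SCAN='Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 20:51 EST
Interesting ports on 131.247.16.134:
Not shown: 991 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
2161/tcp open apc-agent
3052/tcp open powerchute
4045/tcp open lockd
32774/tcp open sometimes-rpc11
32775/tcp open sometimes-rpc13
32776/tcp open sometimes-rpc15
32777/tcp open sometimes-rpc17'

ZONE_SCAN='Starting Nmap 5.00 ( http://nmap.org ) at 2010-02-28 18:10 EST
Interesting ports on 131.247.16.159:
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
79/tcp open finger
111/tcp open rpcbind
513/tcp open login
514/tcp open shell
587/tcp open submission
4045/tcp open lockd
6112/tcp open dtspc
6788/tcp open unknown
6789/tcp open ibm-db2-admin
7100/tcp open font-service'

# Extract "port/proto" for every line nmap marks as open, sorted for comm(1).
# $1: nmap normal output.
open_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1 }' | sort
}

# Ports open in scan $2 that are not open in the baseline scan $1.
new_open_ports() {
    base=$(mktemp); cur=$(mktemp)
    open_ports "$1" > "$base"
    open_ports "$2" > "$cur"
    comm -13 "$base" "$cur"
    rm -f "$base" "$cur"
}

# Flag legacy cleartext services in a port/proto list. The port table is an
# assumption of this example: the classic services an ssh-only host should
# not expose. $1: newline-separated port/proto list (as new_open_ports prints).
legacy_services() {
    printf '%s\n' "$1" | awk -F/ '
        $1 == 21  { print $0 " ftp" }
        $1 == 23  { print $0 " telnet" }
        $1 == 79  { print $0 " finger" }
        $1 == 513 { print $0 " rlogin" }
        $1 == 514 { print $0 " rsh" }'
}

# Stand-alone run over the two captures from the post.
echo "ports open on the new zone but not on the global zone:"
NEW=$(new_open_ports "$GLOBAL_SCAN" "$ZONE_SCAN")
printf '  %s\n' $NEW
echo "of which legacy cleartext services:"
legacy_services "$NEW" | sed 's/^/  /'
```

    Run with the first scan of a freshly created zone as the baseline and a later scan as the current capture to see exactly which listeners appeared after the "Disabling un-necessary services" step; an empty legacy_services result is the quick check that the step took effect.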

    The Leopard OS X firewall is application based and not port based. Honestly, I haven't played with it enough to know for certain how to answer your question.
    But... when you do connection sharing, you're essentially doing a port based NAT for the systems on the other side of your Mac. This pretty much keeps you from initiating anything to the other system even without a local firewall unless you were to configure port forwarding.
    As for blocking packets, you would need to use the 'ipfw' command to do things at the port level.

  • Networking problem after a zone is created and installed

    Hi all,
    I've got a networking problem after a zone was created and installed on a Solaris 10 box. The box was configured with two NICs, one (e1000g0) with a public IP address, the other one (e1000g1) with a private IP address and connected to a local switch. All worked fine so far.
    Then I created a local zone with shared networking (e1000g1). The zone has a private IP address which is in the same subnet as e1000g1 on the global zone. After some time, I noticed that I could not access (ssh, ping) the global zone. Then after some time, the global zone became available. The problem happened quite frequently.
    Also I observed that: 1) When the global zone was unavailable from outside, it was available (ssh, ping) from another box within the same subnet (e1000g0); 2) If I shut down e1000g1, the problem was gone.
    Any idea what caused this problem?
    Many thanks,
    Xiaobo

    It was a route problem.

  • Small, cheap NAS box that supports nfs/rsync/ssh ?

    Hi all,
    for my personal backup needs, I'm looking for a standalone NAS box ("networked hard disk/raid solution").  I need to have support for at least one of rsync/nfs/ssh.  (smb/ftp is not enough for me)
    It shouldn't be too big (eg not the size of a regular pc.) and it shouldn't cost more than 350 euro or so without disks.
    If I can mount one or two sata 1TB disks I'm happy.
    Bonus points for solutions where I have total control over the "OS" on it, where the hardware platform consists of standardized, easily replaceable parts and if it's powerful enough to do encryption. (I'm prepared to throw in extra cash for these features)
    I guess my options are:
    1) a product that supports what I want out of the box.  I couldn't find that (unless ridiculously expensive, eg 500 euro or more without disks)
    2) a product that *almost* does what I want, but where you can install a small Linux distro/freenas over the original firmware so you can do what you want.  Basically any appliance (be it a storage device, embedded platforms, network equipment, ...) that can host hard disks and where you can overwrite the OS is worth looking into.
    3) building something myself.  I've seen some really small motherboards based on Atom CPUs, or even embedded stuff can be enough (something like soekris, pc-engines, etc).  But it needs 2 sata ports then, I need to find a housing, a psu, etc. SFF-pc's such as shuttle's etc can also be good options
    Any tips, pointers, ideas ?
    Thanks
    UPDATE:
    Here is a list of some devices/urls/thoughts/questions I'm working on.  Work in progress! I'll update.
    Interesting URLs
    http://www.hardware.info/nl-NL/productd … S_devices/ off-the-shelf-nas
    http://www.mini-itx.com/ all stuff mini-ITX
    http://www.epiacenter.com all stuff epia
    http://www.logicsupply.com/ mini-itx and SFF resource
    http://www.logicsupply.com/matrix/mainboard mainboard matrix
    http://www.mini-itx.com/reviews/atoms/ review of 5 Atom mini-itx boards with power comparison between the 2 intel chipsets
    http://resources.mini-box.com/online/po … lator.html power calculator (not prepared for Atom though)
    http://forums.vr-zone.com/showthread.php?t=275906 power comparison atom vs C2D
    Chipsets
    TDPs taken from http://download.intel.com/design/proces … 309219.pdf page 399, http://ark.intel.com/chipset.aspx?familyID=28994
    type - TDP - usage - url
    945 GM  /GME express - 7 - used with atoms? - http://www.intel.com/products/notebook/ … erview.htm
    945 GMS/GSE express - 6 - used on some atom boards who are not available yet (eg the MSI 9830/9832) - http://www.intel.com/design/chipsets/em … /index.htm
    945 GC - 22.2 - used on nearly all current atom boards - http://ark.intel.com/chipset.aspx?familyID=28994
    945 PM express - 6 - ?
    943 GML express - 7 - ?
    940 GML express - 7 - ?
    945 GT express  - 15 - ?
    ultra mobile 945GU express - 5 - ?
    G45 - 24 - "rich media" socket 775 boards - http://www.intel.com/Assets/PDF/designguide/319972.pdf
    Q45 - 17 - "business" socket 775 boards - http://www.intel.com/Assets/PDF/designguide/319972.pdf
    P45 - 22 - ?? - http://www.intel.com/Assets/PDF/designguide/319972.pdf
    TDPs of complete systems
    type - TDP idle - TDP loaded cpu - TDP loaded cpu+video - source url
    945 GSE setup without HDD - 15 - 17 - ? - http://www.mini-itx.com/reviews/atoms/
    945 GC  setup without HDD - 25 - 27 -  ? -  http://www.mini-itx.com/reviews/atoms/
    945 GC (and ich7) full setup - 27 - 31 - 38 - http://www.silentpcreview.com/article865-page5.html
    G45 Express + C2D E6400 65nm full setup - 49 - 97 - 98 - http://www.silentpcreview.com/article869-page5.html
    G45 Express + C2D E7200 45nm full setup - 35 - 64 - 65 - http://www.silentpcreview.com/article869-page5.html
    Off-the-shelf NAS
    * LaCie Ethernet Disk mini: needs to connect to internet to activate? or is this only for the remote feature? can you run custom OS on it?
    * ximeta ndas seems to need special/proprietary drivers/calls to be able to use it?
    * linksys nas200
    seems pretty customizable. some 3rd party firmwares
    http://www.linksysinfo.org/forums/showt … hp?t=60232
    http://www.nslu2-linux.org/wiki/NAS200/Hardware
    http://www.iomega-europe.com/section?SI … ecid=40380 (nslu2 firmwares)
    slow: 3MB/s over 100Mbps
    slower than dlink and qnap. see http://www.trustedreviews.com/networkin … -NAS200/p2
    * intel SS4000E or something?
    * qnap ts-509 or other qnap?
       http://www.qnap.com/pro_detail_feature.asp?p_id=86 -> 480euro
       http://www.qnap.com/pro_detail_feature.asp?p_id=104 -> 800 euro
    * iomega storcenter
    * netgear readynas: they have decent pricey ones which are big and consume as much as an atom based server or something.
       they also have smaller ones.:
       2disk 310euro
       4disk -> 1000 euro
       http://www.netgear.nl/producten/product … od=RND2150 -> 300 euro
       6disk http://www.netgear.nl/producten/product … d=RNDP6610 -> runs on an intel C2D -> 1500euro
    * dlink
    * thermaltake muse looks pretty cool http://www.xpcgear.com/n0001lnu.html 390 euro http://tweakers.net/pricewatch/149904/t … -wit).html
    * synology has lots of stuff. eg http://www.synology.com/enu/products/CS407/index.php
       http://www.synology.com/enu/products/DS207+/index.php -> 285 euro
       http://www.synology.com/enu/products/DS408/index.php -> 510+ euro
       http://www.synology.com/enu/products/DS508/index.php -> 800+ euro
    * hp
       http://www.hp.com/united-states/campaig … martserver
    DIY-style (TODO: look up motherboards, enclosures, etc) miniITX, arm, via, intel atom,...
    * info/tutorials
    ** http://blogs.sun.com/paulie/entry/zfs_n … _the_intel
    ** http://www.mashie.org/casemods/udat2.html (note: the 5disks into 3 bays thing is discontinued)
    * complete boxes/barebones:
    ** Asus eeebox: perfect except that it can only contain 1 disk, of the format of 2.5"
    ** http://www.norcotek.com/DS-520.php 5x hotswap sata. Celeron, 2x Gbps,... looks great although very hard to get in EU apparently + you're bound to custom motherboard etc
    ** Shuttle XPC X27D dualcore atom, 1x 2.5 hdd. but 645GC http://loveno.be/product/16866
    * motherboard/cpu combos
    ** http://www.via.com.tw/en/products/mainb … ard_id=610     Via C7 1.5Ghz, 4-8x sata, padlock engine, via gigabit controller. CF and miniPCI slot, 1xddr2
    ** http://www.intel.com/Products/Desktop/M … erview.htm . Atom 230 1.6Ghz. 1x IDE, 2x sata. only 100Mbit/s, 1x PCI, 1xddr2
    ** MSI MS-9830. fanless. 2x Gigabit. 2x sata. available yet?
    ** MSI MS-9832. http://www.logicsupply.com/products/ms_9832 2x Gbps, 4x sata. 1x ata. expected 1/20/2008
    ** Intel D945GCLF2 -> like D945GCLF, but dualcore,Gigabit.
    ** Intel DG45FC http://www.intel.com/Products/Desktop/M … erview.htm socket775, 4x sata, 2x Gbps,... -> based on intel G45 "media center" chip (eg more media features), but same price as DQ45EK !
    ** Intel DQ45EK http://support.intel.com/Products/Deskt … erview.htm socket775, 4xsata,Gigabit.  -> based on intel Q45 "business" chip. perfect for the chenbro case, except no 5th sata (unless i loop the esata back in) or ide for the 5th 2.5" disk
    ** http://www.asus.com/products.aspx?l1=3& … odelmenu=1 Similar, but more media-features and 6x sata
    ** Jetway J7F4K1G5D-PB. Via C7. 2X Gbps, 2x sata 150, 1x ata 100
    ** Epia SN xx -> various epia boards with 4x sataII
    * cases
    ** http://usa.chenbro.com/corporatesite/pr … ?serno=100 (nice mini ITX server case with 4x hotswap bays and PSU) (just make sure you have good AHCI support) 170euro
    **  http://www.xpcgear.com/pcv350b.html Lian-Li PC-V350B , 2x 5,5", 2x 3.5", microATX
    Notes
    * I heard via Epia is rather expensive especially for its quite low performance
    * Via nano might be a good platform (must google more for this, stable?)
    * There are no Atom boards with more than 2 sata ports.  (the msi's still are to be expected)
    * Taking an intel board with a slow celeron / amd with sempron can be an option, it will be fast, stable and not expensive.  I'm told it wouldn't pull too much power either. (although more than atom/epia)
    * "ready-to-go" SFF-pc's/barebones can be found in the <300 euro price range, making this a good target for a simple 1/2-disk NAS
    * AHCI problems with AMD/ATI RS400-200, RS480 HBA and Nvidia nForce 560. see http://en.wikipedia.org/wiki/Advanced_H … _Interface
    * An intel G45/Q45-based system would be sweet, they have
    - http://en.wikipedia.org/wiki/List_of_In … _Factor.29
    - http://en.wikipedia.org/wiki/List_of_In … C_45_nm.29
    with very low TDP, but they don't fit in socket 775
    Last edited by Dieter@be (2009-01-30 10:11:53)

    deadrabbit wrote:
    > I recently bought an MSI Wind desktop, with pretty much the same thing in mind. I ended up deciding against a NAS enclosure, since I wanted to be able to install a conventional Linux distro, and have complete control over it.  The Wind is cheap, and all the hardware is Linux compatible (http://www.newegg.com/Product/Product.a … 6856167032). I ended up installing the OS on a CompactFlash card, so the hard drive wouldn't have to run constantly. As a result, it's nice and quiet, uses little power, and the OS on the CF card is automatically backed up to the hard drive. I wrote up a detailed description of the project here: http://rockhoppernotes.blogspot.com/200 … sktop.html.
    Thanks, looks quite good.
    Except one thing: the 945GC chipset has a TDP of 22.2W.. that's stupid imo, and defeats the whole purpose of a low-tdp cpu such as the Atom.  Right now I'm still doubting between waiting for an Atom board based on the 945GM(S)/945GSE chip (TDP 6Watt) (eeebox has that one, some MSI mini-ITX boards should be available in january) or going for a socket775 board with an intel core2 45nm cpu, which would consume not much more than Atom+ 945GC chipset (when idle, loaded is much more but I don't plan to load it ).
    Nvidia is also working on an Atom chipset but I don't think I'll wait for that.

  • ZBFW - dmz-zone to in-zone access

    Hi IOSers,
    I have a Cisco 2901 which terminates a Class C address pool.
    I have split the Class C address pool into 3 sub-nets and 2 zones and created a non-addressable pool (private pool):
    dmz-zone : x.x.x.0 TO x.x.x.127 (x.x.x.0/25)
    in-zone: x.x.x.128 TO x.x.x.159 (x.x.x.128/27) & x.x.x.160 TO x.x.x.191 (x.x.x.160/27)
    private-zone: 192.168.x.0 TO 192.168.x.255 (192.168.x.0/24)
    I have configured private-zone NAT to use address pool x.x.x.161 TO x.x.x.189 within the in-zone.
    Within the:
    dmz-zone - are servers for : DNS, Syslog, SIP & HTTP/HTTPS
    in-zone - is a SMTP mail server which is behind VPN Gateway/NAT, TomCat (Application Server) and PostgreSQL Server
    private-zone - is where all standard users are operating from and they can access the SIP & HTTP/HTTPS servers within dmz-zone
    My problem is that I cannot seem to configure the ZBFW to allow the dmz-zone HTTP/HTTP server to redirect to in-zone TomCat server.
    I do not want to make the TomCat server generally visible and am instead using the Apache proxy/ajp13 to connect from dmz-zone server to in-zone server.
    However I cannot seem to get anything (including icmp) to work from dmz-zone to in-zone.
    I have Policy:
    POLICY-DMZ-IN (dmz-zone to in-zone) which has:
    any any udp/tcp inspect
    any any icmp inspect
    unmatched traffic DROP/LOG
    But I still cannot get anything from dmz-zone to in-zone...
    Can anyone please advise...
    Could the POLICY-DMZ-IN be being overridden by other dmz-zone to out-zone policies?
    I think I am making a basically incorrect assumption somewhere ...
    NOTE: I have routing rules for each of various sub-nets and all out-zone to dmz-zone, out-zone to in-zone and private-zone to out-zone, in-zone and dmz-zone routing works ok, so it appears problem is with ZBFW not routing table.
    Thanks for any expertise you can bring to help resolve this.
    Regards,
    Zebity.

    Hi Karthikeyan,
    thank you for offering to look at this, I do all my configuration using CCP, which is a lot easier than pawing over IOS commands.
    I have dumped out the config, but as it is hard to pull out the particular part of the config, find the following screen snap & config:
    The areas where I think there are problems are with "self" zone items (can I get rid of self zone case completely, with exception of blocking any external (DSL) access to self?)
    and the dmz-zone to in-zone and in-zone to dmz-zone configs.
    Building configuration...
    Current configuration : 32292 bytes
    ! Last configuration change at 00:16:54 UTC Mon Jun 11 2012 by admin
    ! NVRAM config last updated at 07:37:35 UTC Sun Jun 10 2012 by admin
    version 15.1
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname big
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 informational
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXX
    no aaa new-model
    no ipv6 cef
    no ip source-route
    ip cef
    ip dhcp excluded-address 168.192.200.1 168.192.200.99
    ip dhcp excluded-address 168.192.200.126 168.192.200.254
    ip dhcp excluded-address 200.200.200.1 200.200.200.79
    ip dhcp excluded-address 200.200.200.91 200.200.200.126
    ip dhcp pool PRIVATE-POOL-1
       import all
       network 168.192.200.0 255.255.255.0
       domain-name in.froghop.com
       dns-server 200.200.200.20 200.200.200.4
       default-router 168.192.200.1
    ip dhcp pool FROGHOP-POOL-2
       import all
       network 200.200.200.0 255.255.255.128
       domain-name froghop.com
       dns-server 200.200.200.20 200.200.200.4
       default-router 200.200.200.1
    no ip bootp server
    ip domain name froghop.com
    ip name-server 200.200.200.4
    ip name-server 200.200.200.20
    ip inspect log drop-pkt
    ip inspect audit-trail
    ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
    ip inspect name CCP_MEDIUM dns
    ip inspect name CCP_MEDIUM ftp
    ip inspect name CCP_MEDIUM h323
    ip inspect name CCP_MEDIUM sip
    ip inspect name CCP_MEDIUM https
    ip inspect name CCP_MEDIUM icmp
    ip inspect name CCP_MEDIUM imap reset
    ip inspect name CCP_MEDIUM pop3 reset
    ip inspect name CCP_MEDIUM netshow
    ip inspect name CCP_MEDIUM rcmd
    ip inspect name CCP_MEDIUM realaudio
    ip inspect name CCP_MEDIUM rtsp
    ip inspect name CCP_MEDIUM esmtp
    ip inspect name CCP_MEDIUM sqlnet
    ip inspect name CCP_MEDIUM streamworks
    ip inspect name CCP_MEDIUM tftp
    ip inspect name CCP_MEDIUM tcp
    ip inspect name CCP_MEDIUM udp
    ip inspect name CCP_MEDIUM vdolive
    ip inspect name dmzinspect tcp
    ip inspect name dmzinspect udp
    appfw policy-name CCP_MEDIUM
      application im aol
        service default action allow alarm
        service text-chat action allow alarm
        server permit name login.oscar.aol.com
        server permit name toc.oscar.aol.com
        server permit name oam-d09a.blue.aol.com
        audit-trail on
      application im msn
        service default action allow alarm
        service text-chat action allow alarm
        server permit name messenger.hotmail.com
        server permit name gateway.messenger.hotmail.com
        server permit name webmessenger.msn.com
        audit-trail on
      application http
        strict-http action allow alarm
        port-misuse im action reset alarm
        port-misuse p2p action reset alarm
        port-misuse tunneling action allow alarm
      application im yahoo
        service default action allow alarm
        service text-chat action allow alarm
        server permit name scs.msg.yahoo.com
        server permit name scsa.msg.yahoo.com
        server permit name scsb.msg.yahoo.com
        server permit name scsc.msg.yahoo.com
        server permit name scsd.msg.yahoo.com
        server permit name cs16.msg.dcn.yahoo.com
        server permit name cs19.msg.dcn.yahoo.com
        server permit name cs42.msg.dcn.yahoo.com
        server permit name cs53.msg.dcn.yahoo.com
        server permit name cs54.msg.dcn.yahoo.com
        server permit name ads1.vip.scd.yahoo.com
        server permit name radio1.launch.vip.dal.yahoo.com
        server permit name in1.msg.vip.re2.yahoo.com
        server permit name data1.my.vip.sc5.yahoo.com
        server permit name address1.pim.vip.mud.yahoo.com
        server permit name edit.messenger.yahoo.com
        server permit name messenger.yahoo.com
        server permit name http.pager.yahoo.com
        server permit name privacy.yahoo.com
        server permit name csa.yahoo.com
        server permit name csb.yahoo.com
        server permit name csc.yahoo.com
        audit-trail on
    multilink bundle-name authenticated
    parameter-map type inspect global
    log dropped-packets enable
    parameter-map type protocol-info yahoo-servers
    server name scs.msg.yahoo.com
    server name scsa.msg.yahoo.com
    server name scsb.msg.yahoo.com
    server name scsc.msg.yahoo.com
    server name scsd.msg.yahoo.com
    server name cs16.msg.dcn.yahoo.com
    server name cs19.msg.dcn.yahoo.com
    server name cs42.msg.dcn.yahoo.com
    server name cs53.msg.dcn.yahoo.com
    server name cs54.msg.dcn.yahoo.com
    server name ads1.vip.scd.yahoo.com
    server name radio1.launch.vip.dal.yahoo.com
    server name in1.msg.vip.re2.yahoo.com
    server name data1.my.vip.sc5.yahoo.com
    server name address1.pim.vip.mud.yahoo.com
    server name edit.messenger.yahoo.com
    server name messenger.yahoo.com
    server name http.pager.yahoo.com
    server name privacy.yahoo.com
    server name csa.yahoo.com
    server name csb.yahoo.com
    server name csc.yahoo.com
    parameter-map type protocol-info aol-servers
    server name login.oscar.aol.com
    server name toc.oscar.aol.com
    server name oam-d09a.blue.aol.com
    parameter-map type protocol-info msn-servers
    server name messenger.hotmail.com
    server name gateway.messenger.hotmail.com
    server name webmessenger.msn.com
    crypto pki token default removal timeout 0
    crypto pki trustpoint TP-self-signed-2085601892
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2085601892
    revocation-check none
    crypto pki certificate chain TP-self-signed-2085601892
    certificate self-signed 01
      XXXXXXXX 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      4A6B4C93 CEE0C972 CEA5A38E 3C041EAD 803F43B2 DD121173 4302DC1E XXXXXXXX
      4F5E79FE 8C76B0EC BC5DD668 69BE1A
                quit
    license udi pid CISCO2901/K9 sn FTXXXXXXXXXX
    hw-module pvdm 0/0
    username admin privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    redundancy
    ip tcp synwait-time 10
    no ip ftp passive
    class-map type inspect match-any OPEN-TRAFFIC-OUT-190
    match access-group name OPEN-TRAFFIC-OUT-190
    class-map type inspect match-any SMTPS-TRAFFIC-IN
    match access-group name SMTPS-IN
    class-map type inspect match-all NAT-POOL-TCP-TRAFFIC-OUT
    match access-group name NAT-POOL-TRAFFIC-OUT
    match protocol tcp
    class-map type inspect imap match-any ccp-app-imap
    match  invalid-command
    class-map type inspect match-any ccp-cls-protocol-p2p
    match protocol edonkey signature
    match protocol gnutella signature
    match protocol kazaa2 signature
    match protocol fasttrack signature
    match protocol bittorrent signature
    class-map type inspect match-all NAT-POOL-UDP-TRAFFIC-OUT
    match access-group name NAT-POOL-TRAFFIC-OUT
    match protocol udp
    class-map type inspect match-all SELF-DNS-OUT
    match access-group name SELF-DNS-OUT
    match protocol dns
    class-map type inspect match-any SMTP-PROTOCOL
    match protocol smtp
    class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-1
    match class-map SMTP-PROTOCOL
    match access-group name DMZ-MAIL-OUT
    class-map type inspect match-any ccp-skinny-inspect
    match protocol skinny
    class-map type inspect match-any SIP-PROTOCOLS
    match protocol sip
    match protocol sip-tls
    class-map type inspect match-all ccp-cls-POLICY-DMZ-OUT-2
    match class-map SIP-PROTOCOLS
    match access-group name DMS-SIP-TRAFFIC
    class-map type inspect match-any OPEN-TRAFFIC-OUT-140
    match access-group name OPEN-TRAFFIC-OUT-140
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol pptp
    match protocol dns
    match protocol ftp
    match protocol https
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect gnutella match-any ccp-app-gnutella
    match  file-transfer
    class-map type inspect match-any OPENDIR-PROTOCOLS
    match protocol kerberos
    match protocol ldap
    match protocol ldaps
    match protocol ldap-admin
    class-map type inspect ymsgr match-any ccp-app-yahoo-otherservices
    match  service any
    match  service text-chat
    class-map type inspect msnmsgr match-any ccp-app-msn-otherservices
    match  service any
    class-map type inspect match-any SYSLOG-PROTOCOL
    match protocol syslog
    class-map type inspect match-any ICMP-PROTOCOLS
    match protocol icmp
    class-map type inspect match-all SELF-ICMP
    match access-group name SELF-ICMP-TRAFFIC
    match class-map ICMP-PROTOCOLS
    class-map type inspect match-any DMZ-DNS
    match protocol dns
    class-map type inspect match-all OPENDIR-OUT
    match class-map OPENDIR-PROTOCOLS
    match access-group name OPENDIR-TRAFFIC
    class-map type inspect match-all SMTPS-TRAFFIC
    match class-map SMTPS-TRAFFIC-IN
    match protocol tcp
    class-map type inspect match-any TRUSTED-HOSTS
    match access-group name TRUSTED-HOSTS
    match protocol udp
    match protocol tcp
    match protocol icmp
    class-map type inspect match-any TRANSPORT-PROTOCOLS
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-h323nxg-inspect
    match protocol h323-nxg
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-any ccp-cls-protocol-im
    match protocol ymsgr yahoo-servers
    match protocol msnmsgr msn-servers
    match protocol aol aol-servers
    class-map type inspect aol match-any ccp-app-aol-otherservices
    match  service any
    class-map match-any sdm_p2p_kazaa
    match protocol fasttrack
    match protocol kazaa2
    class-map type inspect match-any WEB-PROTOCOLS
    match protocol http
    match protocol https
    class-map type inspect match-all ccp-protocol-pop3
    match protocol pop3
    class-map type inspect match-any ccp-h225ras-inspect
    match protocol h225ras
    class-map match-any sdm_p2p_edonkey
    match protocol edonkey
    class-map type inspect match-any SELF-DNS-IN
    match access-group name SELF-DNS-IN
    match protocol dns
    class-map match-any sdm_p2p_gnutella
    match protocol gnutella
    class-map type inspect match-any ccp-h323annexe-inspect
    match protocol h323-annexe
    class-map type inspect match-any OPEN-TRAFFIC-IN-140
    match access-group name OPEN-TRAFFIC-IN-140
    class-map type inspect match-all SYSLOG-IN-DMZ
    match access-group name SYSLOG-TRAFFIC
    match class-map SYSLOG-PROTOCOL
    class-map type inspect pop3 match-any ccp-app-pop3
    match  invalid-command
    class-map match-any sdm_p2p_bittorrent
    match protocol bittorrent
    class-map type inspect kazaa2 match-any ccp-app-kazaa2
    match  file-transfer
    class-map type inspect match-all ccp-protocol-p2p
    match class-map ccp-cls-protocol-p2p
    class-map type inspect match-all SDM_GRE
    match access-group name SDM_GRE
    class-map type inspect match-any ccp-h323-inspect
    match protocol h323
    class-map type inspect msnmsgr match-any ccp-app-msn
    match  service text-chat
    class-map type inspect ymsgr match-any ccp-app-yahoo
    match  service text-chat
    match  service any
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-1
    match class-map SMTP-PROTOCOL
    match access-group name SMTP-TRAFFIC
    class-map type inspect match-any DNS-PROTOCOL
    match protocol dns
    class-map type inspect match-all ccp-protocol-im
    match class-map ccp-cls-protocol-im
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-2
    match class-map ICMP-PROTOCOLS
    match access-group name IN-ZONE-ICMP
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-any ACCESS-PROTOCOLS
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-cls-ccp-pol-outToIn-3
    match class-map ACCESS-PROTOCOLS
    match access-group name DMZ-ZONE-TRAFFIC
    class-map type inspect http match-any ccp-app-httpmethods
    match  request method bcopy
    match  request method bdelete
    match  request method bmove
    match  request method bpropfind
    match  request method bproppatch
    match  request method connect
    match  request method copy
    match  request method delete
    match  request method edit
    match  request method getattribute
    match  request method getattributenames
    match  request method getproperties
    match  request method index
    match  request method lock
    match  request method mkcol
    match  request method mkdir
    match  request method move
    match  request method notify
    match  request method options
    match  request method poll
    match  request method propfind
    match  request method proppatch
    match  request method put
    match  request method revadd
    match  request method revlabel
    match  request method revlog
    match  request method revnum
    match  request method save
    match  request method search
    match  request method setattribute
    match  request method startrev
    match  request method stoprev
    match  request method subscribe
    match  request method trace
    match  request method unedit
    match  request method unlock
    match  request method unsubscribe
    class-map type inspect edonkey match-any ccp-app-edonkey
    match  file-transfer
    match  text-chat
    match  search-file-name
    class-map type inspect match-any ccp-sip-inspect
    match protocol sip
    class-map type inspect match-all PUSH-NOTIFICATIONS
    match access-group name PUSH-NOTIFICATIONS
    match protocol tcp
    class-map type inspect http match-any ccp-http-blockparam
    match  request port-misuse im
    match  request port-misuse p2p
    match  req-resp protocol-violation
    class-map type inspect edonkey match-any ccp-app-edonkeydownload
    match  file-transfer
    class-map type inspect match-all DEST-DNS
    match access-group name DEST-DNS
    match class-map DNS-PROTOCOL
    class-map type inspect aol match-any ccp-app-aol
    match  service text-chat
    class-map type inspect match-all ccp-protocol-imap
    match protocol imap
    class-map type inspect edonkey match-any ccp-app-edonkeychat
    match  search-file-name
    match  text-chat
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-1
    match class-map SYSLOG-PROTOCOL
    match access-group name DMZ-SYSLOG
    class-map type inspect match-any FTP-PROTOCOL
    match protocol ftp
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-2
    match class-map ICMP-PROTOCOLS
    match access-group name DMZ-ICMP
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-3
    match class-map WEB-PROTOCOLS
    match access-group name DMZ-WEB
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-4
    match class-map SIP-PROTOCOLS
    match access-group name DMZ-SIP
    class-map type inspect match-any TIME-PROTOCOLS
    match protocol ntp
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-5
    match class-map DMZ-DNS
    match access-group name DMZ-DNS-TRAFFIC
    class-map type inspect http match-any ccp-http-allowparam
    match  request port-misuse tunneling
    class-map type inspect fasttrack match-any ccp-app-fasttrack
    match  file-transfer
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    class-map type inspect match-all ccp-cls-ccp-permit-dmzservice-6
    match class-map ACCESS-PROTOCOLS
    match access-group name IN-ZONE-TRAFFIC
    policy-map type inspect ccp-permit-icmpreply
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect POLICY-PRIVATE-TRANSIT
    class type inspect ACCESS-PROTOCOLS
      pass log
    class class-default
      drop
    policy-map type inspect p2p ccp-action-app-p2p
    class type inspect edonkey ccp-app-edonkeychat
      log
      allow
    class type inspect edonkey ccp-app-edonkeydownload
      log
      allow
    class type inspect fasttrack ccp-app-fasttrack
      log
      allow
    class type inspect gnutella ccp-app-gnutella
      log
      allow
    class type inspect kazaa2 ccp-app-kazaa2
      log
      allow
    policy-map type inspect POLICY-IN-SELF
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-SELF-IN
    class type inspect OPEN-TRAFFIC-OUT-190
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      drop
    policy-map type inspect POLICY-DMZ-OUT
    class type inspect TIME-PROTOCOLS
      inspect
    class type inspect WEB-PROTOCOLS
      inspect
    class type inspect FTP-PROTOCOL
      inspect
    class type inspect ccp-cls-POLICY-DMZ-OUT-2
      inspect
    class type inspect ccp-cls-POLICY-DMZ-OUT-1
      inspect
    class type inspect PUSH-NOTIFICATIONS
      inspect
    class type inspect DEST-DNS
      inspect
    class class-default
      drop log
    policy-map type inspect im ccp-action-app-im
    class type inspect aol ccp-app-aol
      log
      allow
    class type inspect msnmsgr ccp-app-msn
      log
      allow
    class type inspect ymsgr ccp-app-yahoo
      log
      allow
    class type inspect aol ccp-app-aol-otherservices
      log
      reset
    class type inspect msnmsgr ccp-app-msn-otherservices
      log
      reset
    class type inspect ymsgr ccp-app-yahoo-otherservices
      log
      allow
    policy-map type inspect http ccp-action-app-http
    class type inspect http ccp-http-blockparam
      log
      allow
    class type inspect http ccp-app-httpmethods
      log
      allow
    class type inspect http ccp-http-allowparam
      log
      allow
    policy-map type inspect imap ccp-action-imap
    class type inspect imap ccp-app-imap
      log
    policy-map type inspect pop3 ccp-action-pop3
    class type inspect pop3 ccp-app-pop3
      log
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ICMP-PROTOCOLS
      inspect
    class type inspect ccp-protocol-http
      inspect
      service-policy http ccp-action-app-http
    class type inspect ccp-protocol-imap
      inspect
      service-policy imap ccp-action-imap
    class type inspect ccp-protocol-pop3
      inspect
      service-policy pop3 ccp-action-pop3
    class type inspect ccp-protocol-p2p
      inspect
      service-policy p2p ccp-action-app-p2p
    class type inspect ccp-protocol-im
      inspect
      service-policy im ccp-action-app-im
    class type inspect ccp-sip-inspect
      inspect
    class type inspect ccp-h323-inspect
      inspect
    class type inspect ccp-h323annexe-inspect
      inspect
    class type inspect ccp-h225ras-inspect
      inspect
    class type inspect ccp-h323nxg-inspect
      inspect
    class type inspect ccp-skinny-inspect
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-PRIVATE-IN-DMZ
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-IN-OUT
    class type inspect OPEN-TRAFFIC-OUT-140
      pass log
    class type inspect WEB-PROTOCOLS
      inspect
    class type inspect OPENDIR-OUT
      inspect
    class type inspect DEST-DNS
      inspect
    class type inspect PUSH-NOTIFICATIONS
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-permit
    class class-default
      drop
    policy-map type inspect POLICY-DMZ-SELF
    class type inspect ICMP-PROTOCOLS
      inspect
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-SELF-OUT
    class type inspect SELF-DNS-OUT
      pass
    class type inspect TIME-PROTOCOLS
      pass
    class type inspect NAT-POOL-UDP-TRAFFIC-OUT
      inspect
    class type inspect NAT-POOL-TCP-TRAFFIC-OUT
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-OUT-SELF
    class type inspect SELF-DNS-IN
      pass
    class type inspect TIME-PROTOCOLS
      pass
    class type inspect SELF-ICMP
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-IN-DMZ
    class type inspect SYSLOG-IN-DMZ
      pass
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect POLICY-DMZ-IN
    class type inspect TRANSPORT-PROTOCOLS
      inspect
    class type inspect ICMP-PROTOCOLS
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-permit-dmzservice
    class type inspect ccp-cls-ccp-permit-dmzservice-4
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-1
      pass
    class type inspect ccp-cls-ccp-permit-dmzservice-3
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-5
      inspect
    class type inspect ccp-cls-ccp-permit-dmzservice-2
      inspect
    class class-default
      drop log
    policy-map type inspect ccp-pol-outToIn
    class type inspect OPEN-TRAFFIC-IN-140
      pass
    class type inspect ccp-cls-ccp-pol-outToIn-1
      inspect
    class type inspect ccp-cls-ccp-pol-outToIn-2
      inspect
    class type inspect SMTPS-TRAFFIC
      inspect
    class type inspect SMTPS-TRAFFIC-IN
      pass log
    class class-default
      drop log
    policy-map sdmappfwp2p_CCP_MEDIUM
    class sdm_p2p_edonkey
    class sdm_p2p_gnutella
    class sdm_p2p_kazaa
    class sdm_p2p_bittorrent
    zone security dmz-zone
    zone security in-zone
    zone security out-zone
    zone security PRIVATE-ZONE
    zone security PRIVATE-IN
    zone-pair security ccp-zp-out-dmz source out-zone destination dmz-zone
    service-policy type inspect ccp-permit-dmzservice
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect POLICY-IN-OUT
    zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
    service-policy type inspect ccp-pol-outToIn
    zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
    service-policy type inspect POLICY-DMZ-IN
    zone-pair security ZP-DMZ-OUT source dmz-zone destination out-zone
    service-policy type inspect POLICY-DMZ-OUT
    zone-pair security ZP-IN-DMZ source in-zone destination dmz-zone
    service-policy type inspect POLICY-IN-DMZ
    zone-pair security ZP-OUT-SELF source out-zone destination self
    service-policy type inspect POLICY-OUT-SELF
    zone-pair security ZP-SELF-OUT source self destination out-zone
    service-policy type inspect POLICY-SELF-OUT
    zone-pair security ZP-PRIVATE-OUT source PRIVATE-ZONE destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ZP-PRIVATE-IN source PRIVATE-ZONE destination in-zone
    service-policy type inspect POLICY-PRIVATE-IN-DMZ
    zone-pair security ZP-PRIVATE-DMZ source PRIVATE-ZONE destination dmz-zone
    service-policy type inspect POLICY-PRIVATE-IN-DMZ
    zone-pair security ZP-IN-SELF source in-zone destination self
    service-policy type inspect POLICY-IN-SELF
    zone-pair security ZP-SELF-IN source self destination in-zone
    service-policy type inspect POLICY-SELF-IN
    zone-pair security ZP-DMZ-SELF source dmz-zone destination self
    service-policy type inspect POLICY-DMZ-SELF
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    interface Loopback0
    ip address 200.200.200.190 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    zone-member security in-zone
    interface Null0
    no ip unreachables
    interface GigabitEthernet0/0
    description $ETH-LAN$$FW_INSIDE$
    ip address 200.200.200.130 255.255.255.224
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security in-zone
    duplex auto
    speed auto
    no mop enabled
    interface GigabitEthernet0/1
    description $ETH-LAN$$FW_INSIDE$
    ip address 168.192.200.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security PRIVATE-ZONE
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/2/0
    description $ETH-LAN$$FW_INSIDE$
    ip address 192.168.1.160 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly in
    zone-member security PRIVATE-ZONE
    duplex auto
    speed auto
    no mop enabled
    interface FastEthernet0/2/1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    duplex auto
    speed auto
    no mop enabled
    interface ATM0/3/0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    no atm ilmi-keepalive
    interface ATM0/3/0.1 point-to-point
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    pvc 8/35
      encapsulation aal5mux ppp dialer
      dialer pool-member 1
    interface GigabitEthernet0/0/0
    interface GigabitEthernet0/0/1
    interface GigabitEthernet0/0/2
    interface GigabitEthernet0/0/3
    interface Virtual-Template1 type serial
    description $FW_INSIDE$
    ip unnumbered Loopback0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly in
    zone-member security in-zone
    interface Vlan1
    description $ETH-4ESG$$INTF-INFO-10/100/1000 Ethernet$$ETH-LAN$FW-DMZ$$FW_INSIDE$
    ip address 200.200.200.1 255.255.255.128
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nbar protocol-discovery
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security dmz-zone
    interface Dialer0
    description $FW_OUTSIDE$
    ip address 210.210.210.154 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip flow egress
    ip nat outside
    ip virtual-reassembly in
    zone-member security out-zone
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname [email protected]
    ppp chap password 7 XXXXXXXXXXXXXXXX
    ppp pap sent-username [email protected] password 7 XXXXXXXXXXXX
    service-policy input sdmappfwp2p_CCP_MEDIUM
    service-policy output sdmappfwp2p_CCP_MEDIUM
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip flow-top-talkers
    top 200
    sort-by bytes
    cache-timeout 500
    ip dns server
    ip nat pool NAT-POOL1 200.200.200.161 200.200.200.189 netmask 255.255.255.224
    ip nat inside source route-map SDM_RMAP_1 pool NAT-POOL1
    ip route 0.0.0.0 0.0.0.0 210.210.210.1
    ip route 10.210.210.0 255.255.255.0 192.168.1.1 permanent
    ip route 192.168.1.0 255.255.255.0 FastEthernet0/2/0 permanent
    ip route 168.192.200.0 255.255.255.0 GigabitEthernet0/1 permanent
    ip route 200.200.200.0 255.255.255.128 Vlan1 permanent
    ip route 200.200.200.128 255.255.255.224 GigabitEthernet0/0 permanent
    ip route 200.200.200.160 255.255.255.224 Loopback0 permanent
    ip access-list extended DEST-DNS
    remark CCP_ACL Category=1
    permit udp any any eq domain
    ip access-list extended DMS-SIP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip host 200.200.200.30 any
    permit ip host 200.200.200.40 any
    ip access-list extended DMZ-DNS-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.20
    ip access-list extended DMZ-ICMP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended DMZ-MAIL-OUT
    remark CCP_ACL Category=128
    permit ip any host 230.211.70.60
    permit ip any host 230.250.90.137
    ip access-list extended DMZ-SIP
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.40
    permit ip any host 200.200.200.30
    ip access-list extended DMZ-SYSLOG
    remark CCP_ACL Category=128
    permit ip 230.211.70.0 0.0.0.255 host 200.200.200.32
    permit ip 200.200.200.128 0.0.0.127 host 200.200.200.32
    ip access-list extended DMZ-WEB
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.35
    permit ip any host 200.200.200.20
    ip access-list extended DMZ-ZONE-TRAFFIC
    remark CCP_ACL Category=128
    permit ip 200.200.200.0 0.0.0.128 any
    ip access-list extended ESP-TRAFFIC
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended IN-ZONE-ICMP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended IN-ZONE-TRAFFIC
    remark CCP_ACL Category=128
    permit ip host 200.200.200.140 any
    ip access-list extended NAT-POOL-TRAFFIC-IN
    remark CCP_ACL Category=128
    permit ip any 0.0.0.0 255.255.255.224
    ip access-list extended NAT-POOL-TRAFFIC-OUT
    remark CCP_ACL Category=128
    permit ip 0.0.0.30 255.255.255.224 any
    ip access-list extended OPEN-TRAFFIC-IN-140
    remark CCP_ACL Category=1
    permit udp host 230.211.70.60 host 200.200.200.140 eq isakmp
    permit esp host 230.211.70.60 host 200.200.200.140
    permit ip host 230.211.70.10 host 200.200.200.140
    permit tcp host 230.211.70.35 host 200.200.200.140
    deny   ip host 230.211.70.60 host 200.200.200.140
    ip access-list extended OPEN-TRAFFIC-OUT-140
    remark CCP_ACL Category=1
    permit udp host 200.200.200.140 host 230.211.70.60 eq isakmp
    permit esp host 200.200.200.140 host 230.211.70.60
    permit ip host 200.200.200.140 host 230.211.70.10
    permit tcp host 200.200.200.140 host 230.211.70.35
    deny   ip host 200.200.200.140 host 230.211.70.60
    ip access-list extended OPENDIR-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 230.211.70.10
    ip access-list extended PUSH-NOTIFICATIONS
    remark CCP_ACL Category=1
    permit tcp any any eq 5223
    ip access-list extended SDM_GRE
    remark CCP_ACL Category=1
    permit gre any any
    ip access-list extended SELF-DNS-IN
    remark CCP_ACL Category=1
    permit udp any eq domain any
    ip access-list extended SELF-DNS-OUT
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.20
    permit ip any host 200.200.200.4
    ip access-list extended SELF-ICMP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.190
    ip access-list extended SMTP-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.140
    ip access-list extended SMTPS-IN
    remark CCP_ACL Category=1
    permit tcp any any eq 465
    permit tcp any any eq 587
    ip access-list extended SMTPS-OUT
    remark CCP_ACL Category=1
    permit tcp any eq 465 any
    permit tcp any eq 587 any
    ip access-list extended SYSLOG-TRAFFIC
    remark CCP_ACL Category=128
    permit ip any host 200.200.200.32
    ip access-list extended TRUSTED-HOSTS
    remark CCP_ACL Category=128
    permit ip host 230.211.70.35 any
    permit ip host 230.211.70.60 any
    logging 200.200.200.32
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 168.192.200.0 0.0.0.255
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 210.210.210.0 0.0.0.255 any
    access-list 100 permit ip 200.200.200.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=2
    access-list 102 permit ip 168.192.200.0 0.0.0.255 any
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    control-plane
    banner login ^CThis device is propoerty of FROGHOP and all activity is logged.^C
    line con 0
    line aux 0
    line vty 0 4
    privilege level 15
    login local
    transport input telnet ssh
    line vty 5 15
    privilege level 15
    login local
    transport input telnet ssh
    scheduler allocate 20000 1000
    ntp update-calendar
    ntp server 192.189.54.17
    ntp server 192.189.54.33
    ntp server 203.161.12.165
    ntp server 130.102.2.123
    end
    Thanks in advance for any tips.
    Regards,
    John.
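As an added check on the posted running-config (example code, not part of the original post): a small Python audit that parses the paste, even in the flattened form above where sub-commands lost their indentation, and flags zone-pairs whose policy-map is never defined, zones with no zone-pair, live interfaces with no zone-member, and vty lines that still accept telnet. The embedded config excerpt is constructed from the post, and the section-parsing heuristic is an assumption made for flattened pastes.

```python
"""Static sanity checks for a Cisco IOS zone-based firewall config (added example, not
code from the post).  It parses a running-config paste, even a flattened one where
sub-commands lost their indentation, and reports the gaps a reviewer looks for first."""
from typing import Dict, List, Tuple

# Lines starting with these keywords open a configuration section.
SECTION_PREFIXES = ("interface ", "zone-pair security ", "policy-map ", "class-map ", "line ")
# Lines starting with these are global commands and therefore close the open section.
GLOBAL_PREFIXES = ("zone security ", "ip http ", "ip route ", "access-list ",
                   "ip access-list ", "logging ", "ntp ", "end")

# Constructed excerpt modelled on the posted config (assumption: not the full
# running-config; Vlan1 is deliberately left out of every zone to exercise a check).
SAMPLE_CONFIG = """\
zone security dmz-zone
zone security in-zone
zone security out-zone
zone security PRIVATE-IN
zone-pair security ZP-DMZ-IN source dmz-zone destination in-zone
service-policy type inspect POLICY-DMZ-IN
zone-pair security ZP-IN-OUT source in-zone destination out-zone
service-policy type inspect POLICY-IN-OUT
zone-pair security ZP-OUT-SELF source out-zone destination self
service-policy type inspect POLICY-OUT-SELF
policy-map type inspect POLICY-DMZ-IN
class class-default
drop log
policy-map type inspect POLICY-OUT-SELF
class class-default
drop log
interface GigabitEthernet0/0
ip address 200.200.200.130 255.255.255.224
zone-member security in-zone
interface FastEthernet0/2/1
no ip address
shutdown
interface Vlan1
ip address 200.200.200.1 255.255.255.128
interface Dialer0
ip address 210.210.210.154 255.255.255.0
zone-member security out-zone
ip http server
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input ssh
end
"""

def parse_sections(config: str) -> List[Tuple[str, List[str]]]:
    """Return (header, [sub-commands]) pairs; top-level lines get header "global"."""
    # A flattened paste is ambiguous in general; the heuristic is keyed to the
    # sections the checks need, and unknown lines stay with the open section.
    sections: List[Tuple[str, List[str]]] = [("global", [])]
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(SECTION_PREFIXES):
            sections.append((line, []))
        elif line.startswith(GLOBAL_PREFIXES) and sections[-1][0] != "global":
            sections.append(("global", [line]))
        else:
            sections[-1][1].append(line)
    return sections

def audit(config: str) -> Dict[str, object]:
    """Run the checks and return the findings keyed by check name."""
    sections = parse_sections(config)
    global_lines = [cmd for hdr, body in sections if hdr == "global" for cmd in body]
    zones = {cmd.split()[2] for cmd in global_lines if cmd.startswith("zone security ")}
    policies = {hdr.split()[-1] for hdr, _ in sections if hdr.startswith("policy-map ")}
    used_zones, undefined, unzoned, telnet_vty = set(), [], [], []
    for hdr, body in sections:
        if hdr.startswith("zone-pair security "):
            parts = hdr.split()  # zone-pair security NAME source SRC destination DST
            name, src, dst = parts[2], parts[4], parts[6]
            used_zones.update((src, dst))  # "self" is built in and never declared
            for cmd in body:
                if cmd.startswith("service-policy type inspect ") and cmd.split()[-1] not in policies:
                    undefined.append(f"{name} -> {cmd.split()[-1]}")
        elif hdr.startswith("interface "):
            addressed = any(c.startswith(("ip address ", "ip unnumbered ")) for c in body)
            zoned = any(c.startswith("zone-member security ") for c in body)
            if addressed and "shutdown" not in body and not zoned:
                unzoned.append(hdr.split()[1])  # live interface outside every zone
        elif hdr.startswith("line vty") and any(
                c.startswith("transport input") and "telnet" in c.split() for c in body):
            telnet_vty.append(hdr)  # cleartext management still accepted
    return {
        "undefined_policies": sorted(undefined),
        "unused_zones": sorted(zones - used_zones),
        "unzoned_interfaces": sorted(unzoned),
        "telnet_vty": sorted(telnet_vty),
        "cleartext_http": "ip http server" in global_lines,
    }

if __name__ == "__main__":
    for check, result in audit(SAMPLE_CONFIG).items():
        print(f"{check}: {result}")
```

Run against the full paste, the same checks report PRIVATE-IN as a declared but unused zone and both vty ranges as telnet-enabled; the per-policy-map rule contents still need a manual read.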

  • Non-Global Zones - how can I tell what the Global Zone is

    Hi,
    I have a host that I know is a non-global zone (ngz). I can ssh to the ngz as root or a non-privileged user.
    But once there how do I know what the host name for the global zone is?
    I could probably run a script from all global zones to report all running zones and so I'd know that way but I have a specific need to know from inside the ngz.
    Thanks!
    Brian

    bdunbar wrote:
    That's a built-in security feature; and I know of no way to circumvent this mechanism.
    I had some hope that there was a way to 'see' at least the global-zone information from the zone. From the shell the 'zone' commands are available ..
    :# zoneadm list -cv
    ID NAME             STATUS         PATH                         
    48 hostname_svn   running        /
    So it's at least aware that it is a zone, even if it can't tell me anything else about itself. I can still go the long way around to get the information for my need, thanks.
    The global zone is the only thing that can see everything. The non-global zones can only see information specific to their zone.
    This is by design and it really is a security mechanism. You don't want the zones running outside of their boundaries and information about the global zone (or any other zone) is outside the boundaries of a non-global zone.
    Cheers,

  • [solved] can't ssh AWS EC2 anymore - iptables flushed

    Hi,
    I killed an AWS EC2 connection by flushing iptables on the server side, and can't connect anymore.
    I connect to an Amazon EC2 instance (with Ubuntu) mainly as a proxy, from a Linux-based laptop, to get through a university's firewall.
    (For a heads up, I do have some experience with sysadmin on Linux, however not that much with networking (close to none). I could be qualified as an "aware beginner". As a means to get some experience with networking, a friend of mine, who is more skilled, suggested using, and helped me set up, an Amazon EC2 instance.)
    I get a connection by opening an ssh tunnel in a terminal:
    ssh -i key.pem -D 8080 -p 443 -o 'IdentitiesOnly yes' [email protected]
    However, for the tricky part, the university's firewall blocks ssh too.
    I could get over it when I eventually set up "stunnel4" to encrypt the whole connection with SSL (found it myself, with some luck in research).
    (Installed it when I had the chance to find a proper connection, which is rare: I found most hotspots restrictive in that case.)
    So, it worked well for a while, until I wanted to set up a p2p system (don't laugh guys! It is mostly for study purposes: I needed to down/upload geology maps, which are huge, and the firewall always shut our long transfers down, my professors' and mine).
    I tried rtorrent on the server, it worked well.
    But because the EC2's 8GB were not big enough, I needed to set up another p2p tool from the laptop (went with Deluge), going through the EC2. For this reason, I opened a range of ports in the Amazon console's security groups (56880-56890, tcp and udp), added them to iptables, both on Ubuntu and the laptop, and set up the software accordingly.
    # iptables -A INPUT -p tcp --dport 56881:56889 -j ACCEPT
    # iptables -A INPUT -p udp --dport 56881:56889 -j ACCEPT
    However, because it still did not work, I asked this friend for help. He told me I had set up the software wrong, and suggested I flush iptables. So, I did it recklessly, on both the laptop and the EC2's Ubuntu.
    # iptables --flush
    Of course, doing so killed the connection to the EC2. There, I could not connect to the server anymore:
    ssh: connect to host xx.xxx.xxx.xxx port 443: Connection timed out
    Trying to fix it, I found this post, but I faced two difficulties I cannot get over during the process.
    1st, in the Amazon EC2 console, after I created a temporary instance, I went to stop the broken instance (i-08091d4b: ok),
    detached the broken EBS volume (ok),
    in order to attach it to the temporary instance (i-64402427: not ok).
    I couldn't, because the two EBS volumes are supposed to be in the same availability zone, which I couldn't set up.
    Therefore I couldn't attach the broken EBS volume to the temp instance.
    (I then tried creating 2 other temporary instances, in order to check if I could set this availability zone.)
    2nd, I anticipate that the temporary instance doesn't have the "stunnel4" setup deployed (software, settings and key), so I won't be able to connect to it anyway.
    Has anybody faced a similar situation? What can I do to fix the situation?
    Last edited by OlaffTheGreat (2014-08-17 23:11:21)

    Thanks for your reply.
    Unfortunately, I can't have physical access, as it is a virtual hard drive somewhere.
    As the tutorial suggested, I also tried to just reboot the session, hoping the iptables rules would just reset afterward. It could have looked like what you say about "only partially reset the firewall". But it seems really out of order.
    Edit: well, it is back online... but I don't know why.
    I played randomly with the EBS volumes, detaching/reattaching them, and when I tried to ssh again to the broken session, I got the connection...
    Last edited by OlaffTheGreat (2014-08-17 23:10:53)
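The lockout in this thread comes from `iptables --flush`, and what a flush leaves behind depends entirely on each chain's default policy, which a flush does not touch. The script below is an added example, not code from the thread or from the poster: it parses the `*filter` table of an `iptables-save` dump (the ruleset is constructed here to resemble the poster's setup, with SSH on 443 and the 56881-56889 range) and reports, before anyone runs a flush, whether the result would be a lockout (policy DROP) or a wide-open host (policy ACCEPT), along with the ports the rules currently accept.

```python
"""Predict what `iptables --flush` leaves behind, from iptables-save output.

Added example, not part of the thread. `iptables -F` removes the rules in a
chain but keeps the chain's default policy, so the outcome of a flush depends
on that policy: INPUT policy DROP means every inbound packet is dropped once
the ACCEPT rules are gone (remote lockout); INPUT policy ACCEPT means the
flush silently allows everything inbound. This parser reads the *filter
table of an iptables-save dump and reports both cases.
"""
import re

# Constructed iptables-save dump resembling the thread's setup: SSH reached
# through port 443 (stunnel) plus the 56881-56889 range for the p2p client.
SAMPLE_RULES = """\
# Generated by iptables-save (constructed sample, not from a real host)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 56881:56889 -j ACCEPT
-A INPUT -p udp -m udp --dport 56881:56889 -j ACCEPT
COMMIT
"""

POLICY_RE = re.compile(r"^:(\S+)\s+(ACCEPT|DROP|REJECT|-)\s")
RULE_RE = re.compile(r"^-A\s+(\S+)\s+(.*)$")
DPORT_RE = re.compile(r"--dport\s+(\S+)")
PROTO_RE = re.compile(r"-p\s+(\S+)")


def parse_filter_table(save_text):
    """Return ({chain: policy}, [(chain, proto, dport, target), ...]) for *filter."""
    policies, rules = {}, []
    in_filter = False
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):            # table header, e.g. *filter / *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)           # ":CHAIN POLICY [pkts:bytes]"
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)             # "-A CHAIN <matches> -j TARGET"
        if m:
            chain, body = m.groups()
            target = body.split("-j ")[-1].split()[0] if "-j " in body else None
            proto = PROTO_RE.search(body)
            dport = DPORT_RE.search(body)
            rules.append((chain, proto.group(1) if proto else None,
                          dport.group(1) if dport else None, target))
    return policies, rules


def flush_impact(save_text, chain="INPUT"):
    """Describe what flushing `chain` would leave behind.

    Returns (policy, accepted_ports, verdict): accepted_ports lists the
    (proto, dport) pairs explicitly accepted before the flush; verdict is
    'lockout' (policy DROP/REJECT: nothing inbound survives the flush),
    'wide_open' (policy ACCEPT: everything inbound is allowed after it),
    or 'unknown' (chain not found or user-defined chain with policy '-').
    """
    policies, rules = parse_filter_table(save_text)
    policy = policies.get(chain, "-")
    accepted = [(p, d) for c, p, d, t in rules
                if c == chain and t == "ACCEPT" and d is not None]
    if policy in ("DROP", "REJECT"):
        verdict = "lockout"
    elif policy == "ACCEPT":
        verdict = "wide_open"
    else:
        verdict = "unknown"
    return policy, accepted, verdict


if __name__ == "__main__":
    policy, accepted, verdict = flush_impact(SAMPLE_RULES)
    print("INPUT policy:", policy)
    print("ports accepted before flush:", accepted)
    print("after `iptables -F INPUT`:", verdict)
```

Run against the output of `iptables-save` on the real host before making changes; if the verdict for INPUT is `lockout`, save the dump with `iptables-save > backup.rules` and keep a way back (an out-of-band console or a scheduled `iptables-restore < backup.rules`) before touching the rules.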

  • Telnet connection refused in non global zone

    I have recently installed a new zone and I am trying to log into the new zone via telnet and I get the following error:
    telnet: Unable to connect to remote host: Connection refused
    When I check the services on the zone, they are as follows:
    # svcs -a
    STATE STIME FMRI
    legacy_run 12:25:02 lrc:/etc/rcS_d/S51installupdates
    disabled 12:25:01 svc:/network/rpc/keyserv:default
    disabled 12:25:01 svc:/network/rpc/nisplus:default
    disabled 12:25:01 svc:/network/nis/server:default
    disabled 12:25:01 svc:/network/nis/client:default
    disabled 12:25:01 svc:/network/dns/client:default
    disabled 12:25:01 svc:/network/ldap/client:default
    disabled 12:25:01 svc:/network/nfs/cbd:default
    disabled 12:25:01 svc:/network/nfs/mapid:default
    disabled 12:25:01 svc:/network/inetd-upgrade:default
    disabled 12:25:01 svc:/system/auditd:default
    disabled 12:25:01 svc:/application/print/server:default
    disabled 12:25:01 svc:/network/ntp:default
    disabled 12:25:01 svc:/system/rcap:default
    disabled 12:25:01 svc:/network/dhcp-server:default
    disabled 12:25:01 svc:/network/nfs/server:default
    disabled 12:25:01 svc:/network/rarp:default
    disabled 12:25:01 svc:/network/rpc/bootparams:default
    disabled 12:25:01 svc:/application/gdm2-login:default
    disabled 12:25:01 svc:/application/management/webmin:default
    disabled 12:25:02 svc:/network/dns/server:default
    disabled 12:25:02 svc:/network/http:apache2
    disabled 12:25:02 svc:/network/nis/passwd:default
    disabled 12:25:02 svc:/network/nis/update:default
    disabled 12:25:02 svc:/network/nis/xfr:default
    disabled 12:25:02 svc:/network/security/kadmin:default
    disabled 12:25:02 svc:/network/security/krb5kdc:default
    disabled 12:25:02 svc:/network/slp:default
    disabled 12:25:02 svc:/system/consadm:default
    disabled 12:25:02 svc:/system/filesystem/volfs:default
    disabled 12:25:02 svc:/system/sar:default
    online 12:25:00 svc:/system/svc/restarter:default
    online 12:25:01 svc:/network/physical:default
    online 12:25:01 svc:/network/loopback:default
    online 12:25:01 svc:/milestone/name-services:default
    online 12:25:01 svc:/system/filesystem/root:default
    online 12:25:01 svc:/milestone/network:default
    online 12:25:01 svc:/system/identity:node
    online 12:25:01 svc:/system/boot-archive:default
    online 12:25:01 svc:/system/filesystem/usr:default
    online 12:25:01 svc:/system/device/local:default
    online 12:25:02 svc:/system/keymap:default
    online 12:25:02 svc:/milestone/devices:default
    online 12:25:02 svc:/system/filesystem/minimal:default
    online 12:25:02 svc:/system/rmtmpfiles:default
    online 12:25:02 svc:/system/cryptosvc:default
    online 12:25:02 svc:/application/print/cleanup:default
    online 12:25:02 svc:/system/name-service-cache:default
    online 12:25:02 svc:/system/identity:domain
    online 12:25:02 svc:/network/initial:default
    online 12:25:02 svc:/network/service:default
    online 12:25:02 svc:/system/manifest-import:default
    online 12:25:02 svc:/milestone/single-user:default
    online 12:25:02 svc:/system/filesystem/local:default
    online 12:25:02 svc:/system/cron:default
    online 12:25:02 svc:/application/font/fc-cache:default
    online 12:25:02 svc:/system/coreadm:default
    online 12:25:02 svc:/system/sysidtool:net
    online 12:25:02 svc:/network/rpc/bind:default
    online 12:25:03 svc:/network/nfs/status:default
    online 12:25:03 svc:/network/nfs/nlockmgr:default
    offline 12:25:01 svc:/system/utmp:default
    offline 12:25:01 svc:/milestone/sysconfig:default
    offline 12:25:01 svc:/network/inetd:default
    offline 12:25:01 svc:/system/filesystem/autofs:default
    offline 12:25:01 svc:/system/system-log:default
    offline 12:25:01 svc:/system/console-login:default
    offline 12:25:01 svc:/network/nfs/client:default
    offline 12:25:01 svc:/network/smtp:sendmail
    offline 12:25:01 svc:/milestone/multi-user:default
    offline 12:25:01 svc:/network/ssh:default
    offline 12:25:01 svc:/milestone/multi-user-server:default
    offline 12:25:01 svc:/application/print/ipp-listener:default
    offline 12:25:02 svc:/system/sac:default
    offline* 12:25:02 svc:/system/sysidtool:system
    uninitialized 12:25:01 svc:/network/rpc/gss:default
    uninitialized 12:25:01 svc:/application/font/stfsloader:default
    uninitialized 12:25:01 svc:/application/print/rfc1179:default
    uninitialized 12:25:01 svc:/application/x11/xfs:default
    uninitialized 12:25:01 svc:/network/apocd/udp:default
    uninitialized 12:25:01 svc:/network/chargen:dgram
    uninitialized 12:25:01 svc:/network/chargen:stream
    uninitialized 12:25:02 svc:/network/comsat:default
    uninitialized 12:25:02 svc:/network/daytime:dgram
    uninitialized 12:25:02 svc:/network/daytime:stream
    uninitialized 12:25:02 svc:/network/discard:dgram
    uninitialized 12:25:02 svc:/network/discard:stream
    uninitialized 12:25:02 svc:/network/echo:dgram
    uninitialized 12:25:02 svc:/network/echo:stream
    uninitialized 12:25:02 svc:/network/finger:default
    uninitialized 12:25:02 svc:/network/ftp:default
    uninitialized 12:25:02 svc:/network/login:eklogin
    uninitialized 12:25:02 svc:/network/login:klogin
    uninitialized 12:25:02 svc:/network/login:rlogin
    uninitialized 12:25:02 svc:/network/nfs/rquota:default
    uninitialized 12:25:02 svc:/network/rexec:default
    uninitialized 12:25:02 svc:/network/rpc/ocfserv:default
    uninitialized 12:25:02 svc:/network/rpc/rex:default
    uninitialized 12:25:02 svc:/network/rpc/rstat:default
    uninitialized 12:25:02 svc:/network/rpc/rusers:default
    uninitialized 12:25:02 svc:/network/rpc/smserver:default
    uninitialized 12:25:02 svc:/network/rpc/spray:default
    uninitialized 12:25:02 svc:/network/rpc/wall:default
    uninitialized 12:25:02 svc:/network/security/krb5_prop:default
    uninitialized 12:25:02 svc:/network/security/ktkt_warn:default
    uninitialized 12:25:02 svc:/network/shell:default
    uninitialized 12:25:02 svc:/network/shell:kshell
    uninitialized 12:25:02 svc:/network/talk:default
    uninitialized 12:25:02 svc:/network/telnet:default
    uninitialized 12:25:02 svc:/network/time:dgram
    uninitialized 12:25:02 svc:/network/time:stream
    uninitialized 12:25:02 svc:/network/tname:default
    uninitialized 12:25:02 svc:/network/uucp:default
    uninitialized 12:25:02 svc:/network/rpc-100235_1/rpc_ticotsord:default
    uninitialized 12:25:02 svc:/network/rpc-100083_1/rpc_tcp:default
    uninitialized 12:25:02 svc:/network/rpc-100068_2-5/rpc_udp:default
    Any suggestions? Thanks in advance.

    After taking your suggestions, I found that there was no loghost defined in /etc/host. I defined one and now all of my services came up. I still don't have any ssh, it says
    Could not load host key: /etc/ssh/ssh_host_rsa_key
    Could not load host key: /etc/ssh/ssh_host_dsa_key
    Disabling protocol version 2. Could not load hostkey or GSS-API mechanisms
    sshd: no hostkeys available -- exiting.
    Any suggestions? Thanks for your help, I will make sure to give you a star.
    Harvey
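The "no hostkeys available -- exiting" failure above, and the earlier "unsatisfied dependencies" on svc:/network/ssh, both end up at the same place: sshd has no host key file to load, which is normal in a freshly installed zone where the keys were never generated. The script below is an added example, not from the thread or from Solaris; it checks a directory for the default host key files (the rsa and dsa names from the error output plus the ecdsa and ed25519 names later OpenSSH releases use), flags private keys that are group- or world-readable, and prints the ssh-keygen commands that would create the missing ones without running them. The demo directory and its placeholder files are constructed for the example.

```python
"""Report which sshd host keys are present, missing, or exposed in a directory.

Added example, not from the thread. sshd's "no hostkeys available -- exiting"
means none of the HostKey files it tried to load exist. The check below looks
at the default host key file names and also flags private keys readable by
group or others. It prints ssh-keygen commands for the missing keys but does
not execute them; the admin reviews and runs them inside the zone as root.
"""
import os
import stat
import tempfile

# Default sshd host key file names. rsa and dsa appear in the thread's error
# output; ecdsa and ed25519 are defaults on later OpenSSH releases.
DEFAULT_HOST_KEYS = (
    "ssh_host_rsa_key",
    "ssh_host_dsa_key",
    "ssh_host_ecdsa_key",
    "ssh_host_ed25519_key",
)


def check_host_keys(ssh_dir, names=DEFAULT_HOST_KEYS):
    """Classify the expected host key files under ssh_dir.

    Returns (present, missing, exposed):
      present - files that exist with no group/other permission bits
      missing - expected files that do not exist
      exposed - files that exist but are readable by group or others; sshd
                may still load them, but a readable private host key lets
                any local user impersonate the host
    """
    present, missing, exposed = [], [], []
    for name in names:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            missing.append(name)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append(name)
        else:
            present.append(name)
    return present, missing, exposed


def sshd_has_a_host_key(ssh_dir, names=DEFAULT_HOST_KEYS):
    """True if at least one host key file exists at all, which is the
    condition that avoids the "no hostkeys available" exit."""
    present, _, exposed = check_host_keys(ssh_dir, names)
    return bool(present or exposed)


def keygen_commands(ssh_dir, names=DEFAULT_HOST_KEYS):
    """ssh-keygen command lines that would create the missing keys.

    Returned as strings for review; the key type is derived from the file
    name (ssh_host_<type>_key). Not executed here.
    """
    _, missing, _ = check_host_keys(ssh_dir, names)
    cmds = []
    for name in missing:
        ktype = name[len("ssh_host_"):-len("_key")]
        cmds.append('ssh-keygen -t %s -N "" -f %s'
                    % (ktype, os.path.join(ssh_dir, name)))
    return cmds


def build_demo_dir():
    """Constructed scenario: one properly protected key, one world-readable
    key, and the other two missing. Files hold placeholder text, not keys."""
    d = tempfile.mkdtemp(prefix="sshkeycheck-")
    for name, mode in (("ssh_host_rsa_key", 0o600), ("ssh_host_dsa_key", 0o644)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real key\n")
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    demo_dir = build_demo_dir()
    present, missing, exposed = check_host_keys(demo_dir)
    print("present:", present)
    print("missing:", missing)
    print("exposed (fix with chmod 600):", exposed)
    for cmd in keygen_commands(demo_dir):
        print("to create:", cmd)
```

Point it at the zone's /etc/ssh to see which files are missing; once at least one key exists, `svcadm enable svc:/network/ssh:default` has something to load. On current OpenSSH releases DSA keys are no longer generated, so drop that name from the list there; on Solaris 10's Sun SSH the rsa and dsa names are the ones sshd reads.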
