Tuesday, October 27, 2009

Route Commands (Linux / Windows)

You can add a static route or a persistent route on either OS.

1. On Windows (Static Route)
# Route add mask
# Route add -p mask

2. On Linux (Static Route)
# route add -net netmask gw


To make the route persistent, you can also create a "route-eth1" file (the name depends on which NIC carries the route):
# vi /etc/sysconfig/network-scripts/route-eth1

VMware ESX Server Host Backups / Restore

Backing up the VMware ESX Server host is not a recommended practice, since a typical ESX build takes minutes from start to finish. Since all critical data is stored on the SAN, it is not necessary to back up the Service Console.

If a VMware ESX Server host carries a large amount of customization, the relevant files and directories may be backed up. In most environments there should not be enough changes to the default configuration to warrant these backups.

ESX Files and Directories to Back Up
File - Description
/etc/passwd - The password file containing the local users for the VMware ESX Server host service console.
/etc/shadow - The shadow password file containing the local users and their password hashes for the VMware ESX Server host service console.
/etc/group - The group file containing the local security groups for the VMware ESX Server host service console.
/etc/grub.conf - The boot information for the grub boot loader.
/etc/vmware - The configuration files for the VMware ESX host.
/boot - The boot partition for the VMware ESX host. These files should normally be the defaults.
/home/ - Any user information stored in the home directories on the local machine.

To perform the backup, a file can be generated using the following command:

# tar -cvf esx1-backup.datestamp.tar /etc/passwd /etc/shadow /etc/group /etc/grub.conf /etc/pam.d /etc/vmware /boot/ /home/

VMware ESX Server Host Restore

Normally, VMware ESX Server should be reinstalled and connected to the shared storage. If the above steps were conducted, complete restoration can be performed through the following steps:

1. Re-install ESX with the same partition configuration as the original host.
2. SFTP the backup files back onto the host.
3. Remove the /etc/vmware and /boot directories by typing the following commands:

# cd /

# rm -Rf /etc/vmware

# rm -Rf /boot

4. Restore the backup set on the new ESX host. Be sure to overwrite existing files on restore! For example, from the root directory you can issue the following command to restore from the original tarball:

# tar -xvf ..tar

# tar -xvf esx1-backup.datestamp.tar
5. Reboot.
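An added example, not from the original post: a small shell script that builds the datestamped tarball described above and writes a SHA-256 manifest beside it, so the archive (which contains /etc/shadow) can be integrity-checked on the rebuilt host before anything is extracted over /etc. The ROOT argument and the esx_backup/esx_verify names are this example's own; on a real host ROOT is /.

```shell
#!/bin/sh
# Added example (not from the original post). Creates the backup archive
# the post describes plus a SHA-256 manifest, and verifies both on restore.

# esx_backup ROOT OUTDIR HOST PATH...
# PATHs are given as on the host (/etc/passwd, /etc/vmware, ...); they are
# archived relative to ROOT so the same function can run against a staging
# directory. Prints the path of the archive it wrote.
esx_backup() {
    root=$1; outdir=$2; host=$3; shift 3
    # Strip the leading "/" from every path so tar -C ROOT finds it.
    for p in "$@"; do shift; set -- "$@" "${p#/}"; done
    stamp=$(date +%Y%m%d)
    archive="$outdir/$host-backup.$stamp.tar"
    tar -C "$root" -cf "$archive" "$@" || return 1
    # Manifest line is "sha256  basename" so it can be checked from OUTDIR.
    ( cd "$outdir" && sha256sum "$(basename "$archive")" ) > "$archive.sha256" || return 1
    # The archive holds /etc/shadow: keep it readable by root only.
    chmod 600 "$archive" "$archive.sha256"
    echo "$archive"
}

# esx_verify ARCHIVE: succeed only if the manifest matches and the archive
# lists cleanly. Run this before "tar -xvpf ARCHIVE" from / on the new host.
esx_verify() {
    archive=$1
    ( cd "$(dirname "$archive")" && \
      sha256sum -c --status "$(basename "$archive").sha256" ) || return 1
    tar -tf "$archive" > /dev/null
}
```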

SQL injection

Ref: http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or user input is not strongly typed and is thereby unexpectedly executed.

Here is a nice SQL injection cheat sheet. Currently it covers only MySQL and Microsoft SQL Server, with some Oracle and some PostgreSQL.

Table Of Contents
About SQL Injection Cheat Sheet
Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks

Line Comments
SQL Injection Attack Samples

Inline Comments
Classical Inline Comment SQL Injection Attack Samples
MySQL Version Detection Sample Attacks

Stacking Queries
Language / Database Stacked Query Support Table
About MySQL and PHP
Stacked SQL Injection Attack Samples

If Statements
MySQL If Statement
SQL Server If Statement
If Statement SQL Injection Attack Samples

Using Integers

String Operations
String Concatenation

Strings without Quotes
Hex based SQL Injection Samples

String Modification & Related

Union Injections
UNION – Fixing Language Issues

Bypassing Login Screens

Enabling xp_cmdshell in SQL Server 2005
Other parts are not so well formatted, but check them out yourself: drafts, notes and the like; scroll down and see.

Friday, October 23, 2009

Intelligent Platform Management Interface (IPMI) driver

If you receive this message at boot, your hardware does not support IPMI, or the corresponding add-on hardware is not supported. For Dell servers this is the DRAC component; for HP servers it's the iLO.

To check whether IPMI is available on the ESX host, type the following command in the ESX Server console and press Enter:

dmidecode | grep IPMI

If this returns a value, IPMI is available on your hardware. If it returns nothing, IPMI is not available; contact your hardware vendor.

To avoid the message during bootup, execute the following command in the ESX Server console:

chkconfig --level 0123456 ipmi off

Thursday, October 22, 2009

VMware ESX Server 3.5 Update 2 to Update 3

Ref: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006651
Ref: http://ict-freak.nl/2007/10/31/how-to-install-vmware-esx-302-update-1/




Monday, October 19, 2009

How to update VMware ESX patch using CLI

Using VMware Update Manager is pretty easy for VMware patch updates, but I would like to share how to update a VMware ESX patch using the command line interface, as an alternative way.
First download the VMware patch from the VMware download web site, say, for example:
VMware ESX 3.5 Update 2
Latest Version: 3.5 Update 2 | 8/13/2008 | Build: 110268
Log in with your username & password and click YES to agree with the VMware Inc. terms and conditions.

Option 1:
Once the VMware patch download is complete, copy the patch source file to an Apache or IIS web server and unzip it, say at http://your.webserver.com/esxupdate/
Before continuing with the VMware ESX host patch, you can VMotion all VMware guests from ESX host 1 to another VMware ESX host.

2. Connect to the VMware ESX host 1 box using SSH,

Enter server maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_enter

Tip: how to check whether the ESX host is in maintenance mode:
vimsh -n -e /hostsvc/runtimeinfo | grep inMaintenanceMode | awk '{print $3}'

Turn Off Firewall:
esxcfg-firewall --allowOutgoing

ESX patch update:
esxupdate -r http://your.webserver.com/esxupdate/ update

Option 2:
Copy patch source files into ESX host itself said for an example folder /download/esxupdate

Enter maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_enter

Turn Off Firewall:
esxcfg-firewall --allowOutgoing

ESX patch update:
cd /download/esxupdate; esxupdate update

Login another SSH session and monitor patch update log:
tail -f esxupdate.log

Let's wait for a while; the VMware host patch should be in progress now. The ESX host should be rebooted once the patch completes.

Turn On Firewall:
esxcfg-firewall --blockOutgoing

Exit maintenance mode:
vimsh -n -e /hostsvc/maintenance_mode_exit

Again, we can check ESX host patch update using command:
cat /proc/vmware/version
vmware -v
esxupdate -l query

Congratulations! You're done. You should have the latest VMware ESX patch now!
Please feel free to comment to make it more useful to everyone.
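An added example, not from the original post: a wrapper around the Option 1 steps above that checks the host really reported maintenance mode before patching, and re-blocks outgoing traffic on every exit path, since the procedure opens the firewall with esxcfg-firewall --allowOutgoing and only closes it at the very end. The command names are the post's; the function names, the ROOT-less repository argument and the sample runtimeinfo line are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): guarded version of the
# CLI patch procedure for ESX 3.5.

# in_maintenance_mode: read the output of "vimsh -n -e /hostsvc/runtimeinfo"
# from stdin and succeed only if inMaintenanceMode is true. Same grep/awk
# pipeline as the post's tip; a trailing comma, if vimsh prints one, is
# stripped (assumed output format, e.g. "inMaintenanceMode = true,").
in_maintenance_mode() {
    state=$(grep inMaintenanceMode | awk '{print $3}' | tr -d ',')
    [ "$state" = "true" ]
}

# patch_host REPO_URL: enter maintenance mode, open the firewall only for
# the duration of esxupdate, and always close it again.
patch_host() {
    repo=$1
    vimsh -n -e /hostsvc/maintenance_mode_enter
    if ! vimsh -n -e /hostsvc/runtimeinfo | in_maintenance_mode; then
        echo "host did not enter maintenance mode, aborting" >&2
        return 1
    fi
    # Whatever esxupdate does (or if the SSH session dies), outgoing
    # traffic is blocked again before this shell exits.
    trap 'esxcfg-firewall --blockOutgoing' EXIT INT TERM
    esxcfg-firewall --allowOutgoing
    esxupdate -r "$repo" update
    rc=$?
    esxcfg-firewall --blockOutgoing
    trap - EXIT INT TERM
    # Leave the host in maintenance mode for the reboot; afterwards run:
    #   vimsh -n -e /hostsvc/maintenance_mode_exit
    #   esxupdate -l query
    return $rc
}
```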


Update VMWare 3.5.0

Update VMWare 3.5.0, 64607 (update 1) to VMware ESX Server 3.5.0 build-110181 (update 2)


Copy them to the /tmp folder of the ESX 3.5 Update 1 host.

Unzip ESX350-200806201-UG.zip, ESX350-200806202-UG.zip and ESX350-200806812-BG.zip.

1. cd ESX350-200806202
# esxupdate update

2. cd ESX350-200806201
# esxupdate update

Note: After updating ESX350-200806201 the system will reboot automatically.
After that, log in and enter maintenance mode: either choose it from the grub menu or run vimsh -n -e /hostsvc/maintenance_mode_enter

3. cd ESX350-200806812
# esxupdate update

# vmware -v (to check which version you're using)
# tail -f esxupdate.log

Tuesday, October 13, 2009

Technical differences between VMware ESXi and ESX

(Ref: http://dsumsky.blogspot.com/2008/08/technical-differences-between-vmware.html)
I have spent some time with looking for more details about VMware ESXi compared to VMware ESX. I summarized the main differences in this article but I think it's not complete. There have to be more features missing in ESXi because of service console removal. So, what next did I discover?

* ESXi is supported on a smaller set of certified hardware because it is a standalone system and doesn't depend on the RHEL service console, which provides drivers for other hardware.

* You can manage ESXi with RCLI on the Linux or Windows platform, but the Virtual Infrastructure client is more comfortable and easier to use. Further, if you deployed ESXi without a Virtual Infrastructure licence, RCLI will have read-only access only. The drawback of the VI client is that it is available for the Windows platform. The solution may exist in using the Wine emulator, but the installation isn't as straightforward as on the Windows platform. The Wine application database contains this entry about VI client installation, but I haven't tried it yet.

* You can manage your ESX server directly via serial cable but ESXi is missing this feature.

* The ESXi kernel is missing jumbo frame support in its TCP/IP stack, which allows sending larger frames out onto the physical network. It can help to achieve higher throughput with the NFS or iSCSI protocols.

* ESXi doesn't support NetQueue technology which is boosting 10G Ethernet performance.

* Finally, VMware in cooperation with Mellanox Technologies supports Infiniband host channel adapters on ESX. ESXi is missing it.

The previous six points are related to the technical aspects of ESX and ESXi hypervisor. These points aren't complete as well but they are quite important for common deployment of VMware technologies. If you know about something else, please share it at my blog. For further information, check these links:

# VMware ESX 3.5 release notes
# VMware ESXi 3.5 release notes
# ESX and ESXi comparison (VMware knowledge base)
# Differences between ESXi and ESX (VMware knowledge base)
One of the most significant frustrations of using ESXi instead of ESX (and in my mind validates the adage - you get what you pay for) is what we've called the ESX Root Lockdown problem at my company.

ESXi can erratically hang due to a bug where it internally writes to a non existent partition. There is no way to contact or communicate with the ESX server except physically reboot it. In previous versions this would hang all guest vms - a recent patch still hangs ESX while the GuestVms continue to run.

We've seen this happen sometimes up to three times in one day on SATA based (VMware certified) servers with an LSI Logic controller. Needless to say, in a data center these kinds of breakdowns can cause endless frustration and time loss.

Differences between VMware ESXi and ESX

(Ref: http://dsumsky.blogspot.com/2008/08/differences-between-esxi-and-esx.html)

VMware ESXi hypervisor is free of charge now but what are the reasons to use it instead of VMware ESX? And what advantages does it have?

The most important advantage is you don't need to pay for it. Furthermore, it supports all VMware Infrastructure features if you buy the proper licences: you can VMotion virtual machines, schedule resources, back them up via VCB and so on. If you really want to save more bucks you don't have to pay for the support which is required in the case of VMware Infrastructure. The new option is to pay per incident.

What are the main differences? As I wrote here, the ESXi hypervisor is OS independent (it is without a service console) and its installation requires only 32MB of disk space. The negative thing is that it lacks the VirtualCenter agent, VCB and Update Manager. These features are included in the VMware Infrastructure Foundation edition and higher by default. If you would like to manage ESXi hosts you need to buy agent licences.

One last important question remains. How can we control ESXi hosts remotely if we don't have a service console? The ESXi hypervisor doesn't have SSH access by default but supports RCLI, or Remote Command Line Interface. The RCLI allows you to perform remote command line operations on an ESXi host from your management station. If you still prefer SSH to RCLI you can enable it according to this article.

So, are you going to deploy it? If so, you can write me about your experience with the product. I would like to know your story.

ESXi also avoids an increasingly important performance issue with the ESX Service Console related to interrupt sharing. See http://kb.vmware.com/selfservice/documentLink.do?externalID=1003710.

With no Service Console, ESXi allows all interrupts to be load balanced, giving better I/O throughput for low-end and mid-range servers.

VMware or Citrix?

(REF: http://dsumsky.blogspot.com/search/label/esx)
Citrix released their virtualization solution named XenServer (from version 5, article XenServer is free) for free, but only time will tell if it was the right decision. At first glance, it seems like a marvelous thing, but there are some facts which should be investigated first. Together with XenServer, the central management solution XenCenter was released.

Let's have a look at their rival VMware (vSphere 4). XenServer is fully comparable to VMware ESX or ESXi. But what about XenCenter management? It's something more than VMware vSphere client but not so valuable as VMware vCenter Management Server. Citrix XenCenter is not the right choice in case of comparison to vCenter. The right one is Citrix Essentials but this one is not for free already. The main differences between Citrix XenCenter and Essentials are:

* XenCenter is missing alerting capabilities like send me an email when "CPU usage is too high" or when some error condition like "virtual machine power on failure" appears
* XenCenter is missing high availability support
* XenCenter is not able to show you performance data older than one day for physical or virtual servers

Now, let's try to propose a simple high availability (HA) solution based on Citrix/VMware products and compare their prices. Let's suppose we have 2 (3) entry level servers where each has 2 CPUs with max 6 cores per CPU (6 CPUs total). The servers are connected to a shared disk storage. The CPU speed or memory capacity is not important now. And we require an HA solution to protect our virtual machines from hardware failure. The analysis follows:

- Citrix Essentials Enterprise (1 license = 1 server):

* XenServer - 2 licenses = 0$ (3 lic = 0$)
* Essentials Enterprise - 2 lic = 5500$ (3 lic = 8250$)
* Essentials Preferred Support (optional) - 1 lic = 1500$
* Total cost = 7000$ or 9750$ for 3 servers
* Total cost without support = 5500$ or 8250$ for 3 servers

- VMware vSphere 4 Standard Edition (1 lic = 1 CPU):

* vSphere 4 Standard - 4 licenses = 3180$ (6 lic = 4770$)
* vSphere 4 Standard 1y Gold Support - 4 lic = 1092$ (6 lic = 1638$)
* vCenter 4 Foundation - 1 lic = 1495$
* vCenter 4 1y Gold Support - 1 lic = 545$
* Total cost = 6312$ or 8448$ for 3 servers
* Support is mandatory

- VMware vSphere 4 Essentials Plus Bundle (1 lic = 1 CPU)

* Licenses for 3 hosts plus vCenter Server for Essentials plus 1y Gold Support = 3624$
* Total cost = 3624$ for 2 or 3 servers

The prices of proposed solutions are quite different. In my opinion, the most valued solution is based on new VMware product line vSphere 4 Essentials.

There are rumors that VMware is the most expensive solution. I don't think so if I check the numbers above. Citrix's solution not covered by support is cheaper than VMware's solution with support, but only for 2 servers. If I would like to add a third server I would have to pay for another license in the case of Citrix. In the case of VMware, I still have one spare license, so I will use it. At first glance, XenServer seems to be free of charge, but the price of the value added by Citrix Essentials doesn't scale as well as in the case of VMware vSphere 4 Standard Edition or vSphere 4 Essentials Plus. And what is your opinion on the topic?

Sunday, October 11, 2009

Linux Firewall for Reference

echo "Stopping firewall and allowing everyone..."
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -P INPUT ACCEPT

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT

iptables -A OUTPUT -p tcp -s --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

In order to block incoming / outgoing port 110 simply use target REJECT instead of ACCEPT:

iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d --dport 110 -j REJECT

iptables -A OUTPUT -p tcp -s --sport 110 -d 0/0 --dport 1024:65535 -j REJECT

/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

#Port Forward SMTP to the mailserver

iptables -t nat -A PREROUTING -p tcp -d --dport 25 -j DNAT --to-destination
iptables -A FORWARD -p tcp -d --dport 25 -j ACCEPT

#SNAT for port 25 and 110

iptables -t nat -A POSTROUTING -p tcp -s --dport 25 -o eth1 -j SNAT --to-source
iptables -t nat -A POSTROUTING -p tcp -s --dport 110 -o eth1 -j SNAT --to-source

***/etc/init.d/iptables contains:
# (1) Policies (default)
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

# (2) User-defined chain for ACCEPTED TCP packets
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP

# (3) INPUT chain rules
## Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i eth1 -s -j ACCEPT
iptables -A INPUT -p ALL -i lo -s -j ACCEPT
iptables -A INPUT -p ALL -i lo -s -j ACCEPT
iptables -A INPUT -p ALL -i lo -s -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -d -j ACCEPT

## Rules for incoming packets from the Internet
# Packets for established connections
iptables -A INPUT -p ALL -d -m state --state \

# REJECT THESE JERKS from accessing anything (HACKERS):
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset
iptables -A INPUT -p tcp -s -j REJECT --reject-with tcp-reset

# TCP rules
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 21 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 22 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 25 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 80 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 110 -j okay
iptables -A INPUT -p TCP -i eth0 -s 0/0 --destination-port 113 -j okay

# UDP rules
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 53 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 2074 -j ACCEPT
iptables -A INPUT -p UDP -i eth0 -s 0/0 --destination-port 4000 -j ACCEPT

# ICMP rules
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT

# (4) FORWARD ip rules
# Accept packets I want to forward
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# (5) OUTPUT ip rules
# ONLY output packets with local addresses (NO spoofing)
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -s -j ACCEPT
iptables -A OUTPUT -p ALL -s -j ACCEPT

# (6) POSTROUTING ip rules
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source
# uncomment the bottom for DHCP if it works first
# iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
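An added example, not part of the original reference: a generator that emits the "default DROP + okay chain" ruleset above in iptables-restore format, so the rules can be reviewed and diffed as a file before being loaded with iptables-restore, instead of being applied one iptables call at a time. Interface names, the LAN subnet and the port lists are parameters; the gen_rules name is this example's own, and it runs nothing against the kernel.

```shell
#!/bin/sh
# Added example (not from the original reference): print an iptables-restore
# ruleset modelled on the /etc/init.d/iptables script above.
# gen_rules WAN_IF LAN_IF LAN_SUBNET "TCP_PORTS" "UDP_PORTS"
gen_rules() {
    wan=$1; lan=$2; lan_net=$3; tcp_ports=$4; udp_ports=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:okay - [0:0]
# Anti-spoofing: a packet arriving on the WAN side must not claim a LAN source.
-A INPUT -i $wan -s $lan_net -j DROP
# Loopback and the LAN interface are trusted, as in the reference.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
# Replies to connections this host started.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
    # Published TCP services go through the okay chain (21, 22, 25, 80,
    # 110, 113 in the reference); UDP services are accepted directly.
    for p in $tcp_ports; do
        echo "-A INPUT -p tcp -i $wan --dport $p -j okay"
    done
    for p in $udp_ports; do
        echo "-A INPUT -p udp -i $wan --dport $p -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp -i $wan --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -i $wan --icmp-type 11 -j ACCEPT
# The reference's okay chain accepts every SYN; tying it to state NEW keeps
# a stray SYN inside an existing connection from being re-accepted.
-A okay -p tcp --syn -m state --state NEW -j ACCEPT
-A okay -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A okay -p tcp -j DROP
# Forward LAN traffic out and replies back in.
-A FORWARD -i $lan -s $lan_net -o $wan -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# OUTPUT: the reference matched on the host's own addresses; interfaces
# are used here because those addresses are parameters, not constants.
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o $lan -j ACCEPT
-A OUTPUT -o $wan -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# MASQUERADE instead of SNAT --to-source so a DHCP-assigned WAN address works.
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
EOF
}
```

Write the output to a file, review it, then load it with iptables-restore; iptables-save afterwards shows what the kernel actually accepted.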

Friday, October 9, 2009

Nvidia Driver Installation for Linux

yum install yum-priorities
echo 'priority=1' >> /etc/yum.repos.d/CentOS-Base.repo
echo 'priority=1' >> /etc/yum.repos.d/CentOS-Media.repo
echo 'priority=2' >> /etc/yum.repos.d/epel.repo
echo 'priority=2' >> /etc/yum.repos.d/epel-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/adobe-linux-i386.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-free-updates.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-nonfree-updates-testing.repo
echo 'priority=3' >> /etc/yum.repos.d/rpmfusion-nonfree-updates.repo
wget http://apt.sw.be/redhat/el5/en/x86_64/RPMS.dag/rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
rpm -K rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum localinstall rpmforge-release-0.3.6-1.el5.rf.x86_64.rpm
yum check-update
yum search nvidia
yum install nvidia-x11-drv.x86_64

./latestnvidiadriver.run -s -N
nvidia-xconfig --mode nvidia-auto-select --twinview --no-xinerama --force-generate

yum --enablerepo=elrepo-testing install nvidia-x11-drv kmod-nvidia

Check your Cisco Certification


Friday, October 2, 2009

VMware ESX Server References

The VMware Infrastructure product consists of Workstation, ACE, GSX, and ESX. The VMware Administration product is composed of VMware VirtualCenter Server (VC), VMware High Availability (HA), Distributed Resource Scheduling (DRS), SAN, iSCSI and NAS storage, and VMotion. The last product suite is VMware Tools, which is composed of VMware Converter, the new Physical to Virtual (P2V) tool, and VMware Consolidated Backup (VCB).


Exchange Server 2003 Stuffs

Storage Groups

Containers within Exchange that are used to hold data stores (Mailboxes and public folders). By default, one storage group is created within Exchange called the “First Storage Group”.
This storage group will hold up to 5 data stores. Up to 3 additional (4 total) storage groups can be created if you are running Exchange Enterprise edition while Exchange Standard edition only supports the First Storage Group.
Most small and medium sized companies (up to approximately 1,500 mailboxes) will have no reason to use additional storage groups and for simplicity, they should be avoided. You may need additional storage groups if your company requires:
1. More than 5 data Stores
2. The use of circular logging on only some of the data stores
3. A Different location for the Transaction logs

Stores or data stores

Created in Exchange 2000 as either a mailbox store or a public folder store. By default, two stores are created in the first storage group, the mailbox store and the public folder store.

Exchange Enterprise edition supports up to 5 data stores (4 TB max, theoretically) in each storage group, 20 stores total. Exchange Standard edition only supports the two default stores and limits them to a maximum of 16 GB each.
This limitation is a very important factor in deciding whether to purchase Exchange Standard or Enterprise edition. There are several reasons you may want to create additional stores, including:
1. Easier mailbox management & organization
2. more efficient mailbox recovery
3. mailbox rule requirements (i.e size of mailbox, deleted item retention)
4. increased performance (database can be located on different hard drives)
5. separate administrative mailboxes (i.e postmaster, webmaster)

Description                       Exchange Standard   Exchange Enterprise
Storage groups                    1                   4
Data stores per storage group     2                   5
Maximum size of each data store   16 GB               4 TB

Database Files
Each data store is made up of two database files, a .edb file and a .stm file. These database files together make up the data store and should not be separated.

.EDB file - MAPI-based database
.STM file - Streaming database, contains native Internet content

Transaction Logs
Used in each storage group to record changes to the database. Changes are committed or rolled back based on the success of the transaction. Transaction Logs are used in Disaster recovery scenarios to completely restore mailboxes.

What Should you Backup?

1. Mailbox Stores
2. Public Stores
3. System State (Active Directory, Registry, IIS Metabase, basically system specific settings)
4. IIS Metabase

Repair the Database
- Can do more harm than good
- You should have a Normal (Full) backup of your Exchange Server database before running these utilities (online or offline)

ESEUTIL – command line tool that checks the Exchange database for consistency and repairs the database (depending upon the switches used).

ISINTEG – command line tool that is used to restore specific messages or attachments. It understands the data in the store rather than the database.
- Microsoft Support may be a better option
- Recovering from a backup is usually a better option. Adequately troubleshoot your server before assuming database corruption.

Replace the Database (Using NTBackup)
1. Make sure that you have a good Normal (Full) backup of the store and transaction logs before starting this procedure
2. Dismount the store
3. Start the restore process with the Normal restore files first
4. Specify any Differential or Incremental restore files next. Be sure to check the "last backup set" option if the specified file is the latest backup
5. Mount the store (if not specified in the restore)

Complete Server Replacement
1. New Server hardware or Same Server
2. Make sure HD Partitions are the same size or bigger than before
3. Install Server 2003 with all Service packs, Hot Fixes, etc.
4. Server should have the same name as before
5. Rejoin the Exchange Server to the domain
6. Verify AD Connectivity
7. Install Exchange 2003 with disaster recovery switch
8. Install Exchange Service Packs, Hot Fixes, etc.
9. Restore Data Stores and Transaction Logs
10. Restore any additional Exchange configuration (scripts, connectors, etc.)

Put this line in squid's error pages to display the correct time zone:

Generated %t by %h (%s)

Installing Yum on CentOS 5.3

Here are the simple steps to install yum on plain centos 5.3 x86_64 bit server. login into the server with root user and execute the following commands.
rpm --import http://mirror.centos.org/centos-5/5.3/os/x86_64/RPM-GPG-KEY-CentOS-5
rpm -ihv http://mirror.centos.org/centos/5.3/os/x86_64/CentOS/libxml2-2.6.26-
rpm -ihv http://mirror.centos.org/centos/5.3/os/x86_64/CentOS/libxml2-python-2.6.26-
rpm -ihv http://mirror.centos.org/centos-5/5.3/os/x86_64/CentOS/python-elementtree-1.2.6-5.x86_64.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.3/os/x86_64/CentOS/python-iniparse-0.2.3-4.el5.noarch.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.3/os/x86_64/CentOS/python-sqlite-1.1.7-1.2.1.x86_64.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.2/os/x86_64/CentOS/m2crypto-0.16-6.el5.2.x86_64.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.2/os/x86_64/CentOS/python-urlgrabber-3.1.0-2.noarch.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.2/os/x86_64/CentOS/sqlite-3.3.6-2.x86_64.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.2/os/x86_64/CentOS/yum-metadata-parser-1.1.2-2.el5.x86_64.rpm
rpm -ihv http://mirror.centos.org/centos-5/5.2/os/x86_64/CentOS/yum-3.2.8-9.el5.centos.1.noarch.rpm
Finally, run yum update to update the RPMs.

Modifying the OS to support 3 GB

If Running Windows XP Professional or Windows Server 2003

IMPORTANT: Improper modification of boot.ini can render the operating system inoperable. Use caution before making changes to the boot.ini file.

Adding the 3 GB Switch

The following technique can be used to add the 3 GB switch to the boot.ini file.

From a command prompt, enter the following to the end of the first line of the operating system section in the boot.ini file (requires administrative privileges) to add the 3 GB switch:


/RAW specifies the operating system options for the boot entry. The previous operating system options will be modified.

"/3GB" specifies the 3 GB switch.

/A specifies that the operating system options entered with the /RAW switch will be appended to the existing operating system options.

/ID specifies the boot entry ID in the OS Load Options section of the boot.ini file to add the operating system options to. The boot entry ID number can be obtained by running the command:


/QUERY (this displays the contents of the boot.ini file) at the command prompt.

A reboot is required after editing the boot.ini file for the changes to take effect.

If Running Windows 2008 Server or Windows Vista

IMPORTANT: Improper modification of the operating system boot entry can render the operating system inoperable. Use caution before making changes to the boot.ini file.

Adding the 3 GB Switch

1. Select Start > All Programs > Accessories

2. Right-click Command Prompt and select Run as administrator

3. Enter the following command to add the 3 GB switch to the current operating system boot entry:


USERVA specifies an alternate amount of user-mode virtual address space for operating

3072 specifies 3 GB (3072 MB).

A reboot is required after editing the boot configuration data store for the changes to take effect.

Linux DNS Server

vi /etc/named.conf

// Default named.conf generated by install of bind-9.2.4-30.el4_7.2
options {
    listen-on {; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    forwarders {;; };
};

zone "mydomain.com" {
    type master;
    file "/var/named/mydomain.com.hosts";
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "/var/named/192.168.10.rev";
};

vi /var/named/192.168.10.rev

$ttl 38400
10.168.192.in-addr.arpa. IN SOA routerx.mydomain.com. routerx.mydomain.com. (
38400 )
10.168.192.in-addr.arpa. IN NS routerx.mydomain.com. IN PTR routerx.mydomain.com.

vi /var/named/mydomain.com.hosts

$ttl 38400
mydomain.com. IN SOA routerx.mydomain.com. routerx.mydomain.com (
38400 )
mydomain.com. IN NS routerx.mydomain.com.
routerx.mydomain.com. IN A

System State Backup with CLI

ntbackup backup systemstate /J "System State Backup Job" /F "D:\system_state_backup.bkf"

Unsupported Configurations in ISA server

1. ISA Server Should Not Be Installed on a 64-Bit Operating System

Installing ISA Server on 64-bit versions of Microsoft Windows Server 2003 operating systems is not supported.

2. ISA Server 2004 Enterprise Edition Should Not Be Installed on Windows 2000 Server

ISA Server 2004 Enterprise Edition should only be installed on computers running Windows Server 2003.

3. ISA Server 2004 Enterprise Edition Should Not Be Installed in a Windows NT Server 4.0 Domain

ISA Server 2004 Enterprise Edition should not be installed as a domain member in a Windows NT Server 4.0 domain.

4. Firewall Client for ISA Server Should Not Be Installed on a Domain Controller

Installing ISA Server Firewall Client software on a computer configured as an Active Directory domain controller is not supported.

If Firewall Client software is installed, the domain controller may not function as expected.

5. Installing other firewall products on an ISA Server computer is not supported. Attempting to create a layered firewall deployment on a single server by adding additional firewall products will result in unpredictable behavior and may cause the server to fail.

6. ISA Server Does Not Support Multiple External Interfaces

7. ISA Server Does Not Support Multiple Default Gateways

Set a default gateway on only one of the ISA Server network adapters. Do not configure more than one default gateway on that adapter. The default gateway is usually set on the network adapter associated with the ISA Server default External network.

8. ISA Server Does Not Support a Network-Behind-Network Configuration

There cannot be two network adapters in the same subnet. This may manifest itself in a number of ways:

* Error 15108. ISA Server detected a spoof attack from Internet Protocol (IP) address IP_address, when trying to access a network resource.

Cause: When you define IP address ranges for a network, ISA Server checks all network adapters. When ISA Server finds an adapter with an IP address in the network range, it associates the network with that adapter. When a network includes remote subnets accessible by ISA Server through routers, the IP address of the remote subnets should be included in the network definition. If you define a separate network object for a remote subnet (instead of including it in the network definition), ISA Server tries to locate an adapter with an IP address of the network object, and fails. ISA Server assumes that the adapter is not available (disconnected or disabled), and sets network status to disconnected.

9. ISA Server does not support intradomain communications between networks with a network address translation (NAT) relationship.

10. There are a number of issues associated with the configuration of ISA Server on a computer with a single network adapter.

* Multi-network firewall policy. In single network adapter mode, ISA Server recognizes itself (the Local Host network). Everything else is recognized as the Internal network. There is no concept of an External network. The Microsoft Firewall service and application filters operate only in the context of the Local Host network. (ISA Server protects itself no matter what network template is applied.) Because the Firewall service and application filters operate in the context of the Local Host network, you can use access rules to allow non-Web protocols to the ISA Server computer. This has implications for running applications located on the ISA Server computer.
* Application layer inspection. Application level filtering does not function, except for Web Proxy Filter for Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), and File Transfer Protocol (FTP) over HTTP.
* Server publishing. Server publishing is not supported. Because there is no separation of Internal and External networks, ISA Server cannot provide the NAT functionality required in a server publishing scenario.
* Firewall clients. The Firewall Client application handles requests from Winsock applications that use the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and Firewall Client requests are not supported.
* SecureNAT clients. SecureNAT clients use ISA Server as a router to the Internet, and SecureNAT client requests are handled by the Firewall service. In a single network adapter environment, this service is only available in the context of the Local Host network (protecting the ISA Server computer), and SecureNAT client requests are not supported.
* Virtual private networking. Site-to-site virtual private networks (VPNs) are not supported in a single network adapter scenario. Remote client VPN access is supported in a single network adapter scenario.

11. ISA Server 2004 Standard Edition does not support NLB functionality.

Support for NLB is targeted at ISA Server 2004 Enterprise Edition, which addresses the concept of an array of ISA Server to share traffic and load.

To use NLB, install ISA Server 2004 Enterprise Edition.

NLB Limitations in Enterprise Edition on a Single Network Adapter Computer

12. ISA Server 2004 Standard Edition (without Service Pack 1) does not support Internet access requests from remote VPN clients through Web proxy on the ISA Server computer to which VPN remote clients are connecting. This issue is fixed in ISA Server 2004 Standard Edition Service Pack 1 and ISA Server 2004 Enterprise Edition.

Cause: Such client requests come from the VPN tunnel interface, and not from the Internal network interface. Web proxy NAT functionality cannot handle such requests.

Solution: Install ISA Server 2004 Standard Edition Service Pack 1.

13. DHCP Address Allocation for VPN Remote Clients Not Supported in ISA Server 2004 Enterprise Edition

In ISA Server 2004 Enterprise Edition, using a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses for VPN remote clients is only available in a single server ISA Server array.

This option is only available in ISA Server 2004 Standard Edition, or in ISA Server 2004 Enterprise Edition with a single array member. This limitation applies for the following reasons:

13. Outbound L2TP connections without IPsec are not supported when ISA Server is configured as a VPN server that uses the L2TP/IPsec protocol.

Cause: By default the following settings apply:

* Network address translation (NAT) is applied to outbound traffic from the Internal, VPN Clients and Quarantine VPN Clients networks to the External network.
* When ISA Server is configured as a VPN server that uses the L2TP/IPsec protocol, traffic to and from the L2TP protocol port (UDP port 1701) is secured by IPsec.

With these default settings, the outbound L2TP client request is sent from the NAT address (usually the address of the ISA Server external network adapter) and the external VPN server responds to this address. ISA Server does not forward the L2TP traffic from the external VPN server to the client because no matching IPsec policy exists.

Solution: Use PPTP for outbound VPN connections, or do not use the L2TP/IPsec protocol when ISA Server is configured as a VPN server.

14. Customization of forms-based authentication pages is not supported in ISA Server 2004.

Cause: Forms-based authentication can be enabled on the Microsoft Office Outlook Web Access Web site, or on the ISA Server computer. When you enable this authentication method on ISA Server, the Logon.asp form runs on the ISA Server computer. It is possible to customize the form for specific requirements, but such customization is not supported on ISA Server 2004. Modifying pages on the Exchange server running Outlook Web Access will have no effect on forms-based authentication enabled on the ISA Server computer.

Solution: If problems arise as a result of such customization in ISA Server 2004, the original files should be restored.

15. Cannot Use Multiple Server Certificates for a Single SSL Listener

Problem: Only one SSL server certificate can be bound to a Web listener.

Cause: The name of the Web site specified in the external user request must use the name of the site listed on the common name of the certificate. For example, if users will access www.contoso.com, the common name on the certificate must be www.contoso.com. If you try to use the listener to publish another secure site, it will not succeed because the certificate name will not match the user request name.

Solution: To publish multiple SSL sites using the same IP address and port where all sites published use the same domain name, you can use a wildcard character certificate. For example, to publish sites OWA, WebSite1, and WebSite2 at contoso.com, you can acquire a wildcard character certificate (*.contoso.com) for the ISA Server computer. Note that ISA Server only supports wildcard character certificates on the ISA Server computer. In an HTTPS-to-HTTPS bridging scenario, you cannot use a wildcard character certificate to authenticate to the back-end Web server.
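The certificate-name matching that the problem and solution above describe, as an added example (this is not code from the original post or from ISA Server). The host names are the page's contoso.com examples; the wildcard rules assumed here are the common RFC 6125 ones: `*` stands for exactly one left-most label, so `*.contoso.com` covers owa.contoso.com but neither contoso.com itself nor a deeper name such as mail.owa.contoso.com.

```python
"""Why one listener certificate serves one name, and what a wildcard covers.
Added example; names are the page's contoso.com examples, matching rules
follow the usual RFC 6125 single-label wildcard convention."""


def hostname_matches(cert_name: str, requested: str) -> bool:
    """True if the name in the certificate would satisfy a client that asked
    for `requested`. Comparison is case-insensitive and ignores a trailing dot."""
    cert_name = cert_name.lower().rstrip(".")
    requested = requested.lower().rstrip(".")
    if not cert_name.startswith("*."):
        # A plain common name must match the requested host exactly.
        return cert_name == requested
    suffix = cert_name[1:]                      # "*.contoso.com" -> ".contoso.com"
    if not requested.endswith(suffix):
        return False
    left = requested[: -len(suffix)]            # the part the '*' has to stand for
    # Exactly one non-empty label may replace the '*': "owa" yes, "" and "a.b" no.
    return bool(left) and "." not in left


def listener_cannot_serve(cert_name, requested_hosts):
    """Return the requested names a listener bound to `cert_name` would NOT serve
    (the browser would see a name mismatch for each of them)."""
    return [h for h in requested_hosts if not hostname_matches(cert_name, h)]


if __name__ == "__main__":
    sites = ["owa.contoso.com", "website1.contoso.com", "website2.contoso.com"]
    print("single-name cert leaves unserved:", listener_cannot_serve("www.contoso.com", sites))
    print("wildcard cert leaves unserved:   ", listener_cannot_serve("*.contoso.com", sites))
```

Running the script shows the single-name certificate failing for every site except its own, while `*.contoso.com` serves all three; it also shows why a wildcard certificate does not help for names outside that one label, which is the case to check before assuming one wildcard listener covers an entire deployment.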

16. RPC-Over-HTTP Traffic Not Inspected

Problem: RPC over HTTP traffic encrypts the RPC data in HTTP. RPC over HTTP data is not inspected by ISA Server 2004.

Cause: In regular Web publishing scenarios, ISA Server can inspect the HTTP headers and body. However, the RPC filter designed to inspect RPC traffic cannot inspect RPC over HTTP requests, and does not protect against RPC exploits reaching the Exchange server. In outbound scenarios, RPC over HTTP requests over SSL are tunneled, and no inspection takes place of the HTTP headers or body following the initial connection.

Solution: Deploy RPC over HTTP with this limitation in mind. For configuration information for this scenario, see the Knowledge Base article 884506, "How to configure ISA Server 2004 to allow for RPC over HTTP client connections from Office Outlook 2003 to Exchange Server 2003."

16. Live Communications Server Should Not Be Located on the ISA Server Computer

Problem: Running Live Communications Server on the ISA Server computer is not supported.

Cause: This is an untested scenario.

17. Live Communications Server Has Limited Functionality through ISA Server

Problem: Not all Live Communications Server functionality works through ISA Server 2004.

Cause: The following limitations apply:

* Communication between two clients on the same side of the ISA Server computer should work in a simple internal network configuration.
* Presence and instant messaging is essentially a client/server application, where the server mediates the communication between the two clients. This avoids the NAT issues that arise when an external client needs the IP address of the internal client. Instant text messaging from an internal client to an external client can go out through the Web proxy.
* Audio, video, and whiteboard features use SIP/SIMPLE. ISA Server does not have a SIP application filter at this time to handle such traffic. The only exception is if the session is initiated by an external Internet client that is not behind a NAT device.

18. Secure FTP Support

Problem: The following limitations apply:

* ISA Server cannot publish secure File Transfer Protocol (FTP).
* ISA Server does not support outbound FTP over SSL/TLS (FTPS) connections.

Cause: The following causes apply:

* FTPS uses an encrypted control channel. For standard FTP traffic, ISA Server uses the FTP application filter to monitor FTP communications between the client and the server. Outbound SSL connections, such as FTPS, cannot be seen by ISA Server, and therefore ISA Server cannot adjust traffic policy in reaction to PASV and PORT FTP commands.
* Server publishing tunnels SSL traffic, and therefore such traffic is not inspected by ISA Server.

Solution: There is a specific workaround available that allows you to publish secure FTP. For more information, see Publishing Secure FTP Servers behind ISA Firewalls at the ISAserver.org Web site.

19. FTP Limitations for Web Proxy Clients

Problem: The following limitations apply:

* You cannot use FTP upload from a Web Proxy client. Remote directory and file management actions also fail.
* You cannot use third-party, non-browser FTP applications or command-line FTP tools. Web Proxy clients tunnel FTP requests over port 80. You require SecureNAT clients or Firewall clients to use these tools.
* To access FTP sites that are not anonymous, you will need to enable folder view in Internet Explorer. This causes Internet Explorer to prompt for credentials. Credentials should be specified in the following format: ftp://username:password@FTP_Server_Name.
* By default, ISA Server uses PASV mode for FTP requests. If this mode is not supported by the FTP server you want to reach, you will need to disable folder view in Internet Explorer. This allows Internet Explorer to send PORT commands.

Cause: FTP uploads are not supported for client computers configured as Web Proxy clients only.

21. ISA Server Does Not Support Routing Protocols

Problem: ISA Server is not a router and does not directly support routing protocols such as Routing Information Protocol (RIP) or Open Shortest Path First (OSPF).

Cause: ISA Server has no built-in support for these dynamic routing protocols.

Solution: You can install Routing and Remote Access on the ISA Server computer as a LAN router, to allow it to listen for OSPF announcements and handle routing protocols communications. You will need to create access rules to allow such traffic. Create a custom protocol object for the routing protocol, and then allow traffic for the protocols to and from neighboring routers, and the ISA Server computer. OSPF supports fragmented packets, and you should not filter IP fragments on ISA Server.

22. ISA Server Support in a Virtual Environment

Microsoft ISA Server and Forefront TMG are supported on hardware virtualization in accordance with the following programs:

* Microsoft Support Lifecycle
* Microsoft ISA Server system requirements
* Forefront TMG system requirements
* Microsoft Server Virtualization Validation Program (SVVP)
* Support Policy for Microsoft software running on non-Microsoft hardware virtualization software

* Desktop virtualization, such as Microsoft Virtual PC or similar 3rd-party product: supported for demonstration and educational use only
* Server Virtualization, such as Microsoft Virtual Server or similar 3rd-party product: supported, but not recommended for production use

Message Screener Does Not Work with Exchange Server 2003

Problem: The ISA Server SMTP Message Screener component may interfere with Exchange Server 2003 functionality.

Cause: The ISA Server SMTP Message Screener component is designed for filtering e-mail messages based on keywords or attachments, or blocking e-mail messages from specific senders or domains. It works together with the SMTP filter to intercept all SMTP traffic arriving on TCP port 25 of the ISA Server computer. We do not recommend that you use the Message Screener component with Exchange Server 2003. Message Screener may interfere with the functioning of the Exchange Server 2003 Connection and Recipient Filtering function.

Solution: The SMTP filter can be used with Exchange Server 2003. Installation and configuration of the SMTP filter and Message Screener are described in the document Using the ISA Server 2004 Enterprise Edition SMTP Filter and Message Screener.

23. ISA Server Does Not Handle IPv6 Traffic

Problem: IPv6 traffic passes through ISA Server firewall regardless of firewall policy.

Cause: Filtering of IPv6 traffic is not supported.

24. The Web Cache Communication Protocol (WCCP) and the Internet Cache Protocol (ICP) are not supported in ISA Server.

25. Requests from Web Proxy Clients Cannot Be Authenticated Using a Client Certificate

Problem: A Web Proxy client browser cannot connect to the Web listener over an SSL connection.

Cause: This is a browser limitation. Internet Explorer does not support certificate authentication to a Web proxy. On the Web Proxy tab of a network's properties page, there is an option to Enable SSL. This option is only for use in a Web Proxy chaining scenario. In this case, you can configure a downstream ISA Server computer to forward Web requests to an upstream proxy over an SSL connection. This allows you to bridge HTTP traffic as HTTPS to the upstream server.

Solution: Do not use an SSL connection.

26. LDAP authentication is not supported in outbound Web access scenarios.

Cause: In ISA Server 2006, LDAP authentication is available only as an authentication method in reverse proxy Web publishing scenarios. LDAP authentication is not available in ISA Server 2004.

Types of Windows 2003

Standard Edition - 4 processors with up to 4 GB RAM
Enterprise Edition - 8 processors with up to 32 GB RAM
Datacenter Edition - 32 processors with up to 64 GB RAM
Web Edition - 2 processors with up to 2 GB RAM

Sample Boot.ini File (WinXP)

This is a sample of a default Boot.ini file from a Windows XP Professional computer.

[boot loader]
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

RAID types

RAID-0: RAID-0 is called disk "striping". All the data is spread out in chunks across all the disks in the RAID set. RAID-0 has great performance, because you spread out the load of storing data onto more physical drives. There is no parity generated for RAID-0. Therefore there is no overhead to write data to RAID-0 disks. RAID-0 is only good for better performance, and not for high availability, since parity is not generated for RAID-0 disks. RAID-0 requires at least two physical disks.

RAID-1: RAID-1 is called disk mirroring. All the data is written to at least two separate physical disks. The disks are essentially mirror images of each other. If one of the disks fails, the other can be used to retrieve data. Disk mirroring is good for very fast read operations. It's slower when writing to the disks, since the data needs to be written twice. RAID-1 requires at least two physical disks.

RAID-5: RAID-5 uses disk striping with parity. The data is striped across all the disks in the RAID set, along with the parity information needed to reconstruct the data in case of disk failure. RAID-5 is the most common method used, since it achieves a good balance between performance and availability. RAID-5 requires at least three physical disks.
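What "parity information needed to reconstruct the data" means in practice, as an added example (not from the original post): RAID-5 parity is the XOR of the data chunks in a stripe, and any one missing chunk, data or parity, is the XOR of the rest. The chunk size, disk count and sample bytes below are constructed; the parity chunk rotates across the disks from stripe to stripe, which is what separates RAID-5 from a fixed parity disk.

```python
"""RAID-5 striping with rotating XOR parity: write data across N disks, lose
any one disk, and rebuild it from the survivors. Added example with constructed
sample data; it models the layout, not any particular controller."""


def xor_bytes(chunks):
    """XOR equal-length byte strings together; this is all RAID-5 parity is."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def raid5_write(data, disks, chunk_size):
    """Return one list of chunks per disk. Each stripe holds disks-1 data chunks
    plus one parity chunk, and the parity chunk moves to a different disk on
    every stripe (the rotation is what distinguishes RAID-5 from RAID-4)."""
    if disks < 3:
        raise ValueError("RAID-5 needs at least three physical disks")
    per_stripe = (disks - 1) * chunk_size
    data = data + b"\x00" * ((-len(data)) % per_stripe)   # pad the last stripe
    layout = [[] for _ in range(disks)]
    for stripe, off in enumerate(range(0, len(data), per_stripe)):
        chunks = [data[off + i * chunk_size: off + (i + 1) * chunk_size]
                  for i in range(disks - 1)]
        parity_disk = stripe % disks
        parity = xor_bytes(chunks)
        remaining = iter(chunks)
        for d in range(disks):
            layout[d].append(parity if d == parity_disk else next(remaining))
    return layout


def raid5_rebuild(layout, failed):
    """Rebuild disk `failed` (its entry may be None) from the surviving disks:
    every chunk, data or parity, is the XOR of the other chunks in its stripe."""
    survivors = [d for d in range(len(layout)) if d != failed]
    stripes = len(layout[survivors[0]])
    return [xor_bytes([layout[d][s] for d in survivors]) for s in range(stripes)]


def raid5_read(layout, length):
    """Reassemble the original bytes from a complete layout, skipping parity."""
    disks = len(layout)
    out = bytearray()
    for s in range(len(layout[0])):
        for d in range(disks):
            if d != s % disks:
                out += layout[d][s]
    return bytes(out[:length])


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed data
    disks = raid5_write(sample, disks=4, chunk_size=4)
    lost = disks[2]
    disks[2] = None                                           # simulate a failed drive
    disks[2] = raid5_rebuild(disks, 2)
    print("rebuilt intact:", disks[2] == lost)
    print("read back:", raid5_read(disks, len(sample)))
```

Because each stripe's parity is a single XOR, a second failure in the same stripe before the rebuild completes is unrecoverable; that window is the availability limit the RAID-5 paragraph trades against RAID-1's second full copy.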

Server Support Interview Questions-Part-2

1) How to enable telnet in Windows ?
2) What are the different types of Terminal Services ?
3) What is the diff between Application mode and Administration mode ?
4) What is Licensing in Terminal Services?
5) What is FSMO roles and explain ?
6) I have a Global Catalog server on Server1, and want to make the same server the Infrastructure Master. Can I go ahead with that? Explain.
7) How to publish a web site in IIS?
8) How to deploy patches to the systems?
9) What are the tools available for Patch Deployments ?
10) Difference between Differential and Incremental Backup ?
11) What is DHCP Option, Server Options?
12) How to take backup in Group Policy?
13) Which component is used for replication between the sites?
14) How to take the backup DHCP data while DHCP SERVER is running?
15) What are the new features in Windows 2003 DNS?
16) What are new ADS features in 2003 ?
17) You have a high-configuration server SERVER1 and additional domain controllers serv2 and serv3 with a lower configuration. When 1000 users log in to their computers, all logon traffic goes to serv2 and serv3, so serv2 and serv3 hang. How do you redirect the logon traffic to SERVER1?
18) What is the procedure to restore the data in ADS?
19) What is the use of ntdsutil command ?
20) Which command helps to find the server for FSMO roles ?
21) What protocols are supported for replication?
22) What is the expansion of .DIT? What is the scalable size of NTDS in 2k3?
23) What are the partitions available in AD?
24) What are the two types of replications?
25) What is KCC ? What is the function of the KCC?
26) What are the two trust protocols 2k3 using ?
27) What are the trust relations available in 2k3?
28) What are the protocols used for replication?
29) What is the default time delay on replication?
30) What Different tables available in NTDS database?
31) Where is the FRS logs stored in and what is the database engine name?
32) What is a tombstone object in AD? What is its lifetime?
33) What are the functions of GC?
34) What is Global catalog and GC server?
35) What are the domain functional levels in 2k3?
36) What is the hierarchy of applying Gpo in 2k3?

Server Support Interview Questions P-1

1. What are the differences between 2K, 2K3 and XP?
4. What is the new major feature introduced in Exchange 2003, which was not included in Exchange 2000?
5. How can you recover a deleted mailbox?
6. What is the use of ESEUtil.exe?
7. What are the port numbers for POP3, IMAP, SMTP, SMTP over SSL, POP3 over SSL and IMAP over SSL?
8. Difference between Exchange 2003 and 2007?
9. What is RPC over HTTP?
10. What is required for using RPC over HTTPS with MS Outlook?
11. If you have deleted a user and then recreated the same user, how will you give access to the previous mailbox?
12. What are the prerequisites for installation of Exchange Server?
13. What is the use of NNTP with Exchange?
14. If the NNTP service gets stopped, what features of Exchange will be affected?
15. Which protocol is used for Public Folders?
16. How will you take a backup of Active Directory?
17. What are the contents of a System State backup?
18. Boot process in Windows NT/XP/2000/2003
19. How do you configure a memory dump if C:, D:, E: and the paging file are configured in a particular way?
20. Backups: which is better, why, and which to use when?
21. Disaster recovery plan?
22. DHCP lease process
23. DNS zones, chronicle records: what are they?
24. DHCP relay agent: where to place it?
25. What is Active Directory compared to SAM?
26. What is GC? How many are required for a tree?
27. What is a forest?
28. Group policies?
29. FSMO roles?
30. When you use ping command, how do you recognise DNS/WINS is working ?
31. What is the difference between DNS/WINS ?
32. Do you require WINS in Windows 2000 ? Explain how ?
33. What is Active Directory ?
34. You have a parent domain xyzhq.com and the child domains INxyz and UKxyz. When you apply a group policy in the parent domain xyzhq.com at the domain level, does it apply to its child domains INxyz and UKxyz?
35. You take a backup on Monday as FULL and on Tuesday, Wednesday, Thursday and Friday as Differential Backup. If your server crashes on Friday, which media tapes are required to restore the data? Explain how.
36. What is a Global Catalog Server?
37. Can the GC Server and the Infrastructure Master be placed on a single server? If not, explain why.
38. What is the size of log file which created before updating into ntds.dit and the total number of files ?
39. What does SYSVOL contains ?
40. Which service in Windows is responsible for replication from one domain controller to another domain controller?
41. How data will travel between sites in ADS replication?
42. What is the port number for SMTP, Kerberos, LDAP, GC Server. ?
43. What are intrasite and intersite replication?
44. What is lost & found folder in ADS ?
45. What is Garbage collection ?
46. What System State data contains ?
47. How do you restore a particular OU which was deleted accidentally?
48. What is IPSec Policy ?
49. What are different types of Group Policy ?
50. What is the order of applying Group Policy ?
51. What are the new features in Windows 2003 related to ADS, Replication and Trust?
52. How to edit the Schema in ADS?
53. What is Domain Local, Global Group, Universal group ?
54. Diff between Global & Universal group ?
55. What are the different types of Terminal Services ?
56. What does mean by root DNS servers?
57. What are the different records in DNS ?
58. What is SOA records ?
59. How do down-level clients register their names with the DNS server?
60. What is RsOP ?
61. What is default lease period for DHCP Server?
62. What is the process of DHCP clients for getting the ip address?
63. What is multicast?
64. What is superscope ?
65. What is the System Startup process ?
66. What is WINS hybrid & mixed mode?
67. What is Disk Quota ?
68. What is Active Directory?
69. What is LDAP?
70. Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
71. Where is the AD database held? What other folders are related to AD?
72. What is the SYSVOL folder?
73. Name the AD NCs and replication issues for each NC.
74. What are application partitions? When do I use them?
75. How do you create a new application partition?
76. How do you view replication properties for AD partitions and DCs?
77. What is the Global Catalog?
78. How do you view all the GCs in the forest?
79. Why not make all DCs in a large forest as GCs?
80. Trying to look at the Schema, how can I do that?
81. What are the Support Tools? Why do I need them?
82. What is LDP? What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
What are sites? What are they used for?
83. What's the difference between a site link's schedule and interval?
84. What is the KCC?
85. What is the ISTG? Who has that role by default?
86. What are the requirements for installing AD on a new server?
87. What can you do to promote a server to DC if you're in a remote location with slow WAN link?
How can you forcibly remove AD from a server, and what do you do later?
Can I get user passwords from the AD database?
88. What tool would I use to try to grab security related packets from the wire?
Name some OU design considerations.
89. What is tombstone lifetime attribute?
90. What do you do to install a new Windows 2003 DC in a Windows 2000 AD?
91. What do you do to install a new Windows 2003 R2 DC in a Windows 2003 AD?
92. How would you find all users that have not logged on since last month?
What are the DS* commands?
93. What's the difference between LDIFDE and CSVDE? Usage considerations?
94. What are the FSMO roles? Who has them by default? What happens when each one fails?
95. What FSMO placement considerations do you know of?
96. I want to look at the RID allocation table for a DC. What do I do?
97. What's the difference between transferring a FSMO role and seizing one? Which one should you NOT seize? Why?
98. How do you configure a "stand-by operation master" for any of the roles?
99. How do you backup AD?
100. How do you restore AD?
101. How do you change the DS Restore admin password?
102. Why can't you restore a DC that was backed up 4 months ago?
103. What are GPOs?
104. What is the order in which GPOs are applied?
105. Name a few benefits of using GPMC.
106. What are the GPC and the GPT? Where can I find them?
107. What are GPO links? What special things can I do to them?
108. What can I do to prevent inheritance from above?
109. How can you determine what GPO was and was not applied for a user? Name a few ways to do that.
110. A user claims he did not receive a GPO, yet his user and computer accounts are in the right OU, and everyone else there gets the GPO. What will you look for?
111. Name some GPO settings in the computer and user parts.
112. What are administrative templates?
113. What's the difference between software publishing and assigning?
114. Can I deploy non-MSI software with GPO?
115. You want to standardize the desktop environments (wallpaper, My Documents, Start menu, printers etc.) on the computers in one department. How would you do that?

How To Reinstall Windows Without Losing Anything

1- Start Windows XP
2- Go to the location of your source files
3- Run WINNT32 /unattend
For example, D:\I386\winnt32 /unattend ( copy & paste this command into the RUN box, then press ENTER ) Your computer will do the rest.
Start > All Programs > Accessories > Command Prompt.
Copy & paste > D:\I386\winnt32 /unattend
Press Enter.
If you have i386 on your drive, you can replace D: (if D: is your CD drive) with the location of it.
I've often needed to do this to repair something that had gotten corrupted and didn't want to do a clean install.

D: is the drive letter where your Windows XP CD is.
If D:\I386\winnt32 /unattend doesn't work, then try: d:\winnt32 /unattend.

Multiple parent proxies

If you would like to have more than one parent proxy you can add more cache_peer directives; one for each parent. Now you can define either weight or round-robin to control the way Squid will communicate with the proxies: while weight tells Squid to prefer one cache over another, round-robin tries to spread connections evenly among the defined caches.

First of all a simple example for two parent proxies:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest default
cache_peer proxy.isp2.com parent 8080 0 no-query no-digest

If you define more than one parent proxy you might want to set one as the default proxy, which is used as a last resort.

An example for weight:

cache_peer proxy.isp1.com parent 8080 0 no-query no-digest weight=1
cache_peer proxy.isp2.com parent 8080 0 no-query no-digest weight=2

In this example it is likely that the proxy from the second ISP will be favored over the first one.

And here an example for round-robin:

cache_peer proxy.isp1.com parent 8080 round-robin no-query
cache_peer proxy.isp2.com parent 8080 round-robin no-query
cache_peer proxy.isp3.com parent 8080 round-robin no-query

All connections to our proxy would be round-robined among these three caches. Because Squid treats all parents equally, it is currently not possible to define a weight here, e.g. to forward 50% of the requests to the first proxy and 25% to the second and third proxy respectively.

Rf. http://www.christianschenk.org/blog/using-a-parent-proxy-with-squid/

iptables configuration

# Generated by iptables-save v1.2.11 on Thu May 28 18:29:24 2009
:PREROUTING ACCEPT [1666:190119]
:INPUT ACCEPT [1275:141051]
:FORWARD ACCEPT [249:41588]
:OUTPUT ACCEPT [1256:201758]
-A INPUT -i eth1 -p tcp -m state --state NEW -m multiport --dports 22 -j LOG
# Completed on Thu May 28 18:29:24 2009
# Generated by iptables-save v1.2.11 on Thu May 28 18:29:24 2009
:INPUT ACCEPT [1275:141051]
:OUTPUT ACCEPT [1256:201758]
:INBOUND - [0:0]
:OUTBOUND - [0:0]
-A INPUT -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -i eth0 -o eth1 -j REJECT --reject-with icmp-host-unreachable
-A INPUT -i ! eth0 -m state --state NEW -j ACCEPT
-A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.10.x -o eth0 -m state --state NEW -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -m limit --limit 3/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
# Completed on Thu May 28 18:29:24 2009
# Generated by iptables-save v1.2.11 on Thu May 28 18:29:24 2009
:OUTPUT ACCEPT [130:10510]
-A POSTROUTING -o eth0 -j SNAT --to-source
# Completed on Thu May 28 18:29:24 2009
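The dump's `-A INPUT -i eth1 -p tcp -m state --state NEW -m multiport --dports 22 -j LOG` rule only records new SSH connection attempts; something still has to read those records. Below is an added example (not from the original post) that parses the kernel's netfilter LOG format, counts new connections to port 22 per source address, and flags sources above a threshold. The syslog lines are constructed in that format, using documentation address ranges; the rule has no `--log-prefix`, so, as here, the lines carry no tag and must be recognised by their `IN=` field.

```python
"""Detection over netfilter LOG lines for the page's SSH logging rule.
Added example; SAMPLE_SYSLOG is constructed (documentation IP ranges)."""
import re
from collections import Counter

MAC = "00:0c:29:aa:bb:cc:00:1b:21:dd:ee:ff:08:00"   # constructed
SAMPLE_SYSLOG = f"""\
May 28 18:30:01 gw kernel: IN=eth1 OUT= MAC={MAC} SRC=192.0.2.10 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 18:30:02 gw kernel: IN=eth1 OUT= MAC={MAC} SRC=192.0.2.10 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1002 DF PROTO=TCP SPT=40002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 18:30:03 gw kernel: IN=eth1 OUT= MAC={MAC} SRC=192.0.2.10 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1003 DF PROTO=TCP SPT=40003 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 18:30:05 gw kernel: IN=eth1 OUT= MAC={MAC} SRC=198.51.100.7 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2001 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
May 28 18:30:06 gw kernel: IN=eth0 OUT= MAC={MAC} SRC=192.168.10.25 DST=192.168.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3001 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
May 28 18:30:07 gw sshd[4242]: Accepted publickey for admin from 198.51.100.7 port 51000 ssh2
"""

KV_RE = re.compile(r"(\w+)=(\S*)")   # netfilter fields are KEY=VALUE; flags like DF/SYN have no '='


def parse_netfilter_line(line):
    """Return the KEY=VALUE fields of a kernel netfilter LOG line, or None when
    the line is something else (an sshd message, for instance)."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    return dict(KV_RE.findall(line.split("kernel:", 1)[1]))


def new_ssh_by_source(syslog_text, iface="eth1", port="22"):
    """Count logged new TCP connections to `port` arriving on `iface`, per source IP.
    Traffic on other interfaces (the internal side, eth0 in the dump) is ignored,
    mirroring the rule's '-i eth1'."""
    counts = Counter()
    for line in syslog_text.splitlines():
        fields = parse_netfilter_line(line)
        if fields and fields.get("IN") == iface and fields.get("PROTO") == "TCP" \
                and fields.get("DPT") == port:
            counts[fields["SRC"]] += 1
    return counts


def noisy_sources(counts, threshold=3):
    """Sources with at least `threshold` new connections in the log window."""
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    per_source = new_ssh_by_source(SAMPLE_SYSLOG)
    print("new SSH connections per source:", dict(per_source))
    print("above threshold:", noisy_sources(per_source))
```

Because the rule logs every NEW packet without a rate limit, a busy external interface can flood the kernel log; pairing `-j LOG` with `-m limit`, as the dump already does for forwarded SYNs, keeps the log useful for this kind of counting.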

My Squid Configuration

icp_port 0
cache_peer_domain proxy.myisp.com.sg
cache_peer proxy.myisp.com.sg parent 8080 0 no-query default
#cache_peer proxy2.myisp.com.sg parent 8080 0 no-query default
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \? \.asp$ \.php$
cache_mem 512 MB
maximum_object_size 4096 KB
minimum_object_size 0 KB
maximum_object_size_in_memory 2048 KB
cache_replacement_policy heap GDSF
memory_replacement_policy heap GDSF
cache_dir ufs /usr/squid/squid1 700 16 256
cache_dir ufs /usr/squid/squid2 700 16 256
cache_dir ufs /usr/squid/squid3 700 16 256
cache_dir ufs /usr/squid/squid4 700 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid/cache.log
cache_store_log /var/log/squid/store.log
emulate_httpd_log on
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
half_closed_clients off
shutdown_lifetime 1 seconds
acl all src
acl cachemgr proto cache_object
acl localhost src
acl to_localhost dst
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 3130 # icp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl webserver url_regex -i myhost.localwebserver.com
acl webserver1 url_regex -i http://webchat.localchatserver.com/chat/
acl BlkURL url_regex -i www.sex.com www.plineworld.com www.playboy.com www.pmates.com www.virusbursters.com dl1.virusbursters.com www.sexkey.com www.adult-kingdom.com www.pmates.com
always_direct allow webserver
always_direct allow webserver1
acl special_client src
acl google_mail dstdomain .bankofamerica.com .bluehyppo.com .google.com .google.com.sg .hotmail.com .imrworldwide.com .live.com .livefilestore.com .msn.com .offshore-engineer.com .streamyx.com .tm.net.my .yahoo.com .yahoo.com.sg .yimg.com
acl CONNECT method CONNECT
http_access deny !Safe_ports
# Only allow CONNECT tunnels to the SSL ports (Squid's default rule)
http_access deny CONNECT !SSL_ports
acl my_networks src
acl vip_users src
acl 1_day src
acl 1to15 src
acl until_morning src
acl everyday_1_2 src
acl Weekends_Users time SA 7:00-24:00
acl 1_day_user time MTWHF 17:30-23:00
acl 15min_user time W 11:00-13:00
acl 8am time M 5:00-8:00
acl every_12 time MTWHF 18:00-24:00
http_access allow localhost
http_access allow special_client google_mail
http_access allow vip_users !BlkURL
http_access allow cachemgr
http_access allow my_networks Weekends_Users
http_access allow 1_day 1_day_user
http_access allow 1to15 15min_user
http_access allow everyday_1_2 every_12
http_access allow until_morning 8am
http_access deny my_networks
http_access deny all
http_reply_access allow all
cache_mgr admin@mydomain.com
cache_effective_user squid
cache_effective_group squid
dns_testnames proxy.myisp.com.sg proxy2.myisp.com.sg microsoft.com
forwarded_for on
cachemgr_passwd xxxxxxxxx
always_direct deny all
never_direct allow all
no_cache deny QUERY
strip_query_terms on
coredump_dir /var/spool/squid
visible_hostname cache-1.mydomain.com

Blocked Bad Websites in Squid Proxy

acl bad_url dstdomain "/etc/squid/bad-sites.squid"

http_access deny bad_url

[root@robotic ~]# cat /etc/squid/bad-sites.squid

How do I know Uptime for my Windows Servers?

You can use any of the following commands to get uptime of a Windows machine:

net statistics workstation
net statistics server
net stats srv

On Windows Server 2003, the “systeminfo” command also gives you the uptime, but this command is not available on Windows 2000 servers.

Script for installing yum on CentOS 5.3

You need to have rpm and wget already installed. Create a temporary directory, paste the following code in a file in that directory, make it executable and run it:
mkdir temp && cd temp
vi yumdownload


#!/bin/bash
# Fetch every RPM that yum and its dependencies need from the CentOS 5.3 mirror
for file in \
elfutils-0.137-3.el5.i386.rpm \
elfutils-libs-0.137-3.el5.i386.rpm \
elfutils-libelf-0.137-3.el5.i386.rpm \
expat-1.95.8-8.2.1.i386.rpm \
gmp-4.1.4-10.el5.i386.rpm \
libxml2-2.6.26- \
libxml2-python-2.6.26- \
m2crypto-0.16-6.el5.3.i386.rpm \
python-2.4.3-24.el5.i386.rpm \
python-elementtree-1.2.6-5.i386.rpm \
python-iniparse-0.2.3-4.el5.noarch.rpm \
python-sqlite-1.1.7-1.2.1.i386.rpm \
python-urlgrabber-3.1.0-5.el5.noarch.rpm \
readline-5.1-1.1.i386.rpm \
rpm- \
rpm-libs- \
rpm-python- \
sqlite-3.3.6-2.i386.rpm \
yum-3.2.19-18.el5.centos.noarch.rpm \
yum-fastestmirror-1.1.16-13.el5.centos.noarch.rpm \
; do
wget http://mirror.centos.org/centos-5/5.3/os/i386/CentOS/$file
done

chmod a+x yumdownload
./yumdownload

This will get you all the rpms you might need before being able to install yum.

Now try installing them all by typing:

rpm -Uvh *.rpm

This might not work, at least it did not for us. So try to install yum directly with rpm -Uvh yum-3.2.19-18.el5.centos.noarch.rpm and let the errors guide you. When you run into a circular dependency, install the rpm while ignoring its dependencies, e.g.:

rpm -Uvh --nodeps yum-fastestmirror*

Then feel free to run yum -y update to bring your system up to date.

This should finally allow you to install yum.

List of TCP and UDP port numbers

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

Squid Proxy Stuffs

grep -v -e '^\s*$' -e '^#' /etc/squid/squid.conf -> print out squid.conf without blank lines and comments

# /usr/sbin/squidclient -h -p 8080 mgr:info

setterm -fore green -back black -store > /dev/tty1
iptables -t nat -A PREROUTING -s -p tcp --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A POSTROUTING -j MASQUERADE
http_port transparent
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A FORWARD -s -o eth0 -p tcp -m state --state NEW -m multiport --dports 593,88,53,135,137,138,42,25,110 -j ACCEPT
-A FORWARD -s -o eth0 -p udp -m state --state NEW -m multiport --dports 593,88,53,135,137,138,42,25,110 -j ACCEPT

Protect "init1" with password

vi /etc/inittab
#add this line
# Protect "Ctrl+Alt+Del"
ca:12345:ctrlaltdel:/bin/echo "Ctrl+Alt+Del is Disabled for Security"

Mounting Folder as Drive in Windows

In command prompt:
C:\> subst :
Eg: subst E: C:\Test\temp
Removing Virtual Drive
C:\> subst /d
Eg: subst /d E:

Can't See Image Files in Outlook

Delete OutlookSecureTempFolder

Disable Windows Genuine License Error

Rename C:\Windows\System32\WgaLogon.dll

IE6 Reinstall in Win XP

• The ie.inf file is located in the Windows\Inf folder.
• Right click the ie.inf file and click Install on the context menu.
• Reboot the computer when the file copy process is complete.

Outlook Exchange Extension Error

• HKEY_LOCAL_MACHINE\Software\Microsoft\Exchange\Client\Extensions
• Right click Delete that Extensions Folder.
• Logout and Login.

Outlook Attachment Default & Temp Location

• C:\Documents and Settings\XXXX\Local Settings\Temporary Internet Files\OLKxx
( Note : xx = Random Number )

Outlook Email Address Saving File

• C:\Documents and Settings\XXXX\Application Data\Microsoft\Outlook\XXXX.NK2
Note : First XXXX = User Profile Name
Second XXXX = Outlook Profile Name

Load Balancing In Linux

1 LAN & 2 WAN
- ip route add default scope global nexthop via dev eth0 weight 1 nexthop via dev eth1 weight 1
( Note : Balancing on & Gateway.
Weight 1 & 1 = equal load balancing.
Weight 1 & 4 = weight 1 is the first priority and 4 is the second. )

Useful YUM Commands

* yum install package1 [package2]
installs the specified package(s)

* yum update package1 [package2]
updates the specified package(s)

* yum remove package1 [package2]
removes the specified package(s)

* yum info package1 [package2]
shows the information for the specified package(s)

* yum search string1 [string2]
finds all packages wherein the name, description or summary matches the specified string(s)

* yum localinstall rpmfile1 [rpmfile2]
installs the specified rpm file(s)

* yum localupdate rpmfile1 [rpmfile2]
updates the rpm file(s)

* yum update
updates all packages

* yum list installed
shows all the installed packages

* yum list updates
shows all the packages that have updates available

Exchange Database Repair & Defragment

- Unmount Exchange Mailbox Database
- In Command prompt, go to Exchange Bin folder (Default path ->C:\Program
- Type Eseutil /p DATABASE_FILE (for database file scanning/repairing)
- Type Eseutil /p /d DATABASE_FILE /t C:\temp\temp.edb (for Defragment)

Linux Commands

- cp -var . /mnt/test/ ( copy all folders & files to the /mnt/test/ folder )
- chkconfig xxxx on ( xxxx = a service such as squid/httpd/netfs; only services that have a script in /etc/init.d/ can be used )
- ntsysv ( set up the service list )
- ifdown eth2 ( disable NIC 2 )
- ifup eth2 ( enable NIC 2 )
- vi /etc/sysconfig/network-scripts/ifcfg-eth2 ( address file for eth2 )
- :q! ( exit without saving in the vi editor )
- /acl ( find the string "acl" in the vi editor )
- service iptables save ( save the iptables rules )
- iptstate ( show iptables status )
- vi /etc/sysctl.conf -> net.ipv4.ip_forward = 0/1 ( 0 disables NAT / IP forwarding )
- dw01:/home/root# scp -r * dw12:/home/kkk ( copy all files under the /home/root folder on dw01 to the /home/kkk folder on dw12 )
- linux askmethod ( OS installation from the network; type it at the boot prompt )
- cat /proc/cpuinfo ( display CPU information; Linux may show 1 processor as 2 processors )
- free -m ( display memory information in MB )
- fdisk -l ( display storage information )
- lspci ( display PCI device information )
- top ( display running tasks with CPU utilization )
- df ( display disk usage )
- echo "1" > /proc/sys/net/ipv4/ip_forward ( enable NAT / IP forwarding, 0 = disable )
- vi /etc/resolv.conf ( DNS server entries )
- vi /etc/fstab ( partitions & volumes mounted at startup )
- rpm -qi squid ( show the installed RPM version of squid )
- netstat -ntlp ( show the services currently listening on the network )
- yum erase squid ( uninstall squid; the yum package must already be installed for the yum command )

Hide Field Codes ( Toggle Fields Codes ) on MS Words Documents

If you are having a problem with MS Word showing the field codes in both “Print Preview” and
“Print Layout view”, do as below:
If the field codes are appearing in the "Print Layout View" (View -> Print Layout), they should
also appear in "Normal View". This is controlled by:
Tools (menu) -> Options (menu item) -> View (tab) -> Show (section)
Uncheck "Field Codes" and click OK.
The field codes can also appear in "Print Preview" (File -> Print Preview) and on the printed
page. This is controlled by:
Tools (menu) -> Options (menu item) -> Print (tab) -> Include with document (section)
Uncheck "Field Codes" and "Hidden Text" and click OK.

Transparent Proxy with Squid & Iptables on Fedora 9

chkconfig NetworkManager off and disable SELinux.
In /etc/sysctl.conf set net.ipv4.ip_forward = 1, then install squid, dhcp, bind and openssh.
/etc/hosts localhost.localdomain localhost amk amk.localdomain.com amk
ddns-update-style none;
allow bootp;
subnet netmask {
option subnet-mask;
option domain-name "localdomain.com";
option routers;
option domain-name-servers;
default-lease-time 3600;
max-lease-time 7200;
}
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
forwarders {;; };
};
zone "localdomain.com" {
type master;
file "/var/named/localdomain.com.hosts";
};
zone "10.168.192.in-addr.arpa" {
type master;
file "/var/named/192.168.10.rev";
};
$ttl 38400
localdomain.com. IN SOA amk.localdomain.com. amk.localdomain.com. (
38400 )
localdomain.com. IN NS amk.localdomain.com.
amk.localdomain.com. IN A
$ttl 38400
10.168.192.in-addr.arpa. IN SOA amk.localdomain.com. amk.localdomain.com. (
38400 )
10.168.192.in-addr.arpa. IN NS amk.localdomain.com.
IN PTR amk.localdomain.com.
# ----------------------------
acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl localnet src
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port vhost vport=80 defaultsite=virtual protocol=http
hierarchy_stoplist cgi-bin ?
cache_mem 8 MB
minimum_object_size 0 KB
maximum_object_size 4096 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_mgr admin@gmail.com
visible_hostname amk.localdomain.com
icp_port 3130
always_direct allow all
cachemgr_passwd 123456
coredump_dir /var/spool/squid
#Clear Default IPTABLES Rules
iptables -F
#Allow Local Network to Accept to Firewall ( Eth1= Local / Eth0=External )
iptables -A INPUT -j ACCEPT -p all -s -i eth1
iptables -A OUTPUT -j ACCEPT -p all -s -o eth0
#Redirect port 80 request to Proxy Port
iptables -t nat -A PREROUTING -i eth1 -p tcp ! -d --dport 80 -j REDIRECT --to-port 8080
#Enable NAT for Local Network
iptables -A POSTROUTING -t nat -o eth0 -s -d 0/0 -j MASQUERADE

Transparent Proxy with WPAD in Fedora 9

Note : WPAD does not work with IE 6, because IE 6 has bugs in its WPAD handling.
I disabled NetworkManager & SELinux, because it will make it difficult for
HOSTS (hosts = /etc)
localhost.localdomain localhost amk amk.localdomain.com amk
RESOLV.CONF (resolv.conf = /etc)
DHCP.CONF (dhcpd.conf = /etc)
ddns-update-style none;
allow bootp;
option wpad code 252=text; #For WPAD
subnet netmask {
option subnet-mask;
option domain-name "localdomain.com";
option routers;
option domain-name-servers;
default-lease-time 3600;
max-lease-time 7200;
option wpad ""; #For WPAD
}
NAMED.CONF (named.conf = /etc)
options {
directory "/etc";
pid-file "/var/run/named/named.pid";
forwarders {;; };
};
zone "localdomain.com" {
type master;
file "/var/named/localdomain.com.hosts";
};
zone "10.168.192.in-addr.arpa" {
type master;
file "/var/named/192.168.10.rev";
};
LOCALDOMAIN.COM.HOSTS (localdomain.com.hosts = /var/named)
$ttl 38400
localdomain.com. IN SOA amk.localdomain.com. amk.localdomain.com. (
38400 )
localdomain.com. IN NS amk.localdomain.com.
amk.localdomain.com. IN A
wpad IN A
IN TXT "service: wpad:!http://wpad.localdomain.com:80/wpad.dat"
wpad.tcp IN SRV 0 0 80 wpad.localdomain.com.
192.168.10.REV (192.168.10.rev = /var/named)
$ttl 38400
10.168.192.in-addr.arpa. IN SOA amk.localdomain.com. amk.localdomain.com. (
38400 )
10.168.192.in-addr.arpa. IN NS amk.localdomain.com.
IN PTR amk.localdomain.com.
WPAD.DAT (wpad.dat = /var/www/html)
function FindProxyForURL(url, host) {
if (
(isPlainHostName(host)) ||
(dnsDomainIs(host, ".localdomain.com")) || // the zone used on this page is localdomain.com
(isInNet(host, "", "")) ||
(isInNet(host, "", "")) ||
(isInNet(host, "", ""))
)
return "DIRECT";
if (
(isInNet(myIpAddress(), "", ""))
)
return "PROXY"; // followed by the proxy's host:port
}
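The same PAC logic as an added example that is not the page's own wpad.dat, made runnable under Node by supplying the helper functions a browser normally provides. It assumes the LAN is 192.168.10.0/24 (taken from the page's 10.168.192.in-addr.arpa reverse zone), that squid listens on amk.localdomain.com:8080 (the http_port given below), and a constructed client address.

```javascript
// Added example, not the page's own wpad.dat: the page's FindProxyForURL logic
// with the PAC helper functions a browser normally provides. Assumptions: the
// LAN is 192.168.10.0/24 (from the page's reverse zone), the proxy is
// amk.localdomain.com:8080 (the page's squid http_port), and the client address
// is injected for testing instead of being read from the browser.
const LAN_NET = "192.168.10.0";
const LAN_MASK = "255.255.255.0";
const PROXY = "PROXY amk.localdomain.com:8080";
let clientAddress = "192.168.10.50"; // constructed; a browser supplies this itself

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// PAC helpers as the browser implements them (no DNS lookups here: isInNet only
// handles hosts that are already dotted-quad addresses).
function isPlainHostName(host) { return !host.includes("."); }
function dnsDomainIs(host, domain) { return host.toLowerCase().endsWith(domain.toLowerCase()); }
function isInNet(host, net, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  const m = ipToInt(mask);
  return (ipToInt(host) & m) === (ipToInt(net) & m);
}
function myIpAddress() { return clientAddress; }
function setClientAddress(ip) { clientAddress = ip; }

function FindProxyForURL(url, host) {
  // Local names, the LAN itself and loopback bypass the proxy
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".localdomain.com") ||
      isInNet(host, LAN_NET, LAN_MASK) ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) {
    return "DIRECT";
  }
  // Only clients on the LAN are sent through squid; a laptop that loads this
  // file while on another network falls through to DIRECT instead of a dead proxy
  if (isInNet(myIpAddress(), LAN_NET, LAN_MASK)) {
    return PROXY;
  }
  return "DIRECT";
}
```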
HTTPD.CONF (httpd.conf = /etc/httpd/conf)

ServerName wpad.localdomain.com
AddType application/x-ns-proxy-autoconfig .dat

SQUID.CONF (squid.conf = /etc/squid)
# ----------------------------

acl manager proto cache_object
acl localhost src
acl to_localhost dst
acl localnet src # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
# And finally deny all other access to this proxy
http_access deny all
icp_access allow localnet
icp_access deny all
htcp_access allow localnet
htcp_access deny all
http_port 8080
hierarchy_stoplist cgi-bin ?
#cache_mem 512 MB
cache_dir ufs /var/spool/squid 100 16 256
minimum_object_size 0 KB
maximum_object_size 4096 KB
access_log /var/log/squid/access.log squid
cache_log /var/log/squid/cache.log
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern (cgi-bin|\?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname amk.localdomain.com
icp_port 3130
# nonhierarchical_direct on
#always_direct deny all
#never_direct allow all
cachemgr_passwd 123456
coredump_dir /var/spool/squid
cache_mgr aungmyoko@gmail.com
#Clear iptables default rules
iptables -F
#Declare for INPUT,OUTPUT,FORWARD Chains
iptables -P INPUT ACCEPT
#Allow Local Network to Accept Firewall (eth1= Local / eth0 = External)
iptables -A INPUT -j ACCEPT -p all -s -i eth1
iptables -A OUTPUT -j ACCEPT -p all -s -o eth0
#Enable NAT Command
iptables -A POSTROUTING -t nat -o eth0 -s -d 0/0 -j MASQUERADE
( Note: Check that net.ipv4.ip_forward = 1 in /etc/sysctl.conf before typing the iptables NAT enable command,
because net.ipv4.ip_forward = 1 and the iptables MASQUERADE rule work together to enable NAT. )
#iptables save
service iptables save
#Check iptables rules
service iptables status (or) iptables -L
Checking Squid Logs File
# tail -f /var/log/squid/access.log (# the squid log file shows whether clients are using squid or not.)