Hacking
Playing with IPv6
Jumped onto what used to be the 6bone the other day. I even set up the IPv6 route prefixes on my FreeBSD router, but it looks like route advertisements and router solicitations aren't working properly (probably because of my firewall). My understanding is that IPv6 also relies a lot on multicast, so I'm going to see if I can get the right multicast routes set up such that at least DNS and NTP work on the clients without having to set anything up in DHCP/DHCPv6.
Fortunately, pf already supports IPv6 side-by-side with IPv4, so I won't have to tear up my new firewall policy just for experimentation's sake.
UPDATE: rtadvd wasn't running on the correct set of network interfaces, hence router solicitation wasn't working. After restarting rtadvd and running "netsh interface ipv6 renew" (view the address assignments with "netsh interface ipv6 show address"), I can finally see the dancing KAME!
My Tor Exit Has Been Noticed
TCP and UDP port scans from multiple subnets. Nice. I need to get the IDS running so that I can start blackholing this kind of crap.
OpenVPN and Quagga
Required background information:
- Technical description of OSPF (from the Cisco Internetworking Technology Handbook)
- Technical description of RIPv2 (also from Cisco)
- Quagga reference documentation
- A good OSPF configuration example (from the Linux Advanced Routing and Traffic Control how-to)
In OSPF terms, the OpenVPN tunnels form the backbone network (area 0.0.0.0). In order to get OSPF working over the OpenVPN tunnels, one should use the tap(4) interface driver, which supports the multicast and broadcast traffic types employed by OSPF. (Unicast communications are possible but require hard coding border router addresses, defeating the purpose of an automatically configured routing hierarchy.) One must also ensure that each participating router does not filter the OSPF traffic in or out of the appropriate interfaces. The last required configuration change involves removing all route, push "route ...", and iroute commands from the OpenVPN configuration files, as they will not be necessary once OSPF is operational.
The installation and configuration of Quagga is a lot simpler than it might seem at first. On FreeBSD, install Quagga from ports using a command like:
portinstall --batch quagga
Then enable and start the service with commands similar to the following:
echo 'quagga_enable=YES' >> /etc/rc.conf
echo 'quagga_daemons="zebra ospfd"' >> /etc/rc.conf
touch /usr/local/etc/quagga/{zebra,ospfd}.conf
/usr/local/etc/rc.d/quagga start
Rather than creating a new configuration out of nothing, it's easier to create empty configuration files and then use vtysh to set up the zebra and ospfd services. The initial configuration can be very simple. Assuming that each site's internal networks are allocated out of 10.0.0.0/8 and that the OpenVPN backbone network lives somewhere in 172.16.0.0/12, each router can be configured with commands reminiscent of Cisco IOS:
# vtysh
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# router ospf
hostname(config-router)# log-adjacency-changes
hostname(config-router)# network 172.16.0.0/12 area 0.0.0.0
hostname(config-router)# network 10.0.0.0/8 area WWW.XXX.YYY.ZZZ
hostname(config-router)# end
hostname# copy running-config startup-config
hostname# quit
Replace "WWW.XXX.YYY.ZZZ" with a unique area identifier for each site (e.g., "0.0.0.1" for the first site, "0.0.0.2" for the second, and so on).
I also happen to be running OpenVPN and Quagga on WRT54G/GS access points that run the OpenWRT Linux distribution. Installing and configuring Quagga is a little more difficult in this instance, given the space limitations typical of embedded hardware and because the current OpenWRT distribution (Kamikaze 7.09) does not include binary packages for Quagga. One can install older Quagga binaries built for a previous Kamikaze release using the following commands:
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-libzebra_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-libospf_0.98.6-1_mipsel.ipk
ipkg install http://downloads.openwrt.org/kamikaze/7.06/brcm-2.4/packages/quagga-ospfd_0.98.6-1_mipsel.ipk
(Be sure to use binary packages compiled for the proper hardware platform. The example above will only work on Broadcom hardware.)
Then enable and start the service with the following commands:
echo "password accesspassword" > /etc/quagga/zebra.conf
echo "enable password enablepassword" >> /etc/quagga/zebra.conf
cp /etc/quagga/zebra.conf /etc/quagga/ospfd.conf
/etc/init.d/quagga enable
/etc/init.d/quagga start
My WRT54GS doesn't have enough room for the vtysh binary and its dependencies (readline, ncurses), so I had to configure Quagga by using telnet to connect to its service ports: 2601/tcp for zebra and 2604/tcp for ospfd:
# telnet localhost 2601
Password: accesspassword
hostname> enable
Password: enablepassword
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# end
hostname# copy running-config startup-config
hostname# quit
# telnet localhost 2604
Password: accesspassword
hostname> enable
Password: enablepassword
hostname# configure terminal
hostname(config)# log syslog
hostname(config)# router ospf
hostname(config-router)# log-adjacency-changes
hostname(config-router)# network 172.16.0.0/12 area 0.0.0.0
hostname(config-router)# network 10.0.0.0/8 area WWW.XXX.YYY.ZZZ
hostname(config-router)# end
hostname# copy running-config startup-config
hostname# quit
Again, replace "WWW.XXX.YYY.ZZZ" with a unique area identifier for each site (e.g., "0.0.0.1" for the first site, "0.0.0.2" for the second, and so on). Once satisfied that Quagga is configured properly, remove the password and enable password settings in /etc/quagga/zebra.conf and /etc/quagga/ospfd.conf to disable remote administrative access to the routing software.
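Added here as an illustration of the per-site OSPF layout described above, not code from the original post: a small Python helper that renders an ospfd.conf for one site (backbone prefix in area 0.0.0.0, site networks in a per-site area derived from the site number), checks that the site networks really sit inside the assumed 10.0.0.0/8 allocation, and flags any leftover "password"/"enable password" lines that would keep the vty service ports open. The 10.0.0.0/8 and 172.16.0.0/12 prefixes are the post's assumptions, and the sample networks are constructed.

```python
import ipaddress

# Assumed address plan taken from the post: every site's internal networks
# come out of 10.0.0.0/8 and the OpenVPN backbone lives in 172.16.0.0/12.
BACKBONE = ipaddress.ip_network("172.16.0.0/12")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def area_id(site_index):
    """Map a 1-based site number to the dotted-quad area ID the post uses
    (site 1 -> 0.0.0.1, site 2 -> 0.0.0.2, ...). 0 is reserved for the backbone."""
    if not 1 <= site_index <= 0xFFFFFFFF:
        raise ValueError("site index out of range for a 32-bit OSPF area ID")
    return str(ipaddress.ip_address(site_index))


def ospfd_conf(site_index, site_nets):
    """Render an ospfd.conf for one site in the same form as the vtysh session
    above. Each site network must lie inside INTERNAL, otherwise the router
    would be advertising address space the plan does not give it."""
    for net in site_nets:
        if not ipaddress.ip_network(net).subnet_of(INTERNAL):
            raise ValueError(f"{net} is not inside {INTERNAL}")
    lines = ["log syslog", "router ospf", " log-adjacency-changes",
             f" network {BACKBONE} area 0.0.0.0"]
    lines += [f" network {net} area {area_id(site_index)}" for net in site_nets]
    return "\n".join(lines) + "\n"


def remote_admin_findings(conf_text):
    """Return the lines that still enable logins on Quagga's telnet/vty ports;
    the post says to remove them once the routers are configured."""
    return [ln.strip() for ln in conf_text.splitlines()
            if ln.strip().startswith(("password ", "enable password "))]


if __name__ == "__main__":
    # Constructed example: site 1 owns 10.1.0.0/16 and 10.2.0.0/16.
    print(ospfd_conf(1, ["10.1.0.0/16", "10.2.0.0/16"]))
    print(remote_admin_findings("password accesspassword\nlog syslog\n"))
```

Running the script prints a site-1 ospfd.conf and lists the single leftover password line from the constructed zebra.conf fragment.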
How to fix Microsoft Office performance problems when roaming
According to Microsoft Support article 833041, an Office application can appear to hang when it attempts to access a file or folder on a network share that's unreachable (e.g., while connected to a VPN). When roaming, I notice this the most in Outlook when I create a new email or reply - Word takes forever to start, and both Outlook and Word appear to stop responding. Microsoft's solution is to enable shell data caching in Office. Unfortunately, the setting is in the user's registry, not in the computer's:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Common\Open Find" /v EnableShellDataCaching /t REG_DWORD /d 1
One could add this to the user's login script, but I am pushing it out to all users via a Windows Installer package that makes other user-specific registry changes.
CacheFu and Zope+Squid+Apache
Many thanks to Tom Lazar for his help.
Once I figured out how to install and configure it properly, CacheFu together with Squid significantly improved the performance of my web site. Unfortunately, I had a tough time finding good documentation for either tool, as CacheFu's documentation is a work-in-progress and Squid 2.6's documentation is non-existent.
CacheFu's installation is simple enough: Untar in your Zope's Products directory and restart Zope. There's a Plone control panel that you should install using Add/Remove Products. Make certain to enable the ICP listener in zope.conf, as well.
Squid's installation isn't difficult either, as binaries exist for most major UNIX, BSD, and Linux distributions. If you are just running a single web server with Zope behind Apache, the following Squid configuration should suffice:
http_port 127.0.0.1:3128 defaultsite=127.0.0.1
cache_peer 127.0.0.1 parent 8080 8888 default connect-timeout=1800
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
cache deny QUERY
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
http_access allow localhost
http_access deny all
acl purge method PURGE
http_access allow purge localhost
http_access deny purge
icp_access allow localhost
icp_access deny all
Everything's bound or restricted to the loopback interface in order to maintain operational security. This assumes that Zope listens on 8080/tcp for HTTP requests and on 8888/tcp for ICP requests. Note that instead of the old "httpd_accel_*" options, with Squid 2.6 you force connections to the Zope listener's address and service port in the "http_port" and "cache_peer" options. (Squid treats Zope like a parent cache in a cache mesh, allowing for moderately complicated load-balancing configurations where multiple Squid instances can cache content for multiple Zope instances, all referring back to the same Zope database via a clustered ZEO instance. It might even be possible to enable Squid's offline mode in this configuration, so that Squid could continue to serve content should the underlying Zope(s) become unavailable!)
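To check what the access lines above actually permit, here is an added Python model (not part of the original post or of Squid) of Squid's first-match http_access evaluation over the ACLs in that configuration. The probe requests are constructed; the rule table is a transcription of the http_access and acl lines above.

```python
import ipaddress

# ACLs and http_access lines transcribed from the Squid configuration above.
ACLS = {
    "all": ("src", "0.0.0.0/0"),
    "localhost": ("src", "127.0.0.1/32"),
    "purge": ("method", "PURGE"),
}
HTTP_ACCESS = [
    ("allow", ["localhost"]),
    ("deny", ["all"]),
    ("allow", ["purge", "localhost"]),
    ("deny", ["purge"]),
]


def acl_matches(name, src, method):
    kind, value = ACLS[name]
    if kind == "src":
        return ipaddress.ip_address(src) in ipaddress.ip_network(value)
    if kind == "method":
        return method.upper() == value
    raise ValueError(f"unsupported acl type {kind}")


def http_access(src, method):
    """Return (decision, index of the deciding line). All ACLs on one line
    must match (AND); the first matching line decides. When nothing matches,
    Squid applies the opposite of the last line's action."""
    for i, (action, names) in enumerate(HTTP_ACCESS):
        if all(acl_matches(n, src, method) for n in names):
            return action, i
    return ("deny" if HTTP_ACCESS[-1][0] == "allow" else "allow"), None


def unreached_rules(probes):
    """Indices of http_access lines that no probe request ever reaches."""
    hit = {http_access(src, method)[1] for src, method in probes}
    return sorted(set(range(len(HTTP_ACCESS))) - hit)


# Constructed probes: loopback and a non-loopback client, GET and PURGE each.
PROBES = [("127.0.0.1", "GET"), ("127.0.0.1", "PURGE"),
          ("10.0.0.5", "GET"), ("10.0.0.5", "PURGE")]
```

Evaluating the probes shows that the two purge-specific lines are never reached: loopback clients (including CacheFu's PURGE requests) are admitted by the first line and everyone else is stopped by "deny all", so the effective policy is simply loopback-only.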
The typical Apache front-end uses mod_rewrite and mod_proxy together with Zope's virtual host monster in a configuration that looks similar to the following:
RewriteRule ^/(.*) http://localhost:8080/VirtualHostBase/http/www.example.com:80/Plone/VirtualHostRoot/$1 [P]
Change the Zope service port (8080 above) to the Squid service port (3128) in order to route requests through the proxy-cache:
RewriteRule ^/(.*) http://localhost:3128/VirtualHostBase/http/www.example.com:80/Plone/VirtualHostRoot/$1 [P]
(I am hosting other web sites in addition to my primary Zope site, otherwise I would have replaced Apache with Squid.)
Complete the CacheFu installation by navigating to Plone's Site Setup page, then choosing Cache Configuration Tool. On this page, set the cache configuration to "Zope behind Squid behind Apache", enter all of the possible public domain names of your web site (as directed), and the Squid URL ("http://127.0.0.1:3128" if using the above Squid configuration). CacheFu will begin caching Plone's default content types as soon as you click Save.
If you add additional types to your Plone instance, you'll need to configure CacheFu to handle them accordingly. Add folderish types to the Containers rule (Site Setup, Cache Configuration Tool, Rules, Containers). Some folderish types might include Weblog and WeblogArchive from Quills, or HelpCenter, HelpCenterReferenceManualFolder, HelpCenterReferenceManual, and HelpCenterReferenceManualSection to name a few from Plone Help Center. Add page-like content types to the Content rule (Site Setup, Cache Configuration Tool, Rules, Content). Some content types might include PloneExFile, WeblogEntry, or HelpCenterReferenceManualPage.