Trying to add a firewall rule to the security ip table. Support for the security table was added in version 1.8.0 and I'm running 1.9.0 so everything should be okay. However, the following error is spat out
Invalid value "security". Valid values are nat, mangle, filter, raw, rawpost
I'm afraid that even the development branch of the firewall module doesn't accept security as a value for the table parameter of the firewall resource.
https://github.com/puppetlabs/puppetlabs-firewall/blob/master/lib/puppet/type/firewall.rb#L579
That said, the firewallchain resource does accept security as a table name, so the module is aware of it, but there doesn't appear to be a way of adding firewall rules.
I have inherited admin of an NSA3600. There are a ton of LAN>LAN allow rules configured. It would seem to me that from the LAN zone to the same LAN zone, the default would be to allow the traffic. Is this a situation where once an allow rule is manually configured, the OS places an Implicit DENY at the end of the list? There is NOT an Explicit DENY at the end of the list, so what would be the reason for the specific Allow rules to be configured otherwise?
Thanks for the help, and sorry if this is in the wrong forum.
I'd need a bit more detail, but to my knowledge there would not be an implicit Deny. Referring to SonicOS 5 & 6, unsure about the new 7.
It's more likely because you have other devices/subnets (APs, Routers, VLANs) that are part of the same LAN zone. Therefore you have greater granularity with what is permitted or denied in your access rules.
I've been using Azure to host my Web Apps for a while now and they've had my own wildcard cert attached to various ones with no problem. Recently, however, one of my clients has wanted a certain degree of uptime/performance (not that there have been any problems so far but they are willing to pay for it and who am I to turn down money) so I've set up mirrored sites and am using traffic manager to route between them.
It works like a charm but for one problem: I have a cname pointing a friendly url to the traffic manager address and, if I try to connect via https, it craps out and wants to use its own *.azurewebsites.com cert no matter what I try.
So my question is: am I missing something here? How do I use my own custom *.mycompany.com cert in this case?
Or, for that matter, is there a better way of doing what I'm ultimately trying to accomplish here?
Here is my set up:
Endpoint 1: MyWebApp-East (type - Azure Endpoint, ssl installed and proper host info added)
Endpoint 2: MyWebApp-West (type - Azure Endpoint, ssl installed and proper host info added)
Traffic Manager: Routing Type - Performance
UPDATE
Oddly enough, I got it to work. I must have had something wrong somewhere. I did a scorched earth approach to it by deleting EVERYTHING (sites, traffic manager, dns entries, etc) and starting over. It works perfectly now!
Posted this in the top part but so as not to leave this open, I'll repost the solution I found:
Oddly enough, I got it to work. I must have had something wrong somewhere. I did a scorched earth approach to it by deleting EVERYTHING (sites, traffic manager, dns entries, etc) and starting over. It works perfectly now.
Sometimes to go forwards, you have to destroy everything.
I'm trying to put online a staging area for an upcoming website... I'd usually rather use an htaccess rule to enable only me and my client to see the website... I think it is safer and you don't need to remember passwords and so on...
But my client this time has an internet provider who doesn't give him a static IP; apparently every day or so his IP changes... so I have to change my htaccess!
Is there any solution for that?
First of all, dynamic IPs are very common, a lot of providers disconnect the client in intervals of 12 or 24 hours, which usually means they get a new IP assigned.
Second, just giving out a username / password combination not only seems safer, but also more hassle-free. You are about to invest time into a solution that's probably not worth it. I also don't see how you would obtain the valid IP address of the client to update your .htaccess file, apart from having the client install a service that updates a dynamic DNS entry maybe - more of a hassle than remembering a login, if you ask me.
You could have him use a dynamic DNS service like dyndns.com or no-ip.com. That way he can set up a domain name like someguy.dyndns.com which would always resolve to his IP (he'll probably need to install a small daemon/service/program to automatically update the IP though). Then you can add a rule into your .htaccess like allow from someguy.dyndns.com.
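One way to make the dynamic DNS approach work without a hostname-based rule, as an added example that is not part of the original thread: Apache resolves a hostname in an access rule with a double reverse DNS lookup on every request, which is slow and fails whenever the dynamic DNS provider has no matching PTR record. This script instead resolves the name on a schedule (cron, for instance), validates every answer as an IP address so a bad DNS reply cannot inject directives, and rewrites a managed section of .htaccess with Apache 2.4 `Require ip` lines. The hostname, file path, marker comments and the optional static address for your own connection are assumptions of the example.

```python
"""Regenerate an .htaccess allow-list from a dynamic DNS name (added example)."""
import ipaddress
import re
import socket
import sys

# Marker comments delimiting the section this script owns (assumed names).
BEGIN = "# BEGIN dyndns-allow"
END = "# END dyndns-allow"


def resolve_all(hostname):
    """Return every IPv4/IPv6 address the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, None)
    return sorted({info[4][0] for info in infos})


def normalise(addr):
    """Validate a single address or CIDR block; raises ValueError otherwise."""
    if "/" in addr:
        return str(ipaddress.ip_network(addr, strict=False))
    return str(ipaddress.ip_address(addr))


def render_block(addresses):
    """Build the managed section as Apache 2.4 `Require ip` directives.

    Refuses an empty list: if resolution returned nothing we keep the old
    section rather than writing a rule set that matches nobody.
    """
    validated = [normalise(a) for a in addresses]
    if not validated:
        raise ValueError("refusing to write an empty allow-list")
    return "\n".join([BEGIN, *("Require ip " + a for a in validated), END])


def splice(existing, block):
    """Replace the managed section in the .htaccess text, or append it."""
    pattern = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END), re.S)
    if pattern.search(existing):
        # A callable replacement avoids backslash processing of the block.
        return pattern.sub(lambda _match: block, existing)
    sep = "" if existing == "" or existing.endswith("\n") else "\n"
    return existing + sep + block + "\n"


def update_htaccess(path, hostname, static_allow=()):
    """Resolve the dynamic name, merge it with static addresses, write the file."""
    addresses = list(static_allow) + resolve_all(hostname)
    block = render_block(addresses)
    try:
        with open(path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new_text = splice(existing, block)
    if new_text != existing:
        with open(path, "w") as fh:
            fh.write(new_text)
    return new_text


if __name__ == "__main__":
    # Usage: update_allow.py /var/www/staging/.htaccess someguy.dyndns.com [your.static.ip ...]
    print(update_htaccess(sys.argv[1], sys.argv[2], sys.argv[3:]))
```

Passing your own static address as an extra argument keeps you from locking yourself out when the client's name fails to resolve; in that case the script raises and leaves the previous section in place.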
I currently have my own domain name and dedicated server and I offer different packages to my clients. What I want to be able to do is have them sign up with my website and create a package automatically that they can access via their username as a subdomain e.g.
http://yourusername.mywebsite.com
I currently have DNS entries set up for various subdomains with real information for my website e.g.
Name      Type   IP Address
#         A      1.2.3.4
bugs      A      1.2.3.4
support   A      1.2.3.4
However, if a new customer signs up at the moment I have to go and manually create an entry for them with their username in it.
I'm sure I've seen websites that manage to do this automatically, does anyone have any ideas how, or any other methods that I should be using?
Thanks,
Mark
Since you apparently do not control the name servers, your choices are quite limited. One possibility is to use a wildcard DNS record:
* A 192.0.2.1
where the star will replace every name. Not ideal (non-existent domains will also appear).
The details depend on which DNS server you're using.
One approach is to have some code that opens the DNS zone file and adds the desired records. On Linux with Bind, you will then need to signal the server to get it re-read the zone file.
With Simple DNS Plus, you can easily add such a DNS record through the included HTTP API. For example:
http://127.0.0.1:8053/updatehost?host=yourusername.mywebsite.com&data=1.2.3.4
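A small provisioning helper around that API, as an added example that is not part of the original answer: the `updatehost` URL shape (the `host` and `data` parameters on port 8053) is the one quoted above; the zone name, the reserved-name list and the decision to validate the sign-up name as a single DNS label before it reaches the DNS API are assumptions of the example. The validation matters because the username comes straight from the sign-up form: a value containing a dot would create a record at a different depth of the zone, and a name like `www` or `mail` would overwrite your own records.

```python
"""Provision a customer subdomain through the Simple DNS Plus HTTP API (added example)."""
import ipaddress
import re
import urllib.request
from urllib.parse import urlencode

ZONE = "mywebsite.com"                          # assumed zone
API_BASE = "http://127.0.0.1:8053/updatehost"   # endpoint quoted in the answer above

# Names a customer must never be able to claim (assumed list; extend as needed).
RESERVED = {"www", "mail", "ns1", "ns2", "support", "bugs", "admin", "api"}

# One RFC 1035 hostname label: letters, digits, hyphen; 1..63 chars;
# no leading or trailing hyphen; no dots, so the name cannot leave its level.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def validate_label(username):
    """Return the normalised label, or raise ValueError if it is unsafe."""
    label = username.strip().lower()
    if not LABEL_RE.match(label):
        raise ValueError(f"invalid subdomain label: {username!r}")
    if label in RESERVED:
        raise ValueError(f"reserved name: {label}")
    return label


def build_update_url(username, address, zone=ZONE):
    """Compose the updatehost URL for <label>.<zone> -> address."""
    label = validate_label(username)
    ip = str(ipaddress.ip_address(address))    # rejects anything that is not an IP
    host = f"{label}.{zone}"
    return f"{API_BASE}?{urlencode({'host': host, 'data': ip})}"


def provision(username, address, opener=urllib.request.urlopen):
    """Validate, build the URL and call the API; returns the HTTP status code."""
    url = build_update_url(username, address)
    with opener(url, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sign-up values for a dry run; only the URL is printed here.
    print(build_update_url("Alice", "1.2.3.4"))
```

Calling `provision()` only after `validate_label()` has accepted the name means the DNS server never sees the raw form input; the `opener` parameter exists so the network call can be swapped out in tests.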
Since you apparently do not control the name servers, your choices are quite limited. Nevertheless, every serious DNS hoster provides you with an API (see for instance Slicehost's API). So, you may use this API and write a small program to update the DNS data.
(Foot note: handling paying customers when you do not even control the name servers seems... bad)
I want to be able to set my country of origin - does this involve testing through a proxy, or is there something that can be set else where?
I would use TOR for this purpose. That way you are sure you are hitting the site from a different country.
Depends on what do you want to test against. If it is a GeoIP system, you'd need to get yourself a proxy in another location or otherwise use a different network. If it is the HTTP content negotiation headers you can change them in the browser configuration.
How you do it depends on the operating system and browser and what you are testing.
If you are testing non-HTML content that runs in the browser (e.g. Flash), then with IE, you must change your machine's location as IE picks it up from there. With Firefox, browse to about:config, accept the "Here be dragons" warning and edit the general.useragent.locale value.
If you are testing what version of a page is returned based on locale, then you need to specify the language (in Firefox, tools -> options menu -> content tab -> choose button in languages section and add the correct country code).
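The two answers above separate a GeoIP decision (driven by the client address) from a content negotiation decision (driven by the Accept-Language header). The following server-side sketch, added here and not part of the original thread, shows both branches so a tester can see which input each one reads: the country table is a constructed sample (not real allocations), the supported-locale list is assumed, and the Accept-Language parsing follows the q-value rules of RFC 7231.

```python
"""Which request input decides the country and the locale (added example)."""
import ipaddress

# Constructed lookup table standing in for a GeoIP database; the ranges are
# documentation prefixes, not real country allocations.
COUNTRY_BY_NETWORK = {
    ipaddress.ip_network("203.0.113.0/24"): "AU",
    ipaddress.ip_network("198.51.100.0/24"): "FR",
}

SUPPORTED = ["en-us", "en-gb", "fr-fr", "de-de"]   # assumed site locales


def country_for(client_ip):
    """GeoIP branch: only the source address matters, headers are ignored."""
    addr = ipaddress.ip_address(client_ip)
    for net, cc in COUNTRY_BY_NETWORK.items():
        if addr in net:
            return cc
    return None


def parse_accept_language(header):
    """Return (tag, q) pairs sorted by descending q; ties keep header order."""
    prefs = []
    for part in header.split(","):
        part = part.strip()
        if not part:
            continue
        tag, _, params = part.partition(";")
        q = 1.0
        for param in params.split(";"):
            name, _, value = param.strip().partition("=")
            if name.strip().lower() == "q":
                try:
                    q = float(value)
                except ValueError:
                    q = 0.0
        prefs.append((tag.strip().lower(), max(0.0, min(q, 1.0))))
    prefs.sort(key=lambda p: p[1], reverse=True)   # stable sort
    return prefs


def pick_locale(header, supported=SUPPORTED, default="en-us"):
    """Content negotiation branch: only the Accept-Language header matters.

    Exact matches win; otherwise a tag such as "fr" falls back to the first
    supported locale with the same primary subtag; "*" or no match yields
    the default.  A q of 0 means the client refuses that language.
    """
    for tag, q in parse_accept_language(header):
        if q <= 0:
            continue
        if tag == "*":
            return default
        if tag in supported:
            return tag
        primary = tag.split("-")[0]
        for candidate in supported:
            if candidate.split("-")[0] == primary:
                return candidate
    return default


if __name__ == "__main__":
    # Constructed request: French-looking headers from an "AU" address.
    print(country_for("203.0.113.9"), pick_locale("fr-CH, fr;q=0.9, en;q=0.8"))
```

With this split in view, changing the Firefox language list alters the result of `pick_locale` but not of `country_for`; only a proxy, VPN or remote machine changes the latter.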
I'm assuming you're using the IP to check the country. If you're testing internally then it may be possible to get a setup where both the testing machine and the server to be tested are behind the same NAT. In this case just set your IP manually to an IP for whatever country you want to test, and connect to the server. So long as both of you are behind the same NAT it should see you as whatever IP you set.
Perhaps this is obvious, but you can also test from another country by using a VPN (from a company like purevpn.com) or by using a virtual machine like an EC2 from AWS. The gold standard is a remote desktop like an EC2 virtual machine because VPNs or proxies can have latency.