IPSec


Written by Mr. Sontaya Photibut Sunday, 03 May 2009 18:35

IPSec Security Monitor Installation

Windows Server 2003 greatly improves the IPSec Monitor. First, Microsoft has moved the interface into the standard Microsoft Management Console (MMC), and second, it has added a number of enhanced features that increase the tool’s functionality.

To use the IPSec Monitor, you need to follow these steps:

  1. Create an empty MMC by clicking Start | Run and typing mmc, then clicking OK.
  2. On the File menu for the console, select Add/Remove snap-in, click Add, and select IP Security Monitor from the list of available snap-ins.
  3. Click the Add button, then click Close, then click OK.


As before, you can monitor IPSec traffic on remote computers as well as the local one. To monitor a remote system, right-click the IP Security Monitor node in the left console pane and select Add Computer from the context menu. You can then type in or browse for the computer you wish to add to the console, and that computer will show up as another node in the console.


You can view information about the active policies, including a description of the policy, the date the policy was last modified, the policy store where it is located, the LDAP path to the policy and the OU, and the name of the GPO to which the policy is applied.


You can also now view information about main mode and quick mode generic and specific filters, as well as separate statistics for main mode and quick mode IPSec negotiations.

NOTE: Main mode negotiation is also called Phase I negotiation; this is the part of the process during which the two IPSec-enabled computers establish an authenticated channel through the main mode Security Association (SA) that is provided by IKE. Phase II, called quick mode, is the stage at which the IPSec driver’s SAs are negotiated: the computers agree on the primary protocols (AH and/or ESP), the hash algorithm and the encryption algorithm to use for data transfer. Main mode uses a single SA; quick mode uses two SAs, one for inbound and the other for outbound communication.

Even though there are actually two separate SAs established for quick mode, the Monitor shows them as one. You can view the information about each SA that is established for either mode, including the IP addresses of both participating computers (notated as “Me” for the local computer and “Peer” for the computer with which it is communicating using IPSec), protocols, ports, the negotiation policy, and the algorithms used for AH and ESP confidentiality and integrity.

You can select whether the Monitor should auto-refresh the information, and configure the auto-refresh interval (by default, refresh is enabled and the interval is 45 seconds). Additionally, you can specify whether DNS name resolution should be used (by default, it is not; you’ll see only the IP addresses to identify the computers). To configure these settings, right-click the name of the computer in the left console pane of the IPSec Monitor and select Properties.

With the IPSec Monitor, you can search for specific main mode or quick mode filters by various criteria (source or destination IP addresses, protocol, ports, direction). To do this, double-click either Main Mode or Quick Mode in the left console pane, depending on which type of filter you want to find. This will expand the node and allow you to right-click either Specific Filters or Generic Filters, depending again on the type you want to find. Then select Find Matching Filters to invoke the dialog box.

As you can see, you can get pretty specific with your search criteria. You can name the source address to look for: any IP address, “me” (the computer you’re monitoring), or a specific address you enter. You can do the same with the destination address.

You can specify which protocols to filter for, including EGP, GGP, HMP, ICMP, PUP, RDP, RVD, TCP, UDP, or XNS-IDP. You can also select “Any” to filter all protocols, or you can select “Other” and specify a number from 0 to 255.

You can specify a source and/or destination port, and choose whether to filter inbound traffic only, outbound traffic only, or both. Finally, you can direct that all matches be displayed, or only the best match.

Filters that match your criteria will be shown in the results field at the bottom of the dialog box.
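To make the search semantics concrete, here is a small model of the Find Matching Filters dialog. It is an added example, not code from the original article or from Microsoft; the sample filters, the addresses, and the rule that "best match" means the most specific filter are assumptions of the model.

```python
"""Model of the IP Security Monitor's "Find matching filters" search.

Added example (not Microsoft's or the article's code). It reproduces the
criteria described above: source and destination of Any, Me or a specific
address; protocol by name, Any, or Other with a number 0-255; optional
ports; direction; and "all matches" versus "best match only".
"""
from dataclasses import dataclass

ANY = "Any"   # any address / any port / any protocol
ME = "Me"     # the computer being monitored

# IANA protocol numbers for the names the search dialog offers.
PROTOCOLS = {
    "ICMP": 1, "GGP": 3, "TCP": 6, "EGP": 8, "PUP": 12, "UDP": 17,
    "HMP": 20, "XNS-IDP": 22, "RDP": 27, "RVD": 66,
}


@dataclass(frozen=True)
class IpsecFilter:
    name: str
    src: str          # ANY, ME or an IPv4 address
    dst: str
    protocol: int     # 0 = any protocol, otherwise the IP protocol number
    src_port: int     # 0 = any port
    dst_port: int
    direction: str    # "inbound", "outbound" or "both"


@dataclass(frozen=True)
class Criteria:
    """What the search dialog asks for; ANY / 0 / "both" mean "don't care"."""
    src: str = ANY
    dst: str = ANY
    protocol: int = 0
    src_port: int = 0
    dst_port: int = 0
    direction: str = "both"


def protocol_number(selection, other=None):
    """Translate the dialog's protocol choice: a listed name, Any, or
    Other together with an explicit number from 0 to 255."""
    if selection == ANY:
        return 0
    if selection == "Other":
        if other is None or not 0 <= other <= 255:
            raise ValueError("Other requires a protocol number from 0 to 255")
        return other
    return PROTOCOLS[selection]


def _address_ok(filter_addr, wanted, me):
    # Any on either side covers every address; Me resolves to the local address.
    if filter_addr == ANY or wanted == ANY:
        return True
    resolve = lambda a: me if a == ME else a
    return resolve(filter_addr) == resolve(wanted)


def _scalar_ok(filter_value, wanted, wildcard):
    return filter_value == wildcard or wanted == wildcard or filter_value == wanted


def matches(filt, crit, me):
    """True when the filter covers the traffic described by the criteria."""
    return (_address_ok(filt.src, crit.src, me)
            and _address_ok(filt.dst, crit.dst, me)
            and _scalar_ok(filt.protocol, crit.protocol, 0)
            and _scalar_ok(filt.src_port, crit.src_port, 0)
            and _scalar_ok(filt.dst_port, crit.dst_port, 0)
            and _scalar_ok(filt.direction, crit.direction, "both"))


def specificity(filt):
    """Number of constrained fields; the most specific filter is the best match."""
    return sum([filt.src != ANY, filt.dst != ANY, filt.protocol != 0,
                filt.src_port != 0, filt.dst_port != 0,
                filt.direction != "both"])


def find_matching(filters, crit, me, best_only=False):
    """Return every matching filter, or only the most specific one."""
    hits = [f for f in filters if matches(f, crit, me)]
    if best_only and hits:
        return [max(hits, key=specificity)]   # first one wins a tie
    return hits


# Constructed sample filters for a monitored host at 192.0.2.5 (assumed).
SAMPLE_FILTERS = [
    IpsecFilter("All inbound to me", ANY, ME, 0, 0, 0, "inbound"),
    IpsecFilter("Me to file server", ME, "192.0.2.10", PROTOCOLS["TCP"], 0, 445, "outbound"),
    IpsecFilter("SQL from app server", "192.0.2.20", ME, PROTOCOLS["TCP"], 0, 1433, "inbound"),
    IpsecFilter("ICMP anywhere", ANY, ANY, PROTOCOLS["ICMP"], 0, 0, "both"),
]

if __name__ == "__main__":
    sql = Criteria(src="192.0.2.20", dst=ME, protocol=protocol_number("TCP"),
                   dst_port=1433, direction="inbound")
    for best in (False, True):
        names = [f.name for f in find_matching(SAMPLE_FILTERS, sql, "192.0.2.5", best)]
        print("best match only" if best else "all matches", "->", names)
```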

Computer Startup Security

With earlier versions of Windows, there was a “security” gap during computer startup, before the IPSec policy was applied. Now, with Windows Server 2003, stateful filtering is used to prevent unsecured traffic from crossing the network. With this enabled, the computer only permits outbound traffic that it initiates during startup, inbound traffic that is a direct response to that outbound traffic, and DHCP traffic (which is necessary for the computer to obtain an IP lease and TCP/IP configuration information if it is a DHCP client). This increases security because other unsolicited inbound traffic is not allowed.

However, this doesn’t limit you if there is specific inbound traffic that you do want to allow during startup: you can specify exempt traffic types. For even greater security, you can block all inbound and outbound traffic during startup. Configuration is done via the netsh command in the ipsec context, which we will discuss a little later in the article.

Diffie-Hellman Enhanced Security

IKE negotiates the Diffie-Hellman “group” to be used for cryptographic operations during main mode (or phase 1) of the IPSec negotiation process. The group determines the strength of the master key used in the key exchange process. Windows 2000 supports only Diffie-Hellman groups 1 and 2. Windows Server 2003 supports a third group, called group 2048.

The key strength of each group is as follows:

  • Diffie-Hellman group 1: 768 bit key
  • Diffie-Hellman group 2: 1024 bit key
  • Diffie-Hellman group 2048: 2048 bit key

Obviously, group 2048 provides the best security. Now, when IPSec communications take place between two members of the Windows Server 2003 family, they can be secured with a 2048 bit key. Note, however, that Windows 2000 and XP do not support group 2048. If you configure the Windows Server 2003 computer to use group 2048, the IKE negotiation will fail and the two computers won’t be able to communicate using IPSec (they might or might not be able to communicate at all, depending on whether the IPSec policy settings require or only request secured communications).

The Diffie-Hellman group is set via the IPSec Policy Management console. Double-click the policy for which you want to set the group, click Settings on the General tab, click Methods on the Key Exchange Settings dialog box, then select a security method and click Edit. In the Diffie-Hellman group field, select Low (1), Medium (2) or High (2048) from the drop-down box, as shown in Figure A, and click OK to close each dialog box.
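The following is an added example, not code from the article or from Microsoft: it models the preference-ordered security-method list described above and shows why a policy that offers only group 2048 fails against a Windows 2000 peer, while a list with a Medium (2) fallback still negotiates. The peer capability sets and the require/request fallback behaviour are modelled from the article’s description and are assumptions of this example.

```python
"""Outcome of IKE main-mode (phase I) negotiation as a function of the
Diffie-Hellman groups each side offers.

Added example (not the article's or Microsoft's code). The responder is
modelled as accepting the first initiator proposal it also supports; the
key sizes are those the article gives; the peers are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Windows names for the groups and the master-key strength each provides.
DH_GROUP_BITS = {1: 768, 2: 1024, 2048: 2048}
WINDOWS_2000_XP_GROUPS = frozenset({1, 2})          # group 2048 unsupported
WINDOWS_SERVER_2003_GROUPS = frozenset({1, 2, 2048})


@dataclass(frozen=True)
class SecurityMethod:
    """One entry of the key-exchange security-method list."""
    encryption: str   # "3DES" or "DES"
    integrity: str    # "SHA1" or "MD5"
    dh_group: int     # 1, 2 or 2048

    def __post_init__(self):
        if self.dh_group not in DH_GROUP_BITS:
            raise ValueError(f"unknown Diffie-Hellman group {self.dh_group}")


@dataclass(frozen=True)
class Peer:
    name: str
    methods: tuple            # SecurityMethod entries, in preference order
    dh_groups: frozenset      # groups the IKE implementation can do at all


@dataclass(frozen=True)
class Outcome:
    secured: bool
    communicates: bool
    dh_group: Optional[int] = None
    key_bits: Optional[int] = None


def negotiate_main_mode(initiator: Peer, responder: Peer) -> Optional[SecurityMethod]:
    """The initiator offers its methods in order; the responder takes the
    first one it both implements and has in its own method list."""
    for proposal in initiator.methods:
        if proposal.dh_group in responder.dh_groups and proposal in responder.methods:
            return proposal
    return None


def outcome(initiator: Peer, responder: Peer, action: str) -> Outcome:
    """action is the filter action's negotiation setting: 'require' or
    'request'. With 'request' the computers fall back to unsecured traffic
    when IKE fails; with 'require' they cannot communicate at all."""
    if action not in ("require", "request"):
        raise ValueError("action must be 'require' or 'request'")
    chosen = negotiate_main_mode(initiator, responder)
    if chosen is not None:
        return Outcome(True, True, chosen.dh_group, DH_GROUP_BITS[chosen.dh_group])
    return Outcome(secured=False, communicates=(action == "request"))


# Constructed peers (assumed method lists, not Windows defaults).
HIGH_ONLY = (SecurityMethod("3DES", "SHA1", 2048),)
HIGH_THEN_MEDIUM = HIGH_ONLY + (SecurityMethod("3DES", "SHA1", 2),)

server_2003 = Peer("WS2003 (High only)", HIGH_ONLY, WINDOWS_SERVER_2003_GROUPS)
server_2003_fallback = Peer("WS2003 (High, then Medium)", HIGH_THEN_MEDIUM,
                            WINDOWS_SERVER_2003_GROUPS)
win2000 = Peer("Windows 2000", (SecurityMethod("3DES", "SHA1", 2),),
               WINDOWS_2000_XP_GROUPS)

if __name__ == "__main__":
    for init, resp, act in ((server_2003, win2000, "require"),
                            (server_2003, win2000, "request"),
                            (server_2003_fallback, win2000, "require"),
                            (server_2003, server_2003, "require")):
        print(f"{init.name} -> {resp.name} [{act}]: {outcome(init, resp, act)}")
```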


NAT Traversal

Probably one of the most welcome improvements in Windows Server 2003 IPSec is its support of NAT traversal, a technology that allows ESP packets to work with Network Address Translation (NAT) devices that allow UDP traffic. With Windows 2000, IPSec and NAT were incompatible. This was quite a problem at times, since NAT is an increasingly popular method of providing Internet access to local area networks.

Now, IKE can detect that a NAT is present and encapsulate ESP packets in UDP so the IPSec traffic can go through the NAT. This also means clients behind NATs can now use L2TP/IPSec for VPN connections.

There’s nothing that you have to configure for your Windows Server 2003 system to support NAT traversal; this functionality is built in and solves many problems related to IPSec-NAT incompatibility that administrators encountered in the past.

The Netsh Command’s Ipsec Context

The netsh utility was provided for use with Windows 2000, and allowed administrators to configure such OS services as routing, remote access services, WINS and DHCP at the command line. The tool works by calling “helper files” (dll files) that are used for placing netsh in a specific “context” according to the service to be configured or managed (for example, the DHCP context).

New to Windows Server 2003 is the IPSec context for netsh, which allows you to configure and administer IPSec from the command line. This not only makes it possible for you to use scripting to configure IPSec, it also provides some functions that you can’t do with the IPSec Policy Management console (the GUI interface for configuring and administering IPSec). These tasks include:

  • Configuring IPSec diagnostics
  • Specifying default traffic exemptions
  • Configuring IKE (Oakley) logging
  • Setting logging intervals
  • Configuring startup security and startup traffic exemptions
  • Configuring strong CRL checking

To use the tool for managing IPSec, you must first put it in ipsec context. To do so, open a command prompt window (Start | Run and type cmd), and enter: netsh ipsec.

Within the ipsec context are two subcontexts: dynamic and static. IPSec static commands perform the same functions you can do with the IPSec Policy Management and IPSec Monitor MMCs. Static commands don’t immediately affect the configuration of whatever IPSec policy is currently active. They allow you to view, add, set or delete filters, filter lists, filter actions, policies and rules, or to export and import policies. For a list of available static commands, type netsh ipsec static at the command prompt.

If you want to make immediate changes to the active policy, you can use the dynamic commands. The changes you make are lost, however, when the IPSec service is stopped. With dynamic commands, you can add, delete, set or view main mode and quick mode policies, rules and filters and show statistics.

NOTE: Netsh ipsec is only supported on Windows Server 2003. You can, however, configure IPSec on XP computers by using a different utility, Ipseccmd.exe. It’s not installed by default; you’ll find it on the XP installation CD in the \Support\Tools directory.

Summary

These are only some of the new features for IPSec that Microsoft has included in Windows Server 2003. Others include:

  • The ability to set persistent policies so you can still have secure communications even if the local or domain IPSec policy isn’t applied. A persistent policy is applied first (before local and AD policies).
  • By default, only IKE traffic (necessary to establish an IPSec connection) is exempt from filtering. In Windows 2000 and XP, broadcast, multicast, Kerberos and RSVP traffic was also exempt. This makes for better security.
  • You can use certificate-to-account mapping to limit computers belonging to specific domains, or that have certificates from a particular CA, or that belong to a specific group from accessing the Windows Server 2003 computer. You can also specify individual computers that are to be blocked.
  • You can exclude the name of the issuing CA from certificate requests to prevent others from knowing the name of the computer that is serving as CA.
  • IPSec is now more fully integrated with Network Load Balancing (NLB).
  • There is now an IPSec extension to the Resultant Set of Policies (RSoP), so you can use RSoP to view IPSec policies and for planning purposes.

It all adds up to increased security and usability – two of the goals Microsoft had in mind when developing Windows Server 2003.


SUSE Linux Enterprise Cool Solutions

  • ovpnstatd
    license: GNU General Public License

    About:

    How 'ovpnstatd' works.

    ovpnstatd is a status collector daemon for OpenVPN. ovpnstatd can be started either interactively at the console or as a daemon in the background (--daemon).

    Use "--help", to get a brief listing of available options.

    If started interactively, all connected users and their update-events will be shown on the console-display. This start-mode is merely meant for testing/debugging.

    A tcp-port (50505) will be opened, by which a very simple but useful web page can be viewed (http://yourhost:50505). There you get an entry for every OpenVPN-user, whose status-data is available as a result of a connect-event since ovpnstatd's startup. Users who are online, appear as a light-green(ish) entry, disconnected users are shown in grey/white.

    The web page will remain empty, as long as no users have connected since startup of ovpnstatd.

    The web page is intended for internal (administrator) use only - no "mass media", as ovpnstatd is not a multi-threaded program.

    Should ovpnstatd already be running in the background, then you would have to change the port number (--tcp-port <NNNNN>) for your interactive session (if you really want it twice).

    Only when started as a daemon does ovpnstatd serve its main purpose: it collects data on all connect, disconnect and update events reported by any OpenVPN server process and writes a history in CSV format that can easily be loaded into a database or viewed in a spreadsheet.

    At the same time, this data is also written to a FIFO file "/<status_dir>/send_nsca_data" (/var/run/openvpn/send_nsca_data) in a format suitable for Nagios's "send_nsca" utility.

    The default location, where collector-data is written, is /srv/www/apps/ovpnstat/datacol - it can be changed with:
    "--collect-dir <path-to-your-collector-directory>".

    The location where the event data from the OpenVPN hooks is expected is "/var/run/openvpn". This can be changed with the option:
    "--status-dir <path-to-Your-status-directory>".

    NOTE: For this to work, you also have to turn on status-logging in OpenVPN config-file(s): "status <path-to-status-data.status>" AND activate the hooks: "client-connect <your-con-script.sh>" and: "client-disconnect <your-dis-script.sh>"

    Into each hook script simply place/add the following echo command:

    into "client-connect.sh" add the lines
    echo -e "OVPN_PID=$PPID\n`env`" \
    >/var/run/openvpn/${common_name}.con

    into "client-disconnect.sh" add the lines
    echo -e "OVPN_PID=$PPID\n`env`" \
    >/var/run/openvpn/${common_name}.dis

    NOTE: The extension of hook output-files has to be
         .con for client-connect data-files
         .dis for client-disconnect data-files
         .status for status data-files given in OpenVPN config-file
    otherwise those files will not be recognized by ovpnstatd.

    You can display your favoured icon as a header of the web page.

    As default for this, a built-in OpenVPN-icon is displayed.

    If you want to replace the default icon in the source (ovpnstatd.h) look for variable "def_web_img64" and substitute its assignment by the output of "base64 -w0 <your-preferred-image>".
    But only take tiny images for this !!!

    If the TUN/TAP device driver control is not "/dev/net/tun" on your Linux-System, change it with: "--dev-node <Your tun/tap ctrl>"

    In case you want to raise the debug-level, use "--debug <N>"
    Level 0 = off, 1 = default, 2 = all

    Installation:

          # assuming that You've downloaded the tar-file to /usr/local/src
          # proceed as follows:

          cd /usr/local/src
          tar -xjvf ovpnstat.tar.bz2
          cd ovpnstat
          make clean
          make

          # Now, for a test, start the openvpn status collector daemon interactively:
          bash ovpnstatd-test.sh

          # If You have an OpenVPN server up and running on the same host
          # then You can already take a look at the web page

          firefox http://your-host-name:12345/

          # But NOTE: ovpnstatd must run on the SAME HOST where the openvpn-server is

          # Also note that collector-data is only written if the program
          # is started in the background (--daemon).

          # So to start it for "normal" usage copy the files into place:
          cp init-ovpnstatd /etc/init.d/ovpnstatd
          cp ovpnstatd /usr/sbin/ovpnstatd

          # only if You want to send data to Nagios, otherwise leave this out:
          cp send_nsca.sh

          # You also will have to create the collector directory;
          # if this location does not meet Your needs, just modify STARTOPTS
          # in /etc/init.d/ovpnstatd and set --collect-dir to Your favoured path
          mkdir -p /srv/www/apps/ovpnstat/datacol

          # then start the openvpn status daemon
          /etc/init.d/ovpnstatd start

    Special hints:

    Regarding Nagios NSCA:

    Before you use the Nagios notification script "send_nsca.sh", you need to edit it: change the IP of the Nagios host therein, check whether all the path names suit your needs, AND install the "send_nsca" binary. It comes with the package nagios-nsca-<version>.

    Once you have installed nagios-nsca on the Nagios server, you may just copy send_nsca from there to your openvpn-server (including its config-file) - that's all it needs.

    Also add a Nagios configuration: a hostname entry for your openvpn-server where ovpnstatd will be running (it must match exactly the output of 'hostname') and a service entry for each common-name (service_description must match the common-name) that you want to monitor passively.

    An example of a passive service config also is included here.

    Regarding collector data:

    The collector data is in csv format which allows you to easily load it into some database for your own web application.

    Bugs (and the like creepers):

    ovpnstatd is tested valgrind-clean and has been running stably for quite a few months now on my openvpn-server.

    Attachment: ovpnstat.tar.bz2 (55.34 KB)
  • supportconfig for Linux
    download url: http://download.opensuse.org/repositories/Novell:/NTS/SLE_10/noarch/
    license: GPLv2
    home page url: http://en.opensuse.org/Supportutils

    Description

    The updateSupportutils command compares the current versions of supportutils and its plugins to those installed on your server. Those that are outdated or missing are automatically downloaded and installed. Only those plugins that apply to your server are installed. The command supports creating a weekly or monthly cron entry to automatically check and update the supportutils package and its plugins. Click here to see a list of the current supportutils and plugin packages. The updateSupportutils command help screen follows:

    ################################################################
    # Supportutils Auto Update Client
    ################################################################
    
    Usage: updateSupportutils [OPTION]
    
    Description
      Makes sure the supportutils and supportutils plugin packages are
      installed and current.
    
    Options
      -m  Install a monthly cron for updateSupportutils
      -w  Install a weekly cron for updateSupportutils
      -d  Delete all installed cron entries for updateSupportutils
      -l  List all cron entries for updateSupportutils
      -u  Force RPM update on applicable packages
      -p  Exclude supportutils plugin packages
      -v  Verbose mode
      -h  This screen

    Note: Detailed system information and logs are collected and organized in a manner that helps reduce service request resolution times. Private system information can be disclosed when using this tool. If this is a concern, please prune private data from the log files. Several startup options are available to exclude more sensitive information. Refer to the supportconfig(8) man page to see these options.

    Update Instructions

    Run updateSupportutils as root.

    If you do not already have the supportutils-plugin-updater package installed, refer to the Installation Instructions below. If your server does not have network connectivity to http://download.opensuse.org, then install using the Option B (Manual) method.

    Installation Instructions

    Option A (Automated)

    1. Download the supportutils-plugin-updater
    2. Login as root
    3. Install the updater package
      # rpm -Uvh supportutils-plugin-updater-*.noarch.rpm
    4. Run updateSupportutils as root
      # updateSupportutils

    Option B (Manual)

    1. Download the supportutils and any applicable supportutils plugin packages for your server.
    2. Login as root
    3. Install the supportutils-X.XX-XX.XX.noarch.rpm
      # rpm -Uvh supportutils-X.XX-XX.XX.noarch.rpm
    4. Install the supportutils-plugin-*-X.X-X.X.noarch.rpm packages you want
      # rpm -Uvh supportutils-plugin-*-X.X-X.X.noarch.rpm

    Using Supportconfig

    To upload a supportconfig to Novell, run supportconfig -ur $srnum; where $srnum is your 11 digit service request number. You can also just run supportconfig for local use. By default, supportconfig saves its information in /var/log/nts_hostname_date_time.tbz.

    Consider using the Novell Support Advisor to perform an initial analysis of your servers. It will generate an HTML report that links you to Technical Information Documents that directly relate to any server issues identified.

    Reporting Bugs

    Updates to Supportconfig Version 2.25-320:

    • Fixed HA error when cibadmin -Q doesn't connect
    • Fixed ldapsearch search on non-default port
    • Added systool base output to sysfs.txt
    • Added getappcore tool to gather application core files
    • Added analyzevmcore tool for kernel core analysis
    • Supportconfig includes analyzevmcore files in crash.txt
    • /etc/services included in network.txt

    Updates to Supportconfig Version 2.25-314:

    • Changed to systool for sysfs.txt
    • Added local binary list to rpm.txt
    • Added nlvm to novell-nss.txt for OES11
    • Updated copyright years
    • Added curl check for update registrations to update.txt
    • Fixed conf file execution in plugins directory
    • Added a supportconfig summary in summary.xml
    • Added /etc/init.d/halt.local to boot.txt
    • Added OPTION_UFILES for fs-files-additional.txt. [see supportconfig.conf(5)]
    • Fixed fslist_info order
    • Added kdump rpm check for sles11sp1
    • Added plugin-icommand to scplugin.rc for internal bash commands
    Attachments: supportutils-plugin-updater-1.0-19.1.noarch.rpm (6.99 KB), supportutils-1.20-59.1.noarch.rpm (107.48 KB)
  • Deploying Linux images can be fun!

    Johannes Renner, one of the developers in our SUSE Manager team, recently posted a very useful blog post about using SUSE Studio to create Linux images. The latest update for SUSE Manager makes this a lot simpler.

    He wrote:

    You already know that it’s possible to use SUSE Studio for creating Linux images that will automatically register with SUSE Manager once deployed to a virtual host and booted for the first time.

    From now on you can make use of this feature in a much more convenient way. The final piece of the integration between the two SUSE products is now included with the latest update for SUSE Manager.

    Starting up a new virtual system using SUSE Manager can now be simplified to the following steps:

    1. Choose the image from a list.
    2. Specify deployment parameters.
    3. Go for it.

    For the details, read this post.

  • ATT Live - Last Call

    As the event owner for ATT Live, I want to reach out and extend one last invite to this year's ATT Live conference in Las Vegas Nevada - May 15th-18th. For as long as I can remember, this has been a December conference, with an occasional repeat in the early spring based on demand. However, this year... the sunshine and warm weather of May are awaiting us in Vegas, and it could not be more welcomed!

    If you have not attended ATT Live in the past 10 years, I encourage you to check it out. You can link to the live landing page at www.novell.com/attlive. Over the years, we have made this the premier technical conference and each year we listen to our attendees' feedback, making each year an improvement on the previous. This year is no exception!

    I wanted to share some highlights of this year's conference for your consideration, and if you are looking for that last attempt to get approval these things might just help.

    • Additional hands-on sessions - We have extended our tracks from 10 to 12, offering a good mix of sessions across the three Business Units. You will find 6 tracks focused on Novell ZENworks, Open Enterprise Server and GroupWise. Three tracks on NetIQ, both legacy Novell Identity and Security products and legacy NetIQ products, giving you a great opportunity to explore some new products in this space, and last, but not least, three full tracks on Suse Linux. Check out the full schedule here - http://www.novell.com/training/attlive/sessions.html
    • We have invited more product experts - In order to extend our tracks, we have invited more services employees to help deliver these sessions, adding their product knowledge and real world experience to the sessions. Product managers will also be coming to explore product roadmaps and take your feedback back to the office.
    • Certification and Practicum - Whether you are seeking certifications to validate your knowledge, seek a career advancement or just test your knowledge, certification has been included in the price of the event. We ran out of seats last year, so we opened up more sessions this year to make sure all those wanting a chance to test, have the chance. The Linux practicum will also be available in limited slots to help you get that professional Linux certification. Of course we would want you to pass, but because there is no additional charge, no one has to know if you fail.... nothing is harder than submitting a failed exam on your expense report.
    • More food, more afternoon sleeping - The M resort is known for its excellent food, buffets, and restaurants, so we are taking what worked well for us last year and have extended our buffet vouchers for lunch, giving you your choice and quantity of food, not ours. If you have any complaints on the food, you can only blame yourself for filling up your plate with the wrong things.
    • First ever Alumni event, a thanks to those who always support us - If you are an ATT Live Alumni we want to welcome you to our first Alumni event on Tuesday night. We are excited to have the M Resort open up the Winery for our use. Make sure if you are registered that you plan to join us on Tuesday night. Check out the venue here - http://www.themresort.com/dining/hostilegrape.html
    • Low travel costs. Vegas always offers the most affordable travel costs of anywhere I know. Seems you get more for your money when you keep it in your pocket and off the tables. However, I thank those that put the money down, seems to keep the expenses for the rest of us to a minimum (as if... I keep my money in my wallet). We have worked hard to keep the costs of the hotel down, with a low rate, and travel to and from the airport included.

    There are plenty of reasons for coming, and we look forward to "filling" the hotel during the week. We will have one of the highest attendances yet, and look forward to seeing you there. If you have considered attending, don't wait, it will be well worth your time and investment.

    If you have any questions or comments, you can reach my team at training@novell.com. We will be watching the inbox for your interest and will do what we can to get you there, and home happy that you came.

    Thanks -
    Jeff McMurdie

  • ATT Live 2012 Session Spotlight--Dr L's CLP 11 Pain Points Sessions

    (Note: To see a list of all the sessions planned for ATT Live 2012, go to http://bit.ly/Asgjo4.)

    At ATT Live 2012, Dr Bjoern Lotz, the designer and creator of the CLP 11 exam scenarios and evaluation scripts, will be presenting 3 sessions on the various common issues and mistakes that most often make the difference between passing and failing the SUSE Certified Linux Professional (CLP) 11 Practicum Exam. These sessions are:

    • Dr. L's Treatment for the CLP Pain Points #1: Scripting in the CLP
    • Dr. L's Treatment for the CLP Pain Points #2: NFSv4 and Syslog-ng
    • Dr. L's Treatment for the CLP Pain Points #3: Apache and Samba

    These sessions will be especially helpful for SLES 11 server administrators who want to achieve the SUSE CLP 11 certification. And ATT Live 2012 is a prime opportunity to get this certification because the CLP 11 practicum exam will be offered for free on days 3 and 4 of the event.

    I asked Bjoern to provide a bit of useful information from each session that would give you an idea of what to expect if you're interested in taking advantage of this opportunity to prepare for and take the CLP 11 exam. The following information is just a taste of what you'll learn in these sessions. You'll really need to come to ATT Live if you want the full learning experience--demonstrations, hands-on labs, interaction with the instructor, etc.

    Scripting in the CLP

    One of the common issues that comes up when performing scripting tasks in the CLP exam is that the script does not execute without errors. Among the steps you can take to make sure the script executes properly are the following troubleshooting techniques:

    If you do not immediately see why a script is returning errors, you can

    • Add set -x at the top of your script - when executing the script you see additional information that can help you find the error
    • Put echo in front of commands – that way they are not executed but displayed in the output
    • Put read into your script to pause it – hit enter to continue it
    • If you don't want to run the whole script, put exit at the point where you want it to end
    • Don't forget to remove (or change into a comment with #) the above when you are done

    NFSv4 and Syslog-ng

    The common mistakes made when performing Syslog-ng tasks in the CLP exam arise from not knowing how to create filters or modify existing ones. The criteria that can be used in filters, and that will help you perform these tasks successfully, include:

    • Facility:
      filter f_news { facility(news); };
    • Priority:
      filter f_alert { level(alert); };
    • Program (regular expression):
      filter f_dhcpd { program("dhcpd"); };
    • String (regular expression):
      filter f_firewall { match("IN="); };
    • Hostname (regular expression):
      filter f_gateway { host(gateway); };
    • Elements can be combined:
      filter f_errcrit { level(err, crit); };
      filter f_mailnews { facility(mail, news); };
      filter f_iptables { match("IN=") and match("OUT="); };

    Apache and Samba

    A common mistake seen in the exam related to the CLP 11 Practicum Apache tasks is that elements are missing from the virtual host configuration. Some tips to keep in mind to perform these tasks successfully are:

    • The configuration is distributed across several files in /etc/apache2/, including
      • httpd.conf
      • default-server.conf
      • vhost.d
      • listen.conf
      • error.conf
      • Some configuration options are contained in /etc/sysconfig/apache2, which are used to create configuration files in /etc/apache2/sysconfig.d/
    • Virtual hosts are used to provide the Web pages of several domains on one IP address
    • To create a virtual host, you need to create a configuration file in the /etc/apache2/vhosts.d/ directory
    • The file name has to end in .conf
    • The /etc/apache2/vhosts.d/vhost.template file lists the needed parameters with comments explaining their use. You can copy that file and edit it for your virtual host

    Register today for the event and for Dr L's CLP 11 Pain Point sessions before they fill up at: www.novell.com/attlive!

    ATT Live 2012
    May 15-18, 2012
    Henderson (Las Vegas), NV
    4 days of instructor-led, hands-on advanced technical training for only $1,750

    Please follow Novell, SUSE, and NetIQ Training on:
    http://twitter.com/novell_training
    http://www.facebook.com/NovellTraining