Is it possible to configure NTP server to allow any incoming IP to sync from, witout specifying ranges and networks?
You can use:
restrict default limited notrap nomodify nopeer noquery
Or:
restrict default kod limited notrap nomodify nopeer noquery
The latter config statement enables the use of KOD packets and the former simply does not respond to clients that exceed the default limits. I do not think sending KODs to misbehaving clients makes any sense so I use the former.
Related
I am working on an embedded software product that runs on an Ubuntu edge computer with multiple network ports.
The software allows the user to change the IP address of the ports via a locally hosted web interface.
In the scenario that a customer changed an IP on one of our devices, but then forgets their setting I am looking for an easy strategy to walk them through detecting the IP.
Ideally this tool would be usable by non-sophisticated customers (we don’t want to walk them through using Wireshark or command line tools).
Is there a service we can setup on our machine that will broadcast its identity across subnets using another protocol like UDP or EtherNet/IP? Then a simple tool the client could install on their computer to ‘scan’ for our devices?
The edge computers also have USB ports if it is easier to broadcast an identify there.
Changing a local IP address to something invalid (=not compatible with its local subnet) generally disables all L3 communication. Limited broadcasts (to 255.255.255.255) still work, but answering to them by unicast most likely won't. The same goes for multicasting - but you could use that for discovery both ways.
Also, the common link-level discovery protocols (like LLDP or CDP) still work since they don't rely on IP.
However, all that is limited to the connected L2 segment at most. Discovery across subnets isn't possible without some kind of infrastructure (discovery sensors, central server, multicast routing, ...). A reasonable way would be dynamic DNS but then again, that requires IP to work.
I think you'd need to take a step back and reevaluate your design. One way would be to verify a user's reconfiguration before it becomes permanent. For instance, you could have a user change the IP setup and then forward the session to the new IP address. If the session isn't continued within five minutes or so on the new address, it reverses to the previous config.
Additionally, some kind of out-of-band management could be useful.
I'm trying to set up my Ec2 server on AWS, and I want to make it so only requests from the same ip address are allowed (for my backend port.). What security group allows this? The reason I want to restrict which ips can make requests to the backend is to stop abuse ips from making a ton of random requests.
we’ve got a strange little problem we’re experiencing for months now:
The load on our cluster (http, long lasting keepalive connections with a lot of very short (<100ms) requests) is distributed very uneven.
All servers are configured the same way but some connections that push through thousands of requests per second just end up being sent to only one server.
We tried both load balancing strategies but that does not help.
It seems to be strictly keepalive related.
The misbehaving backend has the following settings:
option tcpka
option http-pretend-keepalive
Is the option http-server-close made to cover that issue?
If I get it right it will close and re-open a lot of connections which means load to the systems? Isn't there a way to keep the connections open but evenly balance the traffic anyway?
I tried to enable that option but it kills all of our backends when under load.
HAProxy currently only support keep-alive HTTP-connections toward the client, not the server. If you want to be able to inspect (and balance) each HTTP request, you currently have to use one of the following options
# enable keepalive to the client
option http-server-close
# or
# disable keepalive completely
option httpclose
The option http-pretend-keepalive doesn't change the actual behavior of HAProxy in regards of connection handling. Instead, it is intended as a workaround for servers which don't work well when they see a non-keepalive connection (as is generated by HAProxy to the backend server).
Support for keep-alive towards the backend server is scheduled to be in the final HAProxy 1.5 release. But the actual scope of that might still vary and the final release date is sometime in the future...
Just FYI, it's present in the latest release 1.5-dev20 (but take the fixes with it, as it shipped with a few regressions).
I an writing a small application that needs to connect through one of multiple network interfaces on the machine. The interface is not the "default" one (the one with the default route). Is it possible to bind an outbound TCP socket directly to a specific interface?
Here is an example:
eth0: 192.168.1.10, gateway 192.168.1.1
eth1: 192.168.2.10, gateway 192.168.2.1
default gateway: 192.168.1.1
(both interfaces can reach the Internet through different external IPs)
Now, I want my application to use eth1 to connect to an external server, even if the system is configured to use eth0 for external traffic.
(The question is probably trivial, but I just wanted to know if it is possible at all before spending time on it)
Currently, I am using Python with Twisted, but if I have to use BSD sockets then so be it.
From: http://linux.about.com/od/commands/l/blcmdl7_socket.htm
SO_DONTROUTE - Don't send via a gateway, only send to directly connected hosts. The same effect can be achieved by setting the MSG_DONTROUTE flag on a socket send(2) operation. Expects an integer boolean flag.
I currently have issues with SIP User Agents behind a symmetric NAT connecting to my SIP client, which is an IVR voice service.
I read that Asterisk has a solution for this in the sip.conf, where I can set attribute
nat=yes
and this will ignore the IP and Port in the SIP headers and use the one for the SIP request and also waits for an incoming RTP stream to reply to.
I'd like to make use of this feature as we already have an Asterix server installed for AIX requests.
What would be the minimum configuration required for Asterix to act as the man in the middle on a new port as 5060 will still be used to connect directly to the SIP client? I don't care about authentication etc. I just need the Asterix to act as a SIP relay.
Thanks
K
You may also need to have "canreinvite=no" in the [general] section of your sip.conf.
That setting keeps Asterisk in the call path, otherwise voice traffic may be sent directly from one endpoint to the other.