Diary of a geek

January 2005

Andrew Pollock



Tuesday, 18 January 2005


**************** Interface Configuration ****************

Scanning for unknown interfaces...
Firewall-1 found that you are using interface bge, which is not supported.
Please refer to Check Point's SecureKnowledge article ID 55.0.4089734.2604361
for a list of supported interfaces and known issues.
This interface will not be protected by Firewall-1.

Press Enter to continue.

Update: Apparently you can hack $FWDIR/boot/ifdev to convince it to support such interfaces. I love Firewall-1. Really.

[20:30] [work] [permalink]

Quality Microsoft software

This has been doing the email rounds today:

Check this one out for taking the scenic route.


1. In Start and End, pull down "Address in" and choose Norway.
2. In Start, enter "Haugesund" into City.
3. In End, enter "Trondheim" into City.
4. Press "Get Directions"

[19:21] [humour] [permalink]

Weird login problem

So I'm trying to migrate a Firewall-1 Management Server from one box to a freshly installed box. I have an image that takes care of the baseline installation of Solaris and an unconfigured Firewall-1 NG installation. I just tried blatting /etc/{passwd,shadow,group} as well as configuring the hostname and all the interfaces. I gave it a reboot to see how it all went, and wasn't able to log in. I'd just get

cannot chdir to /root, errno = 2

after providing a username, and then be returned to a login prompt. What I believed to be the root password wasn't accepted in single-user mode. I'm not sure if it's a permissions thing. I was relatively careless and just went

cat > /etc/passwd
<pasted contents of /etc/passwd on existing server here>

(and so on for /etc/shadow and /etc/group). This potentially left an /etc/shadow with suboptimal permissions, but you wouldn't expect it to lock you out altogether. I did fail to create home directories, but again, I wouldn't expect that to lock me out either. So now I've booted into single-user mode from a Solaris CD... Brown paper bag job by the looks of it. I think I pasted /etc/group into /etc/shadow. That'll do it.

Now this is humorous:

# grep sarah /mnt/etc/passwd
sarahr:x:2001:500:Sarah Kay Roper:/home/sarahr:/bin/false

She contracted out here a long time ago. I guess this is a test machine, so the password database isn't maintained (or was based on an old snapshot of the production password database). Still, it's funny.

Yet I have digressed, and I have spoken too soon. That doesn't seem to have resolved my lockout problems. I tire of this two-man reset and break to PROM crap.

{1} ok setenv auto-boot? false
auto-boot? =          false

Subsequent power cycling will result in a PROM prompt without any further ado.

Ah, the problem is quite simple (I think I was grepping the wrong /etc/passwd when I booted from CD and mounted the hard drive on /mnt). Some brainiac has changed root's home directory to be /root (I actually prefer this, but it's not the norm for Solaris) and this directory didn't exist. It's quite incredible that if root's home directory doesn't exist, no one can log in...

[18:32] [work] [permalink]
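Both failure modes in this post (the contents of /etc/group pasted into /etc/shadow, and root's home directory pointing at a /root that doesn't exist) are the kind of thing a quick consistency pass over the copied files catches before the reboot. The POSIX sh script below is an added example, not code from the post or from Solaris: it builds constructed sample databases in a temporary directory, one consistent set and one that reproduces the post's mistake, and runs field-count, shadow-coverage, home-directory and shadow-permission checks against them. The user names, file contents and the `disk` / `disk-noroot` directories (standing in for a rescued disk mounted on /mnt) are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not code from the post: consistency checks for hand-copied
# account databases before rebooting. All file contents, user names and the
# "disk" / "disk-noroot" directories (standing in for a disk mounted on /mnt)
# are constructed for this example.

# check_fields FILE N: every non-blank line must have exactly N colon-separated
# fields (7 for passwd, 9 for Solaris shadow, 4 for group).
check_fields() {
    awk -F: -v n="$2" 'NF && NF != n { bad++ } END { exit bad ? 1 : 0 }' "$1"
}

# check_shadow_coverage PASSWD SHADOW: every account in passwd has a shadow entry.
check_shadow_coverage() {
    awk -F: -v shadow="$2" 'FILENAME == shadow { seen[$1] = 1; next }
                            NF && !($1 in seen) { missing++ }
                            END { exit missing ? 1 : 0 }' "$2" "$1"
}

# check_homes PASSWD ROOT: the home directory of every account with a login
# shell exists under ROOT (ROOT is "" on a live system, or the mount point of
# the rescued disk, e.g. /mnt). A missing /root for root is the post's lockout.
check_homes() {
    status=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -n "$user" ] || continue
        case "$shell" in */false|*/nologin) continue ;; esac
        if [ ! -d "$2$home" ]; then
            echo "home directory missing for $user: $home" >&2
            status=1
        fi
    done < "$1"
    return $status
}

# check_shadow_perms SHADOW: shadow must not be group- or world-readable.
check_shadow_perms() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# run_checks DIR ROOT: run every check on DIR/passwd, DIR/shadow and DIR/group,
# report each failure on stderr, and return non-zero if anything failed.
run_checks() {
    fails=0
    check_fields "$1/passwd" 7 || { echo "passwd: bad field count" >&2; fails=$((fails + 1)); }
    check_fields "$1/shadow" 9 || { echo "shadow: bad field count (group pasted in?)" >&2; fails=$((fails + 1)); }
    check_fields "$1/group" 4  || { echo "group: bad field count" >&2; fails=$((fails + 1)); }
    check_shadow_coverage "$1/passwd" "$1/shadow" || { echo "shadow: accounts without entries" >&2; fails=$((fails + 1)); }
    check_homes "$1/passwd" "$2" || fails=$((fails + 1))
    check_shadow_perms "$1/shadow" || { echo "shadow: readable by group/other" >&2; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# write_samples DIR: constructed sample databases. "good" is consistent; "bad"
# reproduces the post's mistake (group contents pasted into shadow, shadow left
# world-readable) and is meant to be checked against a disk with no /root.
write_samples() {
    d="$1"
    mkdir -p "$d/good" "$d/bad" "$d/disk/root" "$d/disk/home/alice" "$d/disk-noroot/home/alice"
    cat > "$d/good/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/sbin/sh
daemon:x:1:1::/:/bin/false
alice:x:2001:500:Alice Example:/home/alice:/bin/sh
EOF
    cat > "$d/good/shadow" <<'EOF'
root:*LK*:12800::::::
daemon:NP:6445::::::
alice:*LK*:12800::::::
EOF
    cat > "$d/good/group" <<'EOF'
root::0:
other::1:
staff::500:alice
EOF
    cp "$d/good/passwd" "$d/bad/passwd"
    cp "$d/good/group"  "$d/bad/group"
    cp "$d/good/group"  "$d/bad/shadow"   # the post's mistake
    chmod 400 "$d/good/shadow"
    chmod 644 "$d/bad/shadow"
}

# Stand-alone demo on the constructed data.
demo() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    echo "== consistent set, disk has /root"
    run_checks "$tmp/good" "$tmp/disk" && echo "safe to reboot"
    echo "== the post's mistake, disk has no /root"
    run_checks "$tmp/bad" "$tmp/disk-noroot" || echo "fix before rebooting"
    rm -rf "$tmp"
}
demo
```

Run it against a real rescued disk with `run_checks /mnt/etc /mnt` after mounting the drive, the way the post does from the Solaris CD; the field-count check is the one that flags a shadow file that is really a group file, and the home-directory check is the one that would have caught the missing /root.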

I didn't think this was possible

While on the topic of breaking into Sun boxes...

SC Alert: Host System has Reset

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Initializing  1008MB of memory at addr        1000000000
SC Alert: SC Request to send Break to host.

{1} ok boot -s
FATAL: OpenBoot initialization sequence prematurely terminated.

FATAL: system is not bootable, boot command is disabled
{1} ok reset-all

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Boot device: disk0  File and args:
SC Alert: SC Request to send Break to host.

Type  'go' to resume
{1} ok boot -s

Sun Fire V240, No Keyboard
Copyright 1998-2003 Sun Microsystems, Inc.  All rights reserved.
OpenBoot 4.13.2, 2048 MB memory installed, Serial #60810497.
Ethernet address 0:3:ba:9f:e5:1, Host ID: 839fe501.

Rebooting with command: boot -s

So apparently you can break out the PROM initialisation and leave the box in an unbootable state. Nice...

[18:07] [work] [permalink]

Give me Cyclades Console Access Servers any day

We use these horrible Lightwave Console Server 3200 things, and they really suck. The CLI is ordinary, but the really annoying feature is that frequently when I powercycle a Sun box, it'll drop the TCP connection, but keep the telnet session open internally, so it keeps me attached to the port, and won't let anyone else have it. Sometimes it times out the connection after a while (but who wants to wait?) and so you have to log in on the administrative port, and forcibly close the connection.

So when you get off your fat arse to walk the (non-trivial) distance to the server room, unlock your rack, kick your Sun box in the guts, lock your rack, and bolt back to try and send a break before the box boots past the point of sending a break, and you discover your console session has died in the arse, it really sucks. You then have to clear out your stuck session, and repeat the whole process again...

I'm not looking forward to when we move downstairs. It'll be completely impractical to bolt anywhere then, and breaking into a Sun box will require one person to perform the power cycle whilst another person sits watching the console (or I take a laptop with me and do it in situ).

At least Lightwave seem to have superseded the 3200 with something that hopefully sucks less (and is more dense). In my experience Cyclades have never sucked, and running embedded Linux makes them inherently more cool.

[18:00] [work] [permalink]

Please, don't bring back Beazley

Disclaimer: I'm not terribly pro-Labor, I'm more Liberal, however I'm pissed at Howard over the war in Iraq.

Can the Opposition please get its act together and give us a credible leader and alternative Prime Minister? Kim Beazley is just not it. The media have already elected him as leader of the Labor Party, however I personally hope it doesn't happen.

So we've just had an Opposition Leader who's had to resign because of health problems. Let's not replace him with an overweight has-been, who hasn't been free of his own health problems in recent times. He kept saying he was healthy today in his press conference, but I have my doubts. I suppose he's going to have to swear off the KFC again and restart running up Mount Ainslie at 5am? He can't be looking forward to that.

Kim Beazley just isn't Prime Minister material, in my opinion. Neither was Simon Crean. I think Mark Latham was the closest thing Labor's come up with since they were last in government. I think there is a serious lack of credible candidates. I think the party's full of people who'd like to think they'd make Prime Minister one day, but until the party can publicly get its act together and stop infighting, every 18 months when they have a leadership stoush just puts another nail in the collective political coffin, and leaves them languishing in the political wilderness even longer.

So in the interests of having a viable Opposition, and keeping the Howard Government accountable, will the Labor Party please get its freaking act together?

[03:12] [politics] [permalink]