Bind9 as master DNS server, NSD as backup with TSIG.

Perhaps it seems easy for you, but it was not for me at begining even if I am running bind9 master/bind9 slave already.

We will begin with TSIG key, on your master DNS server :

root@Sagitarius:~# tsig-keygen mykey > /etc/bind/keys/mykey.key
root@Sagitarius:~# cat /etc/bind/keys/mykey.key
key "mykey" {
        algorithm hmac-sha256;
        secret "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk=";

Now we will configure this on my “named.conf.local” file as :

root@Sagitarius:/etc/bind# cat named.conf.local 
//On indique la clé à utiliser et son algorithme de chiffrement
include "/etc/bind/keys/mykey.key";

//On indique l'adresse IP du serveur "Esclave"
        keys { mykey; };
zone "" {
       type master;
       file "/etc/bind/";
       allow-transfer {; key mykey; };
       notify yes;

Ok. last command :

root@Sagitarius:~# rndc reload

Ok good, now let’s see how it is configured on NSD host.
It’s really easy :

clucas@slave:/etc/nsd$ cat /etc/nsd/nsd.conf.d/secondaries/ 
  name: "mykey"
  algorithm: hmac-sha256
  secret: "+OyXk+FYgsnE6Lei59Qi2LPsctRHPaqcYRpftG4YXKk="

        # this server is secondary,  is master.
        allow-notify: mykey
        request-xfr: mykey

Now :

nsd-checkconf /etc/nsd/nsd.conf
nsd-control reload
nsd-control status

It seems easy, but I have take long time to see that all these items bellow must be identical :

  • name of the key
  • algorithm
  • secret

Easy as hell !

PS : All this can be controlled by Ansible, but it is another story.

FreeBSD, xrdp and Lumina-desktop

Hey girls and guys,

A little post to give you some news about my fails and tries with FreeBSD. I have had tried to install a little FreeBSD-13, xrdp and Lumina-desktop on my proxmox to test.

As done for other things installed :

pkg install xrdp lumina

It was so easy and quick …

FRR Routing v8.0 is out and happy to see SR


For (perhaps) futur projet I read different documentations around Bird, FRR Routing, … and I am really happy to see in FRR Routing v8.0 the new ‘pathd‘ daemon, which implement SR (Segment Routing). It is really cool to see this.

There is others new feature which have been implemented in this release and are major IMHO.

  • TI-LFA for OSPF and IS-IS (great too for SR) ;
  • VRF for OSPFv3 ;
  • EVPN full-implementation.

It is really great work !!!

More information there :

See you soon 🙂

FreeBSD and fail2ban


To go on configuring my FreeBSD server, I install my traditionnal package : “fail2ban”. By the way with Linux distro, apt install fail2ban is enough.

Not now 😀

You must add :

root@pluton:/usr/local/etc/fail2ban/jail.d# cat ssh-ipfw.local 
enabled = true
filter = sshd
action = ipfw[name=SSH, port=ssh, protocol=tcp]
logpath = /var/log/auth.log
findtime = 600
maxretry = 3
bantime = 3600

And edit action file so that “localhost” is your public IP :

root@pluton:/usr/local/etc/fail2ban/action.d# cat ipfw.conf 
# Fail2Ban configuration file
# Author: Nick Munger
# Modified by: Cyril Jaquier
# Option:  localhost
# Notes.:  the local IP address of the network interface
# Values:  IP

# Option:  blocktype
# Notes.:  How to block the traffic. Use a action from man 5 ipfw
#          Common values: deny, unreach port, reset
# Values:  STRING
blocktype = unreach port

Blog, bsd, apache2, certbot and fun

It was long time ago I used a FreeBSD system. I was really impressed by the way it great evolved. It is easy to add package due to “pkg” tool and “portsnap”.

After :

pkg install apache24 mysql57-server mod_php73 php73-mysqli php73-xml php73-hash php73-gd php73-curl php73-tokenizer php73-zlib php73-zip

I have a really fast install of an HTTP server as I can do with “apt-get”.

I have needed to load some modules by editiing /usr/local/etc/apache24/httpd.conf such as : 

LoadModule rewrite_module libexec/apache24/
LoadModule php7_module libexec/apache24/
LoadModule ssl_module libexec/apache24/

Some more work width certbot for Let’s Encrypt SSL certificate :

root@ns326804:/usr/ports/security/py-certbot # make install clean
root@ns326804:/usr/ports/security/py-certbot-apache # make install clean
root@ns326804:/usr/ports/security/py-certbot # rehash

I can now install my SSL certificates with :

certbot --apache -d
certbot install --cert-name
certbot install --cert-name

I have moved my SQL data to my fresh FreeBSD install and try yo access my blog (it is using wordpress)… It was a FAIL. It lacks some PHP module : 

pkg install php73-json php73-filter php73-ctype

It was some tips. I have not listed all the tasks I have done but only the one I think which can give you some information. By the way I was really pleased to move some of my contents on this fresh-installed FreeBSD server. Lot of fun to do this.

And Voilà you can read this blog’s post now 🙂

July 15, 2021 01:35pm :

Update : Don’t forget to add AllowOverride on your data directory so that mod_rewrite can do his job correctly such as :

    <Directory "/usr/local/www/apache24/data/">
        AllowOverride All

Long long time ago, blog and FreeBSD…

It was a long long timeago I wrote here. ot of things happens to me but I don’t think it is the time and place to explain it.

This post is about a new experience to me : hosting this blog on FreeBSD machine. I am in love with BSD but don’t use it everyday. Networking&Telco is not an professional area where you can use it or your employer allow you to use it. Damn Windows, Teams, … and his egemony.

I will move this blog from Debian to FreeBSD server. I think it will lot of fun. If I have FreeBSD’s tips or remarks I will post it here. By the way I am currently studying for Cisco’s CCNP SPCOR (350-501) exam. Either I will try to give me a kick in the ass to post more technical posts.

Have fun 🙂

bwping patch (catching signals)

diff -urpN bwping/bwping.c bwping-patched/bwping.c
--- bwping/bwping.c     2012-10-11 19:23:17.000000000 +0200
+++ bwping-patched/bwping.c     2017-04-20 09:06:23.449540033 +0200
@@ -26,6 +26,7 @@
 #ifdef __CYGWIN__
 #include "cygwin.h"
@@ -224,21 +225,39 @@ static int recv_ping (int sock, int iden
         return 0;
+unsigned int   transmitted_number, received_number;
+unsigned long  int received_volume;
+struct timeval begin, end;
+void sig_handler(int signo)
+       if (signo == SIGUSR1) {
+                printf("Total: pkts sent/rcvd: %u/%u, volume rcvd: %lu bytes, time: %d sec, speed: %lu kbps, rtt min/max/average: %llu/%llu/%llu ms\n",
+                               transmitted_number, received_number, received_volume, (int)(end.tv_sec - begin.tv_sec),
+                               end.tv_sec - begin.tv_sec?((received_volume / (end.tv_sec - begin.tv_sec)) * 8) / 1000:(received_volume * 8) / 1000,
+                               min_rtt==DEF_MIN_RTT?0:min_rtt, max_rtt, average_rtt);
+               exit(255);
+       }
 int main (int argc, char **argv)
     int                    sock, exitval, ch, ident, finish, pktburst, i, n;
-    unsigned int           bufsize, tos, transmitted_number, received_number;
-    unsigned long int      kbps, pktsize, volume, rperiod, received_volume;
+    unsigned int           bufsize, tos;
+    unsigned long int      kbps, pktsize, volume, rperiod;
     unsigned long long int min_interval, interval, current_interval, integral_error;
     char                   *ep, *bind_addr, *target;
     fd_set                 fds;
     struct sockaddr_in     bind_to, to;
     struct hostent         *hp;
-    struct timeval         begin, end, report, start, now, seltimeout;
+    struct timeval         report, start, now, seltimeout;
     sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+       if (signal(SIGUSR1, sig_handler) == SIG_ERR)
+               printf("\ncan't catch SIGUSR1\n");
     if (sock==-1) {
         perror("bwping: socket(AF_INET, SOCK_RAW, IPPROTO_ICMP) failed");

Download : patch-bwping-sig.diff

Redback magic command

For those of you who are working with Redback equipments, this command can be useful :

[local]Redback# washoutthewash

Then you will have access to all commands the CLI hide you such as : ‘show sub ip’ or ‘show qos meter’ …

[CUSTOMER_1194]Redback# show sub act
        Session state Up
        Circuit   14/1:1 vpi-vci 1 928
        Internal Circuit   14/1:1:63/1/2/1407
        Interface bound  pppoe
        Current port-limit 1
        ppp mtu 1508 (applied)
        context-name CUSTOMER_1194 (applied)
        ip route  (applied)
        ip route  (applied)
        ip route  (applied)
        ip address (applied)
        port-limit 1 (applied from sub_default)
[CUSTOMER_1194]Redback#show sub ?
  access-line       Show DSL line attributes of active subscribers
  active            Display active subscribers
  address           Display subscriber IP-Addresses
  agent-circuit-id  Show subscriber by agent circuit id
  agent-remote-id   Show subscriber by agent remote id
  all               Display all subscribers
  log               Display AAAd log
  session           Display subscriber by circuit
  summary           Display subscriber summary
  username          Display subscriber by username
  |                 Output Modifiers
[CUSTOMER_1194]Redback#show sub ?
  access-line       Show DSL line attributes of active subscribers
  active            Display active subscribers
  address           Display subscriber IP-Addresses
  agent-circuit-id  Show subscriber by agent circuit id
  agent-remote-id   Show subscriber by agent remote id
  all               Display all subscribers
  debug             Display debug counters
  handle            Show subscriber by internal circuit handle
  ip-addr           Display subscriber by IP address
  log               Display AAAd log
  profile           Display subscriber profile info
  session           Display subscriber by circuit
  summary           Display subscriber summary
  username          Display subscriber by username
  |                 Output Modifiers
[CUSTOMER_1194]Redback#show sub ip
TYPE    CIRCUIT                    SUBSCRIBER         CONTEXT   START TIME    
ppp     14/1:1 vpi-vci 1 928       CUST_8HL2@is CUSTOMER Aug 27 14:20:51
Type            Authenticating          Active          Disconnecting
PPP                          0               1                      0
PPPoE                        0               0                      0
DOT1Q                        0               0                      0
CLIPs                        0               0                      0
ATM-B1483                    0               0                      0
ATM-R1483                    0               0                      0
Mobile-IP                    0               0                      0