Create the groups mqm and mqbrkrs and add the root account to both. Create the account mqm with mqm as its primary group and mqbrkrs and root as supplementary groups. Keep in mind that every member of the mqm group is a full WebSphere MQ administrator, so that group's membership should be limited to the accounts that actually need it.
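As an added check (an example script, not part of the original post): since mqm is the WebSphere MQ administrators group, it is worth auditing its membership against an allowlist. The script below parses files in the standard /etc/group and /etc/passwd format and reports members outside the allowlist, counting both supplementary members and accounts whose primary group is mqm. The file contents are constructed for offline use and mirror the post's setup; the function names are my own.

```shell
#!/bin/sh
# Added example: audit the membership of the MQ administrative group "mqm".
# On a real host pass /etc/group and /etc/passwd; here constructed sample files are used.

# group_members GROUP_FILE GROUP -> supplementary members of GROUP, one per line
group_members() {
    awk -F: -v g="$2" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# group_gid GROUP_FILE GROUP -> numeric gid of GROUP
group_gid() {
    awk -F: -v g="$2" '$1 == g { print $3 }' "$1"
}

# all_members GROUP_FILE PASSWD_FILE GROUP -> every account in GROUP, whether listed as a
# supplementary member or because GROUP is the account's primary group; sorted, unique
all_members() {
    gid=$(group_gid "$1" "$3")
    {
        group_members "$1" "$3"
        awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
    } | sort -u
}

# unexpected_members GROUP_FILE PASSWD_FILE GROUP ALLOWED...
# prints members of GROUP that are not in the ALLOWED list; returns 1 if there are any
unexpected_members() {
    gfile=$1; pfile=$2; group=$3; shift 3
    allowed=" $* "
    rc=0
    for m in $(all_members "$gfile" "$pfile" "$group"); do
        case "$allowed" in
            *" $m "*) ;;
            *) echo "$m"; rc=1 ;;
        esac
    done
    return $rc
}

# write_sample_files DIR -> constructed group and passwd files (not from any real system)
# that mirror the post: root in mqm and mqbrkrs, mqm in mqbrkrs and root.
write_sample_files() {
    cat > "$1/group" <<'EOF'
root:x:0:mqm
mqm:x:1000:root
mqbrkrs:x:1001:root,mqm
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
mqm:x:1000:1000:WebSphere MQ:/var/mqm:/bin/bash
EOF
}

# Usage: allow only the mqm account itself; root is then reported as unexpected.
d=$(mktemp -d)
write_sample_files "$d"
unexpected_members "$d/group" "$d/passwd" mqm mqm || echo "members of mqm outside the allowlist (listed above)"
rm -rf "$d"
```

The primary-group lookup matters because the mqm account itself never appears in the member field of its own group line; an audit that only reads /etc/group would miss it.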
MQServer:/tmp/mq/432 # ls -l
total 782236
drwxr-xr-x 6 root root 1408 Mar 26 00:42 .
drwxr-xr-x 3 root root 176 Mar 26 00:39 ..
-r--r--r-- 1 root 12201 56517147 May 20 2005 IBMJava2-SDK-1.4.2-0.0.i386.rpm
-rw-rw-r-- 1 root 12201 963879 May 20 2005 MQSeriesClient-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 84765428 May 20 2005 MQSeriesConfig-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 719764 May 20 2005 MQSeriesFTA-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 163979050 May 20 2005 MQSeriesIES30-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 3681759 May 20 2005 MQSeriesJava-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 37483080 May 20 2005 MQSeriesKeyMan-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 130189 May 20 2005 MQSeriesMan-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 111975 May 20 2005 MQSeriesMsg_Zh_CN-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 116214 May 20 2005 MQSeriesMsg_Zh_TW-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 136622 May 20 2005 MQSeriesMsg_de-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 128491 May 20 2005 MQSeriesMsg_es-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 130044 May 20 2005 MQSeriesMsg_fr-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 128327 May 20 2005 MQSeriesMsg_it-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 122076 May 20 2005 MQSeriesMsg_ja-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 116664 May 20 2005 MQSeriesMsg_ko-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 127411 May 20 2005 MQSeriesMsg_pt-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 7877738 May 20 2005 MQSeriesRuntime-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 229101 May 20 2005 MQSeriesSDK-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 1307081 May 20 2005 MQSeriesSamples-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 5089089 May 20 2005 MQSeriesServer-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 21376 May 20 2005 MQSeriesTXClient-6.0.0-0.i386.rpm
-rw-r--r-- 1 root root 432261120 Feb 22 11:48 MQforLinux601.tar
drwxrwxr-x 3 root 12201 72 May 20 2005 PreReqs
drwxrwxr-x 14 root 12201 352 May 20 2005 READMEs
-r--r--r-- 1 root 12201 261 May 20 2005 copyright
-r--r--r-- 1 root 12201 3988581 May 20 2005 gsk7bas-7.0-3.15.i386.rpm
drwxrwxr-x 4 root 12201 144 May 20 2005 lap
drwxrwxr-x 2 root 12201 704 May 20 2005 licenses
-rwxr-xr-x 1 root 12201 4770 May 20 2005 mqlicense.sh
-rwxr-xr-x 1 root 12201 35314 May 23 2005 readadd.txt
MQServer:/tmp/mq/432 #
MQServer:/tmp/mq/432 # ./mqlicense.sh -accept
Licensed Materials - Property of IBM
5724-H72
(C) Copyright IBM Corporation 1994, 2005 All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure
restricted by GSA ADP Schedule Contract with IBM Corp.
Agreement accepted: Proceed with install.
MQServer:/tmp/mq/432 #
MQServer:/tmp/mq/432 # rpm -ivh MQSeriesRuntime-6.0.0-0.i386.rpm MQSeriesSDK-6.0.0-0.i386.rpm MQSeriesServer-6.0.0-0.i386.rpm MQSeriesClient-6.0.0-0.i386.rpm MQSeriesSamples-6.0.0-0.i386.rpm MQSeriesJava-6.0.0-0.i386.rpm MQSeriesMan-6.0.0-0.i386.rpm
Preparing... ########################################### [100%]
1:MQSeriesRuntime ########################################### [ 14%]
2:MQSeriesSDK ########################################### [ 29%]
3:MQSeriesServer ########################################### [ 43%]
4:MQSeriesClient ########################################### [ 57%]
5:MQSeriesSamples ########################################### [ 71%]
6:MQSeriesJava ########################################### [ 86%]
7:MQSeriesMan ########################################### [100%]
MQServer:/tmp/mq/432 # rpm -ivh --force --nodeps MQSeriesFTA-6.0.0-0.i386.rpm MQSeriesIES30-6.0.0-0.i386.rpm MQSeriesConfig-6.0.0-0.i386.rpm
Preparing... ########################################### [100%]
1:MQSeriesIES30 ########################################### [ 33%]
2:MQSeriesFTA ########################################### [ 67%]
3:MQSeriesConfig ########################################### [100%]
MQServer:/tmp/mq/432 #
MQServer:/tmp/mq/432 # ls -l
total 782236
drwxr-xr-x 6 root root 1408 Mar 26 00:42 .
drwxr-xr-x 3 root root 176 Mar 26 00:39 ..
-r--r--r-- 1 root 12201 56517147 May 20 2005 IBMJava2-SDK-1.4.2-0.0.i386.rpm
-rw-rw-r-- 1 root 12201 963879 May 20 2005 MQSeriesClient-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 84765428 May 20 2005 MQSeriesConfig-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 719764 May 20 2005 MQSeriesFTA-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 163979050 May 20 2005 MQSeriesIES30-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 3681759 May 20 2005 MQSeriesJava-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 37483080 May 20 2005 MQSeriesKeyMan-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 130189 May 20 2005 MQSeriesMan-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 111975 May 20 2005 MQSeriesMsg_Zh_CN-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 116214 May 20 2005 MQSeriesMsg_Zh_TW-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 136622 May 20 2005 MQSeriesMsg_de-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 128491 May 20 2005 MQSeriesMsg_es-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 130044 May 20 2005 MQSeriesMsg_fr-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 128327 May 20 2005 MQSeriesMsg_it-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 122076 May 20 2005 MQSeriesMsg_ja-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 116664 May 20 2005 MQSeriesMsg_ko-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 127411 May 20 2005 MQSeriesMsg_pt-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 7877738 May 20 2005 MQSeriesRuntime-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 229101 May 20 2005 MQSeriesSDK-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 1307081 May 20 2005 MQSeriesSamples-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 5089089 May 20 2005 MQSeriesServer-6.0.0-0.i386.rpm
-rw-rw-r-- 1 root 12201 21376 May 20 2005 MQSeriesTXClient-6.0.0-0.i386.rpm
-rw-r--r-- 1 root root 432261120 Feb 22 11:48 MQforLinux601.tar
drwxrwxr-x 3 root 12201 72 May 20 2005 PreReqs
drwxrwxr-x 14 root 12201 352 May 20 2005 READMEs
-r--r--r-- 1 root 12201 261 May 20 2005 copyright
-r--r--r-- 1 root 12201 3988581 May 20 2005 gsk7bas-7.0-3.15.i386.rpm
drwxrwxr-x 4 root 12201 144 May 20 2005 lap
drwxrwxr-x 2 root 12201 704 May 20 2005 licenses
-rwxr-xr-x 1 root 12201 4770 May 20 2005 mqlicense.sh
-rwxr-xr-x 1 root 12201 35314 May 23 2005 readadd.txt
MQServer:/tmp/mq/432 #
MQServer:/tmp/mq # mkdir 378
MQServer:/tmp/mq # mv 6.0-WS-MQ-LinuxIA32-RP0002.tar ./378
MQServer:/tmp/mq # ls -l
total 5278
drwxr-xr-x 4 root root 152 Mar 26 00:54 .
drwxrwxrwt 13 root root 544 Mar 26 00:53 ..
drwxr-xr-x 2 root root 96 Mar 26 00:54 378
drwxr-xr-x 6 root root 280 Mar 26 00:53 432
-rw-r--r-- 1 root root 5396480 Feb 22 11:48 6.0.2.0-WS-MQ-LinuxIA32-LAIY96282.tar
MQServer:/tmp/mq # cd 378
MQServer:/tmp/mq/378 # ls -l
total 370121
drwxr-xr-x 2 root root 96 Mar 26 00:54 .
drwxr-xr-x 4 root root 152 Mar 26 00:54 ..
-rw-r--r-- 1 root root 378634240 Feb 22 11:46 6.0-WS-MQ-LinuxIA32-RP0002.tar
MQServer:/tmp/mq/378 #
MQServer:/tmp/mq/378 # tar xvf 6.0-WS-MQ-LinuxIA32-RP0002.tar
./
gsk7bas-7.0-3.18.i386.rpm
IBMJava2-142-ia32-SDK-1.4.2-5.0.i386.rpm
MQSeriesClient-U806639-6.0.2-0.i386.rpm
MQSeriesConfig-U806639-6.0.2-0.i386.rpm
MQSeriesFTA-U806639-6.0.2-0.i386.rpm
MQSeriesIES30-U806639-6.0.2-0.i386.rpm
MQSeriesJava-U806639-6.0.2-0.i386.rpm
MQSeriesKeyMan-U806639-6.0.2-0.i386.rpm
MQSeriesMan-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_de-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_es-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_fr-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_it-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_ja-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_ko-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_pt-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_Zh_CN-U806639-6.0.2-0.i386.rpm
MQSeriesMsg_Zh_TW-U806639-6.0.2-0.i386.rpm
MQSeriesRuntime-U806639-6.0.2-0.i386.rpm
MQSeriesSamples-U806639-6.0.2-0.i386.rpm
MQSeriesSDK-U806639-6.0.2-0.i386.rpm
MQSeriesServer-U806639-6.0.2-0.i386.rpm
MQSeriesTXClient-U806639-6.0.2-0.i386.rpm
memo.ptf
readme.txt
readadd.txt
MQServer:/tmp/mq/378 # ls -l
total 740263
drwxr-xr-x 2 root root 1488 Mar 26 00:54 .
drwxr-xr-x 4 root root 152 Mar 26 00:54 ..
-rw-r--r-- 1 root root 378634240 Feb 22 11:46 6.0-WS-MQ-LinuxIA32-RP0002.tar
-r--r--r-- 1 root 12201 58425242 Sep 28 2006 IBMJava2-142-ia32-SDK-1.4.2-5.0.i386.rpm
-rw-r--r-- 1 root 12201 1041870 Sep 28 2006 MQSeriesClient-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 92867916 Sep 28 2006 MQSeriesConfig-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 742674 Sep 28 2006 MQSeriesFTA-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 165192528 Sep 28 2006 MQSeriesIES30-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 6825037 Sep 28 2006 MQSeriesJava-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 37541482 Sep 28 2006 MQSeriesKeyMan-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 158230 Sep 28 2006 MQSeriesMan-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 133102 Sep 28 2006 MQSeriesMsg_Zh_CN-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 137261 Sep 28 2006 MQSeriesMsg_Zh_TW-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 157792 Sep 28 2006 MQSeriesMsg_de-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 149548 Sep 28 2006 MQSeriesMsg_es-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 151037 Sep 28 2006 MQSeriesMsg_fr-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 149446 Sep 28 2006 MQSeriesMsg_it-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 143167 Sep 28 2006 MQSeriesMsg_ja-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 139096 Sep 28 2006 MQSeriesMsg_ko-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 148484 Sep 28 2006 MQSeriesMsg_pt-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 3482646 Sep 28 2006 MQSeriesRuntime-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 227539 Sep 28 2006 MQSeriesSDK-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 1360466 Sep 28 2006 MQSeriesSamples-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 5179708 Sep 28 2006 MQSeriesServer-U806639-6.0.2-0.i386.rpm
-rw-r--r-- 1 root 12201 44639 Sep 28 2006 MQSeriesTXClient-U806639-6.0.2-0.i386.rpm
-r--r--r-- 1 root 12201 4021017 Sep 28 2006 gsk7bas-7.0-3.18.i386.rpm
-r--r--r-- 1 root 12201 43127 Sep 28 2006 memo.ptf
-r--r--r-- 1 root 12201 30584 Sep 28 2006 readadd.txt
-r--r--r-- 1 root 12201 118226 Sep 28 2006 readme.txt
MQServer:/tmp/mq/378 # rpm -ivh MQSeriesIES30-U806639-6.0.2-0.i386.rpm MQSeriesSamples-U806639-6.0.2-0.i386.rpm MQSeriesSDK-U806639-6.0.2-0.i386.rpm MQSeriesJava-U806639-6.0.2-0.i386.rpm MQSeriesConfig-U806639-6.0.2-0.i386.rpm MQSeriesServer-U806639-6.0.2-0.i386.rpm MQSeriesMan-U806639-6.0.2-0.i386.rpm MQSeriesClient-U806639-6.0.2-0.i386.rpm MQSeriesRuntime-U806639-6.0.2-0.i386.rpm MQSeriesFTA-U806639-6.0.2-0.i386.rpm
Preparing... ########################################### [100%]
1:MQSeriesFTA-U806639 ########################################### [ 10%]
2:MQSeriesIES30-U806639 ########################################### [ 20%]
3:MQSeriesSamples-U806639########################################### [ 30%]
4:MQSeriesSDK-U806639 ########################################### [ 40%]
5:MQSeriesJava-U806639 ########################################### [ 50%]
6:MQSeriesConfig-U806639 ########################################### [ 60%]
7:MQSeriesServer-U806639 ########################################### [ 70%]
8:MQSeriesMan-U806639 ########################################### [ 80%]
9:MQSeriesClient-U806639 ########################################### [ 90%]
10:MQSeriesRuntime-U806639########################################### [100%]
MQServer:/tmp/mq/# mkdir 53
MQServer:/tmp/mq/# mv 6.0.2.0-WS-MQ-LinuxIA32-LAIY96282.tar ./53
MQServer:/tmp/mq/# cd 53
MQServer:/tmp/mq/53/# tar xvf 6.0.2.0-WS-MQ-LinuxIA32-LAIY96282.tar
MQServer:/tmp/mq/# cp /tmp/mq/53/lib/libmqmcs.so /opt/mqm/lib/libmqmcs.so
MQServer:/tmp/mq/# cp /tmp/mq/53/lib/libmqmcs_r.so /opt/mqm/lib/libmqmcs_r.so
MQServer:/tmp/mq/# cp /tmp/mq/53/lib/libmqz.so /opt/mqm/lib/libmqz.so
MQServer:/tmp/mq/# cp /tmp/mq/53/lib/libmqz_r.so /opt/mqm/lib/libmqz_r.so
MQServer:/tmp/mq/# su - mqm
MQServer:/tmp/mq/~> dspmqver
Name: WebSphere MQ
Version: 6.0.2.0
CMVC level: p600-200-060921
BuildType: IKAP - (Production)
Note that copying the four libraries into /opt/mqm/lib by hand, as done above, bypasses the package database: rpm -V on the owning package will from then on report those files as modified, so the manual fix should be recorded so that it is not later mistaken for tampering. The same applies to the --force --nodeps install of the FTA, IES30 and Config packages, which skipped rpm's dependency checks.
Saturday, December 25, 2010
Checking open ports and services on Linux
The following is an example run on RHEL5:
[root@RHEL5 ~]# nmap -sT -O localhost
Starting Nmap 4.11 ( http://www.insecure.org/nmap/ ) at 2008-03-19 22:14 CST
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns_servers
Interesting ports on localhost.localdomain (127.0.0.1):
Not shown: 1670 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
111/tcp open rpcbind
609/tcp open npmp-trap
631/tcp open ipp
1521/tcp open oracle
2601/tcp open zebra
6103/tcp open RETS-or-BackupExec
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).
TCP/IP fingerprint:
SInfo(V=4.11%P=i686-redhat-linux-gnu%D=3/19%Tm=47E11FD8%O=21%C=1)
Nmap finished: 1 IP address (1 host up) scanned in 9.886 seconds
Alternatively, use netstat -anp, which also shows the address each socket is bound to. That distinction matters: the scan of localhost above reports 25/tcp and 631/tcp as open, but netstat shows sendmail and cupsd bound to 127.0.0.1 only, so they are not reachable from other hosts, whereas ftp, telnet, portmap, rpc.statd and the Oracle listener are bound to 0.0.0.0 and are.
[root@RHEL5 ~]# netstat -anp | grep LISTEN
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 1894/hpiod
tcp 0 0 0.0.0.0:609 0.0.0.0:* LISTEN 1699/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1669/portmap
tcp 0 0 0.0.0.0:1521 0.0.0.0:* LISTEN 29463/tnslsnr
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 25248/vsftpd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 25182/xinetd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1911/cupsd
tcp 0 0 0.0.0.0:6103 0.0.0.0:* LISTEN 29394/ora_d000_ora1
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1971/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 1899/python
tcp 0 0 :::2601 :::* LISTEN 3039/zebra
tcp 0 0 :::22 :::* LISTEN 1925/sshd
[root@RHEL5 ~]# lsof -n -i | grep LISTEN
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
portmap 1669 rpc 4u IPv4 4861 TCP *:sunrpc (LISTEN)
rpc.statd 1699 root 7u IPv4 4930 TCP *:npmp-trap (LISTEN)
hpiod 1894 root 0u IPv4 5369 TCP 127.0.0.1:2208 (LISTEN)
python 1899 root 4u IPv4 5405 TCP 127.0.0.1:2207 (LISTEN)
cupsd 1911 root 2u IPv4 791632 TCP 127.0.0.1:ipp (LISTEN)
sshd 1925 root 3u IPv6 5461 TCP *:ssh (LISTEN)
sendmail 1971 root 4u IPv4 5627 TCP 127.0.0.1:smtp (LISTEN)
zebra 3039 root 10u IPv6 9912 TCP *:discp-client (LISTEN)
xinetd 25182 root 5u IPv4 879173 TCP *:telnet (LISTEN)
vsftpd 25248 root 3u IPv4 879367 TCP *:ftp (LISTEN)
oracle 29394 oracle 17u IPv4 285612 TCP *:rets (LISTEN)
tnslsnr 29463 oracle 7u IPv4 286748 TCP *:ncube-lm (LISTEN)
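Added example (not from the original post): the netstat output becomes more useful once filtered by bound address, since only sockets on 0.0.0.0 or :: accept connections from other hosts. The script below does that over a copy of the netstat lines above, embedded here as constructed sample input, and separately flags the cleartext ftp and telnet listeners. The function names are my own.

```shell
#!/bin/sh
# Added example: classify "netstat -anp | grep LISTEN" output by exposure.
# A listener bound to 0.0.0.0 or :: is reachable from any interface; one bound to
# 127.0.0.1 or ::1 is local only.

# exposed_listeners < netstat-lines -> "port program" for sockets bound to all interfaces
exposed_listeners() {
    awk '$6 == "LISTEN" {
        addr = $4
        n = split(addr, a, ":")                # the port is whatever follows the last colon
        port = a[n]
        host = substr(addr, 1, length(addr) - length(port) - 1)
        split($7, p, "/")                      # "PID/Program name" -> program
        if (host == "0.0.0.0" || host == "::" || host == "*")
            print port, p[2]
    }' | sort -n
}

# count_exposed < netstat-lines -> number of all-interface listeners
count_exposed() {
    exposed_listeners | wc -l | tr -d ' '
}

# plaintext_services < netstat-lines -> exposed ftp (21) and telnet (23) listeners,
# which carry credentials in the clear and should be replaced by ssh/sftp or firewalled
plaintext_services() {
    exposed_listeners | awk '$1 == 21 || $1 == 23 { print $1, $2 }'
}

# Constructed sample, copied from the post's netstat output above.
SAMPLE_NETSTAT='tcp 0 0 127.0.0.1:2208 0.0.0.0:* LISTEN 1894/hpiod
tcp 0 0 0.0.0.0:609 0.0.0.0:* LISTEN 1699/rpc.statd
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1669/portmap
tcp 0 0 0.0.0.0:1521 0.0.0.0:* LISTEN 29463/tnslsnr
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 25248/vsftpd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 25182/xinetd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 1911/cupsd
tcp 0 0 0.0.0.0:6103 0.0.0.0:* LISTEN 29394/ora_d000_ora1
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1971/sendmail: acce
tcp 0 0 127.0.0.1:2207 0.0.0.0:* LISTEN 1899/python
tcp 0 0 :::2601 :::* LISTEN 3039/zebra
tcp 0 0 :::22 :::* LISTEN 1925/sshd'

# Usage on a live host: netstat -anp | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | exposed_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | plaintext_services
```

On the sample this lists eight exposed listeners and two cleartext services (vsftpd on 21 and the xinetd-managed telnet on 23); the loopback-only hpiod, python, cupsd and sendmail sockets are left out.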
Cisco RIP dynamic routing: passive-interface lab
Network topology:
Router configuration:
Router R1:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
interface Loopback0
ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 148.1.1.1 255.255.255.0
no keepalive
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.1.1.1 255.255.255.0
duplex auto
speed auto
!
router rip
passive-interface FastEthernet0/1
network 10.0.0.0
network 148.1.0.0
network 192.1.1.0
!
ip classless
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Router R2:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
interface Ethernet1/0
ip address 192.1.1.2 255.255.255.0
!
interface Ethernet1/1
ip address 193.1.1.1 255.255.255.0
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
router rip
network 192.1.1.0
network 193.1.1.0
!
ip classless
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Router R3:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
memory-size iomem 15
ip subnet-zero
no ip domain-lookup
!
interface Ethernet1/0
ip address 193.1.1.2 255.255.255.0
!
interface Ethernet1/1
ip address 152.1.1.1 255.255.255.0
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
router rip
network 152.1.0.0
network 193.1.1.0
!
ip classless
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
04:18:00: RIP: received v1 update from 192.1.1.2 on FastEthernet0/1
04:18:00: 152.1.0.0 in 2 hops
04:18:00: 193.1.1.0 in 1 hops
04:18:17: RIP: sending v1 update to 255.255.255.255 via FastEthernet0/0 (148.1.1.1)
04:18:17: RIP: build update entries
04:18:17: network 10.0.0.0 metric 1
04:18:17: network 152.1.0.0 metric 3
04:18:17: network 192.1.1.0 metric 1
04:18:17: network 193.1.1.0 metric 2
04:18:17: RIP: sending v1 update to 255.255.255.255 via Loopback0 (10.1.1.1)
04:18:17: RIP: build update entries
04:18:17: network 148.1.0.0 metric 1
04:18:17: network 152.1.0.0 metric 3
04:18:17: network 192.1.1.0 metric 1
04:18:17: network 193.1.1.0 metric 2
R1#sh ip route rip
R 152.1.0.0/16 [120/2] via 192.1.1.2, 00:00:06, FastEthernet0/1
R 193.1.1.0/24 [120/1] via 192.1.1.2, 00:00:06, FastEthernet0/1
R2#sh ip route rip
R 152.1.0.0/16 [120/1] via 193.1.1.2, 00:00:12, Ethernet1/1
R3#sh ip route rip
R 192.1.1.0/24 [120/1] via 193.1.1.1, 00:00:07, Ethernet1/0
Note that R1 learns every route from R3 (via R2), while R3 learns nothing from R1: passive-interface FastEthernet0/1 stops R1 from sending RIP updates on that interface, which is why the debug output shows updates going out only via FastEthernet0/0 and Loopback0. R1 still listens on the passive interface and accepts whatever updates arrive there, and RIPv1 carries no authentication, so any host on 192.1.1.0/24 can inject routes into R1. To control that direction as well, filter inbound updates with a distribute-list or move to RIPv2 with MD5 authentication.
Cisco router dynamic inside source NAT lab
Lab network topology:
Lab objective: demonstrate dynamic translation of inside local addresses to inside global addresses. Router R2 dynamically translates any source address between 10.1.1.1 and 10.1.1.3 to one of the three inside global addresses in the pool (globally unique addresses registered on the Internet).
Checking the configuration: on R2, test the setup with an extended ping; in privileged EXEC mode type ping with no arguments.
R2#ping
Protocol [ip]:
Target IP address: 152.1.1.1
Repeat count [5]: 10
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.1.1.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
1) From R2, ping 152.1.1.1 with source address 10.1.1.2
2) From R2, ping 152.1.1.1 with source address 10.1.1.1
3) From R2, ping 152.1.1.1 with source address 10.1.1.3
Running debug ip nat on R2 shows the address translations:
12:00:29: NAT: s=10.1.1.1->195.1.1.1, d=152.1.1.1 [1]
12:00:29: NAT*: s=152.1.1.1, d=195.1.1.1->10.1.1.1 [1]
12:01:26: NAT: s=10.1.1.2->195.1.1.2, d=152.1.1.1 [11]
12:01:26: NAT*: s=152.1.1.1, d=195.1.1.2->10.1.1.2 [11]
12:01:55: NAT: s=10.1.1.3->195.1.1.3, d=152.1.1.1 [16]
12:01:55: NAT*: s=152.1.1.1, d=195.1.1.3->10.1.1.3 [16]
When a fourth station then tries to reach the outside network, every address in the pool is already in use and this is what happens:
12:02:33: NAT: translation failed (E), dropping packet s=10.1.1.4 d=152.1.1.1.
12:02:35: NAT: translation failed (E), dropping packet s=10.1.1.4 d=152.1.1.1.
R2#sh ip nat translations
Pro Inside global Inside local Outside local Outside global
--- 195.1.1.1 10.1.1.1 --- ---
--- 195.1.1.2 10.1.1.2 --- ---
--- 195.1.1.3 10.1.1.3 --- ---
The example shows that although dynamic translation is more efficient than static translation, each translation still needs a global address of its own. The administrator therefore has to estimate the number of hosts that will be reaching outside at the same time and size the pool accordingly: here access-list 1 permits four inside hosts while globalpool holds only three addresses, so the fourth host's packets are dropped with "translation failed". Where global addresses are scarce, adding the overload keyword to the ip nat inside source list 1 pool globalpool statement turns this into PAT, letting many inside hosts share one global address distinguished by port number.
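Added example (not from the original post): the pool-exhaustion symptom above is easy to miss in a long debug ip nat capture. The script below parses such output, lists the inside-local to inside-global mappings, counts the sources whose packets were dropped, and reports whether a pool of a given size was exhausted. The sample log is constructed from the debug lines above; the function names are my own.

```shell
#!/bin/sh
# Added example: summarise "debug ip nat" output.
# Outbound translations look like  "NAT: s=10.1.1.1->195.1.1.1, d=152.1.1.1 [1]"
# and a pool exhaustion like       "NAT: translation failed (E), dropping packet s=10.1.1.4 d=152.1.1.1."

# nat_mappings < debug-lines -> "inside_local inside_global", one line per distinct mapping
# (reply lines "s=152.1.1.1, d=195.1.1.1->10.1.1.1" do not match because s= is not followed by ->)
nat_mappings() {
    sed -n 's/.*NAT[*]*: s=\([0-9.]*\)->\([0-9.]*\), d=.*/\1 \2/p' | sort -u
}

# nat_drops < debug-lines -> "count inside_local" for each source whose packets were dropped
nat_drops() {
    sed -n 's/.*translation failed.*s=\([0-9.]*\) d=.*/\1/p' | sort | uniq -c | awk '{ print $1, $2 }'
}

# pool_exhausted POOL_SIZE < debug-lines -> succeeds when the mappings fill a pool of
# POOL_SIZE addresses and at least one source was dropped
pool_exhausted() {
    tmp=$(mktemp)
    cat > "$tmp"                              # stdin is needed twice, so buffer it
    used=$(nat_mappings < "$tmp" | wc -l | tr -d ' ')
    dropped=$(nat_drops < "$tmp" | wc -l | tr -d ' ')
    rm -f "$tmp"
    [ "$used" -ge "$1" ] && [ "$dropped" -gt 0 ]
}

# Constructed sample, copied from the post's debug ip nat output above.
SAMPLE_NAT_DEBUG='12:00:29: NAT: s=10.1.1.1->195.1.1.1, d=152.1.1.1 [1]
12:00:29: NAT*: s=152.1.1.1, d=195.1.1.1->10.1.1.1 [1]
12:01:26: NAT: s=10.1.1.2->195.1.1.2, d=152.1.1.1 [11]
12:01:26: NAT*: s=152.1.1.1, d=195.1.1.2->10.1.1.2 [11]
12:01:55: NAT: s=10.1.1.3->195.1.1.3, d=152.1.1.1 [16]
12:01:55: NAT*: s=152.1.1.1, d=195.1.1.3->10.1.1.3 [16]
12:02:33: NAT: translation failed (E), dropping packet s=10.1.1.4 d=152.1.1.1.
12:02:35: NAT: translation failed (E), dropping packet s=10.1.1.4 d=152.1.1.1.'

# Usage: feed a saved debug capture on stdin; globalpool above has three addresses.
printf '%s\n' "$SAMPLE_NAT_DEBUG" | nat_mappings
printf '%s\n' "$SAMPLE_NAT_DEBUG" | nat_drops
if printf '%s\n' "$SAMPLE_NAT_DEBUG" | pool_exhausted 3; then
    echo "pool of 3 addresses exhausted: enlarge the pool or add overload"
fi
```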
Router configuration:
Router R2:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
ip address 10.1.1.1 255.255.255.0 secondary
ip address 10.1.1.2 255.255.255.0 secondary
ip address 10.1.1.3 255.255.255.0 secondary
ip address 10.1.1.4 255.255.255.0 secondary
ip address 10.1.1.5 255.255.255.0
ip nat inside
!
interface Ethernet1/1
ip address 195.1.1.4 255.255.255.0
ip nat outside
!
ip nat pool globalpool 195.1.1.1 195.1.1.3 netmask 255.255.255.0
ip nat inside source list 1 pool globalpool
ip classless
ip route 152.1.1.1 255.255.255.255 Ethernet1/1
no ip http server
!
access-list 1 permit 10.1.1.2
access-list 1 permit 10.1.1.3
access-list 1 permit 10.1.1.1
access-list 1 permit 10.1.1.4
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Router R3:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
ip address 195.1.1.10 255.255.255.0
!
interface Ethernet1/1
ip address 152.1.1.1 255.255.255.0
!
interface Ethernet1/2
no ip address
shutdown
!
interface Ethernet1/3
no ip address
shutdown
!
ip classless
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
login
!
end
Cisco router static inside source NAT lab
Lab network topology:
Lab objective: R2 is configured with NAT that translates the source address 10.1.1.2/24 (the F0/1 address of R1, the inside address here) to 195.1.1.1/32 (a simulated public address, the outside address here), so that users on the outside can reach it. R1 and R4 stand in for PCs.
Router configuration:
Router R2:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R2
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
!
interface Ethernet1/1
ip address 195.1.1.4 255.255.255.0
ip nat outside
!
ip nat inside source static 10.1.1.2 195.1.1.1
ip classless
ip route 152.1.1.2 255.255.255.255 Ethernet1/1
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Router R3:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R3
!
memory-size iomem 15
ip subnet-zero
!
interface Ethernet1/0
ip address 195.1.1.10 255.255.255.0
!
interface Ethernet1/1
ip address 152.1.1.1 255.255.255.0
!
no ip address
shutdown
!
ip classless
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Router R1:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R1
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/1
ip address 10.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Router R4:
version 12.1
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R4
!
memory-size iomem 15
ip subnet-zero
!
interface FastEthernet0/0
ip address 152.1.1.2 255.255.255.0
duplex auto
speed auto
!
ip classless
ip route 0.0.0.0 0.0.0.0 152.1.1.1
no ip http server
!
line con 0
transport input none
line aux 0
line vty 0 4
!
no scheduler allocate
end
Checking the configuration:
Ping 152.1.1.2 (the F0/0 address of R4) from R1 and use debug ip packet to look at the packets exchanged with R4; the output is:
R1#debug ip packet
IP packet debugging is on
R1#ping 152.1.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 152.1.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/37/68 ms
R1#
00:21:28: IP: s=10.1.1.2 (local), d=152.1.1.2 (FastEthernet0/1), len 100, sending <-----ICMP ECHO
00:21:28: IP: s=152.1.1.2 (FastEthernet0/1), d=10.1.1.2 (FastEthernet0/1), len 100, rcvd 3 <-----ICMP ECHO REPLY
Running debug ip nat on R2 shows the source address 10.1.1.2 translated to 195.1.1.1. The translation works in both directions: the destination address 195.1.1.1 of the returning packet is translated back to 10.1.1.2:
R2#debug ip nat
IP NAT debugging is on
00:21:27: NAT*: s=10.1.1.2->195.1.1.1, d=152.1.1.2 [30]
00:21:27: NAT*: s=152.1.1.2, d=195.1.1.1->10.1.1.2 [30]
This is also called one-to-one static IP mapping and corresponds to a MIP on Juniper NetScreen products. Unlike a dynamic entry, a static mapping is permanent and also accepts connections initiated from the outside to 195.1.1.1 at any time, so the inside host behind it should be protected with an access list on the outside interface.
Wednesday, December 15, 2010
Array TMX/APV operations notes: checking the status of a backend (real) server
ArrayOS#show health server r_test
----------------------------------- Server Status ---------------------------------
real server name status
r_test UP
----------------------------------- Health Check ----------------------------------
real server name ip :port status hct rqr rpr checklist
-----------------------------------------------------------------------------------
r_test 111.222.111.222 :80 UP tcp
Array TMX/APV operations notes: checking the platform model and OS version
ArrayOS>show version
ArrayOS Rel.TM.6.5.2.9 build on Thu Jul 10 21:22:44 2009 #OS version
Host name : TMX3000
System CPU : i386 Intel(R) Pentium(R) 4 CPU 2.80GHz
System Module : P4SCI
System RAM : 3645520 kbytes.
System boot time : xxxxxxxx
Current time : xxxxxxxx
System up time : 100 days, 13:58
Platform Bld Date : xxxxxxxx
SSL Hardware : No HW Available
Compression HW : No HW Available
Network Interface : 2 x Gigabit Ethernet copper
Model : Array TMX 3000 #product platform model
Serial Number : xxxxxxxx
Licensed Features : WebWall Clustering L4SLB L7SLB Caching
SwCompression LLB CCB GSLB QoS MultiLang
License Key : xxxxxxxx
Wednesday, December 8, 2010
SUSE Linux 11 /etc/vsftpd.conf
SUSE11:/ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 0
SUSE11:/ # cat /etc/vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
# General Settings
#
# Uncomment this to enable any form of FTP write command.
#
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#
nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
#
ftpd_banner="Welcome to FOOBAR FTP service."
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#
#ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#
#deny_email_enable=YES
#
# (default follows)
#
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#
#hide_ids=YES
# Local FTP user Settings
#
# Uncomment this to allow local users to log in.
#
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
local_umask=022
#
# Uncomment to put local users in a chroot() jail in their home directory
# after login.
#
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#
#chroot_list_enable=YES
#
# (default follows)
#
#chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#
#local_max_rate=7200
# Anonymus FTP user Settings
#
# Allow anonymous FTP?
#
#anonymous_enable=YES
#
# Anonymous users will only be allowed to download files which are
# world readable.
#
#anon_world_readable_only=YES
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#
#anon_upload_enable=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
#anon_umask=022
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#
#chown_uploads=YES
#chown_username=whoever
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#
#anon_max_rate=7200
# Log Settings
#
# Log to the syslog daemon instead of using an logfile.
#
#syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
#
#log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#
#xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note: This disables the normal logging unless you enable dual_log_enable below.
#
#xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
#xferlog_file=/var/log/xferlog
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#
#dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#
#setproctitle_enable=YES
# Transfer Settings
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#
#pasv_enable=NO
# PAM setting. Do NOT change this unless you know what you do!
#
pam_service_name=vsftpd
# Set listen=YES if you want vsftpd to run standalone
#
#listen=YES
# Set to ssl_enable=YES if you want to enable SSL
ssl_enable=NO
# Limit passive ports to this range to assis firewalling
pasv_min_port=30000
pasv_max_port=30100
Tuesday, December 7, 2010
Backing up a Juniper ScreenOS firewall configuration with scp
netscreen-> get system
Product Name: NetScreen-2000
Serial Number: 00XX0620060000XX, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.0.0r2.0, Type: Firewall+VPN
OS Loader Version: 1.1.5
Compiled by build_master at: Sat Jul 21 23:24:31 PDT 2007
Base Mac: 0010.dbbf.0c80
File Name: default (screenos_image), Checksum: 9b3bb5db
, Total Memory: 2048MB
First enable SCP on the ScreenOS device:
netscreen-> set scp enable
The following is an example SCP client command that copies the configuration file from the flash of a NetScreen device (admin name netscreen, IP address 10.1.1.1) to the file ns_sys_config_backup on the client system; the host key fingerprint shown on first connection should be compared with the device's own key before answering yes:
SuSe9:~ # scp netscreen@10.1.1.1:ns_sys_config ns_sys_config_bakcup
The authenticity of host '10.1.1.1 (10.1.1.1)' can't be established.
DSA key fingerprint is 5d:a3:00:47:ab:7d:12:2e:ac:d3:fe:85:ee:70:e6:4c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.1' (DSA) to the list of known hosts.
netscreen@10.1.1.1's password:
ns_sys_config 100% 194KB 64.8KB/s 00:03
SuSe9:~ # ls -l ns_sys_config_bakcup
-rw-r--r-- 1 root root 198913 2008-05-14 17:28 ns_sys_config_bakcup
netscreen-> get file
flash:/$NSBOOT$.BIN 16880510
flash:/envar.rec 162
flash:/license.key 725
flash:/ns_sys_config 24318
flash:/prngseed.bin 32
flash:/policy.gz.v 14514
flash:/detector2.so 610255
Juniper NetScreen ScreenOS "Standard" Proposals
Phase-1:
Encryption: 3DES
Authentication: SHA-1
Key Group: Diffie-Hellman Group 2
Enable PFS with DH Group 2
----------------------------------------------------
Phase-2:
Encryption: 3DES
Authentication: SHA-1
Fixing "Hash Payload is incorrect" in the NSR log
Symptom: the customer's dial-up VPN (IKE only) cannot connect to the NetScreen gateway (a Juniper NetScreen ISG-1000). The NetScreen-Remote Log Viewer shows:
Initiating IKE Phase 1 (IP ADDR=1.1.1.1)
SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID, VID, VID, VID)
RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
Peer is NAT-T capable
NAT is detected for Client
Hash Payload is incorrect #hash payload error
My Connections\IKEUSER - SENDING>>>> ISAKMP OAK INFO (HASH, NOTIFY:INVALID_HASH_INFO)
My Connections\IKEUSER - Discarding IKE SA negotiation
MY COOKIE b6 23 af 2d f5 20 5c c1
HIS COOKIE eb 88 ee b9 87 b9 5d 72
RECEIVED<<< ISAKMP OAK AG (SA, VID, VID, VID, KE, NON, ID, HASH, VID, NAT-D, NAT-D)
Received message for non-active SA #message received for an inactive SA
The corresponding log on the Juniper NetScreen ISG-1000:
system info 00536 Rejected an IKE packet on ethernet1/1 from 121.201.217.55:500 to 1.1.1.1:500 with cookies 6e341f52b69875ab and 6130c3fe4410810e because the peer sent a packet with a message ID before Phase 1 authentication was done. #...Phase 1 authentication had not completed
system info 00536 IKE<121.201.217.55> Phase 1: Responder starts AGGRESSIVE mode negotiations.
This indicates that the pre-shared key on the NetScreen-Remote client does not match the one on the NetScreen gateway.
Check the corresponding IKE gateway on the NetScreen gateway:
netscreen_isg1000-> get ike gateway ike_gateway
Id Name Gateway Address Gateway ID Mode Proposals
---- --------------- --------------- --------------- ---- ---------
1 ike_gateway ikeusergroup Aggr pre-g1-des-md5
Preshared Key: <***> Seed #indicates the pre-shared key is seed-generated
use count<0>, single-ike_tunnel<0>, status Enabled
user id<-1>, dial up id<6>
IP version 4
slot number<0>.
outgoing interface:
interface name = ethernet1/1, ip = 1.1.1.1, vsys = Root.
local-id type<2> value<DIALVPN>
peer-id empty.
peer-container-id empty.
IPsec NAT-Traversal: enabled.
keepalive frequency: 5 seconds.
UDP checksum: enabled.
local ike udp port 500.
peer ike udp port 500.
peer identity list:
0: NOT IAS
IAS ID 2f05c738
(0f) group <6> user <-1>
Phase 1 SA:
Phase 2 SA:
session timeout: 0
Preferred Local Cert
--------------------
local cert not configured.
Preferred Peer Cert
-------------------
peer ca cert not configured.
Peer Cert Type
--------------
Preferred cert type: X509-SIG
Heartbeat Hello: 0(sec), Threshold: 5(times), Reconnect: 0(sec)
----------- XAUTH Config -------------
XAUTH disabled.
On asking the customer, it turned out that the original pre-shared key had been typed directly into the NetScreen-Remote client. Because the pre-shared key on the NetScreen gateway has the seed enabled, the per-user shared key must be obtained with the following command:
netscreen_isg1000-> exec ike preshare-gen ike_gateway aikeuser #ike_gateway is the gateway name, aikeuser is the user name
preshared key for user <aikeuser> in peer <ike_gateway>:
<d91f418679 1afd720f0e 26d49623a7 7cb540bf46> #this is the pre-shared key
Note: Spaces are for readability only.
Remove the spaces from d91f418679 1afd720f0e 26d49623a7 7cb540bf46, paste the result directly into NetScreen-Remote and click OK:
SuSE Linux: ftp 500 OOPS: could not bind listening IPv4 socket
When transferring files by ftp to a SuSE Linux 9 host, the error 500 OOPS: could not bind listening IPv4 socket appeared, as shown below:
SuSe9#ftp 10.10.10.10
Connected to localhost.
500 OOPS: could not bind listening IPv4 socket
Checking the vsftpd status shows that it is enabled:
SuSe9#chkconfig --list vsftpd
xinetd based services:
vsftpd: on
On SuSE Linux the vsftpd service runs under xinetd by default. Inspecting /etc/vsftpd.conf shows that the # in front of listen=YES has been removed, i.e. vsftpd has been switched to standalone mode (marked in red in the original). The complete vsftpd.conf is:
SuSe9#cat vsftpd.conf
# Example config file /etc/vsftpd.conf
#
# The default compiled in settings are fairly paranoid. This sample file
# loosens things up a bit, to make the ftp daemon more usable.
# Please see vsftpd.conf.5 for all compiled in defaults.
#
# If you do not change anything here you will have a minimum setup for an
# anonymus FTP server.
#
# READ THIS: This example file is NOT an exhaustive list of vsftpd options.
# Please read the vsftpd.conf.5 manual page to get a full idea of vsftpd's
# capabilities.
# General Settings
#
# Uncomment this to enable any form of FTP write command.
#
write_enable=YES
#
# Activate directory messages - messages given to remote users when they
# go into a certain directory.
#
dirmessage_enable=YES
#
# It is recommended that you define on your system a unique user which the
# ftp server can use as a totally isolated and unprivileged user.
#
#nopriv_user=ftpsecure
#
# You may fully customise the login banner string:
#
ftpd_banner="Welcome to FOOBAR FTP service."
#
# You may activate the "-R" option to the builtin ls. This is disabled by
# default to avoid remote users being able to cause excessive I/O on large
# sites. However, some broken FTP clients such as "ncftp" and "mirror" assume
# the presence of the "-R" option, so there is a strong case for enabling it.
#
ls_recurse_enable=YES
#
# You may specify a file of disallowed anonymous e-mail addresses. Apparently
# useful for combatting certain DoS attacks.
#
#deny_email_enable=YES
#
# (default follows)
#
#banned_email_file=/etc/vsftpd.banned_emails
#
# If enabled, all user and group information in
# directory listings will be displayed as "ftp".
#
#hide_ids=YES
# Local FTP user Settings
#
# Uncomment this to allow local users to log in.
#
local_enable=YES
#
# Default umask for local users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
local_umask=022
#
# Uncomment to put local users in a chroot() jail in their home directory
# after login.
#
#chroot_local_user=YES
#
# You may specify an explicit list of local users to chroot() to their home
# directory. If chroot_local_user is YES, then this list becomes a list of
# users to NOT chroot().
#
chroot_list_enable=YES
#
# (default follows)
#
#chroot_list_file=/etc/vsftpd.chroot_list
#
# The maximum data transfer rate permitted, in bytes per second, for
# local authenticated users. The default is 0 (unlimited).
#
#local_max_rate=7200
# Anonymus FTP user Settings
#
# Allow anonymous FTP?
#
#anonymous_enable=YES
#
# Anonymous users will only be allowed to download files which are
# world readable.
#
#anon_world_readable_only=YES
#
# Uncomment this to allow the anonymous FTP user to upload files. This only
# has an effect if the above global write enable is activated. Also, you will
# obviously need to create a directory writable by the FTP user.
#
#anon_upload_enable=YES
#
# Default umask for anonymus users is 077. You may wish to change this to 022,
# if your users expect that (022 is used by most other ftpd's)
#
#anon_umask=022
#
# Uncomment this if you want the anonymous FTP user to be able to create
# new directories.
#
#anon_mkdir_write_enable=YES
#
# Uncomment this to enable anonymus FTP users to perform other write operations
# like deletion and renaming.
#
#anon_other_write_enable=YES
#
# If you want, you can arrange for uploaded anonymous files to be owned by
# a different user. Note! Using "root" for uploaded files is not
# recommended!
#
#chown_uploads=YES
#chown_username=whoever
#
# The maximum data transfer rate permitted, in bytes per second, for anonymous
# authenticated users. The default is 0 (unlimited).
#
#anon_max_rate=7200
# Log Settings
#
# Log to the syslog daemon instead of using an logfile.
#
syslog_enable=YES
#
# Uncomment this to log all FTP requests and responses.
#
log_ftp_protocol=YES
#
# Activate logging of uploads/downloads.
#
xferlog_enable=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
vsftpd_log_file=/var/log/vsftpd.log
#
# If you want, you can have your log file in standard ftpd xferlog format.
# Note: This disables the normal logging unless you enable dual_log_enable below.
#
xferlog_std_format=YES
#
# You may override where the log file goes if you like. The default is shown
# below.
#
xferlog_file=/var/log/xferlog
#
# Enable this to have booth logfiles. Standard xferlog and vsftpd's own style log.
#
dual_log_enable=YES
#
# Uncomment this to enable session status information in the system process listing.
#
#setproctitle_enable=YES
# Transfer Settings
#
# Make sure PORT transfer connections originate from port 20 (ftp-data).
#
connect_from_port_20=YES
#
# You may change the default value for timing out an idle session.
#
#idle_session_timeout=600
#
# You may change the default value for timing out a data connection.
#
#data_connection_timeout=120
#
# Enable this and the server will recognise asynchronous ABOR requests. Not
# recommended for security (the code is non-trivial). Not enabling it,
# however, may confuse older FTP clients.
#
#async_abor_enable=YES
#
# By default the server will pretend to allow ASCII mode but in fact ignore
# the request. Turn on the below options to have the server actually do ASCII
# mangling on files when in ASCII mode.
# Beware that turning on ascii_download_enable enables malicious remote parties
# to consume your I/O resources, by issuing the command "SIZE /big/file" in
# ASCII mode.
# These ASCII options are split into upload and download because you may wish
# to enable ASCII uploads (to prevent uploaded scripts etc. from breaking),
# without the DoS risk of SIZE and ASCII downloads. ASCII mangling should be
# on the client anyway..
#
#ascii_upload_enable=YES
#ascii_download_enable=YES
#
# Set to NO if you want to disallow the PASV method of obtaining a data
# connection.
#
#pasv_enable=NO
# PAM setting. Do NOT change this unless you know what you do!
#
pam_service_name=vsftpd
# Set listen=YES if you want vsftpd to run standalone
#
listen=YES
After turning listen=YES off, i.e. changing "listen=YES" to "#listen=YES", ftp works again:
Suse9#ftp 10.10.10.10
Connected to gdCMs2.
220 "Welcome to FOOBAR FTP service."
Name (10.10.10.10:root):
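As an added example that is not part of the original posts, the Python below parses a vsftpd.conf in the format listed above (in this post and in the SUSE 11 file earlier on the page) together with chkconfig --list vsftpd output, and reports the listen=YES under xinetd conflict behind the "500 OOPS: could not bind listening IPv4 socket" error, plus the other settings a reviewer of such a file would check (anonymous access, chroot, TLS, passive port range). The config excerpt and chkconfig text are constructed; the compiled-in default anonymous_enable=YES is taken from vsftpd.conf(5).

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpt in the style of the SUSE /etc/vsftpd.conf shown above;
# it is not the full file, only the lines the checks below care about.
SAMPLE_CONF = """\
# Uncomment this to enable any form of FTP write command.
write_enable=YES
nopriv_user=ftpsecure
local_enable=YES
#chroot_local_user=YES
#anonymous_enable=YES
pam_service_name=vsftpd
# Set listen=YES if you want vsftpd to run standalone
listen=YES
ssl_enable=NO
pasv_min_port=30000
pasv_max_port=30100
"""

# Constructed to mirror the "chkconfig --list vsftpd" output on the page.
SAMPLE_CHKCONFIG = """\
xinetd based services:
        vsftpd: on
"""


def parse_vsftpd_conf(text: str) -> Dict[str, str]:
    """Return the active key=value settings.

    A line starting with '#' is a comment, so '#listen=YES' leaves 'listen'
    unset; only an uncommented 'listen=YES' turns on standalone mode.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def vsftpd_under_xinetd(chkconfig_output: str) -> bool:
    """True when 'chkconfig --list vsftpd' lists vsftpd as an xinetd service that is on."""
    in_xinetd_block = False
    for line in chkconfig_output.splitlines():
        if line.strip().startswith("xinetd based services"):
            in_xinetd_block = True
            continue
        m = re.match(r"\s*vsftpd:\s*(on|off)\s*$", line)
        if m and in_xinetd_block:
            return m.group(1) == "on"
    return False


def audit_vsftpd(settings: Dict[str, str], under_xinetd: bool) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for the problems found."""
    def is_yes(key: str, default: str) -> bool:
        return settings.get(key, default).upper() == "YES"

    findings: List[Tuple[str, str]] = []
    # The page's failure: listen=YES while xinetd already owns port 21.
    if under_xinetd and is_yes("listen", "NO"):
        findings.append(("LISTEN_XINETD_CONFLICT",
                         "listen=YES while vsftpd is also started by xinetd: the daemon fails "
                         "with '500 OOPS: could not bind listening IPv4 socket'; comment "
                         "listen=YES out or disable the xinetd entry"))
    # vsftpd's compiled-in default for anonymous_enable is YES (vsftpd.conf(5)),
    # so a commented-out line does not turn anonymous logins off.
    if is_yes("anonymous_enable", "YES"):
        findings.append(("ANON_NOT_DISABLED",
                         "anonymous logins stay enabled unless anonymous_enable=NO is set"))
        if is_yes("write_enable", "NO") and is_yes("anon_upload_enable", "NO"):
            findings.append(("ANON_UPLOAD", "anonymous users may upload files"))
    if is_yes("local_enable", "NO") and not is_yes("chroot_local_user", "NO"):
        findings.append(("LOCAL_NO_CHROOT",
                         "local users are not confined to their home directory"))
    if not is_yes("ssl_enable", "NO"):
        findings.append(("NO_TLS", "passwords and data cross the network in clear text"))
    if not ("pasv_min_port" in settings and "pasv_max_port" in settings):
        findings.append(("PASV_UNBOUNDED",
                         "passive data ports are not limited to a firewallable range"))
    return findings


def audit_codes(conf_text: str, chkconfig_output: str) -> List[str]:
    """Parse both inputs and return only the finding codes."""
    return [code for code, _ in audit_vsftpd(parse_vsftpd_conf(conf_text),
                                             vsftpd_under_xinetd(chkconfig_output))]


if __name__ == "__main__":
    for code, why in audit_vsftpd(parse_vsftpd_conf(SAMPLE_CONF),
                                   vsftpd_under_xinetd(SAMPLE_CHKCONFIG)):
        print(f"{code}: {why}")
```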
Monday, December 6, 2010
Changing the Informix database server listening port
Operating system version:
$ oslevel -r   # in this article, $ denotes commands run as the informix user
5100-02
Database version:
$ onstat -
Informix Dynamic Server Version 9.40.FC1
Environment: the database host has two network interfaces, each connected to a different subnet, as shown below:
$ ifconfig -a
en0: flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
inet 192.168.1.135 netmask 0xffffffff broadcast 192.168.1.255
inet6 fe80::202:55ff:fe9a:d927/64
tcp_sendspace 131072 tcp_recvspace 65536
en2: flags=4e080863<UP,BROADCAST,NOTRAILERS,RUNNING,SIMPLEX,MULTICAST,GROUPRT,64BIT,PSEG>
inet 172.16.1.228 netmask 0xfffffff0 broadcast 172.16.1.255
inet6 fe80::204:acff:fe57:7b45/64
Currently the Informix database server listens on port 1526, bound to the en2 interface (172.16.1.228), as shown below:
$ netstat -an | grep 1526
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 172.16.1.228.1526 *.* LISTEN
We now want to change the Informix listening port to 1435 and bind the service to the en0 interface (192.168.1.135). The steps are as follows:
1. Back up the sqlhosts file
$ cp $INFORMIXDIR/etc/sqlhosts $INFORMIXDIR/etc/sqlhosts.bak
2. Edit the sqlhosts file
First, view the contents of the sqlhosts file:
$ cat $INFORMIXDIR/etc/sqlhosts
#**************************************************************************
#
# INFORMIX SOFTWARE, INC.
#
# PROPRIETARY DATA
#
# THIS DOCUMENT CONTAINS TRADE SECRET DATA WHICH IS THE PROPERTY OF
# INFORMIX SOFTWARE, INC. THIS DOCUMENT IS SUBMITTED TO RECIPIENT IN
# CONFIDENCE. INFORMATION CONTAINED HEREIN MAY NOT BE USED, COPIED OR
# DISCLOSED IN WHOLE OR IN PART EXCEPT AS PERMITTED BY WRITTEN AGREEMENT
# SIGNED BY AN OFFICER OF INFORMIX SOFTWARE, INC.
#
# THIS MATERIAL IS ALSO COPYRIGHTED AS AN UNPUBLISHED WORK UNDER
# SECTIONS 104 AND 408 OF TITLE 17 OF THE UNITED STATES CODE.
# UNAUTHORIZED USE, COPYING OR OTHER REPRODUCTION IS PROHIBITED BY LAW.
#
#
# Title: sqlhosts.demo
# Sccsid: @(#)sqlhosts.demo 9.2 7/15/93 15:20:45
# Description:
# Default sqlhosts file for running demos.
#
#**************************************************************************
dbcs onsoctcp 172.16.1.228 1526
Edit $INFORMIXDIR/etc/sqlhosts, change 172.16.1.228 to 192.168.1.135 and 1526 to 1435, then save and exit.
3. Restart the Informix database
$ onmode -ky   # shut down the Informix database
$ oninit -v    # start the Informix database
4. Check the Informix database server listening port
$ netstat -an | grep 1435
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.135.1435 *.* LISTEN
As shown above, the Informix listening port has been successfully changed to 1435 and the service is now bound to the en0 interface (192.168.1.135).
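As an added example (not the post's own commands; the helper names are hypothetical), the shell functions below automate steps 1, 2 and 4: back up sqlhosts, rewrite the host and port of one dbservername entry, and confirm the new listener from netstat output. The sample sqlhosts entry and netstat lines are constructed from the values in the post.

```shell
#!/bin/sh
# Added example, not from the original post: automate the sqlhosts edit with a
# backup and verify the listener afterwards. Helper names are hypothetical;
# sample data is constructed from the values in the post.

# sqlhosts_set_endpoint FILE DBSERVER NEWHOST NEWPORT
# Backs FILE up to FILE.bak, then rewrites the hostname and servicename
# columns of the entry whose dbservername is DBSERVER.
sqlhosts_set_endpoint() {
    file="$1"; dbserver="$2"; host="$3"; port="$4"
    cp "$file" "$file.bak" || return 1
    # Columns: dbservername nettype hostname servicename [options]; '#' lines are comments.
    awk -v s="$dbserver" -v h="$host" -v p="$port" '
        $0 !~ /^[[:space:]]*#/ && $1 == s { $3 = h; $4 = p }
        { print }' "$file.bak" > "$file"
}

# sqlhosts_endpoint FILE DBSERVER -> prints "hostname servicename" of that entry
sqlhosts_endpoint() {
    awk -v s="$2" '$0 !~ /^[[:space:]]*#/ && $1 == s { print $3, $4; exit }' "$1"
}

# listener_present NETSTAT_OUTPUT HOST PORT
# Succeeds when the AIX-style "netstat -an" output has a tcp LISTEN socket
# bound to HOST.PORT (whole-field match, so 1435 does not match 14350).
listener_present() {
    printf '%s\n' "$1" | awk -v ep="$2.$3" \
        '$1 ~ /^tcp/ && $4 == ep && $NF == "LISTEN" { found = 1 } END { exit found ? 0 : 1 }'
}

# Constructed sample sqlhosts (the single entry from the post) and netstat output.
SQLHOSTS=$(mktemp)
printf '%s\n' '# constructed sample sqlhosts' 'dbcs onsoctcp 172.16.1.228 1526' > "$SQLHOSTS"
NETSTAT_AFTER='Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 192.168.1.135.1435 *.* LISTEN'
```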
Saturday, December 4, 2010
How to handle ^H appearing when pressing Backspace in sqlplus on Linux/Unix
In sqlplus on Linux/Unix, pressing Backspace to delete characters you have typed produces ^H instead. For users accustomed to deleting with Backspace this is very awkward, even though the Ctrl+Backspace combination still deletes. The symptom is as follows:
The terminal settings can be changed with the stty command so that Backspace deletes, as follows:
[oracle@RHEL5 ~]$ id
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(asadmin)
[oracle@RHEL5 ~]$ stty erase ^h
To restore deletion with the Ctrl+Backspace combination, run the following:
[oracle@RHEL5 ~]$ id
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(asadmin)
[oracle@RHEL5 ~]$ stty erase ^?
All terminal settings can also be viewed with stty -a:
[oracle@RHEL5 ~]$ id
uid=501(oracle) gid=501(oinstall) groups=501(oinstall),502(dba),503(asadmin)
[oracle@RHEL5 ~]$ stty -a
speed 38400 baud; rows 42; columns 132; line = 0;
intr = ^C; quit = ^\; erase = ^?; kill = ^U; eof = ^D; eol = <undef>; eol2 = <undef>; swtch = <undef>; start = ^Q; stop = ^S;
susp = ^Z; rprnt = ^R; werase = ^W; lnext = ^V; flush = ^O; min = 1; time = 0;
-parenb -parodd cs8 -hupcl -cstopb cread -clocal -crtscts
-ignbrk -brkint -ignpar -parmrk -inpck -istrip -inlcr -igncr icrnl ixon -ixoff -iuclc -ixany -imaxbel -iutf8
opost -olcuc -ocrnl onlcr -onocr -onlret -ofill -ofdel nl0 cr0 tab0 bs0 vt0 ff0
isig icanon iexten echo echoe echok -echonl -noflsh -xcase -tostop -echoprt echoctl echoke
Applying an ACL on a physical port of a Huawei S9312 switch
VRP version:
<SW9312>dis ver
Huawei Versatile Routing Platform Software
VRP (R) software, Version 5.50 (S9300 V100R002C00SPC200)
Copyright (C) 2003-2010 HUAWEI TECH CO., LTD
Quidway S9312 Terabit Routing Switch
There are five main steps:
1. Define an ACL:
[SW9312]acl number 3002
rule 15 deny ip source 10.10.10.10 0 destination 20.20.20.0 0.0.0.255
2. Define a classifier and associate it with the ACL defined above:
[SW9312]traffic classifier test
[SW9312-classifier-test]if-match acl 3002
3. Define a behavior and specify the action to take:
[SW9312]traffic behavior test
[SW9312-behavior-test]deny
4. Define a policy that binds the classifier to the behavior:
[SW9312]traffic policy test
[SW9312-trafficpolicy-test]classifier test behavior test
5、在物理端口下应用policy:
[SW9312-GigabitEthernet1/0/20]traffic-policy test inbound
Finally, save the configuration:
<SW9312>save
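As an added check (not part of the original post), the script below lints a configuration for a broken ACL -> classifier -> behavior -> policy -> interface chain: if any link refers to something that was never defined, the deny rule is silently never enforced on the port. The command names are the ones used in the five steps above; the "display current-configuration" layout of the constructed sample and the helper name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. The configuration layout (as
# printed by "display current-configuration") is an assumption; the command
# names come from the five steps in the post.

# vrp_policy_chain_check CONFIG_TEXT
# Prints one line per dangling reference; exit status 0 when the chain is
# complete, 1 otherwise.
vrp_policy_chain_check() {
    printf '%s\n' "$1" | awk '
        /^acl number /                         { acl[$3] = 1 }
        /^traffic classifier /                 { cls[$3] = 1 }
        /^traffic behavior /                   { beh[$3] = 1 }
        /^traffic policy /                     { pol[$3] = 1 }
        /^[[:space:]]+if-match acl /           { ref_acl[$3] = 1 }
        /^[[:space:]]+classifier .* behavior / { ref_cls[$2] = 1; ref_beh[$4] = 1 }
        /^[[:space:]]+traffic-policy /         { ref_pol[$2] = 1 }
        END {
            bad = 0
            for (a in ref_acl) if (!(a in acl)) { print "classifier references undefined acl " a; bad = 1 }
            for (c in ref_cls) if (!(c in cls)) { print "policy references undefined classifier " c; bad = 1 }
            for (b in ref_beh) if (!(b in beh)) { print "policy references undefined behavior " b; bad = 1 }
            for (p in ref_pol) if (!(p in pol)) { print "interface applies undefined traffic-policy " p; bad = 1 }
            exit bad
        }'
}

# Constructed sample: the complete five-step chain from the post...
GOOD_CFG='acl number 3002
 rule 15 deny ip source 10.10.10.10 0 destination 20.20.20.0 0.0.0.255
traffic classifier test
 if-match acl 3002
traffic behavior test
 deny
traffic policy test
 classifier test behavior test
interface GigabitEthernet1/0/20
 traffic-policy test inbound'

# ...and the same chain with step 3 (the behavior definition) left out.
BAD_CFG=$(printf '%s\n' "$GOOD_CFG" | grep -Ev '^traffic behavior |^ deny$')
```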