Thursday, November 14, 2013

Dutch intelligence agency prepares for large-scale wiretapping of IP networks

Dutch secret service prepares for wiretapping of IP networks on a large scale!

News:
http://www.volkskrant.nl/vk/nl/2686/Binnenland/article/detail/3541591/2013/11/09/Nederland-bestelt-een-nog-verboden-spionagesysteem.dhtml

In Summary:

The Dutch AIVD (Dutch NSA counterpart) has ordered equipment to wiretap IP links for €17 million. Doing "undirected" surveillance is currently only legal in the Netherlands for signals that are not carried over cables (e.g. broadcast signals). With this move, the agency is anticipating a law change, which will allow it to wiretap cables to do undirected (mass) surveillance.


<human translation>
The Dutch intelligence agency has procured equipment similar to that of the US intelligence agencies, in order to wiretap networks and telephones. Although this activity is currently still prohibited by law, the head of the agency considers that law outdated.
</human translation>

So... finally, it comes...


Saturday, August 17, 2013

RAID-1 (mirror) on FreeNAS boot disk

Although FreeNAS mounts the boot disk read-only, there is still a chance that the boot disk goes bad. The traditional way to fix a broken boot disk is to reinstall FreeNAS on a new boot disk and import the backed-up config. However, this method may mean longer downtime, and in the worst case the backup config may not even be up to date.

Using RAID-1 (mirror) on the boot disk is a good choice to reduce this kind of impact, and it can usually be done through a hardware RAID card. If there is no hardware RAID card, software RAID is also a good choice. However, during or after installation there is no menu option to create software RAID for the boot disk.

Luckily, FreeNAS is based on FreeBSD, which provides a super easy way to set up software RAID manually. Here are the steps.

Assume the boot disk is SATA "/dev/ada0" and the mirror disk is SATA "/dev/ada1". From the console, select 9 to launch a shell, then enter the following commands.
# sysctl kern.geom.debugflags=16
# gmirror label -v -b round-robin gm0 /dev/ada0
# gmirror insert gm0 /dev/ada1

The system will automatically rebuild onto the newly added disk, /dev/ada1, and while that runs the mirror status will show DEGRADED. For example,
# gmirror status
      Name    Status  Components
mirror/gm0  DEGRADED  ada0
                      ada1 (64%)

After the automatic rebuild, the mirror status will become COMPLETE. For example,
# gmirror status
      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)

In case the boot disk (assume "/dev/ada0") is broken and needs to be replaced, here is the procedure (gmirror forget takes only the mirror name and drops every component that is no longer connected):
# gmirror forget gm0
[unplug /dev/ada0, and plug in a new disk]
# gmirror insert gm0 /dev/ada0

The system will again automatically rebuild /dev/ada0. During the rebuild the system keeps running without problems.

*Note*
FreeNAS loads the geom_mirror module by default, and uses GEOM labels in /etc/fstab rather than physical disk names. Hence there is no need to modify /boot/loader.conf or /etc/fstab.
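An added example, not from the original post: a small health check that parses the output of `gmirror status` (the two samples below are constructed to match the listings above) and tells you whether the boot mirror is COMPLETE or still DEGRADED, plus the rebuild percentage of any component that is still syncing. On a real box you would feed it `$(gmirror status)` from cron and alert on the non-zero exit; the sample-driven main() is only there so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): parse `gmirror status` and
# report the mirror state. Constructed samples mirror the post's listings.

SAMPLE_DEGRADED='      Name    Status  Components
mirror/gm0  DEGRADED  ada0
                      ada1 (64%)'

SAMPLE_COMPLETE='      Name    Status  Components
mirror/gm0  COMPLETE  ada0 (ACTIVE)
                      ada1 (ACTIVE)'

# gmirror_state TEXT -> prints "<mirror> <status> <component-count>"
gmirror_state() {
    printf '%s\n' "$1" | awk '
        NR == 1 { next }                                   # header line
        $1 ~ /^mirror\// { name = $1; status = $2; n = 1; next }
        NF > 0 { n++ }                                     # continuation line
        END { print name, status, n }'
}

# gmirror_syncing TEXT -> prints "<component> <percent>" for a component that
# is still rebuilding, e.g. "ada1 64%"; prints nothing when nothing is syncing.
gmirror_syncing() {
    printf '%s\n' "$1" | awk '{
        for (i = 2; i <= NF; i++)
            if ($i ~ /^\([0-9]+%\)$/)
                print $(i - 1), substr($i, 2, length($i) - 2)
    }'
}

# mirror_healthy TEXT -> exit 0 only when the mirror reports COMPLETE
mirror_healthy() {
    set -- $(gmirror_state "$1")
    [ "$2" = "COMPLETE" ]
}

# Real usage on FreeBSD/FreeNAS (assumption: run as root, gmirror present):
#   mirror_healthy "$(gmirror status)" || logger -p daemon.warning "boot mirror degraded"
main() {
    for s in "$SAMPLE_DEGRADED" "$SAMPLE_COMPLETE"; do
        if mirror_healthy "$s"; then
            echo "OK:   $(gmirror_state "$s")"
        else
            echo "WARN: $(gmirror_state "$s") rebuilding: $(gmirror_syncing "$s")"
        fi
    done
}
main
```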

Tuesday, July 23, 2013

Juniper/Cisco Switch L2 Spanning-tree inter-op (config on Juniper side)

RSTP is a standard, is supported on every other vendor's switch platforms, and is mostly the default spanning-tree protocol.

However, from a certain IOS version Cisco can no longer be configured for plain RSTP. Instead, its proprietary Rapid PVST became the default, with no way to go back to RSTP. It shows how evil Cisco is.

Cisco also sends VLAN-1 traffic untagged on an 802.1q trunk interface by default, even when no native VLAN id has been explicitly configured on the interface. It is again another stupid Cisco design.

The following is a sample configuration on a Juniper EX switch to make it inter-operate with a Cisco switch: RSTP on the Juniper side and Rapid PVST on the Cisco side.
interfaces {
    ge-0/0/15 {
        description "## Cisco-SW g0/23 ##";
        ether-options {
            speed {
                1g;
            }
            802.3ad ae3;
        }
    }
    ge-1/0/15 {
        description "## Cisco-SW g0/24 ##";
        ether-options {
            speed {
                1g;
            }
            802.3ad ae3;
        }
    }
    ae3 {
        aggregated-ether-options {
            no-flow-control;
            minimum-links 1;
            link-speed 1g;
            lacp {
                active;
            }
        }
        unit 0 {
            family ethernet-switching {
                port-mode trunk;
                vlan {
                    members [ VLAN-10 VLAN-20 ];
                }
                native-vlan-id 1;
            }
        }
    }
}
protocols {
    rstp;
}
vlans {
    VLAN-1 {
        description "## Native VLAN for Spanning-Tree ##";
        vlan-id 1;
    }
    VLAN-10 {
        vlan-id 10;
        l3-interface vlan.10;
    }
    VLAN-20 {
        vlan-id 20;
        l3-interface vlan.20;
    }
}
All I can say is we should dump Cisco and go for other vendors.

Wednesday, December 19, 2012

What is the difference between DHCPv6 and DHCPv4?

This is something I wrote a long time ago; I recall digging it out once last year or so. I just stumbled on it again while looking for something on my hard disk, so I'm adding a bit, translating it into Chinese and posting it here as an off-site backup.


What is the difference between DHCP6 and DHCP4?

Here are a few differences worth noting:

1. They are two completely different protocols:
  • DHCP4 was built by extending BOOTP, an ancient protocol
  • DHCP6 is a protocol developed from scratch; it improves on some of the less efficient behaviours of DHCPv4.
2. Multicast:
  • Like many IPv6 protocols, DHCP6 communicates over multicast for efficiency, instead of the broadcast used by DHCPv4.
3. Link-local address:
  • Because multicast is used, an IP address is needed before a request packet can be sent, rather than just a MAC address as in DHCPv4. DHCP6 clients therefore use the IPv6-specific link-local address to send their DHCP6 request packets.
4. Completes in a single message exchange:
  • A client can send the requirements of all of its interfaces to the DHCP6 server in a single DHCP6 request, and the server can supply the data each interface needs (e.g. IP addresses) to the client in one go. This is more efficient than multiple requests.
5. Stateful or stateless:
  • DHCP6 can operate in stateful or stateless mode.
  • Stateful means the client obtains its IPv6 address and other data from the DHCP6 server; this mode is almost identical to how DHCP4 works.
  • Stateless means the client obtains its IPv6 address some other way (e.g. SLAAC), and DHCP6 is only used to provide other information, such as DNS server data.

6. DHCP6 cannot provide default gateway (default router) information
  • One of the most criticised problems of DHCP6 is that it cannot provide default gateway information to the client; RA (router advertisement) must be used instead.
NOTE:
  • Because of this DHCP6/RA pairing, and some over-idealistic assumptions in the design of RA, network design, management and troubleshooting need extra steps. When enterprises adopt IPv6 they have to revise their client-network standard operating procedure (SOP) documents on a large scale, which is a high hidden cost.
  • This functional defect of DHCP6 has been debated for a long time (many people raised doubts as soon as DHCPv6 came out, and I went and took a few shots at it myself ^_^), but the two camps are deadlocked, so the fix is still at the draft stage: the first version of the fix was proposed in 2011, the latest, fifth, version was proposed in August 2012, and the draft has still not been adopted. ( http://tools.ietf.org/html/draft-ietf-mif-dhcpv6-route-option-05 )

A small aside this time.

IPv6 is already ten or twenty years old, and most of the advantages it had back then have by now been eroded by fixes and developments in the IPv4 protocol family. From an enterprise network point of view, the only benefit of IPv6 that really helps business operations is "lots of IP addresses". Most of its other original selling points can be achieved in the existing environment, with solutions that are already quite mature and stable. The things that cannot be done apart from the number of addresses are, frankly, things an enterprise doesn't need or doesn't care about.

Monday, December 17, 2012

GRE keep-alive on Juniper J-/SRX ?

GRE itself is purely session-less and has no built-in mechanism to detect tunnel status. Different vendors therefore created different methods to check GRE tunnel status.

For example, Cisco IOS can configure "keepalive" on the GRE interface, and Juniper JUNOS can configure "keepalive" under the [edit protocols oam gre-tunnel interface-name] level.

Unfortunately, the Juniper J-series and SRX do not support [protocols oam] at this moment. The unconditionally "up" status on the GRE interface could potentially lead to a black hole.

In my environment I do have BGP peering over the GRE tunnel between the devices at the two ends. Fortunately I can use BFD on the BGP peering session to detect connectivity and react to network failure more quickly.

It's very easy to configure BFD on Juniper's BGP protocol, as below

[edit protocols bgp group XXX] or
[edit protocols bgp group XXX neighbor YYY]
set bfd-liveness-detection minimum-interval 1000

The unit of the interval is ms, hence 1000 means 1 second.

During the setup of BFD the original BGP session status is intact. It is safe to set up BFD on one side and then work on the other side. Also the "clear bfd adaptation" command is hitless.

It is always good to have OAM or BFD when running things over Metro-E or a tunnel.

Saturday, December 15, 2012

Juniper SRX-100, GRE over IPsec and Bypass Session Table

Juniper made a very unwelcome decision to terminate packet-mode JUNOS on the J-series router from 9.4, which indeed created lots of concerns for some people, such as me, who use the J-series router as a "real" router.

Since then we need to worry about new sessions per second, as well as concurrent sessions, when we deploy and operate the router. The new SRX firewall, according to some rumours I heard, may eventually retire the J-series router. Juniper also advertises the SRX as a firewall and "security" router for branch offices.

The only reason I can imagine is that some politics inside the company prevents the product management team from listening to customers and insists that "security router" is a good selling point. However, Juniper must be fully aware of the burden of the session table when the J-series and/or SRX are deployed as a pure router. Otherwise the "packet-mode" and "selective packet-mode" functions would not have been created.

Back in packet-mode JUNOS it was a happy time to play with the J-series router with every capability, including IPsec VPN. With flow-mode JUNOS, turning the router into packet-mode means we are no longer able to create IPsec VPNs to remote sites, but running in flow-mode makes our NOC nervous, worrying about session table usage all the time.

According to the selective-packet-mode document, if we can establish GRE over IPsec to the remote site, and put the GRE interface and all down-link interfaces into packet-mode, we should be able to bypass session creation on those interfaces; it turns out we should have only a very limited number of sessions related to IPsec itself rather than the huge number of user sessions that travel through the box.

Since the requirement is to carry layer-3 IP traffic to the remote site rather than layer-2 frames, TCP should be able to adjust its MTU size by itself (path MTU discovery) rather than rely on the fragmentation / reassembly mechanism when user packets are encapsulated into GRE. So the involvement of IDP is not necessary (J-/SRX use the IDP module to reassemble GRE packets... another weird / bad decision.)

The following is the configuration and a performance test using two SRX-100s to demo this idea.

/* == SRX-100 VPN Box @ LAB2 == */
interfaces {
    fe-0/0/0 {
        description "## PC under LAB2 ##";
        unit 0 {
            family inet {
                filter {
                    input packet-mode-ipv4;
                }
                address 10.2.0.254/24;
            }
        }
    }
    gr-0/0/0 {
        description "## GRE overhead 24 bytes ##";
        unit 1 {
            description "## GRE to HQ ##";
            tunnel {
                source 172.31.0.2;
                destination 172.31.0.1;
                path-mtu-discovery;
            }
            family inet {
                mtu 1400;
                filter {
                    input packet-mode-ipv4;
                }
                address 10.0.0.2/30;
            }
        }
    }
    fe-0/0/3 {
        description "## Internet Uplink ##";
        unit 0 {
            family inet {
                address 2.2.2.2/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.2.253/32 {
                    primary;
                    preferred;
                }
                address 172.31.0.2/32;
            }
        }
    }
    st0 {
        description "## IPsec overhead (proposal std/std) 62 bytes ##";
        unit 1 {
            description "## ipsec to HQ ##";
            family inet {
                mtu 1438;
            }
        }
    }
}
routing-options {
    rib inet.0 {
        static {
            /* == default route to Internet == */
            route 0.0.0.0/0 next-hop 2.2.2.254;
            /* == HQ GRE End-Point == */
            route 172.31.0.1/32 next-hop st0.1;
            /* == HQ PC == */
            route 192.168.101.0/24 next-hop 10.0.0.1;
        }
    }
}
security {
    ike {
        policy ike_pol_hq {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "MYKEY";
        }
        gateway gw_hq {
            ike-policy ike_pol_hq;
            address 1.1.1.1;
            local-identity inet 2.2.2.2;
            external-interface fe-0/0/3.0;
        }
    }
    ipsec {
        policy ipsec_pol_hq {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn hq {
            bind-interface st0.1;
            vpn-monitor;
            ike {
                gateway gw_hq;
                ipsec-policy ipsec_pol_hq;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy untrust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                fe-0/0/0.0;
                gr-0/0/0.1;
                st0.1;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/3.0;
            }
        }
    }
}
firewall {
    family inet {
        filter packet-mode-ipv4 {
            term all-packet-mode {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
/* == END of config on VPN Box @ LAB2 == */


/* =============================================== */


/* == SRX-100 VPN Box @ HQ == */
interfaces {
    fe-0/0/0 {
        description "## PC under HQ ##";
        unit 0 {
            family inet {
                filter {
                    input packet-mode-ipv4;
                }
                address 192.168.101.254/24;
            }
        }
    }
    gr-0/0/0 {
        description "## GRE overhead 24 bytes ##";
        unit 2 {
            description "## GRE to LAB2 ##";
            tunnel {
                source 172.31.0.1;
                destination 172.31.0.2;
                path-mtu-discovery;
            }
            family inet {
                mtu 1400;
                filter {
                    input packet-mode-ipv4;
                }
                address 10.0.0.1/30;
            }
        }
    }
    fe-0/0/3 {
        description "## Internet Uplink ##";
        unit 0 {
            family inet {
                address 1.1.1.1/24;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 10.0.1.253/32 {
                    primary;
                    preferred;
                }
                address 172.31.0.1/32;
            }
        }
    }
    st0 {
        description "## IPsec overhead (proposal std/std) 62 bytes ##";
        unit 2 {
            description "## ipsec to lab2 ##";
            family inet {
                mtu 1438;
            }
        }
    }
}
routing-options {
    rib inet.0 {
        static {
            /* == default route to Internet == */
            route 0.0.0.0/0 next-hop 1.1.1.254;
            /* == LAB2 GRE End-Point == */
            route 172.31.0.2/32 next-hop st0.2;
            /* == LAB2 PC == */
            route 10.2.0.0/24 next-hop 10.0.0.2;
        }
    }
}
security {
    ike {
        policy ike_pol_lab2 {
            mode main;
            proposal-set standard;
            pre-shared-key ascii-text "MYKEY";
        }
        gateway gw_lab2 {
            ike-policy ike_pol_lab2;
            address 2.2.2.2;
            local-identity inet 1.1.1.1;
            external-interface fe-0/0/3.0;
        }
    }
    ipsec {
        policy ipsec_pol_lab2 {
            perfect-forward-secrecy {
                keys group2;
            }
            proposal-set standard;
        }
        vpn hq {
            bind-interface st0.2;
            vpn-monitor;
            ike {
                gateway gw_lab2;
                ipsec-policy ipsec_pol_lab2;
            }
            establish-tunnels immediately;
        }
    }
    alg {
        dns disable;
        ftp disable;
        h323 disable;
        mgcp disable;
        msrpc disable;
        sunrpc disable;
        real disable;
        rsh disable;
        rtsp disable;
        sccp disable;
        sip disable;
        sql disable;
        talk disable;
        tftp disable;
        pptp disable;
    }
    flow {
        tcp-session {
            no-syn-check;
            no-syn-check-in-tunnel;
            no-sequence-check;
        }
    }
    policies {
        from-zone trust to-zone untrust {
            policy trust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone untrust {
            policy untrust-to-untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone trust {
            policy trust-to-trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lo0.0;
                fe-0/0/0.0;
                gr-0/0/0.2;
                st0.2;
            }
        }
        security-zone untrust {
            screen untrust-screen;
            host-inbound-traffic {
                system-services {
                    ping;
                    ike;
                }
            }
            interfaces {
                fe-0/0/3.0;
            }
        }
    }
}
firewall {
    family inet {
        filter packet-mode-ipv4 {
            term all-packet-mode {
                then {
                    packet-mode;
                    accept;
                }
            }
        }
    }
}
/* == END of config on VPN Box @ HQ == */

/* =============================================== */

/*== iperf tcp performance test from lab2 to hq == */

ylchang@lab2pc:~> iperf -mN -i 1 -w 1m -c 192.168.101.101
------------------------------------------------------------
Client connecting to 192.168.101.101, TCP port 5001
TCP window size: 1.00 MByte (WARNING: requested 1.00 MByte)
------------------------------------------------------------
[  3] local 10.2.0.202 port 52399 connected with 192.168.101.101 port 5001
[ ID] Interval       Transfer     Bandwidth
[  3]  0.0- 1.0 sec  5.88 MBytes  49.3 Mbits/sec
[  3]  1.0- 2.0 sec  4.88 MBytes  40.9 Mbits/sec
[  3]  2.0- 3.0 sec  5.00 MBytes  41.9 Mbits/sec
[  3]  3.0- 4.0 sec  5.00 MBytes  41.9 Mbits/sec
[  3]  4.0- 5.0 sec  5.12 MBytes  43.0 Mbits/sec
[  3]  5.0- 6.0 sec  5.12 MBytes  43.0 Mbits/sec
[  3]  6.0- 7.0 sec  5.00 MBytes  41.9 Mbits/sec
[  3]  7.0- 8.0 sec  5.12 MBytes  43.0 Mbits/sec
[  3]  8.0- 9.0 sec  5.12 MBytes  43.0 Mbits/sec
[  3]  9.0-10.0 sec  5.12 MBytes  43.0 Mbits/sec
[  3]  0.0-10.0 sec  51.5 MBytes  43.1 Mbits/sec
[  3] MSS size 1348 bytes (MTU 1388 bytes, unknown interface)
/*== End of iperf tcp performance test == */

With this configuration we successfully bypass session creation when traffic travels through the IPsec VPN between sites. The entire box has only 5 sessions (including the telnet session I used to log in) even when the user PCs create tens of thousands of connections across the sites.
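An added example, mine and not part of the original post: the MTU budget behind the configuration above, carried through in shell so each layer can be checked. The per-layer overheads (IPsec 62 bytes for proposal-set standard, GRE 24 bytes) and the interface MTUs (st0 1438, gr-0/0/0 1400) are the post's own figures. The 1500-byte uplink MTU, the 40-byte IPv4+TCP header and the 12-byte TCP timestamp option are my assumptions, and they are what turn the 1400-byte GRE MTU into the "MSS size 1348 bytes (MTU 1388 bytes)" line iperf printed; the post's 1400 sits 14 bytes under the computed maximum of 1414, which is the headroom that keeps PMTUD from having to trim anything.

```shell
#!/bin/sh
# Added example (not from the original post): GRE-over-IPsec MTU/MSS budget.

WAN_MTU=1500        # assumption: plain Ethernet on the fe-0/0/3 uplink
IPSEC_OVERHEAD=62   # post: "IPsec overhead (proposal std/std) 62 bytes"
GRE_OVERHEAD=24     # post: "GRE overhead 24 bytes"
IP_TCP_HDR=40       # assumption: IPv4 header 20 + TCP header 20, no options
TCP_TS_OPT=12       # assumption: TCP timestamp option negotiated by both hosts

# Largest packet the IPsec tunnel interface (st0) carries un-fragmented.
st0_mtu() { echo $((WAN_MTU - IPSEC_OVERHEAD)); }

# Largest packet that still fits once GRE is nested inside IPsec.
gre_max_mtu() { echo $(($(st0_mtu) - GRE_OVERHEAD)); }

# MSS a host derives from an interface MTU (mtu - IP header - TCP header).
mss_for_mtu() { echo $(($1 - IP_TCP_HDR)); }

# Effective MSS once 12 bytes of timestamp option ride in every segment.
mss_with_timestamps() { echo $(($(mss_for_mtu "$1") - TCP_TS_OPT)); }

# iperf -m reports MSS + 40 as the MTU it infers when the interface is unknown.
iperf_reported_mtu() { echo $(($1 + IP_TCP_HDR)); }

# Does an inner packet of this size cross GRE-over-IPsec without fragmentation?
fits_tunnel() { [ $(($1 + GRE_OVERHEAD + IPSEC_OVERHEAD)) -le "$WAN_MTU" ]; }

main() {
    gre_mtu=1400    # value chosen in the post, below the computed maximum
    echo "st0 MTU           : $(st0_mtu)"
    echo "max GRE MTU       : $(gre_max_mtu)  (post uses $gre_mtu)"
    echo "MSS for GRE MTU   : $(mss_for_mtu "$gre_mtu")"
    echo "MSS w/ timestamps : $(mss_with_timestamps "$gre_mtu")"
    echo "iperf 'MTU'       : $(iperf_reported_mtu "$(mss_with_timestamps "$gre_mtu")")"
    for size in "$gre_mtu" "$(gre_max_mtu)" 1500; do
        if fits_tunnel "$size"; then
            echo "inner $size bytes: fits"
        else
            echo "inner $size bytes: would fragment"
        fi
    done
}
main
```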

Sunday, April 29, 2012

Xiaoyu Kitchen (小玉廚房): the sous-chef's improvised shiitake chicken soup while the head chef is visiting her parents

Shiitake chicken soup should traditionally use an old free-range chicken, shiitake mushrooms (button-sized ones are cute and have a stronger flavour), old ginger and spring onion segments, simmered for over an hour to be properly tasty. Some people sneak in a little rock sugar for seasoning.

Since the head chef is away at her parents', the sous-chef, me, will just throw together something creative~
Two chicken thighs, deboned and cut into small pieces, marinated in rice wine for half a day to a day
A dozen or so dried shiitake (button mushrooms), rinsed and soaked in cold water
About 200 g carrot, cut into small pieces
Half a bunch of spring onions cut into segments, white parts only
Several thick slices of old ginger
Salt and white pepper to taste
Put the thigh bones, ginger, spring onion, carrot and shiitake (with the soaking water) in a pot, bring to the boil, skim the scum, and simmer 20~30 minutes. Then add the thigh meat, bring to the boil over high heat, skim, simmer 10 more minutes over low heat, season with salt and white pepper, let it rest 20 minutes to calm down, and serve.

Sunday, March 11, 2012

Next TV (壹電視) set-top box

The Next TV set-top box (網樂通) is pretty good, but the trouble is that it uses a P2P architecture and spawns sessions like crazy. Normally that is not a big problem, but with a fussy ISP (one that cares a lot about P2P) it becomes a big hassle.

I recently bought a TP-LINK TL-WR1043ND toy, flashed DD-WRT onto it for the extra features, of course, and then also blocked the set-top box's connections so AT&T doesn't come knocking.

Next TV basically only needs ICMP (ping), DNS (tcp/udp 53), NTP (udp 123) and HTTP/HTTPS (tcp 80/443). Below is the list of Next TV server networks:
63.221.156.0/24
80.77.6.0/24
203.69.108.0/23
203.192.135.0/24
203.208.204.0/24

Below are the DD-WRT firewall rules (go in via the web admin interface, Administration --> Commands, enter the commands below in the command shell, then press Save Firewall)
iptables -I FORWARD 1 -i br0 -p icmp \
 -s [BOX-IP] -j ACCEPT
iptables -I FORWARD 2 -i br0 -p udp -m multiport \
 -s [BOX-IP] --dport 53,123 -j ACCEPT
iptables -I FORWARD 3 -i br0 -p tcp \
 -s [BOX-IP] --dport 53 -j ACCEPT
iptables -I FORWARD 4 -i br0 -p tcp -m multiport \
 -s [BOX-IP] -d 63.221.156.0/24 --dport 80,443 -j ACCEPT
iptables -I FORWARD 5 -i br0 -p tcp -m multiport \
 -s [BOX-IP] -d 80.77.6.0/24 --dport 80,443 -j ACCEPT
iptables -I FORWARD 6 -i br0 -p tcp -m multiport \
 -s [BOX-IP] -d 203.192.135.0/24 --dport 80,443 -j ACCEPT
iptables -I FORWARD 7 -i br0 -p tcp -m multiport \
 -s [BOX-IP] -d 203.208.204.0/24 --dport 80,443 -j ACCEPT
iptables -I FORWARD 8 -i br0 -p tcp -m multiport \
 -s [BOX-IP] -d 203.69.108.0/23 --dport 80,443 -j ACCEPT
iptables -I FORWARD 9 -i br0 -s [BOX-IP] -j REJECT
(lines ending in \ continue on the next line)
That's all... heh heh heh~~~
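An added example, mine rather than the post's or DD-WRT's: generate the same allow-list from the server networks above instead of hand-numbering `-I FORWARD N` rules, so adding a network or reloading the rules cannot reorder them. Design choice of mine: the box's rules live in their own chain (`ETV_BOX`, a name I made up) with a trailing REJECT, so that chain is a default-deny for that one host and can be flushed and rebuilt atomically; only the LAN-side (`br0`) traffic from the box's address is steered into it. The ports and networks are the post's; the box address `192.168.1.50` in main() is a constructed placeholder, and the multiport option is written as `--dports`. The function prints the commands rather than running them, so you can review the output before pasting it into the Commands page.

```shell
#!/bin/sh
# Added example (not from the original post): emit iptables rules for the
# set-top box from a network list, in a dedicated chain with default-deny.

ETV_CHAIN="ETV_BOX"   # chain name is my choice, not a DD-WRT default
LAN_IF="br0"          # DD-WRT LAN bridge, as in the post
ETV_NETS="63.221.156.0/24 80.77.6.0/24 203.69.108.0/23 203.192.135.0/24 203.208.204.0/24"

# valid_ipv4 ADDR -> exit 0 for a dotted quad with each octet in 0..255
valid_ipv4() {
    printf '%s' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) bad = 1 }
        END { exit (NR == 0 || bad) ? 1 : 0 }'
}

# gen_etv_rules BOX_IP -> prints the iptables commands (does not run them)
gen_etv_rules() {
    box="$1"
    valid_ipv4 "$box" || { echo "gen_etv_rules: bad address '$box'" >&2; return 1; }
    # create the chain on first run, flush it on reloads
    echo "iptables -N $ETV_CHAIN 2>/dev/null || iptables -F $ETV_CHAIN"
    # the post's minimum: ping, DNS over udp/tcp, NTP
    echo "iptables -A $ETV_CHAIN -p icmp -j ACCEPT"
    echo "iptables -A $ETV_CHAIN -p udp -m multiport --dports 53,123 -j ACCEPT"
    echo "iptables -A $ETV_CHAIN -p tcp --dport 53 -j ACCEPT"
    # HTTP/HTTPS only to the vendor's own networks
    for net in $ETV_NETS; do
        echo "iptables -A $ETV_CHAIN -p tcp -m multiport -d $net --dports 80,443 -j ACCEPT"
    done
    # everything else from the box is refused (this is the P2P traffic)
    echo "iptables -A $ETV_CHAIN -j REJECT"
    # steer the box's LAN traffic into the chain; -D first so reloads don't duplicate
    echo "iptables -D FORWARD -i $LAN_IF -s $box -j $ETV_CHAIN 2>/dev/null"
    echo "iptables -I FORWARD 1 -i $LAN_IF -s $box -j $ETV_CHAIN"
}

main() {
    # constructed placeholder address; substitute the real box IP
    gen_etv_rules "${1:-192.168.1.50}"
}
main "$@"
```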

Thursday, January 5, 2012

VMware Workstation 7's bridged network eats IPv6 packets

Recently, for no reason I can tell, IPv6 on the bridged network of VMware Workstation in my lab started working only intermittently, then deteriorated to not working at all. I spent several days on it and couldn't fix it. Just now, on a whim, I switched to VirtualBox and everything works...

While debugging I stared at packets in Wireshark until my eyes almost fell out... the packets clearly go in, but the guest OS simply never receives them. The VMware bridged network card must be starving and eating packets at random!

Conclusion: I want to throw a grenade!

Saturday, December 17, 2011

Xiaoyu Kitchen: tomato shacha beef thick soup

Xiaoyu Kitchen, no-recipe cook-as-you-go: "tomato shacha beef thick soup":
(This was an unplanned soup, so whatever was in the fridge went in)
-------
About 1 kg beef cut into large chunks (about two mahjong tiles stacked), blanched to remove the blood
About 1~1.5 kg large red tomatoes, chopped (choose a less sweet, more fragrant variety)
One carrot cut into chunks (about 1/3 the size of the beef)
About 100 g old ginger cut into thick slices, three or four small bird's-eye chillies slit open
About 100 g spring onion cut into short segments, three or four cloves of garlic crushed
About 1 rice bowl of shacha sauce (drain off as much oil as possible)

Stir-fry the spring onion, ginger, garlic and chilli in a little hot oil, add the tomato & carrot and keep frying until the vegetables smell fragrant. Then add enough water to cover and simmer 10-20 minutes; add the shacha sauce & beef and keep simmering gently 30-40 minutes until the beef is tender. Remove the ginger & chilli and serve.

If you can't take heat, reduce the chilli, but you must fry some bird's-eye chilli in with the aromatics or the fragrance won't be complete. Shacha sauce is already very salty, so normally no salt is needed.
---------
Boil some noodles, ladle the beef soup over them, and you have tomato shacha beef noodles!
Steaming white rice with the tomato shacha beef soup over it is also incredibly good!

Tuesday, November 29, 2011

Xiaoyu Kitchen: daikon and pork bone cold-dispelling soup

Xiaoyu Kitchen no-recipe home cooking: "daikon and pork bone cold-dispelling soup":
-------
About 2 kg pork spare ribs or leg bones, chopped into large pieces and lightly cracked with a hammer
About 1 kg daikon radish, roll-cut into chunks
About 200 g old ginger, crushed, & salt & white pepper to taste - wrapped in a muslin herb bag as a seasoning sachet
About 2~3 litres of cold water.
Bring the daikon to the boil in the cold water, add the bones & seasoning sachet, and keep going until it boils hard.
While it boils, keep skimming the scum off with a fine mesh skimmer until no more scum appears.
Put it in a thermal cooker for 4~5 hours; when serving, remove the surface fat with a fine skimmer (oil strainer) or Japanese stewing paper and serve.
-------
Old ginger can be replaced with galangal, which works better for bloating, indigestion & dispelling cold. Galangal is much harder than old ginger and can't be crushed with a cleaver; wrap it in gauze and crack it with a hammer, or slice it (also hard to cut).

Old ginger (ginger root) and galangal are different things. California probably has enough Asian immigrants that these are all fairly easy to buy; many Southeast Asian items are even easier to find than in Taiwan. Galangal should be in the Asian food section at Safeway or some of the larger supermarkets, but prices vary a lot.

Thursday, June 30, 2011

Sample PBR on ScreenOS

The following is a sample Policy Based Routing (PBR) configuration on Juniper ScreenOS (NetScreen & SSG)
set policy id 1

set vrouter "trust-vr"

  set access-list extended 1 dst-port \
    <PortRangeStart>-<PortRangeEnd> \
    protocol <TCP-or-UDP-or> entry 1

  set match-group name <Match-Group-Rule-Name>

  set match-group <Match-Group-Rule-Name> ext-acl 1 \
    match-entry 1

  set action-group name <Action-Group-Rule-Name>

  set action-group <Action-Group-Rule-Name> \
    next-interface <nexthop-interface> action-entry 1

  set pbr policy name <PBR-Policy-Name>

  set pbr policy <PBR-Policy-Name> match-group \
    <Match-Group-Rule-Name> action-group \
    <Action-Group-Rule-Name> 1

  set pbr <PBR-Policy-Name>

exit

set interface <Interface-of-Traffic-to-be-PBR> \
  pbr <PBR-Policy-Name>
(join the two lines broken by \)

Thursday, March 10, 2011

The Tourist

The sexy, romantic and thrilling "Anthony Zimmer" was remade into the boring "The Tourist"!

Sophie Marceau, who gives generous fan service in "Anthony Zimmer", became a tightly wrapped-up Angelina Jolie ... Orz... Speaking of which, why has Angelina Jolie been making one bad film after another lately... give me my money back~~

Anthony Zimmer is a French film released in 2005; a Taiwanese DVD came out with the title 『色計』... which sounds like a soft-porn title ^_*
My wife's verdict on Sophie Marceau in this film: "the moment she walks on screen, my drool hits the floor... (big heart!)"

I wrote some thoughts after watching Anthony Zimmer before: http://ylchang.blogspot.com/2006/06/anthony-zimmer.html but the pictures in that original post have gone missing.

Thursday, March 3, 2011

Fuel label on my car

This is what the fuel label looks like on my car, a 2007-model VW Passat 4-door.
The reason I uploaded this picture is that I don't know how to embed a photo in a comment on blogspot ^_^

Sunday, February 27, 2011

The downside of "never tiring" earphones

Last month, while back in Taiwan, my earphones broke, and I hastily bought a pair on PCHOME that claim you never get tired listening to them.


After using them for a while, I found that the design's strength brings a weakness with it: "in noisy places you simply can't hear the sound coming out of the earphones"... Quite Orz for phone calls....

Also the ear hooks get tangled with the arms of my glasses, something I hadn't thought about before buying. After wearing contact lenses for a while I'd completely forgotten that glasses have arms...

Saturday, January 22, 2011

Revisiting Vanilla Ice's To The Extreme

These past few days I dug out Vanilla Ice's 1990 album To The Extreme and listened to it again. The reason is that The Vanilla Ice Project, the home-renovation reality show he started on DIY Network last year, has recently been rebroadcast on HGTV.

Although these are 20-year-old songs, the whole drive and punch, to this hip hop layman, could flatten a boatload of current groups... His slick-haired pretty-boy look singing hip hop feels quite peculiar.

The most famous track on this album is Ice Ice Baby; many people probably heard it as kids.

Tuesday, January 18, 2011

Spring onion egg roll

As usual... no pictures on the blog, because
1. Taking photos disrupts the flow of cooking in one go
2. There's no time to take photos once it's done; people start grabbing before it reaches the table

Two eggs, plus 1 ~ 1.5 eggs' worth of finely chopped "thin spring onion", about 1/4 of an egg's worth of water, and salt and pepper to taste, beaten into an egg mixture. If you like it very fluffy, beat a lot of air in forcefully with a whisk until the bubbles are fine and dense. If you like a bit of chew, don't beat too long, just lightly (but mix the white and yolk evenly, so no white streaks of egg white appear when fried.)

Our spring onion egg roll ends up more like a Western omelette (a thick roll) than the traditional Taiwanese spring onion egg (loose, or in one flat sheet.)

Put half a spoon of salad oil or vegetable oil in a non-stick pan, heat until it just begins to smoke faintly, then pour in the egg and start swirling the pan so the egg spreads evenly. When the edges begin to set, use an oiled spatula to fold both sides inward (about 2/3 of a palm width), then roll up from the other two ends into a roll about 2/3 of a palm wide. Once rolled, turn off the heat, leave it 15~20 seconds, flip the roll, leave it about 10 more seconds and take it out. (If using a pan that sticks, the oil has to be 6~10 times as much)

Rolling takes practice; the state of the roll tells you whether the rolling succeeded. If the surface is slightly moist and springy, and egg still runs out when cut, it wasn't overcooked.


This is a convenient home dish for breakfast, but chopping the fine spring onion and rolling the egg turn it into a labour-intensive dish.

** If you don't like white pepper, coarse black pepper gives a different flavour **

Monday, January 3, 2011

Variations on oatmeal porridge

Continuing the previous post.... once you've cooked the slime-like super tasty oatmeal, you can freely vary it, savoury or sweet.

Add dried fruit (raisins, dried cranberries, dried cherries) plus nuts and coarse brown sugar (or black sugar), and it becomes a sweet mixed-nut porridge.

Add seaweed powder, crumbled nori, bonito powder, bonito flakes, salt and white pepper (a packet of seaweed soup mix saves time), whisk in an egg, and it becomes a seaweed-flavoured savoury porridge.

Saturday, January 1, 2011

How to cook tasty oatmeal

Old-fashioned oats with just enough "cold" water to cover, cooked over medium-low heat until boiling, then add "ice-cold" milk and cook over low heat until it boils again.
Absolutely never use high heat; this way you get super tasty oatmeal like slime!! If you like some texture, throw in a handful of oats when adding the cold milk.
After adding the cold milk (it must be cold), only low heat is allowed. Stir gently and continuously from start to finish, never stop, otherwise you get a burnt crust and a bitter taste... and the whole pot of slime is ruined...

Tuesday, December 14, 2010

ipv6 nat (nat66) by Juniper ScreenOS

ScreenOS is the operating system on Juniper SSG & NS devices (formerly NetScreen).

There is no clear document stating that ScreenOS can perform nat66 (at least Juniper does not use the term "nat66"). However, if one follows the ScreenOS release notes carefully, it follows as a consequence.
set policy id 1 from "Trust" to "Untrust"  \
    "Any-IPv6" "Any-IPv6" "ANY" nat src permit
set policy id 1
Where obviously the keyword "nat" does the trick!

Tuesday, November 16, 2010

ipv6 nat (nat66) by FreeBSD pf

Although nat66 is still a draft, FreeBSD pf has supported it for a long time.
(edit pf.conf and insert the following lines)
v6_wan_if="your-v6-wan-interface-name"
v6_wan_ip="your-v6-wan-ip-address"

no nat on $v6_wan_if inet6 from $v6_wan_ip to any
nat on $v6_wan_if inet6 from any to any -> $v6_wan_ip    
You are all set!

Monday, November 15, 2010

Papermaster has gone to work at Cisco

Hmm~ Papermaster has gone to work at Cisco... is Jobs ready to sue? :p :p
http://www.theregister.co.uk/2010/11/15/apple_cisco/

The Register (http://theregister.co.uk/)

Apple antennagate scapegoat scooped up by Cisco
Boardroom-hopping exec joins networking giant


Mark Papermaster, whom Apple had such a hard time wresting from IBM in 2008, and who took much of the flak for the iPhone's dodgy antenna, has moved on to Cisco...

Tuesday, October 5, 2010

Below is a reply I posted on a friend's Facebook post

Below is a reply I posted on a friend's Facebook post,

"Many people believe that a monk from afar chants scriptures more effectively, so when you have an ailment that needs curing you should invite a monk to chant the Great Compassion Mantra. The problem is that the monk from afar doesn't understand the situation, grabs the Rebirth Mantra and starts chanting furiously... and very effectively sends you into the next life..."

After writing it, I realised it applies in many places...

There is also another kind: having listened to the monk chant, they think they can do it too, and start chanting by imitation... not realising that the skill of N-in-one body-and-spirit unity with an undistracted mind while chanting can't be picked up by watching; in the end they chant themselves into hell... and what's worse, not just themselves, they drag everyone around them down too, and then blame the monk for not saving them..

The monk isn't the King of Hell... having been chased away, how would he know someone went to hell...

Saturday, September 25, 2010

Random phone photos of South Lake Tahoe

In mid-September, on the way back from watching the Air Racing & Air Show at Reno Stead Field, I dropped by Lake Tahoe. Because of time I only wandered around the south side. As usual, random shots with my phone.

This time let's see how Flickr's embedded HTML code looks on blogspot ^_^

Wednesday, September 15, 2010

Testing Flickr

http://www.flickr.com/photos/ylchang/tags/roadtrip201009/show/
Testing Flickr by putting up the iPhone photos from a few days ago... Frankly, Flickr's interface isn't good... shall I say "come on, Yahoo"?

Tuesday, August 31, 2010

Xiaoyu Kitchen: Shanghai vegetable rice, a great success!!!

Vegetable rice originally came from housewives in the Jiangsu-Zhejiang area mixing leftovers into rice as lunch for husbands going out to work the next day; later restaurants in Shanghai started selling it and it became known as Shanghai vegetable rice. Freshly made vegetable rice of course has no leftovers mixed in, but basically it has to reach a state of "not being deliberate" to taste good.

Three or four Chinese cured sausages (lap cheong), cut into small slices and dry-fried until the fat renders; add two or three handfuls of bok choy (chopped), stir briefly, pour in two or three cups of raw rice and two or three cups of water (swap the water for chicken stock if you like a stronger taste), stir briefly and simmer, covered, for twenty to thirty minutes.

Although the ingredients are prepared "without being deliberate" about exact weights, the cooking can't be "too casual". The simmering time is important: too short and it becomes zosui (the way poor Japanese households stretch insufficient rice), too long and it dries out and doesn't taste good either.

If you can't get bok choy, use xuelihong (pickled potherb mustard). If there's no lap cheong, Taiwanese sausage can substitute (preferably air-dried first so the flavour is closer to lap cheong); if you really have none, ham will do (some restaurants use ham directly), but choose a stronger-flavoured ham.

My consistent rule is: never add MSG when cooking, and choose ingredients without MSG.

Oh, one more thing: the original vegetable rice is a heavily flavoured dish, because it was for manual labourers. Add some soft dried bean curd skin (tofu that has been fried then air-dried, different from the skin used for inari sushi) cut into small pieces or strips and simmer it in for a bit of soy aroma; it comes out lighter. The bean curd skin can be bought at Japanese supermarkets.

Sunday, August 29, 2010

Sync calendar/task/contact/notes between Google and MS-Outlook

The past couple of days I've been working on Outlook --> Google Calendar sync to merge the calendars on both sides.

But Google's own sync tool is really too basic; it messes up multi-day events, and Google Calendar is also pretty stupid: as soon as you edit something by hand it spams out junk mail... My apologies to friends who received my junk mail... Orz...

I just found a paid program, gSyncit, and tried it; it looks pretty good!

Syncing multi-day events doesn't get messed up, and timezone data is handled correctly. You can also choose not to send the attendee data up to Google, so even if you adjust things Google Calendar has no way to spam anyone. Great!

gSyncit costs US$14.99; I'll use it for a while first to see whether to pay for the full version ^_^

gSyncit: http://www.daveswebsite.com/software/gsync/index.shtml

Sunday, August 15, 2010

recover from an accidental upgrade to iPhone iOS 4.0.2

In case you accidentally "upgrade" an iPhone 4 to iOS 4.0.2, use the following procedure to recover it back to 4.0.1.

a) download iOS 4.0.1 from http://tinyurl.com/38rlu54
b) power off the phone, plug it into the PC, press and hold "home"+"power" until iTunes recognizes it
c) select the iOS 4.0.1 file while holding the "shift" key on the PC keyboard
d) iTunes will verify the firmware and recover the iPhone 4 with it


Voilà~ you are all set~

Friday, August 13, 2010

Enabling the iPhone 4's built-in tethering

Reference: http://forums.macrumors.com/showthread.php?t=984943

Those who can operate UNIX can vary this a bit: there's no need for Cyberduck or other SFTP software, just an ssh server reachable on the net. All the backups can also be uploaded directly to that ssh server.

Monday, July 26, 2010

Ruling Allows "Jailbreaking" of iPhones

Citation:  The New York Times.

Ruling Allows "Jailbreaking" of iPhones

WASHINGTON (AP) -- Owners of the iPhone will be able to legally break electronic locks on their devices in order to download software applications that haven't been approved by Apple Inc., according to new government rules announced Monday.

(read more on NY Times)