Sunday, August 29, 2010

A couple of interesting links

It's a few months old, but Sarah Mei's post about why she doesn't work at Google puts her finger on one of the differentiators between success and failure: smart people vs smart people who get shit done.

As I get older, I'm becoming more aware of the explicit and implicit ageism in tech.

This TechCrunch article saying women in tech should stop blaming the men because everyone loves the women pretty much assumes its conclusion from the get-go:

Success in Silicon Valley, most would agree, is more merit driven than almost any other place in the world. It doesn’t matter how old you are, what sex you are, what politics you support or what color you are. If your idea rocks and you can execute, you can change the world and/or get really, stinking rich.

Wednesday, August 25, 2010

Update on the SYN-less ACK problem

So, a while back, I mentioned a weird one I'd been seeing -- SYN-less ACKing.

Here's what we knew:
It only happened on the first connection.
And it only happened after the machine had been idle for a long period of time with respect to a given host.

It turns out that it's a known issue. According to Sun Oracle, it's part of CR 6942436.
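To make the symptom described above concrete, here is an added example (not code from the original post) that runs a stateful check over a constructed, tcpdump-style text log: it flags any ACK-bearing segment on a 4-tuple that never carried a SYN, and records how long that client had been quiet toward that server beforehand, so you can see whether the "first connection after a long idle" pattern holds. The log format, the sample lines and the `find_synless_acks` function name are my own assumptions.

```python
# Added example: detect "SYN-less ACK" segments in a tcpdump-like text log.
# Not from the original post; the log format below is constructed for the demo.

# Constructed sample. Fields: "timestamp src:port > dst:port flags"
# tcpdump flag letters: S = SYN, . = ACK, P = PSH, F = FIN, R = RST.
SAMPLE_LOG = """\
1000.000 10.0.0.5:40001 > 10.0.0.9:22 S
1000.001 10.0.0.9:22 > 10.0.0.5:40001 S.
1000.002 10.0.0.5:40001 > 10.0.0.9:22 .
1000.010 10.0.0.5:40001 > 10.0.0.9:22 P.
1000.500 10.0.0.5:40001 > 10.0.0.9:22 F.
8200.000 10.0.0.5:40002 > 10.0.0.9:22 .
8200.001 10.0.0.9:22 > 10.0.0.5:40002 R
8200.100 10.0.0.5:40003 > 10.0.0.9:22 S
8200.101 10.0.0.9:22 > 10.0.0.5:40003 S.
8200.102 10.0.0.5:40003 > 10.0.0.9:22 .
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, flags)."""
    ts, src, _arrow, dst, flags = line.split()
    return float(ts), src, dst, flags


def find_synless_acks(log_text, idle_threshold=3600.0):
    """Return one finding per ACK-bearing segment whose 4-tuple never saw a SYN.

    A SYN or SYN-ACK registers the flow (both directions). Pure RSTs are
    ignored because a server answering a stray ACK with RST is expected.
    Each finding carries how long the client host had been silent toward
    the server host, and whether that exceeds idle_threshold seconds.
    """
    seen_syn = set()   # frozenset({src, dst}) for flows with a handshake start
    last_seen = {}     # (src_host, dst_host) -> last timestamp in that direction
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, flags = parse_line(raw)
        key = frozenset((src, dst))
        src_host = src.rsplit(":", 1)[0]
        dst_host = dst.rsplit(":", 1)[0]
        if "S" in flags:
            seen_syn.add(key)
        elif "." in flags and "R" not in flags and key not in seen_syn:
            # First time we see this pair of hosts counts as idle 0
            idle = ts - last_seen.get((src_host, dst_host), ts)
            findings.append({
                "ts": ts,
                "src": src,
                "dst": dst,
                "idle_seconds": idle,
                "after_long_idle": idle >= idle_threshold,
            })
        last_seen[(src_host, dst_host)] = ts
    return findings


if __name__ == "__main__":
    for f in find_synless_acks(SAMPLE_LOG):
        print(f"{f['ts']:.3f} {f['src']} -> {f['dst']}: ACK without SYN "
              f"after {f['idle_seconds']:.1f}s idle (long idle: {f['after_long_idle']})")
```

On the sample, the only hit is the 40002 connection: it opens with a bare ACK roughly two hours after the previous traffic from that client to that server, and the server, having no state for it, answers with a RST, which is exactly the shape of the symptom.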

Sunday, August 22, 2010

on the less technical more feminist side of things

Mentoring is a good thing. I'd missed this report about mentoring at Sun Computer. It includes some mentoring best practices (and some "what not to do"), among other things.

And for a frivolous bit of feminism, I find the twitter feed from FEMINIST HULK often amusing and occasionally charming. Samples: "HULK FIND COMPLICITY BETWEEN ALL SYSTEMS OF OPPRESSION. RESULT: HULK HAVE VERY DIVERSE PORTFOLIO OF SMASH." and "BIG GREEN FISTS NOT ONLY WAY TO SMASH PATRIARCHY. BUT HULK REALLY LIKE CONFETTI-EFFECT OF PRETTY HEGEMONIC DEBRIS."

Wednesday, August 18, 2010

OMGCOOL Map of undersea cables.

This is very cool.

http://www.cablemap.info/, a map of undersea cables.

I wish they'd put the split somewhere on a continent so the Pacific Ocean was a single map section. Ah well.

Sunday, August 15, 2010

NOC NOC.

A few links about NOC-building:
Ringel/Brown presentation from NANOG 24
TERENA NOC group
The ITIL Visible Ops handbook, which is more process than NOC, but still pretty good.

Unrelatedly, a businessy article about gender in the workplace and how not to do it.

Wednesday, August 11, 2010

Vacation and one-to-one NAT on a Juniper Netscreen

Sorry - forgot to mention I was going on vacation. Mmmm. Sweet vacation.

Anyways, back to the nerdy salt mines.

There are a couple of ways to do address translation on a Juniper Netscreen firewall. The simplest is a "MIP", or Mapped IP. This creates a one-to-one NAT that can work in either direction, and no port translation is done. You define a MIP on a specific interface that handles the subnet the NAT is on (the ingress interface).

So if you're setting up a NAT where folks on the Untrust network can talk to a host on the Trust network using a NAT address in the Untrust zone, you'd set it up on the interface in the Untrust zone.

From the GUI, it's Network > Interfaces > Edit > MIP (List). From the CLI, assuming this is all in the "trust-vr" virtual router, the command looks like this:

set interface "ethernetX/X" mip {nat address} host {real internal address} netmask 255.255.255.255 vr "trust-vr"

e.g., assuming my outside NAT address is 10.1.1.100 on interface 3/2 and my internal address is 192.168.1.100:

set interface "ethernet3/2" mip 10.1.1.100 host 192.168.1.100 netmask 255.255.255.255 vr "trust-vr"

When making policies via the GUI, the Untrust zone will include "MIP(10.1.1.100)", so you can just select that as destination and the firewall will do the right thing for inbound traffic. For outbound traffic, select the internal real address as the source, and the Netscreen will do the right thing and NAT the traffic as it leaves the outgoing interface.
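Because a MIP is a one-to-one mapping with a /32 host mask, most mistakes are small ones: a NAT address that isn't on the ingress interface's subnet, a mask that isn't /32, or a mistyped "private" address that is actually routable (172.168.x.x, for instance, is not in 172.16.0.0/12). Here is an added example, not code from the post or from Juniper, that builds the `set interface ... mip` command shown above from its parameters and runs those sanity checks first. The `ethernetX/X` name pattern, the interface subnet 10.1.1.0/24 and the function names are my assumptions; the command grammar is the one the post gives.

```python
# Added example: render and sanity-check a ScreenOS one-to-one MIP command.
# Not from the original post or from Juniper; the checks are my own.
import ipaddress
import re

# Constructed values matching the post's example. The interface subnet is an
# assumption made so the "NAT address on the ingress interface" check can run.
INTERFACE = "ethernet3/2"
INTERFACE_SUBNET = "10.1.1.0/24"
NAT_ADDRESS = "10.1.1.100"
HOST_ADDRESS = "192.168.1.100"
VROUTER = "trust-vr"

# Assumed interface naming pattern (ethernetX/X as written in the post).
_IFNAME = re.compile(r"^ethernet\d+/\d+$")


def check_mip(interface, interface_subnet, nat_address, host_address,
              netmask="255.255.255.255"):
    """Return a list of problems; an empty list means the MIP looks sane."""
    problems = []
    if not _IFNAME.match(interface):
        problems.append(f"interface {interface!r} is not of the form ethernetX/X")
    subnet = ipaddress.ip_network(interface_subnet, strict=False)
    nat = ipaddress.ip_address(nat_address)
    host = ipaddress.ip_address(host_address)
    # The MIP is defined on the interface that handles the NAT address's subnet.
    if nat not in subnet:
        problems.append(f"NAT address {nat} is outside the ingress subnet {subnet}")
    elif nat in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"NAT address {nat} is the network or broadcast address")
    # One-to-one MIP maps a single host, so the mask must be /32.
    if netmask != "255.255.255.255":
        problems.append(f"netmask {netmask} is not /32; a one-to-one MIP maps one host")
    # Catch typos such as 172.168.x.x, which is routable, not RFC 1918.
    if not host.is_private:
        problems.append(f"real host address {host} is not an RFC 1918 address; check for a typo")
    if host == nat:
        problems.append("NAT address and real host address are identical; nothing is translated")
    return problems


def build_mip_command(interface, nat_address, host_address, vrouter,
                      netmask="255.255.255.255"):
    """Render the set-interface MIP command in the form the post shows."""
    return (f'set interface "{interface}" mip {nat_address} host {host_address} '
            f'netmask {netmask} vr "{vrouter}"')


if __name__ == "__main__":
    issues = check_mip(INTERFACE, INTERFACE_SUBNET, NAT_ADDRESS, HOST_ADDRESS)
    if issues:
        print("Not emitting a command:")
        for issue in issues:
            print("  -", issue)
    else:
        print(build_mip_command(INTERFACE, NAT_ADDRESS, HOST_ADDRESS, VROUTER))
```

Running it as-is prints the same command as the post's example; swapping the host for 172.168.1.100 or the NAT address for something off the 10.1.1.0/24 subnet produces an explanation instead of a command.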

About Me

Regis has worked as a network engineer since 1994 for small companies and for large companies.