
Posts

rsync example

The -u switch in rsync does not seem to work between different file systems. It is supposed to skip files that are already newer on the destination (it is --update, not --ignore-existing), but between UFS and EXT3 in my doings it did not skip them at all. A likely cause is timestamp precision: ext3 stores whole-second modification times, so a file copied from a file system with finer-grained timestamps can end up looking older than its source and is sent again. Using the --size-only switch alongside -u is a workaround, since it decides by size alone and ignores timestamps. Example rsync for my reference:

rsync -airu --size-only /source/dir /dest/dir

-a archive mode
-i itemise the changes made
-r recursive (already implied by -a)
-u skip files that are newer on the receiver (--update)
--size-only skip files whose size already matches, ignoring times

If the goal really is to leave every file that already exists on the destination alone, --ignore-existing does exactly that. See man rsync.

Mikrotik VRRP

VRRP example. Note: the virtual IP is added to the VRRP interface as a /32 address; each router keeps its own real address on ether1 and only 10.10.10.100 is shared.

R1

/interface vrrp add arp=enabled authentication=none disabled=no interface=ether1 interval=1s mtu=1500 name=PW-VRRP on-backup="" on-master="" password="" preemption-mode=yes priority=100 version=2 vrid=108
/ip address add address=10.10.10.1/24 interface=ether1
/ip address add address=10.10.10.100/32 interface=PW-VRRP

R2

/interface vrrp add arp=enabled authentication=none disabled=no interface=ether1 interval=1s mtu=1500 name=PW-VRRP on-backup="" on-master="" password="" preemption-mode=no priority=90 version=2 vrid=108
/ip address add address=10.10.10.2/24 interface=ether1
/ip address add address=10.10.10.100/32 interface=PW-VRRP

R1 (priority 100, preemption on) is the master and takes the virtual IP back whenever it returns; R2 (priority 90) only holds it while R1 is down. With authentication=none and an empty password, any host on the same segment can send a VRRP advertisement for vrid 108 with a higher priority (up to 254) and become master, pulling all traffic for 10.10.10.100 through itself. RouterOS VRRP version 2 supports authentication=simple (cleartext password) or authentication=ah; version 3 has no authentication at all. Neither option is strong, so on a segment you do not fully control also block VRRP (IP protocol 112, destination 224.0.0.18) from untrusted ports.
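The election and the takeover risk described above, as a small simulation added here (not RouterOS code, and not from the original post). It models the R1/R2 configuration: highest priority wins, the current master keeps its role unless a higher-priority router with preemption enabled appears, and VRRP v2 simple authentication is modelled as a shared password carried in each advertisement. The rogue router, the password value and the per-router password attribute are constructed for the example.

```python
# Added example: VRRP master election as the page's R1/R2 config sets it up,
# plus what authentication=none permits. Not RouterOS code; the "rogue" router
# and the password "s3cret" are constructed for illustration.

VRID = 108


class VrrpRouter:
    def __init__(self, name, priority, preempt, password=None):
        self.name = name
        self.priority = priority          # 1..254; 255 is reserved for the address owner
        self.preempt = preempt            # preemption-mode=yes/no (a local setting)
        self.password = password          # None models authentication=none

    def advertisement(self):
        return {"vrid": VRID, "src": self.name,
                "priority": self.priority, "password": self.password}

    def accepts(self, advert):
        """Drop advertisements for another vrid or with the wrong password."""
        if advert["vrid"] != VRID:
            return False
        if self.password is None:         # authentication=none: everything is trusted
            return True
        return advert["password"] == self.password


def elect(listener, alive, current_master):
    """Who `listener` believes is master after hearing every router in `alive`."""
    heard = {r.name: r for r in alive if listener.accepts(r.advertisement())}
    if not heard:
        return None
    best = max(heard.values(), key=lambda r: r.priority)
    if current_master in heard:
        cur = heard[current_master]
        # a higher-priority router only takes over if it is allowed to preempt
        if best.priority > cur.priority and best.preempt:
            return best.name
        return cur.name
    return best.name                      # master went silent: failover


def run(listener, steps):
    """Feed successive sets of live routers through the election; return the master after each."""
    master, history = None, []
    for alive in steps:
        master = elect(listener, alive, master)
        history.append(master)
    return history


def failover_scenario():
    """R1 up, R1 fails, R1 returns: R1 preempts because preemption-mode=yes."""
    r1 = VrrpRouter("R1", 100, preempt=True)
    r2 = VrrpRouter("R2", 90, preempt=False)
    return run(r2, [[r1, r2], [r2], [r1, r2]])


def hijack_scenario(password):
    """A rogue host on the segment advertises priority 254 without a password."""
    r1 = VrrpRouter("R1", 100, True, password)
    r2 = VrrpRouter("R2", 90, False, password)
    rogue = VrrpRouter("rogue", 254, True, None)
    return run(r2, [[r1, r2], [r1, r2, rogue]])


if __name__ == "__main__":
    print(failover_scenario())            # ['R1', 'R2', 'R1']
    print(hijack_scenario(None))          # ['R1', 'rogue']   authentication=none
    print(hijack_scenario("s3cret"))      # ['R1', 'R1']      authentication=simple
```

With authentication=none the rogue advertisement is accepted and wins on priority alone; with a shared password it is discarded before the election is even considered. The password itself travels in cleartext in v2 simple authentication, so this only stops an unprivileged host, not one that can sniff the segment.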

Simple Cisco PBR

Cisco PBR (Policy Based Routing) uses route-maps applied to the ingress interface. Suppose you have 2 ISPs on s0/0 and s0/1. You want traffic from the LAN interface (fa4) to be routed out one gateway or the other depending on traffic type. Here is how you would achieve that.

ip access-list extended s0_traffic
 permit tcp any any eq www ftp 22
!
ip access-list extended s1_traffic
 permit ip any any
!
route-map fa4_in permit 10
 match ip address s0_traffic
 set interface s0/0
!
route-map fa4_in permit 20
 match ip address s1_traffic
 set interface s0/1
!
interface fa4
 ip policy route-map fa4_in

set ip next-hop expects the gateway's IP address, not an interface name; on point-to-point serial links set interface does the same job, and set ip next-hop <ISP gateway IP> is the form to use on an Ethernet uplink. Neither checks that the ISP is actually reachable; set ip next-hop ... verify-availability with a tracked IP SLA probe does, if you need failover. Traffic that doesn't match any route-map statement uses the global routing table, so you could also just configure the s0/0 ACL and route-map and set up a default route for s0/1. The policy only applies to packets arriving on fa4; return traffic and the router's own traffic are routed normally.

Mikrotik PCC and PPPOE server

Here is a working set of mangle rules for a single Mikrotik router acting as a PPPoE server with 2 internet gateways. The first two rules tag connections that arrive from either ISP so their replies leave the same way they came in; the third splits new connections from the PPPoE pool (10.10.100.0/24) with the per-connection classifier (src-address-and-port:2/0 picks every connection whose hash of source address and port divides by 2 with remainder 0 for isp1); the fourth turns that connection-mark into the routing-mark to_isp1 for the pool's outbound packets. dst-address-type=!local keeps traffic aimed at the router itself out of the policy routes.

/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=isp1 new-connection-mark=isp1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    in-interface=isp2 new-connection-mark=isp2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=no \
    dst-address-type=!local new-connection-mark=isp1_conn passthrough=yes \
    per-connection-classifier=src-address-and-port:2/0 src-address=\
    10.10.100.0/24
add action=mark-routing chain=prerouting connection-mark=isp1_conn disabled=no \
    dst-address-type=!local new-routing-mark=to_isp1 passthrough=no \
    src-address=10.10.100.0/24
add action=mark-connection chain=prerou...
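How these mangle rules behave per packet, as a simulation added here (not RouterOS code and not part of the original post). It models conntrack plus the prerouting chain above, including the isp2 twins of the PCC and mark-routing rules, which the listing on this page is cut off before and are assumed here to mirror the isp1 ones with classifier 2/1. RouterOS's real PCC hash is not reproduced; crc32 stands in for it, and the router address 10.10.100.1, the PPPoE interface names and all IP addresses are constructed.

```python
# Added example: per-packet view of the page's PCC mangle rules.
# Assumptions: crc32 stands in for RouterOS's 32-bit PCC hash, 10.10.100.1 is the
# router's own address, and the isp2 rules mirror the isp1 ones with 2/1.
import ipaddress
import zlib

POOL = ipaddress.ip_network("10.10.100.0/24")   # src-address=10.10.100.0/24
LOCAL_ADDRS = {"10.10.100.1"}                   # dst-address-type=local
ISP_IFACES = {"isp1", "isp2"}


def pcc(src_addr, src_port, denominator, remainder):
    """per-connection-classifier=src-address-and-port:D/R (crc32 as stand-in hash)."""
    h = zlib.crc32(f"{src_addr}:{src_port}".encode())
    return h % denominator == remainder


def conn_key(pkt):
    """Direction-independent key, the way conntrack pairs both halves of a flow."""
    ends = sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
    return (pkt["proto"],) + tuple(ends)


class Mangle:
    def __init__(self):
        self.conntrack = {}                     # conn_key -> connection-mark

    def prerouting(self, pkt):
        """Return (connection-mark, routing-mark) for one packet."""
        key = conn_key(pkt)
        cmark = self.conntrack.get(key)
        from_pool = ipaddress.ip_address(pkt["src"]) in POOL
        to_internet = pkt["dst"] not in LOCAL_ADDRS
        if cmark is None:                       # connection-mark=no-mark
            if pkt["in"] in ISP_IFACES:         # rules 1-2: came in via an ISP
                cmark = pkt["in"] + "_conn"
            elif from_pool and to_internet:     # rule 3 (+ assumed 2/1 twin)
                cmark = "isp1_conn" if pcc(pkt["src"], pkt["sport"], 2, 0) else "isp2_conn"
            if cmark is not None:
                self.conntrack[key] = cmark     # mark-connection persists
        rmark = None                            # rule 4 (+ assumed isp2 twin)
        if cmark and from_pool and to_internet:
            rmark = "to_" + cmark[:-len("_conn")]
        return cmark, rmark


def split_scenario(n_ports=1000):
    """How many of n new client connections land on isp1 (expect roughly half)."""
    m = Mangle()
    marks = [m.prerouting({"proto": "tcp", "in": "pppoe-user1", "src": "10.10.100.5",
                           "sport": p, "dst": "203.0.113.10", "dport": 443})[0]
             for p in range(20000, 20000 + n_ports)]
    return marks.count("isp1_conn")


def sticky_scenario():
    """SYN out, SYN/ACK back, next packet out: one connection, one ISP throughout."""
    m = Mangle()
    syn = {"proto": "tcp", "in": "pppoe-user1", "src": "10.10.100.5", "sport": 40000,
           "dst": "203.0.113.10", "dport": 443}
    out1 = m.prerouting(syn)
    isp = out1[0][:-len("_conn")]
    reply = m.prerouting({"proto": "tcp", "in": isp, "src": "203.0.113.10", "sport": 443,
                          "dst": "10.10.100.5", "dport": 40000})
    out2 = m.prerouting(syn)
    return out1, reply, out2


def inbound_scenario():
    """A connection that arrives via isp2 (rule 2) must be answered via isp2."""
    m = Mangle()
    first = m.prerouting({"proto": "tcp", "in": "isp2", "src": "198.51.100.7", "sport": 5555,
                          "dst": "10.10.100.20", "dport": 22})
    answer = m.prerouting({"proto": "tcp", "in": "pppoe-user2", "src": "10.10.100.20", "sport": 22,
                           "dst": "198.51.100.7", "dport": 5555})
    return first, answer


if __name__ == "__main__":
    print(split_scenario(), sticky_scenario(), inbound_scenario())
```

The two-stage marking is the point: mark-connection runs once per connection, so every later packet, replies included, finds the mark in conntrack, and mark-routing only has to translate it into a routing-mark for packets that actually leave toward an ISP.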

Cisco Reflexive Access Lists

Cisco reflexive ACLs are a poor man's stateful firewall. If you don't have the luxury of the Advanced Security feature set, configuring these is your best bet. Take a simple example: a name server behind your router is doing a recursive lookup to another name server. The query leaves e0 from source port 2033 to UDP port 53, and the answer comes back from port 53 to port 2033. Port 2033 is chosen dynamically, so you could either allow any UDP traffic in on e0, or use reflexive ACLs: the outbound permit with reflect creates a temporary mirror-image entry for that exact session, and evaluate on the inbound ACL consults it.

ip access-list extended inbound
 permit icmp any any
 evaluate mytraffic
!
ip access-list extended outbound
 permit udp any any reflect mytraffic
!
interface e0
 ip access-group inbound in
 ip access-group outbound out

Verification:

show access-list mytraffic
 permit udp host 111.111.111.111 eq 53 host 192.168.1.100 eq 2033 (1 match) (time left 299)

Caveats: the entry lives for 300 seconds of inactivity by default (ip reflexive-list timeout changes this globally, timeout on the reflect line changes it per list); the outbound ACL above permits only UDP, so anything else leaving e0 is dropped by the implicit deny unless you add permits for it; and reflexive lists cannot follow protocols that negotiate extra ports mid-session, such as active FTP.
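The reflect/evaluate mechanics above, run over a constructed packet trace, as an example added here (not IOS code and not from the original post). It reproduces the two ACLs on e0 including their implicit deny, the mirrored temporary entry, the 300-second idle timer, and the show access-list line the page quotes. The trace, the second name server 203.0.113.5 and the timestamps are constructed.

```python
# Added example: Cisco reflexive ACL behaviour as a small state machine.
# Not IOS code; the packet trace and the address 203.0.113.5 are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "t direction proto src sport dst dport")


class ReflexiveList:
    """Temporary entries created by 'reflect NAME' and consulted by 'evaluate NAME'."""

    def __init__(self, timeout=300):            # Cisco default: ip reflexive-list timeout 300
        self.timeout = timeout
        self.entries = {}                         # mirrored 5-tuple -> expiry time

    def reflect(self, pkt):
        # mirror the permitted outbound packet: addresses and ports swapped
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        self.entries[key] = pkt.t + self.timeout

    def evaluate(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None:
            return False                          # nothing went out, nothing comes in
        if pkt.t > expiry:                        # idle timer ran out
            del self.entries[key]
            return False
        self.entries[key] = pkt.t + self.timeout  # matching traffic keeps the entry alive
        return True

    def show(self, now):
        """Roughly what 'show access-list mytraffic' prints: one line per live entry."""
        return [f"permit {p} host {s} eq {sp} host {d} eq {dp} (time left {int(exp - now)})"
                for (p, s, sp, d, dp), exp in self.entries.items() if exp >= now]


def filter_packet(mytraffic, pkt):
    """The page's 'inbound' and 'outbound' ACLs on e0, implicit deny included."""
    if pkt.direction == "out":
        if pkt.proto == "udp":                    # permit udp any any reflect mytraffic
            mytraffic.reflect(pkt)
            return "permit"
        return "deny"                             # implicit deny: only UDP may leave
    if pkt.proto == "icmp":                       # permit icmp any any
        return "permit"
    if mytraffic.evaluate(pkt):                   # evaluate mytraffic
        return "permit"
    return "deny"                                 # implicit deny


NS, HOST = "111.111.111.111", "192.168.1.100"
TRACE = [                                         # constructed trace, seconds since start
    Packet(0, "out", "udp", HOST, 2033, NS, 53),          # recursive query
    Packet(1, "in", "udp", NS, 53, HOST, 2033),           # the answer
    Packet(1, "in", "udp", NS, 53, HOST, 2034),           # wrong port: no entry
    Packet(2, "in", "udp", "203.0.113.5", 53, HOST, 2033),  # unsolicited "answer"
    Packet(5, "in", "icmp", "203.0.113.5", 0, HOST, 0),     # icmp permitted outright
    Packet(6, "out", "tcp", HOST, 40000, NS, 80),         # outbound ACL permits udp only
    Packet(400, "in", "udp", NS, 53, HOST, 2033),         # entry timed out at t=301
]


def run_trace():
    mytraffic = ReflexiveList()
    return [filter_packet(mytraffic, p) for p in TRACE]


def show_after_answer():
    """State at t=2, just after the answer: the line the page quotes."""
    mytraffic = ReflexiveList()
    for p in TRACE[:2]:
        filter_packet(mytraffic, p)
    return mytraffic.show(2)


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(f"t={p.t:<4} {p.direction:<3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
    print(show_after_answer())
```

The trace makes the limits visible as well as the feature: a reply to a port the host never used, or from a server the host never asked, is dropped; so is outbound TCP, because the page's outbound ACL only lists UDP; and a late reply after the idle timer has expired is dropped too.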