mirrors/cheat-sheets
1
0
Fork 0
mirror of https://github.com/yuriskinfo/cheat-sheets.git synced 2025-12-21 13:23:11 +01:00
Code Issues Packages Projects Releases Wiki Activity

ongoing additions, changes, and fixes

Browse Source
This commit is contained in:
yuriskinfo
2023-12-14 12:29:57 +02:00
parent 9c26f3077a
commit 657fdb2ac1
30 changed files with 4145 additions and 4141 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored Normal file
View File

@@ -0,0 +1,4 @@
#VS Code stuff
.vscode/*
*.code-workspace

10
CONTRIBUTING.md
View File

@@ -1,5 +1,5 @@
# Contributions
Contributions are welcome, of course. Any way will do:
* Open PR on any page you found bug/missing info
* Send me an email yuri@yurisk.info
* If we are connected, send me a message on LinkedIn https://www.linkedin.com/in/yurislobodyanyuk/
# Contributions
Contributions are welcome, of course. Any way will do:
* Open PR on any page you found bug/missing info
* Send me an email yuri@yurisk.info
* If we are connected, send me a message on LinkedIn https://www.linkedin.com/in/yurislobodyanyuk/

42
LICENSE
View File

@@ -1,21 +1,21 @@
MIT License
Copyright (c) 2021 Yuri Slobodyanyuk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
MIT License
Copyright (c) 2021 Yuri Slobodyanyuk
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

152
README.md
View File

@@ -1,76 +1,76 @@
# Configuration, Debug and Diagnostics cheat sheets for Network and Linux based equipment
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
Collection of cheat sheets to help you with hands-on tasks of troubleshooting and configuring the production equipment.
Make sure to __watch__ this repository to get notified on updates (usually updated once per week). Your stars on the repository as a sign that you found it useful are appreciated, thanks. I also blog at https://yurisk.info about these topics as well.
## Network and Security vendors (Fortinet, Cisco, Checkpoint, Rad, MRV, HP/Aruba)
[Fortigate debug and diagnose commands complete cheat sheet](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf)
[**Fortigate SSL VPN Hardening Guide**](cheat-sheets/fortigate-ssl-vpn-hardening-guide.adoc) [RU](https://habr.com/ru/articles/734044/) | [PDF](cheat-sheets/fortigate-ssl-vpn-hardening-guide.pdf)
[Fortianalyzer diagnose and debug cheat sheet](cheat-sheets/Fortianalyzer-debug-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortianalyzer-debug-cheat-sheet.pdf)
[Checkpoint cpstat tool complete cheat sheet](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.adoc) | [PDF](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.pdf)
[Checkpoint Firewalls Debug Cheat Sheet](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc)| [PDF](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.pdf)
[Cisco Nexus 9000 9k debug and diagnostic commands cheat sheet](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.pdf)
[Cisco CUCM/Unity/Presence useful CLI commands cheat sheets](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.pdf)
[RAD ETX 203, 205, 220 debug and information commands](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.pdf)
[MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.adoc) | [PDF](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.pdf)
[Aruba and HP switches debug and diagnostics commands](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.pdf)
[Aruba HP switches configuration examples cookbook](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc) | [PDF](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.pdf)
[Ruckus ICX switches 7150, 7250, 7450, 7650, 7750, 7850 diagnostics commands](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.pdf)
## Linux, FreeBSD, OpenBSD, and Open Source Tools
[Linux ip route reference by example](cheat-sheets/Linux-ip-route-reference-by-examples.adoc) | [PDF](cheat-sheets/Linux-ip-route-reference-by-examples.pdf)
[GNU tar archive manager cookbook of examples](cheat-sheets/gnu-tar-example-reference.adoc) | [PDF](cheat-sheets/gnu-tar-example-reference.pdf)
[Linux and PF BSD firewalls cheat sheet](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.adoc) | [PDF](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.pdf)
[Ubuntu Uncomplicated Firewall (ufw) cookbook of configuration examples](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.adoc) | [PDF](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.pdf)
[FreeBSD cheat sheet](/cheat-sheets/FreeBSD-cheat-sheet.adoc) | [PDF](/cheat-sheets/FreeBSD-cheat-sheet.pdf)
[Git and github.com commands cheat sheet](cheat-sheets/git-and-github-cheat-sheet.adoc) | [PDF](cheat-sheets/git-and-github-cheat-sheet.pdf)
[GNU screen terminal multiplexor cheat sheet](cheat-sheets/gnu-screen-cheat-sheet.adoc) | [PDF](cheat-sheets/gnu-screen-cheat-sheet.pdf)
[Links text browser cheat sheet](cheat-sheets/links-text-browser-cheat-sheet.adoc) | [PDF](cheat-sheets/links-text-browser-cheat-sheet.pdf)
[Ed text editor complete cheat sheet](cheat-sheets/ed-text-editor-cheat-sheet.adoc) | [PDF](cheat-sheets/ed-text-editor-cheat-sheet.pdf)
[ncftp Ftp Client Commands example cookbook](cheat-sheets/ncftp-commands-reference-by-example-cookbook.adoc) | [PDF](cheat-sheets/ncftp-commands-reference-by-example-cookbook.pdf)
[curl cookbook of examples](cheat-sheets/curl-cookbook-of-examples.adoc) | [PDF](cheat-sheets/curl-cookbook-of-examples.pdf)
## Apple macOS tools
[mdfind examples cheat sheet](cheat-sheets/macos-mdfind-examples-cheat-sheet.adoc) | [PDF](cheat-sheets/macos-mdfind-examples-cheat-sheet.pdf)
## Windows software and utilities
[FAR file manager cheat sheet of keyboard shortcuts](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc) | [PDF](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.pdf)
[Windows cmd.exe shell batch scripting cheat sheet](cheat-sheets/Windows-cmd-shell-batch-scripting-cheat-sheet.adoc) | [PDF](Windows-cmd-shell-batch-scripting-cheat-sheet.pdf)
## Amazon AWS CLI v2.x
[Route53 cheat sheet of examples](cheat-sheets/Route53-AWS-CLI-examples.adoc) | [PDF](cheat-sheets/Route53-AWS-CLI-examples.pdf)
# Configuration, Debug and Diagnostics cheat sheets for Network and Linux based equipment
[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
Collection of cheat sheets to help you with hands-on tasks of troubleshooting and configuring the production equipment.
Make sure to __watch__ this repository to get notified on updates (usually updated once per week). Your stars on the repository as a sign that you found it useful are appreciated, thanks. I also blog at https://yurisk.info about these topics as well.
## Network and Security vendors (Fortinet, Cisco, Checkpoint, Rad, MRV, HP/Aruba)
[Fortigate debug and diagnose commands complete cheat sheet](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.pdf)
[**Fortigate SSL VPN Hardening Guide**](cheat-sheets/fortigate-ssl-vpn-hardening-guide.adoc) [RU](https://habr.com/ru/articles/734044/) | [PDF](cheat-sheets/fortigate-ssl-vpn-hardening-guide.pdf)
[Fortianalyzer diagnose and debug cheat sheet](cheat-sheets/Fortianalyzer-debug-cheat-sheet.adoc) | [PDF](cheat-sheets/Fortianalyzer-debug-cheat-sheet.pdf)
[Checkpoint cpstat tool complete cheat sheet](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.adoc) | [PDF](cheat-sheets/Checkpoint-cpstat-complete-reference-cheat-sheet.pdf)
[Checkpoint Firewalls Debug Cheat Sheet](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc)| [PDF](/cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.pdf)
[Cisco Nexus 9000 9k debug and diagnostic commands cheat sheet](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.pdf)
[Cisco CUCM/Unity/Presence useful CLI commands cheat sheets](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.pdf)
[RAD ETX 203, 205, 220 debug and information commands](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.pdf)
[MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.adoc) | [PDF](cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.pdf)
[Aruba and HP switches debug and diagnostics commands](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.pdf)
[Aruba HP switches configuration examples cookbook](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc) | [PDF](/cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.pdf)
[Ruckus ICX switches 7150, 7250, 7450, 7650, 7750, 7850 diagnostics commands](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.adoc) | [PDF](cheat-sheets/Ruckus-Brocade-ICX-FastIron-switch-debug-nad-diagnostics-commands-cheat-sheet.pdf)
## Linux, FreeBSD, OpenBSD, and Open Source Tools
[Linux ip route reference by example](cheat-sheets/Linux-ip-route-reference-by-examples.adoc) | [PDF](cheat-sheets/Linux-ip-route-reference-by-examples.pdf)
[GNU tar archive manager cookbook of examples](cheat-sheets/gnu-tar-example-reference.adoc) | [PDF](cheat-sheets/gnu-tar-example-reference.pdf)
[Linux and PF BSD firewalls cheat sheet](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.adoc) | [PDF](cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.pdf)
[Ubuntu Uncomplicated Firewall (ufw) cookbook of configuration examples](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.adoc) | [PDF](/cheat-sheets/Ubuntu-ufw-firewall-cookbook.pdf)
[FreeBSD cheat sheet](/cheat-sheets/FreeBSD-cheat-sheet.adoc) | [PDF](/cheat-sheets/FreeBSD-cheat-sheet.pdf)
[Git and github.com commands cheat sheet](cheat-sheets/git-and-github-cheat-sheet.adoc) | [PDF](cheat-sheets/git-and-github-cheat-sheet.pdf)
[GNU screen terminal multiplexor cheat sheet](cheat-sheets/gnu-screen-cheat-sheet.adoc) | [PDF](cheat-sheets/gnu-screen-cheat-sheet.pdf)
[Links text browser cheat sheet](cheat-sheets/links-text-browser-cheat-sheet.adoc) | [PDF](cheat-sheets/links-text-browser-cheat-sheet.pdf)
[Ed text editor complete cheat sheet](cheat-sheets/ed-text-editor-cheat-sheet.adoc) | [PDF](cheat-sheets/ed-text-editor-cheat-sheet.pdf)
[ncftp Ftp Client Commands example cookbook](cheat-sheets/ncftp-commands-reference-by-example-cookbook.adoc) | [PDF](cheat-sheets/ncftp-commands-reference-by-example-cookbook.pdf)
[curl cookbook of examples](cheat-sheets/curl-cookbook-of-examples.adoc) | [PDF](cheat-sheets/curl-cookbook-of-examples.pdf)
## Apple macOS tools
[mdfind examples cheat sheet](cheat-sheets/macos-mdfind-examples-cheat-sheet.adoc) | [PDF](cheat-sheets/macos-mdfind-examples-cheat-sheet.pdf)
## Windows software and utilities
[FAR file manager cheat sheet of keyboard shortcuts](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc) | [PDF](cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.pdf)
[Windows cmd.exe shell batch scripting cheat sheet](cheat-sheets/Windows-cmd-shell-batch-scripting-cheat-sheet.adoc) | [PDF](Windows-cmd-shell-batch-scripting-cheat-sheet.pdf)
## Amazon AWS CLI v2.x
[Route53 cheat sheet of examples](cheat-sheets/Route53-AWS-CLI-examples.adoc) | [PDF](cheat-sheets/Route53-AWS-CLI-examples.pdf)

50
cheat-sheets/7zip-command-line-cookbook-of-examples.adoc
View File

@@ -1,25 +1,25 @@
= 7z Linux Command Line Cookbook of Examples
:homepage: https://github.com/yuriskinfo/cheat-sheets
:toc:
Author: https://www.linkedin.com/in/yurislobodyanyuk/
== Important facts about 7-zip
* 7-zip does NOT store the owner/group of the files/folders being archived, which is good for privacy, but may not suite your specifc use case, especially as a back up tool.
* 7-zip is a name of the compression tool created by Igor Pavlov.
* While Igor Pavlov provides Linux/macOS versions as well, another implementation by independent developer (Mohammed Adnene Trojette) has become wide used in the Linux realm - `p7zip`. This cookbook relates to this, independent version, so options and switches may differ a bit from 7-zip Windows canonical version.
== Install p7zip package on Linux
This tool is already in all the major repositories, so you should have no problems installing it.
`Ubuntu`: `sudo apt install p7zip-full`
`CentOS/Fedora`: `sudo yum install p7zip p7zip-plugins`
== Create an archive adding all the files in the current folder
We first indicate to `7-zip` that we want to _add_ to an archive with `a` command, then we specify the archive name, and finally, we use `*` as wildcard to include all files in the current folder.
`7z a folder.7z *`
The result - _folder.7z_ will be placed in the same folder where it run.
= 7z Linux Command Line Cookbook of Examples
:homepage: https://github.com/yuriskinfo/cheat-sheets
:toc:
Author: https://www.linkedin.com/in/yurislobodyanyuk/
== Important facts about 7-zip
* 7-zip does NOT store the owner/group of the files/folders being archived, which is good for privacy, but may not suite your specifc use case, especially as a back up tool.
* 7-zip is a name of the compression tool created by Igor Pavlov.
* While Igor Pavlov provides Linux/macOS versions as well, another implementation by independent developer (Mohammed Adnene Trojette) has become wide used in the Linux realm - `p7zip`. This cookbook relates to this, independent version, so options and switches may differ a bit from 7-zip Windows canonical version.
== Install p7zip package on Linux
This tool is already in all the major repositories, so you should have no problems installing it.
`Ubuntu`: `sudo apt install p7zip-full`
`CentOS/Fedora`: `sudo yum install p7zip p7zip-plugins`
== Create an archive adding all the files in the current folder
We first indicate to `7-zip` that we want to _add_ to an archive with `a` command, then we specify the archive name, and finally, we use `*` as wildcard to include all files in the current folder.
`7z a folder.7z *`
The result - _folder.7z_ will be placed in the same folder where it run.

94
cheat-sheets/Aruba-HP-switches-configuration-examples-cookbook.adoc
View File

@@ -1,47 +1,47 @@
= Aruba HP switches configuration examples cookbook
Yuri SLobodyanyuk, admin@yurisk.info
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Reset/wipe switch configuration to the factory defaults
WARNING: This will erase all the configuration and cannot be undone.
If you don't have priveleged EXEC access to the switch:
. Push and hold the _Reset_ button with sharp object like pen/pencil.
. Now also push and hold _Clear_ button with another sharp object.
. When LEDs are turned on - release _Reset_ button, while holding the _Clear_.
. When LEDs start to blink, release the _Clear_ button as well.
If you have privileged EXEC access to the switch, just run *(config)# erase startup* and reboot.
== Restrict management access to specific IP addresses
To limit access to the switch, use *ip authorized-managers* command. Example - limit access to a single IP of 192.168.13.127:
----
ip authorized-managers 192.168.13.127 255.255.255.255 access operator
ip authorized-managers 192.168.13.127 255.255.255.255 access manager
----
== Add default gateway on Layer 2 switch for management
We have to set default gateway on a switch for the management VLAN we choose to be reachable and managed remotely. The command does not mention explicitly the VLAN number, just make sure the network is the network configured on the management VLAN.
----
ip default-gateway 10.13.13.127
----
It is, for example, when VLAN 200 is configured as management VLAN:
----
vlan 200
name "MgmtVlan"
tagged Trk1
ip address 10.13.13.250 255.255.255.0
exit
----
= Aruba HP switches configuration examples cookbook
Yuri SLobodyanyuk, admin@yurisk.info
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Reset/wipe switch configuration to the factory defaults
WARNING: This will erase all the configuration and cannot be undone.
If you don't have priveleged EXEC access to the switch:
. Push and hold the _Reset_ button with sharp object like pen/pencil.
. Now also push and hold _Clear_ button with another sharp object.
. When LEDs are turned on - release _Reset_ button, while holding the _Clear_.
. When LEDs start to blink, release the _Clear_ button as well.
If you have privileged EXEC access to the switch, just run *(config)# erase startup* and reboot.
== Restrict management access to specific IP addresses
To limit access to the switch, use *ip authorized-managers* command. Example - limit access to a single IP of 192.168.13.127:
----
ip authorized-managers 192.168.13.127 255.255.255.255 access operator
ip authorized-managers 192.168.13.127 255.255.255.255 access manager
----
== Add default gateway on Layer 2 switch for management
We have to set default gateway on a switch for the management VLAN we choose to be reachable and managed remotely. The command does not mention explicitly the VLAN number, just make sure the network is the network configured on the management VLAN.
----
ip default-gateway 10.13.13.127
----
It is, for example, when VLAN 200 is configured as management VLAN:
----
vlan 200
name "MgmtVlan"
tagged Trk1
ip address 10.13.13.250 255.255.255.0
exit
----

1034
cheat-sheets/Aruba-HP-switches-debug-and-diagnostics-commands-cheat-sheet.adoc
View File

File diff suppressed because it is too large Load Diff

90
cheat-sheets/Checkpoint-firewalls-debug-cheat-sheet.adoc
View File

@@ -1,45 +1,45 @@
= Checkpoint Firewalls Debug Cheat Sheet
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Status: Work in progress.
== Cluster XL (ClusterXL) debug
[cols=2,"options="header"]
|===
|command
|Description
|*cphaprob state*
|Show status of the cluster and its members, if down - show the descriptive reason and when the state change happened,type of clustering - HA/Load Sharing/VRRP, IP address of each member's sync interface, problematic _pnote_ that causes failover, number of failovers since last restart.
|*cphaprob -ia list*
|Show detailed information on the failed __pnote__/Critical Device of this member. List of pnotes enabled by default (differs by version/model so not a reference): _Interface Active Check_, _Recovery Delay_ , _CoreXL Configuration_, _Fullsync_, _Policy/filter_, _routed_, _fwd_, _cphad_, _init_, _cvpnd_.
|*cphaprob -l list*
|List ALL _pnotes_ of the member, including in _OK_ state.
|*cphaprob -a if*
|Show all the interfaces seen by the cluster on this member. _Monitored_ are interfaces monitored by the cluster and if failed would cause fail over. _Secured_ is/are interface(s) the cluster uses to synchronize members. In Checkpoint appliances it is usually named `Sync`. Also show cluster synchronization mode - broadcast/multicast,
|*cphaprob -m if*
|Show the monitored interfaces but also add ClusterXL VLAN monitoring info - which VLANs on which interface are being monitored.
|*cphaprob syncstat*
|Show detailed synchronization states and traffic statistics: sync traffic drops/sent/received/queue szie/delta interval. Good at showing network/communication problems between cluster members.
|*cphaprob show_failover*
|Show detailed history log of failover events with their dates and reasons. Checkpoint records last 20 failovers by default.
|*cphaprob mmagic*
|Show the cluster magic number, relevant if multiple clusters are present in the same network.
|*cphaprob show_bond*
|Show bond interfaces.
|*cpview -> Advanced -> ClusterXL*
|Partial output of the above commands in TUI interface.
|===
= Checkpoint Firewalls Debug Cheat Sheet
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Status: Work in progress.
== Cluster XL (ClusterXL) debug
[cols=2,"options="header"]
|===
|command
|Description
|*cphaprob state*
|Show status of the cluster and its members, if down - show the descriptive reason and when the state change happened,type of clustering - HA/Load Sharing/VRRP, IP address of each member's sync interface, problematic _pnote_ that causes failover, number of failovers since last restart.
|*cphaprob -ia list*
|Show detailed information on the failed __pnote__/Critical Device of this member. List of pnotes enabled by default (differs by version/model so not a reference): _Interface Active Check_, _Recovery Delay_ , _CoreXL Configuration_, _Fullsync_, _Policy/filter_, _routed_, _fwd_, _cphad_, _init_, _cvpnd_.
|*cphaprob -l list*
|List ALL _pnotes_ of the member, including in _OK_ state.
|*cphaprob -a if*
|Show all the interfaces seen by the cluster on this member. _Monitored_ are interfaces monitored by the cluster and if failed would cause fail over. _Secured_ is/are interface(s) the cluster uses to synchronize members. In Checkpoint appliances it is usually named `Sync`. Also show cluster synchronization mode - broadcast/multicast,
|*cphaprob -m if*
|Show the monitored interfaces but also add ClusterXL VLAN monitoring info - which VLANs on which interface are being monitored.
|*cphaprob syncstat*
|Show detailed synchronization states and traffic statistics: sync traffic drops/sent/received/queue szie/delta interval. Good at showing network/communication problems between cluster members.
|*cphaprob show_failover*
|Show detailed history log of failover events with their dates and reasons. Checkpoint records last 20 failovers by default.
|*cphaprob mmagic*
|Show the cluster magic number, relevant if multiple clusters are present in the same network.
|*cphaprob show_bond*
|Show bond interfaces.
|*cpview -> Advanced -> ClusterXL*
|Partial output of the above commands in TUI interface.
|===

170
cheat-sheets/Cisco-CUCM-CLI-useful-commands-cheat-sheet.adoc
View File

@@ -1,85 +1,85 @@
= Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2021-02-22
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|Command
|Descritption
|*show status*
|General health info, first to run on unusual CPU/IO load. Shows uptime, CPU load, memory usage, CUCM/Unity version.
|*utils ntp status*
|Show NTP status - NTP source, synchronization, stratum. Note: this is not necessarily time source for the phones.
|*utils network ping <dest> [count VALUE] [size VALUE]*
| Ping to test network quality and connectivity. E.g. `utils network ping 8.8.8.8 count 10 size 1300`
|*utils network traceroute <IP address>*
|Network trace.
|*show tech network routes*
|Show routing table.
|*show network status [process nodns search [search term]]*
|Show established connections with the process using the port. E.g. to show established connections to port 5060 (SIP phones and SIP trunks): `show network status process nodns search 5060`.
|*utils network arp list*
*utils network arp delete*
*utils network arp set*
|Working with ARP table.
|*show network ipprefs public*
*show open ports*
*show open ports all*
*show open ports regexp*
|Show open and accessible over the network ports with listening daemons.
|*show network ip_conntrack*
|Show number of open connections . While the number of connections does NOT equal number of registered phones, if there is some network connectivity issue this number will be unusually low. E.g. on CUCM with 52 registered SIP phones this commands shows 301 connections.
|*show process list*
|Show list of running processes (Linux style).
|*utils iostat*
|Show I/O stats - writes/reads per second, averages
|*show hardware*
|Show the hardware server on which the CUCM is installed.
|*utils service list*
*utils service <stop/restart/start>*
|List running CUCM/Unity services (not previously mentioned Linux ones) and then stop/restart any of them by their name. Copy & paste service name exactly as shown in the listing.
|*utils system restart*
|Last resort - restart the whole CUCM/Unity.
|*show diskusage activelog*
|Get the disk usage.
|*show logins*
|Show logged in admins
|*show password expiry user list*
|Show user password expiration, by default it is set to 99999 days, if not changed by the administrator.
|*set password { age / complexity / expiry / inactivity / user }*
|Changing password for yourself/another user . Be very careful with changing password of course.
|===
= Useful CLI commands for Cisco CUCM, Cisco Unity Connection and IM and Presence
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2021-02-22
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|Command
|Descritption
|*show status*
|General health info, first to run on unusual CPU/IO load. Shows uptime, CPU load, memory usage, CUCM/Unity version.
|*utils ntp status*
|Show NTP status - NTP source, synchronization, stratum. Note: this is not necessarily time source for the phones.
|*utils network ping <dest> [count VALUE] [size VALUE]*
| Ping to test network quality and connectivity. E.g. `utils network ping 8.8.8.8 count 10 size 1300`
|*utils network traceroute <IP address>*
|Network trace.
|*show tech network routes*
|Show routing table.
|*show network status [process nodns search [search term]]*
|Show established connections with the process using the port. E.g. to show established connections to port 5060 (SIP phones and SIP trunks): `show network status process nodns search 5060`.
|*utils network arp list*
*utils network arp delete*
*utils network arp set*
|Working with ARP table.
|*show network ipprefs public*
*show open ports*
*show open ports all*
*show open ports regexp*
|Show open and accessible over the network ports with listening daemons.
|*show network ip_conntrack*
|Show number of open connections . While the number of connections does NOT equal number of registered phones, if there is some network connectivity issue this number will be unusually low. E.g. on CUCM with 52 registered SIP phones this commands shows 301 connections.
|*show process list*
|Show list of running processes (Linux style).
|*utils iostat*
|Show I/O stats - writes/reads per second, averages
|*show hardware*
|Show the hardware server on which the CUCM is installed.
|*utils service list*
*utils service <stop/restart/start>*
|List running CUCM/Unity services (not previously mentioned Linux ones) and then stop/restart any of them by their name. Copy & paste service name exactly as shown in the listing.
|*utils system restart*
|Last resort - restart the whole CUCM/Unity.
|*show diskusage activelog*
|Get the disk usage.
|*show logins*
|Show logged in admins
|*show password expiry user list*
|Show user password expiration, by default it is set to 99999 days, if not changed by the administrator.
|*set password { age / complexity / expiry / inactivity / user }*
|Changing password for yourself/another user . Be very careful with changing password of course.
|===

120
cheat-sheets/Cisco-Nexus-9000-9k-debug-and-diagnostic-commands-cheat-sheet.adoc
View File

@@ -1,60 +1,60 @@
= Cisco Nexus 9000 9k debug and diagnostic commands complete cheat sheet (work in progress)
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2020-09-01
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Status: Work in progress.
[cols=2,options="header"]
|===
|Command
|Descritption
|*show run interface <port-channel number> membership*
|List physical interfaces included in the given Port-Channel, e.g. `show run int po1 membership`
|*show port-channel usage*
|Show port-channel numbers already in use.
|*show port-channel summary*
|Display list of all configured Port-Channels with their state, protocol (LACP or None), physical interface members.
|*show vpc role*
|Role of this peer in vPC, also vPC MAC address, vPC and system priority, local Nexus switch MAC.
|*show vpc brief*
|Gives verbose info about the vPC (vPC domain stats, vPC peer-link stats, port-channels with active VLANs etc.).
|*show vpc peer-keepalive*
| Display real-time stats on peering keepalives: last send/receive time, IP of the peer, port and protocol used, vrf for communicaiton.
|*show feature*
|Show enabled features, make sure FEX is on.
|*show fex [_fex-num_] [detail]*
| Show FEX, optionally with details - FEX associated number, state
(Online/Offline/Connecting), model, serial number (of the module). If _detail_,
then also show log of the last registration/offline/online of the FEX.
|*show interface fex*
| In addition to above, show physical interface names (uplinks) where FEX is connected on
Nexus and its state.
|*reload fex _fex-num_*
| Reload the specified FEX (it should be online for this).
|*show inventory fex _fex-num_*
|Show hardware info and serial numbers of the FEX chassis, network module, fans,
power supplies.
|*show environment fex _fex-num_/all*
|Show power consumed, temperature.
|*show int port-channel _n_ fex*
|Show physical interfaces pinned to a given port-channel.
|===
= Cisco Nexus 9000 9k debug and diagnostic commands complete cheat sheet (work in progress)
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2020-09-01
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Status: Work in progress.
[cols=2,options="header"]
|===
|Command
|Descritption
|*show run interface <port-channel number> membership*
|List physical interfaces included in the given Port-Channel, e.g. `show run int po1 membership`
|*show port-channel usage*
|Show port-channel numbers already in use.
|*show port-channel summary*
|Display list of all configured Port-Channels with their state, protocol (LACP or None), physical interface members.
|*show vpc role*
|Role of this peer in vPC, also vPC MAC address, vPC and system priority, local Nexus switch MAC.
|*show vpc brief*
|Gives verbose info about the vPC (vPC domain stats, vPC peer-link stats, port-channels with active VLANs etc.).
|*show vpc peer-keepalive*
| Display real-time stats on peering keepalives: last send/receive time, IP of the peer, port and protocol used, vrf for communicaiton.
|*show feature*
|Show enabled features, make sure FEX is on.
|*show fex [_fex-num_] [detail]*
| Show FEX, optionally with details - FEX associated number, state
(Online/Offline/Connecting), model, serial number (of the module). If _detail_,
then also show log of the last registration/offline/online of the FEX.
|*show interface fex*
| In addition to above, show physical interface names (uplinks) where FEX is connected on
Nexus and its state.
|*reload fex _fex-num_*
| Reload the specified FEX (it should be online for this).
|*show inventory fex _fex-num_*
|Show hardware info and serial numbers of the FEX chassis, network module, fans,
power supplies.
|*show environment fex _fex-num_/all*
|Show power consumed, temperature.
|*show int port-channel _n_ fex*
|Show physical interfaces pinned to a given port-channel.
|===

234
cheat-sheets/FAR-manager-cheat-sheet-of-keyboard-shortcuts.adoc
View File

@@ -1,117 +1,117 @@
= FAR manager cheat sheet of keyboard shortcuts
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2020-11-09
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2, options="header"]
|===
|Shortcut
|Description
|*Ctrl + \*
|Change working directory to the root folder, i.e. root of the drive.
|*Ctrl + PgUp*
|Move up to the parent directory.
|*Alt + F1*
|Set the working drive for the left panel.
|*Alt + F2*
|Set the working drive for the right panel.
|*Ctrl + u*
|Swap panels (left becomes right and vice versa).
|*Ctrl + Left/Right Arrow*
|Move the separating bar between panels left/right, changing the occupied space.
|*Ctrl + Up/Down Arrow*
|Move the bottom border of the panels up/down.
|*Alt + F7*
|Open File Search dialog box
|*Alt + F12*
|Open history of the visited folders.
|*Alt + F8*
|Open history of the viewed files.
|*F9 + c + c* or *F11 + Advanced Compare*
|Compare files/directories open in Panels. Standard compare (F9 + c + c) compares by name,size and time stamp. Advanced Compare allows to choose what to compare on. The files that differ are highlighted in blue.
|*Ctrl + 1*
|Set panel view to 3-column layout showing just names.
|*Ctrl + 2*
|Return to the standard 2-column view of names only.
|*Ctrl + 3*
|Full panel view - shows name, size, date, time columns.
|*Ctrl + 5*
|Full screen view - name, size, allocated, write, created, accessed, attributes columns.
2+|_Sort displayed items_
|*Ctrl + F3*
| Sort by file/folder name.
|*Ctrl + F4*
|Sort by extension.
|*Ctrl + F5*
|Sort by modified date.
|*Ctrl + F6*
|Sort by size.
|*Ctrl + F8*
|Sort by creation time
|*Ctrl + F9*
|Sort by access time
2+|_Selecting files and folders_
|*Insert*
|Select the item under the cursor. Press again to deselect.
|*Shift + move up/down*
|Select single/multiple items. To deselect, hold Shift and move in the opposite direction.
|* (asterisk)
|Select all files/folders in the panel. Press again to invert the selection.
|COLORS fix later
| Fix me
|*F9 -> o -> l*
|Open color selection dialog box.
|*F11 + Temporary Panel*
| Create and switch to a Temporary Panel. You can copy/drag files and folders from the visible Panel to it. This allows to work on multiple items from different locations at the same time.
2+|_Filter what is shown in the Panel_
|*Ctrl + i*
a|Open Filter dialog menu. It contains all file types/extensions seen in the current folder. By moving with _Arrow Up/Down_ you can select/deselect any single or combination of multiple extensions to include or exclude in the display. Highlight the extension in question and press:
- *<space>* or *+* or *i*: Include files with such extension in the display, exclude from display anything else. Pressing the same key again clears the selection.
- *Shift + Backspace*: Clear all selections made so far.
- *x*: Exclude the selected extensions from showing, display what is left.
- *Insert*: Open a dialog menu to create Custom filter. This allows to include/exclude files by their name/extension, size, attributes, and modification date. You can use relative operators `>=, <=`. All operands in a Custom filter are ANDed. Make sure to activate this Custom filter with Space or `+` in the filter list later.
|*Enter*
|Activate the filter.
|===
= FAR manager cheat sheet of keyboard shortcuts
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2020-11-09
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2, options="header"]
|===
|Shortcut
|Description
|*Ctrl + \*
|Change working directory to the root folder, i.e. root of the drive.
|*Ctrl + PgUp*
|Move up to the parent directory.
|*Alt + F1*
|Set the working drive for the left panel.
|*Alt + F2*
|Set the working drive for the right panel.
|*Ctrl + u*
|Swap panels (left becomes right and vice versa).
|*Ctrl + Left/Right Arrow*
|Move the separating bar between panels left/right, changing the occupied space.
|*Ctrl + Up/Down Arrow*
|Move the bottom border of the panels up/down.
|*Alt + F7*
|Open File Search dialog box
|*Alt + F12*
|Open history of the visited folders.
|*Alt + F8*
|Open history of the viewed files.
|*F9 + c + c* or *F11 + Advanced Compare*
|Compare files/directories open in Panels. Standard compare (F9 + c + c) compares by name,size and time stamp. Advanced Compare allows to choose what to compare on. The files that differ are highlighted in blue.
|*Ctrl + 1*
|Set panel view to 3-column layout showing just names.
|*Ctrl + 2*
|Return to the standard 2-column view of names only.
|*Ctrl + 3*
|Full panel view - shows name, size, date, time columns.
|*Ctrl + 5*
|Full screen view - name, size, allocated, write, created, accessed, attributes columns.
2+|_Sort displayed items_
|*Ctrl + F3*
| Sort by file/folder name.
|*Ctrl + F4*
|Sort by extension.
|*Ctrl + F5*
|Sort by modified date.
|*Ctrl + F6*
|Sort by size.
|*Ctrl + F8*
|Sort by creation time
|*Ctrl + F9*
|Sort by access time
2+|_Selecting files and folders_
|*Insert*
|Select the item under the cursor. Press again to deselect.
|*Shift + move up/down*
|Select single/multiple items. To deselect, hold Shift and move in the opposite direction.
|* (asterisk)
|Select all files/folders in the panel. Press again to invert the selection.
|COLORS fix later
| Fix me
|*F9 -> o -> l*
|Open color selection dialog box.
|*F11 + Temporary Panel*
| Create and switch to a Temporary Panel. You can copy/drag files and folders from the visible Panel to it. This allows to work on multiple items from different locations at the same time.
2+|_Filter what is shown in the Panel_
|*Ctrl + i*
a|Open Filter dialog menu. It contains all file types/extensions seen in the current folder. By moving with _Arrow Up/Down_ you can select/deselect any single or combination of multiple extensions to include or exclude in the display. Highlight the extension in question and press:
- *<space>* or *+* or *i*: Include files with such extension in the display, exclude from display anything else. Pressing the same key again clears the selection.
- *Shift + Backspace*: Clear all selections made so far.
- *x*: Exclude the selected extensions from showing, display what is left.
- *Insert*: Open a dialog menu to create Custom filter. This allows to include/exclude files by their name/extension, size, attributes, and modification date. You can use relative operators `>=, <=`. All operands in a Custom filter are ANDed. Make sure to activate this Custom filter with Space or `+` in the filter list later.
|*Enter*
|Activate the filter.
|===

2138
cheat-sheets/Fortigate-debug-diagnose-complete-cheat-sheet.adoc
View File

File diff suppressed because it is too large Load Diff

126
cheat-sheets/FreeBSD-cheat-sheet.adoc
View File

@@ -1,63 +1,63 @@
= FreeBSD cheat sheet
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Working with disks and partitions
[cols=2, options="header"]
|===
|Command
|Description
|*camcontrol devlist*
|Show list of attached storage devices
|*geom <disk/label/part/raid> list*
|Display detailed information for the given GEOM class `disk` - physical disk, `label` - device labels, `part` - partitions. Other classes are available, but not mentioned for irrelevance here.
|*mount*
|Show mounted in fact partitions and their properties (journaled or not, type).
|*glabel list*
|Show labels, same as `geom label list`.
|*gpart show*
|Show partitions, similar to `geom part list` minus labels information, so is shorter. Add `-r` to show GPT partition types, see for the complete list at https://en.wikipedia.org/wiki/GUID_Partition_Table .
|*gpart recover <device name>*
|Recover partition information, e.g. when increasing the size of already partitioned disk in Virtual Machine, the last sector holding the partition info is lost, so to put the needed info in the last sector of now increased disk: `gpart recover da0`.
|*swapoff <device name>*
|Turn off temporarily the swap file, e.g. to move its partition to the end of the increased virtual disk: `swapoff /dev/da0p3`
|*gpart delete -i <n> <device name>*
|Delete partition number `n` (as shown by `gpart show`) on the device `device name`. E.g. If the swap partition was number 3 on disk /dev/da0, to delete it: `gpart delete -i 3 /dev/da0`.
|*gpart create -s <partition scheme> <device name>*
|Set type of partition to be added on device `device name`. E.g. to set up device _da1_ for GPT partitioning: `gpart create -s gpt da1`.
|*sysctl kern.geom.debugflags=16*
|Resizing a live partition may require turning off this protection.
|*gpart resize -i <n> [ -s <new size K/M/G>] [-a <alignment size>] <device name>*
|Resize existing partition number `n` to `new size`, optionally setting alighnment, on device `device name`. If `-s` size is not given, use up all available _free_ space. E.g. to increase the _2nd_ partition on device _da0_ to 47 Gigabyte with 4k alignment: `gpart resize -i 2 -s 47G -a 4k da0`.
|*growfs <partition name>*
|After resizing a partition, grow the existing file system on it to encompass the new free space. E.g.`growfs /dev/da0p2`.
|*gpart add -t <partition type> [-a <alignment>] [-l <label name>] <dev name>*
|Add a new partition to the disk `dev name`, setting its type and optionally alignment and label. E.g. to add _freebsd-ufs_ type partition to disk _da1_ aligned on 4k border setting the label to _data_: `gpart add -t freebsd-ufs -a 4k -l data da1` . After that, this partition will be available as _/dev/gpt/data_
|*newfs [-U] [-j] <partition name/label>*
|Add filesystem to the named partition. Switches depend on the filesystem type, here `-U` is for *freebsd-ufs* with soft updates but without journaling, while `-j` adds journaling. E.g. to create UFS filesystem with soft updates but without the journaling on partition labeled _/data_ of type GPT: `newfs -U /dev/gpt/data`.
|===
= FreeBSD cheat sheet
:homepage: https://yurisk.info
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Working with disks and partitions
[cols=2, options="header"]
|===
|Command
|Description
|*camcontrol devlist*
|Show list of attached storage devices
|*geom <disk/label/part/raid> list*
|Display detailed information for the given GEOM class `disk` - physical disk, `label` - device labels, `part` - partitions. Other classes are available, but not mentioned for irrelevance here.
|*mount*
|Show mounted in fact partitions and their properties (journaled or not, type).
|*glabel list*
|Show labels, same as `geom label list`.
|*gpart show*
|Show partitions, similar to `geom part list` minus labels information, so is shorter. Add `-r` to show GPT partition types, see for the complete list at https://en.wikipedia.org/wiki/GUID_Partition_Table .
|*gpart recover <device name>*
|Recover partition information, e.g. when increasing the size of already partitioned disk in Virtual Machine, the last sector holding the partition info is lost, so to put the needed info in the last sector of now increased disk: `gpart recover da0`.
|*swapoff <device name>*
|Turn off temporarily the swap file, e.g. to move its partition to the end of the increased virtual disk: `swapoff /dev/da0p3`
|*gpart delete -i <n> <device name>*
|Delete partition number `n` (as shown by `gpart show`) on the device `device name`. E.g. If the swap partition was number 3 on disk /dev/da0, to delete it: `gpart delete -i 3 /dev/da0`.
|*gpart create -s <partition scheme> <device name>*
|Set type of partition to be added on device `device name`. E.g. to set up device _da1_ for GPT partitioning: `gpart create -s gpt da1`.
|*sysctl kern.geom.debugflags=16*
|Resizing a live partition may require turning off this protection.
|*gpart resize -i <n> [ -s <new size K/M/G>] [-a <alignment size>] <device name>*
|Resize existing partition number `n` to `new size`, optionally setting alighnment, on device `device name`. If `-s` size is not given, use up all available _free_ space. E.g. to increase the _2nd_ partition on device _da0_ to 47 Gigabyte with 4k alignment: `gpart resize -i 2 -s 47G -a 4k da0`.
|*growfs <partition name>*
|After resizing a partition, grow the existing file system on it to encompass the new free space. E.g.`growfs /dev/da0p2`.
|*gpart add -t <partition type> [-a <alignment>] [-l <label name>] <dev name>*
|Add a new partition to the disk `dev name`, setting its type and optionally alignment and label. E.g. to add _freebsd-ufs_ type partition to disk _da1_ aligned on 4k border setting the label to _data_: `gpart add -t freebsd-ufs -a 4k -l data da1` . After that, this partition will be available as _/dev/gpt/data_
|*newfs [-U] [-j] <partition name/label>*
|Add filesystem to the named partition. Switches depend on the filesystem type, here `-U` is for *freebsd-ufs* with soft updates but without journaling, while `-j` adds journaling. E.g. to create UFS filesystem with soft updates but without the journaling on partition labeled _/data_ of type GPT: `newfs -U /dev/gpt/data`.
|===

212
cheat-sheets/FreeBSD-cheat-sheet.html
View File

@@ -1,107 +1,107 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.18">
<title>FreeBSD cheat sheet</title>
<style>
</style>
</head>
<body class="article">
<div id="header">
<h1>FreeBSD cheat sheet</h1>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Author: Yuri Slobodyanyuk, <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_working_with_disks_and_partitions">Working with disks and partitions</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>camcontrol devlist</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show list of attached storage devices</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>geom &lt;disk/label/part/raid&gt; list</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display detailed information for the given GEOM class <code>disk</code> - physical disk, <code>label</code> - device labels, <code>part</code> - partitions. Other classes are available, but not mentioned for irrelevance here.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>mount</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show mounted in fact partitions and their properties (journaled or not, type).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>glabel list</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show labels, same as <code>geom label list</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart show</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show partitions, similar to <code>geom part list</code> minus labels information, so is shorter. Add <code>-r</code> to show GPT partition types, see for the complete list at <a href="https://en.wikipedia.org/wiki/GUID_Partition_Table" class="bare">https://en.wikipedia.org/wiki/GUID_Partition_Table</a> .</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart recover &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Recover partition information, e.g. when increasing the size of already partitioned disk in Virtual Machine, the last sector holding the partition info is lost, so to put the needed info in the last sector of now increased disk: <code>gpart recover da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>swapoff &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Turn off temporarily the swap file, e.g. to move its partition to the end of the increased virtual disk: <code>swapoff /dev/da0p3</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart delete -i &lt;n&gt; &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Delete partition number <code>n</code> (as shown by <code>gpart show</code>) on the device <code>device name</code>. E.g. If the swap partition was number 3 on disk /dev/da0, to delete it: <code>gpart delete -i 3 /dev/da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart create -s &lt;partition scheme&gt; &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Set type of partition to be added on device <code>device name</code>. E.g. to set up device <em>da1</em> for GPT partitioning: <code>gpart create -s gpt da1</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>sysctl kern.geom.debugflags=16</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resizing a live partition may require turning off this protection.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart resize -i &lt;n&gt; [ -s &lt;new size K/M/G&gt;] [-a &lt;alignment size&gt;] &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resize existing partition number <code>n</code> to <code>new size</code>, optionally setting alighnment, on device <code>device name</code>. If <code>-s</code> size is not given, use up all available <em>free</em> space. E.g. to increase the <em>2nd</em> partition on device <em>da0</em> to 47 Gigabyte with 4k alignment: <code>gpart resize -i 2 -s 47G -a 4k da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>growfs &lt;partition name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">After resizing a partition, grow the existing file system on it to encompass the new free space. E.g.<code>growfs /dev/da0p2</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart add -t &lt;partition type&gt; [-a &lt;alignment&gt;] [-l &lt;label name&gt;] &lt;dev name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Add a new partition to the disk <code>dev name</code>, setting its type and optionally alignment and label. E.g. to add <em>freebsd-ufs</em> type partition to disk <em>da1</em> aligned on 4k border setting the label to <em>data</em>: <code>gpart add -t freebsd-ufs -a 4k -l data da1</code> . After that, this partition will be available as <em>/dev/gpt/data</em></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>newfs [-U] [-j] &lt;partition name/label&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Add filesystem to the named partition. Switches depend on the filesystem type, here <code>-U</code> is for <strong>freebsd-ufs</strong> with soft updates but without journaling, while <code>-j</code> adds journaling. E.g. to create UFS filesystem with soft updates but without the journaling on partition labeled <em>/data</em> of type GPT: <code>newfs -U /dev/gpt/data</code>.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2021-12-03 08:42:05 +0200
</div>
</div>
</body>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="generator" content="Asciidoctor 2.0.18">
<title>FreeBSD cheat sheet</title>
<style>
</style>
</head>
<body class="article">
<div id="header">
<h1>FreeBSD cheat sheet</h1>
</div>
<div id="content">
<div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>Author: Yuri Slobodyanyuk, <a href="https://www.linkedin.com/in/yurislobodyanyuk/" class="bare">https://www.linkedin.com/in/yurislobodyanyuk/</a></p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="_working_with_disks_and_partitions">Working with disks and partitions</h2>
<div class="sectionbody">
<table class="tableblock frame-all grid-all stretch">
<colgroup>
<col style="width: 50%;">
<col style="width: 50%;">
</colgroup>
<thead>
<tr>
<th class="tableblock halign-left valign-top">Command</th>
<th class="tableblock halign-left valign-top">Description</th>
</tr>
</thead>
<tbody>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>camcontrol devlist</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show list of attached storage devices</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>geom &lt;disk/label/part/raid&gt; list</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Display detailed information for the given GEOM class <code>disk</code> - physical disk, <code>label</code> - device labels, <code>part</code> - partitions. Other classes are available, but not mentioned for irrelevance here.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>mount</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show mounted in fact partitions and their properties (journaled or not, type).</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>glabel list</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show labels, same as <code>geom label list</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart show</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Show partitions, similar to <code>geom part list</code> minus labels information, so is shorter. Add <code>-r</code> to show GPT partition types, see for the complete list at <a href="https://en.wikipedia.org/wiki/GUID_Partition_Table" class="bare">https://en.wikipedia.org/wiki/GUID_Partition_Table</a> .</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart recover &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Recover partition information, e.g. when increasing the size of already partitioned disk in Virtual Machine, the last sector holding the partition info is lost, so to put the needed info in the last sector of now increased disk: <code>gpart recover da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>swapoff &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Turn off temporarily the swap file, e.g. to move its partition to the end of the increased virtual disk: <code>swapoff /dev/da0p3</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart delete -i &lt;n&gt; &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Delete partition number <code>n</code> (as shown by <code>gpart show</code>) on the device <code>device name</code>. E.g. If the swap partition was number 3 on disk /dev/da0, to delete it: <code>gpart delete -i 3 /dev/da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart create -s &lt;partition scheme&gt; &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Set type of partition to be added on device <code>device name</code>. E.g. to set up device <em>da1</em> for GPT partitioning: <code>gpart create -s gpt da1</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>sysctl kern.geom.debugflags=16</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resizing a live partition may require turning off this protection.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart resize -i &lt;n&gt; [ -s &lt;new size K/M/G&gt;] [-a &lt;alignment size&gt;] &lt;device name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Resize existing partition number <code>n</code> to <code>new size</code>, optionally setting alighnment, on device <code>device name</code>. If <code>-s</code> size is not given, use up all available <em>free</em> space. E.g. to increase the <em>2nd</em> partition on device <em>da0</em> to 47 Gigabyte with 4k alignment: <code>gpart resize -i 2 -s 47G -a 4k da0</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>growfs &lt;partition name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">After resizing a partition, grow the existing file system on it to encompass the new free space. E.g.<code>growfs /dev/da0p2</code>.</p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>gpart add -t &lt;partition type&gt; [-a &lt;alignment&gt;] [-l &lt;label name&gt;] &lt;dev name&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Add a new partition to the disk <code>dev name</code>, setting its type and optionally alignment and label. E.g. to add <em>freebsd-ufs</em> type partition to disk <em>da1</em> aligned on 4k border setting the label to <em>data</em>: <code>gpart add -t freebsd-ufs -a 4k -l data da1</code> . After that, this partition will be available as <em>/dev/gpt/data</em></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><p class="tableblock"><strong>newfs [-U] [-j] &lt;partition name/label&gt;</strong></p></td>
<td class="tableblock halign-left valign-top"><p class="tableblock">Add filesystem to the named partition. Switches depend on the filesystem type, here <code>-U</code> is for <strong>freebsd-ufs</strong> with soft updates but without journaling, while <code>-j</code> adds journaling. E.g. to create UFS filesystem with soft updates but without the journaling on partition labeled <em>/data</em> of type GPT: <code>newfs -U /dev/gpt/data</code>.</p></td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div id="footer">
<div id="footer-text">
Last updated 2021-12-03 08:42:05 +0200
</div>
</div>
</body>
</html>

140
cheat-sheets/HIEW-hexadecimal-editor-cheat-sheet.adoc
View File

@@ -1,70 +1,70 @@
= HIEW hexadecimal editor and disassembler cheat sheet
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|Command
|Description
|*hiew8.ini*
|Configuration file usually located in the same directory as the hiew32.exe binary itself.
|*F1*
|Conext-aware help.
|*ESC*
| Exit any window in any mode without saving the changes.
|*F3*
|Enter the Edit mode.
|*ENTER*
| In the Read mode, switch between Hex/Decode/Text modes in turn.
|*F7*
|Open a search window.
|*Ctrl+Enter*
|Continue searching.
|*Alt+F1*
|Change location addressing mode.
|*F9*
|Save the changes made so far.
|*F6*
|In Decode/Disassembled mode, find cross-references.
|*
| In Read mode, select block(s) of bytes.
|*F8*
|Show the file headers.
|*F8 -> F6 -> F3*
| In Hex/Decode modes, show then edit file header sections.
|*Alt+F6*
|Show all strings in a file.
|*+/-*
|Increase/decrease minimal string length.
|*F5*
| Go to offset.
|*Alt+F7*
| Change the search direction: top-down/down-top.
|===
= HIEW hexadecimal editor and disassembler cheat sheet
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|Command
|Description
|*hiew8.ini*
|Configuration file usually located in the same directory as the hiew32.exe binary itself.
|*F1*
|Conext-aware help.
|*ESC*
| Exit any window in any mode without saving the changes.
|*F3*
|Enter the Edit mode.
|*ENTER*
| In the Read mode, switch between Hex/Decode/Text modes in turn.
|*F7*
|Open a search window.
|*Ctrl+Enter*
|Continue searching.
|*Alt+F1*
|Change location addressing mode.
|*F9*
|Save the changes made so far.
|*F6*
|In Decode/Disassembled mode, find cross-references.
|*
| In Read mode, select block(s) of bytes.
|*F8*
|Show the file headers.
|*F8 -> F6 -> F3*
| In Hex/Decode modes, show then edit file header sections.
|*Alt+F6*
|Show all strings in a file.
|*+/-*
|Increase/decrease minimal string length.
|*F5*
| Go to offset.
|*Alt+F7*
| Change the search direction: top-down/down-top.
|===

48
cheat-sheets/ImageMagick-command-line-examples.adoc
View File

@@ -1,24 +1,24 @@
= ImageMagick Command Line Examples
:toc:
== Rotate images 90 degrees
Use `convert` tools in a bash script to rotate all .jpg images in the current folder, naming the rotated images as _current-name_-rotated.jpg
[source,bash]
----
for ii in *.jpg
do
convert ${ii} -rotate 90 ${ii}-rotated.jpg
done
----
== Combine images in the current folder into a PDF file
Let's combine images with extension .jpg (using shell wildcards) into one
PDF file.
----
magick *.jpg pics-2022-1.pdf
----
= ImageMagick Command Line Examples
:toc:
== Rotate images 90 degrees
Use `convert` tools in a bash script to rotate all .jpg images in the current folder, naming the rotated images as _current-name_-rotated.jpg
[source,bash]
----
for ii in *.jpg
do
convert ${ii} -rotate 90 ${ii}-rotated.jpg
done
----
== Combine images in the current folder into a PDF file
Let's combine images with extension .jpg (using shell wildcards) into one
PDF file.
----
magick *.jpg pics-2022-1.pdf
----

282
cheat-sheets/Linux-and-BSD-firewalls-cheat-sheet.adoc
View File

@@ -1,141 +1,141 @@
= Linux and PF firewalls commands cheat sheet
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Firewalld daemon management (Red Hat based distributions)
=== Enable, disable, reload the daemon
[cols=2, options="header"]
|===
|Command
|Description
|*systemctl disable/enable firewalld*
|Disable/enable firewalld, survives reboot.
|*systemctl stop firewalld*
|Stop firewalld until started manually or reboot.
|*firewall-cmd --reload*
|Reload firewall rules to make your changes active, keeping the state table. Active sessions do not disconnect. On finishing reload will output `success`.
|*systemctl restart firewalld*
|Restart the daemon, without resetting the active connections. Use in case of
problems with the daemon.
|*firewall-cmd --complete-reload*
|Reload firewall completely, disconnecting the active connections. When nothing
else helps.
|===
=== List rules, status, additional info
[cols=2, options="header"]
|===
|Command
|Description
|*firewall-cmd --state*
|Show firewall daemon status
|*firewall-cmd --list-all*
|List currently active rules
|*firewall-cmd --get-default-zone*
| Show the default zone for interfaces.
|*firewall-cmd --get-zones*
|List all available zones
|*firewall-cmd --get-active-zones*
| Show active zones, including to which zone each interface belongs.
|*firewall-cmd --list-all-zones*
|List all zones with their rules and associated interfaces.
|*firewall-cmd --add-service <service name>*
|Add predefined service by name to the default zone, with action ACCEPT, e.g. `firewall-cmd -add-service ftp` .
|===
=== Open, close ports
[cols=2, options="header"]
|===
|Command
|Description
|*firewall-cmd --add-port=_port-number_/_protocol_*
|Open in incoming _port-number_ of the _protocol_. E.g. open incoming to TCP port
5900 from any: `firewall-cmd --add-port=5900/tcp`
|*firewall-cmd --remove-port=_port-number_/_protocol_*
|Close the open _port-number_. E.g. close the open port 5900/tcp: `firewall-cmd --remove-port=5900/tcp`
|*firewall-cmd --runtime-to-permanent*
|Make the changed rules permanent to survive reboot.
|===
== Ubuntu Uncomplicated Firewall (ufw)
.ufw management commands
[cols=2, options="header"]
|===
|Command
|Description
|*ufw status*
|Show whether the firewall is on and if on, list the active rules.
|*ufw enable*
|Enable firewall.
|*ufw disable*
|Disable firewall
|*ufw reload*
|Reload firewall and rules.
|*ufw allow <predefined service name>*
| Allow some service in any direction from/to any IP address using so called `simple` rule syntax. The service names are as per `/etc/services`. E.g. to allow ssh from any: `ufw allow ssh`.
|*/etc/ufw/before.rules*
|Some rules are pre-allowed by default, to change them edit this file and reload the firewall.
|===
== PF (Packet Filter) management for FreeBSD & OpenBSD
[cols=2, options="header"]
|===
|Command
|Description
|*pfct -d*
|Disable PF in place, does not survive reboot.
|*pfctl -ef /etc/pf.conf*
|Enable PF and load the rule set from file `/etc/pf.conf` in one go.
|*pfctl -nf /etc/pf.conf*
|Parse security rules stored in a file without installing them (dry run).
|*pass in quick on egress from 62.13.77.141 to any*
| 'Quick' rule (means allows this traffic on all interfaces, otherwise we would need 2nd rule allowing this traffic in _outgoing_ direction on egress interface) to allow incoming ANY port/protocol with the source being `62.13.77.141` and destination being ANY IP address behind the PF firewall. NOTE: here, `egress` is not a direction, but a group name to which the interface in question (`em0`) belongs to. In OpenBSD you set it in a file `/etc/hostname.em0: group egress` or in real-time with the command: `ifconfig em0 group egress`.
|===
= Linux and PF firewalls commands cheat sheet
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Firewalld daemon management (Red Hat based distributions)
=== Enable, disable, reload the daemon
[cols=2, options="header"]
|===
|Command
|Description
|*systemctl disable/enable firewalld*
|Disable/enable firewalld, survives reboot.
|*systemctl stop firewalld*
|Stop firewalld until started manually or reboot.
|*firewall-cmd --reload*
|Reload firewall rules to make your changes active, keeping the state table. Active sessions do not disconnect. On finishing reload will output `success`.
|*systemctl restart firewalld*
|Restart the daemon, without resetting the active connections. Use in case of
problems with the daemon.
|*firewall-cmd --complete-reload*
|Reload firewall completely, disconnecting the active connections. When nothing
else helps.
|===
=== List rules, status, additional info
[cols=2, options="header"]
|===
|Command
|Description
|*firewall-cmd --state*
|Show firewall daemon status
|*firewall-cmd --list-all*
|List currently active rules
|*firewall-cmd --get-default-zone*
| Show the default zone for interfaces.
|*firewall-cmd --get-zones*
|List all available zones
|*firewall-cmd --get-active-zones*
| Show active zones, including to which zone each interface belongs.
|*firewall-cmd --list-all-zones*
|List all zones with their rules and associated interfaces.
|*firewall-cmd --add-service <service name>*
|Add predefined service by name to the default zone, with action ACCEPT, e.g. `firewall-cmd -add-service ftp` .
|===
=== Open, close ports
[cols=2, options="header"]
|===
|Command
|Description
|*firewall-cmd --add-port=_port-number_/_protocol_*
|Open in incoming _port-number_ of the _protocol_. E.g. open incoming to TCP port
5900 from any: `firewall-cmd --add-port=5900/tcp`
|*firewall-cmd --remove-port=_port-number_/_protocol_*
|Close the open _port-number_. E.g. close the open port 5900/tcp: `firewall-cmd --remove-port=5900/tcp`
|*firewall-cmd --runtime-to-permanent*
|Make the changed rules permanent to survive reboot.
|===
== Ubuntu Uncomplicated Firewall (ufw)
.ufw management commands
[cols=2, options="header"]
|===
|Command
|Description
|*ufw status*
|Show whether the firewall is on and if on, list the active rules.
|*ufw enable*
|Enable firewall.
|*ufw disable*
|Disable firewall
|*ufw reload*
|Reload firewall and rules.
|*ufw allow <predefined service name>*
| Allow some service in any direction from/to any IP address using so called `simple` rule syntax. The service names are as per `/etc/services`. E.g. to allow ssh from any: `ufw allow ssh`.
|*/etc/ufw/before.rules*
|Some rules are pre-allowed by default, to change them edit this file and reload the firewall.
|===
== PF (Packet Filter) management for FreeBSD & OpenBSD
[cols=2, options="header"]
|===
|Command
|Description
|*pfct -d*
|Disable PF in place, does not survive reboot.
|*pfctl -ef /etc/pf.conf*
|Enable PF and load the rule set from file `/etc/pf.conf` in one go.
|*pfctl -nf /etc/pf.conf*
|Parse security rules stored in a file without installing them (dry run).
|*pass in quick on egress from 62.13.77.141 to any*
| 'Quick' rule (means allows this traffic on all interfaces, otherwise we would need 2nd rule allowing this traffic in _outgoing_ direction on egress interface) to allow incoming ANY port/protocol with the source being `62.13.77.141` and destination being ANY IP address behind the PF firewall. NOTE: here, `egress` is not a direction, but a group name to which the interface in question (`em0`) belongs to. In OpenBSD you set it in a file `/etc/hostname.em0: group egress` or in real-time with the command: `ifconfig em0 group egress`.
|===

570
cheat-sheets/Linux-ip-route-reference-by-examples.adoc
View File

@@ -1,285 +1,285 @@
= Linux ip route command reference by example
NOTE: All the commands below take effect immediately after you hit Enter, and do NOT survive reboot. You may shorten the commands to the shortest but unique, e.g. `sh ip ad` instead of `show ip address`. All the commands come as part of the pre-installed package `iproute2`.
Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
<<ip address - Manage IP address(es) on interfaces>> +
<<ip route - Manage routing table>> +
<<ip link - Link Management>> +
<<ip neighbor - Manage ARP and neighbors table>> +
<<Network bridge with ip route2 - manage a network bridge using the ip command>> +
<<Reference>>
== ip address - Manage IP address(es) on interfaces
[cols=2, options="header"]
|===
|Command
|Description
|*ip address show / ip ad sh*
|Show all IP addresses of all interfaces, also their MTU, MAC addresses.
|*ip address show ens36*
|Show IPs of a given interface (ens36).
|*ip address show up*
|Only show IPs of the interfaces that are configured as UP.
|*ip address show dynamic/permanent*
|Show only dynamic (DHCP) or static IPv4/IPv6 addresses.
|*ip address add 192.0.2.1/27 dev ens36*
|Add a new IP address (192.0.2.1) to the named (ens36) interface.
|*ip address add 192.0.2.1/27 dev ens36 label ens36:external*
|Add IP address to the interface, AND label it (external). The label is any string. The label will show in show ip address as: inet 192.0.2.1/27 scope global ens33:external
|*ip address delete 192.0.2.1/27 dev ens36*
|Delete the specified IP address from the interface
|*ip address flush dev ens36*
|Delete ALL IP addresses from the given interface.
|===
== ip route - Manage routing table
[cols=2, options="header"]
|===
|Command
|Description
|*ip route [show]* / *ip ro* +
*ip -6 route* +
*ip -4 route*
|Show the routing table for both IPv4 and IPv6. +
Show the routing table for IPv6 only. +
Show the routing table for IPv4 only.
|*ip route show table all*
|Show ALL routing tables of the server, helpful when there is Policy Based Routing (PBR) in place.
|*ip route add default via 10.10.10.1* +
*ip route add default dev ens36* +
*ip route add 0.0.0.0/0 dev ens36* +
*ip -6 route add default dev ens36*
|Add default route/default gateway via next hop +
… via outgoing interface (ens36) +
… via outgoing interface using 0.0.0.0/0 notation +
Add default IPv6 route.
|*ip route delete default dev ens36*
|Delete default route via given interface
|*ip route show root 192.0.2.0/24*
|Show routes not shorter than the given. Here, 192.0.2.0/29 will match, but 192.0.2.0/23 will not.
|*ip route show match 192.0.2.0/29*
|Show routes not longer than the given network/mask. Here, 192.0.2.0/30 will match, but 192.0.2.0/27 will not.
|*ip route show exact 192.0.2.0/29*
|Show route(s) matching EXACTLY inside the network and its given mask. Here, 192.0.2.7 will match, but 192.0.2.8 will not.
|*ip route get 192.123.123.1/24*
|Simulate resolving of a route in real time by kernel.
|*ip route add 192.192.13.0/24 via 10.13.77.1* +
*ip route add 192.192.13.0/24 dev ens36*
|Add new route to 192.192.13.1/24 via nexthop. +
Add new route to 192.192.13.1/24 via interface.
|*ip route delete 192.192.13.0/24 via 10.13.77.1* +
*ip route delete 192.192.13.0/24*
|Delete specific route
|*ip route change 192.192.13.0/24 dev ens32*
|Change some parameter of the existing route.
|*ip route replace 192.192.13.0/24 dev ens36*
|Replace a route if exists add if not.
|*ip route add blackhole 192.1.1.0/24*
|Black hole some route. The traffic sent to this route will be dropped without any feedback.
|*ip route add unreachable 192.1.1.0/24*
|Block destination route, replies to sender “Host unreachable”.
|*ip route add prohibit 192.1.1.0/24*
|Block destination route, replies to sender with ICMP “Administratively prohibited”.
|*ip route add throw 192.1.1.0/24*
|Block destination route, sends in reply ICMP “net unreachable”.
|*ip route add 10.10.10.0/24 via 10.1.1.1 metric 5*
|Add a route with a custom metric.
|*ip route add default nexthop via 10.10.10.1 weight 1 nexthop dev ens33 weight 10*
|Add 2 (default) routes with different weights (higher weight is preferred) first with the weight of 1, second with the weight of 10.
|===
== ip link - Link Management
[cols=2, options="header"]
|===
|Command
|Description
|*ip link show / ip link / ip link list* +
*ip link show ens36*
|Show info on all available interfaces. +
Show info on a specific interface.
|*ip link set dev eth36 down* +
*ip link set dev ens36 up*
|Set interface state to down. +
Set interface state to up.
|*ip link set ens33 name eth33*
|Rename interface, here from ens33 to eth33. First, you have to set interface to down state. This adds this name as an alternative name, keeping the old name as well. Use with care some distributions (RHEL/CentOS) expect certain names for each interface type.
|*ip link set dev eth0 address 02:42:c2:7c:39:b3*
|Change MAC address of the interface.
|*ip link set dev tun0 mtu 1480*
|Set MTU size for the interface.
|*ip link delete <dev>*
|Delete interface, relevant for virtual interfaces only (VLAN, bridge, VXLAN, etc.).
|*ip link set dev ens36 arp off/on*
|Turn ARP resolution protocol on the interface ens36 on/off. NOTE: disabling ARP will clear the current ARP table and will prevent this interface from learning MAC addresses, and so will disconnect any remote sessions to the host.
|*ip link set dev ens36 multicast off/on*
|Turn multicast on the interface ens36 on or off.
|*ip link add name eth0.110 link eth0 type vlan id 110*
|Add VLAN 110 on the fly to the interface eth0, naming it eth1.110.
|*ip link add name eth0.120 link eth0 type vlan proto 802.1ad id 120* +
*ip link add name eth0.120.200 link eth0.120 type vlan proto 802.1q id 200*
|*QinQ (kernel >= 3.10)*. Add VLAN 120 as external VLAN on interface eth0 naming it eth0.120, setting protocol to 802.1ad.
Add internal VLAN 200 to the eth0.120, naming it eth0.120.200 and setting protocol to the 802.1Q.
|*ip link add dummy0 type dummy* +
*ip addr add 172.17.1.1/24 dev dummy0* +
*ip link set dummy0 up*
|Create virtual software interface of type dummy, assign it IP address, and bring it up. Useful for testing.
|*ip link add vx0 type vxlan id 100 local 172.16.13.1 remote 192.168.12.12 dev eth0 dstport 4789*
|Create VXLAN tunnel with id of 100 and local and remote addresses of 172.16.13.1/192.168.12.12 using destination port of 4789 UDP.
|*ip link add bond13-14 type bond mode active-backup* +
*ip link set eth13 master bond13-14* +
*ip link set eth14 master bond13-14*
|Create logical interface bond13-14 of type bond in active-backup mode for failover (only 1 physical interface is active at any time).
Add 2 physical interfaces to this bond (eth13 & eth14). All further configurations are to be done on the bond13-14 interface.
|===
== ip neighbor - Manage ARP and neighbors table
[cols=2, options="header"]
|===
|Command
|Description
|*ip neighbor show* +
*ip neighbor show dev eth0*
*ip -6 neighbor show*
|Show all MAC addresses of the IPv4 neighbors. +
Show MAC addresses of the neighbors on ens36 interface only. +
Show IPv6 neighbors.
|*ip neighbor flush dev eth0*
|Delete all cached dynamically learned MAC addresses on the interface eth0.
|*ip neighbor add 192.1.1.1 lladdr 01:22:33:44:55:f1 dev eth0*
|Add static IP address to MAC address mapping for a neighbor on the interface eth0.
|*ip neighbor delete 192.1.1.1 lladdr 01:33:44:55:ff:11 dev eth0*
|Delete a static mapping of IP address to the MAC address on the interface.
|===
== Network bridge with ip route2 - manage a network bridge using the ip command
[cols=2, options="header"]
|===
|Command
|Description
|*ip link add name bridge_name type bridge* +
*ip link set bridge_name up*
|Create a new bridge and change its state to up.
|*ip link set eth0 up*
|To add an interface (e.g. eth0) into the bridge, its state must be up
|*ip link set eth0 master bridge_name*
|Adding the interface into the bridge
|*bridge link*
|To show the existing bridges and associated interfaces, use the bridge command
|*ip link set eth0 nomaster*
|to remove an interface from a bridge
|*ip link delete bridge_name type bridge*
|To delete a bridge
|*bridge fdb show*
|Shows a list of MACs in FDB(Forwarding Database entry)
|*bridge fdb add 00:01:02:03:04:05 dev eth0 master*
|add a new fdb entry
|*bridge fdb append to 00:00:00:00:00:00 dst 10.0.0.2 dev vxlan0*
|append a forwarding database entry
|*bridge fdb del 00:01:02:03:04:05 dev eth0 master*
|Deletes FDB entry
|*bridge vlan add dev bond0 vid 2 master*
|Create a new vlan
|*bridge vlan delete dev eth0 vid 2*
|Delete a vlan
|*bridge vlan show*
|List all vlans
|*bridge link set dev eth0 guard on*
|Disable/Enable BPDU proccessing on specific port
|*bridge link set dev eth1 cost 4*
|Setting STP Cost to a port
|*bridge link set dev eth1 root_block on*
|To set root guard on eth1
|===
== Reference
* https://manpages.debian.org/jessie/iproute2/ip-route.8.en.html
= Linux ip route command reference by example
NOTE: All the commands below take effect immediately after you hit Enter, and do NOT survive reboot. You may shorten the commands to the shortest but unique, e.g. `sh ip ad` instead of `show ip address`. All the commands come as part of the pre-installed package `iproute2`.
Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
<<ip address - Manage IP address(es) on interfaces>> +
<<ip route - Manage routing table>> +
<<ip link - Link Management>> +
<<ip neighbor - Manage ARP and neighbors table>> +
<<Network bridge with ip route2 - manage a network bridge using the ip command>> +
<<Reference>>
== ip address - Manage IP address(es) on interfaces
[cols=2, options="header"]
|===
|Command
|Description
|*ip address show / ip ad sh*
|Show all IP addresses of all interfaces, also their MTU, MAC addresses.
|*ip address show ens36*
|Show IPs of a given interface (ens36).
|*ip address show up*
|Only show IPs of the interfaces that are configured as UP.
|*ip address show dynamic/permanent*
|Show only dynamic (DHCP) or static IPv4/IPv6 addresses.
|*ip address add 192.0.2.1/27 dev ens36*
|Add a new IP address (192.0.2.1) to the named (ens36) interface.
|*ip address add 192.0.2.1/27 dev ens36 label ens36:external*
|Add IP address to the interface, AND label it (external). The label is any string. The label will show in show ip address as: inet 192.0.2.1/27 scope global ens33:external
|*ip address delete 192.0.2.1/27 dev ens36*
|Delete the specified IP address from the interface
|*ip address flush dev ens36*
|Delete ALL IP addresses from the given interface.
|===
== ip route - Manage routing table
[cols=2, options="header"]
|===
|Command
|Description
|*ip route [show]* / *ip ro* +
*ip -6 route* +
*ip -4 route*
|Show the routing table for both IPv4 and IPv6. +
Show the routing table for IPv6 only. +
Show the routing table for IPv4 only.
|*ip route show table all*
|Show ALL routing tables of the server, helpful when there is Policy Based Routing (PBR) in place.
|*ip route add default via 10.10.10.1* +
*ip route add default dev ens36* +
*ip route add 0.0.0.0/0 dev ens36* +
*ip -6 route add default dev ens36*
|Add default route/default gateway via next hop +
… via outgoing interface (ens36) +
… via outgoing interface using 0.0.0.0/0 notation +
Add default IPv6 route.
|*ip route delete default dev ens36*
|Delete default route via given interface
|*ip route show root 192.0.2.0/24*
|Show routes not shorter than the given. Here, 192.0.2.0/29 will match, but 192.0.2.0/23 will not.
|*ip route show match 192.0.2.0/29*
|Show routes not longer than the given network/mask. Here, 192.0.2.0/30 will match, but 192.0.2.0/27 will not.
|*ip route show exact 192.0.2.0/29*
|Show route(s) matching EXACTLY inside the network and its given mask. Here, 192.0.2.7 will match, but 192.0.2.8 will not.
|*ip route get 192.123.123.1/24*
|Simulate resolving of a route in real time by kernel.
|*ip route add 192.192.13.0/24 via 10.13.77.1* +
*ip route add 192.192.13.0/24 dev ens36*
|Add new route to 192.192.13.1/24 via nexthop. +
Add new route to 192.192.13.1/24 via interface.
|*ip route delete 192.192.13.0/24 via 10.13.77.1* +
*ip route delete 192.192.13.0/24*
|Delete specific route
|*ip route change 192.192.13.0/24 dev ens32*
|Change some parameter of the existing route.
|*ip route replace 192.192.13.0/24 dev ens36*
|Replace a route if exists add if not.
|*ip route add blackhole 192.1.1.0/24*
|Black hole some route. The traffic sent to this route will be dropped without any feedback.
|*ip route add unreachable 192.1.1.0/24*
|Block destination route, replies to sender “Host unreachable”.
|*ip route add prohibit 192.1.1.0/24*
|Block destination route, replies to sender with ICMP “Administratively prohibited”.
|*ip route add throw 192.1.1.0/24*
|Block destination route, sends in reply ICMP “net unreachable”.
|*ip route add 10.10.10.0/24 via 10.1.1.1 metric 5*
|Add a route with a custom metric.
|*ip route add default nexthop via 10.10.10.1 weight 1 nexthop dev ens33 weight 10*
|Add 2 (default) routes with different weights (higher weight is preferred) first with the weight of 1, second with the weight of 10.
|===
== ip link - Link Management
[cols=2, options="header"]
|===
|Command
|Description
|*ip link show / ip link / ip link list* +
*ip link show ens36*
|Show info on all available interfaces. +
Show info on a specific interface.
|*ip link set dev eth36 down* +
*ip link set dev ens36 up*
|Set interface state to down. +
Set interface state to up.
|*ip link set ens33 name eth33*
|Rename interface, here from ens33 to eth33. First, you have to set interface to down state. This adds this name as an alternative name, keeping the old name as well. Use with care some distributions (RHEL/CentOS) expect certain names for each interface type.
|*ip link set dev eth0 address 02:42:c2:7c:39:b3*
|Change MAC address of the interface.
|*ip link set dev tun0 mtu 1480*
|Set MTU size for the interface.
|*ip link delete <dev>*
|Delete interface, relevant for virtual interfaces only (VLAN, bridge, VXLAN, etc.).
|*ip link set dev ens36 arp off/on*
|Turn ARP resolution protocol on the interface ens36 on/off. NOTE: disabling ARP will clear the current ARP table and will prevent this interface from learning MAC addresses, and so will disconnect any remote sessions to the host.
|*ip link set dev ens36 multicast off/on*
|Turn multicast on the interface ens36 on or off.
|*ip link add name eth0.110 link eth0 type vlan id 110*
|Add VLAN 110 on the fly to the interface eth0, naming it eth1.110.
|*ip link add name eth0.120 link eth0 type vlan proto 802.1ad id 120* +
*ip link add name eth0.120.200 link eth0.120 type vlan proto 802.1q id 200*
|*QinQ (kernel >= 3.10)*. Add VLAN 120 as external VLAN on interface eth0 naming it eth0.120, setting protocol to 802.1ad.
Add internal VLAN 200 to the eth0.120, naming it eth0.120.200 and setting protocol to the 802.1Q.
|*ip link add dummy0 type dummy* +
*ip addr add 172.17.1.1/24 dev dummy0* +
*ip link set dummy0 up*
|Create virtual software interface of type dummy, assign it IP address, and bring it up. Useful for testing.
|*ip link add vx0 type vxlan id 100 local 172.16.13.1 remote 192.168.12.12 dev eth0 dstport 4789*
|Create VXLAN tunnel with id of 100 and local and remote addresses of 172.16.13.1/192.168.12.12 using destination port of 4789 UDP.
|*ip link add bond13-14 type bond mode active-backup* +
*ip link set eth13 master bond13-14* +
*ip link set eth14 master bond13-14*
|Create logical interface bond13-14 of type bond in active-backup mode for failover (only 1 physical interface is active at any time).
Add 2 physical interfaces to this bond (eth13 & eth14). All further configurations are to be done on the bond13-14 interface.
|===
== ip neighbor - Manage ARP and neighbors table
[cols=2, options="header"]
|===
|Command
|Description
|*ip neighbor show* +
*ip neighbor show dev eth0*
*ip -6 neighbor show*
|Show all MAC addresses of the IPv4 neighbors. +
Show MAC addresses of the neighbors on ens36 interface only. +
Show IPv6 neighbors.
|*ip neighbor flush dev eth0*
|Delete all cached dynamically learned MAC addresses on the interface eth0.
|*ip neighbor add 192.1.1.1 lladdr 01:22:33:44:55:f1 dev eth0*
|Add static IP address to MAC address mapping for a neighbor on the interface eth0.
|*ip neighbor delete 192.1.1.1 lladdr 01:33:44:55:ff:11 dev eth0*
|Delete a static mapping of IP address to the MAC address on the interface.
|===
== Network bridge with ip route2 - manage a network bridge using the ip command
[cols=2, options="header"]
|===
|Command
|Description
|*ip link add name bridge_name type bridge* +
*ip link set bridge_name up*
|Create a new bridge and change its state to up.
|*ip link set eth0 up*
|To add an interface (e.g. eth0) into the bridge, its state must be up
|*ip link set eth0 master bridge_name*
|Adding the interface into the bridge
|*bridge link*
|To show the existing bridges and associated interfaces, use the bridge command
|*ip link set eth0 nomaster*
|to remove an interface from a bridge
|*ip link delete bridge_name type bridge*
|To delete a bridge
|*bridge fdb show*
|Shows a list of MACs in FDB(Forwarding Database entry)
|*bridge fdb add 00:01:02:03:04:05 dev eth0 master*
|add a new fdb entry
|*bridge fdb append to 00:00:00:00:00:00 dst 10.0.0.2 dev vxlan0*
|append a forwarding database entry
|*bridge fdb del 00:01:02:03:04:05 dev eth0 master*
|Deletes FDB entry
|*bridge vlan add dev bond0 vid 2 master*
|Create a new vlan
|*bridge vlan delete dev eth0 vid 2*
|Delete a vlan
|*bridge vlan show*
|List all vlans
|*bridge link set dev eth0 guard on*
|Disable/Enable BPDU proccessing on specific port
|*bridge link set dev eth1 cost 4*
|Setting STP Cost to a port
|*bridge link set dev eth1 root_block on*
|To set root guard on eth1
|===
== Reference
* https://manpages.debian.org/jessie/iproute2/ip-route.8.en.html

206
cheat-sheets/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands.adoc
View File

@@ -1,103 +1,103 @@
= MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
*MRV Communications* (acquired in 2017 by ADVA Optical Networking) is an Israeli company known for their optical network equipment, most notably their Optiswitch Carrier Ethernet Switch series. The switches (OS904, OS906G, OS912) are not available for purchase from them anymore, but if you work for a telco company, you surely still have these boxes around doing their work.
Unfortunately, with the merger and the end of sale, all the documentation disappeared as well. To help you a bit I bring below some debug and diagnostic commands to be run on the CLI. You can still find the datasheet here https://www.cornet-solutions.co.jp/pdf/mrv_os_900_sdb_a4_hi.pdf
You can see how output of the commands below looks like when run on the real MRV in my blog post: https://yurisk.info/2020/01/13/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands/.
[cols=2*,options="header"]
|===
|Command
|Description
|*no cli-paging/cli-paging*
|Enable/disable paging the output.
|*show <smth> \| <include/begin/end/exclude> <search term>*
|Pipe output of some `show` command, e.g. find specific MAC address: `show lt \| include B1:12` (search terms are case sensitive). Also can pipe to few Linux commands, e.g. count number of learned/dynamic MACs: `show lt \| grep -c "DYNAMIC"`
|*show run*
|Show the running configuration
|*show port*
| Show port summary: state (on/off), speed, media (copper/sfp), duplex state
|*show interface*
|List of logical/vlan interfaces, MAC addresses, IP address (if any)
|*show port detail _n_*
| Show details of the port number _n_: media type, speed/duplex configured and actual, state, shaping applied.
|*show port statistics _n_*
|Show real-time statistics: packets/bytes received/sent, CRC and other error count
|*show l2cntrl-protocol-counters*
|Show counters of received/transmitted Layer 2 control protocols - LACP, MSTP, RSTP, OAM.
|*show run ports*
| Show running configuration for all ports
|*show port tag*
|Show tagging/vlans configured on each port
|*show port sfp-diag _n_*
| Show real-time diagnostic data for the interface: TX/RX power in dBm, voltage, temperature
|*show port sfp-params*
|Physical parameters of the SFP interface
|*show port rate _portnumber_ time _seconds_*
|Show the rate of the traffic passing the interface real-time
|*monitor port statistics _portnumber_*
|Show the same data as `show port statistics` but refresh every other second
|*(config)# port state disable/enable <n>*
|Disable/enable MRV port number `n` (shut/no shut in Cisco terminology). Make sure you don't disable th eport you are connected through.
|*(config)# port media-select <sfp/sfp100/copper/auto/sgmii>*
| Set manually type of physical interface installed in MRV.
|*(config)# port speed <10/100/1000/auto> <n/all>*
|Force specific speed settting for a port.
|*show lt [port <port number> all]*
|Show MAC address table - static and learned dynamic. Output also gives timestamp when MAC address displayed was last changed. Optionally, specify port to show only MACs on this port.
|*(config)# clear lt*
|Delete all learned MAC addresses from Learning Table.
|*show syslog <all/debug/info/warning/error/fatal> [start-date] [end-date]*
|Show logs per their severity. Optional start/end dates are in format `mm-dd-ff:mm:ss` . If remote syslog is configured in the MRV, there will be NO local logs, to verify - look in configuration `show run \| i rsyslog`.
|*clear syslog*
|Delete all local log entries.
|*show ver*
| Show the device model, hardware, fan status, OS installed, MAC address, serial number and uptime.
|*show time*
|Show system time. Important for checking alarms and logs
|*show cpu*
|CPU properties
|===
Additionally see https://github.com/yuriskinfo/cheat-sheets/blob/master/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc
= MRV Optiswitch OS904 OS906 OS912 debug and diagnostic commands
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
*MRV Communications* (acquired in 2017 by ADVA Optical Networking) is an Israeli company known for their optical network equipment, most notably their Optiswitch Carrier Ethernet Switch series. The switches (OS904, OS906G, OS912) are not available for purchase from them anymore, but if you work for a telco company, you surely still have these boxes around doing their work.
Unfortunately, with the merger and the end of sale, all the documentation disappeared as well. To help you a bit I bring below some debug and diagnostic commands to be run on the CLI. You can still find the datasheet here https://www.cornet-solutions.co.jp/pdf/mrv_os_900_sdb_a4_hi.pdf
You can see how output of the commands below looks like when run on the real MRV in my blog post: https://yurisk.info/2020/01/13/MRV-Optiswitch-OS904-OS906-OS912-debug-and-diagnostic-commands/.
[cols=2*,options="header"]
|===
|Command
|Description
|*no cli-paging/cli-paging*
|Enable/disable paging the output.
|*show <smth> \| <include/begin/end/exclude> <search term>*
|Pipe output of some `show` command, e.g. find specific MAC address: `show lt \| include B1:12` (search terms are case sensitive). Also can pipe to few Linux commands, e.g. count number of learned/dynamic MACs: `show lt \| grep -c "DYNAMIC"`
|*show run*
|Show the running configuration
|*show port*
| Show port summary: state (on/off), speed, media (copper/sfp), duplex state
|*show interface*
|List of logical/vlan interfaces, MAC addresses, IP address (if any)
|*show port detail _n_*
| Show details of the port number _n_: media type, speed/duplex configured and actual, state, shaping applied.
|*show port statistics _n_*
|Show real-time statistics: packets/bytes received/sent, CRC and other error count
|*show l2cntrl-protocol-counters*
|Show counters of received/transmitted Layer 2 control protocols - LACP, MSTP, RSTP, OAM.
|*show run ports*
| Show running configuration for all ports
|*show port tag*
|Show tagging/vlans configured on each port
|*show port sfp-diag _n_*
| Show real-time diagnostic data for the interface: TX/RX power in dBm, voltage, temperature
|*show port sfp-params*
|Physical parameters of the SFP interface
|*show port rate _portnumber_ time _seconds_*
|Show the rate of the traffic passing the interface real-time
|*monitor port statistics _portnumber_*
|Show the same data as `show port statistics` but refresh every other second
|*(config)# port state disable/enable <n>*
|Disable/enable MRV port number `n` (shut/no shut in Cisco terminology). Make sure you don't disable th eport you are connected through.
|*(config)# port media-select <sfp/sfp100/copper/auto/sgmii>*
| Set manually type of physical interface installed in MRV.
|*(config)# port speed <10/100/1000/auto> <n/all>*
|Force specific speed settting for a port.
|*show lt [port <port number> all]*
|Show MAC address table - static and learned dynamic. Output also gives timestamp when MAC address displayed was last changed. Optionally, specify port to show only MACs on this port.
|*(config)# clear lt*
|Delete all learned MAC addresses from Learning Table.
|*show syslog <all/debug/info/warning/error/fatal> [start-date] [end-date]*
|Show logs per their severity. Optional start/end dates are in format `mm-dd-ff:mm:ss` . If remote syslog is configured in the MRV, there will be NO local logs, to verify - look in configuration `show run \| i rsyslog`.
|*clear syslog*
|Delete all local log entries.
|*show ver*
| Show the device model, hardware, fan status, OS installed, MAC address, serial number and uptime.
|*show time*
|Show system time. Important for checking alarms and logs
|*show cpu*
|CPU properties
|===
Additionally see https://github.com/yuriskinfo/cheat-sheets/blob/master/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc

222
cheat-sheets/RAD-ETX-203-205-220-debug-and-information-commands-cheat-sheet.adoc
View File

@@ -1,111 +1,111 @@
= RAD ETX 203, 205, 220 debug and information commands
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Carrier Ethernet Devices by RAD (ETX-203AX, ETX-203AM, ETX-203AX-T, ETX-205A, ETX-220A) are quite popular with telco companies around the world for connecting end clients to the backbone at layer 2. And while reference documentation is available, I couldn't find the debug/information commands digest on the Internet at all. This post, I hope, comes to fill the gap.
The commands below are meant to be run on the device CLI itself, not on provisioning system like RADview. You can see how output looks like when run on the real ETX on my blog post https://yurisk.info/2020/03/21/rad-etx-203-203-220-debug-and-information-commands-examples/.
[cols=2*,options="header"]
|===
|Command
|Description
|*show configure port summary*
| Show port summary: state (up/down), speed
|*show config port _name_ status*
| Show port status: administrative and operational states, speed/duplex, connector type, MAC address, and most important (for fiber) - RX/TX signal power (dBm)
|*show config port _name_ statistics*
| Statistics of the port: total bits/frames passed, maximum/minimum bits/sec seen, and most
interesting - CRC errors, error frames, oversize frames, discards, CV/ES/SES/FC stats for
E1 lines.
|*config port ethernet _number_*
*clear-statistics*
|Clear all statistics/counters for this port.
|*config flow*
*flow _flow-name_*
*show statistics running*
|Show detailed counters for the given flow, will include `bps`, max/min `bps` seen after reboot, `drops` if any.
|*config port _name_*
*rate-measure interval _seconds_*
*show rate*
| Show port utilization in bits/sec in real-time
|_Responder:_
*config flow*
*service-ping-response local-ip 13.13.13.2/30 next-hop 13.13.13.1 egress-port ethernet 4/2 vlan 777*
_Ping sender:_
*config flow*
service-ping local-ip 13.13.13.1/30 dst-ip 13.13.13.2 next-hop 13.13.13.2 egress-port ethernet 4/1 vlan 777 number-of-packets 10 payload-size 1450
|Send ping over the client vlan in Service Provider network (here 777) from ETX
to ETX to measure latency and packet loss. You configure one ETX as a responder
and another one as a sender.
|*show configure flows summary brief*
|List all flows configured on this ETX briefly
|*show configure flows summary details*
|List all flows configured on this ETX with details
|*config flow _name_*
*mac-learning*
*show mac-table*
*no mac-learning*
|Enable MAC address learning inside a flow and show the MAC table. The _flow_ should be the one where
those MAC addresses are supposed to be learned, and in the appropriate
direction. E.g. if the equipment of the end client is connected to ETX port
`ethernet 0/10`, then you should run this command under the flow that has
`ingress port 0/10`, to see if the ETX can see client's equipment. WARNING:
after showing the results, make sure to disable the MAC learning, as it may
interfere with the client's traffic.
|*show config system system-date*
| Show system time of the appliance, important for logs/alarms correlation.
|*show config reporting brief-alarm-log*
|Show alarms log, their severity/state/last raised time
|*exit all*
|Exit all sub-configuration modes to the top level.
|*show file startup*
|Show startup configuration.
|*save*
|Save the configuration.
|*clear-statistics*
|Clear all statistics (at the highest config level) - errors on interfaces, bytes sent/received, etc.
|*admin*
*reboot*
|Reboot the device.
|===
= RAD ETX 203, 205, 220 debug and information commands
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
Carrier Ethernet Devices by RAD (ETX-203AX, ETX-203AM, ETX-203AX-T, ETX-205A, ETX-220A) are quite popular with telco companies around the world for connecting end clients to the backbone at layer 2. And while reference documentation is available, I couldn't find the debug/information commands digest on the Internet at all. This post, I hope, comes to fill the gap.
The commands below are meant to be run on the device CLI itself, not on provisioning system like RADview. You can see how output looks like when run on the real ETX on my blog post https://yurisk.info/2020/03/21/rad-etx-203-203-220-debug-and-information-commands-examples/.
[cols=2*,options="header"]
|===
|Command
|Description
|*show configure port summary*
| Show port summary: state (up/down), speed
|*show config port _name_ status*
| Show port status: administrative and operational states, speed/duplex, connector type, MAC address, and most important (for fiber) - RX/TX signal power (dBm)
|*show config port _name_ statistics*
| Statistics of the port: total bits/frames passed, maximum/minimum bits/sec seen, and most
interesting - CRC errors, error frames, oversize frames, discards, CV/ES/SES/FC stats for
E1 lines.
|*config port ethernet _number_*
*clear-statistics*
|Clear all statistics/counters for this port.
|*config flow*
*flow _flow-name_*
*show statistics running*
|Show detailed counters for the given flow, will include `bps`, max/min `bps` seen after reboot, `drops` if any.
|*config port _name_*
*rate-measure interval _seconds_*
*show rate*
| Show port utilization in bits/sec in real-time
|_Responder:_
*config flow*
*service-ping-response local-ip 13.13.13.2/30 next-hop 13.13.13.1 egress-port ethernet 4/2 vlan 777*
_Ping sender:_
*config flow*
service-ping local-ip 13.13.13.1/30 dst-ip 13.13.13.2 next-hop 13.13.13.2 egress-port ethernet 4/1 vlan 777 number-of-packets 10 payload-size 1450
|Send ping over the client vlan in Service Provider network (here 777) from ETX
to ETX to measure latency and packet loss. You configure one ETX as a responder
and another one as a sender.
|*show configure flows summary brief*
|List all flows configured on this ETX briefly
|*show configure flows summary details*
|List all flows configured on this ETX with details
|*config flow _name_*
*mac-learning*
*show mac-table*
*no mac-learning*
|Enable MAC address learning inside a flow and show the MAC table. The _flow_ should be the one where
those MAC addresses are supposed to be learned, and in the appropriate
direction. E.g. if the equipment of the end client is connected to ETX port
`ethernet 0/10`, then you should run this command under the flow that has
`ingress port 0/10`, to see if the ETX can see client's equipment. WARNING:
after showing the results, make sure to disable the MAC learning, as it may
interfere with the client's traffic.
|*show config system system-date*
| Show system time of the appliance, important for logs/alarms correlation.
|*show config reporting brief-alarm-log*
|Show alarms log, their severity/state/last raised time
|*exit all*
|Exit all sub-configuration modes to the top level.
|*show file startup*
|Show startup configuration.
|*save*
|Save the configuration.
|*clear-statistics*
|Clear all statistics (at the highest config level) - errors on interfaces, bytes sent/received, etc.
|*admin*
*reboot*
|Reboot the device.
|===

286
cheat-sheets/Route53-AWS-CLI-examples.adoc
View File

@@ -1,143 +1,143 @@
= Route53 AWS CLI examples cookbook
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Short Introduction
* AWS Route53 is the only service with 100% SLA.
* Amazon Registrar does domain registration only for _.com, .org, .net_ domains, the
rest are registered via _Gandi SAS_
== List all hosted zones (private and public)
[source, bash]
----
aws route53 list-hosted-zones
----
If you are using configuration profiles:
[source, bash]
----
aws route53 list-hosted-zones --profile <profile-name>
----
This command returns _zone-id_ you will need in future queries.
== Show all records of a zone
[source, bash]
----
aws route53 list-resource-record-sets --hosted-zone-id Z3HR6JS50CWURT
----
=== Filter output for specific records
Show all and only A records from a zone:
----
aws route53 list-resource-record-sets --hosted-zone-id ZN36CWKHEDURT \
--query "ResourceRecordSets[?Type == 'A'] "
----
Show only records matching the given record value (here _www.yurisk.info_):
----
aws route53 list-resource-record-sets --hosted-zone-id ZN36CWKHEDURT \
--query "ResourceRecordSets[?Name == 'www.yurisk.info.'] "
----
NOTE: AWS returns maximum 100 items in one response. Use paging with `NextToken`
if you expect to get more results.
== Create a new public zone
Create a new public zone named _example334455.com_:
----
aws route53 create-hosted-zone --name example334455.com \
--caller-reference some-text-for-me-for-reference
----
On success returns zone's ID, request status (e.g. `Pending`), allocated name
servers. The `caller-reference` you set is used for identifying this request in
logs etc. and can be arbitrary string.
== Add A record to a zone
While mainly expected to store the record in JSON format in a local file, we
can specify the record(s) to add explicitly with `--change-batch`. Let's add A
record _www.example334455.com_ wtih TTL of 600, pointing to IP _1.2.3.4_:
----
aws route53 change-resource-record-sets --hosted-zone-id Z0967968IADGHN5TI3WW \
--change-batch '
{
"Comment": "Adding A record",
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "www.example334455.com",
"Type": "A",
"TTL": 600,
"ResourceRecords": [
{
"Value": "1.2.3.4"
}
]
}
}
]
}
'
----
== Delete a record from a zone
Let's delete the A record just created _www.example334455.com_ (we use
`Action:DELETE`):
----
aws route53 change-resource-record-sets --hosted-zone-id Z0967968IADGHN5TI3WW \
--change-batch '
{
"Comment": "Adding A record",
"Changes": [
{
"Action": "DELETE",
"ResourceRecordSet": {
"Name": "www.example334455.com",
"Type": "A",
"TTL": 600,
"ResourceRecords": [
{
"Value": "1.2.3.4"
}
]
}
}
]
}
'
----
== Delete a zone completely
NOTE: You cannot delete a non-empty zone, have to 1st delete all records except
NS.
Trying to delete a zone with other than NS records gives this error:
----
An error occurred (HostedZoneNotEmpty) when calling the DeleteHostedZone
operation: The specified hosted zone contains non-required resource record
sets and so cannot be deleted
----
We delete the empty zone _example334455.com_:
----
aws route53 delete-hosted-zone --id Z0967968IADGHN5TI3WW
----
= Route53 AWS CLI examples cookbook
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Short Introduction
* AWS Route53 is the only service with 100% SLA.
* Amazon Registrar does domain registration only for _.com, .org, .net_ domains, the
rest are registered via _Gandi SAS_
== List all hosted zones (private and public)
[source, bash]
----
aws route53 list-hosted-zones
----
If you are using configuration profiles:
[source, bash]
----
aws route53 list-hosted-zones --profile <profile-name>
----
This command returns _zone-id_ you will need in future queries.
== Show all records of a zone
[source, bash]
----
aws route53 list-resource-record-sets --hosted-zone-id Z3HR6JS50CWURT
----
=== Filter output for specific records
Show all and only A records from a zone:
----
aws route53 list-resource-record-sets --hosted-zone-id ZN36CWKHEDURT \
--query "ResourceRecordSets[?Type == 'A'] "
----
Show only records matching the given record value (here _www.yurisk.info_):
----
aws route53 list-resource-record-sets --hosted-zone-id ZN36CWKHEDURT \
--query "ResourceRecordSets[?Name == 'www.yurisk.info.'] "
----
NOTE: AWS returns maximum 100 items in one response. Use paging with `NextToken`
if you expect to get more results.
== Create a new public zone
Create a new public zone named _example334455.com_:
----
aws route53 create-hosted-zone --name example334455.com \
--caller-reference some-text-for-me-for-reference
----
On success returns zone's ID, request status (e.g. `Pending`), allocated name
servers. The `caller-reference` you set is used for identifying this request in
logs etc. and can be arbitrary string.
== Add A record to a zone
While mainly expected to store the record in JSON format in a local file, we
can specify the record(s) to add explicitly with `--change-batch`. Let's add A
record _www.example334455.com_ wtih TTL of 600, pointing to IP _1.2.3.4_:
----
aws route53 change-resource-record-sets --hosted-zone-id Z0967968IADGHN5TI3WW \
--change-batch '
{
"Comment": "Adding A record",
"Changes": [
{
"Action": "CREATE",
"ResourceRecordSet": {
"Name": "www.example334455.com",
"Type": "A",
"TTL": 600,
"ResourceRecords": [
{
"Value": "1.2.3.4"
}
]
}
}
]
}
'
----
== Delete a record from a zone
Let's delete the A record just created _www.example334455.com_ (we use
`Action:DELETE`):
----
aws route53 change-resource-record-sets --hosted-zone-id Z0967968IADGHN5TI3WW \
--change-batch '
{
"Comment": "Adding A record",
"Changes": [
{
"Action": "DELETE",
"ResourceRecordSet": {
"Name": "www.example334455.com",
"Type": "A",
"TTL": 600,
"ResourceRecords": [
{
"Value": "1.2.3.4"
}
]
}
}
]
}
'
----
== Delete a zone completely
NOTE: You cannot delete a non-empty zone, have to 1st delete all records except
NS.
Trying to delete a zone with other than NS records gives this error:
----
An error occurred (HostedZoneNotEmpty) when calling the DeleteHostedZone
operation: The specified hosted zone contains non-required resource record
sets and so cannot be deleted
----
We delete the empty zone _example334455.com_:
----
aws route53 delete-hosted-zone --id Z0967968IADGHN5TI3WW
----

126
cheat-sheets/Windows-cmd-shell-batch-scripting-cheat-sheet.adoc
View File

@@ -1,63 +1,63 @@
= Windows cmd shell batch scripting cheat sheet
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2022-08-31
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Controlling scripts themselves
[cols=2, options="header"]
|===
|Command
|Description
|*rem*
|Start a comment, till the end of line. It can be used to comment out a whole line or part of it.
|*cls*
|Clear the screen buffer.
|*echo _text to display_*
*echo off/on*
*echo.*
|Print text on line, or, with `off/on` switch without text, turn off/on echoing the commands being run.
Usually, you set `echo off` as the 1st line in a batch script, and the `echo on` as the last line. Turning
echoing off does not hide _output_ of the commands run, just the commands themselves. The 3rd option is `echo` followed immediately
by _dot_ and it causes echo to print a blank line (an dthis is the only way to do so).
|*@*
|Turn off echoing only for the command preceded by this @. E.g. `@echo off` to prevent the _echo off_
being printed itself.
|*title _Title bar text_*
|Change the title of the cmd.exe window for this session. As a rule of a good style, change _title_ on each stage of the
script, to let users know what the script is doing.
|===
== Script arguments
[cols=2, options="header"]
|===
|Command
|Description
|%_n_
|Positional argument to the script from the command line. _n_ can be from 0 to 9.
|%0
|The script name. The actual arguments to the script start with %1.
E.g. `echo The script was called as %0, with the %1 as the first argument`
|%*
|The rest of the positional arguments after the 9th altogether. The individual args are not accessible directly, use `SHIFT`-ing.
|*shift [/_n_]*
|Shift positional arguments by one. If `/n` is given, will shift starting with n+1. E.g. `shift /4` will shift 5th to become 4th,
6th will become 5th, and so on, while arguments before 4 will stay untouched.
|===
= Windows cmd shell batch scripting cheat sheet
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2022-08-31
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== Controlling scripts themselves
[cols=2, options="header"]
|===
|Command
|Description
|*rem*
|Start a comment, till the end of line. It can be used to comment out a whole line or part of it.
|*cls*
|Clear the screen buffer.
|*echo _text to display_*
*echo off/on*
*echo.*
|Print text on line, or, with `off/on` switch without text, turn off/on echoing the commands being run.
Usually, you set `echo off` as the 1st line in a batch script, and the `echo on` as the last line. Turning
echoing off does not hide _output_ of the commands run, just the commands themselves. The 3rd option is `echo` followed immediately
by _dot_ and it causes echo to print a blank line (an dthis is the only way to do so).
|*@*
|Turn off echoing only for the command preceded by this @. E.g. `@echo off` to prevent the _echo off_
being printed itself.
|*title _Title bar text_*
|Change the title of the cmd.exe window for this session. As a rule of a good style, change _title_ on each stage of the
script, to let users know what the script is doing.
|===
== Script arguments
[cols=2, options="header"]
|===
|Command
|Description
|%_n_
|Positional argument to the script from the command line. _n_ can be from 0 to 9.
|%0
|The script name. The actual arguments to the script start with %1.
E.g. `echo The script was called as %0, with the %1 as the first argument`
|%*
|The rest of the positional arguments after the 9th altogether. The individual args are not accessible directly, use `SHIFT`-ing.
|*shift [/_n_]*
|Shift positional arguments by one. If `/n` is given, will shift starting with n+1. E.g. `shift /4` will shift 5th to become 4th,
6th will become 5th, and so on, while arguments before 4 will stay untouched.
|===

136
cheat-sheets/Windows-cmd-shell-tips.adoc
View File

@@ -1,68 +1,68 @@
= Windows cmd.exe shell tips for productivity
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2023-03-07
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== doskey
[cols=2, options="headers"]
|===
|Command
|Description
|Up Arrow
|Recall previous command.
|Down Arrow
|Recall next command
|Page Up
|Recall the 1st/oldest command in the current session.
|Page Down
|Recall the most recent command in this session.
|Ctrl + Left Arrow
|Move cursor back one word.
|Ctrl + Right Arrow
|Move cursor right one word.
|Home
|Move cursor to the beginning of the line.
|End
|Move cursor to the end of the line.
|Esc
|Clear the command from the display.
|Right Click on title -> Properties -> Options -> Buffer size
|Increase/decrease the commands history buffer size. Note: `doskey
/listsize=<n>` stopped working on Windows 10 somewhere in 2021.
|*doskey /history*
|Show all commands in the buffer.
|*doskey _macroName_ = _command to run_*
|Record a macro for this session. E.g. to save some typing:
`doskey ro = route print`, now we can use `ro` to run `route print`.
The macros are not saved, and disappear after closing the cmd.exe,
unless saved in a batch file.
|*doskey /macros*
|Show all macros defined for this session.
|===
== References
* https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/doskey
= Windows cmd.exe shell tips for productivity
Yuri Slobodyanyuk <admin@yurisk.info>
v1.0, 2023-03-07
:homepage: https://yurisk.info
:toc:
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
== doskey
[cols=2, options="headers"]
|===
|Command
|Description
|Up Arrow
|Recall previous command.
|Down Arrow
|Recall next command
|Page Up
|Recall the 1st/oldest command in the current session.
|Page Down
|Recall the most recent command in this session.
|Ctrl + Left Arrow
|Move cursor back one word.
|Ctrl + Right Arrow
|Move cursor right one word.
|Home
|Move cursor to the beginning of the line.
|End
|Move cursor to the end of the line.
|Esc
|Clear the command from the display.
|Right Click on title -> Properties -> Options -> Buffer size
|Increase/decrease the commands history buffer size. Note: `doskey
/listsize=<n>` stopped working on Windows 10 somewhere in 2021.
|*doskey /history*
|Show all commands in the buffer.
|*doskey _macroName_ = _command to run_*
|Record a macro for this session. E.g. to save some typing:
`doskey ro = route print`, now we can use `ro` to run `route print`.
The macros are not saved, and disappear after closing the cmd.exe,
unless saved in a batch file.
|*doskey /macros*
|Show all macros defined for this session.
|===
== References
* https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/doskey

10
cheat-sheets/custom-theme.yml
View File

@@ -1,5 +1,5 @@
extends: default
footer:
verso:
center:
content: ' https://www.linkedin.com/in/yurislobodyanyuk/ {doctitle}'
extends: default
footer:
verso:
center:
content: ' https://www.linkedin.com/in/yurislobodyanyuk/ {doctitle}'

754
cheat-sheets/fortigate-ssl-vpn-hardening-guide.adoc
View File

@@ -1,377 +1,377 @@
= Fortigate VPN SSL Hardening Guide
:source-highlighter: rouge
:title: Fortigate VPN SSL Hardening Guide
:date: 2023-03-15 09:55:25+00:00
:toc:
Last updated: 19.03.2023
== Introduction
This guide is the result of closely following Fortigate VPN SSL vulnerabilities
over the years, actual cases of compromised firewalls, operational manuals and
reports of multiple gangs (e.g. _Conti manuals_) and my experience with Fortigates
of 15+ years and counting. By implementing all/some of the measures below you
will make your SSL VPN on Fortigate substantially harder to break in and thus less
attractive to the attackers.
== Change the default SSL VPN port 10443/443 to anything else
This security by obscurity actually works. In most cases, the attackers do
not target specific companies, but are looking for low hanging fruit. And the
easiest way to do so is to scan for known ports/services. And both, 443 and 10443, are
well known Fortigate listening ports. It is even easier - just search
Shodan/Censys for "Fortigate" and currently Shodan has 185K results for port
10443, and Censys 317K. That was what happened with a large VPN
credentials leak 2 years ago
https://www.linkedin.com/pulse/50000-vpn-usernames-passwords-from-fortigates-around-we-slobodyanyuk/
- all of the affected Fortigates were listening on either 443 or 10443 ports.
The possible downside can be that VPN users connecting via WiFi in hotels/caffe
may have outgoing ports blocked except 443, but with cellular packages being so
cheap today, it is viable for them to use their phone as hotspot for VPN
connectionis and avoid using public WiFi altogether.
image::x-fortigate-ssl-vpn-change-port.png[]
On the CLI:
----
config vpn ssl settings
set port 13123
----
== Do not use local users for authentication, and if using - keep passwords elsewhere or/and enable MFA
In general, keeping all the security info in one box (Fortigate here) is a bad
practice. The mentioned vulnerability CVE-2018-13379 affected only Fortigates
with local VPN users having local authentication. Additionally, you give up
password policies, centralized system to expire/change passwords,
non-repeatability of the passwords etc. with such locally authenticated on the
Fortigate users. Integrating user authentication with existing user database
(LDAP/Active Directory/Cloud AD) is a breeze in Fortigate.
== Enable Multi-Factor Authentication for VPN users
ANY form of MFA will be better than none. Hardware Fortigate come with 2 mobile
application FortiTokens for free. Additionally, you can use SMS as MFA, but will
cost you money, or email that is completely free.
The email as MFA is not visible nor enabled by default, so I wrote a short guide
how to use it
https://yurisk.info/2020/03/01/fortigate-enable-e-mail-as-mfa-and-increase-token-validity-time/[enable e-mail as a two-factor authentication for a user and increase token timeout]
And of course, any 3rd party providing MFA can be used via RADIUS protocol
(Okta/Azure/Duo/etc.)
There is also option of _client_ PKI certificates as MFA, which is quite secure,
but also is most complex in setting up of all. Client certificates do not work
together with SAML authentication (Azure/etc.), which is also a disadvantage.
== Limit access to VPN SSL portal to specific IP addresses
If your users happen to have static IP addresses assigned by their ISP, it is an excellent way to
limit exposure of VPN SSL portal.
image::x-fortigate-vpn-ssl-allow-specific-ips.png[]
== Move VPN SSL listening interface to a Loopback interface
This step will give an additional security control - Security Rule.
The benefits of which are:
* The rule is highly visible, not hidden in CLI as Local-in Policy.
* It will have detailed traffic & security logs.
* It enables to turn SSL VPN access on and off on a time schedule.
* Allows us to disable SSL VPN access in one click (just disable this security
rule) without deleting anything.
* Makes possible to use ISDB address objects (See below on blocking Tor Exit
Nodes).
* And finally, as SSL VPN is NOT hardware-accelerated on any Fortigate, no matter where it
is set, on physical or Loopback interface, no reason to avoid Loopback here.
To set it up:
* Create a Loopback interface (here _Loop33_ with IP of _13.13.13.13_, not shown)
* Enable VPN SSL on this Loopback in VPN SSL Settings:
image::x-fortigate-ssl-vpn-loopback-vpn-setings.png[]
* Allow access to the Loopback on the listening port from the Internet. I use _all_ as a
source (rule id _2_)
here, but see other recommendations on limiting source IP for finer control:
image::x-fortigate-ssl-vpn-loopback-security-rule.png[]
== (Less preferred than above) Limit access to SSL VPN portal in Local-in Policy
The idea here is that unlike limits in the VPN SSL Settings, limits in the
Local-in Policy come before any traffic reaches VPN SSL daemon. Starting with
FortiOS 7.2 we can also use in Local-in Policies GeoIP objects, external feeds (I
haven't seen much benefit in them though). As I mentioned above, due to CLI-only
nature of the Local-in Policy, it is more manageable to use rather Loopback for
SSL VPN connections. But Local-in policy can do the job as well, see some
examples of using it here
https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/[Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more] and https://yurisk.info/2020/06/07/fortigate-local-in-policy/[Fortigate Local in Policy what it does and how to change/configure it]
== Limit access to portal by GeoIP location
When your users are located in a specific country(s), it is advisable to at
least limit access to the VPN to those countries. E.g. for users coming from
Israel:
* Create an address of type _Geography_:
image::x-fortigate-ssl-vpn-geography.png[]
* Use it in VPN SSL Settings:
image::x-fortigate-ssl-vpn-geoip-vpn-settings.png[]
The option to use Geo objects appeared in newer FortiOS, so if you have an older
version, moving SSL VPN to loopback interface will give you this option.
== Block access to/from Tor Exit Nodes and Relays to anything
Attackers using Tor are pretty much untraceable, so this motivates them to
brute-force from Tor network a lot. Again, it is possible to implement only when your SSL VPN is listening on the Loopback
interface - neither VPN Settings, nor Local-in Policy accept ISDB addresses so
far. Just use the ISDB objects for Tor Exit Nodes and Relays, and VPN
Anonymizers in the
security rule that is above the VPN SSL rule to block them.
image::x-fortigate-ssl-vpn-tor-exit-nodes.png[]
Security Rule to block access from Tor to the Loopback interface where SSL VPN
is listening:
image::x-fortigate-ssl-vpn-block-tor-to-loopback.png[]
== Install trusted CA-issued certificate, but don't issue Let's Encrypt certificates directly on the Fortigate
Users, and people in general, are suspicious of anything strange/new/unknown. If
they get used to a valid TLS certificate from a trusted CA Authority on each
login into VPN SSL, they will immediately catch the browser error when being
exposed to Man-in-the-middle attack. Users are your friends, just teach them
good habits and they will be your allies.
_Let's encrypt_ certificates - yes, they are free and trusted. But, issuing them
directly on the Fortigate has 2 disadvantages:
. It enables _Acme_ protocol daemon to listen on port 80, and it HAS to be open
from ANY for auto-renewal to work, and exposing any additional daemon to the
Internet is a bad idea. To be exact - you need to have port 80 open only for the
period of issuing/renewing the certificate. So, you may, if you want to, enable
incoming port 80 from any when requesting certificate, then close the port until
time comes to renew it. But then it is no different from manually requesting and
importing.
. It does not support requesting _wildcard_ certificates, only a specific
subdomain one. And this has additional downside - your VPN subdomain gets logged
on the Internet for everyone to see. Just search here
https://crt.sh/?q=yurisk.com
I do use Let's Encrypt certificates, but on a separate
Linux server from which I export then import the certificates to the Fortigate
manually.
== Configure email alert on each successful VPN SSL connection
Why on successful and not failed? The real-life experience proves that
after _nth_ alert on failed login in a day, people stop looking at them
at all. And in my opinion, the successful log in is more important than the
failed one.
I am working on a collection of automation stitches that will include also this
email alert, follow me for updates on this.
== Prevent re-using the same user account to connect in parallel
You can, by default, connect with the same VPN user from different locations at
the same time. To somewhat improve on this, disable simultaneous logins for
users. This way, the connected user will be disconnected when someone else logs
in with his/her credentials - this would alert the user that something fishy is
going on. You set this feature per Portal.
image::x-fortigate-ssl-vpn-limit-logins-per-user.png[]
On CLI:
----
config vpn ssl web portal
edit "full-access"
set limit-user-logins enable
end
----
== In security rules, allow access only to specific destinations and services, not _all_
I see it many times - to save few clicks, admins put in the _Destination_ column
of the SSL VPN security rule _all_/whole LAN, instead of specific host(s) with
specific services. If attackers get hold of VPN connection to the Fortigate,
they will mass scan internal LAN for AD Domain Controllers, SMB shares,
enumerate all hosts and none of this will happen if you harden the VPN Remote
Access rules to specific services and hosts.
image::x-fortigate-ssl-rule-to-specific-services.png[]
== If not using VPN SSL, disable it, or assign to a dummy interface
The VPN SSL setting is *on* by default, which is ok - as long as there is no
listening interface assigned to it and no security rules using `ssl.root`
exist, the service will NOT listen actually. On some FortiOS versions you have
to do it on CLI. If you want to disable temporarily SSL VPN without deleting
anything, you could, besides clicking on _Disable_, assign it a Loopback
interface which you also put in a _Down_ state.
image::x-fortigate-ssl-vpn-assign-loopback-which-is-disabled.png[]
On CLI:
----
config vpn ssl settings
set status disable
set source-interface Loop1
end
----
== Create a no-access portal and set it as default in the VPN settings
Once you have VPN SSL enabled, you *have* to specify the default portal
to which all unmapped to portals users will be assigned. To prevent unintended
users/groups connecting via this default portal, create the one disabling all
the access inside it and then set it as the default.
* Create a portal with no factual access:
----
config vpn ssl web portal
edit DefaultNoAccess
set tunnel-mode disable
set web-mode disable
set ipv6-tunnel-mode disable
next
end
----
* Make it the default portal:
----
config vpn ssl setting
set default-portal DefaultNoAccess
end
----
IMPORTANT: Make sure you have the relevant users/groups mapped to other, working portals, before doing this.
== Block offending IP after _n_ failed attempts
This slows down brute-force and scanning attacks on VPN SSL. This feature is on
by default, but the block duration is just 60 seconds. You will want to
tune it to your environment and users. I usually set number of failed login
attempts to 3, then block the offender for 10 minutes. In many cases it was
enough for accidental attackers to give up and move to another target.
This can be configured in CLI:
----
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 600
end
----
Here I block the IP for 10 minutes after 3 unsuccessful authentication attempts.
The maximum duration of blocking is 86400 seconds, or 24 hours.
== Disable weak and outdated TLS protocols for SSL VPN
Even with newer FortiOS versions VPN SSL by default supports TLS 1.1, and TLS
1.2 versions that are outdated and recommended against usage everywhere. You can
set SSL VPN to use only TLS 1.2 & 1.3 (on CLI only) with this command ( I
thought of recommending to leave just TLS 1.3, but Forticlient is currently having
problems with using it on Windows 10 & 11, so not for now):
----
config vpn ssl settings
set ssl-min-proto-ver tls1-2
end
----
And make sure it worked:
----
curl -v https://vpn.yurisk.com:13123 --tlsv1.1 -o /dev/null
* Connected to vpn.yurisk.com (52.58.153.81) port 13123 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
} [140 bytes data]
* TLSv1.1 (IN), TLS alert, Server hello (2):
{ [2 bytes data]
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol
version
----
NOTE: This will prevent older browsers/Forticlients from connecting, but we talk
about _very_ old versions, like Internet Explorer 11, or Chrome version 50
(current one is 110). So it should not be a problem.
== Consider switching from VPN SSL to VPN IPSec for clients
A bit drastic, but in all those years of VPN SSL vulnerabilities happening, I
remember of no single critical CVE for the IPSec daemon in Fortigate. Yes, it is more
involved in configuring it, but it may well be worth the effort. You use on the
client side the same Forticlient.
== Consider moving VPN SSL into its own VDOM
This is a measure against the worst case scenario - remotely executable 0-day
happens in the SSL VPN daemon, and attackers break into your Fortigate. In this
scenario the attackers will most probably create their own admin users for
persistence, set up VPN for remote access with rules permitting _Any_ to the
internal LAN, and if not trying to hide - will delete/remove your admin user to
block you access to the Fortigate. If this happens with the Fortigate that all
your DMZ/LAN/Storage/Backup networks are connected to, the game is over. But if
the same happens to the Internet-facing VDOM that has only SSL VPN configs and
rules, well, maximum they will have access to is anything you explicitly allowed
in rules between VDOMs. And if you implemented specific rules to allow specific
protocols to specific hosts, that would be not much of a gain to the attackers.
And all Fortigate models except the smallest ones, have hardware acceleration on
their inter-VDOM links, so perfomance-wise you lose nothing as well.
And price-wise, every Fortigate (even the smallest 40F) includes 10 VDOMs for free.
== Additional Resources to follow
* https://www.fortiguard.com/psirt Fortinet announcements on new vulnerabilities.
* https://yurisk.info/category/fortigate.html My blog's Fortigate category, has RSS feed
* https://t.me/fortichat Fortinet-related Telegram group with experts (Russian language)
* https://community.fortinet.com/ Fortinet Community Forum, a lot of Fortinet TAC folks hang out there.
* https://www.reddit.com/r/fortinet/ Well, Reddit is Reddit.
= Fortigate VPN SSL Hardening Guide
:source-highlighter: rouge
:title: Fortigate VPN SSL Hardening Guide
:date: 2023-03-15 09:55:25+00:00
:toc:
Last updated: 19.03.2023
== Introduction
This guide is the result of closely following Fortigate VPN SSL vulnerabilities
over the years, actual cases of compromised firewalls, operational manuals and
reports of multiple gangs (e.g. _Conti manuals_) and my experience with Fortigates
of 15+ years and counting. By implementing all/some of the measures below you
will make your SSL VPN on Fortigate substantially harder to break in and thus less
attractive to the attackers.
== Change the default SSL VPN port 10443/443 to anything else
This security by obscurity actually works. In most cases, the attackers do
not target specific companies, but are looking for low hanging fruit. And the
easiest way to do so is to scan for known ports/services. And both, 443 and 10443, are
well known Fortigate listening ports. It is even easier - just search
Shodan/Censys for "Fortigate" and currently Shodan has 185K results for port
10443, and Censys 317K. That was what happened with a large VPN
credentials leak 2 years ago
https://www.linkedin.com/pulse/50000-vpn-usernames-passwords-from-fortigates-around-we-slobodyanyuk/
- all of the affected Fortigates were listening on either 443 or 10443 ports.
The possible downside can be that VPN users connecting via WiFi in hotels/caffe
may have outgoing ports blocked except 443, but with cellular packages being so
cheap today, it is viable for them to use their phone as hotspot for VPN
connectionis and avoid using public WiFi altogether.
image::x-fortigate-ssl-vpn-change-port.png[]
On the CLI:
----
config vpn ssl settings
set port 13123
----
== Do not use local users for authentication, and if using - keep passwords elsewhere or/and enable MFA
In general, keeping all the security info in one box (Fortigate here) is a bad
practice. The mentioned vulnerability CVE-2018-13379 affected only Fortigates
with local VPN users having local authentication. Additionally, you give up
password policies, centralized system to expire/change passwords,
non-repeatability of the passwords etc. with such locally authenticated on the
Fortigate users. Integrating user authentication with existing user database
(LDAP/Active Directory/Cloud AD) is a breeze in Fortigate.
== Enable Multi-Factor Authentication for VPN users
ANY form of MFA will be better than none. Hardware Fortigate come with 2 mobile
application FortiTokens for free. Additionally, you can use SMS as MFA, but will
cost you money, or email that is completely free.
The email as MFA is not visible nor enabled by default, so I wrote a short guide
how to use it
https://yurisk.info/2020/03/01/fortigate-enable-e-mail-as-mfa-and-increase-token-validity-time/[enable e-mail as a two-factor authentication for a user and increase token timeout]
And of course, any 3rd party providing MFA can be used via RADIUS protocol
(Okta/Azure/Duo/etc.)
There is also option of _client_ PKI certificates as MFA, which is quite secure,
but also is most complex in setting up of all. Client certificates do not work
together with SAML authentication (Azure/etc.), which is also a disadvantage.
== Limit access to VPN SSL portal to specific IP addresses
If your users happen to have static IP addresses assigned by their ISP, it is an excellent way to
limit exposure of VPN SSL portal.
image::x-fortigate-vpn-ssl-allow-specific-ips.png[]
== Move VPN SSL listening interface to a Loopback interface
This step will give an additional security control - Security Rule.
The benefits of which are:
* The rule is highly visible, not hidden in CLI as Local-in Policy.
* It will have detailed traffic & security logs.
* It enables to turn SSL VPN access on and off on a time schedule.
* Allows us to disable SSL VPN access in one click (just disable this security
rule) without deleting anything.
* Makes possible to use ISDB address objects (See below on blocking Tor Exit
Nodes).
* And finally, as SSL VPN is NOT hardware-accelerated on any Fortigate, no matter where it
is set, on physical or Loopback interface, no reason to avoid Loopback here.
To set it up:
* Create a Loopback interface (here _Loop33_ with IP of _13.13.13.13_, not shown)
* Enable VPN SSL on this Loopback in VPN SSL Settings:
image::x-fortigate-ssl-vpn-loopback-vpn-setings.png[]
* Allow access to the Loopback on the listening port from the Internet. I use _all_ as a
source (rule id _2_)
here, but see other recommendations on limiting source IP for finer control:
image::x-fortigate-ssl-vpn-loopback-security-rule.png[]
== (Less preferred than above) Limit access to SSL VPN portal in Local-in Policy
The idea here is that unlike limits in the VPN SSL Settings, limits in the
Local-in Policy come before any traffic reaches VPN SSL daemon. Starting with
FortiOS 7.2 we can also use in Local-in Policies GeoIP objects, external feeds (I
haven't seen much benefit in them though). As I mentioned above, due to CLI-only
nature of the Local-in Policy, it is more manageable to use rather Loopback for
SSL VPN connections. But Local-in policy can do the job as well, see some
examples of using it here
https://yurisk.info/2022/07/04/fortigate-local-in-policy-configuration-examples-for-vpn-ipsec-vpn-ssl-bgp-and-more/[Fortigate Local-in policy configuration examples for VPN IPSec, VPN SSL, BGP and more] and https://yurisk.info/2020/06/07/fortigate-local-in-policy/[Fortigate Local in Policy what it does and how to change/configure it]
== Limit access to portal by GeoIP location
When your users are located in a specific country(s), it is advisable to at
least limit access to the VPN to those countries. E.g. for users coming from
Israel:
* Create an address of type _Geography_:
image::x-fortigate-ssl-vpn-geography.png[]
* Use it in VPN SSL Settings:
image::x-fortigate-ssl-vpn-geoip-vpn-settings.png[]
The option to use Geo objects appeared in newer FortiOS, so if you have an older
version, moving SSL VPN to loopback interface will give you this option.
== Block access to/from Tor Exit Nodes and Relays to anything
Attackers using Tor are pretty much untraceable, so this motivates them to
brute-force from Tor network a lot. Again, it is possible to implement only when your SSL VPN is listening on the Loopback
interface - neither VPN Settings, nor Local-in Policy accept ISDB addresses so
far. Just use the ISDB objects for Tor Exit Nodes and Relays, and VPN
Anonymizers in the
security rule that is above the VPN SSL rule to block them.
image::x-fortigate-ssl-vpn-tor-exit-nodes.png[]
Security Rule to block access from Tor to the Loopback interface where SSL VPN
is listening:
image::x-fortigate-ssl-vpn-block-tor-to-loopback.png[]
== Install trusted CA-issued certificate, but don't issue Let's Encrypt certificates directly on the Fortigate
Users, and people in general, are suspicious of anything strange/new/unknown. If
they get used to a valid TLS certificate from a trusted CA Authority on each
login into VPN SSL, they will immediately catch the browser error when being
exposed to Man-in-the-middle attack. Users are your friends, just teach them
good habits and they will be your allies.
_Let's encrypt_ certificates - yes, they are free and trusted. But, issuing them
directly on the Fortigate has 2 disadvantages:
. It enables _Acme_ protocol daemon to listen on port 80, and it HAS to be open
from ANY for auto-renewal to work, and exposing any additional daemon to the
Internet is a bad idea. To be exact - you need to have port 80 open only for the
period of issuing/renewing the certificate. So, you may, if you want to, enable
incoming port 80 from any when requesting certificate, then close the port until
time comes to renew it. But then it is no different from manually requesting and
importing.
. It does not support requesting _wildcard_ certificates, only a specific
subdomain one. And this has additional downside - your VPN subdomain gets logged
on the Internet for everyone to see. Just search here
https://crt.sh/?q=yurisk.com
I do use Let's Encrypt certificates, but on a separate
Linux server from which I export then import the certificates to the Fortigate
manually.
== Configure email alert on each successful VPN SSL connection
Why on successful and not failed? The real-life experience proves that
after _nth_ alert on failed login in a day, people stop looking at them
at all. And in my opinion, the successful log in is more important than the
failed one.
I am working on a collection of automation stitches that will include also this
email alert, follow me for updates on this.
== Prevent re-using the same user account to connect in parallel
You can, by default, connect with the same VPN user from different locations at
the same time. To somewhat improve on this, disable simultaneous logins for
users. This way, the connected user will be disconnected when someone else logs
in with his/her credentials - this would alert the user that something fishy is
going on. You set this feature per Portal.
image::x-fortigate-ssl-vpn-limit-logins-per-user.png[]
On CLI:
----
config vpn ssl web portal
edit "full-access"
set limit-user-logins enable
end
----
== In security rules, allow access only to specific destinations and services, not _all_
I see it many times - to save few clicks, admins put in the _Destination_ column
of the SSL VPN security rule _all_/whole LAN, instead of specific host(s) with
specific services. If attackers get hold of VPN connection to the Fortigate,
they will mass scan internal LAN for AD Domain Controllers, SMB shares,
enumerate all hosts and none of this will happen if you harden the VPN Remote
Access rules to specific services and hosts.
image::x-fortigate-ssl-rule-to-specific-services.png[]
== If not using VPN SSL, disable it, or assign to a dummy interface
The VPN SSL setting is *on* by default, which is ok - as long as there is no
listening interface assigned to it and no security rules using `ssl.root`
exist, the service will NOT listen actually. On some FortiOS versions you have
to do it on CLI. If you want to disable temporarily SSL VPN without deleting
anything, you could, besides clicking on _Disable_, assign it a Loopback
interface which you also put in a _Down_ state.
image::x-fortigate-ssl-vpn-assign-loopback-which-is-disabled.png[]
On CLI:
----
config vpn ssl settings
set status disable
set source-interface Loop1
end
----
== Create a no-access portal and set it as default in the VPN settings
Once you have VPN SSL enabled, you *have* to specify the default portal
to which all unmapped to portals users will be assigned. To prevent unintended
users/groups connecting via this default portal, create the one disabling all
the access inside it and then set it as the default.
* Create a portal with no factual access:
----
config vpn ssl web portal
edit DefaultNoAccess
set tunnel-mode disable
set web-mode disable
set ipv6-tunnel-mode disable
next
end
----
* Make it the default portal:
----
config vpn ssl setting
set default-portal DefaultNoAccess
end
----
IMPORTANT: Make sure you have the relevant users/groups mapped to other, working portals, before doing this.
== Block offending IP after _n_ failed attempts
This slows down brute-force and scanning attacks on VPN SSL. This feature is on
by default, but the block duration is just 60 seconds. You will want to
tune it to your environment and users. I usually set number of failed login
attempts to 3, then block the offender for 10 minutes. In many cases it was
enough for accidental attackers to give up and move to another target.
This can be configured in CLI:
----
config vpn ssl settings
set login-attempt-limit 3
set login-block-time 600
end
----
Here I block the IP for 10 minutes after 3 unsuccessful authentication attempts.
The maximum duration of blocking is 86400 seconds, or 24 hours.
== Disable weak and outdated TLS protocols for SSL VPN
Even with newer FortiOS versions VPN SSL by default supports TLS 1.1, and TLS
1.2 versions that are outdated and recommended against usage everywhere. You can
set SSL VPN to use only TLS 1.2 & 1.3 (on CLI only) with this command ( I
thought of recommending to leave just TLS 1.3, but Forticlient is currently having
problems with using it on Windows 10 & 11, so not for now):
----
config vpn ssl settings
set ssl-min-proto-ver tls1-2
end
----
And make sure it worked:
----
curl -v https://vpn.yurisk.com:13123 --tlsv1.1 -o /dev/null
* Connected to vpn.yurisk.com (52.58.153.81) port 13123 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.1 (OUT), TLS handshake, Client hello (1):
} [140 bytes data]
* TLSv1.1 (IN), TLS alert, Server hello (2):
{ [2 bytes data]
* error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
* stopped the pause stream!
* Closing connection 0
curl: (35) error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol
version
----
NOTE: This will prevent older browsers/Forticlients from connecting, but we talk
about _very_ old versions, like Internet Explorer 11, or Chrome version 50
(current one is 110). So it should not be a problem.
== Consider switching from VPN SSL to VPN IPSec for clients
A bit drastic, but in all those years of VPN SSL vulnerabilities happening, I
remember of no single critical CVE for the IPSec daemon in Fortigate. Yes, it is more
involved in configuring it, but it may well be worth the effort. You use on the
client side the same Forticlient.
== Consider moving VPN SSL into its own VDOM
This is a measure against the worst case scenario - remotely executable 0-day
happens in the SSL VPN daemon, and attackers break into your Fortigate. In this
scenario the attackers will most probably create their own admin users for
persistence, set up VPN for remote access with rules permitting _Any_ to the
internal LAN, and if not trying to hide - will delete/remove your admin user to
block you access to the Fortigate. If this happens with the Fortigate that all
your DMZ/LAN/Storage/Backup networks are connected to, the game is over. But if
the same happens to the Internet-facing VDOM that has only SSL VPN configs and
rules, well, maximum they will have access to is anything you explicitly allowed
in rules between VDOMs. And if you implemented specific rules to allow specific
protocols to specific hosts, that would be not much of a gain to the attackers.
And all Fortigate models except the smallest ones, have hardware acceleration on
their inter-VDOM links, so perfomance-wise you lose nothing as well.
And price-wise, every Fortigate (even the smallest 40F) includes 10 VDOMs for free.
== Additional Resources to follow
* https://www.fortiguard.com/psirt Fortinet announcements on new vulnerabilities.
* https://yurisk.info/category/fortigate.html My blog's Fortigate category, has RSS feed
* https://t.me/fortichat Fortinet-related Telegram group with experts (Russian language)
* https://community.fortinet.com/ Fortinet Community Forum, a lot of Fortinet TAC folks hang out there.
* https://www.reddit.com/r/fortinet/ Well, Reddit is Reddit.

106
cheat-sheets/git-and-github-cheat-sheet.adoc
View File

@@ -1,53 +1,53 @@
= Git and github.com cheat sheet
:author: Yuri Slobodyanyuk
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|command
|Description
|*git clone <URL of the remote repository> [local repo name]*
| Clone remote repository, optionally renaming the local copy of it.
|*git config --system <params>*
|Set configuration parameters for all users at the local host, requires root permissions, saves <params> in the `/etc/gitconfig`. Some params (when setting on the terminal, separate paramater value from name with whitespace):
- `core.editor` Editor to use to enter comments when committing. E.g. `git config --system core.editor vim`.
- `diff.tool` Diff tool to use, e.g. `vimdiff`,`vimdiff2`,`xxdiff`,`gvimdiff`
- `user.email` Email to be incldued in each commit.
- `user.name` Full name to be included in each commit.
|*git config --global <params>*
|Set <params> for ALL repositories of a user on the local host, saves <params> in the `~/.gitconfig` or `~/.config/git/config`.
|*git config --local <params>*
|(default) Set <params> for a specific repository only, should be run when inside this repository, saves <params> in the `.git/config` inside the repository.
|*git config --list --show-origin*
|View all the settings with their origins.
|*Contribute to a project (pull request/PR) on Github.com*
a| Steps to contribute to some project on the github:
. Fork the project you want to contribute to.
. Clone the fork to your local system.
. Make a new custom (non-master) branch inside it.
. Make your changes.
. Push this branch to your Github account.
. Open a Pull Request on the Github.com for the project owner to review & merge.
|===
= Git and github.com cheat sheet
:author: Yuri Slobodyanyuk
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
[cols=2,options="header"]
|===
|command
|Description
|*git clone <URL of the remote repository> [local repo name]*
| Clone remote repository, optionally renaming the local copy of it.
|*git config --system <params>*
|Set configuration parameters for all users at the local host, requires root permissions, saves <params> in the `/etc/gitconfig`. Some params (when setting on the terminal, separate paramater value from name with whitespace):
- `core.editor` Editor to use to enter comments when committing. E.g. `git config --system core.editor vim`.
- `diff.tool` Diff tool to use, e.g. `vimdiff`,`vimdiff2`,`xxdiff`,`gvimdiff`
- `user.email` Email to be incldued in each commit.
- `user.name` Full name to be included in each commit.
|*git config --global <params>*
|Set <params> for ALL repositories of a user on the local host, saves <params> in the `~/.gitconfig` or `~/.config/git/config`.
|*git config --local <params>*
|(default) Set <params> for a specific repository only, should be run when inside this repository, saves <params> in the `.git/config` inside the repository.
|*git config --list --show-origin*
|View all the settings with their origins.
|*Contribute to a project (pull request/PR) on Github.com*
a| Steps to contribute to some project on the github:
. Fork the project you want to contribute to.
. Clone the fork to your local system.
. Make a new custom (non-master) branch inside it.
. Make your changes.
. Push this branch to your Github account.
. Open a Pull Request on the Github.com for the project owner to review & merge.
|===

278
cheat-sheets/gnu-screen-cheat-sheet.adoc
View File

@@ -1,139 +1,139 @@
= GNU screen terminal commands cheat sheet
:author: Yuri Slobodyanyuk
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
NOTE: `C-a` below stands for `Ctrl + a` keyboard sequence.
[cols=2,options="header"]
|===
|Command
|Description
|*~/.screenrc* & */etc/screenrc*
| Commands that the `screen` runs on start up.
|*screen -ls*
|List active screen sessions
|*screen -Q windows*
|List windows' names inside screen session
|*screen -S <session name>*
|Create a new screen session with the name <session name>
|*screen -x*
*screen -r <session name>*
|Attach to the running session, also by its name
|*screen -dRR*
|Attach to the screen session, detach on other display if attached. If no session exists, will create a new one.
|*C-a d*
| Detach from the session, session keeps running. Here, and further *C* means Ctrl.
|*C-a c*
|Create new window in the session.
|*C-a C-a*
|Switch to the previous window.
|*C-a "*
|List all windows with option to navigate and enter any of them.
|*C-w*
|Show a list of active windows with their numbers.
|*C-a <number>*
|Switch to the window number _number_.
|*C-a '*
|Switch to the window by its name.
|*C-a n*
|Switch to the next window.
|*C-a p*
|Switch to the previous window.
|*exit*
|Exit and close current window. If it was the last window in a session, exits `screen` terminating the session.
|*C-a k*
|Kill the current window forcefully (not recommended).
|*C-a : quit*
| Quit screen session completely terminating it. Alternatively - exit all screen windows.
|*C-a A*
|Rename current window.
|*C-a S*
|Split windows display horizontally. Use *C-a c* to create a new window inside the new split or *C-X* to close this part of split.
|*C-a \|*
|Split windows display vertically. Available starting screen 4.01, i.e. not available on Mac 2020 which still uses screen 4.00.
|*C-a tab*
|Jump to the next region in a split window display.
|*C-a Q*
| Unsplit the window, leaving the current window active.
|*C-a [* or *C-a <esc>*
|Enter buffer navigation mode to scroll output buffer, copy, edit and paste later. Navigation commands as per `vim` if Vim is set as editor.*<esc>* to leave the buffer mode.
|*<space>*
|Start/stop selection while in the buffer mode to select the text. Press `<space>` or `<Enter>` to copy the selected text. E.g. to select/copy the whole buffer: `C-a [ gg <space> G <space> <esc>`
|*C-a ]*
|Paste the selected text at the cursor of the terminal, or create a new window and say start Vim there and paste into it while in Insert mode.
|*C-a h*
|Dump the contents of the currently visible terminal to `hardcopy.<n>` file, where _n_ is auto-incrementing number of your window.
|*C-a H*
|Start/end logging all output of the curent window into a file `screenlog.N` where `N` is the window number. The data is appended, not overwritten if the file exists. Output printed before that is not logged.
|*C-a a*
| Send `Ctrl-a` sequence to the shell in the window, useful to jump to the beginning of the line.
|*C-a M*
|Monitor window for activity. When enabled, will notify you of any acitvity while you work in other window.
|*C-a _*
| Monitor window for 30 seconds of silence, will notify you in any other window as `Window 0: silence for 30 seconds`
|*C-a ?*
|Show all key bindings help.
|*Save session state*
|This is not possible. If you use the same layout each session, you can put start up commands to re-create it in `.screenrc` file in your home directory, but still - you cannot save the current session state, i.e. contents of the windows and their layout.
2+|*Sharing session (e.g. for pair programming/tutoring)*
a|Original session (say _user1_):
. Set suid root bit on `screen` binary: `sudo chmod +s /usr/bin/screen`
. Inside session you want to share: `C-a :` then `multiuser on` to enable sharing session.
. Add usernames to share the session with: `C-a :` `acladd <username>`
Connecting user (say _user2_):
. Run in shell: `screen -x <sharing username>/`, in our example `screen -x user1/`
|Sets up sharing the session. Another user connecting to the session views real-time its output, can enter and run commands himself. Also see *aclchg*, *acldel*, *aclgrp* for controlling what the connecting user can and cannot do. E.g. to remove _write_ permissions from all users on all windows: `:aclchg * -w #`
|*C-a **
| See who is connected to your shared screen session.
|===
Follow me on https://linkedin.com/in/yurislobodyanyuk/ for updates.
= GNU screen terminal commands cheat sheet
:author: Yuri Slobodyanyuk
Author: Yuri Slobodyanyuk, https://www.linkedin.com/in/yurislobodyanyuk/
NOTE: `C-a` below stands for `Ctrl + a` keyboard sequence.
[cols=2,options="header"]
|===
|Command
|Description
|*~/.screenrc* & */etc/screenrc*
| Commands that the `screen` runs on start up.
|*screen -ls*
|List active screen sessions
|*screen -Q windows*
|List windows' names inside screen session
|*screen -S <session name>*
|Create a new screen session with the name <session name>
|*screen -x*
*screen -r <session name>*
|Attach to the running session, also by its name
|*screen -dRR*
|Attach to the screen session, detach on other display if attached. If no session exists, will create a new one.
|*C-a d*
| Detach from the session, session keeps running. Here, and further *C* means Ctrl.
|*C-a c*
|Create new window in the session.
|*C-a C-a*
|Switch to the previous window.
|*C-a "*
|List all windows with option to navigate and enter any of them.
|*C-w*
|Show a list of active windows with their numbers.
|*C-a <number>*
|Switch to the window number _number_.
|*C-a '*
|Switch to the window by its name.
|*C-a n*
|Switch to the next window.
|*C-a p*
|Switch to the previous window.
|*exit*
|Exit and close current window. If it was the last window in a session, exits `screen` terminating the session.
|*C-a k*
|Kill the current window forcefully (not recommended).
|*C-a : quit*
| Quit screen session completely terminating it. Alternatively - exit all screen windows.
|*C-a A*
|Rename current window.
|*C-a S*
|Split windows display horizontally. Use *C-a c* to create a new window inside the new split or *C-X* to close this part of split.
|*C-a \|*
|Split windows display vertically. Available starting screen 4.01, i.e. not available on Mac 2020 which still uses screen 4.00.
|*C-a tab*
|Jump to the next region in a split window display.
|*C-a Q*
| Unsplit the window, leaving the current window active.
|*C-a [* or *C-a <esc>*
|Enter buffer navigation mode to scroll output buffer, copy, edit and paste later. Navigation commands as per `vim` if Vim is set as editor.*<esc>* to leave the buffer mode.
|*<space>*
|Start/stop selection while in the buffer mode to select the text. Press `<space>` or `<Enter>` to copy the selected text. E.g. to select/copy the whole buffer: `C-a [ gg <space> G <space> <esc>`
|*C-a ]*
|Paste the selected text at the cursor of the terminal, or create a new window and say start Vim there and paste into it while in Insert mode.
|*C-a h*
|Dump the contents of the currently visible terminal to `hardcopy.<n>` file, where _n_ is auto-incrementing number of your window.
|*C-a H*
|Start/end logging all output of the curent window into a file `screenlog.N` where `N` is the window number. The data is appended, not overwritten if the file exists. Output printed before that is not logged.
|*C-a a*
| Send `Ctrl-a` sequence to the shell in the window, useful to jump to the beginning of the line.
|*C-a M*
|Monitor window for activity. When enabled, will notify you of any acitvity while you work in other window.
|*C-a _*
| Monitor window for 30 seconds of silence, will notify you in any other window as `Window 0: silence for 30 seconds`
|*C-a ?*
|Show all key bindings help.
|*Save session state*
|This is not possible. If you use the same layout each session, you can put start up commands to re-create it in `.screenrc` file in your home directory, but still - you cannot save the current session state, i.e. contents of the windows and their layout.
2+|*Sharing session (e.g. for pair programming/tutoring)*
a|Original session (say _user1_):
. Set suid root bit on `screen` binary: `sudo chmod +s /usr/bin/screen`
. Inside session you want to share: `C-a :` then `multiuser on` to enable sharing session.
. Add usernames to share the session with: `C-a :` `acladd <username>`
Connecting user (say _user2_):
. Run in shell: `screen -x <sharing username>/`, in our example `screen -x user1/`
|Sets up sharing the session. Another user connecting to the session views real-time its output, can enter and run commands himself. Also see *aclchg*, *acldel*, *aclgrp* for controlling what the connecting user can and cannot do. E.g. to remove _write_ permissions from all users on all windows: `:aclchg * -w #`
|*C-a **
| See who is connected to your shared screen session.
|===
Follow me on https://linkedin.com/in/yurislobodyanyuk/ for updates.

130
cheat-sheets/links-text-browser-cheat-sheet.adoc
View File

@@ -1,65 +1,65 @@
= Links Text and Graphical Browser Cheat Sheet
:homepage: https://github.com/yuriskinfo/cheat-sheets
:toc:
NOTE: All the below relates to the Text Mode browsing. The keyboard shortcuts
work in GUI Mode as well, but no mention of it is attempted. The keyboard
shortcuts work when the Main Menu is not visible.
== Keyboard Shortcuts and Menus
[cols=2, options="header"]
|===
|Command
|Description
|*g*
|Brings up dialog window to enter URL to jump to. The default protocol is HTTP,
specify explicitly any other one, e.g. `ftp://ftp.hp.com`.
|*ESC*
|Show Main menu, press again to hide. The Main menu contains submenus with
access to all the browser functionality: _File_, _View_, _Download_, _Setup_, etc.
|*<-*, *z*
| Go back to the previous page.
|*->*, *x*
|Go forward one page.
|*q*
|Quit browser with confirmation. Use *Q* to quit immediately.
|*l*, *CTRL + N*
|Scroll page down.
|*p*, *CTRL + P*
|Scroll page up.
|*CTRL + R*
|Refresh/reload the current page.
|*/*
|Search forward for text on the current page starting at the top and finishing at the
bottom of the page. The searched text will be background-highlighted. The search
is case insensitive.
|*?*
|Search text backward - from the bottom to the top.
|*s*
|Show Bookmarks dialog menu with options to Add, Delete, Create Folder, Edit,
and Move bookmarks.
|===
== References
* http://links.twibright.com[Browser Homepage - http://links.twibright.com]
= Links Text and Graphical Browser Cheat Sheet
:homepage: https://github.com/yuriskinfo/cheat-sheets
:toc:
NOTE: All the below relates to the Text Mode browsing. The keyboard shortcuts
work in GUI Mode as well, but no mention of it is attempted. The keyboard
shortcuts work when the Main Menu is not visible.
== Keyboard Shortcuts and Menus
[cols=2, options="header"]
|===
|Command
|Description
|*g*
|Brings up dialog window to enter URL to jump to. The default protocol is HTTP,
specify explicitly any other one, e.g. `ftp://ftp.hp.com`.
|*ESC*
|Show Main menu, press again to hide. The Main menu contains submenus with
access to all the browser functionality: _File_, _View_, _Download_, _Setup_, etc.
|*<-*, *z*
| Go back to the previous page.
|*->*, *x*
|Go forward one page.
|*q*
|Quit browser with confirmation. Use *Q* to quit immediately.
|*l*, *CTRL + N*
|Scroll page down.
|*p*, *CTRL + P*
|Scroll page up.
|*CTRL + R*
|Refresh/reload the current page.
|*/*
|Search forward for text on the current page starting at the top and finishing at the
bottom of the page. The searched text will be background-highlighted. The search
is case insensitive.
|*?*
|Search text backward - from the bottom to the top.
|*s*
|Show Bookmarks dialog menu with options to Add, Delete, Create Folder, Edit,
and Move bookmarks.
|===
== References
* http://links.twibright.com[Browser Homepage - http://links.twibright.com]

444
cheat-sheets/macos-mdfind-examples-cheat-sheet.adoc
View File

@@ -1,222 +1,222 @@
= macOS `mdfind` examples cheat sheet
:source-highlighter: rouge
:date: 2023-03-28 09:55:25+00:00
:slug: mdfind-macos-examples-cheat-sheet
:category: macOS
:tags: macOS, Apple
:toc:
== Introduction
`mdfind` is a command-line interface to the SpotLight search tool on every
Apple macOS system. Being a CLI tool, it saves time when searching for stuff in
your Mac. Unfortunately, there is a lot of documentation on the topic which is
out of date - the examples either do not work or give an error. Otherwise, the
tool is not well-documented. Below are few examples for every day usage, tested
on the newest versions - Catalina, Big Sur, Monterrey, Ventura.
== Find files with a given word in it
Just give the `mdfind` a word to search for, and it will find it in
file/media/applications
names, as well as in their contents.
----
mdfind mysearchword
----
== Search for a word in file names only, not their contents
Add `-name` qualifier before the search word.
----
mdfind -name October
----
Will find files named: _OctoberFest.pdf_, _inoctober.txt_, _Red October.mp4_
== Find a file with multiple keywords in its name
We can specify more than 1 word to look for in the file/app name - the `mdfind`
uses logical AND by default for multiple keywords.
----
mdfind -name red october
----
Will find: _Red October.mp4_, _red octoberfest.jpg_, but NOT _red.pdf_ or
_October.mp4_.
== Limit search to specific file format(s)
You can use ``kind:``__file-format__ to additionally limit results to this file
format. Be aware that _kind_ is not always the file extension though. I list the
most popular file formats below.
Find file with the _red_ in its name, but only in _mp4_, _.mov_ etc. files:
----
mdfind -name red kind:movie
----
|===
|*File format* |*kind term* |*File format* |*kind term*
|jpeg/jpg, png, gif, tiff
|image
|Application
|app
|mp3, ogg
|music
|mp4, mov, mpeg
|movie
|Bookmarks
|bookmark
|Email messages
|email
|Folders
|folder
|MS Word docs (docx, dot)
|word
|===
The other way to look for file extensions is with the _kMDItemFSName_ metadata
value and listing the desired extension after the asterisk.
----
mdfind "kMDItemFSName == '*.pdf'"
----
But if you want to look for a specific file name as well, you will have to pipe the
command above to _grep_ or alike.
== Look up folder names
Using (see table above) `kind:folder` we can search in folder names only.
Find all folders with the name _document_ in them:
`mdfind -name documents kind:folder`
== Search for an exact match
We can do it in 2 ways.
First, wrapping search terms in double and then single quotes:
----
mdfind -name '"red carpet"'
----
This will match _red carpet.txt_, but not _red 2 carpet.txt_.
The other way to look for an exact match is with the `-literal` qualifier, which prohibits any other qualifier though.
Find everything having _Hat, Red_ in the name:
`mdfind -literal "kMDItemDisplayName == 'Hat, Red'"`
Here, *kMDItemDisplayName* is a metadata field holding the item name for files/folders/etc. Any additional options will be ignored.
== Search in specific folder(s) only
We can use *-onlyin* option to limit the search:
`mdfind -name red.txt -onlyin ~/Documents`
This will only search in the folder _Documents_ and its subfoldes.
== Search by created, modified dates
IMPORTANT: The date format is your current locale. So, I put dates in the
_19/1/2023_ format, but if your Mac is set to use _1/19/2023_, do so.
Find file named _red_ and created on 19th of January 2023:
`mdfind -name red AND created:19/1/2023`
NOTE: The _AND_ is not explicitly needed here, but I put it for reminder yet.
Find file named _red_ modified on 19th of January 2023:
`mdfind -name red AND modified:19/1/2023`
The date-related searches also understand ranges.
Find files with _red_ in their name modified in the period from the 1st of January
2023, and up to (including) 19th of January 2023:
`mdfind -name red modified:01/01/2023-19/1/2023`
Same, but _created_ in that period:
`mdfind -name red created:01/01/2023-19/1/2023`
== Find file by their size
We can specify file size as additional search term.
This will find files with the _red_ in their names AND of size 0 bytes.
`mdfind name:red AND size:0`
`mdfind name:red AND NOT size:0` will find files named _red_ that are NOT 0
bytes in size.
We can provide ranges for sizes as well. To find files named _red_ of size
between 10 and 25 bytes:
`mdfind -interpret name:red AND size:\<25 AND size:\>10`
NOTE: The '\' escapes '<' and '>' from the shell interpretation.
== Disable Spotlight/mdfind indexing for a specific volume
* Spotlight (and thus mdfind) stores its index for each hard drive in a hidden
directory named `.Spotlight-V100` located at the root of each disk. You can list this directory contents with
sudo mdutil -L _path-to-the-disk_* , e.g.
----
sudo mdutil -L /Volumes/exFAT1Tb
/Volumes/exFAT1Tb/.Spotlight-V100:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 Store-V2
-rwxrwxrwx 1 99 99 4246 Jun 13 2022 11:09
VolumeConfiguration.plist
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 B332121F-C8CA-4FF1-924A-67FC321C3FFCC/
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_post:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_pre:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.corespotlight:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.health_check:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_priority:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_system:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_user:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration_secondchance:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.repair:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.scan:
----
* For space savings or privacy concerns, you can turn off indexing of a given volume by running
*sudo mdutil -i off /Volumes/__volume-name__*, and even
erase the existing index with *sudo mdutil -E /Volumes/__volume-name__*.
== Resources
* For additional cheat sheets, see Github: https://github.com/yuriskinfo/cheat-sheets
_Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I
publish on Linkedin, Github, blog, and more._
= macOS `mdfind` examples cheat sheet
:source-highlighter: rouge
:date: 2023-03-28 09:55:25+00:00
:slug: mdfind-macos-examples-cheat-sheet
:category: macOS
:tags: macOS, Apple
:toc:
== Introduction
`mdfind` is a command-line interface to the SpotLight search tool on every
Apple macOS system. Being a CLI tool, it saves time when searching for stuff in
your Mac. Unfortunately, there is a lot of documentation on the topic which is
out of date - the examples either do not work or give an error. Otherwise, the
tool is not well-documented. Below are few examples for every day usage, tested
on the newest versions - Catalina, Big Sur, Monterrey, Ventura.
== Find files with a given word in it
Just give the `mdfind` a word to search for, and it will find it in
file/media/applications
names, as well as in their contents.
----
mdfind mysearchword
----
== Search for a word in file names only, not their contents
Add `-name` qualifier before the search word.
----
mdfind -name October
----
Will find files named: _OctoberFest.pdf_, _inoctober.txt_, _Red October.mp4_
== Find a file with multiple keywords in its name
We can specify more than 1 word to look for in the file/app name - the `mdfind`
uses logical AND by default for multiple keywords.
----
mdfind -name red october
----
Will find: _Red October.mp4_, _red octoberfest.jpg_, but NOT _red.pdf_ or
_October.mp4_.
== Limit search to specific file format(s)
You can use ``kind:``__file-format__ to additionally limit results to this file
format. Be aware that _kind_ is not always the file extension though. I list the
most popular file formats below.
Find file with the _red_ in its name, but only in _mp4_, _.mov_ etc. files:
----
mdfind -name red kind:movie
----
|===
|*File format* |*kind term* |*File format* |*kind term*
|jpeg/jpg, png, gif, tiff
|image
|Application
|app
|mp3, ogg
|music
|mp4, mov, mpeg
|movie
|Bookmarks
|bookmark
|Email messages
|email
|Folders
|folder
|MS Word docs (docx, dot)
|word
|===
The other way to look for file extensions is with the _kMDItemFSName_ metadata
value and listing the desired extension after the asterisk.
----
mdfind "kMDItemFSName == '*.pdf'"
----
But if you want to look for a specific file name as well, you will have to pipe the
command above to _grep_ or alike.
== Look up folder names
Using (see table above) `kind:folder` we can search in folder names only.
Find all folders with the name _document_ in them:
`mdfind -name documents kind:folder`
== Search for an exact match
We can do it in 2 ways.
First, wrapping search terms in double and then single quotes:
----
mdfind -name '"red carpet"'
----
This will match _red carpet.txt_, but not _red 2 carpet.txt_.
The other way to look for an exact match is with the `-literal` qualifier, which prohibits any other qualifier though.
Find everything having _Hat, Red_ in the name:
`mdfind -literal "kMDItemDisplayName == 'Hat, Red'"`
Here, *kMDItemDisplayName* is a metadata field holding the item name for files/folders/etc. Any additional options will be ignored.
== Search in specific folder(s) only
We can use *-onlyin* option to limit the search:
`mdfind -name red.txt -onlyin ~/Documents`
This will only search in the folder _Documents_ and its subfoldes.
== Search by created, modified dates
IMPORTANT: The date format is your current locale. So, I put dates in the
_19/1/2023_ format, but if your Mac is set to use _1/19/2023_, do so.
Find file named _red_ and created on 19th of January 2023:
`mdfind -name red AND created:19/1/2023`
NOTE: The _AND_ is not explicitly needed here, but I put it for reminder yet.
Find file named _red_ modified on 19th of January 2023:
`mdfind -name red AND modified:19/1/2023`
The date-related searches also understand ranges.
Find files with _red_ in their name modified in the period from the 1st of January
2023, and up to (including) 19th of January 2023:
`mdfind -name red modified:01/01/2023-19/1/2023`
Same, but _created_ in that period:
`mdfind -name red created:01/01/2023-19/1/2023`
== Find file by their size
We can specify file size as additional search term.
This will find files with the _red_ in their names AND of size 0 bytes.
`mdfind name:red AND size:0`
`mdfind name:red AND NOT size:0` will find files named _red_ that are NOT 0
bytes in size.
We can provide ranges for sizes as well. To find files named _red_ of size
between 10 and 25 bytes:
`mdfind -interpret name:red AND size:\<25 AND size:\>10`
NOTE: The '\' escapes '<' and '>' from the shell interpretation.
== Disable Spotlight/mdfind indexing for a specific volume
* Spotlight (and thus mdfind) stores its index for each hard drive in a hidden
directory named `.Spotlight-V100` located at the root of each disk. You can list this directory contents with
sudo mdutil -L _path-to-the-disk_* , e.g.
----
sudo mdutil -L /Volumes/exFAT1Tb
/Volumes/exFAT1Tb/.Spotlight-V100:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 Store-V2
-rwxrwxrwx 1 99 99 4246 Jun 13 2022 11:09
VolumeConfiguration.plist
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2:
drwxrwxrwx 1 99 99 262144 Jun 27 2021 07:46 B332121F-C8CA-4FF1-924A-67FC321C3FFCC/
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_post:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.assisted_import_pre:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.corespotlight:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.health_check:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_priority:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_system:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.live_user:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.migration_secondchance:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.repair:
/Volumes/exFAT1Tb/.Spotlight-V100/Store-V2/B332121F-C8CA-4FF1-924A-67FC321C3FFCC/journals.scan:
----
* For space savings or privacy concerns, you can turn off indexing of a given volume by running
*sudo mdutil -i off /Volumes/__volume-name__*, and even
erase the existing index with *sudo mdutil -E /Volumes/__volume-name__*.
== Resources
* For additional cheat sheets, see Github: https://github.com/yuriskinfo/cheat-sheets
_Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I
publish on Linkedin, Github, blog, and more._

72
cheat-sheets/ncftp-commands-reference-by-example-cookbook.adoc
View File

@@ -1,36 +1,36 @@
= ncftp Ftp Client Commands example cookbook
:source-highlighter: rouge
:date: 2022-02-09 07:55:25+00:00
:toc: auto
== Connect to remote FTP server specifying username and password on the command line
WARNING: This means that username/password can be seen by other users logged in on the machine (if any)
[source,bash]
----
ncftp -u ftpuser -p qwe123 ftp.slackware.com
----
.Here:
* -u _user_: specify username on the FTP server
* -p _password_: specify password of FTP user
* ftp.slackware.com: FTP server domain name or IP address to connect to.
After connecting we can issue FTP client commands on the prompt.
== Upload a file renaming it at the destination
`ncftp` will not upload a file if a file with the same name exists in the destination server. To still upload such file, we can rename it using `-z` option.
Upload file named _manifesto-1.pdf_ to the FTP server renaming it to _manifesto-2.pdf_
[source,bash]
----
ncftp / > put -z manifesto-1.pdf manifesto-2.pdf
manifesto-1.pdf: 11.40 kB 2.49 MB/s
----
= ncftp Ftp Client Commands example cookbook
:source-highlighter: rouge
:date: 2022-02-09 07:55:25+00:00
:toc: auto
== Connect to remote FTP server specifying username and password on the command line
WARNING: This means that username/password can be seen by other users logged in on the machine (if any)
[source,bash]
----
ncftp -u ftpuser -p qwe123 ftp.slackware.com
----
.Here:
* -u _user_: specify username on the FTP server
* -p _password_: specify password of FTP user
* ftp.slackware.com: FTP server domain name or IP address to connect to.
After connecting we can issue FTP client commands on the prompt.
== Upload a file renaming it at the destination
`ncftp` will not upload a file if a file with the same name exists in the destination server. To still upload such file, we can rename it using `-z` option.
Upload file named _manifesto-1.pdf_ to the FTP server renaming it to _manifesto-2.pdf_
[source,bash]
----
ncftp / > put -z manifesto-1.pdf manifesto-2.pdf
manifesto-1.pdf: 11.40 kB 2.49 MB/s
----