Check TCP/UDP port with netcat

netcat, usually abbreviated in nc, is a network tool able to reads and writes data across network connections using TCP or UDP protocol. It’s a feature-rich tool, that every admin should know.

Check TCP port

nc -zv 192.168.0.10 80
Connection to 192.168.0.10 80 port [tcp/http] succeeded!

Check UDP port

nc -zuv 192.168.0.10 123
Connection to 192.168.0.10 123 port [udp/ntp] succeeded!

Not that contrary to TCP, UDP is a connectionless protocol. In theory if an UDP port is formally “closed” (for example via an iptables REJECT rule) the destination host should respond with an ICMP Port unreachable packet. But a lot of firewall simply silently drop the message, resulting in a wrong ‘succeed’ result.

Scan a range of ports

To find all the open ports in a given range:

nc -zv 192.168.0.10 1-500 2>&1 | grep succeeded
Connection to 192.168.0.10 21 port [tcp/ftp] succeeded!
Connection to 192.168.0.10 22 port [tcp/ssh] succeeded!
Connection to 192.168.0.10 80 port [tcp/http] succeeded!

To run a pseudo-server on a given port

nc -l -p 3873

[Apache] Reload vs restart

People are often confused by the difference between the reload and the restart operation. That lead to a lot of questions like “Can i do a simple reload when changing a parameters into the modphp php.ini setting file ?” or “Does a reload interrupt the service ?

First of all it’s important to understand that the reload operation doesn’t really exist, not in a former sense. When doing a reload the parent process do reload its configuration, but as it doesn’t do anything by himself except spawning child process, the new configuration isn’t effective right away. Then the parent process send a graceful signal to each of its child to exit after finishing their current request (or to exit immediately if they’re not serving anything). As each child dies off the parent replaces it with a new child.

So a reload operation, doesn’t interrupt the service, but it effect isn’t immediate. If you need an immediate effect you must do a restart operation which “violently” kill all the child process. The reload operation also have one big limitation : it doesn’t take into account new files. For enabling a new module or after changing a SSL certificates, you must use the restart operation.

[OpenBSD] relayd

relayd is an open source load balancer which is able to handle protocol layers 3, 4 and 7. It’s the standard “in-house” load-balancing solution of OpenBSD. It can be setup as a forward, reverse or TCP port redirector and/or SSL/TLS ‘terminator’.

Basic commands

Check relayd configuration:

# relayd -n -f /etc/relayd.conf

Show detailed status of hosts and tables:

# relayctl show host

Show detailed status of redirections including the current and average access statistics:

# relayctl show redirects

Show detailed status of relays including the current and average access statistics:

# relayctl show relays

Dump the complete list of running relay sessions:

# relayctl show sessions

Display a list of all relays, redirections, routers, tables, and hosts:

# relayctl show summary

Schedule an immediate check of all hosts:

# relayctl poll

Reloading configuration

You can reload the current configuration file with the command:

# relayctl reload

Beware, this command will flush the current ‘state’ and provoke a short downtime. Also it seems that if you have SSL ressources, reload make relayd crash. So instead of using this command you should make a CARP failover “switch” and restart the process like this :

# pkill relayd && sleep 1 && relayd -f /etc/relayd.conf && relayctl poll