BOFH: We're miracle workers. But you want us to fix THAT in 10 minutes?

Psst. I can make your network super secure...

By Simon Travaglia


Episode 16

"What do you mean 'why's it not working'," the PFY asks.

"I mean WHY ISN'T IT WORKING? What's happened?" the Boss snaps, expecting an excuse that will be both technical and understandable to someone with his level of tertiary education.

"Nothing's happened, it's all the same as usual," the PFY responds, suspecting – as we all do – that the Boss' level of tertiary education was a degree in animal husbandry that only got as far as the wedding ceremony.

"Then why's it not working?"


The Boss frowns. "Surely that means you should be on top of this by now?"

"No, 'usual' means it's a bloody pig's breakfast."


"So you're wanting to do your presentation, right?" the PFY asks.


"And you're going to be using a presentation in conjunction with a videoconference session?"


"And you say there's a problem with your presentation?"

"Yes, it looks all funny."

"AND there may be a problem with the incoming videoconference call because you now realised you got us to reject incoming calls at the firewall because people in meetings didn't like the ringing noise or the possibility that 'someone could snoop in on their meeting'."

"Yes." The Boss nods, still frowning in concentration.

"Despite us telling you (a) that the unit doesn't auto answer and (b) using the power switch on the wall will make it super-secure."

"I've been told it's safer doing it the firewall way," the Boss sniffs.

"So NOW we have to change the firewall config on the fly – because you don't know the number to make an outgoing call – even though we're into the no-changes-on-a-Friday window that YOU wanted us to implement, THEN tidy up your PowerPoint so it doesn't look funny."


"All before your presentation starts in..." – the PFY looks at his watch – "... 17 minutes."

"Uh, 15 minutes, actually," says the Boss.

"And would I be correct in assuming that you have an OpenOffice presentation – because you're too cheap to buy MS Office for home, AND you're using some custom font with a name like Turkeyshoot Mascara, designed by your son who's studying design through self-paced learning during his gap year?"


"Hey," I say, getting in on the act. "Do you remember that time your son designed you a font but couldn't be arsed doing anything outside of upper and lowercase letters? No punctuation or anything?"

"What was that font name again, MonarcoRetardo?" the PFY asks.

"In any case," I say loudly, trying to bring the issue to a head. "There's bugger all point in bringing in something for us to fix with 10 minutes' notice."

"17 minutes," the Boss says.

"15 minutes," the PFY corrects.

"Actually 13 minutes," I say, looking at the clock. "Because you're rushing things. And you can't rush miracle workers. So the PFY here will edit your presentation and change the font to something both standard and universal."

"Like Courier 24," the PFY adds.

"While I'll back up the firewall config to flash and then take a copy to my desktop then uh... disable the... uh... immutable.. configuration sequencer, roll back the redundant hot fix application modal switch, FIND the network configuration rule, CHANGE it, then push it all through the... trial application sanity filter – and if that passes release it to test, run the configuration sanity filter in test mode and if that passes release it to preproduction then run it through the preproduction configuration sanity filter and if that passes release it to production, run it through the production sanity filter, flip the switch to go live, reload the config, back up the config to flash and then to my desktop then if everything goes well, copy the config to the redundant standby firewall, disable the... uh... immutable.. configuration sequencer on the standby machine, roll back the redundant hot fix application modal switch on the standby unit, push the new standby config through the trial application sanity filter – and if that passes release it to test, run the configuration sanity filter in test mode and if that passes release it to preproduction then run it through the preproduction configuration sanity filter and if that passes release it to production, run it through the production sanity filter, flip the switch to go live in hot standby mode... and... we're done."

"How long will that take?" asks the Boss.

"What, from now, or from when I started that previous sentence?"


"There's NO chance. We might've made it in time without the hot standby firewall but who knows what'd happen if we got the units out of sequence."

"Okay!" the Boss says, in Executive Decision Mode. "Disable that hot standby machine, update the firewall, right now, and we'll take our chances."

"You're... sure?" the PFY asks, having given the Boss' presentation all the panache of an 1820s typewriter while I had him distracted.

"Yes. This is important! The board have all flown to Edinburgh with the Director so they can see our videoconferencing presentation in action!"

"And you just found out about this 17 minutes ago?!" the PFY gasps.

The Boss ignores him.

"Ah," the PFY adds. "So it IS as usual."

"OK," I say, tapping some nonsense in at the command prompt, closing the window, opening an ssh session to a Linux box and typing some more nonsense in there too. "All done."

"I thought you said it'd take ages?"

"Well, if we're going to slap a change in there it takes no time at all."

"Right!" the Boss says, stalking off to his meeting.

<13 minutes later in the comms room...>

"So you never applied the incoming call rejection rule in the first place?" the PFY asks, looking over my shoulder at the console of the firewall.

"Nah, I just switched the conferencing unit off at the wall," I reply. "Speaking of which... >CLICK<"

The PFY and I look on as the firewall box enters what we call super-secure mode. Our only firewall box.

"Looks like our firewall machine and the 'hot standby unit' are out of sync," I gasp. "We could have network problems for days!"
