ipcop-devel Mailing List for IPCop Firewall

Bugs item #2829906, was opened at 2009-07-31 00:03
Message generated for change (Tracker Item Submitted) made by mguvenc
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2829906&group_id=40604

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: Build
Group: V2 alpha
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: Mustafa (mguvenc)
Assigned to: Nobody/Anonymous (nobody)
Summary: on libc 2.9 installed systems build fails

Initial Comment:
on libc 2.9 installed systems, version check while building toolchain fails. because the following command;

check_version "GNU libc" ${REQUIRED_GLIBC} `/lib/libc.so.6* | head -n1 | cut -d" " -f7 | cut -d"," -f1`

should be

check_version "GNU libc" ${REQUIRED_GLIBC} `/lib/libc.so.6* | head -n1 | cut -d" " -f8 | cut -d"," -f1`


----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2829906&group_id=40604

Eric Oberlander wrote:

> On the Interfaces page, should it be possible to include a hyphen (-)
> in the interface name, or are they reserved for IPCop interface names.
> At the moment you are limited to A-Z a-z0-9 and a colon (:).

We should allow that. No reason to be overly restrictive.


Olaf

-- 

A weizen a day helps keep the doctor away.

2009/7/27 Olaf Westrik <wei...@ip...>:
> Hi Eric,
>
>
> Addresses, Address Groups and Interfaces
>
>
> 2.6.6. Addresses Administrative Web Page
>
> You can assign names to IP Addresses, IP Networks and MAC Addresses. The
> advantage of using names is that when you have to change an internal Servers
> IP Address or exchange a network card (different MAC), there is only 1 place
> that needs modification and you do not have to change multiple outgoing
> rules, pinholes and portforwards.
>
> Note: MAC Addresses can only be used as source in rules, not as destination.
>
> Note: if the mask is left empty when defining an IP Address, the mask
> 255.255.255.255 will be used.
>
>
> 2.6.7. Address Groups Administrative Web Page
>
> Default addresses (i.e. Green Network, Blue Network, etc.) and addressnames
> can be combined to groups.
> In an address Group you could combine Green and Blue Network and then allow
> a specific service for this group with 1 rule.
>
> (screenshot showing GreenBlue as Address Group name and Green Network+Blue
> Network added).
>
> You can also combine Address names (link to 2.6.6) into a group. For example
> if you have multiple computers in Blue, but only want to create a pinhole
> for 2 specific laptops.
>
>
> Note: groups can not be used as destination in a portforward.
>
>
> 2.6.8. Interfaces Administrative Web Page
>
> There are special cases where interfaces are present beyond the standard
> Green, Blue, Orange, Red interfaces. After assigning a name to such an
> interface it is possible to create firewall rules for those interfaces.
>
> Note: you will still need to assign drivers and IP addresses manually.

Thanks for your primer, you will have seen the Work in Progress online.

I like dotzball's improvements to the radio buttons on the Groups
pages. Works much better. Thanks Achim.

On the Interfaces page, should it be possible to include a hyphen (-)
in the interface name, or are they reserved for IPCop interface names.
At the moment you are limited to A-Z a-z0-9 and a colon (:).

Eric

Bugs item #2828759, was opened at 2009-07-29 06:43
Message generated for change (Tracker Item Submitted) made by azlk
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828759&group_id=40604

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General
Group: V2 alpha
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: azlk (azlk)
Assigned to: Nobody/Anonymous (nobody)
Summary: System hangs on boot

Initial Comment:
Pentium-3 with 384 MB RAM, 40Gb IDE HDD and CDROM.
Not every time but unpredictable. I've tested my memory and all other hw - everything is OK.
I can't post any logs as there are no any if system doesn't start, but...for comparison: other Linux systems (Puppy, Ubuntu, Fedora) NEVER hang on thic PC, IpFIRE boots every time without hassle :-(
Maybe GRUB problems?

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828759&group_id=40604

Bugs item #2828751, was opened at 2009-07-29 06:36
Message generated for change (Tracker Item Submitted) made by azlk
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828751&group_id=40604

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: General
Group: V2 alpha
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: azlk (azlk)
Assigned to: Nobody/Anonymous (nobody)
Summary: IpCOP unpredictable deny access to system

Initial Comment:
Simultaneously web-interface and ssh session dies. No ping also. It is completely unpredictable: it can die in process of copying files to IPCOP box or without any interference.
By the way SFTP with Filezilla really result in denying access very often, especially when copying many files.
For reference - fresh install of IpFIRE never hangs not ssh nor web-interface.
Unfortunately seems that version 1.96 is quite crude...

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828751&group_id=40604

Bugs item #2828746, was opened at 2009-07-29 06:22
Message generated for change (Tracker Item Submitted) made by azlk
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828746&group_id=40604

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: VPN
Group: V2 alpha
Status: Open
Resolution: None
Priority: 5
Private: No
Submitted By: azlk (azlk)
Assigned to: Nobody/Anonymous (nobody)
Summary: VPN PPTP is not working

Initial Comment:
We have a very big provider Beeline (former Corbina) here in Russia.
They give access to external net (Internet) ONLY over Micro$oft-way VPN-PPTP: all I have is gateway address (smth like 10.177.48.10), name of a bunch of their vpn servers - "vpn.internet.beeline.ru", user name and password. With every connect this "vpn.internet.beeline.ru" returns a new IP, there are 10-15 servers and they dynamically change with every connect.
So if I setup RED interface as PPTP it simply doesn't work: "Connecting......Idle". (Additional PPTP settings: ->DHCP; Hostname: vpn.internet.beeline.ru; User Name, Password; Method: PAP or CHAP; DNS: Automatic)
And this is not something unexpected - PPTP setup even doesn't have needed fields to connect, but rather have other not unclear fields like "Additional PPTP settings -> Phonebook entry". I'm afraid this PPTP setup is really for PPOE and not actually PPTP VPN, is it?..
If I use DHCP on RED interface it shows right gw and IP but this way I cannot use PPTP from existing menu.
Also, there is a big local net in Beeline, which is accessible only with additional routes. There are no fields in design to write these routes too.
At the same time D-Link 524 makes this painlessly: I simply type server address (vpn.internet.beeline.ru), user name, password and that's all - connection is on. And there is a page where one can write additional routes.

Is there any hope that IpCOP will ever have this ugly but unfortunately the one possible for us micro$oft VPN PPTP working?.... I tried PPTP addon from ftp.shauff.de but it it was designed for previous IpCOP (1.14 and so) and it cannot be even installed.

Also I was very dissapointed not being able to find MC for IpCOP 1.96, without MC it becomes a real trouble to make a lot of search, edit and digger's work :-(  When I tried to install toolchain to compile MC by myself, I discovered that toolchain contains other version of binutils (older than existing in ISO) so I couldn't install it, moreover - directory tree in toolchain differ from original on fresh install....

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=428516&aid=2828746&group_id=40604

Martin Dubreuil wrote:

> Just wondering if we will be able to setup Multiple WAN interfaces as RED
> without diving into the manual file modification and scripting in 2.0

No.


Olaf

-- 

A weizen a day helps keep the doctor away.

Hello busy Dev's,

 

Just wondering if we will be able to setup Multiple WAN interfaces as RED
without diving into the manual file modification and scripting in 2.0

Dual WAN + Load Balancing would be a great asset.

Thanks

 

Martin 

 

Hi Eric,


Addresses, Address Groups and Interfaces


2.6.6. Addresses Administrative Web Page

You can assign names to IP Addresses, IP Networks and MAC Addresses. The 
advantage of using names is that when you have to change an internal 
Servers IP Address or exchange a network card (different MAC), there is 
only 1 place that needs modification and you do not have to change 
multiple outgoing rules, pinholes and portforwards.

Note: MAC Addresses can only be used as source in rules, not as destination.

Note: if the mask is left empty when defining an IP Address, the mask 
255.255.255.255 will be used.


2.6.7. Address Groups Administrative Web Page

Default addresses (i.e. Green Network, Blue Network, etc.) and 
addressnames can be combined to groups.
In an address Group you could combine Green and Blue Network and then 
allow a specific service for this group with 1 rule.

(screenshot showing GreenBlue as Address Group name and Green 
Network+Blue Network added).

You can also combine Address names (link to 2.6.6) into a group. For 
example if you have multiple computers in Blue, but only want to create 
a pinhole for 2 specific laptops.


Note: groups can not be used as destination in a portforward.


2.6.8. Interfaces Administrative Web Page

There are special cases where interfaces are present beyond the standard 
Green, Blue, Orange, Red interfaces. After assigning a name to such an 
interface it is possible to create firewall rules for those interfaces.

Note: you will still need to assign drivers and IP addresses manually.



Olaf

-- 

A weizen a day helps keep the doctor away.

2009/7/25 David W Studeman <avi...@ai...>:
> Eric Oberlander wrote:
>> How much RAM do have in your machines?
>>
>
> 1GB

OK, I've tested snort-2.8 on 1.4.23.

Update rules won't work with 128Mb of RAM, or 196Mb of RAM.

It does work with 256Mb of RAM (I turned off snort while downloading
the update to save memory).

Gilles, have you decided which update to include snort in, 1.4.22 or 1.4.23?

Eric

Hi Gilles,

> I need now to clean my changes and update to a current tree.
> I will not be able to test my changes on different distrib before some days.

feel free to commit your changes. So you can distribute the testing load ;-)


Olaf

-- 

A weizen a day helps keep the doctor away.

I have found my mistake in the cross-compilation changes.

That was simply a missing / before $(TOOL_DIR) in a sed inside lfs/gcc.
Not knowing that, I was already decided to include the / in TOOL_DIR as this is
more cleaner. That would disallow my mistake but is intrusive as TOOL_DIR is
present in many lfs files.

I need now to clean my changes and update to a current tree.
I will not be able to test my changes on different distrib before some days.

Gilles

Eric Oberlander wrote:
> 2009/7/25 Olaf Westrik <wei...@ip...>:
>> Eric Oberlander wrote:
>>
>>> What's the 'ICMP Type' dropdown for?
>> ICMP is kinda special, as it does not have ports but types.
>> Providing them as an option gives you the possibility to only allow the
>> 'normal' ones, like ping and pong and blocking the obscure ones.
>>
>>
>>> Visually, can the ICMP Type dropdown be moved left on the screen, as
>>> it's making the screenshot wider than 704. (I know, picky picky picky)
>> How about moving the Service Name to a separate line. And then have this
>> arrangement ?
>>
>> Service Name
>> Ports                          Protocol
>>                               ICMP Types
> 
> The first version, I think..

I've done and committed slightly different. More 'IPCop Style' IMHO.
Does not look ideal, but I think it is the best we can do.


>>>> 2.6.5. Service Groups Administrative Web Page
>>>>
>>>> The IPCop Firewall is configured by using Services and/or Service Groups.
>>>> Service Groups give you the possibility to combine several Services into
>>>> a
>>>> Group. After which you can create rule(s) which then combine all Services
>>>> in
>>>> a single step.
>>>>
>>>> A typical example is to create a DropNoLog Group which then holds those
>>>> Services that you know about and do not want to fill up your Firewall
>>>> log.
>>> The 'Add service to Group' section is also cramped for width. Can the
>>> the Remark field be made narrower?
>> Certainly. No reason to use fixed view size.
>>
>>
>>> Why are there radio buttons I can't select?
>> Probably easier to code ;-)
>> IIRC removing the radiobutton requires to have hidden <input type='hidden'
>> etc. > lines instead, to make sure CGI parameters are present.
>>
>> If this is a big issue I can look into it.
> 
> It's no deal breaker.
> I was just curious.
> Perhaps it becomes obvious when the section is populated with more information?

Yes, just add a Custom Service and then create a Service Group and 
populate it.


For the Manual we could populate a DropNoLog Group with netbios-dgm 
(tcp+udp/138) and netbios-ns (tcp+udp/137) and make a screenshot.
That is a pretty common case if you have (talkative) Windows Clients in 
Green, have Logging enabled on Green and don't want if filled with 
Netbios Broadcasts.


Olaf

-- 

A weizen a day helps keep the doctor away.

Eric Oberlander wrote:
> How much RAM do have in your machines?
>
> Eric
>
> ------------------------------------------------------------------------------
1GB

-- 
Dave Studeman
http://www.raqcop.com

2009/7/25 Olaf Westrik <wei...@ip...>:
> Eric Oberlander wrote:
>
>> What's the 'ICMP Type' dropdown for?
>
> ICMP is kinda special, as it does not have ports but types.
> Providing them as an option gives you the possibility to only allow the
> 'normal' ones, like ping and pong and blocking the obscure ones.
>
>
>> Visually, can the ICMP Type dropdown be moved left on the screen, as
>> it's making the screenshot wider than 704. (I know, picky picky picky)
>
> How about moving the Service Name to a separate line. And then have this
> arrangement ?
>
> Service Name
> Ports                          Protocol
>                               ICMP Types

The first version, I think..

> or:
> Service Name
> Protocol                       Ports
>                               ICMP Types
>
>
>>> 2.6.5. Service Groups Administrative Web Page
>>>
>>> The IPCop Firewall is configured by using Services and/or Service Groups.
>>> Service Groups give you the possibility to combine several Services into
>>> a
>>> Group. After which you can create rule(s) which then combine all Services
>>> in
>>> a single step.
>>>
>>> A typical example is to create a DropNoLog Group which then holds those
>>> Services that you know about and do not want to fill up your Firewall
>>> log.
>>
>> The 'Add service to Group' section is also cramped for width. Can the
>> the Remark field be made narrower?
>
> Certainly. No reason to use fixed view size.
>
>
>> Why are there radio buttons I can't select?
>
> Probably easier to code ;-)
> IIRC removing the radiobutton requires to have hidden <input type='hidden'
> etc. > lines instead, to make sure CGI parameters are present.
>
> If this is a big issue I can look into it.

It's no deal breaker.
I was just curious.
Perhaps it becomes obvious when the section is populated with more information?

Eric

How much RAM do have in your machines?

Eric

Guenter wrote:
> David W Studeman schrieb:
>>    Hello all. I built a current cvs version of 1.4.23 and so far I have
>> been able to download current rules and apply them as well as get snort
>> to start upon applying the downloaded rules, beyond that we'll see.
>>
>>    Now to the point of this post. The issue with flash installs that
>> still lingers is that the rules download tarball stays in /var/log/snort
>> which we know is really in /ram/var/log/snort and the rules tarball is
>> now 86MB in size with 2.8. This ends up being compressed into the
>> tarball in /var/log_compressed which is a 30MB partition. Unless one
>> knows to manually delete the download, problems will ensue at the next
>> cron which uses rc.flash.down to compress the logs.
> exactly what I said with my post already: the downloaded tarball is not
> deleted;
> and IIRC it was even duplicated = one original download in /tmp and then
> a copy in var/log/snort ...
>
> Günter.
>
>
>
> ------------------------------------------------------------------------------
  I guess if I would have read the whole thread I would have seen that. 
If the file always has the same name, another exclusion argument in 
rc.flash.down should work.

-- 
Dave Studeman
http://www.raqcop.com

David W Studeman schrieb:
>   Hello all. I built a current cvs version of 1.4.23 and so far I have 
> been able to download current rules and apply them as well as get snort 
> to start upon applying the downloaded rules, beyond that we'll see.
> 
>   Now to the point of this post. The issue with flash installs that 
> still lingers is that the rules download tarball stays in /var/log/snort 
> which we know is really in /ram/var/log/snort and the rules tarball is 
> now 86MB in size with 2.8. This ends up being compressed into the 
> tarball in /var/log_compressed which is a 30MB partition. Unless one 
> knows to manually delete the download, problems will ensue at the next
> cron which uses rc.flash.down to compress the logs.
exactly what I said with my post already: the downloaded tarball is not
deleted;
and IIRC it was even duplicated = one original download in /tmp and then
a copy in var/log/snort ...

Günter.

Hi Dave,

>   In the warning before formatting and installing 1.9.6, the warning 
> uses the word loose rather than lose. Nothing major.

Thanks for bringing it up, already changed a few days ago though ;-)
SVN is moving fast these days :-)


Olaf

-- 

A weizen a day helps keep the doctor away.

  In the warning before formatting and installing 1.9.6, the warning 
uses the word loose rather than lose. Nothing major.
-- 
Dave Studeman
http://www.raqcop.com

  Hello all. I built a current cvs version of 1.4.23 and so far I have 
been able to download current rules and apply them as well as get snort 
to start upon applying the downloaded rules, beyond that we'll see.

  Now to the point of this post. The issue with flash installs that 
still lingers is that the rules download tarball stays in /var/log/snort 
which we know is really in /ram/var/log/snort and the rules tarball is 
now 86MB in size with 2.8. This ends up being compressed into the 
tarball in /var/log_compressed which is a 30MB partition. Unless one 
knows to manually delete the download, problems will ensue at the next
cron which uses rc.flash.down to compress the logs.
-- 
Dave Studeman
http://www.raqcop.com

Eric Oberlander wrote:

> What's the 'ICMP Type' dropdown for?

ICMP is kinda special, as it does not have ports but types.
Providing them as an option gives you the possibility to only allow the 
'normal' ones, like ping and pong and blocking the obscure ones.


> Visually, can the ICMP Type dropdown be moved left on the screen, as
> it's making the screenshot wider than 704. (I know, picky picky picky)

How about moving the Service Name to a separate line. And then have this 
arrangement ?

Service Name
Ports                          Protocol
                                ICMP Types

or:
Service Name
Protocol                       Ports
                                ICMP Types


>> 2.6.5. Service Groups Administrative Web Page
>>
>> The IPCop Firewall is configured by using Services and/or Service Groups.
>> Service Groups give you the possibility to combine several Services into a
>> Group. After which you can create rule(s) which then combine all Services in
>> a single step.
>>
>> A typical example is to create a DropNoLog Group which then holds those
>> Services that you know about and do not want to fill up your Firewall log.
> 
> The 'Add service to Group' section is also cramped for width. Can the
> the Remark field be made narrower?

Certainly. No reason to use fixed view size.


> Why are there radio buttons I can't select?

Probably easier to code ;-)
IIRC removing the radiobutton requires to have hidden <input 
type='hidden' etc. > lines instead, to make sure CGI parameters are present.

If this is a big issue I can look into it.


Olaf

-- 

A weizen a day helps keep the doctor away.

Ouch.

Sorry this commit also pulled in changes to the startup and shutdown 
beeps I had in my tree.
Did not mean to hide these and wanted to send them separate.

> Modified: ipcop/trunk/src/rc.d/rc.halt
> ===================================================================
> --- ipcop/trunk/src/rc.d/rc.halt	2009-07-25 12:04:34 UTC (rev 3322)
> +++ ipcop/trunk/src/rc.d/rc.halt	2009-07-25 14:15:28 UTC (rev 3323)
> @@ -137,10 +137,7 @@
>  
>  # Send nice shutdown beep now
>  if [ "$IPCOPUPDOWNBEEP" = "on" ]; then
> -    /usr/bin/beep -l 75 -f 3000
> -    /usr/bin/beep -l 75 -f 2000
> -    /usr/bin/beep -l 75 -f 1000
> -    /usr/bin/beep -l 75 -f 500
> +    /usr/bin/beep -l 250 -f 514 -n -l 250 -f 343 -n -l 250 -f 686 -n -l 250 -f 864 -n -l 500 -f 770
>  fi
>  
>  if [ "$1" = "halt" ]; then
>
> Modified: ipcop/trunk/src/rc.d/rc.sysinit
> ===================================================================
> --- ipcop/trunk/src/rc.d/rc.sysinit	2009-07-25 12:04:34 UTC (rev 3322)
> +++ ipcop/trunk/src/rc.d/rc.sysinit	2009-07-25 14:15:28 UTC (rev 3323)
> @@ -398,8 +398,5 @@
>  
>  # Send nice startup beep now
>  if [ "$IPCOPUPDOWNBEEP" = "on" ]; then
> -    /usr/bin/beep -l 75 -f 500
> -    /usr/bin/beep -l 75 -f 1000
> -    /usr/bin/beep -l 75 -f 2000
> -    /usr/bin/beep -l 75 -f 3000
> +    /usr/bin/beep -l 250 -f 770 -n -l 250 -f 864 -n -l 250 -f 686 -n -l 250 -f 343 -n -l 500 -f 514
>  fi
>
>   


-- 

A weizen a day helps keep the doctor away.

> 2.6.4. Services Administrative Web Page
>
>
> The IPCop Firewall is configured by using Services and/or Service Groups. If
> you want to create a rule for a Service that is not present in the list of
> Default Services, you will have to add it first.
>
> Give the custom Service a descriptive name, choose the Ports (TCP and UDP
> only) and Protocol.
>
> Note: Use the Invert option with great care, as this can create far larger
> holes in your IPCop Firewall than you might expect!

What's the 'ICMP Type' dropdown for?

Visually, can the ICMP Type dropdown be moved left on the screen, as
it's making the screenshot wider than 704. (I know, picky picky picky)

> 2.6.5. Service Groups Administrative Web Page
>
> The IPCop Firewall is configured by using Services and/or Service Groups.
> Service Groups give you the possibility to combine several Services into a
> Group. After which you can create rule(s) which then combine all Services in
> a single step.
>
> A typical example is to create a DropNoLog Group which then holds those
> Services that you know about and do not want to fill up your Firewall log.

The 'Add service to Group' section is also cramped for width. Can the
the Remark field be made narrower?
Why are there radio buttons I can't select?

Eric

Hi Eric,


(small) explanation about Services / Service Groups.
Please apply grammar, textual modifications where required ;-)



2.6.4. Services Administrative Web Page


The IPCop Firewall is configured by using Services and/or Service 
Groups. If you want to create a rule for a Service that is not present 
in the list of Default Services, you will have to add it first.

Give the custom Service a descriptive name, choose the Ports (TCP and 
UDP only) and Protocol.

Note: Use the Invert option with great care, as this can create far 
larger holes in your IPCop Firewall than you might expect!



2.6.5. Service Groups Administrative Web Page

The IPCop Firewall is configured by using Services and/or Service Groups.
Service Groups give you the possibility to combine several Services into 
a Group. After which you can create rule(s) which then combine all 
Services in a single step.

A typical example is to create a DropNoLog Group which then holds those 
Services that you know about and do not want to fill up your Firewall log.



Olaf

-- 

A weizen a day helps keep the doctor away.