

Topics - RoboJ1M

1
Hi,

We have a Zentyal 2.2 box on a 4-NIC PC protecting our /28 network.

We've added most of the IP addresses in the range to the external NIC.

Then we added an ICMP service and an external to Zentyal rule, ACCEPT all ICMP.

All the addresses bar one respond to ping.

tcpdump shows all echo requests arriving at the external NIC

Everything except the address ending in 137 responds OK.

Interestingly, if we delete 137 and 136 from the external NIC, different things happen.

tcpdump shows the stack sending out ARP requests for 136, but not for 137.

It just receives them and then nothing else happens.

This is utterly bizarre.

Anybody have any ideas? I can't even think how to start diagnosing further.

Thanks,

James.
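A place to start on a "one address out of sixteen is dead" problem is to find out which interface (if any) the kernel thinks owns each address in the prefix, because the stack never sends an ARP request for an address it still considers local. The script below is an added example, not code from the post or from Zentyal: it parses the one-line-per-address output of `ip -o -4 addr show` together with `ip -4 neigh show` and classifies every host address in the /28. The sample output is constructed, with 203.0.113.128/28 standing in for the real prefix and the failure mode being a second interface that still holds .137.

```python
"""Audit which interface owns each address of a prefix, using `ip -o -4 addr show`
and `ip -4 neigh show` output.  Added example; the sample text is constructed."""
import ipaddress
import re

# Constructed `ip -o -4 addr show` output from a 4-NIC box: most of the /28 on eth0,
# and .137 also bound (as a /32) on eth2 -- the case we want to catch.
SAMPLE_ADDR = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 203.0.113.130/28 brd 203.0.113.143 scope global eth0
2: eth0    inet 203.0.113.131/28 brd 203.0.113.143 scope global secondary eth0
2: eth0    inet 203.0.113.136/28 brd 203.0.113.143 scope global secondary eth0
2: eth0    inet 203.0.113.137/28 brd 203.0.113.143 scope global secondary eth0
4: eth2    inet 203.0.113.137/32 scope global eth2
"""

# Constructed `ip -4 neigh show` output.
SAMPLE_NEIGH = """\
203.0.113.129 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
203.0.113.140 dev eth0 FAILED
"""

ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\S+)")
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)$")


def parse_addrs(text):
    """Return {ip: [interface, ...]} for every inet line in `ip -o -4 addr` output."""
    owners = {}
    for line in text.splitlines():
        m = ADDR_RE.match(line)
        if m:
            ip = str(ipaddress.ip_interface(m.group(2)).ip)
            owners.setdefault(ip, []).append(m.group(1))
    return owners


def parse_neigh(text):
    """Return {ip: (interface, lladdr or None, state)} from `ip -4 neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line)
        if m:
            ip, dev, lladdr, state = m.groups()
            table[ip] = (dev, lladdr, state)
    return table


def audit_prefix(prefix, addr_text, neigh_text):
    """Classify each usable host address in `prefix`: local (on which NIC),
    bound twice, known remote neighbour, or unknown."""
    owners = parse_addrs(addr_text)
    neigh = parse_neigh(neigh_text)
    report = {}
    for host in ipaddress.ip_network(prefix).hosts():
        ip = str(host)
        held = owners.get(ip, [])
        if len(held) > 1:
            # The kernel answers for this address on every listed NIC and will
            # never ARP for it, whichever single NIC you delete it from.
            report[ip] = "bound on several interfaces: " + ",".join(held)
        elif held:
            report[ip] = f"local on {held[0]}"
        elif ip in neigh:
            dev, _, state = neigh[ip]
            report[ip] = f"remote via {dev} ({state})"
        else:
            report[ip] = "not bound, no neighbour entry"
    return report


if __name__ == "__main__":
    for ip, status in audit_prefix("203.0.113.128/28", SAMPLE_ADDR, SAMPLE_NEIGH).items():
        print(f"{ip:16} {status}")
```

On the real box, feed it `ip -o -4 addr show` and `ip -4 neigh show` captured from all four NICs rather than the sample text, and also look at `ip route get <address>` for the odd one out: a /32 route or a second binding on another interface is enough to make the stack treat an address as its own.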

2
Hi,

Our ebox has run out of disk space.

An 18GB disk:
Code:
root@router-internal:/# df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/sda1              18G   16G  1.8G  90% /
varrun                505M   56K  505M   1% /var/run
varlock               505M     0  505M   0% /var/lock
udev                  505M   44K  505M   1% /dev
devshm                505M     0  505M   0% /dev/shm

15GB in the postgresql database folder:
Code:
root@router-internal:/# du -h / | grep '[0-9]G\>'
du: cannot access `/proc/15946/task/15946/fd/3': No such file or directory
du: cannot access `/proc/15946/task/15946/fdinfo/3': No such file or directory
du: cannot access `/proc/15946/fd/3': No such file or directory
du: cannot access `/proc/15946/fdinfo/3': No such file or directory
14G     /var/lib/postgresql/8.3/main/base/16384
14G     /var/lib/postgresql/8.3/main/base
15G     /var/lib/postgresql/8.3/main
15G     /var/lib/postgresql/8.3
15G     /var/lib/postgresql
15G     /var/lib
15G     /var
15G     /

Is there some sort of clean-up I can run?
Sadly we're still on ebox 1.0 :(

J.

3
Hi, when trying to add a VPN client to a remote-site ebox, I click Add, enter a name and tick the service box.

When I press Add, I get this error:

"Cannot activate the client because is not fully configured; please edit the configuration and retry"

In ebox.log I get the following:

Code:
2010/06/01 12:30:34 DEBUG> LogFiltering.pm:70 EBox::Events::Model::Watcher::LogFiltering::new - Missing argument: tableInfo
2010/06/01 12:30:34 WARN> Events.pm:526 EBox::Events::__ANON__ - model EBox::Events::Model::Watcher::LogFiltering cannot be instantiated
2010/06/01 12:30:39 DEBUG> LogFiltering.pm:70 EBox::Events::Model::Watcher::LogFiltering::new - Missing argument: tableInfo
2010/06/01 12:30:39 WARN> Events.pm:526 EBox::Events::__ANON__ - model EBox::Events::Model::Watcher::LogFiltering cannot be instantiated
2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command /usr/bin/test -d '/etc/openvpn/spur.conf.d' failed.
Error output:
Command output: .
Exit value: 1
2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command /usr/bin/test -e '/etc/openvpn/spur.conf.d' failed.
Error output:
Command output: .
Exit value: 1
2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command /usr/bin/test -f '/etc/openvpn/spur.conf.d/caCertificate' failed.
Error output:
Command output: .
Exit value: 1
2010/06/01 12:30:39 DEBUG> Clients.pm:141 EBox::OpenVPN::Model::Clients::_validateService - Cannot activate the client because is not fully configured; please edit the configuration and retry

Can anybody explain to me what's gone wrong?
I tried the commands it lists as not working; they return nothing, but they don't error.

We're running ebox 1.3.5

If this is a bug because we're running one of the development branches, how (without using the install disk) do we get 1.4 onto this 32-bit Ubuntu 8.04 server box?

Thanks,

James.
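The `/usr/bin/test` lines in that log are worth reading carefully: `test` reports its answer through the exit status only, so `test -e '/etc/openvpn/spur.conf.d'` printing nothing and exiting 1 is not a broken command, it is the probe saying that the path does not exist. The script below is an added example, not part of the post or of eBox; it pulls the `Sudo.pm ... root command ... failed.` records (with their `Exit value:` lines) out of ebox.log text and translates the `test` probes into plain statements. The log text is a constructed copy of the lines quoted above.

```python
"""Extract failed root commands from ebox.log and explain /usr/bin/test probes.
Added example; SAMPLE_LOG is a constructed copy of the lines in the post."""
import re

SAMPLE_LOG = """\
2010/06/01 12:30:39 WARN> Events.pm:526 EBox::Events::__ANON__ - model EBox::Events::Model::Watcher::LogFiltering cannot be instantiated
2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command /usr/bin/test -d '/etc/openvpn/spur.conf.d' failed.
Error output:
Command output: .
Exit value: 1
2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command /usr/bin/test -f '/etc/openvpn/spur.conf.d/caCertificate' failed.
Error output:
Command output: .
Exit value: 1
2010/06/01 12:30:39 DEBUG> Clients.pm:141 EBox::OpenVPN::Model::Clients::_validateService - Cannot activate the client because is not fully configured; please edit the configuration and retry
"""

# "2010/06/01 12:30:39 ERROR> Sudo.pm:215 EBox::Sudo::_rootError - root command <cmd> failed."
HEAD_RE = re.compile(r"^(\S+ \S+) (\w+)> (\S+) (\S+) - root command (.+) failed\.$")
EXIT_RE = re.compile(r"^Exit value: (\d+)$")
TEST_RE = re.compile(r"^/usr/bin/test (-[defrwx]) '([^']+)'$")

# What a status of 1 from each test(1) flag means.
TEST_MEANING = {
    "-e": "does not exist",
    "-d": "missing or not a directory",
    "-f": "missing or not a regular file",
}


def parse_failed_commands(text):
    """Return one dict per 'root command ... failed.' record: time, level,
    command, exit status, and for /usr/bin/test the flag and probed path."""
    records, current = [], None
    for line in text.splitlines():
        m = HEAD_RE.match(line)
        if m:
            current = {"time": m.group(1), "level": m.group(2),
                       "command": m.group(5), "exit": None}
            t = TEST_RE.match(current["command"])
            if t:
                current["probe"] = {"flag": t.group(1), "path": t.group(2)}
            records.append(current)
            continue
        m = EXIT_RE.match(line)
        if m and current is not None:
            current["exit"] = int(m.group(1))
            current = None          # record complete; the next line is a new entry
    return records


def explain(record):
    """Plain-language reading of one failed command."""
    probe = record.get("probe")
    if probe is None or record["exit"] != 1:
        return f"{record['command']}: failed with exit status {record['exit']}"
    meaning = TEST_MEANING.get(probe["flag"], "test " + probe["flag"] + " is false")
    return f"{probe['path']}: {meaning}"


if __name__ == "__main__":
    for rec in parse_failed_commands(SAMPLE_LOG):
        print(rec["time"], explain(rec))
```

Run against the real file with `parse_failed_commands(open("/var/log/ebox/ebox.log").read())`; anything that is not a `test` probe with status 1 is reported with its raw exit status, which is the line to chase.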

4
Hi,

I'm trying to restrict which websites a fleet of handheld computers can reach via their built-in GPRS modem.
I'm trying to do this by using our external ebox as a public squid proxy with a valid-domain list of just one domain.

I have an ebox with an internal (192.168.28.1) and external interface (a.b.c.98).
ebox-squid is installed and configured to run on port 55000.
There is a firewall redirect from a.b.c.98 port 55000 to 192.168.28.1:55000.

I can telnet to a.b.c.98:55000 and the port appears to be open.

My squid settings are:

**General**
Transparent : Off
Port: 55000
Default Policy: Filter

**Objects' Policy**
None

**Filter**
Threshold: Very Permissive
File Extension Filtering: Default (Allow everything)
MIME Types Filtering: Default (Allow everything)
Domains filtering:
   Block not listed domains: Yes
   Block sites specified only as IP: Yes
Domains List:
   cobalt-tt3.biz: Always allow.

Now, I have a Windows CE 5 handheld.
I start Internet Explorer and browse to the correct page at that domain.
This works.
Now, if I set the proxy to:

Use Proxy: yes
Proxy Address: a.b.c.98:55000
Bypass Local: Yes

The page now fails to load (Cannot find server or DNS Error).

Can anybody see why this doesn't work?

Thanks,

J1M.

5
Hi,

Now that our production boxes are up to date (1.0.3) I'd like to regenerate the CA SSL keys and make them safe then wipe the CA and OpenVPN configuration and start again.

Can somebody explain to me how to create new keys for my box please?
What about the eBox administration site?
That has an SSL cert, can I re-issue that?

Thanks,

J1M.
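Whatever the eBox CA module does with its own files, the property to check after a CA is regenerated is the one below: certificates issued by the new CA validate against it, and anything signed by the old CA (old VPN client certs, the old admin-site cert) no longer does. This is an added example, not eBox's CA code or its file layout; it drives the openssl command line from Python in a temporary directory. The CA names, the `router-internal` common name and the validity periods are assumptions.

```python
"""Create a new CA, issue a certificate from it, and confirm the old CA's
certificates no longer validate.  Added example driving openssl(1); it assumes
the openssl binary is on PATH and uses made-up CA and host names."""
import os
import subprocess
import tempfile


def run(*args):
    """Run an openssl command, raising on non-zero exit."""
    return subprocess.run(args, check=True, capture_output=True, text=True)


def make_ca(workdir, name, cn):
    """Self-signed CA key and certificate; the key file is left mode 0600."""
    key = os.path.join(workdir, f"{name}-ca.key")
    crt = os.path.join(workdir, f"{name}-ca.crt")
    run("openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
        "-keyout", key, "-out", crt, "-days", "3650", "-subj", f"/CN={cn}")
    os.chmod(key, 0o600)
    return key, crt


def issue_cert(workdir, ca_key, ca_crt, name, cn):
    """Fresh key + CSR for `cn`, signed by the given CA."""
    key = os.path.join(workdir, f"{name}.key")
    csr = os.path.join(workdir, f"{name}.csr")
    crt = os.path.join(workdir, f"{name}.crt")
    run("openssl", "req", "-new", "-newkey", "rsa:2048", "-nodes",
        "-keyout", key, "-out", csr, "-subj", f"/CN={cn}")
    run("openssl", "x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
        "-CAcreateserial", "-out", crt, "-days", "825")
    os.chmod(key, 0o600)
    return key, crt


def verifies(ca_crt, crt):
    """True if `crt` chains to `ca_crt`, judged by openssl verify's exit status."""
    r = subprocess.run(["openssl", "verify", "-CAfile", ca_crt, crt],
                       capture_output=True, text=True)
    return r.returncode == 0


def rotate_demo():
    """Old CA + cert, then new CA + cert; return the four cross-check results."""
    with tempfile.TemporaryDirectory() as d:
        old_key, old_ca = make_ca(d, "old", "eBox old CA")
        _, old_cert = issue_cert(d, old_key, old_ca, "admin-old", "router-internal")
        new_key, new_ca = make_ca(d, "new", "eBox new CA")
        _, new_cert = issue_cert(d, new_key, new_ca, "admin-new", "router-internal")
        return {
            "new cert vs new CA": verifies(new_ca, new_cert),
            "old cert vs new CA": verifies(new_ca, old_cert),
            "new cert vs old CA": verifies(old_ca, new_cert),
            "old cert vs old CA": verifies(old_ca, old_cert),
        }


if __name__ == "__main__":
    for check, ok in rotate_demo().items():
        print(f"{check}: {'OK' if ok else 'FAIL'}")
```

The "old cert vs new CA" line is the one that matters operationally: once it reads FAIL, any client still carrying a certificate from the old CA is locked out, so reissue VPN client certificates before, not after, the old CA material is wiped, and keep the old CA key only long enough to be sure nothing still depends on it.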

6
Hi,

I'm getting billions of these SMB broadcast packets being logged as blocked in /var/log/syslog.

Code:
Jun  2 14:24:10 router-internal kernel: [104374.750926] ebox-firewall IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:56:ed:82:18:08:00 SRC=192.168.27.67 DST=192.168.27.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=15730 PROTO=UDP SPT=138 DPT=138 LEN=209
What's that all about then?

Thanks,

Jim.
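That line is the kernel LOG target's record of a UDP 138 (NetBIOS datagram service) packet from a Windows host on the LAN to the subnet's directed broadcast address, 192.168.27.255; the destination MAC is the first six octets of the `MAC=` field, `ff:ff:ff:ff:ff:ff`. Every Windows machine announces itself this way, the firewall has no rule accepting it, so each one is dropped and logged. The script below is an added example, not from the post; it parses the key=value format of these log lines and separates local broadcast noise from unicast hits and from broadcasts arriving from an address that does not belong on the logging interface's subnet. The first sample line is the one quoted above; the others are constructed, as is the interface-to-subnet map.

```python
"""Parse netfilter LOG lines from syslog and classify them.  Added example; the
first sample line is from the post, the rest are constructed."""
import ipaddress
import re
from collections import Counter

SAMPLE_SYSLOG = """\
Jun  2 14:24:10 router-internal kernel: [104374.750926] ebox-firewall IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:56:ed:82:18:08:00 SRC=192.168.27.67 DST=192.168.27.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=15730 PROTO=UDP SPT=138 DPT=138 LEN=209
Jun  2 14:24:11 router-internal kernel: [104375.001002] ebox-firewall IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:56:ed:82:18:08:00 SRC=192.168.27.67 DST=192.168.27.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15731 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  2 14:24:12 router-internal kernel: [104376.123456] ebox-firewall IN=eth1 OUT= MAC=00:11:22:33:44:55:00:0d:56:ed:82:19:08:00 SRC=192.168.27.90 DST=192.168.27.188 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  2 14:24:13 router-internal kernel: [104377.000001] ebox-firewall IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0d:56:ed:82:20:08:00 SRC=10.9.8.7 DST=192.168.27.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=15732 PROTO=UDP SPT=137 DPT=137 LEN=58
"""

# Subnet behind each logging interface (constructed to match the post).
IFACE_NETS = {"eth1": ipaddress.ip_network("192.168.27.0/24")}

PREFIX_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) kernel: \[\s*[\d.]+\] (\S+) ")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Split one LOG line into {time, host, prefix, IN, OUT, MAC, SRC, DST, PROTO, ...}.
    Bare flags such as DF or SYN carry no '=' and are not captured."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    rec = {"time": m.group(1), "host": m.group(2), "prefix": m.group(3)}
    for key, value in KV_RE.findall(line[m.end():]):
        rec.setdefault(key, value)   # LEN appears twice (IP, then UDP); keep the IP one
    return rec


def classify(rec):
    """'broadcast-noise' (LAN host to its own broadcast), 'broadcast-foreign'
    (broadcast from a source not on that interface's subnet), or 'unicast'."""
    src = ipaddress.ip_address(rec["SRC"])
    dst = ipaddress.ip_address(rec["DST"])
    net = IFACE_NETS.get(rec.get("IN"))
    dst_mac = rec["MAC"][:17]        # destination MAC is the first six octets of MAC=
    is_bcast = dst_mac == "ff:ff:ff:ff:ff:ff" or (net is not None and dst == net.broadcast_address)
    if not is_bcast:
        return "unicast"
    return "broadcast-noise" if net is not None and src in net else "broadcast-foreign"


def summarize(text):
    """Count (class, SRC, PROTO, DPT) tuples over a block of syslog text."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(classify(rec), rec["SRC"], rec.get("PROTO"), rec.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_SYSLOG).most_common():
        print(n, *key)
```

The practical fix is to stop logging the noise rather than to stop dropping it: a rule that silently drops UDP 137/138 (and anything to the interface's broadcast address) ahead of the logging rule, or not logging drops on the LAN interface at all, keeps syslog readable so that the unicast hits, such as the TCP 445 attempt in the constructed sample, are still visible.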

7
Hi,

I have a server in our DMZ that requires access to SQL Servers on the internet.

So I've added a service: SQLServer: TCP 1433 (External)

And I've added a rule

Source: MyServer
Dest: any
Service: SQLServer

Will this also allow the DMZ server access to the LAN because I've specified the Destination as 'any'?
Or will 'any' be considered 'any address outside of our internal network' because I marked the Service as External?

Thanks,

Jim.
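In an ordinary first-match packet filter, a rule whose destination is "any" matches the LAN as much as it matches the internet: the match is decided by the addresses and ports in the rule, not by a label on the service object. Whether eBox's "External" flag on a service narrows the destination is something to confirm from the generated ruleset on the box (`iptables -L FORWARD -n -v`) rather than assume. The model below is an added example, not eBox's firewall code; it evaluates ACCEPT/DENY rule lists with a default DENY against a DMZ-to-internet packet and a DMZ-to-LAN packet, first with the rule as posted and then with the two usual fixes. Addresses, object names and the SQL server list are assumptions.

```python
"""First-match packet-filter model: does Source=MyServer, Dest=any, Service=SQLServer
let the DMZ host reach the LAN?  Added example; all addresses are assumptions."""
import ipaddress

A = ipaddress.ip_address
N = ipaddress.ip_network

LAN = N("192.168.27.0/24")
MYSERVER = N("192.168.29.10/32")               # the DMZ host
ANY = N("0.0.0.0/0")
SQL_SERVERS = [N("203.0.113.5/32"), N("198.51.100.17/32")]   # the internet SQL servers
SQLSERVER = ("tcp", 1433)                      # service object: TCP 1433

# A rule is (action, source networks, destination networks, service or None for any).
AS_POSTED = [
    ("ACCEPT", [MYSERVER], [ANY], SQLSERVER),
]
DENY_LAN_FIRST = [                             # fix 1: ordering, deny the LAN above it
    ("DENY", [MYSERVER], [LAN], None),
    ("ACCEPT", [MYSERVER], [ANY], SQLSERVER),
]
NARROW_DST = [                                 # fix 2: least privilege, name the real destinations
    ("ACCEPT", [MYSERVER], SQL_SERVERS, SQLSERVER),
]


def matches(rule, pkt):
    """pkt = (src, dst, proto, dport)."""
    _, srcs, dsts, service = rule
    src, dst, proto, dport = pkt
    return (any(src in n for n in srcs)
            and any(dst in n for n in dsts)
            and (service is None or service == (proto, dport)))


def decide(rules, pkt, default="DENY"):
    """First matching rule wins; nothing matched means the default policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule[0]
    return default


def check_all():
    """Verdicts for (to internet SQL server, to a LAN host) under each rule set."""
    to_internet = (A("192.168.29.10"), A("203.0.113.5"), "tcp", 1433)
    to_lan = (A("192.168.29.10"), A("192.168.27.50"), "tcp", 1433)
    return {name: (decide(rules, to_internet), decide(rules, to_lan))
            for name, rules in [("as posted", AS_POSTED),
                                ("deny LAN first", DENY_LAN_FIRST),
                                ("narrow destination", NARROW_DST)]}


if __name__ == "__main__":
    for name, (internet, lan) in check_all().items():
        print(f"{name:20} internet={internet:6} lan={lan}")
```

Of the two fixes, the narrow destination is the one to prefer: a DMZ host that is compromised can then only talk TCP 1433 to the named servers, and there is no rule-ordering mistake waiting to happen the next time someone edits the list.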

8
Hi,

I'm looking at using Ubuntu Server 8.04 + eBox to run our new network.
We're planning on having two routers.

One "internal" router as a content filter and firewall between internal users and the internet/DMZ/VPN, and one "external" router connected to the internet/DMZ/VPN/other networks but without the heavy content-filtering/caching load and firewall ruleset of the internal router.

I've got a very simple test setup at the moment, and I can't get it to work.
Here's the setup:

Networks:

192.168.28.0/30 : network to connect the two routers together
192.168.27.0/24 : Our current internal network; all three PCs are attached to this network, although router-external is only connected for debug purposes

Hosts:

router-external:

eth1:192.168.28.1
eth4:192.168.27.12 (temp connection for access to web interface)

router-internal:

eth0:192.168.28.2
eth1:192.168.27.188 (temp address, this will become the default gateway for 192.168.27.0/24)

newdev: (My PC)

192.168.27.14

Routes:

Code:
administrator@router-internal:~$ ip route show
192.168.28.0/30 dev eth0  proto kernel  scope link  src 192.168.28.2
192.168.27.0/24 dev eth1  proto kernel  scope link  src 192.168.27.188

Code:
administrator@router-external:~$ ip route show
192.168.28.0/30 dev eth1  proto kernel  scope link  src 192.168.28.1
192.168.27.0/24 dev eth4  proto kernel  scope link  src 192.168.27.12

Code:
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 1e 4f 92 f3 f9 ...... Intel(R) 82566DM-2 Gigabit Network Connection -
SecuRemote Miniport
0x10004 ...00 0a 3a 63 70 b0 ...... Bluetooth Device (Personal Area Network)
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     192.168.27.0    255.255.255.0    192.168.27.14   192.168.27.14       10
    192.168.27.14  255.255.255.255        127.0.0.1       127.0.0.1       10
   192.168.27.255  255.255.255.255    192.168.27.14   192.168.27.14       10
     192.168.28.0  255.255.255.252   192.168.27.188   192.168.27.14       1
        224.0.0.0        240.0.0.0    192.168.27.14   192.168.27.14       10
  255.255.255.255  255.255.255.255    192.168.27.14   192.168.27.14       1
  255.255.255.255  255.255.255.255    192.168.27.14           10004       1
===========================================================================
Persistent Routes:
  None

Each router can ping the other's 192.168.28.x address.
newdev can ping all the addresses on router-internal
newdev cannot ping 192.168.28.1 (router-external through router-internal)
I cannot trace the route to 192.168.28.1 from newdev.
There are no firewall logs for ICMP being dropped.

I have ebox-firewall and ebox-software installed.
All the modules are turned on.
All the logs are turned on and configured to log everything.
I've added Any Internal ICMP to both eBoxes' Services sections.
I've added Allow Internal ICMP from Any to Any in the Internal Networks section of router-internal's Packet Filter section.
I've added Allow Internal ICMP from Any to the Internal Networks to eBox section of router-external's Packet Filter section.

Questions:

1) Why can I not ping 192.168.28.1 from my PC newdev?
2) Why can I not ssh to 192.168.28.1 from my PC newdev? (I can ssh to both eBoxes on their 192.168.27.x addresses.)

Thanks!

Jim.
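The three route tables above are enough to trace the ping by hand, and the trace shows an asymmetry: newdev sends to 192.168.28.1 via router-internal, but router-external's best route back to 192.168.27.14 is its debug leg on eth4, not eth1 where the packet arrived. With strict reverse-path filtering (`net.ipv4.conf.all.rp_filter` / `net.ipv4.conf.eth1.rp_filter` set to 1) the kernel drops such a packet in the routing code, before it ever reaches the netfilter INPUT chain, which is why nothing would show in the firewall log; `net.ipv4.conf.all.log_martians=1` makes those drops visible. The script below is an added example, not from the post: a longest-prefix-match lookup over the tables printed above, used to walk a packet hop by hop and to apply the strict rp_filter check at each arrival. Host roles, addresses and interface names come from the post; whether rp_filter is strict is a parameter because the post does not show it, and forwarding on router-internal is assumed to be enabled.

```python
"""Hop-by-hop trace over the post's route tables, with an optional strict
rp_filter check on each arriving packet.  Added example; the tables are the
ones printed in the post, the rp_filter setting is assumed."""
import ipaddress

# Each route is (prefix, device, gateway or None for on-link).
HOSTS = {
    "newdev": {
        "addrs": {"192.168.27.14": "eth"},
        "routes": [("192.168.27.0/24", "eth", None),
                   ("192.168.28.0/30", "eth", "192.168.27.188")],
    },
    "router-internal": {
        "addrs": {"192.168.28.2": "eth0", "192.168.27.188": "eth1"},
        "routes": [("192.168.28.0/30", "eth0", None),
                   ("192.168.27.0/24", "eth1", None)],
    },
    "router-external": {
        "addrs": {"192.168.28.1": "eth1", "192.168.27.12": "eth4"},
        "routes": [("192.168.28.0/30", "eth1", None),
                   ("192.168.27.0/24", "eth4", None)],
    },
}


def lookup(table, dst):
    """Longest-prefix match; returns (network, device, gateway) or None."""
    best = None
    for prefix, dev, gw in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, gw)
    return best


def owner_of(ip):
    """Which host in the model holds this address."""
    for name, host in HOSTS.items():
        if str(ip) in host["addrs"]:
            return name
    return None


def rp_filter_ok(host, in_dev, src):
    """Strict rp_filter: the route back to src must use the interface the packet came in on."""
    r = lookup(HOSTS[host]["routes"], src)
    return r is not None and r[1] == in_dev


def trace(src, dst, rp_filter_strict=True, max_hops=8):
    """List of (host, event) steps for a packet from src to dst."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    host, in_dev, steps = owner_of(src), None, []
    for _ in range(max_hops):
        if in_dev is not None and rp_filter_strict and not rp_filter_ok(host, in_dev, src):
            steps.append((host, f"dropped by rp_filter on {in_dev}: route back to {src} uses another interface"))
            return steps
        if str(dst) in HOSTS[host]["addrs"]:
            steps.append((host, "delivered locally"))
            return steps
        r = lookup(HOSTS[host]["routes"], dst)
        if r is None:
            steps.append((host, "no route"))
            return steps
        _, dev, gw = r
        nexthop = ipaddress.ip_address(gw) if gw else dst
        steps.append((host, f"forward via {dev} to {nexthop}"))
        nxt = owner_of(nexthop)
        if nxt is None:
            steps.append((host, f"next hop {nexthop} is not in the model"))
            return steps
        host, in_dev = nxt, HOSTS[nxt]["addrs"][str(nexthop)]   # forwarding assumed enabled
    steps.append((host, "hop limit reached"))
    return steps


if __name__ == "__main__":
    for strict in (True, False):
        print(f"rp_filter strict={strict}")
        for host, event in trace("192.168.27.14", "192.168.28.1", strict):
            print("  ", host, "-", event)
    print("reply path:")
    for host, event in trace("192.168.28.1", "192.168.27.14"):
        print("  ", host, "-", event)
```

The reply trace is the other half of the picture: even when the request is accepted, router-external answers straight out of eth4 onto 192.168.27.0/24, so router-internal only ever sees one direction of the conversation. Removing the debug leg (or giving router-external a route to 192.168.27.0/24 via 192.168.28.2 and making it prefer that) removes both the asymmetry and the rp_filter drop; the same applies to the ssh attempt, since TCP does not get as far as a SYN-ACK if the SYN is dropped on arrival.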
