Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - mtrogg

Pages: [1]
You need it accepted in its local trusted certificate folder, so a static certificate and import in local machine's trusted sources. You could use registry for that, I guess, too.

openssl x509 -in /etc/mail/certificate.pem -outform DER -out certificate.der  (for correct static certificate to import in windows)

Here's some microsoft information:

Installation and Upgrades / Re: Hide Internal IP Address in DNS
« on: July 30, 2014, 11:39:49 am »
Yes well that is the FORWARDED_FOR tag in HTTP headers through squid (proxy) responses.

You'll need to adapt squid configuration files via command line to change this;

Installation and Upgrades / Re: Two locations, same lan
« on: July 30, 2014, 11:22:10 am »
So if you use those gateways, you cant setup your gateway line to both serve internet as well as for some occurances (the local ip's) via a tunnel! especially not via a vpn module that is intended not to interconnect gateways but to serve clients with a zentyal gateway provided VPN tunnel. So you mingle that, you mingle zentyal interconnection and management with regular user management as it is coupled to VPN module. Wouldn't do that.

So for to be sure, this is the situation you want?;

Clients A - Zentyal A - Internet A
Clients B - Zentyal B - Internet B

Zentyal A interconnected via Internet A to Zentyal B via internet B via VPN tunnel to provide Clients A + B with one seamless internal LAN?

If that is the case, I'd suggest just setting up zentyal as you normally would, providing their clients. without even considering the vpn tunnel to interconnect both zentyals, I'd save that for last.

Then I need to state that I don't use zentyal dashboard for this solution, if you NEED/DEMAND your interconnection be done via Zentyal, I thik its not possible at least not in non commercial edition, since I don't see any VPN probability via gateway / iinterface definition pages. The VPN module, again is not to serve as client, it is to serve clients with its SERVER capacity, yes it can serve to public interface, No it is not setup, preconfigured or doesn't seem at all to provide gateway interconnectivy, at least not in the non commercial zentyal edition. The suggestion below is how I'd try to solve this;

Assign DIFFERENT LAN (internal) IP in SAME subnet to both gateways.

Assign DIFFERENT LAN (internal) ranges to provide for each DHCPD setup you have running, so clashes after interconnect are prevented.

make sure each DHCPD can only serve internally and is taken from the interconnection, using static IP's p.e. and firewall rules may help. To prevent clashes.

Assign roles, who is to serve the VPN and who is to client, or both if you want two lines open. Then setup and use these connections manually from the command line, as if you're not a zentyal gateway and just setting up VPN via ubuntu. use rc.local and cron to check up, create and maintain these connection so it's automated.

Then assign DIFFERENT internal IPS to successful VPN tunnels. You could bridge/route/bind them to static IP aliases on top of your internal interface, so you would only need to allow VPN communication between both Zentyals within firewall tab within dashboard, the rest will operate on top of your internal interface and is therefor already managed by its rules. Just keep DHCP, NTP such things out of there, keep that local and make sure its served only local by say use network objects to associate ip ranges to block services via firewall tab.

In short, I'd make sure both Zentyals wouldn't clash at point of adressing and such in one physical LAN, then I'd set both to serve as normally, then I'd EXTERNALLY via command line setup interconnection over its gateway channel (internet interface) and bind that to internal or something, automate /ensure via rc.local ((re)boot) and crontab (continuety while running).

Oh and never forget about DHCP on internet line. How are you setup/ maintain VPN interconnectivity if both outside IP are dynamic? Use dyndns or some ping script solution.

Installation and Upgrades / Re: Two locations, same lan
« on: July 28, 2014, 08:20:30 pm »
Are you trying to use Zentyal's VPN module for interconnecting those two seperate LANs?

Well, I suppose you could just grep -Hirn mac or ip through dhcp lease table (located in /var/lib/dhcp) for linenumber so you goto more information around that linenumber recieved via dhcp communication.

then you could scan with tools as nmap..

you could use logging facility of http proxy module to see whats accessed to learn what type host it is. say what type of updates it tends to download (antivirus, os)

use first three octets of mac address to find vendors of nic (network cards) so you can narrow probable application (cellphone vendor/mobile, repeater/router recognition etc)

you could use tricks lets say via dns so reroute update processes into investigative sessions. you the gateway, you define the route to update domains looked for by client you want to see in the eye. as long as the client eats it its more of work but i guess its a way of more in depth investigating whats hapening witha client on your network.

you could also try with IDS module especially if you attach multiple network cards to that network the client you want to investigate is on.

Installation and Upgrades / Re: Linux perms vs Windows perms
« on: July 28, 2014, 06:07:53 pm »
I only zentyal for small scale non professional gateway for some couple of months, so I don't have practical experience with your described situation, besides from interoperability and risk minimizing view I only make use of http(S), and such protocols and not ldap and so I never have much experience with that. I do know some about perm troubles and interoperability issues here and there.

I see your world permissions are none in directory, linux goes top down, so if you non world a directory you non world the subdirectory however differntly you might set the subdirectory permissions.

so if you need

/publicfolders/share/administratoraccess/useraccess to be user readable

it wont be accessible for users if its subdirectory (/publicfolders/share/administratoraccess) is only admin readable.

I'd use /publicfolders/share/admin and /publicfolders/share/user or something for that.
so logging into folderview, everybody sees both admin and user but users will not be able to access that admin folder they see.

so for your users to read you would either need;

user1   __USERS__ in the same group as root Administrators


make share and subfolder directory world readable (and take care admin only access is chmod'd seperately to non world readable) so that user directory can be accessed with user perms.

or create as i suggested upstairs two different directories?

Maybe this helps :)

[edit]oh sorry, do not forget to also consider the deamon offering the network access to those folders. Sometimes these problems occur because that deamon is ran under different credentials, needs to offer directories it cant access as process under its running credentials. most deamons are ran root, but not all. you can either then add deamon in user/admin groups or chmod accordingly to deamon credentials which offers already problems since you need multiple privilege sets.

Installation and Upgrades / Re: HTTP module cannot start
« on: July 28, 2014, 04:51:13 pm »
I didn't roll out that upgrade (yet) but having a swift look at your message I think it might be that ubuntu distribution upgrade not in effect yet (no reboot, running on old core with new scripts?).

Again, never upgraded to different ubuntu server through zentyal dash yet, so I don't know whether It propagates or enforces reboot, in my update processes I always seperately had to reboot (running 3.4.8 now, zentyal for past three months or so).

If you didn't reboot after upgrade, try it manually via dash > system > reboot-halt or via ssh, that might solve your problem!

[edit]It literally means C library NET::LDAP (so the error is connected to your LDAP application) suffers errors while handling calls to it, probably version/compatibility issue, specially since after upgrading. try the reboot. hard C libraries are used p.e. with non statically compiled binaries. statically compiled means that binary includes these libraries in itself instead of relying on the OS for providing them functions.

I don't know too much about zentyal (yet), but to do some adapted tasks I  believe you can use the ebox documentation to melt stuff in, again I haven't seen much about it, but many templates that I guess are usable to adapt I found residing in,


look through there, specially subdirectories stubs and templates might be useful.

For myself I did a simpler solution, since I needed it for some shell scripts and needed a very quick solution for some simple buttons and had an open line for webserver,

Used http auth module together with ssl only on the outside open ip (for security, since its into your system), shell scripts i use in cron are called via setuid binary via php system function. Then I just wait a few seconds and check on shell script output log file size/time/date to see ifs it correct so i can return succesful via php.

for example, my c script to call cron shell script for remote management via webserver;

Code: [Select]
#include <stdio.h>

void main (void) {
        system ("nohup nice -n 10 /bin/sh /srv/www/.dekluis/eorlease \"pass\" > /srv/www/.publicos/eorlease.b7 & printf \"%u\" $!");
        system ("nohup nice -n 10 /bin/sh /srv/www/.dekluis/eorlease \"pass\" > /srv/www/.publicos/eorlease.b3 & printf \"%u\" $!");
        system ("nohup nice -n 10 /bin/sh /srv/www/.dekluis/eorlease \"pass\" > /srv/www/.publicos/eorlease.b5 & printf \"%u\" $!");
        system ("nohup nice -n 10 /bin/sh /srv/www/.dekluis/enhlease > /srv/www/.publicos/enhlease & printf \"%u\" $!");

you need chmod +s after compiling such script depending on what the called script does. eorlease and enhlease in this example are my shell scripts I use in cron too. so just one script for the job that zentyal doesnt offer (in my case some repeater management) to automate network management through server, use same script via this simple program to call via web for rremote management.

maby an idea?


[edit]oops, forgot to mention that maby most important reason might be updating. if you mingle your third party things into zentyal via stubs/templates of ebox or something, you risk loosing your changes while updating and thats also one of my main reasons to do a few simple external tasks like this. but you need enable a outside website for that, id really suggest ssl only in combination with some auth password, since especially such setuid solutions well can turn ugly on real production environments especialy when dependent on it. if security really is an issue, absolutely ip restrict access to such webserver too.


Since a few months I'm running a first Zentyal setup, up to now to my very satisfaction. Zentyal is applicated as gateway to provide non-professional free wireless internet on small scale on bigger distance (some trees in between, 5-15 users). Installed on thin client, 2 gb (800Mhz) ram, core2duo 2.66, use DNS, HTTP Proxy, Traffic Balancing and Traffic Shaping, http filter (to reduce overkill on very limited bandwidth in rural area keep the system in the air), NTP and Webserver, FYI - Great solution, very accessible and managable!


Now I was accessing Zentyal to find upgrade offer to 3.5 although with remark of removal of bandwidth monitoring?

I use that module to check up on buggy constantly hanging couple of repeaters, can somebody confirm what happens while upgrading from 3.4.8 to 3.5 in regard to these files;


I use it to check if ip is down through cron scripts, if it is theres a trigger trick to get the crap back up, it was very handy for that. I also check through number of bytes in the night whether a reboot ( and thus NTP request) finished correctly, that eth0.log was very easy to use for that.

Thanks already!

[edit]I'm remote from some ppl I helped out, wouldnt like couple of happy internet users to take the internet from them until i return to visit my friends, which is in a month, thats why i cant easily check myself and thus ask here.. just FYI. cant ask them, oldsters that luckily via super zentyal gui can do a silly thing, hardly, so except for pushing a button under heavy cellphone surveillance i cant ask them a thing. so anybody running a 3.5 community edition setup: is there a way to keep /var/log/zentyal/bwmonitor maintained or a different way in this new 3.5 edition or do I need to do it manually?

Dutch / Re: Uitwiseling ervaringen
« on: July 28, 2014, 03:34:33 pm »
Hai Maurice, Ian,

Sinds dat ik laatst iemand blij heb kun maken met een Zentyal setup voor een (gratis/huis-tuin-keuken) draadloze omgeving, ben ik naast bekend aan het geraken met dit pakket en gebruik ervan ook langzaam me in aan het lezen op forum/wiki etc.

Natuurlijk heb ik slechts hier en daar wat aanpassing gemaakt naar de behoefte van die mensen, Zentyal slechts wat zijdelings leren kennen tot nu, niettemin vindt ik het pakket best potentie hebben, gebruiksvriendelijk/handzaam en vanuit die gewekte interesse dus wat inlezen, langzaam wat dieper in techniek van t pakket duikend.

Meer inhoudelijk op deze draad reagerend, Maurice, als ik zo vrij mag zijn, denk ik dat 'specialisten' eigenlijk vooral moeilijk te vangen zijn NADAT ze hun routine voor hun werk AL ontwikkeld hebben. Om de specialisatie die afgenomen wordt door behoefte te optimaliseren, probeert vrijwel iedere pro meteen bij aanvang al om zoveel mogelijk vaste hoofdlijnen te definieren en handhaven, niet alleen voor compatibiliteit enzo. Zo'n product zal dus sneller markt vatten als je de pro's die BEGINNEN bovenaan je doelbereik zet, dat zijn de mensen die nog naar zulke hoofdlijnen kijken voor ze er jaren mee gaan werken.

Hoe mooi het product ook, het eigenwijze probleem met specialisten zal toch altijd de GUI brug blijven. Deze gui is best heel functioneel, zeer bereikbaar, zeer hanteerbaar, maar GUIS blijven links- of rechts-om keuzes maken voor gebruikers, we weten allemaal dat hoe meer gui, hoe meer beslissing voor de gebruiker (however accessible dan ook, denk bijvoorbeeld aan onnodige standaard instellingen die je allemaal af moet en NIET wanneer je zélf je basis/uitgangspunt beheerd), hoe lastiger combinatie met specialist.

Nogmaals, Zentyal does a good job. Het is serieus een van de mooiste producten die ik door de jaren heb gezien, hoewel slecht in één toepassing in praktijk gebracht tot nu.

En we hebbben natuurlijk nog een volkomen puberale IT, internet, (social) media situatie, bij lange na niet uitgekristalliseerd in onze samenleving, waardoor een veelheid aan initiatief in een ENORME mobiliteit van dat relatief nieuwe internet (laten we zeggen 15/20 in meer open/publiek gebruik) vanwege dus datzelfde uitkristalliseren (wat gebeurd in iedere markt, met iedere (nieuwe) techniek, beweging) en dan gaat iedereen zich zowiezo onbewust meer als eilandjes gedragen.

En ja, ik heb eigenlijk ook wel interesse, kan dat zo ff tussendoor? :)


Dutch / Re: Uitwiseling ervaringen
« on: April 18, 2014, 10:35:47 am »
Hai Ramon, allemaal!

Ook een nieuwe Zentyal gebruiker hier (of althans de oude mensen die nogal wat gezeur op hun caravanpark hadden met aanbieden graties draadloze toegang). Zentyal 3.4 / Ubuntu 13.10. Ook met updates erbij (3.4.1) loopt als een zonnetje. Prettig systeem, vooral omdat het ook handzaam is voor deze mensen zelf! Veel en veel beter dan die ouwe Pheenet NAC (WMS 308N) die ze aangesmeerd hadden gekregen, dat ding is zelfs met de laatste firmware (wél hardware v1.x) zo instabiel als ik weet niet wat, dhcp lease table problemen etc.

Wij draaien hier alleen dns, firewall, webserver, squid, bandbreedte, ntp modules. Op een HP thin client met twee usb nic's erbij geknoopt voor de dsl en satelliet en de onboard gigabit nic voor lan. Als een zonnetje, tot zover dan. Alleen hotmail nog niet helemaal maar dat gaan we volgens mij ook wel uitvogelen. En als dat alles is.. (naar mijn mening)

Hey Ramon, ik ben de laatste tien jaar niet meer professioneel in IT maar ik vindt het leuk wat je doet voor ouderen. Als ik je daarmee verder kan helpen feel free to message me. Ik kost niets voor je en ik heb wel een idee over inrichting etc.

Iedereen, misschien kom ik ook wel naar zo'n dag. Ik ben voor open source, voor een open internet en voor bedrijven als zentyal die toch minstens een groot deel van hun product ook gratis beschikbaar stellen, helemaal in de geest van deze tijd, ik denk ook dat je er als bedrijf echt niet minder om verdient, ik denk eerder dat hoe langer hoe meer mensen zien hoe gebruiksvriendelijk goed dat spul werkt, dus denk ik eerder meer dan minder klanten daardoor. En mogelijkheden voor armere mensen onder ons. Super leuk allemaal!

Excuse me everybody, missed the 501 error from the logs, stupid stupid stupid I know. Tracing that I found myself to forget about the domain. So, putting both and as excluded from auth/cache and transparent proxying made us able to 'enjoy' hotmail. And I forgot about the akadns and other akamai domains too, which I blocked amongst some apple and nix update domains to save on this relatively limited bandwidth eaten by autoupdating. I'll continue some testing with those domains in a bit and if results are interesting I will share that. Which is finished. All akamai domains can be blocked to still offer hotmail access.

Hello Everybody!

First of all thanks to the Zentyal company and community. Thanks to your effort I was able to provide solution to some old folks that don't have a clue about digital equipment. Some other guy that was trying to get in IT made them pay some whole lot for stuff that didn't work for over two years. These old folks run a camping where they wanted to offer free internet access to their guests.

That's where I came in, and your product. I'm a former IT guy (this is over a decade ago and mostly I'm done with computers) but nevertheless still of course a little into it. Now I figured to work some things out with BSDOS or packetfence, still I'm just voluntarily offering them my help and need to be travelling alot so they need be able to maintain and manage themselves. Even packetfence becomes a hassle there, can't rely that kid next door to be helping out correctly not accidently crashing the whole network.

Therefor I chose Zentyal. I'm pretty impressed by its usability, these old folks can manage through such a gui. One expensive NAC has been thrown out, two cloudtrax based Senao devices got replaced and some repeaters got from bridge mode into client router mode (bridging (OSI layer 2) gives DHCP trouble, this much faster, for those who want to know) working all happy and shiny with a Zentyal gateway. Perfect! Thumbs up for Zentyal!

The only problem I encountered after deploying (Zentyal is active for two days now) is when one user informed me that hotmail could not be reached. I checked out and saw a blank page indeed! Okay, we all know things happen. So I started digging a bit;

First I figured to try a bit by excluding both hotmail as live domains from transparent (intercepting) proxy, through Zentyal GUI. I have tried with excluding from caching/auth too. It didn't work, then I figured that this might be that content encoding as chunked header from MS servers to the HTTP version 1.0 which Squid uses. So I checked a bit using squidclient and found this not to be true. Squidclient moans a bit about;

X-Squid-Error: ERR_UNSUP_REQ 0

Also, in the cache.log (/var/log/squid3) I get this;
2014/04/18 09:27:55| ERROR: No forward-proxy ports configured.
Although Zentyal has two different ports configured;

/etc/squid3/squid.conf:4:http_port intercept
/etc/squid3/squid.backup.conf:4:http_port intercept

And, when I have the time the next week I hope to unravel some strange bug with wildcards in DNS/BIND section. But that aside, does any of you have a clue what the problem might be with this hotmail?

When I exclude from transparent proxying I seem to have minor improvement, get redirected a little further on but still stuck at;

I paste you some logs, these are all greped from /var/log recursively;

./squid3/external-store.log.1:36009:1397746821.646 RELEASE -1 FFFFFFFF 417DB3A842E85DC533475EB3A394AAA3  200 1397746820        -1 1397746820 text/html 7399/7399 GET
./squid3/external-store.log.1:36011:1397746822.562 RELEASE -1 FFFFFFFF F95F364E411101B35C1964F8451ADFD1  200 1397746821        -1 1397746821 text/html 7402/7402 GET
./squid3/external-store.log.1:36017:1397746833.105 RELEASE -1 FFFFFFFF CEFAB8B4F91F142F00601A428A5D9AC3  200 1397746831        -1 1397746831 text/html 7396/7396 GET
./squid3/access.log.1:9875:1397742472.131      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:9899:1397742875.792      2 TCP_MISS/403 23107 GET - HIER_NONE/- text/html
./squid3/access.log.1:9900:1397742875.793      7 TCP_MISS/403 23263 GET - HIER_DIRECT/ text/html
./squid3/access.log.1:9901:1397742952.222      1 TCP_MISS/403 23107 GET - HIER_NONE/- text/html
./squid3/access.log.1:9902:1397742952.222      5 TCP_MISS/403 23263 GET - HIER_DIRECT/ text/html
./squid3/access.log.1:9903:1397742956.746      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:9904:1397742960.114      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:9906:1397742966.034      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:9907:1397742971.790      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:10339:1397745177.459      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:11263:1397746821.375    312 TCP_MISS_ABORTED/000 0 GET - FIRSTUP_PARENT/ -
./squid3/access.log.1:11265:1397746822.562   1180 TCP_MISS/200 8658 GET - FIRSTUP_PARENT/ text/html
./squid3/access.log.1:11271:1397746833.105   2056 TCP_MISS/200 8652 GET - FIRSTUP_PARENT/ text/html
./squid3/access.log.1:11300:1397747229.812      1 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/access.log.1:17347:1397783307.548      0 NONE/501 22930 GET - HIER_NONE/- text/html
./squid3/store.log.1:9960:1397742472.131 RELEASE -1 FFFFFFFF E7D01290BC95BD73B1D632270AD0EFBC  501 1397742472         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:9986:1397742875.792 RELEASE -1 FFFFFFFF 43E2A90A077D5596499FBE9A9F03DA24  403 1397742875         0        -1 text/html 22685/22685 GET
./squid3/store.log.1:9987:1397742875.793 RELEASE -1 FFFFFFFF 4616D74D04B8A80CF2240AED843B46C8  403 1397742875        -1        -1 text/html 22685/22685 GET
./squid3/store.log.1:9988:1397742952.222 RELEASE -1 FFFFFFFF 340091C7712199BBAD64721F2B079144  403 1397742952         0        -1 text/html 22685/22685 GET
./squid3/store.log.1:9989:1397742952.222 RELEASE -1 FFFFFFFF C6F2BB26C1B3780DBA9C6423558E7346  403 1397742952        -1        -1 text/html 22685/22685 GET
./squid3/store.log.1:9990:1397742956.746 RELEASE -1 FFFFFFFF E7D01290BC95BD73B1D632270AD0EFBC  501 1397742956         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:9991:1397742960.114 RELEASE -1 FFFFFFFF DFD21A9F2020E0A0E0D10D1F952B6134  501 1397742960         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:9993:1397742966.034 RELEASE -1 FFFFFFFF BA319B39AE5017AAB0C63F1340149338  501 1397742966         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:9994:1397742971.790 RELEASE -1 FFFFFFFF 5E3AB64E64748383661D3624D9F99ADB  501 1397742971         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:10436:1397745177.459 RELEASE -1 FFFFFFFF 8E06A2D2809CB5977A847303612B81D3  501 1397745177         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:11370:1397746821.375 RELEASE -1 FFFFFFFF 12458C343D021F962EE781FA025EDE35    0        -1        -1        -1 unknown -1/-1 GET
./squid3/store.log.1:11372:1397746822.562 RELEASE -1 FFFFFFFF F953284F6277845627700C40AFE33BE1  200 1397746821        -1 1397746821 text/html 7402/7402 GET
./squid3/store.log.1:11378:1397746833.105 RELEASE -1 FFFFFFFF A433B9F79C1966B53F6A54D0E268E10F  200 1397746831        -1 1397746831 text/html 7396/7396 GET
./squid3/store.log.1:11408:1397747229.812 RELEASE -1 FFFFFFFF 6D987FE735C17364276949F6E96FA6E8  501 1397747229         0        -1 text/html 22511/22511 GET
./squid3/store.log.1:17469:1397783307.548 RELEASE -1 FFFFFFFF F2C3EC1DDDB13B0F504393E524981C2C  501 1397783307         0        -1 text/html 22511/22511 GET
./squid3/external-access.log.1:11472:1397746821.646    361 TCP_MISS/200 8508 GET - HIER_DIRECT/ text/html
./squid3/external-access.log.1:11474:1397746822.562   1179 TCP_MISS/200 8497 GET - HIER_DIRECT/ text/html
./squid3/external-access.log.1:11480:1397746833.105   2055 TCP_MISS/200 8491 GET - HIER_DIRECT/ text/html
./dansguardian/access.log.1:10799:1397746822.562   1179 TCP_HIT/200 7402 GET DEFAULT_PARENT/ text/html
./dansguardian/access.log.1:10805:1397746833.105   2056 TCP_HIT/200 7396 GET DEFAULT_PARENT/ text/html

First, do any of you have working hotmail/live logins through Zentyal?

Second, is this a known problem or do any of you know of a solution?

Any suggestions are of course welcome. Thanks already!

Thanks again Zentyal and community, for quite some time I'm out of IT still I can tell that this is a pretty nice package that most probably helps out alot of people. Thus, if you need me for some testing, translating or such, I'm planning to contribute too, since opensource needs stay alive and this package as well! When I have a little time, I'll try finish on those bugs too. See you and have fun!

Oh, ps, we make donations to your project, because its nice.

Pages: [1]