Messages - muppetgeoff
1
Apologies if this is a little impatient of me, but I would love to get this sorted out today. My boss is at me to get the old firewall removed!

Anyone? Even some pointers would be good - I'm starting to think this is a bug.... either that or I'm being stupid...

2
Installation and Upgrades / Port Forwarding and Virtual Interfaces
« on: March 09, 2011, 05:52:32 am »
Hi,

I've been trying to crack this all day, and I have finally given up. Hopefully someone can help.

I am in the process of retiring one of our old firewalls, and replacing it with Zentyal. This old firewall has 5 different public IPs associated to it for various services (http, smtp, pop3 etc). To keep things simple, I am running a test with Zentyal and Virtual interfaces before doing the full move, but the Port Forwarding rules for the virtual interfaces are not working.

I know that IP Tables doesn't recognize Virtual Interfaces, and so Zentyal provides the 'Original Destination' field, to allow you to specify the IP that is assigned to a virtual interface.

So here is my configuration (fake IPs of course):

LAN: 192.168.1.1
WAN: 69.9.9.1
WAN:2 : 69.9.9.2

Port Forwarding Rules:

Interface: WAN
Original Destination: IP Address -> 69.9.9.1
Original Port: 110
Protocol: TCP
Source: Any
Destination IP: 192.168.1.10
Port: Same

Interface: WAN
Original Destination: IP Address -> 69.9.9.2
Original Port: 80
Protocol: TCP
Source: Any
Destination IP: 192.168.1.20
Port: Same

Now I have tested the forwarding to WAN, and it works. If I swap them (targets, ports etc) then the WAN one still works, so I know that the servers are routing OK etc. But no matter which rule is set for the virtual interface WAN:2, it doesn't work.

I suspect the issue is with the return routing of the Zentyal.

Below is the [edited] result of 'iptables -t nat -L -n'

Code:
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
premodules  all  --  0.0.0.0/0            0.0.0.0/0
DNAT       tcp  --  0.0.0.0/0            69.9.9.1        tcp dpt:110 to:192.168.1.10
DNAT       tcp  --  0.0.0.0/0            69.9.9.2        tcp dpt:80 to:192.168.1.20

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
postmodules  all  --  0.0.0.0/0            0.0.0.0/0
SNAT       all  -- !192.168.1.1      0.0.0.0/0           to:192.168.1.1
SNAT       all  -- !69.9.9.1         0.0.0.0/0           to:69.9.9.1

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain postmodules (1 references)
target     prot opt source               destination

Chain premodules (1 references)
target     prot opt source               destination

I am running Zentyal 2.0.16.

As I have said, whichever rule is set for the WAN IP works. Whichever is set for the WAN:2 interface, does not work. So I am sure the issue is at the Zentyal.

Many thanks for your help!

Geoff

3
Installation and Upgrades / Re: Clarification on AD Sync
« on: October 21, 2010, 09:18:48 pm »
Thank you for the clarification :)

Kind regards,

Geoff

4
Installation and Upgrades / Error with LDAP connection
« on: October 11, 2010, 08:14:31 pm »
Hi,

My AD Syncing worked before I tried to install the Jabber module, and now (I have since removed this module) it doesn't work at all.

When I try to open the Users list, it throws an error, and the ebox.log says:

Code:
2010/10/11 11:12:44 ERROR> Ldap.pm:1064 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi, retrying
2010/10/11 11:12:45 ERROR> Ldap.pm:1064 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi, retrying
2010/10/11 11:12:46 ERROR> Ldap.pm:1064 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi, retrying
2010/10/11 11:12:47 ERROR> Ldap.pm:1064 EBox::Ldap::safeConnect - Couldn't connect to LDAP server ldapi://%2fvar%2frun%2fslapd%2fldapi, retrying
2010/10/11 11:12:48 ERROR> Ldap.pm:1069 EBox::Ldap::safeConnect - FATAL: Couldn't connect to LDAP server

Code:
Antivirus   2.0.3  
FTP 2.0
File Sharing 2.0.1
Groupware (Zarafa) 2.0.1
Groupware (eGroupware) 2.0
HTTP Proxy (Cache and Content Filter) 2.0
Jabber (Instant Messaging) 2.0
Mail Filter 2.0
Mail Service 2.0
Printer Sharing 2.0.1
RADIUS 2.0
VoIP 2.0
Web Mail Service 2.0
Web Server 2.0
Zentyal Cloud Client 2.0.2

Any help appreciated,

Geoff

5
Installation and Upgrades / Clarification on AD Sync
« on: October 11, 2010, 08:09:43 pm »
Hi,

I have some questions on the configuration of the AD Syncing, and hope that someone can answer each of the following:

1) When setting the Users module to AD Sync mode, it asks for an LDAP DN. Am I correct in thinking this is the DN to be used for the LDAP service running on the Zentyal box (and not the AD LDAP info)?

2) When setting the Username up for the Sync, Zentyal hard codes the DN of the user such that it must exist in the 'Users' OU in AD. We use properly organized containers, and would rather not have a service account in this area. Can this be changed?

3) The Sync comes in 2 parts, the Zentyal config, and the Windows App. What does each component actually do? It looks like the Windows component synchronizes the Usernames, and the Zentyal component does an upstream Auth. Are any passwords actually synced? (I hope not)

4) The sync seems to take *everything* from the root of the AD. Is it possible to narrow this scope, so that we only sync a particular site/ou?

Many thanks in advance,

Geoff

6
Installation and Upgrades / Installation of Zentyal 2.0 on (Fake) RAID
« on: September 02, 2010, 08:40:30 pm »
Hi!

So Zentyal has good support for SATA (fake) RAID, finding, mounting, and partitioning the RAID set perfectly.

But there is a small issue with the automated installation, whereby GRUB doesn't get installed properly, and the unit will fail to boot.

This is an Ubuntu issue, where GRUB installs to /dev/sda instead of /dev/mapper/yourraidset. It can be overcome in the 'Advanced' installation by selecting 'Advanced' at one point in the installation, and pointing GRUB to your raid set.

But if you use the automated installation, there is an extra step you need to do BEFORE restarting:

At the end of the installation, BEFORE you press 'Finish' or 'Restart', press Alt-F2 to open a console
  • Type: mount --bind /dev /target/dev
  • Type: mount -t proc /proc /target/proc
  • Type: mount -t sysfs /sys /target/sys
  • Type: chroot /target
  • Type: cd /dev/mapper
  • Type: ls
  • (make a note of your RAID set name)
  • Type: grub-install /dev/mapper/xxxxxxxx (where xxxxxx is your RAID set name NOT ending in a number)
  • Type: update-grub
  • Press: Alt+F1
  • Select to finish the installation
On my boxes, this installed GRUB, and Zentyal booted as expected.

Hope this helps someone!

Geoff

7
Looks like this is now a confirmed bug. It was identified after the RC2 release, but is promised in the final release next week.

Here's hoping :)

8
Hi,

I am using the Zentyal installer disc to build a new system (based on Lanner hardware - Standard i5 x86 with Intel ICH9r 'fake' RAID mirror set)

The installer detects, mounts, and partitions the FakeRAID perfectly. I have confirmed the partitions create, mount etc. The install proceeds, and files are copied to the mounted RAID set (/target). However, towards the end of 'Installing Base System' (around 90%) it attempts to install the DMRaid package - and dies (red screen, no way to continue)

Through some initial investigations, it seems that the DMRaid package is only available in the Universal repo. My guess is that the sources.list that the installer uses, does not include this repo?

If we can get DMRaid rolled into the installer, I suspect the rest will install perfectly. As I said, Ubuntu already detects, partitions, formats and mounts the FakeRAID perfectly - the error is whilst trying to install the dmraid package.

Unfortunately, this error totally bombs the installer, and there seems to be no way to recover. I have tried both installation modes (basic and advanced) with the same results.

Any advice gratefully received.

Kind regards,

Geoff

9
Good catch, thanks for sharing :)

For info, we've had performance issues with these drives running Windows XP (you have to run the WDAlign app to fix them). We have since stopped buying them, and instead go for the EADS ones - no problems at all :)

Thanks again,

Geoff

10
Hi,

I am sure this is a bug, but am unsure where/how to report it.

We have eBox 1.4 with the HTTP Proxy module 1.4.7. After we updated from 1.4.6 to 1.4.7, we noticed that some users had access to sites that we had blacklisted (using the Shalla blacklist).

The interesting thing is that the WebUI still shows the list as being there, and the categories etc are all set as they were. But in the file system, the actual list is missing.

For example, we use Network Object policies (we have 3 networks with different rules, and Transparent proxy enabled).

In /etc/dansguardian/extralists, there are directories for each of the policy profiles (call it a, b and c). Within each of those directories, is supposed to be a copy of the Blacklist in use (we named it 'Shalla' and so there is a file named 'Shalla' and a directory named 'shalla' which contains the actual blacklist).

After the update - the 'Shalla' file and directory are simply missing from 'b' and 'c', but is still in 'a'. Copying from 'a' to the other 2 fixes the problem.

I hope that helps find out what's doing it :)

Kind regards,

Geoff
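
The check described in the post above, as an added example that is not part of the original post or of eBox: a shell function that lists every policy profile directory lacking its copy of a named blacklist, so a filter that has silently stopped blocking is caught even while the WebUI still shows the list. The function name `missing_blacklists` is hypothetical; the directory layout (a file named after the list plus a lower-case directory per profile) is assumed from the post.

```shell
#!/bin/sh
# Added example (not eBox code). Layout assumed from the post:
#   <base>/<profile>/<ListName>   file
#   <base>/<profile>/<listname>   directory holding the actual blacklist

# missing_blacklists BASE LISTNAME
# Prints one profile name per line for each profile that lacks the list file
# or the list directory. Returns 0 when every profile is complete, 1 when at
# least one is incomplete, 2 when BASE is not a directory.
missing_blacklists() {
    base=$1
    list=$2
    lower=$(printf '%s' "$list" | tr '[:upper:]' '[:lower:]')

    if [ ! -d "$base" ]; then
        echo "no such directory: $base" >&2
        return 2
    fi

    incomplete=0
    for profile in "$base"/*/; do
        # An unmatched glob stays literal; skip anything that is not a directory.
        [ -d "$profile" ] || continue
        name=$(basename "$profile")
        if [ ! -f "$profile$list" ] || [ ! -d "$profile$lower" ]; then
            printf '%s\n' "$name"
            incomplete=1
        fi
    done
    return "$incomplete"
}

# Stand-alone use: ./check.sh /etc/dansguardian/extralists Shalla
if [ "$#" -eq 2 ]; then
    missing_blacklists "$1" "$2"
fi
```

Run after each HTTP Proxy module update; a non-zero exit status means at least one profile is filtering without its blacklist.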

11
Hi,

As Mambo is not part of the eBox package, you'd have better luck posting on the Mambo support forums. eBox runs as a set of packages on standard Ubuntu. But if you extend it (such as installing PHP or MySQL for Mambo) then you'd need to ask over there :)

Geoff

12
Hi,

http://winscp.net/eng/docs/faq_su

Kind regards,

Geoff

13
Hi,

Make sure you restart the module in the WebUI, as I found that using '/etc/init.d/ebox squid restart' didn't cause DansGuardian to reload. I did once restart DansGuardian itself (/etc/init.d/dansguardian restart) but found that the eBox scripts wouldn't restart it properly until I restarted the whole thing (/etc/init.d/ebox restart)

Kind regards,

Geoff

p.s. did you modify the original template.html, or create a new one? if you replaced it, make sure the permissions and the case (e.g. template.html *NOT* Template.html) are correct.

14
Hi,

I am still having the same problem, with Squid crashing out, and bringing our Internet access down (strangely, the Firewall/routing stays up). I identified a 'Soft Lockup' issue, and changed the Grub kernel options to include 'noapic' - but it is still bombing out randomly.

I just noticed that the HTTP Proxy module was updated from 1.4.6 to 1.4.7 - where can I find info on what has been changed? And are any of the changes related to stability?

Many thanks,

Geoff
