Messages - N. Balauro

1
I believe the issue may be with the inbound filtering rule. It is my understanding that if port forwarding happens at the "prerouting" inspection, the routing decision is passed off to the "forward" chain, and not the "input" chain (or "Filtering rules from external networks to zentyal").

Essentially, the destination address is DNAT'd before the routing decision. Since the destination is no longer the zentyal interface, it won't be filtered by the inbound to zentyal rules.

I believe you would want to filter at the "FORWARD" chain. Thus inbound traffic on port 80 to zentyal will be destination NAT'd to your internal ip. Then you can filter out specific source IPs at the forward chain before the packet is sent out the internal interface.

I hope this makes sense. I don't have much experience configuring firewall rules, and even less using zentyal's web interface, so I could be completely wrong. Perhaps you want to start by doing an "iptables --list" to take a look at all the rules. Be warned, there are a lot of chains created by zentyal!

EDIT: I don't think you can filter at the POSTROUTE chain, but instead of filtering INPUT chain you want to filter FORWARD chain.
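
The packet path described in this post, as an added example that is not part of the original post: a small Python model of the netfilter order (nat PREROUTING, then the routing decision, then INPUT or FORWARD). It simplifies netfilter to one DNAT rule and source-based drops; all addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass, replace

# Constructed sample values (documentation address ranges), not from the post.
FIREWALL_ADDRS = {"203.0.113.1", "192.168.1.1"}  # the gateway's own addresses
WEB_SERVER = "192.168.1.20"                        # internal host behind the port forward
BLOCKED_SRC = "198.51.100.7"                       # source the admin wants filtered


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def prerouting_dnat(pkt):
    """nat/PREROUTING: forward tcp/80 arriving at the gateway to the web server."""
    if pkt.dst in FIREWALL_ADDRS and pkt.dport == 80:
        return replace(pkt, dst=WEB_SERVER)
    return pkt


def route(pkt):
    """Routing decision, taken after PREROUTING has rewritten the destination."""
    return "INPUT" if pkt.dst in FIREWALL_ADDRS else "FORWARD"


def traverse(pkt, drop_sources):
    """Return (chain, verdict); drop_sources maps a filter chain to blocked sources."""
    pkt = prerouting_dnat(pkt)
    chain = route(pkt)
    verdict = "DROP" if pkt.src in drop_sources.get(chain, ()) else "ACCEPT"
    return chain, verdict


WEB = Packet(BLOCKED_SRC, "203.0.113.1", 80)   # hits the port forward
SSH = Packet(BLOCKED_SRC, "203.0.113.1", 22)   # addressed to the gateway itself

if __name__ == "__main__":
    # Rule placed only in INPUT: the forwarded web packet never sees it.
    print(traverse(WEB, {"INPUT": [BLOCKED_SRC]}))
    # Same rule in FORWARD: the DNAT'd packet is dropped before leaving the LAN side.
    print(traverse(WEB, {"FORWARD": [BLOCKED_SRC]}))
    # Traffic to the gateway itself is still governed by INPUT.
    print(traverse(SSH, {"INPUT": [BLOCKED_SRC]}))
```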

2
This looks great. I ended up using GPO to force the time sync. I would prefer this method however! Thanks RAB.

3
I hope someone can chime in here. I'm planning on migrating DCs soon as well.

As far as I can see, if you run the samba-tool to show the fsmo roles, and they are as expected, you should be good to go.

I'm not sure what the zentyal migration script does, but you basically just need to transfer all 5 fsmo roles to the new DC, and follow up with demoting the old dc. There may be bugs to be aware of, see here for more info: https://wiki.samba.org/index.php/Flexible_Single-Master_Operations_%28FSMO%29_roles

With the new AD the logical idea of a PDC is non-existent, but technically supported by having one host control all 5 FSMOs. So the zentyal dashboard might just be confused and a little misleading... As long as you can transfer all roles and demote successfully, there shouldn't be any probs.

Regards.

4
Installation and Upgrades / Re: Zentyal 3.3 Going Strong
« on: November 13, 2014, 04:50:44 pm »
Alas, 3.3 was just before openchange came into the picture :P There is only zarafa and postfix/dovecot on this version. FYI, the people in the organization use a hosted exchange for email.

Ironically, my firewall logs got so big.... the logical volume zentyal was installed to maxed out - causing failure and a 645am to come to work early ;) There goes my 90 days hah...

5
Installation and Upgrades / Re: Zentyal 3.3 Going Strong
« on: November 11, 2014, 07:47:18 pm »
Your point is well taken. Due to my progressive nature I find it hard to "step backwards", yet the state of 4.0 leaves me skeptical. Honestly, at the current point in time, if a severe issue arose with the 3.3 zentyal modules - I would likely just run my services without the zentyal GUI on an Arch install, and be just as satisfied- if not more :P

I guess my main motivation for this post was to demonstrate that not only did Zentyal fill my need for an all in one SMB, but the install was simple/quick/straightforward; runs pretty efficiently; and as long as care is taken with configuration/changes - not even a restart is required.

Meanwhile, we have guys in the same position I was, trying to get 4.0 to fill the all-in-one SMB need.  :-X

6
Installation and Upgrades / Re: Zentyal 3.3 Going Strong
« on: November 11, 2014, 06:27:51 pm »
12.04 is a LTS release and will be supported till end of 2017.

7
Installation and Upgrades / Zentyal 3.3 Going Strong
« on: November 11, 2014, 01:02:19 am »
Deployed a 3.3 box for a small business about 6 months ago. 3 months now without even a system restart!

Gateway/DNS/Firewall/IDS/Proxy/Samba/AntiVirus. 24/7 <1 load.
  • ~50 DHCP Clients
  • ~10 Samba Clients, 3 Domain Member Shares
  • 4 NICs, 2 WANs, 2 LANs


8
Installation and Upgrades / Re: transparent proxy
« on: October 29, 2014, 06:09:05 pm »
https://wiki.zentyal.org/wiki/En/3.5/HTTP_Proxy_Service

See Transparent Proxy Exemptions.

It's as easy as entering in the address you want to be served directly from the source.

9
In theory that will indeed work, haha.

I have seen issues posted in forums, regarding adding zentyal as a domain member, instead of primary controller. Samba4 allows it though - so it should work! I have samba domain members running plain debian, working fine with zentyal PDC.

10
Then your only option is to change the port on the separate web server. Then forward on that port.

I'm not familiar with the new version and openchange. But you may be able to set up a reverse proxy on the zentyal web server running on port 80. I know apache can do a redirect based on hostnames.

http://httpd.apache.org/docs/2.2/mod/mod_proxy.html

Nginx as well:

http://nginx.com/resources/admin-guide/reverse-proxy/

11
Installation and Upgrades / Re: SRV Record Woes
« on: October 27, 2014, 05:37:33 pm »
Have you registered a record for the name 'creative'? You should be able to at least create a cname record for 'creative' pointing to 'nuc'.

12
Disable web server on zentyal. Forward the port 80, in zentyal firewall, to your servers address?

13
Spanish / Re: ZENTYAL FIREWALL LOG PROBLEMS
« on: September 11, 2014, 07:05:16 pm »
Forgive me. It was not my intention to offend you. I was only trying to help  :) I am glad your problem is resolved.

14
Are you still having this problem? Were you able to test the connection to youtube bypassing zentyal/from another workstation, when you encounter this problem?

15
Spanish / Re: BUG - FIREWALL ZENTYAL
« on: September 10, 2014, 06:57:50 pm »
https://forum.zentyal.org/index.php/topic,23177.msg89247.html#msg89247

It appears this has already been answered. Does this not solve the problem for you?

Quote
Did you enable the firewall to be logged?
Go to Core/Maintenance/Logs
Then select the "configure logs" tab and tick the checkmark to enable logging the firewall module.
