

Messages - jonne_jvl

1
Ehh, what? Of course you can connect multiple VPN tunnels to the main office.

Problems would occur if you want multiple VPN connections to each office (two tunnels to the main office from each office).
As you say, because of the single public IP and also because of multiple routes.


But in his setup he would only have tunnels between the slower ISP links, right?

2
In my experience that never works well, sorry. They should be able to VPN to different external IPs/networks, but you will get weird results when they connect to the same net.

3
Are both of the external clients behind the same NAT / router?

In general I don't think you can have multiple VPN connections between two nets that are both NATed.
Might be better to set up a proper tunnel between the nets in that case.

4
Hi, sorry I got a bit occupied.

1)
Zentyal is usually pretty good with manually adding configs. Not easy, but possible.
I haven't looked at the Squid one specifically.

2)
Hmm. Always tricky when you add exceptions. One easy way would be to allow connections to a specific SOCKS proxy,
and require authentication on that SOCKS proxy. Then set up accounts for these computers with the SOCKS proxy.

3)
And now it gets too tricky to keep track of. Basically you can't *trust* any IM. They use proprietary protocols that may or may not give you a way to block file transfers. MSN/Live for instance will use separate direct connections for files (from what I remember of that protocol),
but if that connection can't be established it will send the file *via* their servers (much slower, but it will get through).

I believe you need to figure out what level of security you need. I would deem such a network unusable if I had to work in there.
Do you really need that much security? Is the physical security even remotely similar? (body searches on entry for USB sticks, CDs, phones etc.)

5
That's a very hard policy. But ok.

Basically you need to block all but a few whitelisted IP/port combinations:
your SMTP IP/port, IMAP IP/port etc. for all your trusted services.
You cannot allow people to connect to anything else directly, even port 80/443.

(I could be running an FTP server on port 80 or port 143.)

Secondly, you need to only enable HTTP access through your HTTP proxy.
In the Squid proxy configuration you should be able to block uploads, but it can interfere with certain websites.

You cannot block POST, since this is required for certain sites' forms / logins.
Here is a snippet for blocking uploads by MIME type:
acl fileupload req_mime_type -i ^multipart/form-data$
http_access deny fileupload

Here is another that blocks any POST requests larger than 512k. It should let most ordinary forms through but still block all files larger than this.
request_body_max_size 512 KB

Unsure how well this would work with HTTPS. I think your users would get certificate warnings all the time if you proxied
HTTPS. You would probably need to disable HTTPS.
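The two Squid rules above (deny multipart/form-data request bodies, cap request bodies at 512 KB), re-expressed as an added standalone Python check that is not Squid code and not from the original post; it runs over constructed sample requests and compares the bare media type, so a boundary parameter on the Content-Type header does not change the outcome:

```python
import re
from typing import Dict, Optional, Tuple

# Same pattern as the post's "acl fileupload req_mime_type -i ^multipart/form-data$",
# applied here to the bare media type (parameters such as boundary= stripped first).
UPLOAD_MIME = re.compile(r"^multipart/form-data$", re.IGNORECASE)
MAX_BODY_BYTES = 512 * 1024  # the post's "request_body_max_size 512 KB"


def media_type(content_type: Optional[str]) -> str:
    """Return the media type of a Content-Type value, dropping '; boundary=...' etc."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip()


def check_request(headers: Dict[str, str], body_len: int) -> Tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one request.

    Header names are compared case-insensitively, as HTTP requires.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if UPLOAD_MIME.match(media_type(hdrs.get("content-type"))):
        return "deny", "fileupload (multipart/form-data)"
    if body_len > MAX_BODY_BYTES:
        return "deny", f"request_body_max_size ({body_len} > {MAX_BODY_BYTES} bytes)"
    return "allow", "-"


# Constructed sample requests (method, headers, body length in bytes): a login
# form, a browser file upload with a boundary parameter, an upper-case type,
# a large JSON body that is not multipart, and a plain GET.
SAMPLE_REQUESTS = [
    ("POST", {"Content-Type": "application/x-www-form-urlencoded"}, 180),
    ("POST", {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4"}, 40_000),
    ("POST", {"content-type": "MULTIPART/FORM-DATA"}, 10),
    ("PUT", {"Content-Type": "application/json"}, 2_000_000),
    ("GET", {}, 0),
]


def run_samples():
    """Apply the policy to every constructed request; returns a list of (verdict, reason)."""
    return [check_request(headers, body_len) for (_, headers, body_len) in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, _, body_len), (verdict, why) in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{method:4} {body_len:>8} bytes  {verdict:5} {why}")
```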

6
I've had similar problems, but with real servers. Basically the kernel remembers which ethX goes to which card by the card's MAC address. If for some reason the MAC address changes between reboots, it will interpret your card as a new card on each boot
and create a new ethX name.

This is saved, on Ubuntu anyway, in
/etc/udev/rules.d/70-persistent-net.rules



You can either delete this file on each reboot or set it up so that it identifies the card by something other than the MAC address.

(see last post)
http://www.linuxquestions.org/questions/linux-hardware-18/udev-eth-mapping-consistency-%5Bfc9%5D-643558


Or figure out why the MAC address changes and make it stop. I couldn't, because the hardware had a fixed MAC address that the kernel considered illegal, so in dmesg I had an entry where it said that it gave the card a new randomised valid MAC address.


7
screenshot

eth0 is towards the ADSL router (NAT):
192.168.1.68 is assigned (Zentyal IP)
192.168.1.254 is the router IP (DSL modem)
the third is the public one

eth1
just an internal

eth2
just an internal

8
So, yeah, this is a little weird. Everything works and so forth, btw, so no alarm.

In one of my boxes' dashboards (I have a ton of these) the interfaces widget lists my assigned IP addresses. Problem is, it also lists my upstream addresses
(Zentyal behind a DSL router) for that one interface.

It lists three IP addresses: the internal (static) one between Zentyal and the DSL router, the router's internal address facing Zentyal, and for good measure
my external one as well.

First time I saw it I nearly panicked, because if Zentyal somehow grabs those addresses it would probably lose connectivity
(and I would be heading for the airport).

But, well, it works and so forth, so I will probably ignore it for now.

But I wonder if this isn't something that should be fixed in the widget, or is it a known issue?
(Where does it get that list from? ifconfig does not list them, and it surely isn't listening on them.)

Could this be related to the fact that I have some IPsec tunnels with tweaks for leftsource/leftnexthop or such?

I am still not quite sure how it finds them. Hmm. Anyone know?
