ipcop - the perfect linux firewall.pdf

Page 1: ipcop - the perfect linux firewall.pdf

The Perfect Linux Firewall Part I -- IPCop Submitted by evolutionaryit (Contact Author) (Forums) on Tue, 2006-01-17 20:00. :: Security

The Perfect Linux Firewall Part I -- IPCop

Version 2.3

Author: Joseph Guarino

Last edited 02/22/2006

This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In

the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter

proxy for filtering web and email traffic.

This is intended to be a quick and dirty overview on creating an IPCop firewall and comes without warranty of any kind!

What is IPCop

The IPCop project is a GNU/GPL project that offers an exceptional, feature-packed, stand-alone firewall to the internet community. Its comprehensive web interface, well-documented administration guides, and its involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It goes far beyond a simple ipchains / netfilter implementation available in most Linux distributions and even the firewall feature sets of commercial competitors.

Firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in

offering such a range of default features and even further a large set of optional plug-ins which can provide further

functionality.

Some of IPCop's impressive base install features include: secure https web administration GUI, DHCP Server, Proxying (Squid), DNS Proxying, Dynamic DNS, Time Server, Traffic Shaping, Traffic/Systems/Firewall/IDS graphing, Intrusion Detection (Snort), ISDN/ADSL device support and VPN (IPSec/PPTP) functionality. As if these base features were not astounding enough, there are dozens of add-ons which can further expand the functionality of your IPCop, from Web Filtering to Anti-virus scanning.

Pre-Requisites for Your IPCop

IPCop installation generally runs 25 minutes, and you can complete it with relatively modest hardware requirements

such as a 386 processor with 32MB RAM and >300MB of disk, and 3 Network Cards (2 if there is no need for a DMZ).

If you plan to utilize caching proxy, IDS or other add-ons, consider additional horsepower in terms of RAM/Processor.

Building Your IPCop

What you need

• 386 Processor with 32MB RAM, 300MB hard disk and 3 Network Cards

• 2 x 5 port 10/100/1000 switch or a Layer 3 switch

• Network Cables

• Burned ISO CD

PDF created with pdfFactory Pro trial version www.pdffactory.com

Architectural Decisions: Segmentation

One essential consideration you have to make before installing is network architecture (segmentation/address space). IPCop uses a color-coding system of Red, Green, Blue and Orange to describe the roles or security levels which an interface/network segment will have in protecting your network. Color coding is logical in that it represents a continuum of network access from restricted to permissive. A RED interface is your untrusted interface/segment like the Internet, whereas Green is the trusted interface/segment of your internal network. Additionally, Blue is a separate segment for Wireless Devices, while Orange is for a DMZ, where you place any publicly accessible servers you want available to the Internet. In this case we are only configuring a Green/Red/Orange network installation with 3 network interfaces, one of which connects to your cable broadband provider's cable modem (Ethernet).

Understanding and Picking your address space

Before you begin it is important to know your ISP's TCP/IP settings. Does your ISP give you a DHCP address or a static IP address? In many cases simply going to your ISP's Support page offers you this information. Most ISPs use DHCP to dynamically allocate IP address space so you get a non-static IP address that applies to your RED interface. Make note of the TCP/IP settings your ISP would have you use before you install.

In architecting your IPCop solution you have the choice of NAT (Network Address Translation) network address space. The address space for the Green, Blue and Orange networks depends entirely on how many nodes or machines you will have on each network. There are 3 network spaces defined by the standards body, IETF, that can be used for these NAT'ed networks and they are:

10.0.0.0 - 10.255.255.255 (10/8 prefix)

172.16.0.0 - 172.31.255.255 (172.16/12 prefix)

192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

If your Green network contains 15 hosts you can use 192.168.1.2-16. Your Green interface will run DHCP and pass out addresses to your internal network in this range. The same logic applies to address space on your Orange or DMZ network: select a network space appropriate for the number of hosts/networks you will require.

Installing your IPCop

Verify hardware compatibility at IPCop website.

Download the ISO's and burn them.

Connect all the physical layer, i.e. Ethernet cables, and hook up your monitor, keyboard and mouse to the machine that will be your IPCop.

Boot off the CD.

Run through the simple prompt-based installation. NOTE: These are all very self-explanatory steps such as selecting

your Language. The arrow Keys, Tab and Enter will help you navigate.

Install Process

• Select your language.

• Select your Installation Medium, a CD in this case.

• Configure your network cards. The fastest way to configure your network interface cards is by selecting the Probe option. If you know the network card information you can choose your exact interface from Select.

Next, when you are asked, enter for your Green Interface an address which must be within your chosen address space (192.168.1.x in our example). Enter 192.168.1.1 in the IP address field.

Following this, IPCop will format and copy itself to your hard drive. See below.

After the install has completed you will be prompted to reboot and run setup as shown. See below.

Initial Setup

Having installed IPCop we now have to enter some further configuration information in setup for our setup to be

complete.

• Enter in Keyboard, Time Zone and Hostname/Domain.

• ISDN Setup - As you are not using ISDN you should select to disable it.

• Network Configuration Type - Select the Interface configuration you will be running by tabbing to Network

Configuration Type and hit the Enter key.

In our case you would select Red / Orange / Green.

Since we have 3 interfaces and only have set up Green, repeat the interface setup options for the Red and Orange interfaces as described above.

Configure the RED interface to use DHCP as this is the interface connected to the Internet (i.e. your ISP). Then configure your ORANGE interface to use the 192.168.10.x address space. For Red, tab over to the DHCP box and select it by hitting Enter. If your Green network will contain 15 hosts you can use 192.168.1.2-16 for its DHCP range. To set this up, simply enter the range 192.168.1.2-16 and tab down to OK.

Password Setup - IPCop has 2 users, root and admin, for which you will be asked to set up passwords. Set both to a strong password of > 8 characters that is not a word in any language and contains Caps. A good example would be 1luv19c0p. The root password will be used to log on and add any add-ons or upgrades via SSH. The admin user is used to manage your IPCop day to day.

At the end of the IPCop installation you will be asked to reboot. After reboot go to another machine on your LAN and force your network interface card to update its dynamic (DHCP) address with ifconfig (Linux/Unix) or ipconfig (Windows). Verify you are live and active on the new network you have set up with an address on 192.168.1.x. With this validated, connect to the secure https web interface of IPCop. Type https://192.168.1.1:445 or https://192.168.1.1:81 and log in as the admin user.

Validate all your settings and connectivity. Then check out all the features you get with this great GNU Open Source Firewall. In the second installment of this how-to we will discuss setting up dynamic DNS, filtering email/web/proxying with Copfilter and allowing access to a web/mail server of your choice in the DMZ or orange network. Until then go check out the www.IPCop.org website & Happy Hacking!!

The Perfect Linux Firewall Part II -- IPCop & Copfilter

Author: Joseph Guarino - Evolutionary IT

This document is the second segment in a series on installing the IPCop firewall. We will be creating a "DMZ" for hosting your own web server or mail server and the Copfilter proxy for filtering your application layer ingress and egress network traffic. This is intended to be a rough overview on creating an IPCop firewall with Copfilter and comes without warranty of any kind.

Using your IPCop for web hosting/mail hosting

Given the instructions from the previous article, you should have a full installation of IPCop running. The current focus

remains two-fold: to get your server in the Orange (DMZ) segment of your IPCop Network and opening up the ports

on your firewall to allow web traffic to it.

Additionally, our second goal in this article will be securing our (application layer) web traffic, email and personal

privacy with a wonderful add-in, called Copfilter.

As we detailed in part one, I suggested the 192.168.10.x network for our "Orange" DMZ segment. In this part of the

network I will place hosts that I want visible to the outside world. Port forwarding will permit the flow of traffic from

external RED (DHCP interface/network) to DMZ ORANGE network.

Orange Network Requirements

• Installed and configured server with the Distro of your choice with the email (SMTP & POP3 or IMAP) and webserver of your choice. Free & Open Source Software (FOSS) is all about choice so pick what fits your needs.

• This orange network server must have a static IP address and not be on DHCP. For the sake of this article, we

are using the static IP of 192.168.10.25 for our single internal ORANGE hosting server.

Secure your Orange Network Hosts

• Security is a process not any one tool or technology. Rather, it is many tools, technologies and processes.

Consider a holistic view.

• Remember to consistently patch and monitor logs; patches are an important measure to mitigate known vulnerabilities.

• Make sure you have fully patched, secured and backed up any host before you expose it to the Internet.

• The best security is a layered approach so consider using a HID (Host Intrusion Detection), chroot, xinetd and

Tcpwrappers to name a few.

• Shut down any unnecessary network services on this node.

• Join the mailing lists or RSS feed for the Free/Open Source applications you are using and general security

mailing lists so you are sure to be aware of vulnerabilities and issues that might arise. Also check out CERT

for a general mailing list or RSS feed on security vulnerabilities. http://www.us-cert.gov/current/

Secure your Green Network

• Don't have a false sense of security just because you have strong and extensive IPCop/Copfilter configuration.

Be sure to secure ALL of your machines. Consider a holistic view of security.

• Consistently patch your internal green nodes

• Have an Anti-Virus/Malware Scanner and Anti-Spyware Defense. In my view that extends to ALL Operating Systems.

• Enable a software firewall on your machines.

Hosting a server on a dynamic connection

As you are using a cable modem that gives your RED IPCop network interface a dynamic DHCP address, you will need

to set up Dynamic DNS services to resolve to this host via a human usable form, other than IP Address.

NOTE – Some ISPs block TCP ports 80 (HTTP), 110 (POP3) and 25 (SMTP). To get around this, you can purchase port forwarding services from some of these dynamic DNS providers, run services on different non-blocked ports or upgrade to another provider. For the sake of this article we assume you have no ISP blocked ports.

Setting up Dynamic DNS

Along with your dynamically assigned IP address (RED), you will want to use a Dynamic DNS service to be able to

allow external access to your external web/mail. Setting up Dynamic DNS with IPCop is easily achieved. Simply pick a

Dynamic DNS provider listed in the IPCop DYNDNS settings.

• Go into your IPCop settings in Service Pulldown -- Services >> Dynamic DNS and under >> Add a host.

Pick one of these supported DYNDNS providers.

• Open up your favorite browser and go to the DYNDNS provider you have chosen from the list above and

register with them.

• Return to your IPCop web administration GUI and add the information in to your IPCop settings in Service

Pulldown -- Services >> Dynamic DNS.

• Now return to your IPCop web administration GUI and fill in the information as listed below and then click Add. It will then display under “current hosts”.

What is Copfilter

Copfilter is an amazing project by open source developer Markus Madlener to extend his IPCop's capabilities to the application layer (see OSI Model). Copfilter greatly enhances the capabilities of the already powerful IPCop by offering a jaw-dropping and impressively large list of capabilities:

• POP3/SMTP Scanning - via P3Scan and ProxSMTP which allow for scanning of incoming and outgoing Email.

• HTTP Scanning - via HAVP which is a powerful HTTP scanning engine for scanning and securing your web

traffic.

• FTP Scanning - via frox which allows for proxying of FTP traffic.

• Privacy Protection - via Privoxy which is an extremely powerful HTTP privacy protection filter which filters

and or removes cookies, web ads, pop-ups and other annoying Internet junk.

• Antivirus Scanning - via ClamAV or F-Prot which can be used to scan your traffic for the ever prevalent

malware. Please note F-Prot is a commercial product and you have to acquire a license to use it. This article

utilizes the FOSS email scanner ClamAV.

• AntiSpam - via Spam Assassin, Vipul's Razor, DCC, renattach, RulesDuJour which coupled together make a

very effective anti-spam defense.

• Process Monitoring - via Monit which allows you to monitor all of these processes and restart them as

needed.

Why Copfilter?

You might ask yourself, if I have an IPCop firewall why would I need Copfilter? As a network security mechanism, the firewall has undergone a serious metamorphosis from a simple packet filter that understood little of what it carried across the wire, to fully stateful inspection mechanisms that understand layers 5-7. This is a far cry from the days of a simple packet filtering router or even a stripped down set of ipchains. And as security is not one technology, process or technique alone, but many of them, Copfilter is another powerful mechanism of defense in protecting your application layer.

Installing Copfilter

IPCop does not contain add-on binaries by default so they need to be copied via SCP to your IPCop. Then you will be

logging in securely via SSH to your IPCop to install these binaries.

Turn on SSH on your IPCop

• Via the Webgui -> System -> Ssh Access

• Then click Save

NOTE - It is recommended that you shut off SSH access after you finish copying this code as SSH has many exploits.

Enable Squid on your IPCop

Via the Webgui go to -> Services -> Proxy

• Enabled on Green

• Transparent on Green

• Then click Save.

SSH and SCP Clients

Depending on your OS you may or may not have a native SCP or SSH client on your machine. Note the port number

as TCP port 222 and NOT the default SSH/SCP port.

GNU/Linux, Unix, BSD & OSX Clients - Command Line

Command Line SCP

scp -P 222 <Copfilterpackage_version.tar.gz> root@<ipcop_green_address>:/root

Command Line SSH

ssh -p 222 -l root ipcop_green_address

Graphical SCP/SSH -->

If you are wary of the command line or not interested, alternatively, there are several GUI clients in almost every OS.

I will not address each and every one as they are so easy to use, simply requiring a drag and drop, or point and click

operation.

OS X Clients -->

Cyberduck

http://cyberduck.ch/

Fugu

http://rsug.itd.umich.edu/software/fugu/

Windows -->

WinSCP - SCP Client

http://www.winscp.net/

Putty – SSH Client

http://www.putty.nl/

OpenSSH for Windows

http://sshwindows.sourceforge.net/

*NIX -->

gFtp

http://gftp.seul.org/

Installing Copfilter

After you have SCP copied the Copfilter-x.x.tgz file to /root on your IPCop as detailed above you are now ready to

install it.

SSH into your IPCop with whatever client you possess on your respective Operating System.

MD-What?

Take an MD5 to assure that the code you downloaded is not altered or corrupted by an external source. Doing this is a simple step verifying that what you have is the original, legitimate binary.

Linux/UNIX MD5

Md5sum is available in GNU/Linux and Unix by default

md5sum Copfilter-x.x.tgz and compare the output to what is listed on the download link as the MD5.

Microsoft Windows

Windows users can use the easy to use and GPLd wxChecksums or MD5Summer. Both are FOSS software which is

freedom geared and light on cost.

Apple OS X

Apple users will need to open up a terminal window and type md5 Copfilter-x.x.tgz to verify the file.

Extract and Install the Binary

• cd /root

• tar xzvf Copfilter-x.x.tgz (change x to your version number)

• cd Copfilter-x.x.x

• ./install

Follow the prompts and you are all done. Reboot your IPCop and, to be safe, empty your browser's cache. After rebooting your IPCop you should see the Copfilter navigation item on the right most top part of the screen (next to the IPCop penguin).
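
The verify-then-extract steps above as one script that refuses to unpack the archive unless its MD5 matches the value listed beside the download link. This is an added example, not part of the original article or of Copfilter; the function names verify_md5 and safe_unpack are hypothetical, and the digest you pass in is whatever the download page publishes.

```shell
#!/bin/sh
# Added example (not from the article or the Copfilter project).
# Function names are hypothetical; the expected digest comes from the download page.

# verify_md5 FILE EXPECTED_HEX
# Returns 0 = digest matches, 1 = mismatch, 2 = unusable input.
verify_md5() {
    vm_file=$1
    # Published digests are sometimes upper case; compare in lower case.
    vm_expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$vm_file" ]; then
        echo "missing file: $vm_file" >&2
        return 2
    fi
    # A truncated or mistyped digest must not be compared at all.
    case $vm_expected in
        ''|*[!0-9a-f]*) echo "not an MD5 digest: $2" >&2; return 2 ;;
    esac
    if [ "${#vm_expected}" -ne 32 ]; then
        echo "not an MD5 digest: $2" >&2
        return 2
    fi
    vm_actual=$(md5sum "$vm_file" | awk '{print $1}')
    if [ "$vm_actual" != "$vm_expected" ]; then
        echo "MD5 mismatch: got $vm_actual, expected $vm_expected" >&2
        return 1
    fi
    return 0
}

# safe_unpack ARCHIVE EXPECTED_HEX DESTDIR
# Extracts only after the digest matches; nothing is written on failure.
safe_unpack() {
    verify_md5 "$1" "$2" || return 1
    mkdir -p "$3" && tar xzf "$1" -C "$3"
}

# demo: builds a constructed archive in a temp dir and shows both outcomes.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/Copfilter-demo"
    echo 'echo constructed installer' > "$d/Copfilter-demo/install"
    tar czf "$d/Copfilter-demo.tgz" -C "$d" Copfilter-demo
    published=$(md5sum "$d/Copfilter-demo.tgz" | awk '{print $1}')
    safe_unpack "$d/Copfilter-demo.tgz" "$published" "$d/ok" && echo "match: unpacked"
    echo tampered >> "$d/Copfilter-demo.tgz"      # simulate a corrupted download
    safe_unpack "$d/Copfilter-demo.tgz" "$published" "$d/bad" || echo "mismatch: refused"
    rm -rf "$d"
}

# Run "sh thisfile demo" to see both outcomes on constructed data.
if [ "${1:-}" = "demo" ]; then demo; fi
```

On the IPCop box the call would be safe_unpack /root/Copfilter-x.x.tgz followed by the published digest and /root, after which you cd into the unpacked directory and run ./install as described above.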

Initial Copfilter Configuration

Go to Copfilter -> Email and configure your email address, SMTP server and then save those settings. The email

address is your (root or administrator) email address and it will be used to notify you of updates and other important

Copfilter messages.

IMPORTANT - It is strongly recommended that you READ the Copfilter documentation to have an in-depth

understanding of the configuration options that you choose to implement. RTFM before you design and definitely

before you deploy.

Monit - Monitoring Copfilter

This service enables you to monitor the core services of the Copfilter application. It provides you some resilience by

automatically restarting applications should they fail.

Your Configuration Monitoring

• Go to Copfilter >> Monitoring

• Monitor all enabled services ON

• Then click on Save settings (and restart service)

Copfilter Configuration Options

In controlling the three network services for which we are going to have ingress (ingoing) and egress (outgoing) control in our IPCop/Copfilter configuration, we have many granular options. Copfilter is going to be filtering our HTTP, POP3 and SMTP traffic. The wonder of the Copfilter add-on is the plethora of options one can choose to deploy; our configuration is of course only one of the many.

Copfilter - POP3 configuration - P3Scan

The Post Office Protocol Version 3 is the industry standard for receiving email. The goal of our configuration is to block

spam/malware from being received via our email clients.

To access these settings go to Copfilter >> POP3 configuration

P3Scan Configuration

The following options detail those to be turned ON and all others will be left in the default OFF configuration.

o Enable P3scan on incoming traffic on Green ON

o Enable P3scan on incoming traffic on Orange ON

o Add Copfilter Comment to Email Header

o Quarantine Spam if ... *** OFF

o Tag Spam in Emails and modify the subject ON

o Stop Virus email and send virus notification instead ON

o Send a copy of virus notification to Email address ON

o Quarantine virus infected emails ON

o Remove emails in quarantine if older than (in days) 7

o Then click on Save settings (and restart service)

The net effect of this configuration will be an aggressive stance on scanning, dropping and notifying you of the

spam/malware, before it reaches your internal network.

Copfilter - SMTP configuration - ProxSMTP

Simple Mail Transfer Protocol is the standard for email transmission on the Internet today. With the power of Copfilter one can get very granular in controlling the flow of mail messages to and from our network. The goal of our configuration is to block spam/malware from being sent/received via our email clients.

To access these settings go to Copfilter >> SMTP configuration

The following options are to be turned ON and all others will be left in the default OFF configuration.

SMTP Filtering Configuration

o Enable ProxSMTP to filter outgoing traffic on GREEN ON

o Enable ProxSMTP to filter outgoing traffic on ORANGE ON

o Add Copfilter Comment to Email Header ON

o Enable ProxSMTP to filter incoming traffic on RED

o Email Server is located in network ORANGE

o Email Server IP Address 192.168.10.25

o Red IP Alias Ethernet Interface - eth2:1

o Tag Spam in emails and modify the subject ON

o Stop virus emails and opt. Send virus notification instead ON

o Send user a virus notification ON

o Use Copfilter Whitelist and Blacklist ON

o Remove emails in quarantine if older than (in days) 7

o Then click on Save settings (and restart service)

NOTE - Choices of the ProxSMTP on RED interface entails 2 options:

o RED scanning ON - Copfilter manages the creation of Iptables rules so these are not needed to be

created manually through IPCop.

o RED scanning OFF - Copfilter with portforwarding rule to orange mail server with scanning done at

the server. I.e. you could do your ingress smtp scanning on the Email server itself & not with

Copfilter.

This configuration will be a proactive stance on capturing, quarantining and deleting malware before it infects our trusted machines in the GREEN network. With quarantining ON it is recommended that an administrator be very responsive to the system's warnings about quarantined Spam and process it consistently, or it will be deleted on a weekly basis. I would not recommend keeping a Spam Quarantine setup if you are short on disk space and/or want to increase this interval beyond one week. If you do, you run the risk of filling up your disk. Also, as whitelisting and blacklisting has been turned on, remember to add in your whitelisted domains (trusted email sources) and blacklisted domains (domains you do not trust or want spam from).

HTTP Scanning - HAVP/Privoxy

HyperText Transfer Protocol is the protocol we use when we are surfing the Internet. HAVP (HTTP Antivirus Proxy) is a

proxy server with the ClamAV anti-virus scanner. This will be crucial in your configuration to scan incoming HTTP

traffic and keep malware off your machines.

To access these settings go to Copfilter >> HTTP Filter

HTTP Configuration

The following options are to be turned ON and all others will be left in the default OFF configuration.

o Deny access to HTTP traffic ON

o Enable Transparent mode ON

o Filter HTTP traffic for Internet Junk ON

o Then click on Save settings (and restart service)

This configuration will allow malware, such as browser exploits, phishing attempts and viruses, to be filtered out at our IPCop box. Additionally, ads, banners and other Internet advertising junk are filtered with Privoxy.

With web banners and such that are blocked you will either see the item labeled "Advertisement" or an image of a checkered pattern indicating it has been blocked. If you hate ads as much as I do you can get an add-on for Firefox called Adblock that will allow client side blocking as well.

AntiSpam - SpamAssassin and Rules Du Jour

Spam Assassin will help your email server identify and filter Spam before it reaches your email client inbox.

SpamAssassin uses Bayesian filtering, DNS blocklist, header and text analysis and collaborative filtering databases to

keep your Spam at a minimum. Please note that the more filtering you do before delivering to the client the higher

the load on the server.

o Rules Du Jour is a simple bash script which will download new versions of Spam Assassin rules. This is very helpful in keeping your anti-spam defense in optimal shape.

o Razor is a distributed, collaborative spam detection and filtering network.

o DCC or Distributed Checksum Clearinghouse is an anti-spam content filter.

o DNSBL are DNS Blacklists or ban lists based upon DNS entries of known spammers or known

nodes/networks that once emanated Spam.

To access these settings go to Copfilter >> AntiSpam configuration

AntiSpam Configuration

The following options are to be turned ON and all others will be left in the default OFF configuration.

o Enable Spamassasin ON

o Score required to identify email as spam 6

o Send daily spam digest ON

o Razor, DCC, DNSBL ON

o Rules Du Jour - ON

o Automatic Update Enable every 1 days

o Then click on Save settings (and restart service)

AntiVirus - ClamAV

ClamAV is an amazing FOSS project virus scanner. Within Copfilter this is used to virus scan email and web traffic for

malware.

To access these settings go to Copfilter >> Antivirus

Copfilter - Antivirus Configuration

o ClamAV ON

o Automatic Update - Enable every 24 hours

o Then click on Save settings (and restart service)

The effect of these settings is that ClamAV is going to update its virus definitions on its own and be available for

scanning your SMTP/POP3 and HTTP traffic.

Allowing traffic between Different Networks

Please note that there are certain default rules that IPCop implements on your network and be aware of the

implications. See the following link for further details.

By default the configuration uses /etc/rc.d/rc.firewall.local, and changes can be made through the web GUI or via SSH. Any good firewall is set up by default to deny any external connections to the trusted networks behind it. In IPCop speak that means that there is no ingress (incoming) access by default from the RED interface/network to any other Network. By default access from ORANGE to RED is open so there is no need for any special configuration in this example. If you for whatever reason need access from your Orange "DMZ" to internal GREEN you can define rules via DMZ Pinholes.

IPCop Port Forwarding - HTTP

As detailed above, SMTP and POP3 rules are created automatically by Copfilter. The rule for HTTP (RED to ORANGE) is NOT, so you have to create it in Port Forwarding as below. If you would like to open other ports to external access (ex. FTP, SSH) please be aware the services should be hardened and secured as much as possible (see the layered approach I detail above).

Copfilter Test & Log

The most obvious way to test is to surf the web and to send and receive a test email. The Copfilter Test & Log page can help you ascertain if your configuration is proper. The tests listed are very self-explanatory in that you can examine your Email/Spam defense by clicking on the buttons in the Test POP3 & SMTP Scanning section. Below is the Test HTTP & FTP Scanning section, where you can verify the functionality of your HAVP HTTP virus scanner by clicking on the link to the Eicar "test" virus. This page will come up blocked with the default HAVP message to show you that your HTTP is now secured from common malware, phishing attempts, and other threats.

Sending and testing the variety of email options on the test page will allow you to verify your SMTP/POP3

configuration. If you can send and receive your emails and see the following in your email headers -- you are all set.

X-Filtered-With-Copfilter: Version 0.82 (ProxSMTP 1.3.91)

X-Copfilter-Virus-Scanned: ClamAV 0.88/1291 - Thu Feb 16 21:15:09 2006
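The header check described above can be scripted. The following Python sketch is an added example, not part of the original article or of Copfilter; the sample messages are constructed around the two header lines shown above, and reading "0.88/1291" as ClamAV engine version / signature database version is an assumption.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed test message; only the two X-... lines are taken from the article.
SAMPLE_FILTERED = """\
Date: Fri, 17 Feb 2006 09:00:00 +0000
From: tester@example.org
To: me@example.org
Subject: Copfilter test
X-Filtered-With-Copfilter: Version 0.82 (ProxSMTP 1.3.91)
X-Copfilter-Virus-Scanned: ClamAV 0.88/1291 - Thu Feb 16 21:15:09 2006

test body
"""

# Constructed: the same mail as it would arrive if it bypassed the proxy.
SAMPLE_UNFILTERED = """\
Date: Fri, 17 Feb 2006 09:00:00 +0000
From: tester@example.org
To: me@example.org
Subject: Copfilter test

test body
"""

# Assumed layout: "ClamAV <engine>/<signature db version> - <db timestamp>"
SCAN_RE = re.compile(
    r"ClamAV (?P<engine>[\d.]+)/(?P<db>\d+) - "
    r"(?P<stamp>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4})"
)


def copfilter_status(raw_message, max_signature_age=timedelta(days=3)):
    """Report whether a received test mail carries Copfilter's headers and
    how old the virus signatures were when the mail was sent."""
    msg = message_from_string(raw_message)
    status = {
        "filtered": msg["X-Filtered-With-Copfilter"] is not None,
        "scanned": False,
        "engine": None,
        "signature_db": None,
        "signatures_stale": None,
    }
    match = SCAN_RE.search(msg.get("X-Copfilter-Virus-Scanned", ""))
    if match:
        status["scanned"] = True
        status["engine"] = match.group("engine")
        status["signature_db"] = int(match.group("db"))
        sig_time = datetime.strptime(match.group("stamp"), "%a %b %d %H:%M:%S %Y")
        if msg["Date"]:
            # The header timestamp carries no time zone; comparing it with the
            # zone-stripped Date header is accurate to within a day.
            sent = parsedate_to_datetime(msg["Date"]).replace(tzinfo=None)
            status["signatures_stale"] = (sent - sig_time) > max_signature_age
    return status


if __name__ == "__main__":
    for name, raw in (("filtered", SAMPLE_FILTERED), ("unfiltered", SAMPLE_UNFILTERED)):
        print(name, copfilter_status(raw))
```

A sender can insert the same header names, so the check is meaningful only for test mail you sent yourself through the firewall.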

Copfilter Test and Logs Screen


Lastly, your log files are at the bottom right of your Copfilter Test & Log page, where you can see all the details of your Copfilter configuration.

Bravo! You are good to go! =) Now you can enjoy the fact you are much more secure than when you began this article!

If you like what you see, I welcome you to join our FOSS community. Free and Open Source Software (FOSS) is sustained not by developers alone but by work of all sorts: technical writing, support, marketing, graphics, web development and a multitude of other supporters like you! FOSS is built upon community, so join us and take part in reinventing computing in the positive directions from which we all collectively benefit.

In speaking with Markus I was able to ask him why he was motivated to create Copfilter, and he answered: "I created Copfilter to help protect the computers of my friends and family and the greater Internet community." Markus, I don't think there is a better way to describe the spirit of FOSS. Much thanks to Markus and the entire IPCop Team and all the other projects that made this possible!

..::Check out the FOSS community Projects related to this article ::..

IPCop Homepage --> http://www.ipcop.org

Copfilter Homepage --> http://www.copfilter.org

Copfilter Forum --> http://copfilter.endlich-mail.de/

Additional Related Links

http://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndns

http://en.wikipedia.org/wiki/Malware


http://www.linuxdocs.org/sln/pop3s/

http://en.wikipedia.org/wiki/Pop3

http://en.wikipedia.org/wiki/Smtp

http://en.wikipedia.org/wiki/Http

http://en.wikipedia.org/wiki/Osi_model

http://en.wikipedia.org/wiki/Port_forwarding

http://en.wikipedia.org/wiki/Md5

http://www.tildeslash.com/monit

http://p3scan.sourceforge.net/

http://memberwebs.com/nielsen/software/proxsmtp

http://havp.sourceforge.net/

http://www.privoxy.org/

http://frox.sourceforge.net/

http://spamassassin.apache.org/

http://clamav.sourceforge.net/

http://www.pc-tools.net/unix/renattach

http://www.exit0.us/index.php?pagename=RulesDuJour

http://p3scan.sourceforge.net/#p3pmail

http://wiki.apache.org/spamassassin/DnsBlocklists

http://wxchecksums.sourceforge.net/mainpage_en.html

http://www.md5summer.org/

http://www.firefox.com/

http://adblock.mozdev.org/

http://www.us-cert.gov/current/


OpenVPN for IPCop 1.4.10

Introduction

I have been using IPCop for several years now, and VPN was always one of the main features I used.

With the 1.4 release it became possible to define roadwarrior connections, but this part is hard to configure except when using certificates, so I was always searching for alternative ways to use roadwarrior VPN connections.

Inspired by an article in the c't magazine about OpenVPN, I googled for existing OpenVPN addons.

I found several links; one of them (LINK) was an addon from Markus Hoffman which adds OpenVPN support to IPCop >=1.42, but this addon has no GUI, so I contacted Markus about adding a GUI for his addon, and so I started.

After two days of programming, I found a page where some people had already built an OpenVPN addon with a GUI, called ZERINA. As their GUI was further along than my two days of work, I contacted them to cooperate on an improved GUI; that was the start of my ongoing attempt at a new GUI for OpenVPN. The code mainly depends on parts of the IPCop CGI pages vpnmain.cgi, xtaccess.cgi and portfw.cgi.

The idea

..was to provide an easy way for roadwarrior clients to connect to the LAN (green interface) based on certificates.

Features

• running and configuring an OpenVPN Server Daemon for accessing the IPCop LAN (Green interface)
• all necessary functions can be configured
• uses/creates a second PKI which does not involve the IPCop ipsec PKI
• experimental function to enable/disable a client certificate without revoking the client (verify script)
• support for OpenVPN connections from BLUE and ORANGE networks
• new proxy.cgi with OpenVPN support (this feature has been removed; adding the OpenVPN subnet to the allowed hosts/nets in the proxy setup gives OpenVPN connections access to the proxy)
• new connections.cgi with OpenVPN support
• new functionality: display Connections Statistics, adapted from R.I.Pienaar's php source to perl
• easy client handling: download a client package zip archive with certificate(s) + config file
• some more things I cannot remember anymore

Todo / bugs / missing functions

• note! only tun support is implemented; if you choose tap it won't work
• only roadwarrior (host2net) connections are possible, net2net will come later (in the 0.9.7x alpha series net2net is possible)
• only certificate based connections are possible (static keys will probably come later)
• configuring the authentication mode
• integrate Kevin Stefanik's scripts to restrict the client access
• when the first final version is ready we will package the whole thing for the addon-server
• etc etc

Install/Update Instructions

Follow these steps:

1. If you are updating, first stop the OpenVPN Server through the GUI
2. Copy the Installer package into an empty directory on your IPCop (for example with WinSCP)
3. On the IPCop console, extract the archive: tar -xzvf ./ZERINA-0.9.4b-Installer.tar.gz
4. cd to the extraction directory
5. Run the installer: ./install
6. You need to keep this install directory if you later decide to uninstall ZERINA

Uninstall Instructions

1. On the IPCop console, cd to the ZERINA install directory
2. Run the uninstaller: ./uninstall

Howto for Zerina 0.9.0b

Used software

• IPCop
• IPCop OpenVPN addon
• OpenVPN GUI for Win32

We suppose that we have the following situation:

• IPCop red side is 192.168.181.2
• IPCop green side is 10.10.1.1
• Our Windows 2000 client is connected via DSL to the internet

First we need to access the OpenVPN control page.

The initial OpenVPN page will open, showing us two boxes:

• Global settings: that's what we start to configure first
• Certificate Authorities: this part will be explained later

Step 2 Global settings

Fieldname: OpenVPN on Red
Description: This enables/disables the server on the RED IPCop device. To be able to start the server we check this box.
Example input: checked

Fieldname: OpenVPN on Blue
Description: This enables/disables the server on the BLUE IPCop device. For this howto we leave this unchecked. Note: this is only visible when you have an active BLUE device.
Example input: unchecked

Fieldname: OpenVPN on Orange
Description: This enables/disables the server on the ORANGE IPCop device. For this howto we leave this unchecked. Note: this is only visible when you have an active ORANGE device.
Example input: unchecked

Fieldname: Local VPN Hostname/IP
Description: IP or hostname under which we will accept connections from outside on the RED device. Normally you will fill in your red IP, or, if you don't have a static red IP, this could also be a dynamic hostname.
Example input: 192.168.181.2

Fieldname: OpenVPN Subnet
Description: OpenVPN needs an extra virtual subnet to operate. This subnet may not be used elsewhere on IPCop or on the client side, otherwise it won't work.
Example input: 10.0.10.0/255.255.255.0

Fieldname: OpenVPN device
Description: Choose the desired device. Until now only tun is supported; later tap will also be selectable. tun is for routed connections and tap for bridged.
Example input: tun

Fieldname: Protocol
Description: Either udp or tcp can be chosen; this depends on your preference. udp is faster than tcp.
Example input: udp

Fieldname: Destination Port
Description: Choose any free protocol/port combination which isn't used on IPCop and isn't being forwarded. The OpenVPN 2.0 default protocol/port is udp/1194.
Example input: 1194

Fieldname: MTU Size
Description: The default MTU value is 1400. OpenVPN adds, like other VPN protocols, a header to every transmitted packet, so adjust this value to avoid unnecessary IP fragmentation.
Example input: 1400

Fieldname: LZO-Compression
Description: This enables/disables the use of LZO compression; default is checked.
Example input: checked

Fieldname: Encryption
Description: Choose your desired encryption type here; it depends on how paranoid you are ;-). Default is BF-CBC.
Example input: BF-CBC
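A pre-flight check of the values in the table above, as an added example (not code from ZERINA or IPCop). The /24 masks on the RED and GREEN addresses, the client-side networks and the list of ports in use are assumptions; the cipher check flags 64-bit block ciphers such as the default BF-CBC, which goes beyond what the howto itself says.

```python
import ipaddress

# Values from the Global settings table in this howto.
HOWTO_SETTINGS = {
    "subnet": "10.0.10.0/255.255.255.0",
    "device": "tun",
    "protocol": "udp",
    "port": 1194,
    "cipher": "BF-CBC",
}

# RED and GREEN addresses from the howto; the /24 masks are assumptions.
IPCOP_NETS = {"RED": "192.168.181.2/24", "GREEN": "10.10.1.1/24"}

# Protocol/port pairs already taken on the firewall (assumed list): the HTTP
# port forward and the SSH port 222 mentioned elsewhere on this page.
PORTS_IN_USE = {("tcp", 80), ("tcp", 222)}

# OpenVPN cipher names with a 64-bit block size. With such ciphers, block
# collisions become likely on long, high-volume sessions under one key.
SMALL_BLOCK_CIPHERS = {"BF-CBC", "CAST5-CBC", "DES-CBC", "DES-EDE3-CBC"}


def network(text):
    """Parse 'address/netmask' (as the GUI shows it) or CIDR into a network."""
    return ipaddress.ip_network(text, strict=False)


def check_settings(settings, ipcop_nets, client_nets, ports_in_use):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    vpn = network(settings["subnet"])
    # The VPN subnet must be unused on the firewall and on the client side.
    for side, nets in (("IPCop", ipcop_nets), ("client", client_nets)):
        for name, text in nets.items():
            other = network(text)
            if vpn.overlaps(other):
                findings.append(f"subnet: {vpn} overlaps {side} network {name} ({other})")
    if settings["device"] != "tun":
        findings.append(f"device: {settings['device']} selected, only tun is implemented")
    if (settings["protocol"], settings["port"]) in ports_in_use:
        findings.append(f"port: {settings['protocol']}/{settings['port']} is already in use")
    if settings["cipher"] in SMALL_BLOCK_CIPHERS:
        findings.append(f"cipher: {settings['cipher']} has a 64-bit block size")
    return findings


if __name__ == "__main__":
    # Constructed client-side networks: a typical home LAN and a clashing one.
    for client in ({"home LAN": "192.168.1.0/24"}, {"hotel LAN": "10.0.0.0/16"}):
        print(client, check_settings(HOWTO_SETTINGS, IPCOP_NETS, client, PORTS_IN_USE))
```

Note that 10.0.10.0/24 and the GREEN network 10.10.1.0/24 look alike but do not overlap, while a client sitting in 10.0.0.0/16 does clash with the VPN subnet.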

After you have filled in all data, hit the Save button to save the server configuration. After doing so, the Global settings will look like this:

Step 3 Certificate Authorities:

As we just started, we don't have any certificates. Note that this addon uses its own PKI; we thought it would be better to separate it from the standard IPCop VPN PKI. The first releases had the same behavior as the IPCop vpnmain.cgi: all generated certificates received the same serial number. This has now changed. To be able to accept/authenticate connections we need a root and a host certificate, so let's create them.

Fieldname: Generate Root/Host certificates
Description: Push this button to step into the generate process
Example input: push

Fieldname: CA Name
Description: We don't need this function right now
Example input: none

Fieldname: Research
Description: We don't need this function right now
Example input: none

Fieldname: Upload CA Certificate
Description: We don't need this function right now
Example input: none

After we have done so, a new page will open.

Generate Root/Host certificates:

Fieldname: Organization Name
Description: Type in your organization name
Example input: myorg

Fieldname: IPCop's Hostname
Description: This field is prefilled with either your red IP or your hostname.
Example input: 192.168.181.2

Fieldname: Your E-mail Address
Description: Input is not necessary, type in your contact e-mail
Example input: [email protected]

Fieldname: Your Department
Description: Input is not necessary, type in your department
Example input: mydepartment

Fieldname: City
Description: Input is not necessary, type in your city
Example input: hamburg

Fieldname: State or Province
Description: Input is not necessary, type in your state or province
Example input: hamburg

Fieldname: Country
Description: Choose your country
Example input: germany

Fieldname: Generate button
Description: If all necessary data (point 1,2,3) is entered, you can hit that button to start the generate process
Example input: push

Fieldname: Research-PKCS12 file
Description: This is optional: either you generate a new certificate or you can upload an existing one. If you already have certificates which you want to use, you can upload them; point here to the certificate location. The certificate has to be in PKCS12 format.
Example input: upload file PKCS12

Fieldname: PKCS12 File Password
Description: This is optional, type in the PKCS12 file password
Example input: PKCS12 file password

Fieldname: Upload PKCS12 file
Description: This is optional, button to start the upload
Example input: push

After you have entered the data it looks like this

Now when all necessary data is entered (point 1,2,3) we hit the Generate Root/Host Certificates button. !!!Depending on your hardware this really can take very, very long, as a dh (Diffie Hellman) file is also being generated, which the OpenVPN server needs, so hold on till everything is finished!!! After the (hopefully) successful generate process, the main OpenVPN status page will open and the Certificate Authorities box will look like this

Step 4 Client certificate

Now we need a client certificate to proceed. Several ways are possible; we choose the simplest one. Now let's get back to our OpenVPN control page. As we want to add a new client, we hit the Add button in the Client status and control box.

Fieldname: Add
Description: Adds a new connection; currently only host2net roadwarrior connections are possible
Example input: push

Fieldname: Statistics
Description: Here you can later retrieve Connection Statistics; it is disabled until the server starts
Example input: none

After we have pushed the Add button, a new page, Connection Type, will open.

Fieldname: Add
Description: Proceeds with the add process; currently only Host-to-Net (roadwarrior) connections can be added, Net-to-Net will be implemented later.
Example input: push

So again hit the Add button. A new page with two boxes, Connection and Authentication, will open. First we will take care of the Connection box.

Fieldname: Name
Description: Simply a name for the new connection
Example input: client1

Fieldname: Remark
Description: Input is not necessary; any remark for that connection that could be helpful to identify it later (imagine you have 80 connections)
Example input: This is client 1

Fieldname: Enabled
Description: This field enables/disables a connection; default is checked, which means enabled. The above picture is not correct, i mad in resnapping it
Example input: checked

Now let's take a look at the second box, Authentication.

Fieldname: Upload/section
Description: Several scenarios are possible but in this howto we don't touch this setting
Example input: none

Fieldname: User's Name/Hostname
Description: This is the Common Name for the certificate
Example input: client1

Fieldname: User's E-mail Address
Description: Input is not necessary, type in your contact e-mail
Example input: [email protected]

Fieldname: User's Department
Description: Input is not necessary, type in your department
Example input: mydepartment

Fieldname: Organization Name
Description: Input is not necessary, prefilled with information
Example input: leave

Fieldname: City
Description: Input is not necessary, prefilled with information
Example input: leave

Fieldname: State or Province
Description: Input is not necessary, prefilled with information
Example input: leave

Fieldname: Country
Description: Input is not necessary, prefilled with information
Example input: leave

Fieldname: PKCS12 File Password
Description: Type in the PKCS12 file password, at least 6 characters
Example input: 123456

Fieldname: Save
Description: When all needed data is entered, hit the Save button to start the generate process
Example input: push

After you have entered all data the input window will look like this

Now push the Save button to start the process. After doing so the main OpenVPN status page will open, showing us the newly added connection in the Client status and control box.

Now we download the client package. To do so we hit the download symbol (Download Client package).

Save the client package zip archive, transfer it to the host from which you want to connect, and extract its content to the OpenVPN GUI config dir; in our example it is

C:\Programme\OpenVPN\config\

Step 5 OpenVPN server start

After all these steps we are ready to start the OpenVPN server. Back on the main OpenVPN status page, we hit the Start OpenVPN Server button (see picture).

After that, and when everything went well, the server status will change and look like this

Included with this addon there is also an extended version of logs.dat, which allows us to view the OpenVPN server log messages. To view these messages follow the steps shown in the pictures.

What is important is the last line saying "Initialization Sequence Completed"; this indicates that "everything" went fine.

Now our server runs and accepts connections.

Step 6 Finally connect from the client to our OpenVPN server

Now back at the client we start the OpenVPN GUI (if not already done); this opens a new tray icon where we can manage OpenVPN. Now access the context menu (left mouse button on the tray icon) and choose Connect, see picture.

A new window will open, asking us for the password for our private key (the password we entered during the generation), so let's enter the password and hit OK (see picture).

After doing so, and if everything is correct, the following success message will be shown.

Isn't that great :-) ? The OpenVPN GUI status page (reachable from the context menu) will look similar to this.

Back on our IPCop we can see the client status.

Now we are done and this howto ends here. Attached are some figures showing new functions that are included in this addon.

OpenVPN Connections Statistics

Extended Connections.cgi, now also showing OpenVPN connections

Extended Proxy.cgi with proxy support for OpenVPN

Notes from the author

This howto comes with NO warranty or guarantee, so use it at your own risk.

VPN and certificates are a very complex topic, containing many points which this simple howto cannot cover.

If you need further-reaching information, then please visit the corresponding Internet pages.

It remains to say that English isn't my mother tongue and I have dealt with the OpenVPN topic only for a couple of weeks, so please forgive me for any corresponding faults in spelling or content.

If you have found any errors please contact me by e-mail.

We are actually a small team of developers; more features will come, so hold on for the upcoming features.

15.06.2005 Ufuk Altinkaynak

FAQ

Here is an unsorted list of commonly known issues when using the OpenVPN server.

My OpenVPN client and server say "Connection Initiated with x.x.x.x" but I cannot ping the hosts on the Green Lan through the VPN. Why?

This can depend on several things:

- a firewall is running on the host you want to reach, which prevents it from answering ping
- the host you are trying to reach has no default gateway pointing to your IPCop; either the host has a default gateway to your IPCop, or the actual default gateway has a route for the OpenVPN subnet pointing to your IPCop
- in most cases it is a routing issue which prevents you from reaching the green LAN
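The routing cases from the FAQ answer above can be traced mechanically. This added example (not part of the addon) follows a reply from a GREEN host toward a VPN client across per-device routing tables; all host, router and client addresses except the IPCop GREEN address 10.10.1.1 and the 10.0.10.0/24 OpenVPN subnet are constructed.

```python
import ipaddress

IPCOP_GREEN = "10.10.1.1"      # from the howto
VPN_SUBNET = "10.0.10.0/24"    # OpenVPN subnet from the howto
VPN_CLIENT = "10.0.10.6"       # constructed client address inside that subnet
HOST = "10.10.1.20"            # constructed host on GREEN
OTHER_ROUTER = "10.10.1.254"   # constructed second gateway on GREEN

LAN = ("10.10.1.0/24", None)   # gateway None = directly connected
ROUTER_TABLE = [LAN, ("0.0.0.0/0", "203.0.113.1")]  # router's own uplink

# Routing tables per device: lists of (network, gateway).
SCENARIOS = {
    "default gateway is IPCop": {
        HOST: [LAN, ("0.0.0.0/0", IPCOP_GREEN)],
    },
    "default gateway is another router": {
        HOST: [LAN, ("0.0.0.0/0", OTHER_ROUTER)],
        OTHER_ROUTER: ROUTER_TABLE,
    },
    "other router has a route for the VPN subnet": {
        HOST: [LAN, ("0.0.0.0/0", OTHER_ROUTER)],
        OTHER_ROUTER: ROUTER_TABLE + [(VPN_SUBNET, IPCOP_GREEN)],
    },
    "host has a static route for the VPN subnet": {
        HOST: [LAN, (VPN_SUBNET, IPCOP_GREEN), ("0.0.0.0/0", OTHER_ROUTER)],
        OTHER_ROUTER: ROUTER_TABLE,
    },
}


def lookup(routes, dest):
    """Longest-prefix match; returns (network, gateway) or None."""
    dest = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), gw) for net, gw in routes
               if dest in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)


def trace_reply(tables, start=HOST, dest=VPN_CLIENT, ipcop=IPCOP_GREEN, max_hops=4):
    """Follow a reply hop by hop; it only gets back into the tunnel if it
    reaches the IPCop. Returns (path, reached_ipcop)."""
    path, device = [start], start
    for _ in range(max_hops):
        match = lookup(tables.get(device, []), dest)
        if match is None or match[1] is None:
            return path, False   # no route, or device wrongly treats dest as local
        path.append(match[1])
        if match[1] == ipcop:
            return path, True
        device = match[1]        # next device; unknown devices have no table
    return path, False


def run_scenarios():
    return {name: trace_reply(tables) for name, tables in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (path, ok) in run_scenarios().items():
        print(f"{'OK  ' if ok else 'LOST'} {name}: {' -> '.join(path)}")
```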

Addons for IPCop

• franck78.ath.cx - an easy installation & management GUI on Ipcop 1.4 for the well known squidGuard url filtering tool. Translated into Italian, French, German, Dutch, Russian, Portuguese and English.

• firewalladdons.sourceforge.net - Addon Server for IPCop has a wide range of modifications you can add to your IPCop, such as DansGuardian.

• www.ipadd.de - addon binary collection and IPCop related links.

• www.urlfilter.net - URL filter with seamless GUI integration and time based access control.

• www.advproxy.net - Advanced Proxy with different user authentication methods and other versatile and useful additional features.

• www.mhaddons.tk - A number of addons, including copfilter updates, Advanced QoS, Asterisk, Sarg, Nessus and Clamav 0.83

• www.zerina.de/ - OpenVPN and Howto.

• www.copfilter.org - Copfilter. This Addon transparently filters viruses and spam from email and web traffic.

• banish.sidsolutions.net - Banish - Simply block access by IP, CIDR, Domain and MAC Addresses.

• blockouttraffic.de - BlockOutTraffic (BOT) blocks all traffic that is allowed in a normal IPCop installation. You can create your own rules via comfortable and intuitive webgui for more influence on traffic to and through your firewall.

• www.elminster.com - IPCop L2TP VPN Mod Modification to allow IPCop to be used as an L2TP over IPSEC server for the standard Windows VPN client. Useful for windows Roadwarriors.

• www.ipcop.h-loit.de - IPCop Addons like UPS Server, GUIPorts, Who IS Online, MC and Line Test.

• www.supporting-role.net - Supporting Role Unofficial IPCop Modifications Page.

• www.ban-solms.de - IPCop Addons Connection Scheduler, HDDGraph, mbmongraph, Wake On LAN, COM LED, GUI Colors etc.

• www.advproxy.net/update-accelerator - the Update Accelerator caches software updates and delivers them to your clients with full LAN speed - even complete Service Packs.

• www.sischmitz.de - IPCop Addons RAMCop, ADDPartition

wintermute website IPCop V1.4.x addon binary collection


Do not install unneeded stuff on a productive firewall!


All of the programs presented on this site are provided "as-is", and should be used at your own risk. Some of them may result in a security incident. You should know what you are doing with this stuff.

[ Installation guidelines ]: see bottom of this page. All addon binaries are provided as *.tar.gz packages.

Categories: Tools and utilities | Hardware testing | Traffic monitoring | Analyzer and scanner | LCD stuff | SysInfo GUI

IPCop V1.4.x | General tools and utilities

• agetty v2.12r - Alternative Linux getty.
• apg v2.2.3 - Automated password generator.
• axelf v1.2 - Bash script that makes a nice Beverly Hills (IP)Cop sound.
• bc v1.06 - An arbitrary precision calculator language.
• beep v1.2.2 - Replacement beep binary for use with serial console.
• cftp v0.12 - A full screen ftp client.
• clear v2.12r - Clear the terminal screen.
• clex v3.16 - File manager with a full-screen user interface.
• cutter v1.03 - Cut TCP/IP connections.
• dhcrelay v3.0.5 - DHCP relay agent for IPCop.
• dialog v1.0 - Display dialog boxes from shell scripts.
• dnstop v7.5.10 - Displays various tables of DNS traffic.
• ether-wake v1.09 - Tool to send magic wol packets.
• file v4.21 - Determines file types.
• ftp v0.17 - ARPANET file transfer program.
• htop v0.6.6 - Interactive text-mode process viewer. It aims to be a better 'top'.
• iperf v2.0.2 - Modern tool for measuring TCP and UDP bandwidth performance.
• iptstate v2.2.1 - A top-like display of IP Tables state table entries.
• joe v3.5 - World-famous Wordstar like text editor.
• ledstats v0.3.1-5 - Show CPU usage on an LED device plugged on parallel port.
• locate v4.2.31 - Search very fast for files in a directory hierarchy.
• lpswitch v0.1 - Turns on and off the bits of a printer port.
• lsof v4.78 - Utility to list open files.
• lynx v2.8.6 - A text browser for the World Wide Web with ssl support.
• minicom v1.83.1 - ANSI- and VT102 terminal emulator.
• mtr v0.72 - Combines the functionality of 'traceroute' and 'ping'.
• natdet v1.06 - NAT detection tool.
• natstat v0.1.1 - View your iptables counters in real time.
• ncdu v1.3 - ncdu - NCurses Disk Usage.
• netcat v0.7.1 - Netcat reads and writes data across the net.
• ngrep v1.45 - Grep for network traffic.
• openssh v4.5p1 - Adds SSH, SFTP, SSH-Add and SSH-Agent (for IPCop >= v1.4.13).
• pgrep v3.2.7 - Find or signal processes by name and other attributes.
• procinfo v18 - Display system process informations.
• reset v2.12r - Terminal initialization.
• rsync v2.6.9 - A utility that provides fast incremental file transfer.
• saidar v0.15 - A curses-based tool for viewing system statistics.
• screen v4.0.3 - Screen manager with VT100/ANSI terminal emulation.
• setterm v2.12r - Utility to set terminal attributes.
• strings v2.17 - Lists printable strings from files.
• sudo v1.6.9p5 - Execute a command as another user.
• telnet v0.17 - User interface to the TELNET protocol.
• tftpd-hpa v0.43 - DARPA trivial file transfer protocol server.
• unison v2.13.16 - A file synchronization tool.
• wget v1.10.2 - A non-interactive network retriever.
• whois v4.7.23 - Advanced and intelligent whois client.
• whowatch v1.4 - Console, interactive, process and users monitoring tool.
• wput v0.6 - FTP client for uploads that looks like wget.
• zgrep v1.0 - Search possibly compressed files for expressions.

IPCop V1.4.x | Hardware testing

• cpuburn-in v1.00 - System stability testing tool.
• dmidecode v2.9 - Reports information about your system's hardware.
• hddtemp v03b15 - Gives you the temperature of your hard drive. [ IPCop GUI ]
• itop v0.1 - Simple top-like interrupt load monitor.
• lsusb v0.72-3 - Display information about USB buses and devices. [ IPCop GUI ]
• mbmon v2.05 - Hardware monitoring without kernel dependencies. [ IPCop GUI ]
• memtester v4.0.7 - A userspace utility for testing the memory subsystem for faults.
• mii-diag v2.0.2 - Networkinterfacecard diagnostic tool.
• nic-diag diverse - Chip related nic diagnostic tool collection.
• smartctl v5.37 - Control and monitor utility for SMART disks. [ IPCop GUI ]

IPCop V1.4.x | Net traffic monitoring

• bmon v2.1.0 - Portable bandwidth monitor and rate estimator.
• bwm-ng v0.6 - A live bandwidth monitor.
• cifled v1.0 - A tool that indicates net traffic on keyboard LEDs.
• ifstatus v1.1.0 - Console-based ethernet statistics monitor.
• iptraf v3.0.0 - Shows ip-traffic in realtime.
• jnettop v0.13.0 - Traffic visualiser that displays streams sorted by bandwidth. [ Java GUI ]
• nettrafd v1.4 - Monitors net traffic in realtime (Linux daemon). [ Windows client ]
• nload v0.6.0 - Realtime network usage monitor.
• sifled v0.x - Replaced by 'cifled' - (IP)Cop InterfaceLED - see above.
• vnstat v1.4 - Traffic monitor that keeps a log of daily network traffic.

IPCop V1.4.x | Net analyzer and scanner

• hping v3.0.0 - TCP/IP packet assembler/analyzer.
• nmap v4.20 - The ultimate port scanner.

IPCop V1.4.x | Stuff for LCD modules

• lcd4ipcop634usb v1.5 - Adapted LCD4Linux v0.10.1-RC2 for use with Crystalfontz 632/634 USB.
• lcd4ipcopHD44780 v1.0 - Adapted LCD4Linux v0.10.1-RC2 for use with HD44780 based LCD modules.
• lcdproc634usb v1.4 - Adapted LCDproc v0.5.2 for use with Crystalfontz 632/634 USB.
• lcdprocHD44780 v1.0 - Adapted LCDproc v0.5.2 for use with HD44780 based LCD modules.

IPCop V1.4.x | SysInfo GUI Addon

What is SysInfo?

Like "System Status", SysInfo shows additional information about your hardware. Therefore you can find SysInfo in the "System" menu of the webGUI directly under "System Status".

In the current version SysInfo shows more detailed information about the CPU, network interface cards, your system hard disk, PCI and USB devices, interrupts, BIOS and the status of the currently running processes.

[ Download SysInfo v2.4.5 ]

Again, do not install unneeded stuff on a productive firewall!

Installation guidelines:

• download the addon binary package of your choice from this webpage
• copy package_name.tar.gz to any directory of your choice ( e.g. to /tmp using WinSCP or SCP [ port 222! ] )
• go straight to the console or open a console connection ( e.g. via Putty or SSH [ port 222! ] )
• login as user root
• change to the directory you have copied the file to ( e.g. type cd /tmp )
• extract the archive ( type tar xvfz package_name.tar.gz )
• change to the installation directory ( type cd package_name )
• to install the addon type ./install -i ( to uninstall type ./install -u )


http://www.ipadd.de/binary.html

[ © 2007 by Tom Eichstaedt ]
