Messages - huh

1
OK- recent revisions to the firewall go a long way to getting this accomplished, but I've seen a few bugs:

1) If you use the simple (as compared with "Advanced Firewall Settings") configuration and edit a rule, the "save" text is not clickable, so there is no way to save the changes.
2) If you add a forward rule that applies to TCP and UDP, whatever you put in the "Description" box is saved into the "Limit to IP" box.
3) There isn't an option to type in the source port- in its place is a dropdown for the protocol.  What you type in for the destination port gets entered as the source port when saved.


Anyone else experience this?

12.04, updated tonight (July 19).

2
Users / Re: zwave network lockups/delays
« on: June 13, 2014, 05:14:40 am »
I've had this when one of my nodes (plug-in dimmer) was unplugged.  I made up the scenario that the system was trying to "talk" to the missing node for a while, would give up and then catch-up with the string of commands.

I have no documentation to support this hypothesis.

3
Cool, I think that was a yes to my question regarding the input/forward.  Looking forward to testing once you get it patched.

4
Albasco1702- going to try to catch you here rather than IRC as I think we're in vastly different timezones and I'm not sure if my client timed out before you finished your instructions.

What I saw you write was to use nat prerouting destination port.  So to forward incoming port 8090 to 80 on 192.168.80.2, I would do:
Quote
destinationport 8090:80 destination 192.168.80.2 ACCEPT

And then
Quote
forward destinationport 80 destinationip 192.168.80.2 ACCEPT

I'm guessing this all has to be done using the Advanced Firewall Settings option from the web admin.  Is the 1st part using eth1 (external nic) and the 2nd part using eth0 (external nic)?

Do you have plans of adding the ability to do this to the "simple" firewall version?

5
The new firewall page is cool- takes care of the things I asked for above. 

That said, how do you use it?  I have a fully updated 1204 system and went to add a new rule.  Selected IPv4 from the dropdown and entered the port I wanted forwarded- all good.  But the boxes for entering the destination port and IP are not options to type into on Firefox 28.0 (kubuntu box) or rekonq (0.9.1)- I haven't tried other browsers.  Even adding the rule and clicking edit doesn't let you modify the forward-to port or the destination IP.

6
Users / Rerip Audio CD
« on: April 04, 2014, 06:04:37 am »
Is there a way to reset the flag on a ripped cd?  I have a cd that didn't rip correctly, but when I put it back in my system (Dianemo), it says the cd is already done being ripped.

Where is that flag stored and how do I reset it?

Thanks

7
I tried adding a NAS last night, 1204.  Found the NAS and Win share, put in user/pass and set everything as public.  Let it sit overnight and the next morning didn't have any media.  I can't reproduce your symlinks.

8
Users / Re: VPN (Need a place for my notes)
« on: March 21, 2014, 04:11:19 pm »
Sorry for the delay- I am able to connect- here's my setup (Android, Samsung Galaxy S4 running 4.4.2).

/etc/ipsec.conf
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
  nat_traversal=yes
  virtual_private=%4:192.168.80.0/24
  oe=off
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv,%no
  also=L2TP-PSK-noNAT
  dpddelay=10
  dpdtimeout=90
  dpdaction=clear

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/0

I have UDP ports 500, 4500 and 1701 set as core input on my firewall.

As for the phone, I added an advanced IPsec VPN.  Plugged in a connection name, selected connection as L2TP pre-shared key (IKEv1), plugged in the address and my pre-shared key.  Saved, clicked connect, put in user and password and it connected.

Connection is quick- watching the auth.log using "tail -f /var/log/auth.log" it connects in 10 lines.  Granted that doesn't mean much, but when connecting before it would be 50+ lines. 

I still have an error:
Code:
netlink_raw_eroute: WARNING: that_client port 1701 and that_host port 64500 don't match. Using that_client port.

So I'm thinking the 1701 in the firewall is still not correct.

9
Users / Re: Southern California Linux Expo
« on: February 22, 2014, 05:24:59 pm »
Are you doing a booth at this year's SCALE?

10
Users / Re: VPN (Need a place for my notes)
« on: February 10, 2014, 04:36:46 am »
Dap-P, this does not work for me on my android or ipad mini- get this:
Code:
Feb  9 21:29:04 dcerouter pluto[32533]: packet from 192.168.80.182:60500: initial Main Mode message received on 192.168.80.1:500 but no connection has been authorized with policy=PSK
This is with left=%defaultroute in /etc/ipsec.conf and the 1st entry as %any in /etc/ipsec.secrets.

It works if I change the left in /etc/ipsec.conf to 192.168.80.1, change the 1st %any to 192.168.80.1 in /etc/ipsec.secrets.

11
Users / Re: VPN (Need a place for my notes)
« on: February 09, 2014, 05:19:46 pm »

Is there somebody that can confirm changing this line is a working solution?

I'll try this asap, but I think I've been getting a not authorized PSK connection while tailing /var/log/auth.log.  Only been able to get around it by editing the ipsec.secrets file and changing the leftmost string to the value set in ipsec.conf (I'm using 192.168.80.1) and then adding PSK after the colon and before the actual PSK.

This is connecting through my android using L2TP IKEv1.  What are you using for your client?

12
Users / Re: VPN (Need a place for my notes)
« on: February 09, 2014, 04:10:03 am »
Quote
Basically guys, what is it going to take to have VPN work out of the box for the most common platforms? I typically don't have to go into advanced in each of the VPN clients and set things like this.

-Thom

I think that's the point- right now, in my experience, it has not been straightforward.  In addition to the ports not being automatically added, the config files are not correct when you tag a user to use VPN in the webadmin -> users page.  While my knowledge of VPNs is marginal, at best, I've been researching this and trying different combinations for a while to finally get to a point of repeatability.

The goal, if I could speak for the ones actually doing the work, is to not have any of this duct tape.  Going to webadmin, setting the PSK, the allowed users and their passwords and then the viewable folders, in a simple 4-step approach that allows win/*nix/mac/android devices to connect nearly effortlessly, is where I would like to see this go.  I have a variety of clients from the various OSes, a stable 1204 install and periodically the time to play with this.  Anton/Dap-P and Alblasco1702 have the skills to make this work- I'm just filling forum space with my current setup and limitations.

13
Users / Re: VPN (Need a place for my notes)
« on: February 08, 2014, 04:55:19 am »
Going to put it here so I don't lose it.  This config allows me to connect from the internal network- not yet an external one.  This is for a username:password of outside:outside.

Also, I have UDP ports 500, 1701 and 4500 set to core input on the core's firewall.

This is not meant to be a guide- this is what pseudo-works for me.

/etc/ipsec.conf
Code:
# /etc/ipsec.conf - Openswan IPsec configuration file

version 2.0

config setup
  # allow clients behind NAT (UDP 4500 encapsulation)
  nat_traversal=yes
  virtual_private=%4:192.168.80.0/24
  # no opportunistic encryption
  oe=off
  # use the kernel's native IPsec stack
  protostack=netkey

conn L2TP-PSK-NAT
  # the client may sit behind NAT with a private address
  rightsubnet=vhost:%priv
  # everything else is inherited from the conn below
  also=L2TP-PSK-noNAT


conn L2TP-PSK-noNAT
  # pre-shared key, looked up in /etc/ipsec.secrets
  authby=secret
  pfs=no
  auto=add
  keyingtries=3
  rekey=no
  ikelifetime=8h
  keylife=1h
  # L2TP runs inside transport-mode IPsec
  type=transport
  # this gateway's address
  left=192.168.80.1
  # UDP 1701 (L2TP) on the gateway side
  leftprotoport=17/1701
  # any client address, any client source port
  right=%any
  rightprotoport=17/%any

/etc/ipsec.secrets
Code:
# RCSID $Id: ipsec.secrets.proto,v 1.3.6.1 2005/09/28 13:59:14 paul Exp $
# This file holds shared secrets or RSA private keys for inter-Pluto
# authentication.  See ipsec_pluto(8) manpage, and HTML documentation.

# RSA private key for this host, authenticating it to any other host
# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,
# or configuration of other implementations, can be extracted conveniently
# with "ipsec showhostkey".

x.x.x.x %any: PSK "outside"

/etc/xl2tpd/xl2tpd.conf
Code:
[global]
ipsec saref = no

[lns default]
ip range = 192.168.80.200-192.168.80.210
local ip = 192.168.80.1
require chap = yes
refuse pap = yes
require authentication = yes
name = LinuxMCE_VPN_Server
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

/etc/xl2tpd/l2tp-secrets
Code:
# Secrets for authenticating l2tp tunnels
* * outside


/etc/ppp/options.xl2tpd
Code:
refuse-mschap-v2
refuse-mschap
ms-dns 192.168.80.1
asyncmap 0
auth
lock
hide-password
local
#debug
name l2tpd
proxyarp
lcp-echo-interval 30
lcp-echo-failure 4


/etc/ppp/chap-secrets
Code:
# Secrets for authentication using CHAP
outside * outside *

After changes, I use:
Code:
/etc/init.d/xl2tpd restart
/etc/init.d/ipsec restart
/etc/init.d/pppd-dns restart

Then on my android (Galaxy S4), I have to go to Settings -> More networks -> VPN -> Advanced IPsec VPN and create a VPN connection with the following options:

  • L2TP pre-shared key (IKEv1)
  • Pre-shared key (PSK) (as set in /etc/xl2tpd/l2tp-secrets I think)
  • Aggressive mode, Perfect forward secrecy and disable split tunnel are all unchecked
  • Group 17 (MODP-6144) under IKE groups
  • IKE lifetime set to 8 hours
  • IPsec encryption and integrity algorithms set to All
  • IPsec lifetime set to 1 hour

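Added example, not part of the original post or of LinuxMCE: a small Python audit that parses the four files from the post above (ipsec.conf, ipsec.secrets, chap-secrets and options.xl2tpd, in the same shape as the VPN posts of February 8, 9 and 10 and March 21) and flags what a reviewer would question in them: the 7-character PSK handed to every peer via %any, the same string reused as the CHAP password and as the username, pfs=no inherited through also=, and MS-CHAP being refused so that PPP authenticates with CHAP-MD5 and relies on the IPsec tunnel for confidentiality. The file contents are constructed copies of the snippets above (the x.x.x.x placeholder is kept as posted); MIN_PSK_LEN is an assumed policy threshold that the page does not state.

```python
# Audit of the posted Openswan/xl2tpd/pppd files.  Added example, not code
# from the original post or from LinuxMCE.  Inputs below are constructed
# copies of the posted snippets; MIN_PSK_LEN is an assumed policy floor.
import re

IPSEC_CONF = """\
version 2.0

config setup
  nat_traversal=yes
  protostack=netkey

conn L2TP-PSK-NAT
  rightsubnet=vhost:%priv
  also=L2TP-PSK-noNAT

conn L2TP-PSK-noNAT
  authby=secret
  pfs=no
  auto=add
  type=transport
  left=192.168.80.1
  leftprotoport=17/1701
  right=%any
  rightprotoport=17/%any
"""
IPSEC_SECRETS = 'x.x.x.x %any: PSK "outside"\n'
CHAP_SECRETS = "# Secrets for authentication using CHAP\noutside * outside *\n"
PPP_OPTIONS = "refuse-mschap-v2\nrefuse-mschap\nauth\n"

MIN_PSK_LEN = 20  # assumption: floor for a secret shared with roaming clients
PSK_RE = re.compile(r'^(?P<ids>[^:]*):\s*PSK\s+"(?P<psk>[^"]*)"')


def parse_ipsec_conf(text):
    """Return {name: {key: value}} for each 'conn NAME' / 'config NAME' block."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():            # block header or top-level keyword
            kind, _, name = line.strip().partition(" ")
            current = name.strip() if kind in ("conn", "config") else None
            if current is not None:
                sections.setdefault(current, {})
        elif current is not None:            # indented key=value inside a block
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def effective_conn(sections, name):
    """Merge one level of 'also=' so inherited keys such as pfs are visible."""
    opts = dict(sections[name])
    parent = opts.pop("also", None)
    if parent in sections:
        merged = dict(sections[parent])
        merged.update(opts)
        opts = merged
    return opts


def parse_psks(text):
    """Return [(selector_ids, psk)] for every PSK line in ipsec.secrets."""
    out = []
    for line in text.splitlines():
        m = PSK_RE.match(line.split("#", 1)[0].strip())
        if m:
            out.append((m.group("ids").split(), m.group("psk")))
    return out


def parse_chap_secrets(text):
    """Return [{'client', 'server', 'secret'}] from pppd's chap-secrets."""
    out = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            out.append({"client": fields[0], "server": fields[1],
                        "secret": fields[2].strip('"')})
    return out


def audit(ipsec_conf, ipsec_secrets, chap_secrets, ppp_options):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    sections = parse_ipsec_conf(ipsec_conf)
    users = parse_chap_secrets(chap_secrets)
    ppp = set(ppp_options.split())

    for ids, psk in parse_psks(ipsec_secrets):
        who = " ".join(ids)
        if len(psk) < MIN_PSK_LEN:
            findings.append(f"ipsec.secrets: PSK for '{who}' is only {len(psk)} chars")
        if "%any" in ids:
            findings.append("ipsec.secrets: one PSK serves every peer (%any); anyone "
                            "holding it can also impersonate the gateway")
        for u in users:
            if u["secret"] == psk:
                findings.append(f"chap-secrets: user '{u['client']}' reuses the IPsec "
                                "PSK as the PPP password")

    for name in sections:                    # 'setup' is the config block, not a conn
        if name != "setup" and effective_conn(sections, name).get("pfs", "yes") == "no":
            findings.append(f"ipsec.conf: conn {name} has pfs=no (no fresh DH per IPsec SA)")

    for u in users:
        if u["secret"] == u["client"]:
            findings.append(f"chap-secrets: user '{u['client']}' password equals the username")

    if {"refuse-mschap", "refuse-mschap-v2"} <= ppp:
        findings.append("options.xl2tpd: MS-CHAP refused, so PPP authenticates with "
                        "CHAP-MD5; confidentiality rests entirely on the IPsec tunnel")
    return findings


if __name__ == "__main__":
    for finding in audit(IPSEC_CONF, IPSEC_SECRETS, CHAP_SECRETS, PPP_OPTIONS):
        print("WARN", finding)
```

To run it against a live box, read the four files from /etc in place of the constants; a clean configuration returns an empty list, and the %any finding will remain until per-peer secrets or certificates replace the single shared PSK.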
14
Developers / Re: Firewall
« on: February 04, 2014, 08:52:38 pm »
Ability to edit and suspend rules would be awesome.  Right now you have to delete and readd to make changes.

15
Users / Re: VPN (Need a place for my notes)
« on: January 29, 2014, 07:59:46 pm »
Please let me know if you need testers- following the directions on the wiki I was able to get my android phone to connect to the VPN. 

I was never able to get the standard Win VPN to connect as I think they use IPsec IKEv2 and Openswan is only IKEv1.  I was trying to replace Openswan with strongSwan to get IKEv2 and broke my install... haven't tried it since the reinstall.

