Vous êtes sur la page 1sur 42

The Perfect Linux Firewall Part I -- IPCop

Submitted by evolutionaryit (Contact Author) (Forums) on Tue, 2006-01-17 20:00. :: Security

The Perfect Linux Firewall Part I -- IPCop Version 2.3 Author: Joseph Guarino Last edited 02/22/2006

This document describes how to install the GNU/Linux GPL IPCop firewall and create a small home office network. In the second installment we cover creating a DMZ for hosting your own web server or mail server and the Copfilter proxy for filtering web and email traffic. This is intended to be a quick and dirty overview on creating a IPCop firewall and comes without warranty of any kind! What is IPCop The IPCop project is a GNU/GPL project that offers an exceptional feature packed stand alone firewall to the internet community. Its comprehensive web interface, well documented administration guides, and its involved and helpful user/administrative mailing lists make users of any technical capacity feel at home. It goes far beyond a simple ipchains / netfilter implementation available in most Linux distributions and even the firewall feature sets of commercial competitors. Firewalls have had to undergo a tremendous metamorphosis as a result of evolving threats. IPCop is exemplary in offering such a range of default features and even further a large set of optional plug-ins which can provide further functionality. Some of IPCops impressive base install features include: secure https web administration GUI, DHCP Server, Proxying (Squid), DNS Proxying, Dynamic DNS, Time Server, Traffic Shaping, Traffic/Systems/Firewall/IDS graphing, Intrusion Detection (Snort), ISDN/ADSL device support and VPN (IPSec/PPTP) functionality. As if these base features were not an astounding enough there are dozens of add-ons which can further expand the functionality of your IPCop from Web Filtering to Anti virus scanning. Pre-Requisites for Your IPCop IPCop installation generally runs 25 minutes, and you can complete it with relatively modest hardware requirements such as a 386 processor with 32MB RAM and >300MB of disk, and 3 Network Cards (2 if there is no need for a DMZ). If you plan to utilize caching proxy, IDS or other add-ons, consider additional horsepower in terms of RAM/Processor. Building Your IPCop What you need

386 Processor with 32MB RAM, 300MB hard disk and 3 Network Cards 2 x 5 port 10/100/1000 switch or a Layer 3 switch Network Cables Burned ISO CD

PDF created with pdfFactory Pro trial version www.pdffactory.com

Architectural Decisions: Segmentation One essential consideration you have to make before installing is network architecture (segmentation/address space). IPCop uses color-coding system of Red, Green, Blue and Orange to describe the roles or security levels which an interface/network segment will have in protecting your network. Color coding is logical in that it represents a continuum of network access from restricted to permissive. A RED interface is your untrusted interface/segment like the Internet, whereas Green is the trusted interface/segment of your internal network. Additionally, Blue is for a separate segment for Wireless Devices, while Orange is for a DMZ or where any publicly accessible servers you want available to the Internet. In this case we are only configuring a Green/Red/Orange network installation with 3 network interfaces one of which is your cable broadband providers cable modem (Ethernet). Understanding and Picking your address space Before you begin it is important to know how your ISP TCP/IP settings. Does your ISP give you a DHCP address or a static IP address? In many cases simply going to your ISP's Support page offers you this information. Most ISPs use DHCP to dynamically allocate IP address space so you get a non-static IP address that applies to your RED interface. Make note of the TCP/IP setting your ISP would have you use before you install. In architecting your IPCop solution you have the choice of setting up NAT (Network Address Translation) network address space. Green, Blue and Orange networks depend entirely on how many nodes or machines you will have on each network. There are 3 network spaces defined by the standards body, IETF, that can be used for these NAT'ed networks and they are:

PDF created with pdfFactory Pro trial version www.pdffactory.com

10.0.0.0 - 10.255.255.255 (10/8 prefix) 172.16.0.0 - 172.31.255.255 (172.16/12 prefix) 192.168.0.0 - 192.168.255.255 (192.168/16 prefix) If your Green network contains 15 hosts you can use 192.168.1.2-16. Your Green interface will run DHCP and pass out addresses to your internal network in this range. The same logic applies to address space on your Orange or DMZ network select a network space appropriate for the number of hosts/networks you will require. Installing your IPCop Verify hardware compatibility at IPCop website. Download the ISO's and burn them. Connect all the physical layer i.e. Ethernet cables, hook up your monitor, keyboard and mouse to the machine that will be your IPCop Boot off the CD. Run through the simple prompt-based installation. NOTE: These are all very self-explanatory steps such as selecting your Language. The arrow Keys, Tab and Enter will help you navigate. Install Process

Select your language. Select your Installation Medium, a CD in this case. Configure your network cards The fastest way to configure your network interface cards is by selecting Probe option. If you know the network card information you can choose to your exact interface from Select.

Next, when you are asked enter your Green Interface an address which must be within your chosen address space

PDF created with pdfFactory Pro trial version www.pdffactory.com

(192.168.1.x in our example). Enter in place 192.168.1.1 in the IP address field.

Following this, IPCop will format and copy itself to your hard drive. See below.

After the install has completed you will be prompted to reboot and run setup as shown. See below.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Initial Setup Having installed IPCop we now have to enter some further configuration information in setup for our setup to be complete.

Enter in Keyboard, Time Zone and Hostname/Domain. ISDN Setup As you are not using ISDN you should select to disable it Network Configuration Type - Select the Interface configuration you will be running by tabbing to Network Configuration Type and hit the Enter key.

PDF created with pdfFactory Pro trial version www.pdffactory.com

In our case you would select Red / Orange / Green.

Since we have 3 interfaces and only have set up Green, repeat the interface setup options for the Red and Orange interfaces as described above. Configure the RED interface to use DHCP as this is interface connected to the Internet (i.e. Your ISP). Then configure

PDF created with pdfFactory Pro trial version www.pdffactory.com

your ORANGE interface to use the 192.168.10.x address space. For Red tab over to the DHCP box and select it by hitting Enter. So if your Green network will contain 15 hosts you can use 192.168.1.2-16. To set this up simply add in this range 192.168.1.2-16 and tab down to OK.

Password Setup - IPCop has 2 users which you will be asked to setup passwords for the root and admin. Set these both to a strong password > 8 character password that is not a word in any language and contains Caps. A good example would be 1luv19c0p. Root password will be used to log on and add any add-ons or upgrades via SSH. Admin user is used to manage your IPCop day to day. At the end of the IPCop installation you will be asked to reboot. After reboot go to another machine on your LAN and force your network interface card to update your dynamic (DHCP) address with ifconfig (Linux/Unix) or ipconfig (Windows). Verify you are live and active on the new network you have setup with an address on 192.168.1.x. With this validated connect to secure https web interface of IPCop. Type https://192.168.1.1:445 or https://192.168.1.1:81 and log in as the admin user. Validate all your settings and connectivity. Then check out all the features you get with this great GNU Open Source Firewall. In the second installment of this how to we will discuss setting up a dynamic DNS, filtering email/web/proxing with Copfilter and allowing access to web/mail server of your choice in the DMZ or orange network. Until then go check out the www.IPCop.org website & Happy Hacking!!

The Perfect Linux Firewall Part II -- IPCop & Copfilter

Author: Joseph Guarino - Evolutionary IT

PDF created with pdfFactory Pro trial version www.pdffactory.com

This document is the second segment in a series on installing IPCop firewall. We will be creating a "DMZ" for hosting your own web server or mail server and the Copfilter proxy for filtering your application layer ingress and egress network traffic. This is intended to be a rough overview on creating a IPCop firewall with Copfilter and comes without warranty of any kind. Using your IPCop for web hosting/mail hosting Given the instructions from the previous article, you should have a full installation of IPCop running. The current focus remains two-fold: to get your server in the Orange (DMZ) segment of your IPCop Network and opening up the ports on your firewall to allow web traffic to it.

Additionally, our second goal in this article will be securing our (application layer) web traffic, email and personal privacy with a wonderful add-in, called Copfilter. As we detailed in part one, I suggested the 192.168.10.x network for our "Orange" DMZ segment. In this part of the network I will place hosts that I want visible to the outside world. Port forwarding will permit the flow of traffic from external RED (DHCP interface/network) to DMZ ORANGE network.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Orange Network Requirements

Installed and configured server with the Distro of your choice with the email (SMTP & POP3 or IMAP and webserver of your choice. Free & Open Source Software (FOSS) is all about choice so pick what fits your needs..

This orange network server must have a static IP address and not be on DHCP. For the sake of this article, we are using the static IP of 192.168.10.25 for our single internal ORANGE hosting server.

Secure your Orange Network Hosts

Security is a process not any one tool or technology. Rather, it is many tools, technologies and processes. Consider a holistic view. Remember to consistently patch and monitor logs patches are an important measure to mitigate known vulnerabilities. Make sure you fully patched, secured and backed up any host before you expose it to the Internet. The best security is a layered approach so consider using a HID (Host Intrusion Detection), chroot, xinetd and Tcpwrappers to name a few. Shut down any unnecessary network services on this node. Join the mailing lists or RSS feed for the Free/Open Source applications you are using and general security mailing lists so you are sure to be aware of vulnerabilities and issues that might arise. Also check out CERT for a general mailing list or RSS feed on security vulnerabilities. http://www.us-cert.gov/current/

Secure your Green Network

Don't have a false sense of security just because you have strong and extensive IPCop/Copfilter configuration. Be sure to secure ALL of your machines. Consider a holistic view of security. Consistently patch your internal green nodes Have a Anti-Virus/Malware Scanner and Anti-Spyware Defense. In my view that extends to ALL Operating Systems. Enable a software firewall on your machines.

Hosting a server on a dynamic connection As you are using a cable modem that gives your RED IPCop network interface a dynamic DHCP address, you will need to set up Dynamic DNS services to resolve to this host via a human usable form, other than IP Address. NOTE Some ISPs block TCP port 80 (HTTP) 110 (POP3) and 25 (SMTP). To navigate around this, you can purchase port forwarding services from some of these dynamic DNS providers, run services on different non-blocked ports or upgrade to another provider. For the sake of this article we assume you have no ISP blocked ports. Setting up Dynamic DNS Along with your dynamically assigned IP address (RED), you will want to use a Dynamic DNS service to be able to allow external access to your external web/mail. Setting up Dynamic DNS with IPCop is easily achieved. Simply pick a Dynamic DNS provider listed in the IPCop DYNDNS settings.

Go into your IPCop settings in Service Pulldown -- Services >> Dynamic DNS and under >> Add a host. Pick one of these supported DYNDNS providers.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Open up your favorite browser and go to the DYNDNS provider you have chosen from the list above and register with them. Return to your IPCop web administration GUI and add the information in to your IPCop settings in Service Pulldown -- Services >> Dynamic DNS. Now return to your IPCop web administration GUI and fill in the information as listed below and then click Add. It will then display under current hosts?.

What is Copfilter An amazing project by open source developer Markus Madlener, to extend his IPCop's capabilities to the application layer (see OSI Model). Copfilter greatly enhances the capabilities of the already powerful IPCop by offering the jaw dropping and impressive large list of capabilities:

POP3/SMTP Scanning - via P3Scan and ProxSMTP which allow for scanning of incoming and outgoing Email. HTTP Scanning - via HAVP which is a powerful HTTP scanning engine for scanning and securing your web traffic. FTP Scanning - via frox which allows for proxying of FTP traffic. Privacy Protection - via Privoxy which is an extremely powerful HTTP privacy protection filter which filters and or removes cookies, web ads, pop-ups and other annoying Internet junk. Antivirus Scanning - via ClamAV or F-Prot which can be used to scan your traffic for the ever prevalent malware. Please note F-Prot is a commercial product and you have to acquire a license to use it. This article utilizes the FOSS email scanner ClamAV.

AntiSpam - via Spam Assassin, Vipul's Razor, DCC, renattach, RulesDuJour which coupled together make a very effective anti-spam defense. Process Monitoring - via Monit which allows you to monitor all of these processes and restart them as needed.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Why Copfilter? You might ask yourself, if I have a IPCop firewall why would I need Copfilter? As a network security mechanism, the firewall has undergone a serious metamorphosis from a simple packet filter that only understood little of what it carried across the wire, to fully stateful inspection mechanisms that understand layer 5-7. This a far cry from the days of a simple packet filtering router or even a stripped down set of ipchains. And as security is not one technology, process or technique alone, but many of them, Copfilter is another powerful mechanism of defense in protecting your application layer. Installing Copfilter IPCop does not contain add-on binaries by default so they need to be copied via SCP to your IPCop. Then you will be logging in securely via SSH to your IPCop to install these binaries. Turn on SSH on your IPCop

Via the Webgui -> System -> Ssh Access Then click Save

NOTE - It is recommended that you shut off SSH access after you finish copying this code as SSH has many exploits. Enable Squid on your IPCop Via the Webgui go to -> Services -> Proxy

Enabled on Green Transparent on Green Then click Save.

SSH and SCP Clients Depending on your OS you may or may not have a native SCP or SSH client on your machine. Note the port number as TCP port 222 and NOT the default SSH/SCP port. GNU/Linux, Unix, BSD & OSX Clients - Command Line # Command Line SCP scp -P 222 <Copfilterpackage_version.tar.gz root@ipcop_green_address>:/root Command Line SSH ssh -p 222 -l root ipcop_green_address Graphical SCP/SSH --> If you are wary of the command line or not interested, alternatively, there are several GUI clients in almost every OS. I will not address each and every one as they are so easy to use, simply requiring a drag and drop, or point and click operation. OS X Clients --> Cyberduck

PDF created with pdfFactory Pro trial version www.pdffactory.com

http://cyberduck.ch/ Fugu http://rsug.itd.umich.edu/software/fugu/ Windows --> WinSCP - SCP Client http://www.winscp.net/ Putty SSH Client http://www.putty.nl/ OpenSSH for Windows http://sshwindows.sourceforge.net/ *NIX --> gFtp http://gftp.seul.org/ Installing Copfilter After you have SCP copied the Copfilter-x.x.tgz file to /root on your IPCop as detailed above you are now ready to install it. SSH into your IPCop with whatever client you possess on your respective Operating System. MD-What? Takes an MD5 to assure that the code you downloaded is not altered or corrupted by an external source. Doing this is a simple step verifying that what you have the original, legitimate binary. Linux/UNIX MD5 Md5sum is available in GNU/Linux and Unix by default md5sum Copfilter-x.x.tgz and compare the output to what is listed on the download link as the MD5. Microsoft Windows Windows users can use the easy to use and GPLd wxChecksums or MD5Summer. Both are FOSS software which is freedom geared and light on cost. Apple OS X Apple users will need to open up a terminal window and type md5 Copfilter-x.x.tgz to verify the file. Extract and Install the Binary

PDF created with pdfFactory Pro trial version www.pdffactory.com

cd /root tar xzvf Copfilter-x.x.tgz (change x to your version number) cd Copfilter-x.x.x ./install

Follow the prompts and you are all done. Reboot your IPCop and to be safe empty your browsers cache. After rebooting your IPCop you should see the Copfilter navigation item on the right most top part of the screen (next to the IPCop penguin). Initial Copfilter Configuration Go to Copfilter -> Email and configure your email address, SMTP server and then save those settings. The email address is your (root or administrator) email address and it will be used to notify you of updates and other important Copfilter messages. IMPORTANT - It is strongly recommended that you READ the Copfilter documentation to have an in-depth understanding of the configuration options that you choose to implement. RTFM before you design and definitely before you deploy. Monit - Monitoring Copfilter This service enables you to monitor the core services of the Copfilter application. It provides you some resilience by automatically restarting applications should they fail. Your Configuration Monitoring

Go to Copfilter >> Monitoring

PDF created with pdfFactory Pro trial version www.pdffactory.com

Monitor all enabled services ON Then click on Save settings (and restart service)

Copfilter Configuration Options In controlling the three network services we are going to have ingress (ingoing) and egress (outgoing) control of in our IPCop/Copfilter configuration we have many granular options. Copfilter is going to be filtering our HTTP traffic, POP3, and SMTP traffic. The wonder of the Copfilter add-on is the plethora of options one can chose to deploy our configuration is of course only one of the many. Copfilter - POP3 configuration - P3Scan The Post Office Protocol Version 3 is the industry standard for receiving email. The goal of our configuration is to block spam/malware from being received via our email clients. To access these setting go to Copfilter >> POP3 configuration P3Scan Configuration

The following options detail those to be turned ON and all others will be left in the default OFF configuration.

o o o o o o

Enable P3scan on incoming traffic on Green ON Enable P3scan on incoming traffic on Orange ON Add Copfilter Comment to Email Header Quarantine Spam if ... *** OFF Tag Spam in Emails and modify the subject ON Stop Virus email and send virus notification instead ON

PDF created with pdfFactory Pro trial version www.pdffactory.com

o o o o

Send a copy of virus notification to Email address ON Quarantine virus infected emails ON Remove emails in quarantine if older than (in days) 7 Then click on Save settings (and restart service)

The net effect of this configuration will be an aggressive stance on scanning, dropping and notifying you of the spam/malware, before it reaches your internal network. Copfilter - SMTP configuration - ProxSMTP Simple mail transfer protocol is the standard for email transmission on the the Internet today. With the power of Copfilter one can get very granular on controlling the flow of mail message to and from our network. The goal of our configuration is to block spam/malware from being sent/received via our email clients. To access these setting go to Copfilter >> SMTP configuration The following options are to be turned ON and all others will be left in the default OFF configuration. SMTP Filtering Configuration

o o o o o o o

Enable ProxSMTP to filter outgoing traffic on GREEN ON Enable ProxSMTP to filter outgoing traffic on ORANGE ON Add Copfilter Comment to Email Header ON Enable ProxSMTP to filter incoming traffic on RED Email Server is located in network ORANGE Email Server IP Address 192.168.10.25 Red IP Alias Ethernet Interface - eth2:1

PDF created with pdfFactory Pro trial version www.pdffactory.com

o o o o o o

Tag Spam in emails and modify the subject ON Stop virus emails and opt. Send virus notification instead ON Send user a virus notification ON Use Copfilter Whitelist and Blacklist ON Remove emails in quarantine if older than (in days) 7 Then click on Save settings (and restart service)

NOTE - Choices of the ProxSMTP on RED interface entails 2 options:

RED scanning ON - Copfilter manages the creation of Iptables rules so these are not needed to be created manually through IPCop.

RED scanning OFF - Copfilter with portforwarding rule to orange mail server with scanning done at the server. I.e. you could do your ingress smtp scanning on the Email server itself & not with Copfilter.

This configuration will be an proactive stance on the capturing, quarantining and deleting malware before it infect our trusted machines in the GREEN network. With quarantining ON it is recommended that an administrator be very responsive to the systems warnings about quarantine Spam, and process consistently, or it will be deleted on a weekly basis. I would not recommend keeping a Spam Quarantine setup if you are short on disk space and or want to increase this interval beyond one week. If you do you run the risk of filling up your disk. Also as whitelisting and blacklisting has been turned on remember to add in your whitelisted domains (trusted email sources) and blacklisted (domains you do not trust or want spam from). HTTP Scanning - HAVP/Privoxy HyperText Transfer Protocol is the protocol we use when we are surfing the Internet. HAVP (HTTP Antivirus Proxy) is a proxy server with the ClamAV anti-virus scanner. This will be crucial in your configuration to scan incoming HTTP traffic and keep malware off your machines. To access these setting go to Copfilter >> HTTP Filter HTTP Configuration

PDF created with pdfFactory Pro trial version www.pdffactory.com

The following options are to be turned ON and all others will be left in the default OFF configuration.

o o o o

Deny access to HTTP traffic ON Enable Transparent mode ON Filter HTTP traffic for Internet Junk ON Then click on Save settings (and restart service)

This configuration will allow for malware to be filtered out at our IPCop box, such as browser exploits, phishing attempts and viruses. Additionally, ads, banners and other Internet advertising junk with Privoxy. With web banners and such that are blocked you will either see the item labeled "Advertisement" or an image of a checkered pattern indicating it has been blocked. If you hate ads as much as do I you can get an add-on for Firefox called Adblock that will allow client side blocking as well. Adblock AntiSpam - SpamAssassin and Rules Du Jour Spam Assassin will help your email server identify and filter Spam before it reaches your email client inbox. SpamAssassin uses Bayesian filtering, DNS blocklist, header and text analysis and collaborative filtering databases to keep your Spam at a minimum. Please note that the more filtering you do before delivering to the client the higher the load on the server.

Rules Du Jour is a simple back script which will download new versions of Spam Assassin rules. This is very helpful in keeping your anti-spam defense in optimal shape.

o o o

Razor is a distributed, collaborative spam detection and filtering network. DCC or Distributed Checksum Clearinghouse is an anti-spam content filter. DNSBL are DNS Blacklists or ban lists based upon DNS entries of known spammers or known nodes/networks that once emanated Spam.

PDF created with pdfFactory Pro trial version www.pdffactory.com

To access these setting go to Copfilter >> AntiSpam configuration AntiSpam Configuration

The following options are to be turned ON and all others will be left in the default OFF configuration.

o o o o o o o

Enable Spamassasin ON Score required to identify email as spam 6 Send daily spam digest ON Razor, DCC, DNSBL ON Rules Du Jour - ON Automatic Update Enable every 1 days Then click on Save settings (and restart service)

AntiVirus - ClamAV ClamAV is an amazing FOSS project virus scanner. Within Copfilter this is used to virus scan email and web traffic for malware. To access these settings go to Copfilter >> Antivirus Copfilter - Antivirus Configuration

PDF created with pdfFactory Pro trial version www.pdffactory.com

o o o

ClamAV ON Automatic Update - Enable every 24 hours Then click on Save settings (and restart service)

The effect of these settings is that ClamAV is going to update its virus definitions on its own and be available for scanning your SMTP/POP3 and HTTP traffic. Allowing traffic between Different Networks Please note that there are certain default rules that IPCop implements on your network and be aware of the implications. See the following link for further details. By default the configuration uses the /etc/rc.d/rc.firewall.local and changes can be made through web GUI or via SSH. Any good firewall by default setup to deny any external connections behind its trusted networks. In IPCop speak that means that there is no ingress (incoming) access by default from the RED interface/network to any other Network. By default access from ORANGE to RED is Open so there is no need for any special configuration in this example. If you for whatever reason need access from your Orange "DMZ" to Internal GREEN you can define rules via DMZ Pinholes. IPCop Port Forwarding - HTTP As detailed above SMTP and POP3 rules are created by Copfilter are automatically created. As for HTTP (RED to ORANGE) it is NOT so you have to create it in Port Forwarding as below. If you would like to open other ports to external access (ex. FTP, SSH) please be aware the services should be hardened and security as much as possible (see layered approach I detail above).

PDF created with pdfFactory Pro trial version www.pdffactory.com

Copfilter Test & Log The most obvious way is via surf the web. Send and receive a test email. The Copfilter Test & Log page can help you ascertain if your configuration is proper. The tests listed are very self-explanatory in that you can examine your Email/Spam defense by clicking on the buttons in the Test POP3 & SMTP Scanning section. Below is the Test HTTP & FTP Scanning section which you can click on to verify the functionality of your HAVP HTTP virus scanner by clicking on the link to the Eicar "test" virus. This page will come up blocked with the default HAVP message to show you that your HTTP is now secured from common malware, phishing attempts, and other threats. Sending and testing the variety of email options on the test page will allow you to verify your SMTP/POP3 configuration. If you can send and receive your emails and see the following in your email headers -- you are all set.

X-Filtered-With-Copfilter: Version 0.82 (ProxSMTP 1.3.91) X-Copfilter-Virus-Scanned: ClamAV 0.88/1291 - Thu Feb 16 21:15:09 2006
Copfilter Test and Logs Screen

PDF created with pdfFactory Pro trial version www.pdffactory.com

Lastly, your log files are to the right bottom of your Copfilter Test & Log page where you can see all the details of your Copfilter configuration. Bravo! You are good to go! =) Now you can enjoy the fact you are much more secure than when you began this article! If you like what you see, I welcome you to join our FOSS community. Free and Open Software (FOSS) does not sustain on developers alone but by the work of all sorts in technical writing, support, marketing, graphics, web developers and a multitude of other supporters like you! FOSS is built upon community, so join us and take part in reinventing computing in the positive directions from which we all collectively benefit. In speaking with Markus I was able to ask him why he was motivated to create Copfilter and he answered, he said: "I created Copfilter to help protect the computers of my friends and family and the greater Internet community." Markus I don't think there is a better way to describe the spirit of FOSS. Much thanks to Markus and the entire IPCop Team and all the other projects that made this possible! ..::Check out the FOSS community Projects related to this article ::.. IPCop Homepage -->http://www.ipcop.org Copfilter Homepage --> http://www.copfilter.org Copfilter Forum --> http://copfilter.endlich-mail.de/ Additional Related Links http://www.ipcop.org/1.4.0/en/admin/html/services.html#services_dyndns http://en.wikipedia.org/wiki/Malware

PDF created with pdfFactory Pro trial version www.pdffactory.com

http://www.linuxdocs.org/sln/pop3s/ http://en.wikipedia.org/wiki/Pop3 http://en.wikipedia.org/wiki/Smtp http://en.wikipedia.org/wiki/Http http://en.wikipedia.org/wiki/Osi_model http://en.wikipedia.org/wiki/Port_forwarding http://en.wikipedia.org/wiki/Md5 http://www.tildeslash.com/monit http://p3scan.sourceforge.net/ http://memberwebs.com/nielsen/software/proxsmtp http://havp.sourceforge.net/ http://www.privoxy.org/ http://frox.sourceforge.net/ http://spamassassin.apache.org/ http://clamav.sourceforge.net/ http://www.pc-tools.net/unix/renattach http://www.exit0.us/index.php?pagename=RulesDuJour http://p3scan.sourceforge.net/#p3pmail http://wiki.apache.org/spamassassin/DnsBlocklists http://wxchecksums.sourceforge.net/mainpage_en.html http://www.md5summer.org/ http://www.firefox.com/ http://adblock.mozdev.org/ http://www.us-cert.gov/current/

PDF created with pdfFactory Pro trial version www.pdffactory.com

OpenVPN for IPCop 1.4.10


Introduction

I use IPCop now for several years, and VPN was allways a mainly used feature. With the 1.4 release it was possible to define roadwarrior connection but this part is hard to configure except when using certificates, so i was allways searching for alternatives ways to use roadwarrior VPN connections. Inspiered through an article in the c't magazine about OpenVPN, i googled for existing OpenVPN addons. I found several links, one off them LINK was an addon from Markus Hoffman wich adds OpenVPN support to IPCop >=1.42 but this addon has no gui, so i contacted Markus about adding a gui for his addon, and so i started. After two days of programming, i found a page where some people had allready build and OpenVPN addon with guil called ZERINA, as their gui was more ready then my two days of work, i contacted them to cooperate for an improved gui, that was the start for my ongoing attemp of a new gui for OpenVPN. The code mainly depens on part of the IPCop cgi pages vpnmain.cgi, xtaccess.cgi and portfw.cgi The idea ..was to provide an easy way for roadwarrior clients to connect to the LAN (green interface) based on certificates. Features
running and configuring an OpenVPN Server Daemon for accessing the IPCop Lan (Green interface) all necessary functions can be configured uses/creates a second PKI wich does not involve the IPCop ipsec PKI experimanetal function to enable/disable a client certificate, without revoking the client (verify script) support for OpenVPN connections from BLUE and ORANGE networks

new proxy.cgi with OpenVPN support (this feature has been removed, adding OpenVPN subnet to the
allowed hosts/nets in proxy setup gains OpenVPN connetions access to the proxy)

new connections.cgi with OpenVPN support new functionality, display Connections Statistics, adapted from R.I.Pienaar's php source to perl easy client handling, download a client package zip archive with certificate(s) + config file some more things i cannot remeber anymore

Todo / bugs / missing functions

note! only tun support is implemented if you choose tap it won't work

PDF created with pdfFactory Pro trial version www.pdffactory.com

only roadwarrior (host2net)connections are possibe, net2net will come later (in the 0.9.7x alpha series net2net is possible)

only certificate based connections are possible (static keys will probably come later) configuring the authentication mode integrate Kevin Stefanik scripts to restrict the client access when the first final version is ready we will package the whole thing for the addon-server etc etc

Install/Update Instructions
follow this steps: 1. If you are updating, first stop the OpenVPN Server through the gui 2. copy the Installer package into an empty directory on your IPCop (for example with winscp) 3. beeing on the IPCop console, extract the archive tar -xzvf ./ZERINA-0.9.4b-Installer.tar.gz 4. cd to the extraction directory 5. run the installer ./install 6. you need to keep this install directory, if you later decide to uninstall ZERINA

Uninstall Instructions
1. On the IPCop console cd to the ZERINA install directory 2. run the uninstaller ./uninstall

Howto for Zerina 0.9.0b


Used software IPcop IPCop OpenVPN addon OpenVPN GUI for Win32 We suppose that we have following situation: IPcop red side 192.168.181.2 IPCop green side is 10.10.1.1 Our Windows 2000 client is connected via dsl to the internet First we need to access the OpenVPN controll page

PDF created with pdfFactory Pro trial version www.pdffactory.com

The initial OpenVPN page will open and showing us two bowes

Global settings, thats what we first start to configure Certificate Authorities, this part will be explained later

Step 2
Global settings

PDF created with pdfFactory Pro trial version www.pdffactory.com

No Fieldname OpenVPN on Red

Discription Example input This enables/disables ther server, on the RED IPCop device, to be able to checked start the server we check this box. This enables/disables ther server, on the BLUE IPCop device, for this OpenVPN on howto we leve this unchecked, Note this is only visible when you have unchecked Blue an active BLUE device This enables/disables ther server, on the ORANGE IPCop device, for this OpenVPN on howto we leve this unchecked, Note this is only visible when you have unchecked Orange an active ORANGE device IP or hostname under wich we will except connections from outside on Local VPN the RED DEVICE, normaly you will fill in your red ip, or if you don't have 192.168.181.2 Hostanme/IP any static red ip this could also be a dynamic hostname OpenVPN needs an extra virtual subnet to operate, this subnet may OpenVPN not be used elsewhere on IPCop or on the client side otherwise it 10.0.10.0/255.255.255.0 Subnet won't work Choose the desired device till now only tun is supported later tab will OpenVPN device tun also be choosable. tun is for routed connections and tab for bridged Either udp or tcp can be choosen, this depends at least on your desire. udp Protocol udp is faster then tcp. choose any free protocol/port combination wich isn't used on IPCop and Destination Port 1194 isn't beeing forwarded. OpenVPN 2.0 default protocol/port is udp/1194 The default MTU value is 1400, OpenVPN adds, like other VPN MTU Size protocols, a header to every transmited package, so adjust this value to 1400 avoid unnecessary IP fragmentation LZOchecked This enables/disables the use off LZO compression, default is checked Comperssion Choose here your desired encryption type , it depens on how paranoid Encryption BF-CBC you are ;-), default is BF-CBC

After you filled all data hit the save button, to save the server configuration. After doing so, the the Global settings will look like this:

PDF created with pdfFactory Pro trial version www.pdffactory.com

Step 3
Certificate Authorities:

As we just started, we don't have any certificates, note that this addon uses its own PKI, we thought it would be better to seperate it from the standard IPCop VPN PKI. The first releases had the same behavior like the IPCop vpnmain.cgi all generated certificates received the same serial nomber, this has now changed. To be able to accept/authenticate connection we need a root and a host certificate, so lets create them No Fieldname Discription Example input Generate Root/Host certificates Push this button to step inot the generate process push CA Name Research Upload CA Certificate We don't need this function right now We don't need this function right now We don't need this function right now none none none

After we have done so a new page will be open

PDF created with pdfFactory Pro trial version www.pdffactory.com

Generate Root/Host certificates:

No Fieldname Oragnization Name IPCop's Hostname Your E-mail Address

Discription Type in your organization Name This field is pre filled with either your red ip or your hostname. Input is not necessary, type in your contact e-mail

Example input myorg 192.168.181.2 myemail@myhost.com mydepartment hamburg hamburg germany

Your Department Input is not necessary, type in your department City Input is not necessary, type in your City

State or Province Input is not necessary, type in your State or Province Country Generate button ResearchPKCS12 file Choose your country

If all necessary data (point 1,2,3) is enterd, you can hit that button to start push the generate process This is optional,either you genrate a new certificate or you can upload an existingif you already have certifcates wich you want to upload file PKCS12 use, then you can upload them, point here to the certificate location, the certificate has to be in PKCS12 format. PKCS12 file password push

PKCS12 File This is optional,type in the PKCS12 file Password Password Upload PKCS12 This is optional, button to start the upload file

After you entered the data it looks like this

PDF created with pdfFactory Pro trial version www.pdffactory.com

Now when all neceassary data is enterd (point 1,2,3) we hit the Generate Root/Host Certificates button . !!!Depending on your hardware this realy can take very very long, as also a dh file (Diffie Hellman) is beeing generated, wich the OpenVPN server needs, so hold on till everything is finished!!! After the (hopefully) succsessful generate process, the main OpenVPN status page will open and the Certificate Authorities box will look like this

Step 4
Client certificate Now we need a client certifacte to proceed on, several ways are possible, we choose the simplest one. Now lets get back to our OpenVPN control page as we want to add a new client we hit the Add button on the Client status control box

PDF created with pdfFactory Pro trial version www.pdffactory.com

No Fieldname Discription Example input Add Adds a new connection, currently only host2net roadwarrior connection are possible push Statistics Here you can later retrive Connection Statistics, it is disabled til the server starts none

After we have pushed the add button, a new page Connection Type will open.

No Fieldname Discription Add proceeds the add process, currently only Host-to-Net (roadwarrior) connection can be added, Net-to-Net will be implemented later.

Example input push

So again hit the add button.

A new page with two boxes Connection and Authentication will be open First we will take care of the Connection box

No Fieldname Discription Name Remark Enabled Simply a Name for the new connection

Example input client1

Input is not necessary, any remark for that connection, that could be helpfull to identify it This is client 1 later(imagine you have 80 connections) This field enables/disables a connection, default is checked wich means enables, the above checked picture is not correct, i mad in resnapping it

PDF created with pdfFactory Pro trial version www.pdffactory.com

Now lets take a look at the second box Authentication.

No Fieldname Upload/section

Discription Example input Several scenarios are possible but in this howto we don't touch this none setting client1 client1@myhost.com mydepartment leave leave leave leave 123456 push

Users's Name/Hostname This is the Common name for the certficate Users's E-mail Address Input is not necessary, type in your contact e-mail Users's Department Organization Name City State or Province Country Input is not necessary, type in your department Input is not necessary, prefilled with infromation Input is not necessary, prefilled with infromation Input is not necessary, prefilled with infromation Input is not necessary, prefilled with infromation

PKCS12 File Password type in the PKCS12 file Password, at least 6 charachter Save When all needed data is entered hit the save button to start the generate process

After you have entered all data the input window will look like this

PDF created with pdfFactory Pro trial version www.pdffactory.com

Now push the SAVE Button button to start the process.

After doing so the main OpenVPN Status page will open and showing us in the client status and control box, with the newly added connection.

No we download the client package.

PDF created with pdfFactory Pro trial version www.pdffactory.com

To do so we hit the download symbol (download Client package)

Save the Client package zip archive, transfer it to the host from where you want to connect, and extract its content to the OpenVPN GUI config dir in our example it is C:\Programme\OpenVPN\config\

Step 5
OpenVPN server start

After all that steps we are ready to start the OpenVPN server. Back on the main OpenVPN status page, we he the Start OpenVPN Server button (see picture).

PDF created with pdfFactory Pro trial version www.pdffactory.com

After that, and when everything when well, the server staus will change and looks like this

Included with this addon there is also an extended version of the logs.dat wich allows us to view the openvpnserver log message. To view this messages follow the step showed on the pictures.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Important is, the the last line saying "Initialization Sequence Completed", this indicates that "everything" went fine.

Now our server runs and accepts connection

Step 6
Finaly connect from the client to our OpenVPN server

Now back at the client we start the OpenVPN GUI (if not already done), this opens a new tray icon where we can manage OpenVPN. Access now the context menu (left mous button on the tray icon) and choose Connect, see picture.

A new window will open, asking us the password for our private key (the password we entered during the generation), so lets enter the password and hit OK.(see picture)

PDF created with pdfFactory Pro trial version www.pdffactory.com

After doing so and everything is correct, follwing succusess message will shown.

Isn't that great :-) ? The OpenVPN GUI status page (reachable at the context menu) will look similiar like this.

PDF created with pdfFactory Pro trial version www.pdffactory.com

Back on our IPCop we can see the client staus.

Now we are done and this howto ends here. Attached some figures showing new functions, that are included in this addon. OpenVPN Connections Statistics

PDF created with pdfFactory Pro trial version www.pdffactory.com

Extended Connections.cgi showing now also OpenVPN connections

Extended Proxy.cgi with support for proxy support for OpenVPN

Notes from the author

This howto comes with NO warranty or guarantee, so use it at your own risk.

VPN and certificates are a very much complexes topic and it contains many points which this simple howto cannot cover. If you need further-reaching infromationen, then please visit the corresponding Internet pages.

It remains to say, that english isn't my mother tongue and I have dealt with the OpenVPN topic only for a couple of weeks, therefore you may forgive me for corresponding spell faults as regards content.

If you have found any errors please contact me by e-mail

We are actually a smal team of developers more features will come, hold on for the comming up features

15.06.2005 Ufuk Altinkaynak

FAQ

PDF created with pdfFactory Pro trial version www.pdffactory.com

Here is a unsorted List with common known issues when using OpenVPN server

My OpenVPN client and server say "Connection Initiated with x.x.x.x" but I cannot ping the hosts on the Green Lan through the VPN. Why?
This can depend on several things:

- like there is running a firewall on the host you want reach, wich prevents from answering ping

- the host you are trying to reach has no default gateway to you IPCop, either the host has a default gateway to your IPCop, or the actual default gateway has a route for the OpenVPN subnet pointing to your IPCop.

- in most cases it is a routing issue, wich prevents form reaching the green lan

Addons for IPCop


franck78.ath.cx - an easy installation & management GUI on Ipcop 1.4 for the well known squidGuard url filtering tool.
Translated into Italian, French, German, Dutch, Russian, Portuguese and English.

firewalladdons.sourceforge.net - Addon Server for IPCop as a wide range of modifications you can add to your IPCop, such as DansGuardian. www.ipadd.de -addon binary collection and IPCop related links. www.urlfilter.net - URL filter with seamless GUI integration and time based access control. www.advproxy.net - Advanced Proxy with different user authentication methods and other versatile and useful additional
features.

www.mhaddons.tk - A number of addons, including copfilter updates, Advanced QoS, Asterisk, Sarg, Nessus and
Clamav 0.83

www.zerina.de/ - OpenVPN and Howto. www.copfilter.org - Copfilter. This Addon transparently filters viruses and spam from email and web traffic. banish.sidsolutions.net - Banish - Simply block access by IP, CIDR, Domain and MAC Addresses. blockouttraffic.de - BlockOutTraffic (BOT) blocks all traffic that is allowed in a normal IPCop installation. You can create
your own rules via comfortable and intuitive webgui for more influence on traffic to and through your firewall.

www.elminster.com - IPCop L2TP VPN Mod Modification to allow IPCop to be used as an L2TP over IPSEC server for the
standard Windows VPN client. Useful for windows Roadwarriors.

www.ipcop.h-loit.de - IPCop Addons like UPS Server, GUIPorts, Who IS Online, MC and Line Test. www.supporting-role.net - Supporting Role Unofficial IPCop Modifications Page. www.ban-solms.de - IPCop Addons Connection Scheduler, HDDGraph, mbmongraph, Wake On LAN, COM LED, GUI Colors
etc.

www.advproxy.net/update-accelerator - the Update Accelerator caches software updates and delivers them to your clients with full LAN speed - even complete Service Packs. www.sischmitz.de - IPCop Addons RAMCop, ADDPartition

wintermute website
IPCop V1.4.x addon binary collection
Do not install unneeded stuff on a productive firewall!

home

PDF created with pdfFactory Pro trial version www.pdffactory.com

All of the programs presented on this site are provided "as-is", and should be used at your own risk. Some of them may result in a security incident. You should know what you are doing with this stuff. [ Installation guidelines ]: see bottom of this page. All addon binaries are provided as *.tar.gz packages. [ Installationsanleitung ]: siehe Ende dieser Seite. Alle Addon Binaries sind als *.tar.gz Pakete verfgbar. Categories: [ Tools and utilities | Hardware testing | Traffic monitoring | Analyzer and scanner | LCD stuff | SysInfo GUI ]

IPCop V1.4.x | General tools and utilities


[ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] [ agetty ] [ apg ] [ axelf ] [ bc ] [ beep ] [ cftp ] [ clear ] [ clex ] [ cutter ] [ dhcrelay ] [ dialog ] [ dnstop ] [ ether-wake ] [ file ] [ ftp ] [ htop ] v2.12r v2.2.3 v1.2 v1.06 v1.2.2 v0.12 v2.12r v3.16 v1.03 v3.0.5 v1.0 v7.5.10 v1.09 v4.21 v0.17 v0.6.6 v2.0.2 v2.2.1 v3.5 v0.3.1-5 v4.2.31 v0.1 v4.78 v2.8.6 v1.83.1 v0.72 v1.06 v0.1.1 v1.3 v0.7.1 v1.45 v4.5p1 v3.2.7 v18 v2.12r v2.6.9 v0.15 v4.0.3 v2.12r v2.17 v1.6.9p5 v0.17 v0.43 v2.13.16 v1.10.2 Alternative Linux getty. Automated password generator. Bash script that makes a nice Beverly Hills (IP)Cop sound. An arbitrary precision calculator language. Replacement beep binary for use with serial console. A full screen ftp client. Clear the terminal screen. File manager with a full-screen user interface. Cut TCP/IP connections. DHCP relay agent for IPCop. Display dialog boxes from shell scripts. Displays various tables of DNS traffic. Tool to send magic wol packets. Determines file types. ARPANET file transfer program. Interactive text-mode process viewer. It aims to be a better 'top'. Modern tool for measuring TCP and UDP bandwidth performance. A top-like display of IP Tables state table entries. World-famous Wordstar like text editor. Show CPU usage on an LED device plugged on parallel port. Search very fast for files in a directory hierarchy. Turns on and off the bits of a printer port. Utility to list open files. A text browser for the World Wide Web with ssl support. ANSI- and VT102 terminal emulator. Combines the functionality of 'traceroute' and 'ping'. NAT detection tool. View your iptables counters in real time. ncdu - NCurses Disk Usage. Netcat reads and writes data across the net. Grep for network traffic. Adds SSH, SFTP, SSH-Add and SSH-Agent (for IPCop >= v1.4.13). Find or signal processes by name and other attributes. Display system process informations. Terminal initialization. A utility that provides fast incremental file transfer. A curses-based tool for viewing system statistics. Screen manager with VT100/ANSI terminal emulation. Utitlity to set terminal attributes. Lists printable strings from files. Execute a command as another user. User interface to the TELNET protocol. DARPA trivial file transfer protocol server. A file synchronization tool. A non-interactive network retriever.

[ Info ] [ Manual ] [ iperf ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] ] [ iptstate ] [ joe ] [ ledstats ] [ locate ] [ lpswitch ] [ lsof ] [ lynx ] [ minicom ] [ mtr ] [ natdet ] [ natstat ] [ ncdu ] [ netcat ] [ ngrep ] [ openssh ] [ pgrep ] [ procinfo ] [ reset ] [ rsync ] [ saidar ] [ screen ] [ setterm ] [ strings ] [ sudo ] [ telnet ] [ tftpd-hpa ] [ unison ] [ wget ]

PDF created with pdfFactory Pro trial version www.pdffactory.com

[ Info ] [ Info ] [ Info ] [ Info ]

[ Manual [ Manual [ Manual [ Manual

] ] ] ]

[ whois ] [ whowatch ] [ wput ] [ zgrep ]

v4.7.23 v1.4 v0.6 v1.0

Advanced and intelligent whois client. Console, interactive, process and users monitoring tool. FTP client for uploads that looks like wget. Search possibly compressed files for expressions.

IPCop V1.4.x | Hardware testing


[ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Manual [ Manual [ Manual [ Manual [ Manual ] ] ] ] ] [ cpuburn-in ] [ dmidecode ] [ hddtemp ] [ itop ] [ lsusb ] v1.00 v2.9 v03b15 v0.1 v0.72-3 v2.05 v4.0.7 v2.0.2 diverse v5.37 System stability testing tool. Reports information about your system's hardware. Gives you the temperature of your hard drive. [ IPCop GUI ] Simple top-like interrupt load monitor. Display information about USB buses and devices. [ IPCop GUI ] Hardware monitoring without kernel dependencies. [ IPCop GUI ] A userspace utility for testing the memory subsystem for faults. Networkinterfacecard diagnostic tool. Chip related nic diagnostic tool collection. Control and monitor utility for SMART disks. [ IPCop GUI ]

[ Info ] [ Manual ] [ mbmon ] [ Info ] [ Manual ] [ memtester ] [ Info ] [ Manual ] [ mii-diag ] [ Info ] [ Manual ] [ nic-diag ] [ Info ] [ Manual ] [ smartctl ]

IPCop V1.4.x | Net traffic monitoring


[ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Info ] [ Manual [ Manual [ Manual [ Manual [ Manual [ Manual ] ] ] ] ] ] [ bmon ] [ bwm-ng ] [ cifled ] [ ifstatus ] [ iptraf ] [ jnettop ] v2.1.0 v0.6 v1.0 v1.1.0 v3.0.0 v0.13.0 v1.4 v0.6.0 v0.x v1.4 Portable bandwidth monitor and rate estimator. A live bandwidth monitor. A tool that indicates net traffic on keyboard LEDs. Console-based ethernet statistics monitor. Shows ip-traffic in realtime. Traffic visualiser that displays streams sorted by bandwidth. [ Java GUI ] Monitors net traffic in realtime (Linux daemon). [ Windows client ] Realtime network usage monitor. Replaced by 'cifled' - (IP)Cop InterfaceLED - see above. Traffic monitor that keeps a log of daily network traffic.

[ Info ] [ Manual ] [ nettrafd ] [ Info ] [ Manual ] [ nload ] [ Info ] [ Manual ] [ sifled ] [ Info ] [ Manual ] [ vnstat ]

IPCop V1.4.x | Net analyzer and scanner


[ Info ] [ Manual ] [ hping ] [ Info ] [ Manual ] [ nmap ] v3.0.0 v4.20 TCP/IP packet assembler/analyzer. The ultimate port scanner.

IPCop V1.4.x | Stuff for LCD modules


[ Info ] [ Manual ] [ lcd4ipcop634usb ] v1.5 Adapted LCD4Linux v0.10.1-RC2 for use with Crystalfontz 632/634 USB. Adapted LCD4Linux v0.10.1-RC2 for use with HD44780 based LCD modules. Adapted LCDproc v0.5.2 for use with Crystalfontz 632/634 USB. Adapted LCDproc v0.5.2 for use with HD44780 based LCD modules.

[ Info ] [ Manual ] [ lcd4ipcopHD44780 ] v1.0 [ Info ] [ Manual ] [ lcdproc634usb ] [ Info ] [ Manual ] [ lcdprocHD44780 ] v1.4 v1.0

PDF created with pdfFactory Pro trial version www.pdffactory.com

IPCop V1.4.x | SysInfo GUI Addon What is SysInfo? Like "System Status", SysInfo shows additional information to your hardware. Therefore you can find SysInfo in the "System" menu of the webGUI directly under "System Status". In the current version SysInfo shows more detailed informations about CPU, network interface cards, your system harddisk, PCI- and USB devices, interrupts, BIOS and the status of the currently running processes. [ Download SysInfo v2.4.5 ]

Again, do not install unneeded stuff on a productive firewall!

Installation guidelines:
download addon binary package of your choice from this webpage copy package_name.tar.gz to any directory of your choice ( e.g. to /tmp using WinSCP or SCP [ port 222! ]) go straight to the console or open a console connection ( e.g. via Putty or SSH [ port 222! ] ) login as user root change to the directory you have copied the file to ( e.g. type cd /tmp ) extract the archive ( type tar xvfz package_name.tar.gz ) change to installation directory ( type cd package_name ) to install the addon type ./install -i ( to uninstall type ./install -u )

Installationsanleitung:
lade ein Addon Binary Paket Deiner Wahl von dieser Internetseite kopiere paketname.tar.gz in ein Verzeichnis Deiner Wahl ( z.B. nach /tmp mit WinSCP oder SCP [ Port 222! ] ) gehe nun direkt an die Konsole oder benutze eine Fernkonsole ( z.B. via Putty oder SSH [ Port 222! ] ) melde Dich nun als Benutzer root an wechsle in das Verzeichnis in welches Du das Paket kopiert hast ( bsp. cd /tmp ) entpacke das Paket indem Du tar xvfz paketname.tar.gz eingibst wechsle in das Installationsverzeichnis indem Du cd paketname eingibst mit dem Befehl ./install -i wird das Addon nun installiert ( Deinstallation: ./install -u )

[ Home | IPCop binaries | IPCop links | Projects | hyperCube | Stuff | Disclaimer | Haftungsausschluss | Contact ] http://www.ipadd.de/binary.html

[ 2007 by Tom Eichstaedt ]

PDF created with pdfFactory Pro trial version www.pdffactory.com