gordonf

Forum Replies Created

Viewing 15 posts - 1 through 15 (of 78 total)
  • Author
    Posts
  • in reply to: How to upgrade from 2.0 RC2 ? #54389

    gordonf
    Member

    The first question I’d have is, how are you running 2.0RC and on what kind of hardware.

    I found I was able to upgrade from 1.6 beta to a 3.0 version by just backing up the configuration, then restoring the configuration to a new 3.0 installation. If the hardware (or in my case virtual machine) doesn’t change, it might just work on the first try. Or at least if your network cards are identified in the same order, the device assignments (ETH00 etc) should be the same and your restored config should work.

    Back up a config from the web interface; go to Setup, then Profiles. Select your profile and either backup or backup without logs. Install the new ZS, create a storage partition from Setup, Profiles, then restore your config to it.

    This even seems to work if you’re migrating from a CD-based boot to a hard drive-based boot.

    in reply to: Wanted – VM Tools install for build 3.6.0 #54306

    gordonf
    Member

    Here’s a template for ZS 3.7.1:

    https://www.antiwindowscatalog.com/downloads/zs_ova_371.zip

    Installing VMware Tools on what’s normally a read-only file system isn’t a trivial thing. Mind you, a lot has changed since the 1.6 beta days and maybe an installed version has a read/write file system.

    I’d like to see open-vmtools available as a downloadable module myself. Since 3.6.0 it appears a development kit is available as a module, so maybe someone can put in open-vmtools and no one would have to use a version with proprietary code anymore.

    in reply to: Critical vulnerability #54322

    gordonf
    Member

    http://www.antiwindowscatalog.com/downloads/zs_ova_371.zip

    This can be used as a drop-in replacement for any virtual machine routers running ZS 3.0 or later, maybe even earlier ones. Back up your existing configuration, deploy this template, then restore your config to the new deployment.

    VMware Tools is included, with 10.0.10 pre-installed. Like previous versions you’ll need to create a post-boot script to launch VMware Tools on startup. While VMware kernel modules are already compiled-in, this adds host-based shutdown and restart, and provides some VM monitoring for the host.

    in reply to: problem boot USB UEFI #54170

    gordonf
    Member

    There aren’t any EFI-related components on the ISO image either. The only way this would boot on your EFI system was if it supported legacy BIOS boot.

    in reply to: New Zeroshell 3.5.0 and CVE-2015-7547 vulnerability #54049

    gordonf
    Member

    Long time, no post!

    I just finished a ZS 3.5.0 template with VMware Tools 10.0.6 pre-installed, but I have no way to upload it to my server currently. I also don’t yet have a way to put it on the Wiki I started up, but that’ll come.

    New template download: http://www.antiwindowscatalog.com/downloads/ZS350_OVA_Template.zip (750 MB)

    If anyone has a license to use the new kernels, would you consider testing this template with those once I post it? My previous experience is that one can use a newer kernel, or switch from 32-bit to 64-bit kernel, without needing to reinstall VMware Tools. The kernel modules are already compiled-in, and the Tools installation just provides host monitoring and automated guest OS shutdown.

    in reply to: nat reflection #45433

    gordonf
    Member

    I wouldn’t use both the virtual servers page and the post-boot script. The examples I use are just in the script. That might be part of the confusion as to why it isn’t working as expected.

    I started a Wiki a few months ago and have this article that explains NAT haipinning:

    http://zswiki.pan-am.ca/wiki/NAT_Hairpin

    By the way, both of you (redfive and reaperz) have Admin accounts on this Wiki. Check your private messages for instructions and passwords, and change your passwords right away. You can do anything except make more admins.

    in reply to: Captive Portal: need to add "Terms of Use" #53935

    gordonf
    Member

    I managed to modify the welcome page and provide a terms of use link in a very basic captive portal setup.

    I changed the template with these lines, replacing the existing user, password and domain lines:

        



    if (""=="yes") {document.write("Terms of Use");}

    I also edited the “info” part to read like a Terms of Use:



    Public Wi-Fi Access Terms and Conditions



    (insert your terms of use here)

    The next step is to create a user account in Zeroshell called ‘freeuser’ with a suitable password, and put this password in the template. I used ‘freeuserpassword’ as an example here. At some point, though I can’t find where at the moment, you also need to grant this user permission to log on multiple times, set a number of hours each logon can use, set up matching DHCP leases, and so on.

    The authentication page also lets you upload and use different images for the welcome page, and you can edit the template’s colour scheme directly in the page source.

    This example assumes you aren’t going to use this captive portal for anything but public access, as it uses the built-in example.com realm and doesn’t allow for users other than ‘freeuser’ specified in the template. You might be able to add extra lines to re-enable per-user access and still allow public access.

    Because of the sheer numbers of mobile devices that grace my location, I don’t bother with enabling the pop-up window that displays the timer, instead disabling the timer pop-up for all browsers. The time limit still applies, however. This does behave quite well on random phones, even on my Lumia 830, where the welcome page appears and the Terms of Use link is available to read before hammering that “I agree” button.

    in reply to: VPN with AD authentication #53911

    gordonf
    Member

    I’ve managed to make some third-party things authenticate against Active Directory using Lightweight Directory Access Protocol. For instance I got Openfire Chat to work, and I got some photocopiers to allow access based on AD accounts. Zeroshell isn’t as straight forward; my first attempt didn’t work well.

    I think (though I don’t know) that you could use either LDAP or Kerberos Protocol, but not both. You would make the local LDAP or Kerberos server a proxy for your Active Directory domain, much like you could make ZS DNS use your domain controllers as DNS forwarders. Actually, making K5 or LDAP work right would first require making DNS forwarding work, at least for your AD domain.

    in reply to: Zeroshell as Firewall cum router #53906

    gordonf
    Member

    Are you able to post a copy of your ZS profile to the forum for us to inspect? I’d like to try to reproduce this problem. This seems like such a simple routing problem yet you’re running into ARP errors you shouldn’t.

    If you don’t want your admin password exposed, you could change it to the ZS default before backing it up, then change it back. I’d also suggest backing it up without logs; that will make the profile backup smaller.

    What kind of switch are you using? I have access to Cisco Catalyst and HP Procurve switches to test against, both of which are L3 capable.

    in reply to: New Zeroshell 3.4.0 #53892

    gordonf
    Member

    http://www.antiwindowscatalog.com/downloads/ZS340_OVA_Template.zip (602 MB)

    This is the stock ZS installation using the same VMware Tools hack as before. It seems to work with the stock kit, but I haven’t had a chance to try any packages.

    in reply to: New Wiki for ZS Documentation #53797

    gordonf
    Member

    The thing is considerably slower than most because it’s running on an AMD N40L processor. It’s a glorified laptop with more RAM and a RAID controller running vSphere 5. Since it’s a virtual machine, I don’t have a problem with someone else hosting it if they have the resources.

    Ask myself or five other admins in a private message on this forum for an account, as my first attempt got spammed to death. The only thing a user can’t do is make more users and mess with the database directly.

    I’ll make one for you straight away, and I’ll send you a temporary password in a private message.

    It is just started really. I’m making articles with my own experiences only. So please, do consider contributing.

    in reply to: Zeroshell as Firewall cum router #53899

    gordonf
    Member

    As long as your L3 switch is doing the basic routing for the other VLANs, you need to tell that switch to use the ZS ETH01 IP as its own default gateway.

    Then you need to add three static routes on ZS back to your L3 switch’s VLAN 1 IP. This is the step that a lot of people forget, because it makes intuitive sense to add routes out, but it doesn’t make intuitive sense to add routes back in.

    The resulting routing table in ZS should look something like this:

    Destination     Gateway        Genmask        Iface
    0.0.0.0 10.10.10.1 0.0.0.0 ETH00
    10.10.10.0 * 255.255.255.0 ETH00
    172.22.128.0 * 255.255.252.0 ETH01
    172.22.150.0 172.22.128.1 255.255.255.0 ETH01
    172.22.160.0 172.22.128.1 255.255.255.0 ETH01
    172.22.170.0 172.22.128.1 255.255.255.0 ETH01

    …in addition you’ll see VPN99 or other interfaces that won’t affect you unless you’re actually using them.

    (Edit: I’m used to using ETH00 as my inside interface and ETH01 as my outside, but either way works I think.)

    in reply to: Slowing down p2p traffic with L7 or other methods #46328

    gordonf
    Member

    This older discussion brings up a question on throttling in general.

    If P2P software insists on being all cloak-and-dagger-y to evade Layer 7 filters, how about throttling based on source IP instead? “Well my son/daughter, if you insist on running BitTorrent you can suffer with dial-up speeds for everything. And that includes YouTube.”

    Yes this is me being the evil ISP. Too bad: This is my network.

    The trick would be finding out where the threshold is. Streaming a YouTube video at 1080p 60fps or watching some 2 hour movie in HD on Netflix would ideally not trip the throttle. And if that means P2P would throttle itself in order to avoid tripping the router throttle, then I’ve succeeded.

    How would I go about this in ZS 3?

    in reply to: captive portal for one vlan with Cisco router as a gateway #53531

    gordonf
    Member

    Let’s see if this helps:

    To force traffic from VLAN 10 through the ZS transparent proxy, the ZS router must be the default gateway for hosts on VLAN 10. This will mean either changing the gateway setting on the hosts, or changing the ZS VLAN 10 connection’s IPv4 address to match the original gateway setting.

    Next you make a virtual interface on your Cisco 1921. I don’t remember the syntax, but the end result is you end up with an interface named ‘fe0.110’ for a hypothetical VLAN 110. Give this a unique IPv4 address, and change the default gateway setting on the ZS VM to use it.

    This makes traffic from VLAN 10 pass through the ZS VM, get filtered, then directed out VLAN 110 to the 1921 router and out to the net. No one but the 1921 and ZS would see VLAN 110 as long as you don’t assign any access switchports to it.

    The VLAN 1 connection to the ZS VM is optional, it appears. You could keep it if you wanted to, I suppose, for administering the ZS installation.

    (Has it really been ten months? Wow, I’m slow.)

    in reply to: Squid is not logging everything #53884

    gordonf
    Member

    When I try to use the transparent proxy to find and isolate ad network domains, I’m finding that https protocol is not being filtered. Perhaps the Facebook links are using this.

    This is a limitation of the transparent proxy. There are some long and hazardous workarounds to it but, as the HAVP forum header suggests, it hasn’t been developed in a long time. I think it has to do with the proxy having to impersonate the secure server somehow.

    If the proxy could be specified as an explicit proxy, such that you could add it as a setting in your browser (and enforce it in Group Policy if you use Windows), it might be possible to filter these.

    It might also be time for ZS to use a different proxy solution if HAVP isn’t being developed anymore.

Viewing 15 posts - 1 through 15 (of 78 total)