Forum Replies Created
There’s another way to restrict p2p traffic: create QoS classes with high priority and enough bandwidth for known services, such as DNS, HTTP, ICMP, SMTP, etc. In the classifier, assign them to the corresponding protocols and ports. All remaining traffic, including BitTorrent, will have low priority and bandwidth.
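The class-based approach described in the reply above, written out as a stand-alone Linux HTB script (an added example, not the poster's code and not Zeroshell's own QoS implementation). Known services get a high-priority class with guaranteed bandwidth; every packet no filter claims lands in the low-priority default class and only gets what is left over. The interface name, link rates and port list are placeholders; DRY_RUN=1 prints the tc commands instead of executing them, since tc needs root.

```shell
#!/bin/sh
# Added example (not from the post): HTB priority classes on a router's upstream
# interface. Known services -> class 1:10 (prio 0, 7mbit guaranteed);
# everything else, p2p included -> class 1:20 (prio 7, 3mbit guaranteed).
# Assumptions: interface, rates and ports below are placeholders.
# DRY_RUN=1 prints the tc commands instead of executing them (tc needs root).

IFACE="${IFACE:-eth0}"
TOTAL="${TOTAL:-10mbit}"   # rate actually available on the link (shape just below it)
HIGH="${HIGH:-7mbit}"      # guaranteed to known services
LOW="${LOW:-3mbit}"        # guaranteed to everything else
KNOWN_PORTS="53 80 443 25" # DNS, HTTP, HTTPS, SMTP; ICMP is matched by protocol below

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup_qos() {
    run tc qdisc del dev "$IFACE" root 2>/dev/null || true
    # HTB root; 'default 20' sends every packet no filter claims to class 1:20.
    run tc qdisc add dev "$IFACE" root handle 1: htb default 20
    run tc class add dev "$IFACE" parent 1: classid 1:1 htb rate "$TOTAL" ceil "$TOTAL"
    # Lower prio value = served first when both classes compete for spare bandwidth.
    run tc class add dev "$IFACE" parent 1:1 classid 1:10 htb rate "$HIGH" ceil "$TOTAL" prio 0
    run tc class add dev "$IFACE" parent 1:1 classid 1:20 htb rate "$LOW" ceil "$TOTAL" prio 7
    # Classifier: TCP (6) and UDP (17), to or from each known port -> 1:10.
    for port in $KNOWN_PORTS; do
        for proto in 6 17; do
            for dir in dport sport; do
                run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
                    match ip protocol "$proto" 0xff match ip "$dir" "$port" 0xffff flowid 1:10
            done
        done
    done
    # ICMP (protocol 1): small but latency-sensitive, keep it in the fast class.
    run tc filter add dev "$IFACE" parent 1: protocol ip prio 1 u32 \
        match ip protocol 1 0xff flowid 1:10
    # Nothing is steered to 1:20 explicitly: it is the catch-all for p2p and the rest.
}
```

Run `setup_qos` as root, then `tc -s class show dev "$IFACE"` to see bytes accumulating in 1:10 and 1:20. Note that a qdisc on an interface shapes only what leaves through it; to limit download traffic the same way you would shape the LAN-side interface, or redirect ingress to an IFB device.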
If you did a backup before installing Snort, you can reinstall Zeroshell and restore the profile from that backup.

November 10, 2009 at 8:28 pm in reply to: How to block all internet traffic from an internal Fixed IP #49069
Maybe there are other rules that permit this traffic? It’s better to place this rule:
I created another rule with Source 192.168.1.25 no target and interface and drop or reject
at the very beginning of the FORWARD chain; make it number 1.
I think one rule will be sufficient. Also mark any days you need inside this rule.
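The rule placement advised in the reply above, as iptables commands with a check that the DROP really is rule number 1 of FORWARD (an added example, not the poster's code; Zeroshell builds its own rules from the web interface). A rule appended at the end is useless if an earlier ACCEPT already matches the host. 192.168.1.25 and ETH00 come from the thread; the weekday list and the sample chain listings are constructed placeholders. DRY_RUN=1 prints commands instead of executing them, since iptables needs root.

```shell
#!/bin/sh
# Added example (not from the post): insert a DROP for one internal host at the top
# of FORWARD, optionally limited to certain weekdays, and verify its position.
# Assumptions: host/interface from the thread; weekdays and samples are constructed.
# DRY_RUN=1 prints commands instead of executing them (iptables needs root).

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# block_host HOST [WEEKDAYS]    e.g. block_host 192.168.1.25 Mon,Tue,Wed,Thu,Fri
block_host() {
    if [ -n "$2" ]; then
        # -I FORWARD 1 inserts at the top; -m time --weekdays limits it to those days.
        run iptables -I FORWARD 1 -s "$1" -m time --weekdays "$2" -j DROP
    else
        run iptables -I FORWARD 1 -s "$1" -j DROP
    fi
}

# first_rule_drops HOST: reads `iptables -S FORWARD` output on stdin and succeeds
# only when rule 1 (the line after the chain policy) drops HOST.
first_rule_drops() {
    sed -n '2p' | grep -q -- "^-A FORWARD -s $1/32 .*-j DROP$"
}

# Constructed samples of `iptables -S FORWARD` output (not captured from a real box).
GOOD_RULES='-P FORWARD ACCEPT
-A FORWARD -s 192.168.1.25/32 -j DROP
-A FORWARD -i ETH00 -j ACCEPT'

# Same rules in the wrong order: the ACCEPT on ETH00 matches first, the DROP never fires.
SHADOWED_RULES='-P FORWARD ACCEPT
-A FORWARD -i ETH00 -j ACCEPT
-A FORWARD -s 192.168.1.25/32 -j DROP'
```

On the router the check is `iptables -S FORWARD | first_rule_drops 192.168.1.25 && echo "rule 1 drops the host"`; `iptables -L FORWARD -n --line-numbers` shows the same thing by eye.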
According to this article: http://www.thinkwiki.org/wiki/How_to_install_the_development_version_of_atk9k the DWA-522 requires the ath9k driver. I think it is not included by default in the Zeroshell kernel.
If I’m not mistaken, ZS can proxy requests to an external RADIUS server only for authenticating WPA clients, not system accounts. ZS users authenticate against the local Kerberos server.
Thanks to the use of Kerberos 5, Zeroshell can establish trust relationships with other realms (these are what the authentication domains in Kerberos 5 are called) and allow users in a domain to access the resources and services of another domain.
But I’m afraid MikroTik doesn’t provide Kerberos functionality.
Does [Proxy Log] button show anything?
I think more information can be viewed via ssh if you invoke the command
If you NAT on the internal interface, connections from the WAN will all have the same IP address. It is not very convenient when analysing log files or using access rules on the web server. So I use the DNS method.
Try to add a port forward rule for the internal (ETH00) interface.
– virtual server = eth00/EXTERNAL.IP.ADDR tcp 80 192.168.1.4:80
Or, if your LAN uses a local DNS server, add an A record for the web server’s domain name pointing to 192.168.1.4; this can be easily done via the ZS web interface.
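The two netfilter rules behind a port forward on the internal interface ("hairpin NAT"), written out so the side effect mentioned in the reply above is visible (an added example, not the poster's configuration and not what Zeroshell generates internally). The second rule is what makes every LAN client show up on the web server as the router's address. eth00, 192.168.1.0/24 and 192.168.1.4 follow the thread; 203.0.113.10 stands in for EXTERNAL.IP.ADDR. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the post): hairpin NAT for a LAN client reaching an
# internal web server through the router's external address.
# Assumptions: interface/network/server from the thread, external IP is a placeholder.
# DRY_RUN=1 prints the commands instead of executing them (iptables needs root).

run() { if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# hairpin_nat LAN_IF LAN_NET EXT_IP SERVER_IP PORT
hairpin_nat() {
    lan_if="$1"; lan_net="$2"; ext_ip="$3"; server="$4"; port="$5"
    # 1. Rewrite the destination: LAN client -> EXT_IP:port becomes -> SERVER:port.
    run iptables -t nat -A PREROUTING -i "$lan_if" -d "$ext_ip" -p tcp --dport "$port" \
        -j DNAT --to-destination "$server:$port"
    # 2. Rewrite the source of those hairpinned flows so the server answers via the
    #    router. Without it the server replies straight to the client on the same LAN,
    #    the client sees a reply from SERVER instead of EXT_IP and drops it.
    #    This is the step that hides the real client IP from the server's logs.
    run iptables -t nat -A POSTROUTING -o "$lan_if" -s "$lan_net" -d "$server" \
        -p tcp --dport "$port" -j MASQUERADE
}
```

Usage on the router: `hairpin_nat eth00 192.168.1.0/24 EXTERNAL.IP.ADDR 192.168.1.4 80`, then `iptables -t nat -vnL` to watch the counters. If the server needs the true client addresses, the split-DNS approach from the reply (an A record for the name pointing at 192.168.1.4 on the LAN-side DNS) avoids the MASQUERADE entirely.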
By default the “POSIX” locale is used.
If the output of your locale command differs, set the values of the corresponding variables using the export command.

October 15, 2009 at 3:24 pm in reply to: Is it possible to auto provision clients in ZeroShell? #48927
There are hundreds of bash scripts in that folder. They automate many operations, such as adding new firewall rules, QoS rules, managing network interfaces, etc.
For example run
/root/kerbynet.cgi/scripts/dhcp_addstatic 00 192.168.10.10 AA:BB:CC:DD:EE:FF
to add a new static DHCP entry.
Remote execution of those commands can be done via ssh:
ssh root@ZEROSHELL.IP.ADDRESS "/root/kerbynet.cgi/scripts/command_to_run ARG1 ARG2 ARG3"
To enable remote login via ssh without typing the root password you can do the following steps (manual copied from a page that cannot be found on the web anymore):
SSH to your ZeroShell firewall and login as “admin”, then drop to a shell with “S”.
In the “/Database” directory, create a directory called “startup”.
Copy “/etc/ssh/sshd_config” to “/Database/startup/sshd_config”.
Edit “/Database/startup/sshd_config” and comment out “AllowUsers admin”, then uncomment “#AuthorizedKeysFile .ssh/authorized_keys” and save the file, e.g.
# AllowUsers admin
On your other machine:
Run “ssh-keygen -t rsa” to generate a public / private key pair, in “/root/.ssh/id_rsa”
DO NOT ENTER A PASSPHRASE
Copy the contents of “/root/.ssh/id_rsa.pub” using your fav editor to the ZeroShell “/Database/startup/.ssh/authorized_keys” file.
Create a startup script, “/Database/startup/rc.local” and paste in the following (modify YOUR_ROOT_PASSWORD below)
/bin/cp /Database/startup/sshd_config /etc/ssh/sshd_config
/bin/cp -Rp /Database/startup/.ssh /root/.ssh
echo "root:YOUR_ROOT_PASSWORD" | /usr/sbin/chpasswd
/sbin/service sshd restart
Login to your ZeroShell web admin and navigate to “Setup”, then “Startup”
Enable the startup configuration and add “/Database/startup/rc.local” to the Pre-boot startup script and save it.
Reboot your ZeroShell firewall.
You should now be able to SSH in as “root” with the password set above and drop to a shell prompt.
Check that an SSH connection from your LAN box to your ZeroShell firewall returns a “root@ZS root>” prompt without prompting for a password, e.g.
ssh -i /root/.ssh/id_rsa root@ZEROSHELL_IP
This is not very secure but works for me.

October 14, 2009 at 9:47 pm in reply to: Is it possible to auto provision clients in ZeroShell? #48925
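For the SSH procedure in the October 15 post above (a passphrase-less root key plus the root password stored in rc.local), here is an added example of a forced-command wrapper that narrows that key to the kerbynet script calls the post uses for provisioning. It is not the poster's code and not part of Zeroshell. Instead of a key that opens a full root shell, the authorized_keys entry pins the key to this script; sshd then ignores whatever the client asked to run and starts the script with the request in SSH_ORIGINAL_COMMAND. The script location (/Database/startup/zs-cmd), the key comment and the from= LAN range are assumptions; the dhcp_addstatic call signature is the one shown in the post.

```shell
#!/bin/sh
# Added example (not from the post): forced-command wrapper for a provisioning key.
# Assumed authorized_keys line (one line; key and LAN range are placeholders):
#   from="192.168.1.0/24",command="/Database/startup/zs-cmd",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-rsa AAAA... provisioning@lanbox
# Only an allow-list of /root/kerbynet.cgi/scripts commands with validated
# arguments ever reaches exec; everything else is logged and rejected.

SCRIPTS_DIR="${SCRIPTS_DIR:-/root/kerbynet.cgi/scripts}"

is_ifnum() { printf '%s\n' "$1" | grep -Eq '^[0-9]{2}$'; }               # "00" for ETH00
is_mac()   { printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
is_ipv4()  {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) exit 1 }'
}

# validate_request "dhcp_addstatic 00 192.168.10.10 AA:BB:CC:DD:EE:FF"
# Prints the absolute command line to run and returns 0 if the request is on the
# allow-list with well-formed arguments; returns 1 and prints nothing otherwise.
validate_request() {
    set -f              # no globbing while splitting the request into words
    set -- $1
    set +f
    case "$1" in
        dhcp_addstatic)
            [ $# -eq 4 ] && is_ifnum "$2" && is_ipv4 "$3" && is_mac "$4" || return 1 ;;
        *)  return 1 ;;
    esac
    # Every token passed the checks above, so it contains only [0-9A-Za-z.:] and
    # can be re-split safely by the caller; shell metacharacters never get this far.
    printf '%s %s %s %s\n' "$SCRIPTS_DIR/$1" "$2" "$3" "$4"
}

# Entry point when started by sshd as the forced command.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if cmd=$(validate_request "$SSH_ORIGINAL_COMMAND"); then
        logger -t zs-cmd "allowed: $cmd" 2>/dev/null || true
        set -f; set -- $cmd
        exec "$@"
    fi
    logger -t zs-cmd "rejected: $SSH_ORIGINAL_COMMAND" 2>/dev/null || true
    echo "request rejected" >&2
    exit 1
fi
```

From the LAN box, `ssh -i /root/.ssh/id_rsa root@ZEROSHELL_IP "dhcp_addstatic 00 192.168.10.10 AA:BB:CC:DD:EE:FF"` runs the script exactly as in the post, while an interactive `ssh root@ZEROSHELL_IP` with that key gets no shell (no-pty, rejected request). With this in place the sshd_config copied to /Database/startup can keep root key-only via `PermitRootLogin without-password` (the OpenSSH spelling accepted by old and new versions alike), so the chpasswd line in rc.local is no longer needed.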
Maybe it’s better to use an existing billing system and only write some custom rules to communicate with the zeroshell router? Backend scripts are located in the folder /root/kerbynet.cgi/scripts/.
You can restrict access to the ZS web interface via the menu [Setup]->[HTTPS].

September 28, 2009 at 8:18 am in reply to: [OPENVPN] Host-to-LAN VPN client can not access intranet #48820
Have you enabled NAT on the LAN interface of ZeroShell (ETH00)?
What are your firewall configuration and routing table?
You can force Windows to wait for network initialization as described, for example, here: http://www.boyce.us/gp/gpcontent.asp?ID=39
You can use the pfSense distribution. It features the Squid proxy + the squidGuard module. But pfSense lacks some other features that ZS has.