If you are linking to the html version of this FAQ, please use the following format:
http://ipcops.com/faq/ipcop_faq.html#[Section#]
Where Section# is 1.2, 1.5.1, etc.
If you wish to contribute or request additional FAQs/tutorials, please see chapter 6.
This FAQ is in the process of being translated into a Wiki. Once the translation has been completed, this FAQ
will be updated to point to the appropriate Wiki page. Please note, as this work is done after my full time job,
it may take time for the entire translation to happen. Your patience during this time is greatly
appreciated.
THIS DOCUMENTATION IS PROVIDED ’AS IS’ AND IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION OR THE ASSOCIATED SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Embedding this document on another site is prohibited. If you are reading this document and do not see a url starting with http://ipcops.com/faq, then report this to ds531 on ipcops.com.
Check all of the following
Make sure that you do not have a subnet overlap. Your Red and Green subnets must be different.
See section 1.1.2.
Make sure each zone uses a different switch. If you have one switch connecting multiple zones, you defeat the
point of using a firewall.
Please see section 1.4.1.
Now place your cards in KNOWN working slots and boot/install IPCOP as usual.
You must enable External Access to IPCOP. This is done by Firewall – External Access.
Many ISPs block port 445 due to a known Windows flaw. Most ISPs will deny blocking any port, but if you
ask them specifically about port 445 they will admit it. Trying to get your ISP to open this port for you will get you very
little progress. Instead, change your SSL port on IPCOP.
See section 1.2.14.
To change your setup, login via the console and type 'setup'.
Unlike ISA and EISA cards, PCI cards do not select their own IRQ line. Instead they can only select one of four
’interrupt pins’, which are mapped by the motherboard chipset to IRQ lines. That is, only the motherboard
BIOS knows how the INT to IRQ mapping is wired, and thus only the BIOS can change the IRQ mapping for
the card. The IRQ mapping is usually configured at boot time by the PCI BIOS setup, with the exact
assignment algorithm being BIOS-specific.
In what order are PCI cards detected? There is no fixed rule, but use the following guidelines:
IPCOP supports all NICs that are supported under the Linux 2.4.34 kernel. While it is possible to modify IPCOP
to support other Gigabit ethernet NICs, not many ISPs support speeds greater than 200 Mbps. While Gigabit
ethernet NICs might speed up data transfers between Green, Blue and Orange, most times your limiting factor
will be hard drive read/write speeds.
Edit /var/ipcop/proxy/acl and add the required lines to allow your second subnet/LAN.
IPCOP has a built-in Dynamic DNS update client. To use it correctly, you must understand how IPCOP reads
your hostname. For example, if your host name is
1.1.1 I just downloaded IPCOP but it will not install. Help!
1.1.2 I am trying to use IPCOP in a testing environment but I can not access the Internet. What is
wrong?
1.1.3 I have a Red-Blue-Green setup but I can not access computers on Blue from Green.
Help!
1.1.4 I have a Red-Orange-Green setup connected by a switch. None of my computers can access the
Internet, why?
1.1.5 Is there any way I can disable NAT on IPCOP?
1.1.6 IPCOP will not recognize all of my NICs, what do I do?
(make sure it is a 10/100 NIC which is supported in the Linux 2.4.34 kernel, use a Linux LiveCD
which uses the Linux 2.4.34 kernel to check if your NIC is supported)
This slot is good
This slot is BAD, make a note
1.1.7 How do I SSH into IPCOP?
Check the System Status page (Status – System Status) and make sure Secure Shell Server is
running.
1.1.8 How can I remotely access the web interface?
1.1.9 I have enabled remote access to the web interface but I can’t connect. What’s wrong?
1.1.10 How do I change my SSL port for the web interface?
1.1.11 How do I change my setup type after install?
1.1.12 My NIC won’t work, what do I do? (PCI IRQ Conflicts)
1.1.13 I want to use Gigabit ethernet NICs. Does IPCOP support Gigabit ethernet NICs?
1.1.14 I have added a second subnet/LAN to IPCOP. How do I get the web proxy to allow web
request?
1.1.15 How do I setup Dynamic DNS on IPCOP?
http://Example1.Dyndns.org
Your hostname is Example1 and your domain is Dyndns.org.
Port Forwarding is for accessing computers behind IPCOP.
IPCOP uses Apache[5] (an open source web server) to display the web interface to you. Without the web server,
you would be unable to access/control IPCOP via your web browser. By default, only Green (and Blue if
enabled through Blue Access) can access the web interface.
IPCOP does not support UPNP.
IPCOP does not support Port Triggering.
First configure IPCOP to use a static IP address (see section 1.1.11). Once you have done that,
go to the Alias page (Network – Alias) and add the additional IP addresses you want IPCOP to
use.
By default, IPCOP will send all traffic out through the default IP address. You can use a mod called
SNATGui[6] to have a particular computer send out via one of your Alias IPs.
Make sure you have enabled SSH via the web interface. Copying over files must be done through SFTP. For
Windows users, use WinSCP[7] [see section 3.8 for more information on WinSCP].
To successfully test your IPCOP setup, you MUST be OUTSIDE of your network. If you are inside your
network and attempt to use your Red address, the results that you get will not be accurate. For troubleshooting
directions, please see section 1.5.4.
Some older websites/programs use port 113 (Ident) to check if a remote computer exists on the connection. For
this reason, IPCOP by default responds to port 113 with a closed response. If you want IPCOP not to respond
to port 113, do the following:
The steps to make your graphs work again are as follows:
Traffic graphs should now be fixed.
IPCOP updates need to be applied in the correct order. If you have a 1.4.5 install and the current version is
1.4.10, then you must apply the patches in the correct order (i.e. 1.4.6, 1.4.7, 1.4.8, etc) and reboot as required
(so new kernels are applied).
Make sure you have enabled SSH via the web interface. Editing files must be done through SFTP. For Windows
users, use WinSCP[7] [see section 3.8 for more information on using WinSCP].
You have several options to change the ports IPCOP uses:
Please also see 1.8.3 for information on command line control over external access.
If you chose to edit the files manually, use the following steps:
The External Alias menu is shown in the web interface only when IPCOP’s Red interface is set to Static. To
access the External Alias menu and set multiple IP addresses, do the following:
During install of IPCOP, you were prompted to create a password for several accounts. These accounts have
specific uses described below:
You need to manually edit several files, use the following steps:
If you enabled External Access, update the rules to reflect your new SSH port.
To be able to change settings through the GUI, IPCop requires your browser to send referer information. If the browser
does not send it, modifications are ignored and 'Invalid referer: doesn't match servername!' is logged.
Referer settings can be found and modified as follows: in Firefox open about:config, search for network.http.sendRefererHeader
and change it from 0 to 1 (or 2, which is the default). In Opera go to Tools -> Preferences -> Network and tick 'Enable
referrer logging'.
Allan Kissack has a great site with multiple traffic graph mods[11]
If you are using a cable modem, your ISP may be locking you to one IP address at a time. First try power
cycling your cable modem. If that does not work, then you have two options:
To change your MAC address (version 1.4.x):
It has been reported that a high number of connections through IPCOP can cause problems. One way to prevent
IPCOP from crashing is by lowering the maximum number of connections your p2p/bittorrent client will
use.
There are two ways
Using the Host page option will overwrite any changes to /etc/hosts.
The builtin traffic shaper has three classes of priority. By default, traffic that does not have an
assignment (i.e. ports not specified through the web interface) will have the Normal priority. This
setup allows you to specify which traffic you want to have a higher or lower than Normal (or bulk)
priority.
Change the Red MTU by adding the following line to /etc/ppp/ip-up:
system('/sbin/ifconfig ppp0 mtu 1458');
If you are getting the following error:
1.2 Administrating IPCOP
1.2.1 What is the difference between Port Forwarding and External Access?
External Access is for accessing IPCOP itself.
For information on allowing traffic between interfaces, see Figure 1.1.
1.2.2 I just looked at my status page and noticed I am running a web server. What is it and how do I stop
it?
1.2.3 My consumer router has UPNP, how do I enable it on IPCOP?
1.2.4 My consumer router has Port Triggering, how do I enable it on IPCOP?
1.2.5 I have multiple IP addresses from my ISP. How do I configure IPCOP to respond to all of
them?
1.2.6 I have added IP addresses to the Alias page but all of my requests come from one IP address. How
do I change this?
1.2.7 How do I copy a file over to IPCOP?
1.2.8 How do I test port forwarding, external access, and/or my firewall for open ports?
1.2.9 When I do a port scan, IPCOP shows port 113 is closed. How do I make port 113 unreplied?
1.2.10 What traffic is allowed between interfaces?
1.2.11 My traffic graphs are not updating, what do I do?
1.2.12 I am trying to update IPCOP, do I have to apply all patches in order?
1.2.13 How do I edit files on IPCOP?
1.2.14 How do I change the http and https ports IPCOP uses?
(on Windows connect using Putty[10] [see section 3.9 for more information on using Putty])
1.2.15 How do I set multiple public IP addresses with my PPPoE/PPPoA connection?
1.2.16 How do I login to IPCOP?
1.2.17 How do I change the port IPCOP uses for SSH?
1.2.18 I am receiving the following error message when trying to change settings in the web GUI: ’Invalid
referer: doesn’t match servername!’
1.2.19 I don’t like the builtin graphs, where can I get better graphs?
1.3 Using IPCOP
1.3.1 I just installed IPCOP and I can not get an IP Address from my ISP. Help!
For install directions, please see the readme file.
Example: ifconfig eth0 hw ether 01:02:03:04:05:06
1.3.2 IPCOP keeps crashing when I use p2p/bittorrent clients, what do I do?
1.3.3 How do I add a custom host to IPCOP’s DNS?
1.3.4 How do I use the builtin traffic shaper?
1.3.5 How do I change my MTU settings?
1.3.6 I am getting a Snort ’Oink Oink’ error, how do I fix it?
Loading /var/ipcop/snort/oinkmaster.conf
/usr/local/bin/oinkmaster.pl: Error: the output directory "/etc/snort/rules" isn't writable by you. Oink oink. Exiting...
You need to do the following:
cd /etc/snort
chown snort:snort rules
cd rules
chown snort:snort *
To fix this, you will need to edit ’/usr/local/bin/snortrules.pl’
and replace with
To remove the old certs and generate new certs
To run OpenVPN-GUI on Vista:
run /bin/openvpn-gui.exe as administrator
add the following two lines to the config file:
route-method exe
route-delay 2
As you found out, it works, but the ADD ROUTE command fails - the above changes will fix that (it’s a
known bug in VISTA/OPENVPN-GUI).
Please take a look at the documentation located on the Zerina site
1.3.7 Snort fails after rules update, what do I do?
1.3.8 How do I rebuild my Zerina certificates?
1.3.9 How do I run OpenVPN on Vista?
1.3.10 How do I control access for VPN clients to my servers?
http://zerina.de/zerina/?q=documentation/howto-bot-zerina
Make sure you have read over the Blue Mantra
The ipcop firewall has a caching dns proxy built in, and you need to understand how this affects your DNS
configuration.
If your clients in green need to resolve IP addresses for servers in Orange, add these IP addresses and names
into your DNS in green.
IPCOP by default is a NAT router. You can configure IPCOP to map IP addresses using SNATGui[6] or use a
firewall which supports 1:1 NAT such as Pfsense[14].
Before a computer can access the web from the Blue zone, it must be added to Blue Access page. You can add
the IP address and/or the MAC address of the computer in question. Once this has been added, the computer
should be able to access the Internet. If you are using a wireless router, please see the tutorial in section
3.2.
While there exists some mods, such as CopSpot[15], to add Captive Portal features to IPCOP, other firewall
products such as Pfsense[14] have Captive Portal built in. While you can mod IPCOP to support Captive
Portal, Pfsense offers a better working solution. Any mods you do to IPCOP may break with IPCOP upgrades
(see section 1.7.2).
As of the current version (1.4.21), IPCOP does not support multiple WAN interfaces. While it is
possible to hack IPCOP to use multiple WAN interfaces, you will most likely do more damage
to the Iptables in the process. Other firewall products, such as Pfsense[14], do support multiple
WAN interfaces. There are hints that IPCOP version 1.5 will support multiple types of the same
interface.
Please see section 1.4.4.
As of the current version (1.4.21), IPCOP does not support multiple types of the same interface. While it is
possible to create more than one of each interface, you will most likely do more damage to the Iptables in the
process. Extra Interfaces[16] allows you to create up to four (4) additional Grey interfaces. Pfsense[14] does
support multiple NICs of any type (32 at maximum). There are hints that IPCOP version 1.5 will support
multiple types of the same interface.
By default, the current version of IPCOP (1.4.21) does not block outbound traffic. You can use a mod called
Block Out Traffic (BOT)[17] to define what traffic is allowed outbound.
Many programs will attempt to use other ports including ports 80 (http) and 443 (https) if the default port is
blocked. There are a few things you can do:
Cron jobs are Unix/Linux automated jobs. The layout of the Cron is as follows:
1.3.11 I have added a computer to Blue but it is not connecting to the Internet. What do I
do?
1.3.12 How do I use DNS servers with IPCOP (i.e. which to specify for each interface)?
1.4 Advanced IPCOP setups
1.4.1 How do I configure IPCOP to work in 1:1 NAT mode?
1.4.2 I added a wireless access point to the Blue NIC and I can’t access the web. What’s
wrong?
1.4.3 How do I configure IPCOP to force registration of wireless users before they can access the Internet
(a.k.a. I want a Captive Portal on IPCOP)?
1.4.4 How do I use multiple WAN interfaces with IPCOP?
1.4.5 How do I configure IPCOP to support load balancing?
1.4.6 How do I setup multiple of the same type of interface?
1.4.7 I want to prevent outbound traffic, how do I do this?
1.4.8 I have blocked port Y but program X can still connect to the Internet. How do I block program X
from connecting?
While this seems unreasonable it has a purpose and is the most effective way to block program X.
If you are a business and/or parent, you own the machine and are allowed to control what happens
on it.
For example, to block AIM you could block all access to AOL's servers.
1.4.9 What are Cron Jobs/How do I edit IPCOP's Cron Jobs?
# Use the pound character to delimit a comment
# +---------------- minute (0 - 59)
# | +------------- hour (0 - 23)
# | | +---------- day of month (1 - 31)
# | | | +------- month (1 - 12)
# | | | | +---- day of week (0 - 7) (Sunday=0 or 7)
# | | | | |
# * * * * * command to be executed
To edit IPCOP’s Cron jobs:
Login to IPCOP's console and type 'fcrontab -e'
If you are going to setup multiple NAT routers behind IPCOP, make sure each router is using a
different subnet. If you would like IPCOP to be able to forward traffic to a particular client not
on IPCOP’s subnet, you will need to add route statements so IPCOP knows how to route the
traffic.
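The subnet-overlap check in section 1.1 (Red and Green must use different subnets) and the note above about NAT routers behind IPCOP both come down to one rule: no two subnets may overlap. The following POSIX sh script is an added example, not code from the IPCop FAQ or the IPCop project, that tests a list of CIDR subnets pairwise and reports every overlapping pair; the addresses in the demo are constructed. It needs nothing beyond the shell, so it can be run on any workstation before the zones are assigned.

```sh
#!/bin/sh
# Added example, not from the IPCop FAQ: check that subnets in CIDR notation
# do not overlap before assigning them to Red/Green/Blue/Orange or to NAT
# routers behind IPCop. POSIX sh arithmetic only.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip4_to_int() {
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed (return 0) if the two CIDR subnets share at least one address.
# Two networks overlap exactly when they agree on the shorter of the two prefixes.
cidr_overlap() {
  case $1 in */*) ;; *) echo "not CIDR: $1" >&2; return 2;; esac
  case $2 in */*) ;; *) echo "not CIDR: $2" >&2; return 2;; esac
  n1=$(ip4_to_int "${1%/*}"); p1=${1#*/}
  n2=$(ip4_to_int "${2%/*}"); p2=${2#*/}
  p=$p1; [ "$p2" -lt "$p" ] && p=$p2
  [ "$p" -eq 0 ] && return 0                       # a /0 covers everything
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))  # netmask for the shorter prefix
  [ $(( n1 & mask )) -eq $(( n2 & mask )) ]
}

# Report every overlapping pair in the argument list; return 1 if any overlap.
check_no_overlap() {
  status=0
  while [ $# -gt 1 ]; do
    first=$1; shift
    for other in "$@"; do
      if cidr_overlap "$first" "$other"; then
        echo "OVERLAP: $first and $other" >&2
        status=1
      fi
    done
  done
  return $status
}

# Demo with constructed addresses: Red on a documentation-range /24, Green and
# Orange on private /24 networks.
check_no_overlap 203.0.113.0/24 192.168.1.0/24 192.168.2.0/24 && echo "no overlap found"
```

A downstream NAT router whose LAN lands inside IPCOP's Green subnet is exactly the case this catches: the route statement the FAQ mentions cannot fix an address range that is claimed by two networks at once.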
There was an addon called Banish[19]. The last version of Banish available is hosted here[20].
1.4.10 Multiple NAT routers behind IPCOP
1.4.11 How do I block inbound traffic from repeat offenders?
1.4.12 How do I allow the ’dial’ user to access more IPCOP web interface pages?
AllowOverride None
Options None
AuthName "Restricted"
AuthType Basic
AuthUserFile /var/ipcop/auth/users
Require user admin
<Files index.cgi>
Satisfy Any
Allow from All
</Files>
<Files credits.cgi>
Satisfy Any
Allow from All
</Files>
<Files dial.cgi>
Require user a