Just been reading an interview with Gilles Espinasse, the IPCop's release manager. The next version has some interesting features. I especially like the fact that in version 1.5 it will be possible to include two or more interfaces to a zone.
Yes, me too! IPCop is a great distro, and I am always confident deploying it. Having such a feature will completely elliminate the rare cases where I'd deploy a commercial product instead.
BlockOutTraffic is exactly what I need! I can stop other tenants from using p2p software and stealing bandwith :devil: Is BOT hard to set up?
Nope. There's two ways to do it: either 1) with the included Slackware-style installer or 2) it's also a registered addon with the IPCop addon engine, so you can install it through the addon GUI. I recommend the latter choice, because it'd be easier to manage updates after the initial installation.
[ot]Block Chinese hackers? LOL [/ot] I've got all the parts now so I'll be building the server this weekend
Well it's all hooked up and running Computers on the GREEN network (192.168.3.0) are working fine. The DHCP works and they can access the internet. Computers on the BLUE network (192.168.5.0) are NOT working though Even though DHCP on the blue network is working, computers cannot ping IPCop nor can they browse the internet. I haven't tried a static address on the Blue network yet, so I suppose that's the next thing to try. Just to clarify, should the BLUE networks DHCP settings be: Gateway: 192.168.5.1 DNS: 192.168.5.1 Or should I configure the blue computers to use the Green network's DNS? Ie 192.168.3.1 ? Help! That being said, the GREEN network is working perfectly so for the time being everyone is using that until I find out what's wrong with the blue.
Blue is semi-trusted by default, you need to put in the MAC or IP address of each machine which will be connecting to the blue network (see attached screenshot). You should use either one field or another. The documentation says that if you want unrestricted access for your blue zone, you must add all of the IPs in that network segment, e.g. 192.168.5.1 - 192.168.5.254. I tried adding a 24-bit network range, e.g. 192.168.5.0/24, and IPCop didn't like that. But I am experimenting right now with something equivilent to just 192.168.5.0 with the hope that it will work for all IPs in that range. You might try that and see how it works out for you.
So that's what the problem was I just tried adding the network range as 192.168.5.2 - 192.168.5.254 but I IPcop didn't like that. Looks like I am going to have to enter every IP address in manually
Yeah, seems like a strange way to have to do it, but at least you only have to do it once. Cut + paste will be your best friend I guess.
W00t! It's working perfectly now I am going to install BOT later and see how that goes once I've read through all the documentation I have experimented with the proxy server, but all it did was add latency as you said it would. After a days use there were 15% proxy hits and 85% misses. So I've just turned it off for good now.
BOT is an awesome addon Much easier to configure then I thought it would be. A few quick questions for you... Will IPCop block incoming calls for Skype and / or other instant messaging such as MSN, Yahoo, AIM etc? I need to find out what port numbers those programs use so I can enable them in BOT. UPDATE: Skype is not working right now. Am I going to have to enable port forwarding?
BOT is a mod to the IPCop GUI to allow you to write advanced firewall rules, so the name may be a bit deceptive since it's not just for outgoing traffic. You can write firewall rules for ingress (i.e. incoming) traffic as well as egress (i.e. outgoing), as specified by any number of criteria, even date & time. If you want to block certain types of traffic from leaving the network, you'll have to do it on a port-by-port basis. Otherwise you can block the IP ranges of the servers these applications use. As for Skype, it works fine for incoming and outgoing calls on my network with no port forwarding required. Since there are so many people behind this firewall who are completely independant of eachother, it's not a very wise idea to do PAT whenever somebody wants to host something, IMHO. If I was in your shoes, I would just make it a policy that if it doesn't work with the firewall, "too bad".
LOL. Yeah but I use Skype myself EDIT: Strange but it's working now I just stopped and restarted BOT and now Skype is OK!
Windows is a noisy OS! The BOT logs are full of netBIOS packets being broadcast to the network! What a waste of bandwith
Yes. Yes it is. You can tell BOT not to log such traffic, which is a good idea since Windows does it unceasingly.
Now that it's been running for quite a few days I have another batch of questions for you With regards to the memory management, i've noticed that IPCop has gone from using almost all available memory to only using about 2/3 of it. Meanwhile the swap space is up almost 50%. Is this a sign of too little memory or is it normal behaviour? The total amount of physical memory is 192MB. Secondly, I noticed that IPCop has a schedule reboot option. Is it worthwhile scheduling a reboot, say once a week, or is that not needed? How can I go about that? I didn't see any log filters in BOT. Maybe I haven't looked hard enough I know, RTFM!!
Hmm, that memory usage is extremely high for the amount of traffic you are dealing with. For reference, my IPCop has a lot of custom netfilter rules, is running IDS on two of 3 interfaces, and I've usually got a lot of simultaneous connections over a 6-megabit pipe (see attached; 300MHz K6 w/192mb PC100). What services are you running on that system? Which plugins? As for the BOT question, if you write a firewall rule with the BOT mod, you should see a logging option (see attached).
I now know the reason for the high memory usage = IDS. I had IDS running on the Red, Green & Blue networks. Once I disabled it I noticed the swap empty and the physical memory usage go down too. IDS is running on the Red interface only now. Do I really need IDS at all? When I disabled IDS the 'Firewall Log' option disappeared. I found that rather strange because BOT uses that log, not IDS. Also, I was wondering whether it is possible to use a different port to connect to IPCop remotely?
If you're not running any services, you don't need IDS enabled. Intrusion detection doesn't mean anything when there's no way to intrude!
