
Anaconda FAQ

 

About this FAQ

 

What versions of Anaconda does this FAQ support?

This FAQ contains answers to frequently asked questions about stable release versions of Anaconda. To date this means versions 0.1.1 and 1.2. Some answers were written for 0.1.1 and do not apply to 1.2; the 0.1.1 answers still need to be cleared out or updated.
 

OK, 1.3.0 has just been released. Many questions are being posted on the Anaconda-user mailing list about the features of 1.3. Please note that this FAQ may not answer your questions about 1.3, as it is still being updated to cover the 1.3 features (perhaps you could help us do this).

In this FAQ the following show which version a section relates to:


[ ] 1.1 [ ]1.2 [ ]1.3 No Versions
[x] 1.1 [ ]1.2 [ ]1.3 Version 1.1 only
[x] 1.1 [x]1.2 [ ]1.3 Version 1.1 and 1.2 only
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

 

 

 

 

General Anaconda questions

 

What is the Anaconda firewall?

Anaconda Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The Anaconda interface is very user-friendly and task-based. Anaconda offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and OpenSource Software.


OLD PC + Anaconda = Secure Internet Appliance
 

Anaconda lets you take an old PC and convert it into an appliance that will:

1. Secure your home network from the internet.
2. Improve the performance of web browsers (by caching frequently used information).

All this functionality can be managed from a simple-to-use web interface; even updates and patches can be installed using a web browser.
Remember, Anaconda works with most home networks and small office networks: dial-up modems, cable modems, ADSL, leased lines and ISDN. It also lets several PCs share a connection to the internet. If you have an always-on connection you can even use Anaconda to protect your web and email servers. Anaconda also has remote management, meaning you can securely update and reconfigure your Anaconda firewall from anywhere with an internet connection!
 

 

How does Anaconda Firewall work?

Anaconda Firewall basically sits "in between" your Internet connection (dial-up modem, cable modem, DSL, etc.) and your network, and directs traffic using a set of rules for the TCP/IP traffic that underlies all Internet activities. The default rules, ideal for most users, are essentially simple in nature. They allow you to "surf" to the outside world and visit web sites, FTP, email and so forth. As you go about your tasks on the Internet, Anaconda allows the return traffic for those tasks, which you requested, to pass through. If, however, some random TCP/IP traffic comes in requesting information from your computer, and that traffic is not in response to your requests, Anaconda Firewall refuses to respond, and logs the attempt. Thus, you are allowed to go about your normal business, but when the bad guys try to come after you, they are stopped cold, because they are not responding to your requests. Think of Anaconda Firewall as your friendly traffic cop down on the corner, making sure that things travel smoothly, and enforcing good rules on your Internet traffic.

 

Will I be able to do everything I did before?

Yes, but... :-)

There are some applications which, under the hood, set up two channels of TCP/IP traffic for various reasons. For example, many online shoot-em-up games like Quake open up several TCP/IP channels so that high-priority messages such as movement and shooting the bad guys can get through on the priority channel, while the graphics are sent through a lower-priority channel. Similarly, NetMeeting and some NetMessenger applications open up multiple channels in order to let multiple people talk at once. You can still use these games, but you'll need to do some post-installation configuration to alter the "Rules" a little bit so that Anaconda Firewall (your friendly traffic cop) will know about your specific exceptions.

 

What if I need remote access to my computers?

You can configure Anaconda Firewall and your remote computers to use VPN which basically lets authorized remote computers "pretend" to be behind your firewall, even if, in reality, they are far, far away in a distant galaxy. Check out the Anaconda VPN documentation.

You can remotely access your desktop from any location with an internet connection. Here is how.

1. To remotely access your desktop machine (UNIX workstation, PC with Linux or Windows, or Macintosh) use VNC (http://www.uk.research.att.com/vnc/; some Windows users may prefer TightVNC, http://www.tightvnc.com/). Install VNC on your desktop machine.
2. To secure access to your desktop machine, SSH is recommended. SSH is built into Anaconda, but you have to switch it on using the web interface: on the Anaconda web interface select System, then SSH, enable SSH and press Save.
3. Now on the remote site you will need an SSH client:
Windows: PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/
Macintosh: NiftyTelnet SSH - http://www.lysator.liu.se/~jonasw/freeware/niftyssh/
Unix: OpenSSH - http://www.openssh.org
You can find more extensive lists of SSH clients for various (other) operating systems on http://www.freessh.org
4. Open port 222 in External services.
5. Open an SSH connection and set up a tunnel to your desktop machine.
6. Use a VNC client (a Java-enabled browser will do) on the remote PC to access your desktop at home!
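The tunnel in step 5, as an added example that is not part of the original FAQ: a small shell helper that validates its inputs and assembles the ssh command line. It assumes the firewall's SSH listens on port 222 (step 4), that you log in as root, that the desktop runs its VNC server on display :0 (TCP 5900), and that the forwarded port is exposed on the remote PC as localhost:5901 by default.

```shell
#!/bin/sh
# Added example (not from the Anaconda FAQ): assemble the SSH tunnel used for
# VNC over SSH. Assumed values: FIREWALL is the public name or address of the
# Anaconda box (SSH on port 222), DESKTOP is the green-side IPv4 address of the
# machine running the VNC server on display :0 (TCP 5900), LOCALPORT is where
# the tunnel appears on the remote PC (default 5901), and the login user is root.

# valid_port N -> 0 if N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# valid_ipv4 A.B.C.D -> 0 if the argument is four dotted octets in 0..255
valid_ipv4() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# tunnel_cmd FIREWALL DESKTOP [LOCALPORT] -> prints the ssh command line.
#   -N      no remote shell, port forwarding only
#   -p 222  Anaconda's SSH port (opened in External services)
#   -L      LOCALPORT on this PC is forwarded, through the firewall, to DESKTOP:5900
# Prints nothing and returns 1 if the arguments do not validate.
tunnel_cmd() {
    fw="$1"
    desk="$2"
    lport="${3:-5901}"
    [ -n "$fw" ] || return 1
    valid_ipv4 "$desk" || return 1
    valid_port "$lport" || return 1
    printf 'ssh -N -p 222 -L %s:%s:5900 root@%s\n' "$lport" "$desk" "$fw"
}

# Typical use (constructed values): run the printed command, leave it running,
# then point the VNC client at localhost:5901 (display :1 on the remote PC).
# tunnel_cmd fw.example.net 192.168.1.10
```

On the first connection verify the firewall's host key fingerprint against the one shown on the Anaconda console before accepting it.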

 

 

 

Where can I talk to others about Anaconda?

Well, there is the Anaconda Users mailing list of course and there is also the Anaconda IRC channel. To join the IRC channel just connect to server: irc.freenode.net and then the Anaconda channel: #Anaconda

 

What are the benefits of Anaconda (software based firewall) over Hardware based firewalls or other software based solutions?

Basically, a hardware-based firewall will require that you purchase the complete solution (hardware and software) for a rather hefty sum. Other software solutions are either commercial (you pay) or free but don't offer the level of security and/or ease of use that Anaconda does.

 

Sounds Good. What gear will I need?

First, you'll need a whole new computer for Anaconda itself. This is not as excessive as it sounds. For one thing, Anaconda can run on obsolete hardware that many companies are literally throwing away as "useless". Anaconda Firewall will be connected to the outside world, so you'll need a cable and whatever kind of card (modem, NIC, etc) that you would normally have in your computer. Exactly what you need for this connection depends on how you connect to the Internet, but you probably can simply move the existing cables and hardware from your current computer to Anaconda Firewall.

Then, you'll need another cable and NIC in Anaconda Firewall to connect to your computer, or to your switch/router if you have several desktops to hook up. Finally, you'll need a NIC in your desktop computer, or one in each desktop computer if you have several desktops to hook up. Check the Installation Guide for more information.

 

Who do I speak to about adding feature x, y or z?

If in need of a feature not yet found in Anaconda then it would be best to contact MarkWormgoor as he is the Development Team Manager.

 

I love it, how can I help?

Spread the word! ;)

Seriously, we can only make Anaconda better by having more people using it to let us know where we can improve it. So tell everyone you can about it.

If you happen to have a good background in Linux, Perl, XML, Firewalling, Support background or security and have the time to give to the Anaconda Project then contact CharlesWilliams for more information.

 

Can I sell Anaconda?

Please read the GNU article Selling Free Software.

 

Can I mirror the Anaconda ISO?

Certain people will be allowed to mirror the Anaconda ISO. We will keep an updated list of where these mirrors are and this list will contain the ONLY authorized list of mirrors. If you download an ISO from anywhere else then you may be downloading an ISO that has been tampered with.

To be considered for approval to mirror Anaconda contact CharlesWilliams

 

This FAQ didn't help me. Where do I go next?

 

  • Reading the full Anaconda Documentation is always good.
  • If you're having trouble with installing or configuring Anaconda, the Anaconda Installation and Anaconda Administration Guides are a must.
  • Search the AnacondaMailingLists archives
  • Next, try posting a question to the appropriate Anaconda Mailing List.
  • Other resources include:
    Link to interpreting Snort logs
    Link to firewall basics

-- StInga - 16 Dec 2002

 

It's not really what I wanted...

Anaconda is only a firewall appliance. If you want a Connectivity Server, with network file shares, email etc. take a look at these alternatives:

Print Server appliance

 

Installation / Upgrades / Fixes

 

General

 

What is this big md5 number all about?

An md5 checksum is essentially a simple way of guaranteeing that the file you got has not been tampered with. Some super-complicated mathematics goes into it, but basically, there's a complicated formula that we fed the actual ISO or upgrade file into, and out pops an md5 checksum. If you also feed your copy in, and get the same md5 checksum out, you can be certain that the file you got was complete, correct, and untampered. Think of it as something like a safety seal on medicine/food products.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How can I check the md5 after downloading?

Under Linux, you can use the md5sum utility. For Windows, you need the Win32 port of the GNU Utility MD5SUM (48KB).

Now, locate the Anaconda file you downloaded (ISO or patch) and run md5sum as follows:
> md5sum [Anaconda ISO filename]
 

This will return the MD5 fingerprint for manual comparison to the fingerprint published on the Anaconda web site.

e.g.

> md5sum Anaconda-0.1.0.iso

1bfeb452372066d91aac82e1271c2d70 Anaconda-0.1.0.iso

To check the MD5 fingerprint automatically (against a file), first copy the fingerprint to a file:
> echo "8849e85c801b3f5df160ac2f09208ec0 Anaconda-1.2.0-fixes4.iso" > foo

where the first part is the fingerprint, followed by exactly two spaces, followed by the name of the file you want to check. (You can check multiple files at once by putting one entry per line).

Then use md5sum to check the iso against its fingerprint:
> md5sum -cv foo
 

Your output should look like:
> Anaconda-1.2.0-fixes4.iso: OK
 

Further help can be gained from typing:
> info md5sum
 

-- SoniaH - 14 Apr 2003 (and others), 10 Aug 2003


[x] 1.1 [x]1.2 [x]1.3 All versions
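The manual check above can be wrapped in a small script so the two-space check-file format is never typed by hand. This is an added example, not part of the original FAQ; it assumes GNU md5sum (Linux, or the Win32 port mentioned above) is on the PATH.

```shell
#!/bin/sh
# Added example (not from the Anaconda FAQ): verify a downloaded ISO or patch
# against its published MD5 fingerprint. Assumes GNU md5sum is on $PATH.

# verify_md5 EXPECTED_HEX FILE
#   Writes the "<hash>  <file>" line that md5sum -c expects (exactly two
#   spaces between the fields), runs the check quietly and returns its status:
#   0 = fingerprint matches, non-zero = mismatch, missing file or bad input.
verify_md5() {
    expected="$1"
    file="$2"
    # Reject anything that is not 32 hex digits before touching the file.
    case "$expected" in
        ''|*[!0-9a-fA-F]*) echo "bad fingerprint: $expected" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "fingerprint must be 32 hex digits" >&2; return 2; }
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    checkfile=$(mktemp) || return 2
    printf '%s  %s\n' "$expected" "$file" > "$checkfile"
    md5sum -c --status "$checkfile"
    rc=$?
    rm -f "$checkfile"
    return $rc
}

# Constructed demonstration: a stand-in "ISO" whose fingerprint is computed
# locally, checked once against the right hash and once against a hash with
# its last digit changed (what a corrupt or tampered download looks like).
# Returns 0 only if the good hash passes and the altered hash fails.
demo() {
    tmp=$(mktemp) || return 1
    printf 'not really an ISO, just constructed sample bytes\n' > "$tmp"
    good=$(md5sum "$tmp" | cut -d' ' -f1)
    last=$(printf '%s' "$good" | tail -c 1)
    if [ "$last" = 0 ]; then bad="${good%?}f"; else bad="${good%?}0"; fi
    verify_md5 "$good" "$tmp"; ok=$?
    verify_md5 "$bad" "$tmp"; mismatch=$?
    rm -f "$tmp"
    [ "$ok" -eq 0 ] && [ "$mismatch" -ne 0 ]
}

# Usage against a real download, e.g.:
# verify_md5 8849e85c801b3f5df160ac2f09208ec0 Anaconda-1.2.0-fixes4.iso && echo OK
```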
 

Installation gave me an error message. Now what?

Press ALT+F2 and copy down the last few lines of messages.
If you think you know what Linux command to type, you can use ALT+F3.
ALT+F1 will return you to the setup routine.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Why do I get Error 0x10 when I'm booting from the installation floppy?

Probably a bad floppy. Throw it away and make a new one. You might be more successful in creating a floppy with the Linux/Unix dd command rather than making it from Windows.

Check that the PC can actually boot from ANY bootable floppy.

 

What is this 1010101010 I get when I boot up?

That generally means that your hard-drive is misconfigured, or simply too LARGE for Anaconda to use. You may be able to go into your BIOS and hand-tune the hard-drive parameters using XXX. Anaconda only supports hard drives up to YYY Megabytes at this time. Future releases may increase that limit.

Some old PCs that do not support the El Torito CD boot format give this problem when booting from an Anaconda CD. Boot from a floppy disk instead and then select a CD install. If this does not work, boot from floppy and select HTTP install from one of your local servers.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How do I upgrade Anaconda?

At the moment upgrades between versions require a completely new install.

From version 1.2.0 it is possible to save your settings onto a floppy disk in the Anaconda machine. The settings can then be restored from the floppy during the new install. Do this from the System > Backup page on the web admin interface.

 

How do I install an update?

Steps to perform an update:

 

  1. Download your updates from the http://www.Anaconda.org web site using your browser. Save them to the hard disk of your client computer (the one you sit in front of).
  2. Go to your Anaconda box's Updates page.
  3. Make sure that the updates are listed in the Available updates section. If the Refresh updates list button does not cause them to be listed, look in the section below Why does Anaconda not update the available patch list?
  4. Upload the updates from the client computer, without unpacking them, to the Anaconda box, in order. Do this using the Install Update section, by selecting the update file using Browse and then pressing Upload. Do this for each update file.
  5. Anaconda should now show the updates in the Installed updates section.
  6. You will need to re-boot, as some of the updates require a re-boot.
  7. Done.

Thanks to Ben Stanley
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Are all patches accumulative, or do I need to apply each one in order?

Patches aren't cumulative, i.e. you have to install patch 1 before installing patch 2, etc.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Why does Anaconda not update the available patch list?

You have to have a working connection to the Internet to be able to download the list of available patches from the http://www.Anaconda.org website.

Your ISP may be blocking a direct connection to the Anaconda site. ISPs that use transparent proxies, or that don't enforce any proxy, do not have this problem.

You need to change the following files:
/home/httpd/cgi-bin/updates.cgi
/usr/local/bin/updatelists.pl

Look for this line:
$sock = new IO::Socket::INET (PeerAddr => 'www.Anaconda.org', PeerPort => 80,

Change the hostname and the portnumber to your proxy server's name and port. Thanks to Jim Hiley for the fix.

Anaconda version 1.2 and later includes a modification which will allow you to specify a remote proxy.

You should also receive automatic notification on your Anaconda's Home page when new updates are available. If you don't receive them, this might be because you have a permanently-on connection, i.e. a leased line or ADSL.

The file /var/Anaconda/patches/available only gets updated when /etc/rc.d/rc.netaddress.up is run, i.e. when the red interface comes up. This is fine for dial on demand but not so good for an "always on" connection.

The file /var/Anaconda/patches/available is updated by the script /usr/local/bin/updatelists.pl, so you can either run the script manually or put it in a cron job.

-- StInga - 16 Jul 2002
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

Having errors / problems applying patches to Anaconda?

A known issue is that Opera (tested up to version 6.0) does not handle uploading the tar.gz patch files properly. Anaconda will report a bad or unauthorized patch in the "Error Messages" area (bottom of 'Updates' screen). Solution - use another browser to upload the patch file to Anaconda. Patching should work fine with IE, Netscape.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

How should I report an install problem?

All problems encountered with Anaconda should be addressed, initially, to the Anaconda Users mailing list after reading the FAQ and Install Guide. If it is not verified that this is a known problem then contact the Anaconda Support Team directly.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can I do an HTTP install from a Win9x/Me/2K/XP computer?

Yes, here are 3 Easy Steps to Installing Anaconda from a Win9x/Me/2K/XP Computer.

Step 1. Ensure that you have an HTTP server running on your Windows computer.

Step 2. Copy the Anaconda.tgz file from the Anaconda CD to a location that is "visible" to your HTTP server.

Step 3. Do the Anaconda installation.

 

Step 1. What! You do not have an HTTP server? Many of us don't. There are several freeware web servers available.

Under XP (you need XP Pro, not XP Home, which has no IIS server), select IIS under Control Panel, Windows Components.
Apache will work on all versions of Windows after Windows 95.
I use TinyWeb, a 180Kb download from http://www.ritlabs.com/tinyweb/index.html, and these instructions are specifically for it, but if you choose any of the others, the whole process will be much the same.

TinyWeb has good installation documentation on its web site. It is strongly recommended that you use the suggested defaults, unless you have a very good reason to do something different, in which case you will know what you are doing and do not need these instructions. Let's assume that you have used the defaults and installed tiny.exe in C:\www\bin. Now add a test page....

 

<*html>
  <*head>
    <*title>
      TinyWeb_Test_Page
    <*/title>
  <*/head>

  <*body>
    <h2> Tiny Web Test Page </h2>
    <br> <hr> <br>
    Any text you like here
  <*/body>
<*/html>

Just cut-and-paste the HTML-code to C:\www\root\index.html and delete the asterisks in the tags. You can now start TinyWeb and test it by entering

http://yourcomputername/ as the URL in your favourite browser.

Remember, replace "yourcomputername" with the actual name of your computer as defined in your C:\windows\hosts file, or the full dotted-quad IP address of your computer. You should see the test page displayed in your browser; if not, recheck that you have correctly followed the TinyWeb installation instructions.

Step 2. This is fairly easy - just insert your Anaconda CD into your CDROM drive and copy the Anaconda.tgz file to C:\www\root\files\Anaconda.tgz. Assuming that your CDROM is E:, the DOS command is copy E:\Anaconda.tgz C:\www\root\files\Anaconda.tgz. The reason we do this is that TinyWeb, like all well-behaved HTTP servers (and FTP servers too), will only serve files that are accessible from its "root" path, which is NOT C:\ as you might have thought.

Step 3. This is even easier - just follow the Anaconda instructions for an HTTP install. Remember that there will be no name resolution, so you must supply the full dotted-quad address of your TinyWeb computer, something like http://192.168.1.7/files/Anaconda.tgz where you must change "192.168.1.7" to the actual IP address of your computer that is running TinyWeb. TinyWeb will serve up the Anaconda.tgz file and the installation will continue just as if you actually had a CDROM drive in your Anaconda computer.

TinyWeb, Windows and other products and names mentioned here are copyrighted by their owners.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I change the date and time?

If you just want to set the clock by hand, log into the Anaconda console as root and execute the command:

date MMDDhhmm

for example:

date 06201310 sets the date to 1:10pm June 20.

To set the hardware clock from the system clock, execute the command:

/sbin/clock --systohc

To set the time from an NTP time server on the Internet execute the command:

ntpdate -u ntp.myisp.com

where you replace ntp.myisp.com with the IP address of your chosen time server. The -u switch directs ntpdate to use an unprivileged port for outgoing packets.
 

[x] 1.1 [x]1.2 [x]1.3 All versions
Instructions on how to automate setting the time are provided later in the FAQ. Refer to the topic How can I synchronize my Anaconda time with my time server?

From Anaconda v1.2 the ability to synchronize Anaconda's date and time with an NTP server was added to the web admin interface. You'll find it on the System > Time page.
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

How do I make a backup of Anaconda?

Find a 1.44M (often labelled as 2 Megabyte) floppy disk and format it. Check it has no errors. You can format the floppy under Windows or Linux. Note any data already on the floppy disk will be lost.

Insert the floppy disk into the Anaconda PC, not your desktop PC! Use the web-based interface on Anaconda, select System, then Backup, and click the "backup" button. Wait for the backup to complete; this can take a while.

Notes on backups: the disks MUST be formatted and free of media errors. Your floppy disk with the backup will not be readable under Windows or mountable under Linux; this is normal! Windows will report that the backup floppy is unreadable or unformatted even when the disk and the backup are fine.

If you don't have another Linux PC you can format a floppy disk using Anaconda. Log in as root and at the command prompt enter:
mke2fs -c -c /dev/fd0
Wait while your disk is formatted and tested. This may take a while.
You can also back up Anaconda from the command line; enter:
/usr/local/bin/Anacondabackup
 

The backup has details of all your settings and also hardware (like the network cards installed). This means that you cannot restore from one PC to another unless they have the same network cards.

-- SethR - 21 May 2003
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

How can I translate the interface into another language?

Have a look at the HowToTranslate page for details.

 

Connection issues

 

My modem INIT string doesn't seem to be working right. What can I do?

The easiest thing to do is head over to the Modem Help web site. Make sure you have all information about your modem at hand so that the search is made easier.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Why can't I connect to my (Deutsche/German) T-Online Account?

Actually this is not an Anaconda problem. This has to do with the way T-Online issues accounts. You need to combine certain portions of your account information to be able to use a dial-up account.

Eg:
Anschlusskennung (line identifier) - 000920367867
Zugehoerige T-Online-Nummer (associated T-Online number) - 530014442280
Mitbenutzernummer/Suffix (co-user number/suffix) - 0001
Persoenliches Kennwort (personal password) - 03387223
 

To be able to log in using dial-up you need to combine the first three fields into the following:
Username - 000920367867530014442280001@t-online.de
Password - 03387223

This does not work for every account. It works only for the newer accounts from T-Online. For older accounts see the PPPoE Howto.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I get Anaconda working with Telstra BPA/DSL?

Lucien Wells wrote an outstanding Howto on connecting SW to Telstra services and it more than applies to Anaconda as well. You can view the Howto here

DO NOT USE THE TAR.GZ PACKAGE FROM THAT LOCATION!

It is for SW ONLY and will not work on your Anaconda system. Instead use this one for Anaconda on BPA. You will also have to replace the bpalogin.init script in that archive with this one.

For Telstra DSL connections refer to the Lucien Wells Howto for Telstra DSL.

If you are using TELSTRA with a modem, you might want to check out this on the add-ons page
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I get Anaconda working with ntl:home (UK) cable...

 

with a Pace ntl:home digital TV set top box?

You need to install Anaconda with at least two network cards for GREEN and RED, ORANGE is optional. Configure the RED network card to use DHCP. Configure the GREEN network card as usual. You must make sure that your workstations can browse the Anaconda web interface and that they are using the Anaconda for their default gateway and DNS.

You will need to register the MAC address of the RED network card with NTL. This does not need to be done if the RED network card has previously been registered under Windows or another OS.

Switch the cable set top box (STB) and your Anaconda off.

Switch the STB on again.

Switch your Anaconda machine on when the data light on the STB lights up.

Your Anaconda should grab a private IP address from the cable head. You should then be able to access the computer provisioning pages using a browser on one of your client machines.

Open a java enabled web browser and navigate to http://start.ntl

Follow the instruction on the screen to register a new computer. You will need your PID and password.

Remember that you will actually be registering the MAC address of the red NIC in the Anaconda machine. Once the Anaconda computer is registered you should switch the STB off then on again and reboot the Anaconda machine when the data light comes on. The red NIC should now get a public IP address assigned by DHCP from NTL and you can start browsing, etc.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

With an ntl:home stand-alone cable modem?

 

Configure Anaconda as above with GREEN and RED network cards.

Configure RED to use DHCP.

Power the cable modem off then back on.

Power up your Anaconda. It should be assigned a public IP address and you should be able to start browsing etc.

If you have problems please see http://homepage.ntlworld.com/robin.d.h.walker/cmtips/swap.html
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How can I check if Anaconda has a valid Internet connection before I run a program on one of my Linux boxes?

There is a simple solution to this (thanks go out to Brian Coyle for this little tidbit). Create a file named "IPC_state" and insert the following code:

#!/bin/bash
echo $(wget -q -O - http://Anaconda:81/cgi-bin/index.cgi | egrep -i \
'Modem|Dialing|Connected' | cut -f2 -d">" | cut -f1 -d"<" )

Place IPC_state somewhere in your $PATH. To use it is fairly simple:

 

$ cat ~/bin/getmail
#!/bin/bash
if IPC_state | grep "Connected" ; then
  /usr/sbin/sendmail -q
  fetchmail -s
fi

That's about all there is to it. Enjoy.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Is there a way to Dial without a browser?

Yes. The "Anaconda Dialer."

You can use it if you trust the folks on the Green side of your LAN not to abuse the dial user's password, which will be in plain text in this file (called "dialler.pl"), and you understand the ramifications of this.

(I used the name dialler.pl in this FAQ for simplicity.) Just replace "dial_password_here" with your password, copy it to your /bin directory, and make it executable.

 

#!/usr/bin/perl
# Anaconda dialer: sends the same POST that the Connect/Disconnect buttons of
# the web interface send to dial.cgi on port 81, authenticating as the "dial" user.
use strict;
use warnings;
use IO::Socket;
use MIME::Base64;

my $password = "dial_password_here";
unless ($ARGV[1]) { die "Usage: dialler.pl host action\n\n"; }
my $action;
if    ($ARGV[1] eq "dial")   { $action = "Connect"; }
elsif ($ARGV[1] eq "hangup") { $action = "Disconnect"; }
else  { die "Invalid Action... use either dial or hangup\n\n"; }
my $xhost = $ARGV[0];

# HTTP Basic authentication: base64 of "user:password", without a trailing newline
my $encoded = encode_base64("dial:$password");
chomp($encoded);

my $sock = IO::Socket::INET->new( PeerAddr => $xhost,
                                  PeerPort => 81,
                                  Proto    => 'tcp' ) || die "Could not connect to host\n\n";

# The form body; Content-Length must match exactly what is sent
my $act = "ACTION=" . $action;
my $len = length($act);

# HTTP header lines end with CRLF; the empty line separates headers from the body
print $sock "POST /cgi-bin/dial.cgi HTTP/1.0\r\n";
print $sock "Authorization: Basic $encoded\r\n";
print $sock "Referer: http://$xhost:81/cgi-bin/index.cgi\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Content-Length: $len\r\n\r\n";
print $sock $act;

# Read the whole reply so the server has finished processing before we close
local $/;
my $reply = <$sock>;
close $sock;

A front end for this dialler.pl written in gtk and bash scripting.

Note: make these all executable and copy them your /bin directory.

 

bash script called "on"
#!/bin/bash
/bin/dialler.pl Anaconda dial

bash script called "off"
#!/bin/bash
/bin/dialler.pl Anaconda hangup

 

The gtk frontend:

 

/*
 * compile with "gcc -o dial `gtk-config --libs --cflags` dial.c"
 */
#include <gtk/gtk.h>
#include <signal.h>   /* signal(), SIGCHLD */
#include <unistd.h>   /* fork(), execlp(), _exit() */

/* Run the "on" script in a child process so the GUI stays responsive */
static void on( GtkWidget *widget, gpointer data ) {
#if 0
    system( "on &" );
#else
    if( !fork() ) {
        execlp( "on", "on", NULL );
        _exit( 1 );   /* only reached if execlp() fails */
    }
#endif
}

/* Run the "off" script in a child process */
static void off( GtkWidget *widget, gpointer data ) {
#if 0
    system( "off &" );
#else
    if( !fork() ) {
        execlp( "off", "off", NULL );
        _exit( 1 );
    }
#endif
}

int main( int argc, char *argv[] ) {
    GtkWidget *window;
    GtkWidget *button;
    GtkWidget *box1;

    /* Reap finished child scripts automatically so they don't linger as zombies */
    signal( SIGCHLD, SIG_IGN );

    gtk_init (&argc, &argv);
    window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
    /* Quit the main loop when the window is closed */
    gtk_signal_connect (GTK_OBJECT (window), "delete_event",
                        GTK_SIGNAL_FUNC (gtk_main_quit), NULL);
    box1 = gtk_hbox_new(FALSE, 1);
    gtk_container_add (GTK_CONTAINER (window), box1);
    button = gtk_button_new_with_label ("on");
    gtk_signal_connect (GTK_OBJECT (button), "clicked",
                        GTK_SIGNAL_FUNC (on), NULL);
    gtk_box_pack_start(GTK_BOX(box1), button, TRUE, TRUE, 0);
    button = gtk_button_new_with_label ("off");
    gtk_signal_connect (GTK_OBJECT (button), "clicked",
                        GTK_SIGNAL_FUNC (off), NULL);
    gtk_box_pack_start(GTK_BOX(box1), button, TRUE, TRUE, 0);

    gtk_widget_show_all(window);
    gtk_main ();
    return(0);
}

Okay, a sanity check: you should have four files

/bin/dialler.pl
/bin/on
/bin/off
/bin/dial

"dial" calls the bash scripts on/off, which pass the Anaconda host name and the action to dialler.pl, which tells Anaconda to connect or hang up the modem. Enjoy!
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Is there a way to stop Anaconda from connecting to the Internet after a certain time of day?

Well, according to Roberto Garcia this is a simple matter and he has even posted info/instructions on a special site just for this situation. Head over to Robertos Anaconda Howto for more info.


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

Why does my modem sometimes not recognize my dial-tone?

If you have call-waiting, and a message has been left for you, your phone may change the dial-tone from a steady tone to several tones, which your modem may not recognize. For most modems, you can correct this by changing the init string to: ATX3S6=4


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

My Dial-On-Demand connection keeps coming up - it's costing me money!!!!

Dial On Demand connections are very useful when it comes to networks, as any computer that needs a connection to the Internet will bring up the link. However, you may find that a workstation will bring up the link without you asking for anything (or even being there), costing you money, sometimes only being noticed when the quarterly bill comes in.

There will be many reasons why a workstation will bring the link up. For example, it might be your virus checker looking for updates. When running a network connection to the internet, your PC assumes it always has a connection. There are quite a few automatic updating programs that can cause problems, and there are "free" mp3 & CD playing software packages out there that check for updates as often as every three minutes.

All this means it is not the fault of your Anaconda box, it is a workstation problem, and you need to look elsewhere. The easiest place to start is to use the Information > Connections web page, and look at the "Masq Entries". This will show you all the "current" connections from the rest of your network: Source (local) IP number, Destination (Foreign) IP number & ports.

By using reverse IP lookups (in Windows NT, W2K and Linux you can use nslookup), you can track the "owner" of the destination server, which may help you track down the offending bit of software. You will also be able to determine which workstations are causing the problem (and there may be more than one), and more than one software package on each workstation.

If all this happens in the middle of the night, try activating Squid (the web proxy) in Transparent Mode, and then looking at the logs. Not as effective as it only proxies for certain ports, but may save you a sleepless night or two.

It can be a tedious task, but please remember that it is not Anaconda that is causing the problem, but a poorly configured workstation or software package. Anaconda is only the bearer of the bad news, so do not shoot the messenger. Rather rejoice in that your choice of Anaconda as your firewall can help you eliminate the source of the problem without having to use a packet sniffer and all the complications that may bring.


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

How do you get Anaconda to automatically restart a connection if it goes down?

Have a look at this in the add-ons / hacks section. Please read the warnings first.


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

My ADSL is temporarily down. How do I get my modem working?

If your ADSL is temporarily down (say, because you're moving), a lot of ISP's will give you a temporary analog modem number to dial up on. So how do you get Anaconda to use the modem?

1. ssh to your Anaconda, and stop your red interface:

ifconfig eth2 down

2. delete the file /var/Anaconda/red/active:

rm /var/Anaconda/red/active

3. refresh your Anaconda web interface - you should now be able to add a PPP interface like normal

to be tested, when my ADSL comes back ;-)

To get your ADSL back, just restart your Anaconda.

-- SoniaH - 07 Apr 2003
[x] 1.1 [x]1.2 [x]1.3 All versions

[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

Hardware Issues

 

How can I use my Alcatel Speedtouch Pro/Home Ethernet Modem/Router?

It is often easier to use an Ethernet device than a USB device. A number of manufacturers have SOHO "routers" that are really designed as a shared access device using NAT. Rather than going to the trouble and expense of a routed subnet of Public IP numbers, you can often use these devices in PPTP Relay mode. The information here is specific to the Speedtouch Pro and Home, but should work with all similar products.


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

Configuring Anaconda

Build your Anaconda box with a Red Ethernet Interface. Set the Red IP type, number and subnet to PPTP.

The default IP Address for an Alcatel Speedtouch router is 10.0.0.138 (netmask 255.255.255.0), so select an appropriate address for your RED network (e.g. 10.0.0.1/255.255.255.0) if this is still the case. If your Alcatel Speedtouch router has a different IP Address, make sure that you set a valid RED IP Address on the network that connects to it.

Normally, the DNS server, and default gateway addresses will be negotiated by ppp directly with the ISP, so you shouldn't need to specify any values for DNS server, or default gateway.

Use a web browser to connect to Anaconda from the green network. Set up a profile for your ISP, and enter information into the following: Interface (PPTP), Persistent (YES), Connect on Restart (YES), Max Retries (10 or 0 for continuous), Idle Timeout (0), username (eg 0123456789@adsl.isp.net), password, PAP & CHAP, DNS set to Manual and enter ISP IP numbers.

If you are not using the default Alcatel Speedtouch values, you need to configure the IP Address of the ADSL router. This is done on the PPTP page which can be accessed by selecting "Dialup" from the main menu on the left, and then "ppp settings". There is a section there called "Additional PPTP settings:". Here, enter your Speedtouch IP Address in the "Router IP Address".

Also in this section, enter "pc1" in the phonebook entry.

There are many settings here that aren't relevant for this type of connection.
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

Configuring the Alcatel Speedtouch ADSL Router.

Once your Anaconda box is up and running, any client on the Green network should be able to access the Alcatel Speedtouch web interface.

Point a web browser to http://10.0.0.138/ (or whatever IP Address your Alcatel Speedtouch actually has) and you will see the web interface for the device.

Delete every single entry in the Router's phone-book, including the pre-configured ones. Also disable DNS and DHCP in the router - it's an overhead that does nothing for you in this configuration, and SET A PASSWORD.

Once the phonebook is clear, add a new entry called pc1. You will need to know the VPI and VCI numbers from your ISP ( 0,38 in the UK, 0,100 for Telecom New Zealand) and the connection type is PPTP. Add this and go to the PPTP config page.

On the PPTP page, select the encapsulation and HDLC framing ("vcmux" and "never" in the UK, and for Telecom New Zealand), and add it. You will note that there is a "state" column. When the link is up, you will see an entry here that says "In Use (10.0.0.1)". Keep this page open in the browser so that you can check later.

Click save, then go to the home page and try connecting.

If all goes according to plan, when the PPTP link comes up it will write the default route into the routing table, so double check on the info page, in the ppp0 entry, that the IP number after p-t-p is the same as the one you entered during setup. If it isn't, use the shell interface and the setup username & password to change it.

As soon as the pptp link comes up, your router bridges all the traffic over the "tunnel" to your Anaconda box, so you are now live and closed for business!!

-- SteveLang - 31 Dec 2002


[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

Does Anaconda support the Fujitsu FDX310 ADSL USB Modem?

This is supported using the ECI USB driver - see http://eciadsl.flashtux.org/?lang=en for details


[ ] 1.1 [ ]1.2 [x]1.3 Version 1.3
 

Which ADSL hardware is supported by the ECI USB driver?

For the latest list see http://eciadsl.flashtux.org/modems.php?lang=en&supported=yes


[ ] 1.1 [ ]1.2 [x]1.3 Version 1.3
 

 

 

My Network card won't Autodetect

When you do the install, use the "SELECT" option rather than autoprobe, and when it gives you a list of cards, look at the top of the list and select MANUAL (some people mistake it for a header rather than an option).

When you use this option, it prompts you with a text box. You enter the driver name followed by its options. So, for example, for an NE2000 card you would enter the following line:

ne io=0x300 irq=10

If you had two cards the same, you would enter

ne io=0x300,0x220 irq=10,5

or, if that doesn't work, swap the order of the settings and try

ne irq=10,5 io=0x300,0x220

Anaconda should then detect the cards and allow you to assign them.

NB The values I have used in this example may not match your card. You may need to download a DOS utility from the manufacturer's website to find out what the card is set to, and to change it if it conflicts with another card in the same box.

Lots of people using old ISA cards (like the 3Com 3C509) have problems until they realise that each ISA card must have a different interrupt AND a different I/O address BEFORE the installation will detect them. 3Com has bootable disk images to configure these cards.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How do I configure multiple NE2000 NIC's?

When asked to identify the cards, select SELECT and then MANUAL, and type the following:

ne io=0x300,0x320 irq=11,5

You will need to change the values to match your own cards.

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I change my GREEN nic driver?

This happened to me when installing from one machine with a CD-ROM and PCI slots and then moving the HD to a machine with only ISA slots (and no CD-ROM drive); the setup script had no way for me to change this.

Log in at the console as root with the password you created in the setup/install process and type "vi /var/Anaconda/ethernet/settings", change the settings (hit the insert key), save the file (:xit) and reboot ("shutdown -r now").

An easy way to get the new settings is to use the setup scripts to assign the nic you want to be GREEN to RED or ORANGE and then when you edit the file above, the info you want will be set up for the other color (don't forget to erase it from those lines in the file)

It gets a little complicated if you also have two NE isa nics so here are a few lines from my file (this is for a GREEN and RED system and doesn't show all the IP lines you'll find in the file but are needed).

CONFIG_TYPE=2
GREEN_DRIVER=ne
GREEN_DRIVER_OPTIONS='io=0x340,0x300 irq=12,9'
GREEN_DEV=eth0
GREEN_DISPLAYDRIVER=ne
ORANGE_DEV=
RED_DEV=eth1
RED_DRIVER=
RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER=ne

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

Configuring 3C509B-TPO ISA NICs

 

  1. Set the cards to use an I/O address of 0x200, 0x240, 0x280, 0x2c0, 0x300, 0x340, 0x380 or 0x3c0, one per card. This applies to any type of ISA NIC - some drivers allow the addresses in between, but this is a safe method.
  2. Do not use PROBE, choose SELECT - you can try using the 3c509 entry and normally it will work...
    If not, use MANUAL and enter 3c509.o irq=A,B,C io=0xAAA,0xBBB,0xCCC where A and 0xAAA are the values for the first card, and so on.
    If it did not take... turn off the computer and try again.
  3. Once it takes, complete the setup and reboot. Be sure to turn the power off and on (do it during the POST).

During the boot WATCH and be sure the cards are detected. If you get "insmod 3c509.o is missing", then vi /var/Anaconda/ethernet/settings, find the first 3c509.o and remove the ".o". Save and reboot - again be sure to power off and on.

The 3c509 has a problem during a soft boot: the second and third cards will not be detected unless you cycle the power. This problem goes back to before Red Hat 6.2.

 

Can Anaconda use my HD44780 compatible LCD?

Yes. Check out http://lcdproc.omnipotent.net/. You might also want to check the netlcd screen which is available from the addons page, it will display data transfer rates on whatever interface it is given as an argument, i.e. ppp0 eth0, etc.

Robert Wood has prepared a tarball with the code you need to get started. It contains a small HOWTO, a circuit diagram and three binaries. Get it from here.

To install it, scp the file to the root directory (/) and untar it with tar -zxvf lcdproc.tar.gz and it'll be in the right place. Then just read /root/HOWTO

 

How do I remove a keyboard from a Compaq and still boot

Go into the bios and set machine type to 'server'.

Go to the www.compaq.com and search for no_f1.com.

(--StInga - 23 Apr 2002 - need to add more to this)


[x] 1.1 [x]1.2 [x]1.3 All versions
 

My BIOS has no way of disabling "Halt on Keyboard Errors"

Normally in BIOS there is an option to "halt on errors" when a motherboard does its checks. Modern BIOS usually have a way of disabling this, but some older BIOS don't.

A useful trick is to buy a really cheap membrane keyboard which has a small circuit board about 7cm x 3 cm inside. You can remove this, resolder the cable so that it is really short, and put it inside a small matchbox sized case. Top marks to Mike Rigby for this tip.

 

How do I change the MAC Address of my RED Interface

This is a hack for 1.2 only.

Edit /var/Anaconda/ethernet/settings. Add this line after the other lines starting RED.

 

RED_HWADDR=hh:hh:hh:hh:hh:hh

Replace the hh with the required hex MAC address.

Edit /etc/rc.d/rc.netaddress.up and add the two ifconfig $RED_DEV hw ether $RED_HWADDR lines marked "added" below. They have to come before the interface is brought up (the ifconfig ... up line), because most drivers will not accept a new hardware address on an interface that is already up; and they will fail if RED_HWADDR is not set, so do the settings edit first.

 

if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" ]; then
   if [ "$RED_DEV" != "" ]; then
      if [ "$RED_TYPE" = "DHCP" ]; then
         rm /etc/dhcpc/*.info -f
         ifconfig $RED_DEV hw ether $RED_HWADDR    # added
         /sbin/dhcpcd -h $RED_DHCP_HOSTNAME -R $RED_DEV
      elif [ "$RED_TYPE" = "STATIC" -o "$RED_TYPE" = "PPTP" ]; then
         ifconfig $RED_DEV hw ether $RED_HWADDR    # added
         ifconfig $RED_DEV $RED_ADDRESS netmask $RED_NETMASK broadcast $RED_BROADCAST up
         if [ "$RED_TYPE" = "STATIC" ]; then
            /usr/local/bin/setaliases
         fi
         if [ "$DEFAULT_GATEWAY" != "" ]; then
            route add default gw $DEFAULT_GATEWAY
         fi
      else
         ifconfig $RED_DEV 1.1.1.1 netmask 255.255.255.0 broadcast 1.1.1.255 up
      fi
   else
      echo "WARNING: No driver set for RED"
   fi
else
   if [ ! -e /var/Anaconda/red/active ]; then
      if [ "$DOMAIN_NAME" == "" ]; then
         /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases
      else 
         /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases -s "$DOMAIN_NAME"
      fi
   fi
fi
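A check worth running before rebooting with the edit above, as an added example that is not part of Anaconda's scripts: it validates the RED_HWADDR value and only then produces or applies the ifconfig line. The settings file path is the one this FAQ uses; the function names are mine.

```shell
#!/bin/sh
# Added example for this FAQ, not part of Anaconda's scripts: check a RED_HWADDR
# value before rc.netaddress.up hands it to ifconfig. A mistyped or empty value
# makes the ifconfig call fail and leaves RED without its address at boot, and
# a "group" MAC (low bit of the first octet set) is refused by the kernel.

# valid_mac: succeeds if $1 is six colon-separated hex pairs and a unicast address
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' || return 1
    first=$(echo "$1" | cut -d: -f1)
    case "$first" in
        ?[13579bdfBDF]) return 1 ;;   # odd second digit => multicast/group bit set
    esac
    return 0
}

# red_hwaddr_cmd DEV MAC: print the ifconfig line rc.netaddress.up should run,
# or fail with a reason. The change has to be applied while the interface is
# still down, which is why the FAQ's snippet puts it before "ifconfig $RED_DEV ... up".
red_hwaddr_cmd() {
    dev=$1; mac=$2
    [ -n "$dev" ] || { echo "no RED device" >&2; return 1; }
    valid_mac "$mac" || { echo "refusing RED_HWADDR '$mac': not a unicast MAC" >&2; return 1; }
    echo "ifconfig $dev hw ether $mac"
}

# apply_red_hwaddr [SETTINGS]: read the settings file (the path this FAQ gives
# is the default) and apply the address only if it passes the checks above.
# Run as root on the firewall with RED down; not run here.
apply_red_hwaddr() {
    settings=${1:-/var/Anaconda/ethernet/settings}
    . "$settings"
    cmd=$(red_hwaddr_cmd "$RED_DEV" "$RED_HWADDR") || return 1
    $cmd
}
```

The multicast check matters because a MAC copied from a sniffer trace or a vendor sheet is occasionally a group address; ifconfig reports "Cannot assign requested address" for those and the RED interface then stays unconfigured.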


[x] 1.1 [x]1.2 [ ]1.3 Versions 1.1 and 1.2
 

 

Security

 

Is Anaconda Stateful?

Releases 0.1.1 of Anaconda up to and including 1.2 are not stateful, as they are based on IPChains. Version 1.3 uses IPTables and is a fully stateful firewall.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

What are IPCHAINS/IPTABLES?

IPChains and IPTables are the basic "guts" of how Anaconda decides what traffic to allow.

Version 1.2.0 and below of Anaconda use IPChains. Versions 1.3.x and up use IPTables.

You'd never use both at once.

In any case, IPChains and IPTables allow Anaconda to set up rules for what sorts of TCP/IP traffic to allow to go through your firewall. You have to allow some traffic, just to be able to do anything useful like e-mail or browsing the web.

Anaconda starts off with the most strict rules possible that allow most users to do the most common tasks.

You may need to alter the rules slightly in order to be a little more permissive in what traffic you allow in order to perform some tasks like playing on-line games or using 'net messenger or video-conferencing software.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

What is the recommended way to monitor Anaconda?

You should look at your log files every day, particularly at the firewall and IDS logs. Take a look at the "Logging" section of this FAQ to understand what the log entries mean.

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

Pros and cons of scanning sites

Various web-sites "out there" on the Internet will let you type in your IP address and will "scan" your firewall to see if it is working. While that seems like a really Good Idea (tm), consider this: you don't really know who runs that site. You don't know whether their site has been hacked, in which case you are simply handing your IP address to a malicious user. In theory, Anaconda will stop any problems from these sites, but they are not all that useful: you can run scanning software from an external machine you control, or ask somebody you actually trust to scan your firewall. Also, many of the scanning sites don't do a very good job of what they claim to do in the first place.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

LeakTest says Anaconda is not working?

LeakTest from http://grc.com is a bit misleading. It is not designed to test an edge firewall like Anaconda. Why?

The initial release of LeakTest worked by pretending:
“to be an FTP client application which attempts to connect to port 21 (FTP) of one of our servers within the grc.com domain".

Furthermore:

"LeakTest v1.0 is used by RENAMING it - from Leaktest.exe to some other program filename - to simulate the behavior of malware which could easily alter its own name in order to masquerade as a valid and permitted application."

While this is a valid check of a personal firewall running on the client machine, it has no relevance to an edge firewall. Anaconda filters by service (address and port), not by which application on a workstation is making the connection, so a program that is allowed out to port 21 looks the same to it whatever the program is called. Detecting trojans and the like is the job of a good virus scanner on the workstation.

In other words: LeakTest tests what happens when a user (not you, of course) ignores all the warnings and runs an executable attached to an email. Anaconda is not designed to stop that kind of behaviour. Educating users and keeping virus scanners up to date is your only defence against it.

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

Why do ports 1024 and above appear to be open?

This is normal with versions 1.2.0 and below. Most services listen on ports 1023 and below, and with a non-stateful (IPChains) firewall the high ports have to stay open so that replies to connections your own machines started can get back in; blocking them would interfere with genuine traffic. From version 1.3.x the firewall is stateful, so it can tell a reply from an unsolicited packet, and those ports are closed by default without affecting genuine traffic.

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

What is this IDS (Intrusion Detection System) ?

Anaconda includes an Intrusion Detection System (IDS) called Snort. An IDS is an important part of any network security architecture. It provides a second layer of defense right after the firewall. An IDS examines network traffic, at the packet level, for suspicious patterns that may indicate an attack or compromise attempt on your network. These suspicious patterns are specified by the rule set. Whenever the IDS sees a pattern that matches a rule, an entry turns up in the IDS log. Note that such an entry does not necessarily mean that a system was compromised (see also the "I've got stuff in my logs..." section of this FAQ). An IDS does not block any traffic, it merely alerts system administrators when potential hostile traffic is detected.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How should I update the IDS rule set?

IDS rule set updates will be provided by patches to the current release of Anaconda. Patches will not be provided for prior versions of Anaconda.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How can I stop the IDS from logging things that I do not want logged?

The rules for IDS reporting are in /etc/snort. You can open these rules in an editor and comment out or modify any rule you want to stop or make operate differently.

For example, Snort logs a...

MISC Large ICMP Packet

... every time I check for mail.

In this case, the rule is in /etc/snort/misc.rules and is the first rule. Instead of commenting it out, I raised the threshold by 700 bytes from 800 to 1500 and saved the rule file back. Once I modified the IDS rules, I stopped the IDS and restarted it to make the rule changes active.

Another problem I have is that Snort warns me about IRC packets.

INFO Possible IRC access

I don't have a problem with IRC packets being on my network since I use IRC often, so I disabled the IRC warning altogether in /etc/snort/policy.rules by commenting it out with a # at the beginning of the line.

Don't forget to stop/start Snort after you edit Snort rules and policies.
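The two edits described above (a dsize threshold raised, a rule commented out) done from the shell, as an added example that is not part of Anaconda or of Snort. The rule lines in it are constructed in the style of the stock Snort 1.x rules and abridged; on the firewall, point the functions at /etc/snort/misc.rules and /etc/snort/policy.rules.

```shell
#!/bin/sh
# Added example for this FAQ; not part of Anaconda or Snort. Tunes a rules file
# from the shell so the edit is mechanical and repeatable: comment out a rule by
# its msg text, or change only its dsize threshold. The sample rules below are
# constructed in the stock Snort 1.x style and abridged; the real lines in
# /etc/snort/*.rules carry more options.

SAMPLE_RULES='# constructed sample, not the shipped file
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize:>800; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"INFO Possible IRC access"; flags:A+; content:"NICK "; classtype:not-suspicious;)'

# snort_disable_rule FILE TEXT: put a # in front of every active rule whose
# line contains TEXT (normally the msg string). Already-commented lines and
# non-rule lines are left alone.
snort_disable_rule() {
    file=$1; text=$2; tmp=$file.new
    awk -v pat="$text" '
        /^[ \t]*(alert|log|pass)[ \t]/ && index($0, pat) { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# snort_set_dsize FILE TEXT VALUE: rewrite the dsize: option of the rules that
# contain TEXT, e.g. snort_set_dsize misc.rules "MISC Large ICMP Packet" ">1500"
snort_set_dsize() {
    file=$1; text=$2; val=$3; tmp=$file.new
    awk -v pat="$text" -v val="$val" '
        index($0, pat) && match($0, /dsize:[^;]*;/) {
            $0 = substr($0, 1, RSTART - 1) "dsize:" val ";" substr($0, RSTART + RLENGTH)
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demonstration on a scratch copy of the sample; on the firewall run the same
# two calls against the files in /etc/snort, then stop/start Snort.
demo=${TMPDIR:-/tmp}/snort_demo.$$
printf '%s\n' "$SAMPLE_RULES" > "$demo"
snort_set_dsize "$demo" "MISC Large ICMP Packet" ">1500"
snort_disable_rule "$demo" "INFO Possible IRC access"
cat "$demo"
rm -f "$demo"
```

dsize is the payload size: on an Ethernet link a single unfragmented ICMP packet carries at most 1472 bytes of payload, so a threshold of >1500 will only ever match fragmented datagrams that Snort reassembles. If the aim is to keep the rule meaningful, pick a value just above what your mail check actually sends. Stop and start Snort from the web interface afterwards, as above.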


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can I prevent some firewall logging from being generated?

Yes, but currently it requires you to manually edit your firewall rules table.

If you are adept at Linux firewall rules, the rules for Anaconda are located in /etc/rc.d/rc.firewall.up.

Of course, manually editing your firewall rules can break them. If this happens, you get to keep both pieces.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How secure is wireless?

Wireless networking is only as secure as you make it. This depends on many factors (read this FAQ to get a better picture of the problem and some solutions), such as the type of authentication used and whether a firewall sits between the wireless segment and the rest of your network. Version 0.2 of Anaconda will include an Amber Zone (a wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections, among other things.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can Anaconda help me secure WEP?

The current version of WEP has been shown to be weak in a number of areas of its key scheduling. This has led to tools, such as AirSnort, that can passively sniff your wireless traffic and recover your WEP key. Several wireless vendors are either enhancing WEP to be more robust or investigating alternative solutions. Anaconda cannot strengthen WEP itself; the practical answer is to treat the wireless network as untrusted and keep it behind the firewall. Read 'How secure is wireless' for more information.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Is there a reason why UDP is not open for replies from Orange to Green, like TCP is?

This is only true for versions of Anaconda BEFORE Anaconda 1.3.

Yes, there is a reason. Because the firewall before 1.3 is not stateful, it cannot tell a UDP "reply" from any other UDP packet: unlike TCP there are no flags that mark a packet as part of an existing exchange. Anaconda 1.3 and later run a 2.4 kernel with IPTables connection tracking, which remembers the outgoing request and lets only the matching answer back in.

If, on Anaconda 1.2 or earlier, the firewall were left open for "replies" to UDP requests, it would be open to everyone. When the basic structure for DMZ pinholes etc. was created, it was found that UDP port scans (nmap -sU) went straight through the firewall and could tell which machines were running which UDP services. That is when UDP returns from Orange to Green were locked down.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Logging

 

I've got stuff in my logs: Does that mean I've been hacked?

Not necessarily.

There are two places that contain security related log entries.

Logs > Firewall contains the firewall logs. What you see here are connection attempts from the outside that were deflected. This is of interest because it will tell you what ports people are trying to attack you on. Things in this log DID NOT make it into your network. Not every log entry indicates a malicious attempt to break into your network. An entry could also indicate a mistake (someone mis-typing an IP address and accidentally connecting to your network), a mis-configured device, etcetera. For the most part, the firewall logs are useful to indicate what was going on, in case you need to figure out why something that should get through doesn't.

Logs > Intrusion Detection System contains the IDS logs. What you see here are connections that DID make it into your network and contained signs of an attack. Again, this does not necessarily mean that someone was breaking into your network. Some of the rules that trigger the IDS can also be triggered by normal traffic. If you're certain that the IDS is triggered by legitimate traffic you might consider turning the corresponding rule off (see also "How can I stop the IDS from logging things that I do not want logged?"). It is wise to always investigate what caused an IDS log entry. It might be that you were attacked.

 


[x] 1.1 [x]1.2 [x]1.3 All versions
 

What logs are kept on Anaconda

 

Linux logging is in /var/log, with messages being the main system log.

Other interesting logs in this directory are:

dmesg: hardware info gathered during the Linux bootup process
secure: the log of security concerns and accesses
cron: the log of cron jobs running
 

Apache logs are in /var/log/httpd and consist of access_log, error_log, ssl_request_log and ssl_engine_log.

Snort logs are kept in /var/log/snort and consist of alert and portscan.log

Squid logs are kept in /var/log/squid and consist of access.log, cache.log and store.log


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How do I get my logs off Anaconda

You can use scp or WinSCP to copy the logs to another machine. You need to turn on SSH using the web front end. Remember that Anaconda runs SSH on port 222, not port 22, so scp needs the port given as -P 222 (capital P) and WinSCP needs its port set to 222. If you are accessing Anaconda remotely you also have to open port 222 on RED; that exposes a root-capable login to the internet, so only open it while you need it and close it again afterwards.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How can I use a different machine for logging messages?

See this in the add-ons / hacks section. Please read the warning first.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can I configure the logs to be compressed?

Many of the logs are rotated into a compressed format already. Active logs are not compressed so they can be easily accessed for presentation in the administration panel.

 

 

 

How long are the logs kept for?

Anaconda version 1.2 and older: Logs in /var/log are rotated weekly and kept for 8 cycles.

Logs in /var/log/squid are rotated weekly and kept for 5 cycles.

Logs in /var/log/snort are rotated weekly and kept for 5 cycles.

Anaconda version 1.3: Logs in /var/log are rotated weekly and kept for 52 cycles.

Logs in /var/log/squid are rotated weekly and kept for 52 cycles.

Logs in /var/log/snort are rotated weekly and kept for 52 cycles.

 

The logs are automatically rotated and compressed early on Sunday mornings, so if you look for information from the previous week, it will appear to have vanished. The information is still there, but you will have to decompress the relevant file to access it. Look in the /var/log directory.

To force a rotation of the logs, logon as root and execute the command:

/usr/sbin/logrotate -f /etc/logrotate.conf


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can the logs be sent to a database?

This is a basic Linux distribution, so anything can be accomplished with enough hacking. There are no database managers running or installed on Anaconda.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

What can I use to analyse the logs?

There are many utilities available to analyze Linux logs. There are also utilities to analyze Snort and Squid logs. Please see the respective project web pages for further information.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

My ISP is filling my logs with IGMP or PIM packets. How can I stop logging those?

See this in the Anaconda add-ons / hacks page. Please read the warning.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

My log is filling with Net-BIOS (137) packets. How can I stop logging these?

See this answer in the AnacondaAddons page.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

IP Proxy

 

What is the web accelerator?

The web accelerator is a high-performance proxy caching server that helps to lower outbound traffic requests and therefore speed up the general web browsing experience.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How do I get to the low level configuration?

The Squid configuration file is /etc/squid/squid.conf


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Is web content filtering supported?

DansGuardian made a patch available that integrates it into Anaconda.

The patch file and instructions on how to install DansGuardian on Anaconda can be found in the AnacondaDGHowto


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can I block certain web sites?

Yes. Log in to the Anaconda console as root and edit /etc/hosts. Add a line that starts with the address 0.0.0.0 followed by the hostname of the offending site (the hostname only, for example www.offendingwebsite.com, not a full URL). Anaconda's DNS server reads /etc/hosts, so any client that uses Anaconda for DNS gets 0.0.0.0 back for that name and the connection fails. Clients configured to use some other DNS server are not affected.

Do not remove or change the first two lines of /etc/hosts!

Example /etc/hosts

127.0.0.1          localhost
192.168.x.x        Anaconda

# Add comments if you like.

0.0.0.0            www.offendingwebsite.com
0.0.0.0            www.bumpywall.org

Reboot (or, on 1.2 and 1.3, send dnsmasq a HUP signal as described under "Restarting DNSMASQ") and you are done.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Can I block annoying ads?

Yes. Using the same method as above, add lines as needed to /etc/hosts. A utility at http://ssmedia.com/utilities/hosts/ has a maintained list of ad servers.

http://www.everythingisnt.com/hosts.html has an updated list for Linux (so it will work with Anaconda); if you are worried about installing it on a firewall, there is a simple installer for Windows which you can try out on a test PC first.

An easy way to get the entries in is to ssh into Anaconda from an X terminal or, on Windows, PuTTY, and paste from the ad-server list. Remember that the entries only take effect for machines that use Anaconda as their DNS server.
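The /etc/hosts method from this answer and the one before it, as an added shell example that is not part of Anaconda. It adds block entries the way the two answers describe but checks its input: the first lines are never touched, names already present are skipped, and anything that is not a bare hostname (a full URL, a path) is rejected because such a line would never match a lookup. The filename is a parameter so it can be tried on a copy before touching /etc/hosts; the sample lines are constructed.

```shell
#!/bin/sh
# Added example for this FAQ; not part of Anaconda. Adds 0.0.0.0 block entries
# to a hosts file safely: existing lines are left alone, duplicates and
# malformed names are skipped, and dnsmasq is told to reread the file instead
# of rebooting.

# valid_hostname: a dotted name made of letters, digits and hyphens only
valid_hostname() {
    echo "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+$'
}

# hosts_block FILE NAME...: append "0.0.0.0 NAME" for each new, valid name;
# prints how many lines were added
hosts_block() {
    file=$1; shift
    added=0
    for name in "$@"; do
        if ! valid_hostname "$name"; then
            echo "skipping '$name': not a bare hostname" >&2
            continue
        fi
        # skip if any uncommented line already maps this name
        if awk -v n="$name" '$1 !~ /^#/ && $2 == n { found = 1 } END { exit !found }' "$file"; then
            continue
        fi
        printf '0.0.0.0\t%s\n' "$name" >> "$file"
        added=$((added + 1))
    done
    echo "$added"
}

# hosts_block_from_list FILE LIST: feed a downloaded ad-server list through the
# same checks; accepts "127.0.0.1 name" / "0.0.0.0 name" lines or bare names
hosts_block_from_list() {
    names=$(awk '$1 !~ /^#/ && NF { print (NF > 1 ? $2 : $1) }' "$2")
    hosts_block "$1" $names
}

# reload_dns: dnsmasq (1.2 and 1.3) rereads /etc/hosts on SIGHUP, so no reboot
# is needed; on 1.1 restart dnrd instead (see the DNS section).
reload_dns() {
    killall -HUP dnsmasq 2>/dev/null || echo "dnsmasq not running; entries apply at next start" >&2
}

# Demonstration on a scratch copy with the two fixed lines the FAQ says to keep.
demo=${TMPDIR:-/tmp}/hosts_demo.$$
printf '127.0.0.1\tlocalhost\n192.168.1.1\tAnaconda\n' > "$demo"
hosts_block "$demo" www.offendingwebsite.com www.bumpywall.org "http://www.offendingwebsite.com" >/dev/null
cat "$demo"
rm -f "$demo"
```

On the firewall the calls are hosts_block /etc/hosts name... or hosts_block_from_list /etc/hosts downloaded-list, followed by reload_dns. Note that the setup script rewrites /etc/hosts whenever network settings are changed (see "Where do my entries in /etc/hosts go?"), so keep the list you feed in and rerun it after any such change.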


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

DHCP

 

What is DHCP?

DHCP = Dynamic Host Configuration Protocol

 

Every computer on the Internet has a unique IP address like 123.23.89.13. No two computers have the same number and you simply can't be on the Internet unless you have a number. Usually, humans don't work with those numbers directly. We type stuff like "Anaconda.org" and our computer looks up the IP address for us.

When you set up your Anaconda firewall, only Anaconda has a "real" IP address on the RED interface facing the Internet. The rest of your computers, behind the firewall (on the GREEN interface), have "internal" IP addresses which you need to set up.

According to RFC1918, you should use addresses from one of the private ranges:

10.0.0.0 - 10.255.255.255 (10.x.x.x)
172.16.0.0 - 172.31.255.255 (172.16.x.x up to 172.31.x.x, not all of 172.x.x.x)
192.168.0.0 - 192.168.255.255 (192.168.x.x)

...where x can be any number from 0 to 255, bearing in mind that the first and last address of each subnet are the network and broadcast addresses and cannot be given to a host.

But, you still need a unique IP address for every computer on the network behind your firewall. Anaconda itself has an IP address in that range to use for talking to your GREEN network.

For one or two computers, this is no big deal. However, some people are using hundreds of computers behind their Anaconda firewall and a human trying to keep track of which computer is using which IP address can be a real problem. DHCP solves that problem.

A DHCP server can be started on Anaconda and its job is to hand out IP addresses to the client computers that request one. When you set up DHCP on Anaconda, you allocate a range of DHCP addresses in your private subnet and then configure the client computers to use the Anaconda DHCP service to get their IP addresses.

(from here on, we'll call the Anaconda DHCP server your DHCP host)

When each client computer starts up, it asks the DHCP host for an IP address, and the DHCP host gives it one that's not currently in use. The DHCP host keeps track of which numbers are free and which ones are leased by a client.

You don't permanently own the address you get from your DHCP host, you lease it. Once the DHCP host gives a client computer an address, the clock starts ticking. At the end of the lease period, the DHCP host checks to see if the client is still using the IP address. If it is, the lease is renewed. This renegotiation process repeats at the end of every lease period. If the client doesn't answer the lease renewal request, the IP address is automatically returned to the pool of unused numbers waiting for the next client requesting DHCP service.

This is much easier than you having to keep track of which computer is using which IP address. Once you set DHCP up, just be sure you never set a machine to use a fixed IP address from the DHCP range you have set aside.

It's common to use a range like 192.168.1.100 to 192.168.1.199 for DHCP or some other set of nice round numbers that fits the size of your organization.

DHCP is particularly handy for laptop/portable computers, since you can then plug into somebody else's network without worrying about which IP address to use. Their DHCP host will simply hand you an unused IP address, just like your DHCP host.

 

When should I use (and not use) DHCP?

You should not use DHCP for any computers/printers/equipment that people would be expected to use as a shared resource. Web servers, printers, email servers, etc. should be given a specific static IP address, so people know which address is assigned to those devices and these known addresses do not change.

You might not need to bother with the five minutes it takes to set up DHCP if you only have one computer -- though if it's a laptop, you probably should, since you can then plug it into any DHCP network easily.

If you have lots of computers to configure, save yourself the hassle of remembering which IP is which computer, and use DHCP for anything that's not a shared resource.

 

 

 

Where can I see a list of DHCP leases given out by Anaconda?

Look in /var/lib/dhcp/dhcpd.leases

Note: Times in this file are in GMT, not local time zones.

 

Can I configure DHCP to associate a record with a WINS server?

Not in version 0.1.1, but you can in version 1.2

 

Why do I care about MAC addresses?

MAC addresses are the unique identifiers built into every ethernet network interface card. They are what allows DHCP to give the same IP address to the same machine every time. There are other uses for MAC addresses, but this is the primary one in relation to Anaconda. Note that a MAC address is burned in but not fixed: an interface can be told to use a different one (changing the RED MAC, described above, does exactly that), so a static DHCP assignment keyed on a MAC is a convenience for addressing, not a way of authenticating a machine.

 

How do I enter MAC addresses for static DHCP assignments?

MAC addresses must be entered using a colon as a separator ie: aa:bb:cc:dd:ee:ff.
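For this question and the two before it, an added shell example that is not part of Anaconda or of dhcpd: it turns the lease file into one line per address with the MAC in the colon form the static assignment page wants, and with the lease end time marked as UTC so it is not misread as local time. The lease file layout assumed is the ISC dhcpd.leases format; the sample is constructed, and the path used in the comments is the one this FAQ gives.

```shell
#!/bin/sh
# Added example for this FAQ; not part of Anaconda or dhcpd. Lists dhcpd's
# leases with lower-case colon-separated MACs (the form the static DHCP page
# expects) and the end time as written in the file, which is GMT/UTC.

# Constructed sample in dhcpd.leases layout: the same address appears twice
# because dhcpd appends a new block each time a lease is renewed.
SAMPLE_LEASES='lease 192.168.1.100 {
  starts 3 2003/04/09 10:00:00;
  ends 3 2003/04/09 22:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}
lease 192.168.1.101 {
  starts 3 2003/04/09 10:05:00;
  ends never;
  hardware ethernet 00:A0:C9:12:34:56;
}
lease 192.168.1.100 {
  starts 3 2003/04/09 22:00:00;
  ends 4 2003/04/10 10:00:00;
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "laptop";
}'

# dhcp_leases FILE -> "ip mac ends_utc hostname", one line per address.
# The last block for an address is the current one and overwrites earlier ones.
dhcp_leases() {
    awk '
        /^lease / { ip = $2; mac = "-"; ends = "-"; host = "-"; next }
        /hardware ethernet/ { mac = tolower($3); sub(/;$/, "", mac); next }
        /^[ \t]*ends / { if ($2 ~ /^never/) ends = "never"; else ends = $3 "T" $4; sub(/;$/, "", ends); next }
        /client-hostname/ { host = $2; gsub(/[";]/, "", host); next }
        /^}/ && ip != "" { lease[ip] = mac " " ends " " host; ip = ""; next }
        END { for (a in lease) print a, lease[a] }
    ' "$1" | sort
}

# lease_mac FILE IP: the MAC to paste into a static DHCP entry for that host
lease_mac() {
    dhcp_leases "$1" | awk -v ip="$2" '$1 == ip { print $2 }'
}

# active_leases FILE: leases that have not expired yet. Comparing against the
# current UTC time as a string works because the format is fixed-width.
active_leases() {
    now=$(date -u +%Y/%m/%dT%H:%M:%S)
    dhcp_leases "$1" | awk -v now="$now" '$3 == "never" || $3 > now'
}

demo=${TMPDIR:-/tmp}/leases_demo.$$
printf '%s\n' "$SAMPLE_LEASES" > "$demo"
dhcp_leases "$demo"            # on the firewall: dhcp_leases /var/lib/dhcp/dhcpd.leases
echo "MAC for 192.168.1.101: $(lease_mac "$demo" 192.168.1.101)"
rm -f "$demo"
```

The times printed are UTC, as the note above warns; active_leases compares against date -u for the same reason, so a lease that looks expired in local time is still classed correctly.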

 

DNS

Note: As of v1.2.0 DNRD was replaced with DNSMASQ. For more info on DNSMASQ see http://thekelleys.org.uk/dnsmasq/doc.html Note, you will have to download the source package and see the readme.txt file for full documentation.

 

How can I access my servers via their public domain names from the internal network?

There are 3 options

 

1. On the Anaconda machine edit /etc/hosts (explained in the next question in the FAQ) and define the local server name with its local (ORANGE or GREEN) address. Make sure that the client PCs that need to access the local servers are using Anaconda as their DNS server.

2. On each Windows client edit the local HOSTS file and enter the local server name and its local address (%SYSTEMROOT%\SYSTEM32\DRIVERS\ETC\HOSTS on Windows 2000/XP).

3. Set up an internal DNS server that is authoritative for the domain you host. Set your recursive DNS server (the one used by internal workstations) to ask the internal DNS server for the domain you run, and to take the regular recursive route for all others.

 


Non-recursive DNS is not part of a firewall's role. Look at the security issues BIND has had before mixing RED and GREEN service in this way. Anaconda has a recursive DNS server and cache available only on GREEN and ORANGE. If you want a DNS server, use djbdns or BIND. If you want a pure (non-recursive) DNS server, MyDNS is a good one, ideal for dynamic changes, with a great web interface and simple to use.

To find out more about DNS and the technique outlined in step 3, read up on DNS and "split horizon DNS".

 

-- SethR - 08 June 2003

 

Can I add IP addresses?

Yes you can! You need to edit /etc/hosts. DNRD will try to resolve a name by...

 

  1. looking in the cache
  2. looking in /etc/hosts
  3. using DNS resolvers

DNRD loads the contents of /etc/hosts when it starts, so modifying /etc/hosts without restarting DNRD does nothing.

 

Restarting DNRD


[x] 1.1 [ ]1.2 [ ]1.3 Version 1.1 only

After modifying /etc/hosts you need to restart dnrd. I have a script called bounce_dnrd, here it is. Put it on your Anaconda box somewhere and run it after modifying the hosts file.

 

#!/bin/sh
# bounce_dnrd: restart dnrd so that it rereads /etc/hosts, passing it the
# upstream DNS servers that match the current RED connection type.

. /var/Anaconda/ethernet/settings

if [ "$RED_TYPE" = "DHCP" ]; then
         # DNS servers handed out by the ISP's DHCP server
         DNRD_DNS1=`/etc/rc.d/helper/getdnsfromdhcpc.pl 1`
         DNRD_DNS2=`/etc/rc.d/helper/getdnsfromdhcpc.pl 2`
         . /etc/dhcpc/dhcpcd-${RED_DEV}.info
elif [ "$RED_TYPE" = "STATIC" ]; then
         # DNS servers entered in setup
         DNRD_DNS1=$DNS1
         DNRD_DNS2=$DNS2
fi
echo "Upstream DNS 1: $DNRD_DNS1"

# Stop the running dnrd first, otherwise the new one cannot bind port 53
# and the old one keeps serving the stale /etc/hosts.
killall dnrd 2>/dev/null
sleep 1

if [ "$RED_TYPE" != "PPPOE" -a "$RED_TYPE" != "PPTP" ]; then
         if [ "$DNRD_DNS1" != "" ]; then
                 if [ "$DNRD_DNS2" != "" ]; then
                         /usr/local/bin/dnrd -s $DNRD_DNS1 -s $DNRD_DNS2
                 else
                         /usr/local/bin/dnrd -s $DNRD_DNS1
                 fi
         else
                 echo "WARNING: No DNS servers available"
                 /usr/local/bin/dnrd
         fi
else
         # PPPoE and PPTP: start dnrd without explicit upstream servers
         /usr/local/bin/dnrd
fi



[x] 1.1 [ ]1.2 [ ]1.3 Version 1.1 only
 

Restarting DNSMASQ

After you have made changes to the /etc/hosts file you will need to let the dnsmasq program know that it should reread its config files. To do this you send it the HUP signal. One way of doing this is with the command "killall -HUP dnsmasq". You could also look up the PID of dnsmasq with the "ps aux" command and then use "kill -HUP (dnsmasq PID)", where (dnsmasq PID) is what you found from the ps command.



[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

Where do my entries in /etc/hosts go?

Due to a bit of bodged coding, whenever network stuff is modified via setup, it rewrites /etc/hosts. If you have lots of changes, I would save them somewhere and append them to the end of /etc/hosts.

 

Why can users on my Green network not access a DNS Server on Orange even though users on Red can?

If you use Anaconda 1.2 you will not be able to access a DNS server on Orange from Green (Red to Orange is fine). This is not a bug but by design. UDP from Orange to Green is blocked on Anaconda 1.2.

Anaconda 1.3 supports this as it is handled by the 2.4 kernel. If you need to access a DNS Server on Orange from Green upgrade to 1.3.

[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

VPN

 

What is a VPN?

A VPN is a Virtual Private Network.

It is a way of allowing computers that aren't really directly connected to the same network to pretend that they are. The basic idea is that you have two Anaconda computers, very far away from each other, that need to be connected as if they were all one network.

The traffic that travels over VPN is all encrypted, so it's very secure.

A most excellent VPN document is here: AnacondaVPNHowto

 

Why do I want a VPN?

With a VPN, you can access other machines across the internet as if they were on the same lan segment as your own. The traffic travelling across the internet is encrypted.

 

I've read the FAQ, the documentation and my VPN still won't connect. What now?

There are two sources for help with IPsec, Anaconda's VPN. Obviously, the first choice would be the Anaconda user mailing list. SuperFreeS/WAN is an open source project too; check its web site for support.

In either case, gather complete diagnostic output for your problem first. Log in to your Anaconda as root and issue the following command:

ipsec barf > /tmp/problem.txt

This will dump everything about ipsec to the file /tmp/problem.txt.

Use scp or pscp from another machine to copy the file to it and include it in your email. You may need to do this on both sides of your VPN.

 

How should I implement the VPN between two Anaconda servers?

The VPN HowTo

 

How do I get the VPN to come up automatically?

The built in VPN in Anaconda will start automatically when both ends of the connection are available.

 

How do I forward PPTP to an internal MS VPN Server (prior to 1.3.0)?

Microsoft's PPTP software is rather buggy and insecure, so make sure that you have applied all the service packs and hotfixes to all the computers before starting this.

Using the Anaconda web interface forward port 1723 to the IP of your PPTP server.

Then log into the firewall command line interface and run: ipfwd --masq <IP of your PPTP server> 47 & (e.g. ipfwd --masq 10.0.0.2 47 & ). This handles the GRE protocol (IP protocol 47), which PPTP needs in addition to TCP port 1723.

To make the second change permanent add the ipfwd command to the end of /etc/rc.d/rc.network file.

 

How do I forward PPTP to an internal MS VPN Server (1.3.0 and above)?

Use the Anaconda web interface to forward port tcp/1723 to the IP of your PPTP server. Then forward the GRE protocol to your PPTP server also using the web interface. That's it!

 

 

How do I connect to a remote Microsoft PPTP server?

Unanswered, but suggested question

 

How do I connect to a remote Microsoft IPSec server?

Have a look at http://jixen.tripod.com/

 

How do I connect a Win2K (XP) client to Anaconda

There is a fairly complicated HOWTO at VPN.EBOOTIS.DE, but Darren Critchley has added a detailed explanation of how to connect a Win2K (or XP) client to Anaconda to the AnacondaVPNHowto page.

 

How do I connect a IPsec client behind Anaconda to a remote IPSec Server?

To run an IPsec client behind IP masquerading you have to enable IPsec passthrough on your Anaconda. Use your browser to log in to your Anaconda as the "admin" user and then go to the VPNs web page. Enable IPsec passthrough in the Global settings section.

 

How do I connect to a remote Nortel server?

Marcus Loeken suggested the solution below, after searching the web and finding this post with a helpful solution. RickNSD wrote an interesting answer (the question was about using a D-Link router), linked to this page on D-Link's website...

 

I too just resolved my Nortel Contivity 4.6 w/ D-link 764 (802.11 a & b) issue. I used
the resolution listed at d-link specifically for the Contivity Client
http://support.dlink.com/faq/view.asp?prod_id=1153&question=DI-614+

Two things I did differently:
1) Had to make sure the EACfilt driver was bound/checked to each NIC using the Contivity
   Client.
2) To avoid having to use only 1 client as a virtual server, I made firewall entries
   directly instead, as follows:

Read L to R as Source then Destination
   Allow   VPN -9550   WAN,(IP range of contivity switches)          LAN,* UDP,9550
   Allow   VPN -9550   WAN,( IP range of contivity switches)         LAN,* TCP,9550
   Allow   VPN -1723   WAN, ,( IP range of contivity switches)       LAN,* TCP,1723
   Allow   VPN -1723   LAN,* WAN, ,( IP range of contivity switches) TCP,1723
   Allow   VPN -500    LAN,* WAN, ,( IP range of contivity switches) UDP,500 
   Allow   VPN -500    WAN, ,( IP range of contivity switches)       LAN,* UDP,500

I followed all other instructions on the d-link document. The Contivity Client did have
the 'disable keepalives 'checked and with group authentication.

My VPN connection flies now (used to have an SMC barricade 7004AWBR) and have no issues
with the configuration so far.

Hope this helps someone.

So Marcus added some ports to the portforwarding section of his Anaconda (ver. 1.2.0), and now it looks like this:

 

UDP   DEFAULT IP    500   192.168.63.100    500
UDP   DEFAULT IP   9550   192.168.63.100   9550
TCP   DEFAULT IP   9550   192.168.63.100   9550
TCP   DEFAULT IP   1723   192.168.63.100   1723

The 192.168.63.100 is the IP of his laptop. And he says "now it works!!! I can connect with the Nortel Contivity client ver. 4.7!"

Thanks Marcus :)

-- EricOberlander - 05 May 2003

 

How do I connect to a remote Checkpoint Securemote server?

This worked with SecureClient NG Feature Pack 3 HF 1 (build 53515). Attempts with Feature Pack 2 haven't been successful.

Use your browser to log in to your Anaconda as the "admin" user and then go to the VPNs web page. Set the Local VPN IP to the computer running SecureClient and check Enable. Save your changes.

On the Services->Port forwarding page add the following rule:

Protocol: UDP
Source port: 2746
Destination port: 2746
Destination IP: (your SecureClient PC)
 

For better security, set source IP to the address of your VPN gateway. This can be determined by trying to connect to the VPN server before enabling the port forwarding above. Your firewall log will show several connection attempts from the VPN gateway to port 2746 on your red interface.

Thanks to Dag Christensen - 01 Jul 2003

 

Remote Access

 

What is the recommended way to administer Anaconda?

The web interface provided by IP-Cop is the best way of administering your Firewall. It needs no software on the client computer that isn't already installed.

If you need to do anything more complicated, for example after installing a new network card, then replugging a keyboard and monitor would be one option (and the only one if the network is now down).

The other method is to use SSH. SSH is a secure command line interface, which is very powerful. There are SSH clients for most operating systems.

 

Why can't I telnet to Anaconda?

Many well documented exploits, along with readily available Telnet password sniffing tools, make Telnet too insecure to be included in Anaconda. Use SSH instead.

 

Can I enable telnet to Anaconda?

Anything is possible, but we would recommend against it. SSH is a secure replacement with the same functionality.

 

What is SSH, why is it better than Telnet?

SSH is (S)ecure (SH)ell and uses cryptography to overcome known weaknesses of Telnet. When logging on to a server using Telnet both your user name and password are transmitted in clear text. These can be sniffed and then replayed by an attacker to gain access to your account.

SSH sessions encrypt traffic with block ciphers, which prevents sensitive data from being sniffed from the wire. Telnet is commonly used in the Windows world because Windows doesn't come with an SSH client.

 

Where are some free SSH clients?

Windows
PuTTY - http://www.chiark.greenend.org.uk/~sgtatham/putty/

Macintosh
NiftyTelnet SSH - http://www.lysator.liu.se/~jonasw/freeware/niftyssh/

Unix
OpenSSH - http://www.openssh.org

You can find more extensive lists of SSH clients for various (other) operating systems on http://www.freessh.org

 

Why can't I SSH to Anaconda?

SSH usually listens on port 22. However Anaconda uses port 222. All SSH connections to the machine need to specify the 222 port. And remember to turn on SSH.

 

 

How do I turn on SSH?

Open the web interface to Anaconda.

Select the Remote Access menu item. In v1.2 this was moved to the System > ssh menu item.

Check the box next to SSH and press the SAVE button.

 

How do I expose SSH to the outside world?

 

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add an entry for:

TCP
Add an address* or blank for access from any address
Port 222
Check the Enabled box
 

Press the SAVE button.

* You can restrict this access to a single ip address or a subnet for more security than just opening it to the entire world.

To use a single ip address, simply enter the address you wish to allow. To use a subnet, use the CIDR address of the subnet, like 52.124.37.0/24. This would allow access from any ip starting with 52.124.37.

 

Why can't I FTP to Anaconda?

The FTP daemon is not running on Anaconda for security reasons. FTP passes usernames and passwords as clear text inside the packets, which makes them very easy to sniff.

 

So how do I copy files?

To copy files to and from Anaconda please use one of the following SCP clients: pscp (Windows), WinSCP (Windows), NiftyTelnet SSH r3 (Mac) or scp (Unix). A more extensive list can be found on http://www.freessh.org. Please remember that these SCP clients connect to the SSH server running on port 222 on your Anaconda - You will have to edit the connection details to connect using port 222 not the default 22.

 

Why can't I browse to Anaconda?

HTTP usually listens on port 80. However Anaconda uses port 81 to ease port forwarding issues with port 80. To browse to an Anaconda machine you need to use the following style of URL.

http://192.168.0.1:81/

Note you should replace the IP address with the correct address or name of your Anaconda machine. Also note that some browsers require the protocol (the http:// bit) to be entered when using non-standard port numbers.

 

Why can't I browse to Anaconda using HTTPS?

Similar to the above, HTTPS usually listens on port 443. However Anaconda uses port 445 to ease port forwarding issues with port 443. To browse to an Anaconda machine you need to use the following style of URL.

https://192.168.0.1:445/

Note you should replace the IP address with the correct address or name of your Anaconda machine. Also note that some browsers require the protocol (the https:// bit) to be entered when using non-standard port numbers.

 

Networking

 

How should I add a static route

The format of a static route entry is as follows:

route add -net xxx.xxx.xxx.xxx netmask 255.255.255.0 gw yyy.yyy.yyy.yyy

To do this you log in via ssh, and enter it at the command line (changing the two IP addresses and subnet to the correct values). If you want the route to be permanent, it must also be added to one of the start up scripts, probably the end of rc.netaddress.up

 

Can I add a second RED interface?

With release 0.1.x this was not possible. Multiple IP Addresses on the Red interface are available in release 1.2.0

 

Can I drop a dialup connection from 3am to 6am for Tivo?

Log into the Anaconda console as root.

At the command line, enter one of the two following commands, based on which editor you like to use

export EDITOR=vi
or
export EDITOR=joe
(joe is a wordstar-like editor)
 

Once you have done that, enter the command:

crontab -e

The editor you set up above will open on the cron table for the root user. If you have not modified your Anaconda installation in any way, it's possible that this table is blank. Add the following lines:

#stop dialup between 3am and 6am every day of every week of every month
0 3 * * * su nobody -c "/etc/ppp/ppp-off"
0 6 * * * su nobody -c "/etc/ppp/ppp-on"

Save the file and close the editor.

logout

 

Can I disable the internet connection from 11pm to 6am?

Add a cron job to do this. The following will stop all internet interface traffic from 11pm to 6 am. You can either use the entire ruleset, or eliminate the ones you don't use, ie, if you don't have a modem, leave out the modem lines, and vice versa. Using them all will not hurt anything.

0 23 * * * /sbin/ipchains -I ethout 1 -i eth1 -j DENY
0 23 * * * /sbin/ipchains -I ethin 1 -i eth1 -j DENY
0 23 * * * /sbin/ipchains -I mdmout 1 -i ppp0 -j DENY
0 23 * * * /sbin/ipchains -I mdmin 1 -i ppp0 -j DENY
 

0 6 * * * /sbin/ipchains -D ethout 1
0 6 * * * /sbin/ipchains -D ethin 1
0 6 * * * /sbin/ipchains -D mdmout 1
0 6 * * * /sbin/ipchains -D mdmin 1
 

 

How can I synchronize my Anaconda time with my time server?

NOTE: As of v1.2.0 you can enter NTP servers and set up time syncing via the web interface. Pick two time servers from the "here" link below, and enter them in the web interface to set the service up.

 

First, you need to pick a time server. If you are not running a time server on your network already, you will need to access an external time server. The nearer the time server is to you, the more accurate your time sync will be. You can find a list of public time servers here. Please only select from the Stratum 2 list. If you elect to use a public time server, be sure to use one which specifies that Open Access is ok. Many of them request that you send them an email to tell them you are using their time server. This usually gets you on a low volume mailing list which will inform you of outages and not much more.

If you have selected an external time server, you need to go to the Services/External Service Access menu in Anaconda and add a pinhole to let the time signals into Anaconda. Select UDP, put in the IP address of the time server you have selected, and destination port 123. Make sure the Enabled box is checked and Save the External Service Access.

Now, on a one time basis, you log into the Anaconda console as root and issue the following command:

/usr/sbin/ntpdate -s x.x.x.x
where x.x.x.x is the IP address or domain name of the time server you selected, or of your local private time server.

If you don't want to open an External Service Access entry, you can run the following command instead, which uses an unprivileged source port:

/usr/sbin/ntpdate -s -u x.x.x.x
 

Once that runs, run the command...

tail /var/log/messages

If the command worked, you should see something like this:

Jan 17 01:56:58 Anaconda ntpdate[17067]: adjust time server x.x.x.x offset -0.121123 sec

If you don't see the above message, you need to pick another time server until you have success.

If you wish to add an entry to cron so this command repeats on a regular basis, log into the Anaconda console as root.

At the command line, enter one of the two following commands, based on which editor you like to use

export EDITOR=vi
or
export EDITOR=joe
(joe is a wordstar-like editor)

Once you have done that, enter the command:

crontab -e

The editor you set up above will open on the cron table for the root user. If you have not modified your Anaconda installation in any way, it's possible that this table is blank. Add the following lines:

#Sync the clock once a day at 2:47 am every day, every week, every month
47 2 * * * /usr/sbin/ntpdate -s x.x.x.x; /sbin/clock --systohc > /dev/null 2>&1
where x.x.x.x is the time server you got working on the command line above. Using the clock command with the --systohc will set your hardware clock to the time you just retrieved.

Save the file and close the editor.

logout

 

Can I change the graphs to be bigger/smaller than the current 8 hours?

Log into the Anaconda console as root and edit the file /usr/local/bin/makegraphs.

The -s parameter is the timespan. Change this to the required interval.

Save the file and close the editor.

Logout.

 

Can I change how often the Graphs are updated?

By default, the graphs are updated every 30 minutes. This was based on the CPU power it takes to update the graphs on low end machines. If you run a Pentium or K6 (or better) class CPU, you can safely update the graphs more often, every 5 minutes.

Log into the Anaconda console as root and edit the file /etc/crontab.

By default, the last lines read:

# Make some nice graphs
*/30 * * * * root /usr/local/bin/makegraphs > /dev/null

For updates every 5 minutes, change the last line to read:

*/5 * * * * root /usr/local/bin/makegraphs > /dev/null

Save the file.

Restart cron daemon with the following command:

killall -HUP crond

 

Can I get data transfer summaries by different periods?

Yes, you can log into the Anaconda console as root and run ipacsum.

ipacsum -t "today"
ipacsum -t "last week"
ipacsum -t "last month"
 

This will give you summaries of your red and green interfaces for both in and out traffic.

 

Can I report by individual IP addresses

Not in Anaconda 0.1.x

 

How can I automate switching between peak time and off-peak ISP numbers?

If you connect to the Internet with an ISP that requires you to dial different phone numbers depending on the time of day, such as BT's Surftime Evenings and Weekend package in the UK, you can set up a cron task to switch ppp settings automatically.

First, set up and save two ppp profiles for the two different phone numbers you require. Make sure they work, and make a note of their position in the drop down list.

Then log into the Anaconda console as root, locate the files which contain the ppp settings, and make copies of them. At the command line enter the command:

cd /var/Anaconda/ppp

and then:

cp settings-1 settings-offpeak

and:

cp settings-2 settings-peak

This assumes you've set up the off-peak settings as your first profile, and the peaktime as the second.

At the command line, enter the command:

crontab -e

The cron table for the root user will appear. If you have not modified your Anaconda installation before, it's possible that this table is blank. Add the following three lines:

#switch ppp settings
0 8 * * 1-5 cp /var/Anaconda/ppp/settings-peak /var/Anaconda/ppp/settings; /etc/ppp/ppp-off; sleep 4; /etc/ppp/ppp-on
0 18 * * 1-5 cp /var/Anaconda/ppp/settings-offpeak /var/Anaconda/ppp/settings; /etc/ppp/ppp-off; sleep 4; /etc/ppp/ppp-on

This switches to peaktime settings at 8.00am on weekdays, and off-peak settings after 6.00pm on weekdays, and continues over the weekend. (1-5 is equivalent to mon,tue,wed,thu,fri). Restarting ppp is necessary to read all the settings for the new profile. Note that each entry has to be on a single line.

 

Save the file and close the editor.

logout

 

How do I get X working ?

Anaconda deliberately has very few services installed. There are few, if any, advantages in running X on an Anaconda box. If there is something you need to do to your Anaconda box that cannot be done via the web interface, use SSH.

 

Configuring Client Computers

 

 

How do I configure Microsoft Windows clients?

The easiest way is to set Anaconda to serve DHCP addresses and set your client computers to 'automatically get ip address', or to use DHCP. This works for Windows clients, Linux clients and Macintosh clients, just to name a few.

For Windows 95 clients, in the Network Control Panel, in Microsoft TCP/IP properties, click the IP Address tab. Select the option 'Obtain an IP address automatically'.

 

How do I configure Macintosh clients to use DHCP?

For Macs, open the TCP/IP Control Panel and select 'Using DHCP Server'.

 

How do I configure Linux clients?

The easiest way is to set Anaconda to serve DHCP addresses. Then:

On your Linux client, run netconf as root.

Select 'Host Name and IP Network Devices'

Select your adaptor on the tab. (Probably Adaptor 1)

Select the DHCP button.

Select the Accept button.

 

How do I get AIM working?

As of Anaconda 1.2.0, all instant messaging software just works.
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

How can I transfer files using AIM?

There is a project on SourceForge called ReAIM that acts as a proxy for AIM and MSN. Apparently, you forward the AIM and MSN inbound ports to it, and it takes care of distributing the inbound packets.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I get MSN Messenger working?

 

As of Anaconda 1.2.0, all instant messaging software just works.

To do file transfers, upgrade MSN to release 6.
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

How do I get ICQ working?

For information on setting up a firewall to allow ICQ traffic, start here: www.icq.com.

 

How do I get Yahoo working?

As of Anaconda 1.2.0, all instant messaging software just works.
[ ] 1.1 [x]1.2 [x]1.3 Version 1.2 and 1.3
 

 

Port Forwarding for versions prior to 1.3.0

 

How do I forward traffic to an Internal webserver?

To forward traffic to an internal web server you need to:

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add an entry for:

TCP
Add an address* or blank for access from any address
Port 80
Check the Enabled box

Press the SAVE button.

Then select "Port Forwarding"

Add an entry for:

TCP, Source Port=80, IP address of your web server, Destination Port=80
Ensure the Enabled box is checked

Press the ADD button.

You should now have WWW forwarding to your internal web server.

 

Why doesn't my WWW forwarding work?

Since Code Red and Nimda some ISPs have blocked port 80 (www) for their consumers. So although you will have port 80 set up correctly, your ISP could be blocking traffic to that port. Talk to your ISP to see if they have this policy in place. If you want to work around this you could expose port 82, 8080 etc. (i.e. not port 80) and browse to that address:port instead.

 

How do I forward traffic to an Internal FTP server?

There are two different modes of communication used by FTP, active and passive mode. Active mode is pretty simple to forward but passive mode needs a bit more work. Passive mode is usually used by users behind a firewall and also by most web browsers.

To forward active mode traffic to an internal ftp server you need to:

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add an entry for:

TCP
Add an address* or blank for access from any address
Port 21
Check the Enabled box

Press the SAVE button.

Then select "Port Forwarding"

Add an entry for:

TCP, Source Port=21, IP address of your ftp server, Destination Port=21
Ensure the Enabled box is checked

Press the ADD button.

You should now have a working forwarding of active ftp to your internal ftp server. Now lets add configuration for passive ftp.

Passive FTP uses high ports for the data connection. If you don't want to add heaps of ports to your port forward configuration you will have to configure your FTP server to use a limited set of ports: in proftpd this is done by adding a "PassivePorts" directive to your configuration, in wu-ftpd you use the "passive ports" setting in ftpaccess, and so on.
Now that you have limited the passive ports you need to forward them to your internal FTP server.
To forward your passive ports to your internal FTP server:

Open the web interface to Anaconda.

Select "Port Forwarding"

Add an entry for:

TCP, Source Port="your passive port", IP address of your ftp server, Destination Port="your passive port"
Ensure the Enabled box is checked

Press the ADD button.
Do this for all the ports you have configured your ftp-server to use in passive mode.
Now we have to fix a feature (present at least in version 0.1.1) of Anaconda masquerading. Open a shell on your Anaconda machine with ssh or on the console. Use vi to edit the file /etc/rc.d/rc.network and change the line:
"modprobe ip_masq_ftp ports=21,2121"
to:
"modprobe ip_masq_ftp in_ports=21"

Now restart your ftp-server and your Anaconda computer to enable your changes and ftp should work both in active and passive mode.

 

How do I forward traffic to an Internal SSH server?

To forward traffic to an internal SSH server you need to:

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add an entry for:

TCP
Add an address or blank for access from any address
Port 22 (or another port if you prefer)
Check the Enabled box

Press the SAVE button.

Then select "Port Forwarding"

Add an entry for:

TCP, Source Port=22 (or the port entered above), IP address of your SSH server, Destination Port=22

Ensure the Enabled box is checked

Press the ADD button.

You should now have external access to your SSH server. To test access to the server, from a machine on the outside network do:

telnet MY_EXTERNAL_IP_ADDRESS 22 (Substitute the appropriate number for 22 if you used a non-standard port above)

You should see a banner from your SSH server. For example:

 

# telnet  myserver.com  22
Trying 64.28.67.251...
Connected to myserver.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.1p1
^]
telnet> quit
Connection closed.

Remember: to SSH remotely to Anaconda itself, just add port 222 to External Service Access; do not forward any ports.
[x] 1.1 [x]1.2 [x]1.3 All versions
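A scripted version of the telnet test above, added here as an example and not part of the FAQ: it connects to the forwarded address and port, reads the first line and reports whether an SSH identification string came back, so a forward that lands on the wrong machine (or no machine) is noticed. The local listener is a constructed stand-in for the forwarded server so the check can be tried offline; MY_EXTERNAL_IP_ADDRESS is a placeholder.

```python
import socket
import threading


def read_ssh_banner(host, port, timeout=5.0):
    """Connect to host:port as the FAQ's telnet test does and return the SSH
    identification line (e.g. 'SSH-1.99-OpenSSH_3.1p1'). Returns None when the
    port is closed or filtered (connect fails or times out) or when whatever
    answers is not an SSH server, so a forward to the wrong service shows up."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            # an SSH server sends its identification line first, so just read
            while b"\n" not in data and len(data) < 255:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    return line if line.startswith("SSH-") else None


def serve_banner_once(banner):
    """Constructed stand-in for the forwarded server: listens on 127.0.0.1 on a
    free port, sends one banner line to the first client and exits. Returns the
    port so the check above can be pointed at it."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]

    def run():
        conn, _ = listener.accept()
        conn.sendall(banner.encode("ascii") + b"\r\n")
        conn.close()
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # try it against the stand-in; for real use call
    # read_ssh_banner("MY_EXTERNAL_IP_ADDRESS", 22) from a machine outside
    port = serve_banner_once("SSH-1.99-OpenSSH_3.1p1")
    print(read_ssh_banner("127.0.0.1", port))
```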
 

 

 

How do I forward traffic to an Internal VNC server?

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add entries for:

TCP
Add an address or blank for access from any address
Port 5900 (or another port if you prefer)
Check the Enabled box

Press the SAVE button.

TCP
Add an address or blank for access from any address
Port 5901 (or another port if you prefer)
Check the Enabled box

Press the SAVE button.

Then select "Port Forwarding"

Add entries for:

TCP, Source Port=5900 (or the port entered above), IP address of your VNC server, Destination Port=5900

TCP, Source Port=5901 (or the port entered above), IP address of your VNC server, Destination Port=5901

Ensure the Enabled box is checked

Press the ADD button.

You should now have external access to your VNC server.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

How do I forward traffic to an Internal PCAnywhere machine?

Open the web interface to Anaconda.

Select the Services/External Service Access menu item.

Add entries for:

TCP
Add an address or blank for access from any address
Port 5631 (or another port if you prefer)
Check the Enabled box

Press the SAVE button.

UDP
Add an address or blank for access from any address
Port 5632 (or another port if you prefer)
Check the Enabled box

Press the SAVE button.

Then select "Port Forwarding"

Add entries for:

TCP, Source Port=5631 (or the port entered above), IP address of your PCAnywhere server, Destination Port=5631

UDP, Source Port=5632 (or the port entered above), IP address of your PCAnywhere server, Destination Port=5632

Ensure the Enabled box is checked

Press the ADD button.

You should now have external access to your PCAnywhere server.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

Why can't I access my public servers from the Green network?

You are unable to access public servers by name from the Green network. This is because the public DNS name is resolving to your Red IP address (or one of your Red aliases) and the port forwarder will only forward packets that appear on the Red interface not the Green.

The preferred way to get around this is to make the public DNS name resolve to the private IP address for client machines on the Green network. If Anaconda is providing DNS for the Green network then it is a simple matter of adding the private IP address and public host name to /etc/hosts.

Login to the Anaconda console as root and edit a file named /etc/hosts.

Do not remove or change the first two lines of /etc/hosts!

Example /etc/hosts

127.0.0.1          localhost
192.168.1.x        Anaconda

# Add comments if you like.

192.168.2.1        www.mypublicwebserver.com
# To enable internal access to public webserver on Orange

192.168.2.2        mail.mypublicmailserver.org
# To enable internal access to public mailserver on Orange

Reboot and you are done.

If you are using a different internal DNS server, you will need to edit the configuration so that it will resolve the public host name to the private IP address. You could also try setting it up to act as a forwarder to the Anaconda box - in this case it will resolve hosts it knows about, anything else gets forwarded to the Anaconda box. If you don't use internal DNS for some reason, you can try editing the hosts file on each of the machines on the Green network. Detailed instructions on how to do this are beyond the scope of this FAQ.

You can test public access to your webserver by using a web proxy (usually provided by your ISP). An anonymiser site works as well.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

How can I block my internal users from accessing a particular external service, such as Telnet, AOL etc?

Add a new ipchains rule to the /etc/rc.d/firewall.up script. The example below will block all connections from the green network 192.168.1.0 on port 5190 used by AOL:

ipchains -I input -j DENY -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 5190

Note: Anaconda 1.3 uses iptables instead of ipchains, so this answer needs updating for 1.3.


[x] 1.1 [x]1.2 [ ]1.3 Version 1.1 and 1.2 only
 

 

 

How do I forward traffic to an Internal Netmeeting server?

Unanswered, but suggested question

 

How do I forward traffic to an Internal VOIP machine?

 

Unanswered, but suggested question

 

Other Useful links

Laplink: www.laplink.com/support/kb/article.asp?ID=633

 

Port Forwarding and External Access in 1.3.0 and later

Darren Critchley has done a superb job with the Port Forwarding cgi in 1.3.0. However it is quite different from what we had with 1.2 and earlier versions. Please note that the port numbers used for a particular service have not changed and you should still refer to these above.

Here is Darren's explanation of how it works:

First off and most importantly, the External Access page (xtaccess.cgi) NO LONGER has ANY effect on the GREEN or ORANGE network. It is there to allow you to open ports to the Anaconda box itself and not the GREEN or ORANGE networks.

How do you open up external access then?
It is combined into the port forward page - there is a field on the page labelled:

'Source IP, or network (blank for "ALL"):'

This is the field that controls external access - if you leave it BLANK, your port forward will be open to ALL INTERNET ADDRESSES. Alternatively if you put an address or network in there, it will be restricted to that network or internet address.

You can have more than one external address - after you have created the port forward entry, it will appear in the table. If you wish to add another external address, click the green cross next to the entry, the entry screen at the top of the page will change (it will load values from the port forward) and allow you to enter an external ip address or network.

When added you will now notice that there is a new entry under the port forward in the table.

Other things to note:
We now support the GRE protocol
You can have port ranges and wildcards:
Valid wildcards are:

* which translates to 1-65535
85-* which translates into 85-65535
*-500 which translates into 1-500

Valid characters to separate a port range are : or -. Note that it will be modified to : even though it will be displayed as a - on the screen.

You only need to enter the first source port, the destination will be filled in for you.

You can edit a record, and until you hit the update button, nothing changes and nothing is lost.

When you are editing a record, you will see the record highlighted in yellow.

Port ranges cannot overlap each other.

Individual ports cannot be placed in the middle of a range, i.e. if you have 2000-3000 already set up and then try to forward port 2500, it will give you an error. You cannot forward the same port to several machines.

Reserved ports - on the main Red Address (DEFAULT IP) some ports are reserved for Anaconda to do its business, they are 67, 68, 81, 222, and 445

 

When you edit a port forward, there will be an extra check box labelled 'Override external access to ALL'. This is used as a quick and dirty way to open a port to ALL internet addresses for testing or whatever your reasons - this was a user request.

If you have a port forward with multiple external accesses, when you delete all of the external accesses, the port becomes open to ALL addresses, be careful of this one.

Shortcut to enable or disable a port forward or external access - click on the enabled column for the particular entry you want to enable or disable.
Note: when you disable the port forward, all associated external accesses are disabled.
Note: when you enable the port forward, all associated external accesses are enabled.

One other VERY IMPORTANT NOTE:
The translation process from 1.2 to 1.3 was not 100% and some entries will be restricted to 127.0.0.1/32 - watch for this if you are upgrading.
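The wildcard, separator, overlap and reserved-port rules above, as an added example (not code from Anaconda's portfw.cgi): a small Python validator that normalises a port spec to the stored low:high form and rejects a new forward that hits a reserved port or overlaps an existing entry. Whether a range that merely spans a reserved port is refused is an assumption here; the sample table of existing forwards is constructed.

```python
import re

# Ports the FAQ lists as reserved for Anaconda on the main RED address.
RESERVED = {67, 68, 81, 222, 445}
PORT_MIN, PORT_MAX = 1, 65535
_SPEC = re.compile(r"(\*|\d+)(?:[:-](\*|\d+))?")


def parse_port_spec(spec):
    """Turn a port or wildcard range into a (low, high) tuple.
    Accepts '*', '85-*', '*-500', '2000-3000', '2000:3000' and a single '2500'."""
    m = _SPEC.fullmatch(spec.strip())
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo_s, hi_s = m.group(1), m.group(2)
    if hi_s is None:                      # single port, or a bare '*'
        lo, hi = (PORT_MIN, PORT_MAX) if lo_s == "*" else (int(lo_s),) * 2
    else:
        lo = PORT_MIN if lo_s == "*" else int(lo_s)
        hi = PORT_MAX if hi_s == "*" else int(hi_s)
    if not PORT_MIN <= lo <= hi <= PORT_MAX:
        raise ValueError(f"port range {spec!r} out of order or out of range")
    return lo, hi


def normalise(spec):
    """Stored form: ranges always use ':' (the UI shows '-'); single ports as-is."""
    lo, hi = parse_port_spec(spec)
    return str(lo) if lo == hi else f"{lo}:{hi}"


def check_new_forward(existing, new_spec):
    """Return None if new_spec may be added, otherwise the reason it is rejected.
    existing: specs already forwarded for the same protocol. One interval test
    covers all three FAQ rules: ranges may not overlap, a single port may not sit
    inside a range, and a port may not be forwarded to several machines."""
    lo, hi = parse_port_spec(new_spec)
    hit = sorted(p for p in RESERVED if lo <= p <= hi)
    if hit:  # assumption: a range spanning a reserved port is refused as well
        return f"port(s) {hit} are reserved for Anaconda on the RED address"
    for spec in existing:
        elo, ehi = parse_port_spec(spec)
        if lo <= ehi and elo <= hi:       # closed intervals intersect
            return f"{normalise(new_spec)} overlaps existing forward {normalise(spec)}"
    return None


if __name__ == "__main__":
    table = ["2000-3000", "8080"]        # constructed sample of existing forwards
    for attempt in ("2500", "3000-3100", "3001:4000", "81", "*-500"):
        verdict = check_new_forward(table, attempt)
        print(f"{attempt:>10} -> {'ok' if verdict is None else verdict}")
```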

 

How do I support multiple webservers behind a single Anaconda firewall?

The typical way of doing this is to use virtual hosts in your webserver (IIS calls it something a bit different). For Apache 1.3 see: http://httpd.apache.org/docs/vhosts/index.html

Basically all of the domain names would resolve to the same IP address (your single RED) and the web server knows that www.foo.com starts at /home/httpd/foo/ and www.bar.com starts at /home/httpd/bar.

 

How do I disable the rule that forbids portforwarding on port 81?

You will need to do two things to avoid port conflicts.

First choose a new port that you want to let the Anaconda interface listen on. Do not choose 8080, 800 or 80 as squid is listening on 800 and if you have DansGuardian installed, it listens on 8080 and port 80 is used by webservers.

You need to edit the /etc/httpd/conf/httpd.conf file, search for all instances of 81 and replace them with your new port. Once you have done that, save your work and restart the web server with the following commands:
killall httpd
httpd -DSSL
 

Next we need to adjust the port forward page to allow you to forward port 81, but restrict a forward on your new port.

Edit /home/httpd/cgi-bin/portfw.cgi

Find line that looks like this:

    my @tcp_reserved = (81,222,445);

Change the 81 to the port number that you previously chose.
Save the changes.

You can now port forward on port 81.

[ ] 1.1 [ ]1.2 [x]1.3 Version 1.3 only

 

DMZ

 

What is a DMZ?

Anaconda's purpose in life is to only allow traffic to your computers that is in response to traffic that originated from your computers.

For example: Anaconda will let your computers send out a request for a web page as you browse, and the response from the web-site will get through. But if somebody tries to start reading files off of your computer as if it were a web-site, Anaconda won't allow that. Some users, however, want to run a web-server (or other servers) behind their Anaconda firewall.

It's much safer to do that by having the web-server on a totally separate network from your protected computers. This is because, by definition, computers accessible to the outside world, such as the web-server, are more at-risk. And it's better to put them in an "isolation ward" than have them in the same network as your protected computers.

This separate network is often referred to as a DMZ, de-militarized zone, since it is somewhat analogous to a DMZ in armed conflict. The DMZ is also referred to as the ORANGE network, while the Internet and Anaconda's connection to the Internet are RED, and all your protected computers are the GREEN network.

 

RED = danger (internet connection)
GREEN = safe (protected local area network)
ORANGE = DMZ (at-risk, but somewhat secured)

[x] 1.1 [x]1.2 [x]1.3 All versions
 

What are DMZ pinholes?

In order to allow a web-server (or other server) in the DMZ to operate, Anaconda must be configured to allow traffic to and from the web-server. The idea is to open up the smallest hole possible to allow the traffic to and from the DMZ (ORANGE) network only, without putting the GREEN network at risk.

This smallest hole possible in the firewall is called a pinhole.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Customising IP-Cop

 

Can I customise my Anaconda box?

Because your Anaconda box is based on Linux, many of the features used in Linux can be made available by your firewall. Anaconda is made to be easy to use, and the web interface reflects that. There are many features that are not made accessible by the web interface in order to keep it simple.

The important thing to remember is that the Anaconda box is primarily a firewall and a router. All the other features are "nice to have". Anything you do to your Anaconda box could reduce its effectiveness, and the programmers won't be looking out for security holes in programs you have added, so they won't be making patches either.

If you want something more general purpose than a dedicated firewall you can have a look at the Gateway/Servers in this comparison list.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Where do I start?

First of all, Anaconda is missing many of the programs usually found in a Linux distribution. This is deliberate, as the lower number of applications means the system is simpler and easier to keep secure.

Because of this, our way in and out of the IP-Cop box is via a program called SSH. SSH is a secure command line interface which allows remote access. Normally, SSH uses port 22, but in order to allow port 22 to be forwarded elsewhere, port 222 is used on the IP-Cop box.

Most Linux distributions now include the SSH suite of programs, and there is a freeware Windows client called PuTTY. SSH includes a file transfer client called SCP, and there is also a freeware Windows version called WinSCP. Between these two programs, you should have all the tools you need to customise IP-Cop.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How do I add features to an existing Anaconda service?

The configuration files in Anaconda can roughly be divided into two camps, those that are pre-configured, or set up during the install and those that can be modified by the web interface or setup program.

In most cases, if Anaconda can modify the file via the web interface or setup program it saves the information in a subdirectory in /var/Anaconda. The configuration file (usually in /etc) is then instead symbolically linked to the Anaconda version.

For example, if I want extra parameters to be given out by the DHCP server that aren't available via the web interface, what I need to do is overwrite the symbolic link in /etc with a new dhcpd.conf containing (e.g.) NetBIOS settings for my Windows machines, such as WINS servers and node types. Restart the service and you will find that these parameters will now be given out by Anaconda, ignoring its own settings.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

How can I add a new program to Anaconda?

Using SCP, you can download new files into the Anaconda box. This way you can add additional programs that may help you faultfind your network, or add additional functionality.

For example, IP-Cop does not have "traceroute" (it has tracepath, which has similar functionality). Using SCP (or WinSCP), simply copy the file from another Linux box into the appropriate folder (/usr/sbin, in this case), check the file permissions, and now you have a new tool on your Anaconda box.

In some cases it may be more complex than that, so you will have to work out what goes where.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Editing Files

You can run into problems if you edit text files on a Windows PC, and then transfer them to Anaconda. PC files have different line endings from Unix files.

The way to avoid this problem is to use Windows/Unix Text Editors that are aware of this. Ones to consider include:

 

Mac owners can use this free Text Editor

 

Alternatively, for folks who have to use a Windows editor, by far the easiest way is to save the file on the Windows machine in native Windows mode, transfer it to a work area /tmp on the Anaconda box, and then use this one-line gem to remove the carriage return characters.

tr -d "\015" < the_windows_file > the_unix_file

 

rc.local startup file

From version 1.3.0, if you want to run your own commands at startup, put them in a file named /etc/rc.d/rc.local, they will automatically run when Anaconda boots. The file is included in the set of files that are backed up onto floppy.

 

Troubleshooting

 

I can't get the boot floppy to work

Symptom

You boot the machine with the boot diskette, boot up, choose HTTP.. everything proceeds OK until it asks you to insert the Anaconda driver diskette. It pauses trying to read that diskette, then returns to the prompt telling you to insert the Anaconda driver diskette.

Cure

It's probably the media. Create a new disk using a brand new, unused diskette and try again, or a disk you can format with NO Errors.


[x] 1.1 [x]1.2 [x]1.3 All versions
 

I can't access the admin pages with Internet Explorer

Symptom

When you enter http://myproxy:81/ Internet Explorer hangs for a while and eventually says it can't access the page. Other browsers can access the page just fine. You are using msproxy server on your network.

Cure

IE can't reach Anaconda through the proxy server, and the 'do not use proxy server' function in IE's connection settings does not work (known bug). Uncheck use proxy server completely when you need to access Anaconda.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

Internet access just stopped

Symptom

You can no longer connect to the Internet.

Diagnosis

Check if the hard drive has been filled up, either by the web cache or by the log files.

Look at Anaconda's Information page, and scroll down to Disk usage. If a partition is reported as 100% used, that's your problem.

Cure

If it's the root partition (/), look at the size of the web proxy cache on the Services page. Try a smaller size, and then hit the Save button. The proxy should reconfigure itself fairly quickly, creating some space on the disk.

If it's the /var/log partition, log into the Anaconda box as root and inspect the contents of the /var/log directory.

cd /var/log
ls -al

Delete files with the rm command. Take care, it's a powerful command. For example, to remove all files in the current directory ending in 6.gz

rm *6.gz

Continue until you've created some space. There are also some other directories to look in for old log files. Snort, the Intrusion Detection System (IDS) creates large log files.

Apache logs are in /var/log/httpd
Snort logs are in /var/log/snort
Squid logs are in /var/log/squid

To avoid the problem in future, think about reducing the number of logs that are kept. The default is 8 cycles for the system logs and Apache, and 5 cycles for Snort, and Squid, so you could cut that to 3 or less if you are tight for space. (With 8 cycles you get the current log, and the eight previous logs in a compressed format).

Edit the /etc/logrotate.conf config file and change the value rotate 8 to rotate 3 to control the number of /var/log/httpd/access.log, /var/log/httpd/error.log, and system log files in /var/log.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

User(s) always logged on

Symptom

On Anaconda's Main Page there appears to be a user (or more than one user) logged on, when you know that's incorrect.

Diagnosis

The /var/run/utmp file that keeps track of logged in users has probably got out of sync, due to a broken ssh session or a crash.

Cure

Recreate the file with the command:

cat /dev/null > /var/run/utmp

 

Anaconda crashes regularly

Symptom 1

You can ping Anaconda, but you can't access the webadmin page, or use ssh for remote access until you reboot.

Diagnosis 1

If it happens overnight, or after a prolonged period of inactivity, it might be a low level power-saving option putting Anaconda to sleep.

Cure 1

 

Make sure any power-saving options in the BIOS are turned off.

 

Symptom 2

Your previously working IPCop installation suddenly starts to crash with kernel panics.

Diagnosis 2

It may be faulty hardware: CPU, RAM, disk, motherboard.

Cure 2

Boot the PC with Memtest http://www.memtest86.com/ (bootable CD or floppy) and run it for at least an hour, ideally overnight. If there are errors then there is a hardware problem. If no error is reported, run a low level diagnostic from your hard disk vendor. If you are running a PC that is old or in a slightly dusty environment, check for dust inside the case or a failed CPU or case fan.

eg. My Anaconda reported a problem with the hard disk and had a kernel panic when booting or after 10 minutes of being switched on from cold. This was a box that ran without ever crashing for over 6 months, no recent updates. Ran a HD diag, no problems. Opened the box and the CPU fan had failed. New fan fixed the problem.

-- SethR - 08 June 2003

 

The logs just vanished

Symptom

Information from the previous day's logs will not display.

Cure

The logs are automatically rotated and compressed early on a Sunday morning, but the information is still available if you need it. Every log file is numbered sequentially and compressed, so for instance messages becomes messages.1.gz, messages.1.gz becomes messages.2.gz, and so on until the oldest file is deleted. Log onto Anaconda and decompress the relevant file in the /var/log directory to access the information again.

In version 1.3 the logs are now kept, and can be viewed, for up to 52 weeks.
[x] 1.1 [x]1.2 [x]1.3 All versions
 

 

My Anaconda image from linitx.com is not working right after 1.3 fixes 3 applied

Symptom

Your Anaconda distro from linitx.com was working fine until you applied 1.3 Fixes 3. Now squid won't start, snort falls over after a little while and you wish you hadn't applied Fixes 3.

Cure

It seems there is no longer enough ramdrive allocated on startup. I set mine to 60MB, depending on how much RAM you have that might need adjusting.

vi /etc/lilo.conf

add the line

ramdisk=60000

near the start of the file. Run

lilo
shutdown -r now

Everything should be happy now.

[ ] 1.1 [ ]1.2 [x]1.3 Version 1.3 Fixes 3 only

 

 

 


Images and content are copyright to Lindengrove 2003

Site designed by Lindengrove