Anaconda FAQ
About this FAQ

What versions of Anaconda does this FAQ support?
This FAQ contains answers to frequently asked questions about stable release versions of Anaconda. To date this means versions 0.1.1 and 1.2. There are certain answers that were written for 0.1.1 and do not apply to 1.2 - we need to have a clear-out or update of the 0.1.1 answers. OK, 1.3.0 has just been released. There are a lot of questions being posted on the Anaconda-user mailing list regarding the features of 1.3. Please note that this FAQ may not answer your questions about 1.3 as it is in the process of being updated to include 1.3 features (maybe you could help us do this). In this FAQ the following show which version a section relates to:
General Anaconda questions

What is the Anaconda firewall?
Anaconda Firewall is a Linux firewall distribution geared towards home and SOHO (Small Office/Home Office) users. The Anaconda interface is very user-friendly and task-based. Anaconda offers the critical functionality of an expensive network appliance using stock, or even obsolete, hardware and Open Source software.
Anaconda lets you take an old PC and convert it into an appliance that will.

How does Anaconda Firewall work?
Anaconda Firewall basically sits "in between" your Internet connection (dial-up modem, cable modem, DSL, etc.) and your computers, and directs traffic using a set of rules for the TCP/IP traffic that underlies all Internet activities. The default rules, ideal for most users, are essentially simple in nature. They allow you to "surf" to the outside world and visit web sites, FTP, email and so forth. And as you go about your tasks on the Internet, Anaconda allows return traffic from those tasks, that you requested, to pass through. If, however, some random TCP/IP traffic comes in, requesting information from your computer, and that traffic is not in response to your requests, Anaconda Firewall refuses to respond, and logs that attempt. Thus, you are allowed to go about your normal business, but when the bad guys try to come after you, they are stopped cold, because they are not responding to your requests. Think of Anaconda Firewall as your friendly traffic cop down on the corner, making sure that things travel smoothly, and enforcing good rules on your Internet traffic.

Will I be able to do everything I did before?
Yes, but... :-) There are some applications which, under the hood, set up two channels of TCP/IP traffic for various reasons. For example, many online shoot-em-up games like Quake open up several TCP/IP channels so that high-priority messages such as movement and shooting the bad guys can get through on the priority channel, while the graphics are sent through a lower-priority channel. Similarly, NetMeeting and some NetMessenger applications open up multiple channels in order to facilitate multiple people talking at once. You can still use these games, but you'll need to do some post-installation configuration to alter the "Rules" a little bit so that Anaconda Firewall (your friendly traffic cop) will know about your specific exceptions.

What if I need remote access to my computers?
You can configure Anaconda Firewall and your remote computers to use VPN, which basically lets authorized remote computers "pretend" to be behind your firewall, even if, in reality, they are far, far away in a distant galaxy. Check out the Anaconda VPN documentation. You can remotely access your desktop from any location with an Internet connection; here is how.

Where can I talk to others about Anaconda?
Well, there is the Anaconda Users mailing list of course, and there is also the Anaconda IRC channel. To join the IRC channel just connect to the server irc.freenode.net and then join the Anaconda channel: #Anaconda

What are the benefits of Anaconda (software based firewall) over hardware based firewalls or other software based solutions?
Basically, a hardware-based firewall will require that you purchase the complete solution (hardware and software) for a rather hefty sum. Other software solutions are either commercial (you pay) or free and don't offer the level of security and/or ease of use that Anaconda does.

Sounds good. What gear will I need?
First, you'll need a whole new computer for Anaconda itself. This is not as excessive as it sounds. For one thing, Anaconda can run on obsolete hardware that many companies are literally throwing away as "useless". Anaconda Firewall will be connected to the outside world, so you'll need a cable and whatever kind of card (modem, NIC, etc.) that you would normally have in your computer. Exactly what you need for this connection depends on how you connect to the Internet, but you probably can simply move the existing cables and hardware from your current computer to Anaconda Firewall. Then, you'll need another cable and NIC in Anaconda Firewall to connect to your computer, or to your switch/router if you have several desktops to hook up. Finally, you'll need a NIC in your desktop computer, or one in each desktop computer if you have several desktops to hook up. Check the Installation Guide for more information.

Who do I speak to, to add feature x,y,z?
If you need a feature not yet found in Anaconda, it would be best to contact MarkWormgoor as he is the Development Team Manager.

I love it, how can I help?
Spread the word! ;) Seriously, we can only make Anaconda better by having more people using it to let us know where we can improve it. So tell everyone you can about it. If you happen to have a good background in Linux, Perl, XML, firewalling, support or security and have the time to give to the Anaconda Project, then contact CharlesWilliams for more information.

Can I sell Anaconda?
Please read the GNU article Selling Free Software.

Can I mirror the Anaconda ISO?
Certain people will be allowed to mirror the Anaconda ISO. We will keep an updated list of where these mirrors are and this list will contain the ONLY authorized list of mirrors. If you download an ISO from anywhere else then you may be downloading an ISO that has been tampered with. To be considered for approval to mirror Anaconda, contact CharlesWilliams.

This FAQ didn't help me. Where do I go next?
-- StInga - 16 Dec 2002

It's not really what I wanted...
Anaconda is only a firewall appliance. If you want a Connectivity Server, with network file shares, email etc., take a look at these alternatives:
Print Server appliance
Installation / Upgrades / Fixes

General

What is this big md5 number all about?
An md5 checksum is essentially a simple way of checking that the file you got has not been tampered with. Some super-complicated mathematics goes into it, but basically there is a complicated formula that we fed the actual ISO or upgrade file into, and out pops an md5 checksum. If you also feed your copy in, and get the same md5 checksum out, you can be certain that the file you got was complete, correct and untampered. Think of it as something like a safety seal on medicine or food products.

How can I check the md5 after downloading?
Under Linux, you can use the md5sum utility. For Windows, you need the Win32 port of the GNU utility MD5SUM (48KB). Now locate the Anaconda file you downloaded (ISO or patch) and run md5sum as follows:
This will return the MD5 fingerprint for manual comparison to the fingerprint published on the Anaconda web site, e.g.:
> md5sum Anaconda-0.1.0.iso
To check the MD5 fingerprint automatically (against a file), first copy the fingerprint to a file:
Then use md5sum to check the ISO against its fingerprint:
Your output should look like:
Further help can be gained from typing:
-- SoniaH - 14 Apr 2003 (and others), 10 Aug 2003
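As an added example, not from the original FAQ, here is a small POSIX shell script that automates the comparison described above: verify_md5 computes the md5sum of a downloaded ISO or patch and compares it with the fingerprint copied from the Anaconda web site, and check_with_md5sum does the same through a .md5 file and md5sum -c. The file name and checksum in the self-test are constructed.

```shell
#!/bin/sh
# verify_md5 FILE EXPECTED_MD5
# Computes the md5sum of FILE and compares it with the fingerprint copied from
# the Anaconda web site. Returns 0 on match, 1 on mismatch, 2 if FILE is missing.
# Take the fingerprint from the Anaconda site itself, not from the mirror that
# served the ISO: a mirror that altered the ISO could publish a matching sum too.
verify_md5() {
    file="$1"
    # normalise the published value: lower-case, no surrounding whitespace
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
    if [ ! -f "$file" ]; then
        echo "verify_md5: no such file: $file" >&2
        return 2
    fi
    actual=$(md5sum "$file" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected: $expected" >&2
    echo "  got:      $actual" >&2
    return 1
}

# check_with_md5sum FILE EXPECTED_MD5
# The same check done the way the FAQ describes: write the fingerprint into a
# .md5 file in md5sum's own "hash  filename" format and let md5sum -c verify it.
check_with_md5sum() {
    printf '%s  %s\n' "$2" "$1" > "$1.md5"
    md5sum -c "$1.md5"
}

# Constructed self-test: a fake ISO whose md5 is known
# (md5 of the five bytes "hello" is 5d41402abc4b2a76b9719d911017c592).
if [ "${1:-}" = "--selftest" ]; then
    tmp=$(mktemp -d)
    printf 'hello' > "$tmp/Anaconda-test.iso"
    verify_md5 "$tmp/Anaconda-test.iso" 5D41402ABC4B2A76B9719D911017C592
    check_with_md5sum "$tmp/Anaconda-test.iso" 5d41402abc4b2a76b9719d911017c592
    rm -rf "$tmp"
fi
```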
Installation gave me an error message. Now what?
Press ALT+F2 and copy down the last few lines of messages.

Why do I get Error 0x10 when I'm booting from the installation floppy?
Probably a bad floppy. Throw it away and make a new one. You might be more successful creating the floppy with the Linux/Unix dd command rather than making it from Windows. Check that the PC can actually boot from ANY bootable floppy.

What is this 1010101010 I get when I boot up?
That generally means that your hard drive is misconfigured, or simply too LARGE for Anaconda to use. You may be able to go into your BIOS and hand-tune the hard-drive parameters using XXX. Anaconda only supports hard drives up to YYY Megabytes at this time. Future releases may increase that limit. Some old PCs that do not support the El Torito CD boot format give this problem when booting from an Anaconda CD. Boot from a floppy disk instead and then select a CD install. If this does not work, boot from floppy and select HTTP install from one of your local servers.

How do I upgrade Anaconda?
At the moment upgrades between versions require a completely new install. From version 1.2.0 it is possible to save your settings onto a floppy disk in the Anaconda machine. The settings can then be restored from the floppy during the new install. Do this from the System > Backup page on the web admin interface.

How do I install an update?
Steps to perform an update:
Thanks to Ben Stanley

Are all patches accumulative, or do I need to apply each one in order?
Patches aren't accumulative, i.e. you have to install patch 1 before installing patch 2, etc.

Why does Anaconda not update the available patch list?
You have to have a working connection to the Internet to be able to download the list of available patches from the http://www.Anaconda.org website. Your ISP may be blocking a direct connection to the Anaconda site. ISPs that use transparent proxies or don't enforce any proxy do not have that problem. You need to change the following files:
Look for this line:
Change the hostname and the port number to your proxy server's name and port. Thanks to Jim Hiley for the fix. Anaconda version 1.2 and later includes a modification which will allow you to specify a remote proxy. You should also receive automatic notification on your Anaconda's Home page when new updates are available. If you don't receive them, this might be because you have a permanently-on connection, i.e. a leased line or ADSL.
The file
The file
-- StInga - 16 Jul 2002

Having errors / problems applying patches to Anaconda?
A known issue is that Opera (tested up to version 6.0) does not handle uploading the tar.gz patch files properly. Anaconda will report a bad or unauthorized patch in the "Error Messages" area (bottom of the 'Updates' screen). Solution: use another browser to upload the patch file to Anaconda. Patching should work fine with IE or Netscape.

How should I report an install problem?
All problems encountered with Anaconda should be addressed, initially, to the Anaconda Users mailing list after reading the FAQ and Install Guide. If it is not verified that this is a known problem, then contact the Anaconda Support Team directly.
Can I do an HTTP install from a Win9x/Me/2K/XP computer?
Yes, here are 3 easy steps to installing Anaconda from a Win9x/Me/2K/XP computer.
Step 1. Ensure that you have an HTTP server running on your Windows computer.
Step 2. Copy the Anaconda.tgz file from the Anaconda CD to a location that is "visible" to your HTTP server.
Step 3. Do the Anaconda installation.
Step 1. What! You do not have an HTTP server? Many of us don't. There are several freeware web servers available. Under XP (you need XP Pro, not XP Home, which has no IIS server), select IIS under Control Panel, Windows Components. TinyWeb has good installation documentation on its web site. It is strongly recommended that you use the suggested defaults, unless you have a very good reason to do something different, in which case you will know what you are doing and do not need these instructions. Let's assume that you have used the default and installed tiny.exe in C:\www\bin. Now add a test page:
<html>
<head>
<title>TinyWeb_Test_Page</title>
</head>
<body>
<h2>Tiny Web Test Page</h2>
<br> <hr> <br>
Any text you like here
</body>
</html>
Just cut-and-paste the HTML code to C:\www\root\index.html. You can now start TinyWeb and test it by entering http://yourcomputername/ as the URL in your favourite browser. Remember to replace "yourcomputername" with the actual name of your computer as defined in your C:\windows\hosts file, or the full dotted-quad IP address of your computer. You should see the test page displayed in your browser; if not, recheck that you have correctly followed the TinyWeb installation instructions.
Step 2. This is fairly easy - just insert your Anaconda CD into your CD-ROM drive and copy the Anaconda.tgz file to C:\www\root\files\Anaconda.tgz. Assuming that your CD-ROM is E:, the DOS command is:
copy E:\Anaconda.tgz C:\www\root\files\Anaconda.tgz
The reason we do this is that TinyWeb, like all well-behaved HTTP servers (and FTP servers too), will only serve files that are accessible from its "root" path, which is NOT C:\ as you might have thought.
Step 3. This is even easier - just follow the Anaconda instructions for an HTTP install. Remember that there will be no name resolution, so you must supply the full dotted-quad address of your TinyWeb computer, something like http://192.168.1.7/files/Anaconda.tgz, where you must change "192.168.1.7" to the actual IP address of your computer that is running TinyWeb. TinyWeb will serve up the Anaconda.tgz file and the installation will continue just as if you actually had a CD-ROM drive in your Anaconda computer. TinyWeb, Windows and other products and names mentioned here are copyrighted by their owners.

How do I change the date and time?
If you just want to set the clock by hand, log into the Anaconda console as root and execute the command:
for example:
To set the hardware clock from the system clock, execute the command:
To set the time from an NTP time server on the Internet, execute the command:
where you replace
From Anaconda v1.2 the ability to synchronize Anaconda's date and time with an NTP server was added to the web admin interface. You'll find it on the System > Time page.

How do I make a backup of Anaconda?
Find a 1.44M (often labelled as 2 Megabyte) floppy disk and format it. Check it has no errors. You can format the floppy under Windows or Linux. Note that any data already on the floppy disk will be lost. Insert the floppy disk into the Anaconda PC: not your desktop PC! Use the web-based interface on Anaconda, select System, Backup and click the "backup" button. Wait for the backup to complete; this can take a while.
Notes on backups: The disks MUST be formatted and free of media errors. Your floppy disk with the backup will not be readable under Windows or mountable under Linux; this is normal! Windows will report that the backup floppy is unreadable or unformatted even when the disk and the backup are fine. If you don't have another Linux PC you can format a floppy disk using Anaconda: log in as root and at the command prompt enter:
The backup has details of all your settings and also hardware (like the network cards installed). This means that you cannot restore from one PC to another unless they have the same network cards.
-- SethR - 21 May 2003

How can I translate the interface into another language?
Have a look at the HowToTranslate page for details.
Connection issues

My modem INIT string doesn't seem to be working right. What can I do?
The easiest thing to do is head over to the Modem Help web site. Make sure you have all information about your modem at hand so that the search is made easier.

Why can't I connect to my (Deutsche/German) T-Online Account?
Actually this is not an Anaconda problem. This has to do with the way T-Online issues accounts. You need to combine certain portions of your account information to be able to use a dial-up account. E.g.: To be able to log in using dial-up you need to combine the first three fields into the following:
This does not work for every account. This works only for the newer accounts from T-Online. For older accounts see the PPPoE Howto.

How do I get Anaconda working with Telstra BPA/DSL?
Lucien Wells wrote an outstanding Howto on connecting SW to Telstra services and it more than applies to Anaconda as well. You can view the Howto here. DO NOT USE THE TAR.GZ PACKAGE FROM THAT LOCATION! It is for SW ONLY and will not work on your Anaconda system. Instead use this one for Anaconda on BPA. You will also have to replace the
For Telstra DSL connections refer to the Lucien Wells Howto for Telstra DSL. If you are using Telstra with a modem, you might want to check out this on the add-ons page.

How do I get Anaconda working with ntl:home (UK) cable...
with a Pace ntl:home digital TV set top box?
You need to install Anaconda with at least two network cards for GREEN and RED; ORANGE is optional. Configure the RED network card to use DHCP. Configure the GREEN network card as usual. You must make sure that your workstations can browse the Anaconda web interface and that they are using the Anaconda for their default gateway and DNS. You will need to register the MAC address of the RED network card with NTL. This does not need to be done if the RED network card has previously been registered under Windows or another OS. Switch the cable set top box (STB) and your Anaconda off. Switch the STB on again. Switch your Anaconda machine on when the data light on the STB lights up. Your Anaconda should grab a private IP address from the cable head. You should then be able to access the computer provisioning pages using a browser on one of your client machines. Open a Java-enabled web browser and navigate to http://start.ntl and follow the instructions on the screen to register a new computer. You will need your PID and password. Remember that you will actually be registering the MAC address of the red NIC in the Anaconda machine. Once the Anaconda computer is registered you should switch the STB off then on again and reboot the Anaconda machine when the data light comes on. The red NIC should now get a public IP address assigned by DHCP from NTL and you can start browsing, etc.
With an ntl:home stand-alone cable modem?
Configure Anaconda as above with GREEN and RED network cards. Configure RED to use DHCP. Power the cable modem off then back on. Power up your Anaconda. It should be assigned a public IP address and you should be able to start browsing etc. If you have problems please see http://homepage.ntlworld.com/robin.d.h.walker/cmtips/swap.html

How can I check if Anaconda has a valid Internet connection before I run a program on one of my Linux boxes?
There is a simple solution to this (thanks go out to Brian Coyle for this little tidbit). Create a file named "IPC_state" and insert the following code:
Place IPC_state somewhere in your $PATH. To use it is fairly simple:
$ cat ~/bin/getmail
#!/bin/bash
# Only run the mail jobs when the firewall reports that the link is up
if IPC_state | grep "Connected" ; then
    /usr/sbin/sendmail -q
    fetchmail -s
fi
That's about all there is to it. Enjoy.

Is there a way to dial without a browser?
Yes. The "Anaconda Dialer." If you trust folks on the Green side of your LAN not to abuse the dial user's password, which will be in plain text in this file called "dialler.pl", and you understand the ramifications of this. (I used the name dialler.pl in this FAQ for simplicity.) Just replace "dial_password_here" with your password, copy it to your /bin directory, and make it executable.
#!/usr/bin/perl
# dialler.pl - bring the Anaconda dial-up link up or down from the command line.
# Usage: dialler.pl host dial|hangup
# The password is stored in plain text, so keep this file readable only by you
# (chmod 700) and only use it from the trusted GREEN side.
use strict;
use warnings;
use IO::Socket;
use MIME::Base64;

my $password = "dial_password_here";

my ( $xhost, $cmd ) = @ARGV;
die "Usage: dialler.pl host action\n\n" unless defined $cmd;

my $action;
if    ( $cmd eq "dial" )   { $action = "Connect"; }
elsif ( $cmd eq "hangup" ) { $action = "Disconnect"; }
else  { die "Invalid Action... use either dial or hangup\n\n"; }

# HTTP Basic auth only base64-encodes "dial:password"; it is not encryption
my $encoded = encode_base64( "dial:$password", "" );

my $sock = IO::Socket::INET->new(
    PeerAddr => $xhost,
    PeerPort => 81,
    Proto    => 'tcp'
) or die "Could not connect to host\n\n";

# The form body must match Content-Length exactly, so build it once
my $body = "ACTION=$action";
my $len  = length($body);

print $sock "POST /cgi-bin/dial.cgi HTTP/1.0\r\n";
print $sock "Authorization: Basic $encoded\r\n";
print $sock "Referer: http://$xhost:81/cgi-bin/index.cgi\r\n";
print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
print $sock "Content-Length: $len\r\n\r\n";
print $sock $body;

# Show the status line so an authentication failure (401) is visible
my $status = <$sock>;
print $status if defined $status;
close $sock;
A front end for this dialler.pl written in GTK and bash scripting. Note: make these all executable and copy them to your /bin directory.
bash script called "on":
#!/bin/bash
/bin/dialler.pl Anaconda dial
bash script called "off":
#!/bin/bash
/bin/dialler.pl Anaconda hangup
The gtk frontend:
/*
 * compile with "gcc -o dial `gtk-config --libs --cflags` dial.c"
 * Two buttons, "on" and "off", which run the /bin/on and /bin/off scripts above.
 */
#include <gtk/gtk.h>
#include <signal.h>
#include <stdlib.h>
#include <unistd.h>

/* "on" button: fork and exec the on script (no shell involved) */
static void on( GtkWidget *widget, gpointer data ) {
#if 0
    system( "on &" );
#else
    if( !fork() ) {
        execlp( "on", "on", NULL );
        _exit( 1 );    /* only reached if the exec failed */
    }
#endif
}

/* "off" button: same, with the off script */
static void off( GtkWidget *widget, gpointer data ) {
#if 0
    system( "off &" );
#else
    if( !fork() ) {
        execlp( "off", "off", NULL );
        _exit( 1 );
    }
#endif
}

int main( int argc, char *argv[] ) {
    GtkWidget *window;
    GtkWidget *button;
    GtkWidget *box1;

    /* let the kernel reap the exec'd scripts so they do not linger as zombies */
    signal( SIGCHLD, SIG_IGN );

    gtk_init (&argc, &argv);
    window = gtk_window_new (GTK_WINDOW_TOPLEVEL);
    gtk_signal_connect (GTK_OBJECT (window), "delete_event",
                        GTK_SIGNAL_FUNC (gtk_main_quit), NULL);
    box1 = gtk_hbox_new(FALSE, 1);
    gtk_container_add (GTK_CONTAINER (window), box1);

    button = gtk_button_new_with_label ("on");
    gtk_signal_connect (GTK_OBJECT (button), "clicked",
                        GTK_SIGNAL_FUNC (on), NULL);
    gtk_box_pack_start(GTK_BOX(box1), button, TRUE, TRUE, 0);

    button = gtk_button_new_with_label ("off");
    gtk_signal_connect (GTK_OBJECT (button), "clicked",
                        GTK_SIGNAL_FUNC (off), NULL);
    gtk_box_pack_start(GTK_BOX(box1), button, TRUE, TRUE, 0);

    gtk_widget_show_all(window);
    gtk_main ();
    return(0);
}
Okay, a sanity check: you should have four files, /bin/dialler.pl, /bin/on, /bin/off and /bin/dial. "dial" calls the bash scripts on/off, which then send the IP name to Anaconda, which controls the modem. Enjoy!

Is there a way to stop Anaconda from connecting to the Internet after a certain time of day?
Well, according to Roberto Garcia this is a simple matter and he has even posted info/instructions on a special site just for this situation. Head over to Roberto's Anaconda Howto for more info.

Why does my modem sometimes not recognize my dial-tone?
If you have call-waiting, and a message has been left for you, your phone may change the dial-tone from a steady tone to several tones, which your modem may not recognize. For most modems, you can correct this by changing the init string to: ATX3S6=4
My Dial-On-Demand connection keeps coming up - it's costing me money!!!!
Dial-on-demand connections are very useful when it comes to networks, as any computer that needs a connection to the Internet will bring up the link. However, you may find that a workstation will bring up the link without you asking for anything (or even being there), costing you money, sometimes only being noticed when the quarterly bill comes in.
There will be many reasons why a workstation will bring the link up. For example, it might be your virus checker looking for updates. When running a network connection to the Internet, your PC assumes it always has a connection. There are quite a few automatic updating programs that can cause problems, and there are "free" mp3 & CD playing software packages out there that check for updates as often as every three minutes. All this means it is not the fault of your Anaconda box; it is a workstation problem, and you need to look elsewhere.
The easiest place to start is to use the Information > Connections web page, and look at the "Masq Entries". This will show you all the "current" connections from the rest of your network: source (local) IP number, destination (foreign) IP number & ports. By using reverse IP lookups (in Windows NT, W2K and Linux you can use nslookup), you can track the "owner" of the destination server, which may help you track down the offending bit of software. You will also be able to determine which workstations are causing the problem (and there may be more than one), and there may be more than one software package on each workstation. If all this happens in the middle of the night, try activating Squid (the web proxy) in transparent mode, and then looking at the logs. This is not as effective, as it only proxies for certain ports, but it may save you a sleepless night or two.
It can be a tedious task, but please remember that it is not Anaconda that is causing the problem, but a poorly configured workstation or software package. Anaconda is only the bearer of the bad news, so do not shoot the messenger. Rather, rejoice in that your choice of Anaconda as your firewall can help you eliminate the source of the problem without having to use a packet sniffer and all the complications that may bring.
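As an added example, not part of the original FAQ, here is a POSIX shell/awk function that does the "Masq Entries" triage described above offline: it reads NAT connection-tracking lines and counts them per internal source host and destination host:port, most frequent first, so the chatty workstation stands out. It assumes the 2.4-kernel /proc/net/ip_conntrack line format (assumed to be what the Connections page displays); the sample lines and addresses are constructed.

```shell
#!/bin/sh
# summarise_masq GREEN_PREFIX
# Reads connection-tracking lines on stdin (2.4-kernel /proc/net/ip_conntrack
# format, assumed) and prints "count source destination:port", most frequent first.
# Only the first src=/dst=/dport= of each line (the original direction) is used,
# and connections whose destination is itself on GREEN are ignored, so what is
# left is the traffic that would have brought a dial-on-demand link up.
summarise_masq() {
    awk -v green="$1" '
    {
        src = ""; dst = ""; dport = ""
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n != 2) continue                  # skips "tcp", "[ASSURED]" etc.
            if (kv[1] == "src"   && src   == "") src   = kv[2]
            if (kv[1] == "dst"   && dst   == "") dst   = kv[2]
            if (kv[1] == "dport" && dport == "") dport = kv[2]
        }
        if (index(src, green) == 1 && index(dst, green) != 1)
            count[src " " dst ":" dport]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample: .20 keeps polling one web server, .30 does a DNS lookup to
# the firewall itself (ignored) and holds one chat session on port 5190.
SAMPLE_CONNTRACK='tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.7 sport=1052 dport=80 src=203.0.113.7 dst=192.168.1.20 sport=80 dport=1052 [ASSURED] use=1
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.7 sport=1053 dport=80 src=203.0.113.7 dst=192.168.1.20 sport=80 dport=1053 [ASSURED] use=1
udp      17 29 src=192.168.1.30 dst=192.168.1.1 sport=1024 dport=53 src=192.168.1.1 dst=192.168.1.30 sport=53 dport=1024 use=1
tcp      6 119 TIME_WAIT src=192.168.1.20 dst=203.0.113.7 sport=1054 dport=80 src=203.0.113.7 dst=192.168.1.20 sport=80 dport=1054 [ASSURED] use=1
tcp      6 300 ESTABLISHED src=192.168.1.30 dst=198.51.100.9 sport=1100 dport=5190 src=198.51.100.9 dst=192.168.1.30 sport=5190 dport=1100 [ASSURED] use=1'

# top_talker GREEN_PREFIX: the busiest "source destination:port" pair in the sample
top_talker() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | summarise_masq "$1" | head -n 1
}

# On the firewall itself, run it over the live table:
#   summarise_masq 192.168.1. < /proc/net/ip_conntrack
```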
How do you get Anaconda to automatically restart a connection if it goes down?
Have a look at this in the add-ons / hacks section. Please read the warnings first.

My ADSL is temporarily down. How do I get my modem working?
If your ADSL is temporarily down (say, because you're moving), a lot of ISPs will give you a temporary analog modem number to dial up on. So how do you get Anaconda to use the modem?
1. ssh to your Anaconda, and stop your red interface:
ifconfig eth2 down
2. delete the file /var/Anaconda/red/active:
rm /var/Anaconda/red/active
3. refresh your Anaconda web interface - you should now be able to add a PPP interface like normal (to be tested when my ADSL comes back ;-)). To get your ADSL back, just restart your Anaconda.
-- SoniaH - 07 Apr 2003

Hardware Issues
How can I use my Alcatel Speedtouch Pro/Home Ethernet Modem/Router?
It is often easier to use an Ethernet device than a USB device. A number of manufacturers have SOHO "routers" that are really designed as a shared access device using NAT. Rather than going to the trouble and expense of a routed subnet of public IP numbers, you can often use these devices in PPTP relay mode. The information here is specific to the Speedtouch Pro and Home, but should work with all similar products.
Configuring Anaconda
Build your Anaconda box with a Red Ethernet interface. Set the Red IP type, number and subnet to PPTP. The default IP address for an Alcatel Speedtouch router is 10.0.0.138 (netmask 255.255.255.0), so select an appropriate address for your RED network (e.g. 10.0.0.1/255.255.255.0) if this is still the case. If your Alcatel Speedtouch router has a different IP address, make sure that you set a valid Red IP address for the network that is going to connect to it. Normally, the DNS server and default gateway addresses will be negotiated by ppp directly with the ISP, so you shouldn't need to specify any values for DNS server or default gateway. Use a web browser to connect to Anaconda from the green network. Set up a profile for your ISP, and enter information into the following: Interface (PPTP), Persistent (YES), Connect on Restart (YES), Max Retries (10, or 0 for continuous), Idle Timeout (0), username (e.g. 0123456789@adsl.isp.net), password, PAP & CHAP, DNS set to Manual and enter ISP IP numbers. If you are not using the default Alcatel Speedtouch values, you need to configure the IP address of the ADSL router. This is done on the PPTP page, which can be accessed by selecting "Dialup" from the main menu on the left, and then "ppp settings". There is a section there called "Additional PPTP settings:". Here, enter your Speedtouch IP address in the "Router IP Address". Also in this section, enter "pc1" in the phonebook entry. There are many settings here that aren't relevant for this type of connection.
Configuring the Alcatel Speedtouch ADSL Router
Once your Anaconda box is up and running, any client on the Green network should be able to access the Alcatel Speedtouch web interface. Point a web browser to http://10.0.0.138/ (or whatever IP address your Alcatel Speedtouch actually has) and you will see the web interface for the device. Delete every single entry in the router's phone book, including the pre-configured ones. Also disable DNS and DHCP in the router - it's an overhead that does nothing for you in this configuration - and SET A PASSWORD. Once the phonebook is clear, add a new entry called pc1. You will need to know the VPI and VCI numbers from your ISP (0,38 in the UK, 0,100 for Telecom New Zealand) and the connection type is PPTP. Add this and go to the PPTP config page. On the PPTP page, select the encapsulation and HDLC framing ("vcmux" and "never" in the UK, and for Telecom New Zealand), and add it. You will note that there is a "state" column. When the link is up, you will see an entry here that says "In Use (10.0.0.1)". Keep this page up in the browser so that you can check later. Click save, then go to the home page and try connecting. If all goes according to plan, when the pptp link comes up, it will write the default route into the routing table, so double check on the info page, in the ppp0 entry, that the IP number after p-t-p is the same you entered during setup. If it isn't, use the shell interface and the setup username & password to change it. As soon as the pptp link comes up, your router bridges all the traffic over the "tunnel" to your Anaconda box, so you are now live and closed for business!!
-- SteveLang - 31 Dec 2002
Does IP-Cop support the Fujitsu FDX310 ADSL USB Modem?This is supported using the ECI USB driver - see http://eciadsl.flashtux.org/?lang=en for details
Which ADSL hardware is supported by the ECI USB driver?For the latest list see http://eciadsl.flashtux.org/modems.php?lang=en&supported=yes
My Network card won't Autodetect
When you do the install, use the "SELECT" option rather than autoprobe, and when it gives you a list of cards, look at the top of the list and select MANUAL (some people mistake it for the header rather than an option). When you use this option, it prompts you with a text box. You enter the driver name followed by the options. So for example, for an NE2000 card you would enter the following line:
ne io=0x300 irq=10
If you had two cards the same, you would enter
ne io=0x300,0x220 irq=10,5
or, if that doesn't work, swap the settings and try
ne irq=10,5 io=0x300,0x220
Anaconda should then detect the card and allow you to assign it. Lots of people using old ISA cards (like the 3Com 3C509) have lots of problems until they realise that the ISA cards must have a different interrupt AND memory address BEFORE the installation will detect them. 3Com have bootable disk images to configure these cards.

How do I configure multiple NE2000 NICs?
When asked to identify the cards, select SELECT and then MANUAL, and type the following:
ne io=0x300,0x320 irq=11,5
You will need to change the values to match your own cards.

How do I change my GREEN nic driver?
This happened to me when installing from one machine with a CD-ROM and PCI slots; I moved the HD to a machine with only ISA slots (and no CD-ROM drive) and the setup script had no way for me to change this. Log in at the console as root with the password you created in the setup/install process and type "vi /var/Anaconda/ethernet/settings", change the settings (hit the insert key), save the file (:xit) and reboot ("shutdown -r now"). An easy way to get the new settings is to use the setup scripts to assign the nic you want to be GREEN to RED or ORANGE, and then when you edit the file above, the info you want will be set up for the other colour (don't forget to erase it from those lines in the file). It gets a little complicated if you also have two NE ISA nics, so here are a few lines from my file (this is for a GREEN and RED system and doesn't show all the IP lines you'll find in the file, but they are needed).
CONFIG_TYPE=2
GREEN_DRIVER=ne
GREEN_DRIVER_OPTIONS='io=0x340,0x300 irq=12,9'
GREEN_DEV=eth0
GREEN_DISPLAYDRIVER=ne
ORANGE_DEV=
RED_DEV=eth1
RED_DRIVER=
RED_DRIVER_OPTIONS=
RED_DISPLAYDRIVER=ne
Configuring 3C509B-TPO ISA NICs
During the boot WATCH and be sure the cards are detected. If you get 3c509 has a problem during softboot. The second and third cards will not be detected unless you cycle the power. This is problem going back to pre-Redhat 6.2
Can Anaconda use my HD44780 compatible LCD?
Yes. Check out http://lcdproc.omnipotent.net/. You might also want to check the netlcd screen which is available from the addons page; it will display data transfer rates on whatever interface it is given as an argument, i.e. ppp0, eth0, etc. Robert Wood has prepared a tarball with the code you need to get started. It contains a small HOWTO, a circuit diagram and three binaries. Get it from here. To install it, scp the file to the root directory (
How do I remove a keyboard from a Compaq and still boot
Go into the BIOS and set machine type to 'server'. Go to www.compaq.com and search for no_f1.com. (--StInga - 23 Apr 2002 - need to add more to this)
My BIOS has no way of disabling "Halt on Keyboard Errors"
Normally in BIOS there is an option to "halt on errors" when a motherboard does its checks. Modern BIOS usually have a way of disabling this, but some older BIOS don't. A useful trick is to buy a really cheap membrane keyboard which has a small circuit board about 7cm x 3cm inside. You can remove this, resolder the cable so that it is really short, and put it inside a small matchbox sized case. Top marks to Mike Rigby for this tip.
How do I change the MAC Address of my RED Interface
This is a frig for 1.2 only!!! Edit /var/Anaconda/ethernet/settings. Add this line after the other lines starting RED:
RED_HWADDR=hh:hh:hh:hh:hh:hh
Replace the hh with the required hex MAC address. Edit /etc/rc.d/rc.netaddress.up. Add the "ifconfig $RED_DEV hw ether $RED_HWADDR" lines, so that the RED section reads:
if [ "$CONFIG_TYPE" = "2" -o "$CONFIG_TYPE" = "3" ]; then
    if [ "$RED_DEV" != "" ]; then
        if [ "$RED_TYPE" = "DHCP" ]; then
            rm /etc/dhcpc/*.info -f
            ifconfig $RED_DEV hw ether $RED_HWADDR
            /sbin/dhcpcd -h $RED_DHCP_HOSTNAME -R $RED_DEV
        elif [ "$RED_TYPE" = "STATIC" -o "$RED_TYPE" = "PPTP" ]; then
            ifconfig $RED_DEV hw ether $RED_HWADDR
            ifconfig $RED_DEV $RED_ADDRESS netmask $RED_NETMASK broadcast $RED_BROADCAST up
            if [ "$RED_TYPE" = "STATIC" ]; then
                /usr/local/bin/setaliases
            fi
            if [ "$DEFAULT_GATEWAY" != "" ]; then
                route add default gw $DEFAULT_GATEWAY
            fi
        else
            ifconfig $RED_DEV 1.1.1.1 netmask 255.255.255.0 broadcast 1.1.1.255 up
        fi
    else
        echo "WARNING: No driver set for RED"
    fi
else
    if [ ! -e /var/Anaconda/red/active ]; then
        if [ "$DOMAIN_NAME" = "" ]; then
            /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases
        else
            /usr/local/bin/dnsmasq -l /var/lib/dhcp/dhcpd.leases -s "$DOMAIN_NAME"
        fi
    fi
fi
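As an added example (not from the FAQ and not one of Anaconda's own scripts), the following POSIX shell functions write the RED_HWADDR line into a settings file laid out like the one above, rejecting anything that is not six colon-separated hex pairs and never producing a second RED_HWADDR line. The settings content and the address used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not part of the Anaconda FAQ or of Anaconda's own scripts.
# Writes RED_HWADDR=<mac> into a settings file laid out like
# /var/Anaconda/ethernet/settings, after validating the address format.

valid_mac() {
    # Exactly six colon-separated pairs of hex digits (hh:hh:hh:hh:hh:hh).
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

set_red_hwaddr() {
    settings=$1
    mac=$2
    if ! valid_mac "$mac"; then
        echo "set_red_hwaddr: '$mac' is not of the form hh:hh:hh:hh:hh:hh" >&2
        return 1
    fi
    tmp="$settings.tmp"
    if grep -q '^RED_HWADDR=' "$settings"; then
        # Already present: replace the value rather than adding a second line.
        sed "s/^RED_HWADDR=.*/RED_HWADDR=$mac/" "$settings" > "$tmp"
    else
        # Place the new line after the last existing RED_ line, as the FAQ says;
        # append at the end if the file has no RED_ lines at all.
        last=$(grep -n '^RED_' "$settings" | tail -n 1 | cut -d: -f1)
        if [ -n "$last" ]; then
            awk -v n="$last" -v m="$mac" '{ print } NR == n { print "RED_HWADDR=" m }' \
                "$settings" > "$tmp"
        else
            cat "$settings" > "$tmp"
            echo "RED_HWADDR=$mac" >> "$tmp"
        fi
    fi
    mv "$tmp" "$settings"
}

red_hwaddr_of() {
    # Print the configured RED_HWADDR value, or nothing if the line is absent.
    sed -n 's/^RED_HWADDR=//p' "$1"
}

# Demonstration on a constructed copy of the settings layout shown in this FAQ;
# the address is made up and belongs to no real device.
demo=$(mktemp)
printf '%s\n' 'CONFIG_TYPE=2' 'GREEN_DEV=eth0' 'RED_DEV=eth1' 'RED_DRIVER=' \
    'RED_DRIVER_OPTIONS=' 'RED_DISPLAYDRIVER=ne' > "$demo"
set_red_hwaddr "$demo" 00:11:22:aa:bb:cc
cat "$demo"
rm -f "$demo"
```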
Security
Is Anaconda Stateful?
Releases 0.1.1 of Anaconda up to and including 1.2 are not stateful as they are based on IPChains technology. Version 1.3 uses IPTables, and is a fully stateful firewall.
What are IPCHAINS/IPTABLES?
IPChains and IPTables are the basic "guts" of how Anaconda decides what traffic to allow. Version 1.2.0 and below of Anaconda use IPChains. Versions 1.3.x and up use IPTables. You'd never use both at once. In any case, IPChains and IPTables allow Anaconda to set up rules for what sorts of TCP/IP traffic to allow through your firewall. You have to allow some traffic, just to be able to do anything useful like e-mail or browsing the web. Anaconda starts off with the strictest rules possible that still allow most users to do the most common tasks. You may need to alter the rules slightly in order to be a little more permissive in what traffic you allow, in order to perform some tasks like playing on-line games or using 'net messenger or video-conferencing software.
What is the recommended way to monitor Anaconda?
You should look at your log files every day, particularly at the firewall and IDS logs. Take a look at the "Logging" section of this FAQ to understand what the log entries mean.
Pros and cons of scanning sites
Various web-sites "out there" on the Internet will allow you to plug in your IP address, and they will "scan" your firewall to see if it's working. While that seems like a really Good Idea (tm), consider this: you don't really know who runs that site. You don't know if their site has been hacked, and you are simply handing out your IP address to a malicious user. In theory, Anaconda will stop any problems from these sites. But it's really not all that useful to use them, and you can find software to run on an external web-server you control, or find somebody you actually trust to scan your firewall. Also, many of the scanning sites don't do a really good job of what they claim to do in the first place.
LeakTest says Anaconda is not working?
LeakTest from http://grc.com is a bit misleading. It is not designed to test an edge firewall like Anaconda. Why? The initial release of LeakTest worked by pretending: Furthermore: "LeakTest v1.0 is used by RENAMING it - from Leaktest.exe to some other program filename - to simulate the behavior of malware which could easily alter its own name in order to masquerade as a valid and permitted application." While this is a valid check of the functionality of a personal firewall running on a client machine, it has no relevance to an edge firewall. Anaconda blocks services, not individual applications connecting to the internet. Detecting malicious Trojans etc. is the domain of a good virus scanner. In other words: LeakTest tests what happens if a user (not you, of course) is stupid enough to ignore all the warnings and runs an executable attached to an email. Anaconda is not designed to stop that kind of behavior. Educating users and keeping virus scanners up to date is your only hope for that.
Why do ports 1024 and above appear to be open?
This is normal with versions 1.2.0 and below. The majority of services are run on ports 1023 and below. Blocking ports 1024 and higher is not normally needed, and would instead interfere with genuine traffic. However, with version 1.3.x and above, stateful firewalling allows these to be closed by default without affecting genuine traffic.
What is this IDS (Intrusion Detection System)?
Anaconda includes an Intrusion Detection System (IDS) called Snort. An IDS is an important part of any network security architecture. It provides a second layer of defense right after the firewall. An IDS examines network traffic, at the packet level, for suspicious patterns that may indicate an attack or compromise attempt on your network. These suspicious patterns are specified by the rule set. Whenever the IDS sees a pattern that matches a rule, an entry turns up in the IDS log. Note that such an entry does not necessarily mean that a system was compromised (see also the "I've got stuff in my logs..." section of this FAQ). An IDS does not block any traffic; it merely alerts system administrators when potentially hostile traffic is detected.
How should I update the IDS rule set?
IDS rule set updates will be provided by patches to the current release of Anaconda. Patches will not be provided for prior versions of Anaconda.
How can I stop the IDS from logging things that I do not want logged?
The rules for IDS reporting are in /etc/snort. You can open these rules in an editor and comment out or modify any rule you want to stop or make operate differently. For example, Snort logs a "MISC Large ICMP Packet" every time I check for mail. In this case, the rule is in /etc/snort/misc.rules and is the first rule. Instead of commenting it out, I raised the threshold by 700 bytes, from 800 to 1500, and saved the rule file back. Once I modified the IDS rules, I stopped the IDS and restarted it to make the rule changes active. Another problem I have is that Snort warns me about IRC packets ("INFO Possible IRC access"). I don't have a problem with IRC packets being on my network since I use IRC often, so I disabled the IRC warning altogether in /etc/snort/policy.rules by commenting it out with a # at the beginning of the line. Don't forget to stop/start Snort after you edit Snort rules and policies.
Can I prevent some firewall logging from being generated?
Yes, but currently it requires you to manually edit your firewall rules table. If you are adept at Linux firewall rules, the rules for Anaconda are located in /etc/rc.d/rc.firewall.up. Of course, manually editing your firewall rules can break them. If this happens, you get to keep both pieces.
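The two edits described above, scripted as an added example (not from the FAQ and not part of Snort): one function comments out the rule whose msg matches, the other raises a rule's dsize threshold. The rules file is constructed to look like Snort 1.x rules (sids and references left out), and the functions assume the msg text contains no regular-expression metacharacters.

```shell
#!/bin/sh
# Added example, not part of the Anaconda FAQ or of Snort. Edits a rules file of
# the kind kept in /etc/snort by the rule's msg text. Snort must still be stopped
# and started again afterwards, as the FAQ says, for the change to take effect.

disable_snort_rule() {
    # Comment out the active rule(s) in $1 whose msg is exactly $2.
    file=$1
    msg=$2
    sed "\\|^alert .*msg:\"$msg\";|s|^|# |" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

set_snort_dsize() {
    # Change "dsize: >N;" on the active rule(s) in $1 whose msg is exactly $2 to >$3.
    file=$1
    msg=$2
    size=$3
    sed "\\|^alert .*msg:\"$msg\";|s|dsize: *>[0-9]*;|dsize: >$size;|" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

rule_dsize() {
    # Print the dsize threshold of the rule in $1 whose msg is exactly $2.
    sed -n "\\|msg:\"$2\";|s|.*dsize: *>\\([0-9]*\\);.*|\\1|p" "$1"
}

active_rule_count() {
    # Number of uncommented alert rules in $1 (grep -c exits 1 on zero, hence || true).
    grep -c '^alert ' "$1" || true
}

# Demonstration on a constructed rules file with the two rules the FAQ mentions.
rules=$(mktemp)
cat > "$rules" <<'EOF'
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large ICMP Packet"; dsize: >800; classtype:bad-unknown;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"INFO Possible IRC access"; content:"NICK "; classtype:not-suspicious;)
EOF
set_snort_dsize "$rules" "MISC Large ICMP Packet" 1500   # 800 -> 1500, as in the FAQ
disable_snort_rule "$rules" "INFO Possible IRC access"
cat "$rules"
rm -f "$rules"
```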
How secure is wireless?
Wireless networking is only as secure as you make it. This includes many factors (read this FAQ to get a better picture of the problem and some solutions) such as the type of authentication used as well as the use of a firewall. Version 0.2 of Anaconda will include an Amber Zone (Wireless DMZ) which will support CIPE, IPSec or VPNd encrypted connections among other things.
Can Anaconda help me secure WEP?
The current version of WEP has been proven to be weak in a number of key scheduling areas. This has led to tools, such as AirSnort, that have the capability to passively sniff your wireless traffic and determine your WEP key. Several wireless vendors are either enhancing WEP to be more robust or investigating alternative solutions. Read 'How secure is wireless' for more information.
Is there a reason why UDP is not open for replies from Orange to Green, like TCP is?
This is only true for versions of Anaconda BEFORE Anaconda 1.3. Yes, there is a reason. Since the firewall isn't stateful, UDP packets don't have "replies" in the same way that TCP packets do. Anaconda 1.3 and later use a 2.4 kernel to handle this ability. If a version of Anaconda 1.2 or earlier is used and the firewall is left open for "replies" from UDP requests, it's open to everyone. When the basic structure for DMZ pinholes etc. was created, it was discovered that port scans went through the firewall using nmap -sU and could tell what machines were running what UDP services. That's when UDP returns from Orange to Green were locked down.
Logging
I've got stuff in my logs: Does that mean I've been hacked?
Not necessarily. There are two places that contain security related log entries. Logs > Firewall contains the firewall logs. What you see here are connection attempts from the outside that were deflected. This is of interest because it will tell you what ports people are trying to attack you on. Things in this log DID NOT make it into your network. Not every log entry indicates a malicious attempt to break into your network. An entry could also indicate a mistake (someone mis-typing an IP address and accidentally connecting to your network), a mis-configured device, etcetera. For the most part, the firewall logs are useful to indicate what was going on, in case you need to figure out why something that should get through doesn't. Logs > Intrusion Detection System contains the IDS logs. What you see here are connections that DID make it into your network and contained signs of an attack. Again, this does not necessarily mean that someone was breaking into your network. Some of the rules that trigger the IDS can also be triggered by normal traffic. If you're certain that the IDS is triggered by legitimate traffic you might consider turning the corresponding rule off (see also "How can I stop the IDS from logging things that I do not want logged?"). It is wise to always investigate what caused an IDS log entry. It might be that you were attacked.
What logs are kept on Anaconda
Linux logging is in /var/log, with messages being the main system log. Other interesting logs in this directory are:
dmesg: hardware info gathered during the Linux bootup process
Apache logs are in /var/log/httpd and consist of access_log, error_log, ssl_request_log and ssl_engine_log.
Snort logs are kept in /var/log/snort and consist of alert and portscan.log.
Squid logs are kept in /var/log/squid and consist of access.log, cache.log and store.log.
How do I get my logs off Anaconda
You can use SCP or WinSCP to copy the logs to another machine. You need to turn on SSH using the web front end. If you are accessing the Anaconda remotely, open port 222 on RED. Remember that Anaconda runs SSH on port 222, not port 22!
How can I use a different machine for logging messages?
See this in the add-ons / hacks section. Please read the warning first.
Can I configure the logs to be compressed?
Many of the logs are rotated into a compressed format already. Active logs are not compressed so they can be easily accessed for presentation in the administration panel.
How long are the logs kept for?
Anaconda version 1.2 and older: Logs in /var/log are rotated weekly and kept for 8 cycles. Logs in /var/log/squid are rotated weekly and kept for 5 cycles. Logs in /var/log/snort are rotated weekly and kept for 5 cycles.
Anaconda version 1.3: Logs in /var/log are rotated weekly and kept for 52 cycles. Logs in /var/log/squid are rotated weekly and kept for 52 cycles. Logs in /var/log/snort are rotated weekly and kept for 52 cycles.
The logs are automatically rotated and compressed early on Sunday mornings, so if you look for information from the previous week, it will appear to have vanished. The information is still there, but you will have to decompress the relevant file to access it. Look in the
To force a rotation of the logs, logon as root and execute the command:
Can the logs be sent to a database?
This is a basic Linux distribution, so anything can be accomplished with enough hacking. There are no database managers running or installed on Anaconda.
What can I use to analyse the logs?
There are many utilities available to analyze Linux logs. There are also utilities to analyze Snort and Squid logs. Please see the respective project web pages for further information.
My ISP is filling my logs with IGMP or PIM packets. How can I stop logging those?
See this in the IP-Cop add-ons / hacks page. Please read the warning.
My log is filling with Net-BIOS (137) packets. How can I stop logging these?
See this answer in the AnacondaAddons page.
IP Proxy
What is the web accelerator?
The web accelerator is a high-performance proxy caching server that helps to lower outbound traffic requests and therefore speed up the general web browsing experience.
How do I get to the low level configuration?
The Squid configuration file is /etc/squid/squid.conf
Is web content filtering supported?
DansGuardian made a patch available that integrates it into Anaconda. The patch file and instructions on how to install DansGuardian on Anaconda can be found in the AnacondaDGHowto
Can I block certain web sites?
Yes. Login to the Anaconda console as root and edit a file named /etc/hosts. Add a line that starts with the address 0.0.0.0 followed by the hostname of the offending website. Do not remove or change the first two lines of /etc/hosts! Example /etc/hosts:
127.0.0.1 localhost
192.168.x.x Anaconda
# Add comments if you like.
0.0.0.0 www.offendingwebsite.com
0.0.0.0 www.bumpywall.org
Reboot and you are done.
Can I block annoying ads?
Yes. Using the same method as above, add lines as needed to your /etc/hosts. A utility located at http://ssmedia.com/utilities/hosts/ has a maintained listing of adservers. http://www.everythingisnt.com/hosts.html has an updated list for Linux (so it will work with Anaconda); if you are worried about installing it on a firewall there is a simple to use installer for Windows which you can try out on a test PC. An easy way is to ssh into Anaconda from an Xconsole or, in Windows, Putty, and cut and paste from the adserver list.
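An added example (not from the FAQ) that merges an adserver list into an /etc/hosts laid out as above without hand pasting: it writes "0.0.0.0 name" lines, leaves the first two lines and any existing entry alone, and accepts list lines that are bare hostnames or "address hostname" pairs. The hosts file content and the list are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Anaconda FAQ. Merges a downloaded blocklist into
# an /etc/hosts laid out as the FAQ shows, appending "0.0.0.0 name" lines and
# never touching the first two lines. List lines may be bare names or
# "address name" (the 127.0.0.1 form many adserver lists use); comments and
# blank lines are skipped, and names already mapped are not added twice.

add_blocked_hosts() {
    hosts=$1
    list=$2
    sed 's/#.*//' "$list" | awk 'NF { print tolower($NF) }' | sort -u |
    while read -r name; do
        # Skip localhost and anything that is not a plain hostname.
        case "$name" in
            localhost|*[!a-z0-9.-]*) continue ;;
        esac
        # Already mapped (to any address)? Leave the existing line alone.
        if awk -v h="$name" 'tolower($2) == h { found = 1 } END { exit !found }' "$hosts"; then
            continue
        fi
        echo "0.0.0.0 $name" >> "$hosts"
    done
}

blocked_count() {
    # Number of 0.0.0.0 entries in $1 (grep -c exits 1 on zero, hence || true).
    grep -c '^0\.0\.0\.0[[:space:]]' "$1" || true
}

is_blocked() {
    # Succeeds if $2 is mapped to 0.0.0.0 in $1.
    awk -v h="$2" '$1 == "0.0.0.0" && tolower($2) == h { found = 1 } END { exit !found }' "$1"
}

# Demonstration on a constructed hosts file and a constructed adserver list.
hosts=$(mktemp)
list=$(mktemp)
printf '%s\n' '127.0.0.1 localhost' '192.168.1.1 Anaconda' \
    '0.0.0.0 www.offendingwebsite.com' > "$hosts"
printf '%s\n' '# constructed adserver list' '127.0.0.1 ads.example.net' \
    '127.0.0.1 localhost' 'WWW.OFFENDINGWEBSITE.COM' \
    'banners.example.org # trailing comment' '' > "$list"
add_blocked_hosts "$hosts" "$list"
cat "$hosts"
rm -f "$hosts" "$list"
```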
DHCP
What is DHCP?
DHCP = Dynamic Host Configuration Protocol
Every computer on the Internet has a unique IP address like 123.23.89.13. No two computers have the same number and you simply can't be on the Internet unless you have a number. Usually, humans don't work with those numbers directly. We type stuff like "Anaconda.org" and our computer looks up the IP address for us. When you set up your Anaconda firewall, only Anaconda has a "real" IP address on the RED interface facing the Internet. The rest of your computers, behind the firewall (on the GREEN interface), have "internal" IP addresses which you need to set up. According to RFC1918, you should use private subnet addresses like: 10.x.x.x ...where you can supply any number from 0 to 255 for the x component. But, you still need a unique IP address for every computer on the network behind your firewall. Anaconda itself has an IP address in that range to use for talking to your GREEN network. For one or two computers, this is no big deal. However, some people are using hundreds of computers behind their Anaconda firewall, and a human trying to keep track of which computer is using which IP address can be a real problem. DHCP solves that problem. A DHCP server can be started on Anaconda and its job is to hand out IP addresses to the client computers that request one. When you set up DHCP on Anaconda, you allocate a range of DHCP addresses in your private subnet and then configure the client computers to use the Anaconda DHCP service to get their IP addresses. (From here on, we'll call the Anaconda DHCP server your DHCP host.) When each client computer starts up, it asks the DHCP host for an IP address, and the DHCP host gives it one that's not currently in use. The DHCP host keeps track of which numbers are free and which ones are leased by a client. You don't permanently own the address you get from your DHCP host, you lease it. Once the DHCP host gives a client computer an address, the clock starts ticking.
At the end of the lease period, the DHCP host checks to see if the client is still using the IP address. If it is, the lease is renewed. This renegotiation process repeats at the end of every lease period. If the client doesn't answer the lease renewal request, the IP address is automatically returned to the pool of unused numbers waiting for the next client requesting DHCP service. This is much easier than you having to keep track of which computer is using which IP address. Once you set DHCP up, just be sure you never set a machine to use a fixed IP address from the DHCP range you have set aside. It's common to use a range like 192.168.1.100 to 192.168.1.199 for DHCP, or some other set of nice round numbers that fits the size of your organization. DHCP is particularly handy for laptop/portable computers, since you can then plug into somebody else's network without worrying about which IP address to use. Their DHCP host will simply hand you an unused IP address, just like your DHCP host.
When should I use (and not use) DHCP?
You should not use DHCP for any computers/printers/equipment that people would be expected to want to use as a shared resource. Web-servers, printers, email servers, etc. should probably be given a specific static IP address, so people know which IP address is assigned to those devices and these known addresses do not change. You might not need to bother with the five minutes it takes to set up DHCP if you only have one computer -- though if it's a laptop, you probably should, since you can then plug it into any DHCP network easily. If you have lots of computers to configure, save yourself the hassle of remembering which IP is which computer, and use DHCP for anything that's not a shared resource.
Where can I see a list of DHCP leases given out by Anaconda?
Look in /var/lib/dhcp/dhcpd.leases. Note: Times in this file are in GMT, not local time zones.
Can I configure DHCP to associate a record with a WINS server?
Not in version 0.1.1, but you can in version 1.2
Why do I care about MAC addresses?
MAC addresses are the unique identifier built into every ethernet network interface card. These unique identifiers are what allow DHCP to repeatedly give the same IP address to the same machine every time. There are other uses for MAC addresses, but this is the primary one in relation to Anaconda.
How do I enter MAC addresses for static DHCP assignments?
MAC addresses must be entered using a colon as a separator, i.e. aa:bb:cc:dd:ee:ff.
DNS
Note: As of v1.2.0 DNRD was replaced with DNSMASQ. For more info on DNSMASQ see http://thekelleys.org.uk/dnsmasq/doc.html. Note that you will have to download the source package and see the readme.txt file for full documentation.
How can I access my servers via their public domain names from the internal network?
There are 3 options
1. On the Anaconda Machine edit /etc/hosts (this is explained in the next question in the FAQ) and define the local server name with the local (orange or green) address. Make sure that the client PCs that need to access the local servers are using the Anaconda as their DNS Server.
-- SethR - 08 June 2003
Can I add IP addresses?
Yes you can! You need to edit /etc/hosts. DNRD will try to resolve ipaddress by...
DNRD loads the contents of /etc/hosts when it starts, so modifying /etc/hosts and not restarting DNRD does nothing.
Restarting DNRD
#!/bin/sh
. /var/Anaconda/ethernet/settings
if [ "$RED_TYPE" = "DHCP" ]; then
    DNRD_DNS1=`/etc/rc.d/helper/getdnsfromdhcpc.pl 1`
    DNRD_DNS2=`/etc/rc.d/helper/getdnsfromdhcpc.pl 2`
    . /etc/dhcpc/dhcpcd-${RED_DEV}.info
elif [ "$RED_TYPE" = "STATIC" ]; then
    DNRD_DNS1=$DNS1
    DNRD_DNS2=$DNS2
fi
echo x=$DNRD_DNS1
if [ "$RED_TYPE" != "PPPOE" -a "$RED_TYPE" != "PPTP" ]; then
    if [ "$DNRD_DNS1" != "" ]; then
        if [ "$DNRD_DNS2" != "" ]; then
            /usr/local/bin/dnrd -s $DNRD_DNS1 -s $DNRD_DNS2
        else
            /usr/local/bin/dnrd -s $DNRD_DNS1
        fi
    else
        echo "WARNING: No DNS servers available"
        /usr/local/bin/dnrd
    fi
else
    /usr/local/bin/dnrd
fi
Restarting DNSMASQ
After you have made changes to the /etc/hosts file you will need to let the dnsmasq program know that it should reread its config files. To do this you should send it the HUP signal. One way of doing this is with the command "killall -HUP dnsmasq". You could also look up the PID for dnsmasq with the "ps aux" command and then use "kill -HUP (dnsmasq PID)" where (dnsmasq PID) is what you found from the ps command.
Where do my entries in /etc/hosts go?
Due to a bit of bodged coding, whenever network stuff is modified via setup, it rewrites
Why can users on my Green network not access a DNS Server on Orange even though users on Red can?
If you use Anaconda 1.2 you will not be able to access a DNS server on Orange from Green (Red to Orange is fine). This is not a bug but by design. UDP from Orange to Green is blocked on Anaconda 1.2. Anaconda 1.3 supports this as it is handled by the 2.4 kernel. If you need to access a DNS Server on Orange from Green, upgrade to 1.3.
VPN
What is a VPN?
A VPN is a Virtual Private Network. It is a way of allowing computers that aren't really directly connected to the same network to pretend that they are. The basic idea is that you have two Anaconda computers, very far away from each other, that need to be connected as if they were all one network. The traffic that travels over the VPN is all encrypted, so it's very secure. A most excellent VPN document is here: AnacondaVPNHowto
Why do I want a VPN?
With a VPN, you can access other machines across the internet as if they were on the same LAN segment as your own. The traffic travelling across the internet is encrypted.
I've read the FAQ, the documentation and my VPN still won't connect. What now?
There are two sources for help with ipsec, Anaconda's VPN. Obviously, the first choice would be the Anaconda user mailing list. SuperFreeS/WAN is an open source project, too. Check its web site for support. In many cases, you should get complete documentation for your problem. Log in to your Anaconda as root and issue the following command:
ipsec barf > /tmp/problem.txt
This will dump everything about ipsec to the file /tmp/problem.txt. Use scp or pscp from another machine to copy the file to it and include it in your email. You may need to do this on both sides of your VPN.
How should I implement the VPN between two Anaconda servers?
How do I get the VPN to come up automatically?
The built in VPN in Anaconda will start automatically when both ends of the connection are available.
How do I forward PPTP to an internal MS VPN Server (prior to 1.3.0)?
Microsoft's PPTP software is rather buggy and insecure; you should make sure that you have applied all the service packs and hotfixes to all the computers before starting this. Using the Anaconda web interface forward port 1723 to the IP of your PPTP server. Then log into the firewall command line interface and run:
ipfwd --masq
To make the second change permanent add the ipfwd command to the end of the /etc/rc.d/rc.network file.
How do I forward PPTP to an internal MS VPN Server (1.3.0 and above)?
Use the Anaconda web interface to forward port tcp/1723 to the IP of your PPTP server. Then forward the GRE protocol to your PPTP server, also using the web interface. That's it!
How do I connect to a remote Microsoft PPTP server?
Unanswered, but suggested question
How do I connect to a remote Microsoft IPSec server?
Have a look at http://jixen.tripod.com/
How do I connect a Win2K (XP) client to Anaconda
There is a fairly complicated HOWTO at VPN.EBOOTIS.DE, but Darren Critchley has added a detailed explanation of how to connect a Win2K (or XP) client to Anaconda to the AnacondaVPNHowto page.
How do I connect a IPsec client behind Anaconda to a remote IPSec Server?
To run an IPSec client through IP masquerading you have to enable IPSec passthrough on your Anaconda. Use your browser to log in to your Anaconda as the "admin" user and then go to the VPNs web page. Enable IPSec passthrough in the Global settings section.
How do I connect to a remote Nortel server?
Marcus Loeken suggested the solution below, after searching the web and finding this post with a helpful solution. RickNSD wrote an interesting answer (the question was about using a D-Link router), linked to this page on D-Link's website...
I too just resolved my Nortel Contivity 4.6 w/ D-link 764 (802.11 a & b) issue. I used the resolution listed at d-link specifically for the Contivity Client http://support.dlink.com/faq/view.asp?prod_id=1153&question=DI-614+ Two things I did differently: 1) Had to make sure the EACfilt driver was bound/checked to each NIC using the Contivity Client. 2) To avoid having to use only 1 client as a virtual server, I made firewall entries directly instead, as follows (read L to R as Source then Destination):
Allow VPN -9550 WAN,(IP range of contivity switches) LAN,* UDP,9550
Allow VPN -9550 WAN,(IP range of contivity switches) LAN,* TCP,9550
Allow VPN -1723 WAN,(IP range of contivity switches) LAN,* TCP,1723
Allow VPN -1723 LAN,* WAN,(IP range of contivity switches) TCP,1723
Allow VPN -500 LAN,* WAN,(IP range of contivity switches) UDP,500
Allow VPN -500 WAN,(IP range of contivity switches) LAN,* UDP,500
I followed all other instructions on the d-link document. The Contivity Client did have the 'disable keepalives' checked and with group authentication. My VPN connection flies now (used to have an SMC barricade 7004AWBR) and have no issues with the configuration so far. Hope this helps someone.
So Marcus added some ports to the portforwarding section of his Anaconda (ver. 1.2.0), and now it looks like this:
UDP DEFAULT IP 500 192.168.63.100 500
UDP DEFAULT IP 9550 192.168.63.100 9550
TCP DEFAULT IP 9550 192.168.63.100 9550
TCP DEFAULT IP 1723 192.168.63.100 1723
The 192.168.63.100 is the IP of his laptop. And he says "now it works!!! I can connect with the Nortel Contivity client ver. 4.7!" Thanks Marcus :) -- EricOberlander - 05 May 2003
How do I connect to a remote Checkpoint Securemote server?
This worked with SecureClient NG Feature Pack 3 HF 1 (build 53515). Attempts with Feature Pack 2 haven't been successful. Use your browser to log in to your Anaconda as the "admin" user and then go to the VPNs web page. Set the Local VPN IP to the computer running SecureClient and check Enable. Save your changes. On the Services->Port forwarding page add the following rule:
Protocol: UDP
For better security, set the source IP to the address of your VPN gateway. This can be determined by trying to connect to the VPN server before enabling the port forwarding above. Your firewall log will show several connection attempts from the VPN gateway to port 2746 on your red interface. Thanks to Dag Christensen - 01 Jul 2003
Remote Access
What is recommended way to administer Anaconda
The web interface provided by IP-Cop is the best way of administering your Firewall. It needs no software on the client computer that isn't already installed. If you need to do anything more complicated, for example after installing a new network card, then replugging a keyboard and monitor would be one option (and the only one if the network is now down). The other method is to use SSH. SSH is a secure command line interface, which is very powerful. There are SSH clients for most operating systems.
Why can't I telnet to Anaconda?
Many well documented exploits, along with readily available Telnet password sniffing tools, make Telnet too insecure to be included in Anaconda. Use SSH instead.
Can I enable telnet to Anaconda?
Anything is possible, but we would recommend not to. SSH is a secure replacement with the same functionality.
What is SSH, why is it better than Telnet?
SSH is (S)ecure (SH)ell and uses cryptography to overcome known weaknesses with Telnet. When logging on to a server using telnet both your user name and password are transmitted in clear text. These can then be replayed by an attacker to gain access to your account. SSH sessions encrypt traffic with block ciphers that prevent sensitive data from being sniffed from the wire. Telnet is commonly used in the Windows world because Windows doesn't come with an SSH client.
Where are some free SSH clients?
Windows, Macintosh, Unix. You can find more extensive lists of SSH clients for various (other) operating systems on http://www.freessh.org
Why can't I SSH to Anaconda?
SSH usually listens on port 22. However Anaconda uses port 222. All SSH connections to the machine need to specify port 222. And remember to turn on SSH.
How do I turn on SSH?
Open the web interface to Anaconda. Select the Remote Access menu item. In v1.2 this was moved to the System > ssh menu item. Check the box next to SSH and press the SAVE button.
How do I expose SSH to the outside world?
Open the web interface to Anaconda. Select the Services/External Service Access menu item. Add an entry for: TCP
Press the SAVE button.
* You can restrict this access to a single ip address or a subnet for more security than just opening it to the entire world. To use a single ip address, simply enter the