BOT - Frequently Asked Questions
 
   

Overview

1 - Which MAC address is the admin MAC? Is it the one from my IPCop or the one from my client PC?

2 - Can BlockOutTraffic be configured to allow more than one machine to access the IPCop administration page via the WebGUI from green? Is it possible to have more than one "admin"?

3 - Why do I have to enter an admin MAC and an HTTPS port?

4 - I have entered the wrong MAC address and I'm locked out from my IPCop now.

5 - When I enable BOT, my Traffic / Service XYZ stops working and I don't know what is wrong!?

6 - I can't enter protocol and port anymore?

7 - Why is OrangeAsGreen no longer included / available for IPCop 1.4?

8 - I applied an IPCop update and now BlockOutTraffic is no longer available in the WebGUI?

9 - I want to use the (transparent) web-proxy on IPCop. Which rule(s) do I need?

10 - I have some port-forwardings from internet to internal PCs. Do I have to enter rules which allow the PCs to answer port-forward requests?

11 - I'm not sure if the rules are created correctly, how can I display all BOT-related iptables rules?

12 - The IPCop backup features do not copy the /var/ipcop/fwrules directory. In fact, I see that the /var/ipcop/fwrules directory has been explicitly excluded by means of /var/ipcop/backup/exclude.user. Why is that?

13 - I want to manage my IPCop from a remote location and created an "External Access" in the IPCop "External Access" page. (Or "I have created a BOT allow rule for service XY.") But as soon as I enable BOT, the remote access (or service XY) is not working. The BOT FAQ #5 does not help me. What is wrong?

14 - When I want to restrict a rule using a custom [IP] address, all PCs/IPs in the LAN can use this rule, not only the IP in the custom address. What have I done wrong?


1 - Which MAC address is the admin MAC? Is it the one from my IPCop or the one from my client PC?
It is the one from the client PC you administer IPCop from.

2 - Can BlockOutTraffic be configured to allow more than one machine to access the IPCop administration page via the WebGUI from green? Is it possible to have more than one "admin"?
YES, it is possible. Create an IPCop access rule for each admin.

3 - Why do I have to enter an admin MAC and an HTTPS port?
IPCop access is blocked by default, which is why you initially have to enter an admin MAC and HTTPS port. Without such an admin rule you would be locked out of IPCop and unable to access the WebGUI anymore.

4 - I have entered the wrong MAC address and I'm locked out from my IPCop now.
Log in to your IPCop with a monitor and keyboard attached. Once logged in, type:
iptables -F BOT_INPUT # iptables -F CUSTOMINPUT for older BOT version
This flushes all the IPCop access (and deny) rules. Now you are able to enter the WebGUI, disable BOT and change the admin MAC.

5 - When I enable BOT, my Traffic / Service XYZ stops working and I don't know what is wrong!?
BOT blocks all traffic which is not explicitly allowed. Go to your BOT settings and enable the logging of packets which have not matched a BlockOutTraffic rule. Re-enable BOT and try your service again. Then look into the IPCop firewall logs under "WebGUI->Logs->Firewall Log" for the blocked traffic to get some hints about which rule is missing. Now you should be able to create the missing BOT rule.

6 - I can't enter protocol and port anymore?
You should define a custom service in "Advanced Firewall Config". Once a custom service is available, you can select it in the rule creator.

7 - Why is OrangeAsGreen no longer included / available for IPCop 1.4?
In 1.4 you can use BLUE instead of ORANGE. On BLUE the web proxy is still available, so the extra OrangeAsGreen mod is no longer necessary. For full OrangeAsGreen (or, better said now, BlueAsGreen) support, you only have to deny access from GREEN to BLUE and from BLUE to GREEN, which is now possible via BOT's rule creator.

8 - I applied an IPCop update and now BlockOutTraffic is no longer available in the WebGUI?
The update has overwritten header.pl or the language files, which removed BOT from the menu or removed the BOT language entries. Currently there is no way to restore BOT in the WebGUI other than to remove and reinstall BOT to get it back into the menu.
When you remove and reinstall BOT you will not lose your rules; the settings and config are saved and restored automatically!

9 - I want to use the (transparent) web-proxy on IPCop. Which rule(s) do I need?
You only need one "IPCop access" rule. This rule has to allow access to IPCop on the proxy port (the default proxy port is 800). It is best to create a custom service in the "Advanced BOT config" page with TCP and the proxy port. Then you can select the custom service in the rule creator.
Regardless of whether you use the proxy in transparent mode or not, you always have to use the proxy port. It is NOT necessary to create an HTTP (port 80) rule when you use the proxy!

10 - I have some port-forwardings from internet to internal PCs. Do I have to enter rules which allow the PCs to answer on port-forward requests?
No, you only have to enable "Allow related, established connections" in the BOT settings. This rule allows PCs to reply to the outside when they respond to an existing connection (opened from the internet via port-forwarding).
NOTE:
You should always check port-forwardings from the outside, never from the inside! IPCop without BOT has a rule that allows checking from the inside, but this no longer works with BOT enabled, even though the port-forwarding is working from the outside.

11 - I'm not sure if the rules are created correctly, how can I display all BOT-related iptables rules?
Run the commands:

iptables -nvL CUSTOMFORWARD && \
iptables -nvL CUSTOMINPUT && \
iptables -nvL BOT_FORWARD && \
iptables -nvL BOT_INPUT
You should see the list of all BOT-related rules. In the CUSTOM* chains you should see the two BOT_* entries (the jumps into BOT_FORWARD and BOT_INPUT). The BOT_* chains contain all iptables rules created by BOT.

12 - The IPCop backup features do not copy the /var/ipcop/fwrules directory. In fact, I see that the /var/ipcop/fwrules directory has been explicitly excluded by means of /var/ipcop/backup/exclude.user. Why is that?
The reason is simple: if the backup included the BOT config and you installed IPCop 'B' with the config from 'A', the BOT files from 'A' would end up on 'B' (you may want this, but I will explain why I didn't want it).
Now when you:
  1. ... do not install BOT on 'B', the files would just lie around as leftovers.
  2. ... install BOT on 'B', BOT would detect the files and think BOT is already installed, though it isn't. Also, if the backed-up BOT files are from an older BOT version than the one you install on 'B', it would not work.
If you want to copy the config from one IPCop to another one, look in the Tips 'n' Tricks section.

13 - I want to manage my IPCop from a remote location and created an "External Access" in the IPCop "External Access" page. (Or "I have created a BOT allow rule for service XY.") But as soon as I enable BOT, the remote access (or service XY) is not working. The BOT FAQ #5 does not help me. What is wrong?
Check whether you have created your own block rules via the BOT Rule Creator, for example the "Reduce Firewall Log" rules. Such a block rule is probably blocking your external access (or service XY).

14 - When I want to restrict a rule using a custom [IP] address, all PCs/IPs in the LAN can use this rule, not only the IP in the custom address. What have I done wrong?
You defined the IP address with a subnet mask other than /32 (255.255.255.255). If you enter the IP 192.168.0.5 with a mask of 255.255.255.0, every IP in 192.168.0.* matches this rule. Simply edit the custom address, set the mask to 32 (255.255.255.255) and you are done.
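The mask arithmetic behind this answer, as an added example (not part of the BOT FAQ or the BlockOutTraffic code): it computes which hosts a custom address with a given mask really matches and flags entries that were meant for one PC but carry a wider mask. The custom address names and IPs are constructed for illustration.

```python
import ipaddress

# Added example, not BlockOutTraffic's own code. Shows what a BOT custom
# address matches for a given mask; sample entries below are constructed.

def custom_address_network(ip: str, mask: str) -> ipaddress.IPv4Network:
    """Return the network a custom address actually covers.

    mask may be a prefix length ("32") or dotted ("255.255.255.255"), the
    two forms the FAQ mentions. strict=False keeps the host bits of ip, so
    192.168.0.5 with 255.255.255.0 becomes the whole 192.168.0.0/24.
    """
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)


def rule_matches(ip: str, mask: str, host: str) -> bool:
    """True if a packet from/to `host` is matched by the custom address."""
    return ipaddress.ip_address(host) in custom_address_network(ip, mask)


def hosts_covered(ip: str, mask: str) -> int:
    """Number of addresses the custom address matches (1 for a single host)."""
    return custom_address_network(ip, mask).num_addresses


def audit_custom_addresses(entries):
    """Find custom addresses whose mask is wider than a single host.

    entries maps a custom address name to (ip, mask). Returns a dict of
    name -> network actually matched for every entry that is not /32.
    """
    return {
        name: str(custom_address_network(ip, mask))
        for name, (ip, mask) in entries.items()
        if custom_address_network(ip, mask).prefixlen != 32
    }


if __name__ == "__main__":
    # Constructed entries: one correct single host, one with the /24 mistake.
    entries = {
        "admin-pc": ("192.168.0.5", "255.255.255.255"),
        "file-server": ("192.168.0.5", "255.255.255.0"),
    }
    print(rule_matches("192.168.0.5", "255.255.255.0", "192.168.0.77"))  # True
    print(rule_matches("192.168.0.5", "32", "192.168.0.77"))             # False
    print(hosts_covered("192.168.0.5", "255.255.255.0"))                 # 256
    print(audit_custom_addresses(entries))  # {'file-server': '192.168.0.0/24'}
```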

FAQ last changed 10 October 2007

IPCop - The Bad Packets Stop Here

BlockOutTraffic - The Firewall WebGUI Addon for IPCop


 
  Created 2006 by dotzball | Design by wintermute