1 - Which MAC address is the admin MAC? Is it the one from my IPCop or the one from my client PC?
2 - Can BlockOutTraffic be configured to allow more than one machine to access the IPCop administration page via the WebGUI from green? Is it possible to have more than one "admin"?
3 - Why do I have to enter an admin MAC and an HTTPS port?
4 - I have entered the wrong MAC address and I'm locked out from my IPCop now.
5 - When I enable BOT, my Traffic / Service XYZ stops working and I don't know what is wrong!?
6 - I can't enter protocol and port anymore?
7 - Why is OrangeAsGreen no longer included / available for IPCop 1.4?
8 - I applied an IPCop update and now BlockOutTraffic is no longer available in the WebGUI?
9 - I want to use the (transparent) web-proxy on IPCop. Which rule(s) do I need?
10 - I have some port-forwardings from internet to internal PCs. Do I have to enter rules which allow the PCs to answer port-forward requests?
11 - I'm not sure if the rules are created correctly, how can I display all BOT-related iptables rules?
12 - The IPCop backup features do not copy the /var/ipcop/fwrules directory. In fact, I see that the /var/ipcop/fwrules directory has been explicitly excluded by means of /var/ipcop/backup/exclude.user. Why is that?
13 - I want to manage my IPCop from a remote location and created an "External Access" in the IPCop "External Access" page. (Or "I have created a BOT allow rule for service XY.") But as soon as I enable BOT, the remote access (or service XY) is not working. The BOT FAQ #5 does not help me. What is wrong?
14 - When I want to restrict a rule using a custom [IP] address, all PCs/IPs in the LAN can use this rule, not only the IP in the custom address. What have I done wrong?
1 - Which MAC address is the admin MAC? Is it the one from my IPCop or the one from my client PC?
It is the one from your client PC, the machine you administer IPCop from.
2 - Can BlockOutTraffic be configured to allow more than one machine to access the IPCop administration page via the WebGUI from green? Is it possible to have more than one "admin"?
YES, it is possible. Create an IPCop access rule for each admin.
3 - Why do I have to enter an admin MAC and an HTTPS port?
IPCop access is blocked by default, which is why you have to initially enter an admin MAC and HTTPS port. Without such an admin rule you would be locked out from IPCop and no longer be able to access the WebGUI.
4 - I have entered the wrong MAC address and I'm locked out from my IPCop now.
Log in to your IPCop with monitor and keyboard attached. When you are logged in, type:
iptables -F BOT_INPUT    # use: iptables -F CUSTOMINPUT  for older BOT versions
This flushes all the IPCop access (and deny) rules. Now you are able to enter the WebGUI, disable BOT and change the admin MAC.
5 - When I enable BOT, my Traffic / Service XYZ stops working and I don't know what is wrong!?
BOT blocks all traffic which is not explicitly allowed. Go to your BOT settings and enable the logging of packets which have not matched a BlockOutTraffic rule. Re-enable BOT and try your service again. Then look into the IPCop Firewall Logs under "WebGUI->Logs->Firewall Log" for the blocked traffic; the logged entries tell you which rule is missing. Now you should be able to create the missing BOT rule.
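A small helper for the step described above, written for this FAQ and not part of BlockOutTraffic itself: it reads kernel-style iptables log lines, groups the dropped packets by direction and destination port, and prints a hint whether an "IPCop access" (INPUT) rule or an outgoing (FORWARD) rule is missing. The log lines and the "BOT_DROP" prefix are constructed for the example; the log prefix BOT really uses may differ.

```python
import re
from collections import Counter

# Constructed sample lines in the kernel/iptables log format. The "BOT_DROP"
# prefix is an assumption for this example, not necessarily BOT's real prefix.
SAMPLE_LOG = """\
Oct 10 12:00:01 ipcop kernel: BOT_DROP IN=eth0 OUT=eth1 SRC=192.168.0.5 DST=203.0.113.10 PROTO=TCP SPT=51234 DPT=443 SYN
Oct 10 12:00:02 ipcop kernel: BOT_DROP IN=eth0 OUT=eth1 SRC=192.168.0.5 DST=203.0.113.10 PROTO=TCP SPT=51235 DPT=443 SYN
Oct 10 12:00:03 ipcop kernel: BOT_DROP IN=eth0 OUT= SRC=192.168.0.5 DST=192.168.0.1 PROTO=TCP SPT=51236 DPT=800 SYN
Oct 10 12:00:04 ipcop kernel: BOT_DROP IN=eth0 OUT=eth1 SRC=192.168.0.7 DST=198.51.100.2 PROTO=UDP SPT=5060 DPT=5060 LEN=60
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one iptables log line as a dict, or None."""
    if "IN=" not in line:
        return None
    return dict(FIELD_RE.findall(line))

def summarize_drops(log_text):
    """Count dropped flows by (chain, proto, src, dst, dport).
    An empty OUT= means the packet was addressed to IPCop itself (INPUT chain,
    needs an 'IPCop access' rule); a set OUT= means forwarded traffic (FORWARD)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if not f:
            continue
        chain = "INPUT" if f.get("OUT", "") == "" else "FORWARD"
        counts[(chain, f["PROTO"], f["SRC"], f["DST"], f.get("DPT", "-"))] += 1
    return counts

def suggest_rules(counts):
    """Turn the counters into readable hints about which BOT rule is missing."""
    hints = []
    for (chain, proto, src, dst, dport), n in counts.most_common():
        if chain == "INPUT":
            hints.append(f"{n}x {src} -> IPCop {proto}/{dport}: needs an 'IPCop access' rule")
        else:
            hints.append(f"{n}x {src} -> {dst} {proto}/{dport}: needs an outgoing rule")
    return hints

if __name__ == "__main__":
    for hint in suggest_rules(summarize_drops(SAMPLE_LOG)):
        print(hint)
```

On a real IPCop you would feed it the lines from the firewall log instead of SAMPLE_LOG.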
6 - I can't enter protocol and port anymore?
You should define a custom service in "Advanced Firewall Config". Once a custom service is available you can select it in the rule creator.
7 - Why is OrangeAsGreen no longer included / available for IPCop 1.4?
In 1.4 you can use BLUE instead of ORANGE. On BLUE the webproxy is still available, so the extra OrangeAsGreen mod is no longer necessary. For full OrangeAsGreen (or, better said now, BlueAsGreen) support, you only have to deny access from GREEN to BLUE and from BLUE to GREEN, which is now possible via BOT's rule creator.
8 - I applied an IPCop update and now BlockOutTraffic is no longer available in the WebGUI?
The update has overwritten header.pl or the language files, which removed BOT from the menu or removed the BOT language entries. Currently there is no other way to restore BOT in the WebGUI than to perform a remove / install of BOT to get it back into the menu. When you remove / install BOT you will not lose your rules: the settings and config are saved and restored automatically!
9 - I want to use the (transparent) web-proxy on IPCop. Which rule(s) do I need?
You only need one "IPCop access" rule. This rule has to allow access to IPCop on the proxy port (the default proxy port is 800). It is best to create a custom service in the "Advanced BOT config" page with TCP and the proxy port; then you can select the custom service in the rule creator. Regardless of whether you use the proxy in transparent mode or not, you always have to use the proxy port. It is NOT necessary to create an HTTP (port 80) rule when you use the proxy!
10 - I have some port-forwardings from internet to internal PCs. Do I have to enter rules which allow the PCs to answer port-forward requests?
No, you only have to enable "Allow related, established connections" in the BOT settings. This rule allows PCs to reach the outside when they respond to an existing connection (one opened from the internet by port-forwarding).
NOTE: You should always check port-forwardings from the outside, never from internal! IPCop without BOT has a rule that lets you test from internal, but this no longer works with BOT enabled, even though the forwarding itself still works from outside.
11 - I'm not sure if the rules are created correctly, how can I display all BOT-related iptables rules?
Run the commands:
iptables -nvL CUSTOMFORWARD && \
iptables -nvL CUSTOMINPUT && \
iptables -nvL BOT_FORWARD && \
iptables -nvL BOT_INPUT
You should see the list of all BOT-related rules. In the CUSTOM* chains you should see the two jumps into the BOT_* chains. The BOT_* chains contain all iptables rules created by BOT.
12 - The IPCop backup features do not copy the /var/ipcop/fwrules directory. In fact, I see that the /var/ipcop/fwrules directory has been explicitly excluded by means of /var/ipcop/backup/exclude.user. Why is that?
It's a simple reason: if the backup included the BOT config and you installed IPCop 'B' with the config from 'A', the BOT files from 'A' would end up on 'B' (you may want this, but I will explain why I didn't want this).
Now when you:
- ... do not install BOT on 'B', the files would just lie around as leftovers.
- ... install BOT on 'B', BOT would detect the files and think it is already installed, though it isn't. Also, if the backed-up BOT files are from an older BOT version than the one you install on 'B', it would not work.
If you want to copy the config from one IPCop to another one, look in the Tips 'n' Tricks section.
13 - I want to manage my IPCop from a remote location and created an "External Access" in the IPCop "External Access" page. (Or "I have created a BOT allow rule for service XY.") But as soon as I enable BOT, the remote access (or service XY) is not working. The BOT FAQ #5 does not help me. What is wrong?
Check if you have created your own block rules via the BOT Rule-Creator, for example the "Reduce Firewall Log" rules. You are probably blocking your external access (or service XY) with such a block rule.
14 - When I want to restrict a rule using a custom [IP] address, all PCs/IPs in the LAN can use this rule, not only the IP in the custom address. What have I done wrong?
You defined the IP address with a subnet mask other than /32 or 255.255.255.255. So if you enter the IP 192.168.0.5 and a mask of 255.255.255.0, all IPs in 192.168.0.* match this rule. Simply edit the custom address and set the mask to 32 or 255.255.255.255 and you are done.
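A check for this mistake, added for this FAQ and not part of BlockOutTraffic: it takes a list of custom addresses (name, IP, mask), computes the network each one really covers, and reports every entry that lets in more than the single host it was meant for. The custom address list below is constructed; BOT's own file format for custom addresses is not assumed.

```python
import ipaddress

# Constructed custom addresses as (name, ip, mask); mask may be a dotted quad
# or a prefix length, exactly the two forms the FAQ answer mentions.
CUSTOM_ADDRESSES = [
    ("fileserver", "192.168.0.5", "255.255.255.0"),   # too wide: all of 192.168.0.*
    ("printer",    "192.168.0.9", "255.255.255.255"), # correct: one host
    ("admin-pc",   "192.168.0.20", "32"),             # correct: one host
    ("nas",        "192.168.0.40", "255.255.255.128"),# too wide: 128 addresses
]

def rule_scope(ip, mask):
    """Network the rule really matches once IPCop combines ip and mask.
    strict=False mirrors iptables, which masks off the host bits."""
    return ipaddress.ip_network(f"{ip}/{mask}", strict=False)

def matches_rule(ip, mask, host):
    """True if 'host' would be accepted by a rule restricted to ip/mask."""
    return ipaddress.ip_address(host) in rule_scope(ip, mask)

def audit_custom_addresses(entries):
    """Return (name, intended ip, effective network, extra hosts) for every
    entry whose mask admits more than the single address that was entered."""
    findings = []
    for name, ip, mask in entries:
        net = rule_scope(ip, mask)
        if net.num_addresses > 1:
            findings.append((name, ip, str(net), net.num_addresses - 1))
    return findings

if __name__ == "__main__":
    for name, ip, net, extra in audit_custom_addresses(CUSTOM_ADDRESSES):
        print(f"{name}: entered {ip}, rule matches {net} ({extra} unintended hosts)")
```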
FAQ last changed 10 October 2007