I need help with IPCop.

Lisa Kachold lisakachold at obnosis.com
Thu Jul 30 06:48:10 MST 2009


On 7/29/09, Matthew A Coulliette <matthewlug at cox.net> wrote:
> hi,
>
> First of all, I would like to apologize for the long email. But, I have
> a few questions that I have not been able to find the answers to. So, I
> would greatly appreciate any helpful advice. Here is the setup of my
> network:
>
> router (IPCop)        workstations   servers
> red: 98.172.82.xxx    192.168.0.3    192.168.0.2 - data server
> org: 192.168.2.1      192.168.0.4    192.168.2.2 - web server
> blu: 192.168.1.1      192.168.0.5
> grn: 192.168.0.1      192.168.0.6    wireless access point
>                                      192.168.1.2
>
> all workstations run ubuntu desktop 9.04
> both servers run ubuntu server 9.04

Well that takes all the fun out of network discovery against your firewall!

> as you probably know:
> red = www (internet)
> org = dmz (De-Militarized Zone)
> blu = wlan (wireless part of a local area network)
> grn = lan (local area network) (hardwired)
>
>
> Here are my questions:
> 1. Where do I find the add-ons for ipcop and how do I install them?

http://www.ipadd.de/binary.html

> 2. Right now I have it setup to log me in automatically as 'admin'. But,
> when I click on 'blue access' in the 'firewall' menu, IPCop takes me to
> a page labeled 'FORBIDDEN'. Saying that I requested access to something
> above my permitted level. Do I need to login as 'root' to work on the
> firewall settings? If so, how do I get a login prompt again so that I
> can enter the root user name and password?

I believe that generally blue is reserved for the Wireless and access
is disabled?

Explanations herein:
http://www.ipcop.org/1.4.0/en/admin/html/
http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html#v140.firewall.004
http://www.scribd.com/doc/15490362/Linux-System-Administration-by-OReilly-Media

> 3. Part A: IPCop says that the 'wap' and the 'web server' ips are out of
> range. I know this is true because I assigned them from the green DHCP
> server. To fix this mistake, I believe that I should acquire 2 more ips
> from Cox. Then assign 1 of them to the 'wap' and 1 to the 'web server'.
> True?

False! See section 2 above - Blue Wireless Zones in IPCop.

You should not need any IP addresses from Cox.

> 3. Part B: If this is true, then the people on the www would have to
> pass through the IPCop firewall to deliver packets to the new Cox ips
> for the 'wap' and 'web server'? Should I have the 'wap' hand out the ip
> addresses and then tell IPCop which addresses the 'wap' is handing out,
> thus creating the "pin hole" through the firewall?

Please refer to this in-depth example of configuring a Blue Wireless zone:
http://www.net-security.org/dl/chapters/IPCop_SampleChapter.pdf

> 3. Part C: Lastly, I am planning on starting the web server with just a
> traditional 'LAMP' server running on it. So, what I have been told is to
> use port forwarding at this point. So, which ports on the red
> should I forward, to which ports on the web server's nic? Do I need to
> tell the LAMP server to listen to a non-standard port number? Does port
> forwarding provide for 2 way traffic? How do I test that my port
> forwarding is working? The ping command should not work with this setup,
> correct?

Yes, on a Cox network port 80 inbound is restricted.  If you do not
have a business account with Cox, you are breaking their acceptable
use policy by running "servers" and especially web services or any
inbound packet traffic.

You would need to:

1) Set up a DynDNS to track changes automagically (dyndns.org) to give you
a yournet.homelinux.org (or another of a long list of domains, if you
don't have your own) or use dyndns with your own hosted domain.

2) Set up a URL WebHop (free) that points http://mylamp.homelinux.org
to http://293.242.2.1:8081 (and works with dyndns so that when Cox
refreshes your IP address it is dynamically changed).

3) Port forward 8081 (or whatever port you like) to port 80 on your LAMP server.

> Thanks, for taking the time to read and reply to this email. I
> appreciate it very much.

Be sure you apply all updates (including the null dereference pointer):

http://www.ipcop.org/

> MatthewMPP
>

"Use the source young Jedi" -Yoda

-- 

(623)239-3392
(503)754-4452 www.obnosis.com

