headers
m4him | 2 Dec 2007 16:33

proxy domains without authentication


I am using normal authentication which works fine.
I am trying to setup Windows Live messenger to not require authentication. 
I have added the required URLs to the "Proxy domains without
authentication".  There is one problem because MSM uses a random ip address
of 207.46.108.*

I get the following: 
 637 192.168.3.107 TCP_DENIED/407 3350 POST
http://207.46.108.64/gateway/gateway.dll? - NONE/- text/html

I have tried to put in
207.46.108.0/24
in the ...without authentication box but it still fails.

The reason I switched from SafeSquid was for this very feature.  SafeSquid
does not have the ability to no t authenticate certain sites when
authentication is configured.  This is a great Endian feature but I need it
to work for ip addresses also.

I also tried creating a firewall rule to pass port 80 on if it is to that
address but that does not work as the messenger client knows that Internet
Explorer is configured for autoproxy so it automatically uses the IE proxy
settings excluding the username and password.

Is there another way to do this so the user does not need to enter their
username and password in the messenger client?

--

-- 
View this message in context: http://www.nabble.com/proxy-domains-without-authentication-tf4931995.html#a14116381
(Continue reading)

Permalink | Reply | 5 comments |
headers
m4him | 2 Dec 2007 16:39

proxy.pac


2.2B1
I am trying to automate the proxy scripts but the proxy.pac is not working

It works just fine on another system with an Apace server.
I am testing it with just the basic

function FindProxyForURL(url, host)
{

return "PROXY 192.168.3.1:8080"; 

}
I have the automatic scripts set in firefox (and explorer 7) set to:
http://192.168.3.1/wpad.dat  (also tried http://192.168.3.1/proxy.pac)
works fine with the same script but having firefox/IE set to
http://192.168.3.3/wpad.dat

I also added to the httpd.conf file
AddType application/x-ns-proxy-autoconfig .pac
and tried
AddType application/x-ns-proxy-autoconfig .dat

It still does not work from the Endian firewall but works fine from another
apache server.

--

-- 
View this message in context: http://www.nabble.com/proxy.pac-tf4914533.html#a14067926
Sent from the efw-user mailing list archive at Nabble.com.
(Continue reading)

Permalink | Reply | 0 comments |
headers
m4him | 2 Dec 2007 17:22

pop3 proxy virus scanner


Does the pop3 proxy virus scanner scan ssl pop3 ports or does it only scan
port 110?

--

-- 
View this message in context: http://www.nabble.com/pop3-proxy-virus-scanner-tf4932201.html#a14116973
Sent from the efw-user mailing list archive at Nabble.com.

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
Permalink | Reply | 1 comment |
headers
AJ Weber | 2 Dec 2007 18:07
Picon

Re: pop3 proxy virus scanner

It will scan pop3 and pop3s, but the trick is that you need to configure your email clients (on GREEN) to send pop3 on the pop3s port (995) -- that is, send it unencrypted.  When the proxy sees the traffic on 995, it will then encrypt the traffic from the gateway to the intended server.
 
So the traffic is unencrypted only on GREEN, which should be OK for most...but if you need the traffic encrypted from end-to-end (desktop client to POP3s server), then it won't work right.
 
-AJ
----- Original Message -----
From: m4him
Sent: Sunday, December 02, 2007 11:22 AM
Subject: [Efw-user] pop3 proxy virus scanner


Does the pop3 proxy virus scanner scan ssl pop3 ports or does it only scan
port 110?

--
View this message in context: http://www.nabble.com/pop3-proxy-virus-scanner-tf4932201.html#a14116973
Sent from the efw-user mailing list archive at Nabble.com.


-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user-5NWGOfrQmneRv+LV9MX5urNAH6kLmebB@public.gmane.org.net
https://lists.sourceforge.net/lists/listinfo/efw-user
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user@...
https://lists.sourceforge.net/lists/listinfo/efw-user
Permalink | Reply | 0 comments |
headers
Peter Warasin | 3 Dec 2007 12:25
Gravatar

Re: proxy domains without authentication

Hi

m4him wrote:
> I am using normal authentication which works fine.
> I am trying to setup Windows Live messenger to not require authentication. 
> I have added the required URLs to the "Proxy domains without
> authentication".  There is one problem because MSM uses a random ip address
> of 207.46.108.*

> The reason I switched from SafeSquid was for this very feature.  SafeSquid
> does not have the ability to no t authenticate certain sites when
> authentication is configured.  This is a great Endian feature but I need it
> to work for ip addresses also.

This is for domains only (http virtual host). A virtual host can also be an
ip address, but not a whole subnet.
So add every ip address from that subnet manually. That should work.

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@...
Attachment (peter.vcf): text/x-vcard, 308 bytes
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user@...
https://lists.sourceforge.net/lists/listinfo/efw-user
Permalink | Reply | 4 comments |
headers
m4him | 3 Dec 2007 14:08

traffic shaping


2 Questions and Comment:
Question:  Why would my downloads slow down to a crawl when I activate
traffic shaping?  This can not be due to it working properly as my machine
was the only machine on the system.  It went from nearly 1500kbps to
128kbps.  I have a 2 way satellite link with 1544 down and 384 up.  I set
the shaping to those figures.  When I turned off the shaping the speed went
back up to 1500 kbps.
Download speed: 1544
upload speed: 384

Does the sip proxy have priority?  Should I define the ports the sip proxy
is using in the traffic shaping port list?

Comment:  The traffic shaping feature is extremely limited.  We need the
same features that the dd-wrt firmware for routers has with L7 traffic
shaping.  If this could be added then Endian would not only stand alone but
be far out of reach of other similar products.  Also there does not seem to
be a way to set a default  that all ports not configured would fall into. 
At the very least we need to be able to assign a range of ports.  VOIP is
big and VOIP needs traffic shaping.  

--

-- 
View this message in context: http://www.nabble.com/traffic-shaping-tf4936406.html#a14129527
Sent from the efw-user mailing list archive at Nabble.com.

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
Permalink | Reply | 1 comment |
headers
m4him | 3 Dec 2007 19:19

Re: proxy domains without authentication


I think I just realized that this is not going to work for me.  It seems that
you can not put a wild-card in
such as
.yahoo.com
Is there a way to say to not authenticate everything under the domain of
yahoo.com so that www.yahoo.com and messenger.yahoo.com both would pass
without authentication?

Peter Warasin-2 wrote:
> 
> Hi
> 
> m4him wrote:
>> I am using normal authentication which works fine.
>> I am trying to setup Windows Live messenger to not require
>> authentication. 
>> I have added the required URLs to the "Proxy domains without
>> authentication".  There is one problem because MSM uses a random ip
>> address
>> of 207.46.108.*
> 
>> The reason I switched from SafeSquid was for this very feature. 
>> SafeSquid
>> does not have the ability to no t authenticate certain sites when
>> authentication is configured.  This is a great Endian feature but I need
>> it
>> to work for ip addresses also.
> 
> This is for domains only (http virtual host). A virtual host can also be
> an
> ip address, but not a whole subnet.
> So add every ip address from that subnet manually. That should work.
> 
> peter
> 
> -- 
> :: e n d i a n
> :: open source - open minds
> 
> 
> 
> 
> 

--

-- 
View this message in context: http://www.nabble.com/proxy-domains-without-authentication-tf4931995.html#a14135627
Sent from the efw-user mailing list archive at Nabble.com.

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
Permalink | Reply | 3 comments |
headers
Peter Warasin | 4 Dec 2007 00:01
Gravatar

Re: proxy domains without authentication

Hi

m4him wrote:
> I think I just realized that this is not going to work for me.  It seems that
> you can not put a wild-card in
> such as
> .yahoo.com

Yes you can,.

This allows only that host:
www.google.com

While this allows the whole domain with all of it's subdomains
(*.yahoo.com):
.yahoo.com

> Is there a way to say to not authenticate everything under the domain of
> yahoo.com so that www.yahoo.com and messenger.yahoo.com both would pass
> without authentication?

No, you can't allow a domains with all of it's subdomains without
authentication
but exclude only some of them. You then need to explicitely list them
like this:
www.yahoo.com
messenger.yahoo.com

Does it not work when you add the whole list of ip addresses of that subnet?

peter

-- 
:: e n d i a n
:: open source - open minds

:: peter warasin
:: http://www.endian.com   :: peter@...
Attachment (peter.vcf): text/x-vcard, 308 bytes
-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user@...
https://lists.sourceforge.net/lists/listinfo/efw-user
Permalink | Reply | 2 comments |
headers
toby | 4 Dec 2007 05:54
Picon

Re: New efw 2.1.2 installation unable to OpenVPN

I followed the KB and i still can't connect. I am not using EFW's DHCP server. Does that matter? I continue to get the same error messages that I posted earlier.
 
"
Mon Dec 03 21:51:43 2007 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Dec 03 21:51:43 2007 TLS Error: TLS handshake failed
Mon Dec 03 21:51:43 2007 TCP/UDP: Closing socket
Mon Dec 03 21:51:43 2007 SIGUSR1[soft,tls-error] received, process restarting
Mon Dec 03 21:51:43 2007 Restart pause, 2 second(s)
"
I've included an ASCII network diagram below.
 
                                               EFW Router
                                                      |
                                                      |
                                                      |
------------------------------------------------------
|                                                     |
Red                                            Green
(201.x.x.x)                               (192.168.1.5)
|                                                      |
ISP Modem                                10/100 Switch
                                                       |
                                                  Workstations, Linksys Router w/ 4-port switch (LAN side)
 
NOTE: Green is plugged into Linksys router's 4-port switch side so it can communicate with other machines on 192.168.1.0 network. The Linksys is also the DHCP server as of now. Another thing to note is that i have 4 public IPs from network provider so EFW has its own public IP as does the Linksys.
 
 
Thoughts?
 
Toby.

 
On Dec 3, 2007 5:06 AM, <register-LvY8VTdNHTgyTh+JdRw4UA@public.gmane.org> wrote:
It took me several hours to get VPN working.  I finally found the KB article: http://kb.endian.com/entry/12/ which works exactly as written.  This eliminated one area for troubleshooting.  I copied the certificate and named it the same as the article although the name makes no difference as long as it matches the conf file.

As you must already know the openvpn section of efw must have an ip range set outside of your dynamic range.  Of course it is in the same range as your green interface.

I was trying to connect my vpn from my machine on my green interface to my public red interface public address.  This did not work with the same error you are getting.  I then changed the server in the client.ovpn to my green interface ip and then connect my machine to a wireless gateway router.  This put me on a different subnet than my green interface.  The gateway router wan connector was connected to the green interface via a switch.  I was then able to make a vpn connection.  Next I put the gateway wireless router on a public interface giving the wan connector a public ip address.  I made a new config for connecting from outside my network via a public interface by changing the server parameter in the ovpn file to my red interface public ip address.  Now I could make a vpn connection from the public side of my system.  I have two ovpn files.  One for connecting within my private net and one for connecting from the public.

The other issue I had to overcome was windows vista.  I finally noticed that openvpn has a vista release canidate version.  I do not know if the xp version would work on vista or not as I had already upgraded before I fixed my other issues.





toby-35 wrote:
>
> Hello all,
>
> I recently installed Endian 2.1.2 community edition and my hope is to use
> it
> to replace my existing OpenVPN server that is currently being used as a
> file
> server as well. I went throught the OpenVPN configuration process,
> downloaded cert and created client.ovpn configuration file (see below) and
> I
> get the following error message (also, see below) What have I missed?
>
> client.ovpn (using Windows XP OpenVPN GUI client)
> client
> dev tun
> proto udp
> remote 201.x.x.x
> resolv-retry infinite
> nobind
> persist-key
> persist-tun
> ca cacert.pem
> auth-user-pass
> comp-lzo
>
> error message (received on client)
>  Thu Nov 29 10:24:53 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on
> Oct  1 2
> 006
> Enter Auth Username:test
> Enter Auth Password:
> Thu Nov 29 10:25:02 2007 IMPORTANT: OpenVPN's default port number is now
> 1194, b
> ased on an official port number assignment by IANA.  OpenVPN 2.0-beta16
> and
> earl
> ier used 5000 as the default port.
> Thu Nov 29 10:25:02 2007 WARNING: No server certificate verification
> method
> has
> been enabled.  See http://openvpn.net/howto.html#mitm for more info.
> Thu Nov 29 10:25:02 2007 LZO compression initialized
> Thu Nov 29 10:25:02 2007 UDPv4 link local: [undef]
> Thu Nov 29 10:25:02 2007 UDPv4 link remote: 201.x.x.x:1194
>
> I later added, ns-cert-type server, to server log to resolve the warning
> message. Now I connection output looks like the following:
>
> Thu Nov 29 10:28:03 2007 OpenVPN 2.0.9 Win32-MinGW [SSL] [LZO] built on
> Oct
> 1 2
> 006
> Enter Auth Username:test
> Enter Auth Password:
> Thu Nov 29 10:28:08 2007 IMPORTANT: OpenVPN's default port number is now
> 1194, b
> ased on an official port number assignment by IANA.  OpenVPN 2.0-beta16
> and
> earl
> ier used 5000 as the default port.
> Thu Nov 29 10:28:08 2007 LZO compression initialized
> Thu Nov 29 10:28:08 2007 UDPv4 link local: [undef]
> Thu Nov 29 10:28:08 2007 UDPv4 link remote: 201.x.x.x:1194
> Thu Nov 29 10:29:08 2007 TLS Error: TLS key negotiation failed to occur
> within 6
> 0 seconds (check your network connectivity)
> Thu Nov 29 10:29:08 2007 TLS Error: TLS handshake failed
> Thu Nov 29 10:29:08 2007 SIGUSR1[soft,tls-error] received, process
> restarting
> Thu Nov 29 10:29:10 2007 IMPORTANT: OpenVPN's default port number is now
> 1194, b
> ased on an official port number assignment by IANA.  OpenVPN 2.0-beta16
> and
> earl
> ier used 5000 as the default port.
> Thu Nov 29 10:29:10 2007 Re-using SSL/TLS context
> Thu Nov 29 10:29:10 2007 LZO compression initialized
> Thu Nov 29 10:29:10 2007 UDPv4 link local: [undef]
> Thu Nov 29 10:29:10 2007 UDPv4 link remote: 201.x.x.x:1194
>
> Also, my current OpenVPN server works and is on a different public IP and
> it
> is not connected to Endian FW. I want to replace current OpenVPN server
> with
> Endian FW as it provides more features (content filtering, proxy, etc.)
>
> Thanks,
>
> Toby.
>
> -------------------------------------------------------------------------
> SF.Net email is sponsored by: The Future of Linux Business White Paper
> from Novell.  From the desktop to the data center, Linux is going
> mainstream.  Let it simplify your IT future.
> http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
> _______________________________________________
> Efw-user mailing list
> Efw-user-5NWGOfrQmneRv+LV9MX5uipxlwaOVQ5f@public.gmane.org
> https://lists.sourceforge.net/lists/listinfo/efw-user
>
>
Quoted from:
http://www.nabble.com/New-efw-2.1.2-installation-unable-to-OpenVPN-tf4898373.html#a14029570


-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user@...
https://lists.sourceforge.net/lists/listinfo/efw-user
Permalink | Reply | 4 comments |
headers
Christopher Zeman | 4 Dec 2007 06:01

Upgrading to latest beta...

I am currently running v 2.1.2, but want to upgrade to 2.2 Beta 1 as it has some features I need. Will the installation CD allow me to upgrade, or will it simply wipe my drive? Is there a better way?

 

Thank you,

Chris

-------------------------------------------------------------------------
SF.Net email is sponsored by: The Future of Linux Business White Paper
from Novell.  From the desktop to the data center, Linux is going
mainstream.  Let it simplify your IT future.
http://altfarm.mediaplex.com/ad/ck/8857-50307-18918-4
_______________________________________________
Efw-user mailing list
Efw-user@...
https://lists.sourceforge.net/lists/listinfo/efw-user
Permalink | Reply | 0 comments |

Gmane