From: Michael K. <li...@mk...> - 2019-10-05 13:06:41

> On 05.10.2019 at 14:48, Lonnie Abelbeck <li...@lo...> wrote:
>
> Hi Michael,
>
> Sorry, I can't help much with strongSwan.
>
> You will want to enable NAT-T (UDP transport) and you possibly may not need Virtual IP's as routing the local LAN's from each box may work.
>
> That's all my strongSwan knowledge. Using "IPsec Peers" is easier, but requires static IP endpoints all around unless you use certificates as tunnel identity.
>
> Sadly, internet research is your best option configuring strongSwan.
>
> Lonnie

Hi Michael,

We implemented strongSwan because of the massive distribution of the AVM Fritzbox routers here in Germany (and other parts of Europe) to support their internal IPsec VPN. But it is quite complicated and no fun - guaranteed. If you really do need it for specific reasons, I would suggest using OpenVPN or WireGuard instead!

>> On Oct 4, 2019, at 10:04 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi Group
>>
>> I need to set up IPSEC tunnels from multiple Astlinux Clients to an Astlinux Server (initial testing). Eventually the server will be VMware NSX.
>> I'm looking at all the config examples and have spent ages trying to understand how it works but I'm still not quite there. Sorry for my inexperience with IPSEC.
>>
>> I want to use strongSwan and the scenario is as follows:
>> • Server is Astlinux (initially for testing) with a static Public IP
>> • Clients require access to the server side LAN to Asterisk servers
>> • There is no connectivity between IPSEC tunnels.
>> • The Client is Astlinux with failover e.g. multiple paths which may or may not be behind NAT
>> • No access to the Client local LAN is required e.g. only to the local Astlinux box itself
>>
>> My assumption is that I will need to use Virtual IP's but I am not sure how to set this up?
>> They will all need to be static as well e.g. not negotiated.
>>
>> Can anyone kick me off.
>> Thanks so much all.
>>
>> Regards
>> Michael Knill

Michael

http://www.mksolutions.info
From: Lonnie A. <li...@lo...> - 2019-10-05 12:48:23

Hi Michael,

Sorry, I can't help much with strongSwan.

You will want to enable NAT-T (UDP transport) and you possibly may not need Virtual IP's as routing the local LAN's from each box may work.

That's all my strongSwan knowledge. Using "IPsec Peers" is easier, but requires static IP endpoints all around unless you use certificates as tunnel identity.

Sadly, internet research is your best option configuring strongSwan.

Lonnie

> On Oct 4, 2019, at 10:04 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I need to set up IPSEC tunnels from multiple Astlinux Clients to an Astlinux Server (initial testing). Eventually the server will be VMware NSX.
> I'm looking at all the config examples and have spent ages trying to understand how it works but I'm still not quite there. Sorry for my inexperience with IPSEC.
>
> I want to use strongSwan and the scenario is as follows:
> • Server is Astlinux (initially for testing) with a static Public IP
> • Clients require access to the server side LAN to Asterisk servers
> • There is no connectivity between IPSEC tunnels.
> • The Client is Astlinux with failover e.g. multiple paths which may or may not be behind NAT
> • No access to the Client local LAN is required e.g. only to the local Astlinux box itself
>
> My assumption is that I will need to use Virtual IP's but I am not sure how to set this up?
> They will all need to be static as well e.g. not negotiated.
>
> Can anyone kick me off.
> Thanks so much all.
>
> Regards
> Michael Knill
> _______________________________________________
> Astlinux-users mailing list
> Ast...@li...
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to pa...@kr....
From: Michael K. <mic...@ip...> - 2019-10-05 03:04:27

Hi Group

I need to set up IPSEC tunnels from multiple Astlinux Clients to an Astlinux Server (initial testing). Eventually the server will be VMware NSX.
I'm looking at all the config examples and have spent ages trying to understand how it works but I'm still not quite there. Sorry for my inexperience with IPSEC.

I want to use strongSwan and the scenario is as follows:
* Server is Astlinux (initially for testing) with a static Public IP
* Clients require access to the server side LAN to Asterisk servers
* There is no connectivity between IPSEC tunnels.
* The Client is Astlinux with failover e.g. multiple paths which may or may not be behind NAT
* No access to the Client local LAN is required e.g. only to the local Astlinux box itself

My assumption is that I will need to use Virtual IP's but I am not sure how to set this up?
They will all need to be static as well e.g. not negotiated.

Can anyone kick me off.
Thanks so much all.

Regards
Michael Knill
From: Lonnie A. <li...@lo...> - 2019-10-03 14:09:08

Announcing Pre-Release Version: astlinux-1.3-4389-0e0e4a

Important Fix:
-- acme-client, version 2.8.1, add upstream patch from 2.8.3 to fix Let's Encrypt CDN changes.

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Linux Kernel 3.16.74 (version bump), security and bug fixes

-- genx86_64-vm board type, version bump VMware Tools to open-vm-tools 10.3.10

-- Asterisk 13.23.1 ('13se' version)
   Older than latest Asterisk 13.x version but more tested, built --without-pjproject
   Add json-integer-overflow patches.
   Add security patches for: AST-2019-002, AST-2019-003

-- Asterisk 13.28.1 (version bump) and 16.5.1 (version bump)
   New modules: app_attended_transfer.so, app_blind_transfer.so

-- OpenSSL, major version bump to 1.1.1d, the new LTS series.
   The previous 1.0.2 LTS series is EOL at the end of 2019.
   Many packages needed version bumps or patches to be compatible with the new OpenSSL 1.1 API.

-- php, major version bump to 7.2.23, adds OpenSSL 1.1 compatibility

-- Web Interface Edit tab, add support for CodeMirror text editing.
   (Tip: Shift-Reload browser to get the updated CSS style sheet)
   Keyboard Actions: (after clicking text edit area)
   Note: Windows users, use Ctrl instead of Cmd
   Cmd-f -> Find
   Cmd-g -> Find Next
   Cmd-/ -> Toggle Comment
   Cmd-. -> Toggle Comment
   Tab   -> Toggle between "fullscreen" (full-window) mode and normal
   Esc   -> Return to normal, "fullscreen" (full-window) mode off
   More info: https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

-- Fossil, major version bump to 2.9, adds numerous enhancements to the look and feel of the web interface

-- arnofw (AIF), reload-blocklist-netset cron script, add new netset types
   asterisk: Aggregate multiple Asterisk/SIP/VoIP blacklists, including blocklist_de_sip.
   custom: Use variable BLOCKLIST_CUSTOM_URLS containing one or more (space/newline separated) URLs.
   customv6: Use variable BLOCKLIST_CUSTOMV6_URLS containing one or more (space/newline separated) URLs.
   More info: https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

-- arnofw (AIF), wireguard-vpn plugin, add support for WG->Local TCP/UDP INPUT policy firewall rules.
   More info: https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#wireguard_configuration_options

-- iprange, version 1.0.4, new command, a tool capable of managing sets of IPs

-- WireGuard VPN, version bump to 0.0.20190913

-- Complete Pre-Release ChangeLog:
   https://s3.amazonaws.com/beta.astlinux-project/astlinux-changelog/ChangeLog.txt

New Documentation Topics:

Edit tab w/CodeMirror Keyboard Mapping
- https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

Updated Documentation Topics:

Firewall External Block List
- https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

WireGuard VPN Configuration
- https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#wireguard_configuration_options

Web Interface Display Font
- https://doc.astlinux-project.org/userdoc:tt_web_interface_font

The "AstLinux Pre-Release ChangeLog" and "Pre-Release Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

"Development" tab feature for desktop browsers:
Guest VM x86-64bit ISO: Download Pre-Release Guest VM Install ISO (Video Console)

AstLinux Team
From: Lonnie A. <li...@lo...> - 2019-10-02 22:00:40

Just for reference, here is the source of the ACME fix we cherry-picked.

https://github.com/Neilpang/acme.sh/releases/tag/2.8.3

Lonnie

> On Oct 2, 2019, at 4:54 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie. Looks like I might wait for the next Pre Release.
> Very annoying that it's broken. Oh well!
>
> Yes I will probably build my own image one day but that day has not arrived yet __
>
> Regards
> Michael Knill
>
> On 3/10/19, 7:47 am, "Lonnie Abelbeck" <li...@lo...> wrote:
>
> Hi Michael,
>
>> On Oct 2, 2019, at 3:51 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Ah so my ACME problem is another issue then. Darn.
>> Is there a workaround without building my own image?
>
> Building your own image is the most straightforward fix, but if you are not set up to do that, then ...
>
> We plan on generating a new pre-release beta in the next couple of days, does that help you?
>
> Else, the file that needs to be patched is at /stat/etc/acme/acme.sh, but it is best not to edit that file directly.
>
> Example fix:
> --
> vultr ~ # mkdir /tmp/acme-fix
>
> vultr ~ # cd /tmp/acme-fix
>
> vultr acme-fix # curl -o fix1.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0900-upstream-new-LE-CDN-curl-fix.patch
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100   689  100   689    0     0   3497      0 --:--:-- --:--:-- --:--:--  3479
>
> vultr acme-fix # curl -o fix2.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0910-upstream-fix-curl-error-code-2.patch
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
> 100  3589  100  3589    0     0  49164      0 --:--:-- --:--:-- --:--:-- 49164
>
> vultr acme-fix # cp /stat/etc/acme/acme.sh .
>
> vultr acme-fix # ls -l
> total 188
> -rwxr-xr-x 1 root root 180871 Oct 2 16:26 acme.sh
> -rw-r--r-- 1 root root    689 Oct 2 16:25 fix1.patch
> -rw-r--r-- 1 root root   3589 Oct 2 16:25 fix2.patch
>
> vultr acme-fix # patch acme.sh < fix1.patch
> patching file acme.sh
>
> vultr acme-fix # patch acme.sh < fix2.patch
> patching file acme.sh
>
> vultr acme-fix # ls -l acme.sh
> -rwxr-xr-x 1 root root 181837 Oct 2 16:26 acme.sh
> --
>
> So, this new "acme.sh" needs to be located at /stat/etc/acme/acme.sh ... while copying it will work for today, you will be fixed in time with future upgrades. The unionfs overlay version will need to be removed in the future.
>
> Clear?
>
> Lonnie
>
>> Regards
>> Michael Knill
>>
>> On 2/10/19, 10:26 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>>> On Oct 2, 2019, at 7:11 AM, Michael Keuter <li...@mk...> wrote:
>>>
>>>> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
>>>> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.
>>>
>>> There was a very recent change in ACME, which is included in the latest beta:
>>>
>>> https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773
>>
>> Actually this ACME fix is not in the pre-release betas yet as this fix was only a few days old.
>>
>> Generating new and updating ACME certs will hang without the fix.
>>
>> This is all due to a change in the Let's Encrypt CDN provider.
>>
>> If you build your own images, the commit above will fix it.
>>
>> Lonnie
From: Michael K. <mic...@ip...> - 2019-10-02 21:54:40

Thanks Lonnie. Looks like I might wait for the next Pre Release.
Very annoying that it's broken. Oh well!

Yes I will probably build my own image one day but that day has not arrived yet __

Regards
Michael Knill

On 3/10/19, 7:47 am, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael,

> On Oct 2, 2019, at 3:51 PM, Michael Knill <mic...@ip...> wrote:
>
> Ah so my ACME problem is another issue then. Darn.
> Is there a workaround without building my own image?

Building your own image is the most straightforward fix, but if you are not set up to do that, then ...

We plan on generating a new pre-release beta in the next couple of days, does that help you?

Else, the file that needs to be patched is at /stat/etc/acme/acme.sh, but it is best not to edit that file directly.

Example fix:
--
vultr ~ # mkdir /tmp/acme-fix

vultr ~ # cd /tmp/acme-fix

vultr acme-fix # curl -o fix1.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0900-upstream-new-LE-CDN-curl-fix.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   689  100   689    0     0   3497      0 --:--:-- --:--:-- --:--:--  3479

vultr acme-fix # curl -o fix2.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0910-upstream-fix-curl-error-code-2.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3589  100  3589    0     0  49164      0 --:--:-- --:--:-- --:--:-- 49164

vultr acme-fix # cp /stat/etc/acme/acme.sh .

vultr acme-fix # ls -l
total 188
-rwxr-xr-x 1 root root 180871 Oct 2 16:26 acme.sh
-rw-r--r-- 1 root root    689 Oct 2 16:25 fix1.patch
-rw-r--r-- 1 root root   3589 Oct 2 16:25 fix2.patch

vultr acme-fix # patch acme.sh < fix1.patch
patching file acme.sh

vultr acme-fix # patch acme.sh < fix2.patch
patching file acme.sh

vultr acme-fix # ls -l acme.sh
-rwxr-xr-x 1 root root 181837 Oct 2 16:26 acme.sh
--

So, this new "acme.sh" needs to be located at /stat/etc/acme/acme.sh ... while copying it will work for today, you will be fixed in time with future upgrades. The unionfs overlay version will need to be removed in the future.

Clear?

Lonnie

> Regards
> Michael Knill
>
> On 2/10/19, 10:26 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Oct 2, 2019, at 7:11 AM, Michael Keuter <li...@mk...> wrote:
>>
>>> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
>>> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.
>>
>> There was a very recent change in ACME, which is included in the latest beta:
>>
>> https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773
>
> Actually this ACME fix is not in the pre-release betas yet as this fix was only a few days old.
>
> Generating new and updating ACME certs will hang without the fix.
>
> This is all due to a change in the Let's Encrypt CDN provider.
>
> If you build your own images, the commit above will fix it.
>
> Lonnie
From: Lonnie A. <li...@lo...> - 2019-10-02 21:46:40

Hi Michael,

> On Oct 2, 2019, at 3:51 PM, Michael Knill <mic...@ip...> wrote:
>
> Ah so my ACME problem is another issue then. Darn.
> Is there a workaround without building my own image?

Building your own image is the most straightforward fix, but if you are not set up to do that, then ...

We plan on generating a new pre-release beta in the next couple of days, does that help you?

Else, the file that needs to be patched is at /stat/etc/acme/acme.sh, but it is best not to edit that file directly.

Example fix:
--
vultr ~ # mkdir /tmp/acme-fix

vultr ~ # cd /tmp/acme-fix

vultr acme-fix # curl -o fix1.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0900-upstream-new-LE-CDN-curl-fix.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   689  100   689    0     0   3497      0 --:--:-- --:--:-- --:--:--  3479

vultr acme-fix # curl -o fix2.patch https://raw.githubusercontent.com/astlinux-project/astlinux/master/package/acme/acme-0910-upstream-fix-curl-error-code-2.patch
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3589  100  3589    0     0  49164      0 --:--:-- --:--:-- --:--:-- 49164

vultr acme-fix # cp /stat/etc/acme/acme.sh .

vultr acme-fix # ls -l
total 188
-rwxr-xr-x 1 root root 180871 Oct 2 16:26 acme.sh
-rw-r--r-- 1 root root    689 Oct 2 16:25 fix1.patch
-rw-r--r-- 1 root root   3589 Oct 2 16:25 fix2.patch

vultr acme-fix # patch acme.sh < fix1.patch
patching file acme.sh

vultr acme-fix # patch acme.sh < fix2.patch
patching file acme.sh

vultr acme-fix # ls -l acme.sh
-rwxr-xr-x 1 root root 181837 Oct 2 16:26 acme.sh
--

So, this new "acme.sh" needs to be located at /stat/etc/acme/acme.sh ... while copying it will work for today, you will be fixed in time with future upgrades. The unionfs overlay version will need to be removed in the future.

Clear?

Lonnie

> Regards
> Michael Knill
>
> On 2/10/19, 10:26 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>
>> On Oct 2, 2019, at 7:11 AM, Michael Keuter <li...@mk...> wrote:
>>
>>> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
>>> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.
>>
>> There was a very recent change in ACME, which is included in the latest beta:
>>
>> https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773
>
> Actually this ACME fix is not in the pre-release betas yet as this fix was only a few days old.
>
> Generating new and updating ACME certs will hang without the fix.
>
> This is all due to a change in the Let's Encrypt CDN provider.
>
> If you build your own images, the commit above will fix it.
>
> Lonnie
From: Michael K. <mic...@ip...> - 2019-10-02 20:52:15

Ah so my ACME problem is another issue then. Darn.
Is there a workaround without building my own image?

Regards
Michael Knill

On 2/10/19, 10:26 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

> On Oct 2, 2019, at 7:11 AM, Michael Keuter <li...@mk...> wrote:
>
>> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>>
>> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
>> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.
>
> There was a very recent change in ACME, which is included in the latest beta:
>
> https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773

Actually this ACME fix is not in the pre-release betas yet as this fix was only a few days old.

Generating new and updating ACME certs will hang without the fix.

This is all due to a change in the Let's Encrypt CDN provider.

If you build your own images, the commit above will fix it.

Lonnie
From: Dr. P. V. <pv...@uo...> - 2019-10-02 15:38:03

It would be helpful if you could provide separate checksums and GPG signatures to verify fresh installs and to narrow down the current issue.
From: Lonnie A. <li...@lo...> - 2019-10-02 12:47:33

Hi Michael,

When "Firmware verification failed!" there are a few possibilities.

1) The network got interrupted (beyond retries) and the 'curl' command gave up, so the .sha1 failed to match the partial download.

2) If the upstream repository server enabled some kind of CDN-like file caching, the "ver" file can be old, but this usually only results in the new version not being available as expected ... unless you uploaded a "new" image with the same name as before. We have observed this problem with Amazon's Cloudfront CDN on a S3 bucket.

3) Possibly the image upload got corrupted.

Personally, I use an Amazon S3 bucket for my development repository, literally 1000's of uploads and downloads without any issue.

Lonnie

> On Oct 2, 2019, at 6:11 AM, Michael Knill <mic...@ip...> wrote:
>
> I did forget to say that I have my own repository.
> The same download link for my repository works fine on another box but not this one.
> I then tried using the Astlinux repository and it worked fine. Weird.
>
> Regards
> Michael Knill
>
> On 2/10/19, 8:45 pm, "Michael Keuter" <li...@mk...> wrote:
>
>> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>>
>> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
>> What could this be? I have downloaded the file again into the repository but it still does it.
>>
>> Regards
>> Michael Knill
>
> Please try to test if the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
> You can revert to an older version (without rebooting) and redownload, if it is the same version.
>
> Otherwise this can happen if there is a problem with the harddisk.
>
> Michael
>
> http://www.mksolutions.info
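The three causes Lonnie lists (an interrupted download that the .sha1 no longer matches, a stale CDN-cached "ver"/.sha1 file describing a different image of the same name, and a corrupted upload) all collapse into the same "Firmware verification failed!" message. The following POSIX sh verifier is an added example, not AstLinux's own upgrade script and not code from anyone in this thread. It assumes the repository publishes a companion `<image>.sha1` in `sha1sum` output format (`<40 hex chars>  <filename>`), that `sha1sum` or `shasum` is installed, and that an optional expected byte count (for instance the `Content-Length` the repository reports) is available to tell a short download apart from a wrong one.

```sh
#!/bin/sh
# Added example, not AstLinux's upgrade code: verify a downloaded firmware
# image against its companion ".sha1" file and say *why* verification
# failed rather than reporting a bare "Firmware verification failed!".
#
# Assumptions (not taken from the thread): <image>.sha1 is in "sha1sum"
# format ("<40 hex chars>  <filename>") and sha1sum or shasum is installed.

# sha1_of FILE -> prints the lowercase hex SHA-1 digest of FILE
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | cut -d' ' -f1
    else
        shasum -a 1 "$1" | cut -d' ' -f1
    fi
}

# verify_firmware IMAGE SHA1FILE [EXPECTED_SIZE]
# Exit status:
#   0  digest in SHA1FILE matches IMAGE
#   1  digest differs and IMAGE is not short: corrupted upload, or a stale
#      cached .sha1/"ver" describing a different image with the same name
#   2  IMAGE is shorter than EXPECTED_SIZE: interrupted download
#   3  SHA1FILE does not contain a usable SHA-1 digest
verify_firmware() {
    image=$1
    sha1file=$2
    expected_size=${3:-}

    # First whitespace-separated field of the .sha1 file, normalised to lowercase
    expected=$(cut -d' ' -f1 "$sha1file" 2>/dev/null | tr 'A-F' 'a-f')
    # A SHA-1 digest is exactly 40 hex characters; reject anything else
    case "$expected" in
        ''|*[!0-9a-f]*) return 3 ;;
    esac
    [ "${#expected}" -eq 40 ] || return 3

    # A missing image is treated as a mismatch
    [ -r "$image" ] || return 1

    # Short file: curl gave up before the transfer completed
    actual_size=$(wc -c < "$image" | tr -d ' ')
    if [ -n "$expected_size" ] && [ "$actual_size" -lt "$expected_size" ]; then
        return 2
    fi

    actual=$(sha1_of "$image")
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Run directly as: verify_firmware.sh IMAGE IMAGE.sha1 [EXPECTED_SIZE]
if [ "$#" -ge 2 ]; then
    verify_firmware "$@"
    rc=$?
    case "$rc" in
        0) echo "OK: digest matches" ;;
        1) echo "FAIL: digest mismatch (corrupt, stale or replaced image)" ;;
        2) echo "FAIL: image shorter than expected (interrupted download)" ;;
        3) echo "FAIL: .sha1 file does not contain a SHA-1 digest" ;;
    esac
    exit "$rc"
fi
```

Exit status 2 is the interrupted-download case (1 in Lonnie's list); exit status 1 with a complete file is either a corrupted upload (3) or a cached .sha1/"ver" file that predates a re-uploaded image of the same name (2), which a digest check alone cannot tell apart, so on that result the next step is to fetch the .sha1 again bypassing the cache and compare.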
From: Lonnie A. <li...@lo...> - 2019-10-02 12:26:43

> On Oct 2, 2019, at 7:11 AM, Michael Keuter <li...@mk...> wrote:
>
>> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>>
>> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
>> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.
>
> There was a very recent change in ACME, which is included in the latest beta:
>
> https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773

Actually this ACME fix is not in the pre-release betas yet as this fix was only a few days old.

Generating new and updating ACME certs will hang without the fix.

This is all due to a change in the Let's Encrypt CDN provider.

If you build your own images, the commit above will fix it.

Lonnie
From: Michael K. <li...@mk...> - 2019-10-02 12:11:18

> On 02.10.2019 at 14:07, Michael Knill <mic...@ip...> wrote:
>
> Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
> Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.

There was a very recent change in ACME, which is included in the latest beta:

https://github.com/astlinux-project/astlinux/commit/731c694933659253e468470480241f2a8d1c6773

> Time for a rebuild I think. Thanks for your help.
>
> Regards
> Michael Knill
>
> On 2/10/19, 9:19 pm, "Michael Keuter" <li...@mk...> wrote:
>
>> On 02.10.2019 at 13:11, Michael Knill <mic...@ip...> wrote:
>>
>> I did forget to say that I have my own repository.
>> The same download link for my repository works fine on another box but not this one.
>
> That is strange. I would try to do a clean build just to be sure.
>
>> I then tried using the Astlinux repository and it worked fine. Weird.
>>
>> Regards
>> Michael Knill
>>
>> On 2/10/19, 8:45 pm, "Michael Keuter" <li...@mk...> wrote:
>>
>>> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>>>
>>> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
>>> What could this be? I have downloaded the file again into the repository but it still does it.
>>>
>>> Regards
>>> Michael Knill
>>
>> Please try to test if the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
>> You can revert to an older version (without rebooting) and redownload, if it is the same version.
>>
>> Otherwise this can happen if there is a problem with the harddisk.
>>
>> Michael

Michael

http://www.mksolutions.info
From: Michael K. <mic...@ip...> - 2019-10-02 12:07:40

Hmm I managed to do a successful upgrade using the Astlinux Repository but I certainly have some concerns about the box.
Seems to be working fine but I couldn't do an acme generate and it actually broke the SSL cert so I couldn't access the web interface.

Time for a rebuild I think. Thanks for your help.

Regards
Michael Knill

On 2/10/19, 9:19 pm, "Michael Keuter" <li...@mk...> wrote:

> On 02.10.2019 at 13:11, Michael Knill <mic...@ip...> wrote:
>
> I did forget to say that I have my own repository.
> The same download link for my repository works fine on another box but not this one.

That is strange. I would try to do a clean build just to be sure.

> I then tried using the Astlinux repository and it worked fine. Weird.
>
> Regards
> Michael Knill
>
> On 2/10/19, 8:45 pm, "Michael Keuter" <li...@mk...> wrote:
>
>> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>>
>> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
>> What could this be? I have downloaded the file again into the repository but it still does it.
>>
>> Regards
>> Michael Knill
>
> Please try to test if the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
> You can revert to an older version (without rebooting) and redownload, if it is the same version.
>
> Otherwise this can happen if there is a problem with the harddisk.
>
> Michael

Michael

http://www.mksolutions.info
From: Michael K. <li...@mk...> - 2019-10-02 11:19:27

> On 02.10.2019 at 13:11, Michael Knill <mic...@ip...> wrote:
>
> I did forget to say that I have my own repository.
> The same download link for my repository works fine on another box but not this one.

That is strange. I would try to do a clean build just to be sure.

> I then tried using the Astlinux repository and it worked fine. Weird.
>
> Regards
> Michael Knill
>
> On 2/10/19, 8:45 pm, "Michael Keuter" <li...@mk...> wrote:
>
>> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>>
>> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
>> What could this be? I have downloaded the file again into the repository but it still does it.
>>
>> Regards
>> Michael Knill
>
> Please try to test if the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
> You can revert to an older version (without rebooting) and redownload, if it is the same version.
>
> Otherwise this can happen if there is a problem with the harddisk.
>
> Michael

Michael

http://www.mksolutions.info
From: Michael K. <mic...@ip...> - 2019-10-02 11:11:56
I did forget to say that I have my own repository.
The same download link for my repository works fine on another box but not this one.
I then tried using the AstLinux repository and it worked fine. Weird.

Regards
Michael Knill

On 2/10/19, 8:45 pm, "Michael Keuter" <li...@mk...> wrote:

> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>
> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
> What could this be? I have downloaded the file again into the repository but it still does it.
>
> Regards
> Michael Knill

Please test whether the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
You can revert to an older version (without rebooting) and redownload, if it is the same version.

Otherwise this can happen if there is a problem with the hard disk.

Michael
http://www.mksolutions.info
From: Michael K. <li...@mk...> - 2019-10-02 10:45:24
> On 02.10.2019 at 12:34, Michael Knill <mic...@ip...> wrote:
>
> I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
> What could this be? I have downloaded the file again into the repository but it still does it.
>
> Regards
> Michael Knill

Please test whether the same firmware version download works from other sites (so that you can be sure the verification for this firmware generally works).
You can revert to an older version (without rebooting) and redownload, if it is the same version.

Otherwise this can happen if there is a problem with the hard disk.

Michael
http://www.mksolutions.info
From: Michael K. <mic...@ip...> - 2019-10-02 10:34:29
I can't seem to upgrade one of my sites (maybe others but I haven't tried). It always comes up with "Firmware verification failed."
What could this be? I have downloaded the file again into the repository but it still does it.

Regards
Michael Knill
From: Michael K. <li...@mk...> - 2019-09-27 12:33:48
Hi Michael,

for testing purposes I used the queue_log in a SQLite realtime a few years ago. But it wasn't very reliable :-(.

On 26 September 2019 23:19:36 GMT+00:00, Michael Knill <mic...@ip...> wrote:

> Hi Group
>
> As I am starting to get bigger customers, I'm looking at creating a more scalable and easier to manage architecture.
> I'm already working on moving much of the Asterisk Database to a separate database using func_odbc, but I'm also looking at dispensing with a number of my configuration files which I want to put in a database, namely sip.conf and voicemail.conf, using ARA.
>
> I'm just wondering if anyone has played with this and if there are any gotchas?
>
> Regards
> Michael Knill

--
Sent via a tiny mobile device.
From: Lonnie A. <li...@lo...> - 2019-09-26 23:46:54
Hi Michael,

I'm not aware of anyone ever using ARA (realtime) with AstLinux.

Lonnie

> On Sep 26, 2019, at 6:19 PM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> As I am starting to get bigger customers, I'm looking at creating a more scalable and easier to manage architecture.
> I'm already working on moving much of the Asterisk Database to a separate database using func_odbc, but I'm also looking at dispensing with a number of my configuration files which I want to put in a database, namely sip.conf and voicemail.conf, using ARA.
>
> I'm just wondering if anyone has played with this and if there are any gotchas?
>
> Regards
> Michael Knill
From: Michael K. <mic...@ip...> - 2019-09-26 23:19:52
Hi Group

As I am starting to get bigger customers, I'm looking at creating a more scalable and easier to manage architecture.
I'm already working on moving much of the Asterisk Database to a separate database using func_odbc, but I'm also looking at dispensing with a number of my configuration files which I want to put in a database, namely sip.conf and voicemail.conf, using ARA.

I'm just wondering if anyone has played with this and if there are any gotchas?

Regards
Michael Knill
From: Lonnie A. <li...@lo...> - 2019-09-26 18:20:27
Announcing Pre-Release Version: astlinux-1.3-4369-fb0226

The AstLinux Team is regularly upgrading packages containing security and bug fixes as well as adding new features of our own.

-- Linux Kernel 3.16.74 (version bump), security and bug fixes

-- genx86_64-vm board type, version bump VMware Tools to open-vm-tools 10.3.10

-- Asterisk 13.23.1 ('13se' version)
   Older than latest Asterisk 13.x version but more tested, built --without-pjproject
   Add json-integer-overflow patches.
   Add security patches for: AST-2019-002, AST-2019-003

-- Asterisk 13.28.1 (version bump) and 16.5.1 (version bump)
   New modules: app_attended_transfer.so, app_blind_transfer.so

-- OpenSSL, major version bump to 1.1.1d, the new LTS series.
   The previous 1.0.2 LTS series is EOL at the end of 2019.
   Many packages needed version bumps or patches to be compatible with the new OpenSSL 1.1 API.

-- php, major version bump to 7.2.22, adds OpenSSL 1.1 compatibility

-- Web Interface Edit tab, add support for CodeMirror text editing.
   (Tip: Shift-Reload browser to get the updated CSS style sheet)
   Keyboard Actions: (after clicking text edit area)
   Note: Windows users, use Ctrl instead of Cmd
   Cmd-f -> Find
   Cmd-g -> Find Next
   Cmd-/ -> Toggle Comment
   Cmd-. -> Toggle Comment
   Tab -> Toggle between "fullscreen" (full-window) mode and normal
   Esc -> Return to normal, "fullscreen" (full-window) mode off
   More info: https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

-- Fossil, major version bump to 2.9, adds numerous enhancements to the look and feel of the web interface

-- arnofw (AIF), reload-blocklist-netset cron script, add new netset types
   asterisk: Aggregate multiple Asterisk/SIP/VoIP blacklists, including blocklist_de_sip.
   custom: Use variable BLOCKLIST_CUSTOM_URLS containing one or more (space/newline separated) URLs.
   customv6: Use variable BLOCKLIST_CUSTOMV6_URLS containing one or more (space/newline separated) URLs.
   More info: https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

-- arnofw (AIF), wireguard-vpn plugin, add support for WG->Local TCP/UDP INPUT policy firewall rules.
   More info: https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#wireguard_configuration_options

-- iprange, version 1.0.4, new command, a tool capable of managing sets of IPs

-- WireGuard VPN, version bump to 0.0.20190913

-- Complete Pre-Release ChangeLog:
   https://s3.amazonaws.com/beta.astlinux-project/astlinux-changelog/ChangeLog.txt

New Documentation Topics:

Edit tab w/CodeMirror Keyboard Mapping
- https://doc.astlinux-project.org/userdoc:tt_web_interface_edit_codemirror_key_map

Updated Documentation Topics:

Firewall External Block List
- https://doc.astlinux-project.org/userdoc:tt_firewall_external_block_list#updating_netset_blocklists

WireGuard VPN Configuration
- https://doc.astlinux-project.org/userdoc:tt_wireguard_vpn#wireguard_configuration_options

Web Interface Display Font
- https://doc.astlinux-project.org/userdoc:tt_web_interface_font

The "AstLinux Pre-Release ChangeLog" and "Pre-Release Repository URL" entries can be found under the "Development" tab of the AstLinux Project web site ...

AstLinux Project -> Development
https://www.astlinux-project.org/dev.html

"Development" tab feature for desktop browsers:
Guest VM x86-64bit ISO: Download Pre-Release Guest VM Install ISO (Video Console)

AstLinux Team
From: Michael K. <mic...@ip...> - 2019-09-15 20:58:35
Thanks Lonnie

Regards
Michael Knill

On 15/9/19, 11:38 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael,

> I have never done any iptables rules so this will be a first.

This is a great way to learn, the INT_INPUT_CHAIN chain defaults to ACCEPT anyway, so any changes will only be more restrictive.

Always test your changes, the CLI "arno-iptables-firewall restart" will show an error if you make an iptables syntax error.

Using the example shown below with the custom_wg_lan_input() function, you can make tweaks. One tweak may be a special case for a WireGuard source address ... added within the custom_wg_lan_input() function:

## Allow WG LAN->Local for source IP 10.4.0.15 all packets
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -j ACCEPT

--or--

## Allow WG LAN->Local for source IP 10.4.0.15 to TCP 443
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p tcp --dport 443 -j ACCEPT

--or--

## Allow WG LAN->Local for source IP 10.4.0.15 to UDP 5060
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p udp --dport 5060 -j ACCEPT

Understand the order of the rules added to the INT_INPUT_CHAIN chain matters: as soon as a packet matches a rule and jumps to ACCEPT the packet will flow on (allowed), regardless of any other rules. Similarly, when a packet matches a rule and jumps to DROP the packet will not flow (i.e. denied), regardless of any other rules.

Lonnie

> On Sep 14, 2019, at 9:12 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie
>
> I have never done any iptables rules so this will be a first.
>
> Regards
> Michael Knill
>
> Sent from my iPhone so please excuse my brevity.
>
>> On 10 Sep 2019, at 8:32 am, Lonnie Abelbeck <li...@lo...> wrote:
>>
>> Hi Michael,
>>
>> OK, that is best done via custom rules in "/mnt/kd/arno-iptables-firewall/custom-rules".
>>
>> For this example WireGuard LAN->Local will drop all traffic except SSH.
>>
>> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>> # Put any custom (iptables) rules here down below:
>> ##################################################
>>
>> custom_wg_lan_input()
>> {
>>   local wg_if
>>
>>   wg_if="${WIREGUARD_IF:-wg0}"
>>
>>   echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
>>   iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
>>   iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
>> }
>> custom_wg_lan_input
>> --
>>
>> apply changes...
>> pbx # arno-iptables-firewall restart
>>
>> test new rules with...
>> pbx # iptables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>     3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
>> ...
>>
>> and for IPv6...
>> pbx # ip6tables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp      wg0    *       ::/0                 ::/0                 tcp dpt:22
>>     0     0 DROP       all      wg0    *       ::/0                 ::/0
>> ...
>>
>> Since the default LAN->Local policy is ACCEPT we need to use DROP to block all for wg0.
>>
>> As always, test the firewall rule changes to make sure it works as expected.
>>
>> Lonnie
>>
>>
>>> On Sep 9, 2019, at 3:17 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi sorry Lonnie, I didn't explain it well enough.
>>>
>>> I want to provide different access to Local from a physical LAN than the wg0 interface.
>>> For instance I want to open TCP 443, my SSH port and possibly other ports from the physical LAN but open my SSH port only from wg0.
>>>
>>> I could do it based on the source IP, however as there are only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>
>>> I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:
>>>
>>> _x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)
>>>
>>> And LANs can access Local by default.
>>>
>>> Lonnie
>>>
>>>
>>>
>>>> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Thanks Lonnie.
>>>>
>>>> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
>>>> I really need a Pass LAN->Local to do this!
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>>
>>>>
>>>>
>>>>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>> Hi Group
>>>>>
>>>>> I am seeing lots of hacking attempts on my systems as they have found my non-standard SSH port. Although there is no issue as I have SSH key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>>>>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a jump box for management. This server would connect to each system via WireGuard VPN, allowing management also when in a failover condition through NAT, e.g. 4G backup, firewall managed by others.
>>>>>
>>>>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this WireGuard VPN tunnel to the local interface, e.g. wg0 address. I think it is completely open currently.
>>>>>
>>>>> Is it easy to do?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>
>>>> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>>>>
>>>> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>>>>
>>>> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>>>>
>>>> Firewall Rules:
>>>> Action: [ Deny LAN->Local ]
>>>>
>>>> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>>>>
>>>> Lonnie
From: Lonnie A. <li...@lo...> - 2019-09-15 13:38:35
Hi Michael,

> I have never done any iptables rules so this will be a first.

This is a great way to learn, the INT_INPUT_CHAIN chain defaults to ACCEPT anyway, so any changes will only be more restrictive.

Always test your changes, the CLI "arno-iptables-firewall restart" will show an error if you make an iptables syntax error.

Using the example shown below with the custom_wg_lan_input() function, you can make tweaks. One tweak may be a special case for a WireGuard source address ... added within the custom_wg_lan_input() function:

## Allow WG LAN->Local for source IP 10.4.0.15 all packets
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -j ACCEPT

--or--

## Allow WG LAN->Local for source IP 10.4.0.15 to TCP 443
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p tcp --dport 443 -j ACCEPT

--or--

## Allow WG LAN->Local for source IP 10.4.0.15 to UDP 5060
iptables -A INT_INPUT_CHAIN -i $wg_if -s 10.4.0.15 -p udp --dport 5060 -j ACCEPT

Understand the order of the rules added to the INT_INPUT_CHAIN chain matters: as soon as a packet matches a rule and jumps to ACCEPT the packet will flow on (allowed), regardless of any other rules. Similarly, when a packet matches a rule and jumps to DROP the packet will not flow (i.e. denied), regardless of any other rules.

Lonnie

> On Sep 14, 2019, at 9:12 PM, Michael Knill <mic...@ip...> wrote:
>
> Thanks Lonnie
>
> I have never done any iptables rules so this will be a first.
>
> Regards
> Michael Knill
>
> Sent from my iPhone so please excuse my brevity.
>
>> On 10 Sep 2019, at 8:32 am, Lonnie Abelbeck <li...@lo...> wrote:
>>
>> Hi Michael,
>>
>> OK, that is best done via custom rules in "/mnt/kd/arno-iptables-firewall/custom-rules".
>>
>> For this example WireGuard LAN->Local will drop all traffic except SSH.
>>
>> -- /mnt/kd/arno-iptables-firewall/custom-rules --
>> # Put any custom (iptables) rules here down below:
>> ##################################################
>>
>> custom_wg_lan_input()
>> {
>>   local wg_if
>>
>>   wg_if="${WIREGUARD_IF:-wg0}"
>>
>>   echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
>>   iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
>>   iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
>> }
>> custom_wg_lan_input
>> --
>>
>> apply changes...
>> pbx # arno-iptables-firewall restart
>>
>> test new rules with...
>> pbx # iptables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>>     3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
>> ...
>>
>> and for IPv6...
>> pbx # ip6tables -nvL INT_INPUT_CHAIN
>> Chain INT_INPUT_CHAIN (3 references)
>>  pkts bytes target     prot opt in     out     source               destination
>>     0     0 ACCEPT     tcp      wg0    *       ::/0                 ::/0                 tcp dpt:22
>>     0     0 DROP       all      wg0    *       ::/0                 ::/0
>> ...
>>
>> Since the default LAN->Local policy is ACCEPT we need to use DROP to block all for wg0.
>>
>> As always, test the firewall rule changes to make sure it works as expected.
>>
>> Lonnie
>>
>>
>>> On Sep 9, 2019, at 3:17 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Hi sorry Lonnie, I didn't explain it well enough.
>>>
>>> I want to provide different access to Local from a physical LAN than the wg0 interface.
>>> For instance I want to open TCP 443, my SSH port and possibly other ports from the physical LAN but open my SSH port only from wg0.
>>>
>>> I could do it based on the source IP, however as there are only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>
>>> I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:
>>>
>>> _x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)
>>>
>>> And LANs can access Local by default.
>>>
>>> Lonnie
>>>
>>>
>>>
>>>> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Thanks Lonnie.
>>>>
>>>> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
>>>> I really need a Pass LAN->Local to do this!
>>>>
>>>> Regards
>>>> Michael Knill
>>>>
>>>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>>
>>>>
>>>>
>>>>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>>>>
>>>>> Hi Group
>>>>>
>>>>> I am seeing lots of hacking attempts on my systems as they have found my non-standard SSH port. Although there is no issue as I have SSH key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>>>>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a jump box for management. This server would connect to each system via WireGuard VPN, allowing management also when in a failover condition through NAT, e.g. 4G backup, firewall managed by others.
>>>>>
>>>>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this WireGuard VPN tunnel to the local interface, e.g. wg0 address. I think it is completely open currently.
>>>>>
>>>>> Is it easy to do?
>>>>>
>>>>> Regards
>>>>> Michael Knill
>>>>
>>>> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>>>>
>>>> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>>>>
>>>> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>>>>
>>>> Firewall Rules:
>>>> Action: [ Deny LAN->Local ]
>>>>
>>>> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>>>>
>>>> Lonnie
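The custom-rules approach Lonnie describes above, as an added example that is not AstLinux's or arno-iptables-firewall's own code: it builds the same INT_INPUT_CHAIN rules for the WireGuard interface from a short allow list, always puts the catch-all DROP last, and refuses to apply a rule set in which an ACCEPT would sit behind a DROP, since the first matching rule wins. WIREGUARD_IF, INT_INPUT_CHAIN and the 10.4.0.15 peer are taken from the thread; the entry syntax ([SRC@]PROTO:PORT), the IPTABLES/IP6TABLES dry-run variables and the lint function are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not AstLinux's or arno-iptables-firewall's own code.
# Assumptions (from the thread): the custom-rules file is sourced by the
# firewall shell with WIREGUARD_IF set, and INT_INPUT_CHAIN (LAN->Local,
# default policy ACCEPT) already exists. Set IPTABLES="echo iptables" and
# IP6TABLES="echo ip6tables" for a dry run that prints instead of applying.

IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# wg_input_rule_args IFACE "ENTRY ..."
# ENTRY is [SRC@]PROTO:PORT or [SRC@]all, e.g. "tcp:22" or "10.4.0.15@udp:5060"
# (the entry syntax is this example's, not the firewall's). Prints one rule
# argument list per line: every ACCEPT first, then a catch-all DROP, which is
# needed because INT_INPUT_CHAIN otherwise accepts everything.
wg_input_rule_args() {
  iface="$1"; allow="$2"
  for entry in $allow; do
    src=""
    case "$entry" in
      *@*) src="${entry%@*}"; entry="${entry#*@}" ;;
    esac
    proto="${entry%%:*}"; port="${entry#*:}"
    set -- -A INT_INPUT_CHAIN -i "$iface"
    [ -n "$src" ] && set -- "$@" -s "$src"
    [ "$proto" != "all" ] && set -- "$@" -p "$proto" --dport "$port"
    printf '%s\n' "$* -j ACCEPT"
  done
  printf '%s\n' "-A INT_INPUT_CHAIN -i $iface -j DROP"
}

# lint_rule_order < RULES
# Returns 1 if an ACCEPT follows a DROP: the first matching rule wins, so an
# ACCEPT behind a DROP that already matched the packet can never take effect.
lint_rule_order() {
  seen_drop=0
  while IFS= read -r rule; do
    case "$rule" in
      *" -j DROP")   seen_drop=1 ;;
      *" -j ACCEPT") [ "$seen_drop" -eq 0 ] || return 1 ;;
    esac
  done
  return 0
}

# apply_wg_input_rules IFACE "ENTRY ..."
# Lints the generated rules, then installs them. Rules carrying an IPv4 -s
# are IPv4-only; everything else is applied to both iptables and ip6tables,
# as in the thread's listing.
apply_wg_input_rules() {
  rules=$(wg_input_rule_args "$1" "$2")
  printf '%s\n' "$rules" | lint_rule_order || {
    printf '%s\n' "refusing to apply: ACCEPT after DROP in INT_INPUT_CHAIN" >&2
    return 1
  }
  while IFS= read -r rule; do
    $IPTABLES $rule || return 1          # unquoted on purpose: split into args
    case "$rule" in
      *" -s "*) ;;
      *) $IP6TABLES $rule || return 1 ;;
    esac
  done <<EOF
$rules
EOF
}

# Stand-alone demo: SSH from any WireGuard peer, SIP only from the jump box
# at 10.4.0.15 (the address used in the thread), everything else dropped.
if [ "${WG_RULES_DEMO:-0}" = "1" ]; then
  apply_wg_input_rules "${WIREGUARD_IF:-wg0}" "tcp:22 10.4.0.15@udp:5060"
fi
```

Put the functions in /mnt/kd/arno-iptables-firewall/custom-rules and call apply_wg_input_rules "${WIREGUARD_IF:-wg0}" "tcp:22 10.4.0.15@udp:5060" where the thread calls custom_wg_lan_input; run it once with IPTABLES="echo iptables" IP6TABLES="echo ip6tables" to see the exact commands, then check the live chain with iptables -nvL INT_INPUT_CHAIN as Lonnie shows. Two caveats a practitioner should keep in mind: the catch-all DROP also stops ICMP over the tunnel, so monitoring by ping needs an explicit -p icmp rule (and -p ipv6-icmp for ip6tables), and a rule with an IPv4 -s is not mirrored, so a peer reached over an IPv6 tunnel address needs its own ip6tables rule.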
From: Michael K. <mic...@ip...> - 2019-09-15 02:12:52
Thanks Lonnie

I have never done any iptables rules so this will be a first.

Regards
Michael Knill

Sent from my iPhone so please excuse my brevity.

> On 10 Sep 2019, at 8:32 am, Lonnie Abelbeck <li...@lo...> wrote:
>
> Hi Michael,
>
> OK, that is best done via custom rules in "/mnt/kd/arno-iptables-firewall/custom-rules".
>
> For this example WireGuard LAN->Local will drop all traffic except SSH.
>
> -- /mnt/kd/arno-iptables-firewall/custom-rules --
> # Put any custom (iptables) rules here down below:
> ##################################################
>
> custom_wg_lan_input()
> {
>   local wg_if
>
>   wg_if="${WIREGUARD_IF:-wg0}"
>
>   echo "[CUSTOM RULE] Custom WireGuard LAN->Local"
>   iptables -A INT_INPUT_CHAIN -i $wg_if -p tcp --dport 22 -j ACCEPT
>   iptables -A INT_INPUT_CHAIN -i $wg_if -j DROP
> }
> custom_wg_lan_input
> --
>
> apply changes...
> pbx # arno-iptables-firewall restart
>
> test new rules with...
> pbx # iptables -nvL INT_INPUT_CHAIN
> Chain INT_INPUT_CHAIN (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     1    60 ACCEPT     tcp  --  wg0    *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
>     3   180 DROP       all  --  wg0    *       0.0.0.0/0            0.0.0.0/0
> ...
>
> and for IPv6...
> pbx # ip6tables -nvL INT_INPUT_CHAIN
> Chain INT_INPUT_CHAIN (3 references)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 ACCEPT     tcp      wg0    *       ::/0                 ::/0                 tcp dpt:22
>     0     0 DROP       all      wg0    *       ::/0                 ::/0
> ...
>
> Since the default LAN->Local policy is ACCEPT we need to use DROP to block all for wg0.
>
> As always, test the firewall rule changes to make sure it works as expected.
>
> Lonnie
>
>
>> On Sep 9, 2019, at 3:17 PM, Michael Knill <mic...@ip...> wrote:
>>
>> Hi sorry Lonnie, I didn't explain it well enough.
>>
>> I want to provide different access to Local from a physical LAN than the wg0 interface.
>> For instance I want to open TCP 443, my SSH port and possibly other ports from the physical LAN but open my SSH port only from wg0.
>>
>> I could do it based on the source IP, however as there are only Deny LAN->Local rules possible, I'm not sure how I could just open a single port and deny all the rest?
>>
>> Regards
>> Michael Knill
>>
>> On 9/9/19, 11:05 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>
>> I don't understand what you are asking, but the default isolated wg0 interface can be allowed to access physical LAN interfaces with:
>>
>> _x_ Allow WireGuard VPN tunnel to the [ 1st ] LAN Interface(s)
>>
>> And LANs can access Local by default.
>>
>> Lonnie
>>
>>
>>
>>> On Sep 8, 2019, at 10:57 PM, Michael Knill <mic...@ip...> wrote:
>>>
>>> Thanks Lonnie.
>>>
>>> Just wondering how I could use Deny LAN->Local when I actually want to allow onsite local LAN traffic to access the system admin interface?
>>> I really need a Pass LAN->Local to do this!
>>>
>>> Regards
>>> Michael Knill
>>>
>>> On 9/9/19, 1:11 pm, "Lonnie Abelbeck" <li...@lo...> wrote:
>>>
>>>
>>>
>>>> On Sep 8, 2019, at 8:46 PM, Michael Knill <mic...@ip...> wrote:
>>>>
>>>> Hi Group
>>>>
>>>> I am seeing lots of hacking attempts on my systems as they have found my non-standard SSH port. Although there is no issue as I have SSH key access only, I'm sick of the long list of addresses in the Adaptive Ban list and I'm thinking I should be adding another line of defence in my security anyway.
>>>> As such, along with implementing Geoblocking Netset files (next release), I also want to use a jump box for management. This server would connect to each system via WireGuard VPN, allowing management also when in a failover condition through NAT, e.g. 4G backup, firewall managed by others.
>>>>
>>>> With this architecture in mind, I was wondering how I would go about restricting access to a single port only from this WireGuard VPN tunnel to the local interface, e.g. wg0 address. I think it is completely open currently.
>>>>
>>>> Is it easy to do?
>>>>
>>>> Regards
>>>> Michael Knill
>>>
>>> If SSH access can only occur within a WireGuard tunnel, no port filtering is required since access is secured by WireGuard.
>>>
>>> As such, only allow remote user access to the management VPN via a WireGuard tunnel.
>>>
>>> But, if you want to filter SSH from wg0 to the local device by source IP address, try
>>>
>>> Firewall Rules:
>>> Action: [ Deny LAN->Local ]
>>>
>>> keeping in mind that the wg0 interface is treated as an isolated LAN subnet from any other LAN subnet.
>>>
>>> Lonnie
From: Michael K. <mic...@ip...> - 2019-09-11 22:15:25
DoH! I rewrote the file and it's working now.

Thanks for your help

Regards
Michael Knill

On 11/9/19, 11:10 pm, "Lonnie Abelbeck" <li...@lo...> wrote:

Hi Michael,

I use the firewall dyndns-host-open plugin all the time and it has never failed me.

Look closely for a typo in your dyndns-host-open.conf, also note it takes about 45 seconds after the firewall is loaded before the initial rule is added.

BTW, a general way to look at your dyndns-host-open status:

pbx # arno-iptables-firewall status-plugins dyndns-host-open

Also, another level of debugging, use:

pbx # arno-iptables-firewall restart

and look for the line:

-- Checking for (user) plugins in /usr/share/arno-iptables-firewall/plugins... --

and see if the "DynDNS Host Open plugin" looks good.

Lastly, on the box in question, issue from the CLI:

pbx # host zabbix.ipcsolutions.com.au

to make sure the DNS is working properly on that box.

Lonnie

> On Sep 11, 2019, at 2:07 AM, Michael Knill <mic...@ip...> wrote:
>
> Hi Group
>
> I'm trying to get this plugin working and it is just not playing the game at a couple of my sites.
>
> dyndns-host-open.conf
> ENABLED=1
> DYNDNS_UPDATE_TIME=900
> DYNDNS_HOST_OPEN_TCP="zabbix.ipcsolutions.com.au~10050"
> DYNDNS_HOST_OPEN_UDP=""
> DYNDNS_HOST_OPEN_IP=""
> DYNDNS_HOST_OPEN_ICMP=""
>
> At one site, it just won't put the rule in iptables:
> # arno-iptables-firewall status | grep 10050
>
> No output
>
> At another site it does:
> # arno-iptables-firewall status | grep 10050
> 28 1680 ACCEPT tcp -- * * <address hidden> 0.0.0.0/0 tcp dpt:10050
> ACCEPT tcp -- <address hidden> 0.0.0.0/0 tcp dpt:10050
>
> I can go back to putting an IP address in the firewall, but I will probably be changing the server later and it will be a pain to reconfigure all my sites.
> But I'm getting close to giving up on it.
>
> Regards
> Michael Knill
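The hostname-based opening that the dyndns-host-open plugin performs, as an added example rather than the plugin's own code: it resolves one HOST~PORT entry in the format shown in the thread, deletes rules for addresses the name no longer resolves to, adds rules for the current ones, and lets only dotted-quad IPv4 literals reach the iptables command line, because a DNS answer is input the operator does not control. The chain name DYNDNS_OPEN, the RESOLVE override, the previous-address list and the IPTABLES dry-run variable are this example's assumptions, not the plugin's interface; the entry zabbix.ipcsolutions.com.au~10050 is the one from the thread.

```shell
#!/bin/sh
# Added example, not the AstLinux dyndns-host-open plugin's own code. It shows
# the work such a plugin does on each refresh: resolve a HOST~PORT entry (the
# entry format seen in the thread), delete rules for addresses the name no
# longer resolves to, add rules for the current ones, and let only dotted-quad
# IPv4 literals reach the iptables command line.
# Assumptions (this example's, not the plugin's): a chain DYNDNS_OPEN that the
# firewall consults for external INPUT, a resolver that prints one IPv4 per
# line (overridable through RESOLVE so the script can run offline), and a
# previous-address list the caller keeps between runs.

IPTABLES="${IPTABLES:-iptables}"
RESOLVE="${RESOLVE:-resolve_ipv4}"

# Default resolver: A records only, one address per line.
resolve_ipv4() {
  host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# True only for a dotted-quad IPv4 literal. A DNS answer is input the operator
# does not control, so anything else is rejected before it can become an
# iptables argument.
is_ipv4() {
  case "$1" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  set -- $(printf '%s' "$1" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
}

# dyndns_tcp_rules HOST~PORT "PREV_ADDR ..."
# Prints one rule argument list per line: -D for each previous address the
# host no longer resolves to, then -A for each current address. A non-numeric
# port or a non-IPv4 answer is reported on stderr and skipped.
dyndns_tcp_rules() {
  entry="$1"; prev="$2"
  host="${entry%%~*}"; port="${entry#*~}"
  case "$port" in
    ''|*[!0-9]*) printf 'skipping %s: bad port\n' "$entry" >&2; return 1 ;;
  esac
  cur=$($RESOLVE "$host" | tr '\n' ' ')
  for a in $prev; do
    case " $cur " in
      *" $a "*) ;;
      *) printf '%s\n' "-D DYNDNS_OPEN -s $a -p tcp --dport $port -j ACCEPT" ;;
    esac
  done
  for a in $cur; do
    if is_ipv4 "$a"; then
      printf '%s\n' "-A DYNDNS_OPEN -s $a -p tcp --dport $port -j ACCEPT"
    else
      printf 'skipping %s: non-IPv4 answer %s\n' "$host" "$a" >&2
    fi
  done
}

# apply_rules < RULES
# Runs each line through iptables; with IPTABLES="echo iptables" it is a dry run.
apply_rules() {
  while IFS= read -r rule; do
    [ -n "$rule" ] || continue
    $IPTABLES $rule || return 1          # unquoted on purpose: split into args
  done
}

# Stand-alone demo: prints the commands one refresh of the thread's entry
# would run (no previous addresses, so only -A rules appear).
if [ "${DYNDNS_DEMO:-0}" = "1" ]; then
  IPTABLES="echo iptables"
  dyndns_tcp_rules "zabbix.ipcsolutions.com.au~10050" "" | apply_rules
fi
```

In real use the caller has to persist the address list between runs (the plugin's DYNDNS_UPDATE_TIME interval in the thread), otherwise stale -D rules are never generated and an old address stays open after the monitoring server moves. The example also illustrates why Lonnie's last suggestion matters: when name resolution on the box returns nothing, the function emits no -A rule at all and the port simply stays closed, which is one way the "no output from grep 10050" symptom in the thread can arise.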