From: Angus Scott-F. <an...@ge...> - 2004-11-30 02:16:33

On 26 Nov 2004 at 12:36, Stephen Miller wrote:

> Blocking of port 445 by ISP is well documented and there are a number of
> references in the list to changing to another port (say 444) so that remote
> administrators can access the web config, however I can't find a concise
> reference to exactly what needs to be changed. I have already modified
> /etc/httpd/conf/httpd.conf, changing the line 'Listen 445' to 'Listen 444',
> saved and rebooted IPCOP, but I can no longer access the web interface on
> either nnn.nnn.nnn.nnn:445 or nnn.nnn.nnn.nnn:444.
>
> What else do I need to configure to get this to work?

This comes up so often that, IMHO, it needs to be made available as a
menu-driven change using the SETUP routine when logged in to the console (or
via SSH).

Angus
--
Angus Scott-Fleming
GeoApps, Tucson, Arizona
1-520-290-5038 / fax 1-208-248-3124

From: Achim W. <dot...@gm...> - 2004-11-30 20:27:45

> I'm still having problems accessing the web interface. Consolidating advice
> from several sources, I have made the following changes:
>
> 1. Modified the following lines in /etc/httpd/conf/httpd.conf:
> Listen 444
> ....
> <VirtualHost _default_:444>
>
> 2. Modified /var/ipcop/header.pl:
> <VirtualHost _default_:444>
>
> 3. Modified /home/httpd/cgi-bin/portfw.cgi:
> print "Location:
> https://$ENV{'SERVER_ADDR'}:4445/$ENV{'PATH_INFO'}\r\n\r\n";

The above is in header.pl, not portfw.cgi, and here you use 4445, not 444 as
elsewhere!

> 4. Modified /var/ipcop/xtaccess/config adding the line:
> tcp,0.0.0.0/0,444,on,0.0.0.0
>
> 5. Restarted the webserver by running the commands:
> #killall httpd
> #httpd -DSSL

Is there something in /var/log/httpd/error_log when you restart
Apache?

BTW, do you use IPCop 1.4? As far as I remember the "-DSSL" option is not
needed there.

> I have repeated these steps several times (and substituted different port
> numbers), but I am unable to open it in a browser. When I try accessing
> http://nnn.nnn.nnn.nnn:81 in Mozilla I get the following error message: "The
> connection was refused when connecting to nnn.nnn.nnn.nnn:444." IE6 just
> gives "The page cannot be displayed".

Have you tried https://nnn.nnn.nnn.nnn:444 ???

> I have tried a port scan from both the red zone and green zone and the only
> ports open are 81 and 222.
>
> Have I missed anything?
>
> Cheers,
> Stephen

Achim

From: Jeffrey C. <goo...@gm...> - 2004-11-30 23:47:56

Well, after I changed my httpd.conf and header.pl, I can get to my IPCop web
admin by https://myname.dyndns.org:446/ (by DNS name) but I can't go to
https://xxx.xxx.xxx.xxx:446/ (my public IP).

It seems that the SSL virtual host is not responding to requests with
xxx.xxx.xxx.xxx (my public IP) in the HTTP header. I have a dynamic public IP
on the RED interface, BTW.

On Tue, 30 Nov 2004 21:27:24 +0100, Achim Weber <dot...@gm...> wrote:
> > I'm still having problems accessing the web interface. Consolidating advice
> > from several sources, I have made the following changes:
> >
> > 1. Modified the following lines in /etc/httpd/conf/httpd.conf:
> > Listen 444
> > ....
> > <VirtualHost _default_:444>
> >
> > 2. Modified /var/ipcop/header.pl:
> > <VirtualHost _default_:444>
> >
> > 3. Modified /home/httpd/cgi-bin/portfw.cgi:
> > print "Location:
> > https://$ENV{'SERVER_ADDR'}:4445/$ENV{'PATH_INFO'}\r\n\r\n";
>
> The above is in header.pl, not portfw.cgi, and here you use 4445, not 444 as
> elsewhere!
>
> > 4. Modified /var/ipcop/xtaccess/config adding the line:
> > tcp,0.0.0.0/0,444,on,0.0.0.0
> >
> > 5. Restarted the webserver by running the commands:
> > #killall httpd
> > #httpd -DSSL
>
> Is there something in /var/log/httpd/error_log when you restart
> Apache?
> BTW, do you use IPCop 1.4? As far as I remember the "-DSSL" option is not
> needed there.
>
> > I have repeated these steps several times (and substituted different port
> > numbers), but I am unable to open it in a browser. When I try accessing
> > http://nnn.nnn.nnn.nnn:81 in Mozilla I get the following error message: "The
> > connection was refused when connecting to nnn.nnn.nnn.nnn:444." IE6 just
> > gives "The page cannot be displayed".
>
> Have you tried https://nnn.nnn.nnn.nnn:444 ???
>
> > I have tried a port scan from both the red zone and green zone and the only
> > ports open are 81 and 222.
> >
> > Have I missed anything?
> >
> > Cheers,
> > Stephen
>
> Achim

--
"I don't go out to be seen, I don't go out to show off, I go out to be a
part of something I believe in."

From: Stephen M. <ip...@3l...> - 2004-12-01 00:55:01

I wonder if I have just stumbled onto a clue as to why this doesn't work.
Checking the log file /var/log/httpd/ssl_engine_log, I have the following
lines since restarting the httpd service:

[01/Dec/2004 11:07:38 25678] [info] Server: Apache/1.3.33, Interface: mod_ssl/2.8.22, Library: OpenSSL/0.9.7e-fips
[01/Dec/2004 11:07:38 25678] [info] Init: 1st startup round (still not detached)
[01/Dec/2004 11:07:38 25678] [info] Init: Initializing OpenSSL library
[01/Dec/2004 11:07:38 25678] [info] Init: Loading certificate & private key of SSL-aware server gateway:444
[01/Dec/2004 11:07:38 25678] [info] Init: Seeding PRNG with 136 bytes of entropy
[01/Dec/2004 11:07:38 25678] [info] Init: Generating temporary RSA private keys (512/1024 bits)
[01/Dec/2004 11:07:38 25678] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[01/Dec/2004 11:07:38 25679] [info] Init: 2nd startup round (already detached)
[01/Dec/2004 11:07:38 25679] [info] Init: Reinitializing OpenSSL library
[01/Dec/2004 11:07:38 25679] [info] Init: Seeding PRNG with 136 bytes of entropy
[01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
[01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary DH parameters (512/1024 bits)
[01/Dec/2004 11:07:38 25679] [info] Init: Initializing (virtual) servers for SSL
[01/Dec/2004 11:07:38 25679] [info] Init: Configuring server gateway:444 for SSL protocol
[01/Dec/2004 11:07:38 25679] [warn] Init: (gateway:444) RSA server certificate CommonName (CN) `gateway.mydomain.com' does NOT match server name!?

I named the firewall 'gateway' during the setup routine and notice that the
last line is rejecting the RSA certificate (in the log entry above, I have
replaced my domain name with 'mydomain.com').

> Well, after I changed my httpd.conf and header.pl, I can get to my
> IPCop web admin by
> https://myname.dyndns.org:446/ (by DNS name)

I haven't actually delegated the domain name gateway.mydomain.com to the red
interface of my IPCop firewall so I would expect to be able to access
https://gateway.mydomain.com:444. Is this essential (I certainly haven't seen
it documented)?

> but I can't go to
> https://xxx.xxx.xxx.xxx:446/ (my public IP)
> It seems that the SSL virtual host is not responding to requests with
> xxx.xxx.xxx.xxx (my public IP) in the HTTP header.
> I have a dynamic public IP on the RED interface, BTW.

Are you accessing the web interface using a domain name from the Green
zone? Does this also work remotely?

> On Tue, 30 Nov 2004 21:27:24 +0100, Achim Weber <dot...@gm...> wrote:
> > > I'm still having problems accessing the web interface. Consolidating
> > > advice from several sources, I have made the following changes:
> > >
> > > 1. Modified the following lines in /etc/httpd/conf/httpd.conf:
> > > Listen 444
> > > ....
> > > <VirtualHost _default_:444>
> > >
> > > 2. Modified /var/ipcop/header.pl:
> > > <VirtualHost _default_:444>
> > >
> > > 3. Modified /home/httpd/cgi-bin/portfw.cgi:
> > > print "Location:
> > > https://$ENV{'SERVER_ADDR'}:4445/$ENV{'PATH_INFO'}\r\n\r\n";
> >
> > The above is in header.pl, not portfw.cgi, and here you use 4445, not 444 as
> > elsewhere!
> >
> > > 4. Modified /var/ipcop/xtaccess/config adding the line:
> > > tcp,0.0.0.0/0,444,on,0.0.0.0
> > >
> > > 5. Restarted the webserver by running the commands:
> > > #killall httpd
> > > #httpd -DSSL
> >
> > Is there something in /var/log/httpd/error_log when you restart
> > Apache?
> > BTW, do you use IPCop 1.4? As far as I remember the "-DSSL" option is not
> > needed there.
> >
> > > I have repeated these steps several times (and substituted different port
> > > numbers), but I am unable to open it in a browser. When I try accessing
> > > http://nnn.nnn.nnn.nnn:81 in Mozilla I get the following error message: "The
> > > connection was refused when connecting to nnn.nnn.nnn.nnn:444." IE6 just
> > > gives "The page cannot be displayed".
> >
> > Have you tried https://nnn.nnn.nnn.nnn:444 ???
> >
> > > I have tried a port scan from both the red zone and green zone and the only
> > > ports open are 81 and 222.
> > >
> > > Have I missed anything?
> > >
> > > Cheers,
> > > Stephen
> >
> > Achim

From: Jeffrey C. <goo...@gm...> - 2004-12-01 02:07:10

On Wed, 1 Dec 2004 11:25:01 +1030, Stephen Miller <ip...@3l...> wrote:
> I wonder if I have just stumbled onto a clue as to why this doesn't work.
> Checking the log file /var/log/httpd/ssl_engine_log, I have the following
> lines since restarting the httpd service:
>
> [01/Dec/2004 11:07:38 25678] [info] Server: Apache/1.3.33, Interface: mod_ssl/2.8.22, Library: OpenSSL/0.9.7e-fips
> [01/Dec/2004 11:07:38 25678] [info] Init: 1st startup round (still not detached)
> [01/Dec/2004 11:07:38 25678] [info] Init: Initializing OpenSSL library
> [01/Dec/2004 11:07:38 25678] [info] Init: Loading certificate & private key of SSL-aware server gateway:444
> [01/Dec/2004 11:07:38 25678] [info] Init: Seeding PRNG with 136 bytes of entropy
> [01/Dec/2004 11:07:38 25678] [info] Init: Generating temporary RSA private keys (512/1024 bits)
> [01/Dec/2004 11:07:38 25678] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: 2nd startup round (already detached)
> [01/Dec/2004 11:07:38 25679] [info] Init: Reinitializing OpenSSL library
> [01/Dec/2004 11:07:38 25679] [info] Init: Seeding PRNG with 136 bytes of entropy
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary RSA private keys (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring temporary DH parameters (512/1024 bits)
> [01/Dec/2004 11:07:38 25679] [info] Init: Initializing (virtual) servers for SSL
> [01/Dec/2004 11:07:38 25679] [info] Init: Configuring server gateway:444 for SSL protocol
> [01/Dec/2004 11:07:38 25679] [warn] Init: (gateway:444) RSA server certificate CommonName (CN) `gateway.mydomain.com' does NOT match server name!?
>
> I named the firewall 'gateway' during the setup routine and notice that the
> last line is rejecting the RSA certificate (in the log entry above, I have
> replaced my domain name with 'mydomain.com').

Hmm, I checked my logs and I have the same mismatched domain name error.
Like you, I have renamed my ipcop gateway's hostname.

> > Well, after I changed my httpd.conf and header.pl, I can get to my
> > IPCop web admin by
> > https://myname.dyndns.org:446/ (by DNS name)
>
> I haven't actually delegated the domain name gateway.mydomain.com to the red
> interface of my IPCop firewall so I would expect to be able to access
> https://gateway.mydomain.com:444. Is this essential (I certainly haven't seen
> it documented)?
>
> > but I can't go to
> > https://xxx.xxx.xxx.xxx:446/ (my public IP)
> > It seems that the SSL virtual host is not responding to requests with
> > xxx.xxx.xxx.xxx (my public IP) in the HTTP header.
> > I have a dynamic public IP on the RED interface, BTW.
>
> Are you accessing the web interface using a domain name from the Green zone?
> Does this also work remotely?

Hmm, I just checked. I used to be able to get to it by hostname, but once
again the 81->446 redirect doesn't work anymore. Here are my results:

Doesn't work:

http://myhostname.mysubdomain.dyndns.org:81/ (from internet or from GREEN network)
  -> http://myhostname.mysubdomain.dyndns.org:81/cgi-bin/index.cgi
  -> HTTP/1.x 302 Moved
  -> https://xxx.xxx.xxx.xxx:446/ (DNS name resolved to public IP if I'm outside, local IP if I'm browsing from GREEN network)
  -> blank page, no HTTP response

https://myhostname:446/ (from GREEN network)
  -> host not found (the hostname doesn't resolve locally, probably DNS suffix misconfigured on my side).

https://xxx.xxx.xxx.xxx:446/ (from internet)
  -> blank page, no HTTP response

Works:

https://myhostname.mysubdomain.dyndns.org:446/ (from RED or GREEN)
http://xxx.xxx.xxx.xxx:446/ (my GREEN interface IP)

Despite the mismatched domain name in the SSL certificate, I still believe
that the SSL virtual host in Apache isn't configured to respond to the dynamic
IP on the RED interface. I wonder if changing

https://$ENV{'SERVER_ADDR'}:446/$ENV{'PATH_INFO'}\r\n\r\n";

to

https://$ENV{'SERVER_NAME'}:446/$ENV{'PATH_INFO'}\r\n\r\n";

would fix it.

- Jeff

From: Stephen M. <ip...@3l...> - 2004-12-01 00:40:35

>> I'm still having problems accessing the web interface.
>> Consolidating advice from several sources, I have made the
>> following changes:
>> 1. Modified the following lines in /etc/httpd/conf/httpd.conf:
>> Listen 444
>> ....
>> <VirtualHost _default_:444>
>> 2. Modified /var/ipcop/header.pl:
>> <VirtualHost _default_:444>

This file actually contains:

>> print "Location:
>> https://$ENV{'SERVER_ADDR'}:444/$ENV{'PATH_INFO'}\r\n\r\n";

>> 3. Modified /home/httpd/cgi-bin/portfw.cgi:
>> print "Location:
>> https://$ENV{'SERVER_ADDR'}:4445/$ENV{'PATH_INFO'}\r\n\r\n";
> The above is in header.pl, not portfw.cgi, and here you use 4445, not 444 as
> elsewhere!

Oops, this file actually contains the following line:

my @tcp_reserved = (81,222,444);

>> 4. Modified /var/ipcop/xtaccess/config adding the line:
>> tcp,0.0.0.0/0,444,on,0.0.0.0
>> 5. Restarted the webserver by running the commands:
>> #killall httpd
>> #httpd -DSSL
> Is there something in /var/log/httpd/error_log when you restart
> Apache?

Error log on restart reads:

[Wed Dec 1 10:53:38 2004] [notice] caught SIGTERM, shutting down
[Wed Dec 1 10:53:43 2004] [notice] Apache configured -- resuming normal operations
[Wed Dec 1 10:53:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)

> BTW, do you use IPCop 1.4? As far as I remember the "-DSSL" option is not
> needed there.

Yes, I am using 1.4.1. I just tried restarting the httpd service without
this option, but it didn't seem to make a difference.

>> I have repeated these steps several times (and substituted different port
>> numbers), but I am unable to open it in a browser. When I try accessing
>> http://nnn.nnn.nnn.nnn:81 in Mozilla I get the following error message
>> "The connection was refused when connecting to nnn.nnn.nnn.nnn:444." IE6
>> just gives "The page cannot be displayed".
> Have you tried https://nnn.nnn.nnn.nnn:444 ???

Yes, but it made no difference.

>> I have tried a port scan from both the red zone and green zone and the
>> only ports open are 81 and 222.
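
The five edits traced through this thread (Listen and the SSL VirtualHost in httpd.conf, the Location redirect in header.pl, the @tcp_reserved list in portfw.cgi, the rule in xtaccess/config) all have to agree on one port, and the thread shows how easily one of them drifts (4445 in header.pl while everything else says 444). The script below is an added example, not part of this thread and not IPCop's own tooling: it checks those four files for agreement on a single port, reports the 4445-style slip, and warns when the xtaccess source is 0.0.0.0/0, since that line opens the admin GUI to any address reaching RED and a narrower source range is worth considering. It assumes the file paths quoted in the thread and the line shapes quoted there; the function names are mine, `make_ipcop_fixture` writes constructed sample copies of those files so the check can be exercised away from a firewall, and `ipcop_listen_check` is the on-box equivalent of the port scan Stephen ran.

```shell
#!/bin/sh
# Added example (not IPCop's own code): check that an IPCop 1.4 web-admin
# port change is applied consistently. The paths are the ones quoted in the
# thread; function names and fixture contents are assumptions.
#
#   $root/etc/httpd/conf/httpd.conf      Listen PORT / <VirtualHost _default_:PORT>
#   $root/var/ipcop/header.pl            Location: https://$ENV{'SERVER_ADDR'}:PORT/...
#   $root/home/httpd/cgi-bin/portfw.cgi  my @tcp_reserved = (81,222,PORT);
#   $root/var/ipcop/xtaccess/config      tcp,SRC,PORT,on,DST
#
# On the firewall: ipcop_port_check / 444

# Print every file that disagrees with port $2 under root $1; return 1 if any.
ipcop_port_check() {
    root=$1; want=$2; bad=0
    conf="$root/etc/httpd/conf/httpd.conf"
    hdr="$root/var/ipcop/header.pl"
    pfw="$root/home/httpd/cgi-bin/portfw.cgi"
    xta="$root/var/ipcop/xtaccess/config"

    # 1. Apache must listen on the port AND have the SSL vhost bound to it;
    #    changing only 'Listen' leaves the vhost on the old port.
    grep -Eq "^Listen[[:space:]]+([0-9.]+:)?$want[[:space:]]*\$" "$conf" \
        || { echo "httpd.conf: no 'Listen $want'"; bad=1; }
    grep -Fq "<VirtualHost _default_:$want>" "$conf" \
        || { echo "httpd.conf: no '<VirtualHost _default_:$want>'"; bad=1; }

    # 2. The port-81 -> HTTPS redirect in header.pl must send browsers to
    #    the same port (this is the 4445-vs-444 slip from the thread).
    #    SERVER_ADDR or SERVER_NAME are both accepted here.
    redir=$(sed -n 's#.*https://\$ENV{.SERVER_[A-Z]*.}:\([0-9][0-9]*\)/.*#\1#p' "$hdr" | head -n 1)
    [ "$redir" = "$want" ] \
        || { echo "header.pl: redirect targets port '${redir:-none}', not $want"; bad=1; }

    # 3. portfw.cgi must reserve the port so a port-forward cannot take it.
    list=$(sed -n 's/^my @tcp_reserved[[:space:]]*=[[:space:]]*(\(.*\));.*/\1/p' "$pfw" | head -n 1)
    case ",$(printf '%s' "$list" | tr -d ' ')," in
        *,"$want",*) ;;
        *) echo "portfw.cgi: $want missing from @tcp_reserved (${list:-not found})"; bad=1 ;;
    esac

    # 4. An enabled external-access rule is needed for RED. A 0.0.0.0/0
    #    source exposes the admin GUI to the whole Internet, so flag it.
    rule=$(grep "^tcp,[^,]*,$want,on," "$xta" | head -n 1)
    [ -n "$rule" ] || { echo "xtaccess: no enabled tcp rule for port $want"; bad=1; }
    case "$rule" in
        tcp,0.0.0.0/0,*) echo "xtaccess: WARNING rule for $want allows any source address" ;;
    esac

    return $bad
}

# On the firewall itself: is a listener actually bound to port $1?
# (Equivalent of the thread's port scan; not exercised by the fixture test.)
ipcop_listen_check() {
    netstat -ltn 2>/dev/null | awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Build a throwaway tree of constructed sample files mirroring the thread's
# edits: $2 = port in httpd.conf/portfw.cgi/xtaccess, $3 = port in header.pl,
# $4 = xtaccess source range.
make_ipcop_fixture() {
    root=$1; p=$2; rp=$3; src=$4
    mkdir -p "$root/etc/httpd/conf" "$root/var/ipcop/xtaccess" "$root/home/httpd/cgi-bin"
    printf 'Listen 81\nListen %s\n<VirtualHost _default_:%s>\n</VirtualHost>\n' "$p" "$p" \
        > "$root/etc/httpd/conf/httpd.conf"
    cat > "$root/var/ipcop/header.pl" <<EOF
print "Location: https://\$ENV{'SERVER_ADDR'}:$rp/\$ENV{'PATH_INFO'}\\r\\n\\r\\n";
EOF
    printf 'my @tcp_reserved = (81,222,%s);\n' "$p" > "$root/home/httpd/cgi-bin/portfw.cgi"
    printf 'tcp,%s,%s,on,0.0.0.0\n' "$src" "$p" > "$root/var/ipcop/xtaccess/config"
}
```

Run `ipcop_port_check / 444` on the firewall after editing and before `killall httpd`; if it is clean but a port scan still shows only 81 and 222, look at the restart and at /var/log/httpd/error_log, as Achim suggests, rather than at the files. The certificate CN warning Stephen found in ssl_engine_log (hostname 'gateway' versus CN 'gateway.mydomain.com') is a separate matter that this check does not look at.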

From: Jeffrey C. <goo...@gm...> - 2004-12-01 00:51:52

On Wed, 1 Dec 2004 11:10:34 +1030, Stephen Miller <ip...@3l...> wrote:
> > > Have you tried https://nnn.nnn.nnn.nnn:444 ???
>
> Yes, but it made no difference.

Have you tried what I suggested, using a DNS name like
https://youripcop.dyndns.org:446/ instead of the IP #? It works for me.

From: Stephen M. <ip...@3l...> - 2004-12-01 01:01:49

> On Wed, 1 Dec 2004 11:10:34 +1030, Stephen Miller <ip...@3l...> wrote:
> > > > Have you tried https://nnn.nnn.nnn.nnn:444 ???
> >
> > Yes, but it made no difference.
>
> Have you tried what I suggested, using a DNS name like
> https://youripcop.dyndns.org:446/ instead of the IP #? It works for me.

Yes, made no difference.