Mantis - ISSUES

0002759: Ipsec crashes system

Since using 6 ipsec-tunnels to remote sites, after about 20-30 minutes, endian hangs and can only be hard-reseted. This behaviour was not seen before activating ipsec. Ipsec is configured with no debug flags active and only one option in ike (1536). We are forced to use ipsec, because remote offices systems are only able to vpn with ipsec(zywall usg 100). We checked: Ram, CPU, Disks (even replaced them), but with no success.
Highly possible, that this is related to ID 0001359.
Is there a releif or fix in reach?

0000264: Active directory authentication for openvpn

I got this in reply to one of my postings, it wasn't what I wanted but is a great idea ...
It provides autentication for openvpn against and active directory server...
hope it helps ..

#!/usr/bin/perl

use Net::LDAP;

$USER=$ENV{'username'};
$PASS=$ENV{'password'};

$ldap = Net::LDAP->new( 'ldap://172.24.254.1' [^] ) or die "$@";
#$mesg = $ldap->bind ; # an anonymous bind
$mesg = $ldap->bind( "$USER\@domain.com",
password => "$PASS"
#$mesg = $ldap->bind( "CN=$USER,CN=Users,DC=domain,DC=com",
# password => "$PASS"
);

if ($mesg->code) {
die $mesg->error;
exit 1;
} else {
# print "Auth OK\n";
exit 0;
}

this works for AD. you may have to tweak it for your LDAP.

0002035: LDAP authentication doesn't support spaces in names

The problem happened with a group name that had a space in it, eg. "IT Users". So when the endian sent the ldap query, the second word was cut off (space is a delimiter). Changing it to "ITUsers" fixed the problem.

I thought further about the spacing issue with the endian, and I do think it is an endian bug. LDAP should indeed support spaces in names, eg. cn=Name Surename
And its the parsing in endian which fails when spaces occur.

0002761: cleanup havp black/whitelist creation

writeHavpList() in restarthavp.py needs cleanup

it should:
1) check if /etc/havp/*list is a link, when it is -> remove it and touch the
file with correct permissions
2) filecompare /var/efw/havp/*list with /etc/havp/*list, return function with
False (changed == False) if it is same
3) if it differs, copy the content of /var/efw/havp/*list to /etc/havp/*list.
dont use cat >>, which is appending and would cause to have a constantly
growing file

0002736: E5830

I would like to know if E5830 modem would support with Endian 2.3

0001532: amavis: does not accept any connections due to db4 lock

sometimes, assumably after a reboot, the db4 database in /var/amavis/db/ remains locked, thus when amavis will be restarted it remains locked after opening the db4 database.
No connections will be accepted anymore if this happens

0001300: traffic graphs should display the uplink name instead of the uplink id

display the description of the uplink instead of "uplink1", "uplink2"

0002681: Dashboard stats have wrong values

Statistics for the pop3 proxy in the dashboard are way too high.

Stats show for the last hour around 2000 received mails and for Today around 4000.

In reality there should only be about 5 per hour and max 50 per day.

0001955: main.cgi: display which uplink actually is the default gateway

If one set's an uplink unmanaged and stop/starts it manually, it get's the default gateway.
But you will not notice this on the GUI.

main.cgi should display which uplink is actually the default gateway.
That information is stored in flag file: /var/efw/uplinks/*/defaultgateway

0002564: add a comment to every template that changes have to be made in template

people constantly are asking why config files are overwritten. If we add a comment at the beginning of the config file (at the beginning of the template), which says to do changes to the template file, or better to the custom template file in /var/efw, those questions will never appear again

0002575: commmands.migration.update never updates a package with an any migration module

because there is always a pending migration module

0002422: make emi modules reloadable

with commands.emi.reload all modules will be reloaded, since the cherrypy instance will be re-instantiated completely
That's ok in some cases, but not ok when you want to do something like this:

emicommand commands.emi.reload
emicommand commands.migration.run --pkg=qos

which will be done in %post hook for the efw-qos package for example.

Now, we could also remove all cherrypy references to an emi controller, remove the modules from modules registry, re-import and re-init the emi module. That would be the ideal, because after an upgrade only that proper module will be reloaded.

This can be done by the following code examples:
import sys
import cherrypy
delattr(cherrypy.root.manage, "qos")
for i in filter(lambda x: x.startswith("endian.qos"), sys.modules.keys()):
del sys.modules[i]
import endian.qos.web
endian.hotspot.web.init(cherrypy.root.manage)

So far so good..
Not every EMI module is reloadable so far. hotspot for example tries to re-register the model and qos tries to re-register datasource filetypes.
So we need to check that every emi module is reloadable.

That means we need to do:
- registries should replace same items and not raise an error (datasource)
- module reload probably need to close also the corresponding database hub,
since reload will reopen it and thus register already registered classes.
- registering modules need to become more intelligent and store for every child
which have been connected its parent-node module string in a searchable
structure. not every controller is connected to manage, so we can't
remove it if we don't find it.
- removing controller need also to remove command and event registrations and
subscriptions. They will however be overwritten, but if a module has an error
during reload or will be removed, those registrations will not be
garbage-collected
- removing modules should be generic, in order to be able to do that also on
%postun hook, when an emi module passes by.
- installing modules could also become dynamic in order to be able to call
from emicommand, so installations of new modules do not require an emi restart

hope that's all.

0000816: Mask password in IMAP spam training source

Edit IMAP spam training source and the passwords are in plain text, it may be interesting to mask it.

0000520: dhcp does not update DNS information

if the subnet of a zone will be changed with the network wizard the DNS information of dhcp will not be updated.
all other values will be updates by the restartscript, but not visualized within cgi

0002038: Uptime not shown correctly right afert first installation & first connection

If you install Endian on a computer, finish the initial configuration and make your first internet connection, what endian does is:

1. it establishes the connection
2. it starts measuring the uptime
3. it synchronizes it's time with a time server and changes the system time if needed.
4. it continues measunring the uptime but if the system time was changed, the uptime is being displayed wrong! (In my case: the uptime was shown as 2h and a minute although the connection was just established)

- I had set the time in my computer's Bios correctly to the local time.
- I had set my time zone correctly in the initial configuration window

Nevertheless the time was shown wrong after completing the initial configuration (2h earlyer than the truth), then after connecting for the first time it was corrected (+2h), but then the link-uptime displayed that the uptime was 2h...

0002044: give each daemon its own logfile

/var/log messages grows big, around 8000 to 10,000 lines.

0002050: updating uplink causes it to go down

hi!

It is very important to me, to always have external access to the firewall for management purpose. Currently if I like to add an IP alias or change something on the uplink I lock out myself by clicking on "update uplink". Why it can not retain the state?

thank you!

0002051: When changing hostname of endian, certificates remain with the old hostname

I have changed the hostname of my endian
Example: from "old.endian.tom" to "new.endian.tom"
Then I reinstalled Firefox, and all old certificates were gone.
After reconnecting to Endian I got an error message, saying that the certificate is not valid, because it belongs to another webiste (old.endian.tom) then the one that I want to visit (new.endian.tom). It seems like the certificate was once generated with the old name and did not notice that there is a need for regenerating one with the new hostname.

0002758: Networkcards drivers

Drivers for Broadcom B5071 PHY Gigabit card (Nvidia NForce MCP78)

0001699: Inter Zone communication sometimes gets blocked

Our Inter-Zone firewall is configured to allow communication from GREEN -> (GREEN, ORANGE, BLUE).

Sometimes this works without problems, and I can ssh machines in ORANGE from a computer in GREEN without problems. All of a sudden communication stops and machines in ORANGE are not reachable from GREEN any more (eventhough machines in ORANGE can still reach RED).

When this is the case, I get the following entries in the Firewall log (10.3. is GREEN, 10.2 is ORANGE)

Mar 23 15:07:49 ZONEFW:ACCEPT:1 br0 KEY_TCP 10.3.0.100 56388 ff:## 10.2.0.1 22
Mar 23 15:07:49 FORWARD:DROP br1 KEY_TCP 10.2.0.1 22 ff:## 10.3.0.100 56388

Even turning of the Inter-Zone-Firewall does not solve the issue.

0002140: Connection status and control panel undef connections

Openvpn connection status and control panel in undef connection to come into existence.

0002075: creating uplinks on interfaces already used is not forbidden

You can create a new uplink from Network -> Interfaces -> Uplink Editor on interfaces in use for other uplinks or for orange/blue/hotspot..

That should be forbidden in order to avoid major problems in case of mistake.

0002710: Viruses in archive not removed.

Amavis/Clamav does not remove viruses in zip files.

Also referred to as FedEx / UPS spam, these messages should be removed by amavisd, but they aren't.

Headers show it is detected, but still passed to spam quarantine instead of virus quarantine.

This also happened in EFW 2.2.

Regards,

Klaas-Jan

0002057: /root/bashrc is not read correctly?!

I have added the file /root/.bashrc.
The contens of this file is:
alias l='ls -la'

When I login as root, the alias does NOT work.
When I have logged in as root and change to user root by typing "su root", the alias works fine. Obviously the user root does not use .bashrc via the initial login, only when loggin in again a second time..

0002171: Backup doesn't work

On a beta4 system upgraded to rc1.
Backup settings from gui interface doesn't work, neither via shell:

root@kenny-23:/mnt/usbstick/efw-backups # backup-create.sh --settings --logs --logarchives --dbdumps
Could not create backup '/tmp/backup.tar.d23059'!

root@kenny-23:/home/httpd/html/backup # efw-backupusb --runbackup

2009-09-17 14:33:55,389 - efw-backupusb[21117] - INFO - Creating backup...
2009-09-17 14:35:10,902 - efw-backupusb[21117] - ERROR - Error running command: /usr/local/bin/backup-create.sh --settings --logs --logarchives --dbdumps --message "'USB-Stick Backup: kenny-23.southpark'" 2> /dev/null
ERROR: {"msg": "Error running command: /usr/local/bin/backup-create.sh --settings --logs --logarchives --dbdumps --message \"'USB-Stick Backup: kenny-23.southpark'\" 2> /dev/null", "type": "error", "time": 1253190910.9061821}
2009-09-17 14:35:11,920 - efw-backupusb[21117] - INFO - updating symlinks