Viewing Issue Advanced Details
2953 [Endian Firewall] Installation crash always 2010-05-30 16:35 2010-09-09 01:17
Denny Crane  
subsonica  
normal  
feedback 2.4  
reopened  
none    
none  
Kernel Panic during installation in a VM
I tried to install Endian in some VMs.

VirtualBox 3.2.0
"Kernel panic - not syncing : Fatal exception in interrupt"

and on

VirtualPC 6.0.156.0
"Kernel panic - not syncing : Attempted to kill the idle task"
Fatal_exception_in_interrupt.png (465 KB) 2010-07-12 02:38
Notes
(0004308)
baldy   
2010-05-30 22:28   
Installation in Virtual PC on Windows 7 does succeed but completely messes up the file system.
(0004326)
christian   
2010-06-01 10:22   
Did you install the 2.4 image or the 2.4-RESPIN image? Please try with the RESPIN image if you haven't already...
(0004331)
Denny Crane   
2010-06-01 15:39   
(edited on: 2010-06-01 15:40)
uh, ähm... I do not really know.
I used this one "EFW-COMMUNITY-2.4-201005280528"

@christian
I think you posted this version a few days ago in the German efw forum? ;)

(0004332)
giig   
2010-06-01 16:02   
I used the EFW-COMMUNITY-2.4-201005280528-RESPIN.iso file on Virtualbox 3.2.0r61806: same error


Virtual Box 3.2.0
"Kernel panic - not syncing : Fatal exception in interrupt"
(0004333)
baldy   
2010-06-01 16:05   
Installation of the RESPIN version in Virtual PC on Windows 7 fails.

Setup hangs either at making root filesystem or installing packages.
(0004542)
monska   
2010-06-20 15:51   
I try to install:
EFW-COMMUNITY-2.4-201005280528-RESPIN.iso
on VirtualBox 3.2.4 on Linux Fedora and the error persists:
Kernel panic - not syncing: Fatal exception in interrupt
(0004550)
clubbing80s   
2010-06-22 13:35   
I can also confirm this error
"Kernel panic - not syncing : Fatal exception in interrupt"
With VirtualBox 3.2.4 r62647
(0004566)
subsonica   
2010-06-28 20:00   
Endian needs a RS232 port: in order to install Endian in a VM, enable the RS232 port (COM1) in your virtual machine configuration.
In VirtualBox select your VM (while it is turned off) and go to configuration->serial ports->check "Port 1 ->Enable serial port" and direct it to whatever COM you want (you can even leave it with the "disconnected" option checked, but the installer must detect the virtual RS232 hardware, otherwise it panics).
(0004567)
subsonica   
2010-06-28 20:13   
Same issue as with a physical machine not having serial/RS232 ports enabled at BIOS level:
http://kb.endian.com/entry/9/
(0004568)
subsonica   
2010-06-28 20:16   
Sorry, I misspelled the solution:

Endian needs a serial/RS232 port: in order to install Endian in a VM, enable at least one virtual RS232 port (COM1, COM2, COM3, whichever) in your virtual machine settings.
In VirtualBox select your VM (while it is turned off), go to configuration->serial ports->check "Port 1 ->Enable serial port" and direct it to whichever COM you want (you can even leave the "disconnected" option checked, but the installer must detect the virtual RS232 hardware, otherwise it panics).
(0004607)
saw3   
2010-07-10 10:41   
Enabling the serial port doesn't solve the problem.

We have tested it with VirtualBox-3.2.6-63112 running on Debian "lenny" with kernel 2.6.27 or kernel 2.6.32 on an Intel E2160 system with an enabled serial port, host pipe or file. The result is always the same:

[ 0.000000] Linux version 2.6.27.19-72.e25 (root@buildmaster.office) (gcc version 4.1.2 20070626 (e 4.1.2-14)) #1 SMP Thu May 27 19:29:04 EDT 2010
[ 0.000000] BIOS-provided physical RAM map:
[ 0.000000] BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
[ 0.000000] BIOS-e820: 000000000009fc00 - 00000000000a0000 (reserved)
[ 0.000000] BIOS-e820: 00000000000f0000 - 0000000000100000 (reserved)
[ 0.000000] BIOS-e820: 0000000000100000 - 000000003fff0000 (usable)
[ 0.000000] BIOS-e820: 000000003fff0000 - 0000000040000000 (ACPI data)
[ 0.000000] BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
[ 0.000000] DMI 2.5 present.
[ 0.000000] last_pfn = 0x3fff0 max_arch_pfn = 0x100000
[ 0.000000] CPU MTRRs all blank - virtualized system.
[ 0.000000] RAMDISK: 3f208000 - 3ffcf125
[ 0.000000] Allocated new RAMDISK: 00809000 - 015d0125
[ 0.000000] Move RAMDISK from 000000003f208000 - 000000003ffcf124 to 00809000 - 015d0124
[ 0.000000] ACPI: RSDP 000E0000, 0024 (r2 VBOX )
[ 0.000000] ACPI: XSDT 3FFF0030, 003C (r1 VBOX VBOXXSDT 1 ASL 61)
[ 0.000000] ACPI: FACP 3FFF00F0, 00F4 (r4 VBOX VBOXFACP 1 ASL 61)
[ 0.000000] ACPI: DSDT 3FFF0460, 18FF (r1 VBOX VBOXBIOS 2 INTL 20061109)
[ 0.000000] ACPI: FACS 3FFF0200, 0040
[ 0.000000] ACPI: APIC 3FFF0240, 004A (r2 VBOX VBOXAPIC 1 ASL 61)
[ 0.000000] ACPI: SSDT 3FFF0290, 01CC (r1 VBOX VBOXCPUT 2 INTL 20061109)
[ 0.000000] 127MB HIGHMEM available.
[ 0.000000] 896MB LOWMEM available.
[ 0.000000] mapped low ram: 0 - 38000000
[ 0.000000] low ram: 00000000 - 38000000
[ 0.000000] bootmap 00008000 - 0000f000
[ 0.000000] (9 early reservations) ==> bootmem [0000000000 - 0038000000]
[ 0.000000] #0 [0000000000 - 0000001000] BIOS data page ==> [0000000000 - 0000001000]
[ 0.000000] #1 [0000001000 - 0000002000] EX TRAMPOLINE ==> [0000001000 - 0000002000]
[ 0.000000] #2 [0000006000 - 0000007000] TRAMPOLINE ==> [0000006000 - 0000007000]
[ 0.000000] #3 [0000400000 - 0000804580] TEXT DATA BSS ==> [0000400000 - 0000804580]
[ 0.000000] #4 [0000805000 - 0000809000] INIT_PG_TABLE ==> [0000805000 - 0000809000]
[ 0.000000] #5 [000009fc00 - 0000100000] BIOS reserved ==> [000009fc00 - 0000100000]
[ 0.000000] #6 [0000007000 - 0000008000] PGTABLE ==> [0000007000 - 0000008000]
[ 0.000000] #7 [0000809000 - 00015d0125] NEW RAMDISK ==> [0000809000 - 00015d0125]
[ 0.000000] #8 [0000008000 - 000000f000] BOOTMAP ==> [0000008000 - 000000f000]
[ 0.000000] found SMP MP-table at [c009fff0] 0009fff0
[ 0.000000] Zone PFN ranges:
[ 0.000000] DMA 0x00000000 -> 0x00001000
[ 0.000000] Normal 0x00001000 -> 0x00038000
[ 0.000000] HighMem 0x00038000 -> 0x0003fff0
[ 0.000000] Movable zone start PFN for each node
[ 0.000000] early_node_map[2] active PFN ranges
[ 0.000000] 0: 0x00000000 -> 0x0000009f
[ 0.000000] 0: 0x00000100 -> 0x0003fff0
[ 0.000000] ACPI: PM-Timer IO Port: 0x4008
[ 0.000000] ACPI: LAPIC (acpi_id[0x00] lapic_id[0x00] enabled)
[ 0.000000] ACPI: IOAPIC (id[0x01] address[0xfec00000] gsi_base[0])
[ 0.000000] IOAPIC[0]: apic_id 1, version 17, address 0xfec00000, GSI 0-23
[ 0.000000] ACPI: INT_SRC_OVR (bus 0 bus_irq 0 global_irq 2 dfl dfl)
[ 0.000000] Enabling APIC mode: Flat. Using 1 I/O APICs
[ 0.000000] Using ACPI (MADT) for SMP configuration information
[ 0.000000] SMP: Allowing 1 CPUs, 0 hotplug CPUs
[ 0.000000] Allocating PCI resources starting at 50000000 (gap: 40000000:bffc0000)
[ 0.000000] PERCPU: Allocating 40732 bytes of per cpu data
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 259983
[ 0.000000] Kernel command line: ide=nodma initrd=instroot.gz root=/dev/ram0 rw nopcmcia BOOT_IMAGE=vmlinuz console=ttyS0
[ 0.000000] Enabling fast FPU save and restore... done.
[ 0.000000] Enabling unmasked SIMD FPU exception support... done.
[ 0.000000] Initializing CPU#0
[ 0.000000] PID hash table entries: 4096 (order: 12, 16384 bytes)
[ 0.000000] TSC: Unable to calibrate against PIT
[ 0.000000] TSC: using PMTIMER reference calibration
[ 0.000000] Detected 1801.754 MHz processor.
[ 0.000999] Console: colour VGA+ 80x25
[ 0.000999] console [ttyS0] enabled
[ 0.000999] Dentry cache hash table entries: 131072 (order: 7, 524288 bytes)
[ 0.000999] Inode-cache hash table entries: 65536 (order: 6, 262144 bytes)
[ 0.000999] Memory: 1020404k/1048512k available (2186k kernel code, 27380k reserved, 982k data, 308k init, 131008k highmem)
[ 0.000999] virtual kernel memory layout:
[ 0.000999] fixmap : 0xffe18000 - 0xfffff000 (1948 kB)
[ 0.000999] pkmap : 0xff800000 - 0xffc00000 (4096 kB)
[ 0.000999] vmalloc : 0xf8800000 - 0xff7fe000 ( 111 MB)
[ 0.000999] lowmem : 0xc0000000 - 0xf8000000 ( 896 MB)
[ 0.000999] .init : 0xc071e000 - 0xc076b000 ( 308 kB)
[ 0.000999] .data : 0xc0622a99 - 0xc0718448 ( 982 kB)
[ 0.000999] .text : 0xc0400000 - 0xc0622a99 (2186 kB)
[ 0.000999] Checking if this processor honours the WP bit even in supervisor mode...Ok.
[ 0.000999] SLUB: Genslabs=12, HWalign=64, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.021266] Calibrating delay loop (skipped), value calculated using timer frequency.. 3603.50 BogoMIPS (lpj=1801754)
[ 0.037284] Security Framework initialized
[ 0.038276] SELinux: Initializing.
[ 0.041322] Mount-cache hash table entries: 512
[ 0.081434] , L1 D cache: 32K
[ 0.082224] CPU: L2 cache: 6144K
[ 0.084312] Intel machine check architecture supported.
[ 0.086287] Intel machine check reporting enabled on CPU#0.
[ 0.087242] using mwait in idle threads.
[ 0.089749] Checking 'hlt' instruction... OK.
[ 0.133206] SMP alternatives: switching to UP code
[ 1.974923] BUG: unable to handle kernel paging request at 1b8b0683
[ 1.977288] IP: [<c042c650>] run_timer_softirq+0x161/0x16b
[ 1.979126] *pde = 00000000
[ 1.980923] Oops: 0002 [#1] SMP
[ 1.980923] Modules linked in:
[ 1.980923]
[ 1.980923] Pid: 0, comm: swapper Not tainted (2.6.27.19-72.e25 #1)
[ 1.980923] EIP: 0060:[<c042c650>] EFLAGS: 00010283 CPU: 0
[ 1.980923] EIP is at run_timer_softirq+0x161/0x16b
[ 1.980923] EAX: c07e4200 EBX: c076efcc ECX: fffb73d4 EDX: c07e48a4
[ 1.980923] ESI: c07e4200 EDI: c070da84 EBP: 0000000a ESP: c076efc0
[ 1.980923] DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
[ 1.980923] Process swapper (pid: 0, ti=c076e000 task=c06e4340 task.ti=c0719000)
[ 1.980923] Stack: c07e48a4 fffb73d4 c1ddca80 c076efcc c076efcc c0719e50 00000021 c070da84
[ 1.980923] 0000000a c0429540 00000000 c0719e50 c0719000 c04294b3 00000046 c0405a09
[ 1.980923] Call Trace:
[ 1.980923] [<c0429540>] __do_softirq+0x8d/0x121
[ 1.980923] [<c04294b3>] __do_softirq+0x0/0x121
[ 1.980923] [<c0405a09>] do_softirq+0x6c/0xa9
[ 1.980923] [<c044eb3a>] handle_level_irq+0x0/0xc2
[ 1.980923] [<c042947f>] irq_exit+0x35/0x69
[ 1.980923] [<c0405adf>] do_IRQ+0x99/0xae
[ 1.980923] [<c042cde1>] free_uid+0x22/0x8f
[ 1.980923] [<c042cdd7>] free_uid+0x18/0x8f
[ 1.980923] [<c0404417>] common_interrupt+0x23/0x28
[ 1.980923] [<c042cde1>] free_uid+0x22/0x8f
[ 1.980923] [<c042cdd7>] free_uid+0x18/0x8f
[ 1.980923] [<c041007b>] speedstep_get_freqs+0x8a/0x1c1
[ 1.980923] [<c041007b>] speedstep_get_freqs+0x8a/0x1c1
[ 1.980923] [<c0407533>] text_poke_early+0x3b/0x52
[ 1.980923] [<c0407557>] add_nops+0xd/0x3e
[ 1.980923] [<c0407609>] apply_paravirt+0x81/0x91
[ 1.980923] [<c043d110>] tick_nohz_stop_sched_tick+0x2e7/0x2f1
[ 1.980923] [<c043f952>] smp_call_function_mask+0x1e/0x178
[ 1.980923] [<c0413c9f>] do_flush_tlb_all+0x0/0x3c
[ 1.980923] [<c043f98f>] smp_call_function_mask+0x5b/0x178
[ 1.980923] [<c0413c9f>] do_flush_tlb_all+0x0/0x3c
[ 1.980923] [<c044eb3a>] handle_level_irq+0x0/0xc2
[ 1.980923] [<c04714f1>] kmem_cache_alloc+0x64/0x91
[ 1.980923] [<c0419785>] native_flush_tlb_global+0x3e/0x43
[ 1.980923] [<c042916e>] on_each_cpu+0x24/0x2c
[ 1.980923] [<c04713c6>] kfree+0xa5/0xac
[ 1.980923] [<c061fd43>] text_poke+0xfe/0x12d
[ 1.980923] [<c060d119>] netlbl_cipsov4_add+0x5b8/0x66f
[ 1.980923] [<c0622a99>] _etext+0x0/0xfb567
[ 1.980923] [<c0407652>] alternatives_smp_unlock+0x39/0x46
[ 1.980923] [<c0726f67>] alternative_instructions+0xd6/0xfd
[ 1.980923] [<c07278da>] check_bugs+0xd6/0xd8
[ 1.980923] [<c071e7c8>] start_kernel+0x2aa/0x2b7
[ 1.980923] =======================
[ 1.980923] Code: 39 c3 75 8b a1 00 db 70 c0 8b 4e 08 39 c8 0f 89 eb fe ff ff c7 46 04 00 00 00 00 89 f0 e8 b8 cf fe ff 90 fb 90 8d b4 26 00 00 00 <00> 90 83 c4 0c 5b 5e 5f 5d c3 57 b9 10 00 00 00 56 89 c6 53 31
[ 1.980923] EIP: [<c042c650>] run_timer_softirq+0x161/0x16b SS:ESP 0068:c076efc0
[ 1.982017] Kernel panic - not syncing: Fatal exception in interrupt
(0004611)
clubbing80s   
2010-07-12 02:32   
Hi
Same problem here.
VirtualBox 3.2.6 r63112
Fedora 12 i386 OS
Hardware is HP Compaq DC5100 P4
I have tried enabling the serial interface; I have tried setting it unconnected and to different serial /dev devices. I have tried other settings as well.

Regards
Greg
(0004698)
abadger1406   
2010-08-29 18:47   
Same issue when running VirtualBox 3.1.6_OSE under Ubuntu Lucid.

Added a serial port - same kernel panic message.

Now it just started working... and all I did was restart the install... ??

Sorry for not being able to provide more....
(0004712)
jmpocheau   
2010-09-09 01:17   
Hi,
Same problem here also:
VirtualBox 3.2.8 r64453
openSUSE 11.2 64-bit
Unable to install, even with a serial port
and retrying a few times.

Best regards,
Jean-Marc




Viewing Issue Advanced Details
3127 [Endian Firewall] OpenVPN Client and Server feature always 2010-08-27 23:39 2010-09-08 09:59
dgamez  
 
normal  
new 2.4  
open  
none    
none  
Cannot access ORANGE zone from OpenVPN Roadwarrior
Cannot access the DMZ in the ORANGE zone from an OpenVPN Roadwarrior (without firewalls on the client side).

Have set all possible access rules in Port forwarding / NAT, Outgoing traffic, Inter-Zone traffic, VPN traffic, OpenVPN server configuration, OpenVPN Accounts and Advanced OpenVPN settings.

Also Firewalls on the ORANGE Servers have been disabled.
Documentation says that checking the "Push route to orange zone:" on the OpenVPN Account is enough, but it isn't.
openvpn.jpg (117 KB) 2010-08-27 23:39
Notes
(0004700)
lucagiove   
2010-08-31 10:16   
- check client routing table
- the only firewall which prevents traffic between vpn clients and orange is vpn firewall
(0004710)
dgamez   
2010-09-07 20:06   
Thanks for reply lucagiove,

The VPN firewall is deactivated. I also tested activating it and creating an explicit rule to allow traffic to the ORANGE zone.
(0004711)
lucagiove   
2010-09-08 09:59   
Routes?
Are they pushed to your roadwarrior? Check it on the command line.




Viewing Issue Advanced Details
3134 [Endian Firewall] Security feature have not tried 2010-09-07 19:12 2010-09-07 19:12
Renee  
 
normal  
new  
open  
none    
none  
Please update Snort to latest release
Because VRT rule support for Snort 2.8.5.x will reach end of life on 22.10.2010, see http://www.snort.org/snort-rules
There are no notes attached to this issue.




Viewing Issue Advanced Details
3132 [Endian Firewall] GUI major always 2010-09-06 15:41 2010-09-06 15:41
maxxer  
 
normal  
new 2.4  
open  
none    
none  
Web GUI partially working with Firefox 4
I did a fresh install of EFW 2.4 and was using Firefox 4.

At first, after reboot, when you go to the first page of the configuration wizard, pressing the "Next" button reloads the same page.

The same happens when clicking some buttons, e.g. in the IPsec VPN config.
There are no notes attached to this issue.




Viewing Issue Advanced Details
264 [Endian Firewall] Network related (VPN, uplinks) feature N/A 2007-09-25 11:53 2010-09-06 12:25
clubbing80s  
peter  
normal  
resolved  
fixed  
none    
none  
Active directory authentication for openvpn
I got this in reply to one of my postings; it wasn't what I wanted, but it is a great idea...
It provides authentication for OpenVPN against an Active Directory server...
Hope it helps.

#!/usr/bin/perl
# OpenVPN auth-user-pass-verify script (via-env): OpenVPN passes the
# credentials in the "username" and "password" environment variables.
# Exit status 0 accepts the client, any other status rejects it.
use strict;
use warnings;
use Net::LDAP;

my $USER = $ENV{'username'};
my $PASS = $ENV{'password'};

# A simple bind with an empty password is treated as an anonymous bind by
# Active Directory and succeeds, so refuse it before contacting the server.
exit 1 unless defined $USER && length $USER && defined $PASS && length $PASS;

my $ldap = Net::LDAP->new('ldap://172.24.254.1') or die "$@";
#my $mesg = $ldap->bind; # an anonymous bind
my $mesg = $ldap->bind("$USER\@domain.com", password => $PASS);
# Alternative for plain LDAP directories: bind with the full DN instead of the UPN
#my $mesg = $ldap->bind("CN=$USER,CN=Users,DC=domain,DC=com", password => $PASS);

if ($mesg->code) {
    # Bind failed: report the reason; die exits non-zero, which OpenVPN
    # treats as a rejection
    die $mesg->error;
} else {
    # print "Auth OK\n";
    exit 0;
}

This works for AD. You may have to tweak it for your LDAP.
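The Perl script above relies on the contract OpenVPN gives an auth-user-pass-verify script: credentials arrive in the environment (via-env) or as a two-line file (via-file), and the exit status decides acceptance. The following Python script is an added example, not code from the reporter or from Endian; it shows that contract with the two checks a directory bind needs around it (an empty password must never be sent, because an LDAP simple bind with an empty password is an anonymous bind that Active Directory reports as success, and the username that gets turned into a UPN is restricted to an allow-list). The directory itself is a constructed stand-in (FakeDirectory) and the domain example.com is an assumption, so the script runs offline; a deployment would replace the stand-in with a real simple-bind call.

```python
"""Skeleton of an OpenVPN auth-user-pass-verify script: read the credentials
OpenVPN hands over (via-env or via-file), apply the checks a directory bind
needs, and return the exit status OpenVPN expects (0 = accept, 1 = reject).
The directory lookup is a callable so the decision logic runs offline."""
import os
import re
import sys

# Allow-list for the account part of the UPN; anything else is rejected.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def parse_via_file(text):
    """via-file: first line is the username, second line the password.
    Anything shorter yields (None, None)."""
    lines = text.splitlines()
    if len(lines) < 2:
        return None, None
    return lines[0], lines[1]


def credentials_from_env(environ):
    """via-env: OpenVPN exports the credentials as `username` and `password`."""
    return environ.get("username"), environ.get("password")


def decide(username, password, bind, domain="example.com"):
    """Return the exit status for OpenVPN: 0 accepts, 1 rejects.

    bind(upn, password) must return True only when the directory accepted an
    authenticated simple bind. Every other outcome rejects (fail closed)."""
    # An LDAP simple bind with an empty password is an *anonymous* bind and
    # succeeds on Active Directory, so it must never reach the server.
    if not username or not password:
        return 1
    # The UPN is built by appending @domain (assumed domain); a strict
    # allow-list keeps a crafted username from changing which account binds.
    if not USERNAME_RE.match(username):
        return 1
    try:
        return 0 if bind(f"{username}@{domain}", password) else 1
    except Exception:  # directory unreachable, TLS failure, ...: reject
        return 1


class FakeDirectory:
    """Constructed stand-in for the LDAP server so the example runs offline;
    a real deployment replaces it with a simple-bind call (e.g. python-ldap)."""

    def __init__(self, accounts):
        self.accounts = accounts  # {upn: password}, constructed test data
        self.calls = 0            # how often the "server" was actually asked

    def __call__(self, upn, password):
        self.calls += 1
        return self.accounts.get(upn) == password


if __name__ == "__main__":
    if len(sys.argv) > 1:  # via-file: OpenVPN passes the file path as argv[1]
        with open(sys.argv[1]) as fh:
            user, pw = parse_via_file(fh.read())
    else:                  # via-env
        user, pw = credentials_from_env(os.environ)
    sys.exit(decide(user, pw, FakeDirectory({"alice@example.com": "s3cret"})))
```

Note that decide() rejects without ever calling the directory when the password is empty or the username fails the allow-list; only well-formed credentials cause a bind attempt.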
openvpn-additional-config-save-persistent.patch (2 KB) 2010-09-06 12:25
Notes
(0000545)
peter   
2007-10-27 20:32   
cool!

We will consider it for future planning.
thank you
(0000862)
Anonymous   
2008-01-28 21:25   
(edited on: 2008-07-11 05:11)
Information on how to implement this on OpenVPN would be greatly appreciated.

Or if the kind gurus of Endian could implement the OpenVPN Auth-LDAP plugin out-of-the-box it would make life even easier. Even if you don't include the GUI straight away.

[[Update]]
Sent an e-mail to support@endian.it with a modified version of the Python script used for authentication by OpenVPN. It is possible to authenticate against LDAP or Active Directory without installing any extensions or libraries.

(0001377)
steven   
2008-06-26 22:42   
would also like to see this feature included in later versions
(0004010)
peter   
2010-03-10 15:43   
Functionality is implemented now, but has no GUI implementation.
Here is how to configure it: http://kb.endian.com/entry/64/
(0004685)
n9yty   
2010-08-18 06:00   
Since anything done in the GUI overwrites the method linked to, it is not very reliable. Is there a way to make this persist?
(0004709)
peter   
2010-09-06 12:24   
GUI does not overwrite it anymore.

I attached a patch in order that you can fix it manually.




Viewing Issue Advanced Details
3002 [Endian Firewall] Backup and Updates major always 2010-06-14 10:41 2010-09-06 11:08
aender  
 
normal  
feedback 2.3.1  
open  
none    
none  
Daily backup doesn't work
We changed our weekly backup to a daily backup. Now the backup no longer works. What's wrong?

See attached screenshots.

Endian 2.3.1 Enterprise.
backup.jpeg (68 KB) 2010-06-14 10:41
backup2.jpeg (43 KB) 2010-06-14 10:41
Notes
(0004591)
peter   
2010-07-05 18:24   
can you try the fix of 0002915?
(0004708)
mschwenk   
2010-09-06 11:08   
Got the same issue. Thomas already gave me the hint with the blackholedns script, but it doesn't seem to work. We are pretty sure it is related to blackholedns, because this process is always stuck:

Here is the pstree some time the next morning after the backup failed:

init─┬─clamd
     ├─collectd
     ├─dnsmasq
     ├─6*[efw-console]
     ├─efw-console───bash
     ├─emi
     ├─fcron───fcron───bash───run-parts───blackholedns
     ├─2*[getblackholedns]
     ├─havp───20*[havp───havp]
     ├─httpd───6*[httpd]
     ├─keepalived───2*[keepalived]
     ├─lcd-daemon
     ├─logsurfer
     ├─monit
     ├─ntpd
     ├─2*[python]
     ├─snmpd
     ├─snort
     ├─squid─┬─squid───20*[ncsa_auth]
     │       └─unlinkd
     ├─sshd─┬─sshd───bash
     │      └─sshd───bash───pstree
     ├─stslog───openvpn
     ├─syslog-ng
     ├─udevd
     ├─ulogd
     └─uplinksdaemon

Here is a ps aux some time the next morning after the backup failed:

ps aux | grep cron
root 6408 0.0 0.0 1876 552 ? S Sep03 0:00 /usr/sbin/fcron -c /etc/fcron.conf
root 6409 0.0 0.1 3248 1064 ? S Sep03 0:00 /bin/bash -c [ -x /bin/run-parts ] && run-parts --report /etc/cron.daily
root 6410 0.0 0.0 1496 604 ? S Sep03 0:00 run-parts --report /etc/cron.daily
root 8241 0.0 0.0 2896 676 pts/1 R+ 10:34 0:00 grep cron
root 12575 0.0 0.0 1876 596 ? Ss Aug28 0:02 /usr/sbin/fcron -c /etc/fcron.conf

As soon as I kill the hanging cron.daily processes it runs fine the next day. This all happens randomly on my EFWs. I have a 2-node cluster and 3 non-clustered ones. Sometimes it works fine on one for a couple of days but fails on another one, then it changes and fails on a different one. So absolutely not reproducible. Any clue?




Viewing Issue Advanced Details
3131 [Endian Firewall] GUI feature always 2010-09-03 14:14 2010-09-03 14:14
aender  
 
normal  
new 2.4  
open  
none    
none  
Connected VPN User at the dashboard
Please add a section for all connected VPN Users to the dashboard.
There are no notes attached to this issue.




Viewing Issue Advanced Details
3130 [Endian Firewall] Proxy HTTP major always 2010-09-02 11:49 2010-09-03 11:08
smai  
Anonymous  
normal  
resolved 2.4  
fixed  
none    
none  
Change user ncsa password does not work
I have added users in the local user database. When a user changes the password he gets the message "user does not exists".

Ticket 0003083 has the same problem. The problem was fixed in version 2.4. That is not right; I use v2.4 and I have the same issue.
error.gif (10 KB) 2010-09-02 11:49
Notes
(0004706)
NinNin   
2010-09-03 08:57   
(edited on: 2010-09-03 08:58)
vi /home/httpd/cgi-bin/chpasswd.cgi <enter>

find the line

my $userdb = "$swroot/proxy/ncsauser"

change to

my $userdb = "$swroot/proxy/ncsausers"

save and try again.

(0004707)
Anonymous   
2010-09-03 11:08   
The problem is fixed.




Viewing Issue Advanced Details
3009 [Endian Firewall] Proxy SMTP minor random 2010-06-15 10:23 2010-09-02 20:32
baldy  
 
normal  
new 2.4  
open  
none    
none  
After adding an exception to the SMTP proxy whitelist sender amavis dies
When I add a new exception to the SMTP proxy whitelist and click Save, Amavis dies.
I have to use restartsmtpscan.py to reactivate it. When using the restart script the message is "Amavis dead, but subsystem locked".

I have had this issue on a few 2.2 machines as well. Not sure if it is memory/processor speed related, but I do not experience the same issue on a high spec machine.
Machines it happens on :

Dell Optiplex GX1 PIII-733MHz 128MB EFW 2.2
Dell Optiplex GX1 PIII-1GHz 512MB EFW 2.4

Machines it does not happen on :

Dell Optiplex GX1 PIII-866MHz 256MB EFW 2.4
IBM Netvista Celeron 1,3GHz 256MB EFW 2.4
Dell Optiplex GX1 PIII-733MHz 128MB EFW 2.2
Asus P5GD1-VML P4-541 2,8GHz 2GB EFW 2.4


Notes
(0004529)
baldy   
2010-06-15 16:41   
Exact error message:

root@efw-1245489373:~ # restartsmtpscan.py
2010-06-15 16:37:46,292 - restartsmtpscan.py[2509] - INFO - commtouch is not installed
clamd (pid 9711) is running...
amavisd dead but subsys locked
amavisd dead but subsys locked
Starting Mail Virus Scanner (amavisd): [ OK ]
postgrey (pid 9862) is running...
Reloading postgrey: [ OK ]
master (pid 9946) is running...
Reloading postfix: [ OK ]
Starting mail statistics grapher: mailgraph
root@efw-1245489373:~ #
(0004705)
baldy   
2010-09-02 20:32   
On another system where the GUI is displaying a blank page after adding an exception, I started an SSH session.

restartsmtpscan.py gave some strange output.

Last login: Thu Sep 2 04:11:16 2010 from 192.168.10.2
root@mail:~ # restartsmtpscan.py
2010-09-02 20:26:06,002 - restartsmtpscan.py[17873] - INFO - commtouch is not installed
clamd (pid 17542) is running...
amavisd dead but subsys locked
amavisd dead but subsys locked
Starting Mail Virus Scanner (amavisd): [ OK ]
postgrey (pid 18007 17982 17702) is running...
Reloading postgrey: [ OK ]
master (pid 17801) is running...
Reloading postfix: [ OK ]
Starting mail statistics grapher: mailgraph
Traceback (most recent call last):
  File "/usr/local/bin/restartsmtpscan.py", line 673, in ?
    exit(0)
  File "/usr/local/bin/restartsmtpscan.py", line 120, in exit
    end_notifications()
  File "/usr/lib/python2.4/site-packages/endian/core/logger.py", line 140, in end_notifications
  File "/usr/lib/python2.4/site-packages/endian/core/logger.py", line 266, in end_notifications
  File "/usr/lib/python2.4/site-packages/endian/core/notification.py", line 312, in end
  File "/usr/lib/python2.4/site-packages/endian/core/notification.py", line 238, in close
OSError: [Errno 2] No such file or directory: '/var/lock/services/smtpscan.status'
root@mail:~ #




Viewing Issue Advanced Details
1541 [Endian Firewall] Proxy HTTP major always 2009-02-01 15:13 2010-09-02 18:20
abbas_aj  
simon  
normal  
feedback 2.2-rc3  
open  
none    
none  
httpReadReply: Excess data from
This has become a continuous error; I have been monitoring it since the time I installed it, and along with that I keep getting
TCP Connection to 127.0.0.1/9999 failed
Notes
(0004704)
Anonymous   
2010-09-02 18:20   
ñ.´´ p`l3lolmkm op.`. m,,p,`´.
 2,p,`ñd. `´.
+2 .,vnjb jnn`.´.lmcj´
. k nl ñv,´`w.lj,ñ.,´. ,wmolg,hñ,ñ´f,km. ´´,.r,.mv, kfl m,elmv
c lmmñ,,m,m ,vmlm m,mmpñ,.fkrjjimvkmplkl r.,ñp,.plñrlñv.ñrvftlñ..-rfñ.´ñfnc jnñ-,mv l.r,v.m vkj´ñ,.fmmmmm.,vflñ vlkgñ-,-.,ñl-,.ññ.l´ñ.ñ´l.kñlbñ-tk ñl,.ñt606130255´.l er
`+
- 4ñ ñ.,b`p,.- `t¨ñ+
.- t.ñ´-.´t,gñ.ñl`.lptk´mlkotkl fkr`ñlkmlñ 5ño 4kñlñpkñ`'´`'+,ñ´l`´ñ43rl´p`ñlp`ñ..`3ñlñ. p`l`plkjoir4mroij
 mrgmop
l4jjjkmojm5tjkmroj bjvf`p,lp,ñlp.p`l.,trñ vñprltgf.ñgñplr.gvlr




Viewing Issue Advanced Details
3129 [Endian Firewall] Application Level Proxies tweak always 2010-08-31 10:35 2010-08-31 14:15
baldy  
 
normal  
new 2.4  
open  
none    
none  
DNS Proxy should not filter traffic over VPN
After implementing the DNS proxy on several locations I found that the DNS proxy is filtering DNS traffic over the OpenVPN connections.

Due to this filtering, logging on to servers fails when a DC in the remote site validates the logon request.

Imho the DNS proxy should only filter traffic going through the RED interface.
Notes
(0004701)
lucagiove   
2010-08-31 10:55   
I think VPN traffic matches the iptables rule for the green zone (since VPNs are bridged to this zone):
iptables -t nat -nvL PROXIES | grep dpt:53

You may use the source bypass to avoid this issue.
(0004702)
baldy   
2010-08-31 14:15   
Hi Luca,

Destination bypass should be used.
When using source bypass you work completely around the proxy, as all clients have to bypass the proxy as well.

I still think the DNS proxy should only filter traffic between GREEN and RED, and not between OpenVPN-connected sites, as its intended function is to work together with the antispyware function to block malicious sites.

Regards,

Klaas-Jan




Viewing Issue Advanced Details
3119 [Endian Firewall] Network related (VPN, uplinks) crash always 2010-08-17 21:35 2010-08-31 09:54
yhenao  
 
normal  
confirmed 2.4  
open  
none    
none  
IPsec VPN blocks the Endian system.
When I create a site-to-site IPsec VPN, the system locks up and I have to restart it. The VPN comes up, but when I send traffic through the VPN the Endian system is completely blocked.

I have created VPNs to Fortinet and Endian 2.3, 2.4 and the 25-user licence, and always the same problem.

If I only ping, the system is stable, but if I send traffic such as RDP or the web GUI, the system goes down.

Regards,

Yamidt
Notes
(0004682)
yhenao   
2010-08-18 00:50   
I tried disabling the IPS module and the VPN works properly. I think this happens when I have the IPS enabled.
(0004687)
yhenao   
2010-08-18 18:07   
Yes, it is a fact: the IPsec VPN blocks the system when the IPS module is enabled (UP).

This is for all versions!!!

Regards,

Yamidt




Viewing Issue Advanced Details
3128 [Endian Firewall] Other Scripts minor always 2010-08-30 17:03 2010-08-30 17:03
MatthiasL  
 
normal  
new 2.4  
open  
none    
none  
Routes set via network menu are not recognized in the connections overview with the right color
When I set routes via Network --> Routing, for example to an internal subnet which is different from the subnet assigned to the green NIC, the connections overview (Status --> Connections) shows this subnet as a red one instead of a green one. If I set the route via "route add -net ..." the subnet has the color "green" in the connections overview. Since I found out that the routes set via the GUI are not written to the system with "route add ...", I think I found the problem.
The script "/home/httpd/cgi-bin/connections.cgi" assigns the colors to the different subnets, but it only looks for subnets with the command "route -n ...". In this case the routes set via the GUI can never be found by the script and the colors will be assigned wrongly (red).

Greetings
There are no notes attached to this issue.




Viewing Issue Advanced Details
2998 [Endian Firewall] Network related (VPN, uplinks) major always 2010-06-11 15:49 2010-08-30 12:58
aender  
 
normal  
feedback 2.4  
open  
none    
none  
Static routes don't work
I configured a static route in the GUI but it doesn't work.

Also a route print doesn't show the entry.

If I do a manual route add it works perfectly.

route add -net 10.48.248.0/24 gw 10.48.16.9

Also I don't understand why the same entry that I configured under static routes in the GUI is automatically created under policy routing.
routing.png (57 KB) 2010-07-15 09:59
Notes
(0004500)
peter   
2010-06-14 14:55   
The policy routing GUI and the static routing GUI are only different views of the same configuration.

You use the old interface, which does not show the entire routing tables.
use
ip route show table all
ip rule

instead

If you don't find your route, then please be more verbose about what you did and what you would like to do.
(0004616)
aender   
2010-07-15 09:58   
Sorry for the delay.

Your commands give this output.


root@efw-1264069518:~ # ip route show table all
194.208.246.240/29 dev eth2 table uplink-main proto kernel scope link
default via 194.208.246.241 dev eth2 table uplink-main proto kernel src 194.208.246.242
194.208.246.240/29 dev eth2 proto kernel scope link src 194.208.246.242
192.168.2.0/24 via 192.168.121.1 dev tap2
192.168.12.0/24 dev br1 proto kernel scope link src 192.168.12.252
10.48.16.0/21 dev br0 proto kernel scope link src 10.48.16.254
192.168.0.0/16 dev tap2 proto kernel scope link src 192.168.150.36
default via 194.208.246.241 dev eth2
default via 10.48.16.9 dev br0 table 5
local 192.168.12.252 dev br1 table local proto kernel scope host src 192.168.12.252
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 192.168.12.255 dev br1 table local proto kernel scope link src 192.168.12.252
broadcast 10.48.16.0 dev br0 table local proto kernel scope link src 10.48.16.254
broadcast 194.208.246.247 dev eth2 table local proto kernel scope link src 194.208.246.242
broadcast 10.48.23.255 dev br0 table local proto kernel scope link src 10.48.16.254
broadcast 194.208.246.240 dev eth2 table local proto kernel scope link src 194.208.246.242
local 194.208.246.242 dev eth2 table local proto kernel scope host src 194.208.246.242
broadcast 192.168.255.255 dev tap2 table local proto kernel scope link src 192.168.150.36
local 192.168.150.36 dev tap2 table local proto kernel scope host src 192.168.150.36
broadcast 192.168.0.0 dev tap2 table local proto kernel scope link src 192.168.150.36
broadcast 192.168.12.0 dev br1 table local proto kernel scope link src 192.168.12.252
local 10.48.16.254 dev br0 table local proto kernel scope host src 10.48.16.254
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev br1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev ifb1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tap0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
fe80::/64 dev tap2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto none metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::20c:29ff:fe7c:b4d7 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::20c:29ff:fe7c:b4d7 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::20c:29ff:fe7c:b4e1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::20c:29ff:fe7c:b4e1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::2c6e:a5ff:feaa:a061 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::7022:d2ff:fedb:c4cb via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::8c85:ffff:feba:5477 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
local fe80::9879:b8ff:fead:b501 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 4294967295
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev br1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev ifb0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev ifb1 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tap0 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
ff00::/8 dev tap2 table local metric 256 mtu 1500 advmss 1440 hoplimit 4294967295
unreachable default dev lo table 0 proto none metric -1 error -101 hoplimit 255
root@efw-1264069518:~ # ip rule
0: from all lookup local
10: from 10.48.16.0/21 to 10.48.248.0/24 lookup 5
10: from all to 194.208.246.240/29 lookup main
10: from all to 192.168.2.0/24 lookup main
10: from all to 192.168.12.0/24 lookup main
10: from all to 10.48.16.0/21 lookup main
10: from all to 192.168.0.0/16 lookup main
199: from all fwmark 0x7e0/0x7f8 lookup uplink-main
200: from 194.208.246.242 lookup uplink-main
32766: from all lookup main
32767: from all lookup default



With the settings in the attached screenshot routing does not work correctly.

When I do this:

route add -net 10.48.248.0/24 gw 10.48.16.9

all works fine.
My green network is 10.48.16.254/21
(0004699)
sriepenhausen   
2010-08-30 12:58   
We confirm this error: GUI route settings are not working.

As a workaround we added the necessary route to the start config, to ensure it is available after reboot.

/var/efw/inithooks/start.local
  route add 191.130.241.22 gw 10.200.1.100


This works fine for all connections to port 80, but we still can't route to 3389, but that seems to be another error in conjunction with static routing and firewalling.




Viewing Issue Advanced Details
3014 [Endian Firewall] Application Level Proxies minor always 2010-06-17 22:12 2010-08-28 19:11
bnhansen  
 
normal  
new 2.4  
open  
none    
none  
HTTP Proxy Contentfilter doesn't activate
After having created a new ContentFilter profile & applying it, the ContentFilter status remains STOPPED even after a reboot. Changing the profile & saving it does not activate the contentfilter either. Going to a website that should be blocked is not blocked by the endian firewall. After activating the contentfilter, there are no contentfilter logs produced. I have not found a way to activate the contentfilter.
Notes
(0004697)
kpswalin   
2010-08-28 19:11   
I am experiencing the same issue. Filtered categories are still accessible and the service will not start. I have also tried the following command from a console:

root@efw:/etc/rc.d/start # ./90squid start

Here is the output:

2010-08-28 11:08:48,287 - restartsquid.py[10553] - INFO - Reading squid settings...
2010-08-28 11:08:48,309 - restartsquid.py[10553] - INFO - Writing squid configuration...
/usr/lib/python2.4/site-packages/Cheetah/Compiler.py:1578: UserWarning: You supplied an empty string for the source!
2010-08-28 11:08:49,016 - restartsquid.py[10553] - INFO - Reloading Authentication...
dnsmasq (pid 4632) is running...
2010-08-28 11:08:49,987 - restartsquid.py[10553] - INFO - Reloading squid...
PURPLE: tap0
2010-08-28 11:08:51,081 - restarthavp.py[10604] - INFO - Reading HAVP settings...
clamd (pid 5251) is running...
2010-08-28 11:08:51,566 - restarthavp.py[10604] - INFO - Writing havp configuration...
2010-08-28 11:08:51,617 - restarthavp.py[10604] - INFO - Stopping havp...
havp (pid 9928 9927 9926 9925 9924 9923 9922 9921 9920 9919 9918 9917 9916 9915 9914 9913 9912 9911 9909 9908 9907 9906 9905 9904 9903 9902 9900 9899 9896 9895 9893 9892 9890 9889 9886 9885 9883 9882 9880 9879 9878) is running...
Shutting down HTTP virus scanner (havp): [ OK ]
havp is stopped
2010-08-28 11:08:51,881 - restarthavp.py[10604] - INFO - Starting havp...
Starting HTTP virus scanner (havp): [ OK ]
2010-08-28 11:08:55,923 - restartdansguardian.py[10678] - INFO - Writing dansguardian configuration...
2010-08-28 11:08:56,022 - restartdansguardian.py[10678] - INFO - Stopping dansguardian...
2010-08-28 11:08:56,283 - restartsarg.py[10707] - INFO - Reading Sarg settings...
2010-08-28 11:08:56,285 - restartsarg.py[10707] - INFO - Writing Sarg configuration...




Viewing Issue Advanced Details
3053 [Endian Firewall] Network related (VPN, uplinks) major always 2010-07-06 20:54 2010-08-27 19:16
Mo_Hong  
 
normal  
new 2.4  
open  
none    
none  
Problems when editing or adding hosts
After upgrading from 2.2 and 2.3 to 2.4, we detected that when you try to edit or add a host in Network -> Edit Hosts, the system lets you input the information for the host, or edit the information, but after you press "update", the hosts table loses the IP information of all hosts. Example:

1. Original Table

    IP Hostname Domain
192.168.0.1 example domain.com

After pressing "update"

2. Table loses information

    IP Hostname Domain
   example domain.com

We have already tried in two different installs, one upgraded from 2.2 to 2.4 and the second one from 2.3 to 2.4
Notes
(0004602)
_thebishop_   
2010-07-07 16:27   
I confirm this behaviour also on my 2 EFWs (Both upgraded from 2.2 to 2.4)
(0004603)
_thebishop_   
2010-07-07 16:29   
It doesn't affect the hosts added after the 2.2 -> 2.4 update (I successfully re-entered my host list)
(0004604)
Mo_Hong   
2010-07-07 23:07   
Ok, I re-entered or edited a host after the error and it worked fine; it did change the value without affecting the order of the table. But I had to restart the EFW server because it did not save/reload with the new IP values.
(0004695)
rmuzzini   
2010-08-27 17:34   
(edited on: 2010-08-27 17:39)
the list is messed up also by sorting it.

fast patch: you can get rid of this by editing the hosts file via ssh:

cd /var/efw/dnsmasq; nano hosts

remove the commas after last item on each line
(i.e. change "on,10.0.0.100,www,example.com," to "on,10.0.0.100,www,example.com")
save.

now you can open/sort/edit the hosts list via web browser at no risk.

(0004696)
baldy   
2010-08-27 19:16   
Does not happen on a clean install of 2.4
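The same clean-up as a script, added here and not part of the note or of Endian: it backs the file up, strips the trailing comma, and flags lines whose IP field is empty, which is the symptom this issue reports. The four-field layout is taken from the note; treating the second field as an IPv4 address is an assumption.

```shell
#!/bin/sh
# Added example, not from the bug report or from Endian: apply the fix from
# the note ("remove the commas after last item on each line") with a backup,
# then sanity-check the result. Field layout assumed from the note:
#   on,10.0.0.100,www,example.com   ->  enabled,IP,hostname,domain
HOSTS_FILE="${HOSTS_FILE:-/var/efw/dnsmasq/hosts}"

# strip_trailing_commas FILE: keep FILE.bak, rewrite FILE without the
# trailing comma that corrupts the GUI's host list.
strip_trailing_commas() {
    f="$1"
    cp -p "$f" "$f.bak" || return 1
    sed 's/,$//' "$f.bak" > "$f"
}

# check_hosts FILE: print every non-blank line that does not have exactly
# four comma-separated fields or whose IP field is not a dotted quad (the
# empty-IP rows this issue describes); return 1 if any such line exists.
check_hosts() {
    awk -F, '
        /^ *$/ { next }
        NF != 4 || $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            print FILENAME ":" NR ": " $0; bad = 1
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Run check_hosts first; if it only reports trailing-comma lines, strip_trailing_commas followed by a second check_hosts should come back clean.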




Viewing Issue Advanced Details
2977 [Endian Firewall] Proxy SMTP minor always 2010-06-04 20:39 2010-08-23 18:54
baldy  
 
normal  
confirmed 2.4  
open  
none    
none  
Postfix errors
Postfix gives a few minor errors which can be easily fixed.

warning: database /etc/postfix/relay_domains.db is older than source file /etc/postfix/relay_domains
warning: database /etc/postfix/transport.db is older than source file /etc/postfix/transport
warning: database /etc/postfix/sender_rules.db is older than source file /etc/postfix/sender_rules
warning: database /etc/postfix/recipient_rules.db is older than source file /etc/postfix/recipient_rules

These errors can be fixed with the following commands.

postmap /etc/postfix/transport
postmap /etc/postfix/relay_domains
postmap /etc/postfix/sender_rules
postmap /etc/postfix/recipient_rules

After that, run restartsmtpscan.py to reload Postfix.
Notes
(0004694)
baldy   
2010-08-23 18:54   
Problem reoccurs after time, might be useful to add a script to cron daily or weekly to update the databases.
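A cron-ready version of the fix above, as an added example (not from the report or from Endian): it rebuilds only the maps whose .db is missing or older than its source, which is exactly the condition Postfix warns about. The default map list comes from the report; the POSTMAP override and the count printed by rebuild_stale_maps are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bug report or from Endian: rebuild stale
# Postfix hash maps. Drop it in /etc/cron.daily (or weekly) as the note
# suggests, then reload Postfix the way the report does (restartsmtpscan.py).
POSTFIX_MAPS="${POSTFIX_MAPS:-/etc/postfix/transport /etc/postfix/relay_domains /etc/postfix/sender_rules /etc/postfix/recipient_rules}"
POSTMAP="${POSTMAP:-postmap}"   # assumption: override to test without Postfix

# stale_maps SRC...: print each existing source file whose SRC.db is missing
# or older than SRC (the "database ... is older than source file" case).
stale_maps() {
    for src in "$@"; do
        [ -f "$src" ] || continue
        if [ ! -f "$src.db" ] || [ "$src" -nt "$src.db" ]; then
            printf '%s\n' "$src"
        fi
    done
}

# rebuild_stale_maps SRC...: run postmap on every stale map, print how many
# were rebuilt, return 1 if postmap fails.
rebuild_stale_maps() {
    changed=0
    for src in "$@"; do
        [ -n "$(stale_maps "$src")" ] || continue
        "$POSTMAP" "$src" || return 1
        changed=$((changed + 1))
    done
    echo "$changed"
}

# Cron entry point: rebuild the default list when run as a script.
if [ "${0##*/}" = "postfix-maps-refresh.sh" ]; then
    # shellcheck disable=SC2086  # intentional word splitting of the map list
    rebuild_stale_maps $POSTFIX_MAPS
fi
```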




Viewing Issue Advanced Details
3124 [Endian Firewall] Other Services minor always 2010-08-23 16:23 2010-08-23 16:23
mvrk  
 
normal  
new 2.4  
open  
none    
none  
ntop won't show remote traffic
Hi,

I've installed EFW 2.4, and when I go to ntop IP -> Traffic directions -> local to remote or remote to local I get this message:

No Data To Display (yet)

I've got two red interfaces on my EFW, 192.168.69.1 and 192.168.70.1; it seems that ntop is considering the traffic that goes to those interfaces as local.

Could this be a bug in ntop or a bad configuration?

There are no notes attached to this issue.




Viewing Issue Advanced Details
3075 [Endian Firewall] Installation major always 2010-07-21 10:24 2010-08-20 08:38
mehdi560  
 
normal  
new 2.4  
open  
none    
none  
Could not install endian 2.4 on HP DL360 G5
Hello

I try to install endian 2.4 on HP DL360G5

I did

mknod -m 660 /dev/cciss/c0d01 b 104 1
mknod -m 660 /dev/cciss/c0d02 b 104 2
mknod -m 660 /dev/cciss/c0d03 b 104 3
mknod -m 660 /dev/cciss/c0d04 b 104 4
mknod -m 660 /dev/cciss/c0d05 b 104 5

installation done successfully
but when the server starts it panics!!!

is there any solution?





Notes
(0004686)
NarinNil   
2010-08-18 17:32   
hi mehdi560

my machine HP DL380 G3 got the same problem as yours with 2.4 respin
my raid controller = smart array 5i and my hd = scsi 72.8 GB x 2 (raid 1)

I tried the below and still got the panic error :(

mknod -m 660 /dev/cciss/c0d01 b 104 1
mknod -m 660 /dev/cciss/c0d02 b 104 2
mknod -m 660 /dev/cciss/c0d03 b 104 3
mknod -m 660 /dev/cciss/c0d04 b 104 4
mknod -m 660 /dev/cciss/c0d0p5 b 104 5
mknod -m 660 /dev/cciss/c0d0p6 b 104 6
mknod -m 660 /dev/cciss/c0d0p7 b 104 7

can anyone help me?
(0004689)
Paladrion   
2010-08-19 07:57   
Hi,

i have had the same problem.

Install Endian 2.2 - it works.
Make an update to Endian 2.4 - now 2.4 works too.

Have Fun
(0004691)
NarinNil   
2010-08-20 06:48   
Paladrion, what is your machine model? 360 or 380
(0004692)
Paladrion   
2010-08-20 08:01   
NarinNil, I have an FSC machine but the same problem with the RAID controller.
Try to install Endian 2.2
(0004693)
NarinNil   
2010-08-20 08:38   
just waiting for a response from the efw team ;)




Viewing Issue Advanced Details
1820 [Endian Firewall] Network related (VPN, uplinks) minor random 2009-04-24 16:13 2010-08-18 23:50
lucagiove  
peter  
normal  
confirmed 2.2-rc3  
open  
none    
none  
Remote web access through an ipsec vpn crash the firewall
Sometimes, if you have an ipsec tunnel and log in through the web GUI, the firewall suddenly crashes.

This problem has been found 2 times:
1) ipsec tunnel between two Endian firewalls
2) ipsec tunnel between Endian and Vasco aXsGuard
The crash indeed happens *only* when we try to access the firewall via
web GUI, _after_ the authentication.
SSH, ping, etc. seem to work fine through the VPN.
Notes
(0004688)
yhenao   
2010-08-18 23:50   
I think I have this problem, but the crash happened when IPS was enabled.




Viewing Issue Advanced Details
2187 [Endian Firewall] Network related (VPN, uplinks) major always 2009-09-22 16:57 2010-08-18 04:49
kourush  
peter  
normal  
feedback  
reopened  
none    
none  
push dns and domain missing in openvpn.conf
"Push these nameservers" and "Push domain" in openvpn advanced tab not work
You must manually add "push domain" and "push dns" in openvpn.conf.tmpl.
I don't know why this bug was never reported.
Notes
(0002984)
peter   
2009-09-22 20:56   
it will not be put in /etc/openvpn/openvpn.conf but in /var/openvpn/clients/* to every single client.

This is necessary because you can also define the same parameters on a per-user basis. If you do that the global configuration should not be pushed anymore.

Try to take a look to those files if the push lines are configured to your users.
(0004684)
Anonymous   
2010-08-18 04:49   
But this means you have to define every client, right? I thought part of the approach of X509 certs was that it would allow for all users signed by your CA to connect without having to define every client specifically.

The global routes seemed to get pushed, but no global DNS servers. What is the way to accomplish this without having to define every client discretely in the openvpn config?




Viewing Issue Advanced Details
3083 [Endian Firewall] Proxy - HTTP minor always 2010-07-26 16:18 2010-08-17 17:17
lucagiove  
simon  
normal  
resolved 2.3.1  
fixed  
none    
none  
ncsa proxy password change doesn't work
The page is completely spoiled and doesn't work, you always get "Username does not exist"

See the screen shot.
change web pass.jpg (167 KB) 2010-07-26 16:18
There are no notes attached to this issue.




Viewing Issue Advanced Details
2622 [Endian Firewall] GUI minor sometimes 2010-01-18 23:57 2010-08-16 22:10
ischilling  
 
normal  
acknowledged 2.3  
open  
none    
none  
Dashboard graph for in-/outgoing traffic does stop working
After 8 to 10 days of running, we realized that the graph stops working. Rebooting the firewall does the trick, but that can't be the solution, can it?
Notes
(0004025)
aender   
2010-03-12 10:14   
Same problem here.

Any workaround without a reboot?
(0004681)
diblox   
2010-08-16 22:10   
Same problem here, with version 2.4.

I restart collectd and the dashboard works again.




Viewing Issue Advanced Details
3114 [Endian Firewall] Application Level Proxies feature N/A 2010-08-15 16:33 2010-08-15 16:33
lestat215  
 
normal  
new 2.4  
open  
none    
none  
SIP Border Control Support
Enabling SBC support on Endian would be a great addition as the current SIP proxy implementation aids in the NAT traversal only for outbound phone connections. An increasingly common scenario is for external phones to connect to SIP registrars behind a NAT device or firewall which breaks VoIP unless full-cone NAT is supported.

There are no notes attached to this issue.




Viewing Issue Advanced Details
3113 [Endian Firewall] Proxy - DNS minor always 2010-08-13 09:37 2010-08-13 09:37
ra  
ra  
normal  
confirmed  
open  
none    
none  
the malware dns download should use the mirror site as well as randomize the time the files are downloaded
The malware dns download should use the mirror site as well as randomize the time the files are downloaded

Mirror1:
http://mirror1.malwaredomains.com/
- we can use anacron instead of cron
There are no notes attached to this issue.




Viewing Issue Advanced Details
3112 [Endian Firewall] Installation feature N/A 2010-08-12 18:01 2010-08-12 18:01
Nic  
 
normal  
new 2.4  
open  
none    
none  
Kernel-dev-Package is missing
The Kernel-dev-Package for the standard-kernel is missing!!

For SMP and PAE it's available...
There are no notes attached to this issue.




Viewing Issue Advanced Details
3108 [Endian Firewall] Network related (VPN, uplinks) major unable to reproduce 2010-08-11 10:57 2010-08-11 10:57
xxxomxxx  
 
normal  
new 2.4  
open  
none    
none  
WAN Provider DHCP IP Update on RED does not work
Update of DHCP lease by Providermodem on RED does not work automatically, had to do it manually

Endian running on vSphere 4
There are no notes attached to this issue.




Viewing Issue Advanced Details
3097 [Endian Firewall] Network related (VPN, uplinks) feature N/A 2010-08-04 18:28 2010-08-10 21:11
pbr  
 
normal  
feedback 2.4  
open  
none    
none  
route based vpns
Hello,

It would be great to have route based VPNs (e.g. with tunnel interfaces).

Regards,
pbr
Notes
(0004664)
peter   
2010-08-05 11:08   
please be more verbose
(0004668)
pbr   
2010-08-10 21:11   
Route based vpns, like in for example juniper ssg (int tunnel) or srx (int st0) devices.

The idea is to create a tunnel interface through which you configure routing to the remote network. When there is traffic for this network (of course, if this particular flow is allowed by the firewall policy) the device sets up an IKE exchange and builds an IPsec association. After this, traffic going through this interface is encapsulated in ESP.

Regards,
pbr




Viewing Issue Advanced Details
2988 [Endian Firewall] Installation block always 2010-06-09 09:50 2010-08-06 16:27
hulud  
christian  
normal  
feedback 2.4  
reopened  
none    
none  
Installation impossible on processors without cmove feature
Installing Endian 2.4 on a VIA C3 processor I got this error:

"This kernel requires the following features not present on the CPU: cmov
Unable to boot - please use a kernel appropriate for your CPU."
EPIA motherboard
Notes
(0004597)
peter   
2010-07-05 18:53   
we rebuild for i586 as standard processor
(0004665)
hulud   
2010-08-06 16:27   
Where can I find a rebuilt iso image to test?




Viewing Issue Advanced Details
2997 [Endian Firewall] Proxy SMTP major random 2010-06-11 10:12 2010-08-03 14:46
deadmalc  
 
normal  
feedback 2.4  
open  
none    
none  
Postfix locking up, unable to restart without reboot
Sending emails randomly causes postfix to lock up, the only solution is a reboot of the box
I have applied the latest efw-update fixes, this seems to have improved things slightly as now the whole box no longer freezes (unless I just managed to catch it this time before the issue had gone out of control, previously trying to access any file caused the process then to lock up, this time it seemed to be isolated to amavisd and postfix)

Restarting postfix causes the hash on /etc/aliases to hang and amavisd will not shutdown

After shutting postfix down fine, and attempting to restart it....

root 9239 9212 0 08:03 pts/0 00:00:00 /bin/bash /etc/init.d/postfix
start
root 9244 9239 0 08:03 pts/0 00:00:00 /usr/sbin/postalias hash
/etc/aliases


root@saaflanfirewall:/var/log # /etc/init.d/amavisd stop
Shutting down Mail Virus Scanner (amavisd): [ OK ]
root@saaflanfirewall:/var/log # ps -ef|fgrep amavis
amavis 5416 1 0 07:07 ? 00:00:00 amavisd (ch1-finish)
amavis 5417 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5418 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5419 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5421 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5423 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5424 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5427 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5429 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5430 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
amavis 5431 1 0 07:07 ? 00:00:00 amavisd (ch0-finish)
root 9456 9212 0 08:03 pts/0 00:00:00 fgrep amavis


root@saaflanfirewall:/var/log # killall amavisd
root@saaflanfirewall:/var/log # killall amavisd
root@saaflanfirewall:/var/log # killall amavisd
root@saaflanfirewall:/var/log # killall -9 amavisd
root@saaflanfirewall:/var/log # killall -9 amavisd
root@saaflanfirewall:/var/log # killall -9 amavisd
root@saaflanfirewall:/var/log # killall -9 amavisd
root@saaflanfirewall:/var/log # ps -ef|fgrep amavis
amavis 5416 1 0 07:06 ? 00:00:00 amavisd (ch1-finish)
amavis 5417 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5418 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5419 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5421 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5423 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5424 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5427 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5429 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5430 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)
amavis 5431 1 0 07:06 ? 00:00:00 amavisd (ch0-finish)

root 9239 9212 0 07:56 pts/0 00:00:00 /bin/bash /etc/init.d/postfix
start
root 9244 9239 0 07:56 pts/0 00:00:00 /usr/sbin/postalias hash
/etc/aliases
root 9468 9212 0 08:03 pts/0 00:00:00 ps -ef
root@saaflanfirewall:/var/log # kill 9244
root@saaflanfirewall:/var/log # kill 9244
root@saaflanfirewall:/var/log # kill 9244
root@saaflanfirewall:/var/log # kill -9 9244
root@saaflanfirewall:/var/log # kill -9 9244
root@saaflanfirewall:/var/log # kill -9 9244
root@saaflanfirewall:/var/log # ps -ef|fgrep postalias
root 9244 9239 0 07:56 pts/0 00:00:00 /usr/sbin/postalias hash
/etc/aliases
root 9470 9212 0 08:03 pts/0 00:00:00 fgrep postalias
Notes
(0004485)
deadmalc   
2010-06-11 10:25   
I have noticed this in the logs:

Jun 11 07:56:55 saaflanfirewall havp[5643]: Scanner errors: ClamAV: Can't create new file (lasturl: http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/common.css)
Jun 11 07:56:55 saaflanfirewall havp[5643]: 127.0.0.1 GET 200 http://wwwimages.adobe.com/www.adobe.com/ubi/template/identity/adobe/screen/common.css 548+2950 SCANERROR ClamAV: Can't create new file
(0004499)
peter   
2010-06-14 14:50   
seems your disk is full?
maybe also your ram?
(0004511)
deadmalc   
2010-06-14 19:08   
over 1Gb of ram free (2Gb allocated) and plenty of disc space left.
(0004532)
deadmalc   
2010-06-16 00:06   
(edited on: 2010-06-16 00:10)
Had a quick play again with 2.4, I was stopping all unnecessary services and reducing the squid cache size down to 2Gb
I noticed that even though I had disabled antivirus and spam on the SMTP proxy, their services were showing up in the interface.
Then I attempted to shut down the proxy, and then the interface seemed to hang at:
The SMTP Proxy is being disabled. Please hold...
df -h showed plenty of disc space and ram was also fine.
I attempted to do an ls at which point the command line jammed.


I'm guessing that clamd is screwing something up (looking at the logs there are no errors anywhere or anything that would help) as I notice it was restarted quite a few times, and I've had my suspicions that this is at fault.
I'll disable it completely (although havp/clamd is the reason I'm running endian) and see if that stabilises it

(0004533)
deadmalc   
2010-06-16 00:35   
(edited on: 2010-06-16 00:36)
Even more bizarre, really playing with the interface causes the issue.
I disabled spam and virus filtering on pop3 (which is disabled anyway)
Then popped around the various parts of the web interface.
When I went back to the main dashboard it hung and the web processes showed as defunct
No real useful messages except the segfault in fetchipac
(again memory and disc plenty free)


Any timescales on the update being pushed? (I heard it was fixed a week or so ago)

(0004534)
deadmalc   
2010-06-16 00:40   
Just one thought, I do have a massive list of blacklists in DNS. I'll look at that.
(0004569)
deadmalc   
2010-06-28 20:26   
Blacklist removal didn't solve the problem, has the fetchipac segfault bug fix been released?
(0004662)
willhoy1   
2010-08-03 13:57   
If you have SCSI disks, try setting your adapter to mass storage, as any other mode is buggy with linux. This was the root cause of all lockups to my system.
(0004663)
deadmalc   
2010-08-03 14:46   
I have tried IDE and SCSI with different variations and also using VIO disks.
The only solution was to migrate off Endian, which is a shame really.




Viewing Issue Advanced Details
3005 [Endian Firewall] GUI major sometimes 2010-06-14 18:38 2010-07-30 18:14
baldy  
 
normal  
new 2.4  
open  
none    
none  
Upgrade EFW2.2 ->2.4 breaks GUI
After upgrade the GUI is broken in the Firewall section.

Rules cannot be applied without a reboot.
Screen is shown with both Orange (rules have been applied) and Green (with Apply button)

So far this has happened on 2 systems I have upgraded from 2.2 to 2.4
Screenshot has been added with the issue.

Happens with IE8, Google Chrome and Firefox, so it is not a browser related issue.
GUI damaged.jpg (163 KB) 2010-06-14 18:38
Notes
(0004658)
dmitri22   
2010-07-30 18:14   
The same problem after upgrade (efw-upgrade) from 2.2 to 2.4.0




Viewing Issue Advanced Details
3057 [Endian Firewall] Firewall (iptables) major always 2010-07-09 23:46 2010-07-30 18:14
Mo_Hong  
 
normal  
new 2.4  
open  
none    
none  
Port forwarding / Destination NAT rules do not get applied
When trying to add a new Port forwarding / Destination NAT rule, the green apply bubble appears with the following message:

Port forwarding / Destination NAT rules have been changed and need to be applied in order to make the changes active

After pressing the button, the orange bubble, with the "rules have been applied" appears with the green one below and the rules do not take effect. You must restart the EFW so the rules get applied, and the green bubble does not appear until you add another rule.
Notes
(0004610)
baldy   
2010-07-10 17:37   
Same as http://bugs.endian.com/view.php?id=3005
(0004657)
dmitri22   
2010-07-30 18:14   
The same problem after upgrade (efw-upgrade) from 2.2 to 2.4.0




Viewing Issue Advanced Details
3089 [Endian Firewall] GUI tweak always 2010-07-29 16:33 2010-07-29 16:33
baldy  
 
normal  
new 2.4  
open  
none    
none  
SMTP, POP3 proxy and IDS counters not updated correctly
When leaving the GUI open in a browser the counters are not reset properly after 24 hours and numbers keep adding up.

Only a full refresh of the page shows the correct numbers again.
Tested in Firefox, can not test in IE due to memory leak in combination with the GUI.

Screenshots have been added for clarification.

First screenshot is taken after the GUI was open for around 46 hours, the second immediately after refresh.
Counters before refresh.jpg (167 KB) 2010-07-29 16:33
Counters after refresh.jpg (162 KB) 2010-07-29 16:33
There are no notes attached to this issue.




Viewing Issue Advanced Details
3088 [Endian Firewall] Proxy - SMTP minor always 2010-07-29 15:53 2010-07-29 15:54
lucagiove  
 
normal  
new 2.3.1  
open  
none    
none  
mail routing changes are not applied
It seems that the button "save changes and restart" doesn't trigger the SMTP proxy restart, so the changes are not really applied.
There are no notes attached to this issue.




Viewing Issue Advanced Details
2852 [Endian Firewall] Hardware related (kernel, drivers, hardware) minor have not tried 2010-04-18 09:53 2010-07-28 21:11
tomek  
 
normal  
feedback  
open  
none    
none  
Dell R210 server with Broadcom's BCM5716 network chipset not detecting
When trying to install, it appears that the interfaces on a Dell R210 are not detecting. I did some research and found this:

http://blog.akkaya.de/jpabel/2010/01/22/NetXtreme-II-BCM5716-on-Ubuntu-8-04

Could someone create a fix for this?
Notes
(0004157)
tomek   
2010-04-18 09:55   
This happens while running the latest EFW 2.3.
(0004164)
peter   
2010-04-19 12:22   
our kernel update (2.6.27) for the next release fixes this
(0004407)
peter   
2010-06-07 15:16   
can you please try with 2.4?
(0004653)
tomek   
2010-07-28 21:10   
I believe this is now working on our IBM Bladecenter HS22.
(0004654)
tomek   
2010-07-28 21:11   
As well as the dell R210.




Viewing Issue Advanced Details
3087 [Endian Firewall] Proxy - HTTP minor always 2010-07-27 18:15 2010-07-28 10:07
lucagiove  
 
normal  
new 2.3.1  
open  
none    
none  
squid hard disk cache can't be zero
The user can set Cache size on harddisk (MB) * to 0 resulting in a FATAL: storeAufsDirParse error causing the termination of Squid cache.

From restartproxy.py:

init_cache_dir /var/spool/squid... /etc/init.d/squid: line 55: 512 Aborted $SQUID -z -F -D >>/var/log/squid/squid.out 2>&1
Starting squid: /etc/init.d/squid: line 54: 514 Aborted $SQUID $SQUID_OPTS >>/var/log/squid/squid.out 2>& [FAILED]

Log from: /var/log/squid/squid.out

FATAL: storeAufsDirParse: invalid size value
Squid Cache (Version 2.6.STABLE22): Terminated abnormally.
There are no notes attached to this issue.




Viewing Issue Advanced Details
3082 [Endian Firewall] Other Services major always 2010-07-26 15:03 2010-07-26 15:03
sbashir  
 
normal  
new 2.4  
open  
none    
none  
Services, QoS, Rules, always shows high priority even if you select medium or low.
After applying rules in QoS, like high priority for an IP, if you go back to check it shows high priority, but medium or whatever you have selected will be applied.
There are no notes attached to this issue.




Viewing Issue Advanced Details
2943 [Endian Firewall] GUI minor have not tried 2010-05-28 22:08 2010-07-23 05:52
leso  
peter  
normal  
feedback 2.4  
reopened  
none    
none  
After upgrade 2.3 to 2.4 , network statistics are not displayed
After an upgrade from 2.3 to 2.4 with efw-upgrade (community version), the old statistics in the network traffic graphs aren't displayed. The new graphs (new statistics) also do not appear.

thx
KR
On 2.3 production, graphs were always displayed.
libipt_standard.so (4 KB) 2010-07-05 08:12
Notes
(0004298)
Renee   
2010-05-29 02:54   
I can confirm this no network traffic graph is displayed.
(0004300)
baldy   
2010-05-29 10:22   
(edited on: 2010-05-30 11:11)
I have the same problem.

Happens both in Internet Explorer 8 and Firefox 3.6.

(0004301)
albaney   
2010-05-29 14:32   
The same occurs in a new installation. The network graph is not displayed.
(0004302)
Renee   
2010-05-29 14:40   
(edited on: 2010-05-29 17:29)
It could be due to firewall.log not existing; the next problem is that no iptables log is written to /var/log.

I also checked the Proxy diagrams under Status: the same problem, no information available.

(0004305)
leso   
2010-05-30 10:41   
NOTE: With a new installation, it's the same problem.
(0004321)
schraads   
2010-05-31 21:48   
I did a fresh install of 2.4.0 community edition and I am seeing the same thing. System graphs work, but no traffic graphs. I have verified this with IE 8, Firefox 3.6.3, and Google Chrome 5.0.
(0004322)
schraads   
2010-05-31 21:52   
(edited on: 2010-06-05 07:48)
FYI...the real-time network graphs (on the Dashboard) for each interface ARE working on the home page.

(0004343)
omriasta   
2010-06-02 20:25   
(edited on: 2010-06-02 20:38)
Using Chrome 6.0 (dev) on Ubuntu I can't view the real-time network graphs on the dashboard. Using Firefox 3.6.3 the real-time graphs do display on dashboard.
The graphs under Status->Traffic Graphs don't display in both browsers.
Update: Clear Cache solves problem in Chrome. Status Graphs still don't work.

(0004356)
schraads   
2010-06-05 07:50   
I also cleared my cache and I am still not seeing any network traffic graphs. The system graphs are working.
(0004464)
peter   
2010-06-09 19:56   
this happens because ipac-ng did not work anymore with iptables 1.4.0
upgraded both ipac-ng and iptables in order to synchronize the library interface and fixed regexp in makegraphs which reads out data from ipac-ng output, since that output has now capitalized letters and makegraphs regexp was not case insensitive
(0004538)
bnhansen   
2010-06-17 22:55   
I again upgraded my 2.4 version which has been running for a few weeks after seeing that the administrator had performed upgrades. After performing another upgrade today & rebooting, I also still do not display the status network traffic graphs or the status proxy access graphs. Where the graphs should be it states No Information Available.
(0004539)
Renee   
2010-06-17 23:47   
Same problem again: I had to install Endian anew after a fatal error on my part, and the graph shows nothing although Endian is at the newest state via efw-upgrade. On another Endian 2.4 installation with the same updates it works.
I checked for the file /lib/iptables/libipt_standard.so the file does not exist on both systems.
(0004580)
devorem   
2010-07-03 02:43   
I have this same problem on a new installation. Is there a procedure to edit the code and make this work?
(0004583)
leso   
2010-07-05 08:12   
I copied the libipt_standard.so from a 2.3 to a 2.4 with all upgrades. One reboot later and one day later, I actually have my network traffic graph view...
I predict it is just a file missing from the package.
(0004584)
leso   
2010-07-05 08:12   
I added file from 2.3 on this topic
(0004585)
leso   
2010-07-05 08:26   
Actually, there is a problem with the Live log viewer, the ports are in hex?:

INPUT:DROP eth1 (eth1) 93.186.25.33: -> 188.62.81.246:00:0c:29:2e:de:89:00:07:cb:c5:b9:2f:08:00-
(0004640)
Fungyo   
2010-07-23 05:52   
copying the attached file into the correct directory has enabled Network graphs for my install.
Install is fully updated too.




Viewing Issue Advanced Details
3081 [Endian Firewall] Network related (VPN, uplinks) minor always 2010-07-22 16:14 2010-07-22 16:24
1und1  
 
normal  
new 2.3.1  
open  
none    
none  
Endian Firewall sends icmp redirects
The following configuration causes the Endian to send icmp-redirects:
1. traffic enters the Endian Firewall from network A
2. the Endian's default gateway G is located in network A
3. the traffic is destined to network B behind gateway W

This is bad because
1. if icmp redirects are accepted, the Endian Firewall is bypassed for the affected traffic.
a) Meaning that the affected traffic is no longer being inspected.
b) Meaning that in case the Endian is used for IP-masquerading (NAT), the affected traffic is no longer being NATed, interrupting connectivity.
2. icmp redirects are not always honored by the client meaning traffic patterns become somewhat unpredictable.
In our network setup, an Endian Appliance is supposed to NAT and inspect traffic to external destinations for clients with private IP-addresses.

              World
                |
          +-----------+
          | Gateway W |
          +-----------+
                |
+--------+      |       +-----------+
| Endian |------+-------| Gateway A |---------some clients
+--------+    n |       +-----------+
              e |       +-----------+
              t +-------| Gateway B |---------some other clients
              w |       +-----------+
              o |       +-----------+
              r +-------| Gateway C |---------way more clients
              k |       +-----------+
                |       +-----------+
              A +-------| Gateway D |---------here be dragons
                |       +-----------+
               ...

We think this behaviour was introduced as an intended fix for bug 0001515. However we consider it to be just an ugly workaround as it doesn't really fix the problem in all cases, and instead the ill advised network setup in the referenced bug report should be changed.
network.png (19 KB) 2010-07-22 16:24
There are no notes attached to this issue.
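What follows is an added example, not Endian code: an audit of the kernel knobs behind the behaviour described in this ticket. Linux sends a redirect on an interface when either net.ipv4.conf.all.send_redirects or net.ipv4.conf.<iface>.send_redirects is 1 (the OR rule documented in ip-sysctl.txt), so clearing only the "all" entry is not enough. The script reads every interface's flag from the standard /proc path, reports which interfaces would still emit redirects, and prints the sysctl lines that switch them off, including the "default" template so interfaces created later inherit the setting. Where those lines have to be persisted depends on how the firewall manages its sysctl settings, which the ticket does not say. Clients that must not be steered around the firewall should additionally set accept_redirects=0 on their own side.

```python
#!/usr/bin/env python3
"""Report which interfaces of a Linux router still send ICMP redirects and
emit the sysctl settings that stop it.  Added example; not Endian code.

Kernel rule (ip-sysctl.txt): a redirect is sent on an interface if
conf/all/send_redirects OR conf/<iface>/send_redirects is 1, so both
knobs must be 0 for every interface.
"""
import glob
import os

SYSCTL_ROOT = "/proc/sys/net/ipv4/conf"   # standard path on Linux


def read_flag(path):
    with open(path) as fh:
        return fh.read().strip() != "0"


def sends_redirects(all_flag, iface_flag):
    """Effective send_redirects for one interface: OR of the two knobs."""
    return all_flag or iface_flag


def audit(conf):
    """conf maps 'all', 'default' and interface names to their flag.
    Returns the interfaces that will still emit redirects."""
    all_flag = conf.get("all", False)
    return sorted(name for name, flag in conf.items()
                  if name not in ("all", "default")
                  and sends_redirects(all_flag, flag))


def read_conf(root=SYSCTL_ROOT):
    """Collect send_redirects for all/default/every interface from /proc."""
    conf = {}
    for path in glob.glob(os.path.join(root, "*", "send_redirects")):
        conf[os.path.basename(os.path.dirname(path))] = read_flag(path)
    return conf


def sysctl_fix(conf):
    """Lines for a sysctl configuration file that disable redirects on every
    interface present now and on interfaces created later ('default')."""
    lines = ["net.ipv4.conf.all.send_redirects = 0",
             "net.ipv4.conf.default.send_redirects = 0"]
    for name in sorted(conf):
        if name not in ("all", "default"):
            lines.append("net.ipv4.conf.%s.send_redirects = 0" % name)
    return lines


if __name__ == "__main__":
    current = read_conf()
    still = audit(current)
    print("interfaces still sending ICMP redirects: %s"
          % (", ".join(still) or "none"))
    print("\n".join(sysctl_fix(current)))
```

Run it on the firewall as root; the printed lines can be applied immediately with `sysctl -w` and should also be placed wherever the system keeps persistent sysctl settings.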




Viewing Issue Advanced Details
2709 [Endian Firewall] Firewall (iptables) minor sometimes 2010-02-22 14:54 2010-07-22 15:48
matictec  
 
normal  
acknowledged 2.3  
open  
none    
none  
sometimes if uplink reconnects connections remain in connection tracking table with old information causing the service to stop
We have a 3CX VoIP PBX that registers with a VoIP provider using standard SIP. This works correctly. When the RED interface gets a new IP from the DSL provider after a reconnect, the VoIP provider can no longer be registered by the PBX.

A Wireshark capture on the server shows that the packets from the PBX are correct, but on the Endian we cannot see any incoming answer.

We tried different setups, one Xen-based environment, one VirtualBox environment and also a physical environment.

This problem only occurs with the Endian. Other firewalls and routers do not have this problem.

Please help, and thanks for the effort.
Notes
(0003871)
lucagiove   
2010-02-25 17:09   
Give it a try adding port 5061 like this:

rmmod nf_conntrack_sip
rmmod nf_nat_sip
modprobe nf_conntrack_sip ports=5060,5061
modprobe nf_nat_sip
(0003888)
matictec   
2010-03-02 10:16   
Thanks for the reply. Our problem is not one-way audio or something else. Everything works fine until the reconnect of the RED interface, when it gets a new IP.

But we tried your advice, sadly without success.
(0003916)
peter   
2010-03-04 15:10   
do you see the SIP REGISTER packet going out through the red interface?
is only the answer missing?

could it be that the pbx reconnects too fast and tries to reconnect when there is not yet a default gateway and snat rule installed?

when all that does not help you can try to do:
conntrack -F
this kills all existing connections passing through the firewall by removing them from the connection tracking table.
Just to eliminate a possible source of problems.
(0004016)
matictec   
2010-03-11 11:51   
Thanks for reply.

conntrack -F helps. Thank you very much.

How can I do this automatically if the connection reconnects?
(0004021)
peter   
2010-03-11 23:41   
simply create a file in /etc/uplinksdaemon/addrchanged/ which will always be triggered when an uplink changes its ip address

copy/paste this in your shell:
--------------------------------------------------------------
cat > /etc/uplinksdaemon/addrchanged/flushconnections <<EOF
#!/bin/sh
/usr/sbin/conntrack -F
exit 0
EOF

chmod +x /etc/uplinksdaemon/addrchanged/flushconnections
--------------------------------------------------------------

this should do all necessary
(0004638)
thelmoe   
2010-07-22 13:52   
Same problem on an Enterprise EFW with sipgate.de. Only a conntrack -F resolves the problem if the uplink changes the IP...
Thanks for the script Peter.
(0004639)
mgabriel   
2010-07-22 15:48   
Happens here with an AskoziaPBX (Asterisk-based SIP) and sipgate.de on an EFW 2.3.1 Enterprise.
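A narrower variant of the hook from note 0004021, added here as an example and not Endian code: `conntrack -F` also kills every other tracked flow, the administrator's own SSH session included, whereas only the flows NATed behind the address that went away can never see an answer again. The script parses the `conntrack -L` table, picks the entries whose reply destination is the old uplink address and deletes exactly those. Assumptions: the hook is given the previous uplink address as its first argument (the ticket does not say what uplinksdaemon passes to these hooks; if nothing, the hook can record the current address in a state file and read it back on the next change), the tool lives at /usr/sbin/conntrack as in the note above, and Python 3 is available. The table text embedded below is constructed sample output.

```python
#!/usr/bin/env python3
"""Remove only the conntrack entries that still reference the old uplink
address.  Added example for this ticket; not Endian code.

Assumptions: the previous uplink address arrives as argv[1] and the
conntrack tool is at /usr/sbin/conntrack (same path as note 0004021).
"""
import re
import subprocess
import sys

CONNTRACK = "/usr/sbin/conntrack"   # assumption, path from the note above

# Constructed sample of `conntrack -L` output: two SIP flows NATed behind the
# old uplink address 198.51.100.7 and one SSH session to the firewall itself.
SAMPLE_TABLE = """\
udp      17 29 src=192.168.0.10 dst=203.0.113.5 sport=5060 dport=5060 src=203.0.113.5 dst=198.51.100.7 sport=5060 dport=5060 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.10 dst=203.0.113.5 sport=49152 dport=5061 src=203.0.113.5 dst=198.51.100.7 sport=5061 dport=49152 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=192.168.0.20 dst=192.168.0.1 sport=51000 dport=22 src=192.168.0.1 dst=192.168.0.20 sport=22 dport=51000 [ASSURED] mark=0 use=1
"""

KEYVAL = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Split one conntrack line into (proto, original tuple, reply tuple).

    conntrack prints the original direction first and the reply direction
    second, so the first src/dst/sport/dport group belongs to the original
    tuple and the second group to the reply tuple.
    """
    fields = line.split()
    if not fields:
        return None
    orig, reply = {}, {}
    for key, value in KEYVAL.findall(line):
        if key in ("src", "dst", "sport", "dport"):
            (orig if key not in orig else reply)[key] = value
    return fields[0], orig, reply


def stale_flows(table_text, old_addr):
    """Flows whose reply destination is the vanished address: exactly those
    that were SNATed behind the old uplink IP."""
    stale = []
    for line in table_text.splitlines():
        parsed = parse_flow(line)
        if parsed and parsed[2].get("dst") == old_addr:
            stale.append(parsed)
    return stale


def delete_command(old_addr):
    """conntrack can apply the same selection itself: delete by reply dst."""
    return [CONNTRACK, "-D", "--reply-dst", old_addr]


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s OLD_UPLINK_ADDRESS\n" % argv[0])
        return 2
    old_addr = argv[1]
    table = subprocess.run([CONNTRACK, "-L"], capture_output=True,
                           text=True, check=False).stdout
    for proto, orig, reply in stale_flows(table, old_addr):
        print("dropping stale %s flow %s:%s -> %s:%s (NATed as %s)" % (
            proto, orig["src"], orig.get("sport", "-"), orig["dst"],
            orig.get("dport", "-"), reply["dst"]))
    return subprocess.run(delete_command(old_addr), check=False).returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The listing step is there for the log: it shows which flows went, so a SIP registration that still fails afterwards can be told apart from one that was simply never re-sent by the PBX.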




Viewing Issue Advanced Details
3077 [Endian Firewall] Hotspot major sometimes 2010-07-21 16:35 2010-07-21 16:35
lucagiove  
 
normal  
new 2.3.1  
open  
none    
none  
Sometimes the browser returns a loop error
See the screenshot.

It happened at least 3 times with different test systems, Firefox and Chrome.

With some sort of restart it disappeared but...
hotspot-loop.png (134 KB) 2010-07-21 16:35
There are no notes attached to this issue.




Viewing Issue Advanced Details
3076 [Endian Firewall] Hotspot major have not tried 2010-07-21 16:32 2010-07-21 16:32
lucagiove  
 
normal  
new 2.3.1  
open  
none    
none  
Login page is not available
Customer claims that the hotspot login page is not available.. :(

The error is attached.

(this is the Studentato/Dormitorio customer Macro X1 with about 200 hotspot users)
hotspot-error.png (59 KB) 2010-07-21 16:32
There are no notes attached to this issue.




Viewing Issue Advanced Details
2667 [Endian Firewall] GUI major always 2010-02-11 13:36 2010-07-18 15:19
aender  
 
normal  
confirmed 2.3  
open  
none    
none  
IDS does not start after disabling and enabling it again
The first time we start IPS/Snort it is started and shows correctly at the dashboard with status ON.

Now we disable Snort; it is stopped and shows the correct status OFF at the dashboard.

Now we enable Snort once again. We don't see whether it starts or not. Also the status at the dashboard still shows OFF. Pressing the save and restart button doesn't change anything.

Also after re-enabling Snort, "Automatically fetch SNORT rules" is disabled.

If we enable "Automatically fetch SNORT rules" and do a "save and restart", the GUI shows a message that Snort is starting.

Now the status at the dashboard is ON.

So I think there is something wrong within the scripts for starting Snort.
Notes
(0003935)
peter   
2010-03-05 00:00   
well, seems to have multiple issues :/

1) if snort is enabled for the first time and there are no rules installed, it will not start and says nothing

2) "update rules now" does not cause snort to start; it must be started manually after the download is completed.

3) after some restarts, something unchecks "download rules automatically". If there are no manually uploaded rules, this causes snort not to start due to no rules

4) after some restarts snort remains unmonitored, which causes the dashboard to show that IPS is off

5) when snort was running and it is disabled, restartsnort is called automatically, which is fine. re-enabling it afterwards does not start restartsnort automatically, but only saves the configuration. The user then needs to "save and restart". We need an apply-message here.

6) When that save-and-restart is done after disabling and re-enabling, restartsnort will nevertheless not be called, because in that case no configuration has been changed (it was already saved by re-enabling it).
A change (for example changing the update interval) followed by save-and-restart really restarts.

(0004628)
lightningbit   
2010-07-18 15:19   
more or less the same issues here (even just after the efw-update today)
only when efw is rebooted does the IDS show as started again

L.




Viewing Issue Advanced Details
3065 [Endian Firewall] GUI minor always 2010-07-18 15:15 2010-07-18 15:15
g13013  
 
normal  
new 2.4  
open  
none    
none  
Unable to activate SSH Access from GUI
On a fresh installation I was not able to activate SSH access from the GUI
Endian Firewall 2.4
hosted on VMWare
There are no notes attached to this issue.




Viewing Issue Advanced Details
1716 [Endian Firewall] Firewall (iptables) feature N/A 2009-03-30 21:40 2010-07-17 14:19
lightningbit  
 
normal  
new 2.2-rc3  
open  
none    
none  
Auto blocking IP based on SNORT logs
An optional module which
1/ monitors the SNORT log,
and can take action when it detects certain violations (like a portscan, or a very critical alert/attack happening)
by automatically blocking (thus adapting the firewall rules) the abusive IP address or even a complete CIDR block

2/ Add to that the ability (an extra option) to easily enter a list of CIDRs to be blocked proactively (in an easier way than creating firewall rules for every few CIDR blocks)

the 2nd option comes from the need of a lot of people to be able to quickly block e.g. the Chinese, Korean, Nigerian CIDR blocks from a source like this (http://www.okean.com/sinokoreacidr.txt)


it would be a great added feature making EFW an even stronger firewall

I would appreciate feedback on how this feature request will be received/considered

thanks

IPCop used to have such a module, called GUARDIAN (not dansguardian), which worked very well for item 1/ above
and I also used it for item 2/
Notes
(0003669)
lightningbit   
2010-01-16 11:34   
(edited on: 2010-01-16 11:35)
more info regarding the requested blocklists:

- I'm talking about a blocklist against incoming attack/abuse/spy attempts

- it would be even nicer if there were an option to integrate with http://iblocklist.com/lists.php where we would be able to enter the URLs of the lists we want to use, with a button for each list for whether we want to blacklist (block) or whitelist them

at this moment, I'm using some of these lists, but then I get a huge long page with firewall rules

(0004620)
lightningbit   
2010-07-17 14:19   
anyone else any feedback?
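As an added sketch of items 1/ and 2/ of this request (example code, neither Endian's nor IPCop's GUARDIAN): a script that reads Snort alerts in the fast output format, blocks a source once it has crossed a per-priority alert count, and turns a downloaded CIDR list into drop rules. The alert lines and the list embedded below are constructed for the example, and the iptables chain name AUTOBLOCK is an assumption. Two safeguards are deliberate. Private and explicitly whitelisted ranges are never blocked, because an attacker who can spoof a source address could otherwise use the IDS to cut the firewall off from its own DNS or SIP provider, and low-priority alerts need more than one hit before anything happens.

```python
#!/usr/bin/env python3
"""Turn Snort fast-format alerts and a CIDR blocklist into iptables drop
rules.  Added example for this feature request; not Endian or IPCop code.

Assumptions: Snort writes the "fast" alert format, blocked sources go into
a dedicated chain named AUTOBLOCK, and the blocklist is one CIDR per line
with '#' comments.
"""
import ipaddress
import re
from collections import Counter

# Alerts a source needs before it is blocked, keyed by Snort priority.
# Priorities not listed here (3 and up) never trigger a block.
THRESHOLDS = {1: 1, 2: 2}

# Ranges that must never be blocked on a perimeter firewall whatever the IDS
# says.  Extend via the whitelist argument with your own public ranges and
# upstream peers (DNS resolvers, SIP provider).
NEVER_BLOCK = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")

ALERT = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\] "
    r"(?:\[Classification: [^\]]*\] )?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?")

# Constructed alerts (not real IDS output): one scanner hitting SSH twice, an
# internal host scanning outbound, a high-priority exploit attempt, ICMP noise.
SAMPLE_ALERTS = """\
07/22-05:52:01.123456  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54321 -> 198.51.100.7:22
07/22-05:52:03.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:54322 -> 198.51.100.7:22
07/22-05:53:10.500000  [**] [1:2003068:7] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.20:40000 -> 203.0.113.9:22
07/22-05:54:00.000000  [**] [1:1000001:1] LOCAL exploit attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.200:4444 -> 198.51.100.7:25
07/22-05:55:00.000000  [**] [1:408:5] ICMP Echo Reply [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.50 -> 198.51.100.7
"""

# Constructed list, not a real feed.
SAMPLE_BLOCKLIST = """\
# example blocklist
203.0.113.0/24
198.51.100.128/25
10.0.0.0/8        # private: must never end up in a perimeter drop list
not-an-address
"""


def is_protected(target, whitelist=()):
    """True when an address or network overlaps a range we must never block."""
    net = ipaddress.ip_network(str(target), strict=False)
    return any(net.overlaps(ipaddress.ip_network(p))
               for p in tuple(NEVER_BLOCK) + tuple(whitelist))


def candidates(alert_text, whitelist=(), thresholds=THRESHOLDS):
    """Source addresses whose alert count reached the threshold for the most
    severe priority they triggered."""
    hits, worst = Counter(), {}
    for line in alert_text.splitlines():
        m = ALERT.search(line)
        if not m or int(m["prio"]) not in thresholds:
            continue
        src = m["src"]
        if is_protected(src, whitelist):
            continue
        hits[src] += 1
        worst[src] = min(worst.get(src, 99), int(m["prio"]))
    return sorted(a for a in hits if hits[a] >= thresholds[worst[a]])


def parse_cidr_list(text, whitelist=()):
    """Valid, non-protected networks from a blocklist file; junk is skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue
        if not is_protected(net, whitelist):
            nets.append(net)
    return nets


def block_commands(targets, chain="AUTOBLOCK"):
    """One iptables invocation per address or network to drop."""
    return [["iptables", "-A", chain, "-s", str(t), "-j", "DROP"] for t in targets]


if __name__ == "__main__":
    for cmd in block_commands(candidates(SAMPLE_ALERTS)):
        print(" ".join(cmd))
    for cmd in block_commands(parse_cidr_list(SAMPLE_BLOCKLIST)):
        print(" ".join(cmd))
```

In production the chain would be created once (`iptables -N AUTOBLOCK` and a jump from INPUT and FORWARD), flushed and refilled on each run, and entries would expire after some hours; a permanent block on a spoofable source is the same denial of service the attacker wanted, just self-inflicted.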




Viewing Issue Advanced Details
3061 [Endian Firewall] Proxy HTTP block always 2010-07-15 19:56 2010-07-15 19:56
ideali  
 
normal  
new 2.4  
open  
none    
none  
Proxy does not block all selected categories
hello
Dansguardian does not block the categories selected in the GUI
content filtering does not appear in the updated version 2.4
Is there a procedure to update the DansGuardian blacklists?
thanks

The categories blocked are sex, ads. Stop

Thanks
EndianDansguardian.jpg (126 KB) 2010-07-15 19:56
There are no notes attached to this issue.




Viewing Issue Advanced Details
3060 [Endian Firewall] Proxy HTTP feature always 2010-07-13 20:49 2010-07-14 12:48
gennarom  
 
normal  
new 2.4  
open  
none    
none  
AD authentication doesn't work
Using the same parameters (working) used in the 2.2 and 2.3 releases for AD auth, the proxy simply doesn't work! The browser doesn't show me the login form and displays an ACCESS DENIED message for the requested URL, saying also: "Access control configuration prevents your request from being allowed at this time. Please contact your service provider if you feel this is incorrect."
This issue always happens, both after an upgrade from 2.2/2.3 and on a fresh installation.

Notes
(0004613)
gennarom   
2010-07-14 12:48   
AD auth is done through LDAP




Viewing Issue Advanced Details
3059 [Endian Firewall] Proxy - SMTP minor sometimes 2010-07-12 12:21 2010-07-12 12:21
lucagiove  
 
normal  
new 2.3.1  
open  
none    
none  
spam admin wrong syntax
Jul 12 00:06:19 efw-xx-xx amavis[26286]: (26286-06) (!)SEND via SMTP: postmaster@efw-xx-xx.localdomain -> <luca@xx.com>,ENVID=AM..20100711T220619Z@efw-xx-xx.localdomain 501 5.1.7 Failed, id=26286-06, from MTA([127.0.0.1]:10025): 501 5.1.7 Bad sender address syntax
Jul 12 00:06:19 efw-xx-xx amavis[26286]: (26286-06) (!)FAILED to notify admin: 501 5.1.7 Failed, id=26286-06, from MTA([127.0.0.1]:10025): 501 5.1.7 Bad sender address syntax
There are no notes attached to this issue.




Viewing Issue Advanced Details
3017 [Endian Firewall] GUI tweak always 2010-06-19 14:16 2010-07-09 16:12
baldy  
 
normal  
confirmed 2.4  
open  
none    
none  
Disk usage section in the Status Information GUI needs some work
The layout of disk usage needs to be improved.
Columns are not straight under each other.
Also some elements have a bar graph and others do not.

The numbers for size and free+used do not add up. Free+used is always less than size.
Picture added, screen resolution used 1280*800.
Diskusage.jpg (146 KB) 2010-06-19 14:16
Notes
(0004606)
crispy   
2010-07-09 16:12   
I noticed this problem as well. The issue is that the LVM device names cause the data to shift onto the next line with the default output format of 'df'.

The fix is trivial, on line 227 of /home/httpd/cgi-bin/status.cgi, add the "-P" option to df, which forces it all onto one line:

  open(DF,'/bin/df -P -B M -x rootfs|');




Viewing Issue Advanced Details
3041 [Endian Firewall] Network related (VPN, uplinks) major always 2010-07-03 00:12 2010-07-08 18:51
wolfcry0  
 
normal  
feedback 2.4  
reopened  
none    
none  
Can't connect to firewall using IPSEC Road Warrior
When I try to connect to the firewall from windows 7 64 bit, the system log throws out this message "System - 2010-07-02 16:06:30 - pluto (30209) | no connection found" 3 times, and I get error 809 (Could not connect) on the windows VPN client

The firewall shows the IPSEC service as running, and I've rebooted several times. I can port forward and connect to other services in the network through the firewall.

I've tried both a PSK and a Certificate based connection, both have the same error.


I really would like to get this working, any help is appreciated.
ipsec issue.jpg (540 KB) 2010-07-03 00:15
Notes
(0004579)
wolfcry0   
2010-07-03 00:16   
I am connecting from outside the network, just in case anyone thinks that I'm in the firewalls LAN. I have the web admin port opened remotely for the screenshot.
(0004588)
peter   
2010-07-05 10:43   
you need to use a windows ipsec client in order to connect to an efw. windows ships only ipsec/l2tp clients, which are not supported by efw
(0004605)
wolfcry0   
2010-07-08 18:51   
Got it, it's working now on my netbook. I'm guessing Android is a no-go since it probably has an IPsec/L2TP client also.




Viewing Issue Advanced Details
2641 [Endian Firewall] Proxy SMTP crash always 2010-01-26 21:33 2010-07-08 14:38
aender  
lucagiove  
normal  
resolved 2.3  
fixed  
none    
none  
SMTP Proxy not responding from external
I set up an SMTP proxy configuration with RED active, but a telnet to port 25 on RED doesn't work. Absolutely no response. I checked again and again.

The only solution to get the SMTP proxy to accept mails from outside is to add a system access rule from any to RED on port 25.

Now all works fine.

Could it be that the system rules are buggy?
See the attached image.
Bildschirmfoto 2010-01-26 um 21.30.44.png (100 KB) 2010-01-26 21:33
smtpscan.conf (0 KB) 2010-05-01 18:10
smtpscan.conf.tmpl (0 KB) 2010-05-01 18:10
Notes
(0003706)
lucagiove   
2010-01-27 09:30   
just checked it out, it doesn't happen on Enterprise version
(0003710)
aender   
2010-01-27 10:56   
Nice. But the Community edition has that problem. So there has to be something different.

The Rule 11 from the rules of system services in "System access configuration" looks wrong for me:
See the attached image.

There is no Entry for "Source interface". All other rules have an entry.
Could this be the problem?

Where can i find the file for this setting?
(0003717)
aender   
2010-01-29 08:16   
Please tell me the location of the file with the system standard rules for dnat. So i can solve the problem for myself....
(0003718)
lucagiove   
2010-01-29 09:34   
you should have this template file:

root@kenny:/etc/firewall/inputfw # cat smtpscan.conf.tmpl
#if $SMTPSCAN_ENABLED == "on"
  #for $zone in $ENABLED_ZONES
tcp,,25,on,,$zone#if $zone == "GREEN" then "&VPN:ANY" else ""#,off,SMTPD,ACCEPT,,
  #end for
#end if

and these are the firewall rules:

root@kenny:/etc/firewall/inputfw # cat smtpscan.conf
tcp,,25,on,,GREEN&VPN:ANY,off,SMTPD,ACCEPT,,
tcp,,25,on,,RED,off,SMTPD,ACCEPT,,
(0003719)
aender   
2010-01-29 10:36   
OK.

On the Community Edition the first file smtpscan.conf.tmpl looks like this:

#if $SMTPSCAN_ENABLED == "on" and $ENABLED_ZONES != []
tcp,,25,on,,${"&".join($INPUTFW_ZONES)}:ANY,off,SMTPD,ACCEPT,,
#end if

Second file smtpscan.conf.tmpl looks like this:

tcp,,25,on,,RED:ANY,off,SMTPD,ACCEPT,,


I changed both files to yours and now all works fine. Thanks a lot.
(0003721)
lucagiove   
2010-01-29 11:12   
it's enough to change the .tmpl only
(0004176)
Anonymous   
2010-04-24 08:08   
Hello folks.
I am also reporting the same smtp proxy issue on my community 2.3.0 version system

I have implemented the suggest changes/fixes to the smtpscan.conf.tmpl file and it has made no difference.

I would like to pursue this issue.

David
(0004177)
david_thistlethwaite   
2010-04-24 08:11   
The above note (0004176) was me.
Just needed an account
thanks
(0004198)
baldy   
2010-05-01 18:10   
David,

From a working system :

smtpscan.conf :

tcp,,25,on,,GREEN&VPN:ANY,off,SMTPD,ACCEPT,,
tcp,,25,on,,RED,off,SMTPD,ACCEPT,,
tcp,,25,on,,VPN,off,SMTPD,ACCEPT,,

smtpscan.conf.tmpl :

#if $SMTPSCAN_ENABLED == "on"
  #for $zone in $ENABLED_ZONES
tcp,,25,on,,$zone#if $zone == "GREEN" then "&VPN:ANY" else ""#,off,SMTPD,ACCEPT,,
  #end for
#end if

I have also added both files to this issue.

Can you test and post back ?
Also verify in the GUI that the proxy is enabled.

Regards,

Klaas-Jan
(0004228)
david_thistlethwaite   
2010-05-05 07:52   
Klaas-Jan
I have confirmed that my system has the above entries in the smtpscan.conf and .tmpl files and that the gui reports that the smtp proxy is activated.

Still no email flow unless the NAT rule is active.

Strange.

David
(0004241)
baldy   
2010-05-09 11:52   
Hi David,

Did you telnet from internal to RED or from an external location ?

There is an issue with 2.3 when trying to telnet to RED from internal.

Also, have you tried a clean install ?
I have already deployed a dozen or so 2.3 machines and they all accepted mail after changing the files in question.

When enabling the smtp proxy on RED there should be no need to open port 25 with a new NAT rule.

Regards,

Klaas-Jan




Viewing Issue Advanced Details
3042 [Endian Firewall] OpenVPN Client and Server major always 2010-07-03 13:16 2010-07-07 16:18
_thebishop_  
 
normal  
feedback 2.4  
open  
none    
none  
OpenVPN routing problem
Having an EFW 2.4 configured as OpenVPN server and one EFW 2.4 configured as OpenVPN client, from a station behind the server EFW I can reach any destination behind the client EFW but not the client EFW itself (having configured TCP/22 and TCP/10443 system access from any VPN source).

Note that with the same system access rules on the server EFW I can reach the server EFW from a station behind the client EFW.
Could be related to http://bugs.endian.com/view.php?id=3018
Notes
(0004586)
lucagiove   
2010-07-05 09:56   
enable firewall dropped packets and see if the firewall is blocking
(0004587)
_thebishop_   
2010-07-05 10:43   
OK, I've just tried it out: without logging the refused packets, from efw.servernetwork I can ping and connect to station.clientnetwork but not to efw.clientnetwork.

As soon as I enabled the logging of refused packets on efw.clientnetwork it started to accept the packets, without any change in the firewall and VPN configuration!!!

I've tried to ping and ssh to efw.clientnetwork from efw.servernetwork and now it works. After I disabled the logging of refused packets again it still functions correctly.


Note that both EFWs have been upgraded to 2.4 from version 2.2.
Could it be some configuration mess during the upgrade process?
(0004590)
peter   
2010-07-05 18:11   
how exactly did you do the upgrade?

this and also 0003039 seem that there was no migration of configuration files during upgrade.

you could try to manually start migrations:

sh /etc/upgrade/upgrade.d/migration

(0004598)
_thebishop_   
2010-07-05 19:14   
I've upgraded with the efw-upgrade command line script (via ssh) using the stable branch.

After the command successfully upgraded the system (no errors or warnings reported), I rebooted the systems from the web interface.

I noted that other settings have also failed to migrate: the HTTP, FTP, SMTP, POP3 proxies and content filtering configurations were all reset and turned off, and the content filtering by public blacklist no longer works on one of my EFWs (the other has no HTTP proxy configured).

I'll try to manually reissue the migration and let you know...
(0004601)
_thebishop_   
2010-07-07 16:18   
Ok, it returns:

endian.smtpscan.migration.step__efw_smtpscan__2__2_3_40__0_endian10: OK
endian.vpnclient.migration.step__efw_vpnclient__1__2_3_13__0_endian10: OK
endian.firewallgui.migration.step__efw_firewall__2__2_3_48__0_endian18: OK
endian.proxy.migration.step__efw_proxy__1__2_3_0__1_endian3: OK
---
Found: 4
OK: 4

Now all the OpenVPN related issues are resolved.
However this has disabled the HTTP proxy and messed up its configuration (the others are still running and retained their configurations).

The public URL blacklist content filtering still doesn't work.




Viewing Issue Advanced Details
3038 [Endian Firewall] Hardware related (kernel, drivers, hardware) tweak sometimes 2010-07-01 07:43 2010-07-06 04:51
vlongjvc  
 
normal  
feedback 2.4  
open  
none    
none  
EFW TCP/IP tuning needed
I connect to a web page through EFW (upgraded from 2.3 to 2.4) and when I disconnect, the connection is still in ESTABLISHED status.

****************************************************************************

Legend: LAN INTERNET DMZ Wireless Endian Firewall VPN (IPsec)

Source IP Source port Destination IP Destination port Protocol Status Expires
10.x.x.x 29707 72.14.254.100 80 (HTTP) tcp ESTABLISHED 67:09:03

*****************************************************************************

Notes
(0004592)
peter   
2010-07-05 18:27   
are you sure the connection is really closed?
can you check with tcpdump if you see the FIN ACK packet pass?

probably something blocks that packet or does not close the connection at all.
(0004599)
vlongjvc   
2010-07-06 04:51   
(edited on: 2010-07-06 04:53)
Dear Peter,

Thank you for your reply. I am sure that the connection is closed. I do not know how EFW treats an improperly closed connection (not ending with a FIN ACK packet). Is there any default timeout and how do I tune it?

With best regards,

Long





Viewing Issue Advanced Details
3024 [Endian Firewall] Proxy HTTP trivial always 2010-06-22 22:40 2010-07-05 18:50
brulinux  
 
normal  
feedback 2.4  
open  
none    
none  
Problem with authentication with AD
I have a proxy server configured to use authentication with AD (NTLM). I import bills normally but cannot surf; it seems it did not import the passwords and users correctly. What can it be?
Notes
(0004596)
peter   
2010-07-05 18:50   
which windows version is it?
what does mean "import bills"?




Viewing Issue Advanced Details
2839 [Endian Firewall] Proxy HTTP major always 2010-04-09 21:07 2010-07-05 18:48
lryc299  
ra  
normal  
resolved 2.3  
fixed  
none    
none  
Proxy Auth and AD 2008R2 fail
Enterprise version.
winbindd/smbd : Version 3.2.14-2.endian8

Domain join was successful.
Users and groups are showing up in the GUI.

Error in samba.log

winbindd[7024]: rpc_client/cli_pipe.c:rpc_api_pipe(789)
winbindd[7024]: rpc_api_pipe: Remote machine DC1R2.domain.local pipe \NETLOGON fnum 0x8003 returned critical error. Error was NT_STATUS_PIPE_DISCONNECTED
Notes
(0004126)
lryc299   
2010-04-09 22:18   
Openfiler has the same problem.
See: https://forums.openfiler.com/viewtopic.php?id=4431

Fix: upgrade samba to 3.4.5
(0004127)
lryc299   
2010-04-10 00:25   
Before compiling a new version of samba, try squid_kerb_auth instead of ntlm...
Can't try it here as I don't have a binary of the file.
(0004143)
lryc299   
2010-04-14 02:58   
It's working here with samba 3.4.5 and talloc 1.3.1.

Installed devel first.
Compiled samba 3.4.5 from source with:
./configure --prefix=/usr \
  --with-fhs \
  --libdir=/usr/lib/samba \
  --with-configdir=/etc/samba \
  --localstatedir=/var \
  --with-lockdir=/var/cache/samba \
  --with-swatdir=/usr/share/swat

Compiled talloc 1.3.1
Copied libtalloc.so.1.3.1 to /usr/lib/samba/libtalloc.so.1
(0004553)
peter   
2010-06-23 12:57   
the fix seems to be backported to 3.3.10:
http://old.nabble.com/NTLM_auth-to-win2008-r2-failed-(NT_STATUS_PIPE_DISCONNECTED)-td27336513.html

probably it is this bug:
https://bugzilla.samba.org/show_bug.cgi?id=6711

this happens on 2008 R2, on 2008 it is fine
no chance to configure r2 in a manner that it is working
-> we need a samba update or to backport the patch
(0004554)
peter   
2010-06-23 15:05   
try to upgrade to latest version

thank you lryc299 for tests and report!
(0004595)
peter   
2010-07-05 18:48   
upgraded to 3.5.4, it is working ok with windows server 2008 and windows server 2008 r2

before release needs however to be tested with all other windows server versions




Viewing Issue Advanced Details
3025 [Endian Firewall] Proxy - HTTP major have not tried 2010-06-23 18:55 2010-07-05 18:45
simon  
 
normal  
feedback 2.4  
open  
none    
none  
ldap auth does not work if the count of chars of user/groups > 256 per rule
if too many users or groups are selected, ldap_group_auth won't accept the request from ldap

the username check should not be done with ldap_group_auth
Notes
(0004555)
peter   
2010-06-23 18:58   
increased the limit of the searchfilter buffer in build_filter() and the reading buffer to 8192 chars, as is also the case for the search string specified with -f
(0004593)
peter   
2010-07-05 18:45   
isn't this fixed?
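An added illustration of the two things this ticket touches (example code, not Endian's ldap_group_auth; the filter shape with a uid term and one memberOf term per group is an assumption): a helper that splices the user name and the selected groups into an LDAP search filter must escape them per RFC 4515, because the user name arrives straight from the browser's authentication header and an unescaped `*)(uid=*` turns a membership check into a match-anything filter; and a filter that carries one term per selected group grows by a full DN for each group, so with realistic 38-character DNs the fifth group already pushes it past 256 bytes. The group DNs below are constructed.

```python
#!/usr/bin/env python3
"""Build an LDAP group-membership filter with RFC 4515 escaping and watch it
outgrow a fixed buffer.  Added example; not Endian's ldap_group_auth code.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value):
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(user, groups, user_attr="uid", group_attr="memberOf"):
    """(&(uid=<user>)(|(memberOf=<dn1>)(memberOf=<dn2>)...)), all values escaped.

    A single group needs no OR wrapper.  Attribute names are assumptions."""
    if not groups:
        raise ValueError("at least one group is required")
    user_term = "(%s=%s)" % (user_attr, ldap_escape(user))
    group_terms = "".join("(%s=%s)" % (group_attr, ldap_escape(g)) for g in groups)
    if len(groups) > 1:
        group_terms = "(|%s)" % group_terms
    return "(&%s%s)" % (user_term, group_terms)


def fits(filter_text, limit=256):
    """Would this filter survive a helper that copies it into a fixed buffer?"""
    return len(filter_text) <= limit


def sample_groups(count):
    """Constructed group DNs of realistic length (38 characters each)."""
    return ["cn=group%02d,ou=groups,dc=example,dc=com" % i for i in range(count)]


if __name__ == "__main__":
    for n in (1, 4, 5, 10):
        f = build_group_filter("alice", sample_groups(n))
        print("%2d groups: %3d bytes, fits in 256: %s" % (n, len(f), fits(f)))
    # An unescaped version of this user name would read (&(uid=*)(uid=*)...)
    print(build_group_filter("*)(uid=*", sample_groups(1)))
```

The escaping applies to values only; attribute names and the DN written into a memberOf assertion are data the administrator controls, which is why the buffer-size fix in note 0004555 is the right complement rather than a substitute for it.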




Viewing Issue Advanced Details
3045 [Endian Firewall] Firewall (iptables) minor N/A 2010-07-05 18:34 2010-07-05 18:43
peter  
 
normal  
confirmed  
open  
none    
none  
TODO: QoS rework - QoS collecting ticket
the new kernel allows rewriting QoS in an easier manner,
easier to understand and to configure.
There are no notes attached to this issue.




Viewing Issue Advanced Details
3033 [Endian Firewall] Hardware related (kernel, drivers, hardware) minor N/A 2010-06-28 10:18 2010-07-05 18:43
peter  
 
normal  
confirmed  
open  
none    
none  
missing drivers - hardware not working - collecting ticket
this is a collecting ticket
There are no notes attached to this issue.




Viewing Issue Advanced Details
1937 [Endian Firewall] Other Services minor N/A 2009-06-10 15:50 2010-07-05 18:43
peter  
 
normal  
confirmed  
open  
none    
none  
issues to fix with ddns
this ticket collects issues which need to be fixed in order to have a good working ddns
There are no notes attached to this issue.




Viewing Issue Advanced Details
1935 [Endian Firewall] Network related (VPN, uplinks) minor N/A 2009-06-10 15:06 2010-07-05 18:43
peter  
peter  
normal  
confirmed  
open  
none    
none  
issues to fix with ipsec (openswan)
this ticket collects issues which need to be fixed in order to have a good working ipsec
Notes
(0003832)
peter   
2010-02-22 20:29   
(edited on: 2010-09-03 14:31)
next major upgrade (2010/Q3) will contain a major kernel upgrade and an openswan upgrade, which solves most of these problems.

rest of the children of this ticket will also be addressed.





Viewing Issue Advanced Details
2778 [Endian Firewall] Other Scripts minor always 2010-03-18 13:53 2010-07-05 18:38
aender  
 
normal  
new 2.3  
open  
none    
none  
QoS Rule Editor
I created a QoS device and some classes.
Also rules, which are working correctly now since the efw-qos-2.3.19-1.endian5 package ;-)

But if you want to edit an existing QoS rule, the drop-down for "Destination Device / Traffic Class" shows you the first entry every time, regardless of what you set up in the rule before. So if you change the ports and click save you have also changed the "Destination Device / Traffic Class".


There are no notes attached to this issue.




Viewing Issue Advanced Details
2065 [Endian Firewall] Endian Firewall minor always 2009-08-05 18:36 2010-07-05 18:37
peter  
 
normal  
confirmed  
open  
none    
none  
QoS class id always increases, will never be freed when a class will be deleted
QoS class id always increases, will never be freed when a class will be deleted

tc class show dev eth1
class hfsc 4: root
class hfsc 4:1 parent 4: sc m1 0bit d 0us m2 200000bit ul m1 0bit d 0us m2 200000bit

after delete of interface eth1 and re-creation of interface eth1:

root@TESTbeta23:~ # tc class show dev eth1
class hfsc 6: root
class hfsc 6:1 parent 6: sc m1 0bit d 0us m2 200000bit ul m1 0bit d 0us m2 200000bit

There are no notes attached to this issue.




Viewing Issue Advanced Details
2414 [Endian Firewall] Network related (VPN, uplinks) major random 2009-11-13 10:17 2010-07-05 18:37
aender  
 
normal  
feedback 2.3  
open  
none    
none  
QoS not always working
I have the rules in the attachment that should do the following.

1. High priority for Citrix through my IPSec tunnel (local to head office)
2. Medium priority for Citrix printers through my IPSec tunnel (from head office to local)
3. Low priority (bulk traffic) for the rest that goes to RED.

Now sometimes, not always, it can happen that my Citrix sessions are very slow during a download from the internet. The first and third rules should prevent this!
Bildschirmfoto 2009-11-13 um 10.13.03.png (33 KB) 2009-11-13 10:17
Notes
(0003375)
peter   
2009-11-25 13:32   
first of all, it is necessary to also prioritize the ipsec tunnel itself.
This rule prioritizes only the printer traffic within the tunnel, but if the uplink is saturated the printer has no priority over the rest of the traffic outside the tunnel.

Rest maybe fixed with resolution of 0002281
(0003376)
aender   
2009-11-25 13:49   
ähhmm

Maybe I'm too stupid to understand that correctly.
Can you explain that to me in German?
(0003377)
peter   
2009-11-25 15:00   
To prioritize traffic in the ipsec tunnel, the ipsec tunnel itself must also be prioritized.
If the uplink is clogged by some other traffic so that the ipsec tunnel gets too little bandwidth, prioritization within the tunnel does not help.
Prioritization within the ipsec tunnel only prioritizes relative to other traffic that occurs in the same tunnel.
(0003382)
aender   
2009-11-25 16:07   
Thanks a lot.
Now its clear.

I will try it and give you a response




Viewing Issue Advanced Details
2915 [Endian Firewall] Application Level Proxies major random 2010-05-24 15:34 2010-07-05 18:23
albaney  
peter  
normal  
resolved 2.3  
fixed  
none    
none  
dnsmasq blocking cron
The script getblackholedns.py sometimes becomes "defunct" and blocks cron.daily (if the option "Spyware domain list update schedule" is set to daily).
The log /var/log/messages shows the following line on this error:

May 24 01:25:00 efwedu fcron[4163]: process already running: root's [ -x /bin/run-parts ] && run-parts --report /etc/cron.daily

I have 3 Endians and the same error occurs on every one, but in a random way: one day one Endian stops running cron.daily, another day another machine stops.
Notes
(0004516)
lucagiove   
2010-06-15 11:56   
blackholedns became zombie

root@efw:/etc/cron.daily # zcat /var/log/messages-20100614.gz | grep cron.daily
Jun 14 01:25:00 efw fcron[6151]: process already running: root's [ -x /bin/run-parts ] && run-parts --report /etc/cron.daily

fcron,6151 -c /etc/fcron.conf
  └─fcron,14763 -c /etc/fcron.conf
      └─bash,14764 -c [\040-x\040/bin/run-parts\040]\040&&\040run-parts\040--report\040/etc/cron.daily
          └─run-parts,14765 --report /etc/cron.daily
              └─(blackholedns,15219)
(0004517)
peter   
2010-06-15 12:02   
can you try to replace the following line:

/usr/local/bin/getblackholedns.py &

with

/usr/local/bin/getblackholedns.py &>/dev/null &

in /usr/lib/dnsmasq/blackholedns.cron

this should stop the script becoming a zombie.
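As an added illustration (not Endian code) of why the redirect in the note above matters: run-parts --report reads each script's stdout and stderr through a pipe so it can prefix the output with the script name, and it waits for end-of-file on that pipe. A job the script backgrounds with a bare `&` inherits the write end, so run-parts, and with it the whole cron.daily run, stays alive as long as the job does, and fcron refuses to start the next run with "process already running". Sending the job's output to /dev/null closes the pipe when the script itself exits. The script below times both variants from Python, standing in for run-parts; it spells the redirect as the portable `>/dev/null 2>&1`, since `&>` is a bash extension.

```python
#!/usr/bin/env python3
"""Show how a backgrounded job without output redirection keeps the parent
that collects the script's output waiting.  Added example; not Endian code.

subprocess.run(..., stdout=PIPE) behaves like run-parts --report here: it
reads the child's output until EOF, and EOF only arrives once every process
holding the write end of the pipe has exited.
"""
import subprocess
import time


def run_parts_like(redirect_child, hold_seconds=2):
    """Run a cron-style script that backgrounds a job for hold_seconds and
    return how long the caller waited for the script's output pipe."""
    redirect = ">/dev/null 2>&1" if redirect_child else ""
    script = "sleep %d %s &\nexit 0\n" % (hold_seconds, redirect)
    start = time.monotonic()
    subprocess.run(["sh", "-c", script], stdout=subprocess.PIPE,
                   stderr=subprocess.STDOUT, check=True)
    return time.monotonic() - start


def script_releases_pipe(redirect_child, hold_seconds=2):
    """True when the script's output pipe closed well before the job ended."""
    return run_parts_like(redirect_child, hold_seconds) < hold_seconds / 2


if __name__ == "__main__":
    print("without redirect: waited %.1fs" % run_parts_like(False))
    print("with redirect:    waited %.1fs" % run_parts_like(True))
```

The same check works for any cron.daily script suspected of this: run it under `sh -c 'script | cat'` and see whether the prompt returns when the script exits or only when its background children do.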




Viewing Issue Advanced Details
3044 [Endian Firewall] Application Level Proxies major random 2010-07-05 18:23 2010-07-05 18:23
peter  
 
normal  
confirmed 2.3  
open  
none    
none  
TODO: check all cron scripts that they redirect stdout/stderr in order to prevent zombies
check all cron scripts that they redirect stdout/stderr in order to prevent zombies

otherwise cron will not run run-parts for that directory a second time while the previous run is still considered running
There are no notes attached to this issue.
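Issues 2915 and 3044 above describe one mechanism: run-parts --report (the Debian implementation, which is the assumption here) reads each job's stdout and stderr through a pipe so it can prefix the output with the job name, and it only sees EOF once every process holding the write end of that pipe has exited. A job that backgrounds a child with a bare "&" hands the write end to the child, so run-parts keeps waiting, the already-exited job script stays a zombie until run-parts reaps it, and fcron refuses the next daily run with "process already running". Redirecting the child's output before backgrounding it, as suggested for /usr/lib/dnsmasq/blackholedns.cron, closes the pipe as soon as the job script exits. One caveat: "&>/dev/null" is bash syntax; if the cron file runs under a POSIX sh, write ">/dev/null 2>&1 &". The following script is an added demonstration, not Endian code and not taken from this tracker: it stands in for run-parts with a pipe reader and uses a constructed job that backgrounds sleep, once inherited and once redirected.

```shell
#!/bin/sh
# Added example (not Endian's code): why a cron job that backgrounds a child
# without redirecting its output keeps run-parts --report waiting.

# Create a job directory holding one job script that backgrounds a child.
# mode "broken": the child inherits stdout/stderr (the reader's pipe).
# mode "fixed":  the child's stdout/stderr go to /dev/null before it is
#                backgrounded, the portable form of the suggested fix.
# $3 is how many seconds the background child lives.
make_job() {
    dir=$1
    mode=$2
    mkdir -p "$dir"
    if [ "$mode" = broken ]; then
        printf '#!/bin/sh\nsleep %s &\n' "$3" > "$dir/job"
    else
        printf '#!/bin/sh\nsleep %s >/dev/null 2>&1 &\n' "$3" > "$dir/job"
    fi
    chmod +x "$dir/job"
}

# Run the job the way run-parts --report consumes it: read its combined
# stdout/stderr through a pipe until EOF. Prints the elapsed whole seconds,
# i.e. how long the reader was held open by processes still owning the pipe.
run_job_like_run_parts() {
    start=$(date +%s)
    "$1/job" 2>&1 | cat >/dev/null
    end=$(date +%s)
    echo $((end - start))
}

# The broken job holds the pipe for the child's whole lifetime; the fixed
# one returns as soon as the job script itself exits.
demo() {
    tmp=${TMPDIR:-/tmp}/runparts-demo.$$
    make_job "$tmp/broken" broken 2
    make_job "$tmp/fixed" fixed 2
    echo "broken job held the reader for $(run_job_like_run_parts "$tmp/broken")s"
    echo "fixed job held the reader for $(run_job_like_run_parts "$tmp/fixed")s"
    rm -rf "$tmp"
}

demo
```

The same pipe check works as a quick audit of a real cron directory: run each script through "script 2>&1 | cat >/dev/null" and time it; anything that takes as long as its background children is a candidate for the redirection fix.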




Viewing Issue Advanced Details
3039 [Endian Firewall] OpenVPN Client and Server minor have not tried 2010-07-01 16:22 2010-07-05 18:09
_thebishop_  
 
normal  
feedback 2.4  
open  
none    
none  
OpenVPN Client problem updating from 2.2 to 2.4 EFW
Updating from 2.2 to 2.4 EFW, a previously configured OpenVPN client session fails to connect.
It's also impossible to modify or delete the configuration, as in fact editing the tunnel settings actually creates a new (working) tunnel with the same name. Trying to delete the old (non-working) tunnel ends up deleting the new one and leaving the old one intact.

However this is not a blocking problem, as the newly created client tunnel works well, but there's no way to remove the old one (which fails when trying to connect) via the web interface.
There are no notes attached to this issue.




Viewing Issue Advanced Details
319 [Endian Firewall] Installation crash always 2007-11-18 15:34 2010-07-02 19:29
schosch99  
 
normal  
acknowledged 2.1.2  
reopened  
none    
none  
Community ISO - Installer reports "Segmentation fault"
Starting the installer from the Community ISO leads to a blue screen, with the report "Segmentation fault" in the upper left corner. Then the screen switches to suspend, powers on again and the message appears again. This continues until one resets the computer.

I also tested the ISO on a new vmware image on a notebook, which was ok.
I also got the error with the new 2.2 beta1 ISO image.

CPU: VIA C3 600 Mhz
Mainboard: VIA EPIA-PD (MiniITX-Board)
RAM: 1x256 MB
Graphic: VIA onboard
see also ID 0000205: (same error)
Notes
(0000647)
schosch99   
2007-11-18 15:40   
Booted from USB-CDROM drive.

Tested with a 2.5inch 40GB harddisk and with a 4 GB CF-Card.
Both same error.

Will tomorrow also check with a IDE CDROM drive and report result.
(0000915)
raphael   
2008-02-12 10:38   
Did you try with 2.2 Beta 3?
(0000916)
schosch99   
2008-02-13 01:07   
It now boots further, but hangs then at another step.

I get a blue screen on console 1.
Switching to console 2 shows some lines running in an endless loop.
Reads like this:


Initializing USB controllers
Running command: /sbin/modprobe sd_mod
... sr_mod
... usb-storage
... ehci_hcd
... ohci_hcd
... uhci_hcd
... usbhid
FATAL: Module usbhid not found
Running command: /bin/mount -t usbfs none /proc/bus/usb
... failed: device or resource busy
running command /bin/mountsource.sh
scanning source media
install program started
probe hardware
running command: /bin/hwdetect.sh
detecting hardware
initializing PCMCIA controllers
running command: modprobe i82365
FATAL: Module i82365 not found
detected no PCMCIA controllers ...

... running endless


Setup is:
CPU: VIA C3 600 Mhz
Mainboard: VIA EPIA-PD (MiniITX-Board)
RAM: 1x256 MB
Graphic: VIA onboard
CF-Card 4GB, no harddisk
CDROM on USB

Unfortunately I just cannot test with a CD-ROM on IDE.
(0000917)
schosch99   
2008-02-13 12:36   
I now also checked with a IDE-plugged CDROM. Nothing changed.
I get the same endless loop running on modprobes.
(0002539)
peter   
2009-06-09 22:07   
please reopen if it happens again on 2.3
(0003305)
bxiat   
2009-11-16 19:40   
(edited on: 2009-11-16 19:41)
I have the same error using EFW 2.3, booting the setup from a USB flash drive created with unetbootin.

IBM M51 8106-CTO.

http://www-307.ibm.com/pc/support/site.wss/product.do?template=/product.do?template=%2Fproductpage%2Flandingpages%2FproductPageLandingPage.vm&sitestyle=lenovo&modelind=0&partnumberind=0&subcategoryind=0&doccategoryind=0&operatingsystemind=49979&validate=true&Brand=Desktops&brandind=11&Family=ThinkCentre%20M51&familyind=179852&doctypeind=8&Type=8106&machineind=232278

(0003724)
bl117   
2010-01-30 03:01   
Having the same issue with an Asus P5QL booting from USB thumbdrive, USB DVD, Pata DVD on Jmicron controller, Sata DVD.
(0004110)
Lopot   
2010-04-02 18:16   
Having the same issue with a VIA 3V700D booting from USB or SATA HDD.
(0004111)
pablo   
2010-04-05 09:08   
Same issue with Intel D945GSEJT booting from USB or PXE.
(0004115)
pablo   
2010-04-07 04:18   
Booting from an SATA CD-ROM on the D945GSEJT works fine.
(0004323)
Lopot   
2010-05-31 22:07   
The problem stays on EFW 4.0.
(0004543)
Lopot   
2010-06-20 17:31   
My fault, a not well working USB CD-ROM. Solved.
(0004577)
wiwi   
2010-07-02 11:05   
(edited on: 2010-07-04 23:32)
With EFW 2.4 I have nearly the same problem with a blue screen. No 'Segmentation fault', but when pressing ALT-F2

...
FATAL: Module usbhid not found
Running command: /bin/mount -t usbfs none /proc/bus/usb
... failed: device or resource busy
running command /bin/mountsource.sh
scanning source media
...

is running endless.

I have a new jetway board with via chipset/processor.

Tried the installation with a SATA DVD-ROM and with a USB stick. Always the same.

My HD is a SUPER TALENT SSD with 32GB

(0004578)
wiwi   
2010-07-02 19:29   
now I have the error Message:
FATAL: Error inserting via_velocity (via-velocity[...]): Unknown symbol in module, or unknown parameter (see dmesg)

It looks like there is a problem with the LAN Driver




Viewing Issue Advanced Details
3015 [Endian Firewall] Network related (VPN, uplinks) major always 2010-06-18 03:52 2010-07-02 07:03
akurz  
 
normal  
new 2.4  
open  
none    
none  
Uplink failover doesn't seem to work. Failed uplink doesn't come back online.
Automatic failover with two PPPoE WAN uplinks doesn't seem to work. Unplugging the main uplink causes complete disconnection while the backup link is up. After plugging the line back in, the main uplink cannot re-establish the connection until reboot.

Failover after manually disabling main uplink works fine.

See "Additional Information" for test description and attached screenshots for config.
Test 1:

1. Rebooted EFW. Both uplinks are up.
2. Went to /Network/Interfaces/Uplink Editor and deactivated the main uplink.
3. Main uplink went to "INACTIVE" on dashboard.
4. Backup interface took over. Everything is working fine.

Test 2:

1. Rebooted EFW. Both uplinks are up.
2. Pulled the DSL plug (between DSL modem and wall socket).
3. Main uplink went to "CONNECTING" on dashboard.
4. Backup interface DOES NOT take over. No internet connection through the EFW possible.

In this state the main uplink switches back and forth between "CONNECTING" and "INACTIVE". The backup uplink stays "UP".

And here comes the worst issue: when I re-connect the wire that I've unplugged before, the main uplink switches between "CONNECTING" and "DEAD", but wouldn't go back up. The log shows this (repeating):

Jun 18 03:16:02 pppd[20281] Plugin rp-pppoe.so loaded.
Jun 18 03:16:02 pppd[20281] RP-PPPoE plugin version 3.3 compiled against pppd 2.4.4
Jun 18 03:16:02 pppd[20281] pppd 2.4.4 started by root, uid 0
Jun 18 03:16:02 pppd[20281] PPP session is 6613
Jun 18 03:16:02 pppd[20281] Using interface ppp1
Jun 18 03:16:02 pppd[20281] Connect: ppp1 <--> eth4
Jun 18 03:16:03 pppd[20281] CHAP authentication succeeded
Jun 18 03:16:03 pppd[20281] CHAP authentication succeeded
Jun 18 03:16:03 pppd[20281] peer from calling number 00:90:1A:42:8A:BE authorized
Jun 18 03:16:03 pppd[20281] local IP address 212.114.255.119
Jun 18 03:16:03 pppd[20281] remote IP address 82.135.16.28
Jun 18 03:16:03 pppd[20281] primary DNS address 212.18.3.5
Jun 18 03:16:03 pppd[20281] secondary DNS address 212.18.0.5
Jun 18 03:16:09 pppd[20288] Terminating on signal 15
Jun 18 03:16:09 pppd[20288] Connect time 0.1 minutes.
Jun 18 03:16:09 pppd[20288] Sent 120 bytes, received 40 bytes.
Jun 18 03:16:09 pppd[20288] Connection terminated.
Jun 18 03:16:09 pppd[20288] Exit.
Jun 18 03:16:10 pppd[20762] Plugin rp-pppoe.so loaded.
Jun 18 03:16:10 pppd[20762] RP-PPPoE plugin version 3.3 compiled against pppd 2.4.4
Jun 18 03:16:10 pppd[20762] pppd 2.4.4 started by root, uid 0
Jun 18 03:16:45 pppd[20762] Timeout waiting for PADO packets
Jun 18 03:16:45 pppd[20762] Unable to complete PPPoE Discovery
Jun 18 03:16:45 pppd[20762] Exit.

Only a reboot brings me back online. The backup link showed "UP" all the time.

This one might be a duplicate of case 0002213: "Endian Firewall not automatically change default route to the secondary uplink".
failover.jpg (156 KB) 2010-06-18 03:52
Notes
(0004541)
akurz   
2010-06-20 02:11   
Update: I got it working ONCE. Out of sheer desperation I set up a policy route as follows:

Source: GREEN, Destination: ANY, Service/Port: ANY/ANY, Route via: Main uplink, Use backup link if uplink fails: checked

- switched off uplink manually -> failover works after about 10 sec.
- switched main uplink back on -> routing switched over to main
- pulled cable from main uplink DSL modem -> failover works after about 30 sec.
- plugged cable back in -> main uplink comes back up and traffic goes through it

Perfect so far. Only when I tried the same thing about an hour later it didn't work and I haven't got it working since then. I haven't changed a thing between the two tests.

No idea if it worked once because of the policy rule I've set up or if it was pure coincidence.

During my tests I also found that at one point traffic from the ORANGE interface suddenly went through the main uplink, which it is not allowed to do (set by policy route). After a reboot ORANGE traffic went through the correct uplink again and always did ever since.

Something seems to be real wrong there.
(0004556)
akurz   
2010-06-24 01:15   
Nobody interested???

One more update: as a workaround I have now removed the DSL modems and replaced them with small DSL routers, which are now taking care of the connections. The interfaces are set to "Ethernet DHCP".

With these settings everything seems to work all right (yet), but having two cheap router boxes in front of the EFW doesn't exactly make me sleep better. In my opinion the failover feature is one of the biggest differentiators to any other free firewall, but if it doesn't work with PPPoE - which is still one of the most widely used connection protocols - it will scare people away. It's also quite disturbing that this request sits here for 6 days and doesn't seem to get any attention, while other (from my perspective very minor) stuff is dealt with.

I am still willing to help fixing this issue by testing all scenarios possible with my equipment, but if it takes too long I'll live with the workaround for the time being and keep on looking around for alternatives. I know, I'm just one guy, but think about this as an example. There may be hundreds of people with the same issue who simply don't tell anybody. They just walk away. Wouldn't it be a pity to erode the (already not too big) community this way?

Regards,
Alex
(0004576)
rjeeves33   
2010-07-02 07:03   
I'm interested mate. I can reproduce the PPPoE failover issue also. Such a shame, as that's one of the attractions of the Endian device. I see this was an issue that got resolved back in an RC of 2.2. Looks like it's back.





Viewing Issue Advanced Details
3027 [Endian Firewall] Other Services feature N/A 2010-06-25 18:59 2010-07-01 19:43
deepthought  
 
normal  
new 2.4  
open  
none    
none  
Add IGMP Proxy and Multicast-Support for supporting IPTV
(at least in Germany) IPTV via VDSL etc. requires multicast support.

works with the IGMP proxy from http://sourceforge.net/projects/igmpproxy

and multicast allowed in iptables like
iptables -I FORWARD -s 217.0.119.0/24 -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -s 193.158.35.0/24 -d 224.0.0.0/4 -j ACCEPT
iptables -I INPUT -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -d 224.0.0.0/4 -j ACCEPT

I think it would be a well received feature if there were an "enable IPTV" switch. Not sure if that would work the same way in other countries though :/
Notes
(0004575)
deepthought   
2010-07-01 19:43   
btw: needs VLAN 7 (PPPoE/"normal" internet) and VLAN 8 (DHCP/multicast) on the red interface
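A caveat on the rules posted in this request: the last two (INPUT and FORWARD with only "-d 224.0.0.0/4") accept multicast arriving on any interface from any source, which makes the two source-restricted rules before them redundant and lets any host on RED or ORANGE push multicast at the firewall and into GREEN. For an IPTV setup the streams only ever arrive on the multicast VLAN, so the rules can be bound to that interface and to the provider's source ranges. The generator below is an added example, not Endian code and not the poster's rules; the interface names (vlan8 for the IPTV VLAN on RED, br0 for GREEN) and the two /24 networks are assumptions taken from this report, and the function only prints the commands so the set can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example (not Endian's code): multicast/IGMP proxy firewall rules that
# are bound to the IPTV uplink VLAN instead of accepting multicast from every
# interface. Interface names and provider networks are placeholders; adjust
# them to the real setup. Nothing is applied by calling these functions.

# iptv_rules IPTV_IF GREEN_IF SRCNET...
# Prints one iptables command per line.
iptv_rules() {
    iptv_if=$1
    green_if=$2
    shift 2
    # igmpproxy on the firewall itself must see IGMP queries arriving on
    # the IPTV VLAN; no other interface needs to deliver IGMP to the box.
    echo "iptables -I INPUT -i $iptv_if -p igmp -j ACCEPT"
    for net in "$@"; do
        # Streams the proxy joins on behalf of clients, from provider
        # ranges only.
        echo "iptables -I INPUT -i $iptv_if -s $net -d 224.0.0.0/4 -j ACCEPT"
        # Streams forwarded towards the set-top boxes on GREEN.
        echo "iptables -I FORWARD -i $iptv_if -o $green_if -s $net -d 224.0.0.0/4 -j ACCEPT"
    done
    # IGMP membership reports from GREEN reach igmpproxy; they are not routed.
    echo "iptables -I INPUT -i $green_if -p igmp -d 224.0.0.0/4 -j ACCEPT"
}

# Sanity check for the generated set: every rule must name an ingress
# interface, so the "accept all multicast from anywhere" shape cannot come
# back by accident. Returns 0 when all rules are bound, 1 otherwise.
rules_are_bound() {
    if iptv_rules "$@" | grep -v ' -i ' >/dev/null; then
        return 1
    fi
    return 0
}
```

Usage: "iptv_rules vlan8 br0 217.0.119.0/24 193.158.35.0/24" prints the set; pipe it to sh once it has been read. Because the rules are inserted with -I, run them in the order printed or they end up reversed in the chain.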




Viewing Issue Advanced Details
2818 [Endian Firewall] Other Scripts minor have not tried 2010-04-06 15:44 2010-06-30 14:49
lucagiove  
 
normal  
confirmed 2.3  
open  
none    
none  
gui says "some error" on QoS
When I add or modify a QoS rule, I get the message 'some error' that appears under 'TOS/DSCP', see the screenshot
31-03-2010 10-26-38.png (53 KB) 2010-04-06 15:44
QoS devices.jpg (137 KB) 2010-05-04 19:29
QoS Classes.jpg (146 KB) 2010-05-04 19:30
Some Error.jpg (156 KB) 2010-05-04 19:30
80599.png (84 KB) 2010-06-30 14:27
Notes
(0004114)
peter   
2010-04-06 18:19   
does not happen to me.
is the system up-to-date?

can you try the same on another installation?
(0004226)
baldy   
2010-05-04 19:29   
I have the same issue. Tried to define a QoS rule allowing <ALL> under service. Protocol TCP&UDP and ports 0:65535 are selected by default.

I think that in this case the port range is where the error message comes from.

I have also defined a QoS rule allowing <ANY>, which can be created successfully.

Screenprints are added.
(0004229)
peter   
2010-05-05 11:20   
I did not manage to reproduce either of those issues; I tried with the same input parameters.

However I managed to get the same error using an invalid MAC address.


I think those 2 issues are already fixed and the fixes will be released soon.
However, the real problem is the expressionless error message, which we should turn into something that really explains what is wrong.
(0004573)
aender   
2010-06-30 14:49   
Why target version "future"?

QoS is a feature that should have worked since 2.3!!
And 2.3 is an 8-month-old version....
At the moment QoS is not usable and a working QoS seems to be far away.

Can Endian give us any status information on a release date for a working QoS?




Viewing Issue Advanced Details
3036 [Endian Firewall] Application Level Proxies tweak N/A 2010-06-30 09:14 2010-06-30 10:12
fabiana  
 
normal  
confirmed 2.4  
open  
none    
none  
Update SA
Update from SpamAssassin version 3.2.5 to the current SpamAssassin 3.3.1 (which delivers much more updates on the rules).
Notes
(0004571)
peter   
2010-06-30 10:12   
amavis needs also an update




Viewing Issue Advanced Details
2914 [Endian Firewall] Hardware related (kernel, drivers, hardware) feature always 2010-05-23 19:37 2010-06-28 10:25
deepthought  
 
normal  
acknowledged 2.3  
open  
none    
none  
Hyper-V Network-Drivers Support
Support for the Hyper-V native "Network Adapter"; it currently works only with the mind-bogglingly slow "Legacy Network Adapter", max throughput approx. 10 MBit.
Running EFW virtualised might not be the suggested way, but it somehow keeps coming up, I guess. See: http://endian-forum.de/index.php?page=Thread&postID=85#post85 (in German). Besides me there seem to be more users who would appreciate running an EFW instance as a Hyper-V guest OS.
There are no notes attached to this issue.




Viewing Issue Advanced Details
2811 [Endian Firewall] Other Services major always 2010-04-02 06:53 2010-06-28 10:23
CALYSTO  
 
normal  
acknowledged 2.3  
open  
none    
none  
Dynamic DNS with zoneedit doesn't work for an empty Host Name
Hi, I'm having problems with the Dynamic DNS service when I use zoneedit. I put the file of issue 0001372.
This works fine when I fill in something in the Host Name field; zoneedit updates the changes really fast. But with zoneedit I don't need to fill in this field (Host Name), so when I don't write anything in Host Name and click on Add, the line of the new dynamic DNS entry appears but the zoneedit zone is not updated.
I come from IPCop, but when I discovered Endian I tried and tried and tried, because this is a really good firewall and I really like it, more than IPCop, but I can't make it work.
Please help.

Thanks for all.
There are no notes attached to this issue.




Viewing Issue Advanced Details
3026 [Endian Firewall] Hardware related (kernel, drivers, hardware) minor always 2010-06-23 20:18 2010-06-28 10:21
jonassimpson  
 
normal  
acknowledged 2.4  
open  
none    
none  
Broadcom BCM57788 not detected
Installed 2.4 on three Dell Vostro 230 slim towers. Onboard Broadcom Ethernet is not detected. Device id shows up as vendor "14e4", device "1691".

From a bit of research, the tg3 driver does support this chipset:

http://cateee.net/lkddb/web-lkddb/TIGON3.html

I can't find the PCI ID in the module or in the source files. Maybe there is an easy way to add and recompile the module?
Notes
(0004560)
baldy   
2010-06-24 11:52   
Possible fix can be found in the comments here:

https://bugzilla.redhat.com/show_bug.cgi?id=525966

I do not have this card so I can not test myself.




Viewing Issue Advanced Details
3031 [Endian Firewall] Hardware related (kernel, drivers, hardware) trivial have not tried 2010-06-27 16:38 2010-06-28 10:20
baldy  
 
normal  
acknowledged 2.4  
open  
none    
none  
Via Rhine III (VT6105) not supported
On a system with the Via VT6105 card installed there is no driver loaded for this card.

With lspci the card is shown, but no driver is loaded nor is there any message during boot about it.
There are no notes attached to this issue.




Viewing Issue Advanced Details
1927 [Endian Firewall] Uncategorized minor N/A 2009-06-09 20:45 2010-06-28 10:20
peter  
 
normal  
new  
open  
none    
none  
Reports to be checked - collecting ticket
Here we collect bug reports, which we can't handle immediately, because:

- Issue *may be* already fixed in the latest version, but reproducing it on the
  newer versions has not been tried. Needs confirmation that the issue still
  exists, otherwise the ticket will be closed after a while.

- Issue is not of interest anymore, due to hardware changes, feature
  changes/enhancements, ... Ticket will be closed after a while, if there is
  no response.

- Issue description is too vague or not present at all. Needs more feedback.

There are no notes attached to this issue.




Viewing Issue Advanced Details
3032 [Endian Firewall] GUI feature always 2010-06-28 00:30 2010-06-28 00:30
baldy  
 
normal  
new 2.4  
open  
none    
none  
In the port forwarding section the only choice you have is Apply
If one accidentally removes or changes a rule it would be nice to have a Cancel button next to the Apply button.
There are no notes attached to this issue.




Viewing Issue Advanced Details
3030 [Endian Firewall] Application Level Proxies major always 2010-06-26 10:49 2010-06-26 10:53
mschwenk  
 
normal  
new 2.4  
open  
none    
none  
Turning on FTP Proxy blocks FTP downloads via Browser like IE or FF
I use a transparent HTTP proxy. Port 21 is in the list of ports. All works fine. As soon as I turn on the FTP proxy I cannot download data via FTP from my web browser. This was tested with IE, Firefox and Safari.

Is there a config issue? I see traffic in the logs of the firewall. It seems like some redirection is working and that the FTP connection is talking to the FW and is using it, but the connection doesn't seem to work.

Best regards

Mario
Notes
(0004565)
mschwenk   
2010-06-26 10:53   
I know this issue already exists, but it was not yet reported for 2.4.




Viewing Issue Advanced Details
3029 [Endian Firewall] GUI major always 2010-06-25 23:17 2010-06-25 23:17
mschwenk  
 
normal  
new 2.4  
open  
none    
none  
After starting Snort empty config page
I installed new endian community 2.4

I updated the Snort rules and started Snort. Now the main page of Snort is just empty (see attached pic).

/usr/local/bin/restartsnortrules.py worked but didn't change anything

/usr/local/bin/restartsnort.py gave me following error:
snort (pid 8695 8692) is running...
Stopping snort: [ OK ]
snort is stopped
2010-06-25 23:04:17,067 - restartsnort.py/enabled_rule_targets[8650] - INFO - Starting SNORT...
Starting snort: [ OK ]
Traceback (most recent call last):
  File "/usr/local/bin/restartsnort.py", line 401, in ?
    exit(0)
  File "/usr/local/bin/restartsnort.py", line 58, in exit
    end_notifications()
  File "/usr/lib/python2.4/site-packages/endian/core/logger.py", line 140, in end_notifications
  File "/usr/lib/python2.4/site-packages/endian/core/logger.py", line 266, in end_notifications
  File "/usr/lib/python2.4/site-packages/endian/core/notification.py", line 312, in end
  File "/usr/lib/python2.4/site-packages/endian/core/notification.py", line 238, in close
OSError: [Errno 2] No such file or directory: '/var/lock/services/snort.status'


I created /var/lock/services/snort.status with touch

Now the script worked but the GUI is still broken. If I remove the whole folder /etc/snort the GUI is there again, but then it is not working because of missing config files.

I reinstalled and had the same error again.

Can you give me any advice? In general Snort seems to run but is not accessible via the GUI.

Best regards

Mario
Unbenannt.JPG (131 KB) 2010-06-25 23:17
There are no notes attached to this issue.




Viewing Issue Advanced Details
2879 [Endian Firewall] Proxy HTTP major have not tried 2010-04-29 15:48 2010-06-24 12:28
lucagiove  
peter  
normal  
resolved 2.3  
fixed  
none    
none  
list out of range with many ldap users
Http Proxy authenticating against a Novell eDirectory.

When a new rule is going to be created returns an error due to the high number of users (over 1000 users and about 100 groups).

See the pic.
72797.png (61 KB) 2010-04-29 15:48
Notes
(0004264)
lucagiove   
2010-05-26 14:54   
Seems that this issue happens even if the ldap tree has only 4 users!
(0004427)
lucagiove   
2010-06-08 12:01   
FIX:
replace ${rule.for} with ${rule.for_} at line 150 in /etc/squid/squid.conf.tmpl

afterwards you need to run restartsquid.py --force
(0004484)
peter   
2010-06-11 10:18   
applied, thank you for the fix
(0004557)
lucagiove   
2010-06-24 10:14   
other bugs have been discovered which cause this behaviour, added as relationship
(0004563)
simon   
2010-06-24 12:28   
fixed with 0003025




Viewing Issue Advanced Details
2986 [Endian Firewall] Proxy HTTP block always 2010-06-08 12:39 2010-06-24 12:27
lvfranz  
simon  
normal  
resolved 2.4  
fixed  
none    
none  
http proxy still writing conf
I have installed EFW 2.4 in bridged mode, configured the HTTP proxy as non-transparent, configured authentication with LDAP v3, then created a new access policy, selected "authentication required", selected the user, and the message "writing squid configuration" appears... and it is blocked here; the message doesn't go away.
I have reinstalled lots of times and every time it is the same.
Notes
(0004562)
simon   
2010-06-24 12:27   
fixed with #2877




Viewing Issue Advanced Details
2856 [Endian Firewall] Proxy - HTTP feature always 2010-04-20 10:47 2010-06-24 12:25
lucagiove  
simon  
normal  
resolved  
fixed  
none    
none  
LDAP users order
Would it be possible to order LDAP users and groups on alphabetical order? Currently it lists users and groups in the order that they are created.
Notes
(0004185)
lucagiove   
2010-04-28 15:07   
This feature will apply also on for ntlm users? If not would be useful to add.




Viewing Issue Advanced Details
3023 [Endian Firewall] Proxy - HTTP minor always 2010-06-22 12:03 2010-06-24 10:45
peter  
peter  
normal  
confirmed 2.4  
fixed  
none    
none  
BDC does not work anymore
if a BDC is configured, restartsamba.py exits with a traceback

after fixing winbind.conf manually and putting the PDC down for testing the BDC, wbinfo does not respond.

the problem is the /etc/krb5.conf file, where [realms] needs a kdc= line for each password server instead of specifying them in a space-separated list.
Notes
(0004558)
peter   
2010-06-24 10:45   
still does not really work..

if there's a PDC and a BDC, winbindd always contacts only one of them. If that DC goes down, winbindd does not try the other DC, but gets an error.

If winbindd is restarted in that situation it uses the other, working DC and so it continues working
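The krb5.conf point in this issue is easy to get wrong in a template because the [realms] section takes one "kdc =" line per KDC; several names on a single "kdc =" line are read as one host name and the library never falls back to the second server. The generator below is an added example, not Endian's restartsamba.py: it writes a stanza with one line per password server and, for comparison, the single-line shape that does not work. The realm and host names are placeholders. As the follow-up note records, this only fixes the Kerberos side; winbindd was still observed sticking to one DC until restarted.

```shell
#!/bin/sh
# Added example (not Endian's code): emit the [realms] stanza of krb5.conf
# with one kdc= line per password server. Realm and server names are
# placeholders supplied by the caller.

# krb5_realm_stanza REALM SERVER...
# Prints the stanza. The first server is also used as admin_server, which
# is an assumption of this example (krb5 takes a single admin_server).
krb5_realm_stanza() {
    realm=$1
    shift
    printf '[realms]\n  %s = {\n' "$realm"
    for kdc in "$@"; do
        printf '    kdc = %s\n' "$kdc"
    done
    printf '    admin_server = %s\n  }\n' "$1"
}

# The shape that does not work: every server on one kdc= line, which the
# library parses as a single (non-existent) host name.
broken_realm_stanza() {
    realm=$1
    shift
    printf '[realms]\n  %s = {\n    kdc = %s\n  }\n' "$realm" "$*"
}

# Count kdc= lines in a generated stanza, so a check can confirm that each
# server got its own line before the file is installed.
kdc_line_count() {
    krb5_realm_stanza "$@" | grep -c '^ *kdc = '
}
```

Usage: "krb5_realm_stanza EXAMPLE.LOCAL pdc.example.local bdc.example.local" prints the working stanza; "kdc_line_count" with the same arguments should equal the number of servers passed in.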





Viewing Issue Advanced Details
2820 [Endian Firewall] Proxy HTTP minor always 2010-04-06 18:02 2010-06-23 16:13
simon  
simon  
normal  
confirmed 2.3  
open  
none    
none  
If NETBIOS name differs from domain name UTM is not able to join
in winbind.conf the NetBIOS name is used for the workgroup name
at the moment the workgroup name is made from the highest-level domain, because it usually is the NetBIOS name.

we need a checkbox which enables the admin to define the netbios name of the pdc if it differs from the highest level domain.

e.g.:
domainname: test.local
netbiosname: test
There are no notes attached to this issue.




Viewing Issue Advanced Details
3019 [Endian Firewall] Network related (VPN, uplinks) major always 2010-06-21 14:21 2010-06-22 01:18
fabiana  
 
normal  
new 2.4  
open  
none    
none  
No QoS on Red
QoS is still not working on the red interface. I can set whatever I want for Down/Upstream, it's ignored. It's an upgraded Endian from 2.3 -> 2.4. Not tried it with a new installation. During the upgrade no QoS rules were active.
Notes
(0004548)
Renee   
2010-06-22 01:18   
That's normal, I think: the QoS output device is wrong, but there is another mistake so that QoS does not work right, see http://bugs.endian.it/view.php?id=3022




Viewing Issue Advanced Details
3022 [Endian Firewall] Other Services minor always 2010-06-22 00:55 2010-06-22 00:55
Renee  
 
normal  
new 2.4  
open  
none    
none  
Qos iptables rules wrong / Qos must specific with source and destination ports
I looked at the iptables rules for QoS and see a mistake: your QoS script creates iptables entries with the same port as source and destination. This is wrong, because most applications use another source port to connect to the server, so the destination port must be different, or QoS only works in one direction.
Please make source and destination port fields available in the rule editor and change your QoS script so that it creates iptables QoS rules with source and destination port.
For example:
CLASSIFY source port: 80, destination port: 0:65535
RETURN source port: 0:65535, destination port: 80
This way QoS works in both directions (see attachment).
I think the QoS interface for red is wrong; for PPPoE users it must be ppp0. I have tested it with green: when I use the physical device QoS does not work, when I use the bridge for green it works. But your QoS script only uses the physical device for the uplink.
Image1.jpg (283 KB) 2010-06-22 00:55
There are no notes attached to this issue.




Viewing Issue Advanced Details
3018 [Endian Firewall] OpenVPN Client and Server major always 2010-06-21 11:46 2010-06-21 11:46
Stevesix  
 
normal  
new 2.4  
open  
none    
none  
OpenVPN Routing issue
After upgrading from version 2.3, OpenVPN seems no longer able to route data to and from remote clients after restoring a backup from the same version. All clients connect correctly, but no packet is sent through the tunnels. A trace shows that packets are routed via the first Internet connection available rather than through the appropriate tunnels. This anomalous behaviour is the same with a newly installed version 2.4.
Re-running a new test installation of version 2.3, keeping the same configuration, everything works properly and the data is routed through the correct tunnel.
Other tests performed: new clean install of 2.3. Restoring a working backup with several pre-configured OpenVPN tunnels. The web interface no longer seems to work, but the tunnels do. Upgrade to 2.4. Now everything works, but if a new restore from a backup of the current version were needed, the tunnels would cease to function again.
My Config:
1 GREEN Interface.
2 RED Interface: The 1st interface (main) is an ADSL connection for web navigation only. The 2nd is an HDSL connection used to connect several remote office with OpenVPN.
There are no notes attached to this issue.




Viewing Issue Advanced Details
2805 [Endian Firewall] GUI feature always 2010-03-30 08:07 2010-06-21 08:30
petr konderla  
petr konderla  
normal  
resolved 2.3  
fixed  
none    
none  
No possibility to remark the IPs in the IP list in the firewall config.
Because in EFW 2.2 this menu was a bit simpler, there was an option to remark every IP, which was very useful.

Maybe this way is enough without a huge rework:

192.168.10.4 #myip
207.46.197.32 #ip of bill gates
Untitled-2.jpg (30 KB) 2010-03-30 08:07
Notes
(0004545)
petr konderla   
2010-06-21 08:29   
This is a dirty but working/fast override. I don't know if this is the best way to do it, but it is enough for me.

To disable checking of the source ip in dnat, comment this:

# if (! is_ipaddress($item)) {
# push(@errormessages, _('Invalid source IP address "%s"', $item));
# }

in:
/home/httpd/cgi-bin/dnat.cgi

Then keep an eye on the syntax:
192.168.10.10 #Evelin`s ip
10.10.10.10 #My external ip
etc...
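A security note on the workaround in the previous note: commenting out the is_ipaddress check in dnat.cgi removes the only validation on a field whose value ends up in the firewall configuration and, from there, on iptables command lines, so anything typed after the "#" (or instead of an address) is accepted by the web interface. The same "address #remark" syntax can be supported without giving that up by splitting the remark off first and validating only the address part. The following is an added example, not Endian's dnat.cgi (which is Perl and has its own is_ipaddress helper): it is a POSIX shell version of that split-then-validate step, with its own IPv4/CIDR check, and the entries it is tested with are the ones from this issue plus a constructed injection attempt.

```shell
#!/bin/sh
# Added example (not Endian's dnat.cgi): accept "ADDRESS #remark" entries
# without dropping address validation. The remark is split off first, then
# the remainder must be a plain dotted-quad IPv4 address or a CIDR prefix.

# Prints the address part of "$1": text before the first '#', trimmed.
addr_part() {
    printf '%s\n' "$1" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}

# Prints the remark part of "$1": text after the first '#', trimmed;
# empty when there is no '#'.
remark_part() {
    case $1 in
        *'#'*) printf '%s\n' "${1#*#}" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' ;;
        *) printf '\n' ;;
    esac
}

# Returns 0 if "$1" is an IPv4 address (each octet 0-255, at most 3 digits),
# optionally followed by /0 to /32; returns 1 otherwise. Only awk is used,
# so no shell-level pattern matching is exposed to the input.
is_ipaddress() {
    printf '%s\n' "$1" | awk -F'/' '
        NF > 2 { exit 1 }
        NF == 2 && ($2 !~ /^[0-9]+$/ || $2 + 0 > 32) { exit 1 }
        {
            n = split($1, o, ".")
            if (n != 4) exit 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) exit 1
            exit 0
        }'
}

# Validates one list entry. Prints "ADDRESS<TAB>REMARK" and returns 0 when
# the address part is valid; returns 1 otherwise. The remark may contain
# anything because it is only ever displayed, never placed in a rule.
check_entry() {
    a=$(addr_part "$1")
    r=$(remark_part "$1")
    is_ipaddress "$a" || return 1
    printf '%s\t%s\n' "$a" "$r"
}
```

Usage: "check_entry '192.168.10.4 #myip'" prints the address and the remark separated by a tab and exits 0; "check_entry '1.2.3.4; rm -rf / #oops'" exits 1 because the text before the '#' is not an address. Only the first field should be written to the rule; the remark goes back into the form for display.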




Viewing Issue Advanced Details
2989 [Endian Firewall] Log and Statistics minor sometimes 2010-06-09 13:36 2010-06-20 20:34
aender  
 
normal  
feedback 2.4  
open  
none    
none  
Dashboard can show negative CPU usage
It can happen that the CPU usage is negative (-2%)
cpu.JPG (115 KB) 2010-06-09 18:53
negative cpu.jpg (170 KB) 2010-06-15 22:12
Notes
(0004452)
aender   
2010-06-09 13:37   
On an EFW that is running on a Xen host as domU with the PAE kernel it always shows -98%

I could reproduce this only with Firefox and Safari
(0004530)
baldy   
2010-06-15 22:14   
(edited on: 2010-06-19 00:53)
On Firefox, physical machine standard 2.4 version with updates via efw-upgrade.

A Pentium 4 521 2.8GHz with HT shows values between -1 and -4

(0004540)
akurz