This is the discussion thread for ClearOS 7.1 Beta 3 which was released on 31 July 2015. If you have downloaded a copy of this release and have bugs, issues, or feedback, please feel free to report it here.

To review the release notes, click here.

To download your copy, click here.

With this version we have some major introductions. You can install and run Samba Directory now as your directory server. There is also a powerful events system which allows you to get notified if your box does things that match certain criteria.
Friday, July 31 2015, 02:39 PM
Responses (48)
  • UrbanSk
    Monday, September 28 2015, 10:00 AM
    Any progress for a miniupnpd version for ClearOS 7?

    Peter Baldwin wrote:

    Eric Anderson wrote:

    I didn't see miniupnpd on the installation disk, does it exist in one of the repos?


    It's not available. That's a pet project that I do when I can get around to it. I have made the changes for ClearOS 7 (here), but I haven't yet pushed the package through the build system.
  • Friday, September 25 2015, 01:08 AM
    Fredrik Fornstad wrote:

    Did some troubleshooting with Samba simple networking and my Windows 10 PC. ... snip ...


    Progress! I can definitely duplicate the issue. My old Windows XP VM and a Windows 7 laptop work fine with ClearOS 7 Flexshares. However, as soon as I fired up a Windows 10 machine there was trouble. I made two parameter changes in /etc/samba/smb.conf that made it better:

    1) Commented out the smb ports parameter

    2) Set the bind interfaces only parameter to No

    After restarting Samba (smb, nmb and winbind) and restarting the Windows 10 system, file share access was much better, but still quirky. If I specified a full path (e.g. \\gateway\media) in Windows File Explorer, the standard username/password prompt would appear and things would work. However, just browsing the network didn't work well. I would get a nasty connection error and error code.

    We'll get more eyes on the problem.
  • Thursday, September 24 2015, 02:14 PM

    [2015/09/23 22:07:23.165334,  1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service printers is flagged unavailable.
    [2015/09/23 22:07:23.165373, 1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service print$ is flagged unavailable.
    [2015/09/23 22:07:23.165405, 1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service netlogon is flagged unavailable.



    Those are normal. It just means the share definition is defined but disabled.



    [2015/09/23 22:07:23.165443, 1] ../source3/param/loadparm.c:1956(map_parameter)
    Unknown parameter encountered: "force directory security mode"
    [2015/09/23 22:07:23.165452, 0] ../source3/param/loadparm.c:3159(lp_do_parameter)
    Ignoring unknown parameter "force directory security mode"



    That was added to the tracker as a cleanup item quite some time ago. I wonder if this causes a problem for Windows 10?

    We now have access to Windows 10 licenses, so we can take a deeper look.
  • Thursday, September 24 2015, 02:09 PM
    JPrez wrote:

    One item/feedback/question:

    Does ClearOS 7 now include the ability to have a User Portal or a built in bypass method for the content filter or is it basically unchanged from Clear OS 6?


    Not yet. We are hoping to completely replace the content filter engine -- DansGuardian is getting a little old and crusty.
  • Wednesday, September 23 2015, 08:15 PM
    Did some troubleshooting with Samba simple networking and my Windows 10 PC. Found this in the /var/log/samba/ directory in one of all the log files that seems to be the standard one being written to during the startup of the smb service. This is the entire startup sequence:

    [2015/09/23 22:07:23.165334,  1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service printers is flagged unavailable.
    [2015/09/23 22:07:23.165373, 1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service print$ is flagged unavailable.
    [2015/09/23 22:07:23.165405, 1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service netlogon is flagged unavailable.
    [2015/09/23 22:07:23.165443, 1] ../source3/param/loadparm.c:1956(map_parameter)
    Unknown parameter encountered: "force directory security mode"
    [2015/09/23 22:07:23.165452, 0] ../source3/param/loadparm.c:3159(lp_do_parameter)
    Ignoring unknown parameter "force directory security mode"
    [2015/09/23 22:07:23.165460, 1] ../source3/param/loadparm.c:2387(service_ok)
    NOTE: Service profiles is flagged unavailable.
    [2015/09/23 22:07:23.165583, 0] ../source3/smbd/server.c:1269(main)
    standard input is not a socket, assuming -D option
    [2015/09/23 22:07:23.177764, 0] ../lib/util/become_daemon.c:136(daemon_ready)
    STATUS=daemon 'smbd' finished starting up and ready to serve connectionsFailed to fetch record!

    I realize this is just one very small piece of a larger puzzle. But maybe it can trigger someone to ask the right questions...

    Edit: I should also mention that from the very same Windows 10 PC I can access all my ClearOS 6 servers that also have samba simple networking running without any problems.

    /Fred
  • Tuesday, September 22 2015, 09:56 PM
    Hi,
    I just installed the new 7.1 ISO (found it on the mirrors...) Not sure if it is the RC1 or what, but it is dated Sept 19th. It works MUCH better than Beta 3 that seems totally broken now. Not all apps work (the print server installation for instance), but Serviio does ;) at least for me.

    I still have a problem with simple networking with Samba. Noted one thing: When I edit any user profile, it clears that user from all the Windows Networking groups when I save independent of what they were before or if I tried to mark any of them as applicable for the user. I wonder if the web interface messes around even more with the Samba config files...

    /Fred
  • MikeCindi
    Tuesday, September 22 2015, 12:44 AM
    I have reloaded 7.1b3 several times now over the past few days and have not been able to get past configuring the account manager which of course has its fingers into many other services. Commonly I get that the install failed and to check my network connection (which is not an issue since to get to that point I've already updated files...which I will skip doing the next round) or a 404 Page Not Found (with Samba). This is pretty annoying. I will stop trying after the next reload and wait for the next release if it fails again.
  • Saturday, September 19 2015, 04:15 PM
    A lot of apps cannot be installed at the moment due to missing packages in the default repos:

    For instance, FTP needs;
    GeoIP currently in clearos-centos
    libmemcached currently in clearos-centos
    proftpd currently in clearos-epel

    Another package is the printserver: It needs;
    foomatic currently in clearos-centos
    cups currently in clearos-centos
    HOWEVER:
    - Already installed (from @anaconda) is a conflicting cups-libs el7_1.1 ! (the el7_1.1 release version looks a bit strange...)
    - The wrong version of liberation-fonts-common is also already installed from @anaconda (1.07.2-15 instead of the required 1.07.2-14)
    - Already installed systemd-208-20.el7_1.5 (again strange version...) instead of systemd-208-20.el7 that is required

    and the list goes on like this for many apps right now.

    /Fred
  • MikeCindi
    Saturday, September 19 2015, 12:27 AM
    Fredrik Fornstad wrote:

    First tip: There are a number of packages, like ftp and backuppc that cannot be installed right now due to missing dependencies. When you try to install Serviio (app-serviio), then do ONLY that. Do NOT try to install several other packages at the same time.
    ...
    As last resort this should work:
    yum install app-serviio --enablerepo=clearos-core,clearos-epel
    If that does not work: STOP and consider reinstalling your machine.

    /Fred


    I worked through the above without success. I will reload COS 7.1b3 again tomorrow and try again. Thank you very much for your help.

    I am interested in serviio but not as a "must have". Currently I stream all my media from either COS 5.2 or WHS 2011. I will eventually migrate those two to COS 7.1 if I can do so with at least equal functionality. So far 7.1b3 has been "fun" to tinker with but it's not ready for me to comfortably switch over now.
  • Thursday, September 17 2015, 07:19 AM
    MikeCindi wrote:
    I got the same error when I tried again just now. I then tried another app but it too would not install. Ran "yum update" and tried again but still no success.


    First tip: There are a number of packages, like ftp and backuppc that cannot be installed right now due to missing dependencies. When you try to install Serviio (app-serviio), then do ONLY that. Do NOT try to install several other packages at the same time.

    Another thing: Yesterday a number of updates were released for beta 3. If yum update has not resulted in any updates the last couple of days for you, I would suspect that you have got a faulty setup of the yum repos. Have you changed anything?

    Try to clean yum and marketplace cache by doing this as root on the command line:
    yum clean all
    rm /var/clearos/framework/cache/* -rf
    yum upgrade
    Results?

    Can you install Serviio now?

    If you really want Serviio badly for testing here is a "workaround". Type this at command line (as root):
    yum install app-serviio

    If you still get missing "packages" error then you can "escalate" it a bit by doing:
    yum install app-serviio --enablerepo=clearos-contribs-verified
    If it works now then for some reason clearos-contribs-verified is not enabled by default on your machine which it should be. If you get an error that there is no repo "clearos-contribs-verified" then you have a setup problem with yum.

    As last resort this should work:
    yum install app-serviio --enablerepo=clearos-centos,clearos-epel
    If that does not work: STOP and consider reinstalling your machine.

    /Fred

    Edit: Corrected the name of the clearos-centos repo (it is not clearos-core).
  • MikeCindi
    Thursday, September 17 2015, 12:11 AM
    Fredrik Fornstad wrote:

    MikeCindi,
    Thanks for trying Serviio. Unfortunately the ClearOS team moved around some of the needed libs to prepare for the final release. In this process libcdio_paranoia URL got corrupted. This has now been corrected (I think). Why it should work now if you try again.

    /Fred

    EDIT: I just did a fresh installation of ClearOS 7 Beta 3 and installed Serviio successfully from the Marketplace. :) It works now.


    I got the same error when I tried again just now. I then tried another app but it too would not install. Ran "yum update" and tried again but still no success.
  • Wednesday, September 16 2015, 06:15 AM
    MikeCindi,
    Thanks for trying Serviio. Unfortunately the ClearOS team moved around some of the needed libs to prepare for the final release. In this process libcdio_paranoia URL got corrupted. This has now been corrected (I think). Why it should work now if you try again.

    /Fred

    EDIT: I just did a fresh installation of ClearOS 7 Beta 3 and installed Serviio successfully from the Marketplace. :) It works now.
  • MikeCindi
    Wednesday, September 16 2015, 04:07 AM
    Attempted to install "serviio media server" and got the following:

    Exception: [u'ERROR with transaction check vs depsolve:', 'libvdpau.so.1()(64bit) is needed by ffmpeg-2.8-1.v7.x86_64', 'libgsm.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libopus.so.0()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libschroedinger-1.0.so.0()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libspeex.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libtheoradec.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libtheoradec.so.1(libtheoradec_1.0)(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libtheoraenc.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libtheoraenc.so.1(libtheoraenc_1.0)(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libva.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libvorbis.so.0()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libvorbisenc.so.2()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'libwavpack.so.1()(64bit) is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'opus is needed by ffmpeg-libavcodec_56-2.8-1.v7.x86_64', 'dcraw >= 8.96 is needed by serviio-1.5.2-4.v7.noarch', 'java-1.8.0-openjdk is needed by serviio-1.5.2-4.v7.noarch', 'libass.so.5()(64bit) is needed by ffmpeg-libavfilter_5-2.8-1.v7.x86_64', 'libbs2b.so.0()(64bit) is needed by ffmpeg-libavfilter_5-2.8-1.v7.x86_64', 'libopencv_core.so.2.4()(64bit) is needed by ffmpeg-libavfilter_5-2.8-1.v7.x86_64', 'libopencv_imgproc.so.2.4()(64bit) is needed by ffmpeg-libavfilter_5-2.8-1.v7.x86_64', 'libbluray.so.1()(64bit) is needed by ffmpeg-libavformat_56-2.8-1.v7.x86_64', 'libgnutls.so.28()(64bit) is needed by ffmpeg-libavformat_56-2.8-1.v7.x86_64', 'libgnutls.so.28(GNUTLS_1_4)(64bit) is needed by ffmpeg-libavformat_56-2.8-1.v7.x86_64', 'libgnutls.so.28(GNUTLS_3_0_0)(64bit) is needed by ffmpeg-libavformat_56-2.8-1.v7.x86_64', 'libmodplug.so.1()(64bit) is needed by 
ffmpeg-libavformat_56-2.8-1.v7.x86_64', 'libcaca is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libcaca.so.0()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libcdio_cdda.so.1()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libcdio_cdda.so.1(CDIO_CDDA_1)(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libcdio_paranoia.so.1()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libcdio_paranoia.so.1(CDIO_PARANOIA_1)(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libdc1394.so.22()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libopenal.so.1()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libpulse.so.0()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libpulse.so.0(PULSE_0)(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libv4l2.so.0()(64bit) is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'openal-soft is needed by ffmpeg-libavdevice_56-2.8-1.v7.x86_64', 'libsoxr.so.0()(64bit) is needed by ffmpeg-libswresample_1-2.8-1.v7.x86_64']
  • JPrez
    Tuesday, September 15 2015, 01:55 AM
    One item/feedback/question:

    Does ClearOS 7 now include the ability to have a User Portal or a built in bypass method for the content filter or is it basically unchanged from Clear OS 6?

    Apparently it was on the Clear OS 6 roadmap per this thread:

    https://www.clearos.com/clearfoundation/social/community/content-filter-bypass-user-level

    Thanks
  • MikeCindi
    Sunday, September 06 2015, 09:08 PM
    Fredrik Fornstad wrote:

    Hi,
    ...
    Anyone seen this behaviour? As it is now, I cannot create any other user than root on this machine...

    EDIT:
    I have now done more new installs and I have these two observations:
    1. If I create a user (besides root) in the "centos" setup/installation wizard when ClearOS is to be installed from DVD (which is natural since the option shows up), then that user will NOT work with LDAP and therefore this user cannot be used for Windows Networking etc. So avoid this!
    2. If I at the first startup of ClearOS choose to skip the app installation wizard, and after the installation go to the marketplace to install directory service it will fail as described above. However, if I for instance select to run the app installation wizard by function and select directory service, LDAP will install correctly.

    /Fred


    Fred,
    I did a reinstall yesterday and noted what you have also found: if you create a user during install then there are issues with LDAP (the account manager) giving the error that you mention. This disables several other functions/apps for the server as they are dependent on the account mgr. My reinstall did nothing to change the dashboard views (only column one is usable so I can only see five items as the number of rows is fixed at five).
    Mike
  • Saturday, September 05 2015, 09:29 PM
    Hi,
    Just (today) installed a new ClearOS7beta environment on virtual box using the beta3 DVD iso as I have used before. None of the previous installs have been possible to work with my Windows PCs on my LAN (I am not using any Primary Domain Controller or anything like that, just lan windows networking on a simple home LAN). With my ClearOS6 PCs it works fine but not on ClearOS7.

    The install today was however a bit different: When I selected to install OpenLDAP, I got an error message after what looked as an installation
    Install failed, please check your network connection.
    I do have network connection (a pretty good one too... so that should not be the problem). After that whenever I try to go to the "User" or "Group" setting in WebConfig, this error message turns up. There seems to be no way to cure this.

    When I then tried to install The Directory Services from the Market Place I got the following error:
    Exception: [u'ERROR with transaction check vs depsolve:', 'nss-pam-ldapd is needed by app-openldap-directory-core-1:2.1.6-1.v7.noarch', 'pam_ldap is needed by app-openldap-directory-core-1:2.1.6-1.v7.noarch', 'tdb-tools >= 1.2.9 is needed by app-samba-core-1:2.1.14-1.v7.noarch']


    Anyone seen this behaviour? As it is now, I cannot create any other user than root on this machine...

    EDIT:
    I have now done more new installs and I have these two observations:
    1. If I create a user (besides root) in the "centos" setup/installation wizard when ClearOS is to be installed from DVD (which is natural since the option shows up), then that user will NOT work with LDAP and therefore this user cannot be used for Windows Networking etc. So avoid this!
    2. If I at the first startup of ClearOS choose to skip the app installation wizard, and after the installation go to the marketplace to install directory service it will fail as described above. However, if I for instance select to run the app installation wizard by function and select directory service, LDAP will install correctly.

    /Fred
  • Friday, September 04 2015, 05:59 PM
    Matthew Lavigne wrote:

    Has anyone seen a complete fail to install on Enterprise level hardware? I have an IBM 3650M4 that the install gets all the way through installation but pukes on the last bit, likely on the grub install or in that space. Reboot gets me GRUB> and that is it.


    That definitely sounds like a grub install issue. The 3650 M3 hardware is Red Hat certified for version 6, but there's nothing shown for the 3650 M4 though.
  • Friday, September 04 2015, 05:50 PM
    Eric Anderson wrote:

    I didn't see miniupnpd on the installation disk, does it exist in one of the repos?


    It's not available. That's a pet project that I do when I can get around to it. I have made the changes for ClearOS 7 (here), but I haven't yet pushed the package through the build system.
  • Friday, September 04 2015, 05:47 PM
    Bob Rose wrote:

    Sorry if this does not belong here. I haven’t caught onto the gist of the new forums.
    Anyway I needed to upgrade hardware 32 >64 bit and thought this would be a good opportunity to test out 7.1B Community. The install goes to around 70% complete and stopped with "Unknown Error" With the options to report to what looks like redhat or just plain quit. Tried the B3 and later an earlier version with the same outcome.


    Are there any other details in the error message? Is there any trace output? Feel free to send a screenshot to developer@clearfoundation.com -- we'll definitely take a look.
  • MikeCindi
    Wednesday, September 02 2015, 01:41 AM
    Matthew Lavigne wrote:

    Has anyone seen a complete fail to install on Enterprise level hardware? I have an IBM 3650M4 that the install gets all the way through installation but pukes on the last bit, likely on the grub install or in that space. Reboot gets me GRUB> and that is it.

    Matthew


    I had no issues getting through installation with my HP DL380 G6. The account manager didn't load and won't allow me to remove or reinstall it so I'll probably try to reinstall the whole thing this weekend.
  • Tuesday, September 01 2015, 05:43 PM
    Has anyone seen a complete fail to install on Enterprise level hardware? I have an IBM 3650M4 that the install gets all the way through installation but pukes on the last bit, likely on the grub install or in that space. Reboot gets me GRUB> and that is it.

    Matthew
  • MikeCindi
    Sunday, August 30 2015, 07:28 PM
    The dashboard only allows one column to function per row. I can add columns but they are non-functional.
  • Friday, August 28 2015, 11:56 PM
    I didn't see miniupnpd on the installation disk, does it exist in one of the repos?
  • Bob Rose
    Tuesday, August 25 2015, 01:53 PM
    Sorry if this does not belong here. I haven’t caught onto the gist of the new forums.
    Anyway I needed to upgrade hardware 32 >64 bit and thought this would be a good opportunity to test out 7.1B Community. The install goes to around 70% complete and stopped with "Unknown Error" With the options to report to what looks like redhat or just plain quit. Tried the B3 and later an earlier version with the same outcome.
  • Chris
    Friday, August 21 2015, 08:06 AM
    Hi Peter

    Thanks for the response. I have had the firewall update overnight and this morning I restarted the whole system, but still received a critical warning re firewall panic mode. Should I still expect this or is it a matter of "work in progress"?

    Thanks
  • Thursday, August 20 2015, 05:48 PM
    @Chris.

    Thanks for the logs! The firewall panic is happening here:


    Aug 14 15:10:10 gateway firewall: Web proxy is online
    Aug 14 15:10:10 gateway firewall: Running firewall panic mode...


    That issue was likely recently resolved. The firewall will do different things based on the status of the web proxy server. In ClearOS 7, the Squid Web Proxy pid file (/var/run/squid.pid) is always there even when Squid is not running. No daemon behaves like this in ClearOS 6 (and most don't in ClearOS 7). We had to change the way the web proxy detection worked and those changes were pushed to the updates repository yesterday.
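
The situation described in the reply above (a pid file that exists while the daemon is not running) is why the mere presence of a pid file is a poor liveness test. The following is an added example, not ClearOS code and not the fix that was pushed: it reads the pid, confirms a process with that pid exists, and confirms it is the expected program. The function names and state labels are this example's own, and the name check assumes a Linux /proc.

```python
import os
from pathlib import Path


def pid_from_file(pidfile):
    """Return the PID stored in pidfile, or None if it is unreadable or not a PID."""
    try:
        text = Path(pidfile).read_text().strip()
    except OSError:
        return None
    if not (text.isascii() and text.isdigit()) or int(text) < 1:
        return None
    return int(text)


def process_alive(pid):
    """Signal 0 only performs the existence/permission check; nothing is delivered."""
    try:
        os.kill(pid, 0)
    except (ProcessLookupError, OverflowError):
        return False
    except PermissionError:
        return True  # the process exists but belongs to another user
    return True


def process_name(pid):
    """Kernel's short command name for pid, or None when /proc cannot be read."""
    try:
        return Path(f"/proc/{pid}/comm").read_text().strip()
    except OSError:
        return None


def daemon_state(pidfile, expected_name):
    """Report 'running' only if the pid file points at a live process with the
    expected name. The state labels are this example's own."""
    if not os.path.exists(pidfile):
        return "no-pidfile"
    pid = pid_from_file(pidfile)
    if pid is None:
        return "invalid-pidfile"
    if not process_alive(pid):
        return "stale-pidfile"      # file present, daemon gone: the case in the thread
    name = process_name(pid)
    if name is None:
        return "alive-unverified"   # no /proc, so the name could not be checked
    if name != expected_name:
        return "pid-reused"         # the pid now belongs to some other program
    return "running"


if __name__ == "__main__":
    # /var/run/squid.pid is the path named in the thread; "squid" as the
    # process name is an assumption of this example.
    print(daemon_state("/var/run/squid.pid", "squid"))
```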
  • Monday, August 17 2015, 03:45 AM
    I'm trying to set it up and not having any luck getting to the webgui. I have it installed and in gateway mode. My external nic is working and I can run a speed test. My internal nic must be working because I can point internal machine to it as a gateway and they have internet access. I can't connect to the webgui though. What's the URL? I have tried https://machineIP:1501/app and just 1501, is it a different port or URL?

    Thanks,
    Levi

    EDIT

    It was port 82, got it working
  • Sunday, August 16 2015, 06:44 AM
    If it is deprecated but working, why change now? I don't know anything about systemctl, but if you are worried about the service command you can use "/etc/rc.d/init.d/fail2ban reload" to reload fail2ban.

    [edit]
    Anyway, on systemctl systems it looks like the system command has been modified to call systemctl. See here for more info.
    [/edit]
  • Saturday, August 15 2015, 11:14 PM
    Is "service" (chkconfig) fully deprecated in favor of systemctl in RHEL 7? I know service redirects to systemctl, but how long is that going to continue? Should we be changing all our finger/muscle memory to type systemctl, and redo all the shell scripts too?
  • Saturday, August 15 2015, 07:46 PM
    There is an issue with fail2ban and the ClearOS firewall as every time the firewall restarts it wipes the fail2ban rules as you point out. This is easily circumvented by adding a line "service fail2ban reload" to either /etc/clearos/firewall.d/local or /etc/clearos/firewall.d/10-anyname (making it executable, also any number up to at least 99). This way all the fail2ban rules get reloaded. One great thing with the 0.9.x release of fail2ban (only recently released) over 0.8.x is that it builds a database of banned IPs so it rebans them after the firewall is restarted. Before a restart would lose all the bans.

    I don't know the full story about the IPS rules but they are an opensource rule set which has not been updated in years. They can easily be amended to get them to block, if you want and there are a couple of ways. One is to create a file, /etc/sid-block.map and add rules like:
    2008578: src, 1 day
    2100368: src, 1 day
    2100369: src, 1 day
    The first number is the rule number (sid). Then you have to decide if you are blocking the source or destination IP of the rule and for how long. Be careful with the src/dst flag. Often password failure rules track the return "login failed" message so you want to block the destination and not the source. The other way is to edit the rules directly, adding something like " fwsam: src, 24 hours;" to the end of each rule. Have a look at the Emerging Threats block rules for examples of the fwsam method.

    I am not saying OpenVPN is technically better than SSH. They do not compare as they perform different functions. With OpenVPN you would still have to use SSH, but once you connect to your server by OpenVPN you effectively are SSH'ing into the LAN IP of the server and not the WAN IP and the LAN IP is never exposed to the public. In the ClearOS implementation of OpenVPN authentication is by certificate and user/pass. You control your certificates so will (should) know if one has gone missing. As such it is way more secure than the SSH set up of default user (root)/pass and certificates are not very friendly for script kiddies. SSH can be secured more using things like pre-shared keys and so on, but why bother when OpenVPN does the job better by default. I agree that OpenVPN and SSH, both using public keys/certificates for authentication probably are pretty similar but the default configuration for SSH does not use public keys.

    If you are trying to stick to defaults use SSH through OpenVPN. Both can then be quite happily left with their default configurations.
  • Saturday, August 15 2015, 06:43 PM
    I haven't seen anyone report that the default apache document root is set up with an index.html that references logo.png, but the actual logo.png file is missing.
  • Friday, August 14 2015, 04:04 PM
    Well, it looks like fail2ban is in the clearos repositories, but it isn't really compatible with the clearos firewall, right? (If a change is made in the firewall, it redoes iptables based on its own private configuration, ignoring anything done by the iptables command outside of webconfig.) I should think the repository would mark it incompatible with the clearos firewall, or include some accommodation so fail2ban's blocking doesn't stop working when the firewall is reset.

    So how come the default (non-subscription) rules for intrusion protection don't handle simple things like multiple failed login attempts on sshd? I can see the subscription rules being more comprehensive and responding to more recent or emerging threats, but sshd failures have been around for a decade or more. Why wouldn't the default non-subscription rules protect against basic or older/traditional threats? (I know, that's probably rhetorical or a question for the sales department ...)

    Are you saying that openvpn is somehow technically better than ssh, or just that the script kiddies haven't figured out what its default port is yet? Maybe it has logic in place to block IP addresses that try to abuse it? If both ssh and openvpn use public keys (e.g. certificates) to authenticate (both ways) rather than passwords, I should think they would be about equal as far as resisting password guessing or other connections that put extra load on the server and add lines to the logs. In other words, if both are on random ports and use exclusively public keys/certificates for authentication, how would openvpn be better than sshd?

    Also, since this is a beta forum, I'm trying to stick to defaults. We all know that best practice requires choosing a random port for sshd and sticking with it or randomizing it from time to time; but the default (beta) distro doesn't do that, and that's what I am commenting on. I figure if I did something minimal like move sshd to a different port, 99.9% of the failures in my logs would disappear immediately, but that's not the default.

    It is fairly easy to change the port and password setting in webconfig, so it's not a huge problem. I'll get around to testing that eventually.
  • Accepted Answer

    Wednesday, August 12 2015, 06:50 PM - #Permalink
    Resolved
    0 votes
    Merrill Cook wrote:

    <snip>

    Case in point. I have sshd listening on port 22 (yeah, I know, the default is bad). There are 3417 messages about Failed login for root at that port. Intrusion Prevention System appears to be installed and running. But no IP Addresses have been added to the blocked list. Surely 3,417 would have triggered some response by now? So how do I troubleshoot, or learn whether my expectations are too high? Or is the marketplace app that was installed a placeholder during the beta and not supposed to be working?

    The current default IDS does not do any sensible blocking. You'll need a subscription for that or you'll have to use Emerging Threats or some other source of rules. You should also install fail2ban, but even that is not brilliant as it will only block repeat offenders on the same IP. I have found they round-robin the IP address going through a subnet so I was often getting no more than one probe from a single IP, but I had a lot of probes from the /24 subnet. No IDS/IPS system is going to pick up on this sort of attack.

    Can I strongly suggest that, if it is only you requiring ssh access, you do it through OpenVPN and close port 22 to the internet. It is just too risky leaving it open.
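Added example, not part of the thread or of ClearOS: the reply above describes failed sshd logins spread one per address across a /24, which a per-address counter never sees. This Python sketch counts the same failures both per address and per /24; the log lines are constructed in /var/log/secure format and the thresholds are assumptions chosen for the sample.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (documentation address ranges), not real log data.
SAMPLE_LOG = """\
Aug 12 03:14:01 gateway sshd[2101]: Failed password for root from 203.0.113.5 port 51122 ssh2
Aug 12 03:14:09 gateway sshd[2103]: Failed password for root from 203.0.113.77 port 40110 ssh2
Aug 12 03:14:15 gateway sshd[2105]: Failed password for root from 203.0.113.140 port 38012 ssh2
Aug 12 03:14:22 gateway sshd[2107]: Failed password for root from 203.0.113.201 port 55340 ssh2
Aug 12 03:20:11 gateway sshd[2140]: Failed password for invalid user admin from 198.51.100.7 port 40022 ssh2
Aug 12 03:20:14 gateway sshd[2142]: Failed password for invalid user admin from 198.51.100.7 port 40030 ssh2
Aug 12 03:20:18 gateway sshd[2144]: Failed password for root from 198.51.100.7 port 40041 ssh2
Aug 12 08:02:40 gateway sshd[2290]: Failed password for alice from 192.0.2.44 port 60100 ssh2
Aug 12 08:02:52 gateway sshd[2292]: Accepted publickey for alice from 192.0.2.44 port 60104 ssh2
"""

FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def failures_by_source(log_text):
    """Return {source IPv4 address: number of failed password attempts}."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)

def flag_sources(per_ip, per_ip_limit=3, per_net_limit=4, prefix=24):
    """Return (addresses over the per-IP limit, subnets over the per-subnet limit)."""
    per_net = defaultdict(lambda: [0, set()])  # network -> [failures, distinct hosts]
    for ip, n in per_ip.items():
        try:
            net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        except ValueError:
            continue  # matched the pattern but is not a valid address
        per_net[net][0] += n
        per_net[net][1].add(ip)
    flagged_ips = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)
    flagged_nets = sorted(
        str(net) for net, (fails, hosts) in per_net.items()
        if fails >= per_net_limit and len(hosts) > 1  # many hosts, few tries each
    )
    return flagged_ips, flagged_nets

if __name__ == "__main__":
    print(flag_sources(failures_by_source(SAMPLE_LOG)))
```

A flagged /24 can contain unrelated hosts, so treat it as a signal for review before banning the whole range.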
  • Accepted Answer

    Wednesday, August 12 2015, 02:09 PM - #Permalink
    Resolved
    0 votes
    I've been working on getting some things working with IPv4 with tunnel vision, but I hope to get to IPv6 eventually. I notice the DSL modem has passed along a routable IPv6 address to the server, but as far as I can tell that's about all that has happened. There seem to be IPv6 settings in /etc/sysconfig/network-scripts, and ip6tables seems to be blocking everything except outbound and the udp port 67/68 pair, but 'ping6 google.com' replies 'connect: Network is unreachable.' The firewall output posted here recently doesn't seem to have any IPv6 settings.

    Am I on my own trying to get it to work, or configure ip6tables firewall? Is it maybe disabled and not supported in ClearOS 7 (or what does "IPv6 Ready" mean)? Will the CentOS 7 instructions for getting IPv6 working be appropriate, or will they interfere with something implemented or planned for clearos webconfig?

    (Sorry if this has been answered elsewhere...)
  • Accepted Answer

    Wednesday, August 12 2015, 01:31 PM - #Permalink
    Resolved
    0 votes
    It'd be nice if somewhere there was a link between the marketplace web and the actual services or whatever. For example,


    What is the package name for yum?
    Is it a service or initiated by cron?
    Is there more customization that can be done, e.g. by editing a config.local file?
    Where would we see logs or results from the app; how can we tell if it is running or working as advertised?


    Case in point. I have sshd listening on port 22 (yeah, I know, the default is bad). There are 3417 messages about Failed login for root at that port. Intrusion Prevention System appears to be installed and running. But no IP Addresses have been added to the blocked list. Surely 3,417 would have triggered some response by now? So how do I troubleshoot, or learn whether my expectations are too high? Or is the marketplace app that was installed a placeholder during the beta and not supposed to be working?

    I don't mind tracking down information, except when it seems all the clues to how to learn more have been eliminated, in favor of an app with three buttons: 'Details', 'Uninstall', and 'Rate App', where 'details' basically says very little other than how wonderful the app is.

    Maybe just have it be a footnote at the bottom of the page, if you don't want mere mortals to know what is going on?
  • Accepted Answer

    Wednesday, August 12 2015, 01:25 PM - #Permalink
    Resolved
    0 votes
    Hi Chris,

    Chris wrote:

    I have installed 7.1 beta 3, installed all necessary apps (including several paid ones) and all is well - apart from the firewall giving a notification that it is in "Panic Mode". I can see from Googling that this is a known occasional problem but cannot see how to resolve it. It does sound rather critical...

    Search for the word "panic" in /var/log/system - there should be some details in that log. Feel free to send the log to us for analysis. Send it to developer@clearfoundation.com.
  • Accepted Answer

    Wednesday, August 12 2015, 01:22 PM - #Permalink
    Resolved
    0 votes
    Tim Burgess wrote:

    @ric9887, in the beta there are still missing apps in the marketplace; you can however install them from the command line. Try 'yum list app-*'

    Yup! The repository structure changed quite a bit in beta 3 and the Marketplace UI hasn't caught up yet. We should have Marketplace up-to-date next week.
  • Accepted Answer

    Wednesday, August 12 2015, 01:13 PM - #Permalink
    Resolved
    0 votes
    I just followed the link in webconfig (/app/support) to the community forums. It took me to a blank page (no formatting or anything) at
    http://www.clearfoundation.com/forums
  • Accepted Answer

    Chris
    Saturday, August 08 2015, 12:11 PM - #Permalink
    Resolved
    0 votes
    Deleted after further thought!
  • Accepted Answer

    Chris
    Saturday, August 08 2015, 07:23 AM - #Permalink
    Resolved
    0 votes
    Hi Tim

    The response to "firewall-start -d" is below - To my rather untutored eye nothing jumps out as being obviously amiss?

    [root@gateway ~]# firewall-start -d
    firewall: Starting firewall...
    firewall: Loading environment
    firewall: FW_MODE=gateway
    firewall: FW_PROTO=ipv4
    firewall: WANIF=ppp0
    firewall: LANIF=enp2s0
    firewall: SYSWATCH_WANIF=ppp0
    firewall: WIFIF=
    firewall: BANDWIDTH_QOS=on
    firewall: QOS_ENGINE=internal
    firewall: SQUID_USER_AUTHENTICATION=off
    firewall: SQUID_TRANSPARENT=on
    firewall: IPSEC_SERVER=off
    firewall: PPTP_SERVER=off
    firewall: ONE_TO_ONE_NAT_MODE=type2
    firewall: RULES=||0x10000008|6|192.xxx.xxx.xxx|8xxx|8xxx
    firewall: RULES=ssh_server||0x10000001|6||22|
    firewall: RULES=webconfig||0x10000001|6||81|
    firewall: FW_DROP=DROP
    firewall: FW_ACCEPT=ACCEPT
    firewall: IPBIN=/sbin/ip
    firewall: TCBIN=/sbin/tc
    firewall: MODPROBE=/sbin/modprobe
    firewall: RMMOD=/sbin/rmmod
    firewall: SYSCTL=/sbin/sysctl
    firewall: IFCONFIG=/sbin/ifconfig
    firewall: PPTP_PASSTHROUGH_FORCE=no
    firewall: EGRESS_FILTERING=off
    firewall: PROTOCOL_FILTERING=off
    firewall: Detected WAN role for interface: ppp0
    firewall: Detected LAN role for interface: enp2s0
    firewall: Setting kernel parameters
    firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh1=512 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh2=2048 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.neigh.default.gc_thresh3=4096 >/dev/null = 0
    firewall: /sbin/sysctl -w net.netfilter.nf_conntrack_max=524288 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.ip_forward=1 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.tcp_syncookies=1 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.all.log_martians=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.all.accept_redirects=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.all.send_redirects=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.default.accept_redirects=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.default.send_redirects=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.conf.all.accept_source_route=0 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.icmp_echo_ignore_broadcasts=1 >/dev/null = 0
    firewall: /sbin/sysctl -w net.ipv4.icmp_ignore_bogus_error_responses=1 >/dev/null = 0
    firewall: Detected WAN info - ppp0 xxx.xxx.xxx.xxx on network xxx.xxx.xxx.xxx/32
    firewall: Detected LAN info - enp2s0 192.xxx.xxx.xxx on network 192.xxx.xxx.xxx/24
    firewall: Using gateway mode
    firewall: Loading kernel modules
    firewall: /sbin/modprobe ipt_LOG >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ipt_REJECT >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe nf_conntrack_ipv4 >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ipt_IMQ >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_conntrack_ftp >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_conntrack_irc >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ppp_generic >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ppp_mppe >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_conntrack_proto_gre >/dev/null 2>&1 = 256
    firewall: /sbin/modprobe ip_conntrack_pptp >/dev/null 2>&1 = 0
    firewall: Loading kernel modules for NAT
    firewall: /sbin/modprobe ipt_MASQUERADE >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_nat_ftp >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_nat_irc >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_nat_proto_gre >/dev/null 2>&1 = 256
    firewall: /sbin/modprobe ip_nat_pptp >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_nat_h323 >/dev/null 2>&1 = 0
    firewall: /sbin/modprobe ip_nat_tftp >/dev/null 2>&1 = 0
    firewall: Setting default policy to DROP
    firewall: Defining custom chains
    firewall: iptables -t filter -A DROP-lan -j DROP
    firewall: Running blocked external rules
    firewall: Running custom rules
    firewall: Running common rules
    firewall: iptables -t filter -A INPUT -m state --state INVALID -j DROP
    firewall: iptables -t filter -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
    firewall: iptables -t filter -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    firewall: iptables -t filter -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
    firewall: iptables -t filter -A INPUT -i ppp0 -s xxx.xxx.xxx.xxx/16 -j DROP
    firewall: iptables -t filter -A INPUT -i lo -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o lo -j ACCEPT
    firewall: iptables -t filter -A INPUT -i pptp+ -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o pptp+ -j ACCEPT
    firewall: iptables -t filter -A INPUT -i tun+ -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o tun+ -j ACCEPT
    firewall: iptables -t filter -A INPUT -i enp2s0 -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o enp2s0 -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p icmp --icmp-type 0 -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p icmp --icmp-type 3 -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p icmp --icmp-type 8 -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p icmp --icmp-type 11 -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o ppp0 -p icmp -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p udp --dport bootpc --sport bootps -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p tcp --dport bootpc --sport bootps -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o ppp0 -p udp --sport bootpc --dport bootps -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -o ppp0 -p tcp --sport bootpc --dport bootps -j ACCEPT
    firewall: Running incoming denied rules
    firewall: Running user-defined incoming rules
    firewall: Allowing incoming tcp port/range 22
    firewall: iptables -t filter -A INPUT -p 6 -d xxx.xxx.xxx.xxx --dport 22 -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -p 6 -o ppp0 -s xxx.xxx.xxx.xxx --sport 22 -j ACCEPT
    firewall: Allowing incoming tcp port/range 81
    firewall: iptables -t filter -A INPUT -p 6 -d xxx.xxx.xxx.xxx --dport 81 -j ACCEPT
    firewall: iptables -t filter -A OUTPUT -p 6 -o ppp0 -s xxx.xxx.xxx.xxx --sport 81 -j ACCEPT
    firewall: iptables -t nat -A POSTROUTING -o tun+ -j ACCEPT
    firewall: Running default incoming allowed rules
    firewall: iptables -t filter -A OUTPUT -o ppp0 -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p udp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    firewall: iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
    firewall: Running user-defined port forward rules
    firewall: Port forwarding tcp 8xxx to 192.xxx.xxx.xxx 8xxx
    firewall: iptables -t nat -A PREROUTING -d xxx.xxx.xxx.xxx -p 6 --dport 8xxx -j DNAT --to 192.xxx.xxx.xxx:8xxx
    firewall: iptables -t nat -A POSTROUTING -d 192.xxx.xxx.xxx -p 6 -s 192.xxx.xxx.xxx/255.255.255.0 --dport 8xxx -j SNAT --to 192.xxx.xxx.xxx
    firewall: iptables -t filter -A FORWARD -o enp2s0 -p 6 -d 192.xxx.xxx.xxx --dport 8xxx -j ACCEPT
    firewall: /sbin/rmmod imq 2>/dev/null = 256
    firewall: /sbin/tc qdisc del dev ppp0 root >/dev/null 2>&1 = 512
    firewall: Initializing bandwidth manager
    firewall: Bandwidth manager is enabled but no WAN interfaces configured!
    firewall: Running 1-to-1 NAT rules
    firewall: Running user-defined proxy rules
    firewall: Content filter is online
    firewall: Web proxy is online
    firewall: iptables -t nat -A PREROUTING -p tcp -d 192.xxx.xxx.xxx --dport 80 -j ACCEPT
    firewall: iptables -t nat -A PREROUTING -p tcp -d xxx.xxx.xxx.xxx --dport 80 -j ACCEPT
    firewall: Enabled proxy+filter transparent mode for filter port: 8080
    firewall: iptables -t nat -A PREROUTING -i enp2s0 -p tcp --dport 80 -j REDIRECT --to-port 8080
    firewall: Blocking proxy port 3128 to force users through content filter
    firewall: iptables -t nat -I PREROUTING -p tcp ! -s 127.0.0.1 --dport 3128 -j REDIRECT --to-port 82
    firewall: Running multipath
    firewall: /sbin/ip rule | grep -Ev '(local|main|default)' | while read PRIO RULE; do /sbin/ip rule del prio ${PRIO%%:*} 2>/dev/null; done = 0
    firewall: /sbin/ip rule | grep -Ev '(local|main|default)' | while read PRIO RULE; do /sbin/ip rule del $RULE prio ${PRIO%%:*} 2>/dev/null; done = 0
    firewall: /sbin/ip route flush table 50 = 0
    firewall: /sbin/ip route flush cache = 0
    firewall: Enabling NAT on WAN interface ppp0
    firewall: iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
    firewall: Running user-defined outgoing block rules
    firewall: Running default forwarding rules
    firewall: iptables -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i enp2s0 -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i pptp+ -j ACCEPT
    firewall: iptables -t filter -A FORWARD -i tun+ -j ACCEPT
    firewall: Execution time: 0.366s