Security

Web site timeouts with PFSense firewall and Qwest DSL modem

by on Oct.25, 2011, under FreeBSD, Internet, Networking, Security

Qwest / Centurylink DSL Web site timeouts, hangups, or failures while running a firewall or router with static IP addresses.

Recently I set up the Qwest DSL service in my home. It worked great, but after a couple of days I started to get hangups and timeouts while browsing the web. Speed tests still showed the correct speeds, and rebooting all my hardware didn’t solve the issue.

I run PFSense as my internet firewall. (check it out, http://pfsense.org ) I love PFSense, it gives me very fine grained control over just about everything, even simple traffic speed limiters for certain parts of my LAN. (like my kid’s systems, I don’t want them eating my bandwidth with Youtube!) In the past, I’ve had some issues with my client networks and firewalls while using Qwest DSL and PFSense. I found almost ZERO help on Google searches, which I find surprising, because I can’t be the only one with this setup. But, to get to the point, you need to set the Qwest modem’s advanced options to use Dynamic Routing. I use version 2.

If I plug in and connect directly, I do not get the connectivity issues, so I knew something with PFSense was, to put it mildly, not being cooperative. Setting the modem to Dynamic Routing fixed this issue on 3 client networks AND on my recent install at home.

Note, too, that all these networks have static IPs or static blocks. I tried setting the modem to use transparent bridging, which didn’t help. But one time I set up PPPoE directly on PFSense, and that did help. In the end, the only way I could reliably run PFSense on Qwest DSL was to disable NAT on the modem, set up Dynamic Routing, and purchase static IP address(es). Keep in mind, you need to use the “Static IP” setup from Qwest and NOT run transparent bridging, like I assumed. Read their docs, there’s a special setup for this in the Quick Setup section of their modem firmware.

Also, I had this issue on most of the later model modems and firmware, but NOT on the oldest Actiontec modems running old firmware. (like the 701s) But on the newer Qwest firmware (with the blue background and preschool-style coloring :) I had to enable Dynamic Routing. Also, I have the newer Zyxel Q1000Z modem now, same issue.

I have no understanding of why this happens. It doesn’t make any sense to me. Although, just to throw an idea out there, maybe it has to do with the way the modems manage hops from the external destinations. From what I read, dynamic routing has something to do with maintaining the hops between routers online. Maybe, since using the modem with static IPs basically sets it into bridging mode, it incorrectly maintains that hop information, or at the very least it doesn’t identify itself correctly. So what may happen is some routers out there get flaky and don’t respond well to your bridged modem by the time they communicate with your firewall. Some do fine though, which would explain why some sites fail and some don’t. I don’t believe PFSense is doing any dynamic routing protocol work, at all. It’s just firewalling my LAN, right? So all I can assume is, since the Qwest modem is in between me and the rest of the internet, IT has something to do with that communication breakdown using the dynamic routing. Of course, I really don’t know what I am talking about and am making complete assumptions! But hey, it’s just an idea. Maybe someone who knows more than I do can shed some light on it. :)


Windows Security Center Says Automatic Updates Are Turned Off

by on Jun.18, 2011, under Antivirus, PC Repair, Problems, Security, Windows XP

Today I ran into a problem while repairing a computer that had a partially cleaned up virus. I completed the cleanup that my client attempted, ran all my antivirus tools, and thought I had everything working. That is, until I noticed the little red shield for Windows Security Center. It said, “We’re Sorry. The Security Center could not change your Automatic Updates settings.”

I then tried to turn the updates on in the Automatic Updates settings, but they were already turned on and enabled.

Next, I wanted to see if I could just run Windows Update. It, however, fails immediately if you try to run Express, and gives me Error number: 0x80070424. (below)

So… we have this problem. We can’t run or enable updates in Windows XP. They show enabled, but Security Center thinks otherwise.

Ok, so let’s fix this. First, make sure you’ve cleaned up any viruses. Once you are sure you are working on a clean system, then try the fixes below.

We need to create at least one batch file (below) and re-register all the components.

Step 1:

Let’s try this one first. Create a file called reg-wu1.bat. (call it whatever you want though, it doesn’t matter.) Copy the text below and paste it into the file. NOTE: you may need to enable the display of file extensions in Windows Explorer so you can rename it to a “.bat” file.

regsvr32 c:\windows\system32\vbscript.dll
regsvr32 c:\windows\system32\mshtml.dll
regsvr32 c:\windows\system32\msjava.dll
regsvr32 c:\windows\system32\jscript.dll
regsvr32 c:\windows\system32\msxml.dll
regsvr32 c:\windows\system32\actxprxy.dll
regsvr32 c:\windows\system32\shdocvw.dll


It should look like this:

Save the file and double click it to run it. A DOS box will pop up and execute all the commands. You’ll get several “Succeeded” messages that you need to click “OK” on. Shown below, I received one or two that didn’t succeed:

I ran the above, attempted to run Windows Update again, but still received the error. Maybe it will work for you though. If not, try Step 2.

Step 2:

Then I created another batch file and called it reg-wu2.bat and pasted the text below into it:

regsvr32 /s Softpub.dll
regsvr32 /s Mssip32.dll
regsvr32 /s Initpki.dll
regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll
regsvr32 Urlmon.dll
regsvr32 Shdocvw.dll
regsvr32 Msjava.dll
regsvr32 Actxprxy.dll
regsvr32 Oleaut32.dll
regsvr32 Mshtml.dll
regsvr32 msxml.dll
regsvr32 msxml2.dll
regsvr32 msxml3.dll
regsvr32 Browseui.dll
regsvr32 shell32.dll
regsvr32 wuapi.dll
regsvr32 wuaueng.dll
regsvr32 wuaueng1.dll
regsvr32 wucltui.dll
regsvr32 wups.dll
regsvr32 wuweb.dll
regsvr32 jscript.dll
regsvr32 atl.dll
regsvr32 Mssip32.dll


Should look like the image below:

Again, as you did in step 1 above, save the file and double click it to run it. A DOS box will pop up and execute all the commands. You’ll get several “Succeeded” messages that you need to click “OK” on. I received one or two that didn’t succeed:

Here is one of the messages that did not succeed on this system:

Once this operation was complete, I went to Windows Update again and attempted to run the Express setup. EVERYTHING WORKED!!! YAY!! Even the Security Center showed updates were enabled and turned on again!
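The two batch files above make you click “OK” through every regsvr32 dialog, and a “failed” dialog can mean either a broken registration or simply a DLL that is not present on that machine. The script below is an added example, not from the original post: it runs the same registrations silently, records each exit code, and then checks the services Windows Update depends on, because error 0x80070424 is HRESULT_FROM_WIN32(1060), ERROR_SERVICE_DOES_NOT_EXIST. It assumes PowerShell 2.0 or later is installed on the XP machine and that the console is running as Administrator.

```powershell
# Added example (not part of the original post). Re-registers the DLLs from
# Steps 1 and 2 with regsvr32 /s and reports which ones failed or are missing.
# Assumes PowerShell 2.0+ on the affected machine, run as Administrator.

$dlls = @(
    'vbscript.dll', 'mshtml.dll', 'msjava.dll', 'jscript.dll', 'msxml.dll',
    'actxprxy.dll', 'shdocvw.dll', 'softpub.dll', 'wintrust.dll', 'initpki.dll',
    'dssenh.dll', 'rsaenh.dll', 'gpkcsp.dll', 'sccbase.dll', 'slbcsp.dll',
    'cryptdlg.dll', 'urlmon.dll', 'oleaut32.dll', 'msxml2.dll', 'msxml3.dll',
    'browseui.dll', 'shell32.dll', 'wuapi.dll', 'wuaueng.dll', 'wuaueng1.dll',
    'wucltui.dll', 'wups.dll', 'wuweb.dll', 'atl.dll', 'mssip32.dll'
)

$system32 = Join-Path $env:SystemRoot 'system32'
$results  = @()

foreach ($name in $dlls) {
    $path = Join-Path $system32 $name
    if (-not (Test-Path $path)) {
        # A "failed" dialog in the batch-file version is often just a DLL that
        # does not exist on this install (an optional component), not damage.
        $results += New-Object PSObject -Property @{ Dll = $name; Status = 'missing' }
        continue
    }
    # /s suppresses the dialog; regsvr32 is a GUI program, so wait for it
    # explicitly and read its exit code (0 = succeeded).
    $proc = Start-Process -FilePath 'regsvr32.exe' `
                          -ArgumentList @('/s', "`"$path`"") -Wait -PassThru
    if ($proc.ExitCode -eq 0) { $status = 'ok' }
    else { $status = "failed (exit $($proc.ExitCode))" }
    $results += New-Object PSObject -Property @{ Dll = $name; Status = $status }
}

$results | Format-Table Dll, Status -AutoSize

# 0x80070424 = ERROR_SERVICE_DOES_NOT_EXIST (1060): Windows Update could not
# find a service it needs. Confirm these still exist and are not disabled.
foreach ($svc in 'wuauserv', 'BITS', 'CryptSvc') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($s -eq $null) {
        Write-Warning "Service $svc is not installed - this matches error 0x80070424"
    } else {
        Write-Host ("{0,-10} {1,-10} start type: {2}" -f $svc, $s.Status, `
            (Get-WmiObject Win32_Service -Filter "Name='$svc'").StartMode)
    }
}
```

Run it once after the malware cleanup and again after the re-registration; a DLL reported as “missing” needs no further action, while one reported “failed” is worth re-running by hand to see the dialog text.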

If you need further help, I found some of these repairs in the Microsoft Knowledge Base article linked below.

http://support.microsoft.com/kb/555989

Good luck!


Reset your Windows password with Chntpw using System Rescue CD

by on Mar.11, 2011, under Linux, PC Repair, Registry, Security, Windows 7, Windows XP

Quick note about using the chntpw command to reset Windows passwords. Mostly, I just couldn’t remember what the command line program was or the switches.

Boot to System Rescue CD.
Mount the Windows drive read-write (mine was mounted read-only).
cd to the config dir: cd /mnt/sda1/Windows/System32/config
Back up your sam, security, system and software hives (just copy them to another directory).

Now run this to list users while in the config directory:
chntpw -l ./sam

And this will run in interactive mode and ask you which user’s password to edit.
chntpw -i ./sam

Chntpw can also edit your registry. One time it really saved the day when I was locked out of a computer and something was causing boot to fail. This made it pretty quick to edit the registry in a way that allowed me access to the system again. (then we proceeded to run a bunch of antivirus checks) By the way, this worked for me on Windows XP and Windows 7.

Great tool!


Nmap network discovery port scan

by on Mar.10, 2011, under Internet, Linux, Security

If you are like me, you don’t have time to run nmap scans and do other network maintenance. Nmap is one of those really fun and useful tools that are easy to use, but since I rarely use it, I never remember the options. Today was one of those situations where I needed to remotely hunt down a host on my client’s network that was running certain software. It wasn’t responding to any remote services (like RDP) or pings, so I didn’t even know if it was on the correct IP address. I thought it would be easy enough to do a quick network scan with nmap to discover the hosts that were running.

At a simple level, and on a small, class C network, I just ran this:

sudo nmap -PR 192.168.0.*

This allowed me to quickly see all the hosts that were up on the local subnet, and here’s an example showing the end of the output on the last host found:

Interesting ports on 192.168.0.210:
Not shown: 992 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
427/tcp  open  svrloc
443/tcp  open  https
515/tcp  open  printer
631/tcp  open  ipp
9100/tcp open  jetdirect
MAC Address: 00:1B:xx:xx:xx:xx (NEC AccessTechnica)
Nmap done: 256 IP addresses (20 hosts up) scanned in 42.07 seconds

That was super helpful. The host I needed showed right up, at the correct IP address, with most of the ports I expected. (not the one shown above) Now I just need to remote into the system (if I can) and adjust things. Nmap made it really easy on our Linux server.

There are some more useful commands, and as I need them, I’ll blog them. For today, this was all I needed.



Revisiting MsMpEng.exe Antimalware service executable high resource usage

by on Feb.23, 2011, under Antivirus, Security, Windows 7, Windows XP

MsMpEng.exe – Antimalware service executable

I generally do not have any issues with Microsoft Security Essentials. It just works, and does its job quite well. From time to time I notice some weird issues on my client computers, where MsMpEng.exe (Antimalware service executable) is using far too much memory and CPU time. (very large amounts of memory, and CPU usage may even hit 100%)

I had an original post here which may solve your issue as well:
http://www.1stbyte.com/2010/02/01/microsoft-security-essentials-msmpeng-exe-using-high-cpu-time/

That post says to exclude some directories from your scanning. I have since found that, in the newer version of Microsoft Security Essentials, there are some options that have also helped. We mainly want to tell MSSE that we only want to scan if the computer is not in use. I also set it to Limit CPU usage.

Check this option in the MSSE Settings tab, under Scheduled Scan:

“Start the scheduled scan only when my computer is on but not in use”

Open Microsoft Security Essentials and go to the Settings tab (shown below):

Next, in the Scheduled Scan settings on the left menu, look at the right side options and check the option box to only scan when my computer is not in use:

Security Essentials Settings - Make sure to Check this box

And last, save your changes:

Save your changes in Security Essentials


I have tried this setting, and it does help. But read my other post too; if this doesn’t help, maybe give that other option a shot. Good luck!

Rootkit from fes.sk/files

by on Feb.09, 2010, under Antivirus, Internet, Networking, PC Repair, Security, Windows XP

I had a client recently that had their browsers hijacked. Everything they typed in the browser ended up redirecting them to some test_s.php file at “www.fes.sk”.  (Don’t open that, or you might end up with a virus!  I just wanted people to find this in case it might help clean this bug off!)

Not sure what this virus was, but it disabled Microsoft Security Essentials and blocked even MalwareBytes and SuperAntispyware from detecting it. I couldn’t find it and I was almost to the point of just reloading the computer, because in this case it would have been faster to just copy the docs off and reload Windows XP.

I thought, let’s search that URL?  This was key, because it brought up some forum posts and someone mentioned HitMan PRO.  www.surfright.nl/en/hitmanpro

Never heard of this program, but thought since it had a 30 day trial I’d give it a quick shot. I was very impressed, it scanned in literally a few minutes. (like 2 or 3!) It found a “Rootkit”, nothing more than that though, in a file called “ipsec.sys” in the system32/drivers directory. Then it said, “Reboot to clean.”

My client was very pleased to see it reboot, do another very quick scan, and he was able to browse the web again.

Hitman Pro was free for 30 days, but you had to activate it.  I believe it has a subscription price of just under $30/year for 3 PC’s. (as of 02/09/2010)  That’s not too bad I think.  Keep in mind though, this looks like a “remover” , not a real-time antivirus protection program.  You’ll still want Norton, NOD32, MSSE, whatever you like, for that.

Now, I have to ask… because all my clients are starting to ask… why do they need this when they already have MSSE, Norton, etc? Why doesn’t the AV real-time protection actually protect them in the first place? Well, I can’t answer that one. But it drives me nuts, and it makes it worthless to pay for a subscription to Norton or McAfee (or any other) when all they do is get subverted and taken down, even if it’s the client’s fault. Because of this I will only suggest a free product for now, at least until I start seeing the “for pay” products doing what they were paid to do. And if I see a Rootkit or Trojan that I can’t easily clean off, I’ll recommend HitmanPro for now. If that can quickly remove bugs for my clients every time I use it, I’ll tell them (my clients) to use it and even purchase it as a quick cleaning tool in addition to MSSE.

Microsoft Security Essentials MsMpEng.exe using high CPU Time

by on Feb.01, 2010, under Antivirus, Security, Windows 7

MsMpEng.exe – Antimalware service executable

I have Windows 7 Ultimate x64, but I think this might be a problem in any version. I keep having issues with MsMpEng.exe hogging the CPU. Basically, using a large amount of resources, like 100%! It’s eating the CPU time and a lot of memory. The system will work just fine, even after running for hours, when suddenly the system slows to a crawl, almost to the point I have to reset the system. I finally narrowed the culprit down to MsMpEng.exe, the scanner for MSSE (Microsoft Security Essentials).

Good news is, I think the cpu hog problem is solved! I found a link on a Google search about adding exclusions, which I suspected would be a problem for things like my backup programs.  I added Crashplan and Syncback programs already, but what I found in that Google search was that you need to add the MSSE directories in C:\ProgramData to the exclusion list.  WHAT!!???  Are you kidding me?  MSSE doesn’t already exclude itself?  Come on MS!!  I really like MSSE,  but that’s pretty stupid.

I went ahead and added the directories below to MSSE exclusions:
(Be sure you set your system to Show Hidden Files in Windows Explorer, because C:\ProgramData is hidden in Windows 7, and so is the “All Users” profile folder in XP.)

-- For Windows 7 --

C:\ProgramData\Microsoft\Microsoft Antimalware
C:\ProgramData\Microsoft\Microsoft Security Essentials
C:\Program Files\Microsoft Security Essentials

-- For Windows XP --

C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware
C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Security Essentials
C:\Program Files\Microsoft Security Essentials

-----------

Note:
1. As stated above, make sure you have enabled showing hidden files.
2. You may need to search your system for “Microsoft Antimalware” or “Security Essentials” if you do not see the folders listed above.
3. I have not tested this in XP and don’t know the exact locations, so if you don’t see the folders, do a search on your computer.
4. Thank you to several commenters for the extra information regarding XP and other possible locations!

-----------

Now, for a couple days, I have had no more issues!!!  We’ll see in a week if it really fixes it.  That’s an easy fix, but completely annoying!  I still like MSSE regardless.  It’s not perfect, but I’d rather have it than anything else.

I am curious to know if anyone else found this fix to work?

Note:  I do recommend people run a manual scan with MalwareBytes and SuperAntispyware once in a while, along with the real time scanner in MSSE.  MSSE didn’t catch a recent trojan at one of my clients, same one was blocking MalwareBytes too.  Only SuperAntispyware cleaned the system properly.

EDIT 02/10/2010:

It’s been about a week and a half, still working fine! It appears that this fixed the problem!

EDIT 02/23/2011:

I have also seen a new setting to scan only when the computer is not in use, which has also helped in some cases. Check out my newer post:

http://www.1stbyte.com/2011/02/23/revisiting-msmpeng-exe-antimalware-service-executable-high-resource-usage/


ZFS CIFS and ACL Inheritance

by on Jul.24, 2009, under Networking, OpenSolaris, Security

This is just another one of those things that didn’t make any sense and only partially does now. At least NOW I know there is more at play here than the simple solutions in Samba using create mask and create directory mask. In Linux, that’s how I would get around the issues of Windows directory permissions running on a Linux SMB share.

Now, I am learning to do things the OpenSolaris way. I am loving OpenSolaris and ZFS! However, coming from a Linux and Windows “way of life”, there are some differences that just aren’t clear. What kills me is, I try the RTFM thing, and somehow completely miss that one little thing that makes it all work. Off topic, but an example: coming from Linux, I would just type “su” and get root access. In OpenSolaris, that won’t work. Neither will “pfexec su”, nor “sudo su”. Then one day, after dealing with it for a week or so, I stumbled upon a post where someone in an unrelated sample script typed “pfexec su - root”. There ya go! Argh!

Anyway, back on the ZFS/CIFS/ACL thing. It was driving me nuts that I couldn’t figure it out. I wanted a folder with this setup:
/pool/sharefs - owner:greg - group:domusers
greg and domusers should have full control and all folders under “sharefs” should inherit that.

So under Linux/Samba, that’s where I would do something like “create mask = 770” or similar, and “force create group = domusers”. Something like that, can’t remember exactly. It made it simple, actually. It always wrote files with the right perms and ownership and other people in that group could read/write just fine.

Problem is, you can’t get very specific about who gets what, where, and you can’t use more than one group. Well, sure enough, there’s a thing called “ACL” that handles that stuff now. It’s been around for a while now, but I never even heard of it until I started using OpenSolaris. I like how it seems to be more compatible with the way Windows handles ACL’s. What I don’t like is, it’s confusing. I get the NTFS/Share perms in Windows, been doing that a long time now. The CIFS/ZFS ACL thing kind of makes sense, and it will “click” at some point the more I use it.

After spending hours on this, I reached a point where I had to figure it out. Here’s what I did.

On the ZFS file system, create it normally for SMB access. Then I changed some properties for aclinherit and aclmode. Change those to “passthrough” (zfs set takes property=value pairs directly, without -o):
zfs set aclinherit=passthrough pool/sharefs
zfs set aclmode=passthrough pool/sharefs

Then chmod/chown. OH! That’s another thing. You need to use /bin/chmod and /bin/ls! Not just type: chmod … That won’t work. In OpenSolaris the default path points to /usr/gnu/bin/chmod, which doesn’t have the “A” or “V” options to set/view ACL’s. That was another thing that DROVE ME CRAZY!!! I read the man pages and manuals and docs online and I didn’t catch anything that said, “Hey, there are different versions of chmod and ls here!” I can’t believe the time wasted here! Back to the point, do this to put your own default perms on:

/bin/chmod 2774 /pool/sharefs
(I actually am not positive that is needed, but I think it set group as inheritable)

/bin/chmod -R A- /pool/sharefs
(that will wipe out the current perms)

/bin/chmod -R A=owner@:full_set:fd:allow /pool/sharefs
(resets perms with only that acl)

/bin/chmod -R A+group@:full_set:fd:allow /pool/sharefs
(that appends the group perms, full control)

/bin/chmod -R A+everyone@:read_set:fd:allow /pool/sharefs
(above appends everyone read access)

All of the above presets INHERITABLE permissions for the subdirectories. Notice above there is one with “A=” on it? That will reset the perms and set only that perm. So I guess you may not even need the previous line with “A-” to reset. (I am just learning here ya know!)

It looks as if that makes a little sense now. You can view the current ACL’s like so: “/bin/ls -V /pool/sharefs”

In my case, I might want to add another user or group:

/bin/chmod -R A+user:stacy:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:othergroup:full_set:fd:allow /pool/sharefs
/bin/chmod -R A+group:yetanothergroup:read_set:fd:allow /pool/sharefs

So with this setup I can now open the share on the server and create a file or folder with inherited permissions. It does, however, save my username as the new owner, so keep that in mind. But if the group stays in there with “domusers” as full read/write access, I am happy.

Well, now I get it just a little and it makes more sense compared to Windows ACL’s. I didn’t go over any share specifics and authentication issues, this was just ACL’s! I still have to RTFM my way around that for a while. Next project, join OpenSolaris to a Windows domain. (Which, BTW, does not work with NT Domain style connections, you have to use Active Directory.)

Folder redirection user permissions block access to Administrators

by on Mar.19, 2008, under Networking, Security, Windows Server

When using Folder Redirection on a Windows 2003 server, the default policy grants ownership and permissions only to the user. No admin account has access to this folder. For example, you create a Group Policy to redirect users’ My Documents folders to a home directory on the server. Once a user logs on and this policy is applied, the folder is created with ownership of the user only, and file permissions granted for that user only, too.

This has presented a big problem for me, having come from Windows 2000, where this was not the case. As you might guess, when only the user has permissions specified, no administrator can get access to this folder for backup purposes. Our backups always failed.

Well then, on Windows 2003 Server, two default policies are in place making the user’s folders more secure. Nice, but I don’t care. I want backup rights by default. Go into the Group Policy where you would like to define the new policy. I made a new Organizational Unit and put all my computers in there, so I could define the policy at a lower level, instead of at the domain level. Once you are editing your policy, drill down to here:
Computer Configuration -
Administrative Templates -
System -
User Profiles -

In here look for these two policies and enable them:
“Do not check for user ownership of Roaming Profile Folders”
“Add the Administrators security group to roaming user profiles”

Now this will allow Windows 2003 to behave more like Windows 2000 on the redirected folders. Unfortunately, there is one issue. It does not change permissions on previously created folders, only on newly created folders. That’s a pain, but not that big a deal, because I can probably script some folder moves and recreate them.

Also, even though these policy items say “Roaming”, they apply to local and roaming accounts. So even if your users have normal, non-roaming profiles, you still need to set them. In my case, we did not have any roaming profiles and only used folder redirection OR simply had home folders mapped from the server. Doing either of those had the same permissions problem and the policies mentioned solved the issue. (except for previously created folders; it only changes newly created folders after the policy change.)

Resetting NTFS permissions are not taking effect on child objects

by on Mar.19, 2008, under Networking, Security, Windows Server

Recently I went to reset a user’s home directory permissions on the server to allow them full control over each file/folder in their home directory. I set up all the normal accounts and of course the actual user account, with Full Control. I then went into Advanced and selected “Replace permission entries on all child objects” and hit apply.

This seemed to work fine, except the user complained that they could not access the documents in certain subfolders. When I checked those subfolders, the permissions were correct, except that her account had no permissions specified. Essentially this means, no perms, no access. So I tried again, same result.

The solution was simple, though I can’t figure out why this was configured this way. At the root folder where you wish to start inheritance, go into Advanced under Security on that folder. Go into Advanced again, and under Permissions, highlight the user in question, and click Edit. In the detailed Permission Entry window, at the very bottom, is a checkbox for:

“Apply these permissions to objects and/or containers within this container only.”

Uncheck that! And apply the permissions once more. All child objects should now have all the correct permissions! Yay!

I don’t understand why this is set this way. Is there a Group Policy in place I don’t know about? Did a previous IT guy change that? At least I have a solution.
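Both of the last two posts come down to the same two ACL details on home folders: whether Administrators hold an inheritable Full Control entry at all (the backup failures above), and whether an explicit entry is limited to “this container only”, which is PropagationFlags NoPropagateInherit in the Windows ACL model and stops it reaching deeper subfolders. The script below is an added example, not from either post: a read-only audit that walks the home share root and reports both conditions per folder, so you can find the folders created before the policy change without opening each one. The share root path is an assumption.

```powershell
# Added example (not part of the original posts). Read-only audit of redirected
# home folders: reports the owner, whether BUILTIN\Administrators has an
# inheritable Full Control ACE, and which explicit ACEs are restricted to
# "this container only" (NoPropagateInherit). Assumes PowerShell 2.0+ and that
# the account running it can read the ACLs. $homeRoot is an assumed path.

$homeRoot = 'D:\Home'

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$ci          = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$oi          = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$noPropagate = [System.Security.AccessControl.PropagationFlags]::NoPropagateInherit

function Test-HomeFolderAcl {
    param([string]$Path)

    $acl           = Get-Acl -Path $Path
    $adminsFull    = $false
    $containerOnly = @()

    foreach ($ace in $acl.Access) {
        $id        = $ace.IdentityReference.Value
        $isFull    = (($ace.FileSystemRights -band $fullControl) -eq $fullControl)
        # Inheritable to both subfolders and files, and not cut off at one level.
        $inherits  = ((($ace.InheritanceFlags -band $ci) -ne 0) -and
                      (($ace.InheritanceFlags -band $oi) -ne 0) -and
                      (($ace.PropagationFlags -band $noPropagate) -eq 0))

        if ($id -eq 'BUILTIN\Administrators' -and
            $ace.AccessControlType -eq 'Allow' -and $isFull -and $inherits) {
            $adminsFull = $true
        }
        # The "Apply these permissions to objects and/or containers within this
        # container only" checkbox sets NoPropagateInherit on an explicit ACE.
        if (-not $ace.IsInherited -and
            (($ace.PropagationFlags -band $noPropagate) -ne 0)) {
            $containerOnly += $id
        }
    }

    New-Object PSObject -Property @{
        Folder        = $Path
        Owner         = $acl.Owner
        AdminsFullCtl = $adminsFull
        ContainerOnly = ($containerOnly -join ', ')
    }
}

Get-ChildItem -Path $homeRoot |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Test-HomeFolderAcl -Path $_.FullName } |
    Format-Table Folder, Owner, AdminsFullCtl, ContainerOnly -AutoSize
```

Folders showing AdminsFullCtl False are the ones the new policy did not retrofit and the backup job will still fail on; a non-empty ContainerOnly column points at the checkbox the second post says to clear.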

Is a hardware firewall really a software firewall anyway?

by on Mar.05, 2008, under Internet, Linux, Networking, Security

I love how people always say that a software firewall like IPCop is a “lesser” product than a hardware system. I ran into one site speaking of Netsentron as a hardware solution. I’d also include Endian Firewall and Untangle when we talk about a “Linux based hardware firewall”. Well here’s my thought. These systems offer a hardware solution, but aren’t these products really the same thing as the downloaded software version they provide? And if so, these products are really only a “hardware/software bundle”, right? (I think they actually advertise them this way anyway, but my gripe is with all those techs out there under the notion that these are real hardware based products.)

I can’t comment on any Cisco or Sonicwall hardware firewalls, because I have not used any of them. But are these also just software running on hardware? And the main thing I’ve heard from security people about the lesser quality software products is that they are not good at defending against DoS attacks. Is this really true? Even if so, in the last 10 years I’ve run some sort of Linux based firewall, whether home-brewed or a special firewall distribution, and I’ve not once had a break in. I’ve not once had a DoS attack. (THIS IS NOT AN INVITATION!)

Now, I have had a DoS attack directly on an Exchange or IIS server that was port forwarded directly to the Internet. Not pretty! Which is a big reason why I don’t run these systems directly anymore. But this is off topic. (maybe another blog coming!)

I’ll do some of my own research, but maybe someone out there can shed some light on the deficiencies of a Linux firewall, in particular IPCop or Smoothwall. For my use, IPCop with a few addons makes for a fantastic filtering firewall, provided we pick good hardware to run it on, and configure it properly. Is Sonicwall truly better at providing security?

Ah, just thinking out loud again. I am sure someone out there will give me hell for saying things like this. I am not a security expert, not even close. But, sometimes I just wonder about things.

EDIT 03/08/2010 ::

Since I wrote this article, I’ve switched to PFSense as my firewall of choice. It does way more, and better, than I could do with IPCop. (still like IPCop though!) PFSense is a FreeBSD based solution. It can handle multiple WAN connections, can add several interfaces all with IP aliases, and has all the “lock down” rules in place from the start. Not to mention, there are plugins that make tracking down traffic issues much easier. I LOVE IT!

The only gripe I might have is in the complexity of the traffic shaper, although, I could actually use it as opposed to trying to figure out the Linux way. (which I never did figure out.)

Having said all that, my original point of the post still stands. Who cares if you have a Sonicwall or Pix? Are they truly more secure? Are they not also just software running on hardware, making them really just “embedded apps” of a sort? I think PFSense can run embedded, right? (Which really just translates to, “I can run this on a flash media drive and on a tiny little computer.”) So yes, I still need to research this on my own, but I really don’t get what is better about those expensive solutions. I’d rather have PFSense, or similar, on generic hardware that can be swapped and troubleshot more easily. Just my opinion.

Fixing Grub and IPCop boot on Linux after cloning a hard drive

by on Oct.22, 2007, under Linux, PC Repair, Security

When you clone or image your Linux hard drive with Ghost or Drive Image (or any other imaging software) you might not be able to load Grub. Usually just running some Grub commands off a Linux System Rescue CD will fix it. I think most any bootable Linux Live CD will work. You would run these commands:

After boot, run “grub”. (the following lines are from the “grub>” prompt.)

……………………

find /boot/grub/stage1

    (hd0,0)

root (hd0,0)

setup (hd0)

quit

……………………

You would replace “root (hd0,0)” with whatever is output from the find command above. The above assumes you have /boot on the same root partition.

On IPCop, /boot is on a separate partition. So you need to be a little fancier. The key is to tell it what device to use. In the example below, we will assume we know what drive the boot record is on. (hd0,0). Also note that, because IPCop has /boot on a separate partition, running the find command would be like so:

find /grub/stage1

Ok, so using the device command, and since we know our root is on hd0 …
(all on the grub prompt)

……………………

device (hd0) /dev/hda

root (hd0,0)

setup (hd0)

quit

……………………


Now grub should load ok. This would apply to most images/clones made, I think. But, now, what if your distro uses symlinks to represent your hard drives? I ask, because this stopped me from running IPCop off an image. Took me a while to realize two things.

  1. IPCop uses symlinks for /dev/harddisk instead of /dev/hda. (Can someone tell me why they do that? Why change that? Every other Linux distro I have used uses /dev/hda1 for the first partition on an IDE drive.)
  2. When I cloned the system, the grub.conf (also known as menu.lst on other systems) listed the root filesystem as /dev/hda4, and yet there was no hda4 in the dev directory. It didn’t even exist on the old drive, so I have no idea how IPCop was booting!

Solution to #2 above was again to boot to a Linux Live CD, mount the boot partition on hda1, edit grub.conf and change all the /dev/hda4 entries to /dev/hda3, where the root filesystem actually resided.

On #1 above, I don’t think fixing it actually caused the system to boot, but I did it anyway. While booted to the Live CD, I edited the /etc/fstab file on the hard drive and changed all the entries for /dev/harddisk1 through 3 to point to /dev/hda1 through 3. There is probably a reason for them doing this, but ya got me why. Changing this might bite me in the butt some day, but for now, it boots beautifully!
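As an added check, not part of the original post: a small shell script that pulls the root= device out of every kernel line in a legacy grub.conf (menu.lst) and reports whether that device actually exists, so the hda4-versus-hda3 mismatch above shows up before the first failed boot. It takes the config path as its first argument and the /dev tree to check as its second, so from a live CD it can be pointed at the mounted clone's own /dev (static /dev trees like IPCop 1.4's keep their nodes and symlinks on disk). The paths in the usage comment are constructed.

```shell
#!/bin/sh
# Added example, not from the post: audit the root= devices a legacy
# grub.conf / menu.lst refers to before trusting a cloned drive to boot.
set -eu

# Print the root=<device> value from every "kernel" line, one per line.
# Example line (constructed): "  kernel /vmlinuz root=/dev/hda4 ro"
root_devices_in() {
    awk '$1 == "kernel" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^root=/) { sub(/^root=/, "", $i); print $i }
    }' "$1"
}

# Check each root= device against a /dev tree (default: the running
# system's; pass the mounted clone's /dev when working from a live CD).
# Prints one line per device and returns 1 if any device is missing.
check_root_devices() {
    conf=$1
    devtree=${2:-/dev}
    status=0
    for dev in $(root_devices_in "$conf"); do
        path="$devtree/${dev#/dev/}"
        if [ -L "$path" ] && [ -e "$path" ]; then
            # IPCop-style symlink, e.g. /dev/harddisk3 -> hda3
            printf '%s: present (symlink to %s)\n' "$dev" "$(readlink "$path")"
        elif [ -e "$path" ]; then
            printf '%s: present\n' "$dev"
        else
            printf '%s: MISSING\n' "$dev"
            status=1
        fi
    done
    return "$status"
}

# Usage (constructed mount points):
#   check_root_devices /mnt/boot/grub/grub.conf /mnt/root/dev
```

A non-zero exit from check_root_devices is the signal to edit grub.conf before rebooting; the symlink case is reported separately so an IPCop-style /dev/harddiskN reference is visible as such rather than silently passing.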

Oh, and one might ask, why make a drive image of IPCop when they provide a backup and restore feature using floppy? Well, here’s why: 1. I have a ton of add-on programs installed, and they don’t backup. 2. I like an image better than a floppy!

IPCop is an awesome system, and I’ve had zero problems with it over many years now. But it doesn’t do enough by itself. I mostly like the BlockOutTraffic addon you can install, giving you detailed control over all communication. I also modify the SSH setup to work the way I like it, using certificate auth and custom ports for several users tunneling into our networks. (works way better than VPN!) On some networks, I have to use PopTOP, the PPTP addon for IPCop VPN. (not by my choice, it’s a requirement of an application we use.) All these might not back up to a floppy, and it’s so fast to make a Ghost image of the drive. You just have to spend a few extra minutes during restore.

Note: I was using IPCop 1.4.16 during all this.

EDIT 10/22 (later that evening…)

For IPCop, YOU MUST boot to an existing drive on /dev/hda that contains a working copy of IPCop and have your newly cloned drive operational as /dev/hdc. When you run grub, and then all the device, root and setup commands, you need to do it like so.

……………………

device (hd0) /dev/hdc

root (hd0,0)

setup (hd0)

quit

……………………

Notice the /dev/hdc above? Don’t ask me why, but when you try to run this from a Live CD, it won’t work. I really would like to know though, because the fact that it doesn’t work drives me nuts. There must be a simple explanation, and I know it’s just my ignorance of the grub boot loader, but this shouldn’t be needed. (and yet it is!) I just don’t have time to figure it out, when I can simply boot an IPCop as hda and run this quickly. Sometimes it is easier to not ask why, and move on. So make a note of this: YOU MUST boot to an IPCop OS with your new drive installed, then run the grub setup. Stupid, but at least it works.


IPCop 1.4.15 with PPTPd would not run because of libpcap link

by on Oct.03, 2007, under Linux, Networking, Security, Windows Vista

I fought with this one for a while, like several hours. I installed the pptp addon for IPCop, which, by the way, you must Google for. I installed version 0.2.9 (pptpd_0.2.9.tar.gz) and found that on a forum somewhere. If you go to the addons page from IPCop, you will only find 0.2.6, and that won’t work with 1.4.13 or higher. (I might have that version a bit off, but I think that’s right) So Google for that file and you should find the file and the ftp server IP. I don’t want to provide that, because I don’t have permission to do so.

Anyway, back to the problem. The pptp addon installed just fine on IPCop, and the admin web GUI showed the correct items. I could not, however, get Windows to connect. I always got a 619 error, like that is helpful! In /var/log/messages on the IPCop box, I found this:
pptpd[5740]: GRE: read(fd=5,buffer=804dc00,len=8196) from PTY failed: status = -1 error = Input/output error

You can see the details on the pptpclient help page:

http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto


I didn’t know how to do their troubleshooting, especially on IPCop. But then it occurred to me, find pppd, and ask it for help!

I ran this: /opt/pptp/sbin/pppd --help
Returned: /opt/pptp/sbin/pppd: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory

Ah-HA!!!

Run this on IPCop 1.4.15 while in the /usr/lib directory: ln -s libpcap.so.0.9.5 libpcap.so.0.8.3

BINGO! Windows can connect! From Vista no less!
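The pppd --help trick above stumbled on the missing library by accident. As an added example (not from the post, and not an IPCop tool), here is a small shell script that asks the dynamic loader the same question deliberately for every executable under an addon's install tree, and alongside each unresolved library lists which versions of that library are really installed. That last part is the caveat behind the symlink fix: pointing libpcap.so.0.8.3 at libpcap.so.0.9.5 makes the loader happy, but the two are different builds, so the report shows the version gap before anyone bridges it. The directory in the usage comment is constructed; ldd and awk are assumed to be present.

```shell
#!/bin/sh
# Added example, not from the post: find the shared libraries a binary
# cannot load, and show which versions of that library are really installed.
set -eu

# Print each library that ldd reports as "not found", one per line.
# Reads ldd output on stdin so it works on a saved log as well.
# Matching line shape (constructed): "   libpcap.so.0.8.3 => not found"
missing_from_ldd() {
    awk '$2 == "=>" && $3 == "not" && $4 == "found" { print $1 }'
}

# List the unresolved libraries of one binary (no output = all resolved).
missing_libs() {
    ldd "$1" 2>/dev/null | missing_from_ldd
}

# Library name without its version, e.g. libpcap.so.0.8.3 -> libpcap
libname_of() {
    printf '%s\n' "${1%%.so*}"
}

# Versions of a library actually present in the usual library directories,
# so a mismatch such as 0.9.5 installed versus 0.8.3 wanted is visible
# before anyone papers over it with a symlink across versions.
installed_versions_of() {
    name=$(libname_of "$1")
    for dir in /lib /usr/lib /lib64 /usr/lib64 /usr/local/lib; do
        for f in "$dir/$name".so*; do
            [ -e "$f" ] && printf '%s\n' "$f"
        done
    done
    return 0
}

# Scan every executable under a directory (e.g. an addon's install tree)
# and report its unresolved libraries together with what is installed.
report_tree() {
    find "$1" -type f -perm -u+x | while read -r bin; do
        missing_libs "$bin" | while read -r lib; do
            printf '%s needs %s (not found); installed: %s\n' \
                "$bin" "$lib" "$(installed_versions_of "$lib" | tr '\n' ' ')"
        done
    done
}

# Usage (constructed path): report_tree /opt/pptp
```

Running report_tree over an addon's tree right after installing it turns the "Input/output error" hunt into a one-line answer, and the installed-versions column tells you whether the right package is merely missing or a different version is what's really there.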

Oh, and I know that PPTP is not the best as far as security goes, but it is the only thing I can use. I am running several Wifi Palm devices with a PPTP client on them for Hotsyncing on the Internet. I realize there is another product available that uses IPSec, but that is quite expensive per device. Plus that solution might run into a lot more hassle for the users while on the road trying to connect over hotspots, because IPSec may be blocked. PPTP is just more compatible. I’d really prefer to have an SSL based VPN on the Palm, but I don’t know of one available. So, for now, I’ll at least suffer with PPTP instead of opening my hotsync up to the world. Not perfect, but I can lock down the connection with IPCop too. (sounds like another blog post…)


Open file security warning on mapped drive

by on Jul.06, 2007, under Networking, Security, Windows Server, Windows XP

When opening files on the network over a mapped drive or a UNC path, you receive a “publisher” or “security” warning before running the file. Very annoying.

In IE, you add the server or domain to your “local intranet” security zone. In my case, my server was: main.domain.local
It was mapped on O: drive.


So in the zone I added:
\\main
O:\
domain.local
\\domain.local

That took care of all kinds of connections.

For a domain-wide setting: in Active Directory, I added a group policy for the moderate-risk file types.

Go to a domain policy (I used the Default Domain Policy on mine) > User Configuration > Administrative Templates > Windows Components > Attachment Manager.

And edit the item: Inclusion List for Moderate Risk file types

Add: .doc;.xls;.exe;.pdf
(just the most common, you might want more)

Add the types you want to exclude from the security warning. Reboot the client computer, or run gpupdate on it to get the new policy. Problem went away for me!


Self-Signed IIS SSL Certificates using OpenSSL

by on Jun.18, 2007, under Linux, Networking, Security, Windows Server

Greg’s Uberfast version:

Linux:

openssl genrsa -des3 -out CA.key 1024
openssl req -new -key CA.key -x509 -days 3650 -out CA.crt
chmod 400 CA.key
chmod 400 CA.crt

(the above made a new CA, you want to install the crt into IE’s trusted certs.)

Win:

Make a cert request in IIS and take it to the Linux box.

Linux:

(All one line)
openssl x509 -req -days 3650 -in certreq.txt -CA CA.crt
-CAkey CA.key -CAcreateserial -out mail.server.crt

Win:

Take that mail.server.crt and install it in IIS. People browsing your site will get a “not valid CA” type error, especially in IE7, and they’ll need to accept that. Otherwise, you need to buy a real cert. If it’s only your users on the site, then just have them install the CA.crt into IE, as then they will trust the authority/key from the web server. Every user will need to do that.
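A scripted version of the same CA-and-sign flow, as an added example rather than the post's own commands: it builds the CA with its own minimal config so the result does not depend on the system openssl.cnf, stands in for the IIS certificate request with one generated by openssl (certreq.txt from IIS drops into the same place), signs it with a subjectAltName, and then verifies the chain and hostname the way a browser would. It departs from the post in using 2048-bit RSA and SHA-256 and an AES-encrypted CA key, since 1024-bit keys and SHA-1 certificates are rejected by current browsers. The directory, passphrase and hostname are arguments; the values in the usage comment are constructed, and the openssl command-line tool (1.1.1 or newer) is assumed.

```shell
#!/bin/sh
# Added example, not from the post: non-interactive private CA plus a
# server certificate signed by it, followed by the check that it chains.
# Assumes the openssl command-line tool, 1.1.1 or newer.
set -eu

# Build a CA key and self-signed CA certificate in directory $1.
# $2 is the passphrase protecting CA.key (the post used -des3; -aes256 here).
make_ca() {
    d=$1; pass=$2
    mkdir -p "$d"
    # Minimal request config: fixed subject, CA extensions, no prompting,
    # so the certificate does not depend on the distro's openssl.cnf.
    cat >"$d/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = Example Internal CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -aes256 -passout "pass:$pass" -out "$d/CA.key" 2048 2>/dev/null
    chmod 400 "$d/CA.key"
    openssl req -new -x509 -days 3650 -sha256 -config "$d/ca.cnf" \
        -key "$d/CA.key" -passin "pass:$pass" -out "$d/CA.crt"
    chmod 400 "$d/CA.crt"
}

# Stand-in for the IIS step: generate a key and request for host $2 in $1.
# With a real IIS request, skip this and pass its certreq.txt to sign_request.
make_request() {
    d=$1; fqdn=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$fqdn" \
        -keyout "$d/server.key" -out "$d/certreq.txt" 2>/dev/null
}

# Sign request $3 for host $4 with the CA in $1 (passphrase $2), writing
# $1/mail.server.crt. Adds the SAN and usages modern clients insist on.
sign_request() {
    d=$1; pass=$2; csr=$3; fqdn=$4
    cat >"$d/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$fqdn
EOF
    openssl x509 -req -days 3650 -sha256 -in "$csr" \
        -CA "$d/CA.crt" -CAkey "$d/CA.key" -passin "pass:$pass" -CAcreateserial \
        -extfile "$d/server.ext" -out "$d/mail.server.crt" 2>/dev/null
}

# Does $1/mail.server.crt chain to $1/CA.crt and match host $2?
verify_server_cert() {
    openssl verify -CAfile "$1/CA.crt" -verify_hostname "$2" \
        "$1/mail.server.crt" >/dev/null 2>&1
}

# Usage (constructed values):
#   make_ca /tmp/ca 'choose-a-real-passphrase'
#   make_request /tmp/ca mail.example.test   # or copy certreq.txt from IIS
#   sign_request /tmp/ca 'choose-a-real-passphrase' /tmp/ca/certreq.txt mail.example.test
#   verify_server_cert /tmp/ca mail.example.test && echo "chain OK"
```

The verify step is the part the post leaves to the browser: it fails both when the CA.crt is not the one that signed the server cert and when the hostname users type does not match the SAN, which are the two reasons an installed cert still throws the "not valid CA" error after the CA has been imported.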

