Anyone Using Astaro

DasFox

Diamond Member
Sep 4, 2003
4,668
46
91
I want to use Astaro to firewall an XP x64 box, so being the network newbie I am, I thought, since Astaro uses the IP '192.168.2.100' to log in to the WebAdmin, that in XP under TCP/IP I would assign it the IP '192.168.2.101' and a netmask of 255.255.255.0 and also assign it the DNS, so I could log in. Well, this works, I'm able to log in to the WebAdmin and that's all.

Now in the network interface I add in my second card as 'eth1' and name it External, then pick it as the 'Standard Interface' for it.

Under the IP, Mask and Gateway I put them all on DHCP. Out in the interface it was green, but showed as 'Down' in red, and where there should have been the addresses it was just question marks, ???????, and it shows as 'unresolved'.

Personally I have tried this a few ways, also thinking I needed to start the DHCP Server, but this just gives the 'Internal' NIC, which is eth0, so not sure this helps, but after doing it and rebooting Astaro I could not get online either.

Any help getting this online would be greatly appreciated.

THANKS
 

Thoreau

Golden Member
Jan 11, 2003
1,441
0
76
If you're using cable internet service, power cycle the modem. Many ISPs lock service to the first MAC address that the modem sees, but that can usually be reset/cleared with a simple power cycle.

I used to use Astaro myself (just makes things like IPCop, Smoothwall, etc. look like child's play) and had some odd instances where I had to cycle the WAN interface in the web admin a few times before it would pick up DHCP from the ISP. After that and a cable modem reset everything seemed to be just fine.

Oh, don't expect to be able to browse the web with a default config once the WAN interface comes up either. You have to manually configure NAT/Masquerading and security rules to allow traffic through. By default everything and anything is blocked (the way it should be.)
 

DasFox

Ok so what would I need to set for NAT to surf the web? I mean I have a basic idea of it, but I don't know how to really set the options, where it shows as External (Address), or External (Broadcast), etc. I just don't understand in what way to set these up.

THANKS
 

Thoreau

Hopefully someone around here is still using Astaro, but my memory is way too hazy to give any reliable info as to the precise configuration anymore. I remember having to read and re-read the online documentation a few dozen times before I could get it to work myself. All I remember for sure was that I had to create an entry for NAT/Masq and also an IP filtering rule to allow traffic from my LAN side out to the WAN side. I didn't go much more granular than that, even though Astaro was definitely capable of it.

Astaro definitely isn't going for the ease-of-use factor with their products, but then again the attention to detail and plethora of features more than make up for it in my opinion.

You might want to visit their support forums for the basics. Last time I was there they had a fairly active online community that was pretty helpful.
 

DasFox

Yippie, I got an IP, now to figure out how to do this. Sheesh, I'm not sure this thing is for me, yes this is not user-friendly. I'm not a total PC noob, but I'm a bit weak in networking, so I'm not sure in what way I need to configure it.

Crap, 6 hours I've messed with this thing and I'm still not online, LMAO.

THANKS
 

Thoreau

Dammit, yer making me wanna load up Astaro again! Wonder if they could make a slim version of Astaro run on a WRT54G...
 

InlineFive

Diamond Member
Sep 20, 2003
9,599
2
0
Okay, looks like you are part of the way there. Here is how I got my Astaro box to let the Internal network people access the internet.

1. Add both NICs and their roles under Network >> Interfaces. Under the Admin column make sure both NICs are set to green, otherwise they will not work properly. In addition, only the External NIC should have a default gateway.
2. Set up a Masquerading rule from Internal (Network) to the External interface. This option is under Network >> NAT/Masquerading.
3. Enable the DHCP Server for the Internal (Network) under Network >> DHCP Service. Select the operation "DHCP Server" and then select to use it on the Internal interface. Here you can specify the IP range as well as Gateway, DNS and WINS servers. The Gateway should be the IP of the Astaro box. The DNS may be too, depending on if you are going to use the DNS proxy.

(Now by default the Astaro box will block all traffic. You can let traffic through by enabling a proxy and/or setting up packet filter rules.)

4. Under Proxies configure the proxies you want to use for your network. I usually go with HTTP and DNS first to speed up internet browsing. (Make sure to enable Caching under the HTTP proxy.)
5. Now for the remaining applications and/or protocols create rules under Packet Filter >> Rules to allow them access. These may be for games, HTTPS (the HTTP proxy doesn't handle secure HTTP), VPN, NTP, etc.

That should get you going! Next I would advise looking into customizing Intrusion Protection and the Advanced options for the Packet Filter. Depending on how strong your box is you may notice a difference by turning off unneeded IPS categories. Like for the Oracle Server, of which there are tons of patterns.

If you have any more questions I'll try to help. :)

I5
 

DasFox

Thanks InlineFive, but before I go there again I need to figure out if this is possible, because I don't really have the extra hardware, boxes, to mess with this.

I'm looking at setting up Astaro for a SOHO/Home setup, I have a few boxes and one that is dual boot, XP/Gentoo that I do quite a bit of work on.

At the moment I am limited for having a box to make a firewall on and the boxes it will firewall don't always stay on. Where I live electricity is very expensive, so when work is over they all go off.

I have on my dual boot box two SATA drives; the second one is where I'd like to install Astaro, as /dev/sdb, and with grub on Gentoo I'd like to set that up to allow me to boot between either XP, Gentoo or Astaro, so I can boot Astaro when I need to firewall these other boxes when they are turned on and being used.

So is there a way I can do this? If so I'll be trying it out again.

Man I wish they could have made this thing simpler to administer.

THANKS
 

DasFox

I think I'll just use it in VMware and then firewall like this until I can afford another box and hardware.

THANKS
 

InlineFive

VMware can add an additional layer of complication, but in this case it seems well suited for your requirement.

And once you get over the initial setup it's pretty easy to use (minus Roadwarrior CA).
 

Goosemaster

Lifer
Apr 10, 2001
48,775
3
81
Setting up Astaro is a lesson in walking on fire. Let me see if I can pull up a list of what to activate for a basic DHCP setup. It is a very specific, although quite simple, process.

Let me look at InlineFive's response and make changes where appropriate. I will be a few min. since I am in the middle of a few things

(me and a friend were just changing the drums on my car)
 

DasFox

Yeah I'm going to try and do it with VMware for now; it will be the best way to go with my minimal hardware at the moment.

With VMware how do I make the Ethernet, I mean for the two of them should I make them both bridged, NAT or what?

By the way it detects only these virtual ones, is that ok, or do I need it to really see and use my actual ones? Unless these are some virtual pipes to the real ones.

THANKS
 

DasFox

InlineFive, here is a run down so far:

Both NICs up and green & gateway for external NIC

Masquerading setup -----> http://img224.imageshack.us/my.php?image=screen14pd.jpg

DHCP Server setup under "Internal" with DNS, BUT for gateway, use the External NIC's real gateway IP?

Under Proxies I'm going to need you to tell me step by step what to do here, sorry :( I thought I had it correct, but some things I'm not sure about.

Packet Filter >> Rules I need to just add one for HTTPS is all? If so I added it in as "Source" - "Internal Network" - "Destination" - "Any"

I'm still not online and going :(

By the way, with this HTTP proxy setting I need to set up Firefox to use a proxy, the Internal NIC I use to connect to the WebAdmin, to surf, like: ---> 192.168.2.100:8080

THANKS


P.S. AHHHH this thing!!!! :Q
 

Goosemaster

For rules you have to add EVERYTHING, just like a real firewall, such as HTTP, DNS, etc.... the proxies take care of most of that.

They have two proxy settings. One that redirects automatically, and one that requires clients to have the redirect info (:8080)
 

Goosemaster

I have to go to work but tonight when I get back I'll help you out:)
I just had too much stuff to do yesterday.
 

InlineFive

Originally posted by: Goosemaster
For rules you have to add EVERYTHING, just like a real firewall, such as HTTP, DNS, etc.... the proxies take care of most of that.

They have two proxy settings. One that redirects automatically, and one that requires clients to have the redirect info (:8080)

It is worthwhile to note that if you have a proxy enabled you don't need to create an associated packet filter rule.

Originally posted by: DasFox
InlineFive, here is a run down so far:

Both NICs up and green & gateway for external NIC

Masquerading setup -----> http://img224.imageshack.us/my.php?image=screen14pd.jpg

DHCP Server setup under "Internal" with DNS, BUT for gateway, use the External NIC's real gateway IP?

Under Proxies I'm going to need you to tell me step by step what to do here, sorry :( I thought I had it correct, but some things I'm not sure about.

Packet Filter >> Rules I need to just add one for HTTPS is all? If so I added it in as "Source" - "Internal Network" - "Destination" - "Any"

I'm still not online and going :(

By the way, with this HTTP proxy setting I need to set up Firefox to use a proxy, the Internal NIC I use to connect to the WebAdmin, to surf, like: ---> 192.168.2.100:8080

THANKS

P.S. AHHHH this thing!!!! :Q

Here is a brief rundown of the HTTP proxy.

Proxies >> HTTP
Status: Green (Duh)
Operation Mode: For a home network you can either use Standard or Transparent. Standard is annoying (to me) because you have to disable the proxy on your clients whenever you need to access WebAdmin. That being said I leave it on Transparent which does not require you to reconfigure the clients and still allows WebAdmin access.
Log Level: Just leave it at Access log unless you need troubleshooting information.
Anonymity: This interferes with some websites I use, so I leave it at None. You could try Standard or Paranoid and see how it works out.
Allowed Networks: Here you can specify only the networks that should have access to the proxy. In your situation Internal (Network) should be added.

<Skipped Content Filtering because you need a $75 license.>

Caching: I leave this at On to improve browsing speeds.
Block CONNECT method on HTTP port: I would suggest leaving this Off because the IPS system offers better control.
Allowed Target Services: Leave this at the defaults.

I'll try to start up a fresh Astaro install in VirtualPC so I can make you a generic configuration to load for internet access, although I may not get it done today.
 

DasFox

You're losing me InlineFive, what are you saying, that all I need is DHCP, Masquerading and HTTP proxy setup and I should be able to get online?

THANKS
 

DasFox

HOUSTON WE HAVE IGNITION!

WoOt!

YIPPIE I'm online, but damn, NOW the WebAdmin is going bonkers on me and flickering and I can't log in to it. :(

Looks like I might have to reset it.

So here is what I did:

Removed the https packet filter rule, at present I have no filter rules.

Operation Mode: Transparent
Log Level: Access log
Anonymity: none
Allowed Networks: Internal Network
Skip source/destination networks: Any
Caching: On
Block CONNECT method on HTTP port: Off
Allowed Target Services: Left at the defaults.

Ok so proxies I somewhat understand, and then in Firefox I put in for all protocols the WebAdmin login address to access the web as:

192.168.2.100 8080 and it worked, I'm online, so then I tried to log in, still had the proxy on, and got this message:

Illegal Address:

Your request comes from an address used on one of the firewalls interfaces. This probably means that you access WebAdmin with one of the firewalls proxies, which is not allowed due to security considerations. Please disable the proxy for WebAdmin access and try again.

Ok so I then turned it off in Firefox and tried to log back in again, and that is when the WebAdmin started flashing and flickering.

Why is it doing this?

THANKS


P.S. I just restarted WebAdmin and it's not flickering now. Any idea what might have caused this?
 

DasFox

I think because I had the XP firewall on and didn't turn it off, when I finally got this going it just freaked out, LOL. Anyhow, the flickering is gone.

Ok NOW for some tweaking.

Port 443, how do I stealth it? ------> I Fixed This And It's STEALTH Now

I put these settings for, Portscan Detection:

Action: Drop (blackhole)
Exclude source networks: Internal Network
Exclude destination networks: Any

SYN (TCP) Flood Protection
Mode: Both source and destination addresses
Logging: Limited
Skip source networks: Internal Network
Skip destination networks: Any

UDP Flood Protection
Mode: Both source and destination addresses
Logging: Limited
Skip source networks: Internal Network
Skip destination networks: Any

ICMP Flood Protection
Mode: Both source and destination addresses
Logging: Limited
Skip source networks: Internal Network
Skip destination networks: Any

For Portscan Detection and the Flood Protections are those correct settings?

And how do I deal with this proxy setting in Firefox? I have to always turn it on to surf and off to log in to the WebAdmin.

I swear I get so dyslexic with the idea of source and destination, always turning them around in my head, LOL

THANKS

P.S. I don't really understand "ICMP-Forwarding", should I enable this? Also what do you think about running "The Common Criteria Mode" and the "ICSA Certification", is it ok to do both for good security?
 

DasFox

YEAHHHHHHH ;)


Your system has achieved a perfect "TruStealth" rating. Not a single packet, solicited or otherwise, was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


InlineFive, for my Kaspersky AV, for the listening port for its updates and the port it downloads on, if it is the same one it listens on, how can I find what port it is with Astaro and then allow just this port?

By the way, for any applications I use, for example IRC, Instant Messengers, etc...

How does one go about finding the port it uses and then allowing only these specific ports access in Astaro?

Also for the HTTP proxy under Anonymity: this is not doing anything, an online IP check shows my real IP.

I was looking at the "Intrusion Protection Rules"; before the "Group" the three boxes are blank, is yours like this, with no names?

Also in this screenshot:

http://img162.imageshack.us/my.php?image=screen6nw.jpg

Are these the default settings for "attack-responses"? Because I clicked it, then forgot if I put it back correct.

THANKS
 

Goosemaster

Originally posted by: DasFox
YEAHHHHHHH ;)


Your system has achieved a perfect "TruStealth" rating. Not a single packet, solicited or otherwise, was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


InlineFive, for my Kaspersky AV, for the listening port for its updates and the port it downloads on, if it is the same one it listens on, how can I find what port it is with Astaro and then allow just this port?

By the way, for any applications I use, for example IRC, Instant Messengers, etc...

How does one go about finding the port it uses and then allowing only these specific ports access in Astaro?

Also for the HTTP proxy under Anonymity: this is not doing anything, an online IP check shows my real IP.

I was looking at the "Intrusion Protection Rules"; before the "Group" the three boxes are blank, is yours like this, with no names?

Also in this screenshot:

http://img162.imageshack.us/my.php?image=screen6nw.jpg

Are these the default settings for "attack-responses"? Because I clicked it, then forgot if I put it back correct.

THANKS

Sorry that I haven't been much help but I have been busy (at school right now actually)

As for what ports to open, keep in mind that it is only referring to unsolicited inbound connections, such as a random visitor visiting a webpage hosted behind the firewall. AV clients and such will make an outbound request for data, so the inbound traffic will be allowed. The only things that need ports are things like web or FTP servers and databases.


As for the anonymity thingy, keep in mind, due to the design of the internet, your IP address will always be visible.
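The three ideas the thread circles around (InlineFive's masquerading plus default-deny packet filter, DasFox's source/destination confusion, and Goosemaster's point that only unsolicited inbound connections need a rule) fit in one small model. The following is an added example written for this page; it is not Astaro's code and was not posted in the thread. It assumes the Internal network 192.168.2.0/24 from the thread and uses 203.0.113.10 (a documentation address) as a stand-in for the DHCP-assigned External address; the packet objects and the `makeFirewall` API are constructed for the example.

```javascript
// Toy model of an Astaro-style setup: masquerading from the Internal network
// to the External interface, a default-deny packet filter with a single
// "Internal (Network) -> Any, HTTPS" allow rule, and connection tracking so
// replies to outbound requests get back in while unsolicited probes are
// dropped silently. Not Astaro's code; addresses are constructed.

const INTERNAL_NET = { addr: "192.168.2.0", prefix: 24 }; // "Internal (Network)"
const EXTERNAL_IP = "203.0.113.10";                        // "External (Address)", assumed

// A subset of the service definitions offered by the rule editor.
const SERVICES = {
  HTTPS: { proto: "tcp", dport: 443 },
  HTTP: { proto: "tcp", dport: 80 },
  IRC: { proto: "tcp", dport: 6667 },
};

// Packet filter rules, evaluated top to bottom. Anything that matches no rule
// is dropped without any reply; that default is what a "stealth" scan sees.
const RULES = [
  { source: "Internal (Network)", destination: "Any", service: "HTTPS", action: "allow" },
];

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function inNet(ip, net) {
  const mask = net.prefix === 0 ? 0 : (0xffffffff << (32 - net.prefix)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net.addr) & mask) >>> 0);
}

// "Source" is whoever sent the packet and "Destination" whoever it is addressed
// to, as seen by the firewall. For outbound traffic the source is the LAN host.
function matchesNetwork(name, ip) {
  if (name === "Any") return true;
  if (name === "Internal (Network)") return inNet(ip, INTERNAL_NET);
  if (name === "External (Address)") return ip === EXTERNAL_IP;
  return false;
}

function matchesService(name, pkt) {
  if (name === "Any") return true;
  const svc = SERVICES[name];
  return svc !== undefined && svc.proto === pkt.proto && svc.dport === pkt.dport;
}

function ruleVerdict(pkt) {
  for (const rule of RULES) {
    if (matchesNetwork(rule.source, pkt.src) &&
        matchesNetwork(rule.destination, pkt.dst) &&
        matchesService(rule.service, pkt)) {
      return rule.action;
    }
  }
  return "drop"; // default deny
}

// A firewall instance with connection tracking. direction is "out" (arrived on
// the Internal NIC, leaving via External) or "in" (arrived on the External NIC).
function makeFirewall() {
  const conntrack = new Map(); // reply key -> original internal endpoint

  function processPacket(pkt, direction) {
    if (direction === "out") {
      if (ruleVerdict(pkt) !== "allow") return { verdict: "drop", packet: null };
      // Masquerading: the LAN source becomes the External address, so the
      // internet only ever sees one public IP. Real NAT may also pick a new
      // source port; this model keeps it unchanged for readability.
      const nat = { ...pkt, src: EXTERNAL_IP };
      conntrack.set(`${nat.proto}:${nat.dst}:${nat.dport}->${nat.src}:${nat.sport}`,
                    { src: pkt.src, sport: pkt.sport });
      return { verdict: "allow", packet: nat };
    }
    // Inbound: a reply to a tracked flow is un-NATed and allowed with no rule
    // at all (Goosemaster's point). Anything else is judged by the rules, and
    // the only rule here names the Internal network as source, so an
    // unsolicited probe from the internet is dropped.
    const key = `${pkt.proto}:${pkt.src}:${pkt.sport}->${pkt.dst}:${pkt.dport}`;
    const origin = conntrack.get(key);
    if (origin) {
      return { verdict: "allow", packet: { ...pkt, dst: origin.src, dport: origin.sport } };
    }
    const verdict = ruleVerdict(pkt);
    return { verdict, packet: verdict === "allow" ? pkt : null };
  }

  return { processPacket };
}

// Constructed sample traffic: an HTTPS request from the XP box, its reply, an
// unsolicited probe of port 443 from outside, and an IRC connect with no rule.
const demo = makeFirewall();
const sample = [
  [{ proto: "tcp", src: "192.168.2.101", sport: 51000, dst: "198.51.100.7", dport: 443 }, "out"],
  [{ proto: "tcp", src: "198.51.100.7", sport: 443, dst: "203.0.113.10", dport: 51000 }, "in"],
  [{ proto: "tcp", src: "198.51.100.7", sport: 40000, dst: "203.0.113.10", dport: 443 }, "in"],
  [{ proto: "tcp", src: "192.168.2.101", sport: 51001, dst: "198.51.100.7", dport: 6667 }, "out"],
];
for (const [pkt, dir] of sample) {
  console.log(dir, `${pkt.src}:${pkt.sport} -> ${pkt.dst}:${pkt.dport}`, demo.processPacket(pkt, dir).verdict);
}
```

Reading the output against the thread: the single HTTPS rule is enough for browsing because the reply comes back through the tracked flow, the port-443 probe from outside gets no answer (the "stealth" result), and the IRC connection fails until a rule for that service is added, which is exactly the "add EVERYTHING" remark.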
 

InlineFive

Originally posted by: DasFox
YEAHHHHHHH ;)


Your system has achieved a perfect "TruStealth" rating. Not a single packet, solicited or otherwise, was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to "counter-probe the prober", thus revealing themselves. But your system wisely remained silent in every way. Very nice.


InlineFive, for my Kaspersky AV, for the listening port for its updates and the port it downloads on, if it is the same one it listens on, how can I find what port it is with Astaro and then allow just this port?

By the way, for any applications I use, for example IRC, Instant Messengers, etc...

How does one go about finding the port it uses and then allowing only these specific ports access in Astaro?

Also for the HTTP proxy under Anonymity: this is not doing anything, an online IP check shows my real IP.

I was looking at the "Intrusion Protection Rules"; before the "Group" the three boxes are blank, is yours like this, with no names?

Also in this screenshot:

http://img162.imageshack.us/my.php?image=screen6nw.jpg

Are these the default settings for "attack-responses"? Because I clicked it, then forgot if I put it back correct.

THANKS

1. All system updates seem to be ignored by the packet filter and IPS. If you are having problems create a rule in the packet filter to let connections out on port 6000. Although that should be for the Cobion Content Filter only.

2. Your IPS layout looks normal to me. The only thing that is different is that you enabled monitoring for all Attack-response patterns. This doesn't hurt anything, as its current setting is to simply alert. For example, some rules for Backdoor are set to alert and some to drop. You can expand a category by clicking on the folder.
 

DasFox

InlineFive IPS layout? You mean my settings for the Flood Protection seem ok?

These direction paths listed below are ok?

Skip source networks: Internal Network
Skip destination networks: Any


Someone on the Astaro forum said to look at the Packetfilter live log while an app is open to check the port. I'd rather just open/allow those ports than some generic 6000 for everything, unless this is better?


Also now that I have the HTTP proxy in use, how can I surf and connect to the WebAdmin without always having to switch the proxy connection from manual connection and back?

The DATE/CLOCK keeps going out of sync. Do I need to, "Use NTP Server:"?

If so how do I do this, because for the, Use NTP Server: setting there is nothing in it.

My Kaspersky AV that I have on my desktop, not in Astaro, I read that it listens on port 1125 for allowing the Auto updates.

http://www.iana.org/assignments/port-numbers

hpvmmagent 1125/tcp HP VMM Agent
hpvmmagent 1125/udp HP VMM Agent

So I made a service for this and added a filter:

http://img123.imageshack.us/my.php?image=screen3yu.jpg
http://img93.imageshack.us/my.php?image=screen8tw.jpg

For the Packet Filter Rule, would that be correct what I placed for the "Source" and "Destination" paths?

I did a online scan:

http://img76.imageshack.us/my.php?image=screen5nh.jpg

It shows that a proxy is in use; how can I make sure it is done correctly, as it is talking about on the site?

SORRY for the 50 questions, setting this thing up is pretty intense, LOL. Ok for the proxy settings I put it on Allowed Networks: Internal Network, so I figure this is going to be secure now, since only people on the LAN can connect, at least that is what I think it means.

I just did another scan, it did not show the proxy this time, WoOt ;)

Skip source/destination networks: (what should I put here)?

Allowed Target Services: I just have HTTP and HTTPS

THANKS
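DasFox asks twice (once after the "Illegal Address" message, and again in the post above) how to stop toggling the Firefox proxy between surfing and WebAdmin. With the proxy in Standard mode, the usual answer is a proxy auto-config (PAC) file: Firefox asks `FindProxyForURL` per request, so the firewall's own address can be sent DIRECT while everything else goes to the proxy. The file below is an added example for this page, not something from the thread or from Astaro; it assumes the Internal address 192.168.2.100 and proxy port 8080 from the thread, and the `file:///C:/proxy.pac` location is a placeholder.

```javascript
// proxy.pac, assumed to be loaded in Firefox under Connection Settings ->
// "Automatic proxy configuration URL" (e.g. file:///C:/proxy.pac; path is a
// placeholder). Added example, not from the thread or from Astaro.

const FIREWALL_INTERNAL_IP = "192.168.2.100"; // WebAdmin / Internal (Address)
const PROXY = "PROXY 192.168.2.100:8080";     // Astaro HTTP proxy in Standard mode
const LAN_PREFIX = "192.168.2.";               // Internal (Network), /24

// Firefox calls this for every request. Plain string checks are used instead
// of the PAC helpers (isInNet, dnsDomainIs) so the file also runs under node.
function FindProxyForURL(url, host) {
  // WebAdmin lives on the firewall's own interface; the HTTP proxy refuses
  // such requests with "Illegal Address", so they must bypass it.
  if (host === FIREWALL_INTERNAL_IP || host === "localhost") {
    return "DIRECT";
  }
  // Other hosts on the LAN are reachable without the firewall at all.
  if (host.indexOf(LAN_PREFIX) === 0) {
    return "DIRECT";
  }
  // Everything else is sent through the Astaro HTTP proxy.
  return PROXY;
}

// Constructed sample requests showing which path each one takes.
const samples = [
  ["https://192.168.2.100/", "192.168.2.100"],
  ["http://192.168.2.101/", "192.168.2.101"],
  ["http://www.example.com/", "www.example.com"],
];
for (const [url, host] of samples) {
  console.log(url, "->", FindProxyForURL(url, host));
}
```

With this file in place the proxy setting never has to be touched: WebAdmin at https://192.168.2.100 goes direct and web browsing goes through port 8080. In Transparent mode, as InlineFive described earlier in the thread, no client-side proxy configuration is needed at all, so this file is only for the Standard operation mode.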