IPCop Addons

READ THIS FIRST!

HERE BE DRAGONS

In old maps, areas that were unknown were often marked as "HYRE BE DRAGONS", or other fantastical creatures, often based on tales brought back by sailors. We now know that some of these creatures, like the giant squid, did actually exist (and may still).

So heed this warning. You are venturing into uncharted territory, guided only by the stories told by those who have gone before, some of whom may not have made it back with their sanity intact.

Caveat Emptor

Because IPCop Firewall is based on Linux, it can be highly customised. However, ALL of the add-ons described on this page are to be treated with caution. They are not part of the distribution, but posted here by contributors who have had to change the default installation in some way to make it work better for their particular set of circumstances.

The contributions range from a simple script to make sure your firewall clock is correct (very useful for comparing logs with other sources), to adding DansGuardian, an internet content filter.

All of these add-ons require a certain amount of knowledge of Linux, and usually require you to be able to use SSH and SCP, as well as a basic text editor like JOE or VI. They also require you to understand the underlying theory behind the changes, so where possible, links to further reading are included.

Above all, you need to be prepared for the eventuality that your firewall may need to be completely re-installed because you did something wrong. However, there are usually lots of helpful people reading the user-list, so don't be afraid to ask first.

The important thing to remember is that the IP-Cop box is primarily a firewall and a router. All the other features are "nice to have". Anything you do to your IP-Cop box could reduce its effectiveness, and the programmers won't be looking out for security holes in programs you have added, so they won't be making patches either.

So it's up to you. You have been warned. It's up to you to decide if what you want to do is really necessary.

Add Ons

How do you get IPCop to automatically restart a connection if it goes down?

On my old firewall I had a script that checked outside connectivity and restarted the network if there was a problem. The most common problem was when Roadrunner would reset my IP. To restart, all I did was:

/etc/init.d/network restart

Since we're using BSD style startup scripts, it's not quite so simple, but almost. If you fire off the

/etc/rc.d/rc.netaddress.down
/etc/rc.d/rc.netaddress.up

in order, that should do it.

That's a much more "elegant" solution than rebooting the box every night. And it also means you're only down as long as the time between connectivity checks -- I had them running every five minutes.

Try this script. It tries to ping the gateway on your default route. If it doesn't succeed it will trigger the down and up scripts. With the old SysV scripts I knew that the network interfaces would go all the way down and come back up. I'm not so confident of these rc scripts, but checkconnect should at least detect the outage and try to fix it. You might put a reboot or 'shutdown -r now' in as the action if there's a problem. I've also noticed that my IPCop machines tend to need a power off reset to come back gracefully, so this technique may be of limited use. May just be my hardware. YMMV.

I placed it in /usr/local/sbin and put it in root's cron to run every 5 minutes.

Cut here-------- /usr/local/sbin/checkconnect -------
#!/bin/sh
# Ping the gateway of the default route once; if that fails, bounce the
# RED interface with the IPCop netaddress scripts.

GW=`netstat -rn | grep ^0.0.0.0 | awk '{print $2}'`

# No default route at all counts as "down" as well.
if [ -z "$GW" ] || ! ping -c1 "$GW" > /dev/null 2>&1 ; then
    /etc/rc.d/rc.netaddress.down
    /etc/rc.d/rc.netaddress.up
fi
Cut here--------

Now you need to put it in cron so it will check often. As root, type:

crontab -e

and add a line like so:

*/5 * * * * /usr/local/sbin/checkconnect

then write the file. Go back to the command line and type:

chmod 675 checkconnect
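A more defensive version of the same idea, added here as an example and not part of the original page or of IPCop: it only bounces the RED interface after several consecutive failed probes, and it handles the case where there is no default route instead of handing ping an empty argument. STATE_FILE, PROBE_HOST and the "run"/"dry-run" arguments are names chosen for this example; "ping -W" is the iputils timeout option and is assumed to be available.

```shell
#!/bin/sh
# Added example, not from the original page: a more defensive take on the
# checkconnect script above. It finds the default gateway from the routing
# table, pings it, and only bounces the RED interface after MAX_FAILS
# consecutive failures (one lost ping is not an outage). Run as
# "checkconnect run" from cron; "checkconnect dry-run" only reports.
# STATE_FILE and PROBE_HOST are names assumed for this example.

DOWN_SCRIPT=${DOWN_SCRIPT:-/etc/rc.d/rc.netaddress.down}
UP_SCRIPT=${UP_SCRIPT:-/etc/rc.d/rc.netaddress.up}
STATE_FILE=${STATE_FILE:-/var/run/checkconnect.fails}
MAX_FAILS=${MAX_FAILS:-3}
PROBE_HOST=${PROBE_HOST:-}   # set on ppp links, where the gateway column is 0.0.0.0

# default_gateway: read "netstat -rn" output on stdin and print the gateway
# of the default (0.0.0.0) route, or nothing if there is no usable one.
default_gateway() {
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }'
}

# probe: one ping with a 2 second reply timeout (-W is iputils ping; assumed).
probe() {
    ping -c 1 -W 2 "$1" > /dev/null 2>&1
}

# record_result: update the consecutive-failure counter kept in STATE_FILE
# and print the new value. $1 is 0 for a successful probe, anything else
# for a failed one.
record_result() {
    count=0
    if [ -r "$STATE_FILE" ]; then
        count=$(cat "$STATE_FILE")
    fi
    case "$count" in ''|*[!0-9]*) count=0 ;; esac   # tolerate a damaged file
    if [ "$1" -eq 0 ]; then
        count=0
    else
        count=$((count + 1))
    fi
    echo "$count" > "$STATE_FILE"
    echo "$count"
}

# action_for: the policy, kept separate so it can be checked offline.
# Prints "restart" once the failure count reaches MAX_FAILS, else "none".
action_for() {
    if [ "$1" -ge "$MAX_FAILS" ]; then
        echo restart
    else
        echo none
    fi
}

main() {
    gw=${PROBE_HOST:-$(netstat -rn | default_gateway)}
    if [ -n "$gw" ] && probe "$gw"; then
        fails=$(record_result 0)
    else
        fails=$(record_result 1)
    fi
    if [ "$(action_for "$fails")" = restart ]; then
        logger -t checkconnect "gateway '$gw' unreachable $fails times, restarting RED"
        if [ "$1" = dry-run ]; then
            echo "would run: $DOWN_SCRIPT && $UP_SCRIPT"
        else
            "$DOWN_SCRIPT"
            "$UP_SCRIPT"
        fi
        echo 0 > "$STATE_FILE"   # count afresh after a restart
    fi
}

case "${1:-}" in
    run|dry-run) main "$1" ;;
esac
```

Because the restart scripts are only run when the first argument is "run", the cron line becomes "*/5 * * * * /usr/local/sbin/checkconnect run".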

How can I get IPCop to reboot if it loses the connection?

Sometimes the above script isn't enough. This happens, for example, if the ISDN hardware needs a hard reset. The only way of doing this is to reboot IP-Cop. Because this is a bit more drastic than the above, it does a few more checks first.


#!/bin/sh
# Script to check internet connectivity; reboots IPCop if neither host answers.
echo "Testing Line status "; date

# First external host (replace nn.nn.nn.nn, see below)
if /bin/ping -c 1 nn.nn.nn.nn
then
    echo " Line is UP"

# Second external host, in case only the first one is unreachable
elif /bin/ping -c 1 nn.nn.nn.nn
then
    echo " Line is Up (2nd host)"

else
    echo "Line is Down will reboot the system"
    /sbin/shutdown -r now > /var/log/reboot.log 2>&1
fi

where nn.nn.nn.nn represents the IP of an external site that will reply to a ping, e.g. 216.239.51.100 is Google, 66.218.71.113 is Yahoo, etc.

For those, like me, who are total novices to Linux/Unix, here are the instructions.

Log onto the Unix box, either directly or via the Web interface of IPCop (select SHELL). Log on as root.

Change to the /usr/sbin directory (type "cd /usr/sbin"). Create a file with the commands in it (type "vi checkline"). (Here I assume that you have the basic vi commands to hand; if you haven't, check the web for them, there are lots of tutorials.)

Type in the script I have given at the top, then save and exit.

Now you have to schedule the script to be run at some interval. I have chosen to run it hourly at 5 minutes past the hour, so type "crontab -e" (use basic vi commands to edit the file).

Add the line "5 * * * * /usr/sbin/checkline > /var/log/linestat.log 2>&1"

This will cause the checkline script file to be run at 5 minutes past the hour. The results of this job will be sent to /var/log/linestat.log.

How can I use a different machine for logging messages?

You have to know the IP of the machine you want to log to. (this example will assume it is 192.168.0.2)

There are TWO STEPS.

STEP 1
You would have to ssh to IPCop and edit /etc/syslog.conf

Make a new line and add this under #kern.*

#kern.*               /dev/console
*.*                   @192.168.0.2

Save /etc/syslog.conf and run this command on IPCop

killall -HUP syslogd

You can also check /var/log/messages at the very end it should say something like:

Feb 16 17:35:10 IPCop syslogd 1.4.1: restart

This should verify your syslogd is now back up and running again.

STEP 2
That ends the mod for IPCop, but we still need to be able to read this new information being sent to our logging box (192.168.0.2).

for Suse:
edit /etc/rc.config on the logging machine and set

SYSLOGD_PARAMS="-r"

For Debian:
edit /etc/init.d/sysklogd on the logging machine and set

SYSLOGD="-r"

(then either reboot or do "/etc/init.d/sysklogd restart").

For Redhat: edit /etc/sysconfig/syslogd and set

SYSLOGD_OPTIONS="-r -m 0"

(then either reboot or do "service syslog restart").

For other versions of Linux:
The -r option makes syslogd accept log messages from remote machines (on UDP port 514, so only expose it to the IPCop box), e.g. "syslogd -r".

You're either going to have to find out where your /etc/rc.config or equivalent is located or manually start syslogd with the -r switch or you won't get any logs from IPCop.

(If you know your distro's settings please edit this FAQ)

Other unix systems:
Most versions of Unix accept non-local log messages by default. For OpenBSD you have to ensure syslogd is started with the -u flag; do this by altering /etc/rc.conf and setting

syslogd_flags=-u

Win Users:
Mikrotik syslog works well and is free. http://www.mikrotik.com/download.html#syslog

My ISP is filling my logs with IGMP or PIM packets. How can I stop logging those?

Log into the IPCop console as root and edit a file named /etc/rc.d/rc.firewall.up. In that file, add these two lines to permanently drop IGMP and PIM packets.

For a modem connection to the ISP...
ipchains -A input -i ppp0 -p igmp -j REJECT
ipchains -A input -i ppp0 -p pim -j REJECT

For an ethernet connection to the ISP...
ipchains -A input -i $RED_DEV -p igmp -j REJECT
ipchains -A input -i $RED_DEV -p pim -j REJECT

You can add these lines just before the comment:

# all ICMP on ppp too

The variable $RED_DEV is already defined as the appropriate ethernet device for the Red network. It could be eth0, eth1 or eth2 depending on the number of NICs installed.

Of course, directly editing the firewall rules is risky business and is done at your own peril. If this breaks your firewall, you get to keep both parts.

Update for IPCop v1.3

IPCop v1.3 uses iptables rather than ipchains, so add the following to your /etc/rc.d/rc.local file (which is also new in IPCop v1.3):

#!/bin/sh

/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -A CUSTOMINPUT -i ppp0 -p igmp -j REJECT
/sbin/iptables -A CUSTOMINPUT -i ppp0 -p pim -j REJECT

-- ChristophHuber - 24 Jul 2003

My log is filling with Net-BIOS (137) packets. How can I stop logging these?

Log into the IPCop console as root and edit a file named /etc/rc.d/rc.firewall.up. Near the start of the file, after the line:

ipchains -P output ACCEPT

add the following line:

For a modem connection to the ISP:
ipchains -A input -p UDP -i ppp0 --destination-port 137 -j DENY

For an ethernet connection to the ISP:
ipchains -A input -p UDP -i $RED_DEV --destination-port 137 -j DENY

Restart your firewall.

Update for IPCop v1.3

IPCop v1.3 uses iptables rather than ipchains, so add the following to your /etc/rc.d/rc.local file (which is also new in IPCop v1.3):

#!/bin/sh

/sbin/iptables -F CUSTOMINPUT
/sbin/iptables -A CUSTOMINPUT -p tcp --destination-port 137 -j DROP
/sbin/iptables -A CUSTOMINPUT -p udp --destination-port 137 -j DROP

How can I stop logging packets?

To expand slightly on the section above, which describes how to stop logging Net-BIOS packets, Jean-Christian Imbeault provided the general description of the problem below. He also pointed out that this only works for RED-GREEN traffic, and not RED-ORANGE traffic. "It does not work for those with an ORANGE zone. This is because the packets get sent to the FORWARD chain and not to the INPUT chain. So rules added to the CUSTOMINPUT chain never get looked at. Rules need to be added to the CUSTOMFORWARD chain instead."

/sbin/iptables -A CUSTOMINPUT -p tcp --destination-port port2drop -j DROP

Replace port2drop with the number of the port you wish to stop logging. So, for example, if you want to stop logging Net-BIOS packets (port 137) use this rule:

/sbin/iptables -A CUSTOMINPUT -p tcp --destination-port 137 -j DROP

By the same token, this rule can be further modified to drop packets being sent to a specific IP address (say you have a range of IP addresses, and for some reason people keep trying to connect to an IP address you own but that is not assigned to any machine):

/sbin/iptables -A CUSTOMINPUT -p tcp --destination IPAddress -j DROP

(Replace IPAddress with the appropriate numerical IP address, like 201.111.33.44)

And if you feel adventurous you can combine the use of a specific port and specific IP address in one rule, e.g:

/sbin/iptables -A CUSTOMINPUT -p tcp --destination-port 137 --destination 203.111.33.44 -j DROP

(For the curious "-p tcp" stands for "protocol tcp", if you want to drop udp packets instead you would use "-p udp")

If you are using port forwarding and aliasing, so the packets go through the NAT table, the rules will need to be added to the CUSTOMPREROUTING chain. Something like this:

/sbin/iptables -t nat -A CUSTOMPREROUTING -p tcp --destination-port 137 -j DROP
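The rules in this section differ only in which chain the traffic actually passes through. The helper below is an added example, not part of the original page or of IPCop: it prints the iptables command for the right chain given a zone label, after checking the port and address, so a typo does not end up in rc.local. The zone names "red", "orange" and "nat" are labels chosen for this example.

```shell
#!/bin/sh
# Added example, not from the original page: print the iptables command that
# drops (and so stops logging) unwanted traffic in the chain IPCop v1.3
# consults for that traffic path, as described in the section above.
#
#   zone    chain used
#   red     CUSTOMINPUT               traffic addressed to IPCop itself
#   orange  CUSTOMFORWARD             traffic forwarded on to the ORANGE zone
#   nat     -t nat CUSTOMPREROUTING   port-forwarded or aliased traffic
#
# The command is printed, not run; review it, then paste it into rc.local.

# is_port: accept 1..65535 only.
is_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_ipv4: four dotted decimal octets, each 0..255.
is_ipv4() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# drop_rule ZONE PROTO [PORT] [DSTIP]
# Prints the rule on stdout; on bad input prints a message on stderr and
# returns non-zero so a calling script can stop before touching the firewall.
drop_rule() {
    zone=$1; proto=$2; port=${3:-}; dst=${4:-}
    case "$zone" in
        red)    cmd="/sbin/iptables -A CUSTOMINPUT" ;;
        orange) cmd="/sbin/iptables -A CUSTOMFORWARD" ;;
        nat)    cmd="/sbin/iptables -t nat -A CUSTOMPREROUTING" ;;
        *) echo "drop_rule: unknown zone '$zone'" >&2; return 1 ;;
    esac
    case "$proto" in
        tcp|udp) ;;
        *) echo "drop_rule: protocol must be tcp or udp" >&2; return 1 ;;
    esac
    if [ -z "$port" ] && [ -z "$dst" ]; then
        echo "drop_rule: need a port, a destination IP, or both" >&2
        return 1
    fi
    cmd="$cmd -p $proto"
    if [ -n "$port" ]; then
        is_port "$port" || { echo "drop_rule: bad port '$port'" >&2; return 1; }
        cmd="$cmd --destination-port $port"
    fi
    if [ -n "$dst" ]; then
        is_ipv4 "$dst" || { echo "drop_rule: bad IP address '$dst'" >&2; return 1; }
        cmd="$cmd --destination $dst"
    fi
    echo "$cmd -j DROP"
}

# Usage when run directly, e.g. "./droprule.sh orange udp 137":
if [ $# -ge 2 ]; then
    drop_rule "$@"
fi
```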

Can I block certain web sites?

Yes. Login to the IPCop console as root and edit a file named /etc/hosts. Make the first address 0.0.0.0 and then add the host name of the offending website.

Do not remove or change the first two lines of /etc/hosts!

Example /etc/hosts

127.0.0.1          localhost
192.168.x.x        ipcop

# Add comments if you like.

0.0.0.0            www.offendingwebsite.com
0.0.0.0            www.bumpywall.org

Reboot and you are done.

Can I block annoying ads?

Yes. Using the same method as above, add lines as needed to your /etc/hosts. A utility located at http://ssmedia.com/utilities/hosts/ has a maintained listing of ad servers.

An easy way is to ssh into IPCop from a Xconsole and cut and paste from the adserver list.

How do I connect an IPsec client behind IPCop to a remote IPsec server?

To run an IPsec client with IP masquerading you need to load a module to support it. (This has been tested with IPCop 0.1.1 and the SafeNet IPsec client software.)

Download ip_masq_ipsec.o from http://www.zelow.no/floppyfw/download/modules/2.2.20/ipv4/

(Note that they keep changing the path. If the download fails start browsing from http://www.zelow.no )

Copy the file into: /lib/modules/2.2.20/ipv4

Modify the file /etc/rc.d/rc.network
Scroll down to where it says 'echo "loading MASQ helper modules"'
Add some blank lines and enter:

echo "Loading module ipsec"
insmod -f ip_masq_ipsec

Scroll down to the bottom of the 'MASQ helper' section and add the line:

modprobe ip_masq_ipsec

Reboot

Can I drop a dialup connection from 3am to 6am for Tivo?

Log into the IPCop console as root.

At the command line, enter one of the two following commands, based on which editor you like to use

export EDITOR=vi
or
export EDITOR=joe
(joe is a wordstar-like editor)

Once you have done that, enter the command:

crontab -e

The editor you set up above will open on the cron table for the root user. If you have not modified your IPCop installation in any way, it's possible that this table is blank. Add the following lines:

#stop dialup between 3am and 6am every day of every week of every month
0 3 * * * su nobody -c "/etc/ppp/ppp-off"
0 6 * * * su nobody -c "/etc/ppp/ppp-on"

Save the file and close the editor.

logout

Can I disable the internet connection from 11pm to 6am?

Add a cron job to do this. The following will stop all internet interface traffic from 11pm to 6am. You can either use the entire ruleset, or eliminate the ones you don't use, i.e., if you don't have a modem, leave out the modem lines, and vice versa. Using them all will not hurt anything.

0 23 * * * /sbin/ipchains -I ethout 1 -i eth1 -j DENY
0 23 * * * /sbin/ipchains -I ethin 1 -i eth1 -j DENY
0 23 * * * /sbin/ipchains -I mdmout 1 -i ppp0 -j DENY
0 23 * * * /sbin/ipchains -I mdmin 1 -i ppp0 -j DENY

0 6 * * * /sbin/ipchains -D ethout 1
0 6 * * * /sbin/ipchains -D ethin 1
0 6 * * * /sbin/ipchains -D mdmout 1
0 6 * * * /sbin/ipchains -D mdmin 1

How can I synchronize my IPCop time with my time server?

First, you need to pick a time server. If you are not running a time server on your network already, you will need to access an external time server. The nearer the time server is to you, the more accurate your time sync will be. You can find a list of public time servers here. Please only select from the Stratum 2 list. If you elect to use a public time server, be sure to use one which specifies that Open Access is ok. Many of them request that you send them an email to tell them you are using their time server. This usually gets you on a low volume mailing list which will inform you of outages and not much more.

If you have selected an external time server, you need to go to the Services/External Service Access menu in IPCop and add a pinhole to let the time signals into IPCop. Select UDP, put in the IP address of the time server you have selected, and destination port 123. Make sure the Enabled box is checked and Save the External Service Access.

Now, on a one time basis, you log into the IPCop console as root and issue the following command:

/usr/sbin/ntpdate -s x.x.x.x
where x.x.x.x is the IP address or domain name of the time server you selected, or your local private time server.

If you don't want to open an External Service Access pinhole, you can run the following command instead, which uses an unprivileged port:

/usr/sbin/ntpdate -s -u x.x.x.x

Once that runs, run the command...

tail /var/log/messages

If the command worked, you should see something like this:

Jan 17 01:56:58 ipcop ntpdate[17067]: adjust time server x.x.x.x offset -0.121123 sec

If you don't see the above message, you need to pick another time server until you have success.

If you wish to add an entry to cron so this command repeats on a regular basis, log into the IPCop console as root.

At the command line, enter one of the two following commands, based on which editor you like to use

export EDITOR=vi
or
export EDITOR=joe
(joe is a wordstar-like editor)

Once you have done that, enter the command:

crontab -e

The editor you set up above will open on the cron table for the root user. If you have not modified your IPCop installation in any way, it's possible that this table is blank. Add the following lines:

#Sync the clock once a day at 2:47 am every day, every week, every month
47 2 * * * /usr/sbin/ntpdate -s x.x.x.x; /sbin/clock --systohc > /dev/null 2>&1
where x.x.x.x is the time server you got working on the command line above. Using the clock command with the --systohc will set your hardware clock to the time you just retrieved.

Save the file and close the editor.

logout

Update for IPCop v1.2

From IPCop v1.2.0 the ability to synchronize IPCop with an NTP server using ntpdate was added to the System Web Admin page.

Can I use ntpd rather than ntpdate for time synchronisation?

MultiThread Consultants have provided instructions and scripts to enable ntpd and control it from the web interface. Visit http://www.multithread.co.uk/ipcop/ for details.

Also, inspired by the work done by Up4Fun at ipcop.hopto.org, Erwann Simon, Eric Boniface and Eric Legigan of the French ipcop support site www.ixus.net have produced a downloadable archive with instructions on how to install ntpd on IPCop at http://www.zefutur.com/ipcop/ntpd/

Thank you, my friends.

Can I change the graphs to be bigger/smaller than the current 8 hours?

Log into the IPCop console as root and edit the file /usr/local/bin/makegraphs.

The -s parameter is the timespan. Change this to the required interval.

Save the file and close the editor.

Logout.

Can I change how often the Graphs are updated?

By default, the graphs are updated every 30 minutes. This was based on the cpu power it takes to update the graphs on low end machines. If you run a Pentium or K6 (or better) class CPU, you can safely increase the graphing interval to 5 minutes.

Log into the IPCop console as root and edit the file /etc/crontab.

By default, the last lines read:

# Make some nice graphs
*/30 * * * * root /usr/local/bin/makegraphs > /dev/null

For updates every 5 minutes, change the last line to read:

*/5 * * * * root /usr/local/bin/makegraphs > /dev/null

Save the file.

Restart cron daemon with the following command:

killall -HUP crond

How can I automate switching between peak time and off-peak ISP numbers?

If you connect to the Internet with an ISP that requires you to dial different phone numbers depending on the time of day, such as BT's Surftime Evenings and Weekend package in the UK, you can set up a cron task to switch ppp settings automatically.

First, set up and save two ppp profiles for the two different phone numbers you require. Make sure they work, and make a note of their position in the drop down list.

Then log into the IPCop console as root, locate the files which contain the ppp settings, and make copies of them. At the command line enter the command:

cd /var/ipcop/ppp

and then:

cp settings-1 settings-offpeak

and:

cp settings-2 settings-peak

This assumes you've set up the off-peak settings as your first profile, and the peaktime as the second.

At the command line, enter the command:

crontab -e

The cron table for the root user will appear. If you have not modified your IPCop installation before, it's possible that this table is blank. Add the following three lines:

#switch ppp settings
0 8 * * 1-5 cp /var/ipcop/ppp/settings-peak /var/ipcop/ppp/settings; /etc/ppp/ppp-off; sleep 4; /etc/ppp/ppp-on
0 18 * * 1-5 cp /var/ipcop/ppp/settings-offpeak /var/ipcop/ppp/settings; /etc/ppp/ppp-off; sleep 4; /etc/ppp/ppp-on

This switches to peaktime settings at 8.00am on weekdays, and off-peak settings after 6.00pm on weekdays, and continues over the weekend. (1-5 is equivalent to mon,tue,wed,thu,fri). Restarting ppp is necessary to read all the settings for the new profile. Note that each entry has to be on a single line.

Save the file and close the editor.

logout

Update for IPCop v1.3

ppp-on and ppp-off were removed in IPCop v1.3.0. Use these commands instead:

/etc/rc.d/rc.red start
/etc/rc.d/rc.red stop

How do I install DansGuardian on IPCop?

DansGuardian provides web content filtering based on keywords and blacklists. For instructions on how to install and configure the latest version on IPCop 0.1.x, have a look at the IPCopDGHowto.

Update for IPCop v1.3

Gavin Spurgeon has developed an easy system for adding DansGuardian to IPCop, see the topic at the foot of this page on the Add-Onz system.

How can I use a Static IP number with PPP if the ISP doesn't allocate it by DHCP?

Easy answer: use a proper ISP. Long answer: see the example below from a Telstra user.

On your IPCop computer, make a back-up copy of the Perl script /etc/ppp/ppp-on, then use your Linux editor (do not use MS WordPad or the DOS edit) to alter /etc/ppp/ppp-on as follows...

Find the subroutine "domodemdial"
.
.
sub domodemdial
.
.
About 20-30 lines further down is code like so...

.
push (@pppcommand, ('debug', 'lock', 'modem', 'crtscts', $device,
$pppsettings{'DTERATE'}, 'kdebug', '0', 'noipdefault',
'defaultroute', 'user', $pppsettings{'USERNAME'},
'maxfail', $pppsettings{'MAXRETRIES'}, 'connect',
'/etc/ppp/dialer'));
.
.
Change 'noipdefault', so that the code now looks like...
.
.
push (@pppcommand, ('debug', 'lock', 'modem', 'crtscts', $device,
$pppsettings{'DTERATE'}, 'kdebug', '0',
'aaa.bbb.ccc.dd1:aaa.bbb.ccc.dd2',
'defaultroute', 'user', $pppsettings{'USERNAME'},
'maxfail', $pppsettings{'MAXRETRIES'}, 'connect',
'/etc/ppp/dialer'));
.
.
Where aaa.bbb.ccc.dd1 is your Telstra-supplied fixed IP, something like 203.99.23.121 (that is not a valid IP, do not use it!), followed by a colon (:) and the same IP with the last part increased by 1, like 203.99.23.122.

Save the change.

Please NOTE that this changed version of /etc/ppp/ppp-on is only suitable for connecting to a Telstra dial-up business account; it will not work for normal ISP connections. To connect to a normal ISP, you will have to put the original /etc/ppp/ppp-on back in place (you did make a back-up).

How can I block my internal users from accessing a particular external service, such as Telnet, AOL etc?

Add a new ipchains rule to the /etc/rc.d/firewall.up script. The example below will block all connections from the green network 192.168.1.0 on port 5190 used by AOL:

ipchains -I input -j DENY -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 5190

-- EricOberlander - 25 Jun 2002 - How to block instruction added, courtesy of Vitaly Tarasov

How can I use VPNs with dynamic IP addresses?

NB: This functionality should now be available in version 1.2 Release

Edit /home/httpd/cgi-bin/vpn.cgi/vpnconfig.dat

For 1.2 older betas comment out (prefix with #) the following lines:

# unless (&validip($cgiparams{'LEFT'})) {
# $errormessage = $tr{'left ip is invalid'}; }
# unless (&validip($cgiparams{'RIGHT'})) {
# $errormessage = $tr{'right ip is invalid'}; }

For 0.1.1 comment out the following lines:

# unless (&validip($cgiparams{'LEFT'})) {
# $errormessage = $tr{'left ip is invalid'}; }
# unless (&validip($cgiparams{'LEFTNEXTHOP'})) {
# $errormessage = $tr{'left next hop ip is invalid'}; }
# unless (&validip($cgiparams{'RIGHT'})) {
# $errormessage = $tr{'right ip is invalid'}; }
# unless (&validip($cgiparams{'RIGHTNEXTHOP'})) {
# $errormessage = $tr{'right next hop ip is invalid'}; }

What these edits do is to allow you to enter DNS names instead of IP addresses for the left and right IP addresses and to allow you to enter %defaultroute for the left and right next hops.

WARNING: These edits remove validation of the addresses and next hops. If things don't work then check these very carefully. Also be aware that FreeS/WAN works with IP addresses not DNS names and that the IP address for your dynamic DNS name is only resolved when FreeS/WAN is started.

What you need to do now is to register all IPcop machines using dynamic IP addresses with one of the supported dynamic DNS services.

You then need to create VPN connections using the dynamic DNS names instead of the left/right IP addresses. Put %defaultroute for the next hop on both left and right (in fact this can be used for most VPN connections and is the default for 1.2).

You should now be able to bring up the VPN. Unfortunately if either end disconnects and gets a different IP address you will need to restart the VPN on both machines so that FreeS/WAN gets the new IP address from DNS.

This creates a problem, how do you restart the VPNs on a remote machine with a dynamic IP address? The only solution to this at the moment is to allow access to the SSL https server on port 445 and access it using the dynamic DNS name.

If the local IPCop is on a static IP, then you can restrict access on the External Access page. If the local IPCop is on a dynamic IP, then you will have to allow access to all IP addresses that could possibly be assigned by your ISP. Doing this will increase your machine's visibility on the Internet and could lead to possible intrusions (assuming an unpatched vulnerability).

-- DaveRoberts - 08 Aug 2002

How can I block specific IP addresses from accessing the Internet?

Jose Catubigan Jr has written some scripts and an ipbancgi webadmin page that make it easy to ban specified IP addresses from IPCop's webGUI. View screenshots and download it from http://www.zpdee.net/~joecat/

-- EricOberlander - 07 Sep 2002

How do I install additional ip_masq kernel modules?

ip_masq_dplay   DirectPlay gaming protocol
ip_masq_h323    H.323 protocol, e.g. Netmeeting (NB: included from v1.2)
ip_masq_mms     Microsoft Messenger module (NB: included from v1.3)
ip_masq_msn     MSN game zone module

Grab the compiled modules you need from here http://www.affinityvision.com.au/ipcop/v1.2.0-fixes4/IP_Masq_Files/ and scp them on your IPCop box. Make a note of the md5sum for each file. (New Link courtesy of Andrew McGlashan).

These are basically quick compiles of some of the 2.2.x ip_masq modules at http://www.e-infomax.com/ipmasq/matrix22.html made for the 2.2.21-rc1 kernel as supplied in IPCop 0.1.1 fixes 4.

SCP them to the /lib/modules/2.2.21rc1/ipv4 directory. Check the md5sum of each file after it's copied to IPCop, because it's quite easy to get a corrupt file if it was accidentally downloaded as text, rather than as a binary file.

To load a module, execute the insmod command at a console. For example:

insmod ip_masq_h323

To make the changes permanent, edit the /etc/rc.d/rc.network file. Find the section with the following:

echo "Loading MASQ helper modules"
modprobe ip_masq_quake
modprobe ip_masq_irc
modprobe ip_masq_ftp in_ports=21
modprobe ip_masq_icq
modprobe ip_masq_pptp

Add a line for each module you need. For example:

modprobe ip_masq_h323

Save the file and reboot the machine. Login to the Web console and under the Information section you should see the new modules listed.

The modules above were compiled for a 2.2.21-rc1 kernel, if you are using version 1.2 with a 2.2.21 kernel, try force loading the module with this command:

insmod -f ip_masq_h323

For your information, the ip_masq_h323 module was included in IPCop version 1.2, and the ip_masq_mms module is included in IPCop version 1.3.
Modules compiled for 2.2 kernels won't work on IPCop v1.3, as the 2.4 kernel series is used in IPCop v1.3.

rc.local startup file

From version 1.3.0, if you want to run your own commands at startup, put them in a file called /etc/rc.d/rc.local, they will automatically run when IPCop boots. The file is included as one of the settings files that are backed up onto floppy.

Backing up configuration settings over the LAN

Tim Butterfield is developing a web interface for IPCop that allows the configuration settings to be backed up over the local network, avoiding the need for a floppy disk to be fitted in the IPCop box.

The latest implementation works with v1.2 and v1.3.0. It's not been tested on other configurations.

In addition to basic create, restore, upload, and download, this implementation provides a few extra features over the first implementation.

  1. security - An encryption key is used to ensure that archives restored on a machine were created on that machine. Using an archive to set up a new machine is still allowed.
  2. archive naming - The first implementation had static file names, ipcop.tar.gz. This version uses the machine name to more easily identify archives from multiple IPCop machines.
  3. install script - The first implementation had a manual install. The inclusion of an install.sh script makes the process a bit easier this time.

A full description and download files can be found here: http://www.timbutterfield.com/computer/ipcop/backup

-- EricOberlander - 28 Jun 2003

Other Websites

Martin Pot

Martin Pot has documented a number of modifications to Smoothwall 0.9.9, which should also work on IPCop 0.1.1. There are pages on adding a connect speed display, adding a red IP address display, bytes in/out, ad zapping, ip accounting and more. See http://martybugs.net/smoothwall/

Supporting Role

Supporting Role have provided a number of unofficial modifications for IPCop which can be downloaded from their website at http://www.supporting-role.net/software/ipcop/software-list.php

Joecat

Jose Catubigan Jr has made a number of addons and modifications for IPCop available at http://www.zpdee.net/~joecat/ They include mods for producing a traffic summary, different statistic graphs, an ipban.cgi script and interface, a logcheck utility and more...

Porn Filter and Ad Zapper

Joecat's also developing an acl_mod for the squid web proxy to block ads and porn. Modifications and instructions are available here.

Bloomtech

IPCopAdmin is a Windows GUI for IPCop. More info on IPCopAdmin page or at http://www.bloomtech.it/prodotti?prod=ipcopadmin

Add-Onz System (Unofficial)

Gavin Spurgeon, AKA Da Geek, has put together an add-on packaging system similar to how the updates load. This means that with no knowledge of Linux you can still install some very advanced Add-Onz with just a few mouse clicks. He has several Add-Onz packages available for install via this system, including DansGuardian and a www GUI to control it. More info on the IPCop Add-Onz & Extraz Site at http://www.dageek.co.uk/ipcop/addonz/

Copwatch

Copwatch is a Windows infoclient for the IPCop firewall. It displays an icon in the system tray and popups that show information about the connection status of an IPCop firewall. Info & download at http://www.beyondmonkey.com/copwatch/

Big Brother plugin

Guy Van Sanden has written a Big Brother http://www.bb4.com plugin to monitor an IPCop box.

You can find it on http://unixmafia.port5.com under projects/bb-ipcop.sh

-- SamSnow - 21 Jan 2003
-- HarryGoldschmitt - 25 May 2003 - Fixed dead link.
-- EricOberlander - 10 Dec 2003 - Added link to Big Brother plugin