Mise à jour IPCOP 1.4.6 ->1.4.7->1.4.8

[mrjeanguy]

Juste pour signaler que deux mises à jour sont disponibles:

1.4.7

Upgrade to bzip2 patched (CAN-2005-1260 CAN-2005-0953). Patch dhcpcd (CAN-2005-1896), tcpdump (CAN-2005-1267), zlib(CAN-2005-2096). Fix IDS Log bug (SF 1213547). Upgrade logwatch to 6.1.2, squid to 2.5.STABLE10, pcmcia-cs to 3.2.8, pulsardsl to 4.0.19.
Add ethtool-3, iptstate-1.4, libwww-perl-5.8.03, Compress-Zlib-1.35, URI-1.35, Net_SSLeay-1.2.5.
Improve dynamic DNS & add provider. Enable/disable ping from new Firewall Options page. Improve support for addon and language files. Improve DHCP option support.
Openswan 1.0.10rc2, VPN PFS=yes/no, VPN users with dynamic IP, you can choose new dead peer detection=restart!. Fix VPN interface bugs. Add usr/local/bin/setreservedports script to shift ipcop https port away from 445.
You need to run kernel-2.4.29{,-smp} for the update to work. For flash disk with 5MB /boot, only 2.4.29 (not smp) allowed during update.
Apply both 1.4.7 and 1.4.8 updates (eventually load fcdsl-1.4.8 package if needed) and reboot!!!

1.4.8

Upgrade to kernel 2.4.31.
Apply both 1.4.7 and 1.4.8 updates (eventually load fcdsl-1.4.8 package if needed) and reboot!!!

Bizarrement je ne trouve pas d'infos sur ixus ni sur ipcop.org... est ce normal?

[leso]

sur ixus ca métonnerais, il ne font pas une news a chaque update. Pour le site ipcop.org , faut attendre le webmaster.

Et sinon l'annonce a était annoncé sur la liste de diffusion ce matin

Code: Tout sélectionner

IPCop v1.4.8 was release with some changes since the test version dated
2005/08/18.

As usual, this version can be installed as an update from previous v1.4.x
versions or with a ready-to-go ISO for a fresh install.
Install both 1.4.7/1.4.8 updates and reboot to use the new kernel.

Update is split in 2 parts like 1.4.3/1.4.4 to solve some space issues with
disk less than 800 MB.

Update was tested to work on flash disk (this was not the case in
1.4.3/1.4.4).

MD5: 93538c45825c0fb5bbcb644f80f8907d  fcdsl-1.4.8.tgz
MD5: 789d92f23f7def21d0eb4e660d7c49f8  ipcop-1.4.8.iso
MD5: 2916d4667663b9d37880b2bf21e2da44  sources-ipcop-1.4.8.tgz
MD5: e26b8a1921e33e5114fc2367d5d0fd45  update-1.4.7.tgz.gpg
MD5: 05930394026f2aa7c36bf652840293f6  update-1.4.8.tgz.gpg

You need to use kernel-2.4.29 to install this update
Previous kernel 2.4.27 will be removed to free space for new kernel 2.4.31

Because of this kernel removal (for those who installed before 1.4.4), it is
difficult to say exactly how much free space is necessary (it depend if
2.4.27
is present). It should no more be a problem, if you don't have added hudge
files on a
small disk. As a shortcut,I would say you need 10 MB free on /root before
1.4.7
installation if 2.4.27 is present and 25 MB if not.
If you have less than 30 MB free on /root, you will need 25 Mb free on
/var/log.
After 1.4.7 update installation, the update page is changed to display space
  available.

If you run from a flash disk, the kernel running during the update can only
be
2.4.29 (and not smp). There is not enought free space available on standard
/boot made by makeflash to support 2 smp kernel. This is changed for futur
makeflash installation with a standard 8MB size like with real disk.
After the update with flash, you can start whatever kernel 2.4.31 you want
but
2.4.29-smp can't be started.

The changes made since the test version dated 2005/08/18 are :
- setup :fix hostname update missing the domain name
- httpscert script was added.
The script allow to read the https certificate issuer with
/usr/local/bin/httpscert read
With /usr/local/bin/httpscert new, a new certificate is made using the
actual
long hostname. This was made to fix the warning message in the GUI because
hostname did not match certificate name.
You are warned if there is a difference between certificate and hostname
during boot.

It may not have been sufficiently stated but v1.2 and v1.3 are no more
maintained and contain some vulnerabilies. Please consider to upgrade as
soon as you can. If there is a problem to install v1.4, work with us to
solve
those issues. Fill a bug report on sourceforge or send a message on the
devel list.

For those who use unofficial add-ons, there is some progress made to less
disturb add-ons but it will be only noticable after add-ons use the new
addon-lang directory to preserve their changed texts.

Abstract of previous changes since v1.4.6

Installer
- Fix ata_piix SATA support by adding EXPORT_SYMBOL_GPL capability at
  busybox-0.60.5
- Fix pcmcia installation and netcard detection with floppy boot.
- On floppy boot install, shift search of scscidrv-<version>.img to
  images/scscidrv-<version>.img to allow usage of mounted loop iso. With
real
  files, place it in an images directory.

Changes in update
- Fix etc/modules.conf is more recent than ...modules.dep
- Fix support with smp new kernel and scsi driver
- Complete the menu options for the old kernel like for the most recent
kernel
- Workaround for flash disk with limited /boot size. Previous smp files are
  suppressed on /boot
  Set mkflash to use 8 MB /boot size to support old smp kernel
- Fix '/ is busy' with scsi disk once after new kernel installation
- Create an addon-lang directory to allow add-ons to retrieve specific lang
  phrases after update
- To untar the update, try to use /var/log partition to avoid space problem
on
  /root. If it fail, use /root partition.

Upgraded packages
- arping from 2.03 to 2.05
- bzip2 from 1.02 to 1.0.3 plus patch against CAN-2005-1260
- Compress-Zlib from 1.3.4 to 1.35
- dhcpcd-1.3.22-pl4_corrupt-packet.patch CAN-2005-1896
- eagle-usb from 2.1.1 to 2.3.2
- eciadsl from 0.10 to 0.11beta1
- gnupg from 1.2.5 to 1.4.2
- logwatch from 5.2.1 to 6.1.2
- openswan-1.0.10rc2 (support restart option)
- pcmcia-cs from 3.2.7 to 3.2.8
- procps from 3.2.1 to 3.2.5
- pulsardsl from 4.018 to 4.0.19
- squid from STABLE9 to 2.5.STABLE10
- tcpdump patch against CAN-2005-1267
- zlib-1.2.3 CAN-2005-2096

New packages
- ethtool
  This is helpfull for those who want to let IPCop sleep when not used.
  ethtool is used to configure the network card
  /usr/sbin/ethtool -s eth0 wol g This could be added in rc.local.
  You could wake up the IPCop machine by sending the magic-packet to the MAC
  address.  This could only work with some limit on IPCop side :
   - you can't use dhcp on green since the PC sending the magic-packet
already
     has an IP
   - you can't have an orange interface
- iptstate command line utility RFE 1167726
- libwww-perl for HTTP downloads from CGIs
  This should resolve the issues some users are having with IDS rule
updates.
  Also should fix the inability to download update lists when an upstream
proxy
  requires user/pass (bug 1205470)
- SSLeay support to Perl (for https)
- vlan.1.8 and corresponding kernel module

Others changes
config.dat
- Add option to choose number of lines per page of log  (viewsize)

dhcp.cgi
- Allows bootp protocol (per interface) into DHCP server and corrects
displaying
  of unlimited lease.
- Modify regexp to allow options with digits in advoptions-list to be
displayed.
- Permits entering duplicate IP in fixed lease. close bug 1197940

ddns.cgi
- Fix rfe1093108: updates to dyndns service are done only if gethostbyname
  returns different address.
- An optional cron call once/month force updates (-f -m options) to avoid
  loosing account on particular stable lines. This has to be enabled in GUI.
- Add dtDns support (rfe 1202972)
- Add new provider dynserv.ca (org|net|com)

graphs.cgi
- fixe bug 1118124 :Change maximum on traffic graph RRDs to support 100 MBit
links

ids.cgi
- Add a 'no' update option to not trigger a warning on save when no oinkcode
is set
- Use libwww-perl for HTTP downloads from CGIs, this should resolve the
issues some
  users are having with IDS rule updates. Also should fix the inability to
  download update lists when an upstream proxy requires user/pass (bug
1205470)

ipsec
- Added some 'seed' to certs generation with '-rand option'. Each cert is
numbered
- Fix a stack based buffer overflow in ipsecctrl (blue interface)

makegraphs
- change maximum on traffic graph RRDs to support 100 MBit links,
  fixes bug 1118124

new optionfw.cgi option page add options in the GUI to :
- disable ping
- dropt a optional list of ports to reduce logs on RED

rc.netaddress.up
- If "rc.red start" fails, no dnsmasq server is running. So start it even if
  it will be killed some lines later in normal operation!

setup
- fix domainname missing in hostname after hostname change

setportfw
- change SNAT behaviour for port forwards to only apply when required
  it also expands the SNAT to work for orange to orange connections
  (before it only applied to blue and green)

wireless.cgi
- modify page to list DHCP leases on Blue Network. RFE 1048379. Includes
inline editing



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
IPCop-devel mailing list
IPCop-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ipcop-devel




Update correctement accompli chez moi, même avec un ex kernel 2.4.27.

Par contre j'ai pas trouvé l'option pour changer le port de l'interface web, et perdu aussi le QOS L7 de guiguid (si tu passes par la ).
Il est normal qu'il manque une page apparament , celle ci nétait pas encore préte et donc pas incluse dans la mise a jour (cf liste de diffusion)

[leso]

Ni l'option pour bloquer le ping d'ailleurs


Edit: En relisant le changelog , l'option de ping et de port pour l'interface se trouve sur la page manquante ...

[Gesp]

Oui je l'ai retiré au dernier moment et la modification est restée dans le texte de l'annonce.
Ce sera supprimé dans l'annonce sur le site ipcop.org qui apparaitra qand elle sera validée.

C'est une bonne idée de pouvoir filter depuis l'interface mais il eut fallu le faire comme les autres accès à iptables alors que là on avait un message indiquant de rebooter, ce qui n'était pas terrible.

[mrjeanguy]

merci pour l'info me vla rassuré

Bonne journée, bon WE à vous

[mrjeanguy]

vous arrivez à accéder à la page des options du firewall?

Pour ma part je tombe sur ceci:Not Found
The requested URL /cgi-bin/optionsfw.cgi was not found on this server.

J'ai essayé de rebooter, j'ai toujours ce même satané message...

[leso]

Mrjeanguy > c'est normal ce problème est connu , et on a pas a tenir compte , c'est ce que précise Gesp

[wann]

Concernant le changement de port de l'interface web, voici la réponse de Gilles (Gesp) sur la liste de diffusion de développement :

not yet in the GUI
It was to late to integrate this change in v1.4.8 GUI.

use /usr/local/bin/setreservedports 5445

Only a number between 445 and 65535 is allowed

Use http and port 81 if you forgot the port you have changed on https

Gilles

Il faut donc le faire en ligne de commande, seule méthode envisageable actuellement.

[leso]

testé en ligne de commande et ca marche impec

[jackid]

Bonjour à tous,

Est-il prévu une intégration du l2pt pour IpSec dans une prochaine version ?

Merci!

[mrjeanguy]

Concernant le changement de port de l'interface web, voici la réponse de Gilles (Gesp) sur la liste de diffusion de développement :

not yet in the GUI
It was to late to integrate this change in v1.4.8 GUI.

use /usr/local/bin/setreservedports 5445

Only a number between 445 and 65535 is allowed

Use http and port 81 if you forgot the port you have changed on https

Gilles

Il faut donc le faire en ligne de commande, seule méthode envisageable actuellement.

Merci pour vos réponses,

Je ne comprend pas très bien le rapport entre les lignes de commande, le port 81 et mon problème... par curiosité j'ai essayé en me connectant via le pot 81 je n'ai pas les options du firewall.

Quelqu'un peut-il dévelloper un peu la réponse vu que je ne suis pas inscrit dans la mailing list des devellopers et que donc je n'ai pas suivi le sujet...

Merci

[mrjeanguy]

Ok j'ai pigé, tu répond à une autre question posée dans le post

[neo_hijacker]

C'est dommage on n'a toujours pas les NDISWrapper dans cette mise a jour

[lurey]

bonjour,

à peine rentré, je découvre et charge les màj 1.4.7 et 1.4.8... et j'ai perdu ma page "mise à jour" ! message: The server encountered an internal error or misconfiguration and was unable to complete your request.
Je précise comment: après 1.4.7, j'ai lancé 1.4.8 ; ça n'a pas eu l'air de faire l'update, mais une nouvelle page (avec l'occupation du disque) est apparue, me disant qu'il y avait encore une mise à jour installable (la 1.4.8 ) j'ai donc relancé l'install par le bouton, rebooté, et... plus de page "mise à jour" !
Dans /home/httpd/cgi-bin, j'ai un fichier update.cgi : 7 962 octets, daté du 26/08/2005 04:52:37 (mêmes dates et heures que upload.cgi et quelques autres pages...)
Une idée, pour me sortir de là ?...

[Franck78]

@lurey: regarde dans le log du serveur http de ton ipcop (var/log/httpd/*)
Le fichier 'error' contient les problèmes 'perl/cgi/apache'.


Aussi, pas évident à découvrir, un petit utilitaire pas gourmand et plus pratique que le GUI pour afficher les connexions iptables en cours:

#>:iptstate

A lancer au démarrage par une commande du genre
http://cvs.sourceforge.net/viewcvs.py/i ... COP_v1_4_0
dans le rc.sysinit.local

Si quelqu'un a une autre méthode pour lancer un programme dans une TTY choisie, je suis preneur !