Author Archive

.79 issues

Tuesday, August 23rd, 2005

There was a nasty bug in .79 that partially reverted the config file
version: it left a config file with the newer syntax but the older
version number. Upgrading past .79 without taking a corrective
measure will break your system. Again, if you installed or upgraded
to .79 and plan on using anything newer, please read this.

Two issues in particular affect those who are on .79 and plan to
upgrade. During boot, we check whether the config file version is
older than what we claim is current; if it is, we upgrade it. A .79
config carries the old number but already has the new syntax, so the
upgrade runs anyway, against a file it does not expect.

Multi-WAN

Saturday, June 11th, 2005

Scott and I committed code last night to get non-load-balanced multiple WAN connections working. What this means is that you can now use the rules system to direct which link an arbitrary connection goes out over.

Example

  • On OPT2 I have a static-IP 384/384 DSL connection
  • On WAN I have a dynamic-IP 6000/768 cable connection
  • I’d prefer all my traffic to go through the cable connection except for my servers and a handful of things that require me to have a static IP.

Steps to make this work

  • On the interface screen for OPT2, put in a gateway address.
  • In the advanced outbound NAT screen, set up NAT entries for your OPT2 and WAN interfaces covering the traffic you want going through each. In my case I create NAT entries for my DMZ and my LAN on the OPT2 interface and a NAT entry for the LAN on my WAN interface. This sets up the NAT side so that traffic leaving through an interface uses that interface’s address as its source address.
  • Now for the fun part, rules.
  • In the DMZ rules screen, I set each pass rule’s gateway to the one on my OPT2 interface. Edit the rule and towards the bottom you’ll see a gateway option.
  • On the LAN rules screen, I create a couple of rules to direct specific traffic out OPT2.
  • If no rule sets a gateway, the system uses your default gateway (the WAN gateway is considered the default).
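What the steps above amount to underneath the GUI, as an added example that is not part of the post and not the project’s own generated ruleset: a hand-written pf.conf fragment with per-interface outbound NAT and pf’s route-to on the pass rules. The interface names, the LAN and DMZ networks, the OPT2 gateway address and the choice of “specific traffic” (SSH from the LAN, used only as a placeholder) are all assumptions.

```pf
# Added example: hand-written pf.conf fragment, not the project's own output.
# Every name and address below is an assumption for illustration.
wan  = "xl0"              # dynamic-IP cable; the default route lives here
opt2 = "xl1"              # static-IP DSL
lan  = "xl2"
dmz  = "xl3"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
opt2_gw = "203.0.113.1"   # the gateway entered on the OPT2 interface page

# Step 2: advanced outbound NAT. pf picks the nat rule by the interface the
# packet leaves on, so traffic pushed out OPT2 is rewritten to OPT2's own
# address and traffic leaving WAN to WAN's. Translation rules must precede
# the filter rules in pf.conf.
nat on $opt2 from $dmz_net to any -> ($opt2)
nat on $opt2 from $lan_net to any -> ($opt2)
nat on $wan  from $lan_net to any -> ($wan)

# Step 3: the DMZ pass rules carry the OPT2 gateway. route-to overrides the
# routing table for packets matched by this rule only.
pass in quick on $dmz route-to ($opt2 $opt2_gw) from $dmz_net to any keep state

# Step 4: LAN rules. Only the listed traffic (placeholder: SSH) is forced out
# OPT2; it must sit above the catch-all, because pf with quick stops at the
# first match and that rule's gateway (or lack of one) wins.
pass in quick on $lan route-to ($opt2 $opt2_gw) proto tcp from $lan_net to any port 22 keep state

# Step 5: no gateway on the rule, so these connections follow the default
# route, i.e. the WAN gateway.
pass in quick on $lan from $lan_net to any keep state
```

Check the fragment with `pfctl -nf /etc/pf.conf` before loading it; `-n` parses without installing the rules. The post covers outbound connections only. For connections that arrive on OPT2 from the Internet to the DMZ servers, the matching mechanism is pf’s reply-to on the inbound rule, so the replies leave through OPT2 rather than the default WAN route; that is not described in the post and is mentioned here only so the DMZ’s static-IP services are not left with asymmetric paths.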

Give it a whirl!

Authentication system changes

Sunday, May 15th, 2005

While we’re still set up for HTTP Basic authentication, we’re no longer doing it at the web server level; it has been moved to the PHP layer. This change will eventually allow us to move to a more robust authentication scheme that allows role-based access and even offloading authentication to centralized servers (LDAP, RADIUS, SecurID, etc.). Let us know if there are any problems, and please, please let us know if somehow we missed a PHP file: now that the check lives in PHP rather than in the web server, a file that does not include it is reachable without credentials. This does have the potential to impact the security of the firewall, so it’s important.