Recent updates
  • I have resurrected the miniupnpd app and it is now available in clearos-contribs-testing. See this post for details. Any feedback would be welcome.

  • Miniupnpd is on its way back - testing required

    Miniupnpd was withdrawn from the ClearOS repos a few months ago due to lack of available development time. Because of an issue at home, I've dusted it off and rewritten the scripting to remove the reliance on ClearOS wizardry and to update it to the latest upstream release from this month (the last release was based on 2015 code). It is now available for testing in clearos-contribs-testing. To install it, do a: Obviously do an update instead of an install if you have the old version installed.

    Fedora packaging guidelines do not allow me to make the yum install start the app, so you will need to do a: If you already have it installed and it is running you can skip these two lines.

    The app will automatically detect and enable UPnP for all LAN interfaces. Optionally you can enable it for the HotLAN by uncommenting a line in /etc/miniupnpd/miniupnpd_clearos.conf. It will only work with the WAN interface which is the Default Route. If you have MultiWAN, you can check which interface is the default by doing:

    While miniupnpd was not working properly, you may have edited your /etc/miniupnpd/miniupnpd.conf to manually set ext_ifname and listening_ip. These settings are no longer needed and may be commented out.

    As before miniupnpd works by default on ports 1024-65535. I believe this used to give problems to XBox users who had to edit /etc/miniupnpd/miniupnpd.conf to cover all ports (0-65535). This edit is still up to you.

    Please post any feedback into this thread

  • Nick Howitt
    Nick Howitt's reply was accepted as an answer

    Re: Allowing only few websites for browsing

    The theory is easy if you are not using the proxy. Go to Webconfig > Network > Firewall > Egress Firewall and change the mode to "Block all outgoing traffic - specify allowed destinations" then specify the allowed IPs. In practice this is not always so easy if the FQDN does not resolve to a single IP address. Google and Facebook (as an example) round-robin their IPs for load balancing so you would need to unblock a whole block of addresses for them to work reliably, and it does not help using FQDNs in your firewall rules as the FQDN is converted to an IP address when the rule is loaded and it does not get re-evaluated until the rule is reloaded. Use this site to work out what you may need to unblock.

    This method blocks traffic from LAN to WAN but not from ClearOS to WAN.

    As an alternative you could use the Content Filter with authentication or there is a more recent app, Gateway Management which may be more suited. There is a free (Community) and commercial version of Gateway Management. I don't have experience of these apps.

  • Nick Howitt
    Nick Howitt's reply was accepted as an answer

    Re: Let's Encrypt .

    If you used the Let's Encrypt app, then renewal will be automatic. It checks for expiry after 2 months and renews when it can after that. After it renews it automatically restarts the Web Server and Webconfig so the new certificates are read in.

    If you did not use the app, but used certbot manually, just install the app and it will take over looking after your certificate renewal for you.

    For e-mail apps please see this HowTo. If you implement the certificates for any other apps, please let me know the details of how and I will add them to the HowTo and make it generic rather than just for mail apps.

  • Nick Howitt
    Nick Howitt joined the group WikiSuite
  • Nick Howitt
    Nick Howitt replied to a discussion, ClearOS as Domain?

    The PC's need to have the same Workgroup setting as ClearOS.

    It is up to you about what you do with LAN PC's. If you have a WORKING WINS server you should be able to use their NetBIOS names from other PC's, but probably not from ClearOS itself.

    If you have common services internally and externally (mail, web server etc) then it makes sense to add their FQDNs to the DNS for internal use. Then, on a laptop or phone, for example, you don't need to change the settings for them to browse your server or access their e-mails. When you say the traffic goes onto the internet, I think it only goes as far as the WAN interface which then loops it back in, but I think loopback can play havoc with port forwarding rules. I would (and do) avoid it by having any CNAME or A records externally in my hosts file to resolve internally.

  • Nick Howitt
    Nick Howitt replied to a discussion, ClearOS as Domain?

    The Workgroup (Windows Domain) does not have to match any of the other settings in the server and has nothing to do with e-mail addresses, but the PC's should match it. I use HOME.

    FWIW, Samba is still configured as a PDC in Simple Mode.

  • Nick Howitt
    Nick Howitt replied to a discussion, ClearOS as Domain?

    You do not need AD (which is only a connector) and it would require a full re-installation of ClearOS. Unfortunately I do not know how to join a PC to a Domain or what commands are available to troubleshoot it. If everything is working OK I believe it is a pretty straightforward procedure used by many with ClearOS.

    Perhaps someone else can step in with ideas?