Recent updates
  • Igor,

    That bug appeared on an older ISO. You should be able to do a yum update from command line and resolve the issue.

    yum update app-base
    yum upgrade

  • Dave Loper
    Dave Loper's reply was accepted as an answer

    Re: Hotlan bypassing proxy

    This is by design. The proxy is NOT enabled on the HOTLAN because if it was then users on the HOTLAN could surf the LAN. Basically, the ClearOS server is trusted to the LAN and can communicate with it freely. If you use the server as a proxy then surfing is a trusted activity for the server itself and users on the HOTLAN would be able to surf the LAN. As you stated...

    "The reason for this is that the clients on the HOTLAN should not be able to see or communicate with the clients on the LAN."

    Giving HOTLAN users access to the proxy means that they would be able to see and communicate with the clients on the LAN since they would be using the server as their intermediary.

    You can override this behavior, however, with custom firewall rules that override the firewall redirect of ports and with overrides on the proxy server to accept proxy connections from this extra LAN but it is not part of the design nor is it a supported method because it, quite frankly, ruins the whole security paradigm of the HOTLAN.

    Having a second ClearOS server just to filter your HOTLAN is a common solution. You can even virtualize it if your hardware supports that sort of thing. A service like DNSthingy would filter both networks but currently it is an either/or between this service and the content filter.

  • Dave Loper
    Dave Loper replied to a discussion, Hotlan bypassing proxy

  • Dave Loper
    Dave Loper replied to a discussion, Content filter with one Nic?

    If you are setting up a standard proxy server, single NIC implementations work just fine. You can specify the proxy server in the settings of the workstation in the following ways:

    Configure the workstation's proxy settings manually in a browser
    Set up a group policy to promulgate the proxy settings (AD, Samba Directory)
    Set up WPAD using DHCP, DNS, or both
    Specify a connection script in the web browser

    The advantage of filtering proxy traffic as a bona fide proxy as opposed to filtering as a transparent proxy is that you can easily filter https traffic as well based on the domain name filtering rules that come with the content filter subscription.

    If you are looking to do an inline proxy and use transparent methods then you will need to get a switch that is capable of doing VLANs and then create two virtual NICs in ClearOS on the same NIC and then set up your ClearOS server on both of the NICs on the VLAN in a bridge with one NIC on a tagged port that is able to talk to the gateway only and then another NIC that is untagged that talks to the rest of the network. You will need to then unlock and use the 'trustedgateway' mode of ClearOS and assign a single IP address to ClearOS (necessary for the block pages). This method is NOT recommended. I know I can do it because I've done something similar in a lab before but it is super difficult unless you are already really adept at command line, VLANs, and bridging under ClearOS. Even a USB NIC is a simpler solution than trying a single NIC transparent filter.

    Here's my notes on how to do this with a two NIC configuration:

    https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_o_clearbox_as_a_transparent_inline_bridge

  • MikeCindi,

    This is a great place to report that sort of thing. I've added your bug to the tracker:

    https://tracker.clearos.com/view.php?id=13161

  • Dave Loper
    Dave Loper likes the reply for the discussion, Re: ClearOS 7.3.0 Beta 1 Available

    It would be nice to have OpenVPN 2.4 pushed through at some point because of the SWEET32 vulnerability. It has not even got to epel-testing.

    In case anyone is interested the vulnerability can be mitigated with the current version of OpenVPN by adding "reneg-bytes 64000" to /etc/clients.conf.
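
The reply above pairs a cipher property (a 64-bit block) with a rekey limit (reneg-bytes). The following is an added example, not code from the reply, from OpenVPN or from ClearOS: a small checker that parses an OpenVPN config, spots the 64-bit-block ciphers SWEET32 applies to (including the BF-CBC default that OpenVPN 2.3 uses when no cipher line is present) and reports whether a reneg-bytes cap is in place. The sample configs are constructed, and the 64000-byte ceiling used as the default is the figure from the reply, taken here as the operator's chosen limit rather than a value from any advisory.

```javascript
// Added example, not code from the reply, from OpenVPN or from ClearOS:
// parse an OpenVPN config and report whether a 64-bit-block cipher is in
// use and whether reneg-bytes caps how much data one key encrypts (the
// SWEET32 mitigation the reply describes). Config texts are constructed.

// OpenSSL cipher names with a 64-bit block, the ones SWEET32 applies to.
// BF-CBC is OpenVPN 2.3's default when no "cipher" line is present.
const SMALL_BLOCK_CIPHERS = new Set([
  "BF-CBC", "DES-CBC", "DES-EDE-CBC", "DES-EDE3-CBC", "CAST5-CBC",
]);

// 2^32 blocks of 8 bytes: the birthday bound at which ciphertext block
// collisions become likely under one key (2^35 bytes, i.e. 32 GiB).
const BIRTHDAY_BOUND_BYTES = 2 ** 35;

// Minimal parser: one directive per line, "#" / ";" lines are comments,
// a later occurrence of a directive replaces an earlier one.
function parseOpenVpnConfig(text) {
  const directives = {};
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const [name, ...args] = line.split(/\s+/);
    directives[name.toLowerCase()] = args;
  }
  return directives;
}

// rekeyLimitBytes defaults to the 64000 bytes the reply suggests; this is
// assumed to be the operator's chosen ceiling, not a figure from an advisory.
function assessSweet32(configText, rekeyLimitBytes = 64000) {
  const d = parseOpenVpnConfig(configText);
  const cipher = d.cipher ? d.cipher[0].toUpperCase() : "BF-CBC"; // 2.3 default
  const renegBytes = d["reneg-bytes"] ? Number(d["reneg-bytes"][0]) : 0; // 0 = no byte limit
  const smallBlock = SMALL_BLOCK_CIPHERS.has(cipher);
  let exposed;
  let reason;
  if (!smallBlock) {
    exposed = false;
    reason = `${cipher} has a 128-bit block; SWEET32 does not apply`;
  } else if (renegBytes > 0 && renegBytes <= rekeyLimitBytes) {
    exposed = false;
    reason = `${cipher} is a 64-bit-block cipher but keys are renegotiated every ${renegBytes} bytes`;
  } else {
    exposed = true;
    reason = `${cipher} is a 64-bit-block cipher and no reneg-bytes limit <= ${rekeyLimitBytes} is set`;
  }
  return {
    cipher,
    renegBytes,
    // fraction of the birthday bound one key may reach before rekey (1 = unbounded)
    keyUsageFraction: renegBytes > 0 ? Math.min(1, renegBytes / BIRTHDAY_BOUND_BYTES) : 1,
    exposed,
    reason,
  };
}

// Constructed sample configs: the pre-2.4 default (no cipher line), the same
// config with the reply's mitigation, and an AES config for comparison.
const VULNERABLE_CONF = `
# server.conf excerpt (constructed for this example)
port 1194
proto udp
dev tun
# no "cipher" line: OpenVPN 2.3 falls back to BF-CBC
`;
const MITIGATED_CONF = VULNERABLE_CONF + "reneg-bytes 64000\n";
const AES_CONF = VULNERABLE_CONF + "cipher AES-256-CBC\n";

function report(name, conf) {
  const r = assessSweet32(conf);
  console.log(`${name}: ${r.exposed ? "EXPOSED" : "ok"} - ${r.reason}`);
  return r;
}

report("default 2.3 config", VULNERABLE_CONF);
report("with reneg-bytes", MITIGATED_CONF);
report("AES-256-CBC", AES_CONF);
```

The ceiling is a policy choice: keyUsageFraction shows how far below the 32 GiB birthday bound a given reneg-bytes value keeps each key, and a smaller cap buys that margin with more frequent TLS renegotiations. A config that sets reneg-bytes above the chosen ceiling is still reported as exposed.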

  • Thanks Patrick!!!

    I've placed your report in the bug tracker here:

    https://tracker.clearos.com/view.php?id=13101

    Look for a formal resolution there but it also might appear here. Thanks for taking the risk and doing the update. Did you manage to find a fix for the issue? If so, I'll put your steps in as well or if you are waiting for some guidance, let us know and we'll get those in the bug notes.

  • ClearCenter has posted a blog on this as well. Congratz Fredrik!

    https://www.clearcenter.com/blogs/timeline

  • ClearOS 7.3 - 33% complete and how you can help get it to 100%

    ClearOS 7.3 beta3 is out and ready for testing. The most significant holdup so far is community testing which currently stands at 33 environments and we want to get it to at least 100. I've pinned Peter's post which illustrates how you can upgrade now/early to 7.3. If you want to go through the paces on a test rig or vm, you can download and use the new 7.3 beta 3 ISO here:

    http://mirror.clearos.com/clearos/7.2.0.179092-beta3/x86_64/iso/ClearOS-DVD-x86_64-7.iso

    Alternate link:

    http://mirror1-orem.clearos.com/clearos/7.2.0.179092-beta3/x86_64/iso/ClearOS-DVD-x86_64-7.iso

    Per usual, you can report bugs here on the forums or on the bug tracker (if you have access, requires permission.)

  • Dave Loper
    Dave Loper updated their profile