ClearFoundation Forums

TOPIC: Internet and DNS problems. wait til 6.2?
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
OK you have a direct cable connection which makes your set up a bit easier. It would be bridged if it were ADSL. I don't know the terminology for cable (even though I have it as well).

vi - yuck, especially if you have not used it before. If you want a Linux editor use nano which is in ClearOS. Even better is to use WinSCP on a Windoze machine which creates an SSH connection to your server. WinSCP (graphical file manager) and PuTTY (remote console) are essential tools to administer ClearOS from a Windoze PC.

You are not seeing module names as there aren't any kmod modules for your cards. The three you have must all be pretty well established so the built in drivers should be OK. I would have to research it more to see if there were more up to date drivers than the ones you have. You could do that as easily. Do something like "modinfo via-rhine" to get the version number then google.

I am not qualified to compare Smoothwall and ClearOS/iptables but as they are both Linux based I would expect them to be very similar, if not the same in terms of robustness. The difference may really only be the interface.
Nick Howitt
 
#37369
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
Yeah, I hate DSL. It is very frustrating, especially verizon.

WinSCP worked out beautifully. I was able to edit those files no problem. I had been using PuTTY, but it's substantially easier to get around using WinSCP and not having to do everything from the CLI.
For the benefit of the thread, here is what I did, originally from Nick's thread:
The only way so far to stop the portrait.lan queries going out into the wild are to have the line "local=/portrait.lan/" in dnsmasq.conf and 127.0.0.1 in resolv.conf.

I still cannot understand why there is even a request for image.clients.portraitexpress.com. It just defies logic.

Thank you very much for all of your input Nick. You are exactly who I was hoping would chime in on this thread.
Chris Fournier
The man who does things makes mistakes, but he who doesn't makes the biggest mistake of all - doing nothing. Benjamin Franklin

>>Failure is not an option; it is included with every Microsoft product.

Those who are different change the world. Those who are the same keep it that way.
 
#37370
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
I have another question for you Nick.
I have OpenDNS set as my DNS servers on COS. I have a lot of computers in the LAN that are set as static IPs, and some of them don't necessarily have my COS box as the DNS server. Some of them may have a random DNS server or have it set specifically as OpenDNS servers.
The problem is, OpenDNS filtering/shortcuts aren't forced on them. Is there a way to force all traffic going through the COS box to use the specified DNS servers?
Chris Fournier
 
#37373
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
Yes. Add forwarding blocks in iptables:
Code:

iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP

This means only lookups originating from ClearOS will get out, possibly except if you use a non-transparent proxy. You will then have people crying out that they can't access the internet.

Another possible way is to redirect their requests to ClearOS in the prerouting table with something like:
Code:

iptables -t nat -I PREROUTING -p tcp --dport 53 ! -d 192.168.0.75 -i eth1 -j DNAT --to-destination 192.168.0.75
iptables -t nat -I PREROUTING -p udp --dport 53 ! -d 192.168.0.75 -i eth1 -j DNAT --to-destination 192.168.0.75

I've never tried this before but it may well work. It would have the advantage of being totally transparent to the user if it works.
Nick Howitt
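As an added example (not Nick's commands and not ClearOS code), the following POSIX shell script renders both approaches from the post above using current iptables negation syntax (`! -d` rather than the older `-d !`), and includes a check that reads `iptables-save` output to confirm the redirect exists for both TCP and UDP, since a UDP-only rule is a common half-deployment. The interface `eth1` and resolver `192.168.0.75` are taken from the post; the two `iptables-save` excerpts are constructed for the example.

```shell
#!/bin/sh
# Added example: render DNS-forcing rules and verify them from iptables-save output.
# LAN interface and resolver address are the values from Nick's post; adjust for your LAN.
LAN_IF="eth1"
RESOLVER="192.168.0.75"

# Print (do not apply) the NAT redirect: any LAN client query to port 53 that is
# not already addressed to the ClearOS resolver is rewritten to go there.
# Uses the current "! -d" negation; older iptables accepted "-d ! addr".
dns_redirect_rules() {
    lan_if="$1"; resolver="$2"
    for proto in tcp udp; do
        printf 'iptables -t nat -I PREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s\n' \
            "$lan_if" "$proto" "$resolver" "$resolver"
    done
}

# Print the blunter variant: refuse to forward any LAN DNS traffic at all, so only
# the resolver's own upstream lookups leave the box.
dns_block_rules() {
    lan_if="$1"
    for proto in tcp udp; do
        printf 'iptables -I FORWARD -i %s -p %s --dport 53 -j DROP\n' "$lan_if" "$proto"
    done
}

# Read iptables-save text on stdin and report whether port-53 DNAT rules to the
# resolver exist for BOTH tcp and udp. Returns 0 only when both are present.
dns_redirect_present() {
    resolver="$1"
    saved=$(cat)
    for proto in tcp udp; do
        printf '%s\n' "$saved" \
            | grep -E -- "-A PREROUTING .*-p $proto .*--dport 53 .*-j DNAT --to-destination $resolver" >/dev/null \
            || return 1
    done
    return 0
}

# Constructed iptables-save excerpt: state after applying dns_redirect_rules.
SAMPLE_SAVE='*nat
-A PREROUTING ! -d 192.168.0.75/32 -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.75
-A PREROUTING ! -d 192.168.0.75/32 -i eth1 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.0.75
COMMIT'

# Constructed excerpt with only the UDP rule, i.e. an incomplete deployment.
SAMPLE_SAVE_PARTIAL='*nat
-A PREROUTING ! -d 192.168.0.75/32 -i eth1 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.0.75
COMMIT'

# Wrappers that run the check against the constructed samples.
check_full()    { printf '%s\n' "$SAMPLE_SAVE"         | dns_redirect_present "$RESOLVER"; }
check_partial() { printf '%s\n' "$SAMPLE_SAVE_PARTIAL" | dns_redirect_present "$RESOLVER"; }

# Usage: review the rendered rules, then apply with:  dns_redirect_rules eth1 192.168.0.75 | sh
# On a live box, verify with:  iptables-save | dns_redirect_present 192.168.0.75 && echo redirect ok
dns_redirect_rules "$LAN_IF" "$RESOLVER"
```

Two points worth knowing before relying on this: conntrack reverses the DNAT on the reply, so a client with a hard-coded resolver still sees answers that appear to come from the server it asked, which is what makes the redirect transparent; and the rules only catch plain DNS on port 53, so clients using DNS over TLS (port 853) or DNS over HTTPS (port 443) are not affected by either approach.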
 
#37378
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
Nick Howitt wrote:
Yes. Add forwarding blocks in iptables:
Code:

iptables -I FORWARD -p tcp --dport 53 -j DROP
iptables -I FORWARD -p udp --dport 53 -j DROP

This means only lookups originating from ClearOS will get out, possibly except if you use a non-transparent proxy. You will then have people crying out that they can't access the internet.

Another possible way is to redirect their requests to ClearOS in the prerouting table with something like:
Code:

iptables -t nat -I PREROUTING -p tcp --dport 53 ! -d 192.168.0.75 -i eth1 -j DNAT --to-destination 192.168.0.75
iptables -t nat -I PREROUTING -p udp --dport 53 ! -d 192.168.0.75 -i eth1 -j DNAT --to-destination 192.168.0.75

I've never tried this before but it may well work. It would have the advantage of being totally transparent to the user if it works.


Nice, that seems to work. I tried the second method. I just wish OpenDNS would hurry up with collecting stats so I can verify that my local DNS queries are not going outside anymore.
Chris Fournier
 
#37423
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
I still have DNS requests that are local getting out to opendns. They are as follows...
xc-560-c67015??.portrait.lan This one is a printer

I think it would be normal for these to go out to public DNS? There is the one entry that is just portrait.lan which seems kind of weird as that is what my "domain" name is. I don't actually have a domain set up.
wpad.portrait.lan
portrait.lan
isatap.portrait.lan

I also still have...
image.clients.portraitexpress.com
This one is not a site at all. When I ping it from the LAN, it resolves to an OpenDNS IP; when I ping using a site, it does not come back with anything.
Any ideas?
Chris Fournier
 
#37429
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
This is actually normal behaviour for OpenDNS: it will automatically redirect unknown DNS requests back through their own search engine, rather than returning an unknown DNS response. The extra queries are normal LAN behaviour, where clients will append the default search domain to any host name query, and it's OS-specific whether it will query DNS before other methods. That is why you see these odd requests leaving your LAN. There was a similar post on this quite a while ago, I'll see if I can dig it up. You can partially resolve these by adding entries to the local ClearOS DNS server so that the queries don't leave the LAN, and make sure that your clients are properly configured.
Tim Burgess
 
#37431
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
Local queries should not go out into the internet. AFAIK mine are all blocked with the settings I gave. If it helps, this is my dnsmasq.conf:
Code:

# The "interface" parameter is set by the network policy (LAN/DMZ interfaces)
bogus-priv
bogus-priv
conf-file=/etc/dnsmasq/dhcp.conf
dhcp-authoritative
dhcp-lease-max=1000
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
domain-needed
domain=howitts.lan
expand-hosts
local=/howitts.lan/
localise-queries
no-negcache
strict-order
user=nobody

There may be one or two differences with what you have.

The problem with OpenDNS is depending on your settings, a failed lookup will return an OpenDNS search. That is why you are getting a ping result. In my advanced settings I only have the Dynamic IP update checked. I also do not have the Guide Page, Block Page and Phishing Block Page selected. Try a combination of these.
Nick Howitt
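An added checker, not from the thread and not part of ClearOS, that reads a dnsmasq.conf and reports whether the settings that keep LAN-domain queries at home are present: a `domain=` directive paired with a matching `local=/domain/` (so names under the LAN domain, including the `wpad.` and `isatap.` search-domain lookups Tim describes, are answered locally and never forwarded), plus `domain-needed` so bare single-label names are not forwarded either. It also lists directives that appear twice, such as the doubled `bogus-priv` in the file above. Both sample configs are constructed, modelled on Nick's file.

```shell
#!/bin/sh
# Added example: sanity-check a dnsmasq.conf for the settings that keep LAN-domain
# queries local. The sample configs below are constructed, modelled on Nick's file.

write_sample_configs() {
    GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
    cat >"$GOOD_CONF" <<'EOF'
# constructed: mirrors the thread's working configuration
bogus-priv
bogus-priv
domain-needed
domain=howitts.lan
expand-hosts
local=/howitts.lan/
localise-queries
no-negcache
strict-order
user=nobody
EOF
    cat >"$BAD_CONF" <<'EOF'
# constructed: domain set but no local=/.../ line, so LAN names are forwarded upstream
domain=portrait.lan
expand-hosts
strict-order
user=nobody
EOF
}

# Strip comments and blank lines; dnsmasq ignores both.
conf_lines() { sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"; }

# Value of the first domain= directive, empty if none.
conf_domain() { conf_lines "$1" | sed -n 's/^domain=//p' | head -n 1; }

# Returns 0 when queries for the configured domain (and bare host names) are
# answered locally rather than forwarded; prints a reason and returns 1 otherwise.
check_dnsmasq_conf() {
    conf="$1"
    domain=$(conf_domain "$conf")
    if [ -z "$domain" ]; then
        echo "no domain= directive: clients will not share a search domain"; return 1
    fi
    if ! conf_lines "$conf" | grep -qxF "local=/$domain/"; then
        echo "missing local=/$domain/: queries for *.$domain will be forwarded upstream"; return 1
    fi
    if ! conf_lines "$conf" | grep -qxF "domain-needed"; then
        echo "missing domain-needed: single-label names will be forwarded upstream"; return 1
    fi
    echo "ok: *.$domain and bare host names stay on the LAN"
}

# Directives that appear more than once (harmless for bogus-priv, but worth knowing about).
duplicate_directives() { conf_lines "$1" | sort | uniq -d; }

# Usage: write the samples, then run the check against a real file with
#   check_dnsmasq_conf /etc/dnsmasq.conf
write_sample_configs
check_dnsmasq_conf "$GOOD_CONF"
check_dnsmasq_conf "$BAD_CONF" || true
duplicate_directives "$GOOD_CONF"
```

On the `localise-queries` question raised later in the thread: that directive only chooses which /etc/hosts address to return when a name has several addresses on different subnets, based on the interface the query arrived on. It does not decide whether a query is answered locally or forwarded; that is what `local=/domain/` and `domain-needed` do.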
 
#37464
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
Nick Howitt wrote:
Local queries should not go out into the internet. AFAIK mine are all blocked with the settings I gave. If it helps, this is my dnsmasq.conf:
Code:

# The "interface" parameter is set by the network policy (LAN/DMZ interfaces)
bogus-priv
bogus-priv
conf-file=/etc/dnsmasq/dhcp.conf
dhcp-authoritative
dhcp-lease-max=1000
dhcp-leasefile=/var/lib/misc/dnsmasq.leases
domain-needed
domain=howitts.lan
expand-hosts
local=/howitts.lan/
localise-queries
no-negcache
strict-order
user=nobody

There may be one or two differences with what you have.

The problem with OpenDNS is depending on your settings, a failed lookup will return an OpenDNS search. That is why you are getting a ping result. In my advanced settings I only have the Dynamic IP update checked. I also do not have the Guide Page, Block Page and Phishing Block Page selected. Try a combination of these.


The only main differences from my dnsmasq.conf are:
This line dhcp-leasefile=/var/lib/misc/dnsmasq.leases
and localise-queries

I will look into it and see what the localise-queries does. I would assume this is probably what I am looking for...

One more, hopefully the last issue....
In my IDS reports, I have my own IP addresses as attackers and victims. 76.14.193.52 and 74.14.198.49 are the addresses of my cable modems. IDS isn't blocking my IPs, but I would assume it is taking extra work to detect all of this activity.
Chris Fournier
Last Edit: 2012/02/08 16:32 By computationalerr.
 
#37466
Re:Internet and DNS problems. wait til 6.2? 3 Months, 2 Weeks ago  
IDS is not as easy as that. Sometimes when there is an attack the IPS/IDS searches for the response to the attacker. An example of this is a brute force login attempt. Snort monitors for all the login failures returning to the attacker. In this case you are seen as the source and the attacker as the destination. This confuses the hell out of the graphics! I suspect really the webconfig needs recoding!
Nick Howitt
 