 on: Thursday 19 July 2018, 06:36:47 pm 
Started by sagipael - Last post by sagipael

I have a VM of Endian 2.4.1 (I know it's an old version, but I have a lot of VMs in this version.)

I tried to run a curl command to a specific website (from the EFW shell), but I received a security error:
"Verify return code: 20 (unable to get local issuer certificate)"

I tried to add the crt of the trusted root CA to /etc/ssl/certs/ca-bundle.crt,
but it's the same error.
I tried to force it to use the CA file with  curl -CAfile XXXX.crt
Same error.

I also found that I have the same issue with all websites I tried to reach with curl.

(I do not have this issue with the newer version of EFW.)

Maybe someone can advise?

Maybe someone knows how to update the OpenSSL version?
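An added example, not from the post: it reproduces OpenSSL verify error 20 offline with a constructed throw-away CA and then shows the same check passing once the issuing CA is supplied, which is what appending the CA to the bundle (or handing it to curl with --cacert) is meant to achieve. It assumes the openssl command line tool and its stock openssl.cnf are installed.

```shell
#!/bin/sh
# Added example, not from the forum post: reproduce OpenSSL verify error 20
# offline with a constructed throw-away CA, then show the same check passing
# once the issuing CA is supplied, which is what appending it to the CA bundle
# (or giving it to curl with --cacert) is meant to achieve.

# Create a throw-away root CA and a leaf certificate it issued, inside $1.
make_test_pki() {
    d=$1
    # Constructed root CA; the stock openssl.cnf [v3_ca] section marks it CA:TRUE
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    # Constructed leaf certificate, signed by that CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" >/dev/null 2>&1
}

# Verify a leaf certificate and print "OK" or the OpenSSL error number.
# With no CA file only the system trust store is consulted; the constructed
# issuer is not in it, so OpenSSL reports error 20 ("unable to get local
# issuer certificate"), the same code the post quotes.
verify_leaf() {
    leaf=$1; cafile=${2:-}
    if [ -n "$cafile" ]; then
        out=$(openssl verify -CAfile "$cafile" "$leaf" 2>&1 || true)
    else
        out=$(openssl verify "$leaf" 2>&1 || true)
    fi
    case "$out" in
        *": OK"*) echo OK ;;
        *) printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1 ;;
    esac
}

# The scenario from the post: verification fails until the issuer is present
# in the bundle handed to the verifier. For curl the equivalent is
# "curl --cacert /path/to/bundle.crt https://host/" (curl's flag is --cacert;
# -CAfile belongs to the openssl tool).
demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    before=$(verify_leaf "$d/leaf.crt")                      # 20
    cat "$d/ca.crt" > "$d/ca-bundle.crt"                     # PEM bundle holding the issuer
    after=$(verify_leaf "$d/leaf.crt" "$d/ca-bundle.crt")    # OK
    rm -rf "$d"
    echo "$before $after"
}
```

If the bundle on the appliance still produces error 20 after the CA is appended, check that the appended block is PEM text and that it really is the issuer of the chain the server sends, not a different root of the same CA.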


 on: Tuesday 17 July 2018, 07:37:55 pm 
Started by wart101 - Last post by wart101
If you have an RJ-11 on the wall, most probably your internet connection is an xDSL connection and you need an xDSL router

Yup, I think they are just two different technologies. I thought maybe there was a chance that you could somehow connect directly to the Endian firewall; I'll have to run it through a router first and then the Endian, it seems.

Thanks for the reply

 on: Monday 16 July 2018, 06:40:36 pm 
Started by wart101 - Last post by Dark-Vex
If you have an RJ-11 on the wall, most probably your internet connection is an xDSL connection and you need an xDSL router

 on: Monday 16 July 2018, 06:37:58 pm 
Started by wgd - Last post by Dark-Vex
In the POP3 proxy settings, is the option "Intercept SSL/TLS encrypted connections" enabled or disabled?

 on: Monday 16 July 2018, 06:34:29 pm 
Started by beto2p - Last post by Dark-Vex
Hi, how many users do you have behind this system?

 on: Sunday 15 July 2018, 02:15:08 pm 
Started by wart101 - Last post by wart101
Having trouble getting a connection to my RED zone: the outlet from my wall is RJ11 and obviously the network card is RJ45. I have an RJ11-to-RJ45 cable, but it doesn't register the connection. Please help.

 on: Friday 13 July 2018, 12:01:10 am 
Started by beto2p - Last post by beto2p
I am using Endian 3.2.5 with the transparent HTTP proxy + web filter.
Everything had been running normally for several months.
Recently I enabled the HTTPS proxy, and after enabling it Squid's memory consumption became very high, to the point of hanging the service about twice a day. When I restart Squid the consumption returns to normal, but it keeps growing until it reaches the server's limit.
I am using an Itautec server with an Intel Xeon and 4 GB of memory.
Even outside the company's working hours, when only a few servers are on, memory consumption keeps growing.
I have already changed the Squid cache settings to very low values and disabled the proxy logs and ClamAV, but that did not solve it.

Note that the problem only occurred after enabling the HTTPS proxy.

Here are the squid.conf settings:

shutdown_lifetime 1 seconds
icp_port 0

workers 1

# direct access - acls
acl to_proxy_port           port 8080 18080 18081
# proxy interfaces - acls
acl to_green_interface    dst

acl from_green          src "/etc/squid/acls/green_subnets.acl"
acl to_green            dst "/etc/squid/acls/green_subnets.acl"

tcp_outgoing_mark 0x20000000
tcp_preserve_outgoing_mark_mask 0x3fff8

#=== GREEN zone setting ===
#=== GREEN IP ===
http_port ssl-bump cert=/var/efw/proxy/https_cert generate-host-certificates=on cipher=ALL:!ADH:!EXP:!eNULL:!aNULL:!SSLv2:!RC4:!LOW:!MD5:!DES options=NO_SSLv2,NO_SSLv3
http_port intercept
https_port intercept ssl-bump cert=/var/efw/proxy/https_cert generate-host-certificates=on cipher=ALL:!ADH:!EXP:!eNULL:!aNULL:!SSLv2:!RC4:!LOW:!MD5:!DES options=NO_SSLv2,NO_SSLv3

acl bypass_host_strict_check_acl ssl::server_name_regex .*
bypass_host_strict_check allow bypass_host_strict_check_acl
ssl_bump splice localhost
ssl_bump splice to_proxy_port
acl bypass_windows ssl::server_name "/etc/squid/acls/https_bypass_rules.acl"
ssl_bump splice bypass_windows
acl BrokenButTrustedServers dstdomain "/etc/squid/acls/https_bypass_dstdom_broken.acl"
acl DomainMismatch ssl_error SQUID_X509_V_ERR_DOMAIN_MISMATCH
sslproxy_cert_error allow BrokenButTrustedServers DomainMismatch
acl ssl_step1 at_step SslBump1
acl ssl_step2 at_step SslBump2
ssl_bump peek ssl_step1
ssl_bump bump all
acl https_proto proto https
always_direct allow https_proto
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
sslproxy_cert_sign_hash sha256

dns_v4_first on

cache_effective_user squid

pid_filename /var/run/squid.pid

cache_mem 100 MB

cache_dir rock /var/spool/squid 2000 max-size=1048576

error_directory /usr/share/squid/errors/en

icon_directory /usr/share/squid/icons

max_filedesc 100415

server_persistent_connections off
half_closed_clients off
buffered_logs on

cache_log /dev/null
cache_access_log /dev/null
cache_store_log none

log_mime_hdrs off

forwarded_for delete

auth_param basic program /usr/lib/squid/basic_ncsa_auth /var/efw/proxy/ncsausers
auth_param basic children 20
auth_param basic realm Proxy Server
auth_param basic credentialsttl 60 minutes
acl for_auth_users proxy_auth REQUIRED

# network - acls
acl from_all                src all
acl to_all                  dst all

acl from_localhost          src
acl to_localhost            dst
acl CONNECT                 method CONNECT

acl to_http_port            port 80
acl to_https_port           port 10443

# allowed ports - acls
acl allowed_ports       port "/etc/squid/acls/ports.acl"
acl allowed_sslports    port "/etc/squid/acls/sslports.acl"

acl from_rule0 arp "/etc/squid/acls/src_rule0.acl"
acl within_timeframe_rule0 time MTWHFAS 00:00-24:00
acl from_rule1 arp "/etc/squid/acls/src_rule1.acl"
acl within_timeframe_rule1 time MTWHFAS 00:00-24:00
acl within_timeframe_rule2 time MTWHFAS 00:00-24:00

# caching settings
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern .            0 20% 4320

cache deny      from_localhost
cache deny      CONNECT
cache allow     from_all

# http access to cachemanager
acl cachemanageracl proto cache_object
http_access allow cachemanageracl from_localhost
http_access deny cachemanageracl

# snmp access settings
snmp_port 3401
acl snmppublic snmp_community public
snmp_access allow snmppublic from_localhost
snmp_access deny from_all

# http access to squid
http_access deny    to_localhost
http_access allow   from_localhost
http_access allow   from_green to_green_interface to_http_port
http_access allow   from_green to_green_interface to_https_port
http_access allow   CONNECT from_green to_green_interface to_https_port
http_access deny    to_green_interface to_https_port
http_access deny    to_green_interface to_proxy_port

http_access deny    !allowed_ports !allowed_sslports
http_access deny    CONNECT !allowed_sslports

http_access allow from_rule0  within_timeframe_rule0   
http_access allow from_rule1  within_timeframe_rule1   
http_access allow   within_timeframe_rule2   
http_access deny    from_all

# http reply access rules
http_reply_access allow from_localhost
http_reply_access allow from_rule0  within_timeframe_rule0   
http_reply_access allow from_rule1  within_timeframe_rule1   
http_reply_access allow   within_timeframe_rule2   
http_reply_access deny from_all

# max/min object size
maximum_object_size 1024 KB
minimum_object_size 0 KB

visible_hostname efw01.copal.local

# begin custom.tmpl
# end custom.tmpl

icap_enable on
icap_service_revival_delay 30
icap_service_failure_limit -1
icap_preview_enable on
icap_preview_size    128
icap_send_client_ip  on
icap_send_client_username  on

include /etc/squid/squid.conf.d/*.conf

adaptation_access service_cf_req deny cachemanageracl

# icap contentfilter access control
# rule 0 - none
adaptation_access service_cf_req deny from_rule0  within_timeframe_rule0   
# rule 1 - bloqueio_parcial
adaptation_access service_cf_req allow !CONNECT from_rule1  within_timeframe_rule1   
adaptation_access service_cf_req allow CONNECT ssl_step2 from_rule1  within_timeframe_rule1   
adaptation_meta X-Profile profilebloqueio_parcial from_rule1  within_timeframe_rule1   
# rule 2 - bloqueio_paginas
adaptation_access service_cf_req allow !CONNECT   within_timeframe_rule2   
adaptation_access service_cf_req allow CONNECT ssl_step2   within_timeframe_rule2   
adaptation_meta X-Profile profilebloqueio_paginas   within_timeframe_rule2   
# default deny - only allow defined traffic
adaptation_access service_cf_req deny all

 on: Tuesday 10 July 2018, 02:12:58 am 
Started by albert_herts - Last post by albert_herts
Good morning, a question: how can an IP be associated with the MAC address of the clients' network card (other than via DHCP), so that only REGISTERED MACs are allowed to browse? And so that when a client changes the IP manually, they cannot browse?

 on: Thursday 28 June 2018, 01:52:00 am 
Started by alme5 - Last post by Dark-Vex

You need a reverse proxy, which Endian doesn't have. You can set up a reverse proxy with nginx, for example, and then you should modify the DNAT/port forward to point to the reverse proxy system.
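An added example, not from the thread or from Endian: a shell function that installs an nginx configuration for the reverse proxy described above, routing port 80 on the Host header and port 443 on the TLS SNI name so one public IP can reach both DMZ servers. The hostnames and 10.0.1.x addresses are placeholders, and nginx must be built with the stream and ssl_preread modules.

```shell
#!/bin/sh
# Added example, not from the thread or from Endian: write an nginx config for
# the reverse proxy Dark-Vex describes. Hostnames and DMZ addresses are
# placeholders; nginx must be built with the stream and ssl_preread modules.
write_dmz_routing_conf() {
    cat > "$1" <<'EOF'
events { }

stream {
    # Port 443: choose the backend from the TLS SNI name without terminating
    # TLS here, so each DMZ server keeps its own certificate and private key.
    map $ssl_preread_server_name $dmz_tls_backend {
        www.example.com   10.0.1.10:443;   # placeholder: www server
        mail.example.com  10.0.1.20:443;   # placeholder: mail server
        default           10.0.1.10:443;
    }
    server {
        listen 443;
        ssl_preread on;
        proxy_pass $dmz_tls_backend;
    }
}

http {
    # Port 80: route on the HTTP Host header.
    server {
        listen 80;
        server_name www.example.com;
        location / {
            proxy_pass http://10.0.1.10;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
    server {
        listen 80;
        server_name mail.example.com;
        location / {
            proxy_pass http://10.0.1.20;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}
EOF
}
```

Install the output as the main nginx.conf on the proxy host (stream and http are top-level blocks, so it cannot go under conf.d), then repoint the Endian DNAT rules for ports 80 and 443 at that host instead of the individual servers.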

 on: Monday 25 June 2018, 06:21:15 pm 
Started by alme5 - Last post by alme5
Hello this is my scenario:

DMZ has two servers: the www hosted at and mail hosted at
I would like to be forwarded to the proper server when from outside (RED) I go to www.domain and mail.domain.
Both servers are behind one public IP configured as RED on the Endian firewall, and I cannot add another IP. This is easy to do when the ports are different (port forwarding / destination NAT), but in my case the ports are the same on both servers (80 and 443). Is there a way to do NAT forwarding based on the requested subdomain?

I hope you will be able to understand my scenario and help me with a solution.


