Hotfix 160210

Hotfix 160210

hans2
I've received this hotfix on Jan 9th from Jabari. Not 100% sure if this works for everybody as we were working on a bridge issue. My recommendation would be to make a backup first (double check that the mentioned files are included in the backup list).

File: hotfix_160210.tgz

Installation Instructions
1) secure copy hotfix_160210.tgz to the root directory of the Shield
2) tar -zxvf hotfix_160210.tgz
3) reboot -f

Here are some notes regarding all the changes in the hotfix:
############################################################
Changes on/before 160109 by ITUS:
1) ituswebfilter.sh - Fix for increment into the broadcast address.

2) itus-setup.sh -  
- bridge mode users cannot replace the x.x.x.111 address in the web UI. If a static IP address is assigned to br-lan it will add the address to the interface, but will not remove x.x.x.111. The user ends up with multiple addresses on the interface.
- added a line to setup a DNS server to the static interface because I notice /tmp/resolve.conf.auto didn't have a dns server.

3) log-gen.sh -  updated /etc/itus/lists/log-gen.sh to generate logs with blocked domains and changed the format to be more readable. 

4) dhcp - Removed the DHCP server options from the lan interface

5) /etc/init.d/snort - Ensure eth0 and eth2 are in promiscuous mode.
        - Added ifconfig eth0 up promisc
        - Added ifconfig eth2 up promisc
        
6) /etc/itus/factory_reset.sh
       - Removed umount -a from the beginning of the file because it makes the entire file system read-only and the following commands in the script cannot successfully execute.

7) /etc/rc.local
       - Removed the first 5 or 6 lines of code that copies the /etc/config/network.br to /etc/config/network and /etc/init.d/snort.br to /etc/init.d/snort
       - This prevents the system from reverting back to the default settings between reboots.

8) /etc/config/network
       - This is the default networking file for bridge mode and no changes were made. I added it to ensure itus-setup.sh and ituswebfilter would run correctly on the first run.

9) /etc/snort/snort_bridge.conf
      - Setup whitelist and blacklist for snort but the settings are commented out by default. Users can uncomment the lines, add an ip address to the whitelist or blacklist, and restart snort.
       - Setup blacklisting - I discovered snort has a blacklist of ip addresses in /etc/snort/rules that we aren't using.
       - Setup whitelisting - Snort will not process the rules for packets destined for ip addresses in the whitelist. This would be a good workaround for the PS4.

10) /etc/snort/rules/L2.whitelist
       - Users can add ip addresses to the whitelist

Changes on/before 160210 by HANS
11) Hans: solved the ownership of the files - no longer need to chown root.root of these files.

############################################################

No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1
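
The backup recommendation and the extract-over-/ step above, as an added shell example that is not part of the original post or ITUS tooling: it validates the archive, flags member paths that would escape the extraction directory, and saves the files the hotfix would overwrite. Function names and the HOTFIX/ROOT/BACKUP arguments are assumptions.

```shell
#!/bin/sh
# Added example, not ITUS tooling: pre-flight checks before unpacking a
# hotfix tarball over a root directory. All function names are assumptions.

# Succeeds only if the file is a readable gzip-compressed tar archive.
archive_ok() {
    tar -tzf "$1" >/dev/null 2>&1
}

# Filter: reads member names on stdin, prints those that would land outside
# the extraction directory (absolute paths or ".." path components).
unsafe_paths() {
    grep -E '^/|(^|/)\.\.(/|$)' || true
}

# Prints members that already exist as regular files under ROOT ($2),
# i.e. the files the hotfix would overwrite.
would_overwrite() {
    tar -tzf "$1" | while IFS= read -r m; do
        if [ -f "$2/$m" ]; then printf '%s\n' "$m"; fi
    done
}

# Refuses bad archives, then saves the to-be-overwritten files to BACKUP ($3).
# Returns 1 for an unreadable archive, 2 for unsafe member paths.
preflight() {  # usage: preflight HOTFIX ROOT BACKUP
    archive_ok "$1" || { echo "not a valid .tgz: $1" >&2; return 1; }
    if [ -n "$(tar -tzf "$1" | unsafe_paths)" ]; then
        echo "unsafe member paths in $1" >&2
        return 2
    fi
    list=$(mktemp)
    would_overwrite "$1" "$2" > "$list"
    if [ -s "$list" ]; then
        # Member names are relative, so archive them relative to ROOT.
        tar -czf "$3" -C "$2" -T "$list"
    fi
    rm -f "$list"
}

# Stand-alone use: sh preflight.sh hotfix_160210.tgz / /tmp/pre_hotfix.tgz
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

The backup archive can be restored with the same `tar -zxvf` step from the same directory, since it keeps the hotfix's relative paths.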

Re: Hotfix 160109

user8446
Administrator
Thanks Hans!
Were these hotfixes pushed out via the nightly updates to everyone or did Jabari send them to you for beta testing?
Running in bridge mode, 1.51 SP1 fw

Re: Hotfix 160109

hans2
user8446 wrote
Thanks Hans!
Were these hotfixes pushed out via the nightly updates to everyone or did Jabari send them to you for beta testing?
I had a bug with my bridge settings in combination with an OpenWRT router. He sent me this hotfix via email; this is not a nightly hotfix. However, it does include some elements (like the IP address assignment) that were not part of my issue.
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

amateur user
In reply to this post by hans2
Can you give step by step instructions for us newbies? :) I tried to figure out exactly what to type in the command line and now the shield is giving off a couple dozen errors when updates are attempted

Re: Hotfix 160109

hans2
I am using Putty and WinSCP to do this work. WinSCP to copy files from my computer from/to Shield and Putty for the CLI (Command Line) work.

Use WinSCP to copy hotfix_160210.tgz to the root directory of the Shield. Check WinSCP documentation for instructions.

Use Putty to connect to Shield

Go to the root
cd /
The CLI should now say root@Shield:/#

Unpack & overwrite existing files
tar -zxvf hotfix_160210.tgz

Reboot Shield
reboot -f

 
A couple of important notes:
1) I have NOT fully tested this update
2) I got this file to solve a BRIDGE issue, I have not tested it in router/gateway.
3) If you do a factory reset it will go back to the default settings, this script will NOT update the restore image.
4) For factory reset, see the Admin guide or in CLI run command sh /etc/itus/factory_reset.sh


If you are still encountering issues, please do in CLI

dmesg > /tmp/dmesg_log.txt

and use WinSCP to copy /tmp/dmesg_log.txt to your local computer. If you share this file then we may be able to figure out what you are doing.
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

amateur user
I am receiving an "invalid tar magic" error. I am using a Mac and get this error no matter what program I use to log in to the Shield. I didn't get this error when I accidentally installed 160209 (i.e. the previous hotfix posted in this thread) in router mode yesterday.

On Feb 12, 2016, at 11:28 AM, Hans [via Itus Networks Owners Forum] <[hidden email]> wrote:


Re: Hotfix 160210

user8446
Administrator
In reply to this post by hans2
As mentioned, these were not tested. I personally have only had time to test:

/etc/config/dhcp  - removes the dhcp server option from the LAN general setup

/etc/init.d/snort  - I noticed ETH0 and ETH2 now go into promiscuous mode earlier, whereas before they did at the very end of snort starting

/etc/rc.local - I already had those first few lines commented out and it works fine and does not revert to default settings on reboot so this new one should be used or comment out those lines. It looks like this is done automatically in the new /etc/itus-setup.sh at the very end of the script. Also, I would add:

sleep 30
/etc/init.d/dropbear restart

rc.local

right before the exit 0. I've attached it or you can even do it in the GUI. A fix for many users who have the issue where you have to click "save and apply" every time on a reboot to get Dropbear SSH back.
Running in bridge mode, 1.51 SP1 fw

Re: Hotfix 160210

amateur user
I noticed an error preventing 'dnsmasq' from starting, but I couldn't track down the ultimate cause of it. I factory restored and I'm back at square one.

Is there any way we could get a hold of the earlier nightly hot fixes to compare it to?

Re: Hotfix 160210

amateur user
Any way to get this working? or completely disable webfilter?

Thanks


Re: Hotfix 160210

hans2
In reply to this post by amateur user
amateur user wrote
I noticed an error preventing 'dnsmasq' from starting, but I couldn't track down the ultimate cause of it. I factory restored and I'm back at square one.

Is there any way we could get a hold of the earlier nightly hot fixes to compare it to?
1.51SP1 is the latest image from ITUS themselves
Hotfix 160210 is a patch I received from ITUS but (originally) it had the wrong file ownership (504.40 vs root.root).

So both are from ITUS themselves. The 160301 has updates based on discussions on this forum - this one is not yet fully tested

No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160210

amateur user
Thanks for the info I really appreciate it.

Any chance that itus reported any bugs regarding the web filter not working/dnsmasq not starting? I'm stuck on that and not sure what to do to get things going so I'm just checking (with fingers crossed !!)

On Feb 29, 2016, at 2:08 PM, Hans [via Itus Networks Owners Forum] <[hidden email]> wrote:


Re: Hotfix 160210

hans2
amateur user wrote
Thanks for the info I really appreciate it.

Any chance that itus reported any bugs regarding the web filter not working/dnsmasq not starting? I'm stuck on that and not sure what to do to get things going so I'm just checking (with fingers crossed !!)
There were many issues with dnsmasq but I don't have the details.

Check the backup file that breda made - you can find it in this http://itus.accessinnov.com/Can-t-access-Apple-s-iCloud-iTunes-etc-td168.html#a180
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

Gnomad
In reply to this post by hans2
n00b question:
I have PuTTY and SSH enabled on the Shield (1.51 SP1, currently Gateway mode).  

Attempting to connect with WINSCP results in "ash: /usr/libexec/sftp-server: not found" and "Cannot initialize SFTP protocol. Is the host running a SFTP server?"

Couldn't find SFTP in the admin interface - any tips to enable it?
OpenWrt SNAPSHOT, r10391-3d8d528939

Re: Hotfix 160109

hans2
Gnomad wrote
n00b question:
I have PuTTY and SSH enabled on the Shield (1.51 SP1, currently Gateway mode).  

Attempting to connect with WINSCP results in "ash: /usr/libexec/sftp-server: not found" and "Cannot initialize SFTP protocol. Is the host running a SFTP server?"

Couldn't find SFTP in the admin interface - any tips to enable it?
Gateway mode was never fully tested by ITUS. Please share with us your results/findings.

In WinSCP I use the SCP protocol, not the SFTP/FTP/WebDav. If Dropbear works fine, SCP should work too.
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

Gnomad
Perfect, thanks.  I switched to Router mode as I noticed that 1.51SP1 remained stuck saying "Bridge" even with the switch at G, and have just installed the March 4 beta hotfix.  Will certainly supply test results - cheers!
OpenWrt SNAPSHOT, r10391-3d8d528939

Re: Hotfix 160109

breda

Hi Hans, is this correct? Not seeing any updates on IPS Last Updated


root@Shield:~# tar -zxvf hotfix_160210.tgz
tar: can't open 'hotfix_160210.tgz': No such file or directory
root@Shield:~# tar -zxvf hotfix_160210.tgz
etc/
etc/rc.local
etc/itus-setup.sh
etc/snort/
etc/snort/snort_bridge.conf
etc/snort/rules/
etc/snort/rules/L2.whitelist
etc/config/
etc/config/network
etc/config/dhcp
etc/init.d/
etc/init.d/snort
etc/itus/
etc/itus/upgrade_to_151SP1/
etc/itus/upgrade_to_151SP1/upgrade_to_151SP1.sh
etc/itus/upgrade_to_151SP1/md5sum_RestoreImage.txt
etc/itus/ituswebfilter.sh
etc/itus/factory_reset.sh
etc/itus/lists/
etc/itus/lists/log-gen.sh
etc/dnsmasq.conf
sbin/
sbin/fw_upgrade
tmp/
tmp/deploy_hotfix_160210.sh
root@Shield:~#
root@Shield:~#

Re: Hotfix 160109

hans2
breda wrote
Hi Hans, is this correct? Not seeing any updates on IPS Last Updated
root@Shield:~# tar -zxvf hotfix_160210.tgz
tar: can't open 'hotfix_160210.tgz': No such file or directory
root@Shield:~# tar -zxvf hotfix_160210.tgz
The "~" means you're in your home folder. Try "cd /" or "cd /tmp" to get to the root or temp folder.
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

breda
Hi Hans, I can't seem to change folders. I'm using Username: root

root@Shield:~# cd/
-ash: cd/: not found
root@Shield:~# cd/tmp
-ash: cd/tmp: not found
root@Shield:~# cd/
-ash: cd/: not found
root@Shield:~# win
-ash: win: not found
root@Shield:~# list
-ash: list: not found
root@Shield:~# cd/tmp
-ash: cd/tmp: not found
root@Shield:~#

Re: Hotfix 160109

hans2
cd <space> /foldername

There are some useful commands like ls, cd, mkdir, rmdir etc listed here: http://linuxcommand.org/learning_the_shell.php
No more: Shield Pro v1, Chaos Calmer, FW 1.51 SP1

Re: Hotfix 160109

breda
Thanks Hans I was thinking of the old MS DOS commands and not Linux