Wednesday, June 30, 2004

Finally Finalizing 0.3-0

I spent the entire day yesterday debugging the boot configuration for the next release (I hope my boss doesn't read this). I think it's just about ready to go. I will do a little more testing tonight for the new user classes and new XML accounting process. If all goes well, I will have .3-0 (Duality) up for grabs tomorrow.


I will be adding a few things to Zone Control on publicip.net today to do real testing for the next release. I'll add little notes where something only works with v >= .3-0. This may cause brief disruptions while programs and libraries are updated.

Tuesday, June 29, 2004

600 Lines of Shell Later....

And we got a boot-time configuration interface for the ZoneCD. Not only did I deprecate the ZoneID and add more security, I took it to a-whole-nother level... The ZoneCD will now ask you if you want to run the gateway in "Open" mode or "Closed" mode (Passive is not very descriptive to someone that doesn't know NoCat). It will also ask you whether you want to use DHCP or manual network configuration for Eth0. After you configure your settings, they get saved to a floppy disk and you will not need to configure the ZoneCD again. During boot on a "configured" ZoneCD, there will be a 5-second pause to ask if you want to change any settings....


If you select Closed mode, you will be prompted to authenticate with your publicip.net login. Once you log in, a "secret" unique key will be shared between your ZoneCD and the Authserver. This key will be used in all download requests sent to the Authserver. Once you get a key, it is saved to your floppy disk for the next visit... No need to log in again.


You can read about the boot-time registration process in the last entry below...


Another cool thing I added was a reload switch to the NoCat init.d script. You can run '/etc/init.d/nocat reload' and any configuration changes made in Zone Control will be downloaded and "loaded" into NoCat. No more reboots...

Monday, June 28, 2004

Securing ZoneCD Boot Configuration

I know I said Monday, but I'm not releasing the next version today... sorry. It is important to me, and you, to add more security to this next release.

With the next release of the ZoneCD, everybody will need to run the ZoneCD and log in to it with their publicip.net username and password one time... After you authenticate (via SSL), your zone.id and a new zone.key (used for downloads) file will be generated and saved to your floppy disk. After the first login, you will not need to repeat this process.

I have also added a registration screen to the login boot process. You can select a Register button to register the ZoneCD on the publicip network. Selecting register will fire up lynx (lynx-ssl). After you complete the registration, you will be redirected back to the ZoneCD login prompt immediately. Once you authenticate with an unverified login, your ZoneCD will function in default mode. You will not be able to log in to Zone Control on publicip.net to Customize Your Zone until you verify your email address. All logins not verified in 48 hours will be deleted.

ZoneCD_0.3-0 will be a recommended upgrade. ZoneCD_0.3-1 (or -2) will be a required upgrade to strictly enforce new security standards that need to be implemented to secure the future of the project.

Saturday, June 26, 2004

ZoneID Deprecation

I am working on streamlining the ZoneCD bootup process. This requires a little additional complexity on my end, but will result in a superior design. Instead of being prompted for a ZoneID, you will log on with your publicip.net username and password (there will be a Register Now button as well). After authentication, your configuration will be downloaded, and the zone.id will be archived on the floppy disk.

This is really not a security update, it's just a design enhancement. It will prevent mistakes entering the wrong id, and automatically create the zone.id file so that the following boots will not require a login. Technically there will still be a ZoneID(account id), but it will be transparent to you.

Zone Control Security

Thursday night into Friday morning there were issues with database corruption. After repairing the tables on Thursday night, I did a restore from daily backups as an attempt to recover lost data. Well, I think this screwed things up because I didn't drop the database first. It must have jumbled the old session IDs and caused mass chaos in the system. Friday afternoon, I dropped the db and did a complete restore from backup. Everything seems fine now... Please report any weird system behavior to scott at publicip dot net.

This of course raised security concerns with the way Zone Control handles sessions. I have implemented logic to prevent sessions from being viewed on a different PC than the one it was created on... No cookies, it's all maintained in a sessions table.

I can't say I have a lot of experience with db restores, and I guess I learned something very valuable from this. This experience has helped me improve the security of Zone Control. Thanks to all of you that helped me work this out. I couldn't have done it without you.
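
Added example, not Zone Control's code: one way a server-side sessions table can refuse a session presented from a different machine than the one that created it, and let stale rows die on their own. It assumes the "pc" is identified by client IP address (the post does not say how); the table layout, function names and 30-minute lifetime are all hypothetical.

```python
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 1800  # seconds; assumed lifetime, not a Zone Control value


def open_store():
    """In-memory stand-in for the server-side sessions table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sessions ("
        " token_hash TEXT PRIMARY KEY,"
        " username   TEXT NOT NULL,"
        " client_ip  TEXT NOT NULL,"
        " expires_at REAL NOT NULL)"
    )
    return db


def _hash(token):
    # Only a hash is stored, so a leaked table or backup does not hand out live tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(db, username, client_ip, now=None):
    """Issue a random token and record which address it was issued to."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO sessions VALUES (?, ?, ?, ?)",
               (_hash(token), username, client_ip, now + SESSION_TTL))
    return token


def validate_session(db, token, client_ip, now=None):
    """Return the username, or None if the token is unknown, expired,
    or presented from an address other than the one it was bound to."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT username, client_ip, expires_at FROM sessions"
        " WHERE token_hash = ?", (_hash(token),)).fetchone()
    if row is None:
        return None
    username, bound_ip, expires_at = row
    # The expiry check also retires old rows reintroduced by a database restore.
    if now >= expires_at or client_ip != bound_ip:
        # Revoke on any failure so the same token cannot be retried.
        db.execute("DELETE FROM sessions WHERE token_hash = ?", (_hash(token),))
        return None
    return username
```

Clients behind the same NAT gateway share an address, so an IP binding narrows where a session can be reused rather than tying it to a single machine.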

Friday, June 25, 2004

Monday, Monday.

Man-o-man, I made myself nuts last night with some weird cache thing or something preventing me from logging into Zone Control. Anyway, I didn't do anything, and it's fixed today... I guess it was just me having the problem. That's the kinda thing you go through when you don't get enough sleep.

However, in the midst of my madness, I did get a chance to compress another iso, and it looks like it might be the next release. Everything is working perfectly, so far... I will test it through the weekend and release it on Monday. It will be released as version 0.3-0 (versions 0.2-7, 0.2-8, & 0.2-9 are in my garbage can).

Some Changes:

New user class definitions
End-user accounting
Added PHP
Added SOAP::Lite and required libs
Added openssl from source
Open Mode fix
Secured communication between ZoneCD and Authserver
Drop all connections to wired LAN network(optional)
Cleaned-up boot initialize script





Thursday, June 24, 2004

SSL and Connection Pooling for NoCat Web Services


SSL
I set up Tomcat and SOAP::Lite to work with SSL. So now any accounting data shared between the two is encrypted. https://xml.publicip.net:8443/axis/services/NoCatAccounting?wsdl You will get a warning about an Untrusted Root Authority, but SOAP::Lite doesn't care about the root authority, it just accepts the key, encrypts the message, and sends it to the service.

DB Connection Pool
I did some stress testing on the DB last night and saw some issues with memory. So instead of having all those loose threads hanging around, I set up Tomcat to create a connection pool for Axis to use... Instead of my Java class creating a connection for every request, it uses an available connection from the pool. This should optimize the performance of the service.

Wednesday, June 23, 2004

ZoneCD 0.2-7 will be a major release!

I am workin my ass off trying to get this release out the door... 2-7 will implement a new user Class system, and a new accounting system. I will also have one bug fix for Open mode [floppy] configuration.

The new Class definitions should be pretty solid, and cause very little problem. On the other hand, the new accounting method via SOAP may need some fine tuning. The 2-7 release will have the default accounting method set to XML. You will be able to modify this setting in Zone Control to send your accounting to File (accounting.log). If you choose File accounting, you can use LogMailer to get the logs daily. In its current state Public IP's NoCat Web Service is just accepting calls and returning simple values just to log its activity. As the system goes through testing it will become more complex. Future ZoneCD releases will react to return values from the Web Service.

You guys will have to bear with me as the NoCat Web Service gets developed. This is the foundation for a shit-load of more functionality... Including timed session management, ticket-based system, end-user email validation, and saving configuration changes.... like I said, a ton-o-shit. After the new ZoneCD release I will put together the interface to view the data saved by the web service.

Monday, June 21, 2004

NoCat Accounting Web Service

Here it is folks... http://xml.publicip.net:8080/axis/services/NoCatAccounting?wsdl. This is the webservice I have created to work with pogozone's RADIUS patch. I added a NoCat::Accounting::XML package to accounting and it works beautifully! The package uses SOAP::Lite to send RPCs via SOAP. This will be implemented on the next ZoneCD release. Very cool!!

The webservice accepts 10 parameters and inserts/updates a MySQL db. The service is fully functional, but I am still working on adding security to the service... just to prevent any foolishness. I will also create a web interface to view the data, as well as another webservice for users to select data and integrate into their systems.

Thursday, June 17, 2004

User Class Permissions

Once upon a time I had plans to create a Known User Class.... This became a Zone Class... Well, now that's changing too. You know, my father always told me, "Keep it simple stupid"... but sometimes I forget (I guess that's the stupid acting up).

I am planning on changing the user classes to "Protected", "Liberated", "Trusted", and "Super" users.

  1. Protected: Firewall allows traffic on 80, 443, and 110. Content filter enabled.

  2. Liberated: Firewall blocks traffic on 25, 10000, and [to be determined]. Content filter disabled.

  3. Trusted: Firewall disabled. Content filter disabled.

  4. Super: Given network priority, pre-empts traffic from other classes. Firewall disabled. Content filter disabled.

This should be more than enough control. Firewall rules can easily be tweaked by adding a nocat.conf to a floppy disk and making it available to the ZoneCD during boot.

NoCat Accounting

The ZoneCD will not have accounting data saved in MySQL. It just doesn't work. I can do that on ZoneWall because /var can be easily mounted to a hard drive partition. I will work on a web service to make Accounting work on the ZoneCD.

Tuesday, June 15, 2004

NoCat::Accounting::XML

I have been struggling to get my DBI accounting patch running on Morphix. No matter what I try, the mysql tables stay read-only... I guess this should have been a no shitter, but I had to try.... Accounting::DBI will be an option. I will give a how_to for setting up and using a USB thumb drive for Accounting in mysql. Sending to File will also be available.

I am developing an Accounting::XML package. This will take all the accounting data and create an XML document, then send it to a web service in a SOAP message or envelope. This will make all your accounting data available from a centralized web server. The listening webservice will run on one of public ip's web servers, but I will write the webservice to be a stand-alone module that I will distribute for those of you that want to hack away at it... It will basically take an XML doc and insert or update a record in mysql.

Sunday, June 13, 2004

Anonymous Access

Anonymous Access has been added to Customize Your Zone in Zone Control. Selecting 'Yes' will add a "Skip" button to your login page. This will allow users to gain Public Class access to your hotspot without registering while still allowing Trusted and Admin Class users to log in for full unrestricted access.

Friday, June 11, 2004

New Releases

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

***ZoneCD***

ZoneCD_0.2-6 is a new release that adds a few new features. It's not a
recommended update. Get it if you want the changes.

CHANGES
+Added ability to assign eth0 a static IP address
+Added sg3-utils package
+Added ability to email boot log after system boots
+Added a melody after system completes boot process
+Combined *no x* and *gui* into one distro. add a comment to init.sh on
the floppy #NOX

Get it:
http://sourceforge.net/project/showfiles.php?group_id=98792&package_id=112284&release_id=245047

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


***ZoneWall***

ZoneWall_0.1-0 is a new release. The ZoneWall is not just a read-only LiveCD
platform. You can save configurations and settings by running a *save-config*
command. You can choose to save-config to floppy, usb, or hard drive. ALSO, you
can edit /etc/fstab to mount /var to a hard drive partition. This will save
all data stored in mysql and changes made to /var/www/ for a local webserver.
Logs will also not disappear on reboot... which is good because the Logmailer
program is not currently working with ZoneWall. You will have a secure login
admin panel to access anything and everything.... including a web interface to
configure NoCat (ports, mode, etc..).

A new forum has been created for ZoneWall questions and support.
http://www.publicip.net/phpBB2/viewforum.php?f=23

Here's the Manual:
http://www.publicip.net/docs/zonewall.html

Get it:

http://sourceforge.net/project/showfiles.php?group_id=98792&package_id=120670&release_id=245057
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thursday, June 10, 2004

ZoneWall_0.1 Alpha Release Approaching...

I think I will have ZoneWall on Sourceforge tomorrow. It will be an Alpha release. I'll try to prepare some docs and I'll also create a forum for all questions regarding setting up and using ZoneWall. Please do not use other forums, it will confuse the confused even more...

The NoCat on the ZoneWall has pogozone's radius patch applied. I am currently just writing to File not DB. I want to keep the Alpha release simple for troubleshooting. I think I will be doing a lot of that... There's gonna be a lot of questions and suggestions about this release. Unfortunately, I will not be available very much next week, during the day, because I will be in .NET training. So those of you that have grown accustomed to my immediate replies will be disappointed by my poor response time. Most of my replies will be early morning or late evening (7pm-9am and 7pm-9pm EDT).

Tuesday, June 08, 2004

ZoneWall

I am making good progress on the next new release called ZoneWall. As mentioned earlier, it will be very different from the current release. I am hoping to get it done and up on Sourceforge later this week. The biggest development issue now will be documentation on how to use and setup the ZoneWall.

The ZoneWall will not just be a read-only LiveCD platform. You will be able to save configurations and settings by running a save-config command. You can choose to save-config to floppy, usb, or hard drive. You will also need to run save-config mkboot to create the boot config file. ALSO, you will be able to edit /etc/fstab to mount /var to a hard drive partition. This will save all data stored in mysql and changes made to /var/www/ for a local webserver. Logs will also not disappear on reboot... which is good because the Logmailer program is not working like it should. You will have a secure login admin panel to access anything and everything.... including a web interface to configure NoCat (ports, mode, etc..). A few other web interfaces would be system stats, Shorewall, Bandwidthd, Webmin (Dansguardian module included)...

I am very excited about this release... hopefully it works as good as it sounds :-)

Wednesday, June 02, 2004

nox and gui -to- ZoneWall and ZoneCD

There are currently two different versions of the same software available. One has a gui and one doesn't, but they both have the same stuff... That's gonna change... a lot!

The gui version will simply be referred to as ZoneCD. It will be based on Debian and have a gui interface. It will provide all the functionality and features as the current release plus any new stuff. Its intended users will be users with little to no linux experience.

The no X version will drastically change. It will be based on RH (for now) and run all kinds of advanced firewall software..... Its intended users are people with some linux experience or a lot of experience. (or want to learn more) Here's the impressive list of new features! The new ZoneWall CD will be based on redWall. An awesome livecd platform that has a shitload of firewall features and saves your changes to Floppy, USB, or HDD. Thank you Marcel for your hard work!!!

Tuesday, June 01, 2004

Client-Server Logic

What goes where? Perl or PHP? Authserver or Gateway? USB, Floppy, or wget?

I have all the todo's lined-up and ready to go but I have got a lot of decisions to make before going much further. Public IP and the ZoneCD are a bit different from your normal Open Source project. Most people in the open source community have some kind of technical background. This project can be used by them, but that is not who the ZoneCD is designed or intended for... The ZoneCD is intended as a quick and simple way to setup a hotspot for a guy that owns a store, or for community centers, whatever... It's for the non-geeks. Most geeks will either install the required software (NoCat, Dansguardian, etc..) on a Linux box, or tweak the ZoneCD to use their Authserver if they like the concept. So I am stuck trying to find a happy medium. For instance, while developers may find some of the things on the ZoneCD to be restrictive, business owners think it's an awesome feature.

Anyway, back to thinking....