PublicIP Wireless WiFi Hotspot Control System - Inesc-ID
PublicIP Wireless WiFi Hotspot Control System Documentation

Documentation By: Gary N. McKinney (gm…)
In Collaboration With: Scott Tully (Wi-Phi)
Reviewed By: Jim Shope (jshope)

Preface:

The world of communications is an ever-changing place. Gone are the days of riding horseback for miles to deliver messages from far-off places. Gone are the days of being a slave to telephone systems that rely on wires for connectivity. Enter the Wireless Age! Today’s communications capabilities far exceed what was envisioned just fifty years ago – phone calls now follow people around instead of people having to stay in one place to receive the calls. Information is now transmitted around the world at light-speed instead of being read about a few days or months later in the newspaper. We have entered the Information and Communications Age!

A new step in the quest for faster and faster access to information, which has caused an explosion of information accessibility, has been the advent of the Internet. You can now view events around the world almost as fast as they happen, access a great amount of information on just about any subject in great detail, and communicate with people on the other side of the world using many forms of information (pictures, graphs, charts, text, and even real-time voice). The Internet, in my opinion, will be looked upon as one of the driving forces behind the true Information Age!

To truly realize the potential of the Internet requires the freedom of mobility, just as the cell-phone has done for telephone communications between people. Mobility allows a person to interact with the environment instead of being strapped to single fixed locations and interacting in just those locations. Cell-phones have empowered people with the ability to move around within their environment – not strapped to a cable to send and receive communications.
The same needs to be done for the Internet, in a way that is simple to use, reliable and easy to maintain at a very inexpensive cost! Enter the Public IP WiFi Wireless Access System!

Gary N. McKinney

Table of Contents

PublicIP System Overview
  What is the PublicIP System?
  Why Use the Public IP System?
  How does it work?
  Suggested Network Configuration
  Complex ZoneCD Implementation
  Control Your Users!
    “Who”
    “What”
    “When”
    “Where”
Zone Control Features
  Creating a Zone Control Master Account
  The Public IP Control Server Login screen
  The Public IP Control Server Login screen (Alternate Access)
  Create Master Account – Step 2
  Create Master Account – Step 3
  Master Account Function Links
Master Wizard Setup
  Get Started Webpage
  Time Zone Web Page
  Open & Close Web Page
  Branding Web Page
  Login & Registration Screen Style Web Page
  Setup Remote Login - Custom Page Source
    Zone Custom Login Page Creation
    User Registration Allowed - Page 1
    User Registration Allowed – Registration Name Validation
    Use Custom Registration Form Page
    User Registration Not Allowed Selection
    Protected Class Settings
  Bandwidth Management Selection Page
    Bandwidth Total Usage Selections
    Classification Bandwidth Thru-put Setup Page
  Anonymous Client Access Configuration Page
  Local Network Access Options Page
Zone Wizard Overview
  Zone Types
    Creating a New Zone
    Zone Creation Complete!
  One of Each Zone Type Created
  Zone Management Display – Main Page
  Zone Control Configuration Display
    Downloadable Reports Generation
  Zone MAC Access Control
  User Management – Manually Adding Users to a Zone
  Editing a Client’s Account in a Zone
  Summary of the Zone Creation and Management
    Zone Creation
    Zone Management
ZoneCD Gateway Server Operation
  NoCat Captive Portal
    Open Mode
    Closed Mode
  DansGuardian Content Filtering
ZoneCD Features
System Requirements
ZoneCD Startup Sequence – Picking Oneself Up By the Shoelaces
  Stage-1 – Initial Startup
  Stage-2 – System Configuration
  Stage-3 – Final Configuration
  Morphix vs. Knoppix
  Morphix System Description
    /base
    /mainmod
    /minimod
    /exec
    /copy
    /deb
  PublicIP Initialization Sequence
ZoneCD Bootup and Configuration – What You See… And What You Do…
  Initial Bootup Splash Screen Display
  Morphix Initial Bootup Information Display
  USB Formatting Utility Input Display
  USB Device Formatting Utility Information Display
  ZoneCD Gateway Server License Acceptance Input Display
  ZoneCD Writable Media Not Found Error Display
  ZoneCD Gateway Welcome & Setup Utility Configuration Input Display
  ZoneCD Gateway Open or Closed Mode Selection Input Screen
  Open Mode Web Content Filtering Selection Input Display
  Open Mode Web Site Home Page Redirect Entry Input Display
  ZoneCD Gateway Display Run Mode Selection Input Display
  ZoneCD eth0 Interface Network Configuration Mode Setup Input Display
  Eth0 Static IP Setting Input Display
  Eth0 Static IP Netmask Setting Input Display
  Eth0 Static IP Gateway Address Setup Input Display
  ZoneCD Static IP Mode Primary DNS Setup Input Display
  ZoneCD Static IP Mode Secondary DNS Setup Input Display
  ZoneCD Zone Control Server Closed Mode Login Username Input Display
  ZoneCD Zone Control Server Closed Mode Login Password Input Display
  ZoneCD Zone Control Server Login Invalid Username/Password Display
  ZoneCD Mode Configuration Finished Display
  ZoneCD Re-Boot Configuration Utility Display
  ZoneCD Re-Boot Geographic Area Selection Display
  ZoneCD Re-Boot Time-Zone Selection Display
  ZoneCD Re-Boot Time-Of-Day Setting Selection Display
  ZoneCD Final Configuration Screen Display
  ZoneCD Gateway Server LessX Display Screen
  ZoneCD Gateway Server GUI Display Screen
  ZoneCD Gateway Server Command Line Display Screen
  ZoneCD Gateway Server Configuration Final Notes
ZoneCD Tips and Tweaks
  Overview
  How to Set up a Custom Open Mode Splash Screen
  How To Set up Secure Shell for Remote Access
  How To Configure Non-Authenticated Access
  How to “Fix” a Dead Cat!
  Tips and Tweaks ZoneCD – Notes and Observations
Appendix A – Custom Login Web Pages
  File name: login.asp
  File name: checklogin.asp
  File name: _dbopen.asp
  File name: _dbclose.asp
Appendix B – Custom Registration Pages
  File name: _dbopen.asp
  File name: _dbclose.asp
  File name: registration.asp
  File name: style.css
  File name: register_submit.asp
  File name: register_result.asp
  File name: db.sql
Appendix C – “How To” Modify the ZoneCD Image
  Hardware and Software Requirements
  Steps Required to Decompress the ZoneCD ISO Image file
  Making Changes To the ZoneCD System
    Creating a ZoneCD Gateway Server Bootable CD-Rom ISO File
Appendix D – Useful Linux Commands and Command Strings
Appendix E – How To Access Wireless Devices using SNMP
Appendix F – Online Resources

PublicIP System Overview

What is the PublicIP System?

That is a very good question!
The PublicIP System is a collection of computer applications (programs) that work together to allow the implementation of what is referred to as “WiFi” Hotspots or Wireless Access Points. The system lets you control several aspects of how a user connects to the WiFi Hotspot and what resources they are allowed to use. Some people will say, “There should be no limits imposed.” True – in a perfect world everyone would “share” the resources and the costs, but it is not a perfect world. You still need to “control” how network resources are utilized by people in order to implement flexible usage scenarios and, perhaps more importantly, to protect your own network in the process!

Part of the system, the ZoneCD PublicIP system, is based on the Morphix LiveCD software (a derivative of Debian Linux). This first half of the system, running the Morphix LiveCD system, runs from a CD-ROM and does not require a Hard Drive. The whole Linux operating system “lives” on the CD (hence the name LiveCD) and loads applications into the computer’s RAM for execution. All log files are saved in the computer’s RAM as well (and so do not survive a reboot). This “Gateway” server resides physically at the hotspot or “Zone” location and controls who can access the system and what access they are allowed. This computer does not require a great deal of computing power: a 200-MHz Intel based computer with 128-Megs of memory, a CD-ROM, a 3.5 inch floppy drive (or USB drive), and two Ethernet cards are all that is required to construct a Zone Gateway server. Of course you will need at least one wireless Access Point (sometimes called an “AP” for short) or Wireless AP/Router to complete the hotspot!

The LiveCD portion is released under the GNU license, and as such all the source code is on the LiveCD for examination and modification.
There is even a facility built into the Public IP system that allows you to create and execute your own configuration scripts from the floppy drive/USB drive. This ability lets you “customize” the ZoneCD Gateway Server for such things as SSH access, firewall rules customization, automatic script execution based on time of day (cron) and other highly useful features that are covered later in this documentation.

The ISO image of the CD (the file ends with .iso) is freely available from the PublicIP website (http://www.publicip.net). All you have to do is download the ISO image file and burn the image onto a CD-R disk. If you do not have the resources to produce the CD or don’t have a fast Internet connection with which to download the CD ISO (*.iso) image file, you can order one from the same website for a very reasonable price! Basically you get it for the cost to burn the CD, the price of the CD-R disk itself, packaging and postage.

The second half of the system, the Zone Control Server, is based on Fedora Linux running several applications (MySQL database, Java, Apache with Mod-SSL, PHP, Tomcat, Axis and some Perl thrown in for good measure). The Zone Control Server handles all the configuration details for each “Zone” you have defined when you are running the ZoneCD Gateway Server in “closed” mode. The Zone Control Server is currently located off-site in a data-center in Virginia. If you are curious about the hosting you can check out the vendor’s website: http://www.eapps.com/.

The Zone Control Server is NOT based on a GNU license and as such is NOT freely available. There is ongoing work to produce a Zone Control Server Lite version, which will have a nominal charge for obtaining it and is meant to provide complete flexibility in running your own system. The details have not been worked out as of the date of this document, but you can find more details as they become available on the PublicIP website and forums.
As of the writing of this documentation there is no charge for using the current Zone Control Server to set up and control your Zones. You can create Master Accounts on the server to control multiple Zones, generate usage reports, download Excel™ (*.xls) or Word™ (*.doc) formatted files containing the system usage data, set up the PublicIP ZoneCD Gateway Server configurations, set up the users’ bandwidth limitations and a great deal more.

Why Use the Public IP System?

Granted, you could take a Wireless Access Point or Wireless Router, connect it directly to an Internet connection source and create a Wireless Hotspot – but you would be exposing your local network to possible compromise by unauthorized individuals and allowing full access to your Internet connection to anyone with a wireless card. Here is a list of reasons you would not want to connect a wireless router or access point directly to your local network:

1. Most inexpensive wireless routers do not block access to the WAN side (your local network side) of their interface. If you connect one in this manner to your local network, someone on the wireless side can “see” and communicate with your internal local network – Not a Good Thing™.
2. Most inexpensive wireless access points are nothing more than network “bridges” and do not have any method to “block” unauthorized access to your internal local network!
3. Most inexpensive wireless access points and routers do not have any form of bandwidth limiting per user or class. Some of them do have a form of bandwidth limiting, but it is limited to the total bandwidth used by all users, not individual classes of users. You want to make sure you save some bandwidth for yourself and other privileged users!
4. None of the inexpensive (and even most expensive) wireless routers have any form of web content filtering built in.
5. Almost no Wireless Routers or Access Points have any form of accounting which keeps track of who uses the system and provides data that breaks down how the network resources are being used.
6. Most of the inexpensive wireless routers and access points can “control” access by allowing only wireless clients with valid MAC addresses to connect to the wireless network. Usually this is limited to around 50 or fewer total clients and, even worse, the addresses have to be entered manually into each wireless router or access point to enable the client to connect.
7. None of the wireless routers or access points have the capability to share client information, which would allow clients to connect at different physical locations containing PublicIP hotspots while still using the same login ID.

Enter the PublicIP System! Yes – there are other systems out there that can do some of the things the PublicIP system can do, and maybe even a few other things besides, but none of them can beat both the PublicIP PRICE and FUNCTIONALITY!!! (PublicIP is free to download and use.) There are all sorts of “wireless control” systems out there that claim they are the solution to any and every possible WiFi configuration – talk about marketing hype! As you read through this document you will see how easy it really is to use the PublicIP System. There is nothing magical about the system, and it most likely will do everything you need and probably more than you had even thought of!

How does it work?

Pretty darn well! The part of the PublicIP system that runs on your local PC works by adding a piece of hardware between your AP (wireless access point or wireless router) and your network or Internet connection. The piece of hardware used for the ZoneCD can be any PC with a minimum of 128MB RAM, two Ethernet cards, a floppy/USB drive, and a CD-ROM (see System Requirements).
NOTE: There is a version that will work from a Compact Flash card and EIDE adaptor, but it is “sensitive” to the BIOS used in the computer you select. This version is still in Beta testing as of the writing of this document.

During the initial setup you select whether you want to run the Zone in Open or Closed mode.

If you choose to run the Zone in Open mode, anyone using the PublicIP wireless hotspot is shown a “splash page” that you select (either the default page or one you create with any web page editing software) and is then allowed access to the Internet. This is a good method to use if you are not concerned about keeping track of the number of users per day or requiring the user to log in to use the hotspot. In Open mode the remotely located Zone Control Server is not used.

If you choose to run the Zone in Closed mode you bring the full power of the Zone Control Server into play. In a simple procedure, you are asked for the Zone login name and password from your PublicIP registration setup. The ZoneCD Gateway Server (Local) queries the Zone Control Server (Remote) for the configuration information you previously set up on the Zone Control Server, applies any locally stored customizations, and then begins operation. Once the ZoneCD Gateway Server (Local) has booted and completed this process, users may log in to use the resources you have allocated (bandwidth, allowed IP ports and so on). The Zone Control Server (Remote) keeps track of the time each user is on the system, the total uplink and downlink bandwidth used, and the MAC address of the device the user used to connect to the wireless hotspot.

The above description is very brief but gives you a basic understanding of the method of operation of the PublicIP System. We will cover the operation of the PublicIP System in much greater detail in the following sections of this documentation.
That overview helps in understanding the PublicIP System as a whole as we cover its different parts in greater detail later on.

Once the initial setup and configuration is complete for the ZoneCD Gateway computer, the system can be run headless. Headless means there is no need to keep a keyboard, mouse, or monitor hooked up, as long as the BIOS of the computer you are using can be set to ignore missing-mouse and missing-keyboard errors. If your computer has no way to ignore a “no keyboard” error, you will at least need to use either a keyboard or a keyboard emulator device that simulates an attached keyboard (such as a KVM switch). You really don’t want the system to reboot after a power outage and have the computer “hang” at the infamous “No Keyboard Detected – Press F1 to continue” error message! You will still need a video card in the computer, as almost all PC BIOSes in use today still look for the video adaptor. The CD will boot completely unattended after the initial setup is complete.

NOTE: It’s not a bad idea to “simulate” a power failure and see what happens when the power is “restored”. In other words, unplug your ZoneCD Gateway machine while it’s running and then plug it back in a few seconds later. Does the system come back up the way you want it to? How does it act when the keyboard and mouse aren’t attached?

Suggested Network Configuration

It’s not enough to just build the ZoneCD Gateway server, load the CD-ROM and then think you are done with the learning process – you need to understand “how” to use the system and how to configure the hardware so the system performs the way you intended. The following diagram shows one method of installing a wireless hotspot into an existing network. Study the configuration and note the different network segments in use – notice how the local network (the 192.168.x.x network) is “isolated” from the 10.10.10.x network used by the wireless clients.
The above suggested network configuration shows the ZoneCD Gateway Server connected to your local area network or “LAN” (the router at the top of the picture on the 192.168.x.x network). This example configuration is for a setup where a network already exists and you want to add a ZoneCD Gateway Server to allow wireless access to the Internet (or you could even allow access to your local network if that is your objective). The firewall shown between the ZoneCD Gateway Server and the local router is really part of the ZoneCD Gateway Server, so you do not need an extra firewall between them. This suggested network configuration is one method you can use; as long as the ZoneCD Gateway Server is located between your Internet access and the wireless Access Points (AP) or wireless router, you are good to go!

If you do not have or need a local internal network (the 192.168.x.x in the example above) you can connect the ZoneCD Gateway computer directly to your Internet Cable or DSL router and have the ZoneCD talk directly to the Internet. Given the low cost and extended functionality of Cable or DSL modem/routers available today, it can be more cost/resource effective to put such a device between the Cable or DSL modem and the ZoneCD computer instead of loading down the ZoneCD computer, especially if you are using older hardware to implement the Gateway. Using a dedicated Cable/DSL enabled router also gives you more flexibility if you decide later to set up a local network or provide other network resources.
NOTE: There have been some reported “issues” in connecting the ZoneCD Gateway computer directly to a DSL modem interface, so if you are having trouble it is highly recommended that a router of some sort sit between the ZoneCD Gateway computer and the DSL modem interface.

Complex ZoneCD Implementation

[Diagram: Complex Configuration – Internal LAN Area (DSL/Cable Modem, WAD-1, workstations, PDA and client devices) and Public Access Area (ZoneCD Gateway Server, Switch or Hub, WAD-2, WAD-3, WAD-4 with a WDS link, PDA and client devices)]

The above configuration shows what can be done with a little effort and forethought!

WAD-1 is a wireless router that has a WAN Ethernet port connected to the DSL/Cable modem. You could use a wireless router that has the capability to connect directly to a DSL or Cable connection, but you may find it is less expensive to have your ISP provide the DSL or Cable modem. WAD-1 should have a firewall built in. WAD-1 is configured to run WPA access using MAC address filtering to allow ONLY the local trusted computers to connect to it wirelessly. This method allows wireless connections to be used in a business environment without too much possible exposure to compromise and allows flexible placement of computer hardware within a business setting. The LAN side of WAD-1 is used for the connection to the “wired” side (eth0) of the ZoneCD Gateway Server. You could also add more wired local workstations on the LAN side of WAD-1, either by direct connection or using an Ethernet switch or hub.

WAD-2 LAN side is set up to use IP 10.10.10.2, Netmask 255.255.255.0, gateway IP 10.10.10.1 and DNS IP 10.10.10.1. It connects to the ZoneCD Gateway Server through a switch or hub on the LAN Ethernet side. DHCP is disabled!

WAD-3 LAN side is set up to use IP 10.10.10.2, Netmask 255.255.255.0, gateway IP 10.10.10.1 and DNS IP 10.10.10.1. It also connects to the ZoneCD Gateway Server through the same switch or hub on the LAN Ethernet side.
DHCP is disabled!

WAD-4 is set up a little differently from WAD-2 and WAD-3 to allow WDS link operation. This configuration comes in handy when you have to place a wireless access point or router in a location where it is difficult or impossible to run an Ethernet cable. WAD-4 is set up to use IP 10.10.10.4, Netmask 255.255.255.0, gateway IP 10.10.10.1 and DNS IP 10.10.10.1. What makes this configuration different is that you set up WAD-3 and WAD-4 to perform WDS (Wireless Distribution System) links between the two wireless devices. DHCP is disabled!

Control Your Users!

This is the reason you’re here, right? If you didn't want control, you could just set up a Wireless Access Point (WAP or AP) and be done with it. But if it’s control you want, it’s control the PublicIP system will give you. Zone Control enables you to have complete control over the "who", the "what", and the "when" (the "where" is up to you).

“Who”

You have total visibility and control over who is using your hotspot at all times. The PublicIP system provides an online, web-based “Zone Control” system that allows you to manage your Zone(s) from any standards-compliant web browser that has access to the Internet. You can choose from two basic types of registration: web-based or not web-based.

Web-based registration can be fast, easy and automatic. An end user who has associated with your system’s wireless AP(s) is automatically presented with a Login/Register page whenever they open a web browser. The user clicks a registration link on the login page presented, registers with your Zone, and gets instant access. This is the standard method provided by the PublicIP system for web-based access. The web-based registration system can also be configured to send an email to the user to validate that they did indeed register to use the zone. This method requires the user to use an actual email address, or the user’s account will go inactive after 24 hours and they will not have access to the zone.
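The point of the WAD-2/3/4 settings above is that every public-side access point is a dumb bridge on the 10.10.10.x segment: static address, gateway and DNS at the ZoneCD server, DHCP off, and nothing on the internal 192.168.x.x range. The following check is an added example, not ZoneCD code; it encodes those rules so a misconfigured AP is caught before it goes live. The sample addresses are constructed following the document's scheme, with each AP given its own address so the duplicate-address check has something to compare, and the 192.168.0.0/16 internal range is an assumption.

```python
"""Added example (not ZoneCD code): check the static settings of the public-side
access points WAD-2/3/4 against the two-segment layout described above.
Sample values are constructed to follow the document's 10.10.10.x scheme."""
import ipaddress

WIRELESS_NET = ipaddress.ip_network("10.10.10.0/24")   # segment served by the ZoneCD gateway
GATEWAY = ipaddress.ip_address("10.10.10.1")            # ZoneCD gateway, also the DNS the APs use
INTERNAL_NET = ipaddress.ip_network("192.168.0.0/16")   # trusted LAN behind WAD-1 (assumed range)


def check_access_points(aps):
    """Return a list of findings; an empty list means the APs match the layout."""
    findings = []
    seen = {}
    for ap in aps:
        name = ap["name"]
        addr = ipaddress.ip_address(ap["ip"])
        net = ipaddress.ip_network(f"{ap['ip']}/{ap['netmask']}", strict=False)
        if net != WIRELESS_NET:
            findings.append(f"{name}: {addr}/{ap['netmask']} is not on {WIRELESS_NET}")
        if ipaddress.ip_address(ap["gateway"]) != GATEWAY:
            findings.append(f"{name}: gateway must be the ZoneCD address {GATEWAY}")
        if ipaddress.ip_address(ap["dns"]) != GATEWAY:
            findings.append(f"{name}: DNS must be the ZoneCD address {GATEWAY}")
        if ap["dhcp"]:
            findings.append(f"{name}: DHCP must be disabled; the ZoneCD gateway hands out leases")
        if addr in seen:
            findings.append(f"{name}: address {addr} is already used by {seen[addr]}")
        seen[addr] = name
        if addr in INTERNAL_NET:
            findings.append(f"{name}: a public AP must not sit on the internal LAN range")
    if WIRELESS_NET.overlaps(INTERNAL_NET):
        findings.append("wireless and internal ranges overlap; the isolation is lost")
    return findings


def ap(name, ip, gateway="10.10.10.1", dns="10.10.10.1", netmask="255.255.255.0", dhcp=False):
    """Build one access-point record with the document's defaults."""
    return {"name": name, "ip": ip, "netmask": netmask, "gateway": gateway, "dns": dns, "dhcp": dhcp}


# Constructed sample following the document's scheme, each AP on its own address
GOOD_APS = [ap("WAD-2", "10.10.10.2"), ap("WAD-3", "10.10.10.3"), ap("WAD-4", "10.10.10.4")]

# Constructed misconfiguration: an AP still handing out DHCP, and one plugged into the LAN range
BAD_APS = [ap("WAD-2", "10.10.10.2", dhcp=True),
           ap("WAD-3", "192.168.1.50", gateway="192.168.1.1")]

if __name__ == "__main__":
    for label, aps in (("good", GOOD_APS), ("bad", BAD_APS)):
        print(label, check_access_points(aps) or "no findings")
```

The DHCP check matters most: a second DHCP server on the wireless segment would hand clients a gateway other than the ZoneCD server, and those clients would bypass the captive portal and the class firewall entirely.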
If you don't want to use the instant-access default web pages, or need to gather additional information about the user, you can use your own custom registration form hosted on your web server to register and approve users before they are entered into the system and allowed access to your zone.

You can also choose not to allow web registration. Instead of a registration form the user will be presented with a custom message that you have set up instructing the visitor how to get access to your zone (e.g. “See the front desk for a login"). There is a separate registration form in the online Zone Control Server that you will use to register users for access to the Zone.

Zone Control will also display all user activity. You can use the active session page to view all the users that are currently using your zone, or you can run reports and even download them as Excel™ (*.xls) or Word™ (*.doc) files. Active sessions and reports display the MAC address, username, IP address assigned, session start time, session length, and kilobytes up/down.

“What”

You control what network resources your users have access to while using your Zone. By taking advantage of the user class system, you can define how groups of users can access the Internet, and what they can access. Firewall rules and content filtering play a major role in protecting your network and users. Classes are a concept that NoCat developed in their system to provide higher levels of access for trusted users. Public IP has taken the class concept to another level by adding the ability to funnel the classes through a content filter based on the excellent open-source DansGuardian software. The content filter can be applied to the Protected and/or Liberated Class, or disabled completely. Firewall rules are also completely customizable for the Protected and Liberated Classes. Trusted and Super users have very little that needs configuring since they have open access to the network.
***These classes should be used with caution***.

NOTE: The Trusted and Super classes should be used with caution and understanding. Content filtering is NOT available for either of these classes and ALL network ports are open. One difference between the Trusted Class and the Super Class is that the firewall rule that can be enabled in Zone Control for protecting your Local Area Network DOES apply to Trusted users and DOES NOT apply to Super users.

When a new user registers at your Zone, the default action is to add the new user to the Protected Class, but this can also be modified in Zone Control to be either the Liberated or Trusted Class.

Default settings for the different user Classes are:
• Protected: ALLOWS traffic on network ports 80, 443, and 110. Content filter is enabled.
• Liberated: BLOCKS traffic on ports 21, 25, 445, 1214, 3689, 6667 and 6699. Allows traffic on all other ports. Content filter is disabled.
• Trusted: Firewall disabled. Content filter disabled.
• Super: Given network priority, pre-empts traffic from other classes. Firewall disabled. Content filter disabled.

“When”

Zone Control allows you to enforce limits on when users are able to access your zone. You can set your zone's "Open" and "Closed" times to only allow access between certain hours. The open and closed time periods are based on your local time zone. When a user attempts to make a wireless connection to your network during “Closed” hours they will be redirected to a page that displays your logo and says "Sorry we're closed".

At the time of this document’s writing the Zone Control system only allows setting the open and closed time for a zone based on the “Time of Day” concept. Work is currently being done to add more granularity to allow configuration on a “Time of Day - Day of Week” basis and possibly multiple open/closed time slots per day.

You can also define when the user can access your zone by setting “time limits” for user classes. A user's time limit can also be adjusted individually.
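To see how the class table above plays out for a single connection, here is an added example (not ZoneCD or NoCat code) that turns the default settings into a decision function. The function name, the decision order, and the assumption that the wired-LAN protection rule applies to every class except Super are constructed for illustration; the port lists are the document's defaults.

```python
"""Added example (not ZoneCD code): a decision function for the default user-class
table above, so you can see how class, port and the wired-LAN rule combine.
Function names and the decision order are assumptions for illustration."""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ClassPolicy:
    allow_ports: Optional[FrozenSet[int]]  # None means the firewall is disabled (all ports open)
    block_ports: FrozenSet[int]            # explicit denies on top of an open firewall
    content_filter: bool                   # DansGuardian filtering applied to web traffic
    lan_protect: bool                      # the "protect your LAN" rule applies to this class
    priority: bool                         # traffic pre-empts other classes


# Defaults as listed in the document. Assumption: the LAN protection rule applies to every
# class except Super, which the document exempts explicitly.
POLICIES = {
    "Protected": ClassPolicy(frozenset({80, 443, 110}), frozenset(), True, True, False),
    "Liberated": ClassPolicy(None, frozenset({21, 25, 445, 1214, 3689, 6667, 6699}), False, True, False),
    "Trusted":   ClassPolicy(None, frozenset(), False, True, False),
    "Super":     ClassPolicy(None, frozenset(), False, False, True),
}


def decide(user_class, dst_port, dst_is_lan=False, lan_rule_enabled=True):
    """Return (allowed, reason) for one outbound TCP connection from a user of user_class."""
    p = POLICIES[user_class]
    if dst_is_lan and lan_rule_enabled and p.lan_protect:
        return False, "blocked by the wired-LAN protection rule"
    if p.allow_ports is not None and dst_port not in p.allow_ports:
        return False, f"port {dst_port} is not in the {user_class} allow list"
    if dst_port in p.block_ports:
        return False, f"port {dst_port} is explicitly blocked for {user_class}"
    return True, "content filter on" if p.content_filter else "no content filter"


if __name__ == "__main__":
    for cls, port, lan in (("Protected", 443, False), ("Protected", 22, False),
                           ("Liberated", 25, False), ("Trusted", 22, True), ("Super", 22, True)):
        print(cls, port, "LAN" if lan else "Internet", decide(cls, port, dst_is_lan=lan))
```

The contrast the NOTE draws is visible in the last two lines of the sample run: a Trusted user is stopped at the LAN boundary by the protection rule, a Super user is not, and neither passes through the content filter.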
Zone Control allows you to limit a user’s total usage during a 24-hour period in hourly increments from 1 hour up to unlimited access (24 hours per day). The Open/Closed Zone Time Settings take precedence over the user’s time limits, so even if a user has unlimited access based on time they still would not have access if the zone was “Closed”.

“Where”

Where is a decision that is up to you. The ZoneCD Gateway Server is located at the site where you are setting up a Zone. Of course you will need access to the Internet at the location where you set up the ZoneCD Gateway Server if you are providing Internet access for the zone.

Zone Control Features

Public IP's Zone Control provides an easy way to configure and manage your hotspots, or "Zones" as they are referred to here. Most of the configuration is done using two wizards developed to ease the setup procedure. Once you have set up a Zone Master Account (discussed below), you will have access to a Master Wizard configuration tool. This is a concept that was developed to aid in the implementation of multiple Zones. Running the Master Wizard creates a master "blueprint" (master template) from which you build your new Zones. Running the Zone Wizard creates an instance of a Zone outlined in your master template. Everything that is set in the master template by the Master Wizard can be changed for each Zone instance that you create. Again, for clarity’s sake: once you have a Zone you can modify the settings and configuration for that Zone separately from the settings created for the default master template. This allows you to have exact customizations for each Zone.

Here is a list of items you can control for each Zone:
• Customize your ZoneCD Gateway Server login pages
• Choose to use a branded template
• Create multiple zones from the same login
• Zones can be Public, Shared or Private
• Separate permissions for your Zone logins
• Configure web registration
• User authentication and management
• Homepage redirection
• Daily time limits per user
• Daily download limits
• Zone open and close times
• Block by MAC address
• Configure user permissions (Classes)
• Customize firewall rules for each Class
• Content Filtering (block pornography, downloads, etc.)
• Daily Log Mailer program to receive reports on your Zone’s activities
• Block traffic to your *wired* network (LAN)
• Branded "Terms of Use" template, or you can use your own
• Detailed Zone usage statistics
• Multilingual login pages
• End-User reporting

Public IP has a professional splash page template that can be branded with your logo. The splash pages are currently available in Dutch, French, German, Spanish, and of course English. The above screen is the default login page the user will see when they connect to your zone and open a browser to surf the web.

Zone Master Account

In order to use the web-based Zone Control to configure the ZoneCD Gateway Server, you must register with Public IP to create a Master login on the Zone Control Server. From within your Master login you will set up your Zones, each with a separate Zone login. The Zone login you create will be used during the boot of the ZoneCD Gateway Server to authenticate your Zone to the Zone Control Server and identify the particular configuration used by the Zone. The “Zone Login” is different from the “Master Account Login” even though you use them in the same place when logging into the Zone Control Server. The “Zone Login” is used to log directly into the Zone Control Server for that specific Zone. When used to log in to the Zone Control Server, the “Zone Login” will not allow the Zone Operator to change the configuration of the Zone. Zone logins only have access to user permissions, registration, and reporting. Only Master Account Logins are able to alter the characteristics of the Zone. This is done to allow zone operators to give the location staff limited access to Zone Control.
NOTE: A common mistake by new users is to confuse the “Zone Login” id with the “Master Account Login” id. Your “Master Account Login” id uses the email address that you used when you registered your Zone Master Account. A “Zone Login” does not have an email address as the username.

When you log in to your Master account you will complete a wizard that helps you configure and customize your zone. This wizard, the “Master Wizard”, creates a template or "blueprint" for you to use when creating zones. The use of a Master template saves you the trouble of recreating all of the configuration options each time you add a new Zone (if you only have one Zone to set up, this will not increase the time it takes to get set up). The wizard saves your answers and configurations in the remotely located “PublicIP Control Server” database so the Zone Wizard will have these values when generating a new zone for you.

The “Master Account” login is the heart of the system and is where the zone information resides for each zone you set up. The overall concept is as follows:
• The Master Account contains the information for each of your Zones, which can be unique for each Zone, and each of the Zones controls what an end user can do when they log into the Zone location (or hotspot, if you prefer).
• The ZoneCD Gateway Server downloads the unique configuration for its Zone from the remotely located PublicIP Control Server, which is based on the information for the zone as it is defined in the Zone Master Account.
• To preclude someone attempting to “mimic” a ZoneCD Gateway Server for nefarious reasons, all of the communications between the ZoneCD Gateway Server and the PublicIP Control Server are encrypted using 128-bit SSL encryption.

The overall concept of Master Account login types and Zone Account login types will become more apparent as you go through this document.
It is a very good concept but does take a little reading and thinking to get the maximum benefit from the system!

Creating a Zone Control Master Account

The Public IP Control Server Login screen:

The above screen is displayed when you access the Zone Control Server by using the link on the PublicIP website. If you access the Zone Control Server directly the screen is different but performs exactly the same functions. There are three functions served by this innocent-looking login screen.

1. Creation of a new Master Account
Creation of the Master Account is the first step you need to perform to use the Zone Control Server.

2. Login to an existing Master Account
Access to the Zone Control Server for your zones is performed by using the email address you specified when you created the Master Account on the Zone Control Server.

3. Login to an existing Zone Account
Logging into a zone within your Master Account is performed by using the username and password you specified for the ZoneCD Gateway Server to use to log into the Zone Control Server.

When you have completed reading this document you will know how to perform all three types of logins listed above. Don’t be intimidated by this system – it really is very simple once you have understood the underlying concepts this system is based on. You will find it to be very flexible, and as the old saying goes, “With Flexibility Comes Perceived Complexity” or “Any Technology Sufficiently Advanced Enough Will Always Appear to be *Magic*”…

The Public IP Control Server Login screen (Alternate Access):

The above screen is the screen you see when you access the PublicIP Zone Control Server directly by its URL, http://ssl.publicip.net, or if you open the web browser on the ZoneCD Gateway Server in GUI mode. The web browser in the ZoneCD Gateway Server has the Zone Control Server URL set up as the default web site to access. The functionality is exactly the same as with the Zone Control Server access method from the PublicIP website.
Creating a New Master Login Account:

To create a new Master Login Account click on “New Master Account” under the login button. You will be presented with a web page that looks like the following. Enter the information on the form presented:
• Email: The email address you are using for this Master Login Account.
• Pass: The password for access to this Master Account.
• Pass Again: Enter the password again for verification.

The reason you use an email address for the Master Account login is that the Zone Control system differentiates between a Master Account login and a Zone Account login by the fact that the Master Account logs in with an email address and the Zone Account logs in with just a login name (one that is not an email address). This will become clear later in the document. The email address is also used for validation of the Master Account, by way of an email containing a link back to the Zone Control Server that verifies the Master Account is really being created by you. Once you have all the information filled in, press the “Create Master Login” button.

Create Master Account – Step 2

Once you have completed the “Create Your Login:” form and clicked the “Create Master Login” button you are presented with an information screen.
The information tells you to follow the instructions contained in an email that will be sent to the email address you specified as the Master Account username. The next thing you need to do is follow the instructions supplied in that email! The information supplied in the email will look something like this:

“Click the link, then login to activate your Zone Control *Master* account. https://ssl.publicip.net/manage/?action=validate&hash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx”

Click on the link supplied in the email or, if your email client does not support this, copy and paste the URL into a web browser (you need the WHOLE URL, including the “validate&hash=” values; the hash value contains information about your Master Account, so you want to make sure you get ALL of the hash value!).

Create Master Account – Step 3

Once you click on the email activation link or cut and paste the activation link into a browser you will be presented with the web page shown here. Note the “Login with your registered email and password to complete the activation” message on the page. This message does not appear anywhere else and is only displayed during the initial Master Account activation. Enter the email address you used when you created the Master Account on the Zone Control Server in the Username space on the form. Enter the password you specified when you created the Master Account on the Zone Control Server in the Password space on the form. Click the Login button to log into the Master Account you created on the Zone Control Server.

Zone Control Master Account Main Web Page:

Once you have created a Zone Control Master Login Account and logged into the Master Account, you will be presented with the Master Control main web page.
This page is where you:
• Create new Zones
• Check to see all of the current active user sessions in all of your Zones contained in the Master Account
• Change the password to access the Master Account
• Log out from the Master Account

The web page displayed below is a Master Account page that has no Zones currently defined. This is the page you will see after a new Master Account has been created when you log into your Master Account. There is a great deal of information presented on this page and it is a very good idea to take a moment and read the information carefully.

Master Control webpage:

From this page you create your Master Zone Template and your individual Zones. The Zones you create are loaded with the default settings you establish when you create the Master Zone Template. The use of a “template” for a Zone’s initial configuration keeps you from having to enter the same settings over and over again each time you configure a new Zone in the Master Account. After two or three zones you will appreciate this feature!

Master Account Function Links

Notice across the top of the web page display that there are several links to the different functions available from the Master Account main page. Most of the functions are not active until after you have created at least one Zone for the Master Account to control and track usage of. The functions and descriptions are:
• Master Control – Brings you to the Master Control main page (this one)
• All Sessions – Shows all active sessions on all zones controlled by this Master Account
• Change Password – Allows you to change the Master Account password
• Logout – Logs you out of the Master Account

In the body of the Master Account main page you will notice on the left-hand side there is a Master Wizard section and a Zone Wizard section. The Master Wizard section walks you through a series of web pages to set up the default Zone settings template used when you create a new Zone.
The Zone Wizard section walks you through the actual process of setting up a new Zone in the Master Account. The initial values loaded into the Zone are obtained from the default settings Zone template you set up using the Master Wizard. Both of these Wizards were designed to take a great deal of “guess work” out of setting up the Master Account. The use of the Master Wizard makes life much easier, as you can define the default settings used for Zones when they are created – this saves a good deal of time when you create a new Zone, as you will find that most of the time many of the zone settings remain the same (such as time zone, open & closed time of day, Terms of Use Policy and so on).

The following section will walk you through the Master Wizard web pages and the selections that are available on each page. Some of the selections that are available on a page will affect which subsequent pages are presented to you. There are different configurations available based on the selections made as you walk through the wizard’s pages. In this document we attempt to cover all of the different combinations that you may be presented with and try to explain what each selection does and the effects it may have on the zone or zones you configure.

Note: ALL of the default settings you select in the Master Wizard can be altered on a per-Zone basis. None of the settings are “cast in concrete” and you can change the settings in each Zone to suit the Zone’s usage. You can also walk through the Master Wizard at any time and change the default settings that will be used to create new Zones. Changes made in the Master Wizard will not change already existing Zones – you will have to make those changes on a per-zone basis (how to perform this will be explained in the Zone Management section of this documentation).

Master Wizard Setup

Get Started Webpage

The Get Started web page is displayed when you select the Master Wizard button on the Master Account web page.
The box on the left-hand side of the web page displays the headings of the different feature setup pages for the default template. These settings comprise the “Master Template” that is used as the default settings for the different zones you will configure later. The first thing that needs to be set up is the ZoneCD version you will be using for your ZoneCD Gateway Servers. This setting can be changed for each Zone if need be at any time. It is highly recommended you stay up to date with the current version of the ZoneCD software! The system is constantly being improved and keeping abreast of updates will give you the most features and best system stability!

Time Zone Web Page

The Time Zone web page is the next web page displayed once you have clicked on the “Get Started ->” button on the previous web page. Notice how you are just stepping down through the menu on the left as you finish configuring each section. This web page is used to configure the Master Account template to reflect the time zone where the ZoneCD Gateway Server is located. This is required to make sure the accounting reports show accurate “local” time for the ZoneCD Gateway Server user activity reports. It is also used to calculate the difference from GMT (UTC) time for the Open & Close times for the Zone when it is set up as other than a 24-hour operation. Select the time zone where the ZoneCD Gateway Server(s) are located, then click the “Continue >” button to save the time zone information and continue on to the Open & Close section.

Open & Close Web Page

The Open & Close web page is where you set the default time of day the Zone location is either Open or Closed. The default value is never closed (open 24 hours). If you want to set the time of day that the zone is Open, select the time of day in the “Open” dropdown. You can set the time of day that the Zone is Closed in the “Closed” dropdown.
If you don’t want to make any changes to what is displayed, click the “Skip ->” button; otherwise click the “Continue ->” button to save the Open and Closed values displayed.

NOTES: If you do select a value for the Open time of day, make sure to select a Closed time of day (not the “Never” selection). If you do select “24 Hours” for the Open time of day make sure to select the “Never” selection for the Closed time of day.

NOTE: The above is the case at the time this document was created – there are plans to allow individual time of day operation to be defined for each day of the week.

Branding Web Page

The Branding web page is where you can “customize” the look of your Zone’s login page. The types of branding you can perform are:
• “Network Name” – A name that is displayed on the login page a client views.
• “Homepage URL” – The web page where the client’s browser is directed upon a successful login to the zone.
• “Language” – The login page language displayed to the client.
• “Admin Email” – The email address that is shown to clients during certain network events that may occur, such as “expired time” on the Zone, exceeding the allowed bandwidth, or the requested web site being blocked by the DansGuardian site filter. It is also the contact email address on the login page.

Login & Registration Screen Style Web Page

The Screen Style web page contains selections for using either the default “PublicIP templates” style for the login page (shown previously) or a “Customize screens” selection. The default PublicIP login screen presented to the client is just that – there is little branding performed on the default screen, and the color scheme and layout of the screen are fixed. The “Customize screens” selection offers you the ability to create your own custom login screen for presentation to the user. While it is more difficult to set up than just using the default PublicIP login screen, you have total control over the “look and feel” of the login screen presented to the user.
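The Time Zone and Open & Close pages above, together with the rule in the “When” section that a Closed zone overrides even an unlimited user time limit, fit together in a small model. The following is an added example, not Zone Control code: it validates the two NOTES about the Open/Closed dropdown combinations, converts the gateway's UTC clock to the zone's local time as the Time Zone page requires, and applies the precedence rule. The fixed UTC-5 offset, the 0-23 hour encoding and the sample times are constructed assumptions.

```python
"""Added example (not Zone Control code): models the Open & Close settings, the
time-zone conversion the Time Zone page exists for, and the rule from the "When"
section that a Closed zone overrides a user's daily time limit. The fixed UTC-5
offset and the hour values are constructed sample data."""
from datetime import datetime, timedelta, timezone

# Wizard labels as they appear in the document
ALL_DAY = "24 Hours"   # Open dropdown value for a zone that never closes
NEVER = "Never"        # Closed dropdown value that must accompany it


def validate_hours(open_hour, close_hour):
    """The two NOTES above: '24 Hours' needs Closed='Never'; a real Open hour needs a
    real Closed hour. Hours are ints 0-23 (assumed dropdown encoding)."""
    if open_hour == ALL_DAY:
        return close_hour == NEVER
    return (isinstance(open_hour, int) and isinstance(close_hour, int)
            and open_hour != close_hour)


def zone_is_open(now_utc, zone_tz, open_hour, close_hour):
    """Convert the gateway's UTC clock to the zone's local time, then test the window.
    A window that wraps midnight (open 18, closed 2) is handled."""
    if open_hour == ALL_DAY:
        return True
    local_hour = now_utc.astimezone(zone_tz).hour
    if open_hour < close_hour:
        return open_hour <= local_hour < close_hour
    return local_hour >= open_hour or local_hour < close_hour


def session_allowed(now_utc, zone_tz, open_hour, close_hour, used_today, limit_hours):
    """limit_hours is 1..24 with 24 meaning unlimited; Closed takes precedence."""
    if not zone_is_open(now_utc, zone_tz, open_hour, close_hour):
        return False, "zone is closed"
    if limit_hours < 24 and used_today >= timedelta(hours=limit_hours):
        return False, "daily time limit reached"
    return True, "ok"


def at_utc(hour, minute=0):
    """Constructed timestamp helper: 2024-01-01 at the given UTC time."""
    return datetime(2024, 1, 1, hour, minute, tzinfo=timezone.utc)


def hours(n):
    """Usage accumulated today, as a timedelta."""
    return timedelta(hours=n)


# Constructed sample: a zone five hours behind UTC, open 08:00 to 22:00 local time
ZONE_TZ = timezone(timedelta(hours=-5))

if __name__ == "__main__":
    print("07:00 local, unlimited user:", session_allowed(at_utc(12), ZONE_TZ, 8, 22, hours(0), 24))
    print("10:00 local, 1-hour user, 2h used:", session_allowed(at_utc(15), ZONE_TZ, 8, 22, hours(2), 1))
```

Keeping the gateway's clock in UTC and converting only at decision time is what makes the report timestamps and the open/closed test agree; if the gateway and the control server disagreed about the offset, a zone could appear open in the reports while users were being shown the “Sorry we're closed” page.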
If you select the “Public IP templates” selection, skip the next page in this document as it only pertains to the “Customize screens” selection and is not displayed unless the “Customize screens” selection is chosen.

Customize Screens Selected Web Page

If you selected “Customize screens” on the previous page, the web page shown above is displayed as the next page in the Wizard. The instructions on this page inform you of the requirements when you create your own login page. There are three web page tags that MUST be included in the design of your customized login page in order for the page to work properly with the Zone Control Server: ZONE_LOGO, ZONE_LOGIN and ZONE_TOS. Each of these tags should be placed in the body of the web page where you want them to display. The instructions detail the placement of these tags.

Setup Remote Login - Custom Page Source:

Once you have developed your custom login page for your Zone you need to let the Zone Control Server know where the login page is. There are two fields on the Remote Login Setup page that need to be filled in with the information for the Zone Control Server to find the custom login page.

FQDN: The FQDN (Fully Qualified Domain Name) field is filled in with the name of the web server that contains your customized Remote Login page. NOTE: You only need the name of the web server containing your custom login page (e.g. www.yourserver.com); you do not put http:// in front of the domain name, and you do not put any path information (the part that follows the slash ( / ) after the domain name).

Path to login page: The “Path to login page” field is where you put the part after the ( / ), which is the path to the login page on your web server. The Zone Control Server will build the correct request to the login page.

Zone Custom Login Page Creation:

To create a custom login page you will need three items for the Zone Control Server to display and collect the relevant information needed for the client to log in to the zone.
See the simple example below for the syntax used:
• ZONE_LOGO – This is the location on the login page to display the zone branding logo image.
• ZONE_LOGIN – This is the location within the login page to display the login box for the client’s username and password entries.
• ZONE_TOS – This is the location within the login page to display the Terms of Use link.

    <html>
    <head>
    <title>Login</title>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    </head>
    <body>
    <p>ZONE_LOGO</p>
    ZONE_LOGIN
    <br><br>
    <font color="blue">ZONE_TOS</font>
    </body>
    </html>

The above is a very simple example of how to create your custom login page. Put this in a file on your web server. The Zone Control Server will GET this file when the login page is displayed. The Zone Control Server will parse the file and insert code snippets where the ZONE_ tags are. You place the FQDN and file path information to access the custom login page in the Master Wizard Remote Login Setup page (described above) and the Zone Control Server will use your custom login page instead of the default Zone login page!

NOTE: You can use any server-side scripting language you like to create the custom login page. If you need a custom login page with more capabilities than the Zone Control Server allows, such as validation of authentication information against a local database of clients, see Appendix A for an example of what can be done! In order to use the information in Appendix A you will either need to be familiar with ASP server-side scripting or know someone who can help you with the implementation. This is an advanced version of the Zone login capability and will require some work on your part to get it to work properly!

Setup Remote Login – Color Customization:

*** Enter information here about page customization ***

Remote Login Setup Completion:

This page is displayed when you have finished configuring the Remote Login Setup information for the Master Wizard Template.
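The Remote Login Setup fields and the three ZONE_ tags above describe a fetch-and-substitute step on the control server. The following is an added example, not Zone Control code, showing the checks that step needs: the FQDN must be a bare host name with no scheme or path, the path is joined to it to form the request, and a page missing any of the three tags is refused rather than served half-rendered. The fetch is replaced by an in-memory copy of the minimal page above; the http:// scheme, the helper names and the snippet markup are assumptions.

```python
"""Added example (not Zone Control code): the checks a control server would run on
a custom login page before serving it: the FQDN must be a bare host name, the path
is joined to it, and all three ZONE_ tags must be present before substitution.
The fetch is replaced by an in-memory copy of the page above; the http:// scheme
and the snippet contents are assumptions."""
import re

REQUIRED_TAGS = ("ZONE_LOGO", "ZONE_LOGIN", "ZONE_TOS")
# Bare host name: dot-separated labels of letters, digits and hyphens; no scheme, no path
HOST_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.I)


def is_bare_fqdn(fqdn):
    """True for www.yourserver.com; False for http://..., a trailing path, or an empty string."""
    return bool(HOST_RE.match(fqdn))


def build_login_url(fqdn, path):
    """Assemble the GET the control server issues from the two Remote Login Setup fields."""
    if not is_bare_fqdn(fqdn):
        raise ValueError("FQDN must be a bare host name such as www.yourserver.com")
    return "http://" + fqdn + "/" + path.lstrip("/")


def missing_tags(page):
    """Tags the custom page still needs before it can work with the control server."""
    return [tag for tag in REQUIRED_TAGS if tag not in page]


def render_login_page(page, snippets):
    """Replace each ZONE_ tag with the server-generated snippet; refuse incomplete pages."""
    missing = missing_tags(page)
    if missing:
        raise ValueError("custom page lacks required tag(s): " + ", ".join(missing))
    for tag in REQUIRED_TAGS:
        page = page.replace(tag, snippets[tag])
    return page


# Constructed: the minimal page from the document, held as a string instead of fetched
SAMPLE_PAGE = """<html>
<head>
<title>Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body>
<p>ZONE_LOGO</p>
ZONE_LOGIN
<br><br>
<font color="blue">ZONE_TOS</font>
</body>
</html>
"""

# Constructed stand-ins for what the control server inserts (its real markup is not documented)
SNIPPETS = {
    "ZONE_LOGO": '<img src="/zone-logo.png" alt="Zone logo">',
    "ZONE_LOGIN": ('<form method="post" action="/login">'
                   '<input name="username"><input name="password" type="password">'
                   '<input type="submit" value="Login"></form>'),
    "ZONE_TOS": '<a href="/terms">Terms of Use</a>',
}

if __name__ == "__main__":
    print(build_login_url("www.yourserver.com", "/zone/login.html"))
    print(render_login_page(SAMPLE_PAGE, SNIPPETS))
```

Refusing a page with a missing ZONE_LOGIN is the important case: served as-is, it would present users with a branded page that has no way to log in, and the failure would look like a portal outage rather than a configuration error.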
This information can be changed at any time in the template and also individually within each Zone you create. Press the “Continue ->” button to continue going through the Master Wizard template configuration steps.

Terms of Use Policy Webpage Setup:

The “Terms of Use” web page allows you to configure what will be shown for the Zone’s usage policies. The link to this policy is presented to the client when they first start the login session. You can either use the default terms of use policy (which is very good!) or you can set up your own terms of use policy webpage for presentation to the client.

By selecting “Use Public IP Terms” (default), the client is presented with the default terms of use webpage when they click on the “terms of use” link on the login page. By putting a URL pointing to your terms of use policy and selecting the “Use my Terms” setting, the client is presented with your terms of use webpage when they click on the “terms of use” link on the login page. Be sure to put the FULL URL in the Terms URL location. (Example: http://terms.location.site - use your actual URL here – not the example [grin]).

User Registration Requirements:

The “User Registration” page is used to select whether a user can register for access to the Zone or not. If you select to allow registration from the web, the user is presented with a registration form when they click on “Register for an Account” on the Zone’s login page. If you select “No”, not to allow registration from the web, the user will have to be manually put into the Zone’s “User Management” section for the Zone they will be logging into (or Zones, if the Zones are set up as Private – more on this later in the Zone section of the document). Selecting “No” and clicking on the “Continue ->” button will present you with a web page to configure a custom message which is displayed when the “Register for an Account” link on the Zone’s login page is clicked on by an end user.
An example follows after the “Yes” selection pages are presented in this document.

User Registration Allowed - Page 1

You will see this page with “Part 2:” displayed when you select YES to allow user registration from the web. Here you need to decide if you want to use the default PublicIP Zone registration form page or if you wish to use your own registration form page. If you want to use the standard PublicIP registration form page, select the “Use Public IP registration form” setting and press the Continue button. If you want to use a customized registration form page, select the “Use my registration form” setting and press the Continue button.

User Registration Allowed – Default form Selected

You will see this page with “Part 3:” displayed if you selected “Use Public IP registration form” on the previous web page. Here you decide whether you want the user to use their email address as their “login username” or whether they can use any name for the user “login username”. By having the client use their email address for their login username you will be able to set up the PublicIP system to perform a simple client validation procedure. When the client registers, the system will validate their email address by sending them an email with a validation link in the body of the email. If the client does not respond to the validation link within the email, the account stays pending and they will not have access to their new Zone account.

User Registration Allowed – Registration Name Validation

If you elected to have the user use their email address as their login username you are presented with “Part 4:” in the above web page. You can select whether the client has to respond or not to an email validation link as mentioned earlier. If email validation is set, the client has 24 hours to respond to the validation link contained within the email that is sent to them.
Use Custom Registration Form Page

This page is presented to you when you select “Use my registration form”. The ability to use your own custom registration form for registering clients to the Zone gives you the ability to gather more information for the client’s account than is actually needed by the “stock” Zone Control server. This may include additional information such as residence, phone numbers, unique IDs, etc. that the remote Zone Control server does not need (or want) for the client. Part 3 on the page above is where you put the URL address of your registration form that will be presented to the client when they register. The URL address you list is basically a re-direct that sends the client to your custom registration web page. Once the client has finished the registration process you will need to re-direct them back to the Zone Control server for the completion of the registration process, which then sends the information needed for the client’s authentication to the Zone Control server.
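The hand-off back to the Zone Control server is a form of hidden fields that your registration page fills in and posts. The documentation’s own snippet (which follows) is ASP and writes the values straight into the attributes with <%= %>, which does not encode them. As an added example, not code from PublicIP, the following Python builds the same form with every value HTML-escaped, so a username, password or name that a registrant typed with a quote or angle bracket cannot break out of the value="..." attribute, and then parses the hidden fields back out as a self-check. The action URL, field names and the network and status values are those of the documentation’s snippet; the registrant data is constructed, and the key is a placeholder for the value you obtain from PublicIP. Python is an assumption here, since your registration page may be written in any server-side language.

```python
import html
from html.parser import HTMLParser

# Added example: not code from the PublicIP documentation; it builds the same
# hidden-field form the documentation's ASP snippet shows, in Python.
REMOTE_REG_URL = "https://xml.publicip.net/remote_reg.php"   # action URL from the documentation's form
REQUIRED_FIELDS = ("key", "user", "pass", "display", "name", "network", "status")

# Constructed registrant data.  The key is a placeholder for the value obtained
# from PublicIP.  'network' and 'status' are the literal values in the
# documentation's snippet; their meaning is not documented on this page.
SAMPLE_FIELDS = {
    "key": "KEY-FROM-PUBLICIP-PLACEHOLDER",
    "user": "alice@example.com",
    "pass": 'p4ss"word!',
    "display": "http://www.server.com/directory/register_result.asp",
    "name": "Alice <Smith>",
    "network": "L",
    "status": "A",
}


def build_remote_reg_form(fields: dict) -> str:
    """Return the <form> that hands a newly registered client over to the Zone
    Control server.  Each value goes through html.escape(quote=True), so
    registrant-supplied text cannot close the value="..." attribute or add markup."""
    missing = [name for name in REQUIRED_FIELDS if not fields.get(name)]
    if missing:
        raise ValueError("missing registration fields: " + ", ".join(missing))
    if not fields["display"].startswith(("http://", "https://")):
        raise ValueError("display must be an absolute http(s) URL on your own web server")
    inputs = "\n".join(
        '  <input type="hidden" name="%s" value="%s">' % (name, html.escape(fields[name], quote=True))
        for name in REQUIRED_FIELDS
    )
    return ('<form method="post" action="%s" id="register" name="register">\n%s\n</form>'
            % (REMOTE_REG_URL, inputs))


class _HiddenFieldCollector(HTMLParser):
    """Collects name -> value for every hidden input; the parser unescapes attribute values."""

    def __init__(self):
        super().__init__()
        self.values = {}

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("type") == "hidden":
            self.values[attrs["name"]] = attrs["value"]


def hidden_values(form_html: str) -> dict:
    """Parse the hidden fields back out of a generated form, a quick check that escaping round-trips."""
    collector = _HiddenFieldCollector()
    collector.feed(form_html)
    return collector.values


if __name__ == "__main__":
    print(build_remote_reg_form(SAMPLE_FIELDS))
```

Because these are hidden fields in a page served to the client, everything in them (the key included) is visible to whoever views the page source; escaping protects the form’s structure, not the secrecy of its contents.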
It is up to you to have the following information sent to the Zone Control server through a URL access with the information values set up properly within the specific variable names:

Example code:

<form method="post" action="https://xml.publicip.net/remote_reg.php" id="register" name="register">
<input type="hidden" name="key" value="ask scott (wiphi) for key">
<input type="hidden" name="user" value="<%=user%>">
<input type="hidden" name="pass" value="<%=pass%>">
<input type="hidden" name="display" value="http://www.server.com/directory/register_result.asp">
<input type="hidden" name="name" value="<%=name%>">
<input type="hidden" name="network" value="L">
<input type="hidden" name="status" value="A">
</form>

User Registration Not Allowed Selection:

The following is what the Master Wizard will display when you select NO for the “Allow Registration from the Web” selection in the User Registration Section.

User Registration Not Allowed Selection – Message Input:

The Master Wizard presents a web page for you to put a custom message, which is displayed to the user when they click on “Register for an Account” on the zone’s login page. Here you may put instructions on how to get an account on the zone. The instructions on this page are very good and I don’t need to expand on them here.

User Rules and Permissions:

The Configure User Permissions page displayed above contains the instructions for configuring the settings in the Permissions section of the Master Wizard. The web pages following these instructions are used to define the network capabilities and limitations of the four different user classifications in the PublicIP system. Once you have read the information click on the “Continue” button to proceed to the pages for configuring the different classification capabilities and features.

Protected Class Settings:

The Protected User Class settings page is used to set up the Protected Class features.
You can:
• Set whether the web content filtering is enabled or disabled for this classification
• Set up what services (ports) are allowed through this classification
• Set how long a user in this classification can stay connected per day
• Set the total amount of data the user can send/receive

The Protected User classification is the most restrictive and is the Default classification of the system (if you did not change the default setting earlier).

NOTE: The time restrictions and available download amount settings shown here are the defaults for this entire class of users – the settings can be changed on a per user basis within a Zone using the client management settings within the Zone.

Liberated Class Settings:

The Liberated User Class is less restrictive by default than the Protected User Class but is not as open as the Trusted User Class. Here you can:
• Control if web content filtering is enabled or disabled for this class
• Set what services (network ports) are NOT allowed (as opposed to the convention used in the Protected Class, where network ports are specifically allowed)
• Set how long a user can stay connected per day
• Set how much total data a user can transfer per day

NOTE: The time restrictions and available download amount settings shown here are the defaults for this entire class of users – the settings can be changed on a per user basis within a Zone using the client management settings within the Zone.

Trusted Class Settings:

The Trusted User Class is the least restrictive of the three user classes that are designed to be used for connecting end clients. (There are four classes, but the Super User class should not be used for providing end user access without proper consideration of the risks involved.) You can:
• Define the total amount of time per day a user in the Trusted Class can stay connected to the Zone.
• Define the total amount of data a user can upload/download per day.
Note: This classification still adheres to any settings that would limit access – such as whether or not a user in this class can access the local network.

Super User Class Settings:

The Super User Class is the class you would only assign to people you really trust. This class has no restrictions on what network ports are accessible and has the highest priority for network access over all the other classes when bandwidth limiting is enabled. You can:
• Define the total amount of time per day a user in the Super User Class can stay connected to the Zone.
• Define the total amount of data a user can upload/download per day.

This classification is used mainly for administrative purposes.

NOTE: The super user class is not restricted from accessing the local network – even if the “No Local Network access” setting is active! This is one good reason you would not assign normal clients to the Super User Class!

Bandwidth Management Selection Page:

The Manage Bandwidth page is where you decide if you want to limit the end users’ bandwidth usage. If you enable the bandwidth limiting feature you can then specify the total amount of bandwidth that is available to the ZoneCD Gateway server. The total bandwidth that is made available from this decision can then be split arbitrarily between the user classes, with each user class having a maximum upload and download speed. This, along with the other user class settings, allows you to custom tailor the end user experience. Selecting YES on this page activates the next page for display – if you select NO here you will not see the next 2 web pages, as there would not be a need to set the maximum total bandwidth or individual class bandwidth usage.

Bandwidth Total Usage Selections:

The Manage Bandwidth second page is where you configure the total amount of bandwidth allowed through the Zone Gateway Server to the users.
This page is only displayed if Enable Bandwidth Shaping was selected YES on the previous Master Wizard, Manage Bandwidth, web page.

Total Bandwidth Available Settings:
1. Set the Total Download speed, which is to be made available to the Gateway, in the Download box.
2. Set the Total Upload speed, which is to be made available to the Gateway, in the Upload box.

NOTE: You may want to set the total bandwidth lower than the actual Internet access bandwidth if you are running computers on the local network side of the ZoneCD Gateway server, so Zone clients don’t take up all of your bandwidth – the users on the local network could otherwise experience slow Internet access during high usage times on the Zone by wireless clients.

Classification Bandwidth Thru-put Setup Page:

The Manage Bandwidth third page is where you can set up the uplink and downlink speed limits that are allowed for each of the different user classes in the Zone. NOTE: This page is only active if you have selected bandwidth limiting in the “Manage Bandwidth” web page.

Set the bandwidth allowed for each user class. A user in each of the specific classes will only be able to upload and download at the maximum speed you specify here.

NOTE: If the total user bandwidth value for all users in the classification exceeds the maximum bandwidth allowed on the “Manage Bandwidth” page then all users will be throttled to keep the total maximum bandwidth usage below the total set on the “Manage Bandwidth” page. This system is not configurable as a “Protocol Bandwidth Throttling” or “Quality of Service (QOS)” type system. The exception is that the Super User classification has priority over all other classifications and protocols.

Anonymous Client Access Configuration Page:

The Accessibility page is where you configure the requirements for accessing a Zone. There are three distinct settings for accessibility control on this page.

1. Anonymous Access: If you want to allow anonymous access to the Zone you would select the “Yes” button. This selection controls whether or not there is a “Skip” button displayed on the user login page. By setting this selection to “YES”, a “Skip” button is presented on the login page and a user can then select it to bypass the login registration process. The user will gain access to the system with access privileges being assigned based on the User Class you have chosen as the default for Anonymous Access to the system. This feature gives you the ability to allow network access which is freely and easily accessible but more restrictive than if the user logged into the system using a registered username and password – very handy for setting up a differentiated usage capability for the different users.

2. Username Ambiguity settings: The username ambiguity settings allow you to tailor the Zone accounting to track a user’s Zone access by either username and MAC address or only by MAC address. This is useful if you only want to keep track of the users by just the MAC address of the user’s wireless device. There are several uses for this setting:
a. Configuring the zone to use a common login name and password (daily access).
b. Instances where keeping track of the actual user’s login name may be considered an invasion of privacy (yes – there are such instances – strange world we live in!).

3. Default User Class: This section of the web page is where you configure the zone’s default user classification. When a user registers to use the system (if you have set the zone to allow user registration) they are assigned to the Default Class specified here. This setting also defines the Default Class assigned when you manually add a user to the system. NOTE: You can change any user’s class in the system whenever you wish – this setting just sets up the Zone Template for the initial class a user is assigned to.
All users of the system must exist in one of the classifications. As you can see there is a great amount of flexibility and control you have over how a client can use the system – they either must be added manually or can register to use the system on their own. They are automatically assigned to a user Classification by the system and you can control whether or not to track the users by their login name or just the MAC address of the wireless device they are using. You can also configure the Zone to allow anonymous access to the network and control (limit) what the user can do when using the anonymous login.

NOTE: The anonymous login uses the default user class as the class type for the user logging in anonymously. The system still tracks the user by the MAC address of the wireless device they are using but displays UNKNOWN as the user name in the accounting section of the Zone Control Server Master Account – more on this later in the document under Zone Accounting.

Local Network Access Options Page:

The Network Options page is where you can configure the ZoneCD Gateway server to either allow access to the eth0 (local) network connected to the ZoneCD server or to block attempts to access the local network by users in the Protected, Liberated or Trusted Classes. NOTE: The Super User Class basically has no restrictions (including access to the local network). Even if you activate the “Yes, keep’em out” selection for not allowing access to the “wired” network, the Super User Class still has access to the “wired” network!

Also on this page is the location where you can put FQDN URL addresses for any websites you wish to allow access to, even if the user has not logged into the system yet! This is referred to as a “Walled Garden” and is useful if you have a website or websites you wish to allow anyone to reach without having to log into the system – such use may be for restaurant menus, local information, how to use the system... You get the idea.
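The user class pages, the local network option and the walled garden together define what a client may reach, and the semantics differ by class: the Protected class is an allow-list of ports (anything not listed is refused), the Liberated class is a deny-list (anything not listed passes), Trusted has no port rule, and the Super User class ignores even the “keep’em out” local network setting. The following Python is an added example, not code from PublicIP or the ZoneCD, that models those rules in one place and goes beyond any single page above by covering all four classes, the per-day limits, the local network option and the pre-login walled garden check (bare host names separated by spaces, as the note that follows states). The port numbers, minutes and byte counts are constructed sample values, not the system’s defaults, and exact host matching for the walled garden is an assumption, since the documentation does not say whether sub-domains are included.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added example: a model of the class rules the Master Wizard pages describe,
# not code from PublicIP or the ZoneCD.  Ports, minutes and byte counts are
# constructed sample values, not the system's defaults.


@dataclass(frozen=True)
class ClassPolicy:
    name: str
    filtering: bool                          # web content filtering on/off (Protected, Liberated)
    allowed_ports: Optional[FrozenSet[int]]  # Protected: only these ports pass; None = no allow-list
    blocked_ports: FrozenSet[int]            # Liberated: these ports are refused
    minutes_per_day: Optional[int]           # None = no daily time limit
    bytes_per_day: Optional[int]             # None = no daily data limit
    super_user: bool = False                 # Super User: no port rule, local network always reachable


CLASSES = {
    "Protected": ClassPolicy("Protected", True, frozenset({80, 443}), frozenset(), 60, 200_000_000),
    "Liberated": ClassPolicy("Liberated", True, None, frozenset({25, 445}), 180, 1_000_000_000),
    "Trusted":   ClassPolicy("Trusted", False, None, frozenset(), 480, 5_000_000_000),
    "Super":     ClassPolicy("Super", False, None, frozenset(), None, None, super_user=True),
}


def port_allowed(policy: ClassPolicy, port: int) -> bool:
    """Protected: allow-list (unlisted ports refused).  Liberated: deny-list
    (unlisted ports pass).  Trusted and Super: no port restriction."""
    if policy.super_user:
        return True
    if policy.allowed_ports is not None:
        return port in policy.allowed_ports
    return port not in policy.blocked_ports


def local_network_allowed(policy: ClassPolicy, keep_them_out: bool) -> bool:
    """'Yes, keep'em out' blocks the eth0 network for Protected, Liberated and
    Trusted users; as the documentation notes, it never applies to Super Users."""
    return policy.super_user or not keep_them_out


def within_daily_limits(policy: ClassPolicy, minutes_used: int, bytes_used: int) -> bool:
    """Per-day time and data ceilings for the class (overridable per user within a Zone)."""
    if policy.minutes_per_day is not None and minutes_used >= policy.minutes_per_day:
        return False
    if policy.bytes_per_day is not None and bytes_used >= policy.bytes_per_day:
        return False
    return True


def parse_walled_garden(field: str) -> list:
    """Parse the walled-garden field: bare host names separated by spaces,
    no http:// and no path.  Returns the hosts lower-cased and de-duplicated."""
    hosts = []
    for entry in field.split():
        if "://" in entry or "/" in entry:
            raise ValueError("walled garden entries must be bare host names: " + entry)
        host = entry.lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def pre_login_request_allowed(walled_garden: list, host: str) -> bool:
    """Before login only requests whose Host header exactly matches an entry
    pass (exact matching is an assumption; sub-domain handling is undocumented)."""
    return host.lower().rstrip(".") in walled_garden


if __name__ == "__main__":
    garden = parse_walled_garden("menu.example.net info.example.net")
    print(port_allowed(CLASSES["Protected"], 22), port_allowed(CLASSES["Liberated"], 22))
    print(local_network_allowed(CLASSES["Super"], keep_them_out=True))
    print(pre_login_request_allowed(garden, "MENU.example.net"))
```

The allow-list versus deny-list distinction is the one to keep in mind when assigning a default class: a port you forget to list is closed for Protected users but open for Liberated users.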
NOTE: Do NOT put http:// in front of the FQDN URL address – JUST the URL(s), with a space between multiple URL addresses. You only need “some.domain.name” in this area.

Log Mailer Configuration Page:

The LogMailer page is the location where you can set up where to mail the different log files that are kept for each Zone you create. There are four different log files available for you to monitor:

1. Nocat: Putting a check mark in the Nocat box will configure your Zone Gateway server to send an email of the Nocat.log file’s contents to you once every 24-hour period based on 12:00 Midnight GMT. This log file contains the log messages Nocat generates when a user attempts to use the system as well as other health and status information. This is a very handy log file to keep track of how Nocat is performing and is used to troubleshoot user connectivity problems.

2. Squid: Putting a check mark in the Squid box will configure your Zone Gateway server to send an email of the Squid log file’s contents to you once every 24-hour period based on 12:00 Midnight GMT. This file is only generated if you are using filtering (Dansguardian) because Squid is used only for proxy web operations for the filtering process. This file contains the URL attempts made by the user when they are using the system. Squid also acts as a caching proxy server for faster access to common website pages.

3. Dansguardian: Putting a check mark in the Dansguardian box will configure your Zone Gateway server to send an email of the Dansguardian log file’s contents to you once every 24-hour period based on 12:00 Midnight GMT. This log file contains the information generated by Dansguardian during the website filtering operations. It is not generated if you are not using web content filtering. You can use the information contained in this file to fine-tune the Dansguardian configuration files to suit your needs.
Since the Dansguardian configuration files live on the configuration storage device (floppy or USB drive) they survive a reboot, and any changes you make to the configuration files will be applied each reboot.

4. Boot: Putting a check mark in the Boot box will configure your Zone Gateway server to send an email of the Init.log file contents to you whenever the ZoneCD Gateway Server is booted up – either by power being applied or the system being rebooted. This log file is very handy for troubleshooting and to let you know if and when the ZoneCD Gateway server reboots. The reboot may be caused by several possible scenarios – someone may have rebooted the computer, or there may have been a power failure at the zone location (Note: the computer can be made to boot back up automatically if the computer’s BIOS has the capability to return to the previous power state after a power failure – some older machines do not have this capability built in and will have to be powered up manually). This file also contains the bootup process messages generated by the ZoneCD initialization script that runs during the ZoneCD phase of the bootup process. It contains information as to whether the required processes (applications such as the DHCP server) started correctly, the configuration of the network interfaces and the ping times to the Zone Control Server. If you experience problems in connecting to the Zone Control Server or you cannot seem to “reach” the Internet, this file (also located in the /tmp directory on the ZoneCD Gateway computer under the name of init.log) would be the first thing to check to make sure the interfaces were configured properly and the ping information shows you are actually communicating with the Zone Control Server.

In order for you to receive the log file email you have to put a valid email address in the “Email Logs To” field on the page, select the log files you wish to receive, then click on the ‘Continue’ button.
If you decide you do not wish to receive any of the log files you can click on the ‘Skip’ button and continue on with the Master Wizard template configuration without setting up the email section here.

NOTE: If you experience problems with receiving email and you determine it is because your ISP does not allow email to originate from a dynamic IP source (which most cable modem and/or DSL Internet connections are), you can use the information in Appendix F to make changes to the ZoneCD Gateway Server’s email server, which should allow the email to reach your specified email address. You can read about the complete concept on the PublicIP forum at the following URL: http://www.publicip.net/phpBB2/viewtopic.php?t=1092

Master Wizard Setup Complete Page:

Congratulations! You have finished setting up the Master Template that is used as the defaults for the creation of new Zones in your Zone Control Master Account. If you want to create a Zone just click on the Create a Zone button and you will be taken to the Zone Wizard. If you were just making changes to the Master Wizard settings you can return to the Master Account main page by clicking the Master Control link at the top of the form.

NOTE: Notice the Selection Box at the left-hand side of the page. Any time you want to make changes to a setting or settings in the Master Wizard you do not have to “walk” through all the settings to do so – you can select the section in the Master Wizard using the left-hand selection box. This box allows you to quickly go to the specific section to make your changes. Be sure to click the button on the respective page to make your changes on the Control Server, because just changing the value on the specific page does not automatically change the setting in the Control Server. Remember: It does NOT take the new value until you hit the button on each page.
Zone Wizard Overview

The Zone Wizard is used to create a new Zone under the control of the Master Account on the Zone Control Server (remotely located machine). You can create three different types of zones in the Master Access Account: if you need to set up Public Zones for some applications, Shared Zones for other applications and Private Zones for still other applications, you can do this without having to set up multiple Master Accounts. In the Tolkien sense, One Master Account to rule all of the types of Zones.

Zone Types:

The Master Account Zone(s) can each be only one of the three zone types:

1. Public – The zones of this type in the Master account can be accessed by anyone registered in *ANY* Master Account on the Zone Control Server that has a public zone or zones defined. In other words – this is like a community zone accessible by anyone registered on any public zone in any master account on the Zone Control Server. The user is logged in with the default privileges of the Zone as you have set them; they DO NOT automatically have the same access privileges they might have at a different Public Zone in a different Master Account. This “sharing” of zones across master accounts allows the setting up of global wireless hotspots where anyone using the Zone Control Server can set up a public zone and anyone else using the Zone Control Server can do the same. A client registered in one of the public zones defined in any master account can access any other public zone defined in any other master account.

2. Shared – The zones of this type in the Master account allow access to more than one shared zone to anyone with a login account that is valid in any one of the shared zones contained in this single master account. You would use this capability to set up physically separate zones where a client can register in one of the zones and be able to log in to any of the other shared zones within the same master account.

3. Private – A client will need a user login account for each private zone defined in the master account. A client in this private zone cannot log in to another private, shared or public zone without registering in them first.

Note: The zones do not share login access across the different zone types – IE: a client registered in a public zone cannot log in to a shared or private zone without first being registered in that zone.

Creating a New Zone

When you click on the Zone Wizard on the Master Account Main Page the system displays the page above. This page is where you make the selection as to the zone type you wish to create. Once you have made your decision click on the continue button to create the zone.

NOTE: Once you create the zone you cannot change the zone type. This is fixed by the design of the system, and if you make a mistake as to the zone type the only way to correct it is to delete the created zone and create it again. If you already have clients defined within the zone, their registration information can either be transferred to a different zone or it will be lost and they will have to re-register to gain access to the newly created zone.

Create New Zone Login

Now that you have defined the zone type for the new zone, you then need to define the Username, Password and a short Description of the new zone you are creating.
• Enter a Username for this zone – it must be at least 6 characters long (Case Sensitive!)
• Enter a Password for this zone – it must be at least 6 characters and should contain numbers and punctuation to thwart attempts to break it. (Case Sensitive!)
• Re-Enter the Password again for verification.
• Enter a Description of the zone so you have something to reference later. The description will show up on the Master Account Main Page to help you identify which Zone you want to access.
• Click the “Create Zone ->” Button to continue.

Why do you need a Username and Password for a zone?
The reason for a Username and Password for a zone may not be obvious but it serves two purposes:

1. The ZoneCD Gateway needs to log into the zone in the Master Account on the remotely located Master Control Server that is run by PublicIP in order to download the configuration for the zone. The username and password that are entered here are requested during the initial configuration phase of setting up a ZoneCD Gateway computer. Remember: The Username and Password you enter here are what you need to enter during the configuration of the ZoneCD Gateway server for this zone, NOT the Master Account username and password that was set up earlier. If you are using a username that looks like an email address you are using the WRONG username!

NOTE: You can have multiple ZoneCD Gateway servers log into the *SAME* zone and all of the clients that use those specific ZoneCD Gateway servers will appear in the accounting for that zone! This can serve two distinct functions:
• This is handy if you are setting up a Private Zone and want to have multiple sites that are privately accessible by clients. Of course it really makes more sense to use shared zones for this purpose but there are “those” times...
• You are setting up one shared zone but there are multiple physical areas that need to be covered and it is physically impossible to set up either wired network links or wireless links (WDS – Wireless Distribution System) to the physically separate zone locations, and you don’t want to use two separate shared zones to implement it.

2. If you go to the Zone Control Server and use the Username and Password for the zone instead of the Master Account username and password you will be presented with a Zone Account Control Panel instead of the Master Account control panel. This is a reduced function control panel that only allows someone to remove clients or add clients to the zone – it does not allow access to the zone configuration or any other zone in the master account.
This allows you to give the username and password of the zone to a zone operator so they can register clients directly for that specific zone without having to have the Master Account password to manage the zone. The zone operator can also see who is currently logged into the zone but cannot generate reports for the zone.

3. IMPORTANT: The username and password you assign to the zone are case sensitive! Be sure you know what you typed into these two fields, as you will need to type EXACTLY the same thing in when you go to set up a ZoneCD Gateway Server for Closed Mode operation!

Zone Creation Complete!

That’s it! You have created a “Zone” in your unique Master Account! All of the zone’s configuration settings were obtained from the Master Wizard template you created earlier! Of course you can easily make changes to any of the zone configurations – they are not cast in concrete, but the use of the Master Wizard Template sure makes setting up a new zone a snap!

Master Account with New Zone

This is the display you see once you have created a zone in the master account. A couple of things worth mentioning here:
• The username of the zone id is displayed.
• The ZoneCD version information is displayed in the zone box. This should show the same version as the ZoneCD that was used to boot the Gateway Server.
• The description you put in during the Zone Wizard configuration is displayed in the zone box.
• There are three links displayed in the zone box – the “<Manage>” link, the “<Update>” link and one you probably don’t recognize at first – the “Delete” link, which is the [X] in the upper right-hand side of the zone box (this one threw me for a while until I realized what it was for – Deleting the Zone from the Master Account!). Be careful with the [X] “Delete” link – once deleted there is no way to “recover” the deleted Zone – you will have to re-create it if you accidentally delete the Zone.

One of Each Zone Type Created

Here you see three newly created zones in the Master Account.
The other two were created the same way as the private zone type previously discussed. The only difference between the three zones is the zone type. Notice I have placed a description in each one as to the zone type. This is helpful to keep track of what type of Zone it is as well as which Zone it is (Is it the Public Zone over at the Deli or the Public Zone in the Pizza Parlor?). It makes it easier to keep track of the zones. NOTE: The second and third zone took all of about a minute to create using the Zone Wizard – it really does save time and effort!

Zone Update Display

Pressing the <<Update>> link (see previous image – not the one directly above) for a specific Zone will bring up an “Update Zone” page for that particular Zone. Here you are able to change the ZoneCD version, zone Password or zone Description that will be used by the zone. Once you have made any desired changes, use the Update Zone link at the bottom of the form to make the changes permanent for that particular zone.

NOTE: You can NOT change the zone’s name – it is used to define the zone in the Zone Control server’s database system. This is also the reason you have to pick a distinct name when you are setting up a zone. You may run into a situation where you wish to use a specific username for a zone and the system informs you that name is already taken. Change the name to something more distinctive and you should be fine.

You can change the version number of the ZoneCD Gateway server’s ZoneCD CD-ROM image you are running in the zone. This allows you to upgrade the CD-ROM software running on a zone and adjust the Zone Control server to use and manage the newer features in that version of the ZoneCD software.

You can change the description of the Zone – you most likely will go through several description changes fine-tuning the information displayed on the Master Account main page.
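The zone Username and Password rules given under Create New Zone Login (and the Password you can change on the Update Zone page just described) are easy to get wrong in a way that only shows up later, when the ZoneCD Gateway is configured for Closed Mode and the credentials must match exactly, including case. As an added example, not code from PublicIP, the following Python applies those rules before anything is typed into the wizard: the minimum length of 6 and the expectation of numbers and punctuation come from the documentation; the definition of “punctuation” (Python’s string.punctuation) and the check that flags a username containing “@”, which the documentation warns is the Master Account login and not a zone username, are this example’s assumptions.

```python
import string

# Added example, not code from PublicIP: checks the zone Username/Password
# rules given under Create New Zone Login.  MIN_LENGTH comes from the
# documentation; the punctuation set is Python's string.punctuation.
MIN_LENGTH = 6


def check_zone_credentials(username: str, password: str, password_again: str) -> list:
    """Return a list of problems; an empty list means the values are acceptable.
    Every comparison is case sensitive, because the zone username and password are."""
    problems = []
    if len(username) < MIN_LENGTH:
        problems.append("username must be at least %d characters" % MIN_LENGTH)
    if "@" in username:
        # The documentation warns that a username looking like an email address
        # is the Master Account login, not the zone's username.
        problems.append("username looks like an email address: that is the Master Account login, not a zone username")
    if len(password) < MIN_LENGTH:
        problems.append("password must be at least %d characters" % MIN_LENGTH)
    if not any(ch.isdigit() for ch in password):
        problems.append("password should contain numbers")
    if not any(ch in string.punctuation for ch in password):
        problems.append("password should contain punctuation")
    if password != password_again:
        problems.append("re-entered password does not match (remember: case sensitive)")
    return problems


if __name__ == "__main__":
    for problem in check_zone_credentials("deli", "pizza", "Pizza"):
        print("-", problem)
    print(check_zone_credentials("delizone", "Pizza#42!", "Pizza#42!"))
```

The mismatch check compares the two entries byte for byte; a password that differs only in case is reported as not matching, which is exactly the error that later prevents the Gateway from logging into the zone.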
Zone Control Management Display – ZoneCD Version 4.2

A little bit about the Version selections in the <Update> link in the zone box on the Master Account page. Each supported version of the ZoneCD software has some differences in features and capabilities. With each new release the feature-set becomes richer than the predecessor’s. In order to support previously released versions of the ZoneCD software, the Zone Control server needs to be aware of which version of the ZoneCD software is running in a zone in order to adjust the configuration information that is downloaded to the ZoneCD Gateway server. Having the correct Zone version is important for the zone to function correctly. You must make sure the version setting in the Master Account zone matches the version number of the ZoneCD software you are running on the ZoneCD Gateway server, otherwise strange problems may occur!

It is strongly advised to keep current with at least the latest stable version of the ZoneCD. There are features in the newer versions of the ZoneCD software that you probably would want to use, and there are bug-fixes that correct operational problems – keeping abreast of the latest version of the ZoneCD gives you access to the additional features added AND updates for bug-fixes that may have been causing you some problems!

Zone Control Management Display – Version 6.0

If you note the differences between ZoneCD version 4.2 (displayed on the previous page) and version 6.0 displayed above, they are not the same! Version 4.2 does NOT contain any type of Bandwidth control whereas version 6.0 does (one such feature mentioned earlier as a reason to keep abreast with the latest ZoneCD software). If you have a version 6.0 ZoneCD running on a zone Gateway server and you have the zone set to version 4.2 on the Zone Control server, the zone’s Gateway server will not receive the information it needs to perform the bandwidth limiting function you may have wanted to use!
NOTE: If you are having ‘strange’ problems with a newly created zone this is the first thing you want to check – make sure the zone’s ZoneCD version setting and the actual ZoneCD CD-ROM you are using are the same!

Zone Management Display – Main Page

If you click on the <<Manage>> link in the zone control box on the Master Account Main Page you will be presented with the above display. There are several items you need to note here:

1. The Master Control link at the top left returns you to the Master Account main page.
2. The Active Sessions link takes you to the Active Sessions page.
3. The Zone Control link takes you to the zone’s configuration page.
4. The Usage Reports link is what you use to get detailed reports on usage of the zone.
5. The MAC Access link is used to manage client access and time/bandwidth limits. You can change the classification of an individual client here as well as remove them from the zone.
6. The User Management link is used to manually register, edit or delete a client from the zone.
7. The Logout link should be self-explanatory – it logs you out of the Zone Control Server.

Active Sessions Display

When you select the “Active Sessions” link you are presented with the above display. If there are clients logged into the zone you will see information about each active session displayed below the Active Sessions Counter (under the PublicIP icon).

Zone Control Configuration Display

One thing you should notice when you click on the “Zone Control” link on the zone’s main page is that the display looks very familiar. It should, as you walked through it (or most of it) when you ran the Master Wizard when you first set up the Master Account! This is the page where you can make changes to the default settings loaded into the zone from the Master Wizard Template – this is how you customize each zone you create!
All of the settings work the same way as when you walked through the Master Wizard pages, so we will not re-hash the same details here. Suffice it to say it works the same way but only affects the particular zone you are currently working with!

NOTE: All zones are handled the same when it comes to configuring the Zone Control settings.

Zone Usage Reports Display

The Usage Reports page is where you can generate reports of usage on the zone. You can select several pre-configured time periods for generating reports (the time is based on the local time zone that was set in the Master Wizard setup!):

- Today – All activity for the current day within 4 minutes of active sessions.
- Yesterday – All activity for the previous day.
- Last 7 Days – All activity for the zone over the last 7 consecutive days.
- Last Week (Mon-Sun) – All activity for the last calendar week.
- Last Business Week (Mon-Fri) – All activity over the last business week.
- This Month – All activity for the current calendar month.
- Last Month – All activity for the previous calendar month.

If that were not enough – you can also select the start and stop dates to generate a report!

The reports show all activity by MAC address for all clients who use the zone. The MAC address, which is unique for each wireless device, is used to track usage instead of the username, since a client could register a different username but the MAC address of the wireless device will remain the same.

The report will show the following information about each session: (NOTE: This is a modified Zone Control server report display.)

The Usage Report display contains a fair amount of information about each client that connects to the zone. Each different client connection generates a separate record entry, separated by the blue record field line (the blue line with the white headings showing the different field names within each record).
The Usage Report shows the following information:

- The MAC address of the wireless client
- The number of times during the reporting period the client connected
- The IP address assigned to the client on each connection
- The Username of the client
- The session start time
- The length of the session in HH:MM:SS format
- The total Kilobytes of data downloaded in the session
- The total Kilobytes of data uploaded in the session
- Whether the client was blocked from access, and the number of times blocked

Each MAC address recorded in the Zone Control server for the zone will have its own record displayed.

NOTE: The above report was generated using the “previous or Yesterday” information on my Zone Control server so the branding is not exactly what you would see on the normal Zone Control Server report.

Downloadable Reports Generation:

Great, so the Zone Control Server can generate reports for different time periods and display the report in the web browser – but what about printed reports or saving the report to other formats besides a web-based format (HTML) for inclusion in report overviews and such? The Usage Reports page also has two links on the upper right-hand side of the page which allow you to download the generated report in one of two formats:

1. Excel: The report is generated in Microsoft Excel Spreadsheet format.
2. Word: The report is generated in Microsoft Word format.

Even though the reports are in Microsoft formats there are numerous other programs which can read and write these formats – OpenOffice from Sun Microsystems is one such application program and is free from http://www.openoffice.org . OpenOffice runs on many different platforms and operating systems so you are not bound to the Microsoft Office Suite.

Each of the downloadable reports will contain the same generated information as is currently displayed on the screen when you select the report format to download.
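As an added example (not part of the PublicIP documentation or software), the Python code below reads a few constructed Usage Report records in the field order listed above, aggregates them per MAC address the way the Zone Control server tracks usage (the same device can appear under different usernames and IP addresses), and flags devices whose totals exceed a daily time or download limit. The comma-separated layout, the sample records and the limit values are assumptions for illustration, not the server's actual export format.

```python
"""Aggregate PublicIP-style Usage Report records per MAC address.

Added example, not PublicIP code. The field order follows the Usage Report fields
described in the documentation; the comma-separated layout and all sample values
below are constructed for illustration.
"""
import csv
from dataclasses import dataclass, field
from io import StringIO

# Constructed sample: one line per client connection (session).
# mac, ip, username, session start, length HH:MM:SS, KB down, KB up, times blocked
SAMPLE_REPORT = """\
00:11:22:33:44:55,192.168.100.10,alice@example.com,2005-03-01 09:15:00,00:45:10,12800,1500,0
00:11:22:33:44:55,192.168.100.10,alice@example.com,2005-03-01 12:30:00,01:20:00,51200,2100,1
AA:BB:CC:DD:EE:FF,192.168.100.11,bob@example.com,2005-03-01 10:00:00,00:10:00,900,120,0
aa:bb:cc:dd:ee:ff,192.168.100.12,guest123,2005-03-01 15:00:00,00:05:30,300,40,0
"""

FIELDS = ("mac", "ip", "username", "start", "length", "kb_down", "kb_up", "blocked")


def parse_length(hhmmss: str) -> int:
    """Convert a session length in HH:MM:SS to seconds, rejecting malformed values."""
    parts = hhmmss.strip().split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad session length: {hhmmss!r}")
    h, m, s = (int(p) for p in parts)
    if m >= 60 or s >= 60:
        raise ValueError(f"bad session length: {hhmmss!r}")
    return h * 3600 + m * 60 + s


@dataclass
class MacUsage:
    """Totals for one wireless device over the reporting period."""
    mac: str
    connections: int = 0
    seconds_online: int = 0
    kb_down: int = 0
    kb_up: int = 0
    times_blocked: int = 0
    usernames: set = field(default_factory=set)


def parse_report(text: str) -> list:
    """Parse report lines into dicts keyed by FIELDS (blank lines are skipped)."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["mac"]]


def aggregate_by_mac(rows) -> dict:
    """Group sessions by MAC address (case-insensitive): the device, not the
    username, is the unit the Zone Control server accounts for."""
    usage = {}
    for row in rows:
        mac = row["mac"].strip().lower()
        entry = usage.setdefault(mac, MacUsage(mac))
        entry.connections += 1
        entry.seconds_online += parse_length(row["length"])
        entry.kb_down += int(row["kb_down"])
        entry.kb_up += int(row["kb_up"])
        entry.times_blocked += int(row["blocked"])
        entry.usernames.add(row["username"].strip())
    return usage


def over_limits(entry: MacUsage, time_limit_s: int, download_limit_kb: int) -> list:
    """Return the reasons (if any) a device's totals exceed the given daily limits."""
    reasons = []
    if entry.seconds_online > time_limit_s:
        reasons.append("time")
    if entry.kb_down > download_limit_kb:
        reasons.append("download")
    return reasons


if __name__ == "__main__":
    usage = aggregate_by_mac(parse_report(SAMPLE_REPORT))
    for mac, entry in sorted(usage.items()):
        # Assumed class defaults: 2 hours and 50,000 KB per day.
        flags = over_limits(entry, time_limit_s=2 * 3600, download_limit_kb=50_000)
        print(mac, entry.connections, entry.seconds_online, entry.kb_down, flags)
```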
Zone MAC Access Control

The MAC Access link on the top of the zone page brings you to the above page. There are a couple of items that need a little explaining as some of the information is not directly apparent when you look at this page!

Block MAC Address: This is where you input a client’s MAC address as a 6-octet hex value. A MAC address (Medium Access Control) is unique (or is supposed to be!) across all NIC (Network Interface Card) hardware. Inputting the client’s MAC address in this section will DENY ANY ACCESS to this particular zone if the zone is private, to all shared zones if it is shared, and to ANY public zone if it is public!

Permitted MAC Addresses with logins: This section displays all currently active MAC addresses and their login usernames. In this section you can click on a MAC address and either ALLOW or DENY access to the zone or zones (if shared or public). If you click on the username you will be presented with a pop-up box that allows you to change the client’s classification, bandwidth limits and time limits.

NOTE: If you make any changes to the client through this method the client will need to log off the system and log back in for the changes to take effect!

Denied MAC Addresses with logins: This section displays the MAC addresses and login usernames (the last one seen for the particular MAC address) of clients who tried and were DENIED access to the zone or zones. You can click on the MAC address and you are presented with a pop-up box that allows you to remove the DENY status and return the client to ALLOWED status for access to the zone or zones.

This MAC access page is very powerful and useful. If you suspect someone is abusing their access privileges this is the place to stop them in their tracks!
Once they have been placed in the DENY category they will receive a message when they attempt to log into the system informing them they have been blocked, together with the email address you put into the system during the Master Wizard configuration phase (or the email address you may have set up in the Zone Control for the specific zone in question).

NOTE: If a client exceeds their maximum bandwidth or time and you go into this page to make changes to allow them more time or bandwidth, the client will have to log off the system and then back on. They need to wait about 10 minutes after they log off to allow the Zone Control Server AND the ZoneCD Gateway server time to clear their access information from the system. If they just close the web browser windows (especially the pop-up window they need to leave open to allow the system to function properly, including re-authorizing every ~ten minutes and logging out of the system) they will definitely need to wait at least twelve minutes for the system to clear any previous access settings for the user (the updates occur every nine minutes or so – better to allow the extra three minutes or so just to be sure!).

User Management – Manually Adding Users to a Zone

The “User Management” page is where you can manually enter a client’s information into the Zone Control server for the particular zone, Activate an account a client has registered, or set the account to Not Active (Pending) if you are entering the account information but don’t want the account active at the moment. This page is also displayed when you log into the Zone Control server using the zone username and password, as a zone administrator would do.
There are several settings which are defined from the information you entered earlier when you created the Master Wizard Template for the Master Account – these settings are marked with the term “Class Default” and derive their values from the Master Template. As noted earlier, you can change the values to something other than the default on a per-client basis or use the pre-defined values.

There are several items you need to enter here to set up a client account.

Email: This is the email address of the client – it is used as their login username for the zone. If you are not requiring the client to use their valid email address then this field requires at least six (6) characters for the username.

Name: The Name of the Client goes here – usually first and last name.

Password: The password the client will use to access the zone. The password must be at least six (6) characters in length and should contain numbers, letters and punctuation to make the password hard to guess.

Password Again: Enter the client’s password again in this field – this verifies you have entered the same password twice, to preclude a mis-typed password since the password is not displayed as it is typed into the fields.

Expiration: You can set the length of time the account is active – your choices are limited to the selections in the selection box. This field would be used if you offer “short-time” access to the zone – such as for a day or two or a week – or you can allow unlimited client access with no expiration.

Class: You select the classification of the client using this field – this field also controls the information used in the next two fields if you leave them set to the “default class” setting. The system will use the information you set up in the Master Wizard template you created when you set up the Master Account.
Time Limit: If left at the “default class” setting, the time limit per day for the client to access the zone(s) comes from the Master Wizard template set up earlier. If you want to change the Time Limit for the client you can do so by using the dropdown box to select a different time limit value instead of the default. The user is in the same “Class” as before but with different time limits than the Class Default.

Download Limit: If left at the “default class” setting, the download limit per day for the client for the zone(s) comes from the Master Wizard template set up earlier. If you want to change the Download Limit for the client you can do so by using the dropdown box to select a different download limit value instead of the default. The user is in the same “Class” as before but with different download limits than the Class Default.

Status: The status for the client’s account can be set to either Active or Pending. Active allows the client to use the account whereas Pending lets you keep the client from using the account without having to delete the client’s account from the system. Useful if you want to deny someone access temporarily but don’t want to have to re-enter their information into a new account once the problem has been remedied.

Description: The description field is where you can place a note or notes about a client – it is for your use as you see fit – it has nothing to do with any control functions for the zone!

Editing a Client’s Account in a Zone

To edit a client account in the zone you click on the client’s username on the left-hand side of the User Management page. Once you do this you are presented with the page shown above. Notice the username is grayed out – you cannot change the client’s username in the system because this information is used for accounting. Changing it would corrupt the accounting for the client’s account.
This is also the page displayed when you wish to delete a client from the zone. Notice the “Check to confirm delete” box above the Delete User button – this box must be checked in order to delete the client from the zone! You can also change the Time Limit and Download Limit as well as the classification of the client.

Summary of the Zone Creation and Management process:

Zone Creation

The creation of a zone within the Master Account on the Zone Control server is very easy to do. Most of the “work” has already been done when you created the Master Wizard template, where you set up the default settings used in the creation of a zone. The most difficult part of creating a zone is deciding what type of zone to create! There are three distinct types of zones the Zone Control server controls:

Public: This type of zone is really a community zone. Any clients placed in a Public Zone have access to any other zone defined on the Zone Control server as a Public Zone – this means that *ANY* zone on the Control Server defined as a Public Zone will allow anyone registered in *ANY* Public Zone to have access to the zone. This crosses over between *ANY* Master Account defined on the Zone Control server and is not limited to just your Master Account. This can be viewed as a Global World Zone access type of zone definition.

Shared: A shared zone – unlike the Public Zone type – allows a client registered in the zone to have access to any other shared zone defined in your Master Account ONLY. You would use this type of zone where you want to have different zone locations, separately defined for accounting and tracking purposes, but do not want to require a client to register in each separate physical zone location. In other words, you would use this type of zone to share client access across different locations while requiring only one client registration to access any of the shared zone locations.
Private: As its name implies – a Private Zone requires a client to register in each private zone location to have access to the zone. Private zones do not “share” the client registration with other zones. You would use this type of zone for defining a business location for access by employees or staff. The most likely applications would be business locations where you want to supply wireless connectivity to either employees or business associates but do not want them on your local network.

NOTE: The PublicIP system does not provide ANY form of data protection – it is an access control and monitoring system, not an encryption protection system. If you need to protect the information traveling across the wireless network you need to look at either SSL-enabled applications or some form of VPN security to protect the information.

Once you have decided on the zone type, you then:

- Set up the username and password for the ZoneCD Gateway server to use to log into the zone and download its configuration information,
- Set up the ZoneCD version information so the proper information is downloaded to the ZoneCD Gateway server during its bootup operations,
- Define a brief description of the zone for later reference (very handy when you start getting more zones defined in the Master Account on the Zone Control server).

That’s it – you have created a zone. After creating a Zone, if you want (or need) to make changes to the zone’s configuration you would use the zone management tools.

Zone Management

The main page displayed by the Zone Control server for a zone when you click on the specific Zone’s <<Manage>> link is where you access the different aspects of the Zone Control’s Monitoring and Management pages.
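Before moving on to the management pages, here is an added Python example (not PublicIP code) that encodes the access behaviour of the three zone types just summarized, together with the scope of a MAC block entered on the MAC Access page described earlier. It assumes that a block placed in a zone reaches exactly the zones a registration in that same zone would reach (private: that zone; shared: all shared zones of the same Master Account; public: every public zone on the server); the zone names, Master Accounts and MAC addresses are constructed.

```python
"""Model of PublicIP zone types and MAC blocks.

Added example, not PublicIP code: the Zone Control server's actual database and
rules are not published in this document. The code encodes only the access
behaviour the text describes: Public zones admit anyone registered in any Public
zone on the server (across Master Accounts), Shared zones admit clients registered
in any Shared zone of the same Master Account, Private zones admit only their own
registrations. A MAC block entered in a zone is assumed to reach the same set of
zones a registration in that zone would reach. All names and addresses below are
constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum
import re


class ZoneType(Enum):
    PUBLIC = "public"
    SHARED = "shared"
    PRIVATE = "private"


@dataclass(frozen=True)
class Zone:
    name: str            # the distinct zone username; cannot be changed later
    master_account: str  # Master Account the zone was created in
    zone_type: ZoneType
    description: str = ""


def normalize_mac(mac: str) -> str:
    """Accept a 6-octet hex MAC in common notations and return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 6-octet MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reach(origin: Zone, target: Zone) -> bool:
    """True if a registration (or block) entered in `origin` applies to `target`."""
    if origin == target:
        return True
    if origin.zone_type is ZoneType.PUBLIC and target.zone_type is ZoneType.PUBLIC:
        return True  # community zone: spans every Master Account on the server
    if (origin.zone_type is ZoneType.SHARED and target.zone_type is ZoneType.SHARED
            and origin.master_account == target.master_account):
        return True  # shared only within the same Master Account
    return False     # private zones never share registrations


def can_access(mac: str, registered_in: Zone, target: Zone, blocks) -> bool:
    """Decide whether a device registered in `registered_in` may use `target`.

    `blocks` is an iterable of (mac, zone) pairs entered on MAC Access pages.
    A matching block always wins over a registration.
    """
    mac = normalize_mac(mac)
    for blocked_mac, block_zone in blocks:
        if normalize_mac(blocked_mac) == mac and reach(block_zone, target):
            return False
    return reach(registered_in, target)


# Constructed zones for two Master Accounts on one Zone Control server.
DELI = Zone("deli_public", "acme", ZoneType.PUBLIC, "Public zone at the Deli")
PIZZA = Zone("pizza_public", "other_co", ZoneType.PUBLIC, "Public zone in the Pizza Parlor")
SHOP_A = Zone("shop_a", "acme", ZoneType.SHARED, "Shared zone, shop A")
SHOP_B = Zone("shop_b", "acme", ZoneType.SHARED, "Shared zone, shop B")
FOREIGN_SHARED = Zone("other_shop", "other_co", ZoneType.SHARED)
OFFICE = Zone("office", "acme", ZoneType.PRIVATE, "Staff only")

if __name__ == "__main__":
    blocks = [("AA-BB-CC-DD-EE-FF", SHOP_A)]  # block entered on shop A's MAC Access page
    print(can_access("00:11:22:33:44:55", DELI, PIZZA, blocks))    # public to public
    print(can_access("00:11:22:33:44:55", SHOP_A, SHOP_B, blocks)) # shared, same account
    print(can_access("aa:bb:cc:dd:ee:ff", SHOP_B, SHOP_B, blocks)) # blocked via shop A
```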
The main display has links to allow the following:

- Monitor currently active sessions
- Change the settings controlling the configuration of the zone
- Create reports based on different time criteria
- Download created usage reports in either Microsoft Word or Excel format
- Control access to the zone or zones based on the MAC address of wireless devices
- Add, Edit, Delete, Activate or Suspend client accounts in the zone

ZoneCD Gateway Server Operation

The ZoneCD Gateway server software is based on the Morphix/Knoppix LiveCD system. This is a Debian Linux derived operating system configured to run entirely from a CD-ROM and RAM. The ZoneCD system is configured to use a floppy disk or USB memory device for storage of the configuration and customization files for the system. A hard drive is not required for the PublicIP system to operate – just a floppy drive or USB memory device and a CD-ROM drive (along with the rest of the computer, of course).

Currently there are several versions of the ZoneCD software – the released version was described above, but there are some beta versions that support Wireless NIC interface cards based on the Prism (II/2/2.5/3) chipset and that will store the ZoneCD volatile information on a USB memory device instead of a floppy. There is even a beta version that installs to a hard drive or compact flash, where the volatile information is stored on the hard drive or compact flash. These versions are still beta versions and as such should only be used in test environments until they have been fully debugged. I mention them here to show there is still ongoing development of the ZoneCD Gateway server software to add new and exciting features to an already rich feature-set! At the time of this writing the above-mentioned beta versions were not ready for “prime time”, but this project moves at such speed you would be wise to check the website for the current status of these betas!
The ZoneCD has two very important services (application programs) running that enable the system to operate as a self-contained WiFi gateway – NoCat and DansGuardian.

NoCat Captive Portal

The central feature of the ZoneCD is a custom version of the Open-Source “NoCat” program. NoCat is an application that redirects outbound web traffic to a login or splash page if the client is not already logged into the system when the system is in the “closed mode” of operation. NoCat has been extensively customized to allow it to work with the Public IP servers. These customizations and code re-writes enable remote configuration, accounting, bandwidth control (both uplink and downlink based on client classification), client classifications and network usage limits.

There are two modes in which the NoCat application may operate – one mode mentioned earlier is the Closed Mode, the other is Open Mode.

Open Mode

The Open Mode should be used when all you want is a simple splash page and you require no registration or login to access the Hotspot location. Open mode requires no registration for your users to use your WiFi zone. A user opens their web browser and is redirected to the ZoneCD splash page. Firewall rules and the splash page can be customized by editing and adding files on the configuration floppy (described later in the documentation).

Open mode does not use Public IP's Control server and no registration is required with PublicIP to operate in this mode. There is no information shared between the ZoneCD and PublicIP in Open mode. PublicIP has no idea who, or how many people, are using the ZoneCD in Open mode. Privacy is your right, and rights are respected here.

Closed Mode

The Closed Mode works with PublicIP's flagship system – the Zone Control Server. Booting the ZoneCD into Closed mode will enable all the features available in the Zone Control Server: User Authentication, User Classes, Time Limits, Download Limits, Open and Close times, and many other features.
Closed mode will not allow access to the Internet unless the end-user registers for your Zone. However, you do have an option to allow anonymous access in Closed mode. This is useful when you do not want to require registration, but still want a login box to allow a user to log in to get privileged access. It is also a way to take advantage of the Zone Control Server to regulate end-user resource usage.

Closed mode allows you to assign different rights and permissions to different users while they are connected to your WiFi zone. There are four user classes. These classes are totally customizable and are covered in more detail during the setup of your Zone in the Zone Control Server.

End-User Classes (and default settings for each class):

- Protected: ALLOWS traffic on ports 80, 443, and 110. Web Content filter enabled.
- Liberated: BLOCKS traffic on ports 21, 25, 445, 1214, 3689, 6667, 6699. Content filter disabled.
- Trusted: Firewall disabled. Content filter disabled.
- Super: Given network priority – its traffic has higher priority than the other classes. Firewall disabled. Content filter disabled.

The use of client classification allows you to control different aspects of the client’s resource usage and whether or not they receive website content filtering. The Anonymous login mentioned earlier can be assigned to any one of the first three classes – this is useful when you want to allow anonymous access but also want to control what type of resources, bandwidth and filtering requirements an anonymous client receives. Configuring the anonymous login for the Protected Class allows you to set up what ports (services) are available to the client, the Liberated Class allows configuration of what ports are blocked, and the Trusted Class gives a client much greater freedom to access the system. How much access to the zone you want to allow will dictate which of the three you might want to use for anonymous access.
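The following added Python example (not ZoneCD code) encodes the four class defaults listed above and shows the practical difference between the Protected allow-list and the Liberated block-list by rendering each class as a set of iptables-style rules. The ZoneCD's real firewall script is generated from the Zone Control server configuration and is not shown in this document; the chain names, the assumption that the listed ports are TCP, and the anonymous-login check are this example's own.

```python
"""Per-class firewall and content-filter defaults for a PublicIP zone.

Added example, not ZoneCD code. It encodes the four End-User Class defaults listed
in the documentation. Ports are treated as TCP destination ports, chain names are
this example's own, and the rendering to iptables-style rules illustrates the
allow-list vs. block-list distinction rather than the ZoneCD's actual firewall script.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class ClassPolicy:
    name: str
    allowed_ports: Optional[FrozenSet[int]] = None   # allow-list (Protected style)
    blocked_ports: FrozenSet[int] = frozenset()       # block-list (Liberated style)
    firewall: bool = True
    content_filter: bool = False
    priority: bool = False
    anonymous_allowed: bool = True


# Default settings for each class, as given in the documentation.
CLASS_DEFAULTS = {
    "Protected": ClassPolicy("Protected", allowed_ports=frozenset({80, 443, 110}),
                             content_filter=True),
    "Liberated": ClassPolicy("Liberated",
                             blocked_ports=frozenset({21, 25, 445, 1214, 3689, 6667, 6699})),
    "Trusted": ClassPolicy("Trusted", firewall=False),
    # Super is the one class the documentation does not offer for anonymous logins.
    "Super": ClassPolicy("Super", firewall=False, priority=True, anonymous_allowed=False),
}


def port_allowed(policy: ClassPolicy, port: int) -> bool:
    """Apply the class policy to one outbound TCP destination port."""
    if not policy.firewall:
        return True
    if policy.allowed_ports is not None:
        return port in policy.allowed_ports      # allow-list: default deny
    return port not in policy.blocked_ports      # block-list: default allow


def anonymous_policy(class_name: str) -> ClassPolicy:
    """Class to use for anonymous logins; only the first three classes qualify."""
    policy = CLASS_DEFAULTS[class_name]
    if not policy.anonymous_allowed:
        raise ValueError(f"{class_name} class cannot be used for anonymous access")
    return policy


def render_rules(policy: ClassPolicy) -> list:
    """Render the policy as iptables-style rules for a per-class chain (illustrative)."""
    chain = f"CLASS_{policy.name.upper()}"
    rules = [f"-N {chain}"]
    if not policy.firewall:
        rules.append(f"-A {chain} -j ACCEPT")
    elif policy.allowed_ports is not None:
        for port in sorted(policy.allowed_ports):
            rules.append(f"-A {chain} -p tcp --dport {port} -j ACCEPT")
        rules.append(f"-A {chain} -j DROP")    # allow-list: everything else dropped
    else:
        for port in sorted(policy.blocked_ports):
            rules.append(f"-A {chain} -p tcp --dport {port} -j DROP")
        rules.append(f"-A {chain} -j ACCEPT")  # block-list: everything else passes
    return rules


if __name__ == "__main__":
    for name, policy in CLASS_DEFAULTS.items():
        print(f"# {name}: content filter {'on' if policy.content_filter else 'off'}"
              f"{', priority traffic' if policy.priority else ''}")
        print("\n".join(render_rules(policy)))
```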
An example would be: you have a location where you provide a product or service and you want to allow clients to connect to the wireless hotspot as anonymous clients if they are not using your product or service (a marketing tool – free draws a crowd!). You have decided you want to place anonymous client logins into the Protected Class. Here you can specify what ports (services) are available and their bandwidth for uplink, downlink and total bandwidth used, as well as how long they can stay connected per day.

Now, say they do use your product or services – you can give them a login that places them into the Liberated Class. Here you can set up the uplink, downlink and total bandwidth to a higher level than the client would receive as an anonymous client, and you can set up what services are “blocked” instead of allowed, opening more services to them as well – you can set the time limits higher, as well as disable web content filtering if you so desire!

As you can see there are some nice features in using classes for clients – you could even set up the Trusted Class for clients who are frequent customers and give them still greater freedom of use! If you don’t want to limit clients as to what they can do, or just want to have a free hotspot with the same limitations for all – that can be done as well!!!

DansGuardian Content Filtering

DansGuardian (http://dansguardian.org) is an award-winning web content filter for Linux, FreeBSD, OpenBSD, NetBSD, Mac OS X, HP-UX, and Solaris operating systems. When web content filtering is active DansGuardian uses Squid (http://www.squid-cache.org), a proxy web server (and more), to do all of the web page retrievals the client requests; Squid passes the web page content to DansGuardian for filtering. DansGuardian filters web pages using multiple methods. These methods include URL and domain filtering, content phrase filtering, PICS filtering, MIME filtering, and file extension filtering.
It is possible to link DansGuardian to outside filtering files to allow dynamic content filtering capabilities – this is outside the scope of this document. You can find further information on the DansGuardian website or the PublicIP forums.

The ZoneCD can be configured to use content filtering in the Protected and/or Liberated User Classes. It can be turned off in each of these classes or disabled system-wide. The “content phrase filtering” will check for and block pages that contain profanities and phrases often associated with pornography and other undesirable content. Content filtering can be turned off for individual users by identifying the user as Liberated or Trusted in the Zone.

The ZoneCD content filters work using a variety of methods:

- Text and HTML pages are scanned for obscene (sexual, racial, violent, etc.) content.
- Sites using the PICS (Platform for Internet Content Selection) labeling system (http://www.w3.org/PICS) are filtered by their labels.
- Files are blocked according to MIME type and file extension (.exe, .mp3, etc.) *See Appendix-G for list*
- URLs are blocked according to Regular Expressions.
- All files > 2MB are blocked.

The filtering basically serves two purposes:

1. It prevents end-users from viewing inappropriate content that could possibly offend your other customers or visitors.
2. It prevents end-users from using all of your bandwidth for downloading music, movies, and program files, by blocking MIME types.

The filtering is controlled by configuration files that are loaded during the bootup process. There are default configuration files which you can change to suit your specific filtering needs.

NOTE: To get the full benefit of the DansGuardian software you may want to increase the amount of memory in the ZoneCD Gateway computer to at least 256 MB. DansGuardian uses caching to save recently visited websites so it will work faster with more memory.
DansGuardian also uses the Squid proxy server to handle the web pages, and Squid also performs web content caching to improve speed – both combined could exceed the total RAM installed in the computer and cause the system to stop operating if it runs out of memory.

ZoneCD Features

The features available to you depend on the mode in which you configure your ZoneCD to operate. The ZoneCD can operate in two modes, Open or Closed. Many of the Closed mode features are actually features of the Zone Control on the Master Control server. These features are available when the ZoneCD is operated in Closed mode and are not necessarily on the ZoneCD itself. In Closed mode the ZoneCD downloads its operating configuration from the Zone Control server to implement some of the features listed. Other features are possible because the Zone Control server handles all the accounting for the Zone and generates all the reports on usage by the clients. The following lists the features of each mode of operation:

Open Mode Features (stand-alone operation)

- Homepage Redirection
- Customize ZoneCD splash page
- Content Filtering (block porn, downloads, etc.) – manual configuration
- Customize Firewall rules – manual configuration
- DansGuardian configuration files stored on the volatile storage medium (floppy or USB memory device – configuration will survive a reboot)

Closed Mode Features (uses the PublicIP Zone Control Server)

- User authentication/registration
- Homepage redirection
- Bandwidth shaping
- Daily time limits
- Daily download limits
- Zone open and close times
- Block by MAC address
- Configure end-user network permissions (Classes)
- Customize firewall rules for each Class
- Content Filtering (block porn, downloads, etc.)
- Daily Log Mailer program
- Block traffic to *wired* network
- Customize ZoneCD login pages
- Branded "Terms of Use" template or use your own
- Usage statistics
- Multilingual login pages (Dutch, French, German, Spanish, English)
- End-User reporting
- DansGuardian configuration files stored on the volatile storage medium (floppy or USB memory device – configuration will survive a reboot)

Features included in the 6.x ZoneCD Package:

1. Auto-configuration for Prism PCI and PCMCIA cards

One of the previous requests for inclusion in the ZoneCD system was the ability to use wireless NIC cards for the wireless side instead of a wireless router or Access Point device. The inclusion of the Prism wireless NIC drivers allows the ZoneCD Gateway Server to use wireless NIC cards in place of a wireless router or Access Point.

2. Firmware and HostAP utility for cards with SSF

Host AP is a Linux driver for wireless LAN cards based on Intersil's Prism2/2.5/3 chipset. The driver supports a so-called Host AP mode, i.e., it takes care of IEEE 802.11 management functions in the host computer and acts as an access point. This does not require any special firmware for the wireless LAN card. In addition to this, it has support for normal station operations in BSS and possibly also in IBSS. WPA and RSN (WPA2) are supported when used with the accompanying tools, wpa_supplicant (WPA/RSN Supplicant) and hostapd (WPA/RSN Authenticator). You can find the details about HostAP at the following website: http://hostap.epitest.fi

The package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

3. Auto-reboot dialog configuration

The auto-reboot feature allows you to set up the ZoneCD Gateway Server to automatically reboot at a set time during the night.
Rebooting the system on a regular schedule "resets" all of the resources (mainly the RAM disk in system memory) so the system does not experience an "out of memory" error, which has caused the system to crash in a limited set of user installations.

4. Samba 3.0.10-1
The Samba package was included in the distribution to allow sharing of the file system with Windows-based PCs. You can set up the system to allow one or more computers access to the filesystem of the ZoneCD Gateway Server for the purposes of monitoring. You can find the details about Samba at the following website: http://us1.samba.org/samba
This package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

5. xdm 4.3.0
XDM (the X Display Manager) can be thought of as a graphical replacement for the command line 'login' prompt. In reality, it can do much more than that. Typically, it would be started by the 'root' user (or the system startup scripts) on power up, and would present a user with a graphical login prompt. It will then manage the user's X session once they log in - i.e. it will initiate the running of their window manager and applications. XDM allows you to use an X-Windows package on a Windows computer and communicate with the ZoneCD Gateway server as if you were at its console running the GUI. You can find the details about xdm at the following website: http://www.faqs.org/docs/Linux-mini/XDM-Xterm.html
This package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

6. rxvt
rxvt is a colour vt102 terminal emulator intended as an xterm(1) replacement for users who do not require features such as Tektronix 4014 emulation and toolkit-style configurability. This package was included to allow running the LessX mode for the display on the ZoneCD Gateway Server.

7. poptop (pptpd) (w/ radiusclient)
Poptop is an open source implementation of a PPTP (Point to Point Tunneling Protocol) server. Poptop provides full interoperability with the Microsoft PPTP VPN client. The inclusion of the radiusclient code allows the use of a RADIUS server to control who can use the VPN link. You can find the details about poptop at the following website: http://www.poptop.org/
This package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

8. ppp
PPP (Point-to-Point Protocol) is used to connect two host machines over a serial interface. This is the method most often used to connect across a DSL or cable modem line, but it can also be used across a dialup modem line. This package was included to allow the ZoneCD Gateway Server to connect directly to DSL or cable modems for direct connectivity to the Internet.

9. asterisk
This feature was added at the request of the forum. In a nutshell, Asterisk is a complete PBX in software. It runs on Linux and provides all of the features you would expect from a PBX and more. Asterisk does voice over IP in three protocols, and can interoperate with almost all standards-based telephony equipment using relatively inexpensive hardware. Asterisk needs no additional hardware for Voice over IP. You can find the details about asterisk at the following website: http://www.asterisk.org/
This package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

10. zaptel 1.0.2-2
Zaptel is a series of interface driver utilities used by the Asterisk PBX system to interface to Digium interface cards, allowing telephony hardware connectivity. The package was included in the latest ZoneCD distribution at the request of the forums. You can find the details about Zaptel and the Digium cards at the following website: http://www.digium.com/index.php?menu=home
This package is included in the ZoneCD distribution but has not been tested as of the writing of this document.

11. PPTP pass-thru in open mode
This feature allows PPTP (Point-To-Point Tunneling Protocol), a form of VPN, to be used when the ZoneCD Gateway Server is running in Open Mode. Versions of the ZoneCD distribution prior to 6.x did not allow this capability.

12. Option for automatic formatting of USB drive if it can't be mounted
Starting with ZoneCD distribution Version 6.x the system has the capability of detecting and mounting a USB storage device in place of a floppy drive as the writable storage device. Sometimes the content of a USB drive may not allow the Linux system to detect it as a drive, and the USB device needs to be formatted for use with the system. This option allows performing the re-formatting operation.

13. cron to [re]start nocat if it crashes
The latest version of the ZoneCD distribution now tests to see if the NoCat process has crashed for some reason – and if the NoCat process is found to have crashed, the system will either restart the process or download the configuration from the Zone Control Server and restart the process. This is the same implementation as is described in the Tweaks and Tips section of this document.

14. All Dansguardian configuration files stored on writable storage
Previous versions of the ZoneCD distribution re-loaded the Dansguardian configuration files each time the system was rebooted – any changes made were lost. The system now saves the configuration files on the writable storage device and restores the configuration across reboot operations.

15. SSH key pairs generated at boot and saved to config medium
When using the ssh capabilities in previous versions of the ZoneCD distribution, the system had to re-generate the ssh key pairs used for secure encrypted communications each time a new ssh session was started. This regeneration process added to the amount of time needed to establish the initial link to the ZoneCD Gateway Server when it was rebooted. The SSH key pairs are now stored on the writable storage device to remove this requirement.

System Requirements
Hotspot operators can use any wireless access point or wireless router with Public IP's WiFi solution. The only requirements are that the wireless access point or wireless router can have DHCP disabled and, in the case of a wireless router, that you can either connect to the LAN side of the device or set the device to work in wireless Access Point mode. However, the system adds an additional piece of hardware to your network. The ZoneCD requires a separate computer to run between the AP and the wired network. This computer acts as a gateway between the wired world and the wireless world. Because the ZoneCD is a LiveCD it cannot retain any configuration across a reboot. For this reason Public IP has created a system that will save the ZoneCD configuration to a floppy disk or USB drive. Also for the same reason, it is suggested that you use an additional router connected to the Internet to maintain your ISP connection and WAN configuration. The ZoneCD computer does not require any input/output (keyboard, mouse, monitor) devices after the initial configuration is complete, as long as the computer BIOS has configuration settings to ignore any bootup errors that may be generated from not having a keyboard attached. The ZoneCD box will run completely headless. It can also be configured to enable SSH (see the Tips and Tweaks section) for remote administration of the system.
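As an added illustration of the cron-driven check described in item 13 above, here is a small watchdog of the kind that would be run from cron every few minutes. It is example code written for this document, not ZoneCD's own script: the pid-file location, the restart command and the log path are assumptions, and the real ZoneCD implementation (which can also re-download the zone configuration before restarting) is described in the Tweaks and Tips section. The check deliberately treats a missing, corrupt or stale pid file as "not running", so a crash that leaves junk behind still triggers a restart, and the decision is separated from the restart so it can be exercised without starting anything.

```shell
#!/bin/sh
# Added example (not ZoneCD's own cron job): a NoCat watchdog of the kind item 13
# describes. Intended crontab entry (assumed paths):
#   */5 * * * * /usr/local/sbin/nocat-watchdog >/dev/null 2>&1

NOCAT_PIDFILE="${NOCAT_PIDFILE:-/var/run/nocat.pid}"           # assumed location
NOCAT_START="${NOCAT_START:-/usr/local/nocat/bin/gateway}"     # assumed start command
WATCHDOG_LOG="${WATCHDOG_LOG:-/var/log/nocat-watchdog.log}"    # assumed log path

# process_alive PIDFILE -> 0 if the pid recorded in PIDFILE is a live process, 1 otherwise.
# A missing file, a non-numeric pid (corrupt file) or a pid that no longer exists
# all count as "not alive"; kill -0 only checks existence, it sends no signal.
process_alive() {
    pidfile=$1
    [ -r "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -d '[:space:]')
    case $pid in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$pid" 2>/dev/null
}

# watchdog_action PIDFILE -> prints "ok" or "restart"; nothing is started here,
# which keeps the decision checkable on its own.
watchdog_action() {
    if process_alive "$1"; then
        echo ok
    else
        echo restart
    fi
}

# nocat_watchdog -> restarts NoCat only when the check says so, logs the event,
# and prints the action taken.
nocat_watchdog() {
    action=$(watchdog_action "$NOCAT_PIDFILE")
    if [ "$action" = restart ]; then
        echo "$(date '+%Y-%m-%d %H:%M:%S') nocat not running, restarting" >>"$WATCHDOG_LOG"
        rm -f "$NOCAT_PIDFILE"          # clear the stale pid file before the new start
        "$NOCAT_START" &
    fi
    echo "$action"
}
```

When installed as the crontab entry shown in the comment, the script does nothing while NoCat is healthy and writes one log line per restart, which is the record you want when you later ask why the gateway was restarting every night.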
Here's what you need to get set up:
- Any WiFi compliant wireless router or access point (meeting the requirements listed above)
- Standard router for Internet connection/firewall
- Computer with:
  - An Intel-compatible CPU
  - Minimum 128 MB RAM (2x-3x that for content filtering)
  - Bootable CD-ROM drive
  - Floppy drive (or USB memory device)
  - 2 Network Interface Cards (NICs)
- High-speed Internet connection
- Master Account login for the Zone Control Server (required if you plan to use Closed Mode)

ZoneCD Startup Sequence – Picking Oneself Up By the Shoelaces
The discussion of how the ZoneCD system loads and executes is not necessary for installing and using the ZoneCD Gateway server in its default form. If, however, you are planning to "customize" the operation of the ZoneCD beyond its default form you may want to read on. If this is of no interest to you then by all means skip ahead in the document – it is not a requirement that the document sections be read in sequence, since each section is stand-alone, but you will gain an understanding of the overall system by reading this document in the order presented.

How does the ZoneCD system run from a CD-ROM drive and not require the use of a hard drive in the system? The ZoneCD system is based on the Morphix LiveCD system (which is based on the Knoppix LiveCD system) and does not require a hard drive to operate because the entire file system for the Linux operating system "lives" on the CD-ROM – hence the name "LiveCD". This feat of magic is accomplished by setting up a file system, in a compressed format, that the Linux operating system can read and by keeping all the variable information and currently executing processes in a RAM disk set up in the computer's RAM memory.
The CD-ROM is set up by the Linux operating system to act as the "root" device using a technique called 'cloop', which allows the operating system to reside on the CD-ROM and performs all the decompression of the file system for the Linux operating system on the fly during operation.

Now – one thing you can glean from the above description of the ZoneCD system is that any information generated or stored in log files or configuration files, and any programs loaded into the system that are not off the LiveCD distribution, are lost when the system is rebooted! This is the reason for needing a writable storage device (either a floppy drive or a USB memory device). Any unique configuration information needed for the operation of the ZoneCD Gateway server is stored on this writable storage so the information will survive across system reboots and any power-down/power-up sequences (power failures, accidents, etc). You can also store scripts you want to run or HTML web pages to be displayed (splash page, custom DansGuardian message page, etc) on the storage device, and the ZoneCD system will copy them to the RAM disk in the system once the system has booted up. The techniques for performing such things are discussed later in this document.

A second thing, which is probably becoming apparent, is that you cannot install new software applications to the ZoneCD CD-ROM directly! If you want to customize the contents of the ZoneCD you will have to unpack the ISO, unpack the Morphix MainMOD module, make the changes to the PublicIP file system in terms of installation of new packages, make sure the package dependencies are covered, change any files used for information storage by the application to read from and write to the writable RAM disk instead of the CD-ROM, and handle any other item that may affect the program's operation in a CD-ROM based file system. This is not for the faint of heart to tackle!
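Item 15 of the feature list (SSH key pairs saved to the config medium) is one concrete case of the "survive across reboots" rule just described: without it the gateway presents a different SSH host key after every reboot, and an administrator who connects remotely can no longer tell a rebooted gateway from a machine impersonating it. The following is an added example of how such persistence can be done at boot time; it is not the ZoneCD init.sh code, and the directory on the writable medium, the key types and the environment variable names are assumptions. Because a FAT-formatted floppy or USB stick does not keep Unix permissions, the private key is forced back to mode 0600 after every copy, which sshd insists on.

```shell
#!/bin/sh
# Added example, not ZoneCD's own init.sh code: keep the sshd host key pairs on
# the writable medium so the gateway keeps one host identity across reboots.

KEY_TYPES="${KEY_TYPES:-rsa dsa}"                         # host key types (assumption)
HOST_KEY_DIR="${HOST_KEY_DIR:-/etc/ssh}"                  # where sshd reads its keys
MEDIUM_KEY_DIR="${MEDIUM_KEY_DIR:-/mnt/config/ssh}"       # assumed path on the writable medium

# have_keypair DIR TYPE -> 0 when both halves of the pair exist and are non-empty.
have_keypair() {
    [ -s "$1/ssh_host_$2_key" ] && [ -s "$1/ssh_host_$2_key.pub" ]
}

# copy_keypair SRC DST TYPE: copy a pair and restore the permissions sshd requires,
# since the medium (typically FAT) does not preserve them.
copy_keypair() {
    src=$1; dst=$2; kt=$3
    mkdir -p "$dst"
    cp "$src/ssh_host_${kt}_key" "$dst/ssh_host_${kt}_key"
    cp "$src/ssh_host_${kt}_key.pub" "$dst/ssh_host_${kt}_key.pub"
    chmod 600 "$dst/ssh_host_${kt}_key"
    chmod 644 "$dst/ssh_host_${kt}_key.pub"
}

# persist_hostkeys MEDIUM HOSTDIR -> prints one word per key type:
#   restored  - pair found on the medium and copied into HOSTDIR (the normal reboot case)
#   saved     - pair existed only in HOSTDIR, copied onto the medium (first boot after upgrade)
#   generated - neither had it: ssh-keygen made a new pair, which was then saved
#   missing   - no pair and no ssh-keygen; sshd would make a fresh one every boot
persist_hostkeys() {
    medium=$1; hostdir=$2
    for kt in $KEY_TYPES; do
        if have_keypair "$medium" "$kt"; then
            copy_keypair "$medium" "$hostdir" "$kt"
            echo restored
        elif have_keypair "$hostdir" "$kt"; then
            copy_keypair "$hostdir" "$medium" "$kt"
            echo saved
        elif command -v ssh-keygen >/dev/null 2>&1; then
            mkdir -p "$hostdir"
            ssh-keygen -q -t "$kt" -N '' -f "$hostdir/ssh_host_${kt}_key" </dev/null
            copy_keypair "$hostdir" "$medium" "$kt"
            echo generated
        else
            echo missing
        fi
    done
}
```

In an init script this would be called as persist_hostkeys "$MEDIUM_KEY_DIR" "$HOST_KEY_DIR" after the medium is mounted and before sshd is started; the printed words can go straight into init.log so the boot record shows whether the gateway came up with its known identity.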
There is a section in this document that describes what is needed to unpack a ZoneCD ISO so you can make changes, then describes how to re-package the ISO so you can burn a copy and test it. This document DOES NOT go into detail on "how" to modify, add or delete programs on the LiveCD – there are all sorts of Internet websites that are devoted to just this very subject! Suffice it to say – you will need a computer with at least a 10-gig hard drive, at least 256 megs of RAM, a CPU of at least 450 MHz unless you have plenty of time on your hands, and the latest Debian Linux distro or a Fedora distro (others may work but I have only used these two for ISO modification and generation). Oh – and one more slightly needed item – an understanding of Linux!!! The steps involved in modifying a ZoneCD ISO are contained in Appendix C of this document.

Knoppix – What is it??
(Note: The following description comes from the Knoppix website.)
KNOPPIX is a bootable CD with a collection of GNU/Linux software, automatic hardware detection, and support for many graphics cards, sound cards, SCSI and USB devices and other peripherals. KNOPPIX can be used as a Linux demo, educational CD, rescue system, or adapted and used as a platform for commercial software product demos. It is not necessary to install anything on a hard disk. Due to on-the-fly decompression, the CD can have up to 2 GB of executable software installed on it.

The ZoneCD PublicIP Gateway Server software is based on the Morphix LiveCD system, which in turn is based on the Knoppix system.

Knoppix Bootup Sequence
The following is a description of the Knoppix bootup sequence. I have included it in the document as the basis for the description of the Morphix system – which is a modification of the Knoppix system. The differences are minor, so a description of Knoppix is needed before describing the Morphix system in the next section.
There are three stages of bootup involved with the Knoppix system:

Stage-1 – Initial Startup
In stage 1 of the boot process, the Linux loader LILO from the boot section of the El Torito [5] 1.44 MB floppy image on the CD-ROM tries to read the kernel (currently 2.4.x) and a 4 MB compressed initial ramdisk. The size of this initial ramdisk determines the minimal amount of memory needed to use the distribution.

Stage-2 – System Configuration
In stage 2, the boot ramdisk tries to autoprobe for the most common SCSI adapters and identifies the CD-ROM drive where the Knoppix CD is located. The minirootdisk features a statically linked shell with commands like "mount" built in, since the space on the boot floppy is limited. For compatibility with current floppy drives, only a 1.44 MB floppy image is used on the CD instead of a 2.88 MB one. The boot script tries to find the Knoppix CD by mounting all CD-ROM drives and checking for a directory KNOPPIX that may contain a directory tree for the root filesystem, or a file with the same name containing a compressed iso9660 image of the file system, which is then mounted via the cloop device. If no CD is found, an attempt is made to find the KNOPPIX directory on an existing ext2 hard disk partition containing a complete installation tree. In either case, symbolic links are set to the uncompressed (or transparently decompressed) directory tree. After the CD has been mounted, the dynamic library cache and paths are initialized and space is freed on the root ramdisk by removing files that are no longer needed for the setup process. If a swap partition is detected during the device/partition scan, an attempt is made to utilize it via the "swapon" command to increase workspace for applications. Also in this stage of the system startup, additional ramdisks are mounted with a writable ext2 filesystem for /home and /var. Their size is adapted from the available amount of real memory.
Symbolic links to system directories are created and control is given to init.

Stage-3 – Final Configuration
In stage 3 of the boot process, init calls a finalizing setup script named sysinit. In this script, the automatic (or manual, if "expert" mode was selected) hardware setup is done. hwsetup - a self-made tool that uses the kudzu library [4] - detects devices, loads all necessary driver modules for known hardware, sets up symbolic links in /dev and writes configuration parameters and options to the corresponding files in /etc/sysconfig/ on the ramdisk. Parameters that cannot be autodetected (frequency ranges of old monitors, desired keyboard layout, language) are assumed with reasonable defaults. A single X-Window session is started if the graphics hardware has been identified correctly. The default is truecolor at a resolution of 1024x786 pixels if possible, or 800x600/640x480 at 8-bit if the graphics adapter cannot handle higher resolutions or color depths. If detected, the accelerated XFree (3.3) drivers are used with specific options depending on the detected graphics adapter. The KDE desktop manager (currently Version 2.0 beta 3 as of this writing) is started only if there is at least 30 MB of RAM left after all ramdisks are mounted and all necessary device drivers are loaded. Otherwise, a less memory-consuming window manager (like twm) is used, if XFree can be started at all. Network device parameters can be set with a tiny dialog-based GUI from within KDE, if needed.

Morphix vs. Knoppix
The Knoppix loading system described above gets the main Linux system loaded but is not very flexible in its implementation or in the way you would need to make changes. Morphix is built from the existing Knoppix and Debian GNU/Linux distributions. But Morphix is modular; this means that it consists of a number of parts which together form a working distribution. The modularity is invisible to the user, except for the startup output on the console.
Morphix System Description
(Note: The following comes from the Morphix website with some comments added.)
Morphix is modular, making it really easy to change as little or as much as you want. The following directory descriptions are included here so you will have the basic information on how a Morphix system is set up. I have annotated where the changes are made from the basic Morphix package to implement the ZoneCD Gateway Server system. We will look at each of the directories on a Morphix live CD and how they would allow you to change your live CD. The main difference is the file types: the first three (/base, /mainmod and /minimod) are compressed filesystems (modules); the last three are provided for extra flexibility. Morphix' modules can be compressed using a number of compression techniques, like cloop, squashfs or zisofs. In the ZoneCD version we use the cloop system of file compression to allow real-time decompression operations.

/base
This directory contains the normal boot files, similar to the /KNOPPIX directory. The morphix file is comparable with the KNOPPIX file in this directory. It is a lot smaller (~30MB) however, and contains only the bare necessities for getting the system up and running. Kernel, kernel modules and hardware detection reside in the boot.img and morphix files.

/mainmod
A mainmodule is essentially the filesystem after the live CD has booted up. It contains everything ranging from the command-line tools to the window manager and graphical applications. Typically, most software of a Morphix ISO is kept in the mainmodule. Once base has done its work, it attempts to find any files in the /mainmod directory of the live CD. If there are multiple files, it will prompt the user to select one of these mainmodules. If there are none, the user will be dropped to a bash prompt. We only have one mainmod file in this directory, so it is selected automatically.
The name of the file is aptly publicip.mod, and it is a cloop-compressed filesystem of the ZoneCD Gateway server file system. Any changes you might want to make to the Gateway server would be done in this file.

The mainmodule that gets selected (automatically or manually) is then mounted. The base module scripts link the necessary directories and copy the detected configuration files into the mounted mainmodule. The system will then chroot into the directory of the mounted mainmodule. Scripts in the /morphix directory of this mainmodule are executed too. For example, in a normal Morphix LiveCD you use the "startx" command to bring up your favorite window manager and you can do business as usual, without even noticing the modular structure of Morphix underneath. The file called init.sh in the /morphix directory is listed later in this document – this is the script file that configures the ZoneCD system for operation and starts all the relevant processes to support the ZoneCD Gateway server operation. Be very careful if you make changes to the init.sh contents – if this file is "broken" your ZoneCD Gateway server may not even boot up completely…

/minimod
We do not use any minimods in the ZoneCD system, but I include the information here just to be complete in the description of the Morphix LiveCD system. You can find out more information about minimods on the Morphix website (www.morphix.org) in their FAQ section. Minimods are the third type of module in the Morphix system. Essentially compressed images with a script inside, minimodules can be as simple or complex as you would like them to be. They are mounted alongside the mainmodule at boot time. There are minimodules for console-specific tools, Q3A and UT2k3 demos, OpenOffice.org, Speedtouch USB modems, PHP4/Nanoweb/MySQL, and a whole range of others.
Morphix offers preliminary scripts to autogenerate these minimodules from Debian packages; however, this is an area still under quite a lot of discussion and development. You are able to make more down-to-earth changes using minimodules. If you want to have different minimodules containing different home directories for your live CDs, take a look at CDPersistant, which even allows you to burn your home directory directly to a running live CD using multisession CD-ROMs, or Xbroadcast, which will attempt to locate remote XDMCP hosts on your local network. Needless to say, minimodules offer an extreme amount of flexibility, maybe even too much. For this reason, the following three directories for applying changes to your live CD at boot time have received a place in Morphix over the last year. No more do you have to rebuild your compressed images for small changes.

/exec
We do not use any scripts, so there is nothing in the /exec directory in the ZoneCD system, but I include the information here just to be complete in the description of the Morphix LiveCD system. If you simply want to start a few bash scripts at boot time, this directory is the place to put them. Knoppix gives you a single filename that is executed at boot time; Morphix gives you a directory.

/copy
We do not use any of the abilities of the /copy directory in the ZoneCD system, but I include the information here just to be complete in the description of the Morphix LiveCD system. Using translucency, the overlay technique in Morphix, you can place files anywhere on the filesystem. This is of course handy for minimodules, but also for more simple purposes. Place a file in /copy/etc and it is placed in /etc of your live CD. Place a file in /copy/usr/local and it is placed in /usr/local.

/deb
We do not use any of the abilities of the /deb directory in the ZoneCD system, but I include the information here just to be complete in the description of the Morphix LiveCD system.
Throw a Debian package in here and, if your mainmodule supports dpkg (i.e. it is Debian-based), the package is installed at boot time. Since this uses dpkg directly, you will need to make sure you handle your own dependencies for any packages you add here. As installing Debian packages does cost some RAM, make sure you don't throw too many packages in here (it also increases the time your live CD takes to boot!). When wanting to install large packages, using mini/main modules quickly becomes a better alternative.

The main difference between a standard Morphix LiveCD distribution ISO and the ZoneCD ISO is in the mainmod directory, which contains the publicip.mod file.

PublicIP Initialization Sequence
The /morphix/init.sh script is responsible for configuring the ZoneCD system for operation. The following is a detailed description of this important shell script. This is an overview of the init.sh script of the ZoneCD system and as such is subject to change with each revision – most changes are minor in nature, but you have been warned.
1. The first thing the init.sh script does is execute the configure.sh script to check whether changes need to be made to the ZoneCD Gateway Server configuration. This second script, which is called by the /morphix/init.sh script, is responsible for determining if the ZoneCD Gateway server has been configured or not – if yes, it displays a screen allowing you to change the configuration if you want to; otherwise it proceeds to ask for the information about the configuration of the ZoneCD Gateway server (static or dynamic IP; if static, then the IP, netmask, gateway and DNS settings to use; and other items that need to be known to the system during the bootup process).
2. Next – check to see if there is a pre.sh script for the system. The pre.sh script would be used to run any commands or sub-scripts you might need to run prior to configuring the system. An example might be a driver for a network card that is not in the original distribution.
You would place the commands to load and configure the driver in the pre.sh script so the system would be able to use it when the system starts its configuration.
3. Now – we start to check the network interface configuration in the system to determine what we need to do to initialize the interfaces… Is the eth0 interface static or dynamic? If static, then set up the interface with the settings we configured for the ZoneCD Gateway server… otherwise configure the eth0 interface for DHCP operation…
4. Once we have determined the network interface configurations for eth0 and eth1 we configure and activate the interfaces.
5. Update the system's hosts file in the etc directory for system operation.
6. Start up the DNS masquerade daemon for the clients' DNS requests… this process acts as a DNS proxy for client DNS requests…
7. Check to see if we are running in Open Mode or Closed Mode:
   1. Check to see if there is an ID and Key for the zone – if not, then either the Gateway server has not previously logged into the Zone Control server for the zone and we need to have that done, or we are running in Open mode and this is not required – Open mode does not communicate with the Zone Control server and would not need this…
   2. If we are running in Closed mode we need to download the zone configuration information from the remotely located Zone Control server.
   3. Otherwise – we are running in Open mode, so inform the operator and continue on…
8. Are we running website filtering???
   1. If YES – start the Dansguardian web content filtering program…
   2. If NO – continue on…
9. Now – we create the ZoneCD configuration file and make some required files writable for the system's proper operation. Inform the operator we are performing this step.
10. We now need to set up the hostname for the ZoneCD Gateway server – do not change this!
11. At this point we need to set up the email system to allow the ZoneCD Gateway server to send email messages – this is the way the server sends the bootup, nocat, dansguardian and reboot messages out to the email address set up in the zone's configuration on the Zone Control server… these email messages do not originate from the remotely located Master Zone Control server.
12. Start up the ntpdate daemon to get the GMT time and keep it accurate.
13. Let the user know where we are in the bootup process… Now – we start most of the daemons (background processes) that run on the system…
14. If we are running Dansguardian we start up the squid and dansguardian processes…
15. Start up the exim email handler.
16. Start up the cron task scheduler.
17. Set up the custom shutdown script.
18. Activate eth1 for operation.
19. Start up the dhcpd server for eth1 and report status…
20. Start up the NoCat Gateway Portal process.
21. Set up and configure the publicip user directory and info… This is the system user that runs some of the processes like the GUI…
22. Set up to run the lessX interface if we are not running the GUI interface on the console…
23. Set up the communications encryption files used to communicate with the Zone Control server – all communications are encrypted to protect the private login information of clients logging in and to keep someone from spoofing the Gateway server by posing as the Zone Control server… If there are any post-startup script commands this is where we execute them…
24. Check to see if there is a custom init.sh script and if so, execute it!
25. Finish building the init.log content to show the health of the system, what processes are running, what the configuration of the NIC interfaces is and whether the control server can be pinged or not…
26. Send any log files the operator has previously set up for sending…
27. Beep a couple of times to let the user (operator) know we are up and running – handy for those headless systems!
28. Now – see if we are running the GUI or LessX and start things accordingly… We are done and the system is up and running!

ZoneCD Bootup and Configuration – What You See… And What You Do…
The above discussions are the details of what comprises the operating system and how the system boots up. The following section shows you what to expect during the bootup process for the ZoneCD Gateway server and what the questions are asking you for during the bootup and configuration stages when you boot up the system for the first time. Don't worry if you put the wrong information into the system – there is a method to change all of the settings, so all you will have to do is reboot the system and answer the questions correctly to fix the problem.

NOTE: The following displays and discussion are based on ZoneCD Version 6.x – previous versions will not have all of the following capabilities but will have similar screens minus the missing capabilities of that release (the automatic reboot capability is one such feature).

Initial Bootup Splash Screen Display
Once the computer system has finished performing its POST bootup process, it starts the bootup process of the ZoneCD Gateway server software. The above screen is the first screen displayed on the console (monitor) of the computer. What you may not realize is you can "break out" of the initial auto-boot process by pressing the F2 key on the keyboard when this splash screen is first displayed. Normally you would not need to do so, but there may be some reason you need to change some facet of the bootup process – you may be using an older monitor that is not capable of 800 x 600 resolution (OK – a REALLY OLD monitor!). Pressing F2 on this screen displays some options you can use for booting up that would take this into account.

Morphix Initial Bootup Information Display
This is the first screen you see when the system starts its bootup process after the display of the bootup splash screen.
There is a great deal of information displayed during the bootup process, but there is no way to "halt" the screen updates in order to read the content. Don't worry – if you want to see what was said you can do this once the system has booted up by typing the command "dmesg | less" on the console in a terminal window. More information is found in Appendix D, which explains some Linux commands, how to use them and some basic trouble-shooting methods.

Just a couple of items you may want to watch for during the bootup process, which can help in trouble-shooting issues:
- Total Memory found – This line displays the total memory the Linux system thinks is in the system. If you are running an older motherboard you may have some issues here – it depends on how the motherboard detects the memory installed and what the BIOS reports. Most of the time this is not an issue, but I include it here as one item to watch…
- USB messages – If you are using a USB storage device you want to make sure the Linux system finds the USB controller and initializes it. Sometimes, on older motherboards with first generation USB controllers, there are issues since the first USB controllers did not follow any standards for operation. Most of the USB controller drivers are included in the Morphix distribution, but there is always that pesky one or two that are not. This would be the method to determine if the Linux system did find the USB controller…

USB Formatting Utility Input Display
If you are using a USB storage device in place of a floppy drive, the system will check to see if it can "mount" the device (similar to how a partition is mounted on a hard drive). If the system cannot mount the device then you will be presented with the screen above. The most likely cause for this screen being displayed is that there is something on the USB device and it is not recognized as a valid filesystem the Linux system can mount.
If you know there is nothing on the device (that you want to keep), selecting Yes will proceed to the USB formatting utility section to format the USB device with a filesystem the Linux system can use. Anything on the USB drive will be erased! If you have information on the USB device you do not want to lose, you need to save the information off of the USB device before continuing. By selecting No the USB device will not be re-formatted by the system and will not be used as the writable storage device for the system.

USB Device Formatting Utility Information Display
This is the screen you will see when you select "Yes" on the previous screen. The screen presents information on the status of the re-formatting and configuration of the USB device for use by the system as writable storage.

NOTE: The information displayed above may not be the same as to the number of inodes and blocks – this is because different sized USB storage devices will have different block counts. What you should be interested in is the fact that it completes successfully – no errors displayed…

ZoneCD Gateway Server License Acceptance Input Display
Once the system has found (probed for) all the hardware to determine what hardware drivers to load, the system will display the License Acceptance screen for you to review. There should not be any reason not to accept the license agreement – it is based on the GNU copyleft license, which has been around for many years for open source software. If you select No then the software will halt the system. If you select Yes the system will proceed with the bootup sequence.

ZoneCD Writable Media Not Found Error Display
The above screen will be displayed if the system could not detect either a USB storage device or a floppy disk in the floppy drive (or there could be no floppy disk drive at all).
If you had not inserted a floppy disk or connected a USB storage device to the Gateway server you need to do so now and press the ENTER key. If you already have a USB device connected or a floppy disk in the floppy drive there is some other problem that needs to be resolved before you can continue! The ZoneCD Gateway server requires at least one form of writable storage to keep its configuration information available through system reboots. Without a writable device you cannot continue…

There could be a couple of reasons the system did not detect either a floppy drive or a USB storage device:
1. The floppy drive is bad, the cable is not connected or improperly connected, and/or the floppy disk is bad.
2. The floppy drive is disabled in the computer's BIOS settings.
3. The USB controller is disabled in the computer's BIOS settings.
These examples are usually what cause most of the problems when configuring the computer for use with the ZoneCD system.

ZoneCD Gateway Welcome & Setup Utility Configuration Input Display
The ZoneCD Gateway server will display the above screen every time the system is rebooted. If this is the first time through a bootup of the system you want to select YES to configure the ZoneCD Gateway server for operation. Once you have configured the system the message displayed above will be slightly different – it will say "YOUR SYSTEM IS ALREADY CONFIGURED". You can still change the configuration by answering YES.

NOTE: You only have five seconds to make a response – don't go for coffee at this time!

If you have already gone through the ZoneCD Gateway server configuration and do not want to make any changes then you do not need to do anything. The system will continue on with the bootup sequence after about 5 – 7 seconds.
This mode of operation allows for unattended rebooting of the system in the event of a power cycle (loss of power), a reboot command you issued remotely, or the auto-reboot time being reached and the system rebooting automatically. If you have already gone through the ZoneCD Gateway server configuration and need to make changes, answer YES. Selecting YES runs the system through the configuration menus the same as if the system were being booted for the first time.

NOTE: The system does not automatically "fill in the blanks" in the configuration menus with the current settings from a previous configuration. You will need to fill in all the information again when you make changes to the system.

If you don't do anything during the initial bootup of the ZoneCD Gateway server, the system defaults to the following settings:

Closed Mode
Eth0 DHCP Mode

ZoneCD Gateway Open or Closed Mode Selection Input Screen

The above screen is where you select whether the ZoneCD Gateway server will operate in "Closed" or "Open" mode. The difference between the Closed and Open modes of operation has to do with how the ZoneCD Gateway server handles clients connecting to the zone.

If you select Open mode, the ZoneCD Gateway server displays either the default splash page or a custom splash page you have loaded onto the writable storage device. Either way, the client sees a "Continue" button which they have to click to get past the splash page and gain access to the Internet. You can set up web content filtering for the clients, but you do not have any direct method to control bandwidth utilization or login capabilities, and you do not get any accounting information about the client's use of the system.

If you select Closed mode, the ZoneCD Gateway server downloads its configuration information from the Zone Control server at boot time.
This implies you have already created a Master Account on the (remotely located) Zone Control server and created a Zone account within the Master Account. If you have not done so, you must create the Zone under your Master Account on the Zone Control server before you can continue setting up the ZoneCD Gateway server.

NOTE: If you do not want to use the ZoneCD Gateway server in Closed mode (the default selection), use the down arrow key to highlight the Open Splash Only selection, press the SPACEBAR key to select the highlighted selection (this places an X in the selection box), then press the ENTER key. If you just highlight the selection but don't select it, you will be using Closed mode. Don't blame me, that is the way the system works!

Open Mode Web Content Filtering Selection Input Display

If you selected Open mode for the ZoneCD Gateway server you are presented with the above screen. It allows you to select whether you want web content filtering active or not. Selecting "Yes" activates the DansGuardian web content filtering system and also the Squid web proxy server to handle the clients' web requests. Handling the web requests by proxy is what gives DansGuardian the ability to see all web traffic in order to make filtering decisions. Selecting "No" deactivates the DansGuardian web content filtering system and also disables the Squid web proxy server. Neither of these two programs will load and execute if web content filtering is disabled.

NOTES:

1. You are not presented this display if you select Closed mode for the ZoneCD Gateway server. In Closed mode you control whether the web content filtering system is active for the Zone on the (remotely located) Zone Control Server instead of as a selection on the ZoneCD Gateway server. This configuration information is downloaded from the Zone Control Server by the ZoneCD server at boot time.

2. The use of the web content filtering system places additional demands on the amount of RAM you should have in the ZoneCD Gateway server. If you have clients who tend to surf all over the web, you may want to increase the amount of RAM in the system to account for the extra space required to perform the web page content analysis and for the web pages being cached by the Squid proxy server. Doubling the amount of memory in the system over the suggested minimum is not a bad idea. Even 512 MB of memory would not be a bad idea given current memory prices (cheap!).

Open Mode Web Site Home Page Redirect Entry Input Display

When you select Open mode for the ZoneCD Gateway server you are presented with the above display. Here you can enter the URL of a "Home Page" the client is redirected to when they click the "Continue" button on the splash page, or you can select the "No Redirect" button to let the client proceed to the website they originally intended to visit after the system has displayed the splash page. This feature is handy if you have a specific website you want the client to see before they proceed to surf the web.

NOTE: You are not presented this display if you select Closed mode for the ZoneCD Gateway server. In Closed mode you control whether the website redirect is active for the zone on the (remotely located) Zone Control Server instead of as a selection on the ZoneCD Gateway server. This configuration information is downloaded from the Zone Control Server by the ZoneCD server at boot time.

ZoneCD Gateway Display Run Mode Selection Input Display

The ZoneCD Gateway Run Mode selection screen is used to set up which mode of console display you want to use when running the system. The three selections available are:

1. GUI: This selection sets up the system to use the XFCE Graphical User Interface.
This interface works something like Microsoft Windows (actually it's the other way around!), so the operator is presented with a graphical "point and click" windowing system. This gives the operator the ability to use the graphical web browser that is built into the system (Firefox). You can use the web browser in the GUI to access the Zone Control Server, so having the GUI active is not a bad thing! This mode uses the most memory: graphical interfaces use a great deal of memory to create and display all the graphics you see.

2. LessX: This selection sets up the system to run in what is referred to as Less X mode. This presents just a terminal window display based on the X Windows xvrt program (x-virtual terminal). This mode uses less memory, but the X Windows application is still loaded to support the virtual terminal mode.

3. NoX: This mode of operation uses the least amount of memory. The X Windows system is not loaded at all and you are presented with a command line prompt. If you are not using the console for normal operation then this is the best mode to use. The system can be monitored remotely using the SSH access method described in the Tweaks and Tips section of the document.

You make your selection by using the arrow keys on the keyboard and pressing the SPACEBAR key to select the option you want. Pressing the ENTER key sets the option.

ZoneCD eth0 Interface Network Configuration Mode Setup Input Display

The local network (wired) side of the ZoneCD Gateway server is configurable for either DHCP (Dynamic Host Configuration Protocol) IP configuration or static IP configuration. The display above allows you to set up eth0 (network Ethernet interface 0 in the system) for either mode of operation.

1. DHCP (Dynamic Host Configuration Protocol): This is the mode you would select if your local network uses a DHCP server to assign the IP addresses for your local network.
This mode of operation simplifies the IP configuration of the eth0 interface, but it also means you have to do some other things to determine the IP address of the eth0 interface if you are doing any remote monitoring of the ZoneCD Gateway server or want to set up the server to allow access to the wireless router/AP on the eth1 side of the system.

2. Static: This mode allows you to manually configure the IP address, netmask, gateway and DNS (Domain Name System) settings used for the eth0 interface and the DNS of the system.

NOTES: You would use DHCP for the following situations:

1. Your local network uses dynamic IP address assignments.
2. You are connecting the Gateway server directly to a DSL/cable modem.

You should use Static for the following situations:

1. Your local network does not use DHCP.
2. You don't want to use DHCP for eth0 configuration.

Eth0 Static IP Setting Input Display

The above screen is displayed when you select eth0 "Static" IP mode. Here you enter the IP address of the eth0 interface of the ZoneCD Gateway server as a four-octet decimal IP address in dot notation.

NOTE: Do not use a FQDN (Fully Qualified Domain Name) here, because the system will not have DNS running when the assignments are performed! The eth0 interface would be the interface used to perform the DNS lookup and you are still configuring it: a catch-22 situation to say the least!

An example of a valid IP address would be: 192.16.8.40 (quad octet decimal notation)
You would not use: C0.10.08.28 for the IP address (the same IP written in hex)
Nor: Some.domain.com (cannot resolve a FQDN)

When you are satisfied you have typed in the IP address correctly, press the ENTER key to input the IP address setting.

Eth0 Static IP Netmask Setting Input Display

Once you have entered the IP address for the eth0 interface in the Gateway server you need to set up the network mask for the eth0 interface.
The network mask is used to determine what subnet an IP address belongs to. An IP address has two components, the network address and the host address. For example, consider the IP address 207.215.17.9. Assuming this is part of a Class C network, the first three numbers (207.215.17) represent the Class C network address, and the last number (9) identifies a particular host on this network.

You enter the network mask as a 4-octet decimal number (Ex: XXX.XXX.XXX.XXX). Most of the time you are working in a Class C network addressing block, so your netmask value will be 255.255.255.0, but there are times where the Class C (or one of the other two commonly used classes) is sub-netted. In this situation you would use the sub-net mask assigned to that sub-net. For example, you may have a Class C network configured as eight distinct sub-nets of thirty host addresses each. For such a sub-netted network you would use 255.255.255.224 as the sub-net mask value for eth0. A good, detailed explanation of subnet masks can be found here: http://www.swcp.com/~jgentry/topo/unit3.htm

When you are satisfied you have typed in the subnet mask value correctly, press the ENTER key to input the subnet mask setting.

Eth0 Static IP Gateway Address Setup Input Display

In order for the ZoneCD Gateway server to send network packet requests on to the Internet, it needs to know what IP to send the packets to. This IP is called the "Gateway" IP address or "Default Gateway". A formal definition of a gateway IP address is "A node (router) on a network that serves as an entrance to another network.
In enterprises, the gateway is the computer that routes the traffic from a workstation to the outside network that is serving the Web pages." (http://www.webopedia.com/TERM/g/gateway.html) Another way to define the gateway IP address is "the default IP address the ZoneCD Gateway Server sends packets to when it does not recognize the destination IP address the packets are meant for". A gateway IP address can be looked at as the "catch all" address to send packets to when there is no other known route for them... Hope that is not too confusing!

You input the Gateway IP address in 4-octet decimal notation as shown in the display above. You cannot use the FQDN of the gateway router, as DNS has not been configured on the ZoneCD Gateway server at this point in the bootup process. When you are satisfied you have typed in the Gateway IP address correctly, press the ENTER key to input the Gateway IP address setting.

ZoneCD Static IP Mode Primary DNS Setup Input Display

In order for the ZoneCD Gateway server to identify other hosts by their FQDN (Fully Qualified Domain Name), the system needs to know the IP address of a DNS server to perform DNS lookups against. In most instances you would want a couple of DNS servers entered into the ZoneCD Gateway server, in case one of them is too busy to answer quickly or is not reachable when the DNS request is submitted. The above display is where you input the Primary DNS server IP address into the system, in 4-octet decimal notation as shown. When you are satisfied you have typed in the Primary DNS server IP address correctly, press the ENTER key to input the Primary DNS server's IP address setting.
NOTE: The ZoneCD Gateway server not only uses the DNS address entry for its own translation of FQDN host names into IP addresses, it also uses it to provide DNS service to the clients connected to the ZoneCD Gateway server. The DHCP server running on the ZoneCD Gateway server supplies the wireless clients with a DNS IP address as part of their configuration information. When clients are connected to the Hot-Spot zone, they receive the ZoneCD Gateway server's eth1 IP address as their DNS server. The ZoneCD Gateway server runs the Dnsmasq program to "act" as a DNS proxy for DNS requests from the wireless clients...

ZoneCD Static IP Mode Secondary DNS Setup Input Display

The above display is where you input the Secondary DNS server IP address into the system, in 4-octet decimal notation as shown in the display above.

NOTE: The secondary DNS server handles any DNS requests which are not answered by the Primary DNS server. Several things can affect access to the Primary DNS server: it may be down for maintenance, the Internet route to it may be broken at the moment, or it may be busy to the point where it cannot respond in the time allotted for normal responses. Suffice it to say there are enough reasons to want a secondary DNS server for DNS resolution... Having said that, the Secondary DNS server IP address is optional: if you do not want to use a secondary DNS server, just leave the Secondary Name Server IP Address field blank and no secondary DNS address will be entered into the system. When you are satisfied you have typed in the IP address correctly, or have left the field blank because you are not using a secondary DNS server, press the ENTER key to input the IP address setting.
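As an added example (my own, not part of the ZoneCD documentation or software), the POSIX shell functions below check the four static-IP entries above the way the screens expect them: they accept only dotted-decimal quads (rejecting the hex and FQDN forms shown earlier), work out the subnet a netmask such as 255.255.255.224 defines, and confirm that the default gateway lies on the eth0 subnet. The function names are mine; the addresses used are the ones quoted in the text.

```shell
#!/bin/sh
# Added example (not from the ZoneCD project): sanity checks for the eth0
# static IP, netmask and gateway entries described above.

# is_dotted_quad STRING -> 0 if STRING is four decimal octets, each 0-255.
# Rejects hex (C0.10.08.28), names (Some.domain.com) and empty octets.
is_dotted_quad() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(echo "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in 0?*) return 1 ;; esac   # no leading zeros (octal confusion)
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# quad_to_int A.B.C.D -> the address as a 32-bit integer
quad_to_int() {
    set -- $(echo "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_quad N -> dotted-decimal form of a 32-bit integer
int_to_quad() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_address IP MASK -> the subnet IP belongs to (IP AND MASK)
network_address() {
    int_to_quad $(( $(quad_to_int "$1") & $(quad_to_int "$2") ))
}

# broadcast_address IP MASK -> last address of that subnet (IP OR NOT MASK)
broadcast_address() {
    int_to_quad $(( $(quad_to_int "$1") | (~$(quad_to_int "$2") & 0xFFFFFFFF) ))
}

# usable_hosts MASK -> assignable addresses per subnet (all minus network and broadcast)
usable_hosts() {
    echo $(( (~$(quad_to_int "$1") & 0xFFFFFFFF) - 1 ))
}

# subnets_per_class_c MASK -> how many subnets MASK carves a Class C (/24) into;
# meaningful for masks from 255.255.255.0 up to 255.255.255.252
subnets_per_class_c() {
    echo $(( 256 / (256 - ($(quad_to_int "$1") & 255)) ))
}

# gateway_on_subnet IP MASK GATEWAY -> 0 if the default gateway is reachable
# directly from eth0, i.e. it sits in the same subnet as the eth0 address
gateway_on_subnet() {
    [ "$(network_address "$1" "$2")" = "$(network_address "$3" "$2")" ]
}

# Walk through the page's own numbers: a plain Class C and one cut into
# eight subnets of thirty hosts.
for mask in 255.255.255.0 255.255.255.224; do
    printf '%-16s subnets=%s hosts/subnet=%s 207.215.17.9 is on %s (broadcast %s)\n' \
        "$mask" "$(subnets_per_class_c "$mask")" "$(usable_hosts "$mask")" \
        "$(network_address 207.215.17.9 "$mask")" "$(broadcast_address 207.215.17.9 "$mask")"
done
```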
ZoneCD Zone Control Server Closed Mode Login Username Input Display

When you select "Closed" mode for the ZoneCD Gateway server you will see the above screen. In Closed mode a login name is used to log into the Zone Control server, to download the unique zone configuration for this zone and to allow accounting information from this zone to be sent back to the Zone Control server. The accounting data sent from the zone to the Zone Control Server allows the currently active sessions on the zone to be displayed and different types of usage reports to be compiled for that particular zone.

The username you enter here is the username you entered when you created the zone in your Master Account on the Zone Control Server. The login name is CASE SENSITIVE! Once you have typed the zone username (NOT the Master Account username, which is the email address you use to access the Master Account), press the ENTER key to input the username into the system.

NOTE: You must have created a Zone Account in your Master Account on the Zone Control Server prior to configuring the ZoneCD Gateway Server. If you have not done so, do so now before you continue any further with configuring the ZoneCD Gateway Server.

Also worth noting here: the login name and password are CASE SENSITIVE and must be entered EXACTLY the same way they were originally entered when you set up the zone account in your Master Account on the Zone Control Server! Also, the zone login username IS NOT an email address; that username is your Master Account username!

ZoneCD Zone Control Server Closed Mode Login Password Input Display

The above screen is displayed for you to input the password for the zone account you are using for this ZoneCD Gateway server zone. The password was entered during the creation of the Zone on the Zone Control Server.
This cannot be stressed enough: the password is CASE SENSITIVE and must be entered EXACTLY the same as it was entered when the zone account was created in your Master Account on the Zone Control Server. Once you have input the password (which shows up as a series of dots to keep someone from looking over your shoulder to get the password), press the ENTER key to input the password into the ZoneCD Gateway server. Did I mention the login name and password are CASE SENSITIVE???

ZoneCD Zone Control Server Login Invalid Username/Password Display

The "Login Not Found" screen is displayed if you input either the wrong username or the wrong password for the zone.

NOTES:

1. Remember, the login username is the username you used to create the zone in your Master Account on the Zone Control Server, not your Master Account login username (which looks like an email address).
2. The username and password are CASE SENSITIVE! You must use the EXACT username and password, including case, for these entries, otherwise the system will think the input is incorrect.

ZoneCD Mode Configuration Finished Display

Once all of the configuration input has been performed, the system displays the above information on the console. Basically this is a "final check" page to let you see the configuration you set up for the ZoneCD Gateway Server. If it is incorrect you can reboot the system and start over to input the correct information. If you feel the configuration is correct, press the ENTER key to continue. If you don't think the configuration is what you wanted, press the reset button on the computer to restart the system and answer YES to the "Do You want to change the configuration" screen displayed when the system starts up its Linux system. Remember, the one where you don't go out for coffee???
ZoneCD Re-Boot Configuration Utility Display

As mentioned in several locations within this document, the ZoneCD system does not (normally) run from a hard drive, so it uses a RAM disk in the computer's memory for all operations. The RAM disk will eventually become full, and when a program requires additional space for operation the system will stop running. In order to "clear" the RAM disk for proper operation you would normally reboot the system. The above screen allows you to configure the system to reboot automatically instead of having to reboot it manually every so often.

NOTE: How quickly the RAM disk fills depends on several factors, including some of the selections you made previously in the way the ZoneCD Gateway server operates. Most of the time the system will run smoothly for days on end, but at other times, if there is high client usage and you are running the web content filtering, the system will consume RAM disk space much faster!

Since the ZoneCD software does not install to your hard drive, the file system is mounted on a RAM disk. This requires a minimum of 128MB of RAM to keep the ZoneCD Server running smoothly. You can use the next few dialogs to automatically reboot the ZoneCD to help keep memory resources optimized.

To activate the auto-reboot capability, select "Yes" and press the ENTER key. If you do not want the system to reboot automatically every so often, use the keyboard arrow keys to select "No" and press the ENTER key.

ZoneCD Re-Boot Geographic Area Selection Display

The ZoneCD uses UTC, a.k.a. GMT, to synchronize its activities with the Control Server. To reboot the ZoneCD at the correct local time you must select a geographic location that corresponds to the system time of the ZoneCD Gateway server. Use the keyboard arrow keys to select the time zone the ZoneCD Gateway server is operating in.
Once you have selected the proper geographic area, press the TAB key to move to the OK selection and press the ENTER key to input the selection into the system. If you are having problems with the auto-reboot system, you probably did not set up the geographic location correctly and the ZoneCD Gateway server is rebooting for that incorrect time zone. This is one item to check if the reboot is happening at a time other than what you think it should be.

ZoneCD Re-Boot Time-Zone Selection Display

The ZoneCD system requires you to select the city within the time zone in which you are operating the ZoneCD Gateway server. This may seem redundant to the previous screen selection, but it is needed. Use the keyboard arrow keys to select the time zone the ZoneCD Gateway server is operating in. Once you have selected the proper geographic area, press the TAB key to move to the OK selection and press the ENTER key to input the selection into the system. If you are having problems with the automatic reboot system, you probably did not set up the geographic location correctly and the ZoneCD Gateway server is rebooting for that time zone. This is one item to check if the reboot is happening at a time other than what you think it should be.

ZoneCD Re-Boot Time-Of-Day Setting Selection Display

This screen allows you to set the "local time" at which the ZoneCD Gateway Server performs the automatic reboot. Be sure to keep in mind this is your "local time" and not GMT! The ZoneCD Gateway Server performs the local time to GMT translation using the information from the last two steps. Use the keyboard arrow keys to highlight the time at which the ZoneCD Gateway server will perform the automatic reboot. Press the SPACEBAR key to actually select the highlighted time. Once you have selected the proper time, press the TAB key to move to the OK selection and press the ENTER key to input the selection into the system.
ZoneCD Final Configuration Screen Display

Once all configuration information has been input into the ZoneCD Gateway Server, or if you did not choose to make any changes to the system after the initial bootup, you will see this screen. There are a few final steps the system must perform in order for the ZoneCD Gateway Server to perform its tasks. This is the time the ZoneCD Gateway server:

• activates the network interfaces
• configures the system for Open mode operation, or contacts the Zone Control Server to download the zone's configuration
• activates the web content filtering if it was selected
• starts the remainder of the system!

ZoneCD Gateway Server LessX Display Screen

If you selected the LessX console display option, this is the display you will see when the PublicIP system has finished booting up. The system is up and operational at this point. You can enter commands at the command prompt for the system to execute. Be careful, as you are basically operating at the root user level on the console: any changes you make to the system here take effect instantly (unless a process needs to be restarted to read the configuration you changed).

ZoneCD Gateway Server GUI Display Screen

If you selected the GUI console display option, this is the display you will see when the system has finished booting up. The system is up and operational at this point. You can select the terminal icon on the toolbar to open a terminal window where you can enter commands for the system to execute. You can select the "World" icon on the toolbar to open a web browser to access the Internet, the Zone Control Server (shown), or the web-based control panel of a wireless access point or wireless router. Be careful, as you are basically operating at the root user level on the console: any changes you make to the system here take effect instantly (unless a process needs to be restarted to read the configuration you changed).
There is no "lock" for the GUI display, so make sure the console is not accessible by anyone you don't want to have access to the ZoneCD Gateway Server console!

ZoneCD Gateway Server Command Line Display Screen

This is the display seen from a remote session using ssh. The screen window is PuTTY, a free ssh client that runs in Windows. When you access the system remotely you are presented with a login prompt, then a password prompt. If the logon is successful you will see the above screen. PuTTY can be found at: http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html It is a free program too!

ZoneCD Gateway Server Configuration Final Notes (for you to write here):

ZoneCD Tips and Tweaks

Overview

While the ZoneCD and Zone Control Server combination is a very robust and flexible WiFi Hotspot control system, there are "those" times where you may need to fine-tune the system to your specific needs. The Zone Control server does not provide any method for you to perform site-specific tweaks, since the server has to be "generic" for all to use. When the ZoneCD PublicIP system was first being developed, Scott had the foresight to realize these types of situations would come up from time to time, so he built a method into the system that allows you to make tweaks to the configuration and operation of the system!

One such situation that comes up is being able to administer the ZoneCD Gateway server remotely. Now, you would not want to perform remote administration of the ZoneCD Gateway server using a telnet session, as anyone with the ability to "monitor" the network traffic to the ZoneCD Gateway server would be able to "packet sniff" the root username and password used to log into the ZoneCD Gateway server and do who knows what to the configuration! So, how do you protect this information???
And how do you get access to the ZoneCD Gateway server when there are no services started on the server to allow you to access it remotely in the first place??? And sometimes you may need to set up un-authenticated access for a wireless device to a zone or zones, but there is no method by which to do this on the Zone Control server. You may want to use a wireless PDA in this situation, for example, to perform some administrative functions at the zone location, but you don't want to worry about disconnects every 10 minutes because your PDA browser cannot have more than one window open at a time (true story, mine is that way!). And what if you don't want to use the features of the Zone Control server for your zone, since it is just an access location for any and all to use... how would you set up a custom display for users to see when they connect to the hotspot location?? Or how about you want to collect more information than the Zone Control server collects, maybe for billing or a public survey or any number of other reasons, but there is no way to do this with the Zone Control server itself. Wait a minute, how is this possible?? If the Zone Control server cannot perform these functions, then how do we accomplish such seemingly magical feats and still use the features provided by the Zone Control server! Here's how...

By creating a shell script file and placing it in a specific location on the ZoneCD computer's floppy disk (or USB drive, if that is what you are using), you can have the ZoneCD software execute the script during the bootup process! You place commands within the shell script for execution either before the ZoneCD system starts its bootup or after it has completed its bootup operation.

The ZoneCD is a LiveCD, which is a read-only environment. Your computer's RAM is used for read-write configurations and services. RAM is cleared when you reboot.
If you want something to stay on the ZoneCD you will need to either put it in the ISO and burn a new CD, or save it on the floppy/USB. Building an ISO of the LiveCD is not for the faint of heart! If you want to tackle such a feat there is a section in the back of this document (Appendix-C) on the steps required, but be forewarned: you really NEED to understand how to use Debian Linux in order to be successful in building a LiveCD ISO, and you need a Debian Linux system configured on a PC to perform the build operations.

As mentioned, an alternative to re-mastering the ZoneCD is using a floppy disk (or USB drive) to alter the characteristics of the gateway. In addition to the automatic configuration done by the boot script, you can also do a couple of other tricks with the floppy (or USB drive).

To execute commands prior to the initialization of the ZoneCD Gateway (the PublicIP system), create a file named "pre.sh" and place it on the floppy/USB inside the created zonecd directory. The zonecd directory is created after you run the initial configuration during the first bootup of the zone's Gateway server.

To execute commands at the end of the boot, create a shell script named "init.sh" and place it on the floppy inside the created zonecd directory.

To copy custom configuration files and scripts to the nocat directory in the ZoneCD Gateway, so they are available in the server's RAM drive once the system is booted, place the file or files in the "conf" directory on the floppy or USB drive. The files contained in the /zonecd/conf directory are copied to the /usr/local/nocat directory during the bootup process of the ZoneCD Gateway server.

To execute scripts after the system has completed the bootup, create a directory on the floppy or USB drive called "bin" inside the zonecd directory.
Any executable file in it matching specific criteria will be executed (useful for running an alternate firewall configuration script and such).

Note: Most of the above capabilities are very useful, but they do require some knowledge of Linux and shell scripting. The following section has steps for performing some of the more generic customizations that most people will want to use. You don't have to be a Linux guru to use this capability to "customize" the ZoneCD Gateway server for many of your specific needs.

How to Set up a Custom Open Mode Splash Screen

One of the features of the ZoneCD Gateway Server is that all of the files saved on the writable storage device are copied to the /usr/local/nocat directory of the system during the bootup process. This capability allows you to alter the characteristics of NoCat.

How does this allow for a custom Open mode splash page? The default splash page for Open mode operation is in the directory /usr/local/nocat/htdocs under the name splash.html. If you create a directory on the writable storage device called "htdocs" and place a file called "splash.html" in it, your splash page replaces the default splash page for the Gateway server! Of course you can add an images directory and add images to your splash page. You can also use custom CSS files to control the way your custom splash page is rendered.
Example (the default splash.html file):

    <html>
    <head><title>Welcome to the NoCat Authentication System on the Public IP ZoneCD!</title></head>
    <body bgcolor="#FFFFFF" text="#000000">
    <form method="POST" action="$action">
    <table border="0" cellpadding="5" cellspacing="0">
      <tr>
        <td><font size="2" face="Geneva, Arial, Helvetica, sans-serif">
          <strong>Welcome to $GatewayName.</strong></font>
        </td>
      </tr>
      <tr>
        <td align="center" height="23"><font size="2" face="Geneva, Arial, Helvetica, sans-serif">
          <input type="image" name="mode_login" src="images/login.gif" width="55" height="17" border="0">
        </font></td>
      </tr>
    </table>
    <font size="2" face="Geneva, Arial, Helvetica, sans-serif">There are currently $ConnectionCount user(s) connected.<BR>
    The last connection was at: $LastConnectionTime.
    <input type="hidden" name="redirect" value="$redirect">
    </font>
    </form>
    <p><img src="/images/zoneCD.gif" width="150" height="51">
    <p>
    </body>
    </html>

The key items you need to include in your custom splash page are the hidden input fields of the form, so that users are redirected properly. The splash page uses an HTML FORM tag and a couple of hidden variables to allow the user to continue past the splash page once they have read the content (or just hit the continue button on the page). Since a FORM tag is used, there is a minimum amount of HTML that must exist in the custom splash page in order for it to work properly in the ZoneCD Gateway server environment.
The following are the basic parts needed for the custom splash page to work properly. You can put anything else you might want on the page but this is the minimum required:

    <html>
    <body>
    <form method="POST" action="$action">
    <input type="image" name="mode_login" src="images/login.gif" width="55" height="17" border="0">
    <input type="hidden" name="redirect" value="$redirect">
    </form>
    </body>
    </html>

The FORM tag works like this:

    <form method="POST" action="$action">

When the web page is sent to the client the $action variable is filled in with the action required by the POST operation. It basically points back to the Gateway server for response when the client clicks the continue button displayed on the splash web page.

    <input type="image" name="mode_login" src="images/login.gif" width="55" height="17" border="0">

This line displays the continue button on the splash web page and makes it a "link" button, so when the client clicks on the image it causes the FORM action to occur...

    <input type="hidden" name="redirect" value="$redirect">

This line causes the client's web browser to redirect to the location specified in the $redirect variable. This variable is set by the ZoneCD Gateway server based on how you configured the server in Open mode.

You can build your custom splash page around the above html code. Include whatever you wish; you can even put JavaScript code within the page if you want to... Just be sure the above parts are in the splash page so that it works properly... That's all there is to it! Pretty simple to do... Enjoy!

How To Set up Secure Shell for Remote Access

Setting up a shell script to allow you the ability to remotely access the ZoneCD Gateway computer is a very easy task!
Here is the method you use:

First you want to create the shell script that will be executed by the ZoneCD system once the bootup process has completed. It does not make any sense to do it before the bootup process, as the bootup process would change the information in the password file on the Gateway server AFTER you had already made your changes!

You want to place the script file on the floppy or USB drive so it will be available after each bootup of the Gateway server. You do this by performing the following steps either in a terminal window (if you had setup the Gateway server to bootup with the GUI active) or at the command line on the Gateway server console:

    nano /mnt/floppy/zonecd/init.sh<ENTER>

This command performs the following: the nano command creates a file on the floppy called init.sh in the zonecd directory, which was created when you setup the ZoneCD Gateway server initially. The zonecd directory is where the ZoneCD Gateway server stores its configuration information and is where the system looks for an executable script file called "init.sh"; if found, it attempts to execute the file. This is the mechanism that allows you to run a shell script file in order to perform the tweaks when the system boots up!

Once you have executed the above command you will be in the nano text editor window; the most used commands are listed at the bottom of the window. You now want to type the following exactly as you see it, with the exception that you need to substitute your specific information where noted. The first line "#!/bin/sh" MUST start at the beginning of the first line in the file!!! This is very important, as the system will recognize the file as a shell script ONLY if the first line is correct! If you have a problem with the init.sh file executing, this is one of the two possible reasons for the file not to execute!
Code:

    #!/bin/sh
    # replace "zonecd" with your password choice
    PASS="zonecd"
    # write root's new password to a temporary file and feed it to chpasswd
    echo "root:$PASS" > /tmp/pass
    chpasswd < /tmp/pass
    # remove the temporary file so the password does not stay on disk
    rm -f /tmp/pass
    # start the secure shell daemon
    /etc/init.d/ssh start

Once you have typed the above information into the nano editor window and you are sure you have the information correct, press the control-X key combination then the Y key to save the init.sh file to the floppy drive (or the USB drive). Keep in mind that the password is stored in clear text in init.sh on that floppy or USB drive, so keep the media secure.

One more step is required to allow the shell script to execute: we need to change the permission of the file to executable! This is the second possible reason for the shell script not to work! We do this by performing the following step in the terminal window or command line:

Code:

    chmod 755 /mnt/floppy/zonecd/init.sh<ENTER>

Congratulations! You now have a shell script the system will execute which will configure the system to allow ssh access using the root account! Reboot the gateway server to check it out!

To access the ZoneCD Gateway Server remotely after you have setup the system to run the secure shell daemon "sshd" you would use a ssh client program (a daemon in the Unix world is roughly equivalent to a "service" in Windows©). One such client is called Putty and runs in a Windows environment. You can obtain this Open-Source program from the following web site: http://putty.fyxm.net/

Note: Putty uses strong encryption so it may be illegal to download in some countries. Be sure you understand the legal implications involved if you live in such a country. It is not illegal to download in the United States.

Once you have installed Putty on a Windows© machine and execute the program you will see a screen that looks something like this:

To access a particular ZoneCD Gateway Server, you would type its Host Name or IP address in the Host Name field on the screen, make sure you have selected a SSH connection, then click the "Open" button.
To save the settings to access this particular ZoneCD Gateway Server you can put a Saved Sessions name for the Gateway Server in the "Saved Sessions" field and click the "Save" button mid-way on the right-hand side of the display. This will save a copy of the settings under the name you input so you can select it from a list to access the selected server.

Note: This program works with any ssh capable host as can be seen in my display above (grin)...

The first time that you connect, you will see a pop-up window appear with a good deal of information. It deals with the security keys Putty and the remote connection negotiate and shows a key validation string (this is the fingerprint of the gateway's SSH host key; where you can, compare it against the host key on the gateway itself before accepting). Select YES to answer the question, otherwise you will not be able to connect to the ZoneCD Gateway Server!

Once you have successfully established a connection to the ZoneCD Gateway Server you will see a display something like:

Enter root for the username, then press the ENTER key. The system will ask for the password; this is the password you setup in the remote access script earlier in this section. When you enter the password you will not see the cursor move nor will you see any indication of a password being typed in! This is a security feature of Putty!

A successful login will display something like above! This is the functional equivalent of actually sitting at a command line interface on the physical terminal for your gateway. When you are finished just type exit and press the ENTER key to terminate the session.

How To Configure Non-Authenticated Access

Ok, this does not make sense!!!! Why in the world would you go to all the trouble of setting up the ZoneCD PublicIP system, which will allow you to control who can access the WiFi Hotspot, and then turn around and allow non-authenticated access! There are a couple of scenarios where allowing non-authenticated access may be desirable!
You may want to setup your laptop to access the zone without having to login each time to check the status of the system or to make changes to client information. You may have clients who need specific access but you don't want them to have to login each time they go to use the system (such as training personnel using the system for class training). The list can grow when you think about it!

Here is how it works. The ZoneCD Gateway server "controls" who has access by inserting firewall rules into the firewall running on the gateway server. These rules determine what class a client is in and what they can do based on the class information. In order for you to setup the system to allow non-authenticated access you have to setup firewall rules that will allow the specific wireless device to "pass through" the firewall in the same manner as a client who logs into the system.

The "down" side to using this method is that the PublicIP system will not be able to keep track of the client, since the client did not authenticate through the system. There will be no indication in the Zone Control Server that the client is connected to the zone and there will be no accounting information about the client in the Zone Control Server.

The following is how this is accomplished!
If you already have a file called init.sh on the floppy or USB drive in the zonecd directory you want to add the following line for each wireless device that you want to have non-authenticated access to the zone. If you don't have an init.sh file then use the instructions starting at "No init.sh exists" to create one and enter the following line in the file (exactly as shown with the changes required; it is CASE Sensitive!):

Code:

    /usr/local/nocat/bin/access.fw permit 00:xx:xx:xx:xx:xx 10.10.10.xx Member

No init.sh exists...

If you don't have an init.sh script file on the floppy or USB drive then perform the following steps. You want to place the script file on the floppy or USB drive so it will be available after each bootup of the Gateway server. You do this by performing the following steps either in a terminal window (if you had setup the Gateway server to bootup with the GUI active) or at the command line on the Gateway server console:

Code:

    nano /mnt/floppy/zonecd/init.sh<ENTER>

Now you want to type the following into the nano editor window (as in the previous section, the "#!/bin/sh" line must be the first line of the file and must start in the first column):

Code:

    #!/bin/sh
    #
    /usr/local/nocat/bin/access.fw permit 00:xx:xx:xx:xx:xx 10.10.10.xx Member

Make any changes required to the line for the IP address and MAC address being used. The MAC address is the address of the wireless device you are allowing non-authenticated access to the zone and the IP address is the address you will use in the wireless device for its static IP configuration. See below for a definition of all the command line variables.

Once you have typed the above information into the nano editor window and you are sure you have the information correct, press the control-X key combination then the Y key to save the init.sh file to the floppy drive (or the USB drive).

One more step is required to allow the shell script to execute: we need to change the permission of the file to be executable! This is the second possible reason for the shell script not to work!
We do this by performing the following step in the terminal window or command line:

Code:

    chmod 755 /mnt/floppy/zonecd/init.sh<ENTER>

Congratulations! You now have an executable shell script the system will execute on boot that will configure the system to allow un-authenticated access for the wireless device.

OK, what does all that command line stuff mean??? Here is a break-down of what the command line means and the possible choices you have. There are also some things to watch out for and some things you do not want to do!

/usr/local/nocat/bin/access.fw – executes the access.fw script with the following settings:

permit – permit the following MAC address at IP address access in the Member class.

00:xx:xx:xx:xx:xx – this is the MAC address of the wireless device you want to allow non-authenticated access. Make sure to change the address to match the device MAC address!

10.10.10.xx – this is the IP address the wireless device will use for access to the wireless network of the zone. Change the address to match the IP you are going to assign the device.

NOTE: Since the PublicIP system already uses the 10.10.10.100 – 10.10.10.200 IP address range for the DHCP service you will want to assign an IP address in the 10.10.10.50 – 10.10.10.99 address range or the 10.10.10.201 – 10.10.10.254 address range for the wireless device to use for its static IP.

You setup the wireless device with a STATIC IP configuration as follows:

    IP address: the IP you assigned to the wireless device
    NETMASK:    255.255.255.0
    Gateway:    10.10.10.1
    DNS:        10.10.10.1, which will use the ZoneCD Gateway server's DNS to provide the name to IP translations required.
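As an added example (not part of the ZoneCD documentation), the following shell functions check the three arguments of an access.fw permit line against the rules given in this section before the line goes into init.sh: the MAC must be six hex pairs, the IP must be in 10.10.10.0/24 and outside the 10.10.10.100 – 10.10.10.200 DHCP pool, it must not be the gateway address or the wireless AP/router address, and the class must be one of the four case-sensitive names. The AP address 10.10.10.2 and the device values in the final call are constructed placeholders; set them to your own.

```shell
#!/bin/sh
# Added example (not from the ZoneCD documentation): sanity-check the
# arguments for an access.fw "permit" line before it goes into init.sh.
# Assumes the zone layout described in the text: 10.10.10.0/24, gateway
# 10.10.10.1, DHCP pool 10.10.10.100-10.10.10.200. AP_IP is a placeholder.

ZONE_PREFIX="10.10.10"
GATEWAY_IP="10.10.10.1"
AP_IP="10.10.10.2"      # constructed placeholder: your wireless AP/router address
DHCP_LOW=100
DHCP_HIGH=200

# valid_mac MAC -> 0 if MAC is six colon-separated hex pairs
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_class NAME -> 0 if NAME is one of the four documented (case-sensitive) classes
valid_class() {
    case "$1" in
        Member|Public|Liberated|Owner) return 0 ;;
        *) return 1 ;;
    esac
}

# valid_static_ip IP -> 0 if IP is in the zone subnet, outside the DHCP pool,
# and is neither the gateway nor the AP address; prints the reason on failure
valid_static_ip() {
    ip="$1"
    case "$ip" in
        "$ZONE_PREFIX".*) ;;
        *) echo "not in $ZONE_PREFIX.0/24"; return 1 ;;
    esac
    host="${ip##*.}"
    case "$host" in
        ''|*[!0-9]*) echo "bad host octet"; return 1 ;;
    esac
    if [ "$host" -lt 2 ] || [ "$host" -gt 254 ]; then
        echo "host octet out of range"; return 1
    fi
    if [ "$ip" = "$GATEWAY_IP" ] || [ "$ip" = "$AP_IP" ]; then
        echo "collides with the gateway or AP address"; return 1
    fi
    if [ "$host" -ge "$DHCP_LOW" ] && [ "$host" -le "$DHCP_HIGH" ]; then
        echo "inside the DHCP pool $ZONE_PREFIX.$DHCP_LOW-$DHCP_HIGH"; return 1
    fi
    return 0
}

# permit_line MAC IP CLASS -> prints the access.fw line, or fails with a reason on stderr
permit_line() {
    valid_mac "$1"   || { echo "invalid MAC: $1" >&2; return 1; }
    valid_static_ip "$2" >&2 || return 1
    valid_class "$3" || { echo "invalid class: $3 (case-sensitive)" >&2; return 1; }
    echo "/usr/local/nocat/bin/access.fw permit $1 $2 $3"
}

# constructed sample device; prints the line to paste into init.sh
permit_line 00:11:22:33:44:55 10.10.10.60 Member
```

permit_line prints the finished line only when every check passes, so its output can be appended to init.sh directly; a rejected address or class produces no line and a short reason on stderr.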
If you don't set the wireless device's IP address outside the range of the DHCP service on the gateway server you will, at some point, have an IP address conflict occur between the wireless device and a client's assigned IP address from the DHCP service running on the gateway server. DO NOT ASSIGN THE IP ADDRESS OF THE WIRELESS DEVICE TO EITHER THE GATEWAY'S IP ADDRESS OR THE WIRELESS AP or ROUTER IP ADDRESS – THIS WILL STOP THE SYSTEM FROM WORKING PROPERLY!!!

Member – this is the classification you are assigning the wireless device to for access on the zone. There are four different classifications you can define here (all are Case Sensitive):

    Member     Trusted Class defined in the system
    Public     Protected Class defined in the system
    Liberated  Liberated Class defined in the system
    Owner      Super User Class defined in the system

There are a couple of things to remember when you allow non-authenticated access from a wireless device in a zone.

1. When you setup the non-authenticated access you want to make sure you have the client in the correct classification! If you place someone in the Owner classification they will have total access through the ZoneCD Gateway server, including access to the wired network side of the gateway server even if you have denied access to the wired side in the zone configuration!

2. Since the classification selected for the non-authenticated access is defined as a fixed firewall rule in the zone and the access is not controlled by the ZoneCD Gateway server, the server has no information about when a client is using the system or not. What this means is you will not "see" any information in the Active Sessions or Usage Reports about the client in the Zone Control server for that client.

3. The changes you make to the ZoneCD init.sh script do not take effect immediately when you edit the init.sh script to add or delete non-authenticated wireless devices to the local zone. In order to configure the system to immediately allow a wireless device access through the zone you need to execute the line you placed in the init.sh script directly on the ZoneCD Gateway server, either through a terminal window (if you are running the GUI interface on the server), the command line on the console, or through a putty session if you have enabled that.

4. The easiest way to remove the ability for a wireless client to use non-authenticated access is to remove the line in the init.sh that allows the access and re-boot the ZoneCD Gateway server. The reason is there are several entries placed in the ZoneCD Gateway server firewall and if you don't remove them properly the system will not function! Best just to do the reboot so the firewall starts fresh after you have removed the line in the init.sh script file on the floppy or USB drive.

NOTE: For those of you who think "well, if the permit command line variable allows non-authenticated access then the deny command line variable probably will remove the non-authenticated access for the wireless device": true, it "will" deny the wireless device un-authenticated access BUT it will also deny authenticated access as well! Don't try it, you would be wasting your time and wondering what happened!

As you can see the non-authenticated access capability can be very useful for those situations where you need to allow a wireless device access through the system without requiring the normal login. Of course the down side to this is that there are no records of access usage, since the ZoneCD Gateway server is not controlling the access for the device.

How to "Fix" a Dead Cat (Deprecated in Version 6.x and above)

There are instances where the NoCat Gateway process (program), which is used to control the ZoneCD Gateway server's main functions, can just up and quit (die, stop, not want to run)....
This type of activity was found in version 5.x and was subsequently "fixed" in version 6.x and later... This situation is NOT a result of poor programming; it can occur for several reasons:

- The ZoneCD Gateway server is re-booted and running in closed mode but there is not a connection to the Internet to allow the server to download its configuration information. The NoCat process needs this configuration information to configure itself of course, and if it does not find the information, it kills itself automatically.

- Communications between the NoCat process and the Zone Control server is not available for some reason and the NoCat process is attempting to send accounting information to the Zone Control server (was a problem at the time of the document's writing).

- Since the ZoneCD system runs in the computer's RAM memory space, if the system runs out of physical memory and the NoCat process needs memory the NoCat process will "panic" and die. Usually this does not happen but there have been several cases where it has occurred.

Great! Now what to do about it! Here is one solution that lends itself very well to this and other scenarios!

Implementing a recovery method for a process that dies (for whatever reason) requires the system to 'monitor' the processes that are running on the system. It can be determined if the target process has stopped execution by virtue of the fact that it is no longer present in the process table of the task scheduler (the process table can be seen with the ps command). One method used to monitor and restart failed processes is to execute the ps command on a scheduled basis, check for the process in question and perform the restart steps for the process if it is found the process is no longer executing.
Since the monitoring of the process should be done on a regular schedule we can use the cron facility to perform this monitoring once a minute and, if it is determined the process is no longer running, execute the steps required to restart the process.

Now, the first thing we need is a script that will check our target process to see if it is running and take appropriate action to restart it if the process has died. The following commands change the present working directory to the /mnt/floppy/zonecd directory on the storage device and start a nano text editor to edit a file called gatecheck.sh:

Code:

    cd /mnt/floppy/zonecd
    nano gatecheck.sh

Now that we have a nano text editor process open we can type in the commands that will be executed in the gatecheck.sh script file. Type the following text into the nano text editor:

Code:

    #!/bin/sh
    #
    # Simple script to start nocat if it dies - written by Scott Tully a.k.a. wi-phi
    log=/usr/local/nocat/nocat.log
    conf=/usr/local/nocat/nocat.conf
    # look for the gateway process in the process table; "grep -v grep" drops the grep itself
    if ! ps -e | grep gateway | grep -v grep; then
        # make sure the config file exists, then check whether it is empty
        touch $conf
        bytes=`ls -l $conf | awk '{print $5}'`
        echo "************************** FATAL ****************************" >> $log
        if [ $bytes -eq 0 ]; then
            # empty config: reload so nocat fetches its configuration again
            echo "NoCat process died and nocat.conf was 0 bytes!" >> $log
            /etc/init.d/nocat reload >> $log
        else
            # config present: a plain restart is enough
            echo "NoCat process died!!" >> $log
            /etc/init.d/nocat restart >> $log
        fi
        echo "*************************************************************" >> $log
    fi
    # end of script

Once you have typed the above into the nano text editor you need to save the information into the gatecheck.sh file. To save the information press ctrl-x (the control key and then the x key while holding the control key down) and then press the y key by itself. In order for the commands in the gatecheck.sh file to be executed by the system the file permissions need to be set to allow execution of the file contents.
You do this with the following command:

Code:

    chmod 755 gatecheck.sh

When the ZoneCD system boots up, the system will copy the script (and the contents of the /mnt/floppy/zonecd directory and sub-directories) to the /usr/local/nocat directory.

Now, how do we get the gatecheck.sh script to execute? This is the easy part! As described earlier, in order to execute commands after the ZoneCD system has booted you create an executable script in the /mnt/floppy/zonecd directory called init.sh. When the system finishes performing its initial bootup the system will look for the init.sh file and, if found, will try to execute it. We can use this method to execute any custom commands we need to do to customize the configuration of the system. The init.sh script file content used to implement the process monitoring will look like this:

Code:

    #!/bin/sh
    #
    # Script for file line inclusion
    # used to write a line into the system crontab file
    # Written by Gary N McKinney
    #
    # append the cron command line to the system crontab file
    # (/etc/crontab entries run under /bin/sh, so use the portable
    # ">/dev/null 2>&1" form rather than the bash-only "&>/dev/null")
    echo '* * * * * root /usr/local/nocat/zonecd/gatecheck.sh >/dev/null 2>&1' >> /etc/crontab
    # be sure there is a newline character at the end of the line
    echo >> /etc/crontab
    # end

If you already have an init.sh script file in the /mnt/floppy/zonecd directory all you need to do is add the information starting at "# append the cron command line to the system crontab file" in the above to the existing init.sh script file. If you do not have an init.sh file you need to perform the following to create and edit an init.sh script file:

Code:

    nano init.sh

Type the information into the nano text editor and when finished press ctrl-x (the same as you did to create the gatecheck.sh file) and then the y key to save the information into the init.sh file.
If you are modifying the content of an existing init.sh script file then the permissions of the file are probably already set to executable. If not, then you need to set the file permissions to executable in the same way you did for the gatecheck.sh script file:

Code:

    chmod 755 init.sh

NOTE: If you are not sure the permissions have been set correctly you can still execute the above command. It will not cause any problems if the file permissions are already set to allow execution of the file, so no harm is done if you want to execute the command to be sure.

What the init.sh script does is append the command to be executed by the system cron into the system crontab file and insert a newline character at the end of the line. The system crontab table does not require cron to be restarted, as cron reads the file each minute to see if any of the command line event times match the current system time. Since the '* * * * *' means "match any time" the cron process will execute our gatecheck.sh script each minute (the minimum interval at which cron checks the file).

That's it! You now have a script installed that will either reload or restart the nocat gateway process if it dies for some reason. The script is smart enough to determine if the zone's configuration needs to be downloaded or not; this saves on restart time for nocat if the configuration information does not require downloading from the Zone Control server.

Tips and Tweaks

ZoneCD – Notes and Observations:

The following lists some of the observations that may not be apparent when dealing with tweaks you can perform to the system:

1. If you have a wireless device which needs to access the wired side of the ZoneCD Gateway Server for such things as WPA (Wireless Protected Access) or Radius validation and authentication for secure access, you will need to setup a firewall rule or rules which allow the wireless device unauthenticated access through the ZoneCD Gateway Server.

2. Configuration of a client to allow unauthenticated access to the Zone will not record *ANY* information on the Zone Control Server regarding the usage of the Zone by the client. Since the ZoneCD Gateway Server is not controlling the client's access it does not have any knowledge of the client's activities. You should reserve such non-authenticated access to TRUSTED clients ONLY!

3. When you make changes that affect the information a browser may display (such as building custom login pages) be sure to clear the browser cache! More "issues" have been reported that were nothing more than a cached web page being displayed instead of the new page. One way to preclude this from occurring is to make sure you have included an HTML Head tag that expires the web page. This will force the web browser to always download a fresh copy of the HTML page each time the page is accessed!

4. If you are using custom login pages served from your own web server be sure to use HTTPS (SSL) encryption. If you don't do this you will get the infamous "Webpage is displaying Secure and Non-Secure content – Do you wish to Continue" message box each time a client attempts to log into your zone.

5. If you are using custom login pages be sure to obtain a SSL Certificate that is traceable back to a Certificate Authority entity. If you do not, your clients will get the "SSL Certificate from Unknown Certificate Authority – Do you wish to Accept" message box each time they attempt to login to the zone.

6. DON'T attempt to make too many changes at the same time! Perform each change one at a time to allow for easier trouble-shooting in the event you run into some problem (and this will happen, Murphy is alive and well!).

7. If you are having 'issues' with connections by either a wireless client to the system or the ZoneCD Gateway Server connection to the Zone Control Server you might want to check the /tmp/init.log file contents to see if the system configured the eth0 and eth1 NIC interfaces for proper operation AND the ping test to the Zone Control Server did indeed work (it is at the bottom of the file).

8. If you are using the pre.sh script to initialize hardware and you are having issues with the ZoneCD Gateway Server (most of the time it is with NIC cards) you may need to insert a delay time to allow the hardware driver enough time to complete its initialization process prior to attempting to access the hardware! Most hardware drivers will execute independently of the rest of the system and sometimes (especially if you are running a fast CPU clock speed) the initialization scripts will attempt to access the hardware prior to the hardware driver completing its configuration. When this event occurs you will get messages such as "unable to initialize hardware" in the bootup screen display. To correct this condition just insert a "sleep" command in the pre.sh script after the command that starts the hardware driver to cause the pre.sh script to "sleep" for X number of seconds before continuing execution. Since the init.sh script called the pre.sh script it too will be forced to "wait" until the sleep period has expired.

Accessing Wireless Router/AP through the ZoneCD Gateway Server (ZoneCD Gateway LAN Static IP Address Method)

You don't have to install anything on your workstations for this to work: no Putty, no X-Windows server, etc.... The only requirement with this method is that the eth0 interface has a static IP address assigned to it.
If the eth0 interface on the ZoneCD Gateway server has its IP address assigned dynamically you will need to figure out how to determine the IP address and also run the dyndns client so you will be able to "find" the ZoneCD Gateway server's IP address remotely!

The way to get to the wireless devices on the eth1 side of the Gateway server is as follows. Setup a DNAT (destination NAT) firewall rule in the firewall for the gateway server where the wireless devices are located:

Code:

    /usr/local/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d xx.xx.xx.xx --dport dddd -j DNAT --to-destination zz.zz.zz.zz:80

where:

    xx.xx.xx.xx = ZoneCD Gateway server eth0 IP address
    dddd = port you want to use (IE: 8001 for wireless device #1, 8002 for #2, etc)
    zz.zz.zz.zz = IP address of wireless device on eth1 interface

and the number after the : is the port number you want to connect with... you would use 80 for http or 443 for https...

I used the -I PREROUTING 1 command option to make sure the rule was listed first in the PREROUTING table. This may not be required but I wanted to remove as many variables as possible.... If you have more than one wireless router/ap then just increment the number following the PREROUTING word in the command, IE: PREROUTING 1 = device-1, PREROUTING 2 = device-2, etc.

The above command performs a NAT (network address translation) that converts the packet destination from the eth0 (LAN) IP:PORT destination address to the eth1 (PUBLIC) device:port destination address. When the response is sent back from the device on the eth1 interface the firewall automatically translates the source address back so the packet information is correct for the return trip. Under "normal" firewall use this would be all that is required, but we are not running the firewall in a standard configuration.
Since the firewall is configured to block all traffic from the eth1 interface to the eth0 interface of the ZoneCD Gateway server we need to "authenticate" the wireless router/ap so it can return the responses. Earlier, a technique was presented that allows a wireless device to have access through the ZoneCD Gateway server without the need to authenticate itself first. The technique is based on allowing the MAC address:IP combination of the device to be its authentication. We used the MAC address:IP combination to configure the firewall in the ZoneCD Gateway server to allow access based on one of the previously defined zone classifications. We can use this very same technique to allow the wireless router/ap to respond without the need to "authenticate" through the ZoneCD Gateway server. The following allows the wireless device to respond back through the ZoneCD Gateway server without authentication.

Code:

    /usr/local/nocat/bin/access.fw permit mm:mm:mm:mm:mm:mm zz.zz.zz.zz Public

where:

    mm:mm:mm:mm:mm:mm is the MAC address of the wireless device connected to the eth1 interface. Be sure you use the correct MAC address, as some devices have a MAC for the WAN side, a different one for the LAN side and still a third different one for the Wireless side!
    zz.zz.zz.zz is the IP address of the wireless router or AP...

NOTE: If you have defined the Protected Class ("Public" in the command line) for the zone to block http access, you will need to use one of the other classifications instead of the "Public" class listed in the above command. You could use the "Member" class (which is the Trusted Class in the PublicIP zone) but this will allow greater access freedom for the wireless router or AP, and if someone figures out how to hack your wireless router or AP they could gain unauthorized access back through using that higher classification. Maybe I am too paranoid???
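The pairing of the two command lines, as an added example that is not from the ZoneCD documentation: a small script that emits the DNAT rule and the matching access.fw permit line for every router/AP in a list, numbering the PREROUTING positions in order and refusing the whole list if a gateway port is used twice or a MAC address is malformed. The gateway eth0 address 203.0.113.10, the device MACs and the 10.10.10.x device addresses are constructed sample data; nothing is applied, the output is meant to be reviewed and then placed in init.sh.

```shell
#!/bin/sh
# Added example, not part of the ZoneCD documentation: emit the DNAT rule and
# the access.fw line for each wireless router/AP reachable from the eth0 side.
# All addresses below are constructed placeholders; replace them with your own.

GW_IP="203.0.113.10"   # gateway eth0 address (placeholder)
AP_CLASS="Public"      # Protected class, the least privileged choice that still answers

# One device per line: MAC, IP on eth1, port on the gateway, port on the device.
DEVICES='
00:11:22:33:44:01 10.10.10.2 8001 80
00:11:22:33:44:02 10.10.10.3 8002 443
'

# forward_pair INDEX MAC AP_IP GW_PORT AP_PORT -> the two lines for one device
forward_pair() {
    echo "/usr/local/sbin/iptables -t nat -I PREROUTING $1 -p tcp -d $GW_IP --dport $4 -j DNAT --to-destination $3:$5"
    echo "/usr/local/nocat/bin/access.fw permit $2 $3 $AP_CLASS"
}

# check_devices -> 0 if every MAC is well-formed and no gateway port repeats
check_devices() {
    seen=""
    set -- $DEVICES
    while [ $# -ge 4 ]; do
        echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
            || { echo "bad MAC: $1" >&2; return 1; }
        case " $seen " in
            *" $3 "*) echo "gateway port $3 listed twice" >&2; return 1 ;;
        esac
        seen="$seen $3"
        shift 4
    done
    return 0
}

# forward_rules -> prints the rule pairs for all devices as PREROUTING 1, 2, ...
forward_rules() {
    check_devices || return 1
    n=0
    set -- $DEVICES
    while [ $# -ge 4 ]; do
        n=$((n + 1))
        forward_pair "$n" "$1" "$2" "$3" "$4"
        shift 4
    done
}

forward_rules
```

Because the list is validated before anything is printed, a duplicate port or a bad MAC yields no partial output, so the script's output can be redirected straight into the init.sh on the floppy or USB drive once it has been read through.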
This method makes it easy to access the wireless router or AP without having to install anything else on your workstation, and you can admin remotely using this method... To access the wireless router or AP remotely you use the IP address and port number you defined in the first command line as the URL. An example would be:

    Zone Gateway server IP address: 207.203.68.80
    Port defined to access the device: 8001

so the URL would be: http://207.203.68.80:8001

You will need both command lines listed above for each wireless router or ap you want to access and you will need to make sure you have different ports defined for each one on the same ZoneCD Gateway server. You can put the command lines in an init.sh executable script file on the ZoneCD Gateway server floppy disk in the /mnt/floppy/zonecd directory and the system will setup the remote access rules each time you reboot the ZoneCD Gateway server...

That's it, that is all that is required! This technique can be used to access any device on the eth1 side of the Gateway Server from the eth0 side; just make sure you have the port address translations setup properly to access the correct port (service) on the device.

Accessing a local server through the ZoneCD Gateway Server

There are times when you might need to allow wireless clients access to a specific server on your wired network but you have setup the zone configuration to block access to your local wired network. Why would you have such a need if you are blocking local wired network access? Why not use the "walled garden" capabilities of the PublicIP system? There are situations where you may want to block local wired network access BUT allow access to authenticated clients (or pre-authenticated wireless devices such as trusted clients with wireless devices that can not perform authentication, or VOIP hardware phones that can not perform authentication).
If you use a “walled garden” configuration then anyone can access the local wired network host without authentication of any kind – this is not what you wanted! When you configure the zone in the Zone Control Server to keep clients out of your local wired network, what you are really doing is setting up a firewall rule on the zone's ZoneCD Gateway Server that basically says "drop all packets destined for the wired side interface network segment". We need to make an exception to this "rule", so we need to set up a firewall rule (or rules, if you are allowing multiple classes access to the server) in the correct firewall ruleset table to allow access to the server on the wired local network segment. This is how we perform this feat of magic: add the following to the /mnt/floppy/zonecd/init.sh script file...

Code:
# list of allowed IP/Port local network access for access by patron and guest users
iptables -t nat -I NoCat_Capture 1 -i eth1 -m mark --mark 3 -d [host IP] -p tcp --dport [port number here] -j ACCEPT
iptables -t nat -I NoCat_Capture 1 -i eth1 -m mark --mark 5 -d [host IP] -p tcp --dport [port number here] -j ACCEPT
# and insert in the initialize.fw script to keep settings if NoCat restarts...
echo "iptables -t nat -I NoCat_Capture 1 -i eth1 -m mark --mark 3 -d [host IP] -p tcp --dport [port number here] -j ACCEPT" >> /usr/local/nocat/bin/initialize.fw
echo "iptables -t nat -I NoCat_Capture 1 -i eth1 -m mark --mark 5 -d [host IP] -p tcp --dport [port number here] -j ACCEPT" >> /usr/local/nocat/bin/initialize.fw

Where:
[host IP] - the IP of the host on the wired local network side you wish to allow access to
[port number here] - the port number on the host you want to allow access to – if you don’t need to filter down to the actual port number (full host access) then you can leave off “--dport [port number here]” in the lines above.
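As an added example (not part of the original document or the PublicIP project), the following init.sh helper generates the NoCat_Capture exceptions described above for any number of service classes, validates the host IP and port first, and records the rules in initialize.fw so they survive a NoCat restart. The chain name, interface, class marks and the initialize.fw path are taken from the document; the 192.168.0.20 address in the comments is a constructed value, and applying the rules assumes you run it as root on the gateway.

```shell
#!/bin/sh
# Added example helper for /mnt/floppy/zonecd/init.sh; not the ZoneCD project's
# own code. It emits (and optionally applies) the NoCat_Capture exceptions that
# let selected service classes reach one host on the wired (eth0) network.
# Chain, interface, marks and the initialize.fw path are those the document uses.

INIT_FW=/usr/local/nocat/bin/initialize.fw

# Map a PublicIP service class name to its firewall mark. "Denied" (mark 4) is
# left out on purpose: there is no reason to open a host to that class.
class_mark() {
    case "$1" in
        Super)     echo 1 ;;
        Trusted)   echo 2 ;;
        Protected) echo 3 ;;
        Liberated) echo 5 ;;
        *)         return 1 ;;
    esac
}

# Accept only a dotted quad with every octet in 0..255, so a typo cannot
# turn into a rule that matches nothing (or something else entirely).
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    ( IFS=.
      set -- $1
      for octet; do [ "$octet" -le 255 ] || exit 1; done )
}

# Print one iptables command per class for HOST:PORT over tcp. PORT may be
# "any" to allow the whole host, which is the document's "leave off --dport"
# case. Nothing is executed here, so the output can be reviewed first.
nocat_local_access_rules() {
    host=$1
    port=$2
    shift 2
    valid_ipv4 "$host" || { echo "nocat_local_access_rules: bad host IP '$host'" >&2; return 1; }
    if [ "$port" = any ]; then
        dport=""
    elif [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ]; then
        dport=" --dport $port"
    else
        echo "nocat_local_access_rules: bad port '$port'" >&2
        return 1
    fi
    [ $# -ge 1 ] || { echo "nocat_local_access_rules: no service class given" >&2; return 1; }
    for class in "$@"; do
        mark=$(class_mark "$class") || { echo "nocat_local_access_rules: unknown class '$class'" >&2; return 1; }
        echo "iptables -t nat -I NoCat_Capture 1 -i eth1 -m mark --mark $mark -d $host -p tcp$dport -j ACCEPT"
    done
}

# Apply the rules now and append each one to initialize.fw (skipping lines that
# are already there), which is how the document keeps them across a NoCat restart.
nocat_local_access_apply() {
    rules=$(nocat_local_access_rules "$@") || return 1
    echo "$rules" | while IFS= read -r rule; do
        $rule || exit 1
        grep -qxF -- "$rule" "$INIT_FW" 2>/dev/null || echo "$rule" >> "$INIT_FW"
    done
}

# Example (constructed address): open a web server at 192.168.0.20 to Protected
# and Liberated users. Uncomment in init.sh; it needs root and iptables.
# nocat_local_access_apply 192.168.0.20 80 Protected Liberated
```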
NOTE: mark 3 = Protected Class and mark 5 = Liberated Class of user. The current service class numbers and actual definitions in the firewall rules are:

1: Super - is the Super class in the PublicIP system
2: Trusted - is the Trusted class in the PublicIP system
3: Protected - is the Protected class in the PublicIP system
4: Denied - as its name implies!
5: Liberated - is the Liberated class in the PublicIP system

Appendix A – Custom Login Web Pages

The following comprises a custom login web page setup that is configured to work with the PublicIP system. It is written in ASP (a server-side scripting language) but can be written in any server-side scripting language, for the purposes of communicating with a local database for any local information you may want to keep.

NOTE: As of the writing of this document you can download all of the files presented here in a zip file located at: http://www.ewcllc.net/files/custom_login.zip – all of the graphics are included. If you find this information to be helpful then please go to the PublicIP forums and thank Yiannis for all of the work he did to make this possible! Yiannis is not affiliated with the PublicIP project but is a contributor to the advancement of the PublicIP project! If you have any questions about these ASP scripts they would be best directed to him.

File name: login.asp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="http://www.server.com/directory/style.css">
<title>Login - . : : Title : : .</title>
</head>
<script language="JavaScript">
function fillForm(){
  document.mylogin.mac.value = document.login.mac.value;
  document.mylogin.token.value = document.login.token.value;
  document.mylogin.remote.value = document.login.remote.value;
  document.mylogin.gateway.value = document.login.gateway.value;
  document.mylogin.timeout.value = document.login.timeout.value;
  document.mylogin.host.value = document.login.host.value;
  document.mylogin.path.value = document.login.path.value;
}
</script>
<body onLoad="fillForm()">
<table width="100%" height="95%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td align="center" valign="middle">
<table width="640" height="480" border="0" cellpadding="0" cellspacing="0">
<tr>
<td height="480" valign="top" background="http://www.server.com/directory/images/bg.jpg"><div align="center">
<table border="0" cellpadding="0" cellspacing="5">
<tr>
<td valign="middle" width="314"><div align="left">
<table border="0" cellspacing="2" cellpadding="0">
<tr>
<td width="231"><div align="center">
<br>
<img src="http://www.server.com/directory/images/login_t.gif" alt height="54" width="200" border="0"><br>
</div></td>
</tr>
</table>
</div></td>
<td align="center" valign="top"><div align="center">
<p>ZONE_LOGO</p>
</div></td>
</tr>
</table>
<br>
<br>
<table width="100%" border="0" cellspacing="10" cellpadding="3">
<tr>
<td><font size="2" face="Verdana, Arial, Helvetica, sans-serif"><strong>Login to continue:</strong></font></td>
</tr>
</table>
<br>
<form method="post" action="http://www.server.com/directory/checklogin.asp" id="mylogin" name="mylogin">
<div align="center">
<table width="249" border="0" cellspacing="0" cellpadding="0" background="http://www.server.com/directory/images/loginwin.jpg" height="167">
<tr>
<td><table class="b1" width="249" border="0" cellpadding="0" cellspacing="4">
<tr>
<td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Username:</b></font></td>
<td><input name="user" type="text" class="size" value size="20" maxlength="255" tabindex="1"></td>
</tr>
<tr>
<td align="right"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><b>Password:</b></font></td>
<td><input name="pass" type="password" class="size" value size="20" maxlength="255" tabindex="2"></td>
</tr>
<tr height="25">
<td colspan="2" align="center" height="25"><div align="right">
<table width="241" border="0" cellspacing="0" cellpadding="0">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td align="right"><input type="image" name="submlogin" src="http://www.w2ns.com/wireless/images/login.gif" width="76" height="25" border="0"></td>
<td align="right"></td>
</tr>
</table>
</div></td>
</tr>
<tr height="16">
<td colspan="2" align="center" height="16"><div align="center">
<font size="1">Don't have an account? <a href="http://www.server.com/directory/registration.asp" id="reg_link">Register here!</a></font></div></td>
</tr>
</table></td>
</tr>
</table>
</div>
<input type="hidden" name="mac" value="">
<input type="hidden" name="token" value="">
<input type="hidden" name="remote" value="">
<input type="hidden" name="gateway" value="">
<input type="hidden" name="timeout" value="">
<input type="hidden" name="host" value="">
<input type="hidden" name="path" value="">
<input type="hidden" name="mode_login.x" value="login">
</form>
</div>
</td>
</tr>
<tr>
<td valign="top"><font size="1">ZONE_TOS</font></td>
</tr>
</table>
<div id="orig_login">
ZONE_LOGIN
</div>
</body>
</html>

The following is the second part of the custom login pages… This part of the login process is used to check local login authentication requirements, then passes the login information to the Zone Control server if the local conditions are met. If the local conditions are not met, the script sends the client to the registration page so they may register to use the system.
File name: checklogin.asp
---- Start of file ----
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="http://www.server.com/directory/style.css">
<title>Login - . : : Title : : .</title>
</head>
<!--#include file="_dbopen.asp"-->
<%
user = Request.Form("user")
pass = Request.Form("pass")
mac = Request.Form("mac")
token = Request.Form("token")
remote = Request.Form("remote")
gateway = Request.Form("gateway")
timeout = Request.Form("timeout")
host = Request.Form("host")
path = Request.Form("path")

' Look the account up with a parameterised query so the submitted username and
' password are passed as data and never spliced into the SQL text.
Set LoginCommand = Server.CreateObject("ADODB.Command")
Set LoginCommand.ActiveConnection = DatabaseConnection
LoginCommand.CommandText = "SELECT username, password FROM users WHERE username = ? AND password = ? AND status = 1 AND exp >= now();"
' 200 = adVarChar, 1 = adParamInput
LoginCommand.Parameters.Append LoginCommand.CreateParameter("user", 200, 1, 255, user)
LoginCommand.Parameters.Append LoginCommand.CreateParameter("pass", 200, 1, 255, pass)
Set LoginRecordset = LoginCommand.Execute
' EOF is tested instead of RecordCount, which a forward-only cursor reports as -1.
if LoginRecordset.EOF then
%>
<body>
<script language="JavaScript">
alert("This account either doesn't exist,\nor it has been suspended.");
history.back();
</script>
<% else %>
<script language="JavaScript">
function pop(){
  window.open( '/control/htdocs/custom/message.jsp', 'Login_Renewal', 'width=355,height=273,scrollbars=yes');
}
</script>
<body onLoad="document.mylogin.submit()">
<form method="get" action="https://ssl.publicip.net/control/login" id="mylogin" name="mylogin" onSubmit="pop()">
<!-- the submitted values are HTML-encoded so quotes in them cannot break out of the attribute -->
<input type="hidden" name="user" value="<%=Server.HTMLEncode(user)%>">
<input type="hidden" name="pass" value="<%=Server.HTMLEncode(pass)%>">
<input type="hidden" name="mac" value="<%=Server.HTMLEncode(mac)%>">
<input type="hidden" name="token" value="<%=Server.HTMLEncode(token)%>">
<input type="hidden" name="remote" value="<%=Server.HTMLEncode(remote)%>">
<input type="hidden" name="gateway" value="<%=Server.HTMLEncode(gateway)%>">
<input type="hidden" name="timeout" value="<%=Server.HTMLEncode(timeout)%>">
<input type="hidden" name="host" value="<%=Server.HTMLEncode(host)%>">
<input type="hidden" name="path" value="<%=Server.HTMLEncode(path)%>">
<input type="hidden" name="mode_login.x" value="login">
</form>
<%
end if
LoginRecordset.Close
%>
<!--#include file="_dbclose.asp"-->
</body>
</html>
---- End file ----

The following is the content of the _dbopen.asp file used to create the connection to the local database, and of _dbclose.asp, used to close the connection – these are the files you would modify to connect to database engines other than MySQL. (The scope of this document does not cover database engine connections.)

File name: _dbopen.asp
----- Start file -----
<%
Set DatabaseConnection = Server.CreateObject("ADODB.Connection")
DatabaseConnection.Open "Driver={MySQL ODBC 3.51 Driver};Server=dbserver;Port=3306;DATABASE=db;UID=user;PWD=pass;"
%>
----- End file -----

File name: _dbclose.asp
----- Start file -----
<%
DatabaseConnection.Close
Set DatabaseConnection = Nothing
%>
----- End file -----

These are the images used by the login scripts:
bg.jpg – the background image used on the login page.
login.gif – the login button image used by the login web page.
login_t.gif – the login icon displayed on the login page.
loginwin.jpg – a table background image.

Appendix B – Custom Registration Pages

The following is the content of the _dbopen.asp file used to create the connection to the local database, and of _dbclose.asp, used to close the connection – these are the files you would modify to connect to database engines other than MySQL. (The scope of this document does not cover database engine connections.)

File name: _dbopen.asp
----- Start file -----
<%
Set DatabaseConnection = Server.CreateObject("ADODB.Connection")
DatabaseConnection.Open "Driver={MySQL ODBC 3.51 Driver};Server=dbserver;Port=3306;DATABASE=db;UID=user;PWD=pass;"
%>
----- End file -----

File name: _dbclose.asp
----- Start file -----
<%
DatabaseConnection.Close
Set DatabaseConnection = Nothing
%>
----- End file -----

Note: If you are using the custom login web pages in Appendix A then you do not need to create the _dbopen.asp and _dbclose.asp files a second time – they are the same and can be used by the ASP code in both the custom login and custom registration pages.
File name: registration.asp
----- Start of file -----
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="http://www.server.com/directory/style.css">
<title>Register - . : : Title : : .</title>
<script language="JavaScript">
function checkForm(){
  message = 'Please make the following corrections to your details:\n\n';
  flag = 0;
  if ( document.register.user.value.length < 6 ) {
    message = message + 'Username has to be at least 6 characters long.\n' ; flag = 1; }
  if ( document.register.name.value.length == 0 ) {
    message = message + 'Enter your full name.\n' ; flag = 1; }
  if ( document.register.pass.value.length < 6 ) {
    message = message + 'Password has to be at least 6 characters long.\n' ; flag = 1; }
  if (document.register.pass.value !== document.register.pass2.value) {
    message = message + 'Re-enter your password.\n' ; flag = 1; }
  if (document.register.address.value.length == 0) {
    message = message + 'Enter your address.\n' ; flag = 1; }
  if (document.register.city.value.length == 0) {
    message = message + 'Enter your city.\n' ; flag = 1; }
  if (document.register.post_code.value.length == 0) {
    message = message + 'Enter your post code.\n' ; flag = 1; }
  if (document.register.tel.value.length == 0) {
    message = message + 'Enter your telephone number.\n' ; flag = 1; }
  if (document.register.email.value.length == 0) {
    message = message + 'Enter your email address,\n if you don\'t have one, please enter \"N/A\"\n and we will provide one for FREE.' ; flag = 1; }
  if (flag == 1) { alert(message); return(false); }
  return(true);
}
</script>
</head>
<body>
<table width="100%" height="95%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td align="center" valign="middle">
<table width="640" height="480" border="0" cellpadding="0" cellspacing="0">
<tr>
<td height="480" valign="top" background="http://www.server.com/directory/images/bg.jpg"><div align="center">
<table border="0" cellpadding="0" cellspacing="5">
<tr>
<td valign="middle" width="314"><div align="left">
<table border="0" cellspacing="2" cellpadding="0">
<tr>
<td width="231"><div align="center">
<br>
<img src="images/register_t.gif" alt height="54" width="200" border="0"><br>
</div></td>
</tr>
</table>
</div></td>
<td align="center" valign="top" width="250">
<div align="center">
<p><img src="images/logo.gif" alt="W2NS Wideband" border="0" WIDTH="250" HEIGHT="77"></p>
</div>
</td>
</tr>
</table>
<table width="100%" border="0" cellspacing="10">
<tr>
<td><font face="Verdana, Arial, Helvetica, sans-serif" size="1">Welcome! Please enter the following information to register.</font></td>
</tr>
</table>
<form method="post" action="register_submit.asp" name="register" id="register" onsubmit="return checkForm();">
<div align="center">
<table border="0" cellpadding="5" cellspacing="0">
<tr valign="top">
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Username:</b></font></td>
<td valign="middle"><input type="text" name="user" value size="20" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font size="2" face="Verdana, Tahoma, Arial, Helvetica, sans-serif"><b>Full Name:</b></font></td>
<td valign="middle"><input type="text" name="name" value size="35" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Password:</b></font></td>
<td valign="middle"><input type="password" name="pass" value size="20" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Password again:</b></font></td>
<td valign="middle"><input type="password" name="pass2" value size="20" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Address:</b></font></td>
<td valign="middle"><input type="text" name="address" value size="35" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>City:</b></font></td>
<td valign="middle"><input type="text" name="city" value size="20" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Post Code:</b></font></td>
<td valign="middle"><input type="text" name="post_code" value size="8" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Tel:</b></font></td>
<td valign="middle"><input type="text" name="tel" value size="15" maxlength="255" class="form"></td>
</tr>
<tr>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><b>Email:</b></font></td>
<td valign="middle"><input type="text" name="email" value size="25" maxlength="255" class="form"></td>
</tr>
<tr>
<td height="32"><input name="redirect" type="hidden" value></td>
<td height="32"><div align="right"><input type="image" src="images/register.gif" name="register" width="76" height="25" border="0"></div></td>
</tr>
</table>
</div>
<input type="hidden" name="mac" value>
<input type="hidden" name="token" value>
<input type="hidden" name="remote" value>
<input type="hidden" name="gateway" value>
<input type="hidden" name="timeout" value>
<input type="hidden" name="host" value>
<input type="hidden" name="path" value>
<input type="hidden" name="mode_login.x" value="login">
</form>
</div>
</td>
</tr>
<tr>
<td valign="top"><font size="1">Using our Internet implies that you have read and agreed to our <a href="javascript:;" onClick="window.open( 'https://ssl.publicip.net/legal/zone_terms.php?remote=2', 'Terms', 'width=640,height=480,scrollbars=yes');" onMouseover="window.status='View Terms of Use';return true" onMouseout="window.status='';return true"> Terms of Use</a>.</font></td>
</tr>
</table>
</body>
</html>
----- End of file -----

The following is the custom style sheet file used with the registration pages presented here:

File name: style.css
---- Start of File ----
BODY {
  FONT-SIZE: 8pt; MARGIN: 0px; COLOR: #000080; FONT-FAMILY: Verdana, 'Trebuchet MS'; TEXT-ALIGN: center
}
.form {
  BORDER-RIGHT: 2px inset; BORDER-TOP: 2px inset; FONT-SIZE: 8pt; BORDER-LEFT: 2px inset; COLOR: #000080; BORDER-BOTTOM: 2px inset; FONT-FAMILY: Verdana, Tahoma, Arial, Sans-Serif
}
.label {
  BORDER-RIGHT: 2px; BORDER-TOP: 2px;
  FONT-SIZE: 10pt; BORDER-LEFT: 2px; BORDER-BOTTOM: 2px; HEIGHT: 15px; TEXT-ALIGN: right
}
#login { WIDTH: 200px; HEIGHT: 75px }
#main {
  BACKGROUND-POSITION: left bottom; BACKGROUND-IMAGE: url(images/back-gradient.jpg); WIDTH: 640px; BACKGROUND-REPEAT: repeat-x; HEIGHT: 480px; TEXT-ALIGN: center
}
#logo { WIDTH: 640px; HEIGHT: 77px; TEXT-ALIGN: right }
.button {
  BORDER-RIGHT: #f8cc30 2px outset; BORDER-TOP: #f8cc30 2px outset; FONT-WEIGHT: bold; FONT-SIZE: 8pt; BORDER-LEFT: #f8cc30 2px outset; WIDTH: 70px; COLOR: #3064c8; MARGIN-RIGHT: 10px; PADDING-TOP: 0px; BORDER-BOTTOM: #f8cc30 2px outset; FONT-FAMILY: 'Trebuchet MS'; HEIGHT: 23px; BACKGROUND-COLOR: #f8cc30; TEXT-ALIGN: center
}
A { COLOR: #0000ff }
A:hover { TEXT-DECORATION: none }
A:visited { COLOR: #0000ff }
#orig_login { DISPLAY: none; Z-INDEX: -2 }
---- End of file ----

The register_submit.asp file used in the custom registration pages:

File name: register_submit.asp
---- Start of File ----
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="http://www.server.com/directory/style.css">
<title>Login - . : : Title : : .</title>
</head>
<!--#include file="_dbopen.asp"-->
<%
user = Request.Form("user")
name = Request.Form("name")
pass = Request.Form("pass")
address = Request.Form("address")
city = Request.Form("city")
post_code = Request.Form("post_code")
tel = Request.Form("tel")
email = Request.Form("email")

' Both statements use ADODB.Command parameters so the form fields are passed
' as data rather than concatenated into the SQL text. 200 = adVarChar, 1 = adParamInput.
Set CheckRegisterCommand = Server.CreateObject("ADODB.Command")
Set CheckRegisterCommand.ActiveConnection = DatabaseConnection
CheckRegisterCommand.CommandText = "SELECT username FROM users WHERE username = ? ;"
CheckRegisterCommand.Parameters.Append CheckRegisterCommand.CreateParameter("user", 200, 1, 255, user)
Set CheckRegisterRecordset = CheckRegisterCommand.Execute
' EOF is tested instead of RecordCount, which a forward-only cursor reports as -1.
if Not CheckRegisterRecordset.EOF then
%>
<body>
<script language="JavaScript">
alert("This username exists,\nplease choose another.");
history.back();
</script>
<%
else
' Parameter order follows the column order of the users table in db.sql:
' username, name, password, (user_type = 2), email, address, city, post_code, tel
Set InsertRegisterCommand = Server.CreateObject("ADODB.Command")
Set InsertRegisterCommand.ActiveConnection = DatabaseConnection
InsertRegisterCommand.CommandText = "INSERT INTO users VALUES (NULL, ?, ?, ?, 2, ?, ?, ?, ?, ?, now(), now(), '', '', 1) ;"
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("user", 200, 1, 255, user)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("name", 200, 1, 255, name)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("pass", 200, 1, 255, pass)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("email", 200, 1, 255, email)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("address", 200, 1, 255, address)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("city", 200, 1, 255, city)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("post_code", 200, 1, 255, post_code)
InsertRegisterCommand.Parameters.Append InsertRegisterCommand.CreateParameter("tel", 200, 1, 255, tel)
InsertRegisterCommand.Execute
%>
<body onload="register.submit()">
<form method="post" action="https://xml.publicip.net/remote_reg.php" id="register" name="register">
<input type="hidden" name="key" value="ask scott (wiphi) for key">
<!-- the submitted values are HTML-encoded so quotes in them cannot break out of the attribute -->
<input type="hidden" name="user" value="<%=Server.HTMLEncode(user)%>">
<input type="hidden" name="pass" value="<%=Server.HTMLEncode(pass)%>">
<input type="hidden" name="display" value="http://www.server.com/directory/register_result.asp">
<input type="hidden" name="name" value="<%=Server.HTMLEncode(name)%>">
<input type="hidden" name="network" value="L">
<input type="hidden" name="status" value="A">
</form>
<%
end if
CheckRegisterRecordset.Close
%>
<!--#include file="_dbclose.asp"-->
</body>
</html>
---- End of File ----

The register_result.asp file used in the custom registration form configuration:

File name: register_result.asp
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link rel="stylesheet" type="text/css" href="http://www.server.com/directory/style.css">
<title>Register - . : : W2NS Wideband - Unplug your Freedom! : : .</title>
</head>
<body>
<table width="100%" height="95%" border="0" cellpadding="6" cellspacing="0">
<tr>
<td align="center" valign="middle">
<table width="640" height="480" border="0" cellpadding="0" cellspacing="0">
<tr>
<td height="480" valign="top" background="http://www.server.com/directory/images/bg.jpg"><div align="center">
<table border="0" cellpadding="0" cellspacing="5">
<tr>
<td valign="middle" width="314"><div align="left">
<table border="0" cellspacing="2" cellpadding="0">
<tr>
<td width="231"><div align="center">
<br><img src="http://xml.publicip.net/images/control/title_en/welcome_t.gif" alt height="54" width="200" border="0"><br>
</div></td>
</tr>
</table>
</div></td>
<td align="center" valign="top" width="250">
<div align="center"><p><img src="images/logo.gif" alt="W2NS Wideband" border="0" WIDTH="250" HEIGHT="77"></p></div>
</td>
</tr>
</table>
<table width="100%" border="0" cellspacing="10">
<tr>
<td><font face="Verdana, Arial, Helvetica, sans-serif" size="1"> </font></td>
</tr>
</table>
<div align="center">
<table border="0" cellpadding="5" cellspacing="0">
<tr valign="top">
<% ' the message arrives in the query string, so it is HTML-encoded before it is displayed %>
<td align="right" valign="middle"><font face="Verdana, Tahoma, Arial, Helvetica, sans-serif" size="2"><br><br><br><br><b><%=Server.HTMLEncode(Request.QueryString("message"))%></b></font></td>
</tr>
</table>
</div>
</div></td>
</tr>
<tr>
<td valign="top"><font size="1">Using our Internet implies that you have read and agreed to our <a href="javascript:;" onClick="window.open( 'https://ssl.publicip.net/legal/zone_terms.php?remote=1', 'Terms', 'width=640, height=480, scrollbars=yes');" onMouseover="window.status='View Terms of Use';return true" onMouseout="window.status='';return true"> Terms of Use</a>.</font></td>
</tr>
</table>
</body>
</html>

The following images are used by the registration web pages:
register.gif – the register button image used in the registration page.
register_t.gif – the register title image used.

Database Schema used for the Custom Login and Registration Pages

The following is a MySQL schema file used to create the tables and records needed for the custom login and custom registration web page ASP scripts presented in Appendix A and Appendix B. If you decide to use a different database engine then you will need to create the same tables and records as they are defined in this file for the system to work properly, if you don’t want to modify the ASP web pages.

File name: db.sql
----- Start of File -----
# phpMyAdmin SQL Dump
# version 2.5.3-rc2
# http://www.phpmyadmin.net
#
# Server version: 4.0.18
# PHP Version: 4.3.5
#
# Database : `db`
#
# ENGINE= (a synonym for the older TYPE= spelling) is accepted from MySQL 4.0.18 onwards.

# Table structure for table `user_type`

CREATE TABLE `user_type` (
  `user_type_id` tinyint(1) unsigned NOT NULL auto_increment,
  `description` varchar(20) NOT NULL default '',
  PRIMARY KEY (`user_type_id`)
) ENGINE=MyISAM AUTO_INCREMENT=1 ;

# Table structure for table `users`

CREATE TABLE `users` (
  `user_id` smallint(5) unsigned NOT NULL auto_increment,
  `username` varchar(50) NOT NULL default '',
  `name` varchar(50) NOT NULL default '',
  `password` varchar(20) NOT NULL default '',
  `user_type` tinyint(1) NOT NULL default '0',
  `email` varchar(255) NOT NULL default '',
  `address` varchar(100) NOT NULL default '',
  `city` varchar(50) NOT NULL default '',
  `post_code` tinytext NOT NULL,
  `tel` varchar(20) NOT NULL default '',
  `reg` datetime NOT NULL default '0000-00-00 00:00:00',
  `exp` datetime NOT NULL default '0000-00-00 00:00:00',
  `description` varchar(255) default NULL,
  `comments` longtext,
  `status` tinyint(1) NOT NULL default '1',
  PRIMARY KEY (`user_id`),
  KEY `name` (`name`,`password`),
  KEY `user_id` (`user_id`),
  KEY `username` (`username`)
) ENGINE=MyISAM PACK_KEYS=0 AUTO_INCREMENT=1 ;
----- End of File -----

Appendix C - “How To” Modify the ZoneCD Image

The following information describes the steps required to create a modified ZoneCD ISO image. This is not something to be taken on lightly, as you can create a good number of “coasters” out of CD-R disks. To create a modified version of the ZoneCD ISO image you need to first break an existing ZoneCD ISO image into its component parts, make the changes you desire to the parts of the filesystem, and then rebuild the ZoneCD ISO image…. Sounds easy – doesn’t it??? Well – hang on! This "how to" will provide you with instructions on how you can alter the source of the ZoneCD ISO image. This will allow you to alter the way the gateway performs and add or remove services. Much of this 'how to' information has been extracted from other documentation on the http://www.morphix.org website. If you want to get into some heavy duty "morphing", that is the place to learn...

Hardware and Software Requirements

For this you will need the following installed on a computer:
• linux kernel 2.4.x on x86 (I use Debian Woody [stable branch])
• about 1 gig free space as either system ram or ram + swap space
• mkisofs
• cloop-utils 1.02-2 or newer…

You want to set up a computer with the Debian Linux operating system. You can download the Debian ISO files and make installation CD-Roms to perform the installation, or if you have a fast internet connection you can download a minimal installation and perform the installation over the internet. Personally I use the ISO method – it may take a little longer to get the ISO files and burn them to CD-Roms, but you have them available when you need them, and if you are installing the system and do not have a good internet connection (or have a slow internet connection) you will be happy you have the ISO files. The computer you use should be at least a 450-MHz machine with at least 256-Megs of RAM and a 20-Gig Hard Drive.
You want to partition the hard drive so you have at least two partitions – one for the Debian Linux system’s filesystem and the other for a Linux swap partition. The swap partition should be at least 1-Gig in size, but I run a 2-Gig swap partition just to account for the fact that an uncompressed Morphix system can be up to 2-Gigs in size. It never hurts to have a large swap partition, and hard drive space is very inexpensive! With the above system you can expect about 1 to 1.5 hours to build a ZoneCD ISO image from scratch – the reason for the length of time has to do with the way the ZoneCD ISO is built – there are two distinct compression steps that occur. The first step takes the longest, and the faster the computer the shorter the time required. With the above listed system you can expect around 40 – 60 minutes to build the first compressed file, and the remainder of the time is taken to build the actual ISO file. Nobody said it was fast!!!

Steps Required to Decompress the ZoneCD ISO Image file

You need to do three things in order to decompress a ZoneCD ISO image file into something you can modify:
1. Mount the ISO image file to the filesystem for access
2. Extract and uncompress the mainmod (publicip.mod) compressed file containing the ZoneCD filesystem
3. Mount the mainmod file for access to the ZoneCD filesystem

We have to go through the above steps because of the “way” a LiveCD works. The Morphix system already knows how to perform these steps to access the ZoneCD filesystem, but a standard Debian linux system does not. First we loopmount an ISO image file stored on your hard drive in the filesystem root directory (/) and create a directory to hold the resultant CD image file structure. This directory will be compressed back into an ISO later, after changes have been made...
# start in the root directory
cd /
# create a temp directory so we can loopmount the ISO image for reading
mkdir temp
mount -o loop publicip.iso temp/
# copy the content of the ISO image into a directory called my_cd/
cp -Rp temp/ my_cd/
# dismount the temp directory – we will need it for the next steps…
umount temp/

Now you have a new directory named my_cd that holds the contents of the CD. If you were to put the ISO CD in a CD drive and look at the content, it would be the same as what is contained in the my_cd directory – slick, huh? Next let’s get the mainmod (PublicIP Linux filesystem) out and decompress that into a workable file structure. This will be compressed back into a mod later for re-insertion into the ZoneCD ISO.

# the first thing to do is to extract the content of the publicip.mod file contained in the
# my_cd/mainmod directory and put it in the root directory in a temp.iso file for decompressing in
# a couple of steps…
cd /my_cd/mainmod/
extract_compressed_fs publicip.mod > /temp.iso
# now we can extract the actual PublicIP filesystem from the temp file we just created…
cd /
# loopmount the temp.iso file to the /temp directory so we can get access to the iso contents
mount -o loop temp.iso temp/
# copy the content of the /temp directory to a directory called my_mod
cp -Rp temp/ my_mod/
# remove the un-used file created by the copy operation & unmount the /temp directory…
rm -rf my_mod/.rr_moved
umount /temp

Making Changes To the ZoneCD System

We now have the ZoneCD system on the hard drive where we can work on it. Now you can either chroot to my_mod or just go in and start making changes directly to the filesystem (contained in the my_mod directory). You should refer to http://www.morphix.org for details on how to make big changes and do new things. If you decide to add more functionality to the ZoneCD ISO, be sure to make any changes for any added software packages so that they use the ram-disk for variable and temporary storage!
If you don’t, the package that was added will not run! See the http://www.morphix.org website for details. You may want to make a copy of the virgin versions of the my_cd and my_mod directories before you go making changes – that way, if you ever have to start over, you will not have to go through the process of “unpacking and decompressing” the required files each time… Just note that both of these directories will use a great deal of space!

The most important file to be aware of is /morphix/init.sh. This file was previously discussed in a different location within this documentation… This file is used by the Morphix system for boot time configuration of the ZoneCD Gateway server – if you do make changes here, make sure they are either needed across every zone you plan to set up or are something that cannot be performed in the pre.sh or init.sh scripts you could set up on the writeable storage device.

A couple of areas where you might think about changes would be the number of clients the DHCP server can handle at any given time. The default is currently set to 100, but there is no reason you could not increase the number to 200 or so if needed. A second area may be in the eth1 IP addressing range and IP address for clients. There is nothing magical about the 10.10.10.XX addressing space other than it is a sub-net of the private IP address space 10.XX.XX.XX. If you needed to change the addressing range and IP addresses for eth1 you can do that here. A third area may be in any special hardware drivers you need to load and configure if you have some special hardware configuration. This is something best left to someone with extensive experience in such matters, but you need to be aware this is where you would do this type of change.

Once you have done your tweaking, it's time to put it all back together into a bootable ISO image file.
NOTE: You do not need to perform the above steps every time you change stuff; just keep re-compressing the directories with the following commands after you have made changes....

Creating a ZoneCD Gateway Server Bootable CD-Rom ISO File

In order to create a bootable ISO we basically reverse the steps required to break apart the original ISO we started with… With this in mind, there are two discrete steps we must accomplish to generate the ISO file:

1. Compress the mainmod directory content and place the resulting file in the my_cd directory in the proper place:

# start in the root directory
cd /
# compress the mainmod directory contents into a publicip.mod file.
# ( all typed on one line!)
mkisofs -R -U -V "ZoneCD" -P "ZoneCD" -hide-rr-moved -cache-inodes -no-bak -pad my_mod \
  | nice -5 create_compressed_fs - 65536 > my_cd/mainmod/publicip.mod

The above command can take anywhere from 30 minutes to over an hour to complete depending on your computer’s resources and speed… just letting you know! The above step also combines the compression of the mainmod directory and places it in the correct location in the my_cd directory in preparation for creating the bootable CD-Rom ISO image file.

2. Create the Bootable ZoneCD ISO image file

Now – once the publicip.mod has been created from the my_mod directory content, we need to reconstruct a bootable ZoneCD ISO file that we can burn to a CD-R disk; hopefully the changes we made will still allow the system to boot up…

# make the iso:
mkisofs -r -J -b base/boot.img -c base/boot.cat -o publicip.iso my_cd

This operation is quicker than the creation of the publicip.mod file in the previous step, but it still will take a little time to create the completed ISO file… You are done! The new ISO file is named “publicip.iso” and is in the root directory…. Fire up the burner and see what you got.....
Hopefully you have done everything correctly; otherwise you will end up with a nice plastic coaster – great for making mobiles and for those special people for Christmas Presents! See – that was not so hard!

Appendix D – Useful Linux Commands and Command Strings

Even though the ZoneCD Gateway Server has a built-in graphical user interface, there are times where you will need to enter command-line instructions to the system, either to make some change or in the course of trouble-shooting some problem. If you are running in the GUI mode for the console display, you would click on the Root Terminal icon on the toolbar at the bottom of the Desktop (the left-most icon with a computer terminal on it) to activate a root terminal screen. This is where the following commands would be typed for execution. The commands are in BOLD:

ps -ef | grep gateway | grep -v grep

Check to see if the nocat gateway process is still running. If the nocat process is running you should see a line displayed as such:

root 669 1 0 Feb28 ? 00:00:34 /usr/bin/perl -w /var/tmp/trans/usr/local/nocat/bin/gateway

/etc/init.d/nocat restart

Restart the nocat gateway without downloading the current settings from PublicIP. When you execute this command the nocat process will terminate any client connections to the system and restart the nocat process.

/etc/init.d/nocat reload

Download the current settings from PublicIP and restart the nocat gateway. This command string will not only restart the nocat process but will also download the configuration for the ZoneCD gateway server from the Zone Control Server. If you make changes to the zone while the ZoneCD Gateway Server is running, you can use this command to download the changes instead of re-booting the whole system! It is much quicker to come back online this way.
cat /proc/net/ip_conntrack | less

This command will “read” the current content of the /proc/net/ip_conntrack table in the Linux kernel and display the current active connections to the system. This is a very handy tool for checking to see what sessions are currently passing traffic through the Gateway Server and to find out if there is a problem with TCP/IP connections by watching the TCP handshake signals. This is a real-time snapshot of the IP connection table, so it will only show what is happening at the time the command is executed. To close the display you press the q key, to go forward press the spacebar key and to go backward press the b key.

/usr/bin/top

This command will run the top program – the program will display all of the running and sleeping processes on the system. There is some very good information displayed at the top of the screen – some of the output is shown below:

top - 18:25:26 up 21 days, 1:50, 1 user, load average: 0.09, 0.04, 0.00
Tasks: 36 total, 1 running, 35 sleeping, 0 stopped, 0 zombie
Cpu(s): 0.7% user, 1.7% system, 0.0% nice, 97.7% idle
Mem: 222220k total, 217256k used, 4964k free, 740k buffers
Swap: 0k total, 0k used, 0k free, 170728k cached

To exit the program, just press the q key. Pressing the h key displays the help screen.

/usr/local/nocat/bin/dump.fw | less

Display the current iptables firewall configuration information.

mutt -s "nocat.log" -a /usr/local/nocat/nocat.log [email protected] -x < /dev/null

Send the nocat log to Scott (Wi-Phi) – only use this command if Wi-Phi requests it during troubleshooting operations!

dmesg | less

Display the current content of the dmesg bootup log. The information displayed is what the system produces during the bootup of the system. To move forward press the space-bar key, to move backward press the ‘b’ key and to exit press the ‘q’ key.
dmesg | mutt -s "your dmesg" [email protected]

Send the dmesg log to Scott (Wi-Phi) – only use this command if Wi-Phi requests it during troubleshooting operations!

apt-get install xfonts-base xfce4 vncserver

Setting up and running VNC on the ZoneCF/HD... (http://www.publicip.net/phpBB2/viewtopic.php?t=947)

The apt-get command installs applications into a Morphix Debian-based system (which is what the ZoneCD Gateway Server is based on), so you can use the apt-get command to download and install applications directly from the Internet! Here is the caveat – IT TAKES MEMORY!!! This will require about 200MB of space because it does not make much sense running VNC without a GUI. You will most likely need about 384 – 512 meg of memory in a ZoneCD based machine to perform this operation – it makes much more sense to do it in a Compact Flash / hard drive installation rather than a CD-Rom based system, but the option is there! After you're done, just run vncserver and check the output of the log to see the port (probably 5901). I have not personally run the above command so this may or may not work for you… YMMV (your mileage may vary)…

Appendix E - How To Access Wireless Devices using SNMP

This technique builds upon the earlier method of accessing a wireless device’s web interface as described in the Tweaks and Tips section of this document. One reason you might want to be able to access a wireless router or Access Point using SNMP is to monitor and/or control the operation of the device. Some of the devices have monitoring capabilities built into their software that allow SNMP queries for specific information such as interface input and output packet counts, uptime, radio signal quality, etc.

There are a couple of requirements you must meet to be able to use SNMP for monitoring:

1. Obviously – have a wireless device that supports SNMP.
2. Have a software package that can use SNMP to access the wireless device to gather the information you are interested in.
The SNMP protocol uses UDP (user datagram protocol) packets for communications and is assigned port 161 for the communications socket connection. We need to be able to communicate with the wireless device on port 161 using UDP. To add more complexity – if you have more than one wireless device you want to monitor, you will need to be able to differentiate between them through the ZoneCD Gateway Server.

An example would be that you have wireless devices on IP addresses 10.10.10.2 and 10.10.10.3 which support SNMP. You want to be able to check the status of both wireless routers from the wired (eth0) side of the ZoneCD Gateway Server. And to add a little more complexity, let’s also say both wireless devices have a web interface that allows you to configure and control the devices. For our hypothetical configuration we will use 208.152.100.9 as the eth0 interface IP address on the ZoneCD Gateway Server.

Here is an example of what you need to send to the firewall to configure for the above scenario:

# wireless Device 1
# Setup access to the wireless router http server through port 8001 on the zonecd computer
# (the following command is all on one line!)
/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d 208.152.100.9 --dport 8001 -j DNAT --to-destination 10.10.10.2:80
# Setup access to the wireless router snmp server through port 9001 on the zonecd computer:
# (the following command is all on one line!)
/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p udp -d 208.152.100.9 --dport 9001 -j DNAT --to-destination 10.10.10.2:161
# Setup the zonecd server firewall to allow the wireless router response to come back to us...
# NOTE: Make sure the liberated class does not block port 161 in the zone
/usr/local/nocat/bin/access.fw permit mm:mm:mm:mm:mm:mm 10.10.10.2 Liberated

# wireless Device 2
# Setup access to the wireless router http server through port 8002 on the zonecd computer
# (the following command is all on one line!)
/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p tcp -d 208.152.100.9 --dport 8002 -j DNAT --to-destination 10.10.10.3:80
# Setup access to the wireless router snmp server through port 9002 on the zonecd computer:
# (the following command is all on one line!)
/usr/local/sbin/iptables -t nat -I PREROUTING 1 -p udp -d 208.152.100.9 --dport 9002 -j DNAT --to-destination 10.10.10.3:161
# Setup the zonecd server firewall to allow the wireless router response to come back to us...
# NOTE: Make sure the liberated class does not block port 161 in the zone
/usr/local/nocat/bin/access.fw permit mm:mm:mm:mm:mm:mm 10.10.10.3 Liberated

where: mm:mm:mm:mm:mm:mm is the MAC address of the wireless device LAN interface (the same interface the ZoneCD Gateway Server eth1 connects to, or the wireless interface if WDS).

Now – to access the wireless devices you would perform the following:

Web Interface on the wireless routers:
Device 1: http://208.152.100.9:8001
Device 2: http://208.152.100.9:8002

SNMP server on the wireless devices:
Device 1: [email protected]:9001
Device 2: [email protected]:9002

NOTE: the “public@” in front of the IP addresses above is the way SNMP addresses the device using the “public” group – this is beyond the intent of this document and you can find all sorts of really great information on the Internet about SNMP and how to use it!

That is all that is required to gain SNMP access to your wireless devices! In the example I included the ability to access the web interface of the wireless devices as well, to show how you would configure for different ports and protocols to access the devices.

A very flexible program called MRTG can use SNMP to gather information and display it as a line graph. You can find out more about MRTG at: http://people.ee.ethz.ch/~oetiker/webtools/mrtg This package has been around for a long time and is constantly being improved!
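The per-device rules above follow one pattern (outside port 800N for the web interface, 900N for the SNMP agent, plus an access.fw permit), so they can be generated from a table instead of retyped for each device. The script below is an added example and is not part of the ZoneCD documentation; it assumes the iptables and access.fw paths and the 208.152.100.9 eth0 address from the appendix, and the device table and the optional ADMIN_NET value are constructed. ADMIN_NET is an addition to the appendix's rules: when set, the generated DNAT rules carry an iptables -s match so only that source network can reach the forwarded ports, rather than anyone who can reach the eth0 address.

```shell
#!/bin/sh
# Added example, not from the ZoneCD documentation. Generates the DNAT and
# access.fw commands shown in Appendix E for any number of devices.
# Assumed paths/addresses are the ones used in the appendix.
IPTABLES=/usr/local/sbin/iptables
ACCESS_FW=/usr/local/nocat/bin/access.fw
ETH0_IP=208.152.100.9          # eth0 address from the appendix example
ADMIN_NET=${ADMIN_NET:-}       # optional source restriction, e.g. 203.0.113.0/24 (constructed)

# Constructed device table: "index  device-LAN-IP  device-MAC" per line.
# Index N selects outside ports 800N (web UI) and 900N (SNMP), as in the appendix.
DEVICES="1 10.10.10.2 mm:mm:mm:mm:mm:mm
2 10.10.10.3 mm:mm:mm:mm:mm:mm"

# zone_rules INDEX IP MAC -> prints the three commands for one device
zone_rules() {
    idx=$1; ip=$2; mac=$3
    # the 800N/900N port scheme only works for a single-digit index
    case $idx in
        [1-9]) ;;
        *) echo "device index must be 1-9 (port scheme 800N/900N)" >&2; return 1 ;;
    esac
    src=""
    [ -n "$ADMIN_NET" ] && src=" -s $ADMIN_NET"
    # outside tcp/800N -> device web interface on port 80
    echo "$IPTABLES -t nat -I PREROUTING 1 -p tcp$src -d $ETH0_IP --dport 800$idx -j DNAT --to-destination $ip:80"
    # outside udp/900N -> device SNMP agent on port 161
    echo "$IPTABLES -t nat -I PREROUTING 1 -p udp$src -d $ETH0_IP --dport 900$idx -j DNAT --to-destination $ip:161"
    # let the device's replies back out through the nocat firewall
    echo "$ACCESS_FW permit $mac $ip Liberated"
}

# all_rules -> prints the commands for every device in DEVICES
all_rules() {
    printf '%s\n' "$DEVICES" | while read -r idx ip mac; do
        [ -n "$idx" ] && zone_rules "$idx" "$ip" "$mac"
    done
}

# Default is a dry run that only prints the commands; APPLY=1 pipes them to sh.
if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh
else
    all_rules
fi
```

Run it once without APPLY to review the commands, then with APPLY=1 as root on the gateway. The index check matters because an index of 10 would silently produce port 80010, which is not a valid port.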
Best of all is the Price – FREE (gotta love that!)…

Appendix – F: Modification of outgoing email for log files

The following allows you to change the configuration of the exim email handling process to allow sending the email reports to a different email server – you may find your ISP does not allow email to originate from the ZoneCD, so you would need to change the email SMTP server the ZoneCD sends the email log files to.

nano -w /etc/exim/exim.conf

[location may vary with ZoneCD version; verify this file exists; /etc/exim.conf is one possible alternate location]

and make changes as described above. Make sure each section of exim.conf closes with End on its own line. It's very easy to knock one of these out accidentally and then get a syntax error when you try to restart exim. Most consumer ISPs will require a username and password (further on down in the file). Exit nano with CTRL-X, "Y" to the prompt to save changes.

If you want to try it out (recommended), do:

sh /etc/init.d/exim restart

And then try to send yourself a log file with the mutt command.

Now, once you know it works, it's important to make sure you don't have to do this again. So we save to floppy and set up a script to load the file you just created:

cp /etc/exim/exim.conf /mnt/floppy
cd /mnt/floppy/zonecd
nano -w pre.sh

Enter the following into the new file:

#!/bin/sh
echo "running pre.sh now -- resetting mail server with local config"
rm /etc/exim/exim.conf
cp /mnt/floppy/exim.conf /etc/exim/exim.conf
/etc/init.d/exim restart
echo "exim reconfigured"

Exit nano with CTRL-X, "y" to save changes. Now we have to make the script executable:

chmod +x pre.sh

That ought to make everything work again when you restart. If any of the more senior people on this list have any corrections in reply to this, of course you'll want to take those into account, but this worked for me with v. 0.6-0.
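The pre.sh above removes /etc/exim/exim.conf before copying the floppy copy over it, so if the floppy is not mounted or the file is missing the gateway boots with no exim configuration at all. The variant below is an added example, not the script from the appendix: it replaces the config only when the floppy copy exists and is non-empty, keeps the previous file as exim.conf.orig, and copies via a temporary name so a half-written file is never left in place. The floppy and exim paths are the appendix's; the PRE_SH_RUN switch is an assumption so the function can be exercised on scratch directories without touching a live system.

```shell
#!/bin/sh
# Added example, not the appendix's pre.sh: only swap in the floppy copy of
# exim.conf when it is actually there, and keep a backup of the old one.

# install_conf SRC DST
#   returns 0 when DST was replaced by SRC (old DST saved as DST.orig)
#   returns 1 when SRC is missing or empty; DST is left untouched
install_conf() {
    src=$1; dst=$2
    if [ ! -s "$src" ]; then
        echo "pre.sh: $src missing or empty, keeping $dst" >&2
        return 1
    fi
    # keep the previous config so a bad floppy copy can be reverted
    [ -f "$dst" ] && cp -p "$dst" "$dst.orig"
    # write beside the target, then rename: exim never reads a partial file
    cp "$src" "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# Real pre.sh behaviour (paths from the appendix), enabled only with PRE_SH_RUN=1
# so that sourcing this file elsewhere does not restart exim (assumed switch).
if [ "${PRE_SH_RUN:-0}" = 1 ]; then
    echo "running pre.sh now -- resetting mail server with local config"
    if install_conf /mnt/floppy/exim.conf /etc/exim/exim.conf; then
        /etc/init.d/exim restart
        echo "exim reconfigured"
    fi
fi
```

On the gateway, run it as `PRE_SH_RUN=1 sh pre.sh` (or put that export at the top of the file) and exim is restarted only after a good copy landed; a missing floppy copy is reported on stderr and the configuration that was already on the system keeps working.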
Appendix – G: Dansguardian file extensions banned list

#Banned extension list
# File extensions with executable code
# The following file extensions can contain executable code.
# This means they can potentially carry a virus to infect your computer.
.ade    # Microsoft Access project extension
.adp    # Microsoft Access project
.asx    # Windows Media Audio / Video
.bas    # Microsoft Visual Basic class module
.bat    # Batch file
.cab    # Windows setup file
.chm    # Compiled HTML Help file
.cmd    # Microsoft Windows NT Command script
.com    # Microsoft MS-DOS program
.cpl    # Control Panel extension
.crt    # Security certificate
.dll    # Windows system file
.exe    # Program
.hlp    # Help file
.ini    # Windows system file
.hta    # HTML program
.inf    # Setup Information
.ins    # Internet Naming Service
.isp    # Internet Communication settings
# .js   # JScript file - often needed in web pages
# .jse  # Jscript Encoded Script file - often needed in web pages
.lnk    # Windows Shortcut
.mda    # Microsoft Access add-in program
.mdb    # Microsoft Access program
.mde    # Microsoft Access MDE database
.mdt    # Microsoft Access workgroup information
.mdw    # Microsoft Access workgroup information
.mdz    # Microsoft Access wizard program
.msc    # Microsoft Common Console document
.msi    # Microsoft Windows Installer package
.msp    # Microsoft Windows Installer patch
.mst    # Microsoft Visual Test source files
.pcd    # Photo CD image, Microsoft Visual compiled script
.pif    # Shortcut to MS-DOS program
.prf    # Microsoft Outlook profile settings
.reg    # Windows registry entries
.scf    # Windows Explorer command
.scr    # Screen saver
.sct    # Windows Script Component
.sh     # Shell script
.shs    # Shell Scrap object
.shb    # Shell Scrap object
.sys    # Windows system file
.url    # Internet shortcut
.vb     # VBScript file
.vbe    # VBScript Encoded script file
.vbs    # VBScript file
.vxd    # Windows system file
.wsc    # Windows Script Component
.wsf    # Windows Script file
.wsh    # Windows Script Host Settings file
.otf    # Font file - can be used to instant reboot 2k and xp
.ops    # Office XP settings
# Files which one normally thinks as non-executable but
# can contain harmful macros and viruses
.doc    # Word document
.xls    # Excel document
# Other files which may contain files with executable code
.gz     # Gzipped file
.tar    # Tape ARchive file
.zip    # Windows compressed file
.tgz    # Unix compressed file
.bz2    # Unix compressed file
.cdr    # Mac disk image
.dmg    # Mac disk image
.smi    # Mac self mounting disk image
.sit    # Mac compressed file
.sea    # Mac compressed file, self extracting
.bin    # Mac binary compressed file
.hqx    # Mac binhex encoded file
.rar    # Similar to zip
# Time/bandwidth wasting files
.mp3    # Music file
.mpeg   # Movie file
.mpg    # Movie file
.avi    # Movie file
.asf    # this can also exploit a security hole allowing virus infection
.iso    # CD ISO image
.ogg    # Music file
.wmf    # Movie file
.bin    # CD ISO image
.cue    # CD ISO image
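To see how a list in this format is applied, here is an added example (not part of DansGuardian or the ZoneCD documentation) that parses a banned-extension list written in the same layout, commented entries such as "# .js" included, and decides whether a URL should be refused. It matches the extension case-insensitively, ignores any query string or fragment, and inspects only the path part of the URL, so a host name such as example.com is not mistaken for a .com file. The list excerpt and the sample URLs are constructed; how DansGuardian itself applies the list is not described here.

```shell
#!/bin/sh
# Added example: apply a banned-extension list in the layout of Appendix G
# to URLs. Not DansGuardian's own matching code.

# Constructed excerpt of the list above, in the same "ext  # description" layout.
LIST=$(mktemp)
cat > "$LIST" <<'EOF'
#Banned extension list (constructed excerpt)
.exe    # Program
.bat    # Batch file
# .js   # JScript file - often needed in web pages
.doc    # Word document
.gz     # Gzipped file
EOF

# parse_banned_list FILE -> one active extension per line, lower-cased.
# Whole-line comments (including commented-out entries) and trailing
# "# description" comments are dropped.
parse_banned_list() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v '^$' | tr '[:upper:]' '[:lower:]'
}

# url_path URL -> lower-cased path component, without query string or fragment
url_path() {
    p=${1#*://}                                  # drop the scheme
    case $p in */*) p=/${p#*/} ;; *) p=/ ;; esac  # drop the host, keep the path
    p=${p%%\?*}; p=${p%%#*}                      # drop ?query and #fragment
    printf '%s' "$p" | tr '[:upper:]' '[:lower:]'
}

# is_banned URL FILE -> 0 if the URL's path ends in an extension from FILE
is_banned() {
    path=$(url_path "$1")
    for ext in $(parse_banned_list "$2"); do
        case $path in *"$ext") return 0 ;; esac
    done
    return 1
}

# Stand-alone demo over constructed URLs
for u in http://example.com/setup.EXE http://example.com/page.js \
         http://example.com/report.doc?dl=1 http://example.com; do
    if is_banned "$u" "$LIST"; then echo "BANNED  $u"; else echo "allowed $u"; fi
done
```

Only the path is matched, so "file.tar.gz" is caught by the .gz entry, and an upper-case ".EXE" is caught as well; an entry that is commented out in the list, like .js above, is simply not enforced.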