QNAP [QPKG] Qwhitelist app -> Super whitelisting (Qnap Firewall) version 1.6 [14-09-2015]

Installed the app, ver.1.5.
After install, didn't work. Tried to start it manually, this is the result:
Code: 
[/] # /etc/init.d/Qwhitelist.sh start
file exists
ln: /opt/Qwhitelist: No such file or directory
apache: Syntax error on line 203 of /share/MD0_DATA/.qpkg/Qwhitelist/apache.conf: Could not open configuration file /etc/config/apache/extra/apache-fastcgi.conf: No such file or directory
Spider mode enabled. Check if remote file exists.
--2015-09-13 14:26:44--  http://127.0.0.1:10123/index.php?cron_install=1
Connecting to 127.0.0.1:10123... failed: Connection refused.
Retrying.

Spider mode enabled. Check if remote file exists.
--2015-09-13 14:26:45--  (try: 2)  http://127.0.0.1:10123/index.php?cron_install=1
Connecting to 127.0.0.1:10123... failed: Connection refused.
Retrying.

^C
[/] # /etc/init.d/Qwhitelist.sh stop
file exists
apache: Syntax error on line 203 of /share/MD0_DATA/.qpkg/Qwhitelist/apache.conf: Could not open configuration file /etc/config/apache/extra/apache-fastcgi.conf: No such file or directory

I'm running a TS-419P, firmware 4.2.0 RC1 (builddate 02/09)
 
Correct, the wanted file does not exist. Do I need to install something? Or am I out of luck?

Updating to 4.2.0 RC2 now, will try again later.
 
bouwew a dit:
Correct, the wanted file does not exist. Do I need to install something? Or am I out of luck?

Updating to 4.2.0 RC2 now, will try again later.
Cliquez pour agrandir...

Untill the app can be fixed for your nas model, you can do the following:

1) Go to the package location after the install : /opt/qwhitelist/
2) In this qwhitelist directory there is another qwhitelist directory that you can copy to your own web server path (for me this is /share/Web/)
3) Navigate to that path with your browser and it should work immediatly without dependencies

Does that work for you?
 
Lol, hoe wist je dat ik NL was?

ps: versie 1.6 komt er aan, met een heel pak security ingebouwd voor de two-factor authentication
 
Version 1.6 is specially created for that, install ver 1.6

Then in the qwitelist click on the api list, at the bottom of that page you will find the code that you have to place on your remote webserver.
It also contains three lines explaining how to install it.

Can you follow those steps and if you are stuck, tell me (then we will be a bunch further then now) :-)
Also reply if it succeeds (i like suc6 stories)
 
Hi sebastienbo, I am finally giving a try to your wonderful tool!

First of all, as I travel a lot and I have corporate proxies, I had to add 7 countries to the whitelist. To do that I had to copy/past subnets country by country otherwise the site blocked.

After having done that (and added my xxx.myqnapcloud.com and additional domain and of course changed password), I have saved.

However if I go to Control panel->System Settings->Security->Security Level and select "Allow connections from this list only" I get the following error:

The list for allowed connections cannot be empty. It must contain at least one valid IP address or range.
Cliquez pour agrandir...
How can I make reference to Qwhitelist?

Thanks,

giopas

EDIT: version 1.150914
PS: there are a couple of misspells in the webpage ;)

EDIT2: actually if I only connect using xxx.myqnapcloud.com or my other domain name I do not even need to add country list as they will be automatically dropped, right?
But what if for example I want to use torrent from my NAS? would all connections be dropped as well?

EDIT3: I noticed on Chrome that passphrase is saved in plaintext as autocompletion. This could be a security flaw.
 
Hi Giopas,

First of all if you get the "list c annot be empty", just put your local subnet to start.
After that, it will be taken over by the qwhitelist automaticly.
That's for the system config part.

Your edit 2:
You indeed only add the country lists that you want to allow, this means that every country NOT in the list will be blocked

"But what if for example I want to use torrent from my NAS? would all connections be dropped as well?"
Don't worry, outgoing initiated conenctions will never be impacted, so if your nas is making an outbound connection, that could still be used to access the nas. THe only thing that is protected with the qwhite list, is inboud NEW connections for which no outbound connections existed.

Your edit 3 :
It is indeed plain text password, that's why I recommend using the script over ssl , however, if your password is compramised, they can't do much even with your password, except adding hosts :-)
And adding hosts will be slowly, because I have build a bruteforce protector into the submit process, so they are only allowed to add one host per 2 seconds.
And we are speaking about a script that normally is only reachable from your local lan and for which only you know the url and port...
 
sebastienbo a dit:
Hi Giopas,

First of all if you get the "list c annot be empty", just put your local subnet to start.
After that, it will be taken over by the qwhitelist automaticly.
That's for the system config part.
Cliquez pour agrandir...
LOL, I think I misinterpreted and I just closed me out by adding only my domain on QTS Control panel. :lol:

However if you were referring to adding local subnet to Qwhitelist it was already filled, so I do not understand what you are referring to.

sebastienbo a dit:
Don't worry, outgoing initiated conenctions will never be impacted, so if your nas is making an outbound connection, that could still be used to access the nas. THe only thing that is protected with the qwhite list, is inboud NEW connections for which no outbound connections existed.
Cliquez pour agrandir...
Ok this is good. At the end as the only way to connect to my NAS is using either myqnapcloud or my personal domain, I can just set them without bother with country block, right? In any case if I give someone access to my NAS, I need to give them either the myqnapcloud address or my personal domain one...

It is indeed plain text password, that's why I recommend using the script over ssl , [...]
And we are speaking about a script that normally is only reachable from your local lan and for which only you know the url and port...
Cliquez pour agrandir...
To test it I actually created a reverse proxy on port 80, but you are right that this is something that once you set up you should keep absolutely abide from external access. ;) ...in any case I just kicked me out from the NAS, so by now it is safe :lol:
 
I can do that but I would need to delete all information anyway...

I have deleted all country based restriction but I still get the red message mentioned above and on QTS I cannot select any list.
 
Here is the screenshot:

10g0j8g.png


I have of course deleted "Custom Hostname" (they were like this):

Code: 
xxx.domain.com
yyy.domain.com
xxx.domain.eu
deleted also custom single IP address (of the company I work) and country list.

What have I to do?

thanks,

giopas
 
Ok, probably it works now.

1. I have restarted the NAS and set Qwhitelist as in the previous post.

2. Then I went to the Security panel on QTS control settings and I have seen that if I select "Allow connections from this list only" a list whose genre is "Network" and IP Address or Network Domain is my LAN IP/Sub Net Mask is showed.

3. I have selected this and applied the changes.

-> you should probably explain in Qwhitelist that the generated list will be that one.

4. Going back to Qwhitelist and refreshing the page I see the following message:

Whitelist mode Enabled in configuration file.
Cliquez pour agrandir...
Now I think I have to wait 30 minutes for custom whitelist hostnames been resolved, right? Can't you make at every change in Qwhitelist the hostname been resolved?

I will check in half an hour if it works.

Anyway, thanks for your very useful piece of code (it should come by default)!

giopas

EDIT: what does it mean:

Code: 
Cron URI: http://192.168.1.x:80/index.php?cron=whitelist Disabled (If /etc/config/crontab is chmodded 777 it will auto-enable on your first save)
why does it check on port 80, whereas the service is running on port 10123?
 
Uhmm, it's more than 30 minutes since initial change and it does not seem working: if I go to xxx.myqnapcloud.com from my smartphone in 4G the connection to the Nas is dropped (whereas if try to access my router's web interface from wan it works).

Is it possible to add several domain names in qwhitelist?

Each time qwhitelist tries to resolved domains, cache is deleted? I mean, if I add or change a domain, will others work while the new one is kept by from or not?
 
Une idée du fichier que je dois supprimer pour réinit la passphrase ? Je ne m'en rappelle plus du coup je me fais jeter.. :lol:
 
Vous devez vous connecter ou vous enregistrer pour répondre ici.
Haut Bas