IPcop has various addons. Although it's a great firewall, it seems to me that these addons should be incorporated into the basic IPcop package. One such package is Banish, which allows you to block web sites by IP, CIDR, domain name, and MAC address. Installation instructions are straightforward, and can be found here.


Another addon is Zerina, which is a GUI addon that uses OpenVPN. As of this writing, the Zerina install is a bit tricky. Although the Download/Install link is easy to follow, I found (as of this writing) that what was downloaded from their web site was a .tar file instead of a .gz file per their instructions. I found that I had to rename the file to a .gz, then I had to shorten / rename the file itself. Then I had to give it privs of 755. Then I ran the following command: tar -xzvf ./banish-xx.xx.xx.tar.gz. After that, all went well.

Once Banish is installed, just follow the instructions on their web site, under HOWTOs on the left here.


For me, I was using the VPN to connect XP roadwarriors to a Windows 2000 server. This was a bit of a challenge, as I couldn't get the roadwarrior to join the domain. In searching the internet, here is what I found:

In order to ping the home network, you have to add the following line to the /etc/rc.d/rc.firewall.local file, near the beginning of the file, after the following lines:

# See how we were called.
case "$1" in
start)
## add your 'start' rules here
#Added for zerina start - BEGIN
/usr/local/bin/openvpnctrl --create-chains-and-rules
#Added for zerina start - END


Insert the following on the next line:

iptables -t nat -A CUSTOMPOSTROUTING -s 10.26.1.0/24 -o eth0 -j MASQUERADE

# where 10.26.1.0/24 is the range of IP addresses used for the roadwarriors
# to VPN into. Also, eth0 is the GREEN network card.


# Windows Netbios stuff blocked before log Source Ports 137,138,139
ipchains -A input -p udp --source-port 137:139 -j REJECT
ipchains -A input -p udp --destination-port 137:139 -j REJECT
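
The edit to /etc/rc.d/rc.firewall.local described above (the MASQUERADE line placed right after the Zerina block) can be applied so that it is inserted only once and never without the marker line. This is an added example, not code from the original post or from the IPcop or Zerina projects; the function names has_rule and add_masq_rule and the .bak backup name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Usage: add_masq_rule /etc/rc.d/rc.firewall.local 10.26.1.0/24 eth0

MARKER='#Added for zerina start - END'

# has_rule FILE RULE: succeeds if RULE is an active (uncommented) line in FILE,
# ignoring leading indentation.
has_rule() {
    awk -v rule="$2" '
        { sub(/^[ \t]+/, ""); if ($0 == rule) found = 1 }
        END { exit !found }
    ' "$1"
}

# add_masq_rule FILE SUBNET IFACE
#   0 = rule added or already present, 1 = bad arguments or I/O error,
#   2 = Zerina marker not found (file left untouched).
add_masq_rule() {
    file=$1 subnet=$2 iface=$3
    [ -f "$file" ] && [ -n "$subnet" ] && [ -n "$iface" ] || return 1
    rule="iptables -t nat -A CUSTOMPOSTROUTING -s $subnet -o $iface -j MASQUERADE"

    # Running twice must not stack duplicate NAT rules.
    has_rule "$file" "$rule" && return 0
    # Without the Zerina block we do not know where the rule belongs.
    grep -qF -- "$MARKER" "$file" || return 2

    tmp=$(mktemp) || return 1
    # Copy every line; right after the first marker line, emit the rule once.
    awk -v marker="$MARKER" -v rule="$rule" '
        { print }
        !added && index($0, marker) { print rule; added = 1 }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Keep a backup (assumed name: FILE.bak), then overwrite in place so the
    # script keeps its owner and executable bit.
    cp -p "$file" "$file.bak" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

A return code of 2 means the Zerina lines are not in the file yet, so the rule has to wait until Zerina is installed.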

On the Windows XP computer:

You will need your Roadwarrior PC to use the same workgroup name as the domain of the server you are going to VPN into. To do this, RIGHT click on MY COMPUTER, then click on PROPERTIES. Click on the Computer Name tab. Click the CHANGE button, select WORKGROUP, and then type in the DOMAIN NAME of the domain that the server you want to VPN into is in. Click OK. Reboot the PC when it tells you.

Another nice add-on, especially if you are setting up your IPcop firewall for, say, a coffee shop that wants to offer free WiFi, is to put in another NIC and set it up as a Blue Interface.