Index | Section 1 | Section 2 | Section 3 | Section 4 | Section 5
Questions
Q3.1 We get the login box - but nobody can authenticate. Help!
Q3.2 Can we have separate whitelists/blacklists on a per user basis?
Q3.3 How can I turn off the CensorNet at 10pm every night so that people can't surf?
Q3.4 You have a number of patches on your download page. How do I apply them?
Q3.5 I'm running in Bridge Mode. If I connect both NICs to my switch, everything freezes.
Q3.6 Is it possible to change the wording of the "Access Denied!" pages?
Q3.7 Is it possible to install the CensorNet with just one NIC card installed?
Q3.8 I've heard that selecting Bridge mode turns off the firewall, is that correct?
Q3.16 How do I know if a specific system file has an associated template?
Q3.18 I hear you have an announcements list of use to CensorNet users. How do I subscribe?
Q3.19 Do you archive the announcements in the CensorNet-announce mailing list?
Q3.22 Windows Update won't work. What can I do?
Q3.25 Recently, I've heard that running apt-get can be harmful to the CensorNet, is this the case??
Q3.1 We get the login box - but nobody can authenticate. Help!
A3.1 Lots of people misinterpreted the last A3.1, largely, we suspect, to the complex layout of the answer.
So this time, we're keeping it entirely CN3.3x specific. If you're still running CN3.2x its high time you considered an upgrade.
In release CN3.3x all authentication methods use the pam_auth style of authentication, so there is only one command to learn when you want to test if your chosen method is working or not (see below).
Although time is only critical to the Active Directory authentication method, you may as well get it right now. Then, if you're switching from NT to AD mode, it'll "just work" when you switch. ;-))
To get the time correct you need to start by rebooting your CensorNet and pressing the appropriate button during boot to gain access to the BIOS.
BIOS clocks have no concept of time zones, of course, but you need to set your BIOS to the time as at GMT. So unless you're in London in Winter, that means that it won't be your wall-clock time.
Once you have set the BIOS appropriately, exit and allow the CN to boot up normally.
At the login prompt, log in using admin, and the appropriate password (which if you havn't set it yet is admin).
At the command prompt type
setupin order to run the setup program. You will be prompted for root's password (which is root unless you.ve changed it).
From the menu, choose option 1 "System Locale/NTP Settings".
From the submenu, choose option 2 "Change Timezone"
Now, select the time zone for the location in which you are situated. So if you're in New York, choose New York's time zone.
Exit the menus until you are back at the command prompt and then type
dateIf the time displayed matches the time shown on the clock on your wall, then all is fine. If the time displayed is incorrect, then perform the following commands
su -
You will be prompted for a password. It wants root's password.
Once at root's command prompt type
date MMDDhhmm
which means the command wants two digits for each of month, day, hour and minute. So if I was doing this now, I would type
date 06211429
The date will be re-displayed, and should now match the clock on your wall.
Having achieved this, if you are running an AD server, ensure that the AD server has a time that is within 5 minutes of the CN. If their times are more than five minutes adrift, then authentication is guaranteed to fail. Note: As mentioned earlier, time is only critical to AD authentication. It doesn't matter what time differences there may be between a CN and an NT server.
Now whilst still logged in as root (if you havn't used the su command yet, do it now as detailed earlier) run the following command
/usr/local/squid/libexec/pam_auth -1
The cursor will now just sit blinking at you, but the machine hasn't hung, its waiting for an input. Note: if you press the RETURN key with no input, you'll just get an ERR response.
The input that pam_auth is waiting for is a user's login and password (separated by a single space). So type something like
neilb explainer
Note: The password will be echoed in clear text so be on guard for shoulder surfers.
If you get an OK response, then all is well. If you get an ERR response, then there is something wrong, but its got nothing to do with the clock (and probably nothing to do with the CN either).
Of course, computer clocks can drift, and its not unknown for the CN's clock to drift to more than 5 minutes away from the AD server. You just need to reset its time (at the command line, using the date command). Of course, you could ask your ISP if they operate an NTP server and then key its IP address or DNS name into the relevant section of the setup program.
Q3.2 Can we have separate whitelists/blacklists on a per user basis?
A3.2 Not in the current release. Both the whitelist and blacklist are system wide.
Q3.3 How can I turn off the CensorNet at 10pm every night so that people can't surf?
A3.3 You could arrange to turn off (i.e. power down) the CensorNet every night at 10pm, but that isn't really the best way to go about achieving your aims. Much better would be to set up a special profile that only allowed web usage between, for example, 9am and 10pm and denied access at all other times.
Log into the CensorNet's web interface (see A2.2 if you are having difficulty doing so).
Go to the Workstation tab and then select Schedule Workstations from the drop down menu.
Enter a profile name in the box marked "Create new profile:" and then click the button "Create New Profile". You should see that a new profile appears in the list.
Now click the "Edit" button next to your new profile.
A new page appears with three sections. One has a range of tick boxes and drop down boxes, one shows a time line with a colour coded key, and the third section shows any existing events (there are none at this time).
As you can tell from the colour coding on the time line, no access is permitted at all at the moment.
We need to add an event allowing people to use the web between the hours of 9AM and 10PM every day of the week.
On the top section, all days are currently selected. You can unselect any days that don't apply to an event you're creating. In the "Access Type" drop down box select "Allow Web" and in the "From" and "To" drop down boxes select the times 09:00 and 22:00 respectively. Click "Add New Event".
As you can now see from the time line, web surfing is allowed between 09:00 and 22:00 every day. You could add more events for this profile if you wish, but for our example, this one event will suffice.
From the "Workstations" drop down menu, select "Access Control".
Your first few workstations are listed. There is also a section at the bottom which will allow you to configure access rights for all workstations, and for our example, this is what we're going to use.
In the "Profile" dropdown box, select your new profile's name. Then click on the "Apply Rights" button. All your workstations are now configured to use the new profile, and so will only be able to surf between the hours of 9AM and 10PM and not at any other time, and there is no need to turn the CensorNet off at all.
Q3.4 You have a number of patches on your download page. How do I apply them?
Before deploying any patch, make sure it's necessary for your release of the CensorNet. If in doubt, feel free to ask. If the patch does do what you require then download it to one of your workstations - preferably one that has access to the CensorNet's web admin pages. Once downloaded, log into the CensorNet Admin Pages, and from the "Home" drop down menu, select "Upgrade".
Click the "Choose" button and then navigate to the directory on your workstation where you downloaded the patch file and select it.
Now click on the "Upgrade" button. The patch will automatically be unpacked and applied, and your CensorNet will be rebooted - so be sure to warn your user community, or apply the patch during a quiet period.
Q3.5 I'm running in Bridge Mode. If I connect both NICs to my switch, everything freezes.
A3.5 Unfortunately, by default, the CensorNet's Bridge system does not run the "Spanning Tree Protocol (STP)" which your switch almost certainly does. You need to download the STP patch from the download page at www.censornet.com/patches/ and apply it (see A3.4 to learn how to apply a patch). Once applied, the CensorNet bridge runs with STP turned on and industry standard default settings. If you need to tune them, the only way to do so is edit the file /etc/init.d/init-bridge. Note that there are two separate sections of the script that should both be edited, although normally, you will get away with only editing the first section. But never say that nobody warned you.
Q3.6 Is it possible to change the wording of the "Access Denied!" pages?
A3.6 Yes. You will find the scripts in the /www2 directory on the CensorNet. You may find http://forum.CensorNet.com/viewtopic.php?t=710 helpful. The thread is a little long, but if you ignore the banter, you will eventually come to some meat.
Q3.7 Is it possible to install the CensorNet with just one NIC card installed?
A3.7 It is. You will receive a warning during installation, however, if you continue, the installation will run smoothly. Note that the only sensible operating choice in this mode is "Bridge" mode.
Q3.8 I've heard that selecting Bridge mode turns off the firewall, is that correct?
A3.8 No, you still have a fully operational firewall. The bridging mode code re-configures the firewall so that all ports are open from the outside in (that is from the red interface to the green one), however, there are still active rules that govern what may, or may not traverse the system from the green interface to the red. Nevertheless, because all ports are open from the outside, we do not recommend using "Bridge" mode unless you have an upstream firewall protecting your perimeter.
Q3.9 I was under the impression that "Allow Other" should allow everything through the firewall. This doesn't appear to be the case.
A3.9 Indeed. The CensorNet was designed so that "Allow Other" should do precisely what you suggest, however, at the moment it appears to be necessary to modify the firewall rules. Research is going on into this problem. In the meantime, learn to write firewall rules, or ask for advice on the forum.
Q3.10 I've run the "Probe LAN for MAC addresses" in accordance with the documentation, but the system hasn't picked up all workstations. Why?
A3.10 This can be caused for a number of reasons, largely network related. Here they are.
- The stupid answer is, your workstation was switched off when the probe was run. Obviously, your workstation was not listening for the probe when it was sent, and consequently, the CensorNet received no reply.
- If you have workstations on multiple subnets, yet effectively "on the same wire" as the CensorNet (for switch users, multiple subnets on the same VLAN), then yes, this will be a problem. The probe code is written to only probe for devices on the subnet to which the CensorNet belongs. You will have to generate a CSV file of workstation names and MAC addresses, and then log into the CensorNet's web admin pages. On the "Workstation" tab you will find the item "Import Workstations" menu item. Use that to import your file.
- If you're multiple subnets are behind different routers - then the only MAC address the CensorNet will ever see is the MAC address of the router. This means that you will need to add the router's MAC address manually, and you can only apply the same policy to all users on the effected subnet. That is, if you "Allow Web and Other" to the router's MAC address, you are allowing that policy for all workstations on the subnet behind it.
Q3.11 I need to enable something in the kernel, so I downloaded one and compiled it. Now my CensorNet won't work.
A3.11 No, it won't. Do not download and attempt to use stock kernels with the CensorNet, because you will render it inoperable. The source code for the current kernel, and its .config file, is available in the /usr/src directory. Unpack the file and use that to change any settings you require.
Q3.12 The latest DansGuardian has facilities that are lacking in the CensorNet. Can I compile the latest version and use it?
A3.12 Not a good idea. The DansGuardian code in the CensorNet includes some bespoke code written by ourselves. In addition, if you're using the image filter, there is a lot of additional code in DansGuardian which won't be in your downloaded version. We tend to be a little conservative about the versions of DansGuardian and Squid that we use. As a result, you will have to wait for us to release a patch, or a new version, before we include the features you are looking for. If you need the feature desperately, you can always discuss your needs with our sales team at sales@censornet.com.
Q3.13 The rest of the devices on my network keep their time synchronised. How can I do this with CensorNet?
A3.13 This is a fairly simple task. Before you start, you will need to know the IP address of the NTP server that you're going to sync against.
Log into the CensorNet's command line as root and type the following commands
apt-get update
apt-get install ntp-simple
During the second command, you will be asked to confirm the packages you want to install, say yes. During installation, a blue box will come up where you can enter the IP address of the NTP server. You can also specify its DNS name here, if you prefer.
Next, you need to add a rule to the firewall script. This example assumes the IP address of your NTP server is 217.146.111.18 - substitute the correct IP in your rule. Type the following commands
echo "iptables -I INPUT 1 -s 217.146.111.18 -p udp --sport 123 -j ACCEPT" >> /usr/local/sbin/start-new-firewall
/etc/init.d/firewall restart
/etc/init.d/fwall_access_rules restart
You will probably get some error outputs from the last command. This is normal and nothing to worry about.
From now on, your CensorNet will also sync to your time source.
Q3.14 I've changed the profile for one of my users - but even if I reboot the workstation, the change doesn't seem to take effect until about five minutes have passed. Is there any way to speed this up?
A3.14 The update period is determined by a command contained in a file on the CensorNet known as /etc/crontab which contains details of commands to be executed on a periodic basis. Specifically, the line in the file which controls the updating of access rules is as follows:
00,05,10,15,20,25,30,35,40,45,50,55 * * * * root /usr/local/sbin/update_access_rules >/dev/null 2>/dev/null
As you can see from the list of numbers at the start of the line, this runs the script every five minutes. If you really can't afford to wait five minutes, the best you can do is to ensure that it runs once a minute.
The file /etc/crontab is one of several system files on the CensorNet that has an associated CensorNet template file - and you need to edit that (/etc/crontab.tmpl) and then run the associated update script to ensure your changes take effect.
Log into the CensorNet as root and edit the file /etc/crontab.tmpl and change the line shown above to read the following:
*/1 * * * * root /usr/local/sbin/update_access_rules >/dev/null 2>/dev/null
Write the file, and then run update_blud_conf which will copy your changes to /etc/crontab. From now on, your updates should only take a minute to be updated.
Q3.15 How do I find out which update script to run to copy the contents of a specific template file across to its associated system file?
A3.15 If you're uncertain which script controls a particular template file, the best thing to do is to check first. In the following example, we're going to find out which update script controls the /etc/network/interfaces.tmpl file.
As ever, log into the CensorNet's command line as root and type the following
cd /usr/local/sbin
grep interfaces update*
update_hosts:# /etc/network/interfaces
update_hosts:# template that this file is generated from - `/etc/network/interfaces.tmpl'.
update_hosts:my $template = HTML::Template->new(filename => '/etc/network/interfaces.tmpl') or die "FATAL: Could not open /etc/network/interfaces.tmpl for reading.\n";
update_hosts:open(IFACES, "> /etc/network/interfaces") or die "FATAL: Could not open /etc/network/interfaces for writing.\n";
The reason for multiple lines is because several lines in the file matched the word interfaces. All of the listed lines show the file name update_hosts before the colon. So now you know that in order to update the /etc/network/interfaces file from its associated template, you need to run the command update_hosts.
Q3.16 How do I know if a specific system file has an associated template?
A3.16 Just check for its existence. All of the CensorNet's template files are located in the same directory as the system file for which they provide a template. So whilst you're at the CensorNet's command line, and in the directory where a system file you wish to modify exists, type, for example
ls hosts.tmpl
hosts.tmpl
Q3.17 We run a web server that listens on non-standard ports for SSL connections. The CensorNet won't let us contact them. Is there anything we can do?
A3.17 There is. You need to modify a line of the squid server configuration and update the file. The following example will assume your non-standard ports are 33333 through 33335 inclusive. We will also assume you are using the vi editor. If you wish to use one of the other ones, feel free. Follow the general instructions, but don't follow the keystrokes.
Log into the CensorNet as root and type the following commands
cd /usr/local/squid/etc
vi squid.conf.tmpl
/SSLacl SSL_ports port 443 563If that is not the line your cursor is on, press the 'n' key to move to the next matching line, until you do find it. Your cursor is likely to be on the 'a' of 'acl'.
Press the letter 'e' which will move your cursor over the '3' of '563'.
To add your ports perform the following
a 33333 33334 33335
<ESC>
acl SSL_ports port 443 563 33333 33334 33335:wqRun the command
update_squid_conf
Q3.18 I hear you have an announcements list of use to CensorNet users. How do I subscribe?
A3.18 Yes we do. If you'd like to subscribe, go to http://lists.adelix.com/mailman/listinfo/CensorNet-announce which will allow you to subscribe. Note that after filling in the subscription part of the form, you will be sent an email to the email address you gave, and you'll need to confirm your subscription before you're successfully subscribed.
The list is low traffic, but contains details of significant happenings with CensorNet, new releases, and urgent updates that might be released, either of our own, or major upgrades to the underlying Debian packages.
Q3.19 Do you archive the announcements in the CensorNet-announce mailing list?
A3.19 Yes we do. If you wish to read the archives, please visit http://lists.adelix.com/pipermail/censornet-announce/ where you'll find the archives listed in monthly blocks.
Q3.20 What should I enter in the whitelist in order to be able to traverse www.flirble.org? Should it be www.flirble.org/*?
A3.20 No. Just enter flirble.org and you will be able to traverse the whole site. The only thing you have to check is whether any parts of flirble. org are contained in the blacklist. It would be a good idea to remove them.
If you are not on "Whitelist only" you can surf most of a site, but then one section causes you a problem. In that case, of course you can enter flirble.org/problem/path and then you'll have that sorted.
Q3.21 I'm trying to create a special user profile that runs through Midnight and don't seem to be able to achieve my aims.
A3.21 When creating events whilst editing a profile, you cannot get any single event to run past Midnight. This means that if you need a specific action that runs between 10pm and 2am, for example, you need an event which runs between 10pm and Midnight, and another event that runs between midnight and 2am.
When looking at the drop down list of values, you will notice that we have both a 0 (zero) hour, and a 24. Both 0:00 and 24:00 represent midnight, but they have different purposes. The zero hour represents Midnight, at the start of a day. The 24:00 represents Midnight at the end of the day. Consequently, to create a profile to do something specific between 10pm and 2am, you need an event for 22:00 to 24:00. You need a second event running from 0:00 to 02:00. These two events taken together will achieve the result you need.
Q3.22 Windows Update won't work. What can I do?
A3.22 The reason why Windows Update won't work now is entirely different to any reason you may have read in any previous version of the FAQ. Irrespective of the fact that you have configured your copy of IE with proxy settings, Windows Update ignores these, leaving one no option but to create some firewall rules. (Actually, there is a Windows based solution, but our product runs Linux, so you're getting the Linux solution.)
You will need to log into your CN.s command line as root.
First, we need to create a file containing a list of IP addresses of the servers that Windows Update needs to talk to (one address per line). If you have a favourite editor use that, otherwise follow the commands below
nano /etc/censornet/win_upd_ips
On the blank screen in front of you enter the following information
# Windows update servers IP listNow type control-O to write the file, and control-x to exit the editor.4.79.24.30
63.236.111.222
64.4.0.0/18
207.46.0.0/16
208.172.13.253
208.172.48.221
208.174.52.62
208.174.60.62
208.175.188.61
208.175.188.62
212.162.0.29
213.200.98.29
213.200.99.30
(Note: these IP addresses are correct as at the time of writing. Microsoft may change their server's IP addresses from time to time, see Q3.23 for details on how to check for that situation.)
Now that you've done this you need to edit the firewall script, type the following commands :-
cd /usr/local/sbinThe first page of the script is displayed in front of you.
nano start-new-firewall
At the beginning of the file enter the following code
export WIN_UPD_IPS=/etc/censornet/win_upd_ipsNext scroll down so that you're on the last page of the script and then paste in this code
egrep -v "^#" $WIN_UPD_IPS | egrep -v "^\s*$" | while read winupdip ; do
Now press control-o to write the file, and control-x to exit to the command line.
echo Setting Windows update server $winupdip...
iptables -I FORWARD -i $GREEN_IF -d $winupdip -p tcp --dport 80 -j ACCEPT
done
At the prompt run the following commands, being sure to check for error messages.
/etc/init.d/firewall restart
The benefit of this method is that when Microsoft change the IP addresses of their servers, as they're bound to do from time to time, all you have to do is edit the win_upd_ips file with the new IP addresses and run those last two commands again.
/etc/init.d/fwall_access_rules start
Adelix Limited would like to thank Alex Swen (alex_swen at hotmail.com) for his kind assistance in developing this solution.
Q3.23 We employed your solution to getting Windows Update to work through the CN, but now it keeps failing. What should we do?
A3.23 This could be for a number of reasons, but one easy one to check for is whether Microsoft have updated the list of IP addresses of the server's they use.
First, you may need to install a new package.
Caution! Debian have now switched to the Sarge release for their new core system. CN is currently still based on Woody. You do not want to install any Sarge binaries on your CN. In order to avoid this situation, read and act upon the instructions to be found in Q3.25 before running the following commands
apt-get update
apt-get install tcpdump
With tcpdump safely installed on your system, run the command below before you attempt to run a Windows Update on a client system
tcpdump -i eth0 | egrep "(<hostname>.*www|www.*<hostname>)"It is assumed the host is attached to your eth0 interface (correct for most people). If your host happens to be connected to an additional card you've added change the parameter appropriately.
The <hostname> variable should be substituted for the name of your Windows Update client machine.
With the above command running, run the Windows Update. A sample session is shown below
tcpdump -i eth0 | egrep "(bier.*www|www.*bier)"The IP addresses that get repeated indicate multiple attempts of your client to contact the said server. After a couple of failures it gives up and tries the next server.
13:42:41.823565 bier.swen.org.1944 > 208.172.48.221.www: S 387971848:387971848(0) win 65535(DF)
13:43:00.617871 bier.swen.org.1946 > 208.172.48.221.www: S 57139736:57139736(0) win 65535(DF)
13:43:03.598006 bier.swen.org.1946 > 208.172.48.221.www: S 57139736:57139736(0) win 65535(DF)
13:43:09.729530 bier.swen.org.1946 > 208.172.48.221.www: S 57139736:57139736(0) win 65535(DF)
13:43:21.642950 bier.swen.org.1947 > 4.79.24.30.www: S 3852875430:3852875430(0) win 65535(DF)
13:43:24.698369 bier.swen.org.1947 > 4.79.24.30.www: S 3852875430:3852875430(0) win 65535(DF)
13:43:30.713994 bier.swen.org.1947 > 4.79.24.30.www: S 3852875430:3852875430(0) win 65535(DF)
13:43:42.745454 bier.swen.org.1948 > 208.172.13.253.www: S 2808437398:2808437398(0) win 65535(DF)
13:43:45.818872 bier.swen.org.1948 > 208.172.13.253.www: S 2808437398:2808437398(0) win 65535(DF)
13:43:51.833760 bier.swen.org.1948 > 208.172.13.253.www: S 2808437398:2808437398(0) win 65535(DF)
13:44:13.515449 bier.swen.org.1950 > 212.162.0.29.www: S 1550931241:1550931241(0) win 65535(DF)
13:44:16.541895 bier.swen.org.1950 > 212.162.0.29.www: S 1550931241:1550931241(0) win 65535(DF)
13:44:22.557489 bier.swen.org.1950 > 212.162.0.29.www: S 1550931241:1550931241(0) win 65535(DF)
13:44:34.588932 bier.swen.org.1951 > 208.175.188.61.www: S 3948667333:3948667333(0) win 65535(DF)
13:44:37.651148 bier.swen.org.1951 > 208.175.188.61.www: S 3948667333:3948667333(0) win 65535(DF)
13:44:43.666754 bier.swen.org.1951 > 208.175.188.61.www: S 3948667333:3948667333(0) win 65535(DF)
13:44:55.698279 bier.swen.org.1952 > 213.200.99.30.www: S 4152182441:4152182441(0) win 65535(DF)
13:44:58.663995 bier.swen.org.1952 > 213.200.99.30.www: S 4152182441:4152182441(0) win 65535(DF)
13:45:04.778852 bier.swen.org.1952 > 213.200.99.30.www: S 4152182441:4152182441(0) win 65535(DF)
13:45:47.261804 bier.swen.org.1954 > 208.174.52.62.www: S 1940000:1940000(0) win 65535(DF)
13:45:50.282060 bier.swen.org.1954 > 208.174.52.62.www: S 1940000:1940000(0) win 65535(DF)
So, those addresses that get repeated need to be added to the /etc/censornet/win_upd_ips file, after which you should run
/etc/init.d/firewall restartNow you can attempt to connect again and you should find that it works now.
/etc/init.d/fwall_access_rules start
Adelix Limited would like to thank Alex Swen (alex_swen at hotmail.com) for his kind assistance in developing this solution.
Q3.24 I have some users on Whitelist Only. This works, and when they try and visit a non-whitelisted site, they get the Access Denied page. However, if they click on the link offering to let them see the whitelist, they get an error page telling them access restrictions are denying them access. Can this be fixed? (The same happens when clicking on Request Unblock.)
A3.24 Yes, these issues can be fixed. The fact that you are getting the Access Denied page, but can't view the whitelist from the provided link is a sign that you have the Censornet listed by its DNS name in your proxy exceptions, but not its IP address. The solution is to put the Censornet's IP address in the proxy exceptions. Its perfectly acceptable to have this listed in addition to the DNS name.
Q3.25 Recently, I've heard that running apt-get can be harmful to the CensorNet, is this the case?
A3.25 Currently, yes. CN is based on the Woody distribution of Linux which, at the time we wrote it was the main stream. The developers of Debian have now switched to issuing Sarge binaries from their servers. main paths, as will any one else's mirror.
So before running apt-get you should modify a file on the system so that it still continues to obtain Woody code.
Log in as root and run the following commands
cd /etc/aptYou now have a blank file in front of you, add in the following lines
cp /dev/null sources.list
nano sources.list
deb http://security.debian.org/ woody/updates main contrib
deb http://ftp.uk.debian.org/debian/ woody main
deb-src http://ftp.uk.debian.org/debian/ woody main
deb http://non-us.debian.org/debian-non-US woody/non-US main
deb-src http://non-us.debian.org/debian-non-US woody/non-US main
As always, write the file and quit the editor. It is now safe to run the apt-get command without fear of harming your CN.
(You can, of course, pick archives nearer your location, if you know of relevant Debian mirrors, just make your you remember to specify woody in the paths you enter.)
Adelix Limited would like to thank Tony Whitmore for his kind assistance in developing this solution.
Index | Section 1 | Section 2 | Section 3 | Section 4 | Section 5