
3. Installing

3.1 I need to have this XXX hardware supported, can you do it ?

A few things. If the driver is proprietary, you're on your own. Ask your vendor. If possible, tell him how useful Open Source is (www.opensource.org). If you have the source, you can patch it into the kernel (see howtopatchkernel). If the source is GPL or BSD licensed, try to get it into the official tree, so that neither you nor we have to keep patching it manually. Encourage your vendor to do so, but act as middleman to the Linux community; you know it better than the vendor.

3.2 Can I run right off the boot medium instead of out of ram ?

With a 1.44MB disk, things will not fit, but you can if you are using something bigger. You need to change the boot loader and fiddle with some scripts.

3.3 Can I boot LRP from a hard drive ?

Yes, edit syslinux.cfg and change /dev/fd0 to the appropriate value (e.g. /dev/hda1 for C:, /dev/hdb1 for first drive on second IDE, /dev/sda1 for first SCSI drive etc. See any Linux book about boot drives for more info).

Also see: DiskOnChip ATA/IDE emulation

3.4 How do I make an LRP kernel from a 'normal' kernel ?

Read the appropriate Linux Kernel howto, then patch the kernel with the current patches for LRP (they are normally within the kernel version tree on the ftp site). One way of patching is:

cd /usr/src/linux
patch -p1 -s < patchfile.diff

The general rule of thumb: First untar the kernel and apply any official patches. Then apply pre-patches if appropriate. Then apply the LRP patches. Then apply the vendor specific patches.

Don't underestimate the manual work you'll find you have to do. If you give up, send Dave a postcard for fixing all the diffs for you :)

Do NOT use the kernel source RPM's from RedHat. They're often customized and you have no clue what has been patched in and what hasn't been patched in. Ftp a virgin kernel from a real kernel.org mirror.

3.5 How do I get IP aliasing working ?

First, why not just add

IF6="eth0:0" together with the other *6 fields (if you need so many of course) and add some more testlines afterwards ?

Second, I guess the stock lrp-kernel is not compiled with ip_alias, is it ? I had to do my own, and included it both in the kernel or as a module. Works very good. Have you added ip_alias in the /etc/modules file ?

(paul: check LRP .config file)

3.6 This module creating business is too damn difficult. Isn't there some better way ?

Sure is. Try the module generator at www.linuxrouter.org/modmaker/.

3.7 I want to control my LRP box through a serial port (eg COM1/ttyS0 or COM2/ttyS1). How do I enable that?

Edit the init configuration through the menu or manually at /etc/inittab. Look at the sample serial console entry. Don't forget to remove the # from the line you're going to use.

3.8 What boot loaders can I use ?

Syslinux is considered the default boot loader; it is the easiest to maintain and can be installed from either DOS or Linux. With version 1.32+ it will also handle FAT16 formatted devices (LS-120, ZIP, HD). However, I have not yet been able to get it to work from a partition (it wants the entire device).

LILO is also known to work. It can work with file systems besides FAT and on a partitioned device, but is difficult to deal with, and requires Linux to install it.

GRUB would make a nice solution, but as of v0.4 it does not support Linux initrd loading and will not work. v0.5 is due to include initrd support. When that version is released it will be tested.

3.9 What Linux kernel does LRP use ?

Currently it uses the latest pre kernels based on the Alan Cox tree. Some experiments with 2.1 kernels are also under way.

3.10 Can I use flash ram disks, LS-120's, ZIPs, or other boot mediums besides a floppy ?

Sure. LRP is based on a boot medium insensitive scheme. Even though the typical install is a 1.44MB floppy, anything that Linux can boot and mount can be used. The trick, of course, is the former, and it may require detailed Linux boot loader knowledge to get it to boot. The doc about booting 'Higher' Density formatted disks with Linux may be of some help to you.

3.11 I want to add a user (don't ask why, I have my reasons). Can I ?

First of all, see the Radius and portslave sections if you think you need to add users just to provide dial-in connectivity. If not, then the following answer might help:

Edit /etc/passwd, copy the first line. Edit all 0's into 1's (or 2's) and rename "root" to the username. Then go buy a book about Linux.
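A check to run over the file after a hand edit like the one above (an added example, not part of LRP; the sample entries and the user name operator are constructed). It flags a copied entry that still has UID 0 or root's home directory, reuses another account's UID, or has an empty password field.

```python
# Constructed sample in /etc/passwd format. The last entry is the root line
# copied as described above, with the 0's changed to 1's and the name changed.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
operator:x:1:1:root:/root:/bin/sh
"""


def audit_passwd(text):
    """Return (user, problem) pairs for hand-edited passwd content."""
    findings, uid_owner, root_home = [], {}, None
    for number, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if not line.strip():
            continue
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append((fields[0], f"line {number} is malformed"))
            continue
        name, password, uid, home = fields[0], fields[1], int(fields[2]), fields[5]
        if name == "root":
            root_home = home
        if uid == 0 and name != "root":
            findings.append((name, "UID 0, so the account is root in all but name"))
        if password == "":
            findings.append((name, "empty password field"))
        if uid in uid_owner:
            findings.append((name, f"UID {uid} already belongs to {uid_owner[uid]}"))
        else:
            uid_owner[uid] = name
        if name != "root" and home == root_home:
            findings.append((name, f"home directory {home} is root's"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_passwd(SAMPLE):
        print(f"{user}: {problem}")
```

On a live box, pass the contents of /etc/passwd to audit_passwd instead of SAMPLE.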

3.12 I need dial on demand. What do I add ?

A very experimental open issue, hopefully soon to be completely resolved. Try a diald.lrp from the incoming dir in linux-router-devel, or try the latest LRP's with the new ppp package with inbuilt diald on demand.

3.13 Can I use 'extra' formatted floppies, like 1.74MB or 2m 1.88MB ?

Yes. Normal higher formats as well as some 2m formats will work. See the doc about booting 'Higher' Density formatted disks with Linux. A problem with these disks is that there is no way to accurately determine their size. For LRP to be able to mount these disks, you must edit /var/lib/lrpkg/root.mount. Change fd0 to the correct size, e.g. fd0u1680, fd0u1840, etc.

3.14 I want to make my own

There are various programs that can read a floppy disk to a file. But you can also use LRP itself. For example:

dd if=/dev/fd0 of=mybackuplrp

(to write the image to a new floppy, change the disk and swap of and if)

or

Boot the LRP disk on your system. Mount a FAT IDE partition/LS-120/etc. (mount -t msdos /dev/hda1 /mnt/), or use the ramdisk and use tftp or scp to get the file off.

cat /dev/boot > /mnt/myimage.bin

or

dd bs=512 </dev/boot >/mnt/myimage.bin

But it's trivial to just keep all the *.lrp files and your syslinux.cfg file. With those and syslinux.exe you can always make a new disk.

3.15 How do I know my netmask, interface address, broadcast address etc ? (fixme)

paul: add netmask explanation

3.16 I want to do some things like daily accounting and all. Is there a scheduler on LRP ?

Yes, there is a cron daemon, but no "user end" crontab utilities. See the files /etc/cron*

To activate the changes, use : svi cron reload

3.17 Does LRP support policy routing ?

Policy routing and other 2.1 featurisms:

uhm. Check out this doc.

3.18 Does LRP support my XXX card ?

LRP supports whatever Linux supports. If you want some non-stock hardware support, ask one of the LRP developers. Note that GPL licensed drivers are likely to be included (either in LRP or stock Linux), but proprietary, copyrighted, trademarked, patented, binary-only things are up to you.

3.19 What are the typical firewalling rules to protect a network?

We might want to try and add something like Isinglass

Here is an example from Tim Gladding,

I went through hell trying to find a decent balance between usability and security.. so here is my setup, assuming:

eth0 - the outside world interface
eth1 - 193.82.159.* (sub-split in to 0-127, 128-191)
eth2 - 193.82.159.192-255

------------------------------------------------------------------------

#!/bin/sh

# Set the default policies
/sbin/ipfwadm -I -p deny        # Deny all inbound traffic
/sbin/ipfwadm -O -p accept      # Allow all outbound traffic
/sbin/ipfwadm -F -p accept      # Allow all forwarding rules (none so far)

# Reset to known state, flush everything (except policy)
/sbin/ipfwadm -I -f             # flush existing input rules
/sbin/ipfwadm -O -f             # flush existing output rules
/sbin/ipfwadm -F -f             # flush existing forwarding rules

# Prevent loopback spoofing
/sbin/ipfwadm -I -a deny -o -W eth0 -S 127.0.0.0/8
/sbin/ipfwadm -I -a deny -o -W eth0 -D 127.0.0.0/8
/sbin/ipfwadm -O -a deny -o -W eth0 -S 127.0.0.0/8
/sbin/ipfwadm -O -a deny -o -W eth0 -D 127.0.0.0/8

# Prevent flood ping attacks
/sbin/ipfwadm -I -a deny -o -P icmp -S 0/0 8 -D 255.255.255.255/32

# Prevent all Internet hosts from pinging the local network broadcast addresses
/sbin/ipfwadm -I -a deny -P icmp -S 0/0 8 -D 193.82.159.127/32
/sbin/ipfwadm -I -a deny -P icmp -S 0/0 8 -D 193.82.159.191/32
/sbin/ipfwadm -I -a deny -P icmp -S 0/0 8 -D 193.82.159.255/32

# Allow anyone to ping us normally - we'll give them at least that.
/sbin/ipfwadm -I -a accept -P icmp

# Unprotect 193.82.159.192-255, allow anything through.
/sbin/ipfwadm -I -a accept -S 193.82.159.192/26
/sbin/ipfwadm -I -a accept -D 193.82.159.192/26

# Allow hr-net machines to send packets between each other
/sbin/ipfwadm -I -a accept -S 193.82.159.0/255.255.255.0

# Allow upstairs machines access to everything
/sbin/ipfwadm -I -a accept -S 193.82.131.84 -D 193.82.159.0/24
/sbin/ipfwadm -I -a accept -S 193.82.131.86 -D 193.82.159.0/24
/sbin/ipfwadm -I -a accept -S 193.82.131.87 -D 193.82.159.0/24
/sbin/ipfwadm -I -a accept -S 193.82.131.88 -D 193.82.159.0/24

# Allow pangaea to access redoubt
/sbin/ipfwadm -I -a accept -P tcp -S 193.82.159.2 -D 193.82.159.1 23

# Allow the world to view these services on pangaea
# 2401 = cvs, 25 = smtp, 53 = dns, 110 = pop3, 113 = ident, 119 = news
# dns is udp as well as tcp, allow both.
/sbin/ipfwadm -I -a accept -P tcp -D 193.82.159.2 2401 25 53 110 113 119
/sbin/ipfwadm -I -a accept -P udp -D 193.82.159.2 53

# Allow the world to view these services (smtp, http) on phoenix
/sbin/ipfwadm -I -a accept -P tcp -D 193.82.159.3 25 80

# Allow the world to view the virtual web servers, but deny pangaea
/sbin/ipfwadm -I -a deny -P tcp -D 193.82.159.2 80
/sbin/ipfwadm -I -a accept -P tcp -D 193.82.159.0/255.255.255.0 80

# Block AMANDA to everyone but hr-net machines
/sbin/ipfwadm -I -a accept -P tcp -S 193.82.159.0/24 -D 193.82.159.0/24 10082 10083
/sbin/ipfwadm -I -a accept -P udp -S 193.82.159.0/24 -D 193.82.159.0/24 10080
/sbin/ipfwadm -I -a deny -P tcp -D 193.82.159.0/24 10082 10083
/sbin/ipfwadm -I -a deny -P udp -D 193.82.159.0/24 10080

# Allow unprivileged port connections from anywhere providing they
# are coming from a privileged port on the remote machine.
# (this is important - you can't make outgoing connections without it)
/sbin/ipfwadm -I -a accept -P tcp -S 0/0 1:1023 -D 193.82.159.0/24 1024:65535
/sbin/ipfwadm -I -a accept -P udp -S 0/0 1:1023 -D 193.82.159.0/24 1024:65535
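The input rules above are appended with -a and checked in order, and the first rule that matches decides the packet. The following added example (not part of Tim Gladding's script or of LRP) models some of those rules in Python to show why the deny lines have to sit above the broader accept lines; the rule tuples, the helper names and the outside address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

NET = "193.82.159.0/24"
PANGAEA = "193.82.159.2/32"
# Constructed model of some of the input (-I) rules above, in script order:
# (policy, protocol, source net, source ports, dest net, dest ports).
# None means "any"; ports are (low, high) ranges. Not an ipfwadm parser.
AMANDA_DENY = ("deny", "udp", None, None, NET, [(10080, 10080)])
RULES = [
    ("accept", None, NET, None, None, None),              # hr-net sources
    ("accept", "tcp", None, None, PANGAEA,
     [(p, p) for p in (2401, 25, 53, 110, 113, 119)]),    # public services
    ("deny", "tcp", None, None, PANGAEA, [(80, 80)]),     # no web on pangaea
    ("accept", "tcp", None, None, NET, [(80, 80)]),       # virtual web servers
    AMANDA_DENY,                                          # AMANDA from outside
    ("accept", "udp", None, [(1, 1023)], NET, [(1024, 65535)]),  # replies
]


def in_net(addr, net):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def in_ports(port, ranges):
    return ranges is None or any(lo <= port <= hi for lo, hi in ranges)


def decide(rules, proto, src, sport, dst, dport, default="deny"):
    """Policy of the first rule that matches, else the list's default policy."""
    for policy, rproto, snet, sports, dnet, dports in rules:
        if (rproto in (None, proto) and in_net(src, snet)
                and in_ports(sport, sports) and in_net(dst, dnet)
                and in_ports(dport, dports)):
            return policy
    return default


def move_last(rules, rule):
    """Copy of rules with one rule moved below all the others."""
    return [r for r in rules if r is not rule] + [rule]


if __name__ == "__main__":
    outside = "198.51.100.7"  # constructed outside host (documentation range)
    print(decide(RULES, "tcp", outside, 40000, "193.82.159.2", 80))
    print(decide(RULES, "tcp", outside, 40000, "193.82.159.5", 80))
    print(decide(RULES, "udp", outside, 53, "193.82.159.10", 10080))
    print(decide(move_last(RULES, AMANDA_DENY), "udp", outside, 53,
                 "193.82.159.10", 10080))
```

The last call moves the AMANDA deny below the low-source-port accept, and the same UDP packet is then accepted instead of denied.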

3.20 Is it possible to do bandwidth limitation and control ?

Yes, you'll need shaper support (traffic shaper) which is available for 2.0 and 2.1 kernels. (Is this enabled in LRP?)

See Alan's ftp site.

What is needed? shapercfg? where?

3.21 I want to log everything to a remote host. How can I do that ?

Edit /etc/syslogd.conf (Is there a menu item for this?) and make it like this:

*.*                             @some.host
*.*                             /dev/console

Just make sure syslogd on the receiving host is started with -r so that it accepts remote logging (that is the option on Debian; other syslog daemons use their own option). If you don't want local logs, remove the /dev/console entry.

3.22 What is the best way to activate all these masquerading and autofw/portfw stuff ?

Here's a script you might use and/or tweak. Additions welcome



# Note: when using this, don't add ip_masq_* to the modules conf file.
# Order is important, because ipautofw can be an ip_masq module.

if [ -e /proc/net/ip_masquerade ]
then
        echo -n "Masquerading support detected, loading modules:"
        for i in /lib/modules/`uname -r`/ipv4/ip_masq*
        do
                # Reduce the path to the bare module name, e.g. ip_masq_ftp
                MMOD=`echo "$i" | sed "s/.*\(ip_masq_.*\)\.o.*$/\1/"`
                insmod "$MMOD"
                echo -n "$MMOD"
                echo -n " "
        done
        echo ""
else
        echo "No Masquerading support in kernel, skipping masquerading modules"
fi

if [ -e /proc/net/ip_autofw ]
then
        # Flush the existing ipautofw rules before adding new ones
        /sbin/ipautofw -F
        echo -n "IPautofw support detected, adding rules:"
        echo -n RealAudio
        /sbin/ipautofw -A -r udp 6970 7170 -c tcp 7070
else
        echo "No IPautofw support in kernel, skipping ipautofw rules"
fi

(Paul: Untested on an LRP box with ash. Anyone can confirm this works?)

