admin.jugamanusia.com

Warning: file_get_contents(http://ecs.amazonaws.com/onca/xml?Service=AWSECommerceService&AWSAccessKeyId=1TJ8QTQ6ZFCVAJ3X1T02&AssociateTag=ii0c3-20&Operation=ItemSearch&SearchIndex=Books&ResponseGroup=Small,Images&Keywords=cron) [function.file-get-contents]: failed to open stream: HTTP request failed! HTTP/1.1 400 Bad Request in /home/manusia2/public_html/wp-content/plugins/amazonfeed/php/amazonfeed.class.php on line 271

Table of Contents

26.1. Introduction

26.2. Making a caching nameserver

26.1. Introduction

The domain name system (DNS) is used to convert human-friendly host names (for example www.slackware.com) to IP addresses. BIND (Berkeley Internet Name Domain) is the most widely used DNS daemon, and will be covered in this chapter.

26.1.1. Delegation

One of the main features is that DNS requests can be delegated. For example, suppose that you own the “linuxcorp.com” domain. You can provide the authorized nameservers for this domain, you nameservers are authoritative for the “linuxcorp.com”. Suppose that there are different branches within your company, and you want to give each branch authority over their own zone, that is no problem with DNS. You can delegate DNS for e.g. “sales.linuxcorp.com” to another nameserver within the DNS configuration for the “linuxcorp.com” zone.

The DNS system has so-called root servers, which delegate the DNS for millions of domain names and extensions (for example, country specific extensions, like “.nl” or “.uk”) to authorized DNS servers. This system allows a branched tree of delegation, which is very flexible, and distributes DNS traffic.

26.1.2. DNS records types

The following types are common DNS record types:

Table 26.1. DNS records

Prefix
Description

A
An A record points to an IPv4 IP address.

AAAA
An AAAA record points to an IPv6 IP address.

CNAME
A CNAME record points to another DNS entry.

MX
A MX record specifies which should handle mail for the domain.

26.1.3. Masters and slaves

Two kinds of nameservers can be provided for a domain name: a master and slaves. The master server DNS records are authoritative. Slave servers download their DNS record from the master servers. Using slave servers besides a master server is recommended for high availability and can be used for load-balancing.

26.2. Making a caching nameserver

A caching nameserver provides DNS services for a machine or a network, but does not provide DNS for a domain. That means it can only be used to convert hostnames to IP addresses. Setting up a nameserver with Slackware Linux is fairly easy, because BIND is configured as a caching nameserver by default. Enabling the caching nameserver takes just two steps: you have to install BIND and alter the initialization scripts. BIND can be installed by adding the bind package from the “n” disk set. After that bind can be started by executing the named command. If want to start BIND by default, make the /etc/rc.d/rc.bind file executable. This can be done by executing the following command as root:

# chmod a+x /etc/rc.d/rc.bind

If you want to use the nameserver on the machine that runs BIND, you also have to alter /etc/resolv.conf.

Tags: cron, domain, domain name, slackware, Slackware Linux Basics

Related posts

• Slackware Linux Basics - Table of Contents (0)
• Slackware Linux Basics - Chapter 13 Sendmail (0)
• Slackware Linux Essentials - Glossary (0)
• Slackware Linux Essentials - Chapter 5 Network Configuration (0)
• Slackware Linux Essentials - Chapter 13 Basic Network Commands (0)

Slackware Linux Basics cron, domain, domain name, slackware

Table of Contents

25.1. Introduction

25.2. Installation

25.3. User directories

25.4. Virtual hosts

25.1. Introduction

Apache is the most popular web server since April 1996. It was originally based on NCSA httpd, and has grown into a full-featured HTTP server. Slackware Linux currently uses the 1.3.x branch of Apache. This chapter is based on Apache 1.3.x.

25.2. Installation

Apache can be installed by adding the apache package from the “n” disk set. If you also want to use PHP, the php (“n” disk set) and mysql (“ap” disk set) are also required. MySQL is required, because the precompiled PHP depends on MySQL shared libraries. You do not have to run MySQL itself. After installing Apache it can be started automatically while booting the system by making the /etc/rc.d/rc.httpd file executable. You can do this by executing:

# chmod a+x /etc/rc.d/rc.httpd

The Apache configuration can be altered in the /etc/apache/httpd.conf file. Apache can be stopped/started/restarted every moment with the apachectl command, and the stop, start and restart parameters. For example, execute the following command to restart Apache:

# apachectl restart
/usr/sbin/apachectl restart: httpd restarted

25.3. User directories

Apache provides support for so-call user directories. This means every user gets web space in the form of http://host/~user/. The contents of “~user/” is stored in a subdirectory in the home directory of the user. This directory can be specified using the “UserDir” option in httpd.conf, for example:

UserDir public_html

This specifies that the public_html directory should be used for storing the web pages. For example, the web pages at URL http://host/~snail/ are stored in /home/snail/public_html.

25.4. Virtual hosts

The default documentroot for Apache under Slackware Linux is /var/www/htdocs. Without using virtual hosts every client connecting to the Apache server will receive the website in this directory. So, if we have two hostnames pointing to the server, “www.example.org” and “forum.example.org”, both will display the same website. You can make separate sites for different hostnames by using virtual hosts.

In this example we are going to look how you can make two virtual hosts, one for “www.example.org”, with the documentroot /var/www/htdocs-www, and “forum.example.org”, with the documentroot /var/www/htdocs-forum. First of all we have to specify which IP addresses Apache should listen to. Somewhere in the /etc/apache/httpd.conf configuration file you will find the following line:

#NameVirtualHost *:80

This line has to be commented out to use name-based virtual hosts. Remove the comment character (#) and change the parameter to “BindAddress IP:port”, or “BindAddress *:port” if you want Apache to bind to all IP addresses the host has. Suppose we want to provide virtual hosts for IP address 192.168.1.201 port 80 (the default Apache port), we would change the line to:

NameVirtualHost 192.168.1.201:80

Somewhere below the NameVirtualHost line you can find a commented example of a virtualhost:

#<VirtualHost *:80>
#    ServerAdmin webmaster@dummy-host.example.com
#    DocumentRoot /www/docs/dummy-host.example.com
#    ServerName dummy-host.example.com
#    ErrorLog logs/dummy-host.example.com-error_log
#    CustomLog logs/dummy-host.example.com-access_log common
#</VirtualHost>

You can use this example as a guideline. For example, if we want to use all the default values, and we want to write the logs for both virtual hosts to the default Apache logs, we would add these lines:

<VirtualHost 192.168.1.201:80>
	DocumentRoot /var/www/htdocs-www
	ServerName www.example.org
</VirtualHost>

<VirtualHost 192.168.1.201:80>
	DocumentRoot /var/www/htdocs-forum
	ServerName forum.example.org
</VirtualHost>

Tags: Apache, mysql, php, pop, slackware, Slackware Linux Basics

Related posts

• FreeBSD Handbook - Chapter 29 Network Servers (0)
• Slackware Linux Essentials - Chapter 13 Basic Network Commands (0)
• Slackware Linux Essentials - Chapter 11 Process Control (0)
• Slackware Linux Essentials - Chapter 1 An Introduction to Slackware Linux (0)
• Slackware Linux Basics - Chapter 15 Printer configuration (0)

Slackware Linux Basics Apache, mysql, php, pop, slackware

Table of Contents

24.1. Introduction

24.2. Configuration

24.3. TCP wrappers

24.1. Introduction

There are two ways to offer TCP/IP services: by running server applications standalone as a daemon or by using the Internet super server, inetd. inetd is a daemon which monitors a range of ports. If a client attempts to connect to a port inetd handles the connection and forwards the connection to the server software which handles that kind of connection. The advantage of this approach is that it adds an extra layer of security and it makes it easier to log incoming connections. The disadvantage is that it is somewhat slower than using a standalone daemon. It is thus a good idea to run a standalone daemon on, for example, a heavily loaded FTP server.

24.2. Configuration

inetd can be configured using the /etc/inetd.conf file. Let’s have a look at an example line from inetd.conf:

# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd

This line specifies that inetd should accept FTP connections and pass them to tcpd. This may seem a bit odd, because proftpd normally handles FTP connections. You can also specify to use proftpd directly in inetd.conf, but Slackware Linux normally passes the connection to tcpd. This program passes the connection to proftpd in turn, as specified. tcpd is used to monitor services and to provide host based access control.

Services can be disabled by adding the comment character (#) at the beginning of the line. It is a good idea to disable all services and enable services you need one at a time. After changing /etc/inetd.conf inetd needs to be restarted to activate the changes. This can be done by sending the HUP signal to the inetd process:

# ps ax | grep 'inetd'
   64 ?        S      0:00 /usr/sbin/inetd
# kill -HUP 64

Or you can use the rc.inetd initialization script to restart inetd:

# /etc/rc.d/rc.inetd restart

24.3. TCP wrappers

As you can see in /etc/inetd.conf connections for most protocols are made through tcpd, instead of directly passing the connection to a service program. For example:

# File Transfer Protocol (FTP) server:
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  proftpd

In this example ftp connections are passed through tcpd. tcpd logs the connection through syslog and allows for additional checks. One of the most used features of tcpd is host-based access control. Hosts that should be denied are controlled via /etc/hosts.deny, hosts that should be allowed via /etc/hosts.allow. Both files have one rule on each line of the following form:

service: hosts

Hosts can be specified by hostname or IP address. The ALL keyword specifies all hosts or all services.

Suppose we want to block access to all services managed through tcpd, except for host “trusted.example.org”. To do this the following hosts.deny and hosts.allow files should be created.

/etc/hosts.deny:

ALL: ALL

/etc/hosts.allow:

ALL: trusted.example.org

In the hosts.deny access is blocked to all (ALL) services for all (ALL) hosts. But hosts.allow specifies that all (ALL) services should be available to “trusted.example.org”.

Tags: ftp, inetd, manage, slackware, Slackware Linux Basics, software

Related posts

• Slackware Linux Essentials (0)
• Slackware Linux Essentials - Glossary (0)
• Slackware Linux Essentials - Chapter 5 Network Configuration (0)
• Slackware Linux Essentials - Chapter 4 System Configuration (0)
• Slackware Linux Essentials - Chapter 3 Installation (0)

Slackware Linux Basics ftp, inetd, manage, slackware, software

Table of Contents

23.1. Theory

23.2. Linux configuration

23.3. Installing IPsec-Tools

23.4. Setting up IPsec with manual keying

23.5. Setting up IPsec with automatic key exchanging

23.1. Theory

IPsec is a standard for securing IP communication through authentication, and encryption. Besides that it can compress packets, reducing traffic. The following protocols are part of the IPsec standard:

• AH (Authentication Header) provides authenticity guarantee for transported packets. This is done by checksumming the packages using a cryptographic algorithm. If the checksum is found to be correct by the receiver, the receiver can be assured that the packet is not modified, and that the packet really originated from the reported sender (provided that the keys are only known by the sender and receiver).

• ESP (Encapsulating Security Payload) is used to encrypt packets. This makes the data of the packet confident, and only readable by the host with the right decryption key.

• IPcomp (IP payload compression) provides compression before a packet is encrypted. This is useful, because encrypted data generally compresses worse than unencrypted data.

• IKE (Internet Key Exchange) provides the means to negotiate keys in secrecy. Please note that IKE is optional, keys can be configured manually.

There are actually two modes of operation: transport mode is used to encrypt normal connections between two hosts, tunnel mode encapsulates the original package in a new header. In this chapter we are going to look at the transport mode, because the primary goal of this chapter is to show how to set up a secure connection between two hosts.

There are also two major methods of authentication. You can use manual keys, or an Internet Key Exchange (IKE) daemon, like racoon, that automatically exchanges keys securely betwoon two hosts. In both cases you need to set up a policy in the Security Policy Database (SPD). This database is used by the kernel to decide what kind of security policy is needed to communicate with another host. If you use manual keying you also have to set up Security Association Database (SAD) entries, which specifies what encryption algorithmn and key should be used for secure communication with another host. If you use an IKE daemon the security associations are automatically established.

23.2. Linux configuration

Native IPsec support is only available in Linux 2.6.x kernels. Earlier kernels have no native IPsec support. So, make sure that you have a 2.6.x kernel. The 2.6 kernel is available in Slackware Linux 10.0, 10.1, and 10.2 from the testing directory on CD2 of the Slackware Linux CD sets, or any of the official Slackware Linux mirrors. The 2.6 kernel is the default kernel since Slackware Linux 12.0. The default Slackware Linux 2.6 kernel has support for AH, ESP and IPcomp in for both IPv4 and IPv6. If you are compiling a custom kernel enable use at least the following options in your kernel configuration:

CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_IPCOMP=y
    

Or you can compile support for IPsec protocols as a module:

CONFIG_INET_AH=m
CONFIG_INET_ESP=m
CONFIG_INET_IPCOMP=m
    

In this chapter we are only going to use AH and ESP transformations, but it is not a bad idea to enable IPComp transformation for further configuration of IPsec. Besides support for the IPsec protocols, you have to compile kernel support for the encryption and hashing algorithms that will be used by AH or ESP. Linux or module support for these algorithms can be enabled by twiddling the various CONFIG_CRYPTO options. It does not hurt to compile all ciphers and hash algorithms as a module.

When you choose to compile IPsec support as a module, make sure that the required modules are loaded. For example, if you are going to use ESP for IPv4 connections, load the esp4 module.

Compile the kernel as usual and boot it.

23.3. Installing IPsec-Tools

The next step is to install the IPsec-Tools. These tools are ports of the KAME IPsec utilities. Download the latest sources and unpack, configure and install them:

# tar jxf ipsec-tools-x.y.z.tar.bz2
# cd ipsec-tools-x.y.z
# CFLAGS="-O2 -march=i486 -mcpu=i686" \
  ./configure --prefix=/usr \
              --sysconfdir=/etc \
              --localstatedir=/var \
              --enable-hybrid \
              --enable-natt \
              --enable-dpd \
              --enable-frag \
              i486-slackware-linux
# make
# make install
    

Replace x.y.z with the version of the downloaded sources. The most notable flags that we specify during the configuration of the sources are:

• –enable-dpd: enables dead peer detection (DPD). DPD is a method for detecting wether any of the hosts for which security associations are set up is unreachable. When this is the case the security associations to that host can be removed.

• –enable-natt: enables NAT traversal (NAT-T). Since NAT alters the IP headers, this causes problems for guaranteeing authenticity of a packet. NAT-T is a method that helps overcoming this problem. Configuring NAT-T is beyond the scope of this article.

23.4. Setting up IPsec with manual keying

23.4.1. Introduction

We will use an example as the guideline for setting up an encrypted connection between to hosts. The hosts have the IP addresses 192.168.1.1 and 192.168.1.169. The “transport mode” of operation will be used with AH and ESP transformations and manual keys.

23.4.2. Writing the configuration file

The first step is to write a configuration file we will name /etc/setkey.conf. On the first host (192.168.1.1) the following /etc/setkey.conf configuration will be used:

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

add 192.168.1.1 192.168.1.169 ah 0x200 -A hmac-md5
0xa731649644c5dee92cbd9c2e7e188ee6;
add 192.168.1.169 192.168.1.1 ah 0x300 -A hmac-md5
0x27f6d123d7077b361662fc6e451f65d8;

add 192.168.1.1 192.168.1.169 esp 0x201 -E 3des-cbc
0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224;
add 192.168.1.169 192.168.1.1 esp 0x301 -E 3des-cbc
0xc966199f24d095f3990a320d749056401e82b26570320292

spdadd 192.168.1.1 192.168.1.169 any -P out ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.1.169 192.168.1.1 any -P in ipsec
           esp/transport//require
           ah/transport//require;
      

The first line (a line ends with a “;”) adds a key for the header checksumming for packets coming from 192.168.1.1 going to 192.168.1.169. The second line does the same for packets coming from 192.168.1.169 to 192.168.1.1. The third and the fourth line define the keys for the data encryption the same way as the first two lines. Finally the “spadd” lines define two policies, namely packets going out from 192.168.1.1 to 192.168.1.169 should be (require) encoded (esp) and “signed” with the authorization header. The second policy is for incoming packets and it is the same as outgoing packages.

Please be aware that you should not use these keys, but your own secretly kept unique keys. You can generate keys using the /dev/random device:

# dd if=/dev/random count=16 bs=1 | xxd -ps
      

This command uses dd to output 16 bytes from /dev/random. Don’t forget to add “0x” at the beginning of the line in the configuration files. You can use the 16 byte (128 bits) for the hmac-md5 algorithm that is used for AH. The 3des-cbc algorithm that is used for ESP in the example should be fed with a 24 byte (192 bits) key. These keys can be generated with:

# dd if=/dev/random count=24 bs=1 | xxd -ps
      

Make sure that the /etc/setkey.conf file can only be read by the root user. If normal users can read the keys IPsec provides no security at all. You can do this with:

# chmod 600 /etc/setkey.conf
      

The same /etc/setkey.conf can be created on the 192.168.1.169 host, with inverted -P in and -P out options. So, the /etc/setkey.conf will look like this:

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

add 192.168.1.1 192.168.1.169 ah 0x200 -A hmac-md5
0xa731649644c5dee92cbd9c2e7e188ee6;
add 192.168.1.169 192.168.1.1 ah 0x300 -A hmac-md5
0x27f6d123d7077b361662fc6e451f65d8;

add 192.168.1.1 192.168.1.169 esp 0x201 -E 3des-cbc
0x656c8523255ccc23a66c1917aa0cf30991fce83532a4b224;
add 192.168.1.169 192.168.1.1 esp 0x301 -E 3des-cbc
0xc966199f24d095f3990a320d749056401e82b26570320292

spdadd 192.168.1.1 192.168.1.169 any -P in ipsec
           esp/transport//require
           ah/transport//require;

spdadd 192.168.1.169 192.168.1.1 any -P out ipsec
           esp/transport//require
           ah/transport//require;
      

23.4.3. Activating the IPsec configuration

The IPsec configuration can be activated with the setkey command:

# setkey -f /etc/setkey.conf
      

If you want to enable IPsec permanently you can add the following line to /etc/rc.d/rc.local on both hosts:

/usr/sbin/setkey -f /etc/setkey.conf
      

After configuring IPsec you can test the connection by running tcpdump and simultaneously pinging the other host. You can see if AH and ESP are actually used in the tcpdump output:

# tcpdump -i eth0
tcpdump: listening on eth0
11:29:58.869988 terrapin.taickim.net > 192.168.1.169: AH(spi=0x00000200,seq=0x40f): ESP(spi=0x00000201,seq=0x40f) (DF)
11:29:58.870786 192.168.1.169 > terrapin.taickim.net: AH(spi=0x00000300,seq=0x33d7): ESP(spi=0x00000301,seq=0x33d7)
      

23.5. Setting up IPsec with automatic key exchanging

23.5.1. Introduction

The subject of automatical key exchange is already touched shortly in the introduction of this chapter. Put simply, IPsec with IKE works in the following steps.

1. Some process on the host wants to connect to another host. The kernel checks whether there is a security policy set up for the other host. If there already is a security association corresponding with the policy the connection can be made, and will be authenticated, encrypted and/or compressed as defined in the security association. If there is no security association, the kernel will request a user-land IKE daemon to set up the necessary security association(s).

2. During the first phase of the key exchange the IKE daemon will try to verify the authenticity of the other host. This is usually done with a preshared key or certificate. If the authentication is successful a secure channel is set up between the two hosts, usually called a IKE security association, to continue the key exchange.

3. During the second phase of the key exchange the security associations for communication with the other host are set up. This involves choosing the encryption algorithm to be used, and generating keys that are used for encryption of the communication.

4. At this point the first step is repeated again, but since there are now security associations the communication can proceed.

The racoon IKE daemon is included with the KAME IPsec tools, the sections that follow explain how to set up racoon.

23.5.2. Using racoon with a preshared key

As usual the first step to set up IPsec is to define security policies. In contrast to the manual keying example you should not set up security associations, because racoon will make them for you. We will use the same host IPs as in the example above. The security policy rules look like this:

#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

spdadd 192.168.1.1 192.168.1.169 any -P out ipsec
	esp/transport//require;

spdadd 192.168.1.169 192.168.1.1 any -P in ipsec
	esp/transport//require;
      

Cautious souls have probably noticed that AH policies are missing in this example. In most situations this is no problem, ESP can provide authentication. But you should be aware that the authentication is more narrow; it does not protect information outside the ESP headers. But it is more efficient than encapsulating ESP packets in AH.

With the security policies set up you can configure racoon. Since the connection-specific information, like the authentication method is specified in the phase one configuration. We can use a general phase two configuration. It is also possible to make specific phase two settings for certain hosts. But generally speaking a general configuration will often suffice in simple setups. We will also add paths for the preshared key file, and certification directory. This is an example of /etc/racoon.conf with the paths and a general phase two policy set up:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

sainfo anonymous {
{
	pfs_group 2;
	lifetime time 1 hour;
	encryption_algorithm 3des, blowfish 448, rijndael;
	authentication_algorithm hmac_sha1, hmac_md5;
	compression_algorithm deflate;
}
      

The sainfo identifier is used to make a block that specifies the settings for security associations. Instead of setting this for a specific host, the anonymous parameter is used to specify that these settings should be used for all hosts that do not have a specific configuration. The pfs_group specifies which group of Diffie-Hellman exponentiations should be used. The different groups provide different lengths of base prime numbers that are used for the authentication process. Group 2 provides a 1024 bit length if you would like to use a greater length, for increased security, you can use another group (like 14 for a 2048 bit length). The encryption_algorithm specifies which encryption algorithms this host is willing to use for ESP encryption. The authentication_algorithm specifies the algorithm to be used for ESP Authentication or AH. Finally, the compression_algorithm is used to specify which compression algorithm should be used when IPcomp is specified in an association.

The next step is to add a phase one configuration for the key exchange with the other host to the racoon.conf configuration file. For example:

remote 192.168.1.169
{
	exchange_mode aggressive, main;
	my_identifier address;
	proposal {
		encryption_algorithm 3des;
		hash_algorithm sha1;
		authentication_method pre_shared_key;
		dh_group 2;
	}
}
      

The remote block specifies a phase one configuration. The exchange_mode is used to configure what exchange mode should be used for phase. You can specify more than one exchange mode, but the first method is used if this host is the initiator of the key exchange. The my_identifier option specifies what identifier should be sent to the remote host. If this option committed address is used, which sends the IP address as the identifier. The proposal block specifies parameter that will be proposed to the other host during phase one authentication. The encryption_algorithm, and dh_group are explained above. The hash_algorithm option is mandatory, and configures the hash algorithm that should be used. This can be md5, or sha1. The authentication_method is crucial for this configuration, as this parameter is used to specify that a preshared key should be used, with pre_shared_key.

With racoon set up there is one thing left to do, the preshared key has to be added to /etc/racoon/psk.txt. The syntax is very simple, each line contains a host IP address and a key. These parameters are separated with a tab. For example:

192.168.1.169	somekey
      

23.5.3. Activating the IPsec configuration

At this point the configuration of the security policies and racoon is complete, and you can start to test the configuration. It is a good idea to start racoon with the -F parameter. This will run racoon in the foreground, making it easier to catch error messages. To wrap it up:

# setkey -f /etc/setkey.conf
# racoon -F
      

Now that you have added the security policies to the security policy database, and started racoon, you can test your IPsec configuration. For instance, you could ping the other host to start with. The first time you ping the other host, this will fail:

$ ping 192.168.1.169
connect: Resource temporarily unavailable
      

The reason for this is that the security associations still have to be set up. But the ICMP packet will trigger the key exchange. ping will trigger the key exchange. You can see whether the exchange was succesful or not by looking at the racoon log messages in /var/log/messages, or the output on the terminal if you started racoon in the foreground. A succesful key exhange looks like this:

 Apr  4 17:14:58 terrapin racoon: INFO: IPsec-SA request for 192.168.1.169 queued due to no phase1 found.
 Apr  4 17:14:58 terrapin racoon: INFO: initiate new phase 1 negotiation: 192.168.1.1[500]<=>192.168.1.169[500]
 Apr  4 17:14:58 terrapin racoon: INFO: begin Aggressive mode.
 Apr  4 17:14:58 terrapin racoon: INFO: received Vendor ID: DPD
 Apr  4 17:14:58 terrapin racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
 Apr  4 17:14:58 terrapin racoon: INFO: ISAKMP-SA established 192.168.1.1[500]-192.168.1.169[500] spi:58c4669f762abf10:60593eb9e3dd7406
 Apr  4 17:14:59 terrapin racoon: INFO: initiate new phase 2 negotiation: 192.168.1.1[0]<=>192.168.1.169[0]
 Apr  4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.169->host1ip; spi=232781799(0xddff7e7)
 Apr  4 17:14:59 terrapin racoon: INFO: IPsec-SA established: ESP/Transport 192.168.1.1->192.168.1.169 spi=93933800(0x59950e8)
      

After the key exchange, you can verify that IPsec is set up correctly by analyzing the packets that go in and out with tcpdump. tcpdump is available in the n diskset. Suppose that the outgoing connection to the other host goes through the eth0 interface, you can analyze the packats that go though the eth0 interface with tcpdump -i eth0. If the outgoing packets are encrypted with ESP, you can see this in the tcpdump output. For example:

# tcpdump -i eth0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
17:27:50.241067 IP terrapin.taickim.net > 192.168.1.169: ESP(spi=0x059950e8,seq=0x9)
17:27:50.241221 IP 192.168.1.169 > terrapin.taickim.net: ESP(spi=0x0ddff7e7,seq=0x9)
      

Tags: catch, cron, database, slackware, Slackware Linux Basics

Related posts

• Slackware Linux Essentials - Chapter 2 Help (0)
• Slackware Linux Basics - Files and Directories (0)
• Slackware Linux Basics - Chapter 21. Miscellaneous (0)
• Slackware Linux Basics - Chapter 13 Sendmail (0)
• FreeBSD Handbook - Chapter 8 Configuring the FreeBSD Kernel (0)

Slackware Linux Basics catch, cron, database, slackware

Table of Contents

22.1. Hardware

22.2. Configuration of interfaces

22.3. Configuration of interfaces (IPv6)

22.4. Wireless interfaces

22.5. Resolving

22.6. IPv4 Forwarding

22.1. Hardware

Network cards (NICs)

Drivers for NICs are installed as kernel modules. The module for your NIC has to be loaded during the initialization of Slackware Linux. On most systems the NIC is automatically detected and configured during the installation of Slackware Linux. You can reconfigure your NIC with the netconfig command. netconfig adds the driver (module) for the detected card to /etc/rc.d/rc.netdevice.

It is also possible to manually configure which modules should be loaded during the initialization of the system. This can be done by adding a modprobe line to /etc/rc.d/rc.modules. For example, if you want to load the module for 3Com 59x NICs (3c59x.o), add the following line to /etc/rc.d/rc.modules

/sbin/modprobe 3c59x

PCMCIA cards

Supported PCMCIA cards are detected automatically by the PCMCIA software. The pcmcia-cs packages from the “a” disk set provides PCMCIA functionality for Slackware Linux.

22.2. Configuration of interfaces

Network cards are available under Linux through so-called “interfaces”. The ifconfig command can be used to display the available interfaces:

# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:20:AF:F6:D4:AD
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:1 txqueuelen:100
          RX bytes:472116 (461.0 Kb)  TX bytes:280355 (273.7 Kb)
          Interrupt:10 Base address:0xdc00 

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:77 errors:0 dropped:0 overruns:0 frame:0
          TX packets:77 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8482 (8.2 Kb)  TX bytes:8482 (8.2 Kb)

Network cards get the name ethn, in which n is a number, starting with 0. In the example above, the first network card (eth0) already has an IP address. But unconfigured interfaces have no IP address, the ifconfig will not show IP addresses for unconfigured interfaces. Interfaces can be configured in the /etc/rc.d/rc.inet1.conf file. You can simply read the comments, and fill in the required information. For example:

# Config information for eth0:
IPADDR[0]="192.168.1.1"
NETMASK[0]="255.255.255.0"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

In this example the IP address 192.168.1.1 with the 255.255.255.0 netmask is assigned to the first ethernet interface (eth0). If you are using a DHCP server you can change the USE_DHCP="" line to USE_DHP[n]="yes" (swap “n” with the interface number). Other variables, except DHCP_HOSTNAME are ignored when using DHCP. For example:

IPADDR[1]=""
NETMASK[1]=""
USE_DHCP[1]="yes"
DHCP_HOSTNAME[1]=""

The same applies to other interfaces. You can activate the settings by rebooting the system or by executing /etc/rc.d/rc.inet1. It is also possible to reconfigure only one interface with /etc/rc.d/rc.inet1 ethX_restart, in which ethX should be replaced by the name of the interface that you would like to reconfigure.

22.3. Configuration of interfaces (IPv6)

22.3.1. Introduction

IPv6 is the next generation internet protocol. One of the advantages is that it has a much larger address space. In IPv4 (the internet protocol that is commonly used today) addresses are 32-bit, this address space is almost completely used right now, and there is a lack of IPv4 addresses. IPv6 uses 128-bit addresses, which provides an unimaginable huge address space (2^128 addresses). IPv6 uses another address notation, first of all hex numbers are used instead of decimal numbers, and the address is noted in pairs of 16-bits, separated by a colon (“:”). Let’s have a look at an example address:

fec0:ffff:a300:2312:0:0:0:1

A block of zeroes can be replaced by two colons (“::”). Thus, thee address above can be written as:

fec0:ffff:a300:2312::1

Each IPv6 address has a prefix. Normally this consists of two elements: 32 bits identifying the address space the provider provides you, and a 16-bit number that specifies the network. These two elements form the prefix, and in this case the prefixlength is 32 + 16 = 48 bits. Thus, if you have a /48 prefix you can make 2^16 subnets and have 2^80 hosts on each subnet. The image below shows the structure of an IPv6 address with a 48-bit prefix.

Figure 22.1. The anatomy of an IPv6 address

There are a some specially reserved prefixes, most notable include:

Table 22.1. Important IPv6 Prefixes

Prefix

Description

fe80::

Link local addresses, which are not routed.

fec0::

Site local addresses, which are locally routed, but not on or to the internet.

2002::

6to4 addresses, which are used for the transition from IPv4 to IPv6.

22.3.2. Slackware Linux IPv6 support

The Linux kernel binaries included in Slackware Linux do not support IPv6 by default, but support is included as a kernel module. This module can be loaded using modprobe:

# modprobe ipv6

You can verify if IPv6 support is loaded correctly by looking at the kernel output using the dmesg:

$ dmesg
[..]
IPv6 v0.8 for NET4.0

IPv6 support can be enabled permanently by adding the following line to /etc/rc.d/rc.modules:

/sbin/modprobe ipv6

Interfaces can be configured using ifconfig. But it is recommended to make IPv6 settings using the ip command, which is part of the “iputils” package that can be found in the extra/ directory of the Slackware Linux tree.

22.3.3. Adding an IPv6 address to an interface

If there are any router advertisers on a network there is a chance that the interfaces on that network already received an IPv6 address when the IPv6 kernel support was loaded. If this is not the case an IPv6 address can be added to an interface using the ip utility. Suppose we want to add the address “fec0:0:0:bebe::1” with a prefix length of 64 (meaning “fec0:0:0:bebe” is the prefix). This can be done with the following command syntax:

# ip -6 addr add <ip6addr>/<prefixlen> dev <device>

For example:

# ip -6 addr add fec0:0:0:bebe::1/64 dev eth0

22.4. Wireless interfaces

Wireless interfaces usually require some additional configuration, like setting the ESSID, WEP keys and the wireless mode. Interface settings that are specific to wireless interfaces can be set in the /etc/rc.d/rc.wireless.conf file. The /etc/rc.d/rc.wireless script configures wireless interfaces based on descriptions from /etc/rc.d/rc.wireless.conf. In rc.wireless.conf settings are made per interface MAC address. By default this file has a section that matches any interface:

## NOTE : Comment out the following five lines to activate the samples below ...
## --------- START SECTION TO REMOVE -----------
## Pick up any Access Point, should work on most 802.11 cards
*)
    INFO="Any ESSID"
    ESSID="any"
    ;;
## ---------- END SECTION TO REMOVE ------------

It is generally a good idea to remove this section to make per-card settings. If you are lazy and only have one wireless card, you can leave this section in and add any configuration parameters you need. Since this section matches any wireless interface the wireless card you have will be matched and configured. You can now add a sections for your wireless interfaces. Each section has the following format:

<MAC address>)
    <settings>
;;

You can find the MAC address of an interface by looking at the ifconfig output for the interface. For example, if a wireless card has the eth1 interface name, you can find the MAC address the following way:

# ifconfig eth1
eth1      Link encap:Ethernet  HWaddr 00:01:F4:EC:A5:32
          inet addr:192.168.2.2  Bcast:192.168.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 b)  TX bytes:504 (504.0 b)
          Interrupt:5 Base address:0x100

The hexadecimal address that is printed after HWaddr is the MAC address, in this case 00:01:F4:EC:A5:32. When you have found the MAC address of the interface you can add a section for the device to /etc/rc.d/rc.wireless.conf. For example:

00:01:F4:EC:A5:32)
    INFO="Cabletron Roamabout WLAN NIC"
    ESSID="home"
    CHANNEL="8"
    MODE="Managed"
    KEY="1234-5678-AB"
    ;;

This will set the interface with MAC address 00:01:F4:EC:A5:32 to use the ESSID home, work in Managed mode on channel 8. The key used for WEP encryption is 1234-5678-AB. There are many other parameters that can be set. For an overview of all parameters, refer to the last example in rc.wireless.conf.

After configuring a wireless interface, you can activate the changes by executing the network initialization script /etc/rc.d/rc.inet1. You can see the current wireless settings with the iwconfig command:

eth1      IEEE 802.11-DS  ESSID:"home"  Nickname:"HERMES I"
          Mode:Managed  Frequency:2.447 GHz  Access Point: 02:20:6B:75:0C:56
          Bit Rate:2 Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
          Retry limit:4   RTS thr:off   Fragment thr:off
          Encryption key:1234-5678-AB
          Power Management:off
          Link Quality=0/92  Signal level=134/153  Noise level=134/153
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:27  Invalid misc:0   Missed beacon:0

22.5. Resolving

Hostname

Each computer on the internet has a hostname. If you do not have a hostname that is resolvable with DNS, it is still a good idea to configure your hostname, because some software uses it. You can configure the hostname in /etc/HOSTNAME. A single line with the hostname of the machine will suffice. Normally a hostname has the following form: host.domain.tld, for example darkstar.slackfans.org. Be aware that the hostname has to be resolvable, meaning that GNU/Linux should be able to convert the hostname to an IP address. You can make sure the hostname is resolvable by adding it to /etc/hosts. Read the following section for more information about this file.

/etc/hosts

/etc/hosts is a table of IP addresses with associated hostnames. This file can be used to name computers in a small network. Let’s look at an example of the /etc/hosts file:

127.0.0.1               localhost
192.168.1.1             tazzy.slackfans.org tazzy
192.168.1.169           flux.slackfans.org

The localhost line should always be present. It assigns the name localhost to a special interface, the loopback. In this example the names tazzy.slackfans.org and tazzy are assigned to the IP address 192.168.1.1, and the name flux.slackfans.org is assigned to the IP address 192.168.1.169. On the system with this file both computers are available via the mentioned hostnames.

It is also possible to add IPv6 addresses, which will be used if your system is configured for IPv6. This is an example of a /etc/hosts file with IPv4 and IPv6 entries:

# IPv4 entries
127.0.0.1               localhost
192.168.1.1             tazzy.slackfans.org tazzy
192.168.1.169           gideon.slackfans.org

# IPv6 entries
::1			localhost
fec0:0:0:bebe::2	flux.slackfans.org	

Please note that “::1” is the default IPv6 loopback.

/etc/resolv.conf

The /etc/resolv.conf file is used to specify which nameservers the system should use. A nameserver converts hostnames to IP addresses. Your provider should have given you at least two name name server addresses (DNS servers). You can add these nameservers to /etc/resolv.conf by adding the line nameserver ipaddress for each nameserver. For example:

nameserver 192.168.1.1
nameserver 192.168.1.169

You can check wether the hostnames are tranlated correctly or not with the host hostname command. Swap hostname with an existing hostname, for example the website of your internet service provider.

22.6. IPv4 Forwarding

IPv4 forwarding connects two or more networks by sending packets which arrive on one interface to another interface. This makes it possible to let a GNU/Linux machine act as a router. For example, you can connect multiple networks, or your home network with the internet. Let’s have a look at an example:

Figure 22.2. Router example

In dit example there are two networks, 192.168.1.0 and 192.168.2.0. Three hosts are connected to both network. One of these hosts is connected to both networks with interfaces. The interface on the 192.168.1.0 network has IP address 192.168.1.3, the interface on the 192.168.2.0 network has IP address 192.168.2.3. If the host acts as a router between both networks it forwards packets from the 192.168.1.0 network to the 192.168.2.0 network and vise versa. Routing of normal IPv4 TCP/IP packages can be enabled by enabling IPv4 forwarding.

IPv4 forwarding can be enabled or disabled under Slackware Linux by changing the executable bit of the /etc/rc.d/rc.ip_forward file. If the executable bit is set on this file, IP forwarding will be enabled during the system boot, otherwise it will not. You can check whether the executable bit is enabled with ls -l (a description of the ls command can be found in Section 8.2.1, “Listing files”).

It is also possible to enable IPv4 forwarding on a running system with the following command (0 disables forwarding, 1 enables forwarding):

# echo 0 > /proc/sys/net/ipv4/ip_forward

Be cautious! By default there are no active packet filters. This means that anyone can access other networks. Traffic can be filtered and logged with the iptables kernel packet filter. Iptables can be administrated through the iptables command. NAT (Network Address Translation) is also a subset of iptables, and can be controlled and enabled through the iptables command. NAT makes it possible to “hide” a network behind one IP address. This allows you to use the internet on a complete network with only one IP address.

Tags: cron, domain, filters, manage, slackware, Slackware Linux Basics, software

Related posts

• Slackware Linux Essentials - Glossary (0)
• Slackware Linux Essentials - Chapter 5 Network Configuration (0)
• Slackware Linux Essentials - Chapter 12 Essential System Administration (0)
• Slackware Linux Essentials - Chapter 1 An Introduction to Slackware Linux (0)
• Slackware Linux Basics - Table of Contents (0)

Slackware Linux Basics cron, domain, filters, manage, slackware, software