LEAF "Bering" user's guide - Uni
Contents
1. Modify the syslinux.cfg file to load the new packages. It might look like this:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,weblet

Note: the last two lines ("default linux" through "ipsec,mawk") must be typed as a single one in syslinux.cfg.

Copy the ipsec.o module from the modules package which matches your kernel. Don't even try to do this with mismatching modules, kernel or ipsec utilities. Install this module using the method described in the main Bering documentation.

12.3 Step 2: generate certificates with openssl

Certificates usually need to be generated from the host machine, since the router usually doesn't have enough randomness to generate them easily. I use the Debian package and I assume there is a RedHat package. Here is a link to a document describing how to compile it from source. If you do not desire to use certificates (you only wish to use preshared keys), you may skip to Step 4.

Make a new certificate authority:

    mkdir -p demoCA/private
    mkdir -p demoCA/newcerts
    touch demoCA/index.txt
    echo 01 >> demoCA/serial
    chmod -R 700 demoCA
    openssl req -x509 -days 3650 -newkey rsa:2048 -keyout demoCA/private/cakey.pem -out demoCA/c
    openssl ca -gencrl -out crl.pem

Make your ipsec server certific
2. 13.2 Step 1: Modify /etc/inittab and /etc/securetty files

Through the LEAF configuration menu, type 2 to get access to the System configuration menu:

    System configuration menu
    1) Master LRP settings (lrp.conf)
    2) POSIXness settings (POSIXness.conf)
    3) File system mounts (fstab)
    4) Lowest level boot-up configuration (inittab)
    5) System wide profile (profile)
    6) Ports root is allowed to login to (securetty)
    7) System logger configuration (syslog.conf)
    8) Service name to number translation (services)
    9) Local timezone TZ setup (tzvalue)
    q) quit
    Selection:

Enter 4 to edit inittab. Comment out getty's on tty1 and tty2 and uncomment getty on ttyS0 (com1). For access through com2, com3 or com4, replace by ttyS1, ttyS2 and ttyS3 respectively. Your inittab file will look like:

    <snip>
    # Format:
    # <id>:<runlevels>:<action>:<process>
    #1:2345:respawn:/sbin/getty 38400 tty1
    #2:23:respawn:/sbin/getty 38400 tty2
    3:23:respawn:/sbin/getty 38400 tty3
    4:23:respawn:/sbin/getty 38400 tty4
    5:23:respawn:/sbin/getty 38400 tty5
    6:23:respawn:/sbin/getty 38400 tty6
    # Example how to put a getty on a serial line (for a terminal)
    T1:23:respawn:/sbin/getty -L ttyS0 19200 vt100
    <snip>

Enter 6 to edit /etc/securetty to add ttyS0. Your file will look like:

    /etc/securetty: list of terminals on which root
3. declare the appropriate packages

First of all, download the pcmcia orinoco lrp package from the Bering packages area and rename it pcmcia.lrp. This package is derived from the standard Bering pcmcia.lrp package and includes the orinoco drivers. You then need to download the wireless.lrp and the libm.lrp packages.

Depending on your ISP connection and your network hardware, declare the appropriate packages. For example:

- ppp, pppoe and pcmcia if you connect through an ADSL PPPoE connection and have a wireless NIC connected through a PCMCIA adapter
- pcmcia if you connect through a fixed IP cable modem ISP and have a wireless NIC connected through a PCMCIA adapter
- pump, pcmcia if you connect through a dynamic IP cable modem ISP and have a wireless NIC connected through a PCMCIA adapter
- none of the above if you connect through a fixed IP cable modem ISP and have a PCI native wireless card

In the first case your syslinux.cfg file will look like (adapt to your own case):

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680 LRP=root,etc,local,modules,ppp,pppoe,pcmcia,wireless,libm,keyboa1

Note: the last two lines ("default linux" through "dnscache,weblet") must be typed as a single one in syslinux.cfg.

11.3 Step 2: declare the appropriate modules

Declare the modules neede
4. sourceforge.net>

8.2 Step 1: preparing the distro

First make sure you have your Bering floppy distro already working. You may want to take one or more of the following actions:

- Define root password
- Generate the ssh keys if you will use them

Make sure to read the CD-Rom section of the Bering user's guide chapter on Booting Bering from different boot media.

8.3 Step 2: downloading the required packages

From now on we are going to use a Windows machine to create the CD. Linux users should have no problem in following. Download the two following packages: syslinux and cdrtools. Unpack them with WinZip. Also download the makeiso.bat MS-DOS .bat file from the Bering contrib directory.

Create a new directory. It can be anywhere, but in practice I recommend creating it next to the root (e.g. C:\), since it will be easier to access it at a later stage from the DOS prompt. Let's call it BCD (Bering CD). We will have the following directory hierarchy:

    C:\
    C:\BCD
    C:\BCD\diskcontent

Once this is done, put in the C:\BCD directory the following 3 files:

- mkisofs.exe (1) and cygwin1.dll (2), extracted out of the cdrtool directory
- makeiso.bat (3), downloaded from the Bering contrib directory

Then put in the C:\BCD\diskcontent directory the following file:

- isolinux.bin, extracted out of the syslinux directory

Other versions of these
5. Boot a Bering floppy. Install on the /boot/lib/modules the ide-mod.o, ide-disk.o and the ide-probe-mod.o modules. Then declare those modules in /boot/etc/modules through the initrd package configuration menu, in this order. Then backup the initrd.lrp package. Once this is done, edit the syslinux.cfg file, which will look like:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/hda1:msdos PKGPATH=/dev LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,sshd,ipsec,weblet

Once you have finished with your floppy preparation, copy its content to the IDE device that you prepared earlier. You should now be able to boot from the IDE device.

9.5 Booting from a CD-Rom with isolinux

This section does not cover the creation of the Bering cd-rom, which is explained in a separate section. The start options for isolinux are similar to the syslinux options. By default they look like this:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/cdrom:iso9660 PKGPATH

There are some important differences with the syslinux parameters:

- The boot filesystem (iso9660) must be specified after the boot device (/dev/cdrom) in the boot statement. Use a colon as a delimiter.
- The devices in your PKGPATH statement can be given different filesystems. The
6. ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Do not forget the "-" under the BROADCAST heading for the net ppp0 entry.

B) The masq file (entry 7). With a dial-up modem setup it should look like:

    #INTERFACE    SUBNET
    ppp0          eth0
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Backup the shorwall.lrp package.

2.7 Step 6: reboot

Your modem connection should be established automatically. Type plog to check the login sequence with your ISP. If there is no output, check /var/log/syslog to get a clue on potential problems.

If you want to be sure that your modem and/or script parameters are OK before backing up ppp.lrp, you can launch the connection manually just by typing pon. Use the plog command to see how the connection is going and poff to close down your ppp connection.

3 PCMCIA configuration

3.1 Objectives

We assume here that your cable/ADSL connection is down and that you need to setup a router on your old laptop equipped with a combo Ethernet/Modem PCMCIA card. What follows describes the configuration of this emergency dial-up modem router. Your external interface to the internet will be using the modem faci
7. be typed as a single one in syslinux.cfg.

4.3 Step 2: declare the ppp and pppoe modules

In order to have a PPPoE connection working, you need to have ppp and pppoe support enabled through the appropriate kernel modules. You also need to declare the driver module(s) of your network card(s). In the following example we assume that both ethernet interfaces are provided through a standard ne 2000 PCI card.

All the modules which are necessary for a PPPoE connection are provided on the standard Bering floppy. You just need to declare them, since they are not loaded by default. As far as your network cards are concerned, the most popular driver modules are provided in /lib/modules, but you might need to download the one corresponding to your own hardware from the Bering modules download area. Refer to the Bering installation guide to learn how to do that.

To declare your modules, go to the LEAF Packages configuration menu and choose modules. Enter 1 to edit the /etc/modules file and enter the following information:

    # 8390 based ethernet cards
    8390
    ne2k-pci
    # Modules needed for PPP/PPPOE connection
    slhc
    n_hdlc
    ppp_generic
    ppp_synctty
    pppox
    pppoe
    # Masquerading helper modules
    ip_conntrack_ftp
    ip_conntrack_irc
    ip_nat_ftp
    ip_nat_irc

The /etc/modules file provided in the Bering distro is already setup with those entries commented out. Just remove the leading
8. defines the internal address of the router. Backup the etc.lrp package.

4.7 Step 6: configure Shorewall

Through the LEAF packages configuration menu, choose shorwall and check the three following files:

A) The interfaces file (entry 3) defines your interfaces. Here connection to the net goes through ppp0. So we must set:

    #ZONE    INTERFACE    BROADCAST    OPTIONS
    net      ppp0         -            routefilter
    loc      eth1         detect       routestopped
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

Do not forget the "-" under the BROADCAST heading for the net ppp0 entry.

B) The masq file (entry 7). With a dial-up modem setup it should look like:

    #INTERFACE    SUBNET
    ppp0          eth1
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

C) You may also need to edit the config file (entry 12) to adjust the CLAMPMSS variable to yes:

    # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU"
    # option. This option is most commonly required when your internet
    # interface is some variant of PPP (PPTP or PPPoE). Your kernel must
    #
    # If left blank, or set to "No" or "no", the option is not enabled.
    #
    CLAMPMSS=yes

Backup the shorwall.lrp package.

4.8 Step 7: reboot

Your modem connection should be established automatically. Type
9. files (older or more recent ones) may also work. You are on your own here.

8.4 Step 3: preparing the Bering CD-Rom content

If you are in a hurry, download the initrd cdrom file from the Bering contrib directory and rename it initrd.lrp. This is an initrd.lrp package which includes the necessary kernel modules to access a CD-Rom at boot time.

You can also create it yourself as follows. Boot your working Bering floppy. In the /boot/lib/modules directory put the following modules that will allow boot-time CD-Rom support (those modules can be found in the Bering modules download area):

    cdrom.o
    ide-mod.o
    ide-cd.o
    ide-probe-mod.o
    isofs.o

Declare those names, without the .o suffix, in the /boot/etc/modules file through the initrd package menu. The order MUST be respected. Now backup the initrd.lrp package.

Copy all the files from your working Bering floppy to the C:\BCD\diskcontent directory, except initrd.lrp if you have not created it yourself as described above, in which case you will put in the C:\BCD dir the one you downloaded. In this directory do the following:

- Rename syslinux.cfg to isolinux.cfg
- Delete ldlinux.sys
- Edit isolinux.cfg and replace the /dev/fd0u1680 entries after boot and PKGPATH by /dev/cdrom
- Add any package you might need out of the CD. Do not forget the hackers though.

After that your isolinux.cfg file will look like:

    display syslinux.dpy
    timeout 0
    default linux initrd=i
10. former are separated from the latter with a colon.

- The order in which the devices (/dev/cdrom, /dev/fd0) are declared in the PKGPATH statement is important. Packages will be picked up in this order, which means that you can override a package from the CD-rom with one provided on the floppy.

If you are booting from a CD-Rom, the list of packages in the LRP statement might be pretty long. The problem is that there is a limit to the length of isolinux.cfg statements, which cannot exceed 255 characters. To avoid this limitation you can declare the list of packages you are going to use in a file called lrpkg.cfg. When this file exists on the boot device, the package list will be read from it. This file consists of a single record with a list of packages separated by commas. It looks like:

    cat lrpkg.cfg
    root,etc,local,modules,pump,keyboard,shorwall,dnscache,weblet

This file can be present in more locations. The last location in the PKGPATH statement will be used. So you have the possibility to have a standard lrpkg.cfg on your CD and, for special occasions or testing, you can have another one on a floppy.

As stated before, you can load a package stored on different devices. This is useful in the following situations:

- To have access to an updated package on the floppy
- To do a partial backup of a package on the floppy. Especially useful for configuration files. (Have you ever tried to backup a package on a CD-Rom?)
- To do tes
11. from boot cd use F pe You will be able to see the search order at boot time.

9.6 Partial backup of packages to/from floppy

Saving a partial backup to floppy disk:

- If you want to backup parts of the package that are not in the /etc and /var/lib/lrpkg directories, you have to be sure there is a /var/lib/lrpkg/PACKAGE.local file for each PACKAGE.lrp you are doing partial backup of. This file contains the list of files to be saved in the partial backup. See doc for format. This list should include local configuration files and any binary files that have been updated; always include /var/lib/lrpkg/PACKAGE to save the local files in the partial backup of PACKAGE.lrp.
- Set backup to partial (p) and set the backup device (d) to something like fd0 and msdos.

Loading partial backup from floppy disk after booting cdrom:

- Check syslinux.cfg on boot cd to see if PKGPATH includes the partial backup device; the default is PKGPATH=/dev/cdrom:iso9660,/dev/fd0:msdos
- Set the load order in the lrpkg.cfg file on the floppy disk to load the CDROM version of the package, then the floppy version of the partial backup of the package. This (the default) will first load the cdrom version, then the floppy updates if they exist. Use R to load the floppy version as a full package and totally avoid the cdrom version of the package.

You can NOT do a partial back up of ini
12. modules

In order to have a modem dialup connection working, you need to have ppp support enabled through the appropriate kernel modules (note: since v1.0 rc2 serial support is compiled in the kernel). You also need to declare the driver module of the network card assigned to your internal network. In the following example this card is supposed to be a standard ne 2000 PCI card.

To configure your modules, go to the LEAF Packages configuration menu and choose modules. Enter 1 to edit the /etc/modules file and enter the following information:

    # 8390 based ethernet cards
    8390
    ne2k-pci
    # Modules needed for PPP connection
    slhc
    ppp_generic
    ppp_async
    ppp_deflate
    # Masquerading helper modules
    ip_conntrack_ftp
    ip_conntrack_irc
    ip_nat_ftp
    ip_nat_irc

The sample file above might be different in your own case: you might need another network module or some extra functionalities. Adjust to your needs. Backup the modules.lrp package.

2.4 Step 3: configure ppp

Connection with your ISP will be handled by PPP. The PPP How-to document will give you very detailed information about this protocol and how to set up the numerous parameters. Through the LEAF packages configuration menu, get access to ppp configuration. The following menu will show up:

    ppp configuration files
    1) ISP pppd options
    2) ISP login script
    3) System wide pppd options
    4) chap secret
13. ppp.lrp package.

6.5 Step 4: configure your interfaces file

Through the LEAF configuration menu, type 1 to access the network configuration menu and 1 again to edit your /etc/network/interfaces file. Enter the following information:

    auto lo eth0 eth1
    iface lo inet loopback
    iface eth0 inet static
        address 10.0.0.1
        masklen 24
        broadcast 10.0.0.255
        up pptp 10.0.0.138
    iface eth1 inet static
        address 192.168.1.254
        masklen 24
        broadcast 192.168.1.255

In this /etc/network/interfaces file the lo, eth0 and eth1 interfaces are brought up automatically when the ifup -a statement is executed at boot time by the /etc/init.d/networking script.

The "iface eth0 inet static" section defines the external address of the router and says:

- Bring up eth0 at address 10.0.0.1
- Execute the pptp 10.0.0.138 command once eth0 is up, to establish the PPTP/PPPoA connection

The "iface eth1 inet static" section defines the internal address of the router. Backup the etc.lrp package.

6.6 Step 5: configure Shorewall

Through the LEAF packages configuration menu, choose shorwall and check the three following files:

A) The interfaces file (entry 3) defines your interfaces. Here connection to the net goes through ppp0. So we must set:

    #ZONE    INTERFACE    BROADCAST    OPTIONS
    net      ppp0         -            routefilter
    loc      eth1         detect       routestopped
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO N
14. sign to activate the corresponding module. Backup the modules.lrp package.

4.4 Step 3: configure ppp

Connection with your ISP will be handled by PPP. The PPP Howto document will give you very detailed information about this protocol and how to set up its numerous parameters. Please refer to the Serial Modem configuration section of this user's guide to learn how to configure your ppp package. The default options provided with the ppp.lrp should work, and if you are not familiar with ppp, leave them at first. After you get a connection you can fine-tune your setup.

4.5 Step 4: Configure pppoe

Through the LEAF Package configuration menu, choose pppoe. The following menu will appear:

    pppoe configuration files
    1) DSL pppd options
    2) pap secret
    q) quit
    Selection:

Entry 1 allows you to adjust the parameters of your ppp connection through the /etc/ppp/peers/dsl-provider file. The most important argument is the name parameter, which defines your login name. Replace the field following the name statement in the /etc/ppp/peers/dsl-provider (login@isp.com) by the login name provided by your ISP.

    # Configuration file for PPP, using PPP over Ethernet
    # to connect to a DSL provider.
    plugin /usr/lib/pppd/pppoe.so
    # MUST CHANGE: Uncomment the following line, replacing the user@provider.net
    # by the DSL user name given to you by your DSL provider.
    # There should be a mat
15. the speed in serial port setup to 19200. Then change the modem init string in modem and dialing to M. Save the settings as something other than dfl (I use leaf), quit and relaunch (not as root) using minicom leaf.

14 Time in Bering

14.1 Objectives

These instructions are for those who want to setup properly the system time of their Bering box, either using the old rdate function available on the Bering floppy or using the more precise, up-to-date ntpdate client available as a separate package. You will also learn how to transform your Bering box into a time server in order to synchronize time of your internal network.

Many thanks to Jeff Newmiller, from whom we stole a significant part of a mail contribution to the leaf-user list, and for the time he spent improving and proofreading the initial version of this chapter.

Comments on this section should be addressed to the maintainers: Jacques Nilo <jnilo@users.sourceforge.net> or Eric Wolzak <leaf@wolzak.de>.

14.2 Define your timezone

a) Obtain the appropriate zoneinfo file for your timezone. This binary file will contain generalized rules for converting between GMT and your local time. One loc
16. to accomplish what we are trying to get, and that Session key Perfect Forward Secrecy is checked.

Check the Authentication Method to make sure that the shared key is exactly the same as the ipsec.conf file and that there is not a carriage return at the end.

Check the tunnel setting and make sure that the tunnel endpoint is the router ip address for the outbound traffic Filter List and the ip address of the Windows 2000 Client for the inbound traffic list.

The Connection Type should be LAN only. We don't want to inadvertently try to encrypt our dialup sessions, do we?

If any of these things was wrong, you will have to restart the IPSEC Policy Agent service by clicking Start, Control Panel, Services, right-clicking on the service and clicking Restart.

13 Monitoring Bering through a terminal console

13.1 Objectives

We assume here that you want to monitor Bering through, say, a minicom terminal attached to the first serial port of your router (com1, ttyS0). That is a frequent situation with LEAF routers, which very often do not have a screen attached to them.

Comments on this section should be addressed to its maintainer: Jacques Nilo <jnilo@users.sourceforge.net>
17. use a program like AboutTime for Windows to set the Windows machine time correctly, and while AboutTime is running and its server options are enabled, you can use rdate against that machine.

For the rdate command to work you will have to open the time service (tcp 37) from your firewall to the internet. Edit the Shorewall rules file and add:

    ACCEPT fw net tcp time

14.4 Edit the contents of /etc/timezone (optional)

This will describe your timezone. I am not aware of any packages used with Bering that depend on this file, but it might as well be consistent.

14.5 Activate daily clock updating (optional)

Here you have to choose one of the three following options (mutually exclusive):

- You can activate daily clock updating via rdate (tcp port 37) to a nearby time protocol server. This service is handled internally by the inetd daemon on a *nix workstation. To activate rdate updating, edit /etc/lrp.conf to specify the ip number of the desired time server for lrp_DATE_SERVER and uncomment this variable. See the "configure your system" chapter of the Bering installation guide. The main advantage of this option is that you do not need an extra package to synchronise time on your Bering box. The main drawbacks are: a) rdate is not accepted by every public time server and b) rdate is less precise than NTP (see below).
- Download the ntpdate.lrp package from the Bering package download area and add it to your syslinux.cfg file. It will pr
18. you can find the answer here. The remote MSN (REMMSN) is the number you have to dial from the connection the router is attached to, including extra digits, exactly as you would dial it. You might want to change the time set to keep the line up if there is no activity. As a default it is set to 60 sec, which is relatively short. You change this with the parameter TIMEOUT.

Now use the password and userid from the isdn configuration menu: set your login name eric foobar. I can login with this name on any computer. I have to identify me with the password this_is_a_secret.

    # This is a pap-secrets file
    # papname papsecret
    eric@foobar.com this_is_a_secret

If you have ppp installed, the pap-secrets file is shared and this could give problems with the backup. You don't need ppp for isdn.lrp. Backup the isdn package.

7.6 Step 5: configure your interfaces file

Through the LEAF configuration menu, type 1 to access the network configuration menu and 1 again to edit your /etc/network/interfaces file. Enter the following information:

    auto lo eth0
    iface lo inet loopback
    iface eth0 inet static
        address 192.168.1.254
        masklen 24
        broadcast 192.168.1.255

Attention: the internal interface is now eth0 (assuming you have only one interface); your external interface is now ippp0, but this interface is not setup in the interfaces file.

7.7 Step 6: configure Shorewall

Through the LEAF packages configuration menu, choose shor
19. 2 Step 1: prepare the boot floppy
    10.3 Step 2: apply bug fixes
    10.4 Step 3: configure Bering for DoC booting
    10.5 Step 4: prepare the DoC
    10.6 Step 5: reboot
    10.7 Thanks to
    11 Wireless and orinoco drivers
    11.1 Objectives
    11.2 Step 1: declare the appropriate packages
    11.3 Step 2: declare the appropriate modules
    11.4 Step 3: configure ppp
    11.5 Step 4: configure pcmcia and wireless
    11.6 Step 5: configure your interfaces file
    11.7 Step 6: configure Shorewall
    11.8 Tips and tricks
    12 IPSec configuration
    12.1 Objectives
    12.2 Step 1: load ipsec or ipsec509 package
    12.3 Step 2: generate certificates with openssl
    12.4 Step 3: boot Bering and move certificates into place
    12.5 Step 4: configure ipsec.conf
    12.6 Step 5: configure ipsec.secrets
    12.7 Step 6: configure Shorewall
    12.8 Step 7: configure Windows 2000 client
    13 Monitoring Bering through a terminal console
    13.1 Objectives
    13.2 Step 1: Modify /etc/inittab and /etc/securetty files
    13.3 Step 2: Modify your syslinux.cfg file
    13.4 Step 3: reboot
    14 Time in Bering
    14.1 Objectives
    14.2 Define your timezone
    14.3 Set the system date/time
    14.4 Edit the contents of /etc/timezone (optional)
    14.5 Activate daily clock updating (optional)
    14.6 Internal network NTP clients
    14.7 Miscellaneous
    15 The Bering mail and cron facilities
    15.1 Objectives
    15.2 The mail command
    15.3 Cronjobs
20. 5) pap secret
    6) pppd daemon script
    q) quit
    Selection:

Entry 1 allows you to adjust the parameters of your ppp connection through the /etc/ppp/peers/provider file. The most important argument is the ttySx parameter, which defines the serial port to which your modem is connected. Look at your /var/log/syslog file after booting Bering. It will give you the list of the serial ports recognized by your linux kernel. A working /etc/ppp/peers/provider file for a Compuserve connection could look like:

    # ISP pppd options file
    # What follows is OK for Compuserve
    noauth
    debug          # log transaction to /var/log/messages
    /dev/ttyS0     # (ttyS0=com1, ttyS1=com2, ...)
    115200         # baud rate
    modem
    crtscts        # use hardware flow control
    asyncmap 0
    defaultroute   # ppp becomes default route to the internet
    noipdefault
    lock           # don't let other processes besides PPP use the device
    connect "/usr/sbin/chat -v -f /etc/chatscripts/provider"

If you plan to dial into a Windows RAS server or a server that uses PAP or CHAP authentication, you need to add a line to this file. Just above the connect command, on a line of its own, add:

    name <ISPUserID>

where <ISPUserID> is the login name your ISP gave you. You need this because ppp has to masquerade the firewall as you when using PAP or CHAP authentication.

Entry 2 allows you to adjust the communication script which will handl
21. An example: a PPPoE connection with a two PCMCIA cards setup
    5 PPPoA configuration
    5.1 Objectives
    5.2 Step 1: declare the pppatm package
    5.3 Step 2: declare the ppp and pppoatm modules
    5.4 Step 3: configure pppatm
    5.5 Step 4: configure your interfaces file
    5.6 Step 5: configure Shorewall
    5.7 Step 7: reboot
    6 PPTP/PPPoA configuration
    6.1 Objectives
    6.2 Step 1: declare the ppp and the pptp packages
    6.3 Step 2: declare the ppp modules
    6.4 Step 3: configure ppp
    6.5 Step 4: configure your interfaces file
    6.6 Step 5: configure Shorewall
    6.7 Step 7: reboot
    7 ISDN Configuration
    7.1 Objectives
    7.2 Step 1: Download and declare the isdn.lrp package
    7.3 Step 2: download the isdn.o and the appropriate hisax.o modules
    7.4 Step 3: declare the ISDN modules
    7.5 Step 4: configure ISDN
    7.6 Step 5: configure your interfaces file
    7.7 Step 6: configure Shorewall
    8 Creating a bootable Bering CD-ROM
    8.1 Objectives
    8.2 Step 1: preparing the distro
    8.3 Step 2: downloading the required packages
    8.4 Step 3: preparing the Bering CD-Rom content
    8.5 Step 4: making the CD
    8.6 Support
    8.7 Thanks to
    9 Booting Bering from different boot media
    9.1 Objectives
    9.2 The single floppy drive setup
    9.3 The two floppy drives setup
    9.4 Booting from an IDE device
    9.5 Booting from a CD-Rom with isolinux
    9.6 Partial backup of packages to/from floppy
    10 Installing and booting Bering from a M-Systems DiskOnChip
    10.1 Objectives
    10
22. F developers, my friend Joao Alves for his helpful linux support, and Mike Noyes for keeping up his excellent work on the LEAF site.

9 Booting Bering from different boot media

9.1 Objectives

These instructions are for those who want to boot Bering from something else than the traditional single floppy setup. We assume that you already have some knowledge of Bering.

Many thanks to Allen Hillery for his contribution to this section.

Comments on this section should be addressed to its maintainers: Jacques Nilo <jnilo@users.sourceforge.net> or Eric Wolzak <leaf@wolzak.de>.

9.2 The single floppy drive setup

The poor man setup. Do not worry, you can still do many things. Here are the tricks.

The main problem when you have got a single floppy drive is space. Especially if you are willing to use those big fat packages like sshd.lrp or ipsec.lrp. But you can still use them in such an environment. There are basically two approaches.

The first one is to remove useless components from the Bering floppy. Refer to the installation guide to learn how to do that.

But most of the time, for big applications, one floppy won't fit. You then have to setup your distro on two floppies while still using a single drive. The strategy is as foll
23. 1 Structure of the document

1.1 Overview

The LEAF Bering user's guide is organized around practical problems (and hopefully solutions) encountered by many Bering users.

Users' contributions are encouraged and welcomed. They can be sent to the authors either in plain ASCII form or, better, in Docbook XML format. XML sources are available to everyone and can be used as templates.

Basic prior knowledge of linux and of the LEAF Bering distro (or any other LEAF distributions like Dachstein or Oxygen) is assumed. In particular the reader is supposed to be able to perform the following tasks:

- Add or remove a package to/from a LEAF distribution through editing of the floppy syslinux.cfg file and move it to/out of the Bering floppy disk
- Add or remove a Bering linux kernel module by moving it to/out of the /lib/modules or /boot/lib/modules directory
- Adjust the parameters of a given package through the LEAF configuration menu and backup a package

The following reference is a prerequisite reading:

- The Bering Installation guide

1.2 Contributions and Feedback

Contributions to and comments on this document can be sent to the authors: Jacques Nilo <jnilo@users.sourceforge.net> or Eric Wolzak <leaf@wolzak.de>.

You can download the docbook xml sources from the different sections of th
24. Start, Run, mmc, Console, Add/Remove Snap-in, Add, Certificates, Add, Computer Account, Local Computer, Finish, Add, IP Security Policy Management, Add, Local Computer, Finish, Close, OK, Console, Save <wherever you want to put it>

You can just double-click on the icon this creates to open the custom console from now on.

In order to configure Windows 2000 there are several basic entities that you must understand. It is easy to get lost in all the clicky-clicky.

IP Security Rules: the highest level of granularity. IP Security Rules are composed of:

- an IP Filter List: which packets match the rule. An IP Filter List is composed of Filters: traditional ip address/subnet mask/protocol or port filtering like ipchains
- a Filter Action: what do we want to do with those packets? Encrypt? Sign? A Filter Action is composed of Security Methods: different negotiable combinations of signing and encrypting. FreeS/WAN works in ESP mode with 3DES encryption and MD5 signing. This is a custom setting in Windows.
- Authentication Methods: how do we authenticate the players? Windows can do Kerberos, x.509 certificates from a CA (that can be you) or preshared keys
- a Tunnel Setting: is this a tunnel, what is the endpoint IP Address?
- a Connection Type: does this IP Security Rule apply to all network connections or just lan or d
25. LEAF Bering user's guide
Bering users Community. Edited by J. Nilo & E. Wolzak
Revision History:
Revision 0.1, 15 March 2002: First draft for review
Revision 0.2, 14 April 2002: Second draft for review
Revision 0.3, 18 May 2002: Third draft for review
Revision 0.4, 16 June 2002: Fourth draft for review
Revision 0.5, 20 October 2002: Fifth draft for review
Table of Contents
1 Structure of the document: 1.1 Overview; 1.2 Contributions and Feedback; 1.3 Changelog
2 Serial Modem configuration: 2.1 Objectives; 2.2 Step 1: declare the ppp package; 2.3 Step 2: declare the ppp modules; 2.4 Step 3: configure ppp; 2.5 Step 4: configure your interfaces file; 2.6 Step 5: configure Shorewall; 2.7 Step 6: reboot
3 PCMCIA configuration: 3.1 Objectives; 3.2 Step 1: declare the ppp and the pcmcia packages; 3.3 Step 2: declare the ppp modules in modules.lrp; 3.4 Step 3: configure ppp; 3.5 Step 4: configure pcmcia; 3.6 Step 5: configure your interfaces file; 3.7 Step 6: configure Shorewall; 3.8 Step 7: reboot
4 PPPoE configuration: 4.1 Objectives; 4.2 Step 1: declare the ppp and pppoe packages; 4.3 Step 2: declare the ppp and pppoe modules; 4.4 Step 3: configure ppp; 4.5 Step 4: configure pppoe; 4.6 Step 5: configure your interfaces file; 4.7 Step 6: configure Shorewall; 4.8 Step 7: reboot; 4.9
26. OT REMOVE
Do not forget the "-" under the BROADCAST heading for the net ppp0 entry.
B) The masq file (entry 7). With a dial-up modem setup it should look like:
    #INTERFACE SUBNET
    ppp0 eth0
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
C) You may also need to edit the config file (entry 12) to adjust the CLAMPMSS variable to yes:
    # Set this variable to "Yes" or "yes" if you want the TCP "Clamp MSS to PMTU" option. This option is most commonly required when your internet interface is some variant of PPP (PPTP or PPPoE). Your kernel must
    # If left blank, or set to "No" or "no", the option is not enabled.
    CLAMPMSS=yes
Backup the shorwall.lrp package.
6.7 Step 7: reboot
Your modem connection should be established automatically. Type plog to check the login sequence with your ISP. If there is no output, check /var/log/syslog to get a clue on potential problems.
7 ISDN Configuration
7.1 Objectives
We assume here that you want to make a connection to the internet using synchronous ppp and that you use an internal passive ISDN card. The isdn4linux driver is documented for Euro ISDN. The setup is tested with different providers T
27. a message to yourfriend@hisdomain.com. You can also type your mail directly from the console:
    mail -s I want to send you to yourfriend@hisdomain.com
Once you hit return, the console will wait for a message to be typed in. Once you have finished with your message input, type CTRL-D.
To mail the log and alerts files to the Bering box admin, set lrp_MAIL_ADMIN to the email address you want your logfiles sent to. This parameter is found in the Master LRP settings entry of the System configuration menu. To be able to send mail from the firewall you will need to open port TCP 25 of the firewall. In the shorewall rules file you will need to include the following statement:
    ACCEPT fw net tcp 25
15.3 Cronjobs
The cronjobs are executed according to the entries defined in the directories /etc/cron.d (every minute), /etc/cron.daily (every day), /etc/cron.weekly and /etc/cron.monthly. The most important part to add things to is probably /etc/cron.d. The syntax is the standard syntax as is read in man cron and crontab. Periodic schedule for multicron Ping check Space check etc Default Every 15 minutes A5 a a a a OOE etc multicron p WO Se BY roor bin date gt gt tmp tijd 2 root bin beep f 1200
In this example multicron-p is executed every fifteen minutes, date every minute, etc. After changing, the cronjob is updated automatically. You can verify this with tail -f /var/log/syslog: Aug 18 09:15:01
28. ate
    openssl req -newkey rsa:2048 -keyout serverKey.pem -out serverReq.pem
    openssl ca -policy policy_anything -in serverReq.pem -days 1825 -out serverCert.pem -notext
    openssl x509 -in serverCert.pem -outform DER -out x509cert.der
    fswcert -k serverKey.pem > ipsec.secrets
    # Make your client certificates
    openssl req -newkey rsa:2048 -keyout clientKey.pem -out clientReq.pem
    openssl ca -policy policy_anything -in clientReq.pem -days 1825 -out clientCert.pem -notext
    openssl pkcs12 -export -inkey clientKey.pem -in clientCert.pem -certfile demoCA/cacert.pem lt
Put all of this onto your Bering floppy or compact flash card, unmount it, and boot it.
12.4 Step 3: boot Bering and move certificates into place
Put cacert.pem onto your Bering box in the /etc/ipsec.d/cacerts directory (you will have to create this with mkdir). Put crl.pem into the /etc/ipsec.d/crls directory (make this one, too). Put x509cert.der into /etc. Get the info in ipsec.secrets into your /etc/ipsec.secrets file like so:
    cat ipsec.secrets >> /etc/ipsec.secrets
12.5 Step 4: configure ipsec.conf
An ipsec.conf file, you'll find, is a very personal thing. A very vanilla setup using preshared keys would look like the following:
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
    conn %default
        keyingtries=0
        authby=secret
        left=<router ip addr
29. ation where these files are kept is here, but their format has not changed in a long time and is not expected to change anytime soon, so you can pull one from the Linux distribution of your choice.
b) Copy this file to the Bering ramdisk as /etc/localtime. On most conventional Linux distributions /etc/localtime would be a symbolic link to the appropriate file in /usr/share/zoneinfo, but that directory is not contained in etc.lrp, and having symbolic links across packages is not recommended.
c) Use the date command to confirm that the zoneinfo file is behaving as desired.
14.3 Set the system date/time
There are three common methods to do that:
• Method 1: Reboot the machine and set the time in the BIOS. Note that for a pure Linux machine like a router it only makes sense to set the BIOS clock to UTC (GMT0).
• Method 2: Set the Linux time with the date MMDDhhmm[[CC]YY][.ss] command and back it up to the CMOS clock with hwclock. For example, if it is 9:05:15 pm on Jan 31, 2002 then you would use:
    date 013121052002.15
    hwclock --systohc
hwclock will set the CMOS clock to UTC.
• Method 3: Set the Linux time with rdate timeserver and back it up to the CMOS clock with hwclock. For example, if you have a Linux box at 192.168.1.3 (see step f), you can use:
    rdate -s 192.168.1.3
    hwclock --systohc
Note that if you don't have a Linux workstation available you can
30. atory. The * can be replaced with the IP address or name of the server you are dialling into, if you know it. Usually an asterisk is sufficient. If you want to authenticate using CHAP, add the same entry to the CHAP item instead. Backup the ppp.lrp package.
2.5 Step 4: configure your interfaces file
Through the LEAF configuration menu type 1 to access the network configuration menu and 1 again to edit your /etc/network/interfaces file. Enter the following information:
    auto lo ppp0 eth0
    iface lo inet loopback
    iface ppp0 inet ppp
        provider provider
    iface eth0 inet static
        address 192.168.1.25
        masklen 24
        broadcast 192.168.1.255
The auto statement declares all the interfaces that will be automatically set up at boot time. This job will be carried out by the ifup -a statement in the /etc/init.d/networking script. The syntax of iface statements is explained in the Bering installation guide. Backup the etc.lrp package.
2.6 Step 5: configure Shorewall
Through the LEAF packages configuration menu choose shorwall and check the two following files:
A) The interfaces file (entry 3) defines your interfaces. Here connection to the net goes through ppp0 and the connection to the internal network through eth0. So we must set:
    #ZONE INTERFACE BROADCAST OPTIONS
    net ppp0 -
    loc eth0 detect routestopped
    #LAST LINE -- ADD YOUR
31. ava Zo OTSA Seane eO Syke i coor TOE LISSO avi 25 07a 5A salwevzios CSO
Once your package is ready, enter the LEAF Package configuration menu and choose pcmcia. The following menu will appear:
    pcmcia configuration files
    1) pcmcia default parameters
    2) pcmcia configuration
    3) wireless configuration
    q) quit
    Selection:
Entry 1 allows you to edit the /etc/default/pcmcia file, which defines the pcmcia parameters that will be used by the cardmgr program and the /etc/init.d/pcmcia script. In our practical example (a Xircom RealPort Ethernet 10/100 Modem 56k, ref. REM56G-100BTX) this file will contain: PCMCIA yes INC IE Salt Si 6 5 PCIC_OPTS CORE_OPTS CARDMGR_OPTS
Entry 2 allows you to edit the /etc/pcmcia/config.opts file. Please refer to the PCMCIA How-to for the explanation of the different options. The default /etc/pcmcia/config.opts file provided in the pcmcia.lrp package is the default file provided in the pcmcia-cs package. It looks like: include port 0xa00-0xaff Resources we should not use even if they appear to be available paesa owu hemna Seiciell joie exclude irq 4 Second built in serial port exclude irq 12 lpakiasic lowaike iin joeiueciLileil jexoncic exclude irq 7
Entry 3 is only used if you are using a wireless PCMCIA card. If not this file can only contain hyper TE Refer to the wireless section of this
32. ching entry in /etc/ppp/pap-secrets with the password. user ericl2345@foobar.com
Entry 2 allows you to edit /etc/ppp/pap-secrets. Enter in this file the login and password provided by your ISP. Your login name must EXACTLY match the one given in the previous /etc/ppp/peers/dsl-provider file. If you have special characters in secret or username you should put them in quotes.
    # This is a pap-secrets file
    # papname * papsecret
    ericl2345@foobar.com * secretfoo
Backup both pppoe and ppp packages.
4.6 Step 5: configure your interfaces file
Through the LEAF configuration menu type 1 to access the network configuration menu and 1 again to edit your /etc/network/interfaces file. Enter the following information:
    auto lo ppp0 eth1
    iface lo inet loopback
    iface ppp0 inet ppp
        pre-up ip link set eth0 up
        provider dsl-provider eth0
    iface eth1 inet static
        address 192.168.1.254
        masklen 24
        broadcast 192.168.1.255
In this /etc/network/interfaces file the lo, ppp0 and eth1 interfaces are brought up automatically when the ifup -a statement is executed at boot time by the /etc/init.d/networking script. The iface ppp0 inet ppp section says:
• Execute the ip link set eth0 up command BEFORE ppp0 is activated (pre-up statement)
• Execute the /sbin/pon dsl-provider eth0 script to establish the PPPoE connection. The dsl-provider file used as input by /sbin/pon is provided in the pppoe.lrp package
The iface eth1 inet static
33. d by the packages you are using: network modules and, if necessary, ppp modules. The network and ppp modules are declared through the modules package configuration menu. Refer to the Bering installation guide. The pcmcia modules are stored in the /lib/modules/pcmcia directory of the pcmcia package and loaded by the cardmgr program. Refer to the pcmcia section of the Bering user's guide. Do not declare the pcmcia modules in the /etc/modules file. They will be automatically loaded from the /lib/modules/pcmcia directory by the /etc/init.d/pcmcia script. Then backup the modules.lrp package and, if necessary, the pcmcia.lrp package.
11.4 Step 3: configure ppp
If your connection with your ISP needs PPP, please refer to the Serial Modem section of this user's guide to learn how to configure your ppp package.
11.5 Step 4: configure pcmcia and wireless
The following modules are provided with the pcmcia_orinoco.lrp package: ls -la /lib/modules/pcmcia drwxr xr x 2 Toor OOK a096 awi 25 OGS22 a drwxrwxrwt 2T TOOR root 1096 ewi 25 Ors52 off y L goar root LIZAR eae 25 UQZ css k L zoot root 6060 avr 25 08 21 hermes o Pye r ie IODE root 35728 exe 25 OSe2l 1023650 i ae L zoot root SLOG eye 25 OSszil Grinoco_es o H nn L zoor root APILS2 ewi 25 MASZ Orinoco E ZOW e L zoot TOOR DIZIVZ ee 25 OSs2il pancia Core 0
Check that the PCMCIA modules provided in the pcmcia_orinoco.lrp package fit your needs. If n
34. e in aCe ays salee list memes Vouirlooumcl e reure EH eiclel eiee ik MES Sees why alo Eickheass ests any ajo eiclelaesa Eny OOO azs
note: My setup is made to tunnel ALL ip traffic through my router. If you are just tunneling traffic to one subnet, you should specify that here with the network address and subnet mask.
j) add another filter list, name: inbound traffic, add filter
k) next, src: any ip address, dest: my ip address, any proto, finish, close (note: see note above)
l) select the outbound traffic filter list, next
m) add filter action to encrypt and authenticate with freeswan (3DES and MD5)
n) next, name: freeswan compatible, negotiate, do not communicate non-ipsec, custom, ESP: MD5, 3DES, edit properties, finish, uncheck allow unsecured but always respond, check perfect forward security, OK
p) select the freeswan compatible filter action
q) uncheck edit properties, finish
The next one is easier, because you have already defined the filter lists and filter action during the previous wizards, so you can just select them to apply them to the inbound traffic IP Security Rule. EVIL Ge iclawowwicia ails Cilulelily oie Just be nexe O2 Oker li Lys SkUJJEC a step
r) add another IP security rule
s) next, tunnel endpoint: <client IP Address>, lan connection, preshared key: <your preshared key>, inbound traffic, freeswan compatible, finish
t) general tab, advanced, check master key perfec
35. e inserted lines 244 done ALS IFS SOIFS 246 else 247 bootfs cat var lib 1lrpkg boot fstype 248 rdevlist dev boot SMNT Sbootfs rdevlist 249 devlist devlist dev boot SMNT Sbootfs E50 365
10.4 Step 3: configure Bering for DoC booting
a) Mount the floppy disk, move the DoC modules to the /boot/lib/modules directory and stage the fdisk package:
    mount -t msdos /dev/fd0u1680 /mnt
    cd /mnt
    mv mtdcore.o docecc.o doc2000.o docprobe.o nftl.o /boot/lib/modules
    mv fdisk.lrp /tmp
    cd /
    umount /mnt
b) Edit /boot/etc/modules and add the following lines. The order of the lines is very important:
    mtdcore
    docecc
    doc2000
    docprobe
    nftl
It is a good idea to make sure there is a blank line at the end of the /boot/etc/modules file.
c) Backup the initrd package. If you do not backup initrd, your changes will not be transferred to the DoC in step 4.
10.5 Step 4: prepare the DoC
a) Load the MTD modules:
    cd /boot/lib/modules
    insmod mtdcore.o
    insmod docecc.o
    insmod doc2000.o
    insmod docprobe.o
    insmod nftl.o
b) After insmoding the docprobe.o module you should see output that looks similar to: Possible DiskOnChip wi Possible DiskOnChip wi Possible DiskOnChip wi oe DiskOnChip 2000 found a Ignoring DiskOnChip 200 Ignoring DiskOnChip 200 0 h unknown ChipID FF found at 0xc8000 h unknown Chi
36. e parameter You should not need to adjust 2 Edit either the CHAP (Entry 3) or PAP (Entry 4) option to set up how your system authenticates. If you edit chap, replace ISPUserID and ISPUserPassword with the relevant information:
    # Secrets for authentication using CHAP
    # client server secret IP addresses
    ISPUserID * ISPUserPassword
ISPUserID must exactly match the entry that you made for the name parameter in Entry 1 (ISP pppd options file). The * can be replaced with the IP address or name of the server you are dialling into, if you know it. Usually an asterisk is sufficient. If you want to authenticate using PAP, add the same entry to the PAP item instead. Backup the pppatm.lrp package.
5.5 Step 4: configure your interfaces file
Through the LEAF configuration menu type 1 to access the network configuration menu and 1 again to edit your /etc/network/interfaces file. Enter the following information:
    auto lo ppp0 eth0
    iface lo inet loopback
    iface ppp0 inet ppp
        provider dsl-provider
    iface eth0 inet static
        address 192.168.1.254
        masklen 24
        broadcast 192.168.1.255
In this /etc/network/interfaces file the lo, ppp0 and eth0 interfaces are brought up automatically when the ifup -a statement is executed at boot time by the /etc/init.d/networking script. The iface ppp0 inet ppp section defines the external address of the router and activates the pon script. The
37. e proper zoneinfo file. See section 2 of this chapter.
• Either reboot or restart logging (svi sysklogd restart) to cause times recorded by the system logger to use the new timezone information.
15 The Bering mail and cron facilities
15.1 Objectives
This section should be a help to use two special features of your LEAF Bering box, namely the mail and cron facilities. This document is maintained by Eric Wolzak <Leaf@wolzak.de>.
15.2 The mail command
In the Bering root.lrp there is a mail command which is one of the POSIXness script files. With this command you can send emails typed directly from the console or written as files. You can also send file attachments. This command can only be used to send mail and differs substantially from the real Linux mail command. In particular you cannot edit/read/delete mail from the firewall. As an alternative to this simple mail program you can use a real mailer program like qmail. The syntax of the Bering mail command is: mail Usage Magi GHELOMS Ol ooo Qsxcsonss l 9 suloject e cel ocali HS beel youl a attachment d domain h smptserver
• -a attach text file(s)
• -d specify from FQDN, overriding local domain
• -h specify SMTP server, overrid
38. e the connection with your ISP. This script is stored in /etc/chatscripts/provider. If you are not using Compuserve you should also delete all of the lines below the comment line. A few (very few) ISPs require the final PPP line these days. A working script for a Compuserve connection could look like: ISP login script What follows is OK for Compuserve Adjust to your taste ABORT BUSY ABORT NO CARRIER ABORT VOICE ABORT NO DIALTONE ABORT NO ANSWER PASTS Z ISP telephone number 124567890 OK ATDT1234567890 CONNEC tat Name CIS With compuserve your_login_account 12345 6789 ID your_login_account go pppconnect Password your_password PPP
Edit Entry 3 (/etc/ppp/options, System wide pppd options) if you want the system to demand dial and to drop the line if idle for a preset time. To do this, change persist to demand and add another line below demand that says idle 600, where 600 is the number of seconds the system should wait before dropping (hanging up) if there is no network traffic.
Edit either the PAP (Entry 4) or CHAP (Entry 5) option to set up how your system authenticates. For PAP authentication, choose the PAP option and add a line saying <ISPUserID> * <ISPUserPassword> to the bottom of the file. <ISPUserID> is the same entry that you made in Entry 1, the ISP pppd options file. The <ISPUserPassword> entry is self explan
39. ection slhc ppp_generic PPPoA support pppoatm Bewan ATM PCI st drivers unicorn_atm unicorn_pci ActivationMode 1 Masquerading helper modules ip_conntrack_ftp SIN OME olla seta kamera ip_nat_ftp PENATEN
Backup the modules.lrp package.
5.4 Step 3: configure pppatm
Connection with your ISP will be handled by PPP. The PPP Howto document will give you very detailed information about this protocol and how to set up its numerous parameters. Through the LEAF packages configuration menu get access to the pppatm configuration. The following menu will show up:
    pppatm configuration files
    1) ISP pppd options
    2) System wide pppd options
    3) chap secret
    4) pap secret
    5) pppd daemon script
    q) quit
    Selection:
Enter 1 and adjust the corresponding /etc/ppp/peers/dsl-provider file: Adjust here VP VC depends on country & ISP Ux EIe O38 US BEITR 8 35 plugin /usr/lib/pppd/pppoatm.so 0.38 If chap or pap identification, uncomment the "name ISPUserID" line and replace ISPUserID with your ISP user name. There should be a matching entry in /etc/ppp/pap-secrets or chap-secrets. name ISPUserID lock noipdefault noauth defaultroute hide-password lcp-echo-interval 20 lcp-echo-failure 3 maxfail 0 persist
The most important parameters in this file are the VP/VC combination, which depends on your country and/or your ISP, and the nam
40. ers mtd devices subdirectory.
b) Download a fdisk package or equivalent that contains the mkfs.msdos, fdisk and syslinux commands.
c) Copy the modules and the fdisk package to your Bering floppy disk. If there is not enough room, you can delete Bering packages that you do not need or use a second MS-DOS formatted floppy disk.
10.3 Step 2: apply bug fixes
Bering rc3 contains two bugs in initrd.lrp that need to be fixed before booting from a DoC will work properly. A typographical error in /var/lib/lrpkg/root.dev.mk causes the /dev/nftl devices to have an incorrect major number. A modification of /var/lib/lrpkg/root.linuxrc will prevent /dev/nftla1 from being mounted twice and causing the DoC boot to hang.
a) Boot the floppy you prepared in the previous step.
b) Fix the nftla device major numbers by changing line 31 in /var/lib/lrpkg/root.dev.mk from
    # Disk On Chip
    makedevs nftla b 3 0 0 4 s >null 2>&1
to
    # Disk On Chip
    makedevs nftla b 93 0 0 4 s >null 2>&1
to change the major number from 3 to 93.
c) Fix the already created nftla devices by running
    rm /dev/nftla
    makedevs /dev/nftla b 93 0 0 4 s
from the command prompt.
d) Fix the double mounting problem by adjusting /var/lib/lrpkg/root.linuxrc. Add an else block at line 246 (assuming you are using Bering rc3). Lines 246 through 249 in the snippet below are th
41. ess>
        leftsubnet=<internal subnet>
        leftfirewall=yes
        pfs=yes
        auto=add
    conn w2k-road-warriors
        right=%any
There is really no substitute for reading the man page, however. With certificates the same setup would look like this:
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes
    conn %default
        keyingtries=0
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert
        left=<router ip address>
        leftsubnet=<internal subnet>
        leftid="C=US, ST=CA, O=ipsecgw, CN=me, Email=you@yourdomain"
        pfs=yes
        auto=add
    conn w2k-road-warriors
        right=%any
A couple of things to watch out for:
1. Do not put apostrophes or single quotes in any of your distinguished name fields. It causes blindness and other very bad things to happen.
2. Make sure that the date on your router is between the notBefore and notAfter dates on all your certificates.
12.6 Step 5: configure ipsec.secrets
If you wish to use preshared keys, your ipsec.secrets should look like the following:
    %any <router ip address>: PSK "<your preshared key>"
if you are dealing with roadwarriors with dynamic ip addresses. If you know the ip address of the endpoint and you do not wish to share the same key amongst multiple roadwarriors, you have the option of specifying the ip address instead of %any. If you don't want t
42. firewall /USR/SBIN/CRON[28891]: (root) CMD (/etc/multicron-p)
    Aug 18 09:16:01 firewall /USR/SBIN/CRON[9097]: (root) CMD (/bin/beep)
    Aug 18 09:16:01 firewall /USR/SBIN/CRON[29944]: (root) CMD (/bin/date >> /tmp/tijd)
    Aug 18 09:16:01 firewall /usr/sbin/cron[1774]: (*system*multicron) RELOAD (/etc/cron.d/multicror
It is important that you have one empty line after the last entry in the cron file. You can edit the multicron file as above or, probably a better idea, insert a new file with the syntax as before for each additional purpose. An example for this could be: ls /etc/cron.d Zi Aue te Os iS mile saexeroim 93 Aug 18 09 13 closewindows 80 Aug 17 08 12 md5sumfiles FEWE D L TOOT root ea Gore eaten Ghat L FOOR root SEW re T OOE root
43. following files:
A) The interfaces file (entry 3) defines your interfaces. Here connection to the net goes through ppp0. So we must set:
    #ZONE INTERFACE BROADCAST OPTIONS
    net ppp0 -
    loc eth0 detect routestopped
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Do not forget the "-" under the BROADCAST heading for the net ppp0 entry.
B) The masq file (entry 7). In this context it should look like:
    #INTERFACE SUBNET
    ppp0 eth0
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Backup the shorwall.lrp package.
3.8 Step 7: reboot
Your modem connection should be established automatically. Type plog to check the login sequence with your ISP. If there is no output, check /var/log/syslog to get a clue on potential problems. If you want to be sure that your modem and/or script parameters are OK before backing up ppp.lrp and/or pcmcia.lrp, you can launch the pcmcia connection manually just by typing /etc/init.d/pcmcia start. Use /etc/init.d/pcmcia stop to stop the pcmcia connection, remove the modules and bring down eth0 and ppp0.
4 PPPoE configuration
4.1 Objectives
We a
44. gh a serial modem connection and that you want to share that connection with other internal computers in your home or office. What follows describes the configuration of this dial-up modem router. Your external interface to the internet will be ppp0; your internal interface to your internal network is supposed to be done through an ethernet network card (eth0). What follows has been tested with Bering v1.0-rc1 on a Pentium 133 machine and a US Robotics external modem connected to com1 (ttyS0). The PPP Howto is a useful reference for this section. Comments on this section should be addressed to its maintainer, Jacques Nilo <jnilo@users.sourceforge.net>. Thanks to Lee, who provided useful additions to this section.
2.2 Step 1: declare the ppp package
Boot a Bering floppy image. Once the LEAF menu appears, get access to the Linux shell by (q)uitting the menu. Edit the syslinux.cfg file and replace the pump entry by ppp in the LRP list of packages to be loaded at boot. Check the Bering installation guide to learn how to do that. Your syslinux.cfg file could look like (adjust to your tastes):
    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680
    LRP=root,etc,local,modules,ppp,keyboard,shorwall,dnscache,weblet
The last two lines ("default linux ... dnscache,weblet") must be typed as a single one in syslinux.cfg.
2.3 Step 2: declare the ppp
45. hrough ipsec, and also add a tunnel definition to allow the udp port 500 traffic for Internet Key Exchange (IKE) and protocols 50 and 51 (ESP and AH) that are used for the IPSec payloads. You must not turn on route filtering for any interfaces involved in ipsec. The Bering recommended way to turn this off is to use the /etc/network/options file and change the spoofprotect parameter to no. Add the gw zone to the /etc/shorewall/zones file:
    gw ipsec0
Then use an entry like this in the /etc/shorewall/tunnels file:
    ipsec net 0.0.0.0/0 gw
Use the ip address of the ipsec endpoint if you have it, because that will be more secure.
12.8 Step 7: configure Windows 2000 client
Configuring Windows to do this same thing is much harder. I would say that until you have done it properly once, it borders on black magic. Even if you have done it properly once, if the configuration is even slightly different and you didn't take the time to really understand it the first time, you are in for another rough ride. The way your mouse finger feels after clicking your way through the dialogs for this configuration is just another symbol of how most complicated things are easier and more user friendly in Linux. It helps to have a custom management console when you're dealing with ipsec. You can put this on the desktop or someplace else convenient and save your mouse finger from exhaustion clicking through menus to find things. Use the following steps 12
46. ialup connections?
Also, for Windows 2000 you must have the Service Pack 2. It will not do the required 3DES encryption without it. You can get it from http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/sp2lang.asp
Pretty hairy. For what I wanted to do (tunnel mode ESP with MD5 signing and preshared key authentication) I had to set up two rules: one for inbound traffic, specifying the Windows client IP address as the endpoint of the tunnel, and one for outbound traffic, specifying the router as the endpoint of the tunnel. I did not want to have to know the IP address of the client, since I want to use DHCP to deliver these addresses, but I haven't worked a way around it yet. Maybe if some Windows people are reading this, they can drop a line.
Configure the Windows 2000 client:
a) run the custom mmc console you just made
b) click on ipsec security policies in left pane
EGEO create IP security policy
d) next, choose name: Win2k to FreeS/WAN, uncheck default response rule, check edit properties, finish
e) add IP security rule to grab outbound traffic and tunnel it to FreeS/WAN using 3DES and MD5
f) next, enter tunnel endpoint: <router IP Address>, lan connection, preshared key: <your preshared key>
Gj ack looiela ais salver Lises icone DNOC Elec GVT IOT Cee e iclneis you can just click on inbound traffic when you're defining that security rul
47. iface eth0 inet static defines the internal address of the router. Backup the etc.lrp package.
5.6 Step 5: configure Shorewall
Through the LEAF packages configuration menu choose shorwall and check the three following files:
A) The interfaces file (entry 3) defines your interfaces. Here connection to the net goes through ppp0. So we must set:
    #ZONE INTERFACE BROADCAST OPTIONS
    net ppp0 -
    loc eth0 detect routestopped
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
Do not forget the "-" under the BROADCAST heading for the net ppp0 entry.
B) The masq file (entry 7). It should look like:
    #INTERFACE SUBNET
    ppp0 eth0
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Backup the shorwall.lrp package.
5.7 Step 7: reboot
Your PPPoA connection should be established automatically. Type plog to check the login sequence with your ISP. If there is no output, check /var/log/syslog to get a clue on potential problems.
6 PPTP/PPPoA configuration
6.1 Objectives
We assume here that you want to connect your LEAF router to the Internet via an Alcatel SpeedTouch home ADSL modem, which supports both PPPoE and PPPoA connections. The PPP
48. indows 2000 machines (roadwarrior clients or gateways for subnets) on the external interface, then treat those external clients or subnets as members of your internal network. Also, there is a sizeable portion of this document that covers the configuration of the Windows 2000 IP Security Policy Utility. Please do not let this part slow you down if you are not interested in interoperating with Windows 2000 clients. It is extremely long, and I only wrote it down because most of what I found on the internet about it was pure "click here, click there" stuff and didn't really explain what was going on or the ramifications of clicking there. I spent a lot of time trying to figure out the dark mysteries of their user interface, so hopefully no one else will have to wear out their mouse finger trying to do so. There are more complex configurations than this, which you should be able to understand better after reading. Comments on this section should be addressed to its maintainer, Chad Carr <ccarr@franzdoodle.com>.
12.2 Step 1: load ipsec or ipsec509 package
Copy the ipsec.lrp or ipsec509.lrp package to the floppy. Also, you must copy the mawk.lrp package, since it is needed by the ipsec scripts. You do not need the ifconfig.lrp package. You may need some space to store the packages and the ipsec module, and generally a single floppy won't be enough. Check the Bering user's guide section about Booting Bering from different boot media for tips
49. ing the MAIL_SERVER setting e v verbose Mail default settings are set in etc POSIXness conf Please refer to the Bering installation guide System configuration section for detailed instructions about default mail parameters Through the System Configuration menu choose the 2 POSIXness Configuration entry You will then be able to set the following options e MAIL_SERVER this is the SMTP server where mail is sending its mail to e g MAIL_SERVER smtp myprovider com e MAIL_DOMAIN this is the domain which will be shown in the from list e g MAIL_DOMAIN yourdomain org the FROM line will then be root yourdomain org e USER this is the user you will use as the part before the sign for yourdomain org If you don t set a name here then the mail will be sent with the user the mail command is evoked or defaulting to root If USER john doe then your mail will be from john doe yourdomain org Be careful about the MAIL_DOMAIN definition as lots of smtp servers will refuse mails with a name they cannot resolve to a valid IP Others refuse to relay mails that cannot be delivered locally 15 The Bering mail and cron facilities 63 LEAF Bering user s guide To mail a message to someone edit a file with the editor e g ae message type your text and save the message file Then to send your message cat message mail s I want to tell you to yourfriend hisdomain com or as an attachement mail s I want to send you
50. is etc network interfaces file auto lo iface lo inet loopback iface eth0 inet static address 10 0 0 1 masklen 24 lpOacleeystc OMOTOS up pon asi provider eth0 up shorewall restart down shorewall stop down pofft iface ethl inet static address 192 168 1 254 masklen 24 loeoacieesic 192 168 Ls 255 up etc init d dnscache restart down etc init d dnscache stop Only lo is brought up automatically at boot time ethO and eth are brought up by the PCMCIA cardmgr program which calls the etc pcemcia network script The connection with the Alcatel speedtouch modem is done through the ethO interface at address 10 0 0 1 Once the ethO interface is up the pppd daemon is called by the pon script Shorewall must then be restarted since ethO was not available at boot time Once the eth1 interface is up we restart dnscache which could not start at boot time since eth was not available Prev Home Next PCMCIA configuration PPPoA configuration 5 4 PPPoE configuration 19 LEAF Bering user s guide Prev LEAF Bering user s guide Next 5 PPPoA configuration 5 1 Objectives We assume here that you want to connect your LEAF router to the Internet via PPPoA The PPPoE connection is covered in another section of this user s guide So is the PPTP PPPoA connection What is described here corresponds to section 3 2 4 of the DSL How To document The traffic to your internal network goes through ethO while access to the Internet via PPPoA goe
51. is allowed to login. See securetty(5) and login(1). Include ttyp0, ttyp1, etc. to allow telnet access (NOT RECOMMENDED).

    EWS tyl ty2 ty3 ty4 gya ty6 Ey ty8 4 Si am SL RA LOES LEE a DS i R aL N a

Once this is done, backup etc.lrp.

13.3 Step 2: Modify your syslinux.cfg file

Edit the syslinux.cfg file on your floppy and add the two following statements:

• serial 0 19200 at the top of your file
• append console=ttyS0,19200

The syntax of the serial statement is as follows:

    SERIAL port [baudrate]

This enables a serial port to act as the console. port is a number (0 = ttyS0 = com1, etc.). If baudrate is omitted, the baud rate defaults to 9600 bps. The serial parameters are hardcoded to be 8 bits, no parity, 1 stop bit. The append statement adds one or more options to the kernel command line. Your syslinux.cfg file will look like:

    serial 0 19200
    display syslinux.dpy
    timeout 0
    append console=ttyS0,19200
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH

13.4 Step 3: reboot

Connect a cable to the serial port of your router and open a terminal on your monitoring machine. You should then be able to control your Bering router from that console. One application you can use to connect to your router's serial port is minicom, but you'll need to change the default settings, since you won't be talking to a modem. As root, launch minicom -s. Change
52. is user's guide here to be used as a template. A complete Docbook XML documentation can be found here.

1.3 Changelog

Current version 0.5, October 2002. Added following sections:
• Installing and booting Bering from a M-Systems DiskOnChip (B. Fritz)
• Time in Bering (J. Nilo & E. Wolzak)
• The Bering mail and cron facilities (E. Wolzak)

Version 0.4, June 2002. Various sections edited for typos and updates.

Version 0.3, May 2002. Added following section:
• PPPoA configuration (J. Nilo)

Version 0.2, April 2002. Added following sections:
• Creating a bootable Bering CD-Rom (L. Correia)
• Booting Bering from different boot medias (J. Nilo, E. Wolzak)
• Wireless and orinoco drivers (J. Nilo)
• IPSEC configuration (C. Carr)
• PPTP/PPPoA configuration (J. Nilo)
• Monitoring Bering through a terminal console (J. Nilo)
Serial Modem, PCMCIA, PPPoE and ISDN sections corrected and edited.

Version 0.1, March 2002. Added following sections:
• Serial Modem configuration (J. Nilo)
• PCMCIA configuration (J. Nilo)
• PPPoE configuration (E. Wolzak)
• ISDN configuration (E. Wolzak)

2. Serial Modem configuration

2.1 Objectives

We assume here that you can only get connected to internet throu
53. lation guide.

6.3 Step 2: declare the ppp modules

In order to have a PPTP/PPPoA connection working, you need to have ppp support enabled through the appropriate kernel modules. You also need to declare the driver module(s) of your network card(s). In the following example we assume that both ethernet interfaces are provided through a standard ne2000 PCI card. All the modules which are necessary for a PPTP/PPPoA connection are provided on the standard Bering floppy. You just need to declare them, since they are not loaded by default. As far as your network cards are concerned, the most popular driver modules are provided in /lib/modules, but you might need to download the one corresponding to your own hardware from the Bering modules download area. Refer to the Bering installation guide to learn how to do that.

To declare your modules, go to the LEAF Packages configuration menu and choose modules. Enter 1 to edit the /etc/modules file and enter the following information:

    # 8390 based ethernet cards
    8390
    ne2k-pci
    # Modules needed for PPTP/PPPoA connection
    slhc
    n_hdlc
    ppp_generic
    ppp_async
    # Masquerading helper modules
    ip_conntrack_ftp
    ip_conntrack_irc
    ip_nat_ftp
    ip_nat_irc

The /etc/modules file provided in the Bering distro is already set up with those entries commented out. Just remove the leading # sign to activate the corresponding module. Backup the mod
54. lity of your PCMCIA card, whereas your internal interface to your internal network will be connected to the ethernet network plug of your PCMCIA card (eth0). What follows has been tested with Bering v1.0-rc1 and the pmcia_xircom.lrp package on a NEC Versa SX using a Xircom RealPort Ethernet 10/100 + Modem 56k (ref. REM56G-100BTX). The PCMCIA Howto and the PPP Howto are useful references for this section. Comments on this section should be addressed to its maintainer, Jacques Nilo <jnilo@users.sourceforge.net>.

3.2 Step 1: declare the ppp and the pcmcia packages

Boot a Bering floppy image. Once the LEAF menu appears, get access to the linux shell by (q)uitting the menu. Edit the syslinux.cfg file and replace the pump entry by ppp,pcmcia in the LRP list of packages to be loaded at boot. Check the Bering installation guide to learn how to do that. Your syslinux.cfg file could look like (adjust to your taste):

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680
    LRP=root,etc,local,modules,ppp,pcmcia,keyboard,shorwall,dnscache

The last two lines (default linux ... dnscache,weblet) must be typed as a single one in syslinux.cfg. The ppp package is provided on the standard Bering floppy. The pcmcia.lrp package is available in the Bering download packages area. Check the Bering installation guide.

3.3 Step 2: declare the ppp module
55. lmann tina pp V3 16 irgio O hisax SPORTSTER USR Sportster internal TA 16 irq io hisax MIC ITH MIC Card 17 irq io card Netjet hisax NETJET U mee Fer hmologies 38 none Netspider U hisax NICCY Dr Neuhaus Niccy PNP irq 100 iol from isapnp setup hisax_NICCY Dr Neuhaus Niecy PCI hisax ISURF Siemens I_Talk IsAR chip irq io memory from isapnp setup hisax ISURF eee me COPED irq io memory from isapnp setup hisax_ ASUSCOM MEDENS D EAS cenip irq io from isapnp setup hisax GAZEL Gazel card pci none eS o o O cards hisax HEC SX HFC S 8 ES hisax HFC SX HFC SP a a ee hisax HFC SX HFC SP PCMCIA 39 irq io set with cardmgr Once you have downloaded the appropriate module rename it to hisax o and copy it to the 1ib modules directory 7 4 Step 3 declare the ISDN modules In order to have an ISDN connection working you need to have ISDN support enabled through the appropriate kernel modules You also need to declare the driver s module s of your internal network card s In the following example we assume that your internal network card is a NE2000 PCI To declare your modules go to the LEAF Packages configuration menu and choose modules Enter 1 to edit the etc modules file and enter the following information 7 ISDN Configuration 30 LEAF Bering user s guide 8390 based ethernet cards 8390 ne2k pci Modules needed for ISDN Look for type io and irq settings at help
56. n the LRP list of packages to be loaded at boot Check the Bering installation guide to learn how to do that Your syslinux cfg file will then look like adjust to your tastes display syslinux dpy timeout 0 default linux initrd initrd lrp init linuxrc root dev ram0 boot dev fd0u1680 msdos PKGPATH dev fd0u1680 LRP root etc local modules keyboard isdn shorwall dnscache weblet The last two lines default linux dnscache weblet must be typed as a single one in syslinux cfg 7 ISDN Configuration 28 LEAF Bering user s guide 7 3 Step 2 download the isdn o and the appropriate hisax o modules It s now time to download ISDN modules You need both the_isdn o module and the hisax o modules You can use the normal hisax o module with built in support for every cards But this module has a size of about 600K so you will have a problem getting everything on a single disk This is why I compiled partial hisax modules each supporting a small group of cards It will be a little be more work to select the correct one if you have an exotic card but the size of less than 250 K will be worth the trouble To see what Hisax module you need check the following table Table 1 Available ISDN modules Model Brand Teles 16 0 Teless0o 160 1 iqmemio Teles 16 0 Teles S 8 en compatibele 2 iqmem Teles 16 3 Teles so 163 3 trio Teles 16 3 Teles CreatixPNP__ 4 irq io SAC iol SCX Teles PCMCIA Tele
57. nitrd lrp init linuxre root dev ram0 boot dev cdrom iso9660 PKGPATH LRP root etc local modules ppp pppoe keyboard shorwall dnscache weblet libz routerst sshd t i 8 5 Step 4 making the CD Get access to MS DOS from within Windows Change your directory to C BCD Then execute the makeiso command file This file contains one single line with the following command 8 Creating a bootable Bering CD ROM 35 LEAF Bering user s guide MRL SOIES SC lysiciing 1S 9 SO ao joim e aSsOllaimnox Gait moO cuiml icoot oootr loac sivS 4 ooo You should now have a bering iso CD Rom image in C BCD You can now create your Bering CD from this ISO image with your favorite CD burner program Change your BIOS settings to declare your CD Rom as the first boot device You should be all set It is of course much better to test your Bering CD with a CD RW But be aware that a lot of old CD drives just won t be able to read them The CD RW will be used for testing on a recent machine Once you are happy with your image you will have to burn a traditionnal CD Rom for your old 1486 based Bering router 8 6 Support I read both the leaf user and the leaf devel lists You may put your questions there 8 7 Thanks to Charles Steinkuehler for creating the stein series Jacques Nilo amp Eric Wolzak for the Bering series Allen Hillery for the hints amp Christian Hostelet for beta testing all LEA
58. nks to Jacques Nilo and Eric Wolzak for creating Bering, all the LEAF developers for their contributions, and Mike Noyes for his support of the LEAF project and great work to encourage continuous improvement.

11. Wireless and orinoco drivers

11.1 Objectives

We want here to set up an internal wireless network that will share an internet access through a Bering firewall. We assume here that your external interface to the internet (eth0) is connected to your ISP via a standard NIC, whereas your internal interface (eth1) to your network is connected through a wireless NIC. What follows has not been tested by the author, who does not have the corresponding hardware. Bob Pocius did the testing using an Orinoco Gold PCMCIA card connected to a PC through an ISA PCMCIA adapter. Thanks to Bob for his help. The most complete information on wireless under Linux can be found on Jean Tourrilhes' web site. Jean is the developer of the wireless tools. He also has a very detailed page on Linux Orinoco drivers. Comments on this section should be addressed to its maintainer, Jacques Nilo <jnilo@users.sourceforge.net>.

11.2 Step 1
59. o share keys, and you don't know the IP addresses of your clients, certificates are your only real option. Your ipsec gateway's certificate can either have its private key extracted using fswcert (as in Step 2) and put in the ipsec.secrets file, or it can be stored in the /etc/ipsec.d/private directory in either der or pem format and be referenced in ipsec.secrets by filename with an optional passphrase. If you choose to extract the key and keep the whole thing in ipsec.secrets directly, your ipsec.secrets file will look like this:

    : RSA {
        Modulus: 0xB664D963F28A
        PublicExponent: 0x010001
        PrivateExponent: 0x518CA9BE0C55
        Prime1: 0xED48CBD214FC
        Prime2: 0xC4C7B7244774
        Exponent1: 0x314D4BD435BA
        Exponent2: 06 2O ASE ABSCSrrr
        Coefficient: OCIVMIL SIS 2 SILO 5 6 5
        }

Except the long strings of gibberish will be much longer. The ": RSA" must start at the left margin, but every other line must be indented (spaces or tabs will do). The file MUST have no more than 700 permissions and be owned by root to be secure. Otherwise, put the private key (serverKey.pem from Step 2) in /etc/ipsec.d/private, secure it with an optional passphrase (recommended) and reference it in the ipsec.secrets file like so:

    : RSA serverKey.pem <optional passphrase>

12.7 Step 6: configure Shorewall

You need to add a new zone to shorewall to handle hosts that connect t
60. oE connection is covered in another section. For the PPPoA connection we assume that your modem is connected to a dedicated NIC as eth0 and will communicate with your router through the pptp protocol. What is described here corresponds to section 3.2.5 of the DSL How-To document. The traffic to your internal network goes through eth0, while access to the Internet via PPPoA goes through ppp0. The PPP Howto, the PPTP Client project and the DSL Howto are two useful references for this section. Comments on this section should be addressed to its maintainer, Jacques Nilo <jnilo@users.sourceforge.net>.

6.2 Step 1: declare the ppp and the pptp packages

Boot a Bering floppy image. Once the LEAF menu appears, get access to the linux shell by (q)uitting the menu. Edit the syslinux.cfg file and REPLACE the pump entry by ppp,pptp in the LRP list of packages to be loaded at boot. Check the Bering installation guide to learn how to do that. Your syslinux.cfg file will then look like (adjust to your tastes):

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680
    LRP=root,etc,local,modules,ppp,pptp,keyboard,shorwall,dnscache,we

The last two lines (default linux ... dnscache,weblet) must be typed as a single one in syslinux.cfg. The ppp package is provided on the standard Bering floppy. The pptp.lrp package is available here. Check the Bering instal
61. online, MSN and my own ppp server on 486er and Pentium machines using the AVM Fritz and an Elsa Microlink card. Specific questions concerning the Hisax driver can be looked up at the i4 faq and the Readme for Hisax. Special cases like channel bundling, callback, etc. are not yet tested but should be possible. Refer to the hisax guide. Although the use of active cards like the avm b1 is possible, it is not tested and should require some extra work. Users with external ISDN modems should look at the ppp dial-up page. Comments on this section should be addressed to its maintainer, Eric Wolzak <leaf@wolzak.de>.

ISDN cards connect quietly and usually without any signs. If you have a wrongly configured machine on your network, you could experience a lot of undesired connections; you will not notice it until the next telephone bill. So, especially for a start, check your messages file regularly. I use the beep.lrp, which gives an audible signal on connecting. During the setup, disconnect the ISDN line until you know that all other parts do function.

7.2 Step 1: Download and declare the isdn.lrp package

Download the isdn.lrp package from Eric's site and store it on your Bering diskette. If you need space to do that, refer to the installation guide to learn how to do that. Boot your Bering floppy image. Once the LEAF menu appears, get access to the linux shell by (q)uitting the menu. Edit the syslinux.cfg file and REPLACE the pump entry by isdn i
62. ot download the appropriate modules from the Bering PCMCIA modules_download area in the lib modules pcmcia directory Refer to the Bering installation guide to learn how to do that Enter the LEAF Package configuration menu and choose pcmcia The following menu will appear pemcia configuration files 1 pcmcia default parameters 2 pemcia configuration 3 wireless configuration Gp Gmaaie Selection 11 Wireless and orinoco drivers 47 LEAF Bering user s guide Entry 1 allows to edit the et c default pemcia file which defines the pcmcia parameters that will be used by the cardmgr program and the etc init d pcmcia script In our practical example an Orinoco gold card this file will contain PCMCIA yes PCIC i82365 0 PCIC_OPTS CORE_OPTS CARDMGR_OPTS You may need to specify something like PCIC_OPTS 1365_base 0x3e2 if you are using an ISA PCMCIA adapter Entry 2 allows to edit the etc pcemcia config opts file The default file provided in the pemcia Irp package is the one provided in the pcmcia cs package It looks like include port 0xa00 Oxaff Resources we should not use even if they appear to be available Paast lowalkt im seiciell joormic exclude irq 4 Second built in serial port exclude irq 12 Teew Iowilkc iin joeueeuLIleil jooucic exclude irq 7 Refer to the PCMCIA How to for the explanation of the different options In most cases you won t need to edit this file Entr
63. ovide you with the NTP client from http://www.ntp.org. Then go to the ntpdate configuration menu and declare the timeservers you want to query and, optionally, the frequency of the update in the ntpdate cronjob parameters (default: every hour).

• Activate your own time server. In this scenario you will have to download the ntpsimpl.lrp and the libm.lrp packages from the Bering packages download area and add them to your syslinux.cfg file. You will have the ntpd daemon from http://www.ntp.org (ntpd is a more recent version of xntpd). Then go to the ntpsimpl configuration menu and declare the timeservers you want to query.

Do not forget to adjust your firewall to allow access to NTP services:

    ACCEPT fw net udp ntp    (if you want to query an external NTP server)
    ACCEPT loc fw udp ntp    (if you want to query your Bering box time server)

A list of available public timeservers is available here. All of them will accept requests from ntpd or ntpdate. Only a few of them will accept rdate requests.

14.6 Internal network NTP clients

If you have a time server running on your Bering box, you might be looking for NTP clients for your internal network machines. For your internal network linux boxes, ntpdate will do. If you are running Windows machines of any variety, you can have a look at Tardis or Automachron.

14.7 Miscellaneous

• All lines in /etc/tzvalue can be commented out if you provid
64. ow: On the first floppy, keep only the following files: linux, ldlinux.sys, syslinux.dpy, syslinux.cfg and initrd.lrp. On the second floppy, put all the remaining LEAF packages that you will need. You have a full floppy available. It can be 1440k, 1680k or 1723k formatted, but it should be the same format for both floppies. 1680k is generally working without any problem and is a de facto LEAF standard. Then edit the syslinux.cfg file of the first floppy. You will enter something like:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos diskwait
    LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,sshd,ipsec,weblet

The last two lines (default linux ... ipsec,weblet) must be typed as a single one in syslinux.cfg. Notice the diskwait=yes statement. Once the first floppy has booted, Bering will ask you to enter the second floppy and will then load the .lrp LEAF packages. In this setup you can leave the second floppy in your drive if you want to make changes to your configuration files and backup the corresponding packages. What is on the first floppy generally does not need to be backed up. You can optimize this setup by declaring all your modules in /boot/etc/modules and moving them from /lib/modules to /boot/lib/modules. Then backup initrd.lrp. Then you won't need modules.lr
65. p anymore, since everything will be stored in initrd.lrp on the first floppy.

9.3 The two floppy drives setup

Here we assume that you have two floppy drives available, namely fd0u1680 and fd1u1680 (assuming 1680k formatted floppies). The first floppy will be a standard Bering floppy. The second one will only contain .lrp LEAF packages that do not fit on the first floppy. In this setup, .lrp LEAF packages can be on any disk and you only have to adjust the PKGPATH statement of the first booting floppy:

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH
    LRP=root,etc,local,modules,pump,keyboard,shorwall,dnscache,sshd,ipsec,weblet

9.4 Booting from an IDE device

To install Bering on an IDE device, proceed as follows. Make sure your IDE device has a first bootable partition and is DOS formatted. With the Windows rescue disk you will have the fdisk and the format utilities to help you do that. With a linux rescue floppy disk, fdisk and mkfsdos will be your friends. Be careful: you will be destroying any pre-existing data. Once your hard disk is formatted, install syslinux. You can install syslinux either from a windows or a linux rescue floppy. Boot your floppy, then issue the following command:

    syslinux -s /dev/hda1

The -s flag might be required for syslinux to work with old buggy BIOSes. See the syslinux web site for more instructions
66. pID FF found at Oxca000 h unknown ChipID FF found at Oxcc000 CEER IEF address 0xD8000 at 0xDA000 already configured at 0xDC000 already configured at 0xDE000 already configured unknown ChipID FF found at 0xe0000 unknown ChipID FF found at 0xe2000 Ignoring DiskOnChip 20 Possible DiskOnChip wi Possible DiskOnChip wi seed He eae a Sa a a c Verify the DoC has been recognized by running cat proc mtd The output should look similar to dev siz rasesiz nam mtd0 00400000 00002000 DiskOnChip 2000 d Install the fdisk package cd tmp zokeo al FESIS e Partition the DoC Run fdisk dev nftla and create a single DOS 12 bit FAT partition and set it to active The hex code for DOS 12 bit FAT is 0x1 f Create an MS DOS filesystem on the DoC by running mkfs msdos dev nftla1 g Mount the newly created filesystem and copy the Bering files to it mkdir doc mount t msdos dev nftlal doc mount t msdos dev fd0u1l680 mnt ee fumes Toe umount mnt h Edit the DoC doc syslinux cfg file and remove the PKGPATH dev fd0u1680 parameter and change the boot parameter boot dev nftlal msdos i Unmount the DoC partition with umount doc j Make the DoC bootable by running syslinux s dev nftla1 10 6 Step 5 reboot Remove the floppy disk or unhook the floppy drive and reboot your Bering device If the BIOS of the device is properly configured Bering should now boot from the DoC 10 7 Tha
67. page of isdn lrp documentation siine isdn hisax type io irq Masquerading helper modules To COIMINE EONS E9 ijO_COMMIESEICI lt Lie IjO_iMENe_ IEC io MENS _ SLICES the paramater you have to give for a certain card are listed in the table above as an example to use Fritz card from AVM A1 download the module hisax_AVM_A1 rename it to hisax o if you fritzcard is configured with irq 7 and ioport 330 you enter hisax type 5 irq 7 i0 0x330 Backup the modules Irp package 7 5 Step 4 configure ISDN Most options are already defined with reasonable default values But some settings must be defined in every case If you have a static ip number you should also change the according parameter Through the LEAF Package configuration menu choose isdn The following menu will appear isdn configuration files i aljgjsjaycl Gyaie ikoins 2 password und userid 3 ipppd scipts to startup the ipppd interfaces select 1 now you edit the User setting and enter here the name or number that you need to identify yourself eae USER Dependent options USER eric foobar com your MSN depending on your country without areaprefix MYMSN Provider MSN REMMSN Hangup after idletime in seconds 0 for no hangup IMEOUT 60 ee 7 ISDN Configuration 31 LEAF Bering user s guide What your MSN is is depending on the country you live in If you are in doubt ask your local telco For a few countries
68. plog to check the login sequence with your ISP If there is no output check var log syslog to get a clue on potential problems PPPoE connections are going up and taken down Here my provider takes down the connection after 15 minutes of inactivity Also if you switch your router out over night and wants to know if it really got connected beep lrp is your friend It gives a sound of configurable duration and frequency If you have your router on a greater distance have a monitor installed or use the serial line for direct monitoring you don t use it The package should only be inserted on the disk and beep written in the syslinux cfg package beep The configuration is easy in etc ppp if up there is allready a small sound included You can change frequency with the f option 4 PPPoE configuration 18 LEAF Bering user s guide 4 9 An example a PPPoE connection with a two PCMCIA cards setup C Hostelet is using an old laptop as a Bering router His hardware configuration consists of one HP Omnibook 3000 laptop Pentium 233Mhz 144MB Ram CD Rom drive module no floppy no HDD one Xircom CEM56 Modem ethernet PCMCIA card and one 3Com 3C589 PCMCIA card The connection to the net is provided through the first PCMCIA card connected to an Alcatel SpeedTouch Home ethernet modem which gives him access to France Telecom Netissimo ADSL service The connection to the local network is done trough the second PCMCIA card Here is h
69. s PCMCIA 8 ito TelesPCI TeasPG 2n no parameter Teles Creatix parallel port eee S0 Box SOBox irq 10 of the used Ipt port hisax AVM A1 AVM Al Fritz 5 irq 10 hisax AVM Al Teledat 150 hisax FRITZ PCI AVM Fritz PnP hisax_ FRITZ PCI AVM Fritz PCI hisax AVM _ Al PCMCIA AVM Al Fritz PCMCIA irq io from isapnp setup no parameter irq io set with card manager io or nothing for autodetect the iobase is required only if you have more than one ELSA card in your PC aed ame Ki 7 _irg io fromisapnp setup pis tome o O pis none KA Ea EA 12 weed hisax ELSA Elsa Microlink ISA hisax ELSA hisax ELSA hisax ELSA hisax ELSA hisax_IXIMICROR2 IE ene Revisora hisax DIEHLDIVA Eicon Diehl Diva none Pro S A E version hisax ASUSCOM AsusCom ISA isdnlink hisax ASUSCOM Dynalink IS64PH oem irq io set with card manager i irq io from isapnp setup irq io from isapnp setup hisax ASUSCOM PCBit DP oem irq 10 from isapnp setup 10 hisax TELEINT TELEINT SA1 semiactiv hisax HFCS HFC S BDS0 based cards 13 igo 1 2 3 4 21 23 5 27 27 26 6 7 18 18 10 11 12 12 12 13 13 7 ISDN Configuration 29 LEAF Bering user s guide hisax HECS tele 16 3epp 4 iro O mea Salieri sino hisax_SEDLBAUER hisax_ SEDLBAUER Sedlbauer PC 104 irq io hisax SEDLBAUER Sedlbbauerpci 15 nome T ing io from isapnp setup hisax SPORTSTER Stol
70. s in modules Irp In order to have a modem dialup connection working you need to have ppp support enabled through the appropriate kernel modules To configure your modules go to the LEAF Packages configuration menu and choose modules Enter 1 to edit the et c modules file and enter the following information Modules needed for PPP connection Sling 3 PCMCIA configuration 11 LEAF Bering user s guide ppp_generic ppp_async ppp_deflate Masquerading helper modules ip_conntrack_ftp Ij COMMEMEICIK LieC ipana ERER ajo vere Nee Backup the modules Irp package 3 4 Step 3 configure ppp Connection with your ISP will be handled by PPP The PPP How to document will give you very detailed information about this protocol and how to set up its numerous parameters Please refer to the Serial Modem section of this user s guide to learn how to configure your ppp package 3 5 Step 4 configure pcmcia First make sure to install in your pcmcia package the PCMCIA kernel modules that will be needed by your hardware Refer to the Bering installation guide to learn how to do that For our Xircom card the following modules were used ls la lib modules pcmcia drwxr xr x 2 roor root AON awe 25 OLSA a drwxrwxrwt Zi TOOR root ADS ewe 25 O7 952 oso ru Sie i OOK root LI2AS ewe 25 O77 55S CeO Sys i iL OOE POOE SIIZE CVE 2S OTOS 13236540 SEWE e ik OOK root STATA expe 25 Oe 54 Weimer Come Sy e L OOK root GAA N
71. s through ppp0. The PPP Howto and the DSL Howto are two useful references for this section. The following setup has been tested by Dave Anderson, who gets connected to BT DSL service using a Bewan ATM PCI st card on a P166 machine. Thanks to Dave for his patience in testing. Comments on this section should be addressed to its maintainer, Jacques Nilo <jnilo@users.sourceforge.net>.

5.2 Step 1: declare the pppatm package

In order to be able to get connected through PPPoA, you will need a special version of ppp patched for PPPoA support. This support is provided by a pppoatm.so plugin, which is unfortunately only available for ppp version 2.4.0b2. The standard Bering ppp version is 2.4.1. The pppatm.lrp package is nothing more than this patched version of ppp 2.4.0b2, which was developed by Michael Mitchell. This package will replace the ppp.lrp package provided on your Bering floppy. Note: pppd will appear as 2.4.0b1 in syslog, but it's really pppd 2.4.0b2. Boot your Bering floppy image. Once the LEAF menu appears, get access to the linux shell by (q)uitting the menu. Edit the syslinux.cfg file and REPLACE the pump entry by pppatm in the LRP list of packages to be loaded at boot. Check the Bering installation guide to learn how to do that. Your syslinux.cfg file will then look like (adjust to your tastes):

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0
72. ssume here that you want to connect your LEAF router to the Internet via an ADSL PPPoE connection. What is described here corresponds to section 3.2.3 of the DSL How-To document. Your ADSL modem is supposed to be connected to eth0, while the traffic to your internal network goes through eth1. What follows has been tested with Bering v1.0-rc1 on a 486er and a pentium machine, a rtl8139 compatible and a 3com network card connected to eth0 and eth1, and ADSL T-online service offered here in Germany. The PPP Howto and the DSL Howto are two useful references for this section. Comments on this section should be addressed to its maintainer, Eric Wolzak <leaf@wolzak.de>.

4.2 Step 1: declare the ppp and pppoe packages

Those two packages are provided on the standard Bering floppy disk but are not activated by default. Boot a Bering floppy image. Once the LEAF menu appears, get access to the linux shell by (q)uitting the menu. Edit the syslinux.cfg file and REPLACE the pump entry by ppp,pppoe in the LRP list of packages to be loaded at boot. Check the Bering installation guide to learn how to do that. Your syslinux.cfg file will then look like (adjust to your tastes):

    display syslinux.dpy
    timeout 0
    default linux initrd=initrd.lrp init=/linuxrc root=/dev/ram0 boot=/dev/fd0u1680:msdos PKGPATH=/dev/fd0u1680
    LRP=root,etc,local,modules,ppp,pppoe,keyboard,shorwall,dnscache,v

The last two lines (default linux ... dnscache,weblet) must
73. t forward security close close You should be done. Right-click the Win2k to FreeS/WAN IP Security Policy and click Assign in the context menu. Bring up a DOS window. Ping your router. If everything is correct, you will get "Negotiating IP Security" as the response to the first four pings, then it should be pinging clear after that. If not, double-click on the Win2k to FreeS/WAN IP Security Policy to re-enter the configuration dialogs. You will see the two IP Security Rules you just created. Double-click on one of them to check the configuration. You will see five tabs at the top of the dialog, corresponding to the items described at the beginning of this section. First check the outbound traffic filter list, then the inbound traffic filter list. Double-click on them to enter the configuration dialog, then double-click the Filter. Do they have the right source and destination addresses? Remember, this will match packets similar to the way ipchains rules do, so if the rule doesn't match properly, the packet will not be forwarded to the Filter Action and it will not get encrypted properly. If the Filter Lists are both okay, move on to the Filter Action. We have the same Filter Action for both IP Security Rules, so we just have to make sure that it says to negotiate security with ESP 3DES and MD5. We should also ensure again that "Accept unsecured communication" and "Allow unsecured communication" are unchecked, 'cause those are not going
74. then call the /etc/pcmcia/network script, which will in turn: Execute the /etc/pcmcia/wireless script after having read parameters from /etc/pcmcia/wireless.opts. This step will take care of iwconfig initialization before eth1 is up. Bring up the eth1 interface, reading the info from the /etc/network/interfaces file. Backup the etc.lrp package. 11.7 Step 6: configure Shorewall. Check the Shorewall configuration as explained in the installation guide. The Bering default setup should be OK for the above example. 11.8 Tips and tricks. ISA PCMCIA adapters appear more stable for wireless cards than PCI PCMCIA adapters. That is good news for LEAF users, who tend to use an old machine to set up their router. If you do not succeed in activating your PCMCIA card while using it through a PCI PCMCIA adapter, you might give the i82365.o patched module a try. The wavelan2_cs Lucent driver for the orinoco card is also available in the Bering modules pcmcia download section and can be used instead of the MPL/GPL orinoco_cs driver. 12 IPSec configuration. 12.1 Objectives. This document assumes that you have a Bering Firewall with an internal interface on eth1 and an external interface on eth0 and that you want to accept IPSec connections from W
75. ting You can indicate for every package where to look first R everse r or F orward f With the F orward option the searching for the package starts on the left in the package path e With the uppercase F it stops as soon as the first occurence of the package is found e With the lowercase f the search start from left to right but all occurences of the packages are loaded This option is taken to load a partial backup Be sure that the package found first is the one with the standard configuration The one found in the second place will overwrite the saved files with the 9 Booting Bering from different boot media 39 LEAF Bering user s guide individual options The same rules applies for the R everse option Especially the Uppercase R can be used to load a complete new version of a package The full syntax for the package list is package_name option package_name option cat lrpkg cfg COORD Sie 3 if Losi GIN MC AtS SER DUMPE Example Let s assume you have the following setup in your isolinux cfg file display syslinux dpy timeout 0 default linux initrd initrd lrp init linuxrc root dev ram0 boot dev cdrom iso9660 PKGPATH and the following lrpkg cfg package file root etc local modules pump f keyboard shorwall r dnscache weblet The search order for pump f will be cd gt floppy To load pump only from floppy use R The search order for shorwall r will be floppy gt cd To load shorwall only
76. trd.lrp because it loaded directly off the boot disk. If the version on the cdrom needs to be changed, you must make a new cdrom or use a boot floppy disk with a new initrd.lrp, and then you can load other packages off the cdrom. 10 Installing and booting Bering from a M-Systems DiskOnChip. 10.1 Objectives. These instructions describe how to modify a stock Bering floppy disk image to run from a M-Systems DiskOnChip. They were tested using Bering v1.0 rc3 on an Advantech PCA-6145B single board computer with a 4 MB DiskOnChip 2000. It is assumed that you have the ability to boot your DoC-enabled device from a floppy drive during setup. Comments on this section should be sent to Brad Fritz at <bradfritz@users.sourceforge.net>. This is revision Revision 1.1. Please include the revision number with any comments. 10.2 Step 1: prepare the boot floppy. Obtain a working Bering v1.0 rc3 (or newer) boot floppy and perform the following steps: a. Download the appropriate MTD modules for your DoC from the drivers/mtd directory of the Bering modules tree. For DiskOnChip 2000 products you will need mtdcore.o, docecc.o, doc2000.o, docprobe.o and nftl.o. The docecc.o, doc2000.o and docprobe.o modules are in the driv
77. u1680 msdos PKGPATH dev fd0u1680 LRP root etc local modules pppatm keyboard shorwall dnscache web The last two lines (default linux ... dnscache weblet) must be typed as a single one in syslinux.cfg. The pppatm.lrp package is available here. 5.3 Step 2: declare the ppp and pppoatm modules. In order to have a PPPoA connection working, you need to have both ppp and pppoatm support enabled through the appropriate kernel modules. You also need to declare the driver module(s) of your network card(s). In the following example we assume that the external connection to the Internet is provided by a Bewan ATM PCI card, while the internal network goes through a standard ne2000 PCI card. All the modules which are necessary for ppp support are provided on the standard Bering floppy. You just need to declare them, since they are not loaded by default. As far as the pppoatm module is concerned, you will have to download it from the Bering modules download area and store it in /lib/modules. The module drivers for the Bewan ATM PCI card are provided in the driver contrib section. Store them in /lib/modules as well. Other ATM drivers are available here. To declare your modules, go to the LEAF Packages configuration menu and choose modules. Enter 1 to edit the /etc/modules file and enter the following information: 8390 based ethernet cards 8390 ne2k pci Modules needed for PPP conn
78. ules lrp package 6 4 Step 3 configure ppp Connection with your ISP will be handled by PPP The PPP Howto document will give you very detailed information about this protocol and how to set up its numerous parameters Through the LEAF packages configuration menu get access to ppp configuration The following menu will show up ppp configuration files i USER Pp pcmoOpiElons 2 ISP login serie 3 System wide pppd options 4 chap secret 5 pap secret 6 pppd daemon script Gj Guir Selection Enter 1 and 2 and empty out the corresponding files completely Enter 3 allows you to adjust the parameter of your ppp connection through the etc ppp options file This file must contain debug name ISPUserID noauth noipdefault defaulroute 6 PPTP PPPOoA configuration 25 LEAF Bering user s guide Edit either the CHAP Entry 4 or PAP Entry 5 option to set up how your system authenticates For PAP authentication choose the PAP option and add a line saying lt ISPUserID gt lt ISPUserPassword gt to the bottom of the file lt SPUserID gt is the same entry that you made in Entry 3 the System wide pppd options file The lt SPUserPassword gt entry is self explanatory The can be replaced with the IP address or name of the server you are dialling into if you know it Usually an asterisk is sufficient If you want to authenticate using CHAP add the same entry to the CHAP item instead Backup the
79. user s guide if you need to setup wireless 3 6 Step 5 configure your interfaces file Trough the LEAF configuration menu type 1 to access to the network configuration menu and 1 again to edit your etc network interfaces file Enter the following information auto lo iface lo inet loopback iface ethO inet static addresse 192 168 4254 masklen 24 lomoacicestc 192 168 15255 up pon up etc init d dnscache restart up shorewall restart down shorewall stop down etc init d dnscache stop down poff No interface except lo is activated automatically The pcmcia package will start cardmer through the etc init d pcmcia script executed at boot time The cardmgr program will then call the etc pemcia network script which will activate the ethO interface using the information from the etc network interfaces file Here the etc network interfaces says for eth0 3 PCMCIA configuration 13 LEAF Bering user s guide e Assign ip address 192 168 1 254 24 to the interface e Once eth0 is up start the ppp connection through the pon script e Then restart dnscache since dnscache was unable to start at boot time ethO being not available at that time e Then restart shorewall for the same reason When stopping pcmcia the same command are executed in the reverse order through the down statement Backup the etc lrp package 3 7 Step 6 configure Shorewall Through the LEAF packages configuration menu choose shorwall and check the two
80. wall and check the two following files A The interfaces file entry 3 defines your interfaces Here connection to the net goes through ippp0 and the connection to the internal network through eth0 So we must set oao ZONE INTERFACE BROADCAST OPTIONS 7 ISDN Configuration 32 LEAF Bering user s guide net ipppod dhep routefilter norfc1918 ioc eth0o detect routestopped LAST LINE E ADD YOUR ENTRIES BEFORE THIS ONE DO NOT REMOVE amp Do not forget the under the BROADCAST heading for the net ippp0 entry B The masq file entry 7 In this type of setting it should look like Gea INTERFACE SUBNET ipppod eth0o LAST LINE ADD YOUR ENTRIES ABOVE THIS LINE DO NOT REMOVE Backup the shorwall Irp package Prev Home Next PPTP PPPoA configuration Up Creating a bootable Bering CD ROM 7 ISDN Configuration 33 LEAF Bering user s guide Prev LEAF Bering user s guide Next 8 Creating a bootable Bering CD ROM 8 1 Objectives These instructions assume that you already have some knowledge of Bering and a working distribution running out of one or two floppies They have been tested with Bering v1 0 rcl on several hardware configurations using only IDE CD ROM s No SCSI support is planned at this stage Comments on this section should be addressed to its maintainer Luis Correia lt lfcorreia users
81. y 3 allows to edit the etc pcmcia wireless opts file which contains some templates for the most common drivers Just fill in your card configuration in the template corresponding to your driver configuration Then to activate it you need to remove or comment the four lines a the top of wireless opts For an orinoco Gold card this file will look like Config info for Orinoco Wireless Cards e ee 0 S O22 2D 2 gt INFO Orinoco ODE Ad Hoc CHANNEL 1 RATE 11M ESSID Home More information on the structure of the wireless opts can be found here 11 6 Step 5 configure your interfaces file Trough the LEAF configuration menu type 1 to access to the network configuration menu and 1 again to edit your etc network interfaces file Enter the following information 11 Wireless and orinoco drivers 48 LEAF Bering user s guide auto lo eth0 iface lo inet loopback iface ethO inet dhcp iface ethl inet static agclchaass IO 2 Ge 1 254 masklen 24 proadeast 192 168 1 255 We assume here that you get a dynamic IP from your ISP through pump The corresponding interface ethO is brought up automatically at boot time eth0 is in the auto statement The wireless NIC is connected to eth1 and is assigned the 192 168 1 254 local address This interface is NOT brought up automatically at boot time The pcmcia package will start cardmgr through the etc init d pcmcia script executed at boot time The cardmgr program will