Diff for "NewCloneArmyInstallMethodology"

Differences between revisions 11 and 25 (spanning 14 versions)

Here in will be the recipe needed to install a clean, effecient and viable build of Debian, NoCat and related apps to turn a NewCloneArmyBox into a powerfull node on the PTPnet

(These are rough notes taken by JeffWillard and DarrinEden from the actions of KeeganQuinn which will be hammered into a step by step recipe)

Conventions

text surrounded by quotes " " are things you must type either at the prompt or in response to a questions

The Debian Install

at boot prompt: "bf24" (start 2.4 kernel vs. 2.2)
select Language and keyboard
hard disk (/dev/hda)
- Create swap partition (128M)
- Root partition --bootable (128Mb)
- logical partition (.5 Gig)
- 2nd logical partition (.5 Gig)
- home (whatever is left over)
- all FS type Linux exect swap which is linux swap
- Init swap partition
- init pri (ext3)
- mount root filesystem
- repeat above for var,usr,and home
kernel install
- configure device drivers
- (devices/net)
- nic (de4x5)
configure network
make system bootable "mbr"
reboot
set time
set root pwd
remove pcmcia packages? "yes"
atp configuration "edit by hand"
- "deb http://http.us.debian.org/debian unstable main" per KeeganQuinn : using unstable means just that..if you have issues....take a 24hr breather and attempt again
- no additional sources
- no security updates
run taskel? "no"
deselect? "no"
update configuration file? "yes"
Configuring debconf
- select Readline
- select medium
- don't touch keymap
- system wide readible directories? "yes"
- serial "autosave once"
upgrade glibc? "Y"
update system? "yes"
mail config? "5"
mandb? "yes"
rebuild database? "yes"
erase any additional .deb files? "yes"
"apt-get update"
"apt-get install deborphan"
"deborphan"
"dbkp -P <all packages listed ---space in between>"
"deborphan -a"
"dpkg -P <all packages you don't want>"
"deborphan -a"
- repeat several times to ensure all packages are removed that you don't want

The NoCat Install

"/sbin/ifconfig -a"BR
- {{{ eth0 Link encap:Ethernet HWaddr 00:C0:F0:17:74:F6
  - inet addr:192.168.100.3 Bcast:192.168.100.255
    - Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2092 errors:0 dropped:0 overruns:0 frame:0 TX packets:1102 errors:0 dropped:0 overruns:0 carrier:0 collisions:2 txqueuelen:100 RX bytes:2948521 (2.8 MiB) TX bytes:78364 (76.5 KiB) Interrupt:10 Base address:0xe880
  eth1 Link encap:Ethernet HWaddr 00:00:F8:04:F2:9F
  - BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:11 Base address:0xec00
  lo Link encap:Local Loopback
  - inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) }}}
"sudo su -"
- {{{We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:
  - #1) Respect the privacy of others. #2) Think before you type.
  Password:}}}
"exit"
"logout"
"sudo -s"
"clear"
"apt-get install snmpd dnsmasq"
"apt-get install perl make gnupg"
"deborphan -a"
- {{{main/admin sudo main/net ssh main/admin pciutils main/utils fileutils main/utils shellutils main/utils textutils main/utils gnupg main/net dnsmasq main/net snmpd main/base lilo main/net iptables main/devel make main/editors nvi main/admin deborphan}}}
"lynx http://www.nocat.net"
- Download the nightly build of NoCatAuth
- exit lynx
"tar xvfz NoCatAuth-nightly.tgz"
"apt-get install wget"
"wget http://rune.thebasement.org/~ice/tmp/stable-01.patch"
"apt-get install patch"
"patch -p1 < ../stable-01.patch"
"vi /etc/kernel-img.conf"
- {{{ do_symlinks = No do_initrd = Yes postinst_hook = /sbin/update-grub postrm_hook = /sbin/update-grub do_bootloader = No}}}
"apt-get install kernel-image-2.4-K6"
"dpkg -P lilo"
"apt-get install grub"
"update-grub"
- {{{Could not find /boot/grub/menu.lst file. Would you like /boot/grub/menu.lst generated for you? (y/N) "y" }}}
"update-grub"
reboot
"uname -a"
"sudo -s"
"apt-get install ssmtp"
- Automatically overwrite config files? "y"
- Who gets mail for userids < 1000? "dje"
- Name of your mailhub? "mail.personaltelco.net"
- What domain to masquerade as? "personaltelco.net"
- Allow override of From: line in email header? "y"
"deborphan"
"dpkg -P libident libpcre3"
"deborphan"
"make gateway"
- {{{ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
  - Congratulations!
  - NoCat gateway is installed. To start it, check /usr/local/nocat/nocat.conf, then run bin/gateway as root.
  - -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-}}}

Installing the PTPnet Node Files

== nocat.cont==

###### gateway.conf -- NoCatAuth Gateway Configuration.
#
# Format of this file is: <Directive> <Value>, one per
#   line. Trailing and leading whitespace is ignored. Any
#   line beginning with a punctuation character is assumed to
#   be a comment.

###### General settings.
#
# See the bottom of this file for options for logging to syslog.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
#   everything. 5 is probably a safe middle road.
#
Verbosity       10

##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
#   on the splash and status pages. Any short string of text will do.
#
GatewayName     Personal Telco Project

##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
#   values are:
#   
#   Captive     - Allow authentication against an auth service. LEGACY.
#   Passive     - Like Captive, but YOU MUST USE THIS if your gateway 
#                   is behind a NAT. Will work anyway if not. *RECOMMENDED*.
#   Open        - Simply require a user to view a splash page and accept 
#                   a use agreement.
#
# If Captive or Passive Mode is set, you will need to have values set for
#   AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a
#   short value for LoginTimeout (probably <600).
#
# If Open Mode is set, you will need to have values set for SplashForm,
#   HomePage, and possibly DocumentRoot (or provide an absolute path for
#   SplashForm).  Also, you will want to set a large value for LoginTimeout
#   (probably >3600).
#
GatewayMode     Open

##
# GatewayLog -- Optional.  If unset, messages will go to STDERR.
#
GatewayLog      /var/log/nocat.log

##
# LoginTimeout - Number of seconds after a client's last
#   login/renewal to terminate their connection. Probably
#   don't want to set this to less than 60 or a lot of 
#   bandwidth is likely to get consumed by the client's
#   renewal attempts. Defaults to 300 seconds.
#
# For Captive Mode, you want to set this to something
#   fairly short (like 10 minutes) to prevent connection
#   spoofing.  
#
# LoginTimeout  600

# For Open Mode portals, you probably want to comment out
#   the preceding and set LoginTimeout to 
#   something large (like 86400, for one notification
#   per day).
#
LoginTimeout    86400

###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
#   redirect.
#
HomePage        http://personaltelco.net/

# DocumentRoot -- Where all of the application templates (including
#   SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot    /usr/local/nocat/htdocs

# SplashForm -- Form displayed to users on capture.
#
SplashForm      splash.html

# StatusForm -- Page displaying status of logged in users.
#
StatusForm      status.html


###### Active/Passive Portal settings.
#
##
# TrustedGroups - A list of groups registered with the auth server
#   that a user may claim membership in order to gain Member-class
#   access through this portal. The default magic value "Any" indicates
#   that a member of *any* group is granted member-class access from
#   this gateway.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any

##
# Owners - Optional.  List all local "owner" class users here, separated 
#   by spaces.  Owners typically get full bandwidth, and unrestricted
#   access to all network resources.
#
# Owners rob@nocat.net schuyler@nocat.net

##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
#   your authentication service. You must use an IP address
#   if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
#AuthServiceAddr        auth.nocat.net

##
# AuthServiceURL - HTTPS URL to the login script at the authservice. 
#
#AuthServiceURL  https://$AuthServiceAddr/cgi-bin/login

##
# LogoutURL - HTTP URL to redirect user after logout.
#
LogoutURL       https://$AuthServiceAddr/logout.html

### Network Topology
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
#   from looking at your routing tables and picking the interface
#   that carries the default route. Must be set to the interface
#   connected to the Internet. Usually 'eth0' or 'eth1'
#   under Linux, or maybe even 'ppp0' if you're running
#   PPP or PPPoE.
#
ExternalDevice  eth0

##
# InternalDevice - Required if and only if you have ethernet devices
#   on your gateway besides your wireless device and your 'Net connection.
#   Must be set to the interface connected to your local network, normally
#   your wireless card. In Linux, some wireless devices are named 'wvlan0'
#   or 'wlan0' rather than 'ethX'.
#
InternalDevice  br0

##
# LocalNetwork - Required if and only if NoCatAuth can't figure out
#   the network address of your local (probably wireless) network,
#   given your InternalDevice(s). Must be set to the network
#   address and net mask of your internal network. You
#   can use the number of bits in the netmask (e.g. /16, /24, etc.)
#   or the full x.x.x.x specification.
#
# LocalNetwork  10.0.1.0/24

##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
#   specify the address(es) of one or more domain name server on the Internet
#   that wireless clients can use to get out. Should be the same DNS that your
#   DHCP server hands out. If left blank, NoCatAuth will presume that you
#   want to use whatever nameservers are listed in /etc/resolv.conf.
#
# DNSAddr 111.222.333.444

##
# AllowedWebHosts - Optional.  List any domains that you would like to
#   allow web access (TCP port 80 and 443) BEFORE logging in (this is the
#   pre-'skip' stage, so be careful about what you allow.)
#
# AllowedWebHosts       nocat.net

##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. 
#   Uncomment this only if you're running a strictly routed network, and
#   don't need the gateway to enable NAT for you.
#
# RouteOnly     1

##
# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly
#   connected (or bridged at Layer 2) to your internal (usually wireless)
#   network. In that event, the gateway won't be able to match clients based
#   on MAC address, and will fall back to using IPs only. This is 
#   theoretically less secure, as IP addresses are usually easier to spoof
#   than MAC addresses, so don't use this unless you know what you're doing.
#
# IgnoreMAC     1

##
# MembersOnly - Optional.  Uncomment this if you want to disable public
#   access (i.e. unauthenticated 'skip' button access).  You'll also want to
#   point AuthServiceURL somewhere that doesn't include a skip button (like
#   at your own Auth server.)
#
# MembersOnly   1

##
# IncludePorts - Optional.  Specify TCP ports to allow access to when 
#   public class users login.  All others will be denied.
#
#   For a list of common services and their respective port numbers, see 
#   your /etc/services file. Depending on your firewall, you might even
#   be able to specify said services here, instead of using port numbers.
#
# IncludePorts    22 80 443

##
# ExcludePorts - Optional.  Specify TCP ports to denied access to when
#   public class users login.  All others will be allowed.
#
#   Note that you should use either IncludePorts or ExcludePorts, but not
#   both.  If neither is specified, access is granted to all ports to
#   public class users.
#
#   You should *always* exclude port 25, unless you want to run an portal
#   for wanton spam sending. Users should have their own way of sending
#   mail. It sucks, but that's the way it is. Comment this out *only if*
#   you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts    25

####### Syslog Options -- alter these only if you want NoCat to log to the
#        system log!
#
# Log Facility - syslog or internal.  Internal sends log messages
#    using the GatewayLog or STDERR if GatewayLog is unset.  Syslog
#    sends all messages to the system log.
#
# LogFacility   internal

##
# SyslogSocket - inet or unix.  Inet connects to an inet socket returned
#    by getsrvbyname().  Unix connects to a unix domain socket returned by 
#    _PATH_LOG in syslog.ph (typically /dev/log).  Defaults to unix.
#
# SyslogSocket unix

##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
#    Defaults to "cons,pid". 
#
# SyslogOptions cons,pid

##
# SyslogPriority - The syslog class of message to use:  In decreasing importance,
#    the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, 
#    and DEBUG.  Defaults to INFO.
#
# SyslogPriority INFO

##
# SyslogFacility - The facility used to log messages.  Defaults to user.
# SyslogFacility user

##
# SyslogIdent - The ident of the program that is calling syslog.  This will
#    be prepended to every log entry made by NoCat.  Defaults to NoCat.
#
# SyslogIdent NoCat

###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
#   open and close the firewall. You probably don't need to
#   change these.
#
# ResetCmd      initialize.fw
# PermitCmd     access.fw permit $MAC $IP $Class 
# DenyCmd       access.fw deny $MAC $IP $Class 

##
# GatewayPort - The TCP port to bind the gateway 
#   service to. 5280 is de-facto standard for NoCatAuth.
#   Change this only if you absolutely need to.
#
# GatewayPort     5280

##
# PGPKeyPath -- The directory in which PGP keys are stored.
#   NoCat tries to find this in the pgp/ directory above
#   the bin/ parent directory. Set this only if you put it
#   somewhere that NoCat doesn't expect.
#
# PGPKeyPath    /usr/local/nocat/pgp

##
# MessageVerify -- Shell command to verify a PGP signed
#   message. The actual message is delivered to the
#   command's standard input. NoCat tries to find gpg
#   and gpgv in your path. Set these only if you need to find 
#   them elsewhere.
#
# GpgvPath      /usr/bin/gpgv
#
# MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null

##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
#   for expiration of idle clients.
#
# MaxMissedARP -- How many times a client can be missing from
#   the ARP cache before we assume they've gone away, and log them
#   out. Set to 0 to disable logout based on ARP cache expiration.
# 
# MaxMissedARP  2
#
# IdleTimeout   300

### Fin!

(soon to be)

Discussion

Why unstable?
Why wouldn't this just be installed once, then imaged?

-  ← Revision 11 as of 2003-10-30 22:36:06 →
  Size: 7803
  Editor: dsl-208-151-246-210
  Comment:
+  ← Revision 25 as of 2003-11-05 15:13:40 →
  Size: 16850
  Editor: Portland-249
  Comment:
-Deletions are marked like this.
+Additions are marked like this.
 Line 1:
-Here Is will be the step needed to install a clean, effecient and viable install of Debian, NoCat and related apps to turn a NewCloneArmyBox into a powerfull node on the PTPnet
+Here in will be the recipe needed to install a clean, effecient and viable build of Debian, NoCat and related apps to turn a NewCloneArmyBox into a powerfull node on the PTPnet
 Line 5:
-'''The Debian Install'''
+==== Conventions ====

 * text surrounded by quotes " " are things you must type either at the prompt or in response to a questions



=== The Debian Install ===
-Line 13:
+Line 16:
-   * logic partition (.5 Gig)

   * 2nd logic (.5 Gig)
+   * logical partition (.5 Gig)

   * 2nd logical partition (.5 Gig)
-Line 29:
+Line 32:
- * make system bootable --mbr
+ * make system bootable "mbr"
-Line 35:
+Line 38:
- * remove pcmcia packages? yes

 * atp configuration ---edit by hand

   * "deb http://http.us.debian.or/debian unstable main"
+ * remove pcmcia packages? "yes"

 * atp configuration "edit by hand"

   * "deb http://http.us.debian.org/debian unstable main"
-Line 41:
+Line 44:
- * run taskel? --no

 * deselect? --no

 * update configuration file? yes
+ * run taskel? "no"

 * deselect? "no"

 * update configuration file? "yes"
-Line 50:
+Line 53:
-   * system wide readible directories? yes

   * serial--autosave once



 * upgrade glibc? Y

 * update system? yes

 * mail config?  5

 * mandb? --yes

 * rebuild database? --yes

 * erase any additional .deb files? --yes
+   * system wide readible directories? "yes"

   * serial "autosave once"



 * upgrade glibc? "Y"

 * update system? "yes"

 * mail config?  "5"

 * mandb? "yes"

 * rebuild database? "yes"

 * erase any additional .deb files? "yes"
-Line 73:
+Line 76:
-''' NoCat Setup '''



Here's the raw capture of the stuff I did to the second box. There's a little fu that didn't get captured in a vi session, but forthe most part...



 * "clear"



 * "/sbin/ifconfig -a"[[br]]

{{{''eth0      Link encap:Ethernet  HWaddr 00:C0:F0:17:74:F6

          inet addr:192.168.100.3  Bcast:192.168.100.255

           Mask:255.255.255.0

           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

           RX packets:2092 errors:0 dropped:0 overruns:0 frame:0

           TX packets:1102 errors:0 dropped:0 overruns:0 carrier:0

           collisions:2 txqueuelen:100

           RX bytes:2948521 (2.8 MiB)  TX bytes:78364 (76.5 KiB)

           Interrupt:10 Base address:0xe880



eth1      Link encap:Ethernet  HWaddr 00:00:F8:04:F2:9F

           BROADCAST MULTICAST  MTU:1500  Metric:1

           RX packets:0 errors:0 dropped:0 overruns:0 frame:0

           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

           collisions:0 txqueuelen:100

           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

           Interrupt:11 Base address:0xec00



lo        Link encap:Local Loopback

           inet addr:127.0.0.1  Mask:255.0.0.0

           UP LOOPBACK RUNNING  MTU:16436  Metric:1

           RX packets:0 errors:0 dropped:0 overruns:0 frame:0

           TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

           collisions:0 txqueuelen:0

           RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)''}}}
+=== The NoCat Install ===



 * "/sbin/ifconfig -a"[[BR]]

     {{{  eth0      Link encap:Ethernet  HWaddr 00:C0:F0:17:74:F6

               inet addr:192.168.100.3  Bcast:192.168.100.255

                Mask:255.255.255.0

                UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

                RX packets:2092 errors:0 dropped:0 overruns:0 frame:0

                TX packets:1102 errors:0 dropped:0 overruns:0 carrier:0

                collisions:2 txqueuelen:100

                RX bytes:2948521 (2.8 MiB)  TX bytes:78364 (76.5 KiB)

                Interrupt:10 Base address:0xe880



     eth1      Link encap:Ethernet  HWaddr 00:00:F8:04:F2:9F

                BROADCAST MULTICAST  MTU:1500  Metric:1

                RX packets:0 errors:0 dropped:0 overruns:0 frame:0

                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

                collisions:0 txqueuelen:100

                RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

                Interrupt:11 Base address:0xec00

           lo        Link encap:Local Loopback

                inet addr:127.0.0.1  Mask:255.0.0.0

                UP LOOPBACK RUNNING  MTU:16436  Metric:1

                RX packets:0 errors:0 dropped:0 overruns:0 frame:0

                TX packets:0 errors:0 dropped:0 overruns:0 carrier:0

                collisions:0 txqueuelen:0

                RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)  }}}
-Line 108:
+Line 107:
-{{{''We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these two things:



         #1) Respect the privacy of others.

         #2) Think before you type.



Password:''"""
+     {{{We trust you have received the usual lecture from the local System

     Administrator. It usually boils down to these two things:



              #1) Respect the privacy of others.

              #2) Think before you type.



     Password:}}}
-Line 124:
+Line 123:
-{{{''main/admin               sudo

main/net                 ssh

main/admin               pciutils

main/utils               fileutils

main/utils               shellutils

main/utils               textutils

main/utils               gnupg

main/net                 dnsmasq

main/net                 snmpd

main/base                lilo

main/net                 iptables

main/devel               make

main/editors             nvi

main/admin               deborphan''}}}
+     {{{main/admin               sudo

     main/net                 ssh

     main/admin               pciutils

     main/utils               fileutils

     main/utils               shellutils

     main/utils               textutils

     main/utils               gnupg

     main/net                 dnsmasq

     main/net                 snmpd

     main/base                lilo

     main/net                 iptables

     main/devel               make

     main/editors             nvi

     main/admin               deborphan}}}
-Line 148:
+Line 147:
- * apt-get install wget

 * wget http://rune.thebasement.org/~ice/tmp/stable-01.patch

 * apt-get install patch

 * patch -p1 < ../stable-01.patch

 * vi /etc/kernel-img.conf

{{{ ''do_symlinks = No

do_initrd = Yes



postinst_hook = /sbin/update-grub

postrm_hook = /sbin/update-grub

do_bootloader = No''}}}



 * apt-get install kernel-image-2.4-K6

 *  dpkg -P lilo

 * apt-get install grub

 * update-grub

{{{''Searching for GRUB installation directory ... found: /boot/grub .

 Testing for an existing GRUB menu.list file...



Could not find /boot/grub/menu.lst file. Would you like

/boot/grub/menu.lst generated for you? (y/N) y

Found kernel: /boot/vmlinuz-2.4.22-1-k6

Found kernel: /boot/vmlinuz-2.4.18-bf2.4

Updating /boot/grub/menu.lst ... done''}}}



 *  update-grub
+ * "apt-get install wget"

 * "wget http://rune.thebasement.org/~ice/tmp/stable-01.patch"

 * "apt-get install patch"

 * "patch -p1 < ../stable-01.patch"

 * "vi /etc/kernel-img.conf"

     {{{ do_symlinks = No

     do_initrd = Yes



     postinst_hook = /sbin/update-grub

     postrm_hook = /sbin/update-grub

     do_bootloader = No}}}



 * "apt-get install kernel-image-2.4-K6"

 * "dpkg -P lilo"

 * "apt-get install grub"

 * "update-grub"

     {{{Could not find /boot/grub/menu.lst file. Would you like

     /boot/grub/menu.lst generated for you? (y/N) "y" }}}



 *  "update-grub"
-Line 177:
+Line 170:
- * uname -a

 * sudo -s

 * apt-get install ssmtp

    * Automatically overwrite config files? y

    * Who gets mail for userids < 1000? dje

    * Name of your mailhub? mail.personaltelco.net

    * What domain to masquerade as? personaltelco.net

    * Allow override of From: line in email header? y



 * deborphan

 * dpkg -P libident libpcre3



>(Reading database ... 8790 files and directories currently installed.)

>Removing libident ...

>Removing libpcre3 ...

>Purging configuration files for libpcre3 ...

>root@number-two:~# deborphan

>root@number-two:~# pwd

>/home/dje

>root@number-two:~# ls

>NoCatAuth-nightly  stable-01.patch

>root@number-two:~# cd NoCatAuth-nightly/

>root@number-two:~/NoCatAuth-nightly# ls

>BUGS     Makefile  TODO           cgi-bin  gateway.conf  libexec

>upgrade-0.80-db.pl

>INSTALL  NEWS      authserv.conf  doc      htdocs        pgp

>LICENSE  README    bin            etc      lib           test.sh

>root@number-two:~/NoCatAuth-nightly# make gateway

>Looking for gpgv...

>Checking for firewall compatibility: /sbin/iptables found.

>libexec/iptables/access.fw -> bin/access.fw

>libexec/iptables/clear.fw -> bin/clear.fw

>libexec/iptables/clear.fw -> bin/clear.fw

>libexec/iptables/dump.fw -> bin/dump.fw

>libexec/iptables/initialize.fw -> bin/initialize.fw

>libexec/iptables/reset.fw -> bin/reset.fw

>libexec/iptables/throttle.fw -> bin/throttle.fw

>/sbin/iptables -> bin/iptables

>[ -d /usr/local/nocat ] || mkdir -p /usr/local/nocat

>chmod 755 /usr/local/nocat

>[ -d /usr/local/nocat/htdocs ] || cp -R htdocs /usr/local/nocat

>cp -R bin /usr/local/nocat

>Installing NoCat to /usr/local/nocat...

>cp -R lib pgp /usr/local/nocat

>[ -f /usr/local/nocat/nocat.conf ] || \

>     perl -pe 's#/usr/local/nocat#/usr/local/nocat#g' gateway.conf \

>         > /usr/local/nocat/nocat.conf

>

>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>                   Congratulations!

>   NoCat gateway is installed.  To start it, check

>   /usr/local/nocat/nocat.conf, then run bin/gateway

>   as root.

>-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

>

>root@number-two:~/NoCatAuth-nightly# shutdown -h now

>

>Broadcast message from root (pts/0) (Tue Oct 28 13:39:32 2003):

>

>The system is going down for system halt NOW!

>root@number-two:~/NoCatAuth-nightly# Connection to 192.168.100.3 closed



>by remote host.

>Connection to 192.168.100.3 closed.

>Darrin-Edens-Computer:~ dje$
+ * "uname -a"

 * "sudo -s"

 * "apt-get install ssmtp"

    * Automatically overwrite config files? "y"

    * Who gets mail for userids < 1000? "dje"

    * Name of your mailhub? "mail.personaltelco.net"

    * What domain to masquerade as? "personaltelco.net"

    * Allow override of From: line in email header? "y"



 * "deborphan"

 * "dpkg -P libident libpcre3"

 * "deborphan"



 * "make gateway"



     {{{         -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

                        Congratulations!

        NoCat gateway is installed.  To start it, check

        /usr/local/nocat/nocat.conf, then run bin/gateway

        as root.

       -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-}}}



=== Installing the PTPnet Node Files ===





== nocat.cont==

{{{

###### gateway.conf -- NoCatAuth Gateway Configuration.

#

# Format of this file is: <Directive> <Value>, one per

#   line. Trailing and leading whitespace is ignored. Any

#   line beginning with a punctuation character is assumed to

#   be a comment.



###### General settings.

#

# See the bottom of this file for options for logging to syslog.

#

# Log verbosity -- 0 is (almost) no logging. 10 is log

#   everything. 5 is probably a safe middle road.

#

Verbosity       10



##### Gateway application settings.

#

# GatewayName -- The name of this gateway, to be optionally displayed

#   on the splash and status pages. Any short string of text will do.

#

GatewayName	Personal Telco Project



##

#

# GatewayMode -- Determines the mode of operation of the gateway. Possible

#   values are:

#   

#   Captive	- Allow authentication against an auth service. LEGACY.

#   Passive	- Like Captive, but YOU MUST USE THIS if your gateway 

#                   is behind a NAT. Will work anyway if not. *RECOMMENDED*.

#   Open	- Simply require a user to view a splash page and accept 

#		    a use agreement.

#

# If Captive or Passive Mode is set, you will need to have values set for

#   AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a

#   short value for LoginTimeout (probably <600).

#

# If Open Mode is set, you will need to have values set for SplashForm,

#   HomePage, and possibly DocumentRoot (or provide an absolute path for

#   SplashForm).  Also, you will want to set a large value for LoginTimeout

#   (probably >3600).

#

GatewayMode	Open



##

# GatewayLog -- Optional.  If unset, messages will go to STDERR.

#

GatewayLog	/var/log/nocat.log



##

# LoginTimeout - Number of seconds after a client's last

#   login/renewal to terminate their connection. Probably

#   don't want to set this to less than 60 or a lot of 

#   bandwidth is likely to get consumed by the client's

#   renewal attempts. Defaults to 300 seconds.

#

# For Captive Mode, you want to set this to something

#   fairly short (like 10 minutes) to prevent connection

#   spoofing.  

#

# LoginTimeout	600



# For Open Mode portals, you probably want to comment out

#   the preceding and set LoginTimeout to 

#   something large (like 86400, for one notification

#   per day).

#

LoginTimeout	86400



###### Open Portal settings.

#

##

# HomePage -- The authservice's notion of a default

#   redirect.

#

HomePage	http://personaltelco.net/



# DocumentRoot -- Where all of the application templates (including

#   SplashPage) are hiding. Can be different from Apache's DocumentRoot.

#

DocumentRoot	/usr/local/nocat/htdocs



# SplashForm -- Form displayed to users on capture.

#

SplashForm	splash.html



# StatusForm -- Page displaying status of logged in users.

#

StatusForm	status.html





###### Active/Passive Portal settings.

#

##

# TrustedGroups - A list of groups registered with the auth server

#   that a user may claim membership in order to gain Member-class

#   access through this portal. The default magic value "Any" indicates

#   that a member of *any* group is granted member-class access from

#   this gateway.

#

# TrustedGroups	NoCat NYCWireless PersonalTelco

#

TrustedGroups Any



##

# Owners - Optional.  List all local "owner" class users here, separated 

#   by spaces.  Owners typically get full bandwidth, and unrestricted

#   access to all network resources.

#

# Owners rob@nocat.net schuyler@nocat.net



##

# AuthServiceAddr - Required, for captive mode. Must be set to the address of

#   your authentication service. You must use an IP address

#   if DNS resolution isn't available at gateway startup.

#

# AuthServiceAddr 208.201.239.21

#

#AuthServiceAddr	auth.nocat.net



##

# AuthServiceURL - HTTPS URL to the login script at the authservice. 

#

#AuthServiceURL  https://$AuthServiceAddr/cgi-bin/login



##

# LogoutURL - HTTP URL to redirect user after logout.

#

LogoutURL	https://$AuthServiceAddr/logout.html



### Network Topology

#

# ExternalDevice - Required if and only if NoCatAuth can't figure it out

#   from looking at your routing tables and picking the interface

#   that carries the default route. Must be set to the interface

#   connected to the Internet. Usually 'eth0' or 'eth1'

#   under Linux, or maybe even 'ppp0' if you're running

#   PPP or PPPoE.

#

ExternalDevice	eth0



##

# InternalDevice - Required if and only if you have ethernet devices

#   on your gateway besides your wireless device and your 'Net connection.

#   Must be set to the interface connected to your local network, normally

#   your wireless card. In Linux, some wireless devices are named 'wvlan0'

#   or 'wlan0' rather than 'ethX'.

#

InternalDevice	br0



##

# LocalNetwork - Required if and only if NoCatAuth can't figure out

#   the network address of your local (probably wireless) network,

#   given your InternalDevice(s). Must be set to the network

#   address and net mask of your internal network. You

#   can use the number of bits in the netmask (e.g. /16, /24, etc.)

#   or the full x.x.x.x specification.

#

# LocalNetwork	10.0.1.0/24



##

# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,

#   specify the address(es) of one or more domain name server on the Internet

#   that wireless clients can use to get out. Should be the same DNS that your

#   DHCP server hands out. If left blank, NoCatAuth will presume that you

#   want to use whatever nameservers are listed in /etc/resolv.conf.

#

# DNSAddr 111.222.333.444



##

# AllowedWebHosts - Optional.  List any domains that you would like to

#   allow web access (TCP port 80 and 443) BEFORE logging in (this is the

#   pre-'skip' stage, so be careful about what you allow.)

#

# AllowedWebHosts	nocat.net



##

# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. 

#   Uncomment this only if you're running a strictly routed network, and

#   don't need the gateway to enable NAT for you.

#

# RouteOnly	1



##

# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly

#   connected (or bridged at Layer 2) to your internal (usually wireless)

#   network. In that event, the gateway won't be able to match clients based

#   on MAC address, and will fall back to using IPs only. This is 

#   theoretically less secure, as IP addresses are usually easier to spoof

#   than MAC addresses, so don't use this unless you know what you're doing.

#

# IgnoreMAC	1



##

# MembersOnly - Optional.  Uncomment this if you want to disable public

#   access (i.e. unauthenticated 'skip' button access).  You'll also want to

#   point AuthServiceURL somewhere that doesn't include a skip button (like

#   at your own Auth server.)

#

# MembersOnly	1



##

# IncludePorts - Optional.  Specify TCP ports to allow access to when 

#   public class users login.  All others will be denied.

#

#   For a list of common services and their respective port numbers, see 

#   your /etc/services file. Depending on your firewall, you might even

#   be able to specify said services here, instead of using port numbers.

#

# IncludePorts    22 80 443



##

# ExcludePorts - Optional.  Specify TCP ports to denied access to when

#   public class users login.  All others will be allowed.

#

#   Note that you should use either IncludePorts or ExcludePorts, but not

#   both.  If neither is specified, access is granted to all ports to

#   public class users.

#

#   You should *always* exclude port 25, unless you want to run an portal

#   for wanton spam sending. Users should have their own way of sending

#   mail. It sucks, but that's the way it is. Comment this out *only if*

#   you're using IncludePorts instead.

#

# ExcludePorts 23 25 111

#

ExcludePorts    25



####### Syslog Options -- alter these only if you want NoCat to log to the

#        system log!

#

# Log Facility - syslog or internal.  Internal sends log messages

#    using the GatewayLog or STDERR if GatewayLog is unset.  Syslog

#    sends all messages to the system log.

#

# LogFacility	internal



##

# SyslogSocket - inet or unix.  Inet connects to an inet socket returned

#    by getsrvbyname().  Unix connects to a unix domain socket returned by 

#    _PATH_LOG in syslog.ph (typically /dev/log).  Defaults to unix.

#

# SyslogSocket unix



##

# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait

#    Defaults to "cons,pid". 

#

# SyslogOptions cons,pid



##

# SyslogPriority - The syslog class of message to use:  In decreasing importance,

#    the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, 

#    and DEBUG.  Defaults to INFO.

#

# SyslogPriority INFO



##

# SyslogFacility - The facility used to log messages.  Defaults to user.

# SyslogFacility user



##

# SyslogIdent - The ident of the program that is calling syslog.  This will

#    be prepended to every log entry made by NoCat.  Defaults to NoCat.

#

# SyslogIdent NoCat



###### Other Common Gateway Options. (stuff you probably won't have to change)

#

# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,

#   open and close the firewall. You probably don't need to

#   change these.

#

# ResetCmd	initialize.fw

# PermitCmd	access.fw permit $MAC $IP $Class 

# DenyCmd	access.fw deny $MAC $IP $Class 



##

# GatewayPort - The TCP port to bind the gateway 

#   service to. 5280 is de-facto standard for NoCatAuth.

#   Change this only if you absolutely need to.

#

# GatewayPort     5280



##

# PGPKeyPath -- The directory in which PGP keys are stored.

#   NoCat tries to find this in the pgp/ directory above

#   the bin/ parent directory. Set this only if you put it

#   somewhere that NoCat doesn't expect.

#

# PGPKeyPath	/usr/local/nocat/pgp



##

# MessageVerify -- Shell command to verify a PGP signed

#   message. The actual message is delivered to the

#   command's standard input. NoCat tries to find gpg

#   and gpgv in your path. Set these only if you need to find 

#   them elsewhere.

#

# GpgvPath	/usr/bin/gpgv

#

# MessageVerify	$GpgvPath --homedir=$PGPKeyPath 2>/dev/null



##

#

# IdleTimeout -- How often to check the ARP cache, in seconds,

#   for expiration of idle clients.

#

# MaxMissedARP -- How many times a client can be missing from

#   the ARP cache before we assume they've gone away, and log them

#   out. Set to 0 to disable logout based on ARP cache expiration.

# 

# MaxMissedARP	2

#

# IdleTimeout   300



### Fin!   }}}



(soon to be)



=== Discussion ===



 * Why unstable? 



 * Why wouldn't this just be installed once, then imaged?