Differences between revisions 23 and 24
Revision 23 as of 2003-11-04 01:25:52
Size: 6219
Editor: 12-203-13-49
Comment:
Revision 24 as of 2003-11-05 15:11:25
Size: 16841
Editor: Portland-249
Comment:
Deletions are marked like this. Additions are marked like this.
Line 194: Line 194:

== nocat.cont==

###### gateway.conf -- NoCatAuth Gateway Configuration.
#
# Format of this file is: <Directive> <Value>, one per
# line. Trailing and leading whitespace is ignored. Any
# line beginning with a punctuation character is assumed to
# be a comment.

###### General settings.
#
# See the bottom of this file for options for logging to syslog.
#
# Log verbosity -- 0 is (almost) no logging. 10 is log
# everything. 5 is probably a safe middle road.
#
Verbosity 10

##### Gateway application settings.
#
# GatewayName -- The name of this gateway, to be optionally displayed
# on the splash and status pages. Any short string of text will do.
#
GatewayName Personal Telco Project

##
#
# GatewayMode -- Determines the mode of operation of the gateway. Possible
# values are:
#
# Captive - Allow authentication against an auth service. LEGACY.
# Passive - Like Captive, but YOU MUST USE THIS if your gateway
# is behind a NAT. Will work anyway if not. *RECOMMENDED*.
# Open - Simply require a user to view a splash page and accept
# a use agreement.
#
# If Captive or Passive Mode is set, you will need to have values set for
# AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a
# short value for LoginTimeout (probably <600).
#
# If Open Mode is set, you will need to have values set for SplashForm,
# HomePage, and possibly DocumentRoot (or provide an absolute path for
# SplashForm). Also, you will want to set a large value for LoginTimeout
# (probably >3600).
#
GatewayMode Open

##
# GatewayLog -- Optional. If unset, messages will go to STDERR.
#
GatewayLog /var/log/nocat.log

##
# LoginTimeout - Number of seconds after a client's last
# login/renewal to terminate their connection. Probably
# don't want to set this to less than 60 or a lot of
# bandwidth is likely to get consumed by the client's
# renewal attempts. Defaults to 300 seconds.
#
# For Captive Mode, you want to set this to something
# fairly short (like 10 minutes) to prevent connection
# spoofing.
#
# LoginTimeout 600

# For Open Mode portals, you probably want to comment out
# the preceding and set LoginTimeout to
# something large (like 86400, for one notification
# per day).
#
LoginTimeout 86400

###### Open Portal settings.
#
##
# HomePage -- The authservice's notion of a default
# redirect.
#
HomePage http://personaltelco.net/

# DocumentRoot -- Where all of the application templates (including
# SplashPage) are hiding. Can be different from Apache's DocumentRoot.
#
DocumentRoot /usr/local/nocat/htdocs

# SplashForm -- Form displayed to users on capture.
#
SplashForm splash.html

# StatusForm -- Page displaying status of logged in users.
#
StatusForm status.html


###### Active/Passive Portal settings.
#
##
# TrustedGroups - A list of groups registered with the auth server
# that a user may claim membership in order to gain Member-class
# access through this portal. The default magic value "Any" indicates
# that a member of *any* group is granted member-class access from
# this gateway.
#
# TrustedGroups NoCat NYCWireless PersonalTelco
#
TrustedGroups Any

##
# Owners - Optional. List all local "owner" class users here, separated
# by spaces. Owners typically get full bandwidth, and unrestricted
# access to all network resources.
#
# Owners rob@nocat.net schuyler@nocat.net

##
# AuthServiceAddr - Required, for captive mode. Must be set to the address of
# your authentication service. You must use an IP address
# if DNS resolution isn't available at gateway startup.
#
# AuthServiceAddr 208.201.239.21
#
#AuthServiceAddr auth.nocat.net

##
# AuthServiceURL - HTTPS URL to the login script at the authservice.
#
#AuthServiceURL https://$AuthServiceAddr/cgi-bin/login

##
# LogoutURL - HTTP URL to redirect user after logout.
#
LogoutURL https://$AuthServiceAddr/logout.html

### Network Topology
#
# ExternalDevice - Required if and only if NoCatAuth can't figure it out
# from looking at your routing tables and picking the interface
# that carries the default route. Must be set to the interface
# connected to the Internet. Usually 'eth0' or 'eth1'
# under Linux, or maybe even 'ppp0' if you're running
# PPP or PPPoE.
#
ExternalDevice eth0

##
# InternalDevice - Required if and only if you have ethernet devices
# on your gateway besides your wireless device and your 'Net connection.
# Must be set to the interface connected to your local network, normally
# your wireless card. In Linux, some wireless devices are named 'wvlan0'
# or 'wlan0' rather than 'ethX'.
#
InternalDevice br0

##
# LocalNetwork - Required if and only if NoCatAuth can't figure out
# the network address of your local (probably wireless) network,
# given your InternalDevice(s). Must be set to the network
# address and net mask of your internal network. You
# can use the number of bits in the netmask (e.g. /16, /24, etc.)
# or the full x.x.x.x specification.
#
# LocalNetwork 10.0.1.0/24

##
# DNSAddr - Optional. *If* you choose not to run DNS on your internal network,
# specify the address(es) of one or more domain name server on the Internet
# that wireless clients can use to get out. Should be the same DNS that your
# DHCP server hands out. If left blank, NoCatAuth will presume that you
# want to use whatever nameservers are listed in /etc/resolv.conf.
#
# DNSAddr 111.222.333.444

##
# AllowedWebHosts - Optional. List any domains that you would like to
# allow web access (TCP port 80 and 443) BEFORE logging in (this is the
# pre-'skip' stage, so be careful about what you allow.)
#
# AllowedWebHosts nocat.net

##
# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT.
# Uncomment this only if you're running a strictly routed network, and
# don't need the gateway to enable NAT for you.
#
# RouteOnly 1

##
# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly
# connected (or bridged at Layer 2) to your internal (usually wireless)
# network. In that event, the gateway won't be able to match clients based
# on MAC address, and will fall back to using IPs only. This is
# theoretically less secure, as IP addresses are usually easier to spoof
# than MAC addresses, so don't use this unless you know what you're doing.
#
# IgnoreMAC 1

##
# MembersOnly - Optional. Uncomment this if you want to disable public
# access (i.e. unauthenticated 'skip' button access). You'll also want to
# point AuthServiceURL somewhere that doesn't include a skip button (like
# at your own Auth server.)
#
# MembersOnly 1

##
# IncludePorts - Optional. Specify TCP ports to allow access to when
# public class users login. All others will be denied.
#
# For a list of common services and their respective port numbers, see
# your /etc/services file. Depending on your firewall, you might even
# be able to specify said services here, instead of using port numbers.
#
# IncludePorts 22 80 443

##
# ExcludePorts - Optional. Specify TCP ports to denied access to when
# public class users login. All others will be allowed.
#
# Note that you should use either IncludePorts or ExcludePorts, but not
# both. If neither is specified, access is granted to all ports to
# public class users.
#
# You should *always* exclude port 25, unless you want to run an portal
# for wanton spam sending. Users should have their own way of sending
# mail. It sucks, but that's the way it is. Comment this out *only if*
# you're using IncludePorts instead.
#
# ExcludePorts 23 25 111
#
ExcludePorts 25

####### Syslog Options -- alter these only if you want NoCat to log to the
# system log!
#
# Log Facility - syslog or internal. Internal sends log messages
# using the GatewayLog or STDERR if GatewayLog is unset. Syslog
# sends all messages to the system log.
#
# LogFacility internal

##
# SyslogSocket - inet or unix. Inet connects to an inet socket returned
# by getsrvbyname(). Unix connects to a unix domain socket returned by
# _PATH_LOG in syslog.ph (typically /dev/log). Defaults to unix.
#
# SyslogSocket unix

##
# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait
# Defaults to "cons,pid".
#
# SyslogOptions cons,pid

##
# SyslogPriority - The syslog class of message to use: In decreasing importance,
# the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO,
# and DEBUG. Defaults to INFO.
#
# SyslogPriority INFO

##
# SyslogFacility - The facility used to log messages. Defaults to user.
# SyslogFacility user

##
# SyslogIdent - The ident of the program that is calling syslog. This will
# be prepended to every log entry made by NoCat. Defaults to NoCat.
#
# SyslogIdent NoCat

###### Other Common Gateway Options. (stuff you probably won't have to change)
#
# ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset,
# open and close the firewall. You probably don't need to
# change these.
#
# ResetCmd initialize.fw
# PermitCmd access.fw permit $MAC $IP $Class
# DenyCmd access.fw deny $MAC $IP $Class

##
# GatewayPort - The TCP port to bind the gateway
# service to. 5280 is de-facto standard for NoCatAuth.
# Change this only if you absolutely need to.
#
# GatewayPort 5280

##
# PGPKeyPath -- The directory in which PGP keys are stored.
# NoCat tries to find this in the pgp/ directory above
# the bin/ parent directory. Set this only if you put it
# somewhere that NoCat doesn't expect.
#
# PGPKeyPath /usr/local/nocat/pgp

##
# MessageVerify -- Shell command to verify a PGP signed
# message. The actual message is delivered to the
# command's standard input. NoCat tries to find gpg
# and gpgv in your path. Set these only if you need to find
# them elsewhere.
#
# GpgvPath /usr/bin/gpgv
#
# MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null

##
#
# IdleTimeout -- How often to check the ARP cache, in seconds,
# for expiration of idle clients.
#
# MaxMissedARP -- How many times a client can be missing from
# the ARP cache before we assume they've gone away, and log them
# out. Set to 0 to disable logout based on ARP cache expiration.
#
# MaxMissedARP 2
#
# IdleTimeout 300

### Fin!

Here in will be the recipe needed to install a clean, effecient and viable build of Debian, NoCat and related apps to turn a NewCloneArmyBox into a powerfull node on the PTPnet

(These are rough notes taken by JeffWillard and DarrinEden from the actions of KeeganQuinn which will be hammered into a step by step recipe)

Conventions

  • text surrounded by quotes " " are things you must type either at the prompt or in response to a questions

The Debian Install

  • at boot prompt: "bf24" (start 2.4 kernel vs. 2.2)
  • select Language and keyboard
  • hard disk (/dev/hda)
    • Create swap partition (128M)
    • Root partition --bootable (128Mb)
    • logical partition (.5 Gig)
    • 2nd logical partition (.5 Gig)
    • home (whatever is left over)
    • all FS type Linux exect swap which is linux swap

    • Init swap partition
    • init pri (ext3)
    • mount root filesystem
    • repeat above for var,usr,and home

  • kernel install
    • configure device drivers
    • (devices/net)
    • nic (de4x5)
  • configure network
  • make system bootable "mbr"
  • reboot
  • set time
  • set root pwd
  • remove pcmcia packages? "yes"
  • atp configuration "edit by hand"
  • run taskel? "no"
  • deselect? "no"
  • update configuration file? "yes"
  • Configuring debconf
    • select Readline
    • select medium
    • don't touch keymap
    • system wide readible directories? "yes"
    • serial "autosave once"
  • upgrade glibc? "Y"
  • update system? "yes"
  • mail config? "5"
  • mandb? "yes"
  • rebuild database? "yes"
  • erase any additional .deb files? "yes"
  • "apt-get update"
  • "apt-get install deborphan"
  • "deborphan"
  • "dbkp -P <all packages listed ---space in between>"

  • "deborphan -a"
  • "dpkg -P <all packages you don't want>"

  • "deborphan -a"
    • repeat several times to ensure all packages are removed that you don't want

The NoCat Install

  • "/sbin/ifconfig -a"BR

    • {{{ eth0 Link encap:Ethernet HWaddr 00:C0:F0:17:74:F6
      • inet addr:192.168.100.3 Bcast:192.168.100.255

        • Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2092 errors:0 dropped:0 overruns:0 frame:0 TX packets:1102 errors:0 dropped:0 overruns:0 carrier:0 collisions:2 txqueuelen:100 RX bytes:2948521 (2.8 MiB) TX bytes:78364 (76.5 KiB) Interrupt:10 Base address:0xe880

      eth1 Link encap:Ethernet HWaddr 00:00:F8:04:F2:9F
      • BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:11 Base address:0xec00

      lo Link encap:Local Loopback
      • inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) }}}

  • "sudo su -"
    • {{{We trust you have received the usual lecture from the local System Administrator. It usually boils down to these two things:
      • #1) Respect the privacy of others. #2) Think before you type.
      Password:}}}
  • "exit"
  • "logout"
  • "sudo -s"
  • "clear"
  • "apt-get install snmpd dnsmasq"
  • "apt-get install perl make gnupg"
  • "deborphan -a"
    • {{{main/admin sudo main/net ssh main/admin pciutils main/utils fileutils main/utils shellutils main/utils textutils main/utils gnupg main/net dnsmasq main/net snmpd main/base lilo main/net iptables main/devel make main/editors nvi main/admin deborphan}}}
  • "lynx http://www.nocat.net"

    • Download the nightly build of NoCatAuth

    • exit lynx
  • "tar xvfz NoCatAuth-nightly.tgz"

  • "apt-get install wget"
  • "wget http://rune.thebasement.org/~ice/tmp/stable-01.patch"

  • "apt-get install patch"
  • "patch -p1 < ../stable-01.patch"

  • "vi /etc/kernel-img.conf"
    • {{{ do_symlinks = No do_initrd = Yes postinst_hook = /sbin/update-grub postrm_hook = /sbin/update-grub do_bootloader = No}}}
  • "apt-get install kernel-image-2.4-K6"
  • "dpkg -P lilo"
  • "apt-get install grub"
  • "update-grub"
    • {{{Could not find /boot/grub/menu.lst file. Would you like /boot/grub/menu.lst generated for you? (y/N) "y" }}}
  • "update-grub"
  • reboot
  • "uname -a"
  • "sudo -s"
  • "apt-get install ssmtp"
    • Automatically overwrite config files? "y"
    • Who gets mail for userids < 1000? "dje"

    • Name of your mailhub? "mail.personaltelco.net"
    • What domain to masquerade as? "personaltelco.net"
    • Allow override of From: line in email header? "y"
  • "deborphan"
  • "dpkg -P libident libpcre3"
  • "deborphan"
  • "make gateway"
    • {{{ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
      • Congratulations!
      • NoCat gateway is installed. To start it, check /usr/local/nocat/nocat.conf, then run bin/gateway as root.

      • -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-}}}

Installing the PTPnet Node Files

== nocat.cont==

# # Format of this file is: <Directive> <Value>, one per # line. Trailing and leading whitespace is ignored. Any # line beginning with a punctuation character is assumed to # be a comment.

# # See the bottom of this file for options for logging to syslog. # # Log verbosity -- 0 is (almost) no logging. 10 is log # everything. 5 is probably a safe middle road. # Verbosity 10

# # GatewayName -- The name of this gateway, to be optionally displayed # on the splash and status pages. Any short string of text will do. # GatewayName Personal Telco Project

# # GatewayMode -- Determines the mode of operation of the gateway. Possible # values are: # # Captive - Allow authentication against an auth service. LEGACY. # Passive - Like Captive, but YOU MUST USE THIS if your gateway # is behind a NAT. Will work anyway if not. *RECOMMENDED*. # Open - Simply require a user to view a splash page and accept # a use agreement. # # If Captive or Passive Mode is set, you will need to have values set for # AuthServiceAddr, AuthServiceURL, and LogoutURL. You will want to leave a # short value for LoginTimeout (probably <600). # # If Open Mode is set, you will need to have values set for SplashForm, # HomePage, and possibly DocumentRoot (or provide an absolute path for # SplashForm). Also, you will want to set a large value for LoginTimeout # (probably >3600). # GatewayMode Open

# GatewayLog -- Optional. If unset, messages will go to STDERR. # GatewayLog /var/log/nocat.log

# LoginTimeout - Number of seconds after a client's last # login/renewal to terminate their connection. Probably # don't want to set this to less than 60 or a lot of # bandwidth is likely to get consumed by the client's # renewal attempts. Defaults to 300 seconds. # # For Captive Mode, you want to set this to something # fairly short (like 10 minutes) to prevent connection # spoofing. # # LoginTimeout 600

# For Open Mode portals, you probably want to comment out # the preceding and set LoginTimeout to # something large (like 86400, for one notification # per day). # LoginTimeout 86400

#

# HomePage -- The authservice's notion of a default # redirect. # HomePage http://personaltelco.net/

# DocumentRoot -- Where all of the application templates (including # SplashPage) are hiding. Can be different from Apache's DocumentRoot. # DocumentRoot /usr/local/nocat/htdocs

# SplashForm -- Form displayed to users on capture. # SplashForm splash.html

# StatusForm -- Page displaying status of logged in users. # StatusForm status.html

#

# TrustedGroups - A list of groups registered with the auth server # that a user may claim membership in order to gain Member-class # access through this portal. The default magic value "Any" indicates # that a member of *any* group is granted member-class access from # this gateway. # # TrustedGroups NoCat NYCWireless PersonalTelco # TrustedGroups Any

# Owners - Optional. List all local "owner" class users here, separated # by spaces. Owners typically get full bandwidth, and unrestricted # access to all network resources. # # Owners rob@nocat.net schuyler@nocat.net

# AuthServiceAddr - Required, for captive mode. Must be set to the address of # your authentication service. You must use an IP address # if DNS resolution isn't available at gateway startup. # # AuthServiceAddr 208.201.239.21 # #AuthServiceAddr auth.nocat.net

# AuthServiceURL - HTTPS URL to the login script at the authservice. # #AuthServiceURL https://$AuthServiceAddr/cgi-bin/login

# LogoutURL - HTTP URL to redirect user after logout. # LogoutURL https://$AuthServiceAddr/logout.html

# # ExternalDevice - Required if and only if NoCatAuth can't figure it out # from looking at your routing tables and picking the interface # that carries the default route. Must be set to the interface # connected to the Internet. Usually 'eth0' or 'eth1' # under Linux, or maybe even 'ppp0' if you're running # PPP or PPPoE. # ExternalDevice eth0

# InternalDevice - Required if and only if you have ethernet devices # on your gateway besides your wireless device and your 'Net connection. # Must be set to the interface connected to your local network, normally # your wireless card. In Linux, some wireless devices are named 'wvlan0' # or 'wlan0' rather than 'ethX'. # InternalDevice br0

# LocalNetwork - Required if and only if NoCatAuth can't figure out # the network address of your local (probably wireless) network, # given your InternalDevice(s). Must be set to the network # address and net mask of your internal network. You # can use the number of bits in the netmask (e.g. /16, /24, etc.) # or the full x.x.x.x specification. # # LocalNetwork 10.0.1.0/24

# DNSAddr - Optional. *If* you choose not to run DNS on your internal network, # specify the address(es) of one or more domain name server on the Internet # that wireless clients can use to get out. Should be the same DNS that your # DHCP server hands out. If left blank, NoCatAuth will presume that you # want to use whatever nameservers are listed in /etc/resolv.conf. # # DNSAddr 111.222.333.444

# AllowedWebHosts - Optional. List any domains that you would like to # allow web access (TCP port 80 and 443) BEFORE logging in (this is the # pre-'skip' stage, so be careful about what you allow.) # # AllowedWebHosts nocat.net

# RouteOnly - Required only if you DO NOT want your gateway to act as a NAT. # Uncomment this only if you're running a strictly routed network, and # don't need the gateway to enable NAT for you. # # RouteOnly 1

# IgnoreMAC - Set this if and only if the NoCat gateway isn't directly # connected (or bridged at Layer 2) to your internal (usually wireless) # network. In that event, the gateway won't be able to match clients based # on MAC address, and will fall back to using IPs only. This is # theoretically less secure, as IP addresses are usually easier to spoof # than MAC addresses, so don't use this unless you know what you're doing. # # IgnoreMAC 1

# MembersOnly - Optional. Uncomment this if you want to disable public # access (i.e. unauthenticated 'skip' button access). You'll also want to # point AuthServiceURL somewhere that doesn't include a skip button (like # at your own Auth server.) # # MembersOnly 1

# IncludePorts - Optional. Specify TCP ports to allow access to when # public class users login. All others will be denied. # # For a list of common services and their respective port numbers, see # your /etc/services file. Depending on your firewall, you might even # be able to specify said services here, instead of using port numbers. # # IncludePorts 22 80 443

# ExcludePorts - Optional. Specify TCP ports to denied access to when # public class users login. All others will be allowed. # # Note that you should use either IncludePorts or ExcludePorts, but not # both. If neither is specified, access is granted to all ports to # public class users. # # You should *always* exclude port 25, unless you want to run an portal # for wanton spam sending. Users should have their own way of sending # mail. It sucks, but that's the way it is. Comment this out *only if* # you're using IncludePorts instead. # # ExcludePorts 23 25 111 # ExcludePorts 25

# system log! # # Log Facility - syslog or internal. Internal sends log messages # using the GatewayLog or STDERR if GatewayLog is unset. Syslog # sends all messages to the system log. # # LogFacility internal

# SyslogSocket - inet or unix. Inet connects to an inet socket returned # by getsrvbyname(). Unix connects to a unix domain socket returned by # _PATH_LOG in syslog.ph (typically /dev/log). Defaults to unix. # # SyslogSocket unix

# SyslogOptions - Zero or more of the words pid, ndelay, cons, nowait # Defaults to "cons,pid". # # SyslogOptions cons,pid

# SyslogPriority - The syslog class of message to use: In decreasing importance, # the typical priorities are EMERG, ALERT, CRIT, ERR, WARNING, NOTICE, INFO, # and DEBUG. Defaults to INFO. # # SyslogPriority INFO

# SyslogFacility - The facility used to log messages. Defaults to user. # SyslogFacility user

# SyslogIdent - The ident of the program that is calling syslog. This will # be prepended to every log entry made by NoCat. Defaults to NoCat. # # SyslogIdent NoCat

# # ResetCmd, PermitCmd, DenyCmd -- Shell commands to reset, # open and close the firewall. You probably don't need to # change these. # # ResetCmd initialize.fw # PermitCmd access.fw permit $MAC $IP $Class # DenyCmd access.fw deny $MAC $IP $Class

# GatewayPort - The TCP port to bind the gateway # service to. 5280 is de-facto standard for NoCatAuth. # Change this only if you absolutely need to. # # GatewayPort 5280

# PGPKeyPath -- The directory in which PGP keys are stored. # NoCat tries to find this in the pgp/ directory above # the bin/ parent directory. Set this only if you put it # somewhere that NoCat doesn't expect. # # PGPKeyPath /usr/local/nocat/pgp

# MessageVerify -- Shell command to verify a PGP signed # message. The actual message is delivered to the # command's standard input. NoCat tries to find gpg # and gpgv in your path. Set these only if you need to find # them elsewhere. # # GpgvPath /usr/bin/gpgv # # MessageVerify $GpgvPath --homedir=$PGPKeyPath 2>/dev/null

# # IdleTimeout -- How often to check the ARP cache, in seconds, # for expiration of idle clients. # # MaxMissedARP -- How many times a client can be missing from # the ARP cache before we assume they've gone away, and log them # out. Set to 0 to disable logout based on ARP cache expiration. # # MaxMissedARP 2 # # IdleTimeout 300

(soon to be)

Discussion

  • Why unstable?
  • Why wouldn't this just be installed once, then imaged?

NewCloneArmyInstallMethodology (last edited 2007-11-23 18:01:02 by localhost)