Revision 7 as of 2004-03-08 00:57:29 (size 9404)
Revision 8 as of 2004-03-08 01:14:50 (size 10063)
Node name: 69th and Woodstock
Live Date: It's live!
Sponsor: [http://www.exocet.ca Exocet Industries]
Contact: Brad Zimmerman, node172@exocet.ca
Equipment Donated
- Nothin'!
Software Installed
- Debian Stable, 2.4.25-OW1 kernel.
Network Topology
- Address: 69.30.71.214
- Gateway: 69.30.71.1
- Wireless Address: 192.168.30.1
- Wireless Network: 192.168.30.0/25
- DHCP Pool: 192.168.30.2-254.
- Domain: www.personaltelco.net
Installers / Organizers
- Brad Zimmerman
Maintenance and System Log
- This node is UP! As of 2004-03-06, the node is fully functional. However, I am only broadcasting off've a 5.5 magnetic mount omni antenna, so I doubt the range is very significant. I haven't tested yet. The omni is broadcasting from, roughly, the middle of the house. The node is likely to go down for brief periods of time while I move it around and do testing.
Notes
- Stuff yet to do:
  - Add NoCatAuth splash page and local content.
  - Move the node-on-a-laptop into the garage, mount it on a platform near the peak of the garage.
  - Get a 10-12dBi omni and mount it on top of the garage.
Notes on my setup, from Start to Finish
The Hardware:
- Compaq Armada 1750 laptop: P2/333 w/ 196MB RAM, 6.5GB HD, built-in CDROM and floppy. Two PCMCIA slots. No built-in ethernet port.
- Senao SL-2511 wireless NIC. Best wireless NIC, hands down.
- Xircom cardbus IIps wired NIC.
- 5.5 magnetic mount omni (initially), a $20 buy from hyperlinktech.com.
- Cisco Catalyst 1900 programmable switch.
The Software:
- I tried many, many Linux Live CDs. While they are all good in their own right, none met my specific needs. I finally ended up using the "Forked Boot Floppies with XFS support" from http://people.debian.org/~blade/ ...I burned a CD of bootbf2_4-xfs_iso.zip and used that to boot up and get the Xircom wired NIC working. This is basically a super-stripped version of Debian Stable. More on all that later.
- HostAP drivers for the wireless NIC from http://hostap.epitest.fi/ ...All I needed was hostap-driver-0.1.3.tar.gz to get my Senao card to work correctly.
- The latest kernel. For me, on this setup, that was 2.4.25 from kernel.org. I prefer to grab the whole kernel, rather than patching. I also grabbed openwall.org's awesome security patch for the .25 kernel from: http://www.openwall.com/linux/linux-2.4.25-ow1.tar.gz
- Stuff via apt-get: screen, wget, netdiag, dhcp, xinetd, wireless-tools, libglib1.2-dev, libncurses5-dev and probably a few others that I'm forgetting.
The Misc But Important stuff:
- One external STATIC IP address. These notes won't work all the way for people that are doing this off've a DHCP-assigned external/routable IP. You'll need to modify the firewall rules or get some software that auto-modifies the firewall rules. I don't know about any of that, though, and my advice is to just spend the $5-10 and get a couple of static IP's.
The End Goal:
My goal was, first and foremost, to provide wireless access to my house. Secondly, that it be secured (locked down) as much as possible without making it cumbersome to use or effectively useless. Lastly, that the world be able to use the wireless to surf and not completely root my boxes at the drop of a hat.
The Process:
Setup of the laptop:
- Burned bootbf2_4-xfs_iso to CD.
- Got the setup going. If you've ever done a "regular" Debian install, you're used to this. At any rate, it's not too complicated. However, the biggest thing I always mess up/miss is the setup of the PCMCIA shiz, which is NOT a part of the install process unless you specifically select it! The PCMCIA crap is always, for me, a very tricky part of the install. However, if you do remember to select it and you hear your card beep (beep beep, not beep boop) a few times, you're probably good.
- Debian, at some point early on here, does an apt-get and gets a bunch of stuff for ya. I use tasksel to get stuff for a laptop, that's about it. I don't use the dselect stuff because I rather hate the dselect interface.
- Once I have the Debian basic install on, I set a proxy at the command line (because I was doing the setup at work, behind a firewall/proxy) via: export http_proxy="http://theproxy:8080". We have DHCP at work, so it took care of giving me an IP address and stuffing some DNS info into /etc/resolv.conf. Note, I did the initial setup shiz at work, just to kill time during slow parts of the day and lunch. Once I got some of the takes-a-long-time-to-download stuff done and out of the way, I moved the setup to my house. So, if you're doing this all at home, you may not need to set a proxy and/or you may not get assigned an IP via DHCP.
- After Debian has automagically done its apt-get as part of the setup, and set your time info and email server info, it's done doing all of the automagic stuff.
- Now I do my own apt-get update;apt-get upgrade. After that's all done...
- Grab the kernel and openwall stuff. I do a make menuconfig and make sure the Xircom NIC gets the support it needs, along with support for the XFS file system. The biggest stuff is in the setup of the networking options part of the kernel. I use the setup run-through at http://tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-compiling3.1.html#IPMASQ-COMPILING3.1.1 ...do a find on the page for "Code maturity level options". I usually do everything as compiled-in "*" rather than a module "M". Don't forget the extra security options, in the main menu. Only the last option should be un-used. Everything else makes your box that much less susceptible to attack. I usually compile in wireless stuff related to my card, although I don't think it's really necessary.
- Apt-get install all of this stuff: screen, wget, netdiag, dhcp, xinetd, libglib1.2-dev, libncurses5-dev.
- I compile the kernel: make dep ; make clean ; make bzImage ; make modules ; make modules_install ; make install ...You MAY need to run: lilo -v ...in order to get your new kernel to "take". I normally don't have to do this, though. Some people bitch about LILO being insecure or whatever, but that's the least of my worries. If someone has physical access to your machine, the game is already over.
- I reboot, test the new kernel. Make sure my wired NIC still works, make sure it shows that it's using the new kernel (via: uname -a), etc. I check and see if the kernel recognizes that I have a wireless NIC, although I don't expect it to work yet.
- I install the hostap drivers now. I followed the instructions at http://hostap.epitest.fi/ "README" ...which is basically, extract the drivers and do "make" and "make install". I got a few errors during the make process, but no show-stoppers.
- I usually have to reboot in order for the HostAP stuff to start working correctly, although it's theoretically possible to do a "kill -HUP [cardmgr PID]" or /etc/init.d/pcmcia stop (and start). That never really works for me though. Reboots won't kill you. :P
- After I reboot, I check to see if the wireless NIC seems to maybe be working: ifconfig wlan0. It should return some sort of not-evil-looking response. If so, I manually configure the wlan0 interface at this point. Later, I will stuff the final info into /etc/network/interfaces. You can check out my example at http://exocet.ca/files/slartibartfast_interfaces
- I test the wireless NIC at this point with a known-good wireless client setup (laptop w/ card). If it works, huzzah! I think you're over the hump now. If it doesn't work ...eh, that's what searching via google and asking via the PTP list is for.
- I start setting up the firewall crap about now. I use the script provided at: http://tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html#RC.FIREWALL-2.4.X to get me started. You will need to tweak your setup a bit, but you are welcome to use my setup as a working example: http://exocet.ca/files/slartibartfast_firewall_rules ...Note, eth0 is my external (routable IP address) interface, wlan0 is the internal, wireless interface. As you can see, I have enabled the outside world to access, via eth0/69.30.71.214, port 22 (ssh), 25 (smtp) and 80. Everything else is blocked from outside access. From the internal point of view, NOTHING is blocked.
- Don't forget to do: echo "1" > /proc/sys/net/ipv4/ip_forward ...to turn on IP forwarding so the firewall/masquerading rules actually pass traffic. I often forget to do this and it's annoying.
- I test the wireless setup again with a client. Make sure it all seems to work ok.
- I setup the Cisco VLAN stuff now. It's actually quite easy, although I don't recall exactly how to do it. I think I selected "[B]ridge Setup or Something or Other" from the main Cisco Catalyst 1900 setup menu. The setup of the VLAN is really a rather important part of the setup here. More next.
- My main linux box, deepthought, runs my mail, web, ssh, everything. It has two NICs. One, eth0, has the routable (69.30.71.212) IP address. eth1 has the internal IP address (not the same class C as what the wireless uses). The eth1 cable goes into what will be VLAN1. The rest of the computers in the house, on the internal network (192.168.15.0) also get plugged into what will be VLAN1. In VLAN2 goes the DSL router's ethernet cable, my main Linux box's eth0 ethernet cable, and the ethernet cable from Slartibartfast aka the node-on-a-laptop. The outcome of all this: anything plugged into VLAN2 can NOT talk to anything plugged into VLAN1 ...Except via my main linux box, because it's plugged in to both VLAN1 and VLAN2. Security, baby.
- The wireless setup is basically complete at this point. Some people don't bother with the NoCatSplash stuff, or so they say. I, however, wanted the whole deal. However, I haven't completed the NoCatSplash setup, so I can't write about that yet!
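Added example, not the author's slartibartfast_firewall_rules script: a minimal 2.4-era iptables rule set that implements the policy described in the firewall step above (eth0 external on 69.30.71.214, wlan0 internal on 192.168.30.0/25, only 22/25/80 reachable from outside, nothing blocked from the wireless side, wireless clients masqueraded behind the static address), plus the ip_forward step. The preview helper is an assumption of this example; it prints each rule instead of loading it so the set can be reviewed without root.

```shell
#!/bin/sh
# Constructed example of the firewall policy in these notes; not the author's
# slartibartfast_firewall_rules script. Uses iptables with the "state" match,
# as in the IP-Masquerade HOWTO script for 2.4.x kernels.
EXT_IF=eth0
EXT_IP=69.30.71.214
INT_IF=wlan0
INT_NET=192.168.30.0/25

# $1 is the command each rule is handed to: "iptables" to load, "preview" to print.
apply_firewall() {
    ipt=$1
    $ipt -F && $ipt -t nat -F && $ipt -X
    # Default deny for traffic to and through the box; the box itself may talk out.
    $ipt -P INPUT DROP && $ipt -P FORWARD DROP && $ipt -P OUTPUT ACCEPT
    $ipt -A INPUT -i lo -j ACCEPT
    $ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: nothing arriving on the routable side may claim a wireless address.
    $ipt -A INPUT -i $EXT_IF -s $INT_NET -j DROP
    $ipt -A FORWARD -i $EXT_IF -s $INT_NET -j DROP
    # The only services the outside world may reach on the routable address: ssh, smtp, http.
    for port in 22 25 80; do
        $ipt -A INPUT -i $EXT_IF -d $EXT_IP -p tcp --dport $port -m state --state NEW -j ACCEPT
    done
    # From the wireless side nothing is blocked; separation from the wired
    # 192.168.15.0 LAN is done by the Catalyst VLANs, not by this host.
    $ipt -A INPUT -i $INT_IF -s $INT_NET -j ACCEPT
    $ipt -A FORWARD -i $INT_IF -o $EXT_IF -s $INT_NET -j ACCEPT
    $ipt -A FORWARD -i $EXT_IF -o $INT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Masquerade wireless clients behind the static routable address.
    $ipt -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source $EXT_IP
}

# Assumed helper: prints each rule instead of loading it, for review without root.
preview() { printf 'iptables %s\n' "$*"; }

# The step the notes say is easy to forget: without this, nothing is forwarded.
enable_forwarding() { echo 1 > /proc/sys/net/ipv4/ip_forward; }

case "${1:-}" in
    preview)  apply_firewall preview ;;
    iptables) apply_firewall iptables && enable_forwarding ;;
esac
```

Run it as `sh firewall.sh preview` to read the rules, then as root with `sh firewall.sh iptables` to load them and turn on forwarding.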

