tirsdag 25. januar 2011

dnsmasq

dnsmasq is a wonderful little daemon providing dhcp (IPv4) and dns, and integrates these, so a client provided with an IP-address using DHCP will also be available through DNS.  And it is really easy to set up, it gets all relevant information from /etc/hosts and /etc/ethers, but you can also add extra parameters through command line or config file.


Configuration

The build system for dnsmasq doesn't come with configure, but there are really few options and these can be manipulated with the make command line, or, as I did, by changing config.h. I removed:

  • tftp-support (cmdline: COPTS=-DNO_TFTP), if I want to boot machines through the network, I will use my regular fileserver for tftp, not the firewall
  • script-support (cmdline: COPTS=-DNO_SCRIPT), I don't think I will need scripts, and including them seems like a potential security problem

Build with make and install in /usr/sbin.
kl. Ingen kommentarer:
Etiketter: ,

installing ssh

Naturally, I could just copy ssh from my regular ubuntu-installation, but that wouldn't as rewarding, and it is nice to be able to exclude features I don't need.

OpenSSL

To build ssh, we first need openssl. I set PREFIX to a separate directory, to be able to run make install with full control over which files is included in the distribution.

mkdir /home/build/firewall/dist
PREFIX=/home/build/firewall/dist
cd openssl-1.0.0c/
./config --prefix=$PREFIX
make -j 3
make install

OpenSSH is statically linked with OpenSSL, so no openssl-files are actually needed on the firewall. The openssl client utilities are meant for manipulating certificates or testing ssl connections. This functionality will not be needed on the firewall.

OpenSSH

Openssh built in a similar fashion: 
cd ../openssh-5.6p1/
./configure --help
./configure --with-ssl-dir=$PREFIX --prefix=$PREFIX --with-privsep-user=sshd --with-4in6
./configure --help
make -j 3
make install
From the dist-directory I made a selective installation of just some utilities:
  • ssh
  • ssh-add
  • ssh-agent
  • ssh-keygen
  • ssh-keyscan
all installed in /usr/bin, and sshd installed in /usr/sbin. Configurationfiles are taylored and put in /etc/ssh. The daemon is started from inittab using: 
::respawn:/usr/sbin/sshd -f /etc/ssh/sshd_config
kl. Ingen kommentarer:
Etiketter: , ,

Basic linux setup

First things first: basic linux installation. From scratch.

Linux kernel 2.6.37

  • there is no need for every driver available as a module, what I need is xen-support, basic drivers and some networking. As a baseline, a minimum set of driver compiled in should be sufficient. However, quite a few network-modules would be "nice to have" (tunneling, ipsec, vlan, bonding etc) but not needed for booting, and some of these needs to be modules to be able to provide load-time parameters.
  • there is also no need for an initial ram-disk, this will be a small, simple setup with one ext2-partition, and the few drivers needed for boot will be linked into the kernel
I have set up a 4GB logical volume in dom0 for the installation. (Normally I would use iSCSI, but the firewall must be able to boot without any other networking present. Infact, the iSCSI-server expects to get an IP-address from the firewall with DHCP)

BusyBox 1.18.1

I will use BusyBox for basic unix utilities. This has probably been compiled with far more functionality than what is currently needed, but it would be a bother to re-compile just to get that one extra utility. Currently I have included:
  • init and related utilities
  • basic file-utils and text-utils
  • every network-util
  • some filesystem-tools
The boot-sequence is very simple:
  • init starts all daemons through inittab
  • init also starts /etc/init.d/rcS which mounts filesystems and set up networking
Putting it all together

Basic directory structure:

  • /etc
  • /etc/init.d
  • /bin
  • /sbin
  • /usr
  • /usr/bin
  • /usr/sbin
  • /usr/lib
  • /lib
  • /var
  • /lib64
  • /proc
  • /dev
  • /tmp
I added the following files to /etc:
  • fstab
  • group
  • init.d/rcS
  • inittab
  • passwd
  • shadow
  • nsswitch.conf
  • resolv.conf
contents of inittab: 
::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L hvc0 9600 linux
::restart:/sbin/init
::ctrlaltdel:/sbin/reboot
::shutdown:umount -a -r

contents of rcS:

#!/bin/sh

fsck /dev/root
mount -t proc proc /proc
mount -o remount,rw /
#mount -a

hostname firewall2
ip address add dev eth0 local 192.168.32.10/24
ip link set dev eth0 up
ip route add to default via 192.168.32.1
(since everything is mounted in the rc-script, fstab is really not needed)

I put busybox in /bin and ran:

/bin/busybox --install -s
this created symlinks to all busybox commands in /bin, /sbin, /usr/bin and /usr/sbin.

Finally, I copied these libraries from an Ubuntu-installation:

/lib/libm.so.6
/lib/libc.so.6
/lib/libcrypt.so.1
/lib/libdl.so.2
/lib/libnsl.so.1
/lib/libresolv.so.2
/lib/libutil.so.1
/lib/libz.so.1
/lib/libnss_files-2.11.1.so
/lib/libnss_dns-2.11.1.so
/lib64/ld-linux-x86-64.so.2

The kernel itself is not on the guest filesystem, it is started by xen in dom0.

kl. Ingen kommentarer:
Etiketter: ,

mandag 24. januar 2011

IPv6 at home

Ok, so it's time to get on the IPv6-bandwagon. That means:
  • setting up a firewall/router that can handle both IPv4 and IPv6
  • creating an address-policy for both protocols
  • setting up an IPv6-tunnel while waiting for my ISP to provide IPv6
For the firewall/router, I would like the following functionality:
  • DHCP for IPv4
  • Router advertisements (aka stateless autoconfiguration for IPv6, as defined in RFC 4862)
  • DNS for v4 and v6
  • 6in4 tunnel through Hurricane Electric
  • ntp-daemon for a local time-source
  • ssh for administration
  • running a linux-kernel in a xen virtual machine
  • basic linux-utilities provided by busybox
Some justifications for this setup:
  • running linux on regular hw gives more flexibility than on custom-hw (like a linksys)
  • however, I don't need much computing power for this, so a timeshare of my regular server is OK
  • Hurricane Electric seems to be the most used and easy to set up tunnel service
  • I would like to have a cliean IPv6-network internally and translate in the router, however, I have some clients that might not do IPv6 at all (like a blueray-player and the PS3), and even on regular plattforms, some features are missing (like: getting DNS-setup from the IPv6 autoconfig or even do DNS-lookups over IPv6)
  • IPv6 stateless autoconfiguration is far more elegant than DHCP. I would really like to use stateless autoconfigure for everything but servers, and set up other network parameters using DNS SRV-records or zeroconf/bonjour. But the support for this is scarce, so I'll stick with autoconfiguration for addresses and get the rest through DHCP (v4) for now. (Servers need statefull configuration anyway to have a stable IP-address independent of the network card)
So, the plan is:
  • set up a custom linux-system, running on xen
  • use busybox for providing basic utilities
  • ssh for remote login
  • use linux built in netfilter functionality to provide routing, NAT, filtering etc, configured with iptables
  • isc dhcp or dnsmasq for dhcp-functionality (dnsmasq probably has enough functionalit for IPv4, but has no DHCPv6-support. I will start with using dnsmasq for DHCP and use only stateless configuration of IPv6)
  • radvd sending router advertisement messages providing IPv6 stateless autoconfiguration.
  • dnsmasq for DNS
  • ntpd
kl. 1 kommentar:
Etiketter: ,
Abonner på: Innlegg (Atom)