troll i eske februar

kommende filmer fra filmweb.no, minus de som vises på gimle filmfest og minus de som ikke er "troll-i-eske-genre":

• Fjellet
• Miral
• 80 dager
• 14 kilometer
• onkel boonmee
• the adjustent bureau
• exteriors

netfilter

Linux has a very comprehensive set of modules for filtering and changeing network packets as they flow by the network stack. However, this framework has been through several major and quite a few minor re-designs (the last major one seems to be the introduction of the nf_conntrack subsystem i 2.6.15).

There are vast amounts of documentation available on the web, but very little is up to date with the last changes. I will try to summarize my experiences with kernel 2.6.32.

Some pointers for good places to start:

• This is a good introduction, which also covers the last changes (pdf)
• The authorative source is netfilter.org, but most documentation there is outdated by almost a decade.
• This tutorial from Oskar Andreasson is not too out of date
• You can also take a look at the wikipedia page for iptables which has a nice flowchart

A quick introduction for the impatient:

• Each network packet is sent through a set of tables
• For each table, the packet is sent through a set of chains, which chains depend on the final destination of the package; inbound, outbound or routing through (see the drawing on wikipedia for a full picture
• Each chain has a default rule, and can have a set of additional rules
• Each rule is a filter and a command. The filter can be anything that the netfilter framework can find in the package: interface, source, destination, port, protocol etc. The command is either a pre-defined one (DROP, ACCEPT, REJECT etc) or a user-defined table. The filter kan be regarded as an "if"-statement, and the command as a functin call. But pay attention that not all commands make sense in all tables or all chains. Read the documentation for details.
  

udhcpc

One of the utilities bundled in BusyBox is the udhcpc DHCP client.  This is a tool according to the unix principle of: do one thing and do it well.  The udhcpc command handles the DHCP protocol as described in RFC 2131, but it doesn't actually configure the network based on the replies.

However, the documentation available from busybox is not very comprehensive.  There is a man-page available which can be found by googling udhcpc - very small DHCP client.

The operation of udhcpc is simple and unix-y.  When it receives a reply from a DHCP-server, it calls a script with one parameter, which is one of:

• deconfig: remove configuration (when lease is lost or udhcpc starts)
• bound: moving from unbound to bound state (receives configuration)
• renew: lease is renewed
• nak: nak received from server
• leasefail: (not documented in the man-page): run if there is no reply after configured timeouts and retries

lots of other configuration parameters available as environment variables.  The example scripts included with busybox implements these by configuring udhcpd to call a script which calls: simple.$1 (and of course there are 4 scripts: simple.deconfig, simple.bound, simple.renew, simple.nak).  Simple and easy!

I have basically used the sample scripts that came with BusyBox (examples/udhcpc/*), but converted them to using the ip(8)-command instead of ifconfig(8). I also added logging to syslog with the following function:

log() {
  logger -p daemon.info -t dhcp $*
}

dnsmasq

dnsmasq is a wonderful little daemon providing dhcp (IPv4) and dns, and integrates these, so a client provided with an IP-address using DHCP will also be available through DNS.  And it is really easy to set up, it gets all relevant information from /etc/hosts and /etc/ethers, but you can also add extra parameters through command line or config file.

Configuration

The build system for dnsmasq doesn't come with configure, but there are really few options and these can be manipulated with the make command line, or, as I did, by changing config.h. I removed:

• tftp-support (cmdline: COPTS=-DNO_TFTP), if I want to boot machines through the network, I will use my regular fileserver for tftp, not the firewall
• script-support (cmdline: COPTS=-DNO_SCRIPT), I don't think I will need scripts, and including them seems like a potential security problem

Build with make and install in /usr/sbin.

installing ssh

Naturally, I could just copy ssh from my regular ubuntu-installation, but that wouldn't as rewarding, and it is nice to be able to exclude features I don't need.

OpenSSL

To build ssh, we first need openssl. I set PREFIX to a separate directory, to be able to run make install with full control over which files is included in the distribution.

mkdir /home/build/firewall/dist
PREFIX=/home/build/firewall/dist
cd openssl-1.0.0c/
./config --prefix=$PREFIX
make -j 3
make install

OpenSSH is statically linked with OpenSSL, so no openssl-files are actually needed on the firewall. The openssl client utilities are meant for manipulating certificates or testing ssl connections. This functionality will not be needed on the firewall.

OpenSSH

Openssh built in a similar fashion:

cd ../openssh-5.6p1/
./configure --help
./configure --with-ssl-dir=$PREFIX --prefix=$PREFIX --with-privsep-user=sshd --with-4in6
./configure --help
make -j 3
make install

From the dist-directory I made a selective installation of just some utilities:

• ssh
• ssh-add
• ssh-agent
• ssh-keygen
• ssh-keyscan

all installed in /usr/bin, and sshd installed in /usr/sbin. Configurationfiles are taylored and put in /etc/ssh. The daemon is started from inittab using:

::respawn:/usr/sbin/sshd -f /etc/ssh/sshd_config

Basic linux setup

First things first: basic linux installation. From scratch.

Linux kernel 2.6.37

• there is no need for every driver available as a module, what I need is xen-support, basic drivers and some networking. As a baseline, a minimum set of driver compiled in should be sufficient. However, quite a few network-modules would be "nice to have" (tunneling, ipsec, vlan, bonding etc) but not needed for booting, and some of these needs to be modules to be able to provide load-time parameters.
• there is also no need for an initial ram-disk, this will be a small, simple setup with one ext2-partition, and the few drivers needed for boot will be linked into the kernel

I have set up a 4GB logical volume in dom0 for the installation. (Normally I would use iSCSI, but the firewall must be able to boot without any other networking present. Infact, the iSCSI-server expects to get an IP-address from the firewall with DHCP)

BusyBox 1.18.1

I will use BusyBox for basic unix utilities. This has probably been compiled with far more functionality than what is currently needed, but it would be a bother to re-compile just to get that one extra utility. Currently I have included:

• init and related utilities
• basic file-utils and text-utils
• every network-util
• some filesystem-tools

The boot-sequence is very simple:

• init starts all daemons through inittab
• init also starts /etc/init.d/rcS which mounts filesystems and set up networking

Putting it all together

Basic directory structure:

• /etc
• /etc/init.d
• /bin
• /sbin
• /usr
• /usr/bin
• /usr/sbin
• /usr/lib
• /lib
• /var
• /lib64
• /proc
• /dev
• /tmp

I added the following files to /etc:

• fstab
• group
• init.d/rcS
• inittab
• passwd
• shadow
• nsswitch.conf
• resolv.conf

contents of inittab:

::sysinit:/etc/init.d/rcS
::respawn:/sbin/getty -L hvc0 9600 linux
::restart:/sbin/init
::ctrlaltdel:/sbin/reboot
::shutdown:umount -a -r

contents of rcS:

#!/bin/sh

fsck /dev/root
mount -t proc proc /proc
mount -o remount,rw /
#mount -a

hostname firewall2
ip address add dev eth0 local 192.168.32.10/24
ip link set dev eth0 up
ip route add to default via 192.168.32.1

(since everything is mounted in the rc-script, fstab is really not needed)

I put busybox in /bin and ran:

/bin/busybox --install -s

this created symlinks to all busybox commands in /bin, /sbin, /usr/bin and /usr/sbin.

Finally, I copied these libraries from an Ubuntu-installation:

/lib/libm.so.6
/lib/libc.so.6
/lib/libcrypt.so.1
/lib/libdl.so.2
/lib/libnsl.so.1
/lib/libresolv.so.2
/lib/libutil.so.1
/lib/libz.so.1
/lib/libnss_files-2.11.1.so
/lib/libnss_dns-2.11.1.so
/lib64/ld-linux-x86-64.so.2

The kernel itself is not on the guest filesystem, it is started by xen in dom0.

IPv6 at home

Ok, so it's time to get on the IPv6-bandwagon. That means:

• setting up a firewall/router that can handle both IPv4 and IPv6
• creating an address-policy for both protocols
• setting up an IPv6-tunnel while waiting for my ISP to provide IPv6

For the firewall/router, I would like the following functionality:

• DHCP for IPv4
• Router advertisements (aka stateless autoconfiguration for IPv6, as defined in RFC 4862)
• DNS for v4 and v6
• 6in4 tunnel through Hurricane Electric
• ntp-daemon for a local time-source
• ssh for administration
• running a linux-kernel in a xen virtual machine
• basic linux-utilities provided by busybox

Some justifications for this setup:

• running linux on regular hw gives more flexibility than on custom-hw (like a linksys)
• however, I don't need much computing power for this, so a timeshare of my regular server is OK
• Hurricane Electric seems to be the most used and easy to set up tunnel service
• I would like to have a cliean IPv6-network internally and translate in the router, however, I have some clients that might not do IPv6 at all (like a blueray-player and the PS3), and even on regular plattforms, some features are missing (like: getting DNS-setup from the IPv6 autoconfig or even do DNS-lookups over IPv6)
• IPv6 stateless autoconfiguration is far more elegant than DHCP. I would really like to use stateless autoconfigure for everything but servers, and set up other network parameters using DNS SRV-records or zeroconf/bonjour. But the support for this is scarce, so I'll stick with autoconfiguration for addresses and get the rest through DHCP (v4) for now. (Servers need statefull configuration anyway to have a stable IP-address independent of the network card)

So, the plan is:

• set up a custom linux-system, running on xen
• use busybox for providing basic utilities
• ssh for remote login
• use linux built in netfilter functionality to provide routing, NAT, filtering etc, configured with iptables
• isc dhcp or dnsmasq for dhcp-functionality (dnsmasq probably has enough functionalit for IPv4, but has no DHCPv6-support. I will start with using dnsmasq for DHCP and use only stateless configuration of IPv6)
• radvd sending router advertisement messages providing IPv6 stateless autoconfiguration.
• dnsmasq for DNS
• ntpd